Company Confidential Powered by Building a Threat Intelligence Field of Dreams 05.12.2016
James Carder – CISO | VP LogRhythm Labs
Greg Foss – Global Security Operations Team Lead
Operationalizing Threat Intelligence: Making Threat Intelligence Useful
Defining Threat Intelligence
“Evidence-based knowledge, including context, mechanisms, indicators, implications and ACTIONABLE advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard” – Gartner
Actionable data types
Intel Reports
• Documents (e.g., FBI flash reports)
• Blogs, emails
• RSS feeds
Indicators of Compromise
• CSV and text files
• STIX
• OpenIOC
Raw Data Types
• Malware samples
• Packet capture
• Forensic artifacts (files, email)
Your Own Data
• User Behaviors
• Endpoint Behaviors
• Network Behaviors
Operationalizing Threat Intelligence
• Indicators of Compromise (IOC) are automatically searched
• Changes to the external threat environment are immediately detected
• Provides analyst context around incident, event, threat, campaign
• Historical knowledge as well, to chain related attacks
Attack stages covered:
• Reconnaissance & Planning
• Initial Compromise
• Command & Control
• Lateral Movement
• Target Attainment
• Exfiltration / Corruption / Disruption
OSINT: Open Source Intelligence Gathering
Open Source Intelligence Gathering
“Open Source Intelligence (OSINT) in the simplest of terms is locating, and analyzing publicly (open) available sources of information. The key component here is that this intelligence gathering process has a goal of producing current and relevant information that is valuable to either an attacker or competitor. For the most part, OSINT is more than simply performing web searches using various sources.”
– http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines#OSINT
OSINT
• Offensive and Defensive
• Manual – In-depth analysis of the target entity or individual(s)
• Automated – High-level analysis of metadata
• Operationalize, Integrate, and Automate OSINT analysis FTW
• Define goals – what to analyze, why, how, outputs, etc.
  • Indicators of Compromise
  • Data to feed back loops into defensive tools
  • Research
  • Attribution
  • Actors, victims, servers, locations, samples, etc.
OSINT OPSEC (Manual)
• OPSEC: Operational Security
• The target cannot know your organization is actively investigating them…
• Use a USB-bootable Linux image such as Tails – non-persistent
• Run both TOR and a VPN (commercial or use cloud systems)
• Virtual Private Servers (VPS) located in other countries
• Pay for services using bitcoin and/or pre-paid gift cards
• Regardless of solution – understand the service’s logging policy, check for warrant canaries, and know your rights…
Why TOR and VPN?
TOR != VPN
TOR = Randomizer
VPN = Tunnel
Honestly… Not a big deal unless you’re planning to do illegal things – Which you should not be doing anyways...
OSINT OPSEC (Automated – Corporate)
• Register a Linux Amazon EC2 box (free tier) with no elastic IP
• Purchase a Dyn DNS account – for dynamic DNS registration
• Establish a PPTP VPN tunnel to the EC2 system(s)
• Perform investigative analysis from these cloud-hosted systems and/or local boxes with proper precautions in place
• Proxy traffic through and use SSH port forwarding to access services
• Following the completion of the analysis, reboot the system.
• By default, AWS will assign a new IP unless you use an elastic IP
• Reconfigure the tunnels and DNS as necessary (automate this)
Automating OSINT and Response
API:
• DomainTools
• PassiveTotal
• VirusTotal
• Cisco AMP ThreatGRID
SecOps Infrastructure:
• Netflow / IDS
• Firewalls
• Proxy
• Endpoint
• SIEM
Manual OSINT Analysis
• Goal-Oriented
• Define specific target and understand the data you wish to obtain
• Technical – Accounts, Servers, Services, Software, Integrations
• Social – Social Media, Photography, Wish Lists, Email
• Physical – Address, Home IP Address, Business, Footprint
• Logical – Network, Operational Intelligence, Where, When
A Few OSINT Tools
• Maltego
  • Transforms!
• PassiveTotal
  • Threat Intel and Maltego API!
• DomainTools IRIS
  • Whois History, Pivot off of data points (email, address, phone, etc.)
• Shodan
  • The network search engine – everything from open VNC services to C2’s
• Facebook / LinkedIn / Spokeo / Pipl / etc.
  • Create fake accounts and use API integrations to automate searches
OSINT Tips and Tricks: Shortened URLs
All you need is +
OSINT Tips and Tricks: Resolve Skype Username to IP
OSINT Tips and Tricks: Source Code Search
Nerdydata.com
Just scratching the surface…
Case Studies: Operationalization of Threat Intel
Case Study: Operationalizing POS Intel from a Threat Report
Threat Report → SIEM / Analytics Engine → POS Network
• Automated search using Host and Network IOCs and/or BrutPOS behavior in SIEM and on endpoint
• Hits, Alarm, SmartResponse
• No Hits, No Alarm, SmartResponse
SmartResponse workflow:
• Containment
• Acquisition
• Analysis
• Confirmation
• Remediation
• Metrics / Reporting
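The automated IOC search from this case study (and the "IOCs are automatically searched" point earlier in the deck) as an added, self-contained example; it is not LogRhythm's code. The indicator set and the firewall/proxy/EDR lines are constructed, and the hit-to-SmartResponse mapping simply follows the slide's workflow.

```python
import re

# Constructed indicator set in the shape a POS threat report supplies (not real IOCs).
REPORT_IOCS = {
    "ip": {"203.0.113.45"},
    "domain": {"update-checker.example.net"},
    "md5": {"0123456789abcdef0123456789abcdef"},
    "filename": {"pos_scraper.exe"},
}

# Extractors that pull candidate indicators of each type out of free-form log lines.
EXTRACTORS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "md5": re.compile(r"\b[0-9a-f]{32}\b", re.I),
    "filename": re.compile(r"\b[\w.-]+\.(?:exe|dll|ps1)\b", re.I),
}

# Constructed firewall, proxy and endpoint events from a POS segment.
SAMPLE_LOGS = [
    "fw src=10.20.1.15 dst=203.0.113.45 dport=443 action=allow",
    "proxy host=POS-LANE3 url=http://update-checker.example.net/u.php",
    "edr host=POS-LANE3 proc=pos_scraper.exe md5=0123456789ABCDEF0123456789ABCDEF",
    "proxy host=BACKOFFICE1 url=http://www.example.com/",
]

SMART_RESPONSE = ["containment", "acquisition", "analysis",
                  "confirmation", "remediation", "metrics/reporting"]

def search_iocs(logs, iocs=REPORT_IOCS):
    """Automated IOC search: (line_no, type, value) for every indicator hit."""
    hits = []
    for n, line in enumerate(logs):
        for kind, rx in EXTRACTORS.items():
            for token in rx.findall(line):
                if token.lower() in iocs[kind]:
                    hits.append((n, kind, token.lower()))
    return hits

def smart_response(hits, logs):
    """Hits -> alarm, affected hosts and the response workflow; no hits -> no alarm."""
    if not hits:
        return {"alarm": False, "hosts": [], "actions": []}
    hosts = set()
    for n, _, _ in hits:
        m = re.search(r"\b(?:host|src)=(\S+)", logs[n])
        if m:
            hosts.add(m.group(1).upper())
    return {"alarm": True, "hosts": sorted(hosts), "actions": SMART_RESPONSE}
```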
Case Study: Operationalizing Intel using Third Party Integrations
Internet Browsing → Internet → SIEM / Analytics Engine
• Domain is reputable or categorized as good
• DNS name isn’t recognized or part of known malicious domain lists… SmartResponse… check DomainTools
• Domain was opened in the last 7 days or registered by known bad… SmartResponse
SmartResponse workflow:
• Containment
• Acquisition
• Analysis
• Confirmation
• Remediation
• Metrics / Reporting
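The decision flow of this case study as an added example (not LogRhythm code): the category list, the known-bad lists and the WHOIS answers are constructed stand-ins for the SIEM lists and the DomainTools lookup the slide names, and the registrant handles are hypothetical.

```python
from datetime import date

# Constructed stand-ins for the SIEM's domain lists and a DomainTools WHOIS answer
# (hypothetical data; a real deployment queries the APIs named in the deck).
GOOD_CATEGORY = {"www.example.com": "business"}
KNOWN_BAD_DOMAINS = {"c2-relay.example.net"}
KNOWN_BAD_REGISTRANTS = {"REG-BAD-0042"}  # registrant handle seen in prior cases
WHOIS = {
    "fresh-login.example.org": {"created": date(2016, 5, 10), "registrant": "REG-PRIV-9"},
    "old-shop.example.org": {"created": date(2009, 1, 1), "registrant": "REG-SHOP-1"},
    "bulk-lure.example.org": {"created": date(2015, 3, 3), "registrant": "REG-BAD-0042"},
}

SMART_RESPONSE = ["containment", "acquisition", "analysis",
                  "confirmation", "remediation", "metrics/reporting"]

def triage_domain(domain, today, whois_lookup=WHOIS.get):
    """Return (verdict, reason) following the slide's decision flow."""
    domain = domain.lower()
    if domain in GOOD_CATEGORY:
        return "allow", f"categorized as {GOOD_CATEGORY[domain]}"
    if domain in KNOWN_BAD_DOMAINS:
        return "smart_response", "on known malicious domain list"
    # Unrecognized name: SmartResponse enriches it via WHOIS (DomainTools in the deck).
    record = whois_lookup(domain)
    if record is None:
        return "escalate", "no WHOIS record; analyst review"
    age_days = (today - record["created"]).days
    if age_days <= 7:
        return "smart_response", f"domain registered {age_days} day(s) ago"
    if record["registrant"] in KNOWN_BAD_REGISTRANTS:
        return "smart_response", "registered by known bad registrant"
    return "monitor", "unknown domain, no indicators"

def triage_browsing(proxy_lines, today):
    """Apply the flow to 'host=... domain=...' proxy lines and attach the workflow."""
    results = []
    for line in proxy_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        verdict, reason = triage_domain(fields["domain"], today)
        actions = SMART_RESPONSE if verdict == "smart_response" else []
        results.append({"host": fields["host"], "domain": fields["domain"],
                        "verdict": verdict, "reason": reason, "actions": actions})
    return results
```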
Case Study: Operationalizing Intel from Internal Behaviors / Baselines
Assume credentials are stolen (Single Factor)
SIEM / Analytics Engine
• Detect: Network traffic to vl.ff.avast.com & su.ff.avast.com
• Detect: 128-bit GUID cba871fa-80c9-48bc-9836-8df3a7f67145
• Identify: Avast AV
• SmartResponse: Does IT inventory have anything other than McAfee or ESET? If not, SmartResponse into IR
SmartResponse workflow:
• Containment
• Acquisition
• Analysis
• Confirmation
• Remediation
• Metrics / Reporting
• Malware Sandbox, e.g. Cuckoo
• Historical Case Data
• Analyst, e.g. Malware, Forensics
• External Services, e.g. DomainTools, VirusTotal
• Threat Intelligence, e.g. ISACs, Threat Feeds, Flash Reports
Offer Services to your friends – Collect Intel & Collaborate – Vulnerability Intelligence
If you build it… they will come…
Is attribution important?
• “If you know the enemy and know yourself you need not fear the results of a hundred battles” – Sun Tzu
• “All warfare is based on deception. Hence, when we are able to attack we must seem unable, when using our force we must appear inactive, when we are near we must make the enemy believe we are far away, when we are far away we must make him believe we are near” – Sun Tzu
• Who did it? – APT, China
• Why did they do it? – China 5 yr plan, don’t know
• What were they after? – Research data, intellectual property, I don’t know
• Could we have prevented it? – No, not without more budget
“China stole it, specifically an APT group out of A province. The data was then transferred to person B, located in province C. Then person B sent it to person D in Russia. Once in Russia, the stolen data ended up on person E’s table.”
What if attribution was real’ized?
Document Bugging and Web Tracing: Tracking people of interest and mapping out their digital footprints
Honey Tokens and Document Bugging
Tracking file access, modification, exfiltration, etc…
• Use File Integrity Monitoring to track file interactions
• Any predefined item, instrumented to generate a unique log
• Strings, Drives, Directories, Hashes, ‘employees’
File Integrity Monitoring – Built in to Windows Logging
Document Bugging – How To
• WebBug Background Information:
http://ha.ckers.org/webbug.html
• WebBug Server:
https://bitbucket.org/ethanr/webbugserver
• Bugged Files – Is Your Document Telling on You?
Daniel Crowley and Damon Smith (Chaos Communication Camp 2015)
https://www.youtube.com/watch?v=j5cjFul4ZIc
Document Tracking
Same tricks used by Marketing / Sales for years. Normally for tracking emails, clicks, downloads, etc.
Why loading external images within email is risky…
https://github.com/gfoss/misc/tree/master/Bash/webbug
Documents can be tracked in the same way as email / web
Issues with Document Tracking
• When a document is opened up offline, it is possible that information will be divulged about the tracking service itself. Be cognizant of this when bugging documents.
• Visiting the site directly – Dead giveaway that something phishy is up…
• You may even get your domain flagged – This can hinder your tracking ability – Ensure that you check regularly…
Taking it a step further…
• Honeybadger, Flash, Java, Client Side Code
• If you are able to execute code on the endpoint, you can uncover the true location, regardless of proxy
No help in court…
• Evidence obtained via web bugs, tracing, or similar forms of tracking may not be admissible in court, as this could be considered entrapment.
• FBI Case – Operation Torpedo
• https://www.wired.com/2014/08/operation_torpedo/
Legalities of Document Bugging
• Is it spying?
• Can you really get in trouble for tracking your own things?
• All boils down to intent… very grey area.
Bugged Documents – In Practice
• Reverse Phishing – He was even kind enough to complete the form and send it back!
• Capture The Flag – LogRhythmChallenge.com – Bugging the CTF instructions…
• “We need your slides 9 months ahead of time for this industry-leading cybersecurity event” – Random Conference
USB Drop – Security Awareness Case Study
Building a Believable Campaign
USB Human Interface Device (HID) attacks are too obvious. A dead giveaway that the target just compromised their system. + Expensive.
http://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe?variant=353378649
Building a Believable Campaign
• Use realistic files with somewhat realistic data
• Staged approach to track file access and exploitation
README.doc
Tracking File Access
• Bugged document opened within the corporate network?
• Correlate access logs with network flow analysis to find the victim
Who Opened The File?
Competitive-Business-Analysis.xlsm
PowerShell Macro
PowerShell Prompt – PowerShell Empire – Invoke-Prompt
Step 1 – Compress PowerShell Script
Step 2 – Build the Macro and Inject PowerShell Script
Step 3 – Customize the Macro
Step 4 – Profit
Send an email when the Macro is run…
Use a bogus email (unlike I did here) – I know, I know. Bad OpSec.
Tools\calculator.exe
Yep… They ran it
“Nobody’s going to run an executable from some random USB” – Greg
Now we have our foothold…
Fortunately they didn’t run this as an admin
Macro Attack Detection
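Detection logic for the macro-launched PowerShell described in the USB drop case study, as an added example (not LogRhythm's detection content): process-creation events in the shape an EDR or Sysmon forwards to the SIEM are constructed here, and the base64 argument is a harmless placeholder.

```python
import re
from pathlib import PureWindowsPath

# Office hosts whose child processes deserve scrutiny, and the built-in
# interpreters a macro typically launches.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
# PowerShell switches common in macro-launched stagers (hidden window, no profile, encoded).
STAGER_FLAGS = re.compile(r"-(?:encodedcommand|enc|noprofile|nop|w\s+hidden|ep\s+bypass)\b", re.I)

# Constructed process-creation events (Sysmon/EDR style); the base64 is a harmless placeholder.
SAMPLE_EVENTS = [
    {"host": "WS-042", "parent": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc QQBCAEMA"},
    {"host": "WS-042", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"host": "WS-017", "parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c E:\Tools\calculator.exe"},
]

def _basename(path):
    return PureWindowsPath(path).name.lower()

def classify_event(ev):
    """Return the reasons an event looks like a macro launch (empty list = benign)."""
    reasons = []
    parent, child = _basename(ev["parent"]), _basename(ev["image"])
    if parent in OFFICE_HOSTS and child in LOLBINS:
        reasons.append(f"{parent} spawned {child}")
        for flag in STAGER_FLAGS.findall(ev["cmdline"]):
            reasons.append(f"stager flag {flag}")
    return reasons

def detect_macro_attacks(events):
    """One alert per suspicious event, carrying the host and the matched reasons."""
    alerts = []
    for ev in events:
        reasons = classify_event(ev)
        if reasons:
            alerts.append({"host": ev["host"], "child": _basename(ev["image"]),
                           "reasons": reasons})
    return alerts
```

An admin-run PowerShell from explorer.exe (the second event) stays quiet, which is the point: the parent process, not PowerShell itself, is the signal.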
Malware Beaconing
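A periodicity check for the beaconing the slide refers to, as an added example (not LogRhythm's analytics): it groups constructed netflow records by source/destination pair and flags pairs whose inter-connection gaps are regular, which is the behaviour a SIEM rule would key on.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

BASE = datetime(2016, 5, 12, 9, 0, 0)

def _flows(src, dst, offsets_s):
    """Build (iso_timestamp, src, dst) records at the given second offsets from BASE."""
    return [((BASE + timedelta(seconds=o)).isoformat(), src, dst) for o in offsets_s]

# Constructed netflow: the first host checks in roughly every 60 s (a beacon);
# the second host's connections are bursty, human-driven browsing.
SAMPLE_FLOWS = (
    _flows("10.20.1.15", "203.0.113.45", [0, 60, 121, 179, 240, 302, 359, 420])
    + _flows("10.20.1.22", "198.51.100.7", [0, 5, 7, 95, 96, 300, 301, 800])
)

def beacon_candidates(flows, min_conns=6, max_jitter=0.15):
    """Flag src/dst pairs whose gaps between connections have a low coefficient of variation."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(datetime.fromisoformat(ts))
    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_conns:
            continue  # too few samples to call a rhythm
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        jitter = pstdev(gaps) / period  # 0 = perfectly periodic
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "connections": len(times),
                             "period_s": round(period, 1), "jitter": round(jitter, 3)})
    return findings
```

Implants that randomize their sleep need a larger max_jitter and a longer observation window; tune both against your own baseline before alerting on it.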
Conclusion
• Developing and leveraging actionable OSINT data can help operationalize Threat Intelligence
• Develop a cyclical Threat Intelligence ecosystem and implement automated responses to known threats
• Take proactive measures by laying traps and various flags that will notify the SOC to anomalous activity
• Use active defense techniques to learn more about the adversary and attempt to gain attribution
• Understand the shortcomings of attribution and document bugging to avoid common pitfalls
• Communicate across various departments and coordinate defensive efforts
James [email protected]
CISO | VP LogRhythm Labs
Greg [email protected]
Global Security Operations Team Lead
Thank You!