Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
Threat Intelligence with Open Source tools
Cornerstones of Trust 2014
@jaimeblasco
@santiagobassett
Presenters
JAIME BLASCO, Director AlienVault Labs
Security Researcher, Malware Analyst
Incident Response
SANTIAGO BASSETT, Security Engineer
OSSIM / OSSEC, Network Security
Log Management
The attacker’s advantage
• They only need to be successful once
• Determined, skilled and often funded adversaries
• Custom malware, 0days, multiple attack vectors, social engineering
• Persistent
The defender’s disadvantage
• They can’t make a mistake
• Understaffed, jack of all trades, underfunded
• Increasingly complex IT infrastructure:
– Moving to the cloud
– Virtualization
– Bring your own device
• Prevention controls fail to block everything
• Hundreds of systems and vulnerabilities to patch
What is Threat Intelligence?
• Information about malicious actors
• Helps you make better decisions about defense
• Examples: IP addresses, domains, URLs, file hashes, TTPs, victims' industries, countries
State of the art
• Most sharing is unstructured & human-to-human
• Closed groups
• Current standards require knowledge, resources and time to integrate the data
How to use Threat Intelligence
• Detect what prevention technologies fail to block
• Security planning and threat assessment
• Improve incident response and triage
• Decide which vulnerabilities to patch first
The Threat Intelligence Pyramid of Pain
Standards & Tools
• IODEF: Incident Object Description Exchange Format
• MITRE:
– STIX: Structured Threat Information eXpression
– TAXII: Trusted Automated eXchange of Indicator Information
– MAEC, CAPEC, CyBOX
• CIF: Collective Intelligence Framework
Collective Intelligence Framework
Collecting malware
Some malware tracking sites:
• http://malc0de.com/rss
• http://www.malwareblacklist.com/mbl.xml
• http://www.malwaredomainlist.com/hostslist/mdl.xml
• http://vxvault.siri-urz.net/URL_List.php
• http://urlquery.net
• http://support.clean-mx.de/clean-mx/xmlviruses.php
Some Open Source malware crawlers:
• Maltrieve: https://github.com/technoskald/maltrieve
• Ragpicker: https://code.google.com/p/malware-crawler/
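The tracking sites above publish their entries as RSS/XML, and the first job of a crawler such as Maltrieve is to turn a feed into a clean list of download candidates. The following is an added example and not code from the slides, Maltrieve or Ragpicker: it parses a constructed malc0de-style feed, normalises the URL and hash, drops repeated entries by MD5 and defangs URLs for reporting. The item description layout ("URL: ..., IP: ..., Country: ..., ASN: ..., MD5: ...") is an assumption modelled on the malc0de feed; each of the other sites needs its own parser. Nothing is downloaded here; fetching the samples is the crawler's job and belongs on an isolated host.

```python
# Added example, not code from the slides, Maltrieve or Ragpicker: turn a
# malc0de-style RSS feed into a de-duplicated list of download candidates for
# a malware crawler. The feed text is constructed here; its item description
# layout ("URL: ..., IP: ..., Country: ..., ASN: ..., MD5: ...") is an
# assumption modelled on the malc0de feed. Nothing is downloaded: fetching the
# URLs is the crawler's job and must happen from an isolated host.
import re
import xml.etree.ElementTree as ET

# Constructed feed: two distinct samples plus a repeat of the first
# (same MD5, different hash case), which a crawler must not fetch twice.
SAMPLE_FEED = """<rss version="2.0"><channel>
<item><title>203.0.113.10</title>
<description>URL: badhost.example/loader.exe, IP: 203.0.113.10, Country: --, ASN: 64496, MD5: 0123456789abcdef0123456789ABCDEF</description></item>
<item><title>198.51.100.7</title>
<description>URL: other.example/get.php?id=7, IP: 198.51.100.7, Country: --, ASN: 64497, MD5: fedcba9876543210fedcba9876543210</description></item>
<item><title>203.0.113.10</title>
<description>URL: badhost.example/loader.exe, IP: 203.0.113.10, Country: --, ASN: 64496, MD5: 0123456789abcdef0123456789abcdef</description></item>
</channel></rss>"""

FIELD_RE = re.compile(
    r"URL:\s*(?P<url>[^,]+),\s*IP:\s*(?P<ip>[^,]+),\s*Country:\s*(?P<cc>[^,]*),"
    r"\s*ASN:\s*(?P<asn>[^,]*),\s*MD5:\s*(?P<md5>[0-9a-fA-F]{32})")


def parse_feed(xml_text):
    """Return one record per unique MD5, with the URL normalised to carry a scheme."""
    root = ET.fromstring(xml_text)
    records, seen = [], set()
    for item in root.iter("item"):
        m = FIELD_RE.search(item.findtext("description") or "")
        if not m:
            continue                     # malformed item: skip it, never guess
        rec = m.groupdict()
        rec["md5"] = rec["md5"].lower()  # feeds mix case; normalise before dedup
        url = rec["url"].strip()
        if not url.lower().startswith(("http://", "https://")):
            url = "http://" + url        # malc0de-style entries omit the scheme
        rec["url"] = url
        if rec["md5"] in seen:
            continue
        seen.add(rec["md5"])
        records.append(rec)
    return records


def defang(url):
    """Render a URL so it cannot be clicked from a report or ticket."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


if __name__ == "__main__":
    for rec in parse_feed(SAMPLE_FEED):
        print(rec["md5"], defang(rec["url"]), rec["ip"])
```

Keying the de-duplication on the hash rather than the URL matters in practice: the same binary is routinely hosted at several URLs, and the same URL often serves a new binary the next day.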
Collecting malware
Other malware collection tools
Dionaea honeypot:
• http://dionaea.carnivore.it/
Thug Honeyclient – Drive by download attacks:
• https://github.com/buffer/thug
• Emulates browser functionality (ActiveX controls and plugins)
Analyzing malware
Yara: Flexible, human-readable rules for identifying malicious streams.
Can be used to analyze:
• files
• memory (volatility)
• network streams.
private rule APT1_RARSilent_EXE_PDF
{
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $winrar1 = "WINRAR.SFX" wide ascii
        $winrar2 = ";The comment below contains SFX script commands" wide ascii
        $winrar3 = "Silent=1" wide ascii
        $str1 = /Setup=[\s\w\"]+\.(exe|pdf|doc)/
        $str2 = "Steup=\"" wide ascii
    condition:
        all of ($winrar*) and 1 of ($str*)
}
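Two details of the rule above are easy to misread: `wide ascii` makes YARA look for both the raw string and its UTF-16LE form, whereas `$str1` is a regex with no modifier and therefore matches in ASCII only; and `$str2` deliberately keeps the attackers' "Steup" typo. The following is an added example and not code from the slides or from the YARA project: a small matcher that mirrors the rule's semantics on constructed byte buffers, so those two points can be checked without installing yara. The buffers built by `build_sample` are stand-ins for a WinRAR SFX stub and are constructed here; real scanning should go through the yara CLI or yara-python.

```python
# Added example, not code from the slides or from the YARA project: a tiny
# matcher that mirrors the semantics of the APT1_RARSilent_EXE_PDF rule, so the
# effect of the "wide ascii" modifiers and of the condition
# "all of ($winrar*) and 1 of ($str*)" can be checked on constructed bytes
# without installing yara. The sample buffers are stand-ins for an SFX stub.
import re

# Strings from the rule. In YARA, "ascii" searches the raw bytes and
# "wide" additionally searches the UTF-16LE form of the same string.
WINRAR_STRINGS = [
    b"WINRAR.SFX",
    b";The comment below contains SFX script commands",
    b"Silent=1",
]
# $str1 is a regex with no modifier, so YARA matches it in ASCII form only.
STR1_REGEX = re.compile(rb'Setup=[\s\w"]+\.(exe|pdf|doc)')
# $str2 keeps the attackers' "Steup" typo and is declared wide ascii.
STR2 = b'Steup="'


def to_wide(s):
    """UTF-16LE encoding, which is what YARA's 'wide' modifier searches for."""
    return s.decode("ascii").encode("utf-16-le")


def contains_wide_ascii(data, s):
    """True if either the ASCII or the UTF-16LE form of s occurs in data."""
    return s in data or to_wide(s) in data


def match_apt1_rarsilent(data):
    """Mirror of the condition: all of ($winrar*) and 1 of ($str*)."""
    winrar_all = all(contains_wide_ascii(data, s) for s in WINRAR_STRINGS)
    str1 = STR1_REGEX.search(data) is not None   # ASCII only, like the rule
    str2 = contains_wide_ascii(data, STR2)
    return winrar_all and (str1 or str2)


def build_sample(wide, setup_line):
    """Constructed stand-in for an SFX stub: filler bytes around the marker
    strings (encoded wide or ASCII), followed by a caller-supplied Setup= line."""
    enc = to_wide if wide else (lambda b: b)
    parts = [b"MZ" + b"\x00" * 14]
    for s in WINRAR_STRINGS:
        parts.append(enc(s))
        parts.append(b"\x90" * 8)
    parts.append(setup_line)
    return b"".join(parts)


if __name__ == "__main__":
    ascii_pdf = build_sample(False, b"Setup=update.pdf")
    wide_setup = build_sample(True, to_wide(b"Setup=update.exe"))
    wide_steup = build_sample(True, to_wide(b'Steup="update.exe"'))
    print("ascii SFX, ASCII Setup=     ->", match_apt1_rarsilent(ascii_pdf))   # True
    print("wide SFX, wide Setup=       ->", match_apt1_rarsilent(wide_setup))  # False
    print("wide SFX, wide Steup=       ->", match_apt1_rarsilent(wide_steup))  # True
```

The second case is the one worth remembering: a fully UTF-16 stub with a correctly spelled `Setup=` line does not fire, because the regex carries no `wide` modifier, while the same stub with the typo does. That is the kind of gap a rule review should catch before the rule is deployed.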
Analyzing malware
Cuckoo Sandbox: Used for automated malware analysis.
• Traces Win32 API calls
• Files created, deleted and downloaded
• Memory dumps of malicious processes
• Network traffic pcaps
Analyzing malware
Sandbox – CIF integration
In our example: hxxp://www.garyhart.com, domain
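The sandbox-to-CIF step comes down to reading the network section of a Cuckoo report and pushing the contacted domains, URLs and hosts into CIF, minus the noise every detonation produces (the VM gateway, the lab resolver, OS update traffic). The following is an added example and not code from the slides, Cuckoo or CIF: it reduces a constructed report to indicator records. The report is built in the shape of a Cuckoo 1.x `report.json` (the `target`/`file` and `network`/`domains`/`hosts`/`http` field names are assumed from that format), the domain is the slide's own example, the IP addresses are RFC 5737 documentation ranges standing in for real hosts, and the record layout (`address`/`type`/`impact`/`confidence`/`description`) is an assumption modelled on CIF v1 submissions rather than an exact API contract.

```python
# Added example, not code from the slides, Cuckoo or CIF: reduce a Cuckoo
# report.json to indicator records that a sandbox-to-CIF bridge would submit.
# The report below is constructed in the shape of a Cuckoo 1.x report (field
# names assumed from that format); the record layout is an assumption modelled
# on CIF v1 submissions. Filtering the lab network is the part that matters:
# a report lists the sandbox gateway, resolver and OS update traffic too.
import ipaddress
import json

# Constructed report for one run. The domain is the slide's own example; the
# IPs are RFC 5737 documentation ranges standing in for real C2 hosts.
SAMPLE_REPORT = json.dumps({
    "target": {"category": "file",
               "file": {"name": "invoice.exe",
                        "sha256": "0" * 64}},
    "network": {
        "hosts": ["203.0.113.10", "192.168.56.1", "8.8.8.8"],
        "domains": [{"domain": "www.garyhart.com", "ip": "203.0.113.10"},
                    {"domain": "time.windows.com", "ip": "198.51.100.5"}],
        "http": [{"host": "www.garyhart.com",
                  "uri": "http://www.garyhart.com/update.php"}],
    },
})

# Allow-lists for traffic every sample generates; assumed, extend per lab.
BENIGN_DOMAINS = {"time.windows.com", "crl.microsoft.com"}
BENIGN_HOSTS = {"8.8.8.8"}          # the sandbox's resolver

LAB_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918: the VM network
    "127.0.0.0/8", "169.254.0.0/16")]


def is_lab_address(addr):
    """True for the sandbox's own network, or for anything that is not IPv4."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return ip.version != 4 or any(ip in net for net in LAB_NETS)


def report_to_indicators(report_json, confidence=65):
    """Return de-duplicated indicator records (hypothetical CIF-style layout)."""
    report = json.loads(report_json)
    sha256 = report["target"]["file"]["sha256"].lower()
    description = "cuckoo sample sha256:%s" % sha256
    records, seen = [], set()

    def add(kind, value):
        if value in seen:
            return
        seen.add(value)
        records.append({"address": value, "type": kind, "impact": "malware",
                        "confidence": confidence, "description": description})

    net = report.get("network", {})
    for d in net.get("domains", []):
        if d["domain"] not in BENIGN_DOMAINS:
            add("fqdn", d["domain"])
    for h in net.get("http", []):
        if h["host"] not in BENIGN_DOMAINS:
            add("url", h["uri"])
    for host in net.get("hosts", []):
        if host not in BENIGN_HOSTS and not is_lab_address(host):
            add("ipv4", host)
    add("sha256", sha256)           # the sample itself, so the feed links back
    return records


if __name__ == "__main__":
    for rec in report_to_indicators(SAMPLE_REPORT):
        print(rec["type"].ljust(6), rec["address"])
```

The `description` field carries the sample hash so that anyone who later hits the indicator in CIF can get back to the detonation that produced it; a confidence value below the feed's alerting threshold is deliberate, since a single sandbox run is evidence, not confirmation.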
CIF External feed example
Thank you!!
@jaimeblascob
@santiagobassett