
“I” Before “R” Except After “IOC”


The security industry touts indicators of compromise (IOCs) as much-needed intelligence in the war on attackers, but the fact is that not every IOC is valuable enough to trigger an incident response (IR) activity. All too often the indicators we are provided contain information of varying quality, including expired attribution, dubious origin, and incomplete details.

So how many IOCs are needed before you can confidently declare an incident? Using actual investigations and research, this session will help attendees better understand the true value of an individual IOC, how to quantify and utilize your collected indicators, and what constitutes an actual incident.

After completing this session, the attendee will:
- Know how to quickly determine the value of an IOC,
- Understand when more information is needed (and from what source), and
- Make intelligent decisions on whether or not an incident should be declared.

Andrew Hay

May 26, 2018


Transcript

1. www.leocybersecurity.com 1 The Top 3 Risks of Moving to Cloud
   “I” Before “R” Except After “IOC”
   Andrew Hay, CTO, LEO Cyber Security, +1.650.532.3555, [email protected], https://www.leocybersecurity.com, @andrewsmhay
2. Agenda
   • Introduction
   • The True Value of a Single IOC
   • Quantify and Utilize Your IOCs
   • When You Should Declare an Incident
   • Summary
3. About Me
   • Co-Founder and Chief Technology Officer (CTO) @ LEO Cyber Security
   • Former: CISO @ DataGravity (now HyTrust); Director of Research @ OpenDNS (now Cisco); Chief Evangelist & Director of Research @ CloudPassage; Senior Security (Industry) Analyst @ 451 Research; Information Security Officer in higher education and financial services; Engineering manager @ Q1 Labs (now IBM)
   • Blogger, author, and rugby coach
4. Introduction
   • The security industry touts indicators of compromise (IOCs) as much-needed threat intelligence (TI) in the war on attackers
   • The fact is that not every IOC is valuable enough to trigger an incident response (IR) activity
   • All too often our provided indicators contain information of varying quality, including expired attribution, dubious origin, and incomplete details
5. Agenda (section divider; same items as slide 2)
6. Why IOCs (and TI) Get a Bad Rap
   • What if…
   • A single threat intelligence-sourced alert generates $1000 worth of time to investigate a false positive?
   • An intelligence producer's report incorrectly categorizes a threat as APT (say, instead of cyber crime)?
   • Every poor quality report costs time to read and digest
   • Every poor association or correlation derails an analytic effort at an organization
   Sourced from http://www.activeresponse.org/the-cost-of-bad-threat-intelligence/
7. Example: A Day In The Life
   • Day 1 @ 10:30am, SUSPICIOUS IP DETECTED: Endpoint security product detected outbound communications with an IP address identified by AlienVault OTX as being malicious: 199[.]59[.]242[.]150
8. Example: A Day In The Life (continued)
   • Day 1 @ 11:00am, INVESTIGATION BEGINS: Start reviewing comments on AlienVault OTX. IP known to be associated with spam delivery, malware, and legitimate sites.
9. Example: A Day In The Life (continued)
   • Day 1 @ 11:30am – 2:00pm, WEEKLY TEAM MEETING: Had to stop investigating due to mandatory team meeting.
10. Example: A Day In The Life (continued)
   • Day 1 @ 2:30pm – 4:00pm, DRIVE HOME / TRAFFIC: Had to drive home to get water heater replaced. SF traffic sucks!
11. Example: A Day In The Life (continued)
   • Day 1 @ 4:00pm, INSERTION: ANOTHER ISSUE ARISES: Host executed a never-before-seen binary. User had no idea how it got there and did not launch it.
12. Example: A Day In The Life (continued)
   • Day 1 @ 4:17pm, FETCH BINARY FOR ANALYSIS: Remotely pulled binary from running system.
   • Day 1 @ 4:18pm, UPLOAD BINARY TO SANDBOX: Dynamic analysis using several automated sandbox systems (all in private mode).
13. Example: A Day In The Life (continued)
   • Day 1 @ 4:40pm – 5:30pm, INSERTION: NETWORK SENSOR: Completely separate issue arises at another client with a newly installed network sensor.
14. Example: A Day In The Life (continued)
   • Day 1 @ 5:30pm – 6:45pm, DINNER: Om-nom-nom-nom.
   • Day 1 @ 7:00pm, NETWORK SENSOR ISSUE REQUIRES ONSITE: Can’t fix remotely, need to send someone onsite.
15. Example: A Day In The Life (continued)
   • Day 1 @ 7:00pm, CONTINUE IP ADDRESS ISSUE: Start checking third-party intel tools.
16. Example: A Day In The Life (continued)
   Day 1 @ 7:00pm – 8:00pm, THIRD-PARTY TOOL INTEL:
   • GTO-CERT: reported this IP as being associated with M2M – Malspam; spreads VB/Trojan.Valyria
   • Domaintools: 477,068 websites use this address; IP location – Bodis, LLC, New York; AS395082 BODIS-NJ
   • OpenDNS: 612 malicious domains being blocked
   • Ransomware Tracker: ransomware infrastructure associated with IP: 9
   • IBM X-Force: Anonymization Services (43%), Malware (43%), Botnet C2 (29%); comment: Bodis, LLC operates a domain name monetization platform
   • Also: ThreatMiner, Cymon, AbuseIPDB, OTX, ThreatCrowd
17. Example: A Day In The Life (continued)
   • Day 2 @ 6:00am, BREAKFAST, GYM, SHOWER
   • Day 2 @ 8:45am – 9:00am, CONTINUE IP ADDRESS ISSUE: Decided to reach out to a private trust group of which I am a member.
18. Example: A Day In The Life (continued)
   • Day 2 @ 9:00am – 9:30am, WORKING WITH PEERS: Numerous other analysts seeing this traffic on their network. Consensus is that this is related to pixel[.]ad[.]minadvertising[.]com
19. Example: A Day In The Life (continued)
   • Day 2 @ 9:30am – 10:00am, CONTINUE IP ADDRESS ISSUE: Confirmed via DNS queries in OpenDNS. Added my own comments to OTX. Communicated FALSE POSITIVE to client.
20. Example: A Day In The Life (continued)
   • Day 2 @ 10:00am, CONTINUE SUSPICIOUS BINARY ISSUE: Review dynamic sandbox analysis results. Nothing glaringly bad happens after execution.
21. Example: A Day In The Life (continued)
   • Day 2 @ 10:30am, STRINGS AND IMPORTS: Identified a number of suspicious imports (e.g. IsDebuggerPresent, GetTickCount64, Sleep, etc.) often associated with malware.
22. Example: A Day In The Life (continued)
   • Day 2 @ 10:45am, CHECK THIRD-PARTY INTEL: VirusTotal and CarbonBlack showed multiple instances of this executable (wininfo.exe) having been uploaded for analysis. AV engines show as benign. Shows many standard executables being written to disk, however (e.g. svchost.exe, xcopy.exe, 7z.exe, etc.)
23. Example: A Day In The Life (continued)
   • Day 2 @ 11:00am, ANDREW SMASH!: Turns out that this is one of many executables that the client’s MSP deploys for “remote work and stuff”. Communicated FALSE POSITIVE to client.
24. Review By The Numbers…
   • 2: The number of issues the client said were “almost definitely” associated with malware or hackers.
25. Review By The Numbers… (continued)
   • 1: The number of IOCs per issue that triggered a threat hunting and incident response exercise.
26. Review By The Numbers… (continued)
   • 12: The number of hours spent investigating the two issues.
27. Review By The Numbers… (continued)
   • 0: The number of actual issues uncovered as a result of the investigation.
28. Review By The Numbers… (continued)
   • 5K: The ballpark monetary cost (in USD) of having me look into these two issues.
29. Review By The Numbers… (continued)
   • ∞: The value of the experience in providing me a CFP topic to present.
30. A Quality IOC
   • A quality IOC should empower/enable an analyst to…
   • Fully analyze successful and unsuccessful intrusions by threat actors
   • Construct descriptions of campaigns, actors, and organizations
   • Seek out, collect, and properly exploit intelligence from others
   • Generate intelligence from their own data sources and share it accordingly
   • Manage intelligence to further the objectives of their organization
31. Good vs. Bad IOCs
   • Bad: Indicators without context → Good: Indicators with context related to your business
   • Bad: Indicators from an untrusted source → Good: Indicators from trusted peers, organizations, or entities
   • Bad: Port scan-derived indicators → Good: Indicators derived from undertaken response activities
   • Bad: Old or dated indicators → Good: Recent and validated indicators
   • Bad: Report delivered indicators → Good: Ingestible indicators
32. David J Bianco’s Pyramid of Pain
   • Top to bottom: TTPs, Tools, Network/Host Artifacts, Domain Names, IP Addresses, Hash Values
   • Axes: value increases toward the top; ease of acquisition increases toward the bottom
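One way to turn the Good vs. Bad IOC table and the Pyramid of Pain into a repeatable triage score, written as an added example rather than anything from the deck: the weights, thresholds and field names are assumptions, and the only page values used are the defanged OTX address and the 477,068 shared websites from the Day-in-the-Life timeline.

```python
"""IOC triage scorer: added example, not from the deck. Weights, thresholds and
field names are assumptions encoding "Good vs. Bad IOCs" and the Pyramid of Pain."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Pyramid of Pain, least valuable first: hash -> IP -> domain -> artifact -> tool -> TTP.
PYRAMID = ["hash", "ip", "domain", "artifact", "tool", "ttp"]
# Report-delivered indicators are usually defanged ("[.]", "(.)", "hxxp://").
_DEFANGED_DOT = re.compile(r"\[\.\]|\(\.\)|\{\.\}")


def refang(value: str) -> str:
    """Turn a report-delivered (defanged) indicator into an ingestible one."""
    value = _DEFANGED_DOT.sub(".", value)
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)


@dataclass
class IOC:
    value: str
    level: str             # one of PYRAMID
    trusted_source: bool   # trusted peers/organizations, not an anonymous feed
    age_days: int          # old or dated indicators lose value
    has_context: bool      # context related to *your* business
    validated: bool        # confirmed malicious by your own NSM/DNS/host data
    shared_hosts: int = 0  # unrelated sites sharing the address (parked/CDN/ads)


def score(ioc: IOC) -> float:
    """Weight a single IOC on an assumed scale from ~0 (noise) to 8.0 (validated TTP)."""
    s = 1.0 + PYRAMID.index(ioc.level)       # climb the pyramid
    s *= 1.0 if ioc.trusted_source else 0.5  # untrusted source: halve it
    s *= 1.0 if ioc.age_days <= 30 else 0.5  # stale indicator: halve it
    s += 1.0 if ioc.has_context else 0.0
    s += 1.0 if ioc.validated else 0.0
    if ioc.shared_hosts > 1000:              # heavily shared address: weak signal
        s *= 0.25
    return round(s, 2)


def triage(iocs: list[IOC], declare_at: float = 5.0, investigate_at: float = 1.0) -> str:
    """Sum the evidence for one issue; a lone hash or IP cannot reach declare_at."""
    total = sum(score(i) for i in iocs)
    if total >= declare_at:
        return "declare incident"
    if total >= investigate_at:
        return "gather more context"
    return "close as false positive"


# Constructed walk-through of the deck's Day 1 alert: a single OTX-sourced IP.
ALERT = IOC(refang("199[.]59[.]242[.]150"), "ip", False, 0, False, False)
# Day 2 enrichment: 477,068 websites share the address and peers call it ad-pixel traffic.
ENRICHED = IOC(ALERT.value, "ip", False, 0, False, False, shared_hosts=477068)
```

Run `triage([ALERT])` and `triage([ENRICHED])` to see the same single IOC move from "gather more context" to "close as false positive" once its context arrives.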
33. Agenda (section divider; same items as slide 2)
34. A Word About Intelligence vs. Information
   • Intelligence is information (or data) that has been analyzed to answer a specific question
   • At the initial stage, we are grabbing as much potentially useful information as we can find, which we will then analyze to determine whether it is something that we want to include in the remaining steps
   *Roberts, Scott J; Brown, Rebekah. Intelligence-Driven Incident Response: Outwitting the Adversary (Kindle Locations 1531-1536). O'Reilly Media. Kindle Edition.
35. The (SANS) Active Cyber Defense Cycle
   • Phase I: Threat Intelligence Consumption
   • Phase II: Network Security Monitoring
   • Phase III: Incident Response
   • Phase IV: Threat & Environment Manipulation
36. Phase I: Consumption
   • Understand the Organization: Conceptualize critical assets; Identify intelligence gaps; Consider future security changes
   • Translate Intelligence: Prioritize generated intelligence; Put intelligence in usable form; Ensure correct usage of IOCs
   • Internal Knowledge Management: Collect internal threat data; Manage/store lessons learned; Share with those generating intel
37. Phase II: Network Monitoring
   • Identify the Assets: Record network changes; Understand network topologies; Make architecture suggestions
   • Hunt for the Adversary: Collect data; Alert on threats; Analyze to ensure true positive
   • Assist Incident Responders: Help drive decision to start IR; Monitor the scope of the infection; Supply IR with relevant data
38. Managing Your IOCs
   • As with any security problem, there is a single platform to solve the problem
39. Managing Your IOCs (continued)
   • "there is a single platform" is struck through on this build and replaced with: there are a seemingly unlimited number of tools to solve the problem
40. Managing Your IOCs (continued)
   • Luckily, there are free, inexpensive, and mature commercial platforms to help
41. Free IOC “Management” Tools
   • GOSINT: The GOSINT framework is a project used for collecting, processing, and exporting high quality indicators of compromise (IOCs). https://github.com/ciscocsirt/GOSINT
   • MISP - Open Source Threat Intelligence Platform: A threat intelligence platform for gathering, sharing, storing and correlating Indicators of Compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information. https://www.misp-project.org/
42. Free IOC “Management” Tools (continued)
   • Yeti - Your everyday threat intelligence: Platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository. Yeti will also automatically enrich observables (e.g. resolve domains, geolocate IPs) so that you don't have to. https://github.com/yeti-platform/yeti
   • Collective Intelligence Framework (CIF): CIF allows you to combine known malicious threat information from many sources and use that information for incident response, detection and mitigation. http://csirtgadgets.org/
43. Agenda (section divider; same items as slide 2)
44. Declaring an Incident
   • Is it an incident yet?
   • Now you have data and intelligence…should you declare an incident?
   • An incident is the act of violating an explicit or implied security policy according to NIST Special Publication 800-61
   • Of course, this definition relies on the existence of a security policy that, while generally understood, varies among organizations
45. Declaring an Incident (continued)
   • Unsure what constitutes a “violation”? Use the following:
   • USAGE: The unauthorized use of a system for the processing or storage of data
   • DISRUPTION: Unwanted disruption or denial of service
   • CHANGES: Changes to system HW, FW, or SW characteristics w/o owner knowledge, instruction, or consent
   • ACCESS: Attempts (either failed or successful) to gain unauthorized access to a system or its data
46. Phase III: Incident Response
   • Scope the Infection: Leverage IOCs; Integrate NSM efforts; Preserve forensic evidence
   • Timely Response: Keep business operations running; Empower decision makers; IR steps to ensure success
   • Collect Threat Samples: Identify threat variants; Collect samples for REM analysts; Keep aware of threat responses
47. Phase IV: Threat & Environment Manipulation
   • De-Duplication: Collect and document samples; Use threat intel to see if known; Use known info or analyze
   • Timely Malware Analysis: Use automated sandboxes; Perform behavioral analysis; Identify capabilities and impact
   • Environment Manipulation: Encourage defenses that counter; Use logical architecture vs. C2; Make recommendations for future
48. When All Else Fails…
   • Trust your gut…
   • Declare an incident if:
   • You know it’s necessary
   • You’re not sure it’s necessary
   • You’re told it’s necessary by a partner, peer, friend, superior, customer, etc.
   • You have a feeling it might be necessary
49. Agenda (section divider; same items as slide 2)
50. Summary
   • IOC mantra: Garbage in, Garbage out
   • If wielded properly, IOCs can accelerate incident response activities
   • If automated, even more so
   • If you chase a single IOC, you might not have enough context to confidently declare an incident
51. Further Reading
   • Awesome Threat Detection and Hunting: https://github.com/0x4D31/awesome-threat-detection
   • Awesome Threat Intelligence: https://github.com/hslatman/awesome-threat-intelligence
   • MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™): https://attack.mitre.org/wiki/Main_Page
52. Bonus Task
   • Determine what the following domain is used for: militarysurpluspotsandpans[.]com
   • If you think you’ve figured it out, message me on Twitter at @andrewsmhay
53. Questions? Thank You!
   Visit Us At: https://www.leocybersecurity.com
   LEO Cyber Security, 1612 Summit Avenue, Suite 415, Ft. Worth, TX 76102, +1.530.FINDLEO, [email protected], www.leocybersecurity.com, @LeoCyberSec
   Andrew Hay, CTO, +1.650.532.3555, [email protected], www.leocybersecurity.com, @andrewsmhay