“I” Before “R” Except After “IOC”

Transcript

1. www.leocybersecurity.com 1 The Top 3 Risks of Moving to Cloud

   “I” Before “R” Except After “IOC” Andrew Hay, CTO, LEO Cyber Security +1.650.532.3555 [email protected] https://www.leocybersecurity.com @andrewsmhay

2. www.leocybersecurity.com 2 Summary Introduction Agenda The True Value of a

   Single IOC Quantify and Utilize Your IOCs When You Should Declare an Incident

3. www.leocybersecurity.com 3 About Me • Co-Founder and Chief Technology Officer

   (CTO) @ LEO Cyber Security • Former: • CISO @ DataGravity (now HyTrust) • Director of Research @ OpenDNS (now Cisco) • Chief Evangelist & Director of Research @ CloudPassage • Senior Security (Industry) Analyst @ 451 Research • Information Security Officer in higher education and financial services • Engineering manager @ Q1 Labs (now IBM) • Blogger, author, and rugby coach

4. www.leocybersecurity.com 4 Introduction • The security industry touts indicators of

   compromise (IOCs) as much needed threat intelligence (TI) in the war on attackers • The fact is that not every IOC is valuable enough to trigger an incident response (IR) activity • All too often our provided indicators contain information of varying quality including expired attribution, dubious origin, and incomplete details

5. www.leocybersecurity.com 5 Summary Introduction Agenda The True Value of a

   Single IOC Quantify and Utilize Your IOCs When You Should Declare an Incident

6. www.leocybersecurity.com 6 Why IOCs (and TI) Get a Bad Rap

   • What if… • A single threat intelligence-sourced alert generates $1000 worth of time to investigate a false positive? • An intelligence producer reports incorrectly categorizes a threat as APT (say instead of cyber crime)? • Every poor quality report costs time to read and digest • Every poor association or correlation derails an analytic effort at an organization Sourced from http://www.activeresponse.org/the-cost-of-bad-threat-intelligence/

7. www.leocybersecurity.com 7 Example: A Day In The Life

8. www.leocybersecurity.com 8 Example: A Day In The Life Alternate Title:

   “How Andrew Chased His Tail for 2 Days”

9. www.leocybersecurity.com 9 Example: A Day In The Life Endpoint security

   product detected outbound communications with an IP address identified by AlienVault OTX as being malicious. 199[.]59[.]242[.]150 Day 1 @ 10:30am SUSPICIOUS IP DETECTED

10. www.leocybersecurity.com 10 Example: A Day In The Life Start reviewing

    comments on AlienVault OTX. IP known to be associated with spam delivery, malware, and legitimate sites. Day 1 @ 11:00am INVESTIGATION BEGINS Endpoint security product detected outbound communications with an IP address identified by AlienVault OTX as being malicious. 199[.]59[.]242[.]150 Day 1 @ 10:30am SUSPICIOUS IP DETECTED

11. www.leocybersecurity.com 11 Had to stop investigating due to mandatory team

    meeting. Day 1 @ 11:30am – 2:00pm WEEKLY TEAM MEETING

12. www.leocybersecurity.com 12 Had to drive home to get water heater

    replaced. SF traffic sucks! Day 1 @ 2:30pm – 4:00pm DRIVE HOME / TRAFFIC Had to stop investigating due to mandatory team meeting. Day 1 @ 11:30am – 2:00pm WEEKLY TEAM MEETING

13. www.leocybersecurity.com 13 Had to drive home to get water heater

    replaced. SF traffic sucks! Day 1 @ 2:30pm – 4:00pm DRIVE HOME / TRAFFIC Host executed a never-before-seen binary. User had no idea how it got there and did not launch it. Day 1 @ 4:00pm INSERTION: ANOTHER ISSUE ARISES Had to stop investigating due to mandatory team meeting. Day 1 @ 11:30am – 2:00pm WEEKLY TEAM MEETING

14. www.leocybersecurity.com 14 Remotely pulled binary from running system. Day 1

    @ 4:17pm FETCH BINARY FOR ANALYSIS

15. www.leocybersecurity.com 15 Remotely pulled binary from running system. Day 1

    @ 4:17pm FETCH BINARY FOR ANALYSIS Dynamic analysis using several automated sandbox systems (all in private mode). Day 1 @ 4:18pm UPLOAD BINARY TO SANDBOX

16. www.leocybersecurity.com 16 Remotely pulled binary from running system. Day 1

    @ 4:17pm FETCH BINARY FOR ANALYSIS Dynamic analysis using several automated sandbox systems (all in private mode). Day 1 @ 4:18pm UPLOAD BINARY TO SANDBOX Completely separate issue arises at another client with a newly installed network sensor. Day 1 @ 4:40pm – 5:30pm INSERTION: NETWORK SENSOR

17. www.leocybersecurity.com 17 Om-nom-nom-nom. Day 1 @ 5:30pm – 6:45pm DINNER

18. www.leocybersecurity.com 18 Can’t fix remotely, need to send someone onsite.

    Day 1 @ 7:00pm NETWORK SENSOR ISSUE REQUIRES ONSITE Om-nom-nom-nom. Day 1 @ 5:30pm – 6:45pm DINNER

19. www.leocybersecurity.com 19 Can’t fix remotely, need to send someone onsite.

    Day 1 @ 7:00pm NETWORK SENSOR ISSUE REQUIRES ONSITE Om-nom-nom-nom. Day 1 @ 5:30pm – 6:45pm DINNER Start checking third-party intel tools. Day 1 @ 7:00pm CONTINUE IP ADDRESS ISSUE

20. www.leocybersecurity.com 20 GTO-CERT • Reported this IP as being associated

    with M2M – Malspam • Spreads VB/Trojan.Valyria Domaintools • 477,068 websites use this address • IP location – Bodis, LLC, New York • AS395082 BODIS-NJ OpenDNS • 612 malicious domains being blocked Ransomware Tracker • Ransomware infrastructure associated with IP: 9 IBM X-Force • Anonymization Services (43%), Malware (43%), Botnet C2 (29%) • Comment: Bodis, LLC operates a domain name monetization platform Also: ThreatMiner, Cymon, AbuseIPB, OTX, ThreatCrowd Day 1 @ 7:00pm – 8:00pm THIRD-PARTY TOOL INTEL

21. www.leocybersecurity.com 21 Day 2 @ 6:00am BREAKFAST, GYM, SHOWER

22. www.leocybersecurity.com 22 Day 2 @ 6:00am BREAKFAST, GYM, SHOWER

23. www.leocybersecurity.com 23 Day 2 @ 6:00am BREAKFAST, GYM, SHOWER Decided

    to reach out to a private trust group of which I am a member. Day 2 @ 8:45am – 9:00am CONTINUE IP ADDRESS ISSUE

24. www.leocybersecurity.com 24 Day 2 @ 6:00am BREAKFAST, GYM, SHOWER Decided

    to reach out to a private trust group of which I am a member. Day 2 @ 8:45am – 9:00am CONTINUE IP ADDRESS ISSUE Numerous other analysts seeing this traffic on their network. Consensus is that this is related to pixel[.]ad[.]minadvertising[.]com Day 2 @ 9:00am – 9:30am WORKING WITH PEERS

25. www.leocybersecurity.com 25 Day 2 @ 6:00am BREAKFAST, GYM, SHOWER Decided

    to reach out to a private trust group of which I am a member. Day 2 @ 8:45am – 9:00am CONTINUE IP ADDRESS ISSUE Numerous other analysts seeing this traffic on their network. Consensus is that this is related to pixel[.]ad[.]minadvertising[.]com Day 2 @ 9:00am – 9:30am WORKING WITH PEERS Confirmed via DNS queries in OpenDNS. Added my own comments to OTX. Communicated FALSE POSITIVE to client. Day 2 @ 9:30am – 10:00am CONTINUE IP ADDRESS ISSUE

26. www.leocybersecurity.com 26 Review dynamic sandbox analysis results. Nothing glaringly bad

    happens after execution. Day 2 @ 10:00am CONTINUE SUSPICIOUS BINARY ISSUE

27. www.leocybersecurity.com 27 Review dynamic sandbox analysis results. Nothing glaringly bad

    happens after execution. Day 2 @ 10:00am CONTINUE SUSPICIOUS BINARY ISSUE Identified a number of suspicious imports (e.g. IsDebuggerPresent, GetTickCount64, Sleep, etc.) often associated with malware. Day 2 @ 10:30am STRINGS AND IMPORTS

28. www.leocybersecurity.com 28 Review dynamic sandbox analysis results. Nothing glaringly bad

    happens after execution. Day 2 @ 10:00am CONTINUE SUSPICIOUS BINARY ISSUE Identified a number of suspicious imports (e.g. IsDebuggerPresent, GetTickCount64, Sleep, etc.) often associated with malware. Day 2 @ 10:30am STRINGS AND IMPORTS VirusTotal and CarbonBlack showed multiple instances of this executable (wininfo.exe) having been uploaded for analysis. AV engines show as benign. Shows many standard executables being written to disk, however (e.g. svchost.exe, xcopy.exe, 7z.exe, etc.) Day 2 @ 10:45am CHECK THIRD-PARTY INTEL

29. www.leocybersecurity.com 29 Review dynamic sandbox analysis results. Nothing glaringly bad

    happens after execution. Day 2 @ 10:00am CONTINUE SUSPICIOUS BINARY ISSUE Identified a number of suspicious imports (e.g. IsDebuggerPresent, GetTickCount64, Sleep, etc.) often associated with malware. Day 2 @ 10:30am STRINGS AND IMPORTS VirusTotal and CarbonBlack showed multiple instances of this executable (wininfo.exe) having been uploaded for analysis. AV engines show as benign. Shows many standard executables being written to disk, however (e.g. svchost.exe, xcopy.exe, 7z.exe, etc.) Day 2 @ 10:45am CHECK THIRD-PARTY INTEL Turns out that this is one of many executables that the client’s MSP deploys for ”remote work and stuff”. Communicated FALSE POSSITIVE to client. Day 2 @ 11:00am ANDREW SMASH!

30. www.leocybersecurity.com 30 Review By The Numbers… The number of issues

    the client said were “almost definitely” associated with malware or hackers. 2

31. www.leocybersecurity.com 31 Review By The Numbers… The number of issues

    the client said were “almost definitely” associated with malware or hackers. 2 The number of IOCs per issue that triggered a threat hunting and incident response exercise. 1

32. www.leocybersecurity.com 32 Review By The Numbers… The number of issues

    the client said were “almost definitely” associated with malware or hackers. 2 The number of IOCs per issue that triggered a threat hunting and incident response exercise. 1 12 The number of hours spent investigating the two issues.

33. www.leocybersecurity.com 33 Review By The Numbers… The number of actual

    issues uncovered as a result of the investigation. 0

34. www.leocybersecurity.com 34 Review By The Numbers… The number of actual

    issues uncovered as a result of the investigation. 0 The ballpark monetary cost (in USD) of having me look into these two issues. 5K

35. www.leocybersecurity.com 35 Review By The Numbers… The number of actual

    issues uncovered as a result of the investigation. 0 The ballpark monetary cost (in USD) of having me look into these two issues. 5K ∞ The value of the experience in providing me a CFP topic to present.

36. www.leocybersecurity.com 36 A Quality IOC • A quality IOC should

    empower/enable an analyst to… • Fully analyze successful and unsuccessful intrusions by threat actors • Construct descriptions of campaigns, actors, and organizations • Seek out, collect, and properly exploit intelligence from others • Generate intelligence from their own data sources and share it accordingly • Manage intelligence to further the objectives of their organization

37. www.leocybersecurity.com 37 Good vs. Bad IOCs Bad Good Indicators without

    context Indicators with context related to your business Indicators from an untrusted source Indicators from trusted peers, organizations, or entities Port scan-derived indicators Indicators derived from undertaken response activities Old or dated indicators Recent and validated indicators Report delivered indicators Ingestible indicators

38. www.leocybersecurity.com 38 David J Bianco’s Pyramid of Pain TTPs Tools

    Network/Host Artifacts Domain Names IP Addresses Hash Values value ease of acquisition

39. www.leocybersecurity.com 39 Summary Introduction Agenda Quantify and Utilize Your IOCs

    The True Value of a Single IOC When You Should Declare an Incident

40. www.leocybersecurity.com 40 A Word About Intelligence vs. Information • Intelligence

    is information (or data) that has been analyzed to answer a specific question • At the initial stage, we are grabbing as much potentially useful information as we can find, which we will then analyze to determine whether it is something that we want to include in the remaining steps *Roberts, Scott J; Brown, Rebekah. Intelligence-Driven Incident Response: Outwitting the Adversary (Kindle Locations 1531-1536). O'Reilly Media. Kindle Edition.

41. www.leocybersecurity.com 41 The (SANS) Active Cyber Defense Cycle Network Security

    Monitoring Incident Response Threat & Environment Manipulation Threat Intelligence Consumption Phase III Phase II Phase I Phase IV

42. www.leocybersecurity.com 42 Phase I: Consumption • Conceptualize critical assets •

    Identify intelligence gaps • Consider future security changes Understand the Organization • Prioritize generated intelligence • Put intelligence in usable form • Ensure correct usage of IOCs Translate Intelligence • Collect internal threat data • Manage/store lessons learned • Share with those generating intel Internal Knowledge Management

43. www.leocybersecurity.com 43 Phase II: Network Monitoring • Record network changes

    • Understand network topologies • Make architecture suggestions Identify the Assets • Collect data • Alert on threats • Analyze to ensure true positive Hunt for the Adversary • Help drive decision to start IR • Monitor the scope of the infection • Supply IR with relevant data Assist Incident Responders

44. www.leocybersecurity.com 44 Managing Your IOCs • As with any security

    problem, there is a single platform to solve the problem

45. www.leocybersecurity.com 45 Managing Your IOCs • As with any security

    problem, there is a single platform are a seemingly unlimited number of tools to solve the problem

46. www.leocybersecurity.com 46 Managing Your IOCs • As with any security

    problem, there is a single platform are a seemingly unlimited number of tools to solve the problem • Luckily, there are free, inexpensive, and mature commercial platforms to help

47. www.leocybersecurity.com 47 Free IOC “Management” Tools • GOSINT • The

    GOSINT framework is a project used for collecting, processing, and exporting high quality indicators of compromise (IOCs). • https://github.com/ciscocsirt/GOSINT • MISP - Open Source Threat Intelligence Platform • A threat intelligence platform for gathering, sharing, storing and correlating Indicators of Compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information. • https://www.misp-project.org/

48. www.leocybersecurity.com 48 Free IOC “Management” Tools • Yeti - Your

    everyday threat intelligence • Platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository. Yeti will also automatically enrich observables (e.g. resolve domains, geolocate IPs) so that you don't have to. • https://github.com/yeti-platform/yeti • Collective Intelligence Framework (CIF) • CIF allows you to combine known malicious threat information from many sources and use that information for incident response, detection and mitigation. • http://csirtgadgets.org/

49. www.leocybersecurity.com 49 More IOC “Management” Tools CO ST CO ST

50. www.leocybersecurity.com 50 Summary Introduction Agenda When You Should Declare an

    Incident The True Value of a Single IOC Quantify and Utilize Your IOCs

51. www.leocybersecurity.com 51 Declaring an Incident • Is it an incident

    yet? • Now you have data and intelligence…should you declare an incident? • An incident is the act of violating an explicit or implied security policy according to NIST Special Publication 800-61 • Of course, this definition relies on the existence of a security policy that, while generally understood, varies among organizations

52. www.leocybersecurity.com 52 Declaring an Incident • Unsure what constitutes as

    “violation”? Use the following: The unauthorized use of a system for the processing or storage of data USAGE Unwanted disruption or denial of service DISRUPTION Changes to system HW, FW, or SW characteristics w/o owner knowledge, instruction, or consent CHANGES Attempts (either failed or successful) to gain unauthorized access to a system or its data ACCESS

53. www.leocybersecurity.com 53 Phase III: Incident Response • Leverage IOCs •

    Integrate NSM efforts • Preserve forensic evidence Scope the Infection • Keep business operations running • Empower decision makers • IR steps to ensure success Timely Response • Identify threat variants • Collect samples for REM analysts • Keep aware of threat responses Collect Threat Samples

54. www.leocybersecurity.com 54 Phase IV: Threat & Environment Manipulation • Collect

    and document samples • Use threat intel to see if known • Use known info or analyze De-Duplication • Use automated sandboxes • Perform behavioral analysis • Identify capabilities and impact Timely Malware Analysis • Encourage defenses that counter • Use logical architecture vs. C2 • Make recommendations for future Environment Manipulation

55. www.leocybersecurity.com 55 When All Else Fails… • Trust your gut…

    • Declare an incident if: • You know it’s necessary • You’re not sure it’s necessary • You’re told it’s necessary by a • Partner, peer, friend, superior, customer, etc. • You have a feeling it might be necessary

56. www.leocybersecurity.com 56 Summary Introduction Agenda When You Should Declare an

    Incident The True Value of a Single IOC Quantify and Utilize Your IOCs

57. www.leocybersecurity.com 57 Place Subtitle Here • IOC mantra: Garbage in,

    Garbage out • If wielded properly, IOCs can accelerate incident response activities • If automated, even more so • If you chase a single IOC, you might not have enough context to confidently declare an incident Summary

58. www.leocybersecurity.com 58 Further Reading • Awesome Threat Detection and Hunting

    • https://github.com/0x4D31/awesome-threat-detection • Awesome Threat Intelligence • https://github.com/hslatman/awesome-threat-intelligence • MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) • https://attack.mitre.org/wiki/Main_Page

59. www.leocybersecurity.com 59 Place Subtitle Here • Determine what the following

    domain is used for: militarysurpluspotsandpans[.]com • If you think you’ve figured it out, message me on Twitter at @andrewsmhay J Bonus Task

60. www.leocybersecurity.com 60 Visit Us At: https://www.leocybersecurity.com LEO Cyber Security 1612

    Summit Avenue, Suite 415, Ft. Worth, TX 76102 +1.530.FINDLEO [email protected] www.leocybersecurity.com @LeoCyberSec Questions? Thank You! Andrew Hay, CTO +1.650.532.3555 [email protected] www.leocybersecurity.com @andrewsmhay