This presentation was delivered at CyberCon AISA in Melbourne. It covers threat intelligence and open-source technologies including OpenCTI, ELK and Jupyter.
Practical Threat Intelligence: How to Build Your Own Workflow Using Open Source to Monitor Modern Threats
Thomas Roccia, Sr. Security Researcher at Microsoft, @fr0gger
What will be covered?
• What is Threat Intelligence?
• How to deal with a huge amount of data?
• Overview of the lab
• Introducing OpenCTI
• Elasticsearch for other data intelligence
• The power of Jupyter
What is Threat Intelligence?
• Threat Intelligence is knowledge that allows you to prevent or mitigate cyberattacks.
• Rooted in data, threat intelligence gives you context that helps you make informed decisions about your security by answering questions like:
  • Who is attacking you?
  • What are their motivations and capabilities?
  • What IOCs should you look for in your systems?
Threat Intelligence Process
Hunt and pivot for new attacks:
• Create YARA, Sigma and Snort rules
• Identify code similarities
• Search for infrastructure overlap and passive DNS
• Mass scanning to uncover new C2s
• Set up honeypots
• Get information from private sources
Understand victimology:
• Who/where are the targets? Which sectors?
• Make the connections to past attacks.
• Find a link with the geopolitical context.
Goal of the Lab
• Classify external threat reports and centralize the data
• Track IOCs and TTPs
• Analyze different kinds of data, such as data leaks, OSINT…
• Empower analysts with ready-to-use tools
• Articulate everything and build your threat intel practice
OpenCTI
• OpenCTI is a French open-source project.
• Used to classify and track threat actors.
• Can be used to document actors, campaigns, tools and more…
• Modules (connectors) can be easily added in Python for enrichment.
• An API is available for automation.
• OpenCTI: Open platform for cyber threat intelligence
ELK for Ingesting Data
• The ELK stack is a powerful tool to analyse data.
• The data can be ingested via Logstash.
• Kibana is used for creating dashboards and visualisations.
• ELK can be useful for all kinds of data analysis:
  • Data leaks
  • Detection logs
  • Monitoring
  • Anything else
Pipeline: Data → Logstash (processing) → Elasticsearch (storage) → Kibana (visualization)
*Logstash, Elasticsearch and Kibana are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.
Practical Example: ELK with MalwareBazaar
• MalwareBazaar is an open malware database.
• It helps provide an overview of the data.
• Daily samples are uploaded and analysed by the community.
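As an added example (not code from the talk), the following Python normalises MalwareBazaar-style sample records into Elasticsearch bulk-index documents and summarises them by malware family, which is the preparation step before Logstash or a direct bulk request loads them. The records are constructed inline and the field names are an assumption modelled on the MalwareBazaar API; the hashes are dummy values.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample records shaped like MalwareBazaar "recent samples" entries
# (field names are an assumption; hashes are placeholders, not real indicators).
SAMPLE_RECORDS = [
    {"sha256_hash": "a" * 64, "md5_hash": "b" * 32, "file_type": "exe",
     "signature": "AgentTesla", "first_seen": "2022-10-03 08:15:22",
     "tags": ["AgentTesla", "exe"]},
    {"sha256_hash": "c" * 64, "md5_hash": "e" * 32, "file_type": "dll",
     "signature": None, "first_seen": "2022-10-03 09:02:10", "tags": ["dll"]},
    {"sha256_hash": "d" * 64, "md5_hash": "f" * 32, "file_type": "exe",
     "signature": "AgentTesla", "first_seen": "2022-10-04 11:30:00",
     "tags": ["exe", "AgentTesla", "exe"]},
    {"md5_hash": "0" * 32, "file_type": "exe", "signature": "Unknown"},  # no sha256: dropped
]


def normalize(record):
    """Map one raw record onto a flat Elasticsearch document, or None if unusable."""
    sha256 = record.get("sha256_hash")
    if not sha256 or len(sha256) != 64:
        return None  # the sha256 is the document id, so it must be present
    seen = record.get("first_seen")
    ts = (datetime.strptime(seen, "%Y-%m-%d %H:%M:%S")
          .replace(tzinfo=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")) if seen else None
    return {
        "sha256": sha256.lower(),
        "md5": (record.get("md5_hash") or "").lower() or None,
        "file_type": record.get("file_type"),
        # unsigned samples carry a null signature; bucket them explicitly
        "signature": record.get("signature") or "unknown",
        "@timestamp": ts,                         # Kibana time field
        "tags": sorted(set(record.get("tags") or [])),  # dedupe for aggregations
    }


def to_bulk_ndjson(records, index="malware-bazaar"):
    """Build the body of an Elasticsearch _bulk request: action line, then document."""
    lines = []
    for doc in filter(None, (normalize(r) for r in records)):
        lines.append(json.dumps({"index": {"_index": index, "_id": doc["sha256"]}}))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"


def count_by_signature(records):
    """Quick family overview of a batch, the same view a Kibana terms aggregation gives."""
    return Counter(d["signature"] for d in map(normalize, records) if d)
```

The NDJSON string can be posted as-is to the cluster's `_bulk` endpoint, or written to a file and picked up by a Logstash file input.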
JupyterLab
• JupyterLab is a web-based interactive development environment for notebooks, code, and data.
• It is a great tool to share your code with others.
• It can be used to create workflows and procedures.
MSTICpy
• Querying log data from multiple sources
• Machine learning analysis
• Extracting Indicators of Activity (IoA) from logs and unpacking encoded data
• Performing analysis such as anomalous session detection and time series decomposition
• Visualizing data using interactive timelines, process trees and multidimensional Morph Charts
• Enriching data with TI, geolocation…
Take Away
• The amount of information available can be overwhelming.
• Threat Intelligence is the process of sorting and making sense of all the data.
• Threat Intelligence requires trained people.
• Open-source technologies can help and bolster your teams during investigation and analysis.
• Centralised platforms are great for building a common knowledge base.
• Python and Jupyter empower analysts and help make sense of the stored data.