
AISA - Practical Threat Intelligence

Thomas Roccia
October 11, 2022

This presentation was delivered at CyberCon AISA in Melbourne. It covers threat intelligence and open-source technologies, including OpenCTI, ELK and Jupyter.


Transcript

  1. Practical Threat Intelligence
    How to Build Your Own Workflow Using Open Source to Monitor Modern Threats
    Thomas Roccia
    Sr. Security Researcher at Microsoft
    @fr0gger

  2. WHOAMI
    Thomas Roccia
    Sr. Security Researcher at Microsoft
    From France to Australia
    https://SecurityBreak.io
    @fr0gger_

  3. What will be covered?
    What is Threat Intelligence?
    How to deal with a huge amount of data?
    Overview of the LAB
    Introducing OpenCTI
    ElasticSearch for other data intelligence
    The power of Jupyter

  4. INFOBESITY
    Geopolitics
    Affiliates
    Nation-State

  5. What is Threat Intelligence?
    • Threat Intelligence is knowledge that allows you to prevent or mitigate cyberattacks.
    • Rooted in data, threat intelligence gives you context that helps you make informed decisions about your security by answering questions like:
      • Who is attacking you?
      • What are their motivations and capabilities?
      • Which IOCs should you look for in your systems?

  6. Types of Intelligence
    Tactical
    • Malware analysis
    • Threat indicators
    • Improve detection
    Audience: SOC analysts, SIEM, endpoints, detection engineering
    Operational
    • Adversarial capabilities
    • Infrastructure
    • TTPs
    Audience: threat hunters, incident response, SOC analysts
    Strategic
    • High-level trends
    • Adversarial motives
    • Strategic decisions
    Audience: CISO, CIO, CTO, executives

  7. Threat Intelligence Process
    Collect & classify intelligence reports:
    • Advanced Persistent Threats, threat actors
    • Tactics, Techniques and Procedures
    • Vulnerability reports
    Define your requirements. Understand international relations and the geopolitical context.

  8. Threat Intelligence Process
    Collect & classify Indicators of Compromise (IOC):
    • Incident Response
    • Open-Source Intelligence (OSINT)
    • Threat Hunting
    Analyze & triage IOCs:
    • Malware and/or vulnerability analysis
    • Infrastructure mapping, new domains

  9. Threat Intelligence Process
    Hunt & pivot for new attacks:
    • Create YARA, Sigma and Snort rules
    • Identify code similarities
    • Search for infrastructure overlap & passive DNS
    • Mass scanning to uncover new C2s
    • Set up honeypots
    • Get information from private sources
    Understand victimology:
    • Who/where are the targets? Which sectors?
    • Make the connections to past attacks.
    • Find a link with the geopolitical context.

  10. Threat Intelligence Process
    Share intelligence, dispatch IOCs,
    improve the knowledge base.
    Iterate & improve the process.

  11. Goal of the Lab
    Classify external threat reports and centralize the data
    Track IOCs and TTPs
    Analyze different kinds of data, such as data leaks, OSINT…
    Empower analysts with ready-to-use tools
    Articulate everything and build your Threat Intel practice

  12. Lab Overview
    OpenCTI: external threat reports, tracking threat actors, TTPs
    ELK: incident response, feeds, OSINT, data leaks, other data
    Jupyter: notebooks, data analytics, malware analysis, intelligence analysis
    Analysts: the users of all three components

  13. OpenCTI
    • OpenCTI is a French Open-Source project.
    • Used to classify and track threat actors
    • Can be used to document actors, campaigns, tools and more…
    • Modules can be easily added in Python for enrichment.
    • API available for automations.
    • OpenCTI - Open platform for cyber threat intelligence

  14. (screenshot slide, no text)

  15. (screenshot slide, no text)

  16. ELK For Ingesting data
    • The ELK stack is a powerful tool to analyse data.
    • The data can be ingested via Logstash.
    • Kibana is used for creating dashboards and visualisation.
    • ELK can be useful for all kinds of data analysis:
      • Data leaks
      • Detection logs
      • Monitoring
      • Anything else
    Pipeline: Data → Logstash (data processing) → Elasticsearch (storage) → Kibana (visualization)
    *Logstash, Elasticsearch and Kibana are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.

  17. Practical Example ELK With Malware Bazaar
    • Malware Bazaar is an open malware database.
    • It provides an overview of the data.
    • Samples are uploaded and analysed daily by the community.

  18. (screenshot slide, no text)

  19. Jupyter Lab
    • JupyterLab is a web-based interactive development environment for notebooks, code, and data.
    • It is a great tool to share your code with others.
    • It can be used to create workflows and procedures.

  20. Jupyter to ELK

  21. Analyzing the data with Jupyter


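As an added example (not code from the deck, nor from MalwareBazaar, Elastic or Jupyter), this Python script shows the Jupyter-to-ELK step behind slides 17, 20 and 21: records shaped like MalwareBazaar's `get_recent` API results (field names follow the public API; the values here are constructed) are turned into an Elasticsearch `_bulk` body keyed on the SHA-256, then pivoted by family and file type the way an analyst would in a notebook.

```python
import json
from collections import Counter

# Constructed records shaped like MalwareBazaar "get_recent" results.
# Field names follow the public bazaar.abuse.ch API; hashes and names are fake.
SAMPLE_RECORDS = [
    {"sha256_hash": "aa" * 32, "file_name": "invoice.exe", "file_type": "exe",
     "signature": "AgentTesla", "first_seen": "2022-10-10 08:12:44",
     "tags": ["exe", "AgentTesla"]},
    {"sha256_hash": "bb" * 32, "file_name": "update.dll", "file_type": "dll",
     "signature": None, "first_seen": "2022-10-10 09:01:03", "tags": ["dll"]},
    {"sha256_hash": "cc" * 32, "file_name": "doc.xlsm", "file_type": "xlsm",
     "signature": "AgentTesla", "first_seen": "2022-10-11 01:45:10",
     "tags": ["xlsm", "AgentTesla", "macro"]},
]


def to_bulk_ndjson(records, index="malwarebazaar"):
    """Build an Elasticsearch _bulk body: one action line plus one document line per record.
    The SHA-256 becomes the document _id, so re-running the ingest never duplicates a sample."""
    lines = []
    for rec in records:
        doc = dict(rec)
        # Unsigned samples get an explicit value so the field stays filterable in Kibana.
        doc["signature"] = rec.get("signature") or "unknown"
        # Bazaar timestamps are UTC; give Kibana an ISO-8601 @timestamp for the time picker.
        doc["@timestamp"] = rec["first_seen"].replace(" ", "T") + "Z"
        lines.append(json.dumps({"index": {"_index": index, "_id": rec["sha256_hash"]}}))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"  # the _bulk API requires a trailing newline


def summarize(records):
    """The kind of notebook pivot slide 21 is about: samples per family and per file type."""
    by_family = Counter((r.get("signature") or "unknown") for r in records)
    by_type = Counter(r["file_type"] for r in records)
    return {"by_family": dict(by_family), "by_type": dict(by_type)}


if __name__ == "__main__":
    print(to_bulk_ndjson(SAMPLE_RECORDS))
    print(summarize(SAMPLE_RECORDS))
```

The returned body is what you POST to the cluster's `/_bulk` endpoint with `Content-Type: application/x-ndjson`; Logstash is not needed when the notebook already has the records in hand.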
  22. MSTICpy
    • Querying log data from multiple sources
    • Machine learning analysis
    • Extracting Indicators of Activity (IOA) from logs and unpacking encoded data
    • Performing analysis such as anomalous session detection and time series decomposition
    • Visualizing data using interactive timelines, process trees and multidimensional Morph Charts
    • Enriching data with TI, geolocation…

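An added example, not msticpy's own code, of two of the slide-22 features written in plain Python: pulling indicators out of log lines, and unpacking a base64/UTF-16LE encoded PowerShell argument so that indicators hidden inside it are extracted as well. The log lines, hostnames and hash are constructed, and the TLD list in the domain pattern is deliberately short.

```python
import base64
import re

# Simplified indicator patterns (msticpy's IoCExtract covers many more types).
IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://[^\s\"')]+"),
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io)\b", re.I),  # short TLD list
}
# PowerShell -enc / -EncodedCommand arguments carry base64 of UTF-16LE text.
ENC_CMD = re.compile(r"-enc(?:odedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# Constructed log lines (no real telemetry); the encoded argument is built here so it is valid.
ENCODED = base64.b64encode("Write-Output http://example.com/report".encode("utf-16-le")).decode()
SAMPLE_LOGS = [
    f"2022-10-11T02:14:09Z host1 powershell.exe -enc {ENCODED}",
    "2022-10-11T02:14:12Z host1 outbound 10.0.0.5 -> 198.51.100.23:443 sni=update.example.net",
    "2022-10-11T02:15:00Z host2 file written c:\\users\\public\\a.exe sha256=" + "ab" * 32,
]


def unpack_encoded(line):
    """Return the decoded text of every encoded-command argument in a line (cf. msticpy base64unpack)."""
    decoded = []
    for blob in ENC_CMD.findall(line):
        try:
            decoded.append(base64.b64decode(blob).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):  # not base64 or not UTF-16LE: leave it alone
            continue
    return decoded


def extract_iocs(lines):
    """Extract indicators from the raw lines and from whatever unpack_encoded recovered from them."""
    found = {name: set() for name in IOC_PATTERNS}
    found["decoded_commands"] = set()
    for line in lines:
        texts = [line] + unpack_encoded(line)
        found["decoded_commands"].update(texts[1:])
        for text in texts:
            for name, pattern in IOC_PATTERNS.items():
                found[name].update(m.lower() for m in pattern.findall(text))
    return {name: sorted(values) for name, values in found.items()}


if __name__ == "__main__":
    for name, values in extract_iocs(SAMPLE_LOGS).items():
        print(name, values)
```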
  23. MSTICpy Enrichment

  24. Take Away
    The amount of information available can be overwhelming.
    Threat Intelligence is the process of sorting and making sense of all the data.
    Threat Intelligence requires trained people. Open-source technologies can help and bolster your teams during investigation and analysis.
    Centralised platforms are great for building a common knowledge base.
    Python and Jupyter empower analysts to make sense of the stored data.

  25. Resources
    • https://www.opencti.io/
    • https://www.elastic.co/what-is/elk-stack
    • https://jupyter.org/
    • https://msticpy.readthedocs.io/
    • https://bazaar.abuse.ch/
    • https://www.flaticon.com/
    • https://www.sans.org/tools/the-pyramid-of-pain/

  26. THANK YOU
    Thomas Roccia
    @fr0gger
