
Security course: external-network target intelligence gathering (資安課程 外網目標情資偵蒐)

jack chou
October 25, 2018


Transcript

  1. Background
     • Certifications: CEH, CHFI, Palo Alto Networks ACE, McAfee Vulnerability Manager
     • Experience: assisted the Investigation Bureau with the First Bank (第一銀行) illicit withdrawal case; built enterprise APT defenses; assisted enterprises with security incident handling; completed the 20-credit law program at Shih Hsin University
     • Specialties: Incident Response; Penetration Testing & Exploit Research; Malware Analysis; Security Solution Implementation
       – APT Gateway (TM DDI)
       – APT Mail (TM DDEI)
       – APT Sandbox (TM DDA)
       – APT Endpoint (CounterTack MDR)
  2. Agenda
     • OSINT
       – Introduction
       – Domain / IP
       – Email
       – People
     • Intelligence-gathering use cases
       – Attacker side
       – Enterprise defender side
       – Investigation and analysis side
  3. OSINT definition
     • Open-source intelligence (OSINT) is a legal term defined jointly by the US Director of National Intelligence and the US Department of Defense: intelligence produced from publicly available information that is collected, exploited, and disseminated in a timely manner to those with a specific intelligence requirement.
  4. OSINT positioning
     [Figure: the intelligence disciplines HUMINT, SIGINT, IMINT and MASINT feed all-source analysis alongside open source information and open source intelligence. The figure contrasts open source (5% of cost, 80% of value) with the classified disciplines (95% of cost, 20% of value) under all-source processing.]
  5. What is OSINT?
     • The central subject is people
     • Reconnaissance of intelligence
     • From publicly available information
     • To address a specific intelligence requirement
     • Newspapers, blogs, search engines ...
     • Government documents
     • Often undervalued though significant
  6. Why OSINT?
     • New employee
     • Criminal investigation
     • Missing children / runaway children
     • Human trafficking
     • Vandalism
     • Stealing
     • NOT for manhunts or SJW pile-ons on Dcard / PTT / ...
  7. OSINT includes but is not limited to
     • Location
     • Real name
     • Online ID / group / community
     • Phone number
     • Email
     • Credit card number / bank account
     • Date / time
     • Documents
     • Domain / IP address
     • URL
  8. Organizational Information Gathering
     • Organizational information gathering consists of the process of identifying the critical organizational elements of intelligence an adversary will need about a target in order to best attack it. Similar to competitive intelligence, organizational intelligence gathering focuses on understanding the operational tempo of an organization and gaining a deep understanding of the organization and how it operates, in order to best develop a strategy to target it.
  9. Technical Information Gathering
     • Domain / IP
     • Email
     • Job postings
     • Help desk
     • Physical pentest
     • Social engineering
  10. Finding Domain / IP: scanning
     • VirusTotal
     • PassiveTotal – https://community.riskiq.com/
     • Txdns (domain brute force) – https://github.com/jack51706/OSINT_Course/raw/master/txdns.rar
     • Nmap (common port scan)
     • Online port scan – http://www.t1shopper.com/tools/port-scan/
     • Shodan / Censys / ZoomEye
     • EyeWitness (takes screenshots of websites) – https://github.com/FortyNorthSecurity/EyeWitness
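Of the tools listed above, domain brute force is the one whose failure mode is worth seeing in code: a zone with a wildcard record answers every wordlist entry, so a naive brute forcer reports the whole wordlist as live hosts. The block below is an added Python example, not the txdns tool from the deck or anything else from the course material. The zone, the addresses and `fake_resolver` are constructed so it runs offline; `brute_force_subdomains` takes any resolver callable, so a real DNS lookup can be substituted.

```python
"""Wordlist-based subdomain brute force with wildcard detection.

Added example (not the deck's txdns tool). The resolver is injected so the
logic can run against a constructed zone; swap in a real lookup to use it
against a domain you are authorised to test.
"""
import random
import string
from typing import Callable, Dict, List, Optional, Set

# A resolver maps a name to its A records, or None when the name does not exist.
Resolver = Callable[[str], Optional[List[str]]]


def wildcard_addresses(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve a few random labels that should not exist.

    If they resolve, the zone has a wildcard record and every brute-forced
    name will appear to exist; the returned addresses let the caller discard
    those hits. An empty set means no wildcard was detected.
    """
    found: Set[str] = set()
    rng = random.Random(0)  # fixed seed so the example is reproducible
    for _ in range(probes):
        label = "".join(rng.choices(string.ascii_lowercase + string.digits, k=16))
        answer = resolve(f"{label}.{domain}")
        if answer:
            found.update(answer)
    return found


def brute_force_subdomains(domain: str, wordlist: List[str],
                           resolve: Resolver) -> Dict[str, List[str]]:
    """Return {fqdn: [addresses]} for wordlist entries that resolve to
    something other than the zone's wildcard address(es)."""
    wildcard = wildcard_addresses(domain, resolve)
    hits: Dict[str, List[str]] = {}
    for word in wordlist:
        fqdn = f"{word}.{domain}"
        answer = resolve(fqdn)
        if not answer:
            continue
        real = [ip for ip in answer if ip not in wildcard]
        if real:
            hits[fqdn] = sorted(real)
    return hits


# Constructed zone (not real data); 203.0.113.0/24 is a documentation range.
WILDCARD_IP = "203.0.113.99"
CONSTRUCTED_ZONE: Dict[str, List[str]] = {
    "www.example.test": ["203.0.113.10"],
    "mail.example.test": ["203.0.113.25"],
    "vpn.example.test": ["203.0.113.40"],
    # dev also carries the wildcard address, so only .50 is a genuine record
    "dev.example.test": ["203.0.113.50", WILDCARD_IP],
}


def fake_resolver(name: str) -> Optional[List[str]]:
    """Stand-in for DNS: known names answer from the table, any other name
    under example.test answers with the wildcard address."""
    if name in CONSTRUCTED_ZONE:
        return CONSTRUCTED_ZONE[name]
    if name.endswith(".example.test"):
        return [WILDCARD_IP]
    return None


WORDLIST = ["www", "mail", "vpn", "dev", "staging", "admin", "ftp"]

if __name__ == "__main__":
    for fqdn, ips in brute_force_subdomains("example.test", WORDLIST, fake_resolver).items():
        print(fqdn, ",".join(ips))
```

Against a live zone, a resolver such as `socket.gethostbyname_ex(name)[2]` wrapped in a `try`/`except socket.gaierror` that returns `None` is enough; the wildcard probe is what keeps the output meaningful, since without it the three non-existent names in `WORDLIST` would be reported as hosts.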
  11. People Information Gathering
     • People information gathering consists of the process of identifying the critical personnel elements of intelligence an adversary will need about a target in order to best attack it. People intelligence gathering focuses on identifying key personnel or individuals with critical access in order to best approach a target for attack. It may involve aspects of social engineering, elicitation, mining social media sources, or be thought of as understanding the personnel element of competitive intelligence.
  12. Shortcomings of traditional mechanisms
     • Detection and blocking only by IP/domain or signature; the source of the problem cannot be pinned down (which process, account or behaviour on the host or endpoint caused it), so the burden of closing the case falls entirely on the customer's administrators
     • Only firewall and intrusion prevention logs are collected; detailed traces of threats inside the internal network are missing
     • Case handling takes a long time (three days or more on average)
  13. What is VirusTotal Intelligence?
     • VirusTotal Intelligence (VTI) sandboxing extracts behavioral and other signals
     • VTI provides the ability to search through VT's dataset using:
       – Binary properties
       – Detection verdicts
       – Static properties
       – Behavior patterns
       – Submission metadata
     • Access via web interface or APIs
  14. Alert Triage
     • Starting point: a piece of malware / URL / IP
     • What I want to know: the context of my alert; explore associated metadata; related activity
     • VTI approach: VTI metadata
  16. IOC Expansion / Pivoting
     • Starting point: a malicious domain
     • What I want to know: are there malicious subdomains? Is this related to C2 activity? What else is this domain linked to?
     • VTI approach: Graph + VTI reports
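The pivot the slide describes (domain to hosting IP to other domains on that IP) is mechanical enough to write down, and writing it down exposes the caveat a graph tool hides behind its UI: one shared hosting or CDN address drags in every unrelated tenant. The block below is an added Python example; it is not VirusTotal Graph, VTI reports or any VirusTotal API. The passive-DNS observations are constructed, and the hop limit and fan-out cap are generic pivot rules, not anything the deck specifies.

```python
"""Infrastructure pivoting over passive-DNS records.

Added example for the IOC expansion / pivoting slide. Not VirusTotal code:
the (domain, ip) observations below are constructed, and the pivot rule is
the generic one an analyst applies by hand, bounded by a hop limit and a
fan-out cap so shared infrastructure does not pull in unrelated tenants.
"""
import ipaddress
from collections import deque
from typing import Dict, Iterable, List, Set, Tuple

# Constructed passive-DNS observations (domain, ip); 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges, not real infrastructure.
PDNS: List[Tuple[str, str]] = [
    ("evil.test", "198.51.100.5"),
    ("cdn.evil.test", "198.51.100.5"),
    ("login-update.test", "198.51.100.5"),
    ("login-update.test", "198.51.100.6"),
    ("stage2.test", "198.51.100.6"),
    # Shared hosting address with many unrelated tenants.
    ("evil.test", "203.0.113.200"),
    ("bakery.test", "203.0.113.200"),
    ("florist.test", "203.0.113.200"),
    ("school.test", "203.0.113.200"),
    ("news.test", "203.0.113.200"),
]


def build_graph(records: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Undirected adjacency: each domain links to its IPs and vice versa."""
    adj: Dict[str, Set[str]] = {}
    for domain, ip in records:
        adj.setdefault(domain, set()).add(ip)
        adj.setdefault(ip, set()).add(domain)
    return adj


def is_ip(node: str) -> bool:
    try:
        ipaddress.ip_address(node)
        return True
    except ValueError:
        return False


def pivot(seed: str, records: Iterable[Tuple[str, str]],
          max_hops: int = 2, max_fanout: int = 3) -> Dict[str, int]:
    """Breadth-first expansion from seed; returns {node: hops from seed}.

    An IP whose fan-out (distinct domains observed on it) exceeds max_fanout
    is still reported as linked to whatever reached it, but is not expanded
    through: many unrelated domains on one address is the signature of
    shared hosting or a CDN, not of the actor's own infrastructure.
    """
    adj = build_graph(records)
    seen: Dict[str, int] = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        hops = seen[node]
        if hops >= max_hops:
            continue
        if is_ip(node) and len(adj.get(node, ())) > max_fanout:
            continue
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen[nxt] = hops + 1
                queue.append(nxt)
    return seen


def related_domains(seed: str, records: Iterable[Tuple[str, str]],
                    max_hops: int = 2, max_fanout: int = 3) -> List[str]:
    """Domains (not IPs) reached from seed, ordered by distance then name."""
    reached = pivot(seed, records, max_hops, max_fanout)
    domains = [(h, n) for n, h in reached.items() if n != seed and not is_ip(n)]
    return [n for _, n in sorted(domains)]


if __name__ == "__main__":
    for hops in (2, 4):
        print(hops, related_domains("evil.test", PDNS, max_hops=hops))
```

With the default two hops the seed reaches only the sibling domains on 198.51.100.5; four hops also walks through login-update.test to the second address and stage2.test, while the five tenants on 203.0.113.200 stay out of the result at any hop count unless the fan-out cap is raised. Treat every node the pivot returns as a lead to be confirmed, not as a verdict.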
  17. Threat Hunting
     • Starting point: a piece of malware / URL
     • What I want to know: are there other variants? How old is my malware? Are there other targets?
     • VTI approach: Retrohunt + YARA