資安課程 外網目標情資偵蒐

Transcript

1. 大學資安課程 外網目標情資偵蒐 Keyboard007

2. 經歷介紹 • 證照: – CEH CHFI – Palo Alto Network

   ACE – McAfee Vulnerability Manager • 經歷: – 協助調查局偵辦第一銀行盜領案 – 建置企業APT防護 – 協助企業資安事件處理 – 世新大學法律二十學分班結業 • 專長: – Incident Response – Penetration Testing & Exploit Research – Malware Analysis – Security Solution Implementation • APT Gateway (TM DDI) • APT Mail (TM DDEI) • APT SandBox (TM DDA) • APT Endpoint (CounterTack MDR)

3. Agenda • OSINT – OSINT – 介紹 – OSINT –

   DOMAIN / IP – OSINT – EMAIL – OSINT – PEOPLE • 情資蒐集應用場景 – 攻擊方 – 企業防禦方 – 調查分析方

4. OSINT 4

5. OSINT 定義 • 公開來源情資(Open-source intelligence, 簡稱OSINT) 是由美國國家 情報總監 (Director of

   National Intelligence)與美國國防部(Department of Defense)所共同定義的法律用語，係 指任何由公開資訊產出的情 報，它們經 過收集、發掘的過程後，適時地傳遞給 有特 殊情報需求的人員。

6. Intelligence cycle • Intelligence cycle

7. OSINT 定位 HUMINT SIGINT IMINT MASINT ALL-SOURCE ANALYSIS OPEN SOURCE

   INFORMATION OPEN SOURCE INTELLIGENCE 5% of cost 80% of value 95% of cost 20% of value ALL-SOURCE PROCESSING

8. What is OSINT? • 主體是人 • Reconnaissance of intelligence •

   From publicly available information • To address a specific intelligence requirement • Newspaper, blog, search engine ... • Government documents • Often undervalued though significant

9. Why OSINT? • New employee • Criminal investigation • Missing

   children / Runaway children • Human trafficking • Vandalism • Stealing • NOT to manhunt or SJW on Dcard / PTT / ...

10. OSINT Includes but Not Limited to • Location • Real

    Name • Online ID / group / community • Phone number • Email • Credit card number / Bank account • Date / Time • Documents • Domain / IP address • URL

11. Email OSINT • https://inteltechniques.com/menu.html

12. User Name OSINT • https://inteltechniques.com/menu.html

13. Real Name OSINT • https://inteltechniques.com/menu.html

14. Telephone OSINT • https://inteltechniques.com/menu.html

15. Location OSINT • https://inteltechniques.com/menu.html

16. RECONNAISSANCE A Walkthrough of the “APT” Intelligence Gathering Process(1)

17. RECONNAISSANCE A Walkthrough of the “APT” Intelligence Gathering Process(2)

18. EXAMPLE: 對岸網軍 OSINT(1)

19. EXAMPLE: 對岸網軍 OSINT(2)

20. EXAMPLE: 對岸網軍 OSINT(3)

21. EXAMPLE: 網路犯罪偵辦

22. EXAMPLE: 企業防護與追蹤 • https://www.threatcrowd.org/ip.php?ip=103.39.16.145

23. EXAMPLE: 駭客找企業目標(1) • Domain OSINT(公開情資蒐集) – 共 99 Domain –

    未進行Port Scan

24. EXAMPLE: 駭客找企業目標(2) • 利用工具情蒐企業郵件帳戶

25. EXAMPLE: 駭客找企業目標(3) • 情蒐到的企業郵件帳戶大約三四十個… – 每個郵件的攻擊方法如右圖 – 當其中一個帳戶被入侵成功當成跳板進行內網滲透的時候…

26. 攻擊方 情資蒐集應用場景 26

27. MITRE PRE-ATT&CK PRE-ATT&CK: Adversarial Tactics, Techniques & Common Knowledge for

    Left-of-Exploit

28. MITRE PRE-ATT&CK PRE-ATT&CK now comprises 15 tactics and 151 techniques

29. Organizational Information Gathering • Organizational information gathering consists of the

    process of identifying critical organizational elements of intelligence an adversary will need about a target in order to best attack. Similar to competitive intelligence, organizational intelligence gathering focuses on understanding the operational tempo of an organization and gathering a deep understanding of the organization and how it operates, in order to best develop a strategy to target it.

30. Technical Information Gathering • Domain / IP • Email •

    徵才訊息 • Help Desk • Physical Pentest • Social Engineering

31. EXAMPLE: 駭客找企業目標(1) • Domain OSINT(公開情資蒐集) – 共 99 Domain –

    未進行Port Scan

32. 找Domain / IP Scanning • Virustotal • Passivetotal – https://community.riskiq.com/

    • Txdns (Domain Brute Force) – https://github.com/jack51706/OSINT_Course/raw/master/txdns.rar • NMAP (Common Port Scan) • Online PortScan – http://www.t1shopper.com/tools/port-scan/ • Shodan / Censys / Zoomeye • EyeWitness (take screenshots of websites ) – https://github.com/FortyNorthSecurity/EyeWitness

33. Google Hacking Database https://www.exploit-db.com/google- hacking-database/

34. People Information Gathering • People Information Gathering consists of the

    process of identifying critical personnel elements of intelligence an adversary will need about a target in order to best attack. People intelligence gathering focuses on identifying key personnel or individuals with critical accesses in order to best approach a target for attack. It may involve aspects of social engineering, elicitation, mining social media sources, or be thought of as understanding the personnel element of competitive intelligence.

35. EXAMPLE: 駭客找企業目標(1) • 利用工具情蒐企業郵件帳戶

36. EXAMPLE: 駭客找企業目標(2) • 情蒐到的企業郵件帳戶大約三四十個… – 每個郵件的攻擊方法如右圖 – 當其中一個帳戶被入侵成功當成跳板進行內網滲透的時候…

37. 找企業Email • https://github.com/cys3c/infoga

38. 企業防禦方 情資蒐集應用場景 38

39. 傳統機制的不足處 • 僅可以 IP/Domain 或 Signature 檢測及阻擋，無法鎖定問題來 源（如：主機或用戶端上的哪 一個程序、帳號、或是行為造 成），造成結案

    Loading 都在 客戶管理者上 • 僅有防火牆、入侵防禦設備的 日誌收集，缺乏內網威脅的詳 細軌跡 • 案件處理時間長（平均三天以 上） 39

40. ThreatCrowd • https://www.threatcrowd.org/

41. Threatminer https://www.threatminer.org/

42. IBM X-Force Exchange https://exchange.x force.ibmcloud.co m/

43. Darksearch http://www.darks earch.com

44. Cisco Talos Intelligence https://www.talosi ntelligence.com/

45. Threatbook https://x.threatbo ok.cn/en

46. 360威脅情報中 心 https://ti.360.net/

47. The Majestic Million https://majestic.co m/reports/majesti c-million

48. Exploits of the week https://sploitus.com/

49. Vulners https://vulners.com/

50. Riskiq https://community.riskiq.com/

51. Online Port Scan http://www.t1shopper.com/tools/port-scan/

52. 實務起手式 收到情 資通報 線上掃 描 情資網 站驗證

53. 調查分析方 情資蒐集應用場景 53

54. 情資情資哪裡來??? • IR • Malware Hunting • Threat Intelligence Exchange

    • …

55. What is VirusTotal Intelligence? • VirusTotal Intelligence (VTI) sandboxing extracts

    behavioral and other signals • VTI provides the ability to search through VT’s dataset using: – Binary properties – Detection verdicts – Static properties – Behavior patterns – Submission metadata • Access via web interface or APIs

56. 01 ALERT TRIAGE INVESTIGATIVE USE CASE

57. Alert Triage • Piece of malware/URL/IP • Context of my

    alert • Explore associated metadata • Related activity • VTI metadata Starting Point What IWant To Know VTI Approach

58. What I Want To Know • Context of my alert

    • Explore associated metadata • Related activity

59. 02 IOC EXPANSION / PIVOTING INVESTIGATIVE USE CASE

60. IOC Expansion / Pivoting • Malicious domain • Are there

    malicious subdomains? • Is this related to C2 activity? • What else is this domain linked to? • Graph + VTI Reports Starting Point What IWant To Know VTI Approach

61. Graph + VTI Reports https://www.virustotal.com/graph/

62. 03 THREAT HUNTING INVESTIGATIVE USE CASE

63. Threat Hunting • Piece of malware/URL • Are there other

    variants? • How old is my malware? • Are there other targets? • Retrohunt + YARA Starting Point What IWant To Know VTI Approach

64. What I Want To Know • Are there other variants?

    • How old is my malware? • Are there other targets?

65. Retrohunt + YARA (1)

66. Retrohunt + YARA (2) TTP Based EDR Hunting

67. Q & A