Upgrade to Pro — share decks privately, control downloads, hide ads and more …

資安課程 外網目標情資偵蒐

jack chou
October 25, 2018
Technology
0
2.1k

資安課程 外網目標情資偵蒐

jack chou

October 25, 2018
Tweet

More Decks by jack chou

See All by jack chou
Raidforums台灣金融情資驗證探討
jack51706
0
1.5k
Threat Hunting & Compromised Assessment on the cheap 101
jack51706
2
1.5k
我們與厲駭的距離@高科大
jack51706
0
1.1k
ITHOME2019-手把手,教你如何處理資安事件
jack51706
0
1.2k
鍵盤福爾摩斯的觀落陰真經
jack51706
1
640
研究所資安課程_第五週 準備武器階段 第十七週 清除軌跡
jack51706
0
1.1k
TDOHPIPE_公部門資安工作分享
jack51706
0
640

Other Decks in Technology

See All in Technology
新しいスケーリング則と学習理論
taiji_suzuki
9
3.4k
ソフトウェア開発における「パーフェクトな意思決定」/Perfect Decision-Making in Software Development
yayoi_dd
2
2.6k
OCI技術資料 : ファイル・ストレージ 概要
ocise
3
12k
I could be Wrong!! - Learning from Agile Experts
kawaguti
PRO
8
1.7k
事業貢献を考えるための技術改善の目標設計と改善実績 / Targeted design of technical improvements to consider business contribution and improvement performance
oomatomo
0
250
Unlearn Product Development - Unleashed Edition
lemiorhan
PRO
2
160
ZOZOTOWN の推薦における KPI モニタリング/KPI monitoring for ZOZOTOWN recommendations
rayuron
1
690
Azureの開発で辛いところ
re3turn
0
160
DevFest 2024 Incheon / Songdo - Compose UI 조합 심화
wisemuji
0
240
30分でわかるデータ分析者のためのディメンショナルモデリング #datatechjp / 20250120
kazaneya
PRO
12
3.3k
大規模言語モデルとそのソフトウェア開発に向けた応用 (2024年版)
kazato
2
420
[Oracle TechNight#85] Oracle Autonomous Databaseを使ったAI活用入門
oracle4engineer
PRO
1
200

Featured

See All Featured
We Have a Design System, Now What?
morganepeng
51
7.3k
The Cost Of JavaScript in 2023
addyosmani
46
7.1k
Thoughts on Productivity
jonyablonski
68
4.4k
Optimising Largest Contentful Paint
csswizardry
33
3k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
The Invisible Side of Design
smashingmag
299
50k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
Git: the NoSQL Database
bkeepers
PRO
427
64k
GraphQLとの向き合い方2022年版
quramy
44
13k
A designer walks into a library…
pauljervisheath
205
24k
How to Ace a Technical Interview
jacobian
276
23k
Done Done
chrislema
182
16k

Transcript

  1. 大學資安課程 外網目標情資偵蒐 Keyboard007

  2. 經歷介紹 • 證照: – CEH CHFI – Palo Alto Network

    ACE – McAfee Vulnerability Manager • 經歷: – 協助調查局偵辦第一銀行盜領案 – 建置企業APT防護 – 協助企業資安事件處理 – 世新大學法律二十學分班結業 • 專長: – Incident Response – Penetration Testing & Exploit Research – Malware Analysis – Security Solution Implementation • APT Gateway (TM DDI) • APT Mail (TM DDEI) • APT SandBox (TM DDA) • APT Endpoint (CounterTack MDR)

  3. Agenda • OSINT – OSINT – 介紹 – OSINT –

    DOMAIN / IP – OSINT – EMAIL – OSINT – PEOPLE • 情資蒐集應用場景 – 攻擊方 – 企業防禦方 – 調查分析方

  4. OSINT 4

  5. OSINT 定義 • 公開來源情資(Open-source intelligence, 簡稱OSINT) 是由美國國家 情報總監 (Director of

    National Intelligence)與美國國防部(Department of Defense)所共同定義的法律用語,係 指任何由公開資訊產出的情 報,它們經 過收集、發掘的過程後,適時地傳遞給 有特 殊情報需求的人員。

  6. Intelligence cycle • Intelligence cycle

  7. OSINT 定位 HUMINT SIGINT IMINT MASINT ALL-SOURCE ANALYSIS OPEN SOURCE

    INFORMATION OPEN SOURCE INTELLIGENCE 5% of cost 80% of value 95% of cost 20% of value ALL-SOURCE PROCESSING

  8. What is OSINT? • 主體是人 • Reconnaissance of intelligence •

    From publicly available information • To address a specific intelligence requirement • Newspaper, blog, search engine ... • Government documents • Often undervalued though significant

  9. Why OSINT? • New employee • Criminal investigation • Missing

    children / Runaway children • Human trafficking • Vandalism • Stealing • NOT to manhunt or SJW on Dcard / PTT / ...

  10. OSINT Includes but Not Limited to • Location • Real

    Name • Online ID / group / community • Phone number • Email • Credit card number / Bank account • Date / Time • Documents • Domain / IP address • URL

  11. Email OSINT • https://inteltechniques.com/menu.html

  12. User Name OSINT • https://inteltechniques.com/menu.html

  13. Real Name OSINT • https://inteltechniques.com/menu.html

  14. Telephone OSINT • https://inteltechniques.com/menu.html

  15. Location OSINT • https://inteltechniques.com/menu.html

  16. RECONNAISSANCE A Walkthrough of the “APT” Intelligence Gathering Process(1)

  17. RECONNAISSANCE A Walkthrough of the “APT” Intelligence Gathering Process(2)

  18. EXAMPLE: 對岸網軍 OSINT(1)

  19. EXAMPLE: 對岸網軍 OSINT(2)

  20. EXAMPLE: 對岸網軍 OSINT(3)

  21. EXAMPLE: 網路犯罪偵辦

  22. EXAMPLE: 企業防護與追蹤 • https://www.threatcrowd.org/ip.php?ip=103.39.16.145

  23. EXAMPLE: 駭客找企業目標(1) • Domain OSINT(公開情資蒐集) – 共 99 Domain –

    未進行Port Scan

  24. EXAMPLE: 駭客找企業目標(2) • 利用工具情蒐企業郵件帳戶

  25. EXAMPLE: 駭客找企業目標(3) • 情蒐到的企業郵件帳戶大約三四十個… – 每個郵件的攻擊方法如右圖 – 當其中一個帳戶被入侵成功當成跳板進行內網滲透的時候…

  26. 攻擊方 情資蒐集應用場景 26

  27. MITRE PRE-ATT&CK PRE-ATT&CK: Adversarial Tactics, Techniques & Common Knowledge for

    Left-of-Exploit

  28. MITRE PRE-ATT&CK PRE-ATT&CK now comprises 15 tactics and 151 techniques

  29. Organizational Information Gathering • Organizational information gathering consists of the

    process of identifying critical organizational elements of intelligence an adversary will need about a target in order to best attack. Similar to competitive intelligence, organizational intelligence gathering focuses on understanding the operational tempo of an organization and gathering a deep understanding of the organization and how it operates, in order to best develop a strategy to target it.

  30. Technical Information Gathering • Domain / IP • Email •

    徵才訊息 • Help Desk • Physical Pentest • Social Engineering

  31. EXAMPLE: 駭客找企業目標(1) • Domain OSINT(公開情資蒐集) – 共 99 Domain –

    未進行Port Scan

  32. 找Domain / IP Scanning • Virustotal • Passivetotal – https://community.riskiq.com/

    • Txdns (Domain Brute Force) – https://github.com/jack51706/OSINT_Course/raw/master/txdns.rar • NMAP (Common Port Scan) • Online PortScan – http://www.t1shopper.com/tools/port-scan/ • Shodan / Censys / Zoomeye • EyeWitness (take screenshots of websites ) – https://github.com/FortyNorthSecurity/EyeWitness

  33. Google Hacking Database https://www.exploit-db.com/google- hacking-database/

  34. People Information Gathering • People Information Gathering consists of the

    process of identifying critical personnel elements of intelligence an adversary will need about a target in order to best attack. People intelligence gathering focuses on identifying key personnel or individuals with critical accesses in order to best approach a target for attack. It may involve aspects of social engineering, elicitation, mining social media sources, or be thought of as understanding the personnel element of competitive intelligence.

  35. EXAMPLE: 駭客找企業目標(1) • 利用工具情蒐企業郵件帳戶

  36. EXAMPLE: 駭客找企業目標(2) • 情蒐到的企業郵件帳戶大約三四十個… – 每個郵件的攻擊方法如右圖 – 當其中一個帳戶被入侵成功當成跳板進行內網滲透的時候…

  37. 找企業Email • https://github.com/cys3c/infoga

  38. 企業防禦方 情資蒐集應用場景 38

  39. 傳統機制的不足處 • 僅可以 IP/Domain 或 Signature 檢測及阻擋,無法鎖定問題來 源(如:主機或用戶端上的哪 一個程序、帳號、或是行為造 成),造成結案

    Loading 都在 客戶管理者上 • 僅有防火牆、入侵防禦設備的 日誌收集,缺乏內網威脅的詳 細軌跡 • 案件處理時間長(平均三天以 上) 39

  40. ThreatCrowd • https://www.threatcrowd.org/

  41. Threatminer https://www.threatminer.org/

  42. IBM X-Force Exchange https://exchange.x force.ibmcloud.co m/

  43. Darksearch http://www.darks earch.com

  44. Cisco Talos Intelligence https://www.talosi ntelligence.com/

  45. Threatbook https://x.threatbo ok.cn/en

  46. 360威脅情報中 心 https://ti.360.net/

  47. The Majestic Million https://majestic.co m/reports/majesti c-million

  48. Exploits of the week https://sploitus.com/

  49. Vulners https://vulners.com/

  50. Riskiq https://community.riskiq.com/

  51. Online Port Scan http://www.t1shopper.com/tools/port-scan/

  52. 實務起手式 收到情 資通報 線上掃 描 情資網 站驗證

  53. 調查分析方 情資蒐集應用場景 53

  54. 情資情資哪裡來??? • IR • Malware Hunting • Threat Intelligence Exchange

    • …

  55. What is VirusTotal Intelligence? • VirusTotal Intelligence (VTI) sandboxing extracts

    behavioral and other signals • VTI provides the ability to search through VT’s dataset using: – Binary properties – Detection verdicts – Static properties – Behavior patterns – Submission metadata • Access via web interface or APIs

  56. 01 ALERT TRIAGE INVESTIGATIVE USE CASE

  57. Alert Triage • Piece of malware/URL/IP • Context of my

    alert • Explore associated metadata • Related activity • VTI metadata Starting Point What IWant To Know VTI Approach

  58. What I Want To Know • Context of my alert

    • Explore associated metadata • Related activity

  59. 02 IOC EXPANSION / PIVOTING INVESTIGATIVE USE CASE

  60. IOC Expansion / Pivoting • Malicious domain • Are there

    malicious subdomains? • Is this related to C2 activity? • What else is this domain linked to? • Graph + VTI Reports Starting Point What IWant To Know VTI Approach

  61. Graph + VTI Reports https://www.virustotal.com/graph/

  62. 03 THREAT HUNTING INVESTIGATIVE USE CASE

  63. Threat Hunting • Piece of malware/URL • Are there other

    variants? • How old is my malware? • Are there other targets? • Retrohunt + YARA Starting Point What IWant To Know VTI Approach

  64. What I Want To Know • Are there other variants?

    • How old is my malware? • Are there other targets?

  65. Retrohunt + YARA (1)

  66. Retrohunt + YARA (2) TTP Based EDR Hunting

  67. Q & A