Upgrade to Pro — share decks privately, control downloads, hide ads and more …

資安課程 外網目標情資偵蒐

jack chou
October 25, 2018
Technology
0
2k

資安課程 外網目標情資偵蒐

jack chou

October 25, 2018
Tweet

More Decks by jack chou

See All by jack chou
Raidforums台灣金融情資驗證探討
jack51706
0
1.5k
Threat Hunting & Compromised Assessment on the cheap 101
jack51706
2
1.5k
我們與厲駭的距離@高科大
jack51706
0
1.1k
ITHOME2019-手把手,教你如何處理資安事件
jack51706
0
1.2k
鍵盤福爾摩斯的觀落陰真經
jack51706
1
630
研究所資安課程_第五週 準備武器階段 第十七週 清除軌跡
jack51706
0
1.1k
TDOHPIPE_公部門資安工作分享
jack51706
0
600

Other Decks in Technology

See All in Technology
JAWS-UG Bedrock Claude Night
yamahiro
3
700
【NW X Security JAWS#3】L3-4:AWS環境のIPv6移行に向けて知っておきたいこと
shotashiratori
1
620
認知症フレンドリーテックとスタックチャン
naokiuc
0
180
Gitlab本から学んだこと - そーだいなるプレイバック / gitlab-book
soudai
7
1.3k
One engineer company with Ruby on Rails
rstankov
2
420
On Your Data を超えていく!
hirotomotaguchi
2
750
自己改善からチームを動かす! 「セルフエンジニアリングマネージャー」のすゝめ
shoota
6
1k
AOAI をきっかけに​ 社内の Azure 管理を見直した話​
recruitengineers
PRO
1
450
開発パフォーマンスを最大化するための開発体制
ham0215
7
1.1k
How to Lead? Testimonial of a Lead Android Engineer
oleur
1
110
リテール金融(キャッシュレス・ネット銀行・ネット証券)の競争環境と経済圏
8maki
0
1.6k
アクセス制御にまつわる改善 / Improving access control
itkq
0
590

Featured

See All Featured
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
41
4.4k
The Pragmatic Product Professional
lauravandoore
26
5.8k
Six Lessons from altMBA
skipperchong
22
3k
Why Our Code Smells
bkeepers
PRO
331
56k
Reflections from 52 weeks, 52 projects
jeffersonlam
345
19k
Rails Girls Zürich Keynote
gr2m
91
13k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
188
16k
Happy Clients
brianwarren
92
6.4k
The World Runs on Bad Software
bkeepers
PRO
61
6.7k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
13
8.3k
Practical Orchestrator
shlominoach
183
9.7k
Creatively Recalculating Your Daily Design Routine
revolveconf
211
11k

Transcript

  1. 大學資安課程 外網目標情資偵蒐 Keyboard007

  2. 經歷介紹 • 證照: – CEH CHFI – Palo Alto Network

    ACE – McAfee Vulnerability Manager • 經歷: – 協助調查局偵辦第一銀行盜領案 – 建置企業APT防護 – 協助企業資安事件處理 – 世新大學法律二十學分班結業 • 專長: – Incident Response – Penetration Testing & Exploit Research – Malware Analysis – Security Solution Implementation • APT Gateway (TM DDI) • APT Mail (TM DDEI) • APT SandBox (TM DDA) • APT Endpoint (CounterTack MDR)

  3. Agenda • OSINT – OSINT – 介紹 – OSINT –

    DOMAIN / IP – OSINT – EMAIL – OSINT – PEOPLE • 情資蒐集應用場景 – 攻擊方 – 企業防禦方 – 調查分析方

  4. OSINT 4

  5. OSINT 定義 • 公開來源情資(Open-source intelligence, 簡稱OSINT) 是由美國國家 情報總監 (Director of

    National Intelligence)與美國國防部(Department of Defense)所共同定義的法律用語,係 指任何由公開資訊產出的情 報,它們經 過收集、發掘的過程後,適時地傳遞給 有特 殊情報需求的人員。

  6. Intelligence cycle • Intelligence cycle

  7. OSINT 定位 HUMINT SIGINT IMINT MASINT ALL-SOURCE ANALYSIS OPEN SOURCE

    INFORMATION OPEN SOURCE INTELLIGENCE 5% of cost 80% of value 95% of cost 20% of value ALL-SOURCE PROCESSING

  8. What is OSINT? • 主體是人 • Reconnaissance of intelligence •

    From publicly available information • To address a specific intelligence requirement • Newspaper, blog, search engine ... • Government documents • Often undervalued though significant

  9. Why OSINT? • New employee • Criminal investigation • Missing

    children / Runaway children • Human trafficking • Vandalism • Stealing • NOT to manhunt or SJW on Dcard / PTT / ...

  10. OSINT Includes but Not Limited to • Location • Real

    Name • Online ID / group / community • Phone number • Email • Credit card number / Bank account • Date / Time • Documents • Domain / IP address • URL

  11. Email OSINT • https://inteltechniques.com/menu.html

  12. User Name OSINT • https://inteltechniques.com/menu.html

  13. Real Name OSINT • https://inteltechniques.com/menu.html

  14. Telephone OSINT • https://inteltechniques.com/menu.html

  15. Location OSINT • https://inteltechniques.com/menu.html

  16. RECONNAISSANCE A Walkthrough of the “APT” Intelligence Gathering Process(1)

  17. RECONNAISSANCE A Walkthrough of the “APT” Intelligence Gathering Process(2)

  18. EXAMPLE: 對岸網軍 OSINT(1)

  19. EXAMPLE: 對岸網軍 OSINT(2)

  20. EXAMPLE: 對岸網軍 OSINT(3)

  21. EXAMPLE: 網路犯罪偵辦

  22. EXAMPLE: 企業防護與追蹤 • https://www.threatcrowd.org/ip.php?ip=103.39.16.145

  23. EXAMPLE: 駭客找企業目標(1) • Domain OSINT(公開情資蒐集) – 共 99 Domain –

    未進行Port Scan

  24. EXAMPLE: 駭客找企業目標(2) • 利用工具情蒐企業郵件帳戶

  25. EXAMPLE: 駭客找企業目標(3) • 情蒐到的企業郵件帳戶大約三四十個… – 每個郵件的攻擊方法如右圖 – 當其中一個帳戶被入侵成功當成跳板進行內網滲透的時候…

  26. 攻擊方 情資蒐集應用場景 26

  27. MITRE PRE-ATT&CK PRE-ATT&CK: Adversarial Tactics, Techniques & Common Knowledge for

    Left-of-Exploit

  28. MITRE PRE-ATT&CK PRE-ATT&CK now comprises 15 tactics and 151 techniques

  29. Organizational Information Gathering • Organizational information gathering consists of the

    process of identifying critical organizational elements of intelligence an adversary will need about a target in order to best attack. Similar to competitive intelligence, organizational intelligence gathering focuses on understanding the operational tempo of an organization and gathering a deep understanding of the organization and how it operates, in order to best develop a strategy to target it.

  30. Technical Information Gathering • Domain / IP • Email •

    徵才訊息 • Help Desk • Physical Pentest • Social Engineering

  31. EXAMPLE: 駭客找企業目標(1) • Domain OSINT(公開情資蒐集) – 共 99 Domain –

    未進行Port Scan

  32. 找Domain / IP Scanning • Virustotal • Passivetotal – https://community.riskiq.com/

    • Txdns (Domain Brute Force) – https://github.com/jack51706/OSINT_Course/raw/master/txdns.rar • NMAP (Common Port Scan) • Online PortScan – http://www.t1shopper.com/tools/port-scan/ • Shodan / Censys / Zoomeye • EyeWitness (take screenshots of websites ) – https://github.com/FortyNorthSecurity/EyeWitness

  33. Google Hacking Database https://www.exploit-db.com/google- hacking-database/

  34. People Information Gathering • People Information Gathering consists of the

    process of identifying critical personnel elements of intelligence an adversary will need about a target in order to best attack. People intelligence gathering focuses on identifying key personnel or individuals with critical accesses in order to best approach a target for attack. It may involve aspects of social engineering, elicitation, mining social media sources, or be thought of as understanding the personnel element of competitive intelligence.

  35. EXAMPLE: 駭客找企業目標(1) • 利用工具情蒐企業郵件帳戶

  36. EXAMPLE: 駭客找企業目標(2) • 情蒐到的企業郵件帳戶大約三四十個… – 每個郵件的攻擊方法如右圖 – 當其中一個帳戶被入侵成功當成跳板進行內網滲透的時候…

  37. 找企業Email • https://github.com/cys3c/infoga

  38. 企業防禦方 情資蒐集應用場景 38

  39. 傳統機制的不足處 • 僅可以 IP/Domain 或 Signature 檢測及阻擋,無法鎖定問題來 源(如:主機或用戶端上的哪 一個程序、帳號、或是行為造 成),造成結案

    Loading 都在 客戶管理者上 • 僅有防火牆、入侵防禦設備的 日誌收集,缺乏內網威脅的詳 細軌跡 • 案件處理時間長(平均三天以 上) 39

  40. ThreatCrowd • https://www.threatcrowd.org/

  41. Threatminer https://www.threatminer.org/

  42. IBM X-Force Exchange https://exchange.x force.ibmcloud.co m/

  43. Darksearch http://www.darks earch.com

  44. Cisco Talos Intelligence https://www.talosi ntelligence.com/

  45. Threatbook https://x.threatbo ok.cn/en

  46. 360威脅情報中 心 https://ti.360.net/

  47. The Majestic Million https://majestic.co m/reports/majesti c-million

  48. Exploits of the week https://sploitus.com/

  49. Vulners https://vulners.com/

  50. Riskiq https://community.riskiq.com/

  51. Online Port Scan http://www.t1shopper.com/tools/port-scan/

  52. 實務起手式 收到情 資通報 線上掃 描 情資網 站驗證

  53. 調查分析方 情資蒐集應用場景 53

  54. 情資情資哪裡來??? • IR • Malware Hunting • Threat Intelligence Exchange

    • …

  55. What is VirusTotal Intelligence? • VirusTotal Intelligence (VTI) sandboxing extracts

    behavioral and other signals • VTI provides the ability to search through VT’s dataset using: – Binary properties – Detection verdicts – Static properties – Behavior patterns – Submission metadata • Access via web interface or APIs

  56. 01 ALERT TRIAGE INVESTIGATIVE USE CASE

  57. Alert Triage • Piece of malware/URL/IP • Context of my

    alert • Explore associated metadata • Related activity • VTI metadata Starting Point What IWant To Know VTI Approach

  58. What I Want To Know • Context of my alert

    • Explore associated metadata • Related activity

  59. 02 IOC EXPANSION / PIVOTING INVESTIGATIVE USE CASE

  60. IOC Expansion / Pivoting • Malicious domain • Are there

    malicious subdomains? • Is this related to C2 activity? • What else is this domain linked to? • Graph + VTI Reports Starting Point What IWant To Know VTI Approach

  61. Graph + VTI Reports https://www.virustotal.com/graph/

  62. 03 THREAT HUNTING INVESTIGATIVE USE CASE

  63. Threat Hunting • Piece of malware/URL • Are there other

    variants? • How old is my malware? • Are there other targets? • Retrohunt + YARA Starting Point What IWant To Know VTI Approach

  64. What I Want To Know • Are there other variants?

    • How old is my malware? • Are there other targets?

  65. Retrohunt + YARA (1)

  66. Retrohunt + YARA (2) TTP Based EDR Hunting

  67. Q & A