Beginners Guide to OSINT

Transcript

1. about me

2. really sucked at school

3. Age 12 18 14 16 work experience 20 *

4. None

5. time to regroup

6. - Enrol in IT Program at NSCC - Get job

   with NSCC - Design and Build their first Security Monitoring Infrastructure - Deploy to 21 locations (13 campuses) throughout the province The Plan*: * OK, not really at all but incredibly that’s how it played out
7. None
8. None
9. None

10. open source developer

11. open source contributor

12. working for a really cool company

13. Next-generation, Deployable Defensive Cyberspace Operations (DCO) Infrastructure (DDI) prototype kits

    for Cyber Protection Teams (CPTs) *

14. moon shot ~1 year No VC $

15. None

16. Beginners Guide to OSINT paul halliday | AtlSecCon Halifax |

    April 2016

17. So what is threat intelligence?

18. in the beginning, there was a whole lotta nothing

19. good guys

20. bad guys

21. threat intel provider

22. Take 1 Data

23. None
24. None

25. Source: iSIGHT Partners - What is Cyber Threat Intelligence and

    why do I need it? what we really care about

26. “Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice

    about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.” Source: Gartner - Defini[on: Threat Intelligence Threat Intelligence:

27. = = Take 2 More Data

28. None

29. Take 3 Narrative 5 KM = = ETA 5min

30. None

31. = = data intel but, add a narrative and URL

    IP FILEHASH DOMAIN USER EMAIL CERTHASH IOCs (by themselves) are just data

32. Source: David Bianco Indicators of Compromise (IOCs) The Pyramid of

    Pain “..knowledge about adversaries and their motivations, intentions, and methods..” refactoring effort =

33. types of OSINT

34. specific threats numerous trackers

35. None
36. None
37. None
38. None
39. None
40. None
41. None

42. generic bad

43. Community Votes

44. non-specific threat (or perhaps no threat at all) Exit Nodes

45. some carry more weight than others many types, but keep

    in mind meaningful metadata little or no metadata

46. stay calm. more importantly though: threat indicators are not signatures

47. a simple use case

48. DNS Blackhole google.ca facebook.com cbc.ca badplace.ru reallybadplace.nl twitter.com cnn.com ….

    ? domains limitations 1. http:/ /dropbox.com/evilpayload.exe.txt 2. http:/ /95.28.37.16/evilpayload.exe.txt 3. http:/ /reallybadplace.nl/evilpayload.exe.txt (indicators)

49. a more advanced use case

50. DNS Log HTTP Log Connection Log SSL Log SMTP Log

    Files Log …..? The Bro Network Security Monitor Logging Framework

51. 01100001 00100000 01110111 01101000 01101111 01101100 01100101 00100000 01100010 01110101

    01101110 01100011 01101000 00100000 01101111 01100110 00100000 01100100 01100001 01110100 01100001 00100000 01101000 01100101 01110010 01100101 00100001 00100001 Intel::ADDR Intel::URL Intel::SOFTWARE Intel::EMAIL Intel::DOMAIN Intel::USER_NAME Intel::FILE_HASH Intel::FILE_NAME Intel::CERT_HASH Intel Types Intel.log #fields indicator indicator_type meta.source meta.url meta.do_notice meta.if_in 000007.ru Intel::DOMAIN MalwareDomains http:/ /malwaredomains.com/files/domains F - intel metadata args type Wow. More logs.. Now what?

52. Timestamp UID* Origin Response Indicator Type Where Sources super important

53. multiple log matches 1. connection log shows the protocol 2.

    intel log shows a bad IP address 3. ssh log shows an authentication failure 1 2 3 Timestamp UID* If we follow the UID from the intel hit, what do we see?

54. https:/ /intel.criticalstack.com Free!