www.leocybersecurity.com 1 The Top 3 Risks of Moving to Cloud “I” Before “R” Except After “IOC” Andrew Hay, CTO, LEO Cyber Security +1.650.532.3555 [email protected] https://www.leocybersecurity.com @andrewsmhay

www.leocybersecurity.com 2 Summary Introduction Agenda The True Value of a Single IOC Quantify and Utilize Your IOCs When You Should Declare an Incident

www.leocybersecurity.com 3 About Me • Co-Founder and Chief Technology Officer (CTO) @ LEO Cyber Security • Former: • CISO @ DataGravity (now HyTrust) • Director of Research @ OpenDNS (now Cisco) • Chief Evangelist & Director of Research @ CloudPassage • Senior Security (Industry) Analyst @ 451 Research • Information Security Officer in higher education and financial services • Engineering manager @ Q1 Labs (now IBM) • Blogger, author, and rugby coach

www.leocybersecurity.com 4 Introduction • The security industry touts indicators of compromise (IOCs) as much needed threat intelligence (TI) in the war on attackers • The fact is that not every IOC is valuable enough to trigger an incident response (IR) activity • All too often our provided indicators contain information of varying quality including expired attribution, dubious origin, and incomplete details

www.leocybersecurity.com 5 Summary Introduction Agenda The True Value of a Single IOC Quantify and Utilize Your IOCs When You Should Declare an Incident

www.leocybersecurity.com 6 Why IOCs (and TI) Get a Bad Rap • What if… • A single threat intelligence-sourced alert generates $1000 worth of time to investigate a false positive? • An intelligence producer reports incorrectly categorizes a threat as APT (say instead of cyber crime)? • Every poor quality report costs time to read and digest • Every poor association or correlation derails an analytic effort at an organization Sourced from http://www.activeresponse.org/the-cost-of-bad-threat-intelligence/

www.leocybersecurity.com 7 Example: A Day In The Life

www.leocybersecurity.com 8 Example: A Day In The Life Alternate Title: “How Andrew Chased His Tail for 2 Days”

www.leocybersecurity.com 9 Example: A Day In The Life Endpoint security product detected outbound communications with an IP address identified by AlienVault OTX as being malicious. 199[.]59[.]242[.]150 Day 1 @ 10:30am SUSPICIOUS IP DETECTED

www.leocybersecurity.com 10 Example: A Day In The Life Start reviewing comments on AlienVault OTX. IP known to be associated with spam delivery, malware, and legitimate sites. Day 1 @ 11:00am INVESTIGATION BEGINS Endpoint security product detected outbound communications with an IP address identified by AlienVault OTX as being malicious. 199[.]59[.]242[.]150 Day 1 @ 10:30am SUSPICIOUS IP DETECTED

www.leocybersecurity.com 11 Had to stop investigating due to mandatory team meeting. Day 1 @ 11:30am – 2:00pm WEEKLY TEAM MEETING

www.leocybersecurity.com 12 Had to drive home to get water heater replaced. SF traffic sucks! Day 1 @ 2:30pm – 4:00pm DRIVE HOME / TRAFFIC Had to stop investigating due to mandatory team meeting. Day 1 @ 11:30am – 2:00pm WEEKLY TEAM MEETING

www.leocybersecurity.com 13 Had to drive home to get water heater replaced. SF traffic sucks! Day 1 @ 2:30pm – 4:00pm DRIVE HOME / TRAFFIC Host executed a never-before-seen binary. User had no idea how it got there and did not launch it. Day 1 @ 4:00pm INSERTION: ANOTHER ISSUE ARISES Had to stop investigating due to mandatory team meeting. Day 1 @ 11:30am – 2:00pm WEEKLY TEAM MEETING

www.leocybersecurity.com 14 Remotely pulled binary from running system. Day 1 @ 4:17pm FETCH BINARY FOR ANALYSIS

www.leocybersecurity.com 15 Remotely pulled binary from running system. Day 1 @ 4:17pm FETCH BINARY FOR ANALYSIS Dynamic analysis using several automated sandbox systems (all in private mode). Day 1 @ 4:18pm UPLOAD BINARY TO SANDBOX

www.leocybersecurity.com 16 Remotely pulled binary from running system. Day 1 @ 4:17pm FETCH BINARY FOR ANALYSIS Dynamic analysis using several automated sandbox systems (all in private mode). Day 1 @ 4:18pm UPLOAD BINARY TO SANDBOX Completely separate issue arises at another client with a newly installed network sensor. Day 1 @ 4:40pm – 5:30pm INSERTION: NETWORK SENSOR

www.leocybersecurity.com 17 Om-nom-nom-nom. Day 1 @ 5:30pm – 6:45pm DINNER

www.leocybersecurity.com 18 Can’t fix remotely, need to send someone onsite. Day 1 @ 7:00pm NETWORK SENSOR ISSUE REQUIRES ONSITE Om-nom-nom-nom. Day 1 @ 5:30pm – 6:45pm DINNER

www.leocybersecurity.com 19 Can’t fix remotely, need to send someone onsite. Day 1 @ 7:00pm NETWORK SENSOR ISSUE REQUIRES ONSITE Om-nom-nom-nom. Day 1 @ 5:30pm – 6:45pm DINNER Start checking third-party intel tools. Day 1 @ 7:00pm CONTINUE IP ADDRESS ISSUE

www.leocybersecurity.com 20 GTO-CERT • Reported this IP as being associated with M2M – Malspam • Spreads VB/Trojan.Valyria Domaintools • 477,068 websites use this address • IP location – Bodis, LLC, New York • AS395082 BODIS-NJ OpenDNS • 612 malicious domains being blocked Ransomware Tracker • Ransomware infrastructure associated with IP: 9 IBM X-Force • Anonymization Services (43%), Malware (43%), Botnet C2 (29%) • Comment: Bodis, LLC operates a domain name monetization platform Also: ThreatMiner, Cymon, AbuseIPB, OTX, ThreatCrowd Day 1 @ 7:00pm – 8:00pm THIRD-PARTY TOOL INTEL

www.leocybersecurity.com 21 Day 2 @ 6:00am BREAKFAST, GYM, SHOWER

www.leocybersecurity.com 22 Day 2 @ 6:00am BREAKFAST, GYM, SHOWER

www.leocybersecurity.com 23 Day 2 @ 6:00am BREAKFAST, GYM, SHOWER Decided to reach out to a private trust group of which I am a member. Day 2 @ 8:45am – 9:00am CONTINUE IP ADDRESS ISSUE

www.leocybersecurity.com 24 Day 2 @ 6:00am BREAKFAST, GYM, SHOWER Decided to reach out to a private trust group of which I am a member. Day 2 @ 8:45am – 9:00am CONTINUE IP ADDRESS ISSUE Numerous other analysts seeing this traffic on their network. Consensus is that this is related to pixel[.]ad[.]minadvertising[.]com Day 2 @ 9:00am – 9:30am WORKING WITH PEERS

www.leocybersecurity.com 25 Day 2 @ 6:00am BREAKFAST, GYM, SHOWER Decided to reach out to a private trust group of which I am a member. Day 2 @ 8:45am – 9:00am CONTINUE IP ADDRESS ISSUE Numerous other analysts seeing this traffic on their network. Consensus is that this is related to pixel[.]ad[.]minadvertising[.]com Day 2 @ 9:00am – 9:30am WORKING WITH PEERS Confirmed via DNS queries in OpenDNS. Added my own comments to OTX. Communicated FALSE POSITIVE to client. Day 2 @ 9:30am – 10:00am CONTINUE IP ADDRESS ISSUE

www.leocybersecurity.com 26 Review dynamic sandbox analysis results. Nothing glaringly bad happens after execution. Day 2 @ 10:00am CONTINUE SUSPICIOUS BINARY ISSUE

www.leocybersecurity.com 27 Review dynamic sandbox analysis results. Nothing glaringly bad happens after execution. Day 2 @ 10:00am CONTINUE SUSPICIOUS BINARY ISSUE Identified a number of suspicious imports (e.g. IsDebuggerPresent, GetTickCount64, Sleep, etc.) often associated with malware. Day 2 @ 10:30am STRINGS AND IMPORTS

www.leocybersecurity.com 28 Review dynamic sandbox analysis results. Nothing glaringly bad happens after execution. Day 2 @ 10:00am CONTINUE SUSPICIOUS BINARY ISSUE Identified a number of suspicious imports (e.g. IsDebuggerPresent, GetTickCount64, Sleep, etc.) often associated with malware. Day 2 @ 10:30am STRINGS AND IMPORTS VirusTotal and CarbonBlack showed multiple instances of this executable (wininfo.exe) having been uploaded for analysis. AV engines show as benign. Shows many standard executables being written to disk, however (e.g. svchost.exe, xcopy.exe, 7z.exe, etc.) Day 2 @ 10:45am CHECK THIRD-PARTY INTEL

www.leocybersecurity.com 29 Review dynamic sandbox analysis results. Nothing glaringly bad happens after execution. Day 2 @ 10:00am CONTINUE SUSPICIOUS BINARY ISSUE Identified a number of suspicious imports (e.g. IsDebuggerPresent, GetTickCount64, Sleep, etc.) often associated with malware. Day 2 @ 10:30am STRINGS AND IMPORTS VirusTotal and CarbonBlack showed multiple instances of this executable (wininfo.exe) having been uploaded for analysis. AV engines show as benign. Shows many standard executables being written to disk, however (e.g. svchost.exe, xcopy.exe, 7z.exe, etc.) Day 2 @ 10:45am CHECK THIRD-PARTY INTEL Turns out that this is one of many executables that the client’s MSP deploys for ”remote work and stuff”. Communicated FALSE POSSITIVE to client. Day 2 @ 11:00am ANDREW SMASH!

www.leocybersecurity.com 30 Review By The Numbers… The number of issues the client said were “almost definitely” associated with malware or hackers. 2

www.leocybersecurity.com 31 Review By The Numbers… The number of issues the client said were “almost definitely” associated with malware or hackers. 2 The number of IOCs per issue that triggered a threat hunting and incident response exercise. 1

www.leocybersecurity.com 32 Review By The Numbers… The number of issues the client said were “almost definitely” associated with malware or hackers. 2 The number of IOCs per issue that triggered a threat hunting and incident response exercise. 1 12 The number of hours spent investigating the two issues.

www.leocybersecurity.com 33 Review By The Numbers… The number of actual issues uncovered as a result of the investigation. 0

www.leocybersecurity.com 34 Review By The Numbers… The number of actual issues uncovered as a result of the investigation. 0 The ballpark monetary cost (in USD) of having me look into these two issues. 5K

www.leocybersecurity.com 35 Review By The Numbers… The number of actual issues uncovered as a result of the investigation. 0 The ballpark monetary cost (in USD) of having me look into these two issues. 5K ∞ The value of the experience in providing me a CFP topic to present.

www.leocybersecurity.com 36 A Quality IOC • A quality IOC should empower/enable an analyst to… • Fully analyze successful and unsuccessful intrusions by threat actors • Construct descriptions of campaigns, actors, and organizations • Seek out, collect, and properly exploit intelligence from others • Generate intelligence from their own data sources and share it accordingly • Manage intelligence to further the objectives of their organization

www.leocybersecurity.com 37 Good vs. Bad IOCs Bad Good Indicators without context Indicators with context related to your business Indicators from an untrusted source Indicators from trusted peers, organizations, or entities Port scan-derived indicators Indicators derived from undertaken response activities Old or dated indicators Recent and validated indicators Report delivered indicators Ingestible indicators

www.leocybersecurity.com 38 David J Bianco’s Pyramid of Pain TTPs Tools Network/Host Artifacts Domain Names IP Addresses Hash Values value ease of acquisition

www.leocybersecurity.com 39 Summary Introduction Agenda Quantify and Utilize Your IOCs The True Value of a Single IOC When You Should Declare an Incident

www.leocybersecurity.com 40 A Word About Intelligence vs. Information • Intelligence is information (or data) that has been analyzed to answer a specific question • At the initial stage, we are grabbing as much potentially useful information as we can find, which we will then analyze to determine whether it is something that we want to include in the remaining steps *Roberts, Scott J; Brown, Rebekah. Intelligence-Driven Incident Response: Outwitting the Adversary (Kindle Locations 1531-1536). O'Reilly Media. Kindle Edition.

www.leocybersecurity.com 41 The (SANS) Active Cyber Defense Cycle Network Security Monitoring Incident Response Threat & Environment Manipulation Threat Intelligence Consumption Phase III Phase II Phase I Phase IV

www.leocybersecurity.com 42 Phase I: Consumption • Conceptualize critical assets • Identify intelligence gaps • Consider future security changes Understand the Organization • Prioritize generated intelligence • Put intelligence in usable form • Ensure correct usage of IOCs Translate Intelligence • Collect internal threat data • Manage/store lessons learned • Share with those generating intel Internal Knowledge Management

www.leocybersecurity.com 43 Phase II: Network Monitoring • Record network changes • Understand network topologies • Make architecture suggestions Identify the Assets • Collect data • Alert on threats • Analyze to ensure true positive Hunt for the Adversary • Help drive decision to start IR • Monitor the scope of the infection • Supply IR with relevant data Assist Incident Responders

www.leocybersecurity.com 44 Managing Your IOCs • As with any security problem, there is a single platform to solve the problem

www.leocybersecurity.com 45 Managing Your IOCs • As with any security problem, there is a single platform are a seemingly unlimited number of tools to solve the problem

www.leocybersecurity.com 46 Managing Your IOCs • As with any security problem, there is a single platform are a seemingly unlimited number of tools to solve the problem • Luckily, there are free, inexpensive, and mature commercial platforms to help

www.leocybersecurity.com 47 Free IOC “Management” Tools • GOSINT • The GOSINT framework is a project used for collecting, processing, and exporting high quality indicators of compromise (IOCs). • https://github.com/ciscocsirt/GOSINT • MISP - Open Source Threat Intelligence Platform • A threat intelligence platform for gathering, sharing, storing and correlating Indicators of Compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information. • https://www.misp-project.org/

www.leocybersecurity.com 48 Free IOC “Management” Tools • Yeti - Your everyday threat intelligence • Platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository. Yeti will also automatically enrich observables (e.g. resolve domains, geolocate IPs) so that you don't have to. • https://github.com/yeti-platform/yeti • Collective Intelligence Framework (CIF) • CIF allows you to combine known malicious threat information from many sources and use that information for incident response, detection and mitigation. • http://csirtgadgets.org/

www.leocybersecurity.com 49 More IOC “Management” Tools CO ST CO ST

www.leocybersecurity.com 50 Summary Introduction Agenda When You Should Declare an Incident The True Value of a Single IOC Quantify and Utilize Your IOCs

www.leocybersecurity.com 51 Declaring an Incident • Is it an incident yet? • Now you have data and intelligence…should you declare an incident? • An incident is the act of violating an explicit or implied security policy according to NIST Special Publication 800-61 • Of course, this definition relies on the existence of a security policy that, while generally understood, varies among organizations

www.leocybersecurity.com 52 Declaring an Incident • Unsure what constitutes as “violation”? Use the following: The unauthorized use of a system for the processing or storage of data USAGE Unwanted disruption or denial of service DISRUPTION Changes to system HW, FW, or SW characteristics w/o owner knowledge, instruction, or consent CHANGES Attempts (either failed or successful) to gain unauthorized access to a system or its data ACCESS

www.leocybersecurity.com 53 Phase III: Incident Response • Leverage IOCs • Integrate NSM efforts • Preserve forensic evidence Scope the Infection • Keep business operations running • Empower decision makers • IR steps to ensure success Timely Response • Identify threat variants • Collect samples for REM analysts • Keep aware of threat responses Collect Threat Samples

www.leocybersecurity.com 54 Phase IV: Threat & Environment Manipulation • Collect and document samples • Use threat intel to see if known • Use known info or analyze De-Duplication • Use automated sandboxes • Perform behavioral analysis • Identify capabilities and impact Timely Malware Analysis • Encourage defenses that counter • Use logical architecture vs. C2 • Make recommendations for future Environment Manipulation

www.leocybersecurity.com 55 When All Else Fails… • Trust your gut… • Declare an incident if: • You know it’s necessary • You’re not sure it’s necessary • You’re told it’s necessary by a • Partner, peer, friend, superior, customer, etc. • You have a feeling it might be necessary

www.leocybersecurity.com 56 Summary Introduction Agenda When You Should Declare an Incident The True Value of a Single IOC Quantify and Utilize Your IOCs

www.leocybersecurity.com 57 Place Subtitle Here • IOC mantra: Garbage in, Garbage out • If wielded properly, IOCs can accelerate incident response activities • If automated, even more so • If you chase a single IOC, you might not have enough context to confidently declare an incident Summary

www.leocybersecurity.com 58 Further Reading • Awesome Threat Detection and Hunting • https://github.com/0x4D31/awesome-threat-detection • Awesome Threat Intelligence • https://github.com/hslatman/awesome-threat-intelligence • MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) • https://attack.mitre.org/wiki/Main_Page

www.leocybersecurity.com 59 Place Subtitle Here • Determine what the following domain is used for: militarysurpluspotsandpans[.]com • If you think you’ve figured it out, message me on Twitter at @andrewsmhay J Bonus Task

www.leocybersecurity.com 60 Visit Us At: https://www.leocybersecurity.com LEO Cyber Security 1612 Summit Avenue, Suite 415, Ft. Worth, TX 76102 +1.530.FINDLEO [email protected] www.leocybersecurity.com @LeoCyberSec Questions? Thank You! Andrew Hay, CTO +1.650.532.3555 [email protected] www.leocybersecurity.com @andrewsmhay