Slide 1

www.leocybersecurity.com 1
The Top 3 Risks of Moving to Cloud
“I” Before “R” Except After “IOC”
Andrew Hay, CTO, LEO Cyber Security
+1.650.532.3555
[email protected]
https://www.leocybersecurity.com
@andrewsmhay

Slide 2

Agenda
• Introduction
• The True Value of a Single IOC
• Quantify and Utilize Your IOCs
• When You Should Declare an Incident
• Summary

Slide 3

About Me
• Co-Founder and Chief Technology Officer (CTO) @ LEO Cyber Security
• Former:
  • CISO @ DataGravity (now HyTrust)
  • Director of Research @ OpenDNS (now Cisco)
  • Chief Evangelist & Director of Research @ CloudPassage
  • Senior Security (Industry) Analyst @ 451 Research
  • Information Security Officer in higher education and financial services
  • Engineering manager @ Q1 Labs (now IBM)
• Blogger, author, and rugby coach

Slide 4

Introduction
• The security industry touts indicators of compromise (IOCs) as much-needed threat intelligence (TI) in the war on attackers
• The fact is that not every IOC is valuable enough to trigger an incident response (IR) activity
• All too often the indicators we are provided contain information of varying quality, including expired attribution, dubious origin, and incomplete details

Slide 5

Agenda
• Introduction
• The True Value of a Single IOC
• Quantify and Utilize Your IOCs
• When You Should Declare an Incident
• Summary

Slide 6

Why IOCs (and TI) Get a Bad Rap
• What if…
  • A single threat intelligence-sourced alert generates $1000 worth of time to investigate a false positive?
  • An intelligence producer's report incorrectly categorizes a threat as APT (say, instead of cyber crime)?
• Every poor quality report costs time to read and digest
• Every poor association or correlation derails an analytic effort at an organization
Sourced from http://www.activeresponse.org/the-cost-of-bad-threat-intelligence/

Slide 7

Example: A Day In The Life

Slide 8

Example: A Day In The Life
Alternate Title: “How Andrew Chased His Tail for 2 Days”

Slide 9

Example: A Day In The Life
Day 1 @ 10:30am – SUSPICIOUS IP DETECTED: Endpoint security product detected outbound communications with an IP address identified by AlienVault OTX as being malicious. 199[.]59[.]242[.]150

Slide 10

Example: A Day In The Life
Day 1 @ 11:00am – INVESTIGATION BEGINS: Start reviewing comments on AlienVault OTX. IP known to be associated with spam delivery, malware, and legitimate sites.

Slide 11

Day 1 @ 11:30am – 2:00pm – WEEKLY TEAM MEETING: Had to stop investigating due to mandatory team meeting.

Slide 12

Day 1 @ 2:30pm – 4:00pm – DRIVE HOME / TRAFFIC: Had to drive home to get water heater replaced. SF traffic sucks!

Slide 13

Day 1 @ 4:00pm – INSERTION: ANOTHER ISSUE ARISES: Host executed a never-before-seen binary. User had no idea how it got there and did not launch it.

Slide 14

Day 1 @ 4:17pm – FETCH BINARY FOR ANALYSIS: Remotely pulled binary from running system.

Slide 15

Day 1 @ 4:18pm – UPLOAD BINARY TO SANDBOX: Dynamic analysis using several automated sandbox systems (all in private mode).

Slide 16

Day 1 @ 4:40pm – 5:30pm – INSERTION: NETWORK SENSOR: Completely separate issue arises at another client with a newly installed network sensor.

Slide 17

Day 1 @ 5:30pm – 6:45pm – DINNER: Om-nom-nom-nom.

Slide 18

Day 1 @ 7:00pm – NETWORK SENSOR ISSUE REQUIRES ONSITE: Can’t fix remotely, need to send someone onsite.

Slide 19

Day 1 @ 7:00pm – CONTINUE IP ADDRESS ISSUE: Start checking third-party intel tools.

Slide 20

Day 1 @ 7:00pm – 8:00pm – THIRD-PARTY TOOL INTEL
• GTO-CERT
  • Reported this IP as being associated with M2M – Malspam
  • Spreads VB/Trojan.Valyria
• Domaintools
  • 477,068 websites use this address
  • IP location – Bodis, LLC, New York
  • AS395082 BODIS-NJ
• OpenDNS
  • 612 malicious domains being blocked
• Ransomware Tracker
  • Ransomware infrastructure associated with IP: 9
• IBM X-Force
  • Anonymization Services (43%), Malware (43%), Botnet C2 (29%)
  • Comment: Bodis, LLC operates a domain name monetization platform
• Also: ThreatMiner, Cymon, AbuseIPB, OTX, ThreatCrowd

Slide 21

Day 2 @ 6:00am – BREAKFAST, GYM, SHOWER

Slide 23

Day 2 @ 8:45am – 9:00am – CONTINUE IP ADDRESS ISSUE: Decided to reach out to a private trust group of which I am a member.

Slide 24

Day 2 @ 9:00am – 9:30am – WORKING WITH PEERS: Numerous other analysts seeing this traffic on their network. Consensus is that this is related to pixel[.]ad[.]minadvertising[.]com

Slide 25

Day 2 @ 9:30am – 10:00am – CONTINUE IP ADDRESS ISSUE: Confirmed via DNS queries in OpenDNS. Added my own comments to OTX. Communicated FALSE POSITIVE to client.

Slide 26

Day 2 @ 10:00am – CONTINUE SUSPICIOUS BINARY ISSUE: Review dynamic sandbox analysis results. Nothing glaringly bad happens after execution.

Slide 27

Day 2 @ 10:30am – STRINGS AND IMPORTS: Identified a number of suspicious imports (e.g. IsDebuggerPresent, GetTickCount64, Sleep, etc.) often associated with malware.

Slide 28

Day 2 @ 10:45am – CHECK THIRD-PARTY INTEL: VirusTotal and CarbonBlack showed multiple instances of this executable (wininfo.exe) having been uploaded for analysis. AV engines show as benign. Shows many standard executables being written to disk, however (e.g. svchost.exe, xcopy.exe, 7z.exe, etc.)

Slide 29

Day 2 @ 11:00am – ANDREW SMASH!: Turns out that this is one of many executables that the client’s MSP deploys for “remote work and stuff”. Communicated FALSE POSITIVE to client.

Slide 30

Review By The Numbers…
2 – The number of issues the client said were “almost definitely” associated with malware or hackers.

Slide 31

Review By The Numbers…
1 – The number of IOCs per issue that triggered a threat hunting and incident response exercise.

Slide 32

Review By The Numbers…
12 – The number of hours spent investigating the two issues.

Slide 33

Review By The Numbers…
0 – The number of actual issues uncovered as a result of the investigation.

Slide 34

Review By The Numbers…
5K – The ballpark monetary cost (in USD) of having me look into these two issues.

Slide 35

Review By The Numbers…
∞ – The value of the experience in providing me a CFP topic to present.

Slide 36

A Quality IOC
• A quality IOC should empower/enable an analyst to…
  • Fully analyze successful and unsuccessful intrusions by threat actors
  • Construct descriptions of campaigns, actors, and organizations
  • Seek out, collect, and properly exploit intelligence from others
  • Generate intelligence from their own data sources and share it accordingly
  • Manage intelligence to further the objectives of their organization

Slide 37

Good vs. Bad IOCs
Bad: Indicators without context  |  Good: Indicators with context related to your business
Bad: Indicators from an untrusted source  |  Good: Indicators from trusted peers, organizations, or entities
Bad: Port scan-derived indicators  |  Good: Indicators derived from undertaken response activities
Bad: Old or dated indicators  |  Good: Recent and validated indicators
Bad: Report delivered indicators  |  Good: Ingestible indicators

Slide 38

David J Bianco’s Pyramid of Pain (top to bottom; value to the defender and the adversary's difficulty in changing the indicator both increase toward the top, ease of acquisition increases toward the bottom)
• TTPs
• Tools
• Network/Host Artifacts
• Domain Names
• IP Addresses
• Hash Values
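The factors on this pyramid and on the Good vs. Bad IOCs table, together with the third-party enrichment from the Day in the Life story, turned into a small Python triage scorer. This is an added example, not code from the talk or from LEO Cyber Security; the weights, thresholds, reference date and sample indicators are my own assumptions.

```python
"""IOC triage scorer (added example, not code from the talk or LEO).
Scores an indicator on the factors the slides name: Pyramid of Pain level,
source trust, business context, validation, age, and the shared-hosting
signal that made 199[.]59[.]242[.]150 a false positive (477,068 sites).
Weights and thresholds are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Pyramid of Pain, bottom (trivial for the adversary to change) to top.
PYRAMID = ["hash", "ip", "domain", "artifact", "tool", "ttp"]
TODAY = date(2018, 6, 1)  # constructed reference date

@dataclass
class Indicator:
    value: str
    kind: str                     # one of PYRAMID
    source_trusted: bool          # trusted peer/org vs. untrusted feed
    has_context: bool             # tied to your business or a campaign
    validated: bool               # confirmed by response activities
    first_seen: date
    hosted_sites: int = 0         # IPs only: how many sites share it
    malicious_ratio: float = 1.0  # share of enrichment verdicts that are bad

def score(ioc: Indicator, today: date = TODAY) -> int:
    """Return 0..100; higher means more worth an analyst's time."""
    s = 10 * (PYRAMID.index(ioc.kind) + 1)   # 10 (hash) .. 60 (TTP)
    s += 15 if ioc.source_trusted else 0
    s += 15 if ioc.has_context else 0
    s += 10 if ioc.validated else 0
    if (today - ioc.first_seen).days > 90:    # old or dated indicator
        s -= 20
    # Parking, CDN and ad-network IPs host thousands of unrelated sites,
    # so the IP alone says little about the host that talked to it.
    if ioc.kind == "ip" and ioc.hosted_sites > 1000:
        s -= 30
    s -= int(20 * (1 - ioc.malicious_ratio))  # mixed verdicts cost points
    return max(0, min(100, s))

def triage(ioc: Indicator, today: date = TODAY) -> str:
    """Map the score to an action: hunt now, enrich first, or just log it."""
    s = score(ioc, today)
    return "hunt" if s >= 60 else "enrich" if s >= 35 else "log"

# Constructed samples. The first mirrors the talk's IP: community-sourced,
# no business context, shared by 477,068 sites, mixed enrichment verdicts.
PARKED_IP = Indicator("199[.]59[.]242[.]150", "ip", False, False, False,
                      TODAY - timedelta(days=10), hosted_sites=477068,
                      malicious_ratio=0.43)
PEER_DOMAIN = Indicator("example-c2[.]invalid", "domain", True, False, False,
                        TODAY - timedelta(days=30))
PEER_TTP = Indicator("scheduled task persistence", "ttp", True, True, True,
                     TODAY - timedelta(days=5))

if __name__ == "__main__":
    for ioc in (PARKED_IP, PEER_DOMAIN, PEER_TTP):
        print(f"{ioc.value:35} {score(ioc):3} -> {triage(ioc)}")
```

With these weights the talk's IP scores 0 and is merely logged, the peer-supplied domain lands in "enrich", and the validated TTP from a trusted peer scores 100 and goes straight to a hunt.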

Slide 39

Agenda
• Introduction
• The True Value of a Single IOC
• Quantify and Utilize Your IOCs
• When You Should Declare an Incident
• Summary

Slide 40

A Word About Intelligence vs. Information
• Intelligence is information (or data) that has been analyzed to answer a specific question
• At the initial stage, we are grabbing as much potentially useful information as we can find, which we will then analyze to determine whether it is something that we want to include in the remaining steps
*Roberts, Scott J; Brown, Rebekah. Intelligence-Driven Incident Response: Outwitting the Adversary (Kindle Locations 1531-1536). O'Reilly Media. Kindle Edition.

Slide 41

The (SANS) Active Cyber Defense Cycle
• Phase I: Threat Intelligence Consumption
• Phase II: Network Security Monitoring
• Phase III: Incident Response
• Phase IV: Threat & Environment Manipulation

Slide 42

Phase I: Consumption
• Understand the Organization
  • Conceptualize critical assets
  • Identify intelligence gaps
  • Consider future security changes
• Translate Intelligence
  • Prioritize generated intelligence
  • Put intelligence in usable form
  • Ensure correct usage of IOCs
• Internal Knowledge Management
  • Collect internal threat data
  • Manage/store lessons learned
  • Share with those generating intel

Slide 43

Phase II: Network Monitoring
• Identify the Assets
  • Record network changes
  • Understand network topologies
  • Make architecture suggestions
• Hunt for the Adversary
  • Collect data
  • Alert on threats
  • Analyze to ensure true positive
• Assist Incident Responders
  • Help drive decision to start IR
  • Monitor the scope of the infection
  • Supply IR with relevant data

Slide 44

Managing Your IOCs
• As with any security problem, there is a single platform to solve the problem

Slide 46

Managing Your IOCs
• As with any security problem, there [is a single platform, struck through on the slide] are a seemingly unlimited number of tools to solve the problem
• Luckily, there are free, inexpensive, and mature commercial platforms to help

Slide 47

Free IOC “Management” Tools
• GOSINT
  • The GOSINT framework is a project used for collecting, processing, and exporting high quality indicators of compromise (IOCs).
  • https://github.com/ciscocsirt/GOSINT
• MISP - Open Source Threat Intelligence Platform
  • A threat intelligence platform for gathering, sharing, storing and correlating Indicators of Compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information.
  • https://www.misp-project.org/

Slide 48

Free IOC “Management” Tools
• Yeti - Your everyday threat intelligence
  • Platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository. Yeti will also automatically enrich observables (e.g. resolve domains, geolocate IPs) so that you don't have to.
  • https://github.com/yeti-platform/yeti
• Collective Intelligence Framework (CIF)
  • CIF allows you to combine known malicious threat information from many sources and use that information for incident response, detection and mitigation.
  • http://csirtgadgets.org/

Slide 49

More IOC “Management” Tools
(Figure: vendor logos arranged along a COST axis; the logos are not recoverable from the extracted text.)

Slide 50

Agenda
• Introduction
• The True Value of a Single IOC
• Quantify and Utilize Your IOCs
• When You Should Declare an Incident
• Summary

Slide 51

Declaring an Incident
• Is it an incident yet?
• Now you have data and intelligence…should you declare an incident?
• An incident is the act of violating an explicit or implied security policy, according to NIST Special Publication 800-61
• Of course, this definition relies on the existence of a security policy that, while generally understood, varies among organizations

Slide 52

Declaring an Incident
• Unsure what constitutes a “violation”? Use the following:
  • USAGE: The unauthorized use of a system for the processing or storage of data
  • DISRUPTION: Unwanted disruption or denial of service
  • CHANGES: Changes to system HW, FW, or SW characteristics w/o owner knowledge, instruction, or consent
  • ACCESS: Attempts (either failed or successful) to gain unauthorized access to a system or its data

Slide 53

Phase III: Incident Response
• Scope the Infection
  • Leverage IOCs
  • Integrate NSM efforts
  • Preserve forensic evidence
• Timely Response
  • Keep business operations running
  • Empower decision makers
  • IR steps to ensure success
• Collect Threat Samples
  • Identify threat variants
  • Collect samples for REM analysts
  • Keep aware of threat responses

Slide 54

Phase IV: Threat & Environment Manipulation
• De-Duplication
  • Collect and document samples
  • Use threat intel to see if known
  • Use known info or analyze
• Timely Malware Analysis
  • Use automated sandboxes
  • Perform behavioral analysis
  • Identify capabilities and impact
• Environment Manipulation
  • Encourage defenses that counter
  • Use logical architecture vs. C2
  • Make recommendations for future

Slide 55

When All Else Fails…
• Trust your gut…
• Declare an incident if:
  • You know it’s necessary
  • You’re not sure it’s necessary
  • You’re told it’s necessary by a partner, peer, friend, superior, customer, etc.
  • You have a feeling it might be necessary

Slide 56

Agenda
• Introduction
• The True Value of a Single IOC
• Quantify and Utilize Your IOCs
• When You Should Declare an Incident
• Summary

Slide 57

Summary
• IOC mantra: Garbage in, Garbage out
• If wielded properly, IOCs can accelerate incident response activities
  • If automated, even more so
• If you chase a single IOC, you might not have enough context to confidently declare an incident

Slide 58

Further Reading
• Awesome Threat Detection and Hunting
  • https://github.com/0x4D31/awesome-threat-detection
• Awesome Threat Intelligence
  • https://github.com/hslatman/awesome-threat-intelligence
• MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™)
  • https://attack.mitre.org/wiki/Main_Page

Slide 59

Bonus Task
• Determine what the following domain is used for: militarysurpluspotsandpans[.]com
• If you think you’ve figured it out, message me on Twitter at @andrewsmhay :)

Slide 60

Questions? Thank You!
Andrew Hay, CTO
+1.650.532.3555
[email protected]
www.leocybersecurity.com
@andrewsmhay

Visit Us At: https://www.leocybersecurity.com
LEO Cyber Security
1612 Summit Avenue, Suite 415, Ft. Worth, TX 76102
+1.530.FINDLEO
[email protected]
www.leocybersecurity.com
@LeoCyberSec