Slide 1

Practical Threat Intelligence: How to Build Your Own Workflow Using Open Source to Monitor Modern Threats
Thomas Roccia, Sr. Security Researcher at Microsoft, @fr0gger

Slide 2

WHOAMI
Thomas Roccia, Sr. Security Researcher at Microsoft
From France to Australia
https://SecurityBreak.io
@fr0gger_

Slide 3

What will be covered?
• What is Threat Intelligence?
• How to deal with a huge amount of data?
• Overview of the LAB
• Introducing OpenCTI
• ElasticSearch for other data intelligence
• The power of Jupyter

Slide 4

INFOBESITY
Geopolitics, Affiliates, Nation-State

Slide 5

What is Threat Intelligence?
• Threat Intelligence is knowledge that allows you to prevent or mitigate cyberattacks.
• Rooted in data, threat intelligence gives you context that helps you make informed decisions about your security by answering questions like:
  • Who is attacking you?
  • What are their motivations and capabilities?
  • What IOCs should you look for in your systems?

Slide 6

Types of Intelligence

Tactical
• Malware analysis
• Threat Indicators
• Improve detection
Audience: SOC Analysts, SIEM, Endpoints, Detection Engineering

Operational
• Adversarial capabilities
• Infrastructure
• TTPs
Audience: Threat hunters, Incident Response, SOC Analysts

Strategic
• High level trends
• Adversarial motives
• Strategic decision
Audience: CISO, CIO, CTO, Executives

Slide 7

Threat Intelligence Process
Collect & classify intelligence reports:
• Advanced Persistent Threat, Threat Actors
• Tactics, Techniques and Procedures
• Vulnerability reports
Define your requirements.
Understand international relations and the geopolitical context.

Slide 8

Threat Intelligence Process
Collect & classify Indicators of Compromise (IOC):
• Incident Response
• Open-Source Intelligence (OSINT)
• Threat Hunting
Analyze & triage IOCs:
• Malware and/or vulnerability analysis
• Infrastructure mapping, new domains

Slide 9

Threat Intelligence Process
Hunt & pivot for new attacks:
• Create Yara, Sigma, Snort rules
• Identify code similarities
• Search for infrastructure overlap & passive DNS
• MassScanning to uncover new C2s
• Set up honeypots
• Get information from private sources
Understand victimology:
• Who/where are the targets? Which sectors?
• Make the connections to past attacks.
• Find a link with the geopolitical context.

Slide 10

Threat Intelligence Process
Share intelligence, dispatch IOCs, improve the knowledge base.
Iterate & improve the process.

Slide 11

Goal of the Lab
• Classify external threat reports and centralize the data
• Track IOCs and TTPs
• Analyze different kinds of data, such as data leaks, OSINT…
• Empower analysts with ready-to-use tools
• Articulate everything and build your Threat Intel practice

Slide 12

Lab Overview (diagram)
• OpenCTI: External Threat Reports, Tracking Threat Actors, TTPs
• ELK: Incident Response, Feeds, OSINT, Data Leaks, Other Data
• Jupyter Notebooks: Data Analytics, Malware Analysis, Intelligence Analysis
• Analysts

Slide 13

OpenCTI
• OpenCTI is a French Open-Source project.
• Used to classify and track threat actors
• Can be used to document actors, campaigns, tools and more…
• Modules can be easily added in Python for enrichment.
• API available for automations.
• OpenCTI - Open platform for cyber threat intelligence
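OpenCTI's data model is STIX 2.1 and it imports STIX bundles, so a classified external report can be centralised by turning it into one bundle (an intrusion set, its indicators, and "indicates" relationships). This is an added example using only the standard library, not OpenCTI's or pycti's code; the namespace UUID, actor name, domain and hash are constructed placeholders.

```python
"""Build a STIX 2.1 bundle from a classified threat report for import into OpenCTI.
Added example (stdlib only); the report values below are constructed placeholders."""
import json
import uuid
from datetime import datetime, timezone

# Deterministic ids (uuid5) make a re-import update objects instead of duplicating them.
NS = uuid.UUID("00000000-0000-0000-0000-000000000001")  # constructed namespace


def stix_id(obj_type: str, key: str) -> str:
    return f"{obj_type}--{uuid.uuid5(NS, obj_type + ':' + key)}"


def indicator(pattern: str, name: str, now: str) -> dict:
    return {"type": "indicator", "spec_version": "2.1", "id": stix_id("indicator", pattern),
            "created": now, "modified": now, "name": name,
            "pattern": pattern, "pattern_type": "stix", "valid_from": now}


def report_to_bundle(report: dict, now=None) -> dict:
    now = now or datetime.now(timezone.utc).isoformat(timespec="seconds").replace("+00:00", "Z")
    actor = {"type": "intrusion-set", "spec_version": "2.1",
             "id": stix_id("intrusion-set", report["actor"]),
             "created": now, "modified": now, "name": report["actor"]}
    objects = [actor]
    for domain in report.get("domains", []):
        objects.append(indicator(f"[domain-name:value = '{domain}']", domain, now))
    for sha256 in report.get("sha256", []):
        objects.append(indicator(f"[file:hashes.'SHA-256' = '{sha256}']", sha256, now))
    # Link every indicator to the actor so OpenCTI shows them on the actor's page.
    for ind in objects[1:]:
        objects.append({"type": "relationship", "spec_version": "2.1",
                        "id": stix_id("relationship", ind["id"] + actor["id"]),
                        "created": now, "modified": now, "relationship_type": "indicates",
                        "source_ref": ind["id"], "target_ref": actor["id"]})
    return {"type": "bundle", "id": stix_id("bundle", report["title"]), "objects": objects}


SAMPLE_REPORT = {  # constructed, not taken from any real report
    "title": "Example campaign report",
    "actor": "EXAMPLE-ACTOR",
    "domains": ["update-check.example.net"],
    "sha256": ["a" * 64],
}

if __name__ == "__main__":
    print(json.dumps(report_to_bundle(SAMPLE_REPORT), indent=2))
```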

Slide 14

No content

Slide 15

No content

Slide 16

ELK For Ingesting Data
• The ELK stack is a powerful tool to analyse data.
• The data can be ingested via Logstash.
• Kibana is used for creating dashboards and visualisations.
• ELK can be useful for all kinds of data analysis:
  • Data Leaks
  • Detection Logs
  • Monitoring
  • Anything else
Pipeline: Data -> Logstash (Data Processing) -> Elasticsearch (Storage) -> Kibana (Visualization)
*Logstash, Elasticsearch and Kibana are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.

Slide 17

Practical Example: ELK With Malware Bazaar
• Malware Bazaar is an open malware database
• It helps provide an overview of the data.
• Daily samples are uploaded and analysed by the community
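One way to feed Malware Bazaar data into ELK is to shape the API's recent-samples response (a query_status plus a data list of records with sha256_hash, first_seen, signature, tags and so on) into Elasticsearch bulk NDJSON, using the SHA-256 as the document id so a daily re-run updates rather than duplicates. Added example, not code from the talk or from abuse.ch; the index name and the payload below are constructed.

```python
"""Turn a Malware Bazaar API response into Elasticsearch bulk NDJSON for ingestion.
Added example; the payload is constructed to mirror the shape of the API's
get_recent response (query_status + data list), hashes are placeholders."""
import json
from datetime import datetime, timezone

INDEX = "malware-bazaar"  # assumed index name


def normalise(sample: dict) -> dict:
    """Map a Malware Bazaar record onto a flat document Kibana can facet on."""
    first_seen = datetime.strptime(sample["first_seen"], "%Y-%m-%d %H:%M:%S")
    return {
        "@timestamp": first_seen.replace(tzinfo=timezone.utc).isoformat(),
        "sha256": sample["sha256_hash"].lower(),
        "md5": sample.get("md5_hash"),
        "file_name": sample.get("file_name"),
        "file_type": sample.get("file_type"),
        "signature": sample.get("signature") or "unclassified",  # API returns null when unknown
        "tags": sample.get("tags") or [],
        "reporter": sample.get("reporter"),
    }


def to_bulk(payload: dict, index: str = INDEX) -> list:
    """Return NDJSON lines for the _bulk API; sha256 as _id so re-runs upsert."""
    if payload.get("query_status") != "ok":
        raise ValueError(f"Malware Bazaar query failed: {payload.get('query_status')}")
    lines = []
    for sample in payload["data"]:
        doc = normalise(sample)
        lines.append(json.dumps({"index": {"_index": index, "_id": doc["sha256"]}}))
        lines.append(json.dumps(doc))
    return lines


SAMPLE_PAYLOAD = {  # constructed; hashes are placeholders, not real samples
    "query_status": "ok",
    "data": [
        {"sha256_hash": "A" * 64, "md5_hash": "b" * 32, "first_seen": "2024-01-02 03:04:05",
         "file_name": "invoice.exe", "file_type": "exe", "signature": "AgentTesla",
         "tags": ["exe", "AgentTesla"], "reporter": "example_reporter"},
        {"sha256_hash": "c" * 64, "md5_hash": "d" * 32, "first_seen": "2024-01-02 03:05:00",
         "file_name": "doc.xlsx", "file_type": "xlsx", "signature": None,
         "tags": None, "reporter": "example_reporter"},
    ],
}

if __name__ == "__main__":
    # Post the output with: curl -H 'Content-Type: application/x-ndjson' --data-binary @body.ndjson http://localhost:9200/_bulk
    print("\n".join(to_bulk(SAMPLE_PAYLOAD)) + "\n")
```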

Slide 18

No content

Slide 19

Jupyter Lab
• JupyterLab is a web-based interactive development environment for notebooks, code, and data.
• It is a great tool to share your code with others.
• It can be used to create workflows and procedures.

Slide 20

Jupyter to ELK

Slide 21

Analyzing the data with Jupyter

Slide 22

MSTICpy
• Querying log data from multiple sources
• Machine learning analysis
• Extracting Indicators of Activity (IOA) from logs and unpacking encoded data
• Performing analysis such as anomalous session detection and time series decomposition
• Visualizing data using interactive timelines, process trees and multi-dimensional Morph Charts
• Enriching data with TI, geolocation…
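The "extract indicators from logs and unpack encoded data" step above, as an added example: refang defanged values, decode base64 blobs found in the lines, then pull out IPv4 addresses, URLs, domains and SHA-256 hashes. It uses only the standard library and is not MSTICpy's IoCExtract (which covers many more indicator types); the log lines are constructed.

```python
"""Extract indicators of activity from log lines (refang, base64 unpack, regex).
Added stdlib example, not MSTICpy's code; the sample log lines are constructed."""
import base64
import binascii
import re
from urllib.parse import urlparse

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256 = re.compile(r"\b[0-9a-fA-F]{64}\b")
URL = re.compile(r"https?://[^\s\"'<>]+")
# Bare domains outside URLs; the lookbehind skips file paths such as C:\x\p.exe
DOMAIN = re.compile(r"(?<![\\/])\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
B64 = re.compile(r"\b[A-Za-z0-9+/]{16,}={0,2}")


def refang(text: str) -> str:
    """Undo common defanging so the patterns match: hxxp -> http, [.] -> ., [:] -> :"""
    return text.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def unpack_base64(text: str) -> str:
    """Append decoded base64 chunks so indicators hidden inside them are also found."""
    extra = []
    for blob in B64.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if decoded.isprintable():  # skips hex hashes that happen to decode to binary
            extra.append(decoded)
    return " ".join([text, *extra])


def extract_iocs(lines) -> dict:
    found = {"ipv4": set(), "url": set(), "domain": set(), "sha256": set()}
    for line in lines:
        text = unpack_base64(refang(line))
        found["ipv4"].update(IPV4.findall(text))
        found["sha256"].update(h.lower() for h in SHA256.findall(text))
        for url in URL.findall(text):
            found["url"].add(url)
            host = urlparse(url).hostname or ""
            if host and not IPV4.fullmatch(host):
                found["domain"].add(host)
        found["domain"].update(d.lower() for d in DOMAIN.findall(URL.sub(" ", text)))
    return found


SAMPLE_LOGS = [  # constructed
    "2024-01-02T03:04:05Z proxy allow 10.0.0.5 -> hxxp://update-check[.]example[.]net/p.php",
    "2024-01-02T03:04:09Z edr hash=" + "A" * 64 + " path=C:\\Users\\x\\p.exe",
    "2024-01-02T03:04:12Z ps encoded=" + base64.b64encode(b"curl http://198.51.100.7/x").decode(),
]

if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_LOGS).items():
        print(kind, sorted(values))
```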

Slide 23

MSTICpy Enrichment

Slide 24

Take Away
• The amount of information available can be overwhelming.
• Threat Intelligence is the process of sorting and making sense of all the data.
• Threat Intelligence requires trained people.
• Open-source technologies can help and bolster your teams during investigation and analysis.
• Centralised platforms are great for getting a common knowledge base.
• Python and Jupyter empower analysts to make sense of the stored data.

Slide 25

Resources
• https://www.opencti.io/
• https://www.elastic.co/what-is/elk-stack
• https://jupyter.org/
• https://msticpy.readthedocs.io/
• https://bazaar.abuse.ch/
• https://www.flaticon.com/
• https://www.sans.org/tools/the-pyramid-of-pain/

Slide 26

THANK YOU
Thomas Roccia, @fr0gger