Practical Threat Intelligence How to Build Your Own Workflow Using Open Source to Monitor Modern Threats Thomas Roccia Sr. Security Researcher at Microsoft @fr0gger

WHOAMI Thomas Roccia Sr. Security Researcher at Microsoft From France to Australia https://SecurityBreak.io @fr0gger_

What will be covered? What is Threat Intelligence? How to deal with a huge amount of data? Overview of the LAB Introducing OpenCTI ElasticSearch for other data intelligence The power of Jupyter

INFOBESITY Geopolitics Affiliates Nation-State

What is Threat Intelligence? • Threat Intelligence is knowledge that allows you to prevent or mitigate cyberattacks. • Rooted in data, threat intelligence gives you context that helps you make informed decisions about your security by answering questions like: • Who is attacking you? • What their motivations and capabilities? • What IOCs in your system to look for?

Types of Intelligence Tactical •Malware analysis •Threat Indicators •Improve detection Operational •Adversarial capabilities •Infrastructure •TTPs Strategic •High level trends •Adversarial motives •Strategic decision SOC Analysts, SIEM, Endpoints, Detection Engineering Threat hunters, Incident Response, SOC Analysts CISO, CIO, CTO, Executives

Threat Intelligence Process Collect & classify intelligence reports: • Advanced Persistent Threat, Threat Actors • Tactics, Techniques and Procedures • Vulnerability reports Define your requirements. Understand international relations and the geopolitical context.

Threat Intelligence Process Collect & classify Indicators of Compromise (IOC): • Incident Response • Open-Source Intelligence (OSINT) • Threat Hunting Analyze & triage IOCs: • Malware and/or vulnerability analysis • Infrastructures mapping. New domains.

Threat Intelligence Process Hunt & pivot for new attacks: • Create Yara, Sigma, Snort Rules • Identify code similarities • Search for infrastructure overlap & passive DNS • MassScanning to uncover new C2s • Set up honeypots • Get information from private sources Understand victimology: • Who/where are the targets? Which sectors? • Make the connections to past attacks. • Find a link with the geopolitical context.

Threat Intelligence Process Share intelligence, dispatch IOCs, improve the knowledge base. Iterate & improve the process.

Goal of the Lab Classify external threat reports and centralize the data Track IOCs and TTPS Analyze different kind of data, such as data leaks, OSINT… Empower analysts with ready to use tools Articulate everything and build your Threat Intel Practice

Lab Overview OpenCTI ELK External Threat Reports Tracking Threat Actors TTPs Incident Response Feeds OSINT Data Leaks Other Data Jupyter Notebooks Data Analytics Malware Analysis Intelligence Analysis Analysts

OpenCTI • OpenCTI is a French Open-Source project. • Used to classify and track threat actors • Can be used to document actors, campaigns, tools and more… • Modules can be easily added in Python for enrichment. • API available for automations. • OpenCTI - Open platform for cyber threat intelligence

No content

No content

ELK For Ingesting data • The ELK stack is a powerful tool to analyse data. • The data can be ingested via LogStash. • Kibana is used for creating dashboards and visualisation. • ELK can be useful for all kind of data analysis. • Data Leaks • Detection Logs • Monitoring • Anything else Data Logstash Elasticsearch Kibana Data Processing Storage Visualization *Logstash, Elasticsearch and Kibana are trademark of Elasticsearch BV, registered in the U.S. and in other countries.

Practical Example ELK With Malware Bazaar • Malware Bazaar is an open malware database • It helps provides an overview of the data. • Daily samples are uploaded and analysed by the community

No content

Jupyter Lab • JupyterLab is a web-based interactive development environment for notebooks, code, and data. • It is a great tool to share your code with others. • It can be used to create workflows and procedures.

Jupyter to ELK

Analyzing the data with Jupyter

MSTICpy Querying log data from multiple sources Machine learning analysis Extracting Indicators of Activity (IOA) from logs and unpack encoded data Performing analysis such as anomalous session detection and time series decomposition Visualizing data using interactive timelines; process trees and multidimension Morph Charts Enriching data with TI, geolocalisation…

MSTICpy Enrichment

Take Away The amount of information available can be overwhelming. Threat Intelligence is the process of sorting and making sense of all the data. Threat Intelligence requires trained people. Open-source technologies can help and bolster your teams during investigation and analysis. Centralised platforms are great for getting a common knowledge base. Python and Jupyter empowers analysts and make sense of the stored data.

Resources • https://www.opencti.io/ • https://www.elastic.co/what-is/elk-stack • https://jupyter.org/ • https://msticpy.readthedocs.io/ • https://bazaar.abuse.ch/ • https://www.flaticon.com/ • https://www.sans.org/tools/the-pyramid-of-pain/

THANK YOU Thomas Roccia @fr0gger