Slide 1

The Most Dangerous Game: Hunting Adversaries Across the Internet

Slide 2

Kyle Maxwell, Super Special Security Researcher @ iDefense

Slide 3

Scott J Roberts, Advanced Persistent Incident Responder @ GitHub

Slide 4

How Kyle met Scott, or How Scott met Kyle

Slide 5

If you are on the Twitter we’re @kylemaxwell & @sroberts #YOLOTHREAT

Slide 6

Intelligence Concepts: That everyone knows and already agrees on, right…?

Slide 7

Data vs Intelligence
• Data is a raw piece of information without context
• Intelligence has gone through the intelligence process

Slide 8

Intelligence Cycle: Requirements → Collection → Processing → Analysis → Dissemination → Feedback

Slide 9

F3EAD While…
Find → Fix → Finish → Exploit → Analyze → Disseminate

Slide 10

The Target

Slide 11

What is Targeting? Making a plan for focusing threat research & investigation

Slide 12

Targeting Methodologies: Actor Centric ~ Target Centric ~ Technology Centric

Slide 13

Feeds: Needles in Haystacks

Slide 14

“My 5.4 gazillion indicators can beat up your threat indicators. Garbage in, garbage out #ThreatIntel” ~ Rick Holland

Slide 15

Honeypots: Bringing the Bad Guys to You

Slide 16

Low vs High Interaction
• High interaction honeypots are a risky & complicated way to generate high quality intelligence
• Low interaction honeypots are an easy way to get low value intel on commodity threats

Slide 17

Software
• Old School: HoneyNet Project
• New Hotness: Modern Honey Network by ThreatStream

Slide 18

Vulnerability Information: Taking Care of Your Toys

Slide 19

“Structured vulnerability analysis is not threat intelligence; it is requirements gathering for threat intelligence.” ~ @selil

Slide 20

Vendor Information: Blogs ~ Reports ~ Services & APIs

Slide 21

Personal Aside to Vendors: If you’re going to release a report, blog post, etc., do not break the Cut and Copy actions

Slide 22

No content

Slide 23

Review Your Own Incidents: Mine that fancy Incident Management System…

Slide 24

Review Others’ Incidents: By sharing or news mining

Slide 25

The Hunt

Slide 26

What to Analyze: Technical Sources

Slide 27

What to Analyze: Hashes
Reversing:
• C2 info
• Developer artifacts
Sources:
• VxShare
• VirusTotal
• malwr.com

Slide 28

What to Analyze: Passive DNS
• Single most useful tool for infrastructure research
• What resolved to what, and when?
• DNSDB (Farsight), PassiveTotal, VirusTotal
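The slide's question, "what resolved to what, and when?", is the whole pivoting workflow in one line, so here is an added example of it in working code. This is not the speakers' code and does not use any of the providers named on the slide; the records, names (`.example`) and addresses (RFC 5737 documentation ranges) are constructed for the example. It does the two-hop pivot an analyst does by hand (seed domain → IPs it resolved to → other names on those IPs during the same window) and handles the failure mode that bites beginners: a shared-hosting, CDN or sinkhole IP with dozens of unrelated names, which is skipped rather than linked, and a name that sat on the same IP in a non-overlapping period, which is filtered out by the time windows.

```python
"""Passive DNS pivoting over a constructed record set (example code).

Each record answers "what resolved to what, and when?". The data below is
constructed for this example; real records would come from a passive DNS
provider.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set


@dataclass(frozen=True)
class PdnsRecord:
    rrname: str      # queried name
    rdata: str       # answer (IPv4 address; A records only in this example)
    first_seen: date
    last_seen: date


# Constructed sample data (not real infrastructure).
RECORDS: List[PdnsRecord] = [
    PdnsRecord("update-check.example", "198.51.100.20", date(2015, 1, 5), date(2015, 3, 1)),
    PdnsRecord("update-check.example", "203.0.113.9", date(2015, 3, 2), date(2015, 4, 10)),
    # Overlaps the seed's time on 203.0.113.9: a genuine pivot.
    PdnsRecord("cdn-status.example", "203.0.113.9", date(2015, 3, 5), date(2015, 5, 1)),
    # Same IP, but a year earlier: a previous tenant, not related infrastructure.
    PdnsRecord("mail-relay.example", "203.0.113.9", date(2014, 6, 1), date(2014, 12, 31)),
    # 192.0.2.1 is a busy shared host with many unrelated names: a classic false pivot.
    *[PdnsRecord(f"site{i}.example", "192.0.2.1", date(2015, 1, 1), date(2015, 6, 1))
      for i in range(50)],
    PdnsRecord("update-check.example", "192.0.2.1", date(2014, 1, 1), date(2014, 5, 30)),
]


def overlaps(a: PdnsRecord, b: PdnsRecord) -> bool:
    """True when the two records' observation windows intersect."""
    return a.first_seen <= b.last_seen and b.first_seen <= a.last_seen


def resolutions(records: List[PdnsRecord], name: str) -> List[PdnsRecord]:
    """First hop: every IP the seed name resolved to, with its time window."""
    return [r for r in records if r.rrname == name]


def cohosted(records: List[PdnsRecord], anchor: PdnsRecord, max_names: int = 10) -> Set[str]:
    """Second hop: other names on the anchor's IP whose window overlaps the anchor's.

    An IP hosting more than max_names distinct names is treated as shared
    hosting / CDN / sinkhole space and yields nothing, because pivoting
    through it links unrelated infrastructure.
    """
    on_ip = [r for r in records if r.rdata == anchor.rdata]
    if len({r.rrname for r in on_ip}) > max_names:
        return set()
    return {r.rrname for r in on_ip if r.rrname != anchor.rrname and overlaps(r, anchor)}


def pivot(records: List[PdnsRecord], seed: str, max_names: int = 10) -> Dict[str, Set[str]]:
    """Seed domain -> IPs -> time-overlapping co-hosted domains.

    Returns {ip: {related names}}; noisy IPs map to an empty set so the
    analyst still sees the IP was used but is not handed false links.
    """
    result: Dict[str, Set[str]] = {}
    for rec in resolutions(records, seed):
        result.setdefault(rec.rdata, set()).update(cohosted(records, rec, max_names))
    return result


if __name__ == "__main__":
    for ip, names in pivot(RECORDS, "update-check.example").items():
        print(f"{ip}: {sorted(names) or '(no overlapping co-hosted names)'}")
```

With the constructed data the only link that survives is `cdn-status.example` via 203.0.113.9; `mail-relay.example` drops out on time and the fifty `siteN.example` names drop out because 192.0.2.1 exceeds the name threshold. The threshold is a tunable, not a constant of nature: CDNs and parked-domain providers need a lower one, and a dedicated C2 host can legitimately carry a handful of names.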

Slide 29

What to Analyze: Whois
• Tougher to acquire
• WhoDat etc. for ongoing tracking

Slide 30

What to Analyze: Actors

Slide 31

What to Analyze: Criminal
• Primary weapon: Google
• Social media (Twitter, Facebook)
• Underground forums?

Slide 32

What to Analyze: Espionage
• This is hard
• Malware & system artifacts
• Whois/registrar data
• Actions over target

Slide 33

How to Keep Tracking

Slide 34

Threat Library
• CRITs is popular, MISP also
• Lighter solutions often work
• Market hasn’t fully addressed this

Slide 35

Web Monitoring Systems
• Netflix Scumblr Meta Search (works alongside Sketchy)
• Recorded Future
• Lots of custom development

Slide 36

Malware Monitoring
• VirusTotal is
• Malware feeds with lots of custom internal solutions
• Maltrieve, Viper, & Cuckoo

Slide 37

Internal Logging
• Firewall, IDS, & Proxy
• Web, mail, & DNS
• Authentication & Audit

Slide 38

The “Kill”

Slide 39

Incident Response: The Entire Goal… Right?

Slide 40

The Imitation Game: Don’t let them know that you know that they know…

Slide 41

Attribution: Probably doesn’t matter unless you can do this

Slide 42

Handcuffs or Cruise Missiles

Slide 43

KICK ‘EM OUT NOW! Sometimes it’s better to watch for a while

Slide 44

Intel Driven Responses: Deny, Deceive ⁉️, Degrade ⁉️, Disrupt ⁉️, Destroy ‼️

Slide 45

Communication: Who can make use of this information? ~ Who might be able to provide additional intel?

Slide 46

The Hunting Stories

Slide 47

Products: IOCs & RFIs ~ Short Form Products ~ Long Form Products

Slide 48

Audience: Internal - Team ~ Internal - Organization ~ External - Peers ~ External - Wide

Slide 49

IOCs - Generalized: STIX & OpenIOC

Slide 50

“You pretty much need a PhD in XML to understand either STIX or TAXII” ~ Jeff Bryner

Slide 51

XKCD.com/927

Slide 52

IOCs - Specialized
• Yara: Malware centric, AV signature style IOCs, getting more advanced
• Snort: Go-to for network activity, comprehensive and well supported

Slide 53

“OH: ‘Yara is an antivirus that you update using git pull’” ~ @tomchop_

Slide 54

Requests For Intelligence: A Q/A requesting very specific intelligence ~ Shortest form possible ~ Fastest turnaround

Slide 55

Short Form Products: Intermediate products to support incident response ~ Focus on actionable information

Slide 56

Long Form Products: Comprehensive “All Source” intelligence products ~ Requires considerable time & a well-rounded team

Slide 57

The Surprise…

Slide 58

You Can’t Download a Threat Intelligence… Until now….

Slide 59

The Surprise: Coming out of Stealth Today, our new Startup… YOLOTHRE.At

Slide 60

Announcement: yolothre.at has run out of runway (we used up our whole Starbucks gift card), SO we’re open sourcing everything and going back to our old jobs...

Slide 61

YoloThre.at: A collection of open source Docker containers for Threat Intel

Slide 62

Including:
• Maltrieve: Malware Collection
• Combine: Threat Feed Aggregator
• Scumblr: Social Network Collection
• CRITs: Intel Collection System
• MISP: Malware Analysis Hub
• ELK: Log Analysis
• Viper: Malware Zoo System
• Thug: Website Collection Tool
• Yara: Malware Identification

Slide 63

Review

Slide 64

Review: The Target ~ The Hunt ~ The “Kill” ~ The Hunting Stories

Slide 65

Questions?

Slide 66

Thanks

Slide 67

No content