
Collecting information of targeted attacks by OSINT

AVTOKYO2015

I’d like to introduce how to collect information about the campaigns and attackers behind targeted attacks using OSINT.

(Part of this slide is not public.)
http://en.avtokyo.org/avtokyo2015/speakers#seraph

Akira Miyata(seraph)

October 23, 2016

Transcript

1. Who am I?
  - seraph (Akira Miyata)
  - Twitter: @Seraph39
  - Maybe I’m a malware analyst.
  - SANS Lethal Forensicator Coin Holder, 2014 Washington D.C. (FOR610)
    https://digital-forensics.sans.org/community/lethal-forensicator/coin-holders/m
2. Intelligence
  - HUMINT (HUMan INTelligence): intelligence gathered by means of interpersonal contact, including collaborators
  - SIGINT (SIGnals INTelligence): wiretapping; shortwave communication and satcom; PRISM; Upstream
    Elephant Cage and ECHELON at Misawa base: https://www.google.co.jp/maps/@40.7203821,141.3233764,1281m/data=!3m1!1e3
3. Intelligence
  - IMINT (IMagery INTelligence): imagery taken by reconnaissance satellites and aircraft
    Vladivostok base of the Russian military: https://www.google.co.jp/maps/@43.1072317,131.9145565,1466m/data=!3m1!1e3
4. Intelligence
  - OSINT (Open Source INTelligence): collecting information from open sources such as newspapers, television, radio, books, the Internet, etc.
    Note: public information may be incorrect.
  - MASINT (Measurement And Signatures INTelligence)
  - TECHINT (TECHnical INTelligence)
5. Flow to assess campaign attribution
  - Analysis of targeted email
  - Analysis of links, malware and tools
  - Investigating C2 servers
  - Collecting open source information
  - Analysis of collected information
6. Analysis of targeted email
  - Message body: characteristic strings or sentences
  - Originating IP address: erased case, hijacked case, mail relay server, free email
  - Characteristic mailer
7. Malware Analysis
  - Extension: exe, scr, cpl, etc.
  - Compression: zip, lzh, rar, 7z, etc.
  - Password used to communicate with the C2 server
  - Language information
  - Build time
8. Malware Analysis
  - Sandboxes: VirusTotal, Malwr, #totalhash, PAYLOAD SECURITY, ThreatExpert, threatcrowd
  - User Agent String.com
    https://totalhash.cymru.com/
    https://www.threatcrowd.org/
9. Investigating C2 servers
  - PassiveTotal, DNSDB, DomainTools, VirusTotal
  - These services provide passive DNS, so we can look up the IP addresses a domain used in the past.
    https://www.passivetotal.org
10. Collecting leaked data
  - PASTEBIN: leaked code, C2 server information
    Example: the domain name of a supposed Emdivi C2 server, http://pastebin.com/j4a1xxtR
  - WikiLeaks: CIA director John Brennan’s emails (within one month), https://wikileaks.org/cia-emails/
11. SNS
  - You might be able to identify the attacker by cross-checking whois information against SNS profiles.
  - Facebook, Twitter, LinkedIn, QQ, Weibo, etc.
12. APT information
  - APT Notes: a site that collects APT reports, etc.
  - Indicators are published in CSV, JSON and yara formats.
  - For example, APT Notes’ indicators can be matched against the collected information (domain names, IP addresses, etc.).
  - If nothing matches, there is a possibility that nobody knows the campaign or attacker yet.
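The indicator matching described on this slide, as an added example that is not part of the original deck: collected domains, IP addresses and hashes are normalised and looked up in a CSV indicator export. The CSV columns and all values are constructed placeholders (documentation-range IPs, `.invalid` domains), not real APT Notes data.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample in the spirit of a CSV indicator export. The column names
# are an assumption; a real APT Notes file may use different ones.
SAMPLE_CSV = """campaign,type,indicator
CampaignAlpha,domain,update.example-c2.invalid
CampaignAlpha,ip,192.0.2.10
CampaignBeta,domain,mail.example-beta.invalid
CampaignBeta,md5,d41d8cd98f00b204e9800998ecf8427e
"""

def normalise(kind, value):
    """Canonicalise an indicator so trivially different spellings still match."""
    value = value.strip()
    if kind == "domain":
        return value.lower().rstrip(".")          # case and trailing dot
    if kind == "ip":
        return str(ipaddress.ip_address(value))   # raises ValueError on junk
    return value.lower()                          # hashes: case-insensitive hex

def load_indicators(csv_text):
    """Build {(type, indicator): {campaigns}} from the CSV export."""
    index = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["type"], normalise(row["type"], row["indicator"]))
        index[key].add(row["campaign"])
    return index

def attribute(collected, index):
    """Match collected (type, value) pairs against the index.
    Returns (hits, unknown); an unmatched indicator may belong to a campaign
    nobody has documented yet, so it is reported rather than dropped."""
    hits, unknown = {}, []
    for kind, value in collected:
        try:
            key = (kind, normalise(kind, value))
        except ValueError:
            unknown.append((kind, value))
            continue
        if key in index:
            hits[key] = sorted(index[key])
        else:
            unknown.append((kind, value))
    return hits, unknown

if __name__ == "__main__":
    observed = [("domain", "UPDATE.example-c2.invalid."), ("ip", "192.0.2.10"),
                ("domain", "new.example-gamma.invalid")]
    print(attribute(observed, load_indicators(SAMPLE_CSV)))
```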
13. Analysis of collected information
  - Matching and analysis of collected information
  - Analysis and visualization: Analyst’s Notebook/iBase, Maltego
14. Conclusion
  - Everyone can easily collect APT information by OSINT.
  - Points:
    - It is difficult to verify that the information is correct.
    - For example, malware information alone is hard to interpret, so we need to investigate the combination of mails, tools, malware, C2 servers, etc.
    - When investigating, be aware that your queries leave logs behind.
    - When the sample set is large, for example many malware samples, the accuracy of the survey improves.