The Most Dangerous Game

A presentation about merging Threat Intelligence and DFIR by the team behind YoloThre.at.

Scott J. Roberts

February 03, 2015

  1. The Most Dangerous Game: Hunting Adversaries Across the Internet

  2. Kyle Maxwell, Super Special Security Researcher @ iDefense

  3. Scott J Roberts, Advanced Persistent Incident Responder @ GitHub

  4. How Kyle met Scott, or How Scott met Kyle

  5. If you are on the Twitter, we’re @kylemaxwell & @sroberts

  6. Intelligence Concepts: That everyone knows and already agrees on, right…?

  7. Data vs Intelligence: Intelligence has gone through the intelligence process. Data is a raw piece of information without context.

  8. Intelligence Cycle: Requirements ~ Collection ~ Processing ~ Analysis ~ Dissemination ~ Feedback

  9. F3EAD (while…): Find ~ Fix ~ Finish ~ Exploit ~ Analyze ~ Disseminate

  10. The Target

  11. What is Targeting? Making a plan for focusing threat research & investigation

  12. Targeting Methodologies: Actor Centric ~ Target Centric ~ Technology Centric

  13. Feeds: Needles in Haystacks

  14. “My 5.4 gazillion indicators can beat up your threat indicators. Garbage in garbage out #ThreatIntel” ~ Rick Holland

  15. Honeypots: Bringing the Bad Guys to You

  16. Low vs High Interaction: High interaction honeypots are a risky & complicated way to generate high quality intelligence. Low interaction honeypots are an easy way to get low value intel on commodity threats.

  17. Software: Old School: HoneyNet Project. New Hotness: Modern Honey Network by Threat Stream

  18. Vulnerability Information: Taking care of your Toys
  19. “Structured vulnerability analysis is not threat intelligence it is requirements gathering for threat intelligence.” ~ @selil

  20. Vendor Information: Blogs ~ Reports ~ Services & APIs

  21. Personal Aside to Vendors: If you’re going to release a report, blog post, etc: do not break the Cut and Copy actions

  23. Review Your Own Incidents: Mine that fancy Incident Management System…

  24. Review Others’ Incidents: By sharing or news mining

  25. The Hunt

  26. What to Analyze: Technical Sources

  27. What to Analyze: Hashes. Reversing: C2 info; developer artifacts. Sources: VxShare; VirusTotal; malwr.com

  28. What to Analyze: Passive DNS. Single most useful tool for infrastructure research. What resolved to what, and when? DNSDB (Farsight), PassiveTotal, VirusTotal

  29. What to Analyze: Whois. Tougher to acquire. WhoDat etc. for ongoing tracking

  30. What to Analyze: Actors

  31. What to Analyze: Criminal. Primary weapon: Google. Social media (Twitter, Facebook). Underground forums?

  32. What to Analyze: Espionage. This is hard. Malware & system artifacts; whois/registrar data; actions over target

  33. How to Keep Tracking

  34. Threat Library: CRITs is popular, MISP also. Lighter solutions often work. Market hasn’t fully addressed this

  35. Web Monitoring Systems: Netflix Scumblr meta search (works alongside Sketchy); Recorded Future; lots of custom development

  36. Malware Monitoring: VirusTotal is …; malware feeds with lots of custom internal solutions; Maltrieve, Viper, & Cuckoo

  37. Internal Logging: Firewall, IDS, & Proxy; Web, mail, & DNS; Authentication & Audit
  38. The “Kill”

  39. Incident Response: The Entire Goal… Right?

  40. The Imitation Game: Don’t let them know that you know that they know…

  41. Attribution: Probably doesn’t matter unless you can do this

  42. Handcuffs or Cruise Missiles

  43. KICK ‘EM OUT NOW! Sometimes it’s better to watch for a while

  44. Intel Driven Responses: Deny ~ Deceive ⁉️ ~ Degrade ⁉️ ~ Disrupt ⁉️ ~ Destroy ‼️

  45. Communication: Who can make use of this information? ~ Who might be able to provide additional intel?

  46. The Hunting Stories

  47. Products: IOCs & RFIs ~ Short Form Products ~ Long Form Products

  48. Audience: Internal - Team ~ Internal - Organization ~ External - Peers ~ External - Wide

  49. IOCs - Generalized: STIX & OpenIOC

  50. “you pretty much need a PHD in XML to understand either STIX or TAXII” ~ Jeff Bryner

  51. XKCD.com/927

  52. IOCs - Specialized: Yara: malware centric AV signature style IOCs, getting more advanced. Snort: go-to for network activity, comprehensive and well supported

  53. OH: “Yara is an antivirus that you update using git pull” ~ @tomchop_

  54. Requests For Intelligence: A Q/A requesting very specific intelligence ~ Shortest form possible ~ Fastest turnaround

  55. Short Form Products: Intermediate products to support incident response ~ Focus on actionable information

  56. Long Form Products: Comprehensive “All Source” intelligence products ~ Requires considerable time & a well rounded team

  57. The Surprise…

  58. You Can’t Download Threat Intelligence. Until now…

  59. The Surprise: Coming out of stealth today, our new startup…

  60. Announcement: yolothre.at has run out of runway (we used up our whole Starbucks gift card). So we’re open sourcing everything and going back to our old jobs...

  61. YoloThre.at: A collection of open source docker containers for Threat

  62. Including: Maltrieve: Malware Collection ~ Combine: Threat Feed Aggregator ~ Scumblr: Social Network Collection ~ CRITs: Intel Collection System ~ MISP: Malware Analysis Hub ~ ELK: Log Analysis ~ Viper: Malware Zoo System ~ Thug: Website Collection Tool ~ Yara: Malware Identification

  63. Review

  64. Review: The Target ~ The Hunt ~ The “Kill” ~ The Hunting Stories

  65. Questions?

  66. Thanks
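The passive DNS slide (28) reduces infrastructure research to one question: what resolved to what, and when. The following added example, which is not code from the deck or from YoloThre.at, shows the two pivots that question implies (name to address history, and address back to co-hosted names) over a small constructed record set; in practice the records would come from a provider such as DNSDB or PassiveTotal, and the record shape used here is an assumption.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PdnsRecord:
    rrname: str       # name that was observed being resolved
    rdata: str        # address it resolved to
    first_seen: date  # first observation of this name->address pair
    last_seen: date   # last observation of the pair


# Constructed sample records (not from a real pDNS provider); names and
# addresses are documentation placeholders, not real indicators.
RECORDS = [
    PdnsRecord("update-check.example", "198.51.100.10", date(2014, 11, 1), date(2014, 12, 15)),
    PdnsRecord("update-check.example", "203.0.113.7", date(2014, 12, 16), date(2015, 1, 20)),
    PdnsRecord("cdn-sync.example", "203.0.113.7", date(2014, 12, 20), date(2015, 1, 30)),
    PdnsRecord("old-news.example", "203.0.113.7", date(2013, 1, 1), date(2013, 6, 1)),
    PdnsRecord("shared-host.example", "198.51.100.10", date(2014, 11, 5), date(2014, 11, 30)),
]


def _overlaps(a: PdnsRecord, b: PdnsRecord) -> bool:
    """True when the two observation windows share at least one day."""
    return a.first_seen <= b.last_seen and b.first_seen <= a.last_seen


def resolutions(domain: str, records=RECORDS):
    """Timeline of what `domain` resolved to, oldest first, as ISO date strings."""
    hits = sorted((r for r in records if r.rrname == domain),
                  key=lambda r: (r.first_seen, r.rdata))
    return [(r.first_seen.isoformat(), r.last_seen.isoformat(), r.rdata) for r in hits]


def names_at(ip: str, day: str, records=RECORDS):
    """Names that pointed at `ip` on the given ISO date (reverse pivot, time-bounded)."""
    d = date.fromisoformat(day)
    return sorted({r.rrname for r in records
                   if r.rdata == ip and r.first_seen <= d <= r.last_seen})


def cohosted(domain: str, records=RECORDS):
    """Other names that shared an address with `domain` while `domain` used it.
    The overlap check keeps stale tenants of a recycled address out of the pivot."""
    seeds = [r for r in records if r.rrname == domain]
    found = {r.rrname for s in seeds for r in records
             if r.rrname != domain and r.rdata == s.rdata and _overlaps(s, r)}
    return sorted(found)


if __name__ == "__main__":
    print(resolutions("update-check.example"))
    print(names_at("203.0.113.7", "2015-01-10"))
    print(cohosted("update-check.example"))
```

Note that old-news.example is dropped from the co-hosting pivot even though it once shared the same address, because its window never overlaps the seed's; ignoring the "when" is how pDNS pivots drift into unrelated infrastructure.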