John Bambenek
VP, Security Research and Intelligence, ThreatSTOP
War Stories on Using Automated Threat
Intelligence for Defense
About me
• SANS ISC Handler
• VP of Security Research and Intelligence at ThreatSTOP
• Lecturer at the University of Illinois at Urbana-Champaign
• Producer of open-source threat feeds
• Involved in DNC, DCCC, et al investigations in 2016
The Problem – the “too much” issues
• “1,000,000 unfilled cybersecurity jobs”
• Too much work and not enough skilled people to do it.
• Too much data, no clear prioritization.
• Too much manual work to investigate and respond to incidents.
• What’s Worth Responding To? What is the Intention of the Attacker?
The Problem in Numbers
• Average dwell time during a breach: 4-5 months
• Percentage of breaches where evidence was in logs: 80+%
• These two data points mean that if a SOC knew what to look for and
had the tools to respond quickly, a great deal of damage could be
mitigated.
The Problem Illustrated (from Virustotal)
The Reality
• There is a much smaller set of actual malware tools; many are used by multiple people.
• Problem: How to use this data effectively?
• How to manage large data sets to correlate behavior over time?
Pyramid of Pain
War Story #1 – Election Hacking
• Brief overview of DNC, et al related hacks.
• The private sector was “highly confident” of FSB/GRU attribution even
before the news was released in the summer of 2016.
• We have a long history with APT 28/29, with a variety of TTPs and other info that allowed not just the responders, but those who verified the work of responders, to make determinations quickly.
• And see what they were doing during the French Presidential Election, and
some 2018 activity….
Stuff we know now
War Story #1 – Election Hacking
• TTP – likes impersonating “vendors”/“partners”.
• MIS Department in case of DNC
• Using DomainTools Brand Monitor or Farsight Brand Sentry,
you can proactively look for impersonation.
• WHOIS details also provide clues.
WHOIS Registrant Intel
• Often actors may re-use registrant information across
different campaigns. There may be other indicators too.
• Sometimes *even with WHOIS privacy protection* it may
be possible to correlate domains and by extension the
actor.
• Most criminal prosecutions in cybercrime result from an OPSEC failure and from the ability to map backwards in time through what the actor did, to find the failure that exposes them.
War Story #1 – Election Hacking
Maltego graph from Motherboard: https://motherboard.vice.com/en_us/article/vvaxy8/evidence-linking-russian-hackers-fancy-bear-to-macron-phishing
War Story #1 – Election Hacking
• Trend Micro was looking for domains with “en-marche” in
the name and found 4.
• En Marche! said they fed fake information to the adversary.
• Contrast with American response.
• You COULD hack back here… but why?
• There are dangers of deception though.
What we can do in 2018?
• Because of the sheer number of targets, any in-depth attempt to target political or election organizations will be “loud”.
• If data is shared (IPs, domains, etc), AND you automatically block
them, you can have a good layer of protection.
• MS-ISAC, DHS AIS, other…
Malware Configs
• Every malware has different configurable items.
• Not every configuration item is necessarily valuable for intelligence
purposes. Some items may have default values.
• Free-form text fields provide interesting data that may be useful for
correlation.
• Mutex can be useful for correlating binaries to the same actor.
• How to get to the identity of someone using Cobalt Strike to attack you?
• KEY POINT: Non-operational data is still useful for intelligence purposes.
Where to get Malware
• Everyone uses Virustotal
• You can buy a malware feed…
• Better is to mine your spam / e-mail for attacks.
• This is the targeted malware no one can sell you.
• Eliminate malware already seen by VT (or other sources); what remains is unique.
• Who are the repeat visitors? Advanced attackers need to
go low and slow...
Sample DarkComet Data
• Key: CampaignID Value: Guest16
• Key: Domains Value: 06059600929.ddns.net:1234
• Key: FTPHost Value:
• Key: FTPKeyLogs Value:
• Key: FTPPassword Value:
• Key: FTPPort Value:
• Key: FTPRoot Value:
• Key: FTPSize Value:
• Key: FTPUserName Value:
• Key: FireWallBypass Value: 0
• Key: Gencode Value: 3yHVnheK6eDm
• Key: Mutex Value: DC_MUTEX-W45NCJ6
• Key: OfflineKeylogger Value: 1
• Key: Password Value:
• Key: Version Value: #KCMDDC51#
Sample njRat config
• Key: Campaign ID Value: 1111111111111111111
• Key: Domain Value: apolo47.ddns.net
• Key: Install Dir Value: UserProfile
• Key: Install Flag Value: False
• Key: Install Name Value: svchost.exe
• Key: Network Separator Value: |'|'|
• Key: Port Value: 1177
• Key: Registry Value Value: 5d5e3c1b562e3a75dc95740a35744ad0
• Key: version Value: 0.6.4
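The correlation the “Malware Configs” slide describes, worked through on the two config dumps above, as an added example (not code from the slides or from ThreatSTOP): blank and low-signal fields are dropped, builder defaults are ignored, and the remaining values are pivoted across samples. The sample ids and the second DarkComet and njRat builds (b2, d4) are constructed for this example.

```python
"""Correlate RAT configuration dumps on shared, non-default field values.

Added example (not from the slides or any ThreatSTOP tool). The input mimics the
'Key: X Value: Y' layout of the DarkComet and njRat dumps on the slides; the
samples b2 and d4, and all sample ids, are constructed for this example.
"""
import re
from collections import defaultdict

# Builders name the same item differently per family; fold them onto one name
# so a DarkComet 'Domains' entry and an njRat 'Domain' entry can be compared.
KEY_ALIASES = {"Domains": "Domain", "CampaignID": "Campaign", "Campaign ID": "Campaign"}

# Flags, versions and install parameters are shared by unrelated operators, so
# matching on them proves nothing about common authorship.
LOW_SIGNAL_KEYS = {"Version", "FireWallBypass", "OfflineKeylogger", "Install Flag",
                   "Install Dir", "Install Name", "Network Separator", "Port"}

# Builder defaults look like free-form text but were never chosen by the operator.
# 'Guest16' is the widely reported DarkComet default campaign id (assumption).
KNOWN_DEFAULTS = {("Campaign", "Guest16")}

# Greedy key match so 'Key: Registry Value Value: abc' splits on the LAST 'Value:'.
KV_RE = re.compile(r"^Key:\s*(?P<key>.+)\s+Value:\s*(?P<value>.*)$")


def parse_config(dump):
    """Parse slide-style 'Key: X Value: Y' lines into a dict; blank values are dropped."""
    config = {}
    for raw in dump.splitlines():
        match = KV_RE.match(raw.strip().lstrip("•").strip())
        if not match:
            continue
        key = match.group("key").strip()
        key = KEY_ALIASES.get(key, key[0].upper() + key[1:])  # 'version' -> 'Version'
        value = match.group("value").strip()
        if value:  # empty FTP* fields etc. carry no intelligence value
            config[key] = value
    return config


def normalize(key, value):
    """Canonicalize values so trivially different spellings still collide."""
    if key == "Domain":
        return value.split(":")[0].lower()  # 'HOST:1234' and 'host' are the same C2
    return value


def correlate(samples):
    """Return {(key, value): [sample ids]} for every value seen in two or more samples."""
    index = defaultdict(set)
    for sample_id, config in samples.items():
        for key, value in config.items():
            if key in LOW_SIGNAL_KEYS:
                continue
            pivot = (key, normalize(key, value))
            if pivot in KNOWN_DEFAULTS:
                continue
            index[pivot].add(sample_id)
    return {pivot: sorted(ids) for pivot, ids in index.items() if len(ids) > 1}


DARKCOMET_SLIDE = """\
• Key: CampaignID Value: Guest16
• Key: Domains Value: 06059600929.ddns.net:1234
• Key: FTPHost Value:
• Key: FireWallBypass Value: 0
• Key: Gencode Value: 3yHVnheK6eDm
• Key: Mutex Value: DC_MUTEX-W45NCJ6
• Key: OfflineKeylogger Value: 1
• Key: Version Value: #KCMDDC51#
"""
# Constructed second DarkComet build: new C2, same builder-generated mutex.
DARKCOMET_B = """\
• Key: CampaignID Value: Guest16
• Key: Domains Value: second-c2.example.test:1604
• Key: Gencode Value: Qp0zLm7sUt1V
• Key: Mutex Value: DC_MUTEX-W45NCJ6
• Key: Version Value: #KCMDDC51#
"""
NJRAT_SLIDE = """\
• Key: Campaign ID Value: 1111111111111111111
• Key: Domain Value: apolo47.ddns.net
• Key: Install Flag Value: False
• Key: Install Name Value: svchost.exe
• Key: Network Separator Value: |'|'|
• Key: Port Value: 1177
• Key: Registry Value Value: 5d5e3c1b562e3a75dc95740a35744ad0
• Key: version Value: 0.6.4
"""
# Constructed njRat build pointing at the same dynamic-DNS host on another port.
NJRAT_D = """\
• Key: Campaign ID Value: HacKed
• Key: Domain Value: APOLO47.ddns.net
• Key: Port Value: 5552
• Key: Registry Value Value: 0f1e2d3c4b5a69788796a5b4c3d2e1f0
• Key: version Value: 0.7d
"""
SAMPLES = {sid: parse_config(text) for sid, text in
           [("a1", DARKCOMET_SLIDE), ("b2", DARKCOMET_B), ("c3", NJRAT_SLIDE), ("d4", NJRAT_D)]}


def clusters():
    return correlate(SAMPLES)


if __name__ == "__main__":
    for (key, value), ids in sorted(clusters().items()):
        print(f"{key}={value!r} shared by {', '.join(ids)}")
```

Running it links a1 and b2 through the mutex and c3 and d4 through the dynamic-DNS host, while the shared “Guest16” campaign id and identical version strings produce no link.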
All the fields…
• ActivateKeylogger,ActiveXKey,ActiveXStartup,AddToRegistry,AntiKillProcess,BypassUAC,CONNECTION_TIME,Campaign,ChangeCreationDate,ClearAccessControl,ClearZoneIdentifier,ConnectDelay,CustomRegKey,CustomRegName,CustomRegValue,DELAY_CONNECT,DELAY_INSTALL,Date,DebugMsg,Domain,EnableDebugMode,EnableMessageBox,EncryptionKey,Error,ExeName,FTPDirectory,FTPHost,FTPInterval,FTPKeyLogs,FTPPassword,FTPPort,FTPRoot,FTPServer,FTPSize,FTPUser,FireWallBypass,FolderName,Gencode,GoogleChromePasswords,Group,HKCU,HKLM,HideFile,ID,INSTALL,INSTALL_TIME,Injection,InstallDir,InstallDirectory,InstallFileName,InstallFlag,InstallFolder,InstallMessageBox,InstallMessageTitle,InstallName,JAR_EXTENSION,JAR_FOLDER,JAR_NAME,JAR_REGISTRY,JRE_FOLDER,KeyloggerBackspace=Delete,KeyloggerEnableFTP,KillAVG2012-2013,MPort,MeltFile,MessageBoxButton,MessageBoxIcon,MsgBoxText,MsgBoxTitle,Mutex,NICKNAME,NetworkSeparator,OS,OfflineKeylogger,Origin,P2PSpread,PLUGIN_EXTENSION,PLUGIN_FOLDER,Password,Perms,Persistance,Port,PreventSystemSleep,PrimaryDNSServer,ProcessInjection,RECONNECTION_TIME,REGKeyHKCU,REGKeyHKLM,RegistryValue,RequestElevation,RestartDelay,RetryInterval,RunOnStartup,SECURITY_TIMES,ServerID,SetCriticalProcess,StartUpName,StartupPolicies,TI,TimeOut,USBSpread,UseCustomDNS,VBOX,VMWARE,Version,_raw,_time,adaware,ahnlab,baidu,bull,clam,comodo,compile_date,date_hour,date_mday,date_minute,date_month,date_second,date_wday,date_year,date_zone,escan,eventtype,fprot,fsecure,gdata,host,ikarus,immunet,imphash,index,k7,linecount,magic,malw,mc,mcshield,md5,nano,norman,norton,outpost,panda,product,proex,prohac,quickheal,rat_name,resys,run_date,section_,section_.BSS,section_.DATA,section_.IDATA,section_.ITEXT,section_.RDATA,section_.RELOC,section_.RSRC,section_.TEXT,section_.TLS,section_AKMBCZMH,section_BSS,section_CODE,section_DATA,section_ELTQHVWF,section_VDOJLYFM,section_YRKCHNMU,sha1,sha256,source,sourcetype,splunk_server,splunk_server_group,spybot,super,tag,tag::eventtype,taskmgr,times_submitted,timestamp,trend,uac,unique_sources,unthreat,vendor,vipre,windef,wire
© Fidelis Cybersecurity. All rights reserved.
War Story #2 – Understanding Locky
• Locky uses a combination of static domains and a DGA for C2.
• Has an affiliate program.
• Seems to heavily favor Necurs for delivery (but not exclusively)
War Story #2 – Understanding Locky
War Story #2 – Understanding Locky
• We know there is a close relationship between Necurs and Locky. (What about specific affiliates?)
• We can see it’s likely the Locky operator runs C2 infrastructure on behalf of affiliates.
• This can inform prosecutorial decisions or potential “hack back” operations (i.e. stealing encryption keys)
Using DNS to Track the Adversary
• Only certain ways you can contact a C2 server:
• Static IP / Hostname Lists
• Proxied C2s
• Dynamic DNS
• Fast Flux / Double Flux Networks
• Domain Generation Algorithms
• Tor / i2p hidden services
Domain Generation Algorithms
• Usually a complex math algorithm to create pseudo-random but predictable domain names.
• Now instead of a static list, you have a dynamic list of hundreds or thousands of domains, and the adversary only needs to have a couple registered at a time.
• Can search for “friendly” registrars to avoid suspension.
Reverse Engineering DGAs
• Many blog posts about reversing specific DGAs; Johannes Bader has the most online at his blog:
• Johannesbader.ch
• No real shortcuts except working through IDA/debugger and reversing the function.
• Look for functions that iterate many times.
• There will be at least a function to generate the domains and a function to connect to all of them to find the C2.
• As with all reverse engineering, be aware of obfuscation and decoy code meant to deceive you.
Types of DGAs
• Almost all DGAs use some type of “seed”.
• Types:
• Date-based
• Static seed
• Dynamic seed
• Seed has to be globally consistent so all victims use the same one at the same time.
Feed generation on DGAs
• sjuemopwhollev.co.uk,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13
• meeeqyblgbussq.info,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13
• ntjqyqhqwcwost.com,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13,
• nvtvqpjmstuvju.net,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13
• olyiyhprjuwrsl.biz,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13
• sillomslltbgyu.ru,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13
• gmqjihgsfulcau.org,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13,
• From here you could easily feed this into RPZ or other technology to
protect your organization.
DGA surveillance
• Pre-generate all domains from 2 days in the past to 2 days in the future.
• Pipe all those domains into adnshost using parallel to limit the number of lines.
• Able to process over 700,000 domains inside 10 minutes (and I’m not done optimizing).
• parallel -j4 --max-lines=3500 --pipe adnshost -a -f < $list-of-domains | fgrep -v nxdomain >> $outputfile
New Matsnu domains registered
What to do with this data?
• With IP addresses, you can just block them at the firewall.
• Inbound **AND** outbound traffic.
• If you control DNS, you control the endpoint. Use a DNS Firewall!
• Which means you can limit what the device can talk to in order to prevent
exploitation or command-and-control.
• DNS is on everything… even IoT devices!
What is a DNS Firewall?
• Uses RPZ (Response Policy Zones) or the Microsoft equivalent.
• Response Policy Zones are zone files you put into your DNS resolver
that can block, redirect, or alert on specific queries.
• Can flag on:
• Specific hostname, domain, or TLD (i.e. www.google.com or *.ru)
• The resolved IP address
• The authoritative nameserver hostnames used
• The authoritative nameserver IP addresses used
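An added example serving both the DGA feed sample above (“From here you could easily feed this into RPZ”) and the four trigger types this slide lists: it turns feed rows into a BIND Response Policy Zone. This is not code from the slides or from ThreatSTOP; the three CSV rows are copied from the feed sample, while the serial, the sinkhole name and every IP and nameserver value are constructed placeholders.

```python
"""Turn an indicator feed into a BIND Response Policy Zone (RPZ).

Added example (not from the slides or any ThreatSTOP product). The CSV rows are
copied from the Cryptolocker feed sample on the slides; the IP, nameserver and
sinkhole values used in the tests are constructed placeholders.
"""
import csv
import io
import ipaddress

# Feed format used on the slides: domain,description,date (one row has a stray
# trailing comma, exactly as it appears on the slide).
FEED_CSV = """\
sjuemopwhollev.co.uk,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13
meeeqyblgbussq.info,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13
ntjqyqhqwcwost.com,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13,
"""

# RPZ encodes the policy action as the CNAME target of the trigger record.
ACTIONS = {
    "nxdomain": "CNAME .",              # block: answer NXDOMAIN
    "nodata": "CNAME *.",               # block: answer NODATA
    "drop": "CNAME rpz-drop.",          # block: send no answer at all
    "passthru": "CNAME rpz-passthru.",  # allow; BIND still logs the hit, i.e. an alert
}


def parse_feed(text):
    """Return [(domain, description, date)], tolerating the stray trailing comma."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        cells = [c.strip() for c in row if c.strip()]
        if len(cells) >= 3:
            rows.append((cells[0].lower().rstrip("."), cells[1], cells[2]))
    return rows


def rpz_ip_owner(cidr, trigger="rpz-ip"):
    """Encode an IPv4 prefix as an RPZ IP trigger: <prefixlen>.<reversed octets>.<trigger>."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("this example only encodes IPv4 triggers")
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}.{'.'.join(reversed(octets))}.{trigger}"


def build_rpz(domains, action="nxdomain", serial=1, redirect=None,
              answer_ips=(), ns_names=(), ns_ips=()):
    """Return the zone as a list of text lines.

    Covers the four triggers on the slide: QNAME (domains), the resolved IP
    (answer_ips -> rpz-ip), nameserver hostname (rpz-nsdname) and nameserver IP (rpz-nsip).
    'redirect' points hits at a sinkhole/walled-garden host instead of blocking.
    """
    target = f"CNAME {redirect.rstrip('.')}." if redirect else ACTIONS[action]
    lines = [
        "$TTL 300",
        f"@ SOA localhost. root.localhost. {serial} 3600 600 86400 300",
        "@ NS localhost.",
    ]
    for d in domains:
        lines.append(f"{d} {target}")      # the exact name...
        lines.append(f"*.{d} {target}")    # ...and every label beneath it
    for cidr in answer_ips:
        lines.append(f"{rpz_ip_owner(cidr, 'rpz-ip')} {target}")
    for ns in ns_names:
        lines.append(f"{ns.rstrip('.')}.rpz-nsdname {target}")
    for cidr in ns_ips:
        lines.append(f"{rpz_ip_owner(cidr, 'rpz-nsip')} {target}")
    return lines


def feed_to_rpz(text, serial=2015081301):
    """Block every domain in a slide-format feed with an NXDOMAIN policy."""
    domains = [d for d, _, _ in parse_feed(text)]
    return build_rpz(domains, action="nxdomain", serial=serial)


if __name__ == "__main__":
    print("\n".join(feed_to_rpz(FEED_CSV)))
```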
Block Bad Neighborhoods
• There are many networks you can be fairly sure are “always” safe (e.g. CDNs).
• There are many networks you can treat as completely malicious (e.g. bulletproof hosters).
• Some countries you may not have (or want) to talk to.
• ITAR/OFAC
• Why should your MRI machine talk to a Russian IP?
War Story #3 – Operation Tovar
• One of the first modern successful ransomware attacks.
• Was able to proactively monitor all new registrations for
domains, mine registrant details, and ultimately get quicker
to look at proxies.
• This not only allowed us to grind to get to an indictment of
Evgeniy Bogachev, but also to retrieve the private
encryption keys so people could get their files back.
• Was able to do a bulk takedown and shut the whole system
down.
Tracking Malware Functions
• We have tools to correlate IP addresses, domains,
registration information, malware families, malware
configs…
• What about specific functions or portions of code?
• The more we can correlate, the more we can get visibility
into how code is shared, developed, and the ecosystem
behind it.
FIRST IDA Plugin
• Developed by Cisco Talos: https://github.com/vrtadmin/FIRST-
plugin-ida
• In essence, ties a database into IDA so you can search for
functions that exist elsewhere to find code level relationships.
• Presentation: https://www.botconf.eu/wp-
content/uploads/2016/11/PR11-Function-Identification-and-
Recovery-Signature-Tool-Villegas.pdf
FIRST IDA Plugin
War Story #4 - Wannacry
• We all know Wannacry, worm-based ransomware using
disclosed exploits (Thanks NSA!).
• Very quickly we noticed that the payment infrastructure
was not sound (and neither was NotPetya)
• What’s the point of cryptographic ransomware if you aren’t
getting paid? (Made only about $100k USD)
War Story #4 - Wannacry
From Costin Raiu’s Twitter: 40-byte code reuse from a Lazarus backdoor
War Story #4 - Wannacry
• 40 bytes of code were identical to a Lazarus Group (DPRK)
backdoor used in 2015.
• Found by “spot checking” and memory.
• This is not ideal
• Not found anywhere else.
• Inconclusive but suggests DPRK (since proven).
• We NEED to figure out a way to make this a database-search problem, not a “tribal lore in an analyst’s mind” problem.
Last Key Point
• Ending this talk with WannaCry and NotPetya was intentional.
• Most of the techniques here are useful for crime.
• Increasingly, however, APT is using crime tools as “obfuscation”.
• WannaCry and NotPetya (if we’re right) are precursors to future APT attacks using criminal tools.
• What if our research leads to a kinetic response?
• We need to get the above right to disambiguate their intentions and to find investigative leads and potential weaknesses (hack back?)
Solution
• Lots of us are working on the same problems independently; we need to be working together more and sharing data.
• Sharing data isn’t to contribute more to “admiring the problem”. Need to block stuff.
• Back to the Pyramid of Pain: block as much as you can, as low as you can, to focus limited people/resources on “what’s left”.
Questions?
John Bambenek / @bambenek
jbambenek@threatstop.com

 
Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...
Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...
Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...
 
Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011
Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011
Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011
 
Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...
Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...
Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...
 

Último

Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableSeo
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.soniya singh
 
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.soniya singh
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebJames Anderson
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Sheetaleventcompany
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Servicegwenoracqe6
 
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...tanu pandey
 
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)Delhi Call girls
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507  ))#  Young Call Girls  in Ajman  By Pakistani Call Girls  in ...(+971568250507  ))#  Young Call Girls  in Ajman  By Pakistani Call Girls  in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...Escorts Call Girls
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...tanu pandey
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663Call Girls Mumbai
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 

Último (20)

Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
 
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
 
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
 
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
 
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
 
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507  ))#  Young Call Girls  in Ajman  By Pakistani Call Girls  in ...(+971568250507  ))#  Young Call Girls  in Ajman  By Pakistani Call Girls  in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 

SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense

10. War Story #1 – Election Hacking
• TTP – likes impersonating “vendors”/“partners”.
• MIS Department in the case of the DNC.
• Using DomainTools Brand Monitor or Farsight Brand Sentry, you can proactively look for impersonation.
• WHOIS details also provide clues.

11. WHOIS Registrant Intel
• Actors often re-use registrant information across different campaigns. There may be other indicators too.
• Sometimes *even with WHOIS privacy protection* it may be possible to correlate domains and, by extension, the actor.
• Most criminal prosecution in cybercrime is due to an OPSEC fail and the ability to map backwards in time through what the actor did to find the fail that exposes them.

12. War Story #1 – Election Hacking
• Maltego graph from Motherboard: https://motherboard.vice.com/en_us/article/vvaxy8/evidence-linking-russian-hackers-fancy-bear-to-macron-phishing

13. War Story #1 – Election Hacking
• Trend Micro was looking for domains with “en-marche” in the name and found 4.
• En Marche! said they fed fake information to the adversary.
• Contrast with the American response.
• You COULD hack back here… but why?
• There are dangers of deception, though.

14. What can we do in 2018?
• Because of the sheer number of targets, any in-depth attempt to target political or election organizations will be “loud”.
• If data is shared (IPs, domains, etc.) AND you automatically block it, you can have a good layer of protection.
• MS-ISAC, DHS AIS, other…

15. Malware Configs
• Every malware family has different configurable items.
• Not every configuration item is necessarily valuable for intelligence purposes. Some items may have default values.
• Free-form text fields provide interesting data that may be useful for correlation.
• The mutex can be useful for correlating binaries to the same actor.
• How do you get to the identity of someone using Cobalt Strike to attack you?
• KEY POINT: Non-operational data is still useful for intelligence purposes.

16. Where to get Malware
• Everyone uses VirusTotal.
• You can buy a malware feed…
• Better is to mine your spam / e-mail for attacks.
• This is the targeted malware no one can sell you.
• Eliminate malware already seen by VT (or other sources); what remains is unique.
• Who are the repeat visitors? Advanced attackers need to go low and slow...

17. Sample DarkComet Data
• Key: CampaignID Value: Guest16
• Key: Domains Value: 06059600929.ddns.net:1234
• Key: FTPHost Value:
• Key: FTPKeyLogs Value:
• Key: FTPPassword Value:
• Key: FTPPort Value:
• Key: FTPRoot Value:
• Key: FTPSize Value:
• Key: FTPUserName Value:
• Key: FireWallBypass Value: 0
• Key: Gencode Value: 3yHVnheK6eDm
• Key: Mutex Value: DC_MUTEX-W45NCJ6
• Key: OfflineKeylogger Value: 1
• Key: Password Value:
• Key: Version Value: #KCMDDC51#

18. Sample njRat config
• Key: Campaign ID Value: 1111111111111111111
• Key: Domain Value: apolo47.ddns.net
• Key: Install Dir Value: UserProfile
• Key: Install Flag Value: False
• Key: Install Name Value: svchost.exe
• Key: Network Separator Value: |'|'|
• Key: Port Value: 1177
• Key: Registry Value Value: 5d5e3c1b562e3a75dc95740a35744ad0
• Key: version Value: 0.6.4
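As an added example that is not part of the talk: a small Python parser for the Key/Value config dumps shown on slides 17 and 18 that pivots samples on the mutex, Gencode and C2 host the way slide 15 suggests, while skipping empty and default-valued fields. Sample A reuses the DarkComet values from slide 17; samples B and C, the example-c2.invalid host, and the treatment of Guest16 and #KCMDDC51# as defaults are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample config dumps in the "Key: ... Value: ..." layout the
# slides show. Sample A reuses the DarkComet values from slide 17; B and C
# are invented for this example (example-c2.invalid is a reserved name).
SAMPLES = {
    "sample-A (DarkComet)": """
Key: CampaignID Value: Guest16
Key: Domains Value: 06059600929.ddns.net:1234
Key: FTPHost Value:
Key: FireWallBypass Value: 0
Key: Gencode Value: 3yHVnheK6eDm
Key: Mutex Value: DC_MUTEX-W45NCJ6
Key: OfflineKeylogger Value: 1
Key: Version Value: #KCMDDC51#
""",
    "sample-B (DarkComet)": """
Key: CampaignID Value: Guest16
Key: Domains Value: example-c2.invalid:1604
Key: Gencode Value: 3yHVnheK6eDm
Key: Mutex Value: DC_MUTEX-W45NCJ6
Key: Version Value: #KCMDDC51#
""",
    "sample-C (njRat)": """
Key: Campaign ID Value: 1111111111111111111
Key: Domain Value: 06059600929.ddns.net
Key: Port Value: 1177
Key: Install Name Value: svchost.exe
Key: version Value: 0.6.4
""",
}

KV_RE = re.compile(r"^Key:\s*(?P<key>.+?)\s*Value:\s*(?P<value>.*)$")

# Values that carry no intelligence: empty fields plus DarkComet's stock
# campaign name and version marker (assumption: treated as defaults here).
DEFAULT_VALUES = {"", "Guest16", "#KCMDDC51#"}


def parse_config(text):
    """Parse one dump into {key: value}, dropping empty and default values."""
    cfg = {}
    for line in text.strip().splitlines():
        m = KV_RE.match(line.strip())
        if not m:
            continue
        value = m.group("value").strip()
        if value in DEFAULT_VALUES:
            continue
        cfg[m.group("key").strip()] = value
    return cfg


def c2_host(cfg):
    """Normalise the C2 hostname: DarkComet packs host:port into 'Domains',
    njRat keeps 'Domain' and 'Port' in separate fields."""
    if "Domains" in cfg:
        return cfg["Domains"].rsplit(":", 1)[0].lower()
    if "Domain" in cfg:
        return cfg["Domain"].lower()
    return None


# Config keys worth pivoting on (both spellings of the campaign field occur).
PIVOT_KEYS = ("Mutex", "Gencode", "CampaignID", "Campaign ID")


def correlate(samples):
    """Return {(pivot, value): sorted sample ids} for every value shared by
    at least two samples; singletons are not reported."""
    index = defaultdict(set)
    for sid, text in samples.items():
        cfg = parse_config(text)
        host = c2_host(cfg)
        if host:
            index[("c2_host", host)].add(sid)
        for key in PIVOT_KEYS:
            if key in cfg:
                index[(key, cfg[key])].add(sid)
    return {k: sorted(v) for k, v in index.items() if len(v) >= 2}


if __name__ == "__main__":
    for (pivot, value), ids in sorted(correlate(SAMPLES).items()):
        print(f"{pivot}={value}: {', '.join(ids)}")
```

Running it links A and B through the shared mutex and Gencode, and A and C through the shared dynamic-DNS C2 host, while the default campaign name Guest16 produces no cluster.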
19. All the fields…
• ActivateKeylogger,ActiveXKey,ActiveXStartup,AddToRegistry,AntiKillProcess,BypassUAC,CONNECTION_TIME,Campaign,ChangeCreationDate,ClearAccessControl,ClearZoneIdentifier,ConnectDelay,CustomRegKey,CustomRegName,CustomRegValue,DELAY_CONNECT,DELAY_INSTALL,Date,DebugMsg,Domain,EnableDebugMode,EnableMessageBox,EncryptionKey,Error,ExeName,FTPDirectory,FTPHost,FTPInterval,FTPKeyLogs,FTPPassword,FTPPort,FTPRoot,FTPServer,FTPSize,FTPUser,FireWallBypass,FolderName,Gencode,GoogleChromePasswords,Group,HKCU,HKLM,HideFile,ID,INSTALL,INSTALL_TIME,Injection,InstallDir,InstallDirectory,InstallFileName,InstallFlag,InstallFolder,InstallMessageBox,InstallMessageTitle,InstallName,JAR_EXTENSION,JAR_FOLDER,JAR_NAME,JAR_REGISTRY,JRE_FOLDER,KeyloggerBackspace=Delete,KeyloggerEnableFTP,KillAVG2012-2013,MPort,MeltFile,MessageBoxButton,MessageBoxIcon,MsgBoxText,MsgBoxTitle,Mutex,NICKNAME,NetworkSeparator,OS,OfflineKeylogger,Origin,P2PSpread,PLUGIN_EXTENSION,PLUGIN_FOLDER,Password,Perms,Persistance,Port,PreventSystemSleep,PrimaryDNSServer,ProcessInjection,RECONNECTION_TIME,REGKeyHKCU,REGKeyHKLM,RegistryValue,RequestElevation,RestartDelay,RetryInterval,RunOnStartup,SECURITY_TIMES,ServerID,SetCriticalProcess,StartUpName,StartupPolicies,TI,TimeOut,USBSpread,UseCustomDNS,VBOX,VMWARE,Version,_raw,_time,adaware,ahnlab,baidu,bull,clam,comodo,compile_date,date_hour,date_mday,date_minute,date_month,date_second,date_wday,date_year,date_zone,escan,eventtype,fprot,fsecure,gdata,host,ikarus,immunet,imphash,index,k7,linecount,magic,malw,mc,mcshield,md5,nano,norman,norton,outpost,panda,product,proex,prohac,quickheal,rat_name,resys,run_date,section_,section_.BSS,section_.DATA,section_.IDATA,section_.ITEXT,section_.RDATA,section_.RELOC,section_.RSRC,section_.TEXT,section_.TLS,section_AKMBCZMH,section_BSS,section_CODE,section_DATA,section_ELTQHVWF,section_VDOJLYFM,section_YRKCHNMU,sha1,sha256,source,sourcetype,splunk_server,splunk_server_group,spybot,super,tag,tag::eventtype,taskmgr,times_submitted,timestamp,trend,uac,unique_sources,unthreat,vendor,vipre,windef,wire
© Fidelis Cybersecurity. All rights reserved.

20. War Story #2 – Understanding Locky
• Locky uses a combination of static domains and a DGA for C2.
• Has an affiliate program.
• Seems to heavily favor Necurs for delivery (but not exclusively).

21. War Story #2 – Understanding Locky

22. War Story #2 – Understanding Locky
• We know there is a close relationship between Necurs and Locky. (What about specific affiliates?)
• We can see it’s likely the Locky operator runs C2 infrastructure on behalf of affiliates.
• This can inform prosecutorial decisions or potential “hack back” operators (i.e. stealing encryption keys).

23. Using DNS to Track the Adversary
• There are only certain ways you can contact a C2 server:
  • Static IP / hostname lists
  • Proxied C2s
  • Dynamic DNS
  • Fast Flux / Double Flux networks
  • Domain Generation Algorithms
  • Tor / i2p hidden services

24. Domain Generation Algorithms
• Usually a complex math algorithm to create pseudo-random but predictable domain names.
• Now instead of a static list, you have a dynamic list of hundreds or thousands of domains, and the adversary only needs to have a couple registered at a time.
• Can search for “friendly” registrars to avoid suspension.

25. Reverse Engineering DGAs
• Many blog posts about reversing specific DGAs; Johannes Bader has the most online at his blog: johannesbader.ch
• No real shortcuts except working through IDA / a debugger and reversing the function.
• Look for functions that iterate many times.
• There will be at least a function to generate the domains and a function to connect to all of them to find the C2.
• As with all reverse engineering, be aware of obfuscation and decoy code meant to deceive you.

26. Types of DGAs
• Almost all DGAs use some type of “seed”.
• Types:
  • Date-based
  • Static seed
  • Dynamic seed
• The seed has to be globally consistent so all victims use the same one at the same time.

27. Feed generation on DGAs
• sjuemopwhollev.co.uk,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13
• meeeqyblgbussq.info,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13
• ntjqyqhqwcwost.com,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13
• nvtvqpjmstuvju.net,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13
• olyiyhprjuwrsl.biz,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13
• sillomslltbgyu.ru,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13
• gmqjihgsfulcau.org,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13
• From here you could easily feed this into RPZ or other technology to protect your organization.

28. DGA surveillance
• Pre-generate all domains from 2 days in the past to 2 days in the future.
• Pipe all those domains into adnshost, using parallel to limit the number of lines per invocation.
• Able to process over 700,000 domains inside 10 minutes (and I’m not done optimizing).
• parallel -j4 --max-lines=3500 --pipe adnshost -a -f < "$list_of_domains" | fgrep -v nxdomain >> "$outputfile"

29. New Matsnu domains registered

30. What to do with this data?
• With IP addresses, you can just block them at the firewall.
• Inbound **AND** outbound traffic.
• If you control DNS, you control the endpoint. Use a DNS Firewall!
• Which means you can limit what the device can talk to in order to prevent exploitation or command-and-control.
• DNS is on everything… even IoT devices!

31. What is a DNS Firewall?
• Uses RPZ (Response Policy Zones) or the Microsoft equivalent.
• Response Policy Zones are zone files you put into your DNS resolver that can block, redirect, or alert on specific queries.
• Can flag on:
  • A specific hostname, domain, or TLD (i.e. www.google.com or *.ru)
  • The resolved IP address
  • The authoritative nameserver hostnames used
  • The authoritative nameserver IP addresses used
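As an added example that is not part of the talk, this Python script ties slides 26 through 28 and 31 together: a hypothetical date-seeded DGA (an invented stand-in, not the algorithm of any real family) is pre-generated for the 2-days-back / 2-days-ahead window of slide 28, written out in the three-column feed format of slide 27, and turned into an RPZ zone of the kind slide 31 describes. The seed string, the TLD list, the zone origin dga.rpz.example. and the SOA values are all assumptions.

```python
import hashlib
from datetime import date, timedelta

# Assumed TLD rotation for the toy DGA (the slide's feed mixes co.uk, info,
# com, net, biz, ru and org in the same way).
TLDS = ("com", "net", "org", "info", "biz", "ru", "co.uk")
FEED_NOTE = "Domain used by Example DGA for {d:%d %b %Y}"


def toy_dga(day, count=7, seed="example-family-seed"):
    """Hypothetical date-seeded DGA: every victim derives the same list for
    the same calendar day, which is what makes pre-generation possible.
    Invented for this example; it is not any real family's algorithm."""
    domains = []
    for i in range(count):
        h = hashlib.sha256(f"{seed}:{day.isoformat()}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in h[:14])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def surveillance_window(iso_day, before=2, after=2):
    """Slide 28's window: today-2 .. today+2, as {date: [domains]}."""
    today = date.fromisoformat(iso_day)
    days = [today + timedelta(days=n) for n in range(-before, after + 1)]
    return {d: toy_dga(d) for d in days}


def feed_lines(window):
    """Emit the three-column rows slide 27 shows: domain,description,date."""
    lines = []
    for d in sorted(window):
        for dom in window[d]:
            lines.append(f"{dom},{FEED_NOTE.format(d=d)},{d.isoformat()}")
    return lines


def rpz_zone(feed, origin="dga.rpz.example.", serial=2015081301):
    """Turn feed rows into an RPZ zone. 'CNAME .' makes the resolver answer
    NXDOMAIN; the wildcard record catches subdomains of each DGA name too."""
    rows = [
        f"$ORIGIN {origin}",
        f"@ 3600 IN SOA localhost. hostmaster.{origin} {serial} 3600 900 604800 60",
        "@ 3600 IN NS localhost.",
    ]
    seen = set()
    for line in feed:
        dom = line.split(",", 1)[0]
        if dom in seen:  # the same name can recur on adjacent days
            continue
        seen.add(dom)
        rows.append(f"{dom} CNAME .")
        rows.append(f"*.{dom} CNAME .")
    return "\n".join(rows) + "\n"


if __name__ == "__main__":
    window = surveillance_window("2015-08-13")
    feed = feed_lines(window)
    print("\n".join(feed[:3]))
    print(rpz_zone(feed))
```

The feed list is also the input you would hand to the parallel/adnshost pipeline on slide 28 to find which of the pre-generated names actually resolve.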
32. Block Bad Neighborhoods
• There are many networks you can be pretty sure are “always” safe (i.e. CDNs).
• There are many networks you can treat as completely malicious (i.e. bulletproof hosters).
• Some countries you may not have (or want) to talk to.
• ITAR/OFAC
• Why should your MRI machine talk to a Russian IP?

33. War Story #3 – Operation Tovar
• One of the first modern successful ransomware attacks.
• We were able to proactively monitor all new registrations for domains, mine registrant details, and ultimately get to the proxies more quickly.
• This not only allowed us to grind through to an indictment of Evgeniy Bogachev, but also to retrieve the private encryption keys so people could get their files back.
• We were able to do a bulk takedown and shut the whole system down.

34. Tracking Malware Functions
• We have tools to correlate IP addresses, domains, registration information, malware families, malware configs…
• What about specific functions or portions of code?
• The more we can correlate, the more visibility we get into how code is shared and developed, and into the ecosystem behind it.

35. FIRST IDA Plugin
• Developed by Cisco Talos: https://github.com/vrtadmin/FIRST-plugin-ida
• In essence, ties a database into IDA so you can search for functions that exist elsewhere to find code-level relationships.
• Presentation: https://www.botconf.eu/wp-content/uploads/2016/11/PR11-Function-Identification-and-Recovery-Signature-Tool-Villegas.pdf

37. War Story #4 – WannaCry
• We all know WannaCry: worm-based ransomware using disclosed exploits (Thanks NSA!).
• Very quickly we noticed that the payment infrastructure was not sound (and neither was NotPetya’s).
• What’s the point of cryptographic ransomware if you aren’t getting paid? (Made only about $100k USD.)

38. War Story #4 – WannaCry
• From Costin Raiu’s Twitter: 40-byte code reuse from a Lazarus backdoor.

39. War Story #4 – WannaCry
• 40 bytes of code were identical to a Lazarus Group (DPRK) backdoor used in 2015.
• Found by “spot checking” and memory.
  • This is not ideal.
• Not found anywhere else.
• Inconclusive, but suggests DPRK (since proven).
• We NEED to figure out a way to make this a database search problem, not a tribal-lore-in-the-analyst’s-mind problem.

40. Last Key Point
• Ending this talk with WannaCry and NotPetya was intentional.
• Most of the techniques here are useful for crime.
• Increasingly, however, APT is using crime tools as “obfuscation”.
• WannaCry and NotPetya (if we’re right) are precursors to future APT attacks using criminal tools.
• What if our research leads to a kinetic response?
• We need to get the above right to disambiguate their intentions and to find investigative leads and potential weaknesses (hack back?).

41. Solution
• Lots of us are all working on the same problems independently; we need to be working together more and sharing data.
• Sharing data isn’t meant to contribute more to “admiring the problem”. We need to block stuff.
• Back to the Pyramid of Pain: block as much as you can, as low as you can, to focus limited people/resources on “what’s left”.

42. Questions?
• John Bambenek / @bambenek
• jbambenek@threatstop.com