SlideShare uma empresa Scribd logo

Bsides

R
Roberto Sponchioni
1 de 21
Baixar para ler offline
OSTrICa – Open Source Threat Intelligence Collector Roberto Sponchioni Senior Threat Analysis Engineer
Agenda 2 Introduction to Threat Intelligence Scenarios where to use TI What is OSTrICa? Demo How to develop OSTrICa Plugins
Who am I? • Working as a Senior Threat Analysis Engineer @ Symantec • Working as an Independent Security Researcher (Development, Malware Analysis, etc) • Worked as a Security Consultant (PT/VA, Incident Response) • Contacts: – @Ptr32Void on Twitter – https://github.com/Ptr32Void/ - GitHub Page – Roberto_Sponchioni@symantec.com – rsponchioni@yahoo.it 3
Introduction to Threat Intelligence 4
Data breaches are a big issue… 5Ref.: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
What is Threat Intelligence & Why we have to use it 6 According to Gartner: “Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.” • Tracking cyber criminals, hacktivists • Provide “context” to reconstruct attacks quickly • Proactively block new attacks • Validate and prioritize indicators and alerts • Provide priorities to C-Levels (based on business risks) What can we do with Threat Intelligence?
Scenarios where to use TI 7
Current solutions that most companies use are… 8 • Anti-Virus products • Firewall • IDS/IPS • Log collectors / SIEMs • … Attacker Victims PDF unescape("%u33dd%u3030%u33dd%u3030….") pointerSled = unescape("<Contents>"); while (pointerSled.length < chunk_size) pointerSled += pointerSled; pointerSled_len = chunk_size - (....
TI can help to proactively protect your network 9Ref.: http://www.bloomberg.com/graphics/2014-data-breaches/ 9
Collecting Threat Intelligence Information 10
Threat Indicators (IoCs) 11 • File hashes (MD5, SHA256, …) • C&C Server (Domain & IP Address) • URL Reputation • AV Detections • Mutex • File names • ….
Threat Intelligence Sources… 12 Free Community Commercial Internal Costs Free Free / $ $$$ - Typology Generic Intelligence Generic / Specific Intelligence Generic / Specific Intelligence Very specific intelligence Where do you get it Public Systems, Honeypots, Scanners on network Public/Private Systems (Sandboxing products...) Public/Private Systems (Sandboxing products, surveys, underground market places...) Internal Appliances, Logs, Analysis systems, SIEMS OSTrICa – Open Source Threat Intelligence Collector
What is OSTrICa? 13 Open Source Threat Intelligence Collector
What is OSTrICa? 14 OSTrICa Visualization Module Plugin Collector 1 Plugin Collector 2 Plugin Collector … Plugin Loader Plugin Collector n
How does OSTrICa work? 15 VT Domain IP Address MD5 SHA256 DeepViz MD5 SafeBrowsing IP Address Domain ASN CymruWhois IP Address Others… … … … 747b3fd525de1af0a56985aa29779b86 OSTrICa
16 • API Access • Web ScrapingPlugin 1 • API Access • Web ScrapingPlugin 2 • API Access • Web ScrapingPlugin 3 • API Access • Web ScrapingPlugin N How do plugins work? JSON & Visual Report
Why OSTrICa? 17 • It is Free & Open Source (will be released soon on my GitHub page) • It has a plugin architecture. You can include Free, Commercial and Internal intelligence data • It allows anyone to create a relevant and accurate threat profile • It can be used to proactively protect company’s information • It automatically generates: – A report in JSON format containing all the collected information – A graph allowing the users to link together the information, filter out, hide and search IoCs. End goal is to help SOC Analysts, IR, Attack Investigators Note: all the collected IoCs have been collected from publicly available sources like VirusTotal, Google SafeBrowsing, etc.
Demo 18
How to develop OSTrICa Plugins 19 A quick overview…
20 Conclusion & Future Works • It’s Open Source: you can add new features and add new plugins (to extract intelligence from your internal systems). You can download it soon from my GitHub page… Follow me @Ptr32Void for updates • Add a Timeline • Weights intelligence and links based on how malicious the collected information could be • Improve graphic interface • Add a interactive map containing the location of the threats
&Q A 21 Roberto Sponchioni Thank you! @Ptr32Void

Recomendados

Seminario-15-04-2015-IT_professions_in_the_anti-malware_industry
Seminario-15-04-2015-IT_professions_in_the_anti-malware_industrySeminario-15-04-2015-IT_professions_in_the_anti-malware_industry
Seminario-15-04-2015-IT_professions_in_the_anti-malware_industry
Roberto Sponchioni
 
Malware Analysis
Malware AnalysisMalware Analysis
Malware Analysis
Ramin Farajpour Cami
 
Application Security Verification Standard Project
Application Security Verification Standard ProjectApplication Security Verification Standard Project
Application Security Verification Standard Project
Narudom Roongsiriwong, CISSP
 
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
Santiago Bassett
 
Securing the Internet from Cyber Criminals
Securing the Internet from Cyber CriminalsSecuring the Internet from Cyber Criminals
Securing the Internet from Cyber Criminals
Narudom Roongsiriwong, CISSP
 
IOT Security FUN-damental
IOT Security FUN-damentalIOT Security FUN-damental
IOT Security FUN-damental
Satria Ady Pradana
 
Top 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security ProblemsTop 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security Problems
Narudom Roongsiriwong, CISSP
 
Maltego Webinar Slides
Maltego Webinar SlidesMaltego Webinar Slides
Maltego Webinar Slides
ThreatConnect
 

Recomendados

Seminario-15-04-2015-IT_professions_in_the_anti-malware_industry
Seminario-15-04-2015-IT_professions_in_the_anti-malware_industrySeminario-15-04-2015-IT_professions_in_the_anti-malware_industry
Seminario-15-04-2015-IT_professions_in_the_anti-malware_industry
Roberto Sponchioni
 
Malware Analysis
Malware AnalysisMalware Analysis
Malware Analysis
Ramin Farajpour Cami
 
Application Security Verification Standard Project
Application Security Verification Standard ProjectApplication Security Verification Standard Project
Application Security Verification Standard Project
Narudom Roongsiriwong, CISSP
 
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
Santiago Bassett
 
Securing the Internet from Cyber Criminals
Securing the Internet from Cyber CriminalsSecuring the Internet from Cyber Criminals
Securing the Internet from Cyber Criminals
Narudom Roongsiriwong, CISSP
 
IOT Security FUN-damental
IOT Security FUN-damentalIOT Security FUN-damental
IOT Security FUN-damental
Satria Ady Pradana
 
Top 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security ProblemsTop 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security Problems
Narudom Roongsiriwong, CISSP
 
Maltego Webinar Slides
Maltego Webinar SlidesMaltego Webinar Slides
Maltego Webinar Slides
ThreatConnect
 
Security by Design: An Introduction to Drupal Security
Security by Design: An Introduction to Drupal SecuritySecurity by Design: An Introduction to Drupal Security
Security by Design: An Introduction to Drupal Security
Tara Arnold
 
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
AlienVault
 
Risky project Enterprise
Risky project EnterpriseRisky project Enterprise
Risky project Enterprise
Intaver Insititute
 
Python-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationPython-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming Operation
Satria Ady Pradana
 
Application Security: Last Line of Defense
Application Security: Last Line of DefenseApplication Security: Last Line of Defense
Application Security: Last Line of Defense
Narudom Roongsiriwong, CISSP
 
Implementing An Automated Incident Response Architecture
Implementing An Automated Incident Response ArchitectureImplementing An Automated Incident Response Architecture
Implementing An Automated Incident Response Architecture
Priyanka Aash
 
IOCs for modern threat landscape-slideshare
IOCs for modern threat landscape-slideshareIOCs for modern threat landscape-slideshare
IOCs for modern threat landscape-slideshare
Sai Kesavamatham
 
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
grecsl
 
OWASP Top 10 Proactive Control 2016 (C5-C10)
OWASP Top 10 Proactive Control 2016 (C5-C10)OWASP Top 10 Proactive Control 2016 (C5-C10)
OWASP Top 10 Proactive Control 2016 (C5-C10)
Narudom Roongsiriwong, CISSP
 
How To Avoid The Top Ten Software Security Flaws
How To Avoid The Top Ten Software Security FlawsHow To Avoid The Top Ten Software Security Flaws
How To Avoid The Top Ten Software Security Flaws
Priyanka Aash
 
How Good Security Architecture Saves Corporate Workers from COVID-19
How Good Security Architecture Saves Corporate Workers from COVID-19How Good Security Architecture Saves Corporate Workers from COVID-19
How Good Security Architecture Saves Corporate Workers from COVID-19
Narudom Roongsiriwong, CISSP
 
Physical Penetration Testing (RootedCON 2015)
Physical Penetration Testing (RootedCON 2015)Physical Penetration Testing (RootedCON 2015)
Physical Penetration Testing (RootedCON 2015)
Eduardo Arriols Nuñez
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
Sergey Soldatov
 
Coding Security: Code Mania 101
Coding Security: Code Mania 101Coding Security: Code Mania 101
Coding Security: Code Mania 101
Narudom Roongsiriwong, CISSP
 
Threat Intelligence Is Like Three Day Potty Training
Threat Intelligence Is Like Three Day Potty TrainingThreat Intelligence Is Like Three Day Potty Training
Threat Intelligence Is Like Three Day Potty Training
Priyanka Aash
 
Prepare Yourself to Become Infosec Professional
Prepare Yourself to Become Infosec ProfessionalPrepare Yourself to Become Infosec Professional
Prepare Yourself to Become Infosec Professional
M.Syarifudin, ST, OSCP, OSWP
 
Wireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical Device
Wireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical DeviceWireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical Device
Wireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical Device
Priyanka Aash
 
Hunting: Defense Against The Dark Arts
Hunting: Defense Against The Dark ArtsHunting: Defense Against The Dark Arts
Hunting: Defense Against The Dark Arts
Spyglass Security
 
Honeypot Essentials
Honeypot EssentialsHoneypot Essentials
Honeypot Essentials
Anton Chuvakin
 
Secure Software Development Adoption Strategy
Secure Software Development Adoption StrategySecure Software Development Adoption Strategy
Secure Software Development Adoption Strategy
Narudom Roongsiriwong, CISSP
 
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout SessionSplunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware Analysis
Antonio Parata
 

Mais conteúdo relacionado

Mais procurados

Application Security: Last Line of Defense
Application Security: Last Line of DefenseApplication Security: Last Line of Defense
Application Security: Last Line of Defense
Narudom Roongsiriwong, CISSP
 
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
grecsl
 
Physical Penetration Testing (RootedCON 2015)
Physical Penetration Testing (RootedCON 2015)Physical Penetration Testing (RootedCON 2015)
Physical Penetration Testing (RootedCON 2015)
Eduardo Arriols Nuñez
 
Hunting: Defense Against The Dark Arts
Hunting: Defense Against The Dark ArtsHunting: Defense Against The Dark Arts
Hunting: Defense Against The Dark Arts
Spyglass Security
 

Mais procurados (20)

Security by Design: An Introduction to Drupal Security
Security by Design: An Introduction to Drupal SecuritySecurity by Design: An Introduction to Drupal Security
Security by Design: An Introduction to Drupal Security
 
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
 
Risky project Enterprise
Risky project EnterpriseRisky project Enterprise
Risky project Enterprise
 
Python-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationPython-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming Operation
 
Application Security: Last Line of Defense
Application Security: Last Line of DefenseApplication Security: Last Line of Defense
Application Security: Last Line of Defense
 
Implementing An Automated Incident Response Architecture
Implementing An Automated Incident Response ArchitectureImplementing An Automated Incident Response Architecture
Implementing An Automated Incident Response Architecture
 
IOCs for modern threat landscape-slideshare
IOCs for modern threat landscape-slideshareIOCs for modern threat landscape-slideshare
IOCs for modern threat landscape-slideshare
 
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
 
OWASP Top 10 Proactive Control 2016 (C5-C10)
OWASP Top 10 Proactive Control 2016 (C5-C10)OWASP Top 10 Proactive Control 2016 (C5-C10)
OWASP Top 10 Proactive Control 2016 (C5-C10)
 
How To Avoid The Top Ten Software Security Flaws
How To Avoid The Top Ten Software Security FlawsHow To Avoid The Top Ten Software Security Flaws
How To Avoid The Top Ten Software Security Flaws
 
How Good Security Architecture Saves Corporate Workers from COVID-19
How Good Security Architecture Saves Corporate Workers from COVID-19How Good Security Architecture Saves Corporate Workers from COVID-19
How Good Security Architecture Saves Corporate Workers from COVID-19
 
Physical Penetration Testing (RootedCON 2015)
Physical Penetration Testing (RootedCON 2015)Physical Penetration Testing (RootedCON 2015)
Physical Penetration Testing (RootedCON 2015)
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
 
Coding Security: Code Mania 101
Coding Security: Code Mania 101Coding Security: Code Mania 101
Coding Security: Code Mania 101
 
Threat Intelligence Is Like Three Day Potty Training
Threat Intelligence Is Like Three Day Potty TrainingThreat Intelligence Is Like Three Day Potty Training
Threat Intelligence Is Like Three Day Potty Training
 
Prepare Yourself to Become Infosec Professional
Prepare Yourself to Become Infosec ProfessionalPrepare Yourself to Become Infosec Professional
Prepare Yourself to Become Infosec Professional
 
Wireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical Device
Wireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical DeviceWireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical Device
Wireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical Device
 
Hunting: Defense Against The Dark Arts
Hunting: Defense Against The Dark ArtsHunting: Defense Against The Dark Arts
Hunting: Defense Against The Dark Arts
 
Honeypot Essentials
Honeypot EssentialsHoneypot Essentials
Honeypot Essentials
 
Secure Software Development Adoption Strategy
Secure Software Development Adoption StrategySecure Software Development Adoption Strategy
Secure Software Development Adoption Strategy
 

Semelhante a Bsides

Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Lastline, Inc.
 
AI on Spark for Malware Analysis and Anomalous Threat Detection
AI on Spark for Malware Analysis and Anomalous Threat DetectionAI on Spark for Malware Analysis and Anomalous Threat Detection
AI on Spark for Malware Analysis and Anomalous Threat Detection
Databricks
 
Blue team reboot - HackFest
Blue team reboot - HackFest Blue team reboot - HackFest
Blue team reboot - HackFest
Haydn Johnson
 

Semelhante a Bsides (20)

Splunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout SessionSplunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout Session
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware Analysis
 
SplunkSummit 2015 - Splunk User Behavioral Analytics
SplunkSummit 2015 - Splunk User Behavioral AnalyticsSplunkSummit 2015 - Splunk User Behavioral Analytics
SplunkSummit 2015 - Splunk User Behavioral Analytics
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
 
AI on Spark for Malware Analysis and Anomalous Threat Detection
AI on Spark for Malware Analysis and Anomalous Threat DetectionAI on Spark for Malware Analysis and Anomalous Threat Detection
AI on Spark for Malware Analysis and Anomalous Threat Detection
 
Security in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptionsSecurity in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptions
 
SFBA_SUG_2023-08-02.pdf
SFBA_SUG_2023-08-02.pdfSFBA_SUG_2023-08-02.pdf
SFBA_SUG_2023-08-02.pdf
 
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
 
Enterprise Sec + User Bahavior Analytics
Enterprise Sec + User Bahavior AnalyticsEnterprise Sec + User Bahavior Analytics
Enterprise Sec + User Bahavior Analytics
 
SOC Cyber Security
SOC Cyber SecuritySOC Cyber Security
SOC Cyber Security
 
DMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksDMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal Tricks
 
Blue team reboot - HackFest
Blue team reboot - HackFest Blue team reboot - HackFest
Blue team reboot - HackFest
 
OpenSourceIntelligence-OSINT.pptx
OpenSourceIntelligence-OSINT.pptxOpenSourceIntelligence-OSINT.pptx
OpenSourceIntelligence-OSINT.pptx
 
(ISC)2 Security Congress EMEA. You are being watched.
(ISC)2 Security Congress EMEA. You are being watched.(ISC)2 Security Congress EMEA. You are being watched.
(ISC)2 Security Congress EMEA. You are being watched.
 
Global Cyber Threat Intelligence
Global Cyber Threat IntelligenceGlobal Cyber Threat Intelligence
Global Cyber Threat Intelligence
 
Honeypots for proactively detecting security incidents
Honeypots for proactively detecting security incidentsHoneypots for proactively detecting security incidents
Honeypots for proactively detecting security incidents
 
Super1
Super1Super1
Super1
 
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
 
Ten security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofTen security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard of
 
Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber world
 

Bsides

  • 1. OSTrICa – Open Source Threat Intelligence Collector Roberto Sponchioni Senior Threat Analysis Engineer
  • 2. Agenda 2 Introduction to Threat Intelligence Scenarios where to use TI What is OSTrICa? Demo How to develop OSTrICa Plugins
  • 3. Who am I? • Working as a Senior Threat Analysis Engineer @ Symantec • Working as an Independent Security Researcher (Development, Malware Analysis, etc) • Worked as a Security Consultant (PT/VA, Incident Response) • Contacts: – @Ptr32Void on Twitter – https://github.com/Ptr32Void/ - GitHub Page – Roberto_Sponchioni@symantec.com – rsponchioni@yahoo.it 3
  • 4. Introduction to Threat Intelligence 4
  • 5. Data breaches are a big issue… 5Ref.: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
  • 6. What is Threat Intelligence & Why we have to use it 6 According to Gartner: “Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.” • Tracking cyber criminals, hacktivists • Provide “context” to reconstruct attacks quickly • Proactively block new attacks • Validate and prioritize indicators and alerts • Provide priorities to C-Levels (based on business risks) What can we do with Threat Intelligence?
  • 8. Current solutions that most companies use are… 8 • Anti-Virus products • Firewall • IDS/IPS • Log collectors / SIEMs • … Attacker Victims PDF unescape("%u33dd%u3030%u33dd%u3030….") pointerSled = unescape("<Contents>"); while (pointerSled.length < chunk_size) pointerSled += pointerSled; pointerSled_len = chunk_size - (....
  • 9. TI can help to proactively protect your network 9Ref.: http://www.bloomberg.com/graphics/2014-data-breaches/ 9
  • 11. Threat Indicators (IoCs) 11 • File hashes (MD5, SHA256, …) • C&C Server (Domain & IP Address) • URL Reputation • AV Detections • Mutex • File names • ….
  • 12. Threat Intelligence Sources… 12 Free Community Commercial Internal Costs Free Free / $ $$$ - Typology Generic Intelligence Generic / Specific Intelligence Generic / Specific Intelligence Very specific intelligence Where do you get it Public Systems, Honeypots, Scanners on network Public/Private Systems (Sandboxing products...) Public/Private Systems (Sandboxing products, surveys, underground market places...) Internal Appliances, Logs, Analysis systems, SIEMS OSTrICa – Open Source Threat Intelligence Collector
  • 13. What is OSTrICa? 13 Open Source Threat Intelligence Collector
  • 14. What is OSTrICa? 14 OSTrICa Visualization Module Plugin Collector 1 Plugin Collector 2 Plugin Collector … Plugin Loader Plugin Collector n
  • 15. How does OSTrICa work? 15 VT Domain IP Address MD5 SHA256 DeepViz MD5 SafeBrowsing IP Address Domain ASN CymruWhois IP Address Others… … … … 747b3fd525de1af0a56985aa29779b86 OSTrICa
  • 16. 16 • API Access • Web ScrapingPlugin 1 • API Access • Web ScrapingPlugin 2 • API Access • Web ScrapingPlugin 3 • API Access • Web ScrapingPlugin N How do plugins work? JSON & Visual Report
  • 17. Why OSTrICa? 17 • It is Free & Open Source (will be released soon on my GitHub page) • It has a plugin architecture. You can include Free, Commercial and Internal intelligence data • It allows anyone to create a relevant and accurate threat profile • It can be used to proactively protect company’s information • It automatically generates: – A report in JSON format containing all the collected information – A graph allowing the users to link together the information, filter out, hide and search IoCs. End goal is to help SOC Analysts, IR, Attack Investigators Note: all the collected IoCs have been collected from publicly available sources like VirusTotal, Google SafeBrowsing, etc.
  • 19. How to develop OSTrICa Plugins 19 A quick overview…
  • 20. 20 Conclusion & Future Works • It’s Open Source: you can add new features and add new plugins (to extract intelligence from your internal systems). You can download it soon from my GitHub page… Follow me @Ptr32Void for updates • Add a Timeline • Weights intelligence and links based on how malicious the collected information could be • Improve graphic interface • Add a interactive map containing the location of the threats