Threat Intelligence
• Publicly available data from overt sources
• Distinct from open-source software
  • But all software discussed today is FLOSS
• Non-asset, non-vulnerability
  • In VERIS A4 terms: actor and action
• Not investigation-focused but can support it
• True intel is product of data and analysis
  • Generalizing slightly here to include raw-ish data
• Focus on broadly gathering data, tools for analysis

CISPA and other political or legislative issues are out of scope for this talk
project
• Sucks in feeds of IOCs from public and private sources
• Focuses on lower end of the “pyramid of pain”
• Exports data to infrastructure or supports lookup during response

David J. Bianco, detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
collectiveintel.net
Historical records of actual DNS responses
• BFK edv-consulting
• Virustotal

    ;; bailiwick: butlesuh.ru.
    ;; count: 2
    ;; first seen: 2013-04-04 19:55:24 -0000
    ;; last seen: 2013-04-04 19:55:24 -0000
    butlesuh.ru. IN A 1.174.2.127

    ;; bailiwick: butlesuh.ru.
    ;; count: 2
    ;; first seen: 2013-04-05 01:59:40 -0000
    ;; last seen: 2013-04-05 01:59:40 -0000
    butlesuh.ru. IN A 2.60.67.146
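Passive DNS output in the format shown above is easy to pull into a script so the resolution history of a suspect name can be pivoted on during response. The following is an added example, not code from the talk or from any of the tools it names; the sample input is constructed from the two records on the slide, and the ";; key: value" header convention is assumed to hold for every record.

```python
"""Parse DNSDB-style passive DNS text (';; bailiwick:' headers followed by an
'owner IN type rdata' line) into records and summarise them per owner name."""
from datetime import datetime, timezone

# Constructed sample, copied from the two records shown on the slide.
SAMPLE = """\
;; bailiwick: butlesuh.ru.
;; count: 2
;; first seen: 2013-04-04 19:55:24 -0000
;; last seen: 2013-04-04 19:55:24 -0000
butlesuh.ru. IN A 1.174.2.127

;; bailiwick: butlesuh.ru.
;; count: 2
;; first seen: 2013-04-05 01:59:40 -0000
;; last seen: 2013-04-05 01:59:40 -0000
butlesuh.ru. IN A 2.60.67.146
"""

def _ts(text):
    # "2013-04-04 19:55:24 -0000" -> timezone-aware datetime normalised to UTC
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S %z").astimezone(timezone.utc)

def parse_pdns(text):
    """Return one dict per RR line. ';; key: value' lines set the metadata that
    applies to the next RR line; the metadata is cleared after each record."""
    meta, records = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(";;"):
            key, _, value = line[2:].partition(":")
            meta[key.strip().replace(" ", "_")] = value.strip()
            continue
        parts = line.split()
        if len(parts) < 4 or parts[1] != "IN":
            continue  # ignore anything that is not an "owner IN type rdata" line
        records.append({
            "rrname": parts[0], "rrtype": parts[2], "rdata": " ".join(parts[3:]),
            "bailiwick": meta.get("bailiwick"), "count": int(meta.get("count", 0)),
            "first_seen": _ts(meta["first_seen"]) if "first_seen" in meta else None,
            "last_seen": _ts(meta["last_seen"]) if "last_seen" in meta else None})
        meta = {}
    return records

def summarise(records):
    """Per owner name: sorted distinct rdata, summed count, overall first/last seen."""
    out = {}
    for r in records:
        s = out.setdefault(r["rrname"], {"rdata": set(), "count": 0, "first_seen": None, "last_seen": None})
        s["rdata"].add(r["rdata"]); s["count"] += r["count"]
        if r["first_seen"] and (s["first_seen"] is None or r["first_seen"] < s["first_seen"]):
            s["first_seen"] = r["first_seen"]
        if r["last_seen"] and (s["last_seen"] is None or r["last_seen"] > s["last_seen"]):
            s["last_seen"] = r["last_seen"]
    return {k: dict(v, rdata=sorted(v["rdata"])) for k, v in out.items()}
```

For the sample, summarise(parse_pdns(SAMPLE)) reports the name resolving to two distinct addresses over a window spanning both records.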
• Sine qua non for existing public data
• Search by hash, URL, domain, or other indicators
• Includes passive DNS related to malware callouts
• Additional data including feeds of recent samples and indicators

• Part of Shadowserver Foundation
• Large repository of malware samples of all types
• 3 TB of data, indexed and searchable
• Distributed via BitTorrent
VERIS: Entities that cause or contribute to an incident are referred to as “threat actors”. There can be more than one actor involved in any particular incident, and their actions can be malicious or non-malicious, intentional or unintentional, causal or contributory. VERIS recognizes three primary categories of threat actors – External, Internal, and Partner.
www.veriscommunity.net/doku.php?id=actors

Not THAT kind of threat actor! (Gary Oldman, public domain image)
Threat actor sources
Defacements and incidents
Social Media
• Twitter (particularly via the API or RSS)
• Pastebin (e.g. @pastebindorks)
• Google Alerts are particularly useful for monitoring specific actors
tools
• Use APIs and scripting languages (Python)
• Store in document database (MongoDB)
• Highly flexible but requires a bit more effort
• Evernote
• Feedly
• ifttt
• Delicious

Impossible to do properly without automation
Local repositories and analysis
Cuckoo Sandbox: takes screenshots, integrates with Virustotal, exposes an API, and is written in Python. www.cuckoosandbox.org
malwarehouse: basic database for storing samples from the command line. Think of this as your “working set”. sroberts.github.io/malwarehouse/
VxCage: larger, more complete database with a RESTful API interface. Think of this as your complete historical repository. github.com/cuckoobox/vxcage
Threat intel standards
STIX
• (CybOX) and other data (stix.mitre.org)
• TTPs
• Exploitation targets
• Campaigns
• Courses of Action [COA]
OpenIOC and CybOX
• OpenIOC originally produced by Mandiant under Apache 2 license (openioc.org)
• Similar to CybOX from MITRE (cybox.mitre.org)
• Capture stateful properties (file hashes, IPs, HTTP GET, registry keys and values)
and actors
Use a wiki with defined templates like those from Scott Roberts for keeping profile data on specific threat actors. Link back to your document repository (e.g. in MongoDB).
• Artifacts
• Exploits
• Intrusion sets
• Third-party intelligence
• Threat actors
github.com/sroberts/threat-intel-templates

Indicators of Compromise
Pull feeds from CIF or similar tools into your SIEM. Organizations without an existing deployment may want to look into OSSIM to get started. communities.alienvault.com
Not a lot of open-source tools for sweeping hosts broadly. pyioc is one example: github.com/jeffbryner/pyioc
This is where a lot of the heavy lifting occurs.
standards
• OpenIOC / CybOX
• STIX (builds on CybOX)
Trust groups
• Not “open source”, strictly speaking
• But do good work and keep some of it in the public
• Can be significant and targeted boost
Software development
• FLOSS projects depend on the community
• Github is a great place to get started
• Not just developers: use case feedback, docs, etc!

Threat actors talk to each other. We have to do the same.
great work
David J Bianco (@davidjbianco)
Jeff Bryner (@p0wnlabs)
Keith Gilbert (@digital4rensics)
Claudio Guarnieri (@botherder)
Andrew Macpherson (@andrewmohawk)
J-Michael Roberts (@forensication)
Scott Roberts (@sroberts)
Alessandro Tanasi (@jekil)
Wes Young (@barely3am)
Image by woodleywonderworks, used under license
• tracking in particular is relatively nascent in the public domain
• Lots of attention on getting better at sharing low-end IOCs
• Determine and detect TTPs (machine learning?)
Image by Neil Kremer, used under license

Want to talk more? @kylemaxwell [email protected]