
Beginners Guide to OSINT

paulh
April 17, 2016

AtlSecCon, Halifax. 2016



Transcript

  1. The Plan*: Enrol in IT Program at NSCC; get job with NSCC; design and build their first Security Monitoring Infrastructure; deploy to 21 locations (13 campuses) throughout the province. * OK, not really at all, but incredibly that's how it played out.
  2. What is Cyber Threat Intelligence and why do I need it? What we really care about. Source: iSIGHT Partners.
  3. Definition: Threat Intelligence. "Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard." Source: Gartner.
  4. IOCs (by themselves) are just data: IP, FILEHASH, DOMAIN, USER, EMAIL, CERTHASH, URL. data = intel? But, add a narrative and data = intel.
  5. Indicators of Compromise (IOCs): The Pyramid of Pain. Source: David Bianco. "..knowledge about adversaries and their motivations, intentions, and methods.." refactoring effort =
  6. Many types, but keep in mind some carry more weight than others: meaningful metadata vs. little or no metadata.
  7. DNS Blackhole: domains? google.ca, facebook.com, cbc.ca, badplace.ru, reallybadplace.nl, twitter.com, cnn.com, …. Limitations (indicators): 1. http://dropbox.com/evilpayload.exe.txt 2. http://95.28.37.16/evilpayload.exe.txt 3. http://reallybadplace.nl/evilpayload.exe.txt
  8. The Bro Network Security Monitor Logging Framework: DNS Log, HTTP Log, Connection Log, SSL Log, SMTP Log, Files Log, …..?
  9. Wow. More logs.. Now what? Intel Types: Intel::ADDR, Intel::URL, Intel::SOFTWARE, Intel::EMAIL, Intel::DOMAIN, Intel::USER_NAME, Intel::FILE_HASH, Intel::FILE_NAME, Intel::CERT_HASH. Intel.log (intel, metadata args, type):
     #fields indicator indicator_type meta.source meta.url meta.do_notice meta.if_in
     000007.ru Intel::DOMAIN MalwareDomains http://malwaredomains.com/files/domains F -
  10. Multiple log matches: 1. connection log shows the protocol 2. intel log shows a bad IP address 3. ssh log shows an authentication failure. Columns: Timestamp, UID*. If we follow the UID from the intel hit, what do we see?
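As an added example, not code from the deck or from Bro itself: a small Python script that parses an Intel-framework feed in the tab-separated "#fields" layout of slide 9, rejects rows whose indicator_type is not one of the listed Intel types, and then follows the UID from an intel hit into conn.log and ssh.log the way slide 10 describes. The feed rows beyond the slide's own, the log records, the UIDs and the source name "ExampleFeed" are all constructed.

```python
# Added example, not code from the deck: parse a Bro Intel feed in the slide 9
# layout, then follow a UID from an intel hit into other logs (slide 10). All
# records are constructed sample data; UIDs only imitate the shape Bro produces.
INTEL_TYPES = {"Intel::ADDR", "Intel::URL", "Intel::SOFTWARE", "Intel::EMAIL",
               "Intel::DOMAIN", "Intel::USER_NAME", "Intel::FILE_HASH",
               "Intel::FILE_NAME", "Intel::CERT_HASH"}
FEED = (  # feed text in the slide's layout; rows two and three are constructed
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.url\tmeta.do_notice\tmeta.if_in\n"
    "000007.ru\tIntel::DOMAIN\tMalwareDomains\thttp://malwaredomains.com/files/domains\tF\t-\n"
    "203.0.113.7\tIntel::ADDR\tExampleFeed\t-\tT\t-\n"
    "oops\tIntel::BOGUS\tExampleFeed\t-\tF\t-\n"
)

def parse_feed(text):
    """Return one dict per row whose indicator_type is a known Intel type."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("#fields\t"):
        raise ValueError("feed must start with a #fields header")
    fields = lines[0].split("\t")[1:]
    rows = []
    for line in lines[1:]:
        values = line.split("\t")
        if not line or line.startswith("#") or len(values) != len(fields):
            continue  # skip comments and malformed rows rather than guess
        row = dict(zip(fields, values))
        if row["indicator_type"] in INTEL_TYPES:  # drop unknown types
            rows.append(row)
    return rows

# Constructed excerpts of three Bro logs; every record carries ts and uid.
LOGS = {
    "conn": [{"ts": 1460900000.1, "uid": "CHhAvVGS1DHFjwGM9", "proto": "tcp",
              "service": "ssh", "id.resp_h": "203.0.113.7"}],
    "intel": [{"ts": 1460900000.2, "uid": "CHhAvVGS1DHFjwGM9",
               "seen.indicator": "203.0.113.7", "sources": "ExampleFeed"}],
    "ssh": [{"ts": 1460900001.0, "uid": "CHhAvVGS1DHFjwGM9", "auth_success": "F"},
            {"ts": 1460900005.0, "uid": "CXWv6p3arKYeMETxOg", "auth_success": "T"}],
}

def follow_uid(uid, logs):
    """Every (log name, record) sharing the connection UID, in timestamp order."""
    hits = [(name, rec) for name, recs in logs.items()
            for rec in recs if rec["uid"] == uid]
    return sorted(hits, key=lambda hit: hit[1]["ts"])

def story_per_intel_hit(logs):
    """Map each intel.log UID to the ordered list of logs that matched it."""
    return {rec["uid"]: [name for name, _ in follow_uid(rec["uid"], logs)]
            for rec in logs["intel"]}
```

For the constructed data, story_per_intel_hit(LOGS) yields conn, then intel, then ssh for the one hit, which is the protocol, bad address and failed authentication sequence the slide walks through.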