Sharing What Matters: Accelerating Incident Response and Threat Hunting by Sharing Behavioral Data
Dan Gunter, Principal Threat Analyst
Marc Seitz, Threat Analyst
Dragos, Inc. | August 2018
Today’s Talk at a Glance
• You won’t leave with a magic, turnkey solution
• You will leave with some good, tested ideas
• The outcome can hopefully improve the maturity of any existing program
• We will talk about what we’ve seen that works well
Why Share: Ideal Scenario
• Accelerate remediations
• Strengthen mitigations through risk reduction
• Reduce adversary dwell time
• Respond with fewer resources
• Strengthen relationships with the community
• Higher quality threat intelligence
• Internal cooperation
  • Site – Site
  • IT – OT
• Industry partners
Reaction Process
First Reaction
• Oh wow! Information sharing sounds great!
Attempt to Implement
• Plenty of government programs and vendors to do this right!
Program Implemented
• I haven’t seen any results and I’m spending too many resources on this
Final Reaction
• Let’s stop this nonsense
What Happened?
No Tangible Results
• Accelerate remediations
• Strengthen mitigations through risk reduction
• Reduce adversary dwell time
• Respond with fewer resources
• Strengthen relationships with the community
Objective: Show how information sharing can actually be useful
Addressing False Perceptions
1. Introduces additional risk to reputation
2. Isn’t immediately useful
3. Isn’t worth the time/resources
4. Network defense/architecture exposure
When information sharing is done with less effective data, these perceptions are justified.
What is the less effective data?
• IOC feeds based on just atomic indicators are of limited use
  • Attackers can test their attacks against these same feeds
  • The attacker might gain insight into your IOC strategy
• Specific addressing information
  • Sharing internal addressing space will most likely put network admins and management in an uncomfortable situation
  • Each company is networked differently, so specific addresses will not be useful to anyone else
What is the less effective data?
• Attempted attribution
  • From the asset owner’s perspective, the origin should not matter
  • Asset owners cannot decide who targets them
• Guessing intent
  • Leads to bias during the investigation
  • Usually not rooted in evidence
• Company information
  • Each company is unique, so company-specific information is not useful to others
Wrong Data Examples
• File hash: 9e107d9d372bb6826bd81d3542a419d6
• Attacking IP infrastructure: 34.78.162.96
• Internal compromised IP: 192.168.5.14
Great. You’ve made a point, now what’s your solution?
BEHAVIORAL DATA
What is behavioral data?
• A chain of events rooted in observables, with high confidence in the activity
VPN connection established to network → RDP session to Historian machine → Malicious download executes code → Data exfiltration to external source
Behavioral Data: What it’s not
• No specific IP information
• No company-specific information
• Not typically IOCs, but they can help
• No attribution
• No intent guessing
Behavioral Data: What to share?
• Description of compromised assets
• Asset function
  • Historian
  • Asset Management
  • Vulnerability scanner
  • Etc.
• OS, software, firmware versions
Behavioral Data: What to share?
• Description of traffic
• Protocols (and versions) used
• Time stamps of the attack sequence
• Frequency of attack infrastructure communication
  • External to Internal
  • Internal to External
• Etc.
Behavioral Data: What it is
VPN connection established to network → RDP session to Historian machine → Malicious download executes code → Data exfiltration to external source
• Tactics, Techniques, and Procedures of attacker activity
• Rooted in observable evidence on the network and host
• Abstracted from overly specific information to what can be shared
Why is sharing behavioral data useful for IR/Threat hunting?
• Attackers generally won’t build malware specific to one victim
  • Not a good use of limited attacker resources
  • You probably aren’t that special
• Asset owners might see attacks before the publishing cycle
  • Some threat intel sources can get you ahead of the attack curve
  • Effectiveness of threat intelligence depends on sources, methods and analysis techniques
• Generic IR/Hunting is good, but not as focused as behavior-driven IR/Hunting
How do I actually share behavioral data effectively?
Boils down to:
1. Know what and how to share with others
2. Know how to consume data from others
Sharing With Others: Threat Intel
• ADVERSARY: Development and likely initial access team for the SANDWORM group.
  • Does not appear to be directly involved in pre-2016 Ukraine events
  • However, the group appears solely responsible for the 2016 event
• INFRASTRUCTURE: Leveraging dual-use infrastructure, such as public servers used for TOR, to host C2.
• VICTIM: At this time, the only observed victims are Ukrainian utility companies.
• CAPABILITY: Group appears well organized and financed.
  • CRASHOVERRIDE required existing, long-term access to enumerate the network, gain access to ICS, and identify appropriate communication protocols.
  • The group deployed a fully-featured ICS effects module focused on European electric transmission substations as part of the attack, implying a separate test and development environment for ICS software.
• Notice:
  • No specific system information
  • Information is TTP focused
• We will show how to consume this
Sharing With Others: Kill Chain Mapping
Stage 1: Cyber Kill Chain (https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html)
Stage 2: ICS Cyber Kill Chain (https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297)
(Figure: the two kill chain diagrams, with the Deliver stage labelled)
Sharing With Others: Case Study
• DNS queries are noticed successfully reaching beyond internal network boundaries
• Kicks off an investigation
• Reporting begins as teams uncover the full scope of the intrusion
How to share: IR Case Study
• Details
  • DNS and HTTP queries beyond the network were successfully reaching 34.78.162.96
  • Suspected watering hole attack from 34.78.162.96 (p1csuperstore.com), as multiple files were downloaded on the host machine
  • Persistent connection over DNS to 34.78.162.96
  • ICMP scanning to internal subnets 192.168.*.* and 172.16.*.*
  • Large data exfiltration to 34.78.162.96 over HTTP
  • Quarantine of the infected machine
How to Share: Suspected Timeline
Query to watering hole site → Response from external IP → Flood of DNS traffic to external IP → HTTP queries to external IP → ICMP scanning → Data exfiltration over HTTP to external IP → Detected abnormal DNS queries
Start: January 18, 2015, 4:43 AM EST
Finish: March 24, 2015, 9:36 AM EST
What matters?
How to Share: Tactics, Techniques, Procedures
• Details
  • DNS and HTTP queries beyond the network were successfully reaching 34.78.162.96
  • Suspected watering hole attack from 34.78.162.96 (p1csuperstore.com), as multiple files were downloaded on the host machine
  • ICMP scanning to internal subnets 192.168.*.* and 172.16.*.*
    • Connections were made to 192.168.5.7, 192.168.5.8, etc.
    • None connected to 172.16.*.*
  • Large data exfiltration to 34.78.162.96 over HTTP
  • Quarantine of the infected machine
How to Share: Behavior over Time
Query to watering hole site → Response from external IP → Flood of DNS traffic to external IP → HTTP queries to external IP → ICMP scanning → Data exfiltration over HTTP to external IP → Detected abnormal DNS queries
Start: January 18, 2015, 4:43 AM EST
Finish: March 24, 2015, 9:36 AM EST
Elapsed between stages, as labelled on the slide: 36 days, 4 days, 15 days, 10 days, 2 hours
How to Share: Kill Chain Mapping
• Deliver: watering hole attack at domain p1csuperstore.com
  • 40 days: one internal asset (transient laptop, Windows 7) reached out once to the evil domain
• Command and control over DNS, inbound from external IP
  • 10 days: traffic between the internal asset and the malicious external IP started to pick up
• Data exfiltration over HTTP to external IP address
• ICMP scanning to internal addresses
  • Scanning was slow and steady, at a rate of 5 addresses per 30 minutes
How to share: Methods
• Whatever works best for your community
• Find what works:
  • Encrypted email
  • Phone
  • Tabletop exercise
  • Fax
• Define a format for sharing:
  • We like Diamond Model summaries
  • Kill chain mapping
  • Simple email or Word document summary
• Get the right data in the right hands!
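The abstraction step the deck describes (keep the chain of behaviors, the gaps between stages and the asset role; drop the addresses) is mechanical enough to script. The block below is an added example written for this page, not code from the talk or from Dragos. It takes an incident timeline that still carries site-specific addresses, maps each address to its role against the site's own address plan, emits the kill-chain-ordered chain with inter-stage gaps, and refuses to share if a raw address survived. The address ranges, the Event type and every intermediate timestamp are assumptions; the intermediate times were chosen so the gaps reproduce the intervals on the "Behavior over Time" slide, but they are constructed, as are the addresses.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Site's own address plan (assumption): decides what is abstracted to "internal host".
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Event:
    ts: datetime
    stage: str   # kill-chain stage the observation maps to
    action: str  # the behavior in TTP terms, written without site-specific names
    src: str
    dst: str

def role(ip):
    """Abstract an address to its role, which is all another site can act on."""
    addr = ipaddress.ip_address(ip)
    return "internal host" if any(addr in net for net in INTERNAL) else "external IP"

def fmt_gap(delta):
    return f"{delta.days} days" if delta >= timedelta(days=1) else f"{delta.seconds // 3600} hours"

def behavioral_summary(events, victim_asset):
    """Ordered chain of behaviors with the gap between stages, and no addresses."""
    events = sorted(events, key=lambda e: e.ts)
    first, last = events[0].ts, events[-1].ts
    lines = [f"Victim asset: {victim_asset}",
             f"Start {first:%Y-%m-%d %H:%M}, finish {last:%Y-%m-%d %H:%M} ({(last - first).days} days)"]
    prev = None
    for e in events:
        gap = "" if prev is None else f" [+{fmt_gap(e.ts - prev)}]"
        lines.append(f"{e.stage}: {e.action}, {role(e.src)} -> {role(e.dst)}{gap}")
        prev = e.ts
    return lines

ADDRESS = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def leaks_addresses(lines):
    """Pre-send check: refuse to share if any raw IPv4 address survived abstraction."""
    return any(ADDRESS.search(line) for line in lines)

# Constructed incident loosely following the talk's case study. Only the start and
# finish times, the behaviors and the asset description come from the slides; the
# intermediate times were picked to match the slide's intervals, and all addresses
# are made up for this example.
T0 = datetime(2015, 1, 18, 4, 43)
INCIDENT = [
    Event(T0, "Deliver", "single HTTP request to a watering-hole domain", "192.168.5.14", "34.78.162.96"),
    Event(T0 + timedelta(days=36), "Command and Control", "response from the hosting IP, DNS traffic to it begins", "34.78.162.96", "192.168.5.14"),
    Event(T0 + timedelta(days=40), "Command and Control", "DNS volume to that IP rises sharply", "192.168.5.14", "34.78.162.96"),
    Event(T0 + timedelta(days=55), "Actions on Objectives", "ICMP sweep of neighbouring subnets at about 5 addresses per 30 min", "192.168.5.14", "192.168.5.7"),
    Event(datetime(2015, 3, 24, 7, 36), "Actions on Objectives", "large outbound HTTP transfer to the C2 IP", "192.168.5.14", "34.78.162.96"),
    Event(datetime(2015, 3, 24, 9, 36), "Detection", "abnormal DNS query volume flagged, host quarantined", "192.168.5.14", "34.78.162.96"),
]

if __name__ == "__main__":
    summary = behavioral_summary(INCIDENT, "transient laptop, Windows 7")
    if leaks_addresses(summary):
        raise SystemExit("refusing to share: raw addresses present")
    print("\n".join(summary))
```

The output is what the deck calls behavioral data: the domain, the hashes and both address spaces are gone, but the order of stages, the 36/4/15/10-day gaps and the "5 addresses per 30 min" rate are all still there for a recipient to hunt on. The leak check is deliberately crude (IPv4 only); extend it to hostnames and IPv6 before relying on it.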
How to consume shared information
Informed Threat Hunting
How to consume shared information
Take actionable information and actually do actions with it = Threat Hunting
Not a real definition but you get the point
Threat Hunt Cycle
• Purpose
  • Why are we threat hunting?
  • What are we hoping to achieve?
  • What does success look like when the hunt is finished?
Threat Hunt Cycle
• Scope
  • Phase 1: Location
    • Where does the hunt need to take place?
    • Subnet, system, network, facility
  • Phase 2: Hypothesis generation
    • Creating hypotheses that can be confirmed or denied
    • Do the hypotheses cover the entire set of objectives from the Purpose stage?
Asset owners should share TTP-focused hunt hypotheses
Threat Hunt Cycle
• Equip
  • Phase 1: Collection Management Framework
    • What data do I currently have available?
    • What data, according to the information sharing mapping, do I need to collect to enable success?
    • Do I have the right storage duration to be successful?
  • Phase 2: Resource allocation
    • Team members assigned to the hunt
      • Senior and junior members mixed
    • Tools required
      • Open source
      • Custom development
    • External resources
Threat Hunt Cycle
• Plan Review
  • All stakeholders need to know what the plan is moving forward
  • Does the final plan make sense?
  • Is the final plan addressing all objectives from the Purpose stage?
Threat Hunt Cycle
• Execute
  • Do the hunt
  • Search for observables in available data sources
  • Produce a report based on findings from the hunt
Threat Hunt Cycle
• Feedback
  • Discuss what worked and what can be improved at each stage
  • Internal:
    • What are the collection gaps?
    • What are the policy and procedure gaps?
    • How would we have done if we were patient 0?
  • External:
    • Provide additional findings back to the source
    • Understand what information was useful and what was not
    • Develop the relationship further
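The Execute step, "search for observables in available data sources", is where shared behavioral data earns its keep. The block below is an added example written for this page, not the authors' or Dragos's code. It turns the three behaviors from the case study (sustained DNS from an internal host straight to one external IP, a slow ICMP sweep of internal neighbours, and a large outbound HTTP transfer to the same external IP) into hunt queries over flow records, then corroborates across them so that a host matching the chain ranks above a host tripping one indicator. The flow-record schema, the site's internal ranges, every threshold and all the traffic are assumptions constructed for the example; the external addresses are documentation ranges, not the deck's.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# The asset owner's own address plan (assumption). This stays local; only the
# behaviors were shared, which is why the hunt still works on a different network.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EPOCH = datetime(2015, 1, 1)

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def flow(ts, proto, src, dst, sent_bytes, dport=None):
    """One flow record; bytes are what src sent to dst (constructed schema)."""
    return {"ts": ts, "proto": proto, "src": src, "dst": dst, "bytes": sent_bytes, "dport": dport}

def hunt_dns_to_external(flows, per_hour=50):
    """Behavior: internal host talks DNS directly to one external IP, hour after hour."""
    counts = defaultdict(int)
    for f in flows:
        if f["proto"] == "udp" and f["dport"] == 53 and is_internal(f["src"]) and not is_internal(f["dst"]):
            counts[(f["src"], f["dst"], f["ts"].replace(minute=0, second=0, microsecond=0))] += 1
    return sorted({(s, d) for (s, d, _), n in counts.items() if n >= per_hour})

def hunt_slow_icmp_sweep(flows, window=timedelta(minutes=30), max_per_window=10, min_windows=4):
    """Behavior: a handful of new internal ICMP targets per window, window after window.
    A burst threshold would never fire on 5 addresses per 30 minutes; counting
    windows with a small, non-trivial spread of targets does."""
    per_src = defaultdict(lambda: defaultdict(set))
    for f in flows:
        if f["proto"] == "icmp" and is_internal(f["src"]) and is_internal(f["dst"]):
            per_src[f["src"]][(f["ts"] - EPOCH) // window].add(f["dst"])
    hits = []
    for src, buckets in per_src.items():
        steady = [b for b, dsts in buckets.items() if 1 < len(dsts) <= max_per_window]
        if len(steady) >= min_windows:
            hits.append(src)
    return sorted(hits)

def hunt_http_exfil(flows, min_bytes=100 * 1024 * 1024):
    """Behavior: large outbound HTTP volume from one internal host to one external IP."""
    total = defaultdict(int)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] in (80, 8080) and is_internal(f["src"]) and not is_internal(f["dst"]):
            total[(f["src"], f["dst"])] += f["bytes"]
    return sorted(pair for pair, b in total.items() if b >= min_bytes)

def hunt(flows):
    """Run all three hunts and corroborate: a host seen in two or more behaviors
    matches the shared chain rather than one noisy indicator."""
    results = {
        "dns_to_external": hunt_dns_to_external(flows),
        "slow_icmp_sweep": hunt_slow_icmp_sweep(flows),
        "http_exfil": hunt_http_exfil(flows),
    }
    seen = defaultdict(set)
    for name, hits in results.items():
        for h in hits:
            seen[h if isinstance(h, str) else h[0]].add(name)
    results["corroborated"] = sorted(h for h, names in seen.items() if len(names) >= 2)
    return results

def constructed_flows():
    """Constructed traffic: one benign host and one host following the shared chain."""
    t0 = datetime(2015, 3, 1, 8, 0)
    flows = []
    for i in range(60):  # benign: DNS to the internal resolver, a little browsing
        flows.append(flow(t0 + timedelta(minutes=i), "udp", "10.0.0.5", "10.0.0.53", 80, 53))
    flows.append(flow(t0, "tcp", "10.0.0.5", "203.0.113.9", 2_000_000, 80))
    for i in range(120):  # compromised: DNS straight to an external IP every 30 s
        flows.append(flow(t0 + timedelta(seconds=30 * i), "udp", "10.0.0.14", "198.51.100.7", 120, 53))
    for w in range(6):    # slow sweep: 5 new neighbours every 30 minutes for 3 hours
        for k in range(5):
            flows.append(flow(t0 + timedelta(minutes=30 * w + k), "icmp", "10.0.0.14", f"10.0.1.{5 * w + k + 1}", 64))
    for i in range(4):    # exfil: 400 MiB out over HTTP to the same external IP
        flows.append(flow(t0 + timedelta(hours=3, minutes=i), "tcp", "10.0.0.14", "198.51.100.7", 100 * 1024 * 1024, 80))
    return flows

if __name__ == "__main__":
    for name, hits in hunt(constructed_flows()).items():
        print(f"{name}: {hits}")
```

Each hunt encodes one shared behavior, not a shared indicator: nothing here depends on 34.78.162.96 or p1csuperstore.com, so the same queries run unchanged at a site with a different address plan and different adversary infrastructure. Tune the thresholds to your own baseline during the Equip stage; the constructed benign host shows why the internal-resolver and internal-ICMP cases must be excluded rather than thresholded.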
Wrapping Up
How does behavioral data address false perceptions?
1. Introduces additional risk to reputation
  • If anything, it creates a stronger community bond in the ability to hunt and respond to adversaries across the industry
2. Isn’t immediately useful
  • If the information shared is timely, then hunting can be immediately useful to confirm or deny adversary presence
3. Isn’t worth the time/resources
  • How badly do you want to know the network is clean and not compromised?
4. Network defense/architecture exposure
  • Abstracting away sensitive information that is not useful to the investigation removes the fear of exposing network defenses and network architecture
ACCELERATE INCIDENT RESPONSE
Informed Threat Hunting
Just the beginning
• Current information sharing methods exist, and plenty of work has already been done on sharing
• How do we evolve the current state to be more valuable?
• Driving new requirements
  • Asset owners, analysts, anyone who is boots on the ground
• Behavioral sharing is a process, and this talk is a conversation starter
Thank you for the opportunity to present
Dan Gunter, @dan_gunter, [email protected]
Marc Seitz, @SubtleThreat, [email protected]