Sharing What Matters: Accelerating Incident Response and Threat Hunting by Sharing Behavioral Data
Dan Gunter, Principal Threat Analyst; Marc Seitz, Threat Analyst
Dragos, Inc. | August 2018

Sharing What Matters · •Effectiveness of threat intelligence depends on sources, methods and analysis techniques ... •Reporting begins as teams uncover full scope of intrusion




Today’s Talk at a Glance

• You won’t leave with a magic, turnkey solution
• You will leave with some good, tested ideas
• The outcome can hopefully improve the maturity of any existing programs
• We will talk about what we’ve seen that works well


Why Share: Ideal Scenario

• Accelerate remediations
• Strengthen mitigations through risk reduction
• Reduce adversary dwell time
• Respond with fewer resources
• Strengthen relationships with the community
  • Higher quality threat intelligence
  • Internal cooperation
    • Site – Site
    • IT – OT
  • Industry partners


Reaction Process

First Reaction

• Oh wow! Information sharing sounds great!

Attempt to Implement

• Plenty of government programs and vendors to do this right!

Program Implemented

• I haven’t seen any results and I’m spending too many resources on this

Final Reaction

• Let’s stop this nonsense


What Happened?


No Tangible Results

• Accelerate remediations
• Strengthen mitigations through risk reduction
• Reduce adversary dwell time
• Respond with fewer resources
• Strengthen relationships with the community


Objective: Show how information sharing can actually be useful


Addressing False Perceptions

1. Introduces additional risk to reputation
2. Isn’t immediately useful
3. Isn’t worth the time/resources
4. Network defense/architecture exposure

When information sharing is done with the less effective data, these perceptions are justified.


What is the less effective data?

• IOC feeds based on just atomic indicators are of limited use
  • Attackers can test their attacks against these feeds
  • Attackers might have insight into your IOC strategy
• Specific addressing information
  • Internal addressing space will most likely put network admins and management in an uncomfortable situation
  • Each company is networked differently, thus specific addresses will not be useful


What is the less effective data?

• Attempted attribution
  • From the asset owner perspective, the origin should not matter
  • Asset owners cannot decide who targets them
• Guessing intent
  • Leads to bias during investigation
  • Usually not rooted in evidence
• Company information
  • Each company is unique, so company-specific information is not useful


Wrong Data Examples

File hash: 9e107d9d372bb6826bd81d3542a419d6
Attacking IP infrastructure: 34.78.162.96
Internal compromised IP: 192.168.5.14


Great. You’ve made a point, now what’s your solution?


BEHAVIORAL DATA


What is behavioral data?

• A chain of events rooted in observables with high confidence in activity

VPN connection established to network → RDP session to Historian machine → Malicious download executes code → Data exfiltration to external source


Behavioral Data: What it’s not

• No specific IP information
• No company-specific information
• Not typically IOCs, but they can help
• No attribution
• No intent guessing


Behavioral Data: What to share?

• Description of compromised assets
• Asset function
  • Historian
  • Asset management
  • Vulnerability scanner
  • Etc.
• OS, software, firmware versions


Behavioral Data: What to share?

• Description of traffic
• Protocols (and versions) used
• Timestamps of the attack sequence
• Frequency of attack infrastructure communication
  • External to internal
  • Internal to external
  • Etc.


Behavioral Data: What it is

VPN connection established to network → RDP session to Historian machine → Malicious download executes code → Data exfiltration to external source

• Tactics, techniques, and procedures of attacker activity
• Rooted in observable evidence in network and host
• Abstracted from too-specific information to what can be shared


Why is sharing behavioral data useful for IR/threat hunting?

• Attackers generally won’t build malware specific to one victim
  • Not a good use of limited attacker resources
  • You probably aren’t that special
• Asset owners might see attacks before the publishing cycle
  • Some threat intel sources can get you ahead of the attack curve
  • Effectiveness of threat intelligence depends on sources, methods and analysis techniques
• Generic IR/hunting is good but not as focused as behavior-driven IR/hunting


How do I actually share behavioral data effectively?


Boils down to:

1. Know what and how to share with others
2. Know how to consume data from others


Sharing With Others: Threat Intel

• ADVERSARY: Development and likely initial access team for SANDWORM group.
  • Does not appear to be directly involved in pre-2016 Ukraine events
  • However, the group appears solely responsible for the 2016 event
• INFRASTRUCTURE: Leveraging dual-use infrastructure, such as public servers used for TOR, to host C2.
• VICTIM: At this time, the only observed victims are Ukrainian utility companies.
• CAPABILITY: Group appears well organized and financed.
  • CRASHOVERRIDE required existing, long-term access to enumerate the network, gain access to ICS, and identify appropriate communication protocols.
  • Group deployed a fully-featured ICS effects module focused on European electric transmission substations as part of the attack, implying a separate test and development environment for ICS software.


• Notice:
  • No specific system information
  • Information is TTP focused
• We will show how to consume this


Sharing With Others: Kill Chain Mapping

Stage 1: Cyber Kill Chain (https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html)
Stage 2: ICS Cyber Kill Chain (https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297)

[Kill chain diagram; the Deliver stage is highlighted]


Sharing With Others: Case Study

• DNS queries are noticed successfully reaching beyond internal network boundaries
• Kicks off investigation
• Reporting begins as teams uncover the full scope of the intrusion


How to share: IR Case Study

• Details
  • DNS and HTTP queries beyond the network were successfully reaching 34.78.162.96
  • Suspected watering hole attack from 34.78.162.96 (p1csuperstore.com), as multiple files were downloaded on the host machine
  • Persistent connection over DNS to 34.78.162.96
  • ICMP scanning to internal subnets 192.168.*.* and 172.16.*.*
  • Large data exfiltration to 34.78.162.96 over HTTP
  • Quarantine of infected machine


How to Share: Suspected Timeline

Query to water hole site → Response from external IP → Flood of DNS traffic to external IP → HTTP queries to external IP → ICMP scanning → Data exfiltration over HTTP to external IP → Detected abnormal DNS queries

Start: January 18, 2015, 4:43 AM EST
Finish: March 24, 2015, 9:36 AM EST


What matters?


How to Share: Tactics, Techniques, Procedures

• Details
  • DNS and HTTP queries beyond the network were successfully reaching 34.78.162.96
  • Suspected watering hole attack from 34.78.162.96 (p1csuperstore.com), as multiple files were downloaded on the host machine
  • ICMP scanning to internal subnets 192.168.*.* and 172.16.*.*
    • Connections were made to 192.168.5.7, 192.168.5.8, etc.
    • None connected to 172.16.*.*
  • Large data exfiltration to 34.78.162.96 over HTTP
  • Quarantine of infected machine


How to Share: Behavior over Time

Query to water hole site → Response from external IP → Flood of DNS traffic to external IP → HTTP queries to external IP → ICMP scanning → Data exfiltration over HTTP to external IP → Detected abnormal DNS queries

Start: January 18, 2015, 4:43 AM EST
Finish: March 24, 2015, 9:36 AM EST

Interval durations marked on the timeline: 36 days, 4 days, 15 days, 10 days, 2 hours (about 65 days from first query to detection)


How to Share: Kill Chain Mapping

• Deliver: Watering hole attack at domain p1csuperstore.com
  • 40 days: one internal asset (transient laptop, Windows 7) reached out once to the evil domain
• Command and control over DNS, inbound from external IP
  • 10 days: traffic between the internal asset and the malicious external IP started to pick up
• ICMP scanning to internal addresses
  • Scanning was slow and steady, at a rate of 5 addresses per 30 minutes
• Data exfiltration over HTTP to external IP address
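The step from the IR details to the kill chain mapping above is an abstraction: concrete addresses become roles (internal asset, external infrastructure), hostnames become asset function and platform, and calendar timestamps become offsets and durations. That step can be scripted so the shareable summary comes from the same event list responders already keep and can be checked for leaked specifics before it goes out. The following Python is an added example written for this page, not code from the talk or from Dragos; the EVENTS list, the ASSET description and the STAGE mapping are constructed and hypothetical (they mirror the case study's chain and use Lockheed Martin stage names), and nothing in it is real incident data.

```python
"""Turn IR event details into shareable behavioral data.

Added example, not from the Dragos talk. EVENTS, ASSET and STAGE are
constructed and hypothetical; they mirror the case study's chain
(watering hole -> DNS C2 -> ICMP sweep -> HTTP exfiltration -> detection).
"""
import json
from datetime import datetime
from ipaddress import ip_address

# Constructed IR events: what the responders record, specifics included.
EVENTS = [
    {"ts": "2015-01-18T04:43:00", "src": "192.168.5.14", "dst": "34.78.162.96",
     "proto": "HTTP", "behavior": "watering hole download"},
    {"ts": "2015-02-23T04:43:00", "src": "192.168.5.14", "dst": "34.78.162.96",
     "proto": "DNS", "behavior": "sustained DNS beaconing"},
    {"ts": "2015-02-27T04:43:00", "src": "192.168.5.14", "dst": "34.78.162.96",
     "proto": "HTTP", "behavior": "periodic HTTP polling"},
    {"ts": "2015-03-14T04:43:00", "src": "192.168.5.14", "dst": "192.168.5.7",
     "proto": "ICMP", "behavior": "slow internal subnet sweep"},
    {"ts": "2015-03-24T07:36:00", "src": "192.168.5.14", "dst": "34.78.162.96",
     "proto": "HTTP", "behavior": "bulk outbound transfer"},
    {"ts": "2015-03-24T09:36:00", "src": "192.168.5.14", "dst": "34.78.162.96",
     "proto": "DNS", "behavior": "abnormal DNS queries detected"},
]

# Asset function and platform of the compromised host (constructed).
ASSET = {"192.168.5.14": "transient laptop, Windows 7"}

# Behavior -> kill chain stage. This mapping is an assumption for the example.
STAGE = {
    "watering hole download": "Deliver",
    "sustained DNS beaconing": "Command and Control",
    "periodic HTTP polling": "Command and Control",
    "slow internal subnet sweep": "Actions on Objectives (internal reconnaissance)",
    "bulk outbound transfer": "Actions on Objectives (exfiltration)",
    "abnormal DNS queries detected": "Detection",
}


def role(addr):
    """Replace a concrete address with the role another defender can act on."""
    return "internal asset" if ip_address(addr).is_private else "external infrastructure"


def abstract_events(events):
    """Sort events, strip addresses, and express time as offsets rather than dates."""
    ordered = sorted(events, key=lambda e: e["ts"])
    t0 = prev = datetime.fromisoformat(ordered[0]["ts"])
    report = []
    for e in ordered:
        t = datetime.fromisoformat(e["ts"])
        report.append({
            "stage": STAGE.get(e["behavior"], "unmapped"),
            "behavior": e["behavior"],
            "protocol": e["proto"],
            "src": role(e["src"]),
            "dst": role(e["dst"]),
            "asset_function": ASSET.get(e["src"], "unknown"),
            "day_offset": (t - t0).days,
            "hours_since_previous": round((t - prev).total_seconds() / 3600, 1),
        })
        prev = t
    return report


def leaked_specifics(report, events):
    """Addresses from the source events that survived into the report (should be none)."""
    text = json.dumps(report)
    return sorted({a for e in events for a in (e["src"], e["dst"]) if a in text})


def render(report):
    """One line per step, in order, with no site-specific values."""
    return "\n".join(
        f"day {r['day_offset']:>2} (+{r['hours_since_previous']}h) [{r['stage']}] "
        f"{r['src']} -> {r['dst']} over {r['protocol']}: {r['behavior']} "
        f"({r['asset_function']})"
        for r in report
    )


if __name__ == "__main__":
    summary = abstract_events(EVENTS)
    assert not leaked_specifics(summary, EVENTS)  # refuse to share if an address leaked
    print(render(summary))
```

The leak check is the part worth keeping even if the rest is replaced by a template: it is the difference between the "no specific IP information" rule being a policy and being enforced on every summary before it leaves the site.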


How to share: Methods

• Whatever works best for your community
• Find what works:
  • Encrypted email
  • Phone
  • Tabletop exercise
  • Fax
• Define a format for sharing:
  • We like Diamond Model summaries
  • Kill chain mapping
  • Simple email or Word document summary
• Get the right data in the right hands!


How to consume shared information


Informed Threat Hunting


How to consume shared information

Take actionable information and actually do actions with it = Threat Hunting

Not a real definition but you get the point


Threat Hunt Cycle

• Purpose
  • Why are we threat hunting?
  • What are we hoping to achieve?
  • What does success look like when the hunt is finished?


Threat Hunt Cycle

• Scope
  • Phase 1: Location
    • Where does the hunt need to take place?
    • Subnet, system, network, facility
  • Phase 2: Hypothesis generation
    • Creating hypotheses that can be confirmed or denied
    • Do the hypotheses cover the entire set of objectives from the Purpose stage?

Asset owners should share TTP-focused hunt hypotheses


Threat Hunt Cycle

• Equip
  • Phase 1: Collection management framework
    • What data do I currently have available?
    • What data, according to the information sharing mapping, do I need to collect to enable success?
    • Do I have the right storage duration to be successful?
  • Phase 2: Resource allocation
    • Team members assigned to the hunt
      • Senior and junior members mixed
    • Tools required
      • Open source
      • Custom development
    • External resources


Threat Hunt Cycle

• Plan review
  • All stakeholders need to know what the plan is moving forward
  • Does the final plan make sense?
  • Is the final plan addressing all objectives from the Purpose stage?


Threat Hunt Cycle

• Execute
  • Do the hunt
  • Search for observables in available data sources
  • Produce a report based on findings from the hunt


Threat Hunt Cycle

• Feedback
  • Discuss what worked and what can be improved at each stage
  • Internal:
    • What are the collection gaps?
    • What are the policy and procedure gaps?
    • How would we have done if we were patient 0?
  • External:
    • Provide additional findings back to the source
    • Understand what information was useful and what was not
    • Develop the relationship further


Wrapping Up


How does behavioral data address false perceptions?

1. Introduces additional risk to reputation
   • If anything, it creates a stronger community bond in the ability to hunt and respond to adversaries across the industry
2. Isn’t immediately useful
   • If the information shared is timely, then hunting can be immediately useful to confirm or deny adversary presence
3. Isn’t worth the time/resources
   • How badly do you want to know the network is clean and not compromised?
4. Network defense/architecture exposure
   • Abstracting sensitive information that is not useful to the investigation removes the fear of exposing network defense and network architecture


ACCELERATE INCIDENT RESPONSE


Informed Threat Hunting


Just the beginning

• Current information sharing methods exist and plenty of work has already been done on sharing
• How do we evolve the current state to be more valuable?
• Driving new requirements
  • Asset owners, analysts, anyone who is boots on the ground
• Behavioral sharing is a process and this talk is a conversation starter


Thank you for the opportunity to present

Dan Gunter, @dan_gunter, [email protected]
Marc Seitz, @SubtleThreat, [email protected]