Page 1: Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014

Threat Intelligence with Open Source tools

Cornerstones of Trust 2014

@jaimeblascob @santiagobassett

Page 2

Presenters

JAIME BLASCO, Director, AlienVault Labs

Security Researcher, Malware Analyst

Incident Response

SANTIAGO BASSETT, Security Engineer

OSSIM / OSSEC, Network Security

Log Management

Page 3

The attacker’s advantage

• They only need to be successful once

• Determined, skilled and often funded adversaries

• Custom malware, 0days, multiple attack vectors, social engineering

• Persistent

Page 4

The defender’s disadvantage

• They can’t make a mistake

• Understaffed, jack of all trades, underfunded

• Increasingly complex IT infrastructure:

– Moving to the cloud

– Virtualization

– Bring your own device

• Prevention controls fail to block everything

• Hundreds of systems and vulnerabilities to patch

Page 5

What is Threat Intelligence?

• Information about malicious actors

• Helps you make better decisions about defense

• Examples: IP addresses, domains, URLs, file hashes, TTPs, victims' industries, countries

Page 6

State of the art

• Most sharing is unstructured & human-to-human

• Closed groups

• Existing standards require knowledge, resources and time to integrate the data

Page 7

How to use Threat Intelligence

• Detect what my prevention technologies fail to block

• Security planning, threat assessment

• Improve incident response and triage

• Decide which vulnerabilities to patch first
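The first use on this slide, detecting what prevention missed, comes down to matching indicator lists against whatever logs you already have. The following is an added example, not code from the talk: a format-agnostic matcher that pulls IPs, hostnames, URLs and SHA-256 hashes out of proxy, resolver, firewall and endpoint log lines and checks them against an indicator set. The indicator set, the internal-range filter and the log lines are constructed (documentation IP ranges, .example domains, a made-up hash); in practice the indicators would come from a feed such as CIF and the lines from the SIEM.

```python
"""Match threat-intel indicators against log lines from several sources.

Added example for the 'detect what prevention fails to block' use case; it is
not code from the talk. Indicators and log lines below are constructed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed indicator set covering the IoC types the slide lists.
INDICATORS = {
    "ipv4": {"198.51.100.23"},
    "domain": {"bad-updates.example", "cdn.bad-updates.example"},
    "url": {"http://bad-updates.example/dl/a.exe"},
    "sha256": {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
}

# Internal ranges never count as matches: a feed that accidentally carries
# 10.0.0.1 would otherwise light up every host in the estate.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16")]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def domain_matches(host, domains):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def extract(line):
    """Pull candidate observables out of one log line without knowing its format."""
    found = {"ipv4": set(), "domain": set(), "url": set(), "sha256": set()}
    for url in URL_RE.findall(line):
        url = url.rstrip(".,;")
        found["url"].add(url)
        host = urlsplit(url).hostname
        if host:
            found["domain"].add(host)
    # URLs are blanked before the hostname scan so their hosts are not re-added.
    for host in HOST_RE.findall(URL_RE.sub(" ", line)):
        found["domain"].add(host.lower())
    for ip in IPV4_RE.findall(line):
        try:
            addr = ipaddress.IPv4Address(ip)   # rejects things like 999.1.1.1
        except ValueError:
            continue
        if any(addr in net for net in INTERNAL):
            continue
        found["ipv4"].add(ip)
    for digest in SHA256_RE.findall(line):
        found["sha256"].add(digest.lower())
    return found


def match(line, indicators=INDICATORS):
    """Return [(type, indicator), ...] for every listed indicator the line touches."""
    found = extract(line)
    hits = []
    for ip in sorted(found["ipv4"]):
        if ip in indicators["ipv4"]:
            hits.append(("ipv4", ip))
    for host in sorted(found["domain"]):
        listed = domain_matches(host, indicators["domain"])
        if listed and ("domain", listed) not in hits:
            hits.append(("domain", listed))
    for url in sorted(found["url"]):
        if url in indicators["url"]:
            hits.append(("url", url))
    for digest in sorted(found["sha256"]):
        if digest in indicators["sha256"]:
            hits.append(("sha256", digest))
    return hits


# Constructed lines in proxy, resolver, firewall and endpoint formats.
SAMPLE_LOGS = [
    "1400000000.123 45 10.0.0.5 TCP_MISS/200 512 GET http://cdn.bad-updates.example/x.js - DIRECT/203.0.113.9 text/javascript",
    "client 10.0.0.7#51234: query: bad-updates.example IN A +",
    "DROP IN=eth0 SRC=10.0.0.9 DST=198.51.100.23 PROTO=TCP DPT=443",
    "user=alice wrote C:\\Users\\alice\\a.exe sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "client 10.0.0.7#51234: query: www.example.org IN A +",
]


def scan(lines, indicators=INDICATORS):
    """Return (line_index, hits) for every line with at least one hit."""
    results = []
    for i, line in enumerate(lines):
        hits = match(line, indicators)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_LOGS):
        print(i, hits)
```

Subdomain matching matters more than it looks: feeds usually list the registered domain while logs show the host the malware actually resolved, and an exact-match lookup silently misses the hit.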

Page 8

The Threat Intelligence Pyramid of Pain

Page 9

Standards & Tools

• IODEF: Incident Object Description Exchange Format

• MITRE:

– STIX: Structured Threat Information eXpression

– TAXII: Trusted Automated eXchange of Indicator Information

– MAEC, CAPEC, CybOX

• CIF: Collective Intelligence Framework

Page 10

Collective Intelligence Framework

Page 11

Collecting malware

Some malware tracking sites:

• http://malc0de.com/rss

• http://www.malwareblacklist.com/mbl.xml

• http://www.malwaredomainlist.com/hostslist/mdl.xml

• http://vxvault.siri-urz.net/URL_List.php

• http://urlquery.net

• http://support.clean-mx.de/clean-mx/xmlviruses.php

Some Open Source malware crawlers:

• Maltrieve: https://github.com/technoskald/maltrieve

• Ragpicker: https://code.google.com/p/malware-crawler/
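What a crawler such as Maltrieve or Ragpicker does with those feeds, as an added example (not code from either project): read an RSS/XML feed of malicious URLs, normalise them (refanging hxxp:// and [.] on the way), download each URL once and file the sample under its SHA-256 so the same binary served from two feeds is stored once. The feed, the stand-in samples and the fetch callable are constructed so the example runs offline; real feeds differ in whether the URL sits in <link>, in the description text, or in an HTML snippet, which is why both elements are scanned.

```python
"""Skeleton of a feed-driven malware crawler.

Added example, not code from Maltrieve or Ragpicker. The feed, the samples
and the fetch callable are constructed so it runs offline.
"""
import hashlib
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Constructed feed: one defanged link, one URL buried in a description
# (different case, same resource), one second host serving the same bytes,
# and one dead entry.
SAMPLE_FEED = """<rss version="2.0"><channel>
  <item><title>s1</title><link>hxxp://malware.example/loader.exe</link></item>
  <item><title>s2</title><description>URL: http://MALWARE.example/loader.exe, IP: 203.0.113.5</description></item>
  <item><title>s3</title><link>http://other.example/drop.bin</link></item>
  <item><title>s4</title><link>hxxp://dead[.]example/gone.exe</link></item>
</channel></rss>"""

URL_RE = re.compile(r"h(?:xx|tt)ps?://[^\s<>\"',]+", re.I)


def refang(url):
    """Undo the usual defanging so the URL can actually be fetched."""
    url = re.sub(r"^hxxp", "http", url, flags=re.I)
    return url.replace("[.]", ".")


def normalise(url):
    """Canonical form for de-duplication: lower-case scheme and host, no fragment."""
    p = urlsplit(refang(url))
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def parse_feed(xml_text):
    """Return every URL found in the <link> or <description> of each <item>."""
    urls = []
    for item in ET.fromstring(xml_text).iter("item"):
        for tag in ("link", "description"):
            el = item.find(tag)
            if el is not None and el.text:
                urls.extend(URL_RE.findall(el.text))
    return urls


def collect(urls, fetch, store):
    """Fetch each distinct URL once and file samples by SHA-256.

    fetch(url) returns the body as bytes, or None when the URL is dead (most
    feed entries go stale within days). store maps sha256 -> bytes and stands
    in for a directory of samples named by hash.
    """
    seen = set()
    report = {"fetched": 0, "new": 0, "dupes": 0, "failed": 0}
    for raw in urls:
        url = normalise(raw)
        if url in seen:
            continue
        seen.add(url)
        data = fetch(url)
        if not data:
            report["failed"] += 1
            continue
        report["fetched"] += 1
        digest = hashlib.sha256(data).hexdigest()
        if digest in store:
            report["dupes"] += 1        # same binary, different URL
        else:
            store[digest] = data
            report["new"] += 1
    return report


def crawl(feed_xml, fetch):
    """Parse a feed, collect its samples, return (report, samples_by_sha256)."""
    samples = {}
    return collect(parse_feed(feed_xml), fetch, samples), samples


# Constructed stand-in for the network: two live URLs serving identical bytes.
FAKE_SAMPLES = {
    "http://malware.example/loader.exe": b"MZ\x90\x00" + b"A" * 16,
    "http://other.example/drop.bin": b"MZ\x90\x00" + b"A" * 16,
}


def fake_fetch(url):
    return FAKE_SAMPLES.get(url)


if __name__ == "__main__":
    report, samples = crawl(SAMPLE_FEED, fake_fetch)
    print(report, sorted(samples))
```

Keying storage by hash rather than by URL is what makes the collection usable later: the same dropper is typically re-hosted dozens of times, and the hash is also the key you will look up in the sandbox and in VirusTotal-style services.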

Page 12

Collecting malware

Page 13

Other malware collection tools

Dionaea honeypot:

• http://dionaea.carnivore.it/

Thug honeyclient (drive-by download attacks):

• https://github.com/buffer/thug

• Emulates browser functionality (ActiveX controls and plugins)

Page 14

Analyzing malware

YARA: flexible, human-readable rules for identifying malicious files and streams.

Can be used to analyze:

• files

• memory (volatility)

• network streams

private rule APT1_RARSilent_EXE_PDF
{
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        // markers of a WinRAR self-extracting archive with a silent SFX script
        $winrar1 = "WINRAR.SFX" wide ascii
        $winrar2 = ";The comment below contains SFX script commands" wide ascii
        $winrar3 = "Silent=1" wide ascii
        // the Setup= line launching the dropped payload, plus a misspelled variant
        $str1 = /Setup=[\s\w\"]+\.(exe|pdf|doc)/
        $str2 = "Steup=\"" wide ascii

    condition:
        all of ($winrar*) and 1 of ($str*)
}
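To see exactly what the APT1_RARSilent_EXE_PDF rule above tests, here is an added example (not from the slides, and not a replacement for yara or yara-python) that re-implements this one rule's strings and condition over a byte buffer in plain Python. The point it makes visible is the wide ascii modifier: the three $winrar strings and $str2 are searched both as ASCII and as UTF-16LE, while the $str1 regex has no modifier and so only ever sees ASCII, which is why a UTF-16 SFX script with a correctly spelled Setup= line does not fire the rule. All sample buffers are constructed.

```python
"""What the APT1_RARSilent_EXE_PDF rule checks, in plain Python.

Added example, not from the slides and not a substitute for YARA. The
buffers below are constructed stand-ins for the SFX comment block of an
archive.
"""
import re

# $winrar1..3 carry 'wide ascii': searched as ASCII and as UTF-16LE.
WINRAR = [
    b"WINRAR.SFX",
    b";The comment below contains SFX script commands",
    b"Silent=1",
]
# $str2, also 'wide ascii': the misspelled Setup= line.
STR2 = b'Steup="'
# $str1 has no modifier, so YARA tries it against ASCII bytes only.
STR1 = re.compile(rb'Setup=[\s\w"]+\.(exe|pdf|doc)')


def wide(s):
    """YARA's 'wide' form of an ASCII string: UTF-16LE, a NUL after each byte."""
    return s.decode("ascii").encode("utf-16-le")


def present(buf, s):
    """True if s occurs in buf in ASCII or in wide form."""
    return s in buf or wide(s) in buf


def evaluate(buf):
    """Return each string's match status plus the rule verdict under 'rule'."""
    m = {f"$winrar{i}": present(buf, s) for i, s in enumerate(WINRAR, 1)}
    m["$str1"] = STR1.search(buf) is not None
    m["$str2"] = present(buf, STR2)
    all_winrar = all(v for k, v in m.items() if k.startswith("$winrar"))
    one_str = m["$str1"] or m["$str2"]
    m["rule"] = all_winrar and one_str
    return m


# Constructed buffers.
SCRIPT = (b";The comment below contains SFX script commands\r\n"
          b"Silent=1\r\n")
# ASCII SFX script: fires through $str1.
SFX_ASCII = b"MZ\x90\x00" + b"WINRAR.SFX" + b"\x00" * 4 + SCRIPT + b"Setup=report.pdf\r\n"
# Same script stored as UTF-16LE with the 'Steup=' misspelling: fires through $str2.
SFX_WIDE = (b"MZ\x90\x00" + wide(b"WINRAR.SFX") + wide(SCRIPT)
            + wide(b'Steup="dropper.exe"\r\n'))
# UTF-16LE script with a correctly spelled Setup= line: $str1 is ASCII-only and
# $str2 needs the misspelling, so the rule does not fire.
SFX_WIDE_SETUP = (b"MZ\x90\x00" + wide(b"WINRAR.SFX") + wide(SCRIPT)
                  + wide(b"Setup=dropper.exe\r\n"))


if __name__ == "__main__":
    for name, buf in (("ascii", SFX_ASCII), ("wide", SFX_WIDE),
                      ("wide_setup", SFX_WIDE_SETUP)):
        print(name, evaluate(buf))
```

When you write rules of your own, check each string and regex for the encodings you expect in the target: a regex that needs to match UTF-16 text must carry the wide modifier too.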

Page 15

Analyzing malware

Cuckoo Sandbox: Used for automated malware analysis.

• Traces Win32 API calls

• Files created, deleted and downloaded

• Memory dumps of malicious processes

• Network traffic pcaps

Page 16

Analyzing malware

Page 17

Sandbox – CIF integration

In our example: hxxp://www.garyhart.com, domain
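The integration step, as an added example (not code from Cuckoo or CIF): take the network section of a sandbox report, drop the traffic every run produces regardless of the sample (the analysis VM's gateway, the resolver, Windows background domains and the IPs behind them), and shape what is left into records for a CIF submission. The report layout follows the network section of a Cuckoo 1.x report.json (network.hosts, network.domains, network.http); that layout, the sample report (built around the slide's www.garyhart.com example plus constructed addresses), the allowlist and the output field names are all assumptions to check against the versions you run.

```python
"""From a sandbox report to CIF-ready indicators.

Added example, not code from Cuckoo or CIF. Report layout, sample report,
allowlist and output record fields are assumptions.
"""
import ipaddress
import json

# Constructed report: the slide's example domain plus the noise a sandbox
# always produces (its own gateway, the resolver, Windows background traffic).
SAMPLE_REPORT = {
    "target": {"file": {"sha256": "c0ffee" * 10 + "c0ff"}},
    "network": {
        "hosts": ["10.0.2.2", "8.8.8.8", "203.0.113.45", "198.51.100.7", "198.51.100.9"],
        "domains": [
            {"domain": "www.garyhart.com", "ip": "203.0.113.45"},
            {"domain": "cdn.example.net", "ip": "198.51.100.7"},
            {"domain": "time.windows.com", "ip": "198.51.100.9"},
        ],
        "http": [
            {"method": "GET", "host": "cdn.example.net",
             "uri": "http://cdn.example.net/payload.bin"},
        ],
    },
}

# Assumed analysis-VM network and resolver; adjust to your sandbox.
SANDBOX_NETS = [ipaddress.ip_network("10.0.2.0/24")]
RESOLVERS = {"8.8.8.8"}
# Internal, link-local and multicast only. Documentation ranges are left in so
# the constructed sample survives; filter them separately on a real feed.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]
# Illustrative starting allowlist of OS background traffic; grow it from clean runs.
BENIGN_SUFFIXES = ("windows.com", "msftncsi.com", "microsoft.com", "windowsupdate.com")


def is_noise_ip(ip):
    addr = ipaddress.ip_address(ip)
    return ip in RESOLVERS or any(addr in n for n in INTERNAL + SANDBOX_NETS)


def is_benign_domain(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in BENIGN_SUFFIXES)


def extract_indicators(report):
    """Return [{'address': ..., 'type': 'fqdn'|'ipv4'|'url'}] with noise removed."""
    net = report.get("network", {})
    benign_ips, out = set(), []
    for d in net.get("domains", []):
        dom = d["domain"].lower().rstrip(".")
        if is_benign_domain(dom):
            if d.get("ip"):
                benign_ips.add(d["ip"])   # the IP behind an allowlisted name is noise too
            continue
        out.append({"address": dom, "type": "fqdn"})
    for h in net.get("hosts", []):
        ip = h if isinstance(h, str) else h.get("ip")   # Cuckoo 2.x uses dicts here
        if not ip or ip in benign_ips or is_noise_ip(ip):
            continue
        out.append({"address": ip, "type": "ipv4"})
    for h in net.get("http", []):
        if is_benign_domain(h.get("host", "")):
            continue
        out.append({"address": h["uri"], "type": "url"})
    return out


def to_cif_records(indicators, sample_sha256, confidence=65):
    """Shape indicators as submission records (field names illustrative).

    Sandbox-derived indicators get moderate confidence: one run proves the
    sample contacted the address, not that the address itself is hostile.
    """
    return [{
        "address": i["address"],
        "type": i["type"],
        "assessment": "malware",
        "confidence": confidence,
        "description": f"contacted by sample {sample_sha256}",
        "source": "sandbox",
    } for i in indicators]


def records_from_report(report, confidence=65):
    sha = report.get("target", {}).get("file", {}).get("sha256", "unknown")
    return to_cif_records(extract_indicators(report), sha, confidence)


def records_from_file(path):
    """Same pipeline for a report.json on disk."""
    with open(path, "rb") as fh:
        return records_from_report(json.load(fh))


if __name__ == "__main__":
    print(json.dumps(records_from_report(SAMPLE_REPORT), indent=2))
```

The allowlist is where most of the ongoing work goes: run a few known-clean binaries through the same sandbox and add whatever they contact, otherwise update servers and CDNs end up in the feed with a malware assessment attached.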

Page 18

CIF External feed example

Page 19

Thank you!!

@jaimeblascob

@santiagobassett

