Embed Size (px)
DESCRIPTION
Threat Intelligence has become increasingly important as the number and severity of threats is growing continuously. We live in an era where our prevention technologies are not enough anymore, antivirus products fail to detect new or sophisticated pieces of malware, our firewalls and perimeter defenses are easily bypassed and the attacker’s techniques are growing in complexity. In this new landscape, sharing threat intelligence has become a key component to mitigate cyber-attacks. In this session we will define what Threat Intelligence is and discuss how to collect and integrate threat intelligence from public sources. In addition, we’ll demonstrate how to build your own Threat Intelligence data using Open Source tools such as sandboxes, honeypots, sinkholes and other publicly available tools. The industry’s reticence to share information about attack vectors gives the adversary a huge advantage. Using Threat Intelligence we can reduce this advantage and enable preventative response. We will guide you through the different standards (OpenIOC, STIX, MAEC, OTX, IODEF…) to describe and share cyber intelligence, as well as Open Source Frameworks such as CIF (Collective Intelligence Framework) that allows you to combine different threat sources. One of the biggest problems with Threat Intelligence is finding out how to take advantage of the data you have to actually improve the detection/prevention capabilities in your environment. We will describe how to leverage Threat Intelligence to detect threats and provide defenses, and we will focus on how to use Open Source Tools (Suricata, OSSIM, OSSEC, Bro, Yara…) to get the most of your Threat Intelligence. Presenters: Jaime Blasco and Santiago Bassett Cornerstones of Trust 2014: https://www.cornerstonesoftrust.com
Citation preview
Threat Intelligencewith Open Source tools
Cornerstones of Trust 2014
@jaimeblasco@santiagobassett
Presenters
JAIME BLASCODirector AlienVault Labs
Security Researcher Malware Analyst
Incident Response
SANTIAGO BASSETTSecurity Engineer
OSSIM / OSSECNetwork Security
Logs Management
The attacker’s advantage
• They only need to be successful once
• Determined, skilled and often funded adversaries
• Custom malware, 0days, multiple attack vectors, social engineering
• Persistent
The defender’s disadvantage
• They can’t make a mistake
• Understaffed, jack of all trades, underfunded
• Increasing complex IT infrastructure:
– Moving to the cloud
– Virtualization
– Bring your own device
• Prevention controls fail to block everything
• Hundreds of systems and vulnerabilities to patch
What is Threat Intelligence?
• Information about malicious actors
• Helps you make better decisions about defense
• Examples: IP addresses, Domains, URL’s, File Hashes, TTP’s, victim’s industries, countries..
State of the art
• Most sharing is unstructured & human-to-human
• Closed groups
• Actual standards require knowledge, resources and time to integrate the data
How to use Threat Intelligence
• Detect what my prevention technologies fail to block
• Security planning, threat assessment
• Improves incident response / Triage
• Decide which vulnerabilities should I patch first
The Threat Intelligence Pyramid of Pain
Standards & Tools
• IODEF: Incident Object Description Exchange Format
• MITRE:– STIX: Structured Threat Information eXpression
– TAXXII: Trusted Automated eXchange of Indicator Information
– MAEC, CAPEC, CyBOX
• CIF: Collective Intelligence Framework
Collective Intelligence Framework
Collecting malware
Some malware tracking sites:
• http://malc0de.com/rss
• http://www.malwareblacklist.com/mbl.xml
• http://www.malwaredomainlist.com/hostslist/mdl.xml
• http://vxvault.siri-urz.net/URL_List.php
• http://urlquery.net
• http://support.clean-mx.de/clean-mx/xmlviruses.php
Some Open Source malware crawlers:
• Maltrieve: https://github.com/technoskald/maltrieve
• Ragpicker: https://code.google.com/p/malware-crawler/
Collecting malware
Other malware collection tools
Dionaea honeypot:
• http://dionaea.carnivore.it/
Thug Honeyclient – Drive by download attacks:
• https://github.com/buffer/thug
• Emulates browsers functionality (activeXcontrols and plugins)
Analyzing malware
Yara: Flexible, human-readable rules for identifying malicious streams.
Can be used to analyze:
• files
• memory (volatility)
• network streams.
private rule APT1_RARSilent_EXE_PDF {meta:
author = "AlienVault Labs"info = "CommentCrew-threat-apt1"
strings:$winrar1 = "WINRAR.SFX" wide ascii$winrar2 = ";The comment below contains SFX
script commands" wide ascii$winrar3 = "Silent=1" wide ascii
$str1 = /Setup=[\s\w\"]+\.(exe|pdf|doc)/$str2 = "Steup=\"" wide ascii
condition:all of ($winrar*) and 1 of ($str*)
}
Analyzing malware
Cuckoo Sandbox: Used for automated malware analysis.
• Traces Win32 API calls
• Files created, deleted and downloaded
• Memory dumps of malicious processes
• Network traffic pcaps
Analyzing malware
Sandbox – CIF integration
In our example: hxxp://www.garyhart.com, domain
CIF External feed example
Thank you!!
@jaimeblascob
@santiagobassett
