4. Introduction – The Presentation
• Original purpose of this presentation
– An open discussion between A Client and Symantec
• About the types of intelligence sources A Client could leverage
• How these could be used to gain insight into threats
– Presentation of a number of ideas on how to achieve this
– Designed to be interactive
• Brainstorming, guidance, questions, answers all welcome…
• What this presentation is NOT
– A presentation on productized technology available from Symantec
• Goal of a well-developed intelligence program
– Gain visibility ahead of time
– Predict likely targets
– Detect stealthy attacks or attack precursors
Symantec Advanced Threat Research
Threat Intelligence – Routes to a Proactive Capability
4
5. Introduction – The Presentation
• Problem statement guidance
– Existing threat intelligence data is reactive
• Patch Tuesday etc…
– A Client wants to develop more of a proactive capability
• How to gain visibility before the attack
– Technology threat intelligence
– Aggressor threat intelligence
• How to detect attacks for which there is no signature
• Additional guidance already given
– This will not focus on web based applications
– This will look at infrastructure and standard client-based threats
7. Intelligence Sources
• So what does A Client have access to?
– A lot!
– However, deciding what to process will be difficult
– Actual processing will present some unique challenges
– Result: risk/effort versus reward will come into play
• Caveat: You may be analyzing some of these already
• What follows is a relatively high-level overview
– Designed to capture the key sources
– Does not cover in detail all the methods of analysis
9. Intelligence Sources
• A couple of key observations
– Gaining insight into where/how an attack will happen ahead of time is hard
• Unlike fraud, attackers aren’t going to hang out on publicly accessible channels discussing their targets/methods
• Monitoring for sentiment is going to throw up false positives (annoyed customers etc.)
• Attacks which hit you fall into two categories – mass exploitation & targeted
• Mass exploitation – some indication ahead of time
• Targeted – little to no indication ahead of time
– However, detecting the early stages of an attack is far easier
– Detecting an in-progress attack is even easier
– So some discussion around the key objectives will need to be had
11. Binary File Format Exploitation - PDF
• Goal
– Process PDFs at the mail server/AV/SPAM layer to identify suspicious files potentially trying to exploit a vulnerability
• Approach
– Does it comply with the file format?
• Does your AV/SPAM solution successfully parse it?
• Can you automate the opening of all PDF files in a sandbox to detect crashes and/or suspicious behavior?
– What does it contain?
• Is it a re-work of a press release issued by you, a competitor, a regulator or a publicly listed company?
• Do shellcode heuristics trigger?
– What produced it?
• There is a surprising amount of metadata in PDFs which could be used to influence its risk profile.
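The three questions above (format compliance, content, producer) as one triage pass, added here as an illustration rather than anything from the deck or a Symantec product. The sample PDF, the list of suspicious name objects, the producer allowlist and the scoring thresholds are all constructed assumptions for the example.

```python
import re

# Constructed sample PDF for the example (hypothetical content, not a real malicious file):
# a minimal document whose /OpenAction runs a JavaScript action on open.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj
5 0 obj << /Producer (HypotheticalGen 0.1) /Creator (Unknown) >> endobj
trailer << /Root 1 0 R /Info 5 0 R >>
%%EOF
"""

# Name objects that carry active content or auto-execute hooks; each raises the risk profile.
SUSPICIOUS_NAMES = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
                    b"/EmbeddedFile", b"/RichMedia"]
# Producers the organization normally sees in legitimate documents (assumed allowlist).
KNOWN_PRODUCERS = ["Acrobat", "Microsoft", "LibreOffice", "Ghostscript"]


def triage_pdf(data: bytes) -> dict:
    """Return format-compliance, content and metadata findings plus a sandbox-routing decision."""
    f = {}
    # 1. Does it comply with the file format? Header magic, EOF marker, balanced obj/endobj.
    f["valid_header"] = data.startswith(b"%PDF-")
    f["has_eof"] = b"%%EOF" in data
    f["balanced_objs"] = len(re.findall(rb"\d+ \d+ obj", data)) == data.count(b"endobj")
    # 2. What does it contain? Count occurrences of each suspicious name object.
    f["suspicious"] = {n.decode(): data.count(n) for n in SUSPICIOUS_NAMES if n in data}
    # 3. What produced it? Pull the /Producer string and compare against the allowlist.
    m = re.search(rb"/Producer\s*\((.*?)\)", data)
    f["producer"] = m.group(1).decode(errors="replace") if m else ""
    f["known_producer"] = any(p in f["producer"] for p in KNOWN_PRODUCERS)
    # 4. Simple additive score: active content weighs most; an unknown producer and
    #    structural damage add to it. Anything scoring 3 or more goes to the sandbox.
    score = 2 * sum(f["suspicious"].values())
    score += 0 if f["known_producer"] else 1
    score += 0 if f["valid_header"] and f["has_eof"] and f["balanced_objs"] else 3
    f["score"] = score
    f["route_to_sandbox"] = score >= 3
    return f


if __name__ == "__main__":
    print(triage_pdf(SAMPLE_PDF))
```

A real deployment would decompress `/FlateDecode` streams before scanning, since the name objects are often hidden inside them; this example only looks at the raw bytes.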
12. Binary File Format Exploitation - PDF
13. Binary File Format Exploitation - JAR
• Goal
– Log accesses made to JARs via A Client web proxies
– Isolate those of interest and analyze off-line to detect targeted attacks
• Approach
– Has it changed?
• Over time, if you generate hashes for the JARs accessed, you’ll be able to spot changes
– Is it signed?
• Is the archive signed by a trusted company?
– Does it comply with the file format?
• Does your AV/SPAM solution successfully parse it?
• Can you automate the opening of all JAR files in a sandbox to detect crashes and/or suspicious behavior using multiple JVMs?
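An added example (not from the deck) of the first three checks on a proxy-logged JAR: hash it, compare against the hash seen for the same URL last time, confirm it parses as an archive, and see whether it carries a signature block. The in-memory baseline dict, the sample archives and the URL are constructed assumptions; checking that a `.SF`/`.RSA` pair exists is not the same as verifying the signer, which needs `jarsigner` or a certificate-chain check.

```python
import hashlib
import io
import zipfile

# Persisted state in practice (keyed on the proxy-logged URL); a plain dict here.
BASELINE: dict = {}


def build_jar(entries: dict) -> bytes:
    """Construct an in-memory JAR (a ZIP archive) from {member name: bytes}; sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def inspect_jar(url: str, data: bytes, baseline: dict) -> dict:
    """Hash the JAR, check whether it parses, whether it is signed, and whether it changed."""
    result = {"url": url, "sha256": hashlib.sha256(data).hexdigest()}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            result["parses"] = zf.testzip() is None  # None means every member's CRC checked out
    except zipfile.BadZipFile:
        result.update(parses=False, signed=False, changed=None)
        return result
    # A signed JAR carries META-INF/<name>.SF plus a matching .RSA/.DSA/.EC signature block.
    # This only checks that the blocks exist; verifying the signer chain is a separate step.
    in_meta = [n for n in names if n.startswith("META-INF/")]
    has_sf = any(n.upper().endswith(".SF") for n in in_meta)
    has_block = any(n.upper().endswith((".RSA", ".DSA", ".EC")) for n in in_meta)
    result["signed"] = has_sf and has_block
    # Change detection: compare with the hash recorded the last time this URL was fetched.
    previous = baseline.get(url)
    result["changed"] = previous is not None and previous != result["sha256"]
    baseline[url] = result["sha256"]
    return result


# Constructed samples: an unsigned applet, then a modified and signed version at the same URL.
JAR_V1 = build_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                    "com/example/App.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x32"})
JAR_V2 = build_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                    "com/example/App.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x33",
                    "META-INF/APP.SF": b"Signature-Version: 1.0\n",
                    "META-INF/APP.RSA": b"<constructed signature block>"})

if __name__ == "__main__":
    for blob in (JAR_V1, JAR_V1, JAR_V2):
        print(inspect_jar("http://applets.example.test/app.jar", blob, BASELINE))
```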
14. The Generic E-Mail Attack
• Goal
– Detect the generic targeted e-mail attachment-borne attack.
• Lots of things to look at
– Is the source IP actually assigned to the company it’s claimed to be from?
– If you’ve received e-mail from that organization before, did the e-mail originate from the same source?
– Does the message header contain character set information which indicates it originated from a non-friendly or suspicious country?
– Have you seen e-mails from that person to that person before?
– Does the message content contain public information re-worked?
– Does the attachment contain public information re-worked?
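Three of the header checks listed above (source IP versus the claimed organization, sender/recipient pair seen before, declared character set) run over a constructed message, as an added example that is not part of the deck. The sample headers, the known-sender network ranges, the seen-pairs set and the charset list are all assumptions standing in for baselines that would be built from the organization's own mail logs.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not a real message): the claimed sender domain is one the
# organization has dealt with before, but the connecting IP and recipient pairing are new.
SAMPLE_MSG = """Received: from mail.partner.example (mail.partner.example [203.0.113.77])
    by mx.aclient.example with ESMTP id hypothetical01
From: "J. Smith" <j.smith@partner.example>
To: finance@aclient.example
Subject: Updated press release
Content-Type: text/plain; charset="gb2312"

Please see the attached press release.
"""

# Assumed baselines, in practice built from historical mail logs (constructed here).
KNOWN_SENDER_NETS = {"partner.example": [ipaddress.ip_network("198.51.100.0/24")]}
SEEN_PAIRS = {("j.smith@partner.example", "sales@aclient.example")}
# Charsets that never appear in this organization's normal correspondence (assumed list).
UNEXPECTED_CHARSETS = {"gb2312", "gbk", "koi8-r", "windows-1251"}


def triage_headers(raw: str) -> dict:
    """Apply the three header checks and count how many of them fire."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    domain = sender.rsplit("@", 1)[-1]
    f = {"sender": sender, "recipient": recipient}
    # 1. Is the connecting IP (first Received header) inside the claimed organization's ranges?
    m = re.search(r"\[(\d+\.\d+\.\d+\.\d+)\]", msg.get("Received", ""))
    ip = ipaddress.ip_address(m.group(1)) if m else None
    nets = KNOWN_SENDER_NETS.get(domain)
    f["sender_org_known"] = nets is not None
    f["ip_matches_sender_org"] = bool(ip and nets and any(ip in n for n in nets))
    # 2. Have we seen mail from this person to this person before?
    f["pair_seen_before"] = (sender, recipient) in SEEN_PAIRS
    # 3. Does the declared character set fall outside what we normally receive?
    f["unexpected_charset"] = (msg.get_content_charset() or "").lower() in UNEXPECTED_CHARSETS
    f["flags"] = sum([not f["ip_matches_sender_org"], not f["pair_seen_before"],
                      f["unexpected_charset"]])
    return f


if __name__ == "__main__":
    print(triage_headers(SAMPLE_MSG))
```

Only the first (outermost) `Received` header is trusted here, because it was written by your own MX; earlier hops in the chain are attacker-controlled text.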
15. Pro-Active Strategies for Attachments
• Goal
– How do we identify the next zero-day that would work against our organization?
• We utilize some of the pre-filtering already discussed
• Then we have a copy of our geographic or departmental standard builds inside a couple of virtualized environments*
• We then pass a selection of received e-mails/attacks through
• We also regularly visit a selection of web sites commonly visited by the entire organization or specific departments
• We also visit a sample of URLs sent into the organization (e-mail/IM etc.)
• All to monitor for any unexpected behavior
16. Other Things to Consider
• All of the strategies I’ve discussed exist because we know the modi operandi of certain classes of attacker
• However, there are a number of other approaches we can consider to spot attacker evolution
– Trending
• We’ve seen attackers go after images (JPG/PNG/TIFF), Office (DOC/XLS/PPT), web containers (JAR) and others (WMF, PDF, ZIP) for binary format exploitation
• It doesn’t take a rocket scientist to realize this isn’t going to stop while it’s so successful
• So what applications do you run which haven’t been targeted (either proprietary, niche or common)? Why not go after them aggressively, find the vulnerabilities, and develop mitigations and/or detections ahead of time?