Creating, Capturing, and Using your own threat intelligence with open source tools

1. Threat Intelligence
By Dave Herrald and
Ryan Kovar @Splunk

2. Disclaimer
2
During the course of this presentation, we may make forward looking statements
regarding future events or the expected performance of the company. I often lie. Maybe
this is a lie. Wik Alsø wik Alsø alsø wik Wi nøt trei a høliday in Sweden this yër? See the
løveli lakes The wøndërful telephøne system And mäni interesting furry animals The
characters and incidents portrayed and the names used in this Presentation are fictitious
and any similarity to the names, characters, or history of any person is entirely
accidental and unintentional. Signed RICHARD M. NIXON Including the majestik møøse
A Møøse once bit my Marcus... No realli! He was Karving his initials on the møøse with
the sharpened end of an interspace tøøthbrush given him by Svenge – his brother-in-law
– a Canadian dentist and star of many Norwegian møvies: "The Høt Hands of an
Canadian Dentist", "Fillings of Passion", "The Huge Mølars of Horst Nordfink"... In
addition, any information about our roadmap outlines our general product direction and
is subject to change at any time without notice. Splunk undertakës no øbligation either to
develøp the features or functionality described or to include any such feature or
functionality in a future release.

3. • 17 years of cyber security
experience
• Current role on Security
Practice team focuses on
incident/breach response,
threat intelligence, and
research
• Also investigating why
printers are so
insubordinate ಠ_ಠ
3
Staff Security Strategist
Minster of the OODAloopers
@meansec
# whoami > Ryan Kovar
CISSP,MSc(Dist)

4. -20+ years in IT and security
-Information security
officer, security architect,
pen tester, consultant, SE,
system/network engineer
-Former SANS Mentor
Senior Security Architect
Minister of Peace
@daveherrald
# whoami > Dave Herrald
CISSP, GIAC G*, GSE #79

6. Agenda
•Overview
•Why
•What
•How
•Done

7. Overview

9. Rick Holland Rebekah Brown
On the
shoulders of
SANS giants

10. http://files.sans.org/summit/Cyber_Threat_Intelligence_Summit_2016/PDFs/You-
Got-99-Problems-and-a-Budget-Is-One-Rebekah-Brown.pdf

11. http://files.sans.org/summit/Cyber_Threat_Intelligence_Summit_2016/PDFs/Threat-
Intelligence-Awakens-Rick-Holland.pdf

12. 12

13. 13
Tier 1

14. 14
Writing the
book[s]

15. Nothing. Just broken dreams
and tired analysts

16. Why?

17. Evangelize

18. He who is
without
knowledge of
tickets is lacking
cyber hygiene.
-Sun Cyber Tzu
Think

19. Buying Threat Intelligence is
awesome…

20. Local Threat
Intelligence Sources

21. Overview
CYBER
What and How?

23. We use Splunk
But you don’t have to!

24. Use Your
Security
Awareness
Data

25. Some security awareness data

26. Zoom plz!

28. Just Word launching cmd.exe

29. Suspicion++

30. Security Awareness
Training
• “Clicking on Phishing test”==“clicking on Spear
Phishing email”
• Make your users your canaries in the coal mine
• Education helps… make your own targeting list

31. Decoy
document
Decoy
Docs

33. https://mice.cs.columbia.edu/getTechreport.php?techreportID=596
Embedded callbacks

34. Set “Audit
Object
Access” to
Success AND
failure

35. This is cool…
But make sure you create
whitelists

36. Decoy Docs and you
• Make a file called passwords.docx. Put
usernames/passwords in file and leave it inVIP
directories.
• Put enhanced audit logging on that directory
• Insert Web Beacon into document… setup alerting
for its callback
• Disable (or restrict) honey-users. Setup alerts for
their usage.

37. CHANGES HIS
IPs AND
DOMAINs
Passive
DNS

38. Passive DNS
is hard
to
visualize
So here is a camouflaged
puppy instead

39. Passive DNS in Splunk

40. Passive DNS
• Record your DNS data
• Find out how adversaries have pivoted by looking at
your own data
• Hunt in your org using your own data

41. Google Fooey

42. Threat Intel Network Endpoints Identity & Context
42
So many vendors. So little time

44. SOC
GOOGLE

48. Google Fooey
and you
• Determine what your vendors your security depends
upon
• Craft Google alerts to notify you of vulnerabilities or
compromises
• Integrate alerts into your analytical toolkit for
automated thingies

49. Domain Squatting

51. DNS
Twist

52. dnstwist sans.org -w -g -b -s -m -c -t 100 -d english.dict

53. Samuel Johnson in the 21st century

55. DNS Twist and you
• Search backward.Then alert in the future
• Set a cronjob, run it daily, ingest it into your tool set
• Increase risk for important variables
• Registered domain
• MX records
• Newly registered domain

56. Done

57. CTI Victory Garden Showcase App

58. CTI Victory Garden Showcase App
Github
https://github.com/daveherrald/SA-TI_showcase
Splunkbase
https://splunkbase.splunk.com/app/3441/

60. He who is
without
knowledge of his
network is lacking
in cyber hygiene.
-Sun Cyber Tzu

61. And then they
bought MORE
threat
intelligence
feeds!!!

62. Takeaways
• Dig into your own data
• DNStwist your way to visibility
• Automate your GoogleFu
• Local PassiveDNS is good!!!
• Don’t let SAT go to waste
• Set decoys and then alert on them

63. Dave Herrald
dherrald@splunk.com
@daveherrald
Ryan Kovar
rkovar@splunk.com
@meansec
http://blogs.splunk.com/author/rkovar
Contact info