This document discusses strategies for incident response and gaining intelligence about adversaries. It emphasizes collecting diverse types of data from hash values to tactics, techniques, and procedures used. Combining different layers of information through data stacking and analytics can provide better accuracy and flexibility to understand attacks at varying levels of difficulty, from easy-to-change details to harder-to-modify tactics. The goal is to operationalize threat intelligence by hunting for known indicators but also finding unknown threats through anomaly detection and scalable analytics across all hosts.
Incident Response - Shift the Balance with Intel Gathering
1. Jim Wojno – Technical Account Manager
jim.wojno@tanium.com
Incident Response – No Pain No Gain
2. Balance of Power
Favors the attacker
• Pick time / place / method
• Patient and persistent
• Intel gathering – seeking weakness
• Only has to succeed once – defender has to succeed every time
4. Shift the Balance
Make the adversary’s job as hard as possible
• Awareness window reduction
• Security Basics / Hygiene
• patching / segmentation / bastion hosts / 2FA
• Intel gathering – all the cool kids are doing it…
• Most relevant threat intel comes from inside
• Verizon DBIR Report - ~3% overlap in threat feeds
6. Quickly:
• determine scope
• limit damage
• investigate and gather evidence
• remediate
• use lessons learned to spot future attacks
Crucial to understand the most important data to collect
Incident Response Done Right
7. Intel requires data but is the sum of many parts
Information and knowledge about an adversary obtained through observation, investigation, analysis, or understanding.
https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/csi-studies/studies/vol46no3/article02.html
Analysis is key – data without analysis is not intel
Analysis transforms disconnected data points into actionable intel
Data != Intel
9. Pyramid of Pain
David Bianco – Mandiant
• Model of Trivial to Tough
• Ascending in difficulty
• Begins with data – ends with intel
Source: http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
10. Hash Values
[Pyramid of Pain, bottom to top: Hash Values, IP Addresses, Domain Names, Network/Host Artifacts, Tools, TTP]
• High confidence, low false positive rate
• Trivial to change – fast burn rate (packers / custom shellcode)
• Hashing tools: md5sum/sha1sum/sha256sum; md5, shasum -a 1|256; PowerShell Get-FileHash; FCIV – File Checksum Integrity Verifier
• Lookup sources: VirusTotal, Cymru, VirusShare, ViCheck.ca, ThreatExpert, etc.
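The slide lists the hashing tools and the lookup services separately; in practice the two are combined into one pass that hashes a file once with every algorithm a feed might publish and compares the results against the indicator set. The Python below is an added example written for this page, not code from the deck or from Tanium; the indicator values are derived from a constructed byte string so the example runs offline and stands in for nothing real.

```python
import hashlib
import tempfile
from pathlib import Path

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_file(path, chunk_size=1 << 20):
    """Return {algo: hexdigest} for one file, reading it once and feeding all three
    hashers from the same chunks (what md5sum/sha1sum/sha256sum or Get-FileHash do,
    without re-reading the file per algorithm)."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_indicators(digests, indicators):
    """Compare a file's digests against an indicator set keyed by algorithm.
    Comparison is case-insensitive because feeds mix upper- and lower-case hex."""
    hits = []
    for algo, value in digests.items():
        if value.lower() in indicators.get(algo, set()):
            hits.append((algo, value))
    return hits


# Constructed sample: a byte string standing in for a known-bad binary. Its digests are
# computed here so the example is self-contained; they are NOT real indicators.
SAMPLE_BAD_CONTENT = b"constructed sample content standing in for a known-bad binary\n"
_sample_digests = {name: hashlib.new(name, SAMPLE_BAD_CONTENT).hexdigest() for name in ALGORITHMS}
INDICATORS = {
    "md5": {_sample_digests["md5"]},        # models a feed that only publishes MD5
    "sha256": {_sample_digests["sha256"]},  # models a feed that only publishes SHA-256
}


def scan_directory(directory, indicators=INDICATORS):
    """Hash every regular file under `directory`; return {path: hits} for files that
    matched at least one indicator."""
    results = {}
    for path in Path(directory).rglob("*"):
        if path.is_file():
            hits = match_indicators(hash_file(path), indicators)
            if hits:
                results[str(path)] = hits
    return results


def demo():
    """Write the constructed sample next to a benign file in a temp dir and scan it.
    Returns {file name: [algorithms that matched]} for flagged files."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "suspect.bin").write_bytes(SAMPLE_BAD_CONTENT)
        Path(tmp, "readme.txt").write_bytes(b"benign content\n")
        return {Path(p).name: sorted(a for a, _ in hits) for p, hits in scan_directory(tmp).items()}


if __name__ == "__main__":
    print(demo())
```

Because the hash changes with a single repacked byte, a miss here says nothing about the file; a hit is high confidence, which is exactly the trade-off the slide describes.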
11. IP Addresses
• Easy to change – VPN, Tor, I2P to obfuscate
• Fast burn rate – unless hardcoded into bot/tools
• Where to look: firewall / web server / IPS logs, DNS cache, Event Logs (RDP), AV/HIPS
• Lookup sources: Project HoneyPot, ThreatStop, IPVoid, Google, whois, TrustedSource, abuse.ch, etc.
12. Domain Names
• Easy to change – Domain Generation Algorithms (DGA), fast burn rate
• Where to look: browser history, firewall / IPS logs, DNS cache, DNS server logs, Event Logs, AV/HIPS
• Similar domains – misleading typos: totallylegit.com vs tota11ylegit.com
• OpenDNS – “Catching Malware En Masse” – DEF CON 22
• Lookup sources: MalwareDomainList, DGA List, Cymru, Malc0de, ZeusTracker, many, many more…
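The slide's two domain-layer problems, look-alike names such as tota11ylegit.com and algorithmically generated names, can both be screened for locally before any feed lookup. The following Python is an added example for this page (not the deck's or OpenDNS's code): it folds common look-alike characters, measures edit distance against a constructed list of the organisation's own domains, and applies a simple length/entropy/vowel heuristic for DGA-like labels. The trusted-domain list, the homoglyph table and the thresholds are assumptions chosen for the example.

```python
import math
from collections import Counter

# Constructed list of domains the organisation legitimately uses (assumption for the example).
TRUSTED_DOMAINS = ["totallylegit.com", "example.com"]

# Characters that are swapped for look-alikes; "1" for "l" is the slide's own example.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e", "7": "t", "|": "l"})


def normalize(label):
    return label.lower().translate(HOMOGLYPHS)


def levenshtein(a, b):
    """Plain edit distance; catches one-character typos the homoglyph fold misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(fqdn):
    """Crude 'last two labels' rule; production code would consult the Public Suffix List."""
    parts = fqdn.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def lookalike_of(fqdn, trusted=TRUSTED_DOMAINS, max_distance=1):
    """Return the trusted domain this name imitates, or None. Exact matches are not look-alikes."""
    candidate = registered_domain(fqdn)
    if candidate in trusted:
        return None
    norm = normalize(candidate)
    for legit in trusted:
        if norm == normalize(legit) or levenshtein(norm, normalize(legit)) <= max_distance:
            return legit
    return None


def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(fqdn, min_len=12, min_entropy=3.5, max_vowel_ratio=0.25):
    """Heuristic DGA check on the second-level label: long, high-entropy and vowel-poor.
    Thresholds are assumptions; tune them against your own DNS logs."""
    label = registered_domain(fqdn).split(".")[0]
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def triage(domains):
    """Label each domain that trips a check; clean domains are omitted from the result."""
    findings = {}
    for d in domains:
        target = lookalike_of(d)
        if target:
            findings[d] = f"lookalike of {target}"
        elif looks_generated(d):
            findings[d] = "possible DGA"
    return findings


if __name__ == "__main__":
    # Constructed sample of names as they might appear in DNS cache or proxy logs.
    print(triage(["tota11ylegit.com", "www.totallylegit.com", "xkqzvbtwpryhd.net", "mail.example.com"]))
```

The entropy heuristic is deliberately coarse: CDN and tracking hostnames also score high, so its output is a candidate list for the lookup sources on the slide, not a verdict.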
13. Network / Host Artifacts
• Harder to change – higher potential for false positives
• Artifacts: mutex, strings in memory, user agent strings, Registry / persistence / scheduled tasks, files, directories, protocol anomalies (e.g. non-HTTP on port 80), beaconing activity, unsigned services, listeners with active connections
• Methods: stacking / frequency analysis, autoruns / scheduled task review, volatile artifact analysis, NGFW / AV/HIPS / IPS logs
• Lookup sources: VirusTotal, Cymru, user-agents.org, IOCs
14. Tools
• Attackers are humans; humans are lazy; attackers are lazy
• C2, tool / infrastructure reuse very common – if it continues to work, why change it?
• Distinctive beaconing / protocol / port
• Common persistence mechanism
• Examples: webshell, mimikatz, PuTTY/plink, WinRAR, netcat
15. TTPs
• Very hard to change – if it continues to work, why change it?
• Attack patterns, tool versions
• Mission – goal of intrusion
• Window size / parameters
• Commands / typos entered
• Language / localization variables
• Data exfiltration technique
• Lateral movement / scanning technique
• This is the ultimate goal, but few organizations have this level of maturity
• 3rd party / Commercial Threat Intel
21. Hunting Methods: Data Stacking & Analytics
• Retrieve select set of artifacts from all hosts
• Perform sub-search or frequency-of-occurrence analysis
• Find anomalies and unknown bad
• Key challenges: speed of data acquisition, scalability, ease of search
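Slide 13 names stacking / frequency analysis as the method for the artifact layer, and slide 21 describes the procedure: pull one artifact type from every host, count how often each value occurs, and look at the rare ones. The Python below is an added example for this page, not the deck's or Tanium's code. It builds a constructed autorun inventory for a 200-host fleet, stacks entries by (path, hash) counting distinct hosts, and then enriches the rare items with a sub-search on the path alone so that a binary masquerading under a well-known name stands out from a merely unfamiliar one. Host names, paths, hashes and the 2% rarity threshold are all made up for the example.

```python
from collections import defaultdict


def build_inventory(fleet_size=200):
    """Constructed sample: one row per persistence entry per host, as an autoruns-style
    collection across the fleet would return. Two hosts carry a file at the svchost path
    with a different hash, and one host has an extra unfamiliar entry."""
    rows = []
    for i in range(1, fleet_size + 1):
        host = f"ws{i:03d}"
        svchost_hash, svchost_signed = "aaa111", True
        if host in ("ws017", "ws142"):  # masquerade: same path, different hash, unsigned
            svchost_hash, svchost_signed = "ccc333", False
        rows.append({"host": host, "path": r"C:\Windows\System32\svchost.exe",
                     "sha256": svchost_hash, "signed": svchost_signed})
        rows.append({"host": host, "path": r"C:\Program Files\Vendor\agent.exe",
                     "sha256": "bbb222", "signed": True})
    rows.append({"host": "ws088", "path": r"C:\Users\Public\update.exe",
                 "sha256": "ddd444", "signed": False})
    return rows


def by_path_and_hash(row):
    return (row["path"], row["sha256"])


def stack(rows, key=by_path_and_hash):
    """Group rows by `key` and count the DISTINCT hosts each value appears on.
    Counting hosts rather than rows keeps a noisy host from inflating a value."""
    hosts_by_key = defaultdict(set)
    for r in rows:
        hosts_by_key[key(r)].add(r["host"])
    return {k: len(h) for k, h in hosts_by_key.items()}


def rare_items(rows, fleet_size, max_fraction=0.02, key=by_path_and_hash):
    """Values present on at most `max_fraction` of the fleet, rarest first."""
    counts = stack(rows, key)
    limit = max(1, int(fleet_size * max_fraction))
    return sorted(((k, n) for k, n in counts.items() if n <= limit), key=lambda kn: kn[1])


def hunt(rows, fleet_size):
    """Stack, then enrich each rare (path, hash) with a sub-search on the path alone:
    if the same path is common fleet-wide but this hash is rare, the file is likely
    masquerading as a known binary."""
    path_counts = stack(rows, key=lambda r: r["path"])
    signed = {r["sha256"]: r["signed"] for r in rows}
    findings = []
    for (path, sha256), n in rare_items(rows, fleet_size):
        findings.append({
            "path": path,
            "sha256": sha256,
            "hosts": n,
            "path_seen_on_hosts": path_counts[path],
            "signed": signed[sha256],
            "masquerade": path_counts[path] > n,
        })
    return findings


if __name__ == "__main__":
    for finding in hunt(build_inventory(), fleet_size=200):
        print(finding)
```

Nothing in this hunt needs a prior indicator: the rare svchost hash is found purely because 198 hosts disagree with two. That is the "unknown bad" the slide refers to, and the speed and scalability challenges it lists are about collecting the rows, not the arithmetic, which is trivial once the data is in one place.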
22. Jim Wojno – Technical Account Manager
jim.wojno@tanium.com
Editor's Notes
Most of the native data retrieved from systems needs to be combined or aggregated with other data sets to see patterns of malicious behavior
Low frequency of occurrence events that require data enrichment