Threat Intelligence is by far one of the most overused buzzwords in the security industry, and many professionals have mixed feelings about Threat Intelligence feeds. This discussion covers how LogRhythm’s internal security team uses Threat Intelligence to streamline Security Operations processes and improve an organization’s defenses. We will show how you can generate your own Threat Intelligence and create information-sharing loops within like industries to fully realize a team’s defensive capabilities. Beyond the technical aspects of building out a good Threat Intel program, we will discuss how to manage it from a leadership perspective and get buy-in from the top. Most importantly, once these systems are in place, we will show how to demonstrate value to leadership using key performance indicators and leverage those to improve the overall security program.
5. Company Confidential
Raw Data Types
• Documents (e.g., FBI flash reports)
• Blogs, emails
• RSS feeds
• CSV and text files
• STIX
• Open IOC
• Malware samples
• Packet capture
• Forensic artifacts (files, email)
Actionable data types
• Intel Reports
• Indicators of Compromise
Your Own Data
• User Behaviors
• Endpoint Behaviors
• Network Behaviors
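The slide's loop from raw data (a STIX feed) through actionable indicators to your own data (proxy, DNS and endpoint logs) can be shown end to end. The following is an added example, not code from the deck or from LogRhythm: it parses a constructed STIX 2.1 bundle, drops indicators that are revoked or past their `valid_until`, and matches the surviving equality comparisons against constructed log lines with token boundaries so that `198.51.100.23` does not fire on `198.51.100.230`. All ids, names, addresses and the hash are made up.

```python
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.1 bundle standing in for a partner feed; every id, name and
# value is made up (RFC 5737 addresses, a .test domain, an all-zero dummy hash).
DUMMY_SHA256 = "0" * 64
BUNDLE_JSON = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--aaaaaaaa-1111-4111-8111-111111111111",
         "name": "C2 address (constructed)", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.23']",
         "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--bbbbbbbb-1111-4111-8111-111111111111",
         "name": "Short-lived staging domain (constructed)", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'evil-cdn.test']",
         "valid_from": "2024-01-01T00:00:00Z", "valid_until": "2024-02-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--cccccccc-1111-4111-8111-111111111111",
         "name": "Dropper hash, later withdrawn (constructed)", "pattern_type": "stix",
         "pattern": f"[file:hashes.'SHA-256' = '{DUMMY_SHA256}']",
         "valid_from": "2024-01-01T00:00:00Z", "revoked": True},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--dddddddd-1111-4111-8111-111111111111",
         "name": "Download URL (constructed)", "pattern_type": "stix",
         "pattern": "[url:value = 'http://203.0.113.9/update.php']",
         "valid_from": "2024-01-01T00:00:00Z"},
    ],
})

# Constructed log lines in the shape of proxy, DNS and EDR events ("your own data").
SAMPLE_LOGS = [
    "2024-03-02T10:11:12Z proxy src=10.0.0.5 dst=198.51.100.23 dport=443 action=allow",
    "2024-03-02T10:11:13Z dns client=10.0.0.7 query=evil-cdn.test rcode=NOERROR",
    f"2024-03-02T10:11:14Z edr host=WS-22 image=update.exe sha256={DUMMY_SHA256}",
    "2024-03-02T10:11:15Z proxy src=10.0.0.5 url=http://203.0.113.9/update.php action=allow",
    "2024-03-02T10:11:16Z proxy src=10.0.0.6 dst=198.51.100.230 dport=443 action=allow",
]

# The point in time the feed is evaluated at; fixed so the example is reproducible.
NOW = datetime(2024, 3, 2, tzinfo=timezone.utc)

# One STIX equality comparison: <object-path> = '<value>'. Only '=' is extracted;
# '!=', LIKE/MATCHES and AND/OR structure are not evaluated (see note below).
COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'")


def parse_stix_time(value):
    """STIX timestamps are RFC 3339 UTC with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_iocs(bundle_json, now):
    """Flatten usable indicators into {(object_path, value): indicator_id}.

    Revoked indicators and ones whose valid_until has passed are skipped so stale
    IOCs do not keep generating alerts.
    """
    iocs = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue
        until = obj.get("valid_until")
        if until and parse_stix_time(until) <= now:
            continue
        for path, value in COMPARISON.findall(obj["pattern"]):
            iocs[(path, value)] = obj["id"]
    return iocs


def match_logs(iocs, lines):
    """Return (line_no, object_path, value, indicator_id) for every IOC seen in a line.

    Lookarounds forbid a word character or '.' on either side of the value, so an
    address or hash only matches as a whole token, not as a prefix of a longer one.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        for (path, value), indicator_id in iocs.items():
            if re.search(r"(?<![\w.])" + re.escape(value) + r"(?![\w.])", line):
                hits.append((n, path, value, indicator_id))
    return hits


def run_example():
    return match_logs(load_iocs(BUNDLE_JSON, NOW), SAMPLE_LOGS)


if __name__ == "__main__":
    for n, path, value, indicator_id in run_example():
        print(f"line {n}: {path}={value} ({indicator_id})")
```

Only the C2 address and the download URL are still live, so only log lines 1 and 4 fire; the expired domain, the revoked hash and the near-miss address on line 5 are silent. A pattern with several comparisons is flattened here into independent IOCs (effectively OR semantics); a feed whose patterns rely on AND or on `!=` needs a real STIX pattern evaluator rather than this regex.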
OSINT
• Offensive and Defensive
  • Manual – In-depth analysis of the target entity or individual(s)
  • Automated – High-level analysis of metadata
• Operationalize, Integrate, and Automate OSINT analysis FTW
  • Define goals – what to analyze, why, how, outputs, etc.
  • Indicators of Compromise
  • Data to feed back into defensive tools
  • Research
  • Attribution
    • Actors, victims, servers, locations, samples, etc.
OSINT OPSEC (Automated – Corporate)
• Register a Linux Amazon EC2 box (free tier) with no elastic IP
• Purchase a Dyn DNS account – for dynamic DNS registration
• Establish a PPTP VPN tunnel to the EC2 system(s)
• Perform investigative analysis from these cloud-hosted systems and / or local boxes with proper precautions in place
• Proxy traffic through and use SSH port forwarding to access services
• Following the completion of the analysis, reboot the system.
  • By default, AWS will assign a new IP unless you use an elastic IP
• Reconfigure the tunnels and DNS as necessary (automate this)
A Few OSINT Tools
• Maltego
  • Transforms!
• PassiveTotal
  • Threat Intel and Maltego API!
• DomainTools IRIS
  • Whois history, pivot off of data points (email, address, phone, etc.)
• Shodan
  • The network search engine – everything from open VNC services to C2’s
• Facebook / LinkedIn / Spokeo / Pipl / etc.
  • Create fake accounts and use API integrations to automate searches
What if attribution was real’ized?
• Who did it? – APT, China
• Why did they do it? – China 5yr plan, don’t know
• What were they after? – Research data, intellectual property, I don’t know
• Could we have prevented it? – No, not without more budget

“China stole it, specifically an APT group out of A province. The data was then transferred to person B, located in province C. Then person B sent it to person D in Russia. Once in Russia, the stolen data ended up on person E’s table.”
Document Bugging – How To
• WebBug Background Information: http://ha.ckers.org/webbug.html
• WebBug Server: https://bitbucket.org/ethanr/webbugserver
• Bugged Files – Is Your Document Telling on You? Daniel Crowley and Damon Smith (Chaos Communication Camp 2015), https://www.youtube.com/watch?v=j5cjFul4ZIc
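The defensive use of a web bug is a canary: a sensitive document carries a remote image reference whose URL is unique to the copy handed to each recipient, and a hit on the server tells you that copy was opened, from where, and with what viewer. The following is an added example and is not the WebBug server linked above nor any LogRhythm code; it assumes a hypothetical tracking host `beacon.example.test` serving `/b/<token>.gif` and logging in Apache combined format, and it derives each token with an HMAC so a recipient cannot guess another recipient's token. The log lines are constructed.

```python
import hashlib
import hmac
import re

# Assumptions for this example: a tracking server at BEACON_BASE answers
# GET /b/<token>.gif (hypothetical path) and writes Apache "combined" access logs.
BEACON_BASE = "https://beacon.example.test"
SECRET = b"constructed-demo-secret-rotate-me"  # in practice, from a secrets store


def issue_beacon(registry, doc_id, recipient, secret=SECRET):
    """Register a per-document, per-recipient beacon and return the URL to embed.

    The token is a truncated HMAC of (doc_id, recipient), so tokens are unguessable
    without the secret and the registry can map a hit back to one recipient.
    """
    token = hmac.new(secret, f"{doc_id}|{recipient}".encode(), hashlib.sha256).hexdigest()[:24]
    registry[token] = {"doc_id": doc_id, "recipient": recipient}
    return f"{BEACON_BASE}/b/{token}.gif"


# Apache combined log line for a beacon fetch; anything else is ignored.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /b/(?P<token>[0-9a-f]+)\.gif HTTP/1\.[01]" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def beacon_hits(registry, log_lines):
    """Map access-log lines to the documents and recipients they belong to.

    Unknown tokens are dropped rather than alerted on: scanners and guesses should
    not be able to generate 'document opened' events.
    """
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m or m["token"] not in registry:
            continue
        meta = registry[m["token"]]
        hits.append({**meta, "ip": m["ip"], "time": m["ts"], "user_agent": m["ua"]})
    return hits


def run_example():
    registry = {}
    url_a = issue_beacon(registry, "Q3-roadmap.docx", "partner-x")
    url_b = issue_beacon(registry, "Q3-roadmap.docx", "partner-y")
    tok_a = url_a.rsplit("/", 1)[1].removesuffix(".gif")
    tok_b = url_b.rsplit("/", 1)[1].removesuffix(".gif")
    # Constructed access-log lines: two genuine opens from an outside address, one
    # probe with a made-up token, and one unrelated request.
    logs = [
        f'203.0.113.44 - - [02/Mar/2024:10:11:12 +0000] "GET /b/{tok_a}.gif HTTP/1.1" 200 43 "-" "Microsoft Office Word"',
        '198.51.100.7 - - [02/Mar/2024:10:12:00 +0000] "GET /b/deadbeef.gif HTTP/1.1" 404 0 "-" "curl/8.0"',
        '198.51.100.7 - - [02/Mar/2024:10:12:01 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "curl/8.0"',
        f'203.0.113.44 - - [02/Mar/2024:10:13:00 +0000] "GET /b/{tok_b}.gif HTTP/1.1" 200 43 "-" "Microsoft Office Word"',
    ]
    return beacon_hits(registry, logs)


if __name__ == "__main__":
    for hit in run_example():
        print(f"{hit['doc_id']} given to {hit['recipient']} opened from {hit['ip']} ({hit['user_agent']})")
```

Two hits come back, one per recipient copy, each carrying the opener's address and viewer string; the probe with an unissued token is discarded. The obvious caveat for a detection built on this: many viewers block remote content by default, so the absence of a hit says nothing about whether a document has been opened, and a hit from an unexpected network is the signal to act on.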