2. The issue with targeted attacks
Highly targeted: 10 or less recipients; specific forum users; …
Many components and events: Regin: 75 modules; Duqu: 100+ modules; …
“Grey” tools: Powershell, psExec; suspicious logins; …
Evolve/change over time: right tools for the job; learn and adapt; …
I like birthdays, but I think too many can kill you.
3. But attackers do leave traces
Network / Server or entry point / Endpoint
Just because I don't care doesn't mean I don't understand.
4. Connecting the dots…
From a single IOC…
Output:
• Indicators (IOC): filenames, registry keys, C&C servers, emails, etc.
• Industry verticals: healthcare, manufacturing, finance, …
• Relationships: Sofacy, Elderwood, HiddenLynx, …
Many tools and IOC feeds, groups, etc. available
Brains are wonderful, I wish everyone had one.
5. …and then the guessing game begins…
If a turtle doesn't have a shell, is he homeless or naked?
7. Example: HackingTeam hack
“I didn't want to make the police's work any easier by relating my hack of Hacking Team with other hacks I've done or with names I use in my day-to-day work as a blackhat hacker. So, I used new servers and domain names, registered with new emails, and paid for with new bitcoin addresses. Also, I only used tools that are publicly available, or things that I wrote specifically for this attack, and I changed my way of doing some things to not leave my usual forensic footprint.”
I always learn from mistakes of others who take my advice.
9. Threat intelligence sources
              Free             Community                  Commercial          Internal
Costs:        Free             Free/$                     $$/$$$              Free/$
Typology:     Generic          Generic/Specific           Generic/Specific    Very specific
Based on:     Public systems   Public, mailing lists,     Products, research  Internal logs
                               private researchers
Different formats & tools out there: openIOC, STIX/TAXII, OSTrICa, MISP, YARA, …
I'm on a whiskey diet. I've lost three days already.
10. Threat hunting with IOCs
Most commonly shared indicators:
• IP addresses / domain names
• File hashes / file names
• Still some hits on reused infrastructure. Do they care?
• Each hash is on average in <3 companies
• Bad with scripts and dual-use tools
• Where is the line between APT & common malware?
I’m not arguing, I’m simply explaining why I’m right.
11. Now you see me - now you don’t
• Are you hunting IOCs in real time or on snapshots?
• Many APT groups clean up after the attack
• Wipe files, admin account is enough for later
• Delete emails, browser history,... to hide incursion vector
• Do nation-state APTs really care if they get traced back?
• At the latest since Snowden, everyone knows that everyone spies
• Unlikely that they get arrested in their own country
• Taunt opponent - show force
Stress is when you wake up screaming and you realize you haven't fallen asleep yet.
12. Trust issues?
• Early sharing is often done only in private groups
• If the group is too small you might not see much, but it can be high quality
• If the group is too large you might not trust everyone
• Do you trust the Uber-NG-ATP-vendor XY?
• Do you double check any IP address before blacklisting?
• What is the motivation for sharing?
IoCs are good if you need context or when fighting common malware
hmm... I didn’t tell you... Then it must be none of your business...
13. Improved IoCs
• Following threat families instead of variants
• Better, but they might use common tools like PoisonIvy, Meterpreter,…
• Follow TTPs and behavior patterns
• Better, but different companies might require different TTPs
• Apply them to your company, as the attackers would do too
Go higher in the pyramid of pain, track exploits,…
… but that’s what your security software should do too
Always remember you're unique, just like everyone else.
14. Integrate the IoC consumption
• Use context for IOCs, patterns of behavior where available
• If possible correlate it with in house information
• Check which IoCs you can actually ingest internally
• It is still better to prevent the incursion, instead of hunting it later
Rate the effectiveness of different types for you (and drop bad ones)
• Why spend resources on external IOC feeds, when not even the internal basics are monitored properly yet?
A day without sunshine is like, night.
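The ingestion loop sketched on slides 9, 10, 12 and 14 (feed formats such as STIX, the indicator types that are actually shared, double-checking an IP address before blacklisting, checking which IoCs you can ingest at all and rating which types produce hits), as an added example that is not part of the deck or of any tool it names. It parses a constructed feed written in a small subset of STIX 2.1 pattern syntax, normalizes defanged values, matches them against constructed telemetry, flags hits on shared infrastructure for human review and counts hits per indicator type alongside the comparisons it could not ingest. The feed values, the event records, the FIELD_MAP and the SHARED_INFRA review list are all assumptions made for this example.

```python
"""Added example (not from the deck): ingest a small indicator feed written
in a subset of STIX 2.1 pattern syntax, normalize the values, match them
against constructed telemetry, and report which indicator types hit and
which could not be ingested at all. Feed, events, field mapping and review
list are all constructed for this example."""
import re
from collections import Counter

# (STIX object type, property path) -> field name in our event records.
# Only these pairs can be ingested; any other comparison is counted as
# "not_ingestible" so the gap is visible instead of silently dropped.
FIELD_MAP = {
    ("ipv4-addr", "value"): "dst_ip",
    ("domain-name", "value"): "domain",
    ("file", "hashes.SHA-256"): "sha256",
    ("file", "name"): "filename",
}

# Supported subset of the STIX 2.1 pattern grammar: comparisons of the form
# [type:path = 'value'], optionally joined by OR. Anything else is rejected.
_COMPARISON = re.compile(
    r"\[\s*([a-z0-9-]+):([A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'\s*\]"
)


def normalize(value):
    """Fold case and undo common defanging so feed and log values compare."""
    v = value.strip().lower()
    return v.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def parse_pattern(pattern):
    """Return [(object_type, property_path, normalized_value), ...]."""
    parsed = []
    for part in re.split(r"\s+OR\s+", pattern.strip()):
        m = _COMPARISON.fullmatch(part.strip())
        if m is None:
            raise ValueError(f"unsupported pattern fragment: {part!r}")
        obj_type, path, value = m.groups()
        parsed.append((obj_type, path.replace("'", ""), normalize(value)))
    return parsed


def hunt(indicators, events, review_list=()):
    """Match every ingestible comparison against every event.

    Returns (hits, stats): each hit carries the indicator's context so an
    analyst sees why the value is bad, and flags values on review_list
    (shared infrastructure) that must be double checked before blocking;
    stats counts hits per indicator type plus comparisons we could not ingest.
    """
    review = {normalize(v) for v in review_list}
    hits, stats = [], Counter()
    for ind in indicators:
        for obj_type, path, value in parse_pattern(ind["pattern"]):
            field = FIELD_MAP.get((obj_type, path))
            if field is None:
                stats["not_ingestible"] += 1
                continue
            for ev in events:
                if normalize(str(ev.get(field, ""))) == value:
                    stats[f"{obj_type}:{path}"] += 1
                    hits.append({
                        "indicator": ind["id"],
                        "context": ind.get("context", ""),
                        "host": ev["host"],
                        "field": field,
                        "value": value,
                        "needs_review": value in review,
                    })
    return hits, stats


# Constructed sample data (documentation address ranges, made-up hash).
CONSTRUCTED_HASH = "c0ffee" * 10 + "0000"
FEED = [
    {"id": "ind-1", "pattern": "[ipv4-addr:value = '203.0.113.7']",
     "context": "C2 of family X (constructed)"},
    {"id": "ind-2", "pattern": "[domain-name:value = 'update[.]example[.]net']",
     "context": "staging domain, defanged in the feed (constructed)"},
    {"id": "ind-3", "pattern": f"[file:hashes.'SHA-256' = '{CONSTRUCTED_HASH}']",
     "context": "2nd-stage dropper (constructed)"},
    {"id": "ind-4", "pattern": "[ipv4-addr:value = '198.51.100.1']",
     "context": "shared hoster also used by campaign Y (constructed)"},
    {"id": "ind-5", "pattern": r"[windows-registry-key:key = 'HKLM\SOFTWARE\Constructed\Run']",
     "context": "persistence key (constructed); we have no registry telemetry"},
]
SHARED_INFRA = ["198.51.100.1"]  # constructed: a hoster, not attacker-owned
EVENTS = [  # constructed network/process telemetry, one record per event
    {"host": "ws-017", "dst_ip": "203.0.113.7", "domain": "", "sha256": "", "filename": ""},
    {"host": "ws-017", "dst_ip": "", "domain": "Update.Example.NET", "sha256": "", "filename": ""},
    {"host": "srv-db-02", "dst_ip": "198.51.100.1", "domain": "", "sha256": "", "filename": ""},
    {"host": "ws-042", "dst_ip": "", "domain": "", "sha256": CONSTRUCTED_HASH.upper(), "filename": "invoice.pdf.exe"},
    {"host": "ws-042", "dst_ip": "192.0.2.10", "domain": "intranet.example", "sha256": "", "filename": "outlook.exe"},
]

if __name__ == "__main__":
    found, counts = hunt(FEED, EVENTS, review_list=SHARED_INFRA)
    for h in found:
        flag = " (double-check: shared infrastructure)" if h["needs_review"] else ""
        print(f"{h['host']}: {h['field']}={h['value']} matches {h['indicator']} - {h['context']}{flag}")
    print(dict(counts))
```

The stats counter is the part worth keeping over time: if a feed's hashes never hit but its domains do, that is the per-type effectiveness rating slide 14 asks for, and a growing not_ingestible count shows where your own telemetry, not the feed, is the gap.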
15.
Of course I don't look busy... I did it right the first time.
16. Oversharing? How much is too much?
• The bad guys can learn how much you know
• Learn how they can improve their attacks
• Example: Zeroaccess P2P botnet, started to sign their commands
• Most APT crews are not dumb, they could adapt if they want to
• Some indicators might contain sensitive information
• Internal IP addresses
• Stolen passwords hardcoded in 2nd-wave malware
• Spear phishing emails, e.g. myYellowCompany.exe
Happiness does not buy you money.
17.
I need a six month vacation, twice a year.
18. Debug Strings – Fake or Real?
Turla/Waterbug
Stuxnet
Strider
«CloudAtlas» is clearly messing with us:
• Arabic strings in the BlackBerry version
• Hindi characters in the Android version
• “God_Save_The_Queen” in the BlackBerry version
• “JohnClerk” in the iOS version
Thx BlueCoat/Kaspersky
If brute force doesn’t solve your problems, then you aren’t using enough.
19. Commands from Taidoor
[Ping]
[Set sleep interval to 1 second]
cmd /c net start
cmd /c dir c:docume~1
cmd /c dir "c:docume~1<CurrentUser>recent" /od
cmd /c dir c:progra~1
cmd /c dir "c:docume~1<CurrentUser>desktop" /od
cmd /c netstat -n
cmd /c net use
Commands from Sykipot
ipconfig /all
netstat -ano
net start
net group "domain admins" /domain
tasklist /v
dir c:*.url /s
dir c:*.pdf /s
dir c:*.doc /s
net localgroup administrators
type c:boot.ini
systeminfo
Commands from HoneyPot sessions
An error? Impossible! My modem is error correcting.
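Slide 13 argues for following TTPs and behaviour patterns rather than hashes, and the Taidoor and Sykipot command lists above are exactly such a pattern: a burst of different host and domain discovery commands from one user on one machine. The script below is an added example, not part of the deck or of any tool it names, that turns those lists into a behaviour-based detection over constructed process-creation telemetry. It groups command lines into discovery categories and alerts when one host/user covers several distinct categories inside a short window, with the window, the threshold and an exempt-host list as tuning knobs. The category regexes, the thresholds and the sample events are assumptions made for this example; the command strings they match come from the slide.

```python
"""Added example (not from the deck): detect reconnaissance bursts from
process-creation telemetry instead of matching command strings one by one.
Categories, thresholds, window and the sample events are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery categories. The example commands come from the slide; the
# grouping into categories is an assumption made for this example.
CATEGORIES = {
    "service_enum": re.compile(r"\bnet\s+start\b", re.I),
    "share_enum": re.compile(r"\bnet\s+use\b", re.I),
    "priv_group_enum": re.compile(r"\bnet\s+(local)?group\b", re.I),
    "net_config": re.compile(r"\b(ipconfig|netstat)\b", re.I),
    "process_enum": re.compile(r"\btasklist\b", re.I),
    "system_info": re.compile(r"\bsysteminfo\b|\btype\b.*boot\.ini", re.I),
    "document_search": re.compile(
        r"\bdir\b.*(\*\.(doc|pdf|url)|docume~1|desktop|recent)", re.I),
}


def classify(cmdline):
    """Return the set of discovery categories a command line belongs to."""
    return {name for name, rx in CATEGORIES.items() if rx.search(cmdline)}


def find_discovery_bursts(events, window=timedelta(minutes=10),
                          min_categories=4, exempt_hosts=()):
    """One alert per (host, user) whose discovery commands cover at least
    min_categories distinct categories within any window-sized span.

    A lone `ipconfig /all` from a helpdesk jump host is normal; six different
    discovery categories in ten minutes on a workstation is not. window,
    min_categories and exempt_hosts are the knobs you tune per environment,
    which is the deck's point that TTPs must be applied to your own company.
    """
    by_actor = defaultdict(list)
    for ev in events:
        cats = classify(ev["cmdline"])
        if cats and ev["host"] not in exempt_hosts:
            ts = datetime.fromisoformat(ev["ts"])
            by_actor[(ev["host"], ev["user"])].append((ts, cats, ev["cmdline"]))
    alerts = []
    for (host, user), rows in by_actor.items():
        rows.sort(key=lambda r: r[0])
        for i, (t0, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - t0 <= window]
            cats = set().union(*(r[1] for r in in_window))
            if len(cats) >= min_categories:
                alerts.append({
                    "host": host, "user": user, "start": t0.isoformat(),
                    "categories": sorted(cats),
                    "commands": [r[2] for r in in_window],
                })
                break  # first qualifying window is enough for one alert
    return alerts


# Constructed process-creation telemetry (ts, host, user, cmdline).
EVENTS = [
    {"ts": "2024-01-15T09:00:00", "host": "ws-017", "user": "jdoe", "cmdline": "cmd /c net start"},
    {"ts": "2024-01-15T09:01:10", "host": "ws-017", "user": "jdoe", "cmdline": "cmd /c netstat -n"},
    {"ts": "2024-01-15T09:02:30", "host": "ws-017", "user": "jdoe", "cmdline": 'net group "domain admins" /domain'},
    {"ts": "2024-01-15T09:03:05", "host": "ws-017", "user": "jdoe", "cmdline": "tasklist /v"},
    {"ts": "2024-01-15T09:05:40", "host": "ws-017", "user": "jdoe", "cmdline": "dir c:\\*.doc /s"},
    {"ts": "2024-01-15T09:06:00", "host": "ws-017", "user": "jdoe", "cmdline": "systeminfo"},
    {"ts": "2024-01-15T09:07:00", "host": "ws-017", "user": "jdoe", "cmdline": "notepad.exe report.docx"},
    {"ts": "2024-01-15T10:00:00", "host": "srv-jump-01", "user": "admin", "cmdline": "ipconfig /all"},
    {"ts": "2024-01-15T10:01:00", "host": "srv-jump-01", "user": "admin", "cmdline": "net use"},
    {"ts": "2024-01-15T11:00:00", "host": "ws-042", "user": "asmith", "cmdline": "ipconfig /all"},
    {"ts": "2024-01-15T14:00:00", "host": "ws-042", "user": "asmith", "cmdline": "cmd /c net start"},
]

if __name__ == "__main__":
    for a in find_discovery_bursts(EVENTS):
        print(f"{a['host']}/{a['user']} at {a['start']}: {', '.join(a['categories'])}")
        for c in a["commands"]:
            print("   ", c)
```

With the defaults only ws-017 alerts; the jump host's two commands and the workstation whose commands are hours apart do not, which is the difference between a behaviour pattern and a blacklist of strings any admin also types.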
20. Following the red herring
• Sometimes you have multiple infections on same machine
• Which IOC came from which actor?
• “Everyone” uses common tools: Mimikatz, psExec,…
• Attackers can easily plant some files from other APT groups
• Example: Equation group/shadow brokers
• Do you trust the compilation times, timestamps, language settings?
• Most companies do not really care who it was
• They just want to prevent it from happening again
• Or do you plan to hack back or sue them?
Sometimes you succeed and other times you learn.