@valenberg.deviantart.com
The issue with targeted attacks
• Highly targeted: 10 or fewer recipients, specific forum users, …
• Many components: Regin: 75 modules, Duqu: 100+ modules, …
• “Grey” tools and events: PowerShell, psExec, suspicious logins, …
• Evolve/change over time: right tools for the job, learn and adapt, …
I like birthdays, but I think too many can kill you.
But attackers do leave traces
• On the network
• On the server or entry point
• On the endpoint
Just because I don't care doesn't mean I don't understand.
Connecting the dots…
From a single IOC…
Output:
• Indicators (IOC): filenames, registry keys, C&C servers, emails, etc.
• Industry verticals: healthcare, manufacturing, finance, …
• Relationships: Sofacy, Elderwood, HiddenLynx, …
Many tools and IOC feeds, groups, etc. available
Brains are wonderful, I wish everyone had one.
…and then the guessing game begins…
If a turtle doesn't have a shell, is he homeless or naked?
@attributionDice
My mind’s made up, don’t confuse me with facts.
Example: HackingTeam hack
“I didn't want to make the police's work any easier by relating my hack of Hacking Team with other hacks I've done or with names I use in my day-to-day work as a blackhat hacker. So, I used new servers and domain names, registered with new emails, and paid for with new bitcoin addresses. Also, I only used tools that are publicly available, or things that I wrote specifically for this attack, and I changed my way of doing some things to not leave my usual forensic footprint.”
I always learn from the mistakes of others who take my advice.
Parachute for sale, used once, never opened!!
Threat intelligence sources

            Free             Community                    Commercial           Internal
Costs:      Free             Free/$                       $$/$$$               Free/$
Typology:   Generic          Generic/Specific             Generic/Specific     Very specific
Based on:   Public systems   Public, mailing lists,       Products, research   Internal logs
                             private researchers

Different formats & tools out there: openIOC, STIX/TAXII, OSTrICa, MISP, YARA, …
I'm on a whiskey diet. I've lost three days already.
Threat hunting with IOCs
Most commonly shared indicators:
• IP addresses / domain names
• File hashes / file names
• Still some hits on reused infrastructure. Do they care?
• Each hash is on average in <3 companies
• Bad with scripts and dual-use tools
• Where is the line between APT & common malware?
I’m not arguing, I’m simply explaining why I’m right.
Now you see me - now you don’t
• Are you hunting IOCs in real time or on snapshots?
• Many APT groups clean up after the attack
  • Wipe files; an admin account is enough for later
  • Delete emails, browser history, … to hide the incursion vector
• Do nation-state APTs really care if they get traced back?
  • At the latest since Snowden, everyone knows that everyone spies
  • Unlikely that they get arrested in their own country
  • Taunt the opponent - show force
Stress is when you wake up screaming and you realize you haven't fallen asleep yet.
Trust issues?
• Early sharing is often done only in private groups
  • If the group is too small you might not see much, but it can be high quality
  • If the group is too large you might not trust everyone
• Do you trust the Uber-NG-ATP-vendor XY?
• Do you double check any IP address before blacklisting?
• What is the motivation for sharing?
IoCs are good if you need context or when fighting common malware.
Hmm... I didn’t tell you... Then it must be none of your business...
Improved IoCs
• Following threat families instead of variants
  • Better, but they might use common tools like PoisonIvy, Meterpreter, …
• Follow TTPs and behavior patterns
  • Better, but different companies might require different TTPs
  • Apply them to your company, as the attackers would do too
Go higher in the pyramid of pain, track exploits, …
… but that’s what your security software should do too.
Always remember you're unique, just like everyone else.
Integrate the IoC consumption
• Use context for IOCs, patterns of behavior where available
• If possible, correlate it with in-house information
• Check which IoCs you can actually ingest internally
• It is still better to prevent the incursion than to hunt it later
• Rate the effectiveness of different types for you (and drop bad ones)
• Why spend resources on external IOC feeds when not even the internal basics are monitored properly yet?
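As an added example (not code from the deck), here is how the points above can be turned into a feed triage step: keep only indicator types your logs can match, drop types with a poor track record in your own triage history, and correlate the rest with in-house log lines before anyone blocklists anything. The feed entries, triage history and log lines are constructed, and the assumed log sources are proxy and firewall logs.

```python
import re
from collections import Counter

# Indicator types our own log sources can match (assumed: proxy logs give domains,
# firewall logs give IPs, no EDR so file hashes and file names cannot be checked).
INGESTABLE = {"ip", "domain"}

# Constructed feed entries (type, value, provider context); not real indicators.
# IPs are from the TEST-NET documentation ranges; the hash is a labelled placeholder.
FEED = [
    ("ip", "203.0.113.10", "C&C of actor X, active 2016-02"),
    ("ip", "198.51.100.7", ""),                                   # shared with no context
    ("domain", "cdn-static.example.net", "payload host, shared hosting"),
    ("hash", "<sha256 placeholder>", "dropper"),
    ("filename", "svchost32.dll", "dropper file name"),
]

# Constructed triage history of earlier matches per type: "tp" confirmed, "fp" false alarm.
HISTORY = [
    ("ip", "tp"), ("ip", "fp"), ("ip", "fp"), ("ip", "tp"),
    ("domain", "fp"), ("domain", "fp"), ("domain", "fp"), ("domain", "fp"), ("domain", "tp"),
    ("hash", "tp"),
]

# Constructed firewall/proxy lines; not real traffic.
INTERNAL_LOGS = [
    "2016-03-01 09:01:12 fw ALLOW src=10.20.30.40 dst=203.0.113.10 dport=443",
    "2016-03-01 09:01:40 proxy GET http://cdn-static.example.net/lib.js client=10.20.30.41",
    "2016-03-01 09:02:03 proxy GET http://cdn-static.example.net/lib.js client=10.20.30.42",
    "2016-03-01 11:30:00 fw ALLOW src=10.20.30.40 dst=203.0.113.100 dport=443",
    "2016-03-01 11:31:00 fw ALLOW src=10.20.30.40 dst=203.0.113.10 dport=443",
]


def precision_by_type(history):
    """Share of past matches per indicator type that turned out to be real."""
    tp, total = Counter(), Counter()
    for kind, verdict in history:
        total[kind] += 1
        if verdict == "tp":
            tp[kind] += 1
    return {kind: tp[kind] / total[kind] for kind in total}


def correlate(feed, log_lines):
    """Count log lines containing each indicator value as a whole token
    (so 203.0.113.10 does not match 203.0.113.100)."""
    hits = {}
    for _, value, _ in feed:
        rx = re.compile(r"(?<![\w.])" + re.escape(value) + r"(?![\w.])")
        hits[value] = sum(1 for line in log_lines if rx.search(line))
    return hits


def triage_feed(feed, history, log_lines, min_precision=0.3):
    """Decide per indicator what to do with it: skip what we cannot match or what
    has a bad track record, watch what has no internal hits yet, and hand the rest
    to a human together with its context. Returns [(value, action, reason)]."""
    prec = precision_by_type(history)
    hits = correlate(feed, log_lines)
    actions = []
    for kind, value, context in feed:
        if kind not in INGESTABLE:
            actions.append((value, "skip", "no log source can match this type"))
        elif prec.get(kind, 1.0) < min_precision:          # unseen types get a chance
            actions.append((value, "skip", f"type precision {prec[kind]:.2f} below threshold"))
        elif hits[value] == 0:
            actions.append((value, "watch", "no internal hits; keep for retrospective search"))
        elif not context.strip():
            actions.append((value, "review", f"{hits[value]} internal hits but no context"))
        else:
            actions.append((value, "investigate", f"{hits[value]} internal hits: {context}"))
    return actions


if __name__ == "__main__":
    for value, action, reason in triage_feed(FEED, HISTORY, INTERNAL_LOGS):
        print(f"{action:12} {value:28} {reason}")
```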
A day without sunshine is like, night.
Of course I don't look busy... I did it right the first time.
Oversharing? How much is too much?
• The bad guys can learn how much you know
  • Learn how they can improve their attacks
  • Example: ZeroAccess P2P botnet started to sign their commands
  • Most APT crews are not dumb; they could adapt if they want to
• Some indicators might contain sensitive information
  • Internal IP addresses
  • Stolen passwords hardcoded in 2nd-wave malware
  • Spear phishing emails, e.g. myYellowCompany.exe
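An added example, not part of the deck, of a pre-sharing check for the sensitive cases listed above: internal addresses and embedded credentials are held back, and a lure named after the victim is shared only as a description of the technique. The IoC set, the organisation markers and the address ranges are constructed for this example.

```python
import ipaddress
import re

# Address ranges that identify our own network (RFC 1918 plus loopback and link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Strings that would identify the sharing organisation (assumed names for this example).
ORG_MARKERS = ("yellowcompany", "corp\\", "fs01")

# "net use ... /user:DOMAIN\name password" style command lines embedded in 2nd-wave malware.
CRED_RX = re.compile(r"/user:\S+\s+\S+", re.I)

# Constructed IoCs as they might come out of an internal investigation; not real indicators.
# The public IP is from the TEST-NET-3 documentation range.
RAW_IOCS = [
    ("ip", "203.0.113.45"),
    ("ip", "10.20.30.40"),
    ("domain", "update-check.example.net"),
    ("filename", "myYellowCompany.exe"),
    ("filename", "svchost32.dll"),
    ("string", "net use \\\\fs01 /user:CORP\\backup Summer2016!"),
    ("email", "invoice@mail.example.org"),
]


def is_internal_ip(value):
    """True for addresses inside our own ranges; False for anything else, including non-IPs."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def mentions_org(value):
    v = value.lower()
    return any(marker in v for marker in ORG_MARKERS)


def prepare_for_sharing(iocs):
    """Split IoCs into a shareable list and a held-back list with the reason for holding.
    A victim-identifying lure name is shared only as a redacted description, because the
    technique (lure named after the target) is the useful part, not the name itself."""
    share, hold = [], []
    for kind, value in iocs:
        if kind == "ip" and is_internal_ip(value):
            hold.append((kind, value, "internal address"))
        elif CRED_RX.search(value):
            hold.append((kind, value, "contains credentials"))
        elif mentions_org(value):
            share.append((kind, "<redacted: lure named after target org>"))
            hold.append((kind, value, "identifies the victim"))
        else:
            share.append((kind, value))
    return share, hold


if __name__ == "__main__":
    share, hold = prepare_for_sharing(RAW_IOCS)
    print("share:", share)
    print("hold:", hold)
```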
Happiness does not buy you money.
I need a six-month vacation, twice a year.
Debug Strings – Fake or Real?
Examples: Turla/Waterbug, Stuxnet, Strider
«CloudAtlas» is clearly messing with us:
• Arabic strings in the BlackBerry version
• Hindi characters in the Android version
• “God_Save_The_Queen” in the BlackBerry version
• “JohnClerk” in the iOS version
Thanks to BlueCoat/Kaspersky
If brute force doesn’t solve your problems, then you aren’t using enough.
Commands from Taidoor
[Ping]
[Set sleep interval to 1 second]
cmd /c net start
cmd /c dir c:\docume~1
cmd /c dir "c:\docume~1\<CurrentUser>\recent" /od
cmd /c dir c:\progra~1
cmd /c dir "c:\docume~1\<CurrentUser>\desktop" /od
cmd /c netstat -n
cmd /c net use
Commands from Sykipot
ipconfig /all
netstat -ano
net start
net group "domain admins" /domain
tasklist /v
dir c:\*.url /s
dir c:\*.pdf /s
dir c:\*.doc /s
net localgroup administrators
type c:\boot.ini
systeminfo
Commands from HoneyPot sessions
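The command lists above are behaviour, not hashes, which is why a hash feed never catches them. As an added example (not the deck's code), this groups those discovery commands by the question they answer and flags a host when several distinct categories appear within a short window of constructed process-creation records; the records, the five-minute window and the threshold of three categories are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands from the Taidoor and Sykipot lists, grouped by what the attacker
# is asking. Matching on what a command does survives a change of tooling; a hash does not.
DISCOVERY_PATTERNS = {
    "services":      re.compile(r"\bnet\s+start\b", re.I),
    "connections":   re.compile(r"\bnetstat\b", re.I),
    "shares":        re.compile(r"\bnet\s+use\b", re.I),
    "domain_admins": re.compile(r'\bnet\s+group\s+"?domain admins"?', re.I),
    "local_admins":  re.compile(r"\bnet\s+localgroup\s+administrators\b", re.I),
    "processes":     re.compile(r"\btasklist\b", re.I),
    "network_cfg":   re.compile(r"\bipconfig\s+/all\b", re.I),
    "sysinfo":       re.compile(r"\bsysteminfo\b", re.I),
    "doc_search":    re.compile(r"\bdir\s+\S*\*\.(pdf|doc|url)\s+/s\b", re.I),
    "user_dirs":     re.compile(r"\bdir\b.*\\(docume~1|desktop|recent)\b", re.I),
}

# Constructed process-creation records (timestamp, host, user, command line); not real
# telemetry. The first host shows a recon burst; the second shows one-off admin commands
# hours apart, which must not trigger on their own.
SAMPLE_EVENTS = [
    ("2016-03-01T09:00:02", "WS-0231", "jdoe", 'cmd /c net start'),
    ("2016-03-01T09:00:05", "WS-0231", "jdoe", 'cmd /c netstat -ano'),
    ("2016-03-01T09:00:09", "WS-0231", "jdoe", 'cmd /c net group "domain admins" /domain'),
    ("2016-03-01T09:00:14", "WS-0231", "jdoe", 'cmd /c dir c:\\*.pdf /s'),
    ("2016-03-01T09:00:20", "WS-0231", "jdoe", 'cmd /c tasklist /v'),
    ("2016-03-01T10:15:00", "SRV-FILE1", "helpdesk", 'ipconfig /all'),
    ("2016-03-01T16:40:00", "SRV-FILE1", "helpdesk", 'netstat -n'),
]


def classify(cmdline):
    """Return the set of discovery categories a single command line hits."""
    return {name for name, rx in DISCOVERY_PATTERNS.items() if rx.search(cmdline)}


def find_recon_bursts(events, window=timedelta(minutes=5), min_categories=3):
    """Group events per host and flag any window of length `window` in which at least
    `min_categories` distinct discovery categories appear. Returns
    {host: sorted list of categories} for flagged hosts only."""
    per_host = defaultdict(list)
    for ts, host, _user, cmd in events:
        cats = classify(cmd)
        if cats:
            per_host[host].append((datetime.fromisoformat(ts), cats))
    flagged = {}
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _) in enumerate(hits):
            seen = set()
            for t, cats in hits[i:]:
                if t - start > window:
                    break
                seen |= cats
            if len(seen) >= min_categories:
                flagged[host] = sorted(seen)
                break
    return flagged


if __name__ == "__main__":
    for host, cats in find_recon_bursts(SAMPLE_EVENTS).items():
        print(f"{host}: discovery burst covering {', '.join(cats)}")
```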
An error? Impossible! My modem is error correcting.
Following the red herring
• Sometimes you have multiple infections on the same machine
  • Which IOC came from which actor?
• “Everyone” uses common tools: Mimikatz, psExec, …
• Attackers can easily plant some files from other APT groups
  • Example: Equation Group/Shadow Brokers
• Do you trust the compilation times, timestamps, language settings?
• Most companies do not really care who it was
  • They just want to prevent it from happening again
  • Or do you plan to hack back or sue them?
Sometimes you succeed and other times you learn.
©tarantula
My therapist says I have a preoccupation with vengeance. We'll see about that.
Conclusion
• Do your internal homework first
• Be smart in what you share
• We need to be effective in checking IoCs
  • Try them and rate effectiveness
• Mistakes do happen, but they still get in

Why hunting IoC fails at protecting against targeted attacks

  • 2. ┌─┐ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │░│ │░│ │░│ │░│ │░│ │░│ │░│ │▒│ │▒│ │▒│ │▒│ ──┐ │▒│ ░╞══════════════════════════════════════════════════════════════════════════════════════╦═╦═══╡▒│ ░│ ╚═╝ │▒│ The issue with targeted attacks 2 Highly targeted Many components “Grey” tools and events Evolve/change over time Regin: 75 modules Duqu: 100+ modules … 10 or less recipients Specific forum users … Powershell, psExec Suspicious logins … Right tools for the job Learn and adapt … I like birthdays, but I think too many can kill you.
  • 3. But attackers do leave traces Network Server or entry point Endpoint 3Just because I don't care doesn't mean I don't understand ┌─┐ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │░│ │░│ │░│ │░│ │░│ │░│ │░│ │▒│ │▒│ │▒│ │▒│ ──┐ │▒│ ░╞══════════════════════════════════════════════════════════════════════════════════════╦═╦═══╡▒│ ░│ ╚═╝ │▒│
  • 4. Connecting the dots… OUTPUT INDICATORS (IOC) • FILENAMES • REGISTRY KEYS • C&C SERVERS • EMAILS • ETC… INDUSTRY VERTICALS • HEALTHCARE • MANUFACTURING • FINANCE • … FROM A SINGLE IOC… RELATIONSHIPS • SOFACY • ELDERWOOD • HIDDENLYNX • … Many tools and IOC feeds, groups, etc. available Brains are wonderful, I wish everyone had one. 4 ┌─┐ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │░│ │░│ │░│ │░│ │░│ │░│ │░│ │▒│ │▒│ │▒│ │▒│ │▒│ ──┐ │▒│ ░╞══════════════════════════════════════════════════════════════════════════════════════╦═╦═══╡▒│ ░│ ╚═╝ │▓│
  • 5. ┌─┐ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │░│ │░│ │░│ │░│ │░│ │░│ │░│ │▒│ │▒│ │▒│ │▒│ │▒│ ──┐ │▒│ ░╞══════════════════════════════════════════════════════════════════════════════════════╦═╦═══╡▒│ ░│ ╚═╝ │▓│ If a turtle doesn't have a shell, is he homeless or naked? 5 …and then the guessing game begins…
  • 6. ┌─┐ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │░│ │░│ │░│ │░│ │░│ │░│ │░│ │▒│ │▒│ │▒│ │▒│ │▒│ │▒│ ──┐ │▒│ ░╞══════════════════════════════════════════════════════════════════════════════════════╦═╦═══╡▓│ ░│ ╚═╝ │▓│ @attributionDice 6My mind’s made up, don’t confuse me with facts
  • 7. Example: HackingTeam hack “I didn't want to make the police's work any easier by relating my hack of Hacking Team with other hacks I've done or with names I use in my day-to-day work as a blackhat hacker. So, I used new servers and domain names, registered with new emails, and payed for with new bitcoin addresses. Also, I only used tools that are publicly available, or things that I wrote specifically for this attack, and I changed my way of doing some things to not leave my usual forensic footprint.” 7I always learn from mistake of others who take my advice. ┌─┐ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │░│ │░│ │░│ │░│ │░│ │░│ │░│ │▒│ │▒│ │▒│ │▒│ │▒│ │▒│ ──┐ │▒│ ░╞══════════════════════════════════════════════════════════════════════════════════════╦═╦═══╡▓│ ░│ ╚═╝ │▓│
• 8. Parachute for sale, used once, never opened!!
• 9. Threat intelligence sources

  Source     | Costs     | Typology         | Based on
  -----------|-----------|------------------|--------------------------------------------
  Free       | Free      | Generic          | Public systems
  Community  | Free / $  | Generic/specific | Public, mailing lists, private researchers
  Commercial | $$ / $$$  | Generic/specific | Products, research
  Internal   | Free / $  | Very specific    | Internal logs

  Different formats and tools out there: OpenIOC, STIX/TAXII, OSTrICa, MISP, YARA, …
  I'm on a whiskey diet. I've lost three days already.
• 10. Threat hunting with IOCs
  Most commonly shared indicators:
  • IP addresses / domain names
  • File hashes / file names
  • Still some hits on reused infrastructure. Do they care?
  • Each hash is on average seen in fewer than 3 companies
  • Bad with scripts and dual-use tools
  • Where is the line between APT & common malware?
  I'm not arguing, I'm simply explaining why I'm right.
• 11. Now you see me - now you don't
  • Are you hunting IOCs in real time or on snapshots?
  • Many APT groups clean up after the attack
    • Wipe files; a stolen admin account is enough to come back later
    • Delete emails, browser history, … to hide the incursion vector
  • Do nation-state APTs really care if they get traced back?
    • At the latest since Snowden, everyone knows that everyone spies
    • Unlikely that they get arrested in their own country
    • Taunt the opponent, show force
  Stress is when you wake up screaming and you realize you haven't fallen asleep yet.
• 12. Trust issues?
  • Early sharing is often done only in private groups
    • If the group is too small you might not see much, but it can be high quality
    • If the group is too large you might not trust everyone
  • Do you trust the Uber-NG-ATP-vendor XY?
  • Do you double-check any IP address before blacklisting it?
  • What is the motivation for sharing?
  IoCs are good if you need context or when fighting common malware
  hmm... I didn't tell you... Then it must be none of your business...
• 13. Improved IoCs
  • Following threat families instead of variants
    • Better, but they might use common tools like PoisonIvy, Meterpreter, …
  • Follow TTPs and behavior patterns
    • Better, but different companies might require different TTPs
    • Apply them to your company, as the attackers would do too
  Go higher in the pyramid of pain, track exploits, …
  … but that's what your security software should do too
  Always remember you're unique, just like everyone else.
• 14. Integrate the IoC consumption
  • Use context for IOCs, patterns of behavior where available
  • If possible, correlate it with in-house information
  • Check which IoCs you can actually ingest internally
  • It is still better to prevent the incursion than to hunt for it later
  • Rate the effectiveness of the different types for you (and drop bad ones)
  • Why spend resources on external IOC feeds when not even the internal basics are monitored properly yet?
  A day without sunshine is like, night.
• 15. Of course I don't look busy... I did it right the first time.
• 16. Oversharing? How much is too much?
  • The bad guys can learn how much you know
    • They learn how to improve their attacks
    • Example: the ZeroAccess P2P botnet started to sign its commands
    • Most APT crews are not dumb, they could adapt if they wanted to
  • Some indicators might contain sensitive information
    • Internal IP addresses
    • Stolen passwords hardcoded in 2nd-wave malware
    • Spear-phishing emails, e.g. myYellowCompany.exe
  Happiness does not buy you money.
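A pre-sharing review of an indicator set, as an added example that is not part of the deck: it holds back the three kinds of leak the slide lists (internal addresses, credentials baked into second-wave tooling, lure names that identify the victim) before anything reaches a feed or a sharing group. The organisation profile (ORG_TOKENS, ORG_DOMAINS, ORG_NETS), the credential regex and the sample indicators are constructed; only the lure name myYellowCompany.exe is taken from the slide.

```python
"""Hold back indicators that would tell a sharing partner more about us than
about the attacker. Organisation profile and sample set are constructed."""
import ipaddress
import re

# Constructed organisation profile: names, mail domains and address space
# that identify us. ORG_NETS holds RFC 1918, loopback, link-local and one
# (fictional) public range of our own; documentation ranges such as
# 203.0.113.0/24 are deliberately *not* here, so a C2 there stays shareable.
ORG_TOKENS = ("yellowcompany", "yc-corp")
ORG_DOMAINS = ("yellowcompany.example",)
ORG_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 equivalents
    "192.0.2.0/24",                                    # "our" public range (constructed)
)]

# Credential shapes seen in second-wave tooling: 'net use ... /user:X pass',
# 'password=...' and PsExec-style '-p pass'. Heuristic; expect to tune it.
CRED_RX = re.compile(
    r"(?:/user:\S+\s+\S+|pass(?:word|wd)?\s*[=:]\s*\S+|(?<=\s)-p\s+\S+)", re.I)


def review(indicator):
    """Reasons this indicator must not leave the organisation as-is
    (empty list = safe to share)."""
    kind, value = indicator["type"], indicator["value"]
    low = value.lower()
    reasons = []
    if kind in ("ipv4", "ipv6"):
        ip = ipaddress.ip_address(value)
        # 'in' is False for a version mismatch, so mixing v4/v6 nets is safe.
        if any(ip in net for net in ORG_NETS):
            reasons.append("internal address")
    if any(tok in low for tok in ORG_TOKENS):
        reasons.append("names the organisation")
    if kind == "email" and low.rsplit("@", 1)[-1] in ORG_DOMAINS:
        reasons.append("internal mailbox")
    if kind in ("cmdline", "config") and CRED_RX.search(value):
        reasons.append("embedded credential")
    return reasons


def partition(indicators):
    """Split into (shareable, held); held entries carry their reasons."""
    share, hold = [], []
    for ind in indicators:
        why = review(ind)
        if why:
            hold.append((ind, why))
        else:
            share.append(ind)
    return share, hold


# Constructed indicator set from one fictional incident. The hash is the
# SHA-256 of the empty string, used only as a placeholder value.
SAMPLE = [
    {"type": "sha256", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"type": "domain", "value": "update-cdn.example"},
    {"type": "ipv4", "value": "203.0.113.5"},                 # C2 (documentation range)
    {"type": "ipv4", "value": "10.20.30.40"},                 # lateral-movement target
    {"type": "filename", "value": "myYellowCompany.exe"},     # the lure from the slide
    {"type": "email", "value": "cfo@yellowcompany.example"},  # phish recipient
    {"type": "cmdline", "value": r"net use \\fs01\c$ /user:YC\svc_backup Hunter2!"},  # 2nd-wave cred
]

if __name__ == "__main__":
    share, hold = partition(SAMPLE)
    for ind in share:
        print("share", ind["type"], ind["value"])
    for ind, why in hold:
        print("HOLD ", ind["type"], ind["value"], "->", ", ".join(why))
```

Held indicators are not lost: the hash and the C2 still go out, the internal target and the credential stay in the internal case file, and the lure filename can be shared once the company name is generalised. Note that Python's own `ip.is_private` treats the 203.0.113.0/24 documentation range as private, which is why the example lists its networks explicitly.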
• 17. I need a six month vacation, twice a year.
• 18. Debug Strings – Fake or Real?
  [Images: Turla/Waterbug, Stuxnet, Strider]
  «CloudAtlas» is clearly messing with us:
  • Arabic strings in the BlackBerry version
  • Hindi characters in the Android version
  • "God_Save_The_Queen" in the BlackBerry version
  • "JohnClerk" in the iOS version
  Thx BlueCoat/Kaspersky
  If brute force doesn't solve your problems, then you aren't using enough.
• 19. Commands from Taidoor
  [Ping]
  [Set sleep interval to 1 second]
  cmd /c net start
  cmd /c dir c:\docume~1
  cmd /c dir "c:\docume~1\<CurrentUser>\recent" /od
  cmd /c dir c:\progra~1
  cmd /c dir "c:\docume~1\<CurrentUser>\desktop" /od
  cmd /c netstat -n
  cmd /c net use

  Commands from Sykipot
  ipconfig /all
  netstat -ano
  net start
  net group "domain admins" /domain
  tasklist /v
  dir c:\*.url /s
  dir c:\*.pdf /s
  dir c:\*.doc /s
  net localgroup administrators
  type c:\boot.ini
  systeminfo

  Commands from honeypot sessions
  An error? Impossible! My modem is error correcting.
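The point of the "Threat hunting with IOCs" and "Improved IoCs" slides, and of the command lists above, in running code, as an added example that is not part of the deck: an atomic hash/C2 match beside a behaviour rule that keys on the discovery burst every one of those implants performs after landing. The feed entries (one hash, one C2 in the 203.0.113.0/24 documentation range), the host names and the process-creation events are constructed; the discovery regexes are modelled on the Taidoor and Sykipot commands, and the window and threshold are assumptions to tune against your own baseline.

```python
"""Atomic IOC matching next to a TTP rule, run over constructed endpoint
telemetry. Nothing here is from the slides except the shape of the commands."""
import re
from collections import defaultdict

# Constructed feed: one sample hash and one C2 address (TEST-NET-3 range).
FEED_SHA256 = {"aa" * 32}
FEED_C2_IPS = {"203.0.113.5"}

# Discovery commands of the kind the Taidoor and Sykipot lists show. One regex
# per category, so running the same command five times does not add weight.
DISCOVERY = {
    "ipconfig":   re.compile(r"^ipconfig\s+/all", re.I),
    "netstat":    re.compile(r"^netstat\s+[-/]", re.I),
    "net":        re.compile(r"^net\s+(start|use|group|localgroup)\b", re.I),
    "tasklist":   re.compile(r"^tasklist\b", re.I),
    "systeminfo": re.compile(r"^systeminfo\b", re.I),
    "dir":        re.compile(r"^dir\s+.*(docume~1|progra~1|\*\.(url|pdf|doc))", re.I),
}
# Leading 'cmd /c ' or '"C:\...\cmd.exe" /c ' that wraps the real command.
CMD_PREFIX = re.compile(r'^"?[^\s"]*cmd(?:\.exe)?"?\s+/c\s+', re.I)

# Constructed process-creation events: t = seconds from an arbitrary epoch,
# sha256 = hash of the image that ran, dst = outbound connection, if any.
EVENTS = [
    # ws-a: the exact sample in the feed, beaconing to the known C2, then recon.
    {"t": 0,  "host": "ws-a", "sha256": "aa" * 32, "cmd": r"C:\Users\a\AppData\Local\Temp\svchost.exe", "dst": "203.0.113.5"},
    {"t": 12, "host": "ws-a", "sha256": "c0" * 32, "cmd": "cmd /c ipconfig /all", "dst": None},
    {"t": 15, "host": "ws-a", "sha256": "c0" * 32, "cmd": "cmd /c netstat -ano", "dst": None},
    {"t": 20, "host": "ws-a", "sha256": "c0" * 32, "cmd": 'cmd /c net group "domain admins" /domain', "dst": None},
    {"t": 31, "host": "ws-a", "sha256": "c0" * 32, "cmd": "cmd /c tasklist /v", "dst": None},
    # ws-b: recompiled implant (new hash), fresh C2 (new IP), same playbook.
    {"t": 600, "host": "ws-b", "sha256": "bb" * 32, "cmd": r"C:\ProgramData\update.exe", "dst": "198.51.100.7"},
    {"t": 605, "host": "ws-b", "sha256": "c0" * 32, "cmd": r'"C:\Windows\System32\cmd.exe" /c systeminfo', "dst": None},
    {"t": 611, "host": "ws-b", "sha256": "c0" * 32, "cmd": r"cmd /c dir c:\*.pdf /s", "dst": None},
    {"t": 640, "host": "ws-b", "sha256": "c0" * 32, "cmd": "cmd /c net localgroup administrators", "dst": None},
    {"t": 702, "host": "ws-b", "sha256": "c0" * 32, "cmd": "cmd /c netstat -ano", "dst": None},
    # ws-c: an admin troubleshooting; two discovery commands, far apart in time.
    {"t": 900,  "host": "ws-c", "sha256": "c0" * 32, "cmd": "cmd /c ipconfig /all", "dst": None},
    {"t": 4000, "host": "ws-c", "sha256": "c0" * 32, "cmd": "cmd /c systeminfo", "dst": None},
]


def normalise(cmdline):
    """Strip the cmd.exe wrapper so the discovery regexes see the real command."""
    return CMD_PREFIX.sub("", cmdline.strip())


def atomic_hits(events, hashes=FEED_SHA256, c2=FEED_C2_IPS):
    """Exact hash / destination matches: cheap and precise, and blind to ws-b."""
    hits = []
    for e in events:
        if e["sha256"] in hashes:
            hits.append((e["host"], "hash", e["sha256"][:12]))
        if e.get("dst") in c2:
            hits.append((e["host"], "c2", e["dst"]))
    return hits


def recon_bursts(events, window=300, threshold=4):
    """Behaviour rule: at least `threshold` distinct discovery categories on one
    host within `window` seconds, whatever binary issued them. Window and
    threshold are assumptions; tune them against your own baseline."""
    per_host = defaultdict(list)
    for e in events:
        cmd = normalise(e["cmd"])
        for cat, rx in DISCOVERY.items():
            if rx.search(cmd):
                per_host[e["host"]].append((e["t"], cat))
                break
    flagged = {}
    for host, seen in per_host.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            cats = {c for t, c in seen[i:] if t - t0 <= window}
            if len(cats) >= threshold:
                flagged[host] = sorted(cats)
                break
    return flagged


if __name__ == "__main__":
    print("atomic:", atomic_hits(EVENTS))      # ws-a only
    print("behaviour:", recon_bursts(EVENTS))  # ws-a and ws-b, not ws-c
```

The hash and the C2 address catch ws-a and nothing else; the recompiled copy on ws-b has a new hash and new infrastructure, so only the recon-burst rule finds it, while the admin on ws-c stays below the threshold. This is the "bad with scripts and dual-use tools" problem in miniature: every command in the burst is a legitimate Windows utility, so the indicator has to be the sequence and the timing, not the binary.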
• 20. Following the red herring
  • Sometimes you have multiple infections on the same machine
    • Which IOC came from which actor?
  • "Everyone" uses common tools: Mimikatz, PsExec, …
  • Attackers can easily plant some files from other APT groups
    • Example: Equation Group / Shadow Brokers
  • Do you trust the compilation times, timestamps, language settings?
  • Most companies do not really care who it was
    • They just want to prevent it from happening again
    • Or do you plan to hack back or sue them?
  Sometimes you succeed and other times you learn.
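Why a compile timestamp is not evidence, as an added example that is not part of the deck: the PE TimeDateStamp is four attacker-controlled bytes in the COFF header, and the functions below read it, rewrite it, and apply the only cheap sanity checks worth running before anyone writes "compiled on" into a report. The header built by build_stub is a constructed stub (DOS header, PE signature, COFF header), not a loadable executable; the first-seen timestamp is an assumption.

```python
"""Read, rewrite and sanity-check the COFF TimeDateStamp of a PE image.
The header built here is a constructed stub, not a real executable."""
import struct
from datetime import datetime, timezone

E_LFANEW_OFF = 0x3C        # DOS header field holding the offset of "PE\0\0"
STAMP_REL = 8              # "PE\0\0"(4) + Machine(2) + NumberOfSections(2)
DELPHI_STAMP = 0x2A425E19  # fixed value Delphi linkers emit (1992-06-19 UTC)


def _stamp_offset(pe):
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, E_LFANEW_OFF)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    return e_lfanew + STAMP_REL


def read_stamp(pe):
    """TimeDateStamp as seconds since the Unix epoch, as analysis tools report it."""
    return struct.unpack_from("<I", pe, _stamp_offset(pe))[0]


def with_stamp(pe, ts):
    """Copy of `pe` with the four timestamp bytes replaced. Nothing else in the
    image changes (hashes aside) and no loader cares about the value."""
    off = _stamp_offset(pe)
    return pe[:off] + struct.pack("<I", ts & 0xFFFFFFFF) + pe[off + 4:]


def plausibility(ts, first_seen_ts):
    """Cheap checks on a stamp before anyone quotes it as 'compiled on'.
    `first_seen_ts` is when the sample was first observed (Unix seconds)."""
    notes = []
    if ts == 0:
        notes.append("zeroed (reproducible build or deliberately blanked)")
    elif ts == DELPHI_STAMP:
        notes.append("Delphi constant, says nothing about build time")
    elif ts > first_seen_ts:
        notes.append("later than first sighting: forged or clock-skewed")
    return notes


def build_stub(ts):
    """Constructed 0x98-byte header: zeroed DOS header with e_lfanew=0x80, PE
    signature, COFF header (i386, one section, given stamp). Header only."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFF, 0x80)
    coff = struct.pack("<HHIIIHH", 0x014C, 1, ts, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    first_seen = 1_451_606_400                     # 2016-01-01 UTC (assumed)
    pe = build_stub(1_450_000_000)                 # "built" 2015-12-13 UTC
    forged = with_stamp(pe, 1_180_000_000)         # now "built" in 2007
    for name, img in (("original", pe), ("forged", forged)):
        ts = read_stamp(img)
        print(name, datetime.fromtimestamp(ts, timezone.utc), plausibility(ts, first_seen))
```

The rewrite touches four bytes and leaves the image fully functional, which is exactly why a timestamp that matches a rival group's working hours proves nothing on its own. The plausibility checks only catch the lazy cases (zeroed, linker constant, impossible future date); corroboration has to come from sources the attacker did not author, such as your own first-seen time, certificate validity windows or sandbox submission dates.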
• 21. Conclusion
  • Do your internal homework first
  • Be smart in what you share
  • We need to be effective in checking IoCs
    • Try them and rate their effectiveness
  • Mistakes do happen, but they still get in
  ©tarantula
  My therapist says I have a preoccupation with vengeance. We'll see about that.