Blue team reboot - HackFest


Blue Team Reboot

Haydn Johnson

● Security Consultant - Researcher

● Twitter: @haydnjohnson

● Talks: BsidesTO, Circle City Con, BsidesLV, SecTor

● Offsec, Purple Team, Gym??

● Big 4 experience

● http://www.slideshare.net/HaydnJohnson

Cheryl Biswas

● Security researcher/analyst Threat Intel

● APTs, Mainframes, ICS SCADA, Shadow IT, StarTrek

● BSidesLV, Circle City, BSidesTO, SecTor, Hackfest, TiaraCon

● https://whitehatcheryl.wordpress.com

● Twitter: @3ncr1pt3d

DISCLAIMER: The views represented here are solely our own and not those of our employers, past or present, or future.

Blue Team Reboot

Props to DarkReading. This started with a webinar for DarkReading on Threat Intel and how to use it effectively. We received some great feedback, a lot of interest, and built upon it for HackFest.

Our Webinar: https://webinar.darkreading.com/2492?keycode=SBX&cid=smartbox_techweb_upcoming_webinars_8.500000620

What We Will Cover

All. That. DATA

Logging towards Alerts

Threat Intel

Visibility

Context

Pinpointing an Attack

Kill Chains & OODA Loops

Terminology

IOC - Indicator of Compromise - Domain, IP address, URL

IOA - Indicator of Attack

COA - Course of Action - What can we do to prevent, mitigate, detect. E.g. implement a block on an email address

TTP - Tactics, Techniques, and Procedures

Your Take-Away Lootbag

What it is

Relevance

Example cases

Tools & software applicable

LOGGING

LOGS: First Line of Defence

Logs

CIA

Confidentiality

Integrity

Availability

WHO’S IN YOUR NETWORK?

Web Application Logs

Knock Knock. Who was there?

The first place to detect scanners, recon, data scraping

Firewall Logs

Ingress | Egress

Websites | Email | FTP

End Point

Host Logs

Whitelisting applications - KNOWN GOOD

Execution of Macros

Terminal Commands executed

Time of logins

Average use

Network Logs

Internal traffic

Domain connections

Internal Scanning

https://www.sans.org/reading-room/whitepapers/logging/importance-logging-traffic-monitoring-information-security-1379 (2003)

A Little Talk About ... Big Data

So. Much. Data

Crown Jewels

Relevance

Asset Management

Create A Baseline

Have a starting place

Known traffic

Known good

Regular review

Know Your Normal
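A baseline is only useful if something actually checks new activity against it. The script below is an added example (not code from the talk): it learns each user's normal logon hours and hosts from a few days of constructed host-log lines (the `timestamp,user,host` layout is an assumption, not any product's format), then reviews a new day and reports logons that fall outside that baseline, which is the "time of logins" check from the host-log slide.

```python
"""Know-your-normal baseline for logons (added example, not from the talk).

Builds a per-user baseline of the hours at which logons normally occur and the
hosts they occur on, then reviews a new day's logons against it. All log lines
are constructed for illustration; the field layout (timestamp,user,host) is an
assumption, not any product's format.
"""
from collections import defaultdict
from datetime import datetime

# Constructed history used to learn "normal": three days of logons.
BASELINE_LOGS = """\
2016-10-03T08:02:11,alice,WS-ALICE
2016-10-03T17:45:09,alice,WS-ALICE
2016-10-04T08:15:40,alice,WS-ALICE
2016-10-04T18:01:02,alice,WS-ALICE
2016-10-05T07:58:33,alice,WS-ALICE
2016-10-03T09:10:00,bob,WS-BOB
2016-10-04T09:05:12,bob,WS-BOB
2016-10-05T09:12:45,bob,WS-BOB
"""

# Constructed logons for the day under review.
REVIEW_LOGS = """\
2016-10-06T08:05:00,alice,WS-ALICE
2016-10-06T03:12:41,alice,WS-ALICE
2016-10-06T09:01:00,bob,WS-BOB
2016-10-06T22:40:13,bob,SRV-FILE01
"""


def parse(lines):
    """Yield (timestamp, user, host) for each non-empty log line."""
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, user, host = line.split(",")
        yield datetime.fromisoformat(ts), user, host


def build_baseline(lines, slack_hours=1):
    """Per user: the set of 'normal' logon hours (observed +/- slack) and hosts seen."""
    hours = defaultdict(set)
    hosts = defaultdict(set)
    for ts, user, host in parse(lines):
        for h in range(ts.hour - slack_hours, ts.hour + slack_hours + 1):
            hours[user].add(h % 24)
        hosts[user].add(host)
    return {u: {"hours": hours[u], "hosts": hosts[u]} for u in hours}


def find_anomalies(baseline, lines):
    """Return (timestamp, user, host, reasons) for logons outside the baseline."""
    findings = []
    for ts, user, host in parse(lines):
        reasons = []
        profile = baseline.get(user)
        if profile is None:
            reasons.append("user not in baseline")
        else:
            if ts.hour not in profile["hours"]:
                reasons.append(f"hour {ts.hour:02d} outside baseline")
            if host not in profile["hosts"]:
                reasons.append(f"new host {host}")
        if reasons:
            findings.append((ts.isoformat(), user, host, reasons))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(build_baseline(BASELINE_LOGS), REVIEW_LOGS):
        print(*finding)
```

The "regular review" bullet matters here: a baseline built once and never rebuilt drifts away from reality, so rerun `build_baseline` on a rolling window rather than a fixed history.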

Just Say NO!!!

Macros: Disable

Adobe Anything: I can’t even

PowerShell: Are you worthy?

Admin for all - ORLY?

Deny on open Macros!

@InvokeThreatGuy https://github.com/invokethreatguy/DC416October?files=1

Wait! Who’s the all-powerful admin here?

Tools / Software

Carbon Black / Bit9

SysMon

Log-MD

WireShark

https://www.wireshark.org/

https://msdn.microsoft.com/en-us/library/windows/desktop/dd408124(v=vs.85).aspx

http://www.darkoperator.com/blog/2014/8/8/sysinternals-sysmon

http://log-md.com/

http://brakeingsecurity.blogspot.ca/2015/10/2015-042-logmd-more-malware-archaeology.html

Logs to Alerts!

VISIBILITY

Visibility: What’s in your sights

CONTEXT

Context: I haz meaning?

Bad Alerts

Help! Too Many!

Good Alerts

Timely

Relevant

Context

Actionable

Good Alerts

Give enough information to correlate

Understand all you can from the one log

Actionable

Standard procedures for each for IR team

Time is NOT on your side

Example Time: Workstation 2 Workstation

A: Lateral Movement

@raffertylaura | @haydnjohnson

https://www.youtube.com/watch?v=KO68mbk9-OU&list=PL02T0JOKYEq52plvmxiJ1cSbwUgHHvP7H&index=8

Windows Event Log

Runs PowerShell

Connects to Web Server
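The three slides above (event log, PowerShell runs, connection to a web server) describe a chain, and a "good alert" is the one that ties the chain together with enough context to act on. The code below is an added example, not from the talk or the linked video: it correlates a network logon (Security 4624, logon type 3) with a PowerShell process start (Security 4688) and an outbound connection by that process (Sysmon event 3) on the same host and user inside a time window. The event records are constructed and simplified; real collectors use different field names.

```python
"""Correlating Windows events into one actionable alert (added example).

Chain looked for: network logon to a workstation (Security 4624, LogonType 3)
-> powershell.exe started under that account (Security 4688)
-> that powershell.exe opens an outbound connection (Sysmon EventID 3).
Events are constructed and simplified; field names are an assumption.
"""
from datetime import datetime, timedelta

EVENTS = [
    # WS1 (10.0.0.11) logs on to WS2 over the network as alice
    {"ts": "2016-10-06T10:00:05", "source": "Security", "id": 4624, "host": "WS2",
     "user": "alice", "logon_type": 3, "src_ip": "10.0.0.11"},
    # powershell.exe starts on WS2 under alice
    {"ts": "2016-10-06T10:00:40", "source": "Security", "id": 4688, "host": "WS2",
     "user": "alice", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # that powershell.exe connects out to a web server
    {"ts": "2016-10-06T10:01:02", "source": "Sysmon", "id": 3, "host": "WS2",
     "user": "alice", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
    # unrelated noise: bob's console logon on WS3 followed by notepad
    {"ts": "2016-10-06T10:02:00", "source": "Security", "id": 4624, "host": "WS3",
     "user": "bob", "logon_type": 2, "src_ip": "-"},
    {"ts": "2016-10-06T10:02:30", "source": "Security", "id": 4688, "host": "WS3",
     "user": "bob", "image": r"C:\Windows\System32\notepad.exe"},
]


def _t(event):
    return datetime.fromisoformat(event["ts"])


def is_powershell(event):
    return event.get("image", "").lower().endswith("powershell.exe")


def correlate(events, window=timedelta(minutes=10)):
    """Return one alert per completed logon -> PowerShell -> outbound chain."""
    evs = sorted(events, key=_t)
    alerts = []
    for logon in evs:
        if not (logon["source"] == "Security" and logon["id"] == 4624
                and logon.get("logon_type") == 3):
            continue
        t0 = _t(logon)
        chain = [logon]
        for e in evs:
            if e["host"] != logon["host"] or e["user"] != logon["user"]:
                continue
            if not (t0 < _t(e) <= t0 + window):
                continue
            last = chain[-1]
            if last["id"] == 4624 and e["source"] == "Security" and e["id"] == 4688 \
                    and is_powershell(e):
                chain.append(e)
            elif last["id"] == 4688 and e["source"] == "Sysmon" and e["id"] == 3 \
                    and is_powershell(e):
                chain.append(e)
                break
        if len(chain) == 3:
            net = chain[2]
            alerts.append({
                "severity": "high",
                "summary": (f"Network logon to {logon['host']} from {logon['src_ip']} "
                            f"as {logon['user']}, then PowerShell connected out to "
                            f"{net['dst_ip']}:{net['dst_port']}"),
                "host": logon["host"], "user": logon["user"],
                "src_ip": logon["src_ip"], "dst": f"{net['dst_ip']}:{net['dst_port']}",
                # context: every raw event an analyst needs, in order
                "timeline": [(e["ts"], e["source"], e["id"]) for e in chain],
                # actionable: the standard procedure the IR team runs for this alert
                "next_steps": ["check dst against threat intel", "pull PowerShell script block logs (4104)",
                               "review source host for the same chain", "contain host if confirmed"],
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert["summary"], alert["timeline"])
```

Each part of the alert maps to the "good alert" criteria: it is timely (window-bounded), relevant (one specific chain, not every logon), carries context (the timeline), and is actionable (the procedure list).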

Threat Intel

Threat Intel: What it Ain’t

Threat actor information

Campaigns

Indicators of Compromise (IOCs)

Identify known threats

Exploitation in the wild

Threat intel: What it is

A product from the collection, processing, exploitation, analysis, dissemination and feedback of information.

Reducing False Positives

IOC Validation

Alert Tuning from IOCs

https://quadrantsec.com/about/blog/the_false_positives_of_threat_intelligence/

Threat Reports

Is it relevant to business?

Could it have an impact?

Are there IOCs?

COA for prevention, detection, mitigation

KEY CRITERIA

Threat Report - Example

Landing Page

Downloader URL

C2 traffic

Threat Report - Example 2

http://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-espionage-campaign-evolves-adds-japan-target-list/

Threat Report - Example 2

C2 via blogs

Hard coded tags

http://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-espionage-campaign-evolves-adds-japan-target-list/

Threat Report - Example 2

Downloader

C2


Threat Report - Example 2

IOCs - MD5: Not strong but can put in place fast!

THREAT CORRELATION

Combining Data and Threat intel

The 4 C’s

Collect

Consolidate

Control

Communicate
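"IOC validation" and "alert tuning from IOCs" on the false-positives slide, and "combining data and threat intel" here, are the same pipeline seen from two ends: clean the feed, then match it against your own logs with the report it came from attached as context. The following is an added example, not from the talk or the linked Quadrant post. The IOC feed, allowlist and proxy log lines are all constructed (the only real value is the MD5 of an empty file, a classic feed false positive); the comma-separated feed layout is an assumption.

```python
"""Validate an IOC feed, then match it against proxy logs (added example).

Feed, allowlist and log lines are constructed for illustration; the formats
are assumptions, not any vendor's.
"""
import ipaddress
import re

# Constructed feed: type,value,source-report
IOC_FEED = """\
ip,203.0.113.45,vendor-report-A
ip,8.8.8.8,vendor-report-A
ip,10.0.0.5,vendor-report-B
domain,update-check.example,vendor-report-A
domain,google.com,vendor-report-B
md5,d41d8cd98f00b204e9800998ecf8427e,vendor-report-B
md5,0123456789ABCDEF0123456789abcdef,vendor-report-A
"""

# Constructed allowlist: infrastructure your users legitimately talk to every day.
ALLOWLIST = {"8.8.8.8", "google.com"}
# Addresses that can never be a useful external indicator.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]
EMPTY_FILE_MD5 = "d41d8cd98f00b204e9800998ecf8427e"  # MD5 of zero bytes
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_feed(text):
    for line in text.splitlines():
        if line.strip():
            kind, value, source = line.split(",")
            yield kind.strip(), value.strip().lower(), source.strip()


def validate(text):
    """Split a feed into accepted {value: context} and rejected [(value, reason)]."""
    accepted, rejected = {}, []
    for kind, value, source in parse_feed(text):
        reason = None
        if value in ALLOWLIST:
            reason = "on allowlist (known-good infrastructure)"
        elif kind == "ip":
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                reason = "not a valid IP address"
            else:
                if any(addr in net for net in BOGON_NETS):
                    reason = "private/reserved address"
        elif kind == "domain":
            if "." not in value:
                reason = "not a fully qualified domain"
        elif kind == "md5":
            if not MD5_RE.match(value):
                reason = "malformed MD5"
            elif value == EMPTY_FILE_MD5:
                reason = "hash of an empty file"
        else:
            reason = f"unknown indicator type {kind}"
        if reason:
            rejected.append((value, reason))
        else:
            accepted[value] = {"type": kind, "source": source}
    return accepted, rejected


# Constructed proxy log: timestamp host user destination action
PROXY_LOGS = """\
2016-10-06T10:01:02 WS2 alice 203.0.113.45:443 CONNECT
2016-10-06T10:03:10 WS3 bob 8.8.8.8:53 UDP
2016-10-06T10:04:00 WS2 alice update-check.example:80 GET
2016-10-06T10:05:30 WS4 carol google.com:443 CONNECT
"""


def match(iocs, logs):
    """Return one hit per log line whose destination is in the IOC set, with its context."""
    hits = []
    for line in logs.splitlines():
        if not line.strip():
            continue
        ts, host, user, dest, action = line.split()
        target = dest.rsplit(":", 1)[0].lower()
        if target in iocs:
            hits.append({"ts": ts, "host": host, "user": user,
                         "indicator": target, "context": iocs[target]})
    return hits


if __name__ == "__main__":
    good, bad = validate(IOC_FEED)
    raw = {v: {"type": k, "source": s} for k, v, s in parse_feed(IOC_FEED)}
    print(len(match(raw, PROXY_LOGS)), "hits unvalidated,", len(match(good, PROXY_LOGS)), "validated")
```

Run against the constructed data, the raw feed fires on all four lines and the validated feed on two, which is the whole point of the tuning step: every hit that survives carries the source report, so the analyst can go straight to "is it relevant to the business?".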

Visibility

Take a big picture view

Know what’s going on from end to end

Cuz you don’t know what you don’t know

Context

Look for the patterns

So you can find the anomalies

How to Play With Data

Not what you got but how you use it

Ask the right questions - get the right answers

What have we been missing?

Security Analytics - Example

The Game Changers

Machine Learning

Analytics

IAM

BIG DATA - TOOLS

OpenSoc - Cisco

RITA - Real Intelligence Threat Analysis

BreakoutDetection R package - Twitter

http://opensoc.github.io/

RITA - http://www.blackhillsinfosec.com/?page_id=4417

https://github.com/twitter/BreakoutDetection
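RITA and BreakoutDetection both hunt for structure in timing data; the simplest version of the idea is beacon detection, where a host that talks to the same destination at suspiciously regular intervals stands out from human browsing. Below is an added example, not code from RITA, OpenSOC or the BreakoutDetection package: it measures how regular the connection intervals are for each (source, destination) pair using the coefficient of variation (standard deviation divided by mean), and flags pairs that are both frequent and regular. The connection records are constructed in code.

```python
"""Beacon detection by interval regularity (added example, not RITA's code).

For each (source host, destination) pair, compute the gaps between successive
connections. A low coefficient of variation (pstdev / mean) over many
connections means "metronome-like" traffic. Records are constructed below.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, median, pstdev


def constructed_connections():
    """Constructed proxy records (timestamp, src_host, dst): one beacon, one human, one too-short."""
    t0 = datetime(2016, 10, 6, 9, 0, 0)
    records = [(t0, "WS2", "203.0.113.45")]
    # WS2 -> 203.0.113.45 every ~60 s with +/- 2 s jitter: 21 connections
    t = t0
    for jitter in [0, 2, -2, 1, -1] * 4:
        t += timedelta(seconds=60 + jitter)
        records.append((t, "WS2", "203.0.113.45"))
    # WS3 -> news.example with irregular, human-looking gaps: 12 connections
    t = t0
    for gap in [5, 300, 12, 900, 45, 7, 1800, 20, 4, 600, 33, 15]:
        t += timedelta(seconds=gap)
        records.append((t, "WS3", "news.example"))
    # WS4 -> 203.0.113.45 only three times: too few to judge
    for s in (10, 70, 130):
        records.append((t0 + timedelta(seconds=s), "WS4", "203.0.113.45"))
    return records


def detect_beacons(records, min_count=10, max_cv=0.2):
    """Return pairs whose connection intervals are frequent and regular, most regular first."""
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_count:      # not enough samples to call it a pattern
            continue
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        if avg == 0:
            continue
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "count": len(times),
                             "period_s": median(intervals), "cv": round(cv, 3)})
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in detect_beacons(constructed_connections()):
        print(f)
```

The thresholds are the tuning knobs from the alerting slides: `min_count` keeps one-off lookups out, and `max_cv` decides how much jitter still counts as regular. Real beacons add jitter on purpose, so compare the result against the baseline of what that host normally does before treating a hit as an alert.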

Pinpointing an Attack: Identification of malicious-ness

Detecting an attack - Visibility & Patterns

Known Good

Alerts

Investigation

Lessons learned

http://www.scmagazine.com/five-tips-to-detect-contain-and-control-cyber-threats/article/467856/

Detecting an attack

Preparation

Identification

Containment

Eradication

Recovery

Lessons Learned

SANS IR Steps!

Cyber Kill Chain + Extended Version

Lockheed Martin Cyber Kill Chain

“The seven steps of the Lockheed Martin Cyber Kill Chain® enhance visibility into an attack and enrich an analyst’s understanding of an adversary’s tactics, techniques and procedures.”

http://cyber.lockheedmartin.com/solutions/cyber-kill-chain

Cyber Kill Chain

1. Reconnaissance

2. Weaponization

3. Delivery

4. Exploitation

5. Installation

6. Command & Control

7. Action on Objectives

Cyber Kill Chain Extended

Figure: 7 - Actions on Objectives → Internal Kill Chain → Target Manipulation Kill Chain

http://www.seantmalone.com/docs/us-16-Malone-Using-an-Expanded-Cyber-Kill-Chain-Model-to-Increase-Attack-Resiliency.pdf

Cyber Kill Chain Extended

Map & understand specific systems

Subvert target systems & business processes

Raise Attackers’ Cost

OODA LOOP

Attackers

Observe Orient Decide Act

Your Blue Team Fighter Pilots

Goose Maverick

OODA Loop - for the defender

Practice

Be ready to change direction

Take Action

Relevance

Use to actively identify security controls

People Process Procedures

Identify Gaps

Confirm assumptions

Tune

Visibility on Blind Spots

Looking at each step allows a methodical approach to defense.

Reduces Bias and Blind spots.

Can lead to Threat Hunting
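Walking the kill chain step by step (from the Cyber Kill Chain list above) and asking "identify gaps, confirm assumptions, tune" can be done with a short inventory. The following is an added example, not from the talk or Lockheed Martin: it holds a constructed map of which detection rules observe which stage, reports stages with no coverage, and, for alerts already raised, shows how far down the chain each host has progressed and which stages were skipped, which usually points at a telemetry blind spot. The rule names and alerts are constructed.

```python
"""Kill chain coverage and per-host progression (added example).

DETECTIONS maps a detection rule (log source + rule) to the kill chain stage it
can observe; ALERTS are constructed alerts that fired. Both are illustrative.
"""
from collections import defaultdict

KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command & Control", "Actions on Objectives"]
STAGE_INDEX = {stage: i for i, stage in enumerate(KILL_CHAIN)}

# Weaponization happens on the adversary's side, before delivery, so internal
# logs do not see it; it is excluded from the gap list rather than reported.
UNOBSERVABLE = {"Weaponization"}

# Constructed inventory: which of our rules watch which stage.
DETECTIONS = {
    "weblog: scanner user-agent burst": "Reconnaissance",
    "mail-gateway: macro-enabled attachment": "Delivery",
    "sysmon-1: Office app spawns powershell.exe": "Exploitation",
    "proxy: periodic beacon to rare domain": "Command & Control",
    "sysmon-3: workstation-to-workstation SMB": "Actions on Objectives",
}

# Constructed alerts that fired today.
ALERTS = [
    {"host": "WS2", "rule": "mail-gateway: macro-enabled attachment"},
    {"host": "WS2", "rule": "sysmon-1: Office app spawns powershell.exe"},
    {"host": "WS2", "rule": "proxy: periodic beacon to rare domain"},
    {"host": "WS5", "rule": "weblog: scanner user-agent burst"},
]


def coverage_gaps(detections=DETECTIONS):
    """Stages that no rule observes (the 'visibility on blind spots' question)."""
    covered = set(detections.values())
    return [s for s in KILL_CHAIN if s not in covered and s not in UNOBSERVABLE]


def progression(alerts, detections=DETECTIONS):
    """Per host: stages seen in chain order, the furthest one, and skipped stages in between."""
    per_host = defaultdict(set)
    for alert in alerts:
        per_host[alert["host"]].add(detections[alert["rule"]])
    result = {}
    for host, stages in per_host.items():
        ordered = sorted(stages, key=STAGE_INDEX.get)
        lo, hi = STAGE_INDEX[ordered[0]], STAGE_INDEX[ordered[-1]]
        skipped = [s for s in KILL_CHAIN[lo:hi + 1]
                   if s not in stages and s not in UNOBSERVABLE]
        result[host] = {"stages": ordered, "furthest": ordered[-1],
                        "skipped": skipped}
    # hosts furthest along the chain first: those need action soonest
    return dict(sorted(result.items(),
                       key=lambda kv: -STAGE_INDEX[kv[1]["furthest"]]))


if __name__ == "__main__":
    print("no coverage:", coverage_gaps())
    for host, info in progression(ALERTS).items():
        print(host, info)
```

On the constructed data the inventory has no rule for Installation, and WS2 jumped from Exploitation to Command & Control without an Installation alert: the same gap seen from two angles, which is the "confirm assumptions, tune" step in practice.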

Example Time

Attachments

Malicious Attachments

https://github.com/carnal0wnage/malicious_file_maker

Malicious Attachments

Malicious Attachments

Test your email filters

Understand which attachments come through

Build | refine | controls

Malicious Attachments

Send various types of malicious attachments via multiple sources

How many emails does it take to block a sender?

What types of attachments generate alerts?

Go hunting
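"Understand which attachments come through" is only half the loop; the other half is a check on the receiving side that decides on content rather than on the file name. The following is an added example, not from the talk or the malicious_file_maker project: it inspects attachments by their leading bytes, opens OOXML documents to see whether a `vbaProject.bin` (VBA macro container) is present, flags extension/content mismatches and double extensions, and tallies what would be allowed, quarantined or blocked. All sample attachments are constructed in memory (tiny stand-ins, not real files), so it runs offline.

```python
"""Attachment inspection by content, not name (added example).

Sniffs the leading bytes of each attachment, looks inside OOXML zips for a VBA
project, and compares the declared extension with the detected content. The
sample attachments are constructed in memory and are not real documents.
"""
import io
import zipfile
from collections import Counter
from pathlib import PurePosixPath

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".dll", ".js", ".vbs", ".bat", ".cmd"}
EXPECTED_EXTS = {
    "pe-executable": EXECUTABLE_EXTS,
    "pdf": {".pdf"},
    "office-macro": {".docm", ".xlsm", ".pptm", ".dotm"},
    "office-ooxml": {".docx", ".xlsx", ".pptx"},
    "zip-archive": {".zip"},
}


def sniff(data):
    """Classify content by magic bytes (and zip contents for Office files)."""
    if data[:2] == b"MZ":
        return "pe-executable"
    if data[:5] == b"%PDF-":
        return "pdf"
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "ole2-legacy-office"        # .doc/.xls; may hold macros, needs a parser
    if data[:4] == b"PK\x03\x04":
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "corrupt-zip"
        if any(n.endswith("vbaProject.bin") for n in names):
            return "office-macro"
        if any(n.startswith(("word/", "xl/", "ppt/")) for n in names):
            return "office-ooxml"
        return "zip-archive"
    return "other"


def classify(filename, data):
    """Return kind, verdict (allow/quarantine/block) and the reasons for it."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    ext = suffixes[-1] if suffixes else ""
    kind = sniff(data)
    reasons = []
    if kind == "pe-executable":
        reasons.append("executable content")
    if len(suffixes) > 1 and ext in EXECUTABLE_EXTS:
        reasons.append("double extension ending in an executable type")
    if kind in EXPECTED_EXTS and ext not in EXPECTED_EXTS[kind]:
        reasons.append(f"content ({kind}) does not match extension {ext or '(none)'}")
    if reasons:
        verdict = "block"
    elif kind in ("office-macro", "ole2-legacy-office"):
        verdict = "quarantine"
        reasons.append("may carry VBA macros; review before release")
    else:
        verdict = "allow"
    return {"file": filename, "kind": kind, "verdict": verdict, "reasons": reasons}


def make_ooxml(with_macro):
    """Constructed minimal OOXML zip; with_macro adds a stand-in vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"constructed stand-in")
    return buf.getvalue()


def constructed_samples():
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60          # PE header start only
    return [
        ("report.docm", make_ooxml(True)),
        ("notes.docx", make_ooxml(False)),
        ("invoice.pdf.exe", pe_stub),
        ("statement.pdf", pe_stub),
        ("readme.pdf", b"%PDF-1.4\n% constructed\n"),
    ]


def summarize(results):
    return Counter(r["verdict"] for r in results)


if __name__ == "__main__":
    results = [classify(name, data) for name, data in constructed_samples()]
    for r in results:
        print(r["verdict"], r["file"], r["kind"], r["reasons"])
    print(dict(summarize(results)))
```

Running the same classifier over what the mail gateway actually delivered, and comparing its verdicts with what the gateway let through, gives the "build | refine | controls" feedback the slide asks for.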

In summary

LOGS

ALERTS

THREAT INTEL

CORRELATION

CYBER KILL CHAIN

= PROACTIVE

Take-aways, AKA what you should remember

Total success!

❖ Be proactive

❖ Back2Basics

❖ Visibility

❖ Context

❖ Test it

❖ Look for it

❖ Patterns

❖ Anomalies

Total success!

Thank You! Any questions? Feel free to reach out to us later!

@haydnjohnson @3ncr1pt3d