Open Secrets of the Defense Industry: Building Your Own Intelligence Program From the Ground Up (Sean Whalen)


Page 1: Open Secrets of the Defense Industry: Building Your Own Intelligence Program From the Ground Up

Open Secrets of the Defense Industry

Building Your Own Intelligence Program From the Ground Up

Sean Whalen

Page 2

Disclaimer

The views and opinions expressed here are my own, and may not represent those of my past, current, and post-apocalyptic employers.

Page 3

Who is this guy?

• I’m an Information Security Engineer
• Intelligence analyst
• Human log parser
• I specialize in network defense
• I love open source software
• Most of my security experience comes from the Defense Industrial Base (DIB)
• I recently moved to the healthcare industry
• I’m building a DIB-style intel program
• Stalk me @SeanTheGeek

Page 4

Overview

Respond proactively to threats like a defense contractor. It’s more realistic than you might think!

A practical guide to building intelligence-driven cyber defenses using free software, based on real implementations of best practices and adapted from the Lockheed Martin Cyber Kill Chain model.

Page 5

Security conference memes

For the informative lolz

Page 6

Buy lots of tools and services or…

Page 7

APT has magic

Page 8

Actual APT code

Dropped by UltraSurf.exe (6dc7cc33a3cdcfee6c4edb6c085b869d)

FireEye: Operation Saffron Rose

Page 9

Page 10

Page 11

Image credit: FireEye

Page 12

Page 13

They also stole creds in a more direct way

Image credit: FireEye

Page 14

How do we defend against this?

Page 15

Intelligence! Intelligence! Intelligence! Intelligence!

Page 16

People power

• A diverse, interactive team is essential for any security program
• Specialties, not silos
  • Tool development, forensics, IR, intel, malware analysis
• Look for SAs, devs, and infrastructure employees who are interested in a new challenge
• Scale up by training recent grads who are motivated
• You need people who understand security, not just security tools
• Allow fluid movement from one specialty to another

Page 17

Intelligence building is a cycle

• Observe
• Collect
• Analyze
• Share
• Adapt

Page 18

General ranking of intel priority by source

1. Internal
2. Trusted, “mature” industry partners
3. Developing industry partners
4. Subscription services
5. Semi-public government publications
6. OSINT/PR reports

Intel collection without evaluating the source leads to noisy alerts

Page 19

Your own network is your best intel source

No one knows you better than you

Page 20

Goals

• Read the Lockheed Martin Kill Chain paper
• Train employees to report phishing and other sketchy things
• Collect data on phishing, malware, and other attacks sent your way
• Analyze strategically
• Automate the Boring Stuff with Python
• Share with friends
• Present findings to stakeholders
• Adapt your defenses and processes

Page 21

Open source software

Break the kill chain without breaking the bank

Page 22

Why open source?

• Cost – Spend less on products and more on resources
• Flexibility – You can modify it and customize it however you like
• Innovation – Rapidly implement new ideas; build what doesn’t exist
• Privacy – Your data is your data
• Community – Share knowledge and inspiration with peers

Page 23

Build a malware sandbox

• The Spender fork of the Cuckoo Sandbox project is a powerful way to quickly derive actionable intelligence from malware samples
  • Generally higher-quality signatures and malware identification
  • Anti-VM and anti-sandbox countermeasures
  • Transparent Tor proxy support
  • Nice-looking PDF reports
  • Similar sample heuristics
• Full setup guide at https://infosecspeakeasy.org/t/howto-build-a-cuckoo-sandbox/27
• Start analyzing malware in hours!

Page 24

Collect all the things!

• Centralize your logs
  • Splunk Enterprise Security (ES)
  • Open source ELK stack
• CRITs – Collaborative Research Into Threats
  • Can store almost any kind of threat data
  • UI can get overwhelming if you try to store all the things in it
  • Most useful for storing phishing email data (IMO)

Page 25

Document all the things!

• Use a team wiki to document all processes, tools, security events, intelligence research, campaign briefings, and other unstructured data
• Create canned replies and action plans
• Learn from mistakes, and make success repeatable
• Shorten the learning curve for new team members
• I recommend XWiki
  • Highly extendable
  • LDAP and granular permissions out of the box
  • Much less hacking required when compared to others

Page 26

Track your work

• Use an InfoSec ticketing system to track all work
• Store key metrics: Time-to-Detect, Time-to-Remediate
• Avoid duplicated effort
• Show trends and team workload
• RTIR – Request Tracker for Incident Response
  • Open source, extremely flexible, customizable
  • Can create tickets through email, such as intel emails from partners
  • Integration with other services requires knowledge of Perl (my eyes!)
  • Simple Python API wrapper
  • Commercial support and professional services are available

Page 27

Sharing is caring

Herd immunity FTW!

Page 28

What intel sharing is not

Page 29

What intel sharing is

I see evil!

Page 30

Sharing can be hard, at first

• What do you collect?
• What do you share?
• Can you share it?
• How do you share it?
• Who do you share it with?
• Who can you trust?
• What can you do with shared information?

Declassified SASC Inquiry Into Cyber Intrusions of TRANSCOM Contractors

Page 31

How to share phishing data

• Include full email headers (except internal ones)
• Redact the target addresses for privacy
• Include generalized targeting information (number, roles)
• Include the raw body and attachments (within encrypted zips)
• Redact any ID numbers in URLs for privacy, but note the composition
• If it is in HTML, include screenshots
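The redaction steps above, as an added Python example that is not from the slides: it drops Received hops added by assumed internal relays, replaces recipients with a count, and redacts ID-like URL parameters while recording their length and character classes. The sample message, the hostnames and the ID pattern are constructed assumptions.

```python
"""Sanitize a phishing email for sharing (constructed sample, assumed hostnames)."""
import email
import re
from email import policy

# Constructed sample; evil-sender.example and internal.example are made up.
RAW_EML = """Received: from mx.internal.example (10.1.2.3) by mail.internal.example
Received: from evil-sender.example (203.0.113.7) by mx.internal.example
From: "HR Portal" <hr@evil-sender.example>
To: alice@example.com, bob@example.com
Subject: Updated benefits form
X-Mailer: PHPMailer 5.2
Content-Type: text/plain

Please review: http://evil-sender.example/open.php?uid=A7f9Qz12&track=448123
"""

INTERNAL_HOSTS = ("internal.example",)  # assumed suffix of our own relays
# Assumed ID shape: a query-string value of at least six characters.
ID_PARAM = re.compile(r"([?&][A-Za-z_]+=)([A-Za-z0-9_-]{6,})")


def describe(token: str) -> str:
    """Note a redacted ID's length and character classes, never its value."""
    kinds = [k for k, test in (("digits", str.isdigit), ("letters", str.isalpha))
             if any(test(c) for c in token)]
    return f"[REDACTED id: {len(token)} chars, {'+'.join(kinds)}]"


def sanitize(raw: str, internal_hosts=INTERNAL_HOSTS):
    """Return (headers, body): internal hops dropped, targets and IDs redacted."""
    msg = email.message_from_string(raw, policy=policy.default)
    headers = []
    for name, value in msg.items():
        value = str(value)
        # Drop Received hops whose sending host is one of our own relays;
        # the hop from the attacker's MTA to our border MX is kept.
        if name.lower() == "received" and any(
            h in value.split(" by ")[0] for h in internal_hosts
        ):
            continue
        if name.lower() in ("to", "cc", "bcc"):  # keep the target count only
            count = len([a for a in value.split(",") if a.strip()])
            value = f"[REDACTED: {count} recipient(s)]"
        headers.append((name, value))
    body = msg.get_body(preferencelist=("plain",)).get_content()
    # Redact ID-like parameters but record their composition for partners.
    body = ID_PARAM.sub(lambda m: m.group(1) + describe(m.group(2)), body)
    return headers, body
```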

Page 32

How to share watering hole data

• The date and time the attack was observed, with UTC offset
• The URL of the watering hole (i.e. the compromised site)
• The URLs of any malicious resources or website redirections
• A list of tactics used (e.g. iframes, plugins, etc.)
• Any malicious files (e.g. SWFs) as attachments
• Defanged sample code

Page 33

Sharing malware

• Use encrypted zips with a password of “infected”
  • Avoids contamination and making AV/IDS go crazy
• Include any sandbox report you may have
• Make note of any interesting or confusing points
• Include the best indicators for detecting it, if you know them
  • C2
  • Stages
  • Files/registry keys created, modified, or deleted
  • Mutexes
  • General behavior

Page 34

The state of sharing solutions

Page 35

Soltra Edge

• Basically the only free (as in beer), production-quality TAXII server/application
  • Freeware – Open standards, not open source software
  • Support subscriptions
• Created by the NH-ISAC, in use at most ISACs
• Lots of SIEMs/IR tools can take TAXII feeds; to name a few:
  • Carbon Black
  • Splunk Enterprise Security
  • Cyphort
  • QRadar
• The STIX/TAXII standards can take a while to implement on your own

Page 36

Malware Information Sharing Platform (MISP)

• Open source software (GPLv3)
• Indicator database
• Straightforward workflows
• Flexible, automated sharing
• Generates Snort/Suricata rules
• Imports from OpenIOC, Cuckoo, ThreatConnect CSV
• Exports to OpenIOC, plain text, CSV, MISP XML or JSON
• Simple API – Not in wide use like TAXII, but much easier to use

Page 37

ThreatConnect

• Everything you could ever want in a SaaS Threat Intelligence Platform
• Turnkey
• Extremely expensive
• Intel in the cloud may raise privacy and legal concerns

Page 38

Free Threat Intelligence Platforms

• AlienVault Open Threat Exchange (OTX)
  • Open threat information sharing
  • Simple API
  • Bro, TAXII, and Suricata integration
  • Python, Java, and Go SDKs
• Facebook ThreatExchange
  • Share threat indicators on Facebook’s Graph API infrastructure
  • Share with the whole community, or with selected partners
  • Libraries for Python, Ruby, PHP, and NodeJS

Page 39

Automate all the things! Within reason…

• Think of ways to integrate your intel tools and security controls
• Automate repeatable tasks
• Don’t try to automate people
• If a security product does not have a documented, robust API, you do not want it!

Page 40

TTPs > Indicators

Page 41

Discourse

• The best intel sharing groups that I have been a part of are private discussion forums. No fancy tech, just humans helping humans
• Great for: learning and sharing tactics, team discussions
• Discourse is a modern, open source forum/mailing list
  • Created by the founders of Stack Overflow
  • Responsive/mobile-friendly
  • Updates in real time
  • Easy to read

Page 42

Defanging attack data

• Defang malicious URLs and mail addresses when posting to places that auto-link, such as IMs and some forums
• That way, a researcher doesn’t accidentally click on a malicious link
• Common conventions
  • Replace http with hxxp
  • Replace . with [.]
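The two conventions above as an added Python example (not code from the slides). It goes a little beyond the slide by also neutralizing the “@” in mail addresses and the dots in IPv4 addresses, and it includes the inverse so that indicators pasted from a forum can be re-ingested by tooling; the sample text in the comments is constructed.

```python
"""Defang/refang indicators with the slide's conventions (hxxp, [.]).
Added example; extending the rules to '@' and IPv4 addresses is this
example's own choice, not something the slide states."""
import re

# Matches URLs, email addresses and dotted IPv4 addresses in free text.
INDICATOR = re.compile(
    r"(?i)(https?://[^\s<>\"']+"      # URL with scheme
    r"|[\w.+-]+@[\w-]+(?:\.[\w-]+)+"  # email address
    r"|\b(?:\d{1,3}\.){3}\d{1,3}\b)"  # IPv4 address
)


def defang_token(token: str) -> str:
    """Neutralize one indicator so chat and forum software will not link it."""
    token = re.sub(r"^http", "hxxp", token, flags=re.IGNORECASE)
    token = token.replace("@", "[@]")  # also neutralizes mailto auto-linking
    return token.replace(".", "[.]")


def defang(text: str) -> str:
    """Defang every indicator found in text, leaving other words untouched."""
    return INDICATOR.sub(lambda m: defang_token(m.group(0)), text)


def refang(text: str) -> str:
    """Invert defang() so detection tooling can ingest the indicators again."""
    text = text.replace("[.]", ".").replace("[@]", "@")
    return re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)


def is_safe_to_post(text: str) -> bool:
    """True when no live (auto-linkable) URL, email or IP remains in text."""
    return INDICATOR.search(text) is None


if __name__ == "__main__":
    # Constructed sample line, e.g. from a sandbox report.
    sample = "C2 at http://evil.example/gate.php and 198.51.100.23, sender bad@evil.example."
    print(defang(sample))
```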

Page 43

What makes a good intel sharing community?

• Confidentiality – The Traffic Light Protocol (TLP) is a good system, if followed. NDAs are better
• No anonymity – We need to know who is being attacked
• Made of all parts of an industry: suppliers, contractors, competitors
• Supportive discussion
• Clear threat indicators (not a wall of text)
• Rapid dissemination
• Frequent activity
• Historic – Learn from the past

Page 44

The InfoSec Speakeasy

• An invite-only community for InfoSec professionals
• I designed it to be a model for starting and managing other groups
• A place to build and share strategy and intel across industries
• Public tutorials
• Powered by the Discourse open source discussion platform
• Send me a request for an invite from your work email, then send your own invites to your colleagues

https://infosecspeakeasy.org

Page 45

Red Sky Alliance

• A private, vetted commercial intel sharing community
• Follows the Kill Chain model – Includes signatures
• All data comes from other members – across a diverse range of industries

Red Sky Alliance FAQ

Page 46

Leveraging intel

Use it or lose it

Page 47

Deploy intel-guided countermeasures

• Block/redirect known bad X-Mailers, IPs, user agents, etc.
• Write custom IDS/IPS rules
• Compare attack techniques to current security controls
• Infer attacker intentions based on targeting and actions
• Block domains based on DNS recon using services like whoisxmlapi
• Keep users and leadership aware of attack trends against your network

Page 48

DIY Endpoint Monitoring and Remediation

• Use the power of open source software and mature, internal intel
• LIMA CHARLIE – Endpoint monitoring stack
  • Constantly monitors your endpoints
  • Recursively investigates
  • Presents findings to the IR analyst
• Use native tools such as PowerShell
  • PSRecon
  • Kansa

Page 49

Defenses to deploy yesterday

• Microsoft EMET (0-day killer)
• Multi-factor authentication (Duo is easy to use and extremely flexible)
• Remove local admins (Avecto DefendPoint, BeyondTrust PowerBroker)
• Email sandboxing (your custom sandbox, Proofpoint, or a combination)
• Block all uncategorized sites at your web proxy
• Block any outbound traffic that isn’t from your mail servers or web proxies
• WAFs, seriously
• Bro NSM, Suricata IDS/IPS with Emerging Threats
• Forced, multi-factor, full-time VPNs for all remote workers
• Tune your AV (it isn’t dead; you might not be using it right)
• Application whitelisting (Windows AppLocker is included with Windows Enterprise)