Presented at the Cyber Security Summit 2015 by Matthew J. Harmon of IT Risk Limited, LLC. Matthew is a Principal Consultant specializing in DFIR, Pen Testing, Risk Management, and IT Audit. He is a SANS Instructor for courses 401 (Security Essentials), 464 (Hacker Guard, IT Operations Baselining), and 504 (Hacker Tools, Techniques, Exploits & Incident Handling), holding GSEC, GCIH, GCIA, and CISSP certifications. He also serves as a Working Board Member of the NorSec ISAO (Information Sharing Analysis Organization).
Agenda
- State of Cyber Security: a short overview of where we are today
- What is Threat Intelligence? Including an explanation of CybOX, STIX & TAXII, with a real-world example
- Two examples of Threat Intelligence platforms: ThreatConnect and Critical Stack
- How to Do It Yourself: a homework lab with Bro and Critical Stack
State of Cyber Security
The state of cyber security could be worse – but breaches are inevitable against a motivated attacker with time and resources. And it doesn’t take a super genius: credentials on post-it notes caught on live TV, or big sheets of paper in the background of an interview, demonstrate that even simple human lapses open the door.
Incidents and Data Loss: 2014
Drawing from the Verizon 2015 Data Breach Investigations Report, the presentation reviewed incident counts, attack vectors (compromised credentials leading the pack, RAM scrapers growing, phishing continuing to rise), and the alarming gap in time-to-discover metrics: in nearly 90% of cases the compromise takes less than 24 hours, yet fewer than 25% of breaches are discovered within 24 hours.
Latest Breaches
A roll call of major breaches underscored the scale of the problem:
- 100 banks across 30 countries lost $1 billion in fraudulent transfers over two years
- Michaels: 2.6 million cards
- Affinity Gaming: 11 casinos
- New York Attorney General: 22.8 million records
- Community Health Systems: 4.5 million patient records
- Adult FriendFinder: 3.9 million records
- Ashley Madison: 37 million personal records
- Office of Personnel Management: 21.5 million SF-86++ records
- Experian: 15 million T-Mobile customers (from a single file)
- JP Morgan Chase: 76 million households + 7 million businesses
- …and many, many more
We really need to get better at this.
Change Is Good, Sharing Is Good
We need to learn from each other. On February 13, 2015, Executive Order 13691, “Promoting Private Sector Cybersecurity Information Sharing,” established Information Sharing Analysis Organizations (ISAOs). Similar to ISACs and Cyber Fusion Centers but not siloed by sector or industry, ISAOs allow anyone to participate. The goal: no more re-discovering the same attacks.
What Is Threat Intelligence?
Threat intelligence combines Indicators of Compromise (IoCs) – DNS hosts, IP addresses, email addresses, URLs, and file hashes – with relevant threat activity such as campaigns, malware families, and known adversaries. The result is crowd-sourced, actionable cyber threat intelligence vetted by experts.
Confidence Levels
- Unvetted IoCs are low confidence (1)
- Live attacks and campaigns are high confidence (5)
- Everything else falls somewhere in between
Sharing Formats
Two primary approaches for sharing threat intelligence:
- CybOX, STIX & TAXII – Cyber Observables, Structured Threat Information, and Trusted Automated Exchange of Indicator Information
- Tab Separated Values – used by Critical Stack with integration into Bro
CybOX, STIX & TAXII
CybOX is the dictionary of words – the Cyber Observables vocabulary. It defines terms like Phishing, Exploit Target, Campaign, and Cyber Adversary.
STIX is a language that uses CybOX terms. Built on XML with Schema Definitions, it provides Object Types with Context (C2 IPs, Emails, Domains, Accounts).
TAXII defines how STIX information is shared. It operates as a Client-Server protocol over HTTP, supporting both Inbox (Push) and Poll (Pull) operations.
STIX Representations
- Observable: An event or stateful property
- Indicator: An observable with context
- Incident: A set of activities
- Tactics, Techniques and Procedures (TTP): The modus operandi
- Exploit Target: A weakness exploited by a TTP
- Course of Action (COA): A defensive measure – prevention, remediation, or mitigation
- Campaign: A set of related TTPs, indicators, incidents, and exploit targets
- Threat Actor: The adversary
CybOX Objects (Subset)
- AccountObj: Domain, Authentication, Date/Time
- AddressObj: IPv4/IPv6 address, VLAN, e-mail
- ArchiveFileObj: 7-zip, ZIP, APK, CAB, SIT, TGZ
- DomainNameObj: Fully qualified domain name
- EMailMessageObj: Received, To, CC, From, Subject
- URIObj: A Uniform Resource Locator (URL)
- WhoisObj: Contact, Domain Name, Nameserver
- X509CertificateObj: Serial number, Algorithm, Subject
Real-World Example: CybOX, STIX & TAXII
The Investigation
Excessive traffic is noticed on a server from a single workstation – the investigation begins. Tracing the workstation back to a user reveals an email from jane.smith@adp.com with a .zip attachment (Indicator). The email had a Return-Path of AmericanExpress@welcome.aexp.com, was received from bba592142.alshamil.net.ae, and originated from IP 86.98.54.68 (Indicator).
Malware Analysis
The .zip attachment is named Invoice_11082014.zip (Indicator) with MD5 5d6cbd0a557bb10603bb63b8fe0c4160. It contains an executable Invoice_11082014.exe with MD5 911b7604e84096ee5bbb6741cf02542c (Observable). The executable reaches out over HTTP to 94.23.247.202 (Indicator), which redirects downloads to:
- porfintengoweb.com/css/11s1.zip
- jc-charge-it.nl/pages/11s1.zip
- flightss.d-webs.com/images/airlines-logo/h76id30.zip
Linking to a Campaign
Through research, the executable is identified as part of the “Dyreza” malware, a banking trojan. This trojan uses a Domain Generation Algorithm (TTP), reaches out to hosts in the Pacific Islands (TTP), and uses I2P (TTP). Blocks are deployed (COA) for emails whose attachment matches the MD5 hash, and HTTP traffic to the C2 hosts is blocked. Sharing this information with peers via TAXII reveals other similar victims, who link their incidents to these observations and together uncover a campaign.
Pieces of STIX
STIX Headers for a CybOX-compliant package reference schema definitions for stix_core.xsd, indicator.xsd, ttp.xsd, and course_of_action.xsd, with a header titled “Dyreza Phishing Indicator” and Package Intent of “Indicators - Phishing”.
ZIP File Hash identifies the file extension (zip), size (9,531 bytes), and MD5 hash (5d6cbd0a557bb10603bb63b8fe0c4160), with an indicated TTP description of “Phishing”.
IP Watchlist uses an AddressObject:AddressObjectType of category ipv4-addr to match IPs 94.23.247.202 and 217.13.80.226.
URL Watchlist uses a URIObject:URIObjectType to match the malicious download URLs at porfintengoweb.com, jc-charge-it.nl, and flightss.d-webs.com.
The full IoC assembled in CybOX + STIX includes the File Hash Watchlist indicator, valid time window, FileObjectType, MD5 hash value, and a confidence level of Medium. TAXII Poll requests and responses run over HTTP with appropriate headers, protocol versions, and Poll Fulfillment payloads.
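The following is an added example, not code from the presentation or from any of the tools it names. It shows the two sharing formats side by side: a TAXII 1.1 Poll exchange (the client's Poll_Request and the HTTP headers it carries, and a constructed server Poll_Response) whose content block wraps a minimal STIX 1.1.1 package holding the File Hash, IP and URL watchlist indicators from the Dyreza case, which the code then flattens into the tab-separated indicator/indicator_type/meta.source rows that Critical Stack hands to Bro. The namespace URIs are the ones the TAXII 1.1 XML binding and the STIX/CybOX 1.x schemas define; the collection name, message ids and the `taxii://` source label are made up for the example, and the STIX package is trimmed to the fields the parser reads.

```python
"""Unwrap a TAXII 1.1 Poll_Response, read the STIX 1.1.1 indicators it carries, and
emit Critical Stack / Bro Intel rows. Constructed example; ids and names are made up."""
import xml.etree.ElementTree as ET

NS = {  # namespace URIs from the TAXII 1.1 XML binding and the STIX/CybOX 1.x schemas
    "taxii_11": "http://taxii.mitre.org/messages/taxii_xml_binding-1.1",
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "URIObj": "http://cybox.mitre.org/objects#URIObject-2",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# HTTP headers a TAXII 1.1 client sends along with the Poll_Request body.
POLL_HEADERS = {"Content-Type": "application/xml",
                "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
                "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:http:1.0",
                "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1"}

def poll_request(collection, message_id):
    """Client side: Poll_Request asking a collection for its full content."""
    return (f'<taxii_11:Poll_Request xmlns:taxii_11="{NS["taxii_11"]}" '
            f'message_id="{message_id}" collection_name="{collection}">'
            '<taxii_11:Poll_Parameters allow_asynch="false">'
            '<taxii_11:Response_Type>FULL</taxii_11:Response_Type>'
            '</taxii_11:Poll_Parameters></taxii_11:Poll_Request>')

# Server side (constructed): Poll_Response whose content block carries a minimal STIX
# package with the three watchlist indicators from the Dyreza case.
POLL_RESPONSE = """<taxii_11:Poll_Response xmlns:taxii_11="%s" message_id="1001"
  in_response_to="42" collection_name="norsec-example" more="false">
 <taxii_11:Content_Block>
  <taxii_11:Content_Binding binding_id="urn:stix.mitre.org:xml:1.1.1"/>
  <taxii_11:Content>
   <stix:STIX_Package version="1.1.1" xmlns:stix="%s" xmlns:indicator="%s" xmlns:cybox="%s"
     xmlns:cyboxCommon="%s" xmlns:FileObj="%s" xmlns:AddressObj="%s" xmlns:URIObj="%s"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <stix:STIX_Header><stix:Title>Dyreza Phishing Indicator</stix:Title></stix:STIX_Header>
    <stix:Indicators>
     <stix:Indicator xsi:type="indicator:IndicatorType"><indicator:Type>File Hash Watchlist</indicator:Type>
      <indicator:Observable><cybox:Object><cybox:Properties xsi:type="FileObj:FileObjectType">
       <FileObj:Hashes><cyboxCommon:Hash><cyboxCommon:Type>MD5</cyboxCommon:Type>
        <cyboxCommon:Simple_Hash_Value>5d6cbd0a557bb10603bb63b8fe0c4160</cyboxCommon:Simple_Hash_Value>
       </cyboxCommon:Hash></FileObj:Hashes></cybox:Properties></cybox:Object></indicator:Observable>
     </stix:Indicator>
     <stix:Indicator xsi:type="indicator:IndicatorType"><indicator:Type>IP Watchlist</indicator:Type>
      <indicator:Observable><cybox:Object>
       <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
        <AddressObj:Address_Value apply_condition="ANY">94.23.247.202##comma##217.13.80.226</AddressObj:Address_Value>
       </cybox:Properties></cybox:Object></indicator:Observable>
     </stix:Indicator>
     <stix:Indicator xsi:type="indicator:IndicatorType"><indicator:Type>URL Watchlist</indicator:Type>
      <indicator:Observable><cybox:Object><cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
       <URIObj:Value>porfintengoweb.com/css/11s1.zip</URIObj:Value>
      </cybox:Properties></cybox:Object></indicator:Observable>
     </stix:Indicator>
    </stix:Indicators>
   </stix:STIX_Package>
  </taxii_11:Content>
 </taxii_11:Content_Block>
</taxii_11:Poll_Response>""" % (NS["taxii_11"], NS["stix"], NS["indicator"], NS["cybox"],
                                 NS["cyboxCommon"], NS["FileObj"], NS["AddressObj"], NS["URIObj"])

def stix_packages(poll_response_xml):
    """Every STIX_Package inside the response's TAXII content blocks."""
    root = ET.fromstring(poll_response_xml)
    return [pkg for content in root.iterfind(".//taxii_11:Content", NS)
            for pkg in content.iterfind("stix:STIX_Package", NS)]

def bro_intel_rows(poll_response_xml, source):
    """Map CybOX objects to (indicator, Intel::type, meta.source) rows for Bro."""
    rows = []
    for pkg in stix_packages(poll_response_xml):
        for props in pkg.iterfind(".//cybox:Properties", NS):
            kind = props.get(XSI_TYPE, "")
            if kind.endswith("FileObjectType"):
                for h in props.iterfind(".//cyboxCommon:Hash", NS):
                    rows.append((h.findtext("cyboxCommon:Simple_Hash_Value", "", NS).strip(),
                                 "Intel::FILE_HASH", source))
            elif kind.endswith("AddressObjectType"):
                for v in props.iterfind("AddressObj:Address_Value", NS):
                    # CybOX packs multi-valued fields with the ##comma## delimiter
                    for addr in (v.text or "").split("##comma##"):
                        rows.append((addr.strip(), "Intel::ADDR", source))
            elif kind.endswith("URIObjectType"):
                for v in props.iterfind("URIObj:Value", NS):
                    rows.append(((v.text or "").strip(), "Intel::URL", source))
    return rows

def render_bro_dat(rows):
    """Serialise rows in the .bro.dat layout Critical Stack uses (tab separated)."""
    return "\n".join(["#fields\tindicator\tindicator_type\tmeta.source"]
                     + ["\t".join(r) for r in rows]) + "\n"

if __name__ == "__main__":
    print(poll_request("norsec-example", "42"), POLL_HEADERS)
    print(render_bro_dat(bro_intel_rows(POLL_RESPONSE, "taxii://norsec-example")))
```

The parser keys off the `xsi:type` of each CybOX `Properties` element rather than the indicator's title, because that attribute is what actually tells a consumer which object type it is looking at; a feed that renamed its indicators would still convert correctly. The `##comma##` split matters in practice: a single IP Watchlist observable often carries a whole list of addresses, and dropping all but the first silently loses indicators.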
Threat Intelligence Platforms
ThreatConnect
ThreatConnect is a collaborative Threat Intelligence Platform offering threat data collection, analysis, and collaboration with incident response experts on staff to vet information. It was free for NorSec and other ISAO members. The platform provides views of known adversaries and their associated indicators of compromise, including file hashes, URLs, and hostile addresses.
CriticalStack // Intel
CriticalStack // Intel aggregates open source indicators of compromise from 100+ feeds into easy-to-read Tab Separated Values with direct client integration into Bro.
Using the Feeds with Bro
Bro is an open-source network analysis framework with well-structured, easy-to-parse data via bro-cut. It is an unbeatable resource for forensics activities, network baselining, and network visibility. Bro is built into the Security Onion Linux distribution and is available at www.bro.org.
Feed Format (.bro.dat)
Critical Stack Intel feeds download as .bro.dat files containing tab-separated fields: indicator, indicator_type, and meta.source.
CryptoWall Ransomware Domains example:
#fields indicator indicator_type meta.source
adolfforua.com Intel::DOMAIN http://example.com/feeds/cryptowall-domlist.txt
babamamama.com Intel::DOMAIN http://example.com/feeds/cryptowall-domlist.txt
craspatsp.com Intel::DOMAIN http://example.com/feeds/cryptowall-domlist.txt
PoSeidon Point-of-Sale Malware example from Team Cymru:
#fields indicator indicator_type meta.source
askyourspace.com/ldl01aef/viewtopic.php Intel::URL https://example.com/link
46.30.41.159 Intel::ADDR https://blog.team-cymru.org/
46.166.168.106 Intel::ADDR https://blog.team-cymru.org/
164af045a08d718372dd6ecd34b746e7032127b1 Intel::FILE_HASH https://blog.team-cymru.org/
Analyzing with bro-cut
Use bro-cut -d -C < intel.log to view intel hits with human-readable time values (-d) and all headers (-C).
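As an added example (not Bro's code and not Critical Stack's client), the block below does in plain Python what the feed format and the bro-cut step above rely on: it parses a constructed .bro.dat feed using its `#fields` header, matches a handful of constructed "seen" observations against it the way Bro's Intel framework would, writes the hits out in an intel.log-style TSV (a subset of the real columns), and then selects columns from that log by name, which is what `bro-cut` does. The timestamps, hosts and the benign `www.example.org` lookup are made up; the `seen.where` values are written in the style of Bro's Intel location names.

```python
"""Match observations against Critical Stack style .bro.dat intel files the way Bro's
Intel framework does, and slice the resulting log like bro-cut. Constructed example."""

# Constructed feed in the .bro.dat layout: '#fields' header, tab-separated rows.
FEED = ("#fields\tindicator\tindicator_type\tmeta.source\n"
        "adolfforua.com\tIntel::DOMAIN\thttp://example.com/feeds/cryptowall-domlist.txt\n"
        "askyourspace.com/ldl01aef/viewtopic.php\tIntel::URL\thttps://example.com/link\n"
        "46.30.41.159\tIntel::ADDR\thttps://blog.team-cymru.org/\n"
        "164af045a08d718372dd6ecd34b746e7032127b1\tIntel::FILE_HASH\thttps://blog.team-cymru.org/\n")

def load_intel(text):
    """Parse .bro.dat text into {(indicator, indicator_type): set(meta.source)}."""
    fields, table = None, {}
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]          # column names come from the header
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("indicator row before #fields header")
            row = dict(zip(fields, line.split("\t")))
            key = (row["indicator"].lower(), row["indicator_type"])
            table.setdefault(key, set()).add(row.get("meta.source", "-"))
    return table

# Constructed "seen" observations: what protocol analysers would hand the Intel
# framework, with location names written in the style Bro uses.
OBSERVATIONS = [
    {"ts": "1446000000.100000", "id.orig_h": "10.0.0.12", "indicator": "adolfforua.com",
     "indicator_type": "Intel::DOMAIN", "where": "DNS::IN_REQUEST"},
    {"ts": "1446000001.200000", "id.orig_h": "10.0.0.12", "indicator": "46.30.41.159",
     "indicator_type": "Intel::ADDR", "where": "Conn::IN_RESP"},
    {"ts": "1446000002.300000", "id.orig_h": "10.0.0.12",   # HTTP Host + URI, no scheme
     "indicator": "askyourspace.com/ldl01aef/viewtopic.php",
     "indicator_type": "Intel::URL", "where": "HTTP::IN_URL"},
    {"ts": "1446000003.400000", "id.orig_h": "10.0.0.57", "indicator": "www.example.org",
     "indicator_type": "Intel::DOMAIN", "where": "DNS::IN_REQUEST"},   # benign, no hit
]

def match(table, observations):
    """Return the observations whose (indicator, type) is in the intel table, plus sources."""
    hits = []
    for obs in observations:
        key = (obs["indicator"].lower(), obs["indicator_type"])
        if key in table:
            hits.append({**obs, "sources": sorted(table[key])})
    return hits

INTEL_LOG_FIELDS = ["ts", "id.orig_h", "seen.indicator", "seen.indicator_type",
                    "seen.where", "sources"]

def render_intel_log(hits):
    """Write hits as an intel.log-style TSV (a subset of Bro's real columns)."""
    lines = ["#fields\t" + "\t".join(INTEL_LOG_FIELDS)]
    for h in hits:
        lines.append("\t".join([h["ts"], h["id.orig_h"], h["indicator"], h["indicator_type"],
                                h["where"], ",".join(h["sources"])]))
    return "\n".join(lines) + "\n"

def bro_cut(log_text, *columns):
    """Minimal bro-cut: pick named columns out of a Bro TSV log via its #fields header."""
    fields, out = None, []
    for line in log_text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("log row before #fields header")
            row = dict(zip(fields, line.split("\t")))
            out.append([row[c] for c in columns])
    return out

if __name__ == "__main__":
    log = render_intel_log(match(load_intel(FEED), OBSERVATIONS))
    print(log)
    print(bro_cut(log, "id.orig_h", "seen.indicator", "seen.where"))
```

Two details are worth noticing. The indicator is keyed together with its type, so the domain `adolfforua.com` in a DNS query is a hit while the same string appearing as, say, a file hash would not be; this is also why an `Intel::URL` entry carries no scheme, since the observation is built from the HTTP Host header plus the request URI. And the header-driven column lookup is exactly why `bro-cut -C` is worth keeping: strip the `#fields` line and neither this code nor bro-cut can tell which column is which.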
Prototyping with Raspberry Pi
The presentation demonstrated prototyping a threat intelligence sensor using a Raspberry Pi 2.
Homework Lab
- Install Security Onion on a 2+1 NIC box: https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation (comes with Bro preconfigured), or install Bro standalone: https://www.bro.org/sphinx/install/install.html
- Sign up at Critical Stack // Intel: https://intel.criticalstack.com/
- Follow the setup instructions: configure your first client to add Bro rules to Security Onion
- Set up a span, mirror, or network tap:
  - At work: get employer permission for a threat intel mirror port
  - At home: Throwing Star LAN Tap ($20) or NetGear GS108E ($60)
NorSec ISAO
The NorSec ISAO was actively seeking alpha testers and first members. Contact: info@norsec.org.
Lab, Resources & Links: http://bit.ly/CSS2015ThreatIntel101