Threat Intelligence and Baselining

Source Presentation

Presented at SANS @ Night, Wednesday, July 20, 2016 (7:15-8:15 PM), by Matthew J. Harmon (GSEC, GCIH, GCIA, CISSP). Matthew is Principal Consultant at IT Risk Limited specializing in DFIR, Pen Testing, GRC & Risk Management. He is Co-Founder & CTO of the NorSec Foundation, an Information Sharing Analysis Organization (ISAO) focused on “Securing the Internet of Everything” as a not-for-profit (seeking alpha/beta testers). He is a SANS Community & Mentor Instructor teaching Security 401, 504, and 464.

Agenda

  • State of Cyber Security: a short overview of where we are today
  • What is Threat Intelligence? Including the 15 Axioms of Traditional Intelligence, CybOX, STIX & TAXII, and a real-world example
  • Three Threat Intelligence exchanges: ThreatConnect, Critical Stack, and YARA
  • How to Do It Yourself: a lab with Security Onion, Bro, PRADS, and Critical Stack

Reminder: What We’re Protecting

The presentation opened with a reminder of what we’re protecting, sourced from Team Cymru’s visualization of the interconnected internet.

State of Cyber Security

The state of cyber security could be worse – but breaches are inevitable against a motivated attacker with time and resources. And it doesn’t take a super genius.

This is not the year of big breaches; it’s the decade of big breaches. The Verizon 2016 Data Breach Investigations Report documented the continued growth in attack vectors, and the situation remained deeply concerning.

We really need to get better at this.

Sometimes You Win the Moon Shot

On a note of inspiration: the presentation was delivered on July 20, 2016 – exactly 47 years after Apollo 11 landed on the moon (July 20, 1969, 20:18 UTC). A hat tip to Neil Armstrong, Buzz Aldrin, and Michael Collins.

Change Is Good, Sharing Is Good

Executive Order 13691

Executive Order 13691, “Promoting Private Sector Cybersecurity Information Sharing,” established ISAOs on February 13, 2015. Similar to ISACs and Cyber Fusion Centers but not siloed by sector or industry, ISAOs ended the cycle of re-discovering the same attacks. Anyone can participate at ISAO.org.

ISAO Working Groups (ISAO.org)

The ISAO Standards Organization had six working groups, all at v0.2 for document output:

  • WG1: ISAO Startup
  • WG2: ISAO Capabilities
  • WG3: Cybersecurity-Related Information Sharing Guidelines
  • WG4: Privacy & Security
  • WG5: ISAO Support Intake Process
  • WG6: Government Programs, Relations and Services to Assist ISAOs

Traditional Intelligence: The 15 Axioms

Sourced from the Central Intelligence Agency’s “Fifteen Axioms for Intelligence Analysts” (Tradecraft 2000):

  1. Believe in your own professional judgments.
  2. Be aggressive, and do not fear being wrong.
  3. It is better to be mistaken than to be wrong.
  4. Avoid mirror imaging at all costs.
  5. Intelligence is of no value if it is not disseminated.
  6. Coordination is necessary, but do not settle for the least common denominator.
  7. When everyone agrees on an issue, something probably is wrong.
  8. The consumer does not care how much you know, just tell him what is important.
  9. Form is never more important than substance.
  10. Aggressively pursue collection of information you need.
  11. Do not take the editing process too seriously.
  12. Know your Community counterparts and talk to them frequently.
  13. Never let your career take precedence over your job.
  14. Being an intelligence analyst is not a popularity contest.
  15. Do not take your job – or yourself – too seriously.

What Is Threat Intelligence?

Threat intelligence combines Indicators of Compromise (IoCs) – DNS hosts, IP addresses, email addresses, URLs, and file hashes – with relevant threat activity from exchanges: campaigns, malware, known adversaries, situational awareness, and baselining. The result is crowd-sourced, actionable cyber threat intelligence vetted by expert analysts with local validation.

Sharing Formats

  • Unvetted IoCs are low confidence (1)
  • Live attacks and campaigns are high confidence (5)

Sharing methods include:

  • YARA: YAML-like exchange of malfeasance signatures
  • XML-Based: CybOX (Cyber Observables), STIX (Structured Threat Information), TAXII (Trusted Automated Exchange of Indicator Information), and OpenIOC (Open Indicators of Compromise)
  • Tab Separated Values: Critical Stack + Bro

YARA Signatures

YARA rules provide a pattern-matching language for malware identification. Example: https://github.com/Yara-Rules/rules/blob/master/CVE_Rules/CVE-2015-2426.yar

CybOX, STIX & TAXII

CybOX is the dictionary of words – Cyber Observables such as Phishing, Exploit Target, Campaign, and Cyber Adversary.

STIX is a language that uses CybOX terms, built on XML with Schema Definitions providing Object Types with Context (C2 IPs, Emails, Domains, Accounts).

TAXII defines how STIX is shared via Client-Server over HTTP, supporting Inbox (Push) and Poll (Pull).

STIX 2.0 Draft

This is continually evolving: STIX Specification v2.0 Draft 1 was released on Monday, July 18, 2016. See: https://lists.oasis-open.org/archives/cti/201607/msg00051.html

STIX Representations

  • Observable: An event or stateful property
  • Indicator: Observable with context
  • Incident: Set of activities
  • Tactics, Techniques and Procedures (TTP): Operations
  • Exploit Target: Weakness exploited by TTP
  • Course of Action (COA): Defense – prevention, remediation, mitigation
  • Campaign: Set of related TTPs, indicators, incidents, and exploit targets
  • Threat Actor: The adversary

CybOX Objects (Subset)

  • AccountObj: Domain, Authentication, Date/Time
  • AddressObj: IPv4/IPv6 address, VLAN, e-mail
  • ArchiveFileObj: 7-zip, ZIP, APK, CAB, SIT, TGZ
  • DomainNameObj: Fully qualified domain name
  • EMailMessageObj: Received, To, CC, From, Subject
  • URIObj: A Uniform Resource Locator (URL)
  • WhoisObj: Contact, Domain Name, Nameserver
  • X509CertificateObj: Serial number, Algorithm, Subject

OpenIOC

Led by Mandiant, OpenIOC uses XML + XML Schema Definitions. A converter is available: https://github.com/STIXProject/openioc-to-stix

Real-World Example: CybOX, STIX & TAXII

The Investigation

Excessive traffic is noticed on a server from a single workstation – investigation begins. Tracing the workstation back to a user reveals an email from jane.smith@adp.com with a .zip attachment (Indicator). The email had a Return-Path of AmericanExpress@welcome.aexp.com, was received from bba592142.alshamil.net.ae, originating from IP 86.98.54.68 (Indicator).

Malware Analysis

The .zip attachment Invoice_11082014.zip (Indicator, MD5 5d6cbd0a557bb10603bb63b8fe0c4160) contains Invoice_11082014.exe (Observable, MD5 911b7604e84096ee5bbb6741cf02542c). The executable reaches out to 94.23.247.202 (Indicator), redirecting downloads to:

  • porfintengoweb.com/css/11s1.zip
  • jc-charge-it.nl/pages/11s1.zip
  • flightss.d-webs.com/images/airlines-logo/h76id30.zip

Linking to a Campaign

The executable is part of the “Dyreza” banking trojan. Its TTPs include a Domain Generation Algorithm, reaching hosts in the Pacific Islands, and using I2P. Blocks were deployed (COA) to emails matching the MD5 signature and HTTP to C2 hosts. Sharing via TAXII revealed other victims who linked their incidents, mapping a campaign.

Pieces of STIX

STIX Headers, ZIP File Hash identification (extension, size 9,531 bytes, MD5), IP Watchlist (94.23.247.202, 217.13.80.226), and URL Watchlist for the malicious download URLs were all structured according to CybOX-compliant STIX packages.

Threat Intelligence Platforms

ThreatConnect

A collaborative Threat Intelligence Platform with threat data collection, analysis, collaboration, and incident response experts vetting information. Free for NorSec and other ISAO members.

CriticalStack // Intel

Aggregation of open-source indicators of compromise from many feeds in easy-to-read Tab Separated Values with easy client integration into Bro.

Using the Feeds with Bro

Bro is an open-source network analysis framework with well-structured, easy-to-parse data via bro-cut. Unbeatable for forensics, network baselining, and visibility. Built into Security Onion and available at www.bro.org.

Feed Format (.bro.dat)

CryptoWall Ransomware Domains:

#fields indicator indicator_type meta.source
adolfforua.com Intel::DOMAIN http://example.com/feeds/cryptowall-domlist.txt
babamamama.com Intel::DOMAIN http://example.com/feeds/cryptowall-domlist.txt

PoSeidon Point-of-Sale Malware from Team Cymru:

#fields indicator indicator_type meta.source
askyourspace.com/ldl01aef/viewtopic.php Intel::URL https://example.com/link
46.30.41.159 Intel::ADDR https://blog.team-cymru.org/
164af045a08d718372dd6ecd34b746e7032127b1 Intel::FILE_HASH https://blog.team-cymru.org/

Use critical-stack-intel list to view subscribed feeds and bro-cut -d -C < intel.log for human-readable intel hits.
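Added example, not code from the presentation, Critical Stack or Bro: the Python below builds a feed in the tab-separated .bro.dat format shown above from the Dyreza indicators of the real-world example, and checks a feed before Bro's Intel framework loads it (the two classic mistakes being spaces instead of tabs and URLs written with a scheme). The meta.source URL is a placeholder and only four of Bro's Intel::* types are handled.

```python
import ipaddress
import re

HEADER = "#fields\tindicator\tindicator_type\tmeta.source"

def check_indicator(value, itype):
    """Return True if `value` is well-formed for its Bro Intel::* type (subset of types)."""
    if itype == "Intel::ADDR":
        try:
            ipaddress.ip_address(value)
        except ValueError:
            return False
        return True
    if itype == "Intel::FILE_HASH":  # lowercase MD5, SHA-1 or SHA-256 hex digest
        return re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", value) is not None
    if itype == "Intel::DOMAIN":
        return re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", value, re.I) is not None
    if itype == "Intel::URL":
        # Bro matches URLs without the scheme, so an "http://..." entry would never hit.
        return "://" not in value and "/" in value
    return False  # unknown type

def parse_feed(text):  # -> (rows, errors); rows are (indicator, type, source) tuples
    rows, errors = [], []
    lines = text.splitlines()
    if not lines or lines[0] != HEADER:
        errors.append("line 1: missing or wrong #fields header")
    for n, line in enumerate(lines[1:], start=2):
        parts = line.split("\t")  # spaces instead of tabs is the classic broken feed
        if len(parts) != 3:
            errors.append(f"line {n}: expected 3 tab-separated fields, got {len(parts)}")
        elif not check_indicator(parts[0], parts[1]):
            errors.append(f"line {n}: bad indicator {parts[0]!r} for {parts[1]}")
        else:
            rows.append(tuple(parts))
    return rows, errors

def build_feed(rows, source):  # (indicator, type) pairs -> validated feed text
    out = [HEADER]
    for value, itype in rows:
        if not check_indicator(value, itype):
            raise ValueError(f"bad indicator {value!r} for {itype}")
        out.append(f"{value}\t{itype}\t{source}")
    return "\n".join(out) + "\n"

DYREZA = [  # indicators from the Dyreza investigation above (C2 IP, sample hash, download URL)
    ("94.23.247.202", "Intel::ADDR"),
    ("911b7604e84096ee5bbb6741cf02542c", "Intel::FILE_HASH"),
    ("porfintengoweb.com/css/11s1.zip", "Intel::URL"),
]
```

Run parse_feed over a downloaded feed before dropping it into the Bro intel directory; a feed with one bad line is silently useless to Bro, and the errors list tells you which line.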

Baselining and Analysis Tools

SGUIL Analysis

SGUIL provides alert analysis capabilities within Security Onion, allowing analysts to investigate and correlate alerts from multiple data sources. (Source: Doug Burks of Security Onion Solutions)

PRADS for Baselining

PRADS (Passive Real-time Asset Detection System) provides passive network baselining and asset identification. Source: Edward Fjellskaal (https://github.com/gamelinux/prads)

LOKI for IOC Checking

LOKI is an IOC scanner by Florian Roth (https://github.com/Neo23x0/Loki) that checks systems against known indicators of compromise. LOKI includes IOCs for:

  • Equation Group Malware (hashes, Yara rules by Kaspersky and 10 custom rules)
  • Carbanak APT – Kaspersky Report (hashes, filename IOCs, Yara rules)
  • Arid Viper APT – Trendmicro (hashes)
  • Anthem APT Deep Panda Signatures (not officially confirmed, per krebsonsecurity.com)
  • Regin Malware (GCHQ / NSA / FiveEyes) including Legspin and Hopscotch
  • More than 180 hack tool Yara rules (source: APT Scanner THOR)
  • More than 600 web shell Yara rules (source: APT Scanner THOR)
  • Numerous suspicious file name regex signatures (source: APT Scanner THOR)
  • Much more

Getting Started

Threat intelligence is pointless without baselining. You must know what is correct before you can detect deviations. Key principles:

  • Explore the Intelligence Axioms
  • Use Bro and PRADS for baselining and asset identification
  • Use SGUIL for alert analysis
  • Use LOKI for IOC detection
  • Doug Burks’ Security Onion makes it easy

How to Do It Yourself

  1. Install Security Onion on a 2+1 NIC box: https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation (comes with Bro & PRADS preconfigured)

  2. Sign up at Critical Stack // Intel: https://intel.criticalstack.com/

  3. Follow the setup instructions: configure your first client to add Bro and YARA rules to Security Onion

  4. Set up a span, mirror, or network tap: NetGear GS108E ($60) + Raspberry Pi or better

  5. Bonus: Document every authorized device to win!
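Added example, not part of the presentation or of PRADS: learning a baseline of hosts and listening services from a PRADS-style asset log, then flagging what a later log adds, which is the deviation detection the "Getting Started" section calls for. The column layout is assumed from prads-asset.log and all log lines are constructed; the learned baseline is meant to be reviewed against the documented device list from step 5 before it is trusted.

```python
import csv
import io

# Constructed PRADS-style asset logs (prads-asset.log column layout assumed; not real capture data).
BASELINE_LOG = """asset,vlan,port,proto,service,[service-info],distance,discovered
10.1.1.10,0,0,6,CLIENT,[windows:Windows 7],1,1468972800
10.1.1.20,0,443,6,SERVER,[http:nginx],0,1468972801
10.1.1.20,0,22,6,SERVER,[ssh:OpenSSH],0,1468972802
"""
TODAY_LOG = """asset,vlan,port,proto,service,[service-info],distance,discovered
10.1.1.10,0,0,6,CLIENT,[windows:Windows 7],1,1469059200
10.1.1.20,0,443,6,SERVER,[http:nginx],0,1469059201
10.1.1.20,0,3389,6,SERVER,[rdp],0,1469059202
10.1.1.77,0,0,6,CLIENT,[linux:Linux 3.x],1,1469059203
"""

def parse_assets(text):
    """Yield (asset, port, service, service_info) from a PRADS-style CSV asset log."""
    for row in csv.DictReader(io.StringIO(text)):
        yield row["asset"], int(row["port"]), row["service"], row["[service-info]"]

def learn_baseline(log_text):
    """Build the baseline: asset -> set of ports it served during the learning period."""
    baseline = {}
    for asset, port, service, _info in parse_assets(log_text):
        ports = baseline.setdefault(asset, set())  # clients are known hosts with no ports
        if service == "SERVER":
            ports.add(port)
    return baseline

def deviations(baseline, log_text):
    """Compare a later log with the baseline: new hosts, and new services on known hosts."""
    findings = set()
    for asset, port, service, info in parse_assets(log_text):
        if asset not in baseline:
            findings.add(("new-host", asset, port, info))
        elif service == "SERVER" and port not in baseline[asset]:
            findings.add(("new-service", asset, port, info))
    return sorted(findings)

if __name__ == "__main__":
    for kind, asset, port, info in deviations(learn_baseline(BASELINE_LOG), TODAY_LOG):
        print(f"{kind:12} {asset:15} port {port:<5} {info}")
```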

Email for a copy of the slides and/or to get involved with the NorSec Foundation ISAO Program: matthew@itriskltd.com