Presented at SANS @ Night, Thursday, July 23, 2015, by Matthew J. Harmon (GSEC, GCIH, GCIA, CISSP). Matthew is a SANS Community & Mentor Instructor teaching Security 401 (Security Essentials), 504 (Hacker Tools, Techniques, Exploits & Incident Handling), and 464 (Hacker Guard, IT Operations Baselining) since 2009. He serves as CTO & Executive Chairman of the NorSec ISAO (Information Sharing Analysis Organization) and is Principal Consultant at IT Risk Limited, specializing in DFIR, Pen Testing, and Risk Management.
Agenda
- State of Cyber Security: a short overview of where we are today
- What is Threat Intelligence? Explaining CybOX, STIX & TAXII with a real-world example
- Two examples of Threat Intelligence platforms: ThreatConnect and Critical Stack
- How to Do It Yourself: a homework lab with Bro and Critical Stack
State of Cyber Security
The state of cyber security could be worse – but breaches are inevitable against a motivated attacker with time and resources. And it doesn’t take a super genius: a post-it note with a username and password shown on live TV, or big sheets of paper with credentials visible in the background of an interview, demonstrate that even simple human lapses create opportunities.
Incidents and Data Loss: 2014
According to the Verizon 2015 Data Breach Investigations Report, there were 79,790 reported security incidents in 2014, of which 2,122 had confirmed data loss. Compromised credentials were still leading the pack as an attack vector. RAM scrapers were growing. Spyware and keyloggers were going out of vogue due to easier detection methods. Phishing continued to grow.
On time-to-discover: nearly 90% of compromises took less than 24 hours, yet fewer than 25% were discovered within 24 hours.
Latest Breaches
- Neiman Marcus: 350,000 records
- Michaels: 2.6 million cards
- Affinity Gaming: 11 casinos
- New York Attorney General: 22.8 million records
- Community Health Systems: 4.5 million patient records
- Adult FriendFinder: 3.9 million records
- Ashley Madison: 37 million personal records
- Office of Personnel Management: 21.5 million SF-86++ records
- JP Morgan Chase: 76 million households + 7 million businesses
- …and many, many more
What happens if we correlate the Adult FriendFinder, Ashley Madison, and OPM breaches? We really need to get better at this.
Change Is Good, Sharing Is Good
What I think we need to get better at is information sharing. Change is invigorating – if you don’t accept new challenges, you become complacent and lazy. Your network atrophies.
Executive Order 13691
On February 13, 2015, Executive Order 13691, “Promoting Private Sector Cybersecurity Information Sharing,” established Information Sharing Analysis Organizations (ISAOs). Similar to ISACs and Cyber Fusion Centers but not siloed by sector or industry, ISAOs allow anyone to participate. Within two years, it was expected that there would be over 300 ISAOs in various forms across the US, with international liaison relationships. The goal: no more re-discovering the same attacks.
What Is Threat Intelligence?
Threat intelligence isn’t easy, but it isn’t ridiculously hard either. As anyone with a formal military intelligence background can explain, the question is a matter of confidence in your sources.
There are many sources providing combinations of DNS hosts, IP addresses, email addresses, URLs, and files with their associated names and hashes. The next step is to make that information relevant with campaigns and known adversaries, and finally to link various crowd-sourced IoCs and threat activity with vetting by experts.
The result: crowd-sourced, actionable cyber threat intelligence vetted by experts.
Sharing Formats
- Unvetted IoCs are low confidence (1)
- Live attacks and campaigns are high confidence (5)
- Everything else is somewhere in between
Two primary approaches:
- CybOX, STIX & TAXII: Cyber Observables, Structured Threat Information, and Trusted Automated Exchange of Indicator Information – spearheaded by the MITRE Corporation (maintainers of CVE), recently transferred to OASIS
- Tab Separated Values: used by Critical Stack with integration into Bro
CybOX, STIX & TAXII
CybOX is the dictionary of words – the Cyber Observables vocabulary, covering terms like Phishing, Exploit Target, Campaign, and Cyber Adversary.
STIX is a language that uses CybOX terms. Built on XML with Schema Definitions, it provides Object Types with Context (C2 IPs, Emails, Domains, Accounts).
TAXII defines how STIX information is shared via a Client-Server protocol over HTTP, supporting Inbox (Push) and Poll (Pull) operations.
STIX Representations
- Observable: An event or stateful property (e.g., an email or file)
- Indicator: An observable with a specific context (e.g., an IP, domain, or file hash)
- Incident: A set of specific activities
- Tactics, Techniques and Procedures (TTP): The specific modus operandi or operations by a threat actor
- Exploit Target: A weakness exploited by a TTP
- Course of Action (COA): A defensive measure – prevention (blocking), remediation (patching), or mitigation to limit impact
- Campaign: A set of related TTPs, indicators, incidents, and exploit targets
- Threat Actor: The cyber adversary performing these actions
CybOX Objects (Subset)
- AccountObj: Domain, Authentication, Date/Time (including access and lockout state)
- AddressObj: IPv4/IPv6 address, VLAN, subnet, e-mail
- ArchiveFileObj: 7-zip, ZIP, APK, CAB, SIT, TGZ
- DomainNameObj: Fully qualified domain name (e.g., SANS.org)
- EMailMessageObj: Received, To, CC, From, Subject, body contents, any header, date/time
- URIObj: A Uniform Resource Identifier (URL)
- WhoisObj: Contact, Domain Name, Nameserver
- X509CertificateObj: Serial number, Algorithm, Subject name
Real-World Example: CybOX, STIX & TAXII
The Investigation
Excessive traffic is noticed on a server from a single workstation – the investigation begins. Tracing the workstation back to a user reveals an email from jane.smith@adp.com with a .zip attachment (Indicator). The email had a Return-Path of AmericanExpress@welcome.aexp.com, was received from bba592142.alshamil.net.ae, and originated from IP 86.98.54.68 (Indicator).
Malware Analysis
The .zip attachment is named Invoice_11082014.zip (Indicator) with MD5 5d6cbd0a557bb10603bb63b8fe0c4160. It contains an executable Invoice_11082014.exe with MD5 911b7604e84096ee5bbb6741cf02542c (Observable). The executable reaches out over HTTP to 94.23.247.202 (Indicator), which redirects downloads to:
- porfintengoweb.com/css/11s1.zip
- jc-charge-it.nl/pages/11s1.zip
- flightss.d-webs.com/images/airlines-logo/h76id30.zip
Linking to a Campaign
The executable is identified as part of the “Dyreza” malware, a banking trojan. Its TTPs include a Domain Generation Algorithm, reaching out to hosts in the Pacific Islands, and using I2P. The Course of Action was to deploy blocks to emails matching the MD5 signature and block HTTP to the C2 hosts. Sharing this information with peers via TAXII revealed other similar victims who linked their incidents to these observations, mapping a campaign.
Pieces of STIX
STIX Headers reference schema definitions for stix_core.xsd, indicator.xsd, ttp.xsd, and course_of_action.xsd, with a header titled “Dryeza Phishing Indicator” and Package Intent of “Indicators - Phishing”.
ZIP File Hash identifies the file extension (zip), size (9,531 bytes), and MD5 hash, with a TTP description of “Phishing”.
IP Watchlist uses AddressObject:AddressObjectType of category ipv4-addr to match 94.23.247.202 and 217.13.80.226.
URL Watchlist uses URIObject:URIObjectType to match the malicious download URLs.
The full IoC includes the File Hash Watchlist indicator, valid time window, FileObjectType, MD5 hash type and value, and a confidence level of Medium. TAXII Poll requests run over HTTP with Host, Content-Type, User-Agent headers, Services and Protocol version numbers, followed by a Poll Fulfillment request. The response returns the corresponding STIX payload.
Threat Intelligence Platforms
ThreatConnect
ThreatConnect is a collaborative Threat Intelligence Platform offering threat data collection, analysis, and collaboration with incident response experts on staff to vet information. It was free for NorSec and other ISAO members. Each adversary (such as “Hacking Team” out of Milan) has specific IoCs associated with them, including file hashes, URLs, and hostile addresses – as they frequently sell the same tools to multiple parties with very few modifications.
CriticalStack // Intel
CriticalStack // Intel aggregates open-source indicators of compromise from 100+ feeds into easy-to-read Tab Separated Values with direct client integration into Bro. Open-source IoCs should be considered low to medium confidence as they are not vetted by experts like ThreatConnect sources, but they are still very valuable. The aggregated feeds include the malwaredomainlist, Tor Project exit node list, Team Cymru’s PoSeidon IOCs, Zeus Tracker, DShield, known scam domains, known compromised hosts, and the CryptoWall domain and IP lists.
Using the Feeds with Bro
Bro is an open-source network analysis framework with well-structured, easy-to-parse data via bro-cut. It is an unbeatable resource for forensics activities, network baselining, and network visibility. Bro is built into the Security Onion Linux distribution and available at www.bro.org.
Feed Format (.bro.dat)
Critical Stack Intel feeds download as .bro.dat files – much simpler than the complex XML and Schema Definitions of CybOX & STIX. They contain tab-separated fields: indicator, indicator_type, and meta.source.
CryptoWall Ransomware Domains example:
#fields indicator indicator_type meta.source
adolfforua.com Intel::DOMAIN http://example.com/feeds/cryptowall-domlist.txt
babamamama.com Intel::DOMAIN http://example.com/feeds/cryptowall-domlist.txt
craspatsp.com Intel::DOMAIN http://example.com/feeds/cryptowall-domlist.txt
PoSeidon Point-of-Sale Malware example from Team Cymru:
#fields indicator indicator_type meta.source
askyourspace.com/ldl01aef/viewtopic.php Intel::URL https://example.com/link
46.30.41.159 Intel::ADDR https://blog.team-cymru.org/
46.166.168.106 Intel::ADDR https://blog.team-cymru.org/
164af045a08d718372dd6ecd34b746e7032127b1 Intel::FILE_HASH https://blog.team-cymru.org/
Loading and Verifying
After loading feeds into Bro, use critical-stack-intel list to view subscribed feeds and their indicator counts. Use bro-cut -d -C < intel.log to view intel hits with human-readable time values (-d) and all headers (-C). In live testing, five connections to known TOR exit nodes and a hostile domain were detected.
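To show what the .bro.dat layout above looks like to a consumer, and the kind of hit that ends up in intel.log, here is an added example (not part of the original talk or of the Critical Stack client): a small loader that parses a constructed feed, rejects lines Bro's Intel framework would not understand, and matches normalized observations against the loaded indicators. The seen-where labels and the sample rows are constructed for illustration.

```python
# Types that appear on this page plus two (SUBNET, EMAIL) that Bro's Intel framework also defines.
KNOWN_TYPES = {"Intel::ADDR", "Intel::SUBNET", "Intel::DOMAIN",
               "Intel::URL", "Intel::EMAIL", "Intel::FILE_HASH"}
# Constructed sample in the .bro.dat layout (tab-separated); not a real feed download.
SAMPLE_FEED = (
    "#fields\tindicator\tindicator_type\tmeta.source\n"
    "adolfforua.com\tIntel::DOMAIN\thttp://example.com/feeds/cryptowall-domlist.txt\n"
    "46.30.41.159\tIntel::ADDR\thttps://blog.team-cymru.org/\n"
    "askyourspace.com/ldl01aef/viewtopic.php\tIntel::URL\thttps://example.com/link\n"
    "164af045a08d718372dd6ecd34b746e7032127b1\tIntel::FILE_HASH\thttps://blog.team-cymru.org/\n"
    "bogus.example\tIntel::NOPE\thttps://example.com/broken\n"   # malformed: unknown type
)

def normalize(value, itype):
    """Canonicalise values before lookup; otherwise case or a trailing dot silently misses."""
    value = value.strip()
    if itype in ("Intel::DOMAIN", "Intel::EMAIL"):
        return value.lower().rstrip(".")
    if itype == "Intel::FILE_HASH":
        return value.lower()
    return value

def load_feed(text):
    """Parse a .bro.dat feed into {(type, indicator): source}; return (index, rejected lines)."""
    index, rejected, fields = {}, [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]          # column names follow the "#fields" token
            continue
        if line.startswith("#"):                   # any other comment line
            continue
        row = dict(zip(fields, line.split("\t"))) if fields else {}
        itype = row.get("indicator_type")
        if not row.get("indicator") or itype not in KNOWN_TYPES:
            rejected.append((lineno, line))        # don't load what Bro would not accept
            continue
        index[(itype, normalize(row["indicator"], itype))] = row["meta.source"]
    return index, rejected

def match(index, observations):
    """observations: (where_seen, type, value) tuples; returns hits shaped like intel.log rows."""
    hits = []
    for where, itype, value in observations:
        key = (itype, normalize(value, itype))
        if key in index:
            hits.append((where, itype, key[1], index[key]))
    return hits
```

The rejected list is worth checking after every feed refresh: a feed that changes its header or starts emitting an unfamiliar type will otherwise disappear from your coverage without a visible error.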
Homework Lab
- Install Security Onion on a 2+1 NIC box (one port ingress, one egress, one management): https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation (comes with Bro preconfigured), or install Bro standalone: https://www.bro.org/sphinx/install/install.html
- Sign up at Critical Stack // Intel: https://intel.criticalstack.com/
- Follow the setup instructions: subscribe to some feeds, load the client and feeds into your Bro instance
- Set up a span, mirror, or network tap:
  - At work: get employer permission for a passive mirror port for network traffic
  - At home: Throwing Star LAN Tap ($20) or NetGear GS108E ($60) with port mirror capability
Homework Lab, Resources & Links: http://bit.ly/SANSMpls2015MJH
Contact: mjh@itys.net