
Making Sense of Cyber Threat Intelligence

Date post: 26-May-2020
Almerindo Graziano, PhD
Silensec, CEO
[email protected]

Copyrighted material. Any reproduction, in any media or format is forbidden
© 2019


About Me

www.silensec.com

• Almerindo Graziano, CEO of Silensec
• PhD in mobile computer security from the University of Naples, Italy
• Founder and course leader for the MSc in Information Systems Security at Sheffield Hallam University
• Author of numerous security training courses
• Cyber security expert for International Telecommunication Union (ITU)
• Co-chair of ECSO SWG 5.3 on Cyber Ranges and Security Awareness
• Airmiles collector


The Threat Landscape


Social Media Threats


Hashtag/traffic hijacking

#McDStories (McDonald, 2012)

Twitter accounts hijacked with 'Nazi' hashtags in Turkish (Mar ‘17)

• Re-use of a hashtag for a purpose other than the one originally intended
• Typical threat actors
  – Trollers
  – Hacktivists
  – Cyber criminals
  – State-sponsored
• Hijacked hashtags can be used to include malicious links


Fake Profiles

The Case of Robin Sage

• Fake profile by researcher Tom Ryan as a proof of concept in 2010

• Connections across NSA, DOD and Military Intelligence groups and from Global 500 corporations
• Robin Sage was offered
  – Job opportunities
  – Requests to review papers and presentations


Account Impersonation

Example: Twitter

• The attacker impersonates the corporate Twitter account
  – Corporate logo
  – Misleading Twitter handle
• Typical scenarios
  – Direct user account compromise
  – Mass malware campaign via hashtag hijacking


Account Impersonation

Example: LinkedIn

Example 1

Example 2
– Target LinkedIn account cloned
– Invitation is sent to contacts asking to reconnect
– A few days of “normal” LinkedIn posts
– Mass message containing a malicious link sent


Clickbait Attacks

• Use of sensational news headlines to spread phishing or malware links

• Exploits the reader’s curiosity
  – “WATCH THIS INSANE VIDEO OF A SHARK EATING A FISHERMAN!”
  – “APPLE IPADS 95% OFF TODAY ONLY!”


Targeting Senior Execs

• Notable Senior Execs
  – Facebook’s CEO Mark Zuckerberg
  – Twitter Ex-CEO Dick Costolo
  – Google's CEO Sundar Pichai

• Business Email Compromise (BEC)

A form of phishing attack where a cyber criminal impersonates an executive (often the CEO), and attempts to get an employee, customer, or vendor to transfer funds or sensitive information to the phisher.


Stolen Credentials

Rambler.ru’s 98.1M accounts, and their cleartext passwords (stolen in 2012) made public (Sep ‘16)

ClixSense Data Breach, 6.6 Million users’ records stolen! (Sep ‘16)

Hacker Selling 65 Million Passwords From Tumblr Data Breach (May ‘16)


Rogue Mobile Applications

Sample Alternative Marketplaces

Marketplace          Number of Users/Apps
AppChina             30 million users
Tencent App Gem      80 million users
Anzhi                25 million users
Amazon Appstore      25 million apps downloaded every month
Opera Mobile Store   30 million apps downloaded every month
AppChina             600 million apps downloaded every month
Wandoujia            200 million users with over 30 million apps downloaded every day – 500,000 new users are acquired every day
Samsung Apps         Preinstalled on more than 100 million Galaxy smartphones

http://www.businessofapps.com/the-ultimate-app-store-list/


Traditional Approach to Security

• Risk-based Approach
  – Focus on the vulnerability element of risk
  – Little or no emphasis on threats and threat actors
• Choose security controls for risk treatment
  – Protection
  – Detection
  – Reaction

[Figure: Protection, Detection, Reaction]


Traditional Approach to Security

• Too much focus on Protection
• Too little Detection
• Too much Reaction without Learning!

[Figure: Protection, Detection, Reaction, with the label "Too Little Detection"]


Understanding Cyber Threat Intelligence

• Proaction: Proactive measures to identify potential attackers, intentions and methods
• Protection: Security measures and controls to protect from, deter and stop attacks as well as minimize the impact of a compromise
• Detection: Process of monitoring to identify intrusions and attacks
• Reaction: Processes and methods to investigate intrusions and respond to a compromise


What is Threat Intelligence

• “Details of the motivations, intent, and capabilities of internal and external threat actors. Threat intelligence includes specifics on the tactics, techniques, and procedures of these adversaries. Threat intelligence's primary purpose is to inform business decisions regarding the risks and implications associated with threats” (Forrester)


CTI in Layman’s Terms

• CTI is about managing risk exposure by trying to identify the capabilities of threat actors
  – Likelihood of a threat manifesting itself
  – Impact of attacks

[Figure: diagram with the labels Capability, Intent, Vulnerability, Exploit, Cause, Impact]


The Big Picture

• Threat Actors
  – Different types, motivations, targets
• Goals and Strategy
  – Define what the attackers want and how they plan to achieve it
• Tactics, Techniques and Procedures
  – Define what the attackers will do to implement their strategy and achieve their goals
• Indicators
  – Define the evidence left behind by the attackers

[Figure: diagram with the labels Threat Actor, Goals, Strategy, Tactics, Techniques, Procedures, Indicators]


Indicators

• Typical indicators addressed by cyber threat intelligence include

– Domain name, IP address, hash (MD5, SHA1, SHA256), email address, SSL hash (SHA1), malware name (e.g. Trojan.Enfal), filename (e.g. .scr, resume.doc), URI string (e.g. main.php), User-Agent string (e.g. Python-urllib), a registry key string

• Support for indicators varies across CTI vendors/solutions

[Figure: Samples. Stages shown: Recon, Weaponize, Deliver, Exploit, Install, Command & Control, Action]
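As an added illustration (not part of the original slides), the sketch below pulls typed indicators out of free text, the step that lets a CTI platform report per-type counts such as FQDN, IP and HASH for an intelligence document. The function names, the file-extension list and the sample report are assumptions constructed for this example; hash types are inferred from hex length only.

```python
import hashlib
import ipaddress
import re

# Hash type is inferred from the hex length alone.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
# Extensions that would otherwise be misread as top-level domains (assumed list).
FILE_EXTENSIONS = {"doc", "docx", "pdf", "scr", "exe", "php", "zip", "js"}

TOKEN_RE = re.compile(r"[^\s,;<>()\"']+")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")
FQDN_RE = re.compile(
    r"(?=.{4,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}"
)


def refang(token):
    """Undo the defanging commonly applied to shared indicators."""
    token = token.replace("[.]", ".").replace("[@]", "@")
    return re.sub(r"^hxxp", "http", token, flags=re.IGNORECASE)


def classify(token):
    """Return (type, normalized value) for one token, or None if not an indicator."""
    token = refang(token.rstrip(".,:;!?"))
    if re.match(r"^https?://", token, re.IGNORECASE):
        return ("url", token)
    if EMAIL_RE.fullmatch(token):
        return ("email", token.lower())
    try:
        return ("ip", str(ipaddress.ip_address(token)))
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-fA-F]+", token) and len(token) in HASH_LENGTHS:
        return (HASH_LENGTHS[len(token)], token.lower())
    # Check file names before domains: "resume.doc" also looks like a hostname.
    name = re.fullmatch(r"[\w.-]+\.([A-Za-z0-9]+)", token)
    if name and name.group(1).lower() in FILE_EXTENSIONS:
        return ("filename", token)
    if FQDN_RE.fullmatch(token):
        return ("fqdn", token.lower())
    return None


def extract_indicators(text):
    """Collect de-duplicated indicators from free text, grouped by type."""
    found = {}
    for token in TOKEN_RE.findall(text):
        hit = classify(token)
        if hit:
            found.setdefault(hit[0], set()).add(hit[1])
    return {kind: sorted(values) for kind, values in sorted(found.items())}


def summarize(found):
    """Per-type counts, the figure a platform shows next to each indicator type."""
    return {kind: len(values) for kind, values in found.items()}


# Constructed sample data: digests of a made-up string and reserved example hosts.
MD5 = hashlib.md5(b"constructed sample").hexdigest()
SHA256 = hashlib.sha256(b"constructed sample").hexdigest()
SAMPLE_REPORT = f"""
The dropper (MD5 {MD5}) arrives as resume.doc from hr@mail.example.org.
It contacts update.example[.]net and 192.0.2.10, then requests
hxxp://update.example.net/main.php. Payload SHA256: {SHA256}.
The same dropper was seen again as {MD5.upper()}.
"""

if __name__ == "__main__":
    for kind, values in extract_indicators(SAMPLE_REPORT).items():
        print(f"{kind} ({len(values)}): {', '.join(values)}")
```

Normalizing case and refanging before de-duplication is what keeps the same hash or domain, written two different ways, from being counted twice.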


The Cyber Threat Intelligence Landscape

[Figure: diagram of the CTI landscape with four groups: Sources, Threat Intelligence Providers, Method of Collection, Output. Labels shown: Open source Feeds, Commercial Feeds, Social Media, Deep Web, Dark Web, Web, IRC Channels, Mobile App Stores, Telco/Signal, People, CERTs, News Media, Vendor Updates, Sinkholes, Internet Registries, Domain Registries, Technology Vendors, Independent Researchers, Open source Projects, CTI Vendors, OSINT, Crawlers, Human Infiltration, Tech Infiltration, Intelligence, CTI Services, CTI Platforms, CTI Tools]


Threat Intelligence Feeds

• Curated data
• Two main types
  – Open source
  – Commercial
• Hundreds of available feeds
• Focused on different CTI domains
• Too many to list!

Whitelisting Sites
– Alexa Top 1 Million sites: Whitelist of the top 1 Million sites from Amazon (Alexa).
– Cisco Umbrella: Probable Whitelist of the top 1 million sites resolved by Cisco Umbrella (was OpenDNS).
– Statvoo Top 1 Million Sites: Probable Whitelist of the top 1 million web sites, as ranked by Statvoo.

Malicious IPs and Websites
– FireHOL IP Lists: 400+ publicly available IP Feeds analysed to document their evolution, geo-map, age of IPs, retention policy and overlaps. The site focuses on cyber crime (attacks, abuse, malware).
– I-Blocklist: I-Blocklist maintains several types of lists containing IP addresses belonging to various categories. Some of these main categories include countries, ISPs and organizations. Other lists include web attacks, TOR, spyware and proxies. Many are free to use, and available in various formats.
– OpenBL.org: A feed of IP addresses found to be attempting brute-force logins on services such as SSH, FTP, IMAP and phpMyAdmin and other web applications.
– AutoShun: A public service offering at most 2000 malicious IPs and some more resources.
– The Spamhaus project: The Spamhaus Project contains multiple threat lists associated with spam and malware activity.
– SSL Blacklist: SSL Blacklist (SSLBL) is a project maintained by abuse.ch. The goal is to provide a list of "bad" SSL certificates identified by abuse.ch to be associated with malware or botnet activities. SSLBL relies on SHA1 fingerprints of malicious SSL certificates and offers various blacklists.

Botnets
– Botnet Tracker: Tracks several active botnets.
– C&C Tracker: A feed of known, active and non-sinkholed C&C IP addresses, from Bambenek Consulting.
– ZeuS Tracker: The ZeuS Tracker by abuse.ch tracks ZeuS Command & Control servers (hosts) around the world and provides you a domain- and an IP-blocklist.

Malware
– MalwareDomains.com: The DNS-BH project creates and maintains a listing of domains that are known to be used to propagate malware and spyware. These can be used for detection as well as prevention (sinkholing DNS requests).
– Metadefender.com: Metadefender Cloud Threat Intelligence Feeds contains top new malware hash signatures, including MD5, SHA1, and SHA256. Metadefender Cloud has spotted these new malicious hashes within the last 24 hours. The feeds are updated daily with newly detected and reported malware to provide actionable and timely threat intelligence.
– Ransomware Tracker: The Ransomware Tracker by abuse.ch tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites.


What Cyber Threat Intelligence Looks Like

Some Examples


Analysis of KRIPTOVOR: Infostealer+Ransomware

April 08, 2015 | By Erye Hernandez | Threat Research, Advanced Malware

KRIPTOVOR, from the Russian word ‘kripto’ which means crypto and ‘vor’ which means thief, is what we named this malware family due to its Russian stomping grounds and the malware’s behavior. FireEye Labs has collected several samples of this malware (see the Appendix), which primarily targets Russian businesses, or any international companies that do business in Russia.

The malware is modular, which makes it easy for the author to add more functionality. Analysis of an early variant shows that it was first used to steal cryptocurrency wallets from its victims. Over time it evolved to include a ransomware component.

The earliest known infection of the variant with the ransomware component is in early 2014. Several victims reported to have lost their files. Their documents were encrypted and the file extensions were changed to .JUST. The malware also leaves a ransom note taking the victim hostage.

The author put a lot of effort into making it difficult to detect this malware. It employs several evasion techniques and it even cleans up after itself whether or not it was successful in stealing or encrypting its targets. The malware also checks if the victim belongs to specific network segments, which suggests that the author intended on keeping the infections to specific regions.

In this blog, we discuss KRIPTOVOR in detail from the infection vector to the ransom note. Figure 1 depicts the entire cycle of this malware. It starts with the attacker sending an email to the victim. The victim opens the email and the attached Word document. The Word document contains an embedded binary file, which the attacker crafted to look like a PDF file. Opening the binary launches a PDF file containing a resume. Unbeknownst to the victim, the malware begins its routine in the background.

Figure 1. Overview of KRIPTOVOR

Infection Vector

The unsuspecting victim receives KRIPTOVOR via an email attachment. The subject of the email is: Резюме на вакантную должность, which translates to “Resume for the vacant post”. Both the subject and the sender’s email address (which is likely spoofed) vary. The following is a list of email addresses we have collected:


FireEye Intel Center - Intelligence Documents - FEYE-INT-135U4E - Ana... https://demo.apps.fireeye.com/intel/documents/FEYE-INT-135U4E

1 of 11 29/09/2015 8:01 PM


81 indicators were derived from your document.

FQDN (7)
IP (1)
HASH (64)

SIGNATURES have been auto generated from the indicators to the left.

FORMAT          INDICATORS USED
OPENIOC V1.0    81
OPENIOC V1.1    81
SNORT V2.9      17
IPTABLES V1.4   1
BRO V2.3        81
STIX V1.2       72


FireEye Intel Center - Detections - Detect FEYE-INT-135U4E - Analysis ... https://demo.apps.fireeye.com/intel/documents/FEYE-INT-135U4E/detect...

1 of 3 29/09/2015 8:02 PM


In Many Cases.. Too Much Intelligence!


Many Solutions, Vendors, Providers


Some Remarks

• CTI is charged as a service, and so it should be
• CTI means different things to different vendors
  – IP reputation, social media, deep/dark web etc.
• Identify CTI needs and ensure current maturity to benefit from CTI
  – Look for actionable intelligence!
• Only a small 5% of the intelligence is common across different organizations
  – Many intelligence products and services are neither targeted nor tailored


CTI Challenges

• IPR used to sell black magic
• Immature business model
  – Many “how much would the client spend”
  – Few “This is our price, take it or leave it”
• Not enough in-house competences to evaluate vendors


Comune di Afragola

COmpetitive Methods to protect local Public Administration from Cyber security Threat

COMPACT consortium partners 14 organisations from seven EU countries.
Austria | Belgium | Germany | Italy | Portugal | Spain | United Kingdom


Cyber Threat Intelligence


Cyber Threat Intelligence Feeds

• Over 100 open source feeds analyzed and integrated
• Majority of Indicators of Compromise (IoC) from around 40 feeds
• Parser for CTI feed analysis and integration into OpenIntel
• Daily correlation of millions of IoC with world whois databases

Source  Count
https://virusshare.com/  1,892,475
http://data.netlab.360.com/  1,146,594
http://hosts-file.net/  546,665
https://www.badips.com  351,682
http://osint.bambenekconsulting.com/  271,327
http://wget-mirrors.uceprotect.net/  137,900
http://www.cert.at  90,884
https://raw.githubusercontent.com/Neo23x0/signature-base/master/iocs/otx-hash-iocs.txt  46,524
https://alienvault.com  40,617
https://www.phishtank.com  36,327
http://www.blocklist.de  32,915
http://www.malwaredomains.com  19,437
http://cybercrime-tracker.net  12,889
http://dataplane.org  12,822
https://www.turris.cz  12,354
http://cinsscore.com/  11,181
https://openphish.com  9,745
https://ransomwaretracker.abuse.ch/  9,097
http://torstatus.blutmagie.de/  6,124
https://dshield.org/suspicious_domains.html  3,521
https://raw.githubusercontent.com  3,480
http://www.botvrij.eu/  3,340
https://report.cs.rutgers.edu  3,018
https://greensnow.co  2,818
https://sslbl.abuse.ch/  2,480
http://rules.emergingthreats.net  1,503
https://rules.emergingthreats.net/  1,376
http://talosintel.com/  1,372
http://danger.rulez.sk/  1,051
https://www.dan.me.uk/tornodes  829
http://www.urlvir.com/  631
https://www.autoshun.org/  497
http://booterblacklist.com/  437
https://zeustracker.abuse.ch/  417
http://spys.one/en/  300
http://www.nothink.org/honeypots.php  167
http://security-research.dyndns.org  105
http://malc0de.com  101
http://vxvault.net  101
https://www.packetmail.net  25
https://feodotracker.abuse.ch/  7


Cyber Threat Feeds



Monitoring Threats from Suppliers

OpenIntel Trial in a Local Public Administration


Follow us on LinkedIn and Facebook

• Awareness Cartoons
  – Security Awareness
  – Security Editorials
  – Life of the Security Consultant


Thank you

Questions?

