Date posted: 08-Apr-2020
Page 1

Copyright 2018 Anomali 1

Open Source Intelligence

(OSINT) for Network Defenders

Roberto Sanchez, Director of Threat & Information Analysis

Page 2

About Me

Roberto Sanchez, MBA, CISSP, GCTI, CSMIE

• Director of Threat & Information Analysis

Background

• U.S. Intel Community

• Commercial Sector

• U.S. Marine Corps

Twitter: @rpsanch | LinkedIn: linkedin.com/in/sanchezrobertop

Page 3

Session Outline

• Introduction to OSINT

• OSINT Research

• Analyst’s Toolbox

• Scenario: OSINT resources for incident triaging

Session Goal: Empower analysts to conduct focused, accurate, and successful OSINT research

Page 4

What is Open Source Intelligence (OSINT)?

Open-Source Intelligence (OSINT) involves finding, selecting, and acquiring publicly available information from media (newspapers, radio, television, etc.), professional and academic records (papers, conferences, professional associations, etc.), social media, public data (government reports, demographics, hearings, speeches, etc.) and ANALYZING it to produce actionable intelligence.

• The “Net” (Social Media, Blogs, Forums, Google, Deep Web, Dark Web)

• Traditional mass media (e.g. television, radio, newspapers, magazines)

• Specialized journals, conference proceedings, and think tank studies

• Photos

• Geospatial information (e.g. maps and commercial imagery products)

Information does not have to be secret to be valuable. Whether in the blogs we browse, the broadcasts we watch, or the specialized journals we read, there is an endless supply of information that contributes to our understanding of the world.

Page 5

“Analyst’s Toolbox”: Publicly Accessible Sites

Page 6

Where Do I Start?

• Domain & IP Intelligence

• Passive DNS

• Multi-AV & Sandbox

• Link Analysis

• Crowdsourcing

• URL Scanning

• Mobile Apps (e.g. Google dork: inurl:apk “app name”)

Page 7

Where Do I Start?

• Infrastructure Analysis

• Social Media Intelligence

• Sensitive & Confidential Files

Page 8

Where Do I Start?

Source: http://osintframework.com/

Page 9

Scenario: Malware Infection

Background

A security device alert identified a possibly infected client (1.2.3.4) performing HTTP GET connections over TCP port 80 to omlinux.com (212.83.180.64). When examining the suspected compromised system's logs in your SIEM, you observe the network connection made using PID 888 (svchost.exe) with an unknown mutex value of 316D1C7871E00.

Task

• Conduct threat infrastructure analysis of omlinux.com and 212.83.180.64

• What type of malware family is the mutex object 316D1C7871E00 related to?

• Is this an opportunistic or targeted attack?

• What was the initial infection vector?

Source: http://malware-traffic-analysis.net/2018/08/17/index.html
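Before opening the sources one by one, it helps to turn the alert narrative into a pivot plan. The script below is an added example, not code from the deck: it extracts the pivotable indicators (domain, IP, mutex, sample hash) from alert text like the scenario's, builds the lookup URLs for the sources the later slides use (VirusTotal, IBM X-Force Exchange, ThreatMiner, ThreatCrowd, Hybrid Analysis), and keeps the victim client and any non-routable address out of the plan, because submitting your own assets to a public service discloses the incident. The alert text is constructed from the scenario (the second internal client is an added assumption), and the Hybrid Analysis URL form without the trailing job id is an assumption.

```python
"""Indicator extraction and OSINT pivot planning for the triage scenario.

Added example, not code from the original Anomali deck. The alert text is
constructed from the scenario on the slide; the lookup URL templates follow
the source links shown on the later slides.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed alert text. The second "client" sentence is an added assumption,
# there to show why some indicators must never be submitted to public services.
ALERT_TEXT = (
    "A security device alert identified a possible infected client (1.2.3.4) "
    "performing HTTP GET connections over TCP port 80 to omlinux.com "
    "(212.83.180.64). The connection was made using PID 888 (svchost.exe) "
    "with an unknown mutex value of 316D1C7871E00. Related sample: "
    "086c852fb8a8c5832081e67d6baee535b3fbb3ffb9321664fecb792a7c527a8f. "
    "Proxy logs show a second client (10.20.30.40) contacting the same host."
)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
CLIENT_RE = re.compile(r"client \(((?:\d{1,3}\.){3}\d{1,3})\)")
# Simplified: a fixed TLD list keeps file names such as svchost.exe out.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|info|io)\b", re.I)
MUTEX_RE = re.compile(r"mutex value of ([0-9A-F]{8,})", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)

# Lookup URL templates taken from the deck's source lines. Hybrid Analysis is
# assumed to accept the bare SHA-256 without the trailing job id.
PIVOTS = {
    "domain": [
        ("VirusTotal", "https://www.virustotal.com/en/domain/{v}/information/"),
        ("IBM X-Force", "https://exchange.xforce.ibmcloud.com/url/{v}"),
        ("ThreatMiner", "https://www.threatminer.org/domain.php?q={v}"),
        ("ThreatCrowd", "https://www.threatcrowd.org/domain.php?domain={v}"),
    ],
    "ip": [
        ("VirusTotal", "https://www.virustotal.com/en/ip-address/{v}/information/"),
        ("IBM X-Force", "https://exchange.xforce.ibmcloud.com/ip/{v}"),
        ("ThreatMiner", "https://www.threatminer.org/host.php?q={v}"),
        ("ThreatCrowd", "https://www.threatcrowd.org/ip.php?ip={v}"),
    ],
    "mutex": [("ThreatMiner", "https://www.threatminer.org/mutex.php?q={v}")],
    "sha256": [("Hybrid Analysis", "https://www.hybrid-analysis.com/sample/{v}")],
}


@dataclass(frozen=True)
class Indicator:
    kind: str   # domain | ip | mutex | sha256
    value: str
    role: str   # "remote": safe to pivot on; "own-asset": keep in-house


def is_public_ip(ip: str) -> bool:
    """True for routable addresses; RFC 1918, loopback, link-local etc. are not."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_reserved or addr.is_loopback
                or addr.is_link_local or addr.is_multicast)


def extract_indicators(text: str) -> List[Indicator]:
    """Pull pivotable indicators out of a free-text alert narrative."""
    clients = set(CLIENT_RE.findall(text))
    found: List[Indicator] = []
    for ip in dict.fromkeys(IPV4_RE.findall(text)):        # dedupe, keep order
        # A victim host, or any non-routable address, is ours: do not submit it
        # to a public service, even when it happens to be a public address.
        role = "own-asset" if ip in clients or not is_public_ip(ip) else "remote"
        found.append(Indicator("ip", ip, role))
    for d in dict.fromkeys(m.lower() for m in DOMAIN_RE.findall(text)):
        found.append(Indicator("domain", d, "remote"))
    for m in dict.fromkeys(MUTEX_RE.findall(text)):
        found.append(Indicator("mutex", m.upper(), "remote"))
    for h in dict.fromkeys(m.lower() for m in SHA256_RE.findall(text)):
        found.append(Indicator("sha256", h, "remote"))
    return found


def plan_pivots(indicators: List[Indicator]) -> List[Tuple[str, str, str, str]]:
    """(source, kind, value, url) for every remote indicator and each source."""
    plan = []
    for ind in indicators:
        if ind.role != "remote":
            continue
        for source, template in PIVOTS.get(ind.kind, []):
            plan.append((source, ind.kind, ind.value, template.format(v=ind.value)))
    return plan


if __name__ == "__main__":
    inds = extract_indicators(ALERT_TEXT)
    for ind in inds:
        print(f"{ind.kind:7} {ind.value:66} {ind.role}")
    for source, kind, value, url in plan_pivots(inds):
        print(f"{source:16} {kind:7} {url}")
```

The role field is the part worth keeping in any real version of this: the alert names 1.2.3.4 as the client, so even though it is a routable address it is the victim, and the pivot plan only contains the remote host, the domain, the mutex and the sample hash.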

Page 10

VirusTotal

Source: https://www.virustotal.com/en/domain/omlinux.com/information/

Page 11

VirusTotal

Page 12

VirusTotal

Source: https://www.virustotal.com/en/ip-address/212.83.180.64/information/

Page 13

Hybrid Analysis

Source: https://www.hybrid-analysis.com/

Page 14

Hybrid Analysis

Source: https://www.hybrid-analysis.com/sample/086c852fb8a8c5832081e67d6baee535b3fbb3ffb9321664fecb792a7c527a8f/5b8cbac57ca3e1457d7b0cdc

Page 15

Hybrid Analysis

Source: https://www.hybrid-analysis.com/sample/086c852fb8a8c5832081e67d6baee535b3fbb3ffb9321664fecb792a7c527a8f/5b8cbac57ca3e1457d7b0cdc

Page 16

IBM X-Force Exchange

Source: https://exchange.xforce.ibmcloud.com/url/omlinux.com

Page 17

IBM X-Force Exchange

Source: https://exchange.xforce.ibmcloud.com/ip/212.83.180.64

Page 18

ThreatMiner

Source: https://www.threatminer.org/domain.php?q=omlinux.com

Page 19

ThreatMiner

Source: https://www.threatminer.org/host.php?q=212.83.180.64

Page 20

ThreatMiner

Source: https://www.threatminer.org/mutex.php?q=316D1C7871E00

Page 21

ThreatCrowd

Source: https://www.threatcrowd.org/domain.php?domain=omlinux.com

Page 22

ThreatCrowd

Source: https://www.threatcrowd.org/ip.php?ip=212.83.180.64

Page 23

ViewDNS

Source: https://viewdns.info/

Page 24

Google Dorking & Pastebin

Source: https://pastebin.com/1gWS87E3

Page 25

Google Dorking & Malware Traffic Analysis

Source: https://www.malware-traffic-analysis.net/2018/08/17/index.html

Page 26

Google & Cisco Talos Blog

Source: Cisco Talos Blog

Page 27

Summary

• A corporate user most likely was sent malspam with a financial-themed subject line that contained an infected (potentially Emotet Trojan) macro-enabled Microsoft Word document

• OSINT from VirusTotal, Hybrid Analysis, Cisco Talos, and Pastebin identifies multiple malspam campaigns using various financial themes (Payment, Invoice, Shipment Tracking, Wells Fargo Bank) delivering the Emotet Trojan hidden within macro-enabled Microsoft Word file attachments and used as a springboard for launching other system processes

• The corporate user most likely downloaded the weaponized file and enabled macros on the document, thereby infecting their machine with a TrickBot downloader malware (Mutex: 316D1C7871E00)

• OSINT from VirusTotal, Hybrid Analysis, Cisco Talos, Pastebin, and Malware Traffic Analysis tells us that TrickBot is a possible secondary payload downloaded after clients are infected with the Emotet Trojan downloader

• Upon infection, the compromised host performed an outbound HTTP GET connection over TCP port 80 using PID 888 (svchost.exe) with a TrickBot mutex value of 316D1C7871E00 to the domain omlinux.com, which resolves to the France-based IP address 212.83.180.64

• OSINT from Cisco Talos states that the observed mutex object (316D1C7871E00) is associated with a TrickBot downloader

Page 28

Thank You

