Indicators and Intelligence Incident Response
Threat Intelligence
- Information gathered about adversaries and about the threat landscape
- Need to understand how adversaries operate, from broad to specific
  - Broad: learn their techniques; useful for hunting and anomaly-based searches
  - Specific: learn exactly what their tools, techniques and infrastructure look like; useful for signatures
- Threat landscapes vary between organizations, even for the same adversary
Understand your risk
- To begin to understand the threat, you need to characterize your organization's risk
- Risk is a function of three factors: vulnerability, impact and threat
  - Vulnerability: What exposure does your system have? Are there any known weaknesses that could be leveraged?
  - Impact: What happens if you are compromised? Not something the organization can change; often just a factor of what the organization is or has
  - Threat (next slide)
Risk: the threat
- Why would an adversary want to compromise the org? Do they gain anything, and if so, what?
- Does the adversary actually want to compromise the org?
- What capabilities does the adversary have? Do they have the technical capability for a successful compromise?
- Do the identified vulnerabilities align with an adversary's capabilities?
Threat Intelligence
- The idea is to move more risks into the "known knowns" category, with as few "unknown unknowns" as possible
- Can come from many different sources, for example a news report about an attack on a flaw, or learning how an adversary is targeting a competing organization
- The UK's National Cyber Security Centre divides threat intelligence into four categories: strategic, operational, tactical and technical
Strategic Intelligence
- High level, non-technical information
- Typically acquired at the board or senior management level
- Typically about an attack's potential: financial impact, impact on business decisions
- Example: a report states that a foreign government hacks into foreign companies that compete directly with companies in its own nation, and your organization is identified as such a competitor
Operational Intelligence
- Information about a specific incoming attack
- Typically acquired by high-level security staff
- Rarely available: typically only a government has access to such information, and there is no legal way for private companies to obtain it on their own
- In rare cases the information may be available, e.g. public actors (hacktivists) who link cyber attacks to real-world events
Tactical Intelligence
- Information about how adversaries are conducting their attacks: TTPs (Tactics, Techniques and Procedures)
- Typically acquired by defenders and incident responders
- Example: learning that an adversary is using psexec to move laterally, so you block remote logins by admins and/or log and monitor this activity
- Typically obtained through: talking with other defenders about what they are seeing, purchasing a threat feed of this information, white papers
Technical Intelligence
- Deeply technical data consumed through technical methods
- Examples: a feed of malicious IP addresses, a feed of malicious domain names, a feed of malicious software hashes
- Often has a short shelf life: attackers can change IP addresses
- Often feeds monitoring and alerting solutions
Threat Intelligence Feeds
- A feed of indicators or artifacts from a third party
- Often focus on one indicator area: IP addresses, domains, hashes
- Real-time: automatically updates with the latest available threat information
- Some free feeds, many paid feeds
- Six main data source types; ideally a feed covers as many as possible: open source, customer telemetry, honeypots, scanning/crawling, malware processing, human intelligence
Indicator of Compromise (IOC)
- Identifies characteristics of malware, both host-based and network-based
- Can be used to identify the presence of malware on a compromised host
- IOCs are typically created by reversing malware
- Professional responders typically have large IOC lists collected from previous intrusions they have worked
- IOCs save time when analyzing multiple hosts, even if you only have one IOC for one piece of malware you found
- Various "standard" languages exist to share indicators and threat intelligence
Standard sharing languages
- Standardization is important: it makes sharing easier and makes working with multiple data sources easier
- Different logs often refer to the same thing by different names: "Logged on", "Login success", "Accepted password", "Account Logon"
- Needed for sharing between different systems within the organization and for sharing with other organizations: a common language to speak
CybOX (cybox.mitre.org)
- Cyber Observable eXpression
- Standardized schema for describing observable events: event logging, malware characterization, intrusion detection, incident response, attack pattern characterization
- Its standard structure and content has been rolled into STIX over the past few years
STIX (stix.mitre.org)
- Structured Threat Information eXpression
- Community driven
- Standardized language to represent structured threat information
- Some examples: malware indicator for a file hash, file hash reputation, incident essentials (who, what, when), affected asset list, command and control IP list
YARA
- "Pattern matching swiss knife for malware researchers (and everyone else)"
- Tool used to help identify and classify malware
- Create descriptions based on patterns; each rule has a set of strings and Boolean logic
- Example: a rule with three strings; any file containing one of the three strings is reported as a silent banker match
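The "silent banker" rule the slide refers to is the example rule from the YARA documentation; it is reproduced here as an added illustration (it is not part of the slide text), with the documentation's illustrative byte patterns and string rather than real indicators:

```yara
rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        threat_level = 3
        in_the_wild = true

    strings:
        // two hex byte patterns and one text string
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"

    condition:
        // Boolean logic over the strings: any one of them is enough for a match
        $a or $b or $c
}
```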
OpenIOC (openioc.org)
- Open framework for threat intelligence sharing
- Originally designed for Mandiant's products; has since been standardized and open sourced
- IOCs are stored as XML
- An IOC is made up of three major parts:
  - IOC metadata: author of the IOC, name of the IOC, description, etc.
  - References: investigation name, case number, comments, etc.
  - Definition: the content of the IOC itself, e.g. artifacts, MD5 hash, registry path
OpenIOC tools
- IOC Editor: allows users to work with indicators in XML format, manage the fields within the IOCs and edit the IOCs
- IOC Finder: searches for IOCs on a single host; can be used to test new IOCs and to find malware on hosts; reports IOC hits in various formats, including HTML and text, for single or multiple hosts
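To show what the three-part OpenIOC structure and an IOC Finder-style search look like in practice, here is an added example (not the slide's nor Mandiant's code) that parses a constructed OpenIOC 1.0 document and evaluates its nested AND/OR indicator tree against a host snapshot; the hash, file name and registry path are placeholders, and the snapshot format (search term to list of observed values) is this example's own assumption.

```python
import xml.etree.ElementTree as ET
NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed sample IOC (placeholder hash and paths, not real indicators): metadata,
# then a definition whose top-level OR holds a hash item and an AND group.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001">
  <short_description>Example dropper (constructed)</short_description>
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">00000000000000000000000000000001</Content>
      </IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="contains">
          <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/>
          <Content type="string">CurrentVersion\\Run\\updater</Content>
        </IndicatorItem>
        <IndicatorItem condition="is">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">updater.exe</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""

def item_matches(item, host):
    """Compare one IndicatorItem with the host values collected for its search term."""
    search = item.find("ioc:Context", NS).get("search")
    needle = item.find("ioc:Content", NS).text.lower()
    observed = [v.lower() for v in host.get(search, [])]
    if item.get("condition") == "is":
        return needle in observed
    if item.get("condition") == "contains":
        return any(needle in v for v in observed)
    raise ValueError("unsupported condition: %s" % item.get("condition"))

def indicator_matches(node, host):
    """Apply the node's AND/OR operator to its child items and nested Indicator groups."""
    results = [item_matches(c, host) if c.tag.endswith("IndicatorItem")
               else indicator_matches(c, host) for c in node]
    return all(results) if node.get("operator", "OR").upper() == "AND" else any(results)

def evaluate_ioc(xml_text, host):
    root = ET.fromstring(xml_text)  # returns (short_description, hit)
    desc = root.findtext("ioc:short_description", default="", namespaces=NS)
    hit = any(indicator_matches(i, host) for i in root.find("ioc:definition", NS))
    return desc, hit

# Constructed host snapshot keyed by OpenIOC search term, as a collector would report it
INFECTED = {"FileItem/Md5sum": ["ffffffffffffffffffffffffffffffff"], "FileItem/FileName": ["updater.exe"],
            "RegistryItem/Path": ["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"]}
```

A host with only the file name but not the registry entry does not hit, because the AND group requires both; a host with the listed hash hits on the top-level OR alone.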
Lab - OpenIOC