Why hunting IoC fails at protecting against targeted attacks

Candid Wueest, Cyber Security Conference 2016


  1. (Title slide; artwork credit @valenberg.deviantart.com)
  2. The issue with targeted attacks
     • Highly targeted: 10 or fewer recipients; specific forum users; …
     • Many components: Regin has 75 modules, Duqu 100+ modules; …
     • "Grey" tools and events: PowerShell, PsExec, suspicious logins; …
     • Evolve and change over time: the right tools for the job; they learn and adapt; …
  3. But attackers do leave traces
     (diagram: network, server or entry point, endpoint)
  4. Connecting the dots… from a single IOC:
     • Output indicators (IOC): filenames, registry keys, C&C servers, emails, etc.
     • Industry verticals: healthcare, manufacturing, finance, …
     • Relationships: Sofacy, Elderwood, Hidden Lynx, …
     Many tools and IOC feeds, groups, etc. are available.
  5. …and then the guessing game begins…
  6. @attributionDice
  7. Example: HackingTeam hack
     "I didn't want to make the police's work any easier by relating my hack of Hacking Team with other hacks I've done or with names I use in my day-to-day work as a blackhat hacker. So, I used new servers and domain names, registered with new emails, and paid for with new bitcoin addresses. Also, I only used tools that are publicly available, or things that I wrote specifically for this attack, and I changed my way of doing some things to not leave my usual forensic footprint."
  8. (image slide)
  9. Threat intelligence sources

     Source       Costs     Typology           Based on
     Free         Free      Generic            Public systems
     Community    Free/$    Generic/Specific   Public, mailing lists, private researchers
     Commercial   $$/$$$    Generic/Specific   Products, research
     Internal     Free/$    Very specific      Internal logs

     Different formats and tools are out there: OpenIOC, STIX/TAXII, OSTrICa, MISP, YARA, …
  10. Threat hunting with IOCs
      Most commonly shared indicators:
      • IP addresses / domain names
      • File hashes / file names
      • Still some hits on reused infrastructure. Do they care?
      • Each hash is seen, on average, in fewer than 3 companies
      • Bad with scripts and dual-use tools
      • Where is the line between APT and common malware?
  11. Now you see me - now you don't
      • Are you hunting IOCs in real time or on snapshots?
      • Many APT groups clean up after the attack
        • Wipe files; an admin account is enough for later
        • Delete emails, browser history, … to hide the incursion vector
      • Do nation-state APTs really care if they get traced back?
        • At the latest since Snowden, everyone knows that everyone spies
        • Unlikely that they get arrested in their own country
        • Taunt the opponent, show force
  12. Trust issues?
      • Early sharing is often done only in private groups
        • If the group is too small you might not see much, but it can be high quality
        • If the group is too large you might not trust everyone
      • Do you trust the Uber-NG-ATP-vendor XY?
      • Do you double check any IP address before blacklisting?
      • What is the motivation for sharing?
      IoCs are good if you need context or when fighting common malware.
  13. Improved IoCs
      • Following threat families instead of variants
        • Better, but they might use common tools like PoisonIvy, Meterpreter, …
      • Follow TTPs and behavior patterns
        • Better, but different companies might require different TTPs
        • Apply them to your company, as the attackers would do too
      Go higher in the pyramid of pain, track exploits, … but that is what your security software should do too.
  14. Integrate the IoC consumption
      • Use context for IOCs, patterns of behavior where available
      • If possible, correlate it with in-house information
      • Check which IoCs you can actually ingest internally
      • It is still better to prevent the incursion than to hunt it later
      Rate the effectiveness of the different types for you (and drop bad ones).
      • Why spend resources on external IOC feeds when not even the internal basics are monitored properly yet?
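The two asks on slides 12 and 14, checking an address before it is blacklisted and rating feeds by their effectiveness for you, are a small bookkeeping exercise. The following is an added example written for this page, not code from the talk: the feed names, hit records and the allowlisted provider network are constructed, the addresses are from the RFC 5737 documentation ranges, and the scoring rule (precision over what actually fired, feeds with no evidence ranked last) is one reasonable choice, not the speaker's.

```python
"""Rate IOC sources by what they do in *your* telemetry, and sanity-check an IP
before it reaches a blocklist.

Added example for this page, not code from the talk.  Feed names, the hit
records and the allowlisted network are constructed; addresses come from the
RFC 5737 documentation ranges and the one RFC 1918 address is deliberate.
"""
import ipaddress
from collections import defaultdict

# (feed, indicator, outcome)  outcome: "tp" confirmed, "fp" benign, None never fired
FEED_HITS = [
    ("vendor-xy", "203.0.113.45", "tp"),
    ("vendor-xy", "203.0.113.46", "fp"),
    ("vendor-xy", "203.0.113.47", "fp"),
    ("vendor-xy", "203.0.113.48", None),
    ("community-list", "192.0.2.20", "tp"),
    ("community-list", "192.0.2.21", "tp"),
    ("community-list", "10.0.0.5", "fp"),      # someone shared an internal address
    ("free-feed", "192.0.2.30", None),
    ("free-feed", "192.0.2.31", None),
    ("internal", "203.0.113.99", "tp"),
]

# Constructed: a provider whose ranges we must never block wholesale.
ALLOW_NETS = [ipaddress.ip_network("198.51.100.0/24")]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def score_feeds(hits):
    """Per feed: true positives, false positives, indicators that never fired,
    and precision = tp / (tp + fp), or None when nothing has fired yet."""
    counts = defaultdict(lambda: {"tp": 0, "fp": 0, "silent": 0})
    for feed, _ioc, outcome in hits:
        counts[feed]["silent" if outcome is None else outcome] += 1
    for c in counts.values():
        fired = c["tp"] + c["fp"]
        c["precision"] = c["tp"] / fired if fired else None
    return dict(counts)


def rank_feeds(scores):
    """Best precision first; feeds that never fired go last (no evidence either way)."""
    return sorted(
        scores,
        key=lambda f: (scores[f]["precision"] is not None,
                       scores[f]["precision"] or 0.0,
                       scores[f]["tp"]),
        reverse=True,
    )


def blocklist_check(ip, allow_nets=ALLOW_NETS):
    """(ok, reason): refuse addresses that are not routable unicast, are internal,
    or sit in a network we rely on.  Run this before every blocklist push."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False, "not an IP address"
    if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified:
        return False, "not a routable unicast address"
    if any(addr in net for net in RFC1918):
        return False, "internal RFC 1918 address"
    for net in allow_nets:
        if addr in net:
            return False, f"inside allowlisted network {net}"
    return True, "ok"


def unsafe_indicators(hits):
    """Indicators from the feeds that blocklist_check would have refused."""
    return [ioc for _feed, ioc, _o in hits if not blocklist_check(ioc)[0]]


if __name__ == "__main__":
    scores = score_feeds(FEED_HITS)
    for feed in rank_feeds(scores):
        print(f"{feed:15} {scores[feed]}")
    print("refused before blocking:", unsafe_indicators(FEED_HITS))
```

The outcome labels are the part that costs effort: every alert on an external indicator has to be closed as confirmed or benign for the precision number to mean anything, which is the "internal homework" the talk keeps returning to. Note that the deliberately planted internal address is refused by `blocklist_check` even though it arrived on an otherwise good feed.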
  15. (image slide)
  16. Oversharing? How much is too much?
      • The bad guys can learn how much you know
        • Learn how they can improve their attacks
        • Example: the ZeroAccess P2P botnet started to sign its commands
        • Most APT crews are not dumb; they could adapt if they want to
      • Some indicators might contain sensitive information
        • Internal IP addresses
        • Stolen passwords hardcoded in 2nd-wave malware
        • Spear phishing emails, e.g. myYellowCompany.exe
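The second half of the slide is a review step before anything leaves the company. The following is an added example written for this page, not code from the talk: the company name and domain, the indicator set and the credential strings are all constructed, and the rule set (drop RFC 1918 addresses, drop filenames and recipient addresses that name the target, redact key=value and user:pass@ secrets) is one minimal choice that the reader will want to extend.

```python
"""Strip what you must not share from an indicator set before it leaves the
company.  Added example for this page, not code from the talk.  The company
name, domain, indicators and credential strings are constructed; the rule set
is an assumption, kept small so each rule is obvious."""
import ipaddress
import re

ORG_MARKERS = ("myyellowcompany",)            # constructed: substrings that name the target
ORG_DOMAIN = "myyellowcompany.example"        # constructed: recipient domain of the lures
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# key=value style secrets, and user:pass@ embedded in URLs
CRED_RE = re.compile(r"(?i)\b(password|passwd|pass|pwd|secret|token)\s*[:=]\s*\S+")
URL_CRED_RE = re.compile(r"://[^/\s:@]+:[^/\s@]+@")

# Constructed indicator set as it came out of the incident.
IOCS = [
    {"type": "md5", "value": "9e107d9d372bb6826bd81d3542a419d6"},
    {"type": "ip", "value": "203.0.113.45"},
    {"type": "ip", "value": "10.20.30.40"},                       # staging host inside the LAN
    {"type": "filename", "value": "myYellowCompany.exe"},         # lure named after the victim
    {"type": "filename", "value": "update.exe"},
    {"type": "email", "value": "cfo@myyellowcompany.example"},    # who was targeted
    {"type": "email", "value": "invoice@attacker-mail.example"},
    {"type": "string", "value": "smb://svc_backup:Summer2016!@fileserver/share"},
    {"type": "string", "value": "token=abc123 persisted in hklm\\software\\x"},
]


def sanitize_one(ioc):
    """Return (ioc_to_share_or_None, note).  note explains a drop or a redaction."""
    kind, value = ioc["type"], ioc["value"]
    if kind == "ip":
        addr = ipaddress.ip_address(value)
        if addr.is_loopback or any(addr in n for n in RFC1918):
            return None, "internal address"
    elif kind == "filename":
        if any(m in value.lower() for m in ORG_MARKERS):
            return None, "filename names the target"
    elif kind == "email":
        if value.lower().rpartition("@")[2] == ORG_DOMAIN:
            return None, "targeted recipient"
    elif kind in ("string", "url"):
        if URL_CRED_RE.search(value):
            return {**ioc, "value": URL_CRED_RE.sub("://[redacted]@", value)}, "credentials redacted"
        if CRED_RE.search(value):
            return {**ioc, "value": CRED_RE.sub(r"\1=[redacted]", value)}, "credentials redacted"
    return ioc, None


def sanitize(iocs):
    """Split into (shareable, withheld); shareable entries may have been redacted."""
    share, withheld = [], []
    for ioc in iocs:
        out, note = sanitize_one(ioc)
        if out is None:
            withheld.append((ioc["value"], note))
        else:
            share.append(out)
    return share, withheld


if __name__ == "__main__":
    share, withheld = sanitize(IOCS)
    for i in share:
        print("share   :", i["type"], i["value"])
    for v, why in withheld:
        print("withheld:", v, "->", why)
```

Withheld entries are kept with a reason rather than silently dropped, so the person doing the sharing can still decide to release a generalised version (the registry path without the token, the lure's hash instead of its filename).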
  17. (image slide)
  18. Debug Strings – Fake or Real?
      (examples: Turla/Waterbug, Stuxnet, Strider)
      «CloudAtlas» is clearly messing with us:
      • Arabic strings in the BlackBerry version
      • Hindi characters in the Android version
      • "God_Save_The_Queen" in the BlackBerry version
      • "JohnClerk" in the iOS version
      Thx BlueCoat/Kaspersky
  19. Commands from Taidoor
        [Ping]
        [Set sleep interval to 1 second]
        cmd /c net start
        cmd /c dir c:\docume~1
        cmd /c dir "c:\docume~1\<CurrentUser>\recent" /od
        cmd /c dir c:\progra~1
        cmd /c dir "c:\docume~1\<CurrentUser>\desktop" /od
        cmd /c netstat -n
        cmd /c net use
      Commands from Sykipot
        ipconfig /all
        netstat -ano
        net start
        net group "domain admins" /domain
        tasklist /v
        dir c:\*.url /s
        dir c:\*.pdf /s
        dir c:\*.doc /s
        net localgroup administrators
        type c:\boot.ini
        systeminfo
      Commands from honeypot sessions
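Slides 10, 13 and 19 make one argument together: a hash or C2 address fires only for the exact sample that was shared, while the recon commands above are what the operator actually types, whichever tool was dropped. The following is an added example written for this page, not code from the talk: the hash, the addresses (RFC 5737 documentation ranges), the host names and the process events are constructed, the recon keyword list is lifted from the Taidoor/Sykipot commands on the slide, and the "four distinct recon commands within a minute" threshold is an assumption that needs tuning against your own admin activity.

```python
"""Atomic IOCs versus a behaviour pattern, run over constructed endpoint events.

Added example for this page; it is not code from the talk.  Hash and address
values, host names and the events themselves are constructed (documentation
IP ranges), and the burst threshold is an assumption to tune per environment.
"""
from collections import defaultdict
from datetime import datetime

# Atomic indicators "from a feed" (constructed values).
IOC_HASHES = {"9e107d9d372bb6826bd81d3542a419d6"}
IOC_C2 = {"203.0.113.45"}

# Reconnaissance commands, taken from the Taidoor/Sykipot lists on the slide.
# Order matters only for labelling: the first matching key names the command.
RECON = (
    "net start", "net use", "net group", "net localgroup", "netstat",
    "tasklist", "systeminfo", "ipconfig", "dir ",
)

# Constructed process events: (timestamp, host, md5 of image, command line, remote ip)
EVENTS = [
    ("2016-09-01T09:00:00", "ws01", "9e107d9d372bb6826bd81d3542a419d6",
     "c:\\temp\\update.exe", "203.0.113.45"),
    # Same tooling, recompiled and pointed at new infrastructure: no atomic IOC fires.
    ("2016-09-02T10:00:00", "ws07", "ffffffffffffffffffffffffffffffff",
     "c:\\temp\\svchost.exe", "198.51.100.9"),
    ("2016-09-02T10:00:02", "ws07", None, "cmd /c net start", None),
    ("2016-09-02T10:00:05", "ws07", None, "cmd /c netstat -ano", None),
    ("2016-09-02T10:00:07", "ws07", None, 'cmd /c net group "domain admins" /domain', None),
    ("2016-09-02T10:00:09", "ws07", None, "cmd /c tasklist /v", None),
    ("2016-09-02T10:00:12", "ws07", None, "cmd /c systeminfo", None),
    # A lone netstat from an admin is not a burst.
    ("2016-09-02T11:30:00", "ws03", None, "netstat -n", None),
]


def match_atomic(events, hashes=IOC_HASHES, c2=IOC_C2):
    """Return (host, kind, value) for every event that hits a hash or C2 IOC."""
    hits = []
    for _ts, host, md5, _cmd, ip in events:
        if md5 in hashes:
            hits.append((host, "hash", md5))
        if ip in c2:
            hits.append((host, "c2", ip))
    return hits


def recon_name(cmdline):
    """Name of the first recon command found in a command line, or None."""
    c = cmdline.lower()
    return next((k for k in RECON if k in c), None)


def find_recon_bursts(events, window_s=60, threshold=4):
    """Hosts running >= threshold *distinct* recon commands inside window_s seconds.

    Returns {host: number_of_distinct_commands} for hosts that cross the threshold.
    """
    per_host = defaultdict(list)
    for ts, host, _md5, cmd, _ip in events:
        name = recon_name(cmd)
        if name:
            per_host[host].append((datetime.fromisoformat(ts), name))
    bursts = {}
    for host, recs in per_host.items():
        recs.sort()
        for i, (t0, _) in enumerate(recs):
            seen = {name for t, name in recs[i:] if (t - t0).total_seconds() <= window_s}
            if len(seen) >= threshold:
                bursts[host] = len(seen)
                break
    return bursts


if __name__ == "__main__":
    print("atomic IOC hits:", match_atomic(EVENTS))
    print("recon bursts   :", find_recon_bursts(EVENTS))
```

On this input the shared hash and C2 address catch only `ws01`; the second intrusion on `ws07`, same playbook with a fresh binary and fresh infrastructure, is found only by the burst of distinct recon commands. The price is on the other side: every admin who runs `net group` and `systeminfo` in the same minute is a candidate, which is the "different companies might require different TTPs" caveat from slide 13.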
  20. Following the red herring
      • Sometimes you have multiple infections on the same machine
        • Which IOC came from which actor?
      • "Everyone" uses common tools: Mimikatz, PsExec, …
      • Attackers can easily plant some files from other APT groups
        • Example: Equation Group / Shadow Brokers
      • Do you trust the compilation times, timestamps, language settings?
      • Most companies do not really care who it was
        • They just want to prevent it from happening again
        • Or do you plan to hack back or sue them?
  21. Conclusion
      • Do your internal homework first
      • Be smart in what you share
      • We need to be effective in checking IoC
        • Try them and rate effectiveness
      • Mistakes do happen, but they still get in
      (artwork credit ©tarantula)