Post on 07-Mar-2018
SESSION ID: AIR-W04
#RSAC
Travis Smith
Dreaming of IoCs: Adding Time Context to Threat Intelligence
Senior Security Research Engineer, Tripwire, Inc.
@MrTrav
What is an Indicator of Compromise
An artifact observed on the network or operating system
What Is Threat Intelligence
“Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”
“Intelligence is information that has been analyzed and refined so that it is useful to policymakers in making decisions.”
THREAT INTEL (illustrative record)
Longitude: -117.9190333
Latitude: 33.8120584
Culprit: Billy Two Tone
Affiliations: Slingers
Victims: Elderly
Tactics: Slingshot
Time: 1949
TAXII/STIX/CybOX
Data Model
• Package
• Report
• Campaign
• Course of Action
• Exploit Target
• Incident
• Indicator
• Threat Actor
• TTP
http://stixproject.github.io/data-model/
Sharing is Caring
Threat Intelligence / Information Sharing
Open source: aggregators of data sources
Closed source: sandbox solutions, walled gardens
Aggregators
"I know this is bad, do I see it?" – search the logs for the hash or IP
"I have something, is it bad?" – look the observable up in the aggregated data
Pros – proactive response
Cons – open source/free providers, questionable sanitization
Walled Gardens
"I have something, tell me what you think of it"
Find a file – reference it
See an IP – reference it
Pros – sanitized and timely data
Cons – can be expensive; performance – lots of lookups
Collective Intelligence Framework
http://csirtgadgets.org/collective-intelligence-framework
https://github.com/csirtgadgets/massive-octo-spice
Collective Intelligence Framework
Requirements
Small: 16 GB RAM / 8 cores / 250 GB disk
Large: 32 GB RAM / 16 cores / 500 GB disk
Extra Large: 64 GB RAM / 32 cores / 500 GB disk
CIFv1 installation: lots of dependencies, lots of effort
CIFv2 installation: EasyButton!
Collective Intelligence Framework
cif --otype ipv4 --format csv
--otype: ipv4, md5, url, fqdn
--format: csv, json
Intro to Logstash
INPUTS: FILE, SYSLOG, EVENTLOG, STDIN, 40+ more
FILTERS: GROK, GEOIP, TRANSLATE, DATE, 30+ more
OUTPUTS: ElasticSearch, SYSLOG, EMAIL, STDOUT, 50+ more
Logstash Filtering
Utilizing Custom Patterns
GROK Message Filtering
Adding Custom Fields
Date Match
Using Translations for Threat Intelligence
Logstash Filtering
filter {
  grok {
    match => { "message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" }
  }
}
Logstash Filtering
filter {
  grok {
    patterns_dir => "/opt/logstash/custom_patterns"
    match => { "message" => "%{123456}" }
  }
}
Logstash Filtering
filter {
  if [message] =~ /^(([^,]+),([^,]+),([^,]+),([^,]+),...)/ {
    grok {
      patterns_dir => "/opt/logstash/custom_patterns"
      match => { "message" => "%{123456}" }
    }
  }
}
Custom pattern 123456 (one NAME PATTERN line in a file under patterns_dir):
(?<node_name>[^,]+),(?<node_type>[^,]+),(?<rule_name>[^,]+),(?<element_name>[^,]+),…
Remove capture groups: the regex in the conditional only gates which messages reach the grok, so its parentheses can be dropped (or made non-capturing); the named groups in the custom pattern do the capturing.
Logstash Filtering
filter {
  if [message] =~ /^(([^,]+),([^,]+),([^,]+),([^,]+),...)/ {
    grok {
      patterns_dir => "/opt/logstash/custom_patterns"
      match => { "message" => "%{291001}" }
      add_field => {
        "rule_id"     => "123456"
        "Device Type" => "FIM"
        "Object"      => "File"
        "Action"      => "Modified"
        "Status"      => "Success"
      }
    }
  }
}
Logstash Filtering
filter {
  .... all normalization code above here ....
  date {
    match => [ "change_time", "M/d/YY h:m a" ]
  }
}
Example input: change_time: 3/2/16 10:20 AM
The date filter parses change_time with that Joda pattern and writes the result to @timestamp. The input carries no zone, so Logstash interprets it in the host's default zone unless timezone => is set; set it explicitly when the log source and the Logstash host are in different zones, or the stored timestamps will be shifted.
Logstash Filtering
filter {
  .... all normalization code above here ....
  translate {
    field => "md5"
    destination => "maliciousMD5"
    dictionary_path => "/opt/logstash/maliciousMD5.yaml"
  }
}
• The translate filter looks the value of the md5 field up in the YAML dictionary and, on a hit, writes the mapped value into maliciousMD5
• Logstash re-reads the YAML for updates every 300 seconds by default
• Configurable by adding refresh_interval => numSeconds
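The slides above describe the filter chain one plugin at a time (conditional gate plus grok, add_field, date, translate). The following Python script is an added example, not code from the deck or from the iocdreaming repository: it emulates that chain on one constructed message so the end-to-end result, including the timezone behaviour of the date step, can be seen without a Logstash install. The column layout after element_name, the host timezone offset and the dictionary contents are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample message (not a real Tripwire export): the first four
# comma-separated columns follow the custom pattern shown on the slides; the
# change_type, change_time and md5 columns after them are assumed for this
# example.  The md5 is that of the empty string, a placeholder, not an IOC.
SAMPLE_MESSAGE = ("web01,Linux Server,Critical System Files,/etc/passwd,"
                  "Modified,3/2/16 10:20 AM,d41d8cd98f00b204e9800998ecf8427e")

# Python stand-in for the custom grok pattern "123456": named groups play the
# role of grok's (?<name>...) captures.  The trailing columns are assumed.
PATTERN_123456 = re.compile(
    r"^(?P<node_name>[^,]+),(?P<node_type>[^,]+),(?P<rule_name>[^,]+),"
    r"(?P<element_name>[^,]+),(?P<change_type>[^,]+),(?P<change_time>[^,]+),"
    r"(?P<md5>[0-9a-fA-F]{32})$"
)

# Stand-in for the contents of /opt/logstash/maliciousMD5.yaml (constructed).
MALICIOUS_MD5 = {"d41d8cd98f00b204e9800998ecf8427e": "YES"}

# The add_field values from the grok block on the slides.
ADD_FIELDS = {"rule_id": "123456", "Device Type": "FIM", "Object": "File",
              "Action": "Modified", "Status": "Success"}


def date_match(value, host_tz_offset_hours):
    """Emulate date { match => [ "change_time", "M/d/YY h:m a" ] }.

    The input carries no zone, so Logstash parses it in the host's default
    zone unless timezone => is set; host_tz_offset_hours models that default.
    Returns the UTC string Logstash would write to @timestamp.
    """
    local = datetime.strptime(value, "%m/%d/%y %I:%M %p")
    local = local.replace(tzinfo=timezone(timedelta(hours=host_tz_offset_hours)))
    return local.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def filter_event(message, host_tz_offset_hours=-8):
    """Run one message through the emulated chain:
    conditional gate + grok, add_field, date, translate."""
    event = {"message": message}
    match = PATTERN_123456.match(message)
    if match is None:
        # grok tags a non-matching event rather than dropping it
        event["tags"] = ["_grokparsefailure"]
        return event
    event.update(match.groupdict())           # grok named captures
    event.update(ADD_FIELDS)                  # add_field
    event["@timestamp"] = date_match(event["change_time"], host_tz_offset_hours)
    # translate: field => "md5", destination => "maliciousMD5".  Lowercasing
    # is an assumption here; the real filter matches the value exactly.
    hit = MALICIOUS_MD5.get(event["md5"].lower())
    if hit is not None:
        event["maliciousMD5"] = hit
    return event


if __name__ == "__main__":
    for key, value in sorted(filter_event(SAMPLE_MESSAGE).items()):
        print(f"{key}: {value}")
```

With the assumed UTC-8 host, "3/2/16 10:20 AM" lands in @timestamp as 2016-03-02T18:20:00.000Z, the value the deck shows for its own event; passing host_tz_offset_hours=0 shows how the same line is stored eight hours earlier when the zone is not pinned down.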
Yet Another Python Script
cif --otype md5 --format csv
https://github.com/travisfsmith/iocdreaming
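The cif query above feeds the translate dictionary used earlier in the deck. The script below is an added example written for this page, not the iocdreaming script or CIF's own code: it turns CIF CSV output into the flat YAML the translate filter loads, applying the sanitization the aggregator slide warned is often missing (well-formed hashes only, a confidence floor, de-duplication) and replacing the dictionary file atomically so a refresh never reads a half-written file. The CSV column names and the sample rows are constructed assumptions; check the header your CIF version emits.

```python
import csv
import io
import os
import re
import subprocess
import tempfile

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed stand-in for the output of `cif --otype md5 --format csv`.
# Column names are assumed for this example.  The hashes are MD5s of the
# empty string and of "test", placeholders rather than real indicators.
SAMPLE_CIF_CSV = """observable,otype,confidence,tags,lasttime
d41d8cd98f00b204e9800998ecf8427e,md5,85,malware,2016-03-01T00:00:00Z
D41D8CD98F00B204E9800998ECF8427E,md5,85,malware,2016-03-01T00:00:00Z
098f6bcd4621d373cade4e832627b4f6,md5,40,suspicious,2016-02-28T00:00:00Z
not-a-hash,md5,95,malware,2016-03-01T00:00:00Z
"""


def run_cif(otype="md5"):
    """Fetch a feed with the cif client, the command shown on the slide."""
    result = subprocess.run(["cif", "--otype", otype, "--format", "csv"],
                            capture_output=True, text=True, check=True)
    return result.stdout


def cif_csv_to_dictionary(text, min_confidence=50):
    """Build {md5: "YES"} from the rows that pass sanitization: a well-formed
    32-hex observable (lowercased), a numeric confidence at or above the
    threshold, and no duplicates.  Malformed rows are skipped, not trusted."""
    entries = {}
    for row in csv.DictReader(io.StringIO(text)):
        observable = (row.get("observable") or "").strip().lower()
        if not MD5_RE.match(observable):
            continue
        try:
            confidence = float(row.get("confidence") or 0)
        except ValueError:
            continue
        if confidence < min_confidence:
            continue
        entries[observable] = "YES"
    return entries


def to_translate_yaml(entries):
    """Render the flat 'key: value' YAML mapping the translate filter loads."""
    return "".join(f'"{key}": "{value}"\n' for key, value in sorted(entries.items()))


def write_dictionary(path, entries):
    """Write to a temp file in the same directory, then rename over the
    target, so the translate refresh sees either the old or the new file."""
    directory = os.path.dirname(path) or "."
    fd, tmp_path = tempfile.mkstemp(dir=directory, suffix=".yaml")
    with os.fdopen(fd, "w") as handle:
        handle.write(to_translate_yaml(entries))
    os.replace(tmp_path, path)
    return len(entries)


if __name__ == "__main__":
    # Swap SAMPLE_CIF_CSV for run_cif() when a CIF instance is reachable.
    dictionary = cif_csv_to_dictionary(SAMPLE_CIF_CSV)
    print(to_translate_yaml(dictionary), end="")
```

Run it from cron at an interval no shorter than the translate filter's refresh_interval; writing the file more often than Logstash reloads it gains nothing.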
Logstash Filtering
Fields on the resulting event:
Custom fields: "Device Type" => "FIMDevice", "Object" => "File", "Action" => "Added", "Status" => "Success"
Threat intel translation: "maliciousMD5" => "YES"
Date matching: "change_time" => "3/2/16 10:20 AM" becomes "@timestamp" => "2016-03-02T18:20:00.000Z"
Logstash Filtering
The gap in this workflow:
1. Collect intelligence feeds
2. Update security tools with the intel
3. An observable is monitored but matches nothing in any feed
4. The feeds are later updated with that observable, which has already been inspected and passed….
TARDIS
Threat Analysis, Reconnaissance, & Data Intelligence System
Historical Exploit/IOC Detection
Time Lord of Forensic Log Data
Available at: https://github.com/tripwire/tardis
TARDIS
1. Collect intelligence feeds
2. Update security tools with the intel
3. An observable is monitored but matches nothing in any feed
4. The feeds are later updated with that observable, which has already been inspected and passed….
5. Search the repository of stored observables for the newly published indicator
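Step 5 is the piece the live translate lookup cannot do: an observable that was clean when it was inspected only becomes interesting once a later feed pull adds it. The script below is an added example, not TARDIS code: it diffs two pulls of the translate dictionary to find newly published indicators, then searches a repository of already-normalized events for them. Only events from before the feed update are reported, since anything later was checked against the live dictionary. The repository contents, the dictionary versions and the feed time are constructed.

```python
from datetime import datetime, timezone


def parse_ts(value):
    """Parse the @timestamp form the Logstash date filter emits."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


# Constructed repository of already-normalized events, in the shape the
# filter chain on the slides produces (not real data; placeholder hashes).
REPOSITORY = [
    {"@timestamp": "2016-02-20T03:15:00.000Z", "node_name": "web01",
     "element_name": "/tmp/update.bin", "md5": "d41d8cd98f00b204e9800998ecf8427e"},
    {"@timestamp": "2016-02-25T11:00:00.000Z", "node_name": "db02",
     "element_name": "/opt/app/lib.so", "md5": "098f6bcd4621d373cade4e832627b4f6"},
    {"@timestamp": "2016-03-05T09:30:00.000Z", "node_name": "web03",
     "element_name": "/tmp/update.bin", "md5": "d41d8cd98f00b204e9800998ecf8427e"},
]

# Two consecutive pulls of the translate dictionary (constructed).  The feed
# time is when the new pull happened; the md5 was unknown to us before it.
OLD_DICTIONARY = {}
NEW_DICTIONARY = {"d41d8cd98f00b204e9800998ecf8427e": "YES"}
FEED_UPDATED_AT = "2016-03-04T00:00:00.000Z"


def new_indicators(old, new):
    """Observables present in the new feed pull but absent from the last."""
    return {observable for observable in new if observable not in old}


def retro_search(repository, indicators, feed_time, otype="md5"):
    """Look back through stored events for newly published indicators.

    Events at or after feed_time are left out: the live translate lookup
    already saw them with the updated dictionary.  Returns hits oldest first
    with the age of the event relative to the intel, the time context the
    deck is about."""
    cutoff = parse_ts(feed_time)
    hits = []
    for event in repository:
        observable = (event.get(otype) or "").lower()
        event_time = parse_ts(event["@timestamp"])
        if observable in indicators and event_time < cutoff:
            hits.append({
                "observable": observable,
                "node_name": event["node_name"],
                "element_name": event["element_name"],
                "event_time": event["@timestamp"],
                "days_before_intel": (cutoff - event_time).days,
            })
    return sorted(hits, key=lambda hit: hit["event_time"])


if __name__ == "__main__":
    added = new_indicators(OLD_DICTIONARY, NEW_DICTIONARY)
    for hit in retro_search(REPOSITORY, added, FEED_UPDATED_AT):
        print(hit)
```

In production the repository is the Elasticsearch index the Logstash output writes to, and the loop over REPOSITORY becomes a terms query on the md5 field with a range on @timestamp; the diff-then-search shape stays the same.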
Notable Resources
https://github.com/tripwire/tardis
https://github.com/travisfsmith/iocdreaming
http://www.elastic.co
http://csirtgadgets.org/collective-intelligence-framework/
Next Steps
0-3 months: identify security components
  Which currently don't integrate with threat intel? Which capture valuable observables?
3-6 months: integrate security tools with actionable threat intelligence
6+ months: fine-tune workflows