IOCs are Dead - Long Live IOCs!

Post on 14-Jan-2017

Transcript of IOCs are Dead - Long Live IOCs!

SESSION ID: AIR-F03

IOCs are Dead - Long Live IOCs!

Ryan Kazanciyan, Chief Security Architect, Tanium, @ryankaz42

Yours truly, circa 2010

https://buildsecurityin.us-cert.gov/sites/default/files/RyanKazanciyan-APTPanel.pdf

IOCs as advertised

Human-readable, machine-consumable

Capture a broad set of forensic artifacts

Foster information sharing

Provide context around threats

Do better than “signatures”

Five years later…

4

IOC quality and sharing in 2016

My own point of reference

2009-2015: Investigator

Large-scale, targeted attacks

Designed, tested, and applied IOCs for proactive and reactive hunting

2015-Present: Builder

Designing an EDR platform that includes IOC detection

Helping orgs build self-sustaining, scalable “hunting” capabilities

The erosion of indicator-based detection

Brittle indicators - short shelf-life

Poor quality control in threat data feeds

Hard to build effective homegrown IOCs

Indicator detection tools are inconsistent

IOCs applied to limited scope of data

“IOCs” vs. “threat data” vs. “intelligence”

IOCs are structured threat data

Threat data != threat intelligence

Threat intelligence provides context and analysis

Threat intelligence is ineffective without quality threat data

IOCs are brittle

Verizon DBIR 2015: Most shared IOC types

Source: Verizon DBIR 2015

IOCs in the APTnotes dataset

[Bar chart: indicator counts by type (CVE, E-Mail, URL, Hosts, IP, Hashes, Registry, FileName); values as extracted: 141, 5,083, 9,096, 2,237, 6,639, 2,512, 350, 248; y-axis 0 to 10,000]

Derived from over 340 threat reports (2006-2015) archived on https://github.com/kbandla/APTnotes

This will never keep pace…

Source: Verizon DBIR 2015

Short lifespan of C2 IPs and domains

Malicious sites co-located on virtual host server IPs

Low barrier to host malicious content on legitimate providers

The problem extends beyond file hashes

Sheer volume does not solve the problem

2007: Bit9 FileAdvisor tracked 4 billion unique files, catalog grew by 50 million entries per day

2009: McAfee Global Threat Intelligence tracked reputation data for 140 million IP addresses, handling 50 million file lookups per day

2011: Symantec Insight tracked tens of billions of linkages between users, files, websites

Seven years of progress?

“…an intelligence-led approach to security will be key in detecting the most sophisticated threats and responding to them quickly and effectively.”

“…innovating to provide predictive security. This approach comprises interconnected security technology at multiple layers in the technology stack, backed by global threat intelligence. Predictive security will allow security products to intelligently block attacks much sooner than is currently possible…”

Paid IOCs != quality IOCs

Have you assessed your feeds?

Jon Oltsik / ESG, http://www.networkworld.com/article/2951542/cisco-subnet/measuring-the-quality-of-commercial-threat-intelligence.html

My (incredibly scientific) methodology

Chose two top-tier paid threat feed services

Retrieved the most recent ~20 indicators from each

Spent 15 minutes eyeballing their contents

What are you paying for?

Too specific - malware hash AND’d with a file name

(Real IOC from a commercial feed)

What are you paying for?

Too specific - LNK files are unique per-system

(Real IOC from a commercial feed)

What are you paying for?

Too noisy - matches component of legitimate software

(Real IOC from a commercial feed)

Building good IOCs is hard

Challenges with IOC development

Easy to build high-fidelity IOCs (may yield high false-negatives)

Hard to build robust IOCs (may yield higher false-positives)

Easy to build IOCs that don’t evaluate properly (tools have inconsistent matching logic)

“Pyramid of Pain”, David Bianco, http://detect-respond.blogspot.co.uk/2013/03/the-pyramid-of-pain.html

Running aground on a robust IOC

Too broad - may match on uncommon but legitimate binaries

How much time do your analysts have to continuously build, test, and refine IOCs like this?

Inconsistencies in IOC detection tools

Supported Observables: FileItem, TaskItem, ServiceItem, EventLogItem, ... (support varies by tool: some supported, some not, some unknown)

Logic Handling: nested AND/OR groupings of terms are evaluated inconsistently across tools

Data Normalization: x86 or x64? HKEY_CURRENT_USER vs. HKEY_USERS\{SID}; %SYSTEMROOT% vs. \Windows\; \system32\ vs. \SysWoW64\; \WoW6432Node\

STIX & CybOX have a few tools to help with this: maec-to-stix, python-cybox/normalize.py
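As an added example (not the deck's own code or any tool's implementation), a minimal IOC evaluator that collapses the path variants listed above before comparing and honours nested AND/OR logic, shown against the same evidence with and without normalization. The observables, the OpenIOC-style item names, the IOC itself, and the C:\Windows system root are constructed assumptions.

```python
import re

# Constructed sample observables (not from the deck), as a collection tool
# might report them from one endpoint: (OpenIOC-style item type, raw value).
OBSERVED = [
    ("RegistryItem/Path", r"HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Backdoor"),
    ("FileItem/FullPath", r"C:\WINDOWS\SysWOW64\evil.dll"),
    ("ServiceItem/name", "UpdaterSvc"),
]
# Per-user hive prefix as reported by the tool; assumes the usual S-1-5-21-... SID shape.
SID_HIVE = re.compile(r"^hkey_users\\s-1-5-21-[\d-]+\\")

def normalize(item_type, value):
    """Collapse the variants from the slide so one IOC term matches all of them.
    Assumes the system root is C:\\Windows (an assumption for this example)."""
    v = value.lower()                                          # Windows paths are case-insensitive
    if item_type.startswith("RegistryItem"):
        v = SID_HIVE.sub(lambda m: "hkey_current_user\\", v)   # HKEY_USERS\{SID} -> HKCU
        v = v.replace("\\wow6432node\\", "\\")                  # 32-bit registry view on x64
    elif item_type.startswith("FileItem"):
        v = v.replace("%systemroot%", "c:\\windows")            # expand the environment variable
        v = v.replace("\\syswow64\\", "\\system32\\")           # 32-bit system directory on x64
    return v

def evaluate(node, observed, norm=normalize):
    """Evaluate a nested IOC: {"op": "AND"|"OR", "terms": [...]} or a leaf {"type", "value"}."""
    if "op" in node:
        results = [evaluate(t, observed, norm) for t in node["terms"]]
        return any(results) if node["op"] == "OR" else all(results)
    want = norm(node["type"], node["value"])
    return any(t == node["type"] and norm(t, v) == want for t, v in observed)

# Constructed IOC: a 32-bit DLL path OR (a Run-key persistence value AND a service name).
IOC = {"op": "OR", "terms": [
    {"type": "FileItem/FullPath", "value": r"C:\Windows\system32\evil.dll"},
    {"op": "AND", "terms": [
        {"type": "RegistryItem/Path",
         "value": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Backdoor"},
        {"type": "ServiceItem/name", "value": "UpdaterSvc"},
    ]},
]}

def raw(item_type, value):
    return value   # identity "normalizer": what a tool that does no normalization effectively does

if __name__ == "__main__":
    print("normalized:", evaluate(IOC, OBSERVED))           # True
    print("raw:", evaluate(IOC, OBSERVED, norm=raw))         # False: same evidence, the IOC misses
```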

Issues specific to OpenIOC

What happens when you try to turn a proprietary tool’s unique output schema into a “standard”…

“ProcessPortProcess”: ProcessItem/PortList/PortItem/process

“FilePEDetectedAnomalies”: FileItem/PEInfo/DetectedAnomalies/string

“FileEntryPointSigName”: FileItem/PEInfo/DetectedEntryPointSignature/Name

Issues specific to OpenIOC

Example: Registry evidence in OpenIOC

Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: Backdoor
Data: C:\path\to\malware.exe

RegistryItem/Path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Backdoor
RegistryItem/KeyPath: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RegistryItem/Value: C:\path\to\malware.exe
RegistryItem/ValueName: Backdoor
RegistryItem/Text: C:\path\to\malware.exe

Broadening the scope of endpoint indicator usage

Focusing on scope of data, not tools

What are you matching your endpoint IOCs against?

What’s your cadence of detection?

Where are your gaps?

[Diagram: endpoints (workstations, servers) with three data scopes: Data at Rest (files on disk, registry); Historical Activity (telemetry, logs, alerts, historical data); Current Activity (processes, network connections, memory). The same diagram is repeated on the next three slides.]

Matching on SIEM / centralized logging

Most common endpoint data in SIEM: anti-virus/anti-malware alerts (all systems); event log data (subset of systems - usually servers)

Resource impact of large-scale event forwarding & storage limits endpoint coverage & scope of data

Matching on forensic telemetry

Process execution, file events, network connections, registry changes

Preserves historical data, short-lived events

Expensive to centralize in large environments

Limited scope of data for IOC matching

Matching on live endpoints

Potentially the broadest set of available data

Considerations: endpoint impact; availability; time-to-assess; scalability

The ideal combination

Goal: Maximize the value of brittle IOCs

Telemetry for efficiency, historical data

On-endpoint to maximize current state & at-rest data

Increase cadence as tools & resources permit

Don’t take shortcuts on scope of coverage!

“I only need to check important systems”

An example of why this fails:

Credentials can be harvested from anywhere on a Windows network

No need to run malicious code on admin systems or DCs

By the time they get to “crown jewels”, attackers are already authenticating with legitimate accounts

Source: https://adsecurity.org/?p=1729

Shrinking the detection gap

Doing better with what we've got

"The desire to take a technical feed and simply dump it into our security infrastructure doesn’t equate to a threat intelligence win... You cannot get more relevant threat intelligence than what you develop from within your own environment. This should then be enriched with external intelligence"

- Rick Holland, Forrester, 2016 CTI Summit

Source: https://www.digitalshadows.com/blog-and-research/another-sans-cyber-threat-intelligence-summit-is-in-the-books/

My own point of reference

As an investigator: Relative efficacy of IOCs vs. methodology & outlier analysis over time

[Line chart, 2010-2015, y-axis 0 to 80, two series: IOCs; Methodology & outlier analysis]

(Rough approximation for the sake of having a pretty graph)

Resetting expectations

[Diagram, “Expectation”: Preventative Controls; Threat data & intel feeds; Signature-based detection; Undetected Threats]

[Diagram, “Reality”: Preventative Controls; Signature-based detection; Undetected Threats; Threat data & intel feeds; Internal analysis]

High-quality threat data and intelligence can help you…

Categorize and contextualize known threats, streamline response

Provide additional layer of automated detection

...but it cannot...

Tell you what’s normal in your own environment

Exceed the benefits of well-implemented preventative controls

Close the gap of undetected threats

Looking inward to hunt

Derive intelligence from what’s “normal”

Build repeatable analysis tasks

Combine with automated use of IOCs and threat data

More is not always better! Easy to overwhelm yourself. Take on discrete, high-value data sets one at a time

Aligning to the attack lifecycle

What are the "lowest common denominators" across targeted intrusions?

What readily-available evidence do they leave behind?

What easily-observable outlier conditions do they create?

Conduct Reconnaissance

Steal Credentials & Escalate Privileges

Move Laterally

Establish & Retain Persistence

Example: Hunting for Duqu 2.0

“In addition to creating services to infect other computers in the LAN, attackers can also use the Task Scheduler to start ‘msiexec.exe’ remotely. The usage of Task Scheduler during Duqu infections for lateral movement was also observed with the 2011 version...”

Source: https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf

What was the shared IOC?

How could we do better?

We could just add a specific TaskItem to the IOC...

…but what about other variants?

How can we find evidence of other malicious activity that abuses the same (incredibly common) lateral movement technique?

Example: Lateral command execution

Attacker Methods: Scheduled Tasks; WinRM & PowerShell; PsExec

Sources of Evidence: Logon & service events; Process history; Other forensic artifacts

Analysis Criteria:
Where? Source & target systems
Who? Accounts used
What? Executed commands, dropped files, etc.
When? Time & frequency

Assess outliers

Resulting stack analysis

[Four slides of stack-analysis screenshots; not captured in the transcript]
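As an added illustration of the stack analysis described above (example code, not the deck's own tooling or data), this stacks scheduled-task records collected from several endpoints by command line and by registering account, so the long tail and the cross-host account stand out. The hosts, task names, commands and the CORP\svc_backup account are constructed.

```python
from collections import defaultdict

# Constructed sample (not from the deck): one record per scheduled task collected
# from each endpoint, as (host, task name, command line, account that registered it).
TASKS = [
    ("WS01", r"\Microsoft\Windows\Defrag\ScheduledDefrag", r"%windir%\system32\defrag.exe -c -h -k -g", "SYSTEM"),
    ("WS02", r"\Microsoft\Windows\Defrag\ScheduledDefrag", r"%windir%\system32\defrag.exe -c -h -k -g", "SYSTEM"),
    ("WS03", r"\Microsoft\Windows\Defrag\ScheduledDefrag", r"%windir%\system32\defrag.exe -c -h -k -g", "SYSTEM"),
    ("WS04", r"\Microsoft\Windows\Defrag\ScheduledDefrag", r"%windir%\system32\defrag.exe -c -h -k -g", "SYSTEM"),
    ("WS01", r"\VendorUpdateTask", r"C:\Program Files\Vendor\update.exe /check", "SYSTEM"),
    ("WS02", r"\VendorUpdateTask", r"C:\Program Files\Vendor\update.exe /check", "SYSTEM"),
    ("WS03", r"\VendorUpdateTask", r"C:\Program Files\Vendor\update.exe /check", "SYSTEM"),
    ("WS04", r"\VendorUpdateTask", r"C:\Program Files\Vendor\update.exe /check", "SYSTEM"),
    # Constructed outlier modelled on the Duqu 2.0 quote: msiexec.exe started by a task
    # registered with a domain account, on two hosts, under different task names.
    ("WS02", r"\At1", r"msiexec.exe /i C:\Windows\Temp\pkg.msi", r"CORP\svc_backup"),
    ("WS03", r"\At2", r"msiexec.exe /i C:\Windows\Temp\pkg.msi", r"CORP\svc_backup"),
]

def stack(records, key_fn):
    """Group records by key_fn and return {key: set of hosts where it was seen}."""
    groups = defaultdict(set)
    for rec in records:
        groups[key_fn(rec)].add(rec[0])
    return groups

def by_command(rec):
    # Stack on the command line, not the task name: At1/At2-style names vary per host.
    return rec[2].lower()

def rare_commands(records, max_hosts):
    """The long tail of the stack: commands present on at most max_hosts hosts, rarest first."""
    tail = [(cmd, sorted(hosts)) for cmd, hosts in stack(records, by_command).items()
            if len(hosts) <= max_hosts]
    return sorted(tail, key=lambda item: len(item[1]))

def accounts_spanning_hosts(records, min_hosts=2, ignore=("SYSTEM",)):
    """Who? Non-system accounts that registered tasks on several hosts (a lateral-movement outlier)."""
    return {acct: sorted(hosts) for acct, hosts in stack(records, lambda r: r[3]).items()
            if acct not in ignore and len(hosts) >= min_hosts}

if __name__ == "__main__":
    for cmd, hosts in rare_commands(TASKS, max_hosts=2):
        print(f"{len(hosts)} host(s): {cmd}  <- {hosts}")
    print(accounts_spanning_hosts(TASKS))
```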

For additional examples

“Hunting in the Dark”, https://speakerdeck.com/ryankaz

Includes coverage of: more task analysis; ShimCache and process history; service events; WMI event consumers; alternative authentication mechanisms

Closing thoughts and takeaways

Evolving standards & platforms

Platforms: MISP, http://www.misp-project.org

Hubs and exchanges: Facebook ThreatExchange, https://threatexchange.fb.com

Standards: CybOX 3.0 refactoring and simplification

Quantitative assessment of threat feeds

Few efforts to-date - this is difficult!

Threat Intelligence Quotient Test (tiq-test): statistical analysis of IPs and domains in threat feeds

References: https://github.com/mlsecproject, https://defcon.org/images/defcon-22/dc-22-presentations/Pinto-Maxwell/DEFCON-22-Pinto-and-Maxwell-Measuring-the-IQ-of-your-threat-feeds-TIQtest-Updated.pdf

Ask your threat feed vendor

Where’s the intel coming from? Professional services; managed security services; partners; honeypots; “open source” data gathering; auto-generated sandbox data

What’s the breakdown of observable types?

What QC is in place? Test-cases; documentation; spot-checking

Maximize your IOCs & threat data

Where are your gaps in endpoint & network visibility?

Can you expand the scope of data made available for endpoint IOC matching in your environment?

Are your tools and threat data sources fully compatible?

How quickly are you consuming new threat data? At what scale?

Even the best sources of threat data will never keep pace with emerging attacks

Know your network above all

Invest in attack surface reduction and “hygiene”. It really does make a difference.

Have your investments made you more secure?

Thank you!