SESSION ID:

IOCsareDead-LongLiveIOCs!

AIR-F03

RyanKazanciyanChiefSecurityArchitectTanium@ryankaz42

Yourstruly,circa2010

2

https://buildsecurityin.us-cert.gov/sites/default/files/RyanKazanciyan-APTPanel.pdf

IOCsasadver@sed

3

Human-readable,machine-consumable

CaptureabroadsetofforensicarHfacts

FosterinformaHonsharing

Providecontextaroundthreats

DobeLerthan“signatures”

Fiveyearslater…

4

IOCqualityandsharingin2016

5

Myownpointofreference

2009-2015:Inves@gator

Large-scale,targetedaLacks

Designed,tested,andappliedIOCsforproacHveandreacHvehunHng

6

2015-Present:Builder

DesigninganEDRplaSormthatincludesIOCdetecHon

Helpingorgsbuildself-sustaining,scalable“hunHng”capabiliHes

Theerosionofindicator-baseddetec@on

7

Brittle indicators - short shelf-life

Poor quality control in threat data feeds

Hard to build effective homegrown IOCs

Indicator detection tools are inconsistent

IOCs applied to limited scope of data

“IOCs”vs.“threatdata”vs.“intelligence”

IOCsarestructuredthreatdata

Threatdata!=threatintelligence

Threatintelligenceprovidescontextandandanalysis

ThreatintelligenceisineffecHvewithoutqualitythreatdata

8

#RSAC

IOCsarebriUle

VerizonDBIR2015:MostsharedIOCtypes

10

Source:VerizonDBIR2015

IOCsintheAPTnotesdataset

11

0

2500

5000

7500

10000

141

5,083

9,096

2,237

6,639

2,512

350248

CVE E-Mail URL Hosts IP Hashes RegistryFileName

Derivedfromover340threatreports(2006-2015)archivedonhttps://github.com/kbandla/APTnotes

Thiswillneverkeeppace…

12

Source:VerizonDBIR2015

ShortlifespanofC2IPsanddomains

Malicioussitesco-locatedonvirtualhostserverIPs

LowbarriertohostmaliciouscontentonlegiHmateproviders

13

Theproblemextendsbeyondfilehashes

Sheervolumedoesnotsolvetheproblem

2007:Bit9FileAdvisortracked4billionuniquefiles,cataloggrewby50millionentriesperday

2009:McAfeeGlobalThreatIntelligencetrackedreputaHondatafor140millionIPaddresses,handling50millionfilelookupsperday

2011:SymantecInsighttrackedtensofbillionsoflinkagesbetweenusers,files,websites

14

Sevenyearsofprogress?

15

“…an intelligence-led approach to security will be key in detecting the most sophisticated threats and responding to

them quickly and effectively.”

“…innovating to provide predictive security. This approach comprises interconnected

security technology at multiple layers in the technology stack, backed by global threat intelligence. Predictive security will allow

security products to intelligently block attacks much sooner than is currently possible…”

#RSAC

PaidIOCs!=qualityIOCs

Haveyouassessedyourfeeds?

17

Jon Oltsik / ESG, http://www.networkworld.com/article/2951542/cisco-subnet/measuring-the-quality-of-commercial-threat-intelligence.html

My(incrediblyscien@fic)methodology

Chosetwotop-Herpaidthreatfeedservices

Retrievedthemostrecent~20indicatorsfromeach

Spent15minuteseyeballingtheircontents

18

Whatareyoupayingfor?

19

Toospecific-malwarehashAND’dwithafilename

(RealIOCfromacommercialfeed)

Whatareyoupayingfor?

20

Toospecific-LNKfilesareuniqueper-system

(RealIOCfromacommercialfeed)

Whatareyoupayingfor?

21

Toonoisy-matchescomponentoflegi@matesoiware

(RealIOCfromacommercialfeed)

#RSAC

BuildinggoodIOCsishard

ChallengeswithIOCdevelopment

23

Easytobuildhigh-fidelityIOCs(mayyieldhighfalse-negaHves)

HardtobuildrobustIOCs(mayyieldhigherfalse-posiHves)

EasytobuildIOCsthatdon’tevaluateproperly

(toolshaveinconsistentmatchinglogic)

“Pyramid of Pain”, David Biancohttp://detect-respond.blogspot.co.uk/2013/03/the-pyramid-of-pain.html

RunningagroundonarobustIOC

24

Toobroad-maymatchonuncommonbutlegi@matebinaries

HowmuchHmedoyouranalystshavetoconHnuouslybuild,test,andrefineIOCslikethis?

InconsistenciesinIOCdetec@ontools

25

FileItem

TaskItem

ServiceItem

EventLogItem

...

✅❌❌✅?

{…}

{…}

OR

AND

{…}

{…}AND

OR{…}{…}

✅

❌

✅

?

✅

Supported Observables Logic Handling Data Normalization

x86 or x64?

HKEY_CURRENT_USER

%SYSTEMROOT%

HKEY_USERS\{SID}

\system32\

\SysWoW64\

\WoW6432Node\

\Windows\

STIX&CybOXhaveafewtoolstohelpwiththis:maec-to-sHxpython-cybox/normalize.py

IssuesspecifictoOpenIOC

Whathappenswhenyoutrytoturnaproprietarytool’suniqueoutputschemaintoa“standard”…

26

ProcessItem/PortList/PortItem/process

“FilePEDetectedAnomalies”

FileItem/PEInfo/DetectedEntryPointSignature/Name

“ProcessPortProcess”

FileItem/PEInfo/DetectedAnomalies/string

“FileEntryPointSigName”

IssuesspecifictoOpenIOC

Example:RegistryevidenceinOpenIOC

27

Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Value: Backdoor Data: C:\path\to\malware.exe

RegistryItem/Path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Backdoor RegistryItem/KeyPath: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run RegistryItem/Value: C:\path\to\malware.exe RegistryItem/ValueName: Backdoor RegistryItem/Text: C:\path\to\malware.exe

#RSAC

Broadeningthescopeofendpointindicatorusage

Focusingonscopeofdata,nottools

WhatareyoumatchingyourendpointIOCsagainst?

What’syourcadenceofdetecHon?

Whereareyourgaps?

29

DataatRest (Filesondisk,registry)

Workstations Servers

HistoricalActivity(Telemetry,logs,alerts,

historicaldata)

EXE

CurrentActivity(Processes,Network

Connections,Memory)

MatchingonSIEM/centralizedlogging

30

MostcommonendpointdatainSIEM:

AnH-virus/anH-malwarealerts(allsystems)Eventlogdata(subsetofsystems-usuallyservers)

Resourceimpactoflarge-scaleeventforwarding&storagelimitsendpointcoverage&scopeofdata

DataatRest (Filesondisk,registry)

Workstations Servers

HistoricalActivity(Telemetry,logs,alerts,

historicaldata)

EXE

CurrentActivity(Processes,Network

Connections,Memory)

Matchingonforensictelemetry

ProcessexecuHon,fileevents,networkconnecHons,registrychanges

Preserveshistoricaldata,short-livedevents

Expensivetocentralizeinlargeenvironments

LimitedscopeofdataforIOCmatching

31

Workstations Servers

HistoricalActivity(Telemetry,logs,alerts,

historicaldata)

EXE

CurrentActivity(Processes,Network

Connections,Memory)

DataatRest (Filesondisk,registry)

Matchingonliveendpoints

PotenHallythebroadestsetofavailabledata

ConsideraHonsEndpointimpactAvailabilityTime-to-assessScalability

32

DataatRest (Filesondisk,registry)

Workstations Servers

HistoricalActivity(Telemetry,logs,alerts,

historicaldata)

EXE

CurrentActivity(Processes,Network

Connections,Memory)

Theidealcombina@on

Goal:MaximizethevalueofbriLleIOCs

Telemetryforefficiency,historicaldata

On-endpointtomaximizecurrentstate&at-restdata

Increasecadenceastools&resourcespermit

Don’ttakeshortcutsonscopeofcoverage!

33

“Ionlyneedtocheckimportantsystems”

34

CredenHalscanbeharvestedfromanywhereonaWindowsnetwork

NoneedtorunmaliciouscodeonadminsystemsorDCs

BytheHmetheygetto“crownjewels”,aLackersarealreadyauthenHcaHngwithlegiHmateaccounts

Source: https://adsecurity.org/?p=1729

Anexampleofwhythisfails:

#RSAC

Shrinkingthedetec@ongap

DoingbeUerwithwhatwe'vegot

Source: hLps://www.digitalshadows.com/blog-and-research/another-sans-cyber-threat-intelligence-summit-is-in-the-books/

36

"Thedesiretotakeatechnicalfeedandsimplydumpitintooursecurityinfrastructuredoesn’tequatetoathreatintelligencewin...

Youcannotgetmorerelevantthreatintelligencethanwhatyoudevelopfromwithinyourownenvironment.Thisshouldthenbeenrichedwithexternalintelligence"

-RickHolland,Forrester,2016CTISummit

Myownpointofreference

Asaninves@gator:Rela@veefficacyofIOCsvs.methodology&outlieranalysisover@me

37

0

20

40

60

80

2010 2011 2012 2013 2014 2015

IOCs

Methodology & outlier analysis

(Rough approximation for the sake of having a pretty graph)

Resemngexpecta@ons

38

Categorizeandcontextualizeknownthreats,streamlineresponse

ProvideaddiHonallayerofautomateddetecHon

PreventativeControls

Signature-baseddetecHon

UndetectedThreats

Threatdata&intelfeeds

Internalanalysis

Reality

PreventativeControls

Threatdata&intelfeeds

Signature-baseddetecHon

UndetectedThreats

Expectation

Tellyouwhat’snormalinyourownenvironment

Exceedthebenefitsofwell-implementedpreventaHvecontrols

Closethegapofundetectedthreats

...butitcannot...

High-qualitythreatdataandintelligencecanhelpyou…

Lookinginwardtohunt

Deriveintelligencefromwhat’s“normal”

Buildrepeatableanalysistasks

CombinewithautomateduseofIOCsandthreatdata

MoreisnotalwaysbeLer!EasytooverwhelmyourselfTakeondiscrete,high-valuedatasetsoneataHme

39

AligningtotheaUacklifecycle

40

Whatarethe"lowestcommondenominators"acrosstargetedintrusions?

Whatreadily-availableevidencedotheyleavebehind?

Whateasily-observableoutliercondiHonsdotheycreate?

ConductReconnaissance

StealCreden@als&EscalatePrivileges MoveLaterally

Establish&RetainPersistence

Example:Hun@ngforDuqu2.0

41

“Inaddi@ontocrea@ngservicestoinfectothercomputersintheLAN,aUackerscanalsousetheTaskSchedulertostart‘msiexec.exe’remotely.TheusageofTaskSchedulerduringDuquinfec@onsforlateralmovementwasalsoobservedwiththe2011version...”

Source:https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf

WhatwasthesharedIOC?

42

HowcouldwedobeUer?

43

WecouldjustaddaspecificTaskItemtotheIOC...

…butwhataboutothervariants?

HowcanwefindevidenceofothermaliciousacHvitythatabusesthesame(incrediblycommon)lateralmovementtechnique?

Example:Lateralcommandexecu@on

44

ScheduledTasks

WinRM&PowerShell

PsExec

AttackerMethods

Otherforensicartifacts

E

Logon&serviceevents

Processhistory

SourcesofEvidence

Accountsused

Executedcommands,droppedfiles,etc.

Time&frequency

Where?

When?

What?

Who?

Source&targetsystems

AnalysisCriteria

Assessoutliers

Resul@ngstackanalysis

45

Resul@ngstackanalysis

46

Resul@ngstackanalysis

47

Resul@ngstackanalysis

48

Foraddi@onalexamples

49

“HunHngintheDark”hLps://speakerdeck.com/ryankaz

Includescoverageof:MoretaskanalysisShimCacheandprocesshistoryServiceEventsWMIeventconsumersAlternaHveauthenHcaHonmechanisms

#RSAC

Closingthoughtsandtakeaways

PlaSormsMISPhLp://www.misp-project.org

HubsandexchangesFacebookThreatExchangehLps://threatexchange.t.com

StandardsCybOX3.0refactoringandsimplificaHon

Evolvingstandards&plaoorms

51

Feweffortsto-date-thisisdifficult!ThreatIntelligenceQuo@entTest(Hq-test)

StaHsHcalanalysisofIPsanddomainsinthreatfeedsReferences:hLps://github.com/mlsecprojecthLps://defcon.org/images/defcon-22/dc-22-presentaHons/Pinto-Maxwell/DEFCON-22-Pinto-and-Maxwell-Measuring-the-IQ-of-your-threat-feeds-TIQtest-Updated.pdf

Quan@ta@veassessmentofthreatfeeds

52

Askyourthreatfeedvendor

53

Where’stheintelcomingfrom?ProfessionalservicesManagedsecurityservicesPartnersHoneypots“Opensource”datagatheringAuto-generatedsandboxdata

What’sthebreakdownofobservabletypes?WhatQCisinplace?

Test-casesDocumentaHonSpot-checking

MaximizeyourIOCs&threatdata

54

Whereareyourgapsinendpoint&networkvisibility?

CanyouexpandthescopeofdatamadeavailableforendpointIOCmatchinginyourenvironment?

Areyourtoolsandthreatdatasourcesfullycompa@ble?

Howquicklyareyouconsumingnewthreatdata?Atwhatscale?

EventhebestsourcesofthreatdatawillneverkeeppacewithemergingaLacks

Knowyournetworkaboveall

InvestinaLacksurfacereducHonand“hygiene”.Itreallydoesmakeadifference.

Haveyourinvestmentsmadeyoumoresecure?

55

SESSION ID:

Thankyou!

AIR-F03

RyanKazanciyanChiefSecurityArchitectTanium@ryankaz42