
Threat Intelligence

Outline
• Strategic Intelligence
• Tactical Intelligence
• The Classic Intelligence Cycle
• Threat Hunting
• F3EAD

Strategic Intelligence

Intelligence Sources
(SANS 2018 CYBER THREAT INTELLIGENCE SURVEY)

Professional Sources – Strategic Security Intelligence
• Security News
• Security Blogs
• Mailing Lists

Top Cyber Security News Sites
• Dark Reading – https://www.darkreading.com/
• SC Media – https://www.scmagazine.com/
• Threat Level (Wired) – https://www.wired.com/category/threatlevel/
• Infosecurity Magazine – https://www.infosecurity-magazine.com/
• The Hacker News – https://thehackernews.com/
• PC Mag Security Watch – https://securitywatch.pcmag.com/
• The Security Ledger – https://securityledger.com/
• IT Security Guru – http://www.itsecurityguru.org/
― Mainly a news aggregator

Top Independent Security Bloggers
• Brian Krebs – https://krebsonsecurity.com/
• Bruce Schneier – https://www.schneier.com/
― Subscribe to his monthly Crypto-Gram newsletter at https://www.schneier.com/crypto-gram.html
• Graham Cluley – https://www.grahamcluley.com/
• Jeremiah Grossman – http://blog.jeremiahgrossman.com/
• Richard Bejtlich – https://taosecurity.blogspot.com
• Roger McClinton – https://www.infosecblog.org/
• Elie Bursztein – https://www.elie.net/blog
• Gary Hinson – http://blog.noticebored.com/
― NoticeBored provides security awareness and training materials on a monthly cycle
• Troy Hunt – https://www.troyhunt.com/

Top Corporate Security Blogs
• IBM Security Intelligence – https://securityintelligence.com/
• Kaspersky ThreatPost – https://threatpost.com/
• Cisco Security – https://blogs.cisco.com/security
• Google Security – https://security.googleblog.com/
• Microsoft Cloud Security – https://cloudblogs.microsoft.com/microsoftsecure/
• Tripwire The State of Security – https://www.tripwire.com/state-of-security/
• Symantec Security Response – https://www.symantec.com/connect/symantec-blogs/symantec-security-response
• Malwarebytes – https://blog.malwarebytes.com/
• Bitdefender Business Insights – https://businessinsights.bitdefender.com/

Top Security Podcasts
• SANS StormCast – https://isc.sans.edu/podcast.html
• Security Now! (Steve Gibson & Leo LaPorte) – https://www.grc.com/securitynow.htm
• Defensive Security – https://defensivesecurity.org/
• Down the Security Rabbithole – http://podcast.wh1t3rabbit.net/
• Open Source Security – http://www.opensourcesecuritypodcast.com/
• Paul’s Security Weekly – https://securityweekly.com/
― Five-time winner of RSA Social Security Awards for Best Security Podcast
• Southern Fried Security – http://www.southernfriedsecurity.com/
• The CyberWire – https://thecyberwire.com/podcasts/index.html
― Mainly a podcast aggregator

Exercise
• Go and explore one blog from each of these categories (except, perhaps, the podcasts). Take ten minutes to flip through them and find a particularly interesting story about a breach or vulnerability.
• Answer the following questions about the story you choose:
• What was the immediate cause of the breach? Is the vulnerability in software, or is it down to poor processes or a human failure?
• Other than reactive patching, how could the damage from the breach be limited?
• Was the breach or failure a low-level technical control, a failure of procedures or policy, or a failure of governance?
• Is the breach or vulnerability one that could affect many organizations?
• What key control could have prevented or limited the breach?

Security Mailing Lists
• Full Disclosure
― Subscription – https://nmap.org/mailman/listinfo/fulldisclosure
― Web archive and RSS feed – http://seclists.org/fulldisclosure/
• Security Metrics
― Low volume, high quality list
― Subscription – https://www.securitymetrics.org/mailman/listinfo/discuss
• Patch Management
― Not sure how active this one is – I’m no longer a member
― Was started by Shavlik (who developed MBSA)
― Subscription – http://www.patchmanagement.org/
― Also a WSUS (Windows Server Update Services) list
― Web archive – https://marc.info/?l=patchmanagement
• Many other mailing lists are archived at https://marc.info/

Typical Full Disclosure Email
KL-001-2017-022 : Splunk Local Privilege Escalation
Title: Splunk Local Privilege Escalation
Advisory ID: KL-001-2017-022
Publication Date: 2017.11.03
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-022.txt
1. Vulnerability Details
Affected Vendor: Splunk
Affected Product: Splunk Enterprise
Affected Version: 6.6.x
Platform: Embedded Linux
CWE Classification: CWE-280: Improper Handling of Insufficient Permissions or Privileges
Impact: Privilege Escalation
Attack vector: Local

Typical Full Disclosure Email (cont)
2. Vulnerability Description
Splunk can be configured to run as a non-root user. However, that user owns the configuration file that specifies the user to run as, so it can trivially gain root privileges.
3. Technical Description
Splunk runs multiple daemons and network listeners as root by default. It can be configured to drop privileges to a specified non-root user at startup such as user splunk, via the SPLUNK_OS_USER variable in the splunk-launch.conf file in $SPLUNK_HOME/etc/ (such as /opt/splunk/etc/splunk-launch.conf). However, the instructions for enabling such a setup call for chown’ing the entire $SPLUNK_HOME directory to that same non-root user. For instance: http://docs.splunk.com/Documentation/Splunk/6.6.2/Installation/RunSplunkasadifferentornon-rootuser

Typical Full Disclosure Email (cont)
“4. Run the chown command to change the ownership of the splunk directory and everything under it to the user that you want to run the software.
chown -R splunk:splunk $SPLUNK_HOME”
Therefore, if an attacker gains control of the splunk account, they can modify $SPLUNK_HOME/etc/splunk-launch.conf to remove/unset SPLUNK_OS_USER so that the software will retain root privileges, and place backdoors under $SPLUNK_HOME/bin/, etc. that will take malicious actions as user root the next time Splunk is restarted.
4. Mitigation and Remediation Recommendation
The vendor has published a mitigation for this vulnerability at:
https://www.splunk.com/view/SP-CAAAP3M

Typical Full Disclosure Email (cont)
5. Credit
This vulnerability was discovered by Hank Leininger of KoreLogic, Inc.
6. Disclosure Timeline
2017.08.17 – KoreLogic submits vulnerability details to Splunk.
2017.08.17 – Splunk confirms receipt.
2017.08.22 – Splunk notifies KoreLogic that the issue has been assigned an internal ticket and will be addressed.
2017.09.29 – 30 business days have elapsed since the vulnerability was reported to Splunk.
2017.10.17 – KoreLogic requests an update from Splunk.
2017.10.18 – Splunk informs KoreLogic that they will issue an advisory on October 28th.
2017.10.23 – 45 business days have elapsed since the vulnerability was reported to Splunk.
2017.10.30 – Splunk notifies KoreLogic that the advisory is published.
2017.11.03 – KoreLogic public disclosure

Typical Full Disclosure Email (cont)
7. Proof of Concept
See 3. Technical Description.
The contents of this advisory are copyright (c) 2017 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at: https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
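The advisory above turns on one ownership fact: the account Splunk drops to also owns the startup configuration that root reads. A defender can audit an install for exactly that condition. The following check is an added example, not KoreLogic's or Splunk's code; the config text and ownership snapshot are constructed, and `live_owners` is a hypothetical helper for gathering real ownership on a POSIX host.

```python
import os

# Constructed sample of $SPLUNK_HOME/etc/splunk-launch.conf (not a real install).
SAMPLE_CONF = """# splunk-launch.conf (constructed example)
SPLUNK_HOME=/opt/splunk
SPLUNK_OS_USER=splunk
"""

# Constructed ownership snapshot (path -> owning user), as the documented
# "chown -R splunk:splunk $SPLUNK_HOME" step would leave it.
SAMPLE_OWNERS = {
    "/opt/splunk/etc/splunk-launch.conf": "splunk",
    "/opt/splunk/bin": "splunk",
    "/opt/splunk/etc": "splunk",
}

# Paths root reads or executes before dropping privileges: if the service
# account owns them, it controls what root runs at the next restart.
ROOT_TRUSTED = ("etc/splunk-launch.conf", "etc", "bin")

def parse_os_user(conf_text):
    """Return SPLUNK_OS_USER from splunk-launch.conf text, or None if unset."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "SPLUNK_OS_USER" and value:
            return value
    return None

def audit(conf_text, owners, splunk_home="/opt/splunk"):
    """Return a list of findings; an empty list means the layout looks safe."""
    user = parse_os_user(conf_text)
    if user is None:
        return ["SPLUNK_OS_USER is unset: daemons keep root after startup"]
    findings = []
    for rel in ROOT_TRUSTED:
        path = f"{splunk_home}/{rel}"
        if owners.get(path) == user:
            findings.append(f"{path} is owned by '{user}', the account root drops to")
    return findings

def live_owners(splunk_home="/opt/splunk"):
    """Hypothetical helper: collect real ownership with os.stat and pwd (POSIX only)."""
    import pwd
    owners = {}
    for rel in ROOT_TRUSTED:
        path = os.path.join(splunk_home, rel)
        if os.path.exists(path):
            owners[path] = pwd.getpwuid(os.stat(path).st_uid).pw_name
    return owners

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, SAMPLE_OWNERS):
        print("FINDING:", finding)
```

Run against `live_owners()` instead of `SAMPLE_OWNERS` to check a real host; the three findings from the sample correspond to the chown step the advisory quotes.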

Other Security News Sources
• Social Media – Facebook, Google+, Twitter
― But Facebook is a time suck. Google+ provides better signal/noise ratio
• Can take quite some time to identify good contacts to follow
― Start with some of the bloggers mentioned previously and see who they follow

Tactical Intelligence

Intelligence Cycle
[Diagram: the cycle Direction → Collection → Processing → Analysis → Dissemination, feeding back into Direction]

Classic Intelligence Cycle
• Direction
― From the customer – what uncertainty do they need to resolve?
• Collection
― Using sources (HUMINT, SIGINT, etc.)
• Processing
― Normalization, indexing, translation, enrichment, filtering, prioritization, visualization
• Analysis
― Correlating information: does the evidence cumulatively support claims?
• Dissemination
― Back to the customer(s)
• Feedback / Process Improvement
― Improve direction phase, or increase data collection, etc.

Honeypots and Honeynets
• Excellent for collecting intelligence – bring the adversary to you
• A way of testing your IDS capabilities, getting warning of imminent attack
― Place honeypot/honeynet in unused low address space
  ▪ Assuming hackers scan from low to high!
― Or switch untrusted client IP’s to honeypot rather than real systems
• Attackers spend time compromising honeypot while you observe and secure
your systems on higher addresses
• Real systems are risky
― What if someone compromises your honeypot then launches a damaging attack on someone else?
  ▪ Probably not worth it for smaller enterprises
  ▪ Justified for high-value targets, intelligence feeds and security researchers only
• Non-real honeypots cannot be used to pivot
• High-end systems have advanced intelligence collection capabilities
― E.g. Cymmetria MazeRunner

Tactical/Operational Threat Intelligence
• Exchanged at the security appliance (“next-gen firewall”) level
• Initially, proprietary protocols developed by firewall vendors
• US Govt (NIST/MITRE) project for security automation
• Indicators of compromise:
― Digests of malware files
― Signatures
  ▪ Hex strings
  ▪ ASCII strings
― IP addresses
― C2 domains
• Can be found using “next-gen” firewalls, IDS, YARA
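The indicator types listed above (file digests, hex and ASCII signatures, IP addresses, C2 domains) are what a feed delivers and what a firewall, IDS or YARA matches against. The following matcher is an added example, not code from the slides or from any vendor; the file bytes, log lines and indicator values are all constructed (documentation address ranges and example domains), not real IoCs.

```python
import hashlib
import re

# Constructed artefacts to scan (not real malware or traffic).
SAMPLE_FILE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16 + b"cmd.exe /c whoami" + b"\x00" * 8
SAMPLE_LOGS = [
    "2018-03-01T10:00:01 fw allow src=10.0.0.5 dst=198.51.100.23 dport=443",
    "2018-03-01T10:00:02 dns query=c2.example.net from 10.0.0.5",
    "2018-03-01T10:00:03 fw allow src=10.0.0.7 dst=203.0.113.9 dport=80",
]

# Constructed indicator set, one entry per category on the slide.
INDICATORS = {
    "digest": {hashlib.sha256(SAMPLE_FILE).hexdigest()},   # digest of a malware file
    "hex": [bytes.fromhex("4d5a90000300")],                # signature as a hex string
    "ascii": [b"cmd.exe /c whoami"],                        # signature as an ASCII string
    "ip": {"198.51.100.23"},
    "domain": {"c2.example.net"},
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def scan_file(data, indicators):
    """Return (kind, indicator) hits for a file's digest and byte signatures."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in indicators["digest"]:
        hits.append(("digest", digest))
    for sig in indicators["hex"]:
        if sig in data:                      # raw byte pattern anywhere in the file
            hits.append(("hex", sig.hex()))
    for sig in indicators["ascii"]:
        if sig in data:
            hits.append(("ascii", sig.decode()))
    return hits

def scan_logs(lines, indicators):
    """Return (line_no, kind, indicator) hits for IPs and domains seen in log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in indicators["ip"]:
                hits.append((n, "ip", ip))
        for dom in DOMAIN_RE.findall(line):
            if dom.lower() in indicators["domain"]:
                hits.append((n, "domain", dom.lower()))
    return hits

if __name__ == "__main__":
    print(scan_file(SAMPLE_FILE, INDICATORS))
    print(scan_logs(SAMPLE_LOGS, INDICATORS))
```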

Open Source Feeds
• Includes lists of known C&C servers and domains, botnet IP addresses, compromised IP addresses, IP addresses launching SSH brute force attacks, malware domains, sites infected by Monero cryptominers, ransomware IP addresses and URL’s, etc
• From sources like
― Alienvault (now AT&T Cybersecurity)
  ▪ Alienvault OSSIM is an open-source SIEM
  ▪ IP Reputation information (218,000 entries)
• See also https://threatfeeds.io/

Threat Intelligence Protocols
• STIX – Structured Threat Information Expression
• TAXII – Trusted Automated eXchange of Indicator Information
• CybOX – Cyber Observables Exchange

F3EAD
MILITARY INTELLIGENCE CYCLE
• Find
― Identify the target
• Fix
― Locate the target
• Finish
― Impose
• Exploit
― Deconstruct information gained from the “Finish” phase
• Analyze
― Integrate the deconstructed information with the wider strategic context
• Disseminate
― Publish the results to customers

F3EAD in a Cyber Context
• Find
― Confirm unauthorised activity within your network – eliminate alternative explanations
• Fix
― Use suspicious behaviours (network traffic, IDS alerts, etc.) to identify and catalogue malware and tools on infected hosts
• Finish
― Remove infections – either replace hosts and reimage or remove malware
• Exploit
― Analyse malware and develop Indicators of Compromise (signatures, strings, etc.)
• Disseminate
― Disseminate IOC’s to tactical customers – SOC, vendors, etc. – and report to strategic customers (C Suite)

Coupling the Two Cycles
[Diagram: the strategic (management) cycle – Direction, Collection, Processing, Analysis, Dissemination – coupled to the tactical (technical) F3EAD cycle – Find, Fix, Finish, Exploit, Analyse, Disseminate – with tactical Disseminate feeding strategic Collection and strategic Dissemination feeding tactical Find]

Production and Consumption
• More enterprises consume threat intelligence than produce it
― And that trend is accelerating
Source: SANS 2018 Cyber Threat Intelligence Survey

Traffic Light Protocol
CONTROL OVER INTELLIGENCE SHARING
• CSIRTs use the Traffic Light Protocol to control dissemination and sharing of intelligence information
• In emails, place the TLP marking in the Subject: field
• In documents, right-justify it in headers and footers
• Do not confuse with Chatham House Rules

TLP:RED
  When to use: Not for disclosure, restricted to participants only.
  How may it be shared? Do not share outside the specific meeting or conversation.
TLP:AMBER
  When to use: Limited disclosure, restricted to participants’ organizations.
  How may it be shared? Recipients can share within their own organisation or with clients and customers who need the information.
TLP:GREEN
  When to use: Limited disclosure, restricted to the community.
  How may it be shared? Recipients can share within their industry sector or community, but not via public channels.
TLP:WHITE
  When to use: Disclosure is not limited.
  How may it be shared? May be distributed without restriction (but consider classified information handling, copyright, etc.).