
Threat Intelligence with Open Source tools

Cornerstones of Trust 2014. Threat Intelligence with Open Source tools. @jaimeblasco @santiagobassett. Presenters: Jaime Blasco, Director, AlienVault Labs (Security Researcher, Malware Analyst, Incident Response); Santiago Bassett, Security Engineer (OSSIM / OSSEC, Network Security).


Presentation Transcript


  1. Cornerstones of Trust 2014 Threat Intelligence with Open Source tools @jaimeblasco @santiagobassett

  2. Presenters JAIME BLASCO Director AlienVault Labs Security Researcher Malware Analyst Incident Response SANTIAGO BASSETT Security Engineer OSSIM / OSSEC Network Security Logs Management

  3. The attacker’s advantage • They only need to be successful once • Determined, skilled and often funded adversaries • Custom malware, 0days, multiple attack vectors, social engineering • Persistent

  4. The defender’s disadvantage • They can’t make a mistake • Understaffed, jack of all trades, underfunded • Increasingly complex IT infrastructure: • Moving to the cloud • Virtualization • Bring your own device • Prevention controls fail to block everything • Hundreds of systems and vulnerabilities to patch

  5. What is Threat Intelligence? • Information about malicious actors • Helps you make better decisions about defense • Examples: IP addresses, domains, URLs, file hashes, TTPs, victims’ industries, countries...

  6. State of the art • Most sharing is unstructured & human-to-human • Closed groups • Current standards require knowledge, resources and time to integrate the data

  7. How to use Threat Intelligence • Detect what my prevention technologies fail to block • Security planning, threat assessment • Improves incident response / triage • Decide which vulnerabilities to patch first

  8. The Threat Intelligence Pyramid of Pain

  9. Standards & Tools • IODEF: Incident Object Description Exchange Format • MITRE: • STIX: Structured Threat Information eXpression • TAXII: Trusted Automated eXchange of Indicator Information • MAEC, CAPEC, CybOX • CIF: Collective Intelligence Framework

  10. Collective Intelligence Framework

  11. Collecting malware Some malware tracking sites: • http://malc0de.com/rss • http://www.malwareblacklist.com/mbl.xml • http://www.malwaredomainlist.com/hostslist/mdl.xml • http://vxvault.siri-urz.net/URL_List.php • http://urlquery.net • http://support.clean-mx.de/clean-mx/xmlviruses.php Some Open Source malware crawlers: • Maltrieve: https://github.com/technoskald/maltrieve • Ragpicker: https://code.google.com/p/malware-crawler/

  12. Collecting malware

  13. Other malware collection tools Dionaea honeypot: • http://dionaea.carnivore.it/ Thug Honeyclient – drive-by download attacks: • https://github.com/buffer/thug • Emulates browser functionality (ActiveX controls and plugins)

  14. Analyzing malware Yara: flexible, human-readable rules for identifying malicious streams. Can be used to analyze: • files • memory (Volatility) • network streams. Example rule:

      private rule APT1_RARSilent_EXE_PDF
      {
          meta:
              author = "AlienVault Labs"
              info = "CommentCrew-threat-apt1"
          strings:
              // markers of a WinRAR self-extracting archive with a silent SFX script
              $winrar1 = "WINRAR.SFX" wide ascii
              $winrar2 = ";The comment below contains SFX script commands" wide ascii
              $winrar3 = "Silent=1" wide ascii
              // a Setup= command launching an exe/pdf/doc, or the misspelled "Steup=" key
              $str1 = /Setup=[\s\w\"]+\.(exe|pdf|doc)/
              $str2 = "Steup=\"" wide ascii
          condition:
              all of ($winrar*) and 1 of ($str*)
      }

  15. Analyzing malware Cuckoo Sandbox: Used for automated malware analysis. • Traces Win32 API calls • Files created, deleted and downloaded • Memory dumps of malicious processes • Network traffic pcaps

  16. Analyzing malware

  17. Sandbox – CIF integration In our example: hxxp://www.garyhart.com, domain
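As an added example (not from the slides, nor code from the Cuckoo or CIF projects), the script below pulls network observables out of a sandbox report for submission to CIF, the step slide 17 illustrates with www.garyhart.com. It assumes Cuckoo's report.json field names (`network.domains`, `network.http`, `network.hosts`), a constructed sample report, and an allowlist of domains the sandbox guest contacts on its own; everything else (function names, the confidence value) is hypothetical.

```python
import ipaddress
import json
import re

# Constructed sample shaped like the "network" section of a Cuckoo report.json
# (assumed Cuckoo 1.x field names). Domain from slide 17; IPs from documentation ranges.
SAMPLE_REPORT = json.dumps({"network": {
    "domains": [{"domain": "www.garyhart.com", "ip": "203.0.113.10"},
                {"domain": "time.windows.com", "ip": "198.51.100.5"}],
    "http": [{"method": "GET", "host": "www.garyhart.com",
              "uri": "http://www.garyhart.com/download/update.exe"}],
    "hosts": ["203.0.113.10", "198.51.100.5", "192.168.56.1"]}})

# Names a sandboxed Windows guest contacts on its own: noise that would poison the feed.
ALLOWLIST = {"time.windows.com", "windowsupdate.com"}
# Sandbox-local / RFC1918 space never belongs in a shared feed.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def defang(value):
    """hxxp / [.] notation so an indicator is not clickable or auto-resolved."""
    return re.sub(r"^http", "hxxp", value).replace(".", "[.]")

def is_allowlisted(domain):
    return any(domain == a or domain.endswith("." + a) for a in ALLOWLIST)

def is_local(ip):
    return any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS)

def extract_indicators(report_json, confidence=85):
    # Returns CIF-style observables: {address, type, confidence, display}
    net = json.loads(report_json).get("network", {})
    out, seen, noise_ips = [], set(), set()
    def add(addr, itype):
        if addr not in seen:
            seen.add(addr)
            out.append({"address": addr, "type": itype,
                        "confidence": confidence, "display": defang(addr)})
    for d in net.get("domains", []):
        if is_allowlisted(d["domain"]):
            noise_ips.add(d.get("ip"))  # IPs resolved from benign names are noise too
            continue
        add(d["domain"], "domain")
        if d.get("ip"):
            add(d["ip"], "ipv4")
    for h in net.get("http", []):
        if not is_allowlisted(h["host"]):
            add(h["uri"], "url")
    for ip in net.get("hosts", []):  # direct connections made without a DNS lookup
        if not is_local(ip) and ip not in noise_ips:
            add(ip, "ipv4")
    return out
```

The `address` field is what you would hand to CIF; `display` is the defanged form for tickets and reports.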

  18. CIF External feed example

  19. Thank you!! @jaimeblascob @santiagobassett
