IOCs for Modern Threat Landscape 
IOCs for IR 
An Overview and Recommendations 
Sai Kesavamatham
Overview 
• IOC and Samples 
• IOC Life Cycle 
• Current Process 
• Tools 
• Implementation Recommendations
References: 
The Open IOC Framework 
Collective Intelligence Framework (Google Code) 
GRR (Google Rapid Response)
IOCs
• IOCs – Indicators Of Compromise – are forensic artifacts left behind by an intrusion that can be identified on a host or network
• Artifacts are left in physical memory, the file system, the registry and running processes
• Bad MD5 hashes, file names, registry settings, URLs, IP addresses etc.
• Usually developed using static or dynamic analysis
• Sources
  ◦ External feeds – free, commercial, Govt. agencies
  ◦ Developed from internal IR incidents – e.g. malware analysis, packet captures etc.
Sample IOCs 
Host URI: sp-storage.spccinta.com 
Network Activity: User-Agent: Mozilla/4.0 (compatible; ) 
Sighted: 2014-07-09 
Killchain Phase: Exploitation 
Characterization: Domain Watchlist 
Notes: Stage 1 Malicious Domain 
GET statement: AutoUpdate.zip 
Malicious Domain observed usually occurring in a pairing with Stage 2 Domain & POST 
_____________________________________ 
Host IPv4: 184.28.64.243 
Sighted: 2014-07-09 
Killchain Phase: Command and Control 
Characterization: C2 
Notes: Comcast Cable Comm - Cambridge, MA
IOCs in the Investigative Life Cycle
IOCs and the need to manage
• Lack of, incomplete or inefficient use and maintenance of IOCs
• Not using IOCs effectively across the available security stack layers
  ◦ Anti-Virus
  ◦ DNS
  ◦ Firewalls
  ◦ IDP
• Lists do not provide context
  ◦ Who did the list come from?
  ◦ An MD5 of what?
  ◦ Where are the history and past reports?
  ◦ How can I maintain it?
  ◦ How do I report and share?
Some Tools and Sources in the market
• IOC Feeds
  ◦ Getting from external agencies and commercial subscriptions
  ◦ Free feeds e.g. CIF – Collective Intelligence Framework (Open Source)
• IOC – Recording, Managing and Sharing Information
  ◦ OpenIOC standard – Released by Mandiant
  ◦ IOC Editor and IOC Finder (Free) – Released by Mandiant
  ◦ GRR – Google Rapid Response (Open Source)
• Live Forensics and Malware Analysis
  ◦ GRR – Google Rapid Response (Open Source, supports many platforms)
  ◦ RedLine – Free from Mandiant for individual Windows hosts
  ◦ Encase – Are we using it for other than legal investigations?
Implementation Recommendations
CIF – Collective Intelligence Framework
CIF – Cyber Threat Intelligence Management System
• Combines known malicious threat information from many sources (reputation feeds)
• Creates actionable IOCs to feed into
  ◦ Detection – IDP signatures, DNS sinkholing
  ◦ Mitigation – null route
  ◦ Identification – incident response
• IOCs are generated dynamically every hour
  ◦ Can be generated with different confidence levels on a scale of 1 to 10
Typical DNS query flow – CIF Use Case
Actors: CLIENT, DNS Server, TARGET
1. Email with a Target URL link (could be phishing)
2. Client asks the DNS Server for the IP address of the Target URL link
3. DNS Server responds with the IP address
4. Client contacts the Target
DNS query flow with Sinkhole in place
Actors: CLIENT, DNS Server, BAD GUY, DNS Sinkhole
1. Phishing email with a Target URL link
2. Client asks the DNS Server for the IP address of the Target URL link
3. DNS Server responds with a fake IP address (dynamic IP reputation feeds replace the Bad Guy's address with the DNS Sinkhole IP address)
4. Client contacts the Target, which is now the DNS Sinkhole
DNS Sinkhole: log client queries, send to SIEM, follow up with IR
CIF – DNS Sinkhole in production (Example)
• Client query to DNS on 19-Sep-2014 16:56:24
  Who is: www.000007.ru (Bad Guy as per CIF)
• DNS response to client
  www.000007.ru is 192.168.3.4
• In the above example, 192.168.3.4 is the address of the DNS Sinkhole
• Client connections end up in the sinkhole
Legend (figure colours)
RED – URLs with bad reputation
BLUE – DNS sinkhole
CIF – Query and Submission
Browser Plugins for CIF Query and Data Submission
• Standard browser plugins are available
  ◦ Query individual IOCs
  ◦ Submit new IOCs
Next Steps – DNS Sinkhole reports
• Aggressive Response
  ◦ Find the clients that are trying to contact the bad URLs
  ◦ Proactively analyze DNS query logs and clean up the machines
  ◦ Improve the CIF database with internal IOCs
  ◦ Needs resources with hands-on experience
• Passive Response
  ◦ Continue with the current CIF setup in Production
  ◦ End user machines continue to fail to contact bad guys
  ◦ No difference to end user experience
  ◦ Use the data in reactive mode for future investigations
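The sinkhole slides above describe a pipeline in words: take reputation-feed entries at a chosen confidence level (the 1 to 10 scale CIF produces), answer matching queries with the sinkhole address, log the client queries, and use those logs to find the machines that need IR follow-up. The following Python is an added example, not code from the slides, CIF or any sinkhole product: the feed records, the BIND-style query log lines, the domain names and the client addresses are all constructed, and the record fields (`address`, `confidence`, `source`) are an assumed simplification of what a CIF feed carries. Only the sinkhole address 192.168.3.4 is taken from the slides' example.

```python
"""Added example: CIF-style feed -> sinkhole list -> DNS query log triage.
Feed layout, log lines, names and addresses are constructed for illustration."""
import re
from collections import defaultdict

SINKHOLE_IP = "192.168.3.4"  # sinkhole address used in the slides' example

# Constructed feed records (assumed CIF-like shape): domain, confidence 1-10, source.
FEED = [
    {"address": "www.000007.ru",  "confidence": 9, "source": "reputation-feed-a"},
    {"address": "bad.example",    "confidence": 8, "source": "internal-ir"},
    {"address": "maybe.example",  "confidence": 4, "source": "reputation-feed-b"},
    {"address": "www.ok.example", "confidence": 2, "source": "reputation-feed-b"},
]

# Constructed resolver query log in BIND querylog style (hypothetical clients 10.0.0.x).
LOG_LINES = """\
19-Sep-2014 16:56:24.101 queries: info: client 10.0.0.15#53211: query: www.000007.ru IN A + (10.0.0.1)
19-Sep-2014 16:56:31.550 queries: info: client 10.0.0.22#40123: query: www.example.com IN A + (10.0.0.1)
19-Sep-2014 16:57:02.004 queries: info: client 10.0.0.15#53290: query: cdn.bad.example IN A + (10.0.0.1)
19-Sep-2014 16:58:10.777 queries: info: client 10.0.0.40#51000: query: maybe.example IN A + (10.0.0.1)
19-Sep-2014 16:59:00.000 queries: info: client 10.0.0.22#40200: query: WWW.000007.RU IN AAAA + (10.0.0.1)
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) .*?client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def build_sinkhole(feed, min_confidence=7):
    """Keep only feed entries at or above the confidence threshold, keyed by
    normalised domain. Raising the threshold trades coverage for fewer false
    sinkholes of legitimate names."""
    return {
        r["address"].lower().rstrip("."): r
        for r in feed
        if r["confidence"] >= min_confidence
    }


def sinkhole_response(query_name, sinkhole):
    """Resolver decision: return (sinkhole IP, matched record) when the name or
    any parent domain is listed, else None so the query is forwarded normally."""
    parts = query_name.lower().rstrip(".").split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in sinkhole:
            return SINKHOLE_IP, sinkhole[candidate]
    return None


def parse_query_log(text):
    """Yield timestamp, client, qname and qtype from each parsable log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_sinkhole_hits(text, sinkhole):
    """Turn query log lines into SIEM-style events for every sinkholed lookup."""
    events = []
    for q in parse_query_log(text):
        hit = sinkhole_response(q["qname"], sinkhole)
        if hit:
            answer, rec = hit
            events.append({
                "time": q["ts"],
                "client": q["client"],
                "qname": q["qname"].lower().rstrip("."),
                "matched": rec["address"],
                "confidence": rec["confidence"],
                "source": rec["source"],
                "answer": answer,
            })
    return events


def clients_to_follow_up(events):
    """IR worklist: each client IP with the listed domains it tried to resolve."""
    by_client = defaultdict(set)
    for e in events:
        by_client[e["client"]].add(e["matched"])
    return {c: sorted(d) for c, d in by_client.items()}


if __name__ == "__main__":
    sinkhole = build_sinkhole(FEED)
    hits = find_sinkhole_hits(LOG_LINES, sinkhole)
    for e in hits:
        print(e)
    print(clients_to_follow_up(hits))
```

With the default threshold of 7, `maybe.example` (confidence 4) is left alone, so the client that looked it up never appears in the IR worklist; lowering the threshold pulls it in. The parent-domain match is what catches `cdn.bad.example` against a feed entry for `bad.example`.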
IOC Editor – Maintaining IOCs in OpenIOC format
IOC Editor
  ◦ Creates IOCs in OpenIOC format
  ◦ Easy to use UI
  ◦ Ability to add each entity from provided IOCs
  ◦ Add IOC entities as OR or AND conditions
  ◦ Creates a simple XML format that can be used to convert to other IOC formats like STIX
IOC Finder
IOC Finder
  ◦ Command line utility used in host level analysis
  ◦ Two-phased workflow
    ▪ Collect data suitable for general IOC matching
    ▪ Analyze the collected data looking for and reporting IOC hits
  ◦ Can be used to collect data from multiple hosts to a common network location
  ◦ Run analysis to find IOC hits
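The IOC Editor slide says OpenIOC is a simple XML format in which indicator entities are combined with AND and OR conditions, and the IOC Finder slide describes a two-phase workflow: collect host data first, then analyze the collection for hits. The following Python is an added example that is not Mandiant's IOC Editor or IOC Finder code: it evaluates a constructed OpenIOC 1.0-style document against constructed host data so the AND/OR logic and the collect-then-analyze split can be seen end to end. The IOC id, the MD5 values, the file names and the registry value name are placeholders; the `condition` semantics implemented (`is`, `contains`, `matches`) are an assumed simplification of the real tool's matching rules.

```python
"""Added example: evaluate an OpenIOC 1.0-style AND/OR indicator tree against
collected host artifacts. Document contents and host data are constructed."""
import re
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed OpenIOC 1.0-style document (placeholder id and hash values):
# hit if EITHER the known-bad MD5 is seen OR (dropper file name AND its Run key).
IOC_XML = r"""<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001" last-modified="2014-09-19T00:00:00">
  <short_description>Stage 1 dropper (constructed example)</short_description>
  <definition>
    <Indicator operator="OR" id="i1">
      <IndicatorItem id="ii1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="i2">
        <IndicatorItem id="ii2" condition="contains">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">AutoUpdate</Content>
        </IndicatorItem>
        <IndicatorItem id="ii3" condition="is">
          <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/>
          <Content type="string">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AutoUpdate</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""


def collect_host_data():
    """Phase 1 stand-in: what a collector would gather, grouped by OpenIOC
    document type. Constructed artifacts, hypothetical paths and hashes."""
    return {
        "FileItem": [
            {"FileItem/FileName": "AutoUpdate.zip",
             "FileItem/Md5sum": "ffffffffffffffffffffffffffffffff",
             "FileItem/FullPath": r"C:\Users\Public\AutoUpdate.zip"},
            {"FileItem/FileName": "notepad.exe",
             "FileItem/Md5sum": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
             "FileItem/FullPath": r"C:\Windows\System32\notepad.exe"},
        ],
        "RegistryItem": [
            {"RegistryItem/Path": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AutoUpdate",
             "RegistryItem/Value": r"C:\Users\Public\AutoUpdate.zip"},
        ],
    }


def item_matches(item_el, host):
    """One IndicatorItem hits if any collected artifact of its document type
    satisfies the condition on the searched field (case-insensitive)."""
    ctx = item_el.find("ioc:Context", NS)
    content = item_el.find("ioc:Content", NS)
    doc, search = ctx.get("document"), ctx.get("search")
    cond = item_el.get("condition", "is")
    want = (content.text or "").strip()
    for artifact in host.get(doc, []):
        have = artifact.get(search)
        if have is None:
            continue
        if cond == "is" and have.lower() == want.lower():
            return True
        if cond == "contains" and want.lower() in have.lower():
            return True
        if cond == "matches" and re.search(want, have, re.IGNORECASE):
            return True
    return False


def evaluate(indicator_el, host, hits):
    """Recursively apply the Indicator's AND/OR operator to its children,
    recording the ids of IndicatorItems that hit."""
    op = indicator_el.get("operator", "OR").upper()
    results = []
    for child in indicator_el:
        tag = child.tag.split("}")[-1]
        if tag == "IndicatorItem":
            r = item_matches(child, host)
            if r:
                hits.append(child.get("id"))
            results.append(r)
        elif tag == "Indicator":
            results.append(evaluate(child, host, hits))
    if not results:
        return False
    return all(results) if op == "AND" else any(results)


def analyze(ioc_xml, host):
    """Phase 2: report whether the IOC matched and which items contributed."""
    root = ET.fromstring(ioc_xml)
    top = root.find("ioc:definition/ioc:Indicator", NS)
    hits = []
    matched = evaluate(top, host, hits)
    return {"ioc_id": root.get("id"), "matched": matched, "items_hit": hits}


if __name__ == "__main__":
    print(analyze(IOC_XML, collect_host_data()))
```

Keeping the collected artifacts as plain per-document dictionaries is what lets the same collection be re-analyzed later when a new IOC arrives, which is the point of the collect-then-analyze split: the host does not have to be touched again. The constructed host data hits through the AND branch (file name plus Run key) even though the MD5 does not match, which is exactly the case where a hash-only list would have missed the dropper.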
RedLine – Single Host Malware Analysis
Host Investigation
  ◦ Redline from Mandiant (Free) can be used for individual hosts
  ◦ Memory, file system, running processes, registry
  ◦ Performs IOC analysis if supplied with a list of IOCs
  ◦ Provides the Redline Malware Risk Index to find high value processes
  ◦ Only for Windows
GRR – Google Rapid Response (Centralized)
GRR – Google Rapid Response (Open Source, supports many platforms)
  ◦ Central console for multiple hosts
  ◦ Advanced malware analysis features
  ◦ Can run scheduled hunts for IOCs across multiple systems
  ◦ Can do registry, file system, memory and process analysis


Editor's Notes

  1. We live in a connected world and the foundation for these connections is the network. Broadband Internet traffic is doubling each and every year (according to IDC) [or] Internet traffic worldwide will grow three-fold by the year 2017. (Internet Trends, Mary Meeker (KCPB)) Today we have 2.5 billion Internet users in the world – roughly one-third of the Earth’s population. In the next decade, the number of Internet users will double to 5 billion (Mary Meeker, KPCB). That means that two-thirds of the world will be connected by 2023. When you add in the big trends of cloud, mobility, video and security, the combined rate of acceleration is placing unprecedented demands on the network.
  [Optional stats/factoids]
  100 hours of video uploaded every single minute to YouTube (YouTube)
  Mobile video traffic exceeded 50 percent for the first time in 2012. (Cisco VNI)
  Mobile network connection speeds more than doubled in 2012. (Cisco VNI)
  In 2012, a fourth-generation (4G) connection generated 19 times more traffic on average than a non-4G connection. Although 4G connections represent only 0.9 percent of mobile connections today, they already account for 14 percent of mobile data traffic. (Cisco VNI)
  [NOTE: Consider finding alternate source for above stats to avoid citing Cisco]
  As you just described (refer to pain points from previous slide), you are living in this world and feeling the pressure every day. Pradeep Sindhu founded Juniper 17 years ago on the belief that we should solve technology problems that matter most to our customers and that make a difference in the world. He recognized the importance of the network and the impact it would have on our world. Our mission is simple, but powerful: to connect everything and empower everyone. In today’s connected world, this mission is more relevant than ever. Here at Juniper we are focused on helping alleviate those pain points through our portfolio of high performance networking products.
  [T] And we do this by listening to our customers and helping them address their challenges and capitalize on their opportunities.