Threat Intelligence on the Cheap
OWASP Los Angeles
May 24, 2017
Shane MacDougall
InfoSec Drone

Disclaimer
These are my opinions only, and do not reflect on my employers
I am not endorsing these resources, I am simply presenting them as players in the field
YMMV
Use these resources at your own risk

About Me
Shane MacDougall
Been an InfoSec professional since 1987
Started as a pentester for KPMG
Areas of interest include social engineering, threat intelligence, OSINT, machine learning and sentiment analysis
Powerpoint Ninja

Why This Talk?
I’ve seen many organizations spend tremendous amounts of money on TI infrastructure
Most of the outlay could have been easily deployed via DIY
Cost of TI: 1-3 SOC analysts

What Is Threat Intelligence
Do you need to be able to reverse malware?
Do you have attackers dedicated to your particular enterprise?
Are you in the financial industry? Military?
Do you have compliance requirements?
Dollar amount loss
Do you need Team Cymru feeds or iSight or iDefense or similar high intelligence?

What TI Do You Need?
Needs will vary by your threat model
User facing versus B2B
Fraudulent transactions vs hacking attacks
Volume of transactions
Need for automation

What Is Threat Intelligence?

What Is Threat Intelligence
Actionable intelligence on threat actors
UK Center for Protection of National Infrastructure defines 4 types:
– Strategic (high level info on changing risk)
– Technical (attacker methodologies, tools, tactics)
– Tactical (indicators of compromise)
– Operational (details on attacks)

What Is Threat Intelligence
Can include:
– Indicators of compromise
– IP address
– Payloads
– Device information
– IP intelligence
– Phone number
– Forum posts

What Is Threat Intelligence
Can include:
– Attacker’s country
– Device fingerprint
– File hash
– URL
– TTP (tactics, techniques, procedures)
– Etc etc etc etc etc

What Is Threat Intelligence
No One Size Fits All
YOU need to define what TI means to YOUR organization
Do not fall into the trap of adopting what others are doing
Roll your own for your environment
Make sure expectations/understandings of stakeholders are realistic and helpful

What Is Threat Intelligence
Data without context is just data
Threat intelligence with no association to your organization is (mostly) useless
Without a proper platform your data might be useless (or at least not optimally staged)
Do you want to adopt a TI format (TAXII, STIX, IODEF, etc etc etc)?
Determine your needs/platform/format before you begin, or else

Threat Intelligence Frameworks

Threat Intelligence Frameworks
You need a framework
TI data comes in a multitude of formats
Different distribution methods
You need the ability to take disparate datasets and converge them into usable and actionable intelligence

CIF
CIF (Collective Intelligence Framework)
REN-ISAC project
Aggregates private and public feeds
CLI and RESTful API
Comes pre-configured with feeds
V3 “The Bearded om/csirtgadgets/beardedavenger

MISP
Malware Information Sharing Platform (& Threat Sharing)
Widely used
Originally used by NATO
Active community

CRITS
Collective Research Into Threats
https://crits.github.io
Open source project from MITRE
Widely used
Very active community

Open Threat Exchange
AlienVault
Claims to be the world’s largest crowd-sourced security platform
26,000 users
1,000,000 potential threats daily

Threat Intelligence Has Limitations
You find out a malware package is unique to your company. What now?
You have an attacker IP address from China. Is your attacker Chinese? You gonna call the Chengdu Police Dept?
Amount of time you expend needs to have a comparable ROI

Internal vs External
Internal – leveraging internal information to identify attackers/threat actors (free - sorta)
External – lists, services (from free to very, very, very not free)

Internal
Firewall logs
SIEM logs
Antivirus
Honeypots
Incident data
Device fingerprinting
Main costs: storage and processing

Client Side Threat Intelligence
From our webapp we can do fingerprinting
This can be especially useful when your threat model is focused primarily on fraud
Useful but needs correlation

Passive Fingerprinting
Passive:
– We don’t query the client
– We examine TCP/IP traffic, OS fingerprints
– nmap -O --osscan-limit --fuzzy

Active Fingerprint
We actively query the browser
Need JavaScript or other similar client-side scripting language to harvest
Different web clients will yield different fingerprints
That said, they will likely just rotate through a few clients, so repeated attacks can be detected

Browser/Device Fingerprinting
Browser information
– User Agent
– HTTP ACCEPT (content types)
– Browser Plugins
– Screen size (big one)
– Fonts
– Time Zone
– Cookie information

Browser/Device Fingerprinting
Device information
– MAC address (this one DOES get changed)

Browser/Device Fingerprinting
These combined give us many many many digits worth of uniqueness
Yes, they can disable JavaScript (enjoy your surfing) – but how frequently do you see that?
NoScript will save your butt – and nobody uses it
Mobile devices a lot less unique to fingerprint
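The attributes listed on the preceding slides can be folded into one stable hash and then used server-side to notice the same client coming back from different IP addresses, which is the correlation the fraud use case needs. The Python below is an added example written for this page, not code from the talk, fingerprintjs or clientjs. It assumes the web app records, per login attempt, the request headers it sees plus a few attributes its own client-side JavaScript harvested; the field names and the sample sessions are constructed for the demo.

```python
"""Correlate repeated abuse across rotating clients by fingerprint.

Added example, not code from the talk, fingerprintjs or clientjs. It
assumes the web app records, per login attempt, the request headers plus
a few attributes harvested by its own client-side JavaScript; the field
names and the sample sessions below are this example's own construction.
"""
import hashlib
import json
from collections import defaultdict

# Fields folded into the fingerprint. Header fields come with every
# request; the rest need client-side script and hash as "" when absent.
FINGERPRINT_FIELDS = (
    "user_agent", "accept", "accept_language",   # from HTTP headers
    "plugins", "screen", "fonts", "timezone",    # harvested by JavaScript
)


def fingerprint(attrs):
    """Stable SHA-256 over the fingerprint fields, always in the same order.

    A client with JavaScript disabled still yields a hash, but one built
    from headers alone, so it collides far more often (see note below).
    """
    canonical = json.dumps([str(attrs.get(f, "")) for f in FINGERPRINT_FIELDS])
    return hashlib.sha256(canonical.encode()).hexdigest()


def repeated_clients(sessions, threshold=3):
    """Group failed attempts by fingerprint; return fingerprints with at
    least `threshold` failures, mapped to the distinct source IPs behind them."""
    by_fp = defaultdict(list)
    for s in sessions:
        if s["outcome"] == "fail":
            by_fp[fingerprint(s["attrs"])].append(s["src_ip"])
    return {fp: sorted(set(ips)) for fp, ips in by_fp.items() if len(ips) >= threshold}


# Constructed client profiles: one attacker rotating two browser setups
# across several IPs, plus an unrelated customer who mistyped a password.
PROFILE_A = {
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ExampleBrowser/1.0",
    "accept": "text/html,application/xhtml+xml",
    "accept_language": "en-US,en;q=0.5",
    "plugins": "pdfviewer,widevine",
    "screen": "1920x1080x24",
    "fonts": "Arial,Calibri,Consolas",
    "timezone": "-480",
}
PROFILE_B = dict(PROFILE_A, screen="1366x768x24", fonts="Arial,Verdana")
PROFILE_C = {
    "user_agent": "Mozilla/5.0 (Macintosh) ExampleBrowser/2.0",
    "accept": "text/html", "accept_language": "fr-FR", "plugins": "",
    "screen": "2560x1600x30", "fonts": "Helvetica,Menlo", "timezone": "-60",
}

SAMPLE_SESSIONS = [  # constructed login attempts
    {"src_ip": "203.0.113.10", "outcome": "fail", "attrs": PROFILE_A},
    {"src_ip": "203.0.113.11", "outcome": "fail", "attrs": PROFILE_A},
    {"src_ip": "198.51.100.7", "outcome": "fail", "attrs": PROFILE_A},
    {"src_ip": "198.51.100.8", "outcome": "fail", "attrs": PROFILE_B},
    {"src_ip": "198.51.100.9", "outcome": "fail", "attrs": PROFILE_B},
    {"src_ip": "192.0.2.77", "outcome": "fail", "attrs": PROFILE_C},
    {"src_ip": "192.0.2.77", "outcome": "success", "attrs": PROFILE_C},
]

if __name__ == "__main__":
    for fp, ips in repeated_clients(SAMPLE_SESSIONS).items():
        print(fp[:12], "seen failing from", ips)
```

Only profile A crosses the default threshold, even though its three attempts came from three different addresses; per-IP rate limiting would have missed it. The header-only fallback is deliberately weak: hashing just User-Agent and Accept lumps every default install of the same browser together, so treat such fingerprints as one signal to correlate with others, not as an identity.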

Browser/Device Fingerprinting
It’s still not that difficult to do.
Don’t believe me?
Google “buy adult diapers los angeles”
Now go to Facebook/Amazon
Enjoy your banner ads for the next five years.

fingerprintjs
Valentin Vasilyev (Valve)

clientjs
Jack Spirou

Browser/Device Fingerprinting
Cross-browser tracking now deployable
king NDSS17.pdf

Browser/Device Fingerprinting
EFF Panopticlick

Am I Unique?

External Sources

Best TI Resource Of All

Best Network
Is your social network
Peers in your industry
People you can call up and ask if they’ve seen/heard information that can help
People who can ask other people
Lean on your friends

Breach Detection
Majority of organizations don’t discover breaches internally
5-6 months on average before detection
Osterman Research

Pastebin (and friends)
Pastebin alerts
Pastemonitor stemon
Many others

Breach Alerting
Honeypots (internal)

Reddit
gineering

Twitter
Top resource for threat intelligence
Most active infosec community anywhere online
Noisy
Data overload
Prepare for the drama llama
YMMV

Twitter
Your lists are your friend
Other people’s lists are your friend
Outside of data feeds (which we will soon discuss), most of the valuable information needs to be processed manually
Very time consuming
Get emotionally vested
DRAMA!!!!!

HoneyPots
Golden
A must have for any environment
Internal yield real time/near real-time intelligence
Free / Paid
New hotness

HoneyPots
External
Twitter feeds
My list: intel/honeypots
Normalizing data is a PITA
RegEx are your friend
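This is what the normalizing step looks like in practice: feed posts mix defanged URLs, bare IPs with ports, hashes and plain chatter, and regexes turn them into a uniform list of typed indicators. The following Python is an added example written for this page, not code from the talk or from any feed it names; the sample lines are constructed to imitate that mix, and the refanging rules cover the common conventions (hxxp, [.], [:]) only.

```python
"""Normalise indicators scattered across free-text feed lines.

Added example, not code from the talk or from any of the feeds it names.
The sample lines are constructed to mimic what honeypot Twitter feeds
produce: defanged URLs, bare IPs with ports, hashes and chatter.
"""
import re

# Undo the usual defanging so values match what firewall/proxy logs contain.
_REFANG = (
    (re.compile(r"hxxp(s?)://", re.I), r"http\1://"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\s+dot\s+", re.I), "."),
    (re.compile(r"\[:\]"), ":"),
)

_OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
RE_IPV4 = re.compile(r"\b(" + _OCTET + r"(?:\." + _OCTET + r"){3})\b")
RE_SHA256 = re.compile(r"\b[a-f0-9]{64}\b", re.I)
# The trailing \b keeps this from matching the first half of a sha256.
RE_MD5 = re.compile(r"\b[a-f0-9]{32}\b", re.I)
RE_URL = re.compile(r"\bhttps?://[^\s\"'<>]+", re.I)


def refang(line):
    """Turn hxxp://1[.]2[.]3[.]4[:]80 back into http://1.2.3.4:80."""
    for pattern, repl in _REFANG:
        line = pattern.sub(repl, line)
    return line


def extract(line):
    """Return de-duplicated (type, value) pairs found in one feed line.

    Domains are deliberately left out: telling evil.example from a file
    name such as x86.elf needs a TLD list this example does not carry.
    """
    text = refang(line)
    found = []
    for url in RE_URL.findall(text):
        found.append(("url", url.rstrip(".,;:)")))   # drop trailing punctuation
    for h in RE_SHA256.findall(text):
        found.append(("sha256", h.lower()))
    for h in RE_MD5.findall(text):
        found.append(("md5", h.lower()))
    for ip in RE_IPV4.findall(text):
        found.append(("ip", ip))
    return list(dict.fromkeys(found))   # keep first-seen order, drop repeats


def normalise(lines):
    """Aggregate across lines: {(type, value): [1-based line numbers]}."""
    index = {}
    for n, line in enumerate(lines, 1):
        for indicator in extract(line):
            index.setdefault(indicator, []).append(n)
    return index


SAMPLE_LINES = [  # constructed feed posts
    "New #Mirai dropper hxxp://198[.]51[.]100[.]23/bins/x86 sha256 "
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "SSH brute force from 203.0.113.45 hitting port 22 again, 400 attempts/hr",
    "C2 check-in to 192[.]0[.]2[.]9[:]8443 md5 d41d8cd98f00b204e9800998ecf8427e",
    "Anyone else seeing the drama in the honeypot channel today? lol",
]

if __name__ == "__main__":
    for (kind, value), lines in normalise(SAMPLE_LINES).items():
        print(f"{kind:7} {value:45} lines={lines}")
```

The hosting IP inside a URL is reported as its own indicator on purpose, since firewall logs show the IP while proxy logs show the URL. Whatever is extracted still needs validation before it goes anywhere near a blocklist, which is the "data not validated" pitfall later in the deck.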

My Favorites
[email protected] @[email protected] [email protected]@[email protected] [email protected]@eis bfb *@olaf j *@pancak3lullz **

Bambenek C&C List
terlist.txt
List of C2 IP addresses

Critical Stack Intel
Aggregated and parsed by Critical Stack and ready to deploy to Bro IDS
You specify which feeds to deploy

Emerging Threats
Emerging Threats Firewall Rules
– Collection of rules for various firewalls (pfSense, iptables, etc)
Emerging Threats IDS Rules
– Collection of Snort and Suricata rules for blocking or alerting

HailATaxii
A free repository of Open Source threat intelligence feeds in STIX format
Over 825k indicators

Firehol.org
Collection of tons of sources (400+ feeds)
Attack/abuse/malware/botnets/C2
Click a link and then download the corresponding github file
Constantly maintained
Firehol and Fireqos languages

Feed aggregator
Private and open source feeds included
Nice interface
Minimal feeds for free source
Takes a while to get activated


ThreatMiner
You can hes
Email
SSL info
Filenames, mutex strings
User Agents
Registry Key Strings
and more.

ThreatCrowd
2000 malicious IP addresses
wget/curl/API
30 minute time limit
Has Snort plugin
p0f (OS fingerprinting) plugin


recon-ng
By Tim Tomes
Reconnaissance framework
Comes with Kali
My favorite

recon-ng
Terminal based
Similar structure/commands to Metasploit
show modules
use recon/domains-contacts/pgp_search
show info
run

SpiderFoot
http://spiderfoot.net
OSINT automation tool
Windows/Linux
Another data aggregation/lookup tool
50 hosts

ThreatPinch
@threatpinch on Twitter
Chrome extension

Malware
Many of the aforementioned engines support malware sampling
VirusTotal
Totalhash
Malwr
VirusShare
Yara Rules

Malware
99% of malware hashes are seen for 58 seconds or less
Vast majority of malware only seen once
Verizon Data Breach Investigations Report, 2016

Maltego
Industry standard viz tool?
The first. Perhaps the best.
Easy to write your own transforms
Free version is fine but doesn’t scale
Check out ital4rensics/Malformity)
Some of the earlier resources also have Maltego transforms (i.e. @threatcrowd et al)

Crowdsourced TI
ThreatConnect (TC Open)
– Allows you to see/share intelligence
– Free tool is limited, but it’s free so
– 100 OSINT feeds
– Threat/incident/adversary info
– Intelligence validation w/ other users

Facebook ThreatExchange
Invite only
Need to have large web presence
ge/v2.9


Great TI List
ence
H/T to Herman Slatman

DarkWeb
Onerous and time consuming
Not necessarily worth the investment of time unless high value target IMHO
IME regular web monitoring yields much more/better intel than DarkWeb
When it hits, it often hits big
YMMV

Speed Is Of The Essence
84% of phishing sites exist for less than 24 hours
Webroot Phishing Threat Trends Report, 2016
IP reputation sites often rank sites as bad based on badness 6 months prior
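One consequence of those two figures is that an indicator needs an expiry: a phishing URL is worthless within a day, while a stale IP reputation keeps blocking a host long after it was cleaned up. The Python below is an added example written for this page, not from the talk or from the reports it cites; the per-type lifetimes, the fixed clock and the sample indicators are this example's own assumptions, chosen only to follow the talk's point.

```python
"""Age out indicators that are too old to act on.

Added example, not from the talk or from any report it cites. The
per-type lifetimes are assumptions for the demo: short for phishing URLs
and malware hashes, longer for IPs, and none for types we do not know.
"""
from datetime import datetime, timedelta, timezone

# Assumed useful lifetime per indicator type after its last sighting.
MAX_AGE = {
    "url": timedelta(hours=24),
    "sha256": timedelta(days=7),
    "ip": timedelta(days=30),
}


def freshness(indicator, now):
    """Linear decay from 1.0 (just seen) to 0.0 (past its type's max age).

    Unknown types score 0.0, so nothing is blocked on them by default.
    """
    limit = MAX_AGE.get(indicator["type"])
    if limit is None:
        return 0.0
    age = now - indicator["last_seen"]
    if age < timedelta(0):          # clock skew or a feed dated in the future
        age = timedelta(0)
    return max(0.0, 1.0 - age / limit)


def prune(indicators, now, min_freshness=0.0):
    """Split indicators into (actionable, expired) by freshness score."""
    keep, drop = [], []
    for ind in indicators:
        (keep if freshness(ind, now) > min_freshness else drop).append(ind)
    return keep, drop


# Fixed clock and constructed indicators so the demo is reproducible.
NOW = datetime(2017, 5, 24, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"type": "url", "value": "http://phish.example/login",
     "last_seen": NOW - timedelta(hours=6)},
    {"type": "url", "value": "http://old-phish.example/",
     "last_seen": NOW - timedelta(days=2)},
    {"type": "sha256", "value": "constructed-hash-1",
     "last_seen": NOW - timedelta(days=8)},
    {"type": "ip", "value": "203.0.113.45",
     "last_seen": NOW - timedelta(days=10)},
    {"type": "ip", "value": "198.51.100.23",
     "last_seen": NOW - timedelta(days=180)},
    {"type": "domain", "value": "c2.example", "last_seen": NOW},
]

if __name__ == "__main__":
    keep, drop = prune(SAMPLE, NOW)
    for ind in keep:
        print(f"keep {ind['type']:7} {ind['value']:30} "
              f"freshness={freshness(ind, NOW):.2f}")
    print(f"expired: {[i['value'] for i in drop]}")
```

Feeding freshness into a SIEM as a score rather than a yes/no lets an old IP still raise an alert without auto-blocking, and running prune on a schedule is the cheap way to do the "reduce archiving" advice that closes the deck.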

Common Pitfalls
Oversubscription
– Data overload is a real thing
– Irrelevant/unrelated data
Improper implementation
– Data deployed to the wrong people
– Data not acted on
– Data not validated

TI Efficiencies
Ways you can reduce costs/increase efficiencies:
– Reduce archiving (do you really need 2 years worth of data?)
– Focus scope
– Roll your own

Thank You
Email: [email protected]
Twitter: @tactical_intel
Tinder: @infosec-studmuffintop