IOCs for Modern Threat Landscape: IOCs for IR, An Overview and Recommendations

Sai Kesavamatham

Uploaded by sai-kesavamatham, posted 06-Jul-2015


DESCRIPTION

Indicators of Compromise (IOCs) for Security IR using Open sources and other tools

TRANSCRIPT

Page 1

IOCs for Modern Threat Landscape

IOCs for IR: An Overview and Recommendations

Sai Kesavamatham

Page 2

Overview

• IOC and Samples

• IOC Life Cycle

• Current Process

• Tools

• Implementation Recommendations

Page 3

References:

• The OpenIOC Framework
• Collective Intelligence Framework (Google Code)
• GRR (Google Rapid Response)

Page 4

IOCs

• IOCs – Indicators Of Compromise are forensic artifacts left behind by an intrusion that can be identified on a host or network

• Artifacts left in Physical Memory, File System, Registry, Running processes

• Bad MD5 hashes, File Names, Registry settings, URLs, IP addresses etc.

• Usually developed using Static or Dynamic Analysis

• Sources
  • External feeds – free, commercial, Govt. agencies
  • Developed from internal IR incidents – e.g. malware analysis, packet captures etc.

Page 5

Sample IOCs

Host URI: sp-storage.spccinta.com
Network Activity: User-Agent: Mozilla/4.0 (compatible; )
Sighted: 2014-07-09
Killchain Phase: Exploitation
Characterization: Domain Watchlist
Notes: Stage 1 Malicious Domain. GET statement: AutoUpdate.zip. Malicious Domain observed usually occurring in a pairing with Stage 2 Domain & POST.

_____________________________________

Host IPv4: 184.28.64.243
Sighted: 2014-07-09
Killchain Phase: Command and Control
Characterization: C2
Notes: Comcast Cable Comm – Cambridge, MA

Page 6

IOCs in the Investigative Life Cycle

Page 7

IOCs and the need to manage

• Lack of or incomplete and inefficient use and maintenance of IOCs

• Not using IOCs effectively across available security stack layers
  • Anti-Virus
  • DNS
  • Firewalls
  • IDP

• Lists do not provide context
  • Who did the list come from?
  • An MD5 of what?
  • Where are the history and past reports?
  • How can I maintain it?
  • How do I report and share?

Page 8

Some Tools and Sources in the market

• IOC Feeds – getting them from external agencies and commercial subscriptions
  • Free feeds, e.g. CIF – Collective Intelligence Framework (Open Source)

• IOC – Recording, Managing and Sharing Information
  • OpenIOC standard – released by Mandiant
  • IOC Editor and IOC Finder (Free) – released by Mandiant
  • GRR – Google Rapid Response (Open Source)

• Live Forensics and Malware Analysis
  • GRR – Google Rapid Response (Open Source, supports many platforms)
  • Redline – free from Mandiant for individual Windows hosts
  • EnCase – are we using it for other than legal investigations?

Page 9

Implementation Recommendations

Page 10

CIF – Collective Intelligence Framework

CIF – Cyber Threat Intelligence Management System

• Allows combining known malicious threat information from many sources (Reputation Feeds)

• Creates actionable IOCs to feed into:
  • Detection – IDP signatures, DNS Sinkholing
  • Mitigation – Null Route
  • Identification – Incident Response

• IOCs are generated dynamically every hour
  • Can be generated with different confidence levels on a scale of 1 to 10

Page 11

Typical DNS query flow – CIF Use Case

Diagram actors: CLIENT, DNS Server, TARGET

1. Email with a Target URL link (could be phishing)
2. Client asks for IP address of Target URL link
3. DNS Server responds with IP Address
4. Client contacts the Target

Page 12

DNS query flow with Sinkhole in place

Diagram actors: CLIENT, DNS Server, BAD GUY, DNS Sinkhole

1. Phishing Email with a Target URL link
2. Client asks for IP address of Target URL link
3. DNS Server responds with Fake IP Address
4. Client contacts the Target (DNS Sinkhole)

Dynamic IP Reputation Feeds (replace Bad Guy with DNS Sinkhole IP Address)

• Log client queries
• Send to SIEM
• Follow up with IR

Page 13

CIF – DNS Sinkhole in production (Example)

• Client query to DNS on 19-Sep-2014 16:56:24
  Who is: www.000007.ru (Bad Guy as per CIF)

• DNS response to client
  www.000007.ru is 192.168.3.4

• In the above example, 192.168.3.4 is the address of the DNS Sinkhole

• Client connections end up in the sinkhole

Legend
RED – URLs with bad reputation
BLUE – DNS sinkhole
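The sinkhole decision from the flow above, as an added example (not code from the slides or from CIF): the feed entries, the upstream answers and the 7-of-10 confidence threshold are assumed, and a watchlist entry for a parent domain is taken to cover its subdomains.

```python
# Added example (not from the slides): the sinkhole resolution decision for the
# CIF use case above. The feed entries, upstream answers and the confidence
# threshold are constructed assumptions; 192.168.3.4 is the sinkhole address
# from the slide, and CIF's 1-10 confidence scale is used as the slides state.
import logging

SINKHOLE_IP = "192.168.3.4"
CONFIDENCE_THRESHOLD = 7     # assumed policy: only sinkhole high-confidence entries

# Constructed reputation feed shaped like CIF output: domain -> (confidence, source).
# A watchlist entry for a parent domain is meant to cover its subdomains.
REPUTATION_FEED = {
    "www.000007.ru": (9, "cif:domain-watchlist"),
    "spccinta.com": (8, "cif:stage1-malicious-domain"),
    "low-confidence.example": (3, "cif:suspicious"),
}

# Constructed answers standing in for upstream recursive resolution.
UPSTREAM = {
    "www.000007.ru": "203.0.113.10",
    "low-confidence.example": "203.0.113.20",
    "www.example.com": "192.0.2.1",
}

log = logging.getLogger("sinkhole")

def feed_lookup(qname):
    """Match qname or any parent domain against the feed; returns (matched_name, entry)."""
    labels = qname.split(".")
    for i in range(len(labels) - 1):          # never match on the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in REPUTATION_FEED:
            return candidate, REPUTATION_FEED[candidate]
    return None, None

def resolve(client_ip, qname):
    """Return (answer_ip, sinkholed, reason). Sinkholed queries are logged for the SIEM."""
    qname = qname.rstrip(".").lower()
    matched, entry = feed_lookup(qname)
    if entry and entry[0] >= CONFIDENCE_THRESHOLD:
        confidence, source = entry
        # The context the slides ask for: which list, from whom, how confident.
        log.warning("sinkhole client=%s qname=%s matched=%s confidence=%d source=%s",
                    client_ip, qname, matched, confidence, source)
        return SINKHOLE_IP, True, f"{matched} via {source} (confidence {confidence})"
    answer = UPSTREAM.get(qname)
    if answer is None:
        return None, False, "NXDOMAIN"
    return answer, False, "upstream"
```

Queries below the threshold resolve normally, so a low-confidence feed entry is logged nowhere and never breaks a legitimate lookup.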

Page 14

CIF – Query and Submission

Browser Plugins for CIF – Query and Data Submission

• Standard browser plugins are available
  • Query individual IOCs
  • Submit new IOCs

Page 15

Next Steps – DNS Sinkhole reports

• Aggressive Response
  • Find the clients that are trying to contact the bad URLs
  • Proactively analyze DNS query logs and clean up the machines
  • Improve CIF database with internal IOCs
  • Needs resources with hands-on experience

• Passive Response
  • Continue with the current CIF setup in Production
  • End user machines continue to fail to contact bad guys
  • No difference to end user experience
  • Use the data in reactive mode for future investigations
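The "find the clients" step of the aggressive response, as an added example (not from the slides or from CIF): it parses constructed BIND-style query log lines against an assumed CIF-shaped feed and reports which clients queried bad domains, how often, and when.

```python
# Added example (not from the slides): triage of DNS query logs against a CIF-style
# feed. The log lines are constructed in BIND-style querylog format and the feed
# contents are assumed values.
import re
from collections import defaultdict

# Constructed feed, shaped like CIF output: domain -> confidence (1-10 scale)
REPUTATION_FEED = {"www.000007.ru": 9, "sp-storage.spccinta.com": 8}

# Constructed query log ("client IP#port (name): query: name IN type")
QUERY_LOG = """\
19-Sep-2014 16:56:24.101 client 10.1.2.3#52341 (www.000007.ru): query: www.000007.ru IN A +
19-Sep-2014 16:56:30.220 client 10.1.2.9#40011 (www.example.com): query: www.example.com IN A +
19-Sep-2014 16:57:02.005 client 10.1.2.3#52342 (www.000007.ru): query: www.000007.ru IN A +
19-Sep-2014 17:03:44.777 client 10.1.5.7#61000 (sp-storage.spccinta.com): query: sp-storage.spccinta.com IN A +
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+ \(\S+\): "
                     r"query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def parse_line(line):
    """Return (timestamp, client_ip, qname) for a query log line, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("client"), m.group("qname").rstrip(".").lower()

def clients_to_clean(log_text, min_confidence=7):
    """Map each client that queried a bad domain to its domains, hit count and first/last seen."""
    report = defaultdict(lambda: {"domains": set(), "hits": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue                      # skip non-query lines rather than failing the run
        ts, client, qname = parsed
        if REPUTATION_FEED.get(qname, 0) < min_confidence:
            continue                      # unknown or low-confidence domain: not actionable
        entry = report[client]
        entry["domains"].add(qname)
        entry["hits"] += 1
        entry["first"] = entry["first"] or ts
        entry["last"] = ts
    return dict(report)
```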

Page 16

IOC Editor – Maintaining IOCs in OpenIOC format

IOC Editor
• Creates IOCs in OpenIOC format
• Easy to use UI
• Ability to add each entity from provided IOCs
• Add IOC entities as OR or AND conditions
• Creates a simple XML format that can be converted to other IOC formats like STIX

Page 17

IOC Finder

IOC Finder – command line utility used in host level analysis

Two-phased workflow
• Collect data suitable for general IOC matching
• Analyze the collected data, looking for and reporting IOC hits

Can be used to collect data from multiple hosts to a common network location, then run analysis to find IOC hits
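An added example (not from the slides or from Mandiant's tools) tying pages 16 and 17 together: a constructed OpenIOC 1.0 document for the page 5 sample IOCs with nested AND/OR conditions, and an evaluator that matches it against collected host data the way IOC Finder's analyze phase does. The search terms (Network/DNS, PortItem/remoteIP, Network/UserAgent) and the observations dict are assumptions.

```python
# Added example (not from the slides or Mandiant's tools): a minimal OpenIOC 1.0
# document built from the page 5 sample IOCs, plus an evaluator for the AND/OR
# indicator tree. Search terms and the observations dict are assumed values.
import xml.etree.ElementTree as ET

NS = "http://schemas.mandiant.com/2010/ioc"   # OpenIOC 1.0 namespace
T = lambda tag: f"{{{NS}}}{tag}"               # namespaced tag helper

# Constructed OpenIOC document: (stage-1 domain OR C2 address) AND the user-agent.
SAMPLE_IOC = f"""<ioc xmlns="{NS}" id="constructed-0001" last-modified="2014-07-09T00:00:00">
  <definition>
    <Indicator operator="AND" id="a1">
      <Indicator operator="OR" id="o1">
        <IndicatorItem id="i1" condition="is">
          <Context document="Network" search="Network/DNS" type="mir"/>
          <Content type="string">sp-storage.spccinta.com</Content>
        </IndicatorItem>
        <IndicatorItem id="i2" condition="is">
          <Context document="PortItem" search="PortItem/remoteIP" type="mir"/>
          <Content type="IP">184.28.64.243</Content>
        </IndicatorItem>
      </Indicator>
      <IndicatorItem id="i3" condition="contains">
        <Context document="Network" search="Network/UserAgent" type="mir"/>
        <Content type="string">Mozilla/4.0 (compatible; )</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>"""

def _item_matches(item, observations):
    """Evaluate one IndicatorItem against collected data keyed by its search term."""
    search = item.find(T("Context")).get("search")
    content = item.find(T("Content")).text
    values = observations.get(search, [])
    if item.get("condition") == "contains":
        return any(content in v for v in values)
    return content in values            # condition "is": exact match

def evaluate(node, observations):
    # Recursively evaluate an Indicator (AND/OR) or a leaf IndicatorItem.
    if node.tag == T("IndicatorItem"):
        return _item_matches(node, observations)
    results = [evaluate(c, observations) for c in node if c.tag in (T("Indicator"), T("IndicatorItem"))]
    return all(results) if node.get("operator") == "AND" else any(results)

def ioc_hits(ioc_xml, observations):
    # True when the IOC's top-level indicator matches the collected observations.
    root = ET.fromstring(ioc_xml)
    return evaluate(root.find(f"{T('definition')}/{T('Indicator')}"), observations)
```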

Page 18

Redline – Single Host Malware Analysis

Host Investigation
• Redline from Mandiant (Free), can be used for individual hosts
• Memory, File System, Running processes, Registry
• Performs IOC analysis if supplied with a list of IOCs
• Provides the Redline Malware Risk Index to find high value processes
• Only for Windows

Page 19

GRR – Google Rapid Response (Centralized)

• GRR – Google Rapid Response (Open Source, supports many platforms)
• Central console for multiple hosts
• Advanced Malware Analysis features
• Can run scheduled hunts for IOCs across multiple systems
• Can do Registry, File System, Memory, Process Analysis