splunk live! utrecht 2016 - cert eu

Recent trends in Threats How to Respond? Freddy Dezeure November 2016

Upload: splunk

Post on 16-Apr-2017


TRANSCRIPT

Recent trends in Threats How to Respond?

Freddy Dezeure November 2016

About CERT-EU

•  EU Institutions’ own CERT
•  Defence against sophisticated, targeted cyber threats
•  Operational support to 60 organisations, 100.000 users
•  Constituents are high value targets
•  Decentralised, heterogeneous environment


Peers - Partners

Infection Vectors

Under The Radar

•  Mails appearing as originating from a trusted origin
   -  Typo squatting
   -  Spoofed
   -  Compromised

•  Bypassing protective layers:
   -  Unpatched vulnerabilities (Flash, Java, MSFT)
   -  Non-active or low-active content (JavaScript, Macros)
   -  Encrypted, password protected, attachments

•  File-less lateral movements (PowerShell, WMI…)
•  Removing forensic evidence after stealing legit credentials
•  Encrypted or legit C&C communication

Architecture

[Architecture diagram: each constituent (X, Y, Z) keeps its own Splunk Indexer, fed by its DNS, Email and Proxy logs and by a FireEye or SourceFire appliance. CERT-EU operates a central Splunk Search Head that queries those indexers, alongside Cyber Threat Intelligence (intelligence sources: partners, OSINT, monitoring), AbuseHelper and the Incident Handling Team.]

Architecture advantages

•  Two-tier architecture, infrastructure-agnostic

•  Constituents decide what to share with us

–  (but we would like as much visibility as possible)

•  Logs stay where they are generated

–  Little impact on bandwidth

–  Mitigates concerns on data protection

–  Constituents stay in control

Log Sources

Web traffic:
»  DNS
»  Proxy

Emails:
»  Exchange
»  Mimesweeper

Hosts:
»  Sysmon
»  AppLocker
»  McAfee

Appliances:
»  Sourcefire
»  Ironport
»  FireEye

Future development:
►  Firewalls
►  Active Directory
►  Servers
►  Reverse Proxy


[Constituent-side diagram: DNS, Email, Proxy, Mimesweeper, SourceFire, AV (McAfee) and Sysmon (PowerShell, AppLocker, events, cmd) feed the constituent's Splunk Indexer, on which the CERT-EU Splunk App runs.]

Normalisation: CIM


●  Common language and conventions to control all data

●  CIM makes apps and searches much more portable

●  The abstraction level helps to stay focused

●  Time-saving

●  Less human error

●  More visibility

Intelligence Correlation

Daily / Weekly searches

[Timeline diagram: beginning of last week, yesterday, today, end of week. The daily search correlates the Daily Logs with the Week's IoCs and produces the Daily Report; the weekly search correlates the Logs (until last week) with All IoCs and produces the Weekly Report.]

* Simplified for the presentation


Processing Alerts


[Workflow diagram: alerts come from Splunk and SourceFire.

Alert types:
· Network: DNS, Proxy
· Malware: Hash, Url, Email

Triage:
· Collect CTI info
· Search on Splunk
· Search on IDS
· Query Analyst Portal
· Search on VT etc.
· Analyze in Sandbox

Incident? → Update CTI → Report]

Workflow


Direct link to CTI


Drill-Down


Correlation Across


Correlation through searches on all available data.

Detection

[Diagram: a new finding at one constituent (for example an email) triggers a search on hash, filename, timestamp, C&C, DNS, proxy, etc. from the Splunk Search Head across the Splunk Indexers of constituents X, Y, Z, ..., A; each hit marks another constituent affected by the same campaign.]
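The daily / weekly IoC searches of the Intelligence Correlation slide and the cross-constituent sweep on a new finding shown here, as an added example that is not CERT-EU's code. It runs over constructed, CIM-normalised events tagged with their constituent; all hosts, hashes, IPs and the reading of "Logs (until last week)" as "logs back to the start of last week" are assumptions.

```python
# Added example (not CERT-EU's code): the daily/weekly IoC searches and the cross-constituent
# pivot from the slides, over constructed CIM-style events. Hosts, hashes and IPs are made up.
from datetime import date, timedelta
from urllib.parse import urlsplit
TODAY = date(2016, 11, 16)  # a Wednesday; weeks run Monday to Sunday
# Constructed IoC feed: (indicator, type, date the CTI team received it).
IOCS = [
    ("evil-updates.example", "domain", date(2016, 11, 7)),
    ("badcdn.example", "domain", date(2016, 11, 14)),
    ("deadbeef" * 4, "hash", date(2016, 11, 15)),
]
# Constructed events after CIM normalisation (dns: query, web: url, malware: file_hash),
# each tagged with the constituent whose Splunk indexer holds it.
EVENTS = [
    {"_time": date(2016, 11, 16), "constituent": "X", "src": "10.1.1.5", "query": "cdn.badcdn.example"},
    {"_time": date(2016, 11, 16), "constituent": "X", "src": "10.1.1.9", "url": "http://intranet.example/"},
    {"_time": date(2016, 11, 9), "constituent": "Y", "src": "10.2.2.7", "url": "https://evil-updates.example/u"},
    {"_time": date(2016, 11, 15), "constituent": "Z", "src": "10.3.3.3", "file_hash": "DEADBEEF" * 4},
]
def domain_hit(host, indicator):
    # Exact match or subdomain only: "notbadcdn.example" must not match "badcdn.example".
    return host == indicator or host.endswith("." + indicator)

def matches(event, indicator, ioc_type):
    """Compare an IoC with the CIM field(s) its type maps to; unknown types never match."""
    if ioc_type == "domain":
        host = event.get("query") or urlsplit(event.get("url", "")).hostname or ""
        return domain_hit(host.lower(), indicator)
    if ioc_type == "hash":
        return event.get("file_hash", "").lower() == indicator

def correlate(events, iocs):
    """(time, constituent, src, indicator) for every event/IoC pair that matches."""
    return [(e["_time"].isoformat(), e["constituent"], e["src"], ind)
            for e in events for ind, kind, _ in iocs if matches(e, ind, kind)]

def daily_search(events, iocs, today=TODAY):
    """Daily report: today's logs against the IoCs received this week."""
    week_start = today - timedelta(days=today.weekday())
    return correlate([e for e in events if e["_time"] == today],
                     [i for i in iocs if i[2] >= week_start])

def weekly_search(events, iocs, today=TODAY):
    """Weekly report: logs back to the start of last week against all IoCs (assumed reading)."""
    last_week_start = today - timedelta(days=today.weekday() + 7)
    return correlate([e for e in events if e["_time"] >= last_week_start], iocs)

def pivot(events, indicator, ioc_type):  # new finding at one constituent: sweep all indexers
    return correlate(events, [(indicator, ioc_type, None)])
```

The weekly pass is what catches constituent Y's older proxy hit, which the daily pass never sees because that IoC arrived before this week.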

Kill Chain - Tools

Recon: IDS, DNS

Weaponisation: DNS

Delivery: IDS, AV, Proxy

Exploitation: IDS, AV, Sysmon

Installation: IDS, AV, Sysmon

Command & Control: IDS, Sandbox, DNS/Proxy

Orchestration

Incident report to the constituent:
•  Incident history
•  Incident type
•  Technical details (timestamp, user, hash etc)
•  Recommended actions

Incident file handed over to the analysts:
•  Incident Report
•  Correlated information from other sources
•  Malware sample / pcap etc.
•  Intelligence report related to the detection


Take Aways

•  Infrastructure-agnostic
•  Logs stay where they are generated
•  Constituents decide what to share with us
•  CERT-EU App helps dramatically in detection and triage
•  Correlation across all constituents
•  Constituents benefit from:
   –  incident response in timely manner
   –  cost effective / remote support
   –  the best threat intel + the most powerful tools
   –  a very committed team


Thank You

Cert.europa.eu | iPhone / Android App