Why hunting IoC fails at protecting against targeted attacks

@valenberg.deviantart.com

Upload: cyber-security-alliance

Post on 13-Apr-2017



Page 1

Page 2

The issue with targeted attacks


• Highly targeted: 10 or less recipients, specific forum users, …

• Many components: Regin: 75 modules, Duqu: 100+ modules, …

• “Grey” tools and events: PowerShell, psExec, suspicious logins, …

• Evolve/change over time: right tools for the job, learn and adapt, …

I like birthdays, but I think too many can kill you.

Page 3

But attackers do leave traces

• Network

• Server or entry point

• Endpoint

Just because I don't care doesn't mean I don't understand

Page 4

Connecting the dots…

From a single IoC…

Output:

• Indicators (IoC): filenames, registry keys, C&C servers, emails, etc.

• Industry verticals: healthcare, manufacturing, finance, …

• Relationships: Sofacy, Elderwood, HiddenLynx, …

Many tools and IOC feeds, groups, etc. available

Brains are wonderful, I wish everyone had one.

Page 5

…and then the guessing game begins…

If a turtle doesn't have a shell, is he homeless or naked?

Page 6

@attributionDice

My mind’s made up, don’t confuse me with facts

Page 7

Example: HackingTeam hack

“I didn't want to make the police's work any easier by relating my hack of Hacking Team with other hacks I've done or with names I use in my day-to-day work as a blackhat hacker.

So, I used new servers and domain names, registered with new emails, and paid for with new bitcoin addresses. Also, I only used tools that are publicly available, or things that I wrote specifically for this attack, and I changed my way of doing some things to not leave my usual forensic footprint.”

I always learn from mistake of others who take my advice.

Page 8

Parachute for sale, used once, never opened!!

Page 9

Threat intelligence sources

Source    | Free           | Community                                  | Commercial         | Internal
Costs     | Free           | Free/$                                     | $$/$$$             | Free/$
Typology  | Generic        | Generic/Specific                           | Generic/Specific   | Very specific
Based on  | Public systems | Public, mailing lists, private researchers | Products, research | Internal logs

Different formats & tools out there: openIOC, STIX/TAXII, OSTrICa, MISP, YARA, …

I'm on a whiskey diet. I've lost three days already.

Page 10

Threat hunting with IOCs

Most commonly shared indicators:

• IP addresses / domain names

• File hashes / file names

• Still some hits on reused infrastructure. Do they care?

• Each hash is on average in <3 companies

• Bad with scripts and dual-use tools

• Where is the line between APT & common malware?

I’m not arguing, I’m simply explaining why I’m right.

Page 11

Now you see me - now you don’t

• Are you hunting IOCs in real time or on snapshots?

• Many APT groups clean up after the attack
  • Wipe files, admin account is enough for later
  • Delete emails, browser history, ... to hide incursion vector

• Do nation-state APTs really care if they get traced back?
  • At the latest since Snowden, everyone knows that everyone spies
  • Unlikely that they get arrested in their own country
  • Taunt opponent - show force

Stress is when you wake up screaming and you realize you haven't fallen asleep yet.

Page 12

Trust issues?

• Early sharing is often done only in private groups
  • If the group is too small you might not see much, but it can be high quality
  • If the group is too large you might not trust everyone

• Do you trust the Uber-NG-ATP-vendor XY?
  • Do you double check any IP address before blacklisting?
  • What is the motivation for sharing?

IoCs are good if you need context or when fighting common malware

hmm... I didn’t tell you... Then it must be none of your business...

Page 13

Improved IoCs

• Following threat families instead of variants
  • Better, but they might use common tools like PoisonIvy, Meterpreter, …

• Follow TTPs and behavior patterns
  • Better, but different companies might require different TTPs
  • Apply them to your company, as the attackers would do too

Go higher in the pyramid of pain, track exploits, …

… but that’s what your security software should do too

Always remember you're unique, just like everyone else.

Page 14

Integrate the IoC consumption

• Use context for IOCs, patterns of behavior where available

• If possible correlate it with in-house information
  • Check which IoCs you can actually ingest internally

• It is still better to prevent the incursion, instead of hunting it later

• Rate the effectiveness of different types for you (and drop bad ones)

• Why spend resources on external IOC feeds, when not even the internal basics are monitored properly yet?

A day without sunshine is like, night.
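Two of the points on this slide, check which IoCs you can actually ingest and rate feed types so you can drop the bad ones, can be turned into a small scoring routine. The following is an added Python example written for this page, not code from the presentation. The feed names, the indicator counts per feed, the set of internal log sources and the analyst triage verdicts are all constructed for the illustration, and the 50 % thresholds for "ingestible share" and "precision" are arbitrary starting values to be tuned.

```python
from collections import Counter

# Constructed inventory of log sources this organisation can actually search.
# There is no EDR, so file hashes and file names cannot be matched at all.
INTERNAL_SOURCES = {"dns", "proxy", "firewall", "mail"}

# Which log source can be matched against which indicator type.
INGEST_MAP = {
    "domain": {"dns", "proxy"},
    "ipv4": {"firewall", "proxy"},
    "email": {"mail"},
    "sha256": {"edr"},
    "filename": {"edr"},
}

# Constructed feed contents for one quarter: (feed name, indicator type).
FEED_INDICATORS = (
    [("free-A", "ipv4")] * 6
    + [("community-B", "domain")] * 3 + [("community-B", "email")]
    + [("commercial-C", "sha256")] * 4
    + [("commercial-C", "filename"), ("commercial-C", "domain")]
    + [("internal-D", "domain")] * 2 + [("internal-D", "ipv4")]
)

# Constructed analyst triage verdicts, one per alert a feed hit produced.
TRIAGE = (
    [("free-A", "false_positive")] * 4 + [("free-A", "true_positive")]
    + [("community-B", "true_positive")] * 2
    + [("internal-D", "true_positive")] * 3
)


def ingestible_share(feed_indicators=FEED_INDICATORS, sources=INTERNAL_SOURCES):
    """Per feed: fraction of its indicators that some internal log source can match."""
    total, usable = Counter(), Counter()
    for feed, itype in feed_indicators:
        total[feed] += 1
        if INGEST_MAP.get(itype, set()) & sources:
            usable[feed] += 1
    return {feed: usable[feed] / total[feed] for feed in total}


def rate_feeds(feed_indicators=FEED_INDICATORS, triage=TRIAGE,
               sources=INTERNAL_SOURCES, min_precision=0.5, min_ingestible=0.5):
    """Score each feed and recommend an action.

    The order of the checks matters: a feed we cannot ingest has no precision
    to judge (its zero alerts are our gap, not its fault), a feed with no
    alerts has no evidence yet, and only then is precision held against the
    threshold."""
    shares = ingestible_share(feed_indicators, sources)
    alerts, true_positives = Counter(), Counter()
    for feed, verdict in triage:
        alerts[feed] += 1
        if verdict == "true_positive":
            true_positives[feed] += 1
    report = {}
    for feed, share in shares.items():
        precision = true_positives[feed] / alerts[feed] if alerts[feed] else None
        if share < min_ingestible:
            action = "fix ingestion first"
        elif alerts[feed] == 0:
            action = "no evidence yet"
        elif precision < min_precision:
            action = "drop"
        else:
            action = "keep"
        report[feed] = {
            "indicators": sum(1 for f, _ in feed_indicators if f == feed),
            "ingestible": round(share, 2),
            "alerts": alerts[feed],
            "true_positives": true_positives[feed],
            "precision": precision,
            "action": action,
        }
    return report


if __name__ == "__main__":
    for feed, row in rate_feeds().items():
        print(f"{feed:13s} {row}")
```

With the constructed data the free feed is dropped on precision, the commercial feed is not judged at all because most of its hash indicators cannot be checked without endpoint telemetry, and the community and internal feeds are kept. Adding `edr` to the source set moves the commercial feed to "no evidence yet", which is the honest verdict until alerts have actually been triaged.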

Page 15

Of course I don't look busy...I did it right the first time.

Page 16

Oversharing? How much is too much?

• The bad guys can learn how much you know
  • Learn how they can improve their attacks
  • Example: ZeroAccess P2P botnet started to sign their commands

• Most APT crews are not dumb, they could adapt if they want to

• Some indicators might contain sensitive information
  • Internal IP addresses
  • Stolen passwords hardcoded in 2nd-wave malware
  • Spear phishing emails, e.g. myYellowCompany.exe

Happiness does not buy you money.
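The three sensitive cases listed on this slide (internal addresses, stolen passwords hardcoded in second-wave malware, lures that carry the target's own name) are all mechanically detectable before an indicator set leaves the building. The following is an added Python example written for this page, not code from the presentation: it reviews a constructed indicator list and splits it into shareable and withheld entries, with a redacted replacement where a credential is embedded in a URL. The indicator values, the organisation name tokens and the credential pattern are assumptions; 203.0.113.45 is a documentation address standing in for an external attacker server.

```python
import ipaddress
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed indicator set as it might look straight out of an incident (no real IoCs).
CANDIDATE_IOCS = [
    {"type": "ipv4", "value": "203.0.113.45"},             # attacker server (documentation range as stand-in)
    {"type": "ipv4", "value": "10.12.4.7"},                # internal file server the attackers moved to
    {"type": "domain", "value": "cdn-update.example"},
    {"type": "filename", "value": "myYellowCompany.exe"},  # lure named after the target, as on the slide
    {"type": "filename", "value": "svchost32.exe"},
    {"type": "url", "value": "http://backup:Winter2017!@203.0.113.45/upload"},  # stolen credential in 2nd-wave config
    {"type": "string", "value": "password=Winter2017!"},
]

# Name tokens of the organisation doing the sharing (constructed).
ORG_TOKENS = {"yellowcompany", "yellow-company"}

# Networks that are internal by definition: RFC 1918, loopback, link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# "password=" / "pwd:" style assignments and user:secret@host URL userinfo.
CREDENTIAL_RE = re.compile(r"(passw(or)?d\s*[=:]|://[^/\s:@]+:[^/\s@]+@)", re.I)


def sensitivity_reasons(ioc, org_tokens=ORG_TOKENS):
    """Return the reasons an indicator should not leave the organisation as-is."""
    value = ioc["value"]
    reasons = []
    if ioc["type"] == "ipv4":
        addr = ipaddress.ip_address(value)
        if any(addr in net for net in INTERNAL_NETS):
            reasons.append("internal address")
    if any(tok in value.lower() for tok in org_tokens):
        reasons.append("names the target organisation")
    if CREDENTIAL_RE.search(value):
        reasons.append("embedded credential")
    return reasons


def strip_userinfo(url):
    """Drop user:password@ from a URL so the host/path part can still be shared."""
    parts = urlsplit(url)
    host = parts.netloc.rsplit("@", 1)[-1]
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def review_for_sharing(iocs=CANDIDATE_IOCS, org_tokens=ORG_TOKENS):
    """Split indicators into shareable and withheld; withheld entries carry the
    reasons and, for credential-bearing URLs, a redacted replacement."""
    shareable, withheld = [], []
    for ioc in iocs:
        reasons = sensitivity_reasons(ioc, org_tokens)
        if not reasons:
            shareable.append((ioc["type"], ioc["value"]))
            continue
        replacement = None
        if ioc["type"] == "url" and reasons == ["embedded credential"]:
            replacement = strip_userinfo(ioc["value"])
        withheld.append((ioc["type"], ioc["value"], reasons, replacement))
    return shareable, withheld


if __name__ == "__main__":
    safe, held = review_for_sharing()
    print("share:", safe)
    for item in held:
        print("withhold:", item)
```

The internal-network test uses an explicit RFC 1918 list rather than the library's `is_private` flag, because that flag also covers the documentation ranges and would have withheld the external address. The review is a gate, not a substitute for judgement: an indicator that passes all three checks can still reveal how much you know, which is the other half of the slide's point.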

Page 17

I need a six month vacation, twice a year.

Page 18

Debug Strings – Fake or Real?

Turla/Waterbug

Stuxnet

Strider

«CloudAtlas» is clearly messing with us:

• Arabic strings in the BlackBerry version

• Hindi characters in the Android version

• “God_Save_The_Queen” in the BlackBerry version

• “JohnClerk” in the iOS version

Thx BlueCoat/Kaspersky

If brute force doesn’t solve your problems, then you aren’t using enough.

Page 19

Commands from Taidoor

[Ping]
[Set sleep interval to 1 second]
cmd /c net start
cmd /c dir c:\docume~1\
cmd /c dir "c:\docume~1\<CurrentUser>\recent" /od
cmd /c dir c:\progra~1\
cmd /c dir "c:\docume~1\<CurrentUser>\desktop" /od
cmd /c netstat -n
cmd /c net use

Commands from Sykipot

ipconfig /all
netstat -ano
net start
net group "domain admins" /domain
tasklist /v
dir c:\*.url /s
dir c:\*.pdf /s
dir c:\*.doc /s
net localgroup administrators
type c:\boot.ini
systeminfo

Commands from HoneyPot sessions

An error? Impossible! My modem is error correcting.
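The Taidoor and Sykipot command lists above are ordinary operating-system tools, which is exactly why the hash and file-name indicators discussed on page 10 miss them and why page 13 argues for following TTPs and behaviour patterns instead. The following is an added Python example written for this page, not code from the presentation: it runs a classic hash/file-name IoC match and a behavioural "reconnaissance burst" detection side by side over a constructed set of process-creation events. The event records, the sample hash and file name, the host and user names, the 60-second window and the four-category threshold are all assumptions chosen for the illustration; the command patterns are derived from the two lists on this slide.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (not real telemetry):
# (timestamp, host, user, sha256 of the image or "" for an OS built-in, command line).
EVENTS = [
    ("2017-04-13T09:00:01", "ws-17", "jdoe",
     "cafebabe" * 8, "C:\\Users\\jdoe\\AppData\\Local\\Temp\\report.exe"),
    ("2017-04-13T09:00:05", "ws-17", "jdoe", "", "cmd /c net start"),
    ("2017-04-13T09:00:06", "ws-17", "jdoe", "", "cmd /c dir c:\\docume~1\\jdoe\\recent /od"),
    ("2017-04-13T09:00:08", "ws-17", "jdoe", "", "cmd /c netstat -n"),
    ("2017-04-13T09:00:09", "ws-17", "jdoe", "", "cmd /c net use"),
    ("2017-04-13T09:00:12", "ws-17", "jdoe", "", "ipconfig /all"),
    ("2017-04-13T09:00:15", "ws-17", "jdoe", "", "tasklist /v"),
    # An administrator running single recon-style commands hours apart:
    # the same "grey" tools, legitimately used, must stay below the threshold.
    ("2017-04-13T09:30:00", "srv-02", "admin", "", "netstat -ano"),
    ("2017-04-13T11:45:00", "srv-02", "admin", "", "ipconfig /all"),
]

# Constructed atomic indicators as a feed would ship them. The dropper above
# was recompiled and renamed for this target, so neither value matches.
ATOMIC_IOCS = {
    "sha256": {"deadbeef" * 8},
    "filename": {"invoice.exe"},
}

# Reconnaissance categories, derived from the Taidoor/Sykipot command lists.
RECON_PATTERNS = {
    "net": re.compile(r"\bnet\s+(start|use|group|localgroup)\b", re.I),
    "netstat": re.compile(r"\bnetstat\b", re.I),
    "ipconfig": re.compile(r"\bipconfig\b", re.I),
    "tasklist": re.compile(r"\btasklist\b", re.I),
    "systeminfo": re.compile(r"\bsysteminfo\b", re.I),
    "dir_walk": re.compile(r"\bdir\b.*\s/(s|od)\b", re.I),
    "boot_ini": re.compile(r"\btype\b.*boot\.ini", re.I),
}


def match_atomic_iocs(events, iocs=ATOMIC_IOCS):
    """Classic IoC hunt: exact hash or file-name hits. Returns the matching events."""
    hits = []
    for _ts, host, user, sha256, cmdline in events:
        name = cmdline.rsplit("\\", 1)[-1].lower()
        if sha256 in iocs["sha256"] or name in iocs["filename"]:
            hits.append((host, user, cmdline))
    return hits


def classify(cmdline):
    """Return the recon category a command line falls into, or None."""
    for label, pattern in RECON_PATTERNS.items():
        if pattern.search(cmdline):
            return label
    return None


def detect_recon_bursts(events, window=timedelta(seconds=60), min_categories=4):
    """Behavioural detection: one user on one host running at least
    `min_categories` distinct recon categories inside `window`.
    Demanding several distinct categories in a short window is what keeps a
    lone netstat from an administrator out of the alert list."""
    per_actor = {}
    for ts, host, user, _sha256, cmdline in events:
        label = classify(cmdline)
        if label:
            per_actor.setdefault((host, user), []).append(
                (datetime.fromisoformat(ts), label))
    alerts = []
    for (host, user), seen in per_actor.items():
        seen.sort()
        for i, (start, _label) in enumerate(seen):
            categories = {lbl for t, lbl in seen[i:] if t - start <= window}
            if len(categories) >= min_categories:
                alerts.append((host, user, sorted(categories)))
                break  # one alert per actor is enough
    return alerts


if __name__ == "__main__":
    print("atomic IoC hits:", match_atomic_iocs(EVENTS))  # []
    print("recon bursts:", detect_recon_bursts(EVENTS))
```

The atomic match returns nothing because the hash and name were specific to another victim, while the behavioural rule flags the workstation that ran five distinct reconnaissance categories inside ten seconds and ignores the administrator who ran two of the same commands hours apart. The window and category threshold are the knobs that decide how many legitimate administrators you are willing to triage; set them from your own baseline rather than from this example.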

Page 20

Following the red herring

• Sometimes you have multiple infections on the same machine
  • Which IOC came from which actor?
  • “Everyone” uses common tools: Mimikatz, psExec, …

• Attackers can easily plant some files from other APT groups
  • Example: Equation Group / Shadow Brokers
  • Do you trust the compilation times, timestamps, language settings?

• Most companies do not really care who it was
  • They just want to prevent it from happening again
  • Or do you plan to hack back or sue them?

Sometimes you succeed and other times you learn.

Page 21

Conclusion

• Do your internal homework first

• Be smart in what you share

• We need to be effective in checking IoCs

• Try them and rate effectiveness

• Mistakes do happen, but they still get in

©tarantula

My therapist says I have a preoccupation with vengeance. We'll see about that