From 0 to Hero: Actionable Threat Intelligence
Raffaele Di Taranto – Vito Lucatorto
Our Journey in CTI: Problems & Solutions in Critical Infrastructure
Vito Lucatorto
• Cyber Security Engineer @ FS Holding
• Experience in Banking companies
• Passionate about Threat Intelligence, APT and the Aviation World
• Hunter of new cyber defense and cyber attack techniques
• Watchwords: Automate all, be curious, cooperate
vitolucatorto@gmail.com – https://www.linkedin.com/in/vlucatorto/
1/41
Raffaele Di Taranto
• Cyber Security Engineer @ FS Holding
• MSc Computer Eng @ Turin Politecnico
• Experience in Defence companies
• In love with Cyber Security
• OffSec 4 fun and study: OSCP, ECPPT
• Watchwords: explore cyber at 360°, go deeper in securing architectures, monitor and automate where possible
raf.ditaranto@gmail.com – https://www.linkedin.com/in/rditaranto/
Threat Intelligence: what is it?
• Knowledge of the «threat»
• Context
• Informed decisions
• Tactics
• Attack prevention
• Resources
Threat Intelligence Idea
(meme: how our friends see us / how society sees us / how we see ourselves)
Just to be clear … this is our myth
Threat Intelligence as a Process (cycle)
Hypothesis → Collect → Processing → Analysis → Dissemination → Feedback
Operational Threat Intelligence
• Ongoing cyberattacks, events and campaigns
• Incident response teams' insights on attacks
• Speed up processes and make informed decisions
Operational Threat Intelligence Output: Indicators of Compromise (IoC)
Operational Threat Intelligence Output
• Indicators of Compromise represent technical «clues» of the presence of a malicious actor
• The more reliable the clues, the less time wasted in security monitoring
• Contextualize the data
IoC types: Financial Data, IP address, URL, Domain, Certificate, Email src, Filename, Email subject, MD5, SHA1, SHA256
Operational Threat Intelligence in SOC
Teams involved: RTSM Team, TI Team, IR Team, SDM Team, MA Team
Bla bla bla … Where is the experience?
Our Big Farm
• >83.000 Employees
• >15 Companies
• >106.182 Monitored IoCs
Data updated as of 08/07/2020
Tons of IoC…
Manual sources: Malware Analysis Team, Threat Hunting Team, Closint Feed
→ THREAT INTELLIGENCE PLATFORM → PREVENTION TECHNOLOGIES
Grow UP!
• Defend the companies
• Give value to each single IoC
• Avoid false positives
• Improve Incident Response
• Automate and define all processes
Mind the Gap
• IoC produced by various Teams not standardized
• Taxonomies not unified
• No IoC decay
• IoC prevention neither harmonised nor automatic
• False positive management only in the post-detection phase
• Basic TIP with SIEM integration
• IoC enrichment not present
• Manual IoC distribution process
(radar chart: GAP score, axes 0 to 5)
Choose a Threat Intelligence Platform: MISP
(radar chart: GAP score, axes 0 to 5)
Choose a Threat Intelligence Platform: MISP
PROs
+ Various data import modes
+ Tag management
+ Organizations management
+ API availability
+ IoC decay feature
+ Sightings
+ Whitelisting
CONS
- Support but NO SLA
- Time-consuming customizations
- Experimental 3rd-party integrations
Improve the FORCE
(radar chart: GAP vs FORCE score with MISP, axes 0 to 5)
Improve the FORCE
• Automatic massive import, differentiated by organization and operating group
• Historical search in the SIEM
• Whitelist-based detection to avoid false positives
• Automatic tag system based on fixed variables or natural language
• IoC Enrichment
Improve the FORCE - Big Brain at Work
(diagram: IoC upload flow into MISP. 1 Threat Hunting Team upload, 2 SOC Team upload, 3 Malware Team upload; 4 Check Whitelist, run by the IR and MA Teams)
Improve the FORCE - Example of Whitelisting
(diagram: step 4, Check Whitelist via REST API, by the IR and MA Teams)
google.ae → whitelisted → TO_IDS = FALSE
not whitelisted → TO_IDS = TRUE
Improve the FORCE - Big Brain at Work
(diagram: 1 Threat Hunting Team upload, 2 SOC Team upload, 3 Malware Team upload; 4 Check Whitelist; 5 IoC Enrichment; 6 Automatic Tag, run by the IR and MA Teams and the Malware Analyst)
Improve the FORCE - Example of Automatic Tag
(diagram: step 6, Automatic Tag; examples of tags assigned automatically: URSNIF, APT28)
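The two upload-side checks just shown (whitelist deciding to_ids, then automatic tagging), as an added example that is not the talk's own code; the whitelist entries, team mapping, tag names and keyword table are constructed assumptions, while google.ae, URSNIF and APT28 come from the slides:

```python
import re

# Added example (not the talk's own code): the upload-side steps of the
# "Big Brain" pipeline, i.e. the whitelist check that decides to_ids (step 4)
# and the automatic tag step (step 6). The whitelist, team mapping, tag names
# and keyword table are constructed assumptions; google.ae, URSNIF and APT28
# come from the slides.

WHITELIST = {"google.ae", "google.com"}                 # constructed allowlist

TEAM_TAGS = {"MA": "source:ma-team", "TH": "source:threat-hunting",
             "SOC": "source:soc"}                       # tags from fixed variables

KEYWORD_TAGS = {"ursnif": "malware:ursnif",             # tags from free text
                "apt28": "threat-actor:apt28"}

def host_of(value):
    """Host part of a URL/domain IoC, without scheme, path or port."""
    return re.sub(r"^[a-z]+://", "", value.strip()).split("/")[0].split(":")[0].lower()

def whitelist_check(attribute, whitelist=WHITELIST):
    """A whitelisted domain is kept for context but flagged to_ids=False,
    so it never reaches the prevention feeds (google.ae on the slide)."""
    host = host_of(attribute["value"])
    listed = any(host == w or host.endswith("." + w) for w in whitelist)
    attribute["to_ids"] = not listed
    return attribute

def auto_tag(attribute, team, comment=""):
    """Tags derived from the uploading team plus keywords (malware family,
    actor name) found in the analyst's comment or in the value itself."""
    tags = set(attribute.get("tags", []))
    if team in TEAM_TAGS:
        tags.add(TEAM_TAGS[team])
    text = (comment + " " + attribute["value"]).lower()
    for keyword, tag in KEYWORD_TAGS.items():
        if re.search(r"\b" + re.escape(keyword) + r"\b", text):
            tags.add(tag)
    attribute["tags"] = sorted(tags)
    return attribute

def upload(value, attr_type, team, comment=""):
    """Steps 1-3 (a team uploads) followed by the two automatic checks."""
    attribute = {"type": attr_type, "value": value}
    return auto_tag(whitelist_check(attribute), team, comment)
```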
Improve the FORCE - Big Brain at Work
(diagram: 1 Threat Hunting Team upload, 2 SOC Team upload, 3 Malware Team upload; 4 Check Whitelist; 5 IoC Enrichment; 6 Automatic Tag; 7 SOC Team; 8 Malware Playground; 9 share knowledge)
Improve the FORCE - Example of Share knowledge (COMING SOON)
(diagram: step 9, the SDM Team pushes malware samples via REST API to the Sandbox (System Vendor 1), the AV (System Vendor 2), the Proxy, the AntiSpam and the web browsing systems of the Company Group)
Explore the Farm
(radar chart: GAP, FORCE, MISP, DOMINO EFFECT, axes 0 to 5)
Explore the Farm - Prevention (SDM Team)
Step 1: pull the prevention-grade IoCs (TO_IDS = TRUE) from MISP via the REST API:
curl -k -X POST -H "Content-Type: application/json" -H "Authorization: apitoken" \
  -d '{"returnFormat": "json", "type": {"OR": ["url"]}, "published": true, "to_ids": true,
       "enforceWarninglist": 1, "includeEventTags": 1, "tags": {"NOT": ["Only Detection"]},
       "includeDecayScore": 1, "excludeDecayed": 1, "modelOverrides": {"threshold": 1},
       "decayingModel": [21]}' \
  https://misp/attributes/restSearch > /tmp/json/mispUrlBase
Step 2: data processing and normalization into the list format of each security system, e.g.
  http://realmalicious.com/bad.php  →  *//realmalicious.com/bad.php  (Sec System Vendor1 List)
  ...                               →  ...                           (Sec System Vendor2 List)
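The same restSearch query and the normalization step, as an added example (not the talk's own code): model id 21, the "Only Detection" tag and the "*//host/path" form come from the slide; the vendor names, the second list format and the sample response are constructed.

```python
import json
from urllib.parse import urlsplit

# Added example (not the talk's own code): the same restSearch query the
# slide sends with curl, plus the normalization of the returned URL
# attributes into the list format each security vendor expects. Model id 21,
# the "Only Detection" tag and the "*//host/path" form come from the slide;
# the vendor names, the second format and the sample response are constructed.

def restsearch_body(decaying_model_id=21, threshold=1):
    """Body for POST /attributes/restSearch: published URLs with to_ids set,
    not on a warninglist, not tagged 'Only Detection' and not decayed."""
    return {
        "returnFormat": "json",
        "type": {"OR": ["url"]},
        "published": True,
        "to_ids": True,
        "enforceWarninglist": 1,
        "includeEventTags": 1,
        "tags": {"NOT": ["Only Detection"]},
        "includeDecayScore": 1,
        "excludeDecayed": 1,
        "modelOverrides": {"threshold": threshold},
        "decayingModel": [decaying_model_id],
    }

# Constructed, trimmed sample of what /attributes/restSearch returns.
SAMPLE_RESPONSE = json.dumps({"response": {"Attribute": [
    {"type": "url", "value": "http://realmalicious.com/bad.php", "to_ids": True,
     "decay_score": [{"score": 42.0, "decayed": False}]},
    {"type": "url", "value": "https://realmalicious.com:8443/p?x=1", "to_ids": True,
     "decay_score": [{"score": 0.0, "decayed": True}]},
]}})

def normalize(response_json):
    """Return {vendor: [entries]}. Vendor1 takes scheme-agnostic patterns
    (*//host/path), Vendor2 takes host[:port]/path. Attributes that are not
    to_ids or that carry a decayed score are dropped again client-side, in
    case the server-side filters were loosened by mistake."""
    out = {"vendor1": [], "vendor2": []}
    for attr in json.loads(response_json)["response"]["Attribute"]:
        if attr["type"] != "url" or not attr.get("to_ids"):
            continue
        if any(d.get("decayed") for d in attr.get("decay_score", [])):
            continue
        u = urlsplit(attr["value"].strip())
        path = (u.path or "/") + ("?" + u.query if u.query else "")
        out["vendor1"].append(f"*//{u.netloc}{path}")
        out["vendor2"].append(f"{u.netloc}{path}")
    return out
```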
Explore the Farm - Prevention (SDM Team)
(diagram: IoCs with TO_IDS = TRUE pulled via REST API, then, after data processing and normalization, distributed to 1 Firewall, WAF & Proxy, 2 web-exposed IoC lists, 3 other companies' SEC/ICT teams)
Explore the Farm - Detection (RTSM Team, IR Team)
• Metadata normalization
• Automated scheduled data preparation for SIEM ingestion
• IoC data enrichment
ACTION
Explore the Farm - Detection (RTSM Team, IR Team)
(diagram: 1 IoCs with TO_IDS = TRUE, 2 data processing and normalization, 3 TI automated import into the SIEM)
Explore the Farm – Focus on SIEM (RTSM Team, IR Team)
IoC list entry (enriched):
  IoC type: url
  IoC campaign: lokibot
  IoC source: MA team
  IoC threat type: malware
  IoC date: 26/09/2020
  IoC value: http://realmalicious.com/bad.php
IoC list match (fields extracted from the logs):
  url: http://realmalicious.com/bad.php
  domain: realmalicious.com
  ip src: 10.10.10.5
Matching events:
  Sep 27 12:22:22 proxy1 CEF:0|webnavig| url=http://realmalicious.com/bad.php src_ip=10.10.10.5 src_port=6734
  Sep 27 12:22:22 fw1 CEF:0|fwinternet| domain=realmalicious.com uri=bad.php srv=80 sip=10.10.10.5 sport=6734
Explore the Farm - Detection (RTSM Team, IR Team)
• Metadata normalization
• Automated scheduled data preparation for SIEM ingestion
• IoC data enrichment
ACTION: real-time correlation rules for IoC detection, reporting each sighting via API to MISP
RETROACTION: register IoC sightings (DOMINO EFFECT)
Explore the Farm - Detection (RTSM Team, IR Team)
(diagram: 1 IoCs with TO_IDS = TRUE, 2 data processing and normalization, 3 TI automated import into the SIEM, 4 ALERT: IoC detected, sent to the SOC Team, 5 IoC sighting reported back to MISP)
Explore the Farm - Detection (RTSM Team, IR Team)
(diagram: 4 ALERT: IoC detected, sent to the SOC Team; 5 IoC sighting reported to MISP)
Step 5, the sighting reported back to MISP via the REST API:
curl -k -X POST -H "Authorization: apitoken" -H "Accept: application/json" -H "Content-type: application/json" \
  -d '{"source": "SIEM", "values": ["http://realmalicious.com/bad.php"]}' \
  https://misp/sightings/add
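The "Focus on SIEM" correlation together with the sighting it sends back (steps 4 and 5), as an added example that is not the talk's own code: the IoC entry and the two CEF lines are taken from the slides, while the alert field names and the domain+uri matching key are assumptions.

```python
import json
import re

# Added example (not the talk's own code): a minimal version of the SIEM
# correlation from the "Focus on SIEM" slide, followed by the sighting sent
# back to MISP (retroaction). The IoC entry and the two CEF lines are taken
# from the slides; the field names of the alert are assumptions.

IOC_LIST = {  # value -> enrichment metadata, as on the slide
    "http://realmalicious.com/bad.php": {"type": "url", "campaign": "lokibot",
        "source": "MA team", "threat_type": "malware", "date": "26/09/2020"},
}

CEF_LINES = [
    "Sep 27 12:22:22 proxy1 CEF:0|webnavig| url=http://realmalicious.com/bad.php src_ip=10.10.10.5 src_port=6734",
    "Sep 27 12:22:22 fw1 CEF:0|fwinternet| domain=realmalicious.com uri=bad.php srv=80 sip=10.10.10.5 sport=6734",
]

def lookup_keys(value, ioc_type):
    """Keys an IoC is indexed under. A URL IoC is also findable as host/path so a
    firewall log carrying only domain+uri matches; a bare-domain key is not derived."""
    if ioc_type != "url":
        return {ioc_type: value}
    m = re.match(r"^[a-z]+://([^/]+)(/.*)?$", value)
    return {"url": value, "domain+uri": m.group(1) + (m.group(2) or "/")}

def parse_fields(line):
    """key=value pairs from the extension part of a CEF-like line."""
    return dict(re.findall(r"(\w+)=(\S+)", line.split("|")[-1]))

def correlate(lines, ioc_list=IOC_LIST):
    """One enriched alert per log line that hits an IoC."""
    index = {(k, v): ioc for ioc, meta in ioc_list.items()
             for k, v in lookup_keys(ioc, meta["type"]).items()}
    alerts = []
    for line in lines:
        f = parse_fields(line)
        keys = [("url", f.get("url")), ("domain", f.get("domain"))]
        if "domain" in f and "uri" in f:
            keys.insert(1, ("domain+uri", f["domain"] + "/" + f["uri"].lstrip("/")))
        hit = next((k for k in keys if k in index), None)
        if hit:
            ioc = index[hit]
            alerts.append({"ioc": ioc, "matched_on": hit[0],
                           "src_ip": f.get("src_ip") or f.get("sip"), **ioc_list[ioc]})
    return alerts

def sighting_payload(alerts, source="SIEM"):
    """Body for POST /sightings/add, one value per distinct IoC hit."""
    return json.dumps({"source": source, "values": sorted({a["ioc"] for a in alerts})})
```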
Winnie the Pooh is a threat actor
Destroy the diamond…
(radar chart: GAP, FORCE, DIAMOND, MISP, DOMINO EFFECT, axes 0 to 5)
Destroy the diamond… IoCs are NOT forevah!
SINCE 01/01/2015: http://realmalicious.com/bad.php
• When is a URL no longer malicious?
• Is it a waste of resources to keep preventing it nowadays?
• And what if you have 100 billion of them sculpted into your sec techs?
In Practice
1. IoC http://realmalicious.com/bad.php created at t0 (timestamp ts0)
2. Sighting reported to MISP at t1 (timestamp ts1): the IoC now carries ts1 as its last sighting
3. IoC time is over: the IoC decays, counted from ts1
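A decay score for the timeline above, as an added example (not the talk's own code): it uses the polynomial formula of MISP's decaying models (restated here, so treat it as an assumption), and the parameter values are assumptions too, not those of model id 21 from the prevention query.

```python
from datetime import datetime, timedelta

# Added example (not the talk's own code): a decay score computed with the
# polynomial formula MISP's decaying models use, to show why the sighting at
# t1 on the slide keeps the IoC alive and why it still expires afterwards.
# The parameter values are assumptions (they are not those of model id 21).

class DecayingModel:
    def __init__(self, lifetime_days=30, decay_speed=0.3, threshold=30.0,
                 base_score=80.0):
        self.lifetime = timedelta(days=lifetime_days)
        self.decay_speed = decay_speed      # <1: flat at first, then a steep drop
        self.threshold = threshold          # below this the IoC counts as decayed
        self.base_score = base_score

    def score(self, created, last_sighting, now):
        """score = base * (1 - (elapsed / lifetime) ** (1 / decay_speed)), where
        elapsed is counted from the latest of creation time and last sighting."""
        start = max(created, last_sighting) if last_sighting else created
        elapsed = now - start
        if elapsed >= self.lifetime:
            return 0.0
        ratio = elapsed.total_seconds() / self.lifetime.total_seconds()
        return round(self.base_score * (1 - ratio ** (1 / self.decay_speed)), 2)

    def decayed(self, created, last_sighting, now):
        return self.score(created, last_sighting, now) < self.threshold

def timeline(model=DecayingModel()):
    """The slide's three moments for http://realmalicious.com/bad.php:
    creation at t0, a SIEM sighting at t1, and the point where its time is over."""
    t0 = datetime(2020, 9, 26)               # IoC date from the SIEM slide
    t1 = t0 + timedelta(days=10)             # sighting reported by the SIEM
    sightings = [t1]
    last = max(sightings)
    return {
        "fresh_at_t0": model.decayed(t0, None, t0),
        "at_t1_before_sighting": model.decayed(t0, None, t1),
        "day35_with_sighting": model.decayed(t0, last, t0 + timedelta(days=35)),
        "day35_without_sighting": model.decayed(t0, None, t0 + timedelta(days=35)),
        "day80_time_is_over": model.decayed(t0, last, t0 + timedelta(days=80)),
    }
```

Without the sighting the IoC would already be excluded by excludeDecayed on day 35; with it, the score is recomputed from ts1 and only the day 80 check reports it as over.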
…Propagate the news (SDM Team, RTSM Team)
(diagram: decayed IoCs are processed into a data feed, e.g. http://realmalicious.com/bad.php, and propagated via REST API to 1 Firewall, WAF & Proxy, 2 automated email, 3 other companies' SEC/ICT teams)
From Train to Rocket
(radar chart: GAP, FORCE, DIAMOND, MARS, MISP, DOMINO EFFECT, axes 0 to 5)
From Train to Rocket (MARS)
• Integrated Dashboard & report system
• TLP-based IoC visibility for different roles
• Incident full prioritization
• Threat data feeds supply input for threat intelligence, but by themselves are not threat intelligence
• COLLABORATION!
THANK YOU …QUESTIONS?