Leveraging Threat Intelligence on your SOC operations

Transcription

1 NCS TechConnect 2018 Human-Centred Digital Innovation Leveraging Threat Intelligence on your SOC operations Ryan Flores Senior Manager, Forward Looking Threat Research Trend Micro Inc

2 What is Threat Intelligence? 22/5/18 Confiden'al Copyright 2013 TrendMicro Inc. Knowledge Management 2 in the Intelligence Enterprise By Edward Waltz

3 What is Indicator Analysis? v The purpose of Indicator Analysis is provide actionable intelligence to support a Cyber Threat Intelligence program v Includes a variety of activities, including: v Validating third party provided indicators v Malware behaviour analysis v Network traffic forensics v Trend analysis v Open source research v Cross referencing indicators across multiple sources to validate

4 Its pretty simple actually

5 Basic Indicators (network)

6 Basic Indicators (endpoint) Fuzzy hash MD5/SHA1/SHA256 Cer'ficates File Path Registry Entry Related Files Parent Process Code

7 What else can be used? Timestamps frequency, volume Error Codes NXRecords anyone? Response Codes ICMP echo 3 3 (should never exist) TCP Flags TCP Flag 27 (why not? use mousepad) URI Query parameters will cover this later There ALWAYS are neat combinations of fields and data that can be combined in order to generate new intel.

8 What have I learned studying data v It really doesn t matter what log type you look at, eventually they all look the same.. Erg.. wait.? v roughly the same fields v roughly the same data types v roughly the same characteristics

9 Transportation Layer - Netflow

10 Transportation Layer - pcap

11 Session Layer SMPT Logs

12 Session Layer Server Side HTTP Logs

13 Session Layer Web Reputation Log

14 Creating IOCs v Signals Intelligence v Network traffic and other logs can be considered just another signal type v Know your baseline, changes to it likely are something to look further at v What if we don t have time to constantly watch? v Fingerprints for the win!

15 Creating IOCs Showme Fingerprint Real World Ques'on e.g Show me any domains that we ve never interacted with before than now appear more than 100 'me over mul'ple users in a 24hr period? Takes the Showme Ques'on, applies it to a specific log grep proxy.log awk F {print $3} sort uniq c egrep v ^[1-9]{1 2} grep v f yesterday.log Indicator If the fingerprint > 0 results, resul'ng outputs are indicators Need to assess if damage occurred Incident If indicator analysis results in vic'ms and damage, its an incident

16 How to generate IOCs In order to generate your own IOCs, first you need to understand the data elements in your data set A lot of these are based on frequency analysis, deviation analysis, and timeline analysis <- these basically are your main go to friends when generating IOCs

17 Frequency Analysis is your friend! v There are a bunch of stats one can make.. e.g.: v Frequency of a single IOC v Counts of a single IOC by distinct_count of another IOC v Frequency of a single IOC day over day / month over month

18 Deviation Analysis One you have frequency analysis mastered, you start to get the general feel for what the data is like, what is normal and not normal The real part of IOC generation is to then start learning what changes from the normal. There are many different ways to do this: Domain resolution changes in IPs New traffic Any field element changes in volume hour over hour, day over day, week over week

19

20 What s In It For Me? Data collection is key Log files are everywhere Web server Mail server Firewall Security Products You can build your own Threat Intelligence Threat Intelligence can be used to guide SOC response

21

22 Threat Intelligence and SOC Prioritization Establishing Timeline Scale of Incident Rate of Spread Classification of Affected Assets Appropriate Response

23 QUESTIONS? What did I miss? What did you want covered but wasn t?