Sharing What Matters. Accelerating Incident Response and Threat Hunting by Sharing Behavioral Data

Transcription

1 Sharing What Matters Accelerating Incident Response and Threat Hunting by Sharing Behavioral Data Dan Gunter, Principal Threat Analyst Marc Seitz, Threat Analyst Dragos, Inc. August 2018

2 Today s Talk at a Glance You won t with a magic, turnkey solution You will leave with some good, tested ideas Outcome can hopefully improve maturity of any existing programs We will talk about what we ve seen that works well

3 Why Share: Ideal Scenario Accelerate remediations Strengthen mitigations through risk reduction Reduce adversary dwell time Respond with fewer resources Strengthen relationships with community Higher quality threat intelligence Internal cooperation Site Site IT OT Industry Partners

4 Reaction Process First Reaction Oh wow! Information sharing sounds great! Attempt to Implement Plenty of government programs and vendors to do this right! Program Implemented I haven t seen any results and I m spending too many resources on this Final Reaction Lets stop this nonsense

5 What Happened?

6 No Tangible Results Accelerate Remediations Strengthen Mitigations through risk reduction Reduce adversary dwell time Respond with fewer resources Strengthen relationships with community

7 Objective: Show how information sharing can actually be useful

8 Addressing False Perceptions 1. Introduces additional risk to reputation 2. Isn t immediately useful 3. Isn t worth the time/resources 4. Network defense/architecture exposure When information sharing is done with the less effective data, then these perceptions are justified

9 What is the less effective data? IOC feeds based on just atomic indicators are of limited use Attackers can test their attacks with these feeds Attacker might have insight into your IOC strategy Specific addressing information Internal addressing space will most likely put any network admins and management in an uncomfortable situation Each company is networked differently, thus specific addresses will not be useful

10 What is the less effective data? Attempted attribution From the asset owner perspective, the origin should not matter Asset owners cannot decide who targets them Guessing Intent Leads to bias during investigation Usually not rooted in evidence Company information Each company is unique, specific information is not useful

11 Wrong Data Examples File Hash Attacking IP infrastructure Internal Compromised IP 9e107d9d372bb682 6bd81d3542a419d

12 Great. You ve made a point, now what s your solution?

13 BEHAVIORAL DATA

14 What is behavioral data? A chain of events rooted in observables with high confidence in activity VPN connection established to network RDP session to Historian machine Malicious download executes code Data exfiltration to external source

15 Behavioral Data: What its not No specific IP information No company specific information Not typically IOCs, but they can help No attribution No intent guessing

16 Behavioral Data: What to share? Description of compromised assets Asset function Historian Asset Management Vulnerability scanner Etc OS, Software, Firmware versions

17 Behavioral Data: What to share? Description of traffic Protocols (and versions) used Time stamps of attack sequence Frequency of attack infrastructure communication External to Internal Internal to External Etc..

18 Behavioral Data: What it is VPN connection established to network RDP session to Historian machine Malicious download executes code Data exfiltration to external source Tactics, Techniques, and Procedures of attacker activity Rooted in observable evidence in network and host Abstracted from too specific information to what can be shared

19 Why is sharing behavioral data useful for IR/Threat hunting? Attackers generally won t build malware specific to one victim Not a good use of limited attacker resources You probably aren t that special Asset owners might see attacks before publishing cycle Some threat intel sources can get you ahead of the attack curve Effectiveness of threat intelligence depends on sources, methods and analysis techniques Generic IR/Hunting is good but not as focused as behavioral driven IR/Hunting

20 How do I actually share behavioral data effectively?

21 Boils down to: 1.Know what and how to share with others 2.Know how to consume data from others

22 Sharing With Others: Threat Intel ADVERSARY: Development and likely initial access team for SANDWORM group. Does not appear to be directly involved in pre-2016 Ukraine events However, group appears solely responsible for 2016 event. INFRASTRUCTURE: Leveraging dual-use infrastructure, such as public servers used for TOR to host C2. VICTIM: At this time, only observed victim is Ukrainian utility companies. CAPABILITY: Group appears well organized and financed. CRASHOVERRIDE required existing, long-term access to enumerate network, gain access to ICS, and identify appropriate communication protocols. Group deployed a fully-featured ICS effects module focused on European electric transmission substations as part of attack, implying a separate test and development environment for ICS software.

23 Sharing With Others: Threat Intel ADVERSARY: Development and likely initial access team for SANDWORM group. Does not appear to be directly involved in pre-2016 Ukraine events However, group appears solely responsible for 2016 event. INFRASTRUCTURE: Leveraging dual-use infrastructure, such as public servers used for TOR to host C2. VICTIM: At this time, only observed victim is Ukrainian utility companies. Notice: No specific system information Information is TTP focused We will show how to consume this CAPABILITY: Group appears well organized and financed. CRASHOVERRIDE required existing, long-term access to enumerate network, gain access to ICS, and identify appropriate communication protocols. Group deployed a fully-featured ICS effects module focused on European electric transmission substations as part of attack, implying a separate test and development environment for ICS software.

24 Sharing With Others: *Kill Chain Mapping Stage 1: Cyber Kill Chain Stage 2: ICS Cyber Kill Chain Deliver

25 Sharing With Others: Case Study DNS queries are noticed successfully reaching beyond internal network boundaries Kicks off investigation Reporting begins as teams uncover full scope of intrusion

26 How to share: IR Case Study Details DNS and HTTP queries beyond network were successfully reaching Suspected watering hole attack from (p1csuperstore.com) as multiple files were downloading on host machine Persistence connection over DNS to ICMP Scanning to internal subnets *.* and *.* Large data exfiltration to over HTTP Quarantine of infected machine

27 How to Share: Suspected Timeline Query to water hole site Flood of DNS traffic to external IP ICMP Scanning Data exfiltration over HTTP to external IP Detected abnormal DNS queries Response from external IP Start: January 18, 2015, 4:43 AM EST HTTP queries to external IP Finish: March 24, 2015, 9:36 AM EST

28 What matters?

29 How to Share: Tactics, Techniques, Procedures Details DNS and HTTP queries beyond network were successfully reaching Suspected watering hole attack from , (p1csuperstore.com) as multiple files were downloaded on host machine ICMP Scanning to internal subnets *.* and *.* Connections were made to , , etc.. None connected to *.* Large data exfiltration to over HTTP Quarantine of infected machine

30 How to Share: Behavior over Time Query to water hole site Flood of DNS traffic to external IP ICMP Scanning Data exfiltration over HTTP to external IP 4 Days 10 Days 15 Days Detected abnormal DNS queries Response from external IP Start: January 18, 2015, 4:43 AM EST 36 Days 2 Hours HTTP queries to external IP Finish: March 24, 2015, 9:36 AM EST

31 How to Share: Kill Chain Mapping Waterhole attack at domain p1csuperstore.com Deliver 40 Days, one internal asset (transient laptop, Windows 7) reached out once to evil domain ICMP scanning to internal addresses Scanning was slow and steady scanning at a rate of 5 addresses/30 minutes Command and control over DNS inbound from external IP 10 Days, traffic between internal asset and malicious external IP started to pick up in traffic Data exfiltration over HTTP to external IP address

32 How to share: Methods Whatever works best for your community Find what works: Encrypted Phone Tabletop Exercise Fax Define a format for sharing: We like diamond model summaries Kill chain mapping Simple or word document summary Get the right data in the right hands!

33 How to consume shared information

34 Informed Threat Hunting

35 How to consume shared information Take actionable information and actually do actions with it = Threat Hunting Not a real definition but you get the point

36 Threat Hunt Cycle Purpose Why are we threat hunting? What are we hoping to achieve? What does success look like when the hunt is finished?

37 Threat Hunt Cycle Scope Phase 1: Location Where does the hunt need to take place? Subnet, System, Network, Facility Phase 2: Hypothesis Generation Creating hypotheses that can be confirmed or denied Do the hypotheses cover the entire set of objectives from Purpose stage? Asset owners should share TTP focused hunt hypotheses

38 Threat Hunt Cycle Equip Phase 1: Collection Management Framework What data do I currently have available? What data according to the information sharing mapping do I need to collect to enable success? Do I have the right storage duration to be successful? Phase 2: Resource Allocation Team members assigned to hunt Senior and Junior members mixed Tools Required Open source Custom development External Resources

39 Threat Hunt Cycle Plan Review All stakeholders need to know what the plan is moving forward Does the final plan make sense? Is the final plan addressing all objectives from Purpose stage?

40 Threat Hunt Cycle Execute Do the hunt Search for observables in available data sources Produce a report based on findings from hunt

41 Threat Hunt Cycle Feedback Discuss what worked and what can be improved at each stage Internal: What are collection gaps? What are policy and procedure gaps? How would we have done if we were patient 0? External: Provide additional findings back to source Understand what information was useful and what was not Develop the relationship further

42 Wrapping Up

43 How does behavioral data address false perceptions? 1. Introduces additional risk to reputation If anything, it creates a stronger community bond in the ability to hunt and respond to adversaries across the industry 2. Isn t immediately useful If the information shared is timely, then hunting can be immediately useful to confirm or deny adversary presence 3. Isn t worth the time/resources How bad do you want to know the network is clean and not compromised? 4. Network defense/architecture exposure Abstracting sensitive information that is not useful to investigation removes the fear of exposure network defense and network architecture

44 ACCELERATE INCIDENT RESPONSE

45 Informed Threat Hunting

46 Just the beginning Current information sharing methods exist and plenty of work has already been done for sharing How do we evolve the current state to be more valuable? Driving new requirements Asset owners, analysts, anyone who is boots on the ground Behavioral sharing is a process and this talk is a conversation starter

47 Thank you for the opportunity to present Dan Marc