Respond proactively to threats like a defense contractor. It’s more realistic than you might think!
A practical guide to building intelligence-driven cyber defenses using open source software, based on real implementations of best practices adapted from the Lockheed Martin Cyber Kill Chain model.
Open Secrets of the Defense Industry: Building Your Own Intelligence Program From the Ground Up
1. Open Secrets of the Defense Industry
Building Your Own Intelligence Program
From the Ground Up
Sean Whalen
2. Disclaimer
The views and opinions expressed here are
my own, and may not represent those of my
past, current, and post-apocalyptic
employers.
3. Who is this guy?
• I’m an Information Security Engineer
• Intelligence analyst
• Human log parser
• I specialize in network defense
• I love open source software
• Most of my security experience comes from the Defense Industrial Base (DIB)
• I recently moved to the healthcare industry
• I’m building a DIB-style intel program
• Stalk me @SeanTheGeek
4. Overview
Respond proactively to threats like a defense contractor. It’s more realistic than you might think!
A practical guide to building intelligence-driven cyber defenses using free software, based on real implementations of best practices adapted from the Lockheed Martin Cyber Kill Chain model.
16. People power
• A diverse, interactive team is essential for any security program
• Specialties, not silos
• Tool development, forensics, IR, intel, malware analysis
• Look for SAs (sysadmins), devs, and infrastructure employees who are interested in a new challenge
• Scale up by training recent grads who are motivated
• You need people who understand security, not just security tools
• Allow fluid movement from one specialty to another
18. General ranking of intel priority by source
1. Internal
2. Trusted, “mature” industry partners
3. Developing industry partners
4. Subscription services
5. Semi-public government publications
6. OSINT/PR reports
Intel collection without evaluating the source leads to noisy alerts
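To make the ranking above operational, here is an added example (not from the talk) that scores indicators by the trust tier of the source that reported them, adds a bonus for corroboration by a second independent source, and decays the score with age, so that only well-sourced, current indicators reach a blocking control while the rest feed alerting and hunting. The tier weights, half-life, bonus, threshold and the sample feed are assumptions chosen for illustration:

```python
"""Score indicators by the trust of the source that reported them.

Added example, not from the talk. Tier numbers follow the slide's ranking
(1 = internal ... 6 = OSINT/PR); the weights, half-life, corroboration bonus,
threshold and sample feed are assumptions to be tuned against your own hit rate.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta

TIER_WEIGHT = {1: 1.00, 2: 0.80, 3: 0.60, 4: 0.50, 5: 0.35, 6: 0.20}  # assumed
HALF_LIFE_DAYS = 30          # score halves every 30 days without a fresh sighting
CORROBORATION_BONUS = 0.15   # each additional distinct source adds this
BLOCK_THRESHOLD = 0.60       # below this the indicator feeds alerting/hunting, not blocking


@dataclass
class Sighting:
    indicator: str
    ioc_type: str
    source: str
    tier: int
    seen: date


@dataclass
class Scored:
    indicator: str
    ioc_type: str
    score: float
    sources: list = field(default_factory=list)


def score_sightings(sightings, today):
    """Collapse every sighting of an indicator into one scored entry.

    The most trusted source sets the base, each further distinct source adds a
    bonus (capped at 1.0), and the result decays from the newest sighting.
    """
    by_ioc = defaultdict(list)
    for s in sightings:
        by_ioc[(s.ioc_type, s.indicator.lower())].append(s)
    results = []
    for (ioc_type, ioc), group in by_ioc.items():
        best_tier = min(s.tier for s in group)
        sources = sorted({s.source for s in group})
        age_days = max((today - max(s.seen for s in group)).days, 0)
        base = min(1.0, TIER_WEIGHT[best_tier] + CORROBORATION_BONUS * (len(sources) - 1))
        decay = 0.5 ** (age_days / HALF_LIFE_DAYS)
        results.append(Scored(ioc, ioc_type, round(base * decay, 3), sources))
    return sorted(results, key=lambda r: r.score, reverse=True)


def blocklist(scored, threshold=BLOCK_THRESHOLD):
    """Indicators confident enough to push to a proxy/DNS/firewall block."""
    return [r.indicator for r in scored if r.score >= threshold]


TODAY = date(2015, 10, 1)    # fixed so the numbers are reproducible
SAMPLE_FEED = [              # constructed sightings, not real indicators
    Sighting("c2.example-bad.net", "domain", "our-sandbox", 1, TODAY - timedelta(days=2)),
    Sighting("C2.EXAMPLE-BAD.NET", "domain", "partner-A", 2, TODAY - timedelta(days=5)),
    Sighting("198.51.100.23", "ip", "paid-feed", 4, TODAY - timedelta(days=1)),
    Sighting("198.51.100.23", "ip", "partner-A", 2, TODAY - timedelta(days=1)),
    Sighting("old-dropper.example.org", "domain", "press-report", 6, TODAY - timedelta(days=90)),
    Sighting("mailer.example.info", "domain", "gov-flash", 5, TODAY - timedelta(days=10)),
]

if __name__ == "__main__":
    for r in score_sightings(SAMPLE_FEED, TODAY):
        print("%-28s %-6s %.3f  %s" % (r.indicator, r.ioc_type, r.score, ",".join(r.sources)))
    print("block:", blocklist(score_sightings(SAMPLE_FEED, TODAY)))
```

With the sample feed, the C2 domain seen by your own sandbox and a mature partner scores highest, the IP reported by a partner and a paid feed clears the threshold on corroboration, and the 90-day-old press-report domain and the single semi-public flash stay out of the blocklist but remain available for hunting.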
19. Your own network is your best intel source
No one knows you better than you
20. Goals
• Read the Lockheed Martin Kill Chain paper
• Train employees to report phishing and other sketchy things
• Collect data on phishing, malware, and other attacks sent your way
• Analyze strategically
• Automate the Boring Stuff with Python
• Share with friends
• Present findings to stakeholders
• Adapt your defenses and processes
22. Why open source?
• Cost – Spend less on products and more on resources
• Flexibility – You can modify it and customize it however you like
• Innovation – Rapidly implement new ideas; build what doesn’t exist
• Privacy – Your data is your data
• Community – Share knowledge and inspiration with peers
23. Build a malware sandbox
• The Spender fork of the Cuckoo Sandbox project is a powerful way to quickly derive actionable intelligence from malware samples
• Generally higher-quality signatures and malware identification
• Anti-VM and anti-sandbox countermeasures
• Transparent Tor proxy support
• Nice-looking PDF reports
• Similar sample heuristics
• Full setup guide at https://infosecspeakeasy.org/t/howto-build-a-cuckoo-sandbox/27
• Start analyzing malware in hours!
24. Collect all the things!
• Centralize your logs
• Splunk Enterprise Security (ES)
• Open source ELK stack
• CRITs – Collaborative Research Into Threats
• Can store almost any kind of threat data
• UI can get overwhelming if you try to store all the things in it
• Most useful for storing phishing email data (IMO)
25. Document all the things!
• Use a team wiki to document all processes, tools, security events, intelligence research, campaign briefings, and other unstructured data
• Create canned replies and action plans
• Learn from mistakes, and make success repeatable
• Shorten the learning curve for new team members
• I recommend XWiki
• Highly extendable
• LDAP and granular permissions out of the box
• Much less hacking required when compared to others
26. Track your work
• Use an InfoSec ticketing system to track all work
• Store key metrics: Time-to-Detect, Time-to-Remediate
• Avoid duplicated effort
• Show trends, and team workload
• RTIR – Request Tracker for Incident Response
• Open source, extremely flexible, customizable
• Can create tickets through email, such as intel emails from partners
• Integration with other services requires knowledge of Perl (my eyes!)
• Simple Python API wrapper
• Commercial support and professional services are available
30. Sharing can be hard, at first
What do you collect?
What do you share?
Can you share it?
How do you share it?
Who do you share it with?
Who can you trust?
What can you do with shared information?
Declassified SASC Inquiry Into Cyber Intrusions of TRANSCOM Contractors
31. How to share phishing data
• Include full email headers (except internal ones)
• Redact the target addresses for privacy
• Include generalized targeting information (number, roles)
• Include the raw body and attachments (within encrypted zips)
• Redact any ID numbers in URLs for privacy, but note the composition
• If it is in HTML, include screenshots
32. How to share watering hole data
• The date and time the attack was observed, with UTC offset
• The URL of the watering hole (i.e. the compromised site)
• The URLs of any malicious resources or website redirections
• A list of tactics used (e.g. iframes, plugins, etc.)
• Any malicious files (e.g. swfs) as attachments
• Defanged sample code
33. Sharing malware
• Use encrypted zips with a password of “infected”
• Avoids contamination and making AV/IDS go crazy
• Include any sandbox report you may have
• Make note of any interesting or confusing points
• Include the best indicators for detecting it, if you know them
• C2
• Stages
• Files/registry keys created/modified, or deleted
• Mutexes
• General behavior
35. Soltra Edge
• Basically the only free (as in beer), production-quality TAXII server/application
• Freeware – Open standards, not open source software
• Support subscriptions
• Created by the NH-ISAC, in use at most ISACs
• Lots of SIEMs/IR tools can take TAXII feeds; to name a few:
• Carbon Black
• Splunk Enterprise Security
• Cyphort
• QRadar
• The STIX/TAXII standards can take a while to implement on your own
36. Malware Information Sharing Platform (MISP)
• Open source software (GPLv3)
• Indicator database
• Straightforward workflows
• Flexible, automated sharing
• Generates Snort/Suricata rules
• Imports from OpenIOC, Cuckoo, ThreatConnect CSV
• Exports to OpenIOC, plain text, CSV, MISP XML or JSON
• Simple API – Not in wide use like TAXII, but much easier to use
37. ThreatConnect
• Everything you could ever want in a SaaS Threat Intelligence Platform
• Turnkey
• Extremely Expensive
• Intel in the cloud may raise privacy and legal concerns
38. Free Threat Intelligence Platforms
• AlienVault Open Threat Exchange (OTX)
• Open threat information sharing
• Simple API
• Bro, TAXII, and Suricata integration
• Python, Java, and Go SDKs
• Facebook ThreatExchange
• Share threat indicators on Facebook’s Graph API infrastructure
• Share with the whole community, or with selected partners
• Libraries for Python, Ruby, PHP, and NodeJS
39. Automate all the things! Within reason…
• Think of ways to integrate your intel tools and security controls
• Automate repeatable tasks
• Don’t try to automate people
• If a security product does not have a documented, robust API, you do not want it!
41. Discourse
• The best intel sharing groups that I have been a part of are private discussion forums. No fancy tech, just humans helping humans
• Great for: learning and sharing tactics, team discussions
• Discourse is a modern, open source forum/mailing list
• Created by the founders of Stack Overflow
• Responsive/mobile-friendly
• Updates in real-time
• Easy to read
42. Defanging attack data
• Defang malicious URLs and mail addresses when posting to places that auto-link, such as IMs and some forums
• That way, a researcher doesn’t accidentally click on a malicious link
• Common conventions
• Replace http with hxxp
• Replace . with [.]
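As an added example (not code from the talk), the following script applies the sharing rules from the "How to share phishing data" slide and the defanging conventions above to a raw .eml: it drops headers the defending org's own filters added, scrubs the org's own addresses and hostnames, counts the targets, replaces identifier values in URLs with a note on their composition, lists attachments for separate encrypted delivery, and defangs the result. The domain corp.example, the internal header prefixes, the placeholder strings and the sample message are all constructed assumptions:

```python
"""Sanitize a phishing sample for sharing with partners, then defang it.

Added example, not code from the talk. The defending domain, the header
prefixes treated as internal, the placeholders and the sample .eml are assumptions.
"""
import re
from email import message_from_string

OUR_DOMAIN = "corp.example"                             # assumption: the defending org
INTERNAL_HEADER_PREFIXES = ("x-internal-", "x-corp-")   # assumption: our own filter/MTA headers
TARGET_PLACEHOLDER = "TARGET-REDACTED"
HOST_PLACEHOLDER = "OUR-MX"

URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
OUR_ADDR_RE = re.compile(r"[\w.+-]+@" + re.escape(OUR_DOMAIN), re.I)
OUR_HOST_RE = re.compile(r"[\w.-]*\b" + re.escape(OUR_DOMAIN), re.I)
PARAM_RE = re.compile(r"([?&][\w-]+=)([^&#\s]+)")


def describe_token(value):
    """Keep the composition of an ID (length, alphabet) but not its value."""
    if value.isdigit():
        return "<%d digits>" % len(value)
    if re.fullmatch(r"[0-9a-f]+", value, re.I):
        return "<%d hex chars>" % len(value)
    if re.fullmatch(r"[A-Za-z0-9+/=_-]+", value):
        return "<%d base64-ish chars>" % len(value)
    return "<%d chars>" % len(value)


def redact_ids_in_url(url):
    return PARAM_RE.sub(lambda m: m.group(1) + describe_token(m.group(2)), url)


def defang(text):
    """hxxp:// and [.] so chat clients and forums do not turn IOCs into links."""
    text = re.sub(r"(?i)\bhttp(s?)://", r"hxxp\1://", text)
    text = re.sub(r"(?i)hxxps?://[^/\s]+", lambda m: m.group(0).replace(".", "[.]"), text)
    return EMAIL_RE.sub(lambda m: m.group(0).replace(".", "[.]"), text)


def scrub_ours(text):
    """Replace our own addresses and hostnames; attacker data stays intact."""
    return OUR_HOST_RE.sub(HOST_PLACEHOLDER, OUR_ADDR_RE.sub(TARGET_PLACEHOLDER, text))


def sanitize_for_sharing(raw_eml):
    msg = message_from_string(raw_eml)
    targets, headers, body_parts, attachments = set(), [], [], []
    for name, value in msg.items():
        lname = name.lower()
        if lname.startswith(INTERNAL_HEADER_PREFIXES):
            continue                                    # internal headers are not shared
        if lname in ("to", "cc", "bcc", "delivered-to"):
            targets.update(a.lower() for a in EMAIL_RE.findall(value))
        value = " ".join(value.split())                 # unfold continuation lines
        headers.append((name, redact_ids_in_url(scrub_ours(value))))
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True) or b""
        if part.get_filename():                         # never inline attachments
            attachments.append("%s (%s, %d bytes) - ship inside an encrypted zip"
                               % (part.get_filename(), part.get_content_type(), len(payload)))
        elif part.get_content_maintype() == "text":
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
            body_parts.append(URL_RE.sub(lambda m: redact_ids_in_url(m.group(0)), scrub_ours(text)))
    report = ["Targets: %d address(es) at %s (redacted)" % (len(targets), OUR_DOMAIN)]
    if attachments:
        report.append("Attachments: " + "; ".join(attachments))
    report += [""] + ["%s: %s" % (n, v) for n, v in headers]
    report += [""] + [b.strip() for b in body_parts]
    return defang("\n".join(report))


SAMPLE_EML = """\
Received: from mail.partner-isp.example (mail.partner-isp.example [203.0.113.9])
  by mx1.corp.example (Postfix) with ESMTP id 4ABCD
  for <alice@corp.example>; Mon, 5 Oct 2015 09:14:22 -0400
Received: from [198.51.100.77] (unknown [198.51.100.77])
  by mail.partner-isp.example (Postfix) with ESMTPA id 1234
X-Internal-Spam-Score: 3.1
X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/)
From: "HR Portal" <hr-portal@bad-example.net>
To: alice@corp.example, bob@corp.example
Cc: carol@corp.example
Subject: Updated benefits enrollment
Message-ID: <20151005131422.abc@bad-example.net>
Content-Type: text/plain; charset="utf-8"

Please review your enrollment at
http://hr-portal.bad-example.net/login.php?id=8841&token=ZmFrZQ==
before Friday, or reply to hr-portal@bad-example.net.
"""  # constructed sample; all hosts and addresses are documentation/example names

if __name__ == "__main__":
    print(sanitize_for_sharing(SAMPLE_EML))
```

The external Received hop (sending IP and relay) survives intact because that is the evidence partners need to correlate; only the hop details that identify your own infrastructure are replaced. The URL keeps its structure (`login.php?id=<4 digits>&token=<8 base64-ish chars>`), so a partner can recognise the same kit without learning which of your users the token was minted for.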
43. What makes a good intel sharing community?
• Confidentiality – The Traffic Light Protocol (TLP) is a good system, if followed. NDAs are better
• No anonymity – We need to know who is being attacked
• Made of all parts of an industry: Suppliers, contractors, competitors
• Supportive discussion
• Clear threat indicators (not a wall of text)
• Rapid dissemination
• Frequent activity
• Historic – Learn from the past
44. The InfoSec Speakeasy
• An invite-only community for InfoSec professionals
• I designed it to be a model for starting and managing other groups
• A place to build and share strategy and intel across industries
• Public tutorials
• Powered by the Discourse open source discussion platform
• Send me a request for an invite from your work email, then send your own invites to your colleagues
https://infosecspeakeasy.org
45. Red Sky Alliance
• A private, vetted commercial intel sharing community
• Follows the Kill Chain model – Includes signatures
• All data comes from other members – across a diverse range of industries
Red Sky Alliance FAQ
47. Deploy intel-guided countermeasures
• Block/redirect known bad x-mailers, IPs, user agents, etc.
• Write custom IDS/IPS rules
• Compare attack techniques to current security controls
• Infer attacker intentions based on targeting and actions
• Block domains based on DNS recon using services like whoisxmlapi
• Keep users and leadership aware of attack trends against your network
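As an added example (not from the talk or any project's code), the generator below turns a short list of vetted indicators of the kinds named above (C2 domain, IP, HTTP User-Agent, X-Mailer) into custom Suricata rules, with escaping for the characters that are special inside `content:"..."`, de-duplication, and a sanity check on each rule before it is written out. It assumes Suricata 5+ sticky-buffer keywords (`dns.query`, `http.user_agent`) and a private SID range starting at 9000000; the indicator list is constructed:

```python
"""Generate Suricata rules from vetted indicators.

Added example, not from the talk. Assumes Suricata 5+ sticky buffers
(dns.query, http.user_agent) and a private SID range from 9000000
(assumption; keep it clear of the Emerging Threats ranges you load).
"""
import ipaddress
import re

SID_BASE = 9000000
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)
RULE_RE = re.compile(r'^(alert|drop) \S+ \S+ \S+ -> \S+ \S+ \(msg:".+"; .*sid:\d+; rev:\d+;\)$')

# Constructed indicator list (assumption), the shape a MISP/CRITs export might take.
SAMPLE_IOCS = [
    {"type": "domain", "value": "c2.example-bad.net", "ref": "sandbox job 1042"},
    {"type": "domain", "value": "C2.EXAMPLE-BAD.NET", "ref": "partner A"},   # duplicate, dropped
    {"type": "ip", "value": "198.51.100.23", "ref": "partner A"},
    {"type": "user-agent", "value": "Mozilla/4.0 (compatible; MSIE 6.0; Win32)", "ref": "stage-2 beacon"},
    {"type": "x-mailer", "value": "PHPMailer 5.2.9", "ref": "HR phishing wave"},
]


def _escape(value):
    """Backslash, double quote, semicolon and pipe are special inside content:"..."."""
    return (value.replace("\\", "\\\\").replace('"', '\\"')
                 .replace(";", "\\;").replace("|", "\\|"))


def validate_ioc(ioc):
    kind, value = ioc["type"], ioc["value"]
    if kind == "ip":
        ipaddress.ip_address(value)                    # raises ValueError on junk
    elif kind == "domain":
        if not DOMAIN_RE.match(value):
            raise ValueError("bad domain: %r" % value)
    elif kind not in ("user-agent", "x-mailer") or not value.strip():
        raise ValueError("unsupported or empty indicator: %r" % ioc)


def rule_for(ioc, sid):
    kind, value, ref = ioc["type"], ioc["value"], ioc["ref"]
    msg = _escape("CUSTOM %s %s (%s)" % (kind.upper(), value, ref))
    tail = "sid:%d; rev:1;)" % sid
    if kind == "domain":
        # isdataat:!1,relative: nothing may follow the match, so the rule does not
        # also fire on a longer name that merely contains this one
        return ('alert dns $HOME_NET any -> any any (msg:"%s"; dns.query; content:"%s"; '
                'nocase; isdataat:!1,relative; ' % (msg, _escape(value.lower()))) + tail
    if kind == "ip":
        return 'alert ip $HOME_NET any -> %s any (msg:"%s"; ' % (value, msg) + tail
    if kind == "user-agent":
        return ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"%s"; flow:established,to_server; '
                'http.user_agent; content:"%s"; nocase; ' % (msg, _escape(value))) + tail
    # x-mailer, inbound SMTP: the remote MTA is the client and our MX is the server
    return ('alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"%s"; flow:established,to_server; '
            'content:"X-Mailer|3a 20|%s"; nocase; ' % (msg, _escape(value))) + tail


def generate_rules(iocs, sid_base=SID_BASE):
    """One rule per distinct (type, value); SIDs are sequential from sid_base."""
    rules, seen = [], set()
    for ioc in iocs:
        key = (ioc["type"], ioc["value"].lower())
        if key in seen:
            continue
        seen.add(key)
        validate_ioc(ioc)
        rule = rule_for(ioc, sid_base + len(rules))
        if not RULE_RE.match(rule):                    # cheap check before the file hits the sensor
            raise ValueError("malformed rule: %s" % rule)
        rules.append(rule)
    return rules


if __name__ == "__main__":
    print("\n".join(generate_rules(SAMPLE_IOCS)))
```

For blocking instead of alerting, run Suricata inline and swap `alert` for `drop`; the same X-Mailer list is what you hand to the mail gateway for the block/redirect rule, since an IDS signature on SMTP only sees what the session carries in the clear.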
48. DIY Endpoint Monitoring and Remediation
• Use the power of open source software and mature, internal intel
• LIMA CHARLIE – Endpoint monitoring stack
• Constantly monitor your endpoints
• Recursively investigates
• Present findings to IR analyst
• Use native tools such as PowerShell
• PSRecon
• Kansa
49. Defenses to deploy yesterday
• Microsoft EMET (0-day killer)
• Multi-factor authentication (DUO is easy-to-use and extremely flexible)
• Remove local admins (Avecto DefendPoint, BeyondTrust PowerBroker)
• Email sandboxing (Your custom sandbox, Proofpoint, or a combination)
• Block all uncategorized sites at your web proxy
• Block any outbound traffic that isn’t from your mail servers or web proxies
• WAFs, seriously
• Bro NSM, Suricata IDS/IPS with Emerging Threats
• Forced, multi-factor full-time VPNs for all remote workers
• Tune your AV (It isn’t dead; you might not be using it right)
• Application Whitelisting (Windows AppLocker is included with Windows Enterprise)
Skeptical? When I left the industry, I was worried that much of what I had learned would not be translatable outside because the approach is so different than in many other industries.
What I’ve discovered is that the same basic tactics are effective everywhere; the differences are a matter of risk-based priorities and scale.
Cyber security consulting has become a major growth market for defense contractors, and for good reason. They had to mature their security programs before almost anyone else.
How often does a tool not live up to the hype? How long has a simple change been “on the roadmap?” Does it really meet your needs?
APTs are often more Persistent than Advanced, taking advantage of well-known flaws. Use of 0-day exploits is rare, because they often aren’t needed. Lots of APT code is a mess, but it still works.
Here we have the creatively named “Stealer” program used by the “Ajax Security Team” in Iran. They are my favorite APT group to talk about because there’s so much public documentation on them. Not because FireEye is so awesome, but because their OPSEC was so poor as they transitioned from hacktivism to espionage.
I did some digging on VirusTotal, and found a sample of their Stealer bundled with a copy of UltraSurf, a legit tool to circumvent internet censorship.
This suggests that their espionage targets included Iranian dissidents, thus aligning themselves with an Iranian government agenda.
The main part of the program is an unobfuscated .NET PE, so you can decompile it to source code in a few clicks with ILSpy. Winning!
Reverse engineering is rarely this easy.
You can see they set static variables for a passphrase and salt; bad practices right off the bat…
They also run a DLL, whose sole purpose in life is to ship out files Stealer makes via FTP.
Then they proceed to completely ignore the variables they created in AES crypto calls, which are copy-pasted over and over... and they misspelled proxy.
The combination of FTP and symmetric encryption left the attackers open to being pwned.
Yet, once you start digging through the rest of the code beyond the main class, you’ll find it is well-written. There’s even code to send and receive files via various protocols, including FTP and HTTP (which would be most successful), and stubs for SFTP and SMTP. That makes AppTransferWiz.dll completely unnecessary. The stark contrast in quality suggests that Ajax team appropriated most of this code from someone else, which isn’t surprising given their start as hacktivists.
It’s easy to laugh about this, until you see they were targeting the aerospace industry with well-designed phishing attacks during a time of heightened US-Iran tensions.
According to FireEye, there is evidence that they continued to use this malware for some time. This suggests that Stealer was successful at least some of the time.
If it ain’t broke, don’t fix it. Right?
Stealer can steal credentials from common browsers and IM programs
Intelligence is great, but it’s often misunderstood or glossed over because of hype. Intel services don’t have reports of every domain, IP address, email, and malware sample. They only know what they have seen, largely through their customers.
You can start collecting data yourself that is much more relevant to you.
Finding qualified candidates can be challenging. Information security is still an up-and-coming field. Expecting to find lots of experience in your area may not be realistic. However, your current IT staff have very valuable experience with your network and your organization, which might represent a sharp learning curve to a knowledgeable newcomer. They may also glean insights that others would miss.
Whether hiring internally, or recruiting recent graduates, look for motivation. If they have a security mindset, a passion for figuring out how things work, and get along well with others, that can easily trump a lack of experience, especially with training.
Observe – Identify your most critical systems and security controls. Monitor industry trends. Keep track of internal IT projects
Collect – Gather any information you can from inventories, logs and sensors
Analyze – Look at the data you have collected, and identify the biggest threats and risks. Weed out bad or useless intel.
Share – Share attack details and countermeasures with industry partners. Share posture, risks, successes, and failures with the IT org and corporate leadership. Get “front line” details from the IR team to evaluate the quality of collected intel
Adapt – Make adjustments to security controls, strategies, and processes based on all of the above
Integrate this cycle as a part of your IR process. IR and intel should be a feedback loop. Both should drive tool development and product purchase decisions.
The best source of intelligence starts with you, and works its way out from there. You don’t know what to prioritize if you don’t know what your risks are.
By relying on a subscription intelligence service, you are dependent on their reactions and observations, which might not have anything to do with your network or industry.
Conversely, the same people who are attacking your supplier or competitor are probably going after you too.
Unclassified government flashes are old by the time they reach the end recipients, and are frequently leaked to the press shortly thereafter.
Comprehensive campaign exposés are great PR for security vendors, and terrible for other intelligence analysts, who may be monitoring the campaign in secret.
Exposure doesn’t make attackers go away. They will change tactics, or their patron will hire someone else. A whitepaper is not going to stop a nation-state; it’s just going to make them smarter.
By building intelligence yourself and within your industry, you have the greatest possible context -- much more than “ this IP address is related to bad things”.
Your incident responders know what their biggest headaches are. Their biggest headaches are caused by your biggest risks. By focusing on those, you improve the overall security posture of the entire organization.
Sometimes people focus more on the high-profile InfoSec news than what is going on in their own network. You have no hope of finding advanced threats if you are perpetually overwhelmed by opportunistic attacks.
Wouldn’t you rather spend support contract money on creating a team that can build whatever you needed, rather than one-size-fits-all solutions?
Many commercial vendors are building data sets based on activity they have observed in the networks of their customers, raising privacy and OPSEC concerns. I’m not saying all commercial tools are bad, some are great, but consider if you really need it first.
Giving back to the community helps everyone, and is great PR. Be a trailblazer for your industry!
My dev Cuckoo box was an old Dell PowerEdge 2950 – Circa 2009
Hosting 4 Windows sandbox VMs concurrently
Max throughput ~ 85 samples/hour
Even if you can’t act on ALL of the security data RIGHT NOW, it gives you a picture of what your biggest threats and risks are. Even if you find yourself constantly playing whack-a-mole with opportunistic attacks, that tells you that you need to work on the fundamentals before you go hunting for APTs. Your processes will never be perfect, and if you try to make them perfect, you will freeze. Get started today. Learning how to do intel will involve trial and error.
Some of the biggest hindrances to information sharing are unfounded fears of embarrassment and liability. Intel sharing is NOT airing dirty laundry.
You simply report attacks you have observed, and the tactics, techniques, and procedures that the attackers used. You don’t have to say “Yeah, these guys totally kicked our asses!”. Whether they were successful or not is nowhere near as important as how they tried. Sharing that information builds herd immunity. For example, you can tell if a specific industry vertical is being targeted, and start to define campaigns.
STIX/TAXII are great if everything you use already speaks it, but it is very complicated and time-consuming to implement on your own.
Yes, you read that right. Disable opportunistic TLS in SMTP so Suricata can read the traffic and provide alerts and file extraction. This trades transport encryption for visibility: mail between your MX and the internet then travels in the clear, so it only makes sense where the content that matters is protected at the message layer. If something going over email is confidential, the message itself should be encrypted as a best practice anyway.
ISACs are doing it wrong
I haven’t used it myself yet, but I’ve heard good things from people I trust
While not all of these solutions are free or open source, they are simple to implement, and provide some of the most important defenses against today’s tactics
By blocking all non-mail server/proxy traffic, you are limiting exfil paths to what you know about
AppLocker works best on task-specific workstations such as kiosks, SCADA, surveillance systems, PoS, etc.