Respond proactively to threats like a defense contractor. It’s more realistic than you might think! A practical guide of how to build intelligence-driven cyber defenses using open source software, based on real implementations of best practices, adapted from the Lockheed Martin Cyber Kill Chain model.

1. Open Secrets of the Defense Industry
Building Your Own Intelligence Program
From the Ground Up
Sean Whalen

2. Disclaimer
The views and opinions expressed here are
my own, and may not represent those of my
past, current, and post-apocalyptic
employers.

3. Who is this guy?
• I’m an Information Security Engineer
• Intelligence analyst
• Human log parser
• I specialize in network defense
• I love open source software
• Most of my security experience comes from the Defense Industrial Base (DIB)
• I recently moved to the healthcare industry
• I’m building a DIB-style intel program
• Stalk me @SeanTheGeek

4. Overview
Respond proactively to threats like a defense contractor. It’s more
realistic than you might think!
A practical guide of how to build intelligence-driven cyber defenses
using free software, based on real implementations of best practices,
adapted from the Lockheed Martin Cyber Kill Chain model.

5. Security conference memes
For the informative lolz

6. Buy lots of tools and services or…

7. APT has magic

8. Actual APT code
Dropped by UltraSurf.exe
6dc7cc33a3cdcfee6c4edb6c085b869d
FireEye: Operation Saffron Rose

11. Image credit: FireEye

13. They also stole creds in a more direct way
Image credit: FireEye

14. How do we defend against this?

15. Intelligence! Intelligence! Intelligence! Intelligence!

16. People power
• A diverse, interactive team is essential for any security program
• Specialties, not silos
• Tool development, forensics, IR, intel, malware analysis
• Look for SAs, devs, and infrastructure employees who are interested
in a new challenge
• Scale up by training recent grads who are motivated
• You need people who understand security, not just security tools
• Allow fluid movement from one specialty to another

17. Intelligence building is a cycle
Observe
Collect
AnalyzeShare
Adapt

18. General ranking of intel priority by source
1. Internal
2. Trusted, “mature” industry partners
3. Developing industry partners
4. Subscription services
5. Simi-public government publications
6. OSINT/PR reports
Intel collection without evaluating the source leads to noisy alerts

19. Your own network is your best
intel source
No one knows you better than you

20. Goals
• Read the Lockheed Martin Kill Chain paper
• Train employees to report phishing and other sketchy things
• Collect data on phishing, malware, and other attacks sent your way
• Analyze strategically
• Automate the Boring Stuff with Python
• Share with friends
• Present findings to stakeholders
• Adapt your defenses and processes

21. Open source software
Break the kill chain without breaking the bank

22. Why open source?
• Cost – Spend less on products and more on resources
• Flexibility – You can modify it and customize it however you like
• Innovation – Rapidly implement new ideas; build what doesn’t exist
• Privacy – Your data is your data
• Community – Share knowledge and inspiration with peers

23. Build a malware sandbox
• The Spender fork of the Cuckoo Sandbox project is a powerful way to
quickly derive actionable intelligence from malware samples
• Generally higher-quality signatures and malware identification
• Anti-VM and anti-sandbox countermeasures
• Transparent Tor proxy support
• Nice-looking PDF reports
• Similar sample heuristics
• Full setup guide at https://infosecspeakeasy.org/t/howto-build-a-
cuckoo-sandbox/27
• Start analyzing malware in hours!

24. Collect all the things!
• Centralize your logs
• Splunk Enterprise Security (ES)
• Open source ELK stack
• CRITs – Collaborative Research Into Threats
• Can store almost any kind of threat data
• UI can get overwhelming if you try to store all the things in it
• Most useful for storing phishing email data (IMO)

25. Document all the things!
• Use a team wiki to document all processes, tools, security events,
intelligence research, campaign briefings, and other unstructured
data
• Create canned replies and action plans
• Learn from mistakes, and make success repeatable
• Shorten the learning curve for new team members
• I recommend XWiki
• Highly extendable
• LDAP and granular permissions out of the box
• Much less hacking required when compared to others

26. Track your work
• Use an InfoSec ticketing system to track all work
• Store key metrics: Time-to-Detect, Time-to-Remediate
• Avoid duplicated effort
• Show trends, and team workload
• RTIR – Request Tracker for Incident Response
• Open source, extremely flexible, customizable
• Can create tickets through email, such as intel emails from partners
• Integration with other services requires knowledge of Perl (my eyes!)
• Simple Python API wrapper
• Commercial support and professional services are available

27. Sharing is caring
Herd immunity FTW!

28. What intel sharing is not

29. What intel sharing is

30. Sharing can be hard,
at first
What do you collect?
What do you share?
Can you share it?
How do you share it?
Who do you share it with?
Who can you trust?
What can you do with shared information?
Declassified SASC Inquiry Into Cyber
Intrusions of TRANSCOM Contractors

31. How to share phishing data
• Include full email headers (except internal ones)
• Redact the target addresses for privacy
• Include generalized targeting information (number, roles)
• Include the raw body and attachments (within encrypted zips)
• Redact any ID numbers in URLs for privacy, but note the composition
• If it is in HTML, include screenshots

32. How to share watering hole data
• The date and time the attack was observed, with UTC offset
• The URL of the watering hole (i.e. the compromised site)
• The URLs of any malicious resources or website redirections
• A list of tactics used (e.g. iframes, plugins, etc.)
• Any malicious files (e.g. swfs) as attachments
• Defanged sample code

33. Sharing malware
• Use encrypted zips with a password of “infected”
• Avoids contamination and making AV/IDS go crazy
• Include any sandbox report you may have
• Make note of any interesting or confusing points
• Include the best indicators for detecting it, if you know them
• C2
• Stages
• Files/registry keys created/modified, or deleted
• Mutexes
• General behavior

34. The state of sharing solutions

35. • Basically the only free (as in beer), production-quality TAXII
server/application
• Freeware – Open standards, not open source software
• Support subscriptions
• Created by the NH-ISAC, in use at most ISACs
• Lots of SIEMs/IR tools can take TAXII feeds; to name a few:
• Carbon Black
• Splunk Enterprise Security
• Cyphort
• QRadar
• The STIX/TAXII standards can take a while to implement on your own
Soltra Edge

36. Malware Information Sharing Platform (MISP)
• Open source software (GPLv3)
• Indicator database
• Straightforward workflows
• Flexible, automated sharing
• Generates Snort/Suricata rules
• Imports from OpenIOC, Cuckoo, ThreatConnect CSV
• Exports to OpenIOC, plain text, CSV, MISP XML or JSON
• Simple API – Not in wide use like TAXII, but much easier to use

37. ThreatConnect
• Everything you could ever want in a SaaS Threat Intelligence Platform
• Turnkey
• Extremely Expensive
• Intel in the cloud may raise privacy and legal concerns

38. Free Threat Intelligence Platforms
• AlienVault Open Threat Exchange (OTX)
• Open threat information sharing
• Simple API
• Bro, TAXII, and Suricata integration
• Python, Java, and Go SDKs
• Facebook ThreatExchange
• Share threat indicators on Facebook’s Graph API infrastructure
• Share with the whole community, or a selected partners
• Libraries for Python, Ruby, PHP, and NodeJS

39. Automate all the things! Within reason…
• Think of ways to integrate your
intel tools and security controls
• Automate repeatable tasks
• Don’t try to automate people
• If a security product does not
have documented, robust API,
you do not want it!

40. TTPs > Indicators

41. Discourse
• The best intel sharing groups that I have been a part of are private
discussion forums. No fancy tech, just humans helping humans
• Great for: learning and sharing tactics, team discussions
• Discourse is a modern, open source forum/mailing list
• Created by the founders of stack overflow
• Responsive/mobile-friendly
• Updates in real-time
• Easy to read

42. Defanging attack data
• Defang malicious URLs and mail addresses when posting to places
that auto-link, such as IMs and some forums
• That way, a researcher doesn’t accidently click on a malicious link
• Common conventions
• Replace http with hxxp
• Replace . with [.]

43. What makes a good intel sharing community?
• Confidentiality – The Traffic Light Protocal (TLP) is a good system, if
followed. NDAs are better
• No anonymity – We need to know who is being attacked
• Made of all parts of an industry: Suppliers, contractors, competitors
• Supportive discussion
• Clear threat indicators (not a wall of text)
• Rapid dissemination
• Frequent activity
• Historic – Learn from the past

44. The InfoSec Speakeasy
• An invite-only community for InfoSec professionals
• I designed it to be a model for starting and managing other groups
• A place to build and share strategy and intel across industries
• Public tutorials
• Powered by the Discourse open source discussion platform
• Send me a request for an invite from your work email, then send your
own invites to your colleagues
https://infosecspeakeasy.org

45. Red Sky Alliance
• A private, vetted commercial intel sharing community
• Follows the Kill Chain model – Includes signatures
• All data comes from other members – across a diverse range of
industries
Red Sky Alliance FAQ

46. Leveraging intel
Use it or loose it

47. Deploy intel-guided countermeasures
• Block/redirect known bad x-mailers, IPs, user agents, etc.
• Write custom IDS/IPS rules
• Compare attack techniques to current security controls
• Infer attacker intentions based on targeting and actions
• Block domains based on DNS recon using services like whoisxmlapi
• Keep users and leadership aware of attack trends against your
network

48. DIY Endpoint Monitoring and Remediation
• Use the power of open source software and mature, internal intel
• LIMA CHARLIE – Endpoint monitoring stack
• Constantly monitor your endpoints
• Recursively investigates
• Present findings to IR analyst
• Use native tools such as PowerShell
• PSRecon
• Kansa

49. Defenses to deploy yesterday
• Microsoft EMET (0-day killer)
• Multi-factor authentication (DUO is easy-to-use and extremely flexible)
• Remove local admins (Avecto DefendPoint, ByondTrust PowerBroker)
• Email sandboxing (Your custom sandbox, Proofpoint, or a combination)
• Block all uncategorized sites at your web proxy
• Block any outflow that isn’t your from your mail servers or web proxies
• WAFs, seriously
• Bro NSM, Suricata IDS/IPS with Emerging Threats
• Forced, multi-factor full-time VPNs for all remote workers
• Tune your AV (It isn’t dead; you might not be using it right)
• Application Whitelisting (Windows AppLocker is included with Windows
Enterprise)

50. Questions?
Sean@SeanPWhalen.com
@SeanTheGeek