Yes, this is your epilepsy warning. Close your eyes for the next 25 minutes. I'm just going to run it like this. We will make do, because I think we might be running behind, gang, at this point.

Alright, so we're going to talk about the basics of threat intelligence. And the goal of doing the basics of threat intelligence is, it gets very over-complicated, because it's never boiled down to its very base before we get into it. As I've been told growing up, it's like learning to fly before you've learned to crawl.

So, with threat intelligence, we're going to get to the guy who's actually talking about threat intelligence today. Now, the handle is Man in Black. I've been in InfoSec for 10 years, companies as small as 3 to 10,000 or bigger, experienced in quite a bunch of industries over that time. And right now, I focus on incident response and threat intelligence.

Now, from the idea of a misunderstanding, like we have with threat intelligence: when I requested to speak at CypherCon, Mike came to me and said, "Alright, we want a handle. This is a hacker conference. We want to feel like hackers." Well, looking at it, I submit this. I go to the website. I'm the only person who is not identified by name. And I'm the only person who does not have a Facebook-style picture out there to identify who I am. So, like threat intelligence, we're going to start from that misunderstanding. I had an idea of what I was supposed to do, and I did not stick the landing at all.

So, looking at threat intelligence, my whole premise was we need to boil it down, as I said, to as simple as it gets. Now, in my pre-IT life, I worked for a very large printing company here in Wisconsin. And the owner of that company, with its worldwide footprint, boiled his entire printing operation, from plating, press, finishing, shipping, quality control, to three words: ink on paper. That was his entire business model that he ever explained to anyone.
So, transferring that to an IT standpoint, we're going to take a slight detour and talk about the cloud. And in a presentation where we're trying to skip past buzzwords, I apologize for opening with one. But right now, in the world, in the land of AWS and S3 outages, this is something that's foremost on a lot of people's minds. So, just a shot in the dark, does anybody like to throw out there, what is the cloud? "Someone else's computer." Actually, very well done. When you talk to the vendors, they're going to come at you: this is a network, this is getting rid of your data center, this is your chance to export your costs, this is a chance to have other people helping with your infrastructure, it's going to minimize your downtime. Blah, blah, buzzword, buzzword. Are you distracted? Have you signed my statement of work yet? But, as my very astute member of the crowd mentioned, it's someone else's server. You boil it down, you're still doing all the stuff you're doing in your data center, or we're doing in your data center, but now somebody else is worried about the hardware.

So, applying that to threat intelligence, let's try it out. What is threat intelligence? This is open to the crowd. All right, this is good, because it means you've actually come to hear me talk, and you're not just keeping the seat for the next presentation. All right, you're going to get your vendors: this is crowdsourced, this is real-time, this is deep-thinking analytics, this is spread out across the world looking at all of our attack vectors. Blah, blah, blah. Ooh, that's a big check. It's someone else's log. In order for this to be actionable intelligence, it has had to have happened to someone somewhere first. So the basis when we look at threat intelligence is someone else's logs.

So, where can I get this mythical threat intelligence? Number one, we have governments. Mostly our government, but some others actually share real threat intelligence from time to time.
This is where we have things like US-CERT, NIST sometimes, several other groups that say, here, we're going to publish a vulnerability, or we're going to talk about something that has attacked critical infrastructure in the United States, and we're going to make it public so that you then have the chance to take this information, defend against it, or see if it's too late to defend against it and you need to remediate something that's happened.

Then there are the vendors. If a vendor out there is not talking about threat intelligence, they're still probably breaking into the cloud space and trying to get you to buy their cloud offering. Everybody at this point has threat intelligence, whether it's a feed: we're going to give you our real-time information, and you're going to make a decision on what to do with that. Or, for a lot of the products now, it is baked in. They will talk about how it's analyzed from wherever across so many countries in your industry, and that is their baked-in threat intelligence.

And then some of the more common ones are the sharing lists. For just about every industry there is out there, we have an ISAC list, Information Sharing and Analysis Center. And there, it's going to be other businesses and groups in your same industry, sharing their information, bouncing ideas off you, you bounce ideas off them, to come to a better understanding. And those lists are moderated. Then you have these STIX and TAXII groups out there, STIX and TAXII being the protocols people are using to share threat intelligence if it's not coming through a list or a vendor.

Now, when threat intelligence was really coming out, a gentleman by the name of Dave Bianco came up with the Pyramid of Pain. And his Pyramid of Pain works from the bottom of hash values up to the tools, techniques, and procedures at the top.
And as you go up the pyramid, they go from everyday commodity, this will not matter in two minutes, to something that will help you repeatedly identify hackers of a specific group in your networks.

Now, with all these vendors out there, we have all this threat intelligence, whether it's baked in, whether they're lists, whether it's feeds. What are they actually selling? It breaks down into three groups. We have the good, the bad, and the ugly. And yes, that is going to be a very bad movie reference for the next couple of slides. Starting at the top, the good is where these things are auto-updating in near real-time. They are crowdsourced, so they're looking across the industries that you are in to get real data of things that are actually happening in a recent time frame. And most importantly, and this should be highlighted, bolded, and if you're going to take anything away, write this down: it needs to be contextualized. Because when we get to the ugly, we are going to talk about how uncontextualized data can actually cause damage in your networks if the threat intelligence vendor is not doing their job right. And then the bad is just those bottom lines of the pyramid, where here's an indicator. This might be a fresh indicator, this might be an old indicator, but we're going to package it up so we can say that we're sending all this data out to you.

So, the good. The good will look at the top three steps of the pyramid, where we're looking at the artifacts on the machines, or artifacts on the network. When you're looking at your logs, do we see certain machines that are making these calls going to very similar URLs? Are there similar patterns in the URI stems? Something that would indicate the LAN attacker plans his setup, uses his algorithms. Okay, that's me. My bad. Are there changes in the hosts file? So when you look at the hosts file, there are some basic entries that have been overridden, so it can dodge most of your network defenses. Do you have a managed DNS?
And is your DNS now routing out to a public DNS space? Then you have the tools. Are they using the same compression kits? Are they using what you natively have, your WinZips, your 7-Zips? Are they downloading WinRAR? What exploit kits are they using? Are they using the latest commoditized thing that you'll hear about? Is it the kits that are being sold as ransomware-as-a-service? Or is it something they're homebrewing? Or is it something much older, like a forgotten-about Blackhole? And then, what shells are they using? Are they able to just simply bring up a command shell and do something within Windows? Are they using PowerShell, which is the new flavor of the day, because everybody has it, it's always turned on, it's very rarely restricted? Or are they dropping down, like in just a simple Netcat, because your defenses are not seeing it? And then the TTPs is how they take all the indicators you'll find, how they apply those in their specific order to get into your network, obscure that they're in your network, get the data out, and then clean up so you can't figure out how they did what they did.

Now, it should be mentioned with all these, the number one thing to make this work is you need visibility in those networks. If you are not seeing any of this, or how they're doing any of this, threat intelligence will not do you much good.

Now, the bad. These are the most basic of indicators, because these things can be outmoded and irrelevant in moments to minutes to, by the time you discover, on the average of, I believe it's a year plus in the network. Here, what domains do they register? Are they going to keep using those domains? Generally speaking, repeatable domains are usually commoditized in Sol. So, yes, putting domains in a block list means you're going to stop the script kiddies, who then found the same vulnerabilities the Chinese People's Third Army exploited five years ago.
But arguably, most of that should be getting caught by your Symantec, by your Trend, your AVG, or any other anti-virus you're using. The same thing with the IP addresses. You can have an IP address as an indicator of compromise. You don't know if that server was originally hacked, if it was something staged at a hosting provider, if it's something that you may end up needing because it's a relevant source, like, say, Yahoo and their ad servers, that you may end up blocking when you need some of that data. More so than just the ads, obviously. And then the hash values. You've hashed out, this is a bad person that's attacking my network, and this is what we're going to share. Oh, they changed the variable. Your hash values are now as outdated as Hydrox cookies. Okay, I'm not the only old person in here. Outstanding.

All right, now we get into the ugly. There are some vendors in the past who found that one indicator of compromise showed that the malware is repeatedly hitting on 127.0.0.1. No place like home. So tied into their system: if you see this indicator, you need to protect your network and get your host to block that. Oh my god, my entire enterprise team no longer gets out to the internet or talks to each other. What happened? The sad thing is both of these are very true stories that have happened.

The second one: what is a subdomain? Now, why yimg.com? This is Yahoo's content delivery network. Now, after the past six months, we can have an argument about whether or not blocking that whole subdomain is a bad thing. That's up to you and your policies. But in this situation, a bad guy created a subdomain. They were able to get in under the registrar, create a subdomain, get a DNS record set up for it. So now they were hosting all their badness at s.yimg.com. Now, one of the vendors with threat intelligence says, well, it's very simple. Maybe we didn't pay attention to what yimg.com is, but they might just spin up another subdomain.
So we'll just block the whole thing. Now, a lot of us think of Yahoo as email, outdated, and very poor security. They also serve Yahoo Finance pages, which are very widely used in the finance industry. More importantly, this happened in March. Imagine having to walk into a VP's office, because all of a sudden he can't fill out his March Madness bracket, because you have blocked it on the Internet. Where I come from, we refer to those as RGEs, or Resume Generating Events. Those you want to avoid actively.

So, how do we take some of these bad indicators, which are very common, and make them actionable and good? In one scenario, a threat intelligence sharing list said, hey, we have somebody who's been hit by 25 IPs. These IPs have shown up as indicators. Has anybody else seen anything similar? Okay, well, as we discussed with IPs, that doesn't mean very much. We can trace them back, and maybe they are hosting companies in Amsterdam, or Russia, or Ukraine. Places that, if your policy allows, I would recommend blocking at the IP or domain level. Some of us are not that fortunate.

So, we go into our SIEM, and this is where visibility kicks in. What do we see? Well, what I see first is the one typo in my presentation. 1111 should be 5200 hits. This will be relevant on the next slide. And for the record, I'm sure many of you recognize some of these IPs. For obvious reasons, this has been somewhat sanitized. Please do not block these. You will find issues do abound. Now, what we see is, over different time frames, some of these IP attacks are far noisier than others. Are these random? Are these related? What we do see is, okay, one is far noisier than the rest. Another one is also very noisy. But things then taper off very dramatically after that, so you only see a small number of hits. Context. What we saw was, the big amount of noise was just port 80, port 443. What can I connect to in your IP space?
And ironically, when it was discovered, it was even going after some IP space that was not attributed to the company in question, that they in fact owned. Then, at the same time, we saw the port scans. Look, somebody is just bringing an Nmap scan against my infrastructure over and over and over again. What could they possibly figure out that they didn't see the first 200 times they scanned the IP space? Well, what we start seeing now, the idea was very simple: how much stuff can we stick in their logs to make it hard to find what we have? Fortunately, we have a little bit of log-fu grep-ability and a good SIEM, so we can just, okay, I'm just going to strip out these IPs one by one and see what's left. Then, we see our web-facing servers are getting hit by Shellshock attacks. Okay, we patched those almost... I'm saying slightly after when Reagan was president. Then we see other attacks where, okay, now they're going after things where they think they see an SSH port, or a port that they might think parallels to SSH, and they're going to start throwing SSH attacks at there. Can they brute force these? Can they get in? And then, most importantly, we then see four very specific FTP connection attempts. In those situations, though, we do not allow anonymous login. I am sorry, bad guy, but I applaud the attempt.

What we later found out is, for these other people who have seen more hits than what we had, as the additional hits came down, there were some more noisemakers in there, but then they explicitly went after: make noise over here, do things that seem very alarming over here, and then take one poke at this. Maybe two pokes over there. Oh, look, we're able to get in here. Let's throw some more noise at it and do everything we can to obscure what we're doing. So what we see here, one, is a pattern of attack. Where are they making noise? How are they making noise? And then how are they trying to attack us?
And then for those who actually saw them get in, all right, now we have actionable intelligence to share. This is what they're doing. This is how they're trying to do it. So if you start to see these patterns, go ahead and skip to the bottom of the list. Because if you start working your way up from the bottom, if you see these IPs, you are really in trouble. But this is explicitly what you need to look for, because this is how they would have gotten your data. And if they got that far, this is how they got it out. And if you still don't see that, Burger King's hiring.

So, would you like to know more? In this situation, as mentioned previously, yes, well, I'm still not the oldest person here. All right, number one, look for an Information Sharing and Analysis Center list in your industry. Like I said, they exist across every major broad category that's out there. You're in real estate, they got a list. You're in manufacturing, they got a list. You're in financial services, retail, hospitality, they all have lists. And all they really ask you to do is to be able to share information back. You will join this, it will authenticate that you're in that industry. And then, all right, here's the information we're going to give you. Please share back or respond when we have discussions, so we can all contribute and make it a better internet for everybody else. Rainbows, unicorns, and Care Bears.

Number two is your vendor offerings. Especially if you're just getting started, you're dipping your pinky toe in, this is where you look at what the vendors can get you. Because in most cases, vendors... I'm trying to stay vendor-agnostic here, I'm just going to leave it at vendors... have offerings where your data will come in, come through, pass through one of their signatures, signature readers, pass pet, one of their devices on the endpoints of the network, maybe get read by an agent on your host.
And they will compare it in their cloud to, well, we have all these clients around the world. What else do we see from them that is real-time, that is happening right now, that, based on what industry you're in, may be a relevant indicator to you? And in those cases, there's usually an automated response. Trying to stay away from vendors, there's a firewall vendor somewhere out in California there that has a product that, when your stuff gets scanned, it crosses your boundary, and it checks against their cloud, and within five minutes, I believe it is, it will come back: hey, that's something new we haven't seen, or we've seen it in one or two places, and that's really bad. You should do something about that. Or in several cases, we've seen this in quite a number of places, so we're blocking it immediately and it doesn't come in. That threat intelligence is relatively invisible, but it is still threat intelligence, and once again, a very good place to start. Especially if your organization does not have money for dedicated teams or amazingly charismatic, beautiful, well-dressed people like myself. I appreciate your troubles on that one.

So, to paraphrase Ronald Reagan, does anybody have any questions before I run for the door? All right, ladies and gentlemen, thank you.
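As an added example that is not part of the talk, here are two of its practical points written as a small Python triage script: a raw indicator feed needs sanity-checking before any of it touches a block list (the 127.0.0.1 story from the "ugly" section), and the useful signal in a pile of IP indicators is the handful of quiet, targeted pokes left over once the noisemakers are stripped out (the 25-IP SIEM walk-through). The feed, the log lines and their one-line format, the never-block ranges, the noise thresholds and the probe patterns are all constructed for illustration, and the function names are ours, not the speaker's tooling.

```python
import ipaddress
import re

# Constructed indicator feed (not real data): bare IPs with no context, one
# duplicate, and entries that would hurt if pushed to a block list blindly.
RAW_FEED = ["203.0.113.10", "203.0.113.77", "198.51.100.7", "198.51.100.9",
            "192.0.2.201", "127.0.0.1", "10.0.0.5", "0.0.0.0", "not-an-ip",
            "203.0.113.10"]

# Ranges that must never reach a block list. Listed explicitly because the
# sample attacker IPs use RFC 5737 documentation space, which
# ipaddress.is_private would flag as well.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]

def sanitize_feed(raw_feed):
    """Return (usable, rejected): usable IPs in feed order, rejected -> reason."""
    usable, rejected = [], {}
    for item in raw_feed:
        try:
            ip = ipaddress.ip_address(item)
        except ValueError:
            rejected[item] = "unparsable"
            continue
        bad = next((net for net in NEVER_BLOCK if ip in net), None)
        if bad is not None:
            rejected[item] = f"in {bad}, never block"
        elif str(ip) not in usable:
            usable.append(str(ip))
    return usable, rejected

# Constructed firewall/IDS events (not real traffic) in a format of our own:
# "<ts> src=<ip> dport=<port> action=<verdict> msg=<free text>".
SAMPLE_LOG = """\
2017-03-14T02:11:05 src=203.0.113.10 dport=80 action=drop msg=connect
2017-03-14T02:11:06 src=203.0.113.10 dport=443 action=drop msg=connect
2017-03-14T02:11:07 src=203.0.113.10 dport=80 action=drop msg=connect
2017-03-14T02:11:08 src=203.0.113.10 dport=443 action=drop msg=connect
2017-03-14T02:11:09 src=203.0.113.10 dport=80 action=drop msg=connect
2017-03-14T02:30:00 src=203.0.113.77 dport=21 action=drop msg=syn
2017-03-14T02:30:00 src=203.0.113.77 dport=22 action=drop msg=syn
2017-03-14T02:30:01 src=203.0.113.77 dport=23 action=drop msg=syn
2017-03-14T02:30:01 src=203.0.113.77 dport=3389 action=drop msg=syn
2017-03-14T02:30:02 src=203.0.113.77 dport=8080 action=drop msg=syn
2017-03-14T03:40:12 src=198.51.100.7 dport=80 action=allow msg=GET /cgi-bin/status UA=() { :; }; /bin/bash -c id
2017-03-14T03:40:13 src=198.51.100.7 dport=80 action=allow msg=GET /cgi-bin/test UA=() { :; }; /bin/bash -c id
2017-03-14T04:02:30 src=198.51.100.9 dport=22 action=allow msg=sshd Failed password for root
2017-03-14T04:02:31 src=198.51.100.9 dport=22 action=allow msg=sshd Failed password for admin
2017-03-14T05:15:02 src=192.0.2.201 dport=21 action=allow msg=ftpd USER anonymous refused
2017-03-14T05:16:44 src=198.51.100.200 dport=443 action=allow msg=GET /index.html
"""
LOG_RE = re.compile(r"^(\S+) src=(\S+) dport=(\d+) action=(\S+) msg=(.*)$")

def parse_log(text):
    """Parse well-formed lines into dicts; lines that do not fit are skipped."""
    events = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        ts, src, dport, action, msg = m.groups()
        events.append({"ts": ts, "src": src, "dport": int(dport), "action": action, "msg": msg})
    return events

def profile_indicators(events, indicators):
    """Hit count and distinct destination ports per indicator IP."""
    profile = {ip: {"hits": 0, "ports": set()} for ip in indicators}
    for e in events:
        if e["src"] in profile:
            profile[e["src"]]["hits"] += 1
            profile[e["src"]]["ports"].add(e["dport"])
    return profile

def split_noise(profile, noise_hits=5, scan_ports=5):
    """Noisemakers (volume or port sweeps) versus quiet sources with any hits."""
    noisy = {ip for ip, p in profile.items()
             if p["hits"] >= noise_hits or len(p["ports"]) >= scan_ports}
    quiet = {ip for ip, p in profile.items() if p["hits"] and ip not in noisy}
    return noisy, quiet

# Labels for the low-volume pokes the talk describes; the patterns are ours.
PROBE_PATTERNS = [("shellshock", re.compile(r"\(\)\s*\{")),
                  ("ssh brute force", re.compile(r"sshd.*Failed password")),
                  ("ftp anonymous login", re.compile(r"USER anonymous"))]

def targeted_probes(events, quiet_ips):
    """Count events from quiet indicators as (src, dport, label) -> hits."""
    counts = {}
    for e in events:
        if e["src"] in quiet_ips:
            label = next((n for n, rx in PROBE_PATTERNS if rx.search(e["msg"])),
                         "unclassified")
            key = (e["src"], e["dport"], label)
            counts[key] = counts.get(key, 0) + 1
    return counts

def triage(raw_feed, log_text):
    usable, rejected = sanitize_feed(raw_feed)
    events = parse_log(log_text)
    noisy, quiet = split_noise(profile_indicators(events, usable))
    return {"rejected": rejected, "noisy": sorted(noisy),
            "probes": targeted_probes(events, quiet)}
```

Running `triage(RAW_FEED, SAMPLE_LOG)` rejects the loopback, RFC 1918 and unspecified entries before they can become a self-inflicted outage, classes the two high-volume sources (the port 80/443 hammering and the port sweep) as noise, and leaves three quiet sources whose few hits are the Shellshock, SSH brute-force and anonymous-FTP attempts worth a human's time. The thresholds are tuning knobs, not magic numbers. The script does not handle domain indicators; the yimg.com case calls for an allowlist of shared infrastructure your business cannot afford to lose, which is a policy decision rather than a parsing step.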