Why huntung IoC fails at protecting against targeted attacks
1 like927 views
The document discusses issues around the use of indicators of compromise (IOCs) for threat hunting. It notes that highly targeted attacks use many evolving modules and few recipients. While IOCs provide some useful information, attackers often clean up traces and infrastructure is sometimes reused between groups. The document advocates using IOCs in context with behavior patterns and correlating them with internal information rather than solely relying on external feeds. Integrating IOC consumption and prioritizing prevention over hunting is also suggested. Oversharing details could risk revealing intelligence sources and helping attackers improve.
![┌─┐
│ │
│ │
│ │
│░│
│░│
│░│
│░│
│░│
│░│
│░│
│▒│
│▒│
│▒│
│▒│
│▒│
│▒│
│▒│
│▓│
│▓│
│▓│
│▓│
──┐ │▓│
░╞══════════════════════════════════════════════════════════════════════════════════════╦═╦═══╡█│
░│ ╚═╝ │█│
Commands from Taidoor
[Ping]
[Set sleep interval to 1 second]
cmd /c net start
cmd /c dir c:docume~1
cmd /c dir "c:docume~1<CurrentUser>recent" /od
cmd /c dir c:progra~1
cmd /c dir "c:docume~1<CurrentUser>desktop" /od
cmd /c netstat –n
cmd /c net use
Commands from Sykipot
ipconfig /all
netstat –ano
net start
net group "domain admins" /domain
tasklist /v
dir c:*.url /s
dir c:*.pdf /s
dir c:*.doc /s
net localgroup administrators
type c:boot.ini
systeminfo
Commands from HoneyPot sessions
18An error? Impossible! My modem is error correcting.](https://image.slidesharecdn.com/c6cybseciocwueest-161106173314/85/Why-huntung-IoC-fails-at-protecting-against-targeted-attacks-19-320.jpg)
Why huntung IoC fails at protecting against targeted attacks
- 2. ┌─┐ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │░│ │░│ │░│ │░│ │░│ │░│ │░│ │▒│ │▒│ │▒│ │▒│ ──┐ │▒│ ░╞══════════════════════════════════════════════════════════════════════════════════════╦═╦═══╡▒│ ░│ ╚═╝ │▒│ The issue with targeted attacks 2 Highly targeted Many components “Grey” tools and events Evolve/change over time Regin: 75 modules Duqu: 100+ modules … 10 or less recipients Specific forum users … Powershell, psExec Suspicious logins … Right tools for the job Learn and adapt … I like birthdays, but I think too many can kill you.
- 3. But attackers do leave traces Network Server or entry point Endpoint 3Just because I don't care doesn't mean I don't understand ┌─┐ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │░│ │░│ │░│ │░│ │░│ │░│ │░│ │▒│ │▒│ │▒│ │▒│ ──┐ │▒│ ░╞══════════════════════════════════════════════════════════════════════════════════════╦═╦═══╡▒│ ░│ ╚═╝ │▒│
- 4. Connecting the dots… OUTPUT INDICATORS (IOC) • FILENAMES • REGISTRY KEYS • C&C SERVERS • EMAILS • ETC… INDUSTRY VERTICALS • HEALTHCARE • MANUFACTURING • FINANCE • … FROM A SINGLE IOC… RELATIONSHIPS • SOFACY • ELDERWOOD • HIDDENLYNX • … Many tools and IOC feeds, groups, etc. available Brains are wonderful, I wish everyone had one. 4 ┌─┐ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │░│ │░│ │░│ │░│ │░│ │░│ │░│ │▒│ │▒│ │▒│ │▒│ │▒│ ──┐ │▒│ ░╞══════════════════════════════════════════════════════════════════════════════════════╦═╦═══╡▒│ ░│ ╚═╝ │▓│
- 5. ┌─┐ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │░│ │░│ │░│ │░│ │░│ │░│ │░│ │▒│ │▒│ │▒│ │▒│ │▒│ ──┐ │▒│ ░╞══════════════════════════════════════════════════════════════════════════════════════╦═╦═══╡▒│ ░│ ╚═╝ │▓│ If a turtle doesn't have a shell, is he homeless or naked? 5 …and then the guessing game begins…
- 6. ┌─┐ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │░│ │░│ │░│ │░│ │░│ │░│ │░│ │▒│ │▒│ │▒│ │▒│ │▒│ │▒│ ──┐ │▒│ ░╞══════════════════════════════════════════════════════════════════════════════════════╦═╦═══╡▓│ ░│ ╚═╝ │▓│ @attributionDice 6My mind’s made up, don’t confuse me with facts
- 7. Example: HackingTeam hack “I didn't want to make the police's work any easier by relating my hack of Hacking Team with other hacks I've done or with names I use in my day-to-day work as a blackhat hacker. So, I used new servers and domain names, registered with new emails, and payed for with new bitcoin addresses. Also, I only used tools that are publicly available, or things that I wrote specifically for this attack, and I changed my way of doing some things to not leave my usual forensic footprint.” 7I always learn from mistake of others who take my advice. ┌─┐ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │░│ │░│ │░│ │░│ │░│ │░│ │░│ │▒│ │▒│ │▒│ │▒│ │▒│ │▒│ ──┐ │▒│ ░╞══════════════════════════════════════════════════════════════════════════════════════╦═╦═══╡▓│ ░│ ╚═╝ │▓│
- 8. ┌─┐ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │░│ │░│ │░│ │░│ │░│ │░│ │░│ │▒│ │▒│ │▒│ │▒│ │▒│ │▒│ │▒│ ──┐ │▓│ ░╞══════════════════════════════════════════════════════════════════════════════════════╦═╦═══╡▓│ ░│ ╚═╝ │▓│ Parachute for sale, used once, never opened!! 8
- 9. ┌─┐ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │░│ │░│ │░│ │░│ │░│ │░│ │░│ │▒│ │▒│ │▒│ │▒│ │▒│ │▒│ │▒│ ──┐ │▓│ ░╞══════════════════════════════════════════════════════════════════════════════════════╦═╦═══╡▓│ ░│ ╚═╝ │▓│ Threat intelligence sources Free Community Commercial Internal Costs: Free Free/$ $$/$$$ Free/$ Typology: Generic Generic/Specific Generic/Specific Very specific Based on: Public systems Public, mailinglists, private researchers products, research Internal logs Different format & tools out there: openIOC, STIX/TAXII, OSTrICa, MISP, YARA,… 9I'm on a whiskey diet. I've lost three days already.
- 10. ┌─┐ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │░│ │░│ │░│ │░│ │░│ │░│ │░│ │▒│ │▒│ │▒│ │▒│ │▒│ │▒│ │▒│ ──┐ │▓│ ░╞══════════════════════════════════════════════════════════════════════════════════════╦═╦═══╡▓│ ░│ ╚═╝ │▓│ Threat hunting with IOCs Most commonly shared indicators: • IP addresses / domain names • File hashes / file names • Still some hits on reused infrastructure. Do they care? • Each hash is on average in <3 companies • Bad with scripts and dual-use tools • Where is the line between APT & common malware? 10I’m not arguing, I’m simply explaining why I’m right.
- 11. ┌─┐ │ │ │ │ │ │ │ │ │ │ │ │ │░│ │░│ │░│ │░│ │░│ │░│ │░│ │▒│ │▒│ │▒│ │▒│ │▒│ │▒│ │▒│ │▓│ ──┐ │▓│ ░╞══════════════════════════════════════════════════════════════════════════════════════╦═╦═══╡▓│ ░│ ╚═╝ │▓│ Now you see me - now you don’t • Are you hunting IOCs in real time or on snapshots? • Many APT groups clean up after the attack • Wipe files, admin account is enough for later • Delete emails, browser history,... to hide incursion vector • Do nation-state APTs really care if they get traced back? • At the latest since Snowden, everyone knows that everyone spies • Unlikely that they get arrested in their own country • Taunt opponent - show force 11Stress is when you wake up screaming and you realize you haven't fallen asleep yet.
- 12. ┌─┐ │ │ │ │ │ │ │ │ │ │ │ │ │░│ │░│ │░│ │░│ │░│ │░│ │░│ │▒│ │▒│ │▒│ │▒│ │▒│ │▒│ │▒│ │▓│ ──┐ │▓│ ░╞══════════════════════════════════════════════════════════════════════════════════════╦═╦═══╡▓│ ░│ ╚═╝ │▓│ Trust issues? • Early sharing is often done only in private groups • If the group is too small you might not see much, but it can be high quality • If the group is too large you might not trust everyone • Do you trust the Uber-NG-ATP-vendor XY? • Do you double check any IP address before blacklisting? • What is the motivation for sharing? IoCs are good if you need context or when fighting common malware 12hmm... I didn’t tell you... Then It must be none of your business...
- 13. ┌─┐ │ │ │ │ │ │ │ │ │ │ │░│ │░│ │░│ │░│ │░│ │░│ │░│ │▒│ │▒│ │▒│ │▒│ │▒│ │▒│ │▒│ │▓│ │▓│ ──┐ │▓│ ░╞══════════════════════════════════════════════════════════════════════════════════════╦═╦═══╡▓│ ░│ ╚═╝ │▓│ Improved IoCs • Following threat families instead of variants • Better, but they might use common tools like PoisonIvy, Meterpreter,… • Follow TTPs and behavior patterns • Better, but different companies might require different TTPs • Apply them to your company, as the attackers would do too Go higher in the pyramid of pain, track exploits,… … but that’s what your security software should do too 13Always remember you're unique, just like everyone else.
- 14. Integrate the IoC consumption ┌─┐ │ │ │ │ │ │ │ │ │░│ │░│ │░│ │░│ │░│ │░│ │░│ │▒│ │▒│ │▒│ │▒│ │▒│ │▒│ │▒│ │▓│ │▓│ │▓│ ──┐ │▓│ ░╞══════════════════════════════════════════════════════════════════════════════════════╦═╦═══╡▓│ ░│ ╚═╝ │█│ • Use context for IOCs, patterns of behavior where available • If possible correlate it with in house information • Check which IoCs you can actually ingest internally • It is still better to prevent the incursion, instead of hunting it later Rate the effectiveness of different types for you (and drop bad ones) • Why spend resources on external IOC feeds, when not even the internal basics are monitored properly yet? 14A day without sunshine is like, night.
- 15. ┌─┐ │ │ │ │ │ │ │ │ │░│ │░│ │░│ │░│ │░│ │░│ │░│ │▒│ │▒│ │▒│ │▒│ │▒│ │▒│ │▒│ │▓│ │▓│ │▓│ ──┐ │▓│ ░╞══════════════════════════════════════════════════════════════════════════════════════╦═╦═══╡▓│ ░│ ╚═╝ │█│ Of course I don't look busy...I did it right the first time. 15
- 16. ┌─┐ │ │ │ │ │ │ │ │ │░│ │░│ │░│ │░│ │░│ │░│ │░│ │▒│ │▒│ │▒│ │▒│ │▒│ │▒│ │▒│ │▓│ │▓│ │▓│ ──┐ │▓│ ░╞══════════════════════════════════════════════════════════════════════════════════════╦═╦═══╡▓│ ░│ ╚═╝ │█│ Oversharing? How much is too much? • The bad guys can learn how much you know • Learn how they can improve their attacks • Example: Zeroaccess P2P botnet, started to sign their commands • Most APT crews are not dumb, they could adapt if they want to • Some indicators might contain sensitive information • Internal IP addresses • Stolen passwords hardcoded in 2nd-wave malware • Spear phishing emails, e.g. myYellowCompany.exe 16Happiness does not buy you money.
- 17. ┌─┐ │ │ │ │ │ │ │░│ │░│ │░│ │░│ │░│ │░│ │░│ │▒│ │▒│ │▒│ │▒│ │▒│ │▒│ │▒│ │▓│ │▓│ │▓│ │▓│ ──┐ │▓│ ░╞══════════════════════════════════════════════════════════════════════════════════════╦═╦═══╡█│ ░│ ╚═╝ │█│ I need a six month vacation, twice a year. 16
- 18. ┌─┐ │ │ │ │ │ │ │░│ │░│ │░│ │░│ │░│ │░│ │░│ │▒│ │▒│ │▒│ │▒│ │▒│ │▒│ │▒│ │▓│ │▓│ │▓│ │▓│ ──┐ │▓│ ░╞══════════════════════════════════════════════════════════════════════════════════════╦═╦═══╡█│ ░│ ╚═╝ │█│ Debug Strings – Fake or Real? Turla/Waterbug Stuxnet Strider 17If brute force doesn’t solve your problems, then you aren’t using enough. «CloudAtlas» is clearly messing with us: • Arabic strings in the BlackBerry version • Hindi characters in the Android version • “God_Save_The_Queen” in the BlackBerry version • “JohnClerk” in the iOS version Thx BlueCoat/Kaspersky
- 19. ┌─┐ │ │ │ │ │ │ │░│ │░│ │░│ │░│ │░│ │░│ │░│ │▒│ │▒│ │▒│ │▒│ │▒│ │▒│ │▒│ │▓│ │▓│ │▓│ │▓│ ──┐ │▓│ ░╞══════════════════════════════════════════════════════════════════════════════════════╦═╦═══╡█│ ░│ ╚═╝ │█│ Commands from Taidoor [Ping] [Set sleep interval to 1 second] cmd /c net start cmd /c dir c:docume~1 cmd /c dir "c:docume~1<CurrentUser>recent" /od cmd /c dir c:progra~1 cmd /c dir "c:docume~1<CurrentUser>desktop" /od cmd /c netstat –n cmd /c net use Commands from Sykipot ipconfig /all netstat –ano net start net group "domain admins" /domain tasklist /v dir c:*.url /s dir c:*.pdf /s dir c:*.doc /s net localgroup administrators type c:boot.ini systeminfo Commands from HoneyPot sessions 18An error? Impossible! My modem is error correcting.
- 20. ┌─┐ │ │ │ │ │░│ │░│ │░│ │░│ │░│ │░│ │░│ │▒│ │▒│ │▒│ │▒│ │▒│ │▒│ │▒│ │▓│ │▓│ │▓│ │▓│ │▓│ ──┐ │█│ ░╞══════════════════════════════════════════════════════════════════════════════════════╦═╦═══╡█│ ░│ ╚═╝ │█│ Following the red hering • Sometimes you have multiple infections on same machine • Which IOC came from which actor? • “Everyone” uses common tools: Mimikatz, psExec,… • Attackers can easy plant some files from other APT groups • Example: Equation group/shadow brokers • Do you trust the compilation times, timestamps, language settings? • Most companies do not really care who it was • They just want to prevent it from happening again • Or do you plan to hack back or sue them? 19Sometimes you succeed and other times you learn.
- 21. ┌─┐ │ │ │░│ │░│ │░│ │░│ │░│ │░│ │░│ │▒│ │▒│ │▒│ │▒│ │▒│ │▒│ │▒│ │▓│ │▓│ │▓│ │▓│ │▓│ │█│ ──┐ │█│ ░╞══════════════════════════════════════════════════════════════════════════════════════╦═╦═══╡█│ ░│ ╚═╝ │█│ ©tarantula 20My therapist says I have a preoccupation with vengeance. we'll see about that Conclusion • Do your internal homework first • Be smart in what you share • We need to be effective in checking IoC • Try them and rate effectiveness • Mistakes do happen, but they still get in