Blue team reboot - HackFest

● Security Consultant - Researcher
● Twitter: @haydnjohnson
● Talks: BsidesTO, Circle City Con, BsidesLV, SecTor
● Offsec, Purple Team, Gym??
● Big 4 experience
● http://www.slideshare.net/HaydnJohnson
Haydn Johnson

Cheryl Biswas
● Security researcher/analyst Threat Intel
● APTs, Mainframes, ICS SCADA, Shadow IT, StarTrek
● BSidesLV, Circle City, BSidesT0, SecTor, Hackfest, TiaraCon
● https://whitehatcheryl.wordpress.com
● Twitter: @3ncr1pt3d

DISCLAIMER: The views represented
here are solely our own and not those of
our employers, past or present, or
future.

Props to DarkReading
This started with a webinar for DarkReading on Threat
Intel and how to use it effectively. We received some
great feedback, a lot of interest, and built upon it for
HackFest.
Our Webinar:
https://webinar.darkreading.com/2492?keycode=SBX
&cid=smartbox_techweb_upcoming_webinars_8.500
000620

What We Will Cover
All. That. DATA
Logging towards Alerts
Threat Intel
Visibility
Context
Pinpointing an Attack
Kill Chains & OODA Loops

Terminology
IOC - Indicator of Compromise - Domain, IP
address, URL
IOA - Indicator of Attack
COA - Course of Action - What can we do to prevent,
mitigate, detect, EG - Implement a block on an
email address
TTP - Tactics, Techniques, and Procedures

Your Take-Away Lootbag
What it is
Relevance
Example cases
Tools & software applicable

Logs
CIA
Confidentiality
Integrity
Availability

Web Application Logs
Knock Knock
Who was there?
The first place to
detect
scanners
recon
data scraping

Firewall Logs
Ingress | Egress
Websites | Email | FTP
End Point

Host Logs
Whitelisting applications - KNOWN GOOD
Execution of Macros
Terminal Commands executed
Time of logins
Average use

Network Logs
Internal traffic
Domain connections
Internal Scanning
https://www.sans.org/reading-room/whitepapers/logging/importance-
logging-traffic-monitoring-information-security-1379
2003

Big Data
A Little Talk About ...

So. Much. Data
Crown
Jewels
Relevance
Asset
Management

Create A Baseline
Have a starting place
Known traffic
Known good
Regular review
Know Your Normal

Just Say NO!!!
Macros: Disable
Adobe Anything: I can’t even
PowerShell: Are you worthy?
Admin for all - ORLY?

@InvokeThreatGuy
https://github.com/invokethreatguy/DC416October?files=1

Wait!
Who’s the
all-powerful admin here?

Tools / Software
Carbon Black / Bit9
SysMon
Log-MD
WireShark
https://www.wireshark.org/
https://msdn.microsoft.com/en-us/library/windows/desktop/dd408124(v=vs.85).aspx
http://www.darkoperator.com/blog/2014/8/8/sysinternals-sysmon
http://log-md.com/
http://brakeingsecurity.blogspot.ca/2015/10/2015-042-logmd-more-malware-archaeology.html

VISIBILITY
Visibility:
What’s in
your sights

CONTEXT
Context
I haz
meaning?

Good Alerts
Give enough information to correlate
Understand all you can from the one log
Actionable
Standard procedures for each for IR team
Time is NOT on your side

Example Time
Workstation 2 Workstation

A: Lateral Movement
@raffertylaura | @haydnjohnson
https://www.youtube.com/watch?v=KO68mbk9-
OU&list=PL02T0JOKYEq52plvmxiJ1cSbwUgHHvP7H&index=8

Threat Intel: What it Ain’t
Threat actor information
Campaigns
Indicators of
Compromise (IOCs)
Identify known threats
Exploitation in the wild

Threat intel: What it is
A product from
collection, processing,
exploitation, analysis
dissemination and
feedback of
information.

Reducing False Positives
IOC Validation
Alert Tuning from IOCs
https://quadrantsec.com/about/blog/the_false_positives_of_threat_intelligence/

Threat Reports
Is it relevant to business?
Could it have an impact?
Are there IOCs?
COA for prevention, detection, mitigation
KEY CRITERIA

Threat Report - Example
Landing Page
Downloader URL
C2 traffic

Threat Report - Example 2
http://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-espionage-campaign-
evolves-adds-japan-target-list/

C2 via blogs
Hard coded tags
http://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-espionage-campaign-
evolves-adds-japan-target-list/

Downloader
C2

IOCs - MD5
Not strong but can
put in place fast!

THREAT
CORRELATION
Combining Data and Threat intel

The 4 C’s
Collect
Consolidate
Control
Communicate

Visibility
Take a big picture view
Know what’s going on from
end to end
Cuz you don’t know what you
don’t know

How to Play With Data
Not what you got but how you use it
Ask the right questions - get the right answers
What have we been missing?

Security Analytics - Example
The Game Changers
Machine Learning
Analytics
IAM

BIG DATA - TOOLS
OpenSoc - Cisco
RITA - Real Intelligence Threat Analysis
BreakoutDetection R package - Twitter
http://opensoc.github.io/
RITA - http://www.blackhillsinfosec.com/?page_id=4417
https://github.com/twitter/BreakoutDetection

Pinpointing an Attack
Identification of malicious-ness

Detecting an attack - Visibility & Patterns
Known Good
Alerts
Investigation
Lessons learned
http://www.scmagazine.com/five-tips-to-detect-contain-and-control-cyber-threats/article/467856/

Detecting an attack
Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned
SANS IR Steps!

Cyber Kill Chain +
Extended Version

Lockheed Martin Cyber Kill Chain
“The seven steps of the Lockheed Martin Cyber Kill
Chain® enhance visibility into an attack and
enrich an analyst’s understanding of an
adversary’s tactics, techniques and procedures.”
http://cyber.lockheedmartin.com/solutions/cyber-
kill-chain

Cyber Kill Chain
1. Reconnaissance
2.Weaponization
3.Delivery
4.Exploitation
5.Installation
6.Command & Control
7.Action on Objectives

Cyber Kill Chain Extended
7 - Actions on
Objectives
Internal Kill
Chain
Target
Manipulation
Kill Chain
http://www.seantmalone.com/docs/us-16-Malone-
Using-an-Expanded-Cyber-Kill-Chain-Model-to-
Increase-Attack-Resiliency.pdf

Cyber Kill Chain Extended
Map & understanding specific systems
Subvert target systems & business processes
Raise Attackers Cost

OODA LOOP
Attackers
Observe Orient Decide Act

Your Blue Team Fighter Pilots
Goose Maverick

OODA Loop - for the defender
Practice
Be ready to change direction
Take Action

Relevance
Use to actively identify security controls
People Process Procedures
Identify Gaps
Confirm assumptions
Tune

Visibility on Blind Spots
Looking at each step allows a methodical
approach to defense.
Reduces Bias and Blind spots.
Can lead to Threat Hunting

Malicious Attachments
https://github.com/carnal0wnage/malicious_file_maker

Test your email filters
Understand which attachments come through
Build | refine | controls

Send various types of malicious attachments via
multiple sources
How many emails does it take to block a sender?
What types of attachments generate alerts?

In summary
LOGS
ALERTS
THREAT INTEL
CORRELATION
CYBER KILL CHAIN
PROACTIVE=

Take awaysAKA - what you should remember

Total success!
❖Be proactive
❖Back2Basics
❖Visibility
❖Context

❖Test it
❖Look for it
❖Patterns
❖Anomalies
Total success!

Thank You!
Any questions?
Feel free to reach out to us later!
@haydnjohnson @3ncr1pt3d

Blue team reboot - HackFest

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Blue team reboot - HackFest (20)

More from Haydn Johnson (6)

Recently uploaded (20)

Blue team reboot - HackFest