SlideShare a Scribd company logo

Open Secrets of the Defense Industry: Building Your Own Intelligence Program From the Ground Up

Download as PPTX, PDF
Sean Whalen, profile picture
Sean Whalen

The document serves as a guide for building an intelligence-driven cybersecurity program, drawing from best practices in the defense industry and open source tools. It emphasizes the importance of proactive threat response, team diversity, and effective intelligence sharing. Key recommendations include using open source software, centralizing logs, tracking security work, and leveraging automation for repeatable tasks.

Technology
Related topics:
Information Security
1 of 50
Downloaded 29 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
Open Secrets of the Defense Industry Building Your Own Intelligence Program From the Ground Up Sean Whalen
Disclaimer The views and opinions expressed here are my own, and may not represent those of my past, current, and post-apocalyptic employers.
Who is this guy? • I’m an Information Security Engineer • Intelligence analyst • Human log parser • I specialize in network defense • I love open source software • Most of my security experience comes from the Defense Industrial Base (DIB) • I recently moved to the healthcare industry • I’m building a DIB-style intel program • Stalk me @SeanTheGeek
Overview Respond proactively to threats like a defense contractor. It’s more realistic than you might think! A practical guide of how to build intelligence-driven cyber defenses using free software, based on real implementations of best practices, adapted from the Lockheed Martin Cyber Kill Chain model.
Security conference memes For the informative lolz
Buy lots of tools and services or…
APT has magic
Actual APT code Dropped by UltraSurf.exe 6dc7cc33a3cdcfee6c4edb6c085b869d FireEye: Operation Saffron Rose
Open Secrets of the Defense Industry: Building Your Own Intelligence Program From the Ground Up
Open Secrets of the Defense Industry: Building Your Own Intelligence Program From the Ground Up
Image credit: FireEye
Open Secrets of the Defense Industry: Building Your Own Intelligence Program From the Ground Up
They also stole creds in a more direct way Image credit: FireEye
How do we defend against this?
Intelligence! Intelligence! Intelligence! Intelligence!
People power • A diverse, interactive team is essential for any security program • Specialties, not silos • Tool development, forensics, IR, intel, malware analysis • Look for SAs, devs, and infrastructure employees who are interested in a new challenge • Scale up by training recent grads who are motivated • You need people who understand security, not just security tools • Allow fluid movement from one specialty to another
Intelligence building is a cycle Observe Collect AnalyzeShare Adapt
General ranking of intel priority by source 1. Internal 2. Trusted, “mature” industry partners 3. Developing industry partners 4. Subscription services 5. Simi-public government publications 6. OSINT/PR reports Intel collection without evaluating the source leads to noisy alerts
Your own network is your best intel source No one knows you better than you
Goals • Read the Lockheed Martin Kill Chain paper • Train employees to report phishing and other sketchy things • Collect data on phishing, malware, and other attacks sent your way • Analyze strategically • Automate the Boring Stuff with Python • Share with friends • Present findings to stakeholders • Adapt your defenses and processes
Open source software Break the kill chain without breaking the bank
Why open source? • Cost – Spend less on products and more on resources • Flexibility – You can modify it and customize it however you like • Innovation – Rapidly implement new ideas; build what doesn’t exist • Privacy – Your data is your data • Community – Share knowledge and inspiration with peers
Build a malware sandbox • The Spender fork of the Cuckoo Sandbox project is a powerful way to quickly derive actionable intelligence from malware samples • Generally higher-quality signatures and malware identification • Anti-VM and anti-sandbox countermeasures • Transparent Tor proxy support • Nice-looking PDF reports • Similar sample heuristics • Full setup guide at https://infosecspeakeasy.org/t/howto-build-a- cuckoo-sandbox/27 • Start analyzing malware in hours!
Collect all the things! • Centralize your logs • Splunk Enterprise Security (ES) • Open source ELK stack • CRITs – Collaborative Research Into Threats • Can store almost any kind of threat data • UI can get overwhelming if you try to store all the things in it • Most useful for storing phishing email data (IMO)
Document all the things! • Use a team wiki to document all processes, tools, security events, intelligence research, campaign briefings, and other unstructured data • Create canned replies and action plans • Learn from mistakes, and make success repeatable • Shorten the learning curve for new team members • I recommend XWiki • Highly extendable • LDAP and granular permissions out of the box • Much less hacking required when compared to others
Track your work • Use an InfoSec ticketing system to track all work • Store key metrics: Time-to-Detect, Time-to-Remediate • Avoid duplicated effort • Show trends, and team workload • RTIR – Request Tracker for Incident Response • Open source, extremely flexible, customizable • Can create tickets through email, such as intel emails from partners • Integration with other services requires knowledge of Perl (my eyes!) • Simple Python API wrapper • Commercial support and professional services are available
Sharing is caring Herd immunity FTW!
What intel sharing is not
What intel sharing is
Sharing can be hard, at first What do you collect? What do you share? Can you share it? How do you share it? Who do you share it with? Who can you trust? What can you do with shared information? Declassified SASC Inquiry Into Cyber Intrusions of TRANSCOM Contractors
How to share phishing data • Include full email headers (except internal ones) • Redact the target addresses for privacy • Include generalized targeting information (number, roles) • Include the raw body and attachments (within encrypted zips) • Redact any ID numbers in URLs for privacy, but note the composition • If it is in HTML, include screenshots
How to share watering hole data • The date and time the attack was observed, with UTC offset • The URL of the watering hole (i.e. the compromised site) • The URLs of any malicious resources or website redirections • A list of tactics used (e.g. iframes, plugins, etc.) • Any malicious files (e.g. swfs) as attachments • Defanged sample code
Sharing malware • Use encrypted zips with a password of “infected” • Avoids contamination and making AV/IDS go crazy • Include any sandbox report you may have • Make note of any interesting or confusing points • Include the best indicators for detecting it, if you know them • C2 • Stages • Files/registry keys created/modified, or deleted • Mutexes • General behavior
The state of sharing solutions
• Basically the only free (as in beer), production-quality TAXII server/application • Freeware – Open standards, not open source software • Support subscriptions • Created by the NH-ISAC, in use at most ISACs • Lots of SIEMs/IR tools can take TAXII feeds; to name a few: • Carbon Black • Splunk Enterprise Security • Cyphort • QRadar • The STIX/TAXII standards can take a while to implement on your own Soltra Edge
Malware Information Sharing Platform (MISP) • Open source software (GPLv3) • Indicator database • Straightforward workflows • Flexible, automated sharing • Generates Snort/Suricata rules • Imports from OpenIOC, Cuckoo, ThreatConnect CSV • Exports to OpenIOC, plain text, CSV, MISP XML or JSON • Simple API – Not in wide use like TAXII, but much easier to use
ThreatConnect • Everything you could ever want in a SaaS Threat Intelligence Platform • Turnkey • Extremely Expensive • Intel in the cloud may raise privacy and legal concerns
Free Threat Intelligence Platforms • AlienVault Open Threat Exchange (OTX) • Open threat information sharing • Simple API • Bro, TAXII, and Suricata integration • Python, Java, and Go SDKs • Facebook ThreatExchange • Share threat indicators on Facebook’s Graph API infrastructure • Share with the whole community, or a selected partners • Libraries for Python, Ruby, PHP, and NodeJS
Automate all the things! Within reason… • Think of ways to integrate your intel tools and security controls • Automate repeatable tasks • Don’t try to automate people • If a security product does not have documented, robust API, you do not want it!
TTPs > Indicators
Discourse • The best intel sharing groups that I have been a part of are private discussion forums. No fancy tech, just humans helping humans • Great for: learning and sharing tactics, team discussions • Discourse is a modern, open source forum/mailing list • Created by the founders of stack overflow • Responsive/mobile-friendly • Updates in real-time • Easy to read
Defanging attack data • Defang malicious URLs and mail addresses when posting to places that auto-link, such as IMs and some forums • That way, a researcher doesn’t accidently click on a malicious link • Common conventions • Replace http with hxxp • Replace . with [.]
What makes a good intel sharing community? • Confidentiality – The Traffic Light Protocal (TLP) is a good system, if followed. NDAs are better • No anonymity – We need to know who is being attacked • Made of all parts of an industry: Suppliers, contractors, competitors • Supportive discussion • Clear threat indicators (not a wall of text) • Rapid dissemination • Frequent activity • Historic – Learn from the past
The InfoSec Speakeasy • An invite-only community for InfoSec professionals • I designed it to be a model for starting and managing other groups • A place to build and share strategy and intel across industries • Public tutorials • Powered by the Discourse open source discussion platform • Send me a request for an invite from your work email, then send your own invites to your colleagues https://infosecspeakeasy.org
Red Sky Alliance • A private, vetted commercial intel sharing community • Follows the Kill Chain model – Includes signatures • All data comes from other members – across a diverse range of industries Red Sky Alliance FAQ
Leveraging intel Use it or loose it
Deploy intel-guided countermeasures • Block/redirect known bad x-mailers, IPs, user agents, etc. • Write custom IDS/IPS rules • Compare attack techniques to current security controls • Infer attacker intentions based on targeting and actions • Block domains based on DNS recon using services like whoisxmlapi • Keep users and leadership aware of attack trends against your network
DIY Endpoint Monitoring and Remediation • Use the power of open source software and mature, internal intel • LIMA CHARLIE – Endpoint monitoring stack • Constantly monitor your endpoints • Recursively investigates • Present findings to IR analyst • Use native tools such as PowerShell • PSRecon • Kansa
Defenses to deploy yesterday • Microsoft EMET (0-day killer) • Multi-factor authentication (DUO is easy-to-use and extremely flexible) • Remove local admins (Avecto DefendPoint, ByondTrust PowerBroker) • Email sandboxing (Your custom sandbox, Proofpoint, or a combination) • Block all uncategorized sites at your web proxy • Block any outflow that isn’t your from your mail servers or web proxies • WAFs, seriously • Bro NSM, Suricata IDS/IPS with Emerging Threats • Forced, multi-factor full-time VPNs for all remote workers • Tune your AV (It isn’t dead; you might not be using it right) • Application Whitelisting (Windows AppLocker is included with Windows Enterprise)
Questions? Sean@SeanPWhalen.com @SeanTheGeek

More Related Content

PPTX
Intro to INFOSEC
Sean Whalen
 
PPTX
Lofty Ideals: The Nature of Clouds and Encryption
Sean Whalen
 
PDF
Ransomware ly
Lisa Young
 
PPTX
Red team Engagement
Indranil Banerjee
 
PDF
Statistical analysis of HTTPS reachability
APNIC
 
PPTX
Ed McCabe - Putting the Intelligence back in Threat Intelligence
centralohioissa
 
PPT
Security Intelligence: Advanced Persistent Threats
Peter Wood
 
PPTX
online investigation
fortune777
 
Intro to INFOSEC
Sean Whalen
 
Lofty Ideals: The Nature of Clouds and Encryption
Sean Whalen
 
Ransomware ly
Lisa Young
 
Red team Engagement
Indranil Banerjee
 
Statistical analysis of HTTPS reachability
APNIC
 
Ed McCabe - Putting the Intelligence back in Threat Intelligence
centralohioissa
 
Security Intelligence: Advanced Persistent Threats
Peter Wood
 
online investigation
fortune777
 

What's hot (20)

PPTX
Cyber Incident Response & Digital Forensics Lecture
Ollie Whitehouse
 
PDF
AI for CyberSecurity
Satnam Singh
 
PDF
Advanced persistent threats(APT)
Network Intelligence India
 
PDF
The Internet of Things: We've Got to Chat
Duo Security
 
PPTX
Chris Haley - Understanding Attackers' Use of Covert Communications
centralohioissa
 
PPTX
Top Cybersecurity Challenges Facing Your Business
Nicholas Davis
 
PPTX
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Zivaro Inc
 
PDF
Smart Nation, smart hacks and legal liability for cybersecurity breaches in t...
Benjamin Ang
 
PPT
Mark Arena - Cyber Threat Intelligence #uisgcon9
UISGCON
 
PDF
Cyber of things 2.0
Deepak Kumar (D3)
 
PPTX
Jason Samide - State of Security & 2016 Predictions
centralohioissa
 
PPTX
Login cat tekmonks - v3
TEKMONKS
 
PDF
Ethical hacking and social engineering
Sweta Kumari Barnwal
 
PDF
Texas Bitcoin Conference: Are Privacy Coins Private Enough?
Clare Nelson, CISSP, CIPP-E
 
PPTX
I want to be a cyber forensic examiner
Neeraj Aarora
 
PPT
Have the Bad Guys Won the Cyber security War...
Andrew Hammond
 
PDF
Physical Penetration Testing - RootedCON 2015
Hykeos
 
PDF
EENA 2021: Keynote – Open-Source Intelligence (OSINT) for emergency services ...
EENA (European Emergency Number Association)
 
PDF
OSINT - Open Source Intelligence
c0c0n - International Cyber Security and Policing Conference
 
PDF
Cyber forensics and auditing
Sweta Kumari Barnwal
 
Cyber Incident Response & Digital Forensics Lecture
Ollie Whitehouse
 
AI for CyberSecurity
Satnam Singh
 
Advanced persistent threats(APT)
Network Intelligence India
 
The Internet of Things: We've Got to Chat
Duo Security
 
Chris Haley - Understanding Attackers' Use of Covert Communications
centralohioissa
 
Top Cybersecurity Challenges Facing Your Business
Nicholas Davis
 
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Zivaro Inc
 
Smart Nation, smart hacks and legal liability for cybersecurity breaches in t...
Benjamin Ang
 
Mark Arena - Cyber Threat Intelligence #uisgcon9
UISGCON
 
Cyber of things 2.0
Deepak Kumar (D3)
 
Jason Samide - State of Security & 2016 Predictions
centralohioissa
 
Login cat tekmonks - v3
TEKMONKS
 
Ethical hacking and social engineering
Sweta Kumari Barnwal
 
Texas Bitcoin Conference: Are Privacy Coins Private Enough?
Clare Nelson, CISSP, CIPP-E
 
I want to be a cyber forensic examiner
Neeraj Aarora
 
Have the Bad Guys Won the Cyber security War...
Andrew Hammond
 
Physical Penetration Testing - RootedCON 2015
Hykeos
 
EENA 2021: Keynote – Open-Source Intelligence (OSINT) for emergency services ...
EENA (European Emergency Number Association)
 
OSINT - Open Source Intelligence
c0c0n - International Cyber Security and Policing Conference
 
Cyber forensics and auditing
Sweta Kumari Barnwal
 
Ad

Viewers also liked (20)

PPT
concepto de colección local
guestf488db7
 
PDF
Internationale clusters in vergelijkend perpsectief
Anika Snel
 
PDF
Whats new in IBM MQ; V9 LTS, V9.0.1 CD and V9.0.2 CD
David Ware
 
PDF
Turn Data Into Actionable Insights - StampedeCon 2016
StampedeCon
 
PPTX
Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016
grecsl
 
PPT
Delphi XE2, door André Mussche op de 4DotNet Developers Day
Hanneke Dotnet
 
KEY
Performance Pack
day
 
PDF
Microservices Tracing with Spring Cloud and Zipkin
Marcin Grzejszczak
 
PDF
Home Brewing R.U.M - Analyzing application performance with real user monitoring
Ankit Rastogi
 
PDF
Open Development
Paolo Mottadelli
 
PPTX
Tic’s y enfermería
Valentina Arboleda
 
PDF
Incident Command: The far side of the edge
Fastly
 
PDF
Open Source Approach to Design and Deployment of Microservices-based VNF
Open Networking Summit
 
DOC
Creating a personal narrative
Emily Kissner
 
PDF
The Lost Tales of Platform Design (February 2017)
Julien SIMON
 
PPTX
WTF is Sensu and Monitoring
Toby Jackson
 
PPTX
Lost in Translation - Blackhat Brazil 2014
Rodrigo Montoro
 
PDF
Mohamed Ahmed Abdelkhalek
Mohamed A. Abdelkhalek
 
PPT
IBM Bluemix OpenWhisk: Serverless Conference 2016, London, UK: The Future of ...
OpenWhisk
 
PDF
Metrics, Logs, Transaction Traces, Anomaly Detection at Scale
Sematext Group, Inc.
 
concepto de colección local
guestf488db7
 
Internationale clusters in vergelijkend perpsectief
Anika Snel
 
Whats new in IBM MQ; V9 LTS, V9.0.1 CD and V9.0.2 CD
David Ware
 
Turn Data Into Actionable Insights - StampedeCon 2016
StampedeCon
 
Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016
grecsl
 
Delphi XE2, door André Mussche op de 4DotNet Developers Day
Hanneke Dotnet
 
Performance Pack
day
 
Microservices Tracing with Spring Cloud and Zipkin
Marcin Grzejszczak
 
Home Brewing R.U.M - Analyzing application performance with real user monitoring
Ankit Rastogi
 
Open Development
Paolo Mottadelli
 
Tic’s y enfermería
Valentina Arboleda
 
Incident Command: The far side of the edge
Fastly
 
Open Source Approach to Design and Deployment of Microservices-based VNF
Open Networking Summit
 
Creating a personal narrative
Emily Kissner
 
The Lost Tales of Platform Design (February 2017)
Julien SIMON
 
WTF is Sensu and Monitoring
Toby Jackson
 
Lost in Translation - Blackhat Brazil 2014
Rodrigo Montoro
 
Mohamed Ahmed Abdelkhalek
Mohamed A. Abdelkhalek
 
IBM Bluemix OpenWhisk: Serverless Conference 2016, London, UK: The Future of ...
OpenWhisk
 
Metrics, Logs, Transaction Traces, Anomaly Detection at Scale
Sematext Group, Inc.
 
Ad

Similar to Open Secrets of the Defense Industry: Building Your Own Intelligence Program From the Ground Up (20)

PDF
2023 NCIT: Introduction to Intrusion Detection
APNIC
 
PDF
ISACA Ethical Hacking Presentation 10/2011
Xavier Mertens
 
PPTX
Keynote at the Cyber Security Summit Prague 2015
Claus Cramon Houmann
 
PDF
Top 10 Essential Ethical Hacker Tools Everyone Should Know.pdf
daksh908982
 
PPTX
Jason Kent - AppSec Without Additional Tools
centralohioissa
 
PDF
Security Training: Making your weakest link the strongest - CircleCityCon 2017
Aaron Hnatiw
 
PPTX
Security in the age of open source - Myths and misperceptions
Tim Mackey
 
PPTX
Keynote Information Security days Luxembourg 2015
Claus Cramon Houmann
 
PPTX
Advanced Persistent Threats
ESET
 
PPTX
Webinar - Compliance with the Microsoft Cloud- 2017-04-19
TechSoup
 
PPTX
Presentation infra and_datacentrre_dialogue_v2
Claus Cramon Houmann
 
PPTX
How To Start Your InfoSec Career
Andrew McNicol
 
PPTX
EthicalHack{aksdladlsfsamnookfmnakoasjd}.pptx
dagarabull
 
PPTX
Defending Enterprise IT - beating assymetricality
Claus Cramon Houmann
 
PDF
The_Pentester_Blueprint.pdf
gcara4
 
PPTX
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Mobodexter
 
PPTX
SplunkLive! Customer Presentation – athenahealth
Stephanie Bies
 
PPTX
SplunkLive! Customer Presentation – athenahealth
Stephanie Bies
 
PDF
OSINT for Attack and Defense
Andrew McNicol
 
PPTX
Python-Assisted Red-Teaming Operation
Satria Ady Pradana
 
2023 NCIT: Introduction to Intrusion Detection
APNIC
 
ISACA Ethical Hacking Presentation 10/2011
Xavier Mertens
 
Keynote at the Cyber Security Summit Prague 2015
Claus Cramon Houmann
 
Top 10 Essential Ethical Hacker Tools Everyone Should Know.pdf
daksh908982
 
Jason Kent - AppSec Without Additional Tools
centralohioissa
 
Security Training: Making your weakest link the strongest - CircleCityCon 2017
Aaron Hnatiw
 
Security in the age of open source - Myths and misperceptions
Tim Mackey
 
Keynote Information Security days Luxembourg 2015
Claus Cramon Houmann
 
Advanced Persistent Threats
ESET
 
Webinar - Compliance with the Microsoft Cloud- 2017-04-19
TechSoup
 
Presentation infra and_datacentrre_dialogue_v2
Claus Cramon Houmann
 
How To Start Your InfoSec Career
Andrew McNicol
 
EthicalHack{aksdladlsfsamnookfmnakoasjd}.pptx
dagarabull
 
Defending Enterprise IT - beating assymetricality
Claus Cramon Houmann
 
The_Pentester_Blueprint.pdf
gcara4
 
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Mobodexter
 
SplunkLive! Customer Presentation – athenahealth
Stephanie Bies
 
SplunkLive! Customer Presentation – athenahealth
Stephanie Bies
 
OSINT for Attack and Defense
Andrew McNicol
 
Python-Assisted Red-Teaming Operation
Satria Ady Pradana
 

Recently uploaded (20)

PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Approach and Philosophy of On baking technology
30anthuong17
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Encapsulation theory and applications.pdf
gurumoop
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
KodekX | Application Modernization Development
KodekX
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 

Open Secrets of the Defense Industry: Building Your Own Intelligence Program From the Ground Up

  • 1. Open Secrets of the Defense Industry Building Your Own Intelligence Program From the Ground Up Sean Whalen
  • 2. Disclaimer The views and opinions expressed here are my own, and may not represent those of my past, current, and post-apocalyptic employers.
  • 3. Who is this guy? • I’m an Information Security Engineer • Intelligence analyst • Human log parser • I specialize in network defense • I love open source software • Most of my security experience comes from the Defense Industrial Base (DIB) • I recently moved to the healthcare industry • I’m building a DIB-style intel program • Stalk me @SeanTheGeek
  • 4. Overview Respond proactively to threats like a defense contractor. It’s more realistic than you might think! A practical guide of how to build intelligence-driven cyber defenses using free software, based on real implementations of best practices, adapted from the Lockheed Martin Cyber Kill Chain model.
  • 5. Security conference memes For the informative lolz
  • 6. Buy lots of tools and services or…
  • 8. Actual APT code Dropped by UltraSurf.exe 6dc7cc33a3cdcfee6c4edb6c085b869d FireEye: Operation Saffron Rose
  • 13. They also stole creds in a more direct way Image credit: FireEye
  • 14. How do we defend against this?
  • 16. People power • A diverse, interactive team is essential for any security program • Specialties, not silos • Tool development, forensics, IR, intel, malware analysis • Look for SAs, devs, and infrastructure employees who are interested in a new challenge • Scale up by training recent grads who are motivated • You need people who understand security, not just security tools • Allow fluid movement from one specialty to another
  • 17. Intelligence building is a cycle Observe Collect AnalyzeShare Adapt
  • 18. General ranking of intel priority by source 1. Internal 2. Trusted, “mature” industry partners 3. Developing industry partners 4. Subscription services 5. Simi-public government publications 6. OSINT/PR reports Intel collection without evaluating the source leads to noisy alerts
  • 19. Your own network is your best intel source No one knows you better than you
  • 20. Goals • Read the Lockheed Martin Kill Chain paper • Train employees to report phishing and other sketchy things • Collect data on phishing, malware, and other attacks sent your way • Analyze strategically • Automate the Boring Stuff with Python • Share with friends • Present findings to stakeholders • Adapt your defenses and processes
  • 21. Open source software Break the kill chain without breaking the bank
  • 22. Why open source? • Cost – Spend less on products and more on resources • Flexibility – You can modify it and customize it however you like • Innovation – Rapidly implement new ideas; build what doesn’t exist • Privacy – Your data is your data • Community – Share knowledge and inspiration with peers
  • 23. Build a malware sandbox • The Spender fork of the Cuckoo Sandbox project is a powerful way to quickly derive actionable intelligence from malware samples • Generally higher-quality signatures and malware identification • Anti-VM and anti-sandbox countermeasures • Transparent Tor proxy support • Nice-looking PDF reports • Similar sample heuristics • Full setup guide at https://infosecspeakeasy.org/t/howto-build-a- cuckoo-sandbox/27 • Start analyzing malware in hours!
  • 24. Collect all the things! • Centralize your logs • Splunk Enterprise Security (ES) • Open source ELK stack • CRITs – Collaborative Research Into Threats • Can store almost any kind of threat data • UI can get overwhelming if you try to store all the things in it • Most useful for storing phishing email data (IMO)
  • 25. Document all the things! • Use a team wiki to document all processes, tools, security events, intelligence research, campaign briefings, and other unstructured data • Create canned replies and action plans • Learn from mistakes, and make success repeatable • Shorten the learning curve for new team members • I recommend XWiki • Highly extendable • LDAP and granular permissions out of the box • Much less hacking required when compared to others
  • 26. Track your work • Use an InfoSec ticketing system to track all work • Store key metrics: Time-to-Detect, Time-to-Remediate • Avoid duplicated effort • Show trends, and team workload • RTIR – Request Tracker for Incident Response • Open source, extremely flexible, customizable • Can create tickets through email, such as intel emails from partners • Integration with other services requires knowledge of Perl (my eyes!) • Simple Python API wrapper • Commercial support and professional services are available
  • 27. Sharing is caring Herd immunity FTW!
  • 30. Sharing can be hard, at first What do you collect? What do you share? Can you share it? How do you share it? Who do you share it with? Who can you trust? What can you do with shared information? Declassified SASC Inquiry Into Cyber Intrusions of TRANSCOM Contractors
  • 31. How to share phishing data • Include full email headers (except internal ones) • Redact the target addresses for privacy • Include generalized targeting information (number, roles) • Include the raw body and attachments (within encrypted zips) • Redact any ID numbers in URLs for privacy, but note the composition • If it is in HTML, include screenshots
  • 32. How to share watering hole data • The date and time the attack was observed, with UTC offset • The URL of the watering hole (i.e. the compromised site) • The URLs of any malicious resources or website redirections • A list of tactics used (e.g. iframes, plugins, etc.) • Any malicious files (e.g. swfs) as attachments • Defanged sample code
  • 33. Sharing malware • Use encrypted zips with a password of “infected” • Avoids contamination and making AV/IDS go crazy • Include any sandbox report you may have • Make note of any interesting or confusing points • Include the best indicators for detecting it, if you know them • C2 • Stages • Files/registry keys created/modified, or deleted • Mutexes • General behavior
  • 34. The state of sharing solutions
  • 35. • Basically the only free (as in beer), production-quality TAXII server/application • Freeware – Open standards, not open source software • Support subscriptions • Created by the NH-ISAC, in use at most ISACs • Lots of SIEMs/IR tools can take TAXII feeds; to name a few: • Carbon Black • Splunk Enterprise Security • Cyphort • QRadar • The STIX/TAXII standards can take a while to implement on your own Soltra Edge
  • 36. Malware Information Sharing Platform (MISP) • Open source software (GPLv3) • Indicator database • Straightforward workflows • Flexible, automated sharing • Generates Snort/Suricata rules • Imports from OpenIOC, Cuckoo, ThreatConnect CSV • Exports to OpenIOC, plain text, CSV, MISP XML or JSON • Simple API – Not in wide use like TAXII, but much easier to use
  • 37. ThreatConnect • Everything you could ever want in a SaaS Threat Intelligence Platform • Turnkey • Extremely Expensive • Intel in the cloud may raise privacy and legal concerns
  • 38. Free Threat Intelligence Platforms • AlienVault Open Threat Exchange (OTX) • Open threat information sharing • Simple API • Bro, TAXII, and Suricata integration • Python, Java, and Go SDKs • Facebook ThreatExchange • Share threat indicators on Facebook’s Graph API infrastructure • Share with the whole community, or a selected partners • Libraries for Python, Ruby, PHP, and NodeJS
  • 39. Automate all the things! Within reason… • Think of ways to integrate your intel tools and security controls • Automate repeatable tasks • Don’t try to automate people • If a security product does not have documented, robust API, you do not want it!
  • 41. Discourse • The best intel sharing groups that I have been a part of are private discussion forums. No fancy tech, just humans helping humans • Great for: learning and sharing tactics, team discussions • Discourse is a modern, open source forum/mailing list • Created by the founders of stack overflow • Responsive/mobile-friendly • Updates in real-time • Easy to read
  • 42. Defanging attack data • Defang malicious URLs and mail addresses when posting to places that auto-link, such as IMs and some forums • That way, a researcher doesn’t accidently click on a malicious link • Common conventions • Replace http with hxxp • Replace . with [.]
  • 43. What makes a good intel sharing community? • Confidentiality – The Traffic Light Protocal (TLP) is a good system, if followed. NDAs are better • No anonymity – We need to know who is being attacked • Made of all parts of an industry: Suppliers, contractors, competitors • Supportive discussion • Clear threat indicators (not a wall of text) • Rapid dissemination • Frequent activity • Historic – Learn from the past
  • 44. The InfoSec Speakeasy • An invite-only community for InfoSec professionals • I designed it to be a model for starting and managing other groups • A place to build and share strategy and intel across industries • Public tutorials • Powered by the Discourse open source discussion platform • Send me a request for an invite from your work email, then send your own invites to your colleagues https://infosecspeakeasy.org
  • 45. Red Sky Alliance • A private, vetted commercial intel sharing community • Follows the Kill Chain model – Includes signatures • All data comes from other members – across a diverse range of industries Red Sky Alliance FAQ
  • 46. Leveraging intel Use it or loose it
  • 47. Deploy intel-guided countermeasures • Block/redirect known bad x-mailers, IPs, user agents, etc. • Write custom IDS/IPS rules • Compare attack techniques to current security controls • Infer attacker intentions based on targeting and actions • Block domains based on DNS recon using services like whoisxmlapi • Keep users and leadership aware of attack trends against your network
  • 48. DIY Endpoint Monitoring and Remediation • Use the power of open source software and mature, internal intel • LIMA CHARLIE – Endpoint monitoring stack • Constantly monitor your endpoints • Recursively investigates • Present findings to IR analyst • Use native tools such as PowerShell • PSRecon • Kansa
  • 49. Defenses to deploy yesterday • Microsoft EMET (0-day killer) • Multi-factor authentication (DUO is easy-to-use and extremely flexible) • Remove local admins (Avecto DefendPoint, ByondTrust PowerBroker) • Email sandboxing (Your custom sandbox, Proofpoint, or a combination) • Block all uncategorized sites at your web proxy • Block any outflow that isn’t your from your mail servers or web proxies • WAFs, seriously • Bro NSM, Suricata IDS/IPS with Emerging Threats • Forced, multi-factor full-time VPNs for all remote workers • Tune your AV (It isn’t dead; you might not be using it right) • Application Whitelisting (Windows AppLocker is included with Windows Enterprise)

Editor's Notes

  • #5: Skeptical? When I left the industry, I was worried that much of what I had learned would not be translatable outside because the approach is so different than in many other industries. What I’ve discovered that the same basic tactics are effective everywhere; the differences are a matter of risk-based priorities and scale. Cyber security consulting has become a major growth market for defense contractors, and for good reason. They had to mature their security programs before almost anyone else.
  • #7: How often does a tool not live up to the hype? How long has a simple change been “on the roadmap?” Does it really meet your needs?
  • #8: APTs are often more Persistent than Advanced – taking advantage of well-known flaws. Use of 0-day exploits are rare, because they often aren’t needed. Lots of APT code is a mess, but it still works.
  • #9: Here we have the creatively named “Stealer” program used by the “Ajax Security Team” in Iran. They are my favorite APT group to talk about because there’s so much public documentation on them. Not because FireEye is so awesome, but because their OPSEC was so poor as they transitioned from hacktivisim to espionage. I did some digging on VirusTotal, and found a sample of their Stealer bundled with a copy of UltraSurf, a legit tool to circumvent internet censorship. This suggests that their espionage targets included Iranian dissidents, thus aligning themselves with an Iranian government agenda. The main part of the program is an unobfiscated .NET PE, so you can decompile it to source code in a few clicks with ILSpy. Winning! Reverse engineering is rarely this easy. You can see they set static variables for a passphrase and salt; bad practices right off the bat… They also run a DLL, whose sole purpose in life is to ship out files Stealer makes via FTP.
  • #10: Then they proceed to completely ignore the variables they created in AES crypto calls, which are copypastad over and over...and they misspelled proxy.   The combination of FTP and symmetric encryption left the attackers open to being pwned.
  • #11: Yet, once you start digging through the rest of the code beyond the main class, you’ll find it is well-written. There’s even code to send and receive files via various protocols, including FTP and HTTP (which would be most successful), and stubs for SFTP and SMTP. That makes AppTransferWiz.dll completely unnecessary. The stark contrast in quality suggests that Ajax team appropriated most of this code from someone else, which isn’t surprising given their start as hacktivists.
  • #12: It’s easy to laugh about this, until you see they were targeting the aerospace industry with well-designed phishing attacks during a time of heightened US-Iran tensions. According to FireEye, there is evidence that they continued to use this malware for some time. This suggests that Stealer was successful at least some of the time. If it ain’t broke, don’t fix it. Right?
  • #13: Stealer can steal credentials from common browsers and IM programs
  • #16: Intelligence is great, but it’s often misunderstood or glossed over because of hype. Intel services don’t have reports of every domain, IP address, email, and malware sample. They only know what they have seen, largely through their customers. You can start collecting data yourself that is much more relevant to you.
  • #17: Finding qualified candidates can be challenging. Information security is still an up-and-coming field. Expecting to find lots of experience in your area may not be realistic. However, your current IT staff have very valuable experience with your network and your organization, which might represent a sharp learning curve to a knowledgeable newcomer. They may also gleam insights that others would miss. Whether hiring internally, or recruiting recent graduates, look for motivation. If they have a security mindset, a passion for figuring out how things work, and get along well with others, that can easily trump a lack of experience, especially with training.
  • #18: Observe – Identify your most critical systems and security controls. Monitor industry trends. Keep track of internal IT projects Collect – Gather any information you can from inventories, logs and sensors Analyze – Look at the data you have collected, and identify the biggest threats and risks. Weed out bad or useless intel. Share – Share attack details and countermeasures with industry partners. Share posture, risks, successes, and failures with the IT org and corporate leadership. Get “front line” details from the IR team to evaluate the quality of collected intel Adapt – Make adjustments to security controls, strategies, and processes based on all of the above Integrate this cycle as a part of your IR process. IR and intel should be a feedback loop. Both should drive tool development and product purchase decisions.
  • #19: The best source of intelligence starts with you, and works its way out from there. You don’t know what to prioritize if you don’t know what your risks are. By relying on a subscription intelligence service, you are dependent on their reactions and observations, which might not have anything to do with your network or industry. Conversely, the same people who are attacking your supplier or competitor are probably going after you too. Unclassified government flashes are old by the time they reach the end recipients, and are frequently leaked to the press shortly thereafter. Comprehensive campaign exposés are great PR for security vendors, and terrible for other intelligence analysts, who may be monitoring the campaign in secret. Exposure doesn’t make attackers go away. They will change tactics, or their patron will hire someone else. A whitepaper is not going to stop a nationstate; it’s just going to make them smarter. By building intelligence yourself and within your industry, you have the greatest possible context -- much more than “ this IP address is related to bad things”.
  • #20: Your incident responders know what their biggest headaches are. Their biggest headaches are caused by your biggest risks. By focusing on those, you improve the overall security posture of the entire organization. Sometimes people focus more on the high-profile InfoSec news than what is going on in their own network. You have no hope of finding advanced threats if you are perpetually overwhelmed by opportunistic attacks.
  • #23: Wouldn’t you rather spend support contract money on creating a team that can build whatever you needed, rather than one-size-fits-all solutions? Many commercial vendors are building data sets based on activity they have observed in the networks of their customers, raising privacy and OPSEC concerns. I’m not saying all commercial tools are bad, some are great, but consider if you really need it first. Giving back to the community helps everyone, and is great PR. Be a trailblazer for your industry!
  • #24: My dev Cuckoo box was an old Dell PowerEdge 2950 – Circa 2009 Hosting 4 Windows sandbox VMs concurrently Max throughput ~ 85 samples/hour
  • #25: Even if you can’t act on ALL on the the security data RIGHT NOW, it gives you a picture of what your biggest threats are risks are, Even if you find yourself constantly documenting playing whack-a-mole with opportunistic attacks, that tells you that you need to work on the fundamentals before you go hunting for APTs. Your processes will never be perfect, and if you try to make them perfect, you will freeze. Get started today. Learning how to intel will involve trial and error.
  • #29: Some of the biggest hindrances to information sharing are unfounded fears of embarrassment and liability. Intel sharing is NOT airing dirty laundry.
  • #30: You simply report attacks you have observed, and the tactics, techniques, and procedures that the attackers used. You don’t have to say “Yeah, these guys totally kicked our asses!”. Weather they were successful or not is nowhere near as important as how they tried. Sharing that information builds herd immunity. For example, you can tell if a specific industry vertical is being targeted, and start to define campaigns.
  • #36: STIX/TAXII are great if everything you use already speaks it, but it is very complicated and time-consuming to implement on your own.
  • #40: Yes, you read that right. Disable opportunistic TLS in SMTP so Suricata can read the traffic and provide alerts and file extraction. If something is going over email that is confidential, the message itself should be encrypted as a best practice anyway.
  • #44: ISACs are doing it wrong
  • #46: I haven’t used it myself yet, but I’ve heard good things from people I trust
  • #50: While not all of these solutions are free or open source, they are simple to implement, and provide some of the most important defenses against today’s tactics By blocking all non-mail server/proxy traffic, you are limiting exfil paths to what you know about AppLocker works best on task-specific workstations such as kiosks, SCADA, surveillance systems, PoS, etc.