SLAITCONSULTING.com
SECURITY SERVICES
SLAIT Consulting
Chris Beiring
Utilizing OSINT in Threat Analytics & Incident Response
Overview
• Things to Ponder
• An OSINT Checklist
• Reporting, Using OSINT, & Bridging the Gap
• Resources and Repositories
• Pulling everything together and enhancing your reports!
About me
• Security Engineer for SLAIT Consulting, Many Hats, One Rabbit!
• 6 years in Managed IT Services, 2 years in Cyber Security
• Breaker & Fixer of many, many, many things. Tinkerer, H+
• (I've been told they call me Rabbit)
• Father to a new baby girl (hopefully Star Wars sticks with this one) and a 6-year-old future SOCOM Operator/Door Kicker.
Introduction
•What is OSINT and how does it benefit me?
•Open source VS Commercial
•How difficult/easy is it to begin developing/building?
•What is this going to cost me?
Things to Ponder
•Who can use OSINT?
•Why would you use OSINT?
•Where could you use OSINT?
•When can you use OSINT?
•How Can you use OSINT?
Recommended Preliminary OSINT Checklist
• Versatility
• Logging resources
• Alternative Thinking
OSINT all the Things!
•Remember, Quality In = Quality Out!
•Routines are needed, but they also really hurt
•Don’t Fall Prey!
•Challenge yourself or Team
•The way forward
Rapid Response Triage Light Protocol (RRTLP)
•You have a Framework, right?
•Do you have SLAs?
•The Process you have may already work.
•My Process for Rapid Response Triage Light Protocol (RRTLP)
Threat Analysis and Incident Response using the Rapid Response Event Analysis process
Step 1
•Tagging
•Historical occurrence reviews
•Query internal Databases and/or Reporting Directories
•Still unsure? Interrogate the team
Step 2
•Monitor
•What does the data infer?
•Live captures
•Aggregate, Compile, & Parse
•Carve & Condense
•Histological Comparison Analysis
Step 3
•Requesting External OSINT Analysis
•Cautiously review & ensure private data is not being publicized
•Bad guys use Frameworks as well
•Understand legalities of data being submitted
•Classify your data points
Step 4
•Terminate Observation & Analysis
•Initiate Containment & Remediation Protocols
•Compile Report
•Request Peer Review
•Disseminate to stakeholders
Step 5
•Engineer Tracking methodology
•Monitor
•Defend
•Periodically Review
•Train & Repeat
Risk Analysis Confidence Formula
•Better Confidence means better results
•Confidence Rating Formula Review
•Measuring yourself
•Compare against historical ratings
•Build an internal ratings chart
SHINY!
Implementing OSINT into your Incident Response Analysis
•WAIT! Didn’t we just discuss reporting? What the What?
•Latticing & Bonding = Unquestionable Strength
•Reinforcing existing Tactics & Procedure
•Building now with the future in mind
•How can you improve this process?
Resources
My OSINT Master Repositories for Resources
•Into the Ocean - https://start.me/p/MEXNOe/startpage
•Personal Favorites – OSINT Framework, Bellingcat,
i-intelligence, OSINT by Michael Bazzell
•Build your Repo
•Contributing
Threat Intelligence Platforms
•OTX - https://otx.alienvault.com/
•Threatcrowd - https://www.threatcrowd.org/
•Risk IQ - https://community.riskiq.com/
•ThreatMiner - https://www.threatminer.org/
Automation Solutions
•SPIDERFOOT - https://spiderfoot.net/
•Maltego CE - https://www.paterva.com/web7/buy/maltego-clients/maltego-ce.php
•Sn1per - https://xerosecurity.com/
Tools Directory
• https://www.kitploit.com
• https://cybersponse.com/connectors/
• https://online.cameyo.com/public
• http://xiaming.me/awesome-pcaptools/
• https://www.crunchbase.com/marketplace/
• https://bigdata-madesimple.com/top-50-open-source-web-crawlers-for-data-mining/
Enrichment
•Intrigue - Intrigue.io
•OpenSOC - http://opensoc.github.io/
Security Orchestration Automation & Remediation (SOAR)
•Phantom - https://my.phantom.us/signup/
•Demisto - https://go.demisto.com/sign-up-for-demisto-free-edition?hsCtaTracking=bd8e650f-9f65-4f4a-badd-cd021e81785a%7Cba2446a6-2532-43fe-81c8-948a6d38231b
Security Playbooks
• SOC Prime - https://tdm.socprime.com/login/
• Cyphon - https://www.cyphon.io/
Reporting
• Paliscope - https://www.paliscope.com/
•Casefile - https://www.paterva.com/web7/buy/maltego-clients/casefile.php
Pulling the Pieces Together
•Blackhats, Red Teams, Aggressors all OSINT
•Be the Bad Guys Bad Guy
•Nobody really wants to be a hero
•Save time, look betterer, work smarterer!
•Purposeful enrichment!
Q & A Session
SLAIT Security Offerings
Governance
• Risk Assessment
• Policy and Procedure
• PCI Prep
• HIPAA Gap Analysis
• Audit Preparation Assistance
• Security Organization Review
Prevention
• Security Checkup
• Managed Firewall and Endpoint
• Secure Infrastructure Design & Review
• vISO Program
• Awareness Training
• Assessment
• Vulnerability Scanning
• Penetration Testing
• Phishing Exercises
Response
• ThreatRecon
• Pre-breach Preparation
• ThreatManage
• Breach Response
• Cyber Forensics
Some of SLAIT’s Technology Partners
Innovative Solutions for Forward Thinking Companies
Contact Info
Christopher M. Beiring (Buy-Ring)
Christopher.beiring@slaitconsulting.com
The third-rate mind is only happy when it is thinking
with the majority. The second-rate mind is only
happy when it is thinking with the minority. The first-
rate mind is only happy when it is thinking.
—A. A. Milne
SUPER SECRET BONUS PRIZE RESOURCE TOOL EASTER EGG OF AWESOMENESS!
Monitoring at work for others is what we do, but honestly, how many of you actually continue these processes at home, on yourself or your family? If you do, excellent; if you don’t, you should. Below is a tool I highly recommend for monitoring for breaches of you and your digital PII. Much like haveibeenpwned, however, while free for consumers, it provides a management portal, provides richer, fuller data, and allows monitoring for all of your accounts that you can verify.
ENJOY!
• https://spycloud.com

Editor's Notes

  • #4: Security Engineer for SLAIT Consulting performing various roles, including but not limited to Blue Team, Red Team, Forensics, Consulting, Development, Analysis, etc. 6 years in Managed IT Services, 2 years in Cyber Security. Breaker & Fixer of many, many, many things. Tinkerer, H+ (I've been told they call me Rabbit). Father to a new baby girl (hopefully Star Wars sticks with this one) and a 6-year-old future SOCOM Operator/Door Kicker.
  • #5: What is OSINT and how does it impact/benefit me? That is a very deep question and sadly not one we can cover here; however, resources will be provided and you are free to contact me for additional information or links. Honestly, I could spend the next couple of hours explaining to you what Open Source Intelligence is and its history, development and future capabilities... but honestly, these are not the droids you are looking for. Commercial vs Open: the never-ending battle. Difficulty!?!!?? Like with any IT solution or specialization, the closer you look the deeper that rabbit hole can get. It is more a matter of when you are satisfied and whether the worth will outweigh the depth. Budget fun times!! Next round is on you, buddy! CAPEX, OPEX, & TIMEX - as old as time itself, much to the watch manufacturers' dismay, and as undeniable as Death & Taxes: Capital Expense (Front of House) VS Operational Expenses (Back of House) = √ Time Expenditure. This is not something we will have to worry about at the moment, except for time expenditure, which I attempted to resolve; however, we must never speak of the time I folded space-time. Budget for new shiny things will be there sometimes, but as you know, not most of the time. Trim the Fat: anyone in management or leadership will tell you a business runs better when you trim the dead excess. The most common is OPEX. Build: build for the next generation capability. Most of these solutions are completely free, some are paid, but our focus is on the free because not everyone has an unlimited budget for whatever they want.
  • #6: OSINT, Universal it is, yes! Validating implementation for Terrestrial Hominids utilization & indication for Cross Platform Capable....?? Regardless of industry, expertise, or budget, OSINT can help! Rather than relying on the feeds you may currently use, which may be outdated (a great thing to check your feeds for is their TTE, or Time To Expiration. It's just like stale cookies: don't nobody want no stale cookies, peoples!), be proactive, test the data, compare the data, spoon the data just before it dumps you for another younger byte. What matters most to you during an analysis? Is it credibility of the returned data, details provided, relevance, or quality? These are all very, very important to use for leveling when building your own personal OSINT Analysis process. Always work smarter not harder; also, when you perform a digital task more than once for a routine, automate it, why not? What currently is in your IR/Analysis/Security wheelhouse for daily operations or workflow? Do you feel as though there is too much for you to do, not enough. What Framework do you use for each bucket of security, from Governance to Reporting? Who has/What has/Where is your log data being ingested from: internally, externally, physically, mentally, maddeningly!
  • #7: Versatility – due to the depth and scope of functionality, capability, and compatibility, OSINT requires very little; until you begin doing some serious actions, all you really need is a web browser. Logging resources – without a doubt, logging resources are mandatory for OSINT in cyber threat analysis and incident response. The more the merrier, because you want to be able to form a definitive picture when developing your hypothesis as to the who, what, when, where, how, and why of the IoC before you can begin your investigative queries. Alternative Thinking – I say this lightly because many of us wear many hats; we constantly must adapt and be resilient to an ever-changing threat landscape. My focus here is merely to intone the idea that it is okay to think like a bad guy. It's perfectly fine to think how you could accomplish your task if you were the bad guy on the outside: how would you exploit this? Even though each cyber security team and specialization follows or adheres to certain frameworks, we are all separate and unique individuals, and much like the number of variations from person to person, that provides the rationale that “there's more than one way to skin a cat”.
  • #8: QAI = QAO - meaning the better your data feeds are, the more robust your analysis will become! Routines - a lot of people get stuck in the mundane, everyday checklist/repetitive routines or analysis. Don't become a log/alarm jockey. If you are currently a tier 1 analyst or you have tier 1 subordinates, set a target date for Tier 2 between 6 months and 1 year max. Either they need to progress, change focus to a different team such as threat hunting, or switch sides to the red team, or they will essentially burn out and go somewhere else, and the current gap between security roles filled and what is needed is mind boggling. DON'T DO IT! - Get excited about ALL the alarms! Because even the most boring of events could be your salamander! Challenge yourself & team – fun times; if you're like me, I love a puzzle: investigating, breaking things just to put them back together to see all the individual components and in what order they go to make the thing whole. It's also super fun to see new patterns and behaviors in the wild and learn a way to engineer defense and/or awareness before a bad thing becomes disastrous. The way forward – continually evolve, stay sharp, never become complacent, and bring more light and safety to a seemingly unending and gloomy darkness of evil.
  • #9: (This is not a real protocol, merely one I designed for myself) Framework - if you don't have one, there are many types of frameworks out there. Luckily some of them are included in my shared resources. SLAs – some of us have them, some of us don't; however, it never hurts to have some internal or public goal to drive us. Whether it is sports, games, etc., I think it's time we applied these same desires and drive to how we become better at our security. Don't confuse this with recklessness; I am not implying that we should churn stuff out of the alarm mill, or get as much done as possible with a lack of attention to detail. No, I mean reasonable goals that challenge you to be better at what you do, how you do it, and where you do it. If it takes you on average 2 hours to write a well-written, forensically accurate and concise alarm event, set it to 1 ½ hours. Test yourself, compare yourself and fix what you think needs fixing. This mentality can be applied to your teams and developing their growth as well. Define extremely narrow internal SLAs; see the example below.
    PURPLE - Critical! Someone, anyone, needs to respond and attend to this within 5 minutes of the trigger for this alarm event type. This indicates real badness against Crown Jewels and critical value assets, networks or data.
    RED - HIGH. This triggered SLA alarm type should be in process or acknowledged within 15 minutes. This indicates badness, usually company wide, or that may affect the network/communications infrastructure.
    ORANGE - This triggered SLA alarm type should be in process or acknowledged within 15 - 30 minutes. This usually indicates badness against end users who are neither DA nor have any escalation privileges.
    YELLOW - This triggered SLA alarm type should be in process or acknowledged within 15 - 30 minutes. This also usually indicates low level badness against end users who are neither DA nor have any escalation privileges.
    GREEN - This triggered SLA alarm type should be in process or acknowledged within 30 - 45 minutes. Also usually indicates a False Positive; however, it should not be ignored, for several reasons. 1st, it may be real badness (Wolf in Sheep's Clothing). 2nd, it may indicate a need for tuning. 3rd, it may lead to other artifacts elsewhere.
    BLUE - TESTING. This SLA event should be used to mimic test events that would in the real world match one of the SLAs listed above. This helps build your team's confidence, makes for better reporting (as practice makes perfect), and provides a secondary data point for future KPI analysis.
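The colour tiers above give each alarm an acknowledgement window, which is only useful if something checks it. The following is an added example (not the speaker's code, and not part of the RRTLP as presented) that encodes the windows from the notes and runs a constructed alarm export through them. It assumes a line format of "trigger TAG ack-or-dash" and writes a BLUE drill as "BLUE:<imitated tag>", so the drill is measured against the window it mimics but kept out of the real breach tally, as the notes intend.

```python
from datetime import datetime, timedelta, timezone

# Acknowledgement deadlines in minutes after the trigger, per RRTLP colour tag,
# as stated in the slide notes (ORANGE and YELLOW both end at 30).
# BLUE is a drill tag that mimics one of the real tags, so it carries no window
# of its own; a drill is written as "BLUE:<imitated tag>" in the constructed format.
SLA_DEADLINE_MINUTES = {"PURPLE": 5, "RED": 15, "ORANGE": 30, "YELLOW": 30, "GREEN": 45}


def _parse_ts(text):
    # Accept a trailing "Z" for UTC (fromisoformat only learned "Z" in Python 3.11).
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_alarm(line):
    """Parse one line of the constructed export: "<trigger ISO-8601> <TAG> <ack ISO-8601 or ->"."""
    trigger, tag, ack = line.split()
    drill = tag.startswith("BLUE:")
    if drill:
        tag = tag.split(":", 1)[1]
    if tag not in SLA_DEADLINE_MINUTES:
        raise ValueError(f"unknown RRTLP tag {tag!r}")
    return {
        "tag": tag,
        "drill": drill,
        "triggered": _parse_ts(trigger),
        "acknowledged": None if ack == "-" else _parse_ts(ack),
    }


def sla_status(alarm, now):
    """'met' / 'breached' for acknowledged alarms; 'open' / 'overdue' for unacknowledged ones."""
    deadline = alarm["triggered"] + timedelta(minutes=SLA_DEADLINE_MINUTES[alarm["tag"]])
    ack = alarm["acknowledged"]
    if ack is None:
        return "open" if now <= deadline else "overdue"
    return "met" if ack <= deadline else "breached"


def sla_report(lines, now):
    """Return (tag, drill, status) per alarm and a breach count that leaves BLUE drills
    out of the tally: they are KPI data points, not real misses."""
    statuses, breaches = [], 0
    for line in lines:
        alarm = parse_alarm(line)
        status = sla_status(alarm, now)
        statuses.append((alarm["tag"], alarm["drill"], status))
        if status in ("breached", "overdue") and not alarm["drill"]:
            breaches += 1
    return statuses, breaches


# Constructed sample export, not real alarm data.
SAMPLE_ALARMS = [
    "2024-03-01T10:00:00Z PURPLE 2024-03-01T10:04:00Z",       # acked in 4 min -> met
    "2024-03-01T10:00:00Z RED 2024-03-01T10:20:00Z",          # 20 min, RED allows 15 -> breached
    "2024-03-01T10:00:00Z GREEN -",                            # unacked, 45 min window -> open at 10:30
    "2024-03-01T09:00:00Z ORANGE -",                           # unacked since 09:00 -> overdue at 10:30
    "2024-03-01T10:00:00Z BLUE:PURPLE 2024-03-01T10:09:00Z",  # late drill: reported, not counted
]
NOW = datetime(2024, 3, 1, 10, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    statuses, breaches = sla_report(SAMPLE_ALARMS, NOW)
    for tag, drill, status in statuses:
        print(f"{'drill ' if drill else ''}{tag:<7} {status}")
    print("real breaches:", breaches)
```

The "open" versus "overdue" split matters for the unacknowledged case: an alarm still inside its window is not a miss yet, while one past it is a miss even though nobody has touched it. Running this over a day's export gives the per-tier numbers the notes suggest tracking as KPIs.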
  • #11: Apply the appropriate RRTLP tag. Determine if you have seen this before: is it historical, recurring, or new? Run a query for key indicators against my available resources and/or IR reports. (As a failsafe, integrate another team member for review of data for assurance.)
  • #12: Monitor (however, if the SLA is RED or PURPLE, emergency containment protocols should be followed). Many attackers are not advanced, but instead are usually adamant, adept, or alright. Attackers always follow a methodology; it may not be the one printed on the posters you see, but they follow a routine, much like machines and biology. A quality attacker will be subtle and advance in stages in order to be successful, much like a frog, before they start eating all your proteins. What does the traffic look like? If possible, attempt to perform network/system/behavioral analytics. If possible, run packet captures on everything in and out from the targeted host. Sometimes the data may appear encrypted; sometimes a larger data set may reveal clues. Aggregate, compile data points for IoC & parse. Bring a bulk of the data together, carve out useless data and pare down to critical data points. Compare these data points against historical reports and/or historical events to determine further if this has happened before, is recurring, or is new.
  • #13: Request for External OSINT analysis - before submitting any data to public or private open sources, make sure there are not any confidential data points. Keep in mind a lot of this is public, so the bad guys are using this info just as much as you are, especially as Recon is a primary phase in their process. If you do have any confidential data points, get approval from either your higher-ups or the board, or select an alternate non-confidential piece of data. (Be careful when submitting data points or IoCs: determine if they are confidential and whether, when submitted to an external vendor, they are stored and used for their internal analytics, which may or may not be shared publicly, and which of course can put you under the light.) Itemize and prioritize collected/known data points. Use whatever resources you have; however, one very important factor to keep in mind: it doesn't matter if you have the latest SHINY, never, ever, ever, ever rely on one resource for intel. From my experience, depending on the data type, investigation and environment, a minimum of 3 resources is recommended, sometimes 5 or more if you need it. It sounds like overkill, but it's called intelligence for a reason, not datasets to compare against.
  • #14: Step 4. Terminate observation and analysis; initiate containment and remediation protocols. Compile report. Disseminate report to all stakeholders.
  • #15: Step 5. Track, monitor, and defend. Train & repeat.
  • #16: If you are using three highly reputable intel resources to rate the IoC data, and 2 say it's bad but 1 says it's good, then you have an external confidence rating of 66%. To move the bar a bit further, use the age of the intel. If older than 18 months, reduce the percentage of confidence utilizing some form of internal measurement KPI. I like to use a mean average of 12% + or -. Let's say our intel resources are as follows: Resource 1 = 1 month old | Resource 2 = 14 months old | Resource 3 = 36 months old = add 12% to the positive, as this intel source is outdated. A final measurement resource that you can set at + or - 5% is peer confirmation. If your peer agrees with your hypothesis, +5%; if not, -5%. Peer Agrees = +5% | Peer is not useful = 0% | Peer Disagrees = -5%. We will theoretically infer our peer agrees = +5%. With this formula, and the theoretical data provided, in addition to 3 intel resources:
    2 indicate malicious activity | 1 indicates non-malicious activity: 66% confidence
    Intel Age: the positive report is older than 18 months, indicating outdated/possibly incorrect data: +12%
    Intel Reliability Analysis Peer Review: peer agrees with hypothesis: +5%
    Reliability review rating: 66% + 12% + 5% = 83% Reliability Confidence Rating on analysis
    As we all may well know, history changes, and when it does, who gets to write about it this time and how accurate is it? Enrich your data. Instead of trying to use all the data (I know it's hard, all the data's are belong to us), condense your data to build a fuller, more defined explanation. This will cut down on page count as well as the need to continually regurgitate information that has already been discussed.
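The confidence formula above is easy to apply by hand for one IoC and easy to get inconsistent across a team. As an added example (my code, not the speaker's, and not part of the slides), here is the formula written down so the same rules run every time: the vote share from the sources, the 12-point age adjustment for sources older than 18 months, and the 5-point peer term. The notes work only the case where the stale source is the dissenter (+12); the sign for a stale source that supports the hypothesis (-12) is my reading of the "+ or -" wording and is an assumption, as is the clamp to 0..100. Source names and ages are constructed to match the slide's worked case.

```python
from dataclasses import dataclass
from typing import List, Optional

STALE_AFTER_MONTHS = 18   # slide: intel older than 18 months is considered outdated
STALE_ADJUSTMENT = 12     # slide: "a mean average of 12% + or -"
PEER_ADJUSTMENT = 5       # slide: peer agrees +5, disagrees -5, not useful 0


@dataclass
class IntelVerdict:
    source: str          # constructed label, not a real feed result
    malicious: bool      # True if the source rates the IoC as bad
    age_months: int      # age of the source's report on this IoC


def vote_confidence(verdicts: List[IntelVerdict], hypothesis_malicious: bool = True) -> int:
    """Share of sources agreeing with the hypothesis, as a whole percent (2 of 3 -> 66, as on the slide)."""
    if not verdicts:
        raise ValueError("need at least one intel source")
    agreeing = sum(1 for v in verdicts if v.malicious == hypothesis_malicious)
    return 100 * agreeing // len(verdicts)


def age_adjustment(verdicts: List[IntelVerdict], hypothesis_malicious: bool = True) -> int:
    """Apply +/-12 per stale source.

    The slide's case: the stale source dissents, so its outdated verdict is discounted
    and confidence in the hypothesis rises by 12. The reverse direction (a stale source
    that supports the hypothesis is discounted by 12) is an assumption drawn from the
    slide's "+ or -" wording.
    """
    adj = 0
    for v in verdicts:
        if v.age_months > STALE_AFTER_MONTHS:
            adj += -STALE_ADJUSTMENT if v.malicious == hypothesis_malicious else STALE_ADJUSTMENT
    return adj


def peer_adjustment(peer: Optional[str]) -> int:
    """peer is 'agrees', 'disagrees' or None (peer not useful)."""
    return {"agrees": PEER_ADJUSTMENT, "disagrees": -PEER_ADJUSTMENT, None: 0}[peer]


def confidence_rating(verdicts: List[IntelVerdict], peer: Optional[str] = None,
                      hypothesis_malicious: bool = True) -> int:
    raw = (vote_confidence(verdicts, hypothesis_malicious)
           + age_adjustment(verdicts, hypothesis_malicious)
           + peer_adjustment(peer))
    return max(0, min(100, raw))   # assumption: keep the rating inside 0..100


# The slide's worked case as constructed data: 2 of 3 sources say malicious,
# the dissenting one is 36 months old, and the peer agrees -> 66 + 12 + 5 = 83.
SLIDE_CASE = [
    IntelVerdict("Resource 1", malicious=True, age_months=1),
    IntelVerdict("Resource 2", malicious=True, age_months=14),
    IntelVerdict("Resource 3", malicious=False, age_months=36),
]

if __name__ == "__main__":
    print("vote:", vote_confidence(SLIDE_CASE), "age:", age_adjustment(SLIDE_CASE),
          "rating:", confidence_rating(SLIDE_CASE, peer="agrees"))
```

Passing `hypothesis_malicious=False` rates the opposite hypothesis with the same data, which is a cheap way to see how much the stale dissenter is carrying the verdict; the notes' advice to keep the inputs (sources, ages, peer) in the report is what makes the number reproducible later.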
  • #17: How I plan to help is not just another shiny toy (I mean, there are a couple in here), or the next big thing right around the corner, but a process and resource to help respond faster, with higher confidence, and maybe even get that sucker autonomous in some form, so as to free up time for you to be the best you!
  • #19: Where does one even get started? How do I know what's useful, what's not, how do I not waste my time? These are all great questions some of you have asked yourselves, others, or didn't even need to bother, because, let's face it, you're pretty awesome! Review and determine what resources are going to work best for you, because all knives can fork, but not all forks can knife! Continuously build/redesign. Sometimes good solutions go away and better ones come. Never assume that what you have is the bee's knees, because your landscape is evolving at such a rapid pace; be idle for too long and soon you're the only one left sitting at the terminal while your cohorts are off playing baseketball! Also keep in mind that always trying to find the next thing, to do that thing, for that thing, is just as bad if not worse, because everything is always in test/beta mode.
    1. Validate you are indeed experiencing an actionable event.
    2. Do homework on the subject (know your client and its adversary).
    3. Define the main questions: what, where, when, what with, which method, when, who, why.
    4. Define sources.
    5. Gather keywords on each research (sub)question.
    6. Think of what (OSINT) tools should be needed for this research and match the question to the tool.
    7. Quick scan search.
    8. Are preliminary findings what you expected to find? Otherwise repeat steps 1 to 5.
    9. Gather the needed info, exhaust your sources.
    10. Refine & analyze the found information.
    11. Are the secondary findings what you expected to find? Otherwise repeat steps 1 to 8.
    12. Report. And include everything! The things you found & analyzed, and also the things you didn't find. Test your findings with methods like ACH techniques.
    13. Let the report rest, really. Do not immediately send your report out. After letting it rest, be your own devil's advocate. Ask yourself: if I were a client or subscriber to this report, would it contain all the right (objective) findings? Maybe also let someone read it who isn't familiar with the research subject matter; they tend to be objective and could come up with some great questions to dig in and make your findings even better.
    14. When one gets back on your findings/report with new questions, repeat all above steps.
  • #21: Some of these resources share similarities or links, but there is still quite a diversity here. My personal favorites, in no particular order:
    OSINT Framework - https://osintframework.com/
    Bellingcat - https://docs.google.com/document/d/1BfLPJpRtyq4RFtHJoNpvWQjmGnyVkfE2HYoICKOGguA/edit?usp=sharing
    i-intelligence - https://www.i-intelligence.eu/wp-content/uploads/2018/06/OSINT_Handbook_June-2018_Final.pdf
    OSINT by Michael Bazzell - https://inteltechniques.com/menu.html
    Build your Repo – you do you, booboo! I myself have at least 2,000 links and references for resources and tools. Do I use them all? No, not for every investigation; I match my investigative resources to the type of event I am investigating. Also, links die, companies get bought or don't; just like the threat landscape, OSINT is an ever-changing profession and state of mind. Contributing – make the world a better place. Help your peers, the community, be a mentor.
  • #22: Excellent tools, each with their own caveats.
  • #23: I highly recommend requesting Spiderfoot HX. However, I understand if the cloud is worrisome. If you can Python, the local version allows you to create your own modules; just remember API key management! Maltego CE – API key management. Sn1per – normally used by the red team, I highly recommend this. It is free; however, if you pony up $20 for the pro edition, you get automation and report generation.
  • #24: Kitploit is one of my favorite tool resources and has been for years – DaBest! Cameyo – if you have time and are willing, this solution solves a few issues with tools: availability, local footprint, compatibility.
  • #25: Intrigue was designed to be defensive, such that the tool could be used to map your attack surface in a lightweight, lower cycle cost, searchable and reportable tool. While that may be the case, there is the obvious blackhat use, but me personally, I use it widely between both Blue and Red.
  • #26: There are many others, but these are some of the ones I know right off the top of my head that were specifically designed to do this when everyone else was focusing on standard SIEMs.
  • #28: Paliscope has to be my absolute favorite reporting tool! So much use!
  • #29: Bad guys – they do this as part of their framework for recon; public data is probably the cheapest and most useful way to hack. Be the bad guy's bad guy – turn the tides and use their tools against them. Real heroes – real heroes don't do the right thing because they are looking for something; they do the right thing because they know it's the right thing to do. Saving all the things - many of us become overworked, burned out, and frustrated. Everyone wants more done than can be accomplished in such small time frames, with smaller and smaller budgets, because the breaches are bleeding us dry, man! Enrichment – in everything you do, try to complement, as in pair or enrich something. Data, family, coworkers, whatever it is you do, enrichment will deliver in volumes.