No Budget Threat Intelligence – Tracking Malware Campaigns on the Cheap

Andrew Morris, formerly an Intrepidus Group employee and currently a researcher at Endgame, proves at ShmooCon that threat intel doesn’t have to be expensive.

Andrew Morris: So, this is “No Budget Threat Intelligence – Tracking Malware Campaigns on the Cheap”. First of all, thank you guys all for being here at 10:00 am after the ShmooCon party, when you’re all really hungover. Hopefully, some of you guys are still drunk, because it’s going to make this talk a lot more interesting. Actually, I wanted to give a quick shout-out to the people who almost got in a fight last night when we were standing next to the ashtray, and one of them was like “Dude, AT&T syntax is so much better.” I was like “What?!”

Who’s Mr. Morris

Alright, my name is Andrew Morris. I work at Intrepidus Group, which is part of NCC Group. My background is actually in offense, and this is more of a defense-oriented talk. I don’t really have much incident response or operations defense experience, so if I say anything that’s stupid or if there’s anything that is not completely accurate or anything like that, feel free to shoot me an email or whatever. This is my information down here (see right-hand image) if you guys want to follow me on any of the various social media.

Agenda for the presentation

So, we are going to go through the background: a little bit of info on threat intelligence, why you should care, a little bit of previous work that I’ve done in the same topic. We are going to talk about the infrastructure – setting up your no budget threat intelligence infrastructure. We are going to just quickly kind of breeze over that, because I’ve actually done another presentation that focuses on that a lot more, which I’ll talk about in a little bit. Discovery and investigation – we are going to look at analyzing sensor data, honeypot data, securing malware samples and doing a little bit of reverse engineering to look at the capabilities and look at some of the stuff that malware is talking to and things like that.

And then, we are going to talk about automation. We are going to talk about this thing called the “Animus”, which is something that I have been building for a little while. We are going to talk about publishing automated reports, automating mass scanning and looking for adversary infrastructure, and publishing signatures. And then, defensive thoughts – we are going to talk about hardening machines, leveraging the data (how you can use the data that you collect doing the stuff that we are going to talk about today), implementing firewall rules, sharing IOCs and stuff like that. And we are going to talk about the roadmap for the future, some of the stuff I want to look at doing in this space.

Background

Background topics to be covered

Let’s start off with the background (see right-hand image). We are going to have a quick threat intelligence primer; set up cheap honeypots; examine attacks being executed on the open Internet; manage and aggregate data; locate malware artifacts; emulate malware traffic; track DDoS targets; automate C2 discovery; and we are going to report some data.

Explaining the concept

So, threat intelligence (see left-hand image). What is threat intelligence? If you just break down the words, “threat” refers to bad guys, and “intelligence” refers to predicting the future, so “threat intelligence” refers to studying bad guys to predict what they are going to do, usually to defend yourself, but not always. Conventional threat intelligence – there are a lot of people who actually do this and aren’t just random assholes giving presentations about it. They kind of study bad guys to develop IOCs, which are “indicators of compromise”. IOCs can take a bunch of different forms. Basically, an IOC can be anything from the MD5 of a file that is known bad – that’s an indicator of compromise; or it could be a URL, it could be an IP address, it could be a domain name, it could be a registry key – a ton of different forms that an IOC can take.

Conventional threat intel

A lot of these threat intelligence vendors, people who provide this stuff, are going to deploy agents on endpoints of their customer network (see right-hand image). It’s kind of like A/V – they are going to have sensors that are going to sit on desktops that are going to, basically, flag on anomalous behavior like seeing an indicator or something like that. Once is bad, right? You got one flag, one thing that shoots off – okay, that’s bad. It’s not that bad. But if you get two or more across the enterprise, that’s where they are going to say “Oh, this is really bad, it might be an APT,” whatever. And that’s how it usually functions. Threat intelligence vendors do a lot more than that also. I mean, they do a lot of big write-ups and reports talking about tactics and procedures and all this other stuff.
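The flagging logic just described, as an added example written for this transcript rather than code from the talk or from any vendor’s product: endpoint events are matched against a small IOC set (file hash, IP, domain, registry key), a single matching host is flagged, and an indicator seen on two or more hosts across the fleet is escalated. Every indicator and event below is constructed sample data (placeholder hash, documentation-range IP, `.invalid` domain, made-up registry key), not a real IOC.

```python
"""Minimal IOC matching and cross-host escalation (constructed example)."""
from collections import defaultdict

# Constructed IOC set, keyed by the event field each indicator applies to.
# None of these values are real indicators; they are placeholders.
IOCS = {
    "md5": {"deadbeefdeadbeefdeadbeefdeadbeef"},        # known-bad file hash
    "ip": {"203.0.113.7"},                             # C2 address (documentation range)
    "domain": {"c2.example.invalid"},                  # C2 hostname
    "registry_key": {r"HKCU\Software\ExampleBadKey"},  # persistence key
}

# Constructed endpoint sensor events from several hosts. Only some match.
EVENTS = [
    {"host": "ws-01", "md5": "deadbeefdeadbeefdeadbeefdeadbeef"},
    {"host": "ws-01", "domain": "C2.Example.Invalid"},   # mixed case on purpose
    {"host": "ws-02", "ip": "203.0.113.7"},
    {"host": "ws-03", "domain": "c2.example.invalid"},
    {"host": "ws-04", "registry_key": r"HKCU\Software\ExampleBadKey"},
    {"host": "ws-05", "domain": "updates.example.org"},  # benign
    {"host": "ws-05", "md5": "00000000000000000000000000000000"},  # benign
]


def normalize(field, value):
    """Canonicalize values so trivial variations do not dodge a match."""
    if field in ("md5", "domain"):
        return value.strip().lower()
    return value.strip()


def match_events(events, iocs):
    """Return a list of (host, field, value) hits for events that carry an IOC."""
    hits = []
    for event in events:
        host = event["host"]
        for field, value in event.items():
            if field == "host" or field not in iocs:
                continue
            if normalize(field, value) in iocs[field]:
                hits.append((host, field, normalize(field, value)))
    return hits


def triage(hits):
    """Group hits by indicator and assign a severity.

    One host seeing an indicator is a 'flag'; two or more distinct hosts
    seeing the same indicator is escalated, mirroring the rule in the talk.
    """
    hosts_by_ioc = defaultdict(set)
    for host, field, value in hits:
        hosts_by_ioc[(field, value)].add(host)
    result = {}
    for ioc, hosts in hosts_by_ioc.items():
        severity = "escalate" if len(hosts) >= 2 else "flag"
        result[ioc] = {"hosts": sorted(hosts), "severity": severity}
    return result


if __name__ == "__main__":
    for (field, value), info in sorted(triage(match_events(EVENTS, IOCS)).items()):
        print(f"{info['severity']:8} {field}={value} hosts={','.join(info['hosts'])}")
```

The domain indicator is the one that escalates here because two different hosts resolved it; the hash, IP and registry hits each stay at a single flag. The normalization step matters in practice: without lower-casing, the mixed-case DNS event on ws-01 would be missed and the cross-host count would drop to one.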

Antivirus is so 2005.

But why? What’s the difference between that? Antivirus, as I would say, is so 2005. It’s dead. Everyone keeps saying that. Antivirus is dead. It’s checking some file, and you can just change one byte in that, and it’s going to change the checksum completely. Modifying binaries is really easy for bad guys to do, so A/V is super-dead.

Threat intelligence is so 2015. It’s really hard to change infrastructure, and it’s really-really hard to change your tactics as a bad guy. I mean, if the products and if the people are actually looking at the tactics that you are using as a bad guy, you can’t just change the way you operate in order to get around defenders anymore, or at least you are forcing people to.

The bad guys aren’t too smart

Today the bad guys, the actual adversaries that I’m going to talk about, are bad guys that target the open Internet (see left-hand image). They just target everything that they can possibly see. I don’t do incident response; this was kind of the network that I had to work with. The bad guys we are going to be talking about are not terribly smart. They are not advanced.

Witty parallels

There’s a lot of them, and they compromise a lot of machines. It turns out you don’t actually have to be super-advanced to compromise lots of machines on the Internet. And they use really-really lame stuff like SSH default creds, open JMX consoles, Shellshock, MS08-067 facing the Internet, whatever. We are not talking about these people (see leftmost part of the image). We are talking about these people (right-hand part of the image). It’s spray and pray. It’s like Modern Warfare 2. It’s the numbers game, trying to pop as many boxes as humanly possible, missing 99.9% of the time.
Read next: No Budget Threat Intelligence 2: Setting up Cheap Honeypots