Andrew Morris, formerly of Intrepidus Group and now a researcher at Endgame, shows at ShmooCon that threat intelligence doesn't have to be expensive.
Andrew Morris: So, this is "No Budget Threat Intelligence – Tracking Malware Campaigns on the Cheap". First of all, thank you guys all for being here at 10:00 am after the ShmooCon party, when you're all really hungover. Hopefully, some of you guys are still drunk, because it's going to make this talk a lot more interesting. Actually, I wanted to give a quick shout-out to the people who almost got in a fight last night when we were standing next to the ash tray, and one of them was like "Dude, AT&T syntax is so much better." I was like "What?!"

Alright, my name is Andrew Morris. I work at Intrepidus Group, which is part of NCC Group. My background is actually in offense, and this is more of a defense-oriented talk. I don't really have much incident response or operations defense experience, so if I say anything that's stupid or if there's anything that is not completely accurate or anything like that, feel free to shoot me an email or whatever. This is my information down here (see right-hand image) if you guys want to follow me on any various social media.

So, we are going to go through the background: a little bit of info on threat intelligence, why you should care, a little bit of previous work that I've done on the same topic. We are going to talk about the infrastructure – setting up your no budget threat intelligence infrastructure. We are going to just quickly kind of breeze over that, because I've actually done another presentation that focuses on that a lot more, which I'll talk about in a little bit. Discovery and investigation – we are going to look at analyzing sensor data, honeypot data, securing malware samples and doing a little bit of reverse engineering to look at the capabilities and look at some of the stuff that malware is talking to and things like that.
And then, we are going to talk about automation. We are going to talk about this thing called the “Animus”, which is something that I have been building for a little while. We are going to talk about publishing automated reports, automating mass scanning and looking for adversary infrastructure, and publishing signatures. And then, defensive thoughts – we are going to talk about hardening machines, leveraging the data (how you can use the data that you collect doing the stuff that we are going to talk about today), implementing firewall rules, sharing IOCs and stuff like that. And we are going to talk about roadmap for the future, some of the stuff I want to look at doing the work in this space.
But why? What’s the difference between that? Antivirus, as I would say, is so 2005. It’s dead. Everyone keeps saying that. Antivirus is dead. It’s checking some file, and you can just change one byte in that, and it’s going to change the checksum completely. Modifying binaries is really easy for bad guys to do, so A/V is super-dead.
Threat intelligence is so 2015. It's really hard to change infrastructure, and it's really, really hard to change your tactics as a bad guy. I mean, if the products and if the people are actually looking at the tactics that you are using as a bad guy, you can't just change the way you operate in order to get around defenders anymore, or at least you are forcing people to.

Today the bad guys, the actual adversaries that I'm going to talk about, are bad guys that target the open Internet (see left-hand image). They just target everything that they can possibly see. I don't do incident response; this was kind of the network that I had to work with. The bad guys we are going to be talking about are not terribly smart. They are not advanced. There's a lot of them, and they compromise a lot of machines. It turns out you don't actually have to be super-advanced to compromise lots of machines on the Internet. And they use really, really lame stuff like SSH default creds, open JMX consoles, Shellshock, MS08_067 facing the Internet, whatever. We are not talking about these people (see leftmost part of the image). We are talking about these people (right-hand part of the image). It's spray and pray. It's like Modern Warfare 2. It's the numbers game, trying to pop as many boxes as humanly possible, missing 99.9% of the time.