Presentation is loading. Please wait.

Presentation is loading. Please wait.

Threat Intelligence with Open Source tools Cornerstones of

Published byAlban Higgins Modified over 9 years ago

Similar presentations

Presentation on theme: "Threat Intelligence with Open Source tools Cornerstones of"— Presentation transcript:

1 Threat Intelligence with Open Source tools Cornerstones of Trust 2014 @jaimeblasco @santiagobassett

2 Presenters JAIME BLASCO Director AlienVault Labs Security Researcher Malware Analyst Incident Response SANTIAGO BASSETT Security Engineer OSSIM / OSSEC Network Security Logs Management

3 The attacker’s advantage They only need to be successful once Determined, skilled and often funded adversaries Custom malware, 0days, multiple attack vectors, social engineering Persistent

4 The defender’s disadvantage They can’t make a mistake Understaffed, jack of all trades, underfunded Increasing complex IT infrastructure: – Moving to the cloud – Virtualization – Bring your own device Prevention controls fail to block everything Hundreds of systems and vulnerabilities to patch

5 What is Threat Intelligence? Information about malicious actors Helps you make better decisions about defense Examples: IP addresses, Domains, URL’s, File Hashes, TTP’s, victim’s industries, countries..

6 State of the art Most sharing is unstructured & human-to- human Closed groups Actual standards require knowledge, resources and time to integrate the data

7 How to use Threat Intelligence Detect what my prevention technologies fail to block Security planning, threat assessment Improves incident response / Triage Decide which vulnerabilities should I patch first

8 The Threat Intelligence Pyramid of Pain

9 Standards & Tools IODEF: Incident Object Description Exchange Format MITRE: – STIX: Structured Threat Information eXpression – TAXXII: Trusted Automated eXchange of Indicator Information – MAEC, CAPEC, CyBOX CIF: Collective Intelligence Framework

10 Collective Intelligence Framework

11 Collecting malware Some malware tracking sites: http://malc0de.com/rss http://www.malwareblacklist.com/mbl.xml http://www.malwaredomainlist.com/hostslist/mdl.xml http://vxvault.siri-urz.net/URL_List.php http://urlquery.net http://support.clean-mx.de/clean-mx/xmlviruses.php Some Open Source malware crawlers: Maltrieve: https://github.com/technoskald/maltrieve Ragpicker: https://code.google.com/p/malware-crawler/

12 Collecting malware

13 Other malware collection tools Dionaea honeypot: http://dionaea.carnivore.it/ Thug Honeyclient – Drive by download attacks: https://github.com/buffer/thug Emulates browsers functionality (activeX controls and plugins)

14 Analyzing malware Yara: Flexible, human-readable rules for identifying malicious streams. Can be used to analyze: files memory (volatility) network streams. private rule APT1_RARSilent_EXE_PDF { meta: author = "AlienVault Labs" info = "CommentCrew-threat-apt1" strings: $winrar1 = "WINRAR.SFX" wide ascii $winrar2 = ";The comment below contains SFX script commands" wide ascii $winrar3 = "Silent=1" wide ascii $str1 = /Setup=[\s\w\"]+\.(exe|pdf|doc)/ $str2 = "Steup=\"" wide ascii condition: all of ($winrar*) and 1 of ($str*) }

15 Analyzing malware Cuckoo Sandbox: Used for automated malware analysis. Traces Win32 API calls Files created, deleted and downloaded Memory dumps of malicious processes Network traffic pcaps

16 Analyzing malware

17 Sandbox – CIF integration In our example: hxxp://www.garyhart.com, domain

18 CIF External feed example

19 Thank you!! @jaimeblascob @santiagobassett

Download ppt "Threat Intelligence with Open Source tools Cornerstones of"

Similar presentations

1© Copyright 2011 EMC Corporation. All rights reserved. The Future of the Advance Soc 3rd Annual Privacy, Access and Security Congress, Ottawa, 2012 Mike.

1© Copyright 2011 EMC Corporation. All rights reserved. The Future of the Advance Soc 3rd Annual Privacy, Access and Security Congress, Ottawa, 2012 Mike.
Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –

Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –
Mike Goffin and Wesley Shields 2014-11-14 Approved for Public Release; Distribution Unlimited. Case Number 14-3467.

Mike Goffin and Wesley Shields Approved for Public Release; Distribution Unlimited. Case Number
The Most Analytical and Comprehensive Defense Network in a Box.

The Most Analytical and Comprehensive Defense Network in a Box.
Honey Pots: Natures Dessert or Cyber Defense Tool? Eric Richardson.

Honey Pots: Natures Dessert or Cyber Defense Tool? Eric Richardson.
“White Hat Anonymity”: Current challenges security researchers face preforming actionable OSINT Christopher R. Barber, CISSP, C|EHv7 Threat Analyst Solutionary.

“White Hat Anonymity”: Current challenges security researchers face preforming actionable OSINT Christopher R. Barber, CISSP, C|EHv7 Threat Analyst Solutionary.
Copyright 2011 Trend Micro Inc. Trend Micro Web Security- Overview.

Copyright 2011 Trend Micro Inc. Trend Micro Web Security- Overview.
SESSION 9 THE INTERNET AND THE NEW INFORMATION NEW INFORMATIONTECHNOLOGYINFRASTRUCTURE.

SESSION 9 THE INTERNET AND THE NEW INFORMATION NEW INFORMATIONTECHNOLOGYINFRASTRUCTURE.
Mike Goffin 2014-10-17. Who am I? Mike Goffin Lead DeveloperProject Manager Senior Cyber Security Research Engineer The MITRE Corporation.

Mike Goffin Who am I? Mike Goffin Lead DeveloperProject Manager Senior Cyber Security Research Engineer The MITRE Corporation.
IBM Security Network Protection (XGS)

IBM Security Network Protection (XGS)
© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework.

© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework.
1 Cost-Effective Strategies for Countering Security Threats: IPSEC, SSLi and DDoS Mitigation Bruce Hembree, Senior Systems Engineer A10 Networks.

1 Cost-Effective Strategies for Countering Security Threats: IPSEC, SSLi and DDoS Mitigation Bruce Hembree, Senior Systems Engineer A10 Networks.
* The Role of Threat Intelligence and Layered Security for Intrusion Prevention in the Post-Target Breach Era Ted Gruenloh Director of Operations Sentinel.

* The Role of Threat Intelligence and Layered Security for Intrusion Prevention in the Post-Target Breach Era Ted Gruenloh Director of Operations Sentinel.
MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.

MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.
Copyright Justin C. Klein HECTOR Security Intelligence Platform Developed for: University of Pennsylvania School of Arts & Science.

Copyright Justin C. Klein HECTOR Security Intelligence Platform Developed for: University of Pennsylvania School of Arts & Science.
Honeypots. Introduction A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.

Honeypots. Introduction A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.
3-Protecting Systems Dr. John P. Abraham Professor UTPA.

3-Protecting Systems Dr. John P. Abraham Professor UTPA.
Smart Protection Network Kelvin Liu AVP, Core Tech Development.

Smart Protection Network Kelvin Liu AVP, Core Tech Development.
1 © 2001, Cisco Systems, Inc. All rights reserved. Cisco Info Center for Security Monitoring.

1 © 2001, Cisco Systems, Inc. All rights reserved. Cisco Info Center for Security Monitoring.
Security Innovation & Startup. OPEN THREAT EXCHANGE (OTX): THE HISTORY AND FUTURE OF OPEN THREAT INTELLIGENCE COMMUNITY ALIENVAULT OTX.

Security Innovation & Startup. OPEN THREAT EXCHANGE (OTX): THE HISTORY AND FUTURE OF OPEN THREAT INTELLIGENCE COMMUNITY ALIENVAULT OTX.

Similar presentations

Ads by Google