Threat Intelligence Best-Practice Tips – Unite.AI

Lots of people say threat intelligence (TI) tastes good, but few understand how to cook it. Even fewer know which processes to engage for TI to actually work and pay off. And only a negligible number of people know how to choose a feed provider, where to check an indicator for false positives, and whether it is worthwhile to block a domain that a colleague has sent you over WhatsApp.

We had two commercial APT subscriptions, ten information exchanges, a few dozen free feeds, and an extensive list of TOR exit nodes. We also used a couple of powerful reversers, master PowerShell scripts, a Loki scanner and a paid VirusTotal subscription. Not that a security incident response center won't work without all of these, but if you are up to catching complex attacks you have to go the whole hog.

What I was particularly concerned with was the potential automation of checking for indicators of compromise (IOCs). There is nothing as immoral as artificial intelligence replacing a human in an activity that requires thinking. However, I realized that my company would encounter that challenge sooner or later, as the number of our customers was growing.

Over several years of constant TI activity I have stepped on a bunch of rakes, and I would like to offer some tips that will help newcomers avoid common mistakes.

Tip 1. Don't set too many hopes on catching stuff by hashes: most malware is polymorphic these days

Threat intelligence data comes in different formats and manifestations. It may include IP addresses of botnet Command and Control centers, email addresses involved in phishing campaigns, and articles on evasion techniques that APT groups are about to start leveraging. Long story short, these can be very different things.

In order to sort this whole mess out, David Bianco suggested using what is called the Pyramid of Pain. It describes a correlation between the different indicators you use to detect an attacker and the amount of "pain" you cause the attacker when you identify a particular IOC.

For instance, if you know the MD5 hash of a malicious file, it can be easily and accurately detected. However, it won't cause much pain to the attacker, because adding just one bit of information to that file will completely change its hash.

Tip 2. Try using the indicators that the attacker will find technically difficult or expensive to change

Anticipating the question of how to find out whether a file with a given hash exists in your enterprise network, I'll say the following: there are different ways. One of the easiest is to use a solution that maintains a database of MD5 hashes of all executable files across the enterprise.


Let's return to the Pyramid of Pain. As opposed to detection by a hash value, it is more productive to identify the attacker's TTPs (tactics, techniques, and procedures). This is harder to do and requires more effort, but you will inflict more pain on the adversary.

For instance, if you realize that the APT crew that targets your sector of the economic system is sending phishing emails with *.HTA recordsdata on board, then making a detection rule that appears for such e mail attachments will hit the attacker beneath the belt. They should modify the spamming tactic and even perhaps spend some bucks for purchasing 0-day or 1-day exploits that aren’t low-cost.

Tip 3. Don't set excessive hopes on detection rules created by someone else, because you have to check those rules for false positives and fine-tune them

As you get down to creating detection rules, there is always a temptation to use readily available ones. Sigma is an example of a free repository. It is a SIEM-independent format for detection methods that allows you to translate rules from the Sigma language into ElasticSearch, Splunk or ArcSight rules. The repository includes hundreds of rules. It seems like a great thing, but the devil, as always, is in the details.

Let's take a look at one of the mimikatz detection rules. This rule detects processes that attempted to read the memory of the lsass.exe process. Mimikatz does this when trying to obtain NTLM hashes, and the rule will identify the malware.

However, it is essential for us – experts who not only detect but also respond to incidents – to verify that it is really a malicious actor. Unfortunately, there are numerous legitimate processes that read lsass.exe memory (e.g., some antivirus tools). Therefore, in a real-world scenario, a rule like that will cause more false positives than benefits.

I'm not willing to accuse anyone in this regard – all solutions generate false positives; it's normal. Nevertheless, threat intelligence specialists need to understand that double-checking and fine-tuning the rules obtained from both open and closed sources is still mandatory.
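The tuning step described above, as an added example that is neither the article's nor the Sigma project's code: a tiny Sigma-style evaluator for an lsass-access rule, run over constructed process-access events, once as downloaded and once with a local filter for readers that are legitimate in this environment. The selection condition is a simplified stand-in for the real rule, and the allow-listed image paths are hypothetical.

```python
# Added example (not the article's or the Sigma project's code): a tiny Sigma-style
# evaluator for an lsass-access rule, showing the false-positive tuning the text calls for.
from dataclasses import dataclass

PROCESS_VM_READ = 0x0010  # Windows access right needed to read another process's memory


@dataclass
class ProcessAccessEvent:  # shape of a Sysmon Event ID 10 record, simplified
    source_image: str
    target_image: str
    granted_access: int


def selection(ev: ProcessAccessEvent) -> bool:
    """The rule's "selection": anyone asking for read access to lsass.exe memory.
    Simplified stand-in for the real rule's condition, not a copy of it."""
    return (ev.target_image.lower().endswith("\\lsass.exe")
            and (ev.granted_access & PROCESS_VM_READ) != 0)


# The "filter" added locally after review: images that legitimately read lsass in THIS
# environment. Hypothetical paths, constructed for the example; build yours from baselines.
LEGIT_LSASS_READERS = {
    r"c:\program files\exampleav\avscanner.exe",
    r"c:\windows\system32\csrss.exe",
}


def evaluate(events, tuned: bool):
    """Return source images flagged by the rule; tuned=True applies the local filter."""
    return [ev.source_image for ev in events
            if selection(ev)
            and not (tuned and ev.source_image.lower() in LEGIT_LSASS_READERS)]


# Constructed sample telemetry: one credential-dumping tool, two benign lsass readers,
# and one process-access event that has nothing to do with lsass.
SAMPLE_EVENTS = [
    ProcessAccessEvent(r"C:\Users\bob\Downloads\mimikatz.exe", r"C:\Windows\System32\lsass.exe", 0x1010),
    ProcessAccessEvent(r"C:\Program Files\ExampleAV\avscanner.exe", r"C:\Windows\System32\lsass.exe", 0x1010),
    ProcessAccessEvent(r"C:\Windows\System32\csrss.exe", r"C:\Windows\System32\lsass.exe", 0x1FFFFF),
    ProcessAccessEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\svchost.exe", 0x1010),
]

if __name__ == "__main__":
    print("downloaded rule:", evaluate(SAMPLE_EVENTS, tuned=False))  # 3 hits, 2 of them false positives
    print("tuned rule:     ", evaluate(SAMPLE_EVENTS, tuned=True))   # only mimikatz.exe remains
```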

Tip 4. Check domains and IP addresses for malicious behavior not only on the proxy server and the firewall but also in DNS server logs – and remember to look at both successful and failed resolution attempts

Malicious domains and IP addresses are the optimal indicators from the perspective of detection simplicity and the amount of pain you inflict on the attacker. However, they only appear easy to handle at first sight. At the very least, you have to ask yourself where to capture the domain log.


If you restrict your work to checking proxy server logs only, you may miss malicious code that tries to query the network directly or requests a non-existent domain name generated with a DGA, not to mention DNS tunneling – none of these will appear in the logs of a corporate proxy server. Criminals can also use commercial VPN services with advanced features or create custom tunnels.

Tip 5. Monitor or block – decide which one to choose only after finding out what kind of indicator you have discovered and acknowledging the potential consequences of blocking

Every IT security professional has faced a nontrivial dilemma: block a threat, or monitor its behavior and start investigating once it triggers alerts. Some guidelines unambiguously encourage you to choose blocking, but sometimes doing so is a mistake.

If the indicator of compromise is a domain name used by an APT group, don't block it – start monitoring it instead. Present-day tactics for deploying targeted attacks presuppose the presence of an additional secret connection channel, for example mobile tracking apps, which can only be discovered by in-depth analysis. Automated blocking will prevent you from discovering that channel in this scenario; moreover, the adversaries will quickly realize that you have noticed their shenanigans.

On the other hand, if the IOC is a domain used by crypto-ransomware, it should be blocked immediately. But don't forget to monitor all failed attempts to query the blocked domains – the configuration of the malicious encoder may include several Command and Control server URLs. Some of them may not be in the feeds and therefore won't be blocked. Eventually, the infection will reach out to them to obtain the encryption key, which will immediately be used to encrypt the host. The only reliable way to make sure you have blocked all the C&Cs is to reverse the sample.
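The DNS-side checks from Tip 4 and the "watch the failed lookups" advice from Tip 5, as an added example that is not part of the article: it scans resolver log lines for IOC domains, records hits regardless of whether the lookup succeeded (a query to a blocked domain fails but still proves a host tried to reach it), and flags clients producing NXDOMAIN bursts as possible DGA beaconing to C&Cs the feeds do not list yet. The log line format, the IOC domain and the sample clients are all constructed for the example.

```python
# Added example (not from the article): scan DNS server logs for IOC domains, counting
# both answered and failed (NXDOMAIN) lookups, and flag NXDOMAIN bursts per client.
import re
from collections import Counter

# Constructed log format for the example; real resolvers (BIND, Windows DNS) log
# differently, so adapt the regex to your own source.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>[\d.]+) query=(?P<qname>\S+) rcode=(?P<rcode>\w+)$")


def in_ioc_scope(qname: str, ioc_domains) -> bool:
    """Match the IOC domain itself or any subdomain of it."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in ioc_domains)


def scan_dns_log(lines, ioc_domains, nxdomain_threshold=5):
    """Return (hits, dga_suspects): hits are (client, qname, rcode) tuples including
    failed resolutions; dga_suspects are clients at or above the NXDOMAIN threshold."""
    ioc_domains = {d.lower() for d in ioc_domains}
    hits = []
    nx_per_client = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip, but in production count these too
        client, qname, rcode = m["client"], m["qname"], m["rcode"]
        if in_ioc_scope(qname, ioc_domains):
            hits.append((client, qname, rcode))
        if rcode == "NXDOMAIN":
            nx_per_client[client] += 1
    dga_suspects = sorted(c for c, n in nx_per_client.items() if n >= nxdomain_threshold)
    return hits, dga_suspects


# Constructed sample: 10.0.0.5 queries a known (already blocked) ransomware C&C and a
# benign site; 10.0.0.9 cycles through random-looking names that do not exist.
SAMPLE_LOG = [
    "2024-05-01T09:00:01 client=10.0.0.5 query=cnc.bad-ransom.example rcode=NXDOMAIN",
    "2024-05-01T09:00:02 client=10.0.0.5 query=api.cnc.bad-ransom.example rcode=NXDOMAIN",
    "2024-05-01T09:00:03 client=10.0.0.5 query=www.example.org rcode=NOERROR",
] + [f"2024-05-01T09:01:{i:02d} client=10.0.0.9 query=qz{i}xvtlk.example rcode=NXDOMAIN"
     for i in range(6)]
IOC_DOMAINS = {"cnc.bad-ransom.example"}

if __name__ == "__main__":
    hits, suspects = scan_dns_log(SAMPLE_LOG, IOC_DOMAINS)
    print(hits)      # two failed lookups from 10.0.0.5: the block held, the host is still infected
    print(suspects)  # ['10.0.0.9']
```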

Tip 6. Check all new indicators for relevance before monitoring or blocking them

Keep in mind that threat data is generated by people, who are prone to error, or by machine learning algorithms, which aren't error-proof either. I have witnessed different providers of paid reports on APT groups' activity accidentally adding legitimate samples to their lists of malicious MD5 hashes. Given that even paid threat reports contain low-quality IOCs, those obtained via open-source intelligence should definitely be vetted for relevance. TI analysts don't always check their indicators for false positives, which means the customer has to do the checking for them.


For instance, if you have obtained an IP address used by a new iteration of TrickBot, then before leveraging it in your detection systems you have to verify that it is not part of a hosting service or one emanating from your own IP space. Otherwise, you will have a hard time dealing with numerous false positives every time users visit completely benign web pages residing on that hosting platform.

Tip 7. Automate all threat data workflows to the maximum. Start by fully automating the false-positive check via a warning list, while instructing the SIEM to monitor the IOCs that don't trigger false positives

In order to avoid a large number of false positives related to intelligence obtained from open sources, you can run a preliminary search for these indicators in warning lists. To create such lists, you can use the top 1000 websites by traffic, the addresses of internal subnets, and the domains used by major service providers like Google, Amazon AWS, MS Azure and others. It is also a great idea to implement a solution that dynamically updates warning lists consisting of the top domains / IP addresses that the company's employees have accessed during the past week or month.

Creating these warning lists can be problematic for a medium-sized SOC, so it makes sense to consider adopting so-called threat intelligence platforms.
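The warning-list pre-filter from Tip 7, which also performs the hosting-range and internal-subnet check that Tip 6 wants for an indicator like the TrickBot IP, as an added example that is not part of the article or any TI platform: raw feed entries are classified as IP or domain and checked against constructed warning lists before being handed to the SIEM. The list contents, the RFC 5737 test ranges standing in for a hosting provider, and the sample feed are all constructed.

```python
# Added example (not from the article): pre-filter a raw IOC feed against "warning lists"
# (top-traffic sites, internal subnets, major providers) so only indicators that will not
# flood the SIEM with false positives are handed over for monitoring.
import ipaddress

# Constructed warning lists; in production, build them from real top-N traffic data,
# your own address plan and the providers' published domains and ranges.
TOP_SITES = {"google.com", "microsoft.com"}
PROVIDER_DOMAINS = {"amazonaws.com", "azurewebsites.net", "cloudfront.net"}
INTERNAL_SUBNETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
PROVIDER_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3 stands in for a hosting range


def domain_reason(domain: str):
    """Return why a domain IOC is too noisy to monitor, or None if it is usable."""
    d = domain.lower().rstrip(".")
    for name in TOP_SITES | PROVIDER_DOMAINS:
        if d == name or d.endswith("." + name):
            return "shared/top domain " + name
    return None


def ip_reason(ip):
    """Return why an IP IOC is too noisy to monitor, or None if it is usable."""
    for net in INTERNAL_SUBNETS:
        if ip in net:
            return "internal subnet " + str(net)
    for net in PROVIDER_RANGES:
        if ip in net:
            return "shared hosting range " + str(net)  # the TrickBot-on-a-hoster case from Tip 6
    return None


def vet_iocs(raw_iocs):
    """Split feed entries into (monitor, suppressed); suppressed carries the reason."""
    monitor, suppressed = [], []
    for ioc in raw_iocs:
        ioc = ioc.strip()
        try:
            reason = ip_reason(ipaddress.ip_address(ioc))
        except ValueError:  # not an IP literal, so treat it as a domain
            reason = domain_reason(ioc)
        if reason:
            suppressed.append((ioc, reason))
        else:
            monitor.append(ioc)
    return monitor, suppressed


# Constructed feed: a mix of usable indicators and ones that would only generate noise
RAW_FEED = ["198.51.100.23", "203.0.113.77", "10.20.30.40", "cnc.bad-ransom.example",
            "s3.amazonaws.com", "login.microsoft.com"]

if __name__ == "__main__":
    keep, drop = vet_iocs(RAW_FEED)
    print("monitor:   ", keep)  # ['198.51.100.23', 'cnc.bad-ransom.example']
    print("suppressed:", drop)
```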

Tip 8. Scan the entire enterprise for host indicators, not only the hosts connected to the SIEM

As a rule, not all hosts in an enterprise are plugged into the SIEM. Therefore, it is impossible to check them for a malicious file with a particular name or path using only the standard SIEM functionality. You can handle this issue in the following ways:

  1. Use IOC scanners such as Loki. You can use SCCM to launch it on all enterprise hosts and then forward the results to a shared network folder.
  2. Use vulnerability scanners. Some of them have compliance modes that allow you to check the network for a particular file in a particular path.
  3. Write a PowerShell script and run it via WinRM.

As mentioned above, this article isn't meant to be a comprehensive knowledge base on how to do threat intelligence right. Judging from our experience, though, following these simple rules will allow newcomers to avoid critical mistakes while dealing with different indicators of compromise.
