
IOC What You Mean - Darren Kingsnorth

BSides Cymru Wales · 2023 · 34:58 · Published 2023-04
Style: Talk

Transcript [en]

Okay, so my chat is "IOC What You Mean". Apart from the absolutely cracking pun there, it's really about creating a high-fidelity escalator up the pyramid of pain. So essentially it's all about actionable intelligence, using the pyramid of pain as a conduit to that.

So who am I? My name is [unclear]. I have a terrible title, so I couldn't think of anything creative. I'm the threat intelligence manager at Admiral Group, and my goodness me, [unclear] experience: ten years of diverse pen testing and threat intel. Some of you in this room may have worked with me before, unfortunately, and so I come from [unclear], CGI, Admiral (Admiral twice, actually, so I love the place so much), NCC and ECC. So enough of that. Let's go back. There we go.

So just to give everyone in the room a quick sitrep in terms of what we're discussing today: what is threat intelligence? A quick show of hands to get everyone involved: who locks their door at night? And who locks their car at night? And who locks the attic door? Oh, wow. That's my comedy gift for the day.

So the premise is, ultimately, you're using threat intel on a daily basis whether you know it or not. It's all about informing decision making, using threat intel to guide you through that. This just gives you a visual view of where intelligence comes from: collection, processing, analysis. That's what we call the intelligence cycle.

So how does that work from a cyber perspective? In this particular avenue we're looking at effective detection. Some of you may know the term indicators of compromise, IOCs. It's been heavily bandied around in terms of how it's used, so just to give you a sitrep on what it actually means: an indicator of compromise is what has happened. It's essentially a reactive state, so as a result your detection window, in terms of when you can detect that, is, well, an arbitrary figure that big. The reason I mention that is because, based on current reporting from Mandiant and IBM, mean time to detect is roughly 21 days to 323 days, which is absolutely ridiculous when you consider the fact that, based on current analysis, it takes roughly two to four days for [unclear] ransom, like John from Sophos mentioned earlier on.

So to that end, we then look to branch out that window by introducing indicators of attack: what is happening. That's considered a more proactive approach, rather than "okay, we've seen bad stuff happening": it's too late, because they're already out the door with your crown jewels. In terms of time span, we're looking at T equals zero, then it's infiltration. However, what I want to propose today is a whole new term, well, partly new. The indicator-of-risk term was actually first coined by [unclear], which is a branding group, but nevertheless: an indicator of risk is essentially what can happen.

So a lot of this talk is really about using what we consider indicators of compromise to actually predictively block or deny attackers, using indicators of risk. And of course that detection window is far wider. What we're looking at here is really pre-compromise, what in industry we call left of bang. That's really where we should move more towards, well, not move towards, but at least focus on. Yes, we always consider post-compromise, however at the same time I think there is a considerable degree of effort that should be placed on left of bang, so again, pre-compromise, and how we can detect the

attacker before they get into the environment.

Okay, so how do we do that? From a cyber perspective you may be aware of the pyramid of pain. [unclear] Who here has heard of the pyramid of pain? So the pyramid of pain is all about increasing adversary operational cost. It's all about just making it harder for the attacker; that's essentially the premise of it. Sometimes this does get confused, in terms of "okay, these are actually really hard things to do for a defender". However trivial, easy, simple, it's all about increasing the level of pain for an attacker, just making it harder for the attacker to move. Essentially, swimming in treacle is far better for us as defenders than [unclear].

However, an interesting piece, and where this talk kind of grew from, is a slide I had from years ago that I created in terms of permutations of that. Just like they do from the red team perspective, or an attacker perspective, with password lists, rainbow tables, all that good stuff, it's permutations in terms of how big these spaces are. What I mean by that is: hash values, MD5, 2 to the power of 128, is a huge, huge space there. Similarly, as we go up, IPv4: 4.3 billion permutations you could possibly have there. As you move up the pyramid of pain, 630 million, again based on current figures. And then similarly, network and host artefacts: tens of thousands. As you move up to that again, tools: you're looking at, based on ATT&CK v12, 718 different tools. So as you can see, even though these things are easy for them to change, and these things are actually much harder for them to change, you can see the permutation space is much smaller, so it's actually much easier for a defender to apply some of these controls.

However, that said, there's a lot of kind of debate at the moment in terms of domain names, IP addresses, hashes: because they are easier to change, some people are pounding the table that they are no longer required for use, and I disagree with that, because there are a number of different [unclear] things you can do to help make sense of them. There's a number of different things you can do to still use IP addresses, hash values, etc., which are high-fidelity detective controls.

So if we go from there, you can actually see, "okay, well, great, we've got the pyramid of pain, everything's solved". However, reality strikes. If you go to, say, an intel vendor, they will provide you with a threat data feed; it's not a threat intel feed. However, we can see here, based on historical analysis, that there is a considerable overlap, well, a considerable lack of overlap between intel feeds. Historically, from 2014, there's been ongoing research into how much overlap there has been within intel feeds, and it's pretty poor: I mean, there's six percent in 2014, three percent in 2015. So again, it shows that the sources everyone is pulling from are entirely different. Even though you think "okay, that's great, because they all find different stuff", from an end-customer perspective you have to buy all the feeds to have any sort of overlap, therefore you have no real confidence in whether that one feed you have is any good. That's why, yes, we use paid feeds within Admiral Group, however at the same time we fully understand that they're not finding everything, and nobody is. So some of it is, not to say the fallacy, but it's definitely not the [unclear] angle, just to say you have an IOC feed coming in. As I mentioned a minute ago, most vendor options are hash values, IP addresses, domain names, and nevertheless it's also not targeted towards yourself, so it lacks the context, it lacks the situational awareness. For example, who would care, from a burglar perspective, what someone in Venezuela is doing? Don't get me wrong, yes, it's a big place, however at the same time you really want a lot of these pieces to fall into what we care about, and that's part of the talk today.

Similarly, our current analysis, well, MISP's current analysis in terms of their feed overlap analysis matrix: if anyone uses MISP, you'll know that they do have an overlap analysis matrix, which is built in, which is pretty good. As you can see here, it doesn't matter that you can't read this one: it's all green, and green essentially means bad, because there is zero overlap. For the most part, 99% of all feeds provided within MISP have zero overlap, which again pushes us towards "okay, well, everyone knows about nothing", rather than

"okay, well, actually, this is bad, confirmed by this feed, by this feed, by this feed". However, we are going to use some of these for our examples.

So to build up that pyramid of pain, we'll first look at hash values. When people think of hashes, they think of file hashes only, MD5, SHA-1. However, there are other hashes available that you can use. One of those is the Murmur hash. MMH3 is a non-cryptographic algorithm to essentially hash files, or hash things; in this instance what we're using it for is to detect malicious infrastructure. So you can see here the mmh3 hash and the SHA hash: mmh3 is the algorithm used by Shodan, and the SHA one is used by Censys. But nevertheless, I was originally looking to discuss JA3 hashes, however there's a level of fidelity issue there, in that you can easily randomise JA3 hashes. JA3 hashes, if you're not aware, are about the hashing of SSL handshakes.

So we can see here that, okay, well, we can easily highlight default configurations too, and ShadowPad. Why default? Why do you care about that? Because there's a lot out there, and we know that they do require infrastructure. They may not think that they will have to change the infrastructure, based on how high a tier of attacker they are. So if we take this further out, let's find it on [unclear]. I did some further analysis and actually identified 129 [unclear], 35 [unclear], 32 Meterpreter, which was huge. Again, a lot of people use Meterpreter, but nevertheless it shows all these attackers that actually you could easily block, or create [unclear] without it.

And off the back of that, an interesting one: if you really want to annoy your pen testers, it's an easy way to identify Burp Collaborator. So if anyone's trying some [unclear] out-of-band SQL or anything, there's 540 on the web it can block straight off the bat. Similarly, in this instance as well, [unclear], I thought, well, maybe you could DDoS some of those potentially, I don't know. But really, the premise of that is again to use hashes to jump up the pyramid of pain: to identify IP addresses of the infrastructure, just like we have there, but also, if you're blocking their infrastructure, you're impacting their tools and potentially their TTPs as well. So again, rather than just a file hash that is only used for that one particular thing, we can actually start to fingerprint their infrastructure and start to attack the attacker.

Moving on to IP addresses. So again, you know they're going to

potentially, well, you know they're likely to attempt to scan us from a reconnaissance perspective. So therefore, our own faithful Tor. I appreciate everyone thinks "oh well, you know, let's not block Tor, it could be for business use", but nevertheless, doing some quick analysis on that based on the paid feeds that we have, 98% of the current Tor node lists, [unclear], I recognise them, so, just easily distracted, magpie. Yes, so 98% of that traffic has seen historical attacks, so again it really lends itself to: that's probably not a good thing, to actively let them scan or actually learn, and so I'd recommend a blended approach, which is a case of block all on particular traffic, whether that be the VPNs, any sort of crown jewels, the traffic you really should care about, and then detect and monitor on others, for example your main brand sites, things like that. [unclear] Again, it's an easy route that people think "okay, there's a level of anonymity to it", however there's a lot of analysis, largely driven by the Chinese, in terms of detecting Tor nodes, obviously to kill privacy; we want to use it for a different purpose, in terms of blocking and detecting attackers. When I say deny a course of action with any of these, of course it's detect and deny rather than just detect.

Moving from that to ASNs, TLDs and name servers, [unclear] BPH, so bulletproof hosting providers. The premise here is there's a number of different preventative techniques that we can use to frustrate attackers, and really it's a case of: bulletproof hosting providers are great in that they don't care if you submit a takedown, a UDRP or what have you. However, you need to make a concerted effort to actually block these bulletproof hosting providers based on their ASNs. Okay, they may have some genuine traffic, however at the same time, what's the trade-off between the genuine traffic and the malicious traffic in there? So again, deny by association, and that does push the attackers potentially towards more legitimate infrastructure. Therefore, if they're using more legitimate infrastructure, whether it be AWS, GCP, what have you, then it potentially gives us a better chance of taking that respective infrastructure down, because then they're on legitimate infrastructure rather than bulletproof providers, where really you submit any sort of takedown and they don't care.

And then similarly, in terms of DNS operators as well, they're starting to use legitimate DNS operators, [unclear]. Yeah, there's quite a few Chinese DNS operators that are actively allowing a lot of malicious traffic, therefore we can pretty much confirm that, okay, we could just block that if you're not using Chinese infrastructure, or if you don't have Chinese customers, things like that. So again, it all comes back to a systematic catalogue of maliciousness, and not to say let's just boil the ocean, but at the same time we can use a number of these. We can use some of the analysis; for example, [unclear] have a Tor bridges collector, which, again, you may think Tor bridge nodes are hidden, things like that; they're not. And so then we can sort of pile some of these things up to say, okay, these would be a credible list to essentially put the block in.

So again, I appreciate these are all very much list-based approaches, however there's still plenty of mileage on the clock, so just actively use them to frustrate the attacker. Because again, if we're hitting those hosting providers, if we're hitting DNS operators that are heavily seen in malicious cases, then again we start to kill the tools, start to kill the TTPs off, and make it harder for the attacker.

Domain names: this is where a lot of this kind of came from. From that indicator-of-risk perspective, we all know that they'll likely attempt to typosquat in their attack, and I did some analysis on the top eight, top phished domains,

so again, DocuSign, Microsoft, PayPal, all those good things, and I identified that 50% of them have been registered as permutations. What I mean by that is, if you had admiral.com, a permutation of that would be [unclear].com. So just like we do with passwords, just like we do with how we crack hashes, we get every single possible permutation we can find, and then generate it using, in this instance, [unclear] typosquatter, a really good tool, and it has a number of different algorithms in terms of the respective TLDs, the respective behaviours in terms of how you typosquat those respective domains. So again, really useful for us, because we can say, okay, well, actually, if this is the whole permutation space of those particular domains, it gives us a pretty good chance to say, okay, well, actually, if we block one of those, there's a higher chance, a very high likelihood, of us potentially blocking real live attacks. I mean, we do actually use this at Admiral, and it has actually worked.

There we go. Okay, yes. So as you can see here, microsoft.com, again, [unclear], but nevertheless it's got a much higher likelihood of success compared to [unclear].com. So again, their behaviours are just like ours, right, in terms of they are going to go for those particular angles that people would be susceptible to. So based on those 50% of top phished domains, essentially if you count them there's a number, that's 5,675, and further analysis into that revealed a number of different C2 name servers and historical malware operations. So again, it's all the more reason to do this analysis within your own environments, whether it be Admiral, [unclear], what have you. It's definitely worth double-checking, to give you a concise list of what possible options there are to potentially deny as a result.

So from there, okay, [unclear]. "Ultimately" is a word I use all the time; it hurts me as well. So yeah, essentially what we do here: we're blocking domains, and as a result we're impacting TTPs and making it harder for the attacker to actually create an attack that would have a high chance of success. If you want to read further into that, one of the guys on the team did some really good typosquat domain [unclear].

An offside to this, again not TTP but related, is unintentional insider threat. And this is typically something everyone can do and take away as a result: again, create this list based on your domain, based on your top ten domains that you have in your environment. The reason I say that is because six percent of all breaches, based on Verizon's DBIR (again, this is third-party, but nevertheless), six percent [unclear], so essentially that's going to be, near enough, a high percentage; I'd push ten percent of the time, in terms of attacks. So based on that, insider threat is something that is, yes, known about, but it's definitely not given the attention that it deserves. And this is all about the delivery of, again, typosquatting, the whole reason for it, right. So yeah, definitely recommended to do this within your environment, and you will actually be quite interested, or no doubt surprised, at what you find. So if you try to email me at admiralgroup.com, you'll be sending emails, with all the sensitive data or what have you, to an Admiral recruitment site which is in the States. So again, it's a flippant thing that can create a potential breach, and there'll be an absolute [unclear] for the incident response to it. Simple enough. Nope, nope. Yeah, it's gone. Yeah, so definitely worth checking out, because it's really interesting what you can find there, and again you may identify a number of different trends of your behaviours as well.

Ah yes, autocomplete. Autocomplete is not your friend, full of terrible phrases. Yeah, so autocomplete: as soon as you email someone, you'll identify that if you do get it wrong, then that will autocomplete, based on how that's "helpful" advice, and because of that you could then keep on sending similar data out to that respective recipient. So yes, it's great and it's helpful for us, however, essentially, if you do get it wrong it will constantly send out emails, or potentially sensitive data, to other parties.

If we move now into network artefacts: as an indicator of risk, [unclear], we know they'll [unclear] infrastructure, and so

some of the analysis based off [unclear] is that 60% of all phishing attacks are based on a one-to-one clone of our own websites. Based on that information, or based on that intelligence, we can then think: well, actually, what does our site look like? What are the specific indicators that we can find as a result? For example:

Yeah, so Google Tag Manager. So again, if they are cloning a website, then they're going to pull everything out, including JavaScript and identifiers such as Google tracking IDs. So tracking IDs are a really easy way that we have used in the past to identify other clones of Admiral Group, and others. So again, simple things to check on. Similarly, it's not a technique that is heavily used; speaking to vendors, we've probably beaten them up, saying "why aren't we doing this?". But nevertheless ("nevertheless", I need to find some new words, seriously), Google Tag Manager has been detected and has been catalogued by RiskIQ, so they are one of the vendors, among others, Group-IB etc., who are actually cataloguing this data, so you can actually identify if others are using your Google tracking IDs. Again, because they're highly unique, nobody is using them unless it's either for legitimate purposes or malicious.

Similarly (sorry, by the way, I've got this massive thing because I lost my clicker), okay, so again, favicons: highly unique. Yes, it's an old thing, but nevertheless, [unclear]. Yeah, favicons, again, it's a fantastic thing to detect upon, because if you get a hash of that favicon, it gives you a really good chance to identify if somebody is cloning the website. And again, similarly, referrer logs off the back of that: in any successful phishing attack, yes, if they redirect you to a login page, what they're going to push you to after that is going to be handing you back to, say, admiral.com, which is again going to have a referrer header on that. So definitely remember to check your referrer logs. Yes, it's more an indicator of attack, in terms of yes, someone is actively attacking you, rather than an indicator of risk; that said, it's a really good source of collection, and that's really what this is all about: identifying new collection sources that you can use to detect the attackers. So as you can see here, we're going up and down the pyramid of pain.

Second to last, tools. So again, it comes back to the collection and cataloguing of respective data sets, and we are moving towards that space; there's a number of different areas. As you can see here, filesec.io, if you haven't come across it, is essentially every single possible file extension that can be used in phishing attacks. Again, this is where we need to move towards, to identify whether they are worthy within our environment, because again, if you never use, for example, OneNote (.one), which is the popular one right now, then hey, why not just remove this from an attacker's toolset?

Moving on to LOLBAS. It was a big thing, apparently, at the time when it came out, and I think they still have plenty of miles on the clock. If we add all those together, you can identify 532 binaries, and yeah, it sounds like a big number, but when you compare that to 2.5 billion IP addresses, it's definitely worth doing the hard yards to identify their use within your respective environments. Again, this moves somewhat into the [unclear] side of things, so again, if you do have a threat hunting team, pass it over to them; then you have a problem.

And then moving on to that: again, as we have access actions, and generally it's [unclear] they've got external data, it's likely, based on behaviours so far and on current reporting, that they are going to use some level of established C2 framework. A lot of the nation states, obviously, of course, have attribution aspects, things like that, but all of them are generally using some form of popular C2 framework. As a result of that, there's only 124 of those, based on the C2 Matrix, so it's worth breaking these down and seeing, again, on trends, how they look within your environment, which is why you need the threat intel relationship. So again, it all comes down to what that attacker looks like within your environment, and identifying anomalous data, and ultimately stopping that attacker. As you can see here, we're moving towards TTPs in terms of how they take those actions as a result. So here you can see every single title had a T number again, assigned to MITRE ATT&CK.

Excuse me. [unclear] So how does the adversary go about accomplishing the mission? TTPs, again, are the top of the pyramid, and again it's generally the established thing that, okay, this is what we need to really look for within our environment. They are harder than most, and when somebody says "yes, we can search for a TTP in our environment", they're generally half right and half wrong, because there are a multitude of different known knowns, and also unknown knowns as well, in terms of identifying that behaviour.

MITRE Engenuity have done a fantastic job, well, MITRE have done a fantastic job in creating Engenuity. It's quite a recently released thing if you haven't come across it, but it's all about, again, exactly what I mentioned here in terms of cataloguing and introducing insights into that data set, rather than saying "oh, here's 400 techniques that you need to go and detect, there you go". So it's all about that [unclear] approach, where we can use things like prevalence, choke points and actionability to identify significant techniques. As you can see, it's a top 20, so I'm not going to go through them, but nevertheless it's definitely an interesting insight from MITRE Engenuity in terms of how they overlay with the other respective lists. So the ransomware top 20 here, again, considerable overlap, 70% overlap, which shows us again that these are legitimate TTPs that we do need to prioritise as a result. Most often used by threat actors, 95%; of course it's going to be heavily skewed towards that as a result. But as you can see here, it does move.

It's time to also consider choke points. So choke points, just like you would potentially do in the military, not saying military business or not, but choke points in terms of where people have to go through to get to the next stop. And again, these are fantastic sources to hit up all day long, and no matter what, everyone's going to be using their command and scripting interpreter, whether it be PowerShell or what have you. Fantastic sources that give you a data-driven, evidence-based approach to ensure that, okay, yes, we need to do that first, and then everything else, rather than screen capture or, you know, maybe there's some further obscure things that make you think "oh yeah, that's great, that's the new hotness at the moment". Oh great, is it going to be worth your while compared to hitting WMI, or scheduled tasks, or valid accounts? Thanks.

And then we also did some further analysis of this using MITRE's data set. So TTP Nets is all about technique co-occurrence: essentially establishing techniques that have been seen, and then also a secondary technique off the back of that. So our very own [unclear] made this lovely schematic of essentially a co-occurrence matrix, and it's all about identifying, using the data we have, again, a data-driven approach to identify insights and behaviours. So we can see here that, based on MITRE's current data sets, phishing and user execution have a 94% co-occurrence percentage rating. Even thinking, of course, that's common sense.

Supply chain compromise and phishing have an almost 100% co-occurrence percentage. I get it; it really drives forward the fact that, yes, we need to consider phishing, but also we need to do our third parties and fourth parties as well, because of these insights. Again, this is also shared on our GitHub as well, so use it as you will. But again, it's all about driving the industry towards how frequently the attackers use these techniques.

For my last slides: again, if we bring all this together, our sole focus is to increase operational cost, right, and that is the sole focus of the pyramid of pain. It's not just to create some flashy gimmicks and things like that; it is to slow down attackers and also inject into their process as well. So if we come back to the examples that I showed you today, we will be impacting the attacker infrastructure whilst also predictively defending, predictive defensive actions, that would also reduce those permutation spaces from billions, or powers, to thousands, to hundreds, potentially tens, so we can prioritise that another layer again. And again, it all comes back to prioritisation, informing that decision making based on [unclear].

Questions? I appreciate that's a lot.

[unclear] One of your slides mentioned potentially blocking large swathes of the internet, like Tor and different

providers. So have you had any pushback from the business on potentially blocking legitimate customers from accessing them?

Well, so that's, well, [unclear] because, no. So that's really where it comes to that balanced approach, in terms of, yes, blocking things, for example VPN, and ultimately customers aren't going to be hitting your VPN, for the most part; it depends how much of a customer they really are. So at the same time, detection and monitoring based on [unclear], and then detection and monitoring based on, again, main brand traffic, so, as you mentioned, the customers, things like that. So that would be okay in general consensus if people don't need it, or, you know, some, yes, we have, you know, Tor users who may be hitting online sites; then absolutely, you know, you have to allow that. Internal situational awareness identifies whether it is to be put in.

It strikes me that some of this is, yes, picking up some of the indicators, but surely a lot of the rest of it is actually designing your systems and your infrastructure so that you block those attacks in a way that they're hardened and secured. So where do you think, yeah, what's the ratio?

Absolutely. I mean, we're always going to have to look at these pieces being the sacrosanct, kind of the top of that chain in terms of what we should focus on first, and so that's why I really like the MITRE Engenuity piece, because they give you the top 20 TTPs, not just to detect but also to architect against. So wherever we can, you know, PowerShell, what have you, these should all be potential decisions that should be fed into those architecture decisions as well. So I'd definitely say those top 20 give you a pretty good view in terms of bang for your buck, and as you rightly say, yeah, they shouldn't just be considered from a detection perspective; it should be being fed into the architecture process as well. Yeah.

[unclear] using that to actually point to: you need to do these things.

Absolutely, yeah. And so further on MITRE Engenuity: definitely worth having a look if you haven't seen it already, but they do have focused collection sources, so whether it be cloud, network, etc., so depending on how your infrastructure looks, that might not be the top 20 for you; there may be a more specific top 20 that may be more useful for yourself.

[unclear] kind of leads off my question, actually. So in one of the initial slides, yeah, how much of that is influencing your activities, and how much is [unclear] proprietary? What do you all see is, is

[Music] No, I mean, the thing is, yes, we've had some really good wins using these techniques. So as you say, I mean, if you go to a paid feed provider, they're never going to provide you with any of this stuff, just because to scale that out is huge, right. In terms of, based on the typosquatting, there's roughly around about 6,000 permutations in terms of the respective different changes they make, or the key terms they use, so to scale that out to every single company brand name is huge, right. So it's not something that I would think would be useful enough or big enough for them to say "okay, here's our feed of what your typosquat domains or permutations look like". So yeah, for us it's more a case of value; we do have the luxury of having a TI team in house, and so yeah, for us that does make it much easier. However, for others, absolutely, I think there is a balancing act in terms of where the value is out there, and I don't think the value-add from a paid perspective is to say "okay, here's the bad stuff"; it has to be focused towards yourself. Yeah.

Good. How about we take the rest of the questions offline?

Yeah, absolutely, I think otherwise we'll start running over. Yeah. Thank you so much. [Applause]
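The talk's hash-value example (Murmur hashes of favicons as an infrastructure fingerprint rather than a file hash) in working code, as an added example that is not from the talk or the speaker's team. Shodan's `http.favicon.hash` is `mmh3.hash(base64.encodebytes(icon))`, a signed 32-bit integer; the MurmurHash3 x86_32 routine is written out here so the example runs without the third-party `mmh3` package. The icon bytes, the host IPs and the "known-bad" hash set are constructed for the example.

```python
"""Favicon fingerprinting with MurmurHash3 (Shodan http.favicon.hash convention).

Added example, not code from the talk. The MurmurHash3_x86_32 below follows
the reference algorithm; murmur3_32(b"hello") == 0x248BFA47 matches mmh3.hash.
Icons, hosts and the known-bad set are constructed for the example.
"""
import base64
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK32


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3_x86_32 of data, returned as an unsigned 32-bit integer."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK32
    nblocks = len(data) // 4
    # Body: consume 4-byte little-endian blocks.
    for (k,) in struct.iter_unpack("<I", data[: nblocks * 4]):
        k = (k * c1) & MASK32
        k = _rotl32(k, 15)
        k = (k * c2) & MASK32
        h ^= k
        h = _rotl32(h, 13)
        h = (h * 5 + 0xE6546B64) & MASK32
    # Tail: the remaining 1..3 bytes, packed little-endian.
    tail = data[nblocks * 4:]
    k = 0
    for i, byte in enumerate(tail):
        k |= byte << (8 * i)
    if tail:
        k = (k * c1) & MASK32
        k = _rotl32(k, 15)
        k = (k * c2) & MASK32
        h ^= k
    # Finalisation mix (fmix32).
    h ^= len(data)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h


def to_signed32(x: int) -> int:
    """Reinterpret an unsigned 32-bit value as signed (what mmh3.hash returns)."""
    return x - (1 << 32) if x & 0x80000000 else x


def favicon_hash(icon: bytes) -> int:
    """Shodan-style favicon hash: mmh3 over base64.encodebytes (newlines included)."""
    return to_signed32(murmur3_32(base64.encodebytes(icon)))


def match_known_bad(icons: dict[str, bytes], known_bad: set[int]) -> list[str]:
    """Return the hosts whose favicon hash appears in the known-bad set."""
    return [host for host, icon in icons.items() if favicon_hash(icon) in known_bad]


# Constructed sample data: a fake ICO header followed by filler bytes, not real icons.
C2_ICON = b"\x00\x00\x01\x00\x01\x00" + b"constructed-c2-framework-favicon"
BRAND_ICON = b"\x00\x00\x01\x00\x01\x00" + b"constructed-brand-favicon"
# Hash catalogued from an earlier sighting of the C2 panel (constructed).
KNOWN_BAD = {favicon_hash(C2_ICON)}
# Favicons pulled from hosts seen scanning us (documentation IP ranges, constructed).
SAMPLE_ICONS = {"203.0.113.10": C2_ICON, "198.51.100.7": BRAND_ICON}

if __name__ == "__main__":
    for host, icon in SAMPLE_ICONS.items():
        print(host, favicon_hash(icon))
    print("block:", match_known_bad(SAMPLE_ICONS, KNOWN_BAD))
```

The base64 step matters: hashing the raw icon bytes gives a different value from Shodan's, so a hash copied from a Shodan `http.favicon.hash:` query only matches if the same encoding is applied locally. Pivoting from one favicon hash to every host serving it is what turns a single file indicator into a list of attacker IPs, as the talk describes.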
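The typosquat permutation idea from the domain-names section, and its flip side (catching your own users mailing a lookalike of your domain), as an added example that is not the tool the speaker used nor code from his team. It is a small dnstwist-style generator: omission, repetition, transposition, adjacent-key and homoglyph substitution, vowel swap, hyphenation, character addition and wrong TLD, then the same candidate set used once as a perimeter block list and once against constructed mail-log lines. The brand domain, the keyboard and homoglyph maps (deliberately small subsets), the TLD list and the log lines are all constructed.

```python
"""Typosquat permutations for a brand domain, and lookalike matching.

Added example, not the generator the speaker used. Assumes a single-label
name such as admiral.com (the partition on the first dot would be wrong for
admiral.co.uk); the adjacency/homoglyph tables and the log lines are constructed.
"""
import string

# Constructed subset of a QWERTY adjacency map for fat-finger substitutions.
ADJACENT = {
    "a": "qwsz", "d": "serfcx", "e": "wsdr", "i": "ujko", "l": "kop",
    "m": "njk", "o": "iklp", "r": "edft", "s": "awedxz", "t": "rfgy",
}
# Constructed subset of common homoglyph swaps.
HOMOGLYPHS = {"a": ["4"], "e": ["3"], "i": ["1", "l"], "l": ["1", "i"],
              "m": ["rn"], "o": ["0"]}
VOWELS = "aeiou"
TLDS = ["com", "co.uk", "net", "org", "io"]


def permutations(domain: str) -> set[str]:
    """Return the lookalike domains generated from one brand domain."""
    name, _, tld = domain.lower().partition(".")
    cands: set[str] = set()
    for i, ch in enumerate(name):
        cands.add(name[:i] + name[i + 1:])                 # omission
        cands.add(name[:i] + ch + name[i:])                # repetition
        if i < len(name) - 1:                              # transposition
            cands.add(name[:i] + name[i + 1] + ch + name[i + 2:])
        for c in ADJACENT.get(ch, ""):                     # adjacent key
            cands.add(name[:i] + c + name[i + 1:])
        for g in HOMOGLYPHS.get(ch, []):                   # homoglyph
            cands.add(name[:i] + g + name[i + 1:])
        if ch in VOWELS:                                   # vowel swap
            for v in VOWELS:
                cands.add(name[:i] + v + name[i + 1:])
        if i > 0:                                          # hyphenation
            cands.add(name[:i] + "-" + name[i:])
    for c in string.ascii_lowercase + string.digits:       # addition
        cands.add(name + c)
    cands.discard(name)
    out = {f"{c}.{t}" for c in cands for t in TLDS}
    out |= {f"{name}.{t}" for t in TLDS if t != tld}       # wrong TLD only
    out.discard(domain)
    return out


def lookalike_recipients(log_lines: list[str], brand: str) -> list[tuple[str, str]]:
    """(sender, recipient) pairs whose recipient domain is a lookalike of brand."""
    bad = permutations(brand)
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        rcpt_domain = fields["to"].rsplit("@", 1)[1].lower()
        if rcpt_domain in bad:
            hits.append((fields["from"], fields["to"]))
    return hits


# Constructed outbound mail-log lines (key=value, not real traffic).
MAIL_LOG = [
    "from=alice@admiral.com to=bob@admiral.com subject=claims",
    "from=carol@admiral.com to=dave@admira1.com subject=policy-export",
    "from=erin@admiral.com to=frank@admiral.net subject=minutes",
    "from=grace@admiral.com to=heidi@paypal.com subject=invoice",
]

if __name__ == "__main__":
    block_list = permutations("admiral.com")
    print(len(block_list), "candidate domains to block or monitor")
    print(sorted(block_list)[:5])
    print("misaddressed:", lookalike_recipients(MAIL_LOG, "admiral.com"))
```

The same set serves both uses the talk gives it: fed to a proxy or DNS RPZ it denies the phishing infrastructure before it is used (indicator of risk), and run over outbound mail logs it surfaces the unintentional-insider case where autocomplete keeps sending data to a mistyped domain.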
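The technique co-occurrence matrix described in the TTP section, as an added example that is not the speaker's schematic, his team's GitHub code or MITRE's data. It computes, for each ordered pair of ATT&CK technique IDs, the share of incidents containing the first technique that also contain the second, which is the "phishing and user execution co-occur 94% of the time" style of figure the talk quotes. The technique IDs are real ATT&CK IDs; the incident-to-technique mapping is constructed.

```python
"""Technique co-occurrence from per-incident technique sets.

Added example, not the talk's code. For an ordered pair (a, b) the value is
P(b seen | a seen) = incidents containing both / incidents containing a.
INCIDENTS is constructed; the IDs are ATT&CK technique IDs.
"""
from collections import Counter
from itertools import permutations as ordered_pairs

# Constructed incident -> technique mapping (made-up data, real ATT&CK IDs).
INCIDENTS = {
    "inc-001": {"T1566", "T1204", "T1059.001"},   # phishing, user exec, PowerShell
    "inc-002": {"T1566", "T1204", "T1053"},       # ... scheduled task
    "inc-003": {"T1566", "T1204"},
    "inc-004": {"T1566", "T1078"},                # phishing then valid accounts
    "inc-005": {"T1195", "T1566", "T1204"},       # supply chain compromise
    "inc-006": {"T1133", "T1078", "T1053"},       # external remote services
}


def cooccurrence(incidents: dict[str, set[str]]) -> dict[tuple[str, str], float]:
    """Return {(a, b): P(b | a)} for every ordered pair seen together at least once."""
    single: Counter = Counter()
    pair: Counter = Counter()
    for techs in incidents.values():
        single.update(techs)
        pair.update(ordered_pairs(techs, 2))   # every ordered (a, b) with a != b
    return {(a, b): pair[(a, b)] / single[a] for (a, b) in pair}


def prevalence(incidents: dict[str, set[str]]) -> dict[str, float]:
    """Share of incidents in which each technique appears (the 'prevalence' input)."""
    counts = Counter(t for techs in incidents.values() for t in techs)
    return {t: n / len(incidents) for t, n in counts.items()}


def top_followers(matrix: dict[tuple[str, str], float], technique: str, n: int = 3):
    """Techniques most often seen alongside `technique`, highest share first."""
    rows = [(b, p) for (a, b), p in matrix.items() if a == technique]
    return sorted(rows, key=lambda r: (-r[1], r[0]))[:n]


if __name__ == "__main__":
    m = cooccurrence(INCIDENTS)
    print("P(T1204 | T1566) =", m[("T1204", "T1566")[::-1]])
    print("most prevalent:", sorted(prevalence(INCIDENTS).items(), key=lambda r: -r[1])[:3])
    print("after phishing:", top_followers(m, "T1566"))
```

Reading the output the way the talk does: a high P(T1204 | T1566) says that where phishing is detected, user execution should be the next detection to confirm, and a technique that follows many others with high probability is a candidate choke point worth architecting against, not only detecting.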