
BSides DC would like to thank all of our sponsors, and a special thank you to all of our speakers, volunteers and organizers. If I start losing volume, just let me know; sometimes I trail off a little bit, my Midwest monotone voice going to work. But anyway, thank you guys so much for being here today. I'd like to talk to you about some things that I find interesting, and I'm hoping that you might take an interest in some of the things I have to talk about. First things first, I would like to thank my company, White Ops, for giving me some time to put together some slide decks and be here to talk with you folks. My boss was very supportive in giving me some time on Friday to feverishly put together the last few slides I have here, so I just wanted to give them a shout out.

All right, so today, for those of you that know me, there are a few familiar faces in the room. I see one of my former co-speakers back there. Chris, how you doing, Chris? My name is John Leacock. I've been in the InfoSec space for quite a few years now. I actually started out in forensic video many years ago and was able to pivot over into computer forensics, working over at DC3 for a long time, and worked in a couple of different directorates there. After that I went over to our commercial forensics team, and I've bumped around a bit, as you can see there: I worked at Fidelis on their threat research team for a couple of years before going over to Medicare, working in their SOC, and currently I'm a threat intel manager with White Ops. I have a Twitter handle, malware elf. Not really that interesting, I don't think; I just retweet things that I find interesting, maybe make a few sarcastic comments now and again, but if you want to reach out to me after this talk, that's a pretty good place to find me.

So the title of my talk today, as you can see, is
Looking to the Past to Better Understand Threat Intelligence, and this is something that marries up two topics that I find very interesting and fascinating: genealogy and threat intel research. Just out of curiosity, does anybody in here study their family history at all? Really? Okay, great. So genealogy for me has been an interesting thing. Why am I talking about these two things together? The simple answer is I like solving a puzzle. Going through that family history is a lot like threat intel: you're trying to figure out where something came from, how did it get to be there, and just figuring it out. That, in combination with history, is something I've always had a lot of interest in: solving puzzles and where did we come from, your family. It's a really basic need for me, I guess.

I was very fortunate, I had a grandmother who really was our family historian. She had a lot of knowledge, and I was very close with her, so I learned a lot of my own family history from her. When my son was born I had a renewed interest. She had passed away a couple of years before that, but I had a renewed interest in figuring out where my family came from, the bits and pieces that I had put together. Sometimes you misremember things from growing up; you think, oh well, this is what it was, and then you start digging into it and you realize that things were a little bit different than the way you remember them. So I started just looking around. I got online and saw there were a lot of different sources. I actually went to my public library and went through census data and did a lot of the things that genealogists will go and do.

Very early on, I had been told through our family history that we had some ancestors that were in the Revolutionary War, and that really interested me. I always like having a goal when I do these things, and so I decided I wanted to try to trace my family roots back to the Revolutionary War and maybe get into the Sons of the American Revolution, which is a great group. Anybody here a member of that, by chance? You are? Okay, great, which chapter are you with? Okay, I'm Westminster, out of Maryland. So one of the first things I did is I set up an ancestry.com account, and I started looking around, and that started the seven-year effort to kick through and get documentation together and go through my lineage.

On the flip side here with threat intel, it's a similar thing. I started out doing a lot of computer forensics, I migrated into network forensics a little bit, I got to work in a SOC, I worked on a threat research team, and threat intel was really a nice place for me to take my very wide background and my experiences and apply them into a threat intel mindset and start doing threat analysis.
And so what I think we're going to find here, as I go through this talk today, is that these two topics actually have a lot of overlap. At their essence they're just research, so your basic research methodology is going to be very similar whether it's genealogy or threat intel analysis. So what I learned, and you guys can see it up here:

Genealogy research is not easy. Like I said, it took me seven years to figure out where everything was and get all the documents together I needed to join the Sons of the American Revolution.

I also learned, through a lot of trial and error, to take notes, and this is true of both, right? If you don't take notes, you start going down a path and then all of a sudden you forget where you were an hour ago; you've been clicking through all these different websites and you lose track of your place very easily.

Ancestry.com, as great as it is, is not the complete solution. It doesn't beat going down to maybe a state archive somewhere, going down to your public library, maybe a local historical society. Just like VirusTotal: great tool, and I'm not bashing them, they're just the first name that popped into my head. I use VirusTotal a lot, it's a great tool, but it's not all-inclusive. Sometimes you have no frame of reference for where a sample came from.

Multiple sources are critical. If you can tie in multiple pieces of documentation, they're really important to help you with your analysis.

And the Russian proverb, trust but verify. Again, very important. We need to be able to trust our sources; we need to have some veracity to their information.

And don't jump to conclusions, right? It's very easy to do. When you start doing your research, a lot of times you want to jump right to the end point. Slow down, make sure you have your documents together, your proof. It's very important.

And you're always going to find contradictions and things that don't line up just right. That's true whether it's threat analysis or whether it's genealogy, and I'll talk a little bit about some of that as we go along here. But those contradictions are really important, and it's okay to embrace them. When you do your report, your threat intel report, or you do your genealogy research, just put it out there. Somebody else may know what that is; it might trigger something. You might help them to explain something and help you learn a little bit as well.

So if you're interested in getting into genealogy, a great place to start is with your family. Ask questions. As
close as I was to my grandmother, there are a lot of questions that, in hindsight, I wish I would have asked. That's something that happens; when you're younger you don't think about these things. If she were here today, there are a lot of things I would like to know. She was born in 1912; her grandfather was a Civil War veteran. Think about that: that's a hundred and sixty years of experiences and knowledge. I have stories, but I wish I had more.

One other aside that didn't really fit in here, but I wanted to talk about it: if you have old family photos, label them. I went through my other grandmother's; I have boxes of pictures, some of these are pictures from the 20s and 30s, and there are people on there that look like they're having a great time, they're smiling, they're laughing, but I have no clue who they are. And I have these photos, and I'm like, well, what do I do with these? I did go through and badger a whole bunch of aunts and uncles and cousins and said, hey, who are these people? They will identify some, but not all. So if you do have some old photos, take some time to label them if you know who those people are. It's really important.

The other thing that's useful when you're getting started in genealogy: you probably have a family member that has done a lot of research already. You're going to have a family historian, maybe Aunt Harriet or Cousin Bob or somebody, and it's really important to identify those people. Maybe you don't know that there's a family historian, and they may have a lot of information for you already that will help you in your research. Maybe they've gone down a lot of paths that you're about to go on, and you can benefit from their knowledge. But as the picture here shows, with William Wallace: beware of family lore. I have a great
example of this from my own experience. I grew up north of Chicago, in Lake County, Illinois, and there's a small town there called Grayslake. I have an ancestor from the area named Gray, and my grandmother had told me that that was our family, our kin, and so I thought that was pretty cool. As I started to do my family research, I called down to the local historical society and said, hey, I'm a descendant of the Grays of Grayslake, and I'd like to know if you have any information or anything like that. In talking to some of the folks at the historical society there, I found out that there were actually a couple of Gray families that had located into the area there in the 1850s, and my family was not one of the families that Grayslake was named for. And that's okay. You get that family lore where it snowballs down over a hundred and fifty years, and it's very easy to make assumptions like that.

What I did find out about my particular line, as I did some additional research, is that they were actually French. They had come from upstate New York, and France before that, obviously, but they had changed their name after the Revolutionary War from Lapierre to Gray. So again, you need to walk through these things and learn about them. There's some more family lore with the Lapierres that I haven't been able to substantiate: my grandmother had told me that Lapierre was apparently a doctor for General Lafayette, but I haven't been able to verify that one. So we have to keep this in mind as we go along and do our research.

So on the threat intel side, we have very similar things here. When you start doing threat intel analysis, even if you're working in a SOC, or if you're working in a company and you have a lot of customer telemetry coming back, a great
place to start is to talk to your co-workers and learn about the environments that you're working in, just like you would talk with your family members. Find network diagrams. Understand your datasets, where everything is coming from; understand the relationships, what kind of data you have, what kind of limitations are in place with that data: can you use this publicly, can you not use this publicly, where did it come from, what does it show you, is it incomplete, is it reliable? So whether that's on a network diagram or just understanding where the data is, that's another step that you want to put into place. You learn about your company processes, your IT stacks; understand where things fit, where we're looking inside of your network, so that you can make sure that you're making the right conclusions when you do look at this stuff. Hey Damien, how you doing? Thanks for coming.

So, just like we have to worry about family lore, we also need to worry about the "from what I know" type of remarks, because that can really lead you astray. Somebody may have an understanding of something, but that information may be outdated; it may even be incorrect. So a great story I have where I encountered that: I was working in a SOC and we had a malspam campaign coming through our email, and I
had a couple of emails I needed to take a look at. I started parsing the email headers just to get a feel; that was something I'd always do, just to get a feel for where the email originated, maybe some interesting things. As I started looking, I realized there was a bunch of missing information in the network hops. It didn't have the normal path that I would expect for our emails coming into our servers; it was missing a large chunk of our security stack. So it was literally coming from the outside world right into our servers and then right to the end users, and I was concerned, as you can imagine.

So we started looking around, and because this was a large organization, we had different teams and different contracts to administer different parts of our network, so there was a natural disconnect. As I was talking to my co-workers, I got a lot of "from what I know" type of remarks: from what I know, Joe handles that, or Dave handles that, or from what I know, that's configured to go here and then here and wind its way through our network. As I started digging around, we finally got to a point where we contacted our email server team, engaged them, started talking to them and explained what we thought the issue was, that there was an issue going on. We had actually recently gone to Office 365, and when we incorporated Office 365 into our email service, the email security stack... Office 365 has their own security within their product, but we had a third-party security stack, so we had chosen not to go with the Microsoft offering. When we did that, we did not know we had some configuration errors within our setup. What was happening is that any time we got an email that looked like it was coming from an internal user, it just sent it right through, because it assumed it had already gone through our security stack. So we had malspam going right to the end users, never going through security. Obviously a big problem. Once we got the Microsoft engineers involved in this, they were able to help us write up a couple of transport rules, and that basically forced all emails to go through our security stack. So the point being here is that I had to dig through and get through the "from what I know" and break through the barriers a little bit, make sure that I understood the problem, and that helped us improve our security posture as a result.
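As an added illustration of the header check described above (example code written for this write-up, not the speaker's own tooling), here is a small Python triage routine that walks the Received chain of a message, oldest hop first, and flags any message that never passed through the expected security gateway. The gateway hostname secgw.example.com, the internal domain example.com and the two sample messages are constructed assumptions for the example.

```python
from __future__ import annotations

import email
import re
from email import policy

# Hostname the third-party mail security gateway stamps into Received headers.
# Assumed name for this example; substitute your own gateway's identity.
SECURITY_GATEWAY = "secgw.example.com"
INTERNAL_DOMAIN = "example.com"  # assumed internal mail domain

# Constructed sample: a normal inbound message that traversed the gateway.
NORMAL_MAIL = """\
Received: from secgw.example.com (secgw.example.com [192.0.2.10])
 by mx1.example.com with ESMTPS; Tue, 1 Oct 2019 10:00:05 +0000
Received: from mail.partner.test (mail.partner.test [198.51.100.7])
 by secgw.example.com with ESMTPS; Tue, 1 Oct 2019 10:00:03 +0000
From: alice@partner.test
To: bob@example.com
Subject: Q4 forecast

see attached
"""

# Constructed sample: a message claiming an internal sender that skipped the gateway.
BYPASS_MAIL = """\
Received: from outbound.bulk-sender.test (outbound.bulk-sender.test [203.0.113.55])
 by mx1.example.com with ESMTP; Tue, 1 Oct 2019 10:07:41 +0000
From: ceo@example.com
To: bob@example.com
Subject: urgent wire

pay invoice
"""

FROM_HOST = re.compile(r"^from\s+([A-Za-z0-9.-]+)", re.IGNORECASE)
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def parse_mail(raw: str):
    """Parse a raw RFC 5322 message with the modern (unfolding) policy."""
    return email.message_from_string(raw, policy=policy.default)


def received_path(msg) -> list[tuple[str, str]]:
    """Return (from_host, by_host) pairs in delivery order, oldest hop first.

    Each relay prepends its own Received header, so the raw header order is
    newest-first; reversing it gives the path the message actually took."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # collapse folded whitespace
        f = FROM_HOST.search(flat)
        b = BY_HOST.search(flat)
        hops.append((f.group(1).lower() if f else "?", b.group(1).lower() if b else "?"))
    return list(reversed(hops))


def bypassed_gateway(raw: str, gateway: str = SECURITY_GATEWAY) -> bool:
    """True when no hop in the chain was received *by* the security gateway."""
    return all(by != gateway for _, by in received_path(parse_mail(raw)))


def triage(raw: str, internal_domain: str = INTERNAL_DOMAIN) -> dict:
    """Summarise the hop chain and flag the case from the talk: a message that
    looks internal (sender in our domain) yet never touched the gateway."""
    msg = parse_mail(raw)
    path = received_path(msg)
    sender = str(msg.get("From", "")).lower()
    claims_internal = sender.endswith("@" + internal_domain)
    missing = all(by != SECURITY_GATEWAY for _, by in path)
    return {
        "path": path,
        "claims_internal_sender": claims_internal,
        "missing_gateway_hop": missing,
        "suspicious": missing and claims_internal,
    }


if __name__ == "__main__":
    for label, raw in (("normal", NORMAL_MAIL), ("bypass", BYPASS_MAIL)):
        print(label, triage(raw))
```

The transport rules the speaker mentions are the remediation; a check like this, run over a sample of delivered mail, is the detection that surfaces the gap before an end user does. Hostname matching on Received headers is only a first pass, since a sender can forge earlier Received lines, so the hop stamped by your own MX (the newest one) is the only one to treat as trustworthy.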
So ancestry.com, and I've mentioned it a couple of times already, is really probably a starting point for a lot of folks when they get into genealogy, and it's a great tool. There's a lot of information up there. In addition to the social aspects of maybe connecting with some family members, you have massive amounts of databases that they've incorporated into their system, and they alert you on it: anything from census data, marriage certificates, ship manifest data, military records. We've probably all seen the commercials: when they identify a match, they give you a little leaf telling you you've got some new family connection to go check out. That should start to sound a little familiar to you. That should be like what you may have seen if you've used a SIEM or a TIP, when you get an alert. It's the same idea here.

I mentioned the social aspect. I actually connected with a distant cousin I had never met before. He lives over in Philadelphia, he's a lawyer out there, and he'd actually done a lot of research on my family. Like I said, I'd never met him, and he had never met any of my family out in northern Illinois, even though he had actually come out a couple of times. So we got to talking and we did a lot of research together. Great guy. We actually worked with one of my first cousins that I know, and we found the ship manifest from when my ancestor came into the country. So in the 1820s, I actually have a John Leacock that came to America, came into Philadelphia. I thought that was a lot of fun for me. My cousin Don later found his citizenship application, and looking through the documents we realized that he was illiterate; he actually had to make his mark on the paperwork. There's a lot
of really interesting things that you can find out from these old documents. You think, the 1820s, what am I going to learn from this? Well, I learned he was illiterate when he came to America. Some people might argue I'm illiterate, but it's interesting to know where we came from with this stuff.

The other thing that you have to really think about with any sort of crowdsourced data is that it is crowdsourced. What is the quality of it? It may not be diligently sourced. You have to sort through a lot of extraneous information, and you have to look at the data and the source and figure out, hey, is this trustworthy, can I trust this? It's very easy to get into ancestry.com and just start clicking things, and all of a sudden you've got 10 or 12 generations of family going back to Norway or wherever the heck it might be. But if you made a wrong turn two or three generations back, you've got to make sure you have the sources to support what you're doing. If you go online and you see somebody's family tree, and you see that they've gone through these 10 or 12 generations, you might think, hey, they've done the work here. Not necessarily. You have to really parse through it a little bit and double-check on it. The little leaves might be giving you a lead, but it might be a false positive, right? It might be another John Leacock or another John Smith somewhere, and so you've got to really make sure: does this make sense? Just like you have to look at that with some of the data you might use when you're doing threat intel analysis.

So the corollary to using ancestry.com might be using a threat intel platform, the TIP. Once you evolve to a certain point in your analysis, you're probably going to be wanting to look at any one of the
multitude of TIPs that are out there. I won't get into the specifics of a TIP, but basically it's just a place to aggregate all your data: take your feeds, bring in your data and do some data enrichment, whatever it is you need to do for your particular job function. These systems are really important, and they really help you out going through a lot of data and enriching it for you, looking at your feeds and really giving you a rich data set to go through and help you in your day-to-day analysis. Now, just like when you get that leaf, you've got to think about the source of the information. Just because you've got a feed that says this IP address is malicious, it doesn't mean it is. How many of us have heard the story of the young SOC analyst that blocked 8.8.8.8, right? It's almost kind of a trope now; I don't know if it really ever happened or not, but at some point, somewhere, I'm sure somebody blocked Google, but they learned from that, I would hope. At the end of the day you've got to do your own vetting of the data, just like you do in genealogy; you've got to make sure you have good data that you're looking at.

Also consider cost. I didn't really speak about this on the ancestry slide, the previous slide, but there's a lot of information that's available out there. Some of it's free; some of it is free and good; some of it's free and not so good; and some of it's going to cost you a lot of money. It all depends on what you're doing, so you need to really consider the cost: am I getting value for this, is this useful or not?

Now, as you go through and do your research, whether it's on threat intel or genealogy, you're going to hit a brick wall. That's what we call it in genealogy:
you're going to hit a brick wall, you're going to get stuck, and this is where you start to evolve and become a better genealogy researcher, a better analyst. When you do get stuck, what do you do? You've got to get creative. You've got to start looking around, get different approaches, break out of your bubble and start to look at things differently. Maybe get out from behind the keyboard; go to a library somewhere, go to a local history center, maybe a church, maybe mail a letter.

So my brick wall, as I was going through, and I said it took me seven years to get the Sons of the American Revolution application through: my brick wall was my great-great-great-grandmother, Mary Gray. She was buried in a small cemetery back home in Diamond Lake, Illinois, in 1852, and one of the problems I had with her was I knew her married name, and this is not an unusual problem. She was married in 1842, I think; I don't have proof on this, it's just a suspicion of mine based on her children's ages. But the census data, starting in 1850... all of the census data, every 10 years, changes, and they ask for different pieces of information. Starting in 1850, they start to list out all the inhabitants of a house; prior to that, they only told you who the head of the household was and gave you a count of who might have lived in the house. That makes it kind of difficult sometimes to find out who all the children are for a particular family, and so that was my situation here. So Mary Gray, she's married, passes away in 1852. I don't have older census data to link her to her family. I mentioned I believe she was married around 1842 in upstate New York. At that time there were no death records kept in Lake County, Illinois, in the 1850s. I didn't have an obituary that I could find. I did find later on... oh, actually, I
contacted the cemetery, and she was one of the first people buried at this particular cemetery. They had to pull out the old book; they didn't even have it in their records. They had records showing that her husband bought four cemetery plots and that she was buried there along with a couple of other family members, but they didn't have much more information for me. However, I found one of her daughter's death certificates from 1925, and it lists out her mother's maiden name. So now I have her maiden name of Soper, and I'm fairly certain I know who her family is; I know where they're from in upstate New York. I just don't have the links tying her to her parents. I have a number of her siblings that I've managed to connect back to the parents through other records, but not Mary Gray; she was one of the first ones to leave the home.

So her father was actually kind of interesting. At this point I had been trying to go up to Mary Gray, and now I'm coming down from up on top, from her father and her grandfather. Her father actually served in the War of 1812, and there are records available at the National Archives. I reached out to the National Archives and got a wonderful trove of information, but nothing tying me to Mary Gray, unfortunately. There were a number of handwritten letters to the US government in this packet; this was part of land bounty applications. When you served in the War of 1812 you were actually able to get a couple hundred acres out west; they would give it to you for your service. So this ancestor's wife had been applying for that, and she had written affidavits from people, and so I had a number of handwritten letters, which were interesting, but again not tying me back to my ancestor Mary Gray. Joseph Soper is this gentleman's name, and his father actually served in the Revolutionary War, and so again I don't have records leading back to there as well. So it's kind of frustrating, but I banged my head on this brick wall for quite a while, and finally I realized I needed to go around and come at this from a different angle. One of my cousins, who has been doing a lot of research, suggested, why don't you look down this family line a little bit and see if you find something, and that's where I was able to break through that wall, go around and come at this from another angle. I'll come back to that in a few slides here and talk about the ancestor that I've eventually tied
into. So just like in genealogy where we hit a brick wall, we're going to hit that in threat intelligence too. Sometimes you may have something that just stops you in your tracks, and this is where you have to start getting creative in your research. Sometimes you might want to go through some paid sources. You may need to talk to some folks that you work with, maybe reach out to some colleagues that you've worked with in the past at a previous stop, maybe do some good old-fashioned OSINT. I know an increasingly frustrating avenue for researching domains is WHOIS privacy services; a lot of us run into those, and we're stopped because the WHOIS information we've had in the past just isn't there anymore. Sometimes, if we have some good sources, we can go through and do some historical WHOIS registration lookups, and we might get lucky if the domain is old enough and maybe find an old email address that had been used several years ago and start doing some searches on that.

One thing I've been able to do is go through and look at the page source on a domain I'm researching, and sometimes you might find something like a Google Analytics ID or some other kind of unique string that's interesting. Then I'll turn around and use PublicWWW to do a search for that string, and that'll help me tie together several domains that I might not have realized were associated with each other. So we can start to use some different tricks to help us tie things together. Another thing I'll do sometimes is look at the IP address; maybe there are some other domains co-located together. Again, you have to be careful with that, because it may just be a public IP address, but if you have two or three different domains on a particular IP, they might be related. Another area: there was the talk this morning about JA3 hashes. Did anybody here get to see that talk? Okay, yeah, good talk. It's a good concept, and there's a lot of work being done in that space that might be useful for some of this type of research. So break out of that mold and start thinking about different approaches; instead of going in through the front door, maybe go around to the back door and get your way in.
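To make the page-source pivot concrete, here is an added Python example (written for this write-up; it is not the speaker's tooling and does not use PublicWWW's service) that pulls Google Analytics-style tracking IDs out of saved page source and groups domains that share one. The domains and HTML snippets are constructed; in practice the page sources would come from your own fetches or a search result set. The clustering function takes any extractor, so the same code groups domains on any other unique string you pull from a page, which goes a little beyond the analytics-ID case the talk describes. As with co-located domains on one IP, a shared ID is a lead to verify, not proof of common ownership, since site templates and agencies reuse tracking IDs too.

```python
from __future__ import annotations

import re
from collections import defaultdict
from typing import Callable

# Constructed sample page sources keyed by domain (not real sites).
PAGES = {
    "shop-deals.test": '<script>ga("create", "UA-12345678-1", "auto");</script>',
    "fast-offers.test": "<script async src='https://www.googletagmanager.com/gtag/js?id=UA-12345678-1'></script>",
    "news-portal.test": '<script>gtag("config", "G-ABC123XYZ9");</script>',
    "blank-page.test": "<html><body>coming soon</body></html>",
}

# Universal Analytics (UA-xxxxxxxx-n) and GA4 measurement (G-XXXXXXXXXX) ID shapes.
TRACKING_ID = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")


def extract_tracking_ids(html: str) -> set[str]:
    """Return every analytics ID literal found in a page's source."""
    return set(TRACKING_ID.findall(html))


def cluster_by_artifact(
    pages: dict[str, str],
    extractor: Callable[[str], set[str]] = extract_tracking_ids,
) -> dict[str, list[str]]:
    """Map each extracted artifact to the sorted list of domains whose source contains it."""
    clusters: dict[str, set[str]] = defaultdict(set)
    for domain, html in pages.items():
        for artifact in extractor(html):
            clusters[artifact].add(domain)
    return {artifact: sorted(domains) for artifact, domains in clusters.items()}


def linked_domains(pages: dict[str, str], min_domains: int = 2) -> dict[str, list[str]]:
    """Keep only artifacts shared by at least `min_domains` domains: the actual pivots."""
    return {a: d for a, d in cluster_by_artifact(pages).items() if len(d) >= min_domains}


if __name__ == "__main__":
    for artifact, domains in linked_domains(PAGES).items():
        print(f"{artifact}: {', '.join(domains)}")
```

Running it on the constructed pages reports that shop-deals.test and fast-offers.test share UA-12345678-1, while the GA4 ID on news-portal.test and the empty page produce no pivot. Every pivot that comes out of a run like this should go into your notes with its source, for the same reason the talk gives for genealogy: a single shared string is a lead, and the write-up needs the supporting evidence behind it.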
Sorry. So that all leads to where I am now. Last year I was able to put together an application for my Sons of the American Revolution membership, and this is not unlike doing a detailed report. You have to pull all this information together; you have to grab all kinds of birth certificates, death certificates, marriage certificates, any supporting information to help you establish your relationship to your ancestors. I took a lot of time and went through and laid this out in a very logical way. I worked with my sponsor at the organization, and he helped me to lay it out in a very clear, concise manner so we could get the application packet in, and it has to go through several layers of review, just like if you're going through a review process for a report you're working on; very similar thing. So I had to go through my local chapter, the state level, and then up to the national-level folks.

One of the gaps I had in my application, and the state officers pointed this out, is my great-grandmother's death certificate wasn't included with my application, and he's like, why isn't it here? You need this in here. Well, with my local chapter we had decided not to include that because there was a discrepancy. Remember I talked about embracing discrepancies, right? Well, what we found on the death certificate was that my great-uncle had actually gone in and reported her death and filled out the death certificate, and there was a field in there for father's name, and Uncle Duffy literally put his dad's name instead of his mother's father's name. So this was causing some confusion. To add to that, his father's name and his grandfather's name were both William, so we weren't sure who was what. So when I was working with my local sponsor, he said, let's put this on the side, because this is going to cause some questions. Well, by not putting it in there and taking the time to explain, hey, yes, we have this death certificate, we know there are some errors in here, we have supporting documentation showing the proper relationships here, it caused some questions when it went up to the state level and actually slowed down my application process. So sometimes we think we're trying to be clear, and, you know, don't pay attention to this; sometimes it's important to embrace those discrepancies. So we went ahead and put that in, and it cleared some things up.

The other thing that I did: most of the time you're looking for census records, and the big three that they look for, when they can get them, are birth certificates, marriage certificates and death certificates. But when you start getting back into the seventeen and eighteen hundreds, you have to get a little creative. One of the unusual sources of data that I had, I actually had to mail away for. I couldn't just pull it up online; I actually had to get out there and do some things the old way. I had to send away for a copy of a local history book, and in particular this was out of Osage County in Missouri, where my grandmother had grown up. There was a local history book from 1890 that had a bunch of my family history in there, a bunch of so-and-so begat so-and-so, who begat so-and-so; it read like that. So I'm reeling it in a little bit, but it was really an interesting thing to go through and see how they came to Osage County and later came up to northern Illinois, where I grew up. This was a really useful source for me as well because it allowed me to get back a couple more generations.

So, similar to what I had to go through with the Sons of the American Revolution application, when you do threat intel analysis, at some point you're going to have to put together a report, a write-up. It could be a summary, it could be a long, detailed report, and you're going to have to do the same types of things. You're going to have to document the work that you did, you're going to have to prove what your assertions are, how much confidence you have in your assessments, right? It's the same type of work. You have to carefully go through that write-up, you have to support it and document your different things.

Okay, so as far as my actual application itself,
the ancestor I ended up going back to is named James Ford, and he's kind of an interesting person. You can see here: the top picture there is from a document called the Journal of the House of Burgesses of Virginia. James was an interesting guy. His father was a Huguenot; he was a French Protestant who came over to America to escape religious persecution in the late 1700s. So James was born to his father, Job, here, and James grew up just outside of Richmond, Virginia. He actually participated in the French and Indian War; he was in the Battle of the Meadows, also called the Battle of Fort Necessity, which is just up over the line in Pennsylvania, which was one of the first battles where the French and Indian War really started. You can see he lost an eye, and so this document that I found was him submitting a claim for restitution, and he was granted some relief; I forget the amount, but they did approve his pension request.

Later on, during the Revolutionary War, you can see in the bottom document there, a picture there, that during the Revolutionary War we didn't necessarily, as a country or as a colony, have a lot of money, so we would give certificates to say, hey, we'll pay you back later. James Ford Senior actually was given a certificate for three bushels of corn, and he allowed seventeen horses to pasture on his land; he was supporting the Virginia militia. I haven't done any research on that yet, but that might be something I do down the road. I also know, I haven't done the research yet, but I know his son James Ford Junior was also a soldier for the Virginia militia, and I'm probably going to do a supplemental application to get him notated as well. But this is all part of the end result, right?
So now, because I've done all this work, I've done all this research, now I'm a member of the Sons of the American Revolution, and I can go walk in parades and things like that. We do a lot of different grave markings to recognize other Revolutionary War members, and we do a lot of research and outreach to kids in the schools and things like that. But at the end of the day, whether we're looking at family history or whether we're looking at threat intel research, there's a rigor we need to make sure that we're actually going through and documenting things properly, we're putting in the work, we're making sure we vet the sources, and all of those things that we have to do.

So I'll give you guys back a couple of minutes here, but I want to thank everybody here for coming in and listening to me drone on about my own personal family history. I know it's probably not as interesting to you as it is to me, but thank you for your indulgence. If you haven't been doing any of this and you'd like to talk about how to get started, please come up and see me afterwards. Two organizations here: Sons of the American Revolution, Daughters of the American Revolution. There is another group for children particularly. When I applied, my son and I are both considered Sons of the American Revolution; my daughters aren't 18 yet, so they can't join the Daughters of the American Revolution, but there is a Children of the American Revolution organization that they can join. But I'll be here for a little bit if anybody wants to talk shop at all or ask any questions. I just want to thank everybody for your time, and thanks for being here.