
How to develop Threat Intelligence in your organization?

BSides Warsaw · 2016 · 55:30 · 660 views · Published 2016-10
About this talk
Author: Jacek Grymuza

Hello everyone for this presentation dedicated to Threat Intelligence. My name is Jacek Grymuza. For more than 8 years I have been dealing with security, mainly security-operational center. During my presentation I will tell you a little bit about how to improve your security using Threat Intelligence. If any of you works in any sort of security or tries to detect security threats, I hope that someone will find out how to fix it. As for the subject of my presentation, it looks like this. I will say a few words about the recent attacks. I will tell you what is Threat Intelligence, how to develop it in the organization, a few words about the new law that will be

introduced in the European Union, the so-called General Data Protection, and a few words about the (ISC)² Poland Chapter, which I am the representative of.

I would like to start my presentation with the words of the famous philosopher, Sun Tzu, who said that to be able to win a war, you must know your enemy and also yourself. This is an analogy to cybersecurity, to protect against cybersecurity, which is very important. Not only in military operations, but also during cyber defense, it is useful. As for the examples of attacks from recent years, the first was the attack on the power plant in Ukraine, where the Russians cut off hundreds of thousands of people from electricity. Another very loud attack was the attack on uranium-producing helicopters. The countries involved in this attack were the United States and Israel. And the APT1 group, which stole data from many companies in Europe and

USA. Generally, I wanted to show that more and more attacks are targeted. Public information and signatures are not always able to detect all attacks. APT attacks are targeted at a certain company and are really difficult to defend. What is threat intelligence? It is knowledge about motivation and methods of attacking. Generally, how the attacker performs his activity after taking over a given company. Knowledge about this allows to take appropriate steps to detect such a threat. IOC means Indicator of Compromise and everyone thinks that threat intel is IOC. Unfortunately, it is not. IOC is an indicator that allows you to detect threats such as IP address, URL. However, what is critical is learning about attack methods, so the TTP parameter.

All this information helps in analyzing safety incidents. As for the steps, we will see them in the diagram, which I think are important for the construction of threat intelligence in our organizations. I will briefly talk about each step. However, at the very end of our presentation, I will tell you the details of these stages. The first stage is the identification of critical assets in our organizations. We should be aware of what is important for our organization and what business we have, what business we run. If we run a business related to activity, we are a political party, then for us an attack on evil, a change of side can be very dangerous. However, if we have business related to finances, then all transactions

are critical for us. The next step concerns the identification of the attacker. There are different motives related to activity. Some want to hide the money, others want to do something else. I'll tell you about it in a moment. IOC management. IOC management concerns all these compromising indicators such as IP address, URL, etc. More in a moment. Using intelligence in security systems. In almost all security systems, feeds of evil IPs are currently supplied. However, we cannot rely only on this knowledge, because there are many available sources of data on threats, which we can further enrich our security systems to improve security even more. The next stage is related to the communication with the security community, i.e. all kinds of documents

related to the analysis of the correct programming, which very often contain many indicators of how attackers proceed and how they can be detected. Very often during such analysis there are compromising indicators at the very end, so even if we do not understand the whole analysis, it is worth simply looking at these analyses from the point of view of the compromising indicators themselves. that may be critical, but are not critical at the moment, but are some strange information, unusual behavior, with which the analyst does nothing at the moment, because according to him it is false positive, in a few months it may turn out that it is already a symptom of a malicious action, an attacking action. Therefore, let's not take any steps, and

how to use these tools to store such things. In large organizations, large SOCs, global SOCs, there is a dedicated group of people dedicated to looking for new threats, so-called threat hunters. Of course, large companies can afford it, large organizations, but small ones, unfortunately, not always. Monitoring of the underground, which may lead to the discovery of new trends on the black market, i.e. what viruses have been created, or what is the correct programming. Of course, a lot of security uses this knowledge base from the black market to buy out anti-virus programs, and the right programming to learn how the specific, wrong tests work, in order to prepare their signature in their security systems. Cooperation with companies specialized

in this field, of course, the solution for the rich, when it comes to all the steps I have presented here, they are used to help in the analysis, detection and mitigation of security threats in our company. The first step is to consider what critical assets are. Usually it is related to finances, i.e. all data related to credit cards, personal data, intellectual value, i.e. all sensitive data should be usually an object, not only because of the high amount of money, but also because of the high penalties. As a result of data leakage, there are very high damages. trading on the black market with these threats, with these data is very popular. One of such regulations, sorry, one of such regulations,

which was discussed yesterday, is GDPR regulation, which was discussed yesterday, so I just wanted to emphasize that there are very severe penalties for mistakes related to improper storage of personal data. Therefore, the manufacturers of security systems offer various solutions to mix the data in such a way that even the attacker and not use the stolen data. Of course, this information is for... I see that there are a lot of young people in the room, so in connection with this regulation, the need for people, so-called information security administrators, will probably increase. This is a suitable DPO for the border. So here it may be worth considering the topic of choice, path of development. This bill will be introduced in 2018. The next step

is related to critical... It's the same step, but it concerns critical resources analysis. What do you think is the greatest risk for your organizations and companies? What is the greatest threat to the government? People. My colleague said people. Maybe I'll tell you... Auditor. This is a person who... Can I turn off the Facebook? Okay. So why an auditor? Because for the board of directors of our companies, the most important thing is that everything goes through the green in the audit reports, that all the columns are consistent. We have general security on paper, but it is not necessarily the case in our organization. From the business point of view, this is the most important thing for

them. Of course, security is cost. The next stage is related to motivation. The most money-making is related to financial problems. For example, a good programmer in the USA earns a lot of money, while in Brazil, it's a bit different. It's also a motivation for them to create the right software and sell it on the black market. Another group of people are sponsored to show intellectual value and various patents that make a company that provides unique services less competitive. In general, it can lose customers through such activities. Their activism is related to views. Compromising indicators. The main element related to Threat Intelligence are IOC indicators. Everyone knows them. The most popular indicator is IP address, which can be

associated with botnets, malware, DDoS, APT attacks. Another popular one is If we see traffic in our organizations from some unusual, if our business is about a specific area of one country and we see traffic from other countries, it can be a way to get interested in such connections. URL addresses related to crypto with ransomware, phishing, etc. etc. Here are the other indicators used in IOC feeds. There are several problems with IOC indicators, especially during the update period. If we have these feeds quite rarely updated, we will have many false positives. That's why it's important to consider that feeds that are not reliable for us should be monitored and alerted, not blocked, because we can block the allowed traffic. As for another problem, remember that

some feeds, for example, feeds related to Zeus or Frodo, are related to the IP address itself. Sometimes there is no information about the domain that is connected. On one server there may be several setnumers, and only one or two can be malicious. So, in fact, if we block the entire IP, we can block the allowed traffic. So we need to remember that. A so-called "Bianco pyramid" was also created. A "Bianco pyramid" shows the dependence between the compromising indicators, how much effort the attacker has to make to get to our network. Generally, the higher we are, The more we are in the pyramid, the more the attacker has to pay more to break our security. Here is a link

to this information. As for the parameters, the value of the hash can be easily modified, just add a null byte and the indicator is completely different. The value of the IP, everyone knows that attackers use various types of anonymizing mechanisms. Tor, Proxy and very often they use jump hosts for the right attack. So first they break into some university and then they do something wrong. When it comes to domains, it's a bit more difficult, but it's related to domain registration. There is a method, but it is not a big challenge for attackers. When it comes to network host artifacts, all the indicators related to strings, different peaks, catalogs, specific attributes, URL parameters, such as user agent, for

example, these indicators make the job a bit harder, it's easier to find the attacker. But if we know the tools used by the attacker, then we have a good team. We have a good team, a blue team, and we have a lot of knowledge about the attacker. The attacker must switch to other tools, the attacker must pay some costs. It is very difficult to train him in his activities. When it comes to TTP, there is already expert knowledge, and here, especially qualified companies and researchers have such knowledge about the behavior of attackers, exactly what paths, what catalogs, I once talked to a specialist who deals with returning a film to its original state after attacks. He said that they have this knowledge and after a few hours

they can tell what crime group hacked them. After a few minutes, when he knows a few specific attributes, he knows what the film did. Whether the film stole money or something else. I won't advertise this company, but generally there are companies that specialize in it. As for the next thing, I have prepared here for you a list of URLs that you can use to analyze potential compromise indicators, for example, to check the IP of the URL, I will just name the most popular indicators here, it's probably VirusTotal, URLVoid, urlQuery. I personally like the thread system, I mean the sense page, which shows what threats were detected in the last time, related to... Oh, it stopped working. Related to the last...

But it works. Excuse me. I just mentioned that I use the SAMS website because there is a history of information about a given IP address in the context of several threats. So there... Okay. There are also many reputational websites for verifying the reputation of suspicious IPs and suspicious URLs. It is worth using many of them because, as I said, some reputational databases generate a lot of false positives related to spam or some more dangerous Therefore, we can block it, because if we do, it may turn out that the address will disappear from the blacklist and the normal traffic will be left on the IP and some part of the business may stop working. If we have companies that cooperate with us, they want to get

to us. Here is an example of a list from a feed that provides information about the correct programming, mainly about the CryptoLocker. It works on the basis of the DGA algorithm. DGA, which is used by many, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of

people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of

people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of

people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot of people, by a lot but it shows interesting dependencies between various IPs. For example, the IP address that is suspected is connected with other reporting indicators, with reporting databases like Zeus Tracker or Alien Vault, which I will talk about in a moment. Here you can see other dependencies. So if you see something in your network that you are not sure about, it is worth checking on several websites for free what is happening, if something suspicious is happening in your network. And you can quickly make an analysis. If you have a problem with some suspicious files, you can upload them to a free

cloud, to some netbox, and it can analyze some peaks. Of course, you should remember that these peaks to avoid sending any corporate data, because we never know who will analyze this data. Usually companies that work with anti-virus companies have special communication channels for such files for companies, so you can do it directly with a company, with a safe method, with the use of some appropriate legal regulations to ensure that this data I do not recommend sending any files from clients with some infected Excel to anywhere. As for the security community, generally, if we monitor security, we must remember that to be up to date with the current attack vectors, threats, and tricks used by attackers. Of course, this knowledge is

available on the Internet and you can use the CERT websites, where there are various warnings related to certain sectors. Of course, all the blogs, forums, social media. People who are engaged in defense, it's a day for them to do a review every day. I wanted to present here a few more advanced solutions that show a little more about threats. The first one is related to the AlienVault product. The next one is a data mining, ThreatMiner. ISEC provides advanced IOC feeds, but they are paid feeds. So you have to pay them to send them to our sector. We can choose a sector, whether it is a financial sector or any other. I honestly don't know. I don't know, but as far as I

know, it's a lot. But we can talk here, because I know... I would have to ask. I know that... At this point, ISEC provides information, for example, that the titles and mails are related to a given campaign. Of course, it provides other information, such as popular IPs, URLs, etc. However, there are a lot of details that are not on open source websites. Of course, companies from the industry, large companies, can afford it. It's a little bit worse. There is a website called Hackmageddon, where threats are presented. And of course, all the blogs related to security. I personally read Talos, SpiderLabs and Unit 42. These are blogs that I try to read regularly. Here you can see the view from AlienVault. What do we

see in this field? If you log in to the AlienVault website, you can see what threats have been observed recently. Yesterday, there were 117 domains related to the config. Here is information about a new threat to POS a few days ago. There is information The description of the threat, the classification, i.e. green, you can share this information according to the community. Here we got three IOC indicators that help us to detect threats related to the domain, file hash and URL. Generally, by implementing a search in our systems, after these three attributes, there is a possibility to search for such communication in our company. Of course, we can also implement mechanisms that will create such a situation

in the future. Another website, ThreatMiner, also provides a number of information about threats, along with a detailed analysis of what is happening, what is the vector of attack, what to pay attention to. All this information can be used in organizations to check. To check if we have something like that. Hackmageddon. I'll go into this by accident. Here are all attacks in the sector, for example non-profit organizations, health organizations, sports. And there is a group described, that the APT28 group who attacks such and such agency, such and such company and what they do. And whether it is related to cybercrime, or it is related to activism. It is also worth following such information, because it is never known who

targets something or has already targeted something. Of course, using IOC. Not every security system is able to provide a lot of feeds automatically to their products. They put sensors, manufacturers put their sensors in all parts of the world to collect as much information as possible and use them in security products. I would like to talk about a few tools that help manage IOC.

Maybe I will not mention Apollo Automime, but the company boasts that it delivers a lot of feeds from various sources. I would like to know this product in order to consider whether to use the feeds that they use in their products. Mandiant gives a notepad for collecting information about IOC. IOC attributes are very interesting, so you can use it for notifying. I like wooden structures, so you can notify them. This is useful for SOC analysts. who can add their notes to help the colleague who has more experience in analysis.

Ok, and actually I like the tool called Malware Information Sharing Platform. It is used by NATO and many CERTs around the world. As far as I know, in Poland banks have agreed to use this tool to exchange information about banking threats. I don't know at what stage it is. However, I would like to say a few words that here A few months ago, there was a training organized by the authors of this tool during the SCS conference. Of course, everyone has access to the materials related to this system. You can go there, play, have fun, and see if you need it. Generally, this tool allows It allows to add information about threats, which makes it easier to work in detection teams.

Detection with threat analysis, because we can add information about certain threats, certain indicators to such a common database. We can communicate with different communities, for example, related to our business sector, the sector we work in, and so on. I think this platform makes more and more sense. Is it free? It is free. This is open source, you can create various things there. Here at the bottom is... Sorry, I went the wrong way. Here is a link to the training, there is a number of presentations and information. Of course, the authors are asking to help in improving these tools. Of course, there may be some feeds that are paid somewhere, but the platform itself is open source. I also heard that the

exchange of knowledge with other companies is also possible. If a company logs in and wants to use the system externally, not only for its own internal threats, but also for public ones, but also exchanges with various information, then you have to take into account that if we do not provide anyone with any knowledge about threats, it will also be difficult for someone to pass on this information to us. This is what the platform looks like. In short, you can add any kind of information, various indicators, links to analyses. I think it must make it easier for people who are in the security industry, because many people, perhaps, analyze one problem on one threat and everyone,

when adding their thoughts on a given threat, should better organize work for such people and exchange information. Regarding a given threat, Ok, here are some examples of attributes that are used in this system. Of course, you can create your own attributes, taxonomies, also implement a number of them, depending on what we need. We can do mixes. In fact, there are many of these software. If someone is interested, I recommend just to take a look at this product. Maybe it will be useful to you. As for... knowledge, update knowledge. As I mentioned before, at the moment, many of our internal analyses may end up with the statement of "false positive", but after a few months it may turn out that these

were some indicators that actually which were actually a whole of greater activity. So it is worth knowing what we have in the organization and noting all kinds of threats, at least from the MISP system, to be able to correlate this information later. Of course, the knowledge in your company is quite interesting. We would like to say that the attackers know the company better than the administrators in our companies. Why? because there is often such a mess in large organizations that the administrators themselves do not know about services that have not been turned on for many years and in fact the attacker, when he catches such a machine, he can make his plan very quickly. And in large companies such a mess can be useful. I

once saw an analysis such an attack, then later people who were engaged in research, analyzed this problem, showed a list of hosts and so on, the whole structure of the company, the administrators were surprised that it was their company, because many hosts did not even know. So, in fact, that's how it looks. As for in-house research, large companies can afford it, some CERTs, but small companies don't always have the right people to dedicate them to finding new threats, to analyze the movements of other sensors. But large companies like global SOCs or CERTs do these things to detect anomalies. Another thing is related to observation of black market. On black market you can buy software without any special

knowledge, for 1000$, without any knowledge about attacking, later use this tool and earn money on this "croc". Based on RAND documentation, which is one of the best documents describing how the black market works, I have put a few slides for presentation. As we know, at the bottom there are people who buy and sell these products. There are also intermediaries who provide services. As you know, you can buy a video channel, you can buy many other services. There are also people who are experts in security, who are looking for zero-day activities, who create malicious software, and at the top there are administrators who manage all of this. It's getting harder and harder to recognize the communication between people who provide such

illegal things because they are getting more and more secure using various TORs, VPNs, etc. It used to be some forums, emails, IRCs, now it's a bit harder to track them. But what products can you buy? Exploit kits, zero-day, services, botnet, DDoS. It's a few dollars, and buying DDoS services for an hour, I don't know, I'll probably have a price list in a moment, maybe not up to date, but it should be somewhere. As far as such important data is concerned, we can buy credit card data and use it later. Here is the entire portfolio related to services that are available on the black market. I don't know if you can see it further down there, but there is a link to

it down there. Here we can see the prices of such exploit kits, that these are hundreds of dollars, hundreds of several dozen dollars. An ordinary user can buy such a tool on the market and try to fight the world, earn money from it. When it comes to cooperation with companies specialized in this, of course, this service is already dependent on the size of our organization, on our portfolio. However, very often companies, only after the attack, when nothing can be done, use cooperation with such companies. In Poland, it is not so popular. Maybe there were some situations when companies were not so popular. I don't know why it is happening, but in the West many companies use such services and are still in

consultation with such companies. These are the data from the document which was worked by the group of researchers in cooperation with some independent experts. From what I know... It's not complete. How do you... When it comes to the price, credit card prices are getting cheaper. It's getting cheaper and cheaper to buy data, data leaks. However, I suspect that when it comes to some zero-day iPhones, they are very expensive. This study was done two years ago, so the latest entries were from 2013-2014. I recommend this document, maybe there will be more information about these price tags. Of course, this is probably some average price based on which it was estimated. Returning to the topic, slowly ending this presentation,

generally, why do we need all these feeds? Why should we bother to look at IPs and download them? Generally to improve our security. Monitoring should be 24/7. Our logs, which are correlations of different types of threats, should be also correlated with IOC indicators. We can use specific threats. We can check in systems that have a knowledge base about threats and we can do the opposite. We can power our security systems with IOC indicators. Why? You have to remember that having knowledge Threat Intelligence knows what can happen to us and we know what happened to us. We know what happened to us, what attacks, what problems we had, what our disabilities are. It is very helpful

in shortening the time. Why? I will tell you why in a moment. There is also a methodology of defense, of fighting against cybercrime. Cyber kill chain, in general, depending on the attack phase, appropriate methods of action are taken. I talked a little bit more about it during Confidence this year, so if someone is interested, they can google it, or about this method at all. When it comes to such important information for us, there are times of detection, according to many companies, this indicator looks a bit different, but it certainly does not look good, that advanced APT attacks are detected only after 469 days, for example, according to the Mandiant company. It also looks better in the world. But let's

think about these feeds. If we see in the context of these feeds, how many attackers can do in this time. It is very, very much. We don't even know that someone can sit at our servers at this moment, and we will find out about it after some time, when the data will be out. Let's take an example, for example, a necessary programming that will be detected within 6 months can be caused by the following: usually data leakage, we lose a lot of credit cards, of course, it is a big cost, a big loss, but if we detect this data, let's assume after 18 months, then these credit cards will be used. We can still do something there, we can still block these

cards, inform users, do something. However, after 18 months, these accounts are already cleaned very often. To sum up, Threat Intelligence aims to speed up detection of safety incidents by improving our knowledge about attackers. If we know our enemy, we know what methods he can use. We can prepare for something new, we don't know about something. Of course, on the basis of this, we can improve our security policies, improve and prevent the appropriate Often, when you see threats, notifications, warnings from US or Poland, you can get a lot of recommendations, that you should turn off a certain service, set up a certain configuration on the devices. Maybe we don't have a system and we need to take care

of this to improve the security.

Generally, it is about getting to know attackers, to know what they can do to us, and to be able to reduce the time of winning such an attack. If someone is interested in this topic or in security operation center, I recommend the first position related to threat intelligence. If someone wants to know more about this topic, I recommend this position. If someone works in the defensive, Blue Team Handbook is quite interesting. or crafting the infosec playbook. Additional links related to Threat Intelligence, APT analysis made by a company. There is exactly described what the attacker does, what mails, All the details can be seen, how such a professional company describes such an attacker and boasts about these successes after a few years,

when many security manufacturers have already recognized this threat and a given company wants to boast of its achievements. Of course, to have current information about attackers, you have to work with companies that specialize in this. Ok, now a few words about the chapter, the (ISC)² chapter, which I belong to. I would like to ask how many people in the room have a CISSP certificate here? Are there such people? Oh, there are a few, nice. In general, I will tell you what we do. CISSP is one of the most popular certifications. I will not generally talk about what the (ISC)² organization is, I just want to say that Poland has 415 people who have CISSPs. Is it a lot or

not? It's hard to say. In my opinion, it's not a large number in Europe. Maybe that's why this certificate is so recommended or so respected. As for other certificates, This is how the security of this organization looks like. I don't know if anyone is interested in this. A few words about our association. Our association is engaged in meetings every month. We have a meeting that lasts two hours, we talk about security, usually there are two presentations. We have some more ambitious plans, but only when we have the association, we will be something more active. Meetings are free for everyone. If someone would like to come to the meeting, we invite you to come. Another meeting will

probably take place on October 27. As for here is our e-mail address, our profile on LinkedIn and sorry, our website www. If you want to be our government, you can be our president, we are not interested in that. All the security issues are taken care of by us. Generally, we focus on talking about security This is the main goal of our activity. As for the topics we discussed at our meeting, there were topics related to Security Operations Center, topics related to tax detection, pen tests, cryptography, here one of our colleagues is in the room, topics related to cryptography, but also soft topics such as recommendation D or some other topics. I warmly invite you to join and come to the meeting. It costs nothing. At

this point I can't say when the next meeting will be because it is not confirmed yet, so I'm sending you the link to check the information on our website. Or send us an e-mail with a question. If you are interested, we will add you to the distribution list and you will be informed about everything that is happening here. That would be enough for my presentation. Sorry for being so fast, but I thought I wouldn't make it, but I have a few minutes left. Recently, when I was practicing this presentation, it took me an hour and a half, today a little faster, so I probably missed some things. So if there are any questions, please. Microphone, can I ask

a microphone? Or maybe you can just speak. Okay. Have you ever had any problems with your equipment and maintenance?

What is the cost of running and implementing Threat Intelligence? Do you know any research? I don't know. I don't want to guess. You can ask companies that have big global stocks, but I don't know. I won't answer this question. I think that small company is easier to buy a service from outside than to make a team. However, a big company that wants to boast something I usually build. Yesterday I presented one of the representatives, and you can see that companies build their own PR based on their capabilities. These are giant and big companies. So that's how it looks. So 15 people to SOC. SOC has first, second, third line. These are some basic mechanisms, operations related to the detection. But they

have an additional team of people who detect, do research and they are scattered around the world. That's how it looks. My question is quite simple. It's mainly about if someone thinks about it and would like to convince the management of their own company to launch such a program, So this is one of the basic variables that are needed to make decisions by the board. You're right. I'm not hiding that there are many open source solutions. Many solutions can be introduced for free. Not everyone has to buy paid feeds. You can use open source as much as possible. You just need to know that open source can generate a lot of false. But any indicators of potential threats can be useful during analysis.

If an analyst sees an unusual behavior or threat, or an employee, and checks an email in a data repository, it doesn't have to be paid. it can be blocked automatically. But in AlienVault or some other system, it's like "Wow, this system is something evil, we're blocking it or we're doing something with it". There are few companies that use such paid solutions. But it's probably starting to develop in the topic that companies want to develop their services. One company, I won't say its name, but it has installed its sensors in China. It claims that first attacks are in China, and then it hits Europe. But China doesn't monitor it. Having its sensors in China, are able to prepare

signatures in their safety products. As far as I know, it is hard to say, but according to their research, they detect certain threats much faster, because they have a lot of sensors in China. Are there any more questions? Okay, I don't think so. Thank you very much for your attention.