Operationalizing Threat Intelligence to Battle Persistent Actors

1All material confidential and proprietary

December 2015

OPERATIONALIZING THREAT INTELLIGENCE TO BATTLE

PERSISTENT ACTORS

© 2015 ThreatConnect, Inc. All Rights Reserved


Monzy Andy


INTROS

3All material confidential and proprietary© 2015 ThreatConnect, Inc. All Rights Reserved

AGENDA

• Threat intel: Brief definition and “Why the heck should I care?”

• How to develop threat intelligence using the Diamond Model

• Use case: How ThreatConnect investigated Chinese state-sponsored threats using the Diamond Model

• Demo: How to operationalize threat intelligence using Splunk and ThreatConnect


THREAT INTELLIGENCEWhat it should be.



NO!AN INDICATOR FEED?

THREAT INTELLIGENCEis knowledge of your adversaries

that is useful for defense.


THREAT INTELLIGENCE DEFINEDIn the slightly more verbose terms, threat intelligence is the applicable knowledge of a threat’s capabilities, infrastructure, motives, goals, and resources.

Why do I care?

Intelligence will drive security. Your knowledge of threats consistently translates into your organization’s ability to take action

KNOW YOUR ENEMY

KNOWLEDGE IS POWER


WHAT DOES INTELLIGENCE-DRIVEN SECURITY MEAN?


• You’re mitigating issues across teams and sensors

• Feedback loops: not just “red” feeding “blue”

• Security becomes more proactive

• Not an end state, but a modus operandi

Awesome, how do I start? … It’s easier than you think.


A METHODOLOGY IS NEEDED


• Simple framework

• Ask questions to move from reactive to proactive state

• Grow knowledge & understanding of relevant threats

• Drive decisions for mitigation

THE DIAMOND MODEL OF INTRUSION ANALYSIS:


PUTTING THE METHODOLOGY TO WORKA Use Case



An md5sum discovered during investigation d19ba12127f48a4341ce643c819052f6

1


An md5sum discovered during investigation

d19ba12127f48a4341ce643c819052f6

1

2Malware domains in C2 greensky27.vicp.net


1

2 3

C2 contains IP addresses Clusters of IPs in ASNs in:Kunming, China;Bangkok, Thailand;Seoul, South Korea;etc.

Malware domains in C2 greensky27.vicp.net


d19ba12127f48a4341ce643c819052f6



a2378fd84cebe4b58c372d1c9b923542

3

Malware domains in C2

greensky27[.]vicp[.]netaseannew[.]8866[.]orgmyanmartech[.]vicp[.]netphilnews[.]oicp[.]netthailand[.]vicp[.]net

4

C2 contains IP addresses

Clusters of IPs in ASNs in:Kunming, China;Bangkok, Thailand;Seoul, South Korea;etc.


35

Domains all used bycommon malwarefamily NAIKON


a2378fd84cebe4b58c372d1c9b923542

Malware domains in C2

greensky27[.]vicp[.]netaseannew[.]8866[.]orgmyanmartech[.]vicp[.]netphilnews[.]oicp[.]netthailand[.]vicp[.]net

4




3

Malware domains in C2 greensky27[.]vicp[.]netaseannew[.]8866[.]orgmyanmartech[.]vicp[.]netphilnews[.]oicp[.]netthailand[.]vicp[.]net

45

Common targeting themes Southeast Asian decoy docs, most likely delivered in spearphishing attempts


6

Domains all used bycommon malwarefamily NAIKON


a2378fd84cebe4b58c372d1c9b923542




STACK UP YOUR DIAMONDS

C2 callbacks



INTELLIGENCE-DRIVEN SECURITY: BLOCK THE IPS?IPs are fleeting.Adversaries are

focused.Diamonds are forever.



CONFLICT WITHIN THE SOUTH CHINA SEAWHO’S BEHIND NAIKON?

Background

• ⅓ of the world's oil / $5 trillion in global trade, energy-rich area

• Multi-national dispute over territorial claims

• China claims the most of the region; has been the most assertive

• China’s cyber efforts support a robust political, economic, and military effort



THE PURPOSE OF INTELLIGENCE IS TO DRIVE DECISION ADVANTAGE


● What kind of decisions are you trying to make?

● Who is making those decisions?

● What processes need to be in place to support those decisions?

● How does the intelligence need to be delivered to be actionable?


TI Team

SOC Team

IR Team

ISAC/ISAO

SIEM

IPS/IDS

End-Point Protection

Firewalls/UTMIntelligence Feeds

Network Controls

Vulnerability Scanner

Web Proxy

Public Community

Private Community

CISO/CIO

C-Suite/Board

CONNECTED ON ONE PLATFORM

Copyright © 2015 Splunk Inc.

Operationalizing Threat intelligence

Demo

COLLECT DATA FROM ANYWHERE

SEARCHAND ANALYZE EVERYTHING

GAIN REAL-TIME OPERATIONAL INTELLIGENCE

The Power of Splunk

22

Why Splunk?

FAST TIME-TO-VALUE

ONE PLATFORM, MULTIPLE USE CASES

VISIBILITY ACROSS STACK, NOT JUST SILOS

ASK ANY QUESTION OF DATA

ANY DATA, SOURCE OR DEPLOYMENT MODEL

23

Turning Machine Data into Operational Intelligence

INDEX ANY MACHINE DATA: ANY SOURCE, TYPE, VOLUME

Online Services Web

Services

ServersSecurity GPS

Location

StorageDesktops

Networks

Packaged Applications

CustomApplicationsMessaging

TelecomsOnline

Shopping Cart

Web Clickstreams

Databases

Energy Meters

Call Detail Records

Smartphones and Devices

RFID

On-Premises

Private Cloud

Public Cloud

GAIN REAL-TIME VISIBILITY

Application Delivery

Security and Compliance

IT Operations

Business Analytics

Internet of Things

24

ITOperations


Developer Platform (REST API, SDKs)

Business Analytics

Industrial Data and Internet of

Things

Delivers Value Across IT and the Business

Business Analytics


Things

Security, Compliance,

and Fraud

ITOperations


Developer Platform (REST API, SDKs)

Business Analytics


Things

Delivers Value Across IT and the Business

Security, Compliance,

and Fraud

26

Splunk for Security

27

SECURITY APPS & ADD-ONS SPLUNK ENTERPRISE SECURITY

SIEM Security Analytics Fraud Platform for Security Services

SPLUNK USER BEHAVIOR ANALYTICS

Wire data

Windows = SIEM integration

RDBMS (any) data

28

Developing Threat Intelligence - 3 Take Aways

Disruptive Security

Operations

Track your adversary – not just alerts

Enrich event data to develop context

Develop your own threat intelligence

28

29

Demo Scenarios

Enrich alerts with intel from

ThreatConnect

Execute the Diamond Model in Splunk Enterprise

Security

Create new threat intel using Splunk

Enterprise Security

30

Demo

31

Backup Demo Slides

32

33

34

35

36

37

Demo Review

Enrich alerts with intel from

ThreatConnect

Execute the Diamond Model in Splunk Enterprise

Security

Create new threat intel using Splunk

Enterprise Security

Developing Threat Intelligence - 3 Take Aways

Disruptive Security

Operations

Track your adversary – not just alerts

Enrich event data to develop context

Develop your own threat intelligence

38

39

Traditional SIEMSplunkNext Steps

• https://www.splunk.com

Download Splunk

• https://splunkbase.splunk.com/app/1893/

Splunk app for ThreatConnect

• http://docs.splunk.com• https://answers.splunk.com/

Getting started and help

Thank YouQuestions?

[email protected]

@monzymerza


• Download the full CAMERASHY report for free on www.threatconnect.com

• Indicators shared in the common community & available to all Splunk users

THANK YOU! The following incidents are associated to the Naikon Threat:

20150730A: Satanserv Naikon Related APT20150619A: cmcsan Naikon APT20150617D: battale307 Naikon APT20150619A: cmcsan Naikon APT


http://www.threatconnect.com/

Technology

Operationalizing Threat Intelligence to Battle Persistent Actors