From 0 to Hero Actionable Threat Intelligence Raffaele Di Taranto - - PowerPoint PPT Presentation

SLIDE 1

From 0 to Hero Actionable Threat Intelligence

Raffaele Di Taranto – Vito Lucatorto Our Journey in CTI : Problems & Solutions in Critical Infrastructure

SLIDE 2
  • Cyber Security Engineer @ FS Holding
  • Experience in banking companies
  • Passionate about Threat Intelligence, APT and the aviation world
  • Hunts for new cyber defense and cyber attack techniques
  • Watchwords: automate all, be curious, cooperate

Vito Lucatorto

vitolucatorto@gmail.com https://www.linkedin.com/in/vlucatorto/

SLIDE 3
  • Cyber Security Engineer @ FS Holding
  • MSc Computer Engineering @ Politecnico di Torino
  • Experience in defence companies
  • In love with cyber security
  • OffSec for fun and study: OSCP, eCPPT
  • Watchwords: explore cyber at 360°, go deeper in securing architectures, monitor and automate where possible

Raffaele Di Taranto

raf.ditaranto@gmail.com https://www.linkedin.com/in/rditaranto/

SLIDE 4

Threat Intelligence: what is it?

  • Context
  • Tactics
  • Resources
  • Informed decisions
  • Attack prevention
  • Knowledge of the «threat»

SLIDE 5

Threat Intelligence Idea

How our friends see us · How we see ourselves · How society sees us

Just to be clear… this is our myth

SLIDE 6

Threat Intelligence as a Process

Hypothesis → Collect → Processing → Analysis → Dissemination → Feedback

SLIDE 7

Operational Threat Intelligence

  • Ongoing cyberattacks, events and campaigns
  • Incident response teams' insights on attacks
  • Speed up processes and make informed decisions

SLIDE 8

Operational Threat Intelligence Output

Indicators of Compromise (IoC)

SLIDE 9

Operational Threat Intelligence Output

IoC types: Filename, MD5, SHA1, SHA256, Email src, Email subject, IP address, Domain, URL, Financial data, Certificate

  • Indicators of Compromise represent technical «clues» of the presence of a malicious actor
  • The more reliable the clues, the less time wasted in security monitoring
  • Contextualize the data

SLIDE 10

Operational Threat Intelligence in SOC

TI Team

RTSM Team SDM Team MA Team IR Team

SLIDE 11

Bla bla bla… where is the experience?

SLIDE 12

Our Big Farm

  • >83,000 employees
  • >15 companies
  • >106,182 monitored IoCs

Data updated as of 08/07/2020

SLIDE 13

Tons of IoC…

Malware Analysis Team / Closint feed / Threat Hunting Team → THREAT INTELLIGENCE PLATFORM → PREVENTION TECHNOLOGIES

Every hand-off in this chain is manual.

SLIDE 14

Grow UP!

  • Defend the companies
  • Give value to the single IoC
  • Avoid false positives
  • Improve Incident Response
  • Automate and define all processes

SLIDE 15

Mind the Gap

Roadmap (steps 1-5): GAP

  • IoCs produced by the various teams are not standardized
  • Taxonomies not unified
  • No IoC decay
  • IoC prevention neither harmonized nor automated
  • False positive management only in the post-detection phase
  • Basic TIP with SIEM integration
  • No IoC enrichment
  • Manual IoC distribution process

SLIDE 16

Choose a Threat Intelligence Platform

Roadmap (steps 1-5): GAP, MISP

SLIDE 17

Choose a Threat Intelligence Platform

MISP

PRO
  + Various data import modes
  + Tag management
  + Organizations management
  + API availability
  + IoC decay feature
  + Sighting
  + Whitelisting

CONS
  - Support but no SLA
  - Time-consuming customizations
  - Experimental third-party integrations

SLIDE 18

Improve the FORCE

Roadmap (steps 1-5): GAP, MISP, FORCE

SLIDE 19

Improve the FORCE

  • Automatic massive import, differentiated by organization and operating group
  • Historical search in the SIEM
  • Whitelist-based detection to avoid false positives
  • Automatic tag system based on fixed variables or natural language
  • IoC enrichment

FORCE

SLIDE 20

Improve the FORCE - Big Brain at Work

Steps 1-3: Malware Team, SOC Team and Threat Hunting Team upload IoCs
Step 4: Check Whitelist → Upload → MA Team, IR Team

SLIDE 21

Improve the FORCE - Example of Whitelisting

Step 4, Check Whitelist: a whitelisted value such as google.ae gets TO_IDS = FALSE; the IoCs of the MA Team / IR Team pushed via REST API keep TO_IDS = TRUE

SLIDE 22

Improve the FORCE - Big Brain at Work

Steps 1-3: Malware Analyst Team, SOC Team and Threat Hunting Team upload IoCs
Step 4: Check Whitelist → Upload → MA Team, IR Team
Step 5: IoC Enrichment
Step 6: Automatic Tag

SLIDE 23

Improve the FORCE - Example of Automatic Tag

Step 6, Automatic Tag: examples URSNIF, APT28
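How steps 4 and 6 of this flow can be implemented, as an added example in Python that is not part of the deck and not the FORCE code of FS Holding: the whitelist check of slide 21 sets to_ids to false for a google.ae-style value, and the automatic tag step of this slide derives tags such as URSNIF or APT28 from fixed keywords found in the analyst's comment. The whitelist, the keyword-to-tag table, the sample uploads and the function names are assumptions; the attribute shape follows MISP's Attribute JSON (value, type, to_ids, comment, Tag).

```python
"""Whitelist check (step 4) and automatic tagging (step 6) before upload to MISP.

Added example: the whitelist, the keyword-to-tag table and the function
names are assumptions, not the FORCE code. The attribute shape follows
MISP's Attribute JSON (value, type, to_ids, comment, Tag).
"""
from urllib.parse import urlsplit

# Constructed whitelist: legitimate domains that must never reach the
# prevention technologies, whatever team uploads them.
WHITELIST_DOMAINS = {"google.ae", "google.com", "microsoft.com"}

# Constructed "fixed variables" table: keyword in the analyst text -> MISP tag.
TAG_KEYWORDS = {
    "ursnif": "malware:ursnif",
    "lokibot": "malware:lokibot",
    "apt28": "threat-actor:apt28",
}


def extract_host(value, ioc_type):
    """Hostname of a domain/hostname/url indicator, None for other types."""
    if ioc_type in ("domain", "hostname"):
        return value.strip().lower()
    if ioc_type == "url":
        # urlsplit needs a scheme to find the host; a bare "host/path" gets one.
        host = urlsplit(value if "://" in value else "http://" + value).hostname
        return host.lower() if host else None
    return None


def is_whitelisted(value, ioc_type):
    """True if the indicator is a whitelisted domain or one of its subdomains.

    The suffix test includes the leading dot so that notgoogle.ae does not
    match google.ae.
    """
    host = extract_host(value, ioc_type)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in WHITELIST_DOMAINS)


def auto_tags(text):
    """Tags derived from keywords found in free text (event info or comment)."""
    lowered = text.lower()
    return sorted(tag for kw, tag in TAG_KEYWORDS.items() if kw in lowered)


def prepare_attribute(value, ioc_type, comment, team):
    """Build the Attribute JSON the upload step would POST to MISP.

    A whitelisted value is still stored (analysts can see it) but with
    to_ids=False, so the prevention export never picks it up.
    """
    whitelisted = is_whitelisted(value, ioc_type)
    tags = auto_tags(comment) + [f"source:{team}"]
    if whitelisted:
        tags.append("whitelisted")
    return {
        "value": value,
        "type": ioc_type,
        "to_ids": not whitelisted,
        "comment": comment,
        "Tag": [{"name": t} for t in tags],
    }


if __name__ == "__main__":
    # Constructed sample uploads from two teams.
    for args in [
        ("http://realmalicious.com/bad.php", "url", "Ursnif dropper from MA sandbox", "MA"),
        ("mail.google.ae", "domain", "seen in an APT28 report", "IR"),
    ]:
        print(prepare_attribute(*args))
```

The whitelisted value is kept in MISP with to_ids=False rather than dropped, so the "Only Detection" style of use stays possible while the prevention export, which filters on to_ids, ignores it.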

SLIDE 24

Improve the FORCE - Big Brain at Work

Steps 1-3: Malware Analyst Team, SOC Team and Threat Hunting Team upload IoCs
Step 4: Check Whitelist → Upload → MA Team, IR Team
Step 5: IoC Enrichment
Step 6: Automatic Tag
Steps 7-8: SOC Team
Step 9: Malware Playground

SLIDE 25

Improve the FORCE - Example of Share knowledge

Step 9, Malware Playground: Sample Malware → Sandbox System (Vendor 1), AV System (Vendor 2), browsing proxy, AntiSpam

Company Group, SDM Team, REST API

COMING SOON

SLIDE 26

Explore the Farm

Roadmap (steps 1-5): GAP, MISP, FORCE, DOMINO EFFECT

SLIDE 27

Explore the Farm - Prevention

Step 1 (SDM Team): query MISP via REST API

curl -k -X POST -H "Content-Type: application/json" -H "Authorization: apitoken" -d '{"returnFormat": "json", "type": {"OR": ["url"]}, "published":true, "to_ids":true, "enforceWarninglist": 1, "includeEventTags":1, "tags": {"NOT": ["Only Detection"]}, "includeDecayScore": 1, "excludeDecayed":1,"modelOverrides": {"threshold": 1},"decayingModel": [21]}' https://misp/attributes/restSearch > /tmp/json/mispUrlBase

Step 2: data processing and normalization (TO_IDS = TRUE)
  http://realmalicious.com/bad.php … → Sec System Vendor 1 list
  *//realmalicious.com/bad.php … → Sec System Vendor 2 list
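The two steps above carried through in Python, as an added example that is not the SDM Team's script: the request body reproduces the filter of the curl on this slide (published, to_ids, warninglists enforced, the "Only Detection" tag excluded, decayed attributes excluded via the decaying model), the response is re-checked client-side, and each URL is normalized into the full-URL format of Vendor 1 and the scheme-agnostic *//host/path pattern of Vendor 2. The sample response, the vendor formats, the CA bundle argument and the function names are assumptions. One caveat the curl hides: -k disables certificate verification on the channel that carries the API key, so the fetch below verifies the MISP certificate against a CA bundle instead.

```python
"""Prevention export: MISP restSearch -> normalized URL lists per vendor.

Added example, not the SDM Team's script. The request body reproduces the
filter of the curl on this slide; the sample response, the vendor
formats and the function names are assumptions.
"""
import json
import ssl
import urllib.request
from urllib.parse import urlsplit


def restsearch_body(decaying_model_id, threshold=1):
    """Filter of the slide's curl: published, to_ids, warninglists enforced,
    'Only Detection' tag excluded, decayed attributes excluded."""
    return {
        "returnFormat": "json",
        "type": {"OR": ["url"]},
        "published": True,
        "to_ids": True,
        "enforceWarninglist": 1,
        "includeEventTags": 1,
        "tags": {"NOT": ["Only Detection"]},
        "includeDecayScore": 1,
        "excludeDecayed": 1,
        "modelOverrides": {"threshold": threshold},
        "decayingModel": [decaying_model_id],
    }


def fetch_attributes(misp_url, api_key, body, cafile):
    """POST /attributes/restSearch. Unlike the curl's -k, the MISP server
    certificate is verified against the CA bundle in `cafile` (assumed path)."""
    req = urllib.request.Request(
        misp_url.rstrip("/") + "/attributes/restSearch",
        data=json.dumps(body).encode(),
        headers={"Authorization": api_key, "Accept": "application/json",
                 "Content-Type": "application/json"},
        method="POST")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return resp.read().decode()


# Constructed sample of a restSearch response (not a real MISP export):
# one live URL, one decayed URL, one URL that is detection-only (to_ids false).
SAMPLE_RESPONSE = json.dumps({"response": {"Attribute": [
    {"id": "1", "type": "url", "value": "http://realmalicious.com/bad.php",
     "to_ids": True, "decay_score": [{"score": 80.0, "decayed": False}]},
    {"id": "2", "type": "url", "value": "http://old.example/stale",
     "to_ids": True, "decay_score": [{"score": 0.0, "decayed": True}]},
    {"id": "3", "type": "url", "value": "http://Only-Detect.example/x",
     "to_ids": False, "decay_score": [{"score": 50.0, "decayed": False}]},
]}})


def select_urls(raw_json):
    """Re-check to_ids and decay client-side; the server filter is applied
    first, this catches a wrong modelOverrides/threshold value."""
    selected = []
    for attr in json.loads(raw_json)["response"]["Attribute"]:
        if attr["type"] != "url" or not attr["to_ids"]:
            continue
        if any(d["decayed"] for d in attr.get("decay_score", [])):
            continue
        selected.append(attr["value"])
    return selected


def normalize(url):
    """Canonical URL: lowercase scheme and host, keep path and query, drop
    the fragment, add a root path when missing."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    path = parts.path or "/"
    query = "?" + parts.query if parts.query else ""
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{path}{query}"


def vendor1_list(urls):
    """Vendor 1 format (assumed): full URLs."""
    return [normalize(u) for u in urls]


def vendor2_list(urls):
    """Vendor 2 format (assumed): scheme-agnostic *//host/path as on the slide."""
    return ["*" + normalize(u).split(":", 1)[1] for u in urls]


if __name__ == "__main__":
    urls = select_urls(SAMPLE_RESPONSE)   # offline run on the constructed sample
    print("\n".join(vendor1_list(urls)))
    print("\n".join(vendor2_list(urls)))
```

Only the first sample attribute survives: the decayed one is dropped even if the server-side threshold were misconfigured, and the to_ids=false one never enters a prevention list.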

SLIDE 28

Explore the Farm - Prevention

Step 1 (SDM Team): query MISP via REST API
Step 2: data processing and normalization (TO_IDS = TRUE)
Step 3: web-exposed IoC lists → FIREWALL, WAF & PROXY; OTHER COMPANIES' SEC/ICT TEAMS

SLIDE 29

Explore the Farm - Detection

ACTION

  • IoC data enrichment
  • Metadata normalization
  • Automated, scheduled data preparation for SIEM ingestion

IR Team, RTSM Team

SLIDE 30

Explore the Farm - Detection

Step 1: data processing and normalization (TO_IDS = TRUE)
Step 2: RTSM Team, IR Team
Step 3: TI automated import

SLIDE 31

Explore the Farm – Focus on SIEM

Sep 27 12:22:22 proxy1 CEF:0|webnavig| url=http://realmalicious.com/bad.php src_ip=10.10.10.5 src_port=6734
Sep 27 12:22:22 fw1 CEF:0|fwinternet| domain=realmalicious.com uri=bad.php srv=80 sip=10.10.10.5 sport=6734

Parsed fields: url: http://realmalicious.com/bad.php, domain: realmalicious.com, ip src: 10.10.10.5

IoC list match:
  IoC value: http://realmalicious.com/bad.php
  IoC type: url
  IoC campaign: lokibot
  IoC source: MA team
  IoC threat type: malware
  IoC date: 26/09/2020

RTSM Team, IR Team

SLIDE 32

Explore the Farm - Detection

ACTION
  • IoC data enrichment
  • Metadata normalization
  • Automated, scheduled data preparation for SIEM ingestion

RETROACTION (DOMINO EFFECT)
  • Real-time correlation rules for IoC detection, reporting sightings via API to MISP
  • Register IoC sightings

IR Team, RTSM Team

SLIDE 33

Explore the Farm - Detection

Step 1: data processing and normalization (TO_IDS = TRUE)
Step 2: RTSM Team, IR Team
Step 3: TI automated import (TO_IDS = TRUE)
Step 4: ALERT: IoC Detected → SOC Team, IR Team
Step 5: IoC sighting

SLIDE 34

Explore the Farm - Detection

Step 4: ALERT: IoC Detected → SOC Team, IR Team
Step 5: IoC sighting reported by the RTSM Team

curl -d '{"source":"SIEM", "values":["http://realmalicious.com/bad.php"]}' -H "Authorization: apitoken" -H "Accept: application/json" -H "Content-type: application/json" -k -X POST "https://misp/sightings/add"
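The detection of slide 31 and the sighting of this slide, carried through in Python as an added example that is neither the RTSM Team's correlation rule nor the deck's curl: the two CEF-style events are parsed, the firewall's domain+uri pair is rebuilt into a URL so both log formats hit the same url-type IoC, every match is enriched with the IoC metadata shown on slide 31, and the matched values are turned into the body that POST /sightings/add accepts. The log lines, the IoC list, the benign third event and the function names are constructed.

```python
"""SIEM-side IoC correlation (slide 31) and sighting report to MISP (slide 34).

Added example, not the RTSM Team's correlation rule or the deck's curl:
the log lines, the IoC list and the function names are constructed.
The sighting body is what POST /sightings/add accepts.
"""
import json
import re

# Constructed IoC list as prepared for SIEM ingestion (slide 31 fields).
IOC_LIST = {
    "http://realmalicious.com/bad.php": {
        "ioc_type": "url", "campaign": "lokibot", "source": "MA team",
        "threat_type": "malware", "date": "26/09/2020",
    },
}

# Constructed CEF-style events modelled on the two lines of slide 31,
# plus a benign request that must not match.
SAMPLE_LOGS = [
    "Sep 27 12:22:22 proxy1 CEF:0|webnavig| url=http://realmalicious.com/bad.php src_ip=10.10.10.5 src_port=6734",
    "Sep 27 12:22:22 fw1 CEF:0|fwinternet| domain=realmalicious.com uri=bad.php srv=80 sip=10.10.10.5 sport=6734",
    "Sep 27 12:23:01 proxy1 CEF:0|webnavig| url=http://www.google.ae/ src_ip=10.10.10.7 src_port=6800",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split the syslog header from the CEF extension and read key=value pairs."""
    header, _, ext = line.partition("CEF:0|")
    fields = dict(KV.findall(ext))
    fields["device"] = ext.split("|", 1)[0]
    fields["host"] = header.split()[3]
    # Proxy and firewall use different field names for the client IP.
    fields["client"] = fields.get("src_ip") or fields.get("sip")
    return fields


def event_url(fields):
    """Rebuild a URL from firewall domain+uri so both log formats hit the
    same url-type IoC; srv=443 is taken as https, anything else as http."""
    if "url" in fields:
        return fields["url"]
    if "domain" in fields:
        scheme = "https" if fields.get("srv") == "443" else "http"
        return f"{scheme}://{fields['domain']}/{fields.get('uri', '').lstrip('/')}"
    return None


def correlate(lines, iocs=IOC_LIST):
    """Real-time rule: one alert per event whose URL is in the IoC list,
    enriched with the IoC metadata so the IR Team gets context."""
    alerts = []
    for line in lines:
        fields = parse_event(line)
        url = event_url(fields)
        if url in iocs:
            alerts.append({"ioc_value": url, "client": fields["client"],
                           "device": fields["device"], "host": fields["host"],
                           **iocs[url]})
    return alerts


def sighting_payload(alerts, source="SIEM"):
    """Body for POST https://misp/sightings/add: distinct matched values.
    Two events on the same IoC become one sighting per correlation run."""
    return {"source": source, "values": sorted({a["ioc_value"] for a in alerts})}


if __name__ == "__main__":
    found = correlate(SAMPLE_LOGS)
    for a in found:
        print("ALERT: IoC Detected", a)
    print(json.dumps(sighting_payload(found)))
```

The printed JSON is the body of the curl above; the same `-d` payload can carry several values when one correlation run matches several IoCs.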

SLIDE 35

Winnie the Pooh is a threat actor

SLIDE 36

Destroy the diamond…

Roadmap (steps 1-5): GAP, MISP, FORCE, DOMINO EFFECT, DIAMOND

SLIDE 37

Destroy the diamond…

IoCs are NOT forevah!

http://realmalicious.com/bad.php

SINCE 01/01/2015

  • When is the URL no longer malicious?
  • Is preventing it today a waste of resources?
  • And what if you have 100 billion of them carved into your security technologies?

SLIDE 38

In Practice

http://realmalicious.com/bad.php

Timeline (panels 1-3): t0 ts1; t0 ts0; t0 ts0 → t1 ts1

Sighting to MISP

IoC time is over
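The timeline of this slide and the question of slide 37 ("when is the URL no longer malicious?") worked through in Python, as an added example that is not the deck's code: the score follows MISP's polynomial decaying model, score = base_score · (1 − (t/τ)^(1/δ)) with t the days since the last sighting, so an indicator seen once in 2015 has long scored zero (its time is over), a sighting reported by the SIEM restarts the clock (t1 ts1), and the indicators that fall under the threshold form the list the propagation step withdraws from the prevention tools. The model parameters, the sample indicator and the function names are assumptions.

```python
"""IoC decay and sighting refresh (slides 37-38).

Added example, not the deck's code. The score formula is MISP's polynomial
decaying model (score = base_score * (1 - (t/tau)^(1/delta)), t in days
since the last sighting); the parameters, the sample indicator and the
function names are assumptions.
"""
from datetime import datetime, timedelta


def decay_score(base_score, elapsed_days, tau, delta):
    """Polynomial decay: base_score at t=0, 0 once t reaches the lifetime tau.
    delta < 1 keeps the score high for most of the lifetime, then drops fast."""
    if elapsed_days <= 0:
        return float(base_score)
    if elapsed_days >= tau:
        return 0.0
    return base_score * (1 - (elapsed_days / tau) ** (1 / delta))


class Indicator:
    """An IoC with the timestamp of its most recent sighting (ts on the slide)."""

    def __init__(self, value, first_seen):
        self.value = value
        self.last_sighting = first_seen          # t0 ts0

    def sight(self, when):
        """Sighting reported to MISP: the clock restarts (t1 ts1)."""
        if when > self.last_sighting:
            self.last_sighting = when

    def score_at(self, now, base_score=100, tau=30, delta=0.3):
        # Assumed parameters: 30-day lifetime, decay speed 0.3.
        elapsed = (now - self.last_sighting) / timedelta(days=1)
        return decay_score(base_score, elapsed, tau, delta)


def decayed_values(indicators, now, threshold=1.0):
    """Values whose score fell under the threshold: the 'IoC time is over'
    list that the propagation step removes from the prevention tools."""
    return sorted(i.value for i in indicators if i.score_at(now) < threshold)


def demo():
    """The slide's timeline on the constructed sample indicator.

    Returns (score before the sighting, score right after it,
    decayed list 35 days later with no further sighting)."""
    ioc = Indicator("http://realmalicious.com/bad.php", datetime(2015, 1, 1))
    today = datetime(2020, 9, 27)
    before = ioc.score_at(today)          # unseen for years: time is over
    ioc.sight(today)                      # SIEM reports a sighting
    after = ioc.score_at(today)           # refreshed to base_score
    later = decayed_values([ioc], today + timedelta(days=35))
    return before, after, later


if __name__ == "__main__":
    print(demo())
```

The threshold and lifetime are per decaying model in MISP (the curl on slide 27 overrides the threshold with modelOverrides), so the same sighting keeps a short-lived URL alive for a few weeks while a certificate or hash indicator can be given a lifetime of months.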

SLIDE 39

…Propagate the news

Step 1: processing decayed IoCs (http://realmalicious.com/bad.php)
Step 2: data feed → RTSM Team, SDM Team
Step 3: REST API and automated email → FIREWALL, WAF & PROXY; OTHER COMPANIES' SEC/ICT TEAMS

SLIDE 40

From Train to Rocket

Roadmap (steps 1-5): GAP, MISP, FORCE, DOMINO EFFECT, DIAMOND → MARS

SLIDE 41

From Train to Rocket

  • Integrated dashboard & report system
  • TLP-based IoC visibility for different roles
  • Full incident prioritization
  • Threat data feeds supply input for threat intelligence, but by themselves are not threat intelligence
  • COLLABORATION!

MARS

SLIDE 42

THANK YOU

…QUESTIONS?