HOW AN IOC CAN LEAD TO ANOTHER? (Saâd Kadhi, TheHive Project) - PowerPoint PPT Presentation



SLIDE 1

BEERUMP 17 / 2017-06-22

TLP:WHITE

Saâd Kadhi
TheHive Project

HOW AN IOC CAN LEAD TO ANOTHER?

SLIDE 2

▸ Automate bulk observable analysis through a REST API
▸ Can also be queried through a Web UI
▸ Analyzers can be developed in any programming language that is supported by Linux
▸ Two-way MISP integration
▸ While originally created for Blue Teams, Cortex can be useful for Red Teams too
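The bullet about writing analyzers in any language rests on a simple contract: Cortex hands the script one JSON job and reads one JSON report back. The following is an added example written for this page, not an analyzer shipped by TheHive Project. The field names it uses (data, dataType, success, summary, full, artifacts) and the artifact shape are assumptions about that contract and must be checked against the Cortex / cortexutils version in use. It turns a url observable into the two things an analyst would pivot on next, the host and the served file name, and accepts defanged input as analysts usually paste it.

```python
#!/usr/bin/env python3
"""Minimal Cortex-style analyzer: job JSON on stdin, report JSON on stdout.

Added example, not an analyzer from TheHive Project. The field names below
(data, dataType, success, summary, full, artifacts) are an assumption about
the Cortex analyzer contract and must be checked against the Cortex /
cortexutils version in use.
"""
import json
import sys
from urllib.parse import urlsplit


def refang(value: str) -> str:
    """Accept defanged input (hxxp://, knf[.]gov[.]pl) as analysts paste it."""
    return (value.replace("[.]", ".")
                 .replace("hxxp://", "http://")
                 .replace("hxxps://", "https://"))


def analyze(job: dict) -> dict:
    """Turn a 'url' observable into pivotable artifacts: its host and the file it serves."""
    if job.get("dataType") != "url":
        # Cortex only routes the dataTypes listed in the descriptor here, but be defensive.
        return {"success": False, "errorMessage": "this analyzer only handles dataType=url"}
    parts = urlsplit(refang(job.get("data", "")))
    host = parts.hostname
    if not host:
        return {"success": False, "errorMessage": "no host in url"}
    filename = parts.path.rsplit("/", 1)[-1]
    # Artifacts are what Cortex/TheHive can offer as new observables to pivot on.
    artifacts = [{"type": "domain", "value": host}]
    if filename:
        artifacts.append({"type": "filename", "value": filename})
    full = {"host": host, "path": parts.path, "query": parts.query, "scheme": parts.scheme}
    return {
        "success": True,
        "summary": {"host": host, "filename": filename},
        "full": full,
        "artifacts": artifacts,
    }


def main() -> None:
    """Cortex runs the script as a subprocess and parses the single JSON document it prints."""
    job = json.load(sys.stdin)
    json.dump(analyze(job), sys.stdout)


if __name__ == "__main__":
    main()
```

Keep the script silent apart from the final JSON document: anything else written to stdout corrupts the report. Cortex locates analyzers through a small JSON descriptor placed next to the script (name, supported dataTypes, command line); its exact schema is version-specific and is not reproduced here.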

SLIDE 3

ARCHITECTURE

(diagram; recoverable labels only)
▸ Cortex: Frontend, Backend, Storage
▸ REST APIs over HTTP into Cortex
▸ Analyzers (A, A, A, A) reached through REST APIs over HTTP

SLIDE 4

23 ANALYZERS (AND MORE ARE COMING)

FORTIGUARD URL CATEGORY, CIRCL PDNS, CIRCL PSSL, MISP SEARCH, DOMAINTOOLS, PASSIVETOTAL, VIRUSTOTAL, ABUSE FINDER, FILEINFO, OUTLOOK MSG PARSER, NESSUS, OTXQUERY, HIPPOCAMPE, GOOGLE SAFE BROWSING, DNSDB, YARA, PHISHING INITIATIVE, PHISHTANK, MAXMIND, JOE SANDBOX, SPLUNK SEARCH, FIREHOL, VMRAY, IRMA, MCAFEE ATD, CUCKOO, FAME, INTELMQ, WHOISXMLAPI, FIREEYE AX, HYBRID ANALYSIS

SLIDE 5

(diagram: how Cortex, MISP and the alert sources fit together; recoverable labels only)
▸ Export cases / Pull events
▸ Analyzers / Analyze observables
▸ Expansion Modules / Enrich events / Additional analyzers
▸ Search observables within MISP events
▸ Alert Sources (SIEM, email, …) / Alert Feeders / Raise alerts

SLIDE 6

LET’S GET TO WORK

▸ In February, numerous Polish FIs were infected after visiting the Polish Financial Supervision Authority (www[.]knf[.]gov[.]pl) -> Watering hole attack -> Custom EK with exploits stolen from Neutrino & RIG
▸ Later on, it was found that other websites were used to carry the same attack: Comisión Nacional Bancaria y de Valores (MX), Banco República (UY)
▸ https://badcyber.com/several-polish-banks-hacked-information-stolen-by-unknown-attackers/

SLIDE 7

HOW CAN AN IOC LEAD TO ANOTHER?

▸ IOC = www[.]knf[.]gov[.]pl
▸ How can we pivot to find other IOCs (that are less brittle, maybe)?

(pivot chain from the slide's diagram)
1. knf[.]gov[.]pl -> MISP Search -> 1 event
2. knf[.]gov[.]pl -> VirusTotal -> hxxp://knf.gov.pl/DefaultDesign/Layouts/KNF2013/resources/accordian-src.js?ver=11
3. accordian-src.js -> hash d4616f9706403a0d5a2f9a8726230a4693e4c95c58df5c753ccc684f1d3542e2 -> VirusTotal -> 47/61
4. -> sap[.]misapor[.]ch -> MISP Search -> Galaxy: Lazarus Group, Target Finance
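The chain on this slide is a breadth-first walk: every artifact an analyzer reports becomes a new observable, which is fed to the analyzers that accept its data type. The following is an added example written for this page, not code from TheHive Project. CortexClient is written against the Cortex 1.x REST paths as understood at the time of this talk (POST /api/analyzer/<id>/run, then GET /api/job/<id>/waitreport); those paths, the analyzer IDs and the report fields are assumptions to verify against the Cortex version in use. FakeCortex holds constructed reports that replay the slide's chain so the walker runs offline; nothing in it is real analyzer output.

```python
"""Walk from one IOC to the next by chaining Cortex analyzer reports.

Added example, not TheHive Project code. CortexClient targets assumed
Cortex 1.x REST paths; FakeCortex replays slide 7 with constructed reports.
"""
import json
import urllib.request
from collections import deque

# Indicators taken from the slide (written plain here; defang before sharing).
KNF_JS = "http://knf.gov.pl/DefaultDesign/Layouts/KNF2013/resources/accordian-src.js?ver=11"
KNF_JS_SHA256 = "d4616f9706403a0d5a2f9a8726230a4693e4c95c58df5c753ccc684f1d3542e2"


def refang(value: str) -> str:
    """Turn a defanged indicator (knf[.]gov[.]pl, hxxp://) back into a usable one."""
    return (value.replace("[.]", ".")
                 .replace("hxxp://", "http://")
                 .replace("hxxps://", "https://"))


class CortexClient:
    """Thin client for a real Cortex instance (assumed unauthenticated 1.x API paths)."""

    def __init__(self, base_url: str):
        self.base_url = base_url.rstrip("/")

    def run(self, analyzer_id: str, data_type: str, data: str, tlp: int = 2) -> dict:
        body = json.dumps({"data": data, "dataType": data_type, "tlp": tlp}).encode()
        req = urllib.request.Request(
            f"{self.base_url}/api/analyzer/{analyzer_id}/run", data=body,
            headers={"Content-Type": "application/json"}, method="POST")
        with urllib.request.urlopen(req) as resp:
            job = json.load(resp)
        # waitreport blocks until the job finishes (or the timeout elapses).
        url = f"{self.base_url}/api/job/{job['id']}/waitreport?atMost=1minute"
        with urllib.request.urlopen(url) as resp:
            finished = json.load(resp)
        return finished.get("report", finished)


class FakeCortex:
    """Offline stand-in: constructed reports replaying slide 7 (not real analyzer output)."""

    REPORTS = {
        ("MISP_Search", "domain", "knf.gov.pl"): {"summary": {"events": 1}, "artifacts": []},
        ("VirusTotal", "domain", "knf.gov.pl"): {
            "summary": {}, "artifacts": [{"type": "url", "value": KNF_JS}]},
        ("VirusTotal", "url", KNF_JS): {
            "summary": {}, "artifacts": [{"type": "hash", "value": KNF_JS_SHA256}]},
        ("VirusTotal", "hash", KNF_JS_SHA256): {
            "summary": {"detections": "47/61"},
            "artifacts": [{"type": "domain", "value": "sap.misapor.ch"}]},
        ("MISP_Search", "domain", "sap.misapor.ch"): {
            "summary": {"events": 1, "galaxies": ["Lazarus Group", "Target Finance"]},
            "artifacts": []},
    }

    def run(self, analyzer_id: str, data_type: str, data: str, tlp: int = 2) -> dict:
        report = self.REPORTS.get((analyzer_id, data_type, data), {"summary": {}, "artifacts": []})
        return dict(report, success=True)


class PivotWalker:
    """Breadth-first pivot: every artifact an analyzer returns becomes a new observable."""

    # Which analyzers to run per data type (assumed analyzer IDs).
    ANALYZERS_FOR = {"domain": ["MISP_Search", "VirusTotal"],
                     "url": ["VirusTotal"],
                     "hash": ["VirusTotal", "MISP_Search"]}

    def __init__(self, backend, max_depth: int = 3):
        self.backend = backend
        self.max_depth = max_depth  # bound the walk: relationship data fans out quickly

    def walk(self, data_type: str, data: str) -> dict:
        seed = (data_type, refang(data))
        seen = {seed}                      # never analyze the same observable twice
        queue = deque([(seed, 0)])
        edges, summaries = [], {}
        while queue:
            (dtype, value), depth = queue.popleft()
            for analyzer in self.ANALYZERS_FOR.get(dtype, []):
                report = self.backend.run(analyzer, dtype, value)
                if not report.get("success", True):
                    continue
                summaries[(analyzer, dtype, value)] = report.get("summary", {})
                if depth >= self.max_depth:
                    continue               # record the verdict, but do not expand further
                for art in report.get("artifacts", []):
                    child = (art["type"], art["value"])
                    edges.append(((dtype, value), analyzer, child))  # provenance of each pivot
                    if child not in seen:
                        seen.add(child)
                        queue.append((child, depth + 1))
        return {"observables": seen, "edges": edges, "summaries": summaries}


if __name__ == "__main__":
    result = PivotWalker(FakeCortex()).walk("domain", "knf[.]gov[.]pl")
    for src, analyzer, dst in result["edges"]:
        print(f"{src[1]} --[{analyzer}]--> {dst[0]}:{dst[1]}")
```

Swapping FakeCortex for CortexClient("http://cortex:9000") runs the same walk against a live instance. Keep the edges: an IOC reached three hops away through a third-party relationship is weaker evidence than the seed, and the provenance is what lets an analyst judge which derived indicators are worth blocking on.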

SLIDE 8

GET THE SOFTWARE

▸ Cortex is available under an AGPL license
▸ Can be installed using RPM, DEB, a Docker image, a binary package, or built from the source code
▸ Pre-requisites: Linux with JRE 8+; a supported browser (Chrome, Firefox or IE 11) for the Web UI; and a decent computer
▸ https://thehive-project.org/