NG-SOC in Taiwan: The realities, the difficulties and the future - PowerPoint PPT Presentation

SLIDE 1

NG-SOC in Taiwan: The realities, the difficulties and the future

Senior Technical Consultant Jack Chou

SLIDE 2

Who am I

  • Certifications:
  • CEH, CHFI
  • Palo Alto Network ACE
  • McAfee Vulnerability Manager
  • Experience:
  • Assisted the Investigation Bureau in investigating the First Bank illicit-withdrawal case
  • Built enterprise APT protection
  • Assisted enterprises with security incident handling
  • Completed the judicial officer / attorney credit program; now one of the accursed exam candidates…

Just someone who never improves…

  • Specialties:
  • Incident Response
  • Penetration Testing & Exploit Research
  • Malware Analysis
  • Security Solution Implementation
  • APT Gateway (TM DDI)
  • APT Mail (TM DDEI)
  • APT Endpoint (CounterTack MDR)
  • Criminal research and investigation
SLIDE 3

Agenda

  • What is NG-SOC?
  • The Realities (sin)
  • The Difficulties (hardship)
  • The Future (what comes next)

SLIDE 4

Next-generation SOC: OODA (1)

  • Increase monitoring visibility
  • EDR / EPP
  • Reduce human error and manpower
  • SOAR

The "big shots" (Tactics, Techniques and Procedures)

http://correlatedsecurity.com/an-ooda-driven-soc-strategy-using-siem-soar-edr/
SLIDE 5

Next-generation SOC: OODA (2)

All-encompassing CTI

http://correlatedsecurity.com/why-cyber-threat-intelligence-informed-security-operations-is-important/
SLIDE 6

Taiwan SOC

Security Operation Center: what do customers actually expect???

SLIDE 7

Working in information security in Taiwan comes with plenty of original sin…
SLIDE 8

SOC monitoring joint supply contract

  • Low traffic
  • EPS: 900
  • IR: 3 times
  • Medium traffic
  • EPS: 2300
  • IR: 7 times
  • High traffic
  • EPS: 4900
  • IR: 15 times

An IR "time" carries no limit on scope or on the number of targets

SLIDE 9

We are all omnipotent security practitioners…

Customers, and your boss too, have high expectations of us…

https://sansorg.egnyte.com/dl/K0PbjzWWau/
SLIDE 10

Threat intelligence in Taiwan

  • (Withheld)

Regulations on Cyber Security Information Sharing

SLIDE 11

As a SOC vendor, however hard it gets, we still do our best to meet customers' high expectations…
SLIDE 12

How do SOC & IR find the unknown???

  • Search for attacks using recent CVEs that hit three or more customers…
  • What!!!
  • It's a large-scale premeditated attack!!!

CTI as a KPI

  • But still nowhere near a peer vendor's two-hundred-thousand-plus intel items a year

Feedback and sharing…

SLIDE 13

Offensive OSINT

Attack Surface Management

SLIDE 14

Attack Surface Management

Asset Discovery

  • APIs & Web Services
  • Web Applications & Websites
  • Domains & SSL Certificates
  • Critical Network Services
  • IoT & Connected Objects
  • Public Code Repositories
  • SaaS & PaaS Systems
  • Public Cloud & CDN
  • Mobile Apps
  • Databases

Examples of sources and methods

Dark Web Monitoring

  • Leaked/Stolen Credentials
  • Pastebin Mentions
  • Exposed Documents
  • Leaked Source Code
  • Breached IT Systems & IoC
  • Phishing Websites & Pages
  • Fake Accounts in Social Networks
  • Unsolicited Vulnerability Reports
  • Trademark Infringements
  • Squatted Domain Names
SLIDE 15

Hunting Leaked & Misconfig

  • Use VTgrep syntax to search for customer-related leaked data or samples, revealing possibly exposed accounts and passwords
  • https://buckets.grayhatwarfare.com (API)

SLIDE 16

Potential squatting

  • https://www.immuniweb.com/radar/
  • https://dnstwist.it/ (phishing domain scanner)
  • Vendor name + customer domain + common IT keywords (update, admin, 365, windows, Microsoft, etc.)
  • Example:
  • symantecupdates.info
  • kaspernsky.com
  • windowsupdate.microsoft.365filtering.com
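One way to triage a feed of observed domains against the two patterns this slide shows (vendor name plus IT keyword, and a one-character typo of a protected domain), as an added example that is not code from the deck; the vendor names, protected domains and the observed feed are constructed for the demo:

```python
"""Squatting candidate triage: flag domains that combine a vendor/customer name
with common IT keywords, or sit within one edit of a protected domain.
Added example, not from the deck. The feed of observed domains, the vendor
names and the protected-domain list are all constructed for the demo."""
from typing import List, Tuple

VENDOR_NAMES = ("symantec", "kaspersky", "microsoft", "windows")        # brands to protect
IT_KEYWORDS = ("update", "admin", "365", "windows", "microsoft")        # slide's keyword list
PROTECTED = {"symantec.com", "kaspersky.com", "microsoft.com"}         # legitimate domains

# Constructed feed, e.g. from newly-registered-domain or CT-log monitoring.
OBSERVED = ["symantecupdates.info", "kaspernsky.com",
            "windowsupdate.microsoft.365filtering.com", "login.microsoft.com",
            "example.org"]

def registered_domain(fqdn: str) -> str:
    """Last two labels; adequate for the demo data (no public-suffix list)."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(domains: List[str]) -> List[Tuple[str, str]]:
    """Return (domain, reason) for each suspicious domain; legitimate ones are skipped."""
    out = []
    for d in domains:
        reg = registered_domain(d)
        if reg in PROTECTED:
            continue                                   # our own / the vendor's real domain
        name = reg.split(".")[0]
        near = [p for p in PROTECTED if edit_distance(name, p.split(".")[0]) == 1]
        if near:
            out.append((d, "typo of " + near[0]))      # e.g. kaspernsky.com
            continue
        low = d.lower()
        if any(v in low for v in VENDOR_NAMES) and any(k in low for k in IT_KEYWORDS):
            out.append((d, "vendor name + IT keyword"))  # e.g. symantecupdates.info
    return out
```

The keyword rule deliberately inspects the whole FQDN, which is how windowsupdate.microsoft.365filtering.com is caught even though its registrable domain carries none of the brand names.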
SLIDE 17

Leaked/Stolen Credentials

  • https://raidforums.com/
  • HUMINT
  • https://github.com/kevthehermit/PasteHunter
  • Hunchly Dark Web Report
  • https://darksearch.io/
  • https://github.com/s-rah/onionscan

Dark Data Discovery (dark web intelligence collection)

SLIDE 18

Defensive OSINT

The attacker's perspective

SLIDE 19

Digital Discovery

  • Open Service & Unrestricted Web
  • https://www.immuniweb.com/websec/
  • https://www.immuniweb.com/mobile/
  • https://www.immuniweb.com/ssl/
  • https://github.com/jack51706/LeakLooker-X

SLIDE 20

Outbound Hunting

  • https://blog.binaryedge.io/2019/07/08/guest-post-panda-banker/
  • https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html
  • https://app.binaryedge.io/services/query?filter=MALWARE
  • https://www.shodan.io/search?query=category%3Amalware
  • https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/
  • https://censys.io/blog/hunting-mirai
  • https://censys.io/blog/tracking-roamingmantis-mobile-banking-threat
  • https://censys.io/blog/hunting-for-threats-coinhive-cryptocurrency-miner
  • https://censys.io/blog/finding-hacked-web-servers
  • Infiltrate C&C
  • Backdoor Reversing

Connection metadata

SLIDE 21

Intelligence-Driven Incident Response and Threat Hunting

Ask the world: what, after all, is threat intel…

SLIDE 22

Pivot and Threat Attribution

Sample

  • Unique Strings
  • Network Communication/Encryption Algorithm
  • Code / Strings Reuse
  • Metadata (filename, description, version, title, author name)
  • Mutexes
  • Behavior

Make Enrichment Great Again

Infrastructure

  • Passive DNS
  • TLS certificate tracking
  • Correlation through metadata (web server version, hosting provider, HTTP headers, Whois …)
  • Search of domain names/IP addresses in public sandbox results
  • HTTP static content tracking
  • Network flow

https://github.com/threatresearch-issdu/ITHOME2020
SLIDE 23

Threat intelligence collection methods and sources

  • IR
  • VIRUSTOTAL Yara Hunting
  • Event Hunting
  • OSINT
  • Analysis of unknown samples provided by customers and follow-up correlation
  • Honeypot (Open Proxy, Tor node)
  • Proactive trojan detection (security health check)
  • Customer asset monitoring
  • https://www.one-tab.com/page/BQ9hxrRER9GYDMd5d_v09Q
  • Multi-source cross-correlation and verification
SLIDE 24

CTI Lifecycle: Pivot, Enrichment, Attribution

Case walkthrough (diagram on the slide):

  • IPS detection: HTTP_PlugX_Trojan_CnC → 185.161.209.234
  • Tracking and analysis: VT Hunting & Crowdstrike enrichment; VT similar-to / code-similar-to; samples (175+); infra enrichment (VT: tag:winnti)
  • Deliver & Response: IPS detection, CTI platform IP / DN block, AV block
  • After tracking, this IP can be linked to a threat intelligence report published by VMware: https://www.carbonblack.com/2020/02/20/threat-analysis-active-c2-discovery-using-protocol-emulation-part2-winnti-4-0/
  • The intrusion source is tagged as Winnti 4.0
  • A total of 19 samples can be obtained from that article
SLIDE 25

Attack Surface Management (Commercial)

  • https://cyberint.com/solutions/
  • https://www.immuniweb.com/
  • https://www.riskiq.com/illuminate-platform/

SLIDE 26

Human-Intelligence Network Anomaly Detection

Manual intelligence (a pun on artificial intelligence)

SLIDE 27

How do SOC & IR find the unknown

  • TM DDI Rule:
  • Executable requested from root directory of web server

Appliance rules

SLIDE 28

AI Network Anomaly Detection

  • Graph-theory weighted visualization
  • Protocol traffic statistical analysis
  • Attack-path stage statistical analysis
  • Asset attribute statistical analysis
  • Network artifact metadata

ExtraHop & DarkTrace

SLIDE 29

How do SOC & IR find the unknown

  • PASTEBIN
  • GITHUB
  • Vultr.com
  • Frequency + filtered-data comparison + destination IP/DN not in the Alexa top 100M
  • DDNS

Connection metadata
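The connection-metadata heuristic on this slide (count contacts per destination, drop destinations on a top-sites list, and flag dynamic-DNS names) written out as a small hunt over proxy records; this is an added example, not code from the deck, and the records, the tiny allowlist standing in for the Alexa top list and the DDNS suffix list are all constructed:

```python
"""Connection-metadata hunting: frequency + allowlist filter + DDNS check.
Added example (not from the deck); the records, the allowlist standing in
for the Alexa top list and the DDNS suffixes are all constructed."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

TOP_SITES: Set[str] = {"microsoft.com", "google.com"}      # stand-in top-sites list
DDNS_SUFFIXES = ("ddns.net", "no-ip.org", "dyndns.org")     # partial DDNS provider list

# Constructed proxy records: (source host, destination domain, destination IP).
CONN_LOG: List[Tuple[str, str, str]] = [
    ("pc-01", "login.microsoft.com", "20.1.1.1"),
    ("pc-01", "update.evil-corp.ddns.net", "203.0.113.7"),
    ("pc-02", "update.evil-corp.ddns.net", "203.0.113.7"),
    ("pc-03", "update.evil-corp.ddns.net", "203.0.113.7"),
    ("pc-01", "www.google.com", "142.250.0.1"),
    ("pc-04", "cdn.some-vendor.example", "198.51.100.9"),
    ("pc-02", "pastebin.com", "104.20.0.1"),
    ("pc-02", "pastebin.com", "104.20.0.1"),
    ("pc-02", "pastebin.com", "104.20.0.1"),
]

def registered_domain(fqdn: str) -> str:
    """Last two labels; adequate for the demo data (no public-suffix list)."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

def hunt(log, min_hits: int = 3, min_hosts: int = 2) -> Dict[str, Tuple[int, int, List[str]]]:
    """Map each suspicious destination to (hits, distinct source hosts, reasons)."""
    hits: Dict[str, int] = defaultdict(int)
    hosts: Dict[str, Set[str]] = defaultdict(set)
    for src, dom, _ip in log:
        hits[dom] += 1
        hosts[dom].add(src)
    flagged = {}
    for dom, n in hits.items():
        if registered_domain(dom) in TOP_SITES:
            continue  # filter step: well-known destination, keep it out of the queue
        reasons = []
        if dom.endswith(DDNS_SUFFIXES):          # dynamic DNS destination
            reasons.append("ddns")
        if n >= min_hits:                         # frequency: repeated contacts
            reasons.append("frequency")
        if len(hosts[dom]) >= min_hosts:          # several internal hosts, same unknown target
            reasons.append("multi-host")
        if reasons:
            flagged[dom] = (n, len(hosts[dom]), reasons)
    return flagged
```

A single host hammering pastebin.com is flagged on frequency alone, while one-off contacts to an unknown vendor CDN stay out of the queue; the thresholds are the tuning knobs an analyst would adjust per customer.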

SLIDE 30

How do SOC & IR find the unknown

  • Hacking tool detected (TM OfficeScan) (HKTL_DUMP*)
  • Hacking tool detected (TM OfficeScan) (HKTL_PASS*)
  • Hacking tool detected (SEP) (Hacktool)
  • Antivirus is not useless; it depends on how you use it and how you read it

Antivirus rules

SLIDE 31

Endpoint Visibility and Response

SLIDE 32

Traditional endpoint detection and response

  • https://github.com/sans-blue-team/DeepBlueCLI
  • https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
  • https://www.malwarearchaeology.com/cheat-sheets
  • https://github.com/mvelazc0/Oriana/wiki/Hunting-Analytics
  • https://github.com/0Kee-Team/WatchAD
  • https://github.com/JPCERTCC/LogonTracer
  • https://blogs.jpcert.or.jp/en/2017/12/research-report-released-detecting-lateral-movement-through-tracking-event-logs-version-2.html
  • https://github.com/NVISO-BE/ee-outliers

EVTX analysis

SLIDE 33

Evidence destruction (anti-forensics)

  • Sdelete
  • ClearEventLog
  • https://github.com/Rizer0/Log-killer
  • https://github.com/hlldz/Invoke-Phant0m
  • Clear MBR
  • Ransomware

The limits of manual IR

SLIDE 34

Endpoint detection and response

Hunting Hypothesis
  • Office 0-day
  • Spawns a PowerShell process (fileless)
  • C2 connection (network connection behaviour)
  • Custom threat-hunting rules to detect and respond in real time
  • (process_name:winword.exe OR process_name:excel.exe OR process_name:powerpnt.exe) AND netconn_count:[1 TO *] AND childproc_name:powershell.exe
  • APT VPN Lateral Movement ERS20191125
  • cb.urlver=1&q=file_desc:PacketiX

EDR
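The hunting hypothesis above, re-implemented as an added example (not the deck's own code) so the three clauses of the EDR query can be run over constructed process records; the record shape and hostnames are made up for the demo:

```python
"""Hunting hypothesis from the slide: an Office app with at least one network
connection spawns powershell.exe. Added example, not the deck's own code; it
re-implements the EDR query's three clauses over constructed process records."""
from typing import Dict, List

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed records, one per parent process, shaped like EDR search results.
EVENTS: List[Dict] = [
    {"hostname": "fin-pc-07", "process_name": "winword.exe", "netconn_count": 2,
     "childproc_names": ["powershell.exe"]},
    {"hostname": "hr-pc-02", "process_name": "excel.exe", "netconn_count": 0,
     "childproc_names": ["powershell.exe"]},          # macro, but no C2 traffic yet
    {"hostname": "it-pc-01", "process_name": "powerpnt.exe", "netconn_count": 5,
     "childproc_names": ["splwow64.exe"]},            # print helper, benign child
    {"hostname": "dev-pc-03", "process_name": "powershell.exe", "netconn_count": 1,
     "childproc_names": ["powershell.exe"]},          # parent is not an Office app
]

def matches_hypothesis(ev: Dict) -> bool:
    """Python form of the query's three AND-ed clauses."""
    # (process_name:winword.exe OR process_name:excel.exe OR process_name:powerpnt.exe)
    is_office = ev["process_name"].lower() in OFFICE_APPS
    # netconn_count:[1 TO *]
    has_netconn = ev.get("netconn_count", 0) >= 1
    # childproc_name:powershell.exe
    spawns_ps = any(c.lower() == "powershell.exe" for c in ev.get("childproc_names", []))
    return is_office and has_netconn and spawns_ps

def hunt(events: List[Dict]) -> List[str]:
    """Hostnames that need triage, in the order the records were seen."""
    return [ev["hostname"] for ev in events if matches_hypothesis(ev)]
```

The hr-pc-02 record shows the hypothesis's blind spot: an Office process that spawns PowerShell without making its own network connection is not matched, so a second, noisier rule without the netconn_count clause is worth keeping alongside this one.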

SLIDE 35

The future

How, under customers' high expectations…
SLIDE 36

SOAR

  • Security Orchestration Use Case: Automating Threat Hunting
  • Playbook (436)
  • Detonate
  • Enrichment
  • Extract
  • Hunting
  • Investigation
  • Integration (569)
  • Automation (677)
  • Script (617)

If only something could semi-automate the pile of manual methods described above…

SLIDE 37

ISSDU next-generation SOC architecture (architecture diagram)

SLIDE 38

Thank You