CYBER THREAT INTELLIGENCE - FROM 0 TO H3R0 NINO VERDE, PHD HEAD OF CYBER THREAT INTELLIGENCE CYBER & SECURITY SOLUTIONS LEONARDO - MASTER DEGREE ...
Cyber Threat Intelligence: From 0 to h3r0
Nino Verde, PhD, Head of Cyber Threat Intelligence, Cyber & Security Solutions, Leonardo
March 23rd, 2022
Company General Use
Who are we?
• About Leonardo:
- Aerospace, defence and security sector
- One of the largest defence contractors in the world
- Helicopters, Electronics, Aerostructures, Aircraft, Cyber Security
- We work for the Cyber Security Research Center – Product & Technology Development
• About me:
- Nino Verde, PhD (@verdenino)
• Head of Cyber Threat Intelligence
• Cyber Threat Intelligence Analyst
• Incident Response
© 2019 Leonardo - Società per azioni 2 Company General Use
This is a gaminar!
• Open joinmyquiz.com with your mobile phone, desktop or notebook
• Enter the following join code: 037 138
• Play with us!
• The winner will receive one of the best books about Threat Intelligence
When this icon appears on a slide it is time to play!
Cyber Threat Intelligence
“Cyber is such a perfect prefix. Because nobody has any idea what it means, it can be grafted onto any old word to make it seem new, cool — and therefore strange, spooky.” [New York magazine, Dec. 23, 1996]
[Figure: three overlapping circles labelled Intent, Capability and Opportunity]
Why do companies want threat intelligence?
• Start from monitoring and response
• Help C-level make good decisions – reduce uncertainty
• TI doesn’t address all existing problems
[Figure: War Room]
Finally… a definition of cyber threat intelligence
• Threat Intelligence is:
- “Analyzed information about adversaries who have the Intent, Opportunity and Capability to do you harm.”
- “Analyzed information about the hostile intent, capability, and opportunity of an adversary that satisfies a requirement.”
- “The products and processes across the intelligence cycle of assessing the capabilities, intentions, and activities – technical and otherwise – of potential adversaries and competitors in the cyber domain (with cyber counterintelligence as a sub-discipline).”
- Note:
• Actionability of an intelligence product is a must!
• In the end, intelligence must reduce uncertainty
• Things to always remember:
- The threat is another human!
- The malware is just a capability of the adversary
- Organizations sharing their internal threat information with each other help the community understand the larger threat landscape
- Be careful not to overvalue attribution!
• Attribution is determining who was responsible for a cyber attack – Mmm… isn’t it always Russia or China?
Process considerations: organizational context
• Understand the assets of your organization and their value
• Identify threat actors motivated to access or harm your assets
• Determine methods common to relevant threat actors who may target your organization and its assets
• Establish monitoring and hunting processes aligned with the most likely avenues of compromise
• Monitor adversaries, their activities and interests continuously, and map these against your changing business activities that may alter your appeal as a target
Cyber Threat Intelligence: Concepts and models
Please, welcome the intelligence cycle!
The diamond model of intrusion analysis
Axiom 1: For every intrusion event there exists an adversary taking a step towards an intended goal by using a capability over infrastructure against a victim to produce a result.
Core features: the core features of an event are adversary, capability, infrastructure, and victim.
Meta-features: the meta-features are timestamp (both start and end), phase, result, direction, methodology, and resources. The meta-features are used to order events within an activity thread, group like events in various ways, and capture critical knowledge where possible.
[Figure: the diamond, with Adversary at the top, Capabilities and Infrastructure at the sides, Victim at the bottom, and the meta-features listed alongside]
Sergio Caltagirone, Andrew Pendergast, Christopher Betz, http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf
The diamond model of intrusion analysis
An event, E, is formally defined as a labeled n-tuple where each element of the tuple is knowledge of a feature combined with an independent confidence value.
[Figure: the diamond (Adversary, Capabilities, Infrastructure, Victim) with the meta-features timestamp, phase, result, direction, methodology, resources]
Sergio Caltagirone, Andrew Pendergast, Christopher Betz, http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf
The diamond model of intrusion analysis
Axiom 6: A relationship always exists between the Adversary and their Victim(s) even if distant, fleeting, or indirect.
[Figure: the diamond with its two extended edges, Socio-Political between Adversary and Victim, and Technology between Capabilities and Infrastructure]
Sergio Caltagirone, Andrew Pendergast, Christopher Betz, http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf
Axiom 7: There exists a sub-set of the set of adversaries which have the motivation, resources, and capabilities to sustain malicious effects for a significant length of time against one or more victims while resisting mitigation efforts. Adversary-Victim relationships in this sub-set are called persistent adversary relationships.
[Figure: the diamond (Adversary, Capabilities, Infrastructure, Victim) with its meta-features]
Pivoting
• Pivoting is the analytic technique of extracting a data element and exploiting that element, in conjunction with data sources, to discover other related elements.
• Ultimately, pivoting is about the fundamental analytic task of hypothesis testing.
• Pivoting is the task of discovering related elements (evidence) which inform the hypothesis and also generate new hypotheses themselves.
Example walk around the diamond:
1. A victim discovers a malware within its network (Victim)
2. The malware connects to a Command and Control domain (Capability → Infrastructure)
3. The domain is resolved to an IP address (Infrastructure)
4. Firewall logs reveal additional victims (Infrastructure → Victim)
5. One of the IP addresses is publicly attributed to a known adversary (Infrastructure → Adversary)
6 types of Pivoting
• Victim-Centered Approach
• Capability-Centered Approach
• Infrastructure-Centered Approach
• Adversary-Centered Approach
• Social-Political-Centered Approach
• Technology-Centered Approach
[Figure: the same five-step pivoting example as the previous slide, drawn on the diamond]
Kill chain of intrusion analysis
Organizing data into buckets
Organizing more data into buckets
Incident 1
[Figure: the indicators of one incident bucketed by kill chain phase: R (Reconnaissance), W (Weaponization), D (Delivery), E (Exploitation), I (Installation), C (Command & Control), A (Actions on Objectives)]
Incident 1, Incident 2, ... Incident n
[Figure: several incidents side by side, each bucketed by kill chain phase (R, W, D, E, I, C, A); shared indicators group them into Suspected Actor A and Suspected Actor B]
Incident 1, Incident 2, ... Incident n
[Figure: the same incidents bucketed by kill chain phase (R, W, D, E, I, C, A); the Suspected Actor A cluster is now labelled Actor A, Suspected Actor B remains]
Kill Chain Course of Action Matrix
Actionable Intelligence
• We learned:
- How important it is to organize data with a structured model (e.g. the diamond model and the kill chain)
- How important it is to investigate incidents leveraging well-defined models and processes (e.g. pivoting)
- How important it is to work with internal data
• At this point we should be able to collect and organize data
• How to use this knowledge? Try to answer the following information requests:
- Is our organization a possible target of actor X?
- Which are the attackers we should take care of?
- Do our network logs show any sign of compromise by actor Z?
- Are we prepared to defend ourselves from actor Y?
Pyramid of pain (indicator type, from the top down, and how much pain denying it causes the adversary):
TTPs – Tough! (Adversarial Tactics, Techniques & Common Knowledge: MITRE ATT&CK)
Tools – Challenging
Network/host artifacts – Annoying
Domain names – Simple
IP addresses – Easy
Hash values – Trivial
MITRE ATT&CK matrix
MITRE ATT&CK matrix
[Figure: the matrix with two overlays: the techniques of Actor Y, and the data sources available and detection rules deployed]
How to learn more about CTI?
• There are several important topics we didn’t speak about here: cognitive biases, exploring hypotheses, knowledge gaps… and many more!
• Professional training:
- SANS FOR578: Cyber Threat Intelligence
- Threat Intelligence Academy of Sergio Caltagirone
• Self study:
- Read books and CTI reports – see the suggested reading at the end of this presentation
- Follow people from the CTI community
- Take a look at Katie Nickels’s suggestions on Medium [1] – Twitter account: @likethecoins
• Gain experience as a Security Operation Center operator, incident responder or malware analyst, and then move to the CTI team
[1] https://medium.com/katies-five-cents/a-cyber-threat-intelligence-self-study-plan-part-1-968b5a8daf9a
Cyber Threat Intelligence: Uncovering the traces of State Sponsored Threat Actors. A case study on Turla
Silvio La Porta, PhD; Nino Verde, PhD; Antonio Villani, PhD
Please welcome our guide for this journey through CTI
CTI cycle: Planning phase
Intelligence requirements (IRs, as well as RFIs, are collected in our CTI platform):
• Are the capabilities of the Turla threat actor evolving?
• Is there any active campaign conducted by Turla?
Planning:
- Which data can be used to satisfy this new intelligence requirement?
• Leverage external data (open source feeds, commercial intelligence, etc.) and internal data (telemetry, alerts, customer incidents, etc.), and fuse the collected information through our CTI platform
• Build a collection strategy; for this kind of threat our telemetry/incident data may not provide enough coverage
- Do we need new sources of information to be integrated in our Threat Intelligence Platform?
• If yes: task the collection and processing team
- Once the collection and processing is set up, assign specific tasks to the CTI analysts
Some background info about Turla
Turla – Identikit of the adversary
• Russian-based, state-sponsored threat group, active since at least 2004
• Aliases: Snake, WhiteBear, Venomous Bear, Uroburos, Waterbug
• Profile: innovator
• Targets: defense, government, embassies, education, research, pharmaceutical companies; victims in more than 45 countries
• Motivation: to foster Russian interests and its foreign affairs
• Means: uses any technological means and any discovered vulnerability
• Known for: leveraging satellite connections to hide their traces, conducting watering-hole and spearphishing campaigns, in-house tools and malware
Turla – Features
• Skilled cyber operators
• Stealthiness: opsec masters! Steganography; piggybacking compromised servers
• Versatility: targeting vulnerable hosting providers; adapting the sophistication level
• Anonymization network: peer-to-peer architecture; satellite connections; compromised mail servers
• Several implants: from rootkits to JavaScript
CTI cycle: Direction phase
- How is the collection phase going? -> define KPIs
- Is the processing phase working? -> define KPIs
- How is the analysis phase performing? -> define KPIs
- Does the intelligence product’s quality satisfy the customer? Input data are collected during the feedback phase
KPIs can be monitored from our CTI platform
CTI cycle: Collection phase… an example
• Configure OSINT and social crawlers integrated with our CTI platform with the right keywords:
• Threat actor aliases: Venomous Bear, Snake, Waterbug, …
• Specific malware families: Uroburos, Nautilus, Carbon, Mosquito, …
CTI cycle: Collection phase… another example
• Deploy custom signatures (e.g. YARA rules) to collect malicious capabilities, that is malware, on premises or globally through third-party services (e.g. VirusTotal)
• All our YARA rules are stored in our CTI platform
• We use different types of YARA rules; they differ in the use we make of them:
• YARA rules to use on VirusTotal
• YARA rules to use on our managed systems
• YARA rules to use on metadata that we collect from the VirusTotal stream
[Figure: CTI Platform]
CTI cycle: Processing phase… an example
• Once samples are ingested in our CTI platform (manually or automatically by some process), processing playbooks start
• Playbook example:
• Perform static analysis:
– Depending on the file format, execute tools like peframe, pefile, exiftool, floss, olevba, oledump, etc.
– Output is collected by our CTI platform
• Perform dynamic analysis:
– We leverage a proprietary technology that is a sort of multi-sandbox; it integrates several sandboxes (commercial and open source) and normalizes their results
• Perform similarity search:
– Find other samples known to our CTI platform with similar ssdeep, export/import functions, etc.
• etc.
• Finally, notify the CTI analysts that were tasked in the planning and direction phases
CTI cycle: Processing phase… another example
• Once URLs or domains are ingested in our CTI platform (manually or automatically by some process), processing playbooks start automatically
• Playbook example:
• If the entity is new:
– Query external services to enrich the data:
» Shodan
» Cisco Umbrella Investigate / RiskIQ PassiveTotal
» …
– Query internal systems to see if it has been spotted in the perimeters we monitor:
» SIEM
» Ticketing platform
» Internal DBs
» …
– Automatically create a description for this entity based on the collected data
CTI cycle: Analysis phase
• The analysis phase cannot be automated – don’t trust people who say the opposite!
• It is the only phase that should be performed manually by CTI analysts, leveraging their know-how, their tradecraft and CTI models, and also taking into account their biases.
• This phase can require deep technical skills but also good reporting and writing skills.
• The target here is to build an actionable and timely intelligence product
CTI cycle: Analysis phase
During the monitoring of Turla’s evolution:
• Most of the collected and automatically processed samples were quickly analyzed by our CTI analysts and marked as similar to something we were already aware of
• In April 2020, three samples submitted to VT captured our attention
• They were similar to something seen in 2014:
- A well-engineered passive backdoor for Linux systems
- With respect to the other samples already known, these new samples targeted 64-bit architectures
How does this passive backdoor work?
[Figure: the OPERATOR on HOST-A sends a packet carrying the SIGNATURE to HOST-B on PORT XYZ; PENQUIN (LISTEN: PORT XYZ) sniffs the packet and verifies the signature (“WOLOLOO”); a RESET goes back; PENQUIN then TCP-connects to the operator, who sends the payload]
Comparing Architecture and Capabilities – Penquins’ main features
Penquin_x86 (samples known before our report):
• Passive
• Gets its parameters (ID, INT) from the command line
• Uses the command function to process data received from the C2
Penquin_2.0 (samples known before our report):
• Active
• Hardcoded C2 IP
• Drops/runs cron (/root/.sess)
• Uses the do_callback function to process data received from the C2
Penquin_x64 (3 new samples):
• Passive
• Hardcoded parameters (ID, INT)
• It is the only Penquin which does not require root privileges
• Uses the command function to process data received from the C2
Once upon a time there was a “Penquin” (https://bit.ly/2yZ1rKJ)
[Figure: timeline with the years 2014, 2016, 2017, 2020]
Challenges that we had to face
Challenge 1: Evaluate the novelty of the collected samples
• Why? Turla has operated since at least 2004; they could be old samples resubmitted to VirusTotal.
• Is it a problem? ELF files (executables for Linux) do not have a compilation timestamp like Windows executables.
• How? Dig into our knowledge base; find a way to estimate the build date.
Challenge 2: Provide a way to detect a well-engineered passive backdoor for Linux
• Why? To defend ourselves, our customers and the entire community.
• Is it a problem? Low visibility on Linux machines. Network signatures are difficult to develop and probably not effective (low traffic). The backdoor is difficult to detect through network scans, since it performs several checks before accepting a packet as well-formed.
• How? Reverse engineer the network protocol.
Build date estimation
• ABI version
• Statically linked library
• Linux distribution (cron)

ELF ABI tag observed, one per sample (Penquin_x86, Penquin_2.0, Penquin_x64): 2.2.0, 2.2.5, 2.4.18

GCC release | ABI    | Release date
3.4.6       | 2.6.8  | March 6, 2006
4.4.4       | 2.6.15 | April 29, 2010
4.8.2       | 2.6.24 | October 16, 2013
4.9.1       | 2.6.32 | July 16, 2014
6.2.0       | 2.6.32 | August 22, 2016
6.3.0       | 2.6.32 | December 21, 2016
7.2.0       | 3.2    | August 14, 2017
7.3.0       | 3.2    | January 25, 2018
7.5         | 3.2    | November 14, 2019
[Figure: Linux kernel version dates]
Build date estimation
• ABI version
• Statically linked library: OpenSSL
• Linux distribution (cron)

OpenSSL version statically linked, one per sample (Penquin_x86, Penquin_2.0, Penquin_x64), with the year of that OpenSSL release:
0.9.6  | 2000
0.9.7e | 2004
1.0.1j | 2014
Build date estimation (x64 only)
• ABI version
• Statically linked library
• Linux distribution (cron)

Embedded cron binary SHA-256: 3309e8f29e53d56d177ab2ad4b814cd3d8215944a0bbe233e4987661d1db5afd
Linux distro: Ubuntu 16.04 or later
First release: April 2016 – April 2017
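Added example, not code from the Leonardo report or slides: the build-date lower bound the last three slides describe, as a small Python routine over the version strings a statically linked ELF embeds. The release dates are the ones in the slide tables; the sample blobs, the function names and the assumption that the OpenSSL banner has its usual "OpenSSL <version> <dd Mon yyyy>" form are mine.

```python
"""Added example (not from the Leonardo report or slides): estimate a lower
bound on the build date of a statically linked ELF from the version strings
it embeds.  ELF carries no compile timestamp, so the analysts dated the
Penquin samples by the components inside them: the GCC release named in the
.comment string, the statically linked OpenSSL banner and the ABI tag.  A
binary cannot be older than the newest component linked into it, so the
estimate is the maximum of the component release dates.

Release dates are the ones on the slides.  The sample blobs are constructed
byte strings, not real ELF files; "GCC: (<vendor>) <version>" is the format
GCC writes into .comment and "OpenSSL <version> <dd Mon yyyy>" is the banner
OpenSSL embeds.
"""
from __future__ import annotations

import re
from datetime import date, datetime
from typing import Optional

GCC_RELEASE = {  # GCC release -> release date (slide table)
    "3.4.6": date(2006, 3, 6),   "4.4.4": date(2010, 4, 29),
    "4.8.2": date(2013, 10, 16), "4.9.1": date(2014, 7, 16),
    "6.2.0": date(2016, 8, 22),  "6.3.0": date(2016, 12, 21),
    "7.2.0": date(2017, 8, 14),  "7.3.0": date(2018, 1, 25),
    "7.5.0": date(2019, 11, 14),
}
# The slide gives only the year for OpenSSL; used when the banner has no date.
OPENSSL_YEAR = {"0.9.6": 2000, "0.9.7e": 2004, "1.0.1j": 2014}

GCC_RE = re.compile(rb"GCC: \([^)]*\) (\d+\.\d+\.\d+)")
OPENSSL_RE = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)(?: (\d{1,2} [A-Z][a-z]{2} \d{4}))?")


def gcc_versions(blob: bytes) -> list[str]:
    """Every GCC version named in the blob.  A static binary usually carries
    one .comment entry per contributing object (libc, libssl, the program
    itself), so several versions are normal; the newest one bounds the link."""
    return [m.group(1).decode() for m in GCC_RE.finditer(blob)]


def openssl_banner(blob: bytes) -> Optional[tuple[str, Optional[date]]]:
    """(version, release date or None) from the first OpenSSL banner."""
    m = OPENSSL_RE.search(blob)
    if not m:
        return None
    version = m.group(1).decode()
    released = None
    if m.group(2):
        released = datetime.strptime(m.group(2).decode(), "%d %b %Y").date()
    return version, released


def earliest_build_date(blob: bytes) -> tuple[Optional[date], list[str]]:
    """Lower bound on the build date and the evidence that fixed it.
    Unknown versions are skipped rather than guessed, so the bound is only
    as good as the release tables; extend them for the toolchains you meet."""
    candidates: list[tuple[date, str]] = []
    for v in gcc_versions(blob):
        if v in GCC_RELEASE:
            candidates.append((GCC_RELEASE[v], f"GCC {v}"))
    banner = openssl_banner(blob)
    if banner:
        version, released = banner
        if released is None and version in OPENSSL_YEAR:
            # year-only knowledge: Jan 1 is the conservative (earliest) bound
            released = date(OPENSSL_YEAR[version], 1, 1)
        if released:
            candidates.append((released, f"OpenSSL {version}"))
    if not candidates:
        return None, []
    return max(d for d, _ in candidates), sorted(e for _, e in candidates)


# Constructed blobs standing in for strings pulled out of two ELF samples.
NEW_BLOB = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
            + b"GCC: (GNU) 4.4.4 20100726 (Red Hat 4.4.4-13)\x00"
            + b"GCC: (GNU) 4.9.1\x00"
            + b"OpenSSL 1.0.1j 15 Oct 2014\x00")
OLD_BLOB = (b"\x7fELF\x01\x01\x01" + b"\x00" * 9
            + b"GCC: (GNU) 3.4.6\x00OpenSSL 0.9.7e\x00")

if __name__ == "__main__":
    for name, blob in (("new", NEW_BLOB), ("old", OLD_BLOB)):
        bound, why = earliest_build_date(blob)
        print(f"{name}: built no earlier than {bound} (from {', '.join(why)})")
```

In practice the input is the raw file or the output of strings on it. The result is a floor, not a date: a sample linked against an old, vendored OpenSSL can still have been built recently, which is why the slides combine three independent sources (toolchain, library, embedded cron binary) rather than trusting one.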
WOLOLOO – Analysis of the network behaviour
• PCAP filter:
(tcp[8:4] & 0xe007ffff = 0x6005bdbd) or (udp[12:4] & 0xe007ffff = 0x6005bdbd)
(tcp[8:4] & 0xe007ffff = 0x6005bebe) or (udp[12:4] & 0xe007ffff = 0x6005bebe)
• Header layout the filter indexes into (byte offsets from the start of the transport header):
UDP: 0 sport, dport | 4 length, checksum | 8 1st dword | 12 2nd dword
TCP: 0 sport, dport | 4 1st dword = sequence number | 8 2nd dword = acknowledgement number | 12 … payload
[Figure: bit-level layout of the two dwords. The second dword (0xbdbd0560 as a little-endian host value, i.e. the 0x6005bdbd pattern the PCAP filter selects) holds the constant signature bits interleaved with variable bits; the first dword, together with the source port, carries the DATA field and the final callback IP (endian-flipped). CONDITIONS: the fields n1..n7 combined must equal n8: if ((n1 n2 n3) (n4 n5 n6 n7)) == n8, return success.]
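As an added example (not code from the slides, the report or Leonardo), the following Python reproduces the two PCAP filters above on raw TCP and UDP bytes, so the header offsets and the effect of the 0xe007ffff mask can be checked against constructed segments. It implements only the filter, not the further conditions drawn over the first dword; the helper names and sample segments are constructed for illustration.

```python
"""Added example (not from the Leonardo slides or report): a byte-level port
of the two PCAP filters the analysis used to find Penquin trigger packets:

    (tcp[8:4] & 0xe007ffff = 0x6005bdbd) or (udp[12:4] & 0xe007ffff = 0x6005bdbd)
    (tcp[8:4] & 0xe007ffff = 0x6005bebe) or (udp[12:4] & 0xe007ffff = 0x6005bebe)

tcp[8:4] is the TCP acknowledgement number (the slide's "2nd dword");
udp[12:4] is bytes 4..7 of the UDP payload (the 2nd dword after the 8-byte
UDP header).  Only the filter itself is implemented here; the further
conditions the slides draw over the first dword are not.  The segments
below are constructed, not real captures.
"""
from __future__ import annotations

import struct
from typing import Optional

MASK = 0xE007FFFF
MAGIC_VALUES = (0x6005BDBD, 0x6005BEBE)
# Offset of the checked dword from the start of the transport header.
DWORD_OFFSET = {"tcp": 8, "udp": 12}


def dword_at(segment: bytes, offset: int) -> Optional[int]:
    """Big-endian 32-bit read; None when the segment is too short."""
    if len(segment) < offset + 4:
        return None
    return struct.unpack_from("!I", segment, offset)[0]


def matches_trigger_filter(segment: bytes, proto: str) -> bool:
    """True when `segment` (a raw TCP or UDP header plus payload) satisfies
    either BPF expression for `proto`."""
    value = dword_at(segment, DWORD_OFFSET[proto])
    return value is not None and (value & MASK) in MAGIC_VALUES


def unconstrained_bits(mask: int = MASK) -> list[int]:
    """Bit positions the mask zeroes.  The filter never looks at them, so a
    trigger packet can carry variable data there and still match."""
    return [b for b in range(32) if not (mask >> b) & 1]


def make_tcp(sport: int, dport: int, seq: int, ack: int) -> bytes:
    """Minimal 20-byte TCP header: ports, seq, ack, data offset, flags (SYN),
    window, checksum (left zero), urgent pointer."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x02, 65535, 0, 0)


def make_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """8-byte UDP header (checksum left zero) followed by the payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def scan(segments: list[tuple[str, bytes]]) -> list[int]:
    """Indices of the (proto, segment) pairs that match the filter."""
    return [i for i, (proto, seg) in enumerate(segments)
            if matches_trigger_filter(seg, proto)]


SAMPLES = [
    # exact magic in the TCP ack number -> match
    ("tcp", make_tcp(40000, 443, 0x11223344, 0x6005BDBD)),
    # bits outside the mask differ (0x7FFDBDBD & MASK == 0x6005BDBD) -> match
    ("tcp", make_tcp(40001, 443, 0x11223344, 0x7FFDBDBD)),
    # magic in the sequence number instead of the ack -> wrong dword, no match
    ("tcp", make_tcp(40002, 443, 0x6005BDBD, 0)),
    # UDP: second payload dword carries the other magic -> match
    ("udp", make_udp(40003, 53, b"\x00\x00\x00\x00\x60\x05\xbe\xbe" + b"data")),
    # UDP payload too short to hold a second dword -> no match
    ("udp", make_udp(40004, 53, b"\x60\x05")),
]

if __name__ == "__main__":
    print("matching segments:", scan(SAMPLES))
    print("bits the mask ignores:", unconstrained_bits())
```

The mask keeps bits 0-15, 16-18 and 29-31 and ignores bits 19-28, which is why the second sample still matches: a trigger only has to reproduce the signature bits, and the free bits can carry other data. Running the same expressions in tcpdump or Zeek on live traffic is the cheap first pass the slides describe as hard to make effective: the traffic volume is tiny, so the filter finds triggers only while an operator is actually knocking.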
There was still something missing: the internal status
[Figure: PENQUIN listening on PORT XYZ with Status=0; a GOOD_PKT from HOST-B moves it to Status 2]
Internal status
[Figure: PENQUIN listening on PORT XYZ in Status=2, shown asleep (ZzZZzz); HOST-B sends a GOOD_PKT (Status 2)]
Almost done with the analysis…
• At this point we had a complete understanding of the network behavior
• More importantly: we were able to activate Penquin instances and make them call back to an infrastructure of our choice
• We prepared a script that could be used by system administrators and security experts to check if their Linux systems were infected
- Without such a script our intelligence product wouldn’t have been used easily
• We finished writing the report and moved to the next intelligence phase…
Dissemination (https://bit.ly/2yZ1rKJ)
• We released our report, findings and tools progressively:
- To law enforcement and national security agencies
- To our customers and our corporate security
- To the worldwide community of CERTs through MISP (FIRST.org)
- To everyone else
Feedback: Penquins in the world
We didn’t perform massive scans of the internet but… other researchers did, and shared the results with us. We verified the results and confirmed the infections…
Feedback: Penquins in the world – 28/02/2022
[Figure]
Feedback: improvements
• The first version of the network scanning script we publicly released was incorrect
- In specific cases two bits were flipped, which caused the malware to call back to another IP address (not the intended one)
• The careful eye of a researcher working for a large security company spotted it and notified us of the misbehavior
• After a few hours we fixed the script and disseminated the new version
Recap
1. Planning & Direction:
• Intelligence requirement: are the capabilities of the Turla threat actor evolving?
• Prepare your collection plan and task analysts
2. Collection:
• Build a collection strategy: leverage open source feeds and commercial intelligence, and fuse the collected information through a CTI platform
• Deploy custom signatures (e.g. YARA rules) to collect malicious capabilities, that is malware, on premises or globally through third-party services (e.g. VirusTotal)
3. Processing and exploitation:
• Perform static and dynamic analysis of collected samples
• Extract build dates, etc.
• Verify novelty
4. Analysis and Production:
• The most challenging part
5. Dissemination and Feedback:
• Inform your stakeholders
• Share information with your peers
• Provide actionable intelligence!
Work with us
• We are hiring!
• Other collaborations: internships, theses
• Send your CV and collaboration proposal to cybersecurityrecruitment@leonardocompany.com, specifying your interests and the seminar that you attended
For the winner: send us a tweet with the screenshot of your result and we will send you the book! @verdenino
Suggested Readings
• Threat Intelligence and Me, Robert M. Lee
• Intelligence-Driven Incident Response: Outwitting the Adversary, Scott J. Roberts and Rebekah Brown
• Watch Week 6 of Chris Sanders’ free Cuckoo’s Egg course
• The Security Intelligence Handbook, Third Edition: How to Disrupt Adversaries and Reduce Risk with Security Intelligence, Recorded Future
• APT1: Exposing One of China’s Cyber Espionage Units, report by Mandiant (2013)
THANK YOU FOR YOUR ATTENTION