Lots of people say threat intelligence (TI) tastes good, but few know how to cook it. Even fewer know which processes to set up for TI to work and pay off. And a negligible number of people know how to choose a feed provider, where to check an indicator for false positives, and whether it's worth blocking a domain that a colleague has sent you over WhatsApp.
We had two commercial APT subscriptions, ten information exchanges, a few dozen free feeds, and an extensive list of TOR exit nodes. We also used a couple of powerful reversers, well-crafted PowerShell scripts, a Loki scanner and a paid VirusTotal subscription. Not that a security incident response center won't work without all of these, but if you are set on catching complex attacks you have to go the whole hog.
What I was particularly concerned with was the possible automation of checking for indicators of compromise (IOCs). There is nothing as immoral as artificial intelligence replacing a human in an activity that requires thinking. Nevertheless, I realized that my company would encounter that problem eventually, as the number of our customers was growing.
Over several years of constant TI activity, I have stepped on a bunch of rakes, and I'd like to offer some tips that may help newcomers avoid common mistakes.
Tip 1. Don't pin too many hopes on catching things by hashes: most malware is polymorphic these days
Threat intelligence data comes in different formats and forms. It may include IP addresses of botnet Command and Control centers, email addresses involved in phishing campaigns, and articles on evasion techniques that APT groups are about to start using. Long story short, it can be many different things.
To sort this whole mess out, David Bianco suggested using what's called the Pyramid of Pain. It describes the relationship between the different kinds of indicators you use to detect an attacker and the amount of "pain" you cause the attacker when you identify a specific IOC.
For example, if you know the MD5 hash of a malicious file, it can be easily and precisely detected. However, it won't cause much pain to the attacker, because appending just one bit of data to that file will completely change its hash.
Tip 2. Try using the indicators that the attacker will find technically complicated or expensive to change
Anticipating the question of how to find out whether a file with a given hash exists in our enterprise network, I'll say this: there are different ways. One of the easiest is to use a solution that maintains a database of the MD5 hashes of all executable files across the enterprise.
Let's return to the Pyramid of Pain. As opposed to detection by a hash value, it's more productive to identify the attacker's TTPs (tactics, techniques, and procedures). This is harder to do and requires more effort, but you'll inflict more pain on the adversary.
For example, if you know that the APT crew that targets your sector of the economy is sending phishing emails with *.HTA files attached, then creating a detection rule that looks for such email attachments will hit the attacker below the belt. They will have to modify their spamming tactics and perhaps even spend money on 0-day or 1-day exploits, which aren't cheap.
Tip 3. Don't pin excessive hopes on detection rules created by someone else, because you still have to check those rules for false positives and fine-tune them
As you get down to creating detection rules, there is always a temptation to use readily available ones. Sigma is an example of a free repository. It's a SIEM-independent format for detection methods that lets you translate rules from the Sigma language into ElasticSearch, Splunk or ArcSight rules. The repository includes hundreds of rules. It seems like a great thing, but the devil, as always, is in the details.
Let's take a look at one of the mimikatz detection rules. This rule detects processes that attempted to read the memory of the lsass.exe process. Mimikatz does this when trying to obtain NTLM hashes, and the rule will identify the malware.
However, it's important for us – experts who don't only detect but also respond to incidents – to make sure it's actually a malicious actor. Unfortunately, there are numerous legitimate processes that read lsass.exe memory (e.g., some antivirus tools). Therefore, in a real-world scenario, a rule like that may cause more false positives than benefits.
I'm not trying to accuse anyone in this regard – all solutions generate false positives; it's normal. However, threat intelligence specialists need to understand that double-checking and fine-tuning the rules obtained from both open and closed sources is still necessary.
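The tuning step described above, as an added example that is not part of the original article or of the Sigma project: a simplified lsass-access condition modelled on Sysmon Event ID 10 is run over constructed sample events, and a site-specific allowlist of known legitimate readers (the antivirus path here is an assumed placeholder) separates real alerts from the false positives the rule would otherwise raise.

```python
"""Run a simplified lsass-access rule with a tuning allowlist (added example)."""

# Constructed sample records modelled on Sysmon Event ID 10 (ProcessAccess).
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Users\bob\AppData\Local\Temp\mk.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Program Files\ExampleAV\avscan.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Windows\System32\notepad.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1fffff"},
]

# Access masks commonly requested by credential dumpers (approximation of the
# values used by public rules; adjust to the rule you actually deploy).
SUSPICIOUS_ACCESS = {"0x1010", "0x1410", "0x1438", "0x143a", "0x1f0fff", "0x1f1fff", "0x1f3fff"}

# Site-specific tuning: process images known to read lsass legitimately.
# The antivirus path below is an assumed placeholder, not a real product path.
ALLOWLIST_SOURCES = {r"c:\program files\exampleav\avscan.exe"}


def rule_matches(event):
    """Base condition: target is lsass.exe and the access mask is suspicious."""
    return (event["TargetImage"].lower().endswith(r"\lsass.exe")
            and event["GrantedAccess"].lower() in SUSPICIOUS_ACCESS)


def evaluate(events, allowlist=ALLOWLIST_SOURCES):
    """Return (alerts, suppressed): matches split by the tuning allowlist."""
    alerts, suppressed = [], []
    for ev in events:
        if not rule_matches(ev):
            continue
        if ev["SourceImage"].lower() in allowlist:
            suppressed.append(ev["SourceImage"])  # known benign reader
        else:
            alerts.append(ev["SourceImage"])      # needs an analyst
    return alerts, suppressed


if __name__ == "__main__":
    found, muted = evaluate(SAMPLE_EVENTS)
    print("alerts:", found)
    print("suppressed by allowlist:", muted)
```

Keep the suppressed matches in a separate, lower-priority log: an allowlisted image can still be abused, and the list itself needs periodic review.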
Tip 4. Check domains and IP addresses for malicious behavior not only on the proxy server and the firewall but also in DNS server logs – and don't forget to look at both successful and failed resolution attempts
Malicious domains and IP addresses are the optimal indicators from the perspective of detection simplicity and the amount of pain you inflict on the attacker. However, they appear easy to handle only at first sight. At the very least, you should ask yourself where to capture the domain log.
If you restrict your work to checking proxy server logs only, you may miss malicious code that tries to reach the network directly or requests a non-existent domain name generated by a DGA, not to mention DNS tunneling – none of these will show up in the logs of a corporate proxy server. Criminals may also use commercially available VPN services with advanced features or create custom tunnels.
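The DNS-log check the tip calls for, as an added example that is not from the original article: constructed query-log lines (a simple time,client,qname,rcode format assumed here, not any particular server's) are matched against an assumed indicator domain regardless of whether the resolution succeeded, and clients that generate many distinct NXDOMAIN answers are flagged as possible DGA activity.

```python
"""Triage DNS server logs for indicators and DGA-like failures (added example)."""
from collections import defaultdict

# Constructed log lines: time,client,qname,rcode (format assumed for this example).
SAMPLE_DNS_LOG = """\
10:00:01,10.1.1.5,update.example-c2.test,NOERROR
10:00:02,10.1.1.5,www.example.com,NOERROR
10:00:03,10.1.1.9,evil-drop.example-c2.test,NXDOMAIN
10:00:04,10.1.1.9,qkzjd1p.net,NXDOMAIN
10:00:04,10.1.1.9,a8s7dfh2k.com,NXDOMAIN
10:00:05,10.1.1.9,zpq9w8e.org,NXDOMAIN
10:00:05,10.1.1.9,mm2k3jh4g.info,NXDOMAIN
10:00:06,10.1.1.7,typo-of-example.cmo,NXDOMAIN
"""

# Constructed indicator: a parent domain; any subdomain of it counts as a hit.
INDICATORS = {"example-c2.test"}


def parse(log_text):
    """Yield (time, client, qname, rcode) tuples, normalising the query name."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split(",")
        yield ts, client, qname.lower().rstrip("."), rcode


def matches_indicator(qname, indicators):
    return any(qname == d or qname.endswith("." + d) for d in indicators)


def triage(log_text, indicators=INDICATORS, nx_threshold=4):
    """Return indicator hits (successful or failed) and clients with many NXDOMAINs."""
    ioc_hits = []
    nx_names = defaultdict(set)
    for _ts, client, qname, rcode in parse(log_text):
        if matches_indicator(qname, indicators):
            ioc_hits.append((client, qname, rcode))   # NXDOMAIN hits still matter
        if rcode == "NXDOMAIN":
            nx_names[client].add(qname)               # distinct failed names per host
    dga_suspects = sorted(c for c, names in nx_names.items() if len(names) >= nx_threshold)
    return {"ioc_hits": ioc_hits, "dga_suspects": dga_suspects}


if __name__ == "__main__":
    print(triage(SAMPLE_DNS_LOG))
```

A single typo (10.1.1.7) stays under the threshold, while the indicator hit at 10:00:03 is caught even though the name never resolved.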
Tip 5. Monitor or block – decide which to choose only after finding out what kind of indicator you have discovered and weighing the potential consequences of blocking
Every IT security expert has faced a nontrivial dilemma: block a threat, or monitor its behavior and start investigating once it triggers alerts. Some guidelines unambiguously encourage you to choose blocking, but sometimes doing so is a mistake.
If the indicator of compromise is a domain name used by an APT group, don't block it – start monitoring it instead. Present-day tactics for deploying targeted attacks presuppose the presence of an additional covert connection channel, like, for example, cell tracking apps, that can only be discovered through in-depth analysis. Automated blocking will prevent you from discovering that channel in this scenario; moreover, the adversaries will quickly realize that you've noticed their shenanigans.
On the other hand, if the IOC is a domain used by crypto-ransomware, it must be blocked immediately. But don't forget to monitor all failed attempts to query the blocked domains – the configuration of the malicious encryptor may include several Command and Control server URLs. Some of them may not be in the feeds and therefore won't be blocked. Sooner or later, the infection will reach out to them to obtain the encryption key that will immediately be used to encrypt the host. The only reliable way to make sure you have blocked all the C&Cs is to reverse the sample.
Tip 6. Check all new indicators for relevance before monitoring or blocking them
Keep in mind that threat data is generated by people who are prone to error, or by machine learning algorithms that aren't error-proof either. I have witnessed different providers of paid reports on APT groups' activity accidentally adding legitimate samples to lists of malicious MD5 hashes. Given that even paid threat reports contain low-quality IOCs, those obtained through open-source intelligence should definitely be vetted for relevance. TI analysts don't always check their indicators for false positives, which means the customer has to do the checking for them.
For example, if you have obtained an IP address used by a new iteration of TrickBot, before using it in your detection systems you should verify that it's not part of a hosting service or one from your own IP range. Otherwise, you will have a hard time dealing with numerous false positives every time users visiting a site hosted on that platform open completely benign web pages.
Tip 7. Automate all threat data workflows as far as possible. Start by fully automating the false positives check via a warning list, while instructing the SIEM to monitor the IOCs that don't trigger false positives
To avoid numerous false positives from intelligence obtained from open sources, you can run a preliminary search for these indicators in warning lists. To create these lists, you can use the top 1000 websites by traffic, the addresses of internal subnets, as well as the domains used by major service providers like Google, Amazon AWS, MS Azure and others. It's also a great idea to implement a solution that dynamically updates warning lists consisting of the top domains / IP addresses that the company's employees have accessed during the past week or month.
Creating these warning lists may be problematic for a medium-sized SOC, so it makes sense to consider adopting so-called threat intelligence platforms.
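The vetting step from Tip 6 and the warning-list check from Tip 7, as one added example that is not from the original article: each raw indicator is classified as "monitor" (safe to hand to the SIEM) or "warn" (needs a human first) by checking it against constructed warning lists for internal subnets, a shared-hosting range, top-traffic and provider domains, and recently accessed domains. All list contents are placeholders; the 203.0.113.0/24 range is a documentation prefix standing in for a real hosting provider.

```python
"""Vet raw indicators against warning lists before they reach the SIEM (added example)."""
import ipaddress

# Constructed warning lists. In practice, fill these from a top-sites list, your IPAM,
# provider-published address ranges and the proxy's top destinations for the last month.
INTERNAL_SUBNETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
PROVIDER_RANGES = {"constructed-hosting": ipaddress.ip_network("203.0.113.0/24")}
TOP_DOMAINS = {"google.com", "amazonaws.com", "azure.com", "example.com"}
RECENTLY_ACCESSED = {"cdn.example.net"}


def base_domain(name):
    """Crude registrable-domain guess: last two labels (no public-suffix handling)."""
    parts = name.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else name.lower()


def vet_ip(ip_str):
    ip = ipaddress.ip_address(ip_str)            # raises ValueError for non-IPs
    if any(ip in net for net in INTERNAL_SUBNETS):
        return "warn", "internal address"
    for provider, net in PROVIDER_RANGES.items():
        if ip in net:
            return "warn", f"shared hosting ({provider}); expect benign hits"
    return "monitor", ""


def vet_domain(name):
    name = name.lower().strip(".")
    if base_domain(name) in TOP_DOMAINS:
        return "warn", "top-traffic or major provider domain"
    if name in RECENTLY_ACCESSED:
        return "warn", "accessed by employees recently"
    return "monitor", ""


def vet(indicator):
    """Return (verdict, reason); 'warn' means an analyst reviews it before use."""
    try:
        return vet_ip(indicator)
    except ValueError:
        return vet_domain(indicator)


def vet_all(indicators):
    return {i: vet(i) for i in indicators}


if __name__ == "__main__":
    for ioc, (verdict, reason) in vet_all(
            ["10.1.2.3", "203.0.113.45", "198.51.100.7",
             "www.google.com", "cdn.example.net", "update.example-c2.test"]).items():
        print(f"{ioc:28} {verdict:8} {reason}")
```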
Tip 8. Scan the whole enterprise for host indicators, not only the hosts connected to the SIEM
As a rule, not all hosts in an enterprise are plugged into the SIEM. Therefore, it's impossible to check them for a malicious file with a specific name or path using standard SIEM functionality alone. You can take care of this problem in the following ways:
- Use IOC scanners such as Loki. You can use SCCM to launch it on all enterprise hosts and then forward the results to a shared network folder.
- Use vulnerability scanners. Some of them have compliance modes that let you check the network for a specific file in a specific path.
- Write a PowerShell script and run it via WinRM.
As mentioned above, this article isn't meant to be a comprehensive knowledge base on how to do threat intelligence right. Judging from our experience, though, following these simple rules will allow newcomers to avoid significant mistakes while handling different indicators of compromise.