
IOC What You Mean - Darren Kingsnorth

BSides Cymru Wales · 2023 · 34:58 · 108 views · Published 2023-04

Style: Talk

Transcript [en]

Okay, so my chat is "IOC What You Mean". Apart from the absolute cracking pun there, it's really about creating a high-fidelity escalator up the pyramid of pain, so essentially it's all about actionable intelligence, using the pyramid of pain as a conduit to that.

So who am I? My name is Darren Kingsnorth. I have a terrible title, so I couldn't think of anything creative. I'm the threat intelligence manager at Admiral Group and, my goodness me, this is [inaudible] experience: ten years of diverse pen testing, pains and terrible threats. Some of you in this room I may have worked with before, unfortunately. I come from [inaudible], CGI, Admiral (Admiral twice actually, so I love the place so much), NCC and ECC. So enough of that, let's go back. There we go.

So just to give everyone in the room a quick sit rep in terms of what we're discussing today: what is threat intelligence? A quick show of hands to get everyone involved: who locks their door at night? Who locks their car at night? And who locks the attic door? Oh wow. That's my comedy gift for the day. So the premise is ultimately you're using threat intel on a daily basis whether you know it or not, and so again it's all about informing decision-making, using threat intel to guide you through that. This here just gives you a visual view in terms of where intelligence comes from, in terms of collection, processing, analysis; again, that's what we call the intelligence cycle.

So how does that work from a cyber perspective? Really, in this particular avenue we're looking at effective detection. Some of you may know the term indicators of compromise, so IOC; it's been heavily bandied around in terms of how it's used. Just to give you, again, a sit rep in terms of what it actually means: an indicator of compromise is what has happened, so it's essentially a reactive state, and as a result of that your detection window, in terms of when you can detect that, is, well,
an arbitrary figure that big. The reason why I mention that is because, based on current reporting from Mandiant and IBM, mean time to detect is roughly 21 days to 323 days, which is absolutely ridiculous when you consider the fact that, based on current analysis, it takes roughly two to four days from exfil to ransom, like John from Sophos mentioned earlier on. So to that end, we then look to branch out the detection window by introducing indicators of attack: what is happening. That's considered more of a proactive approach rather than "okay, we've seen bad stuff happening, it's too late because they're already out of the door with your crown jewels". Again, in terms of time span we're looking at T equals zero, then it's infiltration.

However, what I want to propose today is a whole new term, well, partly a new term; a lot of these indicator terms were actually first coined by [inaudible], so it's a branding group, but nevertheless: an indicator of risk, so essentially what can happen. A lot of this talk is really about using what we consider indicators of compromise to actually predictively block or deny attackers using indicators of risk, and of course the detection window there is far higher. So what we're looking at here is really pre-compromise, what in industry we call left of bang. That's really where we should move more to, well, not move more towards, but at least focus on. Something that, yes, we always consider is post-compromise; however, at the same time I think there is a considerable degree of effort that should be being placed on the left of bang, so again pre-compromise, and how we can detect the attacker before they get into the environment.

Okay, so how do we do that? From a cyber perspective you may be aware of the pyramid of pain; who in the room has heard of the pyramid of pain? So the pyramid of pain is all about
increasing adversary operational cost. It's all about just making it harder for the attacker, and that's essentially the premise of it. Sometimes this does get confused in terms of "okay, these are actually really hard things to do for a defender"; however trivial, easy, simple, it's all about increasing the level of pain for an attacker, just making it harder for the attacker to move. Essentially, the attacker swimming in treacle is far better for us as defenders than the alternative.

However, an interesting piece, and where this kind of chat grew from, is a slide I created years ago in terms of the permutations of that. Just like they do from the red team perspective, or an attacker perspective, in terms of password lists, rainbow tables, all that good stuff: it's permutations in terms of how big these spaces are. What I mean by that is hash values: MD5, 2 to the power 128, is a huge, huge space there. Similarly, as we go up: IPv4, 4.3 billion permutations you could possibly have there. As you move up the pyramid of pain, 630 million, again based on current figures; and then similarly network and host artifacts, tens of thousands; as you move up to that again, tools, you're looking at, based on ATT&CK v12, 718 different tools. So as you can see, even though those lower things are easy for them to change, these higher things actually are much harder for them to change; however, you can see the permutation space is much smaller, so it's actually much easier for a defender to apply some of these controls. That said, there's a lot of debate at the moment in terms of domain names, IP addresses, hashes: because they are easier to change, they are somewhat pounded on as being no longer required for use, and I disagree with that, because there are a number of different things you can do to still use IP addresses, hash values, etc. which are detective high-
fidelity controls.

And so if we go from there, you can actually see "okay, well great, we've got the pyramid of pain, everything's solved"; however, reality strikes. If you go to, say, an intel vendor, they will provide you with a threat data feed; it's not a threat intel feed. We can see here, based on historical analysis, that there is a considerable overlap, well, a considerable lack of overlap, of intel feeds. Historically, from 2014 there's been ongoing research in terms of how much overlap there has been within intel feeds, and it's pretty poor: I mean, there's six percent in 2014, three percent in 2015. So again it shows that the sources everyone's pulling from are entirely different, and so even though you think "okay, that's great because they all find different stuff", from an end customer perspective you have to buy all the feeds to have any sort of overlap, therefore you have no real confidence in whether that one feed you have is any good. That's why, yes, we use paid feeds within Admiral Group; however, at the same time we fully well understand that they're not finding everything, and nobody is. And so that's why some of it is, not to say a fallacy, but it's definitely not the whole angle just to say you have an IOC feed coming in. As I mentioned just a minute ago, most vendor options are hash values, IP addresses and domain names, and nevertheless it's not targeted towards yourself, so it lacks the context, it lacks the situational awareness. For example, who would care, from a burglar perspective, what someone in Venezuela is doing? Don't get me wrong, yes, it's a big place; however, at the same time you really want a lot of these pieces here to fall into what we care about, and that's part of the talk today. Similarly, MISP's current analysis in terms of their feed overlap analysis matrix: if anyone uses MISP you'll know that they do have an overlap analysis matrix which is
built in, which is pretty good. As you can see here, it doesn't matter that you can't read this one, it's all green, and green essentially means bad because there is zero overlap for the most part: 99% of all feeds provided within MISP have zero overlap, which again pushes towards "okay, well, everyone knows about nothing" rather than "okay, well, actually this is bad, confirmed by this feed, by this feed, by this feed". However, we are going to use some of these for our examples.

So to build up that pyramid of pain we'll first look at hash values. When people think of hashes they think of file hashes only, MD5, SHA-1; however, there are other hashes available that you can use. One of those is MurmurHash, so mmh3 is a non-cryptographic algorithm to essentially hash files or hash things; in this instance what we're using it for is to detect malicious infrastructure. You can see here the mmh3 hash will get you closer to the Shodan hash, so mmh3 is the algorithm used by Shodan and SHA-1 is used by Censys. Nevertheless, I was originally looking to discuss JA3 hashes; however, there is a level of fidelity issue in that you can easily randomise JA3 hashes. JA3 hashes, if you're not aware, are about the hashing of SSL handshakes. So we can see here that, okay, we can easily highlight default configuration C2 and ShadowPad. Why default? Why do you care about that? Because there's a lot out there, and we know that they do require infrastructure; they may not think that they will have to change the infrastructure, based on how high a tier of attacker they are. So if we take this further out, I did some further analysis and actually identified 129 plugins, 35 [inaudible], 32 Meterpreter, which was huge; again, a lot of people use Meterpreter, but nevertheless it shows that all these attackers you could easily block or create alerts on. And off the back of that, an interesting one: if you
really want to annoy your testers, if you really want to annoy your pen testers, it's an easy way to identify Burp Collaborator. So if anyone's trying some out-of-band SQL or anything, there's 540 on the web that you can block straight off the bat. Similarly, in this instance as well, [inaudible], I thought, well, maybe you could DDoS some of those potentially, I don't know. But really the premise of that is, again, to use hashes to jump up the pyramid of pain: to identify IP addresses of the infrastructure, just like we have there, but also, if you're blocking their infrastructure you're impacting their tools and potentially their TTPs as well. So rather than just a file hash that is only used for that one particular thing, we can actually start to fingerprint their infrastructure and start to attack the attacker.

Moving on to IP addresses. Again, you know they're going to potentially, well, they're likely going to attempt to scan us from a reconnaissance perspective, so therefore, again, our own faithful Tor. I appreciate everyone thinks "oh well, you know, let's not block Tor, it could be for business use", but nevertheless, doing some quick analysis on that based on the paid feeds that we have, 98% of the current Tor node lists... apart... so I recognise them... I'm an easily distracted magpie... yes, so 98% of the traffic has seen historical attacks, so again it really lends itself to "that's probably not a good thing, to actively let them scan or actually learn". And CISA recommend a blended approach, which is a case of block all on particular traffic, whether that be the VPNs, any sort of crown jewels, traffic you really should care about, and then detect and monitor on others, for example [inaudible]. Tor, again, is an easy route that people think "okay, there's a level of anonymity to it";
however, there's a lot of analysis, again largely driven by Chinese research, in terms of detecting Tor nodes, obviously to kill privacy; we want to use it for a different purpose, in terms of blocking and detecting attackers. When I say deny, the course of action with any of these is of course detect and deny rather than just detect.

Moving from that to ASNs, TLDs and DNS services. Final point: BPH, so bulletproof hosting providers. The premise here is there's a number of different preventative techniques that we can use to frustrate attackers, and really it's a case of bulletproof hosting providers being great for attackers in that they don't care if you submit a takedown, whether UDRP or what have you; however, you need to make a concerted effort to actually block these bulletproof hosting providers based on their ASNs. Okay, they may have some genuine traffic; however, at the same time, what's the trade-off between the genuine traffic and the malicious traffic in there? So again, deny by association, and that does push the attackers potentially towards more legitimate infrastructure, and therefore if they're using more legitimate infrastructure, whether AWS, Azure, GCP, what have you, then it potentially gives us a better chance of taking that respective infrastructure down, because then they're on legitimate infrastructure rather than bulletproof hosters, where really you submit any sort of takedown and they don't care. And then similarly, in terms of DNS operators as well, again they're starting to use legitimate DNS operators... what was the example... yeah, there's quite a few Chinese DNS operators that are actively allowing a lot of malicious traffic, therefore we can pretty much confirm that, okay, we could just sling that if you're not using Chinese infrastructure or if you don't have Chinese customers, things like that. So again it all comes back to a systematic catalogue of maliciousness, and not to say "let's just boil the ocean", but at
the same time we can use a few of these. We can use some of the analysis; for example, [inaudible] teams have a Tor bridges collector, which again you may think our bridge nodes are, you know, hidden, things like that; they're not. And so then we can pile some of these things up to say okay, these would be a credible list to essentially put the block in. So again, I appreciate these are all very much list-based approaches; however, there's still plenty of mileage on the clock, so just actively using them to again frustrate the attacker, because again if we're hitting those hosting providers, we're hitting DNS operators that are heavily seen in malicious cases, then again we start to kill the tools, start to kill the TTPs off and make it harder for the attacker.

Domain names. So this is where a lot of this kind of drove from, and from that indicator of risk perspective we all know that they'll likely attempt to typosquat in their attack. I did some analysis on the top eight most phished domains, so again DocuSign, Microsoft, PayPal, all those good things, and I identified that 50% of them have been registered as permutations. What I mean by that is if you had admiral.com, a permutation of that would be badwolf.com. And so just like we do with passwords, just like we do with how we create hashes, we get every single possible permutation we can find and then generate it, using in this instance CIRCL's typosquatter, a really good tool, and it has a number of different algorithms in terms of the respective TLDs, the respective behaviours in terms of how you typosquat those respective domains. So again, really useful for us because we can say okay, well, actually, if this is the whole permutation space of those particular domains, it gives us a pretty good chance to say, well, actually, if we bought one of those, it's a higher chance, a very high likelihood, of us potentially blocking real live
attacks. I mean, we do actually use this at Admiral and it has actually worked. There we go. Okay, yes, so as you can see here, microsoft.com; again, it's not very [inaudible], it's the same [inaudible], but nevertheless it's got a much higher likelihood of success compared to ezpq.2.com. So again, their behaviours are just like ours, in terms of they are going to go for those particular angles that people would be set up for. So based on those 50% of top phished domains, essentially if you count them the number is 5,675. Further analysis into that revealed a number of different C2 name servers and historical malware operations, so again it's all the more reason that you can do this analysis within your own environment, whether it be [inaudible] or what have you; it's definitely worth double checking, to give you again a concise list of what possible options there are to potentially deny as a result.

So again, from there, okay, [inaudible]. So ultimately, which is a word I use at work all the time, it hurts me as well; so essentially what we do here is we're blocking the domains, and as a result we're impacting TTPs and making it harder on the attacker to actually create an attack that would have a high chance of success. If you want to read further into that, one of the guys on the team did some really good typosquat domain analysis.

But an offside to this, again not TTP but related, is unintentional insider threat, and this is typically something everyone can do and take away as a result: again, create this list based on your domain, based on your top ten domains that you have in your environment. The reason why I say that is because six percent of all breaches, based on Verizon's DBIR (again, this is in there, but nevertheless), six percent are [inaudible]; so essentially that's going to be pretty much near enough, I'd push, ten percent of the time in terms of
attacks. So based on those factors, insider threat is something that, yes, is known about, but it's definitely not given the attention that it deserves, and this is all about misdelivery, again typos; that's the whole reason for it, right? So yes, it's definitely worth recommending to do this within your environment, and you will actually be quite interested, or no doubt surprised, at what you find. So if you try to email me at admiralgroup.com you'll be sending emails, with sensitive data or what have you, to an Admiral recruitment site which is in the States, so again it's a flippant thing that can create a potential breach, and there'll be an absolute headache for the incident response to it. Simple enough. Nope, nope... yeah, it's gone. Yeah, so definitely worth checking it out, because it's really interesting what you can find there, and again you may identify a number of different trends in user behaviours as well.

Ah yes, autocomplete. Autocomplete is not your friend, full of terrible phrases. Yeah, so autocomplete: as soon as you email someone, you'll identify that if you do get it wrong then that will autocomplete based on that as "helpful" advice, and because of that you could then keep on sending similar data out to that respective recipient. So yes, it's great and it's helpful for us; however, essentially, if you do get it wrong it will constantly send out emails, or potentially sensitive data, to other parties.

If we move now into network and host artifacts: from an IR perspective, we know they'll replicate our infrastructure, and some of the analysis, based off [inaudible], is that 60% of all phishing attacks are based on a one-to-one clone of our own websites. Based on that information, or based on that intelligence, we can then think: well, actually, what does our site look like? What are the specific indicators that we can find as a result? For example, yeah, Google Tag Manager; so again, if we are
uploading a website, then we're go
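The "indicator of risk" approach above (generate every permutation of your own top domains, then buy or block the look-alikes and catch misdirected outbound mail) can be prototyped without the tool the speaker mentions. The following is an added example written for this page; it is not code from the speaker, from Admiral Group or from CIRCL. The brand domain, the keyboard-neighbour and homoglyph tables, the TLD list and the mail-gateway log lines are all constructed for illustration, and the field names in those log lines are assumed, not any particular product's format.

```python
"""Typosquat permutation generator plus an outbound-mail misdelivery check.

Added example for this page (not the speaker's or CIRCL's code). The brand
domain, the neighbour/homoglyph tables, the TLD list and the log lines are
constructed for illustration; tune the tables to your own keyboard layouts
and TLD footprint before using the output as a blocklist.
"""
import re
import string

# Adjacent keys on a QWERTY layout (constructed, partial table).
KEYBOARD_NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu",
    "z": "asx",
}
# Visually confusable substitutions (constructed, partial table).
HOMOGLYPHS = {
    "o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"], "a": ["4"],
    "s": ["5"], "m": ["rn"], "w": ["vv"], "d": ["cl"],
}
# TLDs an attacker, or a fat-fingered employee, would plausibly reach for.
ALT_TLDS = ("com", "co.uk", "net", "org", "co", "cm")


def typosquat_permutations(domain: str) -> set[str]:
    """Return candidate look-alike domains for `domain` (e.g. admiral.com).

    Covers omission, repetition, adjacent-key replacement, homoglyph
    substitution, transposition, hyphenation, insertion and TLD swaps.
    The original domain itself is never included in the result.
    """
    label, tld = domain.lower().split(".", 1)
    labels: set[str] = set()
    for i in range(len(label)):
        labels.add(label[:i] + label[i + 1:])             # omission
        labels.add(label[:i] + label[i] + label[i:])       # repetition
        for n in KEYBOARD_NEIGHBOURS.get(label[i], ""):
            labels.add(label[:i] + n + label[i + 1:])      # replacement
        for g in HOMOGLYPHS.get(label[i], []):
            labels.add(label[:i] + g + label[i + 1:])      # homoglyph
    for i in range(len(label) - 1):
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
    for i in range(1, len(label)):
        labels.add(label[:i] + "-" + label[i:])            # hyphenation
    for i in range(len(label) + 1):
        for ch in string.ascii_lowercase + string.digits:
            labels.add(label[:i] + ch + label[i:])         # insertion
    labels.discard(label)
    candidates = {f"{lab}.{tld}" for lab in labels
                  if lab and lab[0] != "-" and lab[-1] != "-"}
    candidates.update(f"{label}.{t}" for t in ALT_TLDS if t != tld)  # TLD swap
    return candidates


# Constructed sample of outbound mail-gateway log lines (not real data).
SAMPLE_OUTBOUND_LOG = """\
2023-04-01T09:12:03Z from=alice@admiral.com to=bob@admiral.com subject="claims report"
2023-04-01T09:13:41Z from=alice@admiral.com to=claims@adrniral.com subject="claims report"
2023-04-01T09:15:09Z from=dave@admiral.com to=hr@admiral.co subject="new starter forms"
2023-04-01T09:20:55Z from=dave@admiral.com to=partner@example.net subject="renewal"
"""

TO_ADDR = re.compile(r"\bto=[^@\s]+@(\S+)")


def flag_misdirected(log_text: str, brand_domain: str) -> list[tuple[str, str]]:
    """Return (recipient_domain, log_line) for every outbound message whose
    recipient domain is a look-alike of `brand_domain` (unintentional insider
    misdelivery); mail to the brand domain itself is not flagged."""
    lookalikes = typosquat_permutations(brand_domain)
    hits: list[tuple[str, str]] = []
    for line in log_text.splitlines():
        m = TO_ADDR.search(line)
        if m and m.group(1).lower() in lookalikes:
            hits.append((m.group(1).lower(), line))
    return hits


if __name__ == "__main__":
    perms = typosquat_permutations("admiral.com")
    print(f"{len(perms)} candidate look-alikes for admiral.com")
    for dom, line in flag_misdirected(SAMPLE_OUTBOUND_LOG, "admiral.com"):
        print(f"misdirected mail to {dom}: {line}")
```

The generated set is the "permutation space" the talk refers to; the next step in practice is to resolve or WHOIS each candidate so that only registered look-alikes end up on the block list, and to feed the outbound-mail check with your real gateway logs. Multi-label TLDs such as co.uk are handled by splitting on the first dot, so a brand like admiral.co.uk keeps its full suffix.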