
Howdy, thanks for being here. Last year I spoke at BSides and I got the luck of the draw and went first. I guess I failed this time and got last, so I'm glad somebody showed up; I do appreciate it. Who's hanging around for the afterparty? Okay, just curious. I figured that's the only reason you were still here.

In any case, I like to start most of my presentations with a story, and to be honest I was struggling to come up with a story that fit exactly the feel and emphasis that I wanted today, so I was going to skip the story. And then today happened. I get asked all the time, "How do you like IR?" That's a trick question. I'm an incident response consultant, which means I have no life. That's just the way it works; it's the tyranny of the urgent on a continuum. So today, about halfway into the third session of this conference, I got a call. Most of my engagements start with a customer scoping call: the customer calls and says something really bad happened, we need your help. I have a standard operating procedure, which we're going to talk about today. Before I engage with that customer on the scoping call I go through some open source intelligence analysis. I want to know who I'm talking to before I talk to them, honestly, so I spend just a couple three minutes preparing. Today I'm at a conference, so I don't have my laptop handy, so I break my own rule and get on the call. The customer, a financial services firm, says, "We just found out that someone broke into our network, broke into our financial services software, and changed bank routing numbers for 20-plus of our customers and began to siphon all of their funds." Bummer. Not good.

So, in typical response, where do all the attacks come from anymore? They come from the internet, right? That's just the way it works. So I start to ask questions. I'm assuming that they somehow got attacked from the outside, so I ask them, of course, "What kind of remote access do you have to your environment?" "None." "None? Okay. No client access VPN? No remote workers?" "Nope, none, everything's on-prem." "Okay, so your financial services software is not available remotely from the internet in any way, shape or form?" "Nope." Okay. I have no choice but to believe this in this moment, and then I'm thinking to myself, so if they literally have a system in their network that's compromised, this is hard, right? How am I going to find that? They've already done some initial analysis; they've failed, or they wouldn't have called me. So now I'm thinking about this process and how I'm going to ascertain, amongst the servers and the workstations, how I'm going to help them decipher what happened. And I can't help myself. I'm like, "And you're sure you have no remote access?" "None." Okay, well, I'm sorry, but this is going to be expensive. Digital forensics and incident response is expensive. I'm happy to help you; here's the approach we can take, a metered approach, blah blah blah. I draft up a really quick email from my phone, against my better judgment, and then I can't help myself: I bust out my laptop in the middle of BSides and I do what I should have done initially. I go to their corporate website, and if you ever work with a financial services firm, how do you get your information to them? Secure file transfer. And there's a link that says "Here's how to transfer your files to us." So I click the link, and right there on the next page is "Employee login." I click that link, and up pops their financial services login page, from the interwebs, while I'm at the conference.

This is exactly what I want to talk to you about today. It was the perfect prelude; the universe provides. Welcome to open source intelligence for incident investigation and incident response.

Today is not about the world's deepest dive into open source intelligence. Open source intelligence is a topic all unto itself. Usually we talk about it in the context of offensive security, pentest, red team; usually it's an exploitation of publicly available data to somehow attack you, take advantage of you. I'm going to flip the script a little bit, because that's not what I do. I do incident response, and so I want to talk less about an open source intelligence deep dive, nuanced, lengthy exposés; I want to talk about OSINT for IR from a due diligence perspective. And I'm not trying to pick on the IT manager in my scenario a minute ago. I'm not trying to pick on that person; this happens all the time. Who here has web authentication portals that you don't know about? I mean, that's just real life. In this case, though, he should have come to this talk, because just a little bit of effort, a little bit of due diligence, can pay huge dividends in leveraging open source intelligence for incident investigation.

So here we are. I don't have a lot of time, so I'm going to go at a high rate of speed, and at the very end I'm going to share: I have these slides available to you on tinyurl.com (OSINT for IR). I will share that with you at the very end so you can take a picture of that; you don't have to take a picture of the rest of the deck if you don't want to. The deck is available to you. I've also written a bunch of this up, step by step, in two Black Hills Information Security blog posts. Not entirely, but a lot of the specific technical components are already written up for you, so relax, just listen, laugh if you think I'm trying to be funny, and I will share those links at the end.

So, brief introduction. We'll talk about the context, because context is king. Much like I just talked about, OSINT means all sorts of things to all sorts of different folk; today I get to define what it means, so thank you. Then I'm going to talk about my three-minute intro OSINT for IR; that's the thing I wish I had done before I got on the phone with that last customer. Then I'm going to talk about a couple case studies where I've actually used some open source intelligence to solve a couple three cases, and hopefully that's beneficial to you, whether you're a consultant, an internal representative, etc. And then of course at the very end I will share my contact information and, again, the links to the slides and a general link to the blog posts.

Hi, my name is Patterson Cake, not a pseudonym. I am a digital forensics and incident response consultant for Black Hills Information Security: little DF, big IR, because mostly what I do is incident response. Mostly what I do is help people like in the scenario that I mentioned a minute ago. I've come to be an Occam fan late in life, but I've discovered that in the middle of incident response things get complicated all by themselves, so my mantra: I am constantly trying to keep things simple, effective and repeatable. That's the only way I survive in managing the crisis of active incident response, and so simplicity is my goal in almost everything. I'm sure you've heard the quote that complexity is the enemy of security. It's just a fact. So if we get all done with this and you're like, "Well, that wasn't that complicated," then mission accomplished. That's exactly what I'm trying to do here, not show you whiz-bang, complicated components.

When I get a call like I did today, they want actionable intelligence. That customer wanted to know: what do I do now? They don't want me to give them strategy, philosophy (that's hard to say); they don't want nuance. They want results, and they want them ASAP, because I'm expensive. Okay, this is huge. This is the presupposition, so hang with me for just a minute. Incident response is about unanswered questions. Today, again, perfect example, thank you very much. The real questions that they want answered are: how did this happen? How did this happen, because they want, twofold, to make sure it never happens again, and they can't help themselves, they're dying to know how this played out, who's responsible, what the threat vector was, etc. Ultimately they have questions and they need help answering them. From my perspective it's critically important that you are asking the right questions. That sounds simple, but that's part of what this slide is about, and I'll spare you the diatribe, you can read it yourself, but this is important: you need to define what it is you're trying to ascertain before you dive into the muck and the mire. Who's a nerd here? Yeah, I know, all of you. We love the minutiae, we love the rabbit trails. It's really hard as a digital forensics and incident consultant not to be all excited about things that the customer doesn't care about. It's harder to get paid. So asking the right questions: critical. Finding the right answers.

What do I mean by open source intelligence? Well, what I mean is: what does the internet know about you? What does it know about your business? That's it; that's really all I care about. I'm not talking about deep web, dark web, whatever other web; I'm talking surface web, easily accessible information, effectively that is public knowledge whether you know it or like it or not. A couple things that are fun about this, some important nuances: this is largely zero-touch. I am not interacting with the customer environment, especially at the outset of an engagement. I don't have permission to do that yet, and secondarily, I'm not getting paid. I'm not doing deep-dive analysis; I'm just going to do an initial foray until I have permission. Today, a publicly accessible link to their financial services portal: I clicked it. I did not try and log in. Again, there's a line there; you define it for yourself. Mostly zero-touch, maybe light-touch, maybe normal-touch if you will, from a publicly available, accessible perspective.

The next part is: what does the internet know about you now? What about now? What about now? This is constantly changing, ever evolving, and this is the challenge, and this is part of the value in the proposition that we're about to explore. I'm talking about right now; I'm not talking about yesterday, two weeks ago, 30 days ago. We might get to that point, but right now I am focused, laser focused, on why we're having this conversation, again, from a customer, an investigative perspective, an incident response perspective: what does the internet know about you?

Excuse me. I'm going to broadly lump OSINT into two categories, and this is really not important, but it maps with some of my workflow process, and that is: we have intentional exposure. These are things that you meant to be public, lots of things that you're mostly familiar with because you're technical folk. Again, no criticism of the IT manager that I spoke to today, but I don't think it was a highly technical role; it was more a managerial role, and so there are things that fall into this category that he was, I think, unfortunately unaware of, but we'll explore some of these things. Things like DNS. DNS is important; you make it public on purpose so people can find your website, MX records so people can get email to you, so you can receive email. It's important that those things are public. Social media, job postings, etc. Again, I'm not going deep dive, but this is just, categorically, things that we mean to expose.

I guess I lied; I sort of bifurcated the second into unintentional and/or unauthorized, and there's once again a fine line there. This is sort of a gray area, and this is sort of the second part of our foray into OSINT for IR as we progress through this conversation. These are things that may have been intentional at one point, and/or they were published intentionally by someone who didn't understand what they were doing. Some of my favorite OSINT resources are labeled "test," "dev." There are things that people stood up: "I'm just going to test this real quick." Like, excuse me, what? All the time. So again, not really important, but this does extend beyond the things that we would know and expect to be public, like standard DNS A records mapping to a website name, MX records, etc. So we'll talk a little bit about this. This gets more nuanced all the time, especially depending on the business. I'll stop there, because I said I wasn't going to go deep dive. I have to control myself; I have to be a good example for you all.

So, OSINT for IR: when, where and why this is important. Now, my situation is probably a little different than yours. Any IR consultants in the room? Why are you even here? It's a little different for you, honestly. In some ways it's easier for you, because your due diligence can be repetitive; my due diligence is crisis driven. It's crud: I've got to step out of session number three to go do some OSINT for IR. But there's a lot of overlap and a lot of parallels, I hope, for you, and really this is what I'm after. Situational awareness, number one. When I go on a scoping call, and/or if you're responsible for an environment, this is stuff that you should know. You should know if you have an authentication portal published on the internet to access your most business-critical resource. Yes, I am being critical of the IT manager; there's no way around it. Perimeter check: this is the OSINT for IR. What does the internet know right now? What does it know right now? What does it know right now? You have to define that cadence; that's up to you. For me, again, usually it's point-in-time at the outset. For you it may be weekly, it may be monthly; again, it depends on who you are, it depends on your business model. The third is the neighborhood watch. The internet is a big place, and at some point it behooves you to not just do a perimeter check but to look around at your broader surroundings, to take a survey of the larger landscape, and we'll see some dividends from that a little bit later on. My presupposition for this entire conversation is: if the internet knows, the threat actors know, and I need to know. That is my due diligence as a responsible consultant, and I think if you're in an information security role for your company you should feel similarly. Somebody in your environment should be paying attention to this stuff. You with me? Y'all look so serious. All right.

So what follows is my pre-scoping-call three-minute OSINT for IR. Three minutes is a long time, truthfully; I can get a lot done in very little time, and I'm just setting the stage. This is situational awareness for me. I don't have permission to interact with the customer environment, I'm not getting paid, I just want to know who I'm talking to, and, to be blunt, I look smart when I get on the call. I'm like, "So I see you're using M365 for email." He's a wizard. "I see you have online access to your financial software." I blew it anyway; I'll be critical of me in that particular instance. So, three-minute drill, and literally I often only have a couple three minutes. Sometimes I'm doing this while the customer's talking; they're telling me a story, and I'm like, "Yes," nslookup, "hold on, yes, go, I'm listening." Corporate website: I use this cool thing called a browser. Fortunately, in our modern day and age, most of my scoping calls come in via email, often an email alert, and/or at least at the outset I have an email address. Think of all the cool things you learn from an email address: top-level domain, possibly username format. Those are places for me to start. Again, who am I talking to, who am I about to talk to? DNS is a gold mine; we'll see that in just a minute. And then I'll probably spend a little bit of time on evil search engines, which I'll show you momentarily. Situational awareness, a bit of a perimeter check. I probably don't have time to get into neighborhood watch, particularly at the outset or prior to a scoping call, but I may try.

Corporate website is obvious, but it gives me a flavor: who is it, what kind of business, how big a business, might they be targeted, might they actually be targeted by APTs? All sorts of fascinating things. I don't really do much; I just click around. Who is it? Do they have any money? Can they afford our services? No, I don't think that way. DNS, as mentioned; we'll take a look at some of this. Mail exchanger: business email compromise is the new ransomware. I made that up; you're welcome. I swear, I'm so tired of doing business email compromise cases. It's just exhausting, over and over and over, and 98% of the universe uses M365, and literally I want to know that before I get on the call. Who's your mail provider? Google? Somebody else? Heaven forbid, on-prem Exchange? I definitely want to know that, and it's all available to me super quick and easy, as we'll see. With DNS I can learn all sorts of other things: who uses cloud service providers, who has cloud infrastructure, AWS, Azure, GCP? Everybody, right? I can answer that without ever talking to you, often; at least get a feel, get a flavor. ISP, internet ranges, etc. Evil search engine, which we'll talk about in a minute: like I said, I don't often have time for this, but I can do a quick search and just look for glaring things, seriously, like if the latest and greatest zero-day came out yesterday, Exchange version whatever, or a new Log4j, or a Palo Alto, or, you know, heaven forbid. It might give me some real quick insight before I jump on a call. So let's step through those momentarily.

Corporate website: you're on your own. You have a browser; you can figure that one out. I believe in you. DNS: lots of different ways to do this. I'm old, so I like nslookup; it makes me feel cool to use a command line. You don't have to do that. The other thing that's cool about nslookup is it is fairly ubiquitous; it's on all operating systems for the most part, and the command syntax is the same, which also makes me look good and feel smart about myself. I can transition from Linux to Windows to WSL to Mac, whatever, and use the same syntax, and it makes me happy inside. If you're not happy with that, totally fine. I also really like DNSdumpster. This is not an exhaustive list; these are the ones I like. If you have another tool, use that one, as per the bottom of the slide, which you may or may not be able to see. Remember, I'm usually starting this conversation with a couple pieces of information: top-level domain name, potential username format. I'm going to use that to feed into these tools.

nslookup: super simple, super easy. Pull up a command prompt, type in nslookup, mash the Enter key, you're now at an interactive prompt, and if you want, this is usually where I start: I want MX records. I want to know who your mail provider is. I don't care who hosts your website. Who hosts their own website anymore? Don't raise your hand. Seriously, this is the attack vector of choice, so I want to know this. So set type=MX, mash the Enter key, type in the top-level domain name, mash the Enter key, and nine times out of ten I will see some derivative of protection.outlook.com: they're on M365, done. Occasionally it's pphosted; if you see pphosted, that's probably also M365. And then you might see other things, but almost always it's that. And point in fact, does this work? Speaking of point: this is an important URL that you should be aware of. This should be part of your internal situational awareness, and if you don't know what I'm talking about, talk to me later and let's look it up now.
If you don't want to do that, you don't have to do that. DNSdumpster is also your friend. That same information, the MX record information, is on dnsdumpster.com. I've pulled a snippet because I'm picking on automobile manufacturers today; this is Dodge and Ford. Visit dnsdumpster.com, type in a TLD, top-level domain name, dodge.com, ford.com, whatever, mash the Enter key, and that quick, I now know that Dodge uses Salesforce, has resources in AWS, has some GCP, uses M365 for their mail. I know something about their geographical locations. That's Ford over there, but same thing; I just used snippets from each. I know about their IP address ranges, I know who their internet service providers are, often I know their ASN. I've just learned a tremendous (talking is very difficult) a tremendous amount about their internet footprint within 20 seconds, maybe. Hugely advantageous, a ton of information, which we'll build on shortly.

Evil search engines: it used to be that you could choose from anyone you wanted as long as it was Shodan, and now we have lots of choices. There's lots and lots and lots of choice. I don't care which one you use, although I would strongly suggest that you have more than one. It is always surprising to me, I don't know why, slow learner I guess, the difference in results I get between pivoting from multiple of these providers, so I think you ought to have at least a couple three. Be careful of these: you can find not-safe-for-work things on these sites, you can get misinformation on these sites. I start to say "trust but verify," but I guess I would say "don't trust, and verify." So take it with a grain of salt. It's just a quick snapshot, some initial foray into our three-minute drill. We'll circle back and talk a little bit more about this, but choose one, choose two, and then again you just visit these. In many instances you'll need to register; in some instances you need to pay.

But armed with the information that we just gathered from DNSdumpster, we're poised to move to Shodan, LeakIX, Censys, or some other flavor of your own choosing, and drop in, again in this case I'll just drop in a top-level domain, toyota.com, and instantly I get a pretty interesting picture of Toyota's internet footprint, what's publicly accessible. That's what we're after, right? Situational awareness, perimeter check, neighborhood watch. Now I've drilled in just a little bit here for some facet analysis, because a bunch of IP addresses are not super exciting to me. I can see IP addresses associated with region. Remember we looked at DNSdumpster: Dodge did not look to have anything in Africa. If I pivot to Shodan and I see a bunch of Africa IP addresses, I go, huh. Ironically, they have a bunch of stuff in the Netherlands, which should be a suspicious indicator; maybe I'll call them. The next thing is ports, and if this doesn't mean anything to you, don't worry about it, you don't need to fret over it. But if it does, if you're familiar with TCP ports, you immediately look at a couple things on there and go, oops, that doesn't look good. Once again, in all seriousness, I've invested a couple minutes' time in examining Toyota, for example. I know who their mail provider is, I know who their cloud infrastructure providers are, I know their geographical regions, and I know that they have systems with RDP, Remote Desktop Protocol, accessible to the internet. Looks like maybe they host their own email servers. Again, just a couple really quick things. I'll probably stop there, okay, because again I don't have permission to enumerate. This is publicly accessible; I didn't touch anything.

I like Shodan, but Shodan is proud of themselves now. It used to be you could get very inexpensive subscriptions; every so often their annual sale, Black Friday kind of thing. Now it's like 50 bucks a month, which is kind of steep. I paid for it when it was cheap. Oh, it's $69 a month. Ouch, that's a lot of money if you do this all the time, if you do it for a living. They have other features and services; it's pretty powerful, but that's expensive. LeakIX, for example: you can pay for LeakIX, I think the base is $26, $27 a month, but if you register with LeakIX you get pretty full-featured access. I do not pay for this, and this is newish, so I'm a little more skeptical of this as a platform, but still, I do the same things and often I get pretty similar results with some slight nuance and variation. It does me good, honestly, to do both real quick, just compare, contrast; might see something interesting. Here we're specifically calling out toyota.com plus port 3389, because I want to replicate what I just saw on Shodan. For those of you who are unfamiliar, that is a potential way to remotely access a Windows system, which should generally not be accessible over the interwebs. Not a good sign.

And I'm done: three minutes. Three minutes is generous. I have all those bookmarked, as you might imagine, and it takes me a couple three; I probably can do it in a minute and a half if you want to hurry. It's hard to stop. I do that intentionally; I'm like, stop, stop, because I'm, oh, 3389, I gotta go check that out. Control yourself.

And now I transition to: what do I now know about you? And then for me at least, whether it's your business or whether it's a customer engagement, now you feel informed. I know a lot more than I did a couple minutes ago, and I would have been instantly in a better position to help the customer in my introductory statements. That's it: I'm prepared for that conversation. You're prepared, potentially, for a conversation. This is the kind of thing you probably want to pay attention to if you're responsible for an environment. Pay attention, and then diff it on a regular basis. If you didn't see 3389 yesterday and you do today, call somebody. Call the security team, whoever's responsible for the fire, whatever that is. That is super powerful in terms of regular maintenance, regular observation, and then: what changed? Which is a beautiful segue into my next slide.

That is often one of the most important questions in incident response: what changed? Something changed. Almost invariably, when something really bad happens in your environment, it's because something changed: misconfiguration, zero-day, etc. If you had weak passwords and 3389 open to the internet for the last three months, you'd have called me sooner. That's the way it works. So something happened, probably recently, that led us to this point in time, in this conversation. So this is where I begin to move into the next portion of the conversation. Once I get permission, and once I'm going to get reimbursed for some of my time and energy, I will likely go into some additional attack surface management. It's all the things that we just did; it's all poised. Write this stuff down. Everything I just did in your three-minute exercise, write it down, screen-cap it. You will never be sad that you took a screenshot of what you saw on Shodan. You never look at it again? Bummer, who cares, whatever. You have to come back later? I've done this before; I've learned the hard way. 3389 was open yesterday. I literally had a demo from a company named Armstrong-something that I was going to show you today, and I went yesterday to double-check it and it's gone now. Dang it, I didn't screenshot it. I was going to do it live, like, you're going to be so impressed with me. I'm glad I checked, because you'd have been like, what? Nothing there. So screenshot it, date and time stamp it, and you'll be glad that you did. And then you're poised for this next step, should you need to go further, should you need to go deeper. Remember that on our previous foray I'm already armed with this information. I have your IP ranges; I paid attention to DNSdumpster, and you use contiguous IP space of 72.13.69.1 through 40, super useful information. I know about your domains, I know about your dev, test, VPN, remote, all those cool things you publish on the internet, and then we're going to go to the next step.
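The "diff it on a regular basis" and "date and time stamp it" advice above, as an added example (not the speaker's tooling): two constructed search-engine snapshots are compared, newly seen exposures are triaged against the known IP ranges and regions from the DNS step, and the current view is written out with a timestamp. The ranges, regions and addresses are assumptions for a made-up company, using RFC 5737 documentation addresses.

```python
"""Perimeter diff: what changed since the last snapshot?

Added example, not the speaker's tooling. Snapshots are constructed here in
the rough shape of search-engine host results (ip, port, region); nothing is
queried. The known IP range and region are assumptions for the made-up company,
using RFC 5737 documentation addresses.
"""
import ipaddress
import json
from datetime import datetime, timezone

# Ports whose sudden appearance on the perimeter should trigger a phone call.
HIGH_RISK_PORTS = {21: "FTP", 22: "SSH", 23: "Telnet", 445: "SMB", 3389: "RDP"}

# What the earlier DNS work told us is "ours" (assumed for the example).
KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
KNOWN_REGIONS = {"US-West"}

# Constructed snapshots: yesterday's and today's search-engine view.
YESTERDAY = [
    {"ip": "203.0.113.10", "port": 443, "region": "US-West"},
    {"ip": "203.0.113.10", "port": 80, "region": "US-West"},
    {"ip": "203.0.113.25", "port": 25, "region": "US-West"},
]
TODAY = [
    {"ip": "203.0.113.10", "port": 443, "region": "US-West"},
    {"ip": "203.0.113.25", "port": 25, "region": "US-West"},
    {"ip": "203.0.113.40", "port": 3389, "region": "US-West"},  # new RDP on our range
    {"ip": "198.51.100.7", "port": 3389, "region": "NL"},       # new RDP, not our range
]


def exposures(snapshot):
    """Set of (ip, port) pairs in a snapshot."""
    return {(r["ip"], r["port"]) for r in snapshot}


def diff_snapshots(old, new):
    """Pairs that appeared and pairs that disappeared between two snapshots."""
    before, after = exposures(old), exposures(new)
    return {"added": sorted(after - before), "removed": sorted(before - after)}


def in_known_ranges(ip):
    """True when the address falls inside a range we already attribute to the company."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_RANGES)


def triage(old, new):
    """Annotate each newly seen exposure with why it deserves a call."""
    regions = {(r["ip"], r["port"]): r["region"] for r in new}
    findings = []
    for ip, port in diff_snapshots(old, new)["added"]:
        notes = []
        if port in HIGH_RISK_PORTS:
            notes.append(f"new {HIGH_RISK_PORTS[port]} exposure")
        if not in_known_ranges(ip):
            notes.append("outside known IP ranges")
        if regions[(ip, port)] not in KNOWN_REGIONS:
            notes.append(f"unexpected region {regions[(ip, port)]}")
        if notes:
            findings.append((ip, port, "; ".join(notes)))
    return findings


def snapshot_document(snapshot, domain, taken_at=None):
    """Date-and-time-stamped record of what was seen, ready to write to disk."""
    when = taken_at or datetime.now(timezone.utc).isoformat()
    return {"domain": domain, "taken_at": when,
            "hosts": sorted(snapshot, key=lambda r: (r["ip"], r["port"]))}


def save_snapshot(snapshot, domain, path):
    """Persist today's view so tomorrow's diff has something to compare against."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(snapshot_document(snapshot, domain), fh, indent=2)


if __name__ == "__main__":
    for ip, port, why in triage(YESTERDAY, TODAY):
        print(f"{ip}:{port}  {why}")
    save_snapshot(TODAY, "example.com", "example.com-perimeter.json")
```

The host in the Netherlands on a range the company does not own is the kind of result the talk says to treat as a suspicious indicator rather than an answer: it is flagged for verification, not assumed to be theirs.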
I got a call from a customer just a few months ago, and they were extremely concerned because they were experiencing what they believed to be an internal denial of service attack on their corporate LAN. Somebody was beating the crap out of Active Directory, failed password attempts and guessing passwords and locking out accounts, and they're freaking out, because this is bad, right? There's somebody in their corporate environment trying to guess passwords, locking out the CEO account, etc. They're panicking. They call us and say, "We need help." This is a large enterprise. Once again I'm thinking, they can't figure it out; they can't determine the host name associated with the authentication requests, but don't worry, I'll do it. So I'm like, "Okay, all right, we can do this. It's going to be expensive. Can I start with just a couple hours of attack surface management? Just give me a couple hours. Can I have authorization to enumerate your environment? Can I have authorization to do some OSINT? Let me get back to you within, I don't know, an hour or so." Through the attack surface management process I took everything I learned in my three-minute drill and I pivoted to a couple additional things, specifically IP address ranges and then keyword searches, and we'll see an example of this in just a minute. Keyword searches led me to find a machine on the internet with no other specific relation to their environment, but it was tied to their internal domain, so it was mycompany.local instead of mycompany.com, showing port 3389. And a very, very nice accounting lady had been given permission to work from home. She took her laptop home; she didn't know about this Wi-Fi thing, so she plugged a network cable from her laptop into her cable modem. No firewall at all. She's like, "What? That's a firewall." No, it isn't. So her Windows system, split VPN, split-tunnel VPN, so every time she attached to the VPN, the internet's like, aha, 3389, 445, all the ports that you would expect open on Windows. The internet is beating the tar out of that thing trying to log in, and when she's attached to the VPN, all of that is sent over the VPN tunnel to the Active Directory domain controller. And quite literally, there's no genius involved in that. I'm not like, oh man, I'm so dang smart. But I went from solving their case in an hour to potentially a 40, 60, 80-hour engagement in trying to enumerate the entirety of the internal environment to find patient zero. Due diligence.

So the next step in this process for me often is switching from domain to IP address ranges. That's the next step, and this is an example, just a singular example. This is a healthcare environment. I was going to do this for Armstrong, but apparently they found me out. This is a snippet: on the left is me feeding the top-level domain, company.com, to Shodan, and on the right I'm feeding it just "company," not the URL. Let's say, again, "mycompanyabc" versus mycompanyabc.com, and you can see the result difference. This is a real example for a real domain that I'm familiar with; it's a healthcare services provider. With the TLD I get three results; looks pretty clean, looks pretty clear. Pivot to keyword search, effectively, which is just the name of their business, and the world is opened up. They have SSH, another potential remote access solution, accessible on some of their IP ranges. Not rocket surgery, as you might imagine; yes, I said that on purpose. This is the exact same process. I think I have it bigger. Oh my goodness, wow, blind myself. This is the exact same process again through Censys and/or LeakIX. They all have slightly different syntax; I'm sorry, it's not my fault. You'll get used to it. Copy and paste so that you remember how to put in an IP range. Usually it's a CIDR range, but again, you'll figure it out. We learned the IP addresses from DNSdumpster. I'm using private ranges here on purpose, obviously; you're not going to find, you shouldn't find, 10.10 on the internet, but you get the idea. This is, again, the next step in my process. That's easy; that's often quite illuminating, to be frank.

The next step in the process takes a little more time, effort, energy, takes a little creativity on your part, and this is actually fun. This part I really like, because the first part's just pretty straight up, pretty simple. Contacted by a financial services firm, not the same financial services firm that I spoke of earlier. A financial services firm calls and says, "We have seen a 400% increase in fraudulent home equity line of credit transactions in the last 90 days and we have no idea why." And this is a mature environment, not like my previous scenario. They are segmented, they have all the latest and greatest, they have dedicated security teams, they have separation of duties. They're doing it right, and honestly I'm talking to them like, wow, I'm impressed. And they've done everything they can do to figure it out. Internal threat? What is happening? Some crazy zero-day malware that somehow is bridging our internal air-gapped systems? And I'm like, to be frank, I want this case a lot; I'd almost do it for free, because it's fascinating. And it's going to be expensive; you notice a theme. But once again I say, you know, time out. Forgive me, can I have a couple hours? Give me a couple hours' authorization and let me do some attack surface enumeration and let me see what I can find. And this one took some time.

So in this scenario I'm using "Fictitious Financial Services Institution Bank." That's a fair approximation of the title of the actual company, and I'm just not very creative, so you get the idea, but it's like that. And frankly their TLD is something like ffs.org. It's kind of unique; it's a character string that you wouldn't encounter a lot. It's not like mycompany.com, for example. So for me, in the next phases, this is where I get to put on my thinking cap, if you will, and I am looking for the lowest level of granular uniqueness that I can come up with. I can't very well search for "bank"; I found something. I need something that is unique to the organization, but I need it to be vague enough that it doesn't just come up under their top-level domain name, and then I'm going to pull on all the previous strings and correlate with what I already know is legitimate, public, intentional. And this is, if there was a secret sauce, it's not very secret, but this is the secret sauce for the next portion, and this is where I've got to get creative. I have to start thinking, okay, if it was ffs.com or ffsibank.org or whatever, I need permutations. I need to start thinking about granular uniqueness, and I'm going to feed these phrases into the aforementioned search engines, Censys, Shodan, LeakIX, and see what I can see. This is fun. How do you spell "bank"? Who cares; is it close enough that someone would click on it? I didn't make that one up, by the way; I'm not that smart. That was actually a legitimate doppelganger domain that was used in the rest of this story.

So I pivot to LeakIX. In this example I'm putting in "ffsi"; that's really hard to say, I should have come with something easier to say in a presentation. In any case, remember all that I know about them based on my initial foray: I know who their mail provider is, I know their geographical regions. This particular financial services institution is on the West Coast of the United States, exclusively. Not Japan, not on DigitalOcean, not on a random mail server. Okay, remember, don't trust, but verify. Like, okay, could this be something? If you look at the minutiae down here you can see ffsibank.com, or bank-something; there's a little bit additional that I've obfuscated, obviously, and this is starting to look... That's a bizarre character string; I have yet to see it used outside of relationship to the bank. And to cut a long story short
as it turns out yes I visited that IP address okay I browse there that's what I do I browse to that IP address and it turns out it's a Cambodian gambling site I apologize for the quality of that image that is the actual image of the Cambodian gambling site which no longer exists so I go to ffs bank.com and I land on a Cambodian gambling site and i' I'm I'm smart this way I'm like I don't think that's right I don't think that's right so I dig a little deeper and on the right hand side you'll see I'm now enumerating the mail server which we looked at in the previous slide and this that blacked out entry this is the
actual entry so I've obfuscated that was ffsi bank. HTML file of course I clicked on that carefully and then I rendered a very very nice Recreation of the financial services login page and again moderately long story slightly shorter through this process enumerated three four five six of these sites spread all around the globe actively targeting this financial services organization stealing their users creds the user would log in they would fail log in be redirected to the actual authentication page for the bank the threat actors now have the credentials and they were able to log into the users banking portals and for whatever reason they were targeting home equity line to credit loans and trying to write and
create Financial uh transactions small plug for browserling decom if you've never used browserling you should check it out it's a virtualized web interface it's designed for uh web developers to test different browsers but I abuse it I use it for enumerating things that I'm scared of because it's completely isolated in their virtual infrastructure so I can browse someplace download malware I have no direct interaction between that browser session and my PC it's pretty cool it's worth the money you can try it for free and actually the free version works pretty good it's just time uh time limited but huge huge shout out to them because that's how I enumerated all these things safely without having to impact my be
scared to impact my environment and I got to hurry now told you I was going to cram a lot in here so I'm not done yet though in in this particular analysis I have some Clues and this is important the thread actors have ttps right what that means is they're lazy and they do it the same way over and over again so if you can discern any pattern of their behavior you should then take that pattern and cast a wider net now we're going to the neighborhood watch I see some things there this is Awesome by the way they cataloged all of the visits I know all the IP addresses that visited this site which I really appreciate so I was
actually able to take that provide it to the bank and say if you have a way to correlate which may be challenging here's everybody who went to the site and probably gave up their credentials I take that information and I dig a Little Deeper here I am on census search. census. and I feed it the same unique granular search phrase and I determin a pattern initially and that is they use let's encrypt anybody know about let's encrypt thank you so much they're free encryption certificates which changed the whole world of thread actors as we know it because now they encrypt everything because it's free that doesn't mean they're illegitimate but again I find some patterns I feed those patterns into
census and long story short once again you can see these are legitimate for this bank they use actually use GoDaddy and satigo and Google they don't use letun Crypt so I take that component in conjunction with key phraseology and find that's how I found the next three or four portals scattered all over the country based on the combination of key phraseology and the type of encryption certificate I'm almost
done the uh the upper left-hand one is an actual financial services company that I found by accident while making this presentation I I legitimately had to reach out to this company and say did you know that you have people have with forged login Pages for your bank I was building the slides obus skating them making them up and in the process of doing that found that these this entirely unrelated financial services company was being targeted by the same threat actors and the Australian government which is the right hand side of this slide um fortunately they already knew about that somebody else found about that a couple days before I did so I didn't have to call the
Australian [Music] government this is all this is important this is all based on that thread actor standard operating procedures they reuse the same tactics and it's incredibly valuable to extract that information and then use it for your ongoing investigation and Analysis I am not suggesting to you that this is the key to unlock every instant incident investigation that you will ever encounter I've worked somewhere around 50 60 significant incidents in the last couple couple three years and I've solved I think I've pretty close to solv four or five cases through this type of process that's not a bad track record considering I'm investing often less than a couple hours time that's why I revert back to the due diligence
component I would feel really bad if I had done a deep dive and spent 40 hours of that customer's time at a significant billable rate to go I couldn't really find anything without having done all of this so for me now it's just part of the process the three minute introduction I want to know who it I'm talking to and then if I move on beyond that into the nuan to tax surfice analysis pays dividends stuff you should know current state High return on investment for your due diligence process I think I'm done slides tinyurl.com oent for IR my contact information let's be friends uh I don't know if you know anything about Black Hills but one of our mantras
is reinvesting in the cyber security Community we constantly give away free training we constantly give away free resources that's what we do so if you have questions you want to talk more about this I am seriously interested in uh in talking with you send me an email uh I have a GitHub repo with some additional components check out the blog because I've actually written up the first two use cases in step-by-step detail
Okay, thanks Patterson, that was great. So you were talking about taking diffs of the results of those three-minute drills. How do you record the information so that you can take the diff, and what kind of time span does that diff exist over?

Do you make up these questions? Because if you do, you make up really good questions. So, fantastic question. First and foremost, like I mentioned, screenshots for the win. One thing I forgot to mention is that most of them, Shodan in particular, but almost all of them, will give you a date and time stamp of the most recent occurrence, so it will actually show you 3389 was open on that IP, last seen yesterday at 3:22 a.m. That's huge, hugely important. You will want to go back to that at some point, I promise you, especially after you explain it to the customer. So screenshots, number one, and then almost all of those portals will give you an export in CSV or XLS, an Excel spreadsheet. You probably have to register in order to do that, but usually registration is free, and so exporting that information is a great way to compare and contrast and/or save for your records. That's a great question, and I actually meant to mention that, so thank you.

Well done, we didn't even stage that. So if anybody else has any questions, come up to the front and ask him into the microphone; that way we can get it on the recording. Does anybody in asig have any questions? No? Okay, yes, Wesley. Wesley, thank you very much, come on up.

That was awesome, thank you. Ironically, I actually did a lot of the DNS stuff like you were talking about, and I don't know if this is something you've already done or not, but two sites I really liked were DNSTrails and viewdns.com. Auth provider: the additional, like, 90 seconds that I found from doing it is, I don't understand why the companies do it, but I've seen so many from the consultancy role, they just come in, it's like, "Oh yes, we're just going to write our own auth provider," and every single time it's just absolute hot garbage, and every single time that is their IOC.

Totally. Just more of a story. Totally, yeah. The moral of the story is don't roll your own auth or your own crypto, ever. You're welcome. Any more questions?

Yeah, wonderful presentation. I know the 3389 jumps out immediately. How often do you see port 22 being leveraged in attacks successfully?

Great question. So port 22 leveraged in attacks: for those of you who aren't aware, port 22 is the default for SSH, for secure shell access. For better or for worse, for most cloud providers, you spin up an instance and if it's a Linux/Unix box, for example, port 22 is going to be open to the internet by default, which is not great. So I don't see a lot of abuse, I don't see a lot of successful abuse; I see constant attempts at abuse. Most of the world has gotten to the point where they're no longer using just straight-up password auth for SSH, so at least they're using certificate auth, and if they're not, then they're hosed. I worked a case the week before last where they thought they had certificate auth enabled and it was password auth, and it took 24 hours or so for the internet to see it, beat the snot out of it, log into the account, assign secure passwords, which is fascinating, assign certificate auth; they secured the box for the people so nobody else could get in. But great question. That is a common problem and definitely something you want to be on the lookout for in your environment: port 22, port 3389, and for the love of all things holy, if you see port 445 publicly accessible, call infosec right now. Great question, thank you.

Any other questions? Okay, let's thank Patterson once again, that was fantastic.
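The two analysis steps the talk walks through, correlating hosts that carry the organization's "granular uniqueness" string against what is already known to be legitimate (domains, certificate issuers, hosting region), and then diffing repeated snapshots so newly exposed services stand out, as an added worked example. This is illustrative code written for this transcript, not the speaker's, Black Hills', or any search engine's own tooling. The records are constructed stand-ins for what a Shodan/Censys/LeakIX CSV export might contain; the "ffsi" token, the ffsibank hostnames, the issuer names, the country codes and the IP addresses (documentation ranges) are all assumed values chosen to mirror the fictitious bank in the talk.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Host:
    """One observation as a host/certificate search engine might export it (constructed)."""
    ip: str
    port: int
    hostname: str   # name on the TLS certificate or from forward DNS
    issuer: str     # certificate issuer organisation; empty when the service has no cert
    country: str    # geolocation of the IP as reported by the search engine
    last_seen: str  # timestamp the engine attaches to the observation


# Organisation profile: everything the analyst already knows is legitimate, public and
# intentional. All values are fictitious, in the spirit of the talk's "ffsi" bank.
ORG_TOKEN = "ffsi"
BASELINE = {
    "domains": {"ffsibank.org"},
    "issuers": {"GoDaddy", "Sectigo", "Google"},   # the bank's real CAs in the talk
    "countries": {"US"},                           # west-coast US hosting only
}


def lookalike_candidates(token: str,
                         words: tuple[str, ...] = ("bank", "banc", "bnk"),
                         tlds: tuple[str, ...] = ("com", "net", "org", "info")) -> list[str]:
    """Search phrases to feed a host/cert search engine: the unique token joined to
    plausible brand words, with and without a separator, across common TLDs."""
    seen = set()
    for word in words:
        for sep in ("", "-"):
            for tld in tlds:
                seen.add(f"{token}{sep}{word}.{tld}")
    return sorted(seen)


def registrable_domain(hostname: str) -> str:
    """Last two labels of a hostname (good enough for the TLDs used here)."""
    parts = hostname.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else hostname.lower()


def triage(records: Iterable[Host], token: str = ORG_TOKEN,
           baseline: dict = BASELINE) -> list[tuple[Host, list[str]]]:
    """Keep hosts that carry the organisation's unique token, then list every way each
    departs from the known-good baseline. Hosts that match on all axes are dropped;
    the rest go to an analyst for manual verification (e.g. in an isolated browser)."""
    findings = []
    for h in records:
        if token not in h.hostname.lower():
            continue
        reasons = []
        if registrable_domain(h.hostname) not in baseline["domains"]:
            reasons.append("domain not in the org's legitimate set")
        if h.issuer and h.issuer not in baseline["issuers"]:
            reasons.append(f"unexpected certificate issuer: {h.issuer}")
        if h.country not in baseline["countries"]:
            reasons.append(f"hosted outside the expected region: {h.country}")
        if reasons:
            findings.append((h, reasons))
    return findings


def new_exposures(previous: Iterable[Host], current: Iterable[Host]) -> set[tuple[str, int]]:
    """(ip, port) pairs present in the current snapshot but absent from the previous one;
    this is the diff the Q&A describes taking between saved exports."""
    before = {(h.ip, h.port) for h in previous}
    return {(h.ip, h.port) for h in current} - before


# Constructed snapshots two days apart (documentation IP ranges, fictitious names).
SNAPSHOT_DAY1 = [
    Host("203.0.113.10", 443, "www.ffsibank.org", "Sectigo", "US", "2024-05-01T03:22:00Z"),
    Host("203.0.113.11", 443, "mail.ffsibank.org", "GoDaddy", "US", "2024-05-01T03:22:00Z"),
]
SNAPSHOT_DAY2 = SNAPSHOT_DAY1 + [
    # SSH newly exposed on the bank's own mail host: not a lookalike, but a change to chase.
    Host("203.0.113.11", 22, "mail.ffsibank.org", "", "US", "2024-05-02T03:22:00Z"),
    # Doppelganger domains with a free CA, hosted far from the bank's region.
    Host("198.51.100.7", 443, "ffsibank.com", "Let's Encrypt", "KH", "2024-05-02T03:22:00Z"),
    Host("192.0.2.55", 443, "login.ffsi-bank.net", "Let's Encrypt", "DE", "2024-05-02T03:22:00Z"),
]

if __name__ == "__main__":
    print("search phrases:", ", ".join(lookalike_candidates(ORG_TOKEN)[:6]), "...")
    for host, reasons in triage(SNAPSHOT_DAY2):
        print(f"{host.hostname} ({host.ip}:{host.port}, last seen {host.last_seen}):")
        for r in reasons:
            print("   -", r)
    print("newly exposed since last snapshot:", sorted(new_exposures(SNAPSHOT_DAY1, SNAPSHOT_DAY2)))
```

The issuer check encodes the talk's pivot: a hit on the unique token is only interesting once it also breaks the baseline, and a certificate from a CA the organisation never uses is one such break. Keeping the `last_seen` field on every record, as the speaker recommends, means the diff can be explained to the customer with a timestamp rather than a memory.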