
Xavier Ashe is currently [inaudible] engineering at SunTrust. A Georgia Institute of Technology alumnus, he has 25 years of hands-on experience in information security, working for various security vendors [inaudible]. For the last 15 years [inaudible] IBM [inaudible]. Xavier's focus has been on helping security companies of all sizes. Xavier was the first [inaudible] of the startup Drawbridge Networks, [inaudible] bringing the first micro-segmentation solution for servers and workstations [inaudible]. Mr. Ashe holds many industry certifications, including [inaudible].

So yeah, it's the end of the day, and there have been a lot of very technical talks; you've probably learned a whole bunch. I'm just going to get up here and complain for the next 25 minutes, hopefully with a little bit of energy to keep you awake, so we get to [inaudible] free stuff, right?

So today I wanted to kind of go off about indicators of compromise. A lot of you guys have probably been introduced to this concept before, so we're going to go over a couple of aspects of it, and I hope people take away something. If not, yeah, you're just here for the free stuff after I'm done talking.

A little bit about me: I'm old, I've been around. I started hacking [inaudible]. Anybody here at the 2600 meetings in the late 80s, early 90s? They were still doing it, same place, the Lenox Mall food court. We were dragging in payphones to be ripped apart. It's pretty interesting; I love that it's still going on.

So, like I said, I've been working for a bunch of companies. I did consulting for a lot of my career, so I have lots of little really interesting experiences. A couple of years back I decided I was done telling people how to do security and I went back into doing security, started taking corporate roles, and so I'm back in that role, leading a group of really great engineers at a bank that soon will be the sixth largest in the nation. Pretty excited about that. And so there's my contact info.

All right, so what is an IOC? We'll start off with that, to make sure that we're all talking about the same thing. So they are things that indicate compromise, right?

[Applause]

So, whose fault is this? Why are we doing this? What's interesting is I did some research on this. Richard, who was a historian by education, did a look back to see when did we actually start using the term "indicators of compromise." He found a bunch of books that show that, yeah, the term indicators of compromise was used around the mid 90s or so, but the actual use of the term as, like, a thing was right around the same time from both Mandiant: the first Mandiant M-Trends report, published on January 25th, 2010, and then the next day, January 26th, Matt Frazier publishes "Combat the APT by sharing indicators of compromise" on the Mandiant blog, forever changing our world and making IOCs a thing.

Now take a good look at what an indicator is there. That's probably not what you guys think of as an indicator; that's a lot more advanced. With indicators we've lost a little bit along the way. So in 2010 that's what an indicator was, and so now, because of their lovely APT reports, we all must collect all the IOCs.

All right, so: IOC bonanza. Let's think about all the different things IOCs can be. Most of us are used to thinking about IP addresses, hashes, URLs, filenames, but there are a couple of other interesting ones. We'll get into some of these and dive into how crappy each of them are. We've got registry keys and values. Email subject lines; I love that one because, you know, that one's very consistent. But some good ones in there: there are the TLS certificate serial numbers, and we've got [inaudible] names. One that's interesting: Bitcoin addresses, in a lot of reports. MAC addresses. And geolocation. So, a lot of different things, and a lot of opportunity for misuse.

Now, on the geolocation thing; we actually use a lot of geolocation stuff. Any geography nerds out there? All right, so the center of the nation is in northern Kansas, near the Nebraska border. Its center spot is 39 degrees 50 minutes North, 98 degrees 35 minutes West, which comes out on a digital map to 39.83323 and negative 98.585522. So back in 2002, when that little company called MaxMind, which everybody knows now, was first using their digital points to say what is the center of the US, they said "close enough, we're going to use 38.0 and negative 97.0" as the default location. Well, this default location ended up in the front yard of this poor family's Kansas home. This was James and Teresa Arnold. "The plaintiffs were repeatedly awakened from their sleep and disturbed from their daily activities by local, state and federal officials who were looking for a missing person, evidence of computer fraud, or responding to a call for an attempted suicide." This is from the complaint that they filed; they actually sued MaxMind. I thought it was a very interesting story about how much we depend on geolocation information. So if you have an APT coming from central Kansas, you probably look at that and, again, that's the default location. But there are lots of interesting stories about how we've gotten the geolocations wrong. We have interesting cases where geolocations are different from different systems, and for systems in North Korea this one says Canada.

All right, so how can I get some of these IOCs? First, you steal them from the internet, right? So there are lots of free IOCs out there. You generally get what you pay for, but there are some really good places to start looking for all of these. ThreatConnect; I'll talk a little bit about that later. We've got threatconnect.com/free; now you have to create a ThreatConnect account to get to those. There are a couple of things on GitHub that I found. But lots of good places to get lots of IOCs, because that's what you need, right? There are lots and lots of IOCs, and especially when your boss wants to get some of these IOCs: "Why aren't you checking the IOCs? We need some IOCs." You can get some free ones.

All right, so then next: you can pay for them. This is the lovely one. So these are the companies that say "we are going to sell security threat intelligence." I used to work for IBM, I was part of the security group, and we had QRadar. QRadar was not threat intelligence. So then I said, well, there are all these other companies selling threat intelligence, and these threat intelligence companies are actually selling IOCs with some reports. So it was very confusing for the marketing folks over at IBM to say "no, we really meant something else." But I think most enterprises, unless you're poor, are going to have some level of this paid for, and they do provide IOC feeds, and they also provide reports and a lot of context around them. So please don't take these fairly expensive services and say "yeah, I'm just pulling all the IP addresses off of our Recorded Future feed, or Anomali, or whatever you've got." Be sure you understand the context and understand how to put this data together as we go forward.

Next: you already pay for it. So this is where I had a thing called Cisco Talos. You might know what Cisco Talos is: good data, good threat intelligence company, does lots of good stuff. Do you know how you get Talos threat intelligence? Cisco doesn't sell Talos threat feeds. Can you go buy them? Anybody? No. You get them when you buy Cisco equipment, right? So if you buy the Cisco WSA, their security equipment, you get all that valuable stuff. And so for some of these you might actually be able to get threat intelligence or IOC feeds from some of the existing equipment you have. Some of the other ones don't exactly restrict it but let you get an additional feed if you actually have a product: X-Force Exchange from IBM, CrowdStrike, [inaudible]. Either way, if you go and ask "do we have any threat intelligence?" and your sourcing team says "no, we don't pay for that," go look at the security tools you have; they're probably going to have their own level of threat feeds.

Now the most valuable one up there is the ones that you make yourself. So I wanted to get a good idea of who we've got in here. How many people are blue teamers that are going to use IOCs to catch bad guys? All right. So how many of you are incident responders, forensics folks that break things apart?

So, when you make them up: [inaudible] you need to generate your own IOCs, and this is from all of your current technologies that protect you. You know, all that noise from the front-end IDSes and firewalls, all of those virus detection alerts that you probably ignore: those are indicators of compromise, and they're very valuable because those are the ones that are threatening you. We'll get to how to prioritize these later on, but if you're already being attacked by them, that's pretty much high priority. So again, if you don't currently have an IOC program where you are taking in the other feeds and your SIEM is generating IOCs, this needs to be a priority for you.

So, curating and collecting. I'll talk about a couple of these; I'm not going to spend too much time on each of these, but these are great places to start the collection and curation and to deal with all of your IOCs. MISP; anybody use MISP? Malware Information Sharing Platform. Yeah, this is a good open source tool. Another good one: CRITs. I was just being told earlier this morning about how awesome CRITs is and that it's so much better than MISP, so totally use CRITs. A couple of others that aren't up there that I've used: AlienVault OTX always has some good stuff out there, and has a pretty good community. I don't know what happened; at some point, I guess last year, AT&T bought them, so I'm definitely not sure whether AT&T makes it better or not, but more information. ThreatConnect: I would point to these guys because at some point at DEF CON, when I was at that perfect inebriation where I come up with really good ideas, I completely thought of something like ThreatConnect, like eight years ago: we're going to keep this thing in the cloud, you put together your IOCs, make it awesome. And then when ThreatConnect came out I was like "hey, I already thought of that." But yeah, ThreatConnect is a pretty good service; it offers a service for doing this type of collection and curation of information.

Also, I throw out these other terms here in case you're confronted with them. OpenIOC is what Mandiant uses, and a couple of others still do, but generally things have moved to more common formats: TAXII and STIX. Everybody's wrestling around with some of these open source tools trying to get those STIX feeds, but this is basically the common language for sharing these IOCs and the types of information they're built from. Then there's MAEC; I think it's "Mike" or "make," I always forget how to pronounce that: the Malware Attribute Enumeration and Characterization. Probably not many people use it, so if somebody asked me I'd throw that in, because that was so much better than STIX, which, since I've wrestled with STIX so many times, I can definitely attest to. And then CybOX, which is now part of STIX; I'm throwing it up there also for those of us that used to use it back in the day.

All right, so we start generating our own IOCs, or we're collecting them, or stealing them, whatever we're doing with them. So let's talk about the IOC lifecycle. Obviously what I saw was that these IOCs do not live forever. We need to throw them out. We need to be able to say "sorry, that domain is no good anymore, that IP address is no good anymore." So when you create this program, make sure that you're not just feeding databases that keep getting bigger and bigger and bigger, but that you put a lifetime on each of your IOCs. Make sure this is part of your program.

All right, so how to do threat hunting with IOCs. Step one: this is not hunting, okay? So this is a pull quote from the also good Richard, from his "The Practice of Network Security Monitoring," from our lovely guys over at No Starch Press, 2013. I have probably ranted about this over the years, and I've done a lot of SIEM work as a consultant, but I wanted this to come up. He describes "IOC-centric analysis, or matching" versus "IOC-free analysis, or hunting." This was 2013, very early on in this whole life of the IOCs, but he really says that if you're doing IOC-centric matching, do not call yourself a threat hunter. Now, threat hunting can't start with IOCs. I'm not going to get into how to do hunting; that's another rant. But just make sure that you're completely articulate about what you're doing, and that it is not just using IOCs.

All right, so if you're gonna do this matching: do you have the data to begin with? Now, you know, the previous slide had all this great stuff that maybe you're paying for, like the [inaudible] and other things that you can normally get if you're really doing forensic analysis. But if you're a blue team, and that's why I put SOC up here, if you're part of the blue team that has to defend and do this kind of IOC matching on an ongoing basis, then you probably have things like IPs, URLs, domains; this is all coming in from the feeds of your existing platforms. But do you have something out there that's actually able to scan and produce registry keys and values? There are a couple of tools out there that can do on-demand question and answer; they can do some scanning. Think of your tools and say "okay, if you're going to get these as IOCs, make sure that you can match them up on a real-time basis," if that is required. Now, if you can't, then you're pushing this off to your forensics team, who, once they get the event or whatever, can then do the matching. But don't expect to be able to do that registry matching if you're not producing them on an ongoing basis.

TLS cert serials is another one. I really think that this is a very important one, not only because I worked for Mandiant for a while and we made a big deal about this, but there are a lot of these cases where being able to know those digital signatures is really useful. That helps us definitively determine; you don't necessarily have to do hash lookups to be able to determine good or bad. When you're doing a big analysis, you know, the forensics team stuff, they basically [inaudible], make sure they get whitelisted, and all the good ones the other way, and you can easily do this with cert serials. But finding those stolen cert serials in your environment is really a high-fidelity indicator. If you're not looking for them, it's only the forensics guys that are going to find them, and only after you've already been hit. So look at your tools to figure out how you can start pulling those in. Others, like EDR tools, sometimes do it if you've configured it, if you actually turned it on. So make sure.

Bitcoin wallet addresses. So, anybody in here that actually has a security tool that automatically pulls those out for you? Anybody? Yeah, all right, one. All right, so this is something I've configured in Bro and I've configured in other proxies, you know, looking for coin traffic. Not just because I'm afraid of miners landing in my system, which is what I tell my boss is the big scare, but there are people doing Bitcoin transactions, and it would be interesting to be able to see that. If you can capture that in some of your network analysis or your web browser analysis, that's again a high-fidelity IOC right there.

All right, MAC addresses. That's one of those good ones, because nobody really cares about MAC addresses until this last wave of supply chain attacks with ASUS, right? Did you get the list of MAC addresses? Let me go and check here; I think I have them, [inaudible] six months ago.

Hashes. [inaudible] So there are certain types of software; I used to work for one that did a complete state table of your environment, knew exactly where every executable file was, and created a big old database. It's really hard to run, but it really was very useful in knowing exactly what every single hash is. Now to do that, once you install an agent it's got to scan the entire drive, it's got to send that data back to a central database, you've got to keep up with all that; that's a heavy lift for a lot of companies. And so a lot of EDR products really don't get that hash until it executes, or it's written, or some other type of trigger, so they don't have to do a full scan. So when you think that you have a database of your file hashes in your environment, really think about it: how did I get those file hashes? When was that hash executed? So that I can know that I have a complete answer.

All right, so this [inaudible]. I was able to find a graphic for all the forensics guys that are using this, because it's a little bit of a dig at my forensics guys; they're gonna go to town, because once you have the image there, it's pretty much, you know, that's what a lot of forensics processes do: you're scanning those images, making sure that you can extract strings, mutexes and all sorts of really good juicy information. So when you're looking into lists of IOCs, figuring out how to use them, understand that some of them are for the blue team and for ongoing monitoring, and some of them are better for your forensics, and then your forensics team is going to help you feed these IOCs back into your system. Get this set up so that you're actually creating your own IOCs.

All right, so let's dive into a couple of things in more detail. So, IP addresses. The best way, the easiest way of getting started with IOCs is to take your proxy logs, your firewall logs, and get a list of bad IP addresses. Is the Zeus list still a thing? Right, so we still have Zeus infections out there, and there's a specific open-source IOC list for Zeus, and I match it up. So if I got a connection out to the Zeus IP address, that means that guy's infected, right? So I'm going to automate that and automatically re-image that guy's laptop; it sends a ticket [inaudible]. The problem is that IP address IOCs have an extremely low fidelity, so much so that I say don't use them in this manner. All right, so I went in: this is just crap, all right? IP IOCs are more like security intelligence, right? This is more context. If your SIEM or your monitoring has a way of coloring, of adding context to the traffic coming in, I would have the tag saying that this IP address has been known to do such and such, okay? Then you can start doing some of the threat hunting, but do not do any type of automatic ticket creation or metrics or anything based on this, because you're gonna look like you're completely owned. Now, if you're trying to get security funding and that's what you want to do, then that's correct, doctor. But unless you're just trying to fudge the numbers, absolutely avoid IP addresses.

So, domain names. This is another one that comes up in the investigation, but I think there's pretty good information about how to do domain name IOCs. One thing: I work for a company that, like a lot of companies, loves to block these top-level domains. Dot-whatever is bad, right? We had a couple of attacks with dot-[inaudible], so let's just block dot-[inaudible], right? So I think [inaudible] information. Now this one, this is the data, fairly recent, from the Anti-Phishing Working Group. They showed us that for the last quarter of last year, over half of the stuff that we're getting from phishing attacks is .com, and then what's called the traditional TLDs, the ones from before 2002, before they started creating all these new weird ones. And the other gray slice there is country-level: UK and there are some things. So the vast majority of even the phishing attacks are still using standard top-level domains, so there's not necessarily good fidelity there. So push back on that; just blocking top-level domains, there's really no reason to do that.

But new domains are evil. I tried to find some good data on this; the Anti-Phishing Working Group stopped collecting this information in 2016. I'd seen something recently but couldn't find it for this presentation, and this situation has only gotten a little bit worse, but you can see from this data that the highest bar there says that most of these domains are between three days and one week old. I've seen data that shows that now we're up to something like 72 hours as the average lifetime for a phishing domain. They pop them up, they send the emails out, and, you know, our SOC is pretty good about phishing takedown; go to RiskIQ or whatever you're going to use, they take down those domains. But the thing is that that's not a good use of IOCs, because by the time you've got the process of getting all these domains up to this threat intel company that's going to feed you all these domains, they're going to be gone within a couple of days. So domains in general are low fidelity, but if you have a process for looking at the age of that domain in real time as you're doing your proxying and your blocking, this could be a way of easily solving some of the phishing attack problems.

All right, so: wow, hashes. So this is a bad guy; he's been used in lots of attacks: [hash on slide]. So you should definitely block it, okay? Just block it. I actually went to a company that had this set to be blocked; well, it wasn't blocked, but it was locked down. It looked like a group policy object that says only the administrators can run it. Even like the WinZip installer uses that; everything uses that, you see. But the point is that there is a limitation on using blocks, especially if you're going to start generating them around. So don't get overzealous and start blocking a lot of this, because you'll end up blocking something very important. Now one way that we get fixes is if you're checking for the certificate, right? I'm looking at this, it's signed by Microsoft.

All right, stop using MD5. Every company, every tool I've got, will use MD5. Everybody still can process MD5, the SIEMs and my security controls and everything like that, they can use it. But if we stop using it, they will stop supporting it. So let's all just ensure that we are at least using SHA-256, and then obviously use a fuzzy hash, particularly when you have actual malware that is polymorphic, maybe it looks a little bit different. There's also some good research on fuzzy hashes for all the Word and macro viruses that we're having to deal with, so definitely look into that.

So again, [inaudible]. You have probably done this process, but it is that you take your gold image, whatever, scan it and put all those known good hashes into your database. So when you're creating your own IOC program, and you're creating all these IOCs from all the virus detection and EDR, don't forget that while you're feeding in all these known bad, you need to understand what your known good is as well. Lots of software out there that you've probably developed on your own: get a process in, and start scanning those hashes as they're pushed up to your environment via SCCM or whatever automation, and make sure you know what you're going to do with this.

So all of this, you know, like I was describing to a non-technical person [inaudible] about what is next-gen AV. All right, well, it looks at the behavior of their stuff, and signatures; a signature, like, you mean the hash or the signature? And so make sure that you understand that if you set up your EDR tool and pretty much the only feature you're using on it is to scan your files and then check them against VirusTotal or something like that, you're doing something slightly worse than old AV. So this is not going to bring you much value. And so, not to say that it's not part of a complete breakfast, but it is something that you don't want to do only.

So while I gave IP addresses the crap, I'm thinking: all right, so I was looking through this, living through this situation a couple of years back, where we were going from the kind of static, signature-based detection into the EDR world of doing these behavior-based detections. And so as we're looking at IOCs, I also like to describe behaviors of compromise, because IOCs in today's world generally mean this atomic indicator. When somebody says "give me the IOCs," they expect a list of things like hashes and IP addresses and domains. But when you hit someone from my archives, my friends discussing this: what we need is behaviors of compromise, because this is what's going to help us detect the next attack. All right, and these are just examples; I won't read through them, but you can see the idea here, and this is a lot of what the EDR products are trying to figure out: how do we get this behavioral analysis down and find out what is bad. You know, old school. And then the one that I used to use a lot to kind of explain it: one of the bad behaviors is executing out of the recycle bin. That shouldn't happen, right? And so those are the types of behaviors that we can look for, and those are the things that we need to start triggering on, as opposed to just atomic indicators.

Now this has evolved, and one vendor has come up with "indicators of attack" and started using this term, so we're going to go ahead and give that lip service because you'll hear it. I like that, because I've been talking about behaviors of compromise versus IOCs, but then they came up with a [inaudible] so they've got a lot more marketing budget, so I'm sure that you'll probably hear "indicators of attack" as opposed to "behaviors of compromise." If you actually hear "indicators of attack," by golly, you know. But it's the same idea: that you can basically capture the way that software runs and compare it against what known good software activity is, and get those actual actions down. So that's the behavioral analysis: indicators of attack. And then we've evolved to this point where MITRE released the ATT&CK framework, and I think it looks really good because it is a nice evolution of where we've gone, and it talks a lot about what we call techniques, tactics and procedures, TTPs. Wouldn't it be cool: oh man, I guess my OCD is because of TTPs.

All right, so tactics in general is what is a bad guy trying to do, right? What's their tactic? Here are a couple of examples, and this is from the MITRE website that you can look at: trying to gain persistence, trying to execute, privilege escalation. We can tie that together with techniques, right, so how are they doing it. So the attacker was trying to do an escalation of privileges, but how do they do it? What's the technique that they use? All right, so the point of the MITRE framework is to give all of us a common way of talking about this, because if we looked at a lot of our reports, when I go back to the slide where I had the behaviors of compromise, I had some behaviors described there, but each of us would use different words. When you want to start creating metrics about what is the most common behavior or indicator of attack, we need a common language, and that's what the MITRE group has done: given us a set of common language. From here we can start tying things in and understanding how we need to prioritize.

So here's the example that ties it together, right? So this is a registry key, somebody writing to a registry key, and so it gives us this level of detail, and you can see the value of this compared to "somebody wrote to this particular key." My friends, how many places can you put something in the startup? Anybody? How many different keys have we got? I mean, there's the user hive, you know, there are gonna be tons, right? So instead of describing those and saying that they use these different keys, we can more aptly describe that this is the tactic and technique used.

So the reason I bring this up in this talk is really that you're probably having to deal with IOCs. You've got management that says "we need to do IOCs," and you've got regulators that expect you to do IOCs. So which IOCs should you use? Well, you can start with "well, I've got 500 [inaudible], so let's..." Or do you take a step back and say "I pay for all of this, Recorded Future or Anomali, and they have also given me a pretty good idea of who's after me, who my attackers might be, and I can look at the tactics and techniques they've previously used and then I can prioritize." And I can say "hey boss, we don't have a good way of looking for [inaudible], and no way of knowing when my Run registry key has been edited, so I need investment here." And here's the proof that we need some type of tool: look at all of these groups. And I picked up this one slide that I lost when I was editing this earlier: on the MITRE site, there are all the different groups, and they show, just like this, the different types of techniques they use. You say "CISO, you are afraid of [inaudible], and you want us to defend against it; we need a tool to be able to detect these attacks, these techniques," and I've got this highlighted for you. If you haven't been to the MITRE site yet, they've got a slice of the goodness screen up in this, like, flexible application where you can create your own colors and drag in all the maps, and suddenly get all your projects funded.

All right, so which one is it, TTPs or IOCs, right? Well, let's do it: you can use both, right? I don't want you to go back from this and say "well, Xavier said [inaudible] using IOCs, so we should stop using them." All right, I'm saying that IOCs, perhaps you should minimize using them. But this is the tool, [inaudible], which has been published by MITRE; it's on the MITRE GitHub as well, and it allows you to kind of mix and match and start playing around with being able to use TTPs and IOCs.

All right, so in summary: IOC matching is a necessary evil. There are some times it can provide you with some extremely high-fidelity stuff; there are a lot of places where it gives you middling fidelity and can really throw off metrics and the understanding of others about how bad things are. Very atomic, very situational; make sure that you're using the IOCs appropriately. TTP analytics: this is where you are stepping up to another level and really talking about what the attacker is trying to do and how they're doing it, and this allows for a broader conversation on protecting your enterprise, and allows for lower [inaudible] and lower quantity, higher quality results.

All right, well, I had a couple of [inaudible], but I appreciate you staying and sticking around. If you have any questions for me, I'll be around for the rest of the day. Thank you very much.
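As an added example, not code from the talk or from any product it names, here is a small Python policy engine that applies the rules the speaker lays out: a lifetime on every IOC, IP matches that only tag rather than open a ticket, high-fidelity types (certificate serials, wallet addresses, SHA-256 from your own EDR) that alert, domain registration age checked at evaluation time, and a gold-image allowlist that overrides any feed. All IOC values, dates, sources and the registration table are constructed stand-ins (documentation IP ranges and the reserved .test TLD).

```python
"""Added example: an IOC policy engine with lifetimes, per-type fidelity,
domain-age checks and a known-good allowlist, run over constructed events."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, Optional

# Fidelity by indicator type, as argued in the talk: IPs are context only,
# cert serials and wallet addresses are high fidelity, domains sit in between.
FIDELITY = {"ip": "low", "domain": "medium", "sha256": "high",
            "tls_serial": "high", "btc_address": "high"}


@dataclass(frozen=True)
class IOC:
    kind: str
    value: str
    source: str
    first_seen: date
    ttl_days: int  # the lifetime the talk says every IOC must carry

    def expired(self, today: date) -> bool:
        return today > self.first_seen + timedelta(days=self.ttl_days)


@dataclass(frozen=True)
class Decision:
    action: str  # "alert" = open a ticket, "tag" = add context only, "none"
    reason: str


class IocPolicy:
    def __init__(self, iocs: Iterable[IOC], known_good_sha256: Iterable[str],
                 domain_registered: Dict[str, date], today: date,
                 new_domain_days: int = 7) -> None:
        self.today = today
        self.new_domain_days = new_domain_days
        self.known_good = {h.lower() for h in known_good_sha256}
        # Constructed stand-in for a WHOIS / registration-date lookup.
        self.domain_registered = {d.lower(): r for d, r in domain_registered.items()}
        # Expired IOCs are dropped at load time so they can never match.
        self.index = {(i.kind, i.value.lower()): i
                      for i in iocs if not i.expired(today)}

    def domain_age_days(self, domain: str) -> Optional[int]:
        reg = self.domain_registered.get(domain.lower())
        return None if reg is None else (self.today - reg).days

    def evaluate(self, kind: str, value: str) -> Decision:
        v = value.lower()
        if kind == "md5":
            return Decision("none", "md5 not accepted, resubmit as sha256")
        if kind == "sha256" and v in self.known_good:
            return Decision("none", "hash is on the gold-image allowlist")
        if kind == "domain":
            # Real-time age check, independent of whether a feed lists the domain.
            age = self.domain_age_days(v)
            if age is not None and age < self.new_domain_days:
                return Decision("alert", f"domain registered {age} days ago")
        ioc = self.index.get((kind, v))
        if ioc is None:
            return Decision("none", "no live IOC matches")
        if FIDELITY.get(kind, "low") == "high":
            return Decision("alert", f"{kind} from {ioc.source} is high fidelity")
        return Decision("tag", f"{kind} from {ioc.source}: context only, no ticket")


def run_sample() -> Dict[str, Decision]:
    """Evaluate constructed events against constructed IOCs; keys are kind:value."""
    today = date(2019, 6, 1)
    gold = "aa" * 32  # constructed hash standing in for a signed OS binary
    bad = "bb" * 32   # constructed hash from an EDR alert
    iocs = [
        IOC("ip", "203.0.113.7", "free zeus list", date(2019, 1, 10), 90),  # expired
        IOC("ip", "198.51.100.23", "paid feed", date(2019, 5, 20), 30),
        IOC("domain", "login-example.test", "phish report", date(2019, 5, 25), 14),
        IOC("tls_serial", "0a1b2c3d4e", "stolen cert report", date(2019, 3, 1), 365),
        IOC("btc_address", "bc1constructedwallet0000", "ransom note", date(2019, 4, 1), 365),
        IOC("sha256", gold, "overzealous feed", date(2019, 5, 1), 365),  # lists a good hash
        IOC("sha256", bad, "edr alert", date(2019, 5, 30), 365),
    ]
    registered = {"login-example.test": date(2017, 2, 1),
                  "fresh-payroll.test": date(2019, 5, 31)}
    policy = IocPolicy(iocs, [gold], registered, today)
    events = [("ip", "203.0.113.7"), ("ip", "198.51.100.23"),
              ("domain", "login-example.test"), ("domain", "fresh-payroll.test"),
              ("tls_serial", "0A1B2C3D4E"), ("btc_address", "bc1constructedwallet0000"),
              ("sha256", gold), ("sha256", bad), ("md5", "cc" * 16)]
    return {f"{k}:{v}": policy.evaluate(k, v) for k, v in events}


if __name__ == "__main__":
    for key, d in run_sample().items():
        print(f"{key:75} {d.action:5} {d.reason}")
```

The expired Zeus IP never matches, the live paid-feed IP only tags, the day-old domain alerts even though no feed lists it, and the allowlisted hash wins over the feed that mistakenly published it.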