
ThreatCrowd And Other Things

BSides Belfast 2016 · 30:29 · Published 2017-09

Transcript (en)

Thanks, thanks for coming to see me talk rather than the talk on hacking into cars; I might be in that one as well. So my name is Chris Doman, I built ThreatCrowd, and I just want to talk about a couple of other things kind of linked to it as well. I work for [unclear], but ThreatCrowd is something I built in my spare time over the last couple of years. So just to get an idea of where I should be pitching this, how many of you, a show of hands, have used ThreatCrowd or know it? Okay, half. I won't go into too much detail over it then. So this is

threatcrowd.org, this is the front page. It's a threat intel platform; by that I mean it's a database of bad stuff, so sandbox reports, passive DNS, WHOIS data, all that kind of stuff stuck into a web front-end so you can search through it quickly. I'll show you how I use it and how you might want to use it, and a quick demo at the end. First, to explain why I built this: this looks a bit messy, it is, but this is the kind of reality of what I would do in my last job when I was doing a lot of either incident response, trying to track down the detection on the host or network, or

detection, SOC-style work, where I get an alert in and I try to find out: is that alert a real detection, is it actually bad, if it is, how bad is that detection on this network, and if it's really bad then what else should I be looking for, with the other indicators, and I need to find other related nodes. Moving to threat intel, can I take it a little bit of a step further there, building up profiles on attackers and finding out who they might be targeting, the infrastructure they've got, the tools, all that kind of stuff. So that's why I built the tool recently; I wanted something to do that, and at the time there were some

tools, I'll show you some of those in a minute, but a lot of it really came down to open source intelligence, by which I mean Googling. In the day, so I'd take that domain, I'd go and Google it, I'd go on to Malwr, which is a great sandbox site, read the report, get some WHOIS data out, then go through VirusTotal, another great tool, and the aim of ThreatCrowd was to have something that would unify that in one place. Another use case that I wasn't expecting is more on the offensive side: there's an API in ThreatCrowd, that big database of domains, that kind of thing, and people are using it in bug

bounties, pentesting. So when people are looking for that low-hanging fruit, everyone else is looking at the main site; a lot of people are making pretty good cash in bug bounties by finding the old dev server on some weird subdomain that's been left up, that kind of thing. So it's all around that too. So a quick run through the interface; it sounds like half of you know it a bit already. Things start with the search, so you can search for, say, the name of your company or a theme and it'll find domains related to that. It's nothing special there; a couple of things here though: it will rank those results based on things like is there malware pointing at

that domain, is it a dynamic domain, a couple of really basic scoring things there around what might make that domain fishy. So looking up here, there's a pretty easy target, so that's the kind of thing that might be around, and see down there, there's a couple of dynamic domains that haven't got anything attached to them but are probably suspect. This is the main interface, the ThreatCrowd graph; it's quite familiar if you've used it before, if you've used Palantir or Maltego or any of those kind of pretty graph things, it pretty much works in the same way. So on the left-hand side you've got the graph, and the dark blue spot, that's the source, that's the indicator we're looking at, then connected

to it are some IP addresses that maybe that domain resolved to; there's some [unclear] in the kind of purplish colour; some hashes, that's the malware talking to that domain; there's an antivirus detection there; it's all linked up together, and the idea here, going back to that SOC analyst or someone like that looking at a detection, is I can quickly find out what might be related. So there's a bit of judgement involved, the computer won't do it for you, but we can quickly get an idea of what you might be looking at; anything with a really bright lime, horrible green circle around the edge, that's something with a report referencing it. On the right-hand side is all that

data in a more tabular view, so your passive DNS data, WHOIS data, all that kind of stuff in there you can browse through. And the key of that whole process in any tool like this is the pivot: so you're going through, you've got the domain, where do you go next, where do you find that next piece of information? You can right-click on the graph and jump to it that way, or on the right-hand side you can jump through, say, the hash to find the AV names, all that kind of stuff, to find out more. And there's some thought in there: so if something's not going to lead you anywhere, so if it's an IP address and

there's only that one domain you know about, it's not going to be a link, and there's a kind of shortcut there, trying to save you a little bit of time. Yeah, there's tons of stuff you can pivot on, so if you're researching this kind of stuff, whether it's threat intel or a SOC type scenario, all the things we know about, so the domain, the IP, you can get all that data out. There's more stuff there too, so we were talking earlier about SSL certificates; they're a great way of chaining through, so attackers will often reuse the same SSL certificate on different infrastructure, and you can track that over time. I also tried hashing,

basically, nmap output of servers, so sometimes people reuse the same gold build on a bad server and then you can pivot through that way; that doesn't work very well, it turns out. Similarly, I also tried hashing sandbox output; there's a lot of work going on around how much you can cluster malware based on the behaviour, to see there's another piece of software just like it you know about already. Again, that works a bit, but it's not all that great. Oh yeah, and there's some smarts in there again as well, so on that graph, if it thinks an IP is a sinkhole or a parking range (parking ranges: sometimes attackers at this point point the domain at localhost or something, so you just can't

see where it's going), it won't automatically pivot on that and make that guess there. And browse through: there are a few thousand reports indexed in there with the indicators. You probably don't want to go through and browse all those domains, but all those reports, that's an option for you. There's a blacklist too, so there's an idea of extending that functionality to actually be able to apply that automatically. Blacklists, I mean, they've been around for 20 years; the last Talos talk was discussing the problems of using big blacklists as a way of stopping stuff. Again, not fantastic, but a lot of people do feed into this, so you do get some crowdsourced

kind of intelligence there, people for free saying this thing's bad. A lot of people said that Google was bad, that kind of thing; there are problems with that, so you can't just trust anything like that. A couple of other problems I have with that as well I'll go into in a minute. There are feeds too: it's really important to monitor the infrastructure of interest, so if there's an IP address that you know has hit you before or always hosts something pretty bad, use an RSS feed and see every time something new pops up, or if there's a malware family you particularly care about, any time another sample comes in, it'll put it up there. Obviously the data source here isn't as

big as VirusTotal, but it is free. Maltego: this is how I use this mostly myself. There's a few of you that probably use Maltego already, based on what you were saying earlier; great tool, it links up to tons of things, and ThreatCrowd has a free plugin for that. ThreatMiner and [unclear] have got one too; I haven't seen that before, but I was checking out the API. It was great to see how much has been plugged into it right now, so kind of random stuff people are coming up with: there's Splunk apps that link into it, some people have got some other log processing stuff, I don't actually understand how that all works but it seems to hit

on some of the feeds coming in. Tons of other things too: you can whack it into Maltego, and from the command line you can have any interface. The first version of the API was a horrible CSV: you'd actually hit a GET request and get CSV back. Now it's a JSON format that looks a bit like VirusTotal, and the idea there is that if you've already got code for VirusTotal you don't need to change everything in order to integrate this. Quite a few people have asked me what ThreatCrowd's built on. It's not as cool as those kind of graphs up there, it's actually really simple, and the people that asked me what it's built on have been asking because

they've tried to build similar things, because there's so many people that built a threat intel platform, because that's the big cool thing, at least it was a couple of years ago, and then they gave up because they got all these cool databases in, they linked everything up, and then, like, six months down the line nothing was working. I've gone for the opposite approach, and that's just because I was programming in my spare time at home. Honestly I wrote some of the code a bit drunk, but that's okay, because you can do that with a few MySQL [unclear]; don't trust all of that, but you know you can do it, and yet it's simple, it works. I mean it's

[unclear], jQuery, PHP and SQL, things you've known since you were 15, you can just pick it up. You might not want to build something enterprise on that, but it's worked so far. The only magic on there is that pretty graph; I didn't write the code for that, [unclear].js, an underrated library. If you ever want to have a beautiful graph on some other thing you're building, it's great, it's way quicker than D3, a pretty nice tool, and there are hacks on top of it and stuff on there to try to make it show a little bit prettier. Yeah, and also, simply, I'm storing that graph data: you can use a graph database, they're great for some stuff,

you can use a NoSQL database like MongoDB, that's great for things like sandbox output where you've got all these kind of random different types of indicators. In my case I just used MySQL and whacked it all in there; it's fast with an index. A couple of hacks on there: so all domains are also stored in reverse, just so I can do a really fast lookup on subdomains without having a proper index, I think. And then the secret to building a graph kind of interface on top of SQL is a pivot function: just tell me everything that's linked to this one indicator, across the tables. So no magic; you can create something yourself at home just like

that. Simply, people have asked about what the data sources are; there are quite a few, these are the main ones though. So lots of love for these people who actually let me use their data: VirusTotal have a great public API, so you can use that for free; AlienVault OTX, really cool guys, great community tool, again they have an API there; Malwr and Payload Security, really good sandboxes, worth checking out. I checked the terms and conditions to make sure I was allowed to use them for non-commercial use and then subsequently spoke to these people, but I didn't always ask in advance, and that's kind of maybe lesson two in terms of free community projects: to extend that, there's so many

building themselves, people are generally pretty friendly and no one's complained yet, so that was very nice of them, and subsequently a lot of them have talked, spoken about it, and integrated some of that back into their own tools too, so everybody wins. Why might you want to build something like this? Well, I get to come to Belfast. It's got my name out there, so if you're building a free tool you can get something back. The taxi driver on the way here told me that that wheel is actually no longer here, probably it's been moved to Leeds, so I would have changed that picture if I'd known that in advance; still, it's a nice picture though. And also I get to use it, so for me I built

this because I wanted to use it; I wasn't even sure I'd [unclear] publicly at first, it was just something that I thought might be quite useful. Another reason is, yeah, back at the end of 2014 I was building this, a bit ill over Christmas, I just sat there programming for a little while. There weren't quite so many tools; there wasn't that kind of threat intel buzz explosion that's been the last couple of years, so things like CRITs I don't think were publicly available, they were if you knew them, and then a bit later tools like PassiveTotal, I think, came around. ThreatMiner is great, it's been around. MISP was awesome if you want to have a bunch of data and

then share it with other people; if you've got some kind of SIEM solution, anything you want to get your data into, not only do MISP have a great free solution for that, they also have some free feeds too, so they've got pretty high fidelity trusted data you can get. 2016: I wouldn't build ThreatCrowd today, there's so many tools like this now. So ThreatMiner, built by the guy I sat next to about a month ago, they work in slightly different ways, a brilliant tool again. OTX. IBM X-Force, you can use their threat exchange, it's free; at first it wasn't very good, now it's got a lot more data in, it's a lot

better now. I've never used Facebook's ThreatExchange, but is anyone here using Facebook's threat thing? It's like a long application process; I hear it's good, but I have no personal experience with it. Yeah, tons and tons of them now, I guess that's the point. And quickly, a couple of tricks in case it's useful on some of those tools: so ThreatMiner, as well as doing all the normal kind of search-for-indicators stuff and everything else, if there's a sector you're particularly interested in, or maybe a business that you're interested in, you can do a free text search over a bunch of reports, and it indexes them and presents them to you nicely. So as a business-side thing, if you're going to

meet a customer or something and you need to quickly know who's targeting that sector, whack it into that site and you can find a bunch of reports on it; in this case it's one thing that works better than Google for that. Oh yeah, and also, it's kind of diving into the weeds a bit, but if you've used Florian Roth's Loki, it's a great free scanning tool that you can run on your [unclear] against other kind of custom antivirus stuff too. [unclear] There's also a really nice integration there that will download a ton of intel from a lot of these free sites and get it into a nice format for you, so you can hack on top of Florian's code

and get a bunch of bad things in a nice CSV file. So that's that. Not sure how many people remember that, [unclear] '95, but they were great in terms of stats. [unclear] how popular ThreatCrowd's become, so it's nice chatting to people and small entities that happen to have used ThreatCrowd as well. I think most people that come to the site, you can see it's sixty thousand users last month, they've Googled a domain or an antivirus definition; they're not full-time cyber security people, and they wonder what the hell is that graph, and it's like a tumbleweed. But there are a few hundred people that use it every day repeatedly, so it's got a good kind of user

base there. And something to keep in mind with any kind of online platform like this, whether it be VirusTotal, an online sandbox site, even to some extent Google as well, is what happens to that data when someone like me then has it sent to my server. So in my case I'm not going to hunt through individual users; I mean I've got the logs, these analytics, and not one person, but we use it to get trends, and that can provide a bit like getting to be an AV vendor and getting a really kind of small version of what a vendor might see. So there's some way better data in that last Talos talk, you know, visibility over hundreds of thousands and

billions of users, but here you can see some rough correlation around some malware. I tried Dridex: the long tapering out, then a peak. This is a subset of the people hitting this, the people that came straight from Google, very particular stuff they're looking for; it's not a researcher, this is someone whose AV has flagged up on this. Locky, similar; you can see there's a big pick-up, I guess around January, February. Remember the drop-off of Dridex too? The Talos talk talked a lot about that, that was amusingly interesting when they were talking about some of the takedowns there, but given it uses the same distribution botnets as Dridex, I hear, does it overlap, and

maybe that's why Dridex has been dropped in favour of Locky for a while. Also insight into some rare malware, so Sofacy is an interesting piece of malware, it's been around for a while, a few detections around it; notable now because there's been the DNC leak, you know, all those hacks in the news recently when the group's [unclear] there, and this one's their main piece of malware. This gives you a kind of very rough idea of some potential targeting there, so you can see Germany is flashing up quite strongly there, Ukraine, Romania, so given who is perhaps behind some of those attacks it's not that surprising where you'd be infected. An AV vendor would have this count at times a

thousand, but it still gives rough trending ideas. Issues: it's always fun running a public website, and there are tons of problems. So I was saying before, I did write a bit of the code after a couple of beers; that's the kind of reason why I decided against having users and passwords on the site, I don't trust my own code, particularly in my spare time, to protect that data. Thankfully no issues I'm aware of yet, so that's good. One interesting thing I've seen too is I was investigating a campaign, and I noticed that a lot of the, it was quite a small campaign, it was under the radar, nothing was just normal commodity code, targeted attack stuff, and someone went

through flagging all the domains in that campaign as not malicious, and they were coming from a network that was geographically located in the same area. Maybe coincidence, maybe someone didn't know what they were doing, but that was interesting. If you saw Claudio's talk recently on Iranian attacks, he had a far better example of that, where there was someone going on to the support forum of an AV vendor and then asking them to whitelist their malware; that was a great example. Every week I'll get about two or three people emailing me asking why their website's on my website. It can be pretty frustrating; they don't understand, you know, what does this mean, is my site bad, what are you

telling people? But it's quite understandable; lots of mum and pop shops get infected with things like [unclear] and then get used as the first-stage compromised downloader. I've had that a few times, also being used as command and control servers, and then there's one person talking to you where their small business is in ruins and then having to change website. It's the worst thing, because [unclear] and AV vendors block their site after it got compromised, so for them they've seen their money shut down; so both of those kinds of contacts. Also DDoS too; so you've made it when you start getting DDoSed. There were some denial of service attacks against ThreatCrowd in January, the beginning of

this year, and that's nice, it means someone cared, so that's a compliment. CloudFlare is awesome though, so I'm thankful it cleaned up most of that, which is good. There's a real tenuous link to Taylor Swift, sorry about that, it's not a real thing. So yeah, like I said, a lot's changed; 2014, Blank Space came out in 2014, that's why that's there. And going on from that, would I build this today? A lot's changed, not just in terms of how many platforms there are out there, as threat intel has grown based on that big growth in the industry; the attacks people are seeing are obviously changing too, and there's been a lot of discussion around to what

extent targeted attacks are decreasing, how much they've been overblown in all the reporting. You saw Brian Campbell's great talk earlier; I think he touched on that as well. I think most people say they've got APT fatigue. And the tools, threat intel, really was originally designed to track these kinds of targeted domains together; it's been used a lot now though to target crimeware, but it does change the use case quite a lot. So a couple of examples of that: 2013 was all that big buzz around targeted attacks. Hangover was quite a famous example, so Norman Shark wrote a report on a pretty low-standard attack group. There were some crazy things, like they left their own

company name in their malware, apparently, which was a bit of a mistake there. A few times they also did things like they registered domains for command and control in their own names and a company name; they did that a few times and then added WHOIS privacy a week later, which obviously doesn't stop people from getting that data. The best thing though, and this wasn't really reported, it was in a very small report that didn't get picked up, from an Indian company that's looking at this: they also used essentially their own file server as a command and control server, left it open as well, and then they had their company's intellectual property just sitting there on their command and control server, and they were

targeting all kinds of people; they were targeting telcos and the West, really wide targeting, a big campaign. And yeah, so a lot to pivot on, and a tool like ThreatCrowd or anything like that could just light up the whole campaign straight away. Today there's been a lot of reporting on a campaign called Patchwork, still pretty crappy; I think every vendor was tracking these guys for a good year or so, and there's some links there between the malware, and a little bit in the infrastructure, to those original Hangover campaigns, and I think most people say it's probably the same group. But gone are the PDB strings in the malware with their own company's name, gone are the file servers being used for command and control, and

the problem here is that these reports spoil that. Great, they do inform people, but they are making it harder for tools like ThreatCrowd to actually get you those results. Similarly, this was a great talk, I think it was Mark Parsons who did this, there was a couple of them recently, BSides [unclear] last week, and this is on chaining through SSL certificates. So as I was saying before, SSL is a great pivot point, attackers reuse them; he's got so many nice examples in there. So one of them was, there again, the recent DNC attacks, that links through an SSL certificate to attacks on the Bundestag a couple of years ago, into a well-known group, Sofacy, APT28. So when the group

but they've been using that for a long time, and a lot of people have been tracking that SSL certificate, and they've tracked many, many different attacks to that through tools like ThreatCrowd or PassiveTotal or ThreatMiner, and probably they can't use that any more. So again, it's also a threat: ThreatCrowd has a slight [unclear] for this type of research, [unclear] value. I think a final one is to bring the APT fatigue back in there again: there's been a lot of discussion about the extent to which those targeted attacks have been dropping off. So this is FireEye's graph of Mandiant responses to what they say are Chinese groups, where they've responded to them, so a pretty clear drop-off here, and I know a lot of people would question the

data. First, I think they have pretty good data here, as much as anyone in the private sector is going to have; you can see a clear drop-off. I mean, also, given that they are investigating these things and they will have maybe first started those attacks maybe a year beforehand, depending on how they were told about the attack and had identified it, you could shift their graph back a year. So again, for a lot of those groups that were really easy to track, that we've all been tracking for a long time, there are fewer of them to track. However, if you look at the marketing reports, again touching on what Brian Campbell was saying in the talk before last,

this is the stats for APTnotes, so a collection of APT reports: there's no clear correlation here. I'm not sure what those summer peaks are; I thought maybe that was security conferences and people releasing them then, but no clear correlation there with what's probably going on with those real attacks. Obviously you can't trust all the marketing stats. So going a bit off-topic here, but I thought I'd give a couple of examples just to stir up a bit of controversy around the room. So Norse, you saw that map before; they published a couple of reports on Iranian attacks against infrastructure. There may well be some good evidence of that happening, but they didn't have any evidence; it was made up, sent around to congressmen around the time

that they were voting on legislation, a bit irresponsible. There's a [unclear] report on Zero Day hashes about how the same guys linked to the DNC attacks were attacking banks; they just found a name server that was being used by a lot of people, including Nigerian scammers, they linked it by that name server and then said it was all the same stuff, obviously not very accurate. Another one broke up a 12-year-old campaign targeting government; it was just adware, and as soon as you looked it was obviously adware: it had a EULA, the malware made you agree to a licence agreement for it to install, that wasn't that massive campaign. See how the correlation there... And the IBM one, to be fair, I'd say

that's not that bad, it's just perhaps poor phrasing. But on the corollary, for one thing, I mean just because attacks against the US from some places might be decreasing, and talking to friends at other IR firms and things I think that might be a trend, other countries are not experiencing that. So [unclear] and some attacks against Russia; have you been following some attacks in Japan last year? Massive problems there, a whole spate of gigantic incidents all linked to a few groups. [unclear] they can't focus on one country. Russia has been in the news a lot recently; not everyone will agree with that attribution, but there's a lot of other

people out there. SWIFT: this is the kind of thing which really is gaining news; a lot more people have been attacking SWIFT for quite a long time, there are a few different groups doing it, it's really picked up because of the Bangladesh case, and these kinds of cases, that's perhaps the bread and butter for a lot of the kind of case studies people are using. A bit less there though in terms of pivoting: the kind of campaigns I've seen from that, there are some links there you can go through, malware, there's some reuse of infrastructure, but there's a lot less than the classic cases we're used to tracking. Finally, obviously, we look at what people

are caring about and talking about; by the last talk, things like ransomware. I mean you can talk all you want about the sexy targeted attacks, but things like ransomware are what people are really worrying about right now. So I was at Black Hat last month and I saw a talk by CrowdStrike, and they had the normal kind of "you have an adversary problem, not a malware problem"; they've got great guys and they've got some great statements there, and at the end of that they tacked on "we also do ransomware", because that's what people are worrying about right now. And using a tool like ThreatCrowd and other kinds of things that have been built up in the last

two years of investment to track ransomware just isn't as effective, just the way that people don't reuse the infrastructure so much. Great, we don't register domains there. Who is it? No, I don't mind. Have you ever seen the thing where someone was on the theatre and then they got on some famous actor and he answered the phone and then spoke to them for a while? I'm not so famous, so that wouldn't be worth doing, unfortunately. And yeah, obviously, so yeah, the summary of those last four slides, apart from the filler to make this a 30, 45 minute talk, was that crime is a big problem; tracking that's a bit trickier. Guys like Talos have got great

visibility there; tools like mine are useful, they're not quite so good. So these are great: AlienVault OTX, a fantastic community project that's given away for free, and you add those indicators in there; they rely on crowdsourcing, doing it properly, not a crappy blacklist like what I have, and they can share those indicators, you say if you trust people, so if someone adds google.com to that list you can just say "no you idiot, I don't trust you any more". Great tool. And then these kinds of things here as well, like the Locky tracker, the Dridex tracker, the Feodo tracker; they've been around for years and years and years and they're really, really good

tools. So that's perhaps where a lot of the kind of threat intel is going, and a way back to where it was, maybe. If anyone disagrees, [unclear], a lot more interesting discussion in terms of where ThreatCrowd's going. Well, I don't know, I've got a lot of ideas, so that's my Trello where I list them; that's not all the things. I'm not sure how much time I'll be building on it; it depends on what people want, so if anyone has any ideas I'm really keen to hear about it. I'd love some support, so if people are offering to help me with hosting in particular; I've got downtime and I run out of hard disk space; also other kinds of

companies to help them too, often, to pick up the slack, maybe help with the coding. And finally I'm thinking about maybe turning it open source, community, if people are willing to put that time in and if there is value to people; not sure how much that's the case. So yeah, any ideas, hit me up. Finally, in terms of what I might be doing next, I've been building a Linux distro for threat intel for a while, and I'll solve a couple of problems there. So one thing is that there's the [unclear] echo chamber: everyone's building the same damn tool to solve the same problem, so you can't solve the same problem twenty different ways. There's so many similar

open source projects, and that's great that people are building them, but it takes so long to evaluate them all. So the kind of things I'm sticking in there are: put them all in there, just let you run a quick Docker instance, or build it into the installation, try it out and see. Also link into the open source intel too, so before I stuck them in, some of those great free feeds, they're all linked up in there, integrated with tools to apply it too, so to apply that against the network data, as well as to apply it against host data. So yeah, it's gonna be free obviously, just a Linux distro; it's a bit different to things like REMnux for malware or SIFT for

forensics. If anyone's got any ideas or contributions, awesome to hear from you. Finally, I was going to show a demo if I've got time, but I don't have it running. I tend to talk a bit quick, yeah, so I should have put some more memes in to take some more time.

I haven't connected to the Wi-Fi yet. Is this gonna work, is there Wi-Fi here? Trustworthy? [unclear] free [unclear].

Oh well, what's gonna happen to my laptop now on the [unclear] network? Yeah, I was only going to stick in the demo at the end anyway, but if you want to try out ThreatCrowd just go to threatcrowd.org; it's not like people have used it anyway, so do check it out. And if you want to find out about car hacking I think you have enough time to do that. But if anyone has any questions, do ask. Yeah, yeah, so I released it in the worst way, in a sense, just to make sure I don't lose the script: it's basically a big shell script that installs on an Ubuntu box. I whacked it on Pastebin just in case I lost

my hard drive some time, and didn't announce it to anyone. So yeah, it will be alright, yeah, yes, at least so if you've seen SIFT or something that has the same kind of install, it runs through. So yeah, I'll clean it up a little bit first and then I'll stick it on Twitter, something like that. [unclear] then, yeah, I'd love to hear some feedback on it. Yeah, great, do it. Any other questions? Great, well, if you'd like your own ThreatCrowd demo and you have a working internet connection, you know, give it a try. Cheers. [Applause]
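The storage and pivot tricks the talk describes (domains stored reversed so subdomain lookups hit an index, a pivot function returning everything linked to one indicator across tables, refusing to auto-pivot on sinkhole/parking IPs or IPs with only one domain behind them, and ranking search hits by malware pointing at a domain and dynamic-DNS hosting), as an added example that is not ThreatCrowd's own code. It assumes SQLite in place of the MySQL mentioned, and every record below is constructed: placeholder hashes, RFC 5737 documentation IPs and .example domains.

```python
"""Toy ThreatCrowd-style indicator store (added example, not ThreatCrowd's code).
SQLite stands in for the MySQL the talk mentions; all data below is constructed."""
import sqlite3

# Constructed passive-DNS style records (domain, ip): RFC 5737 addresses, .example names.
SAMPLE_RESOLUTIONS = [
    ("update.evil-cdn.example", "203.0.113.10"),
    ("cdn.evil-cdn.example", "203.0.113.10"),
    ("mail.evil-cdn.example", "198.51.100.7"),
    ("old-dev.evil-cdn.example", "203.0.113.99"),  # the forgotten dev box on one IP
    ("legit.example", "192.0.2.20"),
    ("dyn.no-ip.example", "198.51.100.7"),
]
# Constructed sandbox-style records (placeholder hash, domain the sample contacted).
SAMPLE_MALWARE = [
    ("sha256-placeholder-aaaa", "update.evil-cdn.example"),
    ("sha256-placeholder-bbbb", "update.evil-cdn.example"),
    ("sha256-placeholder-cccc", "dyn.no-ip.example"),
]
# Constructed stand-ins for a sinkhole/parking-range list and a dynamic-DNS provider list.
SINKHOLE_OR_PARKING = {"192.0.2.20"}
DYNAMIC_DNS_SUFFIXES = ("no-ip.example",)


def build_db():
    """Two tables; rdomain holds the reversed domain so suffix lookups become prefix scans."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE resolutions (domain TEXT, rdomain TEXT, ip TEXT);"
        "CREATE INDEX idx_rdomain ON resolutions(rdomain);"
        "CREATE INDEX idx_ip ON resolutions(ip);"
        "CREATE TABLE malware (hash TEXT, domain TEXT);"
        "CREATE INDEX idx_mal_domain ON malware(domain);"
    )
    for domain, ip in SAMPLE_RESOLUTIONS:
        db.execute("INSERT INTO resolutions VALUES (?, ?, ?)", (domain, domain[::-1], ip))
    db.executemany("INSERT INTO malware VALUES (?, ?)", SAMPLE_MALWARE)
    return db


def subdomains(db, apex):
    """All stored subdomains of apex via one indexed range scan on rdomain.
    LIKE '%.apex' has a leading wildcard and cannot use a B-tree index; the reversed
    column turns that suffix match into a prefix match, which can. The trailing dot
    keeps 'cdn.example' from matching 'evil-cdn.example'."""
    prefix = apex[::-1] + "."  # 'evil-cdn.example' -> 'elpmaxe.ndc-live.'
    rows = db.execute(
        "SELECT DISTINCT domain FROM resolutions WHERE rdomain >= ? AND rdomain < ? "
        "ORDER BY domain",
        (prefix, prefix + "\uffff"),  # upper bound closes the prefix range
    )
    return [r[0] for r in rows]


def pivot(db, indicator):
    """Everything linked to one indicator (domain, IP or hash), i.e. its graph edges.
    IPs in a sinkhole/parking range, or with only this one domain behind them, are
    kept but flagged as dead ends so a UI would not automatically pivot on them."""
    linked = {"ips": [], "domains": [], "hashes": [], "dead_ends": []}
    for (ip,) in db.execute("SELECT DISTINCT ip FROM resolutions WHERE domain = ?", (indicator,)):
        linked["ips"].append(ip)
        count = db.execute("SELECT COUNT(DISTINCT domain) FROM resolutions WHERE ip = ?", (ip,)).fetchone()[0]
        if ip in SINKHOLE_OR_PARKING or count < 2:
            linked["dead_ends"].append(ip)
    for (domain,) in db.execute("SELECT DISTINCT domain FROM resolutions WHERE ip = ?", (indicator,)):
        linked["domains"].append(domain)
    for (domain,) in db.execute("SELECT DISTINCT domain FROM malware WHERE hash = ?", (indicator,)):
        linked["domains"].append(domain)
    for (digest,) in db.execute("SELECT DISTINCT hash FROM malware WHERE domain = ?", (indicator,)):
        linked["hashes"].append(digest)
    return linked


def score(db, domain):
    """Crude ranking: one point per sample contacting the domain, one more if it is
    hosted on dynamic DNS."""
    malware_count = db.execute("SELECT COUNT(*) FROM malware WHERE domain = ?", (domain,)).fetchone()[0]
    dynamic = any(domain.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)
    return malware_count + (1 if dynamic else 0)


def search(db, term):
    """Free-text search over known domains, most suspicious first, then by name."""
    rows = db.execute("SELECT DISTINCT domain FROM resolutions WHERE domain LIKE ?", ("%" + term + "%",))
    hits = [(score(db, d), d) for (d,) in rows]
    return [d for _, d in sorted(hits, key=lambda h: (-h[0], h[1]))]
```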