cti knowledge using osint · 2019-12-02 · agenda cti analysis at anssi role and position of...
TRANSCRIPT
CERT-FR / ANSSI
CTI knowledge using OSINT
ENISA Summer School, September 17, 2019
TLP:GREEN
Learning more about adversaries' behaviors
Speaker: Samuel Hassine (@SamuelHassine), Head of Cyber Threat Intelligence @ ANSSI
ssi.gouv.fr
AGENDA
CTI ANALYSIS AT ANSSI: ROLE AND POSITION OF ANALYSTS
KNOWLEDGE MANAGEMENT: HOW TO STORE AND EXPLORE INTELLIGENCE
THE INVESTIGATION ECOSYSTEM: OSINT DATA AND ANALYSIS INFRASTRUCTURE
FOLLOW ADVERSARIES INFRASTRUCTURES: HEURISTICS AND MONITORING
INVESTIGATION ON A MALICIOUS CLUSTER: TARGETING AFRICAN GOVERNMENTS AND INTERNATIONAL ORGS
WHAT'S NEXT FOR THREATS ANALYSIS: BUILDING TOOLS AND NEW CAPABILITIES
CTI ANALYSIS AT ANSSI
CTI unit position in the operations “hand spinner”
[Diagram: the three arms INCIDENT RESPONSE, KNOWLEDGE & ANTICIPATION and DETECTION, with the label “CTI Team belongs to” placed on the spinner]
CTI ANALYSIS AT ANSSI: Provide knowledge about threat actors of interest
Intelligence for partner CTI teams
Indicators and signatures for SOC teams
Tactics, techniques and procedures for DFIR teams
Behaviors to help prioritize EDR and IDS development roadmaps
Red team scenarios for hacker and pentester teams
Daily work of an analyst
Investigate adversary behaviors, arsenals and infrastructures
Pivoting on technical elements
Correlating behaviors and finding patterns
< QUALITY OF CTI MUST BE THE PRIORITY >
CTI ANALYSIS AT ANSSI: CTI workflow
[Diagram: sources (Partners, Vendors, OSINT, SIGINT) deliver Documents and Technical data; the CTI analyst runs the Extraction, Enrich and Investigate steps; the resulting Intelligence goes to SOC, DFIR and IDS / EDR]
< CTI ANALYSTS ARE NOT JUST LIBRARIANS >
KNOWLEDGE MANAGEMENT
Handle all stages of the adversaries' “pyramid of pain”: TTPs, Tools, Host/network artefacts, Domain names, IP addresses, Hash values
< KNOWLEDGE REQUIRES KNOWLEDGE MANAGEMENT >
KNOWLEDGE MANAGEMENT: Using MISP at ANSSI
Define a common taxonomy between SOC, DFIR and CTI
Custom galaxies for classification, diffusion and internal names for SOC teams
Develop common scripts to manage MISP events
Implement data quality tools to regularly check data consistency
KNOWLEDGE MANAGEMENT: OpenCTI in a nutshell
OpenCTI is a platform aimed at storing, exploring, visualizing and sharing information about cyber threats.
Authored by
CTI knowledge management
Data model: STIX2 (https://oasis-open.github.io/cti-documentation/stix/intro)
TTPs framework: MITRE ATT&CK (https://attack.mitre.org)
< STIX2 RULES >
github.com/OpenCTI-Platform
Released 2 months ago (2019-06-28)
www.opencti.io
KNOWLEDGE MANAGEMENT: STIX2 in a nutshell
STIX2 is composed of entities, embedded relationships and relationships.
Entity: Intrusion Set (embedded relations: created_by_ref, object_marking_refs; linked to other entities by a "uses" relationship)
{
  "id": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c",
  "type": "intrusion-set",
  "name": "APT28",
  "aliases": ["APT28", "Sednit", "Sofacy", "Fancy Bear"],
  "description": "APT28 is a threat group that has been attributed to Russia's Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment.",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "modified": "2019-07-27T00:09:33.254Z",
  "created": "2017-05-31T21:31:48.664Z",
  "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]
}
KNOWLEDGE MANAGEMENT: STIX2 in a nutshell (continued)
Entity: Malware (embedded relations: created_by_ref, object_marking_refs)
{
  "id": "malware--af2ad3b7-ab6a-4807-91fd-51bcaff9acbb",
  "type": "malware",
  "name": "USBStealer",
  "description": "USBStealer is malware that has used by APT28 since at least 2005 to extract information from air-gapped networks.",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "modified": "2018-10-17T00:14:20.652Z",
  "created": "2017-05-31T21:33:17.716Z",
  "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]
}
Relationship: uses (embedded relations: source_ref, target_ref, created_by_ref, object_marking_refs)
{
  "id": "relationship--d26b3aeb-972f-471e-ab59-dc1ee2aa532e",
  "type": "relationship",
  "relationship_type": "uses",
  "description": "APT28 uses USBStealer.",
  "source_ref": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c",
  "target_ref": "malware--af2ad3b7-ab6a-4807-91fd-51bcaff9acbb",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "modified": "2019-07-27T00:09:36.949Z",
  "created": "2017-05-31T21:33:27.041Z",
  "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]
}
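An added example (not part of the talk or of OpenCTI): a plain-Python walk over the three STIX2 objects above that separates embedded relationships (the *_ref / *_refs properties of an entity) from relationship objects, and flags references the bundle cannot resolve. Function names are assumptions.

```python
import json
# STIX 2 objects quoted on the slides (MITRE ATT&CK data for APT28 / USBStealer), trimmed
# to the properties used here, with the slide text's JSON defects (commas) corrected.
STIX_OBJECTS = json.loads("""[
 {"id": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", "type": "intrusion-set",
  "name": "APT28", "aliases": ["APT28", "Sednit", "Sofacy", "Fancy Bear"],
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},
 {"id": "malware--af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", "type": "malware", "name": "USBStealer",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},
 {"id": "relationship--d26b3aeb-972f-471e-ab59-dc1ee2aa532e", "type": "relationship",
  "relationship_type": "uses",
  "source_ref": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c",
  "target_ref": "malware--af2ad3b7-ab6a-4807-91fd-51bcaff9acbb",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]}
]""")

def embedded_relations(obj):
    """Embedded relations are properties of the object itself: any *_ref (one id) or *_refs (ids)."""
    pairs = []
    for key, value in obj.items():
        if key.endswith("_ref"):
            pairs.append((key, value))
        elif key.endswith("_refs"):
            pairs.extend((key, ref) for ref in value)
    return pairs

def build_graph(objects):
    """Index entities by id and collect edges of both kinds: embedded references of entities,
    and 'relationship' objects joining source_ref to target_ref. Ids absent from the bundle
    (here the identity and the marking definition) are reported as dangling, not dropped."""
    index = {o["id"]: o for o in objects}
    edges, dangling = [], set()
    for o in objects:
        if o["type"] == "relationship":
            edges.append((o["source_ref"], o["relationship_type"], o["target_ref"]))
            dangling.update(x for x in (o["source_ref"], o["target_ref"]) if x not in index)
        else:
            for prop, target in embedded_relations(o):
                edges.append((o["id"], prop, target))
                if target not in index:
                    dangling.add(target)
    return index, edges, sorted(dangling)

def who_uses(objects, malware_name):
    index, edges, _ = build_graph(objects)  # e.g. which intrusion sets use USBStealer
    return sorted(index[s]["name"] for s, rel, d in edges
                  if rel == "uses" and d in index and index[d]["name"] == malware_name)
```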
KNOWLEDGE MANAGEMENT: OpenCTI architecture
[Diagram: Database (main storage); Indexing (storage for speed-up lists and search); Frontend; API (interface to the outside world); Messaging system (subscriptions); Workers (consume messages, run background jobs such as importing, exporting, etc.); Connectors (push data)]
KNOWLEDGE MANAGEMENT: Data model using the Grakn hypergraph database
Stix-Domain sub entity,
  abstract,
  has internal_id,
  has stix_id,
  has stix_label,
  has created,
  has modified,
  has revoked,
  plays so;
Stix-Domain-Entity sub Stix-Domain,
  abstract,
  has name,
  has description,
  has alias;
Intrusion-Set sub Stix-Domain-Entity,
  has first_seen,
  has last_seen,
  has goal,
  has sophistication,
  has resource_level,
  has primary_motivation,
  has secondary_motivation,
  plays attribution,
  plays source,
  plays user,
  plays origin;
KNOWLEDGE MANAGEMENT: OpenCTI hypergraph query and visualization
match
  $intrusionSet isa Intrusion-Set;
  {$intrusionSet has name "APT28";} or {$intrusionSet has name "Turla";} or {$intrusionSet has name "FIN6";};
  $attackPattern isa Attack-Pattern;
  $relations($intrusionSet, $attackPattern) isa uses;
get;
KNOWLEDGE MANAGEMENT: OpenCTI visualization of a campaign
THE INVESTIGATION ECOSYSTEM: Adversary infrastructures & arsenals
We are focusing on:
Intrusion sets and threat actors targeting French ministries and critical infrastructures
State-sponsored and/or advanced persistent threats
Sophisticated cybercrime groups and/or malicious clusters
We are studying:
Adversary, Capabilities, Infrastructure and Victimology (the four vertices of the diamond model)
THE INVESTIGATION ECOSYSTEM: Functional needs
According to this context, we need:
A centralized API endpoint for all external and internal data lakes and sources
Tools to easily pivot on technical elements and qualify them using all data sources
A tool to easily query all data sources about a set of technical elements
A unified platform to store and explore all investigations
A monitoring system to play heuristics (auto-discovery) and replay investigations
THE INVESTIGATION ECOSYSTEM: CTI infrastructure
[Diagram: Cortex in the middle, with one online Database on one side and several offline Databases on the other; clients are Maltego, the Qualification tool and OpenCTI enrichment]
THE INVESTIGATION ECOSYSTEM: Custom Cortex analyzers
#!/usr/bin/env python
# encoding: utf-8
import sys
import os
import json
import codecs
import datetime
from cortexutils.analyzer import Analyzer
from cortexlib import Cortex
'''
Author: ANSSI/SDO/DCA/AMR/MOA
Description: fork from the official Cortex Analyser for DNSDB
Services:
  domain_to_ip
  domain_to_fqdn
  domain_to_ns
  domain_to_mx
  domain_to_soa
  ip_to_domain
  reverse_domain
  search
Parameters:
  tool = "dora" | "maltego" | "tag"
'''
THE INVESTIGATION ECOSYSTEM: Custom Maltego transforms set
#!/usr/bin/python
from Maltego import *
[...]
from cortexlib import Cortex, CortexMulti
"""
This transform is related to the Cortex API.
"""
class CortexTransform():
    def __init__(self, analyzer, dataType, reverse_link, count, entity_value, transform, timer, parameters):
        if self.ANALYZER not in ["qualify_offline", "qualify_online"]:
            cortex = Cortex(self.SERVER,
                            [...]
                            parameters=self.PARAMETERS,
                            timeout=str(self.TIMER) + "minutes",
                            message="Sent from Maltego")
            cortex_res = cortex.run()
            if "status" in cortex_res and cortex_res["status"] == "Success":
                res = cortex_res["report"]["full"]
                if self.COUNT:
                    # Only return the number of entities found, not the entities themselves
                    self.add_entities({'entities': [{"type": "string", "value": str(len(res["entities"]))}]})
                else:
                    self.add_entities(res)
                print(self.TRANSFORM.returnOutput())
            elif ("status" in cortex_res and cortex_res["status"] == "Failure"
                  and "report" in cortex_res and "errorMessage" in cortex_res["report"]):
                # Surface the analyzer error in Maltego instead of failing silently
                self.TRANSFORM.addException(sanitize(cortex_res["report"]["errorMessage"]))
                print(self.TRANSFORM.throwExceptions())
    [...]
FOLLOW ADVERSARIES INFRASTRUCTURES: Let's begin!
Our use case is based on the PoshC2 software (https://github.com/nettitude/PoshC2):
Proxy-aware C2 framework
Main implant written in PowerShell
Features for penetration testers with post-exploitation and lateral movement
Why PoshC2?
Default HTTP response (as defined in the PoshC2 source):
HTTPResponse = """<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title >404 Not Found </title ></head><body><h1>Not Found </h1><p>The requested URL was not found on this server.</p><hr><address >Apache (Debian) Server </address ></body ></html>"""
Default HTTP response (as served):
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache (Debian) Server at Port 80</address></body></html>
Default parameters for the x509 certificate:
C = "US"
ST = "Minnesota"
L = "Minnetonka"
O = "Pajfds"
OU = "Jethpro"
CN = "P18055077"
Linked intrusion set: used by at least one intrusion set followed by ANSSI, APT33
APT33 is a suspected Iranian threat group that has carried out operations since at least 2013.
The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.
FOLLOW ADVERSARIES INFRASTRUCTURES: Finding PoshC2 pages on scanning services
Searching the X509 certificate:
SHODAN: ssl:"O: Pajfds" ssl:"CN: P18055077" ssl:"OU: Jethpro"
CENSYS: 443.https.tls.certificate.parsed.subject_dn:"C=US, ST=Minnesota, L=Minnetonka, O=Pajfds, OU=Jethpro, CN=P18055077"
ZOOMEYE: "Jethpro"
FOFA: "Jethpro"
Searching HTTP default pages:
SHODAN: http.html_hash:"-159349520"
CENSYS: 443.https.get.body_sha256: c09661c86c90e94743c18fdc9ad1f2acf6b8064c6b8e0ae00fbab21790fbfbc2
ZOOMEYE
FOFA: header="404 Not Found" && title="404 Not Found" && body="Apache (Debian) Server</address>" && port=443
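An added example (not from the talk): the same pivot as the scan-service queries above, applied offline to data a defender already holds (a certificate subject DN and an HTTP body, e.g. from passive TLS logs or a proxy capture), matching them against the PoshC2 defaults quoted on the previous slide. Function names and the "partial-match" labelling are assumptions.

```python
import hashlib
import re

# PoshC2 defaults as quoted on the slides: certificate subject and the 404 body as served.
POSHC2_DEFAULT_SUBJECT = {"C": "US", "ST": "Minnesota", "L": "Minnetonka",
                          "O": "Pajfds", "OU": "Jethpro", "CN": "P18055077"}
POSHC2_DEFAULT_BODY = ('<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head>'
                       '<title>404 Not Found</title></head><body><h1>Not Found</h1>'
                       '<p>The requested URL was not found on this server.</p><hr>'
                       '<address>Apache (Debian) Server at Port 80</address></body></html>')

def parse_subject_dn(dn):
    """Turn a Censys-style subject DN ('C=US, ST=Minnesota, ...') into a dict.
    Assumes attribute values contain no escaped commas."""
    return dict(part.strip().split("=", 1) for part in dn.split(",") if "=" in part)

def subject_matches(dn, reference=POSHC2_DEFAULT_SUBJECT):
    """Return the reference attributes found with the same value, and whether the
    O/OU/CN triple matches; C/ST/L on their own are far too common to be a signal."""
    subject = parse_subject_dn(dn)
    hits = {k for k, v in reference.items() if subject.get(k) == v}
    return hits, {"O", "OU", "CN"} <= hits

def body_matches(body, reference=POSHC2_DEFAULT_BODY):
    """Compare a response body with the default page, ignoring whitespace so that
    the 'this\\nserver' line break visible in the slide quote still matches."""
    squash = lambda s: re.sub(r"\s+", " ", s).strip()
    return squash(body) == squash(reference)

def body_sha256(body):
    """Hex digest of the exact bytes, i.e. the value the Censys body_sha256 field carries
    (whitespace differences change it, which is why body_matches normalizes first)."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def classify(dn, body):
    """Combine both indicators; a hit on only one of them deserves a manual look
    rather than an automatic verdict."""
    _, strong_cert = subject_matches(dn)
    page = body_matches(body)
    if strong_cert and page:
        return "poshc2-default-profile"
    if strong_cert or page:
        return "partial-match"
    return "no-match"
```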
INVESTIGATION ON A MALICIOUS CLUSTER: Targeting of African governments and international organizations
Study of CIDR 104.238.223.0/27
INVESTIGATION ON A MALICIOUS CLUSTER: Victimology and TTPs
Targeting of African governments and international organizations
WHAT'S NEXT FOR THREATS ANALYSIS: New tools and methodologies
Implement correlation and clustering features for TTPs in OpenCTI
Automated pivots replay for discovering new infrastructure elements
For knowledge purposes: extract named entities and relationships in context using NLP and ML
https://www.microsoft.com/security/blog/2019/08/08/from-unstructured-data-to-actionable-intelligence-using-machine-learning-for-threat-intelligence/