FIRST Cyber Threat Intelligence 2019 conference based in London

Cert-IST attended the FIRST conference on Cyber Threat Intelligence (CTI) from March 18 to 20, 2019 in London. Below are some of the conferences we selected as the most interesting and we wanted to share with our community.

At the end of the document we list the different conferences and workshops for which presentations are also available on the Internet for consultation.

 

Monday, March 18th. This session was devoted to hands-on work (Workshops)

OPSEC for investigators and researchers
Krassimir Tzvetanov (Fastly, US)
[TLP:AMBER]

This first Workshop deals with Operation Security (OPSEC), i.e. protecting people who perform an operation from being detected. In the case of a cyber security investigation, investigators must operate without being detected by the attackers. The risk is to leave tracks, attackers will use later on to carry out Doxing-type actions (i.e. release personal information) on the investigators to end the investigation.

The speaker insisted that "harmless" Google searches (e. g. an hash search), or simply doing commands such as "nslookup" on an unknown domain, leave traces and can cause an attacker to realize that he or she has been spotted. This latter for example, can insert in its malware code a useless domain name. If he then sees DNS requests for this domain, he knows that a cybersecurity team is currently analyzing his malware.

As for OPSEC itself, he explained that the various software components used in an investigation should be isolated as much as possible to avoid any traces that might be used by attackers. The host therefore prepared a workshop in which we had to create Linux containers (LXC) in order to use a web browser (such as "Chrome"), without any information about the user and his workstation (no cookies, favorite websites, browser history etc...) so we could perform searches on the web without leaving interesting and useful tracks.

 

Training: The ACT Threat Intelligence Platform
Dr. Martin Eian (mnemonic, NO)
Présentation : https://www.first.org/resources/papers/london2019/Training-The-ACT-Threat-Intelligenve-Platform-Eian.pdf
[TLP:WHITE]

The second workshop focused on structuring / organizing (with graphs) the indicators of compromise (IoCs) used in CTI. The aim of these graphs is to allow a quick understanding of the relationships between different indicators. The tool presented here "The ACT Platform" is OpenSource and developed by Mnemonic. It is based on OpenSource bricks such as ElasticSearch, Cassandra, Apache TinkerPop. The goal of the demonstration was to use this tool to gather information and context from a single indicator that seemed to be isolated. This tool allows to easily find the threat actors who can be related to a hash, then go back to the techniques and tools ("MITRE ATT&CK") used by this group, retrieve the report quoting these IoCs etc...).

 

Tuesday, March 19th (Conferences)

5 years of applied CTI discipline: where should organisations put focus on?
Andreas Sfakianakis (Royal Dutch Shell, NL)
Présentation : https://www.first.org/resources/papers/london2019/Andreas_Sfakianakis_FIRST_CTI_2019_v2.0.pdf
[TLP:WHITE]

Andreas explains that APT attacks became mainstream in 2009 and led to the development of the CTI following the first reports about APT1 in 2013. The CTI had the wind in its sails at its beginnings in 2013 and then, faced with certain disappointments, its adoption was slowed down to finally become a subject of interest again in recent years and become stable. According to the speaker, over the past 5 years, the most common mistake made by CTI teams has been to avoid identifying and communicating with stakeholders (companies subscribing to a CTI offer), and in particular by not considering their criteria and requirements. For a CTI service to be interesting, he believes that the client itself should define what it wants to obtain in terms of information/enrichments and that there should be constant interaction (meetings) between the client and the CTI teams to provide feedbacks and thus improve the quality of the information produced.

He concluded his presentation by defining the steps required to produce a high-quality CTI report, which he believed should be structured (and maintain the same structure for each new report), no longer than 2 pages long and written according to the audience who will read the document. The most important information to take away from this presentation is that in order to have a successful CTI service, it is essential to clearly define with customers their requirements and expectations, and to include stakeholders in meetings to get feedbacks and thus allow continuous improvement of the service.

 

Building, Running, and Maintaining a CTI Program
Michael J. Schwartz (Target, US); Ryan Miller (Target, US)
Présentation : https://www.first.org/resources/papers/london2019/10-Building-Running-Maintaining-Schwartz-Miller.PPTX
[TLP:WHITE]

The two Cybersecurity engineers from Target (a chain of stores similar to Walmart, USA) presented the different services a CTI team can provide, depending on the size of the team (number of full time engineers).

• 1 full-time engineer can provide a monitoring and analysis service for new vulnerabilities in order to prioritize the most important threats and help BlueTeam teams for mitigation.
• 2 full-time engineers can additionally analyze ongoing phishing to get an overview of the threat and current campaigns.
• 4 full-time engineers can also analyze captured data to get a view of trends and produce a daily report on current threats and related indicators (DailyDigest).
• 5 full-time engineers can develop a system to track groups of attackers, analyze their strategies and provide support in cases of fraud and assess risks to customers.

 

To summarize, according to them, a CTI team increases its capabilities step by step by improving the various services they offer. Teams need to prioritize and maintain a focus on interesting campaigns rather than reacting to each campaign. They must focus on quality rather than quantity. And therefore carry out investigations. Teams also need to focus on the impact of a threat (or could have) rather than the result of it (number of machines compromised, indicators). Finally, they stressed the importance of sharing and communicating with other CTI teams.

 

Adventures in Blunderland
Allison Wikoff (Secureworks, US); Matt Webster (Secureworks, GB)
[TLP:AMBER]

Very interesting talk about the different ways in which Cybersecurity researchers have identified the threat actors involved in an attack. Usually, the clues collected are due to carelessness by some members of a group. Concrete examples were presented in which an identification of the attacker was possible thanks to a section of code present in malware and found on a website such as "stackoverflow" to get advice regarding a bug in the code. In another campaign, a forgetful omission to mount the VPN before connecting to the infected machine allowed the identification of the actors. Typo mistakes found in the attackers' writings are also a clue to identify the actors behind a threat. For example, a smiley with 3 brackets - like ")))" - is typically Russian. All the errors identified in this presentation have made it possible to trace back to the group of hackers who were at the origin of the attack, hence the fact that this presentation was classified as TLP:AMBER.

 

The Hitchhiker's Guide to Threat Research
Bryan Lee (Palo Alto Networks, US)
présentation : https://www.first.org/resources/papers/london2019/1530-Hitchhikers-Guide-Lee.pptx
[TLP:WHITE]

This presentation was very instructive. The speaker (Bryan Lee) is part of the Palo Alto Unit 42 teams, and he summarized how from 3 IoCs identified in their internal logs as interesting, they perform a CTI analysis and highlight a new ongoing campaign.

The fictive scenario set up during this presentation is as follows: after a phishing received by email containing a malicious "doc" document as an attachment, the teams initially recover 3 IoCs: a domain name, an IP and a hash. Then, they split their work into 3 main stages:

• Search for information on IoCs related to the attackers' infrastructure
  Domain name retrieve, IP used.
• Searching for information about binaries
  Retrieving strings that are generally reused in different malware, searching for similarities with other malicious files....

The speaker emphasizes on the need to perform several successive pivots on each indicator (IoC) in order to try to gather as much information as possible. On the other hand, if on a pivot (for example of passivedns type) the result returned contains more than a hundred items, it is necessary to stop there, because they are probably false-positive. Usually the number of pivots to be performed per indicator is a maximum of 3 or 4.

• Identifying the tactics used
  Finally, it is necessary to identify the different tactics used by the attacker.

Once these 3 steps are completed, all that remains is to write the CTI report. The presenter's advice is to produce a report according to the type of audience for which it will be intended, write it as if you were telling a story (without necessarily going into too much technical detail), give priority to the use of images and screenshots in the reports and finally be meticulous: all the elements and assumptions made in the report must be factual.

 

A Lightweight Markup Language for Graph-Structured Threat Sharing
Mayo Yamasaki (NTT-CERT, JP)
Présentation : https://www.first.org/resources/papers/london2019/1730-A-Lightweight-Markup-Yamasaki-2-.pptx
[TLP:WHITE]

A very promising presentation from the Japanese CERT on the development of an OpenSource language and tool allowing to extract important information from a threat report and present it in the form of a graph with the different relationships among the indicators. The programming language used here seems less constraining to use than STIX and more easily comprehensible. After being used on a CTI report, it is then possible to retrieve both a JSON output using the STIX standard and a graph showing the different relationships between the indicators. At the time of its presentation, the tool was not ready yet and therefore not yet available in OpenSource.

 

Wednesday 20 Mars (Conferences)

Quality Over Quantity: Determining Your CTI Detection Efficacy
David J. Bianco (Target, US)
Présentation : https://www.first.org/resources/papers/london2019/11-Quality-over-Quantity-Bianco.pptx
[TLP:WHITE]

This was one of the most appreciated presentations at this CTI conference. David Bianco (creator of the famous "pyramid of pain" explains that he received the following request from his superior:

“Will our current threat intelligent allow us to face cyber attacks that may be targeting us during the next sales?”

To answer this question, David identified the main actors who could represent a threat to his company, gathered all the information known so far concerning these actors, evaluated the current CTI, and finally identified gaps in this information.

With respect to the evaluation of the company's current CTI, the speaker decided to ask himself the following questions:

• Does the company know the different recurrent behaviors of the actors who represent a threat to the company?
• Are the company's IoCs (indicators) ephemeral? In which phases of an attack could opponents go unnoticed?
• Is the current threat intelligence recent enough to be used? Is there also enough history to provide context for the attackers?
• Where should efforts to improve the current CTI focus?

In summary, an analysis of the company's internal CTI was carried out by the speaker:

1. by identifying the main threat actors who would represent a threat to the company,
2. by extracting and cleaning (merging data and removing duplicates) the company's IoCs databases.

Subsequently these different markers were mapped with MITRE ATT&CK and the pyramid of pain. An analysis of the results then followed, to identify the various gaps in the database that could lead to a loss of visibility. Finally, the presenter advises to automate these different processes to run them regularly on CTI databases and thus remain focused on quality CTI information.

 

Your Requirements are not my Requirements
Pasquale Stirparo (Google, CH)
Présentation : https://www.first.org/resources/papers/london2019/1430-1500-Your-Requirements-are-Not-My-Requirements-Speaker-Pasquale-Stirparo.pdf
[TLP:WHITE]

The objective of this presentation was to insist on the fact that without requirements made with the client there cannot be Threat Intelligence. It is necessary to provide threat intelligence information that is prioritized and to emphasize quality over quantity to ensure that the most critical information is not overwhelmed by other information considered as "noisy". The specifications are therefore composed of two requirements: data collection (defined by the CTI team) and production requirements (defined by the client and managers). The purpose of these specifications is to clearly identify with the customers, the threats that will be interesting to be prioritized by the company, which attacks are the most critical, which are the threat actors who would potentially be interested in the company's business, but also to identify with the customer the technical elements that will allow him to have visibility on his network (what equipment will send the logs and what information will be useful to process the Threat Intelligence information).

 

 

Appendix : slides available for the presentations

Beginner Tracking Adversary Infrastructure
Michael Schwartz (Target, US), Tim Helming (DomainTools, US)
Presentation: https://www.first.org/resources/papers/london2019/9-Beginner-Tracking-Adversary-Schwartz-Helming.pptx
[TLP:WHITE]

TIBER: connecting threat intelligence and red teaming
Marc Smeets, Stan Hegt (Outflank, NL)
[TLP:WHITE]

5 years in adversary emulation
James Chappell (Digital Shadows, GB)
Presentation: https://www.first.org/resources/papers/london2019/james-cha.pdf
[TLP:WHITE]

All Your Heatmap Are Belong To Us - Building an Adversary Behavior Sighting Ecosystem
Richard Struse (MITRE, US)
[TLP:WHITE]

Logistical Budget
Éireann Leverett (Conconnity Risks, GB)
Presentation: https://www.first.org/resources/papers/london2019/1430-Logistical-Budget-Leverett.pptx
[TLP:WHITE]

Cloudy with low confidence of Threat Intelligence: How to use and create Threat Intelligence in an Office365 Environment
Dave Herrald, Ryan Kovar (Splunk, US)
Presentation: https://www.first.org/resources/papers/london2019/1600-1630-Cloudy-with-Low-Confidence-Herrald-Kovar.pptx
[TLP:WHITE]

Drawing the line: cyber mercenary or cyber threat intelligence provider?
Stewart Bertram (Digital Shadows, GB)
[TLP:WHITE]

Going from Guilt to Guild: Confessions of a TI Provider
Diederik Perk (Fox-IT, NL)
[TLP:WHITE]

Turning intelligence into action with MITRE ATT&CK™
Adam Pennington, Katie Nickels (MITRE, US)
[TLP:WHITE]

ATT&CK™ Is The Best Form Of…Reconnaissance: Using MITRE PRE-ATT&CK™ To Enrich Your Threat Model
Richard Gold (Digital Shadows, GB)
Presentation: https://www.first.org/resources/papers/london2019/rich-gold.pdf
[TLP:WHITE]

Metrics and ATT&CK. Or how I failed to measure everything.
Francesco Bigarella (ING Bank, NL)
Presentation: https://www.first.org/resources/papers/london2019/Metrics-and-attack-website.pdf
[TLP:WHITE]

How to get promoted: Developing metrics to show how threat intel works
Marika Chauvin, Toni Gidwani (ThreatConnect, US)
Presentation: https://www.first.org/resources/papers/london2019/1130-How-to-Get-Promoted-Gidwani.pdf
[TLP:WHITE]

EVALUATE OR DIE TRYING - A Methodology for Qualitative Evaluation of Cyber Threat Intelligence Feeds
Sergey Polzunov, Jörg Abraham (EclecticIQ, NL)
Presentation: https://www.first.org/resources/papers/london2019/EVALUATE-OR-DIE-TRYING-Abraham-Polzunov.pdf
[TLP:WHITE]

Insights and Challenges to Automated Collaborative Courses of Action
Allan Thomson (LookingGlass CERT – LookingGlass, US); Bret Jordan (Symantec, US)
Presentation: https://www.first.org/resources/papers/london2019/1330-1400-Insights-and-Challenges-Thomson-Jordan.pptx
[TLP:WHITE]

A Place for Analysis of Competing Hypothesis (ACH) in CTI: Applications and Evolution of ACH in CTI
Caitlin Huey (EclecticIQ, NL)
Presentation: https://www.first.org/resources/papers/london2019/A-Place-for-Analysis-of-Competing-Hypothesis-ACH-in-CTI-Huey.pptx
[TLP:WHITE]

Semi-intelligence: trying to understand threats on a country level
Paweł Pawliński (CERT.PL, PL)
[TLP:WHITE]

Statistical Techniques to detect Covert Channels Employing DNS
Dhia Mahjoub, Thomas Mathew (Cisco Umbrella (OpenDNS), US)
[TLP:WHITE]

Code Reuse Analysis: Transforming a Disadvantage into a Game-Changing Advantage
Shaul Holtzman (Intezer, US)
Presentation: https://www.first.org/resources/papers/london2019/1630-Code-Reuse-Analysis-Holtzman-.pdf
[TLP:WHITE]

File-Centric Analysis through the Use of Recursive Scanning Frameworks
David Zawdie (US)
Presentation: https://www.first.org/resources/papers/london2019/1700-1730-File-Centric-Analysis-Through-Zawdie.pptx
[TLP:WHITE]

Building STINGAR to enable large scale data sharing in near real-time
Jesse Bowling (Duke University, US)
Presentation: https://www.first.org/resources/papers/london2019/1730-1800-Building-STINGAR-Bowling.pptx
[TLP:WHITE]