PRACTICAL THREAT INTELLIGENCE

- Define your requirements. Understand international relations and the geopolitical context.
- Collect & classify intelligence reports: Advanced Persistent Threats and threat actors; tactics, techniques and procedures; vulnerability reports.
- Collect & classify Indicators of Compromise (IOCs) coming from incident response, Open Source Intelligence (OSINT) and threat hunting.
- Analyze & triage IOCs: malware and/or vulnerability analysis, whitelisting of known-good indicators, infrastructure mapping, new domains.
- Hunt & pivot for new attacks: create YARA, Sigma and Snort rules; identify code similarities; search for infrastructure overlap and passive DNS; mass scanning to uncover new C2s; set up honeypots; get information from private sources. Pivoting on shared infrastructure (CDNs, shared hosting, sinkholes, public DNS resolvers) links unrelated actors, so exclude it before pivoting.
- Understand victimology: who and where are the targets, which sectors? Make the connections to past attacks. Find a link with the geopolitical context.
- Share intelligence, dispatch IOCs, improve the knowledge base. Iterate & improve the process.

@fr0gger_ Thomas Roccia

TACTICS, TECHNIQUES AND PROCEDURES (TTP)

TTP is a military term describing the operations of enemy forces. In InfoSec, TTP is an approach for profiling and contextualizing cyberattack operations. Being able to break a complex attack down into its TTPs makes detection much easier to reason about, because tactics and techniques are stable across campaigns while the indicators (hashes, domains, IPs) change constantly.

ATTACK LIFECYCLE (MITRE): Recon > Weaponize > Deliver > Exploit > Control > Execute > Maintain

- Tactics describe how an attacker operates during an operation (infrastructure reuse, number of entry points, compromised targets).
- Techniques describe the approach used to carry out the tactical phase (tools used, malware, phishing attacks).
- Procedures describe the specific sequence of actions an attacker uses to execute each step of the attack cycle.

MITRE ATT&CK MATRIX

The ATT&CK matrix is a knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. It documents the tactics, techniques and procedures (TTPs) that advanced persistent threats use. ATT&CK organizes techniques into a set of tactics to provide context (a tactic is the adversary's goal, a technique is how the goal is achieved). It can be used to profile each step of a cyberattack operation.

(Matrix excerpt: tactic columns such as Initial Access, Execution, Persistence and Privilege Escalation, each listing its techniques.)

- Understand the operating method of an attacker.
- Identify the techniques and tactics used.
- Assess defensive coverage and identify high priority gaps.

Source: https://attack.mitre.org

DIAMOND MODEL OF INTRUSION ANALYSIS

The Diamond Model is an approach to conducting intelligence on network intrusion events. The model relates four basic elements of an intrusion: adversary, capability, infrastructure and victim. An intrusion event is defined as how the attacker demonstrates and uses certain capabilities and techniques over infrastructure against a target.

- Adversary: the actor responsible for utilizing a capability against the victim to achieve their intent.
- Capability: the tools and techniques of the adversary used in the event.
- Infrastructure: the physical and/or logical communication structures the adversary uses to deliver a capability, maintain control of capabilities (C2) and effect results from the victim.
- Victim: the target of the adversary, against whom vulnerabilities and exposures are exploited and capabilities used.

Source: https://apps.dtic.mil/dtic/tr/fulltext/u2/a586960.pdf

ANATOMY OF A YARA RULE

YARA is a tool used to identify files based on textual or binary patterns. A rule consists of a set of strings and a condition that determines its logic. Rules can be compiled with "yarac" to speed up repeated scans with the same rule set.

RULE NAME: the rule name identifies your YARA rule; choose a meaningful name. Rules can also be declared private (hidden from the output, usable by other rules) or global (must match before any other rule in the file matches).

MODULE: YARA modules extend its functionality. The PE module can be used to match specific data from a PE file (headers, sections, imports, entry point). Modules include pe, elf, hash, math, cuckoo, dotnet and time; a module must be imported at the top of the file before use.

METADATA: rules can also have a meta section where you put additional information about the rule (author, description, reference, date). Metadata never influences matching.

STRINGS: the strings section defines the patterns that should match your rule. There are 3 types of strings:
- Text strings
- Hexadecimal strings
- Regular expressions

TEXT STRINGS can be used with modifiers:
- nocase: case-insensitive match
- wide: match the string encoded with 2 bytes per character (UTF-16LE); combine with ascii to match both forms
- fullword: the string must be delimited by non-alphanumeric characters
- xor(0x01-0xFA): also look for copies of the string XOR-encoded with any single-byte key in the range
- base64: also look for the base64-encoded forms of the string

HEXADECIMAL strings match pieces of binary data:
- Wild-cards: { 00 72 A? }
- Jumps: { 38 [2-4] B9 45 }
- Alternatives: { F4 23 ( 62 B4 | 56 ) 45 }

REGEX: regular expressions are written between slashes and can carry the same modifiers as text strings.

CONDITION: conditions are Boolean expressions over the defined strings, combined with the Boolean operators and, or, not.

ADVANCED CONDITION:
- Bitwise operators (&, |, ^, ~, <<, >>)
- Accessing data at a given position: uint16(0) == 0x5A4D (the "MZ" header, read little-endian)
- Check the size of the file: filesize < 2000KB
- Counting occurrences of a string: #a > 3
- Set of strings: any of ($string*, $hex*)
- Same condition applied to many strings: for all of them : ( # > 3 )
- String at a fixed offset: $string1 at 100, or with the offset variable @string1 == 100
- String at the entry point: $string1 at pe.entry_point
- Match length: !a[1] == 32
- String within a range of offsets: $a in (0..100)

@fr0gger_ Thomas Roccia
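The rule below is an added, self-contained example (it is not from the cheat sheet or from its author) that exercises most of the anatomy above on one rule file: meta, ASCII/wide/xor/base64 text strings, a hex string with a wild-card and a jump, a regex, and a condition that combines the MZ check, filesize, the pe module, a string count, an offset range and a set of strings. The hostname, command lines, URI path and byte sequence are made up for illustration; a real rule would take them from analysed samples.

```yara
import "pe"

// Added example rule, not from the cheat sheet. Every string below is
// invented for illustration; replace with values extracted from real samples.
rule Example_PE_Dropper_C2 : dropper example
{
    meta:
        author      = "example"
        description = "Illustrates the YARA rule anatomy: meta, strings, condition, pe module"
        reference   = "https://yara.readthedocs.io/"

    strings:
        // text strings: ascii + wide catch both byte encodings, nocase ignores case,
        // fullword avoids matching inside a longer token, xor(...) finds single-byte
        // XOR-encoded copies, base64 finds base64-encoded copies
        $c2_host   = "update.example.invalid" ascii wide nocase
        $cmd       = "cmd.exe /c" fullword
        $xor_key   = "powershell -enc" xor(0x01-0xff)
        $b64_agent = "Mozilla/5.0 (compatible" base64

        // hex string: ?? is a wild-card nibble pair, [2-4] skips 2 to 4 bytes
        $stub = { 8B 45 ?? 33 C0 [2-4] 80 34 08 }

        // regular expression for a made-up C2 URI
        $uri = /\/gate\.php\?id=[0-9a-f]{8}/

    condition:
        uint16(0) == 0x5A4D                       // "MZ": cheap check before the pe module runs
        and filesize < 2000KB
        and pe.number_of_sections > 2             // data from the PE header via the module
        and $c2_host
        and (#cmd > 1                             // string occurrence count
             or $stub in (pe.entry_point..pe.entry_point + 512))  // offset range at entry point
        and any of ($xor_key, $b64_agent, $uri)   // set of strings
}
```

Run it with `yara -s Example_PE_Dropper_C2.yar <dir>` (`-s` prints the matching strings and offsets, which is how you check that a rule fires for the reason you intended) or compile it once with `yarac` when scanning many files. Note that `base64` cannot be combined with `nocase`, `xor` or `fullword` on the same string, and that the ordering of the condition matters for speed: the `uint16(0)` and `filesize` tests cost nothing and short-circuit the expensive parts on files that can never match.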
ANATOMY OF A SIGMA RULE

Sigma is a tool used to identify patterns in log events using rules. A rule consists of a set of detection fields that describe the malicious events to identify. Sigma is for log files what Snort is for network traffic and YARA is for files: a generic, YAML-based rule format that converters translate into the query language of a given SIEM.

- TITLE: title of the rule; a short name that allows the reader to quickly identify its goal.
- ID: a Universally Unique Identifier (UUID), e.g. generated at https://www.uuidgenerator.net
- RELATED: references to related rules, with the type of relation (derived, obsoletes, merged, renamed).
- DESCRIPTION: description of the current rule, what it detects and why.
- REFERENCES: external links or documents for the rule. This field must be a list.
- TAGS: tags, typically from MITRE ATT&CK (tactic and technique, e.g. attack.credential_access, attack.t1003.001).
- AUTHOR: the author(s) of the rule.
- DATE: the date of rule creation.
- LOGSOURCE: identifies the log source the rule applies to, using category (e.g. process_creation), product (e.g. windows) and/or service (e.g. sysmon).
- DETECTION: the fields used to trigger the detection, made of one or more search identifiers (selection, filter, keywords) and a condition.
- FIELDS: list of log fields of interest to display when the rule fires.
- FALSE POSITIVES: describe the known benign situations that trigger the rule.
- LEVEL: the severity of the rule (informational, low, medium, high, critical).

DETECTION: a search identifier is a map of field name to value (all entries must match, logical AND) or a list of values (any may match, logical OR). Field names can carry modifiers after a pipe: contains, startswith, endswith, all (every listed value must be contained), re (regular expression), base64, base64offset, wide/utf16le, cidr.

CONDITION:
- Logical AND/OR between search identifiers: selection and keywords, keywords1 or keywords2
- 1 of search-identifier-pattern / all of search-identifier-pattern: 1 of selection*, all of selection*
- 1 of them (logical OR of every search identifier), all of them (logical AND of every search identifier)
- Negation with not: selection and not filter
- Brackets for grouping: (selection1 and selection2) or selection3
- Aggregation expression after a pipe: selection | count() by SourceIP > 10
- Operator precedence, least to most binding: or, and, not, 1/all of

@fr0gger_ Thomas Roccia
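The rule below is an added example of a complete Sigma rule that uses every field listed above (it is not a rule from the cheat sheet or from its author). It targets a well-known credential theft technique, dumping LSASS memory with ProcDump, because that maps cleanly to ATT&CK T1003.001. The UUID is a placeholder to be regenerated, and the parent process in the filter (`approved-tooling.exe`) is a hypothetical name standing in for whatever your environment's sanctioned tooling is.

```yaml
# Added example rule, not from the cheat sheet. Replace the id with a freshly
# generated UUID; the filter's parent image is a hypothetical placeholder.
title: LSASS Memory Dump via ProcDump
id: 7f0a9c5e-3d4b-4a1e-9b2c-0c1d2e3f4a5b
status: experimental
description: >
    Detects ProcDump (or a renamed copy identified by its original file name)
    being used to dump the memory of lsass.exe, a common credential theft step.
references:
    - https://attack.mitre.org/techniques/T1003/001/
author: example
date: 2024/01/01
tags:
    - attack.credential_access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    # list of maps: any entry may match (logical OR)
    selection_img:
        - Image|endswith:
              - '\procdump.exe'
              - '\procdump64.exe'
        - OriginalFileName: 'procdump'
    # map with |contains|all: every listed value must appear in CommandLine
    selection_cmd:
        CommandLine|contains|all:
            - '-ma'
            - 'lsass'
    # hypothetical exclusion for a sanctioned troubleshooting wrapper
    filter_sanctioned:
        ParentImage|endswith: '\approved-tooling.exe'
    # "all of selection_*" expands to selection_img and selection_cmd
    condition: all of selection_* and not filter_sanctioned
fields:
    - Image
    - CommandLine
    - ParentImage
    - User
falsepositives:
    - Administrators legitimately troubleshooting with ProcDump
level: high
```

Two points to check before shipping a rule like this: `endswith` on `Image` is only as strong as the attacker's laziness (a renamed binary bypasses it, which is why `OriginalFileName` from the PE version resource is in the same OR list), and an exclusion on `ParentImage` alone is a weak filter, since anything that can spawn a child process under that parent inherits the exemption. Sigma converters emit the SIEM-specific query, so test the converted query against a sample event, not just the YAML.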
LOG PARSING CHEAT SHEET

GREP searches for patterns in files. ZGREP does the same for gzip files.
$ grep pattern file.log
- -n: prefix each match with its line number
- -i: case insensitive
- -v: invert the match (lines that do not match)
- -E: extended regex
- -c: count matching lines (lines, not occurrences)
- -l: list only the names of files that match the pattern

NGREP analyzes network packets.
$ ngrep -I file.pcap
- -d: specify the network interface
- -i: case insensitive
- -x: print in alternate hexdump format (hexadecimal as well as ASCII)
- -t: print timestamps
- -I: read packets from a pcap file

CUT parses fields from delimited logs.
$ cut -d' ' -f2 file.log
- -d: the field delimiter
- -f: the field numbers
- -c: select by character position instead of field

SED (Stream Editor) is used to transform a file, most often to replace strings.
$ sed 's/regex/replacement/g' file.log
- s: substitute
- -e: add a script expression (several -e can be chained)
- g: replace all occurrences on the line, not just the first
- -n: suppress automatic printing (use with p to print only selected lines)
- d: delete the matching line
- w: write the matching line to a file

SORT sorts a file.
$ sort foo.txt
- -c: check whether the input is already ordered
- -u: sort and remove duplicates
- -f: ignore case
- -h: human numeric sort (2K, 1G)
- -o: output to a file
- -r: reverse order
- -n: numerical sort
- -k: sort by column (key)

UNIQ extracts unique occurrences. It only collapses adjacent duplicates, so sort the input first.
$ uniq foo.txt
- -c: count the number of duplicates
- -d: print only duplicated lines
- -i: case insensitive

DIFF displays the differences between files by comparing them line by line.
$ diff foo.log bar.log
How to read the output: each hunk header is <line numbers>a|c|d<line numbers>, where a = added, c = changed, d = deleted; lines prefixed with < come from file 1, lines prefixed with > from file 2.

AWK is a programming language used to manipulate column-oriented data.
$ awk '{print $2}' foo.log
Print the first column with a custom separator:
$ awk -F: '{print $1}' /etc/passwd
Print the lines of f2.txt that also appear in f1.txt (FNR==NR is true only while reading the first file):
$ awk 'FNR==NR {a[$0]++; next} ($0 in a)' f1.txt f2.txt

@fr0gger_ Thomas Roccia

LOG PARSING CHEAT SHEET 2

HEAD displays the first 10 lines of a file by default.
$ head file.log
- -n: number of lines to display
- -c: number of bytes to display

TAIL displays the last 10 lines of a file by default.
$ tail file.log
- -n: number of lines to display
- -f: wait for additional data (follow)
- -F: same as -f but keeps following the file name after rotation

LESS displays the content of a file page by page and is faster than MORE. ZLESS does the same for compressed files.
$ less file.log
- SPACE: display the next page
- /: search
- n: next match
- g: beginning of the file
- G: end of the file
- +F: follow the file like tail -f

COMM selects or rejects lines common to two files. Both inputs must be sorted (with the same locale) or the output is wrong.
$ comm foo.log bar.log
Three columns as output:
- Column 1: lines only in file 1
- Column 2: lines only in file 2
- Column 3: lines in both files
- -1, -2, -3: suppress the corresponding column (comm -12 prints only common lines)

CSVCUT (from csvkit) parses CSV files.
$ csvcut -c 3 data.csv
- -n: print the column names
- -c: extract the specified columns
- -C: extract all columns except the specified ones
- -x: delete empty rows

JQ parses JSON files.
$ jq . foo.json
- jq . foo.json: pretty print
- jq '.[]' foo.json: output the elements of an array
- jq '.[0]' foo.json: output the first element of an array

TR replaces characters in a stream.
$ tr 'a' 'b' < foo.txt
- -d: delete the characters
- -s: squeeze repeated characters into a single one
Lower to upper case for every character:
$ tr '[:lower:]' '[:upper:]' < foo.txt

CCZE colors logs.
$ ccze < foo.log
- -h: output in HTML
- -C: convert Unix timestamps
- -l: list the available plugins
- -p: load the specified plugin

@fr0gger_ Thomas Roccia
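The script below is an added example (not from the cheat sheet or its author) that chains the tools from both cheat sheets into three small triage steps over a constructed sshd log: failed logins per source IP, sources missing from an allowlist, and log lines whose source is on an IOC list. It assumes only POSIX sh and coreutils; the log lines, the allowlist and the IOC list are made up (RFC 5737 documentation addresses), and the file names are whatever the script creates in a temp directory.

```shell
#!/bin/sh
# Added example, not from the cheat sheet: grep/cut/sort/uniq/awk/comm chained
# into three triage steps over a constructed sshd auth.log.
set -eu
export LC_ALL=C   # sort and comm must agree on collation; pin it

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample lines in sshd's auth.log format (documentation IPs, not real data).
cat > "$WORK/auth.log" <<'EOF'
Mar  4 10:01:02 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  4 10:01:05 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  4 10:01:09 bastion sshd[1204]: Failed password for root from 198.51.100.23 port 40110 ssh2
Mar  4 10:02:11 bastion sshd[1210]: Accepted publickey for deploy from 192.0.2.10 port 60001 ssh2
Mar  4 10:02:40 bastion sshd[1215]: Failed password for invalid user test from 203.0.113.7 port 51030 ssh2
Mar  4 10:03:00 bastion sshd[1220]: Failed password for oracle from 198.51.100.23 port 40115 ssh2
EOF

# Constructed allowlist (deliberately unsorted) and constructed IOC list.
printf '192.0.2.11\n192.0.2.10\n' > "$WORK/allowlist.txt"
printf '198.51.100.23\n' > "$WORK/iocs.txt"

# 1. Failed logins per source, busiest first. grep -i selects the event, grep -o
#    and cut keep only the IP after "from", sort makes duplicates adjacent (uniq
#    only collapses adjacent lines), uniq -c counts, sort -rn orders by count.
#    Output lines are "<ip> <count>".
failed_by_source() {
  grep -i 'failed password' "$1" \
    | grep -oE 'from [0-9.]+' | cut -d' ' -f2 \
    | sort | uniq -c | sort -rn \
    | awk '{ print $2, $1 }'
}

# 2. Sources that are NOT on the allowlist. comm walks both files in lock step,
#    so both must be sorted the same way: sort -u each side first. -13 suppresses
#    column 1 (only in allowlist) and column 3 (in both), leaving column 2,
#    the addresses seen in the log but absent from the allowlist.
unlisted_sources() {
  grep -oE 'from [0-9.]+' "$1" | cut -d' ' -f2 | sort -u > "$WORK/seen.txt"
  sort -u "$2" > "$WORK/allow.txt"
  comm -13 "$WORK/allow.txt" "$WORK/seen.txt"
}

# 3. Log lines whose source IP is on the IOC list, using the two-file awk idiom:
#    FNR==NR holds only while awk is still reading the first file (the IOC list),
#    so those lines fill the array and are skipped with "next". For every later
#    line (the log) the field after "from" is tested for membership.
#    Caveat: with an empty IOC file FNR==NR would also hold for the log, so
#    guard the IOC file before relying on this in a pipeline.
ioc_hits() {
  awk 'FNR == NR { ioc[$1]; next }
       { for (i = 1; i < NF; i++)
           if ($i == "from" && ($(i + 1) in ioc)) { print; break } }' "$1" "$2"
}

echo "failed logins by source:";  failed_by_source "$WORK/auth.log"
echo "sources not on allowlist:"; unlisted_sources "$WORK/auth.log" "$WORK/allowlist.txt"
echo "lines matching IOC list:";  ioc_hits "$WORK/iocs.txt" "$WORK/auth.log"
```

The `LC_ALL=C` line is the practical caveat from the COMM entry: `sort` and `comm` in different locales disagree about ordering, and `comm` then silently reports lines as unique to one file when they are in both. The same idiom scales to large logs because every stage is a stream; only the awk array (one key per IOC) is held in memory.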
