
Weaponizing Intelligence: Interdiction in Today’s Threat Landscape


Weaponizing Intelligence: Interdiction in Today’s Threat Landscape


Presentation Transcript


  1. Weaponizing Intelligence: Interdiction in Today’s Threat Landscape Matthew Olney SP01-W11 Manager, Threat Intelligence and Interdiction Cisco Systems @kpyke

  2. WEAPONIZING INTELLIGENCE: INTERDICTION IN TODAY’S THREAT LANDSCAPE Matthew Olney Talos Threat Intelligence & Interdiction Group

  3. WHO AM I? Matthew Olney Manager of Threat Intelligence and Interdiction 11 Years with Sourcefire VRT and Cisco Talos Prior to that 10 years in network engineering and security I’m on Twitter @kpyke

  4. TALOS INTEL BREAKDOWN THREAT INTEL INTEL SHARING 600 BILLION Daily Email Messages 1.5 MILLION Daily Malware Samples Provider Coordination Program Customer Data Sharing Programs 16 BILLION Daily Web Requests Internet-Wide Scanning 20 BILLION Threats Blocked 500+ Participants Open Source Intel Sharing Industry Sharing Partnerships (ISACs) Product Telemetry Honeypots Open Source Communities Vulnerability Discovery (Internal) 3rd Party Programs (MAPP) 250+ Full Time Threat Intel Researchers MILLIONS Of Telemetry Agents 4 Global Data Centers 1100+ Threat Traps 100+ Threat Intelligence Partners

  5. WHAT IS INTERDICTION? “Interdiction is a military term for the act of delaying, disrupting, or destroying enemy forces or supplies en route to the battle area.” • Threat Intelligence and Interdiction takes action: • Outside the border of our customers’ networks • To disrupt and degrade actor capability • Using linguists, reverse engineers, incident responders, mathematicians, researchers and developers • Working with law enforcement organizations (LEO), government and industry organizations, hosting providers and other intelligence partners

  6. WE ARE SUCCESSFUL WITH FRIENDS — NOT TECHNOLOGY • Easy • ISAC (Information Sharing and Analysis Center) • Industry, National and Multinational CERTs • Internet Service Providers • Individual Researchers and Research Groups • Industry Partners • Competitors (Seriously) • Tricky • Web Hosting Providers • Strategic • Law Enforcement • Military • Government “I apologize for being a black hole.” – Undisclosed Government Agency

  7. TRICKY: WEB HOSTING PROVIDERS • Legal and economic barriers to cooperation • Narrow profit margins • Limited investment in abuse and security services • But there are costs incurred by hosting malicious actors • LEO interactions • Abuse handling • Bandwidth, engineering, charge-backs • Let’s help each other “It seems like they gave up after about 4 days of 2-3 orders a day. We have not seen any order attempts since 5/15. Thanks for the quick heads up, getting those C&C IPs into our netflow system stopped them cold.” – Intelligence Partner, Angler Investigation

  8. INTERDICTION CASE STUDY #1: SAMSAM & JBOSS

  9. TWO CRITICAL JBOSS CVES • CVE-2007-1036 • “…JBoss does not restrict access to the console and web management interfaces…” • CVE-2010-0738 • “The JMX-Console web application … performs access control only for the GET and POST methods...”

  10. JEXBOSS “João Filho Matos Figueiredo, what did you do?” – João’s mother, probably

  11. SAMSAM • Telemetry indicates December 2015 start date • Network-wide ransomware attack • Ransom paid via Bitcoin • Seen in many verticals, but best known for activity in healthcare • Uses ‘Jexboss’ • Multiple Cisco IR engagements • Strong LEO interest • 0.7-1.5 BTC per workstation • 22 BTC total for all keys

  12. TALOS RESPONSE (MARCH) • Preliminary blog post: • Samsam: The Doctor Will See You, After He Pays The Ransom • Research: How bad is this JBoss problem? • Full IPv4 scan Found roughly 3.2M IP addresses that behaved in a way suggesting they were vulnerable JBoss servers • Express mild concern on social media:

  13. EMAIL OF THE YEAR: CISCO IR SHARES CRITICAL INTEL Forensic Timeline Developed By Cisco IR • Day X • JexBoss invocation & JBossAss backdoor installation • X+47 Days • File upload installed on web server • X+49 Days • Full webshell installed and CSVDE executed – Active Directory dump • X+73 Days • tunnel.jsp installed allowing IP tunnel • Elevated privileged user connects via RDP • Recon with Hyena • Likely first use of admin credential • X+74 Days • Samsam encryption operation begins
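As an added illustration of the two JBoss CVEs on slide 9 and the JBossAss/webshell stage of the timeline above (example code written for this page, not from the talk or Cisco Talos), here is a small access-log check. The log lines, the admin network and the allowlist of the application's own JSPs are all constructed assumptions; the check flags non-GET/POST requests to the JBoss consoles (the CVE-2010-0738 pattern), console access from outside the admin range (the CVE-2007-1036 exposure), and unknown JSPs answering 200, which is how uniquely named shells show up.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Combined-format access-log parser: we only need source IP, method, path and status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# JBoss management apps: shipped without access restriction (CVE-2007-1036) and
# access-controlled only for GET and POST (CVE-2010-0738).
MGMT_PREFIXES = ("/jmx-console", "/web-console")
ADMIN_NETS = [ip_network("10.0.0.0/8")]           # assumed: where admins connect from
KNOWN_JSP = {"/app/index.jsp", "/app/login.jsp"}  # assumed: the application's own pages

# Constructed sample lines (not from the talk); 203.0.113.0/24 and 198.51.100.0/24 are doc ranges.
SAMPLE_LOG = """\
10.0.0.7 - - [01/Mar/2016:09:00:00 +0000] "GET /jmx-console/ HTTP/1.1" 200 1234
203.0.113.5 - - [01/Mar/2016:09:01:00 +0000] "HEAD /jmx-console/HtmlAdaptor HTTP/1.1" 200 -
203.0.113.5 - - [01/Mar/2016:09:02:00 +0000] "GET /web-console/ HTTP/1.1" 200 512
198.51.100.9 - - [01/Mar/2016:09:05:00 +0000] "GET /app/index.jsp?lang=en HTTP/1.1" 200 2048
198.51.100.9 - - [01/Mar/2016:09:06:00 +0000] "POST /jbossass/jbossass.jsp HTTP/1.1" 200 77
203.0.113.5 - - [01/Mar/2016:09:07:00 +0000] "GET /jmx-console/ HTTP/1.1" 401 -
"""

def classify(line):
    """Return (src, path, verdict) for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, method, path, status = m.group("src", "method", "path", "status")
    path = path.split("?", 1)[0]                   # drop the query string
    internal = any(ip_address(src) in net for net in ADMIN_NETS)
    if path.startswith(MGMT_PREFIXES):
        if method not in ("GET", "POST"):
            return (src, path, "verb-tamper")       # CVE-2010-0738 bypass pattern
        if not internal:
            return (src, path, "external-console")  # CVE-2007-1036 exposure
    if path.lower().endswith(".jsp") and path not in KNOWN_JSP and status == "200":
        return (src, path, "unknown-jsp")           # candidate webshell, JBossAss-style
    return None

def scan(lines):
    """Flagged requests in log order."""
    return [hit for hit in map(classify, lines) if hit]

def summarize(findings):
    """Verdict -> count, for a quick triage view."""
    return dict(Counter(v for _, _, v in findings))
```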

  14. “ACTIONABLE” • There is a window between shell installation and file encryption • I dramatically fail at math and also manage to underestimate the capabilities and determination of my team. They finished it over the weekend and had the results waiting for me Monday morning.

  15. 1,575 unique IPs • 88 countries • 2,104 shells

  16. http://<Jboss IP address>/status

  17. http://<Jboss IP address>/status&full=true

  18. 2,176 Uniquely-named shells

  19. STATUS CHECK • New actors tracked • JBoss status pages • JBoss honeypots • Tracking compromised servers • Almost 2000 notifications • Intel partners • Sales staff • 20 Talos researchers • 2 Weeks • Samples gathered • IR specialists on site • Sample exchange with Follett and intel partners

  20. NEW DATA FROM CISCO IR • IR received a SAMSAM engagement from an unmarked IP address • Could be SSL on 443 • Or, fairly often, on port 8080 • Run the same play • 2^32 scan for all 443 and 8080 ports displaying vulnerable JBOSS behavior • Scan potentially vulnerable hosts for known backdoors

  21. 625 new backdoor IPs • 2,104 new targets

  22. JBOSS – THE SAGA CONTINUES • Notified servers not 100% remediated • Actors continue to attack JBOSS servers • Working with LEO

  23. Floki Bot Strikes: Talos and Flashpoint Respond

  24. What Is Floki Bot?

  25. Shellcode Injection

  26. Tor Support

  27. Using FIRST to Analyze Floki Bot

  28. Collaboration with Flashpoint

  29. Shortly After Publication…

  30. TAKEAWAYS

  31. WHAT SHOULD YOU DO? • There is more to defense than just what happens on your network • Demand that your information security operation spend time building relationships with peers • Demand that your security software supports customized detection • Snort Rules • ClamAV Signatures • IP and domain blacklisting • Arbitrary IOC tracking and blacklisting • Ensure you have the visibility and policies necessary to share critical information with your partners before you reach out for help • Maneuver yourself in advance into a position that allows for flexibility and speed when a crisis occurs

  32. Q&A

  33. talosintelligence.com @talossecurity @kpyke

  34. INTELLIGENCE COMMUNITIES Project Aspis – collaboration between Talos and host providers • Talos provides expertise and resources to identify major threat actors • Providers potentially save significant costs in fraudulent charges • Talos gains real world insight into threats on a global scale, helping us improve detection and prevention, making the internet safer for everyone CRETE – collaboration between Talos and participating customers • Talos provides a FirePower NGIPS sensor to deploy inside the customer network • Talos gathers data about real world network threats and security issues • Customers receive leading-edge intel to protect their network AEGIS – information exchange between Talos and participating members of the security industry • Open to partners, customers, and members of the security industry • Collaborative nexus of intelligence sharing in order to provide better detection and insight into worldwide threats
