Diving into infrastructure security
More Sources
In addition to structured information, you will also find plain verbal descriptions of analysis results in various places. Proofpoint, for example, publishes detailed reports on its blog [5]. The authors describe and reference the TTPs and IoCs they were able to identify during their investigations. To provide an overview, all IoCs are summarized at the end of each article and enriched with additional data such as URLs and hash values of files, programs, or libraries. Some contributions add YARA signatures: pattern-matching rules, similar in spirit to regular expressions, that various tools can use to search text and binary data.
The more sources you find and consult, the more descriptions of attacks, malware, and procedures you will have. However, this knowledge alone does not tell you whether your own systems are affected. You can collect that information at various points in your infrastructure. Network-based IoCs can, in most cases, be handled at central locations: you will want to block IP addresses directly in the packet filter and use your internal DNS server to redirect listed domains to local destinations, routing the requests into a black hole. Of course, you will also want to log the requesting computers and, if possible, isolate them automatically in special network areas for further analysis. The same applies to URLs, which you can easily transfer to your HTTP proxy to log and prevent access attempts.
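The logging side of this approach, as an added example that is not part of the article: a small script that takes network IoCs of the kind listed at the end of a threat report and runs them over DNS and proxy logs to find the requesting computers. The indicators and log lines are constructed, and the log formats (BIND-style query log, Squid native access log) are assumptions.

```python
"""Match network IoCs (domains, IPs, URLs) against DNS and proxy logs and list
the requesting hosts. Added example; indicators and log lines are constructed,
and the BIND query-log and Squid access-log formats are assumptions."""
import re
from urllib.parse import urlsplit

# Constructed indicators, as a report's IoC summary might list them
IOCS = {"domain": {"update-check.example.net"},
        "ip": {"203.0.113.45"},
        "url": {"http://files.example.org/payload/notepad.exe"}}

# Constructed log lines: benign requests plus one hit per indicator type
DNS_LOG = [
    "client 10.0.0.5#51234 (update-check.example.net): query: update-check.example.net IN A +",
    "client 10.0.0.6#40001 (www.example.com): query: www.example.com IN A +",
]
PROXY_LOG = [
    "1700000000.100   245 10.0.0.7 TCP_MISS/200 8192 GET http://files.example.org/payload/notepad.exe - HIER_DIRECT/198.51.100.2 application/octet-stream",
    "1700000001.200    12 10.0.0.8 TCP_HIT/200 512 GET http://www.example.com/ - NONE/- text/html",
    "1700000002.300   900 10.0.0.9 TCP_TUNNEL/200 3000 CONNECT 203.0.113.45:443 - HIER_DIRECT/203.0.113.45 -",
]

DNS_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?(?P<host>[\d.]+)#\d+.*?query: (?P<qname>\S+) IN")
# Squid native format: timestamp elapsed client action/code size method url ...
PROXY_RE = re.compile(r"^\S+\s+\d+\s+(?P<host>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)")

def domain_listed(name, iocs=IOCS):
    """True for a listed domain or any subdomain of it."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in iocs["domain"])

def url_host(url):
    """Host part of a proxy URL; CONNECT targets have no scheme (host:port)."""
    return urlsplit(url).hostname if "://" in url else url.rsplit(":", 1)[0]

def scan_dns(lines, iocs=IOCS):
    """Map requesting host -> set of listed names it queried."""
    hits = {}
    for line in lines:
        m = DNS_RE.search(line)
        if m and domain_listed(m["qname"], iocs):
            hits.setdefault(m["host"], set()).add(m["qname"].rstrip("."))
    return hits

def scan_proxy(lines, iocs=IOCS):
    """Map proxy client -> set of requested URLs that hit a URL, domain or IP IoC."""
    hits = {}
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue
        host = url_host(m["url"]) or ""
        if m["url"] in iocs["url"] or host in iocs["ip"] or domain_listed(host, iocs):
            hits.setdefault(m["host"], set()).add(m["url"])
    return hits
```

The hosts returned are the ones to isolate for further analysis; a subdomain of a listed domain counts as a hit, and CONNECT tunnels to a listed IP are caught even though the proxy log carries no URL scheme for them.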
To detect host-based IoCs on your organization's computers, you need technical support. One possibility is the well-known GRR Rapid Response open source tool [6]. With its client-server architecture, GRR enables centralized management and asynchronous processing of requests (known as hunts) on the clients. For a defined runtime, clients receive the requests as soon as they are connected to the corporate network.
The results are then published at the next opportunity. This approach also covers mobile devices and home office computers that only sporadically connect to the corporate network. Of course, this means you need to install the GRR clients on your systems; it is not suitable for use on the fly. To test the tool, you can simply store a file named notepad.* in the Windows system folder after installation (Figure 1).
After clicking Create Hunt, you need to enable the hunt and wait some time for the first clients to execute it. While the hunt is active, increasing numbers of clients will receive it and run the search until you disable it again. Next, you evaluate the search. Figure 2 shows the results for one of the clients. This response also reveals the variety of search options GRR offers for files, such as timestamps or hash values. To practice, you can compare the patch levels of your Windows installations by hunting for the same file and comparing the different hash values returned.
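What such a file hunt does on the client side, as an added example in plain Python rather than GRR's own code: find files matching a name pattern below a root directory, hash them with SHA-256, and flag any digest that appears in a hash list from an IoC report. The sample "system folder", its files, and the hash list are constructed in a temporary directory.

```python
"""Minimal host-side file hunt in the spirit of a GRR file finder. Added example,
not GRR code; the directory tree, files and hash list are constructed."""
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def hunt(root, pattern, known_hashes):
    """Return [(relative path, sha256, matches_ioc)] for files matching pattern.

    known_hashes is a set of lowercase SHA-256 hex digests taken from an IoC
    list; a file whose digest is in the set is flagged. The digests of the
    unflagged files are still returned, so the same hunt run across many hosts
    lets you group them by file version (for example, by patch level)."""
    results = []
    for p in sorted(Path(root).rglob(pattern)):
        if p.is_file():
            digest = sha256_file(p)
            results.append((p.relative_to(root).as_posix(), digest,
                            digest in known_hashes))
    return results

def demo():
    """Build a constructed 'system folder' and hunt for notepad.* in it."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = Path(root) / "Windows" / "System32"
        sysdir.mkdir(parents=True)
        (sysdir / "notepad.exe").write_bytes(b"abc")            # constructed sample
        (sysdir / "notepad.dll").write_bytes(b"constructed library sample")
        (sysdir / "calc.exe").write_bytes(b"unrelated file")    # must not match
        # Constructed hash list: the SHA-256 of the sample notepad.exe content
        listed = {hashlib.sha256(b"abc").hexdigest()}
        return hunt(root, "notepad.*", listed)

if __name__ == "__main__":
    for rel, digest, flagged in demo():
        print(f"{'HIT ' if flagged else 'ok  '} {digest}  {rel}")
```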
Handling Security Incidents
If you have the capabilities in your company to run incident analysis for attacks and malware infections yourself, you can use The Hive [7] in addition to GRR. I looked at The Hive in combination with Cortex for incident analysis in a previous article [8]; together they give you both an overview and a comprehensive automation tool for the required analysis work. Cortex also lets you automatically enable protections in your infrastructure in the form of responders.
Finally, threat intelligence can also be incorporated into a company's risk analysis. If your company is part of a sharing community, you will receive valuable information, such as attacker groups, attacks within your industry, and attacks against specific classes of software. If you use the software in question, or something similar, in your organization, you need to look into the increased risk and try to respond to it. The systematic use of publicly available information on vulnerabilities (Common Vulnerabilities and Exposures, CVEs) means you are always aware of attack vectors on your infrastructure.
Conclusions
Threat intelligence is a way to learn about an attacker's modus operandi, methods, and tools. Additionally, it gives you valuable advice on what to look for when searching for malware or backdoors on your systems. The data you find in structured threat information mostly consists of signatures that virus scanners use in the same or a similar way.
Meanwhile, polymorphic or other types of dynamic malware cannot be tracked down reliably with the rather static descriptions in STIX/CybOX or similar formats. You will find several providers of commercial threat intelligence feeds online; however, the content can differ significantly. Before subscribing, you should consider whether a feed is useful and up to date.
Infos
- Poison Ivy: https://www.mandiant.com/resources/poison-ivy-assessing-damage-and-extracting-intelligence
- Poison Ivy example: https://oasis-open.github.io/cti-documentation/examples/example_json/poisonivy.json
- MISP Threat Sharing platform: https://www.misp-project.org
- MISP Communities: https://www.misp-project.org/communities/
- Proofpoint blog: https://www.proofpoint.com/us/blog/threat-insight
- GRR Rapid Response: https://github.com/google/grr
- The Hive: https://thehive-project.org
- "Incident Analysis with The Hive and Cortex" by Matthias Wübbeling, ADMIN, issue 66, 2021, https://www.admin-magazine.com/Archive/2021/66/Incident-Analysis-with-The-Hive-and-Cortex/