NG-SOC in Taiwan: The realities, the difficulties and the future
Senior Technical Consultant Jack Chou
2020. 8. 14.


  • NG-SOC in Taiwan

    The realities , the difficulties and the future

    Senior Technical Consultant

    Jack Chou

  • Who am I

    • Certifications:

    • CEH, CHFI

    • Palo Alto Networks ACE

    • McAfee Vulnerability Manager

    • Experience:

    • Assisted the Investigation Bureau (MJIB) in the First Bank unauthorized ATM withdrawal case

    • Built enterprise APT defenses

    • Assisted enterprises with security incident handling

    • Completed the judicial officer / lawyer credit program; now one of the wretched exam candidates…

    in short, someone who isn't getting anywhere…

    • Expertise:

    • Incident Response

    • Penetration Testing & Exploit Research

    • Malware Analysis

    • Security Solution Implementation

    • APT Gateway (TM DDI)

    • APT Mail (TM DDEI)

    • APT Endpoint (CounterTack MDR)

    • Crime research and investigation

  • Agenda

    • What is NG-SOC?

    • The Realities (罪, the sins)

    • The Difficulties (苦, the suffering)

    • The Future (未來)

  • Next-generation SOC: OODA (1)

    • Increase monitoring visibility

    • EDR / EPP

    • Reduce human error and manpower

    • SOAR

    大人物 (the Taiwanese buzzword for big data, AI and IoT), here: Tactics, Techniques and Procedures

    http://correlatedsecurity.com/an-ooda-driven-soc-strategy-using-siem-soar-edr/

  • Next-generation SOC: OODA (2). CTI that is expected to cover everything

    http://correlatedsecurity.com/why-cyber-threat-intelligence-informed-security-operations-is-important/

  • Taiwan SOC (Security Operation Center)

    What do customers actually expect???

  • The sins: doing security work in Taiwan carries a lot of original sin to begin with…

  • SOC monitoring under the government inter-entity supply contract (共同供應契約)

    • Low volume

    • EPS: 900

    • IR: 3 cases

    • Medium volume

    • EPS: 2300

    • IR: 7 cases

    • High volume

    • EPS: 4900

    • IR: 15 cases

    "Cases" means there is no limit on the scope or the number of targets per incident

  • We are all omnipotent security practitioners… customers, and your boss, have very high expectations of us…

    https://sansorg.egnyte.com/dl/K0PbjzWWau/

  • Threat intelligence in Taiwan

    • (withheld)

    Regulations on the Sharing of Cyber Security Information (資通安全情資分享辦法)

  • The suffering: as a SOC vendor, however bitter it gets, we still do our best to meet the customers' high expectations…

  • SOC & IR: how do we find the unknown???

    • Search for events using recent CVEs that hit three or more customers… What!!!

    • It's a large-scale premeditated attack!!!

    KPIs driven by CTI

    • But still nowhere near a competitor's 200,000-plus intelligence feedback reports a year…

  • Offensive OSINT: Attack Surface Management

  • Attack Surface Management

    Asset Discovery

    • APIs & Web Services

    • Web Applications & Websites

    • Domains & SSL Certificates

    • Critical Network Services

    • IoT & Connected Objects

    • Public Code Repositories

    • SaaS & PaaS Systems

    • Public Cloud & CDN

    • Mobile Apps

    • Databases

    Examples of sources and methods: Dark Web Monitoring

    • Leaked/Stolen Credentials

    • Pastebin Mentions

    • Exposed Documents

    • Leaked Source Code

    • Breached IT Systems & IoC

    • Phishing Websites & Pages

    • Fake Accounts in Social Networks

    • Unsolicited Vulnerability Reports

    • Trademark Infringements

    • Squatted Domain Names

  • Hunting Leaked & Misconfig

    • Use VTgrep syntax to search for customer-related leaked data or samples; this surfaces credentials that may have leaked

    • https://buckets.grayhatwarfare.com (API)

  • Potential squatting

    • https://www.immuniweb.com/radar/

    • https://dnstwist.it/ (phishing domain scanner)

    • Vendor brand name + customer domain + common IT keywords (update, admin, 365, windows, Microsoft, etc.)

    • Example:

    • symantecupdates.info

    • kaspernsky.com

    • windowsupdate.microsoft.365filtering.com
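The recipe on this slide (brand or customer name combined with IT keywords, plus single-character typos such as the extra "n" in kaspernsky.com, plus the brand used as a subdomain label under an unrelated domain) can be turned into a generator and matcher in a few dozen lines. The block below is an added example written for this page; it is not code from the slides, from dnstwist or from ImmuniWeb Radar. The observed hostnames, brand list and legitimate-domain set are constructed for the demo; in practice the observed list comes from passive DNS or newly-registered-domain feeds.

```python
"""Generate lookalike-domain candidates for brand/customer names and flag
observed hostnames that match. Added example, not code from the slides."""
import string

# Keywords the slide lists as commonly abused (update, admin, 365, windows,
# Microsoft ...) plus a few more that follow the same pattern (assumption).
IT_KEYWORDS = ["update", "updates", "admin", "365", "windows", "microsoft",
               "mail", "vpn", "login", "support"]
TLDS = ["com", "net", "info", "org"]


def keyword_combos(label, keywords=IT_KEYWORDS, tlds=TLDS):
    """'symantec' -> symantecupdates.info, update-symantec.com, ..."""
    out = set()
    for kw in keywords:
        if kw == label:
            continue
        for tld in tlds:
            out.update({f"{label}{kw}.{tld}", f"{label}-{kw}.{tld}",
                        f"{kw}{label}.{tld}", f"{kw}-{label}.{tld}"})
    return out


def typo_permutations(label):
    """Single-character omission, repetition, transposition, replacement and
    insertion: the same families of permutations dnstwist generates."""
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                         # omission
        out.add(label[:i] + label[i] * 2 + label[i + 1:])          # repetition
        if i + 1 < len(label):                                     # transposition
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
        for c in string.ascii_lowercase:
            out.add(label[:i] + c + label[i + 1:])                 # replacement
            out.add(label[:i] + c + label[i:])                     # insertion
    for c in string.ascii_lowercase:
        out.add(label + c)                                         # trailing insertion
    out.discard(label)
    return out


def candidate_domains(brand, tlds=TLDS):
    """All registered-domain candidates that could impersonate `brand`."""
    cands = keyword_combos(brand, tlds=tlds)
    for typo in typo_permutations(brand):
        for tld in tlds:
            cands.add(f"{typo}.{tld}")
    return cands


def flag_observed(observed, brands, legitimate=()):
    """Return {hostname: reason} for observed hostnames that look like squats.
    `legitimate` holds the brands' real registered domains so that
    update.microsoft.com is never reported."""
    cands = {b: candidate_domains(b) for b in brands}
    flagged = {}
    for host in observed:
        host = host.lower().rstrip(".")
        labels = host.split(".")
        registered = ".".join(labels[-2:])  # naive eTLD+1; use a public-suffix list on real data
        if registered in legitimate:
            continue
        for brand in brands:
            if registered in cands[brand]:
                flagged[host] = f"lookalike of {brand}"
                break
            # Brand used as a subdomain label under an unrelated registered
            # domain, e.g. windowsupdate.microsoft.365filtering.com
            if any(brand in lbl for lbl in labels[:-2]):
                flagged[host] = f"{brand} used as subdomain of {registered}"
                break
    return flagged


# Constructed observed hostnames: the three from the slide plus benign ones.
OBSERVED = ["symantecupdates.info", "kaspernsky.com",
            "windowsupdate.microsoft.365filtering.com",
            "www.kaspersky.com", "update.microsoft.com", "example.org"]
BRANDS = ["symantec", "kaspersky", "microsoft", "windows"]
LEGIT = {"symantec.com", "kaspersky.com", "microsoft.com"}

if __name__ == "__main__":
    for host, why in flag_observed(OBSERVED, BRANDS, LEGIT).items():
        print(f"{host:45} {why}")
```

The candidate set is only as good as the keyword list and the eTLD+1 split; for real data replace the naive two-label split with a public-suffix library, otherwise brand.co.uk style hosts are mis-split and every `*.co.uk` looks like a subdomain of co.uk.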

  • Leaked/Stolen Credentials

    • https://raidforums.com/

    • HUMINT

    • https://github.com/kevthehermit/PasteHunter

    • Hunchly Dark Web Report (https://www.dropbox.com/sh/wdleu9o7jj1kk7v/AACmlkoLQCGQ8V0vmF4e_Y4ba?dl=0)

    • https://darksearch.io/

    • https://github.com/s-rah/onionscan

    Dark Data Discovery (dark web intelligence collection)

  • Defensive OSINT: the attacker's perspective

  • Digital Discovery

    • Open Service & Unrestricted Web

    • https://www.immuniweb.com/websec/

    • https://www.immuniweb.com/mobile/

    • https://www.immuniweb.com/ssl/

    • https://github.com/jack51706/LeakLooker-X


  • Outbound Hunting

    • https://blog.binaryedge.io/2019/07/08/guest-post-panda-banker/

    • https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html

    • https://app.binaryedge.io/services/query?filter=MALWARE

    • https://www.shodan.io/search?query=category%3Amalware

    • https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/

    • https://censys.io/blog/hunting-mirai

    • https://censys.io/blog/tracking-roamingmantis-mobile-banking-threat

    • https://censys.io/blog/hunting-for-threats-coinhive-cryptocurrency-miner

    • https://censys.io/blog/finding-hacked-web-servers

    • Infiltrate C&C

    • Backdoor Reversing

    Connection metadata

  • Intelligence-Driven Incident Response and Threat Hunting

    Ask the world: what on earth is "intel"… (a play on 問世間情為何物)

  • Pivot and Threat Attribution

    Sample

    • Unique Strings

    • Network Communication/Encryption Algorithm

    • Code / Strings Reuse

    • Metadata(filename, description, version, title, author name)

    • Mutexes

    • Behavior

    Make Enrichment Great Again

    Infrastructure

    • Passive DNS

    • TLS certificate tracking

    • Correlation through metadata (web server version, hosting provider,HTTP headers, Whois …)

    • Search of domain names/IP addresses on public sandboxes results

    • HTTP static content tracking

    • Network flow

    https://github.com/threatresearch-issdu/ITHOME2020

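The pivoting described on this slide (linking samples through shared mutexes, unique strings, C2 addresses and TLS certificates, then enriching the cluster) is essentially a graph problem, and the one rule that keeps it honest is to pivot only on rare indicators. The block below is an added example for this page, not code from the slides or from the ITHOME2020 repository. All sample records are constructed: the IDs, mutex names and certificate fingerprint are invented; the C2 address is the one shown on the CTI Lifecycle slide.

```python
"""Cluster malware samples by shared rare indicators (pivot + attribution).
Added example, not code from the slides or the ITHOME2020 repository."""
from collections import defaultdict

# Constructed sample metadata: each sample carries (indicator_type, value) pairs.
SAMPLES = {
    "sample-01": {("c2", "185.161.209.234"), ("mutex", "Global\\DemoMtx-7f3a"),
                  ("string", "Mozilla/5.0")},
    "sample-02": {("c2", "185.161.209.234"), ("mutex", "Global\\Other-11"),
                  ("string", "Mozilla/5.0")},
    "sample-03": {("mutex", "Global\\DemoMtx-7f3a"),
                  ("tls_sha1", "deadbeef00112233445566778899aabbccddeeff"),
                  ("string", "Mozilla/5.0")},
    "sample-04": {("tls_sha1", "deadbeef00112233445566778899aabbccddeeff"),
                  ("string", "Mozilla/5.0")},
    "sample-05": {("c2", "198.51.100.7"), ("string", "Mozilla/5.0")},
}


def indicator_index(samples):
    """Map each indicator to the set of samples that carry it."""
    idx = defaultdict(set)
    for sid, indicators in samples.items():
        for ind in indicators:
            idx[ind].add(sid)
    return idx


def pivot_clusters(samples, max_prevalence=3):
    """Union samples that share a rare indicator.

    Returns (clusters, links): clusters is a list of frozensets of sample IDs,
    links maps every indicator actually used for linking to the samples it
    joined. Indicators seen in more than `max_prevalence` samples (a generic
    user-agent string, a library mutex) are ignored: pivoting on them would
    glue unrelated families together.
    """
    parent = {sid: sid for sid in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    links = {}
    for ind, sids in indicator_index(samples).items():
        if len(sids) < 2 or len(sids) > max_prevalence:
            continue            # unique to one sample, or too common to pivot on
        links[ind] = sids
        first, *rest = sorted(sids)
        for other in rest:
            parent[find(other)] = find(first)

    groups = defaultdict(set)
    for sid in samples:
        groups[find(sid)].add(sid)
    return [frozenset(g) for g in groups.values()], links


if __name__ == "__main__":
    clusters, links = pivot_clusters(SAMPLES)
    for c in clusters:
        print("cluster:", sorted(c))
    for ind, sids in links.items():
        print("linked by", ind, "->", sorted(sids))
```

Sample-01 and sample-02 share the C2 address, sample-01 and sample-03 share the mutex, and sample-03 and sample-04 share the certificate, so the four collapse into one cluster; sample-05 stays alone because the only thing it shares with the others is the `Mozilla/5.0` string, which is present in all five and therefore excluded. Enrichment (passive DNS, certificate history, sandbox hits) is then run once per cluster rather than once per sample.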

  • Intelligence collection methods and sources

    • IR

    • VirusTotal YARA hunting

    • Event hunting

    • OSINT

    • Analysis of unknown samples submitted by customers, and follow-up correlation

    • Honeypots (open proxy, Tor node)

    • Proactive trojan inspection (security health checks)

    • Customer asset monitoring

    • https://www.one-tab.com/page/BQ9hxrRER9GYDMd5d_v09Q

    • Cross-correlation and verification across multiple sources

  • CTI Lifecycle

    Pivot → Enrichment → Attribution

    • IPS detection: HTTP_PlugX_Trojan_CnC, 185.161.209.234

    • 185.161.209.234: tracking and analysis

    • Enrichment: VT Hunting & CrowdStrike; VT similar-to: / code-similar-to: → CTI platform

    • Deliver & Response: IP / DN block; samples (175+) → AV block

    https://www.carbonblack.com/2020/02/20/threat-analysis-active-c2-discovery-using-protocol-emulation-part2-winnti-4-0/

    After tracking, the IP could be correlated with the threat intelligence report published by VMware (Carbon Black). The intrusion source is tagged as Winnti 4.0, and 19 samples can be obtained from the article.

    VT: tag:winnti

    Infra enrichment

  • Attack Surface Management

    • https://cyberint.com/solutions/

    • https://www.immuniweb.com/

    • https://www.riskiq.com/illuminate-platform/

    Commercial


  • Human-Intelligence Network Anomaly Detection

    工人智慧 ("manual intelligence", a pun on 人工智慧, artificial intelligence)

  • SOC & IR: how do we find the unknown

    • TM DDI rule:

    • Executable requested from root directory of web server

    Appliance rules

  • AI Network Anomaly Detection

    • Graph-theory weight visualization

    • Protocol traffic statistical analysis

    • Attack-path stage statistical analysis

    • Asset attribute statistical analysis

    • Network artifact metadata

    ExtraHop & DarkTrace

  • SOC & IR: how do we find the unknown

    • PASTEBIN

    • GITHUB

    • Vultr.com

    • Frequency + comparison against filtered data + destination IP/domain not in the Alexa TOP 100M

    • DDNS

    Connection metadata
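The three ingredients on this slide (connection frequency, a filter against a list of popular destinations, and a watch on dynamic-DNS and paste/code-hosting destinations) fit together as a small hunt over proxy connection metadata. The block below is an added example for this page, not code from the slides or from any product mentioned on it. The log lines, the allowlist (standing in for the Alexa top list), the DDNS provider suffixes and the watched hosts are all assumptions for the demo; the slide's Vultr hosting check needs an IP-to-ASN lookup and is not shown.

```python
"""Hunt outbound connection metadata for beacons, DDNS and paste/code hosts.
Added example, not code from the slides."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: timestamp, source IP, destination host, destination IP.
LOG = """\
2020-08-14T10:00:00 10.0.0.5 evil.ddns.net 203.0.113.10
2020-08-14T10:01:10 10.0.0.7 www.google.com 142.250.0.1
2020-08-14T10:05:00 10.0.0.5 evil.ddns.net 203.0.113.10
2020-08-14T10:07:41 10.0.0.5 cdn.example.com 198.51.100.20
2020-08-14T10:10:00 10.0.0.5 evil.ddns.net 203.0.113.10
2020-08-14T10:12:03 10.0.0.9 pastebin.com 104.20.0.1
2020-08-14T10:15:00 10.0.0.5 evil.ddns.net 203.0.113.10
2020-08-14T10:19:30 10.0.0.5 cdn.example.com 198.51.100.20
2020-08-14T10:20:02 10.0.0.5 evil.ddns.net 203.0.113.10
2020-08-14T10:33:12 10.0.0.7 www.google.com 142.250.0.1
2020-08-14T10:55:55 10.0.0.5 cdn.example.com 198.51.100.20
"""

ALLOWLIST = {"www.google.com"}                     # stand-in for a top-N domain list
DDNS_PROVIDERS = ("ddns.net", "no-ip.com", "no-ip.org", "duckdns.org", "dyndns.org")
WATCHED_HOSTS = {"pastebin.com", "github.com", "raw.githubusercontent.com",
                 "gist.github.com"}                # the slide's PASTEBIN / GITHUB


def parse(log):
    """Group connection timestamps by (source IP, destination host)."""
    conns = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, _dst_ip = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return conns


def is_periodic(times, min_conns=4, max_cv=0.2):
    """True when the gaps between connections are regular: coefficient of
    variation (stddev / mean) of the intervals at or below `max_cv`."""
    if len(times) < min_conns:
        return False
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = mean(gaps)
    return m > 0 and pstdev(gaps) / m <= max_cv


def is_ddns(host):
    return any(host == p or host.endswith("." + p) for p in DDNS_PROVIDERS)


def hunt(log, allowlist=ALLOWLIST):
    """Return {(src, dst): [reasons]} for pairs worth an analyst's attention."""
    findings = {}
    for (src, dst), times in parse(log).items():
        reasons = []
        if dst in WATCHED_HOSTS:                   # reported even if popular
            reasons.append("paste/code-hosting site")
        if is_ddns(dst):
            reasons.append("dynamic DNS provider")
        if dst not in allowlist and is_periodic(times):
            reasons.append(f"periodic beacon ({len(times)} connections)")
        if reasons:
            findings[(src, dst)] = reasons
    return findings


if __name__ == "__main__":
    for (src, dst), why in hunt(LOG).items():
        print(f"{src:10} -> {dst:20} {', '.join(why)}")
```

10.0.0.5 talks to evil.ddns.net every five minutes with two seconds of jitter and the host is on a DDNS provider, so it is reported on both counts; cdn.example.com is also outside the allowlist but has only three irregular connections, which is exactly the case the "not in the top list" filter must not report on its own. A real beacon detector also needs to survive jitter-randomised sleeps, so raise `max_cv` or add a histogram check before relying on it in production.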

  • SOC & IR: how do we find the unknown

    • Hacking tool detected (TM OfficeScan) (HKTL_DUMP*)

    • Hacking tool detected (TM OfficeScan) (HKTL_PASS*)

    • Hacking tool detected (SEP) (Hacktool)

    • Antivirus isn't useless; it depends on how you use it and what you look at

    Antivirus rules

  • Endpoint Visibility and Response

  • Traditional endpoint detection and response

    • https://github.com/sans-blue-team/DeepBlueCLI

    • https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES

    • https://www.malwarearchaeology.com/cheat-sheets

    • https://github.com/mvelazc0/Oriana/wiki/Hunting-Analytics

    • https://github.com/0Kee-Team/WatchAD

    • https://github.com/JPCERTCC/LogonTracer

    • https://blogs.jpcert.or.jp/en/2017/12/research-report-released-detecting-lateral-movement-through-tracking-event-logs-version-2.html

    • https://github.com/NVISO-BE/ee-outliers

    EVTX analysis

  • Anti-forensics (evidence destruction)

    • Sdelete

    • ClearEventLog

    • https://github.com/Rizer0/Log-killer

    • https://github.com/hlldz/Invoke-Phant0m

    • Clear MBR

    • Ransomware

    The limits of manual IR

  • Endpoint detection and response

    Hunting hypothesis

    • Office 0-day

    • Spawns PowerShell (fileless)

    • C2 connection (network connection behaviour)

    • Custom threat-hunting rules detect and respond in real time

    • (process_name:winword.exe OR process_name:excel.exe OR process_name:powerpnt.exe) AND netconn_count:[1 TO *] AND childproc_name:powershell.exe

    • APT VPN lateral movement, ERS20191125

    • cb.urlver=1&q=file_desc:PacketiX

    EDR
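The two hunts on this slide are Carbon Black Response queries; the block below expresses them as predicates over records that use the same field names (process_name, childproc_name, netconn_count, file_desc) and runs them over constructed telemetry, so the matching logic can be read and tested without the platform. It is an added example for this page, not code from the slides and not Carbon Black's query engine; the events, hostnames and file descriptions are invented.

```python
"""Evaluate the slide's EDR hunting rules over process telemetry.
Added example, not code from the slides or from Carbon Black."""
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed process records using Carbon Black Response field names.
EVENTS = [
    {"id": 1, "hostname": "WS-0042", "process_name": "winword.exe",
     "netconn_count": 2, "childproc_name": ["powershell.exe"],
     "file_desc": "Microsoft Word"},
    {"id": 2, "hostname": "WS-0042", "process_name": "excel.exe",
     "netconn_count": 0, "childproc_name": ["powershell.exe"],
     "file_desc": "Microsoft Excel"},
    {"id": 3, "hostname": "WS-0017", "process_name": "winword.exe",
     "netconn_count": 5, "childproc_name": ["splwow64.exe"],
     "file_desc": "Microsoft Word"},
    {"id": 4, "hostname": "SRV-DB01", "process_name": "vpnclient.exe",
     "netconn_count": 40, "childproc_name": [],
     "file_desc": "PacketiX VPN Client"},
    {"id": 5, "hostname": "WS-0017", "process_name": "chrome.exe",
     "netconn_count": 300, "childproc_name": ["chrome.exe"],
     "file_desc": "Google Chrome"},
]


def office_spawns_powershell_with_netconn(ev):
    """(process_name:winword.exe OR process_name:excel.exe OR process_name:powerpnt.exe)
       AND netconn_count:[1 TO *] AND childproc_name:powershell.exe"""
    children = {c.lower() for c in ev["childproc_name"]}
    return (ev["process_name"].lower() in OFFICE_APPS
            and ev["netconn_count"] >= 1
            and "powershell.exe" in children)


def packetix_vpn_binary(ev):
    """file_desc:PacketiX  (SoftEther/PacketiX VPN binaries dropped for lateral movement)"""
    return "packetix" in ev["file_desc"].lower()


RULES = {
    "office_to_powershell_netconn": office_spawns_powershell_with_netconn,
    "packetix_vpn": packetix_vpn_binary,
}


def hunt(events, rules=RULES):
    """Return {rule_name: [event ids]} for every rule that matched at least once."""
    hits = {name: [] for name in rules}
    for ev in events:
        for name, pred in rules.items():
            if pred(ev):
                hits[name].append(ev["id"])
    return {name: ids for name, ids in hits.items() if ids}


if __name__ == "__main__":
    for name, ids in hunt(EVENTS).items():
        print(f"{name}: events {ids}")
```

Note what the first rule does and does not cover: netconn_count is a property of the Office process itself, so event 2 (Excel spawning PowerShell with no network activity of its own) is not matched even if the PowerShell child later beacons out. A companion rule on the child (process_name:powershell.exe AND parent_name in the Office set AND netconn_count ≥ 1) closes that gap.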

  • The future: how do we keep up with the customers' high expectations…

  • SOAR

    • Security Orchestration Use Case: Automating Threat Hunting

    • Playbook (436)

    • Detonate

    • Enrichment

    • Extract

    • Hunting

    • Investigation

    • Integration (569)

    • Automation (677)

    • Script (617)

    If only something could semi-automate the pile of manual methods described above…

  • ISSDU next-generation SOC architecture

  • Thank You