NG-SOC in Taiwan
The realities, the difficulties and the future
Senior Technical Consultant
Jack Chou
Who am I
• Certifications:
• CEH, CHFI
• Palo Alto Networks ACE
• McAfee Vulnerability Manager
• Experience:
• Assisted the Investigation Bureau with the First Bank ATM heist case
• Built enterprise APT defenses
• Assisted enterprises with security incident handling
• Completed the judicial officer / attorney credit program; now one of the wretched exam candidates… just a…
• Specialties:
• Incident Response
• Penetration Testing & Exploit Research
• Malware Analysis
• Security Solution Implementation
• APT Gateway (TM DDI)
• APT Mail (TM DDEI)
• APT Endpoint (CounterTack MDR)
• Crime research and investigation
Agenda
• What is NG-SOC?
• The Realities (Sin)
• The Difficulties (Suffering)
• The Future
Next-generation SOC: OODA (1)
• Increase monitoring visibility
• EDR / EPP
• Reduce human error and manpower
• SOAR
The "big shots" (大人物): Tactics, Techniques and Procedures
http://correlatedsecurity.com/an-ooda-driven-soc-strategy-using-siem-soar-edr/
Next-generation SOC: OODA (2): all-encompassing CTI
http://correlatedsecurity.com/why-cyber-threat-intelligence-informed-security-operations-is-important/
Taiwan SOC (Security Operation Center)
What do customers expect???
Sin: working in information security in Taiwan carries many original sins…
SOC monitoring under the government inter-entity supply contract
• Low traffic
• EPS: 900
• IR: 3 times
• Medium traffic
• EPS: 2300
• IR: 7 times
• High traffic
• EPS: 4900
• IR: 15 times
A "time" here means no limit on scope or number of targets
We are all omnipotent security practitioners… customers, and your boss, have high expectations of us…
https://sansorg.egnyte.com/dl/K0PbjzWWau/
Threat intelligence in Taiwan
• Reserved
Regulations on Cyber Security Information Sharing (資通安全情資分享辦法)
Suffering: as a SOC provider, however hard it gets, we still have to do our best to meet customers' high expectations…
How do SOC & IR find the unknown???
• Search for attacks that use a recent CVE against three or more customers…
• What!!!
• It's a large-scale premeditated attack!!!
CTI as a KPI
• But still nowhere near the 200,000-plus intelligence feedback submissions a year that a peer vendor shares…
Offensive OSINT: Attack Surface Management
Asset Discovery
• APIs & Web Services
• Web Applications & Websites
• Domains & SSL Certificates
• Critical Network Services
• IoT & Connected Objects
• Public Code Repositories
• SaaS & PaaS Systems
• Public Cloud & CDN
• Mobile Apps
• Databases
Examples of sources and methods: Dark Web Monitoring
• Leaked/Stolen Credentials
• Pastebin Mentions
• Exposed Documents
• Leaked Source Code
• Breached IT Systems & IoC
• Phishing Websites & Pages
• Fake Accounts in Social Networks
• Unsolicited Vulnerability Reports
• Trademark Infringements
• Squatted Domain Names
Hunting Leaked & Misconfig
• Use VTgrep syntax to search for customer-related data leaks or samples and spot possibly leaked account credentials
• https://buckets.grayhatwarfare.com (API)
Potential squatting
• https://www.immuniweb.com/radar/
• https://dnstwist.it/ (phishing domain scanner)
• Vendor name + customer domain + common IT keywords (update, admin, 365, windows, Microsoft, etc.)
• Example:
• symantecupdates.info
• kaspernsky.com
• windowsupdate.microsoft.365filtering.com
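As an added example (not code from the talk or from dnstwist), the brand + keyword and one-character typo heuristics from this slide applied to a constructed list of observed hostnames; the brand list, keyword list and hostnames are assumed sample data, and in practice the observed list would come from CT logs or passive DNS:

```python
import string

# Constructed keyword list based on the slide (update, admin, 365, windows, Microsoft ...)
KEYWORDS = ("update", "admin", "365", "windows", "microsoft", "login", "filtering")

def typo_variants(name):
    """One-character omission, transposition and insertion variants of a label."""
    out = set()
    for i in range(len(name)):
        out.add(name[:i] + name[i + 1:])                             # omission
        if i < len(name) - 1:
            out.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # transposition
        for c in string.ascii_lowercase:
            out.add(name[:i] + c + name[i:])                         # insertion
    out.discard(name)
    return out

def classify(fqdn, brands, legit_domains):
    """Return (reason, brand) if fqdn looks like a squat of one of the brands, else None."""
    host = fqdn.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in legit_domains):
        return None                                  # under a domain the brand really owns
    for label in host.split(".")[:-1]:               # every label except the TLD
        for brand in brands:
            if label == brand:
                return ("brand-as-label", brand)     # e.g. microsoft.365filtering.com
            if label in typo_variants(brand):
                return ("typo", brand)               # e.g. kaspernsky.com
            if brand in label and any(k in label for k in KEYWORDS):
                return ("brand+keyword", brand)      # e.g. symantecupdates.info
    return None

def scan(observed, brands, legit_domains):
    """Map each suspicious observed hostname to the reason it was flagged."""
    hits = {}
    for fqdn in observed:
        reason = classify(fqdn, brands, legit_domains)
        if reason:
            hits[fqdn] = reason
    return hits

if __name__ == "__main__":
    # Constructed sample input: the three examples from the slide plus one legitimate host
    brands = ["symantec", "kaspersky", "microsoft"]
    legit = ["symantec.com", "kaspersky.com", "microsoft.com"]
    observed = ["symantecupdates.info", "kaspernsky.com",
                "windowsupdate.microsoft.365filtering.com", "www.symantec.com"]
    for host, why in scan(observed, brands, legit).items():
        print(host, "->", why)
```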
Leaked/Stolen Credentials
• https://raidforums.com/
• HUMINT
• https://github.com/kevthehermit/PasteHunter
• Hunchly Dark Web Report (https://www.dropbox.com/sh/wdleu9o7jj1kk7v/AACmlkoLQCGQ8V0vmF4e_Y4ba?dl=0)
• https://darksearch.io/
• https://github.com/s-rah/onionscan
Dark Data Discovery (dark web intelligence collection)
Defensive OSINT: the attacker's perspective
Digital Discovery
• Open Service & Unrestricted Web
• https://www.immuniweb.com/websec/
• https://www.immuniweb.com/mobile/
• https://www.immuniweb.com/ssl/
• https://github.com/jack51706/LeakLooker-X
Outbound Hunting
• https://blog.binaryedge.io/2019/07/08/guest-post-panda-banker/
• https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html
• https://app.binaryedge.io/services/query?filter=MALWARE
• https://www.shodan.io/search?query=category%3Amalware
• https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/
• https://censys.io/blog/hunting-mirai
• https://censys.io/blog/tracking-roamingmantis-mobile-banking-threat
• https://censys.io/blog/hunting-for-threats-coinhive-cryptocurrency-miner
• https://censys.io/blog/finding-hacked-web-servers
• Infiltrate C&C
• Backdoor Reversing
Connection metadata
Intelligence-Driven Incident Response and Threat Hunting
Ask the world: what is threat intelligence…
Pivot and Threat Attribution
Sample
• Unique Strings
• Network Communication/Encryption Algorithm
• Code / Strings Reuse
• Metadata (filename, description, version, title, author name)
• Mutexes
• Behavior
Make Enrichment Great Again
Infrastructure
• Passive DNS
• TLS certificate tracking
• Correlation through metadata (web server version, hosting provider, HTTP headers, Whois…)
• Search of domain names/IP addresses on public sandboxes results
• HTTP static content tracking
• Network flow
https://github.com/threatresearch-issdu/ITHOME2020
Intelligence collection methods and sources
• IR
• VirusTotal YARA Hunting
• Event Hunting
• OSINT
• Analysis of unknown samples provided by customers, and follow-up correlation
• Honeypot (open proxy, Tor node)
• Proactive trojan detection (security health check)
• Customer asset monitoring
• https://www.one-tab.com/page/BQ9hxrRER9GYDMd5d_v09Q
• Cross-correlation and verification across multiple sources
CTI Lifecycle: Pivot, Enrichment, Attribution
• IPS detection: HTTP_PlugX_Trojan_CnC, 185.161.209.234
• Tracking and analysis of 185.161.209.234: VT Hunting & CrowdStrike (VT similar-to: and code-similar-to:)
• Enrichment: CTI platform
• Deliver & Response: IP / DN block; samples (175+) blocked by AV
https://www.carbonblack.com/2020/02/20/threat-analysis-active-c2-discovery-using-protocol-emulation-part2-winnti-4-0/
After tracking, the IP could be correlated to a threat intelligence report published by VMware
The intrusion source is tagged as Winnti 4.0
19 samples in total can be obtained from that article
VT: tag:winnti
Infra enrichment
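An added example (not from the talk) of the infrastructure pivoting used in this lifecycle and on the "Infrastructure" slide: starting from the IP in the deck, walk passive-DNS and TLS-certificate records to collect related infrastructure while refusing to expand shared hosts. Every passive-DNS record, IP other than the seed, domain and certificate fingerprint below is constructed sample data:

```python
from collections import defaultdict, deque

# A domain or certificate seen on more hosts than this is treated as shared
# infrastructure (hosting, CDN) and is recorded but not expanded.
MAX_FANOUT = 3

SEED_IP = "185.161.209.234"   # the IP from the talk; every record below is constructed
PDNS = [  # (domain, resolved_ip) as a passive-DNS source would return them
    ("update-cdn.example", "185.161.209.234"),
    ("update-cdn.example", "192.0.2.10"),
    ("mail-svc.example", "192.0.2.10"),
    ("shared.example", "192.0.2.10"),       # shared host: four resolutions, not expanded
    ("shared.example", "198.51.100.1"),
    ("shared.example", "198.51.100.2"),
    ("shared.example", "198.51.100.3"),
]
CERTS = [  # (certificate fingerprint, ip it was served from); fingerprints are placeholders
    ("sha1:aa11aa11", "192.0.2.10"),
    ("sha1:aa11aa11", "198.51.100.77"),      # same cert re-used on a second host
    ("sha1:bb22bb22", "203.0.113.5"),        # unrelated server
]

def build_graph(pdns, certs):
    """Undirected graph with ip<->domain and ip<->cert edges; nodes are (kind, value)."""
    adj = defaultdict(set)
    for domain, ip in pdns:
        adj[("domain", domain)].add(("ip", ip))
        adj[("ip", ip)].add(("domain", domain))
    for fp, ip in certs:
        adj[("cert", fp)].add(("ip", ip))
        adj[("ip", ip)].add(("cert", fp))
    return adj

def pivot(seed_ip, adj):
    """Breadth-first pivot from seed_ip; returns related IOCs and the shared nodes skipped."""
    start = ("ip", seed_ip)
    seen, skipped = {start}, set()
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node[0] != "ip" and len(adj[node]) > MAX_FANOUT:
            skipped.add(node)          # shared domain/cert: note it, do not follow it
            continue
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    related = seen - skipped
    result = {kind + "s": {v for k, v in related if k == kind} for kind in ("ip", "domain", "cert")}
    result["skipped"] = {v for _, v in skipped}
    return result
```

The `ips` and `domains` sets are what would go to the IP / DN block step; `skipped` lists the shared nodes an analyst should review by hand rather than block.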
Attack Surface Management (commercial)
• https://cyberint.com/solutions/
• https://www.immuniweb.com/
• https://www.riskiq.com/illuminate-platform/
Human-Intelligence Network Anomaly Detection
"Manual intelligence" (工人智慧, a pun on 人工智慧, artificial intelligence)
How do SOC & IR find the unknown
• TM DDI rule:
• Executable requested from root directory of web server
Appliance rules
AI Network Anomaly Detection
• Graph-theory weighted visualization
• Statistical analysis of protocol traffic
• Statistical analysis of attack-path stages
• Statistical analysis of asset attributes
• Network artifact metadata
ExtraHop & DarkTrace
How do SOC & IR find the unknown
• PASTEBIN
• GITHUB
• Vultr.com
• Frequency + matching against filtered data + destination IP/domain not in the Alexa Top 100M
• DDNS
Connection metadata
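As an added example (not the talk's own tooling), the connection-metadata signals from this slide run over constructed proxy log lines: watched paste/code/VPS services, DDNS providers, destinations absent from a popularity top list, and beacon-like regular frequency. The log format, the top list and the watch list are assumptions:

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log sample: "<timestamp> <src_ip> <dest_host>"
LOG = """\
2020-09-01T10:00:05 10.0.0.5 pastebin.com
2020-09-01T10:05:05 10.0.0.5 pastebin.com
2020-09-01T10:10:05 10.0.0.5 pastebin.com
2020-09-01T10:15:05 10.0.0.5 pastebin.com
2020-09-01T10:02:00 10.0.0.7 api.github.com
2020-09-01T10:03:00 10.0.0.9 host1.ddns.net
"""
TOP_LIST = {"www.google.com", "api.github.com", "pastebin.com"}  # stand-in for the Alexa list
WATCH = {"pastebin.com": "PASTEBIN", "github.com": "GITHUB", "vultr.com": "VULTR"}
DDNS_SUFFIXES = (".ddns.net", ".no-ip.com", ".duckdns.org")

def parse_log(text):
    """(timestamp, src_ip, dest_host) per well-formed line; malformed lines are skipped."""
    recs = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) == 3:
            recs.append((datetime.fromisoformat(parts[0]), parts[1], parts[2].lower()))
    return recs

def host_tags(host):
    # Static tags: watched paste/code/VPS service, DDNS provider, absent from the top list
    tags = [tag for dom, tag in WATCH.items() if host == dom or host.endswith("." + dom)]
    tags += ["DDNS"] if host.endswith(DDNS_SUFFIXES) else []
    tags += ["NOT_IN_TOPLIST"] if host not in TOP_LIST else []
    return tags

def is_beacon(times, min_hits=3, max_jitter=0.1):
    # Three or more hits at near-constant intervals (low relative deviation of the gaps)
    if len(times) < min_hits:
        return False
    ts = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter

def hunt(records):
    """{(src_ip, dest_host): [tags]} for every pair that raised at least one tag."""
    by_pair = defaultdict(list)
    for ts, src, host in records:
        by_pair[(src, host)].append(ts)
    findings = {}
    for pair, times in by_pair.items():
        tags = host_tags(pair[1]) + (["BEACON"] if is_beacon(times) else [])
        if tags:
            findings[pair] = tags
    return findings
```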
How do SOC & IR find the unknown
• Hacking tool detected (TM OfficeScan) (HKTL_DUMP*)
• Hacking tool detected (TM OfficeScan) (HKTL_PASS*)
• Hacking tool detected (SEP) (Hacktool)
• Antivirus isn't useless; it depends on how you use it and how you read it
Antivirus rules
Endpoint Visibility and Response
Traditional endpoint detection and response
• https://github.com/sans-blue-team/DeepBlueCLI
• https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
• https://www.malwarearchaeology.com/cheat-sheets
• https://github.com/mvelazc0/Oriana/wiki/Hunting-Analytics
• https://github.com/0Kee-Team/WatchAD
• https://github.com/JPCERTCC/LogonTracer
• https://blogs.jpcert.or.jp/en/2017/12/research-report-released-detecting-lateral-movement-through-tracking-event-logs-version-2.html
• https://github.com/NVISO-BE/ee-outliers
EVTX analysis
Anti-forensics (evidence destruction)
• Sdelete
• ClearEventLog
• https://github.com/Rizer0/Log-killer
• https://github.com/hlldz/Invoke-Phant0m
• Clear MBR
• Ransomware
The limits of manual IR
Endpoint detection and response
Hunting Hypothesis
• Office 0-day
• Spawns PowerShell (fileless)
• C2 connection (network connection behaviour)
• Custom threat hunting rules to detect and respond in real time
• (process_name:winword.exe OR process_name:excel.exe OR process_name:powerpnt.exe) AND netconn_count:[1 TO *] AND childproc_name:powershell.exe
• APT VPN Lateral Movement ERS20191125
• cb.urlver=1&q=file_desc:PacketiX
EDR
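An added example (not the talk's or Carbon Black's code) of the two hunting hypotheses on this slide evaluated offline: constructed EDR telemetry is aggregated into per-process documents with the fields the queries name (process_name, childproc_name, netconn_count, file_desc), and each hypothesis is a plain predicate over those documents. The event shapes and every pid, image and destination are assumptions:

```python
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed telemetry stream. Two event shapes:
#   ("procstart", pid, parent_pid, image_name, file_description)
#   ("netconn", pid, destination)
EVENTS = [
    ("procstart", 100, 1, "explorer.exe", "Windows Explorer"),
    ("procstart", 200, 100, "WINWORD.EXE", "Microsoft Word"),
    ("netconn", 200, "203.0.113.10:443"),
    ("procstart", 300, 200, "powershell.exe", "Windows PowerShell"),  # Word -> PowerShell, with netconn
    ("procstart", 400, 100, "excel.exe", "Microsoft Excel"),
    ("procstart", 500, 400, "powershell.exe", "Windows PowerShell"),  # Excel -> PowerShell, no netconn
    ("procstart", 600, 100, "vpnclient.exe", "PacketiX VPN Client"),   # third-party VPN client
]

def build_process_docs(events):
    """Aggregate raw events into per-process documents with the fields the queries use."""
    docs = {}
    for ev in events:
        if ev[0] == "procstart":
            _, pid, ppid, image, desc = ev
            docs[pid] = {"process_name": image.lower(), "parent_pid": ppid, "file_desc": desc,
                         "netconn_count": 0, "childproc_name": []}
    for ev in events:
        if ev[0] == "netconn":
            if ev[1] in docs:
                docs[ev[1]]["netconn_count"] += 1
        elif ev[2] in docs:                      # procstart whose parent we know
            docs[ev[2]]["childproc_name"].append(ev[3].lower())
    return docs

def office_spawns_powershell(doc):
    """(process_name:winword.exe OR excel.exe OR powerpnt.exe) AND netconn_count:[1 TO *]
    AND childproc_name:powershell.exe"""
    return (doc["process_name"] in OFFICE and doc["netconn_count"] >= 1
            and "powershell.exe" in doc["childproc_name"])

def packetix_vpn(doc):
    """file_desc:PacketiX, a VPN client that can carry lateral movement."""
    return "packetix" in doc["file_desc"].lower()

HUNTS = {"office_to_powershell": office_spawns_powershell, "packetix_vpn": packetix_vpn}

def run_hunts(events, hunts=HUNTS):
    """{hunt_name: sorted pids that match} over the aggregated process documents."""
    docs = build_process_docs(events)
    return {name: sorted(pid for pid, doc in docs.items() if rule(doc)) for name, rule in hunts.items()}
```

Note that the Excel process (pid 400) spawns PowerShell but has no network connection, so the first hypothesis deliberately does not fire on it.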
Future: how, under customers' high expectations…
SOAR
• Security Orchestration Use Case: Automating Threat Hunting
• Playbook (436)
• Detonate
• Enrichment
• Extract
• Hunting
• Investigation
• Integration (569)
• Automation (677)
• Script (617)
If only something could semi-automate the pile of manual methods described above…
+
ISSDU next-generation SOC architecture
=
Thank You