In various cases it would be useful to expire/purge older events, clean up the blocklist or delete events from a specific organization.
The MISP Purge Event tool is written in Python and can assist in various cleaning operations.
The ACH model is especially known in the Cyber Threat Intelligence domain as a way to avoid bias in the information during the analysis phase of the CTI life cycle.
The idea is to arrive at the most plausible hypothesis by mapping how likely the evidence is to support each hypothesis. Instead of trying to fit evidence to a single hypothesis at a time, it is better to do the comparison all at once, as this can help remove selection bias. This method can also help the analyst find hypotheses that might not normally be considered.
The model can, however, also be applied with good results during an incident response or investigation engagement of a potential risk.
When working in a SOC (Security Operations Center) it is often required to produce metrics or KPIs on the detection capabilities, and the flaw some make is attempting to measure "Time to detect" and "Time to respond" as these are known from IT Incident Management, where they are often referred to as MTTD (Mean time to detect). The metrics/KPIs are often meant to ensure improvements and uphold SLAs. These metrics/KPIs have a potential flaw that we will try to explain, and we will come up with a possible solution using the MITRE ATT&CK Framework.
Ensuring a good patch management strategy in any company often poses big challenges, coming back to coverage vs. risk vs. cost.
Some companies expect to be 100% patched no matter the criticality level of the patch, meaning it can be fixing anything from a button that does not work to a critical vulnerability that is being abused in the wild.
This blog post will focus on patches that are related to vulnerabilities, and on how organizations can optimize the cost and minimize the risk through the use of the MISP Threat Sharing Platform.
With the latest update of the Cratos API we now support direct integration between MISP and Carbon Black’s CB Response (https://www.carbonblack.com/products/cb-response/) through delivery with Threat Intelligence Feeds.
With this latest addition of features you can consume specific data sets automatically from your MISP instance directly into Carbon Black Response, thereby making the power of your threat data even more operational, as you can choose to alert, block or even hunt with the data.
It is far from new that cyber threats are increasing in complexity. The number of compromises, with leakage of confidential information as a result, is steadily rising. Threat actors have the knowledge, capacity and means to circumvent the traditional control measures. Information security must be supplemented with tactical information that can be used as an indicator of focus areas.
eCrimeLabs is currently offering a 30-day trial period on hosted MISP.
The year has almost come to an end and what a year it has been.
A big thanks to all who have supported a small startup and believe in the path that we are on.
During the past 12 months the eCrimeLabs Cratos API has evolved massively and has shown its effectiveness in detecting and mitigating various threats at an enterprise level. The API is used on top of the MISP Threat Sharing Platform.
We are now able to deliver in formats like:
Text
XML
JSON
YAML
STIX2
RPZ
CEF
Bro/Zeek
Checkpoint
BlueCoat
SecurityOnion support
The features continue to evolve and the implementations improve; keep an eye on https://www.github.com/eCrimeLabs for new open projects.
eCrimeLabs also continues to on-board customers on our hosted MISP platform, designed for customers who want to make use of MISP without having to handle the operational part of keeping a MISP instance updated and running.
So, to summarize: thanks to all who believe in and support a small growing company like eCrimeLabs, working and correlating with many to help secure your businesses from the ongoing threats.
Merry Christmas and a happy new year.
Dennis Rand
Founder
For the last 3 years we have been working on a research project on UDP services that could be, and are being, abused in relation to DDoS attacks.
The original idea was to attempt to identify why a large part of DDoS attacks were originating from Russia and China: could this be due to the number of services in the different countries, or something else?
The answer to this was not conclusive: while the abused services were present in high numbers in the two countries, there was no direct evidence as to why.
A guess could be that take-downs of vulnerable services in these countries were not seen as much, but again nothing conclusive.
The research covered 20 different UDP services, with 21 different attacks scenarios.
During this research, as often happens when you go down the rabbit hole, you end up in another place, and the research turned from defensive to offensive.
By using the large dataset collected, in this case only on UDP, the attack scenario of "MaxPain" came to life. The thought behind this is that the closer to the target an attacker can come.
Looking at a “standard” anti-DDoS solution it could look like the below illustration
When applying the attack analysis of MaxPain you start searching as close to the victim as possible and work your way out. This can have the effect that instead of having to reach a DDoS size of 1-2 Tbit/s you just need to reach line speed on the Internet connection.
It was also during this research that I found another UDP protocol that can be abused in DDoS attacks, in this case an IoT protocol named CoAP.
“The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained networks in the Internet of Things.
The protocol is designed for machine-to-machine (M2M) applications such as smart energy and building automation.”
The service was not really being used when the research project started; however, between November 2017 and December 2018 it jumped from 6500 instances to 26.000, and last month it was close to 600.000 just in China and still rising.
This can be due to the implementation of a service in China providing "The world's first decentralized mobile network" (http://qlink.mobi).
It has been an honor to present this research at RVASec 2018 (US), Hack.lu (LU), IDA Driving IT (DK) and Erhvervsakademi Aarhus (DK).
Now this research project has come to an end and we are happy to announce that Censys has allowed eCrimeLabs to share the raw scanning dataset on the scans.io project page - https://scans.io/study/ecrimelabs-amplifiers.
The dataset consists of 3 large *.tar files, which in turn contain a lot of bz2-compressed JSON files.
If you prefer to work with PCAPs instead of JSON files, the json2pcap conversion tool is located on GitHub. These can be used as "simulated" attacks against your security products.
The structure of the JSON
https://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork
Dennis Rand will be attending the MISP Threat Intelligence Summit 0x04 at hack.lu 2018 the upcoming week, and will at hack.lu be presenting the latest updates around the DDoS research project, where research around a MaxPain attack will be presented.
The MaxPain attack is where an attacker uses, among other things, data mining in order to prepare for the best possible attack scenario. By using this it can be possible to bypass ISP-based and enterprise anti-DDoS solutions.
If you are in Luxembourg the upcoming week and want to meet up, please feel free to reach out.
Update from the conference:
Videos from the conference as well as the slides
The integration to the eCrimeLabs Threat API continues to grow.
Previously we added integration with Symantec BlueCoat and the RPZ DNS format, and the latest addition is the generation of Bro rules.
The Bro IDS rule generation was implemented to create full support for SecurityOnion (https://securityonion.net/).
With the continuous growth of integrations we are working on giving the power back to companies and corporations, allowing the use of various sources of threat data from both open and closed source relations.
It is important to be able to react to an incident, and this is where the eCrimeLabs Threat API, in cooperation with the MISP threat data sharing platform, can close the gap.
eCrimeLabsFeeds (https://github.com/eCrimeLabs/eCrimeLabsFeeds)
The tool fetches all the feeds presented through the API. The following script can be used to fetch IOC data from the eCrimeLabs Broker API and store it into files, or bulk mode can be chosen. This is useful if you want to push the data into your security solutions yourself, or if you have an off-site engagement with no Internet connection.
SecurityOnion eCrimeLabs (https://github.com/eCrimeLabs/securityonion-ecrimelabs)
This script allows for an easy integration of the eCrimeLabs feeds into any SecurityOnion installation.
The below illustration is the most used implementation of the eCrimeLabs solution.
As a strong believer and supporter of the MISP Threat Sharing Platform, as well as a long-time user, I often add events based on external reports and in relation to incidents we have worked on. This usually also includes searching for additional attributes or IOC data to build up knowledge on the event.
This also includes going to VirusTotal to see if there is any information about e.g. hashes. Often external reports mention only MD5, SHA1 or SHA256 hashes; however, manually searching for every hash
and copy-pasting the result into MISP can be somewhat tedious and will take a long time to add file objects and virustotal-report objects and, last but not least, to make a relation between these two.
For this reason I've created the tool VT2MISP, thereby making the data more actionable, as I have more data and context around the original hash.
The MISP event for the following case, "QUASAR, SOBAKEN AND VERMIN: A deeper look into an ongoing espionage campaign" from ESET.
VT2MISP is a small Python script that can be downloaded HERE.
What is MISP, for those who do not know? In short, it is an open source threat sharing platform that allows users to share threat data with each other, while also using it as an internal tool to collect all the threat data you receive, whether something you collect yourself or from external sources. The sharing part can be seen as a form of crowdsourcing: if your network has seen a threat, this platform can be used to easily share this with only trusted partners or with everyone, based on the sensitivity of the data.
So don't store your valuable information in your inbox, but get it into an ever-evolving platform designed and developed by security professionals, threat hunters and incident response teams.
If you are interested in MISP in general, or in our MISP SaaS solution, a fully managed MISP instance, you can take advantage of the MISP platform without having to think of the operational part. eCrimeLabs has also built a custom broker service that allows you to use the data in MISP in your security products in a simple way. You can read more on our services under Threat Intelligence Software-as-a-Service, or contact us directly.
On 7 June 2018 Dennis Rand presented at the RVASec conference in Richmond, Virginia, on the topic of how we will in the future see attacks that are not easy, or not even possible, to mitigate.
The need for digital hygiene if we want to protect our networks.
The videos from the conference have now been released.
eCrimeLabs is proud to announce Dennis Rand will be attending as speaker at RVAsec 2018 in Richmond Virginia.
"RVAsec is the first Richmond, Virginia, security convention to bring top speakers to the mid-atlantic region. The conference will be held on Thursday, June 7th and Friday June 8th 2018 at the Commonwealth Ballroom at VCU’s University Commons."
https://rvasec.com/
The research presented originally started back in 2016 with analysis of DDoS attacks.
As the research and analysis of data evolved, I discovered that there is a large gap in the anti-DDoS defenses that exist today, allowing attackers with minimal effort and some data mining to bypass the enterprise and ISP-based DDoS solutions out there.
Also during the research I was looking through alternative UDP services that could pose a problem in the future, and here came upon an IoT protocol introducing the same possibilities as services designed over 20 years ago.
The problem exists in the still large and growing number of vulnerable services exposed to the Internet. The numbers from April 2018 were close to 19.000.000 IPs with the potential of being abused.
Threat intelligence is a term used and abused by both media and organizations, and many make the assumption that threat intelligence is only applicable to government-sponsored attacks and malicious groups with highly technical capabilities. This is also why every company
should have some sort of TIP (Threat Intelligence Platform).
I do agree with that; however, threat intelligence can also be applicable to something as simple as ransomware attacks, as I will try to explain in this little write-up.
But before we get to this, let's make it clear that Threat Intelligence is not a feed with domains, IPs, MD5/SHA1/SHA256 hashes etc.; that should be defined as a threat feed. In order for something to be "intelligence", it needs to have some sort of context, something that relates data from a threat feed to something else, which could again be ransomware.
What is a TIP (Threat Intelligence Platform):
A very good paper has recently been released by ENISA called "Exploring the opportunities and limitations of current Threat Intelligence Platforms".
https://www.enisa.europa.eu/publications/exploring-the-opportunities-and-limitations-of-current-threat-intelligence-platforms
I'm personally a big fan of the MISP Threat Sharing Platform. It is under ongoing development with many possibilities and is available to everyone, because it is a well-maintained open source platform backed by many, with endless possibilities to expand or contribute to.
http://www.misp-project.org/ - so if you don't already have a TIP in your organization, this is definitely worth a look.
The case:
I will try to describe a case with ransomware, as it is something we have all heard of and most of us have experienced, in some form or another. The context I'll describe
is from an incident response perspective, and with that in mind I will use the well-known triage model from NIST (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf).
This is not the only model that incident responders use, but probably one of the most known.
The loop goes like "Preparation" -> "Detection & Analysis" -> "Containment, Eradication and Recovery" -> "Post-incident Activity".
Now, from my perspective, Threat Intelligence fits well into all of these steps, as it is a matter of logging and analyzing the incident both while it is going on and also when
it comes to an "end". This is where the TIP comes in handy, and why everyone, big or small, should have one; it is a matter of learning.
Case example:
A user calls the help desk with the information that his screen looks a bit weird: there is a message saying "All of your files are encrypted with RSA-2048 and AES-128 ciphers."
In this case it should already be pretty clear that something not that good is going on; it is now a matter of detaching the user's computer from the
network so that it can't do any more harm than it probably already has.
This is usually where the internal security team comes into play; even if you are a small team, this still applies.
In the detection process you now need to start checking multiple things: one, is your backup OK, and second, has anyone else been affected?
The security team now gets hold of the machine, while also looking into their log system to try to identify whatever they can on the current threat. A sample is collected from the machine.
The data is added into the TIP, storing checksums like MD5, SHA1 and SHA256.
After this, execute the sample in a sandbox; if you don't have one yourself there are public sandboxes or services like VirusTotal that can be used. Remember that this is not always a good idea if there is a suspicion of a more targeted attack, as it can give the threat actor an indication that they have been spotted. But in this case we suspect that this is a standard ransomware attack.
After uploading to virustotal.com it confirms that we are talking about a ransomware binary in the Locky family.
https://www.virustotal.com/#/file/bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3/detection
This gave some additional information on network connections
and the payment URLs.
Now you have the capability to search your logs for anyone who connected to any of these, as they are indicators of potential infections. This showed 2 more computers infected:
DESKTOP-DS0VFGI
DESKTOP-UU1KCDG
DESKTOP-XJSHESU (The initial machine)
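The log search described above, as an added example that is not part of the original post: the C2/payment domains and the proxy log lines are constructed placeholders (the real values were only shown in the post's screenshots), while the client hostnames are the ones listed above. The matcher only flags a destination that is the IOC domain or a subdomain of it, so look-alike names such as `notc2-example-a.invalid` do not produce false positives.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed IOC domains standing in for the C2 and payment hosts from the sandbox
# report (placeholders, not the real infrastructure from the post).
C2_DOMAINS = ["c2-example-a.invalid", "c2-example-b.invalid"]
PAYMENT_DOMAINS = ["payment-example.invalid"]

# Constructed proxy log excerpt: timestamp, client hostname, method, URL, proxy action.
SAMPLE_PROXY_LOG = """\
2018-03-01T09:12:04Z DESKTOP-XJSHESU GET http://c2-example-a.invalid/beacon ALLOWED
2018-03-01T09:12:05Z DESKTOP-A1B2C3D GET http://www.example.org/index.html ALLOWED
2018-03-01T09:15:41Z DESKTOP-DS0VFGI POST http://c2-example-b.invalid/beacon ALLOWED
2018-03-01T09:20:17Z DESKTOP-UU1KCDG GET http://payment-example.invalid/pay ALLOWED
2018-03-01T09:25:33Z DESKTOP-A1B2C3D GET http://notc2-example-a.invalid/ ALLOWED
2018-03-01T09:26:02Z DESKTOP-A1B2C3D GET http://c2-example-a.invalid.example.org/ ALLOWED
this line is malformed and must be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<action>\S+)$"
)


def parse_line(line):
    """Parse one proxy log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["dest_host"] = (urlsplit(rec["url"]).hostname or "").lower().rstrip(".")
    return rec


def host_matches(hostname, ioc_domain):
    """True if hostname equals the IOC domain or is a subdomain of it.

    A plain substring test would wrongly flag 'notc2-example-a.invalid' and
    'c2-example-a.invalid.example.org'; the label-boundary check avoids both.
    """
    hostname = hostname.lower().rstrip(".")
    ioc_domain = ioc_domain.lower().rstrip(".")
    return hostname == ioc_domain or hostname.endswith("." + ioc_domain)


def find_infected_hosts(log_text, ioc_domains):
    """Return {client_host: [matched IOC domains]} for every client that contacted an IOC."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of crashing the hunt
        for ioc in ioc_domains:
            if host_matches(rec["dest_host"], ioc):
                hits[rec["client"]].add(ioc)
    return {client: sorted(iocs) for client, iocs in sorted(hits.items())}


if __name__ == "__main__":
    for client, iocs in find_infected_hosts(SAMPLE_PROXY_LOG, C2_DOMAINS + PAYMENT_DOMAINS).items():
        print(f"{client}: contacted {', '.join(iocs)}")
```

Each hit is a candidate for the same isolation step applied to the first machine, and the matched domains go into the TIP event alongside the hashes so the relations are recorded.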
From interviews with the employees and analysis of their machines it was also found that the threat came in through email:
from: svc_apacnts_274@herbalife.com
subject: HERBALIFE Order Number: 6N01001367
And with a .7z attachment that included a .vbs file.
All in all, at this point you will have a lot of IOCs (Indicators of Compromise).
Also, while you do your analysis and enter data, the TIP will show you any relations that can assist you in deciding how to act.
This means it is more than just an IOC database, as it will give the analyst information on what he or she is up against.
As shown on the right, there are already many indicators from other events that help you make decisions.
When all of these indicators are added into the TIP, it allows the analyst to visually describe the infection and also to identify which security solutions the infection bypassed.
The first security solution that was bypassed was what is implemented on the mail server.
Second, when the attached file "6N01001367_1.7z" was opened, stage one was not detected by the antivirus.
Third, a file was downloaded, so any web proxy with scanning capabilities failed.
The fourth failure was when Locky was initiated as stage two; this was not detected either.
And last but not least, either the web proxy or a DNS blacklist failed to detect the communication with both C2 servers and any interaction with the payment site.
So, as a conclusion on the post-analysis part, the following would need to be looked at:
The lesson learned is that we have to learn from the incidents we meet: register what happens, respond and act.
For this I like to merge the concept of the OODA Loop and the Incident response lifecycle.
The incident response life cycle is used and re-evaluated, as the name says, as a life cycle.
This means you have to have systems, procedures, processes and people in place and tuned to act when an incident takes place. This is where you need to work in the "Detection & Analysis" and "Containment, Eradication & Recovery" phases.
In these two phases I personally look to the OODA loop to be able to decide how to act.
The OODA loop states that you need to Observe and Orient; based on this you should be able to make a Decision and then Act.
In the above case the initial observation and the data received resulted in the decision that this was, at first sight, a "standard" ransomware case that could be acted upon. However, always remember to do a full analysis to see if the ransomware is a cover-up for something more targeted.
And finally, remember to do your post-incident analysis.
So, back to why you need to build and maintain a Threat Intelligence Platform: it will give you insight, relations and data to act upon in a structured way, and if you implement your threat intelligence into your security products it can help you act faster, while also recording what has to be done in the future to avoid this from happening again.
Remember that a Threat Intelligence Platform does not need to be fully utilized from day one; this is a path you are on, and the TIP can help you and your team grow and learn.
So, back to the topic: you should have, build and maintain a Threat Intelligence Platform to categorize the data you receive and the incidents you analyze. It will give you an amazing insight into threats towards your organisation.
The source of the above information can be found here: https://github.com/eCrimeLabs/IOC/blob/master/b606aaa402bfe4a15ef80165e964d384f25564e4_locky.json
If you want to hear more or have any questions please contact us.