Transcript for:
Understanding Indicators of Compromise in Cybersecurity

Thank you, and good morning, everyone. My name is Jake Zaskin. I'll be your facilitator this morning, as well as monitoring our chat panel for any questions that you have during our webinar. I'm joined by my colleague Joe Goodwin, who will be walking us through our material. We're excited to be here to present an introduction to indicators of compromise, so let's get started.

Good morning, everybody. Good morning, Jake. So this webinar covers how to use indicators of compromise, or IOCs, to identify the occurrence of suspicious activity, locate and remove threat activity in your systems, and prevent cyber attacks by sharing IOC data with other organizations and using the IOC reports to stay on top of new threat activity, which evolves every day. In the next hour we'll introduce and define indicators of compromise and explain why they are crucial to enterprise cyber security; list the uses for IOCs in cyber security and threat analysis; describe the categories of IOC and how they're used in incident response; and then we'll introduce the MITRE framework and how IOCs can be used as clues to put together a picture of threat activity and the potential perpetrators involved. And lastly, we'll share resources that enable you and your organization to identify, document, interpret, and share and receive IOC information with outside organizations.

So from a learning objective standpoint, our terminal objective is to understand the importance of IOCs and how they are used in cyber security and incident response. Enabling that terminal objective, we'll define IOCs, explain why they are important, understand how IOCs are used and the types of IOCs with a few examples, introduce the MITRE ATT&CK framework and how it supports analysis of IOCs, and then use the framework to identify advanced persistent threat groups and recommended actions for protection, and we'll provide example analyses of IOCs using the ATT&CK framework.

So incident responders use numerous methods to identify a threat or potential compromise. Sometimes there are clear signs that something may be awry, such as phishing emails, access issues, unusual network performance, to include things like slowed systems or corrupted programs or files, and there are unusual activities such as unexplained file or folder changes or configuration changes. These activities are easier to identify because they are known methods or symptoms of an attack, and there's often awareness training and general knowledge around these common indicators. However, most cyber threat activity does not result in obvious impacts. Cyber threat actors do not want to be detected; they want access. They want to access the system to perform reconnaissance and then execute their objectives without being discovered. The goal of cyber security is to create a layered network defense and reduce those open vulnerabilities to keep out unauthorized users and activity. So if we know that threat actors could already be in a given system, how can incident responders identify a potential intrusion, find threat actors in the system, and then figure out what they're doing or what they did? Remember that sophisticated threat actors are not likely to leave those obvious clues behind.

A short little reference to history here. The island hopping campaign was a technique used by the Marines to advance toward Japan during World War II. They targeted the islands that were not as strongly defended by the Japanese. They took control of those islands and then quickly constructed landing strips and small military bases; then they proceeded to attack other islands from those bases they had established. It was effective because it established footholds to conquer the targeted goal, which is Japan. This strategy is kind of similar to how threat actors compromise their victims' networks, gaining access layer by layer until they have the access and control that they need. An indicator of compromise consists of the tactics, the techniques, and the procedures that threat actors use to gain access to an enterprise to compromise the environment. Once inside the enterprise, a technique often used is pivoting through the network, compromising multiple systems, and then exfiltrating data.

Okay, so that does make sense, but can you talk a little bit about what specifically is an indicator of compromise?

An indicator of compromise is a clue or a forensic artifact that can be used to indicate an intrusion or a compromise of a host in a network. So in other words, it's a clue that something went wrong and it needs to be investigated. An indicator of compromise can reveal, as stated earlier, the tactics, techniques, and procedures used (the TTPs), the severity of the compromise, where a mitigation should be applied, or even which adversary is attempting the compromise.

So to start, let's think about your car. Every car has a dashboard that provides measures of performance as well as safety indicators: things like tire pressure, engine light, oil light, battery, and so on and so forth. The driver uses these indicators to see how the machinery is performing in real time, like speed gauges, fuel range, RPMs, and then the dashboard also alerts the driver to potential problems. Some are simple, like low fuel or low oil, while others might require more detailed investigation depending on the circumstances, like if the check engine light comes on or if the oil pressure drops suddenly. So the car dashboard provides information on how the vehicle is performing, and it reports safety or maintenance concerns. Similarly, computer networks and systems must be monitored by tools and programs that scan the network and report that unusual activity. So mechanics work to identify a problem with a car and how it happened; they can diagnose the problem and often determine what caused it, such as mechanical failure, improper usage, or even things like sabotage. Mechanics can see or hear the problem, or in modern times they may need to, quote, plug in the car to a diagnostic computer at the shop. Incident responders are like mechanics. The incident responder will look for suspicious anomalies occurring in the network. Unusual outbound network traffic is an indicator of compromise that could indicate data exfiltration to a malicious remote site. Another indicator of compromise might be an increase in database read volume prior to an increase in outbound network traffic. So these are just two examples of IOCs, but there are many more that should be considered for forensic analysis.

So, sorry, slow on the slide change. So in NIST 800-53, indicators of compromise are defined as forensic artifacts from intrusions that are identified on organizational systems at the host or network level. Digital forensics is the application of scientific investigatory techniques to digital crimes and attacks. In forensic science, Locard's principle holds that the perpetrator of a crime will bring something into the crime scene and they will leave with something from it, and that both of these can be used as forensic evidence. The principle is named after Dr. Edmond Locard, who lived in the late 1800s and early 1900s. He was a pioneer in forensic science who kind of became known as the Sherlock Holmes of Lyon, France. He formulated the basic principle of forensic science as, quote, every contact leaves a trace. So it's generally understood as: with contact between two items there will absolutely be an exchange. So an IOC is a trace that a threat actor leaves behind when it contacts and infiltrates an organization's system.

Okay, great. So let's quickly open up for a question from the audience. Who of you has utilized digital forensic investigations for their organization? So we will have a polling pod come up, so go ahead and just click to get a sense, as asked, of who has some experience with digital forensics or investigations in the organization. It looks like we have a pretty even split down the middle, 50/50, with folks who have or have not, and a few folks who don't know, likely uninvolved on the IT side of the house, but okay, good. All right, great. We like to do those pulse checks every now and then from the audience.

So IOCs provide valuable information on systems that have been compromised. The rapid distribution and adoption of IOCs can improve information security by reducing the time that systems and organizations are vulnerable to the same exploit or attack. So these IOCs are important as a key source for a few things: the identification of the advanced persistent threat actor or group, the APTs; indicating that something is wrong on the network; the forensic identification of crime or attack; understanding how a compromise even occurred in the first place; or just testing your systems or your network for vulnerabilities. Using IOCs, the incident responders can kind of connect the dots in incident analysis to get a picture of threat activity. IOCs are all important to the following incident response activities: early detection, training and analysis, the identification of vulnerabilities and assessing the impacts, response to an incident, blocking those advances from unauthorized users, understanding the nature of the attack, and then information sharing exchanges within an industry, for example banking IOCs related to e-commerce IOCs, and how do they look related to, for example, government IOCs. The patterns and the specific types of IOCs can be used to identify attack methods and attackers, as threat groups do have known modus operandi; they can lead to attribution. So ultimately, where and how IOCs are identified can determine how a threat actor circumvents defensive mitigations and the security controls so that they can continue their unwanted activities within your enterprise.

David Bianco defines the Pyramid of Pain, in which he notes methods a threat actor can deploy to support their continued unwanted activities against your enterprise. So this diagram shows the relationship between the types of IOCs you might use to detect an adversary's activities and how difficult it is to defend against those methods and to deny those attack vectors by addressing those IOCs with mitigation strategies. So the underlying message is: the more IOC types that are incorporated into your defense posture, the more agile your capability to combat security incidents within your enterprise will be. So here at the top of the pyramid are indicators of the tools, tactics, techniques, and procedures (TTPs) used specifically by the attacker. These human variables specific to a group or individual actor are the most difficult to combat, as skilled hackers have a variety of attack methods at their disposal, and new methods that exploit new and known vulnerabilities arise continuously in the field of cyber security. The pyramid organizes IOCs in two ways. One: how difficult or painful is it to collect and apply the IOC to cyber defenses? Malicious hash values and IP addresses are relatively easy to acquire and integrate into security tools; TTPs are more difficult to identify and apply, as most security tools are not well suited to take advantage of them. And then second: how much pain can the IOCs inflict on cyber adversaries? It's relatively easy for an adversary to obfuscate malware code and change the hash values; IP addresses can be dynamically changed at low cost. The TTPs are sticky and expensive for an adversary to change. As a result, security tools that leverage TTPs can inflict more pain on the adversary.

The CISA Hunt and Incident Response Program, or CHIRP, is a forensic collection tool that CISA developed to help network defenders find IOCs associated with activity detailed in the following CISA alerts. First, Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations, which primarily focuses on an advanced persistent threat, or APT, actor's compromise of SolarWinds Orion products affecting U.S. government agencies, critical infrastructure entities, and private network organizations. Next, Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments, which addresses APT activity within Microsoft 365 and Azure environments and offers an overview of and guidance on available open source tools. The alert includes the CISA-developed Sparrow tool that helps network defenders detect possible compromised accounts and applications in the Azure/Microsoft 365 environment. Similar to Sparrow, which scans for signs of APT compromise within a Microsoft 365 or Azure environment, CHIRP scans for signs of APT compromise within an on-premises environment. So here we want to show a great video created by CISA that explains CHIRP.

Hello, my name is Ricardo Davidson Sr. I have 21 years in information technology, with seven years in cyber security, having worked in the SOC for four years with a specialization in digital forensics and incident response. I will conduct a high-level demonstration of tool usage in performing syslog analysis. We've covered different security information and event management, or SIEM, tools throughout this presentation. I will cover a SIEM solution as well as another tool, Wireshark, that analysts can use for analyzing network traffic.

First, I want to reiterate the importance of performing syslog analysis, conversely called network forensics. Cyber security logs provide a wealth of information that allows an analyst to identify IP addresses, affected hosts, and connections that were maintained when an anomaly occurred that sparked the alert. An anomaly consists of anything that's outside normal network traffic activity. This could be adding a user outside of designated hours, or suspicious traffic connections to a host within your environment. So with that being stated, let's log into our Windows 10 virtual machine, where I have access to a SIEM solution and Wireshark. Then we'll use Chrome to log into Security Onion, which is our SIEM solution.

Okay, I've logged into Windows 10, where the necessary tools are already installed. Launching Chrome, I can now log into our SIEM solution. Now we've logged into Security Onion, our SIEM solution, and as you can see you have an Overview tab, but if you hit these pancakes you'll see the other functionality that you have in this SIEM solution: you see Overview, Alerts, Hunt, PCAP, etc. For monitoring purposes, most SIEMs will have this functionality. I'll operate from the scenario that alerts were generated indicating suspicious behavior is occurring in the enterprise, so I'll scroll to the Alerts tab. You can receive an alert via email, or if you're monitoring your SIEM you can just scroll to your Alerts tab here, and you see the following alerts occur. All right, these particular alerts were generated over a two-week period, but you could scale them from weeks to seconds to minutes to hours, days, etc., all the way to months. Now, considering this is a small environment, a lot of alerts were low. Alerts are usually classified as high, medium, and low, with high needing immediate attention. Now I've escalated some alerts for this demonstration, selecting Options and selecting Escalate. You'll see medium alerts should raise an analyst's curiosity. I want to refresh, and this is the medium alert that I'm talking about. So again, there are low alerts, but the medium hit draws my curiosity to investigate further. The alert lists that a new user was added. This could be a legitimate alert: if this new user was added after normal working hours and had elevated privileges, mainly they elevated them to administrative access, this would be indicative of a compromised system. If that's the case, an extreme amount of damage could occur in your environment. Analysts would need to perform deeper analysis for this particular alert.

Another feature contained in the SIEM is the packet capture function, where you can obtain a PCAP file. Packets are a small segment of a larger message; data sent over the internet are divided into packets. These packets are then recombined by the receiving computer or device. Packet capture is intercepting that data for analysis purposes. Packets traversing through your network will provide crucial information in identifying what systems are communicating with each other or with remote hosts, a clear indicator of compromise if the remote host is deemed malicious. So let's power on Wireshark and review a PCAP file that I've captured earlier and observe what information an analyst can gather from that instance. I'm going to open up a previously captured PCAP file. Important items to view in Wireshark are your timestamp, which indicates the time that this traffic was being transmitted; your source, which is the source IP address; and the destination IP address; and you also want to look at the TCP, that's the protocol, Transmission Control Protocol. So you can see that TCP was the protocol used between the source 192.168.200.135 and the destination 192.168.200.21. The analyst will need to perform more in-depth analysis to determine what is occurring: if this destination host is identified as malicious, if it's a command and control host that is delivering commands to gain more access to pivot through the environment. These are but a few questions that should be raised when using these tools. And I'll do a quick deep dive into what I mean by the data that's been transmitted in this PCAP file. So I'll just go down here, Follow, and do a TCP Stream, and it's sending basically hello packets. This is very generic stuff, but that data could be real lengthy, because it contains whatever data you're transmitting in it, but for instructional purposes it's just transmitting hello. So I performed two different scenarios in the use of Security Onion and Wireshark: identifying in Security Onion the use of alerts to begin investigation on an added user, and communication between two systems in Wireshark. This is a very brief high-level overview of syslog analysis slash network forensics and tools that can be used to perform this endeavor. Most SIEMs offer this functionality, but multiple tools are used to deep dive into what is considered malicious activity in your environment and doing further analysis on exactly what has occurred. And that concludes this demonstration, and thank you for your time.

Okay, that actually looks really cool. So you mentioned APTs a few times, Joe; can you expand on those a little?

Sure. So an advanced persistent threat, or an APT, is a cyber attack executed by criminals or nation states with the intent to steal data or surveil systems over an extended period of time. So the attacker has a specific target and goal and has spent time and resources to identify which vulnerabilities they can exploit to gain access, and then to design an attack that will likely remain undetected for a long time. The attack often includes the use of custom malware. The motive for an APT can be either financial gain or political espionage. APTs were originally associated mainly with nation state actors who wanted to steal government or industrial secrets; cyber criminals now use APTs to steal data or intellectual property that they can sell or otherwise monetize in some way. APT hackers and malware are more prevalent and sophisticated than ever before. For some professional hackers, working either for their government or relevant industries, their full-time job is to hack specific companies and targets. They perform actions relevant to their sponsor's interests, which can include accessing confidential information, planting destructive code, or placing hidden backdoor programs that allow them to sneak back into the target network or the computer at their will. APT hackers are very skilled and have the huge operational advantage in that they won't be arrested. Imagine how much more successful and persistent any other thief might be if they knew they could get away with some level of guarantee. But still, they don't want their activities to be immediately noticed by their targets, because it would complicate their mission. A successful advanced persistent threat hacker breaks into networks and computers, gets what is needed, and then slips out unnoticed. They prefer to be kind of slow and low; they don't want to generate a lot of strange-looking auditable events, error messages, or traffic congestion, or cause service disruptions. Most APTs use custom code to do their activities, but prefer, at least at first, to use publicly known vulnerabilities to do their dirty work. That way, if their activities are noticed, it's harder for the victim to realize that it's an APT versus the regular, less serious hacker or malware program.

The MITRE ATT&CK framework is a framework for describing the different ways that attackers have been able to both target and attack their victims. This is a living framework; it's regularly updated, and it's a compilation of real-world attacks. It consists of adversarial techniques that can be correlated to the TTPs employed by the APT groups. A collection of multiple IOCs can help to identify which perpetrators may be involved. The IOCs correlate to the techniques in the framework, which are mapped back to known APTs based on the capabilities employed. To strengthen security, organizations can use these techniques to simulate the threat actor and identify vulnerabilities in their network. Based on IOC findings, defenders can create and apply signatures to their intrusion detection systems or intrusion prevention systems to identify or prevent future threat activity.

So, putting it all together, an example. A tactic might be gaining initial access. The technique might be through phishing or spear phishing. The procedure description would be: spear phishing via service is a specific variant of phishing; it's different from other forms of spear phishing in that it employs the use of third-party services like Twitter or LinkedIn rather than directly via enterprise email channels. So an example of a procedure might be one of your employees that gets targeted via Facebook at work to visit a malicious URL. Mitigations for this might be anti-malware, user training, or the restriction of these services that are on your enterprise, like Facebook. Detections might be SSL or TLS inspection or endpoint protections.

So this is not meant to be an eye chart, and I'm not meant to read all these, but just to give you an overview of what the matrix for an enterprise would look like. So in the framework, tactics represent the "why" of a technique: what is the adversary's objective when they perform a given action? So if we look across the tactics across the top, we see things like high-level sequences of actions that map to techniques: things like reconnaissance, privilege escalation, defense evasion, lateral movement, discovery, and so on and so forth. There are PRE-ATT&CK and ATT&CK matrices, along with distinctions made for different operating system platforms, for example Windows, Mac, etc. There are also distinctions made for cloud and mobile options. The distinctions are necessary because not all attacks will be applicable to all operating system platforms or technologies. PRE-ATT&CK refers to the range of activities attackers may use before they actually attack; activities are more than just reconnaissance, but also about acquiring and maintaining infrastructure.

You've probably heard about TTPs; we've discussed them many times. What do they really mean? Again, they refer to the tactics, the techniques, and the procedures. Tactics are the reason for performing the action, again the "why": gaining initial access, executing something, persisting, elevating privileges, discovering credentials. Take note that an attacker may not necessarily use all tactics for an attack. Each column of the headers in the ATT&CK matrix is a tactic that you'll see. The techniques are the "how": how the attacker may leverage a tactic, such as exfiltration, to move data out of the system, and there's hundreds of techniques. Those techniques again fall under their tactic columns, so they would be read vertically. Examples of techniques: exfiltration has eight techniques under the window in the matrix. And then the procedures, the details of performing the technique, or in a practical sense, how the attacker got in or how they could get in.

I think, again assuming you're planning for proactive measures, can you give an example of how ATT&CK will be applied?

Sure. So ATT&CK can be utilized to understand an attack like Stuxnet, which is an ICS attack. Stuxnet was a devastating cyber weapon that impacted Iran's nuclear capability back in 2010. By some estimates, their uranium enrichment was set back by over 30 percent. So Stuxnet was a malware that was initially dropped onto computers at the Natanz nuclear facility via USB sticks. So the malware basically searched for ICS software on infected computers on the network. Once it found a controller, the real attack began. The malware caused the control software to malfunction, resulting in the centrifuges spinning at uncoordinated and varying rates of speed, thereby burning them out physically. The tactic was successful, as over a thousand centrifuges were damaged or destroyed. So this version of the ATT&CK framework shows the techniques used. Here are a couple of examples, those are the boxes I've kind of highlighted: so we see Replication Through Removable Media (USB sticks); Man in the Middle, needing somebody to come in and introduce that; Network Sniffing; Commonly Used Ports. On impacts we see Damage to Property, the physical damage to the centrifuges; Manipulation of Control, making them spin at those uncoordinated speeds; and then Manipulation of View, where controllers didn't even know that the centrifuges were out of sync, so to speak, because of a manipulated dashboard view.

So let's throw out another question to the audience. Since we talked about the MITRE ATT&CK framework, I just want to get a sense of who has experience with the framework, either having seen it or actually used it before. Okay, so we have a fair number. It's a little 50/50, sort of more folks have experience than do not, but not by a large margin. Okay, good. It's good to see. Hopefully for those of you who have not used it or are not aware of it, having been introduced to it, it's something you can look into some more. Great.

Okay, so the following APT examples show the correlation of tactics tied to state actor groups. Groups are mapped to their documented activities throughout the framework and range from state actors to criminal groups focused on specific targets like the financial sector or attack types like ransomware. The tools and techniques link pieces of code, malware, and files to known attack types and groups that use that product. So let's start with looking at APT12. This is otherwise known as Numbered Panda; it is a China-attributed threat group that targeted media outlets, tech companies, and multiple governments. The group is believed to be operating since 2009. Although the group has typically targeted East Asia, in 2012 they were believed to have breached the New York Times. In terms of tools and techniques: DNS calculation, multiplying the first two octets of an IP address and adding the third octet to that value in order to get a resulting command and control port; phishing, which is sending emails with malicious Microsoft Office documents and PDFs attached; user execution of malicious files, getting victims to open the malicious Word and PDF files sent via spear phishing; and web service bi-directional communications, using blogs and WordPress for C2 infrastructure. And there are also a few associated groups that are listed there with APT12. Now, as noted, APT12 is linked to known tactics in the areas of initial access, execution, and command and control of the MITRE ATT&CK framework at the enterprise level. This dashboard view is a summary of known IOCs for this threat actor, but should not be considered a complete profile, and again, it's not meant to be an eye chart, but to show how you can utilize the MITRE ATT&CK framework to highlight specific APTs and how it is used within the framework.

Next we've got APT33, otherwise known as Elfin. It's an Iranian suspected threat group that targeted organizations across multiple industries in the U.S., Saudi Arabia, and South Korea, with particular interest in the aviation and energy sectors. The group is believed to have been formed no later than 2013. APT33 uses a dropper program written in Farsi to deploy a wiper application that installs a backdoor; spear phishing emails loaded with malicious code to deliver the program to victims; and impersonating commercial entities like Boeing or Northrop Grumman through registered web domains. As noted, they have known methods to achieve initial access, execution, persistence, and privilege escalation, as well as credential access, discovery, and command and control. The dashboard view seen here is the initial level of known IOCs for this threat actor, but again should not be considered a complete profile. But as compared to APT12, we see many more of those boxes highlighted on this MITRE ATT&CK framework.

And last but not least, we'll look at APT28, otherwise known as Fancy Bear. It's a Russian-attributed threat group that targeted the Hillary Clinton campaign, the DNC, and the Democratic Congressional Campaign Committee in 2016 to interfere with the U.S. presidential election. They're believed to be operating since at least 2004. Some of their tools and techniques are spear phishing emails with zero-day vulnerabilities that were delivered to victims; they've been consistently updating their malware since 2007; and they periodically wipe log events and reset timestamps to avoid forensic analysis of their hacks. We see there listed some of their associated groups that you may have heard of, and as noted, they have known IOCs in all areas of the MITRE ATT&CK framework at the enterprise level.

Great. So thank you, Joe. This concludes the case study portion of the webinar. We'll finish up today by walking through a knowledge check, reviewing some of the core concepts from this course. We'll cover seven questions. When the question is read, make a note of your answer, and after a few moments we'll reveal the correct answer. Follow along and see how actors attempt to defeat a layered defense with methods that could be described as: an island hopping campaign, hackathon, full press, or spear phishing campaign. Okay, it looks like we have everybody jumping on that first option, the island hopping campaign; nobody's biting for any of the others. Great, looks like we have most people responding, and that is correct. Again, it's that cyber security: we want to look at that layered defense to prevent that island hopping, like gaining footholds slowly but surely through the enterprise.

Next question: an IOC can reveal severity of attack, where the attack occurred, who is responsible, the tactics, or all of the above. Okay, so we've got a few folks taking on tactics, a lot of people on all of the above. We'll wait another few seconds, and the correct answer is all of the above. Again, IOCs are important in revealing not just tactics, but responsible parties, where it occurred, and how bad the attack really is.

Next question: this is the application of scientific investigatory techniques to cyber-related crimes. The Locard principle, digital forensics, Bayesian analysis, or computer engineering. All right, some folks with the Locard principle, which we discussed, as well as digital forensics. All right, I threw in Bayesian analysis to try and trick people; computer engineering, nobody. All right, so the correct answer is digital forensics, and although we did talk about the Locard principle, that fed into the discussion of digital forensics, which is the general application of that technique. Excellent.

Next question, yes or no: security logs show multiple failed logins followed by a successful login. This is a potential indicator of compromise. Okay, so we've got most people jumping on the yes. Here we're seeing multiple failed logins: is this a potential IOC? So fail, fail, fail, and all of a sudden they get in, and yes, that would be a potential indicator of compromise.

Next question: the recent forensic collection tool developed by CISA is called Spark, CHIRP, UASI, or Cyber Trace. Okay, we've got some folks who dabbled in Cyber Trace and UASI but backed out; most people are on CHIRP; somebody's standing by Spark. Oh, we just lost the Spark vote. All right, everybody is on CHIRP. Correct, that's the tool that was demoed, which DHS has put out and made available. Excellent.

Next question: the MITRE ATT&CK framework consists of techniques employed by domestic terrorists, nation states, environmental hacktivists, or APT groups. Okay, we've got nation states; domestic terrorists backed off; environmental hacktivists, no. So a lot of folks pointing to APT, got a handful of folks with nation states, and the correct answer is APT groups, which is in particular what the MITRE ATT&CK framework consists of in terms of techniques. Great.

And then we do have one extra credit question. All right, extra credit: put the affiliated APT numbers described in the case studies in the same order as the countries below: Russia, Iran, and China. Now you can go ahead and do this in the chat, since we don't have a polling pod that's able to do the numbers, but just go ahead and throw those in, in the order that corresponds to the APT numbers for each of them. So we're looking for, again, the numbers, and the word bank, so to speak, for these is 12, 28, and 33. So yeah, this is difficult; this isn't just putting them in order, it's putting the number assigned to them. So what would Russia be? That would be the first one. Which number for Iran, and then which number for China? Making people's heads smoke on this one, I can feel it. I still have some answers coming in. Okay, and so as not to leave you in suspense, the numbers are: Russia's is APT28, the Iranian one discussed was APT33, and the Chinese one we discussed was... Good job, everybody.

So with that, this concludes the IMR 108 webinar on indicators of compromise. We hope you've enjoyed the webinar and come away with some knowledge that helps you better understand IOCs. If you would like to learn more, we encourage you to visit any of the resources listed below. These include: DHS Office of Cybersecurity and Communications, FNR Division, High Value Asset Control Overlay, CISA Insights, MITRE ATT&CK Framework, and US-CERT Indicator Alerts and Bulletins. Thank you for your participation. A certificate of completion is available for download. Have a wonderful day.
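The knowledge check above calls "multiple failed logins followed by a successful login" a potential indicator of compromise, and the CHIRP demo earlier shows that analysts work from SIEM alerts rather than reading raw logs. The following is an added example, not part of the webinar and not CISA's or Security Onion's code: a small detector that turns that IOC into a rule over authentication log lines. The log format, host name, user names, addresses and timestamps are constructed for the example, and the threshold (three failures) and window (ten minutes) are illustrative assumptions a team would tune for its own environment.

```python
"""
Added example (not from the webinar): flag the IOC "several failed logins
followed by a success" over sshd-style log lines.

Assumptions (not from the page): the log format below, the threshold of
three failures, and the ten-minute window are all constructed for this
example and would be tuned per environment.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, loosely modelled on sshd syslog output.
# host1, the users and the addresses are made up for this example.
# alice: 3 failures then a success within seconds  -> should be flagged
# bob:   1 failure then a success                  -> below threshold
# carol: 3 failures, success 90 minutes later      -> outside the window
SAMPLE_LOG = """\
2024-03-01T02:10:01 host1 sshd: Failed password for alice from 203.0.113.7
2024-03-01T02:10:04 host1 sshd: Failed password for alice from 203.0.113.7
2024-03-01T02:10:09 host1 sshd: Failed password for alice from 203.0.113.7
2024-03-01T02:10:15 host1 sshd: Accepted password for alice from 203.0.113.7
2024-03-01T09:00:00 host1 sshd: Failed password for bob from 198.51.100.2
2024-03-01T09:00:30 host1 sshd: Accepted password for bob from 198.51.100.2
2024-03-01T10:00:00 host1 sshd: Failed password for carol from 192.0.2.9
2024-03-01T10:00:05 host1 sshd: Failed password for carol from 192.0.2.9
2024-03-01T10:00:10 host1 sshd: Failed password for carol from 192.0.2.9
2024-03-01T11:30:00 host1 sshd: Accepted password for carol from 192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, success, user, src) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["result"] == "Accepted",
            m["user"], m["src"])


def find_failed_then_success(log_text, min_failures=3, window=timedelta(minutes=10)):
    """Return one finding per (src, user) pair whose successful login was
    preceded by at least `min_failures` failures inside `window`.

    Failures are tracked per (source address, user) so that unrelated
    failures from other hosts or for other accounts do not pile up.
    """
    recent_failures = defaultdict(deque)  # (src, user) -> failure timestamps
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, success, user, src = parsed
        q = recent_failures[(src, user)]
        # Expire failures that fell out of the window before this event.
        while q and ts - q[0] > window:
            q.popleft()
        if not success:
            q.append(ts)
            continue
        if len(q) >= min_failures:
            findings.append({
                "src": src,
                "user": user,
                "failures": len(q),
                "first_failure": q[0].isoformat(),
                "success": ts.isoformat(),
            })
        q.clear()  # a success ends the streak whether or not it was flagged
    return findings


if __name__ == "__main__":
    for finding in find_failed_then_success(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, only alice's login is reported: bob has too few failures and carol's failures have aged out of the window by the time her success arrives. That second case is the point of the window: a burst of failures hours before an ordinary login is noise, while failures immediately followed by success is the pattern the quiz calls an IOC. As with the "new user added after hours" alert in the demo, the finding is a starting point for an analyst, not a verdict.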