by John Strand
There has been a lot of discussion about threat intelligence lately. The idea is that organizations that get hacked or attacked should share the techniques and malware the attackers used with the public, so that the same thing does not happen to someone else.
So, it sounds a bit like a more complicated implementation of AV... and AV has not worked all that well.
The reason I say this is that at BHIS we launch a lot of attacks. What we do this week will not be the same as next week. Our customers/targets change, so our tools need to be constantly modified. Most importantly, every target is different, which requires us to change our approach and orientation in relation to our attack methods.
Further, there may even be times when no "attack" and no "malware" are used at all. For example, if we find externally compromised credentials via Pwnedlist and a VPN or webmail portal that accepts a simple user ID and password, we are in. No IDS triggers. No alerts. No noise.
We are not trying to get across the idea that threat intelligence is useless, but rather that you should understand its limitations. And, for the record, when talking with our customers we find that the informal exchange between peers tends to have far more value than data from a purchased threat intel feed.
Having friends is good.
So, wouldn't it be nice to get heads-up threat intelligence in real time that is tied to your own network? This is where Cyber Deception and Active Defense come into play. Let's go through a few tools in ADHD and cover how they can feed a robust threat intelligence program.
HoneyBadger and Jar Combiner - There are two tools in ADHD that seem perfectly matched for real-time threat intelligence. We can use HoneyBadger to track an attacker who runs a Java app to within 20 meters of their location via a wireless site survey. However, it is a standalone tool and can often be detected easily. Wouldn't it be nice if we could wrap it into another Java app? Kind of like a back door? Turns out, you can! Simply run Jar Combiner with a Java-based VPN client, a web management interface for a firewall, or an app like VNC, and see how quickly the attacker runs it.
Honeyports - Honeyports trigger only in the event of a fully established TCP connection to a port. We did this because we did not want to make it easy for an attacker to spoof a connection from something sensitive and trick us into blocking it, causing a self-inflicted DoS. However, if you set these ports up effectively, they can alert you to an attacker snooping around your perimeter. The advantage is that they can detect the more targeted and slow attacks that IDS/IPS systems tend to miss.
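The following is an added example of the accept()-gated logic that paragraph describes; it is not the ADHD honeyport script. It listens on a port, does nothing until the kernel has completed a full three-way handshake, and only then records the peer and produces a block rule. The contents of ALLOWLIST, the port used under `__main__` and the iptables rule format are assumptions for illustration.

```python
# Added example, not the ADHD honeyport script: a honeyport that acts only on
# a fully established TCP connection. ALLOWLIST contents, the listening port
# used in __main__ and the iptables rule format are assumptions.
import socket
from typing import List, Optional, Tuple

# Peers that must never be blocked even if they do connect. Assumption: put
# your vulnerability scanners, monitoring hosts and admin jump boxes here, or
# the first authorized scan blocks something you need (self-inflicted DoS).
ALLOWLIST = {"127.0.0.1", "192.0.2.10"}

Hit = Tuple[str, int, Optional[str]]  # (peer ip, peer port, block rule or None)


def block_rule(ip: str) -> str:
    """Return the firewall rule for a peer. It is returned, not executed, so
    the example has no side effects; a deployment would run it as root."""
    return f"iptables -A INPUT -s {ip} -j DROP"


class Honeyport:
    def __init__(self, port: int = 0, host: str = "127.0.0.1",
                 timeout: Optional[float] = 5.0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))  # port 0 lets the OS pick one (tests)
        self.sock.listen(16)
        self.sock.settimeout(timeout)
        self.port = self.sock.getsockname()[1]
        self.hits: List[Hit] = []

    def decide(self, ip: str, port: int) -> Hit:
        """Record a completed connection and decide whether to block it."""
        rule = None if ip in ALLOWLIST else block_rule(ip)
        hit = (ip, port, rule)
        self.hits.append(hit)
        return hit

    def serve_once(self) -> Optional[Hit]:
        """Wait for one connection. accept() returns only after the kernel has
        finished the three-way handshake, so a SYN with a forged source
        address never reaches decide(): the SYN/ACK goes to the forged
        address and the forger cannot send the final ACK."""
        try:
            conn, (ip, port) = self.sock.accept()
        except socket.timeout:
            return None
        # Send nothing and hang up: no banner to fingerprint, nothing for
        # the scanner to learn beyond "the port was open".
        conn.close()
        return self.decide(ip, port)

    def close(self) -> None:
        self.sock.close()


def probe(port: int, host: str = "127.0.0.1") -> None:
    """Act as the scanner: complete a handshake and drop the connection."""
    socket.create_connection((host, port), timeout=5).close()


if __name__ == "__main__":
    # Assumption: 2222 is an unused port sitting next to a real service.
    hp = Honeyport(port=2222, host="0.0.0.0", timeout=None)
    print(f"honeyport listening on tcp/{hp.port}")
    while True:
        hit = hp.serve_once()
        if hit is not None:
            ip, port, rule = hit
            print(f"full connect from {ip}:{port} -> {rule or 'allowlisted, no action'}")
```

Two practical checks before wiring the rule into a real firewall: populate the allowlist with every host that is allowed to scan you, and remember that an address behind a NAT gateway or a shared proxy represents many users, so a block on it can still become a self-inflicted outage for legitimate traffic arriving from the same address.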
Kippo - Why not give the attacker something to chew on for a while, like a fake SSH server? Kippo can be configured to grant fantasy-land access to an attacker. You will want to modify its core scripts so it is not obviously a Kippo server, but that is easy. When an attacker is snared in Kippo you will learn quite a lot about their capabilities, motives and ambitions. Or, another way to call it? Threat intelligence.
Here is a cool Kippo bonus. When an attacker tries to exit the SSH server, the Kippo prompt changes to root@localhost. While the attacker thinks they have left the SSH server they were just on, it is in fact still capturing their commands and passwords. We have seen attackers try to SSH into other systems they have compromised, and we captured the bad guys' passwords.
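Here is an added example, written for this page rather than taken from Kippo, of the two tricks the Kippo paragraphs describe: a shell whose identity is configurable so it does not look like a stock honeypot, and a fake "exit" that switches the prompt to root@localhost while every later command and typed password is still logged. The hostname, the fake file names and the exact response strings are assumptions; the JSON events are what you would ship to your threat intelligence program.

```python
# Added example, not Kippo's code: a tiny fake shell with a fake exit.
# Hostname, file listing and response strings are assumptions.
import json
import time
from typing import Dict, List, Optional, Tuple


class FakeShell:
    def __init__(self, hostname: str = "db-backup01", user: str = "root"):
        self.hostname = hostname          # change this: stock honeypot names give you away
        self.user = user
        self.escaped = False              # True after the attacker "exited"
        self.closed = False
        self.pending_ssh: Optional[Tuple[str, str]] = None  # (user, host) awaiting a password
        self.events: List[Dict] = []
        # Constructed file listing so ls/cat look plausible.
        self.files = {"backup.tgz": "", "notes.txt": "nightly dump at 02:00\n"}

    @property
    def prompt(self) -> str:
        if self.escaped:
            return "root@localhost:~# "   # the "you have left the honeypot" shell
        return f"{self.user}@{self.hostname}:~# "

    def _log(self, kind: str, **fields) -> None:
        self.events.append({"ts": time.time(), "kind": kind,
                            "escaped": self.escaped, **fields})

    def feed(self, line: str) -> str:
        """Handle one line of attacker input; return what the attacker sees."""
        line = line.rstrip("\r\n")
        if self.pending_ssh is not None:
            # This line is the password typed at our fake ssh prompt.
            user, host = self.pending_ssh
            self.pending_ssh = None
            self._log("credential", user=user, host=host, password=line)
            # A real sshd re-prompts a few times; one refusal is enough here.
            return "Permission denied (publickey,password).\n" + self.prompt
        self._log("command", cmd=line)
        parts = line.split()
        if not parts:
            return self.prompt
        cmd, args = parts[0], parts[1:]
        if cmd in ("exit", "logout"):
            if not self.escaped:
                self.escaped = True      # pretend the session ended, keep listening
                return f"logout\nConnection to {self.hostname} closed.\n" + self.prompt
            self.closed = True
            return "logout\n"
        if cmd == "whoami":
            return f"{self.user}\n" + self.prompt
        if cmd == "hostname":
            return ("localhost" if self.escaped else self.hostname) + "\n" + self.prompt
        if cmd == "ls":
            return "  ".join(sorted(self.files)) + "\n" + self.prompt
        if cmd == "cat" and args and args[0] in self.files:
            return self.files[args[0]] + self.prompt
        if cmd == "ssh" and args and "@" in args[-1]:
            user, host = args[-1].split("@", 1)
            self.pending_ssh = (user, host)
            return f"{user}@{host}'s password: "
        return f"-bash: {cmd}: command not found\n" + self.prompt

    def credentials(self) -> List[Dict]:
        """Passwords the attacker typed into the fake ssh client."""
        return [e for e in self.events if e["kind"] == "credential"]

    def dump(self) -> str:
        """One JSON event per line, ready for a SIEM or a peer to consume."""
        return "\n".join(json.dumps(e) for e in self.events)


if __name__ == "__main__":
    shell = FakeShell()
    print(shell.prompt, end="", flush=True)
    try:
        while not shell.closed:
            print(shell.feed(input()), end="", flush=True)
    except EOFError:
        pass
    print(shell.dump())
```

Every event carries an `escaped` flag, so you can tell which commands and credentials the attacker issued after they believed they had left, which is exactly the traffic the fake exit exists to capture.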
Above are just some cool things you can do to utilize Active Defense to help fill out a solid threat intelligence program. Remember, the best intelligence comes from the things you learn, not what others taught you.
About John Strand
John Strand is a senior instructor at SANS Institute. He is also the author of the new Active Defense course SEC550: Active Defense, Offensive Countermeasures, and Cyber Deception.
Besides blogging, teaching and fly fishing (yes, he enjoys that), John is a co-host on the popular security podcast Security Weekly. Tune in weekly to hear him on Security Weekly and follow him on Twitter for daily cybersecurity updates: @strandjs.