
Hunting Hidden Empires with TLS - Certified Hypotheses - SANS Cyber Threat Intelligence Summit 2018

The “threat hunting” landscape has drastically changed due to the increase in encrypted transport layer security (TLS) Internet traffic. The days of adversaries registering domains with their given names are gone, and malicious actors increasingly use malware that takes advantage of TLS encryption to hide their tracks. Yet, even in this brave new world of altered tactics, techniques, and procedures, adversaries leave clues that can expose their infrastructure. To find these clues, however, blue teams need to learn some new tricks.

This talk expands on techniques that Mark Parsons has researched and presented at various conferences, specifically his methods for using TLS certificates to find malicious infrastructure. We will build on Parsons’ body of work and show how his approach to malware certificate hunting can be extended to detect instances of PowerShell Empire servers that have self-generated SSL certificates on ports 443 and 8080. These certificates have a unique fingerprint that can be detected by leveraging tools like zmap/zgrep, python, and statistics/machine learning. The results of this research will show how network defenders can find previously unknown instances of malicious infrastructure communicating with their network and prevent them in the future.

Finally, we will discuss how we created our hypotheses, code, and techniques, and how we validated and verified them. We’ll then release our tools and methodology for use by the community to explore other potential “hidden empires” of malware.

Dave Herrald (@daveherrald), Staff Security Strategist, Splunk
Ryan Kovar (@meansec) (@splunk), Senior Security Architect, Splunk

Bios:
Dave Herrald (@daveherrald), Staff Security Strategist, Splunk
Dave Herrald is a veteran security technologist. He holds a number of security certifications including the GIAC GSE #79. Dave works on Splunk's Security Practice team, and rides bikes and skis for sanity.

Ryan Kovar (@meansec) (@splunk), Senior Security Architect, Splunk
Ryan Kovar worked at DARPA detecting and mitigating advanced threats. He has since moved on to Splunk as a security strategist, where he helps with incident response, hunting, and solving fun problems.

Video: Hunting Hidden Empires with TLS - Certified Hypotheses - SANS Cyber Threat Intelligence Summit 2018, from the channel SANS Digital Forensics and Incident Response
Video information
13 April 2018, 2:00:01
00:30:58