HEXANE
Identified mid-2018 with activity ongoing. Targeting oil and gas in the Middle East. Has links to other groups but is a unique cluster of tradecraft and victimology.
Malware human fingerprints are?
Maps to the Capability / TTP vertices of the Diamond Model. Depending on your requirement, can support all four points of the Diamond Model. Human fingerprints include:
- Header metadata
- Code reuse
- Configuration data
Malware configuration data - common types are:
PE version info Mutexes Text Formatting Method of persistence Communication details
Where do you get malware?
- First party data
- Partners
- Sharing Groups
- Commercial datasets
Common Malware analysis tools
VirusTotal
VT Enterprise
DC3 Malware Configuration Parser
malwareconfig.com
What’s the five major points of data pivoting?
- Critical CTI analyst skills
- Might seem like common sense, but often overlooked
- Quickly builds knowledge between automic indicators
- Historically manual, time-intensive
- New tools help to automate
What are the four steps of data pivoting?
Start -> Pivot -> Validate -> Identify
Basic (most pivotable) indicator types
- IP addresses
- Domains
- Accounts
- Unique Strings
C2 Domain registration
- Domains can be moved from IP to IP to allow for dynamic adversary infrastructure
- Typo-squatted domains can fool targeted users
- Three classes of C2 domains:
° Adversary registered
° Dynamic DNS domains (free or paid)
° Legitimate but compromised
DDNS
Dynamic DNS Domains
Originally developed for use with dynamic addressing ISPs such as DSL. Have short Time to Live (TTL) to expedite propagation.
ASN
Autonomous System Number. Determines organizational ownership of IP addresses.
Lookup tool: asn.cymru.com
Passive DNS
Collection of DNS domain query responses collected passively.
PDNS Providers
LookingGlass LGScout Mnemonic Farsight RiskIQ / PassiveTotal Internet Identity OpenDNS DomainTools
Iris
Iris is a powerful engine looking for collocations between domains, IPs, registrars, ASNs, emails ,etc.
GlassRAT
Uncovered in November 2015 by RSA. Previously undetected Trojan targeting Chinese nationals. In operation for at least 3 years.
TIQ
Threat Intelligence Quotient.
The TIQ Test can be used to get an idea of the value of existing threat feeds you are using by evaluating the following:
- Novelty Test
- Overlap Test
- Population Test (by country / ASN)
CIV
Collective Intelligence Framework is a management system for threat data by CSIRTGadgets.org. Integrates with tools such as: Splunk, ELK, Logstash, ArcSight.
Additional OSINT Open-Source Tools
DataSploit Discover InfoGo AlienVault OTX (Threat information feed) Shodan GCHQ's Cyber Chef Recorded Future
TLS Certificate
A digital certificate used in secure host-to-host network communications. Previously referred to as a SSL certificate. Not to be confused with a code signing certificate used to sign applications.
TLS Certificate Scan Providers
Censys.io
Shodan.io
Circl.lu
RiskIQ
TLS Cert Search Tips
- Start with pivoting between TLS certs and IP adr
- Then search Subject, Issuer, Not Before, and Not After fields
- Distinguish between self-signed, free, and paid certificates
Maltego
Maltego is a link analysis tool that allows analysts to establish and define relationship between different nodes. It has two major concepts:
- Entities
- Links
Malware maps to which pilar of the diamond model?
Capability
What is “DC3 Malware Configuration Parser” used for?
This framework can be used to develop decoding modules for malware families that your adversaries use to target your users.
