Time
4 hours 8 minutes
Difficulty
Intermediate
CEU/CPE
4

Video Description

In this video we cover the IOC lifecycle and emphasize its importance in the analysis phase of threat identification and prioritization. During the discover phase, some level of event checking is required in order to prioritize. The analyze phase is where the analyst executes a repeatable methodology, which is essential to maintaining credibility. Finally, the leverage phase is where the analyst proves that an event occurred and potentially correlates it with other events. Dean introduces and reviews several free tools from FireEye, such as Redline and Memoryze, among others. These tools provide a wealth of functions to the CTI analyst and form an essential part of the analyst's toolbox.

Video Transcription

00:04
Now we can move on to
00:06
the actual
00:09
lifecycle of IOC's.
00:12
Naturally, an indicator of compromise must be discovered
00:17
through whatever means. It could be through reviewing logs. It could be a SIEM device.
00:21
It could be through doing some auditing or some just general maintenance.
00:26
As we saw in an earlier module,
00:29
an indicator of compromise could take many different forms,
00:32
and
00:34
when something interesting is discovered, it's not always
00:38
to be treated suspiciously.
00:40
There should be some level of checking to verify that something is good or bad or
00:45
slightly suspicious, for instance, and then you must dig deeper in order to make that determination. That's where the analysis comes in.
00:54
And as I already mentioned, the concept of crying wolf
00:58
if an IOC is too quickly interpreted to be a true threat,
01:03
a true breach,
01:06
and now you've put some forces into motion for incident response.
01:11
It's very wasteful, and embarrassing even, to do that when it's not warranted. So the analysis phase should be done carefully, with a solid methodology that's repeatable,
01:22
so that
01:23
the organization doesn't waste time,
01:25
and so that analysts don't lose credibility
01:30
Once an IOC has been discovered and it's been confirmed or validated by some means,
01:34
then it can be leveraged.
01:37
And by this, what we mean is that
01:40
since we can prove, for instance, that
01:44
event A happened,
01:46
that must mean that other events, like event B and event C, for instance,
01:49
might be related. You might be able to establish some correlation between these different events
01:56
and
01:57
because you've got a solid foundation to work from
02:00
other conclusions and other,
02:02
even other estimates of validity can also carry a little bit more weight. That's an important thing to think about.
02:13
All right, so let's think about some free tools.
02:15
There's a great company called FireEye. I have some links here
02:20
and I'll bring up their website really quick,
02:23
actually, I'll bring it up in just a moment, but
02:24
fireeye.com. They've got free tools for creating
02:29
IOC's
02:30
tools that help you display them.
02:32
You can run some scans on systems. I'll demonstrate that tool here in just a moment,
02:38
and you're collecting information from the file system, from
02:42
Web browsing from memory, for instance,
02:45
other tools to analyze the information,
02:47
and then lastly, we'll look at some cyber threat maps, which are freely available.
02:53
All right. So here's FireEye.
02:55
They've got a lot of different products and services.
02:59
One area that is interesting to look at right away, though, is under Resources; we'll go to Free Software Downloads.
03:09
And here's where you can get to really useful tools. The one that we'll be looking at
03:14
is Redline.
03:15
And as it sounds, it's a free utility
03:17
and lets you look at
03:20
a suspected,
03:22
a system that's been compromised.
03:23
I'm gonna run it just on my local machine here, which is an option you can use.
03:28
But, in general, you're going to launch this tool
03:30
and
03:30
try to get it to run on a remote machine so that you can see
03:36
what some suspicious activity might be doing on a system in your network.
03:42
We also have this Memoryze tool for memory forensics,
03:46
Highlighter,
03:49
also useful for
03:51
looking at information gathered from the other tools
03:54
and then we've got some other ones here, like DNS response, looking at your heap,
04:02
looking at Microsoft database files.
04:05
And then there's some IOC tools.
04:09
So
04:10
an IOC,
04:12
as far as these tools are concerned, is just a small collection of information, typically in XML format,
04:17
and you just create some details about
04:21
what the indicator of compromise is.
04:25
The more detail you can put into the entry, the more useful it might be.
04:30
So these editors
04:31
and the finder and writer tools allow you to manipulate this information so that you can better
04:39
utilize the information, better utilize the IOC data within your environment.
04:45
We'll have a look at those in a little bit as well.
04:48
And there's a couple more tools they provide,
04:53
like doing malware reverse engineering work,
04:56
setting up a reverse proxy,
05:00
cache parsing,
05:00
and so on.
05:01
There's really good stuff here.
05:06
So before I demonstrate the tool,
05:09
I'd like to look at
05:11
a couple of these different cyber threat maps.
05:13
Uh, one of them is from FireEye themselves. You can find this link on their website. Go full screen.
05:20
As you can see, it's showing different actions going on in the world. Right now.
05:27
We can see that financial services is the
05:30
top industry that's being attacked at the moment,
05:33
consulting services, insurance companies,
05:38
and these are all going on in real time,
05:42
and it gives you some information about how many attacks have been seen today. We can see some other information at the top here.
05:48
It's a decent tool just to kind of get a very big picture view of what's happening
05:54
on the Internet right now.
05:57
But this tool does not give a whole lot of detailed information
06:01
So we can go to another one, by Norse, that
06:06
actually has quite a bit of data, as you can see. It kind of looks a little bit like
06:12
the movie WarGames, when there's
06:15
simulations of thermonuclear war between different countries, because we can see
06:18
the attacks going from the source to the destination.
06:23
And very helpfully, it also provides the origins of where the attacks came from, listed by country, what kind of attack
06:30
it actually is, what the destination looks like,
06:34
and we can see a little more detail in IP addresses and so on,
06:39
and you can even zoom in on certain areas
06:43
if you want. For instance, you want to focus on the United States.
06:48
You could do that,
06:51
and you could pause the activity
06:54
and even
06:56
get more information about
06:58
so I can pause.
07:03
So if you
07:08
mouse over certain things, you can get information about
07:11
where that country is or what kind of attack it was.
07:16
And you could also set filters
07:18
so I could just say I want to only look at U.S. and China related attacks.
07:24
Go back to playing that,
07:25
that way you're not cluttering up your interface with
07:29
with the
07:30
information I'm not really interested in. Maybe I'm only interested in HTTP attacks between
07:35
the U.S. and China.
07:38
Actually, it doesn't look like it lets me do exactly what I wanted to.
07:41
It's a nice tool
07:43
and it could give you some additional information
07:48
when you're trying to confirm that something's really going on. Maybe there's a, you know, DDoS attack happening,
07:54
and quite a few of these attacks might actually be DDoS related.
08:01
All right, so let's bring up our
08:03
Redline tool.
08:09
So here we go.
08:11
This is freely installed.
08:13
I'm sorry, freely downloaded from
08:16
FireEye,
08:18
and you'll find it underneath the Resources, Free Software
08:22
area that I showed earlier.
08:24
You want to run this as administrator
08:28
because it's going to give you a lot more detail if you can have full administrative privileges when it's running on that system,
08:35
so you can create what are known as collectors:
08:39
a Standard Collector,
08:39
a more detailed, Comprehensive Collector,
08:43
a Search Collector. These will go out to a target system
08:46
and,
08:48
go look for information that's been generated
08:52
by running a scan
08:54
We can see here
08:56
we've got
08:58
the ability to edit the script that will run.
09:01
And this basically lets you define what kinds of information you're interested in collecting. A lot of choices,
09:07
a lot of different information about processes,
09:11
drivers,
09:13
hooks, which are one program hooking into another program to use some function,
09:18
like a DLL library call, for instance,
09:22
and also acquire a memory image.
09:26
And we can see this is just the memory tab. We also have information related to disk.
09:31
So enumerating different kinds of files, disk volumes themselves,
09:37
information about the system,
09:39
event logs, registry, and so on,
09:41
the network,
09:46
and then some other areas. There's even advanced parameters, which will give a little bit more detail for these
09:50
various sections,
09:56
a little bit more granularity as far as what you're looking at and
10:01
what kind of data you can actually gather.
10:05
So it's
10:07
quite sophisticated,
10:07
and it's pretty amazing when you think about the fact that this is a free tool.
10:15
I gotta cancel this.
10:16
And what I really want to do
10:18
is, if I wanted to, I could save the collector after I've configured it and then send that to a
10:26
target system.
10:26
Once that's run, then you can analyze the results,
10:31
so I can open the previous analysis I was working on or analyze the results from a recent scan.
10:37
In this case, what I wanted to do was run it on my local machine. So from this little menu up here
10:41
we get these other choices, which is the same thing we just saw from the main interface.
10:46
except I get the chance to analyze this local computer,
10:52
so I can edit the script to make sure it's gonna have everything I want.
10:58
I'll get my memory image.
11:01
Uh, usually the defaults are pretty, uh, pretty good, but you may want to tweak these.
11:07
the more things that you select,
11:09
obviously, the longer
11:11
your scan will take to run.
11:15
So I'm gonna look at my digital signatures.
11:18
Look at deleted files, look for file anomalies.
11:24
Look at my discs and my volumes.
11:28
We'll analyze my system restore points, look at my registry and event logs,
11:35
port information; I'll select most of these,
11:37
browser history.
11:41
All this could be relevant for an investigation because
11:43
any one of these areas could contain artifacts or events
11:48
that indicate a compromise happened
11:50
and that there's something there that needs to be investigated further.
11:56
And it goes without saying that if you do this kind of work on a system that is
12:01
suspected,
12:03
you want to do it while the system is still up and running, because obviously you're gonna lose the memory image if you reboot.
12:09
So I can verify signatures. And when I look at my
12:13
tasks,
12:20
OK, there's a lot, quite a few options here.
12:22
I more or less randomly selected these right now because I just want to get some information.
12:28
You need to look at the documentation for this tool and dig in deeper
12:31
to decide how much of this data is really useful.
12:35
the more options that you select, of course, the more time it will take to run the scan.
12:41
So I'm gonna go ahead and
12:41
click OK.
12:43
Uh, it's already set to save to my desktop,
12:46
so I'm gonna go ahead and click OK again to get this to start running,
12:50
and you see that it'll count down the different sections
12:54
as needed in order to run the tool.
12:58
So I'm gonna go ahead and pause the video here because this will take some time to run.
13:01
It could take maybe 15 to 20 minutes or more. So
13:03
come back in a little bit and have a look.
13:07
Thank you.
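
The transcript above describes an IOC, as the FireEye tools handle it, as a small collection of indicator details in XML, which the editor, finder and writer tools let you create and apply to a system. The following is an added example, not part of the course and not FireEye's own code: a minimal Python evaluator for an OpenIOC-style document (the XML IOC format those tools use) that walks the AND/OR indicator tree and matches each IndicatorItem against file artifacts of the kind a Redline collector gathers. The XML document, the MD5 values and the collected file records are all constructed for the example; the case-insensitive comparison and the per-record AND semantics are simplifying assumptions, not the full OpenIOC specification.

```python
"""Minimal evaluator for an OpenIOC-style indicator document.

Added example: the IOC XML, hash values and collected file records below
are constructed for illustration and do not come from the course, from
FireEye's tools, or from any real investigation.
"""
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.mandiant.com/2010/ioc}"  # OpenIOC 1.0 namespace

# Constructed indicator: match a known-bad MD5, OR a file named svch0st.exe
# sitting under a user profile (a name-plus-path pair expressed as a nested AND).
SAMPLE_IOC = """\
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001" last-modified="2019-01-01T00:00:00">
  <short_description>Constructed example dropper</short_description>
  <definition>
    <Indicator operator="OR" id="ind-1">
      <IndicatorItem id="item-1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="ind-2">
        <IndicatorItem id="item-2" condition="is">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">svch0st.exe</Content>
        </IndicatorItem>
        <IndicatorItem id="item-3" condition="contains">
          <Context document="FileItem" search="FileItem/FullPath" type="mir"/>
          <Content type="string">\\Users\\</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed file records, keyed the way OpenIOC "search" terms address them.
COLLECTED = [
    {"FileItem/FileName": "svchost.exe",
     "FileItem/FullPath": r"C:\Windows\System32\svchost.exe",
     "FileItem/Md5sum": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},
    {"FileItem/FileName": "svch0st.exe",
     "FileItem/FullPath": r"C:\Users\alice\AppData\Roaming\svch0st.exe",
     "FileItem/Md5sum": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"},
    {"FileItem/FileName": "notes.txt",
     "FileItem/FullPath": r"C:\Users\alice\Documents\notes.txt",
     "FileItem/Md5sum": "0123456789ABCDEF0123456789ABCDEF"},
]


def match_item(item, record):
    """One IndicatorItem against one artifact record (case-insensitive: an assumption)."""
    search = item.find(NS + "Context").get("search")
    wanted = (item.find(NS + "Content").text or "").strip()
    value = record.get(search)
    if value is None:          # record has no such field, so the term cannot hold
        return False
    cond = item.get("condition", "is")
    v, w = value.lower(), wanted.lower()
    if cond == "is":
        return v == w
    if cond == "contains":
        return w in v
    if cond == "starts-with":
        return v.startswith(w)
    if cond == "ends-with":
        return v.endswith(w)
    if cond == "matches":      # regular expression
        return re.search(wanted, value, re.IGNORECASE) is not None
    raise ValueError(f"unsupported condition {cond!r} on {item.get('id')}")


def match_indicator(indicator, record, fired):
    """Recursively evaluate an Indicator (operator AND/OR) against one record.

    The id of every IndicatorItem whose condition held is added to `fired`
    (even inside a branch that did not complete), so a hit can be reported
    together with the terms that were actually observed."""
    op = indicator.get("operator", "OR").upper()
    results = []
    for child in indicator:
        if child.tag == NS + "IndicatorItem":
            ok = match_item(child, record)
            if ok:
                fired.add(child.get("id"))
            results.append(ok)
        elif child.tag == NS + "Indicator":
            results.append(match_indicator(child, record, fired))
    if not results:
        return False
    return all(results) if op == "AND" else any(results)


def evaluate_ioc(ioc_xml, records):
    """Return [(record, sorted ids of items that held)] for each matching record.

    Simplification: every record is tested on its own, so AND-ed FileItem terms
    must hold for the same file. Full OpenIOC semantics are richer than this."""
    root = ET.fromstring(ioc_xml)
    top = root.find(f"{NS}definition/{NS}Indicator")
    hits = []
    for record in records:
        fired = set()
        if match_indicator(top, record, fired):
            hits.append((record, sorted(fired)))
    return hits


if __name__ == "__main__":
    for record, terms in evaluate_ioc(SAMPLE_IOC, COLLECTED):
        print(record["FileItem/FullPath"], "->", ", ".join(terms))
```

Run against the constructed records, this reports the svch0st.exe file under the user profile (terms item-2 and item-3) and notes.txt (item-1, with item-3 also holding), while the legitimate System32 svchost.exe produces no hit. Reporting which terms fired for each record is what lets an analyst write down a repeatable determination rather than treating any single hit as a confirmed breach, which is the crying-wolf problem the transcript warns about.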

Up Next

Intro to Cyber Threat Intelligence

The CTI course consists of 12 information-packed modules. CTI is a critical function within any organization that involves roles like analysts, methodologies, tools, teams, and policies. From threat analysis to the Cyber Kill Chain, learn it here.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor