Open Source Threat Intelligence feeds (draft)


STIX/STIX2 to CEF
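The conversion named in the heading above, as an added example that is not code from these notes: a small Python converter that turns simple STIX 2.1 indicator patterns into ArcSight CEF lines, with the header and extension escaping rules that most hand-rolled converters get wrong. SAMPLE_BUNDLE is constructed data (the hash and ids are placeholders, not real IoCs); the vendor/product strings, the CEF dictionary key chosen per STIX object type and the confidence-to-severity mapping are assumptions for illustration.

```python
"""Convert STIX 2.1 indicator objects into ArcSight CEF lines.

Added example, not code from the original notes. SAMPLE_BUNDLE is constructed
data; the vendor/product strings, the CEF extension key chosen per STIX object
type and the confidence-to-severity mapping are assumptions for illustration.
"""
import re
from typing import Optional

# One comparison inside one observation expression, e.g.
# [domain-name:value = 'badguy.example']. Compound patterns (AND / OR /
# FOLLOWEDBY) deliberately do not match: a CEF event carries one dst/dhost/
# request, so flattening a compound pattern would misrepresent the indicator.
_SIMPLE_PATTERN = re.compile(
    r"^\[\s*([a-z0-9-]+):([A-Za-z0-9_.'\-]+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*\]$"
)

# (STIX object type, property path) -> CEF extension dictionary key.
_PATH_TO_CEF_KEY = {
    ("ipv4-addr", "value"): "dst",
    ("ipv6-addr", "value"): "dst",
    ("domain-name", "value"): "dhost",
    ("url", "value"): "request",
    ("file", "hashes.MD5"): "fileHash",
    ("file", "hashes.'SHA-1'"): "fileHash",
    ("file", "hashes.'SHA-256'"): "fileHash",
}


def cef_escape_header(value: str) -> str:
    """Header fields are '|'-separated, so backslash and '|' must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_ext(value: str) -> str:
    """Extension values: escape backslash, '=' and line breaks."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def parse_simple_pattern(pattern: str):
    """Return (object_type, property_path, value) or None if unsupported."""
    m = _SIMPLE_PATTERN.match(pattern.strip())
    if not m:
        return None
    obj_type, prop, raw = m.groups()
    # Undo STIX string-literal escaping of \' and \\ inside the constant.
    return obj_type, prop, raw.replace("\\'", "'").replace("\\\\", "\\")


def indicator_to_cef(ind: dict, vendor: str = "ExampleVendor",
                     product: str = "STIX2CEF", version: str = "1.0") -> Optional[str]:
    """Build one CEF line, or None when the indicator cannot be represented."""
    if ind.get("type") != "indicator" or ind.get("revoked"):
        return None
    parsed = parse_simple_pattern(ind.get("pattern", ""))
    if parsed is None:
        return None
    obj_type, prop, value = parsed
    key = _PATH_TO_CEF_KEY.get((obj_type, prop))
    if key is None:
        return None
    # STIX confidence is 0-100; CEF severity is 0-10 (mapping is an assumption).
    severity = min(10, max(0, int(ind.get("confidence", 50)) // 10))
    header = "|".join([
        "CEF:0", cef_escape_header(vendor), cef_escape_header(product),
        cef_escape_header(version), cef_escape_header(obj_type),
        cef_escape_header(ind.get("name", "STIX indicator")), str(severity),
    ])
    ext = [f"{key}={cef_escape_ext(value)}",
           f"cs1Label=stixId cs1={cef_escape_ext(ind.get('id', ''))}",
           f"cs2Label=stixPattern cs2={cef_escape_ext(ind['pattern'])}"]
    if ind.get("description"):
        ext.append(f"msg={cef_escape_ext(ind['description'])}")
    return header + "|" + " ".join(ext)


def stix_bundle_to_cef(bundle: dict) -> list:
    """Convert every representable indicator in a bundle; skip the rest."""
    return [line for line in (indicator_to_cef(o) for o in bundle.get("objects", []))
            if line is not None]


# Constructed sample bundle: placeholder ids and hash, RFC 5737 test address.
SAMPLE_SHA256 = "0" * 63 + "1"
SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001", "objects": [
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000002",
     "name": "C2 server", "confidence": 80, "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '203.0.113.10']", "description": "constructed sample"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000003",
     "name": "Phishing domain", "confidence": 60, "pattern_type": "stix",
     "pattern": "[domain-name:value = 'badguy.example']"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000004",
     "name": "Dridex|loader", "confidence": 95, "pattern_type": "stix",   # '|' exercises header escaping
     "pattern": f"[file:hashes.'SHA-256' = '{SAMPLE_SHA256}']"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000005",
     "name": "compound, skipped", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '203.0.113.11' AND domain-name:value = 'badguy.example']"},
]}

if __name__ == "__main__":
    for cef_line in stix_bundle_to_cef(SAMPLE_BUNDLE):
        print(cef_line)
```

Compound patterns are skipped rather than split, because emitting one CEF event per comparison would turn an "A AND B" indicator into two independent alerts that each fire on half the evidence; a production converter would instead route those to a correlation rule.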

Slide: Streamlining Security Operations through Artificial Intelligence (2020-02-18)

Threat Profiling Tiers

Cyber Threat Intelligence Sources



Slide: Walking The Walk: Deploying Cortex in Our SOC (2020-02-18)

Indicator of Attack

How to Emulate Attacker Activities and Validate Security Controls

Hash Values

-Retrieve malware sample based on file hash value

-Pass malware sample through network from one endpoint to another endpoint

-Use integrations into security stack to measure prevention and detection technologies for gaps and evidence of true positives

IP Addresses

-Emulate connection to destination host IP address e.g. 6.6.6.6

-Use analytics from emulation and integrations into security stack to measure prevention and detection technologies for gaps and evidence of true positives, or for an error that the IP address is not accessible

Domain Names

-Emulate connection to destination network host domain name e.g. badguy.com

-Use analytics from emulation and integrations into security stack to measure prevention and detection technologies for gaps and evidence of true positives, or for an error that the IP address is not accessible

Network Artifacts

-Emulate observables related to the content of various traffic protocols, including the exact C&C protocol to the destination network resource: URI patterns, C2 information embedded in network protocols, distinctive HTTP User-Agent or SMTP Mailer values, etc.

-Use analytics from emulation and integrations into security stack to measure prevention and detection technologies for gaps and evidence of true positives, or for an error that the destination network resource is down

Host Artifacts

-Emulate specific observables on one or more endpoint/host devices, including changes to registry keys or values known to be created by specific pieces of malware, files or directories dropped in certain places or using certain names, names or descriptions of malicious services, or almost anything else that’s distinctive

-Use analytics from emulation and integrations into security stack to measure prevention and detection technologies for gaps or evidence of true positives

Tools

-Emulate software the adversary uses to accomplish their mission, e.g. Tor, Windows Task Scheduler, GCC, PowerShell, etc. The software itself might not be directly malicious, but its specific use, time or location might be indicative of malicious, or at least suspicious, activity

-Use analytics from emulation and integrations into security stack to measure prevention and detection technologies for gaps or evidence of true positives

Tactics, Techniques and Procedures (TTPs)

-Emulate single or multi-phase attack tactics, techniques and procedures that replicate a pattern of behavior e.g. “Spearphishing with a trojaned PDF file” or “… with a link to a malicious .SCR file disguised as a ZIP” or “Dumping cached authentication credentials and reusing them in Pass-the-Hash attacks”

-Use analytics from emulation and integrations into security stack to measure prevention and detection technologies for gaps, or for evidence of true positives showing that artifacts have been detected for each phase of the attack chain
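The measurement step repeated under every tier above, as an added example (not code from the original notes): a Python scoring routine that takes the emulated indicators, whether each emulation actually ran, and the block/alert events reported by the security stack, and classifies each indicator as prevented, detected, a gap, or inconclusive when the emulation itself failed (the "IP address is not accessible" case, which must not be counted as a detection gap). 6.6.6.6 and badguy.com are the placeholders from the notes above; every other indicator, event, field name and tier label is a constructed assumption.

```python
"""Score emulated indicators against what the security stack reported.

Added example, not code from the original notes. The emulations and stack
events below are constructed sample data; the field names, tier labels and
outcome labels are assumptions chosen for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Tiers in the order the notes walk through them (low to high pain).
TIERS = ["hash", "ip", "domain", "network_artifact", "host_artifact", "tool", "ttp"]

PREVENTED, DETECTED, GAP, INCONCLUSIVE = "PREVENTED", "DETECTED", "GAP", "INCONCLUSIVE"


@dataclass(frozen=True)
class Emulation:
    indicator: str   # the observable that was emulated (hash, IP, domain, ...)
    tier: str        # one of TIERS
    ran: bool        # False when the emulation itself failed, e.g. destination not accessible


@dataclass(frozen=True)
class StackEvent:
    source: str      # which control reported it, e.g. "edr", "proxy", "ids"
    action: str      # "blocked" (prevention) or "alerted" (detection only)
    observable: str  # the value the control matched on


def score(emulations: List[Emulation], events: List[StackEvent]) -> Dict[str, str]:
    """Classify every emulated indicator from the stack's point of view."""
    by_observable = defaultdict(list)
    for ev in events:
        by_observable[ev.observable.lower()].append(ev)
    results = {}
    for em in emulations:
        hits = by_observable.get(em.indicator.lower(), [])
        if any(h.action == "blocked" for h in hits):
            # A block is the strongest evidence, even if the emulation then reported
            # the destination as unreachable: the control is what made it unreachable.
            results[em.indicator] = PREVENTED
        elif hits:
            results[em.indicator] = DETECTED
        elif not em.ran:
            # No telemetry and the emulation never reached its target: the control
            # was never exercised, so this is not evidence of a gap.
            results[em.indicator] = INCONCLUSIVE
        else:
            results[em.indicator] = GAP
    return results


def coverage_by_tier(emulations: List[Emulation], results: Dict[str, str]) -> Dict[str, Counter]:
    """Outcome counts per tier, e.g. {"ip": Counter({"INCONCLUSIVE": 1})}."""
    summary = {tier: Counter() for tier in TIERS}
    for em in emulations:
        summary[em.tier][results[em.indicator]] += 1
    return summary


def coverage_ratio(emulations: List[Emulation], results: Dict[str, str], tier: str) -> Optional[float]:
    """Share of conclusive emulations in a tier that were prevented or detected; None if no evidence."""
    counts = coverage_by_tier(emulations, results)[tier]
    conclusive = sum(counts.values()) - counts[INCONCLUSIVE]
    if conclusive == 0:
        return None
    return (counts[PREVENTED] + counts[DETECTED]) / conclusive


def gaps(results: Dict[str, str]) -> List[str]:
    """Indicators that ran cleanly and produced no telemetry at all."""
    return sorted(i for i, outcome in results.items() if outcome == GAP)


# Constructed sample run: 6.6.6.6 and badguy.com are the placeholders from the notes;
# the hash, user agent, registry path and tool name are made up for this example.
SAMPLE_HASH = "deadbeef" * 8
SAMPLE_USER_AGENT = "Mozilla/4.0 (compatible; MSIE 6.0; EXAMPLE-C2)"
SAMPLE_REG_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\example-run"
SAMPLE_EMULATIONS = [
    Emulation(SAMPLE_HASH, "hash", True),
    Emulation("6.6.6.6", "ip", False),          # connection attempt errored out
    Emulation("badguy.com", "domain", True),
    Emulation(SAMPLE_USER_AGENT, "network_artifact", True),
    Emulation(SAMPLE_REG_KEY, "host_artifact", True),
    Emulation("schtasks.exe", "tool", True),
    Emulation("spearphishing with trojaned PDF", "ttp", True),
]
SAMPLE_EVENTS = [
    StackEvent("edr", "blocked", SAMPLE_HASH),
    StackEvent("proxy", "alerted", "BADGUY.COM"),   # case differs from the emulated value
    StackEvent("edr", "alerted", SAMPLE_REG_KEY),
    StackEvent("mail-gateway", "alerted", "spearphishing with trojaned PDF"),
]

if __name__ == "__main__":
    outcome = score(SAMPLE_EMULATIONS, SAMPLE_EVENTS)
    for tier in TIERS:
        print(tier, dict(coverage_by_tier(SAMPLE_EMULATIONS, outcome)[tier]),
              coverage_ratio(SAMPLE_EMULATIONS, outcome, tier))
    print("gaps:", gaps(outcome))
```

The ratio deliberately excludes inconclusive runs from its denominator: counting a failed emulation as a miss would make the stack look worse than the evidence supports, while counting it as a pass would hide a real gap behind a test-harness error.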

IoCs

  • Crimeware Dynamic DNS
  • Phishing Attacks & URLs
  • Anonymous VPN
  • Hacking Tools
  • Malware C&C
  • APT IPs & Domains / APTvIP User Agent
  • Brute Force, Spammer & Bot IPs
  • TOR Exit nodes

Types

  1. Snort/Suricata Rules
    1. https://rules.emergingthreats.net/OPEN_download_instructions.html
  2. Shadow Server
    1. https://www.shadowserver.org/what-we-do/network-reporting/
  3. Top DNS Whitelist Domains
    1. https://majestic.com/reports/majestic-million?tld=be&majesticMillionType=2
  4. Integrating Open Source Intelligence into ArcSight – https://community.microfocus.com/t5/Archive-Discussion-Board/Integrating-Open-Source-Intelligence-into-ArcSight/td-p/1507637
  5. https://www.dhs.gov/cisa/cyber-information-sharing-and-collaboration-program-ciscp
  6. https://www.misp-project.org/features.html
  7. https://github.com/hslatman/awesome-threat-intelligence
  8. https://github.com/P1llus/getfeeds/blob/master/getfeeds.py
  9. https://panwdbl.appspot.com/
  10. https://www.anomali.com/community
  11. https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Includedthreatintelsources
  12. https://exchange.xforce.ibmcloud.com/botnet/dridex
  13. https://www.recordedfuture.com/threat-intelligence-sources/
  14. https://threatfeeds.io/
  15. https://www.threatcrowd.org/
  16. Spamhaus
  17. https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
  18. https://check.torproject.org/exit-addresses
  19. https://www.alienvault.com/open-threat-exchange
  20. https://www.misp-project.org/feeds/
  21. https://www.c1fapp.com/
  22. https://www.darkreading.com/threat-intelligence/8-low-or-no-cost-sources-of-threat-intelligence——-/d/d-id/1330447?image_number=2
  23. http://www.senki.org/operators-security-toolkit/open-source-threat-intelligence-feeds/
  24. https://digital-forensics.sans.org/summit-archives/DFIR_Summit/Open-Source-Threat-Intelligence-Kyle-Maxwell.pdf
  25. File Names
  26. OpenSCP
  27. https://www.nist.gov/itl/ssd/software-quality-group/nsrl-download
  28. https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/minemeld
  29. Indicators of Compromise
    1. File Names
    2. IPs
    3. URLs
    4. Domains
    5. File Hash
    6. YARA Rules
    7. Feed contents:
      – YARA rules
      – IDS signatures
      – TTP information
      – Malware and botnet configuration information including webinjects
      – Malware command and control (C&C) commands
      – File and network based indicators
      – Everything mapped to MITRE’s ATT&CK framework
Group name | Reconnaissance                           | Credential harvesting
Tick       | whoami, procdump, VBS                    | WCE, Mimikatz, gsecdump
Waterbug   | systeminfo, net, tasklist, gpresult      | WCE, pwdump
Suckfly    | tcpscan, smbscan                         | WCE, gsecdump, credentialdumper
Fritillary | PowerShell, sdelete                      | Mimikatz, PowerShell
Destroyer  | Disk usage, event log viewer             | kerberos manipulator
Chafer     | network scanner, SMB bruteforcer         | WCE, Mimikatz, gsecdump
Greenbug   | Broutlook                                | WCE, gsecdump, browdump
Buckeye    | os info, user info, smb enumerator       | pwdump, Lazagne, chromedump
Billbug    | ver, net, gpresult, systeminfo, ipconfig |
Appleworm  | net, netsh, query, telnet, find          | dumping SAM
