It has been a while since I did not take time to write a security conference wrap-up. With all these COVID restrictions, we were stuck at home for a while. Still today, some events remain postponed and, worse, canceled! The energy crisis in Europe does not help, some venues are already increasing their prize to host events! How will this evolve? No idea, but, fortunately, they are motivated people who are motivated to organize excellent events! Still no hack.lu this year but, people from CIRCL.lu decided to organize the first edition of the Cyber Threat Intelligence Summit in Luxembourg. Before the pandemic, there was also the MISP summit organized close to hack.lu. This event, held last week, was a mix of pure CTI- and MISP-related presentations. Here is a quick wrap-up and some links to interesting content.
The first-day keynote was performed by Patrice Auffret and was about “Ethical Internet Scanning in 2022”. Patrice is the founder of Onypthe. If you don’t know the service, it’s a very good concurrent to Shodan. They collect data about Internet connected objects and URLs. Today, scanning is accepted by most of network owners. IMHO, if you care about port-scanning, you failed. It’s part of the “background noise”. What about the ethical aspect of this? Questions that won’t be covered: law aspects, is it useful/useless? Patrice made 10 recommendations to follow when scanning the Internet:
- Explain the purpose
- Put an opt-out
- Provide abuse contacts
- Provides lists of scanners IP addresses
- Have good reverse DNS
- Handle abuse requests
- Don’t fuzz, just use standard packets/protocols
- Scan slowly
- Use fixed IP addresses (no trashable ones)
- Remote collected data (upon request – GDPR)
They are many active players (Shodan, Censys, ZoomEye, LeakIX, …). Don’t blame them because they scan you. Buy an account, use their REST API and query the information they know about you and increase your footprint visibility. Don’t forget that bad guys do it all the time, they know your assets better than you. Also “You can’t’ secure assets you don’t know”
Robert Nixon presented two talks related to MISP: “In Curation we trust” and, later, “MISP to Power BI”. He explained the common problem that we are all facing when starting to deal with threat intel. The risks of “noise” and low-level information. If you collect garbage, you’ll enrich garbage and generate more garbage. Think about the classic IOC “18.104.22.168”. He explained the process of curating MISP events to make them more valuable inside an organization. Example of processing:
- Remove potential false positive
- Reduce the lack of contextualization or inconsistencies
- Are IOCs actionable?
Robert stayed on stage for the 2nd part of his presentation: “MISP + Power BI”. The idea is to access the MISP SQL db from Power BI (of course in a safe way) and create powerful dashboards based on data available in MISP. Be careful with the tables you will open (correlation is not the best one). Robert explained how data can be prepared for better performances (transform some data), convert them, and remove unwanted columns).
The next presentation was called “What can time-based analysis say in Ransomware cases?” by Jorina Baron & david Rufenacht. Like many MSPP, they’ve been busy with ransomware for a while. The compiled data from multiple incidents were used to generate some useful statistics. They focused on:
- Initial access
- Lateral movement
- Effect on target
The dataset was based on 31 ransomware attacks. Some facts:
- 14d between initial to lateral
- 40h between lateral to encryption
Interesting approach for ransomware attacks, besides the classic technical details.
Then Sami Mokaddem presented “Automation with MISP workflows”. Recently, a new feature was added to MISP: Workflows. You may roughly compare it to a small XOAR tool inside MISP that helps to trigger actions based on parameters. Example of uses:
- Chat notifications
- Prevent publication with a specific sanity check
After lunch, we had some lightning talks and “HZ Rat goes China – Following the tail of an unknown backdoor” by Axel Wauer. The malware was analyzed and some numbers were reported:
- 120 samples analyzed
- 2 delivery techniques
- 3 malware versions identified
- C2 servers are online
- Campaign is ongoing for 2y
- Focus on Asia/China
As usual, Andras Iklody presented some quick updates about MISP. What changed recently, what’s in the pipe. The amount of work is impressive: 16 releases, 3768 commits, and 100+ contributors.
Cyril Bras came on stage to present his view on sharing IOCs with customers and partners.
And we had another interesting tool to expand the MISP capabilities. Koen Van Impe presented his tool “Web Scraper“. The idea is to feed a MISP instance with instructed informations or structured (CSV, TXT, …). You definitely need to check it if you are struggling with a lot of documents to ingest in MISP!
Another topic that comes often on the table about MISP: How to use it and the cloud and, more important, how to scale it properly? Mikesh Nagar came to talk about his experience with high-level MISP instances hosted in the cloud.
The last presentation of the day was not public.
The second started with another keynote presented by Gregory Boddin: “Internet Leak Exchange Platform“. LeakIx could be seen as a competitor of Onyphe but they focus more on searching for vulnerabilities instead of “mapping the Internet”. The idea could be resumed to “Get there before the threat actors”. Gregory explained how the platform works, what they are searching for, and how they handle collected data.
Then, Markus Ludwig came with a presentation called “Communities – the underestimated super power of CTI“. Not technical at all, the idea was to have a broader view of the huge amount of security researchers. They are more free researchers than paid ones! The community is big and people deserve credits to keep them motivated and, in this case, they tend to contribute more! Great presentation!
Paul Jung presented “How to fail your TI usage?“. I like the idea. When you have to support multiple infrastructures, tools and customers, it’s very easy to make mistake and to fail in distributing high-value CTI. Paul reviewed his top-14 fails and annoying stuff when using CTI for detection
- RFC1918 IPs, multicast IP, … (Tip: use warning lists from MISP)
- Wrong URLs http://p or http://https://xxx -> Validate FQDN
- Human FP – use top Alexa, 22.214.171.124 in reports?
- NDA & other funny limitations (TLP, sharing across multiple customers)
- Automation issues
- Babel issues (deal with tags/taxonomies/humans). Naming conventions!
- Keep control (control what if you have … or not)
- Hardware limitations: SSL Ex: www.pastebin.com/xxxxx This FQDN is useless without ID/path/…
- Hardware limitation: SIEMs : Parameters to URLs can be removed, will never match
- Hardware limitation: SIEMs’2: Too much data to ingest, try to reduce
- Decaying and life-cycle
- Maintaining TI takes time
- Avoid “Void-ification” of events…An IP alone is not relevant (context)
- Keep data relevant for an analyst (what kind of threat is it? ingress? egress?
Then Louise Taggart presented her view about “Strategic Intelligence“. Threat Intelligence does not only rely on technical information. They are different levers:
- Tactical “what” -> IOCs
- Operational “how” -> TTPs
- Strategic “why? what’s next? so what?” (context, motivation, …)
Then, we switched back to technical content with a presentation by the French ANSSI: “Problematic of air-gapped MISP instances“… MISP is a tool that requires a lot of networking resources. By design, a MISP instance must exchange information (events) with other instances. But sometimes, MISP is used in high-security environment that are disconnected from the Internet (air-gapped). In this case, how to use MISP? How to deploy it and how to feed it? Some processes were describe, like how to build and deploy a MISP instance without connectivity. A tool was presented: sftp2misp. I already worked with air-gapped MISP instances and, trust me, it’s not easy!
Paul Rascagneres came on stage to talk about “The state of the art of webshells in 2022”. Webshell remains a classic way to interact with a compromised computer. Once a vulnerability can be exploited, attackers drop a webshell to perform the next steps of the attack. Paul reviewed different types of webshells (of course, not all of them have the same quality and anti-detection defenses). The example of in-memory webshell based on a Tomcat Valve was pretty cool.
After the lunch and a new serie of lighthing talks, Antoine Cailliau presented his tool: DocIntel. We all have thousands of CTI-related documents like blog posts, PDF reports, RSS feeds, … The goal of DocIntel is to index them, extract useful information and enrich them. This way, you’ll build your own CTI repository. I just installed my own instance as a test and it deserves to be invstigated.
The next talk was about the similar topic: “Report Curation and Threat Library – How to organize your. Knowledge” by Patrick Grau.
Koen came back on stage to present “CTI Operational Procedures with Jupyter Notebooks and MISP“. Jupiter notebooks are pretty popular for a while. Koen explained how to use MISP, PyMISP with Jupyter notebooks to document your CTI operational procedures.
The next talk was “The holy grail for STIX and MISP format” by Christian Studer.
Quentin Jerome presented “WHIDS Update“. WHIDS is an open source EDR for Windows. Great project that is directly linked to MISP to get IOC and detect suspicious activites.
During the lightning talks, some cool projects/tools were presented:
- RamsonLook is a web frontend to track ransomware gangs and their victims
- IOCMite is a Python script to connect MISP and Suricata
The event was intensive: 2 days, talks of 30 mins with great content. Of course, the social dimension was the best one. It’s so cool to see good old (and new!) friends. Teasing: a second edition of the CTI-Summit should be organized next year in parallel to hack.lu.
All talks (expect the non-TLP:Clear ones) have been recoreded and are available on Youtube, thanks to Cooper who made an awesome job as usual!