i4RMHONEY Framework


1. Objectives:

1.1. Understanding Adversaries

1.1.1. Attacker Tactics, Techniques & Procedures (TTPs)
  - Attacker Tendencies
    - Examples
  - Attacker Profile: Name, Description, Threat Types, Sophistication, Motivation, Intended Effects, Preferred Methods of Attack, Examples
  - Campaigns: a group of related events, incidents, indicators, malware, etc. observed over time for which a clear set of TTPs can be defined

1.1.2. Motivation
  - Financial Gain: attacking a target for financial gain through...
  - Political Agenda: attacking a target as a means to spread their political agenda, or because the target opposes their political stance
  - Test of Skill: attacking a target as a means of testing their skills or to prove themselves to a community
  - For "Fun": attacking a target for the fun of it

1.1.3. Behaviour
  - Destructive: involves destruction of critical or sensitive data belonging to either the target or the target's customers; usually in tandem with Disruptive
  - Information Proliferation: obtaining information for their purpose; usually non-destructive, to avoid raising suspicion of their presence
  - Disruptive: disrupting the target's operations, causing financial loss to the target; usually in tandem with Destructive

1.2. Current Threat Landscape

1.2.1. Gathering intelligence on adversaries, their methods and their tools can help organisations identify their adversaries and understand their threat landscape

1.3. Improving Defences

1.3.1. With proper knowledge of threat actors' method of attack, defenders are able to better deal with attacks on their organisation.

2. Sources of Data

2.1. System Logs

2.1.1. Monitors and logs ongoing activities and changes on the system

2.1.2. Collects: Changes to system files, User account additions, Timestamps

2.2. Access Logs

2.2.1. Monitors and logs user access to specified files/folders

2.2.2. Collects: Time Stamps, Country of Origin, IP address, File Activity (Creation, Deletion, Modification, History)

2.3. Correlation mechanism

2.3.1. Uses logs to search for particular protocols used by the system; a dynamic input source is provided that updates in real time

2.3.2. Utilises search commands to send alerts whenever a protocol is in use (e.g. a Splunk search command)

2.3.3. Collects from: Access Logs, IPS/IDS, Firewall Logs, System Logs, Registry Monitor, Process Monitor
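The correlation mechanism above is described in terms of a Splunk search; the following is an added example, not code from the i4RMHONEY framework or from Splunk, of the same idea in plain Python: parse firewall log lines, alert when a watched protocol is accepted, and cross-reference source and destination addresses against a threat-intelligence blocklist. The log format, the watched-protocol table, the blocklist (TEST-NET addresses) and the internal address prefix are all constructed for the example.

```python
"""Added example of a minimal log-correlation pass (not the framework's own
code): protocol watchlist plus threat-intel IP blocklist over firewall logs."""
import re
from collections import Counter

# Constructed firewall-style log lines; the format itself is an assumption.
SAMPLE_LOGS = """\
2024-03-01T02:14:07Z fw01 ACCEPT src=203.0.113.5 dst=10.0.0.12 dport=23 proto=tcp
2024-03-01T02:14:09Z fw01 ACCEPT src=10.0.0.12 dst=198.51.100.7 dport=443 proto=tcp
2024-03-01T02:15:31Z fw01 DROP src=203.0.113.5 dst=10.0.0.12 dport=445 proto=tcp
2024-03-01T09:02:44Z fw01 ACCEPT src=10.0.0.44 dst=192.0.2.9 dport=80 proto=tcp
2024-03-01T09:05:10Z fw01 ACCEPT src=10.0.0.12 dst=203.0.113.5 dport=4444 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ACCEPT|DROP) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Destination port -> protocol name for the protocols the analyst wants alerts on.
WATCHED_PROTOCOLS = {23: "telnet", 445: "smb", 3389: "rdp"}

# Constructed threat-intel feed: addresses reported as hostile (TEST-NET, not real).
BAD_IPS = {"203.0.113.5"}

# Constructed: the organisation's internal address space.
INTERNAL_PREFIX = "10."


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def correlate(log_text, watched=WATCHED_PROTOCOLS, bad_ips=BAD_IPS):
    """Return a list of alerts; each names the rule that fired plus the event fields."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, never silently matched
        # Rule 1: a watched protocol was actually allowed through.
        if rec["dport"] in watched and rec["action"] == "ACCEPT":
            alerts.append({"rule": f"watched-protocol:{watched[rec['dport']]}", **rec})
        # Rule 2: accepted traffic from a blocklisted source (attempted attack).
        if rec["src"] in bad_ips and rec["action"] == "ACCEPT":
            alerts.append({"rule": "inbound-from-blocklisted-ip", **rec})
        # Rule 3: an internal host reaching a blocklisted address (possible compromise).
        if rec["dst"] in bad_ips and rec["src"].startswith(INTERNAL_PREFIX):
            alerts.append({"rule": "outbound-to-blocklisted-ip", **rec})
    return alerts


def summarize(alerts):
    """Alerts per rule, the roll-up a dashboard or periodic report would show."""
    return dict(Counter(a["rule"] for a in alerts))


if __name__ == "__main__":
    found = correlate(SAMPLE_LOGS)
    for a in found:
        print(a["ts"], a["rule"], a["src"], "->", a["dst"], a["dport"])
    print(summarize(found))
```

Dropped packets are deliberately not alerted on by rules 1 and 2, since the firewall already handled them; rule 3 fires regardless of action, because an internal host even attempting to reach a known-bad address is what the node's "outbound connections" point is about.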

2.4. IPS/IDS

2.4.1. Alerts the user when the system is being compromised

2.4.2. Collects: Time Stamps, IP address, File Activity, Country of Origin, Ports, Network changes

2.5. Firewall

2.5.1. IP Address
  - Whitelist: allows inbound/outbound connections to/from whitelisted IPs
  - Blacklist: blocks inbound/outbound connections to blacklisted IPs

2.5.2. Stringent firewall configuration that allows only certain services to be run; controls access to the resources of a network through a positive control model

2.5.3. Collects: Inbound IP Addresses, Outbound IP Addresses, Accessed URLs, Ports, Protocols

2.6. Threat Intelligence Sources

2.6.1. Provides intelligence/information produced and collected by external analysts

2.6.2. Collects: Data, Information

2.7. Registry Monitor

2.7.1. Monitors changes to the registry on Windows systems

2.7.2. Collects: Creation of Registry Keys, Deletion of Registry Keys, Modification of Registry Keys

2.8. Process Monitor

2.8.1. Monitors processes and services running on the system

2.8.2. Collects: Process ID, Process Status, Process Group

3. removed from final

3.1. Malware Attribute Enumeration and Characterization (MAEC)

3.1.1. Data Models
  - Bundle (Level 1): Low Level Actions, Mid Level Behaviours, High Level Capabilities; Bundle Output Format
  - Package (Level 2): Package Output Format
  - Container (Level 3): Package List

3.1.2. Use Cases
  - Malware Analysis: Static & Dynamic Analysis, Malware Visualisation, Analysis Oriented Malware Repositories, Standardized Tool Output
  - Intrusion Detection: a single MAEC characterization, represented by a MAEC Bundle or MAEC Package, can provide data that can be used to detect multiple malware instances
  - Cyber Threat Analysis: Attribution, Malware Threat Scoring System
  - Incident Management: Uniform Malware Reporting Format, Malware Repositories, Remediation

3.2. hide?

3.2.1. Function
  - Database to store technical and non-technical information about malware samples, incidents, attackers and intelligence
  - Automatic correlation: finding relationships between attributes and indicators from malware, attack campaigns or analysis
  - Built-in sharing functionality to ease data sharing using different models of distribution; MISP can automatically synchronize events and attributes among different MISP instances
  - Advanced filtering functionalities can be used to meet each organization's sharing policy, including a flexible sharing group capacity and attribute-level distribution mechanisms
  - Advanced filtering functionalities and warning lists to help analysts contribute events and attributes
  - Stores data in a structured format (allowing automated use of the database for various purposes), with extensive support for cyber security indicators along with fraud indicators as used in the financial sector

3.2.2. Export Formats: generated IDS rules, OpenIOC, plain text, CSV, MISP XML, JSON, STIX

3.2.3. Import Formats: bulk-import, batch-import, import from OpenIOC, GFI sandbox, ThreatConnect CSV; a free-text import tool to ease the integration of unstructured reports into MISP

3.2.4. Community Sharing Models
  - Share with your organization only
  - Share with this community only
  - Share with connected communities
  - Share with all communities

3.2.5. APIs: RESTful, JSON-based; PyMISP library

3.3. hide?

3.3.1. APIs: RESTful, JSON-based; write your own module to access it, or use existing community projects

4. Intelligence

4.1. Definition

4.1.1. Processed, contextualised and analysed information

4.1.2. Production of Intelligence should be done by either in-house or external Intelligence Analysts.

4.1.3. Since intelligence is very contextual, specific examples cannot be listed here. Instead, we will provide generic examples of things to consider.

4.2. Things to Consider

4.2.1. Context: the data you collect and the intelligence that you produce should be relevant to your organisation/operating environment

4.2.2. Operating Environment: consider which threats/attack vectors out there affect your operating environment and prioritise your defences accordingly. What vulnerabilities are relevant to your operating environment?

4.2.3. Threat Landscape: who are the main threat actors that you have to be wary of? What are the most common attacks that your organisation faces?

4.2.4. Comprehensiveness: how comprehensive is your generated intelligence? How well does it cover your bases?

4.2.5. Volume: do you want large sets of data to identify more threats, or smaller but more comprehensive and contextual data?

4.3. Examples:

4.3.1. Attacker Profile
  - Attacker Information: Threat Actor, IPs, TTPs
  - Attack Vector: Exploited Apps, Exploited Services, Malware, Phishing Attempts

4.3.2. Areas of Compromise
  - Assets: Servers, Files, Computers

5. Information

5.1. Definition

5.1.1. Processed, sorted data

5.1.2. Can be used as basic intelligence, although not complete

5.2. Obtained From

5.2.1. Logging
  - Description: logs can help to see if any changes were made to the operating environment (network, policy changes, suspicious installations, permission changes, etc.)
  - Contains: File Changes, Permission Changes, Timestamps, Network changes, User account additions

5.2.2. Network Traffic
  - Description: network traffic can help determine if suspicious traffic by a system has been encountered, which may contain malicious payloads
  - Contains: IP Addresses, Ports, Commonly used Protocols, Accessed URLs

5.2.3. Files
  - Description: files help to see if any new files were added to the system, e.g. a new file that does not appear to be part of normal file downloads
  - Contains: File Data, File Activity

5.2.4. Processes/Services
  - Description: processes/services help to see if any new processes/services were added to the existing ones. A newly added process/service may indicate execution of malicious software
  - Contains: DLLs Loaded, Presence, Process ID, Status, Group

5.2.5. Registry Activity
  - Description: registry activity helps to see if any suspicious processes/services have made changes to registry keys. Changes or additions of registry keys may indicate that the process is malicious
  - Contains: Creation of Keys, Deletion of Keys, Modification of Keys

5.2.6. Email
  - Description: emails help to see if any suspicious emails have been received from unknown parties. These emails may contain attachments or links which are malicious in nature
  - Contains: From, Attachments

6. Artefacts

7. Production & Sharing of Information & Intelligence

8. Raw Data

8.1. Definition

8.1.1. Disorganised statistics collected for the purpose of analysis or reference

8.2. Consists of:

8.2.1. File Changes: which files have been created or deleted

8.2.2. Permission Changes: which files have had their permissions modified

8.2.3. Email From List: incoming email addresses should be tracked to check for phishing attempts from known phishing email addresses

8.2.4. Email Attachments: attachments may be of a malicious nature and should be monitored/checked

8.2.5. Creation of Registry Keys: installations can create new registry keys for the program; the same applies to malicious programs

8.2.6. Deletion of Registry Keys: keys are deleted occasionally by the operating system, but malware can also delete keys for destructive purposes

8.2.7. Modification of Registry Keys: malware can modify registry keys for various purposes, most commonly to run on startup

8.2.8. Timestamps
  - Timestamps in logs of suspicious connections can shed light on: the time of day that the threat actor operates in; the local time of the target they'd target
  - Timestamps can also help to see when files or folders were accessed without authorisation, showing the presence of a possible malicious insider or whether the network has been breached
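The two uses of timestamps above, inferring an actor's working hours from suspicious connections and spotting out-of-hours file access, as an added example in Python (not the framework's own code). The connection and file-access timestamps are constructed, and the business-hours window, the range of candidate UTC offsets and the organisation's timezone are assumptions; the offset inference is weak evidence on its own, since actors may route through proxies or work odd hours on purpose.

```python
"""Added example (not part of the i4RMHONEY framework): operating-hours
inference from suspicious connection timestamps, and out-of-hours access
detection from a file-access log. All timestamps are constructed."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed UTC timestamps of connections from one suspicious source IP.
SUSPICIOUS_CONNECTIONS = [
    "2024-03-01T01:10:00Z", "2024-03-01T01:45:00Z", "2024-03-01T02:30:00Z",
    "2024-03-01T03:05:00Z", "2024-03-02T04:20:00Z", "2024-03-02T05:15:00Z",
    "2024-03-02T06:50:00Z", "2024-03-03T07:30:00Z", "2024-03-03T08:10:00Z",
    "2024-03-03T20:00:00Z",
]

# Constructed file-access log entries: (user, UTC timestamp, path).
FILE_ACCESS = [
    ("alice", "2024-03-01T10:00:00Z", "/finance/q1.xlsx"),
    ("bob",   "2024-03-01T23:30:00Z", "/hr/salaries.xlsx"),
    ("alice", "2024-03-02T03:15:00Z", "/finance/q1.xlsx"),
]


def parse_utc(ts):
    # fromisoformat() accepts "+00:00" on every Python 3.7+; a bare "Z" only from 3.11.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def local_hours(timestamps, utc_offset_hours):
    """Hour of day of each timestamp once shifted into the given UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return [parse_utc(t).astimezone(tz).hour for t in timestamps]


def share_in_window(hours, start, end):
    """Fraction of the hours that fall inside [start, end)."""
    return sum(1 for h in hours if start <= h < end) / len(hours)


def likely_utc_offset(timestamps, work_start=9, work_end=17):
    """The UTC offset (assumed range -12..+14) that places the largest share of
    activity inside a working-day window, returned as (offset, share)."""
    best = None
    for offset in range(-12, 15):
        share = share_in_window(local_hours(timestamps, offset), work_start, work_end)
        if best is None or share > best[1]:
            best = (offset, share)
    return best


def hour_histogram(timestamps, utc_offset_hours=0):
    """Activity count per local hour, the view an analyst would plot first."""
    return dict(Counter(local_hours(timestamps, utc_offset_hours)))


def out_of_hours_access(access_log, org_utc_offset=0, day_start=8, day_end=19):
    """Accesses outside the organisation's working hours: candidates for a
    malicious insider or a stolen account, returned as (user, local hour, path)."""
    tz = timezone(timedelta(hours=org_utc_offset))
    flagged = []
    for user, ts, path in access_log:
        hour = parse_utc(ts).astimezone(tz).hour
        if not day_start <= hour < day_end:
            flagged.append((user, hour, path))
    return flagged


if __name__ == "__main__":
    print("UTC hour histogram:", hour_histogram(SUSPICIOUS_CONNECTIONS))
    print("most plausible actor offset:", likely_utc_offset(SUSPICIOUS_CONNECTIONS))
    print("out-of-hours access:", out_of_hours_access(FILE_ACCESS))
```

With the constructed data, nine of the ten connections land in a 09:00-17:00 window only when shifted to UTC+8, which is the kind of hint the node means by "time of day that the threat actor operates in"; the remaining connection at 20:00 UTC is the sort of outlier that should keep the conclusion tentative.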

8.2.9. Network changes
  - Firewall changes: changes to the firewall can include "backdoor"-like behaviour (opening up ports), disruptive behaviour (closing important ports, dropping traffic), etc.
  - IP whitelist/blacklist: changes to the IP whitelist/blacklist can allow inbound/outbound connections to malicious IPs

8.2.10. User account additions: granting admin control/permissions

8.2.11. IP Addresses
  - IP addresses can help determine where attacks originate from, or whether inbound or outbound connections were made by the compromised system
  - Location: connections to and from suspicious locations (e.g. China, the CIS region [Commonwealth of Independent States]) may help to narrow down the threat actor behind an attempted or already successful attack
  - Inbound Connections: inbound connections from a suspicious IP address can indicate an attempted attack on the target
  - Outbound Connections: outbound connections to a suspicious IP address can indicate that a breach has occurred

8.2.12. Ports
  - Ports used by applications: suspicious connections to ports used by certain applications can indicate that a threat actor is attempting to exploit vulnerabilities in said application
  - Commonly used/targeted ports:
    1. Port 445 (Microsoft DS)
    2. Port 23 (Telnet)
    3. Port 1433 (Microsoft SQL Server)
    4. Port 3389 (Microsoft Terminal Services)
    5. Port 80 (HTTP)
    6. Port 22 (SSH)
    7. Port 135 (Microsoft RPC)
    8. Port 8080 (HTTP Alternate)
    9. Port 3306 (MySQL)
    10. Port 443 (SSL)
  - Idle Ports: ports may be opened by malware to "listen" for a command from attackers

8.2.13. Commonly used Protocols
  - TCP/IP
  - SSH: commonly used and, if not secured properly, can become a vector of attack
  - UDP
  - HTTP: exploits against web servers will often use the HTTP protocol
  - TLS: exploits related to the transmission of sensitive data may require that this protocol not be in use
  - NTP: NTP amplification DDoS attack
  - SSL: exploits related to the transmission of sensitive data may require that this protocol not be in use
  - DNS: exploits against vulnerable domain name systems may be used to poison the DNS cache
  - SMTP: malicious traffic may be sent via this protocol to disrupt mail servers with poor security

8.2.14. Accessed URLs: URLs to phishing sites are commonly posted in phishing emails. Employees of organisations may be socially engineered into accessing phishing/malicious sites. If Internet access is not properly controlled in the organisation's environment, employees may be able to access malicious sites.

8.2.15. File Data
  - File Type: Executables, Microsoft Office Documents, PDFs
  - Hashes: hashes of malware can be compared against a database of known malware to identify the type and variant; hashes of files can also be used to verify the integrity of the file
    - Examples
  - Size: changes to a file's size can indicate that modifications may have been made to it
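The three File Data checks above (type, hash, size), as an added example that is not the framework's own code: identify the file type from its leading magic bytes, look the SHA-256 up in a known-malware list, and compare hash and size against an integrity baseline. The file contents, the baseline and the known-bad hash set are all constructed here; in practice the hash list would come from a threat-intelligence source and the baseline from an earlier scan of the same host.

```python
"""Added example (not part of the i4RMHONEY framework): file type from magic
bytes, hash lookup against known malware, and integrity check against a
baseline. Sample files, baseline and the known-bad list are constructed."""
import hashlib


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


# Magic-byte prefixes for the file types the node calls out (ELF added for Linux hosts).
MAGIC = [
    (b"MZ", "executable (PE)"),
    (b"\x7fELF", "executable (ELF)"),
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "office (legacy OLE2)"),
    (b"PK\x03\x04", "zip container (OOXML office, jar, ...)"),
]


def file_type(data):
    """Type by leading bytes; the extension is not trusted, since it is trivially renamed."""
    for prefix, name in MAGIC:
        if data.startswith(prefix):
            return name
    return "unknown"


# Constructed contents standing in for files found on a monitored host.
SAMPLE_FILES = {
    "C:/Windows/Temp/updater.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "C:/Users/a/Downloads/invoice.pdf": b"%PDF-1.7\n%constructed sample\n",
    "C:/Program Files/app/config.ini": b"[app]\nupdate=daily\n",
}

# Constructed "known malware" list: the temp executable's hash has been reported.
KNOWN_BAD_HASHES = {sha256_bytes(SAMPLE_FILES["C:/Windows/Temp/updater.exe"])}

# Constructed integrity baseline from an earlier scan: path -> (sha256, size in bytes).
_OLD_CONFIG = b"[app]\nupdate=weekly\n"
BASELINE = {
    "C:/Program Files/app/config.ini": (sha256_bytes(_OLD_CONFIG), len(_OLD_CONFIG)),
    "C:/Users/a/Downloads/invoice.pdf": (
        sha256_bytes(SAMPLE_FILES["C:/Users/a/Downloads/invoice.pdf"]),
        len(SAMPLE_FILES["C:/Users/a/Downloads/invoice.pdf"]),
    ),
}


def classify(path, data, known_bad=KNOWN_BAD_HASHES, baseline=BASELINE):
    """Return (status, detail) for one file: known-malware, unchanged, modified or new."""
    digest = sha256_bytes(data)
    if digest in known_bad:
        return ("known-malware", f"{file_type(data)}; hash on known-bad list")
    if path in baseline:
        base_hash, base_size = baseline[path]
        if digest == base_hash:
            return ("unchanged", "hash matches baseline")
        return ("modified", f"hash differs from baseline; size {base_size} -> {len(data)}")
    return ("new", f"{file_type(data)}; not in baseline")


def scan(files=SAMPLE_FILES):
    return {path: classify(path, data) for path, data in files.items()}


if __name__ == "__main__":
    for path, (status, detail) in scan().items():
        print(f"{status:14} {path}  ({detail})")
```

A hash match only catches an exact copy of a reported sample; a repacked or trivially modified variant produces a different hash, which is why the node speaks of identifying "type and variant" and why the size and type checks are kept alongside the lookup rather than replaced by it.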

8.2.16. File Activity
  - File Creation: files can be created by malware or malicious installs, e.g. for configuration purposes, downloading more malware, etc.
  - File Deletion: files may be removed by attackers via malware or other means, for destructive purposes or in order to leverage an exploit
  - File Modification: files may be modified by attackers themselves or by malware (depending on the motive)
  - File History: logging changes to files can help to alert to intruders in the network and track intruders' movements and tendencies

8.2.17. Status: Running, Stopped

8.2.18. Group: the group that owns the process

8.2.19. Process ID: processes have IDs that can be tracked and used to monitor running processes

8.2.20. Presence
  - Viewable in Task Manager: most processes and services can be seen in Task Manager; you can also use it to notice when services that you have disabled start running out of the blue
  - Background Process: malware usually masks its presence by running in the background, so that its process is not visible in Task Manager

8.2.21. DLLs Loaded: DLLs loaded by malware can help to identify the variant being used and what it possibly does

9. Sharing of Information & Intelligence

9.1. Sharing Standards

9.1.1. Trusted Automated Exchange of Indicator Information (TAXII)
  - Defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat information across organization and product/service boundaries
  - Empowers organizations to achieve improved situational awareness about emerging threats, and enables organizations to easily share the information they choose with the partners they choose, all while using a single, common set of tools
  - Sharing Models: Hub and Spoke, Source/Subscriber, Peer-to-Peer
  - Specifications: Services, Message Binding, Protocol Binding, Query Format, Content Binding

9.1.2. Cyber Observable Expression (CybOX)
  - A highly standardised language for encoding and communicating high-fidelity information about cyber observables, whether dynamic events or stateful measures that are observable in the operational cyber domain
  - Provides a common structure for representing cyber observables across and among the operational areas of enterprise cybersecurity
  - Cyber Observables: can be dynamic events or stateful properties
  - Examples: can be used for threat assessment, log management, malware characterization, indicator sharing and incident response; incident response and management can then take advantage of all of these capabilities to investigate occurring incidents, improve overall situational awareness and improve future attack detection, prevention and response

9.1.3. Structured Threat Information Expression (STIX)
  - A language for standardized communication and representation of cyber threat information; improves consistency, efficiency, interoperability, and overall situational awareness
  - Components: Observable, Indicator, Incident, Tactics, Techniques and Procedures (TTP), Exploit Target, Course of Action (COA), Campaign, Threat Actor

9.2. Sharing Intelligence

9.2.1. Intelligence Sharing Platforms
  - Open Source: MISP, ThreatConnect, EclecticIQ
  - Closed Source: IBM X-Force Exchange

9.2.2. Sample Sharing
  - Malware/Threat Repositories: Collaborative Research Into Threats (CRITs), Zeltser, Offensive Computing, theZoo
  - Vulnerability Repositories: VulnHub
  - Other Useful Resources: VirusTotal

10. Production of Intelligence

10.1. Things to Consider When Choosing a Platform

10.1.1. Nature/Type of Data
  - The kind of data you collect can influence the tools that you use
  - Sensitive data (from government, etc.) may restrict the use of cloud-based platforms
  - Compatibility with the data collected

10.1.2. Capabilities of Chosen Platforms
  - Not all platforms are alike, and some platforms may have features that others do not have
  - It is important to weigh your options and choose one that suits your needs
  - Examples: having immediate access to a shared pool of intel; managing your own collections; a GUI; visual correlation of data/information

10.1.3. Compatibility with Chosen/Existing Mechanisms
  - Some sharing platforms provide seamless integration with certain mechanisms/file types, allowing fast and easy integration with existing systems
  - Compatibility with many mechanisms/file types also allows for "futureproofing" when integrating new mechanisms in the future

10.1.4. Ease of Use
  - Some sharing platforms provide user-friendly interfaces for traversing and managing the data collected
  - Many also provide visual correlation options and functionality to help with analysis

10.1.5. Limiting Sharing of Intel/Data for Purposes of Security
  - Distribution of threat information can be limited by the originator using a Traffic Light Protocol (TLP) code
  - Restricting distribution for ongoing investigations can minimise the risk of attackers reading how your investigation is progressing