Chapter 3 (Supplement): OpenIOC
Identifying & Sharing Threat Information with OpenIOC
NIST IT SAC -- 11/01/11
Doug Wilson, Principal Consultant
doug.wilson@mandiant.com
1 © Copyright 2011
Important Note
We are MANDIANT
VISA Qualified Incident Response Assessor (QIRA)
APT & CDT experts
MCIRT – newly launched
Application and Network Security Evaluations
Located in
− Washington (2 locations)
− New York
− Los Angeles
− San Francisco
Professional and managed services, software and education
About Me
DOUG WILSON, Principal Consultant
− OpenIOC Advocate
Background
− Incident Response
− Multi-Tiered Application Architecture
Supports IAD Center for Assured Software (CAS)
DC Local: OWASP DC, AppSec DC, DHS SwA Forum
Our Agenda
Introduction to OpenIOC
IOC Examples
IOCs and the Investigative Process
Free Tools for use with OpenIOC
And one more thing. . .
Intro to OpenIOC
The OpenIOC Format
OpenIOC =
− Way to organize your Threat Intelligence
− XML based
− Logical groupings of forensic artifacts
− Based on real world experience
− Extendable & expandable
Before OpenIOC
Lists of stuff to find evil
− Easy to create
− Difficult to maintain
− Terrible to share
Lists do not provide context
− An MD5 of what?
− Who gave me this?
− Where is the report?
− Where is the intelligence??
Lists encourage reliance on easily mutable forensic artifacts
OpenIOC allows this…
…to become this
OpenIOC Terms
37 terms shown (out of over 500)
MANDIANT terms drawn from real world
Terms easily added if needed.
IOC Examples
IOC Functionality
Stuxnet IOC
File Section: .stub
File Certificate Subject: Realtek Semiconductor Corp
AND
  Registry Path: SYSTEM\ControlSet001\Services\MRxCls\ImagePath
  Registry Text: mrxcls.sys
AND
  Registry Path: SYSTEM\ControlSet001\Services\MRxNet\ImagePath
  Registry Text: mrxnet.sys
Stuxnet IOC
AND
  Process Injection: True
  Process Section Imports: advapi32.dll
  Process Section Imports: kernel32.dll
  Process Section Imports: user32.dll
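The two Stuxnet slides show an IOC as a logic tree of terms joined by AND and OR. Below is an added example, not taken from the slides or from Mandiant's tools, that writes a subset of that tree as a constructed OpenIOC 1.0 XML document and evaluates it against artifacts collected from a host; the term search paths, the xmlns, and the `contains` condition on Registry Text are assumptions, since the slide shows only labels.

```python
import xml.etree.ElementTree as ET
# Constructed OpenIOC 1.0 document (not Mandiant's published Stuxnet IOC): an OR over a
# certificate-subject term and an AND group of two registry terms. Term paths are assumed.
STUXNET_IOC = r"""<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example">
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is"><Context search="FileItem/PEInfo/DigitalSignature/CertificateSubject"/>
        <Content type="string">Realtek Semiconductor Corp</Content></IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="is"><Context search="RegistryItem/Path"/>
          <Content type="string">SYSTEM\ControlSet001\Services\MRxCls\ImagePath</Content></IndicatorItem>
        <IndicatorItem condition="contains"><Context search="RegistryItem/Text"/>
          <Content type="string">mrxcls.sys</Content></IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""

def _local(tag):  # strip the xmlns prefix so lookups work with or without a namespace
    return tag.rsplit("}", 1)[-1]
def _child(elem, name):
    return next(c for c in elem if _local(c.tag) == name)

def _item_hits(item, host):
    """Does any value collected for this term's search path satisfy the condition?"""
    observed = host.get(_child(item, "Context").get("search"), [])
    content = _child(item, "Content").text or ""
    cond = item.get("condition", "is")
    if cond == "is":
        return any(v == content for v in observed)
    if cond == "contains":
        return any(content in v for v in observed)
    raise ValueError(f"unsupported condition {cond!r}")

def evaluate(node, host):
    """Walk the tree: IndicatorItem tests one term, Indicator combines children with AND/OR."""
    if _local(node.tag) == "IndicatorItem":
        return _item_hits(node, host)
    kids = [c for c in node if _local(c.tag) in ("Indicator", "IndicatorItem")]
    combine = all if node.get("operator", "OR").upper() == "AND" else any
    return combine(evaluate(c, host) for c in kids)

def ioc_hits(ioc_xml, host):
    """host: search path -> values from one host (flattened; per-artifact correlation not modelled)."""
    return evaluate(_child(_child(ET.fromstring(ioc_xml), "definition"), "Indicator"), host)

# Constructed host artifacts: a service whose ImagePath points at mrxcls.sys.
INFECTED_HOST = {"RegistryItem/Path": [r"SYSTEM\ControlSet001\Services\MRxCls\ImagePath"],
                 "RegistryItem/Text": [r"\??\C:\WINDOWS\system32\Drivers\mrxcls.sys"]}
```

A host with the same service path but an ImagePath naming a different driver does not satisfy the AND group, which is the point of grouping the two registry terms rather than listing them separately.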
Combining Functionality
Malware Analysis Report:
...This malware is a "GINA" (Graphical Identification and Authentication) replacement. It records all users who log on to the system and their passwords to file "outhk.dat"...
Generic
Specific
Working on a collection
Known Services (excerpts)
Whitelist by ServiceDLL name
Whitelist by service Digital Signatures
Methodology
Activity-based:
• Files opened
• CHM file opened
• Website visited
Compromised User:
• Events generated
• Files owned
Evidence of suspicious scheduled tasks
IOCs and the Investigative Process
The Current Threat
Buzzwords Aside. . .
Investigative Challenges
Using IOCs in the investigative lifecycle
Scoping the incident
[Diagram labels: Investigative Process; What is a "compromised" system?; All Systems; Unauthorized Access; Malware Analysis; IOC Hits; Backdoors; Attacker Tools; Staged Data; Backdoored systems; Systems with malware; Accessed systems; Systems with staged data; Compromised credentials]
Superior logical indicators
Customizable and expandable
Free Tools and Resources for Use with OpenIOC
MANDIANT IOC Editor
www.mandiant.com/products/free_software/ioce/
MANDIANT IOC Finder
www.mandiant.com/products/free_software/iocfinder/
Just one more thing . . .
OpenIOC.org
Free resources
Free tools
− IOC Finder
− IOC Editor
− Redline
− Memoryze
− Audit Viewer
− Highlighter
− Red Curtain
− Web Historian
− First Response
Resources
− OpenIOC.org
− M-trends Reports
− forums.mandiant.com
− M-unition: blog.mandiant.com
Education
− Black Hat classes
− Custom classes
Webinar series
− Sign up
M-Trends 2011
Identifying & Sharing Threat Information with OpenIOC