The first talk after the keynote on day 2 of TROOPERS was from Christopher Truncer about passive intelligence gathering and the analytics of that. Christopher Truncer (@ChrisTruncer) is a red teamer with Mandiant. He is a co-founder and current developer of the Veil-Framework, a project aimed to bridge the gap between advanced red team and penetration testing toolsets.
His talk is mainly about defending a network from different threats by collecting and analyzing metadata from different sources.
For this it is in the first step good to identify those threats and answer some questions:
- What are the attacker’s motivations?
- How do they operate?
- Is it a “sophisticated” attacker?
- Do we know already something about them?
For that in a first step you have to gather as much information as you can. For this it is essential to enable logging and read/use those logs and parse the useful information out of it. There you can see if someone is actually attacking or scanning your network in an easy way. You should look for this essential information to know more about your attacker:
- Behavior on web pages/resources only for employees (OWA…)
- Perform static and dynamic analysis on malware and find out callback domains/IPs
- Determine protocols used
If you have this metadata the next step would be to identify the threat and get some more information about it in a passive way so that the attacker does not notice it. For example many attackers monitor anti-virus sites like Virustotal if their malware has already been uploaded and in that case been found.
The following information could be useful about the attacker:
- What do they normally attack? (Industries, countries)
- What’s the type of the data they are targeting (PII, Intellectual Property, Defense Data?)
- What is the motivation of the attacker?
- What tools do they use?
Those informations could also gathered with “Threat Intels” but they are mostly expensive and rely on analysis on others. Also it might be possible that an attacker subscribes to such a services and the most of the information is not really needed for your company.
So his solution is to use freely available information sources in the internet and do some open source information gathering. For this purpose in talk he introduced a new tool, he developed, that is called Just Metadata and is open source available on Github: https://github.com/ChrisTruncer/Just-Metadata. For this tool the following goals should be achieved:
- Analysis of large datasets
- Identidy useful information
- Enrich metadata
- Build a framework that is easy to complement
- Be able to save the state
The tool is fed with metadata and starts then automatically the Intel Gathering on different sourced in the internet. Just-Metadata uses the following Intel sources while this process:
- Network Whois
- Geo location information
- Shodan Search
- VirusTotal
- Various Threat Feeds like Animus or Alienvault
The tool is able to analyze this information and correlates it, for example the open ports of commonly used certificates across different IPs.
To conclude this talk he showed that this tool can be used to find additional information about malware are systems that are scanning your systems and additionally do some information gathering and analysis without altering the attacker.
The slides of the talk can be found here and the recording can be viewed here.
Thanks for reading and we may see you at TROOPERS17 🙂