The views / opinions / assumptions expressed in this presentation/resource are for educational & research purposes only. Do not attempt to violate the law with anything contained here. Neither the author of this material, nor anyone else affiliated in any way, is liable for your actions.
The purpose of this presentation is to share what is happening in cyber and what is possible...
1. EVERY INCIDENT LEAVES A TRAIL OF EVIDENCE
D3PAK KUMAR (D3)
DIGITAL FORENSICS | CYBER INTELLIGENCE
2. The Technology World Always has the Sharpest Brains...
There are equally sharp minds, working against you…
Source: Securus First
Cyber Threat Intelligence: Medium
3. DISCLAIMER
4. ONCE THE DOCUMENTS HAVE BEEN POSTED ONLINE, THE GENIE IS OUT OF THE BOTTLE
5. We live in the digital age
Actors/criminals do too
What are the top cyber threats?
Think from the adversarial perspective
6. CRITICAL INFRASTRUCTURE
GOVERNMENT
MANUFACTURING
BANKING
FINANCIAL SERVICES & MOBILE MONEY
RETAIL
STRATEGIC & PUBLIC ENTERPRISES
PROFESSIONAL SERVICES
HOSPITALITY
INSURANCE
TELECOMMUNICATIONS
7. CYBER of THINGS
The C factor: cyber crime, cyber security and cyber terrorism are all interrelated
8. Example: RANSOMWARE, now crypto
Hacker's mindset: too much risk... but the target is too sweet
9. Anything likely to cause damage or danger (threat)
+
Ability to acquire and apply knowledge and skills (intelligence)
=
Threat Intelligence
Another buzzword
11. Present Scenario
OSINT ≠ Actionable Intelligence
What it actually is: OSINF (Open Source Information)
Players: firewalls, Endpoint Detection & Response, endpoint protection platforms, anti-virus intel stakeholders & OPSEC firms
Online social media: sentiments, statistics, trends
Threat intel firms: good intel; no responsible disclosure policy; no verification; shift towards data breaches and free media PR
Defacement days are gone… APT, malware, ransomware, honeypots, bots, watering holes etc.
12. Cyber Threat Intelligence: Analysts Undertrained, Unsupported
34% of respondents didn't have any prior experience with OSINT-related research;
85% reported they received little or no training in OSINT techniques and risk prevention from their current employer;
55% are venturing into the Dark Web as part of their OSINT activity 10 or more times per month;
38% do not use managed attribution tools to mask or hide their online identities or personas;
29% report no oversight procedures to ensure that tools are not being abused by analysts;
83% of cyber threat intelligence analysts use a web browser as their primary tool.
Source: Authentic8
13. Types and Approaches
Approaches:
i. Hypothesis driven: data leak/breach, IOCs, TTPs (post incident)
ii. Analytics and machine learning: data sets, signatures, anomalies, historical repositories, UEBA, SOAR etc.
iii. Manual interventions: customised sensors, crawlers, parsers, APIs
iv. Human intelligence always wins: expertise, SMEs, coordination with agencies/organisations, etc.
Types:
Strategic: broader threat trends, typically meant for a non-technical audience
Tactical: outlines of the tactics, techniques, and procedures (TTPs) of threat actors, for a more technical audience
Operational: technical details about specific attacks and campaigns
14. REQUIRED ACTION
• Threat intel cycle: plan, collect, analyse, disseminate
• Capacity building: detailed subject training, as the Ramayana can't be finished in 1 hour
• PPT factor with proper, effective coordination
• Proactive threat hunting required: data and patience
• Understand the threat and the actor, and what to hunt
15. Sophisticated actors penetrating networks using "publicly" available information demonstrate that they don't need to develop advanced malware or tactics when the vulnerabilities are sitting in plain sight. Using open-source information (OSINF) to assess what is publicly exposed is often sufficient to serve the purpose.
The best defence starts with good OSINF.
16. GOOD THINGS OF TECHNOLOGY
DEEP-WEB / REDDIT
LEAD (SOCIAL NETWORKING)
IOT / SYNC
COOKIES INTELLIGENCE
CTI COMMUNITIES
GOOGLE
17. SOCMINT
Input: gather actionable insights in raw form concerning the subject, etc.
Processing: COTS tools (Twitter, iMessengers, Maltego etc.). There are three main steps in analysing social media:
• Data identification,
• Data analysis, and
• Information interpretation.
Output:
• Disseminate to those concerned
• Need to add
18. Cyber Kill Chain mapped to the MITRE ATT&CK matrix
Task: identify the attackers' step-by-step process
Goal: disrupt the attackers' operations

Recon: motivation, preparation. Examples: SE, OSINT. MITRE ATT&CK: Active Scanning, Passive Scanning, Determine Domain & IP Address Space, Analyze Third-Party IT Footprint
Weaponise: configuration, packaging. Examples: PowerShell, Add. MITRE ATT&CK: Malware, Scripting, Service Execution
Delivery: mechanism of delivery, infection vector. Example: phishing. MITRE ATT&CK: Spearphishing Attachment/Link, Exploit Public-Facing Application, Supply Chain Compromise
Exploitation: technical or human? Applications affected, method & characteristics. MITRE ATT&CK: Local Job Scheduling, Scripting, Rundll32
Installation: persistence, characteristics of change. Example: self-signed driver. MITRE ATT&CK: Application Shimming, Hooking, Login Items
C2: communication between victim & adversary. Example: VPN. MITRE ATT&CK: Data Obfuscation, Domain Fronting, Web Service
Actions & Objectives: what the adversary does when they have control of the system. Examples: data exfil, APT. MITRE ATT&CK: Email Collection, Data from Local System/Network Share, Surveillance
19. CYBER SECURITY PREPAREDNESS
LEGAL MEASURES
• Measures the legal framework of a country that streamlines basic response mechanisms to breaches of cyber law
TECHNICAL
• Measures the adequacy of technical measures and the strength of capabilities, based on the number of existing technical institutions and frameworks dealing with cybersecurity
ORGANISATIONAL
• Measures the organisational strategy of a country's cybersecurity initiative. This is based on the number of institutions and strategies organising cybersecurity development at national level
CAPACITY BUILDING
• Measures the awareness campaigns and the availability of resources for each country (includes the existence of research and development, education and training programs, certified professionals and public sector agencies)
COOPERATION
• Measures the active engagement of different sectors and stakeholders in preventing threats and combating cyber-attacks
20. Tools
i. OSINT tools and frameworks: domain based, searching, clustering, grouping etc.
ii. OSINT services websites: osint, start.me, midasearch, toddington, osintgeek, intel technique etc.
iii. Commercial vendors: feeds, alerts
iv. Government off-the-shelf tools: in-house, integrated APIs and data lake
v. Common sense
CIA Director: "We kill people based on metadata"
Open network: top OTT platforms; social media domains Twitter, Facebook, YouTube, Instagram, Parler, 4chan, 8chan, Stream, Kiwi; country-specific search engines
Closed network (invitation/participation basis): encrypted channels keybase, chirpwire, signal, Kirk, FaceTime, Riot, discord, gaming platforms etc.
22. Take a Break
Don't believe marketing hype regarding cyber threat safety:
"oh, we spent $$$ on $Vendor product, so we are safe"
Any "tool", regardless of the price, is still a "tool"
23. Thank You
Contact: D3pak@Protonmail.com
Resources: D3pakblog.wordpress.com
References
o Cyber Threat Intelligence Command Centre (SC3)
o GitHub / SANS / Lockheed Martin Corporation