Anomali Threat Day: Evolving Threat Hunting to Adversary Hunting Using Threat Intelligence, Presented by Cybersixgill

After you have watched this Webinar, please feel free to contact us with any questions you may have at general@anomali.com.
Transcript
SUMUKH TENDULKAR: My name is Sumukh Tendulkar and I'm from Cybersixgill.
My colleague and friend Edan Cohen and I will be talking about threat hunting and moving into adversary hunting.
We'll kind of cover it in two different parts.
I know we have like 15 minutes left so I will either speak super fast or I'll skip every other word, that's a bad joke.
Anyway, so I'll talk about who we are very briefly.
And then Edan is actually going to go and show you the platform and how you actually take threat hunting and move it into adversary hunting.
Because look, at the end of the day, we want to kind of find who the adversary is, what is the motivation so it doesn't become a whack-a-mole game but rather more of a strategic chess game.
So that's what we'll look to cover.
So first thing is, who are we? Cybersixgill, right? Like this headline says it all.
Know what's out there.
And when we say out there, we talk about deep and dark web and closed forums like instant message groups like Telegram, Duke, Discord, et cetera.
And there's a lot that goes on, especially under the cloak of anonymity.
This is where the cyber criminals operate.
They interact with each other.
They collaborate with each other and they transact with each other.
So there's a lot that goes on there and we have AI and automation, which makes us really able to cover it, to help provide you with the best collection from deep and dark web and closed sources.
So just taking a minute, what goes on here? This slide, I think is one of my favorite one.
It just gives you a snapshot every single minute on the deep and dark and close sources.
You have 1.6 CVEs getting exchanged.
You have 67 credit cards which are offered for sale, which is more than like one every second.
Think about it.
People are sharing malware links, like almost three every second, and so on and so forth.
So there's a lot of data that gets generated on deep and dark web and close forums.
And that's why you need someone with automation who can gather this data and not get detected, by the way it's not that easy, and make it available for you either to investigate, to just do plain alerts, like put your assets, put your current name, your emails, URLs, et cetera, and see if there are any hits.
People and people get mentioned and none will share a part of that or really take it to the next level, get into threat hunting, or what we like to talk about as the adversary hunting.
So this is our claim to fame.
We are the biggest and the most powerful collection and threat intel provider from deep and dark web and closed forums.
We have more than seven times more leaked credentials than any of our closest competitors.
When it comes to collections, instant message collections, we have 13x probably, it's bigger than that at this point.
And last but not the least, I do want to kind of cover this one part, which is the extraction, because of the automation nature and not the manual.
What we can really do is we can extract this information and make it available for you.
Or we can also-- for example, when someone's buying and selling a malware, we are able to capture that and are able to create the hash and send it across to you so you can actually preempt.
It can block those indicators.
So we try to make it much faster.
When any of your data comes up for sale, we want to tell you right away so you can actually take some action.
So that's our claim to fame.
What we offer are three different offerings.
One is Darkfeed.
It is integrated very nicely with Anomali's ThreatStream.
It is indicators of compromise.
This provides you with domains to URLs, IPs, and hashes.
Machine-to-machine, mostly unique data, lot of it is preemptive.
Well worth your free trial, by the way.
You don't have a domain? Just go to the Anomali, and you can do it from there.
Or feel free to call us, and we'll be glad to talk to you further.
The second is the Investigative Portal.
This is our unfettered, unrestricted access into our entire collection.
You can go and do searches, investigation, hunting.
Or you can just set up monitoring alerts and get alerted when something is being mentioned or comes up for sale on the Deep and Dark Web.
Last but not the least is our DVE Score, which is where we take the attacker interest and intent and are able to put a score on the exploitability of a particular CVE.
It really helps you patch.
Because our score predicts in the next 90 days what will be exploited, you can actually shape your next patching cycle based on what we do.
So that's just the overview.
But I will take questions at the end of your time, but I want to pass it on to Edan.
Edan.
EDAN COHEN: Thank you.
Thank you, Sumukh.
So I think earlier in today's presentation, Joe was showing the Anomali platform.
And as Sumukh mentioned, one of our integrations into ThreatStream is with the Darkfeed.
This is a feed of malicious indicators.
So I'm going to share my screen and show an example of-- well, what does the data actually look like in Sixgill's Darkfeed within ThreatStream? Of our total collection, Sixgill is collecting a subsegment of that and looking specifically into hashes, IPs, domains, and URLs.
Within the App Store, you're able to download this and test out the information.
But what are you actually able to see with every indicator? I think oftentimes I've at least found a little bit of frustration with feeds in which I'm given a dump of IOCs, and I'm just expected to believe it's malicious.
So within the Darkfeed, you actually get additional context around each IOC.
So this is an example of an IOC pulled from the underground where a threat actor shows a link to VirusTotal.
Sometimes, threat actors share this on the underground to show that their malware is fully undetected or has low detection rates.
Now, going off of this hash, a quick way to really understand what you're looking at is seeing what's the title of the post.
So this is pulled directly from the source, and the title of the post says "Xtreme-RAT-3.7-Latest-Remote-Access-Tool." I think this is a good way to kind of save time and investigations.
If something does pop up on your network, you can get a pretty good understanding of what you are looking at.
There's additional context as well in the source name, the name of the threat actor, as well as external references to MITRE ATT&CK.
And built into the Anomali ThreatStream, there's also linkage to VirusTotal where here we can see with this particular indicator actually no antivirus vendor has detected it.
And this has been around for quite some time.
So this is some of what you're able to do from first glance within ThreatStream.
Now, all the Sixgill solutions are complementary.
So one possible course of action would be taking a look a little bit deeper and pivoting it over into the Sixgill Investigative portal and seeing what else can I glean from this IOC.
So from here, we will take that indicator and search for it within the Sixgill portal.
Now, from here, you can actually see the raw data from the post itself.
So what else are we able to see here? We can see that somebody is providing additional information.
They've even provided a link to download the tool.
I often think that, when somebody is sharing a link to download a tool, that's probably going to help proliferate it across the underground.
More people are likely to download it and use it for their own means.
For advanced use cases, a malware engineer could reverse this as well and also glean additional information into it.
Now, when we look at this initial post, we've got a little bit of background.
And oftentimes, when threat actors are advertising their hacking tools, they're also providing their capabilities as well.
So this can also help understand a little bit more context on top of what's in ThreatStream, going the next layer.
You're also able to see maybe what's the interest around this specific post within the forum by seeing people respond to it.
Now, this IOC was funneled to ThreatStream based on our own parameters, but you might not necessarily know the name "XTreme-RAT." So people using Sixgill are able to also then conduct their own ad hoc queries.
So let's say you are looking for additional malware.
You're looking for other items that aren't name-specific, rather keyword-specific.
You're able to conduct a query.
So this is an example RAT, remote access Trojan, looking for a mention of remote access Trojan.
Anytime somebody uses a FUD-- in this context, it's not "fear, uncertainty or doubt." It's "fully undetectable." And then we're pivoting more looking into specifically English sources, English posts, as well as sites within a type of source that we collect from forums.
So this is another way where you can go that extra step and try and find additional results also related to hacking tools.
And there is full flexibility to conduct these searches based on your own requirements.
Going off of this example, we find an additional post-- another type of remote access Trojan.
Again, this type of information would also be funneled through ThreatStream where you can automatically block or detect it.
And from here, where else do we go? We have the initial post.
However, we might want to kind of find out a little bit more about the threat actor.
With every post, you're actually able to look into the threat actor profile.
Why is this useful? I think one way to look at this is we can kind of get a much better understanding of what threat actors are all about by maybe seeing what's their activity level on the specific source.
An analyst might look a little bit differently at a threat actor that maybe doesn't have a lot of activity and only recently joined a forum as opposed to somebody that has high activity levels.
Additionally, what else are we able to see? You're able to look at their social network analysis.
And what this is helpful for is-- I think we're familiar with the phrase "show me who your--" something like "show me who your friends are, and we'll tell you who you are." Here, we can see, who is the threat actor interacting with? How this could be useful is trying to understand what are their motivations.
Is this related to an anonymous campaign, a hacktivist campaign? Are they financially motivated? Maybe there's other actors that have higher activity that should also be looked at.
So this can help to build an understanding of what their motivations are, what they're all about, and also help to try and understand, are they targeting me, my industry, my geography, or my sector? And that's one way that you can start exploring those different motivations.
Additionally, I think a lot of times, when we're looking more deeply into threat actors, we're trying to look at attribution-- who they are.
Many times on the underground, the main goal is to try and keep your anonymity.
However, you're also able to see what's the time of day that they are posting.
This can also help determine maybe geographically where they might be located-- for example, if there isn't activity during certain times of the day.
Once we look at the initial post, it might be helpful to also look at all of their historical data as well.
So we can actually go much deeper and start to look at that information as well and see maybe they've sold other hacking tools as well or they've been targeting certain sectors.
So utilizing this is one way to use the Sixgill portal, where you're able to conduct ad hoc queries for anything that may be relevant to your own intelligence requirements-- whether it's looking at specific malware, searching leak sites, looking in instant messaging platforms, and going off of a number of other use cases.
The other broad way to use the Sixgill portal is to receive alerts based on your own organization-- so different types of ways in which your organization could be targeted in a number of different categories on top of domains, IPs, executives.
There's no limitation to the amount of organization-specific keywords that you can add into our system, which is then being cross-correlated with our data lake-- all the sources that we're adding from on an ongoing basis.
Going off of this, you would then be able to receive an alert based on that asset's exposure.
This is helpful for having the system work automatically for you.
As an item is posted, you would receive an alert and then be able to go through and dive deeper into the post and look at the raw data.