Transforming Incident Response to Intelligent Response: Detect ‘19 Series

ROBERTO SANCHEZ: All right.

Good morning, everyone.

Roberto Sanchez, the director of threat and sharing analysis for Anomali.

So, what that really means is a fancy little title for pretty much just getting to know customers and sharing my lessons learned and best practices for using our platform as well as open-source tradecraft, so using a lot of techniques outside of the platform to bring it in.

The original concept that came about for this briefing-- I've been briefing iterations of this for about three years now-- so former NSAer.

At NSA, you get all the tools you can ever desire.

So I thought I really, really knew threat intelligence.

I thought I really knew how to do like network traffic analysis.

And then I come into the open space.

And I had no tools.

I know the tradecraft, but I feel like I'm really an entry-level employee because I just don't know what to access.

I don't know how to enrich data.

I don't know how to conduct analytic pivoting outside of the government space, so pretty much teaching myself the lessons learned and then started to teach the broader community.

Hopefully, it's helpful.

So today's session, I'm going to go over incident response, how to triage things like IOCs, your domains, IP addresses, URLs, [INAUDIBLE] hashes, email addresses, 100% not using the platform which is something kind of contrary, right?

We're at Anomali's conference, and I'm going to teach you how not to use the platform.

And then on the flip side of that, have Yulong here who's our enrichment SDK developer.

So If you guys haven't heard about our SDK, our Software Development Kit program, it's an effort to bring in a lot of open-source practices, enrich it into a single platform.

So that's how creating that nexus between the open-source practices into a single platform.

So as I mentioned, Roberto Sanchez.

I've been doing this about roughly 16 years.

I have also my counterpart here, Yulong.

So I'm Pinky.

He's the Brain.

If you want to look [INAUDIBLE],, I do not know how to develop.

Can't read code to save my life.

But I got Yulong.

He's a very smart guy.

And he can take all of my crazy ideas and put them together in a nice package after a couple arguments, as well.

So the agenda, just going to give a broad overview of some public resources for incident triaging as well as proactive [INAUDIBLE] research.

You guys seen at the Lens video?

I made my cameo.

And I do a lot of proactive research and behind the scenes before we release Lens out to the broader community.

We're using it internally, just going to sites like Censys, Shodan, doing botnet hunting, taking Lens, see if we have it within our data sources.

If we don't, ingest it.

Share it out with our Anomali community members.

Go over like a basic analyst's workflow at a very high level.

I won't get too granular just because of time constraints.

Then we'll go into the-- introduce SDK program, specifically enrichments, and then also give the context behind the two different types of enrichments.

And then Yulong will demo that from an engineer's perspective.

So public accessible sites, right?

Call this the analyst's toolbox.

These are a number of sources that I use.

On the top level is my use cases.

Due to real estate constraints, I cannot put them all on there.

But these are ones that I use every day.

I was literally like maybe five minutes ago in my room doing this before I came out with some threat infrastructure, which was an attack against like the UN 100% using open-source resources.

So specifically, I just hit up on the first category, like domain and IP intelligence.

First understanding is what type of attack you're encountering will allow you to illuminate the type of resources that can actually give you that type of additional context so you can start building out the threat actors infrastructure as well as producing a good narrative behind that particular event so you can better respond internally.

So typically, what I do is literally VirusTotal is my first stop.

Go to VirusTotal.

Take all the data that they have available.

Then just go down the path.

If it's a malware sample, I know-- I've talked to a lot of analysts and where do I get malware samples?

I was like, I could get malware samples on APTs all day long, either by visiting a server and extracting that payload or using public resources [INAUDIBLE] every analysis could [INAUDIBLE] data [INAUDIBLE] just pivoting off of like file hashes from a VirusTotal into a hybrid analysis.

If you guys haven't used app ANY.RUN, I highly recommend using that.

Very cheap resource.

The only thing, once again, it's public.

So if you don't have a paid account, you upload your malware.

Someone can pull it down.

Or someone can tweet it, which is-- seems to be the case in the last couple months.

But literally, I found APT33 maybe a week ago.

And then talking with my counterparts in the security community, I didn't know it was APT33.

So I have to be full disclosure on that.

Not attribution guy.

However, talking to my [INAUDIBLE] counterpart by sharing this in the community, they came back to me and told me it's APT33.

Yeah.

So number of resources.

And then just a continuation of the resources.

So like, once again, the use case is on the top and then the source is on the bottom.

So it just really depends on what it is that you're doing.

So when I look at from now being on the vendor side, I don't have, I would say, the privilege of having rich data because I always view being an enterprise the best data you have is your data.

And then layering that data with external resource, open-source, and commercial can give you better visibility into the type of threats that you're receiving.

So unfortunately, I don't have that internal data.

So I have to reach external specifically for like infrastructure analysis.

So I use Shodan and Censys all day long.

One of the use cases that seems to be a hot topic, ransomware.

So the latest ransomware comes out.

I want to know what type of vector that they used to actually against the environment.

People always associate it with phishing.

But there's also other different [INAUDIBLE] publicly accessible ports, specifically RDP, so 3389.

Shodan, Censys illuminates that for you.

So I'm quickly able to talk to a customer, say, look.

You operate in this space.

The ransomware event happened in this region.

You have this list of IPs that I did doing network reconnaissance, passive reconnaissance.

I'm not touching your network.

But these are-- according to these sources, these are the ports that you have open.

This is a tag that's out there right now.

You might want to look into this a little bit more.

And then also layer that into with the internal data that we have specifically with commercial feeds to see if I can find any correlations, once again, using So a lot of these-- here's another site right here.

Here's the website.

You can't really see it that well.

But I think the slides will be available by-- at the end of the conference.

But if you do want it in advance, just please let me know.

I'll just share it with you and the problem.

So that's like a really quick overview.

And then once again, why am I'm mentioning this stuff is because a lot of these services have APIs.

What you may not be aware of is we have our SDK program.

If you sign up for it, you can customize your own ThreatStream instance.

You can get those SDKs.

If you have programming skills or if you know someone that has programming skills, you can write this enrichment.

And it will show up on your observable details page.

Instead of going out to each one of these sites, you can actually have it within a single platform and pivot within the little tabs, within ThreatStream.

So that's another key benefit to it.

So let me go into a quick workflow.

So I mentioned earlier the different sources that I go to.

So when I start thinking about proactive [INAUDIBLE] research, so you guys have access to, once again, rich data internally.

So usually what I did when I was at PWC and I had tons of data, I look at the phishing campaigns.

And I look at the URL string and try to see patterns in that.

So I one of the [INAUDIBLE] that I always see is like login type login.

So if you do this, it's going to come up with a ton of data.

You just start pairing it down.

The one that you see over here on top, that definitely looks fishy.

So things like this.

And you see that there's a 105-ish.

So start paring it down.

So now I start finding phishing sites.

So then I got to pivot.

It's going to be a very slow process.

So you guys can go to VirusTotal.

Free.

And then I want to see the IP address that it's assigned to.

Now I have an IP address.

I can use that as a pivot point.

But first, I want to see relations, if there's any type of other sibling domains.

As you see there, it's actually going after PayPal and Facebook.

You also see the IP address.

Once again, use that as a pivot point.

Start to illuminate some more.

And then I can start bringing this data in internally.

So from your perspective, if you have an attack using these different data sources to start either proactively finding other types of threats and then bring that into do proactive blocks or to do a triage for your incident response.

So from here, you would have to actually [INAUDIBLE] within ThreatStream, plug it in, set it on range but with the Enrichment SDKs.

So if you guys weren't aware, when I say Enrichment SDKs, let me actually go to observable details.

All right.

So when I mention Enrichment SDKs, this is what I'm actually mentioning right here, these little tabs down here.

These are your Enrichment SDKs.

So imagine if I had to go to a whole bunch of sites but I've already created an SDK.

So it will be right here in this single platform.

So this is the power of doing this.

I could do the Whois history, look up the passive DNS.

I don't have to go to free resources.

So if I didn't want to go a free resource, just very quickly-- [INAUDIBLE] OK.

Hopefully, there'll be some passive DNS in here.

Nope.

No passive DNS.

But [INAUDIBLE].

So you definitely see the limitation of open-source.

But, yeah, anyways, so if you did have the various enrichments, just quickly pivot into the ThreatStream to actually conduct that triage so you're not spending all day long on a ton of tabs which you can easily lose your place.

I found that a lot of times, I get to the end of the case, I get to a conclusion, and I'm like, how did I get here?

So if you have the enrichments already in there, you could just quickly pivot in there, extract the data, and then start creating reports within ThreatStream.

So, yeah, that's just a little quick, brief demo.

All right.

So going into the Enrichment SDK program, what is it?

So it's Python-based.

So it's a very common language.

We like to think it is an easier, faster integration to our Anomali ecosystem.

And this also gives you immediate access to the various content, integrations, just making those API calls.

And a lot of them are public.

Of course, you get a little bit more of a boost if you do pay for the services.

But some of them are very, very cheap, like maybe $5, which you can actually pull that into ThreatStream.

And like I said, it integrates third-party data.

So if you have your own in-house type of data, I highly recommend using that as an enrichment source.

So the types of enrichments, right now, currently, there are two types of enrichment SDKs.

One is called the context-based.

So what I was showing you earlier with just pivoting through tabs, it's just pulling that context within the platform.

And the other one is-- one that's even less explorative in the platform is the pivot-based SDKs.

So the pivot-based SDKs are exactly like this.

You'll pop in a little node, whether that be domain, IP address, the whatnot.

And then you can actually right-click on it and conduct your pivoting within there.

So you can get that quick visual of that threat actor's infrastructure to better quickly determine whether it's something worth investigating further or whether it's just benign and just move on to the next case.

YULONG GAN: I'm a senior software engineer in Anomali and mainly work on the current [INAUDIBLE] on the Enrichment SDK platform and developing all the enrichment framework itself and also like from the application level, a leverage Enrichment SDK and to create out of box [INAUDIBLE] me offered [INAUDIBLE]..

So I'm going to give you-- first give you a quick demo about what does Enrichment SDK offer?

So as per Roberto previously presented, so you have to jump through different browsers, like sources and to triage and do an investigation.

But with the Enrichment SDK's capability, once you build application and install it and activate it over a platform, ThreatStream become the single source of all these enrichments.

And you can either do pivot from a single graph node from the section.

Or you can go down to see the enrichments section.

It has multiple types.

It's either offered by Anomali out of the box.

Or you can create your own secret sources application that facilitate your investigation.

And [INAUDIBLE].

So let's do a real demo.

So it's actually one of the recipes.

So it's called like a compromise account.

And we want to investigate this very suspicious email address.

And the way you do that first, so let's say you magically create your own bundles in your platform.

And you just ingest it.

And this is all [INAUDIBLE] where [INAUDIBLE] apps sits.

You can see a for now, it's already tons of them available for you to use.

But of course, if you have secret sources, you just directly ingesting the platform and can use it.

And we categorize a private bundle.

So if you really don't want to share with others, sure, you can just keep it in your organizations.

But if you want to leverage like out of the box Anomali offer or even in the future, let's say, OK, this is a really cool [INAUDIBLE] that I want to share with community, we can even promote it and publish to the triage circle or community.

So it can be pretty flexible.

But I think most of you, you really want to create some secret private bundles that only used to your own organizations.

But it's not a problem at all.

And once you install and activate into our platform, in the integration page, and then, let's say, I want to leverage this, how am I to use it?

So first SDK is content awareness, so based on the input type.

So this is content awareness.

So if like you input an IP into the platform, and immediately, the SDK know that this is an email.

And if you see from here the dropdown lists, these are all the wonders or applications that accepts email as an input type.

It automatically figured out for you.

And also that has to be activated, which means, let's say I have 100 sources, but I am only interested in using 50 of them.

Either it depends on their open-source.

So you can just one click away where you have put your own credentials to activate them.

But once they are all treated as active and also input type is email, all these wonders are in the dropdown list at your hands.

So in this case, we are leveraging urlscan.io.

It's a free one that you can just preregister.

So you don't have to pay ton of money.

And let's say I want to do urlscan.io.

This is the wonder.

And I want to do the transform from an email address to URLs.

I want to pivot from there.

Then we have two URLs.

And if you check the urlscan.io, their official portal, the two really malicious URL that we can handle, we can get from there.

And then they use Anomali built-in capability, like this extracted domains from these two URLs.

And you get these two really malicious one.

And then you-- back again, you use domain to IP.

Yep.

And they are coming back, linking back, and group them.

You can check.

The one of good things for me, known pivoting perspective.

The known type is an entity.

It has its value, its type.

And also it has some metadata.

We caught additional fields you can use like as a facility to do some more metadata information to enrich that specific node.

Like in this case, the value entity like what ASN.

And A is a number in a country.

And all this stuff, and if you want to do more-- because this one is offered by urlscan.

In Anomali, we also have our built-in Anomali GYP.

So essentially, we allows you to leverage the out of the box stuff.

And you can see it's either what's the name-- what's the country name or the geographic information of it.

So this is-- 'cause all this if you are threat analyst, you know exactly which direction to go.

But from engineer's perspective, that's not only what Enrichment SDK can offer.

So essentially, it has two parts.

One is from the graph.

We call it pivoting part.

It do the link analysis for it.

But as you know, this graph doesn't offer you too much when you're doing investigations.

I want to see what's going on with this domain.

Is this registered?

And what's the more Information of data to facilitate, to triage and pivot from there.

So then we also have the enrichment-- the real content spacing enrichments, which is also content awareness.

So if you are doing with domain, it's will list all the wonders that can offer to enrich a domain.

And let's take, for example-- let me show you right quick.

Yeah, let's say I have a domain.

And I want to leverage Cisco Umbrella.

And what it does for you-- generally, you can-- just if you have account from Cisco, you just log in their portal and do all this stuff.

But now we have already integrated with-- out of the box the Cisco Umbrella.

So you already can see all these information here.

So it's allows you to leverage all the information from Cisco Umbrella, from a specific wonder.

And good thing about that is enrichment, it's like content space.

And also, we use chart widgets to do great rendering.

We use high charts, which is a third-party library.

But it's already-- you can feel free to use it.

And I think it's open-source.

And the good thing is they offer tons of them.

And let's take, for example, we can do the real interactive obviously or graph.

Most of the case, you care-- really care about a specific temp range.

And you can probably leverage this time-zoomable widgets to facilitate your investigation.

The only thing is you just programmatically just insert this piece of code into your bundle.

And it's all under your control.

And you do all your investigations.

They are all in eye-catchy sugaring stuff.

But they are all at your disposal.

I think the good stuff is in general, previously, without SDK, whatever Anomali offers, you have to live with it.

It's pretty limited, no matter it's from the source level or it's content enrichment level where it's like-- it's pretty limited.

You have no control.

But the good thing of Enrichment SDK, it's basic give you a capability to be something from end to end because literally, you can control the UI rendering part now with-- of course, with high chart facilitate.

You control all the behavior of your enrichers of your applications so that, OK, I have this secret sources.

Probably they leverage some superpower like this time-zoomable charts which will give you a sense from a timeline perspective what's the behavior of this domain.

Because previously, I don't think any [INAUDIBLE] building like hardcoded source enricher like allows you to do so.

But now he does.

And you can do all the tricks there.

And it's very useful.

And it kind of highlights all the threat score that it's very important for you so it immediately catch what's most important-- will be important to you.

And then you go back to the graph and continue with your investigation.

So this is a very high level of what Enrichment SDK offers.

But I would say you just wonder, how can I get started?

I can write Python.

I know probably most of you, you are threat analysts I assume.

So I'm just curious, what's your positions?

How many of your threat analysts?

OK.

And developers?

OK.

And what's the other portion of you?

Like you are a C level or-- OK.

Just because the reason is I'm always curious, what's the real end users of Enrichment SDK?

It's just the developer because from my perspective, I think the brain is not a developer.

Not at all.

We only give you tools.

The most important thing that the brain is the threat analysts.

Let me tell me why.

Because anyone can write Python.

Anyone can, OK, I know this API.

I read their API documentation.

I just can grab all this content.

But I don't know which information is useful.

The key piece is I have to know from urlscan what API I should use and what query I should specify to integrate it into my specific piece of code.

The important thing is like, say, if I want to do the as a [INAUDIBLE] email to URL.

The key piece is I have to know this query specifically to urlscan that will grab me the information back.

All other informations, they are just kind of not the key piece.

Once you get the URL, you just following the steps.

You create this piece of Python code.

And that's it.

You zip it.

You tar it.

And you send us.

And we can verify for you.

And then you can just install in your own organizations so you can leverage.

The beauty of that is the iteration of this is really quick because I was previously asked [INAUDIBLE] was like, OK, I want these five pivoting apps.

Show me progress everyday.

So miss the SDK.

Of course, the main purpose of SDK is to first to let you quickly on board to create prototypes and iterate fast.

So the beauty of that is anybody can use Python to create these bundles.

And with this SDK, I can just [INAUDIBLE] five apps within five days.

From a software engineer perspective, it will be pretty quick if you are familiar with the whole [INAUDIBLE] flow.

So the beauty of it is you can quick iterate them and show your concepts to you boss or anything that's to prove value to it.

And you can iterate on that because we have also support versions.

And we have an in-place upgrade.

So once you have a new version of it, you don't have to say, OK, like a data scientist.

I built some models.

But I have to wait all the data engineers to set up infrastructures through-- like grab the data for me to form the analysis.

You don't have to wait.

You control all this flow and say, OK, I don't like this rendering.

Or I think it this is URL endpoint's not good.

OK.

And just change it.

Zip it.

And bump up a-- bump up the version of it here.

It's a higher version.

You can do the in-place upgrade immediately.

And just like install any apps-- install any apps.

The experience is really identical to anything that either you install some apps from your app store.

It's really similar.

So the process itself is very smooth.

And we tried to make it very user-friendly.

And that's how you like once you create it, install on the ThreatStream platform.

And since it's already content and input awareness, so it immediately will get the value from out of the box.

And you don't have-- in that case, in [INAUDIBLE] set, you grab all the sources, build them as apps, adjust them to the platform so that Anomali became the one stop shop for all your investigation or your processor flows.

And [INAUDIBLE] said if you want to sit in ThreatStream because I know some of your use cases you want to pull data out of it.

But if you think that ThreatStream will be your final endpoint to do all your daily work, they will dramatically facilitate and accelerate your daily work, which makes more flexible and more, I would say, to show value more quickly.

So yeah, and that's about it so.

ROBERTO SANCHEZ: All right.

This concludes our briefing.

Thank you for attending.

Yeah.

Thank you.