1 of 38

Automating Cyber Threat Intelligence: A Practical Approach to Managing Emerging Vulnerabilities

Fred Baguelin & Andy Giron

2 of 38

Agenda


01

Whoami

02

Background

03

Excel meets Workflow

04

Bash meets CI/CD

05

Hunting across telemetry

06

Takeaways

07

Questions

3 of 38

Whoami

Frederic Baguelin

Senior Security Researcher

Andy Giron

Senior Security Researcher

  • Former CERT analyst / DFIR practitioner
  • Open Source enthusiast
  • Botconf organization committee
  • Previously worked at Arista Networks, Disney and financial industry
  • Previously taught Incident Response in a college in California
  • Loves ALL malware
  • /in/andy-was-here

4 of 38

Background

5 of 38

Threat Research at Datadog

  • Detection rule creation
  • Security Labs publications
  • Product improvements (sometimes)
  • Intelligence collection
  • Telemetry hunting
  • Emerging Vulnerabilities

6 of 38

Vulnerability

Vulnerabilities are flaws in a computer system that weaken the overall security of the device/system.

So What?!

7 of 38

CVE Statistics


https://www.cvedetails.com/

8 of 38

NVD Backlog

https://nvd.nist.gov/general/news/nvd-program-transition-announcement

9 of 38

CVE Gone Viral

10 of 38

Emerging Vulnerabilities

Enters the chat

11 of 38

Excel Meets Workflow

12 of 38

What we want


13 of 38

From (repetitive and boring) Manual Process…


14 of 38


… To Automated Workflow

15 of 38


How?

16 of 38

Score >= High


Rely on NVD API

JSON format with CVSS metrics and more

Alternative to consider

CIRCL cve-search public API http://cve.circl.lu

wget "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2023-22515" -q -O - | jq ".vulnerabilities[].cve.metrics.cvssMetricV31"

17 of 38

trending == True


Rely on search engines results

More advanced parsing: https://github.com/jarun/googler

Rely on Feedly CVE trends

Requires a paid subscription

Social network mentions

Twitter was great before Elon

Mastodon instances need indexing

18 of 38

PoC == True


Rely on Github API search

  • Number of repos
  • Number of stars

Let’s be careful with the results

  • Fake Proof of Concept with Backdoor Malware (https://www.uptycs.com/blog/new-poc-exploit-backdoor-malware)

Social network mentions

Twitter was great before Elon
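An added example (not code from the talk or from Datadog) that combines the three signals from the previous slides, score >= High, trending and PoC, into one classification step. The NVD and GitHub responses are constructed samples embedded inline so it runs offline; the combining rule (severity >= High AND (trending OR PoC)) and the star threshold are assumptions.

```python
import json

# Constructed (trimmed) NVD 2.0 API response for CVE-2023-22515; not real API output.
NVD_SAMPLE = json.dumps({"vulnerabilities": [{"cve": {
    "id": "CVE-2023-22515",
    "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}}]})

# Constructed NVD response for a CVE that only scores MEDIUM (placeholder id).
NVD_MEDIUM = json.dumps({"vulnerabilities": [{"cve": {
    "id": "CVE-0000-00000",
    "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 5.3, "baseSeverity": "MEDIUM"}}]}}}]})

# Constructed GitHub repository-search response (shape of GET /search/repositories).
GITHUB_SAMPLE = json.dumps({"total_count": 2, "items": [
    {"full_name": "example/cve-2023-22515-poc", "stargazers_count": 120},
    {"full_name": "example/cve-2023-22515-scanner", "stargazers_count": 15}]})

SEVERITY_RANK = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def nvd_severity(nvd_json):
    """Return the CVSS v3.1 baseSeverity of the first CVE in an NVD 2.0 response, or None."""
    for vuln in json.loads(nvd_json).get("vulnerabilities", []):
        for metric in vuln["cve"].get("metrics", {}).get("cvssMetricV31", []):
            return metric["cvssData"]["baseSeverity"].upper()
    return None  # no v3.1 metrics yet, which happens while NVD has a backlog


def poc_stats(github_json):
    """Return (repo_count, total_stars) from a GitHub repository-search response."""
    items = json.loads(github_json).get("items", [])
    return len(items), sum(r.get("stargazers_count", 0) for r in items)


def classify(nvd_json, github_json, trending, min_severity="HIGH", min_stars=10):
    """Assumed rule: severity >= min_severity AND (trending OR PoC).
    A PoC counts only if a repo exists and stars reach min_stars; stars filter noise
    but do not vouch for a repo, so a PoC is still reviewed before it is reproduced."""
    severity = nvd_severity(nvd_json)
    repos, stars = poc_stats(github_json)
    score_ok = severity is not None and SEVERITY_RANK[severity] >= SEVERITY_RANK[min_severity]
    poc = repos > 0 and stars >= min_stars
    return {"severity": severity, "score_ok": score_ok, "trending": trending,
            "poc": poc, "emerging": score_ok and (trending or poc)}


if __name__ == "__main__":
    print(classify(NVD_SAMPLE, GITHUB_SAMPLE, trending=False))
```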

19 of 38


Advanced CVE AI powered scoring

20 of 38

Emerging vulnerability detected!


Create a case management

Include stakeholders, keep track of actions, lessons learned, …

Reproduce the vulnerability

Help us to build accurate detection, share with community

Monitor

Detect in the wild activity

21 of 38

Bash

Meet CI/CD

honeypots

22 of 38

Intelligence Collection via Honeypots


Cloud Setup

Honeypot Setup

Manual Deployment

Ansible

Terraform

23 of 38

PoC that turns into production


24 of 38

Infrastructure as Code


CI/CD

Ansible

Terraform

Cloud Setup

Honeypot Setup

Auto-deployment

25 of 38

HASH (HTTP Agnostic Software Honeypot)


HASH is a framework for creating and launching low interactive honeypots.

  • Single framework to deploy HTTP/HTTPs based honeypots
  • Easily configurable via YAML files
  • Built-in honeytraps
  • Powerful randomization based on fakerjs to avoid honeypot detection
  • Optionally, integration with Datadog to ingest and analyze honeypot logs and HTTP requests through APM

https://github.com/DataDog/HASH

26 of 38

Honeynet


27 of 38

HASH (HTTP Agnostic Software Honeypot)


28 of 38

Hunting Across Telemetry

29 of 38

Jupyter


Sharable and reproducible

Rapid prototyping

Connect data from different services

Live data analysis and visualisations with Python!

30 of 38

IoC and payloads


IP addresses

  • Scanners / Exploiters

Payloads

  • Gather new exploitation payloads / obfuscation

Stagers

  • Get more samples

Trends

  • Is this a thing?

https://securitylabs.datadoghq.com/articles/confluence-vulnerability-cve-2023-22515-overview-and-remediation/

31 of 38


Store vulnerability entities

  • CISA KEV feed
  • Manually created

Link observables

  • IP addresses
  • Payloads (hashes)
  • Credentials

Telemetry to TIP

https://github.com/yeti-platform/yeti

32 of 38

CVE Search


Internal IR / Security team

  • Get more samples

Impacted customers

  • Notify if needed

33 of 38

Takeaways

34 of 38

Run Forrest Run


35 of 38

Publish Faster


https://securitylabs.datadoghq.com/

36 of 38

Timeline XZ


03-29

Discovery

Issue discovered by Andres Freund

CVE

CVE assignment CVE-2024-3094

03-29

Datadog Notifies

Security Research Team at Datadog publishes a Security Center advisory to its CSM customers

03-29

Datadog Rule

Datadog Product Detection Engineers release a detection rule

04-01

Datadog Publishes

Datadog publishes a blog post detailing the vulnerability and detection

04-03

https://securitylabs.datadoghq.com/articles/xz-backdoor-cve-2024-3094/

37 of 38

Digest


Built a process around emerging vulnerabilities

    • An automated way to monitor and classify vulnerabilities as emerging
      • Don’t let great get in the way of good!

Developed a process around deploying honeypots

    • An automated process for intelligence collection
      • Real world context

Integrated an automated process for hunting

    • An automated process for hunting across customers' telemetry
      • Intelligence is only useful if it's actionable

38 of 38

Thank you