Desenmascara.me

How to verify whether a website is legitimate or not?: desenmascara.me

Sunday, April 8, 2018

RFC1918 IP Addresses in APT reports being used as IOCs by "Intelligence" providers

The title of this article was published as a tweet a few days ago. Unfortunately, judging by the responses, this is not such an uncommon issue:





It all started as a heads-up about a high-priority incident in a sensitive environment: a watchlist had matched an internal private IP address against a botnet. The incident was escalated with urgency and needed confirmation. As is common when dealing with different stakeholders, the private IP that had been categorized as a botnet address was anonymized to protect sensitive information, but we needed that exact address in order to investigate further. Requesting it added time to the investigation.

Once we had the private IP details we could run the cross-checks that give the additional context this scenario needs: first verify which intelligence feed contained the private IP, then gather the details behind it. After some investigation we were unable to find any correlation; none of the watchlists we provide (built from public and private sources around the world, including product vendors, industry experts, government agencies, professional associations, media and newsgroups) contained that address. The next step was to search for the private IP in public reports, because by this point it was fairly clear what the issue was. Bingo: Anunak: APT against financial institutions, an excellent report released by Group-IB and Fox-IT, lists the private IP address as a C&C IP without any additional context. This is likely a common mistake: the information handed over by the reverse engineers was not vetted by the intel team responsible for writing the APT report, and the mistake was then chained by intelligence providers who do not vet the IOCs they ingest, package and sell. It turned out the affected customer was using additional threat intelligence providers, and one of them had supplied the private IP address as an IOC.
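An added example of the vetting step that was missing from that chain (my own code for this post, not from the Anunak report, Group-IB, Fox-IT or any intelligence provider): it parses a feed of "type: value" indicator lines and refuses any address or CIDR that overlaps RFC 1918 or another non-routable range, so an internal host can never "match a botnet" on a watchlist. The feed line format and the range table are assumptions on my part, and the sample feed is constructed; none of its entries is a real indicator.

```python
"""Vet network IOCs before they reach a watchlist (added example).

An address in RFC 1918 space (or loopback, link-local, CGNAT, documentation,
multicast, ...) cannot be an Internet-facing C&C server, so it must never be
ingested as a network IOC. Relying on ipaddress.is_private alone is not
enough: depending on the Python version it does not cover 100.64.0.0/10, so
the policy is kept as an explicit table.
"""
import ipaddress
import re

# Ranges that must never appear as a network IOC (assumed policy table).
NON_ROUTABLE = {
    "RFC 1918 private": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "loopback": ("127.0.0.0/8", "::1/128"),
    "link-local": ("169.254.0.0/16", "fe80::/10"),
    "shared address space / CGNAT (RFC 6598)": ("100.64.0.0/10",),
    "documentation (RFC 5737, RFC 3849)": (
        "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32"),
    "unique local (RFC 4193)": ("fc00::/7",),
    "multicast": ("224.0.0.0/4", "ff00::/8"),
    "unspecified / this network": ("0.0.0.0/8", "::/128"),
    "reserved / broadcast": ("240.0.0.0/4",),
}
_RANGES = [(label, ipaddress.ip_network(cidr))
           for label, cidrs in NON_ROUTABLE.items() for cidr in cidrs]

# Assumed feed format: "<type>: <value>" per line, '#' for comments.
IOC_LINE = re.compile(r"^(?P<type>[A-Za-z0-9_-]+)\s*[:=]\s*(?P<value>\S+)")
NETWORK_TYPES = {"ip", "ipv4", "ipv6", "c2", "cidr"}


def non_routable_reason(indicator):
    """Return why an indicator must not be a network IOC, or None if it may be.

    Accepts a single address or a CIDR. A CIDR that merely overlaps a
    non-routable range (e.g. 10.0.0.0/7) is rejected too, and malformed
    input is rejected rather than silently dropped.
    """
    try:
        net = ipaddress.ip_network(indicator, strict=False)
    except ValueError:
        return "not a valid IP address or network"
    for label, rng in _RANGES:
        # overlaps() is False across IPv4/IPv6, so no version check is needed
        if net.overlaps(rng):
            return label
    return None


def vet_feed(lines):
    """Split raw feed lines into (accepted, rejected).

    accepted: list of (type, value); rejected: list of (value, reason).
    Only network address types are range-checked; hashes and domains pass
    through untouched.
    """
    accepted, rejected = [], []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = IOC_LINE.match(line)
        if not m:
            rejected.append((line, "unparseable feed line"))
            continue
        kind, value = m.group("type").lower(), m.group("value")
        if kind in NETWORK_TYPES:
            reason = non_routable_reason(value)
            if reason:
                rejected.append((value, reason))
                continue
        accepted.append((kind, value))
    return accepted, rejected


# Constructed sample feed; no entry is a real indicator from any report.
SAMPLE_FEED = """\
# constructed sample feed for the example
c2: 93.184.216.34
c2: 192.168.0.5
ip: 10.0.0.0/7
ip: 100.64.1.2
ip: 2001:db8::1
ip: 172.31.255.255
ipv6: fd00::1
md5: d41d8cd98f00b204e9800998ecf8427e
domain: example.com
ip: 999.1.1.1
garbage line
"""

if __name__ == "__main__":
    ok, bad = vet_feed(SAMPLE_FEED.splitlines())
    for kind, value in ok:
        print(f"ACCEPT {kind}: {value}")
    for value, reason in bad:
        print(f"REJECT {value}: {reason}")
```

Run this over a provider's feed before it is loaded into a watchlist; every rejected line is also a question to send back to the provider, because an IOC that fails such a basic check says something about how the rest of the feed was vetted.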

As The cost of bad intelligence puts it: "Security professionals practicing threat intelligence must understand the implications of mistakes and poor analysis. Bad intelligence can and does decrease the security effectiveness of an organization."









