Enriching Network Threat Data with Open Source Tools to
advertisement
Enriching Network Threat Data with Open Source Tools to Improve Monitoring SECURE 2012 XVI Conference on Telecommunications and IT Security 22-24 October 2012 Knowledge is power Thomas Hobbes, 1658 Agenda • • • • • • • Cyber Intelligence Network Monitoring Cyber Kill Chain Incident investigation Information/indicator gathering Processing Act on what you learned Data, Information, Knowledge, Wisdom Connectedness Wisdom Knowledge Understanding Principles Understanding Patterns Information DATA DATA Understanding Relationships Understanding Cyber Intelligence Open Public Domain Proprietary Closed Processes and Decision Making Cyber Intelligence Questions • Is action needed? • What are the choices for action? • Which is the best choice? Look forward by looking backwards • Range of different sources – Phishing • APWG • Phishtank – Vulnerability management and penetration testing • https://community.rapid7.com/community/metasploit • http://www.exploit-db.com/ – Research • http://vrt-blog.snort.org/ – In depth Security News • http://krebsonsecurity.com/ Before you Consume Open Intelligence The following are publically available lists of known bad IP addresses, DNS names and URLs http://labs.snort.org/iplists/ http://www.openbl.org/ http://www.malwareblacklist.com/s http://support.clean-mx.de/cleanhowMDL.php mx/viruses http://malc0de.com/database/ VoIP Abuse Blacklist ZeuS Tracker Malware Patrol BruteForceBlocker ThreatExpert Network Monitoring Internet VPN Sensor Sensor DMZ VOIP Mail Internal Network Web New challenges in Network Monitoring Internet VPN Sensor Sensor DMZ VOIP Mail Internal Network Web 3G Internet 4G Internet Cyber Kill Chain Reconnaissance Weaponization Harvesting Email addresses, conference information, etc Coupling exploit with backdoor into deliverable payload Delivery Delivering weaponized bundle to the victim via email, web, USB, etc Exploitation Exploiting vulnerability to execute code on victim system Installation Installing malware on the victim Command & Control Installing malware on the victim Actions and Objectives With access to systems, intruders accomplish their goal Phishing email example Phishing email • Identify and stop User opens and clicks • User awareness Compromise • Patch Characteristics for the investigator • Network Data – – – – – IP Addresses Domains URLs Behavior Content • Host Data – Code – Files – Behavior Incident Investigation • On Network Data – Files – Logs – Observations • Off Network Data – Initial Access Point – Subsequent Access Points – Exfiltration Destinations – Following the tail (infrastructure research) Not addressing the attribution component in this example In the News Follow on Twitter for news/updates Alfred Huger tropism:group Shawn Webb Debit Card Shit My Logs Say MikkoHypponen Travis Goodspeed malware group M4g1c5t0rM Adli Wahid Luigi Auriemma adamjodonnell Tavis Ormandy dragosr Keith Myers Noah Everett Aaron Portnoy @alhuger @tropismgroup @lattera @NeedADebitCard @ShitMyLogsSay @mikko @travisgoodspeed @malwaregroup Handles @M4g1c5t0rM @adliwahid @luigi_auriemma @adamjodonnell @taviso @dragosr @KeithMyers @noaheverett @aaronportnoy Colin Grady egyp7 Pedram Amini Paul Asadoorian enirx Joshua J Drake Rodrigo Branco Katie Moussouris Deviant Ollam briankrebs David Litchfield Dino A Dai Zovi shftleft halvarflake Judy Novak Secure Tips Dancho Danchev @ColinGrady @egyp7 @pedramamini @pauldotcom @enirx @jduck1337 @bsdaemon @k8em0 Handles @deviantollam @briankrebs @dlitchfield @dinodaizovi @shftleft @halvarflake @judy_novak @SecureTips @danchodanchev PasteBin is *valuable*! • Take, for example, http://pastebin.com/cTJeeTat – If confirmed, this would be from the person behind the recent attack on Saudi Aramco. – It's got an open API, scrapers exist – – I would be mining it for important keywords if I were you. Protecting the Network The Role of DNS in Malware • For example – Bots resolve DNS names to locate their command and control servers – Spam mails contain URLs that link to domains that resolve to scam servers. DNS Root 1. sub.example.com? 3. sub.EXAMPLE.COM 5. SUB.EXAMPLE.COM = 1.2.3.4 TLD Nameserver Workstation Authoritative Indicator Transforms: IP-Domain/Domain-IP • Potential Problems – Which of several names/IP’s do you want? – Mappings change, what date/time are you interested in? – What if the bad guys are watching for DNS lookups? Fundamentals of Correlation Crime?| Incident EVENT Source Artifact Methodology EVENT EVENT (Context) (Context) DomainURL, spamEVENT source, etc. PhishingCONTEXT URL, spam source, etc. Malicious URL, file hash, etc. ARTIFACT ARTIFACT IP Address + Timestamp ARTIFACT IP Address + Timestamp IP Address + Timestamp The Expansion Process Most Recent i.e. 0-day Sept 14 Initial Indicator c2 exchange.likescandy.com 108.171.193.92 Passive DNS Search #1 108.171.193.92 exchange.likescandy.com 108.171.193.92 youzzsun.ddns.info PDNS Search #3 142.4.46.203 142.4.46.203 142.4.46.203 142.4.46.203 142.4.46.203 9-9-12 9-12-12 9-9-12 9-5-12 9-12-12 PDNS Search #2 exchange.likescandy.com 2012-09-18 108.171.193.92 exchange.likescandy.com 2012-09-12 142.4.46.203 exchange.likescandy.com 2012-08-31 180.210.204.180 exchange.from-sc.com aol.selfip.com exchange.is-a-landscaper.com ns18.doomdns.com exchange.likescandy.com http://labs.alienvault.com/labs/index.php/2012/the-connection-between-the-plugx-chinese-gang-and-the-latest-internet-explorer-zeroday/ The Role of DNS in Malware • By using DNS, they acquire the flexibility to change the IP address of the malicious servers that they manage • Using domain names gives attackers the flexibility of migrating their malicious servers with ease. Hard Coded Address Malware 192.0.43.10 C2 Server 192.0.43.10 DNS Based C2 Server Address DNS Server Example.com: 192.0.43.10 Malware Example.com C2 Server 192.0.43.10 The Role of DNS in Security Analysis • Use passive DNS analysis techniques to detect domains that are involved in malicious activity. Look for names that change according to certain patterns. • If the IP address of the command and control server is hard-coded into the bot binary, there exists a single point of failure for the botnet. The Role of DNS in Security Analysis • Mitigate Internet threats by identifying malicious domains that originate from sources such as botnets, phishing sites, and malware hosting services. • Analysis of large enterprise data volumes, permits us to distinguish between benign and malicious domains The Expansion Process Passive DNS Initial Indicator c2 armyclub.net 108.174.52.164 Passive DNS Search #1 124.207.179.120 armyclub.net 108.174.53.11 safeoil.net PDNS Search #3 64.15.129.80 host.0zz0.com 174.142.97.176 host5.0zz0.com 174.142.97.177 host6.0zz0.com 64.15.129.80 www.resalah.0zz0.com 70.38.12.147 www10.0zz0.com http://www.google.com; threatexpert.com; bfk safeoil.net 4/14/2012 173.192.221.44 safeoil.net 4/14/2012 201.144.18.196 safeoil.net 4/14/2012 221.194.146.109 PDNS Search #2 Some Cool Tools • SWFInvestigator (free Flash analysis from Adobe) • IDA Free (disassembler) • OllyDBG • All of the MS SysInternals tools Thank you • References: – APWG – SourceFire VRT – John Boyd’s The Essence of Winning and Losing – The Burton Matrix
