HBSS Tricks
Chris Rooney

We need a recipe, map, something…

For many people Audits are like Easter

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• 1.1 Establish firewall and router configuration standards that include the following: blah blah
• 1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
• 1.4 Install personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization’s network.

Requirement 5: Use and regularly update anti-virus software or programs
• 5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
• 5.2 Ensure that all anti-virus mechanisms are current, actively running, and generating audit logs.

Requirement 6: Develop and maintain secure systems and applications
• 6.2 Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities.

Requirement 8: Assign a unique ID to each person with computer access

Requirement 10: Track and monitor all access to network resources and cardholder data

Their own words:
Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs.
• 10.1 Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.

Requirement 12: Maintain a policy that addresses information security for all personnel.
A strong security policy sets the security tone for the whole entity and informs personnel what is expected of them. All personnel should be aware of the sensitivity of data and their responsibilities for protecting it. For the purposes of Requirement 12, “personnel” refers to full-time and part-time employees, temporary employees, contractors and consultants who are “resident” on the entity’s site or otherwise have access to the cardholder data environment.
• 12.5.2 Monitor and analyze security alerts and information, and distribute to appropriate personnel.
• 12.9.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts.

NIST SP800-53A Recommended Security Controls for Federal Information Systems

AU-2 AUDITABLE EVENTS
(1) The information system provides the capability to compile audit records from multiple components throughout the system into a systemwide (logical or physical), time-correlated audit trail.

AU-4 AUDIT STORAGE CAPACITY
Control: The organization allocates sufficient audit record storage capacity and configures auditing to prevent such capacity being exceeded.

AU-6 AUDIT MONITORING, ANALYSIS, AND REPORTING
Control: The organization regularly reviews/analyzes audit records for indications of inappropriate or unusual activity, investigates suspicious activity or suspected violations, reports findings to appropriate officials, and takes necessary actions.

CA-7 CONTINUOUS MONITORING
Control: The organization monitors the security controls in the information system on an ongoing basis.

IR-4 INCIDENT HANDLING
Control: The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.

IR-5 INCIDENT MONITORING
Control: The organization tracks and documents information system security incidents on an ongoing basis.
RA-5 VULNERABILITY SCANNING
Control: Using appropriate vulnerability scanning tools and techniques, the organization scans for vulnerabilities in the information system [Assignment: organization-defined frequency] or when significant new vulnerabilities affecting the system are identified and reported.

What you had to buy:
• Firewall
• IDS - (I Detect Stuff)
• IPS - (I Prevent Stuff)
• AV
• Logging solution of some type - Centralized logging
• HIPS
• HIDS

Attacker: WHA!? The Auditor said we were “Compliant”

Following this: In no way makes you this:

What this isn’t –
• You’re not going to replace your AV solutions
• You’re not going to replace <insert everything>
• Also we are not curing diabetes, cancer, or insomnia

What This Will Do
• This will help your internal incident response
• This will possibly help you find root cause faster
• This might actually help you detect something
• Defense in Depth or Layered Security

What this will require
• Proactive monitoring
• Reviewing a lot of logs
• Reviewing a lot of logs

Why?
Because AV sucks. No really, because AV sucks.
• AV is signature based; you are always playing “catch up”
• Tool sets are rarely going to be picked up by AV: malicious DLLs, memory resident, etc etc…
• AV is not designed for, or capable of, detecting nearly anything related to a compromise!
• After initial compromise the attacker will use available system tools against you.

Anatomy of an Attack
• Recon
• Scanning
• Exploit Systems
• Keeping Access
• Covering Tracks

Recon – Hard to Detect
Not Detectable:
• Web searches (Google, Bing, etc)
• Whois – registrar info etc
Detectable:
• DNS zone transfers – AXFR or IXFR
• DNS reverse lookup – brute force
• Servers named <company>DC#, <company>MAIL#, etc, or mythological deities, heroes, Lord of the Rings, etc
Firewall, IDS/IPS, and Server Logs help here

Basic Network Monitoring – DO IT.
• Review the logs, detections etc
• Forget about the “color” – Red, OJ, Yellow etc.
• Look at the finding, evaluate it, act appropriately

OK… Reviewing pages of this is “No Bueno”. It needs to be usable, convey something.

Manager Receipt Time  | Name                                                          | Transport Protocol | Priority | Severity | Device Action   | Source Address | Source Port | Destination Address | Destination Port
Mar 27 2013 12:00:32  | SERVER-IIS view source via translate header                   | TCP                | 5        | 3        | Gray -- Unknown | 74.82.248.186  | 4609        | 137.161.202.92      | 80
Mar 27 2013 12:03:37  | Mandiant WebC2-GDOCUPLOAD User-Agent 3                        | TCP                | 9        | 10       | Gray -- Unknown | 10.78.66.100   | 42853       | 68.142.251.159      | 80
Mar 27 2013 12:04:17  | DNS SPOOF query response with TTL of 1 min. and no authority  | UDP                | 5        | 3        | Gray -- Unknown | 199.66.238.112 | 53          | 10.161.231.150      | 11758
Mar 27 2013 12:23:30  | SERVER-IIS view source via translate header                   | TCP                | 5        | 0        |                 | 6 52.129.8.51  | 41314       | 10.82.250.31        | 80
Mar 27 2013 12:24:30  | Mandiant WebC2-GDOCUPLOAD User-Agent 3                        | TCP                | 8        | 5        | Gray -- Unknown | 10.80.29.105   | 45382       | 165.254.99.35       | 80
Mar 27 2013 12:13:38  | DNS SPOOF query response with TTL of 1 min. and no authority  | UDP                | 5        | 3        | Gray -- Unknown | 199.66.238.112 | 53          | 192.161.231.150     | 62800
Mar 27 2013 12:27:35  | Mandiant WebC2-GDOCUPLOAD User-Agent 3                        | TCP                | 7        | 0        | Gray -- Unknown | 10.80.174.11   | 32137       | 165.254.99.24       | 80
Mar 27 2013 12:15:09  | SCAN UPnP service discover attempt                            | UDP                | 3        | 0        | Gray -- Unknown | 176.10.35.241  | 30987       | 10.78.84.67         | 1900
Mar 27 2013 12:16:14  | SCAN UPnP service discover attempt                            | UDP                | 3        | 0        | Gray -- Unknown | 176.10.35.241  | 45317       | 192.152.169.252     | 1900
Mar 27 2013 12:16:19  | SCAN UPnP service discover attempt                            | UDP                | 3        | 0        | Gray -- Unknown | 176.10.35.241  | 2032        | 10.83.194.160       | 1900
Mar 27 2013 12:20:04  | DNS SPOOF query response with TTL of 1 min. and no authority  | UDP                | 5        | 3        | Gray -- Unknown | 199.66.238.112 | 53          | 192.161.231.150     | 35177
Mar 27 2013 12:20:39  | SCAN UPnP service discover attempt                            | UDP                | 3        | 0        | Gray -- Unknown | 94.142.155.123 | 23396       | 10.83.192.239       | 1900
Mar 27 2013 12:23:35  | DNS SPOOF query response with TTL of 1 min. and no authority  | UDP                | 5        | 3        | Gray -- Unknown | 199.66.238.112 | 53          | 192.161.231.150     | 20869

Now that makes it a heck of a lot easier to read

Scanning
• Port Scans
• Service Scans

Scanning
• Web Servers
• VPN Gateways
• FTP
• DNS
• Citrix
• Database (Yes, we do find databases in the DMZ sometimes)
Detected with - Firewall, IDS/IPS, Logging

Exploit Systems
• Web browsers, Operating System vulnerabilities and JAVA
• and Everything made by Adobe EVER!!!!!!

Let’s talk users
• Shouldn’t have admin rights
• They just want to see the kittehs
• They will keep you up at night
• Without them you’d be unemployed

Are you familiar with Indicators of Compromise?

ZeroAccess/Siref.P
This is looking for indicators found from a recent ZeroAccess/Siref variant. Files are located in users profile\local settings\application data\{}\@ or \n and also seen in c:\windows\installer.
Registry KeyPath: Classes\CLSID\{F3130CDB-AA52-4C3A-AB3285FFC23AF9C1}\InprocServer32

WinLogon Shell Persistence
  <IndicatorItem id="f0a5abaa-41f4-488e-9acf-8c7654a71122" condition="contains">
    <Context document="RegistryItem" search="RegistryItem/Value" type="mir" />
    <Content type="string">%Temp%</Content>
  </IndicatorItem>

Trojan-Tinba-Zusy
  <IndicatorItem id="fcfc3866-836f-4a0c-8939-fc23dc22d0a4" condition="contains">
    <Context document="FileItem" search="FileItem/FullPath" type="mir" />
    <Content type="string">All Users\Application Data\default</Content>
  </IndicatorItem>

They’re not admins
So we shouldn’t see them executing stuff from:
• Internet\local\temp
• AppData\local\Temp
• Temporary Internet Files\

• Set up some HIPS rules and let them run
• Whenever the HIPS triggers, it creates an event
• Pipe it to centralized logging/monitoring
• Review often

Does this work?
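The two IndicatorItem fragments above and the "non-admins executing from temp" rule can both be checked with a few lines of code. What follows is an added example, not code from the talk, McAfee or Mandiant: it loads the two OpenIOC items exactly as shown, applies them to a handful of constructed HIPS-style events (the event layout with document/Path/FullPath/Value fields and an is_admin flag, the host and user names, and the rule name are all assumptions), and implements only the "contains" and "is" conditions.

```python
"""Added example (not from the talk): a minimal OpenIOC-style evaluator for the
two IndicatorItem fragments on the slides, plus a "non-admin running code from
a temp directory" rule, run over a handful of constructed HIPS-style events."""
import xml.etree.ElementTree as ET
from collections import namedtuple

# The two IndicatorItem fragments from the slides, wrapped in a root element so
# they parse as one document.
IOC_XML = r"""<Indicator>
  <IndicatorItem id="f0a5abaa-41f4-488e-9acf-8c7654a71122" condition="contains">
    <Context document="RegistryItem" search="RegistryItem/Value" type="mir" />
    <Content type="string">%Temp%</Content>
  </IndicatorItem>
  <IndicatorItem id="fcfc3866-836f-4a0c-8939-fc23dc22d0a4" condition="contains">
    <Context document="FileItem" search="FileItem/FullPath" type="mir" />
    <Content type="string">All Users\Application Data\default</Content>
  </IndicatorItem>
</Indicator>"""

# Directories the slides say non-admin users should never be executing from.
SUSPICIOUS_EXEC_DIRS = (
    "\\internet\\local\\temp\\",
    "\\appdata\\local\\temp\\",
    "\\temporary internet files\\",
)

Indicator = namedtuple("Indicator", "ioc_id document field condition value")


def load_indicators(xml_text):
    """Read each IndicatorItem into (id, document, field, condition, value)."""
    items = []
    for item in ET.fromstring(xml_text).iter("IndicatorItem"):
        context = item.find("Context")
        field = context.get("search").split("/", 1)[1]  # "FileItem/FullPath" -> "FullPath"
        items.append(Indicator(item.get("id"), context.get("document"), field,
                               item.get("condition"), item.find("Content").text))
    return items


def indicator_matches(ind, event):
    """Apply one indicator to one event (only 'contains' and 'is' are implemented)."""
    if event.get("document") != ind.document:
        return False
    observed = event.get(ind.field, "").lower()
    expected = ind.value.lower()
    if ind.condition == "contains":
        return expected in observed
    if ind.condition == "is":
        return expected == observed
    return False


def temp_dir_execution(event):
    """Hypothetical HIPS rule: a non-admin user launched an image from a temp directory."""
    if event.get("document") != "ProcessItem" or event.get("is_admin", False):
        return False
    path = event.get("Path", "").lower()
    return any(d in path for d in SUSPICIOUS_EXEC_DIRS)


def triage(events, indicators):
    """Return (event id, host, reason) for every event that trips a rule or an indicator."""
    hits = []
    for ev in events:
        if temp_dir_execution(ev):
            hits.append((ev["id"], ev["host"], "non-admin execution from temp dir"))
        for ind in indicators:
            if indicator_matches(ind, ev):
                hits.append((ev["id"], ev["host"], "IOC " + ind.ioc_id))
    return hits


# Constructed events: hostnames, users and file paths are made up for this example.
SAMPLE_EVENTS = [
    {"id": 1, "document": "ProcessItem", "host": "WS01", "user": "b1odpsaj", "is_admin": False,
     "Path": "C:\\Users\\b1odpsaj\\AppData\\Local\\Temp\\update.exe"},
    {"id": 2, "document": "ProcessItem", "host": "WS02", "user": "itadmin", "is_admin": True,
     "Path": "C:\\Users\\itadmin\\AppData\\Local\\Temp\\installer.exe"},
    {"id": 3, "document": "FileItem", "host": "WS03",
     "FullPath": "C:\\Documents and Settings\\All Users\\Application Data\\default\\svc.exe"},
    {"id": 4, "document": "RegistryItem", "host": "WS04",
     "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
     "Value": "explorer.exe,%Temp%\\x.exe"},
    {"id": 5, "document": "ProcessItem", "host": "WS05", "user": "g6edxjfs", "is_admin": False,
     "Path": "C:\\Program Files\\Internet Explorer\\iexplore.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS, load_indicators(IOC_XML)):
        print(hit)
```

Event 2 is deliberately an admin installing from Temp and is left alone, which is the point of scoping the rule to non-admins: the same path rule fired for every account would bury the review queue in installer noise.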
Typical AV alert report:
• JS/Exploit-Blacole.gq trojan deleted c:\Documents and Settings\b1odpsaj\Local Settings\Temporary Internet Files\Content.IE5\3LYHPBW3\adds_youngs-tickets[1].htm
• FakeAlert-Rena!mem trojan deleted C:\Users\g6edxjfs\AppData\Local\ber.exe
• JS/Blacole-Redirect.y trojan deleted c:\Users\g2odBJPB\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6DRU6D7E\jcap[1].js
• JS/Blacole-Redirect.y trojan deleted c:\Users\g2odBJPB\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6EQZXI8W\md5[1].js
• JS/Blacole-Redirect.y trojan deleted c:\Users\g2odBJPB\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6EQZXI8W\mm_menu[1].js
• JS/Blacole-Redirect.y trojan deleted c:\Users\g2odBJPB\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6EQZXI8W\textsizer[1].js
• Generic.dx!bhml trojan deleted c:\Documents and Settings\L4ECCEER\Application Data\Sun\Java\Deployment\cache\6.0\18\5b0dbf92-27b00084\ConvertVal.class
• Generic.dx!bhnq trojan deleted c:\Documents and Settings\U4GGYNT3.ERD\Application Data\Sun\Java\Deployment\cache\6.0\62\51833e7e-6f4af747\Qe9hq0c.class
• Generic.dx!bhmj trojan deleted c:\Documents and Settings\l2cocbhs\Application Data\Sun\Java\Deployment\cache\6.0\17\2e230d1-2627f1e2\glof.class

What if you could detect malware without a signature anywhere from 1 to 15 days before AV?

3/5/2013 12:20 | NB-NB-02606043 | 3776 | Microsoft Internet Explorer Vector Markup Language Vulnerability (2) | C:\Program Files\Internet Explorer\iexplore.exe | Permitted | bad_parameter | Vulnerability Name: Vulnerable ActiveX Control Loading A

Please Remove and Investigate - Exploit-FEW!Blacole, NB-NB-02606043, 3/10/2013
Evidence:
9 Mar 2013 04:04:06 EST,9 Mar 2013 10:03:21 EST,trojan,Exploit-FEW!Blacole,1 NB-NB02606043 c:\Users\ctxctx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\662c0a3d68bf0762,Infected file deleted.
9 Mar 2013 04:04:06 EST,9 Mar 2013 10:02:20 EST,CENAD,N/A,trojan,JS/ExploitBlacole.kf, NB-NB-02606043 c:\Users\ctxctx\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7KIUL6H4\q[1].htm,Infected file deleted.

3/5/2013 16:02 | LOL-NB-01583721 | 3776 | Microsoft Internet Explorer Vector Markup Language Vulnerability (2) | C:\Program Files\Internet Explorer\iexplore.exe | Permitted | bad_parameter | Vulnerability Name: Vulnerable ActiveX Control Loading A

Please Remove and Investigate - JV/Blacole-FFV!4EBC81B2A371, LOL-NB-01583721, 3/11/2013, 9 KB
Evidence:
11 Mar 2013 08:24:07 CDT,Infected file deleted.,JV/BlacoleFFU!9DB0385E2EC8, LOL-NB01583721,c:\Users\CTMCTM\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\4eb38805296bc4f\BadRun.class,8,McAfee,ePolicy Orchestrator

3/5/2013 7:28 | MNT-LM01NOL | "CMD Tool Access by a Network Aware Application" | C:\windows\system32\services.exe | Permitted | read,execute | C:\windows\system32\sc.exe

Please Remove and Investigate - Possible Malware, MNT-LM01NOL, 3/14/2013, 33 KB
Evidence:
MNT-LM01NOL | MCHTJOPJcvgnWvWrnaqeyLRo | C:\windows\BhZvccld.exe | Own Process | Manual

TS05CPC, 3/4/2013: ten "CMD Tool Access by a Network Aware Application" events
• Times (in the order exported): 18:38, 18:38, 18:36, 18:35, 18:38, 18:45, 18:39, 18:46, 18:45, 18:37
• Source process: C:\Windows\Explorer.EXE (7 events), C:\Windows\system32\svchost.exe (3 events); all Permitted
• Access: Read
• Target: C:\Windows\system32\cmd.exe (4), C:\windows\system32\mmc.exe (1), C:\Windows\system32\tasklist.exe (2), C:\Windows\SysWOW64\mmc.exe (3)

Please Remove and Investigate - Possible Malware, TS05CPC, 3/15/2013
Evidence:
TS05CPC | Mujkqgnqoz | C:\Windows\dcdlGcwB.exe | Own Process | Manual
TS05CPC | MSmnVhUJZvFOTMWlOqJ | C:\Windows\HgcYJFmB.exe | Own Process | Manual
TS05CPC | MYdVQuZoWaSQlQ | C:\Windows\KrmWoUKS.exe | Own Process | Manual

Did I mention that AV cannot be counted on?

Keeping Access/Lateral Movement
• System tools used – Netstat, Net View, create and start services – SC
• HIPS/HIDS and Event Logs are key
• Visualize them, look at access times, parse them and write them to a spreadsheet

Covering Tracks
• Deleting logs
• Hiding files
• Tunnels
HIDS/HIPS, IPS/IDS, Centralized Logging, Egress Filtering
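The "parse them and write them to a spreadsheet" step, and the HIPS-before-AV lead time the evidence above illustrates, look like this in code. This is an added example and not the talk's, McAfee's or ePO's own tooling: the pipe-delimited export format, the NETWORK_AWARE and CMD_TOOLS sets, the CSV column names and the WS-CLEAN01 host are assumptions; the other hostnames and dates follow the slides.

```python
"""Added example (not from the talk): parse constructed HIPS and AV export lines,
pull out the network-aware-parent -> command-line-tool chains per host, compute
how many days HIPS fired before AV caught up on the same host, and write the
result as a CSV that opens in a spreadsheet."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed HIPS export: time|host|rule|source process|action|target.
# Hostnames and dates follow the slides; WS-CLEAN01 is made up to show a host
# with a HIPS hit and no later AV detection.
HIPS_LOG = r"""
3/5/2013 12:20|NB-NB-02606043|Microsoft Internet Explorer Vector Markup Language Vulnerability (2)|C:\Program Files\Internet Explorer\iexplore.exe|Permitted|bad_parameter
3/5/2013 7:28|MNT-LM01NOL|CMD Tool Access by a Network Aware Application|C:\windows\system32\services.exe|Permitted|C:\windows\system32\sc.exe
3/4/2013 18:35|TS05CPC|CMD Tool Access by a Network Aware Application|C:\Windows\Explorer.EXE|Permitted|C:\Windows\system32\cmd.exe
3/4/2013 18:38|TS05CPC|CMD Tool Access by a Network Aware Application|C:\Windows\system32\svchost.exe|Permitted|C:\Windows\system32\tasklist.exe
3/4/2013 18:45|TS05CPC|CMD Tool Access by a Network Aware Application|C:\Windows\Explorer.EXE|Permitted|C:\Windows\SysWOW64\mmc.exe
3/6/2013 9:10|WS-CLEAN01|CMD Tool Access by a Network Aware Application|C:\Windows\Explorer.EXE|Permitted|C:\Windows\system32\cmd.exe
"""

# Constructed AV export: date|host|detection name.
AV_LOG = r"""
3/10/2013|NB-NB-02606043|Exploit-FEW!Blacole
3/14/2013|MNT-LM01NOL|Possible Malware
3/15/2013|TS05CPC|Possible Malware
"""

# Parents that talk to the network, and the system tools the slides call out (assumed sets).
NETWORK_AWARE = {"explorer.exe", "svchost.exe", "services.exe", "iexplore.exe"}
CMD_TOOLS = {"cmd.exe", "sc.exe", "net.exe", "netstat.exe", "tasklist.exe", "mmc.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_hips(text):
    """Turn the export into dicts with a real datetime so events can be ordered."""
    events = []
    for line in text.strip().splitlines():
        ts, host, rule, src, action, target = line.split("|")
        events.append({"time": datetime.strptime(ts, "%m/%d/%Y %H:%M"), "host": host,
                       "rule": rule, "src": src, "action": action, "target": target})
    return events


def cmd_tool_chains(events):
    """Per host, (time, parent, tool) for each network-aware parent reaching a cmd tool."""
    chains = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if basename(ev["src"]) in NETWORK_AWARE and basename(ev["target"]) in CMD_TOOLS:
            chains[ev["host"]].append((ev["time"].strftime("%Y-%m-%d %H:%M"),
                                       basename(ev["src"]), basename(ev["target"])))
    return dict(chains)


def first_hips_time(events):
    first = {}
    for ev in events:
        if ev["host"] not in first or ev["time"] < first[ev["host"]]:
            first[ev["host"]] = ev["time"]
    return first


def av_lead_days(events, av_text):
    """host -> (days between the first HIPS event and the AV detection, detection name)."""
    first = first_hips_time(events)
    lead = {}
    for line in av_text.strip().splitlines():
        date, host, name = line.split("|")
        if host in first:
            av_day = datetime.strptime(date, "%m/%d/%Y").date()
            lead[host] = ((av_day - first[host].date()).days, name)
    return lead


def triage_csv(events, av_text):
    """One row per host, ready for a spreadsheet: counts, first HIPS time, AV lag."""
    chains, lead, first = cmd_tool_chains(events), av_lead_days(events, av_text), first_hips_time(events)
    per_host = defaultdict(int)
    for ev in events:
        per_host[ev["host"]] += 1
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["host", "first_hips_event", "hips_events", "cmd_tool_chains",
                     "av_detection", "days_hips_before_av"])
    for host in sorted(per_host):
        days, name = lead.get(host, ("", ""))
        writer.writerow([host, first[host].strftime("%Y-%m-%d %H:%M"), per_host[host],
                         len(chains.get(host, [])), name, days])
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_csv(parse_hips(HIPS_LOG), AV_LOG))
```

The CSV is the review artefact: sort it by days_hips_before_av and the hosts where AV never caught up (empty column, like WS-CLEAN01 here) float to the top of the "Please Remove and Investigate" pile rather than hiding among the ones AV already cleaned.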