Enriching Network Threat Data
with Open Source Tools to
Improve Monitoring
SECURE 2012, XVI Conference on Telecommunications and IT Security, 22-24 October 2012
Knowledge is power
Thomas Hobbes, 1658
Agenda
• Cyber Intelligence
• Network Monitoring
• Cyber Kill Chain
• Incident investigation
• Information/indicator gathering
• Processing
• Act on what you learned
Data, Information, Knowledge, Wisdom (DIKW pyramid, diagram)
• Data
• Information: understanding relationships
• Knowledge: understanding patterns
• Wisdom: understanding principles
Connectedness and understanding both increase as you move up from data to wisdom.
Cyber Intelligence (diagram)
Sources span a spectrum from open (public domain) to closed (proprietary).
Processes and Decision Making
Cyber Intelligence Questions
• Is action needed?
• What are the choices for action?
• Which is the best choice?
Look forward by looking backwards
• Range of different sources
– Phishing
• APWG
• Phishtank
– Vulnerability management and penetration testing
• https://community.rapid7.com/community/metasploit
• http://www.exploit-db.com/
– Research
• http://vrt-blog.snort.org/
– In depth Security News
• http://krebsonsecurity.com/
Before you Consume Open Intelligence
The following are publicly available lists of known bad IP addresses, DNS names and URLs:
• http://labs.snort.org/iplists/
• http://www.openbl.org/
• http://www.malwareblacklist.com/showMDL.php
• http://support.clean-mx.de/clean-mx/viruses
• http://malc0de.com/database/
• VoIP Abuse Blacklist
• ZeuS Tracker
• Malware Patrol
• BruteForceBlocker
• ThreatExpert
Network Monitoring (diagram)
Sensors are placed between the Internet (and VPN) and the DMZ (VoIP, Mail, Web) and the Internal Network.
New challenges in Network Monitoring (diagram)
The same layout as before, but devices on the internal network now also reach the Internet directly over 3G and 4G, so that traffic never crosses the sensors.
Cyber Kill Chain
• Reconnaissance: harvesting email addresses, conference information, etc.
• Weaponization: coupling an exploit with a backdoor into a deliverable payload
• Delivery: delivering the weaponized bundle to the victim via email, web, USB, etc.
• Exploitation: exploiting a vulnerability to execute code on the victim system
• Installation: installing malware on the victim
• Command & Control: a command channel for remote manipulation of the victim
• Actions on Objectives: with access to systems, intruders accomplish their goal
Phishing email example (kill chain stage and the control that breaks it)
• Phishing email: identify and stop
• User opens and clicks: user awareness
• Compromise: patch
Characteristics for the investigator
• Network Data
– IP Addresses
– Domains
– URLs
– Behavior
– Content
• Host Data
– Code
– Files
– Behavior
Incident Investigation
• On Network Data
– Files
– Logs
– Observations
• Off Network Data
– Initial Access Point
– Subsequent Access Points
– Exfiltration Destinations
– Following the tail (infrastructure research)
Not addressing the attribution component in this example
In the News
Follow on Twitter for news/updates:
• Alfred Huger (@alhuger)
• tropism:group (@tropismgroup)
• Shawn Webb (@lattera)
• Debit Card (@NeedADebitCard)
• Shit My Logs Say (@ShitMyLogsSay)
• MikkoHypponen (@mikko)
• Travis Goodspeed (@travisgoodspeed)
• malware group (@malwaregroup)
• M4g1c5t0rM (@M4g1c5t0rM)
• Adli Wahid (@adliwahid)
• Luigi Auriemma (@luigi_auriemma)
• adamjodonnell (@adamjodonnell)
• Tavis Ormandy (@taviso)
• dragosr (@dragosr)
• Keith Myers (@KeithMyers)
• Noah Everett (@noaheverett)
• Aaron Portnoy (@aaronportnoy)
• Colin Grady (@ColinGrady)
• egyp7 (@egyp7)
• Pedram Amini (@pedramamini)
• Paul Asadoorian (@pauldotcom)
• enirx (@enirx)
• Joshua J Drake (@jduck1337)
• Rodrigo Branco (@bsdaemon)
• Katie Moussouris (@k8em0)
• Deviant Ollam (@deviantollam)
• briankrebs (@briankrebs)
• David Litchfield (@dlitchfield)
• Dino A Dai Zovi (@dinodaizovi)
• shftleft (@shftleft)
• halvarflake (@halvarflake)
• Judy Novak (@judy_novak)
• Secure Tips (@SecureTips)
• Dancho Danchev (@danchodanchev)
PasteBin is *valuable*!
• Take, for example, http://pastebin.com/cTJeeTat
– If confirmed, this would be from the person behind the recent attack on Saudi Aramco.
– It's got an open API, and scrapers exist.
– I would be mining it for important keywords if I were you.
Protecting the Network
The Role of DNS in Malware
• For example
– Bots resolve DNS names to locate their command
and control servers
– Spam mails contain URLs that link to domains that
resolve to scam servers.
DNS resolution (diagram; only steps 1, 3 and 5 are labelled on the slide)
1. Workstation asks: sub.example.com?
3. Referral through the Root and TLD nameservers for sub.EXAMPLE.COM
5. Authoritative nameserver answers: SUB.EXAMPLE.COM = 1.2.3.4
Indicator Transforms: IP-Domain/Domain-IP
• Potential problems
– Which of several names/IPs do you want?
– Mappings change: what date/time are you interested in?
– What if the bad guys are watching for DNS lookups? (Resolving the name yourself tells them someone is looking; passive DNS data does not.)
Fundamentals of Correlation (diagram)
• A suspected crime or incident is made up of one or more EVENTs.
• Each EVENT is described by its Source, Artifact and Methodology.
• CONTEXT attached to an event: phishing URL, spam source, etc.
• ARTIFACTs attached to an event: malicious URL, file hash, etc., and for every event an IP address + timestamp.
• Events are tied together through the artifacts they share, such as the same IP address at the same time.
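The correlation model above in working code, as an added example that is not part of the SECURE 2012 slides: open list entries (IPs, CIDRs, hostnames, URLs, in the one-indicator-per-line style of the public lists named earlier) become context, each log event carries its IP address + timestamp artifact, and events from the same internal source that touch several distinct indicators are surfaced. The feed names, feed contents and log lines are all constructed (documentation address ranges and example.* names); the log format is an assumption.

```python
"""Enrich proxy/firewall events with context from open blocklist feeds.

Added example, not code from the SECURE 2012 slides.  The feed names, feed
contents and log lines below are constructed (RFC 5737 documentation
addresses and example.* names), in the one-indicator-per-line style of the
public lists named on the slides.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed feeds: comments, blanks, bare IPs, CIDRs, hostnames and full
# URLs all occur in real public lists, so the parser accepts each form.
FEEDS = {
    "example-iplist": """
# constructed sample, not a real feed
198.51.100.23
203.0.113.0/24
""",
    "example-urllist": """
http://malware.example.net/dl/a.exe
bad-domain.example.org
""",
}

# Constructed log lines (assumed format): "<timestamp> <src> -> <dst ip> <url or ->"
LOG_LINES = """
2012-10-22T09:14:05Z 10.0.0.15 -> 198.51.100.23 -
2012-10-22T09:14:07Z 10.0.0.15 -> 93.184.216.34 http://www.example.com/
2012-10-22T09:15:41Z 10.0.0.42 -> 203.0.113.77 http://malware.example.net/dl/a.exe
2012-10-22T09:16:02Z 10.0.0.42 -> 192.0.2.9 http://bad-domain.example.org/login
"""


@dataclass
class Indicators:
    ips: dict = field(default_factory=dict)    # ip -> feed name
    nets: list = field(default_factory=list)   # (ip_network, feed name)
    hosts: dict = field(default_factory=dict)  # hostname -> feed name
    urls: dict = field(default_factory=dict)   # full URL -> feed name


def parse_feed(name, text, ind):
    """Classify each non-comment line as URL, CIDR, IP or hostname."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "://" in line:
            ind.urls[line] = name
            ind.hosts[(urlsplit(line).hostname or "").lower()] = name
            continue
        try:
            if "/" in line:
                ind.nets.append((ipaddress.ip_network(line, strict=False), name))
            else:
                ind.ips[str(ipaddress.ip_address(line))] = name
        except ValueError:
            ind.hosts[line.lower().rstrip(".")] = name   # not an address: a hostname


def load_feeds(feeds):
    ind = Indicators()
    for name, text in feeds.items():
        parse_feed(name, text, ind)
    return ind


LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (\S+)$")


def enrich(line, ind):
    """Attach (kind, indicator, feed) context to one event; None if unparsable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, url = m.groups()
    hits = []
    if dst in ind.ips:
        hits.append(("ip", dst, ind.ips[dst]))
    dst_addr = ipaddress.ip_address(dst)      # dst is always an IP in this format
    for net, feed in ind.nets:
        if dst_addr in net:
            hits.append(("net", str(net), feed))
    if url != "-":
        host = (urlsplit(url).hostname or "").lower()
        if url in ind.urls:
            hits.append(("url", url, ind.urls[url]))
        elif host in ind.hosts:
            hits.append(("host", host, ind.hosts[host]))
    return {"ts": ts, "src": src, "dst": dst, "url": url, "hits": hits}


def correlate(lines, ind):
    """Enrich every event and report internal sources that touched more than
    one distinct indicator: one hit may be noise, several are worth a look."""
    events = [e for e in (enrich(l, ind) for l in lines.splitlines()) if e]
    seen = {}
    for e in events:
        for _kind, value, _feed in e["hits"]:
            seen.setdefault(e["src"], set()).add(value)
    repeat = {src for src, vals in seen.items() if len(vals) > 1}
    return events, repeat


if __name__ == "__main__":
    ind = load_feeds(FEEDS)
    events, repeat = correlate(LOG_LINES, ind)
    for e in events:
        if e["hits"]:
            print(e["ts"], e["src"], "->", e["dst"], e["hits"])
    print("sources with multiple distinct indicators:", sorted(repeat))
```

Matching on the URL's hostname as well as the full URL is deliberate: list entries are often a single URL, while the victim fetches a different path on the same host. The timestamp is carried on every event so that the hits can later be checked against the validity window of the list entry, which is the "what date/time are you interested in" problem from the indicator-transform slide.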
The Expansion Process
Most recent example: the 0-day of Sept 14 (write-up linked below)
Initial indicator (C2): exchange.likescandy.com, 108.171.193.92
Passive DNS Search #1 (IP -> names for 108.171.193.92):
– 108.171.193.92 exchange.likescandy.com
– 108.171.193.92 youzzsun.ddns.info
Passive DNS Search #2 (name -> IP history for exchange.likescandy.com):
– exchange.likescandy.com 2012-09-18 108.171.193.92
– exchange.likescandy.com 2012-09-12 142.4.46.203
– exchange.likescandy.com 2012-08-31 180.210.204.180
Passive DNS Search #3 (IP -> names for 142.4.46.203, with observation dates):
– 142.4.46.203 9-9-12 exchange.from-sc.com
– 142.4.46.203 9-12-12 aol.selfip.com
– 142.4.46.203 9-9-12 exchange.is-a-landscaper.com
– 142.4.46.203 9-5-12 ns18.doomdns.com
– 142.4.46.203 9-12-12 exchange.likescandy.com
http://labs.alienvault.com/labs/index.php/2012/the-connection-between-the-plugx-chinese-gang-and-the-latest-internet-explorer-zeroday/
The Role of DNS in Malware
• By using DNS, they acquire the flexibility to
change the IP address of the malicious servers
that they manage
• Using domain names gives attackers the
flexibility of migrating their malicious servers
with ease.
Hard Coded Address (diagram): Malware -> C2 Server at 192.0.43.10, address embedded in the binary.
DNS Based C2 Server Address (diagram): Malware -> DNS Server (example.com resolves to 192.0.43.10) -> C2 Server at 192.0.43.10.
The Role of DNS in Security Analysis
• Use passive DNS analysis techniques to detect
domains that are involved in malicious
activity. Look for names that change
according to certain patterns.
• If the IP address of the command and control
server is hard-coded into the bot binary, there
exists a single point of failure for the botnet.
The Role of DNS in Security Analysis
• Mitigate Internet threats by identifying malicious domains that originate from sources such as botnets, phishing sites, and malware hosting services.
• Analysis of large enterprise data volumes permits us to distinguish between benign and malicious domains.
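The two slides above say to look in passive DNS for names whose mappings change according to certain patterns. As an added example that is not code from the slides, the block below scores a small constructed passive DNS table on two such patterns: a name that moves across many /24 networks in a short window (fast-flux style churn, the opposite of the single hard-coded address) and a label that looks machine-generated (long, high entropy, almost no vowels). The records, the /24 bucketing and every threshold are assumptions to be tuned against your own data.

```python
"""Score domains from passive DNS for fast-flux style churn and
machine-generated names.

Added example, not code from the SECURE 2012 slides.  RECORDS is a constructed
passive DNS table (documentation addresses, example.* names); the thresholds
are assumptions to tune against your own data.
"""
import math
from collections import defaultdict
from datetime import date

# Constructed: (domain, observed date, ip)
RECORDS = [
    ("www.example.com", "2012-09-01", "93.184.216.34"),
    ("www.example.com", "2012-09-20", "93.184.216.34"),
    ("update.flux-example.net", "2012-09-01", "198.51.100.10"),
    ("update.flux-example.net", "2012-09-01", "203.0.113.5"),
    ("update.flux-example.net", "2012-09-02", "192.0.2.77"),
    ("update.flux-example.net", "2012-09-02", "198.18.4.9"),
    ("update.flux-example.net", "2012-09-03", "100.64.2.2"),
    ("xk3qz9vtb.example.org", "2012-09-10", "192.0.2.50"),
]

VOWELS = set("aeiou")


def label_stats(label):
    """Shannon entropy (bits per character) and vowel ratio of one DNS label."""
    counts = defaultdict(int)
    for c in label:
        counts[c] += 1
    n = len(label)
    entropy = -sum(k / n * math.log2(k / n) for k in counts.values())
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    return entropy, vowel_ratio


def looks_generated(domain, min_len=8, min_entropy=3.0, max_vowel_ratio=0.25):
    """Heuristic for DGA-like names: any label (TLD excluded) that is long,
    high-entropy and vowel-poor.  Thresholds are assumed."""
    for label in domain.lower().split(".")[:-1]:
        if len(label) < min_len:
            continue
        entropy, vr = label_stats(label)
        if entropy >= min_entropy and vr <= max_vowel_ratio:
            return True
    return False


def churn(records):
    """Per domain: distinct IPs, distinct /24 buckets and observation window."""
    per = defaultdict(lambda: {"ips": set(), "nets": set(), "first": None, "last": None})
    for dom, seen, ip in records:
        d = date.fromisoformat(seen)
        s = per[dom]
        s["ips"].add(ip)
        s["nets"].add(ip.rsplit(".", 1)[0])   # crude /24 bucket, no ASN data needed
        if s["first"] is None or d < s["first"]:
            s["first"] = d
        if s["last"] is None or d > s["last"]:
            s["last"] = d
    return per


def assess(records, min_nets=3, min_nets_per_day=1.0):
    """Flag fast-flux style churn (many /24s in a short window) and DGA-like names."""
    out = {}
    for dom, s in churn(records).items():
        days = (s["last"] - s["first"]).days + 1
        flags = []
        if len(s["nets"]) >= min_nets and len(s["nets"]) / days >= min_nets_per_day:
            flags.append("fast-flux")
        if looks_generated(dom):
            flags.append("dga-like")
        out[dom] = {"ips": len(s["ips"]), "nets": len(s["nets"]), "days": days, "flags": flags}
    return out


if __name__ == "__main__":
    for dom, r in sorted(assess(RECORDS).items()):
        print(f"{dom:28} ips={r['ips']} nets={r['nets']} days={r['days']} {r['flags']}")
```

Neither signal is proof on its own: content delivery networks also answer from many networks, and some legitimate hostnames are random-looking. Treat a flag as a reason to pull the name into the expansion process, not as a verdict.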
The Expansion Process: Passive DNS
Initial indicator (C2): armyclub.net, 108.174.52.164
Passive DNS Search #1:
– 124.207.179.120 armyclub.net
– 108.174.53.11 safeoil.net
Passive DNS Search #2 (safeoil.net IP history):
– safeoil.net 4/14/2012 173.192.221.44
– safeoil.net 4/14/2012 201.144.18.196
– safeoil.net 4/14/2012 221.194.146.109
Passive DNS Search #3 (0zz0.com hosting):
– 64.15.129.80 host.0zz0.com
– 174.142.97.176 host5.0zz0.com
– 174.142.97.177 host6.0zz0.com
– 64.15.129.80 www.resalah.0zz0.com
– 70.38.12.147 www10.0zz0.com
Sources used: http://www.google.com; threatexpert.com; bfk
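The expansion process shown on the two passive DNS slides above (exchange.likescandy.com and armyclub.net), together with the three problems from the indicator-transform slide, as an added example that is not the tooling used in the talk. The searches are the same two transforms applied alternately, domain -> IPs and IP -> domains, so the block below runs them breadth-first with a hop limit, an optional date cutoff (mappings change, so say which window you care about) and a cutoff on crowded addresses (which of several names do you want: on shared hosting, none of them). The record table is constructed: it reuses the names, addresses and dates from the exchange.likescandy.com slide; the youzzsun.ddns.info date and the unrelated names on 180.210.204.180 are assumptions added to exercise the filters.

```python
"""Expand an initial C2 indicator through passive DNS, both directions,
hop-limited and time-bounded.

Added example, not the tooling used on the SECURE 2012 slides.  PDNS is a
constructed table: it reuses the names and addresses from the
exchange.likescandy.com expansion slide; the youzzsun.ddns.info date and the
crowded shared-hosting names on 180.210.204.180 are assumptions added to
show the filters.
"""
from collections import defaultdict
from datetime import date

# (domain, observed date, ip)
PDNS = [
    ("exchange.likescandy.com", "2012-09-18", "108.171.193.92"),
    ("exchange.likescandy.com", "2012-09-12", "142.4.46.203"),
    ("exchange.likescandy.com", "2012-08-31", "180.210.204.180"),
    ("youzzsun.ddns.info", "2012-09-15", "108.171.193.92"),  # date assumed
    ("exchange.from-sc.com", "2012-09-09", "142.4.46.203"),
    ("aol.selfip.com", "2012-09-12", "142.4.46.203"),
    ("exchange.is-a-landscaper.com", "2012-09-09", "142.4.46.203"),
    ("ns18.doomdns.com", "2012-09-05", "142.4.46.203"),
]
# Assumed: 180.210.204.180 also hosts many unrelated names (shared hosting).
PDNS += [(f"site{i}.example.org", "2012-08-01", "180.210.204.180") for i in range(40)]


def _index(records, since=None):
    """Both transforms at once.  Passive data only: no live lookups that an
    adversary watching their own nameserver could notice.  `since` drops
    observations older than the window of interest."""
    cutoff = date.fromisoformat(since) if since else None
    d2i, i2d = defaultdict(set), defaultdict(set)
    for dom, seen, ip in records:
        if cutoff and date.fromisoformat(seen) < cutoff:
            continue
        d2i[dom].add(ip)
        i2d[ip].add(dom)
    return d2i, i2d


def history(domain, records):
    """Search #2 style view: every (date, ip) a name has resolved to, oldest first."""
    return sorted((seen, ip) for dom, seen, ip in records if dom == domain)


def expand(seed, records, max_hops=2, since=None, max_names_per_ip=10):
    """Breadth-first pivot: domain -> IPs -> domains -> ...  An IP carrying
    more than max_names_per_ip names is recorded but not pivoted through,
    since shared hosting would drag in unrelated infrastructure."""
    d2i, i2d = _index(records, since)
    domains, ips, skipped = set(), set(), set()
    frontier = {seed}
    for _ in range(max_hops):
        nxt = set()
        for node in frontier:
            if node in d2i:                       # domain -> ips
                domains.add(node)
                for ip in d2i[node] - ips:
                    ips.add(ip)
                    nxt.add(ip)
            elif node in i2d:                     # ip -> domains
                ips.add(node)
                if len(i2d[node]) > max_names_per_ip:
                    skipped.add(node)
                    continue
                for dom in i2d[node] - domains:
                    domains.add(dom)
                    nxt.add(dom)
        frontier = nxt
        if not frontier:
            break
    return {"domains": domains, "ips": ips, "skipped_ips": skipped}


if __name__ == "__main__":
    for since in (None, "2012-09-10"):
        r = expand("exchange.likescandy.com", PDNS, since=since)
        print("since", since, "->", sorted(r["domains"]), sorted(r["ips"]),
              "skipped", sorted(r["skipped_ips"]))
```

With no date cutoff the seed expands to all six names on the slide and three addresses, and the crowded 180.210.204.180 is listed but not pivoted through. With `since="2012-09-10"` only the mappings current around the incident survive, which is the answer to "what date/time are you interested in": the older ns18.doomdns.com and exchange.from-sc.com observations drop out.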
Some Cool Tools
• SWF Investigator (free Flash analysis tool from Adobe)
• IDA Free (disassembler)
• OllyDbg (debugger)
• All of the Microsoft Sysinternals tools
Thank you
• References:
– APWG
– SourceFire VRT
– John Boyd’s The Essence of Winning and Losing
– The Burton Matrix