Enriching Network Threat Data with Open Source Tools to Improve Monitoring

Transcription

1 Enriching Network Threat Data with Open Source Tools to Improve Monitoring SECURE 2012 XVI Conference on Telecommunications and IT Security October 2012

2 Knowledge is power Thomas Hobbes, 1658

3 Agenda Cyber Intelligence Network Monitoring Cyber Kill Chain Incident investigation Information/indicator gathering Processing Act on what you learned

4 Data, Information, Knowledge, Wisdom Connectedness Wisdom Knowledge Understanding Principles DATA Information Understanding Relationships Understanding Patterns Understanding

5 Cyber Intelligence Open Proprietary Public Domain Closed

6 Processes and Decision Making

7 Cyber Intelligence Questions Is action needed? What are the choices for action? Which is the best choice?

8 Look forward by looking backwards Range of different sources Phishing APWG Phishtank Vulnerability management and penetration testing Research In depth Security News

9 Before you Consume Open Intelligence The following are publically available lists of known bad IP addresses, DNS names and URLs howmdl.php ZeuS Tracker BruteForceBlocker VoIP Abuse Blacklist Malware Patrol ThreatExpert

10 Network Monitoring VPN Internet Sensor Sensor DMZ VOIP Internal Network Mail Web

11 New challenges in Network Monitoring VPN Internet Sensor Sensor DMZ VOIP Internal Network Mail 3G Internet Web 4G Internet

12 Cyber Kill Chain Reconnaissance Weaponization Delivery Exploitation Installation Command & Control Actions and Objectives Harvesting addresses, conference information, etc Coupling exploit with backdoor into deliverable payload Delivering weaponized bundle to the victim via , web, USB, etc Exploiting vulnerability to execute code on victim system Installing malware on the victim Installing malware on the victim With access to systems, intruders accomplish their goal

13 Phishing example Phishing Identify and stop User opens and clicks User awareness Compromise Patch

14 Characteristics for the investigator Network Data IP Addresses Domains URLs Behavior Content Host Data Code Files Behavior

15 Incident Investigation On Network Data Files Logs Observations Off Network Data Initial Access Point Subsequent Access Points Exfiltration Destinations Following the tail (infrastructure research) Not addressing the attribution component in this example

16 In the News

17 Follow on Twitter for news/updates Alfred Colin Shawn Pedram Debit Paul Shit My Logs Joshua J Travis Rodrigo malware Katie Handles Deviant Handles Adli Luigi David Dino A Dai Tavis Keith Judy Noah Secure Aaron Dancho

18 PasteBin is *valuable*! Take, for example, If confirmed, this would be from the person behind the recent attack on Saudi Aramco. It's got an open API, scrapers exist I would be mining it for important keywords if I were you.

19 Protecting the Network

20 The Role of DNS in Malware For example Bots resolve DNS names to locate their command and control servers Spam mails contain URLs that link to domains that resolve to scam servers.

21 DNS Root 1. sub.example.com? 5. SUB.EXAMPLE.COM = sub.example.com TLD Nameserver Workstation Authoritative

22 Indicator Transforms: IP-Domain/Domain-IP Potential Problems Which of several names/ip s do you want? Mappings change, what date/time are you interested in? What if the bad guys are watching for DNS lookups?

23 Fundamentals of Correlation Crime? Incident Source Artifact Methodology EVENT EVENT (Context) EVENT DomainURL, (Context) spam EVENT source, etc. Phishing CONTEXT URL, spam source, etc. Malicious URL, file hash, etc. ARTIFACT ARTIFACT IP Address + Timestamp IP Address ARTIFACT + Timestamp IP Address + Timestamp

24 The Expansion Process Most Recent i.e. 0-day Sept 14 Initial Indicator c2 exchange.likescandy.com Passive DNS Search # exchange.likescandy.com youzzsun.ddns.info PDNS Search #2 PDNS Search #3 exchange.likescandy.com exchange.likescandy.com exchange.likescandy.com exchange.from-sc.com aol.selfip.com exchange.is-a-landscaper.com ns18.doomdns.com exchange.likescandy.com

25 The Role of DNS in Malware By using DNS, they acquire the flexibility to change the IP address of the malicious servers that they manage Using domain names gives attackers the flexibility of migrating their malicious servers with ease.

26 Hard Coded Address Malware C2 Server

27 DNS Based C2 Server Address DNS Server Malware Example.com: Example.com C2 Server

28 The Role of DNS in Security Analysis Use passive DNS analysis techniques to detect domains that are involved in malicious activity. Look for names that change according to certain patterns. If the IP address of the command and control server is hard-coded into the bot binary, there exists a single point of failure for the botnet.

29 The Role of DNS in Security Analysis Mitigate Internet threats by identifying malicious domains that originate from sources such as botnets, phishing sites, and malware hosting services. Analysis of large enterprise data volumes, permits us to distinguish between benign and malicious domains

30

31

32

33 The Expansion Process Passive DNS Initial Indicator c2 armyclub.net Passive DNS Search # armyclub.net safeoil.net PDNS Search #2 PDNS Search #3 safeoil.net 4/14/ safeoil.net 4/14/ safeoil.net 4/14/ host.0zz0.com host5.0zz0.com host6.0zz0.com www10.0zz0.com threatexpert.com; bfk

34

35

36

37 Some Cool Tools SWFInvestigator (free Flash analysis from Adobe) IDA Free (disassembler) OllyDBG All of the MS SysInternals tools

38 Thank you References: APWG SourceFire VRT John Boyd s The Essence of Winning and Losing The Burton Matrix