Network Payload Analysis for Advanced Persistent Threats Charles Smutz, Lockheed Martin CIRT

Transcription

1 Network Payload Analysis for Advanced Persistent Threats Charles Smutz, Lockheed Martin CIRT /6/2010 1

2 About Speaker Name Background Current Job Employer Education Charles Smutz Sysadmin, Networking, C&A Lead Software Developer Lockheed Martin CIRT Pursuing PhD at GMU 2

3 Background Understanding of APT Persistent, Organized, Targeted CNE Typical APT Attack Sequence Importance of Threat Focused CND/Security Intelligence You ll have this by end of Summit 3

4 Topics Motivation Why do network payload analysis Suggestions for Capabilities What data to collect Importance of Normalized Payload Analysis Importance of Information Retrieval How to implement Capabilities COTS/FOSS Build Your Own 4

5 Why Network Analysis Important Data Source 4n6 and Detection Intertwined 4n6 identifies and vets indicators Detections feed 4n6 Facilitate Pre-Compromise Detection Strong Compliment to Host Analysis Complete Attack Sequence Analysis 5

6 Network Analysis Pros/Cons Benefits Passive nature limits impact to network Omniscience at network tap points Control over data retention Drawbacks Network forensics requires explicit data retention Encryption 6

7 Net vs. Host Compromise IR Predominately Host Predominately Network Detection Malware C2 Beacon Collection Artifacts Damage Assessment Host Logs, Memory Image, Disk Images Malware, (Deleted) Tools and Staged Data, Anything in Memory/Swap/Hyberfil Commands Passwords Lateral Movement Dropped Tools Exfilled Data Days/Weeks Network Logs, Packet Captures Full Command and Control Decodes Commands Passwords Lateral Movement Dropped Tools Exfilled Data Hours/Days 7

8 Beyond FPC FPC is expensive, unwieldy Strategies for Targeted Data Collection Network Transaction Logs Payload Collection Payload Metadata Information Retrieval For Accessibility 8

9 Network Transaction Logs Situational Awareness--Inbound of HTTP Requests Direct Attacks (SQL injection etc) Attacker Reconnaissance Options: Sift through FPC Collect, normalize, centralize all webserver logs Snarf and reconstruct web activity Lots of tools to do this Bro, Suricata, HTTPry, etc What about other protocols? 9

10 Attacks Moving Up Stack Document and Multimedia Viewers, Browsers 10

11 Attacks Moving Up Stack Users Highly Targeted Social Engineering Exploits 11

12 Attacks Moving Up the Stack From: Received: from open.relay.com ([ ]) by mx.company.com Received: from now.bad.com ([ ]) by mx.relay.com Date: Thu, 17 Jun :03: (PDT) Message-Id: X-Mailer: SillyMailer v3.14 Subject: All your Base are belong to us Please review attached. Edward Spoofed Spoofed Inc InfoKey: Creator InfoValue: Acrobat PDF Printer InfoKey: Author InfoValue: TK421 InfoKey: Producer InfoKey: ModDate InfoValue: D: '00' PdfID1: 8d23f593e67be992ff3470d PdfID0: 798f9d8e3966ac586a61dc0 for(fqchp=0;fqchp<inxnh;fqchp++) {dnysj[fqchp]=dtkrx + hjnoa;} if(ingmh){hsbsd();hsbsd();try {this.media.newplayer(null);} catch(e) {}hsbsd();} <Obfuscated Embedded Malware> 12

13 Attacks Moving up Stack from legitimate relay with Trojan Document Attachment Layer Protocol Badness Embedded Object Application Transport Internet Link PDF SMTP/MIME Spoofed Sender, Social Engineering TCP - IP - Ethernet - Exploit/Social Engineering, Malware 13

14 Indicators Moving Up Stack Users Useful Indicators 14

15 Indicators Moving Up the Stack 12:03: tcp > FIN From: Received: from open.relay.com ([ ]) by mx.company.com Received: from now.bad.com ([ ]) by mx.relay.com Date: Thu, 17 Jun :03: (PDT) Message-Id: X-Mailer: SillyMailer v3.14 Subject: All your Base are belong to us Please review attached. Edward Spoofed Spoofed Inc InfoKey: Creator InfoValue: Acrobat PDF Printer InfoKey: Author InfoValue: TK421 InfoKey: Producer InfoKey: ModDate InfoValue: D: '00' PdfID1: 8d23f593e67be992ff3470d PdfID0: 798f9d8e3966ac586a61dc0 for(fqchp=0;fqchp<inxnh;fqchp++) {dnysj[fqchp]=dtkrx + hjnoa;} if(ingmh){hsbsd();hsbsd();try {this.media.newplayer(null);} catch(e) {}hsbsd();} <Obfuscated Embedded Malware> 15

16 Targeted Collection and Analysis Web USB Targeted attacks warrant targeted data collection 16

17 Data Collection Options Basic Transaction Data Network Flow Data Full Packet Capture Normalized s Reassembled, Decoded, Indexed Extended Metadata Headers: Subject, X-Mailer, Received MIME Metadata: Names, Size, md5 Links Attachments (specific type?) Attachment Metadata: Author, Creator, Dates 17

18 Usability Is Nice 18

19 Tiered Collection Data Retention Length Size / Day Total Size FPC (entire network) 1 week 1 TB 7 TB Network Flow (entire network) 1 year 4 GB 1.5 TB Standard Mail Logs 2 year 50 MB 36 GB Normalized, Indexed s 6 weeks 20 GB 800 GB Extended Metadata 6 months 500 MB 100 GB Attachment Metadata 6 months 100 MB 20 GB 19

20 Accessibility Is Critical Rapid accessibility is critical: Historical Detections Identifying and vetting indicators Time to research an indicator matters 1s, 1 minute, 1 hour, 1 day? The faster you can research activity over large spans of time, the faster you ll build threat intelligence 20

21 From: Received: from open.relay1.com ([ ]) by mx.company.com Received: from now.bad.com ([ ]) by mx.relay.com Date: Mon, 28 Dec :48: Message-Id: X-Mailer: SillyMailer v3.14 <Malware 1.3> From: Received: from mx.openrelay2.com ([ ]) by mx.company.com Received: from now.bad.com ([ ]) by mail.openrelay2.com Date: Mon, 5 Mar :35: (PDT) Message-Id: < @mailer> X-Mailer: SillyMailer v3.14 <Malware 2.0> From: [email protected] Received: from relay.all.com ([ ]) by mx.company.com Received: from now.bad.com ([ ]) by mx.relay.com Date: Thu, 17 Jun :03: (PDT) Message-Id: < @mailer> X-Mailer: SillyMailer v3.14 <Malware 2.01> 21

22 Ultra Light Weight Indexing Rapidly Search Key Indicator Types IP addresses, Domains, etc Low Resolution Log Type: proxy, , etc Time: ~Day Per Device: proxy1, proxy2, proxy3 Huge Scope Time: indefinite retention Data Sources: All Performance Fast, << 1s response times 22

23 Ultra Light Weight Indexing Example search for : Data Type Source Date Indicator -metadata mx inbound-http sensor metadata mx

24 Implementing Payload Analysis Tools Passive Collection: Adapt an FPC Tail collection, filter normalize, extract Adapt an IDS Filter, normalize, extract, archive Inline Collection Milter, ICAP, etc Differences probably nuances, End goal is the same 24

25 Payload Analysis Issues Issues to be addressed: Latency Computational Expense Implementing Payload Specific Capabilities 25

26 Payload Analysis: Latency IDS/IPS bound by real time FPC provides on-demand data/processing (arbitrarily long) High Latency Analysis to be preformed (lookups) Payload analysis for 4n6 usually should be somewhere in between Usually no benefit to be quicker than minute For some applications slower than hour can slow down response Often daily processing makes sense 26

27 Payload Analysis: Complexity Expensive Tasks Decoding, decompression, etc Parsing, tokenizing, metadata extraction Normalized archival (buffer copies) Payload Identification Any inherently computationally expensive things Statistical analysis Compression Etc 27

28 Latency and Complexity Heavy Buffering 1 Gpbs * 60s = 7.5 GB RAM (dirt cheap) True Parallelism Load balancing needs to move up stack also Example later 28

29 Implementing Payload Specific Capabilities Use existing network capabilities Protocol Parsers Mime::Parser, etc Use payload capabilities Payload Analyzers pdftk, pdf-parser, Officecat, etc Use your in-house tools on extracted payloads Build network tools that work on objects (Abstraction) 29

30 Near Real Time IDS Platforms vortex (Lockheed Martin) Abstracts capture and TCP stream reassembly, simple method for multithreading snort-nrt (Sourcefire VRT) Commitment to payload analysis Ruminate (George Mason University) Focus on efficiency, scalability, completeness of parsing 30

31 Vortex Overview Captured Network Traffic Vortex Stream Management, Flow Control Libnids TCP Stream Reassembly Libpcap Stream Metadata (STDOUT) Analyzer Program Reads Metadata, Loads Stream Data, Analyzes, optionally Purges Stream Data Packet Capture/Filtering Stream Data File System 31

32 Vortex Multithreaded Captured Network Traffic Vortex Stream Metadata (STDOUT) Xpipes Load Balancing Analyzer Program Analyzer Program Analyzer Program Analyzer Program Stream Data File System 32

33 Conclusions Network Data is important source for 4n6 Strategies for Network Data Collection Conventional (netflow, logs, FPC) Targeted (playloads, payload metadata) Importance of data accessibility Normalization Search and Retrieval Ideas on Implementation 33

34 Questions? Personal Blog: 34

35 35

36 APT Attack Sequence Pre-Compromise Reconnaissance Weaponization Delivery Exploit Installation Reconnaissance Initial Intrusion Post-Compromise Command & Control Actions on Intent Establish Backdoor Obtain User Credentials Install Various Utilities Priv. Escalation, Lateral Move., Data Exfil. Maintain Persistance 36