Enriching Network Threat Data with Open Source Tools to Improve Monitoring


Enriching Network Threat Data with Open Source Tools to Improve Monitoring
SECURE 2012, XVI Conference on Telecommunications and IT Security, 22-24 October 2012

"Knowledge is power." Thomas Hobbes, 1658

Agenda
- Cyber Intelligence
- Network Monitoring
- Cyber Kill Chain
- Incident investigation
- Information/indicator gathering
- Processing
- Act on what you learned

Data, Information, Knowledge, Wisdom (figure: the DIKW hierarchy, with understanding growing as connectedness grows)
- Data
- Information: understanding relationships
- Knowledge: understanding patterns
- Wisdom: understanding principles

Cyber Intelligence (figure: sources classified along two axes, open vs. closed and public domain vs. proprietary)

Processes and Decision Making

Cyber Intelligence Questions
- Is action needed?
- What are the choices for action?
- Which is the best choice?

Look forward by looking backwards: a range of different sources
- Phishing: APWG, PhishTank
- Vulnerability management and penetration testing: https://community.rapid7.com/community/metasploit, http://www.exploit-db.com/
- Research: http://vrt-blog.snort.org/
- In-depth security news: http://krebsonsecurity.com/

Before you consume open intelligence: the following are publicly available lists of known bad IP addresses, DNS names and URLs
- http://labs.snort.org/iplists/
- http://www.openbl.org/
- http://www.malwareblacklist.com/showmdl.php
- http://malc0de.com/database/
- ZeuS Tracker
- BruteForceBlocker
- http://support.clean-mx.de/cleanmx/viruses
- VoIP Abuse Blacklist
- Malware Patrol
- ThreatExpert

Network Monitoring (figure: sensors on the Internet and VPN links in front of the DMZ, VoIP, internal network, mail and web segments)

New challenges in Network Monitoring (figure: the same network with 3G Internet and 4G Internet connections added)

Cyber Kill Chain
- Reconnaissance: harvesting email addresses, conference information, etc.
- Weaponization: coupling exploit with backdoor into deliverable payload
- Delivery: delivering weaponized bundle to the victim via email, web, USB, etc.
- Exploitation: exploiting vulnerability to execute code on victim system
- Installation: installing malware on the victim
- Command & Control
- Actions and Objectives: with access to systems, intruders accomplish their goal

Phishing email example
Phishing email -> user opens and clicks -> compromise
Countermeasure at each step: identify and stop the email; user awareness; patch

Characteristics for the investigator
- Network data: IP addresses, domains, URLs, behavior, content
- Host data: code, files, behavior

Incident Investigation
- On-network data: files, logs, observations
- Off-network data: initial access point, subsequent access points, exfiltration destinations
- Following the tail (infrastructure research)
- Not addressing the attribution component in this example

In the News

Follow on Twitter for news/updates
- Alfred Huger @alhuger
- Colin Grady @ColinGrady
- tropism:group @tropismgroup
- egyp7 @egyp7
- Shawn Webb @lattera
- Pedram Amini @pedramamini
- Debit Card @NeedADebitCard
- Paul Asadoorian @pauldotcom
- Shit My Logs Say @ShitMyLogsSay
- enirx @enirx
- Mikko Hypponen @mikko
- Joshua J Drake @jduck1337
- Travis Goodspeed @travisgoodspeed
- Rodrigo Branco @bsdaemon
- malware group @malwaregroup
- Katie Moussouris @k8em0
- M4g1c5t0rM @M4g1c5t0rM
- Deviant Ollam @deviantollam
- Adli Wahid @adliwahid
- briankrebs @briankrebs
- Luigi Auriemma @luigi_auriemma
- David Litchfield @dlitchfield
- adamjodonnell @adamjodonnell
- Dino A Dai Zovi @dinodaizovi
- Tavis Ormandy @taviso
- shftleft @shftleft
- dragosr @dragosr
- halvarflake @halvarflake
- Keith Myers @KeithMyers
- Judy Novak @judy_novak
- Noah Everett @noaheverett
- Secure Tips @SecureTips
- Aaron Portnoy @aaronportnoy
- Dancho Danchev @danchodanchev

PasteBin is *valuable*! Take, for example, http://pastebin.com/ctjeetat. If confirmed, this would be from the person behind the recent attack on Saudi Aramco. It has an open API and scrapers exist; I would be mining it for important keywords if I were you.

Protecting the Network

The Role of DNS in Malware. For example: bots resolve DNS names to locate their command and control servers; spam mails contain URLs that link to domains that resolve to scam servers.

(figure: DNS resolution of sub.example.com; step 1, the workstation asks for sub.example.com; the resolver walks the root, the TLD nameserver (step 3) and the authoritative nameserver; step 5, the answer SUB.EXAMPLE.COM = 1.2.3.4 is returned)

Indicator Transforms: IP to Domain / Domain to IP. Potential problems:
- Which of several names/IPs do you want?
- Mappings change: what date/time are you interested in?
- What if the bad guys are watching for DNS lookups?

Fundamentals of Correlation (figure: crime? -> incident -> source -> artifact -> methodology; an EVENT carries CONTEXT such as phishing, a domain/URL or a spam source, and ARTIFACTS such as a malicious URL, a file hash, or an IP address plus timestamp)

The Expansion Process (most recent, i.e. 0-day, Sept 14)
Initial indicator: C2 exchange.likescandy.com, 108.171.193.92
Passive DNS search #1 (names seen on 108.171.193.92): exchange.likescandy.com; youzzsun.ddns.info
PDNS search #2 (history of exchange.likescandy.com): 2012-09-18 108.171.193.92; 2012-09-12 142.4.46.203; 2012-08-31 180.210.204.180
PDNS search #3 (names seen on 142.4.46.203): 9-9-12 exchange.from-sc.com; 9-12-12 aol.selfip.com; 9-9-12 exchange.is-a-landscaper.com; 9-5-12 ns18.doomdns.com; 9-12-12 exchange.likescandy.com
Source: http://labs.alienvault.com/labs/index.php/2012/the-connection-between-the-plugx-chinese-gang-and-the-latest-internet-explorer-zeroday/

The Role of DNS in Malware. By using DNS, attackers acquire the flexibility to change the IP address of the malicious servers they manage; using domain names lets them migrate their malicious servers with ease.

Hard-coded address (figure: the malware carries the C2 server address 192.0.43.10 directly)

DNS-based C2 server address (figure: the malware asks a DNS server for Example.com, receives 192.0.43.10, and connects to that C2 server)

The Role of DNS in Security Analysis Use passive DNS analysis techniques to detect domains that are involved in malicious activity. Look for names that change according to certain patterns. If the IP address of the command and control server is hard-coded into the bot binary, there exists a single point of failure for the botnet.

The Role of DNS in Security Analysis. Mitigate Internet threats by identifying malicious domains that originate from sources such as botnets, phishing sites, and malware hosting services. Analysis of large enterprise data volumes permits us to distinguish between benign and malicious domains.

The Expansion Process: Passive DNS
Initial indicator: C2 armyclub.net, 108.174.52.164
Passive DNS search #1: 124.207.179.120 armyclub.net; 108.174.53.11 safeoil.net
PDNS search #2 (history of safeoil.net): 4/14/2012 173.192.221.44; 4/14/2012 201.144.18.196; 4/14/2012 221.194.146.109
PDNS search #3: 64.15.129.80 host.0zz0.com; 174.142.97.176 host5.0zz0.com; 174.142.97.177 host6.0zz0.com; 64.15.129.80 www.resalah.0zz0.com; 70.38.12.147 www10.0zz0.com
Sources: http://www.google.com; threatexpert.com; bfk
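The two expansion slides above describe the same pivot: name to IPs, IPs to other names, repeated a few hops. The following is an added example, not code from the talk, that implements that pivot in Python over a small passive DNS record set transcribed from the first expansion slide (the youzzsun.ddns.info date is assumed). The `since` and `max_fanout` knobs are assumptions of this example that address two of the indicator-transform problems raised earlier: mappings change over time, and a shared IP returns many names you do not want.

```python
from collections import defaultdict

# Constructed passive-DNS records (first seen as ISO date, name, IP) taken from
# the PlugX expansion slide; the youzzsun.ddns.info date is assumed.
PDNS = [
    ("2012-09-18", "exchange.likescandy.com", "108.171.193.92"),
    ("2012-09-12", "exchange.likescandy.com", "142.4.46.203"),
    ("2012-08-31", "exchange.likescandy.com", "180.210.204.180"),
    ("2012-09-14", "youzzsun.ddns.info", "108.171.193.92"),
    ("2012-09-09", "exchange.from-sc.com", "142.4.46.203"),
    ("2012-09-12", "aol.selfip.com", "142.4.46.203"),
    ("2012-09-09", "exchange.is-a-landscaper.com", "142.4.46.203"),
    ("2012-09-05", "ns18.doomdns.com", "142.4.46.203"),
]

def build_index(records, since=None, max_fanout=50):
    """Index name->IPs and IP->names. Records first seen before `since` (ISO
    date string, compared lexically) are ignored because mappings change, and
    IPs carrying more than `max_fanout` names are flagged as noisy: shared
    hosting or sinkholes would otherwise drag unrelated domains into the set."""
    name_to_ips, ip_to_names = defaultdict(set), defaultdict(set)
    for seen, name, ip in records:
        if since is None or seen >= since:
            name_to_ips[name].add(ip)
            ip_to_names[ip].add(name)
    noisy = {ip for ip, names in ip_to_names.items() if len(names) > max_fanout}
    return name_to_ips, ip_to_names, noisy

def expand(seed, records, depth=3, since=None, max_fanout=50):
    """Breadth-first pivot from a seed: name -> IPs -> names -> IPs ...
    Returns {indicator: hop count} for everything reached within `depth`."""
    name_to_ips, ip_to_names, noisy = build_index(records, since, max_fanout)
    hops, frontier = {seed: 0}, [seed]
    for hop in range(1, depth + 1):
        nxt = []
        for ind in frontier:
            if ind in noisy:
                continue  # the noisy IP is recorded, but never pivoted through
            for linked in name_to_ips.get(ind, set()) | ip_to_names.get(ind, set()):
                if linked not in hops:
                    hops[linked] = hop
                    nxt.append(linked)
        frontier = nxt
    return hops

def history(name, records):
    """Resolution history of one name, newest first (the slide's PDNS search #2)."""
    return sorted(((seen, ip) for seen, n, ip in records if n == name), reverse=True)
```

Running `expand("exchange.likescandy.com", PDNS)` reaches the three historical IPs at hop 1 and the five sibling names at hop 2; lowering `max_fanout` to 1 stops the pivot at the IPs, and `since="2012-09-10"` drops the older names.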

Some Cool Tools
- SWFInvestigator (free Flash analysis from Adobe)
- IDA Free (disassembler)
- OllyDbg
- All of the Microsoft Sysinternals tools

Thank you
References: APWG; Sourcefire VRT; John Boyd's "The Essence of Winning and Losing"; the Burton Matrix