Analyzing Targeted Attacks through Hiryu An IOC Management and Visualization Tool. Hiroshi Soeda Incident Response Group, JPCERT/Coordination Center

Similar documents
DRIVE-BY DOWNLOAD WHAT IS DRIVE-BY DOWNLOAD? A Typical Attack Scenario


Security Intelligence Services.

Security Provider Integration Kerberos Authentication

Big Data in Action: Behind the Scenes at Symantec with the World s Largest Threat Intelligence Data

Eight Essential Elements for Effective Threat Intelligence Management May 2015

Performing Advanced Incident Response Interactive Exercise

Concierge SIEM Reporting Overview

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

UNMASKCONTENT: THE CASE STUDY

Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?

SECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION

RSA Security Anatomy of an Attack Lessons learned

For more information on SQL injection, please refer to the Visa Data Security Alert, SQL Injection Attacks, available at

GOOD GUYS VS BAD GUYS: USING BIG DATA TO COUNTERACT ADVANCED THREATS. Joe Goldberg. Splunk. Session ID: SPO-W09 Session Classification: Intermediate

SolarWinds Log & Event Manager

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

Speaker Info Tal Be ery

Log Analysis: Overall Issues p. 1 Introduction p. 2 IT Budgets and Results: Leveraging OSS Solutions at Little Cost p. 2 Reporting Security

DYNAMIC DNS: DATA EXFILTRATION

Guidelines for Web applications protection with dedicated Web Application Firewall

RSA Security Analytics

Practical Threat Intelligence. with Bromium LAVA

Enterprise Security Critical Standards Summary

A perspective to incident response or another set of recommendations for malware authors

Next Generation IPS and Reputation Services

Practice Good Enterprise Security Management. Presented by Laurence CHAN, MTR Corporation Limited

WildFire Reporting. WildFire Administrator s Guide 55. Copyright Palo Alto Networks

Unknown threats in Sweden. Study publication August 27, 2014

Security Analytics for Smart Grid

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

PineApp Surf-SeCure Quick

05 June 2015 A MW TLP: GREEN

MySQL Security: Best Practices

Where every interaction matters.

Running the SANS Top 5 Essential Log Reports with Activeworx Security Center

All Information is derived from Mandiant consulting in a non-classified environment.

Cymon.io. Open Threat Intelligence. 29 October 2015 Copyright 2015 esentire, Inc. 1

The MANTIS Framework Cyber-Threat Intelligence Mgmt. for CERTs Siemens AG All rights reserved

Configure Cisco Unified Customer Voice Portal

Deep Discovery. Technical details

Threat Intelligence: STIX and Stones Will Break Your Foes

Separating Signal from Noise: Taking Threat Intelligence to the Next Level

Speed Up Incident Response with Actionable Forensic Analytics

Security & Threat Detection: Go Beyond Monitoring

Network Monitoring using MMT:

ClearSkies SIEM Security-as-a-Service (SecaaS) Infocom Security Athens April 2014

Detecting Unknown Malware: Security Analytics & Memory Forensics. Fahad Ehsan. Cyber Security #RSAC

After the Attack: RSA's Security Operations Transformed

Phishing and Banking Trojan Cases Affecting Brazil

Advancements in Botnet Attacks and Malware Distribution

Secret Server Qualys Integration Guide

Operation Liberpy : Keyloggers and information theft in Latin America

SHARING THREAT INTELLIGENCE ANALYTICS FOR COLLABORATIVE ATTACK ANALYSIS

Why You Need to Detect More Than PtH. Matt Hathaway, Senior Product Manager, Rapid7 Jeff Myers, Lead Software Engineer, Rapid7

Things To Do After You ve Been Hacked

Theory and Practice of Cyber Threat-Intelligence Management Using STIX and CybOX Siemens AG All rights reserved

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

Configuration Information

Smart Card Authentication. Administrator's Guide

CryptoLocker la punta dell iceberg, impariamo a difenderci dagli attacchi mirati. Patrick Gada 18 March 2015 Senior Sales Engineer

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Cyber Security Summit 2015

Sophisticated Indicators for the Modern Threat Landscape: An Introduction to OpenIOC

WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide

Installing and Configuring vcloud Connector

This report is a detailed analysis of the dropper and the payload of the HIMAN malware.

Memory Forensics & Security Analytics: Detecting Unknown Malware

Protecting the Infrastructure: Symantec Web Gateway

Targeted Intrusion Remediation: Lessons From The Front Lines. Jim Aldridge

Active Response: Automated Risk Reduction or Manual Action?

August 2014 Release Notes Version

NASA Consolidated Active Directory Overview ( August 20, 2012 ) Les Chafin Infrastructure Engineering HPES

Protecting Your Data From The Inside Out UBA, Insider Threats and Least Privilege in only 10 minutes!

Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com

THE 2014 THREAT DETECTION CHECKLIST. Six ways to tell a criminal from a customer.

PART D NETWORK SERVICES

Automate the Hunt. Rapid IOC Detection and Remediation WHITE PAPER WP-ATH

VISA SECURITY ALERT December 2015 KUHOOK POINT OF SALE MALWARE. Summary. Distribution and Installation

Centralized Oracle Database Authentication and Authorization in a Directory

Secure Your Mobile Workplace

Threat Intelligence for Dummies. Karen Scarfone Scarfone Cybersecurity

PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management

All about Threat Central

Altiris IT Analytics Solution 7.1 SP1 from Symantec User Guide

Cyber Security Metrics Dashboards & Analytics

NSi Mobile Installation Guide. Version 6.2

The Third Rail: New Stakeholders Tackle Security Threats and Solutions

Transcription:

Analyzing Targeted Attacks through Hiryu An IOC Management and Visualization Tool Hiroshi Soeda Incident Response Group, JPCERT/Coordination Center

Agenda 1. Advanced attacks specifically targeting Japanese organizations APT Campaigns Getting IOC Motivation to Develop a Tool 2. Development of the tool Components Structure 3. Introducing Hiryu Web UI Import/Export Data Visualization 2

1. ADVANCED ATTACKS SPECIFICALLY TARGETING JAPANESE ORGANIZATIONS 3

APT Campaign (1) Cloudy Omega (Symantec) / Blue Termite (Kaspersky) Various targets Government, Defence industry, Energy sector, Think tank, Media TTP Before intrusion Malware called Emdivi used Malware attached emails disguising medical bill notifications Drive-by download attacks After intrusion Steal domain administrator s account Active directory privilege escalation Kerberos KDC vulnerability (MS14-068) Behavior Gather information from network Exfiltration Using password protected RAR file Domain credentials, sensitive information 4

APT Campaign (2) Winnti (Kaspersky) / Axiom (Novetta) Target TTP Online gaming company Pharmaceutical industry Use malware signed by legitimate code signing certificates Register a task to install malware on the server Create a service to activate the malware and execute Behavior Steal code signing certificates Steal information 5

Getting IOC Victim Organization Firewall logs: -IP address of Source & Destination Proxy server logs: -IP address of Source (& Destination) -Destination URL C2 has: -Malware -Information of victim DNS server logs: -IP address of client -Query Access to C2 Query Connect Malware has: -C2 information Infected PC has: -Malware -Event log 6

Motivation to Develop a Tool Organizing information What types of malware are used in which attacks Correlation among IOCs in different incidents Overall picture of attack campaigns Collecting public information Need to organize IOCs published in blogs/reports by security vendors, as they sometimes link to the incidents Need to sort out attack groups and campaigns that are named uniquely by different security vendors 7

2. DEVELOPMENT OF THE TOOL 8

Components Django Web application framework vis.js Visualization library Neo4j (Optional) Graph Database Python modules pythonwhois ipwhois Py2neo for domain whois for ip whois Neo4j client library ioc_writer export IOC as OpenIOC format python-stix export IOC as STIX format 9

Neo4j Graph DB stores Nodes and Relations Using Cypher query language 10

Structure (1) Node Components include Relation Host name Domain name IP address Organization Malware (hash) File name Relation of Nodes Host name tied to IP address Organization tied to IP address Host name tied to domain name Malware connecting to IP address Multiple Properties can be registered to Nodes/Relations Property Combination of an arbitrary key and value e.g. Property of malware A Node md5: sha1: sha256: type: HTTP bot Relation B Property key1:value A key2:value B 11

Structure (2) Cluster Includes SubClusters e.g. Campaign name APT-x Operation X Data source SubCluster Include Nodes/Relations e.g. Incident Communication with C2 Malware attached emails System s ticket 12

3. INTRODUCING HIRYU 13

Cluster 14

SubCluster(1) 15

SubCluster(2) 16

Additional Processing of Nodes Additional processing is performed when registering a specific type of Node Register host name Extracts domain names Searches whois for the domain name Extracts registrant s email address from whois results DNS lookup for IP address Searches whois for the IP address Extracts organization name from whois results Hostname parse Domain whois Registrant lookup IP Address whois Organization 17

Schema 18

Import/Export Data CSV Able to import/export Node, Relation, Cluster, SubCluster Neo4j Able to push/pull Need to register an Index (a combination of the Node s label and main key) to import data OpenIOC Need a table of how OpenIOC terms and Index correspond STIX Able to import/export the following data Host name, Domain name, IP address 19

OpenIOC/STIX Correspondence Table Hiryu OpenIOC STIX & CybOX SubCluster metadata report:header name short_description Title description description Description Node Index term Cybox:Object Label Key IP address PortItem/remoteIP AddressObj Host name DnsEntryItem/Host HostnameObj Domain name - DomainNameObj 20

Visualization IP address Malware Registrant Domain Hostname Filename Organization 21

Visualization 22

ToDo Improve import/export of OpenIOC, STIX Currently, only limited data can be imported from STIX Import/Export is irreversible Implement a new feature on incident response timeline Record date/time and events A suspicious file created on the server A suspicious communication performed from the server May be achieved to a certain extent by adding time information to the Relations field Some events may be difficult to fit in Relations Received a malware sample from victim organization Reported analysis results to victim organization 23

Thank you for your attention My email address hiroshi.soeda@jpcert.or.jp Repository of Hiryu https://github.com/s03d4-164/hiryu Incident report notifications info@jpcert.or.jp 24

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information