When prevention FAILS: Extending IR and Digital Forensics to the corporate network Ismael Valenzuela
# whoami Global ICT Security Manager at isoft, a CSC company SANS Community Instructor for Intrusion Detection In- Depth & Computer Forensics tracks CISSP, CISM, SANS GCFA, GCIA, GPEN, GWAPT, GCWN, IRCA 27001 LA, ITIL Certified Member of SANS Advisory Board & contributor for the SANS Forensic Blog http://blog.ismaelvalenzuela.com twitter: @aboutsecurity
> Do you have a Canary in your network? Famously used by miners to test the purity of the air. They'd take up to 3 canaries in a cage. If one showed signs of distress or died, it indicated dangerous levels of carbon monoxide and/or methane. Our networks are also at risk, but many haven't adopted the modern-day canary. What is this? How can it help you? Where do you place them?
Security is like dodge ball. You can avoid losing if you're not targeted, but you're done if the opponent decides you're the next victim. - Richard Bejtlich [insert company name here] announced today that it was a victim of a targeted attack that may have compromised the personal credentials of [number] of customers and stolen IP property related to their [insert product here]
The reality is that the motives for each attack have been different, but they all share something in common: The perpetrators wanted access to the company's crown jewels.
> Phase 1: Initial Compromise Once malware is created, typically using a 0-day exploit, you can be a victim of several campaigns: Pay per install, based on geography, quota system, etc... Targeted campaigns (who you are, your role, your IP address...) The distributor of malware can be working on multiple campaigns at the same time! It all starts with an initial infection: Fake AV alert, Bogus LinkedIn invites, email attachments, phishing campaigns, USB drives, etc...
But users will not click on malicious LINKS!! right?? They're told not to do so!!
Now, seriously, MY USERS WON'T CLICK ON ANYTHING!!
http://blog.ismaelvalenzuela.com/2009/01/26/embassy-of-india-in-spain-found-serving-remote-malware-through-iframe-attack/
> Phase 2: Remote Access The dropper disables local security, prevents updates/patches and learns about the machine. It then contacts an updater to report status and downloads a RAT or bot agent, which starts communicating with CnC portals through CnC proxies for remote access and control. e.g. RSA breach: Poison Ivy (PI-RAT) performs a reverse connection from the client to TCP port 3460 on the CnC server
> Phase 3: Exfiltration Attackers then move laterally towards other internal resources in search of the crown jewels. Data is acquired from target servers and staged for exfiltration (e.g. compressed and password protected). Data is exfiltrated via HTTP or FTP to an outside staging server
> Common Patterns Limited AV detection Use of common TCP/IP ports, process injection and persistence of rootkits Will only initiate outbound connections!
> DEMO: Metasploit + Op Aurora + Prablinha Educational Botnet http://itsm3.com/aplicaciones/prablinha/
> What are you looking for?? Unless you're filtering and monitoring your outbound connections, you'll never be able to detect the indicators generated by these attacks.
> So you're telling me that... Attackers have more resources than us The enemy can evade AV, IDS and under-equipped incident responders We're all TARGETS: Government, Military, Organizations, home users... Sooner or later: ASSUME you'll get P0wned!
So WHEN I'm P0wned, WHAT IS LEFT? Detect ASAP Find out WHAT happened What is the extent of the damage Recover and apply LESSONS LEARNT
> But if I have all this... Proxies Firewalls Host-based Intrusion Detection Systems (HIDS) Network-based Intrusion Detection Systems (NIDS) Network-based Intrusion Prevention Systems (NIPS)
> Firewalls Completely useless to prevent attacks against vulnerable services opened to the Internet Can log both authorized and unauthorized access, but they're usually configured to log DENIED traffic only Typically configured to filter INBOUND traffic only, missing any other traffic behind the perimeter.
> IDS Far from being dead as Gartner predicted in 2003, IDS are still a key element of a defense in-depth strategy Essentially, they inspect packets at various levels of the TCP/IP layer, including headers and content. To do so, they must implement protocol decoders Based on signatures or behavioral analysis, they can detect anomalies in the application, transport, network and even link layer in some cases
> IDS But... What if the protocol used in the attack is not a standard one? What if the connection is encrypted? And what if the attacker is using a 0-day exploit for which there is no signature available yet? Can you distinguish between a false positive and a false negative?
> IPS The new best-seller of all security vendors is nothing but... an IDS + Firewall!! We call that an Application Layer Firewall. The rest is just marketing speech. Like its IDS sibling, it's unable to stop attacks for which there are no signatures or rules. It's enough to stop common, non-targeted attacks, but no more than that
> Looking beyond the obvious You should be able to collect and identify indicators and warnings that characterize intrusions, looking beyond AV and IDS, and integrating: Information at NETWORK level Information at HOST level Collect and examine the traffic traversing your network (headers + content), files, emails and even the physical RAM of your systems.
> The machine vs The Analyst Our fight is not against machines, code or applications. It's against human intelligence. We need methods and tools that can integrate with the way of thinking, the methods and the abilities of those responsible for defending our organizations: the security analysts. What information does the analyst need in order to make the right decisions during the IR and postmortem (forensics) phase?
> CSI: Assume Nothing Collect FULL evidence from the crime scene Identify the clues and indicators that will limit the scope of the investigation (who knew the victim, who he talked with...) Detect false trails left by the attacker
> Network Security Monitoring
> NSM In 2002, Bamm Visscher and Richard Bejtlich defined NSM as the collection, analysis and escalation of indications and warnings to detect and respond to intrusions. It's a key element in the foundation of a SOC. Process: All traffic -> Collection -> Observed traffic -> Identification -> Events -> Validation -> Indicators and warnings -> Escalation -> Incidents
> NSM NSM is a methodology, not a product! NSM relies upon four forms of traffic-centric data: Statistical data Session data Alert data Full content data These will provide you the canaries you need to detect, react and recover from APT
> Statistical data Provides analysis of protocols and their distribution, obtaining statistics from all generated data: bandwidth consumed, number of packets sent/received, average size of packets, etc. Available tools: wireshark, tcpstat, capinfos, etc...
> Session data Provides a record of connection pairs and conversations between two hosts. Information captured includes: Source and destination IP address Source and destination port Available tools: argus, sancp, netflow
> Alerts Alert data originates in an IDS that generates warnings or intrusion indicators, which can be correlated with the rest of the data available to verify an incident. Available tools: snort, bro-ids, prelude, and other IDS.
> Full content data Captures every bit of traffic going through a network segment. Data is archived for forensic and investigative purposes (it is admissible as evidence). While a computer forensic analyst needs bit-by-bit copies or images of a hard disk for further investigation, a network forensic analyst requires full packet network capture, bit by bit, for later investigation. Available tools: tcpdump, windump, Wireshark, snort (in sniffer mode).
> Tcpdump tcpdump -n -i eth0 -s0 -w capture.pcap -n to disable IP and port number resolution -i eth0 to set the network interface (tcpdump will see all traffic going through that NIC) -s0 to capture whole packets instead of truncating them at the default snaplen -w capture.pcap to dump the output of tcpdump to disk in binary format (pcap)
> NSM Methodology The analyst sees an alert in SGUIL and uses a SQL query to see if the same alert has been triggered on other systems. The query returns only one alert. The analyst queries the SGUIL database again to check all TCP sessions related to the alert. There are FTP sessions in the results. The analyst reconstructs the FTP sessions out of the full packet traces captured on the SGUIL sensor and sees that a backdoor has been installed. Now the analyst can investigate other sessions related to the evidence found.
> NSM tools: SGUIL Available at www.sguil.net Implements most of the NSM philosophy in an open source platform 3-tier architecture: client, server and sensors Still in Beta, but the project is not dead (v 0.8) GUI in Tcl/Tk for Unix/Linux/Windows and OS X Server runs on Unix/Linux only
> Sensor components IDS (Snort) Barnyard to decouple output overhead from Snort IDS rules: Sourcefire VRT, Bleeding Threats or user-developed rules. I used to recommend the use of IDS Policy Manager for Windows. It's now a dead project... Use Pulled Pork on Linux instead Session data (SANCP) Records who talks to whom, start & end times, the number of bytes and the number of packets transferred
> Sensor components Full packet captures (Snort) pcap binary format; can be read with tcpdump, wireshark, etc. Needs LOTS of disk space Automatically manages available storage (packet dumps rotation) Data retention varies by traffic observed and size of storage area
> Server components Sguil daemon (sguild) Accepts connections from clients Coordinates client requests with sensor data and MySQL DB MySQL DB IDS alerts Session information and misc. related data
> Server components SQL queries against network security data are a HUGE benefit for the analyst as they: Greatly speed up routine investigations Make it easier to confirm/deny reports from external sources Are great for statistical anomaly detection and trend analysis Allow us to capture metrics and generate reports
> Data flow Sensors collect data from the IDS (alerts) and SANCP (session) Data is forwarded to the central server where it's inserted into the MySQL database The IDS alerts can be sent via email/pager if necessary (and if sensors are well tuned!) Once alerts are sent, they disappear from the sensor Full packet traces are always stored on sensors. The server requests these only when needed.
> Other characteristics Whois, reverse DNS and port-related information with Dshield Communication with the analyst team Generation of transcripts Integration with Wireshark and Nessus Reports Escalation and categorization of events
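The query-driven workflow of the NSM Methodology slide (alert across sensors, then related sessions, then the FTP sessions to reconstruct from pcap), as an added example that is not part of the original deck or of Sguil. The schema, sample alert and session rows are all constructed here; they only mimic the shape of per-sensor alerts and SANCP session records, not Sguil's real tables.

```python
import sqlite3
from datetime import datetime, timedelta

# Hypothetical, simplified schema modelled on the workflow above (per-sensor alerts
# plus SANCP-style session records); it is NOT Sguil's real database layout.
SCHEMA = """
CREATE TABLE event (sid INTEGER, sensor TEXT, ts TEXT, signature TEXT, src_ip TEXT, dst_ip TEXT);
CREATE TABLE sancp (sid INTEGER, sensor TEXT, start TEXT, stop TEXT, src_ip TEXT, src_port INTEGER,
                    dst_ip TEXT, dst_port INTEGER, src_bytes INTEGER, dst_bytes INTEGER);
"""
FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data: one alert on sensor "dmz" and the sessions seen around it.
EVENTS = [(1, "dmz", "2011-03-01 10:00:05", "EXAMPLE Possible RAT check-in",
           "10.1.1.20", "203.0.113.9")]
SESSIONS = [
    (1, "dmz", "2011-03-01 10:00:01", "2011-03-01 10:00:09", "10.1.1.20", 50123, "203.0.113.9", 3460, 812, 5120),
    (1, "dmz", "2011-03-01 10:02:30", "2011-03-01 10:04:00", "10.1.1.20", 50140, "203.0.113.9", 21, 1100, 900),
    (1, "dmz", "2011-03-01 10:02:35", "2011-03-01 10:03:55", "10.1.1.20", 50141, "203.0.113.9", 20, 12, 734000),
    (2, "lan", "2011-03-01 09:00:00", "2011-03-01 09:00:02", "10.1.1.33", 44000, "198.51.100.4", 80, 500, 2400),
]

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO event VALUES (?,?,?,?,?,?)", EVENTS)
    conn.executemany("INSERT INTO sancp VALUES (?,?,?,?,?,?,?,?,?,?)", SESSIONS)
    return conn

def alert_counts_by_sensor(conn, signature):
    """Step 1: has the same signature fired on other sensors?"""
    rows = conn.execute("SELECT sensor, COUNT(*) FROM event WHERE signature = ? GROUP BY sensor",
                        (signature,))
    return dict(rows.fetchall())

def sessions_around_alert(conn, src_ip, dst_ip, ts, minutes=5):
    """Step 2: every session between the two hosts within +/- minutes of the alert."""
    t = datetime.strptime(ts, FMT)
    lo = (t - timedelta(minutes=minutes)).strftime(FMT)
    hi = (t + timedelta(minutes=minutes)).strftime(FMT)
    rows = conn.execute("SELECT start, src_port, dst_port, src_bytes, dst_bytes FROM sancp "
                        "WHERE src_ip = ? AND dst_ip = ? AND start BETWEEN ? AND ? ORDER BY start",
                        (src_ip, dst_ip, lo, hi))
    return rows.fetchall()

def ftp_sessions(sessions):
    """Step 3: the FTP control/data sessions worth reconstructing from the full pcap."""
    return [s for s in sessions if s[2] in (20, 21)]
```

The session query is the pivot the slide describes: the alert alone says little, but the FTP control and data sessions that follow it (with most bytes flowing back to the client) are what justify pulling the full packet traces from the sensor.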
> Sguil DEMO with SecurityOnion http://securityonion.blogspot.com/
> Where do I put the canaries? Collect evidence at critical points: Watch Egress traffic Watch DNS traffic (DNS sinkholes) Watch Proxy traffic
> Challenges Lots of data generated: Use of Splunk for cross-correlation Lack of IDS signature: Importance of multiple detection methods (i.e. statistical, host-based, etc...) Encryption: Look at data flows (i.e. netflow) Malware using IP addresses or built-in DNS servers: allow outbound queries only from corporate DNS While network canaries aren't perfect, they have a valuable role as part of a layered defense-in-depth
> References http://taosecurity.blogspot.com http://geek00l.blogspot.com http://infosecpotpourri.blogspot.com Mandiant M-Trends: http://blog.mandiant.com/archives/720 Shadows in the Cloud: http://shadows-in-the-cloud.net/ The Tao of Network Security Monitoring, Richard Bejtlich, Addison-Wesley; July 2004 (available at http://www.taosecurity.com/books.html) Assessing Outbound Traffic to Uncover Advanced Persistent Threat (available at http://www.sans.edu/) Advanced Malware, APTs and Targeted Attacks (http://www.damballa.com/) George Kurtz's blog at http://blogs.mcafee.com/author/georgekurtz
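The three canary placements (egress, DNS, proxy) and the Challenges slide's flow-based answers to encryption and rogue DNS, as an added example that is not part of the original deck. It runs flow-level checks over constructed netflow/SANCP-style session records; the corporate resolver addresses, the internal range, the permitted egress ports and the upload threshold are assumptions stated as constants.

```python
import ipaddress

# Assumptions for this constructed example: the corporate resolvers, the internal range
# and the egress ports the proxy/firewall policy expects are stated here as constants.
CORPORATE_DNS = {"10.1.0.5", "10.1.0.6"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
ALLOWED_EGRESS_PORTS = {80, 443, 21}
EXFIL_BYTES = 50_000_000          # upload volume that should never leave without a ticket

# Constructed session records in the shape of netflow/SANCP output:
# (start, proto, src_ip, src_port, dst_ip, dst_port, bytes_from_src)
FLOWS = [
    ("10:00:01", "udp", "10.1.1.20", 51000, "10.1.0.5",     53,   80),          # corporate resolver
    ("10:00:02", "udp", "10.1.1.21", 51001, "192.0.2.53",   53,   75),          # resolver bypass
    ("10:00:03", "tcp", "10.1.1.22", 51002, "203.0.113.9",  3460, 900),         # odd egress port
    ("10:00:04", "tcp", "10.1.1.23", 51003, "198.51.100.4", 443,  3000),        # normal HTTPS
    ("10:00:05", "tcp", "10.1.1.24", 51004, "198.51.100.7", 80,   70_000_000),  # bulk upload
    ("10:00:06", "tcp", "198.51.100.9", 40000, "10.1.1.30", 445,  1200),        # inbound, out of scope
]

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def egress_findings(flows):
    """Flow-level canaries for the three collection points: egress, DNS and proxy traffic.
    Works on session metadata only, so it still applies when payloads are encrypted."""
    findings = []
    for start, proto, src, sport, dst, dport, out_bytes in flows:
        # The patterns on the slides are outbound-only, so only internal -> external matters.
        if not is_internal(src) or is_internal(dst):
            continue
        if dport == 53:
            if dst not in CORPORATE_DNS:
                findings.append((src, "dns-bypass", dst))
        elif dport not in ALLOWED_EGRESS_PORTS:
            findings.append((src, "unusual-egress-port", dport))
        elif out_bytes >= EXFIL_BYTES:
            findings.append((src, "large-upload", out_bytes))
    return findings

def hosts_to_triage(findings):
    """Distinct internal hosts ordered by how many canaries they tripped."""
    counts = {}
    for src, _, _ in findings:
        counts[src] = counts.get(src, 0) + 1
    return sorted(counts, key=lambda h: (-counts[h], h))
```

None of these checks needs an IDS signature or payload visibility, which is the point of the slide: the canaries watch who talks to whom and how much, not what is said.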
> Q&A Ismael Valenzuela - @aboutsecurity http://blog.ismaelvalenzuela.com