Search and Destroy the Unknown FROM MALWARE ANALYSIS TO INDICATIONS OF COMPROMISE

Similar documents
Chapter 14 Analyzing Network Traffic. Ed Crowley

GRC & Cyber Security Conference - Bringing the Silos Together ISACA Ireland 3 Oct 2014 Fahad Ehsan

Unit 3 Research Project. Eddie S. Jackson. Kaplan University. IT540: Management of Information Security. Kenneth L. Flick, Ph.D.

Memory Forensics & Security Analytics: Detecting Unknown Malware

Detecting Unknown Malware: Security Analytics & Memory Forensics. Fahad Ehsan. Cyber Security #RSAC

Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com

APPLICATION PROGRAMMING INTERFACE

Network Security Monitoring

Lab exercise: Working with Wireshark and Snort for Intrusion Detection

Network Intrusion Analysis (Hands-on)

EITC Lessons Learned: Building Our Internal Security Intelligence Capability

Sophisticated Indicators for the Modern Threat Landscape: An Introduction to OpenIOC

Analyzing HTTP/HTTPS Traffic Logs

AppSec DC November 13, The OWASP Foundation Custom Intrusion Detection Techniques for Monitoring Web Applications

Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies

Breach Found. Did It Hurt?

Exercise 7 Network Forensics

An Introduction to Incident Detection and Response Memory Forensic Analysis

Network Monitoring using MMT:

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

Network/Internet Forensic and Intrusion Log Analysis

All Information is derived from Mandiant consulting in a non-classified environment.

Active Response: Automated Risk Reduction or Manual Action?

Plugging Network Security Holes using NetFlow. Loopholes in todays network security solutions and how NetFlow can help

When prevention FAILS: Extending IR and Digital Forensics to the corporate network. Ismael Valenzuela

GOOD GUYS VS BAD GUYS: USING BIG DATA TO COUNTERACT ADVANCED THREATS. Joe Goldberg. Splunk. Session ID: SPO-W09 Session Classification: Intermediate

Detecting Malware With Memory Forensics. Hal Pomeranz SANS Institute

Missing the Obvious: Network Security Monitoring for ICS

A perspective to incident response or another set of recommendations for malware authors

Testing Network Security Using OPNET

Deep Discovery. Technical details

Beyond 'Check The Box': Powering Intrusion Investigations Jim Aldridge 11 March 2014

Nemea: Searching for Botnet Footprints

WHEN THE HUNTER BECOMES THE HUNTED HUNTING DOWN BOTNETS USING NETWORK TRAFFIC ANALYSIS

How To Protect A Network From Attack From A Hacker (Hbss)

Network Forensics: Log Analysis

Threat Advisory: Trivial File Transfer Protocol (TFTP) Reflection DDoS

CHAD TILBURY.

Log Analysis: Overall Issues p. 1 Introduction p. 2 IT Budgets and Results: Leveraging OSS Solutions at Little Cost p. 2 Reporting Security

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

Know Your Enemy Lite: Proxy Threats - Socks v666

Intrusion Detection and Prevention: Network and IDS Configuration and Monitoring using Snort

Context Threat Intelligence

Visa Data Security Bulletin (AP)

Penetration Test Methodology on Information-Security Product Utilizing the Virtualization Technology

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Monitor Network Activity

How To Monitor Network Activity On Palo Alto Network On Pnetorama On A Pcosa.Com (For Free)

Monitor Network Activity

APT Detection with Whitelisting and Log Monitoring

Beyond Check The Box

Understand Troubleshooting Methodology

Modern Approach to Incident Response: Automated Response Architecture

One-Man Shop. How to build a functional security program with limited resources DEF CON 22

DRIVE-BY DOWNLOAD WHAT IS DRIVE-BY DOWNLOAD? A Typical Attack Scenario

Hunting for Indicators of Compromise

Computer Security: Principles and Practice

Computer Security DD2395

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Using Network Based Security Systems to Search for STIX and TAXII Based Indicators of Compromise

Redline Users Guide. Version 1.12

Computer Security DD2395

Guide to Computer Forensics and Investigations, Second Edition

How To Connect Log Files To A Log File On A Network With A Network Device (Network) On A Computer Or Network (Network Or Network) On Your Network (For A Network)

Streamlined Malware Incident Response with EnCase

Digital Forensic analysis of malware infected machine Case study ***

How to speed up IDENTIKEY DNS lookup of the Windows Logon DAWL client on Windows 7?

UNMASKCONTENT: THE CASE STUDY

RSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst

O N L I N E I N C I D E N T R E S P O N S E C O M M U N I T Y

Richard Bejtlich / taosecurity.blogspot.com BSDCan 14 May 04

Dynamic Rule Based Traffic Analysis in NIDS

Implementing Network Monitoring Tools

PAN-OS Syslog Integration

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

ADVANCED THREATS IN THE ENTERPRISE. Finding an Evil in the Haystack with RSA ECAT. White Paper

How to effectively respond to an information security incident

Security & Threat Detection: Go Beyond Monitoring

SOUTHERN POLYTECHNIC STATE UNIVERSITY. Snort and Wireshark. IT-6873 Lab Manual Exercises. Lucas Varner and Trevor Lewis Fall 2013

Performing Advanced Incident Response Interactive Exercise

Networks and Security Lab. Network Forensics

Chapter 9 Firewalls and Intrusion Prevention Systems

RSA Security Analytics

P Principles of Network Forensics P Terms & Log-based Tracing P Application Layer Log Analysis P Lower Layer Log Analysis

Old Web Shells, New Tricks

Eight Essential Elements for Effective Threat Intelligence Management May 2015

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Network Defense Tools

Building a Security Operations Center Lessons Learned. active threat protection

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

INTRUSION DETECTION SYSTEM (IDS) by Kilausuria Abdullah (GCIH) Cyberspace Security Lab, MIMOS Berhad

CHAPETR 3. DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM

Using Argus to analyse network flows. David Ford OxCERT Oxford University Computer Services

Open Source Network Security Monitoring With Sguil

Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

FALSE ALARM? Incident Management Case Study. Carlos Villalba

Malicious Network Traffic Analysis

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

Transcription:

Search and Destroy the Unknown FROM MALWARE ANALYSIS TO INDICATIONS OF COMPROMISE

Who am I? Michael Boman, Malware Researcher Malware Research Institute Provide the community with knowledge and tools

Detecting the Unknown FBI: There are only two types of companies: those that have been hacked, and those that will be. Always assume that you have been compromised and look for signs to confirm the assumption

Where to look There is gold in those logfiles! Firewall IDS / IPS Proxy DNS System logfiles Netflow data

Firewall New sessions are enough, no need to log every packet Ingress (incoming) AND Egress (outgoing) Denied AND Permitted

IDS / IPS Detecting attacks are nice, detecting compromises are cool You need actionable information from your IDS / IPS system Custom rules are the path to salvation

Proxy Detecting known bad sites Trace infections to source Detecting outliers

DNS Log queries Establish DNS query & response baseline Analyze NXDOMAIN responses Analyze successful DNS lookups Identify domain name abnormalities

System Windows 7 regular logfiles expressions SOURCE EventID Number.*APPCRASH.* Application 1001.*he protected system file.* Application 64004.*EMET_DLL Module logged the following event:.* Application 2.*your virus/spyware.* Application Depends.*A new process has been created\..* Security 4688.*A service was installed in the system\..* Security 4697.*A scheduled task was created\..* Security 4698.*Logon Type:[\W]*(3 10).* Security 4624, 4625.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.* Security 4657.*service terminated unexpectedly\..* System 7034.*service was successfully sent a.* System 7035.*service entered the.* System 7036.*service was changed from.* System 7040

Netflow data WHO is talking to WHOM When doing incident response, being able to narrow down the scope is key

Aquire the sample Exctraction from network traffic File on disk Memory dump

Extracting from Network Traffic Wireshark GUI Network Miner GUI Foremost Dshell foremost v i /path/to/pcap DShell> decode d rip-http --rip-output_dir=output/ /path/to/pcap

Extracting from Memory Creating the memory dump PsExec.exe \\HOSTNAME_OR_IP -u DOMAIN\privileged_account -p passwd - c mdd_1.3.exe - -o C:\MEMORY.DMP Extracting the executable / DLL from the memory dump volatility dlldump -f MEMORY.DMP -D dumps/ volatility procmemdump -f MEMORY.DMP -D dumps/

Analyze the sample Confirm the malicious nature of the suspected sample Identify behavior that can be used to identified infected machines

Confirming the sample Static analysis Dynamic analysis

Cuckoo Sandbox Uses DLL-injection techniques to intercept and log specific API calls Uses TCPDump to capture network traffic

Minibis Uses Microsoft ProcMon inside the instrumented environment Uses TCPDump to capture network trafic ProcDOT can be used to analyze / visualize the execution process

Identify IOCs Identifiable patterns in the sample Created files Created / Modified registry keys Network traffic Memory patterns

Mandiant IOC Editor

Yara rule silent_banker : banker { meta: description = "This is just an example" thread_level = 3 in_the_wild = true strings: $a = {6A 40 68 00 30 00 00 6A 14 8D 91} $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9} $c = "UVODFRYSIHLNWPEJXQZAKCBGMT" condition: $a and $b and $c }

Snort alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( \ content: " 6A 40 68 00 30 00 00 6A 14 8D 91 "; \ content: " 8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9 "; \ content: " UVODFRYSIHLNWPEJXQZAKCBGMT"; \ msg: " silent_banker : banker C2 Traffic"; \ ) Finds unknown C2 servers

Mandiant IOC Finder Collecting: mandiant_ioc_finder collect [-o output_dir] [[-d drive]...] [-q] [-v] [-h] Reporting: mandiant_ioc_finder report [ [-i input_iocs]...] [-s source_data] [-t html doc] [-o output_folder (html) or file (doc)] [-q] [-v] [-h] [-w verbose summary off]

Searching Network Traffic Firewall Detection, Block specific communication IDS / IPS Proxy DNS Create signatures to Detect and Prevent C2 communication, additional infections Detection, Block specific communication Detection, Block communication to sites

Conclusion Contact information Website: blog.malwareresearch.institute Twitter: @mboman Email: michael@michaelboman.org Tools mentioned Snort, DaemonLogger, PassiveDNS, SANCP, Wireshark, Network Miner, Xplico, Dshell, PsExec, MDD, Volatility, Cuckoo Sandbox, Minibis, ProcDot, Mandiant OpenIOC Editor, Yara, Mandiant IOC Finder, Mandiant Redline

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information