UNMASKCONTENT: THE CASE STUDY

DIGITONTO LLC.
UNMASKCONTENT: THE CASE STUDY
The mystery
UnmaskContent.com v1.0

Contents
I. CASE 1: Malware Alert
   a. Scenario
   b. Data Collection
   c. Data Aggregation
   d. Data Enumeration
   e. Verifying Malware
   f. Summary
II. Case 2: Botnet C&C Investigation
   a. Scenario
   b. Data Collection
   c. Data Aggregation
   d. Data Enumeration
   e. Summary
III. Conclusion
IV. Disclaimer

I. CASE 1: Malware Alert

a. Scenario

There has been a malware alert in a SIEM/SIM such as ArcSight, ARC or AlienVault. You have logs indicating the following:
1. An infected URL was visited by an internal user.
2. The user's host was redirected to a malware site.
3. The user's host downloaded this malware.
4. ArcSight triggered an intrusion alert.
In this case, we will look at how an analyst handles the scenario. We will also talk about how to integrate the usage of the various Unmask web portals into the flow documentation of each web portal.

b. Data Collection

In this scenario, the analyst used a log aggregator to collect all the information around the time frame of the indicated intrusion. The first thing the analyst has to do is ensure that the logs indicate a true intrusion or compromise rather than a false positive, although that determination is beyond the scope of this document. There were several lines of logs around the timeframe, although only a few of them indicated the communication with the malware site after the user visited a compromised web portal.

UnmaskContent was used to perform a remote wget of one of the malware or malicious websites from the logs that looked suspicious. The analyst also has to verify the compromised website that redirected the user to the malware site, in order to determine the cause of this redirection. The analyst also has to verify whether this alert was a true positive, that is, whether the malware site was active.

c. Data Aggregation

Now that the analyst has all the domain names and URLs of the possible intrusion, he has to verify what caused this redirection. The analyst entered the URL of the compromised site in the text box on UnmaskContent. The response showed that there was a hidden <iframe> on the compromised site's web page that the user visited. This <iframe> then redirected the user to the possible malware website.

d. Data Enumeration

The analyst entered the compromised website's URL in the custom Referrer section before grabbing the data from the malware site. The analyst used customized User-Agents and Content-Types in order to access the malware site, selecting application/octet-stream, a pre-defined Content-Type from the drop-down list, in order to obtain the Portable Executable (PE) that was downloaded.

e. Verifying Malware

The analyst determined that the executable changed each time he accessed the website with UnmaskContent, so he grabbed the hash of each file and verified it with UnmaskHASH. Once he obtained the list of executables, he would write up the incident analysis report and perform the remediation procedures needed to clean up any compromise. PCAP recording tools, network anomaly tools and others could be used to verify the compromise at the host level.

f. Summary

The analyst used several tools to analyze and determine that there was an incident requiring remediation. UnmaskContent helped the analyst prove the true cause of this intrusion or compromise. In this scenario, UnmaskContent helped the analyst find the hidden iframe that redirected the user to a malicious website, identify the malware, determine that the malware on the remote malicious portal was constantly changing, and gain access to other resources.
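The two checks an analyst performs in Case 1 (spotting the hidden iframe in the fetched landing page, and hashing each fetched payload to show the server re-packs the executable per request) can be scripted over the saved responses. This is an added example, not UnmaskContent or DigitOnto code; the page markup, hostnames and byte blobs below are constructed.

```python
"""Case 1 triage helpers: hidden-iframe finder and per-sample hashing (constructed example)."""
import hashlib
import re
from html.parser import HTMLParser

# Constructed landing page modelled on the case: one hidden <iframe> next to a normal embed.
COMPROMISED_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="http://malware.example/land.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://video.example/embed/42" width="640" height="360"></iframe>
<iframe src="http://other.example/x" style="display: none"></iframe>
</body></html>"""


def _tiny(value):
    """True for a width/height of 0 or 1 (with or without a px/% suffix)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class HiddenIframeFinder(HTMLParser):
    """Collect every <iframe> with the reason it looks hidden, or None when it is visible."""

    def __init__(self):
        super().__init__()
        self.iframes = []  # list of (src, reason)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        reason = None
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reason = "zero-size"
        elif "display:none" in style or "visibility:hidden" in style:
            reason = "css-hidden"
        elif re.search(r"(left|top):-\d{3,}px", style):
            reason = "off-screen"
        self.iframes.append((a.get("src", ""), reason))


def hidden_iframes(html):
    """Return [(src, reason)] for every iframe a user would not see on the page."""
    p = HiddenIframeFinder()
    p.feed(html)
    return [(src, why) for src, why in p.iframes if why]


def distinct_samples(blobs):
    """SHA-256 each fetched payload; more than one digest means the server varies the PE per fetch."""
    return sorted({hashlib.sha256(b).hexdigest() for b in blobs})
```

The digests returned by distinct_samples are what you would submit to a hash lookup service such as UnmaskHASH, one per variant.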

II. Case 2: Botnet C&C Investigation

a. Scenario

An analyst at a Fortune 500 firm was investigating traffic during non-business hours. During one such investigation, the analyst found one host that was constantly communicating with a few IPs at random times, including both business and non-business hours. The analyst had firewall, IDS, proxy and router logs indicating the true source of this incident and the external IPs it was communicating with. The analyst then performed logger searches from the internal source to the external IPs over a seven-day timeframe. The logs indicated the following:
1. The host was sending packets of exactly 512 bytes.
2. The communication was randomized to 1 packet every 60-90 minutes.
3. The packets were encoded and sent over HTTP (80/TCP).
4. The destination URL contained the source host's information.
Let us look at how an analyst would handle this situation using the Unmask series of portals.

b. Data Collection

Data collection is not taken seriously in many work environments. Analysts should be trained well in data collection, as it is the heart of any form of incident analysis. Putting the pieces of a puzzle together without all the essential pieces and without knowing the end result is often the biggest challenge an analyst faces. An analyst is not going to know whether an incident is from a fake AV or a botnet before he or she has put all the pieces of the puzzle together. There is also a tradeoff in the number of pieces collected. Any unwanted data should be discarded immediately, before it gets used unintentionally as part of the analysis or the root cause determination process. Knowing which pieces of data are required and which are not is the hardest part of an analyst's job.

c. Data Aggregation

The analyst used UnmaskContent to determine the content of these URLs using GET requests. It was then determined that GET requests to this particular domain are answered with a 404. The analyst then dug into the packet data with network traffic PCAP aggregators and IDS logs and found that these were POST requests to a well-known botnet command & control server listed in the IRC bot lists at EmergingThreats and ShadowServer. The analyst was then curious as to why an IRC bot would use HTTP (80/TCP) for its communication. In most enterprises the only open egress port is 80/TCP, and IRC over HTTP is not hard to implement for communication. This was then confirmed on UnmaskContent by an HTTP response carrying the IRC reply 451 ERR_NOTREGISTERED ":You have not registered", returned when a POST with the specific parameters was used to hit the site this host was communicating with.

d. Data Enumeration

Collecting the various pieces of the puzzle is what we observed in data collection. Enumeration is where the analyst works out exactly what to keep and/or discard in order to perform the analysis. This is where UnmaskContent comes in handy, because it helps the analyst determine what exactly is required. If there are no results from the IRC-over-HTTP response, then it cannot be determined whether this is indeed IRC over HTTP. The best part about UnmaskContent is that it issues all these queries from servers that are not inside the analyst's enterprise. The attacker does not get to know who is researching them, or that the compromised victim is researching them. This takes the victim out of the picture, since the attacker would not know who is hitting their site from this neutral location, or why.

e. Summary

The analyst in this scenario used UnmaskContent to verify the legitimacy of the beacons that were identified through raw log analysis. This was done using the IRC-over-HTTP response, in combination with other open source records that indicated the nature of this botnet. The Unmask series of sites is designed to help analysts globally analyze their incidents and to assist in intrusion defense.
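The four log indicators in the Case 2 scenario (fixed 512-byte requests, a 60-90 minute cadence, plain HTTP on 80/TCP, and the source host's name in the destination URL) can be turned into a beacon check over proxy logs before any external lookup is made. This is an added example, not UnmaskContent or DigitOnto code; the log format, IPs, hostnames and asset inventory below are constructed, and request size stands in for the packet size the page reports.

```python
"""Beacon detector for the Case 2 indicators over a constructed proxy log (added example)."""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log, one line per request: "<ISO time> <src ip> <method> <url> <request bytes>".
PROXY_LOG = """\
2015-03-02T01:10:00 10.20.30.41 POST http://cc.example/upd.php?id=ws041 512
2015-03-02T01:25:00 10.20.30.41 GET http://www.example.com/news 311
2015-03-02T02:20:00 10.20.30.41 POST http://cc.example/upd.php?id=ws041 512
2015-03-02T03:45:00 10.20.30.41 POST http://cc.example/upd.php?id=ws041 512
2015-03-02T04:50:00 10.20.30.41 POST http://cc.example/upd.php?id=ws041 512
2015-03-02T05:05:00 10.20.30.77 GET http://www.example.com/ 402
2015-03-02T05:06:00 10.20.30.77 GET http://www.example.com/img.png 399
"""
# Constructed asset inventory mapping internal IPs to hostnames (indicator 4 needs it).
HOSTNAMES = {"10.20.30.41": "ws041", "10.20.30.77": "ws077"}


def parse(log):
    """Yield (timestamp, src, method, url, size) per log line."""
    for line in log.splitlines():
        ts, src, method, url, size = line.split()
        yield datetime.fromisoformat(ts), src, method, url, int(size)


def find_beacons(log, min_gap=60, max_gap=90, min_hits=3):
    """Flag (src, dst) pairs on HTTP/80 whose requests all share one size and a 60-90 min cadence."""
    flows = defaultdict(list)
    for ts, src, method, url, size in parse(log):
        u = urlsplit(url)
        if u.scheme == "http" and (u.port or 80) == 80:   # indicator 3: plain HTTP on 80/TCP
            flows[(src, u.hostname)].append((ts, method, url, size))
    hits = []
    for (src, dst), events in flows.items():
        if len(events) < min_hits:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() / 60 for a, b in zip(events, events[1:])]
        sizes = {e[3] for e in events}
        if len(sizes) == 1 and all(min_gap <= g <= max_gap for g in gaps):   # indicators 1 and 2
            hits.append({
                "src": src, "dst": dst, "count": len(events), "size": sizes.pop(),
                "methods": sorted({e[1] for e in events}),
                # indicator 4: does the destination URL carry the source host's own name?
                "host_in_url": any(HOSTNAMES.get(src, "") in e[2] for e in events),
            })
    return hits
```

A flagged pair gives the analyst the destination to look up in the C&C lists the case mentions, and the method column shows up front whether a GET to the same URL is even expected to succeed.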

III. Conclusion

UnmaskContent is a content gathering web portal used by analysts and engineers across the world. APIs have been developed to extend the features and functionality of UnmaskContent, and this has been done by modularizing the code. Please consult your supervisor about the rules and limitations of your Standard Operating Procedures (SOPs) before entering any confidential or custom information into UnmaskContent. UnmaskContent can be used for out-of-band analysis and makes it harder for the attacker to determine the true source behind the investigation.

IV. Disclaimer

The Unmask Series of web portals (referred to as UnmaskContent or any other website, suite, framework, software, code or documentation that belongs to DigitOnto LLC.) is a product of DigitOnto LLC. This series of web portals and its design is Copyright (All rights reserved) of DigitOnto LLC. The Unmask Series of web portals is created and used for legitimate and ethical purposes alone. Any unwanted, illegal, unethical or other malicious activity is strictly prohibited. Information on users who violate the terms or conditions of usage will be handed over to law enforcement upon request or if deemed prudent by DigitOnto LLC. This website is monitored and activities are logged using a layered defense approach, and you are requested to check our acceptable use policy before further usage.