Covert Operations: Kill Chain Actions using Security Analytics



Written by Aman Diwakar
Twitter: https://twitter.com/ddos
LinkedIn: http://www.linkedin.com/pub/aman-diwakar-ccie-cissp/5/217/4b7

In Special Operations, there are multiple actors on either side of the battlefield, at any point in time, attempting to achieve tactical leverage over the enemy. This leverage comes in multiple forms, at different stages of combat, and the entire process is referred to as the Kill Chain. The kill chain in special operations includes reconnaissance, weaponization, payload delivery, exploitation, establishment of communication from behind enemy lines and, ultimately, completion of the mission and successful exfiltration. As an Intelligence Analyst in the military, I was intimately familiar with this process and with how successful actions on target, in rapid, deliberate succession, would mean victory for the unit best able to execute and defeat for the opposition forces. This article will highlight how, using security intelligence, you, the Network Operator, can gain tactical leverage, interrupt the kill chain and successfully defend your area of responsibility against the threat actor or aggressor. Your goal will be to remain eternally vigilant; it is the price we pay for security, whether in the cyber world or the physical one.

In order to prepare to defend your network, you need to gather all the information and intelligence you possibly can, because those aiming to exploit it will be very well prepared, most of the time better prepared than you, since it is they who will be choosing the time and place. Because compiling and discussing all the possible permutations of data points is outside the scope of this article, we will speak of the two most important pieces of information that you will need to acquire. The first is logging and activity data from the infrastructure; the second is packet data from network taps at strategic chokepoints in the network.

You will finally need to be able to take these two pieces of network intelligence and correlate them quickly and effectively, because this information will likely be unstructured and disparate. The only commonality is that, when correctly and intelligently manipulated, this data will yield the information required to make the tactical decisions that pave the way for a successful defense.

Once the above preparations are successfully executed, the majority of the time spent should be in identifying and monitoring the network for malicious activity. The determined adversary will first attempt to gain intelligence on the target; your role will be to take that opportunity to gather counterintelligence. This counterintelligence will be critical in identifying the specific threat from the sea of adversaries that your network faces on a daily basis; however, it is an extremely challenging objective, as the advanced threat actor will be attempting to thwart counterintelligence activities. Information regarding the potential attacker can often be ascertained from coding in malware that references a language or country of origin, from the attacker's modus operandi (based on historical data) or from the ways in which commonly used tools are customized. Because the attacker is constantly seeking to avoid detection or mislead you, any one of the above-mentioned telltale signs can easily be spoofed, so it is best to take all possible activities into account holistically when attempting identification. Security analytics tools that consume network telemetry data and deduce possible suspicious or malicious traffic are instrumental in the identification phase as well as in the containment of such activities on the network. In the rest of this article, we will be utilizing information obtained from RSA's Security Analytics to demonstrate the identification of malicious activity on the network that manifests itself in traffic hiding inside benign-looking HTTP or IRC traffic. This type of network evasion is generally referred to as a covert channel, as the attacker attempts to hide C2 (Command and Control) and data exfiltration traffic and to subvert traditional security controls such as IPS/IDS signature-based mechanisms and, additionally, firewall filters.

Security Analytics is designed to track and identify those threats on the network that are not identified in the wild using traditional detection methods, because the attacker is exploiting an as-of-yet unidentified vulnerability in the infrastructure's components. There are two methods of searching for suspicious activity; both check for data leaks, potentially unauthorized file transfers and C2 activity. The first method searches for traffic to suspicious countries, i.e. files that were sent outside the US by systems that should not be engaging in this behavior; the second method searches for file transfer and IRC communication traffic over non-standard ports. In the snapshot illustrated above, SA has identified potential data exfiltration activity by correlating different pieces of network data, such as IP-by-country and a packet capture that confirms a data channel.

One common method of obfuscating a file transfer is tunneling FTP traffic over non-standard ports. This method is commonly referred to as a covert channel; however, it is not limited to FTP traffic. A covert channel is a method by which packet data is transmitted over ports on which it would generally not travel, as is common in many P2P applications. The concern with this type of traffic is that it is a common vector for C2 communications, as C2 traffic is commonly sent over IRC. As we follow a suspected file transfer, we're able to simply click the suspicious activity and identify the destination country that the file was sent to, in this case Uzbekistan. Of course, many organizations do business with Uzbekistan, and it is entirely plausible that this is legitimate traffic in those organizations; however, in this case we did not, and as such we tagged this as suspicious activity. The screen below identifies the file transfer, including username/password, ports and the file name that was transmitted. This activity will now trigger an investigation and a determination as to why this took place and whether any further action is needed.

The illustration below demonstrates IRC-based covert channel activity: the IRC traffic is attempting to hide on a non-standard port, and upon inspection it is discovered that the exchange has attempted to download and execute malicious code. This code could be the basis for establishing botnet C2 or for installing other viruses or malware. One might think that a hardened operating system along with good antivirus protection would mitigate this type of attack or activity; however, with remote command shell exploitation and zero-day threats, these attacks commonly bypass antivirus and antimalware filters and detection engines. Now the attacker can pivot to a privilege escalation attack and have this host either participate in malicious activity or simply serve as the destination system the hacker was attempting to infiltrate. The last example below is a capture of another service, Gnutella, as it was being used to download a Flash installation from Macromedia/Adobe's website. This is a perfect example of a P2P application that tunnels traffic over HTTP, but because the HTTP header information is suspicious (low header count), this traffic is flagged by SA for an administrator to review further. Here, Gnutella triggered an HTTP GET command, and we are able to dissect the event and reconstruct it per the preceding screenshots and packet samples. The packet capture indicates that the session was initiated to get an update of Flash Player.

The figure above is a live packet capture event reconstruction; it shows Gnutella traffic over port 80 during an HTTP GET command execution fetching Flash from host fpdownload2.macromedia.com. To summarize, C2 and malicious traffic evasion tactics are evolving as malicious actors attempt to stay ahead of the malware research community. Malware is becoming more difficult to analyze, as writers prevent execution of the malicious code in a sandbox if the code detects that a human is not driving it via mouse or keyboard commands, or that the process is not executing on a human-interfacing system, i.e. a user PC or server. Furthermore, such activity hides behind encrypted covert channels to take it up another notch. The adversary will become more sophisticated and determined as the motivation for such actions continues to be financial or political advantage, placing you on the front lines of full-fledged cyber warfare.
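The three indicators walked through above (a protocol identified by its content rather than its port, a file upload to a country the organization does not deal with, and an HTTP request with an unusually low header count) can be expressed as a small triage pass over reconstructed sessions. This is an added example, not RSA Security Analytics code; the `Flow` record, the `EXPECTED_PORTS` table, the prefix-based `GEO` lookup and the `BUSINESS_COUNTRIES` set are constructed stand-ins for what a real analytics platform would supply.

```python
"""Covert-channel triage over constructed session records (added example)."""
import re
from dataclasses import dataclass

# Ports on which each protocol is expected; any other port is a finding.
EXPECTED_PORTS = {"ftp": {21}, "irc": {6667, 6697}, "http": {80, 8080}}
# Constructed prefix-to-country table standing in for a real IP geolocation feed.
GEO = {"203.0.113.": "UZ", "198.51.100.": "US", "192.0.2.": "US"}
# Countries this hypothetical organization legitimately exchanges files with.
BUSINESS_COUNTRIES = {"US"}


@dataclass
class Flow:
    dst_ip: str
    dst_port: int
    payload: bytes  # first bytes of the reconstructed session


def identify_protocol(payload: bytes) -> str:
    """Classify by content, not by port: the port is what the covert channel lies about."""
    head = payload[:512]
    if re.match(rb"(USER|PASS|RETR|STOR) ", head) or head.startswith(b"220 "):
        return "ftp"
    if re.search(rb"^(NICK|JOIN|PRIVMSG) ", head, re.M):
        return "irc"
    if re.match(rb"(GET|POST) \S+ HTTP/1\.[01]\r\n", head):
        return "http"
    return "unknown"


def http_header_count(payload: bytes) -> int:
    """Count header lines in the first request; browsers send many, tunnelling clients few."""
    lines = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    return len([line for line in lines[1:] if b":" in line])


def country_of(ip: str) -> str:
    return next((c for prefix, c in GEO.items() if ip.startswith(prefix)), "??")


def triage(flow: Flow) -> list:
    """Return the list of findings for one session; an empty list means nothing flagged."""
    findings = []
    proto = identify_protocol(flow.payload)
    if proto in EXPECTED_PORTS and flow.dst_port not in EXPECTED_PORTS[proto]:
        findings.append(f"{proto} on non-standard port {flow.dst_port}")
    if proto == "http" and http_header_count(flow.payload) < 3:
        findings.append("http with low header count")
    if proto == "ftp" and b"STOR " in flow.payload and country_of(flow.dst_ip) not in BUSINESS_COUNTRIES:
        findings.append(f"ftp upload to {country_of(flow.dst_ip)}")
    return findings
```

Each finding is only a lead for the analyst, as the article stresses: an FTP upload to an unexpected country or a thin HTTP request still has to be confirmed against the reconstructed packets before action is taken.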