Incident Response tactics with Compromise Indicators

Size: px

Start display at page:

Download "Incident Response tactics with Compromise Indicators"

Margaret Quinn
5 years ago
Views:

1 Vladimir Kropotov, Vitaly Chetvertakov, Fyodor Yarochkin RusCrypto 2014 March 25-28, 2014

2 Outline Basics Standards Tools Sharing IOCs IOCs composites Case Study More on Tools Questions

3 Introduction Indicators of Compromise Indicator of compromise (IOC) in computer forensics is an artifact observed on network or in operating system that with high confidence indicates a computer intrusion.

4 IOC workflow A typical flow with Indicators of Compromise: source: Sophisticated indicators for the modern threat landscape, 2012 paper

5 Standards: OpenIOC OpenIOC - Mandiant-backed effort for unform representation of IOC (now FireEye)

6 Standards: Mitre Mitre CybOX: Mitre CAPEC: Mitre STIX: Mitre TAXII

7 Open-source tools OpenIOC manipulation Mantis Threat Intelligence Framework Mantis supports STIX/CybOX/IODEF/OpenIOC etc via importers: Search splunk data for IOC indicators: Our framework:

8 Online Sharing of IOCs

9 Policies on Sharing Policies on sharing IOCs: what to be shared/can be shared who to share with when to share

10 Where to look for IOCs: Outbound Network Traffic User Activities/Failed Logins User profile folders Administrative Access Access from unsual IP addresses Database IO: excessive READs Size of responses of web pages Unusual access to particular files within Web Application (backdoor) Unusual port/protocol connections DNS and HTTP traffic requests Suspicious Scripts, Executables and Data Files

11 Challenges Why we need IOCs? because it makes it easier to systematically describe knowledge about breaches. Identifying intrusions is hard Unfair game: defender should protect all the assets attacker only needs to poop one system. Identifying targeted, organized intrusions is even harder Minor anomalous events are important when put together Seeing global picture is a mast Details matter Attribution is hard

12 Challenges All networks are compromised The difference between a good security team and a bad security team is that with a bad security team you will never know that you ve been compromised.

13 An Example A Network compromise case study: Attackers broke via a web vuln. Attackers gained local admin access Attackers created a local user Attackers started probing other machines for default user ids Attackers launched tunneling tools connecting back to C2 Attackers installed RATs to maintain access

14 Indicators So what are the compromise indicators here? Where did attackers come from? (IP) What vulnerability was exploited? (pattern) What web backdoor was used? (pattern, hash) What tools were uploaded? (hashes) What users were created locally? (username) What usernames were probed on other machines

15 Good or Bad? F i l e Name : R a s T l s. e x e F i l e S i z e : 105 kb F i l e Mo dificat ion Date /Time : 2009: 02: 09 19:42:05+08:00 F i l e Type : Win32 EXE MIME Type : a p p l i c a t i o n / o c t e t s t r e a m Machine Type : I n t e l 386 o r l a t e r, and c o m p a t i b l e s Time Stamp : : 0 2 : :38:37+08:00 PE Type : PE32 L i n k e r V e r s i o n : 8. 0 Code S i z e : I n i t i a l i z e d Data S i z e : U n i n i t i a l i z e d Data S i z e : 0 E n t r y P o i n t : 0 x3d76 OS V e r s i o n : 4. 0 Image V e r s i o n : 0. 0 S u b s y s t e m V e r s i o n : 4. 0 S u b s y s t e m : Windows GUI F i l e V e r s i o n Number : P r o d u c t V e r s i o n Number : F i l e OS : Windows NT 32 b i t O b j e c t F i l e Type : E x e c u t a b l e a p p l i c a t i o n Language Code : E n g l i s h (U. S. ) C h a r a c t e r Set : Windows, L a t i n 1 Company Name : Symantec C o r p o r a t i o n F i l e D e s c r i p t i o n : Symantec x S u p p l i c a n t F i l e V e r s i o n : I n t e r n a l Name : d o t 1 x t r a y

It really depends on context RasTls. DLL RasTls. DLL. msc RasTls. exe http://msdn.

16 It really depends on context RasTls. DLL RasTls. DLL. msc RasTls. exe Dynamic-Link Library Search Order

17 Tools for Dynamic Detection of IOC Snort Yara + yara-enabled tools Moloch Splunk/Log search

18 Tools for Dynamic Detection Moloch Moloch supports Yara (IOCs can be directly applied) Moloch has tagger plugin: # t a g g e r. so # p r o v i d e s a b i l i t y to import t e x t f i l e s with IP and/ or hostn # i n t o a s e n s o r t h a t would cause a u t o t a g g i n g o f a l l matching p l u g i n s=t a g g e r. so t a g g e r I p F i l e s=b l a c k l i s t, tag, tag, tag... t a g g e r D o m a i n F i l e s=d o m a i n b a s e d b l a c k l i s t s, tag, tag, tag

19 Sources of IOCs ioc bucket: Public blacklists/trackers could also be used as source: https: //zeustracker.abuse.ch/blocklist.php?download=ipblocklist https: //zeustracker.abuse.ch/blocklist.php?download=domainblocklist Eset IOC repository more coming?

20 where to mine IOC passive HTTP (keep your data recorded) passive DNS These platforms provide ability to mine traffic or patterns from the past based on IOC similarity show me all the packets similar to this IOC We implemented a whois service for IOC look-ups whois h i o c. h o s t. com a t t r i b u t e : v a l u e+a t t r i b u t e : v a l u e

21 Mining IOCs from your own data find and investigate incident Or even read paper determine indicators and test it in YOUR Environment use new indicators in the future see IOC cycle we mentioned earlier

22 Example If event chain leads to compromise h t t p : / / h t t p : / / h t t p : / / h t t p : / / l i a p o l a s e n s [. ] i n f o / indexm. h t m l l i a p o l a s e n s [. ] i n f o / c o u n t e r. php? t=f&v=win %2011,7,700,169& a=t r u e l i a p o l a s e n s [. ] i n f o /354 R I c x l i a p o l a s e n s [. ] i n f o /054 R I c x What to do?

23 Use YARA, or tune your own tools r u l e { susp_params_in_url_kind_of_fileless_bot_drive_by meta : date = " oct 2013 " d e s c r i p t i o n = " L a n d i n g hxxp : / / j d a t a s t o r e l a m e. i n f o / indexm. h t m l : d e s c r i p t i o n 1 = " J a v a S p l o i t hxxp : / / j d a t a s t o r e l a m e. i n f o /054 RIwj " s t r i n g s : $ s t r i n g 0 = " h t t p " $ s t r i n g 1 = " indexm. h t m l " $ s t r i n g 2 = " 054 RI " } c o n d i t i o n : a l l o f them

24 Use snort to catch suspicious traffic: # many plugx d e p l o y m e n t s c o n n e c t t o g o o g l e DNS when n o t i n u s e a l e r t t c p! $DNS_SERVERS any > ( msg : "APT p o s s i b l e PlugX G o o g l e DNS TCP p o r t 53 c o n n e c t i o n a t t e m p t " ; c l a s s t y p e : misc a c t i v i t y ; s i d : ; r e v : 1 ; )

25 GRR: Google Rapid Response: Hunting IOC artifacts with GRR

26 GRR: Creating rules

27 GRR: hunt in progress

28 IOC management portal

29 IOC exportable to json { " 8000 " : { " IP " : [ , , , , 2 1 " f y f l a s h " : { " IP " : [ , , , , , , ], " Domain " : [ wmi. n s 0 1. u s, p r o x y. ddns. i n f o, windows. ddns. u s, m i c r o s a f e s. no i p. o r g, f u c k c h i n a. govnb. com, i d s. n s 0 1. u s, u p d a t e d n s. n s 0 1. u s, u p d a t e d n s. n s 0 2. u s, a d s e r v i c e. no i p. o r g, j a v a. n s 1. name ], "MD5" : [ 7d810e3564c4eb95bcb3d11ce191208e, 1ec ec9092db ] }, " b t c " : { " IP " : [ ] }, " s l v b u s o " : { "MD5" : [ F17E3B014B9BCE89A793F5775B2 ], " Domain " : [ h e l l d a r k. b i z ] }, " s p " : { " IP " : [ , , , , , , ] }, "pw" : { " IP " : [ , ] }, " sophmdropfqi " : { "MD5" : [ c f f d 9 f a 5 c d 5 6 b b a 4 9 ], " Domain " : [ s a m i o l l o. o r g ] " s y m s r " : { " IP " : [ , , ], " Domain " : [ w e r t d g h b y r u k l. ch, r g t r y h b g d d t y h. b i z ] } " f a k e i n s t r " : { " IP " : [ , , ] }, " m s P r o l a c o " : { " Domain " : [ k a t h e l l. com, c o g i n i x. o r g ] } }

30 and every manager loves graphs :p

31 Q and A Or contact us at...

MySQL Attack Mitigation Using Deception Technology

1 RESEARCH REPORT : MySQL Attack Mitigation Using Deception Technology RESEARCH REPORT MySQL Attack Mitigation Using Deception Technology A Report by TrapX Labs December 31, 2016 2 RESEARCH REPORT : MySQL