Incident Response tactics with Compromise Indicators

Similar documents
MySQL Attack Mitigation Using Deception Technology

Extending MISP with Python modules MISP - Malware Information Sharing Platform & Threat Sharing

Extending MISP with Python modules MISP - Malware Information Sharing Platform & Threat Sharing

Information Sharing and Taxonomies Practical Classification of Threat Indicators using MISP

Information Sharing and Taxonomies Practical Classification of Threat Indicators using MISP

PyMISP - (ab)using MISP API with PyMISP MISP - Malware Information Sharing Platform & Threat Sharing

MISP Galaxy. Threat Sharing. Team CIRCL. MISP CIRCL

T H R EAT S A R E H I D I N G I N E N C RY P T E D T R A F F I C O N YO U R N E T WO R K

Yes, the Library will be accessible via the new PULSE and the existing desktop version of PULSE.

Patrol: Revealing Zero-day Attack Paths through Network-wide System Object Dependencies

Portal for ArcGIS: An Introduction. Catherine Hynes and Derek Law

Leveraging Web GIS: An Introduction to the ArcGIS portal

Introduction to Portal for ArcGIS

Portal for ArcGIS: An Introduction

Deep-dive into PyMISP MISP - Malware Information Sharing Platform & Threat Sharing

T H R EAT S A R E H I D I N G I N E N C RY P T E D T R A F F I C O N YO U R N E T W O R K

Cyber-Awareness and Games of Incomplete Information

Introduction to Portal for ArcGIS. Hao LEE November 12, 2015

Attack Graph Modeling and Generation

It s about time... The only timeline tool you ll ever need!

Web georeference of historical maps

Leveraging ArcGIS Online Elevation and Hydrology Services. Steve Kopp, Jian Lange

Information Sharing and Taxonomies Practical Classification of Threat Indicators using MISP

CHAPTER 22 GEOGRAPHIC INFORMATION SYSTEMS

Web GIS Deployment for Administrators. Vanessa Ramirez Solution Engineer, Natural Resources, Esri

Account Setup. STEP 1: Create Enhanced View Account

Incorporating ArcGIS Pro in your Curriculum

Management of Geological Information for Mining Sector Development and Investment Attraction Examples from Uganda and Tanzania

Analytical data, the web, and standards for unified laboratory informatics databases

R E A D : E S S E N T I A L S C R U M : A P R A C T I C A L G U I D E T O T H E M O S T P O P U L A R A G I L E P R O C E S S. C H.

Detection and Mitigation of Cyber-Attacks Using Game Theory and Learning

Semantic 3D City Models for Strategic Energy Planning in Berlin & London

ArcGIS GeoAnalytics Server: An Introduction. Sarah Ambrose and Ravi Narayanan

EasySDM: A Spatial Data Mining Platform

What s New. August 2013

Information Security Theory vs. Reality

An IDS Visualization System for Anomalous Warning Events

ArcGIS Enterprise: What s New. Philip Heede Shannon Kalisky Melanie Summers Sam Williamson

PI SERVER 2012 Do. More. Faster. Now! Copyr i g h t 2012 O S Is o f t, L L C. 1

Winmostar tutorial LAMMPS Polymer modeling V X-Ability Co,. Ltd. 2017/7/6

GPS Mapping with Esri s Collector App. What We ll Cover

ARGUS.net IS THREE SOLUTIONS IN ONE

DATA SCIENCE SIMPLIFIED USING ARCGIS API FOR PYTHON

Evaluating Physical, Chemical, and Biological Impacts from the Savannah Harbor Expansion Project Cooperative Agreement Number W912HZ

ArcGIS Web Tools, Templates, and Solutions for Defence & Intelligence. Renee Bernstein Esri Solutions Engineer

IntelMQ - a KISS incident handling automation project (IHAP)

Unsupervised Anomaly Detection for High Dimensional Data

Solving Polynomial Systems in the Cloud with Polynomial Homotopy Continuation

MISP Training: Galaxies

Among various open-source GIS programs, QGIS can be the best suitable option which can be used across partners for reasons outlined below.

A Reconfigurable Quantum Computer

Who are we? Cesena Security and Network Applications. Why join CeSeNA?

SMS Support in Tally.CRM Table of Contents

ArcGIS Pro Q&A Session. NWGIS Conference, October 11, 2017 With John Sharrard, Esri GIS Solutions Engineer

Forensic Analysis of Database Tampering

The Geo Web: Enabling GIS on the Internet IT4GIS Keith T. Weber, GISP GIS Director ISU GIS Training and Research Center.

Why GIS & Why Internet GIS?

K D A A M P L I F I E R S F I R M W A R E U S E R G U I D E

arxiv: v1 [cs.cr] 20 Dec 2012

Lord of the Bing. Taking Back Search Engine Hacking From Google and Bing. 18 MAY 2011 TakeDownCon 2011 Dallas, TX

KL12LM Corded Cap Lamp

An Optimization Approach In Information Security Risk Management

Office of Technology Partnerships GIS Collaboration

The iplant Collaborative Semantic Web Platform

combined with the computing power of the W4M infrastructure

University of New Hampshire Scholars' Repository

Magnetar Games Corporation

NV-DVR09NET NV-DVR016NET

TreesCount! NYC Innovation & Emerging Technologies Workgroup. Culture of Innovation in NYC Government Series. Session will begin at 1:00 pm

Administering your Enterprise Geodatabase using Python. Jill Penney

Integration of ArcFM UT with SCADA, SAP, MAXIMO and Network Calculation

From Geographics Stella to Bentley Map Stella Map. Kimmo Soukki, Account Manager Bentley Finland

Roberto Perdisci^+, Guofei Gu^, Wenke Lee^ presented by Roberto Perdisci. ^Georgia Institute of Technology, Atlanta, GA, USA

Enabling ENVI. ArcGIS for Server

Rapid Application Development using InforSense Open Workflow and Daylight Technologies Deliver Discovery Value

ArcGIS Deployment Pattern. Azlina Mahad

A study of entropy transfers

Lesser Sunda - Banda Seascape Atlas

Python. Tutorial. Jan Pöschko. March 22, Graz University of Technology

Effective Entropy for Memory Randomization Defenses

MassHunter TOF/QTOF Users Meeting

Technical Specifications. Form of the standard

ArcGIS Enterprise: What s New. Philip Heede Shannon Kalisky Melanie Summers Shreyas Shinde

31 Dec '01 07 Jan '02 14 Jan '02 21 Jan '02 28 Jan '02 M T W T F S S M T W T F S S M T W T F S S M T W T F S S M T W T F S S

GIS-based Smart Campus System using 3D Modeling

GIS Functions and Integration. Tyler Pauley Associate Consultant

Using OGC standards to improve the common

Cryptographic Hashing

ionos The most advanced stable isotope software ever created

Introduction to ArcGIS Maps for Office. Greg Ponto Scott Ball

Web GIS Administration: Tips and Tricks

Leveraging Your Geo-spatial Data Investments with Quantum GIS: an Open Source Geographic Information System

Hosted by Esri Official Distributor

Esri WebGIS Highlights of What s New, and the Road Ahead

MantaRay Documentation

Extremes analysis: the. ETCCDI twopronged

FIRE DEPARMENT SANTA CLARA COUNTY

Data Aggregation with InfraWorks and ArcGIS for Visualization, Analysis, and Planning

IH 35 at Blanco River May 2015

We re at the height of the homebuying season. Buyers, sellers and bad guys are out in abundance.

Transcription:

Vladimir Kropotov, Vitaly Chetvertakov, Fyodor Yarochkin RusCrypto 2014 March 25-28, 2014

Outline Basics Standards Tools Sharing IOCs IOCs composites Case Study More on Tools Questions

Introduction Indicators of Compromise Indicator of compromise (IOC) in computer forensics is an artifact observed on network or in operating system that with high confidence indicates a computer intrusion. http://en.wikipedia.org/wiki/indicator_of_compromise

IOC workflow A typical flow with Indicators of Compromise: source: Sophisticated indicators for the modern threat landscape, 2012 paper

Standards: OpenIOC OpenIOC - Mandiant-backed effort for unform representation of IOC (now FireEye) http://www.openioc.org/

Standards: Mitre Mitre CybOX: http://cybox.mitre.org/ https://github.com/cyboxproject/tools https://github.com/cyboxproject/openioc-to-cybox Mitre CAPEC: http://capec.mitre.org/ Mitre STIX: http://stix.mitre.org/ Mitre TAXII http://taxii.mitre.org/

Open-source tools OpenIOC manipulation https://github.com/stixproject/openioc-to-stix https://github.com/tklane/openiocscripts Mantis Threat Intelligence Framework https://github.com/siemens/django-mantis.git Mantis supports STIX/CybOX/IODEF/OpenIOC etc via importers: https://github.com/siemens/django-mantis-openioc-importer Search splunk data for IOC indicators: https://github.com/technoskald/splunk-search Our framework: http://github.com/fygrave/iocmap/

Online Sharing of IOCs http://iocbucket.com/

Policies on Sharing Policies on sharing IOCs: what to be shared/can be shared who to share with when to share

Where to look for IOCs: Outbound Network Traffic User Activities/Failed Logins User profile folders Administrative Access Access from unsual IP addresses Database IO: excessive READs Size of responses of web pages Unusual access to particular files within Web Application (backdoor) Unusual port/protocol connections DNS and HTTP traffic requests Suspicious Scripts, Executables and Data Files

Challenges Why we need IOCs? because it makes it easier to systematically describe knowledge about breaches. Identifying intrusions is hard Unfair game: defender should protect all the assets attacker only needs to poop one system. Identifying targeted, organized intrusions is even harder Minor anomalous events are important when put together Seeing global picture is a mast Details matter Attribution is hard

Challenges All networks are compromised The difference between a good security team and a bad security team is that with a bad security team you will never know that you ve been compromised.

An Example A Network compromise case study: Attackers broke via a web vuln. Attackers gained local admin access Attackers created a local user Attackers started probing other machines for default user ids Attackers launched tunneling tools connecting back to C2 Attackers installed RATs to maintain access

Indicators So what are the compromise indicators here? Where did attackers come from? (IP) What vulnerability was exploited? (pattern) What web backdoor was used? (pattern, hash) What tools were uploaded? (hashes) What users were created locally? (username) What usernames were probed on other machines

Good or Bad? F i l e Name : R a s T l s. e x e F i l e S i z e : 105 kb F i l e Mo dificat ion Date /Time : 2009: 02: 09 19:42:05+08:00 F i l e Type : Win32 EXE MIME Type : a p p l i c a t i o n / o c t e t s t r e a m Machine Type : I n t e l 386 o r l a t e r, and c o m p a t i b l e s Time Stamp : 2 0 0 9 : 0 2 : 0 2 1 3 :38:37+08:00 PE Type : PE32 L i n k e r V e r s i o n : 8. 0 Code S i z e : 49152 I n i t i a l i z e d Data S i z e : 57344 U n i n i t i a l i z e d Data S i z e : 0 E n t r y P o i n t : 0 x3d76 OS V e r s i o n : 4. 0 Image V e r s i o n : 0. 0 S u b s y s t e m V e r s i o n : 4. 0 S u b s y s t e m : Windows GUI F i l e V e r s i o n Number : 1 1. 0. 4 0 1 0. 7 P r o d u c t V e r s i o n Number : 1 1. 0. 4 0 1 0. 7 F i l e OS : Windows NT 32 b i t O b j e c t F i l e Type : E x e c u t a b l e a p p l i c a t i o n Language Code : E n g l i s h (U. S. ) C h a r a c t e r Set : Windows, L a t i n 1 Company Name : Symantec C o r p o r a t i o n F i l e D e s c r i p t i o n : Symantec 8 0 2. 1 x S u p p l i c a n t F i l e V e r s i o n : 1 1. 0. 4 0 1 0. 7 I n t e r n a l Name : d o t 1 x t r a y

It really depends on context RasTls. DLL RasTls. DLL. msc RasTls. exe http://msdn.microsoft.com/en-us/library/ms682586(v=vs.85).aspx Dynamic-Link Library Search Order

Tools for Dynamic Detection of IOC Snort Yara + yara-enabled tools Moloch Splunk/Log search

Tools for Dynamic Detection Moloch Moloch supports Yara (IOCs can be directly applied) Moloch has tagger plugin: # t a g g e r. so # p r o v i d e s a b i l i t y to import t e x t f i l e s with IP and/ or hostn # i n t o a s e n s o r t h a t would cause a u t o t a g g i n g o f a l l matching p l u g i n s=t a g g e r. so t a g g e r I p F i l e s=b l a c k l i s t, tag, tag, tag... t a g g e r D o m a i n F i l e s=d o m a i n b a s e d b l a c k l i s t s, tag, tag, tag

Sources of IOCs ioc bucket: http://iocbucket.com Public blacklists/trackers could also be used as source: https: //zeustracker.abuse.ch/blocklist.php?download=ipblocklist https: //zeustracker.abuse.ch/blocklist.php?download=domainblocklist Eset IOC repository https://github.com/eset/malware-ioc more coming?

where to mine IOC passive HTTP (keep your data recorded) passive DNS These platforms provide ability to mine traffic or patterns from the past based on IOC similarity show me all the packets similar to this IOC We implemented a whois service for IOC look-ups whois h i o c. h o s t. com a t t r i b u t e : v a l u e+a t t r i b u t e : v a l u e

Mining IOCs from your own data find and investigate incident Or even read paper determine indicators and test it in YOUR Environment use new indicators in the future see IOC cycle we mentioned earlier

Example If event chain leads to compromise h t t p : / / h t t p : / / h t t p : / / h t t p : / / l i a p o l a s e n s [. ] i n f o / indexm. h t m l l i a p o l a s e n s [. ] i n f o / c o u n t e r. php? t=f&v=win %2011,7,700,169& a=t r u e l i a p o l a s e n s [. ] i n f o /354 R I c x l i a p o l a s e n s [. ] i n f o /054 R I c x What to do?

Use YARA, or tune your own tools r u l e { susp_params_in_url_kind_of_fileless_bot_drive_by meta : date = " oct 2013 " d e s c r i p t i o n = " L a n d i n g hxxp : / / j d a t a s t o r e l a m e. i n f o / indexm. h t m l 0 4. 1 0. 2 0 1 3 1 3 : 1 4 1 0 8. 6 d e s c r i p t i o n 1 = " J a v a S p l o i t hxxp : / / j d a t a s t o r e l a m e. i n f o /054 RIwj " s t r i n g s : $ s t r i n g 0 = " h t t p " $ s t r i n g 1 = " indexm. h t m l " $ s t r i n g 2 = " 054 RI " } c o n d i t i o n : a l l o f them

Use snort to catch suspicious traffic: # many plugx d e p l o y m e n t s c o n n e c t t o g o o g l e DNS when n o t i n u s e a l e r t t c p! $DNS_SERVERS any > 8. 8. 8. 8 53 ( msg : "APT p o s s i b l e PlugX G o o g l e DNS TCP p o r t 53 c o n n e c t i o n a t t e m p t " ; c l a s s t y p e : misc a c t i v i t y ; s i d : 5 0 0 0 0 0 1 1 2 ; r e v : 1 ; )

GRR: Google Rapid Response: http://code.google.com/p/grr/ Hunting IOC artifacts with GRR

GRR: Creating rules

GRR: hunt in progress

IOC management portal

IOC exportable to json { " 8000 " : { " IP " : [ 2 1 2. 8 3. 1 6 7. 1 9 2, 2 1 2. 8 3. 1 7 0. 1 4, 2 1 2. 8 3. 1 7 0. 2 2, 2 1 2. 8 3. 1 7 3. 1 6 3, 2 1 " f y f l a s h " : { " IP " : [ 1 0 3. 2 4 6. 2 4 6. 1 0 3, 7 4. 1 2 6. 1 7 7. 6 8, 2 0 4. 2 0 0. 2 2 2. 1 3 6, 1 9 4. 1 8 3. 2 2 4. 7 5 7 6. 7 3. 8 0. 1 8 8, 7 4. 1 2 6. 1 7 7. 7 0, 1 9 2. 7 4. 2 4 6. 2 1 9, 7 4. 1 2 6. 1 7 7. 2 4 1 ], " Domain " : [ wmi. n s 0 1. u s, p r o x y. ddns. i n f o, windows. ddns. u s, m i c r o s a f e s. no i p. o r g, f u c k c h i n a. govnb. com, i d s. n s 0 1. u s, u p d a t e d n s. n s 0 1. u s, u p d a t e d n s. n s 0 2. u s, a d s e r v i c e. no i p. o r g, j a v a. n s 1. name ], "MD5" : [ 7d810e3564c4eb95bcb3d11ce191208e, 1ec5141051776ec9092db92050192758 ] }, " b t c " : { " IP " : [ 1 8 4. 1 0 6. 1 4 6. 2 4 4 ] }, " s l v b u s o " : { "MD5" : [ 45645 F17E3B014B9BCE89A793F5775B2 ], " Domain " : [ h e l l d a r k. b i z ] }, " s p " : { " IP " : [ 1 9 4. 5 8. 9 1. 1 8 6, 9 5. 1 5 6. 2 3 8. 1 4, 1 9 2. 9 5. 4 6. 0, 1 9 8. 5 0. 1 3 1. 2 2 0, 1 9 8. 5 0. 2 4 1 9 8. 5 0. 1 4 0. 7 2, 9 5. 1 5 6. 2 3 8. 5, 1 9 2. 9 5. 4 6. 2 5 ] }, "pw" : { " IP " : [ 1 8 5. 8. 1 0 6. 9 7, 1 9 5. 2. 2 5 3. 2 5 ] }, " sophmdropfqi " : { "MD5" : [ c f 6 5 6 f d 9 f 8 3 9 a 5 c d 5 6 b b 9 9 9 1 9 7 7 4 5 a 4 9 ], " Domain " : [ s a m i o l l o. o r g ] " s y m s r " : { " IP " : [ 2 1 2. 9 5. 3 2. 5 2, 9 5. 2 1 1. 1 3 0. 1 3 2, 1 2 3. 4 5. 6 7. 8 9 ], " Domain " : [ w e r t d g h b y r u k l. ch, r g t r y h b g d d t y h. b i z ] } " f a k e i n s t r " : { " IP " : [ 4 6. 1 6 5. 2 5 0. 2 3 7, 4 6. 1 6 5. 2 5 0. 2 3 6, 4 6. 1 6 5. 2 5 0. 1 9 7 ] }, " m s P r o l a c o " : { " Domain " : [ k a t h e l l. com, c o g i n i x. o r g ] } }

and every manager loves graphs :p

Q and A Or contact us at...

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback