NetWitness Investigator Freeware - SANS · PDF fileNetwork Intelligence, Threat Indicators and Session Exploitation Brian Girardi. Director, Product Management. NetWitness Corporation.

| Copyright 2010 © All rights reserved. NetWitness Corporation1

NetWitness Investigator FreewareNetwork Intelligence, Threat Indicators and Session Exploitation

Brian GirardiDirector, Product ManagementNetWitness [email protected]


Agenda

» Investigator Freeware Introduction/Review» Advanced Features

‣ Integration via “custom actions”‣ Intelligence via “feeds”‣ Indicators via “rules”‣ Protocol/Session exploitation via “parsers”

» Implementation Scenarios


Investigator Freeware Core Concepts

» Its free! – requires annual registration» What makes Investigator different?

‣ Designed from an analysts perspective to answer complex questions from large amounts of raw network data

‣ Designed to analyze advanced threats, applications, content, incident response, <insert problem here>

‣ Empowers novice analysts AND accelerates experts‣ Models network traffic, and exposes syntax to expand the

model‣ Session-based NOT packet-based


Session Processing Step 1

Packet Collection & Reassembly before anything else• putting the pieces back together

data packetized out of order fragmented

Mixed with other trafficRetransmitted

xSession


Session Processing steps 2 & 3» Application Identification, Meta Extraction, and Modeling

• Don’t rely on port for true service type• Extract pertinent network and application data• Model and organize data for human consumption

HTTP != port 80


Standard Features

» Real-time, patented layer 7 analytics– Effectively analyze data starting from

application layer entities like users, email, address, files , and actions.

– Infinite, free-form analysis paths– Content starting points

» Captures raw packets live from wired or 802.11 wireless networks

» Imports packets from any open-source, home-grown and commercial packet capture system (e.g. .pcap file import)

» Extensive network and application layer filtering (e.g. MAC, IP, User, Keywords, Etc.)

» IPv6 support

» Full content search, with Regex support» Bookmarking & history tracking» Integrated GeoIP for resolving IP addresses

to city/county, supporting Google® Earth visualization

» SSL Decryption (with server certificate)» Interactive time charts, and summary view» Interactive packet view and decode» Hash data on capture and export» Integrated Org, Domain, and ISP

databases» Supports VLAN meta tagging» Supports IP Tunnel (i.e. GRE) meta tagging» And More….

Now lets discuss advanced features…


Apply Your Own Intelligence & Needs

» Custom Actions‣ “Right-click” query actions for context

» Feeds‣ Means for creating meta data based on a list of values‣ Ex. IP Reputation Feed

» Rules‣ Evaluation of meta elements to alert, filter, stop/change processing or create

more metadata‣ Ex. If ip.dst=1.2.3.4 AND user=‘bob’ then alert

» Parsers (aka FlexParse™)‣ Exploitation of sessions and full payload to create metadata‣ Ex. Identify packed executables/malware, interpret identify and profile

protocols.. Etc.


Aggregating Indicators

RulesParsing

Feeds Aggregation of these methods help profile actual threatening activity

• Advanced Threat• Insider Threat• Policy/Compliance• Etc.


Custom Actions


Custom Actions

» Configurable “right-click” actions out of Investigator to external tools‣ URL-based‣ Local Scripts

» Examples


Example: right-click hostname into Google

Other options…


Feeds


Feeds

» Means for creating meta data based on external lists ‣ IP Address‣ Hostnames‣ Any metadata element

» Typical Uses‣ Intelligence Feeds ( Internet Storm Center/Dshield Top 10000 for

example)‣ Define Physical or Logical mappings for metadata

• Campus, Department• User Identity via Active Directory• Network-specific maps• DHCP mappings• Etc…


Real-world feed uses

» Large Bank• 17,000 known Home User IPs cross-referenced with botnet membership list

» DOD• 4000+ subnets, largely model after base locations

» Financial Services Firm• Buildings• Functional Area ie: Network Infrastructure• System Area ie: Firewall, VPN, Critical Servers


Department & Location Feed

» Enterprise-specific context‣ IP Ranges that correlate to

• Company Department • Physical Location• Lat/Long Override

» Feed File Example#networks#

172.16.60.1,172.16.60.254,NW-Wireless172.16.70.1,172.16.70.254,NW-GuestNet10.21.1.1,10.21.1.255,NW Infrastructure,38.967490,-77.37953310.21.2.30,10.21.2.111,NW Users Net,38.967490,-77.379533 10.21.3.30,10.21.3.111,NW Dev Workstations,38.967490,-77.37953310.21.4.1,10.21.4.255,NW Dev Servers,38.967490,-77.37953310.21.5.1,10.21.5.111,NW VPN Users,38.967490,-77.37953310.21.6.30,10.21.6.111,NW Wireless,38.967490,-77.379533 67.10.149.25,67.10.149.25,Nw TXGW,29.7296,-98.1001 172.16.55.0,172.16.55.255,NW-TX,29.7296,-98.1001172.16.55.0,172.16.55.255,NW-TX,29.7296,-98.1001192.168.1.1,192.168.1.255,NW Lab,38.742641,-77.199997


Feed Definition File

<FlatFileFeed name="NetName" path="networks.txt" separator="," comment="#">

<LanguageKeys><LanguageKey name="netname" valuetype="Text"

srcname="netname.src" destname="netname.dst"/></LanguageKeys>

<Fields><Field index="1" type="index" range="low"/><Field index="2" type="index" range="high"/><Field index="3" type="value" key="netname"/>

</Fields>

</FlatFileFeed>


Netname Feed Classification


Analysis with Threat Feeds


Loading Internet Storm Center Feed

Load feeds


Feed Category Hits

Found hits on SANS feed


Session Details Review

HTTP putLikely C&C querystring

IP Found in SANS feed

Encoded/Encrypted payload


Rules


Rules

» Rules can be used to ‣ filter in/out data‣ truncate packets‣ alert/flag

» Rules span ‣ network elements‣ application layer elements

» Control depth of processing


Network Layer Rules


Application Layer Rules


Rule Examples

» Filter‣ Advertisements (ends in “doubleclick.net”)‣ Software Updates (ends in “liveupdate.symantec.com”)‣ Media (ends in “player.xmradio.com”)‣ Backup servers (192.168.1.54…etc)‣ Filter *(All), Keep email = “[email protected]”

» Truncate‣ Drop packet payload for port SSH and SSL

» Alert‣ Non-standard port activity (non-HTTP over port 80)‣ DynDNS Domains‣ BOT Profiles‣ Clear text passwords‣ Tunneling services ( gotomypc, anonymizers, etc. )‣ Specific threat profiles‣ Etc…etc…etc…


Rule Example

Tip: faster to check range than !=


Non-standard HTTP


Nonstandard HTTP Details


Facebook Koobface Malware Example

» Basic Rule:‣ Service = HTTP(80) && alias.host = ‘locator.getconnected.be’

» Better Rule:‣ Service = HTTP(80) && alias.host exists && (query contains 'action='

&& query contains 'c_fb=' && query contains 'c_ms=' && query contains 'c_hi=' && query contains 'c_tw=' && query contains 'c_be=' && query contains 'c_tg=' && query contains 'c_nl=’)

» Based on the url parameters koobface passes when it checks in

Ref: http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_20heart_20of_20koobface_final_1_.pdf

http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_20heart_20of_20koobface_final_1_.pdf


Parsers


FlexParse™

» FlexParse exposes the network session parsing and metadata model‣ Configure how to identify applications and extract data

• XML parser definitions• Register search tokens• Perform logic operations • Register metadata for the NetWitness system

» Why?‣ Instantly customize and expand processing and modeling behavior‣ Processing flexibility for networks with:

• heavy application profiles• proprietary protocols • and threats that don’t fall into common intrusion detection methods

» What's possible…‣ Expand baseline parsers, fast flux identification, social networking

profiling, mainframe exploitation, SCADA, file object identification, complex threat identification, …Etc.

Copyright 2007 NetWitness Corporation


SCADA MODBUS Parser


Simple MODBUS Parser

» Why? ‣ Need insight into SCADA over IP to correlate with other network activity –

critical infrastructure monitoring» Demonstrate

‣ Create new Service type for MODBUS ‣ Simple text based protocol has numeric tokens that map to actions:

• “Read Coil Status”• “Read Input Status”• “Read Hold Registers” • “Read Input Registers” • “Force Single Coil”• “Force Multiple Coils”• Etc……


MODBUS Protocol

» If port 502 AND tokens exist then classify and extract actions ---» Request

MODBUSPROTOCOL

ACTION


Simple MODBUS protocol FlexParser Syntax

<?xml version="1.0" encoding="utf-8"?>

<parsers xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="parsers.xsd”><parser name="MODBUS" desc="MODBUS SCADA Protocol" service="502"><declaration><number name="vTemp" /><number name="vState" /><number name="vID"/><port name="server-port" value="502" /><meta name="action" format="Text" key="action"/>

</declaration><match name="server-port”><assign name="vTemp" value="1" /><while name="vTemp" equal="1”><assign name="vTemp" value="0" /><move value="2”><read name="vState" length="2”><if name="vState" equal="0”><assign name="vID" value="1" /><assign name="vTemp" value="1" /><move value="3”><read name="vState" length="1”>

<if name="vState" equal="1”><register name="action" value="Read Coil Status"/>

</if><if name="vState" equal="2”>

<register name="action" value="Read Input Status"/></if><if name="vState" equal="3”>

<register name="action" value="Read Hold Registers"/></if><if name="vState" equal="4”>

<register name="action" value="Read Input Register"/></if>

…………….


Detecting Malicious PDF Parser


Detecting Malicious PDFs

» Why?‣ One of the most pervasive exploitation techniques used currently‣ Very effective exploitation technique that can be difficult to detect

» Demonstrate‣ Combined existence of PDF tokens, including javascript that classifies

potentially malicious objects‣ Use “flags” to keep “state” between several different <match>

statements


Parser Logic

» Find the following token:‣ HTTP/1.1 200 OK

» If above is found, then find token:‣ Content-Type: application/pdf

» If above is found, then find token:‣ %PDF-1.

» If above is found, then alert if the following is found:‣ /S/JavaScript


Parser Syntax

<declaration> <token name="token_http_header" value="HTTP/1.1 200 OK" options="linestart"/> <token name="token_content_type" value="Content-Type: application/pdf" options="linestart"/> <token name="token_pdf_header" value="%PDF-1."/> <token name="token_open_brackets" value="<<"/> <number name="flag_state_traker" scope="session"/> <string name="str_holding"/> <number name="num_offset"/> <meta name="event" key="alert" format="Text"/> </declaration> Declare tokens


Parser Syntax

<match name="token_http_header"> <assign name="flag_state_traker" value="1"/> </match> <match name="token_content_type"> <if name="flag_state_traker" equal="1"> <assign name="flag_state_traker" value="2"/> </if> </match> <match name="token_pdf_header"> <if name="flag_state_traker" equal="2"> <assign name="flag_state_traker" value="3"/> </if> </match>

Maintain state of token identification


Parser Syntax

<match name="token_open_brackets"> <if name="flag_state_traker" equal="3"> <find value=">>" length="50" name="num_offset"> <read length="$num_offset" name="str_holding"> <find in="$str_holding" name="num_offset" value="S/JavaScript"> <register name="event" value="lab_advanced_pdf_with_javascript"/> </find> </read> </find> </if> </match>

Find javascript in PDF


Suspicious Trigger

Parser alert


PDF with Javascript

Matchedtokens


JRE 0day Analysis … the short versionUsing Feeds, Rules & Parsers to Investigate & Profile


Background

» April 9th 2010 – Tavis Ormandy of Google Security identifies Java Deployment Toolkit flaw

‣ Affects all versions of Java

» April 11th Active exploitation via Rogue Advertisements on nytimes.com, foxnews.com, oprah.com, ufc.com and others

‣ Malicious .jar file

‣ Referrers contains ‘nytimes.com’,’foxnews.com’, ’oprah.com’,ufc.com’

» How do we leverage feeds, rules and parsers to profile? Do I have a problem?‣ 0day, feeds may not provide intelligence


Hunting for Anomalous Traffic

» Profile HTTP for java-archives (potential deployment toolkit)» Rule: service = HTTP(80) && content = ‘application/java-archive’

Dig more on this…


Internal host being referred to what?

» Use IP from anomalous traffic analysis‣ Rule: ip.src = 156.145.x.x && referrer contains

‘nytimes.com’,’foxnews.com’,etc..’» Redirection to 95.211.14.21

‣ Netherlands Hosting Provider‣ 95.211.14.21/measure/ad.php‣ Inspect php

» Rule to profile & find ad.php querystring:‣ service = HTTP(80) && (query contains 'pl=' &&

query contains 'ce=' && query contains 'hb=' && query contains 'av=' && query contains 'jv=’)


Ad.php behavior

Really?.gif?

» Downloads “p.gif” from referred location

» How many times have I seen this “.gif”?


Compromised Hosts

» Rule: service = HTTP(80) && filename=‘p.gif’ && content = ‘application/octet-stream’

» 3 Sessions» 3 Unique hosts


Deeper Analysis…

» p.gif (exe) appears corrupt‣ Does that mean no one was infected?

» Let’s have a look at the .jar

» .jar modifies the first two bytes of the binary to subvert “MZ” token signatures

» FlexParse profile the malware…

MZ

Huh?


Flex Parser for Obfuscated Exe in Image<parser name="non_matching_app_content_type" desc="non_matching_app_content_type">

<declaration><meta name="alert" key="alert" format="Text"/>

<token name="get" value="GET " options="linestart"/><token name="content" value="This program cannot be run in DOS mode"/><token name="content" value="This program must be run under Win32"/><token name="named_types" value=".jpg HTTP/1.1" options="linestop"/><token name="named_types" value=".gif HTTP/1.1" options="linestop"/><token name="named_types" value=".png .....<snip>

<number name="session_flag" scope="session"/></declaration>

<match name="get"><assign name="session_flag" value="0"/>

</match><match name="named_types">

<if name="session_flag" equal="0"><assign name="session_flag" value="2"/>

</if></match>

<match name="content"><if name="session_flag" equal="2">

<register name="alert" value="non_matching_app_content_type"/><assign name="session_flag" value="0"/>

</if></match>

If GET image & content contains“… run in DOS mode…”“… under Win32…”


Summary

» Investigator – Free!» Custom actions, Feeds, Rules and Parsers expand to expand analytical

capabilities» Aggregating advanced indicators and profiling techniques really help

» Resources‣ Community (http://community.netwitness.com)

• Rule examples• FlexParser examples• Tips/Tricks• Discussion

‣ YouTube (http://www.youtube.com/netwitness)‣ Training Webcasts ( www.netwitness.com )‣ Brian Girardi, [email protected]

http://community.netwitness.com/

http://www.youtube.com/netwitness

http://www.netwitness.com


Q&A

NetWitness Investigator Freeware - SANS · PDF fileNetwork Intelligence, Threat Indicators and Session Exploitation Brian Girardi. Director, Product Management. NetWitness Corporation.

Documents