What are-you-investigate-today? (version 2.0)

What Will You Investigate Today?

InfoSecurity.nl 11/2013 - Xavier Mertens

TrueSec

$ whoami

• Xavier Mertens (@xme)

!

• Consultant @ day

!

• Blogger @ night

!

• BruCON co-organizer��2

TrueSec

$ cat disclaimer.txt

“The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.”

��3

TrueSec

Agenda

• Introduction

• Interesting protocols

• Public resources

• Toolbox

��4

TrueSec

Feeling This?

��5

TrueSec

Or This?

��6

TrueSec

Me? Breached?

��7

• In 66% of investigated incidents, detection was a matter of months or even more

• 69% of data breaches are discovered by third parties

(Source: Verizon DBIR 2012)

TrueSec

“Grepping” for Gold

��8

• Tracking users

• Suspicious traffic

• Out-of-business

• Compliance

• Exfiltration

• “Below the radar”

TrueSec

Sources

��9

• OS / Applications Events

• Network protection(FW, ID(P)S, Proxies, etc)

• Users Credentials

• IP, Domains, URLs

• Filenames, Database rows

• Hashes (MD5, SHA1)

• Metadata

TrueSec

IOC

��10

“In computer forensics, an Indicator of Compromise is an artefact observed on a network or in operating system that with high confidence indicates a computer intrusion.”

(Source: wikipedia.org)

TrueSec

Multiple Sources

• Automatic (logfiles, events)

• Online repositories

• Internal resources

• Developers!

��11

TrueSec

Classification

��12

• Tag your events with “classification” info

• Help you to build better detection schemes

attack, reconnaissance, scan, auth_success, auth_fail, firewall_allow, firewall_drop, etc

info, warning, error, critical, emergency

TrueSec

“Active” Lists

��13

• Temporary or suspicious information to track and dynamically updated

• Examples: Contractors, Admins, Terminated Accounts, Countries (GeoIP)

• If grep(/$USER/, @ADMINS) { ... }

TrueSec

Correlation

��14

YourRecipes

Evidences

TrueSec

Visibility!

��15

TrueSec

Agenda

• Introduction



• Toolbox

��16

TrueSec

Golden Rule

��17

“Anything unknown must be considered as suspicious”

TrueSec

DNS• No DNS, no Internet!

• Can help to detect data exfiltration, communications with C&C (malwares)

• Alert on any traffic to untrusted DNS

• Allow only local DNS as resolvers

• Investigate for suspicious domains

• Track suspicious requests (TXT)

��18

TrueSec

HTTP• HTTP is the new TCP


• Inspect HTTPS (Check with your legal dept before playing MitM!)

• Search for interesting hashes

��19

TrueSec

SMTP

• Because it remains the 1st infection path!

• Track outgoing emails


��20

TrueSec

Netflow

• Analyze network flows

• Src Port

• Src IP

• Dst Port

• Dst IP

• Timestamp

��21

TrueSec

Agenda

• Introduction



• Toolbox

��22

TrueSec

IP Addresses

• http://www.malwaredomainlist.com/hostslist/ip.txt

• Correlate your firewall logs

• GeoIP

��23

TrueSec

IP Addresses

• http://dshield.org

• http://zeustracker.abuse.ch/blocklist.php

• http://www.nothing.org/honeypots.php

��24

TrueSec

Domains

• DNS-BH (malwaredomains.com) http://mirror1.malwaredomains.com/files/domains.txthttp://mirror1.malwaredomains.com/files/spywaredomains.zoneshttp://www.malwaredomainlist.com/hostslist/hosts.txt

• spam404bl.com/blacklist.txt

• Correlate your resolver logs

��25

TrueSec

URLs• http://malwareurls.joxeankoret.com/

normal.txt

• http://hosts-file.net/

• http://www.malware.com.br/

• http://malc0de.com/bl/

• http://scumware.com

��26

http://scumware.com

TrueSec

Hashes

• http://malware.lu

• http://virustotal.com

• http://www.malwr.com

��27

TrueSec

$ cat disclaimer2.txt

��28

“Data are provided for ‘free’ but the right to us can be restricted to specific conditions (ex: cannot be re-used for commercial applications). Always read carefull the terms of use. Some services require prior registration and use of APIs”

TrueSec

OSINT“Set of techniques to conduct regular reviews and/or continuous monitoring over multiple sources, including search engines, social networks, blogs, comments, underground forums, blacklists/whitelistsand so on. “

��29

TrueSec

OSINT

��30

• Think “out of the box”!

• What identify you on the Internet?

• Domain names

• IP addresses

• Brand

• Monitor them!

TrueSec

Agenda

• Introduction



• Toolbox

��31

TrueSec

OpenIOC• Open framework

• Sharing threatintelligence

• XML based

��32

TrueSec

URLs

• Google SafeBrowsing

use Net::Google::SafeBrowsing2; use Net::Google::SafeBrowsing2:::Sqlite; my gsb = Net::Google::SafeBrowsing2->new( key => “xxx”, storage => Net::Google::SafeBrowsing2::Sqlite->new(file => “google.db”) ); $gsb->update(); my $match = $gsb->lookup(url => “http://evil.com”); if ($match eq MALWARE) { ... }

��33

http://evil.com

TrueSec

Hashes• http://blog.didierstevens.com/2013/05/03/

virustotal-searching-and-submitting/

• Example from Python:

>> import virustotal >> api = virustotal.VirusTotalAPI("MYAPIKEY") >> print api.get_file_report(resource="99017f6eebbac24f351415dd410d522d") {"report": ["2010-04-13 23:28:27", {"nProtect": "", "CAT-QuickHeal": "", "McAfee": "Generic.dx!rkx", "TheHacker": "Trojan/VB.gen", "VirusBuster": "", "NOD32": "a variant of Win32/Qhost.NTY", "F-Prot": "", "Symantec": "", "Norman": "", "a-squared": "Trojan.Win32.VB!IK", ...}], "permalink": "http://www.virustotal.com/file-scan/report.html?id=a8...", "result": 1}

��34

TrueSec

IP Reputation

• http://isc.sans.edu/api/ip/50.46.90.187

• Example received in XML:<ip> <number>50.46.90.187</number> <count>186</count> <attacks>27</attacks> <maxdate>2013-10-26</maxdate> <mindate>2013-08-30</mindate> <updated>2013-10-27 04:34:04</updated> <country></country> <as>5650</as> <asname> FRONTIER-FRTR - Frontier Communications of America, Inc. </asname> <network>50.32.0.0/12</network> <comment/> </ip>

��35

TrueSec

pastebin.com• A gold mine for exfiltrated data!

• Interesting search:

• Logins

• Email addresses

• IPs, domains

• Tool: pastemon.pl

• https://github.com/xme/pastemon

��36

TrueSec

Data Parsers

• d3.js Javascript library

• Example of implementation: malcom (Malware Communications Analyzer)

• https://github.com/tomchop/malcom

��37

TrueSec

Data Parser

��38

TrueSec

Offline Honeypots

• Fake .conf file on the desktop

• Fake row in a SQL DB

• Track activity using yourIDS or SIEM

��39

TrueSec

The Conductor

• OSSEC

• Log Management

• Active-Response

• Powerful alerts engine

��40

TrueSec

Online Tools

• http://urlquery.net

• http://bgpranking.circl.lu/

• http://www.informatica64.com/foca.aspx

• http://virustotal.com

��41

TrueSec

Conclusions

• Know your environment

• You have plenty of useful (big)data

• Free software can help you (but the project is not free)

• To do good defensive security, know your enemy!(learn how bad guys work)

��42

TrueSec

Questions?

@xme

[email protected]

http://blog.rootshell.be

https://www.truesec.be

��43

https://www.truesec.be

What are-you-investigate-today? (version 2.0)

Technology

whoami xavier mertens

brucon coorganizer truesec