Compromise Indicator Magic
Transcript

  • 1. Compromise Indicator Magic: Living with Compromise
    Vladimir Kropotov, Vitaly Chetvertakov, Fyodor Yarochkin
    PhDays 2014. Affiliations: Academia Sinica, o0o.nu, chroot.org
    May 22, 2014, Moscow
    (Section navigation bar shown on every slide: Introduction, IOC Standards, V:IOCs, mining IOCs, Applying IOCs, Case studies, Categorizing Incidents, Practical tasks, Analysing Network traffic)
  • 2. Outline
    - Introduction
    - IOC Standards
    - V:IOCs
    - mining IOCs
    - Applying IOCs
    - Case studies
    - Categorizing Incidents
    - Practical tasks
    - Analysing Network traffic
    - Analyzing HTTP logs
    - Analyzing AV logs
    - Creating 0wn IOCs
    - EOF
  • 3. Everyone is p0wn3d :)
  • 4. Challenges
    Main assumption: all networks are compromised.
    The difference between a good security team and a bad security team is that with a bad security team you will never know that you've been compromised.
  • 5. Statistics
    - about 40,000,000 internet users in Russia
    - for every 10,000 server hosts, 500 hosts trigger redirects to malicious content per week
    - about 20-50 user machines (full AV installed, NAT, FW) get affected
  • 6. Campaigns
    - r*.ru, news, ~ 790 000
    - ne*.com, news, ~ 590 000
    - ga*.ru, news, ~ 490 000
    - a*f.ru, news, ~ 330 000
    - m*.ru, news, ~ 315 000
    - v*.ru, news, ~ 170 000
    - li*.ru, news, ~ 170 000
    - top*s.ru, news, ~ 140 000
  • 7. Introduction: terminology
    Indicators of Compromise: an indicator of compromise (IOC) in computer forensics is an artifact observed on a network or in an operating system that with high confidence indicates a computer intrusion. http://en.wikipedia.org/wiki/Indicator_of_compromise
  • 8. Why Indicators of Compromise?
    Indicators of Compromise help us to answer questions like:
    - is this document/file/hash malicious?
    - is there any past history for this IP/domain?
    - what are the other similar/related domains/hashes/...?
    - who is the actor?
    - am I an APT target?!! ;-)
  • 9. Workshop: hands-on part
    If you'd like to try as we go, these are the tools we are about to cover:
    - http://github.com/fygrave/ndf
    - http://github.com/fygrave/hntp
    - fiddler
    - elasticsearch && http://github.com/aol/moloch (vm)
    - yara (as moloch plugin)
    - hpfeeds
    - CIF
    - https://github.com/STIXProject/openioc-to-stix/
  • 10. IOC representations
    Multiple standards have been created to facilitate IOC exchanges.
    - Mandiant: OpenIOC
    - Mitre: STIX (Structured Threat Information Expression), CybOX (Cyber Observable Expression)
    - Mitre: CAPEC, TAXII
    - IODEF (Incident Object Description Format)
  • 11. Standards: OpenIOC
    OpenIOC - Mandiant-backed (now FireEye) effort for a uniform representation of IOCs. http://www.openioc.org/
  • 12. OpenIOCs
    Digital Appendices/Appendix G (Digital) - IOCs$ ls
    (directory listing of Mandiant's Appendix G: UUID-named .ioc files and "Appendix G IOCs README.pdf")
  • 13. Standards: Mitre
    - Mitre CybOX: http://cybox.mitre.org/ ; https://github.com/CybOXProject/Tools ; https://github.com/CybOXProject/openioc-to-cybox
    - Mitre CAPEC: http://capec.mitre.org/
    - Mitre STIX: http://stix.mitre.org/
    - Mitre TAXII: http://taxii.mitre.org/
  • 14. Mature: STIX
  • 15. Indicators of Compromise
    - Complex IOCs covering all steps of an attack
    - Dynamic creation of IOCs on the fly
    - Auto-reload of IOCs, TTLs
    - Dealing with different standards / import and export
  • 16. Exploit pack trace (the ref column is cut off at the right edge of the slide)
    url | ip | mime type | ref
    http://cuba.eanuncios.net/1/zf3z9lr6ac8di6r4kw2r0hu3ee8ad.html | 93.189.46.222 | text/html | http://www.smeysyatu...
    http://cuba.eanuncios.net/2909620968/1/1399422480.htm | 93.189.46.222 | text/html | http://cuba.eanuncio...
    http://cuba.eanuncios.net/2909620968/1/1399422480.jar | 93.189.46.222 | application/java-archive | -
    http://cuba.eanuncios.net/2909620968/1/1399422480.jar | 93.189.46.222 | application/java-archive | -
    http://cuba.eanuncios.net/f/1/1399422480/2909620968/2 | 93.189.46.222 | - | -
    http://cuba.eanuncios.net/f/1/1399422480/2909620968/2/2 | 93.189.46.222 | - | -
  • 17. Nuclearsploit pack (per-step structure; values cut off at the right edge of the slide are marked ...)
    {'Nuclearsploit pack': {
        'step1': {'files': ['wz3u6si8e5lh7k2tk5ox4ne6d8g.html', 't3f5y9a2bb3dl7z8gc4o6f.html', 'zf3z9lr6ac8di6r4k...
                  'domains': ['father.ferremovil.com', 'thai.alohatransllc.com', 'cuba.eanuncios.net', 'duncan....
                  'arguments': [],
                  'directories': ['1'],
                  'ip': ['93.189.46.201', '93.189.46.203', '93.189.46.222', '93.189.46.224', '93.189.46.233']},
        'step2': {'files': ['1399422480.htm', '1399704720.htm', '1399513440.htm', '1399514040.htm', '1399773300.htm'],
                  'domains': ['cuba.eanuncios.net', 'duncan.disenocorporativo.com.ar', 'homany.collectiveit.com....
                  'arguments': [],
                  'directories': ['2909620968', '1', '507640988', '940276731', '3957283574', '952211704'],
                  'ip': ['93.189.46.222', '93.189.46.224', '93.189.46.233']},
        'step3': {'files': ['1399422480.jar', '1399513440.jar'],
                  'domains': ['cuba.eanuncios.net', 'homany.collectiveit.com.au'],
                  'arguments': [],
                  'directories': ['2909620968', '1', '940276731'],
                  'ip': ['93.189.46.222', '93.189.46.224']},
        'step4': {'files': ['2'],
                  'domains': ['cuba.eanuncios.net'],
                  'arguments': [],
                  'directories': ['f', '1', '1399422480', '2909620968', '2'],
                  'ip': ['93.189.46.222']}}}
  • 18. Redirect (example)
    http://mysimuran.ru/forum/kZsjOiDMFb/
    http://mysimuran.ru/forum/kZsjOiDMFb/js.js?4231
    http://c.hit.ua/hit?i=59278&g=0&x=2
    http://f-wake.browser-checks.info:28001/d1x/3/87475b26a521024ce78d7ea73164140a/http%3A%2F%2Fagency.accordinga.pw%2Fremain%2Funknown.h...
  • 19. Redirect Example (same per-step structure; values cut off at the right edge of the slide are marked ...)
    {'28001': {
        'step1': {'directories': ['forum', 'kZsjOiDMFb', 'epygFrFsoU'],
                  'arguments': [],
                  'files': [''],
                  'ip': ['89.111.178.33'],
                  'domains': ['mysimuran.ru']},
        'step2': {'directories': ['forum', 'kZsjOiDMFb', 'epygFrFsoU', 'kJXshWOMNC'],
                  'arguments': ['4231', '7697', '9741'],
                  'files': ['js.js', 'cnt.html'],
                  'ip': ['89.111.178.33'],
                  'domains': ['mysimuran.ru']},
        'step3': {'directories': [],
                  'arguments': ['i', 'g', 'x'],
                  'files': ['hit'],
                  'ip': ['89.184.81.35'],
                  'domains': ['c.hit.ua']},
        'step4': {'directories': ['d1x', '3', '87475b26a521024ce78d7ea73164140a', 'd36eb1fc80ebe9df515d043be1557...
                  'arguments': [],
                  'files': ['http%3A%2F%2Fagency.accordinga.pw%2Fremain%2Funknown.html%3Fmods%3D8%26id%3D26', ...
                  'ip': ['46.254.16.209'],
                  'domains': ['f-wake.browser-checks.info', 'a-oprzay.browser-checks.pw']}}}
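The per-step structure of slides 17 and 19 can be built from a list of observed hops. The following Python is an added example, not code from the ndf tool or from the talk: it assumes every hop is known as a (URL, server IP) pair, uses the slide 18 redirect chain as constructed input (hop IPs taken from the slide 19 output), and additionally scores a new chain against the resulting profile, which the talk's output does not show.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: the redirect chain of slide 18, paired with the server
# IPs that the slide 19 output lists for each hop.
REDIRECT_CHAIN = [
    ("http://mysimuran.ru/forum/kZsjOiDMFb/", "89.111.178.33"),
    ("http://mysimuran.ru/forum/kZsjOiDMFb/js.js?4231", "89.111.178.33"),
    ("http://c.hit.ua/hit?i=59278&g=0&x=2", "89.184.81.35"),
    ("http://f-wake.browser-checks.info:28001/d1x/3/87475b26a521024ce78d7ea73164140a/"
     "http%3A%2F%2Fagency.accordinga.pw%2Fremain%2Funknown.html", "46.254.16.209"),
]

STEP_KEYS = ("directories", "arguments", "files", "ip", "domains")


def decompose(url):
    """Split one URL into the attributes a step records.

    Query *values* are dropped on purpose: they vary per victim (session ids,
    timestamps), while argument names, path segments and hosts are what a kit
    reuses across victims and therefore what is worth keeping as an IOC.
    """
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    if parts.path.endswith("/") or not segments:
        directories, filename = segments, ""   # slide 19 records '' for a bare directory hit
    else:
        directories, filename = segments[:-1], segments[-1]
    arguments = [name for name, _ in parse_qsl(parts.query, keep_blank_values=True)]
    return {
        "domain": parts.hostname,
        "port": parts.port,
        "directories": directories,
        "file": filename,
        "arguments": arguments,
    }


def _extend_unique(target, values):
    for value in values:
        if value not in target:
            target.append(value)


def build_steps(chains):
    """Merge observed chains hop by hop into the stepN structure of slides 17/19.

    Hops at the same position are merged, so after several victims a step lists
    every directory, file, argument name, IP and domain seen at that stage.
    """
    steps = {}
    for chain in chains:
        for n, (url, ip) in enumerate(chain, start=1):
            step = steps.setdefault("step%d" % n, {k: [] for k in STEP_KEYS})
            d = decompose(url)
            _extend_unique(step["directories"], d["directories"])
            _extend_unique(step["arguments"], d["arguments"])
            _extend_unique(step["files"], [d["file"]])
            _extend_unique(step["ip"], [ip])
            _extend_unique(step["domains"], [d["domain"]])
    return steps


def campaign_profile(chains):
    """Key the merged steps by the non-standard port of the final hop, as the
    slide 19 output does ('28001'); 'default' when the last hop has no port."""
    last_port = decompose(chains[0][-1][0])["port"]
    label = str(last_port) if last_port else "default"
    return {label: build_steps(chains)}


def hop_matches(step, url, ip):
    """A hop matches a step when any stable attribute is already known there."""
    d = decompose(url)
    return (
        ip in step["ip"]
        or d["domain"] in step["domains"]
        or any(x in step["directories"] for x in d["directories"])
        or (d["file"] != "" and d["file"] in step["files"])
        or any(a in step["arguments"] for a in d["arguments"])
    )


def chain_similarity(steps, chain):
    """Fraction of a new chain's hops that match the profile at the same position.

    This is the 'show me everything similar to this IOC' query of slide 50
    reduced to one chain; 1.0 means every hop landed on known infrastructure.
    """
    matched = 0
    for n, (url, ip) in enumerate(chain, start=1):
        step = steps.get("step%d" % n)
        if step is not None and hop_matches(step, url, ip):
            matched += 1
    return matched / len(chain) if chain else 0.0


if __name__ == "__main__":
    print(campaign_profile([REDIRECT_CHAIN]))
```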
  • 20. IOCs
  • 21. IOCs3
  • 22. IOCs viz
  • 23. IOCs viz(02)
  • 24. IOCs viz(3)
  • 25. IOCs viz(4)
  • 26. IOCs viz(5)
  • 27. Nuclear sploitpack (user-agent check from the kit's landing page; the list is cut off at the right edge of the slide)
    function see_user_agent() {
        // browsers/platforms the kit does not target
        var replace_user_agent = ['Lunascape', 'iPhone', 'Macintosh', 'Linux', 'iPad', 'Flock', 'Se...];
        var low_user_agent = false;
        for (var i in replace_user_agent) {
            // stripos: case-insensitive substring helper, not shown on the slide
            if (stripos(navigator.userAgent, replace_user_agent[i])) {
                low_user_agent = true;
                break;
            }
        }
        return low_user_agent;
    }
  • 28. Sourcing External IOCs
    - CIF: https://code.google.com/p/collective-intelligence-framework/
    - feeds (with scrapers):
  • 29. Sourcing External IOCs: feed your scrapers
    - https://zeustracker.abuse.ch/blocklist.php?download=badips
    - http://malc0de.com/database/
    - https://reputation.alienvault.com/reputation.data
    - ...
    - VT intelligence
  • 30. Sourcing IOCs Internally
    - honeypot feeds
    - log analysis
    - traffic analysis
  • 31. Where to look for IOCs internally
    - Outbound network traffic
    - User activities / failed logins
    - User profile folders
    - Administrative access
    - Access from unusual IP addresses
    - Database IO: excessive READs
    - Size of responses of web pages
    - Unusual access to particular files within a web application (backdoor)
    - Unusual port/protocol connections
    - DNS and HTTP traffic requests
    - Suspicious scripts, executables and data files
  • 32. Challenges
    Why do we need IOCs? Because they make it easier to systematically describe knowledge about breaches.
    - Identifying intrusions is hard
    - Unfair game: the defender should protect all the assets, the attacker only needs to 'poop' one system
    - Identifying targeted, organized intrusions is even harder
    - Minor anomalous events are important when put together
    - Seeing the global picture is a must
    - Details matter
    - Attribution is hard
  • 33. Use honeypots
    - Running honeypots gives an enormous advantage in detecting emerging threats
    - Strategically placing honeypots is extremely important
  • 34. HPfeeds, Hpfriends and more
  • 35. HPFeeds Architecture
  • 36. HPFeeds API in a nutshell:
    import json
    import hpfeeds
    import pygeoip

    HOST = 'broker'
    PORT = 20000
    CHANNELS = ['geoloc.events']
    IDENT = 'ident'
    SECRET = 'secret'

    ip = '203.0.113.7'  # constructed placeholder: the source address of the honeypot hit being reported

    gi = pygeoip.GeoIP('GeoLiteCity.dat')           # MaxMind legacy city database
    hpc = hpfeeds.new(HOST, PORT, IDENT, SECRET)    # authenticated connection to the broker
    record = gi.record_by_addr(ip)                  # one lookup instead of the slide's two
    msg = {'latitude': record['latitude'],
           'longitude': record['longitude'],
           'type': 'honeypot hit'}
    hpc.publish(CHANNELS, json.dumps(msg))          # publish the event to every channel in CHANNELS
  • 37. hpfeeds integration
  • 38. NTP probe collector
  • 39. HPFeeds and honeymap
  • 40. Applying IOCs to your detection process
    moloch moloch moloch :)
  • 41. Tools for Dynamic Detection of IOC
    - Snort
    - Yara + yara-enabled tools
    - Moloch
    - Splunk / log search
    - roll-your-own :p
  • 42. Moloch
    Moloch is awesome:
  • 43. Open-source tools
    - OpenIOC manipulation: https://github.com/STIXProject/openioc-to-stix ; https://github.com/tklane/openiocscripts
    - Mantis Threat Intelligence Framework: https://github.com/siemens/django-mantis.git
      Mantis supports STIX/CybOX/IODEF/OpenIOC etc. via importers: https://github.com/siemens/django-mantis-openioc-importer
    - Search Splunk data for IOC indicators: https://github.com/technoskald/splunk-search
    - Our framework: http://github.com/fygrave/iocmap/
  • 44. iocmap
  • 45. MISP
    http://www.secure.edu.pl/pdf/2013/D2_1530_A_Socha.pdf
    https://github.com/MISP
  • 46. Tools for Dynamic Detection: Moloch
    Moloch supports Yara (IOCs can be directly applied).
    Moloch has an awesome tagger plugin (config excerpt; comment lines are cut off at the right edge of the slide):
    # tagger.so
    # provides ability to import text files with IP and/or hostnames
    # into a sensor that would cause autotagging of all matching ...
    plugins=tagger.so
    taggerIpFiles=blacklist,tag,tag,tag...
    taggerDomainFiles=domainbasedblacklists,tag,tag,tag
  • 47. Moloch plugins
    Moloch is easily extendable with your own plugins.
    https://github.com/fygrave/moloch_zmq makes it easy to integrate other things with Moloch via a ZMQ queue (pub/sub or push/pull model).
  • 48. Moloch ZMQ example
    CEP-based analysis of network traffic (using ESPER): https://github.com/fygrave/clj-esptool/
    (statements are cut off at the right edge of the slide; cut points are marked ...)
    (esp:add "create context SegmentedBySrc partition by src from WebDataEvent")
    (esp:add "context SegmentedBySrc select src, rate(30) as ra..., avg(rate(30)) as avgRate from WebDataEvent.win:time(30) having rate(30) < avg(rate(30)) * 0.75 output snapshot every 60 sec")
    (future-call start-counting)
  • 49. Sources of IOCs
    - ioc bucket: http://iocbucket.com
    - Public blacklists/trackers could also be used as a source:
      https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
      https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
    - Eset IOC repository: https://github.com/eset/malware-ioc
    - more coming?
  • 50. Where to mine IOCs
    - passive HTTP (keep your data recorded)
    - passive DNS
    These platforms provide the ability to mine traffic or patterns from the past based on IOC similarity: "show me all the packets similar to this IOC".
    We implemented a whois service for IOC look-ups:
    whois -h ioc.host.com attribute:value+attribute:value
  • 51. Mining IOCs from your own data
    - find and investigate an incident (or even read a paper)
    - determine indicators and test them in YOUR environment
    - use the new indicators in the future
    - see the IOC cycle we mentioned earlier
  • 52. Example
    If this event chain leads to compromise:
    http://liapolasens[.]info/indexm.html
    http://liapolasens[.]info/counter.php?t=f&v=win%2011,7,700,169&a=true
    http://liapolasens[.]info/354RIcx
    http://liapolasens[.]info/054RIcx
    What to do?
  • 53. Use YARA, or tune your own tools (the first description string is cut off at the right edge of the slide)
    rule susp_params_in_url_kind_of_fileless_bot_drive_by
    {
        meta:
            date = "oct 2013"
            description = "Landing hxxp://jdatastorelame.info/indexm.html  04.10.2013 13:14  108.6..."
            description1 = " Java Sploit hxxp://jdatastorelame.info/054RIwj     "
        strings:
            $string0 = "http"
            $string1 = "indexm.html"
            $string2 = "054RI"
        condition:
            all of them
    }
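Slide 53's rule is written for YARA; "tune your own tools" can mean applying the same all-of-them logic per client to proxy logs, where no single URL carries all three strings but one client's chain within a few minutes does. This Python scanner is an added example, not code from the talk: the log format (epoch, client IP, method, URL, status, MIME type) and the landing.example / intranet.example hosts are constructed, while the rule strings and condition are the slide's.

```python
import re
from collections import defaultdict

# Constructed sample log: epoch seconds, client, method, URL, status, MIME type.
# Client 10.0.0.12 walks a landing -> counter -> jar chain shaped like slide 52;
# client 10.0.0.33 fetches an unrelated page that merely shares a file name.
SAMPLE_LOG = """\
1380888840.123 10.0.0.12 GET http://landing.example/indexm.html 200 text/html
1380888845.456 10.0.0.12 GET http://landing.example/counter.php?t=f&v=win%2011,7,700,169&a=true 200 text/html
1380888850.789 10.0.0.12 GET http://landing.example/054RIwj 200 application/java-archive
1380889000.000 10.0.0.33 GET http://intranet.example/docs/indexm.html 200 text/html
"""

# Same strings and condition as the slide's YARA rule. 'window' (seconds) is the
# added scope: the strings must co-occur in one client's traffic within it.
# Note that "http" alone matches every URL; the signal is in the other two strings.
RULES = [
    {
        "name": "susp_params_in_url_kind_of_fileless_bot_drive_by",
        "strings": ["http", "indexm.html", "054RI"],
        "condition": "all of them",
        "window": 300,
    },
]

LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<mime>\S+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None for lines that do not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    return rec


def condition_met(condition, hits, total):
    """YARA-style conditions: 'all of them', 'any of them', 'N of them'."""
    if condition == "all of them":
        return hits == total
    if condition == "any of them":
        return hits > 0
    m = re.fullmatch(r"(\d+) of them", condition)
    if m:
        return hits >= int(m.group(1))
    raise ValueError("unsupported condition: %s" % condition)


def scan(lines, rules):
    """Apply the rules per client over a sliding time window.

    Returns one alert per (rule, client): the earliest window in which the
    condition held, with the strings that matched inside it.
    """
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_client[rec["client"]].append(rec)

    alerts = []
    for client, recs in sorted(by_client.items()):
        recs.sort(key=lambda r: r["ts"])
        for rule in rules:
            for i, start in enumerate(recs):
                window = [r for r in recs[i:] if r["ts"] - start["ts"] <= rule["window"]]
                matched = {s for s in rule["strings"] if any(s in r["url"] for r in window)}
                if condition_met(rule["condition"], len(matched), len(rule["strings"])):
                    alerts.append({
                        "rule": rule["name"],
                        "client": client,
                        "first": start["ts"],
                        "last": window[-1]["ts"],
                        "matched": sorted(matched),
                    })
                    break   # one alert per client and rule is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines(), RULES):
        print(alert)
```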
  • 54. Use snort to catch suspicious traffic:
    # many plugX deployments connect to google DNS when not in use
    alert tcp !$DNS_SERVERS any -> 8.8.8.8 53 (msg:"APT possible PlugX Google DNS TCP port 53 connection attempt"; classtype:misc-activity; sid:500000112; rev:1;)
  • 55. GRR: Google Rapid Response: http://code.google.com/p/grr/
    Hunting IOC artifacts with GRR
  • 56. GRR: Creating rules
  • 57. GRR: hunt in progress
  • 58. Campaign walkthrough
  • 59. An Example
    A network compromise case study:
    - Attackers broke in via a web vulnerability
    - Attackers gained local admin access
    - Attackers created a local user
    - Attackers started probing other machines for default user ids
    - Attackers launched tunneling tools, connecting back to C2
    - Attackers installed RATs to maintain access
  • 60. Indicators
    So what are the compromise indicators here?
    - Where did the attackers come from? (IP)
    - What vulnerability was exploited? (pattern)
    - What web backdoor was used? (pattern, hash)
    - What tools were uploaded? (hashes)
    - What users were created locally? (username)
    - What usernames were probed on other machines?
  • 61. Good or Bad?
    File Name: RasTls.exe
    File Size: 105 kB
    File Modification Date/Time: 2009:02:09 19:42:05+08:00
    File Type: Win32 EXE
    MIME Type: application/octet-stream
    Machine Type: Intel 386 or later, and compatibles
    Time Stamp: 2009:02:02 13:38:37+08:00
    PE Type: PE32
    Linker Version: 8.0
    Code Size: 49152
    Initialized Data Size: 57344
    Uninitialized Data Size: 0
    Entry Point: 0x3d76
    OS Version: 4.0
    Image Version: 0.0
    Subsystem Version: 4.0
    Subsystem: Windows GUI
    File Version Number: 11.0.4010.7
    Product Version Number: 11.0.4010.7
    File OS: Windows NT 32-bit
    Object File Type: Executable application
    Language Code: English (U.S.)
    Character Set: Windows, Latin1
    Company Name: Symantec Corporation
    File Description: Symantec 802.1x Supplicant
    File Version: 11.0.4010.7
    Internal Name: dot1xtray
  • 62. It really depends on context
    RasTls.DLL
    RasTls.DLL.msc
    RasTls.exe
    http://msdn.microsoft.com/en-us/library/ms682586(v=VS.85).aspx (Dynamic-Link Library Search Order)
    The Symantec RasTls.exe is a legitimate program on its own; what makes this file set suspicious is the RasTls.DLL placed beside it, because the default search order looks in the application's directory first, so the executable loads whatever RasTls.DLL sits next to it.
  • 63. Categorization based on public sources
  • 64. Categorization based on historical data
  • 65. Categorization based on cross-source correlation
    - Visualizing the threats
    - Filtering noisy extras
    - Making decisions
  • 66. Investigating using known IOCs
    Investigating static host-based IOCs
    Investigating dynamic host-based IOCs
    Investigating static network IOCs
    Investigating dynamic network IOCs
  • 67. Analyzing network traffic and DNS
  • 68. Analyzing HTTP traffic
    User agents
    Suspicious domains
    Static analysis of HTTP headers
  • 69. Analyzing AV logs
    23.01.13 19:56 Detected : Trojan-Spy.Win32.Zbot.aymr C:/Documents and Settings/user1/Application Data/Sun/Java/Deployment/cache/6.0/27/4169865b-641d53c9/UPX
    23.01.13 19:56 Detected : Trojan-Downloader.Java.OpenConnec C:/Documents and Settings/user1/Application Data/Sun/Java/Deployment/cache/6.0/48/38388f30-4a676b87/bpac/b.cl
    23.01.13 19:56 Detected : Trojan-Downloader.Java.OpenConnec C:/Documents and Settings/user1/Application Data/Sun/Java/Deployment/cache/6.0/48/38388f30-4a676b87/ot/p
    23.01.13 19:58 Detected : HEUR:Exploit.Java.CVE-2013-0422.g C:/Documents and Settings/user1/Local Settings/Temp/jar_cache3538799837370652468.tmp
  • 70. Analyzing AV logs
    01/14/13 06:57 PM 178.238.141.19 http://machete0-yhis.me/pictures/dem
    01/14/13 06:57 PM 178.238.141.19 http://machete0-yhis.me/pictures/de
    01/14/13 06:57 PM 178.238.141.19 http://loretaa0-shot.co/career...45
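An added Python example, not from the slides, that parses the two AV-log line shapes shown on slides 69 and 70: it links the exploit verdict to the payloads dropped in the Java deployment cache within a time window (the drive-by pattern the slide shows) and pulls hosts and IPs out of the web-blocking records as candidate network IOCs. The sample lines are constructed from the slides, and the regexes are an assumption about that product's log format.

```python
import re
from datetime import datetime, timedelta

# Added example, not from the slides. Two line shapes appear in the AV logs:
# a detection record "DD.MM.YY HH:MM Detected : <verdict> <path>" and a
# web-blocking record "MM/DD/YY HH:MM AM|PM <ip> <url>". The regexes are
# written to those samples (assumption) and may need adjusting elsewhere.
DETECT_RE = re.compile(r"^(\d\d\.\d\d\.\d\d \d\d:\d\d) Detected : (\S+) (.+)$")
URL_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d [AP]M) (\d{1,3}(?:\.\d{1,3}){3}) (\S+)$")
JAVA_CACHE = "/Sun/Java/Deployment/cache/"   # applet / Web Start cache dir

def parse_av_log(lines):
    """Return (detections, web_events); lines matching neither shape are skipped."""
    detections, web = [], []
    for line in lines:
        m = DETECT_RE.match(line)
        if m:
            detections.append({"ts": datetime.strptime(m[1], "%d.%m.%y %H:%M"),
                               "name": m[2], "path": m[3],
                               "java_cache": JAVA_CACHE in m[3]})
            continue
        m = URL_RE.match(line)
        if m:
            host = re.sub(r"^[a-z]+://", "", m[3]).split("/")[0]
            web.append({"ts": datetime.strptime(m[1], "%m/%d/%y %I:%M %p"),
                        "ip": m[2], "host": host, "url": m[3]})
    return detections, web

def assess_java_chain(detections, window=timedelta(minutes=10)):
    """An exploit verdict close in time to non-exploit verdicts inside the Java
    cache is the chain on the slide: exploit -> downloader -> dropped Zbot."""
    exploits = [d for d in detections if "Exploit" in d["name"]]
    cached = [d for d in detections if d["java_cache"] and "Exploit" not in d["name"]]
    linked = any(abs(e["ts"] - c["ts"]) <= window for e in exploits for c in cached)
    return {"exploits": sorted({e["name"] for e in exploits}),
            "java_cache_payloads": sorted({c["name"] for c in cached}),
            "likely_drive_by": linked}

def network_iocs(web):
    """Hosts and IPs from the web-blocking records, as candidate network IOCs."""
    return sorted({w["host"] for w in web}), sorted({w["ip"] for w in web})

# Constructed sample lines modelled on the slides (verdict names and paths as shown there).
SAMPLE_LOG = [
    "23.01.13 19:56 Detected : Trojan-Spy.Win32.Zbot.aymr C:/Documents and Settings/user1/Application Data/Sun/Java/Deployment/cache/6.0/27/4169865b-641d53c9/UPX",
    "23.01.13 19:56 Detected : Trojan-Downloader.Java.OpenConnection.x C:/Documents and Settings/user1/Application Data/Sun/Java/Deployment/cache/6.0/48/38388f30-4a676b87/bpac/b.class",
    "23.01.13 19:58 Detected : HEUR:Exploit.Java.CVE-2013-0422.g C:/Documents and Settings/user1/Local Settings/Temp/jar_cache3538799837370652468.tmp",
    "01/14/13 06:57 PM 178.238.141.19 http://machete0-yhis.me/pictures/dem",
    "01/14/13 06:57 PM 178.238.141.19 http://loretaa0-shot.co/career...45",
    "line that matches neither format and is skipped",
]
```

The hosts and IPs it returns are leads for the cross-source correlation step on slide 65; check them against proxy and DNS logs before promoting them to IOCs.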
  • 71. Analyzing AV logs
  • 72. Analyzing AV logs
  • 73. Analyzing AV logs
  • 74. Creating host-based IOCs
    Hashes, mutexes, ThreatExpert
  • 75. Questions and answers :)