What Will You Investigate Today?

  1. What Will You Investigate Today? RMLL 2013 - Xavier Mertens - Brussels
  2. TrueSec $ whoami
     • Xavier Mertens (@xme)
     • Consultant @ day
     • Blogger @ night
     • BruCON co-organizer
  3. $ cat disclaimer.txt
     "The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past or present employers, partners or customers."
  4. Agenda
     • Introduction
     • Interesting protocols
     • Public resources
     • Toolbox
  5. Feeling This?
  6. Me? Breached?
     • In 66% of investigated incidents, detection took months or even longer
     • 69% of data breaches are discovered by third parties
     (Source: Verizon DBIR 2012)
  7. "Grepping" for Gold
     • Tracking users
     • Suspicious traffic
     • Out-of-business
     • Compliance
     • Exfiltration
     • "Below the radar"
  8. Sources
     • OS / application events
     • Network protection (FW, ID(P)S, proxies, etc.)
     • User credentials
     • IPs, domains, URLs
     • Digests (MD5, SHA1)
     • Metadata
  9. Multiple Sources
     • Automatic (logfiles, events)
     • Online repositories
     • Internal resources
     • Developers!
  10. "Active" Lists
     • Temporary or suspicious information to track, updated dynamically
     • Examples: contractors, admins, terminated accounts, countries (GeoIP)
     • if (grep { $_ eq $USER } @ADMINS) { ... }
  11. Correlation: your recipes applied to the evidence (diagram)
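The "active list" and correlation slides above, as an added worked example in Python (the talk's own snippets are Perl; this code is not from the deck). A few constructed sshd log lines are run through three recipes: a terminated account logging in, an admin logging in from a country outside the allowed set, and a contractor logging in after the contract end date. The user names, addresses, list contents and the prefix-based GeoIP table are all hypothetical.

```python
import re
from datetime import date, datetime

# Constructed sshd log lines (not real data); syslog timestamps carry no year.
EVENTS = """\
Jun 12 08:01:10 srv1 sshd[1201]: Accepted password for alice from 10.1.2.3 port 51022 ssh2
Jun 12 08:05:44 srv1 sshd[1210]: Accepted publickey for bob from 203.0.113.7 port 40110 ssh2
Jun 12 09:15:02 srv1 sshd[1233]: Accepted password for carol from 198.51.100.9 port 50000 ssh2
Jun 12 09:20:31 srv1 sshd[1240]: Failed password for dave from 10.1.2.9 port 52000 ssh2
Jun 12 10:02:00 srv1 sshd[1260]: Accepted password for erin from 10.1.2.20 port 51100 ssh2
"""

# "Active" lists: small, volatile, maintained outside the log store (hypothetical content).
ADMINS = {"alice", "bob"}
TERMINATED = {"carol"}
CONTRACTORS = {"erin": date(2013, 6, 1)}       # account -> contract end date
ALLOWED_ADMIN_COUNTRIES = {"BE"}

# Toy GeoIP table keyed by address prefix; a real deployment queries a GeoIP database.
GEOIP = {"10.": "BE", "203.0.113.": "US", "198.51.100.": "RU"}

def geoip(ip):
    for prefix, country in GEOIP.items():
        if ip.startswith(prefix):
            return country
    return "??"

LOGIN_RE = re.compile(
    r"^(\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port"
)

def parse_login(line, year=2013):
    """Return {ts, user, ip} for a successful login line, or None for anything else."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m.group(2), "ip": m.group(3)}

def correlate(text):
    """Apply the three recipes to every successful login; return (recipe, user, detail) tuples."""
    alerts = []
    for line in text.splitlines():
        ev = parse_login(line)
        if ev is None:
            continue                        # failed logins are not part of these recipes
        user, ip, country = ev["user"], ev["ip"], geoip(ev["ip"])
        if user in TERMINATED:
            alerts.append(("terminated-account-login", user, ip))
        if user in ADMINS and country not in ALLOWED_ADMIN_COUNTRIES:
            alerts.append(("admin-login-from-unexpected-country", user, f"{ip}/{country}"))
        if user in CONTRACTORS and ev["ts"].date() > CONTRACTORS[user]:
            alerts.append(("contractor-login-after-end-date", user, ip))
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(*alert)
```

The lists are deliberately kept in plain Python sets and dicts: the point of an active list is that it is cheap to update from HR, the ticketing system or a contractor database, independently of the rules that consume it. Note that the membership test is an exact match on the account name; a regex-style `grep(/$USER/, ...)` would also match "bobby" when looking for "bob".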
  12. Visibility!
  13. Agenda
     • Introduction
     • Interesting protocols
     • Public resources
     • Toolbox
  14. DNS
     • No DNS, no Internet!
     • Can help to detect data exfiltration and communications with C&C servers (malware)
     • Alert on any traffic to untrusted DNS servers
     • Allow only the local DNS servers as resolvers
     • Investigate suspicious domains
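Two of the DNS checks from the slide above, as an added Python example that is not part of the talk: the first flags outbound port 53 traffic in a constructed iptables-style firewall log that does not go to the approved internal resolvers; the second looks for a tunnelling or exfiltration pattern in a constructed BIND-style query log, namely one registered domain receiving many distinct, long, high-entropy subdomains. Resolver addresses, domain names and thresholds are hypothetical.

```python
import math
import re
from collections import defaultdict

LOCAL_RESOLVERS = {"10.0.0.53"}            # hypothetical internal resolvers

# Constructed iptables-style log of outbound traffic (not real data).
FW_LOG = """\
Jun 12 10:00:01 fw kernel: OUT=eth1 SRC=10.1.2.3 DST=10.0.0.53 PROTO=UDP SPT=51000 DPT=53
Jun 12 10:00:05 fw kernel: OUT=eth1 SRC=10.1.2.9 DST=8.8.8.8 PROTO=UDP SPT=51001 DPT=53
Jun 12 10:00:07 fw kernel: OUT=eth1 SRC=10.1.2.9 DST=203.0.113.5 PROTO=TCP SPT=51002 DPT=443
"""

# Constructed BIND-style query log from the internal resolver (not real data).
QUERY_LOG = """\
12-Jun-2013 10:00:01.123 client 10.1.2.3#51000: query: www.example.com IN A +
12-Jun-2013 10:00:02.001 client 10.1.2.3#51000: query: mail.example.com IN MX +
12-Jun-2013 10:00:03.500 client 10.1.2.7#51010: query: 6a6f686e.646f65.0001.tunnel.example.net IN TXT +
12-Jun-2013 10:00:04.510 client 10.1.2.7#51010: query: 70617373.776f7264.0002.tunnel.example.net IN TXT +
12-Jun-2013 10:00:05.520 client 10.1.2.7#51010: query: 73656372.65743132.0003.tunnel.example.net IN TXT +
12-Jun-2013 10:00:06.530 client 10.1.2.7#51010: query: 33343536.37383930.0004.tunnel.example.net IN TXT +
"""

FW_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=\S+ SPT=\d+ DPT=(\d+)")
QUERY_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN (\S+)")

def untrusted_resolver_hits(fw_log):
    """(src, dst) pairs for port 53 traffic that bypasses the approved resolvers."""
    hits = []
    for line in fw_log.splitlines():
        m = FW_RE.search(line)
        if m and m.group(3) == "53" and m.group(2) not in LOCAL_RESOLVERS:
            hits.append((m.group(1), m.group(2)))
    return hits

def shannon_entropy(s):
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def registered_domain(name):
    # Naive "last two labels"; production code should use the public suffix list
    # so that host.example.co.uk groups under example.co.uk rather than co.uk.
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def tunnel_candidates(query_log, min_unique=4, min_len=20, min_entropy=3.0):
    """Domains that receive many distinct, long, high-entropy subdomains."""
    names_by_domain = defaultdict(set)
    for line in query_log.splitlines():
        m = QUERY_RE.search(line)
        if m:
            names_by_domain[registered_domain(m.group(2))].add(m.group(2).lower())
    flagged = {}
    for domain, names in names_by_domain.items():
        prefixes = [n[: -len(domain) - 1] for n in names]      # strip ".<domain>"
        avg_len = sum(map(len, prefixes)) / len(prefixes)
        avg_ent = sum(map(shannon_entropy, prefixes)) / len(prefixes)
        if len(names) >= min_unique and avg_len >= min_len and avg_ent >= min_entropy:
            flagged[domain] = {"unique_names": len(names),
                               "avg_prefix_len": round(avg_len, 1),
                               "avg_entropy": round(avg_ent, 2)}
    return flagged

if __name__ == "__main__":
    print("untrusted resolvers:", untrusted_resolver_hits(FW_LOG))
    print("tunnel candidates:", tunnel_candidates(QUERY_LOG))
```

The thresholds are starting points, not a verdict: CDNs, anti-spam services and some telemetry SDKs legitimately generate large numbers of unique subdomains, so the candidate list is something to investigate, and known-good domains should be whitelisted before alerting on it.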
  15. HTTP
     • HTTP is the new TCP
     • Investigate suspicious domains
     • Inspect HTTPS (check with your legal department first!)
     • Search for interesting hashes
  16. SMTP
     • Track outgoing emails
     • Investigate suspicious domains
  17. Netflow
     • Analyze network flows
     • Src Port
     • Src IP
     • Dst Port
     • Dst IP
     • Timestamp
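One thing the five Netflow fields on the slide above are enough for is beacon detection: a host that opens a connection to the same destination and port at near-constant intervals is behaving like a C&C check-in, whatever the payload is. The added Python example below (not code from the talk) groups constructed flow records by (src IP, dst IP, dst port), sorts them by timestamp and flags groups whose inter-flow gaps have a low coefficient of variation. The record format, addresses and thresholds are hypothetical.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed flow records: start time, protocol, src:port -> dst:port (not real data).
FLOWS = """\
2013-06-12 10:00:00 TCP 10.1.2.7:51000 -> 203.0.113.5:443
2013-06-12 10:00:00 TCP 10.1.2.3:51020 -> 198.51.100.20:80
2013-06-12 10:05:01 TCP 10.1.2.7:51001 -> 203.0.113.5:443
2013-06-12 10:07:30 TCP 10.1.2.3:51021 -> 198.51.100.20:80
2013-06-12 10:09:59 TCP 10.1.2.7:51002 -> 203.0.113.5:443
2013-06-12 10:15:00 TCP 10.1.2.7:51003 -> 203.0.113.5:443
2013-06-12 10:20:00 TCP 10.1.2.7:51004 -> 203.0.113.5:443
2013-06-12 10:31:12 TCP 10.1.2.3:51022 -> 198.51.100.20:80
2013-06-12 10:25:01 TCP 10.1.2.7:51005 -> 203.0.113.5:443
2013-06-12 10:48:05 TCP 10.1.2.3:51023 -> 198.51.100.20:80
"""

FLOW_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+):(\d+) -> (\S+):(\d+)")

def parse_flows(text):
    """Yield (timestamp, src_ip, dst_ip, dst_port) for each parsable record."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            flows.append((ts, m.group(3), m.group(5), int(m.group(6))))
    return flows

def find_beacons(text, min_flows=5, max_cv=0.1):
    """Return {(src, dst, dport): stats} for tuples with regular inter-flow gaps."""
    times_by_key = defaultdict(list)
    for ts, src, dst, dport in parse_flows(text):
        times_by_key[(src, dst, dport)].append(ts)
    beacons = {}
    for key, times in times_by_key.items():
        if len(times) < min_flows:
            continue                                  # too few samples to judge
        times.sort()                                  # records need not arrive in order
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            beacons[key] = {"flows": len(times), "period_s": round(mean), "cv": round(cv, 3)}
    return beacons

if __name__ == "__main__":
    for key, stats in find_beacons(FLOWS).items():
        print(key, stats)
```

In the constructed data 10.1.2.7 talks to 203.0.113.5:443 every 300 seconds give or take one, while 10.1.2.3 browses 198.51.100.20 at irregular intervals and is not reported. Real malware adds jitter to its sleep timer, so a relaxed `max_cv` and a longer observation window are usually needed, and the same grouping can be extended with byte counts once the exporter provides them.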
  18. Agenda
     • Introduction
     • Interesting protocols
     • Public resources
     • Toolbox
  19. IP Addresses
     • http://www.malwaredomainlist.com/hostslist/ip.txt
     • Correlate with your firewall logs
     • GeoIP
  20. Domains
     • DNS-BH (malwaredomains.com): http://mirror1.malwaredomains.com/files/domains.txt and http://mirror1.malwaredomains.com/files/spywaredomains.zones
     • http://www.malwaredomainlist.com/hostslist/hosts.txt
     • Correlate with your resolver logs
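The two correlation steps on the IP and domain slides above, as an added Python example that is not part of the talk. It loads a constructed excerpt in the one-address-per-line layout of ip.txt and another in the hosts-file layout of hosts.txt (the real feeds are not fetched; the entries shown are made up), then matches firewall destination addresses and resolver queries against them. A query matches when the name or any of its parents is listed, so a listed c2 domain also catches its subdomains, while a bare top-level label is never treated as a match.

```python
import ipaddress
import re

# Constructed excerpts in the two list formats named above (not the real feeds).
IP_LIST = """\
# one IPv4 address per line
203.0.113.66
198.51.100.200
not-an-ip
"""
HOSTS_LIST = """\
# hosts-file layout: sinkhole address, then the malicious hostname
127.0.0.1  localhost
127.0.0.1  bad.example.org
127.0.0.1  c2.example.net
"""

# Constructed firewall and resolver logs (not real data).
FW_LOG = """\
Jun 12 11:00:01 fw kernel: SRC=10.1.2.9 DST=203.0.113.66 PROTO=TCP SPT=51200 DPT=443
Jun 12 11:00:02 fw kernel: SRC=10.1.2.3 DST=203.0.113.5 PROTO=TCP SPT=51201 DPT=443
"""
RESOLVER_LOG = """\
12-Jun-2013 11:00:00.100 client 10.1.2.7#51300: query: update.c2.example.net IN A +
12-Jun-2013 11:00:00.200 client 10.1.2.3#51301: query: www.example.com IN A +
12-Jun-2013 11:00:00.300 client 10.1.2.3#51302: query: example.net IN A +
"""

def load_ip_list(text):
    """One address per line; '#' starts a comment; malformed entries are skipped."""
    ips = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            ips.add(str(ipaddress.ip_address(entry)))   # normalises the textual form
        except ValueError:
            pass                                         # do not let one bad line abort the feed
    return ips

def load_hosts_list(text):
    """hosts-file layout: '<sinkhole ip> <hostname>'; the localhost entry is noise."""
    domains = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[1].lower() != "localhost":
            domains.add(parts[1].lower().rstrip("."))
    return domains

def domain_listed(name, blocked):
    """True if name or any parent domain (never the bare TLD) is in the block set."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels) - 1))

FW_RE = re.compile(r"SRC=(\S+) DST=(\S+)")
QUERY_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN")

def correlate(fw_log, resolver_log, bad_ips, bad_domains):
    """Return (kind, internal host, indicator) tuples for every hit."""
    hits = []
    for line in fw_log.splitlines():
        m = FW_RE.search(line)
        if m and m.group(2) in bad_ips:
            hits.append(("ip", m.group(1), m.group(2)))
    for line in resolver_log.splitlines():
        m = QUERY_RE.search(line)
        if m and domain_listed(m.group(2), bad_domains):
            hits.append(("domain", m.group(1), m.group(2)))
    return hits

if __name__ == "__main__":
    for hit in correlate(FW_LOG, RESOLVER_LOG, load_ip_list(IP_LIST), load_hosts_list(HOSTS_LIST)):
        print(*hit)
```

Two practical caveats: keep the fetched lists versioned with a timestamp, because an address that was malicious in one feed snapshot may be a reassigned cloud IP the next week, and record which feed produced each hit so the analyst can judge the source's reliability.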
  21. URLs
     • http://malwareurls.joxeankoret.com/normal.txt
     • Google SafeBrowsing (Perl, Net::Google::SafeBrowsing2):

```perl
use Net::Google::SafeBrowsing2;            # exports the MALWARE and PHISHING constants
use Net::Google::SafeBrowsing2::Sqlite;

# Local copy of the Safe Browsing lists, kept in an SQLite file
my $storage = Net::Google::SafeBrowsing2::Sqlite->new(file => "google.db");

my $gsb = Net::Google::SafeBrowsing2->new(
    key     => "xxx",                      # your Safe Browsing API key
    storage => $storage,
);

$gsb->update();                            # download or refresh the lists
my $match = $gsb->lookup(url => "http://evil.com");
if ($match eq MALWARE) {
    print "http://evil.com is listed as a malware site\n";
}
$storage->close();
```
  22. $ cat disclaimer2.txt
     "Data are provided for 'free' but the right to use them can be restricted to specific conditions (e.g. no re-use in commercial applications). Always read the terms of use carefully. Some services require prior registration and the use of APIs."
  23. OSINT
     "Set of techniques to conduct regular reviews and/or continuous monitoring over multiple sources, including search engines, social networks, blogs, comments, underground forums, blacklists/whitelists and so on."
  24. OSINT
     • Think "out of the box"!
     • What identifies you on the Internet?
     • Domain names
     • IP addresses
     • Brand
  25. Agenda
     • Introduction
     • Interesting protocols
     • Public resources
     • Toolbox
  26. pastebin.com
     • A gold mine for exfiltrated data!
     • Tool: pastemon.pl
     • https://github.com/xme/pastemon
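The OSINT slide lists what identifies an organisation online (domain names, IP addresses, brand) and the pastebin slide is where those identifiers get searched for. The added Python example below ties the two together; it is not pastemon.pl and not code from the talk. It scans a constructed paste body for e-mail addresses under the organisation's domains, addresses inside its IP ranges and mentions of its brand, and reports only the identifier, not the secret that sits next to it. Domains, network range, brand name and paste contents are all hypothetical.

```python
import ipaddress
import re

# What identifies the organisation on the Internet (hypothetical values).
DOMAINS = ["example.com", "example.net"]
NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
BRANDS = ["ExampleCorp"]

# Constructed paste body (not real leaked data).
PASTE = """\
dump from last night lol
admin@example.com:Passw0rd!
j.doe@mail.example.net:hunter2
host 203.0.113.17 root:toor
unrelated: user@other.org:secret 192.0.2.1
ExampleCorp internal wiki creds below
"""

EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def domain_matches(host):
    """True for one of our domains or any host beneath it."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in DOMAINS)

def scan_paste(text):
    """Return (line number, kind, identifier) for every hit; passwords are never copied."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in EMAIL_RE.finditer(line):
            if domain_matches(m.group(1)):
                hits.append((lineno, "email", m.group(0)))
        for m in IP_RE.finditer(line):
            try:
                ip = ipaddress.ip_address(m.group(0))
            except ValueError:
                continue                       # e.g. 999.1.1.1 looks like an address but is not
            if any(ip in net for net in NETWORKS):
                hits.append((lineno, "ip", m.group(0)))
        for brand in BRANDS:
            if brand.lower() in line.lower():
                hits.append((lineno, "brand", brand))
    return hits

if __name__ == "__main__":
    for hit in scan_paste(PASTE):
        print(*hit)
```

In a real monitor the regexes are the part that evolves: add the short names of internal projects, the format of your employee IDs or the banner string of your VPN gateway, and expect the brand match to need a whitelist of press and job sites before it is quiet enough to alert on.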
  27. Data Parsers
     • d3.js JavaScript library
     • Example of implementation: malcom (Malware Communications Analyzer)
     • https://github.com/tomchop/malcom
  28. Data Parser
  29. The Conductor
     • OSSEC
     • Log management
     • Active response
     • Powerful alert engine
  30. Online Tools
     • http://urlquery.net
     • http://www.scumware.org/index.scumware
     • http://bgpranking.circl.lu/
     • https://malwr.com/
     • http://www.informatica64.com/foca.aspx
     • http://virustotal.com
  31. Conclusions
     • Know your environment
     • You have plenty of useful (big) data
     • Free software can help you (but the project is not free)
  32. Questions? @xme, xavier@rootshell.be, http://blog.rootshell.be, https://www.truesec.be