    What Will You Investigate Today? (Presentation Transcript)

    • What Will You Investigate Today? RMLL 2013 - Xavier Mertens - Brussels
    • TrueSec $ whoami • Xavier Mertens (@xme) • Consultant @ day • Blogger @ night • BruCON co-organizer
    • $ cat disclaimer.txt “The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past or present employers, partners or customers.”
    • Agenda • Introduction • Interesting protocols • Public resources • Toolbox
    • Feeling This?
    • Me? Breached? • In 66% of investigated incidents, detection took months or even longer • 69% of data breaches were discovered by third parties (Source: Verizon DBIR 2012)
    • “Grepping” for Gold • Tracking users • Suspicious traffic • Out-of-business • Compliance • Exfiltration • “Below the radar”
    • Sources • OS / application events • Network protection (FW, ID(P)S, proxies, etc.) • User credentials • IPs, domains, URLs • Digests (MD5, SHA1) • Metadata
    • Multiple Sources • Automatic (logfiles, events) • Online repositories • Internal resources • Developers!
    • “Active” Lists • Temporary or suspicious information to track, dynamically updated • Examples: contractors, admins, terminated accounts, countries (GeoIP) • Example (Perl, exact match rather than a substring regex): if (grep { $_ eq $user } @admins) { ... }
    • Correlation • Your recipes • Evidence
    • Visibility!
    • Agenda • Introduction • Interesting protocols • Public resources • Toolbox
    • DNS • No DNS, no Internet! • Helps detect data exfiltration and communication with C&C servers (malware) • Alert on any traffic to untrusted DNS servers • Allow only the local DNS servers as resolvers • Investigate suspicious domains
    • HTTP • HTTP is the new TCP • Investigate suspicious domains • Inspect HTTPS (check with your legal dept!) • Search for interesting hashes
    • SMTP • Track outgoing emails • Investigate suspicious domains
    • Netflow • Analyze network flows: src IP, src port, dst IP, dst port, timestamp
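The DNS and Netflow slides above describe two checks a SOC can automate: flag any port-53 traffic that does not go to the approved internal resolvers, and look in the resolver logs for query shapes typical of tunnelling and exfiltration (long or high-entropy labels, TXT lookups on subdomains, many distinct names under one zone). The following Python is an added example of both checks; it is not code from the presentation or from the speaker's tools. The resolver addresses, the thresholds, and the netflow-style and BIND-style query-log records are constructed for the example.

```python
"""Added example: rogue-resolver and DNS-exfiltration checks over constructed
netflow records and BIND-style query logs (not from the presentation)."""
import ipaddress
import math
import re
from collections import Counter, defaultdict

# Assumed policy: only these internal resolvers may be contacted on port 53.
TRUSTED_RESOLVERS = {ipaddress.ip_address("10.0.0.53"),
                     ipaddress.ip_address("10.0.1.53")}

# Constructed netflow-style records:
# (timestamp, src_ip, src_port, dst_ip, dst_port, protocol)
FLOWS = [
    ("2013-07-09T10:00:01", "10.1.2.3", 51000, "10.0.0.53", 53, "udp"),
    ("2013-07-09T10:00:05", "10.1.2.4", 51001, "8.8.8.8", 53, "udp"),
    ("2013-07-09T10:00:09", "10.1.2.5", 51002, "10.0.1.53", 53, "tcp"),
    ("2013-07-09T10:00:12", "10.1.2.6", 51003, "198.51.100.7", 53, "udp"),
    ("2013-07-09T10:00:15", "10.1.2.6", 51004, "198.51.100.7", 443, "tcp"),
]

# Constructed BIND-style query log. The last five lines mimic a client pushing
# data out as high-entropy labels under a domain it controls.
_HEX = "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"
QUERY_LOG = [
    "09-Jul-2013 10:00:01.001 client 10.1.2.3#51000: query: www.example.com IN A + (10.0.0.53)",
    "09-Jul-2013 10:00:02.002 client 10.1.2.3#51001: query: mail.example.com IN MX + (10.0.0.53)",
] + [
    f"09-Jul-2013 10:00:0{3 + i}.000 client 10.1.2.9#5200{i}: query: "
    f"{_HEX[i:] + _HEX[:i]}.t.attacker-example.net IN TXT + (10.0.0.53)"
    for i in range(5)
]

QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def untrusted_dns_flows(flows, trusted=TRUSTED_RESOLVERS):
    """Flows to port 53 whose destination is not an approved resolver."""
    return [(ts, src, dst, proto)
            for ts, src, _sport, dst, dport, proto in flows
            if dport == 53 and ipaddress.ip_address(dst) not in trusted]


def shannon_entropy(s):
    """Bits per character: hex text tops out at 4.0, ordinary hostnames sit well below 3.5."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parent_domain(qname):
    """Registrable-domain approximation: the last two labels.
    A real deployment should use the Public Suffix List (co.uk and friends)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def suspicious_queries(lines, min_subdomains=5, max_label=40, min_entropy=3.5):
    """Return (flagged, noisy):
    flagged: per-query hits (client, qname, reasons) for long or high-entropy
             labels and for TXT lookups on subdomains, the classic tunnelling shapes;
    noisy:   (client, parent_domain) pairs with at least min_subdomains distinct
             names, i.e. many unique subdomains under a single zone."""
    per_parent = defaultdict(set)
    flagged = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        client, qtype = m.group("client"), m.group("qtype").upper()
        qname = m.group("qname").rstrip(".").lower()
        parent = parent_domain(qname)
        per_parent[(client, parent)].add(qname)
        sub = qname[: -len(parent) - 1] if qname != parent else ""
        reasons = set()
        for label in (sub.split(".") if sub else []):
            if len(label) >= max_label:
                reasons.add("long label")
            if len(label) >= 16 and shannon_entropy(label) >= min_entropy:
                reasons.add("high-entropy label")
        if qtype == "TXT" and sub:
            reasons.add("TXT lookup on subdomain")
        if reasons:
            flagged.append((client, qname, sorted(reasons)))
    noisy = {k: len(v) for k, v in per_parent.items() if len(v) >= min_subdomains}
    return flagged, noisy


if __name__ == "__main__":
    for hit in untrusted_dns_flows(FLOWS):
        print("untrusted resolver:", hit)
    flagged, noisy = suspicious_queries(QUERY_LOG)
    for client, qname, reasons in flagged:
        print(f"{client} {qname} <- {', '.join(reasons)}")
    for (client, parent), n in noisy.items():
        print(f"{client} queried {n} distinct names under {parent}")
```

The thresholds are starting points, not truth: CDNs and anti-virus vendors legitimately emit long hashed labels, so the per-zone subdomain count and the TXT check are usually what separates tunnelling from noise, and the "allowed resolvers" rule only works once the firewall actually blocks port 53 to everything else.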
    • Agenda • Introduction • Interesting protocols • Public resources • Toolbox
    • IP Addresses • http://www.malwaredomainlist.com/hostslist/ip.txt • Correlate with your firewall logs • GeoIP
    • Domains • DNS-BH (malwaredomains.com): http://mirror1.malwaredomains.com/files/domains.txt http://mirror1.malwaredomains.com/files/spywaredomains.zones • http://www.malwaredomainlist.com/hostslist/hosts.txt • Correlate with your resolver logs
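The IP Addresses and Domains slides end with the same instruction: fetch the public list and correlate it with your own logs. The following Python is an added example of that correlation, not code from the presentation, with two details that matter in practice: hosts-file style lists (sinkhole address followed by a name) are parsed differently from bare-domain lists, and domain matching walks up the label hierarchy so that a query for cdn.update.bad-example.org hits an entry for bad-example.org while bad-example.org.evil.test does not. The list contents, the iptables-style firewall lines and the BIND-style resolver lines are constructed.

```python
"""Added example: correlate firewall and resolver logs with public IP and
domain blocklists (constructed data, not from the presentation)."""
import ipaddress
import re

# Constructed blocklist snippets. ip.txt style: one IP per line, '#' comments.
IP_LIST = """\
# malicious IPs (constructed)
198.51.100.7
203.0.113.66
"""

# Constructed domain list mixing bare-domain lines (DNS-BH domains.txt style)
# and hosts-file lines (hosts.txt style: sinkhole address followed by name).
DOMAIN_LIST = """\
# constructed domain blocklist
bad-example.org
127.0.0.1\tdropper.evil.test
\tupdate-cdn.example.net\tmalware\tconstructed
"""

# Constructed iptables-style firewall log.
FW_LOG = [
    "Jul  9 10:00:01 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=198.51.100.7 PROTO=TCP SPT=51000 DPT=443",
    "Jul  9 10:00:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.5 DST=93.184.216.34 PROTO=TCP SPT=51001 DPT=80",
    "Jul  9 10:00:03 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.6 DST=203.0.113.66 PROTO=ICMP",
]

# Constructed BIND-style resolver query log.
RESOLVER_LOG = [
    "09-Jul-2013 10:00:01.001 client 10.1.2.4#51002: query: cdn.update.bad-example.org IN A + (10.0.0.53)",
    "09-Jul-2013 10:00:02.002 client 10.1.2.4#51003: query: bad-example.org.evil.test IN A + (10.0.0.53)",
    "09-Jul-2013 10:00:03.003 client 10.1.2.7#51004: query: www.example.com IN A + (10.0.0.53)",
    "09-Jul-2013 10:00:04.004 client 10.1.2.8#51005: query: dropper.evil.test IN A + (10.0.0.53)",
]

FW_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+)(?:.*?DPT=(?P<dpt>\d+))?")
DNS_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def load_blocklists(ip_text, domain_text):
    """Parse list files into a set of IPs and a set of lowercase domains.
    Hosts-file lines ('127.0.0.1  name') yield the name, not the sinkhole IP."""
    ips = set()
    for line in ip_text.splitlines():
        token = line.split("#", 1)[0].strip()
        if token and _is_ip(token):
            ips.add(token)
    domains = set()
    for line in domain_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        name = fields[1] if _is_ip(fields[0]) and len(fields) > 1 else fields[0]
        domains.add(name.lower().rstrip("."))
    return ips, domains


def match_domain(qname, domains):
    """Return the blocklist entry that qname equals or is a subdomain of, else None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):      # never match on a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def correlate_firewall(lines, bad_ips):
    """Firewall lines whose destination is on the IP blocklist."""
    hits = []
    for line in lines:
        m = FW_RE.search(line)
        if m and m.group("dst") in bad_ips:
            hits.append({"src": m.group("src"), "dst": m.group("dst"),
                         "dpt": m.group("dpt"), "line": line})
    return hits


def correlate_resolver(lines, bad_domains):
    """Resolver queries for a listed domain or any name beneath it."""
    hits = []
    for line in lines:
        m = DNS_RE.search(line)
        if not m:
            continue
        hit = match_domain(m.group("qname"), bad_domains)
        if hit:
            hits.append({"client": m.group("client"),
                         "qname": m.group("qname").rstrip(".").lower(),
                         "hit": hit, "line": line})
    return hits


if __name__ == "__main__":
    ips, domains = load_blocklists(IP_LIST, DOMAIN_LIST)
    for h in correlate_firewall(FW_LOG, ips):
        print(f"firewall: {h['src']} -> {h['dst']} dpt={h['dpt']}")
    for h in correlate_resolver(RESOLVER_LOG, domains):
        print(f"resolver: {h['client']} asked for {h['qname']} (matches {h['hit']})")
```

Two caveats carry over from the slides' own disclaimer: public lists age quickly, so refresh them on a schedule and record which list version produced a hit, and a resolver-log match tells you which internal client asked, which is exactly the pivot the firewall log cannot give you once traffic leaves through a proxy.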
    • URLs • http://malwareurls.joxeankoret.com/normal.txt • Google SafeBrowsing (Perl, Net::Google::SafeBrowsing2; note that the v2 API this module speaks has since been retired by Google):
      use Net::Google::SafeBrowsing2;
      use Net::Google::SafeBrowsing2::Sqlite;

      # MALWARE and PHISHING list-name constants are exported by Net::Google::SafeBrowsing2
      my $gsb = Net::Google::SafeBrowsing2->new(
          key     => "xxx",   # your API key
          storage => Net::Google::SafeBrowsing2::Sqlite->new(file => "google.db"),
      );
      $gsb->update();        # download/refresh the local copy of the lists

      my $url   = "http://evil.com";
      my $match = $gsb->lookup(url => $url);   # returns the matching list name or ''
      if ($match eq MALWARE) { print "$url is flagged as malware\n"; }
    • $ cat disclaimer2.txt “Data are provided for ‘free’, but the right to use them can be restricted to specific conditions (e.g. no reuse in commercial applications). Always read the terms of use carefully. Some services require prior registration and use of APIs.”
    • OSINT “Set of techniques to conduct regular reviews and/or continuous monitoring over multiple sources, including search engines, social networks, blogs, comments, underground forums, blacklists/whitelists and so on.”
    • OSINT • Think “out of the box”! • What identifies you on the Internet? • Domain names • IP addresses • Brand
    • Agenda • Introduction • Interesting protocols • Public resources • Toolbox
    • pastebin.com • A gold mine for exfiltrated data! • Tool: pastemon.pl • https://github.com/xme/pastemon
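The OSINT slide asks what identifies you on the Internet (domain names, IP addresses, brand) and the pastebin.com slide points at pastemon.pl for watching pastes. The following Python is an added example, not the pastemon code or any other code from the presentation, of the matching step such a monitor performs once it has fetched a paste: scan the body for e-mail addresses and hostnames under your domains, addresses inside your IP ranges and mentions of your brand, and keep only the pastes that hit. The organisation profile and the paste texts are constructed.

```python
"""Added example: match paste bodies against an organisation's identifiers
(constructed identifiers and pastes, not from the presentation)."""
import ipaddress
import re

# Constructed organisation profile (assumed values).
MY_DOMAINS = ["acme-example.com", "acme-example.be"]
MY_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
MY_BRANDS = ["AcmeExample", "Acme Example"]

# Constructed pastes: id -> body.
PASTES = {
    "paste-1": ("creds dump\n"
                "admin@acme-example.com:Summer2013\n"
                "host intranet.acme-example.com 192.0.2.17 via 203.0.113.5\n"),
    "paste-2": "lorem ipsum http://www.example.org 8.8.8.8 nothing to see",
    "paste-3": "AcmeExample leaked? ask sales@partner.example",
}

EMAIL_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[\w-]+")
# IPv4 candidates only; each one is validated with ipaddress before use.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _dedupe(items):
    """Drop duplicates while keeping first-seen order."""
    return list(dict.fromkeys(items))


def build_matchers(domains, brands):
    """Compile hostname and brand regexes from the organisation profile."""
    dom = "|".join(re.escape(d) for d in domains)
    host_re = re.compile(rf"\b(?:[a-z0-9-]+\.)+(?:{dom})\b", re.IGNORECASE)
    brand_re = re.compile(r"\b(?:" + "|".join(re.escape(b) for b in brands) + r")\b",
                          re.IGNORECASE)
    return host_re, brand_re


def scan_text(text, domains, networks, brands, matchers=None):
    """Return {'emails', 'hosts', 'ips', 'brand'} lists for one body; empty lists are omitted."""
    host_re, brand_re = matchers or build_matchers(domains, brands)
    domains_lc = {d.lower() for d in domains}
    emails = [e for e in EMAIL_RE.findall(text)
              if e.split("@", 1)[1].lower() in domains_lc]
    hosts = host_re.findall(text)
    ips = []
    for token in IPV4_RE.findall(text):
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:        # e.g. 999.1.1.1 looks like an address but is not one
            continue
        if any(addr in net for net in networks):
            ips.append(str(addr))
    brand = brand_re.findall(text)
    found = {"emails": _dedupe(emails), "hosts": _dedupe(hosts),
             "ips": _dedupe(ips), "brand": _dedupe(brand)}
    return {k: v for k, v in found.items() if v}


def scan_pastes(pastes, domains, networks, brands):
    """Scan every paste; keep only those with at least one hit."""
    matchers = build_matchers(domains, brands)
    results = {}
    for paste_id, body in pastes.items():
        hits = scan_text(body, domains, networks, brands, matchers)
        if hits:
            results[paste_id] = hits
    return results


if __name__ == "__main__":
    for pid, hits in scan_pastes(PASTES, MY_DOMAINS, MY_NETWORKS, MY_BRANDS).items():
        print(pid, hits)
```

Matching e-mail addresses on your own domain rather than on arbitrary keywords is what keeps the alert volume usable; a brand name alone will fire on every press release, so treat a brand-only hit as low priority and an e-mail or internal-hostname hit as something to look at the same day.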
    • Data Parsers • d3.js JavaScript library • Example implementation: malcom (Malware Communications Analyzer) • https://github.com/tomchop/malcom
    • Data Parser
    • The Conductor • OSSEC • Log management • Active response • Powerful alert engine
    • Online Tools • http://urlquery.net • http://www.scumware.org/index.scumware • http://bgpranking.circl.lu/ • https://malwr.com/ • http://www.informatica64.com/foca.aspx • http://virustotal.com
    • Conclusions • Know your environment • You have plenty of useful (big) data • Free software can help you (but the project is not free)
    • Questions? @xme xavier@rootshell.be http://blog.rootshell.be https://www.truesec.be