This document summarizes a presentation about Jakub Sendor's work responding to malware incidents at Yelp. It discusses Yelp's malware response process, including initial detection using tools like antivirus and osquery, collecting forensic data using OSXCollector, analyzing the data both manually and automatically using tools like ElastAlert and AMIRA, and final remediation steps like blocking malicious domains and educating employees. It emphasizes how automation has helped speed up the process and reduce human errors.

1. Jakub (Kuba) Sendor
@jsendor
Slicing Apples with Ninja Sword
Fighting Malware at the Corporate Level

2. @jsendor
whoami
● Joined Yelp security team in July 2014.
● Mostly involved in malware incident response.
● Also working on automating our security processes.
● Previously worked at SAP in the Security & Trust research group.
● Before that:
MSc from AGH University of Science and Technology in Kraków, Poland
and Telecom ParisTech/Institut Eurecom in Sophia‑Antipolis, France.

3. Yelp’s Mission
Connecting people with great
local businesses.

4. Yelp Stats
As of Q1 2016
90M 3270%102M

5. > 4000

7. Dramatis personæ
Yelp
Employee
HelpDesk
IT Engineer
Security Team
Malware Analyst

8. @jsendor
Malware response process at a glance
Detection Analysis Remediation

9. Initial triage
Forensics collection
Forensics analysis
Final remediation
Malware incident response process

10. Initial triage // Malware Analyst
Forensics collection // IT Engineer
Forensics analysis // Malware Analyst
Final remediation // IT Engineer
Malware incident response process

11. @jsendor
Detection
Various alert sources:
● endpoint monitoring
○ antivirus
○ osquery
● network traffic monitoring
● SIEM (Security Incident and Event Management)
● email (phishing, adware, popups, etc.)

12. @jsendor
osquery
● kernel extensions
● user logins
● config file hashes
● browser extensions
● startup items
● launchd

13. @jsendor
{
"@ingestionTime": "2016-02-28T15:05:33Z",
"_id": "AVLwlmFxKVkRUjUGMJlD",
"_index": "logstash-osquery-osx-weekly-2016.09",
"_type": "osquery",
"columns": {
"name": "Window Resizer",
"path": "/Users/kuba/Library/Application Support/Google/Chrome/Profile
1/Extensions/kkelicaakdanhinjdeammmilcgefonfh/1.9.1.2_0/"
},
"filter_result": "blacklisted",
"hostIdentifier": "A43F47D0-A921-5895-8A59-AB49EB616A5D",
"kibana_link": "https://..."
}
osquery + ElastAlert

14. @jsendor
ElastAlert
Alerting out of data in Elasticsearch indexes.
https://github.com/Yelp/elastalert

15. @jsendor
Analysis
● False positive?
● Wrong OS?
● Who is it?
● How did that malware get there?
● Is the machine really infected?

16. @jsendor

17. https://github.com/Yelp/osxcollector

18. Forensics Collected by OSXCollector
OS System Info Applications Browser History
Kernel Extensions Quarantines Email Info
Downloads Startup Items
Groups &
Accounts

19. OSXCollector output
path, hashes, timestamps, signature chain, ...
{
"file_path": "/System/Library/Extensions/Apple_iSight.kext/Contents/MacOS/Apple_iSight",
"sha2": "19b7b85eaedb17d9565dce872f0d1ea8fc0761f508f28bedcc8606b828cbf614",
"sha1": "99005b68295c202fd359b46cd1411acea96b2469",
"md5": "b8cc164b6546e4b13768d8353820b216",
"ctime": "2016-03-31 16:50:39",
"mtime": "2016-03-30 00:16:50",
"osxcollector_section": "kext",
"osxcollector_incident_id": "ChainsawNinja-2016_11_15-19_35_11",
"osxcollector_plist_path": "/System/Library/Extensions/Apple_iSight.kext/Contents/Info.plist",
"osxcollector_bundle_id": "com.apple.driver.Apple_iSight",
"signature_chain": [
"Software Signing",
"Apple Code Signing Certification Authority",
"Apple Root CA"
]
}

20. Manual analysis with grep and jq works pretty well
grep a time window
only urls in a time window
grep a single user
$ cat ChainsawNinja.json | grep '2016-11-15 19:3[2-8]'
$ cat ChainsawNinja.json | grep '2016-11-15 19:3[2-8]' | jq 'select(has("url")).url'
$ cat ChainsawNinja.json | jq 'select(.osxcollector_username=="kuba")|.'

21. $ sudo osxcollector.py -i ChainsawNinja
Wrote 35394 lines.
Output in ChainsawNinja_2016-11-15_19:43:13.tar.gz

22. OSXCollector Output Filters
Internal blacklists
Related files
Domain extraction
Threat intel APIs
Browser history filter
JSON
in
JSON
out

23. Automated
Malware
Incident
Response and
Analysis

24. Uploading OSXCollector output
ChainsawNinja_2016-11-15_19:43:13.tar.gz

25. S3 Event Notifications
ChainsawNinja_2016-11-15_19:43:13.tar.gz
ObjectCreated
AmiraS3EventNotifications

26. S3 Event Notifications
ChainsawNinja_2016-11-15_19:43:13.tar.gz
ObjectCreated
AmiraS3EventNotifications

27. S3 Event Notifications
ChainsawNinja_2016-11-15_19:43:13.tar.gz
ChainsawNinja_2016-11-15_19:43:13.tar.gz

28. Automated analysis
Internal blacklists
Related files
Domain extraction Threat intel APIs
Browser history filter

29. Uploading the results
ChainsawNinja_2016-11-15_19:43:13.json
ChainsawNinja_2016-11-15_19:43:13.html

30. ● Domains and hashes found on the blacklist.
● Threat intel APIs hits for domains and file hashes.
● Blacklist suggestions.
Analysis results

31. Prerequisites:
● SQS queue for the S3 event notifications.
● S3 bucket configured to send S3 event notifications.
● (optional) Another S3 bucket for the analysis results.
Running AMIRA

32. from amira.amira import AMIRA
amira = AMIRA('us-west-1', 'AmiraS3EventNotifications')
# register results uploader
from amira.s3 import S3ResultsUploader
s3_results_uploader = S3ResultsUploader('amira-results-bucket')
amira.register_results_uploader(s3_results_uploader)
# Ready, set, GO!
amira.run()

33. 1. Trigger OSXCollector via inventory management system.
2. Upload the results to an S3 bucket*.
3. Profit!
Automated forensics collection
*hint: use create-only rights in the S3 bucket policy

34. #!/bin/bash
file="$1"
bucket="$2"
echo "Uploading file $file to bucket $bucket"
resource="/${bucket}/${file}"
contentType="application/x-compressed-tar"
dateValue=`date -u +"%a, %d %b %Y %T GMT" `
stringToSign="PUTnn${contentType}n${dateValue}n${resource}"
s3Key="$3"
s3Secret="$4"
signature=`echo -en ${stringToSign} | openssl sha1 -hmac ${s3Secret} -binary |
base64`
curl -X PUT -T "${file}"
-H "Host: ${bucket}.s3.amazonaws.com"
-H "Date: ${dateValue}"
-H "Content-Type: ${contentType}"
-H "Authorization: AWS ${s3Key}:${signature}"
"https://${bucket}.s3.amazonaws.com/${file}" | cat

35. Automation FTW
Before
1-2 days
Now
Several minutes,
up to a couple of
hours in the worst
case

36. Initial triage // Malware Analyst
Forensics collection // AMIRA
Forensics analysis // AMIRA/Malware Analyst
Final remediation // IT Engineer
Malware incident response process

37. ● Automated process equal less human errors
● No need for physical collection.
● More proactive forensics collection.
Auto-win

38. https://github.com/Yelp/amira
Try it out!

39. @jsendor
Phishing

40. @jsendor
● employee education
● email alias for reporting phishing attempts
● reward positive behavior
● automated email scanning
Phishing

41. @jsendor
Analyzing phishing emails
● analyze message headers
● detonate attachments
● past user interaction
● who else received it?
● https://www.phishtank.com/

43. @jsendor
Remediation
wipe!

44. @jsendor
Remediation, more seriously
● DNS/firewall blocking
● update IoCs (Indicators of Compromise)
● block/quarantine email senders
● whitelisting
● communication

45. @jsendor
Recap
Detect Analyze Remediate
● endpoint protection
● network monitoring
● SIEM
● employees
● collect forensics
● correlate
information
● automated analysis
● wipe :(
● block at
DNS/firewall
● blacklist/whitelist
● educate

46. @jsendor
Improving the response process
faster response
better tools education
reduce the
number of
false positives

48. @YelpEngineering
fb.com/YelpEngineers
engineeringblog.yelp.com
github.com/yelp