Here is an updated version of the presentation I made at the RMLL in July 2013. This talk have been giving at InfoSecurity.nl in October 2013.

1. What Will You
Investigate Today?
InfoSecurity.nl 11/2013 - Xavier Mertens

2. $ whoami
• Xavier Mertens (@xme)
!
• Consultant @ day
!
• Blogger @ night
!
• BruCON co-organizer
TrueSec
2

3. $ cat disclaimer.txt
“The opinions expressed in this presentation
are those of the speaker and do not necessarily
reflect those of past, present employers,
partners or customers.”
TrueSec
3

4. Agenda
• Introduction
• Interesting protocols
• Public resources
• Toolbox
TrueSec
4

5. Feeling This?
TrueSec
5

6. Or This?
TrueSec
6

7. Me? Breached?
• In 66% of investigated incidents, detection
was a matter of months or even more
• 69% of data breaches are discovered by
third parties
(Source:Verizon DBIR 2012)
TrueSec
7

8. “Grepping” for Gold
• Tracking users
• Suspicious traffic
• Out-of-business
• Compliance
• Exfiltration
• “Below the radar”
TrueSec
8

9. Sources
• OS / Applications Events
• Network protection
(FW, ID(P)S, Proxies, etc)
• Users Credentials
• IP, Domains, URLs
• Filenames, Database rows
• Hashes (MD5, SHA1)
• Metadata
TrueSec
9

10. IOC
“In computer forensics, an Indicator of
Compromise is an artefact observed on a
network or in operating system that with high
confidence indicates a computer intrusion.”
(Source: wikipedia.org)
TrueSec
10

11. Multiple Sources
• Automatic (logfiles, events)
• Online repositories
• Internal resources
• Developers!
TrueSec
11

12. Classification
• Tag your events with “classification” info
• Help you to build better detection schemes
attack, reconnaissance, scan, auth_success, auth_fail,
firewall_allow, firewall_drop, etc
info, warning, error, critical, emergency
TrueSec
12

13. “Active” Lists
• Temporary or suspicious information to
track and dynamically updated
• Examples:
Contractors, Admins,Terminated Accounts,
Countries (GeoIP)
• If grep(/$USER/, @ADMINS) { ... }
TrueSec
13

14. Correlation
Your
Recipes
Evidences
TrueSec
14

15. Visibility!
TrueSec
15

16. Agenda
• Introduction
• Interesting protocols
• Public resources
• Toolbox
TrueSec
16

17. Golden Rule
“Anything unknown must be considered
as suspicious”
TrueSec
17

18. DNS
• No DNS, no Internet!
• Can help to detect data exfiltration,
communications with CC (malwares)
• Alert on any traffic to untrusted DNS
• Allow only local DNS as resolvers
• Investigate for suspicious domains
• Track suspicious requests (TXT)
TrueSec
18

19. HTTP
• HTTP is the new TCP
• Investigate for suspicious domains
• Inspect HTTPS
(Check with your legal dept before playing
MitM!)
• Search for interesting hashes
TrueSec
19

20. SMTP
•
• Track outgoing emails
• Investigate for suspicious domains
Because it remains the 1st infection path!
TrueSec
20

21. Netflow
• Analyze network flows
• Src Port
• Src IP
• Dst Port
• Dst IP
• Timestamp
TrueSec
21

22. Agenda
• Introduction
• Interesting protocols
• Public resources
• Toolbox
TrueSec
22

23. IP Addresses
• http://www.malwaredomainlist.com/
hostslist/ip.txt
• Correlate your firewall logs
• GeoIP
TrueSec
23

24. IP Addresses
• http://dshield.org
• http://zeustracker.abuse.ch/blocklist.php
• http://www.nothing.org/honeypots.php
TrueSec
24

25. Domains
• DNS-BH (malwaredomains.com)
http://mirror1.malwaredomains.com/files/domains.txt
http://mirror1.malwaredomains.com/files/spywaredomains.zones
http://www.malwaredomainlist.com/hostslist/hosts.txt
• spam404bl.com/blacklist.txt
• Correlate your resolver logs
TrueSec
25

26. URLs
• http://malwareurls.joxeankoret.com/
normal.txt
• http://hosts-file.net/
• http://www.malware.com.br/
• http://malc0de.com/bl/
• http://scumware.com
TrueSec
26

27. Hashes
• http://malware.lu
• http://virustotal.com
• http://www.malwr.com
TrueSec
27

28. $ cat disclaimer2.txt
“Data are provided for ‘free’ but the right to us
can be restricted to specific conditions (ex:
cannot be re-used for commercial applications).
Always read carefull the terms of use. Some
services require prior registration and use of
APIs”
TrueSec
28

29. OSINT
“Set of techniques to conduct regular
reviews and/or continuous monitoring over
multiple sources, including search engines,
social networks, blogs,
comments, underground
forums, blacklists/whitelists
and so on. “
TrueSec
29

30. OSINT
• Think “out of the box”!
• What identify you on the Internet?
• Domain names
• IP addresses
• Brand
• Monitor them!
TrueSec
30

31. Agenda
• Introduction
• Interesting protocols
• Public resources
• Toolbox
TrueSec
31

32. OpenIOC
• Open framework
• Sharing threat
intelligence
• XML based
TrueSec
32

33. URLs
•
Google SafeBrowsing
use Net::Google::SafeBrowsing2;
use Net::Google::SafeBrowsing2:::Sqlite;
my gsb = Net::Google::SafeBrowsing2-new(
key = “xxx”,
storage = Net::Google::SafeBrowsing2::Sqlite-new(file =
“google.db”)
);
$gsb-update();
my $match = $gsb-lookup(url = “http://evil.com”);
if ($match eq MALWARE) { ... }
TrueSec
33

34. Hashes
• http://blog.didierstevens.com/2013/05/03/
virustotal-searching-and-submitting/
• Example from Python:
import virustotal
api = virustotal.VirusTotalAPI(MYAPIKEY)
print api.get_file_report(resource=99017f6eebbac24f351415dd410d522d)
{report: [2010-04-13 23:28:27, {nProtect: ,
CAT-QuickHeal: ,
McAfee: Generic.dx!rkx,
TheHacker: Trojan/VB.gen,
VirusBuster: ,
NOD32: a variant of Win32/Qhost.NTY,
F-Prot: , Symantec: ,
Norman: ,
a-squared: Trojan.Win32.VB!IK, ...}],
permalink: http://www.virustotal.com/file-scan/report.html?id=a8...,
result: 1}
TrueSec
34

35. IP Reputation
• http://isc.sans.edu/api/ip/50.46.90.187
• Example received in XML:
ip
number50.46.90.187/number
count186/count
attacks27/attacks
maxdate2013-10-26/maxdate
mindate2013-08-30/mindate
updated2013-10-27 04:34:04/updated
country/country
as5650/as
asname
FRONTIER-FRTR - Frontier Communications of America, Inc.
/asname
network50.32.0.0/12/network
comment/
/ip
TrueSec
35

36. pastebin.com
• A gold mine for exfiltrated data!
• Interesting search:
• Logins
• Email addresses
• IPs, domains
• Tool: pastemon.pl
• https://github.com/xme/pastemon
TrueSec
36

37. Data Parsers
• d3.js Javascript library
• Example of implementation: malcom
(Malware Communications Analyzer)
• https://github.com/tomchop/malcom
TrueSec
37

38. Data Parser
TrueSec
38

39. Offline Honeypots
• Fake .conf file on the
desktop
• Fake row in a SQL DB
• Track activity using your
IDS or SIEM
TrueSec
39

40. The Conductor
• OSSEC
• Log Management
• Active-Response
• Powerful alerts engine
TrueSec
40

41. Online Tools
• http://urlquery.net
• http://bgpranking.circl.lu/
• http://www.informatica64.com/foca.aspx
• http://virustotal.com
TrueSec
41

42. Conclusions
• Know your environment
• You have plenty of useful (big)data
• Free software can help you (but the project is
not free)
• To do good defensive security, know your enemy!
(learn how bad guys work)
TrueSec
42

43. Questions?
@xme
xavier@rootshell.be
http://blog.rootshell.be
https://www.truesec.be
TrueSec
43