HITB LAB: Identifying Threats in Raw Data Events: A Practical ...

Introduction Criminilogy: case studies Detection Creating own IOCs EOF

HITB LAB: Identifying Threats in Raw DataEvents: A Practical Approach for Enterprises

Vladimir Kropotov, Vitaly Chetvertakov, Fyodor YarochkinHITB 2014

Affilations: Academia Sinica, o0o.nu, chroot.org

October 16, 2014, Kuala-Lumpur


Outline

Introduction

Criminilogy: case studies

Detection

Creating own IOCs

EOF

2/150


Overview

Introduction


Detection

Creating own IOCs

EOF

3/150


LAB

our demo IP 100.123.7.111

4/150


Everyone is p0wn3d :)

5/150


Challenges

Main Assumption: All networks are compromisedThe difference between a good security team and a bad security team isthat with a bad security team you will never know that you’ve beencompromised.

6/150


Statistic speaks

I about 40,000,000 internet users in RussiaI for every 10,000 server hosts 500 hosts trigger redirects to malicious

content per weekI about 20-50 user machines (full AV installed, NAT, FW) get ..affected

7/150


Overview

Introduction


Detection

Creating own IOCs

EOF

8/150


Forumology

Forumology - what we can learn by following the trading forums.

9/150


Forumology - recent compromise signs

date: - 01-09-2014

10/150


Forumology: targetted attack queries

11/150


Forumology: obfuscation patterns

crypto, free service

12/150


Forumology: sensitive data monetization

13/150


Forumology: social groups buying request withleaked attribution in social network

14/150


Forumology: google play apps rating manipulation

15/150


Forumology: shells and traffic wo direct victimsattribution

I priority sales to individuals with high forum reputationI one hands only saleI reachable trough following contact:

16/150


Campaigns

Domain category Campaign dates unique hosts/dayria.ru news Summer 2013 – Summer 2014 ~ 1 600 000rg.ru news Autumn 2013 ~ 790 000newsru.com news Winter 2013 – Spring 2014 ~ 590 000gazeta.ru news Spring 2013 - Autumn 2013 ~ 490 000aif.ru news Spring 2013 - Winter 2013 ~ 330 000mk.ru news Summer 2013 - Autumn 2013 ~ 315 000inosmi.ru news Summer 2014 ~ 290 0003dnews.ru news Winter 2013 – Summer 2014 ~ 185 000vz.ru news Winter 2013 – Summer 2014 ~ 170 000topnews.ru news Spring 2013 - Autumn 2013 ~ 140 000

17/150


Campaigns(2)

Domain category When seen unique hosts/dayYoutube.com Summer 2013 - Winter 2014 Alexa N 3mail.ru email Winter 2013 - Spring 2014 Alexa N 40auto.ru Autos Summer 2014 - Autumn 2014 ~320 000soccer.ru Sport Winter 2014 ~220 000irr.ru Ad Boards Spring 2014 - Autumn 2014 ~175 000job.ru HR Autumn 2014 ~140 000glavbukh.ru Accountants Spring 2013 - Summer 2014 ~70 000hr-portal.ru Finance / HR Winter 2013 - Spring 2014 ~55 000tks.ru Finance Summer 2013 - Spring 2014 ~38 000Bankir.ru Finance Spring 2013 - Autumn 2014 ~33 000

18/150


Intermediate victims, EDU and forums

19/150


Intermediate victims, forums

20/150


Intermediate victims, companies (1)

21/150



22/150



23/150



24/150



25/150



26/150


Intermediate victims, regional gvt related(1)

27/150



28/150



29/150



30/150



31/150


Participants, other (mail delivery service)

32/150


Participants, other (anti debugging)

33/150


Seen on forum:

Google redirect:

34/150


Participants, other, (known referrers. . . .)

!!!!! Insert near google load sells(Google redirect:)

35/150


EK/malware serving hosts by country

36/150


Target victim traffic costs

37/150


Case studies:

I commercial crimeI not-monetary-profit oriented crime

lets take a look at first type:

38/150


Intermediate victims

Intermediate victims are target too, such as free DNS hostings:

fbps . 1 403883 .mar2 . a f r a id . orgju7a . 1403883 .mar2 . a f r a id . orgwzet . 1 403883 .mar2 . a f r a id . orggatw .1403883 .mar2 . a f r a id . orgkfzv . 1403883 .mar2 . a f r a id . orgoxdo . 1403883 .mar2 . a f r a id . org

39/150


Legit domain abuse

domain : SCHOOLOPROS.RUnserver : ns1 . a f r a id . org .nserver : ns2 . a f r a id . org .s t a t e : REGISTERED , DELEGATED, VERIFIEDorg : LLC "GKShP"r e g i s t r a r : RU−CENTER−REG−RIPNadmin−contac t : h t tps ://www. nic . ru/whoiscrea ted : 2010 . 01 . 25

40/150


Domain rotation

http://www.residensea.jp/xuaioxc.phphttp://firenzeviaroma.ru/dqryony.phphttp://sphynxtoutnu.com/dnqaibb.phphttp://www.icmjapan.co.jp/dgttcnm.phphttp://www.controlseal.nl/yolelkx.phphttp://ural.zz.mu/ledstsn.phphttp://www.fotobit.pl/cpjjpei.phphttp://bgcarshop.com/tgghhvy.phphttp://www.borkowski.org/fudbqrf.phphttp://shop.babeta.ru/puthnkn.phphttp://e-lustrate.us/mycbbni.phphttp://notarypublicconcept.com/shfvtpx.phphttp://www.stempelxpress.nl/vechoix.phphttp://64.68.190.53/dqohago.phphttp://likos.orweb.ru/oydochh.phphttp://wap.warelex.com/parpkeu.php

41/150

http://www.residensea.jp/xuaioxc.php

http://firenzeviaroma.ru/dqryony.php

http://sphynxtoutnu.com/dnqaibb.php

http://www.icmjapan.co.jp/dgttcnm.php

http://www.controlseal.nl/yolelkx.php

http://ural.zz.mu/ledstsn.php

http://www.fotobit.pl/cpjjpei.php

http://bgcarshop.com/tgghhvy.php

http://www.borkowski.org/fudbqrf.php

http://shop.babeta.ru/puthnkn.php

http://e-lustrate.us/mycbbni.php

http://notarypublicconcept.com/shfvtpx.php

http://www.stempelxpress.nl/vechoix.php

http://64.68.190.53/dqohago.php

http://likos.orweb.ru/oydochh.php

http://wap.warelex.com/parpkeu.php


Domain rotationI over 500 compromised domainsI rotation once every 3 minutes

42/150


malware hosting, on legit domains (stolen creds,vulns, etc.)

43/150


malware hosting on legit domains

44/150



45/150



46/150



47/150



48/150



49/150


Lurk Campaign

Historical overview

(http://malware.dontneedcoffee.com/2014/08/angler-ek-now-capable-of-fileless.html?m=1)

I but actually lurk campaign is at least 3 years old. (and mainlytargetting .ru IP ranges).

50/150

http://malware.dontneedcoffee.com/2014/08/angler-ek-now-capable-of-fileless.html?m=1

http://malware.dontneedcoffee.com/2014/08/angler-ek-now-capable-of-fileless.html?m=1


Lurk in the news and News distribute Lurk. . .

"For purposes of analysis, we selected two information resources which weknew had been used to distribute the malware— http://www.ria.ru/ (amajor Russian news agency) and http://www.gazeta.ru/ (a popularonline newspaper). " (http://securelist.com/blog/virus-watch/32383/a-unique-bodiless-bot-attacks-news-site-visitors-3/)Intermediate victims:

I ria.ruI gazeta.ru

51/150

http://www.ria.ru/

http://www.gazeta.ru/

http://securelist.com/blog/virus-watch/32383/a-unique-bodiless-bot-attacks-news-site-visitors-3/

http://securelist.com/blog/virus-watch/32383/a-unique-bodiless-bot-attacks-news-site-visitors-3/


Lurk in 2011

Intermediate victims:I glavbukh.ruI inosmi.ruI ria.ruI riarealty.ruI ura.ru

date referrer ip url03/Nov/2011:14:36:57 http://ria.ru/incidents/ 50.97.204.116 http://as5t3hjlsddk.com/BVRQ03/Nov/2011:14:47:44 http://inosmi.ru/ 50.97.204.116 http://as5t3hjlsddk.com/BVRQ03/Nov/2011:14:52:03 http://www.ura.ru/ 50.97.204.116 http://as5t3hjlsddk.com/BVRQ

52/150

http://ria.ru/incidents/

http://as5t3hjlsddk.com/BVRQ

http://inosmi.ru/


http://www.ura.ru/



Other patricipants of Winter-Spring 2012 CampaignIntermediate victims:

I banki.ruI fas.gov.ruI glavbukh.ruI infox.ruI infox.ruI inosmi.ruI klerk.ruI newsru.comI pravda.ruI riarealty.ruI slon.ruI ura.ru

53/150


Lurk in the news and News distribute Lurk. . . (2)

Targeted web infections _ Nov 08 2012 (http://securelist.ru/blog/intsidenty/3546/targetirovanny-e-veb-zarazheniya-2/)Intermediate victims:

I interfax.ruI Vesti.ruI gazeta.ruI vz.ruI ura.ru

54/150

http://securelist.ru/blog/intsidenty/3546/targetirovanny-e-veb-zarazheniya-2/

http://securelist.ru/blog/intsidenty/3546/targetirovanny-e-veb-zarazheniya-2/


Timeline of Summer- Autumn 2012 -

Intermediate victims:

date ref. dom ip port method url apptype bytes out/in8/17/2012 12:29 3dnews.ru 207.182.136.150 80 GET http://jiujitrolam.info/2T4T text/html 290/580678/17/2012 12:29 rian.ru 207.182.136.150 80 GET http://jiujitrolam.info/2T4T text/html 535/45118/17/2012 13:38 tks.ru 207.182.136.150 80 GET http://jiujitrolam.info/2T4T text/html 370/59729/4/2012 14:16 3dnews.ru 91.216.163.76 80 GET http://kalmadrezant.info/7GIC text/html 339/568709/13/2012 13:18 newsru.com 184.22.165.170 80 GET http://cdmalinkrating.net/7GIC text/html 607/580669/17/2012 12:50 tks.ru 184.22.165.170 80 GET http://responsesforemost.org/7GIC text/html 668/580759/17/2012 13:38 slon.ru 184.22.165.170 80 GET http://responsesforemost.org/7GIC text/html 728/1949/18/2012 11:54 rian.ru 184.22.165.170 80 GET http://oggmoreripples.com/7GIC text/html 1160/19410/10/2012 11:35 vesti.ru 91.121.152.84 80 GET http://deployspostsale.net/7GIC text/html 722/5803710/12/2012 13:34 gazeta.ru 91.121.152.84 80 GET http://personallymainframes.net/7GIC text/html 618/5808411/2/2012 14:12 vesti.ru 91.121.152.84 80 GET http://accuracyuploadonly.net/7GIC text/html 290/58078

(*) rian.ru + vesti.ru + gazeta.ru + newsru.com + 3dnews.ru + slon.ru > 40000 000 uniq visitors per day. . .

55/150

http://jiujitrolam.info/2T4T



http://kalmadrezant.info/7GIC

http://cdmalinkrating.net/7GIC

http://responsesforemost.org/7GIC

http://responsesforemost.org/7GIC

http://oggmoreripples.com/7GIC

http://deployspostsale.net/7GIC

http://personallymainframes.net/7GIC

http://accuracyuploadonly.net/7GIC


Campaign Autumn 2012 knocking to the Master

Proof logs:

date ip port method url bytes out/in11/2/2012 14:13 184.173.226.246 80 POST http://rime41claim.com/search?hl=us&source=hp&q=22282240&aq=f&aqi=&aql=&oq= 3041/25611/2/2012 14:13 184.173.226.245 80 GET http://landlady48s.com/search?hl=us&source=hp&q=58959&aq=f&aqi=&aql=&oq=58959 831/33611511/2/2012 14:14 184.173.226.246 80 POST http://rime41claim.com/search?hl=us&source=hp&q=1000000000503347&aq=f&aqi=&aql=&oq= 241/252

56/150

http://rime41claim.com/search?hl=us&source=hp&q=22282240&aq=f&aqi=&aql=&oq

http://landlady48s.com/search?hl=us&source=hp&q=58959&aq=f&aqi=&aql=&oq=58959

http://rime41claim.com/search?hl=us&source=hp&q=1000000000503347&aq=f&aqi=&aql=&oq


Winter 2012-2013 Campaign

I new sigs ISOQ (old sigs 2T4T, 7GIC BVRQ)I sploit 0ISOQjqI payload 1ISOQjq

57/150


Stats

date ref. dom ip port method url apptype bytes out/in22.01.2013 16:33 vesti.ru 64.79.67.220 80 GET http://cetapetrar.info/ISOQ text/html28.01.2013 15:15 vz.ru 64.79.67.220 80 GET http://mgsinterviews.biz/ISOQ text/html 629/5821428.01.2013 15:15 - 64.79.67.220 80 GET http://mgsinterviews.biz/0ISOQjq application/java-archive 668/2146028.01.2013 15:15 - 64.79.67.220 80 GET http://mgsinterviews.biz/1ISOQjq application/octet-stream 597/1232802013-02-05 15:27 vz.ru 208.110.73.74 80 GET http://ferpolokas.info/ISOQ text/html 366/5706108.02.2013 15:26 3dnews.ru 208.110.73.75 80 GET http://footmanage.info/XZAH text/html2/11/2013 16:22 vz.ru 208.110.73.75 80 GET http://croppingvietnam.biz/XZAH text/html 478/19419.02.2013 15:13 klerk.ru 208.110.73.75 80 GET http://interfacesfeaturelimited.org/XZAH text/html2/20/2013 12:52 newsru.com 208.110.73.75 80 GET http://solvesautoplay.info/XZAH text/html 653/582332/20/2013 12:52 - 208.110.73.75 80 GET http://solvesautoplay.info/0XZAHwj application/java-archive 684/214222/20/2013 12:52 - 208.110.73.75 80 GET http://solvesautoplay.info/1XZAHwj application/octet-stream 613/11918420.02.2013 12:52 newsru.com 208.110.73.75 80 GET http://solvesautoplay.info/XZAH text/html20.02.2013 13:22 vz.ru 208.110.73.75 80 GET http://solvesautoplay.info/XZAH text/html20.02.2013 13:24 vesti.ru 208.110.73.75 80 GET http://solvesautoplay.info/XZAH text/html3/5/2013 13:51 glavbukh.ru 208.110.73.75 80 GET http://birdsricher.info/XZAH text/html 619/1943/6/2013 14:32 klerk.ru 74.82.203.10 80 GET http://comprisefuse.info/XZAH text/html 875/194

58/150

http://cetapetrar.info/ISOQ

http://mgsinterviews.biz/ISOQ

http://mgsinterviews.biz/0ISOQjq

http://mgsinterviews.biz/1ISOQjq

http://ferpolokas.info/ISOQ

http://footmanage.info/XZAH

http://croppingvietnam.biz/XZAH

http://interfacesfeaturelimited.org/XZAH

http://solvesautoplay.info/XZAH

http://solvesautoplay.info/0XZAHwj

http://solvesautoplay.info/1XZAHwj




http://birdsricher.info/XZAH

http://comprisefuse.info/XZAH


Summer 2013: Landing pattern change to"indexm.html"

date ref. dom ip port method url apptype bytes out/in21/Aug/2013:11:53 tks.ru 70.32.39.108 80 GET http://frilpertesemota.info/indexm.html 585/20321/Aug/2013:11:53 tks.ru 70.32.39.108 80 GET http://frilpertesemota.info/054RIwj 4999/08/23/2013 12:58 slon.ru 173.234.60.86 80 GET http://sabretensar.info/indexm.html 4137/46003.09.2013 14:12 rg.ru 173.234.60.83 80 GET http://miopades.info/indexm.html09.09.2013 14:49 tks.ru 209.123.8.35 80 GET http://kilkadukas.info/indexm.html9/20/2013 12:50 gazeta.ru 216.55.166.53 80 GET http://lpakuwiera.info/indexm.html text/html 157/10259/20/2013 13:52 rg.ru 216.55.166.53 80 GET http://lpakuwiera.info/indexm.html 4134/6139/23/2013 12:41 aif.ru 209.123.8.183 80 GET http://liapolasens.info/indexm.html 4137/334

59/150

http://frilpertesemota.info/indexm.html

http://frilpertesemota.info/054RIwj

http://sabretensar.info/indexm.html

http://miopades.info/indexm.html

http://kilkadukas.info/indexm.html

http://lpakuwiera.info/indexm.html

http://lpakuwiera.info/indexm.html

http://liapolasens.info/indexm.html


Debugging of fingerprinting mechanism? Sep 2013

http://ljiartwbvsa.info/indexm.html text/htmlhttp://ljiartwbvsa.info/054RIdl application/x-shockwave-flashhttp://ljiartwbvsa.info/counter.php?t=f&v=win%2011,7,700,169&a=true text/htmlhttp://ljiartwbvsa.info/354RIcx text/htmlhttp://ljiartwbvsa.info/s.php?qt=null&fl=11,7,700,169&sw=null&ar=null&jv=null&sl=5,1,20513,0 text/htmlhttp://ljiartwbvsa.info/054RIcx

60/150

http://ljiartwbvsa.info/indexm.html

http://ljiartwbvsa.info/054RIdl

http://ljiartwbvsa.info/counter.php?t=f&v=win%2011,7,700,169&a=true

http://ljiartwbvsa.info/354RIcx

http://ljiartwbvsa.info/s.php?qt=null&fl=11,7,700,169&sw=null&ar=null&jv=null&sl=5,1,20513,0

http://ljiartwbvsa.info/054RIcx


Fresh news from the field

date ref. dom ip port method url apptype bytes out/in8/20/2014 16:57 auto.ru 188.165.229.195 80 GET http://kopwa.linogeraxa.info/indexm.html 189/3539/1/2014 12:02 irr.ru 188.165.229.195 80 GET http://apobda.kiqpoltar2.in/indexm.html 4251/61801/Sep/2014:16:54 bankir.ru 188.165.229.195 80 GET http://snkua.kiqpoltar2.in/indexm.html 634/70279/4/2014 14:16 smotri.com 188.165.229.195 80 GET http://xbxa72.bsoyetrad.in/indexm.html 4248/43304/Sep/2014:12:03 auto.ru 188.165.229.195 80 GET http://snkua.kiqpoltar2.in/indexm.html application/x-empty 593/690304/Sep/2014:15:26 irr.ru 188.165.229.195 80 GET http://boreas.gohasellor.info/indexm.html text/html 436/8249304/Sep/2014:15:26 188.165.229.195 80 GET http://boreas.gohasellor.info/3MSKMcx text/html 344/118104/Sep/2014:15:26 188.165.229.195 80 GET http://boreas.gohasellor.info/sxvutirwbfexedbjmqqn.html text/xml 362/162904/Sep/2014:15:56 job.ru 188.165.229.195 80 GET http://boreas.gohasellor.info/indexm.html application/x-empty 696/18205/Sep/2014:15:24 bankir.ru 188.165.229.195 80 GET http://snkua.kiqpoltar2.in/indexm.html 634/7027

61/150

http://kopwa.linogeraxa.info/indexm.html

http://apobda.kiqpoltar2.in/indexm.html

http://snkua.kiqpoltar2.in/indexm.html

http://xbxa72.bsoyetrad.in/indexm.html


http://boreas.gohasellor.info/indexm.html

http://boreas.gohasellor.info/3MSKMcx

http://boreas.gohasellor.info/sxvutirwbfexedbjmqqn.html

http://boreas.gohasellor.info/indexm.html



Mitigation experience and aftereffects

I Abusing hosting (you can loose the chain, criminals just pay $50 forother hosting)

I Abusing registarI Abusing DNSI Forensic evidence collection and actor attributionI Interaction with CERTs and AuthoritiesI Informing victims directly

62/150


MacOS botnet: a Kaiten variant in actionI Kaiten/Tsunami is an open-source irc-controlled DDoS botI Observed large infection of MacOS machines in Sept-2014 (starting on

02-09-2014)I initial infection vector: yet unknownI Observation: 2014-09-02 - nowI target - mainly .CN (mostly), TWI small number in KR, NP, JP, MYI iocs:

Executables :cbf5a6d2fba422caa5913e48ef68a6abhttp : //5 . 1 0 4 . 1 0 6 . 1 9 0/ . . . / cores

98bb67d91476d8ac4e71d39c92564b3bhttp :// l inux . microsoftwindowsupdate . org/poke . sh

63/150


IOCs

64/150


IOCs

IOCs5 . 1 0 4 . 1 0 6 . 1 9 0− eventuallydown . dyndns . b iz− f a s t foodz . dlinkddns . com− updates . dyndn−web . com54 . 6 8 . 5 3 . 1 8− f l i pp i n f l op s . dyndns . tv

65/150


Indicators

I Hosted on german IP and Amazon ec2. Hosts an IRC server, DNSserver, Web server (used to wget new binaries/updates).

I controlled from an .il IP address

i r c se rver s1 9 2 . 3 1 . 1 8 6 . 48 5 . 2 1 4 . 4 5 . 2 0 8− eichwalde . de− ho r t bun t s t i f t e . de− channel # c o r e

66/150


Kaiten ops:I controlled by iseee [email protected] PRIVMSGs commands, manipulates DNS resolver settings

67/150


Kaiten conclusions

I 18247 Unique IP addresses within 3 daysI 3k bots are simultaneouslyI Botnet growth limited by IRC server stability

68/150


Targetted campaigns

APT != STATE SPONSOREDI Q: Why so many APT-like activities out of .cn?I A: A different market structure. (Data worth money)

69/150


APT ..?Interesting correlations:

70/150


Bad guys in your net ;-)

coming from a KR IP address (bounce), redirecting a shell to CHINANETSICHUAN :)14.63.225.20 and 118.123.116.177 -http://bobao.360.cn/learning/detail/43.html

71/150

http://bobao.360.cn/learning/detail/43.html


Overview

Introduction


Detection

Creating own IOCs

EOF

72/150


Hands ON

I molochhttps://100.123.7.111:8005user adminpassword hitb2014

73/150

https://100.123.7.111:8005


Detection

Detection: tools and techniques

74/150


Good thing to assume

If you are under attack, your AV,Firewalls, IDS, are in THE ATTACKERTHREATS MODEL. The option you have - read between the lines.When you are compromised, what is the action plan?

75/150


Some Useful toolsDeveloped by us:

I http://github.com/fygrave/ndfI http://github.com/fygrave/hntp

3rd party:I fiddlerI elasticsearch && http://github.com/aol/moloch (vm)

and our 0mq pluginI yaraI hpfeeds https://github.com/rep/hpfeedsI CIF https://github.com/collectiveintel/cif-v1I https://github.com/STIXProject/ - openioc-to-stix converterI https://github.com/MISP/MISP - malware information sharing

platform

76/150

http://github.com/fygrave/ndf

http://github.com/fygrave/hntp

http://github.com/aol/moloch

https://github.com/rep/hpfeeds

https://github.com/collectiveintel/cif-v1

https://github.com/STIXProject/

https://github.com/MISP/MISP


Introduction:terminology

Indicators of CompromiseIndicator of compromise (IOC) in computer forensics is an artifactobserved on network or in operating system that with high confidenceindicates a computer intrusion.http://en.wikipedia.org/wiki/Indicator_of_compromise

77/150

http://en.wikipedia.org/wiki/Indicator_of_compromise


AV model brokenWhy AV model is broken?

I AV detection/monitoringhttp://viruscheckmate.com/id/OByt539VwEcQ

78/150

http://viruscheckmate.com/id/OByt539VwEcQ


Why Indicators of compromise

Indicators of Compromise help us to answer questions like:I is this document/file/hash malicious?I is there any past history for this IP/domain?I what are the other similar/related domains/hashes/..?I who is the actor?I am I an APT target?!!;-)

79/150


An Example

A Network compromise case study:I Attackers broke via a web vuln.I Attackers gained local admin accessI Attackers created a local userI Attackers started probing other machines for default user idsI Attackers launched tunneling tools – connecting back to C2I Attackers installed RATs to maintain access

80/150


Indicators

So what are the compromise indicators here?I Where did attackers come from? (IP)I What vulnerability was exploited? (pattern)I What web backdoor was used? (pattern, hash)I What tools were uploaded? (hashes)I What users were created locally? (username)I What usernames were probed on other machines

81/150


Good or Bad?

F i l e Name : RasTls . exeF i l e S ize : 105 kBF i l e Modif icat ion Date/Time : 2009 : 02 : 09 19 : 42 : 05+08 : 00F i l e Type : Win32 EXEMIME Type : app l i ca t i on/oc te t−streamMachine Type : I n t e l 386 or l a t e r , and compatiblesTime Stamp : 2009 : 02 : 02 13 : 38 : 37+08 : 00PE Type : PE32Linker Version : 8 . 0Code Size : 49152I n i t i a l i z e d Data S ize : 57344Un in i t i a l i z ed Data S ize : 0Entry Point : 0x3d76OS Version : 4 . 0Image Version : 0 . 0Subsystem Version : 4 . 0Subsystem : Windows GUIF i l e Version Number : 1 1 . 0 . 4 0 1 0 . 7Product Version Number : 1 1 . 0 . 4 0 1 0 . 7F i l e OS : Windows NT 32−b i tObject F i l e Type : Executable app l i ca t i onLanguage Code : Engl ish (U. S . )Character Set : Windows , Lat in1Company Name : Symantec CorporationF i l e Descr ipt ion : Symantec 802 .1 x Suppl icantF i l e Version : 1 1 . 0 . 4 0 1 0 . 7In t e rna l Name : dot1xtray

82/150


It really depends on contextRasTls .DLLRasTls .DLL.mscRasTls . exehttp://msdn.microsoft.com/en-us/library/ms682586(v=VS.85).aspxDynamic-Link Library Search Order

83/150

http://msdn.microsoft.com/en-us/library/ms682586(v=VS.85).aspx


IOC representations

Multiple standards have been created to facilitate IOC exchanges.I Madiant: OpenIOCI Mitre: STIX (Structured Threat Information Expression), CyBOX

(CyberObservable Expression)I Mitre: CAPEC, TAXIII IODEF (Incident Object Description Format)

84/150


Standards: OpenIOCOpenIOC - Mandiant-backed effort for unform representation of IOC (nowFireEye) http://www.openioc.org/

85/150

http://www.openioc.org/


OpenIOCsDig i t a l Appendices/Appendix G ( D ig i t a l ) − IOCs$ l s0 c7c902c−67f8−479c−9f44−4d985106365a . ioc 6bd24113−2922−4d25−b490−f727f47ba948 . iocad521068−6f18−4ab1−899c−11007a18ec73 . ioc12 a40bf7−4834−49b0−a419−6abb5fe2b291 . ioc 70b5be0c−8a94−44b4−97a4−1e95b09498a8 . ioca f5 f 65 f c−e1ca−45db−88b1−6ccb7191ee6a . ioc2106 f0d2−a260−4277−90ab−edd3455e31fa . ioc 7c739d52−c669−4d51−ac15−8ae66305e232 . iocAppendix G IOCs README. pdf26213db6−9d3b−4a39−abeb−73656acb913e . ioc 7d2eaadf−a5f f −4199−996e−af6258874dad . iocc32b8af3−28d0−47d3−801f−a2c2b0129650 . ioc2 b f f223 f−9e46−47a7−ac35−d35f8138a4c7 . ioc 7 f9a6986−f00a−4071−99d3−484c9158beba . iocc71b3305−85e5−4d51−b07c−f f 227181 fb5a . ioc2 fc55747−6822−41d2−bcc1−387 fc1b2e67b . ioc 806 bef f3 −7395−492e−be63−99a6b4a550b8 . iocc7fa2ea5−36d5−4a52−a6cf−ddc2257cb6f9 . ioc32b168e6−dbd6−4d56−ba2f −734553239 e fe . i oc 84 f04df2−25cd−4f59−a920−448d8843b6fc . i ocd14d5f09−9050−4769−b00d−30fce9e6eb85 . ioc3433dad8−879e−40d9−98b3−92ddc75f0dcd . ioc 8695bb5e−29cd−41b9−b8b1−a0d20a6b960d . iocd1c65316−cddd−4d9c−8efe−c539aa5965c0 . ioc3e01b786−fe3a−4228−95fa−c3986e2353d6 . ioc 86 e9b8ec−7413−453b−a932−b5fb95a8dba6 . iocd4f103f8−c372−49d1−b9f4−e127d61d0639 . ioc4 a2c5f60−f4c0−4844−ba1f−a14dac9fa36c . ioc 86 f988b7−fa02−46df−8e19−e50ce37f0 fed . iocd5e49501−c30d−41ae−b381−c3c473040c39 . ioc4d1ced5f−fe47−4ba4−be0e−81d547f3aa8a . ioc 8900aa6b−883d−48d3−a07d−d49b0429dd2b . iocd8240090−affd−466e−a39c−64add5b98813 . ioc5477b392−e565−45c5−9cb4−f561d6daeddc . ioc 8dd23e0a−a659−45b4−a168−67e4b00944fb . ioce928aac0−9f71−4adf−9978−4177345ec610 . ioc547 e4128−9dff−45d9−b90f−081ce3966dee . ioc 9c9368cd−3a1f−4200−b093−adb97d5f1f5d . ioceb91abad−afe0−4bd6−80f2−850d14a99308 . ioc56468547−6 cf5−4c66−af56−2543d4271482 . ioc a1f02cbe−7d37−4f f8−bad7−c5 f9 f7ea63a3 . iocece1846e−98d3−4ddc−a520−0dcda4866989 . ioc6091 c4ce−6d73−4202−a7a8−b52406fa4d77 . ioc a461f381−8612−4ce1−a0dc−68bcaca028d0 . iocfabdf553−b3ed−4bc9−9ac6−13d6bd174dad . ioc61695156−298c−4d77−ad7f−48feb562fb75 . ioc a486d837−9f05−4360−908e−b4244c24723d . iocfdfb2c22−d0c4−4bf0−8ea4−27d8d51f98ea . ioc

86/150


Standards: Mitre

Mitre CybOX: http://cybox.mitre.org/https://github.com/CybOXProject/Toolshttps://github.com/CybOXProject/openioc-to-cyboxMitre CAPEC:http://capec.mitre.org/Mitre STIX: http://stix.mitre.org/MitreTAXII http://taxii.mitre.org/

87/150

http://cybox.mitre.org/

https://github.com/CybOXProject/Tools

https://github.com/CybOXProject/openioc-to-cybox

http://capec.mitre.org/

http://stix.mitre.org/

http://taxii.mitre.org/


Mature: stix

88/150


Indicators of Compromise

I Complex IOCs covering all steps of attackI Dynamic creation of IOCs on the flyI Auto-reload of IOCs, TTLsI Dealing with different standards/import export

89/150


Exploit pack trace

url ip mime type refhttp://cuba.eanuncios.net/1/zf3z9lr6ac8di6r4kw2r0hu3ee8ad.html 93.189.46.222 text/html http://www.smeysyatut.ru/ 118162 413 200

http://cuba.eanuncios.net/2909620968/1/1399422480.htm 93.189.46.222 text/html http://cuba.eanuncios.net/1/zf3z9lr6ac8di6r4kw2r0hu3ee8ad.html 37432 441 200

http://cuba.eanuncios.net/2909620968/1/1399422480.jar 93.189.46.222 application/java-archive - 18451 323 200http://cuba.eanuncios.net/2909620968/1/1399422480.jar 93.189.46.222 application/java-archive - 18451 280 200http://cuba.eanuncios.net/f/1/1399422480/2909620968/2 93.189.46.222 - - 115020 244 200http://cuba.eanuncios.net/f/1/1399422480/2909620968/2/2 93.189.46.222 - - 327 246 200

90/150

http://cuba.eanuncios.net/1/zf3z9lr6ac8di6r4kw2r0hu3ee8ad.html

http://www.smeysyatut.ru/

http://cuba.eanuncios.net/2909620968/1/1399422480.htm

http://cuba.eanuncios.net/1/zf3z9lr6ac8di6r4kw2r0hu3ee8ad.html

http://cuba.eanuncios.net/2909620968/1/1399422480.jar

http://cuba.eanuncios.net/2909620968/1/1399422480.jar

http://cuba.eanuncios.net/f/1/1399422480/2909620968/2

http://cuba.eanuncios.net/f/1/1399422480/2909620968/2/2


Nuclearsploit pack

{ ’ Nuclearsploi tpack ’ : {’ step1 ’ : {’ f i l e s ’ : [ ’ wz3u6si8e5lh7k2tk5ox4ne6d8g . html ’ , ’ t3 f5y9a2bb3dl7z8gc4o6f . html ’ , ’ zf3z9lr6ac8di6r4kw2r0hu3ee8ad . html ’ , ’ r x3vb9qg6 lq8 l l 6 i j 4u2sa0xx3 ln8 l e . html ’ , ’ k2qx3dv0ey7lo3rp8q6ce4lw0fp0z . html ’ , ’ kz6tp7k4cx3h4j8kr3za5a . html ’ , ’ wq6ln7o4zj3d4fu8zc3a5sw . html ’ , ’ z2c8mg6h0df2n2ss8kd2e6k7y . html ’ ] ,’ domains ’ : [ ’ f a the r . fe r removi l . com’ , ’ t ha i . a l oha t r an s l l c . com’ , ’ cuba . eanuncios . net ’ , ’ duncan . disenocorporat ivo . com . ar ’ , ’homany . c o l l e c t i v e i t . com . au ’ , ’ privacy . t e r ap i a . org . ar ’ ] ,

’ arguments ’ : [ ] ,’ d i r e c t o r i e s ’ : [ ’ 1 ’ ] ,

’ ip ’ : [ ’ 9 3 . 1 8 9 . 4 6 . 2 0 1 ’ , ’ 9 3 . 1 8 9 . 4 6 . 2 0 3 ’ , ’ 9 3 . 1 8 9 . 4 6 . 2 2 2 ’ , ’ 9 3 . 1 8 9 . 4 6 . 2 2 4 ’ , ’ 9 3 . 1 8 9 . 4 6 . 2 3 3 ’ ] } ,’ step2 ’ : {’ f i l e s ’ : [ ’ 1399422480 .htm ’ , ’1399704720 .htm ’ , ’1399513440 .htm ’ , ’1399514040 .htm ’ ,’1399773300 .htm ’ ] ,’ domains ’ : [ ’ cuba . eanuncios . net ’ , ’ duncan . disenocorporat ivo . com . ar ’ , ’homany . c o l l e c t i v e i t . com . au ’ , ’ privacy . t e r ap i a . org . ar ’ ] ,’ arguments ’ : [ ] ,’ d i r e c t o r i e s ’ : [ ’ 2909620968 ’ , ’ 1 ’ , ’ 507640988 ’ , ’940276731 ’ , ’3957283574 ’ , ’ 952211704 ’ ] ,’ ip ’ : [ ’ 9 3 . 1 8 9 . 4 6 . 2 2 2 ’ , ’ 9 3 . 1 8 9 . 4 6 . 2 2 4 ’ , ’ 9 3 . 1 8 9 . 4 6 . 2 3 3 ’ ] } ,’ step3 ’ : {’ f i l e s ’ : [ ’ 1399422480 . j a r ’ , ’ 1399513440 . j a r ’ ] ,’ domains ’ : [ ’ cuba . eanuncios . net ’ , ’homany . c o l l e c t i v e i t . com . au ’ ] ,’ arguments ’ : [ ] ,’ d i r e c t o r i e s ’ : [ ’ 2909620968 ’ , ’ 1 ’ , ’ 940276731 ’ ] ,’ ip ’ : [ ’ 9 3 . 1 8 9 . 4 6 . 2 2 2 ’ , ’ 9 3 . 1 8 9 . 4 6 . 2 2 4 ’ ] } ,’ step4 ’ : {’ f i l e s ’ : [ ’ 2 ’ ] ,’ domains ’ : [ ’ cuba . eanuncios . net ’ ] ,’ arguments ’ : [ ] ,’ d i r e c t o r i e s ’ : [ ’ f ’ , ’ 1 ’ , ’1399422480 ’ , ’2909620968 ’ , ’ 2 ’ ] ,’ ip ’ : [ ’ 9 3 . 1 8 9 . 4 6 . 2 2 2 ’ ] }}}

91/150


Redirect (example)

http://mysimuran.ru/forum/kZsjOiDMFb/ 89.111.178.33 http://agency.accordinga.pw/remain/unknown.html?mods=8&id=26,text/htmlhttp://mysimuran.ru/forum/kZsjOiDMFb/js.js?4231 89.111.178.33 http://mysimuran.ru/forum/kZsjOiDMFb/,text/plainhttp://c.hit.ua/hit?i=59278&g=0&x=2 89.184.81.35 http://mysimuran.ru/forum/kZsjOiDMFb/,image/gifhttp://f-wake.browser-checks.info:28001/d1x/3/87475b26a521024ce78d7ea73164140a/http%3A%2F%2Fagency.accordinga.pw%2Fremain%2Funknown.html%3Fmods%3D8%26id%3D26 46.254.16.209 http://mysimuran.ru/forum/kZsjOiDMFb/,text/html

92/150

http://mysimuran.ru/forum/kZsjOiDMFb/

http://agency.accordinga.pw/remain/unknown.html?mods=8&id=26,text/html

http://mysimuran.ru/forum/kZsjOiDMFb/js.js?4231

http://mysimuran.ru/forum/kZsjOiDMFb/,text/plain

http://c.hit.ua/hit?i=59278&g=0&x=2

http://mysimuran.ru/forum/kZsjOiDMFb/,image/gif

http://f-wake.browser-checks.info:28001/d1x/3/87475b26a521024ce78d7ea73164140a/http%3A%2F%2Fagency.accordinga.pw%2Fremain%2Funknown.html%3Fmods%3D8%26id%3D26

http://mysimuran.ru/forum/kZsjOiDMFb/,text/html


Redirect Example

{ ’ 2 8 0 01 ’ : {’ step1 ’ : {

’ d i r e c t o r i e s ’ : [ ’ forum ’ , ’kZsjOiDMFb ’ , ’ epygFrFsoU ’ ] ,’ arguments ’ : [ ] ,’ f i l e s ’ : [ ’ ’ ] ,’ ip ’ : [ ’ 8 9 . 1 1 1 . 1 7 8 . 3 3 ’ ] ,’ domains ’ : [ ’mysimuran . ru ’ ] } ,’ step2 ’ : {

’ d i r e c t o r i e s ’ : [ ’ forum ’ , ’kZsjOiDMFb ’ , ’ epygFrFsoU ’ , ’kJXshWOMNC’ ] ,’ arguments ’ : [ ’ 4231 ’ , ’7697 ’ , ’9741 ’ ] ,’ f i l e s ’ : [ ’ j s . j s ’ , ’ cnt . html ’ ] ,’ ip ’ : [ ’ 8 9 . 1 1 1 . 1 7 8 . 3 3 ’ ] ,’ domains ’ : [ ’mysimuran . ru ’ ] } ,’ step3 ’ : {’ d i r e c t o r i e s ’ : [ ] ,’ arguments ’ : [ ’ i ’ , ’g ’ , ’ x ’ ] ,’ f i l e s ’ : [ ’ h i t ’ ] ,’ ip ’ : [ ’ 8 9 . 1 8 4 . 8 1 . 3 5 ’ ] ,’ domains ’ : [ ’ c . h i t . ua ’ ] } ,’ step4 ’ : {’ d i r e c t o r i e s ’ : [ ’ d1x ’ , ’ 3 ’ , ’87475 b26a521024ce78d7ea73164140a ’ , ’ d36eb1fc80ebe9df515d043be1557f57 ’ ] ,’ arguments ’ : [ ] ,’ f i l e s ’ : [ ’ ht tp%3A%2F%2Fagency . accordinga .pw%2Fremain%2Funknown . html%3Fmods%3D8%26id%3D26 ’ , ’ ht tp%3A%2F%2Fstruck . lookeda .pw%2Fcongress%2Fpres ident . html%3Flose%3D21%26amid%3D463 ’ ] ,’ ip ’ : [ ’ 4 6 . 2 5 4 . 1 6 . 2 0 9 ’ ] ,’ domains ’ : [ ’ f−wake . browser−checks . info ’ , ’ a−oprzay . browser−checks .pw’ ] }

}}

93/150


Sourcing External IOCs

I CIF - https://code.google.com/p/collective-intelligence-framework/

I feeds (with scrappers):

94/150

https://code.google.com/p/collective-intelligence-framework/

https://code.google.com/p/collective-intelligence-framework/


Sourcing External IOCsI feed your scrappers:

https://zeustracker.abuse.ch/blocklist.php?download=badipshttp://malc0de.com/database/https://reputation.alienvault.com/reputation.data . . .

I VT intelligence

95/150

https://zeustracker.abuse.ch/blocklist.php?download=badips

http://malc0de.com/database/

https://reputation.alienvault.com/reputation.data


Sourcing IOCs Internally

I honeypot feedsI log analysisI traffic analysis

96/150


Where to look for IOCs internally

I Outbound Network TrafficI User Activities/Failed LoginsI User profile foldersI Administrative AccessI Access from unsual IP addressesI Database IO: excessive READsI Size of responses of web pagesI Unusual access to particular files within Web Application (backdoor)I Unusual port/protocol connectionsI DNS and HTTP traffic requestsI Suspicious Scripts, Executables and Data Files

97/150


Challenges

Why we need IOCs? because it makes it easier to systematically describeknowledge about breaches.

I Identifying intrusions is hardI Unfair game:

I defender should protect all the assetsI attacker only needs to ’poop’ one system.

I Identifying targeted, organized intrusions is even harderI Minor anomalous events are important when put togetherI Seeing global picture is a mastI Details matterI Attribution is hard

98/150


Use honeypots

I Running honeypots gives enormous advantage in detecting emergingthreats

I Stategically placing honeypots is extemely important

99/150


HPfeeds, Hpfriends and more

100/150


HPFeeds Architecture

101/150


HPFeeds API in nutshell:

import pygeoipimport hpfeedsimport j son

HOST= ’ broker ’PORT = 20000CHANNELS= [ ’ geoloc . events ’ ]IDENT= ’ ident ’SECRET= ’ s e c r e t ’g i = pygeoip . GeoIP ( ’ GeoLiteCity . dat ’ )hpc = hpfeeds . new(HOST, PORT, IDENT, SECRET)msg = { ’ l a t i t ude ’ : g i . record_by_addr ( ip ) [ ’ l a t i t ud e ’ ] ,

’ longi tude ’ : g i . record_by_addr ( ip ) [ ’ longi tude ’ ] ,’ type ’ : ’ honeypot␣ h i t ’ }

hpc . publ ish (CHANNELS, j son . dumps(msg ) )

102/150


hpfeeds integration

103/150


NTP probe collector

104/150


HPFeeds and honeymap

105/150


Applying IOCs to your detection processmoloch moloch moloch :)

106/150


Tools for Dynamic Detection of IOC

I SnortI Yara + yara-enabled toolsI MolochI Splunk/Log searchI roll-your-own:p

107/150


Moloch

Moloch is awesome:

108/150


Open-source tools

OpenIOC manipulationhttps://github.com/STIXProject/openioc-to-stixhttps://github.com/tklane/openiocscriptsMantis Threat Intelligence Frameworkhttps://github.com/siemens/django-mantis.gitMantis supportsSTIX/CybOX/IODEF/OpenIOC etc via importers:https://github.com/siemens/django-mantis-openioc-importerSearch splunk data for IOC indicators:https://github.com/technoskald/splunk-searchOur framework: http://github.com/fygrave/iocmap/

109/150

https://github.com/STIXProject/openioc-to-stix

https://github.com/tklane/openiocscripts

https://github.com/siemens/django-mantis.git

https://github.com/siemens/django-mantis-openioc-importer

https://github.com/technoskald/splunk-search

http://github.com/fygrave/iocmap/


iocmap

110/150


MISP

I http://www.secure.edu.pl/pdf/2013/D2_1530_A_Socha.pdfI https://github.com/MISP

111/150

http://www.secure.edu.pl/pdf/2013/D2_1530_A_Socha.pdf

https://github.com/MISP


Tools for Dynamic Detection

I MolochI Moloch supports Yara (IOCs can be directly applied)I Moloch has awesome tagger plugin:

# t a g g e r . s o# p r o v i d e s a b i l i t y t o impor t t e x t f i l e s wi th IP and / o r hos tnames# i n t o a s e n s o r t h a t would c au s e a u t o t a g g i n g o f a l l match ing s e s s i o n splugins=tagger . sot agge r IpF i l e s=b l a c k l i s t , tag , tag , tag . . .taggerDomainFiles=domainbasedblackl is ts , tag , tag , tag

112/150


Moloch pluginsMoloch is easily extendable with your own plugins

I https://github.com/fygrave/moloch_zmq - makes it easy tointegrate other things with moloch via zmq queue pub/sub or push/pull

model 113/150

https://github.com/fygrave/moloch_zmq


Moloch ZMQ example

CEP-based analysis of network-traffic (using ESPER):https://github.com/fygrave/clj-esptool/

( esp : add " c r ea t e ␣ contex t ␣SegmentedBySrc␣ pa r t i t i o n ␣by␣ s r c ␣fromWebDataEvent " )( esp : add " contex t ␣SegmentedBySrc␣ s e l e c t ␣ src , ␣ r a t e ( 3 0 ) ␣as␣ rate ,avg ( r a t e ( 3 0 ) ) ␣ as ␣avgRate␣from␣WebDataEvent . win : time ( 3 0 ) ␣havingra t e ( 3 0 ) ␣<␣avg ( r a t e ( 3 0 ) ) ␣∗␣ 0 .75 ␣output␣ snapshot␣every␣60␣ sec " )( future−c a l l s t a r t−counting )

114/150

https://github.com/fygrave/clj-esptool/


Sources of IOCs

I ioc bucket:http://iocbucket.com

I Public blacklists/trackers could also be used as source:https://zeustracker.abuse.ch/blocklist.php?download=ipblocklisthttps://zeustracker.abuse.ch/blocklist.php?download=domainblocklist

I Eset IOC repositoryhttps://github.com/eset/malware-iocmore coming?

115/150

http://iocbucket.com

https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist

https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist

https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist

https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist

https://github.com/eset/malware-ioc


where to mine IOC

I passive HTTP (keep your data recorded)I passive DNS

These platforms provide ability to mine traffic or patterns from the pastbased on IOC similarityshow me all the packets similar to this IOCWe implemented a whois service for IOC look-ups

whois −h ioc . host . com a t t r i b u t e : value+ a t t r i b u t e : value

116/150


Mining IOCs from your own data

I find and investigate incidentI Or even read paperI determine indicators and test it in YOUR EnvironmentI use new indicators in the future

see IOC cycle we mentioned earlier

117/150


Example

If event chain leads to compromisehttp :// l i apo l a s ens [ . ] in fo/indexm . html

ht tp :// l i apo l a s ens [ . ] in fo/counter . php? t= f&v=win%2011 ,7 ,700 ,169&a= t rue

http :// l i apo l a s ens [ . ] in fo /354RIcx

http :// l i apo l a s ens [ . ] in fo /054RIcx

What to do?

118/150


Investigating using known IOCs

I Investigating Static host based IOCsI Investigating Dynamic host based IOCsI Investigating Static network IOCsI Investigating Dynamic network IOCs

119/150


analyzing HTTP traffic

I User agentsI suspicious domainsI static analysis of HTTP headers

120/150


Analyzing AV logs

23 . 0 1 . 1 3 19 :56 Detected : Trojan−Spy .Win32 . Zbot . aymrC:/Documents and Se t t i ng s/user1/Appl icat ion Data/Sun/Java/Deployment/cache /6.0/27/4169865b−641d53c9/UPX23 . 0 1 . 1 3 19 :56 Detected : Trojan−Downloader . Java . OpenConnection . ckC:/Documents and Se t t i ng s/user1/Appl icat ion Data/Sun/Java/Deployment/cache /6.0/48/38388 f30−4a676b87/bpac/b . c l a s s23 . 0 1 . 1 3 19 :56 Detected : Trojan−Downloader . Java . OpenConnection . csC:/Documents and Se t t i ng s/user1/Appl icat ionData/Sun/Java/Deployment/cache /6.0/48/38388 f30−4a676b87/ot/pizdi . c l a s s23 . 0 1 . 1 3 19 :58 Detected : HEUR: Explo i t . Java .CVE−2013−0422.genC:/Documents and Se t t i ng s/user1/Local S e t t i ng s/Temp/jar_cache3538799837370652468 . tmp

121/150


Analyzing AV logs

01/14/13 06:57 PM 178.238.141.19 http://machete0-yhis.me/ pictures/demos/OAggq application/x-java-archive01/14/13 06:57 PM 178.238.141.19 http://machete0-yhis.me/pictures/demos/OAggq application/x-java-archive01/14/13 06:57 PM 178.238.141.19 http://loretaa0-shot.co/career...45 application/octet-stream

122/150

http://machete0-yhis.me/

http://machete0-yhis.me/pictures/demos/OAggq

http://loretaa0-shot.co/career...45


Analyzing AV logs

123/150


Analyzing AV logs

124/150


Analyzing AV logs

125/150


Overview

Introduction


Detection

Creating own IOCs

EOF

126/150


Creating host based IOCs

hashes, mutexes, threatexpert

127/150


Use YARA, or tune your own tools

ru le susp_params_in_ur l_k ind_of_ f i l e less_bot_dr ive_by{

meta :date = " oc t ␣2013 "desc r ip t i on = " Landing␣hxxp :// jda tas tore lame . in fo/indexm . html␣␣ 04 . 10 . 2013 ␣ 13 :14 ␣␣ 108 . 6 2 . 1 1 2 . 8 4 ␣␣ "desc r ip t ion1 = " ␣ Java ␣ Sp l o i t ␣hxxp:// jda tas tore lame . in fo /054RIwj␣␣␣␣␣ "

s t r i ng s :$ s t r ing0 = " ht tp "$ s t r ing1 = " indexm . html "$ s t r ing2 = " 054RI "

condi t ion :a l l of them

}

128/150


Use snort to catch suspicious traffic:

# many plugX dep l oyment s c onn e c t t o g o o g l e DNS when not in usea l e r t tcp ! $DNS_SERVERS any −> 8 . 8 . 8 . 8 53 (msg : "APT␣ poss ib l e ␣PlugX␣Google␣DNS␣TCPport ␣53␣ connect ion ␣attempt " ; c l a s s type : misc−a c t i v i t y ; s id : 500000112 ;rev : 1 ; )

129/150


GRR: Google Rapid Response:http://code.google.com/p/grr/Hunting IOC artifacts with GRR

130/150

http://code.google.com/p/grr/


GRR: Creating rules

131/150


GRR: hunt in progress

132/150


Honeypots

Learn about attacker as much as you can:I What language does the attacker understand?I What is the attacker keyboard layout?I What tools the attacker uses?I Where those are hosted?I Who are the targets?I Client software information (kippo -> ssh client)

133/150


Honeypotsplenty of hosting urls, DDoS targets in hp logs

134/150


DNS: Detection

Passive DNS traffic acquisition and analysisa couple of examples (last week)

domain ip ownerrtvwerjyuver.com 69.164.203.105 linodetvrstrynyvwstrtve.com 109.74.196.143 linodecu3007133.wfaxyqykxh.ru . . .

what does your DNS traffic look like..?

135/150


DNS viz01

136/150


DNS viz02

137/150


DNS anonymizer traffcAnonimizer

8/13/2014 9:59:12 PM - ##.##.##.## - 0s.o53xo.pfxxk5dvmjss4y3pnu.dd34.ru8/13/2014 9:59:12 PM - ##.##.##.## - o53xo.pfxxk5dvmjss4y3pnu.dd34.ru8/13/2014 9:59:12 PM - ##.##.##.## - o53xo.pfxxk5dvmjss4y3pnu.dd34.ru8/13/2014 9:59:12 PM - ##.##.##.## - 0s.om.pf2gs3lhfzrw63i.dd34.ru8/13/2014 9:59:12 PM - ##.##.##.## - 0s.om.pf2gs3lhfzrw63i.dd34.ru8/13/2014 9:59:12 PM - ##.##.##.## - nbxxe33tnbuxsllwnn2xg.mjuxultvme.dd34.ru8/13/2014 9:59:12 PM - ##.##.##.## - nbxxe33tnbuxsllwnn2xg.mjuxultvme.dd34.ru8/13/2014 9:59:12 PM - ##.##.##.## - 0s.ne.pf2gs3lhfzrw63i.dd34.ru8/13/2014 9:59:12 PM - ##.##.##.## - 0s.ne.pf2gs3lhfzrw63i.dd34.ru8/13/2014 9:59:15 PM - ##.##.##.## - obuwg4y.nruxmzlkn52xe3tbnqxgg33n.dd34.ru8/13/2014 9:59:15 PM - ##.##.##.## - obuwg4y.nruxmzlkn52xe3tbnqxgg33n.dd34.ru8/13/2014 9:59:15 PM - ##.##.##.## - 0s.o53xo.mzqwgzlcn5xwwltdn5wq.dd34.r8/13/2014 9:59:15 PM - ##.##.##.## - 0s.o53xo.mzqwgzlcn5xwwltdn5wq.dd34.ruTime: Today 09:59:15pm

Description: Phishing.bpwhConfidence Level: HighDestination DNS Hostname: 0s.o53xo.mzqwgzlcn5xwwltdn5wq.dd34.ru

Malware Action: Malicious DNS request

138/150


Covert channel communication

8/13/2014 5 : 4 9 : 0 4 PM − x . x . x . x − 5141017 .mtdtzwdhc .mdgtmtmmdgtmtma . in8/13/2014 5 : 4 9 : 0 4 PM − x . x . x . x − 5141017 .mtdtzwdhc .mdgtmtmmdgtmtma . in

Time : Today 13 : 1 9 : 2 5Descr ipt ion : REP . b i l s c z Detected at Today13 : 1 9 : 2 5I n t e r f a c e Name: bond1 .382I n t e r f a c e Direc t ion : outbound

139/150


Sinkhole in DNS

Credit: domaintools.com

140/150


Sinkhole in DNS

Credit: domaintools.com

141/150


DNSSuspicious activity: DNS lookups: kojxlvfkpl.biz:149.93.207.203kojxlvfkpl.biz:216.66.15.109kojxlvfkpl.biz:38.102.150.27

142/150


Look for holes :)

143/150


Hole traffic

144/150


Categorizing Incidents

It is extremely important to be able to categorize your incidents or threats.There are multiple data sources that could be used to do so.

145/150


Catagorization based on public souces

[tbd]

146/150


Catagorization based on historical data

[tbd]

147/150


Catagorization based on cross source correlation

I Visualizing the ThreatsI Filtering noisy extrasI Making decisions

148/150


Overview

Introduction


Detection

Creating own IOCs

EOF

149/150


Questions

@fygrave @vbkropotov @vitalychetvertakovAnd answers :)

150/150

Date post:	01-Jan-2017
Category:	Documents
Upload:	lediep
View:	241 times
Download:	11 times