Netwitness Manual

Date post: 14-Oct-2015
Upload: nemke91
Description:
manual

Transcript
  • Slide 1 | Copyright 2010 All rights reserved. NetWitness Corporation

    NetWitness Investigator Freeware
    Network Intelligence, Threat Indicators and Session Exploitation

    Brian Girardi, Director, Product Management, NetWitness
    [email protected]

  • Slide 2

    Agenda

    - Investigator Freeware Introduction/Review
    - Advanced Features
      - Integration via custom actions
      - Intelligence via feeds
      - Indicators via rules
      - Protocol/Session exploitation via parsers
    - Implementation Scenarios

  • Slide 3

    Investigator Freeware Core Concepts

    - It's free! (requires annual registration)
    - What makes Investigator different?
      - Designed from an analyst's perspective to answer complex questions from large amounts of raw network data
      - Designed to analyze advanced threats, applications, content, incident response, ...
      - Empowers novice analysts AND accelerates experts
      - Models network traffic, and exposes syntax to expand the model
      - Session-based, NOT packet-based

  • Slide 4

    Session Processing Step 1

    - Packet Collection & Reassembly: before anything else, putting the pieces back together
    - Data is packetized, out of order, fragmented, mixed with other traffic, retransmitted

    [Figure: packets reassembled into a Session]

  • Slide 5

    Session Processing Steps 2 & 3: Application Identification, Meta Extraction, and Modeling

    - Don't rely on port for true service type (HTTP != port 80)
    - Extract pertinent network and application data
    - Model and organize data for human consumption

  • Slide 6

    Standard Features

    - Real-time, patented layer 7 analytics
      - Effectively analyze data starting from application layer entities like users, email addresses, files, and actions
      - Infinite, free-form analysis paths
      - Content starting points
    - Captures raw packets live from wired or 802.11 wireless networks
    - Imports packets from any open-source, home-grown or commercial packet capture system (e.g. .pcap file import)
    - Extensive network and application layer filtering (e.g. MAC, IP, User, Keywords, etc.)
    - IPv6 support
    - Full content search, with Regex support
    - Bookmarking & history tracking
    - Integrated GeoIP for resolving IP addresses to city/county, supporting Google Earth visualization
    - SSL Decryption (with server certificate)
    - Interactive time charts and summary view
    - Interactive packet view and decode
    - Hash data on capture and export
    - Integrated Org, Domain, and ISP databases
    - Supports VLAN meta tagging
    - Supports IP Tunnel (i.e. GRE) meta tagging
    - And more.

    Now let's discuss advanced features.

  • Slide 7

    Apply Your Own Intelligence & Needs

    - Custom Actions: right-click query actions for context
    - Feeds: means for creating metadata based on a list of values
      - Ex. IP Reputation Feed
    - Rules: evaluation of meta elements to alert, filter, stop/change processing or create more metadata
      - Ex. If ip.dst=1.2.3.4 AND user=bob then alert
    - Parsers (aka FlexParse): exploitation of sessions and full payload to create metadata
      - Ex. Identify packed executables/malware; interpret, identify and profile protocols, etc.

  • Slide 8

    Aggregating Indicators

    [Figure: Rules, Parsing and Feeds converging]

    - Aggregation of these methods helps profile actual threatening activity
      - Advanced Threat
      - Insider Threat
      - Policy/Compliance
      - Etc.

  • Slide 9

    Custom Actions

  • Slide 10

    Custom Actions

    - Configurable right-click actions out of Investigator to external tools
      - URL-based
      - Local Scripts
    - Examples

  • Slide 11

    Example: right-click hostname into Google

    Other options

  • Slide 12

    Feeds

  • Slide 13

    Feeds

    - Means for creating metadata based on external lists
      - IP Address
      - Hostnames
      - Any metadata element
    - Typical Uses
      - Intelligence Feeds (Internet Storm Center/DShield Top 10000, for example)
      - Define physical or logical mappings for metadata
        - Campus, Department
        - User Identity via Active Directory
        - Network-specific maps
        - DHCP mappings
        - Etc.

  • Slide 14

    Real-world feed uses

    - Large Bank: 17,000 known Home User IPs cross-referenced with botnet membership list
    - DOD: 4000+ subnets, largely modeled after base locations
    - Financial Services Firm
      - Buildings
      - Functional Area, i.e. Network Infrastructure
      - System Area, i.e. Firewall, VPN, Critical Servers

  • Slide 15

    Department & Location Feed

    - Enterprise-specific context
    - IP Ranges that correlate to
      - Company Department
      - Physical Location
      - Lat/Long Override

    Feed File Example:

        #networks#
        172.16.60.1,172.16.60.254,NW-Wireless
        172.16.70.1,172.16.70.254,NW-GuestNet
        10.21.1.1,10.21.1.255,NW Infrastructure,38.967490,-77.379533
        10.21.2.30,10.21.2.111,NW Users Net,38.967490,-77.379533
        10.21.3.30,10.21.3.111,NW Dev Workstations,38.967490,-77.379533
        10.21.4.1,10.21.4.255,NW Dev Servers,38.967490,-77.379533
        10.21.5.1,10.21.5.111,NW VPN Users,38.967490,-77.379533
        10.21.6.30,10.21.6.111,NW Wireless,38.967490,-77.379533
        67.10.149.25,67.10.149.25,Nw TXGW,29.7296,-98.1001
        172.16.55.0,172.16.55.255,NW-TX,29.7296,-98.1001
        172.16.55.0,172.16.55.255,NW-TX,29.7296,-98.1001
        192.168.1.1,192.168.1.255,NW Lab,38.742641,-77.199997

  • Slide 16

    Feed Definition File

  • Slide 17

    Netname Feed Classification

  • Slide 18

    Analysis with Threat Feeds

  • Slide 19

    Loading Internet Storm Center Feed

    Load feeds

  • Slide 20

    Feed Category Hits

    Found hits on SANS feed

  • Slide 21

    Session Details Review

    - HTTP put
    - Likely C&C query string
    - IP found in SANS feed
    - Encoded/Encrypted payload

  • Slide 22

    Rules

  • Slide 23

    Rules

    - Rules can be used to
      - filter in/out data
      - truncate packets
      - alert/flag
    - Rules span
      - network elements
      - application layer elements
    - Control depth of processing

  • Slide 24

    Network Layer Rules

  • Slide 25

    Application Layer Rules

  • Slide 26

    Rule Examples

    - Filter
      - Advertisements (ends in doubleclick.net)
      - Software Updates (ends in liveupdate.symantec.com)
      - Media (ends in player.xmradio.com)
      - Backup servers (192.168.1.54, etc.)
      - Filter *(All), Keep email = [email protected]
    - Truncate
      - Drop packet payload for port SSH and SSL
    - Alert
      - Non-standard port activity (non-HTTP over port 80)
      - DynDNS Domains
      - BOT Profiles
      - Clear text passwords
      - Tunneling services (gotomypc, anonymizers, etc.)
      - Specific threat profiles
      - Etc., etc., etc.

  • Slide 27

    Rule Example

    Tip: faster to check range than !=

  • Slide 28

    Non-standard HTTP

  • Slide 29

    Nonstandard HTTP Details

  • Slide 30

    Facebook Koobface Malware Example

    Basic Rule:
        Service = HTTP(80) && alias.host = locator.getconnected.be

    Better Rule:
        Service = HTTP(80) && alias.host exists && (query contains 'action=' && query contains 'c_fb=' && query contains 'c_ms=' && query contains 'c_hi=' && query contains 'c_tw=' && query contains 'c_be=' && query contains 'c_tg=' && query contains 'c_nl=')

    Based on the URL parameters Koobface passes when it checks in.

    Ref: http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_20heart_20of_20koobface_final_1_.pdf
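An added example (not from the deck) that evaluates the Basic and Better rules above against constructed session meta, to show why the Better rule is preferred: it keys on the check-in parameters rather than one hostname, so a session to a different host carrying the same query string still matches. The sessions and the hostnames other than locator.getconnected.be are made up; 'query contains' is modelled as a plain substring test, which is an assumption about the rule engine.

```python
from typing import Callable, Dict, List

# Constructed sessions in NetWitness-style meta (service, alias.host, query).
# Only locator.getconnected.be comes from the slide; the other hosts are placeholders.
SESSIONS: List[Dict[str, object]] = [
    {"id": 1, "service": 80, "alias.host": "locator.getconnected.be",
     "query": "action=fbgen&c_fb=1&c_ms=0&c_hi=0&c_tw=1&c_be=0&c_tg=0&c_nl=0"},
    {"id": 2, "service": 80, "alias.host": "relocated-host.invalid",   # same check-in, new host
     "query": "action=fbgen&c_fb=1&c_ms=0&c_hi=0&c_tw=1&c_be=0&c_tg=0&c_nl=0"},
    {"id": 3, "service": 80, "alias.host": "www.example.com",           # benign partial overlap
     "query": "action=login&c_fb=1"},
    {"id": 4, "service": 443, "alias.host": "locator.getconnected.be",  # wrong service
     "query": "action=fbgen&c_fb=1"},
]

# The eight 'query contains' terms of the Better rule.
KOOBFACE_PARAMS = ("action=", "c_fb=", "c_ms=", "c_hi=", "c_tw=", "c_be=", "c_tg=", "c_nl=")

def basic_rule(s: Dict[str, object]) -> bool:
    # Service = HTTP(80) && alias.host = locator.getconnected.be
    return s["service"] == 80 and s.get("alias.host") == "locator.getconnected.be"

def better_rule(s: Dict[str, object]) -> bool:
    # Service = HTTP(80) && alias.host exists && every 'query contains' term holds
    query = str(s.get("query", ""))
    return (s["service"] == 80
            and bool(s.get("alias.host"))
            and all(param in query for param in KOOBFACE_PARAMS))

def apply_rule(rule: Callable[[Dict[str, object]], bool],
               sessions: List[Dict[str, object]]) -> List[object]:
    """Return the ids of the sessions a rule would alert on."""
    return [s["id"] for s in sessions if rule(s)]
```

Because 'contains' is a substring test, a single parameter such as c_fb= is weak on its own; the conjunction of all eight is what keeps the false-positive rate down.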

  • Slide 31

    Parsers

  • Slide 32

    FlexParse

    - FlexParse exposes the network session parsing and metadata model
      - Configure how to identify applications and extract data
      - XML parser definitions
      - Register search tokens
      - Perform logic operations
      - Register metadata for the NetWitness system
    - Why?
      - Instantly customize and expand processing and modeling behavior
      - Processing flexibility for networks with heavy application profiles, proprietary protocols, and threats that don't fall into common intrusion detection methods
    - What's possible
      - Expand baseline parsers, fast flux identification, social networking profiling, mainframe exploitation, SCADA, file object identification, complex threat identification, etc.


  • Slide 33

    SCADA MODBUS Parser

  • Slide 34

    Simple MODBUS Parser

    - Why?
      - Need insight into SCADA over IP to correlate with other network activity
      - Critical infrastructure monitoring
    - Demonstrate
      - Create new Service type for MODBUS
      - Simple text based protocol has numeric tokens that map to actions:
        - Read Coil Status
        - Read Input Status
        - Read Hold Registers
        - Read Input Registers
        - Force Single Coil
        - Force Multiple Coils
        - Etc.

  • Slide 35

    MODBUS Protocol

    - If port 502 AND tokens exist, then classify and extract actions

    [Figure: Request → MODBUS PROTOCOL → ACTION]
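An added example, not the deck's FlexParser, implementing the classification rule above in Python: a session on port 502 whose first bytes form a valid Modbus/TCP MBAP header is tagged as the MODBUS service and its function code is mapped to the action names the slide lists (Modbus function codes 1, 2, 3, 4, 5 and 15 respectively). The request frames are constructed for the example.

```python
import struct
from typing import Dict, Optional

MODBUS_TCP_PORT = 502

# Modbus function codes for the actions named on the slide (names kept as in the deck).
ACTIONS: Dict[int, str] = {
    1: "Read Coil Status", 2: "Read Input Status", 3: "Read Hold Registers",
    4: "Read Input Registers", 5: "Force Single Coil", 15: "Force Multiple Coils",
}

def parse_modbus_tcp(payload: bytes) -> Optional[dict]:
    """Decode the MBAP header plus function code; None if the bytes are not Modbus/TCP."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit, fcode = struct.unpack(">HHHBB", payload[:8])
    # Protocol ID is always 0 for Modbus; Length counts the unit id and PDU bytes.
    if proto != 0 or length != len(payload) - 6:
        return None
    exception = bool(fcode & 0x80)          # responses set the high bit on error
    code = fcode & 0x7F
    return {"transaction": tid, "unit": unit, "function": code,
            "exception": exception, "action": ACTIONS.get(code, f"function {code}")}

def classify_session(dst_port: int, payload: bytes) -> Optional[str]:
    """Port 502 AND a well-formed frame -> service 'MODBUS'; otherwise not classified."""
    if dst_port != MODBUS_TCP_PORT:
        return None
    return "MODBUS" if parse_modbus_tcp(payload) is not None else None

# Constructed frames. Read Hold Registers: unit 0x11, start 0x006B, count 3.
READ_HOLDING = bytes.fromhex("0001000000061103006B0003")
# Force Single Coil: unit 0x11, coil 0x00AC, value ON (0xFF00).
FORCE_COIL = bytes.fromhex("000200000006110500ACFF00")
# Exception response to a Read Hold Registers request (0x83, illegal data address).
EXC_RESPONSE = bytes.fromhex("000300000003118302")
```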

  • Slide 36

    Simple MODBUS protocol FlexParser Syntax

  • Slide 37

    Detecting Malicious PDF Parser

  • Slide 38

    Detecting Malicious PDFs

    - Why?
      - One of the most pervasive exploitation techniques used currently
      - Very effective exploitation technique that can be difficult to detect
    - Demonstrate
      - Combined existence of PDF tokens, including JavaScript, that classifies potentially malicious objects
      - Use flags to keep state between several different statements

  • Slide 39

    Parser Logic

    Find the following token: HTTP/1.1 200 OK

    If above is found, then find token: Content-Type: application/pdf

    If above is found, then find token: %PDF-1.

    If above is found, then alert if the following is found: /S/JavaScript
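The four-step logic above as an added Python example (not the deck's FlexParser XML): the token chain is walked in order over the session payload, and the state FlexParse keeps in flags is kept here as the position of the last match, so a later token can only fire after the earlier ones. The HTTP responses are constructed for the example and contain no real exploit content.

```python
from typing import List, Optional, Tuple

# Ordered token chain from the slide; each token may only fire after the one before it.
PDF_JS_CHAIN: List[bytes] = [
    b"HTTP/1.1 200 OK",
    b"Content-Type: application/pdf",
    b"%PDF-1.",
    b"/S/JavaScript",
]

def scan_session(payload: bytes, chain: List[bytes]) -> Tuple[int, Optional[int]]:
    """Walk the chain over a session payload, searching for each token after the previous hit.

    Returns (number of tokens matched, offset of the final token or None when the chain
    did not complete)."""
    pos = 0
    matched = 0
    last = None
    for token in chain:
        idx = payload.find(token, pos)
        if idx < 0:
            break                     # chain broken: stop, keep the partial state
        matched += 1
        last = idx
        pos = idx + len(token)        # the next token must appear after this one
    return matched, (last if matched == len(chain) else None)

def pdf_javascript_alert(payload: bytes) -> bool:
    """The parser alert: fires only when every token in the chain was found in order."""
    matched, _ = scan_session(payload, PDF_JS_CHAIN)
    return matched == len(PDF_JS_CHAIN)

# Constructed responses: a PDF whose OpenAction runs JavaScript, a benign PDF,
# and a PDF served under a different Content-Type (step 2 of the chain fails).
JS_PDF = (b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n\r\n"
          b"%PDF-1.4\n1 0 obj<</Type/Catalog/OpenAction 2 0 R>>endobj\n"
          b"2 0 obj<</S/JavaScript/JS(app.alert(1))>>endobj\n%%EOF")
PLAIN_PDF = (b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n\r\n"
             b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n%%EOF")
MISLABELED = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
              b"%PDF-1.4\n2 0 obj<</S/JavaScript/JS(app.alert(1))>>endobj")
```

The chain matches literal bytes only, so a production parser would normalise PDF names and whitespace before matching and would not depend on the Content-Type header alone to recognise a PDF.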

  • Slide 40

    Parser Syntax

    Declare tokens

  • Slide 41

    Parser Syntax

    Maintain state of token identification

  • Slide 42

    Parser Syntax

    Find javascript in PDF

  • Slide 43

    Suspicious Trigger

    Parser alert

  • Slide 44

    PDF with Javascript

    Matched tokens

  • Slide 45

    JRE 0day Analysis (the short version): Using Feeds, Rules & Parsers to Investigate & Profile

  • Slide 46

    Background

    - April 9th 2010: Tavis Ormandy of Google Security identifies Java Deployment Toolkit flaw
      - Affects all versions of Java
    - April 11th: Active exploitation via rogue advertisements on nytimes.com, foxnews.com, oprah.com, ufc.com and others
      - Malicious .jar file
      - Referrers contain nytimes.com, foxnews.com, oprah.com, ufc.com
    - How do we leverage feeds, rules and parsers to profile?
      - Do I have a problem?
      - 0day: feeds may not provide intelligence

  • Slide 47

    Hunting for Anomalous Traffic

    - Profile HTTP for java-archives (potential deployment toolkit)
      Rule: service = HTTP(80) && content = application/java-archive
    - Dig more on this

  • Slide 48

    Internal host being referred to what?

    - Use IP from anomalous traffic analysis
      Rule: ip.src = 156.145.x.x && referrer contains nytimes.com, foxnews.com, etc.
    - Redirection to 95.211.14.21 (Netherlands hosting provider): 95.211.14.21/measure/ad.php
    - Inspect php
    - Rule to profile & find ad.php query string:
      service = HTTP(80) && (query contains 'pl=' && query contains 'ce=' && query contains 'hb=' && query contains 'av=' && query contains 'jv=')

  • Slide 49

    Ad.php behavior

    - Really? .gif?
    - Downloads p.gif from referred location
    - How many times have I seen this .gif?

  • Slide 50

    Compromised Hosts

    Rule: service = HTTP(80) && filename = p.gif && content = application/octet-stream

    3 Sessions, 3 Unique hosts

  • Slide 51

    Deeper Analysis

    - p.gif (exe) appears corrupt. Does that mean no one was infected?
    - Let's have a look at the .jar
    - .jar modifies the first two bytes of the binary to subvert MZ token signatures
    - FlexParse: profile the malware

    [Figure: hex view of the binary where the "MZ" header should be. Huh?]
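The deck's FlexParser for this case is shown only as a screenshot; the following added example (my own approach, not NetWitness code) recognises a Windows executable whose first two bytes were altered, by following the e_lfanew pointer at offset 0x3C of the DOS header to the "PE\0\0" signature, which an edit to the MZ magic alone leaves intact. The PE-shaped blobs are constructed and contain no code.

```python
import struct
from typing import Optional

def find_pe_header(data: bytes) -> Optional[int]:
    """Locate the PE header without trusting the two-byte MZ magic.

    The DOS header stores the offset of 'PE\\0\\0' at 0x3C (e_lfanew); that pointer
    survives when only the first two bytes of the file are rewritten."""
    if len(data) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Require the signature plus a full 20-byte COFF header to fit inside the blob.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return e_lfanew

def classify_blob(data: bytes) -> str:
    """'exe' (intact), 'exe-altered-mz' (PE structure present, magic damaged) or 'not-pe'."""
    off = find_pe_header(data)
    if off is None:
        return "not-pe"
    return "exe" if data[:2] == b"MZ" else "exe-altered-mz"

def build_stub_pe() -> bytes:
    """Constructed minimal PE-shaped blob: DOS header, e_lfanew = 0x40, signature, COFF header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    # Machine=i386, 1 section, no timestamp/symbols, optional header size 0xE0, characteristics.
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\x00\x00" + coff

GOOD_EXE = build_stub_pe()
ALTERED = b"GI" + GOOD_EXE[2:]    # constructed: first two bytes replaced, as the slide describes
GIF = b"GIF89a" + bytes(0x60)     # constructed: a genuine image header with no PE structure
```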

  • Slide 52

    Flex Parser for Obfuscated Exe in Image

  • Slide 53

    Summary

    - Investigator: Free!
    - Custom actions, Feeds, Rules and Parsers expand analytical capabilities
    - Aggregating advanced indicators and profiling techniques really helps
    - Resources
      - Community (http://community.netwitness.com): rule examples, FlexParser examples, tips/tricks, discussion
      - YouTube (http://www.youtube.com/netwitness)
      - Training Webcasts (www.netwitness.com)
      - Brian Girardi, [email protected]

  • Slide 54

    Q&A
