Copyright 2010 All rights reserved. NetWitness Corporation
NetWitness Investigator Freeware
Network Intelligence, Threat Indicators and Session Exploitation
Brian Girardi, Director, Product Management, NetWitness, [email protected]
Agenda
  Investigator Freeware Introduction/Review
  Advanced Features
    Integration via custom actions
    Intelligence via feeds
    Indicators via rules
    Protocol/Session exploitation via parsers
  Implementation Scenarios
Investigator Freeware Core Concepts
  It's free! (requires annual registration)
  What makes Investigator different?
    Designed from an analyst's perspective to answer complex questions from large amounts of raw network data
    Designed to analyze advanced threats, applications, content, incident response, ...
    Empowers novice analysts AND accelerates experts
    Models network traffic, and exposes syntax to expand the model
    Session-based, NOT packet-based
Session Processing Step 1
  Packet Collection & Reassembly: before anything else, putting the pieces back together
    Data is packetized, out of order, fragmented
    Mixed with other traffic
    Retransmitted
  (Diagram: individual packets reassembled into a Session)
Session Processing Steps 2 & 3: Application Identification, Meta Extraction, and Modeling
  Don't rely on port for true service type
  Extract pertinent network and application data
  Model and organize data for human consumption
  HTTP != port 80
Standard Features
  Real-time, patented layer 7 analytics: effectively analyze data starting from application layer entities like users, email addresses, files, and actions
  Infinite, free-form analysis paths; content starting points
  Captures raw packets live from wired or 802.11 wireless networks
  Imports packets from any open-source, home-grown or commercial packet capture system (e.g. .pcap file import)
  Extensive network and application layer filtering (e.g. MAC, IP, User, Keywords, etc.)
  IPv6 support
  Full content search, with Regex support
  Bookmarking & history tracking
  Integrated GeoIP for resolving IP addresses to city/country, supporting Google Earth visualization
  SSL Decryption (with server certificate)
  Interactive time charts and summary view
  Interactive packet view and decode
  Hash data on capture and export
  Integrated Org, Domain, and ISP databases
  Supports VLAN meta tagging
  Supports IP Tunnel (i.e. GRE) meta tagging
  And more.
Now let's discuss advanced features.
Apply Your Own Intelligence & Needs
  Custom Actions: right-click query actions for context
  Feeds: a means for creating metadata based on a list of values. Ex. IP Reputation Feed
  Rules: evaluation of meta elements to alert, filter, stop/change processing or create more metadata. Ex. If ip.dst=1.2.3.4 AND user=bob then alert
  Parsers (aka FlexParse): exploitation of sessions and full payload to create metadata. Ex. Identify packed executables/malware; interpret, identify and profile protocols, etc.
Aggregating Indicators
  Rules, Parsing, Feeds
  Aggregation of these methods helps profile actual threatening activity:
    Advanced Threat, Insider Threat, Policy/Compliance, etc.
Custom Actions
Custom Actions
  Configurable right-click actions out of Investigator to external tools
    URL-based
    Local Scripts
  Examples
Example: right-click hostname into Google
Other options
Feeds
Feeds
  A means for creating metadata based on external lists
    IP Address, Hostnames, Any metadata element
  Typical Uses
    Intelligence Feeds (Internet Storm Center/DShield Top 10000, for example)
    Define physical or logical mappings for metadata: Campus, Department, User Identity via Active Directory, Network-specific maps, DHCP mappings, etc.
Real-world feed uses
  Large Bank: 17,000 known Home User IPs cross-referenced with a botnet membership list
  DOD: 4000+ subnets, largely modeled after base locations
  Financial Services Firm: Buildings; Functional Area (i.e. Network Infrastructure); System Area (i.e. Firewall, VPN, Critical Servers)
Department & Location Feed
  Enterprise-specific context: IP ranges that correlate to
    Company Department
    Physical Location
    Lat/Long Override
Feed File Example
#networks#
172.16.60.1,172.16.60.254,NW-Wireless
172.16.70.1,172.16.70.254,NW-GuestNet
10.21.1.1,10.21.1.255,NW Infrastructure,38.967490,-77.379533
10.21.2.30,10.21.2.111,NW Users Net,38.967490,-77.379533
10.21.3.30,10.21.3.111,NW Dev Workstations,38.967490,-77.379533
10.21.4.1,10.21.4.255,NW Dev Servers,38.967490,-77.379533
10.21.5.1,10.21.5.111,NW VPN Users,38.967490,-77.379533
10.21.6.30,10.21.6.111,NW Wireless,38.967490,-77.379533
67.10.149.25,67.10.149.25,Nw TXGW,29.7296,-98.1001
172.16.55.0,172.16.55.255,NW-TX,29.7296,-98.1001
192.168.1.1,192.168.1.255,NW Lab,38.742641,-77.199997
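The feed file above is a plain CSV of start IP, end IP, label and an optional lat/long override. The following added example (Python written for this page, not NetWitness code) parses that format and tags an address with the matching label the way the feed would tag a session's IP; the row subset and lookup order (first range wins) are my assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed copy of a few rows from the slide's "#networks#" feed:
# start IP, end IP, label, and an optional lat/long override.
FEED_TEXT = """#networks#
172.16.60.1,172.16.60.254,NW-Wireless
10.21.1.1,10.21.1.255,NW Infrastructure,38.967490,-77.379533
10.21.5.1,10.21.5.111,NW VPN Users,38.967490,-77.379533
67.10.149.25,67.10.149.25,Nw TXGW,29.7296,-98.1001
"""

@dataclass
class FeedEntry:
    start: int                # first address of the range, as an integer
    end: int                  # last address of the range, inclusive
    label: str                # metadata value the feed registers on a hit
    latlong: Optional[tuple]  # (lat, long) override, or None when absent

def parse_feed(text: str) -> List[FeedEntry]:
    """Parse the slide's feed format; the '#...#' header and blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) not in (3, 5):
            raise ValueError(f"line {lineno}: expected 3 or 5 fields, got {len(fields)}")
        start = int(ipaddress.IPv4Address(fields[0]))
        end = int(ipaddress.IPv4Address(fields[1]))
        if end < start:
            raise ValueError(f"line {lineno}: range end precedes start")
        latlong = (float(fields[3]), float(fields[4])) if len(fields) == 5 else None
        entries.append(FeedEntry(start, end, fields[2], latlong))
    return entries

def lookup(entries: List[FeedEntry], ip: str) -> Optional[FeedEntry]:
    """Return the first feed entry whose range contains ip, or None."""
    n = int(ipaddress.IPv4Address(ip))
    for e in entries:
        if e.start <= n <= e.end:
            return e
    return None

if __name__ == "__main__":
    feed = parse_feed(FEED_TEXT)
    for ip in ("10.21.5.77", "172.16.60.200", "8.8.8.8"):
        hit = lookup(feed, ip)
        print(ip, "->", hit.label if hit else "no match")
```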
Feed Definition File
Netname Feed Classification
Analysis with Threat Feeds
Loading Internet Storm Center Feed
Load feeds
Feed Category Hits
Found hits on SANS feed
Session Details Review
  HTTP PUT; likely C&C query string
  IP found in SANS feed
  Encoded/Encrypted payload
Rules
Rules
  Rules can be used to: filter data in/out; truncate packets; alert/flag
  Rules span network elements and application layer elements
  Control depth of processing
Network Layer Rules
Application Layer Rules
Rule Examples
  Filter
    Advertisements (ends in doubleclick.net)
    Software Updates (ends in liveupdate.symantec.com)
    Media (ends in player.xmradio.com)
    Backup servers (192.168.1.54, etc.)
    Filter *(All), Keep email = [email protected]
  Truncate
    Drop packet payload for port SSH and SSL
  Alert
    Non-standard port activity (non-HTTP over port 80)
    DynDNS Domains
    BOT Profiles
    Clear text passwords
    Tunneling services (gotomypc, anonymizers, etc.)
    Specific threat profiles
    Etc.
Rule Example
Tip: faster to check range than !=
Non-standard HTTP
Nonstandard HTTP Details
Facebook Koobface Malware Example
  Basic Rule: Service = HTTP(80) && alias.host = locator.getconnected.be
  Better Rule: Service = HTTP(80) && alias.host exists && (query contains 'action=' && query contains 'c_fb=' && query contains 'c_ms=' && query contains 'c_hi=' && query contains 'c_tw=' && query contains 'c_be=' && query contains 'c_tg=' && query contains 'c_nl=')
  Based on the URL parameters Koobface passes when it checks in; the better rule keys on the check-in behaviour rather than on one hostname.
  Ref: http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_20heart_20of_20koobface_final_1_.pdf
Parsers
FlexParse
  FlexParse exposes the network session parsing and metadata model
    Configure how to identify applications and extract data
    XML parser definitions
    Register search tokens
    Perform logic operations
    Register metadata for the NetWitness system
  Why? Instantly customize and expand processing and modeling behavior
    Processing flexibility for networks with heavy application profiles, proprietary protocols, and threats that don't fall into common intrusion detection methods
  What's possible: expand baseline parsers, fast flux identification, social networking profiling, mainframe exploitation, SCADA, file object identification, complex threat identification, etc.
SCADA MODBUS Parser
Simple MODBUS Parser
  Why? Need insight into SCADA over IP to correlate with other network activity (critical infrastructure monitoring)
  Demonstrate
    Create a new Service type for MODBUS
    Simple text-based protocol; has numeric tokens that map to actions: Read Coil Status, Read Input Status, Read Holding Registers, Read Input Registers, Force Single Coil, Force Multiple Coils, etc.
MODBUS Protocol
  If port 502 AND tokens exist, then classify and extract actions
  (Diagram: MODBUS request; PROTOCOL and ACTION metadata registered)
Simple MODBUS protocol FlexParser Syntax
Detecting Malicious PDF Parser
Detecting Malicious PDFs
  Why? One of the most pervasive exploitation techniques used currently; very effective and can be difficult to detect
  Demonstrate
    Combined existence of PDF tokens, including JavaScript, that classifies potentially malicious objects
    Use flags to keep state between several different statements
Parser Logic
  Find the following token: HTTP/1.1 200 OK
  If the above is found, then find token: Content-Type: application/pdf
  If the above is found, then find token: %PDF-1.
  If the above is found, then alert if the following is found: /S/JavaScript
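The four-step token chain above, with the "flags that keep state between statements", as an added illustration in Python rather than the slide's FlexParse XML (this is not the talk's parser; the HTTP responses below are constructed samples):

```python
# Ordered token chain from the "Parser Logic" slide: each token is searched for
# only after the previous one has matched, and only from where that match ended.
TOKENS = [b"HTTP/1.1 200 OK", b"Content-Type: application/pdf",
          b"%PDF-1.", b"/S/JavaScript"]

def pdf_js_state(session: bytes) -> int:
    """Return how many tokens of the chain matched, in order (0..4).

    The integer state plays the role of the parser's flags: token N is looked
    for only once tokens 0..N-1 have been seen, so '/S/JavaScript' inside an
    HTML page or a non-200 response never advances the chain to the alert.
    """
    state, pos = 0, 0
    while state < len(TOKENS):
        idx = session.find(TOKENS[state], pos)
        if idx < 0:
            break
        pos = idx + len(TOKENS[state])
        state += 1
    return state

def alert_pdf_javascript(session: bytes) -> bool:
    """Alert condition from the slide: all four tokens present, in order."""
    return pdf_js_state(session) == len(TOKENS)

# Constructed sample sessions (not real captures).
PDF_WITH_JS = (b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n\r\n"
               b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n"
               b"2 0 obj<</S/JavaScript/JS(1)>>endobj\n")
PDF_NO_JS = (b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n\r\n"
             b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n")
# JavaScript token present but the body is not a PDF: the chain stops at state 1.
HTML_WITH_JS = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                b"<html>/S/JavaScript</html>")
# Token order matters: a 404 carrying a PDF never gets past the status line.
NOT_FOUND = (b"HTTP/1.1 404 Not Found\r\nContent-Type: application/pdf\r\n\r\n"
             b"%PDF-1.4 /S/JavaScript")

if __name__ == "__main__":
    for name, s in [("pdf+js", PDF_WITH_JS), ("pdf", PDF_NO_JS),
                    ("html", HTML_WITH_JS), ("404", NOT_FOUND)]:
        print(f"{name:7} state={pdf_js_state(s)} alert={alert_pdf_javascript(s)}")
```

The chain is literal, so an HTTP/1.0 status line or a compressed response body never matches; that coverage gap is the usual trade-off of token-based parsers and is worth knowing when tuning one.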
Parser Syntax
Declare tokens
Parser Syntax
Maintain state of token identification
Parser Syntax
Find JavaScript in PDF
Suspicious Trigger
Parser alert
| Copyright 2010 All rights reserved. NetWitness Corporation44
PDF with JavaScript
Matched tokens
JRE 0day Analysis (the short version)
Using Feeds, Rules & Parsers to Investigate & Profile
Background
  April 9th 2010: Tavis Ormandy of Google Security identifies Java Deployment Toolkit flaw; affects all versions of Java
  April 11th: Active exploitation via rogue advertisements on nytimes.com, foxnews.com, oprah.com, ufc.com and others
    Malicious .jar file; Referrer contains nytimes.com, foxnews.com, oprah.com, ufc.com
  How do we leverage feeds, rules and parsers to profile? Do I have a problem?
  0day: feeds may not provide intelligence
Hunting for Anomalous Traffic
  Profile HTTP for java-archives (potential deployment toolkit)
  Rule: service = HTTP(80) && content = application/java-archive
  Dig more on this
Internal host being referred to what?
  Use IP from anomalous traffic analysis
  Rule: ip.src = 156.145.x.x && referrer contains nytimes.com, foxnews.com, etc.
  Redirection to 95.211.14.21 (Netherlands hosting provider): 95.211.14.21/measure/ad.php
  Inspect php
  Rule to profile & find the ad.php query string: service = HTTP(80) && (query contains 'pl=' && query contains 'ce=' && query contains 'hb=' && query contains 'av=' && query contains 'jv=')
Ad.php behavior
  Really? .gif?
  Downloads p.gif from referred location
  How many times have I seen this .gif?
Compromised Hosts
  Rule: service = HTTP(80) && filename=p.gif && content = application/octet-stream
  3 Sessions, 3 Unique hosts
Deeper Analysis
  p.gif (exe) appears corrupt. Does that mean no one was infected?
  Let's have a look at the .jar
  The .jar modifies the first two bytes of the binary to subvert MZ token signatures
  FlexParse: profile the malware
  (Screenshot: hex view of the downloaded binary; where the "MZ" header bytes should be, the slide annotates "Huh?")
Flex Parser for Obfuscated Exe in Image
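The slide's parser is a screenshot, so here is an added Python illustration of the idea behind it, not the talk's FlexParse code: a binary whose two "MZ" bytes were altered still has to carry the e_lfanew pointer and the "PE\0\0" signature for Windows to load it, so a parser can key on that structure instead of the MZ token. The image extensions, the 0x80 header offset and the sample payloads are constructed assumptions.

```python
import struct

PE_SIG = b"PE\0\0"
E_LFANEW_OFF = 0x3C   # DOS header field holding the file offset of the PE signature
IMAGE_EXTS = (".gif", ".jpg", ".jpeg", ".png", ".bmp")  # assumed "image" file names

def looks_like_pe(payload: bytes) -> dict:
    """Structural PE check that does not depend on the first two bytes.

    Returns is_pe (PE\\0\\0 found where e_lfanew points), mz_intact (the first
    two bytes are still 'MZ') and e_lfanew. is_pe with mz_intact False is the
    obfuscation the slide describes: a loadable PE that an MZ token misses.
    """
    result = {"is_pe": False, "mz_intact": payload[:2] == b"MZ", "e_lfanew": None}
    if len(payload) < E_LFANEW_OFF + 4:
        return result
    (e_lfanew,) = struct.unpack_from("<I", payload, E_LFANEW_OFF)
    result["e_lfanew"] = e_lfanew
    # The pointer must land past the DOS header field and inside the payload.
    if E_LFANEW_OFF + 4 <= e_lfanew <= len(payload) - 4:
        result["is_pe"] = payload[e_lfanew:e_lfanew + 4] == PE_SIG
    return result

def exe_in_image(filename: str, payload: bytes) -> bool:
    """Alert condition: a file named like an image whose body has PE structure."""
    return filename.lower().endswith(IMAGE_EXTS) and looks_like_pe(payload)["is_pe"]

def _fake_pe(first_two: bytes) -> bytes:
    """Constructed minimal DOS stub with e_lfanew -> PE\\0\\0 at offset 0x80 (not runnable)."""
    hdr = bytearray(0x80)
    hdr[:2] = first_two
    struct.pack_into("<I", hdr, E_LFANEW_OFF, 0x80)
    return bytes(hdr) + PE_SIG + b"\x4c\x01"  # Machine = i386 follows the signature

REAL_EXE = _fake_pe(b"MZ")           # intact header: an MZ token already catches this
PATCHED_EXE = _fake_pe(b"\x00\x00")  # first two bytes altered, as in the slide
REAL_GIF = b"GIF89a" + bytes(200)    # a genuine image: no PE signature anywhere

if __name__ == "__main__":
    for name, body in [("real exe", REAL_EXE), ("patched exe", PATCHED_EXE), ("gif", REAL_GIF)]:
        print(f"{name:12} {looks_like_pe(body)} alert={exe_in_image('p.gif', body)}")
```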
Summary
  Investigator: Free!
  Custom Actions, Feeds, Rules and Parsers expand analytical capabilities
  Aggregating advanced indicators and profiling techniques really helps
Resources
  Community (http://community.netwitness.com): rule examples, FlexParser examples, tips/tricks, discussion
  YouTube (http://www.youtube.com/netwitness)
  Training Webcasts (www.netwitness.com)
  Brian Girardi, [email protected]
Q&A