Honeycon2014: Mining IoCs from Honeypot data feeds

DESCRIPTION

This Honeynet/Taiwan chapter talk

Text of Honeycon2014: Mining IoCs from Honeypot data feeds

  • Mining compromise indicators from Honeypot Systems. Vladimir Kropotov, Vitaly Chetvertakov, Fyodor Yarochkin. HoneyCON 2014. Affiliations: Academia Sinica, o0o.nu, chroot.org. Jul 07, 2014, Taipei
  • Outline: Introduction; IOC Standards; V:IOCs; mining IOCs; Applying IOCs; EOF
  • WHOAMI. Affiliations: Academia Sinica, chroot, and a few others. Mainly independent research (not vendor affiliated ;-))
  • WHOAMI:2. Our data sources: Academia Sinica; not-to-be-named networks in the Russian Federation
  • Good things to know. Main assumption: all networks are compromised. The difference between a good security team and a bad security team is that with a bad security team you will never know that you've been compromised. Running honeypots in parts of the network gives a team visibility on emerging threats that your network might face.
  • HP landscape. Honeypot (HP) platforms typically have a very low false-positive ratio: if your HP is hit, it is most likely a suspicious event. An HP should typically replicate your real environment. We focus on simulating both end-user machines and servers/services.
  • Statistics on end-user compromises: about 40,000,000 internet users in Russia; for every 10,000 server hosts, 500 hosts trigger redirects to malicious content per week; about 20-50 user machines (full AV installed, NAT, FW) get affected; many campaigns infect .ru IP addresses only (source matters)
  • Campaigns: r*.ru news ~790 000; ne*.com news ~590 000; ga*.ru news ~490 000; a*f.ru news ~330 000; m*.ru news ~315 000; v*.ru news ~170 000; li*.ru news ~170 000; top*s.ru news ~140 000
  • Introduction: terminology. Indicators of Compromise: "Indicator of compromise (IOC) in computer forensics is an artifact observed on network or in operating system that with high confidence indicates a computer intrusion." http://en.wikipedia.org/wiki/Indicator_of_compromise
  • Why Indicators of Compromise? They help us answer questions like: is this document/file/hash malicious? Is there any past history for this IP/domain? What are the other similar/related domains/hashes/...? Who is the actor? Am I an APT target?!! ;-) They shorten the cycle from initial detection to detection automation.
  • IoCs: old dog, new tricks
  • A network compromise case study: attackers broke in via a web vuln; attackers gained local admin access; attackers created a local user; attackers started probing other machines for default user IDs; attackers launched tunneling tools connecting back to C2; attackers installed RATs to maintain access
  • IoC indicators. So what are the compromise indicators here? Where did the attackers come from? (IP) What vulnerability was exploited? (pattern) What web backdoor was used? (pattern, hash) What tools were uploaded? (hashes) What users were created locally? (username) What usernames were probed on other machines? Detailed IoCs (unusual port used to serve an exploit kit, URI pattern, MIME content type, user agent). Warning: blind use of IoCs may lead to disaster (some IoCs are more suitable for statistical studies than for blocking).
  • Where to look for IOCs internally: outbound network traffic; user activities/failed logins; user profile folders; administrative access; access from unusual IP addresses; database IO: excessive READs; size of responses of web pages; unusual access to particular files within the web application (backdoor); unusual port/protocol connections; DNS and HTTP traffic requests; suspicious scripts, executables and data files
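The two slides above list the kinds of indicator a web-facing honeypot yields (source IP, URI pattern, unusual serving port, user agent, backdoor file access). As an added example that is not part of the talk, the Python below mines those indicator types from a few constructed honeypot web-server log lines: it flags requests on a port other than 80/443, access to a PHP script in an upload directory or a command-style query parameter (web backdoor), and a non-browser user agent, then pivots on the flagged source IPs to collect the other URIs they touched. The log format, the detection patterns, the port whitelist and the IP addresses are all assumptions made up for the example.

```python
"""Mine candidate IoCs from honeypot web-server logs (added example, not from the slides)."""
import re
from collections import defaultdict

# Constructed sample: Apache combined log format with the server port prepended.
# IPs come from documentation ranges; none of these lines is a real capture.
SAMPLE_LOG = """\
80 203.0.113.7 - - [05/Jul/2014:10:01:02 +0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/30.0"
80 203.0.113.7 - - [05/Jul/2014:10:01:05 +0800] "GET /images/logo.png HTTP/1.1" 200 1830 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/30.0"
80 198.51.100.23 - - [05/Jul/2014:10:02:11 +0800] "POST /wp-content/uploads/x.php HTTP/1.1" 200 64 "-" "Mozilla/4.0"
80 198.51.100.23 - - [05/Jul/2014:10:02:14 +0800] "GET /wp-content/uploads/x.php?cmd=id HTTP/1.1" 200 71 "-" "Mozilla/4.0"
8080 198.51.100.23 - - [05/Jul/2014:10:03:01 +0800] "GET /a7f2/load.php?id=3 HTTP/1.1" 200 221184 "-" "Java/1.7.0_21"
80 192.0.2.55 - - [05/Jul/2014:10:04:30 +0800] "GET /about.html HTTP/1.1" 200 4880 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/35.0"
"""

LOG_RE = re.compile(
    r'^(?P<port>\d+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Detection rules. Every pattern and threshold is an assumption for this example;
# tune them against the honeypot's own baseline before reusing them.
EXPECTED_PORTS = {80, 443}                                           # anything else: unusual port
BACKDOOR_PATH = re.compile(r'/uploads/[^/?]+\.php$', re.IGNORECASE)  # script inside an upload dir
SHELL_PARAM = re.compile(r'[?&](cmd|exec|c)=', re.IGNORECASE)        # command-style query parameter
SUSPICIOUS_UA_PREFIXES = ('Java/',)                                  # non-browser client pulling payloads


def parse(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['port'] = int(rec['port'])
    rec['status'] = int(rec['status'])
    rec['size'] = 0 if rec['size'] == '-' else int(rec['size'])
    rec['path'] = rec['uri'].split('?', 1)[0]
    return rec


def classify(rec):
    """Return (indicator_type, value) pairs for a single request."""
    hits = []
    if rec['port'] not in EXPECTED_PORTS:
        hits.append(('port', str(rec['port'])))
    if BACKDOOR_PATH.search(rec['path']) or SHELL_PARAM.search(rec['uri']):
        hits.append(('uri', rec['path']))
    if rec['ua'].startswith(SUSPICIOUS_UA_PREFIXES):
        hits.append(('user-agent', rec['ua']))
    return hits


def mine_iocs(log_text):
    """Return {indicator_type: sorted values} mined from the log text."""
    records = [r for r in map(parse, log_text.splitlines()) if r]
    iocs = defaultdict(set)
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec['ip']].append(rec)
        hits = classify(rec)
        if hits:
            iocs['ip'].add(rec['ip'])          # the source itself becomes an indicator
            for kind, value in hits:
                iocs[kind].add(value)
    # Pivot: everything else a flagged source touched is a related indicator,
    # useful for answering "what else is connected to this?" rather than for blocking.
    for ip in list(iocs.get('ip', ())):
        for rec in by_ip[ip]:
            iocs['related-uri'].add(rec['path'])
    return {kind: sorted(values) for kind, values in iocs.items()}


if __name__ == '__main__':
    for kind, values in mine_iocs(SAMPLE_LOG).items():
        print(f'{kind:12s} {values}')
```

The related-uri pivot is deliberately kept separate from the direct hits: a URI is only "related" because a flagged source requested it, which is exactly the kind of indicator the slide warns is better suited to statistical study than to blind blocking.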
  • IoCs (good and bad). Why do we need IOCs? Because they make it easier to systematically describe knowledge about breaches. Identifying intrusions is hard. Unfair game: the defender has to protect all the assets; the attacker only needs to pop one system. Identifying targeted, organized intrusions is even harder. Minor anomalous events are important when put together. Seeing the global picture is a must. Details matter. Attribution is hard.
  • What's wrong with IoCs: IoCs expire (IP addresses get discovered, cleaned); domain names expire; hash collisions; benign binaries might be malicious (depending on context)
  • Good or Bad? (file metadata of the binary in question)
    File Name: RasTls.exe
    File Size: 105 kB
    File Modification Date/Time: 2009:02:09 19:42:05+08:00
    File Type: Win32 EXE
    MIME Type: application/octet-stream
    Machine Type: Intel 386 or later, and compatibles
    Time Stamp: 2009:02:02 13:38:37+08:00
    PE Type: PE32
    Linker Version: 8.0
    Code Size: 49152
    Initialized Data Size: 57344
    Uninitialized Data Size: 0
    Entry Point: 0x3d76
    OS Version: 4.0
    Image Version: 0.0
    Subsystem Version: 4.0
    Subsystem: Windows GUI
    File Version Number: 11.0.4010.7
    Product Version Number: 11.0.4010.7
    File OS: Windows NT 32-bit
    Object File Type: Executable application
    Language Code: English (U.S.)
    Character Set: Windows, Latin1
    Company Name: Symantec Corporation
    File Description: Symantec 802.1x Supplicant
    File Version: 11.0.4010.7
    Internal Name: dot1xtray
  • It really depends on context: RasTls.DLL, RasTls.DLL.msc, RasTls.exe. See "Dynamic-Link Library Search Order": http://msdn.microsoft.com/en-us/library/ms682586(v=VS.85).aspx
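The slide's point is that the same vendor-signed RasTls.exe is harmless in its install directory and hostile when dropped next to an attacker's RasTls.DLL, because the loader resolves the DLL name by search order, not by identity. As an added example that is not part of the talk, the Python below models the search order described in the MSDN page linked above (SafeDllSearchMode on and off, KnownDLLs loaded from System32 regardless) and resolves a DLL name against a simulated disk, so you can see which copy wins and which copies it shadows. All directory names, file names and the version.dll / kernel32.dll scenario are constructed for the example; nothing here reads a real filesystem or registry.

```python
"""Model the Windows DLL search order to show how context decides which DLL loads
(added example, not from the slides)."""
from dataclasses import dataclass, field

SEP = '\\'


@dataclass
class Host:
    """A simulated machine: the directories LoadLibrary consults plus the files present."""
    app_dir: str                                  # directory the .exe was started from
    cwd: str                                      # current working directory of the process
    system_dir: str = r'C:\Windows\System32'
    system16_dir: str = r'C:\Windows\System'
    windows_dir: str = r'C:\Windows'
    path: tuple = (r'C:\Windows\System32', r'C:\Windows')
    safe_dll_search_mode: bool = True             # default since Windows XP SP2
    files: set = field(default_factory=set)       # full paths present on the simulated disk
    known_dlls: set = field(default_factory=set)  # simulated KnownDLLs list


def search_order(host):
    """Directories in the order LoadLibrary(name) tries them (MSDN ms682586)."""
    if host.safe_dll_search_mode:
        order = [host.app_dir, host.system_dir, host.system16_dir, host.windows_dir, host.cwd]
    else:
        order = [host.app_dir, host.cwd, host.system_dir, host.system16_dir, host.windows_dir]
    return order + list(host.path)


def resolve(host, dll_name):
    """Return the path that would be loaded for dll_name, or None if nothing matches."""
    if dll_name.lower() in {k.lower() for k in host.known_dlls}:
        return host.system_dir + SEP + dll_name   # KnownDLLs bypass the search entirely
    present = {f.lower() for f in host.files}
    for directory in search_order(host):
        candidate = directory + SEP + dll_name
        if candidate.lower() in present:
            return candidate
    return None


def shadowed_copies(host, dll_name):
    """Same-named DLLs that lose to the winner. A winner in the app dir or cwd that
    shadows a system copy is the search-order hijacking pattern."""
    winner = resolve(host, dll_name)
    present = {f.lower() for f in host.files}
    later, seen_winner = [], False
    for directory in search_order(host):
        candidate = directory + SEP + dll_name
        if winner and candidate.lower() == winner.lower():
            seen_winner = True
            continue
        if seen_winner and candidate.lower() in present and candidate not in later:
            later.append(candidate)
    return later


def rastls_scenarios():
    """The slide's triad in two locations (constructed paths): same exe, same DLL name."""
    vendor = r'C:\Program Files\Symantec\Dot1x'
    vendor_host = Host(app_dir=vendor, cwd=r'C:\Users\alice',
                       files={vendor + r'\RasTls.exe', vendor + r'\RasTls.dll'})
    staging = r'C:\Users\alice\AppData\Local\Temp\upd'
    dropped_host = Host(app_dir=staging, cwd=staging,
                        files={staging + r'\RasTls.exe', staging + r'\RasTls.dll',
                               staging + r'\RasTls.dll.msc'})
    return {'vendor': resolve(vendor_host, 'RasTls.dll'),
            'dropped': resolve(dropped_host, 'RasTls.dll')}


def cwd_hijack(safe_mode):
    """An exe with no private copy of version.dll, started from an attacker-writable cwd."""
    app, cwd = r'C:\Program Files\Vendor', r'C:\Users\alice\Downloads'
    host = Host(app_dir=app, cwd=cwd, safe_dll_search_mode=safe_mode,
                files={app + r'\app.exe', app + r'\kernel32.dll', cwd + r'\version.dll',
                       r'C:\Windows\System32\version.dll', r'C:\Windows\System32\kernel32.dll'},
                known_dlls={'kernel32.dll'})
    return {'version.dll': resolve(host, 'version.dll'),
            'kernel32.dll': resolve(host, 'kernel32.dll'),
            'shadowed': shadowed_copies(host, 'version.dll')}


if __name__ == '__main__':
    print(rastls_scenarios())
    print('SafeDllSearchMode on :', cwd_hijack(True))
    print('SafeDllSearchMode off:', cwd_hijack(False))
```

The takeaway for IoC work: a hash of RasTls.exe identifies the vendor binary in both scenarios and tells you nothing, whereas "RasTls.dll loaded from a user-writable directory next to a signed exe" is the context-bearing indicator. The cwd scenario also shows why SafeDllSearchMode matters: with it off, a DLL planted in the working directory beats the System32 copy.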
  • IOC representations. Multiple standards have been created to facilitate IOC exchange: Mandiant: OpenIOC; MITRE: STIX (Structured Threat Information eXpression), CybOX (Cyber Observable eXpression); MITRE: CAPEC, TAXII; IODEF (Incident Object Description Format)
  • Standards: OpenIOC. OpenIOC -