What Will You Investigate Today? InfoSecurity.nl 11/2013 - Xavier Mertens

What are-you-investigate-today? (version 2.0)


DESCRIPTION

Here is an updated version of the presentation I made at the RMLL in July 2013. This talk was given at InfoSecurity.nl in October 2013.


Page 1

What Will You Investigate Today?

InfoSecurity.nl 11/2013 - Xavier Mertens

Page 2

TrueSec

$ whoami

• Xavier Mertens (@xme)

• Consultant @ day

• Blogger @ night

• BruCON co-organizer

Page 3: What are-you-investigate-today? (version 2.0)

TrueSec

$ cat disclaimer.txt

“The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.”

Page 4

Agenda

• Introduction

• Interesting protocols

• Public resources

• Toolbox

Page 5

Feeling This?

Page 6

Or This?

Page 7

Me? Breached?


• In 66% of investigated incidents, detection was a matter of months or even more

• 69% of data breaches are discovered by third parties

(Source: Verizon DBIR 2012)

Page 8

“Grepping” for Gold


• Tracking users

• Suspicious traffic

• Out-of-business

• Compliance

• Exfiltration

• “Below the radar”

Page 9

Sources


• OS / application events

• Network protection (FW, ID(P)S, proxies, etc.)

• User credentials

• IP addresses, domains, URLs

• Filenames, database rows

• Hashes (MD5, SHA1)

• Metadata

Page 10

IOC


“In computer forensics, an Indicator of Compromise is an artefact observed on a network or in an operating system that with high confidence indicates a computer intrusion.”

(Source: wikipedia.org)

Page 11

Multiple Sources

• Automatic (logfiles, events)

• Online repositories

• Internal resources

• Developers!

Page 12

Classification


• Tag your events with “classification” info

• Helps you build better detection schemes

Examples of classification tags: attack, reconnaissance, scan, auth_success, auth_fail, firewall_allow, firewall_drop, etc.

Severity levels: info, warning, error, critical, emergency

Page 13

“Active” Lists


• Temporary or suspicious information to track, updated dynamically

• Examples: contractors, admins, terminated accounts, countries (GeoIP)

• if (grep(/^\Q$USER\E$/, @ADMINS)) { ... }

Page 14

Correlation

(Diagram labels: Your Recipes, Evidence)
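An added example, not code from the talk, in Python, that ties slides 12 to 14 together: each raw event is tagged with a classification and a severity, the tagged events are checked against active lists, and two correlation recipes run over the result. The sample events, the list contents and the rule patterns are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample events (syslog-like); not taken from the talk.
EVENTS = [
    "sshd[1201]: Failed password for alice from 10.1.2.3 port 51000 ssh2",
    "sshd[1201]: Failed password for alice from 10.1.2.3 port 51001 ssh2",
    "sshd[1201]: Failed password for alice from 10.1.2.3 port 51002 ssh2",
    "sshd[1204]: Accepted password for alice from 10.1.2.3 port 51003 ssh2",
    "sshd[1210]: Accepted publickey for carol from 10.1.2.9 port 40022 ssh2",
    "sshd[1215]: Accepted password for bob from 203.0.113.5 port 40100 ssh2",
    "kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.1.2.3 PROTO=TCP DPT=445",
]
# Active lists (slide 13): sets that change over time, here constructed inline.
ACTIVE_LISTS = {"admins": {"root", "carol"}, "terminated": {"bob"}}

# Classification rules (slide 12): pattern -> (classification tag, severity).
RULES = [
    (re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)"), ("auth_fail", "warning")),
    (re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)"), ("auth_success", "info")),
    (re.compile(r"\bDROP\b.*SRC=(?P<src>\S+)"), ("firewall_drop", "info")),
]

def classify(line):
    """Tag one raw event with a classification and severity plus the fields it yields."""
    for rx, (tag, severity) in RULES:
        m = rx.search(line)
        if m:
            return {"raw": line, "tag": tag, "severity": severity, **m.groupdict()}
    # Golden rule from the talk: anything unknown is suspicious, so it is never "info".
    return {"raw": line, "tag": "unknown", "severity": "warning"}

def correlate(events, lists=ACTIVE_LISTS, threshold=3):
    """Recipes over tagged events: admin logins, terminated-account logins, and
    >= threshold auth_fail followed by auth_success from the same (user, src)."""
    alerts, fails = [], defaultdict(int)
    for ev in map(classify, events):
        key = (ev.get("user"), ev.get("src"))
        if ev["tag"] == "auth_fail":
            fails[key] += 1
        elif ev["tag"] == "auth_success":
            if ev["user"] in lists["admins"]:
                alerts.append(("admin_login", ev["user"], ev["src"]))
            if ev["user"] in lists["terminated"]:
                alerts.append(("terminated_account_login", ev["user"], ev["src"]))
            if fails.pop(key, 0) >= threshold:
                alerts.append(("bruteforce_then_success", ev["user"], ev["src"]))
    return alerts
```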

Page 15

Visibility!

Page 16

Agenda

• Introduction

• Interesting protocols

• Public resources

• Toolbox

Page 17

Golden Rule


“Anything unknown must be considered as suspicious”

Page 18

DNS

• No DNS, no Internet!

• Can help to detect data exfiltration and communications with C&C servers (malware)

• Alert on any traffic to untrusted DNS

• Allow only local DNS as resolvers

• Investigate for suspicious domains

• Track suspicious requests (TXT)
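An added example, not part of the deck, that runs the DNS checks listed above over constructed log lines: TXT queries and long or high-entropy leftmost labels in resolver logs, and outbound port-53 traffic to any resolver outside an assumed trusted set in firewall logs. The thresholds, the trusted resolver address and all log lines are assumptions made for the example.

```python
import math
import re

# Constructed samples (not from the talk): BIND-style query log lines and
# iptables-style firewall lines carrying outbound DNS traffic.
RESOLVER_LOG = [
    "27-Oct-2013 09:00:01.123 client 10.1.2.3#5353: query: www.example.com IN A +",
    "27-Oct-2013 09:00:02.456 client 10.1.2.3#5354: query: a3f9c1e2b7d4.data.evil-c2.test IN TXT +",
    "27-Oct-2013 09:00:03.789 client 10.1.2.3#5355: query: 4d5a90000300000004000000ffff0000b8.t.evil-c2.test IN A +",
]
FIREWALL_LOG = [
    "kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.2.7 DST=8.8.8.8 PROTO=UDP DPT=53",
    "kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=10.1.0.53 PROTO=UDP DPT=53",
]
LOCAL_RESOLVERS = {"10.1.0.53"}  # assumed: the only resolvers internal clients may use
QUERY_RX = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")
FW_RX = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=\w+ DPT=(?P<dpt>\d+)")

def label_entropy(label):
    """Shannon entropy in bits per character; encoded blobs score far above real words."""
    n = len(label)
    return -sum(label.count(c) / n * math.log2(label.count(c) / n) for c in set(label)) if n else 0.0

def check_query(line, max_label=30, max_entropy=3.5):
    """Reasons a resolver log line looks suspicious (empty list = nothing found)."""
    m = QUERY_RX.search(line)
    if not m:
        return ["unparsed"]  # golden rule: anything unknown is suspicious
    reasons = []
    if m["qtype"] == "TXT":
        reasons.append("txt_query")
    first = m["qname"].split(".")[0]  # the leftmost label is where tunnels carry payload
    if len(first) > max_label:
        reasons.append("long_label")
    if label_entropy(first) > max_entropy:
        reasons.append("high_entropy_label")
    return reasons

def check_dns_flow(line, trusted=LOCAL_RESOLVERS):
    """Flag outbound port-53 traffic to a resolver outside the trusted set, else None."""
    m = FW_RX.search(line)
    if m and m["dpt"] == "53" and m["dst"] not in trusted:
        return f"untrusted_resolver {m['src']} -> {m['dst']}"
    return None

def scan(resolver_log=RESOLVER_LOG, firewall_log=FIREWALL_LOG):
    """Run both checks and return alerts as (source, reason, line) tuples."""
    alerts = [("resolver", r, l) for l in resolver_log for r in check_query(l)]
    for l in firewall_log:
        reason = check_dns_flow(l)
        if reason:
            alerts.append(("firewall", reason, l))
    return alerts
```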

Page 19

HTTP

• HTTP is the new TCP

• Investigate for suspicious domains

• Inspect HTTPS (Check with your legal dept before playing MitM!)

• Search for interesting hashes

Page 20

SMTP

• Because it remains the 1st infection path!

• Track outgoing emails

• Investigate for suspicious domains

Page 21

Netflow

• Analyze network flows

• Src Port

• Src IP

• Dst Port

• Dst IP

• Timestamp

Page 22

Agenda

• Introduction

• Interesting protocols

• Public resources

• Toolbox

Page 23

IP Addresses

• http://www.malwaredomainlist.com/hostslist/ip.txt

• Correlate your firewall logs

• GeoIP

Page 24

IP Addresses

• http://dshield.org

• http://zeustracker.abuse.ch/blocklist.php

• http://www.nothing.org/honeypots.php

Page 25

Domains

• DNS-BH (malwaredomains.com):
  http://mirror1.malwaredomains.com/files/domains.txt
  http://mirror1.malwaredomains.com/files/spywaredomains.zones

• http://www.malwaredomainlist.com/hostslist/hosts.txt

• spam404bl.com/blacklist.txt

• Correlate your resolver logs
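An added example, not from the talk, of the correlation the IP Addresses and Domains slides call for: load a blocklist in either of the layouts such lists publish (one entry per line, or hosts-file style "ip hostname"), then match firewall SRC/DST addresses and resolver query names against it, including subdomains of a listed domain. Every indicator and log line here is constructed.

```python
import re
from ipaddress import ip_address

# Constructed blocklist mixing the two layouts the public lists use: one entry per
# line (ip.txt style) and hosts-file style "<ip> <hostname>" (hosts.txt). Not real IoCs.
BLOCKLIST = """# comment line
198.51.100.7
127.0.0.1  bad.example
127.0.0.1  c2.evil-c2.test
"""
# Constructed firewall (iptables-style) and resolver (BIND-style) log lines.
FW_LOG = ["kernel: ACCEPT SRC=10.1.2.3 DST=198.51.100.7 PROTO=TCP DPT=443",
          "kernel: ACCEPT SRC=10.1.2.3 DST=93.184.216.34 PROTO=TCP DPT=80"]
DNS_LOG = ["client 10.1.2.3#5353: query: www.bad.example IN A +",
           "client 10.1.2.4#5353: query: www.example.com IN A +"]

def load_list(text):
    """Return (ips, domains); '#' starts a comment; 'localhost' entries are dropped."""
    ips, domains = set(), set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        entry = (fields[1] if len(fields) > 1 else fields[0]).lower().rstrip(".")
        if entry == "localhost":
            continue
        try:
            ips.add(str(ip_address(entry)))   # validates and canonicalises the address
        except ValueError:
            domains.add(entry)                 # not an IP, so treat it as a domain
    return ips, domains

def domain_listed(qname, domains):
    """True if qname or any parent domain is listed (www.bad.example -> bad.example)."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels) - 1))

def match_logs(fw_log, dns_log, ips, domains):
    """Correlate firewall SRC/DST and resolver query names against the lists."""
    hits = []
    for line in fw_log:
        m = re.search(r"SRC=(\S+) DST=(\S+)", line)
        if m and (m[1] in ips or m[2] in ips):
            hits.append(("firewall", line))
    for line in dns_log:
        m = re.search(r"query: (\S+) IN", line)
        if m and domain_listed(m[1], domains):
            hits.append(("resolver", line))
    return hits
```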

Page 26

URLs

• http://malwareurls.joxeankoret.com/normal.txt

• http://hosts-file.net/

• http://www.malware.com.br/

• http://malc0de.com/bl/

• http://scumware.com

Page 27

Hashes

• http://malware.lu

• http://virustotal.com

• http://www.malwr.com

Page 28

$ cat disclaimer2.txt

“Data are provided for ‘free’ but the right to use can be restricted to specific conditions (e.g. cannot be re-used for commercial applications). Always read carefully the terms of use. Some services require prior registration and use of APIs.”

Page 29

OSINT

“Set of techniques to conduct regular reviews and/or continuous monitoring over multiple sources, including search engines, social networks, blogs, comments, underground forums, blacklists/whitelists and so on.”

Page 30

OSINT


• Think “out of the box”!

• What identifies you on the Internet?

• Domain names

• IP addresses

• Brand

• Monitor them!

Page 31

Agenda

• Introduction

• Interesting protocols

• Public resources

• Toolbox

Page 32

OpenIOC

• Open framework

• Sharing threat intelligence

• XML based
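An added example, not from the deck, showing what that XML looks like and how an OpenIOC 1.0 indicator tree (nested AND/OR Indicator elements over IndicatorItem terms) can be evaluated against artefacts observed on a host. The document, its hash, domain and port are constructed placeholders, and only the "is" and "contains" conditions are implemented.

```python
import xml.etree.ElementTree as ET
NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed OpenIOC 1.0 document; hash, domain and port are placeholders, not real IoCs.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="00000000-0000-0000-0000-000000000001">
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">00000000000000000000000000000000</Content>
      </IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="contains">
          <Context document="DnsEntryItem" search="DnsEntryItem/Host" type="mir"/>
          <Content type="string">evil-c2.test</Content>
        </IndicatorItem>
        <IndicatorItem condition="is">
          <Context document="PortItem" search="PortItem/remotePort" type="mir"/>
          <Content type="int">4444</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

def item_matches(item, observed):
    """One IndicatorItem vs observed {search_term: [values]}; 'is' and 'contains' only."""
    search = item.find("ioc:Context", NS).get("search")
    want = item.find("ioc:Content", NS).text.strip().lower()
    cond = item.get("condition")
    for value in observed.get(search, []):
        value = str(value).lower()
        if (cond == "is" and value == want) or (cond == "contains" and want in value):
            return True
    return False

def indicator_matches(ind, observed):
    """Recursively evaluate an Indicator's AND/OR tree of items and sub-indicators."""
    results = []
    for child in ind:
        tag = child.tag.split("}")[-1]  # strip the namespace from the element name
        if tag == "IndicatorItem":
            results.append(item_matches(child, observed))
        elif tag == "Indicator":
            results.append(indicator_matches(child, observed))
    return all(results) if ind.get("operator", "OR").upper() == "AND" else any(results)

def evaluate(ioc_xml, observed):
    """True if any top-level Indicator of the OpenIOC document matches the observations."""
    return any(indicator_matches(i, observed) for i in ET.fromstring(ioc_xml).find("ioc:definition", NS))
```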

Page 33

URLs

• Google SafeBrowsing

use Net::Google::SafeBrowsing2;
use Net::Google::SafeBrowsing2::Sqlite;

my $gsb = Net::Google::SafeBrowsing2->new(
    key     => "xxx",
    storage => Net::Google::SafeBrowsing2::Sqlite->new(file => "google.db"),
);
$gsb->update();
my $match = $gsb->lookup(url => "http://evil.com");
if ($match eq MALWARE) { ... }

Page 34

Hashes

• http://blog.didierstevens.com/2013/05/03/virustotal-searching-and-submitting/

• Example from Python:

>>> import virustotal
>>> api = virustotal.VirusTotalAPI("MYAPIKEY")
>>> print api.get_file_report(resource="99017f6eebbac24f351415dd410d522d")
{"report": ["2010-04-13 23:28:27", {"nProtect": "", "CAT-QuickHeal": "", "McAfee": "Generic.dx!rkx", "TheHacker": "Trojan/VB.gen", "VirusBuster": "", "NOD32": "a variant of Win32/Qhost.NTY", "F-Prot": "", "Symantec": "", "Norman": "", "a-squared": "Trojan.Win32.VB!IK", ...}], "permalink": "http://www.virustotal.com/file-scan/report.html?id=a8...", "result": 1}

Page 35

IP Reputation

• http://isc.sans.edu/api/ip/50.46.90.187

• Example received in XML:

<ip>
  <number>50.46.90.187</number>
  <count>186</count>
  <attacks>27</attacks>
  <maxdate>2013-10-26</maxdate>
  <mindate>2013-08-30</mindate>
  <updated>2013-10-27 04:34:04</updated>
  <country></country>
  <as>5650</as>
  <asname>FRONTIER-FRTR - Frontier Communications of America, Inc.</asname>
  <network>50.32.0.0/12</network>
  <comment/>
</ip>

Page 36

pastebin.com

• A gold mine for exfiltrated data!

• Interesting search:

• Logins

• Email addresses

• IPs, domains

• Tool: pastemon.pl

• https://github.com/xme/pastemon

Page 37

Data Parsers

• d3.js Javascript library

• Example of implementation: malcom (Malware Communications Analyzer)

• https://github.com/tomchop/malcom

Page 38

Data Parser

Page 39

Offline Honeypots

• Fake .conf file on the desktop

• Fake row in a SQL DB

• Track activity using your IDS or SIEM

Page 40

The Conductor

• OSSEC

• Log Management

• Active-Response

• Powerful alerts engine

Page 41

Online Tools

• http://urlquery.net

• http://bgpranking.circl.lu/

• http://www.informatica64.com/foca.aspx

• http://virustotal.com

Page 42

Conclusions

• Know your environment

• You have plenty of useful (big)data

• Free software can help you (but the project is not free)

• To do good defensive security, know your enemy! (learn how bad guys work)

Page 43

Questions?

@xme

[email protected]

http://blog.rootshell.be

https://www.truesec.be
