Journey Into Incident Response (Holding the Line), by Corey Harrell<br />
<br />
Changing Perspectives (2017-01-03)<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhg8z654aO76FCBW8tGmFC-AVXn8Ohny51xP1g5z-b9a3AhCOekyDHUJ4cxWjHMflHKptIjuzmpMbvPEvRWtJoAz4r2-vXhFo6URya4CtfQWdHm8QzoTaP97YKBrhwFl_h7mD4k7CWFO4I/s1600/compost1.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhg8z654aO76FCBW8tGmFC-AVXn8Ohny51xP1g5z-b9a3AhCOekyDHUJ4cxWjHMflHKptIjuzmpMbvPEvRWtJoAz4r2-vXhFo6URya4CtfQWdHm8QzoTaP97YKBrhwFl_h7mD4k7CWFO4I/s320/compost1.jpg" width="320" /></a><span style="font-family: "verdana" , sans-serif;">In the Fall I was staring out my back window, seeing my yard covered in orange leaves. This sight is one I see each year and have always viewed as my yearly chore: cleaning up the leaves that have fallen from the trees. At times I would see some joy the leaves would bring as my kids played in them, but mostly I viewed the leaves with disdain, knowing I would be spending hours upon hours cleaning them up. I came to accept this yearly chore as something that doesn’t change since it came with the territory of owning a property with trees. This was until I became more knowledgeable about a subject and this knowledge changed my perspective on how I see these leaves.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">For over the past year I took some time to get refocused in life. During this time I was reflecting on different things; one of those things was I have never grown my food. My food typically came from stores, farmer markets, or local farmers. Thinking about it I realized my food has always came from someone else’s labor. I had no clue how to grow food nor what was involved with growing food. I decided I wanted to change this and I jumped head first into becoming more knowledgeable about organic gardening.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">I won’t go into detail about my approach; basically I read books, researched on websites, spoke to friends who garden, and I spoke to local farmers who I buy food from. I tried to cover all of my bases to know as much as I could about the entire plant life cycle. My goal is to be fully self-reliant so to avoid having to constantly buy compost I started to learn about composting. As I went deeper into the art of composting by reading and seeing what others have done before me, the more knowledgeable I started to become. The more knowledgeable I started to become the more my perspective started to change. Staring out of my back window each Fall I only saw a chore. However, this year as I was staring out of the window I saw something else. I saw enough brown material that I could use to make compost the next spring. To create the rich compost loaded with nutrients to feed my vegetable plants. I saw the potential for cover material I could put on my raised beds to protect the soil during the winter months. I saw what a blessing each Fall is since it is when nature provides you with a wealth of material you can use to improve your soil to grow better vegetable plants.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">As I stared out the window I also reflected on the similarities between my journey into composting and a security analyst’s journey into DFIR. When I’m building up a security analyst to do DFIR work the approach is the same. The first few months I allow them to be paid to learn; there job is to gain knowledge so their perspective looking at data changes. I want to give them knowledge about what they are looking for, different files and folders on the system, different log sources, and the analysis process. I try to give them enough knowledge to change how they see data and what that data means. To change them from seeing just a bunch of files and folder names to seeing select artifacts and log files. To change them from seeing just a bunch of activity to seeing the malicious activity. To change them from seeing alerts and alarms to seeing what the exact attack vector is.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Knowledge is the key to changing one’s perspective; applying the knowledge is what makes the change reality.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><i>"Knowledge without application is like a book that is never read"</i></span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">~ Christopher Crawford</span><br />
<div>
<br /></div>
Thanks a Million (2016-05-24)<br />
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: Verdana, sans-serif;">Last week a new member on my $DayJob’s team reached the point in his in-house training where they started to read articles on jIIr. After I cracked a joke about the blog’s author he mentioned how my blog had over one million page views. To be honest, I haven’t looked at my jIIr’s statistics for months and I didn’t even know about the page views. The milestone really made me reflect on my journey and how it wouldn’t had been possible without others so I wanted to take the time to say thank you.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Thanks to everyone who has stopped by jIIr to read my content. Thanks to all the other bloggers who had linked back to my site or posted links directing their readers to my site. Thanks to everyone who posted links to my content on websites, social media, forums, and DFIR email lists to direct people to my posts. I especially wanted to thank those who took the time to leave a comment or contact me by email about something I wrote whether if it is positive or criticism. I wanted to give a shout out to <a href="http://windowsir.blogspot.com/">Harlan </a>for the advice he provided to me. I was just a random person who reached out to him looking for advice on starting a blog. Not only did he provided me with great advice (which showed me I was really over thinking things) but he also mentioned jIIr on his own blog, which helped my content gain more exposure. Lastly, I wanted to thank the Christian men’s group I was in all those years ago who walked with me on how we could use the passions God blessed us with to serve others.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">In addition to saying thanks I also wanted to apologize. I wanted to apologize to those who left comments on my blog over the past few months and I never responded. To those who contacted me by email and I either took an extremely long time to respond or never responded at all. To those who may had been visited my blog only to be disappointed due to the lack of new content being posted on jIIr since last September. This was not the way I would had preferred to hit this milestone compared to hitting the milestone due to a great article that pushed me over a million page views. Sitting where I am today I wouldn’t had done it any other way. I needed some time to focus on my walk with Christ and spend more time in God’s word. In essence, I realigned priorities in my life and how I was spending my time. Outside of my commitments (family, $DayJob, $AcademiaJob, and church) I pretty much disconnected from everything else to focus on my faith. The DFIR community and jIIr was part of this everything else category that I temporarily put on hold while I spent time refocusing. Stay tuned as I start working my way through my blog idea hopper that has built up over the months.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">It’s been a long journey to reach this milestone. I started out as a digital forensic analyst/ vulnerability assessor looking to get into the incident response field to becoming a security analyst who built and manages a Computer Security Incident Response Team (CSIRT) performing security monitoring and incident response. jIIr has been a place where I have shared my thoughts during this journey in hopes that someone somewhere would find the content useful and helpful. God willing, I’ll continue publishing content and my research for another six years to help those their own journeys.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><i>But He answered and said, “It is written, ‘MAN SHALL NOT LIVE ON BREAD ALONE, BUT ON EVERY WORD THAT PROCEEDS OUT OF THE MOUTH OF GOD.’”</i></span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">~ Matthew 4:4</span></div>
Breaking Out of Routines (2016-05-19)<br />
<span style="font-family: Verdana, sans-serif;">I was digging a hole to plant my blackberry plants when I kept hearing a noise of something moving around the corner of my house. I stopped digging and walked around the house to see what was making the noise. I didn’t see anything anywhere so I shrugged it off and went back to digging the hole. Shortly thereafter I heard the noise again so I went back to look around the corner. Again, I didn’t see anything so I went back to work thinking maybe it was the wind. After a few minutes I heard the noise for a third time and this time I was determined to figure out what was making it. I went around the corner of my house but I still didn’t see anything. Then I looked down to my right at my basement window well that sits below ground and saw what was making the noise. Sitting next to my window inside the window well was a squirrel, which wasn’t moving since it saw me standing right above it.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">I walked a few feet away so the squirrel couldn’t see me but I could still see it. I stood on top of my air condition unit to see what the squirrel was doing. After a minute, the squirrel started to move around. Not just in any manner but it started to walk the boundary of the window well making a circle. As I stood there watching the squirrel I realize what occurred. I built up the soil on that side of my house to prepare for our garden but this caused the soil to be close to the top of my window well. The squirrel must had been walking and fell into the window well before I was able to buy window well covers. The trapped squirrel searching for a way out turned it into a routine. The routine of walking in circles trying to find a way to escape but not finding one. The squirrel keeps walking searching for a way out. In the end, the squirrel is just walking in a small circle. As I was watching the squirrel I could see it had been trapped for some time; maybe for hours or maybe the entire day.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">I thought about how I could help the squirrel escape without it biting me. My first attempt was to put a branch into the window well. This way the squirrel could climb up the branch to escape. I dropped the branch down into the window well and went back to my spot to watch what happens. The squirrel started to walk the circle and approached the branch. Then the squirrel walked over the branch and continued looking for a way out. My first thought was maybe the branch was too small so I replaced it with a piece of lumber. The same thing occurred with the squirrel walking right over the lumber and not seeing that the wood was its way out from being trapped. I stood there watching the squirrel and thought to myself the squirrel is trapped in its own routine. For hours the branch and lumber were not there so the squirrel was walking right past it since it was not expecting it. My neighbor came over to help me get the squirrel out. It took a few minutes but he was able to manage to lift the now freaked out squirrel out of the window well with the shovel. The squirrel panicked and jumped right back down into the window well. However, this time the squirrel was no longer trapped in its routine since the experience with the shovel was a jolt to its senses. My neighbor now struggled to get the squirrel on the shovel so he decided to set a brick on the bottom of the window well. The squirrel immediately saw the brick and used it to jump out of the window well to free itself.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">At times we can find ourselves trapped in our routines and this is especially true when performing analysis for security monitoring, digital forensics, or incident response. Routines make our job easier because we can perform certain actions without having to think really hard about how to do it. The downside of routines is they tend to put us on auto-pilot, which blinds us to seeing something new that is right in front of us. Similar to the squirrel’s routine blinding it to seeing the way to escape. Every now and then when you are performing routine analysis tasks take the time to stop and think about what you are doing, what you are trying to accomplish, and what you are seeing. If you don’t then you may never see what you are missing because we don’t have the luxury of someone giving us a jolt to break us out of our routines.</span>Corey Harrellhttp://www.blogger.com/profile/15008629321023489214noreply@blogger.com0tag:blogger.com,1999:blog-4080617372940068027.post-8545977524109107432016-04-05T12:50:00.000-04:002016-04-05T12:55:56.606-04:00Triage Practical Solution – Malware Event – Proxy Logs Prefetch $MFT IDS<span style="font-family: "verdana" , sans-serif;">Staring at your Mountain Dew you think to yourself how well your malware triage process worked on triaging the IDS alert. It’s not perfect and needs improvement to make it faster but overall the process worked. In minutes you went from IDS alerts to malware on the system. That’s a lot better than what it used to be; where IDS alerts went into the black hole of logs never to be looked at again. Taking a sip of your Mountain Dew you are ready to provide your ISO with an update.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<h2>
<span style="font-family: "verdana" , sans-serif;">Triage Scenario</span></h2>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">To fill in those readers who may not know what is going on the following is the abbreviated practical scenario (for the full scenario refer to the post <a href="http://journeyintoir.blogspot.com/2016/01/triage-practical-malware-event-web-logs.html">Triage Practical – Malware Event – Proxy Logs Prefetch $MFT IDS)</a>:</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The junior security guy noticed another malware infection showing up in the IDS alerts. They grabbed a screenshot of the alerts and sent it to you by email. As soon as you received the email containing the screenshot shown below you started putting your malware triage process to the test.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTTx_CLmXzH4fKZSFJppvm5WFYXimp5scGof_c6Xs5lyHIifOXs6Uo5qedqYJcmJbdfKejl6EY2zD9GhgCJtBBia8cKb0yvlKx-t-C6FTVP7Gk7cCji1puYHFk4Z0r4scHf7jPJ8m91_g/s1600/1.+ids-alert-screenshot.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="334" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTTx_CLmXzH4fKZSFJppvm5WFYXimp5scGof_c6Xs5lyHIifOXs6Uo5qedqYJcmJbdfKejl6EY2zD9GhgCJtBBia8cKb0yvlKx-t-C6FTVP7Gk7cCji1puYHFk4Z0r4scHf7jPJ8m91_g/s640/1.+ids-alert-screenshot.jpg" width="640" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Below are some of the initial questions you had to answer and report back to the ISO.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"> * Is this a confirmed malware security event or was the junior analyst mistaken?</span><br />
<span style="font-family: "verdana" , sans-serif;"> * What do you think occurred on the system to cause the malware event in the first place?</span><br />
<span style="font-family: "verdana" , sans-serif;"> * What type of malware is involved and what capabilities does it have?</span><br />
<span style="font-family: "verdana" , sans-serif;"> * What potential risk does the malware pose to your organization?</span><br />
<span style="font-family: "verdana" , sans-serif;"> * What recommendation(s) do you make to the security team to strengthen its security program to reduce similar incidents occurring in the future?</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<h2>
<span style="font-family: "verdana" , sans-serif;">Information Available</span></h2>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Despite the wealth of information available to you within an enterprise, only a subset of data was provided for you to use while triaging this malware event. The following artifacts were made available:</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"> * IDS alerts for the timeframe in question (you need to replay the provide pcap to generate the IDS alerts. pcap is not provided for you to use during triage and was only made available to enable you to generate the IDS alerts in question)</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"> * Parsed index.dat files to simulate proxy web logs (the parsed index.dat information was modified to remove items not typically found in a web server’s proxy logs)</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"> * Prefetch files from the system in question (inside the Prefetch.ad1 file)</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"> * Filesystem metadata from the system in question (the Master File Table is provided for this practical)</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<h2>
<span style="font-family: "verdana" , sans-serif;">Information Storage Location within an Enterprise</span></h2>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Each enterprise’s network is different and each one offers different information for triaging. As such, it is not possible to outline all the possible locations where this information could be located in enterprises. However, it is possible to highlight common areas where this information can be found. To those reading this post whose environments do not reflect the locations I mention then you can evaluate your network environment for a similar system containing similar information or better prepare your network environment by making sure this information starts being collected in systems.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"> * Proxy web logs within an enterprise can be stored on the proxy server itself and/or in a central logging system. In addition to proxy web logs, the potentially infected system will have web usage history for each web browser on the system</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"> * IDS alerts within an enterprise can be stored on the IDS/IPS sensors themselves or centrally located through a management console and/or central logging system (i.e. SIEM)</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"> * Prefetch files within an enterprise can be located on the potentially infected system</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"> * File system metadata within an enterprise can be located on the potentially infected system</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<h2>
<span style="font-family: "verdana" , sans-serif;">Collecting the Information from the Storage Locations</span></h2>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Knowing where information is available within an enterprise is only part of the equation. It is necessary to collect the information so it can be used for triaging. Similar to all the differences between enterprises’ networks, how information is collected varies from one organization to the next. Below are a few suggestions for how the information outlined above can be collected.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"> * Proxy web logs will either be located on the proxy server itself or a centralized logging solution. The collection of the logs can be as simple as running a filter in a web graphical user interface to export the logs, copying an entire text file containing log data from the server, or viewing the logs using the interface to the central logging system.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"> * IDS alerts don’t have to be collected. They only need to be made available so they can be reviewed. Typically this is accomplished through a management console, security monitoring dashboard, or a centralized logging solution.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"> * Prefetch files are stored on the potentially infected system. The collection of this artifact can be done by either pulling the files off remotely or locally. Remote options include an enterprise forensic tools such as <a href="https://www.f-response.com/">F-Response</a>, <a href="https://www2.guidancesoftware.com/products/Pages/encase-enterprise/overview.aspx">Encase Enterprise</a>, or <a href="https://github.com/google/grr">GRR Rapid Response</a>, triage scripts such as <a href="https://drive.google.com/folderview?id=0BwsuIHubBoklVE5uRkhZOW01S1U&usp=sharing">Tr3Secure collection script</a>, or by using the admin share since Prefetch files are not locked files. Local options can use the same options.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"> * File system metadata is very similar to Prefetch files because the same collection methods work for collecting it. The one exception is the file can’t be pulled off by using the admin share.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<h2>
<span style="font-family: "verdana" , sans-serif;">Potential DFIR Tools to Use</span></h2>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The last part of the equation is what tools one should use to examine the information that is collected. The tools I’m outlining below are the ones I used to complete the practical.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"> * Excel to view the text based proxy logs</span><br />
<span style="font-family: "verdana" , sans-serif;"> * <a href="http://www.nirsoft.net/utils/win_prefetch_view.html">Winprefetchview</a> to parse and examine the prefetch files</span><br />
<span style="font-family: "verdana" , sans-serif;"> * <a href="https://github.com/jschicht/Mft2Csv">MFT2CSV</a> to parse and examine the $MFT file</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<h2>
<span style="font-family: "verdana" , sans-serif;">Others’ Approaches to Triaging the Malware Event</span></h2>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Placeholder since none were known at the time of this post</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<h2>
<span style="font-family: "verdana" , sans-serif;">Partial Malware Event Triage Workflow</span></h2>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The diagram below outlines the jIIr workflow for confirming malicious code events. The workflow is a modified version of the <a href="https://securosis.com/blog/malware-analysis-quant-final-paper">Securosis Malware Analysis Quant</a>. I modified Securosis process to make it easier to use for security event analysis</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPJEQG7ctJA-n6FFMZpke93lxq9kaoKtOpl6ruAXHlgek0lBft-uyQkJMO106o10Prr-ygK3mHXkJfNDSf8NetgYRsmKMmXI2ScUSxzKzXs7rcxIT_RvUvUWUEN9hf8NKhN2Oyy8ej-X8/s1600/malware-analysis-quant.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="338" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPJEQG7ctJA-n6FFMZpke93lxq9kaoKtOpl6ruAXHlgek0lBft-uyQkJMO106o10Prr-ygK3mHXkJfNDSf8NetgYRsmKMmXI2ScUSxzKzXs7rcxIT_RvUvUWUEN9hf8NKhN2Oyy8ej-X8/s640/malware-analysis-quant.jpg" width="640" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><u>Detection</u>: the malicious code event is detected. Detection can be a result of technologies or a person reporting it. The workflow starts in response to a potential event being detected and reported.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><u>Triage</u>: the detected malicious code event is triaged to determine if it is a false positive or a real security event.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><u>Compromised</u>: after the event is triaged the first decision point is to decide if the machine could potentially be compromised. If the event is a false positive or one showing the machine couldn’t be infected then the workflow is exited and returns back to monitoring the network. If the event is confirmed or there is a strong indication it is real then the workflow continues to identifying the malware.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><u>Malware Identified</u>: the malware is identified two ways. The first way is identifying what the malware is including its purpose and characteristics. The second way is identifying and obtaining the malware from the actual system.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><u>Root Cause Analysis</u>: a quick root cause analysis is performed to determine how the machine was compromised and to identify indicators to use for scoping the incident. This root cause analysis does not call for a deep dive analysis taking hours and/or days but one only taking minutes.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><u>Quarantine</u>: the machine is finally quarantined from the network it is connected to. This workflow takes into account performing analysis remotely so disconnecting the machine from the network is done at a later point in the workflow. If the machine is initially disconnected after detection then analysis cannot be performed until someone either physically visits the machine or ships the machine to you. If an organization’s security monitoring and incident response capability is not mature enough to perform root cause analysis in minutes and analysis live over the wire then the Quarantine activity should occur once the decision is made about the machine being compromised. </span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<h2>
<span style="font-family: "verdana" , sans-serif;">Triage Analysis Solution</span></h2>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">I opted to triage this practical similar to a real security event. As a result, the post doesn’t use all of the supplied information and the approach is more focused on speed. The triage process started with the IDS alert screenshot the junior security analyst saw then proceeded to the proxy logs before zeroing in on the system in question.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<h3>
<span style="font-family: "verdana" , sans-serif;">IDS alerts</span></h3>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The screenshot below is the one supplied by the junior security analyst. In this practical it was not necessary to replay the packet capture to generate these IDS alerts since the screenshot supplied enough information.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQt7opQUCL28rGH-oSWup-DUiZE9EW3Jpq4PArMqhdJ5plV20z2Dy6mQnfgcYx3Bs_kdQbMIb4JOpOXwkP31h6bkyV7Yo28OahDQNFTdhesBKPtd4jKFWR812AhUGktd3qyvCwenSF1HU/s1600/1.+ids-alert-screenshot.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="334" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQt7opQUCL28rGH-oSWup-DUiZE9EW3Jpq4PArMqhdJ5plV20z2Dy6mQnfgcYx3Bs_kdQbMIb4JOpOXwkP31h6bkyV7Yo28OahDQNFTdhesBKPtd4jKFWR812AhUGktd3qyvCwenSF1HU/s640/1.+ids-alert-screenshot.jpg" width="640" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Typically you can gain a lot of context about a security event by first exploring the IDS signatures themselves. Gaining context around a security event solely using the IDS signature names becomes second nature by doing event triage analysis on a daily basis. Analysts tend to see similar attacks triggering similar IDS alerts over time; making it easier to remember what attacks are and the traces they leave in networks. For other analysts this is where Google becomes their best friend. The screenshot shows three distinct events related to the malware in this security incident.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: &quot;verdana&quot; , sans-serif;">1. ET CURRENT_EVENTS Possible Dyre SSL Cert: these signatures indicate a possible SSL certificate used by the Dyre malware. Dyre is a banking Trojan and it <a href="https://www.secureworks.com/research/dyre-banking-trojan">uses SSL to encrypt its communication</a>. The practical did not include this, but another way to detect this activity is by consuming the <a href="https://sslbl.abuse.ch/">SSL Blacklist</a> and comparing it against an organization’s firewall logs or netflow data to see if any internal hosts are communicating with known IP addresses associated with Dyre.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: &quot;verdana&quot; , sans-serif;">2. ET POLICY Internal Host Retrieving External IP via icanhazip[.]com: this signature flags an internal host that contacts a known website used to identify the host’s public IP address. Depending on the organization this may or may not be normal behavior for web browsing and/or end users. However, some malware tries to identify the public facing IP address, which will trigger this IDS signature.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">3. ET TROJAN Common Upatre Header Structure: this signature flags traffic associated with the Upatre Trojan. <a href="https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Upatre">Upatre is a downloader</a> that installs other programs.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: &quot;verdana&quot; , sans-serif;">One of the IDS alerts could have been a false positive, but it is unlikely for this sequence of alerts to all be false positives. This confirms what the junior analyst believed about the machine being compromised. Specifically, the machine was infected with the Upatre downloader, which then proceeded to install the Dyre banking Trojan.</span><br />
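<span style="font-family: &quot;verdana&quot; , sans-serif;">The SSL Blacklist check mentioned above, written out as an added example that is not part of the original post or the practical. The script matches constructed netflow records against a constructed blocklist in the shape of the abuse.ch IP feed (comment lines, then DstIP,DstPort) and reports which internal hosts talked to a listed IP and port. The two listed addresses are the destinations from the IDS alerts; their presence in the sample blocklist, the netflow column names and the 10.1.1.0/24 source hosts are all assumptions made for the example.</span><br />

```python
"""Match constructed netflow records against an abuse.ch-style SSL IP blocklist.

Added example for this write-up, not part of the original post or the practical.
The blocklist and flow lines are constructed; the feed format (comment lines
starting with '#', then 'DstIP,DstPort') mirrors the abuse.ch CSV feed but is an
assumption here, as are the column names of the netflow export.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample in the shape of sslipblacklist.csv; NOT the live feed.
SSLBL_CSV = """\
# SSL Blacklist - constructed sample
# DstIP,DstPort
72.175.10.116,443
104.238.141.75,443
198.51.100.9,4443
"""

# Constructed netflow export (assumed column names).
NETFLOW_CSV = """\
start,src_ip,src_port,dst_ip,dst_port,proto,bytes
2015-08-15 05:50:12,10.1.1.23,49211,72.175.10.116,443,tcp,8812
2015-08-15 05:50:40,10.1.1.23,49215,104.238.141.75,443,tcp,1520
2015-08-15 05:51:02,10.1.1.23,49219,203.0.113.5,80,tcp,640
2015-08-15 05:52:10,10.1.1.40,50102,104.238.141.75,443,tcp,2301
2015-08-15 05:53:33,10.1.1.77,50300,198.51.100.9,443,tcp,900
"""

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def load_blocklist(text):
    """Return a set of (ip, port) pairs, skipping blank and '#' comment lines."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, port = line.split(",")[:2]
        entries.add((ip.strip(), int(port)))
    return entries


def is_internal(ip):
    """True when the address falls in one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_hits(netflow_text, blocklist):
    """Map each internal source host to its flows whose destination ip:port is listed."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(netflow_text)):
        key = (row["dst_ip"], int(row["dst_port"]))
        if key in blocklist and is_internal(row["src_ip"]):
            hits[row["src_ip"]].append((row["start"], row["dst_ip"], int(row["dst_port"])))
    return dict(hits)


if __name__ == "__main__":
    for host, flows in sorted(find_hits(NETFLOW_CSV, load_blocklist(SSLBL_CSV)).items()):
        print(host)
        for start, dst, port in flows:
            print(f"  {start} -> {dst}:{port}")
```

<span style="font-family: &quot;verdana&quot; , sans-serif;">Matching on the IP and port pair rather than the IP alone keeps unrelated services on a listed host from generating hits (the 198.51.100.9 flow on 443 is ignored because the listing is for 4443); drop the port from the key if the feed you consume lists IPs only. A second internal host talking to the same listed address is exactly the scoping lead the write-up refers to.</span><br />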
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<h3>
<span style="font-family: "verdana" , sans-serif;">Web Proxy Logs</span></h3>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: &quot;verdana&quot; , sans-serif;">IDS alerts provide indicators that can be pivoted on in other data sources. The practical doesn’t provide the date and time when the IDS signatures fired, but it does provide the destination IP addresses and domain name the machine communicated with. These IP addresses were used to correlate the IDS alerts to activity recorded in the web proxy logs. The web_logs.csv file was imported into Excel and the data was sorted by date. This puts the log entries in chronological order, making it easier to perform analysis.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: &quot;verdana&quot; , sans-serif;">The web logs provided with the practical were very basic. The only information recorded was the date/time, URL, and username. Unfortunately, the destination IP address was not recorded, which is common with web proxy logging. As a result, the logs did not contain any entries for the IP addresses 72.175.10.116 and 104.238.141.75.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: &quot;verdana&quot; , sans-serif;">The search on the domain icanhazip[.]com also came up empty. At this point the web proxy logs provide no additional information without a date and time to go on. This analysis did reveal these web proxy logs suck and the organization needs to make it a priority to record more information to make analysis easier. The organization also needs to ensure the network routes all HTTP/HTTPS web traffic through the proxy so it gets recorded, which prevents users and programs from bypassing it.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<h3>
<span style="font-family: "verdana" , sans-serif;">Prefetch files</span></h3>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: &quot;verdana&quot; , sans-serif;">At this point in the analysis the machine in question needs to be triaged. Reviewing the programs that executed on a system is a quick technique to identify malicious programs. The high level indicators I tend to look for are below:</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"> * Programs executing from temporary or cache folders</span><br />
<span style="font-family: "verdana" , sans-serif;"> * Programs executing from user profiles (AppData, Roaming, Local, etc)</span><br />
<span style="font-family: "verdana" , sans-serif;"> * Programs executing from C:\ProgramData or All Users profile</span><br />
<span style="font-family: "verdana" , sans-serif;"> * Programs executing from C:\RECYCLER</span><br />
<span style="font-family: "verdana" , sans-serif;"> * Programs stored as Alternate Data Streams (i.e. C:\Windows\System32:svchost.exe)</span><br />
<span style="font-family: "verdana" , sans-serif;"> * Programs with random and unusual file names</span><br />
<span style="font-family: "verdana" , sans-serif;"> * Windows programs located in wrong folders (i.e. C:\Windows\svchost.exe)</span><br />
<span style="font-family: "verdana" , sans-serif;"> * Other activity on the system around suspicious files</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: &quot;verdana&quot; , sans-serif;">The collected prefetch files were parsed with WinPrefetchView and I initially sorted by process path. I reviewed the parsed prefetch files using the general indicators I mentioned previously and found the suspicious program highlighted in red.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFBRUdR_YSDqkIcUJ7a6ncz573SdfXSYpr2EbJHeKj6-2ZlRRIvTlcwpP3NPdpBzGMyhT5t9xBQpKxiflFV9w9pI3ExvANpxXQ-Ozh8JHVSuT_ndlW3m8PlkqHZGBhTZthRdDFb9NVUyQ/s1600/2.+prefetch+1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="64" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFBRUdR_YSDqkIcUJ7a6ncz573SdfXSYpr2EbJHeKj6-2ZlRRIvTlcwpP3NPdpBzGMyhT5t9xBQpKxiflFV9w9pI3ExvANpxXQ-Ozh8JHVSuT_ndlW3m8PlkqHZGBhTZthRdDFb9NVUyQ/s640/2.+prefetch+1.jpg" width="640" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: &quot;verdana&quot; , sans-serif;">The first suspicious program was SCAN_001_140815_881[1].SCR executing from the Temporary Internet Files directory. The program was suspicious because it executed from the lab user’s profile and its name resembles a document name instead of a screensaver name. To gain more context around the suspicious program I then sorted by the Last Run time to see what else was executing around this time.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLUb-i-DkqcC1pCENQ-Ife2N52YnAYPNZcn3l1vfVTGTADt48szJb5LP-JLqxAOjNv-R0icU06UYNdr9LRuuoFzWLFx8Q-D70k6kNYU0XIgtOC3vN-EE6cKsI9ThOQWWKJEhaRdxvA4Vw/s1600/2.+prefetch+2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="128" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLUb-i-DkqcC1pCENQ-Ife2N52YnAYPNZcn3l1vfVTGTADt48szJb5LP-JLqxAOjNv-R0icU06UYNdr9LRuuoFzWLFx8Q-D70k6kNYU0XIgtOC3vN-EE6cKsI9ThOQWWKJEhaRdxvA4Vw/s640/2.+prefetch+2.jpg" width="640" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: &quot;verdana&quot; , sans-serif;">The SCAN_001_140815_881[1].SCR program executed at 8/15/2015 5:49:51 AM UTC. Shortly thereafter another program named EJZZTA8.EXE executed from the user’s Temp directory at 8/15/2015 5:51:03 AM UTC. Neither prefetch file referenced any other suspicious executables in its file handles. At this point not only do I have two suspicious files of interest but I also identified the exact date and time when the security event occurred.</span><br />
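<span style="font-family: &quot;verdana&quot; , sans-serif;">The path-based indicators listed above, applied as code. This is an added example and not the author’s tooling: it reads constructed WinPrefetchView-style rows (name, process path, last run time), keeps only the entries that trip a rule, and orders them by last run time so the sequence of execution is visible. The profile layout, the svchost.exe rows, the alternate data stream row and every timestamp other than the two from the write-up are assumptions made for the example.</span><br />

```python
"""Apply the prefetch triage indicators from the write-up to parsed prefetch rows.

Added example, not the author's tooling. Rows are constructed in the shape of a
WinPrefetchView export (name, process path, last run time, UTC). The profile
layout, the svchost.exe rows and the timestamps other than the two from the
write-up are assumptions.
"""
import csv
import io
import re
from datetime import datetime

# Constructed export; raw string so the Windows backslashes survive.
PREFETCH_CSV = r"""name,path,last_run
NOTEPAD.EXE,C:\WINDOWS\system32\notepad.exe,2015-08-14 09:00:00
SVCHOST.EXE,C:\WINDOWS\system32:svchost.exe,2015-08-13 11:00:00
SVCHOST.EXE,C:\WINDOWS\system32\svchost.exe,2015-08-15 05:40:00
SVCHOST.EXE,C:\WINDOWS\svchost.exe,2015-08-14 22:10:00
IEXPLORE.EXE,C:\Program Files\Internet Explorer\IEXPLORE.EXE,2015-08-15 05:47:05
SCAN_001_140815_881[1].SCR,C:\Documents and Settings\lab\Local Settings\Temporary Internet Files\Content.IE5\A1B2C3D4\SCAN_001_140815_881[1].SCR,2015-08-15 05:49:51
EJZZTA8.EXE,C:\Documents and Settings\lab\Local Settings\Temp\EJZZTA8.EXE,2015-08-15 05:51:03
"""

# (label, regex over the full path); each maps to one of the indicators listed above.
PATH_RULES = [
    ("temp or cache folder", re.compile(r"\\(Temp|Temporary Internet Files|INetCache|Cache)\\", re.I)),
    ("user profile", re.compile(r"\\(Users|Documents and Settings)\\[^\\]+\\", re.I)),
    ("ProgramData or All Users", re.compile(r"\\(ProgramData|All Users)\\", re.I)),
    ("recycle bin", re.compile(r"\\(RECYCLER|\$Recycle\.Bin)\\", re.I)),
    # a second colon after the drive letter means the program lives in an ADS
    ("alternate data stream", re.compile(r"^[A-Za-z]:\\.*:[^\\]+$")),
]
# Core Windows binaries that legitimately live only under System32/SysWOW64.
WINDOWS_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe", "smss.exe"}
SYSTEM_DIRS = re.compile(r"^[A-Za-z]:\\Windows\\(System32|SysWOW64)\\[^\\]+$", re.I)
# 6-8 alphanumerics mixing letters and digits, e.g. EJZZTA8.EXE; crude but cheap.
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[A-Z])[A-Z0-9]{6,8}\.EXE$", re.I)
WINDOWS_DIR = re.compile(r"^[A-Za-z]:\\Windows\\", re.I)


def flag(path):
    """Return the indicator labels a process path trips (empty when it looks normal)."""
    reasons = [label for label, rx in PATH_RULES if rx.search(path)]
    base = path.rsplit("\\", 1)[-1]
    if base.lower() in WINDOWS_BINARIES and not SYSTEM_DIRS.match(path):
        reasons.append("Windows binary outside System32")
    if RANDOM_NAME.match(base):
        reasons.append("random-looking name")
    if base.lower().endswith(".scr") and not WINDOWS_DIR.match(path):
        reasons.append("screensaver outside the Windows folder")
    return reasons


def triage(text):
    """Parse the export, keep rows that trip any indicator, order them by last run time."""
    flagged = []
    for row in csv.DictReader(io.StringIO(text)):
        reasons = flag(row["path"])
        if reasons:
            flagged.append({"name": row["name"], "path": row["path"],
                            "last_run": datetime.strptime(row["last_run"], "%Y-%m-%d %H:%M:%S"),
                            "reasons": reasons})
    flagged.sort(key=lambda r: r["last_run"])
    return flagged


if __name__ == "__main__":
    for r in triage(PREFETCH_CSV):
        print(r["last_run"], r["path"], "; ".join(r["reasons"]))
```

<span style="font-family: &quot;verdana&quot; , sans-serif;">The rules are deliberately loose: every program in a user profile will trip the profile rule, so the value is in reading the reasons together and in the ordering, which puts the two programs from the write-up last and about a minute apart. The rules do not cover the last indicator in the list, other activity around the suspicious files; that still comes from the timeline.</span><br />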
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<h3>
<span style="font-family: "verdana" , sans-serif;">Web Proxy Logs Redux</span></h3>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: &quot;verdana&quot; , sans-serif;">The date and time of the incident obtained from the Prefetch files can now be used to correlate the IDS alerts and suspicious programs to the activity in the web proxy logs. The picture below shows that leading up to when the SCAN_001_140815_881[1].SCR program executed, the user was accessing Yahoo email.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieHahG7DvjZGaJNCyEDF2_u-zO5YWmtpr5y5hun_ZFqiuY3sSPtH5otoptpNVVYr0CnPBCGne71Qs76UDwj0_xWSHDefjrx5zE2jS-OmJ4SlGDeSgAeI_UE4CDhQ_lUoIAFuT-3tcEAw8/s1600/3+web+logs+1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="226" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieHahG7DvjZGaJNCyEDF2_u-zO5YWmtpr5y5hun_ZFqiuY3sSPtH5otoptpNVVYr0CnPBCGne71Qs76UDwj0_xWSHDefjrx5zE2jS-OmJ4SlGDeSgAeI_UE4CDhQ_lUoIAFuT-3tcEAw8/s640/3+web+logs+1.jpg" width="640" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: &quot;verdana&quot; , sans-serif;">The rest of the web logs continued to show the user interacting with Yahoo email around the time the infection occurred. However, the web logs don’t record the entry showing where the SCAN_001_140815_881[1].SCR program came from. This occurred either because the web proxy didn’t record it or the web proxy sucks by not recording it. I’m going with the latter since the web proxy logs are missing a lot of information.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiS8N6To01M0hAnTMvEARb7xQXtcS_zTU3oinYjQ80oPVz17G8dBtONPi03UnmAnnYxXgi5Aw_B1Ad2b8fSnUwbEw8V3Jk0Qer1IJvM5RZTMPg1rNXdkgou0K7QsmnkCmK2R8XMCR9oL9M/s1600/3+web+logs+2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="214" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiS8N6To01M0hAnTMvEARb7xQXtcS_zTU3oinYjQ80oPVz17G8dBtONPi03UnmAnnYxXgi5Aw_B1Ad2b8fSnUwbEw8V3Jk0Qer1IJvM5RZTMPg1rNXdkgou0K7QsmnkCmK2R8XMCR9oL9M/s640/3+web+logs+2.jpg" width="640" /></a></div>
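<span style="font-family: &quot;verdana&quot; , sans-serif;">Both proxy log passes described above, pivoting first on the IDS indicators and then on the execution time from prefetch, as an added example that is not the author’s code. The log text is constructed in the shape the write-up describes (date/time, URL, username only); the Yahoo mail URLs, the user name lab and the timestamps are assumptions. The indicator search returns nothing, as it did in the practical, because the destination IP was never logged, while the time window around 5:49:51 surfaces the surrounding Yahoo mail requests.</span><br />

```python
"""Pivot a minimal web proxy log (date/time, URL, username) on indicators and on a time window.

Added example for this write-up, not the author's code. The log lines are
constructed to match the shape described for web_logs.csv; the Yahoo mail
URLs, the user name and the timestamps are assumptions.
"""
import csv
import io
from datetime import datetime, timedelta
from urllib.parse import urlparse

FMT = "%Y-%m-%d %H:%M:%S"
# Last run time of SCAN_001_140815_881[1].SCR from the prefetch files (UTC).
PIVOT = datetime(2015, 8, 15, 5, 49, 51)

# Constructed and deliberately out of order, as an exported file may be.
WEB_LOGS_CSV = """\
date,url,user
2015-08-15 05:52:20,https://mail.yahoo.com/neo/launch?.rand=3,lab
2015-08-15 05:47:10,https://login.yahoo.com/config/login,lab
2015-08-15 05:48:02,https://mail.yahoo.com/neo/launch,lab
2015-08-15 05:48:35,https://mail.yahoo.com/ws/mail/v2/formatted/listMessages,lab
2015-08-15 05:30:00,http://www.msn.com/,lab
2015-08-15 05:49:30,https://mail.yahoo.com/ws/mail/v2/formatted/getMessage?mid=12,lab
2015-08-15 06:10:00,http://update.microsoft.com/,SYSTEM
"""


def load_log(text):
    """Parse the CSV and sort chronologically so window slicing reads top to bottom."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["date"], FMT)
    rows.sort(key=lambda r: r["ts"])
    return rows


def search_indicators(rows, indicators):
    """Rows whose URL host equals or is a subdomain of an indicator, or whose URL contains it.

    An IP indicator only matches when the IP itself appears in the URL, which is
    why a proxy log that records just the requested URL returns nothing for the
    IDS destination addresses.
    """
    hits = []
    for r in rows:
        host = (urlparse(r["url"]).hostname or "").lower()
        url = r["url"].lower()
        for ind in (i.lower() for i in indicators):
            if host == ind or host.endswith("." + ind) or ind in url:
                hits.append((r["ts"], r["url"], r["user"], ind))
                break
    return hits


def window(rows, pivot, before=timedelta(minutes=3), after=timedelta(minutes=3)):
    """Rows within [pivot - before, pivot + after]; the pivot comes from prefetch."""
    lo, hi = pivot - before, pivot + after
    return [r for r in rows if lo <= r["ts"] <= hi]


if __name__ == "__main__":
    rows = load_log(WEB_LOGS_CSV)
    print(search_indicators(rows, ["72.175.10.116", "104.238.141.75", "icanhazip.com"]))
    for r in window(rows, PIVOT):
        print(r["ts"], r["user"], r["url"])
```

<span style="font-family: &quot;verdana&quot; , sans-serif;">The window is the useful part once prefetch supplies a time: widen it if the proxy and the endpoint clocks are not known to agree, and narrow it once the first request of interest is found. The indicator search is kept for completeness; against a log with only URLs it can only ever match domains.</span><br />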
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<h3>
<span style="font-family: "verdana" , sans-serif;">File system metadata</span></h3>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: &quot;verdana&quot; , sans-serif;">At this point the IDS alerts revealed the system in question had network activity related to the Upatre downloader and the Dyre banking Trojan. The prefetch files revealed suspicious programs named SCAN_001_140815_881[1].SCR that executed at 8/15/2015 5:49:51 AM UTC and EJZZTA8.EXE that executed at 8/15/2015 5:51:03 AM UTC. The web proxy logs showed the user was accessing Yahoo email around the time the programs executed. The next step in the triage process is to examine the file system metadata to identify any other malicious software on the system and to try to confirm the initial infection vector. I reviewed the metadata in a timeline to make it easier to see the activity for the time of interest.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: &quot;verdana&quot; , sans-serif;">For this practical I leveraged the MFT2CSV program in the configuration below to generate a timeline. However, an effective and faster technique - but not free - is using the home plate feature in EnCase Enterprise against a remote system live. This enables you to triage the system live instead of collecting files from the system for offline analysis.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkkBGVMwrR0QGGCGQp_5qwUitcc7A3PKWoWhxD_PJ3wTFqqQQ2L80QdOUOD5yR56wXQ4FqZYQbC107CrUnY5y5NFtcb9XFoYESntH1EnQNRwYuslny9Upvj2QbKcpZKJ_k7p8lnbpHLdY/s1600/4+mft2csv+settings.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="338" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkkBGVMwrR0QGGCGQp_5qwUitcc7A3PKWoWhxD_PJ3wTFqqQQ2L80QdOUOD5yR56wXQ4FqZYQbC107CrUnY5y5NFtcb9XFoYESntH1EnQNRwYuslny9Upvj2QbKcpZKJ_k7p8lnbpHLdY/s400/4+mft2csv+settings.jpg" width="400" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: &quot;verdana&quot; , sans-serif;">In the timeline I went to the time of interest, which was 8/15/2015 5:49:51 AM UTC. I then proceeded forward in time to identify any other suspicious files. The first portion of the timeline didn’t show any new activity of interest around the SCAN_001_140815_881[1].SCR file.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_jit0LkI4jl-rCqX0px2pc-Z5aqvCHUjdiYs9fNyvOqDjvXhmc1oym2AnoRnOG9qzr26FABEmIUQxkbq_2oGSHPioOScOm2aaOIwXwymDT_Su2gtdmpAeEQPUmH-NYe809qz0fEG6t1U/s1600/5+timeline+1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="264" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_jit0LkI4jl-rCqX0px2pc-Z5aqvCHUjdiYs9fNyvOqDjvXhmc1oym2AnoRnOG9qzr26FABEmIUQxkbq_2oGSHPioOScOm2aaOIwXwymDT_Su2gtdmpAeEQPUmH-NYe809qz0fEG6t1U/s640/5+timeline+1.jpg" width="640" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: &quot;verdana&quot; , sans-serif;">Continuing forward in the timeline led me to the next file, EJZZTA8.EXE. The activity between these two files only showed files being created in the Temporary Internet Files and Cookies directories, indicating the user was surfing the Internet.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTXfIIfO1-87nFVPsF_dVlyDTOsUdEAvh6Er-kmo7SmTjb3-1glQsM83YSTj7EAikcgZnzZqt0Sl2DqAnCsHPz9GvXWWKB6Ap5n74xo_kJWPLw1o2fU2pcHgW9ChFYHC5QDahTPnTdEjU/s1600/6+timeline+2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="260" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTXfIIfO1-87nFVPsF_dVlyDTOsUdEAvh6Er-kmo7SmTjb3-1glQsM83YSTj7EAikcgZnzZqt0Sl2DqAnCsHPz9GvXWWKB6Ap5n74xo_kJWPLw1o2fU2pcHgW9ChFYHC5QDahTPnTdEjU/s640/6+timeline+2.jpg" width="640" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">At this point the timeline did not provide any new information and the last analysis step is to triage the suspicious programs found.</span><br />
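<span style="font-family: &quot;verdana&quot; , sans-serif;">The timeline review above, as an added example that is not the author’s MFT2CSV workflow. The script flattens constructed $MFT records (four $STANDARD_INFORMATION timestamps and the $FILE_NAME creation time per record) into one sorted event list, slices the window between the two executions, and separates executables from the browser cache and cookie churn the write-up describes. It also lists records whose $SI creation time predates the $FN creation time, a common timestomping lead. The column names, paths and every timestamp, including the deliberately backdated DLL record used to exercise that check, are constructed for the example and are not findings from the practical.</span><br />

```python
"""Flatten $MFT timestamps into a timeline and slice the window between the two executions.

Added example, not the author's MFT2CSV workflow. The records below are
constructed: column names, paths and timestamps (UTC) are assumptions, and the
backdated DLL record exists only to exercise the $SI/$FN check.
"""
import csv
import io
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
TS_COLUMNS = (("si_modified", "$SI M"), ("si_accessed", "$SI A"),
              ("si_changed", "$SI C"), ("si_created", "$SI B"), ("fn_created", "$FN B"))
NOISE_DIRS = ("\\temporary internet files\\", "\\cookies\\", "\\history\\")
EXEC_EXT = (".exe", ".scr", ".dll", ".pif", ".com", ".bat", ".vbs", ".js")
# Last run times of the two programs from the prefetch files.
WINDOW_START = datetime(2015, 8, 15, 5, 49, 51)
WINDOW_END = datetime(2015, 8, 15, 5, 51, 3)

# Constructed records; raw string so the backslashes survive.
MFT_CSV = r"""path,si_modified,si_accessed,si_changed,si_created,fn_created
\WINDOWS\system32\kernel32.dll,2009-07-14 01:15:00,2009-07-14 01:15:00,2009-07-14 01:15:00,2009-07-14 01:15:00,2009-07-14 01:15:00
\Documents and Settings\lab\Local Settings\Temporary Internet Files\Content.IE5\A1B2C3D4\SCAN_001_140815_881[1].SCR,2015-08-15 05:49:40,2015-08-15 05:49:51,2015-08-15 05:49:51,2015-08-15 05:49:40,2015-08-15 05:49:40
\Documents and Settings\lab\Cookies\lab@mail.yahoo[1].txt,2015-08-15 05:50:05,2015-08-15 05:50:05,2015-08-15 05:50:05,2015-08-15 05:48:01,2015-08-15 05:48:01
\Documents and Settings\lab\Local Settings\Temporary Internet Files\Content.IE5\Q9W8E7R6\launch[1].htm,2015-08-15 05:50:22,2015-08-15 05:50:22,2015-08-15 05:50:22,2015-08-15 05:50:22,2015-08-15 05:50:22
\Documents and Settings\lab\Local Settings\Temp\EJZZTA8.EXE,2015-08-15 05:50:58,2015-08-15 05:51:03,2015-08-15 05:51:03,2015-08-15 05:50:58,2015-08-15 05:50:58
\WINDOWS\Prefetch\EJZZTA8.EXE-1A2B3C4D.pf,2015-08-15 05:51:13,2015-08-15 05:51:13,2015-08-15 05:51:13,2015-08-15 05:51:13,2015-08-15 05:51:13
\Documents and Settings\lab\Application Data\Updater\helper.dll,2015-08-15 05:51:20,2015-08-15 05:51:20,2015-08-15 05:51:20,2010-01-01 00:00:00,2015-08-15 05:51:20
"""


def build_timeline(text):
    """One (timestamp, source, path) event per stored timestamp, sorted oldest first."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        for col, label in TS_COLUMNS:
            events.append((datetime.strptime(row[col], FMT), label, row["path"]))
    events.sort()
    return events


def slice_window(events, start=WINDOW_START, end=WINDOW_END):
    """Events between the two executions, bounds inclusive."""
    return [e for e in events if start <= e[0] <= end]


def is_noise(path):
    return any(d in path.lower() for d in NOISE_DIRS)


def interesting(events):
    """Drop browser cache and cookie churn unless the file itself is executable."""
    return [e for e in events if not is_noise(e[2]) or e[2].lower().endswith(EXEC_EXT)]


def timestomp_candidates(text, tolerance=timedelta(seconds=2)):
    """Records whose $SI creation predates $FN creation.

    User-mode timestomping tools rewrite $SI but not $FN, so this ordering is a
    lead. Copy and backup tools that restore original timestamps produce the
    same ordering, so confirm before calling it malicious.
    """
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        si = datetime.strptime(row["si_created"], FMT)
        fn = datetime.strptime(row["fn_created"], FMT)
        if si + tolerance < fn:
            out.append((row["path"], si, fn))
    return out


if __name__ == "__main__":
    for ts, src, path in interesting(slice_window(build_timeline(MFT_CSV))):
        print(ts, src, path)
    for path, si, fn in timestomp_candidates(MFT_CSV):
        print("check:", path, "$SI created", si, "< $FN created", fn)
```

<span style="font-family: &quot;verdana&quot; , sans-serif;">Run against the constructed records the window keeps fifteen events but only seven survive the noise filter, all belonging to the two programs already known, which is the same conclusion the write-up reaches from the screenshots. The $SI/$FN comparison is cheap enough to run over the whole $MFT rather than just the window, which is where an attacker who backdated a dropped file would otherwise hide from a time-ordered review.</span><br />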
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<h3>
<span style="font-family: "verdana" , sans-serif;">Researching Suspicious Files</span></h3>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: &quot;verdana&quot; , sans-serif;">The first program SCAN_001_140815_881[1].SCR was no longer on the system but the second program (EJZZTA8.EXE) was. The practical’s file_hash_list.csv showed EJZZTA8.EXE’s MD5 hash was f26fd37d263289cb7ad002fec50922c7. The first search was to determine if anyone had uploaded the file to VirusTotal, and a <a href="https://www.virustotal.com/en/file/099705ee87894a3b283248c9d30b2b5a798705ed1b6688484cd767191a7beb83/analysis/">VirusTotal report was available</a>. Numerous antivirus detections confirmed the program was Upatre, which matches one of the triggered IDS signatures.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: &quot;verdana&quot; , sans-serif;">A Google search of the hash located a <a href="https://www.hybrid-analysis.com/sample/099705ee87894a3b283248c9d30b2b5a798705ed1b6688484cd767191a7beb83?environmentId=1">Hybrid Analysis report</a> and a <a href="https://malwr.com/analysis/MTA1MmVkMDUzZDM3NDFlY2E1YmY5ZTVjMTg5MjI0Mjk/">Malwr report</a>. The Hybrid Analysis report confirms the sample generates network traffic. This information could then be used to scope the incident and identify other potentially infected machines.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfgsF4Uo2p9gkm_5M8xjx_we-_3dl048WOF4nassMAg7NDRqkaNSK3gIOOQrCxHUMqegzyP4W3Y9b__hU2Bh6kV88w5ff2DHPShtGE6bSK4i7LdXOIMsuHSIOXepuiB83bGvPS2DcOiwQ/s1600/7+hybrid+UDP.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="152" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfgsF4Uo2p9gkm_5M8xjx_we-_3dl048WOF4nassMAg7NDRqkaNSK3gIOOQrCxHUMqegzyP4W3Y9b__hU2Bh6kV88w5ff2DHPShtGE6bSK4i7LdXOIMsuHSIOXepuiB83bGvPS2DcOiwQ/s640/7+hybrid+UDP.jpg" width="640" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The resources section in the program contains an icon confirming the file tried to mimic a document. This makes me conclude it was a social engineering attack against the user.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnoje258jYoU0Yv66sO1tQ5Z8VoScHHaCea63ogrTAsgA8169rnQ2Mivb9x91sT7h46G4TWmbPXhrppkARkGT49W6gRno8whXJ6_QaZ7QRo6DHi38o9kg63jM6AtcOSK5TUXmhPhiRA6g/s1600/8+hyrid+resources.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnoje258jYoU0Yv66sO1tQ5Z8VoScHHaCea63ogrTAsgA8169rnQ2Mivb9x91sT7h46G4TWmbPXhrppkARkGT49W6gRno8whXJ6_QaZ7QRo6DHi38o9kg63jM6AtcOSK5TUXmhPhiRA6g/s400/8+hyrid+resources.jpg" width="400" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: &quot;verdana&quot; , sans-serif;">The reports contained other information that one could use to identify other infected systems in the enterprise. However, as it relates to the practical there wasn’t much additional information I needed to complete my triage analysis. The next step would be to contact the end user to get the phishing email and then request that the email be purged from all users’ inboxes.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<h2>
<span style="font-family: "verdana" , sans-serif;">Triage Analysis Wrap-up</span></h2>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: &quot;verdana&quot; , sans-serif;">The triage process did confirm the system was infected with malicious code. The evidence that was present on the system and the lack of other attack vector artifacts (i.e. exploits, vulnerable programs executing, etc.) leads me to believe the system was infected due to a phishing email. The email contained some mechanism to get the user to initiate the infection. The risk to the organization is twofold. One of the malicious programs downloads and installs other malware. The other malicious program tries to capture and exfiltrate credentials from the system. The next step would be to escalate the malware event to the incident response process so the system can be quarantined and cleaned, the end user can be contacted to get the phishing email, and it can be determined why end users have access to web email instead of using the organization's email system. </span>Corey Harrellhttp://www.blogger.com/profile/15008629321023489214noreply@blogger.com6tag:blogger.com,1999:blog-4080617372940068027.post-47441180552449408412016-02-08T21:30:00.003-05:002016-02-08T21:33:39.094-05:00Blaming Others<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjItEYx142qXLXq2YQxIhboPMYHjfAx-YpCxCFD52BSCOeUCTYEq5zZjteeP7Bt5t90wPkCDtXpEOaOrwX-74aIt3x1RTXf-bgfAVre7GALvVLdOo65Hef3EcmOpSvG-vs5CD_AqSTxWzc/s1600/PI-footsteps.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="219" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjItEYx142qXLXq2YQxIhboPMYHjfAx-YpCxCFD52BSCOeUCTYEq5zZjteeP7Bt5t90wPkCDtXpEOaOrwX-74aIt3x1RTXf-bgfAVre7GALvVLdOo65Hef3EcmOpSvG-vs5CD_AqSTxWzc/s320/PI-footsteps.jpg" width="320" /></a><span style="font-family: &quot;verdana&quot; , sans-serif;">As we marched across the parade deck, from the side we looked as one. The sound of about 70 Marines' heels hitting the pavement sounded as one. 
The sound of the hoarse drill instructor's voice echoed throughout the 3rd Battalion. The sight from the side must have been one to see. 70 Marines appearing as only a few walking in a single line. In one instant, in one brief moment the few became many. The drill instructor echoed one command followed by quickly correcting himself with a different command. The 70 Marines who were marching as one became many as they tried to adjust. The stress of making a mistake on his first platoon must have added to the pressure. As the Marines marched across the parade deck the drill instructor kept echoing the wrong commands forcing the Marines to adjust. The stress of the Marines striving to take first place must have added to the pressure. They lost their focus and were no longer in sync with the Marine standing next to them. It must have been a sorry sight from the side seeing close to 70 arms and legs marching with the sound of 70 heels hitting the parade deck at different times. Cluster is the most G-rated description one can give of seeing the Marines march across the parade deck that afternoon.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: &quot;verdana&quot; , sans-serif;">The evaluation was over and the 70 Marines filed back into their barracks. The brief moment of reflection in their minds was broken as the sound of a footlocker being kicked broke the silence. The roar of the two other drill instructors’ hoarse voices followed the loud bang of more footlockers being kicked. The blame for the cluster on the parade deck was placed squarely on the recruits. That afternoon the Marines spent quality time doing sandpit hopping across 3rd Battalion in Parris Island. For those not acquainted with this tradition the following is what occurs. Recruits are forced to exercise in what seems like a giant sandbox by following the orders barked by their drill instructor. Jumping jacks, mountain climbers, jumping jacks, push ups, mountain climbers, etc. This goes on for a period of time before the recruits then run to the next sandbox to be smoked again in the same manner before running to the next sandbox. This continues until the drill instructors get bored or the recruits need to be somewhere. Words don’t do justice to getting smoked so please take a few minutes to see a <a href="https://www.youtube.com/watch?v=xk5Nt1m2b4o">Pit Stop in action</a>. In the sweltering heat of South Carolina, the recruits had sweat pouring down their faces as they were covered in sand with sand fleas biting them. As much as they tried to ignore it they could only focus on the feeling of bugs feasting on them and not being able to do anything about it (one scratch typically ends with a lot longer time being smoked). That afternoon the recruits (me being one of them) thought to ourselves: why are we being punished when our drill instructor messed up?</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: &quot;verdana&quot; , sans-serif;">It was easier to blame even though it was hard to tell what had even happened. It was easier to blame than it was to take responsibility so it wouldn't happen again. It was easier to blame than it was to admit we messed up; despite the circumstances we lost focus and resembled nasty civilians instead of Marines marching in sync. It was easier to blame to distract us from our current reality of shit.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><b>Moral of the Story</b></span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><i>It is wise to direct your anger towards problems - not people; to focus your energies on answers - not excuses.</i></span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">- William Arthur Ward</span><br />
<br />Corey Harrellhttp://www.blogger.com/profile/15008629321023489214noreply@blogger.com0tag:blogger.com,1999:blog-4080617372940068027.post-20218012624585783502016-01-06T23:31:00.001-05:002016-04-05T12:50:44.129-04:00Triage Practical – Malware Event – Proxy Logs Prefetch $MFT IDS<span style="font-family: &quot;verdana&quot; , sans-serif;">The ISO was thrilled and excited about the possibilities after you successfully triaged the <a href="http://journeyintoir.blogspot.com/2015/11/triage-practical-malware-event-prefetch.html">previous suspicious network activity</a>. They got a glimpse of the visibility one attains through security monitoring and the information one can get leveraging incident response. As you sit at your desk drinking a Mountain Dew you don’t have time to reflect on the days when your security team was like an ostrich with its head buried in the sand. You are slowly working on improving and formalizing your organization’s security monitoring and detection capabilities as you detect and respond to security events. In the background you hear the junior security guy say “we got another one.” You already know he is referring to a malware infection so you say to him “Grab a screenshot of the alerts and send it to me in an email.” As you wait for the email to arrive you start to wonder whether it is wrong to get excited and look forward to an alert that means your organization may have a problem. You brush the thought aside as the email arrives and you see the screenshot below (dates and times have been censored). You put down the Mountain Dew and put your hands to the keyboard as you start putting your malware triage process to the test.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-54FdzkYY5q-fFgWgZdy87RmGGZMT0phT86NG87AXdyaO37RNEakERtLZo0pITIzyTzfkcAX4KY92yPDjLsV_6tCCOAI6tiofAMo9emfBXe-xotE3RP12gPFSZlrdlrm96edojL9sK58/s1600/ids-alert-screenshot.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="334" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-54FdzkYY5q-fFgWgZdy87RmGGZMT0phT86NG87AXdyaO37RNEakERtLZo0pITIzyTzfkcAX4KY92yPDjLsV_6tCCOAI6tiofAMo9emfBXe-xotE3RP12gPFSZlrdlrm96edojL9sK58/s640/ids-alert-screenshot.jpg" width="640" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<h2>
<span style="font-family: "verdana" , sans-serif;">Triage Scenario</span></h2>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The above scenario outlines the activity leading up to the current malware security event. Below are some of the initial questions you need to answer and report back to the ISO.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"> - Is this a confirmed malware security event or was the junior analyst mistaken?</span><br />
<span style="font-family: "verdana" , sans-serif;"> - What do you think occurred on the system to cause the malware event in the first place?</span><br />
<span style="font-family: "verdana" , sans-serif;"> - What type of malware is involved and what capabilities does it have?</span><br />
<span style="font-family: "verdana" , sans-serif;"> - What potential risk does the malware pose to your organization?</span><br />
<span style="font-family: "verdana" , sans-serif;"> - What recommendation(s) do you make to the security team to strengthen its security program to reduce similar incidents occurring in the future?</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<h2>
<span style="font-family: "verdana" , sans-serif;">Information Available</span></h2>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: &quot;verdana&quot; , sans-serif;">In an organization’s network there is a wealth of information available to you while triaging a security incident. Despite this, to successfully triage an incident only a subset of the data is needed. In this instance, you are provided with the artifacts below to use during your triage. Please keep in mind, you may not even need all of these.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: &quot;verdana&quot; , sans-serif;"> - IDS alerts for the timeframe in question (you need to replay the provided pcap to generate the IDS alerts. <span style="color: red;">The pcap is not provided for you to use during triage and was only made available to enable you to generate the IDS alerts in question</span>)</span><br />
<span style="font-family: &quot;verdana&quot; , sans-serif;"> - Parsed index.dat files to simulate proxy web logs (the parsed index.dat information was modified to remove items not typically found in a web proxy’s logs)</span><br />
<span style="font-family: "verdana" , sans-serif;"> - Prefetch files from the system in question (inside the Prefetch.ad1 file)</span><br />
<span style="font-family: "verdana" , sans-serif;"> - Filesystem metadata from the system in question (the Master File Table is provided for this practical)</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<h2>
<span style="font-family: "verdana" , sans-serif;">Supporting References</span></h2>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The below items have also been provided to assist you working through the triage process.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"> - The jIIr-Practical-Tips.pdf document shows how to: update the IDS signatures in Security Onion, replay the packet capture in Security Onion, and mount the ad1 file with FTK Imager.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"> - The file hash list from the system in question. This is being provided since you do not access to the system nor a forensic image. This can help you confirm the security event and any suspicious files you may find.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"> - The file hashes of the practical files for verification purposes</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The <a href="https://drive.google.com/file/d/0BwsuIHubBoklLXFiTGN5VHVvTzg/view?usp=sharing">2016-01-06_Malware-Event Web Logs Prefetch MFT IDS practical files can be downloaded here</a></span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The 2016-01-06_Malware-Event Web Logs Prefetch MFT IDS triage write-up is outlined in the post <a href="http://journeyintoir.blogspot.com/2016/04/triage-practical-solution-malware-event.html">Triage Practical Solution – Malware Event – Proxy Logs Prefetch $MFT IDS</a> </span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">For background information about the jIIr practical’s please refer to <a href="http://journeyintoir.blogspot.com/2015/11/adding-event-triage-drop-to-community.html">Adding an Event Triage Drop to the Community Bucket</a> article</span>Corey Harrellhttp://www.blogger.com/profile/15008629321023489214noreply@blogger.com0tag:blogger.com,1999:blog-4080617372940068027.post-52675854523173703862015-12-09T23:00:00.000-05:002015-12-10T00:10:21.338-05:00Triage Practical Solution – Malware Event – Prefetch $MFT IDS<span style="font-family: "verdana" , sans-serif;">You are staring at your computer screen thinking how you are going to tell your ISO what you found. Thinking about how this single IDS alert might have been overlooked; how it might have been lost among the sea of alerts from the various security products deployed in your company. Your ISO tasked with you triaging a malware event and now you are ready to report back.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<h2>
<span style="font-family: "verdana" , sans-serif;">Triage Scenario</span></h2>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">To fill in those readers who may not know what is going on you started out the meeting providing background information about the event. The practical provided the following abbreviated scenario (for the full scenario refer to the post <a href="http://journeyintoir.blogspot.com/2015/11/triage-practical-malware-event-prefetch.html">Triage Practical – Malware Event – Prefetch $MFT IDS</a>):</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The ISO continued “I directed junior security guy to look at the IDS alerts that came in over the weekend. He said something very suspicious occurred early Saturday morning on August 15, 2015.” Then the ISO looked directly at you “I need you to look into whatever this activity is and report back what you find.” “Also, make sure you document the process you use since we are going to use it as a playbook for these types of security incidents going forward.”</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Below are some of the initial questions you need to answer and report back to the ISO.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"> * Is this a confirmed malware security event or was the junior analyst mistaken?</span><br />
<span style="font-family: "verdana" , sans-serif;"> * What type of malware is involved?</span><br />
<span style="font-family: "verdana" , sans-serif;"> * What potential risk does the malware pose to your organization?</span><br />
<span style="font-family: "verdana" , sans-serif;"> * Based on the available information, what do you think occurred on the system to cause the malware event in the first place?</span><br />
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<h2>
<span style="font-family: "verdana" , sans-serif;">Information Available</span></h2>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Despite the wealth of information available to you within an enterprise, only a subset of data was provided for you to use while triaging this malware event. The following artifacts were made available:</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"> * IDS alerts for the time frame in question (you need to replay the provide pcap to generate the IDS alerts. pcap was not provided for you to use during triage and was only made available to enable you to generate the IDS alerts in question)</span></div>
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span><span style="font-family: "verdana" , sans-serif;"> * Prefetch files from the system in question (inside the Prefetch.ad1 file)</span></div>
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span><span style="font-family: "verdana" , sans-serif;"> * File system metadata from the system in question (the Master File Table is provided for this practical)</span></div>
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<h2>
<span style="font-family: "verdana" , sans-serif;">Information Storage Location within an Enterprise</span></h2>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Each enterprise’s network is different and each one offers different information for triaging. As such, it is not possible to outline all the possible locations where this information could be located in enterprises. However, it is possible to highlight common areas where this information can be found. To those reading this post whose environments do not reflect the locations I mention then you can evaluate your network environment for a similar system containing similar information or better prepare your network environment by making sure this information starts being collected in systems.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"> * IDS alerts within an enterprise can be stored on the IDS/IPS sensors themselves or centrally located through a management console and/or logging system (i.e. SIEM)</span></div>
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span><span style="font-family: "verdana" , sans-serif;"> * Prefetch files within an enterprise can be located on the potentially infected system</span></div>
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span><span style="font-family: "verdana" , sans-serif;"> * File system metadata within an enterprise can be located on the potentially infected system</span></div>
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<h2>
<span style="font-family: "verdana" , sans-serif;">Collecting the Information from the Storage Locations</span></h2>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Knowing where information is available within an enterprise is only part of the equation. It is necessary to collect the information so it can be used for triaging. Similar to all the differences between enterprises’ networks, how information is collected varies from one organization to the next. Below are a few suggestions for how the information outlined above can be collected.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"> * IDS alerts don’t have to be collected. They only need to be made available so they can be reviewed. Typically this is accomplished through a management console or security monitoring dashboard.</span></div>
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span><span style="font-family: "verdana" , sans-serif;"> * Prefetch files are stored on the potentially infected system. The collection of this artifact can be done by either pulling the files off remotely or locally. Remote options include an enterprise forensic tools such as </span><a href="https://www.f-response.com/" style="font-family: verdana, sans-serif;">F-Response</a><span style="font-family: "verdana" , sans-serif;">, </span><a href="https://www2.guidancesoftware.com/products/Pages/encase-enterprise/overview.aspx" style="font-family: verdana, sans-serif;">Encase Enterprise</a><span style="font-family: "verdana" , sans-serif;">, or </span><a href="https://github.com/google/grr" style="font-family: verdana, sans-serif;">GRR Rapid Response</a><span style="font-family: "verdana" , sans-serif;">, triage scripts such as </span><a href="https://drive.google.com/folderview?id=0BwsuIHubBoklVE5uRkhZOW01S1U&usp=sharing" style="font-family: verdana, sans-serif;">Tr3Secure collection script</a><span style="font-family: "verdana" , sans-serif;">, or by using the admin share since Prefetch files are not locked files. Local options can use the same options.</span></div>
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span><span style="font-family: "verdana" , sans-serif;"> * File system metadata is very similar to prefetch files because the same collection methods work for collecting it. The one exception is the NTFS Master File Table ($MFT) can’t be pulled off by using the admin share.</span></div>
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<h2>
<span style="font-family: "verdana" , sans-serif;">Potential DFIR Tools to Use</span></h2>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The last part of the equation is what tools one should use to examine the information that is collected. The tools I’m outlining below are the ones I used to complete the practical.</span><br />
<br />
<span style="font-family: "verdana" , sans-serif;"> </span>* <a href="https://security-onion-solutions.github.io/security-onion/" style="font-family: verdana, sans-serif;">Security Onion</a><span style="font-family: "verdana" , sans-serif;"> to generate the IDS alerts</span><br />
* <a href="http://www.nirsoft.net/utils/win_prefetch_view.html" style="font-family: verdana, sans-serif;">Winprefetchview</a><span style="font-family: "verdana" , sans-serif;"> to parse and examine the prefetch files</span><br />
* <a href="https://github.com/jschicht/Mft2Csv" style="font-family: verdana, sans-serif;">MFT2CSV</a><span style="font-family: "verdana" , sans-serif;"> to parse and examine the $MFT file</span></div>
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<h2>
<span style="font-family: "verdana" , sans-serif;">Others’ Approaches to Triaging the Malware Event</span></h2>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Before I dive into how I triaged the malware event I wanted to share the approaches used by others to tackle the same malware event. I find it helpful to see different perspectives and techniques tried to solve the same issue. I also wanted to thank those who took the time to do this so others could benefit from what you share.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Matt Gregory shared <a href="http://sudorandomthoughts.blogspot.com/2015/11/write-up-of-jiir-triage-practical.html">his analysis on his blog My Random Thoughts on InfoSec</a>. Matt did a great job outlining not only what he found but by explaining how he did it and what tools he used. I highly recommend taking the time to read through his analysis and the thought process he used to approach this malware event.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">An anonymous person (at least anonymous to me since I couldn’t locate their name) posted their <a href="http://anirudhrata.blogspot.in/2015/12/jiir-triage-practical-event-prefetch-writeup.html">analysis on a newly created blog called Forensic Insights</a>. Their post goes into detail on analyzing the packet capture including what was transmitted to the remote device.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<h2>
<span style="font-family: "verdana" , sans-serif;">Partial Malware Event Triage Workflow</span></h2>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The diagram below outlines the jIIr workflow for confirming malicious code events. The workflow is a modified version of the <a href="https://securosis.com/blog/malware-analysis-quant-final-paper">Securosis Malware Analysis Quant</a>. I modified Securosis process to make it easier to use for security event analysis.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-GU_nLAQ3a83cyqhL2KrW2J-5AQ2k7WorXMabSr2-moJmJd1Yiirm2Nca5UQeEH7ppja0UIpcbHBnsSkhiazf3V8tfhW_ijeBDa0nrTl9s3HH1JcvoCXGgMV6itKz1x-qcE47MBzyGlQ/s1600/1_malicious-code_confirm-event.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="337" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-GU_nLAQ3a83cyqhL2KrW2J-5AQ2k7WorXMabSr2-moJmJd1Yiirm2Nca5UQeEH7ppja0UIpcbHBnsSkhiazf3V8tfhW_ijeBDa0nrTl9s3HH1JcvoCXGgMV6itKz1x-qcE47MBzyGlQ/s640/1_malicious-code_confirm-event.jpg" width="640" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<b style="font-family: Verdana, sans-serif;">Detection:</b><span style="font-family: "verdana" , sans-serif;"> the malicious code event is detected. Detection can be a result of technologies alerting on it or a person reporting it. The workflow starts in response to a potential event being detected and reported.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><b>Triage:</b> the detected malicious code event is triaged to determine if it is a false positive or a real security event.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><b>Compromised:</b> after the event is triaged the first decision point is to decide if the machine could potentially be compromised. If the event is a false positive or one showing the machine couldn’t be infected then the workflow is exited and returns back to monitoring the network. If the event is confirmed or there is a strong indication it is real then the workflow continues to identify the malware.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><b>Malware Identified:</b> the malware is identified two ways. The first way is identifying what the malware is including its purpose and characteristics using available information. The second way is identifying and obtaining the malware sample from the actual system to further identify the malware and its characteristics.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><b>Root Cause Analysis:</b> a quick root cause analysis is performed to determine how the machine was compromised and to identify indicators to use for scoping the incident. This root cause analysis does not call for a deep dive analysis taking hours and/or days but one only taking minutes.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><b>Quarantine:</b> the machine is finally quarantined from the network it is connected to. This workflow takes into account performing analysis remotely so disconnecting the machine from the network is done at a later point in the workflow. If the machine is initially disconnected after detection then analysis cannot be performed until someone either physically visits the machine or ships the machine to you. If an organization’s security monitoring and incident response capability is not mature enough to perform root cause analysis in minutes and analysis live over the wire then the Quarantine activity should occur once the decision is made about the machine being compromised.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<h2>
<span style="font-family: "verdana" , sans-serif;">Triage Analysis Solution</span></h2>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">To triage the malware event outlined in the scenario does not require one to use all of the supplied information. The triage process could had started with either the IDS alert the junior security analyst saw or the prefetch files from system in question to see what program executed early Saturday morning on August 15, 2015. For completeness, my analysis touches on each data source and the information it contains. As a result, I started with the IDS signature to ensure I included it in my analysis.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<h3>
<span style="font-family: "verdana" , sans-serif;">IDS alerts</span></h3>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The screenshot below shows the IDS signatures that triggered by replaying the provided malware-event.pcap file in Security Onion. I highlighted the alert of interest.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrb6NVfWnIDAR0lox8-_AZroyoY4_sDizwllc0W9zPjXbwhxXLiIVVSB0udKlE5jKeHGo_uLkkTo0dxocKicZvr7UVcDVRmQ026Zj31GevTIR953WqMj8o0TtYGQj3yiKVAdfB2XjZ7c4/s1600/2_hawkeye-keylogger.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="131" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrb6NVfWnIDAR0lox8-_AZroyoY4_sDizwllc0W9zPjXbwhxXLiIVVSB0udKlE5jKeHGo_uLkkTo0dxocKicZvr7UVcDVRmQ026Zj31GevTIR953WqMj8o0TtYGQj3yiKVAdfB2XjZ7c4/s640/2_hawkeye-keylogger.jpg" width="640" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The IDS alert by itself provides a wealth of information. The Emerging Threats (ET) signature that fired was "ET TROJAN HawkEye Keylogger FTP" and this occurred when the machine in question (192.168.200.128) made a connection to the IP address 107.180.21.230 on the FTP destination port 21. To determine if the alert is a false positive it’s necessary to explore the signature (if available) and the packet responsible for triggering it. The screenshot below shows the signature in question:</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYTx6M9MX7D4tGcagxrMacpQmhRclTevJkM92S7q8l43hq4TbwVtL_jgesa06HhmVJjSTEldkw-Hpb6I4kPxY3T5RMOJExRR_1SkhUnUS9Pafgxxj7fOjw5wfe9GMmRG5lVTzwcrHuaUI/s1600/3_hawkeye-rule.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="132" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYTx6M9MX7D4tGcagxrMacpQmhRclTevJkM92S7q8l43hq4TbwVtL_jgesa06HhmVJjSTEldkw-Hpb6I4kPxY3T5RMOJExRR_1SkhUnUS9Pafgxxj7fOjw5wfe9GMmRG5lVTzwcrHuaUI/s640/3_hawkeye-rule.jpg" width="640" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The signature is looking for a system on the $HOME_NET going to an external system on the FTP port 21 and the system has to initiate the connection (as reflected by flow:established,to_server). The packet needs to contain the string “STOR HAWKEye_”. The packet that triggered this signature meets all of these requirements. The system connected to an external IP address on port 21 and the picture below shows the data in the packet contained the string of interest.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhj0HVfIeZqPvtXmJR43gv6JY2BBN1qpyx6dKTkhn25Xr4M1QP80u2IVZucKyaa35yCPT9Ul_io-QBHa3Ti5f752AyBsrQjf1byJavnX39s1dsSUEQDY6S1rjfrjHGCiU1WHqG_ITOWsq0/s1600/4_hawkeye-ids-data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="244" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhj0HVfIeZqPvtXmJR43gv6JY2BBN1qpyx6dKTkhn25Xr4M1QP80u2IVZucKyaa35yCPT9Ul_io-QBHa3Ti5f752AyBsrQjf1byJavnX39s1dsSUEQDY6S1rjfrjHGCiU1WHqG_ITOWsq0/s640/4_hawkeye-ids-data.jpg" width="640" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Based on the network traffic and the packet data the IDS alert is not a false positive. I performed Internet research to obtain more context about the malware event. A simple Google search on HawkEye Keylogger produces numerous hits. From You Tube videos showing how to use it to forums posting cracked versions to various articles discussing it. One article is TrendMicro’s paper titled <a href="http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-piercing-hawkeye.pdf">Piercing the HawkEye: Nigerian Cybercriminals Use a Simple Keylogger to Prey on SMBs Worldwide</a> and just the pictures in the paper provide additional context (remember during triage you won’t have time to read 34 page paper.) The keylogger is easily customizable since it has a builder and it can delivery logs through SMTP or FTP. Additional functionality includes: stealing clipboard data, taking screenshots, downloading and executing other files, and collecting system information.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Research on the destination IP address shows the AS is GODADDY and numerous domain names map back to the address.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKszCsC00DPm8ZbFw540tMbcdaTiy6sFKVB1yEeO0qWnYDaRytPp1T40OH3Upu0d-rrM_IwaZSX3s0G_5cbHhm90F7X9JPOicGkwnIO9YzQYWCUpYo_eqbfIhFCXfJ-_fMcSNT6NiuU30/s1600/5_robtex.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="164" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKszCsC00DPm8ZbFw540tMbcdaTiy6sFKVB1yEeO0qWnYDaRytPp1T40OH3Upu0d-rrM_IwaZSX3s0G_5cbHhm90F7X9JPOicGkwnIO9YzQYWCUpYo_eqbfIhFCXfJ-_fMcSNT6NiuU30/s640/5_robtex.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<h3>
<span style="font-family: "verdana" , sans-serif;">Prefetch files</span></h3>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">When I review programs executing on a system I tend to keep the high level indicators below in mind. Over the years, these indicators have enabled me to quickly identify malicious programs that are or were on a system.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<ul>
<li><span style="font-family: "verdana" , sans-serif;">Programs executing from temporary or cache folders</span></li>
<li><span style="font-family: "verdana" , sans-serif;">Programs executing from user profiles (AppData, Roaming, Local, etc)</span></li>
<li><span style="font-family: "verdana" , sans-serif;">Programs executing from C:\ProgramData or All Users profile</span></li>
<li><span style="font-family: "verdana" , sans-serif;">Programs executing from C:\RECYCLER</span></li>
<li><span style="font-family: "verdana" , sans-serif;">Programs stored as Alternate Data Streams (i.e. C:\Windows\System32:svchost.exe)</span></li>
<li><span style="font-family: "verdana" , sans-serif;">Programs with random and unusual file names</span></li>
<li><span style="font-family: "verdana" , sans-serif;">Windows programs located in wrong folders (i.e. C:\Windows\svchost.exe)</span></li>
<li><span style="font-family: "verdana" , sans-serif;">Other activity on the system around suspicious files</span></li>
</ul>
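<span style="font-family: "verdana" , sans-serif;">The indicators above can be applied mechanically to the process-path column before eyeballing it. The block below is an added example, not code from the original post or from WinPrefetchView: it encodes the location indicators as regular expressions, adds a check for a document-like name on an executable (the lure pattern the prefetch review turns up), and runs everything over a constructed set of paths. The list of well-known Windows binaries, the document words and the random-name test are this example’s own choices, not indicators the post lays down.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>

```python
"""Apply the execution-path indicators listed above to a column of process
paths, the kind WinPrefetchView or any prefetch parser exports.

Added example, not part of the original post and not WinPrefetchView's code.
The paths are constructed; the set of well-known Windows binaries, the
document-word list and the 'random name' test are this example's choices.
"""
import re
from urllib.parse import unquote

# The post's location-based indicators as case-insensitive regexes on the full path.
INDICATORS = {
    "temp or cache folder":
        re.compile(r"\\(temp|tmp|temporary internet files|inetcache|cache)\\", re.I),
    "user profile folder":
        re.compile(r"\\(users|documents and settings)\\[^\\]+\\(appdata|local settings)\\", re.I),
    "ProgramData or All Users":
        re.compile(r"\\(programdata|documents and settings\\all users)\\", re.I),
    "Recycle Bin":
        re.compile(r"\\(recycler|\$recycle\.bin)\\", re.I),
    # a second colon after the drive letter, e.g. System32:svchost.exe
    "alternate data stream":
        re.compile(r"^[a-z]:\\.*[^\\]:[^\\:]+$", re.I),
}

# Example's own list: binaries that belong in System32/SysWOW64.
WINDOWS_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                    "services.exe", "smss.exe", "wininit.exe", "spoolsv.exe"}
EXPECTED_DIRS = (r"\windows\system32", r"\windows\syswow64")

# Words that make an executable look like a document (the phishing lure pattern).
DOCUMENT_WORDS = re.compile(r"invoice|document|payment|receipt|statement|scan", re.I)
EXEC_EXTS = {"exe", "scr", "com", "pif"}


def looks_random(stem):
    """Heuristic: hex/digit-only stems of 8+ chars, or 8+ chars with no vowel."""
    s = stem.lower()
    return bool(re.fullmatch(r"[0-9a-f]{8,}", s)) or (len(s) >= 8 and not re.search(r"[aeiouy]", s))


def flag_path(path):
    """Return the indicator names a single process path trips (empty if clean)."""
    p = unquote(path)  # %20 -> space, as in the post's example file name
    reasons = [name for name, rx in INDICATORS.items() if rx.search(p)]
    directory, _, basename = p.rpartition("\\")
    stem, _, ext = basename.rpartition(".")
    if basename.lower() in WINDOWS_BINARIES and not directory.lower().endswith(EXPECTED_DIRS):
        reasons.append("Windows binary in wrong folder")
    if stem and looks_random(stem):
        reasons.append("random or unusual name")
    if ext.lower() in EXEC_EXTS and DOCUMENT_WORDS.search(stem):
        reasons.append("executable posing as a document")
    return reasons


def triage_paths(paths):
    """Map each suspicious path to its reasons; clean paths are omitted."""
    flagged = {}
    for path in paths:
        reasons = flag_path(path)
        if reasons:
            flagged[path] = reasons
    return flagged


# Constructed process-path column (not the practical's data).
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Program Files\Internet Explorer\iexplore.exe",
    r"C:\Windows\svchost.exe",
    r"C:\Users\bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K1A2B3C4\OVERDUE%20INVOICE%20DOCUMENTS%20FOR%20PAYMENT%20082015[1].EXE",
    r"C:\Users\bob\AppData\Roaming\updater.exe",
    r"C:\ProgramData\a8f3e91c2b.exe",
    r"C:\RECYCLER\S-1-5-21-1-2-3-500\dc1.exe",
    r"C:\Windows\System32:svchost.exe",
]

if __name__ == "__main__":
    for path, reasons in triage_paths(SAMPLE_PATHS).items():
        print(path, "->", "; ".join(reasons))
```

<span style="font-family: "verdana" , sans-serif;">Feed it the process-path column exported from WinPrefetchView (or any prefetch parser) and review the flagged entries first. The random-name and document-word tests are heuristics and will need tuning for names that are common in your environment; the location-based indicators rarely do.</span><br />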
<br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The collected prefetch files were parsed with Winprefetchview and I initially sorted by process path. I reviewed the parsed prefetch files using my general indicators and I found the suspicious program highlighted in red.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnTc4CTBGLZ949-EvO6hi5SVORsCH6d1u0p5jw1BFNVpOTLVgmSXHHvxD5GJMPYQ8EdnJOR6Vl1KlkKL6s2e3JgjqoDbu6r3P9huSwPnhESgpmzLNH-E4ZucGIthx9qENX4O15kkXl0Uw/s1600/6_prefetch-file.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="208" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnTc4CTBGLZ949-EvO6hi5SVORsCH6d1u0p5jw1BFNVpOTLVgmSXHHvxD5GJMPYQ8EdnJOR6Vl1KlkKL6s2e3JgjqoDbu6r3P9huSwPnhESgpmzLNH-E4ZucGIthx9qENX4O15kkXl0Uw/s640/6_prefetch-file.jpg" width="640" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The program in question is suspicious for two reasons. First, the program executed from the temporarily Internet files folder. The second reason and more important one was the name of the program, which was OVERDUE INVOICE DOCUMENTS FOR PAYMENT 082015[1].EXE (%20 is the encoding for a space). The name resembles a program trying to be disguised as a document. This is a social engineering technique used with phishing emails. To gain more context around the suspicious program I then sorted by the Last Run time to see what else was executing around this time.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcRdZWW2cnU7pdn0OCXsyaGp4LQyOHIybPsmq5peIml7DVmmc37V1YHgcV-KsOpCediyALf6uz_2jO4HDSbexRwANXzGMN_NLjhThyBhiKIbfWG5fsnrJEkUPXvxfyi8hrZPJYYnktpkE/s1600/7_prefetch-file-last-run-time.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="230" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcRdZWW2cnU7pdn0OCXsyaGp4LQyOHIybPsmq5peIml7DVmmc37V1YHgcV-KsOpCediyALf6uz_2jO4HDSbexRwANXzGMN_NLjhThyBhiKIbfWG5fsnrJEkUPXvxfyi8hrZPJYYnktpkE/s640/7_prefetch-file-last-run-time.jpg" width="640" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The OVERDUE INVOICE DOCUMENTS FOR PAYMENT 082015[1].EXE program executed on 8/15/15 at 5:33:55 AM UTC, which matches up to the time frame the junior security analyst mentioned. The file </span><span style="font-family: "verdana" , sans-serif;">had a MD5 hash of ea0995d9e52a436e80b9ad341ff4ee62. This hash was used to confirm the file was malicious as reflected in an <a href="https://www.virustotal.com/en/file/96716cf198502bdeeb0c0fccd8d01e46bccb2d03eaf0537d16f51851333d5247/analysis/">available VirusTotal report</a>. </span><span style="font-family: "verdana" , sans-serif;">Shortly thereafter another executable ran named VBC.exe but the process path was not reflected in the files referenced in the prefetch file itself. The other prefetch files did not show anything else I could easily tie to the malware event.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<h3>
<span style="font-family: "verdana" , sans-serif;">File System Metadata</span></h3>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">At this point the IDS alert revealed the system in question had network activity related to the HawkEye Keylogger. The prefetch files revealed a suspicious program named OVERDUE INVOICE DOCUMENTS FOR PAYMENT 082015[1].EXE and it executed on 8/15/15 at 5:33:55 AM UTC. The next step in the triage process is to examine the file system metadata to identify any other malicious software on the system and to try to identify the initial infection vector. I reviewed the metadata in a timeline to make it easier to see the activity for the time of interest.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">For this practical I leveraged the MFT2CSV program in the configuration below to generate a timeline. However, an effective technique - but not free - is using the home plate feature in Encase Enterprise against a remote system. This enables you to see all files and folders while being able to sort different ways. The Encase Enterprise method is not as comprehensive as a $MFT timeline but works well for triaging.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKRFeKJPqMHezFQzV5aIzUhGyFgmaMsB9ziDQC9TMq1xcWqdgbagXzlU4Q_DMmyQeh41BCVp8SYE8zapkhfX8xapfbGSZvAfgfrOx7MzZ5R_D4vSBk43nmvu3H_iJPCgtZAwn3z8iWU_w/s1600/8_mft2csv.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="338" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKRFeKJPqMHezFQzV5aIzUhGyFgmaMsB9ziDQC9TMq1xcWqdgbagXzlU4Q_DMmyQeh41BCVp8SYE8zapkhfX8xapfbGSZvAfgfrOx7MzZ5R_D4vSBk43nmvu3H_iJPCgtZAwn3z8iWU_w/s400/8_mft2csv.jpg" width="400" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">In the timeline I went to the time of interest, which was 8/15/15 at 5:33:55 AM UTC. I then proceeded forward in time to identify any other suspicious files. A few files were created within seconds of the OVERDUE INVOICE DOCUMENTS FOR PAYMENT 082015[1].EXE program executing. The files’ hashes will need to be used to determine more information about them since I am unable to view them.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSLp2nyK1FaGpU17iB4T1oElX4B_Pj5LRmPaZYP5T3llBz5UlPJpj_uBsTSA54yi1oTJVPSRBGFdm3uK5EQv3wEg95F7O7j1bvagSPeg3L_kqohbiK3LlBsa3lc5jM2C7ogiLzcHxmYvs/s1600/9_MFT_timeline-1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="336" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSLp2nyK1FaGpU17iB4T1oElX4B_Pj5LRmPaZYP5T3llBz5UlPJpj_uBsTSA54yi1oTJVPSRBGFdm3uK5EQv3wEg95F7O7j1bvagSPeg3L_kqohbiK3LlBsa3lc5jM2C7ogiLzcHxmYvs/s640/9_MFT_timeline-1.jpg" width="640" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The timeline then shows the VBC.EXE program executing followed by activity associated with a user surfing the Internet.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhel-FuHeY-ehsDPcX7tVkenwsyp13q0GQ9d5lj6o-HMn9Tc3_8R1Dlg5N5kLdTUFkA-BnyKPgI1Me0zB8hPC6kcmr186yHiqAtXO3sDwItxs991HsEOg1XAkNpP6y0-eSHLteq-ZJOLhA/s1600/10_MFT_timeline-2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="232" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhel-FuHeY-ehsDPcX7tVkenwsyp13q0GQ9d5lj6o-HMn9Tc3_8R1Dlg5N5kLdTUFkA-BnyKPgI1Me0zB8hPC6kcmr186yHiqAtXO3sDwItxs991HsEOg1XAkNpP6y0-eSHLteq-ZJOLhA/s640/10_MFT_timeline-2.jpg" width="640" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The timeline was reviewed for about a minute after the suspicious program executed and nothing else jumps out. The next step is go back to 8/15/15 at 5:33:55 AM UTC in the timeline to see what proceeded this event. There was more activity related to the user surfing the Internet as shown below.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgt6_BUk0U4TTE5ZIAb5uoNQKAygQb6Or6ULhj6frjgyIr5DkWlx5acICC4P_s_4shXIxwsbv19KMFIhE9-8U2l8_7Ea7WBbQ1o5HetNiQGIYoez61RSWolnmgmvYwvsSx50PR7SmbK39I/s1600/11_MFT_timeline-3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="202" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgt6_BUk0U4TTE5ZIAb5uoNQKAygQb6Or6ULhj6frjgyIr5DkWlx5acICC4P_s_4shXIxwsbv19KMFIhE9-8U2l8_7Ea7WBbQ1o5HetNiQGIYoez61RSWolnmgmvYwvsSx50PR7SmbK39I/s640/11_MFT_timeline-3.jpg" width="640" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">I kept working my way through the web browsing files to find something to confirm what the user was actually doing. I worked my way through Yahoo cookies and cache web pages containing the word “messages”. There was nothing definite so I continued going back in time. I worked my way back to around 5:30 AM UTC where cookies for Yahoo web mail were created. This activity was three minutes prior to the infection; three minutes is a long time. At this point additional information is needed to definitely answer how the system became infected in the first place. At least I know that it came from the Internet using a web browser. note: in the scenario the pcap file was meant for IDS alerts only so I couldn’t use it to answer the vector question.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<h2>
<span style="font-family: "verdana" , sans-serif;">Researching Suspicious Files</span></h2>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The analysis is not complete without researching the suspicious files discovered through triage. I performed additional research on the file OVERDUE INVOICE DOCUMENTS FOR PAYMENT 082015[1].EXE using its MD5 hash ea0995d9e52a436e80b9ad341ff4ee62. I went back to <a href="https://www.virustotal.com/en/file/96716cf198502bdeeb0c0fccd8d01e46bccb2d03eaf0537d16f51851333d5247/analysis/">its VirusTotal report</a> and noticed t</span><span style="font-family: "verdana" , sans-serif;">here didn’t appear to be a common name in the various security product detections. However, there were unique detection names I used to conduct additional research. Microsoft’s detection name was TrojanSpy:MSIL/Golroted.B and their report said the malware “<a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy:MSIL/Golroted.B">tries to gather information stored on your PC</a>”. A Google search of the hash also <a href="https://malwr.com/analysis/ZWU0ZmJmOWE4OGFhNDlhN2EwZmZmM2UyZTc0ODk3MjQ/">located a Malwr sandbox report for the file</a>. The report didn’t shed any light on the other files I found in the timeline.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The VBC.EXE file was no longer on the system preventing me from performing additional research on this file. The pid.txt and pidloc.txt files’ hashes were associated with a <a href="https://www.hybrid-analysis.com/sample/6d85f3a2b6badd946ad476f50a1697b32c7d8cf803c8ec8d77e596157c341da0?environmentId=4">Hybrid Analysis report for a sample with the MD5 hash 242e9869ec694c6265afa533cfdf3e08</a>. The report had a few interesting things. The sample also dropped the pid.txt and pidloc.txt files as well as executing the REGSVCS.EXE as a child process. This is the same behavior I saw in the file system metadata and prefetch files. The report provided a few other nuggets such as the sample tries to dump Web browser and Outlook stored passwords.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<h2>
<span style="font-family: "verdana" , sans-serif;">Triage Analysis Wrap-up</span></h2>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The triage process did confirm the system was infected with malicious code. The infection was a result of the user doing something on the Internet and additional information is needed to confirm what occurred on the system for it to become infected in the first place. The risk to the organization is the malicious code tries to capture and exfiltrate information from the system including passwords. The next step would be to escalate the malware event to the incident response process so a deeper analysis can be done to answer more questions. Questions such as what data was potentially exposed, what did the user do to contribute to the infection, was the attack random or targeted, and what type of response should be done.</span></div>
Corey Harrellhttp://www.blogger.com/profile/15008629321023489214noreply@blogger.com1tag:blogger.com,1999:blog-4080617372940068027.post-64462766951689209082015-11-22T21:33:00.002-05:002015-12-09T23:12:34.639-05:00Triage Practical – Malware Event – Prefetch $MFT IDS<span style="font-family: "verdana" , sans-serif;">Another Monday morning as you stroll into work. Every Monday morning you have a set routine and this morning was no different. You were hoping to sit down in your chair, drink some coffee, and work your way through the emails that came in over the weekend. This morning things were different. As soon as you entered the office, your ISO had a mandatory meeting going on and they were waiting for you to arrive. As you entered the meeting the ISO announced “each week it seems like another company is breached. The latest headline about Company XYZ should be our wake up call. The breach could have been prevented but it wasn’t since their security people were not monitoring their security products and they never saw the alerts telling them they had a problem.” At this point you started to see where this was going; no one at your company pays any attention to all those alerts from the various security products deployed in your environment. Right on cue the ISO continued “what happened at Company XYZ can easily happen here. We don't have people looking at the alerts being generated by our security products and even if we had the bodies to do this we have no processes in place outlining how this can be accomplished.” As you sipped your coffee you came close to spitting it out after you heard what came next. The ISO continued “I directed junior security guy to look at the IDS alerts that came in over the weekend. 
He said something very suspicious occurred early Saturday morning on August 15, 2015.” Then the ISO looked directly at you “I need you to look into whatever this activity is and report back what you find.” “Also, make sure you document the process you use since we are going to use it as a playbook for these types of security incidents going forward.”</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<h2>
<span style="font-family: "verdana" , sans-serif;">Triage Scenario</span></h2>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The above scenario outlines the activity leading up to the current malware security event. Below are some of the initial questions you need to answer and report back to the ISO.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"> * Is this a confirmed malware security event or was the junior analyst mistaken?</span><br />
<span style="font-family: "verdana" , sans-serif;"> * What type of malware is involved?</span><br />
<span style="font-family: "verdana" , sans-serif;"> * What potential risk does the malware pose to your organization?</span><br />
<span style="font-family: "verdana" , sans-serif;"> * Based on the available information, what do you think occurred on the system to cause the malware event in the first place?</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<h2>
<span style="font-family: "verdana" , sans-serif;">Information Available</span></h2>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">In an organization’s network you have a wealth of information available to you for you to use while triaging a security incident. Despite this, to successfully triage an incident only a subset of the data is needed. In this instance, you are provided with the following artifacts below for you to use during your triage. Please keep in mind, you may not even need all of these.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"> * IDS alerts for the timeframe in question (you need to replay the provide pcap to generate the IDS alerts. </span><span style="color: red;"><b>pcap is not provided for you to use during triage</b></span><b style="font-family: verdana, sans-serif;"><span style="color: red;"> and was only made available to enable you to generate the IDS alerts in question</span></b><span style="font-family: "verdana" , sans-serif;">)</span><br />
<span style="font-family: "verdana" , sans-serif;"> * Prefetch files from the system in question (inside the Prefetch.ad1 file)</span><br />
<span style="font-family: "verdana" , sans-serif;"> * File system metadata from the system in question (the Master File Table is provided for this practical)</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<h2>
<span style="font-family: "verdana" , sans-serif;">Supporting References</span></h2>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The below items have also been provided to assist you working through the triage process.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"> * The jIIr-Practical-Tips.pdf document shows how to replay the packet capture in Security Onion and how to mount the ad1 file with FTK Imager.</span><br />
<span style="font-family: "verdana" , sans-serif;"> * The file hash list from the system in question. This is being provided since you do not access to the system nor a forensic image. This can help you confirm the security event and any suspicious files you may find.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The </span><a href="https://drive.google.com/open?id=0BwsuIHubBoklRkcxQzJmWExkSk0" style="font-family: verdana, sans-serif;">2015-11-22_Malware-Event Prefetch MFT IDS practical files can be downloaded from here</a><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The 2015-11-22_Malware-Event Prefetch MFT IDS triage write-up is outlined in the post <a href="http://journeyintoir.blogspot.com/2015/12/triage-practical-solution-malware-event.html">Triage Practical Solution – Malware Event – Prefetch $MFT IDS</a></span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">For background information about the jIIr practicals please refer to the <a href="http://journeyintoir.blogspot.com/2015/11/adding-event-triage-drop-to-community.html">Adding an Event Triage Drop to the Community Bucket </a>article</span><br />
<div>
<br /></div>
Corey Harrellhttp://www.blogger.com/profile/15008629321023489214noreply@blogger.com7tag:blogger.com,1999:blog-4080617372940068027.post-54691043755339264192015-11-18T22:00:00.001-05:002015-11-18T22:06:49.930-05:00Adding an Event Triage Drop to the Community Bucket<span style="font-family: "verdana" , sans-serif;"><i>By failing to prepare, you are preparing to fail.</i></span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">~ Benjamin Franklin</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><i>Let's also stop saying if company X looked into their alerts then they would had seen there was a security issue. We need to start providing more published information instructing others how to actually triage and build workflows to respond to those alerts. If we don’t share and publish practical information about triaging workflows then we shouldn’t be pointing out the failures of our peers.</i></span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">~ Corey Harrell</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">As soon as you can get past the fact that I <a href="http://journeyintoir.blogspot.com/2015/11/random-thoughts.html">quoted myself</a> in my own article those two quotes really show a security predicament people and companies are facing today. Companies are trying to implement or improve their security monitoring capabilities to gain better visibility about threats in their environment. Defenders are looking to gain or improve their skills and knowledge to enable them to perform security monitoring and incident response activities for companies. On the one hand, according to Ben Franklin we need to take steps to prepare ourselves and if we don’t then we will fail. This means defenders need to constantly work to improve their knowledge, skills, and workflows so they are better prepared to perform security monitoring and incident response activities. If they aren’t preparing then most likely they will fail when they are called upon to respond to a security incident. On the other hand, according to myself as a community we don’t publish and share a lot of resources that others can use to improve their knowledge, skills, and workflows related to performing security monitoring and incident response activities. Please don’t get me wrong. There is some great published information out there and there are those who regularly share information (such as <a href="http://windowsir.blogspot.com/">Harlan</a> and <a href="http://www.malware-traffic-analysis.net/index.html">Brad Duncan</a>) but these individuals are in the minority. This brings us to our current security predicament. We need to prepare. We lack readily available information to help us prepare. So numerous companies are failing when it comes to performing security monitoring and incident response activities.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">As I was thinking about this predicament I was wondering how I can contribute to the solution instead of just complaining about the problem. I know my contribution will only be a drop in a very large bucket but it will be a drop nonetheless. This post outlines the few drops that will start appearing on jIIr.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">A common activity defenders perform is event triage. Event triage is the assessment of a security event to determine if there is a security incident, its priority, and the need for escalation. A defender performs this assessment repeatedly as various technologies alert on different activity, which generates events for the defender to review. As I explored this area for my $dayjob I found that most published resources say you need to triage security events but most didn’t provide practical information about how to actually do it. My hope is I can make at least a small contribution to this area.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><b><u>Objective</u></b></span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">My purpose is to provide resources and information to those seeking to improve their knowledge, skillsets, and workflows for event triage.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><b><u>Method</u></b></span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">I will periodically publish two posts on jIIr. The first post will outline a hypothetical scenario and a link will be provided to a limited data set. The data set will contain four or less artifacts that need to be analyzed to successfully complete the scenario. When performing event triage most of the time only a subset of data needs to be examined to successfully assess the event. To encourage this line of thinking I’m limiting the dataset to at most four artifacts containing information required to solve the scenario. The datasets will be pulled from the test systems I build to improve my own skills, knowledge, and workflows. If I’m building and deleting these systems I might as well as use them to help others. I’ll try to make the datasets resemble what may be available in most environments such as operating system artifacts, logs, and IDS alerts. Accompanying the dataset may be a document briefly explaining how to perform a specific task such as generating IDS alerts by replaying a packet capture in Security Onion. The scenarios will reflect areas I have or am working on so the type of simulated incidents will be limited. Please keep in mind, similar to performing event triage for a company some of my scenarios may be false positives.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The second post will be published between one to three weeks after the first post. The second post will outline a triage process one could use to assess the security event described in the scenario. At a minimum, the process will cover: where in a network this information can be found, how to collect this information, free/open source tools to use, how to parse the artifacts in the provided dataset, and how to understand the data you are seeing. The triage process will be focused on being thorough but fast. The faster one can triage a single event the more events they can process. If I come across any other DFIR bloggers who published how they triaged the security event then this post will contain links to their websites so others can see how they approached the same problem.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><b><u>Summary</u></b></span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">My hope is this small contribution adds to the resources available to other defenders. Resources they can use to improve their workflows, skills, and knowledge. Resources they can use to better prepare themselves instead of preparing to fail.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">To anyone I do help better prepare themselves, I only ask for one thing in return. For you to take a few minutes of your time to purposely share something you find useful/helpful with someone in your life. The person can be anyone you know from a co-worker to colleague to a fellow student to a complete stranger asking for help online. Take a few minutes of your life to share something with them. Losing a few minutes of our time has minimum impact on us but it can make a huge difference in the lives of others and possibly help them become better prepared for what they may face tomorrow.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">God bless and Happy Hunting.</span><br />
<div>
<br /></div>
Corey Harrellhttp://www.blogger.com/profile/15008629321023489214noreply@blogger.com5tag:blogger.com,1999:blog-4080617372940068027.post-21957370433427606052015-11-07T12:30:00.001-05:002015-11-07T13:27:11.881-05:00Random Thoughts<span style="font-family: "verdana" , sans-serif;">Things have been quiet on jIIr since I over committed myself. The short version is I had zero time for personal interests outside of my commitments, $dayjob, and family. Things are returning back to normal so it’s time to start working through my blog idea hopper. In the meantime, this post is sharing some of my recent random thoughts. Most of these thoughts came in response to reading an article/email, seeing a tweet, hearing a presentation, or conversing with others. </span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<i style="font-family: Verdana, sans-serif;">~ We need to stop looking to others (peers, vendors, etc) to solve our problems. We need to stop complaining about a lack of resources, information, training, tools, or anything else. We need to start digging into our issues to solve them ourselves instead of looking for the easy answers.</i><br />
<i style="font-family: Verdana, sans-serif;"><br /></i>
<i style="font-family: Verdana, sans-serif;">~ As we work to better defend our organizations, we need to take to heart R. Buckminster Fuller's advice. "You never change things by fighting the existing reality. To change something, build a new model that makes the existing model obsolete." Our focus needs to be on building and improving the new reality while ignoring the haters who are stuck in the past.</i><br />
<i style="font-family: Verdana, sans-serif;"><br /></i>
<i style="font-family: Verdana, sans-serif;">~ We need to stop saying we don't have enough resources. We need to focus on our workflows and seek out ways to improve, automate, and become more efficient. Slight changes on existing workflows can free up resources for other areas.</i><br />
<i style="font-family: Verdana, sans-serif;"><br /></i>
<i style="font-family: Verdana, sans-serif;">~ We need to start using this new technology called Google. There is no such thing as a stupid question but there are questions that can be easily answered by doing a simple Google search.</i><br />
<i style="font-family: Verdana, sans-serif;"><br /></i>
<i style="font-family: Verdana, sans-serif;">~ Let's get our current generation tools working properly before talking about next generation. If we can't properly configure and use our current tools then getting a so called “next generation” tool won't solve anything.</i><br />
<i style="font-family: Verdana, sans-serif;"><br /></i>
<i style="font-family: Verdana, sans-serif;">~ We need to stop saying we need more training. We need to stop saying for me to do task X I need to be sent to training Y. We just need to realign our priorities to spend time on self-development. Turn off the TV, buy a book, build some virtual machines, conduct some tests, and analyze the results.</i><br />
<i style="font-family: Verdana, sans-serif;"><br /></i>
<i style="font-family: Verdana, sans-serif;">~ How about we talk more about detecting and responding to basic security threats. If we can't alert on commodity malware infections or web server compromises and have effective workflows triaging those alerts then hunting shouldn't even be in our vocabulary. Forget about hunting and focus on the basics.</i><br />
<i style="font-family: Verdana, sans-serif;"><br /></i>
<i style="font-family: Verdana, sans-serif;">~ Let's stop generalizing by saying if company X was monitoring their logs then they would had detected the compromise sooner. That is until there is more published practical information telling organizations how they can actually set up their security monitoring capability. If there is very little practical information or assistance about building a security monitoring program then we shouldn't be surprised when organizations struggle with the same complicated process.</i><br />
<i style="font-family: Verdana, sans-serif;"><br /></i>
<i style="font-family: Verdana, sans-serif;">~ On the same note and while we are at it. Let's also stop saying if company X looked into their alerts then they would had seen there was a security issue. We need to start providing more published information instructing others how to actually triage and build workflows to respond to those alerts. If we don’t share and publish practical information about triaging workflows then we shouldn’t be pointing out the failures of our peers.</i><br />
<i style="font-family: Verdana, sans-serif;"><br /></i>
<i style="font-family: Verdana, sans-serif;">~ Let's stop focusing our security strategy on the next new product instead of looking at how to better leverage our existing products. New products may address a need but we might be able to address the same need with existing products and use the money we save to address other needs.</i><br />
<i style="font-family: Verdana, sans-serif;"><br /></i>
<i style="font-family: Verdana, sans-serif;">~ Let's stop with the presentations and articles pretending to tell other defenders how to do something while the author says they are not saying how exactly they do it to prevent threats from knowing. This serves no purpose and is counterproductive since it’s actually not telling other defenders how to do something. What’s the point of saying anything in the first place?</i><br />
<i style="font-family: Verdana, sans-serif;"><br /></i>
<i style="font-family: Verdana, sans-serif;">~ Please let's stop adding noise to the intelligence sharing echo chamber. Whether if its products or conferences, most say we need more threat intelligence and we need to start sharing more. No other specifics are added; just that we need it and others need to share it. In the end we are just echoing noise without adding any value.</i><br />
<i style="font-family: Verdana, sans-serif;"><br /></i>
<i style="font-family: Verdana, sans-serif;">~ We need to stop saying how we have a shortage of talented security staff to hire. It is what it is. We need to start talking about how we can develop highly motivated people who want security as their career. We may not be able to hire talented security staff but we can definitely grow them to meet our needs.</i><br />
<i style="font-family: Verdana, sans-serif;"><br /></i>
<i style="font-family: Verdana, sans-serif;">~ We need to expand our focus on detecting and responding to threats from being primarily end point focused to server focused. A good percentage of articles, intelligence sources, and products talk about end point clients with very little mention about servers. How about detecting and responding to compromised web servers? How about database servers? How about CMS servers such as Joomla, WordPress, and Drupal? Our conversations are only talking about a part of our IT infrastructures and not the entire infrastructures.</i><br />
<i style="font-family: Verdana, sans-serif;"><br /></i>
<i style="font-family: Verdana, sans-serif;">~ We need to stop complaining that our management just doesn't get or take security seriously. The issue can be two things. Maybe we aren't communicating in a way for them to care. Maybe security really is not a high priority. Either way, we need to either: fix it, move on to another organization, or just accept it and stop complaining about it.</i>Corey Harrellhttp://www.blogger.com/profile/15008629321023489214noreply@blogger.com8tag:blogger.com,1999:blog-4080617372940068027.post-43985817959502735352015-08-23T22:54:00.003-04:002015-08-23T23:04:00.052-04:00A Warning about Hidden Costs<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg77MnSoq0JURrejUqReY6mSD3KooHC8x3lALdCvryriqctNSQPhbYjMeKRMWm6D6w-gTnpc7Y4yAmVAf-xb-kZIn-NOgSc43k20lsfwbSvmtYHxt4amy6ztbrAqJRQGQGmWTY2YFgycpg/s1600/goldfishbowl.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg77MnSoq0JURrejUqReY6mSD3KooHC8x3lALdCvryriqctNSQPhbYjMeKRMWm6D6w-gTnpc7Y4yAmVAf-xb-kZIn-NOgSc43k20lsfwbSvmtYHxt4amy6ztbrAqJRQGQGmWTY2YFgycpg/s320/goldfishbowl.jpg" width="320" /></a><span style="font-family: Verdana, sans-serif;">I saw the excitement in my son's eyes as the biggest smile was stretching from ear to ear. He slowly stretched out his arm to show me what he got at camp that day. He was extremely excited and I could sense his happiness as I heard him say "I won it with only one dollar. I did it on my first try. Can we keep it?" My eyes focused on what was in his hand. It was a plastic bag with a small goldfish swimming around. "I won it at the fair today. Can we keep it?" In that split second I quickly ran through what owning a fish might entail and it was very similar to the picture used in this post. I then said "yes, we can keep it". 
My son excitedly ran to his summer camp counselor with so much excitement to tell her the fish was going home with him.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">As we were walking to pick up my youngest son I realized the first thing I didn't think about. My five year old would be upset seeing his brother with a goldfish and knowing he doesn't have one. I thought problem solved; we'll just buy him one at the pet store while we are there getting supplies. We reached my five year old in his camp and his eyes grew bigger and bigger as he saw the bag. "Is that a fish" he asked and my seven year old replied "Daddy is getting you one too". At that moment both kids had smiles as they kept staring at the little fish swimming in the bag. As we were walking down the hall we walked past another parent. She saw the bag with the fish and nervously said "Oh lucky you". I laughed and I could see she was a bit nervous walking down the hall to pick up her kid.</span><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">On the drive home, I remembered what my wife said at one point. Damn, my wife. Make that item number two that didn’t cross my mind when my son asked me if we could keep the fish. She has been dead set against owning a fish and this time playing like I misunderstood or didn’t hear her won’t work. “Absolutely no fish” is pretty clear. I knew I wasn’t getting out of this one so I thought I might as well get something out of it. I sent her a text message saying the boys had a big surprise for her. Despite her continued texts trying to guess the surprise on my drive home I wouldn't answer them and I only deflected saying she had to wait.</span><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">As my wife opened the door both of my sons went running up to her. They said guess what a few times trying to gather their thoughts from their excitement. Then my seven year old says "at the fair I won a fish on my first try. I did it with only one dollar. Daddy said we could keep it and he is getting Gab one too." She started to give me that stare until she walked over and started watching the fish swim around in its bag of water. Maybe she ran through what a fish would entail too but maybe not. Whatever it was I wasn't going to ask when she said it looks like we are making a trip to the pet store.</span><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">On the drive to the pet store my wife and I were on the same page. We would get to the store then buy a basic tank, a second fish, and some food. As we walked up and down the aisle there were tanks of all sizes. Not sure what size we needed we asked the store for assistance. The cashier said he would send over the fish lady. I gave him a puzzled look and was like "fish lady?" He said that's what we call her since she knows everything about fish.</span><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">We continued walking up and down the aisle waiting for the fish lady while continuously stopping my boys from wrestling each other. A younger girl was walking towards us and I asked if she was the fish lady. She laughed and then explained all the tanks and fish she owns. I told her we were looking for a tank to hold two goldfish. She said each fish should have at least 10 gallons of water and then I glanced at the shelf. At that moment I knew getting the small basic tank we thought would work was no longer an option. Nope, we had to get a real fish tank. As we continued listening to the fish lady she started going down the list of things we would need. Water conditioner, food, gravel for the bottom of the tank, filter, vegetation (fake or real), a stand for the tank to keep it level, structures for the fish to hide in, and the list went on. My wife and I both reached for our phones to confirm what she was saying without her noticing (we research everything before buying something). We were making sure she wasn't trying to pull a fast one on us and our quick research confirmed what the fish lady said. I even saw the weekly work that owning a fish entails. I stopped counting all of the things I didn’t think about when I quickly ran through the list of what I thought owning a fish entails.</span><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">After hearing the fish lady I said that's a lot more than I was expecting. My kid won a fish at the fair and we thought we would only need a basic tank. She cracked a smile and then said "oh, a fair fish huh". After she helped us and was walking away I got the feeling this must happen a lot. Parents getting a fish at the fair, going to the fish store, and then getting hit over the head with what it really entails to own a fish. We grabbed a shopping cart, grabbed all of our supplies, the fish my five year old picked out, and selected the stand for our 20 gallon tank. As we left the store I kept thinking about the dollar fish that just cost us hundreds of dollars. That evening I spent hours putting together the stand and tank while my wife was cleaning all the items going into the tank (another thing we weren't expecting).</span><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">What I thought owning a fish entailed was nothing close to what is actually involved with owning a fish. Spending a dollar to win a fish was nothing compared to the hundreds of dollars needed to take care of the fish. The weekly work I envisioned was a lot less than the actual work I have been doing for weeks.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">If I could do it again, knowing now what I didn't know when we sent our son to camp that day, I would do things differently. I would have told him to save his dollar and not bring home any fish. Mommy and I are doing some research and then next weekend we will go get the supplies and fish to set up a nice tank. It will be better than just watching two goldfish swimming around in a 20 gallon tank. This is the approach I would have taken. The approach of not trying to make things work with a dollar fish because in the end I still paid the same amount as I would have going with the better option in the first place.</span><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">My guess is this story plays out every year at a lot of organizations. The only exception is organizations are not dealing with goldfish but tools.</span><br />
<span style="font-family: Verdana, sans-serif;"></span><br />Corey Harrellhttp://www.blogger.com/profile/15008629321023489214noreply@blogger.com3tag:blogger.com,1999:blog-4080617372940068027.post-15188981127440641702015-08-12T12:29:00.000-04:002015-08-12T12:32:28.121-04:00Go Against the Grain<span style="font-family: Verdana, sans-serif;"><strong>“You never change things by fighting the existing reality. To change something, build a new model that makes the existing model obsolete.” —</strong>Richard Buckminster Fuller<br />
<br />
It's very easy to accept the way things are and say in response "it is what it is". It's easy to say I tried and give up when others push back against the things you want to change. It's easy to say this is how we always did it so why change anything now. Now let's put this into the context of information security. It's easy to accept the thinking "that no one gets security" and then take on the mentality of not doing anything to change it by saying "it is what it is". It's easy to say I tried and give up when you make an attempt to change how people approach security but then get pushback from others. It's easy to say this is how we always approached securing our organization so why change anything now.<br />
<br />
The quote I opened this post with nicely summarizes how you can go against the grain and put an organization on a better path to addressing their security risks. How you can change the existing security strategy focused on prevention to one focused on a balance between prevention, detection, and response. Start building the better approach (model) to enable others to see the value it adds. Continue building out the better approach and showing value to others. Showing the value and benefits results in people buying into the new approach. Eventually the change will take hold putting the organization on the better path. Building the better approach is more effective than fighting against the existing reality and those who are complacent with the way things are. Changing the security strategy won't occur without some resistance. There will be remnants of those who resist your changes and will fight to make things go back to the way things were. Those remnants won't be as successful in influencing change because they will be fighting against a new reality and they will lack the motivation and/or determination to go against the grain to build a better model.</span>Corey Harrellhttp://www.blogger.com/profile/15008629321023489214noreply@blogger.com0tag:blogger.com,1999:blog-4080617372940068027.post-31357824254350324232015-08-10T21:31:00.000-04:002015-08-11T15:16:04.036-04:00Minor Updates to Auto_rip<span style="font-family: Verdana, sans-serif;">This is a quick post to pass along that I updated my <a href="https://drive.google.com/folderview?id=0BwsuIHubBoklemxMY2d1M3ctanc&usp=sharing">auto_rip script</a>. For those who may not know, auto_rip is a wrapper script for Harlan Carvey's <a href="https://github.com/keydet89/RegRipper2.8">RegRipper program</a> and it executes RegRipper’s plug-ins based on categories and in a specific order. 
To learn more about my script please see my previous post <a href="http://journeyintoir.blogspot.com/2013/05/unleashing-autorip.html">Unleashing auto_rip</a>. The auto_rip updates are pretty minor. I separated out the changes to a change log instead of documenting changes in the script itself, added a device category (due to a new plug-in), and I added most of the new RegRipper plug-ins Harlan created (as of 7/30/15). The download location can be found on the right of my blog or using this <a href="https://drive.google.com/folderview?id=0BwsuIHubBoklemxMY2d1M3ctanc&usp=sharing">link to its Google drive location</a>. </span><br />
<span style="font-family: Verdana;"></span><br />
<span style="font-family: Verdana;"></span><br />
<span style="font-family: Verdana;"><strong>****** 08/11/2015 Update *******</strong></span><br />
<span style="font-family: Verdana;"></span><br />
<span style="font-family: Verdana;">At this time I removed the compiled executable from auto_rip. The compiled executable is having issues and I'm working to resolve it. However, the perl script is present and works fine. As soon as I'm able to compile the script into an exe then I'll add it back to the auto_rip archive.</span>Corey Harrellhttp://www.blogger.com/profile/15008629321023489214noreply@blogger.com5tag:blogger.com,1999:blog-4080617372940068027.post-79381472650424412782015-07-26T11:51:00.002-04:002015-07-26T13:18:04.778-04:00SIEM – One Year Later<span style="font-family: Verdana, sans-serif;">We are overwhelmed with data and are not sure what to look at or collect? I came across this paraphrased comment in a SIEM forum and it echoes a sentiment I have seen about SIEM. Deploying the technology results in a ton of noise and alerts making it hard to make sense of any of it. Some organizations struggle using SIEM effectively and at times their staff are drowning in a sea of logs and alerts. The comment is also one foreign to me. I’ve read about it and seen others say this but I never witnessed it for myself. My path, my journey was a different one. This post reflects on my SIEM journey for the past year in hopes that it can help others who are either taking their first step or are already on their SIEM journeys.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;"><em>Disclosure: jIIr is my personal blog and is not affiliated with my employer. This post only covers my personal experience and does not go in to details related to SIEM implementation in my employer’s environment. Any questions along these lines will unfortunately go unanswered. Some lines are not meant to be crossed and this is one of them.</em></span><br />
<br />
<h2>
Start with Why It Is Needed</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">My journey didn’t start when the SIEM was acquired but it occurred long before then when my perspective about security strategies changed. The security strategy is critical to explore since the strategy is the force pushing organizations down the SIEM path in the first place. Let’s go back in time to when I was in a unit performing vulnerability assessments against other public sector organizations. Over time I began to see fundamental problems with various security strategies I encountered.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Some strategies were completely centered on prevention. Almost every security resource – including funding, staffing, etc. – was applied to tasks and projects related to preventing attacks. In these organizations we always found something; in every organization we always found something. With each finding came the task of explaining to auditors on my side the cause of the finding. Auditors see things in black and white but security findings are not clear cut. The truth is we probe the target’s environment and security program moving from well protected areas to areas not well protected. These were the areas our findings came from. Organizations cannot protect everything in a manner to prevent everything; it’s an impossible task and even with an unlimited budget it is not achievable.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Some strategies were centered on compliance. Security resources and priorities are focused on the findings in the latest audit. As time goes by the security strategy is to address and reduce those findings without taking into consideration areas posing the highest risks to the organization. At times during our engagements we were welcomed. The expectation was we would highlight areas they should focus on and help the security folks convince management to allocate the appropriate resources to address those areas. For a while I thought the work we were doing accomplished this as well. In time I came to see things differently. No matter how effective an audit is, this security strategy will never work since there is a fundamental problem. Audits only confirm if something complies with criteria outlined in a regulation, policy, or standard. If something has no criteria then it is very difficult for an audit to list it as a finding since each finding needs to be tied back to a criterion. If the criteria (regulation or policy) don’t address something that is a high risk to the organization then the audit/assessment will miss it as well. Making matters worse, it is very difficult to determine how effective something is. If something exists, has supporting documentation, and passes some tests, in most cases this satisfies the audit requirement. Audits don’t truly evaluate how effective processes and controls are. They check a box as something being present then move on to other areas not well protected (remember it’s impossible to protect everything). This results in significant gaps in security strategies driven by compliance, and the news headlines of breaches at organizations compliant with regulation X highlight this.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Then some security strategies were reactive. This is when the security strategy is based on the latest event; both inside the organization and outside of it. With each new event the organization switches focus and resources to address it even if it is not the highest risk to the organization. This leads down a path of random controls put in place to combat random threats and what little security resources are available is used in an ad-hoc manner. Reactive security strategies in my opinion are not even a strategy and are doomed for failure.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Over time, the fundamental problems with various security strategies I encountered made me ask myself a single question: if I ever found myself in a position to lead an organization’s immature security program, how should I approach building their program from scratch? Exploring this question brought me to various information security resources. It even led me to obtaining my Master of Science in Information Assurance. In time I came to the following conclusion:</span><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">1. There are fundamental problems with security strategies based on prevention, compliance, and reaction.</span><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">2. Most information security decisions I witnessed in my entire career were not based on actual data to support the decisions. Decisions were based on experience, intuition, what someone else recommended, or shiny new objects. At times, decisions not based on actual data resulted in bad choices, wasted what little security resources are available, and didn’t address the actual threats the organizations faced.</span><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">3. What security strategies need is “an <a href="https://msisac.cisecurity.org/resources/reports/documents/CISO-RPT-0112.pdf">intelligence-driven approach</a>, whereby decisions are made based on real-time knowledge regarding the cyber adversaries and their attack methods, and the organization’s security posture against them”.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">The fundamental problems with security strategies based on prevention, compliance, and reaction would be addressed in an intelligence-driven approach. Security decisions would not only address the most significant risks an organization faces but the decisions would be influenced by facts and information. The path to intelligence-driven security needs to start with the foundation mentioned in the <a href="https://msisac.cisecurity.org/resources/reports/documents/CISO-RPT-0112.pdf">quote below</a>.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;"><em>“To be ready to take on an intelligence program, the organization needs to have a foundation in place for monitoring the network for intrusions and a workflow process for responding to incidents.”</em> </span><br />
<br />
<span style="font-family: Verdana, sans-serif;">This became my perspective on how security strategies needed to be and I ended up in a security office who agreed with the strategy. This strategy started me down the SIEM path as part of laying a foundation for security monitoring. The driving force behind SIEM was security monitoring and it influenced what logs were collected and how they were analyzed.</span><br />
<br />
<h2>
Expect a Significant Time Commitment</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">I knew there was going to be a significant time requirement at my $dayjob but I didn’t know about the impact on my personal time. I had a well-rounded background to take on a SIEM project but I never built the equivalent of a SOC. I read the <a href="http://searchsecurity.techtarget.com/news/2240227732/Plan-ahead-to-avoid-SIEM-deployment-pitfalls">often quoted percentage</a> that “somewhere between 20% and 30% of SIEM deployments among his client base fail, meaning not only do they not meet predefined goals, but also that many organizations don't even bother using the product”. I also read the articles and comments about how difficult SIEM deployments are, how complicated SIEM management is, and how companies frequently end up in a sea of alerts with no clue what to do about them. I guessed what the impact would be on an organization for a failed security investment. How after getting buy-in, making a sizable investment in technology, and allocating staff to only end up with something that doesn’t meet any goals would be devastating. Not only would this not provide the needed foundation for intelligence driven security but the failure would linger for a long time for the organization. Any other request for security resources would be even more difficult because it will be looked upon as another wasted investment since the investment in SIEM failed. Any other security initiatives may be looked at with doubt and wonder if they can even be successful since the security office failed with the SIEM initiative. Needless to say, failure was possible but it wasn’t an option in my opinion.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">I put most of my personal time I allocate for research, writing, and reading on hold to allow me to focus on building the SOC. I spent my time instead researching and learning from others about how to build an effective security monitoring capability. A small portion of what I explored was mentioned in the posts: <a href="http://journeyintoir.blogspot.com/2014/07/linkz-for-siem.html">Linkz for SIEM</a>, <a href="http://journeyintoir.blogspot.com/2015/01/linkz-for-detection-and-response.html">Linkz for Detection and Response</a>, <a href="http://journeyintoir.blogspot.com/2015/04/making-incident-response-security.html">Making Incident Response a Security Program Enabler</a>, and <a href="http://journeyintoir.blogspot.com/2015/06/linkz-for-intelligence-driven-security.html">Linkz for Intelligence Driven Security and Threat Intelligence</a>. In essence, my time at the $dayJob was spent implementing SIEM capabilities, building processes, training staff, and managing security monitoring while my personal time was spent exploring all aspects related to security monitoring and intelligence driven security.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">It was a personal sacrifice I made for my employer to ensure our SIEM project would be successful but in the past year my knowledge and skills have grown by leaps and bounds. There’s a personal sacrifice leading a SIEM implementation but making that sacrifice is worth it in the end.</span><br />
<br />
<h2>
Prepare, Prepare, and Prepare Some More</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">In John Boyd’s autobiography <a href="http://www.amazon.com/Boyd-The-Fighter-Pilot-Changed/dp/0316796883">Boyd: The Fighter Pilot Who Changed the Art of War </a>one lesson we all can learn is how he approached things. Take the following quote about someone who Boyd influenced and was a member on his team:</span><br />
<br />
<span style="font-family: Verdana, sans-serif;"><em>“His attitude was “Maybe so. But if not me, who?” He was the right man in the right place at the right time. He had done his homework and knew his briefing was rock solid.”</em></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">The lesson we can all learn is for us to do our homework; to prepare for each possibility and the things that can and will go wrong. This is probably the best advice I could give anyone traveling down this path. You might be the right man in the right place at the right time to lead an organization as they deploy SIEM technology but you need to do your homework. You need to research and explore the issues to be solved, develop a detailed project plan with phases, get buy-in by explaining the issues and why SIEM is the technology to solve them, identify the exact logs required and what in those logs is needed, etc. The list goes on but the point of this advice is to prepare. Prepare, and then prepare some more since the effort and time spent doing this will ensure a smooth deployment. I spent a considerable amount of time preparing upfront and during the deployment and this helped me avoid pitfalls that could have impacted the project.</span><br />
<br />
<h2>
Leverage Use Cases</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">As I started this journey one of the first things I did was to learn from others who took this journey before me. The main person who influenced my thoughts and thus my approach was <a href="http://blogs.gartner.com/anton-chuvakin/">Anton Chuvakin</a>. In most articles he advocates to leverage use cases when deploying a SIEM and hands down this is the best advice for a successful SIEM project. He authored a lot of posts on the subject but the best one as it relates to a SIEM project is the <a href="http://journeyintoir.blogspot.com/2014/07/linkz-for-siem.html">one hyperlinked in my quote below</a>:</span><br />
<br />
<span style="font-family: Verdana, sans-serif;"><em>“The best reference I found to help architect a SIEM solution is a slide deck by Anton Chuvakin. The presentation is <a href="http://www.slideshare.net/anton_chuvakin/five-best-and-five-worst-practices-for-siem-by-dr-anton-chuvakin">Five Best and Five Worst Practices for SIEM</a> and it outlines the major areas to include in your SIEM project (16 to be exact). It may not cover everything -such as building rules, alarms, and establishing triage processes - but it does an outstanding job outlining how to avoid the pitfalls others have fallen in. If anyone is considering a SIEM deployment or in the midst of a SIEM deployment then this is the one link they will want to read.”</em></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">His slide deck influenced my SIEM project plan from the point of getting buy-in to the actual implementation. There wasn’t a lot of information on how to implement a use case, so I put together the <a href="http://journeyintoir.blogspot.com/2014/09/siem-use-case-implementation-mind-map.html">SIEM Use Case Implementation Mind Map</a> to have a repeatable process for each use case. </span><br />
<br />
<span style="font-family: Verdana, sans-serif;">There is real beauty in leveraging use cases. Not only does it make building a SOC more manageable by focusing on detecting certain activity in smaller chunks and building the processes around those chunks, but it makes it very easy to show others the value SIEM adds. If the SIEM deployment takes one year to complete then using multiple use cases can show progress and what was accomplished throughout the year. The value added is shown throughout the year instead of waiting until the end. That is, if the proper preparation was done in advance.</span><br />
<br />
<h2>
Focus on Triage</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Thinking back over the past year and what I found to be the most challenging with SIEM technology or any detection technology for that matter is how events/alerts need to be handled. I found bringing in logs, creating custom detection rules, and tuning rules to be easy compared to developing the triage processes surrounding each category of events/alerts. My previous thoughts on the subject still ring true today:</span><br />
<br />
<span style="font-family: Verdana, sans-serif;"><em>In my opinion establishing triage processes is the second most critical step (detection rules are the first). Triage is what determines what is accepted as "good" behavior, what needs to be addressed, and what needs to be escalated. After the rules are implemented take some time reviewing the rules that fired. Evaluate the activity that triggered the rule and try out different triage techniques. This is repeated until there is a repeatable triage process for the rules. Continue testing the repeatable triage process to make it more efficient and faster. Look at the false positives and determine if there is a way to identify them sooner in the process. Look at the techniques that require more in-depth analysis and move them to later in the process. The triage process walks a fine line between being as fast as possible and using resources as efficiently as possible. Remember, the more time spent on one alarm the less time is spent on others; the less time on one alarm increases the chance of malicious activity being missed.</em></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">The triage processes are critical and can help prevent encountering the paraphrased comment I opened this post with. We are overwhelmed with data and are not sure what to look at or collect? Unfortunately, when it comes to triage for the most part you are on your own. This was one area I found to be truly lacking in documentation and the few cheat sheets I found didn’t account for the majority of stuff one needs to consider. Determining what triage processes were needed followed by developing those processes and then training others was definitely a tough challenge. It was tougher since it also involved honing those triaging processes to improve their efficiency and speed. Despite the difficulty, focusing on triage enables you to see through the noise and know what to look for.</span><br />
<br />
<h2>
Metrics – These Are Needed</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">If someone had told me two years ago I'd be reading about security metrics I would have laughed out loud. Two years ago I didn’t see the value metrics offer until my eyes were opened exploring intelligence driven security. Another comment I saw in the SIEM forum was the following quote: “what information should be provided to the management on the daily basis which can justify the purchase of &lt;redacted&gt; SIEM”. This is where metrics can come into play. By recording certain information it makes it easier to communicate what one is detecting and responding to. Communicating metrics and trends shows value to management, highlights weak areas in the security program, or uncovers patterns in attacks. During the past year I explored various information security metrics. As it relates to the SIEM, the <a href="http://veriscommunity.net/">VERIS schema</a> is probably the best one I found for recording the information from detecting and responding to security events. As soon as you have the documented information then the fun part is finding creative ways to communicate these to others.</span><br />
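<span style="font-family: Verdana, sans-serif;">The triage ordering described in the Focus on Triage section above (cheap checks that settle false positives first, in-depth analysis last) and the metrics that come out of recording each outcome, as an added Python example that is not part of the original post. The alerts, checks, analyst costs and reference lists are constructed, and the outcome records are a plain dict rather than the VERIS schema the post names.</span><br />

```python
# Added example (not from the original post): a staged alert-triage pipeline that is
# re-ordered from measured outcomes, plus the metrics recorded from each decision.
# Every alert, check, analyst cost and reference list below is constructed.
from dataclasses import dataclass
from statistics import median
from typing import Callable, Dict, List, Optional

@dataclass(frozen=True)
class Alert:
    rule: str      # SIEM rule that fired
    host: str
    user: str
    process: str
    dest_ip: str
    truth: str     # "benign" or "malicious": what a full investigation would conclude

@dataclass(frozen=True)
class Stage:
    name: str
    cost_minutes: float                       # analyst time the check consumes
    check: Callable[[Alert], Optional[str]]   # "benign", "escalate", or None if undecided

# Constructed reference data the triage steps consult.
ADMIN_USERS = {"ops-jane", "ops-raj"}
ADMIN_TOOLS = {"psexec.exe", "wmic.exe"}
KNOWN_BAD_IPS = {"203.0.113.66"}   # placeholder from the TEST-NET-3 documentation range

def check_admin_activity(a: Alert) -> Optional[str]:
    # Cheap check: a known admin running a sanctioned admin tool is closed as benign.
    return "benign" if a.user in ADMIN_USERS and a.process in ADMIN_TOOLS else None

def check_destination(a: Alert) -> Optional[str]:
    # Cheap check: a destination on the block list is escalated straight away.
    return "escalate" if a.dest_ip in KNOWN_BAD_IPS else None

def full_host_analysis(a: Alert) -> Optional[str]:
    # Stand-in for the in-depth investigation; it always reaches a decision.
    return "escalate" if a.truth == "malicious" else "benign"

# Deliberately poor initial order: the expensive step runs first.
STAGES: List[Stage] = [
    Stage("full_host_analysis", 45.0, full_host_analysis),
    Stage("known_bad_destination", 1.0, check_destination),
    Stage("admin_tool_by_admin", 0.5, check_admin_activity),
]

# Constructed sample alerts as a SIEM might raise them.
ALERTS: List[Alert] = [
    Alert("remote_exec", "ws01", "ops-jane", "psexec.exe", "10.0.0.5", "benign"),
    Alert("remote_exec", "ws02", "ops-raj", "wmic.exe", "10.0.0.7", "benign"),
    Alert("remote_exec", "ws03", "bob", "psexec.exe", "10.0.0.9", "malicious"),
    Alert("outbound_conn", "ws04", "alice", "chrome.exe", "203.0.113.66", "malicious"),
    Alert("outbound_conn", "ws05", "carol", "outlook.exe", "198.51.100.20", "benign"),
    Alert("outbound_conn", "ws06", "ops-jane", "psexec.exe", "10.0.0.11", "benign"),
]

def triage(alert: Alert, stages: List[Stage]):
    """Run stages in order until one decides: returns (decision, stage name, minutes).
    An alert no stage can decide is escalated rather than silently closed."""
    spent = 0.0
    for stage in stages:
        spent += stage.cost_minutes
        decision = stage.check(alert)
        if decision is not None:
            return decision, stage.name, spent
    return "escalate", "undecided", spent

def calibrate(alerts: List[Alert], stages: List[Stage]) -> List[Stage]:
    """Try every check on every alert and order stages by decisions per analyst-minute,
    so the checks that settle the most alerts for the least effort run first."""
    def decisions_per_minute(stage: Stage) -> float:
        decided = sum(1 for a in alerts if stage.check(a) is not None)
        return decided / len(alerts) / stage.cost_minutes
    return sorted(stages, key=decisions_per_minute, reverse=True)

def metrics(alerts: List[Alert], stages: List[Stage]) -> Dict:
    """Record every triage outcome and summarise it per rule and overall."""
    deepest = max(stages, key=lambda s: s.cost_minutes).name
    per_rule: Dict[str, Dict[str, int]] = {}
    minutes: List[float] = []
    early = missed = 0
    for a in alerts:
        decision, stage, spent = triage(a, stages)
        row = per_rule.setdefault(a.rule, {"alerts": 0, "escalated": 0, "closed_benign": 0})
        row["alerts"] += 1
        row["escalated" if decision == "escalate" else "closed_benign"] += 1
        minutes.append(spent)
        early += stage != deepest                                   # decided by a cheap check
        missed += decision == "benign" and a.truth == "malicious"   # closed what should have escalated
    return {"per_rule": per_rule, "total_minutes": sum(minutes),
            "median_minutes": median(minutes),
            "decided_before_full_analysis": early, "missed_malicious": missed}

if __name__ == "__main__":
    print("naive order:", metrics(ALERTS, STAGES))
    print("tuned order:", metrics(ALERTS, calibrate(ALERTS, STAGES)))
```

<span style="font-family: Verdana, sans-serif;">With the constructed data the naive order costs 45 analyst-minutes per alert, while the calibrated order settles four of the six alerts in under two minutes each without closing any malicious one as benign; the per-rule counts are the kind of record the post suggests communicating upward.</span><br />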
<br />
<h2>
You Are Alone Standing on the Shoulders of Others</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">As I embarked on this journey I learned from others who have either dealt with SIEM technology or security monitoring. Initially, I read online what they published and made available to the public. I reached out to a few people about the additional questions I had. I looked around locally and reached out to others who were managing their own security monitoring capabilities. Needless to say, my SIEM journey was successful since I was standing on the shoulders of those who came before me.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">However, at the end of the day each organization is different. Others can provide you with advice and share their experience but what is actually encountered is unique. The environment is unique and certain aspects of the use cases are unique as well. Due to this uniqueness, most of the time throughout the year we (my team and myself) were on our own. I mention this as a word of caution to others who may expect a vendor or others to solve their SIEM challenges for them. Others and vendors can help to a certain extent but you and your team are the ones who need to solve the challenges you face. At that point you will find yourself alone standing on the shoulders of others.</span><br />
<span style="font-family: Verdana, sans-serif;"> </span><br />
<h2>
Looking Forward to SIEM Year 2</h2>
<span style="font-family: Verdana, sans-serif;"><br />
Reflecting back over the past year it has been a demanding challenge. The journey hasn't ended since work still needs to be done. There will always be work to do and new challenges to work through. Hopefully, the experience I shared will avert someone from stepping on a SIEM land mine resulting in them yelling out for help as they are drowning in the sea of logs and alerts. </span>Corey Harrellhttp://www.blogger.com/profile/15008629321023489214noreply@blogger.com1tag:blogger.com,1999:blog-4080617372940068027.post-84869245051060553592015-07-10T13:45:00.001-04:002015-07-10T13:51:11.439-04:00Villager or Special Forces - That Is The Question<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEig2iO9N2LvHATm3DohG7LQMsMSINg_umiTY2rvUqq3Lk323C160f7WeeXe78yejK-ZZOtUBoHifgGIRZiC5QQBxnTldVOnVytUKSKL7yOQ6UFyiiLyRQxPT84wfD6us9I96s-_J7kBgFA/s1600/villager-pitchfork.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="204" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEig2iO9N2LvHATm3DohG7LQMsMSINg_umiTY2rvUqq3Lk323C160f7WeeXe78yejK-ZZOtUBoHifgGIRZiC5QQBxnTldVOnVytUKSKL7yOQ6UFyiiLyRQxPT84wfD6us9I96s-_J7kBgFA/s320/villager-pitchfork.jpg" width="320" /></a><span style="font-family: Verdana, sans-serif;">At certain times we will find ourselves being like Special Forces going against what seems like a villager with a pitchfork. We are better equipped, better trained, possess more technical knowledge, and have more advanced skills. Despite their best efforts, the pitchfork and the one wielding it doesn't stand a chance against our arsenal and our ability to use it.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">At other times we find ourselves as the villager holding the pitchfork going up against what feels like Special Forces. They are smarter, have more resources, and possess more advanced skills. Despite our best efforts and our ability to use the pitchfork, it's still a pitchfork going against a Special Forces arsenal and people who can use it.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">The pendulum swings between the villager and Special Forces in the information security field. Between the two, I'd rather be the villager. The villager is the one facing the constant challenge. Unless of course, the pendulum only contains Special Forces. Special Forces against Special Forces would be the ultimate challenge.</span><br />
<br />
<h2>
Linkz for Intelligence Driven Security and Threat Intelligence</h2>
<span style="font-family: Verdana, sans-serif;">Posted by Corey Harrell, 2015-06-30</span><br />
<span style="font-family: Verdana, sans-serif;">What’s the strategy one should use when trying to defend an organization against the threats we face today? At times the security strategy has been reactive. Decisions and the direction forward are based on the latest incident the organization experienced. This approach is not effective since it is the equivalent of firefighting, where resources are used on addressing the latest fire without identifying the underlying issues causing the fires in the first place. At other times the security strategy is based on compliance. Decisions and the direction forward are based on regulations or standards the organization has to be compliant with. This approach is not as effective either. It will provide an organization with some minimum security controls, but it may not help with defending against the threats we face today (the news highlights organizations that are compliant but still compromised anyway). One security strategy that has gained traction over the years and is more effective than the previous two is intelligence driven security. The direction forward and “<a href="https://msisac.cisecurity.org/resources/reports/documents/CISO-RPT-0112.pdf">decisions are made based on real-time knowledge regarding the cyber adversaries and their attack methods, and the organization’s security posture against them</a>”. This approach is more effective than the previous two since it enables an organization to allocate security resources to address the highest risks and threats they face.</span><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">In this post, I am sharing linkz to various resources I found useful over the past few years related to intelligence driven security, threat intelligence, threat intelligence data, consuming threat intelligence data, and threat intelligence sharing.</span><br />
<br />
<h2>
Intelligence Driven Security Links</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">These links are related to intelligence driven security, which <a href="https://msisac.cisecurity.org/resources/reports/documents/CISO-RPT-0112.pdf">RSA defined</a> as “<em>developing real-time knowledge on threats and the organization’s posture against those threats in order to prevent, detect, and/or predict attacks, make risk decisions, optimize defensive strategies, and enable action</em>.”</span><br />
<br />
<h3>
Achieving Intelligence-Driven Information Security</h3>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">The first link is one that will always hold a certain personal value since it was one of the first papers I read on the topic years ago. The RSA paper <a href="https://msisac.cisecurity.org/resources/reports/documents/CISO-RPT-0112.pdf">Getting Ahead of Advanced Threats: Achieving Intelligence-Driven Information Security</a> discusses how an organization can approach managing their security program in this manner. The paper addresses: what organizations need to know, categories of cyber-risk data, intelligence driven information security, a roadmap to achieving intelligence driven information security, opportunities for quick wins, and information sharing. I spent years performing vulnerability assessments against other organizations, and with each engagement it became more and more clear that the traditional approaches to security management were no longer effective. What was needed was an approach where factual information influenced decisions instead of decisions being based solely on someone's judgment or gut feeling. The approach in this paper is very light on details, but it does address the thought process behind it, and to me this was very helpful. The paper did nail the foundation one needs to have in place to achieve this, as seen in the following quote: “to be ready to take on an intelligence program, the organization needs to have a foundation in place for monitoring the network for intrusions and a workflow process for responding to incidents.”</span><br />
<br />
<h3>
Strategic Cyber Intelligence</h3>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">The reason behind leveraging intelligence in security management is to help people make better security decisions. These decisions can be related to addressing risks, security strategies, and resource usage. Despite this being the driving force behind intelligence driven security, a good percentage of the material I’ve seen on the topic is focused on real time intelligence about threats rather than on the intelligence an organization needs to make better security decisions. The next link I picked up from <a href="http://taosecurity.blogspot.com/">Richard Bejtlich</a>, and it’s a document titled <a href="http://issuu.com/insalliance/docs/strategiccyberintelligence?e=6126110/7262065">Strategic Cyber Intelligence</a>. If there is only one link to read in this post then this document is it. My words wouldn't do justice in describing this document, so instead I'm opting to use part of the executive summary to describe it.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;"><em>While there has been much emphasis on tactical cyber intelligence to help understand the “on-the-network” cyber-attacks so frequently in the news, there has been little discussion about the strategic and operational levels in order to better understand the overall goals, objectives, and inter-relationships associated with these tactical attacks. As a result, key consumers such as C-suite executives, executive managers, and other senior leaders are not getting the right type of cyber intelligence to efficiently and effectively inform their organizations’ risk management programs. This traditionally tactical focus also hampers the capability of the cyber intelligence function to communicate cyber risks in a way that leaders can fully interpret and understand.</em></span><br />
<br />
<h3>
Adopting Intelligence Driven Security</h3>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">I found the next links helpful since they had some good talking points and a nice diagram for getting buy-in to approach security in a more intelligent manner. The RSA <a href="http://www.emc.com/collateral/white-papers/h13235-wp-adopting-intelligence-driven-security.pdf">Adopting Intelligence Driven Security</a> paper provides a high-level overview about adopting an intelligence driven security strategy. Topics discussed include: visibility, analysis, action, and the difference between today's security strategies and intelligence driven security. The RSA blog post <a href="https://blogs.rsa.com/intelligence-driven-security/">What is Intelligence Driven Security?</a> provides very similar but less information than their paper.</span><br />
<br />
<h2>
Threat Intelligence Links</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Threat intelligence is a needed component in achieving intelligence driven security but the two are not the same. This can be seen in the <a href="http://www.isightpartners.com/2015/05/cyber-threat-intelligence-we-wrote-the-book/#sthash.GNx3qg7i.dpbs">iSightPartners threat intelligence definition</a>, which is “<em>cyber threat intelligence is knowledge about adversaries and their motivations, intentions, and methods that is collected, analyzed, and disseminated in ways that help security and business staff at all levels protect the critical assets of the enterprise</em>”. These links provide information about threat intelligence.</span><br />
<br />
<h3>
Threat intelligence: Collecting, Analysing, and Evaluating</h3>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">The MWR InfoSecurity <a href="https://www.mwrinfosecurity.com/system/assets/909/original/Threat_Intelligence_Whitepaper.pdf">Threat intelligence: Collecting, Analysing, and Evaluating</a> whitepaper provides an excellent overview about threat intelligence and a threat intelligence program. Topics included are: what is threat intelligence, building a threat intelligence program, strategic/operational/tactical threat intelligence, and technical threat intelligence. The paper is well worth taking the time to read since the overview touched on most components of a threat intelligence program.</span><br />
<br />
<h3>
Definitive Guide to Cyber Threat Intelligence</h3>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">iSIGHT Partners is a vendor providing threat intelligence services. They released a short ebook titled <a href="http://www.isightpartners.com/2015/05/cyber-threat-intelligence-we-wrote-the-book/#sthash.GNx3qg7i.dpbs">Definitive Guide to Cyber Threat Intelligence</a> (at the time of this post the link for the <a href="http://cdn2.hubspot.net/hubfs/266554/Docs/eBook/Definitive_Guide_to_CTI.pdf">PDF is here</a> and if it no longer works then you'll need to provide them your email address to receive the download link). In their own words the following is why they wrote the book: "We figured that since we wrote the book on cyber threat intelligence, we might as well write the book on cyber threat intelligence". The book itself is 74 pages and addresses the following: defining cyber threat intelligence, developing threat intelligence requirements, collecting threat information, analyzing and disseminating threat intelligence, using threat intelligence, implementing an intelligence program, and selecting the right threat intelligence partner. The one area where I think this book shines is by outlining the components that a commercial threat intelligence service should have.</span><br />
<br />
<h3>
Actionable information for Security Incident Response</h3>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">ENISA released the <a href="https://www.enisa.europa.eu/activities/cert/support/actionable-information/actionable-information-for-security">Actionable information for Security Incident Response document</a> that was “intended as a good practice guide for the exchange and processing of actionable information”. The document discusses some of the following points: properties of actionable information, levels of information, collecting information, preparing information, storing information, analyzing information, and case studies. The document does an outstanding job outlining the characteristics of actionable intelligence as well as a process one could use to process it.</span><br />
<br />
<h3>
Threat Intelligence for Dummies</h3>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Another ebook released by another threat intelligence vendor named Norse is the book <a href="http://media.wiley.com/assets/7286/48/9781119081197_Threat_Intelligence_For_Dummies_Norse_Edition.pdf">Threat Intelligence for Dummies</a>. The book is a short read (52 pages) and touches on the following areas: understanding threat intelligence, gathering threat intelligence, scoring threat intelligence, supporting incident response, threat mitigation, and buying criteria for threat intelligence solutions. The book is another option for those looking for a more general overview about threat intelligence.</span><br />
<br />
<h3>
Five Steps to Build an Effective Threat Intelligence Capability</h3>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">The next link is for a Forrester <a href="http://www.coresecurity.com/system/files/attachments/2013/04/RickHollandFiveStepstoBuild.pdf">report about building an effective threat intelligence capability</a>. The first half of the report outlines the case for needing a threat intelligence capability while the second half discusses the actual capability. The topics include: intelligence cycle, intelligence disciplines, and five steps to build the intelligence capability. This report is another approach to building the capability and I find it beneficial to see different approaches for accomplishing the same thing. It makes it easier to pick and choose aspects from the various approaches to find what works best for you.</span><br />
<br />
<h2>
Open Source Threat Intelligence Data Feeds Links</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Data about threats, adversaries, and the methods they use can be obtained from various sources. One source for regularly updated threat data is publicly available feeds. Despite the data being freely available, care must be taken in selecting the data feeds to use. For each data feed, its characteristics must be evaluated to determine the value added to an organization's security monitoring and response process. (Side note: consuming as many feeds as possible is counterproductive and could actually impede security monitoring.)</span><br />
<br />
<h3>
Evaluating Threat Intelligence Data Feeds</h3>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">These links are a bit dated but they are as relevant today as when they were published. David Bianco's posts <a href="http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html">The Pyramid of Pain</a> and <a href="http://detect-respond.blogspot.com/2013/03/what-do-you-get-when-you-cross-pyramid.html">What Do You Get When You Cross a Pyramid With A Chain? </a>outline an approach to evaluate the value of indicators. The Pyramid of Pain is a versatile model: it applies not only when evaluating indicators in open source threat intelligence feeds but also when assessing the coverage of a security monitoring program.</span><br />
<br />
<h3>
Feeds, Feeds, and More Feeds</h3>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">The next link is a word of caution from Jack Crook about using threat intelligence data feeds. In his post <a href="http://blog.handlerdiaries.com/?p=637">Feeds, feeds and more feeds</a> he provides some food for thought for those looking to start consuming feeds. Below is a very telling quote from his post:</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">“<em>By blindly alerting on these types of indicators you also run the risk of cluttering your alert console with items that will be deemed, 99.99% of the time, false positive. This can cause your analysts to spend much unneeded time analyzing these while higher fidelity alerts are sitting there waiting to be analyzed</em>.”</span><br />
<br />
<h3>
Threat Data Feeds</h3>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">With the links about evaluating data feeds and a word of caution out of the way, I can now provide links to websites that contain links to publicly available sources for threat data. It’s an easy way to provide a wealth of feed options by linking to work done by others.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;"><a href="http://journeyintoir.blogspot.com/2015/05/introducing-active-threat-search.html">Introducing the Active Threat Search</a><br /><a href="https://intel.criticalstack.com/">Critical Stack Bro Intelligence Framework</a> (need to register but it is well worth it)<br /><a href="https://code.google.com/p/collective-intelligence-framework/wiki/NewFeedSources">Collective Intelligence Framework Data Sources</a><br /><a href="https://github.com/mlsecproject/combine/wiki/Threat-Intelligence-Feeds-Gathered-by-Combine">Threat Intelligence Feeds Gathered by Combine</a><br /><a href="https://www.snip2code.com/Snippet/186848/Opensource-intel-links">Opensource intel links</a><br /><a href="https://github.com/uiucseclab/cif-configs">uiucseclab cif-configs</a></span><br />
<br />
<h2>
Consuming Threat Intelligence Data Links</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">One of the ENISA actionable information characteristics is ingestibility. Ingestibility is the ability of the organization receiving the data to "consume it painlessly and automatically, including correlating and associating it with other information". The consumption is what makes the information useful to an organization to identify vulnerabilities, mitigate an ongoing attack, or detect a new threat.</span><br />
<br />
<h3>
Leveraging Threat Intelligence in Security Monitoring</h3>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Securosis published a decent paper titled <a href="https://securosis.com/assets/library/reports/Securosis_ThreatIntelSecurityMonitoring_FINAL.pdf">Leveraging Threat Intelligence in Security Monitoring</a>. The paper discusses threat intelligence sources (mostly focused on malware) and the network security monitoring process before going into detail on integrating threat intelligence with the security monitoring process. The part I really liked about the paper is that it outlines a process for managing security monitoring that consumes threat intelligence, and it takes the time to explain each component. Even if an organization doesn't use this process, it's helpful to see how someone else approached consuming threat intelligence to see what can be used to improve their own security monitoring processes.</span><br />
<br />
<h3>
How to Use Threat Intelligence with Your SIEM?</h3>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">The next link is really a bunch of links. Anton Chuvakin is a Gartner analyst who focuses on SIEM, security monitoring, and incident response. His analysis reports require a Gartner account to access, but he does share some of his research on his blog. Anton wrote numerous posts addressing: consuming threat intelligence, threat intelligence, and threat intelligence data. His post <a href="http://blogs.gartner.com/anton-chuvakin/2014/03/26/how-to-use-threat-intelligence-with-your-siem/">How to Use Threat Intelligence with Your SIEM?</a> talks about how SIEMs can consume threat intelligence data for an organization, and the post really hits home since this is one way I consume TI data. He also released the following posts related to threat intelligence:</span><br />
<br />
<span style="font-family: Verdana, sans-serif;"><u>Threat Intelligence</u></span><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;"><a href="http://blogs.gartner.com/anton-chuvakin/2014/03/20/on-internally-sourced-threat-intelligence/">On Internally-sourced Threat Intelligence</a> <br /><a href="http://blogs.gartner.com/anton-chuvakin/2014/03/14/delving-into-threat-actor-profiles">Delving into Threat Actor Profiles</a> <br /><a href="http://blogs.gartner.com/anton-chuvakin/2014/02/04/on-threat-intelligence-use-cases/">On Threat Intelligence Use Cases</a> <br /><a href="http://blogs.gartner.com/anton-chuvakin/2014/01/30/on-broad-types-of-threat-intelligence/">On Broad Types of Threat Intelligence</a> <br /><a href="http://blogs.gartner.com/anton-chuvakin/2014/01/28/threat-intelligence-is-not-signatures/">Threat Intelligence is NOT Signatures!</a> <br /><a href="http://blogs.gartner.com/anton-chuvakin/2014/01/15/the-conundrum-of-two-intelligences/">The Conundrum of Two Intelligences!</a></span><br />
<br />
<span style="font-family: Verdana, sans-serif;"><u>Threat Intelligence Data</u></span><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;"><a href="http://blogs.gartner.com/anton-chuvakin/2014/02/26/on-threat-intelligence-sources/">On Threat Intelligence Sources</a> <br /><a href="http://blogs.gartner.com/anton-chuvakin/2014/02/19/how-to-make-better-threat-intelligence-out-of-threat-intelligence-data/">How to Make Better Threat Intelligence Out of Threat Intelligence Data?</a> <br /><a href="http://blogs.gartner.com/anton-chuvakin/2014/01/07/on-comparing-threat-intelligence-feeds/">On Comparing Threat Intelligence Feeds</a> <br /><a href="http://blogs.gartner.com/anton-chuvakin/2013/03/22/consumption-of-shared-security-data/">Consumption of Shared Security Data</a> <br /><a href="http://blogs.gartner.com/anton-chuvakin/2013/04/04/from-ips-to-ttps/">From IPs to TTPs</a> </span><br />
<br />
<h3>
McAfee SIEM and Open Source Intelligence Data Feeds</h3>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">An easy way to consume open source threat intelligence data is by feeding it into a properly configured SIEM and correlating the data across an organization’s logs. The next few links explain one method to accomplish this with the McAfee SIEM (formerly known as Nitro). The SIEM stores intelligence data inside items called watchlists, and these watchlists can be dynamically updated with intelligence feeds. The post <a href="https://community.mcafee.com/docs/DOC-6972">Creating a Watchlist from Malc0de</a> shows how to create a dynamic watchlist populated with the Malc0de feed. I populate my dynamic watchlists using a script; there are always different ways to arrive at the same destination. The watchlist containing threat intelligence data can then be used in correlation. The next post <a href="https://community.mcafee.com/docs/DOC-6230">SIEM Foundations: Threat Feeds</a> walks you through creating a static watchlist (I don’t recommend this approach with intelligence feeds) followed by showing different ways to use the watchlist.</span><br />
<br />
<h3>
Splunk and Open Source Intelligence Data Feeds</h3>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Different SIEMs are able to consume threat intelligence data in different ways. The previous links were for McAfee SIEM and the next links are for Splunk. The Deep Impact post <a href="http://www.deepimpact.io/blog/splunkandfreeopen-sourcethreatintelligencefeeds">Splunk and Free Open-Source Threat Intelligence Feeds</a> “is a write-up for integrating some readily available free and open-source threat intelligence feeds and block lists into Splunk”. The thing I really liked about this post was the author not only explained how to perform this integration but he also released a script to help others do the same.</span><br />
<br />
<h3>
Bro and Open Source Intelligence Data Feeds</h3>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">To make use of open source intelligence data feeds you don’t need a SIEM technology. All you need is technology that can consume the data feeds you selected. The next link is a great example of that. Critical Stack has put together their <a href="https://intel.criticalstack.com/">Threat Intelligence for The Bro Platform</a>. I don't use Bro but I find this idea really slick. They set up a portal where you can log-in, review numerous open source intelligence feeds, select the feeds you want, and then create a subscription that gets ingested into Bro. This has really lowered the bar for people to use open source threat intelligence and even if you don't use Bro the portal is a nice reference for available data feeds.</span><br />
<br />
<h2>
Threat Intelligence Sharing Link</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Approaching intelligence driven security provides an organization with visibility into their environments. Visibility into the threats they face, the actual attacks conducted against their environment, and their security posture to defend against those threats. Not only does intelligence driven security result in the organization consuming external threat intelligence but it enables the organization to develop and maintain their own threat intelligence based on what they are seeing. Internally developed intelligence can be shared with others. The last link is the only one I had for intelligence sharing.</span><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<h3>
NIST Guide to Cyber Threat Information Sharing</h3>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">The NIST Special Publication 800-150 <a href="http://csrc.nist.gov/publications/drafts/800-150/sp800_150_draft.pdf">Guide to Cyber Threat Information Sharing</a> (in draft format at the time of this post) expands on the NIST Computer Security Incident Handling Guide by exploring "information sharing, coordination, and collaboration as part of the incident response life cycle". The guide is broken down into the following parts: incident coordination and information sharing overview, understanding current cybersecurity capabilities, and establishing, maintaining, and using information sharing relationships. The guide might be of value for those interested in a more formalized approach to intelligence sharing.</span><br />
<span style="font-family: Verdana;"></span><br />
<h2>
***** 07/01/15 Addendum *****</h2>
<br />
<span style="font-family: Verdana;">In response to this post the author of the CYINT Analysis blog pointed me to the threat intelligence resources webpage they put together. The webpage contains additional resources I didn't discuss in this post and numerous others I wasn't aware of. I wanted to update this post to point to the CYINT Analysis resources webpage.</span><br />
<br />
<h2>
Security Monitoring with Attack Behavior Based Signatures</h2>
<span style="font-family: Verdana, sans-serif;">Posted by Corey Harrell, 2015-05-25</span><br />
<span style="font-family: Verdana, sans-serif;">Coaches and athletes both gather intelligence against their upcoming opponent by watching game film. Based on what they learn, they adjust their strategies to account for their opponent’s strengths, weaknesses, and tendencies. The analogy about watching game film does not translate well to information security. In sports, the film study is to identify a single opponent’s tendencies, while in information security there is no film for the numerous threats a company is up against on a weekly basis. However, the concept of watching an opponent's techniques to identify tendencies does translate. These tendencies are how they compromise systems, and identifying those tendencies enables a company to adjust their security monitoring program. Companies can have the visibility to detect threats in their environment even when those threats are new or unknown. Attaining this level of visibility is possible by leveraging attack behavior based signatures in security monitoring. </span><br />
<br />
<h2>
Attack Vectors</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;"><a href="http://searchsecurity.techtarget.com/definition/attack-vector">SearchSecurity defines an attack vector</a> as "a path or means by which a hacker (or cracker) can gain access to a computer or network server in order to deliver a payload or malicious outcome." Based on this definition, the attack vector is broken down into three separate components. The path or means is the exploit used, the payload is the outcome of the exploit, and the delivery mechanism is what delivers the exploit and/or the payload to the target. The definition combines the delivery mechanism and exploit together but in reality these are separated.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">As defenders, exploring attack vectors enables us to better protect systems, detect when systems are under attack, and determine how systems are compromised. The <a href="http://journeyintoir.blogspot.com/2015/03/compromised-root-cause-analysis-model.html">Compromised Root Cause Analysis Model</a> goes into detail about identifying and understanding the artifacts left on a compromised system to determine the attack vector used in the attack. This post goes into detail about how exploring attack vectors can be used to determine when systems are under attack.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">When attacking a system the attacker is constrained to the environment they are targeting. In this environment, certain actions behave the same way every time they are performed because the behavior is dictated by the operating system. Since the behavior occurs every time the action is performed, the activity is detectable. The attacker controls the exploit and payload, so these can be changed to make detection harder. However, the delivery mechanism component of the attack vector is susceptible to security monitoring in the Windows operating system. The delivery mechanism depends on the operating system, which is the environment the attacker is constrained to. Each time the attacker uses that delivery mechanism, the same activity occurs in the operating system. This is the activity detected when using attack behavior based signatures.</span><br />
<br />
<h2>
Delivery Mechanism: Malicious Word Document</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">To elaborate on delivery mechanisms resulting in the same activity, an example is needed. Word documents are a mechanism used by attackers to compromise systems. The exploits in Word documents vary from macros to hyperlinks to Microsoft Word exploits. The payloads vary even more since an attacker can use anything. Case in point, some attackers use <a href="https://isc.sans.edu/forums/diary/Dridex+Phishing+Campaign+uses+Malicious+Word+Documents/19011/">the Dridex malware</a> as the payload while other attackers use <a href="http://www.threattracksecurity.com/it-blog/dyre-botnet-using-malicious-microsoft-word-macros/">the Dyre malware</a>. Traditional signature detection mechanisms try to keep pace with the changes attackers introduce in the exploit or payload. Attack behavior based signatures instead focus on the delivery mechanism’s interaction with the operating system: the activity caused by the Word document executing in the Windows operating system to deliver malware. This behavior remains the same no matter how much obfuscation or encryption attackers use to conceal the exploit and/or payload. To demonstrate this behavior, what follows is a walkthrough of the activity of a malicious Word document being used as a delivery mechanism, with the activity monitored by the <a href="https://technet.microsoft.com/en-us/sysinternals/dn798348">Microsoft Sysmon software</a>. The sample used in this walkthrough is the <a href="https://malwr.com/analysis/ZTZlMDA1ZDExMGFhNDAwZTkyYmI0ODc4NWM5N2I5NGU/">malicious document MD5 d89c0affa2c1b5eff1bfe55b011bbaa8</a> obtained from <a href="https://malwr.com/">Malwr.com</a>.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">To compromise a system the malicious document needs to be executed. The picture below shows what occurs when the document is executed by the user. Upon execution, the user's shell (Explorer.exe) creates a process for the program that is the default reader for Word documents (files ending in .doc). In this instance and similar to most systems in enterprise environments, the default reader is Microsoft Word and the program's executable is named WINWORD.EXE.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBmJBb2SVPwywyXGh5VhwlDIzrQAcY43TRAAALMJpGAGgX74LTwT2HgyLclzTNWhdmMn-fdtz5l_gMIHE7zSmrmkV-GAqH8ua7lko8iCXbbV4BpKpQVmZp65MEYzgJHKlEWVNpFV_iLkg/s1600/1.+word-starting.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="310" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBmJBb2SVPwywyXGh5VhwlDIzrQAcY43TRAAALMJpGAGgX74LTwT2HgyLclzTNWhdmMn-fdtz5l_gMIHE7zSmrmkV-GAqH8ua7lko8iCXbbV4BpKpQVmZp65MEYzgJHKlEWVNpFV_iLkg/s640/1.+word-starting.jpg" width="640" /></a></div>
<br />
<span style="font-family: Verdana, sans-serif;">At some point after the WINWORD.EXE process creation, the exploit in the document is run. Again, the exploit varies from macros to links to Microsoft Word exploits to embedded executables. Regardless of the exploit used, the activity of using Word as a delivery mechanism is the same and is shown in the picture below. Microsoft Word creates a child process for the payload of the attack. In this instance, WINWORD.EXE creates the process for the file kiramin86.exe inside a user profile's temp folder.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPPIQ3IYPP2O06LVEVirVSLH5tTgytUegK9Lhr6rtK7H8Nk_4NSuKK8a2600e5yW3FGgMm6VXFFa95q9Bz8q4Uu5ywG9BhuPk1r0YgkyHaoYdLE_mxS9YfcDe72EB_yr784D0WrlA2lK8/s1600/2.+word-executing-binary.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="312" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPPIQ3IYPP2O06LVEVirVSLH5tTgytUegK9Lhr6rtK7H8Nk_4NSuKK8a2600e5yW3FGgMm6VXFFa95q9Bz8q4Uu5ywG9BhuPk1r0YgkyHaoYdLE_mxS9YfcDe72EB_yr784D0WrlA2lK8/s640/2.+word-executing-binary.jpg" width="640" /></a></div>
<br />
<span style="font-family: Verdana, sans-serif;">This is the activity that is susceptible to security monitoring: Microsoft Word (WINWORD.EXE) being the parent of another process that is a Windows binary (e.g. exe, pif, dll). Depending on the organization, this activity is the anomaly, since Microsoft Word may rarely be the parent process of another executable or try to execute another executable. This is the type of activity attack behavior based signatures can focus on to detect new and unknown threats. The signature can be narrowed down even further to make it more accurate - such as focusing on executables in user profiles - but in essence this is the activity being detected. The signature is able to detect attack vectors using Word documents as delivery mechanisms even if the exploit and payloads are different.</span><br />
<br />
<h3>
Technique Detection: Bypassing UAC</h3>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Attack behavior based signatures are not limited to detecting the attack vector’s delivery mechanism. The concept can be applied to other techniques used by the attacker. At times attackers leverage techniques to bypass Windows User Account Control (UAC). UAC is a feature in Windows where every application run under an administrator user account only runs in the context of a standard user. Bypassing UAC is a way for attackers to elevate their standard user privileges to administrator privileges. (For more information on UAC see the post <a href="http://journeyintoir.blogspot.com/2013/03/uac-impact-on-malware.html">UAC Impact on Malware</a>.) The malicious document used in the previous walkthrough delivers the Dridex malware, and this malware has a UAC bypass.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">The May 12, 2015 post <a href="http://blog.jpcert.or.jp/2015/05/a-new-uac-bypass-method-that-dridex-uses.html">A New UAC Bypass Method that Dridex Uses</a> outlines the current technique Dridex uses to bypass UAC. The article stated the following about how Dridex uses the application compatibility database to bypass UAC:</span><br />
<br />
<span style="font-family: Verdana, sans-serif;"><em>"An application compatibility database is a file that configures execution rules for applications that have compatibility issues. These files have an extension of sdb. Dridex leverages this feature to bypass UAC."</em></span><br />
<em></em><br />
<span style="font-family: Verdana, sans-serif;"><em>"Dridex uses the sdbinst command to install/uninstall application compatibility databases to install $$$.sdb."</em></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">This UAC bypass technique is constrained to the Windows environment and results in the same activity occurring in the operating system. The picture below shows the activity. The sdbinst.exe process is created, and the command line used to create the process points to an application compatibility database file (.sdb) inside the user profile. It’s activity that occurs every time, so it is susceptible to detection through security monitoring. The signature’s logic could be the image value containing “sdbinst.exe” and the command line containing an .sdb file in a user profile.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLqe6gj169hChIr_sLDPqO5eyPBJJtVjysHiH4m9XCh1M_CRyu0TBm-FEJaQEnRkTvWqp_QDm4kaXMsyi9tkIGanT0dAOECwMulruK8u_yPaZRoCufxK-PXaq4aXRYzGGnYNb0sx_AhrI/s1600/3+bypassing_uac_2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="308" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLqe6gj169hChIr_sLDPqO5eyPBJJtVjysHiH4m9XCh1M_CRyu0TBm-FEJaQEnRkTvWqp_QDm4kaXMsyi9tkIGanT0dAOECwMulruK8u_yPaZRoCufxK-PXaq4aXRYzGGnYNb0sx_AhrI/s640/3+bypassing_uac_2.jpg" width="640" /></a></div>
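<span style="font-family: Verdana, sans-serif;">The two signatures from the walkthroughs above (WINWORD.EXE as the parent of a Windows binary, and sdbinst.exe pointed at an .sdb inside a user profile) written as detection logic run over Sysmon Event ID 1 records, as an added example that is not code from the original post or from Sysmon. The Key: Value message parsing, the C:\Users profile layout, the splwow64.exe tuning entry, and every sample event are assumptions constructed for this example.</span><br />

```python
# Attack-behavior signatures over Sysmon process-creation (Event ID 1) records.
# Added example for this post; not code from the original article or from Sysmon.
# The 'Key: Value' message layout and every sample event below are constructed to
# mirror the two walkthroughs (WINWORD.EXE spawning kiramin86.exe, and sdbinst.exe
# installing $$$.sdb from a user profile).
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Event = Dict[str, str]

# Extensions the post calls out as Windows binaries.
WIN_BINARY = re.compile(r"\.(exe|pif|dll)$", re.I)
# Match the file name only: WINWORD.EXE sits in different folders for 32-bit and
# 64-bit Office, which is why the post wants regex or wildcard support.
WINWORD = re.compile(r"\\winword\.exe$", re.I)
SDBINST = re.compile(r"\\sdbinst\.exe$", re.I)
# A path inside a user profile. Assumption: the Vista-and-later C:\Users layout.
USER_PROFILE = r"[a-z]:\\users\\[^\\]+\\"

def parse_sysmon_message(text: str) -> Event:
    """Turn the rendered 'Key: Value' lines of a Sysmon event into a dict."""
    ev: Event = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() and " " not in key.strip():
            ev[key.strip()] = value.strip()
    return ev

@dataclass
class Signature:
    name: str
    match: Callable[[Event], bool]
    # Known-good child images added after triage of recurring false positives.
    exclusions: List[str] = field(default_factory=list)

    def hits(self, ev: Event) -> bool:
        if not self.match(ev):
            return False
        return not any(re.search(p, ev.get("Image", ""), re.I) for p in self.exclusions)

def word_spawns_binary(ev: Event) -> bool:
    """Delivery mechanism: Microsoft Word is the parent of a Windows binary."""
    return bool(WINWORD.search(ev.get("ParentImage", ""))
                and WIN_BINARY.search(ev.get("Image", "")))

def word_spawns_binary_in_profile(ev: Event) -> bool:
    """Narrower variant: the child binary lives inside a user profile."""
    return word_spawns_binary(ev) and bool(
        re.search(USER_PROFILE, ev.get("Image", ""), re.I))

def sdbinst_installs_user_sdb(ev: Event) -> bool:
    """UAC bypass technique: sdbinst.exe pointed at an .sdb inside a user profile."""
    return bool(SDBINST.search(ev.get("Image", "")) and re.search(
        USER_PROFILE + r".*?\.sdb\b", ev.get("CommandLine", ""), re.I))

SIGNATURES = [
    # The splwow64.exe exclusion stands in for a tuning entry added after triage.
    Signature("winword_spawns_binary", word_spawns_binary,
              exclusions=[r"\\splwow64\.exe$"]),
    Signature("winword_spawns_binary_in_user_profile", word_spawns_binary_in_profile),
    Signature("sdbinst_user_profile_sdb", sdbinst_installs_user_sdb),
]

def run_signatures(messages: List[str], signatures=SIGNATURES) -> Dict[str, List[str]]:
    """Map each signature name to the ProcessId of every event it flagged."""
    flagged: Dict[str, List[str]] = {s.name: [] for s in signatures}
    for msg in messages:
        ev = parse_sysmon_message(msg)
        for sig in signatures:
            if sig.hits(ev):
                flagged[sig.name].append(ev.get("ProcessId", "?"))
    return flagged

def event(pid: int, image: str, cmd: str, parent: str) -> str:
    """Build a Sysmon-style Event ID 1 message (constructed, not captured)."""
    return (f"Process Create:\nUtcTime: 2015-05-01 13:00:00.000\nProcessId: {pid}\n"
            f"Image: {image}\nCommandLine: {cmd}\nParentImage: {parent}\n")

WORD = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    # 1. The user opens the document: Explorer starts Word. Expected: no hit.
    event(1804, WORD, f'"{WORD}" /n "C:\\Users\\alice\\Downloads\\invoice.doc"',
          r"C:\Windows\explorer.exe"),
    # 2. Word runs the payload from the temp folder. Expected: both Word signatures.
    event(2240, TEMP + r"\kiramin86.exe", f'"{TEMP}\\kiramin86.exe"', WORD),
    # 3. Word printing through splwow64.exe. Expected: suppressed by the exclusion.
    event(2512, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288", WORD),
    # 4. The payload installs a shim database from the profile. Expected: sdbinst hit.
    event(2300, r"C:\Windows\System32\sdbinst.exe", f'sdbinst.exe -q "{TEMP}\\$$$.sdb"',
          TEMP + r"\kiramin86.exe"),
    # 5. An admin installs a vendor shim from ProgramData. Expected: no hit.
    event(3100, r"C:\Windows\System32\sdbinst.exe",
          r"sdbinst.exe -q C:\ProgramData\Vendor\fix.sdb", r"C:\Windows\System32\cmd.exe"),
]
```

<span style="font-family: Verdana, sans-serif;">Running run_signatures(SAMPLE_EVENTS) flags only process 2240 on the two Word signatures and only process 2300 on the sdbinst signature; the splwow64.exe child matches the base Word rule but is dropped by the exclusion list, which is where recurring false positives found in triage would be recorded.</span><br />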
<br />
<h2>
Leveraging Attack Behavior Based Signatures</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Leveraging attack behavior based signatures in security monitoring to detect new and unknown threats is achievable. The approach requires technology to provide visibility on enterprise endpoints, and the backend needs technology for the collection and analysis of the logs from those endpoints. The technology on the endpoint needs to provide visibility into Windows processes and the files those processes interact with. This article leveraged the Microsoft Sysmon utility since it is freely available to anyone and was suggested to me by <a href="http://windowsir.blogspot.com/">Harlan Carvey</a>. Other options are available for the endpoints, including existing agents that may already be deployed in enterprises. The technology for the collection and analysis of logs from the endpoints needs to support regex or wildcards for querying the logs to identify the attack patterns. Attack behavior based signatures tend to focus on characteristics of the processes involved in the attack activity. For malicious documents with Microsoft Word installed on the endpoint, the focus is on WINWORD.EXE and not necessarily the entire file path, since this executable can be located in different folders (e.g. 32-bit versus 64-bit Word programs). Regex or wildcard support in queries enables this type of flexibility when building detection signatures.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Another consideration is that attack behavior based signatures need to be used in layers customized to an enterprise. The walkthrough only demonstrated one signature for Word documents, but there are numerous other attack vectors to account for. Each attack vector needs to be customized to the enterprise to account for the software installed on its endpoints. Further customization is needed since, by their nature, attack behavior based signatures result in false positives. The signatures detect patterns in the activity involving Windows processes, and this activity can be either malicious or normal behavior. To identify false positives, triage processes need to evaluate the activity flagged by the signatures to determine whether it is a false positive or a security event. For recurring false positives, the signatures need to be tuned to reduce the noise from normal behavior.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Despite the technology, process, and customization challenges, leveraging attack behavior based signatures in security monitoring can be an effective approach for detecting new and unknown threats. The techniques used by attackers are constrained to our environments, and those techniques cause activity on our systems that may be susceptible to detection. It just requires us to identify the activity susceptible to detection, build signatures to detect it, and then share them with others to help improve their monitoring capabilities.</span><br />
<br />
Introducing the Active Threat Search (Corey Harrell, 2015-05-11)<br />
<span style="font-family: Verdana, sans-serif;">Have you found yourself looking at a potential security event and wishing there was more context? The security event could be an IDS/IPS triggering on network activity, antivirus software flagging a file, or a SIEM rule alarming on activity in logs. By itself the security event may not provide the bigger picture about the activity. Has anyone else seen the same activity? Where did the file come from? Is the event part of a mass attack or is it unique? Being able to run queries on certain security event indicators can go a long way in providing context to what you are seeing. This post is the formal introduction of the <a href="https://cse.google.com/cse/publicurl?cx=011905220571137173365:eo5wzloxe_m">Active Threat Search</a> that can help you identify this context.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">The <a href="https://cse.google.com/cse/publicurl?cx=011905220571137173365:eo5wzloxe_m">Active Threat Search</a> is another Custom Google search. Similar to the <a href="https://cse.google.com/cse/home?cx=011905220571137173365:7eskxxzhjj8">Digital Forensic Search</a>, <a href="https://cse.google.com/cse/home?cx=011905220571137173365:3dje3l3s8wk">Vulnerability Search</a>, and <a href="https://cse.google.com/cse/home?cx=011750002002865445766:pc60zx1rliu">Malware Analysis Search</a> (by <a href="http://hooked-on-mnemonics.blogspot.com/2010/11/malware-analysis-search.html">Hooked on Mnemonics Worked for Me</a>), the Active Threat Search harnesses the collective knowledge and research of the people/organizations who openly share intelligence information.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">To demonstrate how context can be provided, let’s say the IDS/IPS tripped on numerous connection attempts being made to a server running SSH. This security event could mean a few things. Someone may have forgotten their credentials and tried numerous times to log in, or someone (or something) found the open SSH port on the server and tried numerous times to log in. The bigger picture may not be readily apparent, so additional context is needed. A search on the source IP address that triggered the IDS/IPS alert in the Active Threat Search may show something similar to the image below:</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiYgsj-0u_E9oVDHuDxzjcVo6pmYPbA-rWbp9cXtLryx2S8udo4zvGgOJ1DQcVs2BXzZ2aIsyvgzJ0r1bVN6Nxqdv9QBcEXZhbc1-kV0S2eBclRctU1ORCoNeYhsIezGtbqApe0mJdkas/s1600/1.+SSH+IP+Search.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiYgsj-0u_E9oVDHuDxzjcVo6pmYPbA-rWbp9cXtLryx2S8udo4zvGgOJ1DQcVs2BXzZ2aIsyvgzJ0r1bVN6Nxqdv9QBcEXZhbc1-kV0S2eBclRctU1ORCoNeYhsIezGtbqApe0mJdkas/s640/1.+SSH+IP+Search.jpg" width="640" /></a></div>
<br />
<span style="font-family: Verdana, sans-serif;">The search on the source IP address provides a wealth of context for the security event. The same source IP address has attempted attacks against other systems. This means the security event was something trying to log in to the server and not someone forgetting their password. Context changes everything and the Active Threat Search at times can help provide this context.</span><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">The Active Threat Search can be found at the top of jIIr or directly at this link:</span><br />
<span style="font-family: Verdana, sans-serif;"><a href="https://cse.google.com/cse/publicurl?cx=011905220571137173365:eo5wzloxe_m">https://cse.google.com/cse/publicurl?cx=011905220571137173365:eo5wzloxe_m</a></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">**********Sites Last Updated on 05/24/2015**********</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">The following is the listing of sites indexed by the Active Threat Search and this section will be continuously updated.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Bambenek Consulting </span><a href="http://osint.bambenekconsulting.com/feeds/"><span style="font-family: Verdana, sans-serif;">http://osint.bambenekconsulting.com/feeds/</span></a><br />
<span style="font-family: Verdana, sans-serif;">Binary Defense Systems <a href="http://www.binarydefense.com/banlist.txt">http://www.binarydefense.com/banlist.txt</a></span><br />
<span style="font-family: Verdana, sans-serif;">Blocklist.de </span><a href="http://www.blocklist.de/"><span style="font-family: Verdana, sans-serif;">http://www.blocklist.de</span></a><br />
<span style="font-family: Verdana, sans-serif;">Cisco Threat Intelligence </span><a href="http://tools.cisco.com/security/center/"><span style="font-family: Verdana, sans-serif;">http://tools.cisco.com/security/center/</span></a><br />
<span style="font-family: Verdana, sans-serif;">Cyber Crime </span><a href="http://cybercrime-tracker.net/"><span style="font-family: Verdana, sans-serif;">http://cybercrime-tracker.net/</span></a><br />
<span style="font-family: Verdana, sans-serif;">Dragon Research Group </span><a href="http://dragonresearchgroup.org/insight/"><span style="font-family: Verdana, sans-serif;">http://dragonresearchgroup.org/insight/</span></a><br />
<span style="font-family: Verdana, sans-serif;">Dshield </span><a href="https://dshield.org/"><span style="font-family: Verdana, sans-serif;">https://dshield.org/</span></a><br />
<span style="font-family: Verdana, sans-serif;">Dynamoo's Blog </span><a href="http://blog.dynamoo.com/"><span style="font-family: Verdana, sans-serif;">http://blog.dynamoo.com/</span></a><br />
<span style="font-family: Verdana, sans-serif;">Emerging Threats </span><a href="http://rules.emergingthreats.net/"><span style="font-family: Verdana, sans-serif;">http://rules.emergingthreats.net/</span></a><br />
<span style="font-family: Verdana, sans-serif;">Emerging Threats List </span><a href="https://lists.emergingthreats.net/pipermail/emerging-sigs"><span style="font-family: Verdana, sans-serif;">https://lists.emergingthreats.net/pipermail/emerging-sigs</span></a><br />
<span style="font-family: Verdana, sans-serif;">Feodo Tracker </span><a href="https://feodotracker.abuse.ch/"><span style="font-family: Verdana, sans-serif;">https://feodotracker.abuse.ch/</span></a><br />
<span style="font-family: Verdana, sans-serif;">hpHosts </span><a href="http://hosts-file.net/"><span style="font-family: Verdana, sans-serif;">http://hosts-file.net/</span></a><br />
<span style="font-family: Verdana, sans-serif;">Malc0de Database </span><a href="http://malc0de.com/database/"><span style="font-family: Verdana, sans-serif;">http://malc0de.com/database/</span></a><br />
<span style="font-family: Verdana, sans-serif;">Malware Domain List </span><a href="http://www.malwaredomainlist.com/"><span style="font-family: Verdana, sans-serif;">http://www.malwaredomainlist.com</span></a><br />
<span style="font-family: Verdana, sans-serif;">MalwareDomains </span><a href="http://www.malwaredomains.com/"><span style="font-family: Verdana, sans-serif;">http://www.malwaredomains.com/</span></a><br />
<span style="font-family: Verdana, sans-serif;">Malware-Traffic-Analysis </span><a href="http://www.malware-traffic-analysis.net/"><span style="font-family: Verdana, sans-serif;">http://www.malware-traffic-analysis.net</span></a><br />
<span style="font-family: Verdana, sans-serif;">McAfee Threat Intelligence </span><a href="http://www.mcafee.com/threat-intelligence"><span style="font-family: Verdana, sans-serif;">http://www.mcafee.com/threat-intelligence</span></a><br />
<span style="font-family: Verdana, sans-serif;">Malware URLs <a href="http://malwareurls.joxeankoret.com/">http://malwareurls.joxeankoret.com/</a></span><br />
<span style="font-family: Verdana, sans-serif;">Multiproxy </span><a href="http://multiproxy.org/"><span style="font-family: Verdana, sans-serif;">http://multiproxy.org</span></a><br />
<span style="font-family: Verdana, sans-serif;">MX Lab </span><a href="http://blog.mxlab.eu/"><span style="font-family: Verdana, sans-serif;">http://blog.mxlab.eu/</span></a><br />
<span style="font-family: Verdana, sans-serif;">OpenBL </span><a href="http://www.us.openbl.org/"><span style="font-family: Verdana, sans-serif;">http://www.us.openbl.org/</span></a><br />
<span style="font-family: Verdana, sans-serif;">OpenPhish </span><a href="https://openphish.com/"><span style="font-family: Verdana, sans-serif;">https://openphish.com/</span></a><br />
<span style="font-family: Verdana, sans-serif;">Palevo Tracker </span><a href="https://palevotracker.abuse.ch/"><span style="font-family: Verdana, sans-serif;">https://palevotracker.abuse.ch/</span></a><br />
<span style="font-family: Verdana, sans-serif;">Phish Tank </span><a href="http://www.phishtank.com/"><span style="font-family: Verdana, sans-serif;">http://www.phishtank.com</span></a><br />
<span style="font-family: Verdana, sans-serif;">Project Honeypot </span><a href="https://www.projecthoneypot.org/"><span style="font-family: Verdana, sans-serif;">https://www.projecthoneypot.org</span></a><br />
<span style="font-family: Verdana, sans-serif;">SPAM404 </span><a href="http://www.spam404.com/"><span style="font-family: Verdana, sans-serif;">http://www.spam404.com/</span></a><br />
<span style="font-family: Verdana, sans-serif;">SPAMHAUS </span><a href="http://www.spamhaus.org/"><span style="font-family: Verdana, sans-serif;">www.spamhaus.org</span></a><br />
<span style="font-family: Verdana, sans-serif;">SSL Blacklist <a href="https://sslbl.abuse.ch/blacklist/">https://sslbl.abuse.ch/blacklist/</a></span><br />
<span style="font-family: Verdana, sans-serif;">Tor Exit Addresses </span><a href="https://check.torproject.org/exit-addresses"><span style="font-family: Verdana, sans-serif;">https://check.torproject.org/exit-addresses</span></a><br />
<span style="font-family: Verdana, sans-serif;">URLQuery </span><a href="http://urlquery.net/"><span style="font-family: Verdana, sans-serif;">http://urlquery.net</span></a><br />
<span style="font-family: Verdana, sans-serif;">VirusTotal </span><a href="http://www.virustotal.com/"><span style="font-family: Verdana, sans-serif;">http://www.virustotal.com</span></a><br />
<span style="font-family: Verdana, sans-serif;">VX Vault </span><a href="http://vxvault.net/"><span style="font-family: Verdana, sans-serif;">http://vxvault.net/</span></a><br />
<span style="font-family: Verdana, sans-serif;">Zeus Tracker </span><a href="https://zeustracker.abuse.ch/"><span style="font-family: Verdana, sans-serif;">https://zeustracker.abuse.ch/</span></a><br />
<br />
Making Incident Response a Security Program Enabler (Corey Harrell, 2015-04-26)<br />
<span style="font-family: Verdana, sans-serif;">Incident response is frequently viewed as a reactive process. As soon as something bad happens, the incident response process is activated to respond to what occurred. This view is similar to insurance. Every month we spend money on buying insurance so it is available when we need it. It doesn’t matter if the insurance gets used once in a year or not at all; money is still spent on a monthly basis to buy it. In a way, it’s easy to see the similarity to the incident response process. Resources - such as staffing and technology - are invested in the incident response process. In some organizations there is a sizable investment while in others very little. The hope is that something is available when the organization needs it. How can one change an organization’s view of incident response? How can you take a traditional reactive process and make it into a proactive process that’s an enabler for the organization’s information security program? This post discusses one approach to make incident response a security enabler by addressing: continuous incident response, incident response metrics, root cause analysis, and data analytics.</span><br />
<h2>
Continuous Incident Response</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">The traditional incident response models resemble the incident response lifecycle illustrated below that was obtained from the <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf">NIST Computer Security Incident Handling Guide</a>.</span><br />
<span style="font-family: Verdana;"></span><br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhixFG6Y9HyfE_E3IzCP0SYu4dxAFNYCkKLs6xkqN9QqkQ2ncSsVkdYu6aI0pIkT74UEC4hQiNNE8Iv538PcOuRDjq48cnXemHKVOmxVgKtoIE7CivIAd8UviuATimWVtHkTI3wYbCXeVc/s1600/1+NIST+incident+response+lifecycle.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhixFG6Y9HyfE_E3IzCP0SYu4dxAFNYCkKLs6xkqN9QqkQ2ncSsVkdYu6aI0pIkT74UEC4hQiNNE8Iv538PcOuRDjq48cnXemHKVOmxVgKtoIE7CivIAd8UviuATimWVtHkTI3wYbCXeVc/s1600/1+NIST+incident+response+lifecycle.jpg" height="324" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Image obtained from <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf">http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf</a> </td></tr>
</tbody></table>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">The first phase involves the organization preparing for future incidents. The next phase is when an incident is detected and analyzed. This is followed by the containment, eradication, and recovery activities. At times when trying to remediate an incident, activities cycle back to detection and analysis to determine if the incident was resolved. After the incident is eradicated and the organization returns to normal operations, a post-incident activity is performed to see what did and didn't work out as planned. The lifecycle represents the traditional approach to incident response: incident detected -> organization responds -> incident eradicated -> organization returns to normal operations. This is the traditional reactive incident response process, where the assumption is that nothing is going on until an incident is detected, and after the incident is resolved it goes back to assuming nothing is going on.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">To take a traditional reactive incident response process and make it into a proactive process requires incident response to be seen in a different light. Organizations are under constant attack, from daily malware infections to daily probing to daily exploit attempts to daily potential unauthorized access attempts. The model is no longer linear, where an organization is waiting to detect an incident and then returning to normal operations. The new normal is being under constant attack and being at different stages in the incident response process concurrently. Richard Bejtlich stated in his book <a href="http://www.nostarch.com/nsm">The Practice of Network Security Monitoring</a> on page 188 regarding the model below: </span><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">“<em>the workflow in Figure 9-2 appears orderly and linear, but that’s typically not the case in real life. In fact, all phases of the detection and response processes may occur at the same time. Sometimes, multiple incidents are occurring; other times, the same incident occupies all four stages at once</em>.”</span><br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsVCMPS7hCD7GI-kI9g-uB0Ru2R-4s4E0VGGxv2Iq2A7j3LrJy6KJXcSoVF0sHlq4HnuCtyrFp-jePAIai3ykoq7lMP1TRpEoyjVSV9bAWnLqBm3yERgqisP674LzUqXLVS0-Dwn_7xKw/s1600/2+Bejtlich+NSM+Practice.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsVCMPS7hCD7GI-kI9g-uB0Ru2R-4s4E0VGGxv2Iq2A7j3LrJy6KJXcSoVF0sHlq4HnuCtyrFp-jePAIai3ykoq7lMP1TRpEoyjVSV9bAWnLqBm3yERgqisP674LzUqXLVS0-Dwn_7xKw/s1600/2+Bejtlich+NSM+Practice.jpg" height="412" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Image obtained from <a href="http://www.nostarch.com/nsm">http://www.nostarch.com/nsm</a></td></tr>
</tbody></table>
<br />
<span style="font-family: Verdana, sans-serif;">Richard expressed incident response is not a linear process with a start and end; on the contrary the process can be at different phases at the same time dealing with different incidents. Anton Chuvakin also touched on the non-linear incident response process in his post <a href="http://blogs.gartner.com/anton-chuvakin/2013/06/05/incident-response-the-death-of-a-straight-line/">Incident Response: The Death of a Straight Line</a>. Not only did he say that the “ “normal -> incident -> back to normal” is no more” but he summed up the situation organizations find themselves in.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;"><em>“While some will try to draw a clear line between monitoring (before/after the incident) and incident response (during the incident), the line is getting much blurrier than many think. Ongoing indicator scans (based on external and internal sources), malware and artifact reversing, network forensics “hunting”, etc all blur the line and become continuous incident response activities.”</em></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">The light incident response needs to be seen in is that it is a continuous process instead of a linear one. Incident response is not something that starts and ends but is an ongoing cyclical process where an organization is constantly detecting and responding to incidents. This resembles David Bianco's Intel-Driven Operations Cycle model shown below, which was obtained from his <a href="https://speakerdeck.com/davidjbianco/the-pyramid-of-pain-intel-driven-detection-and-response-to-increase-your-adversarys-cost-of-operations">The Pyramid of Pain Intel-Driven Detection and Response to Increase Your Adversary's Cost of Operations</a> presentation.</span><br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNFfqRtwm9UjRq6G5vTYsz2bhgw5MoyId70rWWZlTdJMUIxq8aU5Ud0Vnv1HPc-_DkdPKjgzIymaOUDCZvN1JdVv5WI7tyFNhcfgsCVvDb8BCnduYrJv2Zc3FQbivJ4fw-vNNCY_6sCcA/s1600/3+Bianco+the+Intel-Driven+Operations+Cycle.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNFfqRtwm9UjRq6G5vTYsz2bhgw5MoyId70rWWZlTdJMUIxq8aU5Ud0Vnv1HPc-_DkdPKjgzIymaOUDCZvN1JdVv5WI7tyFNhcfgsCVvDb8BCnduYrJv2Zc3FQbivJ4fw-vNNCY_6sCcA/s1600/3+Bianco+the+Intel-Driven+Operations+Cycle.jpg" height="420" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Image obtained from <a href="https://speakerdeck.com/davidjbianco/the-pyramid-of-pain-intel-driven-detection-and-response-to-increase-your-adversarys-cost-of-operations">https://speakerdeck.com/davidjbianco/the-pyramid-of-pain-intel-driven-detection-and-response-to-increase-your-adversarys-cost-of-operations</a></td></tr>
</tbody></table>
<br />
<span style="font-family: Verdana, sans-serif;">Seeing incident response as a continuous process is something everyone must do, from security practitioners to incident responders to management. Changing people’s perspectives on incident response will take time, and every opportunity to sell it will need to be seized (don’t sell FUD, but lay out the actual threat environment we find ourselves in). In time the conversation will go from viewing incident response as insurance that may or may not be needed to viewing incident response as continuous, where people are detecting and responding to the daily security incidents. The conversation will go from “do we really need to invest in this since we only had a few incidents last year” to “we are continuing to see these incidents due to this security weakness, so how can we address it since it’s an area of concern.”</span><br />
<br />
<h2>
Operationalize Incident Response Information</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Changing the view of incident response from a linear process to a continuous one is not enough to make it a security program enabler. To be a security program enabler, incident response needs to contribute to the organization’s security strategy to help influence where security resources are focused. Too often incident response tries to influence the security strategy in a reactive manner. The reactive process resembles the following: incident detected -> organization responds -> incident eradicated -> organization returns to normal operations -> incident response recommendations provided. The attempts to influence the security strategy are based on the most recent incident. In essence, recommendations are being made based on a single event instead of being made based on trends from numerous events. Don’t get me wrong, there are times when recommendations from a single event do influence the security strategy, but to make incident response a security program enabler there needs to be more.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">To reinforce this point, a story about a local credit union from years ago may help. The credit union happened to be located at a busy intersection; its location was very accessible by bus, car, bike, and on foot. One day a person walked into the credit union, handed the teller a note, and then walked out with money. As an outsider looking at this single event, nothing drastic was implemented from any recommendations based on this single robbery. The next week a similar event occurred again, with someone handing the teller a note and walking out with cash. This occurred a few more times and each robbery was very similar: a person handing a note to the teller without any visible weapon shown. The credit union looked at all the robberies and must have seen this pattern. In response, the credit union implemented a compensating control: double doors to trap any individual as they try to exit the bank. After this control was implemented the robberies stopped. This story shows how incident response can become a security program enabler. The first robbery was a single event and the recommendation may have been to install trap doors. However, installing trap doors takes essential resources from other areas and this may not be in the best interest of the organization. As more data is collected from different events, a pattern emerges. Now taking essential resources from other areas is an easier decision, since the data analysis shows installing trap doors is not addressing a single event but a recurring issue.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">The continuous incident response process needs to move from only providing reactive recommendations to producing intelligence by operationalizing the information produced by enterprise incident response and detection processes. To accomplish this, data and information need to be captured from the ongoing detection and response activities. Then this data and information is analyzed to produce intelligence to be used by the security program. Some intelligence is used by the response and detection processes themselves, but other intelligence (especially intelligence developed through trend analysis) is reported to appropriate parties to influence the organization’s security strategy. Operationalizing incident response information results in creating intelligence at various levels in the intelligence pyramid.</span><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisx6uONKpnxjqTv56gKh7eCcY6luMKJwUJlZ2C8DnjNuYQn56FG2GFUyj1GI0ZUiVzy0WqfuDqpdGcd5kCa3p6qCx8GtfTe7tUdbfmKhsqdnHuaA2qQMJ0AOeBoy9fvDmWDYxz67wGggs/s1600/4+Intelligence+pyramid.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisx6uONKpnxjqTv56gKh7eCcY6luMKJwUJlZ2C8DnjNuYQn56FG2GFUyj1GI0ZUiVzy0WqfuDqpdGcd5kCa3p6qCx8GtfTe7tUdbfmKhsqdnHuaA2qQMJ0AOeBoy9fvDmWDYxz67wGggs/s1600/4+Intelligence+pyramid.jpg" height="488" width="640" /></a></div>
<br />
<span style="font-family: Verdana, sans-serif;">The book <a href="http://www.amazon.com/Building-Intelligence-Led-Security-Program-Allan/dp/0128021454">Building an Intelligence-Led Security Program</a> authored by Allan Liska describes the pyramid levels as follows:</span><br />
<br />
<span style="font-family: Verdana, sans-serif;"><em>"Strategic intelligence is concerned with long-term trends surrounding threats, or potential threats to an organization. Strategic intelligence is forward thinking and relies heavily on estimation – anticipating future behavior based on past actions or expected capabilities."</em></span><br />
<br />
<span style="font-family: Verdana, sans-serif;"><em>"Tactical intelligence is an assessment of the immediate capabilities of an adversary. It focuses on the weaknesses, strengths, and the intentions of an enemy. An honest tactical assessment of an adversary allows those in the field to allocate resources in the most effective manner and engage the adversary at the appropriate time and with the right battle plan."</em></span><br />
<br />
<span style="font-family: Verdana, sans-serif;"><em>"Operational intelligence is real time, or near real-time intelligence, often derived from technical means, and delivered to ground troops engaged in activity against the adversary. Operational intelligence is immediate, and has a short time to live (TTL). The immediacy of operational intelligence requires that analysts have instant access to the collection systems and be able to put together FINTEL in a high-pressure environment."</em></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">As it relates to making the incident response process a security program enabler, the focus needs to be on making the process contribute to the organization’s security strategy by producing tactical and strategic intelligence. Tactical intelligence can highlight the organization’s weaknesses and strengths and show where security resources can be used more effectively. Strategic intelligence can influence the direction of the organization’s long-term security strategy. Incident response starts to move from being viewed as a reactive process to a proactive one once it starts adding value to other areas in an organization’s security program.</span><br />
<br />
<h3>
Improve Root Cause Analysis Capabilities</h3>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Before one can start to operationalize incident response information to produce intelligence at various levels in the intelligence pyramid, they must first improve their root cause analysis capabilities. <a href="http://journeyintoir.blogspot.com/2015/03/compromised-root-cause-analysis-model.html">Root cause analysis</a> is determining how an attacker went after a system or network by identifying and understanding the remnants they left on the systems involved in the attack. This is a necessary activity for one to discover information during a security incident that can be operationalized. The <a href="http://www.verizonenterprise.com/DBIR/">Verizon Data Breach Investigations Report</a> is an excellent example of the type of information one can discover by performing root cause analysis. The report highlights trends from “time to incident discovery” to “time to compromise” to exploited vulnerabilities to frequency of attack types to hacking actions. None of this data would have been available for analysis if root cause analysis hadn’t been completed on these incidents.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Take the hypothetical scenario of a malware infected system. Root cause analysis discovered the attacker compromised the system using a phishing email containing a malicious Word document. At this point there are various data points one can then turn into intelligence. At the operational level, the email’s subject line, content, from address, and Word document attachment name can all be documented and then turned into intelligence for response and detection activities. The same can occur for the URL inside the Word document and the malware it downloads. Doing root cause analysis on all infections then makes data available to do trend analysis. Is it a pattern for the organization’s employees to be socially engineered through Word documents? Can resources be applied in other areas, such as security awareness training, to combat this threat? In time, more and more data can be collected to reveal other trends to help drive security. Performing root cause analysis on each incident is needed to operationalize incident response information to produce intelligence in this manner. The Compromised Root Cause Analysis Model is one model to use and it is described in the post <a href="http://journeyintoir.blogspot.com/2015/03/compromised-root-cause-analysis-model.html">Compromised Root Cause Analysis Model Revisited</a>.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPs3SkzOLNfbB6ZyIYQh9Cp4QPSuMLKDVHwFX2k70mpW30x1d8zkeKoCGN4WOf-LsQZ0mBUEzU158Sym8R4l1CYnjCHWkX-pDvB-kg29hK8WkH0DjVa4sknLQRK8XjpMU3o8sF1yJ5HFw/s1600/5+root+cause+analysis+model.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPs3SkzOLNfbB6ZyIYQh9Cp4QPSuMLKDVHwFX2k70mpW30x1d8zkeKoCGN4WOf-LsQZ0mBUEzU158Sym8R4l1CYnjCHWkX-pDvB-kg29hK8WkH0DjVa4sknLQRK8XjpMU3o8sF1yJ5HFw/s1600/5+root+cause+analysis+model.jpg" height="582" width="640" /></a></div>
<br />
<h3>
Incident Response Metrics</h3>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">The outcome from performing root cause analysis on each incident is discoverable information. It’s not enough to consistently do root cause analysis to discover information; the information needs to be documented and analyzed to make it into intelligence. Different options are available to document security incident information but in my opinion the best available schema is the VERIS Framework. The “<a href="http://veriscommunity.net/">Vocabulary for Event Recording and Incident Sharing (VERIS)</a> is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner.” The VERIS Framework is open and can be modified to meet an organization’s needs.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">The <a href="http://veriscommunity.net/schema-docs.html">schema is well designed</a> but to support an internal incident response process some modifications may be needed. This post won’t go into great detail about the needed modifications but I will mention a few that make the schema better support internal incident response. In the <a href="http://veriscommunity.net/incident-track.html">Incident Tracking section</a>, to make it easier to track security incidents the following can be added: Incident Severity (to match the incident response process severity for incidents), Hostname (of the targeted system), IP Address (of the targeted system), Username (involved in the incident), and Source IP Address (of the attacker’s system). The fields in the <a href="http://veriscommunity.net/victim-demo.html">Victim Demographics section</a> may or may not apply to an internal incident response process. Personally, I don’t see the need for tracking this information if the incident response process supports the same entity. In the Incident Description section, the biggest change is outlining the expected values for the vectors and vulnerabilities. For example, for the vulnerabilities list out each possible vulnerable application - such as a Java vulnerability - instead of allowing for specific CVEs. This reduces the amount of work needed for root cause analysis without losing too much on the metrics side. The last changes I’ll discuss are for the <a href="http://veriscommunity.net/discovery.html">Discovery and Response section</a>. In this section make sure to account for the various discovery methods the organization may use to detect incidents as well as the intelligence sources behind those methods. This slight change enables an organization to measure how it is detecting security incidents and to evaluate the return on investment for different intelligence sources.</span><br />
<br />
<h3>
Data Analysis</h3>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Information that is documented is only data and does not become intelligence until it is analyzed and refined so it is useful to others. There are different options available for organizations to produce intelligence from the information discovered during root cause analysis. The book <a href="http://www.amazon.com/Data-Driven-Security-Analysis-Visualization-Dashboards/dp/1118793722">Data-Driven Security: Analysis, Visualization and Dashboards</a> goes into detail about how one can do data analysis with free and/or open source tools. The route I initially took was one that let me focus on the incident response process without getting bogged down trying to create visualizations to identify trends. At my company (this is the only item in this post directly tied to my employer and I only mention it in hopes it helps my readers) we went with a license for <a href="http://www.tableau.com/products/desktop">Tableau Desktop</a> and I bought a personal copy of the book <a href="http://www.amazon.com/Tableau-Your-Data-Analysis-Software/dp/1118612043/">Tableau Your Data!: Fast and Easy Visual Analysis with Tableau Software</a>. The combination of Tableau Desktop and the VERIS Framework is very effective at producing strategic and tactical intelligence that can be consumed by the security program. In minutes, you can create visualizations to highlight which departments in an organization are most susceptible to phishing attacks or to quickly identify the trends explaining how malware is entering the organization. The answers and intelligence one can gain from the incident response data are only limited by one’s creativity and the ability of those consuming the intelligence.</span><br />
<br />
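<span style="font-family: Verdana, sans-serif;">The schema additions and the trend questions from the two sections above, as an added Python example that is neither the post’s code nor anything from the VERIS project: the five suggested tracking fields sit in VERIS’s “plus” section (the schema’s area for custom fields), vulnerabilities are restricted to application categories rather than CVEs, and each discovery method is paired with its intelligence source. The enumerations, the department field, and the sample incidents are constructed assumptions for this example.</span><br />

```python
"""Document incidents in a VERIS-style record extended for internal IR, then trend them.

Added example, not the post's code and not VERIS project tooling.  The "plus"
section is where VERIS keeps custom fields; the five fields placed there are the
post's suggested additions.  The enumerations and the "department" field are
constructed for this example and should be adapted to the organization's schema.
"""
from collections import Counter

# Vulnerability recorded as the exploited application class, not a CVE, so root
# cause analysis only has to establish which product was abused.
VULN_CATEGORIES = {"java", "flash", "office document", "browser", "none", "unknown"}
SEVERITIES = {"low", "medium", "high", "critical"}
DISCOVERY_METHODS = {"ids", "antivirus", "user report", "log review", "threat intel"}
INTEL_SOURCES = {"internal", "open source", "commercial", "isac", "none"}


def make_incident(incident_id, action, vector, vulnerability, department, severity,
                  hostname, ip, username, source_ip, discovery_method, intel_source):
    """Build one record, refusing values outside the controlled vocabularies.

    Free-text values are what make trend analysis unreliable, so every field that
    is later grouped on is checked against its enumeration here.
    """
    checks = [
        (vulnerability, VULN_CATEGORIES, "vulnerability"),
        (severity, SEVERITIES, "severity"),
        (discovery_method, DISCOVERY_METHODS, "discovery_method"),
        (intel_source, INTEL_SOURCES, "intel_source"),
    ]
    for value, allowed, name in checks:
        if value not in allowed:
            raise ValueError(f"{name}={value!r} not in {sorted(allowed)}")
    return {
        "incident_id": incident_id,
        "action": {action: {"vector": vector, "vulnerability": vulnerability}},
        "victim": {"department": department},
        "discovery_method": discovery_method,
        "plus": {  # the post's suggested Incident Tracking additions
            "severity": severity,
            "hostname": hostname,
            "ip": ip,
            "username": username,
            "source_ip": source_ip,
            "intel_source": intel_source,
        },
    }


def vector_trend(records, action):
    """Count how often each vector appears for one action type, e.g. "social"."""
    return Counter(r["action"][action]["vector"] for r in records if action in r["action"])


def departments_by_vector(records, action, vector):
    """Departments most often hit by a given action/vector, most frequent first."""
    counts = Counter(r["victim"]["department"] for r in records
                     if r["action"].get(action, {}).get("vector") == vector)
    return counts.most_common()


def detection_by_source(records):
    """(discovery_method, intel_source) pairs: the basis for an intel-source ROI view."""
    return Counter((r["discovery_method"], r["plus"]["intel_source"]) for r in records)


# Constructed sample records (hostnames, users and addresses are placeholders).
SAMPLE_INCIDENTS = [
    make_incident("IR-0001", "social", "email", "office document", "finance", "medium",
                  "ws-fin-01", "10.0.1.11", "jdoe", "198.51.100.9", "antivirus", "none"),
    make_incident("IR-0002", "social", "email", "office document", "finance", "medium",
                  "ws-fin-04", "10.0.1.14", "asmith", "198.51.100.23", "ids", "open source"),
    make_incident("IR-0003", "social", "email", "office document", "sales", "low",
                  "ws-sal-02", "10.0.2.12", "bwong", "203.0.113.5", "user report", "none"),
    make_incident("IR-0004", "malware", "web drive-by", "java", "engineering", "high",
                  "ws-eng-07", "10.0.3.17", "clee", "203.0.113.77", "ids", "commercial"),
]

if __name__ == "__main__":
    print("social vectors:", dict(vector_trend(SAMPLE_INCIDENTS, "social")))
    print("phished departments:", departments_by_vector(SAMPLE_INCIDENTS, "social", "email"))
    print("detections by source:", dict(detection_by_source(SAMPLE_INCIDENTS)))
```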
<h2>
Making Incident Response a Security Program Enabler</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">The approach an organization can take to move incident response from a reactive process to a proactive one involves the following steps:</span><br />
<br />
<span style="font-family: Verdana, sans-serif;"> - Improving an organization's incident response capabilities</span><br />
<span style="font-family: Verdana, sans-serif;"> - Improving an organization's root cause analysis capabilities</span><br />
<span style="font-family: Verdana, sans-serif;"> - Improving an organization’s security monitoring capabilities</span><br />
<span style="font-family: Verdana, sans-serif;"> - Influencing others to see incident response as a continuous process</span><br />
<span style="font-family: Verdana, sans-serif;"> - Operationalizing incident response information</span><br />
<span style="font-family: Verdana, sans-serif;"> - Collecting and documenting data for the organization’s incident response metrics</span><br />
<span style="font-family: Verdana, sans-serif;"> - Analyzing the organization’s incident response metrics to produce intelligence</span><br />
<span style="font-family: Verdana, sans-serif;"> - Presenting the intelligence to appropriate stakeholders</span><br />
<span style="font-family: Verdana;"></span><br />
<span style="font-family: Verdana, sans-serif;">Making incident response a security program enabler is a gradual process requiring organization buy-in and resources to make it happen. As DFIR practitioners, we can only be the voice in the wilderness telling others incident response can be more than a reactive process. It can be more than an insurance policy. It can be a continuous process enabling an organization’s security strategy and helping guide how security resources are used. A voice hoping to influence others to make the right decision to better protect their organization.</span><br />
<br />
Post: Python: print “Hello DFIR World!” (Corey Harrell, 2015-04-08)<br />
<span style="font-family: Verdana, sans-serif;">Coursera's mission is to "provide universal access to the world's best education." Judging by their extensive course listing it appears as if they are delivering on their mission since the courses are free for anyone to take. I knew about Coursera for some time but only recently did I take one of their courses (Python Programming for Everybody.) In this post I'm sharing some thoughts about my Coursera experience, the course I took, and how I immediately used what I learned.</span><br />
<br />
<h2>
Why Python? Why Coursera?</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Python is a language used often in information security and DFIR. Its usage varies from simple scripts to extensive programs. My interest in Python was modest; I wanted to be able to modify (if needed) the Python tools I use and to write automation scripts to make my job easier. Despite the wealth of resources available to learn Python, I wanted a more structured environment to learn the basics. An environment that leverages lectures, weekly readings, and weekly assignments to explore the topic. My plan was to learn the basics and then proceed to explore how Python applies to information security using the books <a href="http://www.nostarch.com/blackhatpython">Black Hat Python</a> and <a href="http://www.amazon.com/Violent-Python-Cookbook-Penetration-Engineers/dp/1597499579">Violent Python</a>. Browsing through the Coursera offerings I found the course <a href="https://www.coursera.org/course/pythonlearn">Programming for Everybody (Python)</a>. The course “aims to teach everyone to learn the basics of programming computers using Python. The course has no pre-requisites and avoids all but the simplest mathematics.” Teaching the basics over 10 weeks without the traditional mathematics-driven approach to learning to code, the course was exactly what I was looking for.</span><br />
<br />
<h2>
Programming for Everybody (Python)</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">I’m not providing a full-fledged course review but I did want to provide some thoughts on this course. The course itself is “designed to be a first programming course using the popular Python programming language.” This is important and worth repeating. The course is designed to be someone’s first programming course. If you already know how to code in a different language then this course isn’t for you. I didn’t necessarily fit the target audience since I know how to script in both batch and Perl. However, I knew this was a beginner’s course going in so I expected things would move slowly. I could easily overlook this one aspect since my interest was to build a foundation in Python. The course leveraged some pretty cool technology for an online format. The recorded lectures used a split screen between the professor, his slides, and his ability to write on the slides as he taught. The assignments had an auto grader where students complete assignments by executing their programs and the grader confirms whether the program was written correctly. The textbook is <a href="http://www.pythonlearn.com/book.php">Python for Informatics: Exploring Information</a>, which focuses more on trying to solve data analysis problems instead of math problems like traditional programming texts. The basics covered include: variables, conditional code, functions, loops/iteration, strings, files, lists, dictionaries, tuples, and regular expressions.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Overall, spending the past 10 weeks completing this course was time well spent. Sure, at times I wished things moved faster, but I did achieve what I wanted to: exploring the basics of the Python language so I have a foundation prior to exploring how the language applies to security work. The last thing I want to mention about the course is something I highly respect. The entire course, from the textbook to the lecture videos, is licensed under a Creative Commons Attribution license, making it available for pretty much anyone to use.</span><br />
<br />
<h2>
Applying What I Learned</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">The way I tend to judge courses, trainings, and books is by how much of the content can be applied to my work. If the curriculum is not relevant to one’s work then what is the point in wasting time completing it? It’s just my opinion but judging courses and trainings in this manner has proven to be effective. To illustrate this point as it applies to the Python Programming for Everybody course I’m showing how the basics I learned solved a recent issue. One issue I was facing was how to automate parsing online content and consuming it in a SIEM. This is a typical issue for those wishing to use open source threat intelligence feeds. One approach is to manually parse it into a machine readable form that your SIEM and tools can use. Another and better approach is to automate as much as possible through scripting. I took the latter approach by creating a simple script to automate this process. Those interested in Python usage in DFIR should check out <a href="http://www.hecfblog.com/2015/03/automating-dfir-how-to-series-on_22.html">David Cowen's Automating DFIR series</a> or <a href="https://ramslack.wordpress.com/">Tom Yarrish's Year of Python series</a>.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">There are various open source threat intelligence feeds one can incorporate into their enterprise detection program. Kyle Maxwell’s presentation <a href="https://digital-forensics.sans.org/summit-archives/DFIR_Summit/Open-Source-Threat-Intelligence-Kyle-Maxwell.pdf">Open Source Threat Intelligence</a> touched on some of them. For this post, I’m only discussing one, and it was something I was interested in knowing how to do. Tor is an anonymity service that enables people to hide where they are coming from as they surf the Internet. Tor has a lot of legitimate uses and just because someone is using it does not mean they are doing something wrong. Being able to flag users connecting to your network from Tor can add context to other activity. Is the SQL injection IDS alert a false positive? Is the SQL injection IDS alert coming from someone who is also using Tor a false positive? See what I mean by adding context. This was an issue that needed a Python solution (or at least a solution where I could apply what I learned.)</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">To accomplish adding Tor context to activity in my SIEM I first had to identify the IP addresses of the Tor exit nodes. Users of the service will have the IP address of the exit node they are going through. The <a href="https://www.torproject.org/docs/faq-abuse.html.en">Tor Project FAQs</a> provide an answer to the question "I want to ban the Tor network from my service." After trying to discourage people from blocking, it presents two options: using either the <a href="https://check.torproject.org/cgi-bin/TorBulkExitList.py">Tor exit relay list</a> or a <a href="https://www.torproject.org/projects/tordnsel.html.en">DNS-based list</a>. The Tor exit relay list webpage has a link to the <a href="https://check.torproject.org/exit-addresses">current list of exit addresses</a>. The screenshot below shows how this information is presented:</span><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7aOrz1vpPsigoAlDXWHGdU0RIXUW1oHZlFI1jjb-R7P_NqwQVX7Vg6i9zRvmnRnZugHG_rrapMdL5HtY4x9UHMJmtTlloGUPWvwOPya61zeQuR-AjDHgFu3yUOrBBlmghXrZ34nDvDgA/s1600/1+Tor+exit+nodes.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7aOrz1vpPsigoAlDXWHGdU0RIXUW1oHZlFI1jjb-R7P_NqwQVX7Vg6i9zRvmnRnZugHG_rrapMdL5HtY4x9UHMJmtTlloGUPWvwOPya61zeQuR-AjDHgFu3yUOrBBlmghXrZ34nDvDgA/s1600/1+Tor+exit+nodes.jpg" height="194" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<span style="font-family: Verdana, sans-serif;">Now we’ll explore the script I wrote to parse the Tor exit node IP addresses into a form my SIEM can consume, which is a text file with one IP address per line. The first part –as shown in the image below - imports the <a href="https://docs.python.org/2/library/urllib2.html">urllib2 module</a> that is used to open URLs. This part wasn’t covered in the course but wasn’t too difficult to figure out by Googling. The last line in the image creates a dictionary called urls. A dictionary associates a key with a value and in this case the key is tor-exit with the value being the URL to the Tor exit relay list. Leveraging a dictionary allows the script to be extended to support other feeds without having to make significant changes to the script.</span><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhty0eJOHAUcNv4x9EiDE38HeXi0_XMogfyAukOcAIINNvMdSQgG0wBGwvVGEUWJVhKsyIUXvb_73xRKTjgkHu7GhqPxFObyP_oWhrNvouARmGLnD-fEbRHbbYSO7na718jjIJ5A21daD8/s1600/2+script+initialization+section.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhty0eJOHAUcNv4x9EiDE38HeXi0_XMogfyAukOcAIINNvMdSQgG0wBGwvVGEUWJVhKsyIUXvb_73xRKTjgkHu7GhqPxFObyP_oWhrNvouARmGLnD-fEbRHbbYSO7na718jjIJ5A21daD8/s1600/2+script+initialization+section.jpg" height="126" width="640" /></a></div>
<br />
<span style="font-family: Verdana, sans-serif;">The next portion of the script, shown below, is where the first for loop occurs. The for loop processes each entry (key and value pair) in the urls dictionary. The try and except is a method to account for errors such as a URL not working. Inside the try section the URL is opened into a variable named file and then it is read into a variable named data using the urllib2 readlines() method. Lastly, a file is created to store the output using the key value and the file handle is named output.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzkIrrO-ptmrxiXemoVXFb1_Pdul1q10PXDSER_qOKcO-8S-fNcYSqmnqSgxl1vgWCAcyzWlqAeEm6ASsVgTzGrwfMEgqlQ7CYrmkIHLYL3P_tjAxZ_kQRRfomAQZfzuHXGjb2qFTn508/s1600/3+Main+processing+section.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzkIrrO-ptmrxiXemoVXFb1_Pdul1q10PXDSER_qOKcO-8S-fNcYSqmnqSgxl1vgWCAcyzWlqAeEm6ASsVgTzGrwfMEgqlQ7CYrmkIHLYL3P_tjAxZ_kQRRfomAQZfzuHXGjb2qFTn508/s1600/3+Main+processing+section.jpg" height="156" width="640" /></a></div>
<br />
<span style="font-family: Verdana, sans-serif;">The next part of the script, in the image below, is specific to each threat feed being parsed. This accounts for the differences in the way threat feeds present data. The if statement checks whether the key matches “tor-exit” and if it does then the second for loop executes. This for loop reads each line in the data variable (hence the data listed at the URL.) As each line is read, additional actions are performed such as skipping blank lines and any line that doesn’t start with the string “ExitAddress.” For the lines that do start with this string, the line is broken up into a list named words. Basically, it breaks the line up into different values by using the space as a separator. The IP address is the second value so it is at index 1 in the words list (words[1]). The IP address is then written to the output file, and once every line has been processed a message is displayed saying processing completed.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqUSHNQaq2I0X445FJJzLbI_ezbAoo1A-RoBGd14wZWHyCQLJvojOi8bNIP3LFFVcwmxejMkwASwjoFV1GhaaoRWoW7g44EaXzDpmTbmVp1xWznPZBPD8Yj33K_iY3aOPmsbR_ngC2Kg0/s1600/4+tor+processing.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqUSHNQaq2I0X445FJJzLbI_ezbAoo1A-RoBGd14wZWHyCQLJvojOi8bNIP3LFFVcwmxejMkwASwjoFV1GhaaoRWoW7g44EaXzDpmTbmVp1xWznPZBPD8Yj33K_iY3aOPmsbR_ngC2Kg0/s1600/4+tor+processing.jpg" height="170" width="640" /></a></div>
<br />
<span style="font-family: Verdana, sans-serif;">The screenshot below shows the script running.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJTHMjAaXPm0D9ePsXj0F1dPw6qO9VIS9tzeKDGqYM97xKEsNgSraVWEmFHJFswG7R9XUrEXto8_RMIgW7UjfEHy5ZwDDLXBPrSnbovHrTC_W3fYWexoTGKmQukBFUgc2A26AgHm8OBP8/s1600/5+get-siem-feeds.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJTHMjAaXPm0D9ePsXj0F1dPw6qO9VIS9tzeKDGqYM97xKEsNgSraVWEmFHJFswG7R9XUrEXto8_RMIgW7UjfEHy5ZwDDLXBPrSnbovHrTC_W3fYWexoTGKmQukBFUgc2A26AgHm8OBP8/s1600/5+get-siem-feeds.jpg" height="60" width="640" /></a></div>
<br />
<span style="font-family: Verdana, sans-serif;">The end result is a text file containing the Tor exit IP addresses with one address per line. This text file can then be automatically consumed by my SIEM or I can use it when analyzing web logs to flag any activity involving Tor.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhwg0mZIW_W431fO82fjUt3flJI9XvjM73o9Kj1zHx2DSkUJBROrWHXRHzOCMx6GaWq_zYpY22o5wyZ0Nw4x-Mh0cSzD6FOfDRUrbsT-jW8xL6cIkIOyUnSoWWZTEelkEMZvVndtuqM6s/s1600/6+tor-exit+nodes.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhwg0mZIW_W431fO82fjUt3flJI9XvjM73o9Kj1zHx2DSkUJBROrWHXRHzOCMx6GaWq_zYpY22o5wyZ0Nw4x-Mh0cSzD6FOfDRUrbsT-jW8xL6cIkIOyUnSoWWZTEelkEMZvVndtuqM6s/s1600/6+tor-exit+nodes.jpg" height="400" width="393" /></a></div>
<br />
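<span style="font-family: Verdana, sans-serif;">The parser described above, written out as an added example in Python 3 (the post’s own script ran under Python 2 with urllib2 and is not reproduced here). The feed URL is the one the post links to; the exit-list sample and the web log lines are constructed. Going beyond the post, the parser drops duplicate addresses and skips fields that are not IP literals, and flag_tor_hits matches the resulting list against web log client IPs, the context use the post describes.</span><br />

```python
"""Reduce threat feeds to one IP per line for SIEM ingestion, Tor exit nodes first.

Added example written in Python 3; the post's own script used Python 2's urllib2.
The feed URL is the one the post links to.  SAMPLE_EXIT_LIST and SAMPLE_WEB_LOG
are constructed stand-ins so the parsing runs offline.
"""
import ipaddress
import urllib.request

# Feed name -> URL, like the post's "urls" dictionary, so more feeds slot in later.
FEEDS = {
    "tor-exit": "https://check.torproject.org/exit-addresses",
}


def parse_tor_exit_list(text):
    """Return the unique exit IPs in the order first seen.

    Only lines beginning with "ExitAddress" carry an address; it is the second
    whitespace-separated field (words[1] in the post's script).  Duplicates are
    dropped and anything that is not an IP literal is skipped, not written out.
    """
    seen = set()
    ips = []
    for line in text.splitlines():
        words = line.split()
        if len(words) < 2 or words[0] != "ExitAddress":
            continue
        try:
            ip = str(ipaddress.ip_address(words[1]))
        except ValueError:
            continue  # malformed field; do not poison the SIEM list
        if ip not in seen:
            seen.add(ip)
            ips.append(ip)
    return ips


# Feed name -> parser, so the download loop stays feed-agnostic.
PARSERS = {"tor-exit": parse_tor_exit_list}


def fetch_feed(name, timeout=30):
    """Download one feed and return its text; network errors propagate to the caller."""
    with urllib.request.urlopen(FEEDS[name], timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def write_feed(path, ips):
    """Write one address per line, the form the post's SIEM consumes; return the count."""
    with open(path, "w") as out:
        out.write("".join(ip + "\n" for ip in ips))
    return len(ips)


def flag_tor_hits(log_lines, tor_ips):
    """Return (client_ip, line) for web log lines whose client IP is a Tor exit.

    Assumes the client IP is the first field, as in Apache/nginx combined logs.
    """
    tor = set(tor_ips)
    hits = []
    for line in log_lines:
        fields = line.split()
        if fields and fields[0] in tor:
            hits.append((fields[0], line))
    return hits


# Constructed sample in the exit-addresses layout (fingerprints and IPs are not real).
SAMPLE_EXIT_LIST = """\
ExitNode 0123456789ABCDEF0123456789ABCDEF01234567
Published 2015-04-08 10:00:00
LastStatus 2015-04-08 11:00:00
ExitAddress 198.51.100.7 2015-04-08 11:03:12
ExitNode FEDCBA9876543210FEDCBA9876543210FEDCBA98
ExitAddress 203.0.113.20 2015-04-08 11:02:40
ExitAddress 203.0.113.20 2015-04-08 11:04:05
ExitAddress not-an-ip 2015-04-08 11:04:06
"""

# Constructed web server log lines in combined log format.
SAMPLE_WEB_LOG = [
    '203.0.113.20 - - [08/Apr/2015:11:10:01 -0400] "GET /admin/login HTTP/1.1" 200 512',
    '192.0.2.5 - - [08/Apr/2015:11:10:02 -0400] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for name, parser in PARSERS.items():
        try:
            text = fetch_feed(name)
        except OSError as exc:  # urllib.error.URLError is an OSError subclass
            print(f"{name}: fetch failed ({exc}); falling back to the constructed sample")
            text = SAMPLE_EXIT_LIST
        print(f"{name}: wrote {write_feed(name + '.txt', parser(text))} addresses")
    for ip, line in flag_tor_hits(SAMPLE_WEB_LOG, parse_tor_exit_list(SAMPLE_EXIT_LIST)):
        print(f"Tor exit {ip}: {line}")
```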
<h2>
It’s Basic but Works</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Harlan recently said in his <a href="http://windowsir.blogspot.com/2015/04/blogging.html">Blogging post</a> “it doesn't matter how new you are to the industry, or if you've been in the industry for 15 years...there's always something new that can be shared, whether it's data, or even just a perspective.” My hope with this post is that it will be useful to others who are not programmers but want to learn Python. Coursera is a good option that can teach you the basics. Even just learning the basics can extend your DFIR capabilities, as demonstrated by my simple script.</span><br />
<br />
Post: Compromised Root Cause Analysis Model Revisited (Corey Harrell, 2015-03-11)<br />
<span style="font-family: Verdana, sans-serif;">How? The one question that is easy to ask but can be very difficult to answer. It's the question I kept asking myself over and over while reading article after article discussing publicized breaches and compromises. Each article alluded to the answer about how the breach or compromise occurred in the first place, but each one left something out: the details that influenced their conclusions. As a result, I was left wondering how they figured out how the attack occurred in the first place. It was the question everyone alluded to, and everyone said to perform root cause analysis to determine the answer. They didn’t elaborate on how to actually do root cause analysis though. Most incident response literature echoes the same sentiment: do root cause analysis, while omitting the most critical piece, which is how to do it. I asked my question of a supposed "incident responder" and their response was along the lines of "you will know it when you see it." Their answer, along with every other answer on the topic, was not good enough. What was needed was a repeatable, methodical process one can use to perform root cause analysis: the type of methodical process found in the Compromise Root Cause Analysis Model.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">I developed the Compromise Root Cause Analysis Model three years ago to fill the need for a repeatable investigative process for doing root cause analysis. In this post I revisit the model and demonstrate its usefulness by covering the following:</span><br />
<br />
<span style="font-family: Verdana;"> - Exploring Locard’s Exchange Principle</span><br />
<span style="font-family: Verdana;"> - Exploring Temporal Context</span><br />
<span style="font-family: Verdana;"> - Exploring Attack Vectors</span><br />
<span style="font-family: Verdana;"> - Exploring the Compromise Root Cause Analysis Model</span><br />
<span style="font-family: Verdana;"> - The Model is Cyclical</span><br />
<span style="font-family: Verdana;"> - Applying the Compromise Root Cause Analysis Model</span><br />
<span style="font-family: Verdana;"> * Webserver Compromise</span><br />
<br />
<h2>
Exploring Locard’s Exchange Principle</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">The essential principle in the Compromise Root Cause Analysis Model is Locard’s Exchange Principle, which states “when two objects come into contact, something is exchanged from one to the other.” The principle is typically explained using examples from the physical world. When one object, such as someone’s hand, comes into contact with another object, such as a glass, something is exchanged from one to the other. In this example the glass now carries traces of oils from the person’s hand, skin flakes, and even fingerprints.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">The principle is not limited to the physical world; it applies to the digital world as well. <a href="http://windowsir.blogspot.com/2005/01/locards-exchange-principle-in-digital.html">Harlan Carvey’s example </a>demonstrates it in the digital world as follows: “well, in essence, whenever two computers come "into contact" and interact, they exchange something from each other.” Nor is the principle limited to computers; it applies to routers, switches, firewalls, mobile devices, and anything else that processes data. The essence of this principle for the Compromise Root Cause Analysis Model is:</span><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;"><em>When an attacker goes after another system, the exchange leaves remnants of the attack on the systems involved. There is a transfer between the attacker’s system(s), the targeted system(s), and the networking devices connecting them together.</em></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">The transfer between the systems and networks involved in the attack indicates the actual attack used. Identifying and exploring the remnants left by the transfer is what enables the question “how did the attack occur in the first place?” to be answered.</span><br />
<br />
<h2>
Exploring Temporal Context</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">The second principle, one that supports the Compromise Root Cause Analysis Model, is the psychology principle of proximity. The principle of proximity is one of the <a href="http://en.wikipedia.org/wiki/Principles_of_grouping">Gestalt laws of grouping</a> and <a href="http://www.psychologyconcepts.com/proximity-principle/">states that</a> “when we see stimuli or objects that are in close proximity to each other, we tend to perceive them as being grouped together.” As it relates to the Compromise Root Cause Analysis Model, the grouping is based on the temporal relationship between the objects. Temporal proximity affects the model in two ways.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">The first way temporal proximity affects the Compromise Root Cause Analysis Model is by enabling the grouping of remnants related to an attack. When an attacker goes after a system, remnants are left in various places within that system and the network it is part of. Networking device logs showing the network activity, application logs showing what the intruder was doing, and remnants on the system showing what the intruder accomplished are only a few of the places where these artifacts can be located. The attacker’s actions are not the only remnants left within the network and system. The organization and its employees create remnants every day through their own activity, and the normal operation of the information technology devices themselves leaves remnants as well. Temporal proximity enables the attacker’s remnants throughout a network and system to be grouped by their temporal relationship to each other: remnants that occur within a short timeframe of each other can be grouped together, while remnants outside that timeframe are excluded. Other factors, such as the source address or the account involved, are still needed to separate the attacker’s remnants from normal activity that happened to fall in the same window, but temporal proximity is one of the most significant factors.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">The second way temporal proximity affects the Compromise Root Cause Analysis Model is that the time elapsed between when an attacker attacks the system and when an investigation is conducted affects the ability to identify and group the remnants left by the attacker. The reason is that “<a href="http://forensicir.blogspot.com/2008/12/footprints-in-snow.html">time is what permits other forces to have an effect on the persistence of data</a>.” The remnants left by the attacker are data on information technology devices. The more time that goes by after these remnants are left, the more opportunity there is for them to be changed or removed. Logs can be overwritten and files modified or deleted through the activities of the organization and its employees along with the normal operation of the devices. The more time that lapses between the attack and the start of the investigation, the greater the chance that remnants have disappeared and that the remaining remnants can no longer be grouped together. The Compromise Root Cause Analysis Model can still be used to identify and group these remnants, but it becomes much more difficult as more time lapses between the initial attack and the investigation.</span><br />
<br />
<h2>
Exploring Attack Vectors</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Root cause analysis tries to determine how an attacker went after a system or network by identifying and understanding the remnants left on the systems involved during the attack. In essence, the analysis identifies the attack vector used to compromise the system. It is crucial to explore what an attack vector is to see how it applies to the Compromise Root Cause Analysis Model.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;"><a href="http://searchsecurity.techtarget.com/definition/attack-vector">SearchSecurity defines an attack vector</a> as "a path or means by which a hacker (or cracker) can gain access to a computer or network server in order to deliver a payload or malicious outcome." Based on this definition, the attack vector can be broken down into three separate components. The path or means is the exploit used, the payload is the outcome of the exploit, and the delivery mechanism is what carries the exploit and/or the payload to the target. The definition folds the delivery mechanism into the path or means, but in practice they are separate. The exploit, payload, and delivery mechanism can all leave remnants (or artifacts) on the compromised system and network, and these artifacts are what identify the attack vector used.</span><br />
<br />
<h3>
Exploit</h3>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">An <a href="http://en.wikipedia.org/wiki/Exploit_(computer_security)">exploit is defined</a> as "a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized)." An exploit takes advantage of a weakness in a system to cause activity on that system that is desirable for the attacker. Exploits can target vulnerabilities in operating systems, in applications, or in the people using the system. In accordance with Locard’s Exchange Principle, when the exploit comes into contact with the system containing the weakness, remnants are left by the attacker. Identifying the exploit artifacts left on a system is one piece of the puzzle for identifying the attack vector.</span><br />
<br />
<h3>
Payload</h3>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">A <a href="http://en.wikipedia.org/wiki/Payload_(computing)">payload is defined</a> (in security) as “the cargo of a data transmission.” In the model, the payload is the activity on a system that the attacker wanted and that the exploit caused by taking advantage of a weakness. In accordance with Locard’s Exchange Principle, when the payload comes into contact with the system, remnants are left by the attacker. Identifying the payload artifacts left on a system is another piece of the puzzle for identifying the attack vector.</span><br />
<br />
<h3>
Delivery Mechanism</h3>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">A delivery mechanism is defined as “a method by which malicious software places a payload into a target computer or computer network.” The delivery mechanism is what carries the exploit and/or payload to the system so the attacker’s desired activity can occur there. As with the exploit and payload, when a delivery mechanism comes into contact with the system, remnants are left by the attacker. Identifying the delivery mechanism artifacts left on a system is the last piece of the puzzle for identifying the attack vector.</span><br />
<br />
<h2>
Exploring the Compromise Root Cause Analysis Model</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">When an attacker goes after another system, the exchange leaves artifacts of the attack on the systems involved. These artifacts are identified during an investigation and grouped together based on their temporal proximity to one another. Root cause analysis identifies the attack vector by determining which of the identified artifacts relate to the exploit, the payload, and the delivery mechanism(s). The Compromise Root Cause Analysis Model is a methodical process for organizing the information and artifacts identified during an investigation so that the question of how a compromise occurred becomes easier to answer. The model is not a replacement for any existing model; it is a complementary model for discovering information related to a system compromise. It organizes the artifacts left on a network and/or system after an attack into the following categories: source, delivery mechanism, exploit, payload, and indicators. The relationship between the categories is shown below.</span><br />
<span style="font-family: Verdana;"></span><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCt9RRvz8YHm5bDKxGuKkfQiVxaL9HfMGl9gJy9OtqPN5kkS1vTwBfKcmtBBlIm6BPl9W6x3xHJwHV6YbwooVdzNZBTxAYEdNgb6KBpaNsXCFWmOaQfJ8UUNMgSKEKiR579N4nV89l1KE/s1600/1+root+cause+analysis+model.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCt9RRvz8YHm5bDKxGuKkfQiVxaL9HfMGl9gJy9OtqPN5kkS1vTwBfKcmtBBlIm6BPl9W6x3xHJwHV6YbwooVdzNZBTxAYEdNgb6KBpaNsXCFWmOaQfJ8UUNMgSKEKiR579N4nV89l1KE/s1600/1+root+cause+analysis+model.jpg" height="580" width="640" /></a><br />
<br />
<h3>
Source</h3>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">At the core of the model is the source of the attack: where the attack originated from. Attacks can originate from outside or from within an organization’s network, depending on who the attacker is. An external source is anything residing outside the control of the organization or person; an example is an attack against a web application coming from the Internet. An internal source is within the network and under the control of the organization or person; an example is an employee stealing data from a company file server.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">The artifacts the attacker left behind on the system are used to determine where the attack came from. For example, if the attack originated from the Internet then the data left on the systems indicates this: firewall logs, web application logs, proxy server logs, authentication logs, and email logs will all point to the attacker’s location outside the organization’s network.</span><br />
<br />
<h3>
Delivery Mechanism</h3>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Proceeding outward, the next layer is the first delivery mechanism: the mechanism used to send the exploit to the system. The mechanism used depends on the attacker’s location. Attackers external to the organization may use avenues such as email, network services (e.g. HTTP, SSH, FTP), or removable media. Attackers internal to the organization may use avenues such as physical access or file sharing protocols.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">The artifacts the attacker left behind on the system are used to determine how they sent the exploit to the system. Where the artifacts are and what they look like depend entirely on the method used. If the method was HTTP, then the web proxy logs, web browser histories, or web application logs will contain the remnants from the attacker. If the method was email, then the email gateway logs, the client email storage file, or the user’s activity involving email will contain them.</span><br />
<br />
<h3>
Exploit</h3>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Continuing outward, the next layer is the exploit: what was sent to take advantage of a vulnerability. As mentioned previously, vulnerabilities can be present in a range of items, from operating systems to applications to databases to network services to the person using the computer. When a vulnerability is exploited it leaves specific artifacts on the system, and these artifacts can identify the weakness the attacker targeted. Where the artifacts are and what they look like depend entirely on the weakness targeted. The Applying the Compromise Root Cause Analysis Model section illustrates this artifact for one vulnerability.</span><br />
<br />
<h3>
Delivery Mechanism</h3>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">The next layer is the second delivery mechanism. A successful exploit may result in a payload being sent to the system, and this outer delivery mechanism accounts for that. If the payload has to be sent separately, there may be artifacts showing that activity. This is the one layer that may not always be present: sometimes the payload is bundled with the exploit, and sometimes the payload is simply the access the exploit provides. As with the exploit, where the artifacts are and what they look like depend entirely on what the exploit was.</span><br />
<br />
<h3>
Payload</h3>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">The next layer is the desired end result of any attack: delivering a payload or malicious outcome to the system. The payload can be any of a number of actions, ranging from unauthorized access to denial of service to remote code execution to escalation of privileges. The payload artifacts left behind depend on what action was taken.</span><br />
<br />
<h3>
Indicators</h3>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">The last layer in the model is the indicators layer. This layer holds not only the information and artifacts about how the attack was detected but also all of the artifacts showing post-compromise activity. Organizing all the other remnants left by the attacker into this layer makes it easier to pick out the attack vector artifacts (exploit, payload, and delivery mechanisms). As a result the layer is broad, since it contains every post-compromise artifact such as files being downloaded, malware executing, network traversal, or data exfiltration.</span><br />
<br />
<h2>
The Model is Cyclical</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">The Compromise Root Cause Analysis Model is a way to organize information and artifacts to make it easier to answer questions about an attack, specifically: how and when did the compromise occur? Information and artifacts about the compromise are discovered by completing examination steps against every relevant system involved with the attack. The model is cyclical: as each new system is discovered, the model is applied to determine how that system was compromised. This continues until each system involved with the attack has been examined and it is confirmed whether or not it truly was a part of the attack.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">To illustrate, take the hypothetical scenario of an IDS alert indicating that an organization’s employee laptop is infected with malware. The IDS signature that flagged the network traffic is shown below (the signature was obtained from the <a href="http://rules.emergingthreats.net/blockrules/emerging-botcc.rules">Emerging Threats emerging-botcc.rules</a>). As can be seen in the rule, the laptop was flagged for visiting an IP address associated with the Zeus Trojan.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwthFK03_OAsUEljbFLEGqmzXKwe3mvpaSe2leao-KoR4xrZCr9jcrHpaKJTG-bV_1tmzmlh0za5bQ6mODzQ3kGOYzdR5EJR9HKP3S9zNhVLgxsUyx9ijSVrjXvUAxhSlJkbmPKlmwjEI/s1600/2+IDS+alert.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwthFK03_OAsUEljbFLEGqmzXKwe3mvpaSe2leao-KoR4xrZCr9jcrHpaKJTG-bV_1tmzmlh0za5bQ6mODzQ3kGOYzdR5EJR9HKP3S9zNhVLgxsUyx9ijSVrjXvUAxhSlJkbmPKlmwjEI/s1600/2+IDS+alert.jpg" height="64" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<span style="font-family: Verdana, sans-serif;">The network packet captured in the IDS alert indicates the employee is a remote user connected through the organization’s VPN. The network diagram below shows the organization’s network layout and where this employee’s laptop is located.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUH8FJqKB-fJW-gHk52Nxi7BBKbtXzfCypYPKd-9XpqSphJjtwzMrkeBuvo-VdmMwTF2foYzmYFuTh506-X8p3Q1ySZ7ix15NaZwjdn3pbTApIVseZq8Ff-OOP-erBr6MmNmtX_voHsl0/s1600/2+network+with+infected+client.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUH8FJqKB-fJW-gHk52Nxi7BBKbtXzfCypYPKd-9XpqSphJjtwzMrkeBuvo-VdmMwTF2foYzmYFuTh506-X8p3Q1ySZ7ix15NaZwjdn3pbTApIVseZq8Ff-OOP-erBr6MmNmtX_voHsl0/s1600/2+network+with+infected+client.jpg" height="402" width="640" /></a></div>
<br />
<span style="font-family: Verdana, sans-serif;">The investigation into the employee’s laptop, conducted remotely over the network, located the Zeus Trojan on the laptop. The examination continued with root cause analysis to determine how the laptop became infected in the first place. The employee had been surfing the Internet before connecting to the organization’s network through the VPN, and a drive-by attack compromised the laptop when the employee visited the organization’s own website. The IDS alerted on the infection once the laptop connected through the VPN. The investigation has now uncovered another system involved with the attack (the organization’s web server); its location is shown below.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJHEwe1aYEiKoy5UwjoGBuGSOgmCPL8-rUbzUxkLm2T3HyUuabpjVodCb0qLgtt-1BYX852UJRZGukDh4_5H6sMHz-k8ipiSvIW1ssgR7_cwpKzBOmRKFX0wUk__tmx17IJ_lqB2gH8aI/s1600/3+network+withcompromised+server.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJHEwe1aYEiKoy5UwjoGBuGSOgmCPL8-rUbzUxkLm2T3HyUuabpjVodCb0qLgtt-1BYX852UJRZGukDh4_5H6sMHz-k8ipiSvIW1ssgR7_cwpKzBOmRKFX0wUk__tmx17IJ_lqB2gH8aI/s1600/3+network+withcompromised+server.jpg" height="400" width="640" /></a></div>
<br />
<span style="font-family: Verdana, sans-serif;">The organization’s main website is compromised and serving malware to its visitors. The investigation continues by moving to the compromised web server, where the Compromise Root Cause Analysis Model is applied to determine how it became compromised in the first place. The answer: an attacker found the web server was running an outdated Joomla plug-in and exploited it, then leveraged the compromised web server to deliver malware to its visitors.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">In this hypothetical scenario, the Compromise Root Cause Analysis Model was initially applied to a compromised laptop. The source of that attack pointed to another system under the organization’s control, so the investigation continued to the newly discovered system by applying the model against it. That system’s attack vector pointed to an attacker on the Internet, so at this point all of the systems involved in the attack have been investigated and the root cause identified. If more systems were involved, the cyclical process would continue until all of them were investigated. The model enabled the attack vector for each system to be determined, and the incident information discovered can then be further organized using other models; for example, the overall attack can be described using Lockheed Martin's <a href="http://www.lockheedmartin.com/us/what-we-do/information-technology/cyber-security/cyber-kill-chain.html">Cyber Kill Chain model</a>.</span><br />
<br />
<h2>
Applying the Compromise Root Cause Analysis Model</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">The Compromise Root Cause Analysis Model is a way to organize information and artifacts to make it easier to answer questions about a compromise. The model can be applied to a system either to confirm how it was compromised or to determine whether it was compromised at all. The <a href="http://journeyintoir.blogspot.com/2012/07/malware-root-cause-analysis.html">article Malware Root Cause Analysis</a> goes into detail about applying the model to a malicious code incident involving a single system. The model is not limited to malicious code incidents, however; it can be applied to any type of security incident, including unauthorized access, denial of service, malicious network traffic, phishing, and compromised user accounts. To demonstrate the model’s versatility, it will be applied to a hypothetical security incident built from data in a published article: a compromised ColdFusion web server as described in the An Eye on Forensics article <a href="http://eyeonforensics.blogspot.com/2013/03/a-cold-day-in-e-commerce-guest-post.html">A Cold Day in E-Commerce - Guest Post</a>. The data referenced below was either influenced by or borrowed from that article or the <a href="http://www.slideshare.net/chrisgates/coldfusion-for-penetration-testers">Coldfusion for Pentesters presentation</a>, or was made up to appear realistic.</span><br />
<br />
<h3>
Webserver Compromise</h3>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">An IDS alert flags suspicious network traffic from an external system connecting to an organization’s ColdFusion web server located in its DMZ. The organization monitors for access attempts to the ColdFusion administrator web panel, including access to features such as scheduling tasks. The external system triggered the IDS signature shown below because, on an established session, it accessed the ColdFusion scheduleedit page located at hxxp://www.fake_site.com/CFIDE/administrator/scheduler/scheduleedit.cfm.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6nl56Yp1LhsuprjDSh7vkCV7Dtgn7AJZ6XmeQQRjzvfjuKCrItDV4Vk_DZV3ob5AOmaUmW_6Ac0SGIzIiK8iNRHLlOYWj4sw27pRwZbgNagJTqUcSrXhvXlFfpnXIfpwV3vTVUtEUPak/s1600/4+ids-coldfusion.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6nl56Yp1LhsuprjDSh7vkCV7Dtgn7AJZ6XmeQQRjzvfjuKCrItDV4Vk_DZV3ob5AOmaUmW_6Ac0SGIzIiK8iNRHLlOYWj4sw27pRwZbgNagJTqUcSrXhvXlFfpnXIfpwV3vTVUtEUPak/s1600/4+ids-coldfusion.jpg" height="40" width="640" /></a></div>
<br />
<span style="font-family: Verdana, sans-serif;">The IDS alert is concerning because of what accessing scheduleedit means. One method an attacker can use to upload code onto a compromised ColdFusion server is to leverage scheduled tasks: the attacker schedules a task, points it at their program’s location on a different server, and has the task save the file locally on the ColdFusion server for them to use (<a href="http://www.slideshare.net/chrisgates/coldfusion-for-penetration-testers">see page 85 in this presentation</a>). Accessing the interface to edit scheduled tasks is reflected by “scheduleedit” appearing in the URL. The IDS alert is triaged to determine whether the ColdFusion server was successfully compromised and whether an attacker was uploading anything to the server using the scheduled tasks feature.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">The ColdFusion instance is running on a Windows Server 2008 system with IIS, and its IP address is 192.168.0.1. The IIS log was reviewed for the activity around the time the IDS alert triggered.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;"><em>2015-03-10 22:09:00 192.168.0.1 GET /CFIDE/Administrator/scheduler/scheduletasks.cfm - 80 - X.X.X.X fake-useragent 200 0 0 5353</em></span><br />
<br />
<span style="font-family: Verdana, sans-serif;"><em>2015-03-10 22:09:10 192.168.0.1 GET /CFIDE/Administrator/scheduler/scheduleedit.cfm submit=Schedule+New+Task 80 - X.X.X.X fake-useragent 200 0 0 5432</em></span><br />
<br />
<span style="font-family: Verdana, sans-serif;"><em>2015-03-10 22:09:15 192.168.0.1 GET /CFIDE/Administrator/scheduler/scheduletasks.cfm runtask=z&amp;timeout=0 80 - X.X.X.X fake-useragent 200 0 0 1000</em></span><br />
<br />
<span style="font-family: Verdana, sans-serif;"><em>2015-03-10 22:11:15 192.168.0.1 GET /CFIDE/shell.cfm - 80 - X.X.X.X fake-useragent 200 0 0 432</em></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">The IIS log shows that the activity which tripped the IDS sensor occurred at 2015-03-10 22:09:10, when the external system with IP address X.X.X.X scheduled a new task. Notice the <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html">200 HTTP status code</a> indicating the request completed successfully. On its own a 200 only shows that IIS served the request; what corroborates it is the next log entry, in which the scheduled task named “z” executes at 2015-03-10 22:09:15, followed shortly by the attacker requesting a file named “shell.cfm”. Together these entries answer one of the questions: the attacker did compromise the ColdFusion server and has administrator rights to the ColdFusion instance, because they were able to use the scheduled tasks area within the administrator panel. Applying the Compromise Root Cause Analysis Model, this activity along with the IDS alert is organized into the indicators layer: it is post-compromise activity, and the model is being used to identify the attack vector. The investigation continues by looking at what remnants the attacker left in the logs just before tripping the sensor while uploading their web shell.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">The IIS log was reviewed for requests from the attacker’s IP address X.X.X.X prior to 2015-03-10 22:09:10. The records are listed below:</span><br />
<br />
<span style="font-family: Verdana, sans-serif;"><em>2015-03-10 22:08:30 192.168.0.1 GET /CFIDE/adminapi/administrator.cfc method=login&amp;adminpassword=&amp;rdsPasswordAllowed=true 80 - X.X.X.X fake-useragent 200 0 0 432</em></span><br />
<br />
<span style="font-family: Verdana, sans-serif;"><em>2015-03-10 22:08:40 192.168.0.1 GET /CFIDE/administrator/images/icon.jpg - 80 - X.X.X.X fake-useragent 200 0 0 432</em></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">The prior activity shows the attacker requesting an unusual URL followed by successfully retrieving the icon.jpg image file. Searching on the URL reveals it is an <a href="http://www.exploit-db.com/exploits/27755/">Adobe ColdFusion Administrative Login Bypass exploit</a>, which on success provides access to the admin panel. This remnant is organized into the exploit layer. The payload of this exploit is direct access to the admin panel, so there is no separate delivery mechanism for the payload. When the admin panel is accessed, certain files such as images are loaded; in this scenario one of the images loaded by default is icon.jpg. This remnant indicates the attacker reached the admin panel, meaning the exploit worked and the payload was admin access, so the access to icon.jpg is organized into the payload layer. At this point the following layers of the model have been completed: indicators, payload, delivery mechanism (for the payload), and exploit. The remaining layers are the delivery mechanism for the exploit and the source. The attacker used a tool or web browser to attack the server, so the delivery mechanism for the exploit is HTTP, and the client IP address in the log places the source somewhere on the Internet.</span><br />
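<span style="font-family: Verdana, sans-serif;">To make two pieces of the model concrete, the temporal proximity grouping from the Exploring Temporal Context section and the layer-by-layer sorting of the IIS entries above, here is an added Python example; it is not code from the original post. It pivots on the indicator entry that fired the IDS alert, keeps only that client’s requests inside a time window around it, and assigns each request to a layer of the model using the artifacts described above (the administrator.cfc bypass request as the exploit, the icon.jpg load as the payload, and the scheduler and shell.cfm requests as indicators). The log lines are constructed to mirror the ones in the post, with two benign requests from other clients added to show that the grouping excludes them; the attacker address 203.0.113.7 (standing in for X.X.X.X), the organization’s internal address ranges, and the W3C field order are assumptions.</span><br />

```python
"""Added example (not from the original post): sorting web server log
entries into the Compromise Root Cause Analysis Model layers by pivoting on
the indicator that raised the alert and grouping by temporal proximity."""
import ipaddress
from datetime import datetime, timedelta
from typing import NamedTuple, Optional

# Constructed IIS W3C extended log (not a real capture).  The attacker address
# 203.0.113.7 stands in for the post's X.X.X.X.  Field order assumed:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
# cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
IIS_LOG = """\
2015-03-10 21:30:05 192.168.0.1 GET /index.cfm - 80 - 10.10.10.5 Mozilla/5.0 200 0 0 120
2015-03-10 22:08:30 192.168.0.1 GET /CFIDE/adminapi/administrator.cfc method=login&adminpassword=&rdsPasswordAllowed=true 80 - 203.0.113.7 fake-useragent 200 0 0 432
2015-03-10 22:08:40 192.168.0.1 GET /CFIDE/administrator/images/icon.jpg - 80 - 203.0.113.7 fake-useragent 200 0 0 432
2015-03-10 22:09:00 192.168.0.1 GET /CFIDE/Administrator/scheduler/scheduletasks.cfm - 80 - 203.0.113.7 fake-useragent 200 0 0 5353
2015-03-10 22:09:10 192.168.0.1 GET /CFIDE/Administrator/scheduler/scheduleedit.cfm submit=Schedule+New+Task 80 - 203.0.113.7 fake-useragent 200 0 0 5432
2015-03-10 22:09:15 192.168.0.1 GET /CFIDE/Administrator/scheduler/scheduletasks.cfm runtask=z&timeout=0 80 - 203.0.113.7 fake-useragent 200 0 0 1000
2015-03-10 22:11:15 192.168.0.1 GET /CFIDE/shell.cfm - 80 - 203.0.113.7 fake-useragent 200 0 0 432
2015-03-10 22:12:00 192.168.0.1 GET /products.cfm id=4 80 - 10.10.10.9 Mozilla/5.0 200 0 0 88
"""

# Hypothetical address space under the organization's control; the post's
# "internal" source means inside the network the organization controls.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Post-compromise activity named in the post; these land in the indicators layer.
INDICATOR_FILES = ("scheduleedit.cfm", "scheduletasks.cfm", "shell.cfm")


class Entry(NamedTuple):
    ts: datetime
    method: str
    stem: str
    query: str
    client_ip: str
    status: int


def parse_iis(text: str) -> list:
    """Parse W3C extended log lines into Entry records, skipping comments and short lines."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#") or len(f) < 14:
            continue
        ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
        entries.append(Entry(ts, f[3], f[4], f[5], f[8], int(f[10])))
    return entries


def layer_for(e: Entry) -> Optional[str]:
    """Map one request to a model layer using the artifacts the post describes."""
    stem, query = e.stem.lower(), e.query.lower()
    if e.status >= 400:
        return None  # a failed request is an attempt, not evidence the layer was reached
    if stem.endswith("/cfide/adminapi/administrator.cfc") and "rdspasswordallowed=true" in query:
        return "exploit"  # the administrator login bypass request
    if stem.endswith("/cfide/administrator/images/icon.jpg"):
        return "payload"  # admin panel rendered, so the exploit's outcome was admin access
    if any(stem.endswith("/" + name) for name in INDICATOR_FILES):
        return "indicators"
    return None


def source_location(ip: str) -> str:
    """Classify the source as internal or external to the organization's network."""
    addr = ipaddress.ip_address(ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def organize(log_text: str, alert_time: str, window_minutes: int) -> dict:
    """Pivot on the indicator that fired at alert_time ("YYYY-MM-DD HH:MM:SS"),
    keep that client's requests within +/- window_minutes (temporal proximity),
    and sort them into the model's layers."""
    pivot_ts = datetime.strptime(alert_time, "%Y-%m-%d %H:%M:%S")
    window = timedelta(minutes=window_minutes)
    entries = parse_iis(log_text)
    pivot = next(e for e in entries if e.ts == pivot_ts and layer_for(e) == "indicators")
    # Temporal proximity narrows the haystack; the client address then separates
    # the attacker's remnants from normal traffic that fell inside the same window.
    related = [e for e in entries
               if e.client_ip == pivot.client_ip and abs(e.ts - pivot_ts) <= window]
    layers = {"exploit": [], "payload": [], "indicators": [], "unclassified": []}
    for e in related:
        layers[layer_for(e) or "unclassified"].append(e)
    layers["source"] = {"ip": pivot.client_ip, "location": source_location(pivot.client_ip)}
    # The artifacts sit in the web server log, so the exploit arrived over HTTP.
    layers["delivery_mechanism_exploit"] = "HTTP"
    # The bypass yields admin access directly; nothing further had to be delivered.
    layers["delivery_mechanism_payload"] = None
    return layers


if __name__ == "__main__":
    result = organize(IIS_LOG, "2015-03-10 22:09:10", 5)
    for layer in ("source", "delivery_mechanism_exploit", "exploit",
                  "delivery_mechanism_payload", "payload", "indicators"):
        print(f"{layer}: {result[layer]}")
```

<span style="font-family: Verdana, sans-serif;">Running it prints one line per layer. Narrowing the window shows the trade-off the temporal context section describes: make it too tight and the bypass request from 40 seconds before the alert drops out of the exploit layer, make it too wide and more unrelated traffic lands inside it and has to be separated by other factors, here the client address.</span><br />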
<br />
<span style="font-family: Verdana, sans-serif;">Applying the Compromise Root Cause Analysis Model to this hypothetical web server compromise made it easier to review the remnants left by the attacker and identify the attack vector they used.</span><br />
<br />
<h2>
Root Cause Analysis Is Easier with a Methodical Process</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">The Compromise Root Cause Analysis Model is a cyclical, methodical process one can use to perform root cause analysis. The model is a way to organize the information and artifacts discovered during an investigation for each system involved in the attack. It is a repeatable investigation process that enables the questions of how and when the compromise occurred to be answered.</span><br />
<br />
<br />
<br />
<span style="font-family: Verdana, sans-serif;"><strong>References</strong></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Carvey, H. (2005). Locard's Exchange Principle in the Digital World. Retrieved from <a href="http://windowsir.blogspot.com/2005/01/locards-exchange-principle-in-digital.html">http://windowsir.blogspot.com/2005/01/locards-exchange-principle-in-digital.html</a></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Harrell, C. (2010). Attack Vector Artifacts. Retrieved from <a href="http://journeyintoir.blogspot.com/2010/11/attack-vector-artifacts.html">http://journeyintoir.blogspot.com/2010/11/attack-vector-artifacts.html</a></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Harrell, C. (2012). Compromise Root Cause Analysis Model. Retrieved from <a href="http://journeyintoir.blogspot.com/2012/06/compromise-root-cause-analysis-model.html">http://journeyintoir.blogspot.com/2012/06/compromise-root-cause-analysis-model.html</a></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Harrell, C. (2012). Malware Root Cause Analysis. Retrieved from <a href="http://journeyintoir.blogspot.com/2012/07/malware-root-cause-analysis.html">http://journeyintoir.blogspot.com/2012/07/malware-root-cause-analysis.html</a></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Harrell, C. (2014). Malware Root Cause Analysis: Don't Be a Bone Head (slide deck). Retrieved from <a href="http://journeyintoir.blogspot.com/2014/06/malware-root-cause-analysis-dont-be.html">http://journeyintoir.blogspot.com/2014/06/malware-root-cause-analysis-dont-be.html</a></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Hogfly. (2008). Footprints in the Snow. Retrieved from <a href="http://forensicir.blogspot.com/2008/12/footprints-in-snow.html">http://forensicir.blogspot.com/2008/12/footprints-in-snow.html</a></span><br />
<br />
<h2>
The Jock Becomes the Geek</h2>
<span style="font-family: Verdana, sans-serif;">Published 2015-02-22.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">We interrupt the normal DFIR programming on this blog for a different kind of post. A post about a situation I found myself in. It's a story others may find amusing or that may cause them to have empathy for me. It's a story about how I evolved from being a jock to walking amongst the DFIR geeks.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhL6GQsRO_Ig2rMty0uz0yF1mdiee6k_Eih7ELIqvn0CkRxT9-l7DPhGoPUMYwIbIHlYUrNYyZIFWqQGtVLKTv0bB_4tXYd3C9MvmTg_8pkM_uxPYMofZTgMORJHd7Bb6rXrGw5kNnE8hc/s1600/ogre.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhL6GQsRO_Ig2rMty0uz0yF1mdiee6k_Eih7ELIqvn0CkRxT9-l7DPhGoPUMYwIbIHlYUrNYyZIFWqQGtVLKTv0bB_4tXYd3C9MvmTg_8pkM_uxPYMofZTgMORJHd7Bb6rXrGw5kNnE8hc/s1600/ogre.jpg" height="176" width="200" /></a><span style="font-family: Verdana, sans-serif;">In high school I didn't pay any mind to the so called “cliques.” If I had to be categorized then I guess it would have been a jock. I was a three sport athlete who enjoyed the social life outside of school. I wasn’t into any of the things people tend to talk about to show their “geek credentials.” I didn’t care about technology (outside of video games), didn’t use computers, and definitely didn’t play any of the so called “geeky” games like Dungeons and Dragons. Heck, I didn’t even have a drive to learn since I was only going through the motions.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">So at this point you may be wondering what the hell happened to me. To go from an athlete who didn't care about technology and learning to someone who is passionate about one of the most technical areas within the information security field and spends their free time researching “geeky” things. What happened to me was a life changing experience.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">After I graduated high school I was working for an organization that provided for people with disabilities. I have the utmost respect for the people whose calling is in this field, caring for one of the most vulnerable populations in our society. Without these organizations, there is a risk of returning to the institutions where this population was mistreated and abused for years. The people working in this field have been some of the most caring people I have ever met. My mom was one of them, and growing up she would bring me to the places where she worked. Now back to my story. I was a floater in the organization I worked for. Floaters worked in the residences where the people lived and did not have a set house they would always work in. We floated from house to house based on where coverage was needed. The houses varied in the functional levels of the people who lived there. Some had high functioning individuals who had jobs and took care of themselves; my job was more of a mentor than a direct care worker. Other houses had lower functioning individuals; my job was direct care, taking care of their every need. Going into this job I knew what I was in for and what the nature of the work could involve.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">One day I was working at a low functioning house. During my shift, an individual who was confined to a wheelchair had an accident that involved a bowel movement. I wasn't sure how it played out with my coworker but it was my turn. It was the turn of a 19-year-old kid to clean up an adult who had an accident. I had worked in this position for some time but this was the first time I encountered having to attempt anything like this. As we entered the bathroom I noticed the most awful smell I have ever smelled. Mind you, we had just walked into the bathroom and the bowel smell quickly overcame what little fresh air was left in the room. I started to envision what I had to do next. The images running through my mind, along with the smell, were making me more and more nauseous. That is when I blew chunks in the direction of the toilet as I dropped to my knees, getting sicker and sicker as tears started rolling down my face. I mumbled and grunted to my coworker; something along the lines of "I can't. I can't. I can’t. I can't stop getting sick." She was one of the people I worked with who had a serving heart, but looking back on this almost 18 years later I think she took pity on me. A 19-year-old kid who looked like a mess and was on his knees throwing up into the toilet. Each time I breathed in what smelled worse than death, the toilet called my name again. I tried to leave. Believe me, I tried to leave to get fresh air. Boy, how many times did I try to leave? The smell; that horrible, horrible smell. At one point, I stood up to leave and I saw my coworker attending to the individual. That provided visuals to go along with the smell and things became worse.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">I don't remember how long this went on for or what happened afterwards. All I know is this experience had a significant impact on my life. Again, I have the utmost respect for those who work in this field, but the experience taught me the work was not meant for me and my weak stomach. The experience stuck with me and impacted me when I was joining the Marines a year later. I had the pick of any job I wanted in the Marines. I only wanted a job that kept me far away from going through the experience again. I picked what in my mind was the complete opposite of the field where I had this experience. I picked a technology field where I thought I would never again be responsible for caring for other people. (Please keep in mind, when I made this decision I was 19 and had a lot to learn.) This decision, based on my experience, is what made the jock become a geek. The rest of my story is history, as I had a guiding hand leading me down the path where I eventually found my passion amongst the DFIR geeks. A community where if you have the technical skills and knowledge then you are accepted as one of their own even if you lack the traditional "geek credentials."</span><br />
<br />
<h2>
Process Hollowing Meets Cuckoo Sandbox</h2>
<span style="font-family: Verdana, sans-serif;">Published 2015-02-04.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Growing up I loved to watch horror movies. In hindsight, they scared the crap out of me, probably because I was too young to watch them. One such movie was the 1986 movie Night of the Creeps. Alien slugs enter through people's mouths and eventually take over their bodies. A classic body snatchers style movie that had me worried for a few days when talking too close to people. Process hollowing (aka process replacement) is a technique malware uses to overwrite a running process with malicious code. To me it's the technical equivalent of those alien body snatchers. This post explores process hollowing techniques using the Cuckoo Sandbox.</span><br />
<br />
<h2>
Process Hollowing (aka Process Replacement)</h2>
<span style="font-family: Verdana, sans-serif;">In my post <a href="http://journeyintoir.blogspot.com/2014/12/prefetch-file-meet-process-hollowing_17.html">Prefetch File Meet Process Hollowing</a> I walked through what process hollowing is, but for completeness I’ve copied what I wrote below:</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Malware uses various techniques to covertly execute code on systems. One such technique is process hollowing, which is also known as process replacement.</span><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">The book <a href="http://www.nostarch.com/malware">Practical Malware Analysis</a> states the following in regards to this technique:</span><br />
<br />
<span style="font-family: Verdana, sans-serif;"><em>"Process replacement is used when a malware author wants to disguise malware as a legitimate process, without the risk of crashing a process through the use of process injection.</em></span><br />
<br />
<span style="font-family: Verdana, sans-serif;"><em>Key to process replacement is creating a process in a suspended state. This means that the process will be loaded into memory, but the primary thread of the process is suspended. The program will not do anything until an external program resumes the primary thread, causing the program to start running"</em></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">In addition, the book <a href="http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118825098.html">The Art of Memory Forensics</a> states the following:</span><br />
<br />
<span style="font-family: Verdana, sans-serif;"><em>"A malicious process starts a new instance of a legitimate process (such as lsass.exe) in suspended mode. Before resuming it, the executable section(s) are freed and reallocated with malicious code."</em></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">In essence, process hollowing is when a process is started in the suspended state, code is injected into the process to overwrite the original data, and when the process is resumed the injected code is executed. Everything about the process initially appears to reflect the original process, similar to how everything about the person initially appears to be the original person. Upon closer inspection, it becomes clear that everything is not what it seems. The process behaves differently (such as in its network communications) and the code inside the process is not the original code. This is very similar to the person behaving differently (such as trying to eat you) while the biological material inside the person is not the original biological material.</span><br />
<br />
<h2>
A Common Process Hollowing Technique</h2>
<span style="font-family: Verdana, sans-serif;">Through observation, the characters in Night of the Creeps figured out how people’s bodies were snatched: slugs went from one person’s mouth to another person’s mouth. After observing this method the characters put tape over their mouths and were able to fight the zombies without becoming one themselves. Knowing what technique was used to snatch a body enabled the characters to defend themselves. The same can be said about process hollowing: knowing how the technique looks enables you to spot the zombified processes. One of the more publicized techniques is described in the Practical Malware Analysis book (lab 12-2 solution on page 590) as well as in Trustwave SpiderLabs’ article <a href="http://blog.spiderlabs.com/2011/05/analyzing-malware-hollow-processes.html">Analyzing Malware Hollow Processes</a>. The sequence of Windows functions, their descriptions, and how they appear during dynamic analysis of the Profoma Invoice.exe sample (<a href="https://malwr.com/analysis/YzFhMjlmZTBlNjk0NGZmOThkZjA3ZmYwYjViMzc5ODA/">md5 ab30c5c81a9b3509d77d83a5d18091de</a>) with the Cuckoo sandbox is as follows:</span><br />
<br />
<span style="font-family: Verdana;"> - </span><a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms682425(v=vs.85).aspx"><span style="font-family: Verdana;">CreateProcessA</span></a><span style="font-family: Verdana;">: creates a new process and the </span><a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms684863(v=vs.85).aspx"><span style="font-family: Verdana;">process creation flag 0x00000004</span></a><span style="font-family: Verdana;"> is used to create the process in the suspended state</span><br />
<span style="font-family: Verdana;"> - </span><a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms679362(v=vs.85).aspx"><span style="font-family: Verdana;">GetThreadContext</span></a><span style="font-family: Verdana;">: retrieves the context of the specified thread for the suspended process</span><br />
<span style="font-family: Verdana;"> - </span><a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms680553(v=vs.85).aspx"><span style="font-family: Verdana;">ReadProcessMemory</span></a><span style="font-family: Verdana;">: reads the image base of the suspended process</span><br />
<span style="font-family: Verdana;"> - </span><a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms683212(v=vs.85).aspx"><span style="font-family: Verdana;">GetProcAddress</span></a><span style="font-family: Verdana;">: according to Practical Malware Analysis, the malware “manually resolves the import UnMapViewofSection using GetProcAddress, the ImageBaseAddress is a parameter of UnMapViewofSection”. Calling the resolved function unmaps the original executable image from the suspended process’s memory, leaving the address space hollow for the code written next.</span><br />
<span style="font-family: Verdana;"> - </span><a href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa366890(v=vs.85).aspx"><span style="font-family: Verdana;">VirtualAllocEx</span></a><span style="font-family: Verdana;">: allocates memory within the suspended process’s address space</span><br />
<span style="font-family: Verdana;"> - </span><a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674(v=vs.85).aspx"><span style="font-family: Verdana;">WriteProcessMemory</span></a><span style="font-family: Verdana;">: writes data of the PE file into the memory just allocated within the suspended process</span><br />
<span style="font-family: Verdana;"> - </span><a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms680632(v=vs.85).aspx"><span style="font-family: Verdana;">SetThreadContext</span></a><span style="font-family: Verdana;">: according to Practical Malware Analysis this function sets the EAX register to the entry point of the executable just written into the suspended process’s memory space. This means the thread of the suspended process is pointing to the injected code so it will execute when the process is resumed</span><br />
<span style="font-family: Verdana;"> - </span><a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms685086(v=vs.85).aspx"><span style="font-family: Verdana;">ResumeThread</span></a><span style="font-family: Verdana;">: resumes the thread of the suspended process executing the injected code</span><br />
<br />
<h3>
Cuckoo Sandbox Showing the Common Process Hollowing Technique</h3>
<span style="font-family: Verdana, sans-serif;"><a href="http://www.cuckoosandbox.org/">Cuckoo Sandbox</a> is an open source automated malware analysis system. In their own words "<em>it simply means that you can throw any suspicious file at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment</em>." <a href="https://malwr.com/">Malwr is a free online malware analysis service</a> that leverages the Cuckoo Sandbox. The Behavioral Analysis section outlines the function calls made during execution. The pictures below show the Profoma Invoice.exe sample’s (<a href="https://malwr.com/analysis/YzFhMjlmZTBlNjk0NGZmOThkZjA3ZmYwYjViMzc5ODA/">md5 ab30c5c81a9b3509d77d83a5d18091de</a>) function calls that perform process hollowing.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">The image below shows Profoma Invoice.exe creating a process in the suspended state. The suspended process’ handle is 0x00000088 and thread handle is 0x0000008c.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-1WuvG8jnubQT9qQKa0D-OzmEJcGl4gRJL0wldC7KmgLNcguAwdmKMZiF0uZG-x4Exf9yYZzFQtsMt312925-Yh6v0swcALYXhDR6VmCmJ9IxbnvZWjG-qQKm9Qwz4AipbTihhCtdNRI/s1600/1_CreateProcess.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-1WuvG8jnubQT9qQKa0D-OzmEJcGl4gRJL0wldC7KmgLNcguAwdmKMZiF0uZG-x4Exf9yYZzFQtsMt312925-Yh6v0swcALYXhDR6VmCmJ9IxbnvZWjG-qQKm9Qwz4AipbTihhCtdNRI/s1600/1_CreateProcess.jpg" height="222" width="640" /></a></div>
<br />
<span style="font-family: Verdana, sans-serif;">The next image shows Profoma Invoice.exe retrieving the context of the suspended process since it references the thread handle 0x0000008c.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjukwWS3uxxYurZWhjTGhakOSNxEtS-93Wkq7KmgfekisAHbYSo4SLf7TlBagbbwZcuTgShKSkoNgVdMxLlvjfLjlQVvCKNuda2oACefjlD1wCSejy-LBvpidGJKaWPH0siYHTsglICFEA/s1600/2_GetThreadContext.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjukwWS3uxxYurZWhjTGhakOSNxEtS-93Wkq7KmgfekisAHbYSo4SLf7TlBagbbwZcuTgShKSkoNgVdMxLlvjfLjlQVvCKNuda2oACefjlD1wCSejy-LBvpidGJKaWPH0siYHTsglICFEA/s1600/2_GetThreadContext.jpg" height="42" width="640" /></a></div>
<br />
<span style="font-family: Verdana, sans-serif;">The image below shows Profoma Invoice.exe reading the image base of the suspended process since it references the process handle 0x00000088.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijE711Il8VWVzi8raERXmKR1-gjDfE8oB9F9DfHLv_fKmfc0A3UUZvBtPIHQr78yFFcRLCTbd2rIqBSCRy-ZJpF1h25BLHY1ITKGLbq3rVaUHKeTQwUSTuNXCIuBSgz-sPIe8-fJhy5e0/s1600/3_ReadProcessMemory.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijE711Il8VWVzi8raERXmKR1-gjDfE8oB9F9DfHLv_fKmfc0A3UUZvBtPIHQr78yFFcRLCTbd2rIqBSCRy-ZJpF1h25BLHY1ITKGLbq3rVaUHKeTQwUSTuNXCIuBSgz-sPIe8-fJhy5e0/s1600/3_ReadProcessMemory.jpg" height="74" width="640" /></a></div>
<br />
<span style="font-family: Verdana, sans-serif;">The image below shows Profoma Invoice.exe getting the addresses of the UnMapViewofSection and VirtualAllocEx function calls.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtjgdrbfpPQ0DD7ETWT75h4m7FIPlwZcB0O2cs9-laG4Xo_eP-4mSqczri_qUZ975WqCBE1pW24Jr4kxg1GtWZPYKwABFVDAD0RIqKs6mi97KomgWUgBaQPgiit3i3Kf0tD7PME2KRfus/s1600/4_GetProcAddress.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtjgdrbfpPQ0DD7ETWT75h4m7FIPlwZcB0O2cs9-laG4Xo_eP-4mSqczri_qUZ975WqCBE1pW24Jr4kxg1GtWZPYKwABFVDAD0RIqKs6mi97KomgWUgBaQPgiit3i3Kf0tD7PME2KRfus/s1600/4_GetProcAddress.jpg" height="236" width="640" /></a></div>
<br />
<span style="font-family: Verdana, sans-serif;">The images below show Profoma Invoice.exe writing a PE file into the address space of the suspended process since it references the process handle 0x00000088. It takes multiple WriteProcessMemory function calls to write the entire PE file.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-gj1lBAKHsCDSkBMkUgTVzZzK05Y7auvX_I1gZy3-PcHD4u40ysBmHj1yu-cYwz0DJSDt7vve0kNkqjYa722vd12cC-8dyyjam5tjeC5CAVX3KdUBjwEIRyzU5n_VqonJwwPFFsiiwXc/s1600/5_WriteProcessMemory.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-gj1lBAKHsCDSkBMkUgTVzZzK05Y7auvX_I1gZy3-PcHD4u40ysBmHj1yu-cYwz0DJSDt7vve0kNkqjYa722vd12cC-8dyyjam5tjeC5CAVX3KdUBjwEIRyzU5n_VqonJwwPFFsiiwXc/s1600/5_WriteProcessMemory.jpg" height="294" width="640" /></a></div>
<br />
<span style="font-family: Verdana, sans-serif;">The image below shows Profoma Invoice.exe setting the thread context for the suspended process since it references the thread handle 0x0000008c.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-s58xmWn9xlCcYWYoVGw2YyG1IGaz5niqqlg2KiT656_lzPXODrGYRatC-u0wYpvG02KtWvH7kZSlUlVmlq4Ws-jSCmnYFUhjfILhyVR_8-bEz5YKIvi4N3GmYXJxtiz2I3D2ru_u7h4/s1600/6_SetThreadContext.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-s58xmWn9xlCcYWYoVGw2YyG1IGaz5niqqlg2KiT656_lzPXODrGYRatC-u0wYpvG02KtWvH7kZSlUlVmlq4Ws-jSCmnYFUhjfILhyVR_8-bEz5YKIvi4N3GmYXJxtiz2I3D2ru_u7h4/s1600/6_SetThreadContext.jpg" height="42" width="640" /></a></div>
<br />
<span style="font-family: Verdana, sans-serif;">The image below shows Profoma Invoice.exe resuming the suspended thread to execute the injected code.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjbjrL7Gr80C2Hcuz74JWHeeP9JQeSQEUDCzQNVfEh_i8uHud0SMopywQQ_5hNNtLC3sImL70go7tOWcvlMS4uENbq-6T_f1ZBvHRoZ5jDMf5OR7GGWcDO_l2ElVoUprouH-IR_lp-8WE/s1600/7_ResumeThread.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjbjrL7Gr80C2Hcuz74JWHeeP9JQeSQEUDCzQNVfEh_i8uHud0SMopywQQ_5hNNtLC3sImL70go7tOWcvlMS4uENbq-6T_f1ZBvHRoZ5jDMf5OR7GGWcDO_l2ElVoUprouH-IR_lp-8WE/s1600/7_ResumeThread.jpg" height="56" width="640" /></a></div>
<br />
<h3>
Cuckoo Sandbox Detecting the Common Process Hollowing Technique</h3>
<span style="font-family: Verdana, sans-serif;">Cuckoo Sandbox detects malware functionality using signatures. The image below shows Malwr detecting the common process hollowing technique used by Profoma Invoice.exe (<a href="https://malwr.com/analysis/YzFhMjlmZTBlNjk0NGZmOThkZjA3ZmYwYjViMzc5ODA/">md5 ab30c5c81a9b3509d77d83a5d18091de</a>).</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhB8C9jhEFUNvlYb4volPhHV-033bL1yUyqI4lfedUc0OUXBGElxiquWdX9f6hV_fg8hUvC3UmpCjR0Ou4hxCCmfO9uoh9uhlFfFQ_hnfzoABDoeASNjVemSoKKW1Siop_5-YmIEJbBOTo/s1600/8_Detecting-process-hollowing.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhB8C9jhEFUNvlYb4volPhHV-033bL1yUyqI4lfedUc0OUXBGElxiquWdX9f6hV_fg8hUvC3UmpCjR0Ou4hxCCmfO9uoh9uhlFfFQ_hnfzoABDoeASNjVemSoKKW1Siop_5-YmIEJbBOTo/s1600/8_Detecting-process-hollowing.jpg" height="230" width="640" /></a></div>
<br />
<span style="font-family: Verdana, sans-serif;">The signature detecting process hollowing reports it as “executed a process and injected code into it, probably while unpacking.” The signature is named <a href="https://github.com/cuckoobox/community/blob/master/modules/signatures/injection_runpe.py">injection_runpe.py</a> and is available in the <a href="https://github.com/cuckoobox/community">Community Signatures</a>. It is open source, so anyone can read it to see how it detects this behavior. The image below shows the portion of the signature that detects the sequence of function calls outlined earlier.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQA4uEWZB774F7u6lo_HUqwqO5BqlYzSX-gGs5oNPSifKHgUqMJmEUDs-2kYYWM4PWLzib3WGcgtOIFHs77yPkVugWRZQ1DFA1nfIge64MsAtENe_pWjYPlp7FZzfnrPdi82XKqeqiKss/s1600/9_injection-runpe.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQA4uEWZB774F7u6lo_HUqwqO5BqlYzSX-gGs5oNPSifKHgUqMJmEUDs-2kYYWM4PWLzib3WGcgtOIFHs77yPkVugWRZQ1DFA1nfIge64MsAtENe_pWjYPlp7FZzfnrPdi82XKqeqiKss/s1600/9_injection-runpe.jpg" height="248" width="640" /></a></div>
<br />
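<span style="font-family: Verdana, sans-serif;">As an added example (my own code, not Cuckoo’s injection_runpe signature or anything from the post), the Python below applies the same idea the signature uses to a constructed call trace in the shape of Cuckoo’s behavioral log: remember the process and thread handles returned by a suspended CreateProcess, then report the process once code has been placed in it and its thread is resumed. It goes slightly beyond the sequence listed above by also recognizing the section-mapping variant (NtCreateSection, ZwMapViewOfSection, NtMapViewOfSection) that the post describes next, and it treats a suspended start followed by a plain resume with nothing written as benign, which is what a debugger or installer looks like. The traces, the argument names and the handle values (which reuse the post’s 0x00000088 and 0x0000008c) are all constructed.</span><br />

```python
"""Flag process hollowing in an API call trace.

Constructed example, not Cuckoo's injection_runpe signature. Each trace entry
mirrors one row of Cuckoo's behavioral log: an API name plus its arguments.
"""

CREATE_SUSPENDED = 0x00000004   # CreateProcess creation flag named in the post
CURRENT_PROCESS = 0xFFFFFFFF    # pseudo-handle a process uses for itself

CREATE_APIS = {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"}
WRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory"}
MAP_APIS = {"NtMapViewOfSection", "ZwMapViewOfSection"}
CONTEXT_APIS = {"SetThreadContext", "NtSetContextThread"}
RESUME_APIS = {"ResumeThread", "NtResumeThread"}


def api_call(api, **args):
    """Build one trace entry; the argument names are this example's own."""
    return {"api": api, "args": args}


def detect_hollowing(trace):
    """Return (technique, process_handle, thread_context_was_set) for each
    hollowed process. A process is reported only if it was created suspended,
    code was placed in it by WriteProcessMemory (classic RunPE) or by mapping
    a section into it (the variant the post covers next), and its thread was
    then resumed."""
    suspended = {}   # process handle -> what has happened to it so far
    findings = []
    for entry in trace:
        api, args = entry["api"], entry["args"]
        if api in CREATE_APIS:
            if args.get("creation_flags", 0) & CREATE_SUSPENDED:
                suspended[args["process_handle"]] = {
                    "thread": args["thread_handle"],
                    "written": False, "mapped": False, "context_set": False}
        elif api in WRITE_APIS and args.get("process_handle") in suspended:
            suspended[args["process_handle"]]["written"] = True
        elif api in MAP_APIS and args.get("process_handle") in suspended:
            # A map into CURRENT_PROCESS is the malware's own space and is
            # never a key of `suspended`, so it is ignored here.
            suspended[args["process_handle"]]["mapped"] = True
        elif api in CONTEXT_APIS:
            for state in suspended.values():
                if state["thread"] == args.get("thread_handle"):
                    state["context_set"] = True
        elif api in RESUME_APIS:
            for handle, state in suspended.items():
                if state["thread"] != args.get("thread_handle"):
                    continue
                if state["written"]:
                    findings.append(("runpe_writeprocessmemory", handle, state["context_set"]))
                elif state["mapped"]:
                    findings.append(("section_mapping", handle, state["context_set"]))
                # Suspended start then a plain resume with nothing placed: benign.
    return findings


# Constructed trace mirroring the Profoma Invoice.exe sequence from the post.
CLASSIC_TRACE = [
    api_call("CreateProcessA", creation_flags=0x00000004, process_handle=0x88, thread_handle=0x8C),
    api_call("GetThreadContext", thread_handle=0x8C),
    api_call("ReadProcessMemory", process_handle=0x88),
    api_call("GetProcAddress", function_name="UnmapViewOfSection"),
    api_call("VirtualAllocEx", process_handle=0x88),
    api_call("WriteProcessMemory", process_handle=0x88),
    api_call("WriteProcessMemory", process_handle=0x88),
    api_call("SetThreadContext", thread_handle=0x8C),
    api_call("ResumeThread", thread_handle=0x8C),
]

# Constructed trace mirroring the Kroger_OrderID.exe section-mapping variant.
SECTION_TRACE = [
    api_call("CreateProcessA", creation_flags=0x00000004, process_handle=0x90, thread_handle=0x94),
    api_call("ReadProcessMemory", process_handle=0x90),
    api_call("NtCreateSection", section_handle=0xA0),
    api_call("NtCreateSection", section_handle=0xA4),
    api_call("ZwMapViewOfSection", section_handle=0xA0, process_handle=CURRENT_PROCESS),
    api_call("ZwMapViewOfSection", section_handle=0xA4, process_handle=0x90),
    api_call("NtMapViewOfSection", section_handle=0xA0, process_handle=0x90),
    api_call("ResumeThread", thread_handle=0x94),
]

# Constructed benign trace: a suspended start followed by a resume, as a
# debugger or installer would do, with no code placed in the child.
BENIGN_TRACE = [
    api_call("CreateProcessA", creation_flags=0x00000004, process_handle=0x70, thread_handle=0x74),
    api_call("ResumeThread", thread_handle=0x74),
]

if __name__ == "__main__":
    for name, trace in (("classic", CLASSIC_TRACE), ("section", SECTION_TRACE), ("benign", BENIGN_TRACE)):
        print(name, detect_hollowing(trace))
```

<span style="font-family: Verdana, sans-serif;">Keying the state on the handles returned by CreateProcess, rather than on the bare order of API names, is what keeps the detector from firing on unrelated WriteProcessMemory calls to other processes; the third element of each finding records whether SetThreadContext was seen, which separates the classic sequence from the section-mapping one in a report.</span><br />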
<h2>
A Different Process Hollowing Technique</h2>
<span style="font-family: Verdana, sans-serif;">The process hollowing technique outlined above is well publicized and is the technique I normally expected to see. It was as if I had tape on my mouth waiting for a zombified friend to come strolling down the street. There is more than one way to perform an action, just as there is more than one way to snatch a body. In the 1998 movie The Faculty an unknown creature snatched bodies by entering through the ear. Now imagine what would have happened to the characters from Night of the Creeps encountering these body snatchers. The zombified bodies are harder to spot since they don’t look like zombies. Trying to defend themselves with tape on their mouths and baseball bats in hand would be short lived. The tape offers no protection since the creatures enter through the ear. It’s a different technique with the same result. Process hollowing is similar, with different techniques ending in the same result.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">I was a bit surprised back in December when I saw the behavior in the image below after I ran the sample Kroger_OrderID.exe (<a href="https://malwr.com/analysis/YjczMGI5ZWVmNjViNGFhOWFhNmJlNjg1OTM5NzNkYWI/">md5 1de7834ba959e734ad701dc18ef0edfc</a>) through a sandbox.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPK6wv_vRYbwqQ36xNFnjtH0G3HryaLjZpbJFKEXQ4KfMb6Cg7wG2JHVr5vTMNi8EF2h8dIrVja_ONUKVv-_7CqyEtIpJ_Zp8HT4I7kEc4Lq-6g6l02P8PFWOXnnq8bKcZfZ5IClhUwlo/s1600/10_different-process-hollowing.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPK6wv_vRYbwqQ36xNFnjtH0G3HryaLjZpbJFKEXQ4KfMb6Cg7wG2JHVr5vTMNi8EF2h8dIrVja_ONUKVv-_7CqyEtIpJ_Zp8HT4I7kEc4Lq-6g6l02P8PFWOXnnq8bKcZfZ5IClhUwlo/s1600/10_different-process-hollowing.jpg" height="360" width="640" /></a></div>
<br />
<span style="font-family: Verdana, sans-serif;">The behavior clearly shows that Kroger_OrderID.exe is going to perform process hollowing since it started the svchost.exe process in a suspended state (creation flag 0x00000004). However, the function calls afterwards are not the typical well publicized ones; this was a different technique. After a bit of searching I found the Lexsi article <a href="http://www.lexsi-leblog.com/cert-en/overview-kronos-banking-malware-rootkit.html">Overview of the Kronos banking malware rootkit</a>, which breaks down how this technique works. (The article also shows how to use <a href="https://github.com/volatilityfoundation/volatility">Volatility</a> to analyze this technique.) I summarized below the Windows function sequence and their descriptions as outlined in the article:</span><br />
<br />
<span style="font-family: Verdana;"> - </span><a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms682425(v=vs.85).aspx"><span style="font-family: Verdana;">CreateProcessA</span></a><span style="font-family: Verdana;">: creates a new process and the </span><a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms684863(v=vs.85).aspx"><span style="font-family: Verdana;">process creation flag 0x00000004</span></a><span style="font-family: Verdana;"> is used to create the process in the suspended state</span><br />
<span style="font-family: Verdana;"> - </span><a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms680553(v=vs.85).aspx"><span style="font-family: Verdana;">ReadProcessMemory</span></a><span style="font-family: Verdana;">: reads image base of the suspended process</span><br />
<span style="font-family: Verdana;"> - </span><a href="https://msdn.microsoft.com/en-us/library/windows/hardware/ff556473(v=vs.85).aspx"><span style="font-family: Verdana;">NtCreateSection</span></a><span style="font-family: Verdana;">: creates two read/write/execute sections </span><br />
<span style="font-family: Verdana;"> - </span><a href="https://msdn.microsoft.com/en-us/library/windows/hardware/ff566481(v=vs.85).aspx"><span style="font-family: Verdana;">ZwMapViewOfSection</span></a><span style="font-family: Verdana;">: maps the read/write/execute sections into the malware’s address space</span><br />
<span style="font-family: Verdana;"> - </span><a href="https://msdn.microsoft.com/en-us/library/windows/hardware/ff566481(v=vs.85).aspx"><span style="font-family: Verdana;">ZwMapViewOfSection</span></a><span style="font-family: Verdana;">: maps the second section into the suspended process’s address space (this section is therefore shared between both processes).</span><br />
<span style="font-family: Verdana;"> - </span><a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms680553(v=vs.85).aspx"><span style="font-family: Verdana;">ReadProcessMemory</span></a><span style="font-family: Verdana;">: reads the suspended process’s image, starting at its image base, into section 1</span><br />
<span style="font-family: Verdana;"> - </span><a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms680553(v=vs.85).aspx"><span style="font-family: Verdana;">ReadProcessMemory</span></a><span style="font-family: Verdana;">: reads the malware’s image, starting at its image base, into section 2</span><br />
<span style="font-family: Verdana;"> - </span><a href="https://msdn.microsoft.com/en-us/library/windows/hardware/ff556551(v=vs.85).aspx"><span style="font-family: Verdana;">NtMapViewOfSection</span></a><span style="font-family: Verdana;">: overwrites the suspended process's entry point code by mapping section 1 to the new process base address</span><br />
<span style="font-family: Verdana;"> - </span><a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms685086(v=vs.85).aspx"><span style="font-family: Verdana;">ResumeThread</span></a><span style="font-family: Verdana;">: resumes the thread of the suspended process executing the injected code</span><br />
<br />
<h3>
Cuckoo Sandbox Showing the Different Process Hollowing Technique</h3>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">The Behavioral Analysis section outlines the function calls made during execution. The pictures below show the sample Kroger_OrderID.exe (<a href="https://malwr.com/analysis/YjczMGI5ZWVmNjViNGFhOWFhNmJlNjg1OTM5NzNkYWI/">md5 1de7834ba959e734ad701dc18ef0edfc</a>) function calls performing the different process hollowing technique.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">The image below shows the first three function calls. The sample Kroger_OrderID.exe creates a suspended process with the thread handle 0x00000608 and process handle 0x00000604. Next the ReadProcessMemory function reads the image base of the suspended process due to the reference to process handle 0x00000604. The NtCreateSection function then creates the second read/write/execute section with the section handle 0x000005f8.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQYLPzhlbFrwIod9zVz6p5iJNlT-Wp-NDW90wuTv7NvQBIiKPpWqxSStHqdmxahHDJJi26Cl4UrJX07fPgI5cUJOtvZ77BY8aC8Rc24-kxU5P8Y0n7ReYe0hN13BKA-EAFb_iEZpfFmVg/s1600/11_CreateProcess-ntcreatesection.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQYLPzhlbFrwIod9zVz6p5iJNlT-Wp-NDW90wuTv7NvQBIiKPpWqxSStHqdmxahHDJJi26Cl4UrJX07fPgI5cUJOtvZ77BY8aC8Rc24-kxU5P8Y0n7ReYe0hN13BKA-EAFb_iEZpfFmVg/s1600/11_CreateProcess-ntcreatesection.jpg" height="362" width="640" /></a></div>
<br />
<span style="font-family: Verdana, sans-serif;">The image below shows the next three function calls. The ZwMapViewOfSection function maps the read/write/execute section into the malware’s address space, as shown by the section handle 0x000005f8 being referenced. The next ZwMapViewOfSection maps the second section into the suspended process’s address space, as shown by both the section handle 0x000005f8 and the process handle 0x00000604 being referenced. Then the ReadProcessMemory function reads the malware’s image into the section. Not shown in the image is the ReadProcessMemory function referencing the process handle 0x00000604.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGdsEgaDZJN8Ub05fUohsZEndiv5FMeKPpEeHv1QOekThyphenhypheny4kKl_Qoyl2bjDYZ0rzcvWVa2xBrPGuW9FFgfVBGLMQQD6GqvKF23limEer7tglKN59PVhzuB94UA5eiXLhBQiqMVTH2egQ/s1600/12_ntmapviewofsection.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGdsEgaDZJN8Ub05fUohsZEndiv5FMeKPpEeHv1QOekThyphenhypheny4kKl_Qoyl2bjDYZ0rzcvWVa2xBrPGuW9FFgfVBGLMQQD6GqvKF23limEer7tglKN59PVhzuB94UA5eiXLhBQiqMVTH2egQ/s1600/12_ntmapviewofsection.jpg" height="420" width="640" /></a></div>
<br />
<span style="font-family: Verdana, sans-serif;">The image below shows the remaining four functions. The NtCreateSection function creates the first read/write/execute section with the section handle 0x000005f4. The ZwMapViewOfSection function maps the read/write/execute section between the malware and the suspended process, as shown by the section handle 0x000005f4 and the process handle 0x00000604 both being referenced. This mapping overwrites the entry point code in the suspended process. Finally, the ResumeThread function resumes the thread of the suspended process, executing the injected code.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxjGkeVr-QdP3h7N1a9hFkjsYGWXDlVf77qvGvyKUQqYuLKyO4zKxcURi4Ag3BZ3t_7ub7quZf5bBpYN9Kh5pAwQjeF0zfdmVNsodm7MaI2QFKhXO7z9lSkZ8QFbsV8vAbkPUzNrDl0J4/s1600/13_createsection_ntmapview-resume.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxjGkeVr-QdP3h7N1a9hFkjsYGWXDlVf77qvGvyKUQqYuLKyO4zKxcURi4Ag3BZ3t_7ub7quZf5bBpYN9Kh5pAwQjeF0zfdmVNsodm7MaI2QFKhXO7z9lSkZ8QFbsV8vAbkPUzNrDl0J4/s1600/13_createsection_ntmapview-resume.jpg" height="390" width="640" /></a></div>
<br />
<h3>
Cuckoo Sandbox Detecting the Different Process Hollowing Technique</h3>
<span style="font-family: Verdana, sans-serif;"><strong></strong></span><br />
<span style="font-family: Verdana, sans-serif;"><strong></strong></span><br />
<span style="font-family: Verdana, sans-serif;"><strong>**** Updated on 02/04/15 *****</strong></span><br />
<span style="font-family: Verdana, sans-serif;"><br />This section of the blog has been edited since it was published earlier today. In the original blog post I highlighted how the injection_runpe.py signature did not detect this injection technique, and I shared a signature I put together to detect it.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /><a href="https://github.com/brad-accuvant/">Brad Spengler</a> sent me an email about what I was seeing. He mentioned that a change did not make it into the updated injection_runpe.py signature. Specifically, he mentioned the plugin is looking for NtMapViewOfSection, which he uses in his Cuckoo Sandbox, instead of looking for the older ZwMapViewOfSection. I modified the injection_runpe.py signature by renaming NtMapViewOfSection to ZwMapViewOfSection (on lines 45 and 51), and afterwards it did detect this technique. As a result, I updated this section of the blog to reflect this, since this post’s purpose was to explore different injection techniques and how Cuckoo can help explore them. <br />
<br /><strong>**** Updated on 02/04/15 *****</strong></span><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Cuckoo Sandbox is able to detect this different process hollowing technique (see the update above about the change made to the injection_runpe.py signature). </span><span style="font-family: Verdana, sans-serif;">Executing the sample Kroger_OrderID.exe (<a href="https://malwr.com/analysis/YjczMGI5ZWVmNjViNGFhOWFhNmJlNjg1OTM5NzNkYWI/">md5 1de7834ba959e734ad701dc18ef0edfc</a>) in Cuckoo results in the following behavior detection.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkdQWm1PoL7JYYzk9hE7Q9csKR-Hcn2WRIn_g7yAYFN5hfa6tYiMDJ0Bw5wBD569TO1wn6L5EaAHvaKqJQm837S6UdTh2-ssTnk5bm-95BBQpGgWMQeRvH_WJaRlBKwT3ncOWse7tp0As/s1600/10_different-process-hollowing_new.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkdQWm1PoL7JYYzk9hE7Q9csKR-Hcn2WRIn_g7yAYFN5hfa6tYiMDJ0Bw5wBD569TO1wn6L5EaAHvaKqJQm837S6UdTh2-ssTnk5bm-95BBQpGgWMQeRvH_WJaRlBKwT3ncOWse7tp0As/s1600/10_different-process-hollowing_new.jpg" height="262" width="640" /></a></div>
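<span style="font-family: Verdana, sans-serif;">To make the sequence above and the Nt/Zw naming gap from the update concrete, here is an added example that is neither the post's code nor Cuckoo's injection_runpe.py: a stand-alone matcher over API-call records in the shape Cuckoo's Behavioral Analysis shows (API name, arguments, return values). It flags a process created with CREATE_SUSPENDED that has one of the sample's own sections mapped into it and is then resumed, accepting both the NtMapViewOfSection and ZwMapViewOfSection spellings; the call log is constructed from the handle values quoted above, not captured from a live run.</span><br />

```python
"""
Added example (not from the post, not Cuckoo's injection_runpe.py): match the
section-mapping variant of process hollowing

    CreateProcess* (CREATE_SUSPENDED) -> NtCreateSection
    -> Nt/ZwMapViewOfSection into the suspended process -> ResumeThread

over a list of API-call records. Nt* and Zw* spellings are folded together,
which is the gap the 02/04/15 update describes.
"""
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004

CREATE_PROCESS = {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"}
CREATE_SECTION = {"NtCreateSection", "ZwCreateSection"}
MAP_SECTION = {"NtMapViewOfSection", "ZwMapViewOfSection"}
RESUME_THREAD = {"ResumeThread", "NtResumeThread", "ZwResumeThread"}


def detect_section_hollowing(calls):
    """Return one finding per suspended process that had a section mapped
    into it by the sample and was then resumed.

    Each call is a dict: {"api": str, "args": {...}, "ret": {...}}.
    """
    suspended = {}                   # process_handle -> thread_handle
    sections = set()                 # section handles the sample created
    mapped_into = defaultdict(list)  # process_handle -> [section handles]
    findings = []

    for idx, call in enumerate(calls):
        api, args, ret = call["api"], call.get("args", {}), call.get("ret", {})

        if api in CREATE_PROCESS and args.get("creation_flags", 0) & CREATE_SUSPENDED:
            suspended[ret["process_handle"]] = ret["thread_handle"]

        elif api in CREATE_SECTION:
            sections.add(ret["section_handle"])

        elif api in MAP_SECTION:
            proc, sect = args.get("process_handle"), args.get("section_handle")
            # Mapping into the sample's own space is ordinary; mapping one of
            # its own sections into a process it created suspended is the
            # injection step.
            if proc in suspended and sect in sections:
                mapped_into[proc].append(sect)

        elif api in RESUME_THREAD:
            thread = args.get("thread_handle")
            for proc, thr in suspended.items():
                if thr == thread and mapped_into[proc]:
                    findings.append({"process_handle": proc,
                                     "thread_handle": thread,
                                     "sections": list(mapped_into[proc]),
                                     "resume_index": idx})
    return findings


# Constructed call log mirroring the handles quoted in the post (0x604/0x608
# for the suspended svchost.exe, sections 0x5f8 and 0x5f4). 0xFFFFFFFF stands
# for the current-process pseudo-handle.
SAMPLE_CALLS = [
    {"api": "CreateProcessA",
     "args": {"command_line": "svchost.exe", "creation_flags": 0x00000004},
     "ret": {"process_handle": 0x604, "thread_handle": 0x608}},
    {"api": "ReadProcessMemory", "args": {"process_handle": 0x604}, "ret": {}},
    {"api": "NtCreateSection", "args": {}, "ret": {"section_handle": 0x5f8}},
    {"api": "ZwMapViewOfSection",
     "args": {"section_handle": 0x5f8, "process_handle": 0xFFFFFFFF}, "ret": {}},
    {"api": "ZwMapViewOfSection",
     "args": {"section_handle": 0x5f8, "process_handle": 0x604}, "ret": {}},
    {"api": "ReadProcessMemory", "args": {"process_handle": 0x604}, "ret": {}},
    {"api": "NtCreateSection", "args": {}, "ret": {"section_handle": 0x5f4}},
    {"api": "ZwMapViewOfSection",
     "args": {"section_handle": 0x5f4, "process_handle": 0x604}, "ret": {}},
    {"api": "ResumeThread", "args": {"thread_handle": 0x608}, "ret": {}},
]

# Constructed benign log: a suspended child resumed without any section
# mapping (a debugger or installer does this), which must not fire.
BENIGN_CALLS = [
    {"api": "CreateProcessW",
     "args": {"command_line": "child.exe", "creation_flags": 0x00000004},
     "ret": {"process_handle": 0x700, "thread_handle": 0x704}},
    {"api": "ResumeThread", "args": {"thread_handle": 0x704}, "ret": {}},
]

if __name__ == "__main__":
    for hit in detect_section_hollowing(SAMPLE_CALLS):
        print("section-mapping hollowing into process handle 0x%x (sections %s), "
              "resumed at call #%d" % (hit["process_handle"],
                                       ", ".join("0x%x" % s for s in hit["sections"]),
                                       hit["resume_index"]))
    print("benign findings:", detect_section_hollowing(BENIGN_CALLS))
```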
<h2>
Wrapping Things Up</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">We don’t need to sit at our computers wearing headphones and tape on our mouths to hunt down zombified processes within our environments. Process hollowing is an interesting technique and it constantly reminds me about the various body snatcher horror movies I’ve seen. Leveraging the Cuckoo Sandbox makes exploring the various process hollowing techniques even more interesting since it allows for following the sequence of Windows function calls.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Happy hunting, and if you come across any zombies in your travels don’t take any chances and just follow the rule from the movie Zombieland. Rule 2, Double Tap: when in doubt, don't get stingy with your bullets. </span><br />
Corey Harrell (http://www.blogger.com/profile/15008629321023489214), 2015-01-19: Linkz for Detection and Response<br />
<span style="font-family: Verdana, sans-serif;">The fastest way to reach a destination is to learn from those who have traveled parts of the journey you are on. Others may point you in a direction to avoid the obstacles they faced or show you the path through the woods towards your destination. In Information Security, we tend to gain knowledge from others by what they publish: websites, blogs, books, and even their 140 character tweets. The journey I have been on is exploring enterprise security detection and response; actually implementing enterprise detection and response. Implementing them not as standalone processes standing on their own but as two complementary processes that feed into each other. This Linkz post is sharing the works by others I came across whose focus is on detection and response.</span><br />
<span style="font-family: Verdana;"></span><br />
<h2>
Linkz for Incident Response and SIEM</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">I shared these linkz before but they point to some great resources about detection and response. For linkz related to incident response - including the thought process behind IR - refer to the post <a href="http://journeyintoir.blogspot.com/2013/11/linkz-for-incident-response.html">Linkz for Incident Response</a>. For linkz related to detection with a focus on SIEM refer to <a href="http://journeyintoir.blogspot.com/2014/07/linkz-for-siem.html">Linkz for SIEM</a>.</span><br />
<span style="font-family: Verdana;"></span><br />
<h2>
Network Security Operations Management Workflow</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">When it comes to network security there is a wealth of information. How to create a SOC, how to design and deploy IDS sensors, and how to use security monitoring tools are a few of the topics covered. Despite the wealth of information, there is very little about the management workflow for network security monitoring. Securosis released the <a href="https://securosis.com/Research/Publication/network-security-operations-quant-report">Network Security Operations Quant Report</a> about five years ago and it outlines one of the best management workflows I have come across. The Manage Process (<a href="https://securosis.com/assets/library/reports/Securosis_NSOQuant-v1.6_FINAL_.pdf">on page 13</a>) addresses policy review, updating policies &amp; rules, evaluating signatures, deployment, and audit/validation. It's a decent process since it touches on topics I haven't seen addressed elsewhere. At this point I couldn't care less about the metrics portion of the document, but the process portion is worth a look.</span><br />
<span style="font-family: Verdana;"></span><br />
<h2>
Network Security Monitoring Books</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">One thing I tend to look for in detection and response resources is whether they outline a process or a thought process. Tools are great and all, but it's pretty easy to learn a tool on your own compared to the process one should use when doing detection and response. The processes are what you can learn from others to reach your destination, and you can fill in the gaps by teaching yourself the tools. The next two resources are not free but are well worth the investment: Richard Bejtlich's <a href="http://www.amazon.com/Practice-Network-Security-Monitoring-Understanding/dp/1593275099/">The Practice of Network Security Monitoring: Understanding Incident Detection and Response</a> and Chris Sanders &amp; Jason Smith's <a href="http://www.amazon.com/Applied-Network-Security-Monitoring-Collection/dp/0124172083/">Applied Network Security Monitoring: Collection, Detection, and Analysis</a>. Both books cover open source NSM tools and analyzing network data, but the aspects I really enjoyed were their perspectives: how to approach NSM and how to manage certain aspects of NSM, including the response to security incidents along with the detection of security events.</span><br />
<span style="font-family: Verdana;"></span><br />
<h2>
Free Book with Strategies for Cybersecurity Operations Center</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Carson Zimmerman of The MITRE Corporation <a href="http://www.mitre.org/news/press-releases/new-mitre-book-outlines-ten-proven-strategies-for-computer-network-defense-best">released a free book</a> titled <a href="http://www.mitre.org/sites/default/files/publications/pr-13-1028-mitre-10-strategies-cyber-ops-center.pdf">Ten Strategies of a World-Class Cybersecurity Operations Center</a>. I have been to a few different conferences where vendors give out free books. Needless to say, based on my past experiences I view free books with skepticism. However, Ten Strategies of a World-Class Cybersecurity Operations Center has restored my faith in free books. I'm surprised it was released for free; the content was great and the quality was top notch. The strategies covered topics from consolidating the functions of detection and response under one organization, to CSOC size, to staff quality, to sensor placement, to responding to incidents. It's a great read for anyone who is looking to improve an organization's detection and response capability. It may even be worthwhile for people who have been managing CSOCs to pick up a few different ideas.</span><br />
<span style="font-family: Verdana;"></span><br />
<h2>
Leveraging the Kill Chain for Detection</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;"><a href="http://seanmason.com/">Sean Mason</a> wrote the article <a href="http://www.darkreading.com/attacks-breaches/leveraging-the-kill-chain-for-awesome/a/d-id/1317810?">Leveraging The Kill Chain For Awesome</a> discussing the various ways the kill chain can be used. The section I wanted to focus on was the following: "when it comes to enterprise detection, the Kill Chain is useful for understanding what your capabilities are, as well as your gaps in coverage by tools and threat actors." This is one area where I think the kill chain excels. By organizing your detection rules beneath the kill chain it is easy to see what detection areas are strong and weak. Furthermore, it helps to see where external tools or intelligence can fill in the gaps. The one additional point I suggest is to do this organization for each <a href="http://journeyintoir.blogspot.com/2014/09/siem-use-case-implementation-mind-map.html">use case that is implemented</a>.</span><br />
<span style="font-family: Verdana;"></span><br />
<h2>
Questions to Answer During Response</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">A couple months ago Jack Crook put together a nice post over on his <a href="http://blog.handlerdiaries.com/">HandlerDiaries blog</a> called <a href="http://blog.handlerdiaries.com/?p=687">Answering those needed questions</a>. He walked through the typical questions he needs to answer when he is responding to an incident. In addition, he addressed "some of the actions needed during response activities." There were two things I really enjoyed about the post. First was how he broke down all of the possible questions one could ask into six categories; this simplifies the thought process making it easier to work through. The second point I liked was how he tied together response and detection. Throughout the post he touched on things to consider to improve detection as you respond.</span><br />
<span style="font-family: Verdana;"></span><br />
<h2>
Triage Questions</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Continuing along with what questions should be answered when responding to security incidents is David Bianco's article <a href="http://detect-respond.blogspot.com/2014/11/triage-any-alert-with-these-five-weird.html">Triage Any Alert With These Five Weird Questions!</a>. David defines alert triage as "the process of going through all of your alerts, investigating them, and either closing them or escalating them to an incident." By far, this is one of the most common activities for those performing detection and response. The article walks through five questions one should ask while performing alert triage. The article is well worth the read since it highlights things to consider when performing this work.</span><br />
<span style="font-family: Verdana;"></span><br />
<h2>
If Antivirus Fires Triage that System</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Speaking of triage and alerts, Adam over at the <a href="http://www.hexacorn.com/blog/">Hexacorn blog</a> put together an awesome post (<a href="http://www.hexacorn.com/blog/2014/10/05/the-art-of-disrespecting-av-and-other-old-school-controls-part-2/">The art of disrespecting AV (and other old-school controls), Part 2</a>) highlighting a critical point. His conclusion was "when you see an AV alert you need to triage the system, because it has been compromised + there may be still some undetected malware present on it." I couldn't agree more with the items he brought to light in his post and his conclusion. Too many times you see organizations complacent because their antivirus solution detected and removed a piece of malware, without any additional work or trying to answer questions. Too many times I've seen antivirus hit on one file but miss numerous others. The line of thinking that things are all good "since antivirus got it" is broken and in the end risks leaving compromised systems on the network. Furthermore, triaging every single antivirus alert provides visibility into the network and the methods being used to try to compromise an organization.</span><br />
<br />
<h2>
Seeing the Complete Picture</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Rounding out this linkz post is the article <a href="http://windowsir.blogspot.com/2014/12/what-it-looks-like-malware-infection.html">What It Looks Like: Malware Infection via a Weaponized Document</a> by <a href="http://windowsir.blogspot.com/">Harlan Carvey</a>. Harlan obtained a weaponized document, executed it on a test system, and then walked through his examination to identify artifacts on the host. The document he obtained had already been written about from the dynamic analysis perspective, but that write-up didn't address artifacts left on the system. The thing I really liked about Harlan's post is that it addresses an area very little is written about. There are a ton of articles about dynamic analysis and offensive techniques such as exploiting a vulnerability, but there is not as much about the <a href="http://journeyintoir.blogspot.com/2010/11/attack-vector-artifacts.html">attack vector artifacts</a> left on the system: the artifacts showing what it looks like when a hacker (or cracker) uses a path or means to gain access to a computer or network server in order to deliver a payload or malicious outcome. Over the past month there have been various articles mentioning the increase in malicious documents being used to compromise systems. The malicious documents mentioned vary, as do their payloads. However, the activity left on the system due to a malicious document will remain the same. This activity is what Harlan addressed in his post, and the information helps to bring a more complete picture into view. 
Harlan also provided his thoughts on a few take-aways for detection and response.</span><br />
Corey Harrell (http://www.blogger.com/profile/15008629321023489214), 2015-01-04: Triaging a System Infected with Poweliks<br />
<span style="font-family: Verdana, sans-serif;">Change is one of the only constants in incident response. In time most things will change; technology, tools, processes, and techniques all eventually change. The change is not only limited to the things we rely on to be the <a href="http://journeyintoir.blogspot.com/2014/04/holding-line.html">last line of defense</a> for our organizations and/or customers. The threats we are protecting them against change too. One recent example is the Angler exploit kit incorporating fileless malware. Malware that never hits the hard drive is not new, but this change is pretty significant. An exploit kit is using the technique, so the impact is more far reaching than the previous instances where fileless malware has been used (to my knowledge). In this post I'm walking through the process one can use to triage a system potentially impacted by fileless malware. The post is focused on Poweliks, but the process applies to any fileless malware.</span><br />
<br />
<h2>
Background on Why This Matters</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">In my RSS feeds, I was following the various articles about how an exploit kit incorporated the use of fileless malware. The malware never gets dropped to the disk and gets loaded directly into memory. A few of the articles I'm referring to are: <a href="http://blog.emsisoft.com/2014/08/06/poweliks-the-file-less-little-malware-that-could/">Poweliks: The file-less little malware that could</a>, Angler EK : now capable of "fileless" infection (memory malware), <a href="https://blog.malwarebytes.org/exploits-2/2014/09/fileless-infections-from-exploit-kit-an-overview/">Fileless Infections from Exploit Kit: An Overview</a>, <a href="http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/">POWELIKS: Malware Hides In Windows Registry</a>, and <a href="http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/">POWELIKS Levels Up With New Autostart Mechanism</a>. Reading the articles made one thing clear: one of the most effective tools to deliver malware (exploit kits) is now using malware that stays in memory.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">This change has a significant impact on multiple areas. If the malware stays in memory then the typical artifacts we see on the host will not be there. For example, when the malware is loaded into memory it won't create <a href="http://journeyintoir.blogspot.com/2014/01/it-is-all-about-program-execution.html">program execution artifacts</a> on the system. This means the triage and examination process needs to adjust. As I mentioned previously, this change was implemented in a widely known exploit kit (Angler). The systems infected through this exploit kit can be far reaching. This means we will encounter this change sooner rather than later, if you haven't faced it already. Case in point, recently the Internet Systems Consortium website was compromised and was <a href="http://threatpost.com/internet-systems-consortium-site-redirects-to-angler-exploit/110131">redirecting visitors to the Angler exploit kit</a>. The last impact is that if this change provides better results for the people behind it, then I can see other exploit kit authors following suit. This means fileless malware may become even more widespread, and it's something that is here to stay.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">I knew memory forensics is one technique we can use to find the malware in memory. (If you need a great reference on how to do this, check out the book <a href="http://journeyintoir.blogspot.com/2014/12/the-art-of-memory-forensics-book-review.html">The Art of Memory Forensics</a>.) However, the question remained: what does this look like? I took the short route to a quick answer by reaching out to my Twitter followers. I asked them the following: "Anyone know how Poweliks code looks from memory forensics perspective?"</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">The first response I got back was from <a href="http://www.hexacorn.com/blog/">Adam over at the Hexacorn blog</a> (great blog by the way), as shown below.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNRsBY4FgedyXqlnMHcf7-fE1R7ZT7bNxl6gbeINlrqt7HaownegtumJMBd42Wg-V8yuPsJLqV1x5TD6Voz1hBAcVeRFUv6vl7IOIDPiGu1ZeP_AuYIEk2LAzqXcdlpVqDkZsJ0cPZlcQ/s1600/1+hexacron.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNRsBY4FgedyXqlnMHcf7-fE1R7ZT7bNxl6gbeINlrqt7HaownegtumJMBd42Wg-V8yuPsJLqV1x5TD6Voz1hBAcVeRFUv6vl7IOIDPiGu1ZeP_AuYIEk2LAzqXcdlpVqDkZsJ0cPZlcQ/s1600/1+hexacron.jpg" height="400" width="321" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<span style="font-family: Verdana, sans-serif;">Adam provided some great information: narrow in on the dllhost.exe process, and he named the strings to look for. Another response I got was from @lstaPee, as shown below:</span><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEge1BVXv9GP1XaUGrBaWx3KYHrIxtn8vm9RzCclWYv4bbXbtfC3a5juvmcxwa0KS8EYiW3R0Ht3wn1F3Gqm6HLCXYbOqU8IRtFd2fVH0KocTY08MMRzL_q36pc1rJpuIyCmNg53gMJXcDE/s1600/2+lstapee.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEge1BVXv9GP1XaUGrBaWx3KYHrIxtn8vm9RzCclWYv4bbXbtfC3a5juvmcxwa0KS8EYiW3R0Ht3wn1F3Gqm6HLCXYbOqU8IRtFd2fVH0KocTY08MMRzL_q36pc1rJpuIyCmNg53gMJXcDE/s1600/2+lstapee.jpg" height="200" width="400" /></a></div>
<br />
<span style="font-family: Verdana, sans-serif;">@lstaPee provided a few more tidbits: RunDll32.exe injects code into Dllhost.exe, and dllhost.exe should have network connections. The response I got back from Twitter was great, but I really needed to address the bigger question. If and when I have to triage a system infected with Poweliks, what is the fastest way to perform the triage to locate the malware and determine the root cause of the infection? This was a question I needed to dig into in order to find the answer.</span><br />
<br />
<h2>
Testing Environment</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">As much as I wanted to simulate this attack by finding a live link to an Angler exploit kit, I knew it would be very difficult. Based on various articles I read, Angler is VMware aware and it doesn't always deliver the fileless malware. I opted to use a Poweliks dropper/downloader. I used the <a href="https://malwr.com/analysis/NGFlMjQwNGU1MWQ3NDIwY2I0MTU3MzZjNjE3MjdlNzM/">sample MD5 0181850239cd26b8fb8b72afb0e95eac I found on Malwr</a>. The test system was a Windows 7 32bit virtual machine in VMware.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">The test conditions were really basic. I executed the sample by clicking it and then waited for about a minute. The VM was suspended and I collected the memory and prefetch files. I then unsuspended the VM followed by rebooting the system. After reboot, I logged onto the VM and then suspended it to collect the memory and prefetch files.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">My test was to analyze the Poweliks infection from two angles: the initial infection prior to a system reboot, and the persistent infection after the system reboots. My analysis had one exception. Clicking the Poweliks executable to infect the system created program execution artifacts. I ignored these artifacts since they wouldn't be present if the malware was loaded directly into memory. I followed <a href="http://journeyintoir.blogspot.com/p/journey-into-ir-methodology.html">my typical examination process</a> on the memory images and vmdk files, but this post only highlights the activity that directly points to Poweliks. There was other activity of interest, but that activity by itself does not indicate anything malicious, so I opted to omit it from the post.</span><br />
<br />
<h2>
Poweliks' Behavior</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Before diving into the triage process and what to look for, it's important I discuss one of Poweliks' behaviors. I won't go into any details on how I first picked up on this, but I will show the end result: what the behavior is and how it can help when triaging Poweliks specifically. The screenshot below shows part of the <a href="https://malwr.com/analysis/NGFlMjQwNGU1MWQ3NDIwY2I0MTU3MzZjNjE3MjdlNzM/">Malwr behavior analysis section</a> showing the behavior I'm referring to.</span><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjn69iXZx5kakfmQE733bRyf2q1w2I9td0DHmAfgofqbEUW7ftZTG3H8ngBzvC5_WisMlmW46LdyaAojaHzPZv8Jx_CuX_LLGAe6RPS2c3w8L8Z5Ob9ulZunvLtdVg-9MHWRWHuPNDHy-U/s1600/3_poweliks-process.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjn69iXZx5kakfmQE733bRyf2q1w2I9td0DHmAfgofqbEUW7ftZTG3H8ngBzvC5_WisMlmW46LdyaAojaHzPZv8Jx_CuX_LLGAe6RPS2c3w8L8Z5Ob9ulZunvLtdVg-9MHWRWHuPNDHy-U/s1600/3_poweliks-process.jpg" height="128" width="400" /></a></div>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Upon a system's initial infection, the malware calls rundll32.exe, which then calls powershell.exe, which in turn injects code into the dllhost.exe process. In the image above the numbers are the process IDs, and these are relevant as we dig deeper into the behavior.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">The image below shows activity that occurs shortly after the rundll32.exe process starts. As can be seen, rundll32.exe attempts to load a module into its own address space with the <a href="http://undocumented.ntinternals.net/source/usermode/undocumented%20functions/executable%20images/ldrloaddll.html">LdrLoadDll function</a>. The "module" being loaded is actually JavaScript; this behavior is well documented for Poweliks, such as in the article <a href="http://thisissecurity.net/2014/08/20/poweliks-command-line-confusion/">Poweliks – Command Line Confusion</a>. Notice that the activity following the LdrLoadDll call is trying to locate the address of the RunHTMLApplication function. Here's the keyword Adam pointed out.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_KAD2SEsnPvlQYRvlQvGRvuTH-uxlMkS1MOrPUTCMABK1uB7P9btPPPbTmfffIXWPQzlsLPqqEcs3AG1mrK2IKJlbGsjzlQXzqrP7s-BrJOd5zFu5tZ-EVTgR7sFeLLLABe4AjGDHEEs/s1600/4_rundll-loaddll.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_KAD2SEsnPvlQYRvlQvGRvuTH-uxlMkS1MOrPUTCMABK1uB7P9btPPPbTmfffIXWPQzlsLPqqEcs3AG1mrK2IKJlbGsjzlQXzqrP7s-BrJOd5zFu5tZ-EVTgR7sFeLLLABe4AjGDHEEs/s1600/4_rundll-loaddll.jpg" height="396" width="640" /></a></div>
<br />
<span style="font-family: Verdana, sans-serif;">The images below show activity that occurs just prior to the powershell.exe process exiting. Powershell.exe creates the dllhost.exe process in the suspended state. Code gets injected into this suspended dllhost.exe process and then the process is resumed. This technique is process hollowing; when the suspended process is resumed it executes the injected code instead of the original dllhost.exe image.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhm0LuYyZanr6MGBBHV8Y137VCrxMmPCOXTOj6gIqfy4laL_W5wTSIJRRIzXwjz1GlL4Ei_vxkbyXKaU0XvZ45pX-LPnBfLMKlfnyP1hqSOZF8a_-DwR0Nc0QgcyG-tkOgGVSok8CK2A0c/s1600/5_powershell1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhm0LuYyZanr6MGBBHV8Y137VCrxMmPCOXTOj6gIqfy4laL_W5wTSIJRRIzXwjz1GlL4Ei_vxkbyXKaU0XvZ45pX-LPnBfLMKlfnyP1hqSOZF8a_-DwR0Nc0QgcyG-tkOgGVSok8CK2A0c/s1600/5_powershell1.jpg" height="426" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTifE8dPSNhl-6mVVDmxbgZQwaHi6Nh_1IcuG_vJxSnHjVbZ_FP32bTHkHp0nPx_iK1YzlUnJqGXPba-TKp0XROsr_-6QGshZkl4G4wDJjuu-x6_nQ0IwtpGw-IBytDe2KsDUgfFf9l3s/s1600/6_powershell2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTifE8dPSNhl-6mVVDmxbgZQwaHi6Nh_1IcuG_vJxSnHjVbZ_FP32bTHkHp0nPx_iK1YzlUnJqGXPba-TKp0XROsr_-6QGshZkl4G4wDJjuu-x6_nQ0IwtpGw-IBytDe2KsDUgfFf9l3s/s1600/6_powershell2.jpg" height="226" width="640" /></a></div>
<br />
<h2>
Triaging System Infected with Poweliks</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Triage is the assessment of a security event to determine if there is a security incident, its priority, and the need for escalation. As it relates to potential malware incidents, the <a href="http://journeyintoir.blogspot.com/2013/09/triaging-malware-incidents.html">purpose of triaging may vary</a>. In this instance, triage is being used to determine if an event is a security incident or false positive by identifying malware on the system. Confirming the presence of malware allows for a deeper examination to be completed. The triage process I'm outlining is to confirm the presence of the Poweliks fileless malware.</span><br />
<br />
<h3>
Triaging with Host Artifacts</h3>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Normally, triaging a system using artifacts on the host is an effective technique to identify malware. This is especially true when leveraging <a href="http://journeyintoir.blogspot.com/2014/01/it-is-all-about-program-execution.html">program execution artifacts</a>. However, loading malware directly into memory has a significant impact on the artifacts available on the host. There are very few artifacts available, and if the malware doesn't remain persistent there will be even fewer. Triaging a system infected with Poweliks is no different. Most of the typical artifacts are missing, but it can still be identified using prefetch files and autorun locations.</span><br />
<br />
<h4>
Prefetch Files</h4>
<br />
<span style="font-family: Verdana, sans-serif;">Previously I outlined the Poweliks behavior where the rundll32.exe process runs and starts a powershell.exe process, which then injects code into a suspended dllhost.exe process. This behavior is apparent in the prefetch files at the point of the initial infection. The image below shows the activity.</span><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSLcZTGFJuXchSVAtYladOOg25sbDFpyZS3a64DCTwGXoi_lLCVLdjjyQpNU7aceQf5jMrAbwsW_oJsvwsJzzmUhAgUNg8sPCwsh67s_oFIE_Mz5EkjwxpaEm62ku67orWFpams_DMUeo/s1600/7_initial-prefetch.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSLcZTGFJuXchSVAtYladOOg25sbDFpyZS3a64DCTwGXoi_lLCVLdjjyQpNU7aceQf5jMrAbwsW_oJsvwsJzzmUhAgUNg8sPCwsh67s_oFIE_Mz5EkjwxpaEm62ku67orWFpams_DMUeo/s1600/7_initial-prefetch.jpg" height="108" width="640" /></a></div>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">The prefetch files show the sequence of rundll32.exe executing, followed by powershell.exe, then dllhost.exe. Furthermore, the dllhost.exe prefetch file is missing the process path. The missing process path indicates process hollowing was used, as I outlined in the post <a href="http://journeyintoir.blogspot.com/2014/12/prefetch-file-meet-process-hollowing_17.html">Prefetch File Meet Process Hollowing</a>. Prefetch files contain references to the files accessed during the first 10 seconds of application startup, and the dllhost.exe prefetch file contains revealing ones. It references <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/aa385473(v=vs.85).aspx">wininet.dll, used for interacting with the network</a>, and files associated with Internet Explorer, as shown below.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOqOl6cXPVYSp1_M7l3-3qkme9iZQi6DkugTRjEszlp-chYHUDOvoFCCCFxRteOk7y2lzqkH_5tEnUVVvJLKUOaqVgUtE9MA-Z6Gfu0sEuzmECn4fKSxOxqktgx8E78Hg7CkgURJXmjwM/s1600/8_initial-dll.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOqOl6cXPVYSp1_M7l3-3qkme9iZQi6DkugTRjEszlp-chYHUDOvoFCCCFxRteOk7y2lzqkH_5tEnUVVvJLKUOaqVgUtE9MA-Z6Gfu0sEuzmECn4fKSxOxqktgx8E78Hg7CkgURJXmjwM/s1600/8_initial-dll.jpg" height="98" width="640" /></a></div>
<br />
<span style="font-family: Verdana, sans-serif;">This specific prefetch file sequence only occurs upon the initial infection. After later system restarts, where Poweliks is loaded into the dllhost.exe process, only the dllhost.exe prefetch file shows the activity. The file references in this prefetch file still include files located in the user profile.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgd_uBHoI4HbQ8lFbYu7ar1eINkm0lzjpmzJkIXDgktRYCTMn6R1obt8rO99g48SBDgknDcinLT1c3VYYSYvtWwyJlc12hhjZvLPSDZJxcIs7p66TKBfnw3tpYwW65Wg8TM2e3APw2UVas/s1600/9_prefetch-dll.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgd_uBHoI4HbQ8lFbYu7ar1eINkm0lzjpmzJkIXDgktRYCTMn6R1obt8rO99g48SBDgknDcinLT1c3VYYSYvtWwyJlc12hhjZvLPSDZJxcIs7p66TKBfnw3tpYwW65Wg8TM2e3APw2UVas/s1600/9_prefetch-dll.jpg" height="150" width="640" /></a></div>
<br />
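<span style="font-family: Verdana, sans-serif;">The three prefetch checks above (the rundll32.exe to powershell.exe to dllhost.exe sequence, the dllhost.exe prefetch file missing its own executable path, and the wininet.dll reference) can be scripted. The following is an added example and not code from the original post: it parses Windows 7 prefetch files (format version 23) with the Python standard library and applies the checks. The prefetch files it runs against are constructed inside the script for the example and are not files from my test VM; the build_prefetch helper, the 60-second window and the file names are assumptions for illustration.</span><br />

```python
"""Prefetch triage for the Poweliks pattern (added example, not the post's own code).

Parses Windows 7 prefetch files (format version 23) and applies three checks:
  1. rundll32.exe, powershell.exe and dllhost.exe last ran in that order
     within a short window (the initial-infection sequence),
  2. the dllhost.exe prefetch file never references its own executable path
     (the "missing process path" sign of process hollowing),
  3. the dllhost.exe prefetch file references wininet.dll.
Offsets follow the documented version 23 layout. Windows 8/10 prefetch files
use later versions (Windows 10 files are also compressed) and need another parser.
The prefetch files built at the bottom are constructed test data.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_LEN = 84 + 156   # 84-byte header + 156-byte version 23 file-information block
CHAIN = ("RUNDLL32.EXE", "POWERSHELL.EXE", "DLLHOST.EXE")


def parse_prefetch(data: bytes) -> dict:
    """Return executable name, last run time, run count and referenced file paths."""
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA" or version != 23:
        raise ValueError("not a version 23 (Windows 7) prefetch file")
    exe = data[16:76].decode("utf-16-le").split("\x00", 1)[0]   # 60-byte UTF-16 name field
    names_off, names_size = struct.unpack_from("<II", data, 100)  # filename strings offset/size
    (last_run,) = struct.unpack_from("<Q", data, 128)             # FILETIME, 100 ns units
    (run_count,) = struct.unpack_from("<I", data, 152)
    raw = data[names_off:names_off + names_size].decode("utf-16-le")
    return {
        "exe": exe,
        "last_run": FILETIME_EPOCH + timedelta(microseconds=last_run // 10),
        "run_count": run_count,
        "files": [f for f in raw.split("\x00") if f],
    }


def references(pf: dict, name: str) -> bool:
    """True when any referenced path ends in \\<name> (case-insensitive)."""
    return any(f.upper().endswith("\\" + name.upper()) for f in pf["files"])


def poweliks_prefetch_triage(prefetch_blobs, window=timedelta(seconds=60)):
    """Apply the three checks to a set of prefetch files; returns a list of findings."""
    parsed = {}
    for blob in prefetch_blobs:
        pf = parse_prefetch(blob)
        parsed[pf["exe"].upper()] = pf        # one prefetch file per executable is enough here
    findings = []
    if all(n in parsed for n in CHAIN):
        times = [parsed[n]["last_run"] for n in CHAIN]
        if times == sorted(times) and times[-1] - times[0] <= window:
            findings.append("rundll32 -> powershell -> dllhost ran in order within %ds" % window.total_seconds())
    dllhost = parsed.get("DLLHOST.EXE")
    if dllhost is not None:
        if not references(dllhost, "DLLHOST.EXE"):
            findings.append("DLLHOST.EXE prefetch lacks its own executable path (process hollowing)")
        if references(dllhost, "WININET.DLL"):
            findings.append("DLLHOST.EXE prefetch references wininet.dll (network capable)")
    return findings


def build_prefetch(exe: str, files, last_run: datetime, run_count: int = 1) -> bytes:
    """Construct a minimal version 23 prefetch file (test data for this example only)."""
    names = "".join(f + "\x00" for f in files).encode("utf-16-le")
    hdr = bytearray(HEADER_LEN)
    struct.pack_into("<I4s", hdr, 0, 23, b"SCCA")
    struct.pack_into("<I", hdr, 12, HEADER_LEN + len(names))      # total file size
    exe_bytes = exe.encode("utf-16-le")
    hdr[16:16 + len(exe_bytes)] = exe_bytes                        # NUL padded by the bytearray
    struct.pack_into("<II", hdr, 100, HEADER_LEN, len(names))
    delta = last_run - FILETIME_EPOCH                              # exact integer arithmetic
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    struct.pack_into("<Q", hdr, 128, micros * 10)
    struct.pack_into("<I", hdr, 152, run_count)
    return bytes(hdr) + names


SYS32 = "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\"
T0 = datetime(2015, 1, 4, 15, 0, 0, tzinfo=timezone.utc)

# Constructed sample: the initial-infection sequence, with a hollowed dllhost.exe.
INFECTED = [
    build_prefetch("RUNDLL32.EXE", [SYS32 + "NTDLL.DLL", SYS32 + "RUNDLL32.EXE", SYS32 + "MSHTML.DLL"], T0),
    build_prefetch("POWERSHELL.EXE", [SYS32 + "NTDLL.DLL", SYS32 + "WINDOWSPOWERSHELL\\V1.0\\POWERSHELL.EXE"], T0 + timedelta(seconds=2)),
    build_prefetch("DLLHOST.EXE", [SYS32 + "NTDLL.DLL", SYS32 + "WININET.DLL", SYS32 + "URLMON.DLL"], T0 + timedelta(seconds=5)),
]
# Constructed sample: a dllhost.exe that started normally and references its own image.
CLEAN = [
    build_prefetch("DLLHOST.EXE", [SYS32 + "NTDLL.DLL", SYS32 + "DLLHOST.EXE", SYS32 + "OLE32.DLL"], T0),
]

if __name__ == "__main__":
    for label, blobs in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, poweliks_prefetch_triage(blobs) or ["no Poweliks prefetch indicators"])
```

<span style="font-family: Verdana, sans-serif;">On a real image, read each *.pf file from C:\Windows\Prefetch into a bytes object and pass the list to poweliks_prefetch_triage. Because a system keeps one prefetch file per executable path hash, several DLLHOST.EXE-*.pf files can exist; run the hollowing check on each rather than letting a later one overwrite an earlier one as this simplified version does.</span><br />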
<h4>
Autoruns</h4>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">The prefetch files contain a distinctive pattern indicating a Poweliks infection. Depending on the sample, autoruns can reveal even more. I say depending on the sample because Poweliks has changed its persistence mechanism. Initially it used the Run registry key before moving on to a <a href="http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/">CLSID registry key</a>. I thought one article mentioned Poweliks may not try to remain persistent at all times. If Poweliks does try to remain persistent, then its mechanism can be used to find it. Keep in mind, Poweliks has taken self-protection measures to prevent this mechanism from being located on a live system. The easiest method to bypass these measures is to access the system remotely with a forensic tool like EnCase Enterprise, mount the drive, and then run <a href="https://github.com/keydet89">RegRipper</a> across the hives.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">The image below shows the Run key from the user account on my test system. The sample I used was older, since it used the Run key, but the entry is still a tell-tale sign of a Poweliks infection.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwuNNJFIhEvQlfDMp_w_exBHOxa1QlMPzMzL1DRAYIXCJ_RELqiTZhADuvYsoeJdfoqaioaejInDNEsNa2LlrYYwe91o9YXrCwKXOi8ZCd_OVWirCOJsG6QoBAQB4e3BX5kSZW6jpHyhs/s1600/10_run1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwuNNJFIhEvQlfDMp_w_exBHOxa1QlMPzMzL1DRAYIXCJ_RELqiTZhADuvYsoeJdfoqaioaejInDNEsNa2LlrYYwe91o9YXrCwKXOi8ZCd_OVWirCOJsG6QoBAQB4e3BX5kSZW6jpHyhs/s1600/10_run1.jpg" height="100" width="640" /></a></div>
<span style="font-family: Verdana, sans-serif;"><snip>...snip....</snip></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCv6W2DL2oTTjNa9CNv26e6qwigFO7Hy0aO2BIWczaFD3sXFcf0upeDegg1GCfcxUQWN6-_o1gF4xKDZ47-Ug-1GWkFGFYAoPx7Dvm9FM0dSQ252epu9dbKM1RiqJZ7_V6p_znsP7SbF8/s1600/11_run2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCv6W2DL2oTTjNa9CNv26e6qwigFO7Hy0aO2BIWczaFD3sXFcf0upeDegg1GCfcxUQWN6-_o1gF4xKDZ47-Ug-1GWkFGFYAoPx7Dvm9FM0dSQ252epu9dbKM1RiqJZ7_V6p_znsP7SbF8/s1600/11_run2.jpg" height="70" width="640" /></a></div>
<span style="font-family: Verdana, sans-serif;"></span><br />
<h3>
Memory Analysis Triage</h3>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Fileless malware may leave very few artifacts on the host's hard drive, but it still has to reside in memory. The most effective technique to identify a fileless malware infection is memory forensics. A Poweliks infection is no exception, since it stands out in memory whether the memory is examined after the initial infection or after a system reboot.</span><br />
<br />
<h4>
Network Connections</h4>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">One area with malware indications is network activity for unusual processes. @lstaPee alluded to this in their tweet about Poweliks. The Volatility <a href="https://code.google.com/p/volatility/wiki/CommandReference23#netscan">netscan plug-in</a> does show network activity for the dllhost.exe process involving the IP address 178.89.159.35 on port 80 (HTTP). dllhost.exe is not a process typically associated with web traffic, so this makes it a good indicator pointing to Poweliks.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHg0OOuDxWpzbptlUh0i84GY99DPcpwLbt0Olb8pHgkFF0y6p8ePFyMgMyqccf7aP5jdFPv_Zpk-Io87c6nd8kiGXdC8sKUGe5lDnFH8LKhNU_4Dxprj-KCbZ4lD3tqEtnoqWCqG84sbs/s1600/12_netscan.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHg0OOuDxWpzbptlUh0i84GY99DPcpwLbt0Olb8pHgkFF0y6p8ePFyMgMyqccf7aP5jdFPv_Zpk-Io87c6nd8kiGXdC8sKUGe5lDnFH8LKhNU_4Dxprj-KCbZ4lD3tqEtnoqWCqG84sbs/s1600/12_netscan.jpg" height="90" width="640" /></a></div>
<br />
<h4>
Process Listing</h4>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Another area with malware indications is the process listing, which may show unusual processes or ones with unusual command lines. The Volatility <a href="https://code.google.com/p/volatility/wiki/CommandReference23#pslist">pslist</a>, <a href="https://code.google.com/p/volatility/wiki/CommandReference23#psscan">psscan</a>, and <a href="https://code.google.com/p/volatility/wiki/CommandReference23#pstree">pstree -v</a> plugins did not reveal anything that could definitively be used as an indicator, but they did show the dllhost.exe process running. I checked a few clean systems to see if dllhost.exe normally runs, and the process was not running by default. This doesn't mean its presence can be used as an indicator on its own, because there could be other reasons for dllhost.exe running besides Poweliks. The screenshot below is from the pstree plug-in showing the command line used to launch dllhost.exe (notice there are no other options used in the command).</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipxycvpBsR4FsMthTHsD32UlpEa9zzFKJ_tAglJ3XfDz2kuDuWlhujPdbbhqR4k3OEq8TM1RYMayERZs-BP5HM4BZMXtsJm5PrxKUU3A2t4aRucC5Z20XmPRAMTr5Xc0SxQxCpWRdUTLg/s1600/13_pstree.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipxycvpBsR4FsMthTHsD32UlpEa9zzFKJ_tAglJ3XfDz2kuDuWlhujPdbbhqR4k3OEq8TM1RYMayERZs-BP5HM4BZMXtsJm5PrxKUU3A2t4aRucC5Z20XmPRAMTr5Xc0SxQxCpWRdUTLg/s1600/13_pstree.jpg" height="54" width="640" /></a></div>
<br />
<h4>
Injected Code</h4>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Looking for processes with injected code is an effective technique to locate malware on a system. This is the one technique that definitively reveals Poweliks on a system. The Volatility malfind plug-in showed the dllhost.exe process with injected code. This matches the articles about the malware and the behavior analysis showing code being injected into the dllhost.exe process. The image below shows partial output from malfind.</span><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSfElt1HtRIf77gEEJjWbscZzk6lBqP6AWGCOpK2ww8VDqzRhqo5BlxxHX1rsXX8QWREdTgPWYcJbDZ7jb0fpWqRcFM5WhyphenhyphenwQ89SxEbcNDIhMqg5Gs65WTwMi6wY1zvgZMBHMu7lhENls/s1600/14_malfind.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSfElt1HtRIf77gEEJjWbscZzk6lBqP6AWGCOpK2ww8VDqzRhqo5BlxxHX1rsXX8QWREdTgPWYcJbDZ7jb0fpWqRcFM5WhyphenhyphenwQ89SxEbcNDIhMqg5Gs65WTwMi6wY1zvgZMBHMu7lhENls/s1600/14_malfind.jpg" height="252" width="640" /></a></div>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Extracting the injected code and scanning it with antivirus confirms it is Poweliks. The image below shows the <a href="https://www.virustotal.com/en/file/6befdd31e5bd4a201e0e773dc8fc39359c92f49e0dfb2caad6aa6351dddd124d/analysis/1420385748/">VirusTotal results for the injected code</a>. Microsoft detected the code as <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=TROJAN:WIN32/POWESSERE.A">Trojan:Win32/Powessere.A</a> which is their classification for Poweliks.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFT84KJqo_jTI5Xht0pd00rJgNU27M5ZIVbByIDyKYvYBhOpQ7Z_NutEr4oUVBIhlGXUehYV0iPL7t6eIn5dOQzr7S6FSb_cYdbmLzFC0ujPADalqQVUkMeSofteEmwLs2g03Hkk1TyCo/s1600/15_virustotal.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFT84KJqo_jTI5Xht0pd00rJgNU27M5ZIVbByIDyKYvYBhOpQ7Z_NutEr4oUVBIhlGXUehYV0iPL7t6eIn5dOQzr7S6FSb_cYdbmLzFC0ujPADalqQVUkMeSofteEmwLs2g03Hkk1TyCo/s1600/15_virustotal.jpg" height="244" width="640" /></a></div>
<br />
<h4>
Strings</h4>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">The last area containing indicators pointing to Poweliks is the strings in the dllhost.exe process. Reviewing the strings is not as straightforward as running a single Volatility plug-in. The <a href="https://code.google.com/p/volatility/wiki/CommandReference23#strings">strings command reference</a> walks through the process, and it's the one I used. The only thing I did differently was to grep for my process ID to make the strings easier to review. The dllhost.exe strings revealed URLs, including one containing the IP address found with the netscan plug-in.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjAkACDCjLIcRm3HxQkfvGLypwF7ekTCfRM_FnONkACeT4LI0tgYstqnsfj3it8cuimc5ZHV5Z_w-vzhAKXNjJqlO0K8hZ7n18FZq5SPdvg_9dtLvBA_pcoLCf9KJbVD9m7e4fgWeKQqg/s1600/16_strings-ip.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjAkACDCjLIcRm3HxQkfvGLypwF7ekTCfRM_FnONkACeT4LI0tgYstqnsfj3it8cuimc5ZHV5Z_w-vzhAKXNjJqlO0K8hZ7n18FZq5SPdvg_9dtLvBA_pcoLCf9KJbVD9m7e4fgWeKQqg/s1600/16_strings-ip.jpg" height="136" width="640" /></a></div>
<br />
<span style="font-family: Verdana, sans-serif;">The most significant string found was the rundll32.exe command that leads to code being injected into the dllhost.exe process, as shown below. The presence of this string alone in the dllhost.exe process indicates the system is infected with Poweliks.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLfXVNqDJgcB62j6_kswwGP3viN7nxC0GhpE0etSai7BCVvzAYE-xrckT8b8Lk9zVyL9hKUg0BlWd7NJE3a_EhJBs_SglKV95Vy5iKSl8i1eai0NSoIfJMEojhGqvsLumYRMPWVvIzf3E/s1600/17_strings-command.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLfXVNqDJgcB62j6_kswwGP3viN7nxC0GhpE0etSai7BCVvzAYE-xrckT8b8Lk9zVyL9hKUg0BlWd7NJE3a_EhJBs_SglKV95Vy5iKSl8i1eai0NSoIfJMEojhGqvsLumYRMPWVvIzf3E/s1600/17_strings-command.jpg" height="48" width="640" /></a></div>
<br />
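<span style="font-family: Verdana, sans-serif;">The four memory checks above (netscan, the pstree -v command line, malfind, and the strings mapped to the process) combine into one triage pass over the plugin output. The script below is an added example and not code from the original post or from Volatility: it applies the checks to the text output of the plugins rather than to the memory image itself. The sample output lines are constructed for the example in the general style of Volatility 2 output, using a hypothetical PID 2432; exact column layouts vary between Volatility versions, so the regular expressions may need adjusting against real output. The same rundll32/javascript pattern it looks for in strings is the one to grep for in RegRipper's output of the Run key from the Autoruns section.</span><br />

```python
"""Score the memory indicators for Poweliks from Volatility plugin output.

Added example, not the post's own code. Checks, per PID of the target process:
  - a TCP connection to a remote port 80/443 (netscan),
  - a bare command line with no arguments (pstree -v),
  - a malfind hit, i.e. injected executable memory,
  - the rundll32.exe "javascript:" / RunHTMLApplication command, or a URL,
    among the strings mapped into the process.
A malfind hit or the rundll32 command string counts as confirmation, matching
the post; a URL or bare command line on its own is only supporting evidence.
The plugin output below is constructed in the style of Volatility 2 output.
"""
import re

NETSCAN = """\
Offset(P)  Proto  Local Address        Foreign Address      State        Pid   Owner
0x3e1a2008 TCPv4  192.168.1.10:49170   178.89.159.35:80     ESTABLISHED  2432  dllhost.exe
0x3e2b4008 TCPv4  192.168.1.10:49171   192.168.1.5:445      ESTABLISHED  4     System
"""
PSTREE = """\
Name                      Pid   PPid  Thds  Hnds  Time
 0x84d3a030:explorer.exe  1452  1404  20    450   2015-01-04 15:00:01
. 0x85021d40:dllhost.exe  2432  1452  4     90    2015-01-04 15:00:05
    cmd: dllhost.exe
    path: C:\\Windows\\system32\\dllhost.exe
. 0x85033a20:chrome.exe   2600  1452  20    300   2015-01-04 15:02:00
    cmd: "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --type=renderer
"""
MALFIND = """\
Process: dllhost.exe Pid: 2432 Address: 0x1e0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 12, MemCommit: 1, PrivateMemory: 1, Protection: 6
"""
STRINGS = """\
123456 [2432:001e0a00] http://178.89.159.35/q
123789 [2432:001e1200] rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";document.write("<script>...")
456000 [2600:07a01000] https://www.google.com/
"""

PROC_LINE = re.compile(r"0x[0-9a-fA-F]+:(\S+)\s+(\d+)\s+(\d+)")          # pstree process rows
NET_LINE = re.compile(r"0x[0-9a-fA-F]+\s+(TCP\w*)\s+(\S+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s+(\S+)")
STR_LINE = re.compile(r"\d+\s+\[(\d+):[0-9a-fA-F]+\]\s+(.*)")            # "<offset> [<pid>:<vaddr>] <string>"
RUNDLL_JS = re.compile(r"rundll32(\.exe)?\s+javascript:", re.I)
URL = re.compile(r"https?://\S+", re.I)


def pids_for(process_name, pstree_text):
    """Map each PID of process_name to its command line from pstree -v output."""
    pids, current = {}, None
    for line in pstree_text.splitlines():
        m = PROC_LINE.search(line)
        if m:
            current = int(m.group(2)) if m.group(1).lower() == process_name.lower() else None
            if current is not None:
                pids[current] = ""
        elif current is not None and line.strip().lower().startswith("cmd:"):
            pids[current] = line.split(":", 1)[1].strip()
    return pids


def remote_http_connections(pid, netscan_text):
    """Connections owned by pid whose remote port is 80 or 443."""
    hits = []
    for line in netscan_text.splitlines():
        m = NET_LINE.match(line)
        if m and int(m.group(6)) == pid and m.group(4) in ("80", "443"):
            hits.append("%s -> %s:%s (%s)" % (m.group(2), m.group(3), m.group(4), m.group(5)))
    return hits


def malfind_pids(malfind_text):
    """PIDs (with process names) that malfind reported injected memory for."""
    return {int(m.group(2)): m.group(1) for m in re.finditer(r"Process:\s+(\S+)\s+Pid:\s+(\d+)", malfind_text)}


def process_strings(pid, strings_text):
    """Strings the strings plugin mapped into the given pid (the grep-by-PID step)."""
    return [m.group(2) for m in map(STR_LINE.match, strings_text.splitlines()) if m and int(m.group(1)) == pid]


def poweliks_memory_triage(netscan=NETSCAN, pstree=PSTREE, malfind=MALFIND, strings=STRINGS, process="dllhost.exe"):
    """Run all checks for every instance of `process`; returns (confirmed, findings)."""
    confirmed, findings = False, []
    for pid, cmd in pids_for(process, pstree).items():
        if cmd.strip('"').lower().endswith(process.lower()):   # no /Processid:{...} or other options
            findings.append("pid %d: %s started with bare command line %r" % (pid, process, cmd))
        for conn in remote_http_connections(pid, netscan):
            findings.append("pid %d: %s talks HTTP(S): %s" % (pid, process, conn))
        if pid in malfind_pids(malfind):
            findings.append("pid %d: malfind reports injected executable memory" % pid)
            confirmed = True
        for s in process_strings(pid, strings):
            url = URL.search(s)
            if RUNDLL_JS.search(s) and "runhtmlapplication" in s.lower():
                findings.append("pid %d: rundll32 javascript/RunHTMLApplication command in memory" % pid)
                confirmed = True
            elif url:
                findings.append("pid %d: URL in process memory: %s" % (pid, url.group(0)))
    return confirmed, findings


if __name__ == "__main__":
    confirmed, findings = poweliks_memory_triage()
    print("Poweliks confirmed:", confirmed)
    print("\n".join(findings))
```

<span style="font-family: Verdana, sans-serif;">Feed it the saved plugin output (for example, vol.py -f image.vmem --profile=Win7SP1x86 netscan > netscan.txt and likewise for the others) by passing the file contents as the keyword arguments. Running the same checks against chrome.exe in the sample returns a URL finding but no confirmation, which is the distinction the sections above draw between supporting indicators and the two that prove the infection.</span><br />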
<h2>
Wrapping Things Up</h2>
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">The change introduced by the Angler exploit kit creator(s) is causing us to make adjustments in our processes. The effective techniques we used in the past may not be as effective against fileless malware. However, that doesn't mean nothing is effective or that we are prevented from triaging these systems. It only means we need to use the other processes, techniques, and tools we have at our disposal. We need to take what artifacts do remain and use them to our advantage. This post was specific to the Poweliks malware, but the techniques discussed will apply to other fileless malware. The only difference will be what data is actually found in the artifacts. </span>Corey Harrell