© 2017 SPLUNK INC.
The “Hidden Empires” of Malware
Dave Ryan
International Conference on Cyber Security
January 2018
Disclaimer
During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. I often lie. Maybe this is a lie. Wik Alsø wik Alsø alsø wik Wi nøt trei a høliday in Sweden this yër? See the løveli lakes The wøndërful telephøne system And mäni interesting furry animals The characters and incidents portrayed and the names used in this Presentation are fictitious and any similarity to the names, characters, or history of any person is entirely accidental and unintentional. Signed RICHARD M. NIXON Including the majestik møøse A Møøse once bit my Marcus... No realli! He was Karving his initials on the møøse with the sharpened end of an interspace tøøthbrush given him by Svenge – his brother-in-law – a Canadian dentist and star of many Norwegian møvies: "The Høt Hands of an Canadian Dentist", "Fillings of Passion", "The Huge Mølars of Horst Nordfink"... In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. Splunk undertakës no øbligation either to develøp the features or functionality described or to include any such feature or functionality in a future release.
# whoami > Ryan Kovar
Staff Security Strategist
Minister of the OODAloopers
@meansec
CISSP, MSc(Dist)
▶ 17 years of cyber security experience
▶ Current role on Security Practice team focuses on incident/breach response, threat intelligence, and research
▶ Also investigating why printers are so insubordinate ಠ_ಠ
# whoami > Dave Herrald
Security Architect @splunk
@daveherrald
CISSP, GIAC G*, GSE #79
- 20+ years IT and security
- Information security officer, security architect, pen tester, consultant, SE, system/network engineer
- Former SANS Mentor
- Co-creator of Splunk Boss of the SOC
Agenda
▶ Answering some W’s
• What are we talking about with “Hunting Empires”?
• What are SSL certificates and why do I care?
• What can I do with them?
▶ Talk about the “H”
• How can I get this data myself?
▶ And now another W
• Where can I get this awesome stuff!
On the shoulders of giants
Mark Parsons
“Lord of SSL Pivoting”
@markpars0ns
▶ https://t.co/amyR9pU8o4
▶ https://medium.com/@mark.parsons/hunting-a-tls-certificate-series-post-1-6ad7adfebe44
▶ https://mpars0ns.github.io/bsidescharm-2016slides/
▶ https://mpars0ns.github.io/archc0n-2016-tls-slides/#/
▶ https://www.slideshare.net/MSbluehat/bluehat-v17-using-tls-certificates-to-track-activity-groups
What are these “Hidden” Empires?
POWERSHELL EMPIRE
• Similar to Metasploit in user experience
• C2 functionality
• Second stage infection/implant after initial infection
• Used extensively for lateral movement
Sometimes it’s hard to find evidence that
Place Holder PowerSploit Capabilities
SSL Certificates
What are SSL certificates and why do I care?
Sooo… SSL Certificates?
“[SSL certificates are] Small [unencrypted] data files that digitally bind a cryptographic key to an organization’s details.” [1]
[1] https://www.godaddy.com/help/what-is-an-ssl-certificate-542
So what shows SSL certificates?
Censys.io
Circl.lu
Passivetotal.org
Splunk!
Internet-Wide Scan Data Repository
▶ Public archive of research data
▶ Hosted by the Censys team at the University of
Michigan
▶ Perform scans, and host results from other teams
▶ The data on the site is restricted to non-
commercial use
▶ https://scans.io (https://scans.io/json)
Exploring scans.io Studies
Web Interface: https://scans.io
JSON: https://scans.io/json
Command Line: $ python ./download.py --liststudies
https://github.com/daveherrald/scansio-sonar-splunk
Project Sonar by Rapid7
https://sonar.labs.rapid7.com/
▶ Many studies
• SSL Certificates
• HTTP Content
• HTTPS Content
• DNS
• Various TCP/UDP services (SSH, SMB, Telnet, etc.)
▶ Hosted at scans.io
▶ Please review Project Sonar TOS
▶ Thanks to Rapid7 Labs!
SSL Certificates Study (sonar.ssl)
▶ October 30, 2013 – Present
▶ Raw size
• Entire data set: 315 GB compressed (as of 02JAN2017)
• Weekly: ~1.5 - 2.0 GB compressed
▶ Entire data set indexed in Splunk: ~1.2TB
▶ Scan the entire Internet (TCP/443 only)
▶ Comprised of:
• Observed certificates *
• Observed IP address / certificate *
• Names
• Endpoints
sonar.ssl Certificates
2 Column CSV: SHA1 Hash + Base64 Encoded DER
Decoded DER (https://gchq.github.io)
sonar.ssl Certificate in Splunk
index=sonarsslcert earliest=0 hash_id=b4c68c2fe3e689bd51c3676c69c02454be1f545f
sonar.ssl Hosts
2 Column CSV: IP Address + Certificate hash (SHA1)
Host, IP Address, Observation Date
Enriched with Country and ASN via Maxmind
sonar.ssl First/Last seen
Search for a hash, or pivot here from search
HTTPS (TCP/443) (sonar.https)
▶ July 25, 2016 – Present
▶ Raw size
• Entire data set: ~3.2 TB compressed (as of 02JAN2017)
• Weekly: ~25 GB compressed
▶ Entire data set indexed in Splunk: ~10TB
▶ Scan the entire Internet (TCP/443 only)
▶ Comprised of:
• IP
• Path
• Port (Always 443)
• Certificate Subject
• Payload!
HTTPS (TCP/443) (sonar.https) in Splunk
index=sonarhttps earliest=0
[1] David Bianco http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
openssl req -new -x509 -keyout ../data/empire-priv.key -out ../data/empire-chain.pem -days 365 -nodes -subj "/C=US" >/dev/null 2>&1
VS
And I care why?
One of these is not like the others
We use Splunk
But you don’t have to!
▶ DAVE. DONE UP TO HERE
But what do we do with it?
You can do at least two things with SSL Certificate information
Known
Unknown
THE SSL CERTIFICATES IN YOUR INCIDENTS ARE REAL.
Start with some known naughty SSL SHA1 fingerprints
Gozi Trojan
8fc4a51bb808d0050a85f55de93b3aa9db4fef90
“As we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don't know we don't know. And when someone tries to hunt in CyberSpace the known unknowns are the hardest to find”
- Donald “Cybersfeld”
Hunting PowerShell Empire
C=US is weird…
200MM IPs
90 suspect
3 PSE
:-)
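Putting the earlier slides together in code, as an added example that is not code from the talk or from the scansio-sonar-splunk project: it reads sonar.ssl-style certificate rows (the "SHA1 Hash + Base64 Encoded DER" layout), extracts the certificate subject with a small hand-written DER walker instead of a certificate library, flags fingerprints that appear on a known-bad list (the kind of entry the Gozi SHA1 on the earlier slide would be), flags certificates whose subject is exactly /C=US (what the openssl command shown above produces, hence "C=US is weird"), and pivots each hit into first seen, last seen and hosting IPs. Every certificate, fingerprint, IP and date here is constructed for the example; the three-column host layout (observation date, IP, hash) is an assumption modelled on the sonar.ssl Hosts slide, and the bare-C=US rule is a triage signal to review, not a verdict.

```python
"""Hunt a sonar.ssl-style certificate feed for known-bad and default-looking certificates."""
import base64
import csv
import hashlib
import io

# --- minimal DER handling, just enough to reach the X.509 subject (no third-party libraries) ---

def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def children(value):
    """Split the contents of a constructed DER value into (tag, contents) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, length, pos = value[pos], value[pos + 1], pos + 2
        if length & 0x80:                              # long form: low 7 bits = count of length octets
            n = length & 0x7F
            length, pos = int.from_bytes(value[pos:pos + n], "big"), pos + n
        out.append((tag, value[pos:pos + length]))
        pos += length
    return out

OID_C, OID_O, OID_CN = b"\x55\x04\x06", b"\x55\x04\x0a", b"\x55\x04\x03"   # id-at-countryName etc.
OID_NAMES = {OID_C: "C", OID_O: "O", OID_CN: "CN"}

def name_to_string(name_contents):
    """Render an X.501 Name (SEQUENCE OF SET OF {OID, value}) the way openssl prints -subj."""
    parts = []
    for _, rdn in children(name_contents):            # each RDN is a SET
        for _, atv in children(rdn):                  # each AttributeTypeAndValue is a SEQUENCE
            (_, oid), (_, value) = children(atv)
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}={value.decode('latin-1')}")
    return "/" + "/".join(parts)

def subject_of(der):
    """Certificate -> tbsCertificate -> subject; the explicit [0] version field is optional."""
    fields = children(children(children(der)[0][1])[0][1])
    if fields[0][0] == 0xA0:
        fields = fields[1:]
    return name_to_string(fields[4][1])               # serial, sigAlg, issuer, validity, subject, ...

def fingerprint(der):
    return hashlib.sha1(der).hexdigest()              # sonar.ssl's hash_id is the SHA1 of the DER

DEFAULT_EMPIRE_SUBJECT = "/C=US"                      # what the talk's openssl -subj "/C=US" produces

def hunt(certs_csv, hosts_csv, known_bad):
    """Return {'known': [...], 'suspect': [...]}, each hit carrying its first/last seen and IPs."""
    hosts = {}
    for obs_date, ip, fp in csv.reader(io.StringIO(hosts_csv)):
        hosts.setdefault(fp, []).append((obs_date, ip))
    hits = {"known": [], "suspect": []}
    for _hash_id, b64 in csv.reader(io.StringIO(certs_csv)):
        der = base64.b64decode(b64)
        fp, subject = fingerprint(der), subject_of(der)   # recompute rather than trust the hash column
        if fp in known_bad:
            bucket, why = "known", known_bad[fp]
        elif subject == DEFAULT_EMPIRE_SUBJECT:
            bucket, why = "suspect", "bare C=US subject; review before acting"
        else:
            continue
        seen = sorted(hosts.get(fp, []))              # ISO dates sort chronologically
        hits[bucket].append({"hash_id": fp, "subject": subject, "why": why,
                             "first_seen": seen[0][0] if seen else None,
                             "last_seen": seen[-1][0] if seen else None,
                             "ips": sorted({ip for _, ip in seen})})
    return hits

def make_test_cert(attrs):
    """Constructed, unsigned self-issued certificate with the given subject: test data only."""
    name = tlv(0x30, b"".join(tlv(0x31, tlv(0x30, tlv(0x06, o) + tlv(0x13, v.encode()))) for o, v in attrs))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")                       # v3, serial 1
           + tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + tlv(0x05, b""))  # sha256WithRSA
           + name + tlv(0x30, tlv(0x17, b"180101000000Z") + tlv(0x17, b"190101000000Z")) + name
           + tlv(0x30, tlv(0x05, b"")))                                            # placeholder SPKI
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, tlv(0x05, b"")) + tlv(0x03, b"\x00\x00"))  # dummy signature

def sample_data():
    """Constructed rows in the slide's layouts (hash,base64-DER and date,ip,hash); not real scan data."""
    certs = [make_test_cert([(OID_C, "US")]),
             make_test_cert([(OID_C, "US"), (OID_O, "Example Corp"), (OID_CN, "www.example.com")]),
             make_test_cert([(OID_CN, "constructed-bad.example")])]
    fps = [fingerprint(c) for c in certs]
    certs_csv = "\n".join(f"{fp},{base64.b64encode(c).decode()}" for fp, c in zip(fps, certs))
    hosts_csv = "\n".join([f"2017-11-06,192.0.2.10,{fps[0]}", f"2017-11-20,192.0.2.11,{fps[0]}",
                           f"2017-11-06,198.51.100.7,{fps[1]}", f"2017-10-30,203.0.113.5,{fps[2]}"])
    return certs_csv, hosts_csv, fps

if __name__ == "__main__":
    certs_csv, hosts_csv, fps = sample_data()
    for bucket, rows in hunt(certs_csv, hosts_csv, {fps[2]: "constructed known-bad fingerprint"}).items():
        for r in rows:
            print(bucket, r["hash_id"], r["subject"], r["first_seen"], r["last_seen"], r["ips"], r["why"])
```

The benign Example Corp certificate also carries C=US but is not flagged, because the signal is a subject consisting of nothing but the country, not the presence of C=US; the known-bad match uses the recomputed SHA1 of the DER so a mis-keyed hash column cannot hide a hit. In the real pipeline the known-bad dictionary would be your incident-derived fingerprint list, and the hosts rows would come from the sonar.ssl hosts files.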
Oh… Just one more thing…
Splunk-based Certificate Research Platform
▶ Splunk Indexers (QTY=3): i3.2xlarge, 8 TB EBS Volume (10,000 IOPs), Elastic IP
▶ Splunk Search Head (QTY=1): c3.4xlarge, Elastic IP
▶ Data Staging and Load (QTY=1): i3.16xlarge, 8 TB EBS Volume (10,000 IOPs), Elastic IP
▶ Elastic Load Balancer: TCP/8088 to Splunk HTTP Event Collector
▶ Internet-Wide Scans Repository: https://scans.io
▶ Processing and Load Metrics: 6,000 Certificates / Second; 25,000 Hosts / Second
Certificate Research Platform Resources
https://github.com/daveherrald/scansio-sonar-splunk
• Download any scans.io study, load sonar.ssl & sonar.https into Splunk for analysis
https://github.com/mpars0ns/scansio-sonar-es
• Download sonar.ssl and load into Elasticsearch
Splunk Licensing
Free: 500MB / day
Enterprise Trial: 500MB / Day
Developer: 10 GB/Day
Enterprise Dev/Test: 50GB/day
Splunk Enterprise
Each approach has its pros and cons, but recall:
Can we wrap this up?
Conclusion
▶ SSL certificates can be a great way to track adversary behavior
▶ Consider tracking from known and unknown
▶ Think about bringing SSL certificates “in house” to use and run greater analysis against with temporal knowledge
Special Thanks
▶ Mark Parsons
▶ IKBD
▶ Rapid 7
▶ Censys team at University of Michigan
▶ ICCS Conference
▶ Fordham University
▶ The FBI
Contact info (Come see us at SANS CTI where we talk about ML against SSL data!)
Dave Herrald
@daveherrald
Ryan Kovar
@meansec

Editor's notes

  1. Learned System Administration in the US Navy. Worked in the UK/US in public/private sector. Most recently at DARPA using Splunk. Has a masters degree from University of Westminster. Focuses on Incident response, Threat intel, dry humor,
  2. Ryan
  3. Ryan
  4. Discuss what PowerShell Empire is
  5. Steve
  6. Who uses it? The usual Suspects
  7. DeepPanda/APT19 Ryan
  8. Poseidon: Brazilian APT. Steve. Primarily used for corporate and government espionage for the purposes of financial gain. Estimated to have been operating since 2005. Known to pose as Windows security consultants who, as part of their “service”, run PowerShell scripts to gain a foothold and gather data.
  9. APT28/Fancy Bear/Sofacy Ryan
  10. Gothic Panda/APT3 Ryan
  11. But the internet is fast… and it’s hard to find things unless you have…
  12. Hard evidence in a forensic investigation. But it’s good to be proactive
  13. So we are going to use PowerShell Empire as an example of how to find “hidden” infrastructure using information in SSL Certificates and ALSO how to find things that are not so “hidden”
  14. Two options when you are looking at SSL certificate data: Hunting for known SSL certificates that have been found during the course of your research or incident; Hunting for unknown things using statistical analysis or other methods
  15. In the course of your incident response or threat hunting you might find SSL certificates that are connected to malware.
  16. Ryan
  17. Ryan