The Indicators of Compromise
1. The Indicators of Compromise
Finding the footprints that attackers leave
behind when they breach your defenses
Tomasz Jakubowski, CISM, CISSP
@perunhimself
FEB 2017
2. How it all starts
By day – superhero director and CCO, leading the biggest software programming company...
By night – all-things-Apple fan.
9. Oh, what do we have here?
[Chart: Top 10 most visited sites]
facebook.ru – visited only by 10.0.2.4
10.0.2.4 – host that belongs to thomas.a.anderson@metacortex.com
Sources: NETWORK LOGS, PROXY LOGS, ASSET MNGM., CORP INVESTIG.
Picture from: "The Matrix"
https://www.facebook.com/TheMatrixMovie
11. Static analysis of hack_metacortex.exe
STRINGS
Static analysis of the found malware sample
Sometimes the most simple methods will give results:
adminJoshua – login and password to somewhere?
www.facebook.ru
metacortex.ru – a potential for a future phishing attack?
hack_metacortex.exe
Registry keys – persistence
IoC types found: FQDN, file hash, registry key
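As an added example (not part of the original deck), a minimal strings-style triage of a constructed byte blob standing in for hack_metacortex.exe, tagging each recovered string with the IoC type the slide files it under (FQDN, registry key, file name, IP). The blob, the minimum length and the classification regexes are all constructed here, not taken from the sample.

```python
from __future__ import annotations
import re

# Constructed stand-in for the slide's hack_metacortex.exe; not the real binary.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"adminJoshua\x00\x01\x02"
    b"www.facebook.ru\x00"
    b"metacortex.ru\x00\xde\xad"
    b"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    b"hack_metacortex.exe\x00"
    b"213.24.76.23\x00\x00\x00"
    b"\x41\x42"  # "AB": too short to count as a string
)

MIN_LEN = 4  # same default as the `strings` tool

def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Mimic `strings`: runs of printable ASCII at least min_len long."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
FQDN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
REGISTRY = re.compile(r"^(HKLM|HKCU|HKEY_[A-Z_]+)\\", re.I)
EXE = re.compile(r"\.(exe|dll|sys)$", re.I)

def classify(s: str) -> str:
    """Tag a string with the IoC type a triage analyst would file it under."""
    if IPV4.match(s):
        return "ip"
    if REGISTRY.match(s):
        return "registry"
    if EXE.search(s):
        return "file name"
    if FQDN.match(s):
        return "fqdn"
    return "other"  # e.g. adminJoshua: a possible credential, needs a human look

def triage(data: bytes) -> dict[str, list[str]]:
    """Group every recovered string under its IoC type."""
    out: dict[str, list[str]] = {}
    for s in extract_strings(data):
        out.setdefault(classify(s), []).append(s)
    return out
```

The "other" bucket is where credential-looking strings such as adminJoshua land; the regexes only sort what is mechanically recognisable.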
12. Static analysis of hack_metacortex.exe
PE Analysis
Continuing static analysis of the found malware sample
Imported DLLs and methods suggest that:
Registry entries will be read and created
Files will be created on the drive
Potentially the malware will run in the background and check for changes on a regular basis
13. Registry
Checking for the keys found in hack_metacortex.exe
The registry keeps the Windows config
Look for:
Autostart items
Scheduled tasks
Added file extensions, eg.
IoC types found: IP, Username and Password, File name and Path
14. Static analysis of hack_metacortex.exe
DISASSEMBLY
Continuing static analysis of the found malware sample
Depending on the amount of time available you can get a lot of info about how the malware works and what its capabilities are
If you are lucky, you can get some useful IoCs easily
IoC types found: IP, File name, Registry
15. In search of info.txt
HARD DRIVE FORENSICS
Looking through the files on the hard drive
Can get malware samples and tools left behind by the attacker for further analysis
Can understand what the attacker was after
16. Dynamic analysis of hack_metacortex.exe
eg. PROCMON
Moving on from static analysis into dynamic
Trying to understand how the malware operates by observing its behaviour
IoC types found: IP, File name, Registry
17. Network traffic analysis from the host
PCAP
Attacker:
Used port 443, which means they used SSL and that the communication is encrypted
Do you use SSL decryption?
18. Network traffic analysis from the host
PCAP
Hands-on-keyboard
Attacker:
Checks the host name and user name
Creates directories and hides them
Gathers info about the environment (user info, lists local drives, lists contents of drive C)
IoC types found: File names and Paths
19. Network traffic analysis from the host
PCAP
Hands-on-keyboard
Attacker:
Uses standard OS tools
Successfully downloads further tools from the attacker's infrastructure servers
IoC types found: IP, File name and Path, Standard OS admin tool, URL
20. Network traffic analysis from the host
PCAP
Hands-on-keyboard
Attacker:
Uses standard OS tools
Successfully downloads further tools from legitimate sites
21. Network traffic analysis from the host
PCAP
Hands-on-keyboard
Attacker:
Gets their tools on the host and is able to run them
IoC types found: File names and Path
22. Network traffic analysis from the host
PCAP
Hands-on-keyboard
Attacker:
Copies Thomas.A.Anderson's Outlook.ost file
Copies all the intel they got to a single location
Uses 7zip to pack the loot
23. Network traffic analysis from the host
PCAP
Hands-on-keyboard
Attacker:
Uses their tool uploader.exe to upload the packed file to their server
IoC types found: IP
24. Network traffic analysis from the host
PCAP
Hands-on-keyboard
Attacker:
After the successful upload, the attacker tries to cover their tracks by deleting the tools they used
The attacker disconnects
IoC types found: Attacker tools
25. Pivot
For a start – things to look for
Other hosts connecting to:
metacortex.ru
facebook.ru
213.24.76.23 – C2 server
213.24.76.28 – server where data was uploaded
213.24.76.56 – attacker's infrastructure server with tools
Or maybe anything in the whole 213.24.76.0/24 or /16 network?
Emails from xyz@metacortex.ru
On the host:
Registry keys
HKLM\Software\Microsoft\Windows\CurrentVersion\Run → hack_metacortex.exe -u admin -p joshua -ip 213.24.76.23
Files OR hashes
AppleMysteryDevice.zip
c:\Windows\system32\hack_metacortex.exe
%PATH%\packer.exe
%PATH%\uploader.exe
%PATH%\backdoor.exe
%PATH%\info.txt
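An added example (not from the original deck) of the pivot step: matching the indicator set above, including the wider 213.24.76.0/24 range, against a few constructed proxy log lines and a Run-key value, to surface other internal hosts that touched the attacker's infrastructure. The log format (timestamp, source host, destination) and the log lines are constructed here; the indicator values are the deck's scenario values, not real-world IoCs.

```python
from __future__ import annotations
import ipaddress

# Indicators from the pivot slide (fictional scenario values from the deck).
DOMAINS = {"metacortex.ru", "facebook.ru"}
IPS = {"213.24.76.23": "C2 server",
       "213.24.76.28": "upload server",
       "213.24.76.56": "tool server"}
NETWORK = ipaddress.ip_network("213.24.76.0/24")  # widen to the whole /24
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
FILES = {"hack_metacortex.exe", "packer.exe", "uploader.exe",
         "backdoor.exe", "info.txt", "AppleMysteryDevice.zip"}

# Constructed proxy log: timestamp, source host, destination host or IP.
PROXY_LOG = """\
2017-02-01T08:01:02 10.0.2.4 www.facebook.ru
2017-02-01T08:05:10 10.0.2.9 www.facebook.com
2017-02-01T09:12:44 10.0.2.17 213.24.76.23
2017-02-01T09:40:00 10.0.2.31 213.24.76.101
2017-02-01T10:00:00 10.0.2.4 mail.metacortex.ru
"""

def match_destination(dest: str) -> str | None:
    """Return why a destination is suspicious, or None if it is clean."""
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        host = dest.lower().rstrip(".")
        # Match the bare domain and any subdomain (mail.metacortex.ru).
        for d in DOMAINS:
            if host == d or host.endswith("." + d):
                return f"domain {d}"
        return None
    if str(ip) in IPS:
        return f"known {IPS[str(ip)]} {ip}"
    if ip in NETWORK:  # new IP, same range: bigger infrastructure than one server
        return f"attacker range {NETWORK}"
    return None

def pivot_proxy(log: str) -> dict[str, list[str]]:
    """Map each internal source host to the indicators it touched."""
    hits: dict[str, list[str]] = {}
    for line in log.splitlines():
        _ts, src, dest = line.split()
        reason = match_destination(dest)
        if reason:
            hits.setdefault(src, []).append(reason)
    return hits

def check_autorun(key: str, value: str) -> bool:
    """Flag a Run-key value that launches one of the known attacker files."""
    return key.lower() == RUN_KEY.lower() and any(
        f.lower() in value.lower() for f in FILES)
```

Feeding the same matcher with the /16 instead of the /24 is a one-line change to NETWORK, which is exactly the widening question the slide asks.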
26. Damage Report and Risk Assessment
CKC7 - Hands-on-keyboard
Environment information gathered by the attacker:
Host and network environment
List of files on disk for further extraction (likely the attacker will try to connect again)
CIO's host compromised, various files and Outlook.ost extracted
What was in the CIO's mailbox?
What files are on the CIO's disk?
Any other hosts compromised?
Any other information extracted?
27. Indicators from Inside and Outside
METACORTEX (inside)
From the Host:
Malware and attacker tools samples
File hashes for DOC and EXE
File locations
File names
From the Network:
Domain names
IPs
Copies of data extracted
OUTSIDE
From external sources:
Threat group objectives
TTPs of that threat group
Other domains on the same IP
Other IPs and domains used by the same threat group
Other file hashes known to be used by that group
28. Where to next (the TOOLSET)
CKC PHASE vs COURSE OF ACTION
Columns: DETECT, DENY, DISRUPT, DEGRADE, DECEIVE, CONTAIN; the |C|, |H|, |A| tags are the slide's own markers on each control, listed left to right across the columns.
RECONNAISSANCE: |C H A| THREAT INTELLIGENCE; |C| WEB ANALYTICS; |C| WEB LOGS; |C| ROUTER LOGS; |C| NIDS; |C| FIREWALL ACL; |C H A| ACTIVE DEFENSES; |C H A| ACTIVE DEFENSES; |C| HONEYPOT; |C| REDIRECT LOOP; |C H A| ACTIVE DEFENSES; |C| HONEYPOT; |C| REDIRECT LOOPS; |C| FIREWALL ACL
WEAPONIZATION: THREAT INTELLIGENCE; |C| NIDS; |C| NIPS; |C| NIPS
DELIVERY: EDUCATED USER; |C| NIDS; |H| HIDS; |C H| AV; |C| WEB FILTER; |C| MAIL FILTER; |A| APP WHITELISTING; |C| INLINE AV; |C| MAIL FILTER; |C| WEB FILTER; |C| QUEUING; |C| SINKHOLE; |C H A| COMBINATION OF DENY/DISRUPT; |C| HONEYPOT; |C| APP-AWARE FIREWALL; |C| HONEYPOT
EXPLOITATION: |H| HIDS; |C| NIDS; |C H| AV; PATCH; |C H| AV; |H| HIPS; |H| DEP; |H| PATCH; |C H| AV; |H| HIPS; |A| HIGHLY RESTRICTED USER ACCOUNTS; |C| HONEYPOT; |C| INTER-ZONE NIPS
INSTALLATION: |H| HIDS; |A| APPLICATION LOGS; |C H| AV; |C| NETFLOW; |H| 'CHROOT' JAIL; |A| APP WHITELISTING; |A| BLOCKED EXECUTION; |C H| AV; |H| HIPS; |C H A| COMBINATION OF DENY/DISRUPT; |C| HONEYPOT; |C| EPP
COMMAND & CONTROL: |C| NIDS; |H| HIDS; |C H| AV; |C| FIREWALL ACL; |C| EGRESS FILTER; |C| SINKHOLE; |C| NIPS; |H| DEP; |C| SINKHOLE; |C| TARPIT; |C| SINKHOLE; |C| DNS REDIRECT; |C| SINKHOLE; |C| TRUST ZONES
ACTION ON OBJECTIVES: |C H A| AUDIT LOGS; |H| DEP; |C H| AV; |C| NIDS; |H| HIDS; |C| FIREWALL ACL; |C| EGRESS FILTER; |C| NETWORK SEGMENTATION; |C H A| ENCRYPTION; |C H| DLP; |C| NETWORK SEGMENTATION; |H| DEP; |H| HIPS; |C| QUALITY OF SERVICE; |C| NETWORK SEGMENTATION; |C| HONEYPOT; |C| TRUST ZONES
Being a defender is fighting a losing battle – you are always a step behind
I will try to show you how you can use simple IoCs to try to shift that situation and over time – maybe even try to start winning – at first those will be just small battles but later – who knows...
- At this point in time you are not ready yet to contact the external services to use them for getting more information about this attack
- Different IP than previously, which suggests bigger infrastructure than just 1 server
Information gathering by the attacker – this is where the attacker will try to get a better understanding of the environment they got into:
What is the template used for user accounts
What sort of machines are used
What IP addressing is used
What other machines are online
Where are the AD servers
etc...
Here we try to understand where:
The malware will create its files
What files will be deleted
What registry keys will be opened, written and deleted
What connections will be made
For an easy start look at "Cuckoo malware sandbox" or some commercial ones or – better – create your own. Customize it:
Make sure the VM doesn't give away right away that it is a virtual environment (CD drivers, no. of CPUs, RAM etc.)
Make sure you have the most popular apps installed – eg. Office, Acrobat Reader etc.
If you use a corporate desktop build – use that build in the sandbox to better replicate your environment
Make sure you can capture network traffic
This is a new, different IP
Attackers very often use standard OS tools to avoid detection, this is why usage of admin tools should be monitored (ISO 27001 also says that)
Attackers are just humans – they make mistakes
- You can’t really block that, as you will block legitimate websites
again, the attacker uses standard, legitimate tools like 7zip
Was able to get the CIO mailbox – wonder what’s inside...
- New IP as an indicator
Lucky you – the attacker used a Linux command instead of DOS – if you hurry, you still might get a copy of their tools for further analysis
Source is Lockheed Martin Corp.: http://lockheedmartin.com/content/dam/lockheed/data/corporate/documents/Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.PDF
Will review testing results like NSS labs
Will listen to vendors sales engineers
Maybe will even do internal proof-of-concepts to test how the solution works in your environment
measure return on investment for security products
Ransomware hits in September – possible that people are coming back from holidays and click on stuff in their mailboxes
Campaign D was active in Jan-Mar
A way to manage your resources