Accelerating Incident Response With Network Forensics Techniques NJ InfraGard November 2007 Nick...

Post on 18-Dec-2015


Accelerating Incident Response With Network Forensics Techniques

NJ InfraGard November 2007

Nick Lantuh

President

NetWitness Corporation

Copyright 2007 NetWitness Corporation

Today’s Threat Landscape -- Commercial

VISA, MasterCard USA (with cvv2 code)

Quantity        | Availability | Price in $USD
5-50            | in stock     | 5.0
51-100          | in stock     | 4.5
101-500         | in stock     | 4.0
501-1000        | in stock     | 3.0
1001-5000       | in stock     | 2.0
more than 10000 | in stock     | write to us

If you need more than 10,000 cards, contact us; you will get a separate discount.

Call for bulk pricing info!

TJX Hack Basics

• Use of the WEP protocol let hackers target at least one of the company’s sites and gain network access
– WEP has had known problems for years
– WPA or a VPN should have been used in accordance with standard practices

• Hackers exploited vulnerabilities to place malicious code on TJX servers and used this platform to achieve their goals

Today’s Threat Landscape - USG

China Hack Basics

• Spear phishing attack as the entry point, because network layer perimeter security was good

• End user weaknesses permitted the initial entry points

• Various techniques used:
– non-HTTP over port 80
– non-DNS over port 53
– non-SSL over port 443

Subsequent Hacker Mechanisms Likely Used Following Initial Compromise

• Reconnaissance

• Command and control

• Communications

• Data exfiltration

• Clean-up

Insider Threats Are Compelling Too

• Enterprises also face important internal issues:
– Protection of PII, PHI, R&D, classified data
– Personnel/HR and Legal problems and concerns
– Regulatory and policy compliance
– Counterintelligence / counter-competitive
– Achieving management control objectives

• Internal actors can include:
– Disgruntled employees
– Employees misusing I/T assets
– Criminals
– Espionage
– Compromised technology assets (e.g., bots)


Current State of the Incident Response

• Typical security investments focus on detection of a specific problem set, known issues, or known threats
– But what about the unknowns like “designer malware”?
– And how do you find problems that are not flagged by your existing technologies and processes?

• Treating “problems” individually is myopic
– Network traffic contains a common truth and insights about a variety of interrelated problems
– Network traffic can be recorded once and reused forensically many times for a variety of mission objectives

• Today’s discussion will focus on using these techniques to enhance the incident response approach

Fully Understanding Network Traffic


An Effective Approach

NetWitness NextGen provides a “record once / re-use many times” infrastructure and the application framework to achieve Total Network Knowledge

• Many current technologies are antiquated and constrained by a myopic focus on a singular problem set – current challenges require a new generation of solutions

• Protection of corporate data in motion requires robust and diverse network monitoring to cope with threats from many dimensions

• NextGen provides unique investigative applications, both interactive and automated, which leverage a patented high speed data capture infrastructure and an extensible application development platform


Architecture

• Record, decode, and re-sessionize all network traffic

• Extract metadata and model ALL network, application and user layer characteristics for collected traffic

• Roll-up enterprise metadata as appropriate

• Ensure forensic validity, chain of custody

Diagram: Live Network Capture (Span Port / Tap) -> Decoder / Decoder -> Concentrator

NetWitness Investigator (INTERACTIVE): Know Your Network Like NEVER Before

• Layer 7 Analytics
– Infinite freeform analysis paths
– Content/Context starting points
– Specialized metadata paths, such as PII

• Full Context
– Pure data stored as it occurred
– Data presented as the user experienced it (Web, Voice, Files, Emails, Chats, etc.)

• Supports massive data-sets
– Instantly navigate 100’s of gigabytes
– Scalable to multi-TB data stores

• Decrease time to resolution
– Analysis that once took days now takes minutes

NetWitness Informer (AUTOMATED): Enterprise Reporting and Alerting

• Informer builds upon the power of Investigator and the NextGen infrastructure

• Automates the review of huge sets of captured data

• Facilitates Total Network Knowledge

• Ships with 100’s of rules and canned reports

• Completely customizable to your environment and needs

Session Analysis Benefits

• Typical methods
– Port based identification (example: Port=80 is web traffic)
– IP based identification (example: IP=216.178.38.116 is myspace)

• Port agnostic method
– If a packet contains IRC structure in the payload then it IS IRC traffic
– Important because so much traffic is designed to run over common ports such as 80, 443, 25, 53, etc.
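As an added illustration of the port agnostic method (and of the non-HTTP over 80, non-DNS over 53 and non-SSL over 443 techniques from the China Hack slide), the following Python is not NetWitness code: it classifies each session by payload structure alone and reports sessions whose protocol disagrees with the port. The sample sessions, the port-to-protocol table and the structural checks are constructed here and kept deliberately simple.

```python
import re
import struct

# Constructed sample sessions as (destination port, first client payload bytes); not captured traffic
SAMPLE_SESSIONS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (80, b"NICK bot1234\r\nUSER bot 0 * :bot\r\nJOIN #cc\r\n"),      # IRC structure on the web port
    (53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"),
    (53, b"POST /upload HTTP/1.1\r\nHost: drop\r\n\r\n"),          # non-DNS over port 53
    (443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),            # TLS handshake record, ClientHello
    (443, b"GET / HTTP/1.0\r\n\r\n"),                              # non-SSL over port 443
]
HTTP_RE = re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")
IRC_RE = re.compile(rb"^(?::\S+ )?(?:NICK|USER|JOIN|PRIVMSG|PING|PONG|MODE|NOTICE) ")

def looks_like_dns(p):
    """True only if a DNS header plus a well-formed question section is present."""
    if len(p) < 17:
        return False
    _id, _flags, qd, _an, _ns, _ar = struct.unpack("!6H", p[:12])
    if not 1 <= qd <= 4:
        return False
    off = 12
    while off < len(p) and p[off] != 0:       # walk the QNAME labels
        if p[off] > 63:
            return False
        off += 1 + p[off]
    return off + 5 <= len(p)                  # terminating 0 byte, then QTYPE and QCLASS

def looks_like_tls(p):
    """TLS record: content type 0x16 (handshake), version 3.x, handshake type 0x01 (ClientHello)."""
    return len(p) >= 6 and p[0] == 0x16 and p[1] == 3 and p[2] <= 3 and p[5] == 0x01

# Ordered structural checks; the first one that matches names the protocol
CHECKS = [("http", lambda p: bool(HTTP_RE.match(p)) or p.startswith(b"HTTP/1.")),
          ("tls", looks_like_tls), ("irc", lambda p: bool(IRC_RE.match(p))), ("dns", looks_like_dns)]

def identify_payload(p):
    """Classify a session by payload structure alone; the port is never consulted."""
    return next((name for name, check in CHECKS if check(p)), "unknown")

EXPECTED = {80: "http", 443: "tls", 53: "dns", 6667: "irc"}   # what each port normally carries

def find_mismatches(sessions):
    """Return (port, protocol actually seen) for sessions whose payload disagrees with the port."""
    return [(port, identify_payload(p)) for port, p in sessions
            if port in EXPECTED and identify_payload(p) != EXPECTED[port]]
```

Run against the sample, the three sessions hiding IRC, HTTP and plain HTTP on ports 80, 53 and 443 are the ones reported; a port-based rule would have labelled all six as normal.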

Technology – Beyond Signatures to Knowledge

• To face today’s threats and issues, technologies must provide KNOWLEDGE to address questions that can be answered from network data:
– Why are employees running non-standard traffic over ports?
– Does the event need to be flipped to an Incident?
– What is the magnitude of this incident?
– How was an attack or breach conducted?
– Who’s contacting our competitors and how?
– Why is our top destination a foreign IP address?
– How is specific data leaving our organization?
– Who is using Skype to transfer files out of our network?

• Packet headers, logs and high level data do not provide enough information to answer these questions

Illustrations

Better Business Bureau Phishing Scam

• Two company execs (President & VP) at NetWitness received emails claiming that complaints were made against them and the company

• Email instructed recipients to open Word attachment for instructions on how to resolve the complaint (“Document_for_Case.doc”)

• Executives identified emails as suspicious and did not open

• Attachment analyzed using a virtual system (VMware) & open source tools (Sysinternals, OllyDbg, Hex Workshop, etc.)

Suspicious email

Suspicious attachment gets more suspicious

• An embedded PDF file inside of Word attachment looks even more fishy

• Alarm bells should be going off at this point

Unsophisticated Delivery Mechanism

More bad karma

• Adobe Reader issues an error

• Malicious code executed in the background

• “update443.exe” downloaded from http://64.17.184.98/cs/scripts

Malicious executable “update443.exe” hosted on a church website in Kentucky (graceofholland.org)

“update443.exe”

• Binary file compressed using Ultimate Packer for Executables (format: WIN32/PE)
– A self-extracting binary compressor favored by malware writers

• Evidence of binary compression is a good indicator that it will probably do bad things to your system

• Stepped through the uncompressed executable using the open source debugger OllyDbg

“update443.exe” Analysis

• Malware makes registry changes to ensure persistence after reboot
– Adds registry keys for new service “UpdateManager”

“update443.exe” Analysis

• Malicious code injected into IEXPLORE.EXE process; runs as “SYSTEM” vs. user-level

• Malicious DLL “update.dll” hooked into running IEXPLORE.EXE process, and any new instances of IEXPLORE.EXE processes

Beacon Activity

• Beaconing activity is obvious because of the short time delay (~7 seconds)

• Much harder to detect beacons with large time delays (e.g. one packet per hour)

• Begins after malware is retrieved, extracted, installed & running

• A “phone home” to report in with machine name & logged in user

• DEMONSTRATION
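An added example (not from the presentation or NetWitness) of how the ~7 second beacon stands out in connection timing, and of why an hourly beacon needs a much longer observation window before the same test can see it. The connection log, the IP addresses and the thresholds are constructed.

```python
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed connection log as (seconds since capture start, source IP, destination IP); not real capture data
SAMPLE_CONNECTIONS = [
    (0.0, "10.0.0.5", "192.0.2.44"), (7.1, "10.0.0.5", "192.0.2.44"),          # ~7 s beacon
    (14.0, "10.0.0.5", "192.0.2.44"), (21.2, "10.0.0.5", "192.0.2.44"),
    (28.0, "10.0.0.5", "192.0.2.44"), (35.1, "10.0.0.5", "192.0.2.44"),
    (0.0, "10.0.0.7", "198.51.100.20"), (3.0, "10.0.0.7", "198.51.100.20"),    # ordinary browsing, irregular
    (40.0, "10.0.0.7", "198.51.100.20"), (41.0, "10.0.0.7", "198.51.100.20"),
    (95.0, "10.0.0.7", "198.51.100.20"), (300.0, "10.0.0.7", "198.51.100.20"),
    (0.0, "10.0.0.9", "203.0.113.10"), (3600.0, "10.0.0.9", "203.0.113.10"),   # hourly beacon
    (7201.0, "10.0.0.9", "203.0.113.10"), (10799.0, "10.0.0.9", "203.0.113.10"),
    (14400.0, "10.0.0.9", "203.0.113.10"),
]

def beacon_candidates(connections, window=None, min_count=5, max_jitter=0.15):
    """Return {(src, dst): median interval} for pairs whose connection timing is near-periodic.

    window: only connections at or before this many seconds are considered (None = all),
    min_count: minimum connections needed before a pair is judged,
    max_jitter: allowed coefficient of variation (stdev / mean) of the inter-arrival times.
    """
    times = defaultdict(list)
    for t, src, dst in connections:
        if window is None or t <= window:
            times[(src, dst)].append(t)
    found = {}
    for pair, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) < min_count or mean(gaps) == 0:
            continue
        if pstdev(gaps) / mean(gaps) <= max_jitter:    # low jitter = machine-driven timing
            found[pair] = median(gaps)
    return found
```

With the whole four-hour log both beacons are reported; with a ten-minute window only the 7 second one is, because the hourly pair has not yet produced enough connections to be judged.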

Bad News DNS

• Lots of bad uses for DNS by state-sponsored hackers and organized crime

• Dynamic DNS
– Used for spear-phishing attacks and obfuscation of other data exfiltration activities

• Use of DNS as a covert channel
– Hiding of non-DNS traffic in what appears to be DNS packets

• DEMONSTRATION
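Added example, not from the presentation: one way to spot data being carried inside syntactically valid DNS queries is to look for zones that receive many distinct, long, high-entropy subdomain labels. The query log, the zone example.net and the thresholds are constructed; the two-label zone split is a simplification (no public suffix list is consulted).

```python
import hashlib
import math
from collections import defaultdict

def shannon_entropy(s):
    """Bits per character of the string s."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values()) if s else 0.0

def split_name(qname):
    """Split a query name into (data labels, zone); the zone is taken as the last two labels (simplification)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def tunnel_suspects(queries, max_data_len=30, min_entropy=3.0, min_unique=5):
    """Return {zone: count} for zones receiving many distinct, long, high-entropy subdomain labels,
    the pattern that appears when data is being carried in what look like ordinary DNS queries."""
    per_zone = defaultdict(set)
    for q in queries:
        data, zone = split_name(q)
        per_zone[zone].add(data)
    suspects = {}
    for zone, names in per_zone.items():
        carriers = [n for n in names if len(n) > max_data_len and shannon_entropy(n) >= min_entropy]
        if len(carriers) >= min_unique:
            suspects[zone] = len(carriers)
    return suspects

# Constructed query log: ordinary lookups plus eight queries whose left-hand labels carry encoded data
BENIGN = ["www.example.com", "mail.example.com", "cdn.example.com", "static-assets-us-east-1.example.com"]
CARRIER = [hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48] + ".t.example.net" for i in range(8)]
SAMPLE_QUERIES = BENIGN + CARRIER + BENIGN
```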

Virus/Worm Outbreak

• Zero-Day Incident
– Large enterprise of 40,000 users is experiencing network degradation.
– Anti-virus & IDS were silent.
– Traffic flow monitors show increased volume from 100's of hosts.

• DEMONSTRATION

Final Thoughts and Conclusions

Who Needs This Solution?

• CIO / CSO / CISO
– Convergence of network and application layer reporting giving insight and knowledge into behavior on the network

• Compliance / Risk Officer
– Data Leakage
– Compliance verification
– Non-malicious network waste and abuse is recognized immediately for comparison to company business rules and policies

• Investigator / General Counsel
– Insider Threat
– eDiscovery
– Intensive/Deep Analysis
– Reconstruction of malicious attacks, such as SQL injection, IRC bots, and Windows vulnerability exploitation, through quick and accurate analysis

• Security & Network Operations
– Orders of magnitude increase in speed to analysis: virus outbreaks, BOTnets, network anomalies, network health insights, etc.
– Advanced analysis capabilities for Incident Response Teams permitting faster identification and resolution of events and problems

Summary

• Today’s threat and compliance landscape requires a new generation of network monitoring that goes way beyond log files and simple content review techniques

• NetWitness NextGen provides a powerful record once, re-use many times infrastructure that permits users to easily and quickly search across terabytes of data

• NextGen can lower the risks to your information assets by providing a much higher level of assurance regarding your ability to defend against threats

• NextGen improves response time and increases the overall likelihood of problem detection, lowering the potential impact of problems

For a copy of this presentation, please email me:

nick@netwitness.com

(703) 608-3323

Thanks for your time!