HITB LAB: Identifying Threats in Raw Data Events: A Practical Approach for Enterprises
Transcript of the slide deck.
![Page 1: HITB LAB: Identifying Threats in Raw Data Events: A ...conference.hitb.org/hitbsecconf2014kul/materials... · IntroductionCriminilogy: case studiesDetectionCreating own IOCsEOF Campaigns](https://reader034.fdocuments.net/reader034/viewer/2022042420/5f37a2c2d3eedf5c730d1ea4/html5/thumbnails/1.jpg)
Introduction Criminology: case studies Detection Creating own IOCs EOF
HITB LAB: Identifying Threats in Raw Data Events: A Practical Approach for Enterprises
Vladimir Kropotov, Vitaly Chetvertakov, Fyodor Yarochkin, HITB 2014
Affiliations: Academia Sinica, o0o.nu, chroot.org
October 16, 2014, Kuala Lumpur
Outline
Introduction
Criminology: case studies
Detection
Creating own IOCs
EOF
2/150
Overview
Introduction
Criminology: case studies
Detection
Creating own IOCs
EOF
3/150
LAB
our demo IP 100.123.7.111
4/150
Everyone is p0wn3d :)
5/150
Challenges
Main Assumption: All networks are compromised
The difference between a good security team and a bad security team is that with a bad security team you will never know that you’ve been compromised.
6/150
Statistic speaks
- about 40,000,000 internet users in Russia
- for every 10,000 server hosts, 500 hosts trigger redirects to malicious content per week
- about 20-50 user machines (full AV installed, NAT, FW) get affected
7/150
Overview
Introduction
Criminology: case studies
Detection
Creating own IOCs
EOF
8/150
Forumology
Forumology - what we can learn by following the trading forums.
9/150
Forumology - recent compromise signs
date: - 01-09-2014
10/150
Forumology: targeted attack queries
11/150
Forumology: obfuscation patterns
crypto, free service
12/150
Forumology: sensitive data monetization
13/150
Forumology: social groups buying request with leaked attribution in a social network
14/150
Forumology: google play apps rating manipulation
15/150
Forumology: shells and traffic without direct victims attribution
- priority sales to individuals with high forum reputation
- one-hands-only sale
- reachable through the following contact:
16/150
Campaigns
| Domain | Category | Campaign dates | Unique hosts/day |
|---|---|---|---|
| ria.ru | news | Summer 2013 – Summer 2014 | ~1 600 000 |
| rg.ru | news | Autumn 2013 | ~790 000 |
| newsru.com | news | Winter 2013 – Spring 2014 | ~590 000 |
| gazeta.ru | news | Spring 2013 – Autumn 2013 | ~490 000 |
| aif.ru | news | Spring 2013 – Winter 2013 | ~330 000 |
| mk.ru | news | Summer 2013 – Autumn 2013 | ~315 000 |
| inosmi.ru | news | Summer 2014 | ~290 000 |
| 3dnews.ru | news | Winter 2013 – Summer 2014 | ~185 000 |
| vz.ru | news | Winter 2013 – Summer 2014 | ~170 000 |
| topnews.ru | news | Spring 2013 – Autumn 2013 | ~140 000 |
17/150
Campaigns(2)
| Domain | Category | When seen | Unique hosts/day |
|---|---|---|---|
| Youtube.com | | Summer 2013 – Winter 2014 | Alexa №3 |
| mail.ru | email | Winter 2013 – Spring 2014 | Alexa №40 |
| auto.ru | Autos | Summer 2014 – Autumn 2014 | ~320 000 |
| soccer.ru | Sport | Winter 2014 | ~220 000 |
| irr.ru | Ad Boards | Spring 2014 – Autumn 2014 | ~175 000 |
| job.ru | HR | Autumn 2014 | ~140 000 |
| glavbukh.ru | Accountants | Spring 2013 – Summer 2014 | ~70 000 |
| hr-portal.ru | Finance / HR | Winter 2013 – Spring 2014 | ~55 000 |
| tks.ru | Finance | Summer 2013 – Spring 2014 | ~38 000 |
| Bankir.ru | Finance | Spring 2013 – Autumn 2014 | ~33 000 |
18/150
Intermediate victims, EDU and forums
19/150
Intermediate victims, forums
20/150
Intermediate victims, companies (1)
21/150
Intermediate victims, companies (2)
22/150
Intermediate victims, companies (3)
23/150
Intermediate victims, companies (4)
24/150
Intermediate victims, companies (5)
25/150
Intermediate victims, companies (6)
26/150
Intermediate victims, regional government related (1)
27/150
Intermediate victims, regional government related (2)
28/150
Intermediate victims, regional government related (3)
29/150
Intermediate victims, regional government related (4)
30/150
Intermediate victims, regional government related (5)
31/150
Participants, other (mail delivery service)
32/150
Participants, other (anti debugging)
33/150
Seen on forum:
Google redirect:
34/150
Participants, other (known referrers...)
!!!!! Insert near google load sells (Google redirect:)
35/150
EK/malware serving hosts by country
36/150
Target victim traffic costs
37/150
Case studies:
- commercial crime
- not-monetary-profit oriented crime
Let's take a look at the first type:
38/150
Intermediate victims
Intermediate victims are targets too, such as free DNS hosting services:
- fbps.1403883.mar2.afraid.org
- ju7a.1403883.mar2.afraid.org
- wzet.1403883.mar2.afraid.org
- gatw.1403883.mar2.afraid.org
- kfzv.1403883.mar2.afraid.org
- oxdo.1403883.mar2.afraid.org
39/150
Legit domain abuse
domain: SCHOOLOPROS.RU
nserver: ns1.afraid.org.
nserver: ns2.afraid.org.
state: REGISTERED, DELEGATED, VERIFIED
org: LLC "GKShP"
registrar: RU-CENTER-REG-RIPN
admin-contact: https://www.nic.ru/whois
created: 2010.01.25
40/150
Domain rotation
http://www.residensea.jp/xuaioxc.php
http://firenzeviaroma.ru/dqryony.php
http://sphynxtoutnu.com/dnqaibb.php
http://www.icmjapan.co.jp/dgttcnm.php
http://www.controlseal.nl/yolelkx.php
http://ural.zz.mu/ledstsn.php
http://www.fotobit.pl/cpjjpei.php
http://bgcarshop.com/tgghhvy.php
http://www.borkowski.org/fudbqrf.php
http://shop.babeta.ru/puthnkn.php
http://e-lustrate.us/mycbbni.php
http://notarypublicconcept.com/shfvtpx.php
http://www.stempelxpress.nl/vechoix.php
http://64.68.190.53/dqohago.php
http://likos.orweb.ru/oydochh.php
http://wap.warelex.com/parpkeu.php
41/150
Domain rotation
- over 500 compromised domains
- rotation once every 3 minutes
42/150
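With over 500 compromised domains rotating every three minutes, a hostname blocklist built from the previous slide is stale almost as soon as it is written, while the path shape (`/<seven lowercase letters>.php`) stays constant across the whole list. The Python below is an added example written for this transcript, not code from the talk or its authors: it abstracts each URL path into a shape, groups sightings by shape, reports shapes served from many distinct hosts, and estimates the rotation period from the gaps between first sightings. The sample records are constructed with placeholder hostnames under reserved names and a documentation-range IP, and `path_shape` / `rotating_clusters` are names chosen here.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import urlsplit

# Constructed (first-seen time, URL) records as a proxy would log them.
# Hostnames are placeholders under reserved names, not the sites listed in
# the deck; only the "/<seven letters>.php" path style copies the slide.
SAMPLE = [
    ("2014-03-01 10:00", "http://shop.alpha.example/xuaioxc.php"),
    ("2014-03-01 10:03", "http://beta.example/dqryony.php"),
    ("2014-03-01 10:06", "http://www.gamma.example/dnqaibb.php"),
    ("2014-03-01 10:09", "http://delta.example/dgttcnm.php"),
    ("2014-03-01 10:12", "http://192.0.2.53/yolelkx.php"),
    ("2014-03-01 10:15", "http://wap.epsilon.example/ledstsn.php"),
    ("2014-03-01 10:18", "http://beta.example/dqryony.php"),   # repeat sighting
    ("2014-03-01 10:01", "http://intranet.example/index.php"),  # ordinary traffic
    ("2014-03-01 10:30", "http://beta.example/index.php"),
]


def path_shape(path):
    """Abstract a path: each run of lowercase letters or digits becomes a
    length-tagged token, so /xuaioxc.php and /dqryony.php share one shape.
    A single regex pass avoids re-processing the tokens it emits."""
    return re.sub(
        r"[a-z]+|\d+",
        lambda m: ("L<%d>" if m.group().isalpha() else "D<%d>") % len(m.group()),
        path,
    )


def rotating_clusters(records, min_hosts=3):
    """Group sightings by path shape and return the shapes served from at
    least min_hosts distinct hosts. period_s is the median gap in seconds
    between successive first sightings of a new host for that shape, which
    approximates the attacker's rotation interval."""
    first_seen = defaultdict(dict)  # shape -> host -> first timestamp
    for ts, url in records:
        u = urlsplit(url)
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        hosts = first_seen[path_shape(u.path)]
        if u.hostname not in hosts or t < hosts[u.hostname]:
            hosts[u.hostname] = t

    clusters = {}
    for shape, hosts in first_seen.items():
        if len(hosts) < min_hosts:
            continue  # a shape on one or two hosts is just normal web traffic
        times = sorted(hosts.values())
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        clusters[shape] = {
            "hosts": sorted(hosts),
            "period_s": median(gaps) if gaps else None,
        }
    return clusters


if __name__ == "__main__":
    for shape, info in rotating_clusters(SAMPLE).items():
        print(shape, len(info["hosts"]), "hosts, period ~", info["period_s"], "s")
```

The shape label is what you would turn into an IOC here: it survives the hostname rotation, and the estimated period tells you how often a hostname-keyed indicator would have to be refreshed to keep up.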
malware hosting on legit domains (stolen creds, vulns, etc.)
43/150
malware hosting on legit domains
44/150
malware hosting on legit domains
45/150
malware hosting on legit domains
46/150
malware hosting on legit domains
47/150
malware hosting on legit domains
48/150
malware hosting on legit domains
49/150
Lurk Campaign
Historical overview
(http://malware.dontneedcoffee.com/2014/08/angler-ek-now-capable-of-fileless.html?m=1)
- but actually the Lurk campaign is at least 3 years old (and mainly targeting .ru IP ranges).
50/150
Lurk in the news and News distribute Lurk. . .
"For purposes of analysis, we selected two information resources which we knew had been used to distribute the malware — http://www.ria.ru/ (a major Russian news agency) and http://www.gazeta.ru/ (a popular online newspaper)." (http://securelist.com/blog/virus-watch/32383/a-unique-bodiless-bot-attacks-news-site-visitors-3/)
Intermediate victims:
- ria.ru
- gazeta.ru
51/150
Lurk in 2011
Intermediate victims:
- glavbukh.ru
- inosmi.ru
- ria.ru
- riarealty.ru
- ura.ru

| Date | Referrer | IP | URL |
|---|---|---|---|
| 03/Nov/2011:14:36:57 | http://ria.ru/incidents/ | 50.97.204.116 | http://as5t3hjlsddk.com/BVRQ |
| 03/Nov/2011:14:47:44 | http://inosmi.ru/ | 50.97.204.116 | http://as5t3hjlsddk.com/BVRQ |
| 03/Nov/2011:14:52:03 | http://www.ura.ru/ | 50.97.204.116 | http://as5t3hjlsddk.com/BVRQ |
52/150
Other participants of the Winter-Spring 2012 Campaign
Intermediate victims:
- banki.ru
- fas.gov.ru
- glavbukh.ru
- infox.ru
- inosmi.ru
- klerk.ru
- newsru.com
- pravda.ru
- riarealty.ru
- slon.ru
- ura.ru
53/150
Lurk in the news and News distribute Lurk. . . (2)
Targeted web infections, Nov 08 2012 (http://securelist.ru/blog/intsidenty/3546/targetirovanny-e-veb-zarazheniya-2/)
Intermediate victims:
- interfax.ru
- Vesti.ru
- gazeta.ru
- vz.ru
- ura.ru
54/150
Timeline of Summer–Autumn 2012
Intermediate victims:

| Date | Ref. dom | IP | Port | Method | URL | App type | Bytes out/in |
|---|---|---|---|---|---|---|---|
| 8/17/2012 12:29 | 3dnews.ru | 207.182.136.150 | 80 | GET | http://jiujitrolam.info/2T4T | text/html | 290/58067 |
| 8/17/2012 12:29 | rian.ru | 207.182.136.150 | 80 | GET | http://jiujitrolam.info/2T4T | text/html | 535/4511 |
| 8/17/2012 13:38 | tks.ru | 207.182.136.150 | 80 | GET | http://jiujitrolam.info/2T4T | text/html | 370/5972 |
| 9/4/2012 14:16 | 3dnews.ru | 91.216.163.76 | 80 | GET | http://kalmadrezant.info/7GIC | text/html | 339/56870 |
| 9/13/2012 13:18 | newsru.com | 184.22.165.170 | 80 | GET | http://cdmalinkrating.net/7GIC | text/html | 607/58066 |
| 9/17/2012 12:50 | tks.ru | 184.22.165.170 | 80 | GET | http://responsesforemost.org/7GIC | text/html | 668/58075 |
| 9/17/2012 13:38 | slon.ru | 184.22.165.170 | 80 | GET | http://responsesforemost.org/7GIC | text/html | 728/194 |
| 9/18/2012 11:54 | rian.ru | 184.22.165.170 | 80 | GET | http://oggmoreripples.com/7GIC | text/html | 1160/194 |
| 10/10/2012 11:35 | vesti.ru | 91.121.152.84 | 80 | GET | http://deployspostsale.net/7GIC | text/html | 722/58037 |
| 10/12/2012 13:34 | gazeta.ru | 91.121.152.84 | 80 | GET | http://personallymainframes.net/7GIC | text/html | 618/58084 |
| 11/2/2012 14:12 | vesti.ru | 91.121.152.84 | 80 | GET | http://accuracyuploadonly.net/7GIC | text/html | 290/58078 |

(*) rian.ru + vesti.ru + gazeta.ru + newsru.com + 3dnews.ru + slon.ru > 40 000 000 unique visitors per day...
55/150
Campaign Autumn 2012 knocking to the Master
Proof logs:
| Date | IP | Port | Method | URL | Bytes out/in |
|---|---|---|---|---|---|
| 11/2/2012 14:13 | 184.173.226.246 | 80 | POST | http://rime41claim.com/search?hl=us&source=hp&q=22282240&aq=f&aqi=&aql=&oq= | 3041/256 |
| 11/2/2012 14:13 | 184.173.226.245 | 80 | GET | http://landlady48s.com/search?hl=us&source=hp&q=58959&aq=f&aqi=&aql=&oq=58959 | 831/336115 |
| 11/2/2012 14:14 | 184.173.226.246 | 80 | POST | http://rime41claim.com/search?hl=us&source=hp&q=1000000000503347&aq=f&aqi=&aql=&oq= | 241/252 |
56/150
Winter 2012-2013 Campaign
- new sigs: ISOQ (old sigs: 2T4T, 7GIC, BVRQ)
- sploit: 0ISOQjq
- payload: 1ISOQjq
57/150
Stats
| Date | Ref. dom | IP | Port | Method | URL | App type | Bytes out/in |
|---|---|---|---|---|---|---|---|
| 22.01.2013 16:33 | vesti.ru | 64.79.67.220 | 80 | GET | http://cetapetrar.info/ISOQ | text/html | |
| 28.01.2013 15:15 | vz.ru | 64.79.67.220 | 80 | GET | http://mgsinterviews.biz/ISOQ | text/html | 629/58214 |
| 28.01.2013 15:15 | - | 64.79.67.220 | 80 | GET | http://mgsinterviews.biz/0ISOQjq | application/java-archive | 668/21460 |
| 28.01.2013 15:15 | - | 64.79.67.220 | 80 | GET | http://mgsinterviews.biz/1ISOQjq | application/octet-stream | 597/123280 |
| 2013-02-05 15:27 | vz.ru | 208.110.73.74 | 80 | GET | http://ferpolokas.info/ISOQ | text/html | 366/57061 |
| 08.02.2013 15:26 | 3dnews.ru | 208.110.73.75 | 80 | GET | http://footmanage.info/XZAH | text/html | |
| 2/11/2013 16:22 | vz.ru | 208.110.73.75 | 80 | GET | http://croppingvietnam.biz/XZAH | text/html | 478/194 |
| 19.02.2013 15:13 | klerk.ru | 208.110.73.75 | 80 | GET | http://interfacesfeaturelimited.org/XZAH | text/html | |
| 2/20/2013 12:52 | newsru.com | 208.110.73.75 | 80 | GET | http://solvesautoplay.info/XZAH | text/html | 653/58233 |
| 2/20/2013 12:52 | - | 208.110.73.75 | 80 | GET | http://solvesautoplay.info/0XZAHwj | application/java-archive | 684/21422 |
| 2/20/2013 12:52 | - | 208.110.73.75 | 80 | GET | http://solvesautoplay.info/1XZAHwj | application/octet-stream | 613/119184 |
| 20.02.2013 12:52 | newsru.com | 208.110.73.75 | 80 | GET | http://solvesautoplay.info/XZAH | text/html | |
| 20.02.2013 13:22 | vz.ru | 208.110.73.75 | 80 | GET | http://solvesautoplay.info/XZAH | text/html | |
| 20.02.2013 13:24 | vesti.ru | 208.110.73.75 | 80 | GET | http://solvesautoplay.info/XZAH | text/html | |
| 3/5/2013 13:51 | glavbukh.ru | 208.110.73.75 | 80 | GET | http://birdsricher.info/XZAH | text/html | 619/194 |
| 3/6/2013 14:32 | klerk.ru | 74.82.203.10 | 80 | GET | http://comprisefuse.info/XZAH | text/html | 875/194 |
58/150
Summer 2013: landing pattern changes to "indexm.html"
| date | ref. dom | ip | port | method | url | apptype | bytes out/in |
|---|---|---|---|---|---|---|---|
| 21/Aug/2013:11:53 | tks.ru | 70.32.39.108 | 80 | GET | http://frilpertesemota.info/indexm.html | | 585/203 |
| 21/Aug/2013:11:53 | tks.ru | 70.32.39.108 | 80 | GET | http://frilpertesemota.info/054RIwj | | 4999/0 |
| 8/23/2013 12:58 | slon.ru | 173.234.60.86 | 80 | GET | http://sabretensar.info/indexm.html | | 4137/460 |
| 03.09.2013 14:12 | rg.ru | 173.234.60.83 | 80 | GET | http://miopades.info/indexm.html | | |
| 09.09.2013 14:49 | tks.ru | 209.123.8.35 | 80 | GET | http://kilkadukas.info/indexm.html | | |
| 9/20/2013 12:50 | gazeta.ru | 216.55.166.53 | 80 | GET | http://lpakuwiera.info/indexm.html | text/html | 157/1025 |
| 9/20/2013 13:52 | rg.ru | 216.55.166.53 | 80 | GET | http://lpakuwiera.info/indexm.html | | 4134/613 |
| 9/23/2013 12:41 | aif.ru | 209.123.8.183 | 80 | GET | http://liapolasens.info/indexm.html | | 4137/334 |
59/150
Debugging of fingerprinting mechanism? Sep 2013
http://ljiartwbvsa.info/indexm.html text/html
http://ljiartwbvsa.info/054RIdl application/x-shockwave-flash
http://ljiartwbvsa.info/counter.php?t=f&v=win%2011,7,700,169&a=true text/html
http://ljiartwbvsa.info/354RIcx text/html
http://ljiartwbvsa.info/s.php?qt=null&fl=11,7,700,169&sw=null&ar=null&jv=null&sl=5,1,20513,0 text/html
http://ljiartwbvsa.info/054RIcx
60/150
Fresh news from the field
| date | ref. dom | ip | port | method | url | apptype | bytes out/in |
|---|---|---|---|---|---|---|---|
| 8/20/2014 16:57 | auto.ru | 188.165.229.195 | 80 | GET | http://kopwa.linogeraxa.info/indexm.html | | 189/353 |
| 9/1/2014 12:02 | irr.ru | 188.165.229.195 | 80 | GET | http://apobda.kiqpoltar2.in/indexm.html | | 4251/6180 |
| 01/Sep/2014:16:54 | bankir.ru | 188.165.229.195 | 80 | GET | http://snkua.kiqpoltar2.in/indexm.html | | 634/7027 |
| 9/4/2014 14:16 | smotri.com | 188.165.229.195 | 80 | GET | http://xbxa72.bsoyetrad.in/indexm.html | | 4248/4330 |
| 04/Sep/2014:12:03 | auto.ru | 188.165.229.195 | 80 | GET | http://snkua.kiqpoltar2.in/indexm.html | application/x-empty | 593/6903 |
| 04/Sep/2014:15:26 | irr.ru | 188.165.229.195 | 80 | GET | http://boreas.gohasellor.info/indexm.html | text/html | 436/82493 |
| 04/Sep/2014:15:26 | - | 188.165.229.195 | 80 | GET | http://boreas.gohasellor.info/3MSKMcx | text/html | 344/1181 |
| 04/Sep/2014:15:26 | - | 188.165.229.195 | 80 | GET | http://boreas.gohasellor.info/sxvutirwbfexedbjmqqn.html | text/xml | 362/1629 |
| 04/Sep/2014:15:56 | job.ru | 188.165.229.195 | 80 | GET | http://boreas.gohasellor.info/indexm.html | application/x-empty | 696/1820 |
| 05/Sep/2014:15:24 | bankir.ru | 188.165.229.195 | 80 | GET | http://snkua.kiqpoltar2.in/indexm.html | | 634/7027 |
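An added example, not from the slides, that turns the two observations in these tables into detection logic over rows in the same layout: the landing page, Java archive and octet-stream payload served by one throwaway host within minutes of each other, and the later switch to a fixed `indexm.html` landing name shared by many domains on a single IP. The two-minute window, the stage order and the `-` placeholder for an empty referer are assumptions.

```python
"""Flag exploit-kit delivery chains in proxy-log rows laid out like the tables
above (date, time, referer domain, server ip, port, method, url, apptype,
bytes out/in).  Added example; the chain rule and the window are assumptions."""
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample built from rows on the slides; "-" marks an empty referer.
LOG = """\
28.01.2013 15:15 vz.ru 64.79.67.220 80 GET http://mgsinterviews.biz/ISOQ text/html 629/58214
28.01.2013 15:15 - 64.79.67.220 80 GET http://mgsinterviews.biz/0ISOQjq application/java-archive 668/21460
28.01.2013 15:15 - 64.79.67.220 80 GET http://mgsinterviews.biz/1ISOQjq application/octet-stream 597/123280
2/20/2013 12:52 newsru.com 208.110.73.75 80 GET http://solvesautoplay.info/XZAH text/html 653/58233
2/20/2013 12:52 - 208.110.73.75 80 GET http://solvesautoplay.info/0XZAHwj application/java-archive 684/21422
2/20/2013 12:52 - 208.110.73.75 80 GET http://solvesautoplay.info/1XZAHwj application/octet-stream 613/119184
20.02.2013 13:22 vz.ru 208.110.73.75 80 GET http://solvesautoplay.info/XZAH text/html
3/6/2013 14:32 klerk.ru 74.82.203.10 80 GET http://comprisefuse.info/XZAH text/html 875/194
9/1/2014 12:02 irr.ru 188.165.229.195 80 GET http://apobda.kiqpoltar2.in/indexm.html 4251/6180
01/Sep/2014:16:54 bankir.ru 188.165.229.195 80 GET http://snkua.kiqpoltar2.in/indexm.html 634/7027
04/Sep/2014:15:26 irr.ru 188.165.229.195 80 GET http://boreas.gohasellor.info/indexm.html text/html 436/82493
"""

# The four timestamp spellings that occur in the slides' tables.
DATE_FORMATS = ("%d.%m.%Y %H:%M", "%m/%d/%Y %H:%M", "%Y-%m-%d %H:%M", "%d/%b/%Y:%H:%M")
BYTES_RE = re.compile(r"^\d+/\d+$")
STAGES = ("text/html", "application/java-archive", "application/octet-stream")


def parse_ts(text):
    """Normalise any of the known timestamp formats; refuse unknown ones."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError("unknown timestamp format: %r" % text)


def parse_row(line):
    """Split one row; apptype and bytes are optional and may both be missing."""
    f = line.split()
    if ":" in f[0]:                      # "01/Sep/2014:16:54" is one token
        ts, rest = parse_ts(f[0]), f[1:]
    else:                                # "28.01.2013 15:15" is two tokens
        ts, rest = parse_ts(f[0] + " " + f[1]), f[2:]
    ref, ip, port, method, url = rest[:5]
    apptype = nbytes = None
    for tok in rest[5:]:
        if BYTES_RE.match(tok):
            nbytes = tok
        else:
            apptype = tok
    return {"ts": ts, "ref": ref, "ip": ip, "url": url,
            "host": urlsplit(url).hostname, "apptype": apptype, "bytes": nbytes}


def find_chains(rows, window=timedelta(minutes=2)):
    """Return (host, referer, [urls]) for every landing page that was followed,
    on the same host and within `window`, by a Java archive and then a raw
    binary.  The landing hit carries the referer of the compromised site;
    the stages after it are fetched without one."""
    by_host = {}
    for r in sorted(rows, key=lambda r: r["ts"]):
        by_host.setdefault(r["host"], []).append(r)
    hits = []
    for host, rs in by_host.items():
        for i, land in enumerate(rs):
            if land["apptype"] != STAGES[0] or land["ref"] == "-":
                continue
            want, chain = list(STAGES[1:]), [land]
            for nxt in rs[i + 1:]:
                if nxt["ts"] - land["ts"] > window:
                    break
                if want and nxt["apptype"] == want[0]:
                    chain.append(nxt)
                    want.pop(0)
            if not want:
                hits.append((host, land["ref"], [c["url"] for c in chain]))
    return hits


def shared_landing_ips(rows, landing="/indexm.html", min_hosts=2):
    """Map server IPs to the distinct hostnames that served the same landing
    path: several throwaway domains on one IP is the 2013/2014 pattern."""
    hosts = {}
    for r in rows:
        if urlsplit(r["url"]).path == landing:
            hosts.setdefault(r["ip"], set()).add(r["host"])
    return {ip: sorted(h) for ip, h in hosts.items() if len(h) >= min_hosts}


def analyse(text=LOG):
    rows = [parse_row(l) for l in text.splitlines() if l.strip()]
    return find_chains(rows), shared_landing_ips(rows)


if __name__ == "__main__":
    chains, shared = analyse()
    for host, ref, urls in chains:
        print("exploit chain on %s (victim came from %s): %s" % (host, ref, " -> ".join(urls)))
    for ip, hosts in shared.items():
        print("%s serves /indexm.html on %d hosts: %s" % (ip, len(hosts), ", ".join(hosts)))
```

On the sample, the two 2013 triples are reported and the single 2014 IP carrying three `indexm.html` domains is listed; a landing hit with no archive behind it (the 13:22 XZAH row) is not reported.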
61/150
Mitigation experience and aftereffects
- Abusing hosting (you can lose the chain; criminals just pay $50 for other hosting)
- Abusing registrar
- Abusing DNS
- Forensic evidence collection and actor attribution
- Interaction with CERTs and Authorities
- Informing victims directly
62/150
MacOS botnet: a Kaiten variant in action
- Kaiten/Tsunami is an open-source IRC-controlled DDoS bot
- Observed large infection of MacOS machines in Sept-2014 (starting on 02-09-2014)
- initial infection vector: yet unknown
- Observation: 2014-09-02 - now
- target - mainly .CN (mostly), TW
- small number in KR, NP, JP, MY
- iocs:
Executables:
cbf5a6d2fba422caa5913e48ef68a6ab http://5.104.106.190/.../cores
98bb67d91476d8ac4e71d39c92564b3b http://linux.microsoftwindowsupdate.org/poke.sh
63/150
IOCs
64/150
IOCs
5.104.106.190
- eventuallydown.dyndns.biz
- fastfoodz.dlinkddns.com
- updates.dyndn-web.com
54.68.53.18
- flippinflops.dyndns.tv
65/150
Indicators
- Hosted on a German IP and on Amazon EC2. Hosts an IRC server, DNS server and web server (used to wget new binaries/updates).
- controlled from an .il IP address
irc servers:
192.31.186.4
85.214.45.208
- eichwalde.de
- hortbuntstifte.de
- channel #core
66/150
Kaiten ops:
- controlled by iseee [email protected]
- PRIVMSGs commands, manipulates DNS resolver settings
67/150
Kaiten conclusions
- 18247 unique IP addresses within 3 days
- 3k bots simultaneously
- Botnet growth limited by IRC server stability
68/150
Targeted campaigns
APT != STATE SPONSORED
- Q: Why so many APT-like activities out of .cn?
- A: A different market structure. (Data worth money)
69/150
APT ..?
Interesting correlations:
70/150
Bad guys in your net ;-)
coming from a KR IP address (bounce), redirecting a shell to CHINANET SICHUAN :)
14.63.225.20 and 118.123.116.177 - http://bobao.360.cn/learning/detail/43.html
71/150
Overview
Introduction
Criminilogy: case studies
Detection
Creating own IOCs
EOF
72/150
Hands ON
- moloch https://100.123.7.111:8005 (user admin, password hitb2014)
73/150
Detection
Detection: tools and techniques
74/150
Good thing to assume
If you are under attack, your AV, firewalls and IDS are in THE ATTACKER'S THREAT MODEL. The option you have: read between the lines. When you are compromised, what is the action plan?
75/150
Some useful tools
Developed by us:
- http://github.com/fygrave/ndf
- http://github.com/fygrave/hntp
3rd party:
- fiddler
- elasticsearch && http://github.com/aol/moloch (vm) and our 0mq plugin
- yara
- hpfeeds https://github.com/rep/hpfeeds
- CIF https://github.com/collectiveintel/cif-v1
- https://github.com/STIXProject/ - openioc-to-stix converter
- https://github.com/MISP/MISP - malware information sharing platform
76/150
Introduction: terminology
Indicators of Compromise
An indicator of compromise (IOC) in computer forensics is an artifact observed on a network or in an operating system that with high confidence indicates a computer intrusion.
http://en.wikipedia.org/wiki/Indicator_of_compromise
77/150
AV model broken
Why is the AV model broken?
- AV detection/monitoring: http://viruscheckmate.com/id/OByt539VwEcQ
78/150
Why Indicators of compromise
Indicators of Compromise help us to answer questions like:
- is this document/file/hash malicious?
- is there any past history for this IP/domain?
- what are the other similar/related domains/hashes/..?
- who is the actor?
- am I an APT target?!! ;-)
79/150
An Example
A network compromise case study:
- Attackers broke in via a web vuln.
- Attackers gained local admin access
- Attackers created a local user
- Attackers started probing other machines for default user ids
- Attackers launched tunneling tools – connecting back to C2
- Attackers installed RATs to maintain access
80/150
Indicators
So what are the compromise indicators here?
- Where did attackers come from? (IP)
- What vulnerability was exploited? (pattern)
- What web backdoor was used? (pattern, hash)
- What tools were uploaded? (hashes)
- What users were created locally? (username)
- What usernames were probed on other machines?
81/150
Good or Bad?
File Name : RasTls.exe
File Size : 105 kB
File Modification Date/Time : 2009:02:09 19:42:05+08:00
File Type : Win32 EXE
MIME Type : application/octet-stream
Machine Type : Intel 386 or later, and compatibles
Time Stamp : 2009:02:02 13:38:37+08:00
PE Type : PE32
Linker Version : 8.0
Code Size : 49152
Initialized Data Size : 57344
Uninitialized Data Size : 0
Entry Point : 0x3d76
OS Version : 4.0
Image Version : 0.0
Subsystem Version : 4.0
Subsystem : Windows GUI
File Version Number : 11.0.4010.7
Product Version Number : 11.0.4010.7
File OS : Windows NT 32-bit
Object File Type : Executable application
Language Code : English (U.S.)
Character Set : Windows, Latin1
Company Name : Symantec Corporation
File Description : Symantec 802.1x Supplicant
File Version : 11.0.4010.7
Internal Name : dot1xtray
82/150
It really depends on context
RasTls.DLL
RasTls.DLL.msc
RasTls.exe
http://msdn.microsoft.com/en-us/library/ms682586(v=VS.85).aspx Dynamic-Link Library Search Order
83/150
IOC representations
Multiple standards have been created to facilitate IOC exchanges.
- Mandiant: OpenIOC
- Mitre: STIX (Structured Threat Information Expression), CybOX (Cyber Observable Expression)
- Mitre: CAPEC, TAXII
- IODEF (Incident Object Description Format)
84/150
Standards: OpenIOC
OpenIOC - Mandiant-backed (now FireEye) effort for a uniform representation of IOCs: http://www.openioc.org/
85/150
OpenIOCs
Digital Appendices/Appendix G (Digital) - IOCs
$ ls
86/150
Standards: Mitre
Mitre CybOX: http://cybox.mitre.org/
https://github.com/CybOXProject/Tools
https://github.com/CybOXProject/openioc-to-cybox
Mitre CAPEC: http://capec.mitre.org/
Mitre STIX: http://stix.mitre.org/
Mitre TAXII: http://taxii.mitre.org/
87/150
Mature: stix
88/150
Indicators of Compromise
- Complex IOCs covering all steps of attack
- Dynamic creation of IOCs on the fly
- Auto-reload of IOCs, TTLs
- Dealing with different standards/import export
89/150
Exploit pack trace
url ip mime type ref
http://cuba.eanuncios.net/1/zf3z9lr6ac8di6r4kw2r0hu3ee8ad.html 93.189.46.222 text/html http://www.smeysyatut.ru/ 118162 413 200
http://cuba.eanuncios.net/2909620968/1/1399422480.htm 93.189.46.222 text/html http://cuba.eanuncios.net/1/zf3z9lr6ac8di6r4kw2r0hu3ee8ad.html 37432 441 200
http://cuba.eanuncios.net/2909620968/1/1399422480.jar 93.189.46.222 application/java-archive - 18451 323 200
http://cuba.eanuncios.net/2909620968/1/1399422480.jar 93.189.46.222 application/java-archive - 18451 280 200
http://cuba.eanuncios.net/f/1/1399422480/2909620968/2 93.189.46.222 - - 115020 244 200
http://cuba.eanuncios.net/f/1/1399422480/2909620968/2/2 93.189.46.222 - - 327 246 200
90/150
Nuclearsploit pack
```python
{'Nuclearsploitpack': {
  'step1': {
    'files': ['wz3u6si8e5lh7k2tk5ox4ne6d8g.html', 't3f5y9a2bb3dl7z8gc4o6f.html',
              'zf3z9lr6ac8di6r4kw2r0hu3ee8ad.html', 'rx3vb9qg6lq8ll6ij4u2sa0xx3ln8le.html',
              'k2qx3dv0ey7lo3rp8q6ce4lw0fp0z.html', 'kz6tp7k4cx3h4j8kr3za5a.html',
              'wq6ln7o4zj3d4fu8zc3a5sw.html', 'z2c8mg6h0df2n2ss8kd2e6k7y.html'],
    'domains': ['father.ferremovil.com', 'thai.alohatransllc.com', 'cuba.eanuncios.net',
                'duncan.disenocorporativo.com.ar', 'homany.collectiveit.com.au', 'privacy.terapia.org.ar'],
    'arguments': [],
    'directories': ['1'],
    'ip': ['93.189.46.201', '93.189.46.203', '93.189.46.222', '93.189.46.224', '93.189.46.233']},
  'step2': {
    'files': ['1399422480.htm', '1399704720.htm', '1399513440.htm', '1399514040.htm', '1399773300.htm'],
    'domains': ['cuba.eanuncios.net', 'duncan.disenocorporativo.com.ar',
                'homany.collectiveit.com.au', 'privacy.terapia.org.ar'],
    'arguments': [],
    'directories': ['2909620968', '1', '507640988', '940276731', '3957283574', '952211704'],
    'ip': ['93.189.46.222', '93.189.46.224', '93.189.46.233']},
  'step3': {
    'files': ['1399422480.jar', '1399513440.jar'],
    'domains': ['cuba.eanuncios.net', 'homany.collectiveit.com.au'],
    'arguments': [],
    'directories': ['2909620968', '1', '940276731'],
    'ip': ['93.189.46.222', '93.189.46.224']},
  'step4': {
    'files': ['2'],
    'domains': ['cuba.eanuncios.net'],
    'arguments': [],
    'directories': ['f', '1', '1399422480', '2909620968', '2'],
    'ip': ['93.189.46.222']}}}
```
91/150
Redirect (example)
http://mysimuran.ru/forum/kZsjOiDMFb/ 89.111.178.33 http://agency.accordinga.pw/remain/unknown.html?mods=8&id=26,text/html
http://mysimuran.ru/forum/kZsjOiDMFb/js.js?4231 89.111.178.33 http://mysimuran.ru/forum/kZsjOiDMFb/,text/plain
http://c.hit.ua/hit?i=59278&g=0&x=2 89.184.81.35 http://mysimuran.ru/forum/kZsjOiDMFb/,image/gif
http://f-wake.browser-checks.info:28001/d1x/3/87475b26a521024ce78d7ea73164140a/http%3A%2F%2Fagency.accordinga.pw%2Fremain%2Funknown.html%3Fmods%3D8%26id%3D26 46.254.16.209 http://mysimuran.ru/forum/kZsjOiDMFb/,text/html
92/150
Redirect Example
```python
{'28001': {
  'step1': {
    'directories': ['forum', 'kZsjOiDMFb', 'epygFrFsoU'],
    'arguments': [],
    'files': [''],
    'ip': ['89.111.178.33'],
    'domains': ['mysimuran.ru']},
  'step2': {
    'directories': ['forum', 'kZsjOiDMFb', 'epygFrFsoU', 'kJXshWOMNC'],
    'arguments': ['4231', '7697', '9741'],
    'files': ['js.js', 'cnt.html'],
    'ip': ['89.111.178.33'],
    'domains': ['mysimuran.ru']},
  'step3': {
    'directories': [],
    'arguments': ['i', 'g', 'x'],
    'files': ['hit'],
    'ip': ['89.184.81.35'],
    'domains': ['c.hit.ua']},
  'step4': {
    'directories': ['d1x', '3', '87475b26a521024ce78d7ea73164140a', 'd36eb1fc80ebe9df515d043be1557f57'],
    'arguments': [],
    'files': ['http%3A%2F%2Fagency.accordinga.pw%2Fremain%2Funknown.html%3Fmods%3D8%26id%3D26',
              'http%3A%2F%2Fstruck.lookeda.pw%2Fcongress%2Fpresident.html%3Flose%3D21%26amid%3D463'],
    'ip': ['46.254.16.209'],
    'domains': ['f-wake.browser-checks.info', 'a-oprzay.browser-checks.pw']}}}
```
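The exploit-pack trace and the redirect example above both end in the same per-step structure (files, domains, arguments, directories, ip per step). As an added example that is not the authors' tool, this builds that structure from rows of (url, ip, mime, referer); the field extraction follows what the slides' output shows, while the rule that assigns a row to a step is an assumption of this example.

```python
"""Build the per-step IOC structure shown on the slides (files, domains,
arguments, directories, ip per step) from proxy-log rows of the form
(url, ip, mime, referer).  Added example; the step heuristic is an
assumption, the field extraction follows what the slides' output shows."""
from urllib.parse import urlsplit

# Constructed sample: the Nuclear exploit-pack trace from the slide.
# "-" stands for an empty field.
NUCLEAR_TRACE = [
    ("http://cuba.eanuncios.net/1/zf3z9lr6ac8di6r4kw2r0hu3ee8ad.html",
     "93.189.46.222", "text/html", "http://www.smeysyatut.ru/"),
    ("http://cuba.eanuncios.net/2909620968/1/1399422480.htm",
     "93.189.46.222", "text/html",
     "http://cuba.eanuncios.net/1/zf3z9lr6ac8di6r4kw2r0hu3ee8ad.html"),
    ("http://cuba.eanuncios.net/2909620968/1/1399422480.jar",
     "93.189.46.222", "application/java-archive", "-"),
    ("http://cuba.eanuncios.net/2909620968/1/1399422480.jar",
     "93.189.46.222", "application/java-archive", "-"),
    ("http://cuba.eanuncios.net/f/1/1399422480/2909620968/2",
     "93.189.46.222", "-", "-"),
    ("http://cuba.eanuncios.net/f/1/1399422480/2909620968/2/2",
     "93.189.46.222", "-", "-"),
]

FIELDS = ("files", "domains", "arguments", "directories", "ip")


def url_parts(url):
    """Split a URL the way the slides do: hostname, path directories, last
    path segment ('' after a trailing slash) and query parameter *names*
    (a bare value such as js.js?4231 is kept whole)."""
    u = urlsplit(url)
    segs = u.path.split("/")[1:]
    dirs, fname = segs[:-1], (segs[-1] if segs else "")
    args = [p.split("=", 1)[0] for p in u.query.split("&") if p]
    return u.hostname, dirs, fname, args


def classify_step(mime, ref, seen_urls):
    """Assumed stage rule (not the authors'): a page reached from outside the
    kit is the landing (1), a page reached from inside is the exploit page (2),
    a Java archive is the exploit (3), anything else is the payload (4)."""
    if mime == "text/html":
        return 1 if ref not in seen_urls else 2
    if mime == "application/java-archive":
        return 3
    return 4


def _add(lst, items):
    """Append each item once, preserving first-seen order."""
    for it in items:
        if it not in lst:
            lst.append(it)


def build_steps(rows):
    """Aggregate rows into {'stepN': {files, domains, arguments, directories, ip}}."""
    steps, seen = {}, set()
    for url, ip, mime, ref in rows:
        key = "step%d" % classify_step(mime, ref, seen)
        seen.add(url)
        st = steps.setdefault(key, {f: [] for f in FIELDS})
        host, dirs, fname, args = url_parts(url)
        _add(st["files"], [fname])
        _add(st["domains"], [host])
        _add(st["arguments"], args)
        _add(st["directories"], dirs)
        _add(st["ip"], [ip])
    return dict(sorted(steps.items()))


if __name__ == "__main__":
    import json
    print(json.dumps({"Nuclear sploit pack": build_steps(NUCLEAR_TRACE)}, indent=1))
```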
93/150
Sourcing External IOCs
- CIF - https://code.google.com/p/collective-intelligence-framework/
- feeds (with scrapers):
94/150
Sourcing External IOCs
- feed your scrapers:
https://zeustracker.abuse.ch/blocklist.php?download=badips
http://malc0de.com/database/
https://reputation.alienvault.com/reputation.data
...
- VT intelligence
95/150
Sourcing IOCs Internally
- honeypot feeds
- log analysis
- traffic analysis
96/150
Where to look for IOCs internally
- Outbound Network Traffic
- User Activities/Failed Logins
- User profile folders
- Administrative Access
- Access from unusual IP addresses
- Database IO: excessive READs
- Size of responses of web pages
- Unusual access to particular files within Web Application (backdoor)
- Unusual port/protocol connections
- DNS and HTTP traffic requests
- Suspicious Scripts, Executables and Data Files
97/150
Challenges
Why do we need IOCs? Because they make it easier to systematically describe knowledge about breaches.
- Identifying intrusions is hard
- Unfair game:
  - defender should protect all the assets
  - attacker only needs to 'pop' one system.
- Identifying targeted, organized intrusions is even harder
- Minor anomalous events are important when put together
- Seeing the global picture is a must
- Details matter
- Attribution is hard
98/150
Use honeypots
- Running honeypots gives an enormous advantage in detecting emerging threats
- Strategically placing honeypots is extremely important
HPfeeds, Hpfriends and more
HPFeeds Architecture
HPFeeds API in a nutshell:

import pygeoip
import hpfeeds
import json

HOST = 'broker'
PORT = 20000
CHANNELS = ['geoloc.events']
IDENT = 'ident'
SECRET = 'secret'

# ip is the source address of the honeypot event being published; the slide
# leaves it to the caller, the value below is only a placeholder
ip = '203.0.113.5'

gi = pygeoip.GeoIP('GeoLiteCity.dat')
hpc = hpfeeds.new(HOST, PORT, IDENT, SECRET)
msg = {'latitude': gi.record_by_addr(ip)['latitude'],
       'longitude': gi.record_by_addr(ip)['longitude'],
       'type': 'honeypot hit'}
hpc.publish(CHANNELS, json.dumps(msg))
hpfeeds integration
NTP probe collector
HPFeeds and honeymap
Applying IOCs to your detection process
moloch moloch moloch :)
Tools for Dynamic Detection of IOC
- Snort
- Yara + yara-enabled tools
- Moloch
- Splunk / log search
- roll-your-own :p
Moloch
Moloch is awesome:
Open-source tools
OpenIOC manipulation:
https://github.com/STIXProject/openioc-to-stix
https://github.com/tklane/openiocscripts
Mantis Threat Intelligence Framework:
https://github.com/siemens/django-mantis.git
Mantis supports STIX/CybOX/IODEF/OpenIOC etc. via importers:
https://github.com/siemens/django-mantis-openioc-importer
Search Splunk data for IOC indicators:
https://github.com/technoskald/splunk-search
Our framework: http://github.com/fygrave/iocmap/
iocmap
MISP
- http://www.secure.edu.pl/pdf/2013/D2_1530_A_Socha.pdf
- https://github.com/MISP
Tools for Dynamic Detection
- Moloch
- Moloch supports Yara (IOCs can be directly applied)
- Moloch has an awesome tagger plugin:

# tagger.so
# provides ability to import text files with IP and/or hostnames
# into a sensor that would cause autotagging of all matching sessions
plugins=tagger.so
taggerIpFiles=blacklist,tag,tag,tag...
taggerDomainFiles=domainbasedblacklists,tag,tag,tag
Moloch plugins
Moloch is easily extendable with your own plugins
- https://github.com/fygrave/moloch_zmq - makes it easy to integrate other things with moloch via a zmq queue, pub/sub or push/pull model
Moloch ZMQ example
CEP-based analysis of network traffic (using Esper):
https://github.com/fygrave/clj-esptool/

(esp:add "create context SegmentedBySrc partition by src from WebDataEvent")
(esp:add "context SegmentedBySrc select src, rate(30) as rate, avg(rate(30)) as avgRate
          from WebDataEvent.win:time(30) having rate(30) < avg(rate(30)) * 0.75
          output snapshot every 60 sec")
(future-call start-counting)
Sources of IOCs
- IOC Bucket: http://iocbucket.com
- Public blacklists/trackers could also be used as a source:
  https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
  https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
- ESET IOC repository: https://github.com/eset/malware-ioc
- more coming?
Where to mine IOCs
- passive HTTP (keep your data recorded)
- passive DNS
These platforms provide the ability to mine traffic or patterns from the past based on IOC similarity: "show me all the packets similar to this IOC".
We implemented a whois service for IOC look-ups:

whois -h ioc.host.com attribute:value+attribute:value
Mining IOCs from your own data
- find and investigate an incident
- or even read a paper
- determine indicators and test them in YOUR environment
- use the new indicators in the future
see the IOC cycle we mentioned earlier
Example
If an event chain leads to compromise:
http://liapolasens[.]info/indexm.html
http://liapolasens[.]info/counter.php?t=f&v=win%2011,7,700,169&a=true
http://liapolasens[.]info/354RIcx
http://liapolasens[.]info/054RIcx
What to do?
Investigating using known IOCs
- Investigating static host-based IOCs
- Investigating dynamic host-based IOCs
- Investigating static network IOCs
- Investigating dynamic network IOCs
analyzing HTTP traffic
- User agents
- suspicious domains
- static analysis of HTTP headers
Analyzing AV logs
23.01.13 19:56 Detected: Trojan-Spy.Win32.Zbot.aymr C:/Documents and Settings/user1/Application Data/Sun/Java/Deployment/cache/6.0/27/4169865b-641d53c9/UPX
23.01.13 19:56 Detected: Trojan-Downloader.Java.OpenConnection.ck C:/Documents and Settings/user1/Application Data/Sun/Java/Deployment/cache/6.0/48/38388f30-4a676b87/bpac/b.class
23.01.13 19:56 Detected: Trojan-Downloader.Java.OpenConnection.cs C:/Documents and Settings/user1/Application Data/Sun/Java/Deployment/cache/6.0/48/38388f30-4a676b87/ot/pizdi.class
23.01.13 19:58 Detected: HEUR:Exploit.Java.CVE-2013-0422.gen C:/Documents and Settings/user1/Local Settings/Temp/jar_cache3538799837370652468.tmp
Analyzing AV logs
01/14/13 06:57 PM 178.238.141.19 http://machete0-yhis.me/ pictures/demos/OAggq application/x-java-archive
01/14/13 06:57 PM 178.238.141.19 http://machete0-yhis.me/pictures/demos/OAggq application/x-java-archive
01/14/13 06:57 PM 178.238.141.19 http://loretaa0-shot.co/career...45 application/octet-stream
Creating own IOCs
Creating host based IOCs
hashes, mutexes, threatexpert
Use YARA, or tune your own tools

rule susp_params_in_url_kind_of_fileless_bot_drive_by
{
    meta:
        date = "oct 2013"
        description = "Landing hxxp://jdatastorelame.info/indexm.html  04.10.2013 13:14  108.62.112.84"
        description1 = "Java Sploit hxxp://jdatastorelame.info/054RIwj"
    strings:
        $string0 = "http"
        $string1 = "indexm.html"
        $string2 = "054RI"
    condition:
        all of them
}
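An added example (mine, not the authors' code) of the rule above evaluated the way the "Mining IOCs from your own data" steps ask for: test the indicators in your own environment before trusting them. It replays the rule's three strings with its "all of them" condition in plain Python, so it runs without yara, over constructed proxy log lines. Two things it shows that the rule text alone does not: the strings are path fragments, not the domain, so the same rule also catches the liapolasens[.]info chain from the Example slide; and the rule only means something when scoped to one client's session, because scanning a whole log file as one buffer fires on strings spread across unrelated clients. The client addresses, the benign URLs and the log layout are my assumptions.

```python
from collections import defaultdict

# Constructed proxy log (client, method, URL), not from the slides: the first
# client replays the liapolasens[.]info chain from the Example slide, the second
# the older jdatastorelame[.]info landing the YARA rule was written from, and
# the last two are benign requests that each contain only part of the pattern.
PROXY_LOG = """\
10.0.0.12 GET http://liapolasens.info/indexm.html
10.0.0.12 GET http://liapolasens.info/counter.php?t=f&v=win%2011,7,700,169&a=true
10.0.0.12 GET http://liapolasens.info/354RIcx
10.0.0.12 GET http://liapolasens.info/054RIcx
10.0.0.40 GET http://jdatastorelame.info/indexm.html
10.0.0.40 GET http://jdatastorelame.info/054RIwj
10.0.0.77 GET http://intranet.example.com/indexm.html
10.0.0.91 GET http://cdn.example.net/lib/054RI.js
"""

# The strings of the slide's YARA rule; its condition is "all of them".
RULE_STRINGS = ("http", "indexm.html", "054RI")


def sessions(log):
    """Group requested URLs by client address."""
    by_client = defaultdict(list)
    for line in log.splitlines():
        client, _method, url = line.split(maxsplit=2)
        by_client[client].append(url)
    return by_client


def matches_rule(urls, strings=RULE_STRINGS):
    """'all of them' over one client's requests, joined like a scanned buffer."""
    blob = "\n".join(urls)
    return all(s in blob for s in strings)


def hunt(log):
    """Clients whose own requests satisfy the rule: this is what to alert on."""
    return sorted(c for c, urls in sessions(log).items() if matches_rule(urls))


def matches_whole_log(log):
    """The same rule over the entire log as one buffer: the scoping mistake."""
    return matches_rule(log.splitlines())


# Only the two benign clients: no single session carries all three strings,
# but an unscoped scan still fires because the strings are spread across clients.
BENIGN_LOG = "\n".join(l for l in PROXY_LOG.splitlines()
                       if l.startswith(("10.0.0.77", "10.0.0.91")))

if __name__ == "__main__":
    print("infected clients:", hunt(PROXY_LOG))                    # ['10.0.0.12', '10.0.0.40']
    print("benign log, per client:", hunt(BENIGN_LOG))              # []
    print("benign log, whole file:", matches_whole_log(BENIGN_LOG))  # True
```

When the same strings are loaded into Moloch's Yara support they are matched per session, which gives the per-client scoping for free; a plain file scan of a proxy log does not.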
Use snort to catch suspicious traffic:
# many plugX deployments connect to google DNS when not in use
alert tcp !$DNS_SERVERS any -> 8.8.8.8 53 (msg:"APT possible PlugX Google DNS TCP port 53 connection attempt"; classtype:misc-activity; sid:500000112; rev:1;)
GRR: Google Rapid Response: http://code.google.com/p/grr/
Hunting IOC artifacts with GRR
GRR: Creating rules
GRR: hunt in progress
Honeypots
Learn as much about the attacker as you can:
- What language does the attacker understand?
- What is the attacker's keyboard layout?
- What tools does the attacker use?
- Where are those hosted?
- Who are the targets?
- Client software information (kippo -> ssh client)
Honeypots
plenty of hosting URLs, DDoS targets in honeypot logs
DNS: Detection
Passive DNS traffic acquisition and analysis
a couple of examples (last week):

domain                   ip               owner
rtvwerjyuver.com         69.164.203.105   linode
tvrstrynyvwstrtve.com    109.74.196.143   linode
cu3007133.wfaxyqykxh.ru  ...

what does your DNS traffic look like..?
DNS viz01
DNS viz02
DNS anonymizer traffic

8/13/2014 9:59:12 PM - ##.##.##.## - 0s.o53xo.pfxxk5dvmjss4y3pnu.dd34.ru
8/13/2014 9:59:12 PM - ##.##.##.## - o53xo.pfxxk5dvmjss4y3pnu.dd34.ru
8/13/2014 9:59:12 PM - ##.##.##.## - o53xo.pfxxk5dvmjss4y3pnu.dd34.ru
8/13/2014 9:59:12 PM - ##.##.##.## - 0s.om.pf2gs3lhfzrw63i.dd34.ru
8/13/2014 9:59:12 PM - ##.##.##.## - 0s.om.pf2gs3lhfzrw63i.dd34.ru
8/13/2014 9:59:12 PM - ##.##.##.## - nbxxe33tnbuxsllwnn2xg.mjuxultvme.dd34.ru
8/13/2014 9:59:12 PM - ##.##.##.## - nbxxe33tnbuxsllwnn2xg.mjuxultvme.dd34.ru
8/13/2014 9:59:12 PM - ##.##.##.## - 0s.ne.pf2gs3lhfzrw63i.dd34.ru
8/13/2014 9:59:12 PM - ##.##.##.## - 0s.ne.pf2gs3lhfzrw63i.dd34.ru
8/13/2014 9:59:15 PM - ##.##.##.## - obuwg4y.nruxmzlkn52xe3tbnqxgg33n.dd34.ru
8/13/2014 9:59:15 PM - ##.##.##.## - obuwg4y.nruxmzlkn52xe3tbnqxgg33n.dd34.ru
8/13/2014 9:59:15 PM - ##.##.##.## - 0s.o53xo.mzqwgzlcn5xwwltdn5wq.dd34.r
8/13/2014 9:59:15 PM - ##.##.##.## - 0s.o53xo.mzqwgzlcn5xwwltdn5wq.dd34.ru

Time: Today 09:59:15pm
Description: Phishing.bpwh
Confidence Level: High
Destination DNS Hostname: 0s.o53xo.mzqwgzlcn5xwwltdn5wq.dd34.ru
Malware Action: Malicious DNS request
Covert channel communication
8/13/2014 5:49:04 PM - x.x.x.x - 5141017.mtdtzwdhc.mdgtmtmmdgtmtma.in
8/13/2014 5:49:04 PM - x.x.x.x - 5141017.mtdtzwdhc.mdgtmtmmdgtmtma.in

Time: Today 13:19:25
Description: REP.bilscz Detected at Today 13:19:25
Interface Name: bond1.382
Interface Direction: outbound
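An added example (mine, not the authors' code) for the two DNS slides above, the anonymizer traffic and the covert channel. The slides only show the raw queries; my own observation on the anonymizer sample is that every label in front of dd34.ru is unpadded base32 of a label of the site being fetched (o53xo decodes to "www", mzqwgzlcn5xwwltdn5wq to "facebook.com"), so a DNS log can be turned back into a browsing log. The decoder below does that for queries under that zone and refuses anything whose labels are not base32 or do not decode to hostname characters, which is why the covert-channel query from the second slide (label lengths base32 cannot produce) yields nothing and needs a different decoder. The zone list, the log-line layout and the hostname-character check are my assumptions; the sample lines are copied from the slides.

```python
import base64
import binascii
import re

# Anonymizer zone seen on the slide. The base32 labelling scheme is my own
# observation on those labels, not something the slide states.
ANON_ZONES = ("dd34.ru",)

HOSTNAME_CHARS = re.compile(r"[a-z0-9.-]+")


def decode_label(label):
    """Return the text a DNS label carries as unpadded base32, or None.

    None means: a length base32 never produces, a character outside the
    base32 alphabet, or decoded bytes that are not hostname characters.
    """
    if not label or len(label) % 8 in (1, 3, 6):   # 1/2/3/4/5 bytes give 2/4/5/7/8 chars
        return None
    padded = label.upper() + "=" * (-len(label) % 8)
    try:
        raw = base64.b32decode(padded)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("ascii", errors="replace").lower()
    return text if HOSTNAME_CHARS.fullmatch(text) else None


def reveal_hostname(qname):
    """If qname sits under an anonymizer zone, rebuild the site it stands for."""
    qname = qname.rstrip(".").lower()
    for zone in ANON_ZONES:
        if qname.endswith("." + zone):
            labels = qname[: -(len(zone) + 1)].split(".")
            break
    else:
        return None
    # Leading tags such as "0s" do not decode; the labels after them decode to
    # the original hostname's labels (some of which carry their own dots).
    parts = [p for p in (decode_label(l) for l in labels) if p]
    return ".".join(parts) if parts else None


def triage(log_lines):
    """Return (client, query, revealed site) for each anonymizer query in the log."""
    hits = []
    for line in log_lines:
        fields = [f.strip() for f in line.split(" - ")]
        if len(fields) != 3:
            continue
        _ts, client, qname = fields
        site = reveal_hostname(qname)
        if site:
            hits.append((client, qname, site))
    return hits


# Lines copied from the two slides (client addresses are masked there too).
SAMPLE_LOG = [
    "8/13/2014 9:59:12 PM - ##.##.##.## - 0s.o53xo.pfxxk5dvmjss4y3pnu.dd34.ru",
    "8/13/2014 9:59:12 PM - ##.##.##.## - 0s.om.pf2gs3lhfzrw63i.dd34.ru",
    "8/13/2014 9:59:15 PM - ##.##.##.## - obuwg4y.nruxmzlkn52xe3tbnqxgg33n.dd34.ru",
    "8/13/2014 9:59:15 PM - ##.##.##.## - 0s.o53xo.mzqwgzlcn5xwwltdn5wq.dd34.ru",
    "8/13/2014 5:49:04 PM - x.x.x.x - 5141017.mtdtzwdhc.mdgtmtmmdgtmtma.in",
]

if __name__ == "__main__":
    for client, qname, site in triage(SAMPLE_LOG):
        print(f"{client}  {qname}  ->  {site}")
```

The same function applied to passive DNS data answers the "what does your DNS traffic look like" question for this class of traffic: which internal clients use the anonymizer and which sites they reach through it, without ever seeing the HTTP side.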
Sinkhole in DNS
Credit: domaintools.com
Sinkhole in DNS
Credit: domaintools.com
DNS
Suspicious activity: DNS lookups:
kojxlvfkpl.biz:149.93.207.203
kojxlvfkpl.biz:216.66.15.109
kojxlvfkpl.biz:38.102.150.27
Look for holes :)
Hole traffic
Categorizing Incidents
It is extremely important to be able to categorize your incidents or threats.There are multiple data sources that could be used to do so.
Categorization based on public sources
[tbd]
Categorization based on historical data
[tbd]
Categorization based on cross-source correlation
- Visualizing the threats
- Filtering noisy extras
- Making decisions
EOF
Questions
@fygrave @vbkropotov @vitalychetvertakov
And answers :)