Indicators of Compromise Magic: Living with compromise


Posted: 27-Jan-2015
Category: Software


Description: A workshop given at phdays.com 2014 on the use of indicators of compromise.

Transcript of Indicators of Compromise Magic: Living with compromise

1. Introduction | IOC Standards | V:IOCs | mining IOCs | Applying IOCs | Case studies | Categorizing Incidents | Practical tasks | Analysing N

   Compromise Indicator Magic: Living with Compromise
   Vladimir Kropotov, Vitaly Chetvertakov, Fyodor Yarochkin
   PHDays 2014
   Affiliations: Academia Sinica, o0o.nu, chroot.org
   May 22, 2014, Moscow

   Compromise Indicator Magic: Living with Compromise. Affiliations: Academia Sinica, o0o.nu, chroot.org

2. Outline
   Introduction; IOC Standards; V:IOCs; mining IOCs; Applying IOCs; Case studies; Categorizing Incidents; Practical tasks; Analysing Network traffic; Analyzing HTTP logs; Analyzing AV logs; Creating 0wn IOCs; EOF

3. Everyone is p0wn3d :)

4. Challenges
   Main assumption: all networks are compromised.
   The difference between a good security team and a bad security team is that with a bad security team you will never know that you've been compromised.

5. Statistics speak
   - about 40,000,000 internet users in Russia
   - for every 10,000 server hosts, 500 hosts trigger redirects to malicious content per week
   - about 20-50 user machines (full AV installed, NAT, FW) get affected

6. Campaigns
   r*.ru     news  ~ 790 000
   ne*.com   news  ~ 590 000
   ga*.ru    news  ~ 490 000
   a*f.ru    news  ~ 330 000
   m*.ru     news  ~ 315 000
   v*.ru     news  ~ 170 000
   li*.ru    news  ~ 170 000
   top*s.ru  news  ~ 140 000

7. Introduction: terminology
   Indicators of Compromise: an indicator of compromise (IOC) in computer forensics is an artifact observed on a network or in an operating system that with high confidence indicates a computer intrusion.
   http://en.wikipedia.org/wiki/Indicator_of_compromise

8. Why Indicators of Compromise
   Indicators of Compromise help us to answer questions like:
   - is this document/file/hash malicious?
   - is there any past history for this IP/domain?
   - what are the other similar/related domains/hashes/..?
   - who is the actor?
   - am I an APT target?!! ;-)

9. Workshop: hands-on part
   If you'd like to try as we go, these are the tools we are about to cover:
   - http://github.com/fygrave/ndf
   - http://github.com/fygrave/hntp
   - Fiddler
   - elasticsearch && http://github.com/aol/moloch (vm)
   - yara (as moloch plugin)
   - hpfeeds
   - CIF
   - https://github.com/STIXProject/ - openioc-to-stix/

10. IOC representations
   Multiple standards have been created to facilitate IOC exchanges.
   - Mandiant: OpenIOC
   - Mitre: STIX (Structured Threat Information Expression), CybOX (Cyber Observable Expression)
   - Mitre: CAPEC, TAXII
   - IODEF (Incident Object Description Format)

11. Standards: OpenIOC
   OpenIOC - Mandiant-backed effort for uniform representation of IOC (now FireEye)
   http://www.openioc.org/

12. OpenIOCs
   Digital Appendices / Appendix G (Digital) IOCs: "$ ls" output listing the appendix's .ioc files and "Appendix G IOCs README.pdf" (listing not reproduced).

13. Standards: Mitre
   Mitre CybOX: http://cybox.mitre.org/
     https://github.com/CybOXProject/Tools
     https://github.com/CybOXProject/openioc-to-cybox
   Mitre CAPEC: http://capec.mitre.org/
   Mitre STIX: http://stix.mitre.org/
   Mitre TAXII: http://taxii.mitre.org/

14. Mature: stix

15. Indicators of Compromise
   - Complex IOCs covering all steps of attack
   - Dynamic creation of IOCs on the fly
   - Auto-reload of IOCs, TTLs
   - Dealing with different standards / import-export

16. Exploit pack trace
   (values ending in ... are cut off at the slide's right edge)

   url                                                              | ip            | mime type                | ref
   http://cuba.eanuncios.net/1/zf3z9lr6ac8di6r4kw2r0hu3ee8ad.html   | 93.189.46.222 | text/html                | http://www.smeysyatu...
   http://cuba.eanuncios.net/2909620968/1/1399422480.htm            | 93.189.46.222 | text/html                | http://cuba.eanuncio...
   http://cuba.eanuncios.net/2909620968/1/1399422480.jar            | 93.189.46.222 | application/java-archive | -
   http://cuba.eanuncios.net/2909620968/1/1399422480.jar            | 93.189.46.222 | application/java-archive | -
   http://cuba.eanuncios.net/f/1/1399422480/2909620968/2            | 93.189.46.222 | -                        | -
   http://cuba.eanuncios.net/f/1/1399422480/2909620968/2/2          | 93.189.46.222 | -                        | -

17. Nuclear sploit pack
   One IOC for the whole chain: each step of the trace above is described by its file names, domains, URL arguments, path directories and server IPs (values ending in ... are cut off at the slide's right edge).

    {
      "Nuclear sploit pack": {
        "step1": {
          "files": ["wz3u6si8e5lh7k2tk5ox4ne6d8g.html", "t3f5y9a2bb3dl7z8gc4o6f.html", "zf3z9lr6ac8di6r4k..."],
          "domains": ["father.ferremovil.com", "thai.alohatransllc.com", "cuba.eanuncios.net", "duncan...."],
          "arguments": [],
          "directories": ["1"],
          "ip": ["93.189.46.201", "93.189.46.203", "93.189.46.222", "93.189.46.224", "93.189.46.233"]
        },
        "step2": {
          "files": ["1399422480.htm", "1399704720.htm", "1399513440.htm", "1399514040.htm", "1399773300.htm"],
          "domains": ["cuba.eanuncios.net", "duncan.disenocorporativo.com.ar", "homany.collectiveit.com...."],
          "arguments": [],
          "directories": ["2909620968", "1", "507640988", "940276731", "3957283574", "952211704"],
          "ip": ["93.189.46.222", "93.189.46.224", "93.189.46.233"]
        },
        "step3": {
          "files": ["1399422480.jar", "1399513440.jar"],
          "domains": ["cuba.eanuncios.net", "homany.collectiveit.com.au"],
          "arguments": [],
          "directories": ["2909620968", "1", "940276731"],
          "ip": ["93.189.46.222", "93.189.46.224"]
        },
        "step4": {
          "files": ["2"],
          "domains": ["cuba.eanuncios.net"],
          "arguments": [],
          "directories": ["f", "1", "1399422480", "2909620968", "2"],
          "ip": ["93.189.46.222"]
        }
      }
    }

18. Redirect (example)
   http:
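An added example (not part of the workshop's slides or the presenters' tools) of applying a per-step IOC like the Nuclear sploit pack one to HTTP proxy logs: a client is flagged only when the landing page (step1) is followed by the .jar exploit download (step3), so a single hit on the shared server IP does not raise an alert. The IOC values are the slide's own; the log lines and the "client_ip server_ip url" log format are constructed.

```python
import json
from urllib.parse import urlsplit

# Trimmed copy of the per-step IOC structure on the Nuclear sploit pack slide
# (domain, directories, files and IP are the slide's values).
NUCLEAR_IOC = json.loads("""{
 "step1": {"files": ["t3f5y9a2bb3dl7z8gc4o6f.html"], "directories": ["1"],
           "domains": ["cuba.eanuncios.net"], "ip": ["93.189.46.222"]},
 "step2": {"files": ["1399422480.htm"], "directories": ["2909620968", "1"],
           "domains": ["cuba.eanuncios.net"], "ip": ["93.189.46.222"]},
 "step3": {"files": ["1399422480.jar"], "directories": ["2909620968", "1"],
           "domains": ["cuba.eanuncios.net"], "ip": ["93.189.46.222"]},
 "step4": {"files": ["2"], "directories": ["f", "1", "1399422480", "2909620968", "2"],
           "domains": ["cuba.eanuncios.net"], "ip": ["93.189.46.222"]}
}""")

# Constructed proxy log, one "client_ip server_ip url" record per line.
PROXY_LOG = """\
10.0.0.5 93.189.46.222 http://cuba.eanuncios.net/1/t3f5y9a2bb3dl7z8gc4o6f.html
10.0.0.5 93.189.46.222 http://cuba.eanuncios.net/2909620968/1/1399422480.htm
10.0.0.5 93.189.46.222 http://cuba.eanuncios.net/2909620968/1/1399422480.jar
10.0.0.5 93.189.46.222 http://cuba.eanuncios.net/f/1/1399422480/2909620968/2/2
10.0.0.7 93.189.46.222 http://cuba.eanuncios.net/1/t3f5y9a2bb3dl7z8gc4o6f.html
10.0.0.9 198.51.100.8 http://example.com/2909620968/1/1399422480.jar
"""

def match_step(step, server_ip, url):
    """Infrastructure (domain or IP) AND content (file name plus every path
    directory) must match; a bare IP hit on a shared host is not enough."""
    parts = urlsplit(url)
    path = [p for p in parts.path.split("/") if p] or [""]
    infra = parts.hostname in step["domains"] or server_ip in step["ip"]
    content = path[-1] in step["files"] and all(d in step["directories"] for d in path[:-1])
    return infra and content

def find_chains(ioc, log):
    """Per client, the matched step names in log order (sorted keys = step1..step4)."""
    chains = {}
    for line in log.splitlines():
        client, server_ip, url = line.split()
        for name in sorted(ioc):
            if match_step(ioc[name], server_ip, url):
                chains.setdefault(client, []).append(name)
                break
    return chains

def compromised(chains):
    """Clients that reached step3 (the .jar exploit) after a step1 landing hit."""
    return sorted(c for c, s in chains.items()
                  if "step1" in s and "step3" in s[s.index("step1"):])
```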