What Will You Investigate Today?

RMLL 2013 - Xavier Mertens - Brussels

TrueSec

$ whoami

• Xavier Mertens (@xme)

• Consultant @ day

• Blogger @ night

• BruCON co-organizer2

TrueSec

$ cat disclaimer.txt

“The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.”

TrueSec

Agenda

• Introduction

• Interesting protocols

• Public resources

• Toolbox

TrueSec

Feeling This?

TrueSec

Me? Breached?

• In 66% of investigated incidents, detection was a matter of months or even more

• 69% of data breaches are discovered by third parties

(Source: Verizon DBIR 2012)

TrueSec

“Grepping” for Gold

• Tracking users

• Suspicious traffic

• Out-of-business

• Compliance

• Exfiltration

• “Below the radar”

TrueSec

Sources

• OS / Applications Events

• Network protection(FW, ID(P)S, Proxies, etc)

• Users Credentials

• IP, Domains, URLs

• Digests (MD5, SHA1)

• Metadata

TrueSec

Multiple Sources

• Automatic (logfiles, events)

• Online repositories

• Internal resources

• Developers!

TrueSec

“Active” Lists

• Temporary or suspicious information to track and dynamically updated

• Examples:Contractors, Admins, Terminated Accounts, Countries (GeoIP)

• If grep(/$USER/, @ADMINS) { ... }

TrueSec

Correlation

YourRecipes

Evidences

TrueSec

Visibility!

TrueSec

Agenda

• Introduction

• Toolbox

TrueSec

• No DNS, no Internet!

• Can help to detect data exfiltration, communications with C&C (malwares)

• Alert on any traffic to untrusted DNS

• Allow only local DNS as resolvers

• Investigate for suspicious domains

TrueSec

• HTTP is the new TCP

• Inspect HTTPS (Check with your legal dept!)

• Search for interesting hashes

TrueSec

• Track outgoing emails

TrueSec

Netflow

• Analyze network flows

• Src Port

• Src IP

• Dst Port

• Dst IP

• Timestamp

TrueSec

Agenda

• Introduction

• Toolbox

TrueSec

IP Addresses

• http://www.malwaredomainlist.com/hostslist/ip.txt

• Correlate your firewall logs

• GeoIP

TrueSec

Domains

• DNS-BH (malwaredomains.com)http://mirror1.malwaredomains.com/files/domains.txt

http://mirror1.malwaredomains.com/files/spywaredomains.zoneshttp://www.malwaredomainlist.com/hostslist/hosts.txt

• Correlate your resolver logs

TrueSec

• http://malwareurls.joxeankoret.com/normal.txt

• Google SafeBrowsinguse Net::Google::SafeBrowsing2;use Net::Google::SafeBrowsing2:::Sqlite;my gsb = Net::Google::SafeBrowsing2->new(key => “xxx”,storage => Net::Google::SafeBrowsing2::Sqlite->new(file => “google.db”));$gsb->update();my $match = $gsb->lookup(url => “http://evil.com”);if ($match eq MALWARE) { ... }

TrueSec

$ cat disclaimer2.txt

“Data are provided for ‘free’ but the right to us can be restricted to specific conditions (ex: cannot be re-used for commercial applications). Always read carefull the terms of use. Some services require prior registration and use of APIs”

TrueSec

OSINT“Set of techniques to conduct regular reviews and/or continuous monitoring over multiple sources, including search engines, social networks, blogs, comments, underground forums, blacklists/whitelistsand so on. “

TrueSec

• Think “out of the box”!

• What identify you on the Internet?

• Domain names

• IP addresses

• Brand

TrueSec

Agenda

• Introduction

• Toolbox

TrueSec

pastebin.com• A gold mine for exfiltrated data!

• Tool: pastemon.pl

• https://github.com/xme/pastemon

TrueSec

Data Parsers

• d3.js Javascript library

• Example of implementation: malcom(Malware Communications Analyzer)

• https://github.com/tomchop/malcom

TrueSec

Data Parser

TrueSec

The Conductor

• OSSEC

• Log Management

• Active-Response

• Powerful alerts engine

TrueSec

Online Tools• http://urlquery.net

• http://www.scumware.org/index.scumware

• http://bgpranking.circl.lu/

• https://malwr.com/

• http://www.informatica64.com/foca.aspx

• http://virustotal.com

TrueSec

Conclusions

• Know your environment

• You have plenty of useful (big)data

• Free software can help you (but the project is not free)

TrueSec

Questions?

xavier@rootshell.be

http://blog.rootshell.be

https://www.truesec.be

What Will You Investigate Today?

Technology

what is today?

Classroom Objects · 05.03.2020 · what was new for me today? what was difficult for me today?

What are-you-investigate-today? (version 2.0)

What You Will Learn Today

What Does Advertising Mean Today?

What day is it today? What day was it yesterday? What is the date today? What was the date yesterday?

What date is it today? What day is it today? Who is on duty today? Who is absent today? What season is it now? Is it cold Is it snowing?

What Are We Learning Today?

Welcome to GCSE Geography...GCSE Geography Where will it take us today? Topic 1.2: global hazards 1.2a: What processes occur @ plate boundaries aii) Let’s investigate ….4 plate

ENVIRONMENTAL PROBLEMS. Conversation with on duty 1.What day is it today? 2.What date is it today? 3.What is the weather like today? 4.Who is absent today?

Today we will use the distributive property in equations and expressions with variables. analyze= investigate

What is happening today!?

An Introduction to Scratch ‘Drumming’ Today, we are working towards… Investigate what the Scratch Program can do Use a ‘Design Notebook’ to record our

What Daddy Did Today

What have you learnt today?. What is the most important thing you have learnt today?

What have we done today

ACCIDENT INVESTIGATION 101. 2 Course Objectives Understand the need to investigate Understand the need to investigate Know what to investigate Know what

What Will You Investigate Today? · What Will You Investigate Today? RMLL 2013 - Xavier Mertens - Brussels

What am I learning today?

Parabolas Today you will investigate and identify the important characteristics of a parabola