Page 1

Accelerating Incident Response With Network Forensics Techniques

NJ InfraGard November 2007

Nick Lantuh

President

NetWitness Corporation

Page 2

Copyright 2007 NetWitness Corporation

Today’s Threat Landscape -- Commercial

VISA, MasterCard USA (with cvv2 code)

Quantity          Identification    Price in $USD
5-50              available         5.0
51-100            available         4.5
101-500           available         4.0
501-1000          available         3.0
1001-5000         available         2.0
more than 10000   available         write to us

If you need more than 10000 cards, contact us; you will get a separate discount.

Call for bulk pricing info!

Page 3

TJX Hack Basics

• Use of the WEP protocol enabled hackers to target at least one of their sites and gain network access
  – WEP has had known problems for years
  – Should have been using WPA or VPN in accordance with standard practices

• Hackers exploited vulnerabilities to place malicious code on TJX servers and used this platform to achieve desired goals

Page 4

Today’s Threat Landscape - USG

Page 5

China Hack Basics

• Spear-phishing attack used as the entry point because network-layer perimeter security was good

• End-user weaknesses permitted the initial entry points

• Various techniques used:
  – non-HTTP over port 80
  – non-DNS over port 53
  – non-SSL over port 443

Page 6

Subsequent Hacker Mechanisms Likely Used Following Initial Compromise

• Reconnaissance

• Command and control

• Communications

• Data exfiltration

• Clean-up

Page 7

Insider Threats Are Compelling Too

• Enterprises also face important internal issues:
  – Protection of PII, PHI, R&D, classified data
  – Personnel/HR and Legal problems and concerns
  – Regulatory and policy compliance
  – Counterintelligence / counter-competitive
  – Achieving management control objectives

• Internal actors can include:
  – Disgruntled employees
  – Employees misusing I/T assets
  – Criminals
  – Espionage
  – Compromised technology assets (e.g., bots)

Page 8

Current State of Incident Response

• Typical security investments focus on detection of a specific problem set, known issues, or known threats
  – But what about the unknowns like “designer malware”?
  – And how do you find problems that are not flagged by your existing technologies and processes?

• Treating “problems” individually is myopic
  – Network traffic contains a common truth and insights about a variety of interrelated problems
  – Network traffic can be recorded once and reused forensically many times for a variety of mission objectives

• Today’s discussion will focus on using these techniques to enhance the incident response approach

Page 9

Fully Understanding Network Traffic

Page 10

An Effective Approach

NetWitness NextGen provides a “record once / re-use many times” infrastructure and the application framework to achieve Total Network Knowledge

• Many current technologies are antiquated and constrained by a myopic focus on a singular problem set – current challenges require a new generation of solutions

• Protection of corporate data in motion requires robust and diverse network monitoring to cope with threats from many dimensions

• NextGen provides unique investigative applications – both interactive and automated, which leverage a patented high speed data capture infrastructure, and an extensible application development platform

Page 11

Architecture

• Record, decode, and re-sessionize all network traffic

• Extract metadata and model ALL network, application and user layer characteristics for collected traffic

• Roll-up enterprise metadata as appropriate

• Ensure forensic validity, chain of custody

[Architecture diagram: live network capture from a span port / tap feeds Decoders, which feed a Concentrator]

Page 12

NetWitness Investigator (INTERACTIVE): Know Your Network Like NEVER Before

• Layer 7 Analytics
  – Infinite freeform analysis paths
  – Content/Context starting points
  – Specialized metadata paths, such as PII

• Full Context
  – Pure data stored as it occurred
  – Data presented as the user experienced it (Web, Voice, Files, Emails, Chats, etc.)

• Supports massive data-sets
  – Instantly navigate 100’s of gigabytes
  – Scalable to multi-TB data stores

• Decrease time to resolution
  – Analysis that once took days now takes minutes

Page 13

NetWitness Informer (AUTOMATED) Enterprise Reporting and Alerting

• Informer builds upon the power of Investigator and the NextGen infrastructure

• Automates the review of huge sets of captured data

• Facilitates Total Network Knowledge

• Ships with 100’s of rules and canned reports

• Completely customizable to your environment and needs

Page 14

Session Analysis Benefits

• Typical methods
  – Port based identification, example: Port=80 is web traffic
  – IP based identification, example: IP=216.178.38.116 is myspace

• Port agnostic method
  – If a packet contains IRC structure in the payload then it IS IRC traffic
  – Important because so much traffic is designed to run over common ports such as 80, 443, 25, 53, etc.
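The port-agnostic identification described above, and the “non-HTTP over port 80 / non-DNS over port 53 / non-SSL over 443” techniques from the China Hack slide, as an added example (not code from the talk or from NetWitness): it classifies a session from the structure of its first payload bytes alone and reports when that disagrees with what the destination port implies. All payloads are constructed; the HTTP, IRC, DNS and TLS checks are deliberately minimal heuristics, and a TLS ClientHello check stands in for the slide's “SSL”.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")
IRC_COMMANDS = (b"NICK ", b"USER ", b"JOIN ", b"PRIVMSG ", b"PING ", b"PONG ")
PORT_EXPECTATION = {80: "http", 443: "tls", 53: "dns", 6667: "irc"}  # what the port implies

def looks_like_dns(payload: bytes) -> bool:
    """12-byte header, then a question name of length-prefixed labels (<= 63 octets each)."""
    if len(payload) < 13:
        return False
    _ident, _flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if not 1 <= qdcount <= 8:
        return False
    pos = 12
    while pos < len(payload) and payload[pos] != 0:
        if payload[pos] > 63:               # 0xC0.. would be a compression pointer, invalid here
            return False
        pos += 1 + payload[pos]
    return pos + 5 <= len(payload)          # name terminator + QTYPE + QCLASS must fit

def identify(payload: bytes) -> str:
    """Classify by payload structure alone; the port is never consulted."""
    first_line = payload.split(b"\r\n", 1)[0]
    if first_line.startswith(HTTP_METHODS) and b" HTTP/1." in first_line:
        return "http"
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"                        # TLS record of type handshake carrying a ClientHello
    if looks_like_dns(payload):
        return "dns"
    if first_line.startswith(IRC_COMMANDS):
        return "irc"
    return "unknown"

def check_session(dst_port: int, payload: bytes) -> str:
    """Report the deck's mismatch classes: non-HTTP over 80, non-DNS over 53, non-TLS over 443."""
    actual = identify(payload)
    expected = PORT_EXPECTATION.get(dst_port)
    if expected is None or actual == expected:
        return actual
    return f"non-{expected} over {dst_port} (looks like {actual})"

SAMPLES = [  # (dst_port, first bytes sent by the client), all constructed for this example
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    (80, b"NICK bot1234\r\nUSER bot 0 * :bot\r\nJOIN #cmd\r\n"),                # IRC C2 over 80
    (53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x04test\x00\x00\x01\x00\x01"),
    (53, b"GET /cs/scripts HTTP/1.1\r\nHost: updates.example.test\r\n\r\n"),    # HTTP over 53
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + bytes(40)),
    (443, b"PRIVMSG #cmd :checkin host=WS01 user=alice\r\n"),                   # IRC over 443
]
```

Running `check_session(port, payload)` over each entry of SAMPLES labels the second, fourth and sixth sessions as mismatches while the others come back as plain “http”, “dns” and “tls”.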

Page 15

Technology – Beyond Signatures to Knowledge

• To face today’s threats and issues, technologies must provide KNOWLEDGE to address questions that can be answered from network data:
  – Why are employees running non-standard traffic over ports?
  – Does the event need to be flipped to an Incident?
  – What is the magnitude of this incident?
  – How was an attack or breach conducted?
  – Who’s contacting our competitors and how?
  – Why is our top destination a foreign IP address?
  – How is specific data leaving our organization?
  – Who is using Skype to transfer files out of our network?

• Packet headers, logs and high level data do not provide enough information to answer these questions

Page 16

Illustrations

Page 17

Better Business Bureau Phishing Scam

• Two company execs (President & VP) at NetWitness received emails claiming that complaints were made against them and the company

• Email instructed recipients to open Word attachment for instructions on how to resolve the complaint (“Document_for_Case.doc”)

• Executives identified emails as suspicious and did not open

• Attachment analyzed using a virtual system (VMware) & open source tools (Sysinternals, OllyDbg, Hex Workshop, etc.)

Page 18

Suspicious email

Page 19

Suspicious attachment gets more suspicious

• An embedded PDF file inside of Word attachment looks even more fishy

• Alarm bells should be going off at this point

Page 20

Unsophisticated Delivery Mechanism

Page 21

More bad karma

• Adobe Reader issues an error
• Malicious code executed in background
• “update443.exe” downloaded from http://64.17.184.98/cs/scripts

Page 22

Malicious executable “update443.exe” hosted on a church website in Kentucky (graceofholland.org)

Page 23

“update443.exe”

• Binary file compressed using Ultimate Packer for Executables (UPX; format: WIN32/PE)
  – A self-extracting binary compressor favored by malware writers

• Evidence of binary compression is a good indicator that it will probably do bad things to your system

• Stepped through the uncompressed executable using the open source debugger “OllyDbg”

Page 24

“update443.exe” Analysis

• Malware makes registry changes to ensure persistence after reboot
  – Adds registry keys for new service “UpdateManager”

Page 25

“update443.exe” Analysis

• Malicious code injected into IEXPLORE.EXE process; runs as “SYSTEM” vs. user-level

• Malicious DLL “update.dll” hooked into running IEXPLORE.EXE process, and any new instances of IEXPLORE.EXE processes

Page 26

Beacon Activity

• Beaconing activity is obvious because of short time delay (~7 seconds)

• Much harder to detect beacons with large time delays (e.g., one packet per hour)

• Begins after malware is retrieved, extracted, installed & running

• A “phone home” to report in with machine name & logged in user

• DEMONSTRATION
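Beacon detection by inter-arrival regularity, as an added example (not the NetWitness demonstration): it groups connection-log events by source/destination pair, measures how metronomic the gaps between connections are, and shows the slide's point that a ~7 second beacon stands out in a short observation window while an hourly beacon only becomes visible once the window is long enough to hold several of its connections. Events and addresses are constructed.

```python
from statistics import mean, pstdev

def beacon_score(timestamps, min_events=5):
    """(mean gap, jitter ratio) for sorted connection start times in seconds, or None
    with too few events. jitter ratio = stdev/mean of the gaps; near 0 is metronomic."""
    if len(timestamps) < min_events:
        return None
    gaps = [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    return (avg, pstdev(gaps) / avg) if avg > 0 else None

def find_beacons(events, window_seconds, max_jitter=0.2, min_events=5):
    """events: (timestamp, src, dst) tuples from a flow or connection log. Only events in
    the first window_seconds of the log are examined, which is why a slow beacon (one
    connection per hour) escapes a short observation window."""
    if not events:
        return {}
    start = min(ts for ts, _, _ in events)
    by_pair = {}
    for ts, src, dst in sorted(events):
        if ts - start < window_seconds:
            by_pair.setdefault((src, dst), []).append(ts)
    hits = {}
    for pair, times in by_pair.items():
        score = beacon_score(times, min_events)
        if score and score[1] <= max_jitter:
            hits[pair] = round(score[0], 1)   # flagged pair -> beacon period in seconds
    return hits

def build_events():
    """Constructed log: a ~7 s beacon, an hourly beacon and ordinary browsing.
    Addresses are from documentation ranges, not hosts from the talk."""
    events, t = [], 0.0
    for gap in [7.0, 7.1, 6.9, 7.0, 7.2, 6.8, 7.0, 7.1, 7.0]:
        t += gap
        events.append((t, "10.0.0.15", "203.0.113.7"))
    t = 0.0
    for gap in [3600.0] * 8:
        t += gap
        events.append((t, "10.0.0.22", "198.51.100.9"))
    t = 0.0
    for gap in [2, 45, 3, 120, 9, 300, 1, 60, 15]:
        t += gap
        events.append((t, "10.0.0.31", "192.0.2.80"))
    return events

if __name__ == "__main__":
    print(find_beacons(build_events(), 600))    # short window: only the 7 s beacon
    print(find_beacons(build_events(), 36000))  # ten-hour window: the hourly beacon appears too
```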

Page 27

Bad News DNS

• Lots of bad uses for DNS by state-sponsored hackers and organized crime

• Dynamic DNS
  – Used for spear-phishing attacks and obfuscation of other data exfiltration activities

• Use of DNS as a covert channel
  – Hiding of non-DNS traffic in what appears to be DNS packets

• DEMONSTRATION
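A detector for the covert-channel case above, data hidden inside syntactically valid DNS queries, as an added example (not the talk's demonstration): per zone it counts never-repeated subdomains and measures their length and character entropy, the fingerprint of query names that carry encoded data instead of asking for records. The query log is constructed, and treating the last two labels as the zone is a simplifying assumption.

```python
import hashlib
import math
from collections import defaultdict

def entropy(text: str) -> float:
    """Shannon entropy in bits per character; encoded payload chunks score high."""
    return -sum(text.count(c) / len(text) * math.log2(text.count(c) / len(text))
                for c in set(text))

def split_name(qname: str):
    """Split 'a.b.example.test' into (subdomain 'a.b', zone 'example.test').
    Simplifying assumption for this example: the zone is the last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def find_tunnel_zones(qnames, min_unique=20, min_avg_len=30, min_entropy=3.0):
    """Per zone: (unique subdomains, mean subdomain length, mean entropy, flagged).
    Many long, high-entropy, never-repeated subdomains under one zone mean the
    query names are carrying data rather than asking for records."""
    by_zone = defaultdict(set)
    for qname in qnames:
        sub, zone = split_name(qname)
        if sub:
            by_zone[zone].add(sub)
    verdicts = {}
    for zone, subs in by_zone.items():
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(entropy(s.replace(".", "")) for s in subs) / len(subs)
        flagged = len(subs) >= min_unique and avg_len >= min_avg_len and avg_ent >= min_entropy
        verdicts[zone] = (len(subs), round(avg_len, 1), round(avg_ent, 2), flagged)
    return verdicts

def build_queries():
    """Constructed query log: a few normal lookups plus 25 tunnel-style queries whose
    subdomains are 40-char hex chunks (sha256 prefixes, so the sample is deterministic)."""
    normal = ["www.example.test", "mail.example.test", "cdn.example.test",
              "www.example.test", "ns1.example.test"]
    tunnel = [hashlib.sha256(str(i).encode()).hexdigest()[:40] + ".t.tunnel.test"
              for i in range(25)]
    return normal + tunnel

if __name__ == "__main__":
    for zone, verdict in find_tunnel_zones(build_queries()).items():
        print(zone, verdict)
```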

Page 28

Virus/Worm Outbreak

• Zero-Day Incident
  – Large enterprise of 40,000 users is experiencing network degradation.
  – Anti-virus & IDS were silent.
  – Traffic flow monitors show increased volume from 100's of hosts.

• DEMONSTRATION

Page 29

Final Thoughts and Conclusions

Page 30

Who Needs This Solution?

• CIO / CSO / CISO
  – Convergence of network and application layer reporting giving insight and knowledge into behavior on the network

• Compliance / Risk Officer
  – Data Leakage
  – Compliance verification
  – Non-malicious network waste and abuse is recognized immediately for comparison to company business rules and policies

• Investigator / General Counsel
  – Insider Threat
  – eDiscovery
  – Intensive/Deep Analysis
  – Malicious attacks, such as SQL injection, IRC bots, and Windows vulnerability exploitation, are reconstructed and identified through quick and accurate analysis

• Security & Network Operations
  – Orders of magnitude increase in speed to analysis: virus outbreaks, BOTnets, network anomalies, network health insights, etc.
  – Advanced Analysis Capabilities for Incident Response Teams permitting faster identification and resolution of events and problems

Page 31

Summary

• Today’s threat and compliance landscape requires a new generation of network monitoring that goes way beyond log files and simple content review techniques

• NetWitness NextGen provides a powerful “record once, re-use many times” infrastructure that permits users to easily and quickly search across terabytes of data

• NextGen can lower the risks to your information assets by providing a much higher level of assurance regarding your ability to defend against threats

• NextGen improves response time and increases the overall likelihood of problem detection, lowering the potential impact of problems

Page 32

For a copy of this presentation, please email me:

[email protected]

(703) 608-3323

Thanks for your time!