Page 1

Blitzing with your Defense
Adjusting your strategy to hit attackers on their blind side

Ben Jackson
Mayhemic Labs
BeaCon 2013

Page 2

Outline
• Background
• Developing Intelligence
• Information
  – Receiving
  – Gathering
  – Sharing
• Active Defense
• Tying it together

Page 3

But first, about me…

Page 4

Normal InfoSec Professional by day…

Thoughts expressed here are neither the opinions nor the beliefs of my employer.

Page 5

SOC

Light is green, network is clean!

Page 6

Incident Response
Looks like they were running Java 6…

Page 7

Crazy Researcher by Night…

Page 8

Locational Privacy

Page 9

Malware

Page 10

“Other”

Page 11

Background
Or… “Why we are totally screwed…”

Page 12

Disclaimer
• You can’t do this if you’re not passionate
  – Tom Brady does not look at football as a 9-5 job
• Blitzing is a different way to look at defense, but it is not a cure-all
  – If you’re not patching, you’re still doomed
• Every defense requires fundamentals
  – If your defense can’t run and tackle, your blitz isn’t going to be very effective

Page 13

We’re in a “prevent defense”

“A prevent defense is an American football defensive alignment... the goal of which is to prevent the opposing offense from completing a long pass...” – Wikipedia

Page 14

Prevent Defenses don’t work
• We can’t prevent 100% of the time
• Attackers are completely OK with gaining a few yards at a time
• Occasionally, the defense will still give up the “big play”
  – RSA, Comodo, Bit9, Broncos vs Ravens, etc…
• We’re giving up yardage to burn time
  – Only we don’t have a clock we can run out

Page 15

Incident Response Model
• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Lessons Learned

Patrick Kral, Incident Handler's Handbook, SANS Institute Reading Room, 2011

Page 16

Changes, kind of…
• The Incident Response model is geared toward handling incidents as separate events
• Once the fire is out, it’s business as usual
• Good for handling viruses, isolated compromises, and casual attackers
• Less than ideal for handling determined attackers

Page 17

Changes, kind of…
• The Incident Response model still works
  – Learn it, live it, love it
• However, the game has changed
  – Wider awareness is needed
• Incidents may be independent or linked

Page 18

The baddies have a model too…
• Intrusion Kill Chain
  – “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains” (Hutchins, Cloppert, and Amin 2010)
• Describes the steps an adversary takes to gain access to the target network

Page 19

Intrusion Kill Chain
• Reconnaissance
• Weaponization
• Delivery
• Exploitation
• Installation
• Command and Control (C2)
• Actions on Objectives

Page 20

The Incident Tango

Diagram: time runs left to right. The attacker’s kill chain stages (Recon, Weaponization, Delivery, Exploitation, Installation, C&C, Objectives) run along the top; the defender’s IR phases (Preparation, Identification, Containment, Eradication, Recovery) run along the bottom. The stretch before the defender reacts is labelled “Attacker Free Time”, the reaction “Fight or Flight”.

Page 21

But it’s never that simple...

Diagram: the Incident Tango timeline from the previous slide (attacker kill chain stages above, IR phases below, “Attacker Free Time” and “Fight or Flight”), repeated five times end to end along the same time axis.

Page 22

Blitzing
• We need to
  – Learn Bad Actors’ Tactics, Techniques and Procedures
  – Tie multiple incidents into a cohesive picture
  – Feed that back into the existing IR model
  – Shorten, or eliminate, the attacker’s free time

Page 23

Developing Intelligence
They know about you, learn about them

Page 24

Data to Intelligence
• Everyone is talking about intelligence
• Unfortunately most people don’t know what intelligence is
• IOCs? IP Addresses? FQDNs? MD5s?
  – Data, Data, Data, Data
• Intelligence = Data + Analysis

Page 25

Data to Intelligence (Star Wars Model)
• Princess Leia steals plans for Death Star
• Rebel Alliance analysts review plans and find exhaust port vulnerability (Not Shown)
• Luke, R2D2, Han, and Chewbacca blow up Death Star

Page 26

Data to Intelligence

Easy (Data)
• What are we seeing?
• How did we see it?

Hard (Intel)
• What does it do?
• What is it after?
• Why is it after that?
• Who is behind it?

Page 27

Developing Intelligence
• Intelligence is hard work
  – Long days looking like a conspiracy nut
  – A single piece of data can ruin weeks of work
• Needs to be an on-going, internal process
  – No one knows your network better than you
  – Threat actors will change on a regular basis
• Once you become proficient, it’s worth its weight in gold

Page 28

Using Your Data
It works for the NSA, and it can work for you…

Page 29

Here! Have some Data!
• Data for intelligence is being sent to your company every day
• Every attack, successful or not, results in data
  – IP addresses, C2 servers, phishing themes, etc.
• Most attackers do not have good OPSEC
  – They’re lazy
  – Use this against them
  – “OPSEC For Hackers” - thegrugq

Page 30

Start busting out of Silos
• Start extracting data out of your SIEM, IDS, AV Solution, or other security devices
  – Learn how to script
• Start correlating and forming timelines
  – Did that IP address probe the same server today and last week? Odd…
• Pay attention to attack methods and start looking for patterns
  – Humans still beat machines for pattern recognition

Page 31

Five Different Attacks?

            Attack #1    Attack #2      Attack #3      Attack #4    Attack #5
Type        e-Mail       Social Media   e-Mail         e-Mail       Watering Hole
Source IP   W.X.Y.Z      A.B.C.D        H.I.J.K        L.M.N.O      L.M.N.O
Targets     Group A      Group A        Group B        Various      Various
Exploit     CVE-X-Y      CVE-X-N        CVE-X-N        CVE-X-Z      Various
C&C         abcdef.com   qrstuv.com     ijklmnop.com   puppy.com    abcdef.com

Page 32

Or One Persistent Attack?

            Attack #1    Attack #2      Attack #3      Attack #4    Attack #5
Type        e-Mail       Social Media   e-Mail         e-Mail       Watering Hole
Source IP   W.X.Y.Z      A.B.C.D        H.I.J.K        L.M.N.O      L.M.N.O
Targets     Group A      Group A        Group B        Various      Various
Exploit     CVE-X-Y      CVE-X-N        CVE-X-N        CVE-X-Z      Various
C&C         abcdef.com   qrstuv.com     ijklmnop.com   puppy.com    abcdef.com
Attacker    Attacker A   Attacker A     Attacker A     Attacker B?  Attacker A
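The pivoting that turns the first table into the second, as an added example that is not from the talk: a Python script takes the five placeholder incidents from the slides (constructed rows using the slides’ dummy IPs, CVE-X-* exploit names and C2 domains) and joins any two that share a discriminating indicator, ignoring values such as “Various” that link nothing. The record field names and the choice of pivot fields are assumptions; deciding whether a lone shared source IP (Attack #4) means the same actor or shared hosting is the analysis step the deck calls intelligence.

```python
"""Join separately ticketed incidents into one picture by shared indicators.
Added example, not from the BeaCon deck: rows are the placeholder values from
the "Five Different Attacks?" slide; field names and pivot choice are assumptions."""
from collections import defaultdict

# Constructed incident records, one per column of the slide's table.
INCIDENTS = [
    {"id": 1, "type": "e-Mail", "source_ip": "W.X.Y.Z", "targets": "Group A", "exploit": "CVE-X-Y", "c2": "abcdef.com"},
    {"id": 2, "type": "Social Media", "source_ip": "A.B.C.D", "targets": "Group A", "exploit": "CVE-X-N", "c2": "qrstuv.com"},
    {"id": 3, "type": "e-Mail", "source_ip": "H.I.J.K", "targets": "Group B", "exploit": "CVE-X-N", "c2": "ijklmnop.com"},
    {"id": 4, "type": "e-Mail", "source_ip": "L.M.N.O", "targets": "Various", "exploit": "CVE-X-Z", "c2": "puppy.com"},
    {"id": 5, "type": "Watering Hole", "source_ip": "L.M.N.O", "targets": "Various", "exploit": "Various", "c2": "abcdef.com"},
]

# Fields whose values identify infrastructure, targeting or tooling, and values
# too generic to tie anything together. Lure type is deliberately not a pivot.
PIVOT_FIELDS = ("source_ip", "targets", "exploit", "c2")
NOISE = {"Various", "", None}

def cluster(incidents, fields=PIVOT_FIELDS, noise=NOISE):
    """Union-find over incident ids: two incidents share a cluster when they share
    a non-noise value in any pivot field. Returns {root_id: sorted ids} and every
    link (id_a, id_b, field, value) that caused a merge, so joins can be judged."""
    parent = {inc["id"]: inc["id"] for inc in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    links = []
    for field in fields:
        seen = defaultdict(list)  # value -> ids already carrying it
        for inc in incidents:
            value = inc.get(field)
            if value in noise:
                continue
            for earlier in seen[value]:
                links.append((earlier, inc["id"], field, value))
                parent[find(earlier)] = find(inc["id"])
            seen[value].append(inc["id"])
    clusters = defaultdict(list)
    for inc in incidents:
        clusters[find(inc["id"])].append(inc["id"])
    return {root: sorted(ids) for root, ids in clusters.items()}, links

def evidence(links, incident_id):
    """Links holding one incident in its cluster: a lone shared IP (#4 here) is a
    weaker join than shared C2 plus shared targeting, and that call is the analysis."""
    return [link for link in links if incident_id in link[:2]]

if __name__ == "__main__":
    groups, joins = cluster(INCIDENTS)
    print(groups, *joins, sep="\n")
```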

Page 33

Gathering Data
Embrace being the Nosy Neighbor on the Internet

Page 34

IRC
• Certain groups still love to hang out in IRC
• Do not… Do NOT IRC from devices or networks that can be traced back to you
  – Groups of bad actors often love privacy
  – Embrace it, but don’t tempt fate
• Due to the nature of IRC, groups can be harder to infiltrate
  – The smaller the group, the more trusted it is

Page 35

Social Media
• Certain groups love to discuss their exploits on Social Media
  – Some groups use this as advertising
• Find out who’s talking about you and why
  – Then find out who’s talking to them and why
• Much easier to monitor people than IRC

Page 36

Pastebin
• A wretched hive of scum and villainy
  – …therefore a great source for data
• Groups often will post dumps of stolen data here for easy access
  – Look for yours
• Has a subscription service that will alert when posts are made with key words
  – Or you can roll your own monitoring system

Page 37

Google Alerts
• Google knows everything about everyone
  – Leverage this to your advantage
• Does have a high false positive rate, but will yield occasional nuggets of beautiful data

Page 38

Things to look for
• Company name
• Company Twitter Handles/Hashtags
• Domain Names
• IP addresses
• e-Mail addresses
• Names of Company Leadership
• Terms that the people you are monitoring talk about

Page 39

Deep Undercover
• Interacting with bad actors is dangerous
  – And on shaky legal ground as well
• Sometimes you will attract attention just being a fly on the wall
• Developing a believable “legend” for your persona is necessary
• Need an identity?
  – http://namegenerator.in

Page 40

Cover Identities
• Cover identities cannot be created, only grown
  – An account set up last week looks suspicious
• Tending a garden takes time and effort
• If you start today, you may have a believable identity in a few months
  – Years? Even more believable
• Always have multiple identities “good to go”

Page 41

Quick Tips for Believability
• LinkedIn
  – Research colleges, majors, student life
• Facebook
  – Find friends, create pictures and events
• Twitter
  – Tweet on an appropriate schedule
    • A college student in LA is not going to tweet between 9 and 5 in Boston
• Never, ever, cross-contaminate accounts

Page 42

Early Warning
• Cover identities are not just for James Bond type stuff
• Creating fake employees can give you an early warning of someone looking into your company
  – Legitimate and Illegitimate
• Set up fake work identities as well and see who pokes at them

Page 43

Data Sharing
Don’t be a hoarder…

Page 44

Data Sharing
• Knowing as much as you can during an incident is key
• Sharing with peers can make a difference
  – Time to detection
  – Situational awareness
  – Targeted vs Untargeted
• Sharing means giving and receiving
  – Produce and consume

Page 45

Unorganized Informal Communities
• Never underestimate the power of networking
  – Introverted geeks, this means you
• Numerous communities in the local area
  – BeanSec
  – GraniteSec
  – MassHackers
  – Local chapters of National Organizations

Page 46

Organized Informal Communities
• Closed communities that are designed to share information
  – Mostly mailing lists
• Don’t call them, they’ll call you
  – Again, networking…
• Can be great sources, but depends widely on the community
  – Also can be a bear to get into

Page 47

Infragard
• Partnership between the FBI and private sector
• Good networking opportunities
  – Get to know your fellow geeks
• Private Secure Portal
• Have recently started releasing DHS Joint Indicator Bulletins to members
  – Quality?

Page 48

My thoughts on DHS Advisories in 140 Characters…

Page 49

ISACs
• Information Sharing and Analysis Centers
• Formal communities set up within your vertical
  – Finance, Energy, State Governments, Health, Higher Education, and More
• The communities vary wildly between ISACs
• Usually not free, but worth it

Page 50

Advanced Cyber Security Center
• Multi-vertical ISAC
• Weekly meetings on threat evaluation and information sharing
• Young, but growing
• Again, not free

Page 51

Active Defense
Embrace your home field advantage…

Page 52

Always calling the same play
• We always use the same tools
  – Firewall, IDS, Anti-Virus, Windows, RHEL
• Attackers know this
  – They’ve adapted their methods
• Defense has stayed stagnant while offense has continued to develop new tools
  – HD Moore’s law by Josh Corman
    • “Casual Attacker power grows at the rate of Metasploit”

Page 53

Active Defense is NOT…
• Hacking Back
  – Questionable Legality
• Attribution
  – The rabbit hole always goes deeper
• Retaliation
  – Don’t fight angry
• Counterstrikes
  – You’re not going to eliminate the problem

Page 54

Active Defense is…
• Delay
  – Slow them down
• Deception
  – Where’s the data?
• Detection
  – Find them
• Disruption
  – Deny access

Page 55

Why Active Defense?
• Increasing attacker cost
  – The bad actors will either move on or the people pulling the strings may get another “hired gun”
• Mind games
  – If the bad actors think everything is a trap, they’ll be overly cautious
• It’s an uncommonly used tactic

Page 56

Delay
• Use Honeypots
  – Internally facing only
  – Double edged sword
• Run additional services on underutilized servers
  – If the bad actors are looking for SQL servers, give them SQL servers

Page 57

Deceive
• Put “interesting” files on open shares
  – “Corporate_Forecast_1H2014.doc”
    • Complete with a web bug that calls to an offsite server
  – “Customer DB Backup.zip”
    • 12GB Zip file with a 36-character alphanumeric password
• Fake databases
  – http://fakenamegenerator.com

Page 58

Detect
• Monitor your systems that delay and deceive
  – Like a hawk on amphetamines
• Establish “Motion Sensors”
  – Route a few network segments to a tarpit
• Keep an eye on your “traditional” alerting systems as well

Page 59

Disrupt
• Find them and destroy them!
  – Or not…
• Monitoring intruders can be a good source of tactics, techniques, and procedures
  – And keep your IR staff consuming large amounts of antacids
  – It is very, very, very risky

Page 60

Would you like to know more?
• Offensive Countermeasures Training
  – Paul Asadorian and John Strand
• Active Defense Harbinger Distribution
  – Bootable Linux Distribution with all kinds of “Active Defense” goodies
  – http://sf.net/projects/adhd/

Page 61

Putting it all together
…with bailing wire and duct tape

Page 62

Putting it all together
• All of these techniques are useless
  – Until you start feeding them back into the traditional incident response model
• Feeding intelligence back into the Incident Response loop shortens attacker free time
• For example…

Page 63

To the WABAC machine!
• April-July 2012
• Noticeable increase in Malware spam lures
  – Verizon, American and United Airlines, USPS, PayPal, Facebook
• Widespread reports across the Internet
  – Not targeted against a single individual, company, or vertical

Page 64

Click this link, will ya?

Page 65

Common Threads
• A large majority of the spam runs had commonalities
  – All same “kind” of lure
  – Similar lists of targets
  – All using the Blackhole Exploit kit
  – Similar URL structure on lures
  – Mostly pushing Zeus
• There were other runs that were different

Page 66

Smoking Gun…
• The exploit kits invariably included two styles of URLs:

http://ip.address/showthread.php?t=<16 hexadecimal digits>
http://ip.address/page.php?p=<16 hexadecimal digits>

Page 67

Achievement Unlocked
• Conclusion: Single group of bad actors behind campaign
• Adjusted defenses to locate URLs with “page.php” and “showthread.php” with hex strings
  – Some false positives
• Was able to detect malware spam runs often before they were reported
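One way to turn the two URL shapes from the “Smoking Gun” slide into the detection this slide describes, as an added example and not the author’s own tooling: a Python check that flags /showthread.php?t= and /page.php?p= carrying a 16-hex-digit value, and separates hits on a bare IP host (the slide’s ip.address) from the same shape on a hostname, which is where a legitimate forum thread id that happens to be 16 digits long lands as one of the false positives mentioned. The three-field log format (timestamp, client, URL) and the sample lines are constructed.

```python
"""Flag the two Blackhole lure URL shapes from the "Smoking Gun" slide in proxy logs.
Added example, not the talk's own tooling. The log format (timestamp, client, URL)
and the sample lines are constructed; hosts use documentation address ranges."""
import re
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

# Script name -> query parameter, from the slide's two URL styles.
LURE_PARAMS = {"showthread.php": "t", "page.php": "p"}
HEX16 = re.compile(r"^[0-9a-fA-F]{16}$")

def classify_url(url):
    """'strong' when the shape matches on a bare-IP host (the slide's ip.address),
    'weak' when the same shape sits on a hostname, None otherwise. Sixteen decimal
    digits are also sixteen hex digits, so a real forum thread id of that length
    matches the pattern; the host check is what keeps it in the weak bucket."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    param = LURE_PARAMS.get(parts.path.rsplit("/", 1)[-1])
    if param is None:
        return None
    if not any(HEX16.match(v) for v in parse_qs(parts.query).get(param, [])):
        return None
    try:
        ip_address(parts.hostname or "")
        return "strong"
    except ValueError:
        return "weak"

def scan_log(lines):
    """Return (client, url, verdict) for every line whose URL matches a lure shape."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed or truncated line
        verdict = classify_url(fields[2])
        if verdict:
            hits.append((fields[1], fields[2], verdict))
    return hits

# Constructed sample lines: two lures, one legitimate-looking forum URL, one miss.
SAMPLE_LOG = [
    "2012-06-14T09:12:01 10.1.2.3 http://203.0.113.45/showthread.php?t=7a3f9c1e0b2d4e5f",
    "2012-06-14T09:12:07 10.1.2.9 http://198.51.100.7/page.php?p=0123456789abcdef",
    "2012-06-14T09:13:44 10.1.2.3 http://forum.example.net/showthread.php?t=1234567890123456",
    "2012-06-14T09:14:02 10.1.2.4 http://www.example.com/page.php?p=42",
]

if __name__ == "__main__":
    for client, url, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:6} {client} {url}")
```

Weak hits are worth a second look rather than an automatic block, since the same shape on a real forum is the false positive the slide warns about.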

Page 68

Turns out we were right…
• Trend Micro “Blackhole Exploit Kit: A Spam Campaign, Not a Series of Individual Spam Runs”
• Released July 12th, 2012
• Reached similar conclusions
• Campaign started to sputter after that...

Page 69

Conclusion
• You are the best tool to defend your network
  – Get passionate
• Stop thinking about threats and start worrying about actors
• Stop being nice and start playing “dirty”
• Learn who is talking about you, where, and why

Page 70

Questions?

Please fill out your evaluation sheets!

Page 71

Contact Information
• Ben Jackson
• e-Mail: [email protected]
• Twitter: @innismir
• Web/Code: http://mayhemiclabs.com