Blitzing with your Defense
Adjusting your strategy to hit attackers on their blind side
Ben Jackson, Mayhemic Labs, BeaCon 2013
Outline
• Background
• Developing Intelligence
• Information
– Receiving
– Gathering
– Sharing
• Active Defense
• Tying it together
But first about me…
Normal InfoSec Professional by day…
Thoughts expressed here are neither the opinions nor the beliefs of my employer.
SOC
Light is green, network is clean!
Incident Response
Looks like they were running Java 6…
Crazy Researcher by Night…
Locational Privacy
Malware
“Other”
Background
Or… “Why we are totally screwed…”
Disclaimer
• You can’t do this if you’re not passionate
– Tom Brady does not look at football as a 9-5 job
• Blitzing is a different way to look at defense, but it is not a cure-all
– If you’re not patching, you’re still doomed
• Every defense requires fundamentals
– If your defense can’t run and tackle, your blitz isn’t going to be very effective
We’re in a “prevent defense”
“A prevent defense is an American football defensive alignment... the goal of which is to prevent the opposing offense from completing a long pass...” – Wikipedia
Prevent Defenses don’t work
• We can’t prevent 100% of the time
• Attackers are completely OK with gaining a few yards at a time
• Occasionally, the defense will still give up the “big play”
– RSA, Comodo, Bit9, Broncos vs Ravens, etc…
• We’re giving up yardage to burn time
– Only we don’t have a clock we can run out
Incident Response Model
• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Lessons Learned
Patrick Kral, Incident Handler's Handbook, SANS Institute Reading Room, 2011
Changes, kind of…
• Incident Response model is geared toward handling incidents as separate events
• Once the fire is out, it’s business as usual
• Good for handling viruses, isolated compromises, and casual attackers
• Less than ideal for handling determined attackers
Changes, kind of…
• Incident Response model still works
– Learn it, live it, love it
• However, the game has changed
– Wider awareness is needed
• Incidents may be independent or linked
The baddies have a model too…
• Intrusion Kill Chain
– “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains” (Hutchins, Cloppert, and Amin 2010)
• Describes the steps an adversary takes to gain access to the target network
Intrusion Kill Chain
• Reconnaissance
• Weaponization
• Delivery
• Exploitation
• Installation
• Command and Control (C2)
• Actions on Objectives
The Incident Tango (timeline figure)
The attacker’s kill chain phases (Recon, Weaponization, Delivery, Exploitation, Installation, C&C, Objectives) are plotted over time against the defender’s IR phases (Preparation, Identification, Containment, Eradication, Recovery). The timeline is split into two spans: “Attacker Free Time”, before the defender identifies the intrusion, and “Fight or Flight” once it has.
But it’s never that simple...
(The same timeline figure, repeated five times over: one attacker cycle of Recon, Weaponization, Delivery, Exploitation, Installation, C&C and Objectives after another, each running against the same IR cycle of Preparation, Identification, Containment, Eradication and Recovery, so that “Attacker Free Time” and “Fight or Flight” recur again and again over time.)
Blitzing
• We need to
– Learn Bad Actors’ Tactics, Techniques and Procedures
– Tie multiple incidents into a cohesive picture
– Feed that back into the existing IR model
– Shorten, or eliminate, the attacker’s free time
Developing Intelligence
They know about you, learn about them
Data to Intelligence
• Everyone is talking about intelligence
• Unfortunately most people don’t know what intelligence is
• IOCs? IP Addresses? FQDNs? MD5s?
– Data, Data, Data, Data
• Intelligence = Data + Analysis
Data to Intelligence (Star Wars Model)
• Princess Leia steals plans for Death Star
• Rebel Alliance analysts review plans and find exhaust port vulnerability (Not Shown)
• Luke, R2D2, Han, and Chewbacca blow up Death Star
Data to Intelligence
The questions run from easy (data) to hard (intelligence):
Easy (Data)
• What are we seeing?
• How did we see it?
Hard (Intel)
• What does it do?
• What is it after?
• Why is it after that?
• Who is behind it?
Developing Intelligence
• Intelligence is hard work
– Long days looking like a conspiracy nut
– A single piece of data can ruin weeks of work
• Needs to be an on-going, internal process
– No one knows your network better than you
– Threat actors will change on a regular basis
• Once you become proficient, it’s worth its weight in gold
Using Your Data
It works for the NSA, and it can work for you…
Here! Have some Data!
• Data for intelligence is being sent to your company every day
• Every attack, successful or not, results in data
– IP addresses, C2 servers, phishing themes, etc.
• Most attackers do not have good OPSEC
– They’re lazy
– Use this against them
– “OPSEC For Hackers” - thegrugq
Start busting out of Silos
• Start extracting data out of your SIEM, IDS, AV Solution, or other security devices
– Learn how to script
• Start correlating and forming timelines
– Did that IP address probe the same server today and last week? Odd…
• Pay attention to attack methods and start looking for patterns
– Humans still beat machines for pattern recognition
Five Different Attacks?

            Attack #1    Attack #2      Attack #3      Attack #4    Attack #5
Type        e-Mail       Social Media   e-Mail         e-Mail       Watering Hole
Source IP   W.X.Y.Z      A.B.C.D        H.I.J.K        L.M.N.O      L.M.N.O
Targets     Group A      Group A        Group B        Various      Various
Exploit     CVE-X-Y      CVE-X-N        CVE-X-N        CVE-X-Z      Various
C&C         abcdef.com   qrstuv.com     ijklmnop.com   puppy.com    abcdef.com
Or One Persistent Attack?

            Attack #1    Attack #2      Attack #3      Attack #4    Attack #5
Type        e-Mail       Social Media   e-Mail         e-Mail       Watering Hole
Source IP   W.X.Y.Z      A.B.C.D        H.I.J.K        L.M.N.O      L.M.N.O
Targets     Group A      Group A        Group B        Various      Various
Exploit     CVE-X-Y      CVE-X-N        CVE-X-N        CVE-X-Z      Various
C&C         abcdef.com   qrstuv.com     ijklmnop.com   puppy.com    abcdef.com
Attacker    Attacker A   Attacker A     Attacker A     Attacker B?  Attacker A
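A mechanical version of the correlation shown in the two tables above, added here and not part of the talk: it links incidents that share a concrete indicator (source IP, C&C domain, exploit, target group) with a union-find and records the evidence for each link. The input values are the slide’s placeholders (W.X.Y.Z, abcdef.com, CVE-X-N and so on), and which fields are trusted as linking evidence is the analyst judgement behind the slide’s “Attacker B?”.

```python
# Added example (not from the talk): link incidents that share a concrete
# indicator into one campaign, keeping the evidence for every link.
# Values are the placeholder entries from the slide's table, not real IoCs.

INCIDENTS = {
    "Attack #1": {"type": "e-Mail", "src_ip": "W.X.Y.Z", "targets": "Group A",
                  "exploit": "CVE-X-Y", "c2": "abcdef.com"},
    "Attack #2": {"type": "Social Media", "src_ip": "A.B.C.D", "targets": "Group A",
                  "exploit": "CVE-X-N", "c2": "qrstuv.com"},
    "Attack #3": {"type": "e-Mail", "src_ip": "H.I.J.K", "targets": "Group B",
                  "exploit": "CVE-X-N", "c2": "ijklmnop.com"},
    "Attack #4": {"type": "e-Mail", "src_ip": "L.M.N.O", "targets": "Various",
                  "exploit": "CVE-X-Z", "c2": "puppy.com"},
    "Attack #5": {"type": "Watering Hole", "src_ip": "L.M.N.O", "targets": "Various",
                  "exploit": "Various", "c2": "abcdef.com"},
}

# "Various" is a catch-all on the slide, not a shared value: never link on it.
WILDCARDS = {"Various", "", None}

def link_incidents(incidents, link_fields=("src_ip", "c2", "exploit", "targets")):
    """Union-find over shared indicator values. Returns (clusters, evidence):
    clusters = sorted member lists, evidence = (incident_a, incident_b, field, value)."""
    parent = {name: name for name in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps chains short
            x = parent[x]
        return x

    first_seen = {}  # (field, value) -> first incident carrying that indicator
    evidence = []
    for name, attrs in incidents.items():
        for field in link_fields:
            value = attrs.get(field)
            if value in WILDCARDS:
                continue
            key = (field, value)
            if key in first_seen:
                evidence.append((first_seen[key], name, field, value))
                parent[find(name)] = find(first_seen[key])  # merge the two campaigns
            else:
                first_seen[key] = name
    groups = {}
    for name in incidents:
        groups.setdefault(find(name), []).append(name)
    clusters = sorted(sorted(members) for members in groups.values())
    return clusters, evidence
```

Restricting `link_fields` to the hard infrastructure indicators (`src_ip`, `c2`) leaves Attack #2 and #3 unlinked from the rest, which is exactly the judgement call the slide is making with its question mark.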
Gathering Data
Embrace being the Nosy Neighbor on the Internet
IRC
• Certain groups still love to hang out in IRC
• Do not… Do NOT IRC from devices or networks that can be traced back to you
– Groups of bad actors often love privacy
– Embrace it, but don’t tempt fate
• Due to the nature of IRC, groups can be harder to infiltrate
– The smaller the group, the more trusted it is
Social Media
• Certain groups love to discuss their exploits on Social Media
– Some groups use this as advertising
• Find out who’s talking about you and why
– Then find out who’s talking to them and why
• Much easier to monitor people than IRC
Pastebin
• A wretched hive of scum and villainy
– …therefore a great source for data
• Groups often will post dumps of stolen data here for easy access
– Look for yours
• Has a subscription service that will alert when posts are made with key words
– Or you can roll your own monitoring system
Google Alerts
• Google knows everything about everyone
– Leverage this to your advantage
• Does have a high false positive rate, but will yield occasional nuggets of beautiful data
Things to look for
• Company name
• Company Twitter Handles/Hashtags
• Domain Names
• IP addresses
• e-Mail addresses
• Names of Company Leadership
• Terms that the people you are monitoring talk about
Deep Undercover
• Interacting with bad actors is dangerous
– And on shaky legal ground as well
• Sometimes you will attract attention just being a fly on the wall
• Developing a believable “legend” for your persona is necessary
• Need an identity?
– http://namegenerator.in
Cover Identities
• Cover identities cannot be created, only grown
– An account set up last week looks suspicious
• Tending a garden takes time and effort
• If you start today, you may have a believable identity in a few months
– Years? Even more believable
• Always have multiple identities “good to go”
Quick Tips for Believability
• LinkedIn
– Research colleges, majors, student life
• Facebook
– Find friends, create pictures and events
• Twitter
– Tweet on an appropriate schedule
• A college student in LA is not going to tweet between 9 and 5 in Boston
• Never, ever, cross contaminate accounts
Early Warning
• Cover identities are not just for James Bond type stuff
• Creating fake employees can give you an early warning for someone looking into your company
– Legitimate and Illegitimate
• Set up fake work identities as well and see who pokes at them
Data Sharing
Don’t be a hoarder…
Data Sharing
• Knowing as much as you can during an incident is key
• Sharing with peers can make a difference
– Time to detection
– Situational awareness
– Targeted vs Untargeted
• Sharing means giving and receiving
– Produce and consume
Unorganized Informal Communities
• Never underestimate the power of networking
– Introverted geeks, this means you
• Numerous communities in the local area
– BeanSec
– GraniteSec
– MassHackers
– Local chapters of National Organizations
Organized Informal Communities
• Closed communities that are designed to share information
– Mostly mailing lists
• Don’t call them, they’ll call you
– Again, networking…
• Can be great sources, but depends widely on the community
– Also can be a bear to get into
Infragard
• Partnership between the FBI and private sector
• Good networking opportunities
– Get to know your fellow geeks
• Private Secure Portal
• Have recently started releasing DHS Joint Indicator Bulletins to members
– Quality?
My thoughts on DHS Advisories in 140 Characters…
ISACs
• Information Sharing and Analysis Centers
• Formal communities set up within your vertical
– Finance, Energy, State Governments, Health, Higher Education, and More
• The communities vary wildly between ISACs
• Usually not free, but worth it
Advanced Cyber Security Center
• Multi-vertical ISAC
• Weekly meetings on threat evaluation and information sharing
• Young, but growing
• Again, not free
Active Defense
Embrace your home field advantage…
Always calling the same play
• We always use the same tools
– Firewall, IDS, Anti-Virus, Windows, RHEL
• Attackers know this
– They’ve adapted their methods
• Defense has stayed stagnant while offense has continued to develop new tools
– HD Moore’s law by Josh Corman
• “Casual Attacker power grows at the rate of Metasploit”
Active Defense is NOT…
• Hacking Back
– Questionable Legality
• Attribution
– The rabbit hole always goes deeper
• Retaliation
– Don’t fight angry
• Counterstrikes
– You’re not going to eliminate the problem
Active Defense is…
• Delay
– Slow them down
• Deception
– Where’s the data?
• Detection
– Find them
• Disruption
– Deny access
Why Active Defense?
• Increasing attacker cost
– The bad actors will either move on or the people pulling the strings may get another “hired gun”
• Mind games
– If the bad actors think everything is a trap, they’ll be overly cautious
• It’s an uncommonly used tactic
Delay
• Use Honeypots
– Internally facing only
– Double edged sword
• Run additional services on underutilized servers
– If the bad actors are looking for SQL servers, give them SQL servers
Deceive
• Put “interesting” files on open shares
– “Corporate_Forecast_1H2014.doc”
• Complete with a web bug that calls to an offsite server
– “Customer DB Backup.zip”
• 12GB Zip file with a 36-character alphanumeric password
• Fake databases
– http://fakenamegenerator.com
Detect
• Monitor your systems that delay and deceive
– Like a hawk on amphetamines
• Establish “Motion Sensors”
– Route a few network segments to a tarpit
• Keep an eye on your “traditional” alerting systems as well
Disrupt
• Find them and destroy them!
– Or not..
• Monitoring intruders can be a good source of tactics, techniques, and procedures
– And keep your IR staff consuming large amounts of antacids
– It is very, very, very risky
Would you like to know more?
• Offensive Countermeasures Training
– Paul Asadorian and John Strand
• Active Defense Harbinger Distribution
– Bootable Linux Distribution with all kinds of “Active Defense” goodies
– http://sf.net/projects/adhd/
Putting it all together
…with bailing wire and duct tape
Putting it all together
• All of these techniques are useless
– Until you start feeding them back into the traditional incident response model
• Feeding intelligence back into the Incident Response loop shortens attacker free time
• For example…
To the WABAC machine!
• April-July 2012
• Noticeable increase in Malware spam lures
– Verizon, American and United Airlines, USPS, PayPal, Facebook
• Widespread reports across the Internet
– Not targeted against a single individual, company, or vertical
Click this link, will ya?
Common Threads
• A large majority of the spam runs had commonalities
– All same “kind” of lure
– Similar lists of targets
– All using the Blackhole Exploit kit
– Similar URL structure on lures
– Mostly pushing Zeus
• There were other runs that were different
Smoking Gun…
• The exploit kits invariably included two styles of URLs:
http://ip.address/showthread.php?t=<16 hexadecimal digits>
http://ip.address/page.php?p=<16 hexadecimal digits>
Achievement Unlocked
• Conclusion: Single group of bad actors behind campaign
• Adjusted defenses to locate URLs with “page.php” and “showthread.php” with hex strings
– Some false positives
• Was able to detect malware spam runs often before they were reported
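The detection the two slides above describe, as an added example that is not the talk’s own tooling: a matcher for the two lure URL shapes (a literal IP host, `showthread.php?t=` or `page.php?p=`, exactly 16 hex digits) run over a few constructed proxy-log lines. Insisting on the IP host and the exact token length is what keeps an ordinary forum’s `showthread.php?t=48213` out of the alerts, which is the false-positive problem the slide mentions; the log format and all addresses are constructed for the example.

```python
# Added example (not from the talk): flag URLs of the two lure styles the
# deck describes, http://<ip>/showthread.php?t=<16 hex> and
# http://<ip>/page.php?p=<16 hex>. A literal IPv4 host and exactly 16 hex
# digits are required, which trims the false positives a bare
# "showthread.php" substring match would raise on legitimate forums.
import re

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
LURE_RE = re.compile(
    r"^https?://(?P<host>" + IPV4 + r")(?::\d+)?/"
    r"(?P<page>showthread\.php\?t=|page\.php\?p=)"
    r"(?P<token>[0-9a-fA-F]{16})(?![0-9a-zA-Z])"   # token must end after 16 digits
)

def match_lure(url):
    """Return (host, page, token) if the URL has the campaign's shape, else None."""
    m = LURE_RE.match(url.strip())
    if not m:
        return None
    return m.group("host"), m.group("page").split("?")[0], m.group("token").lower()

# Constructed proxy log lines: "<timestamp> <client> <status> <url>".
# Hosts use documentation address ranges; none of these are real indicators.
SAMPLE_LOG = """\
2012-05-14T09:01:12 10.0.0.21 200 http://203.0.113.9/showthread.php?t=5ab1c3e7f2d94a6b
2012-05-14T09:01:13 10.0.0.21 200 http://203.0.113.9/page.php?p=5AB1C3E7F2D94A6B
2012-05-14T09:02:40 10.0.0.35 200 http://forum.example.com/showthread.php?t=48213
2012-05-14T09:03:05 10.0.0.35 200 http://198.51.100.7/showthread.php?t=5ab1c3e7f2d94a6b01
2012-05-14T09:04:19 10.0.0.40 200 http://203.0.113.9/page.php?p=deadbeefcafef00d
"""

def scan_log(text):
    """Return a list of (client, host, page, token) for every matching log line."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash the scan
        hit = match_lure(parts[3])
        if hit:
            hits.append((parts[1],) + hit)
    return hits
```

The third line (a real-looking forum with a decimal thread id) and the fourth (18 hex digits) are deliberately left unflagged; only the three campaign-shaped URLs come back.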
Turns out we were right…
• Trend Micro “Blackhole Exploit Kit: A Spam Campaign, Not a Series of Individual Spam Runs”
• Released July 12th, 2012
• Reached similar conclusions
• Campaign started to sputter after that...
Conclusion
• You are the best tool to defend your network
– Get passionate
• Stop thinking about threats and start worrying about actors
• Stop being nice and start playing “dirty”
• Learn who is talking about you, where, and why
Questions?
Please fill out your evaluation sheets!
Contact Information
• Ben Jackson
• e-Mail: [email protected]
• Twitter: @innismir
• Web/Code: http://mayhemiclabs.com