HITB LAB: Identifying Threats in Raw Data Events: A Practical ...

HITB LAB: Identifying Threats in Raw Data Events: A Practical Approach for Enterprises

Vladimir Kropotov, Vitaly Chetvertakov, Fyodor Yarochkin
HITB 2014. Affiliations: Academia Sinica, o0o.nu, chroot.org

October 16, 2014, Kuala Lumpur

Outline

- Introduction
- Criminology: case studies
- Detection
- Creating own IOCs
- EOF



Lab

Our demo host: 100.123.7.111


Everyone is p0wn3d :)


Challenges

Main assumption: all networks are compromised. The difference between a good security team and a bad security team is that with a bad security team you will never know that you have been compromised.


Statistics speak

- about 40,000,000 internet users in Russia
- for every 10,000 server hosts, 500 hosts trigger redirects to malicious content per week
- about 20-50 user machines (full AV installed, behind NAT and a firewall) get affected


Forumology

Forumology: what we can learn by following the trading forums.


Forumology: recent compromise signs

Date: 01-09-2014


Forumology: targeted attack queries


Forumology: obfuscation patterns (crypting service, free service)


Forumology: sensitive data monetization


Forumology: a request to buy social-network groups, with attribution leaked through the social network


Forumology: Google Play app rating manipulation


Forumology: shells and traffic sold without direct victim attribution

- priority sales to individuals with high forum reputation
- one-hands-only sale (sold to a single buyer)
- reachable through the following contact:


Campaigns

Domain        Category   Campaign dates               Unique hosts/day
ria.ru        news       Summer 2013 - Summer 2014    ~1 600 000
rg.ru         news       Autumn 2013                  ~790 000
newsru.com    news       Winter 2013 - Spring 2014    ~590 000
gazeta.ru     news       Spring 2013 - Autumn 2013    ~490 000
aif.ru        news       Spring 2013 - Winter 2013    ~330 000
mk.ru         news       Summer 2013 - Autumn 2013    ~315 000
inosmi.ru     news       Summer 2014                  ~290 000
3dnews.ru     news       Winter 2013 - Summer 2014    ~185 000
vz.ru         news       Winter 2013 - Summer 2014    ~170 000
topnews.ru    news       Spring 2013 - Autumn 2013    ~140 000


Campaigns (2)

Domain         Category        When seen                    Unique hosts/day
Youtube.com    -               Summer 2013 - Winter 2014    Alexa rank 3
mail.ru        email           Winter 2013 - Spring 2014    Alexa rank 40
auto.ru        Autos           Summer 2014 - Autumn 2014    ~320 000
soccer.ru      Sport           Winter 2014                  ~220 000
irr.ru         Ad boards       Spring 2014 - Autumn 2014    ~175 000
job.ru         HR              Autumn 2014                  ~140 000
glavbukh.ru    Accountants     Spring 2013 - Summer 2014    ~70 000
hr-portal.ru   Finance / HR    Winter 2013 - Spring 2014    ~55 000
tks.ru         Finance         Summer 2013 - Spring 2014    ~38 000
Bankir.ru      Finance         Spring 2013 - Autumn 2014    ~33 000


Intermediate victims, EDU and forums


Intermediate victims, forums


Intermediate victims, companies (1)


Intermediate victims, companies (2)


Intermediate victims, companies (3)


Intermediate victims, companies (4)


Intermediate victims, companies (5)


Intermediate victims, companies (6)


Intermediate victims, regional government related (1)


Intermediate victims, regional government related (2)


Intermediate victims, regional government related (3)


Intermediate victims, regional government related (4)


Intermediate victims, regional government related (5)


Participants, other (mail delivery service)


Participants, other (anti debugging)


Seen on forum:

Google redirect:


Participants, other (known referrers...)


EK/malware serving hosts by country


Target victim traffic costs


Case studies:

- commercial crime
- crime not oriented to monetary profit

Let's take a look at the first type:


Intermediate victims

Intermediate victims are targets too, such as free DNS hostings:

fbps.1403883.mar2.afraid.org
ju7a.1403883.mar2.afraid.org
wzet.1403883.mar2.afraid.org
gatw.1403883.mar2.afraid.org
kfzv.1403883.mar2.afraid.org
oxdo.1403883.mar2.afraid.org


Legit domain abuse

domain:        SCHOOLOPROS.RU
nserver:       ns1.afraid.org.
nserver:       ns2.afraid.org.
state:         REGISTERED, DELEGATED, VERIFIED
org:           LLC "GKShP"
registrar:     RU-CENTER-REG-RIPN
admin-contact: https://www.nic.ru/whois
created:       2010.01.25


Domain rotation

http://www.residensea.jp/xuaioxc.php
http://firenzeviaroma.ru/dqryony.php
http://sphynxtoutnu.com/dnqaibb.php
http://www.icmjapan.co.jp/dgttcnm.php
http://www.controlseal.nl/yolelkx.php
http://ural.zz.mu/ledstsn.php
http://www.fotobit.pl/cpjjpei.php
http://bgcarshop.com/tgghhvy.php
http://www.borkowski.org/fudbqrf.php
http://shop.babeta.ru/puthnkn.php
http://e-lustrate.us/mycbbni.php
http://notarypublicconcept.com/shfvtpx.php
http://www.stempelxpress.nl/vechoix.php
http://64.68.190.53/dqohago.php
http://likos.orweb.ru/oydochh.php
http://wap.warelex.com/parpkeu.php


Domain rotation

- over 500 compromised domains
- rotation once every 3 minutes


Malware hosting on legit domains (stolen credentials, vulnerabilities, etc.)



Lurk campaign: historical overview

Recent coverage: http://malware.dontneedcoffee.com/2014/08/angler-ek-now-capable-of-fileless.html?m=1

- but actually the Lurk campaign is at least 3 years old (and mainly targeting .ru IP ranges).


Lurk in the news, and news sites distribute Lurk...

"For purposes of analysis, we selected two information resources which we knew had been used to distribute the malware— http://www.ria.ru/ (a major Russian news agency) and http://www.gazeta.ru/ (a popular online newspaper)." (http://securelist.com/blog/virus-watch/32383/a-unique-bodiless-bot-attacks-news-site-visitors-3/)

Intermediate victims:

- ria.ru
- gazeta.ru


Lurk in 2011

Intermediate victims:

- glavbukh.ru
- inosmi.ru
- ria.ru
- riarealty.ru
- ura.ru

Date                   Referrer                    IP              URL
03/Nov/2011:14:36:57   http://ria.ru/incidents/    50.97.204.116   http://as5t3hjlsddk.com/BVRQ
03/Nov/2011:14:47:44   http://inosmi.ru/           50.97.204.116   http://as5t3hjlsddk.com/BVRQ
03/Nov/2011:14:52:03   http://www.ura.ru/          50.97.204.116   http://as5t3hjlsddk.com/BVRQ


Other participants of the Winter-Spring 2012 campaign

Intermediate victims:

- banki.ru
- fas.gov.ru
- glavbukh.ru
- infox.ru
- inosmi.ru
- klerk.ru
- newsru.com
- pravda.ru
- riarealty.ru
- slon.ru
- ura.ru


Lurk in the news, and news sites distribute Lurk... (2)

Targeted web infections, Nov 08 2012 (http://securelist.ru/blog/intsidenty/3546/targetirovanny-e-veb-zarazheniya-2/)

Intermediate victims:

- interfax.ru
- Vesti.ru
- gazeta.ru
- vz.ru
- ura.ru


Timeline of the Summer-Autumn 2012 campaign

Intermediate victims (all requests: port 80, GET, text/html):

Date               Ref. domain   IP                URL                                     Bytes out/in
8/17/2012 12:29    3dnews.ru     207.182.136.150   http://jiujitrolam.info/2T4T            290/58067
8/17/2012 12:29    rian.ru       207.182.136.150   http://jiujitrolam.info/2T4T            535/4511
8/17/2012 13:38    tks.ru        207.182.136.150   http://jiujitrolam.info/2T4T            370/5972
9/4/2012 14:16     3dnews.ru     91.216.163.76     http://kalmadrezant.info/7GIC           339/56870
9/13/2012 13:18    newsru.com    184.22.165.170    http://cdmalinkrating.net/7GIC          607/58066
9/17/2012 12:50    tks.ru        184.22.165.170    http://responsesforemost.org/7GIC       668/58075
9/17/2012 13:38    slon.ru       184.22.165.170    http://responsesforemost.org/7GIC       728/194
9/18/2012 11:54    rian.ru       184.22.165.170    http://oggmoreripples.com/7GIC          1160/194
10/10/2012 11:35   vesti.ru      91.121.152.84     http://deployspostsale.net/7GIC         722/58037
10/12/2012 13:34   gazeta.ru     91.121.152.84     http://personallymainframes.net/7GIC    618/58084
11/2/2012 14:12    vesti.ru      91.121.152.84     http://accuracyuploadonly.net/7GIC      290/58078

(*) rian.ru + vesti.ru + gazeta.ru + newsru.com + 3dnews.ru + slon.ru > 4 000 000 unique visitors per day...


Campaign Autumn 2012: knocking on the master (C2 check-in)

Log evidence:

Date              IP                Port   Method   URL
11/2/2012 14:13   184.173.226.246   80     POST     http://rime41claim.com/search?hl=us&source=hp&q=22282240&aq=f&aqi=&aql=&oq=
11/2/2012 14:13   184.173.226.245   80     GET      http://landlady48s.com/search?hl=us&source=hp&q=58959&aq=f&aqi=&aql=&oq=58959
11/2/2012 14:14   184.173.226.246   80     POST     http://rime41claim.com/search?hl=us&source=hp&q=1000000000503347&aq=f&aqi=&aql=


Winter 2012-2013 campaign

- new signature ISOQ (old signatures: 2T4T, 7GIC, BVRQ)
- exploit: 0ISOQjq
- payload: 1ISOQjq


Stats

All requests: port 80, GET. The exploit (0...) and payload (1...) requests carry no referrer.

Date               Ref. domain   IP              URL                                        Content type
22.01.2013 16:33   vesti.ru      64.79.67.220    http://cetapetrar.info/ISOQ                text/html
28.01.2013 15:15   vz.ru         64.79.67.220    http://mgsinterviews.biz/ISOQ              text/html
28.01.2013 15:15   -             64.79.67.220    http://mgsinterviews.biz/0ISOQjq           application/java-archive
28.01.2013 15:15   -             64.79.67.220    http://mgsinterviews.biz/1ISOQjq           application/octet-stream
2013-02-05 15:27   vz.ru         208.110.73.74   http://ferpolokas.info/ISOQ                text/html
08.02.2013 15:26   3dnews.ru     208.110.73.75   http://footmanage.info/XZAH                text/html
2/11/2013 16:22    vz.ru         208.110.73.75   http://croppingvietnam.biz/XZAH            text/html
19.02.2013 15:13   klerk.ru      208.110.73.75   http://interfacesfeaturelimited.org/XZAH   text/html
2/20/2013 12:52    newsru.com    208.110.73.75   http://solvesautoplay.info/XZAH            text/html
2/20/2013 12:52    -             208.110.73.75   http://solvesautoplay.info/0XZAHwj         application/java-archive
2/20/2013 12:52    -             208.110.73.75   http://solvesautoplay.info/1XZAHwj         application/octet-stream
20.02.2013 12:52   newsru.com    208.110.73.75   http://solvesautoplay.info/XZAH            text/html
20.02.2013 13:22   vz.ru         208.110.73.75   http://solvesautoplay.info/XZAH            text/html
20.02.2013 13:24   vesti.ru      208.110.73.75   http://solvesautoplay.info/XZAH            text/html
3/5/2013 13:51     glavbukh.ru   208.110.73.75   http://birdsricher.info/XZAH               text/html
3/6/2013 14:32     klerk.ru      74.82.203.10    http://comprisefuse.info/XZAH              text/html
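The chains in these tables share one shape: a text/html landing page at a four-character path (2T4T, 7GIC, BVRQ, ISOQ, XZAH; later indexm.html), then a 0-prefixed exploit request (java-archive, or flash in the 2013 sample) and a 1-prefixed payload request (octet-stream) on the same host, both carrying the same token. The script below is an added example, not code from the lab or from the authors' tools; it runs that check over a handful of constructed proxy log lines modelled on the rows above (a tab-separated layout of time, referrer domain, server IP, URL and content type, assumed for the example) and reports how far each chain got.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log lines modelled on the slides (tab-separated:
# time, referrer domain or '-', server IP, URL, response content type).
SAMPLE_LOG = """\
22.01.2013 16:33\tvesti.ru\t64.79.67.220\thttp://cetapetrar.info/ISOQ\ttext/html
28.01.2013 15:15\tvz.ru\t64.79.67.220\thttp://mgsinterviews.biz/ISOQ\ttext/html
28.01.2013 15:15\t-\t64.79.67.220\thttp://mgsinterviews.biz/0ISOQjq\tapplication/java-archive
28.01.2013 15:15\t-\t64.79.67.220\thttp://mgsinterviews.biz/1ISOQjq\tapplication/octet-stream
21/Aug/2013:11:53\ttks.ru\t70.32.39.108\thttp://frilpertesemota.info/indexm.html\ttext/html
21/Aug/2013:11:53\t-\t70.32.39.108\thttp://frilpertesemota.info/054RIwj\tapplication/java-archive
10.10.2013 10:10\t-\t198.51.100.9\thttp://www.example.org/index.html\ttext/html
"""

# Landing page: four upper-case alphanumerics (2T4T, 7GIC, ISOQ, ...) or indexm.html.
LANDING_RE = re.compile(r"^/(?:[A-Z0-9]{4}|indexm\.html)$")
# Stage request: one digit, the four-character campaign token, two lower-case letters
# (0ISOQjq = exploit, 1ISOQjq = payload, 054RIwj = exploit for token 54RI).
STAGE_RE = re.compile(r"^/([0-9])([A-Z0-9]{4})[a-z]{2}$")
# Content types the slides show for each stage; anything else is flagged, not dropped.
EXPECTED_TYPES = {
    "0": {"application/java-archive", "application/x-shockwave-flash"},
    "1": {"application/octet-stream"},
}


def parse_line(line):
    """Split one tab-separated log line into its fields plus host and path."""
    time, ref, ip, url, ctype = line.split("\t")
    parts = urlsplit(url)
    return {"time": time, "ref": ref, "ip": ip, "ctype": ctype,
            "host": parts.hostname, "path": parts.path}


def verdict(stages):
    got = set(stages)
    if {"0", "1"} <= got:
        return "full chain: landing, exploit, payload"
    if "0" in got:
        return "exploit served, no payload seen"
    return "landing only"


def find_chains(log_text):
    """Group requests per exploit-kit host and report how far each chain went."""
    hosts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        h = hosts.setdefault(r["host"], {
            "host": r["host"], "ip": r["ip"], "referrers": set(),
            "landing": False, "token": None, "stages": {}, "type_mismatch": []})
        if r["ctype"] == "text/html" and LANDING_RE.match(r["path"]):
            h["landing"] = True
            if r["ref"] != "-":
                h["referrers"].add(r["ref"])   # the compromised site that sent the victim
            continue
        m = STAGE_RE.match(r["path"])
        if m:
            stage, token = m.groups()
            h["token"] = token
            h["stages"][stage] = r["ctype"]
            if stage in EXPECTED_TYPES and r["ctype"] not in EXPECTED_TYPES[stage]:
                h["type_mismatch"].append(r["path"])
    chains = []
    for h in hosts.values():
        if not (h["landing"] or h["stages"]):
            continue   # neither a landing nor a stage request: not this pattern
        h["referrers"] = sorted(h["referrers"])
        h["verdict"] = verdict(h["stages"])
        chains.append(h)
    return sorted(chains, key=lambda c: c["host"])


if __name__ == "__main__":
    for c in find_chains(SAMPLE_LOG):
        print(f'{c["host"]:28} {c["ip"]:16} token={c["token"]} '
              f'referrers={",".join(c["referrers"]) or "-"}  {c["verdict"]}')
```

A "landing only" result is a lead, not an alert: a four-character path on a text/html response is weak on its own. The full chain (landing, 0-stage, 1-stage with the matching content types) is what deserves an incident, and the referrer set tells you which of the intermediate victims above sent the traffic.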


Summer 2013: landing pattern changed to "indexm.html"

All requests: port 80, GET.

Date                Ref. domain   IP              URL
21/Aug/2013:11:53   tks.ru        70.32.39.108    http://frilpertesemota.info/indexm.html
21/Aug/2013:11:53   tks.ru        70.32.39.108    http://frilpertesemota.info/054RIwj
8/23/2013 12:58     slon.ru       173.234.60.86   http://sabretensar.info/indexm.html
03.09.2013 14:12    rg.ru         173.234.60.83   http://miopades.info/indexm.html
09.09.2013 14:49    tks.ru        209.123.8.35    http://kilkadukas.info/indexm.html
9/20/2013 12:50     gazeta.ru     216.55.166.53   http://lpakuwiera.info/indexm.html
9/20/2013 13:52     rg.ru         216.55.166.53   http://lpakuwiera.info/indexm.html
9/23/2013 12:41     aif.ru        209.123.8.183   http://liapolasens.info/indexm.html

Content type text/html. Bytes out/in values that survived on the slide: 585/203, 4999/0, 4137/460, 157/1025, 4134/613, 4137/334.


Debugging of the fingerprinting mechanism? Sep 2013

URL                                                                                                   Content type
http://ljiartwbvsa.info/indexm.html                                                                   text/html
http://ljiartwbvsa.info/054RIdl                                                                       application/x-shockwave-flash
http://ljiartwbvsa.info/counter.php?t=f&v=win%2011, 7, 700, 169&a=true                               text/html
http://ljiartwbvsa.info/354RIcx                                                                       text/html
http://ljiartwbvsa.info/s.php?qt=null&fl=11, 7, 700, 169&sw=null&ar=null&jv=null&sl=5, 1, 20513, 0    text/html
http://ljiartwbvsa.info/054RIcx                                                                       -

The s.php query string carries the plugin probe results back to the server: fl (Flash) 11,7,700,169, sl (Silverlight) 5,1,20513,0, jv (Java) null. This is the kit deciding which exploit to serve.


Fresh news from the field

All requests: port 80, GET, server IP 188.165.229.195.

Date                Ref. domain   URL
8/20/2014 16:57     auto.ru       http://kopwa.linogeraxa.info/indexm.html
9/1/2014 12:02      irr.ru        http://apobda.kiqpoltar2.in/indexm.html
01/Sep/2014:16:54   bankir.ru     http://snkua.kiqpoltar2.in/indexm.html
9/4/2014 14:16      smotri.com    http://xbxa72.bsoyetrad.in/indexm.html
04/Sep/2014:12:03   auto.ru       http://snkua.kiqpoltar2.in/indexm.html
04/Sep/2014:15:26   irr.ru        http://boreas.gohasellor.info/indexm.html
04/Sep/2014:15:26   -             http://boreas.gohasellor.info/3MSKMcx
04/Sep/2014:15:26   -             http://boreas.gohasellor.info/sxvutirwbfexedbjmqqn.html
04/Sep/2014:15:56   job.ru        http://boreas.gohasellor.info/indexm.html
05/Sep/2014:15:24   bankir.ru     http://snkua.kiqpoltar2.in/indexm.html


Mitigation experience and after-effects

- Reporting abuse to the hosting provider (you can lose the chain: criminals just pay $50 for other hosting)
- Reporting abuse to the registrar
- Reporting abuse to the DNS provider
- Forensic evidence collection and actor attribution
- Interaction with CERTs and authorities
- Informing victims directly


MacOS botnet: a Kaiten variant in action

- Kaiten/Tsunami is an open-source IRC-controlled DDoS bot
- Observed a large infection of MacOS machines in September 2014 (starting on 02-09-2014)
- initial infection vector: yet unknown
- Observation period: 2014-09-02 - now
- targets: mainly CN, then TW
- small numbers in KR, NP, JP, MY
- IOCs:

Executables:
cbf5a6d2fba422caa5913e48ef68a6ab  http://5.104.106.190/.../cores
98bb67d91476d8ac4e71d39c92564b3b  http://linux.microsoftwindowsupdate.org/poke.sh


IOCs

5.104.106.190
- eventuallydown.dyndns.biz
- fastfoodz.dlinkddns.com
- updates.dyndn-web.com

54.68.53.18
- flippinflops.dyndns.tv


Indicators

- Hosted on a German IP and on Amazon EC2. Hosts an IRC server, a DNS server and a web server (used to wget new binaries/updates).
- controlled from an .il IP address

IRC servers: 192.31.186.4, 85.214.45.208
- eichwalde.de
- hortbuntstifte.de
- channel #core


Kaiten ops:

- controlled by iseee [email protected]
- commands arrive as PRIVMSGs; the bot manipulates DNS resolver settings


Kaiten conclusions

- 18247 unique IP addresses within 3 days
- ~3k bots online simultaneously
- botnet growth limited by IRC server stability


Targeted campaigns

APT != STATE SPONSORED

- Q: Why so many APT-like activities out of .cn?
- A: A different market structure (data is worth money).


APT ..?

Interesting correlations:


Bad guys in your net ;-)

Coming from a KR IP address (bounce), redirecting a shell to CHINANET.


Hands on

- moloch: https://100.123.7.111:8005, user admin, password hitb2014


Detection

Detection: tools and techniques


Good thing to assume

If you are under attack, your AV, firewalls and IDS are part of THE ATTACKER'S THREAT MODEL. The option you have: read between the lines. When you are compromised, what is the action plan?


Some useful tools

Developed by us:

- http://github.com/fygrave/ndf
- http://github.com/fygrave/hntp

3rd party:

- fiddler
- elasticsearch && http://github.com/aol/moloch (VM), and our 0mq plugin
- yara
- hpfeeds https://github.com/rep/hpfeeds
- CIF https://github.com/collectiveintel/cif-v1
- https://github.com/STIXProject/ - openioc-to-stix converter
- https://github.com/MISP/MISP - malware information sharing platform


Introduction: terminology

Indicators of compromise. An indicator of compromise (IOC) in computer forensics is an artifact observed on a network or in an operating system that with high confidence indicates a computer intrusion. http://en.wikipedia.org/wiki/Indicator_of_compromise


AV model broken

Why is the AV model broken?

- AV detection/monitoring: http://viruscheckmate.com/id/OByt539VwEcQ


Why indicators of compromise

Indicators of compromise help us answer questions like:

- is this document/file/hash malicious?
- is there any past history for this IP/domain?
- what are the other similar/related domains/hashes/...?
- who is the actor?
- am I an APT target?!! ;-)


An example

A network compromise case study:

- Attackers broke in via a web vulnerability and gained local admin access
- Attackers created a local user
- Attackers started probing other machines for default user IDs
- Attackers launched tunneling tools, connecting back to C2
- Attackers installed RATs to maintain access


Indicators

So what are the compromise indicators here?

- Where did the attackers come from? (IP)
- What vulnerability was exploited? (pattern)
- What web backdoor was used? (pattern, hash)
- What tools were uploaded? (hashes)
- What users were created locally? (username)
- What usernames were probed on other machines? (username)


Good or bad?

File Name                    : RasTls.exe
File Size                    : 105 kB
File Modification Date/Time  : 2009:02:09 19:42:05+08:00
File Type                    : Win32 EXE
MIME Type                    : application/octet-stream
Machine Type                 : Intel 386 or later, and compatibles
Time Stamp                   : 2009:02:02 13:38:37+08:00
PE Type                      : PE32
Linker Version               : 8.0
Code Size                    : 49152
Initialized Data Size        : 57344
Uninitialized Data Size      : 0
Entry Point                  : 0x3d76
OS Version                   : 4.0
Image Version                : 0.0
Subsystem Version            : 4.0
Subsystem                    : Windows GUI
File Version Number          : 11.0.4010.7
Product Version Number       : 11.0.4010.7
File OS                      : Windows NT 32-bit
Object File Type             : Executable application
Language Code                : English (U.S.)
Character Set                : Windows, Latin1
Company Name                 : Symantec Corporation
File Description             : Symantec 802.1x Supplicant
File Version                 : 11.0.4010.7
Internal Name                : dot1xtray


It really depends on context. Seen together with RasTls.exe: RasTls.DLL and RasTls.DLL.msc. A legitimate vendor executable loads its DLLs by name, and the application's own directory is searched before the system directories, so a DLL placed next to the executable is the one that gets loaded. See Dynamic-Link Library Search Order: http://msdn.microsoft.com/en-us/library/ms682586(v=VS.85).aspx
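As an added example (not from the lab materials), the check below turns that context into a scan: for every executable in a file listing, look for a DLL with the same base name in the same directory, list any further files that share the DLL's name, and note whether a DLL of that name also exists elsewhere (for instance under System32). The listing is constructed for the example; the directory paths and the System32 copy are assumptions, the three RasTls file names are the ones on the slide.

```python
import ntpath
from collections import defaultdict

# Constructed file listing. The directory paths and the System32 copy are assumed
# for this example; the three RasTls names are the ones shown on the slide.
LISTING = [
    r"C:\ProgramData\Symantec\RasTls.exe",
    r"C:\ProgramData\Symantec\RasTls.DLL",
    r"C:\ProgramData\Symantec\RasTls.DLL.msc",
    r"C:\Program Files\Vendor\tool.exe",
    r"C:\Program Files\Vendor\helper.dll",
    r"C:\Windows\System32\RasTls.dll",
]


def find_sideload_candidates(paths):
    """Flag executables that have a same-named DLL beside them.

    The application directory comes first in the default DLL search order, so
    a DLL dropped next to a trusted executable is loaded in preference to any
    copy elsewhere. Matching is case-insensitive, as on NTFS.
    """
    by_dir = defaultdict(dict)          # dir (lower) -> {name (lower): original path}
    dll_locations = defaultdict(list)   # dll name (lower) -> every path with that name
    for p in paths:
        d, name = ntpath.split(p)
        by_dir[d.lower()][name.lower()] = p
        if name.lower().endswith(".dll"):
            dll_locations[name.lower()].append(p)

    findings = []
    for names in by_dir.values():
        for name, exe_path in names.items():
            if not name.endswith(".exe"):
                continue
            stem = name[:-4]
            dll_path = names.get(stem + ".dll")
            if dll_path is None:
                continue
            # extra files sharing the DLL's name (e.g. RasTls.DLL.msc) are worth a look too
            companions = sorted(p for n, p in names.items() if n.startswith(stem + ".dll."))
            elsewhere = sorted(p for p in dll_locations[stem + ".dll"] if p != dll_path)
            findings.append({"exe": exe_path, "dll": dll_path,
                             "companions": companions, "same_name_elsewhere": elsewhere})
    return sorted(findings, key=lambda f: f["exe"].lower())


if __name__ == "__main__":
    for f in find_sideload_candidates(LISTING):
        print(f["exe"])
        print("  loads first:  ", f["dll"])
        for c in f["companions"]:
            print("  companion:    ", c)
        for e in f["same_name_elsewhere"]:
            print("  same name at: ", e)
```

A finding is context, not a verdict: vendors do ship private DLLs beside their executables. Compare the DLL's hash and signature with what the vendor ships, and look at the companion file, before calling it.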


IOC representations

Multiple standards have been created to facilitate IOC exchange.

- Mandiant: OpenIOC
- Mitre: STIX (Structured Threat Information Expression), CybOX (Cyber Observable Expression)
- Mitre: CAPEC, TAXII
- IODEF (Incident Object Description Format)


Standards: OpenIOC

OpenIOC: a Mandiant-backed (now FireEye) effort for a uniform representation of IOCs. http://www.openioc.org/


OpenIOCs

Digital Appendices/Appendix G (Digital):

0c7c902c-67f8-479c-9f44-4d985106365a.ioc
12a40bf7-4834-49b0-a419-6abb5fe2b291.ioc
2106f0d2-a260-4277-90ab-edd3455e31fa.ioc
26213db6-9d3b-4a39-abeb-73656acb913e.ioc
2bff223f-9e46-47a7-ac35-d35f8138a4c7.ioc
2fc55747-6822-41d2-bcc1-387fc1b2e67b.ioc
32b168e6-dbd6-4d56-ba2f-734553239efe.ioc
3433dad8-879e-40d9-98b3-92ddc75f0dcd.ioc
3e01b786-fe3a-4228-95fa-c3986e2353d6.ioc
ad521068-6f18-4ab1-899c-11007a18ec73.ioc
af5f65fc-e1ca-45db-88b1-6ccb7191ee6a.ioc
Appendix G IOCs README.pdf
c32b8af3-28d0-47d3-801f-a2c2b0129650.ioc
c71b3305-85e5-4d51-b07c-ff227181fb5a.ioc
c7fa2ea5-36d5-4a52-a6cf-ddc2257cb6f9.ioc
d14d5f09-9050-4769-b00d-30fce9e6eb85.ioc
d1c65316-cddd-4d9c-8efe-c539aa5965c0.ioc
d4f103f8-c372-49d1-b9f4-e127d61d0639.ioc

IOCs$ ls (names cut off at the slide edge):
6bd24113-2922-4d25
70b5be0c-8a94-44b4
7c739d52-c669-4d51
7d2eaadf-a5ff-4199
7f9a6986-f00a-4071
806beff3-7395-492e
84f04df2-25cd-4f59
8695bb5e-29cd-41b9
86e9b8ec-7413-453b


Standards: Mitre

Mitre CybOX: http://cybox.mitre.org/
  https://github.com/CybOXProject/Tools
  https://github.com/CybOXProject/openioc-to-cybox
Mitre CAPEC: http://capec.mitre.org/
Mitre STIX: http://stix.mitre.org/
Mitre TAXII: http://taxii.mitre.org/


Mature: STIX


Indicators of compromise

- Complex IOCs covering all steps of an attack
- Dynamic creation of IOCs on the fly
- Auto-reload of IOCs, TTLs
- Dealing with different standards: import/export


Exploit pack trace

URL                                                              IP              MIME type                  Referrer
http://cuba.eanuncios.net/1/zf3z9lr6ac8di6r4kw2r0hu3ee8ad.html   93.189.46.222   text/html                  http://www.smeysyatut.ru/
http://cuba.eanuncios.net/2909620968/1/1399422480.htm            93.189.46.222   text/html                  http://cuba.eanuncios.net/
http://cuba.eanuncios.net/2909620968/1/1399422480.jar            93.189.46.222   application/java-archive   -
http://cuba.eanuncios.net/2909620968/1/1399422480.jar            93.189.46.222   application/java-archive   -
http://cuba.eanuncios.net/f/1/1399422480/2909620968/2            93.189.46.222   -                          -
http://cuba.eanuncios.net/f/1/1399422480/2909620968/2/2          93.189.46.222   -                          -


Nuclear sploit pack

{'Nuclearsploitpack': {
  'step1': {'files': ['wz3u6si8e5lh7k2tk5ox4ne6d8g.html', 't3f5y9a2bb3dl7z8gc4o6f.html',
                      'zf3z9lr6ac8di6r4kw2r0hu3ee8ad.html', 'rx3v...'],
            'domains': ['father.ferremovil.com', 'thai.alohatransllc.com', 'cuba.eanuncios.net',
                        'duncan.disenocorporativo.com.ar', ...],
            'arguments': [],
            'directories': ['1'],
            'ip': ['93.189.46.201', '93.189.46.203', '93.189.46.222', '93.189.46.224', '93.189.46.233']},
  'step2': {'files': ['1399422480.htm', '1399704720.htm', '1399513440.htm', '1399514040.htm', '1399773300.htm'],
            'domains': ['cuba.eanuncios.net', 'duncan.disenocorporativo.com.ar', 'homany.collectiveit.com.au',
                        'privacy.terapia.org...'],
            'arguments': [],
            'directories': ['2909620968', '1', '507640988', '940276731', '3957283574', '952211704'],
            'ip': ['93.189.46.222', '93.189.46.224', '93.189.46.233']},
  'step3': {'files': ['1399422480.jar', '1399513440.jar'],
            'domains': ['cuba.eanuncios.net', 'homany.collectiveit.com.au'],
            'arguments': [],
            'directories': ['2909620968', '1', '940276731'],
            'ip': ['93.189.46.222', '93.189.46.224']},
  'step4': {'files': ['2'],
            'domains': ['cuba.eanuncios.net'],
            'arguments': [],
            'directories': ['f', '1', '1399422480', '2909620968', '2'],
            'ip': ['93.189.46.222']}}}

(entries ending in "..." are cut off at the slide edge)


Redirect (example)

http://mysimuran.ru/forum/kZsjOiDMFb/
http://mysimuran.ru/forum/kZsjOiDMFb/js.js?4231
http://c.hit.ua/hit?i=59278&g=0&x=2
http://f-wake.browser-checks.info:28001/d1x/3/87475b26a521024ce78d7ea73164140a/http%3A%2F%2Fagency.accordinga.pw%2Fremain%2Funknown.h


Redirect example

{'28001': {
  'step1': {'directories': ['forum', 'kZsjOiDMFb', 'epygFrFsoU'],
            'arguments': [],
            'files': [''],
            'ip': ['89.111.178.33'],
            'domains': ['mysimuran.ru']},
  'step2': {'directories': ['forum', 'kZsjOiDMFb', 'epygFrFsoU', 'kJXshWOMNC'],
            'arguments': ['4231', '7697', '9741'],
            'files': ['js.js', 'cnt.html'],
            'ip': ['89.111.178.33'],
            'domains': ['mysimuran.ru']},
  'step3': {'directories': [],
            'arguments': ['i', 'g', 'x'],
            'files': ['hit'],
            'ip': ['89.184.81.35'],
            'domains': ['c.hit.ua']},
  'step4': {'directories': ['d1x', '3', '87475b26a521024ce78d7ea73164140a', 'd36eb1fc80ebe9df515d043be1557f57'],
            'arguments': [],
            'files': ['http%3A%2F%2Fagency.accordinga.pw%2Fremain%2Funknown.html%3Fmods%3D8%26id%3D26',
                      'http%3A%2F%2Fstruck.looked...'],
            'ip': ['46.254.16.209'],
            'domains': ['f-wake.browser-checks.info', 'a-oprzay.browser-checks.pw']}}}

(the entry ending in "..." is cut off at the slide edge)


Sourcing external IOCs

- CIF: https://code.google.com/p/collective-intelligence-framework/
- feeds (with scrapers):


Sourcing external IOCs: feed your scrapers

https://zeustracker.abuse.ch/blocklist.php?download=badips
http://malc0de.com/database/
https://reputation.alienvault.com/reputation.data
...

- VT intelligence
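As an added example (not the lab's code), a minimal in-memory indicator store that puts the feed scrapers together with the auto-reload and TTL requirement from the previous section: two parsers for the two line shapes external lists commonly use (one address per line with '#' comments, and '#'-delimited reputation records laid out as ip#reliability#risk#activity#...), an ingest that merges sources and pushes the expiry forward every time an indicator is seen again, an expiry sweep, and a scan over constructed log lines. The feed snippets and log lines are constructed, and the record layouts are this example's assumption, not a statement about any particular provider's format.

```python
import re
from datetime import datetime, timedelta

# Constructed feed snippets (not real data). Two common line shapes:
# one address per line with '#' comments, and '#'-delimited reputation records
# laid out as ip#reliability#risk#activity#country#city#lat,lon#flags (assumed here).
BADIPS_FEED = """\
# constructed blocklist, one address per line
198.51.100.7
203.0.113.45
"""
REPUTATION_FEED = """\
203.0.113.45#4#2#Malware Domain#ZZ#Nowhere#0,0#11
192.0.2.200#6#4#C&C#ZZ#Nowhere#0,0#11
"""

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_ip_per_line(text):
    """Yield (value, metadata) for a plain address list; '#' starts a comment."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and IPV4.fullmatch(line):
            yield line, {}


def parse_hash_delimited(text):
    """Yield (value, metadata) for '#'-separated reputation records."""
    for line in text.splitlines():
        fields = line.strip().split("#")
        if len(fields) >= 4 and IPV4.fullmatch(fields[0]):
            yield fields[0], {"reliability": int(fields[1]),
                              "risk": int(fields[2]), "activity": fields[3]}


class IocStore:
    def __init__(self):
        self.items = {}   # indicator value -> record

    def ingest(self, text, parser, source, now, ttl):
        """Add or refresh indicators from one feed; returns how many it saw."""
        seen = 0
        for value, meta in parser(text):
            rec = self.items.setdefault(
                value, {"value": value, "sources": set(), "first_seen": now, "meta": {}})
            rec["sources"].add(source)
            rec["meta"].update(meta)
            rec["expires"] = now + ttl      # a reload pushes the expiry forward
            seen += 1
        return seen

    def expire(self, now):
        """Drop indicators whose TTL has run out; returns the dropped values."""
        stale = sorted(v for v, r in self.items.items() if r["expires"] <= now)
        for v in stale:
            del self.items[v]
        return stale

    def lookup(self, value, now):
        rec = self.items.get(value)
        return None if rec is None or rec["expires"] <= now else rec


def scan_log(store, lines, now):
    """(line, record) for every log line that mentions a live indicator."""
    hits = []
    for line in lines:
        for ip in IPV4.findall(line):
            rec = store.lookup(ip, now)
            if rec is not None:
                hits.append((line, rec))
    return hits


def run_demo():
    """Exercise the store on the constructed feeds; returns the observable results."""
    t0 = datetime(2014, 10, 16, 9, 0)
    store = IocStore()
    n1 = store.ingest(BADIPS_FEED, parse_ip_per_line, "badips", t0, timedelta(days=1))
    n2 = store.ingest(REPUTATION_FEED, parse_hash_delimited, "reputation", t0, timedelta(days=7))
    t1 = t0 + timedelta(days=2)      # two days on: the 1-day feed is stale, the 7-day one is not
    expired = store.expire(t1)
    # constructed proxy/firewall lines
    hits = scan_log(store, ["10.0.0.5 -> 192.0.2.200:443", "10.0.0.6 -> 10.0.0.7:80"], t1)
    return {"ingested": (n1, n2), "expired": expired,
            "live": sorted(store.items),
            "sources_of_shared": sorted(store.items["203.0.113.45"]["sources"]),
            "hits": [rec["value"] for _, rec in hits]}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The per-source TTL is the point: an address that only the one-day list knew drops out after a day of silence, while one that a second feed keeps confirming stays live, and a re-run of the same scraper refreshes rather than duplicates. Store the source set, not just the value, so a hit can be traced back to the feed that produced it.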


Sourcing IOCs internally

- honeypot feeds
- log analysis
- traffic analysis

96/150

Where to look for IOCs internally

- Outbound Network Traffic
- User Activities/Failed Logins
- User profile folders
- Administrative Access
- Access from unusual IP addresses
- Database IO: excessive READs
- Size of responses of web pages
- Unusual access to particular files within the Web Application (backdoor)
- Unusual port/protocol connections
- DNS and HTTP traffic requests
- Suspicious Scripts, Executables and Data Files

97/150

Challenges

Why do we need IOCs? Because it makes it easier to systematically describe knowledge about breaches.

- Identifying intrusions is hard
  - Unfair game:
    - the defender should protect all the assets
    - the attacker only needs to 'poop' one system
- Identifying targeted, organized intrusions is even harder
- Minor anomalous events are important when put together
- Seeing the global picture is a must
- Details matter
- Attribution is hard

98/150

Use honeypots

- Running honeypots gives an enormous advantage in detecting emerging threats
- Strategically placing honeypots is extremely important

99/150

HPfeeds, Hpfriends and more

100/150

HPFeeds Architecture

101/150

HPFeeds API in a nutshell:

    import pygeoip
    import hpfeeds
    import json

    HOST = 'broker'
    PORT = 20000
    CHANNELS = ['geoloc.events']
    IDENT = 'ident'
    SECRET = 'secret'

    # Source address of the honeypot hit. The slide leaves `ip` undefined, so a
    # TEST-NET placeholder stands in here for the real field of the honeypot event.
    ip = '198.51.100.7'

    gi = pygeoip.GeoIP('GeoLiteCity.dat')
    hpc = hpfeeds.new(HOST, PORT, IDENT, SECRET)

    # Geolocate the address once, then publish the coordinates to the channel.
    rec = gi.record_by_addr(ip)
    msg = {'latitude': rec['latitude'],
           'longitude': rec['longitude'],
           'type': 'honeypot hit'}
    hpc.publish(CHANNELS, json.dumps(msg))

102/150

hpfeeds integration

103/150

NTP probe collector

104/150

HPFeeds and honeymap

105/150

Applying IOCs to your detection process

moloch moloch moloch :)

106/150

Tools for Dynamic Detection of IOC

- Snort
- Yara + yara-enabled tools
- Moloch
- Splunk/Log search
- roll-your-own :p

107/150

Moloch

Moloch is awesome:

108/150

Open-source tools

OpenIOC manipulation:
    https://github.com/STIXProject/openioc-to-stix
    https://github.com/tklane/openiocscripts
Mantis Threat Intelligence Framework: https://github.com/siemens/django-mantis.git
Mantis supports STIX/CybOX/IODEF/OpenIOC etc. via importers: https://github.com/siemens/django-mantis-openioc-importer
Search Splunk data for IOC indicators: https://github.com/technoskald/splunk-search
Our framework: http://github.com/fygrave/iocmap/

109/150

iocmap

110/150

MISP

- http://www.secure.edu.pl/pdf/2013/D2_1530_A_Socha.pdf
- https://github.com/MISP

111/150

Tools for Dynamic Detection

- Moloch
  - Moloch supports Yara (IOCs can be directly applied)
  - Moloch has an awesome tagger plugin:

    # tagger.so
    # provides ability to import text files with IP and/or hostnames
    # into a sensor that would cause auto tagging of all matching ...
    plugins=tagger.so
    taggerIpFiles=blacklist,tag,tag,tag...
    taggerDomainFiles=domainbasedblacklists,tag,tag,tag

112/150

Moloch plugins

Moloch is easily extendable with your own plugins

- https://github.com/fygrave/moloch_zmq - makes it easy to integrate other things with Moloch via a ZMQ queue (pub/sub or push/pull model)

113/150

Moloch ZMQ example

CEP-based analysis of network traffic (using Esper): https://github.com/fygrave/clj-esptool/

    (esp:add "create context SegmentedBySrc partition by src from WebDataEvent")
    (esp:add "context SegmentedBySrc select src, rate(30) as ra... avg(rate(30)) as avgRate from WebDataEvent.win:time(30) having rate(30) ...

Snort rule (fragment):

    ... 8.8.8.8 53 (msg:"APT possible PlugX Google DNS TCP port 53 connection attempt"; classtype:misc-activity; sid:500000112; rev:1;)

129/150

GRR: Google Rapid Response: http://code.google.com/p/grr/

Hunting IOC artifacts with GRR

130/150

GRR: Creating rules

131/150

GRR: hunt in progress

132/150

Honeypots

Learn as much about the attacker as you can:
- What language does the attacker understand?
- What is the attacker's keyboard layout?
- What tools does the attacker use?
- Where are those hosted?
- Who are the targets?
- Client software information (kippo -> SSH client)

133/150

Honeypots

Plenty of hosting URLs and DDoS targets show up in honeypot logs

134/150

DNS: Detection

Passive DNS traffic acquisition and analysis, a couple of examples (last week):

    domain                    ip               owner
    rtvwerjyuver.com          69.164.203.105   linode
    tvrstrynyvwstrtve.com     109.74.196.143   linode
    cu3007133.wfaxyqykxh.ru   ...

What does your DNS traffic look like..?

135/150

DNS viz01

136/150

DNS viz02

137/150

DNS anonymizer traffic

Anonymizer

    8/13/2014 9:59:12 PM - ##.##.##.## - 0s.o53xo.pfxxk5dvmjss4y3pnu.dd34.ru
    8/13/2014 9:59:12 PM - ##.##.##.## - o53xo.pfxxk5dvmjss4y3pnu.dd34.ru
    8/13/2014 9:59:12 PM - ##.##.##.## - o53xo.pfxxk5dvmjss4y3pnu.dd34.ru
    8/13/2014 9:59:12 PM - ##.##.##.## - 0s.om.pf2gs3lhfzrw63i.dd34.ru
    8/13/2014 9:59:12 PM - ##.##.##.## - 0s.om.pf2gs3lhfzrw63i.dd34.ru
    8/13/2014 9:59:12 PM - ##.##.##.## - nbxxe33tnbuxsllwnn2xg.mjuxultvme.dd34.
    8/13/2014 9:59:12 PM - ##.##.##.## - nbxxe33tnbuxsllwnn2xg.mjuxultvme.dd34.
    8/13/2014 9:59:12 PM - ##.##.##.## - 0s.ne.pf2gs3lhfzrw63i.dd34.ru
    8/13/2014 9:59:12 PM - ##.##.##.## - 0s.ne.pf2gs3lhfzrw63i.dd34.ru
    8/13/2014 9:59:15 PM - ##.##.##.## - obuwg4y.nruxmzlkn52xe3tbnqxgg33n.dd34
    8/13/2014 9:59:15 PM - ##.##.##.## - obuwg4y.nruxmzlkn52xe3tbnqxgg33n.dd34
    8/13/2014 9:59:15 PM - ##.##.##.## - 0s.o53xo.mzqwgzlcn5xwwltdn5wq.dd34.r
    8/13/2014 9:59:15 PM - ##.##.##.## - 0s.o53xo.mzqwgzlcn5xwwltdn5wq.dd34.ru

    Time: Today 09:59:15pm
    Description: Phishing.bpwh
    Confidence Level: High
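The labels in these queries are base32, so a defender can decode them to see which site the client reached through the anonymizer, which is what makes this traffic worth flagging. Added example, not code from the talk: the encoding scheme (destination hostname split at its first dot, one unpadded lowercase base32 label per part, an optional leading '0s' label, fixed dd34.ru suffix) is inferred from the queries above and is an assumption, and the log lines are constructed in the slide's format.

```python
import base64
import re

# Constructed sample in the slide's log format: the dd34.ru anonymizer queries
# shown on the slide (client IP masked as on the slide) plus one benign name.
LOG = """\
8/13/2014 9:59:12 PM - ##.##.##.## - 0s.o53xo.pfxxk5dvmjss4y3pnu.dd34.ru
8/13/2014 9:59:12 PM - ##.##.##.## - 0s.om.pf2gs3lhfzrw63i.dd34.ru
8/13/2014 9:59:12 PM - ##.##.##.## - nbxxe33tnbuxsllwnn2xg.mjuxultvme.dd34.ru
8/13/2014 9:59:15 PM - ##.##.##.## - obuwg4y.nruxmzlkn52xe3tbnqxgg33n.dd34.ru
8/13/2014 9:59:15 PM - ##.##.##.## - www.example.com
"""
ANON_SUFFIX = ".dd34.ru"               # anonymizer zone seen on the slide
B32_LABEL = re.compile(r"^[a-z2-7]+$")  # lowercase base32 alphabet, unpadded

def decode_label(label):
    """Base32-decode one DNS label; None if it is not unpadded base32 text."""
    if not B32_LABEL.match(label):
        return None
    padded = label.upper() + "=" * (-len(label) % 8)
    try:
        return base64.b32decode(padded).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # bad length/alphabet or binary payload
        return None

def decode_anonymizer_query(qname):
    """Recover the hostname hidden in an anonymizer query; None if qname is not one."""
    qname = qname.lower()
    if not qname.endswith(ANON_SUFFIX):
        return None
    labels = qname[: -len(ANON_SUFFIX)].split(".")
    if labels and labels[0] == "0s":  # flag label, carries no hostname data
        labels = labels[1:]
    # Each remaining label is one base32-encoded piece of the hidden hostname,
    # split at its first dot (scheme inferred from the slide's data).
    parts = [decode_label(l) for l in labels]
    if not parts or None in parts:
        return None
    return ".".join(parts)

def anonymizer_hits(log):
    """(timestamp, client, query, hidden hostname) for each anonymizer query in log."""
    hits = []
    for line in log.splitlines():
        fields = [f.strip() for f in line.split(" - ", 2)]
        if len(fields) == 3:
            hidden = decode_anonymizer_query(fields[2])
            if hidden:
                hits.append((fields[0], fields[1], fields[2], hidden))
    return hits
```

The first query, for instance, decodes to www.youtube.com; the decoded hostnames can then be matched against the same domain watch-lists used for plain DNS traffic.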

138/150

Covert channel communication

    8/13/2014 5:49:04 PM - x.x.x.x - 5141017.mtdtzwdhc.mdgtmtmmd
    8/13/2014 5:49:04 PM - x.x.x.x - 5141017.mtdtzwdhc.mdgtmtmmd

    Time: Today 13:19:25
    Description: REP.bilscz Detected at Today 13:19:25
    Interface Name: bond1.382
    Interface Direction: outbound

139/150

Sinkhole in DNS (credit: domaintools.com)

140/150

Sinkhole in DNS (credit: domaintools.com)

141/150

DNS

Suspicious activity: DNS lookups:

    kojxlvfkpl.biz:149.93.207.203
    kojxlvfkpl.biz:216.66.15.109
    kojxlvfkpl.biz:38.102.150.27

142/150

Look for holes :)

143/150

Hole traffic

144/150

Categorizing Incidents

It is extremely important to be able to categorize your incidents or threats. There are multiple data sources that could be used to do so.

145/150

Categorization based on public sources

[tbd]

146/150

Categorization based on historical data

[tbd]

147/150

Categorization based on cross-source correlation

- Visualizing the Threats
- Filtering noisy extras
- Making decisions

148/150

Questions

@fygrave @vbkropotov @vitalychetvertakov

And answers :)

150/150