SANS Technology Institute Group Discussion/Written Project
Post on 08-Sep-2018


    SANS Technology Institute Group Discussion/Written Project

    GIAC Enterprises Downadup Incident

    3/1/2009

    Tim Proffitt, Seth Misenar, John Jarocki

    Table of Contents

    Executive Summary
    Introduction
    Detection Techniques
    Detection Testing Results and Certainty
    Top Three Recommendations
    Conclusion
    References
    GIAC Enterprises Project Plan

    Executive Summary

    The malware of 2009 is not the viruses of 10 years ago, where the threat was a rebooting computer or a corrupted hard drive. Malware of the present is designed to steal your information assets, take control of your infrastructure, join a botnet, or carry out a host of other criminal activities. On April 8, 2008, Symantec Corp. reported in its semiannual report on the state of security that its malware tally had topped 1 million for the first time in the second half of 2007, as the number of new malicious code threats skyrocketed. Of the 1.1 million code threats that Symantec has detected since it began writing signatures more than a quarter-century ago, 711,912 were discovered in 2007; 499,811 were picked up in the last six months of the year alone. Nearly two-thirds of all the threats that Symantec has ever uncovered have been found since 2007 (Turner, 2008). The trend in these statistics makes it difficult to believe that traditional antivirus solutions will be sufficient to mitigate malware variants. This should be an alarming statistic for GIAC Enterprises or any organization with information to protect.

    GIAC Enterprises has provided a secure web application and backend database infrastructure for the workforce to submit and process intellectual property. Although this does provide a layer of defense, it does not protect GIAC Enterprises from all attack vectors. One such attack vector, which is the focus of this report, is malware. Contained within this report, we are recommending several solutions for GIAC Enterprises to utilize to protect its information systems. First, the report outlines the various techniques and tools utilized for detection of Downadup malware. Second, as requested, the tiger team has identified three recommendations for the prevention of malware to GIAC enterprises. Additionally, several general malware prevention solutions are documented for future initiatives as GIAC Enterprises experiences success and growth.

    Introduction

    GIAC Enterprises has tasked our group with developing an approach for dealing with malware. In particular, GIAC is concerned with determining: whether they are currently infected with Downadup (a.k.a. Conficker); three recommended techniques that could be employed to prevent future malware infections; and a project plan associated with the implementation of these recommendations. While detection and prevention of malware is not an exact science, some basic measures can certainly be employed to mitigate the threat of initial infection and propagation.

    Detection Techniques

    The Downadup worm and its variants (Downadup.A, Downadup.B, Downadup.B++) have been highly successful at infecting large numbers of hosts due to a combination of both old and new techniques of propagation, survivability, and self-updating. Some of the specific features that enabled Downadup's growth include (Porras, Saidi, Yegneswaran, 2009):

    1. Remote exploitation of a fairly recent RPC-DCOM vulnerability (MS08-067), followed by patching the exploited code in memory (netapi32.dll) so that the vulnerability cannot be reused by others.

    2. Injection of the worm into a critical system process (services.exe).

    3. Detection of attempts to remotely exploit a Downadup-patched system, and use of those attempts as a peer-to-peer update communication channel.

    4. Multiple propagation methods, including direct remote MS08-067 exploitation, propagation via NetBIOS shares (using brute force password attempts), and creation of autorun.inf files to infect via attached USB devices or other removable media.

    5. Manipulation of Universal Plug and Play (UPnP) to modify the local Internet gateway so that remote computers can connect to the locally installed HTTP server.

    6. Patching of DNS APIs in memory to monitor and prevent access to security software update sites.

    7. Authentication of new worm code updates through the use of digital signatures.

    Although these variants have been successful, an organization patched for MS08-067, using strong passwords, with firewalls that do not allow inbound connections or self-modification via UPnP, and with Windows AutoRun disabled should have minimal risk of Downadup infections. Although we cannot be 100% sure there has not been an infection, we can recommend some techniques for detecting infected hosts and preventing future infections. At the request of the CIO, the team implemented several techniques to attempt to detect the presence of Downadup-infected hosts.

    Tasks Executed:

    - Ran a full virus scan of GIAC Enterprise systems using the existing antivirus solution. This scan was run overnight, to minimize impact to workers processing fortune cookie sayings.

    - Searched for scheduled tasks of the form "rundll32.exe.*", which Downadup.B creates to re-launch itself (using a list of GIAC systems to inspect in hosts.txt): (W32.Downadup.B, 2008)

    wmic /node:@hosts.txt job where (command like "rundll32.exe%") list /format:csv

    - Checked for systems that were vulnerable because they did not have the MS08-067 patch installed (Microsoft Security Bulletin MS08-067, 2008). The following wmic command creates a report of all hosts that have the Windows XP version of the patch applied (KB958644):

    wmic /node:@hosts.txt qfe where hotfixid="KB958644" list brief /format:HTABLE > ms08-067-xp.html

    - Checked for disabled services (Error Reporting Service, BITS, Automatic Updates, Windows Defender), all of which Downadup is known to stop:

    wmic /node:@hosts.txt service where (name="ERSvc" OR name="BITS" OR name="Wuauserv" OR name="WinDefend") get name, state /format:HTABLE > services.html

    - Looked for increased network congestion via network monitoring tools (netflow, firewalls).

    - Checked for failed logins, account lockouts, and lockout resets in Windows Domain Controller event logs.

    - Checked whether System Restore Points have been disabled. On a system where these are enabled, one or more restore points will be listed by the following command; otherwise, the string "No Instance(s) Available." is printed (zeraphis, 2005):

    wmic /namespace:\\root\default path SystemRestore get | find "No Instance"

    - Deployed IDS signatures for detection of Downadup as well as other known malware signatures.

    - Reviewed firewall logs for evidence of outbound propagation traffic or attempts to open ports via UPnP.
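    As an added example (not code from the original SANS report), the following Python script triages the output of the wmic checks listed above across many hosts. It assumes each query was run with /format:csv and its output saved per check; the host names, service states, hotfix IDs and scheduled-task commands below are constructed sample rows, not GIAC Enterprises data. It goes one step beyond the individual checks by counting how many independent indicators fire on each host, since any single indicator (a stopped service, for instance) can have a benign explanation.

```python
"""Triage wmic inventory output for the Downadup indicators checked above.

Added example, not code from the original SANS report. It assumes the
report's wmic queries were run with /format:csv and each result saved
to a file; the CSV rows below are constructed sample data.
"""
import csv
import io

# Services the report checks; Downadup.B is documented to stop these.
WATCHED_SERVICES = {"ERSvc", "BITS", "wuauserv", "WinDefend"}
# Windows XP hotfix for MS08-067 named in the report. Other OS versions use
# different KB numbers, so hosts running another OS need their own ID.
MS08_067_XP_KB = "KB958644"

# Constructed sample of:
#   wmic /node:@hosts.txt service where (...) get name,state /format:csv
SERVICE_CSV = r"""
Node,Name,State
WS01,BITS,Running
WS01,ERSvc,Running
WS01,WinDefend,Running
WS01,wuauserv,Running
WS02,BITS,Stopped
WS02,ERSvc,Stopped
WS02,WinDefend,Running
WS02,wuauserv,Stopped
WS03,BITS,Running
WS03,ERSvc,Running
WS03,WinDefend,Running
WS03,wuauserv,Running
"""

# Constructed sample of: wmic /node:@hosts.txt qfe get HotFixID /format:csv
QFE_CSV = r"""
Node,HotFixID
WS01,KB958644
WS01,KB951376
WS02,KB951376
WS03,KB958644
"""

# Constructed sample of: wmic /node:@hosts.txt job get Command /format:csv
# (the DLL path is a placeholder, not a real Downadup artifact)
JOB_CSV = r"""
Node,Command
WS01,C:\WINDOWS\system32\backup.exe
WS02,"rundll32.exe C:\WINDOWS\system32\placeholder.dll,entry"
"""


def parse_wmic_csv(text):
    """Parse wmic /format:csv output. wmic emits a blank first line and
    CRLF line ends; strip() and the csv module absorb both."""
    return list(csv.DictReader(io.StringIO(text.strip())))


def stopped_services(rows):
    """Host -> set of watched services that are not in the Running state."""
    found = {}
    for row in rows:
        if row["Name"] in WATCHED_SERVICES and row["State"] != "Running":
            found.setdefault(row["Node"], set()).add(row["Name"])
    return found


def unpatched_hosts(rows, kb=MS08_067_XP_KB):
    """Hosts that reported hotfixes but not the MS08-067 one. A host with no
    qfe rows at all was unreachable rather than unpatched and is not listed."""
    reported = {row["Node"] for row in rows}
    patched = {row["Node"] for row in rows if row["HotFixID"].upper() == kb}
    return reported - patched


def rundll32_jobs(rows):
    """Hosts with a scheduled task whose command starts with rundll32.exe."""
    return {row["Node"] for row in rows
            if row["Command"].lower().startswith("rundll32.exe")}


def triage(service_csv, qfe_csv, job_csv):
    """Host -> list of indicators that fired, always in the same order."""
    svc, qfe, job = (parse_wmic_csv(t) for t in (service_csv, qfe_csv, job_csv))
    stopped = stopped_services(svc)
    unpatched = unpatched_hosts(qfe)
    jobs = rundll32_jobs(job)
    report = {}
    for host in sorted({row["Node"] for row in svc + qfe + job}):
        indicators = []
        if host in stopped:
            indicators.append("services not running: " + ", ".join(sorted(stopped[host])))
        if host in unpatched:
            indicators.append("missing " + MS08_067_XP_KB)
        if host in jobs:
            indicators.append("rundll32.exe scheduled task")
        report[host] = indicators
    return report


def hosts_for_review(report, min_indicators=2):
    """A single indicator has benign explanations; require corroboration."""
    return sorted(h for h, ind in report.items() if len(ind) >= min_indicators)


if __name__ == "__main__":
    result = triage(SERVICE_CSV, QFE_CSV, JOB_CSV)
    for host, indicators in result.items():
        print(host, indicators or ["no indicators"])
    print("hosts needing manual review:", hosts_for_review(result))
```

    In the constructed data only WS02 trips more than one check, so it alone is queued for manual inspection; a host that merely had BITS stopped would be logged but not escalated, which is the fidelity problem the next section discusses.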

    Detection Testing Results and Certainty

    The results of our testing did not indicate the presence of Downadup infection, propagation, or post-infection communication at GIAC Enterprises. Although this is excellent news, we cannot state with 100% certainty that an infection has not occurred, because of the built-in fallibility of each test coupled with the base-rate fallacy (Axelsson, 2000). This is a consequence of Bayesian statistics: how often a positive result from any detection technique reflects a true infection depends on a combination of two factors:

    1. The likelihood of an occurrence in the general population (in this case, what percentage of hosts connected to the Internet, directly or indirectly, are infected with Downadup), and

    2. The accuracy of the particular test itself. For example, if a service that we test for could be disabled for reasons other than Downadup, then our test does not have a high fidelity.

    Although calculating the true detection rate of our tests is outside the scope of this assignment, we accept that 100% accuracy is neither possible nor required for us to state with reasonable certainty that GIAC Enterprises has not been infected with Downadup. Finally, we should note that this investigation was prompted by a notification to the GIAC Enterprises CIO from a peer who received an email, apparently from the CIO, that was marked as infected with Downadup. We obtained a sample of this email, including full header information. Our review of the headers showed that this email was spam, spoofed to appear to come from our CIO's email account. Additionally, the currently known Downadup worm variants have multiple propagation vectors, but none of them include transmission via email (Porras, et al, 2009).
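    The two factors named above (prevalence in the population and the accuracy of the test) combine through Bayes' rule, and the arithmetic is short enough to show. The following Python is an added example, not part of the original report; the prevalence, sensitivity and specificity figures in it are constructed assumptions chosen to illustrate the effect, not measured rates for any real test, and the last function additionally shows how several independent negative results lower the residual probability of a missed infection without ever driving it to zero.

```python
"""Base-rate arithmetic behind the certainty discussion above.

Added example, not part of the original SANS report. The prevalence,
sensitivity and specificity values are constructed assumptions chosen to
show the effect; they are not measured rates for any real test.
"""


def positive_predictive_value(prevalence, sensitivity, specificity):
    """P(infected | test positive), by Bayes' rule.
    prevalence  = fraction of the population actually infected (factor 1)
    sensitivity = P(positive | infected), specificity = P(negative | clean)
    (together these are factor 2, the accuracy of the test itself)."""
    true_pos = prevalence * sensitivity
    false_pos = (1.0 - prevalence) * (1.0 - specificity)
    return true_pos / (true_pos + false_pos)


def negative_predictive_value(prevalence, sensitivity, specificity):
    """P(clean | test negative): the quantity an all-negative sweep supports."""
    true_neg = (1.0 - prevalence) * specificity
    false_neg = prevalence * (1.0 - sensitivity)
    return true_neg / (true_neg + false_neg)


def expected_counts(n_hosts, prevalence, sensitivity, specificity):
    """Expected outcome counts when every host is tested once."""
    infected = n_hosts * prevalence
    clean = n_hosts - infected
    return {
        "true_pos": infected * sensitivity,
        "false_neg": infected * (1.0 - sensitivity),
        "false_pos": clean * (1.0 - specificity),
        "true_neg": clean * specificity,
    }


def posterior_after_negatives(prevalence, tests):
    """P(infected) after every test in `tests` came back negative.
    tests: iterable of (sensitivity, specificity) pairs. Multiplying the
    likelihood ratios assumes the tests fail independently, which is
    optimistic when several checks inspect the same artifact."""
    odds = prevalence / (1.0 - prevalence)
    for sensitivity, specificity in tests:
        # likelihood ratio of a negative result: P(neg|infected) / P(neg|clean)
        odds *= (1.0 - sensitivity) / specificity
    return odds / (1.0 + odds)


if __name__ == "__main__":
    # Assumed: 1% of hosts infected; the "service disabled" check catches 90%
    # of infections but also fires on 20% of clean hosts (low fidelity).
    ppv = positive_predictive_value(0.01, 0.90, 0.80)
    print(f"P(infected | service check positive) = {ppv:.3f}")
    print(expected_counts(1000, 0.01, 0.90, 0.80))
    # Three assumed checks of differing accuracy, all negative.
    checks = [(0.90, 0.80), (0.95, 0.99), (0.70, 0.95)]
    print(f"P(infected | all negative) = {posterior_after_negatives(0.01, checks):.2e}")
```

    With the assumed 1% prevalence, a positive from the low-fidelity service check means only about a 4% chance of real infection (roughly 198 false positives per 9 true ones across 1000 hosts), while the negative predictive value of the same check is above 99%. That asymmetry is why an all-negative sweep supports "reasonable certainty" of no infection even though no single positive would have been conclusive.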

    Prevention Techniques

    Because attackers are able to craft malicious code capable of bypassing antivirus detection more easily and effectively than before, and because targeted attacks are increasingly impacting small to medium enterprises such as GIAC Enterprises, it is imperative that GIAC Enterprises employ additional malware prevention techniques. While Conficker/Downadup serves as an especially salient example of such malware, the prevention techniques outlined below apply far more widely than to a single piece of malicious code.

    The goal of this phase is to provide recommendations for such preventative techniques and technologies. Though GIAC Enterprises has asked for three recommendations, we thought it prudent to highlight additional methods that could be employed should management determine that more or fewer resources can be dedicated to this project. The three most highly recommended prevention techniques are, of course, enumerated first. We would also be remiss not to mention that though preventing infection is a most laudable goal, building an infrastructure that supports and provides a facility for detection of malware infection is considerably more important; "prevention is ideal, but detection is a must" (Cole, p. 15, 2001).

    Top Three Recommendations

    Patch Management - Employ a third-party patch management tool and associated process for ensuring the prompt deployment of patches for applications installed throughout the enterprise. Although tools such as the free Windows Software Update Services (WSUS) from Microsoft are increasingly common in small to medium enterprises such as GIAC, focusing only on Microsoft patches is no longer sufficient. In part because of our facility for blocking infiltration via the perimeter, attackers are trending toward a focus on client-side applications (Turner, 2008). In addition, although 0-day exploits have received more press in recent years, the fact remains that the overwhelming majority of exploitations target a known vulnerability for which a patch exists. GIAC Enterprises should evaluate third-party patch management solutions capable of timely distribution of patches for applications used throughout the environment, which would help prevent malware infections that exploit known vulnerabilities.

    Secure Baseline Configurations - Standardize on hardened baseline configurations derived from industry best practices. Although all systems and applications should have a secure baseline configuration that is used consistently throughout the enterprise, the most important items to address initially are a secure base desktop configuration and a secure base server configuration. Hardened configurations specific to databases, network gear, mail servers, and web servers are certainly important, but ensuring that the basic desktop and server configurations represent sound starting points is key. A hardened baseline configuration can greatly reduce the exposure to malware infection by limiting the potential vulnerability touch points.

    Security Awareness Training/Acceptable Use Policy - Provide continuously updated security awareness training to all members of the GIAC Enterprises workforce, and ensure our Acceptable Use Policy (AUP) is strict enough to preclude actions commonly associated with malware infection. Most organizations do a poor job of making their workforce aware of security issues. End users serve not only as a common attack vector but, if properly trained and empowered, can also serve as members of the security team. A more knowledgeable workforce can serve as a first line of detection of security incidents. Well-intentioned users, if properly trained, are also less likely to engage in behaviors that might lead to malware infection. In addition to the base Security Awareness Training, GIAC Enterprises should also have a clear Acceptable Use Policy that makes obvious which actions are expected and which are prohibited.

    Additional Recommendations

    Egress Filtering - Where possible, and certainly at the network perimeter, employ egress filtering that allows only business-necessary traffic/ports to leave the organization. Strict filtering of outbound traffic is a basic implementation of the Defense in Depth principle of least privilege. In addition to the obvious benefit of not acting as an agent of propagation for spreading a malware infection beyond enterprise boundaries, egress filtering can also limit the abilities of the malware itself by preventing the malicious code from receiving updated instructions or software from an external entity. Allowing only outbound traffic that is necessary for business purposes, while easy to understand, can be extremely difficult to implement for enterprises that lack a sufficient understanding of what constitutes business-necessary access.

    Network Access Control (NAC)/Network Access Protection (NAP) - Employ a NAC/NAP solution that is capable of ensuring that a node meets defined minimum security standards before allowing network access. Enterprises typically have less robust security when facing an attacker or malware infection sourced from the internal network. Sales persons, contractors, mobile employees, VPN connections, and partner networks can all serve as sources of malware propagation or attack. Although the details and functionality certainly vary across vendors, NAC/NAP typically provides a facility by which some level of scrutiny can be placed on the security of an endpoint device before allowi...
