Peter Silberman INTRUSION RESPONSE


6/22/2010
Kris Harms, Peter Silberman
INTRUSION RESPONSE REALITY CHECK

USA vs Slovenia Score Update

MANDIANT
- APT and CDT experts
- VISA Qualified Incident Response Assessor (QIRA)
- Located in Washington, New York, Los Angeles, San Francisco
- Services, software, and education

MANDIANT Intelligent Response (MIR)
- Collect indicators from thousands of agents
- Index and search the results
- Live IR on thousands of systems at once
- From disk images to registry keys to live memory forensics

Introductions
- Kris Harms: IR Engagement Lead, Lead Instructor
- Peter Silberman: Researcher / Engineer, Co-Author of Memoryze and Audit Viewer, Malware Analysis Team

Important note: All information is derived from MANDIANT observations in non-classified environments. Some information has been sanitized to protect our clients' interests.

Agenda
- Why Most Defenders Lose
- A Few Malware Samples and Attacker Techniques
- How to Win
- A Few Investigation Techniques That Work Today

Why Defenders Lose: VS Your Company Logo Here

Why Defenders Lose

Why Defenders Lose: General Windows Knowledge VS Your Network Configuration. Choose Your Theater.

Why Defenders Lose: Porn Sites (sorry, no pictures)

Well, It Depends
Sample A:
- Obfuscated shellcode
- Built-in unknown functionality
- Keylogger functionality
- Ability to download functionality
- Compromised accounts?
- Exploit component?
- Pivot component?

Hiding in plain sight

Persistence Mechanism
Of the APT backdoor samples we have collected, 60% were persistent on the targeted system. Interestingly, of the non-persistent samples, almost a third used process injection to masquerade their network traffic as legitimate communication.
[Pie chart: persistence mechanism; legend HKLM Run key / Service / Other; slices 70%, 27% and 3%]

Persistence
- sens.dll: 5-byte persistence FTW
- services.exe: bringing cron back

The Legitimate DllMain() Function
The code in the DllMain() function calls two library functions: DisableThreadLibraryCalls() and GetProcessHeap().

    722D12B9 ; int __stdcall DllMain(struct HINSTANCE *, unsigned long, void *)
                      mov     edi, edi
                      push    ebp
                      mov     ebp, esp
                      mov     eax, [ebp+fdwReason]
                      dec     eax
    722D12C2          jnz     short loc_722D12D8
    722D12C4          push    [ebp+hLibModule]
    722D12C7          call    ds:__imp__DisableThreadLibraryCalls@4
    722D12CD          call    ds:__imp__GetProcessHeap@0
    722D12D3          mov     ?ghSensHeap@@3PAXA, eax
    722D12D8 loc_722D12D8:
    722D12D8          xor     eax, eax
    722D12DA          inc     eax
    722D12DB          pop     ebp
    722D12DC          retn    0Ch
    722D12DC DllEntryPoint endp

The Trojanized DllMain() Function
Now only GetProcessHeap() gets called from DllMain(). The call to DisableThreadLibraryCalls() has been replaced by a mysterious jmp instruction. The original indirect call (call ds:[...]) is six bytes long and the near jmp that replaced it is five, so one byte of the old call is left behind as the stray db 88h; this is the 5-byte persistence from the previous slide.

             ; int __stdcall DllMain(struct HINSTANCE *, unsigned long, void *)
                      mov     edi, edi
                      push    ebp
                      mov     ebp, esp
                      mov     eax, [ebp+fdwReason]
                      dec     eax
                      jnz     short loc_722D12D8
                      push    [ebp+hinstDLL]
                      jmp     loc_722D822D
    ; ---------------------------------------------------------------------------
                      db 88h
    ; ---------------------------------------------------------------------------
             loc_722D12CD:
                      call    ds:__imp__GetProcessHeap@0
                      mov     ?ghSensHeap@@3PAXA, eax
             loc_722D12D8:
                      xor     eax, eax
                      inc     eax
                      pop     ebp
                      retn    0Ch
    722D12DC DllEntryPoint endp
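To make the comparison between the two listings mechanical, here is an added example (mine, not the deck's or Mandiant's code) that decodes just the handful of x86 opcodes that appear in them and flags any branch whose target falls outside the code section. The byte strings are constructed to encode the two listings; the IAT slot addresses, the address of ?ghSensHeap and the .text bounds in TEXT_RANGE are assumptions, since the slide shows none of them. The sweep stops at the stray db 88h, exactly where a disassembler would stumble.

```python
"""Detect the 5-byte DllMain patch: a near jmp written over the 6-byte indirect call.

Added example, not Mandiant's code.  LEGIT_DLLMAIN / TROJANIZED_DLLMAIN are
CONSTRUCTED encodings of the two listings; IAT slot addresses, the address of
?ghSensHeap and the .text bounds in TEXT_RANGE are assumptions (the slide
shows none of them).  Only the opcodes present in the listings are decoded;
any other byte ends the linear sweep.
"""
import struct

BASE = 0x722D12B9                      # DllMain start, from the listing
TEXT_RANGE = (0x722D1000, 0x722D8000)  # assumed .text bounds; loc_722D822D lies outside

LEGIT_DLLMAIN = bytes.fromhex(
    "8BFF"          # mov  edi, edi
    "55"            # push ebp
    "8BEC"          # mov  ebp, esp
    "8B450C"        # mov  eax, [ebp+fdwReason]
    "48"            # dec  eax
    "7514"          # jnz  short loc_722D12D8
    "FF7508"        # push [ebp+hLibModule]
    "FF1528102D72"  # call ds:__imp__DisableThreadLibraryCalls@4  (IAT slot assumed)
    "FF152C102D72"  # call ds:__imp__GetProcessHeap@0             (IAT slot assumed)
    "A310A02D72"    # mov  ?ghSensHeap@@3PAXA, eax                (address assumed)
    "33C0"          # xor  eax, eax
    "40"            # inc  eax
    "5D"            # pop  ebp
    "C20C00"        # retn 0Ch
)
# The patch: bytes 14..19 (the first call) become "jmp loc_722D822D" (E9 + rel32 0x6F61)
# and the sixth byte of the old call survives as the stray "db 88h".
TROJANIZED_DLLMAIN = LEGIT_DLLMAIN[:14] + bytes.fromhex("E9616F000088") + LEGIT_DLLMAIN[20:]


def decode(code, base):
    """Linear-sweep decoder for the opcodes in the listings.

    Returns a list of (address, text, branch_target); branch_target is None for
    non-branch instructions.  Stops at the first byte it does not understand.
    """
    out, i = [], 0
    while i < len(code):
        addr, op, rest = base + i, code[i], code[i:]
        try:
            if rest.startswith(b"\x8B\xFF"):
                ins, size, tgt = "mov edi, edi", 2, None
            elif op == 0x55:
                ins, size, tgt = "push ebp", 1, None
            elif rest.startswith(b"\x8B\xEC"):
                ins, size, tgt = "mov ebp, esp", 2, None
            elif rest.startswith(b"\x8B\x45"):
                ins, size, tgt = "mov eax, [ebp+%#x]" % rest[2], 3, None
            elif op == 0x48:
                ins, size, tgt = "dec eax", 1, None
            elif op == 0x75:                                   # jnz rel8
                tgt = addr + 2 + struct.unpack_from("<b", rest, 1)[0]
                ins, size = "jnz short %#x" % tgt, 2
            elif rest.startswith(b"\xFF\x75"):
                ins, size, tgt = "push [ebp+%#x]" % rest[2], 3, None
            elif rest.startswith(b"\xFF\x15"):                 # call ds:[disp32], 6 bytes
                ins, size, tgt = "call ds:[%#x]" % struct.unpack_from("<I", rest, 2)[0], 6, None
            elif op == 0xE9:                                   # jmp rel32, 5 bytes
                tgt = addr + 5 + struct.unpack_from("<i", rest, 1)[0]
                ins, size = "jmp %#x" % tgt, 5
            elif op == 0xA3:
                ins, size, tgt = "mov [%#x], eax" % struct.unpack_from("<I", rest, 1)[0], 5, None
            elif rest.startswith(b"\x33\xC0"):
                ins, size, tgt = "xor eax, eax", 2, None
            elif op == 0x40:
                ins, size, tgt = "inc eax", 1, None
            elif op == 0x5D:
                ins, size, tgt = "pop ebp", 1, None
            elif op == 0xC2:
                ins, size, tgt = "retn %#x" % struct.unpack_from("<H", rest, 1)[0], 3, None
            else:
                out.append((addr, "db %#04x  ; undecoded, sweep stopped" % op, None))
                break
        except (struct.error, IndexError):                    # operand runs past the buffer
            out.append((addr, "db %#04x  ; truncated, sweep stopped" % op, None))
            break
        out.append((addr, ins, tgt))
        i += size
    return out


def find_out_of_section_jumps(code, base, text_range=TEXT_RANGE):
    """(address, target) for every branch that leaves the code section."""
    lo, hi = text_range
    return [(a, t) for a, _, t in decode(code, base) if t is not None and not lo <= t < hi]


if __name__ == "__main__":
    for label, code in (("legitimate", LEGIT_DLLMAIN), ("trojanized", TROJANIZED_DLLMAIN)):
        print(f"--- {label} DllMain ---")
        for addr, text, _ in decode(code, BASE):
            print(f"{addr:08X}  {text}")
        print("branches leaving .text:",
              [f"{a:#x} -> {t:#x}" for a, t in find_out_of_section_jumps(code, BASE)])
```

On the trojanized bytes the sweep reports the jmp at 722D12C7 to 722D822D and then stops on the leftover 88h; the legitimate bytes produce no out-of-section branch. In practice the same check is run over the entry point of every loaded module, with the section bounds read from the PE headers rather than assumed.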

Would You Know It's Bad?
[Table of shell extension entries, columns Entry / Entry Location / Publisher / Image Path. Entry location for every row: HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved. Entries shown include Directory Service Find and Directory Service Common UI. Publisher column: three rows "(Not verified) Internet Security Systems, Inc." with image paths under c:\program files (cut off in the transcription), one row "(Not verified) Microsoft Corporation", and three rows "(Verified) Microsoft Windows Publisher" with image paths c:\windows\system32\dsquery.dll, c:\windows\system32\dsuiext.dll and c:\windows\system32\dsuiext.dll]

Abusing services.exe: UNMODIFIED vs MODIFIED

services.exe
- Automatic installer
- services.exe loads malicious DLL
- DLL implements cron-like functionality

Hiding in plain sight (network)
- Used for Command and Control: communicate, control the target, gather information
- Attackers want this to be covert
- HTTP/S is commonly encrypted, but it's not always SSL!
- Encrypted HTML comments: <!-- aHR0cAXXXXXX -->
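"Encrypted" here is really encoding: aHR0cA is how the base64 of any string beginning with http starts. The following is an added example (not the deck's code) of a scanner for HTML comments that tries a base64 decode of each comment and reports the ones that resolve to a URL or begin with the #!#obot marker from the compromise profile later in the deck. The page body is constructed, and the encoded values are built inline so the sample stays readable.

```python
"""Decode what hides in HTML comments of a fetched page.

Added example, not the deck's code.  Every <!-- ... --> comment is tried as
base64 (the slide's aHR0cA... is how base64 of a string beginning with "http"
starts); comments that decode to a URL, or that start (raw or decoded) with the
"#!#obot" marker from the compromise profile, are reported.  SAMPLE_PAGE is
constructed; the encoded values are built inline so the example stays readable.
"""
import base64
import binascii
import re

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
B64_ALPHABET_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MARKERS = ("#!#obot",)          # comment prefix from the compromise profile
URL_PREFIXES = ("http://", "https://")


def try_base64(text):
    """Return the printable-ASCII plaintext of a base64 candidate, else None."""
    compact = "".join(text.split())                    # tolerate wrapped lines
    if len(compact) < 4 or not B64_ALPHABET_RE.match(compact):
        return None
    compact += "=" * (-len(compact) % 4)               # restore dropped padding
    try:
        raw = base64.b64decode(compact, validate=True)
        plain = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return plain if plain.isprintable() else None


def suspicious_comments(html):
    """List (kind, raw_comment, plaintext) for comments carrying a URL or a marker."""
    findings = []
    for match in COMMENT_RE.finditer(html):
        raw = match.group(1).strip()
        if raw.startswith(MARKERS):
            findings.append(("plain", raw, raw))
            continue
        plain = try_base64(raw)
        if plain and (plain.startswith(URL_PREFIXES) or plain.startswith(MARKERS)):
            findings.append(("base64", raw, plain))
    return findings


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed page: two ordinary comments, one base64 URL, one base64 command,
# one raw command, and a short base64 string that decodes to harmless text.
SAMPLE_PAGE = f"""<html><head><title>Weather</title></head>
<body>
<!-- header v3.1 -->
<p>Partly cloudy.</p>
<!-- {_b64('http://c2.example.invalid/cmd.php')} -->
<!-- {_b64('#!#obot sleep 600')} -->
<!-- #!#obot run -->
<!-- QUJD -->
</body></html>"""

if __name__ == "__main__":
    for kind, raw, plain in suspicious_comments(SAMPLE_PAGE):
        print(f"{kind:6}  {raw!r:50} -> {plain!r}")
```

The "QUJD" comment decodes cleanly (to "ABC") but matches neither a URL nor a marker, so it is not reported; the filter on decoded content is what keeps ordinary build tags and version comments out of the results.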

Hiding in plain sight (network)
[Pie chart, Connection port: legend TCP/80 or 443 and Non-HTTP/HTTPS; slices 83% and 17%]
[Chart, Communication Security: HTTP(S) ports vs Non-HTTP(S) ports]

Access management
Attackers track your assets. Backdoors:
- Need to know: IP/Hostname
- May know: OS / SP level, MAC, RAM
- When one goes away they need to re-up their inventory (x 2)
- New malware

Sample beacon:
GET /search####/search####?h1=##&h2=##&h3=##&h4=FMFEFEFHAEBIBKFOFEAGFGFC
- ####: random number
- h1: OS
- h2: proxied
- h3: malware version
- h4: encoded MAC address
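A beacon that carries the attacker's inventory is also the defender's inventory. Added example (not the deck's code): it matches the request shape from the slide in proxy logs and groups the hits by h4, the implant's identity tag, so the number of infected hosts and the versions in play fall out directly. The log lines are constructed in a plain "timestamp client method url status" layout; the meaning of the h2 values is not decoded because the slide does not give it, so they are only counted.

```python
"""Pull the asset-inventory beacon out of proxy logs and count implants by host tag.

Added example, not the deck's code.  The request shape is the slide's
GET /search####/search####?h1=..&h2=..&h3=..&h4=.. (#### random; h1 OS, h2 proxied,
h3 malware version, h4 encoded MAC).  Log lines are CONSTRUCTED in a plain
"timestamp client method url status" layout; swap the field split for your proxy.
"""
import re
from collections import Counter, defaultdict

BEACON_RE = re.compile(
    r"/search\d+/search\d+\?"
    r"h1=(?P<os>[^&\s]+)&h2=(?P<proxied>[^&\s]+)&h3=(?P<version>[^&\s]+)&h4=(?P<mac>[A-Z]+)(?=\s|$)"
)

# Constructed log.  The first h4 value is the one printed on the slide; the second is made up.
SAMPLE_PROXY_LOG = """\
2010-06-21T08:00:01 10.1.4.22 GET http://news.example.invalid/index.html 200
2010-06-21T08:00:07 10.1.4.22 GET http://cdn.example.invalid/search4711/search4711?h1=5&h2=1&h3=3&h4=FMFEFEFHAEBIBKFOFEAGFGFC 200
2010-06-21T08:05:07 10.1.4.22 GET http://cdn.example.invalid/search0932/search0932?h1=5&h2=1&h3=3&h4=FMFEFEFHAEBIBKFOFEAGFGFC 200
2010-06-21T08:06:19 10.1.7.90 GET http://cdn.example.invalid/search8812/search8812?h1=5&h2=0&h3=2&h4=FBFAFCFDFEFFAGAHAIAJAKAL 200
2010-06-21T08:07:00 10.1.9.3 GET http://www.example.invalid/search?q=football 200
2010-06-21T08:08:44 10.1.7.90 GET http://cdn.example.invalid/search2200/search2200?h1=5&h2=0&h3=2&h4=FBFAFCFDFEFFAGAHAIAJAKAL 200
"""


def parse_beacons(log_text):
    """One dict per beacon: timestamp, client, destination host and the h1..h4 fields."""
    beacons = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, client, _method, url, _status = fields[:5]
        m = BEACON_RE.search(url)
        if m:
            dest = url.split("/")[2] if "://" in url else ""
            beacons.append({"ts": ts, "client": client, "dest": dest, **m.groupdict()})
    return beacons


def inventory(beacons):
    """Group by h4, the implant's identity tag: clients, versions and beacon count per tag."""
    by_tag = defaultdict(lambda: {"clients": set(), "versions": set(), "beacons": 0})
    for b in beacons:
        entry = by_tag[b["mac"]]
        entry["clients"].add(b["client"])
        entry["versions"].add(b["version"])
        entry["beacons"] += 1
    return dict(by_tag)


def summarize(log_text):
    """Fleet-level view: how many implants, which versions, which C2 hosts."""
    beacons = parse_beacons(log_text)
    inv = inventory(beacons)
    return {
        "beacons": len(beacons),
        "implants": len(inv),
        "versions": Counter(b["version"] for b in beacons),
        "proxied_values": Counter(b["proxied"] for b in beacons),   # meaning not decoded
        "c2_hosts": sorted({b["dest"] for b in beacons}),
    }


if __name__ == "__main__":
    for tag, entry in inventory(parse_beacons(SAMPLE_PROXY_LOG)).items():
        print(tag, sorted(entry["clients"]), sorted(entry["versions"]), entry["beacons"])
    print(summarize(SAMPLE_PROXY_LOG))
```

The legitimate /search?q=football request does not match because the pattern requires the doubled /search<number>/ path, and a tag seen from two different client addresses would show up as a set of two clients for one h4, which is the kind of DHCP or proxy artifact worth reconciling before counting hosts.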

USA vs Slovenia Score Update
The beatings will continue until security improves.
HOW TO WIN

Step 1: Redefine Winning
Goals Are Customized Per Organization, But Can Include:
- Improve Detection Capability
- Centralize Logs
- Acquire Outside Intelligence
- Improve Response Capability
- Remove Political Hurdles
- Iron Processes Out
- Practice Remediation
- Raise the Cost of the Theft to Equal Development
- Staff Management

Practical Advice: Detect and Respond is what is working today.

Game Changers of Today: INVESTIGATION TECHNIQUES

Working Investigation Techniques
- Differential Analysis
- Racking and Stacking
- Hard Core Forensic Knowledge
- Code Signing
- Intelligence Based Detection

They Dare You to Notice
[Table of service records stacked by Count / Service Name / Path; counts shown: 5,598, 2 and 5,235; paths include C:\WINDOWS\System32\svchost and %SystemRoot%\System32\wauaserv.dll]
What's bad?
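The slide's table is racking and stacking in practice: count how many hosts carry each service registration and the odd one stands out by its count of 2 among thousands. Added example (mine, not Mandiant's code) that does the same over a constructed fleet and adds a second signal, edit distance to a well-known DLL name: the wauaserv.dll on the slide is two edits away from the legitimate Windows Update DLL wuauserv.dll. The inventory, host names and the short allow-list of known DLL names are all constructed.

```python
"""Rack and stack: count hosts per service registration and surface the rare and the near-miss.

Added example, not Mandiant's code.  The fleet below is CONSTRUCTED: 200 hosts with
the same three services, plus two hosts carrying a service DLL named like the
slide's wauaserv.dll, two edits away from the legitimate Windows Update DLL
wuauserv.dll.  KNOWN_SERVICE_DLLS is a short sample allow-list, not a complete one.
"""
from collections import defaultdict

KNOWN_SERVICE_DLLS = {"wuauserv.dll", "browser.dll", "dnsrslvr.dll", "termsrv.dll"}  # sample


def build_sample_inventory(n_hosts=200):
    """(host, service name, ServiceDll path) records, as a fleet-wide collector would return."""
    records = []
    for i in range(n_hosts):
        host = f"ws{i:04d}"
        records.append((host, "wuauserv", r"%SystemRoot%\System32\wuauserv.dll"))
        records.append((host, "Browser", r"%SystemRoot%\System32\browser.dll"))
        records.append((host, "Dnscache", r"%SystemRoot%\System32\dnsrslvr.dll"))
    for host in ("ws0042", "ws0137"):                      # the two hosts that "dare you to notice"
        records.append((host, "wauaserv", r"%SystemRoot%\System32\wauaserv.dll"))
    return records


def stack(records):
    """Map (service name, normalised path) -> number of distinct hosts carrying it."""
    hosts = defaultdict(set)
    for host, name, path in records:
        hosts[(name.lower(), path.lower())].add(host)
    return {key: len(h) for key, h in hosts.items()}


def levenshtein(a, b):
    """Edit distance; small enough to write inline rather than pull a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def rare_entries(stacked, max_hosts=5):
    """Registrations seen on at most max_hosts hosts, rarest first."""
    return sorted((n, key) for key, n in stacked.items() if n <= max_hosts)


def lookalikes(stacked, known=KNOWN_SERVICE_DLLS, max_dist=2):
    """DLL basenames that are close to, but not the same as, a well-known name."""
    found = set()
    for _name, path in stacked:
        basename = path.rsplit("\\", 1)[-1]
        for k in known:
            d = levenshtein(basename, k)
            if 0 < d <= max_dist:
                found.add((basename, k, d))
    return sorted(found)


def triage(records):
    """Both signals over one inventory: what is rare, and what imitates a known name."""
    stacked = stack(records)
    return {"rare": rare_entries(stacked), "lookalikes": lookalikes(stacked)}


if __name__ == "__main__":
    result = triage(build_sample_inventory())
    for n, (name, path) in result["rare"]:
        print(f"{n:>6}  {name:12} {path}")
    for basename, k, d in result["lookalikes"]:
        print(f"{basename} is {d} edit(s) from {k}")
```

Stacking on (name, path) rather than name alone is deliberate: the attacker's entry can reuse a legitimate service name and still be separated out by its DLL path, which is how the svchost rows on the slide split.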

File System Review
MFT Parsing

Digital Signature Checking: Audit Viewer and Memoryze with MRI Intelligence

Generate a Compromise Profile
There is an ongoing APT-related incident. At least 35 systems with APT backdoors have been discovered. One of the backdoors installs itself as a Windows service named "ersvc" with a service DLL of "%SystemRoot%\system32\ersvr.dll". The file size is 23,040 bytes and the MD5 hash is 906b5626b779eb90b4f403c3b4503b46. In all cases, the modification date of the backdoor file was 2009-03-21 10:06 AM.
The backdoor connects to a remote site via standard HTTP protocol, and downloads a Web page that contains a specially formatted HTML comment. The HTML comment contains instructions for the backdoor, and starts with "<!-- #!#obot". The backdoor will use the user-agent string "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0; obot)". The backdoor uses a mutex called "))!VoqA.I4q". In some cases, the backdoor has been installed laterally using the credentials of a user named "lazydg".
Your boss would really like you to clean up the network.

Identify content you can use to identify this attacker in your network.

Generate a Compromise Profile (continued)
Same profile text, annotated by how hard each item is for the attacker to change:
- Cheap to Change: No Coding Necessary
- More Costly To Change: Original Author / Source Code Available

Intelligence Based Detection
- OpenIOC (Open Indicator of Compromise Language)
- Developed by Mandiant in conjunction with Industry
- Designed to Facilitate Sharing of Actionable Intelligence
- Free
- OpenIOC IOC Editor on the Mandiant Website to Create and Manage Indicators
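The exercise on the two profile slides, as an added example that is neither OpenIOC nor Mandiant's IOC Editor: the indicator values are the ones in the profile, turned into a small indicator list and evaluated against host snapshots. The host snapshots, the artifact field names and the cheap/costly labels are constructed or assumed; the labelling follows the slide's split (cheap means no coding is needed to change it, costly means the original author has to touch source), and the point it demonstrates is that a host whose implant was re-named, re-hashed and re-timestamped still lights up on the costly indicators.

```python
"""Turn the compromise profile into indicators and evaluate them against host snapshots.

Added example; this is not OpenIOC and not Mandiant's IOC Editor.  The indicator
values are the ones in the profile above.  The host snapshots, the artifact field
names and the "cheap"/"costly" labels are CONSTRUCTED/ASSUMED: cheap means the
attacker can change it with no coding, costly means the original author has to
touch source.
"""

# (artifact, field, expected value, condition, cost-to-change for the attacker)
PROFILE_IOCS = [
    ("service", "name", "ersvc", "is", "cheap"),
    ("file", "path", r"%SystemRoot%\system32\ersvr.dll", "is", "cheap"),
    ("file", "md5", "906b5626b779eb90b4f403c3b4503b46", "is", "cheap"),
    ("file", "size", 23040, "is", "cheap"),
    ("file", "mtime", "2009-03-21 10:06", "contains", "cheap"),
    ("logon", "user", "lazydg", "is", "cheap"),
    ("http", "user_agent", "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0; obot)", "is", "costly"),
    ("http", "body", "#!#obot", "contains", "costly"),
    ("mutex", "name", "))!VoqA.I4q", "is", "costly"),
]


def _matches(observed, expected, condition):
    """Case-insensitive string compare; exact compare for numbers."""
    if isinstance(observed, str) and isinstance(expected, str):
        o, e = observed.lower(), expected.lower()
        return o == e if condition == "is" else e in o
    return condition == "is" and observed == expected


def evaluate(snapshot, iocs=PROFILE_IOCS):
    """(artifact, field, expected, cost, item id) for every indicator that fires."""
    hits = []
    for artifact, field, expected, condition, cost in iocs:
        for item in snapshot.get(artifact, []):
            if field in item and _matches(item[field], expected, condition):
                hits.append((artifact, field, expected, cost, item.get("id")))
    return hits


def assess(snapshot):
    """Count hits by cost class; any hit means the host needs a look."""
    hits = evaluate(snapshot)
    cheap = sum(1 for h in hits if h[3] == "cheap")
    costly = sum(1 for h in hits if h[3] == "costly")
    return {"cheap": cheap, "costly": costly, "compromised": bool(hits), "hits": hits}


# Constructed snapshots.  HOST_A is the backdoor exactly as profiled; HOST_B is the same
# implant after the attacker made the no-coding changes (new name, path, build, account);
# HOST_C is clean.  Hashes other than the profiled one are placeholders.
HOST_A = {
    "service": [{"id": "svc-1", "name": "ersvc"}],
    "file": [{"id": "f-1", "path": r"%SystemRoot%\system32\ersvr.dll",
              "md5": "906b5626b779eb90b4f403c3b4503b46", "size": 23040, "mtime": "2009-03-21 10:06:00"}],
    "http": [{"id": "req-1", "user_agent": "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0; obot)",
              "body": "<html><!-- #!#obot sleep 900 --></html>"}],
    "mutex": [{"id": "m-1", "name": "))!VoqA.I4q"}],
    "logon": [{"id": "l-1", "user": "lazydg"}],
}
HOST_B = {
    "service": [{"id": "svc-2", "name": "wsupd"}],
    "file": [{"id": "f-2", "path": r"%SystemRoot%\system32\wsupd.dll",
              "md5": "00000000000000000000000000000000", "size": 23552, "mtime": "2010-05-02 21:40:00"}],
    "http": [{"id": "req-2", "user_agent": "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0; obot)",
              "body": "<html><!-- #!#obot get update --></html>"}],
    "mutex": [{"id": "m-2", "name": "))!VoqA.I4q"}],
    "logon": [{"id": "l-2", "user": "backupadm"}],
}
HOST_C = {
    "service": [{"id": "svc-3", "name": "wuauserv"}],
    "file": [{"id": "f-3", "path": r"%SystemRoot%\system32\wuauserv.dll",
              "md5": "11111111111111111111111111111111", "size": 200704, "mtime": "2008-04-14 12:00:00"}],
    "http": [{"id": "req-3", "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
              "body": "<html><!-- nav v2 --></html>"}],
    "mutex": [{"id": "m-3", "name": "Global\\WUAUSERV_LOCK"}],
    "logon": [{"id": "l-3", "user": "jsmith"}],
}

if __name__ == "__main__":
    for label, snap in (("HOST_A", HOST_A), ("HOST_B", HOST_B), ("HOST_C", HOST_C)):
        r = assess(snap)
        print(f"{label}: cheap={r['cheap']} costly={r['costly']} compromised={r['compromised']}")
```

HOST_B is the case the cost split is about: all six cheap indicators miss, the three costly ones still hit. An indicator set built only from the hash, path and timestamp would have reported that host clean.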

Truths To Date
No organization has been prepared to defend their network against a nation state sponsored attacking capability.
There is no industry or government solution to protect our commercial companies right now.

USA vs Slovenia Score Update

Questions?

RESOURCES
- M-Trends: MANDIANT website
- M-Unition Blog (blog.mandiant.com)
- Mandiant is Hiring! Help us Out! Recruiting@mandiant.com
- Web Historian 2.0: released yesterday at FIRST
