Fidelis XPS™ Power Tools: Network YARA Implementation
September 2013
Introduction

Threat actors are constantly evolving their tactics, employing new evasion techniques, new ways to trick the user, and new methods to exploit your network infrastructure. While there have been some recent instances of purely destructive attacks, the majority of compromises we examine are attempting to steal something of value. The network defender is tasked with the daunting responsibility of stopping the onslaught of attacks from across the Internet and protecting their valuable information from theft. The Fidelis XPS™ advanced threat defense solution supports the defender’s goals by providing access to leading-edge technological advances and enabling unparalleled detection at unmatched speed to stop a targeted attack.

The network security ecosystem has evolved in lockstep with the threat actors, attempting to stay ahead of them and provide the appropriate defenses. One of the chief goals of network security tools is to quickly and accurately identify a file object entering a network and determine whether that object is malicious. Identification accuracy is important because network defenders do not have the time or resources to chase every lead; they need high confidence that a detected event is in fact something worth investigating. An additional aspect of accuracy is the ability to detect new malicious threats that have not been previously observed in the wild, finding the unknown before it infects your infrastructure. Speed of detection is also a key factor in network defense, because alerting on a compromise is only valuable if the defender is given time to react. It is a clear goal of Fidelis XPS to identify malicious behavior as early in the threat lifecycle as possible, giving the defender as much time as possible to thwart the attacker.

Speed and accuracy are key tenets of Fidelis XPS, which is continuously evolving to ensure Fidelis customers stay ahead of the threat actors by identifying the newest threats at the speed of their business. Incorporating network-based YARA analysis of objects on the wire in real time into Fidelis XPS’ Deep Session Inspection® provides a new capability to Fidelis customers and the industry, a leap forward in both the ability to find new threats and the speed to stop attackers in their tracks.

Fidelis XPS: The Speed to Prevent

Fidelis XPS is an advanced threat defense solution with three primary components: a management console (Fidelis XPS CommandPost), a network sensor (the Fidelis XPS family of sensors) and a non-selective network memory device (Fidelis XPS Collector). The family of Fidelis XPS sensors is deployed on the network at key monitoring points, for example where internal network traffic leaves the enterprise’s control or outside a network data center. In these locations, Fidelis XPS sensors can inspect network traffic in real time and take user-defined granular actions on sessions and session objects that violate a defined policy. The core technology that powers the Fidelis XPS solution is the patented Deep Session Inspection architecture.

Deep Session Inspection®

Most malicious content is obfuscated or embedded in some way to make it through enterprise network security hygiene layers. Fidelis XPS leverages more than twelve years of development on our core intellectual property, Deep Session Inspection, to extract malicious content out of the most obfuscated traffic.

Fidelis XPS’ patented Deep Session Inspection technology reassembles sessions; decodes and analyzes compression, packing, obfuscation, embedded objects, etc.; and gets to the core components of a network transmission in real time. This technology is applied to all network protocols, applications, and content types, and is successful at decoding traffic types it does not natively understand, such as raw TCP sessions. Through these techniques, Fidelis XPS sees deeper into the content of traffic on the network than any other technology.

Fidelis XPS’ Deep Session Inspection engine extracts all objects of interest from network sessions and prioritizes them using a combination of object type, static object decoding, and analysis. Next, in conjunction with Fidelis XPS’ policy engine and Insight Threat Intelligence feeds, it passes these objects to further stages of analysis through the Malware Detection Stack, while also extracting session attributes and metadata for detailed analysis and threat determination.

YARA: The Power to Identify

YARA is a malware discovery and classification tool written by Víctor Manuel Álvarez of VirusTotal. His tool has gained broad acceptance in the malware analysis and reverse engineering communities as the new de facto standard for creating and sharing malware identification and classification rules. He summarizes the tool best in the introduction to the YARA User’s Manual ver. 1.6 [http://code.google.com/p/yara-project/]:

“YARA is a tool aimed at helping malware researchers to identify and classify malware families. With YARA you can create descriptions of malware families based on textual or binary information contained on samples of those families. These descriptions, named rules, consist of a set of strings and a Boolean expression, which determines the rule logic. Rules can be applied to files or running processes in order to determine if it belongs to the described malware family.”

This analysis engine provides the ability to create in-depth query statements in a way that is easy to understand and implement. For example, if someone wants to identify multiple strings in a file object, he can write the condition “all of them”, “any of them”, or “one of them”. This logic can include more involved statements, which allow for deep scanning with an easy-to-understand implementation.

YARA is also supported by a diligent and growing community of malware analysts, network defenders, and reverse engineers who are constantly discovering new techniques and communicating those discoveries via community forums, blogs, and private sharing groups. These rules are shared in a standardized format, which allows security analysts and security products to understand the data structure and quickly implement the intelligence. Most security tools on the market maintain their own proprietary rule-writing language, which makes intelligence sharing and data input a difficult, multi-step process. YARA provides a standardized rule syntax that expedites dissemination and ingestion of actionable intelligence.

Combining the Speed to Prevent with the Power to Identify

YARA is an outstanding and powerful analysis engine, typically employed against data at rest. Deep Session Inspection was designed to operate on data in motion. By incorporating YARA, Fidelis XPS now offers extraordinary file detection, classification, and control over objects moving across your network or across your boundaries in real time.

Harnessing the Power of Deep Session Inspection

YARA excels at malware discovery and classification, but the tool needs to be provided with an object of interest in order to operate. Typically, this would be a file present on disk or an end-point system’s memory snapshot that has been selected because of an ongoing investigation. This characteristic reduces the effectiveness of detection in the traditional implementation of YARA, since an analyst would need some way of funneling a suspicious object to YARA for investigation. Fidelis XPS takes the approach that all network traffic is of interest and warrants some type of investigation; thus, using Fidelis XPS Deep Session Inspection as the funnel, we are able to apply YARA analysis to all applicable files entering the enterprise or crossing some boundary in the company.

As Fidelis XPS reassembles a session in real time in memory and decodes and analyzes the content, it also categorizes the file objects it discovers. Fidelis XPS can find file objects hidden behind obfuscation, archived objects, compressed files, and many other evasion techniques used by threat actors. Once Fidelis XPS finds the hidden objects, it subjects them to targeted analysis aimed at uncovering the attributes of the particular file type and analyzes the object using our Malware Detection Stack [see our white paper titled Fidelis XPS Power Tools: Malware Detection Stack at http://www.fidelissecurity.com/data-security-resources/white-papers]. At this stage, Fidelis XPS will also apply YARA rules directly to content of interest; for example, YARA rules meant to find malicious executable files are applied exclusively to the executable file objects found in the network stream.

Leveraging the Community

Malware analysts have been leveraging YARA rules to detect known malware, new variants of malware families, and even previously unknown malware for years. There is a wealth of rules available online and in user communities, with new rules being developed and shared every day. One of the best resources for finding YARA sharing communities and additional information on using YARA for analysis is Deep End Research: [http://www.deependresearch.org/2013/02/yara-resources.html].

Fidelis XPS provides a simple user interface for implementing existing YARA rules. Since Fidelis XPS uses the standard YARA syntax for rule creation, an analyst can transition from finding an exciting new rule to defending their enterprise in seconds. This functionality allows your network defense team to immediately extend its reach to the vast potential of the entire YARA community. Copy, paste, protect.

Prevent! Prevent! Prevent!

Recently, pundits have stated that the concept of preventing malicious content from entering the enterprise is too difficult and costly to put in place. Instead, they say, network defenders should assume they have been infected and focus their time and resources on remediation and containment. At Fidelis, we understand the need for a strong remediation focus and historical evidence collection. Fidelis XPS Collector was created from the need to assist network investigations by providing rich metadata about all network sessions traversing the Fidelis XPS family of sensors. However, we do not believe in letting the malware authors have their way in your network, even for a second. Instead, we empower our users to take the fight back to the network ingress point by providing market-leading analysis and prevention of anomalous traffic. YARA is yet another tool in our toolbox that allows network defenders to define a malicious object and prevent it from entering your enterprise. If prevention is not utilized, Fidelis XPS still offers extremely fast detection of malicious or suspicious events in the network, resulting in notification of a policy violation seconds after the event.

Remediation and containment are important aspects of incident response, but giving up on prevention entirely because it is too difficult only ensures that your remediation team will be extremely busy for the foreseeable future. Combining the speed of Fidelis XPS Deep Session Inspection and the power of YARA analysis makes the seemingly difficult problem of prevention suddenly appear simple. With Fidelis XPS, prevention can be a powerful tool in the network defender’s arsenal.

Fidelis XPS Implementation of YARA

Below is an example of implementing a YARA rule for detecting njRAT, a malicious remote administration tool that Fidelis has observed in the field. For more information on njRAT, please see the Fidelis Threat Advisory [http://www.threatgeek.com/2013/06/fidelis-threat-advisory-1009-njrat-uncovered.html] or the blog post describing YARA detection rules [http://www.threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html].

Figure 1 shows how the YARA rule posted on the ThreatGeek blog was copied and pasted into the text area shown below in Fidelis XPS CommandPost. The right side of the image shows the granular selection of file objects that can be scanned with this YARA rule. In this example, njRAT is a Windows executable file object, so ‘exe’ is selected. One could just as easily apply this rule to PDF files, Microsoft Office files, or any other of the formats Fidelis XPS detects.

 

Figure 1 - njRAT YARA Rule Entry in Fidelis XPS

By simply choosing the rule action “Alert and Prevent” in Fidelis XPS CommandPost when creating the rule, Fidelis XPS will drop the malicious transmission when it is detected. The figure below shows a YARA alert generated by the transmission of the njRAT malware across the network. This alert highlights the power of Deep Session Inspection: the njRAT file was hidden in a ZIP archive, then in a RAR archive, and then base64 encoded, and Fidelis XPS was still able to detect the executable using the YARA rule in real time. Note that the file object that triggered the YARA rule is highlighted by Fidelis XPS CommandPost in the Decoding Path section on the right of Figure 2. The left section of the image shows the Violation Information, which contains the name of the Policy and Rule that generated the alert. Rich alert metadata is provided throughout the rest of the alert screen, including source and destination IP addresses, time of alert, extracted session attributes, and much more.
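The decoding-path behaviour described above, and the quantifier conditions from the YARA section (“all of them”, “any of them”, “N of them”), modeled in an added Python example that is not Fidelis code and does not use libyara: a hand-written evaluator peels base64 and ZIP layers (the RAR layer is omitted because the standard library cannot open it), categorizes the leaf, and runs the rule only against the ‘exe’ leaf, as the file-type selection in Figure 1 does. The executable bytes, marker strings and rule are constructed placeholders, not njRAT indicators.

```python
import base64
import binascii
import io
import zipfile

# Constructed stand-in for an extracted executable; the markers are NOT njRAT indicators.
FAKE_EXE = b"MZ" + b"\x00" * 62 + b"constructed_marker_one\x00constructed_marker_two\x00"
# YARA-style rule parts: named strings, a quantifier condition ("all of them",
# "any of them", "2 of them") and the file types it is applied to (the 'exe' box).
RULE = {"strings": {"$s1": b"constructed_marker_one", "$s2": b"constructed_marker_two",
                    "$s3": b"constructed_marker_three"},
        "condition": "2 of them", "file_types": {"exe"}}

def classify(obj):
    # Coarse file-type categorization of an extracted object (exe, zip, base64).
    if obj[:2] == b"MZ":
        return "exe"
    if obj[:2] == b"PK":
        return "zip"
    try:
        base64.b64decode(obj, validate=True)
        return "base64"
    except binascii.Error:
        return "unknown"

def decode_path(obj, path=()):
    """Recursively peel containers, yielding (decoding path, leaf type, leaf bytes)."""
    kind = classify(obj)
    if kind == "base64":
        yield from decode_path(base64.b64decode(obj), path + ("base64",))
    elif kind == "zip":
        with zipfile.ZipFile(io.BytesIO(obj)) as zf:
            for name in zf.namelist():
                yield from decode_path(zf.read(name), path + ("zip:" + name,))
    else:
        yield path, kind, obj

def evaluate(rule, leaf_type, data):
    """Type gate first (the rule only runs on its selected types), then the quantifier."""
    if leaf_type not in rule["file_types"]:
        return False
    hits = sum(1 for s in rule["strings"].values() if s in data)
    word = rule["condition"].split()[0]  # "all", "any" or a count
    needed = {"all": len(rule["strings"]), "any": 1}.get(word) or int(word)
    return hits >= needed

def scan_session(obj, rule=RULE):
    # (decoding path, leaf type) for every leaf on the path that the rule matches.
    return [(list(p), t) for p, t, d in decode_path(obj) if evaluate(rule, t, d)]

def build_sample():
    # Constructed session object: FAKE_EXE inside a ZIP, then base64 encoded.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.exe", FAKE_EXE)
    return base64.b64encode(buf.getvalue())
```

Running `scan_session(build_sample())` reports the match together with the path `base64 -> zip:payload.exe`, the same information the Decoding Path panel in Figure 2 conveys; the outer base64 and ZIP layers are never themselves matched against the rule because of the type gate.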

 

Figure 2 - njRAT Alert Generated by YARA Rule

Conclusion

The job of a network defender is not a simple one. Your adversaries spend every hour of the day developing and applying new techniques to compromise your network, because they have everything to gain and almost nothing to lose. Unfortunately, there are only so many hours in the day that an analyst can keep watch. It is imperative that we in the security industry work smarter and more efficiently. We need to focus on finding more anomalies to investigate and develop better procedures for weeding out false positives in order to optimize our effective time on target.

Fidelis understands the plight of the network defender, and our mission has always been to make the analyst’s job easier and the attacker’s job more difficult. Incorporating a revolutionary new way of inspecting traffic in motion using YARA helps propel us forward in our mission. Fidelis XPS plus YARA enables better detection of malicious objects attempting to penetrate your network, and does so with the speed to prevent the attack. Additionally, Fidelis XPS offers extremely fast detection and rich forensics, allowing correlation and remediation to take place seconds, not days, after an event. With Fidelis XPS you can detect more, faster.