Pragmatic Intelligence (SANS Intel Summit 2014)


Posted on 25-May-2015







Symbiotic Network Technologies - Pragmatic Intelligence and release of the community


1. Pragmatic Intelligence

2. Curt Shaffer
Curt Shaffer has been in the IT field for 15 years. His experience is diverse, ranging from ISP network design and installation, to server engineering for small and medium businesses as well as a number of local, US federal and international agencies, to intrusion analysis, incident response and malware reverse engineering. Over the past 5 years his focus has shifted to security. Most of his recent security work has been building internal threat intelligence for federal agencies; in his current position as Owner and Sr. Threat Researcher of Symbiotic Network Technologies, LLC, he analyzes current and new trends in the attack landscape in order to provide organizations with a realistic view of how they are being attacked and what can be done about it. He holds a number of industry standard certifications including CISSP, SANS GREM, GCIA, GCIH, GPEN, GSEC and a number of CompTIA and Microsoft certifications.

3. The Process
(Diagram labels: Reconnaissance, SIEM, C2, Weaponization and Delivery, IDS/IPS/DLP)

4. Not all intel is good intel

5. Event Overview
Weaponization: Attacker creates a Java payload with exploit code and publishes the malware into an ad system for delivery.
Delivery: Regex on the HTTP URI for /[a-z]{8}.php?[a-z]{8}=[0-9]{6}$
Exploitation (JAR): HTTP request method = GET; Content-Type = application/x-java-archive; regex on the HTTP URI for /[a-z]{8}.jar$
A successful infection will call home for further instructions.
C2: GET /news/default-phpversion.php?mdm=30:1g:2v:1f:1o&xguc=3b:3i:39:35&nze=1l:1f:30:1l:2v:30:1m:2v:1n:30&bhn=lixvdd HTTP/1.1

6. Actionable Intel
Delivery: IDS/IPS rule to match the URL pattern, or a web content filter rule, for the delivery of the weaponized malware.
Exploitation: Yara or IDS/IPS rule for keywords or the pattern of the JAR payload and the code exploiting CVE-2012-1723.
C2: IDS/IPS/DLP rule to match the known C2 callback URI pattern.

7. Actionable Intel vs Informative Intel
Redirection URL is identified.
The JAR delivery is identified and would be labeled as related, but with an additional label of exploitation.
Aspects of the JAR indicate that the client in fact downloaded it.
C2 is recognized: related, and additionally labeled as C2.
Corroborating evidence that the target is infected.

8. Evidence
Kill Chain Phase | Time         | Severity | Alert ID | Summary                                                     | Image With Malware | Related Alerts
Delivery         | 6/22/13 8:00 | High     | 10027    | Known Impact Exploit Kit Landing Page                       | Yes                |
Delivery         | 6/22/13 8:01 | High     | 10028    | Impact EK Payload Content-type = application/x-java-archive | No                 |
Exploitation     | 6/22/13 8:03 | High     | 10029    | JAR file matching CVE-2012-1723                             | Yes                |
C2               | 6/22/13 8:10 | High     | 10030    | Impact EK C2 URI detected                                   | No                 |

9. Main Incident Takeaways (by most management)
How fast was the behavior detected?
How fast did the team respond to the event?
How long did it take to be fixed?
We aim to be able to assist the analysts with providing good news on all of these factors.

10. Kill Chain Phase: Delivery
Observed Action: File identification in IDS/IPS
Mitigation Actions: Create an IDS/IPS rule to alert or prevent.
Indicator (the landing-page URI only appears in the client's request, so the rule matches client-to-server traffic; the regex metacharacters are escaped and the /U modifier selects the normalized URI buffer):

    # Landing-page URI is in the client request: match HOME_NET -> EXTERNAL_NET, to_server
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Impact Exploit Kit Landing Page"; flow:established,to_server; pcre:"/\/[a-z]{8}\.php\?[a-z]{8}=[0-9]{6}$/U"; classtype:trojan-activity; sid:99999999; rev:1;)

11. Kill Chain Phase | Observed Action                                             | Reason for Success            | Mitigation Actions
Delivery            | Known Impact Exploit Kit Landing Page                       | Lack of previous IDS/IPS rule | IDS/IPS rule for identification
Delivery            | Impact EK Payload Content-type = application/x-java-archive | Lack of previous IDS/IPS rule | IDS/IPS rule for identification

12. Exploit: Indicator
(The sample Yara rule shown on the slide covers CVE-2013-0422, not the CVE-2012-1723 payload of this event; a rule for the event's JAR follows the same structure with that payload's class and method names.)

    rule cf_jar_cve_2013_0422
    {
        meta:
            description = "Java Applet JMX Remote Code Execution"
            cve = "CVE-2013-0422"
            ref = ""
            author = ""
            date = "12-Jan-2013"
            version = "1"
            impact = 4
            hide = false
        strings:
            $0422_1 = "com/sun/jmx/mbeanserver/JmxMBeanServer" fullword
            $0422_2 = "com/sun/jmx/mbeanserver/JmxMBeanServerBuilder" fullword
            $0422_3 = "com/sun/jmx/mbeanserver/MBeanInstantiator" fullword
            $0422_4 = "findClass" fullword
            $0422_5 = "publicLookup" fullword
            // the $class pattern was garbled on the slide; only the token below is recoverable
            $class = /GeneratedClassLoader/ fullword
        condition:
            all of ($0422_*) or all of them
    }

13. Kill Chain Phase: C2
Observed Action: URI consistent with exploit kit C2
Mitigating Action: IDS/IPS/DLP rule
Indicator (the callback parameters vary per victim, so the rule keys on the request method and the fixed part of the URI; the full observed URI is kept as a comment):

    # Observed C2: GET /news/default-phpversion.php?mdm=30:1g:2v:1f:1o&xguc=3b:3i:39:35&nze=1l:1f:30:1l:2v:30:1m:2v:1n:30&bhn=lixvdd HTTP/1.1
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Exploit Kit C2 URI"; flow:established,to_server; content:"GET"; http_method; content:"/news/default-phpversion.php?mdm="; http_uri; classtype:trojan-activity; sid:9999999; rev:4;)

14. Key Benefits!
Provides a clear and concise ability to analyze events to ascertain, as rapidly as possible, whether they are just events or incidents.
Provides the analyst quality feedback.
Gives IR teams input for action plans.
Feeds lessons-learned meetings.

15. Kill Chain Phase | What Happened                                 | Why Our Controls Failed                             | Mitigation Plan                           | IOC
Delivery            | EK URL access                                 | No blocking rule in IDS/IPS or web filtering        | Create signature for the URL for blocking | IDS/IPS/DLP signature or blacklist in web filter
Delivery            | JAR with known bad characteristics delivered  | No blocking rule in IDS/IPS or web filtering        | Create signature for the URL for blocking | IDS/IPS/DLP signature or blacklist in web filter
Exploitation        | JAR with CVE-2012-1723                        | Workstations not patched for this CVE               | Deploy the patch to all systems           | AV or Yara signature
C2                  | EK C2 URI access                              | No blocking rule in IDS/IPS/DLP                     | Create IDS/IPS/DLP signature for the URI  | IDS/IPS/DLP signature

16. Questions?

17. Shameless Plug
I'm happy to announce the beginning of a collaborative vetted threat intelligence group. Not ANOTHER GROUP! Vetting is a bit different:
* Sponsor/community references
* Email address
* Voice telephone #
* A short description of why you would like access

18. What's Different?
OSINT out the wazoo!! But you just told us to practice pragmatic intelligence! Good catch. We are striving to have attributable work that can be tracked and followed up on, in order to take OSINT and turn it into actionable intel, which the members can then use pragmatically. Utilizing the extension of the XORCISM framework, our goal is to ingest or produce indicators in a format ready for action for you!

19. What's Different?
Ticket tracking for members analyzing data
Custom correlation rules to increase intel confidence
Use of a patent-pending dynamic malware analysis and research lab
Web interface for API configuration self-service
Web search/filter/analyze/trend graphs etc.
Cloud Nein* style collaboration with mind mapping

20. We Want You!
Interested in helping out with this new crowd-sourced community? Follow the requirements set out on
We are accepting a limited number of beta members until we consider the product really prime time for the collaboration.
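The detection and corroboration logic of slides 5 to 8 and 14, as an added example that is not part of the original deck or of Symbiotic Network Technologies' tooling: the three indicators (landing-page URI, JAR payload, C2 callback) are run over a constructed proxy log, hits are tagged with their kill-chain phase per client, and a client is only called an incident when Delivery, Exploitation and C2 all corroborate each other. The log format (timestamp, client, method, URI, response Content-Type) is an assumption, and the C2 regex generalises the single URI on slide 5 to the same path and parameter names with arbitrary values, which is also an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Indicators from the deck's event overview (slide 5), as anchored regexes.
DELIVERY_URI = re.compile(r"^/[a-z]{8}\.php\?[a-z]{8}=[0-9]{6}$")  # EK landing page
JAR_URI = re.compile(r"^/[a-z]{8}\.jar$")                          # exploit payload
JAR_CONTENT_TYPE = "application/x-java-archive"
# The deck shows one exact C2 URI; this generalises it (assumption) to the
# same path and the same four parameter names with arbitrary values.
C2_URI = re.compile(
    r"^/news/default-phpversion\.php\?mdm=[0-9a-z:]+&xguc=[0-9a-z:]+"
    r"&nze=[0-9a-z:]+&bhn=[0-9a-z]+$"
)

# Constructed sample proxy log (not from the original deck), one request per line:
# timestamp, client IP, method, request URI, response Content-Type.
SAMPLE_LOG = """\
2013-06-22T08:00:00 10.1.1.5 GET /kxjqwert.php?abcdefgh=123456 text/html
2013-06-22T08:01:00 10.1.1.5 GET /kxjqwert.jar application/x-java-archive
2013-06-22T08:10:00 10.1.1.5 GET /news/default-phpversion.php?mdm=30:1g:2v:1f:1o&xguc=3b:3i:39:35&nze=1l:1f:30:1l:2v:30:1m:2v:1n:30&bhn=lixvdd text/html
2013-06-22T08:02:00 10.1.1.7 GET /zzzzzzzz.php?qqqqqqqq=654321 text/html
2013-06-22T08:05:00 10.1.1.9 GET /index.php?id=123456 text/html
2013-06-22T08:06:00 10.1.1.9 GET /libs/app.jar application/x-java-archive
"""


def parse_line(line):
    """Split one log line into its five fields (URI never contains a space here)."""
    ts, client, method, uri, ctype = line.split(" ", 4)
    return {"time": datetime.fromisoformat(ts), "client": client,
            "method": method, "uri": uri, "ctype": ctype}


def classify(event):
    """Map one request to (kill-chain phase, alert summary), or None if no indicator fires."""
    if DELIVERY_URI.match(event["uri"]):
        return "Delivery", "Known Impact Exploit Kit Landing Page"
    # The JAR indicator needs all three conditions: a JAR content-type on its
    # own (the 10.1.1.9 line above) is informative, not actionable.
    if (event["method"] == "GET" and event["ctype"] == JAR_CONTENT_TYPE
            and JAR_URI.match(event["uri"])):
        return "Exploitation", "Impact EK payload (application/x-java-archive JAR)"
    if C2_URI.match(event["uri"]):
        return "C2", "Impact EK C2 URI detected"
    return None


def triage(log_text):
    """Per client: earliest hit per phase, then an event-vs-incident verdict.

    Only a client showing Delivery, Exploitation and C2 is an incident
    (corroborated infection, slide 7); anything less stays an event.
    """
    first_seen = defaultdict(dict)  # client -> phase -> earliest timestamp
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        hit = classify(ev)
        if hit is None:
            continue
        phase = hit[0]
        prev = first_seen[ev["client"]].get(phase)
        if prev is None or ev["time"] < prev:
            first_seen[ev["client"]][phase] = ev["time"]

    verdicts = {}
    for client, seen in first_seen.items():
        phases = sorted(seen, key=seen.get)  # chronological kill-chain order
        result = {"phases": phases, "verdict": "event", "minutes_to_c2": None}
        if {"Delivery", "Exploitation", "C2"} <= set(seen):
            result["verdict"] = "incident"
            # Dwell time from landing page to first callback (slide 9's "how fast")
            result["minutes_to_c2"] = (seen["C2"] - seen["Delivery"]).total_seconds() / 60
        verdicts[client] = result
    return verdicts


if __name__ == "__main__":
    for client, r in sorted(triage(SAMPLE_LOG).items()):
        print(client, r["verdict"], "->".join(r["phases"]), r["minutes_to_c2"])
```

On the sample log, 10.1.1.5 walks the whole chain and is reported as an incident with C2 ten minutes after the landing page; 10.1.1.7 only touched the landing page and stays an event for the analyst to watch; 10.1.1.9 downloaded a JAR but from a URI that matches no indicator, so it never enters the verdict list.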