#whoami...#whoami • director of technology and information systems 20+ years • certified...

Post on 04-Aug-2020


#whoami

• DIRECTOR OF TECHNOLOGY AND INFORMATION SYSTEMS 20+ YEARS

• CERTIFIED INFORMATION SYSTEMS SECURITY PROFESSIONAL (CISSP)

• CERTIFIED GIAC SYSTEM AND NETWORK AUDITOR (GSNA)

• CERTIFIED GIAC INCIDENT HANDLER (GCIH)

• M.S. IN COMPUTERS AND TECHNOLOGY IN EDUCATION

• UNITED STATES MARINE CORPS

SCOPE OF NETWORK

• >8800 STUDENTS

• >1900 EMPLOYEES

• >14,000 DEVICES ON NETWORK (WIRED AND WIRELESS)

• 14 LOCATIONS CONNECTED VIA FIBER NETWORK

• 71 TELECOMMUNICATIONS CLOSETS

By Goran tek-en, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=36942216

Malspam

“Dialer”

COMMAND AND CONTROL

• “COMMAND AND CONTROL CONSISTS OF TECHNIQUES THAT ADVERSARIES MAY USE TO COMMUNICATE WITH SYSTEMS UNDER THEIR CONTROL WITHIN A VICTIM NETWORK.”

https://attack.mitre.org/tactics/TA0011/

EGRESS FIREWALL FILTERING

“EGRESS FILTERING IS THE CONTROL OF TRAFFIC LEAVING YOUR NETWORK.”

https://www.sans.org/reading-room/whitepapers/firewalls/egress-filtering-faq-1059

GOALS

• EXAMINE MALSPAM ATTACK VECTOR

• REVIEW EXAMPLE OF A COMMAND AND CONTROL

• EXAMINE BENEFITS OF FIREWALL EGRESS FILTERING

• EXAMINE METHODS FOR IDENTIFYING REQUIRED DESTINATION PORTS

• DISCUSS APPLYING EGRESS FILTERS TO FIREWALL RULES

MALWARE SPAM OR MALSPAM

• “THE MAJORITY OF INITIAL MALWARE IS DELIVERED BY EMAIL.” (2019 VERIZON DBIR)

• 6.11% OF SPAM CONTAINS MALWARE (2019 TRUSTWAVE GLOBAL SECURITY REPORT)

• LAST 30 DAYS (SEPT), EMAIL FILTER DROPPED 1.7 MILLION MESSAGES

• 6.11% OF 1.8 MILLION = 103,870 POTENTIAL MALSPAM

CIS/MS-ISAC TOP 10 MALWARE MARCH 2019

https://www.cisecurity.org/blog/top-10-malware-july-2019/

BENEFITS OF EGRESS FILTERING

• PREVENT MALWARE “DIALER*” CALLBACKS

• PREVENT COMMAND & CONTROL AND BACKDOORS

• PREVENT DATA EXFILTRATION

• PREVENT DEVICES FROM ACCESSING DNS DIRECTLY

• ENFORCE POLICY—NO USE OF UNENCRYPTED COMMUNICATIONS: TELNET, TFTP, FTP.

• 47% of Crimeware incidents used C2

• 87% of Cyber-Espionage incidents used C2 (2019 Verizon DBIR)

FIREWALL

• A FIREWALL IS A NETWORK SECURITY DEVICE THAT MONITORS INCOMING AND OUTGOING NETWORK TRAFFIC AND DECIDES WHETHER TO ALLOW OR BLOCK SPECIFIC TRAFFIC BASED ON A DEFINED SET OF SECURITY RULES.

https://www.cisco.com/c/en/us/products/security/firewalls/what-is-a-firewall.html

JARGON ALERT!

Destination Port: http-80, https-443

I have 80/443 open. You can pass.

I’m listening on 80/443. Here’s what I have.

Destination Port: smb-445 (Windows File Shares)

I do not have port 445 open. “You shall not pass.”

I’m stateful. I’ll remember what port you use. I’ve been configured to permit you access to all 65,535 tcp ports and all 65,535 udp ports.

Destination Port: http-80, https-443

Email-25/110/143. You can pass.

Outgoing. Sure. I’ll remember.

I remember you. You can pass.

EMOTET

https://www.us-cert.gov/ncas/alerts/TA18-201A

Emotet reports a new infection to its C2 server and receives instructions

A downloader or dropper of other banking Trojans.

https://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/

https://isc.sans.edu/forums/diary/Malspam+pushing+ransomware+using+two+layers+of+password+protection+to+avoid+detection/23573/

MITRE ATT&CK

MITRE ATT&CK

• HTTPS://ATTACK.MITRE.ORG

• HOME > TECHNIQUES > ENTERPRISE > COMMAND AND CONTROL > COMMONLY USED PORT

• HTTPS://ATTACK.MITRE.ORG/TECHNIQUES/T1043/

• EMOTET: 20, 22, 80, 443, 8080, AND 8443

• HTTPS://ISC.SANS.EDU/FORUMS/DIARY/EMOTET+MALSPAM+IS+BACK/25330/

DNSCAT2 Client direct communication with DNSCAT2 C2 Server

DNSCAT2 Client communication with DNSCAT2 C2 Server via Internal DNS Server

OBJECTIVES

• CREATE NETWORK VISIBILITY

• CAPTURE NETWORK TRAFFIC—IDENTIFY DESTINATION PORTS

• MAP DESTINATION PORTS TO SERVICES

• IDENTIFY REQUIRED PORTS

• CONFIGURE FIREWALL TO PERMIT IDENTIFIED REQUIRED PORTS AND DENY ALL

CIS CONTROL : BOUNDARY DEFENSE

12.4: DENY COMMUNICATION OVER UNAUTHORIZED PORTS

• DENY COMMUNICATION OVER UNAUTHORIZED TCP OR UDP PORTS OR APPLICATION TRAFFIC TO ENSURE THAT ONLY AUTHORIZED PROTOCOLS ARE ALLOWED TO CROSS THE NETWORK BOUNDARY IN OR OUT OF THE NETWORK AT EACH OF THE ORGANIZATION'S NETWORK BOUNDARIES.

https://www.cisecurity.org/controls/

POLICY OR PERMISSION

NETWORK VISIBILITY

• IDENTIFY BEST LOCATION TO MONITOR NETWORK TRAFFIC

• SELECT NETWORK TAP OR SPAN (SWITCHED PORT ANALYZER), PORT MIRRORING, OR PORT MONITORING

Network Visibility: Destination Ports (diagram)

Network Tap

Tap NSM

SPAN Port or Port Mirror

SHARKTAP (midBit Technologies)

CAPTURE NETWORK TRAFFIC: ZEEK

• FORMERLY BRO NETWORK SECURITY MONITOR

• UNIX/LINUX

• RUNS ON COMMODITY HARDWARE

• GENERATES LOG FILES OF NETWORK ACTIVITY

• CONN.LOG—SESSION DATA

• BRO-CUT

CAPTURE NETWORK TRAFFIC: SECURITY ONION

• ZEEK INSTALLS WITH SECURITY ONION

• UNIX/LINUX

• EASIER TO INSTALL

• REQUIRES MORE HARDWARE

• DEFAULT INSTALL LOGS FULL PACKET CAPTURE

• ZEEK LOGS IN JSON FOR USE WITH ELK STACK

• ELASTICSEARCH, LOGSTASH, AND KIBANA

SAMPLE ZEEK CONN.LOG


{"ts":"2019-04-26T00:05:30.990493Z","uid":"CrbjTY2YyqDdOVcxO5","id.orig_h":"10.53.4.42","id.orig_p":54317,"id.resp_h":"162.222.96.171","id.resp_p":443,"proto":"tcp","service":"ssl"

ZEEK CONN.LOG-IDENTIFY PORT USE

$ zcat conn.*.log.gz | awk -F '"' '{ print $12, $15, $18, $21, $24 }' | grep '^10\.' | awk -F ' ' '{ print $4, $5 }' | sort | uniq -c | sort -nr | head -n 10

ZEEK CONN.LOG-IDENTIFY PORT USE

zcat conn.*.log.gz | awk -F '"' '{ print $12, $15, $18, $21, $24 }' | grep '^10\.'

• Source IP, Sport, Destination IP, Dport, Protocol

• 10.231.5.102 :57051, 23.49.249.151 :443, tcp

• 10.15.2.19 :52397, 104.244.36.20 :443, tcp

• 10.15.2.19 :52376, 104.244.36.20 :443, tcp

• 10.15.2.19 :52394, 104.244.36.20 :443, tcp

• 10.43.6.70 :58428, 17.249.108.89 :5223, tcp

ZEEK CONN.LOG-IDENTIFY PORT USE

| awk -F ' ' '{ print $4, $5 }' | sort | uniq -c | sort -nr | head -n 10

• 9525992 :443, tcp

• 3179372 :80, tcp

• 2809189 :53, udp

• 1696422 :443, udp

• 175176 :8245, udp

• 149542 :5223, tcp

• 95336 :123, udp

• 44510 :2195, tcp

• 42725 :2196, tcp

• 34693 :3260, tcp

CAPTURE NETWORK TRAFFIC: TCPDUMP

• EASY TO INSTALL

• RUNS ON COMMODITY HARDWARE

• ADDITIONAL OPTIONS NECESSARY TO MINIMIZE PACKET CAPTURE

TCPDUMP-IDENTIFY PORT USE

sudo tcpdump -i eno2 -nt -s 60 src net 10.0.0.0/8 and 'tcp[13] & 2!=0' > /path/file.tsv

TCPDUMP-IDENTIFY PORT USE

sudo tcpdump -i eno2 -nt -s 60 src net 10.0.0.0/8 and 'tcp[13] & 2!=0' > /path/file.tsv

• IP 10.56.2.51.53704 > 3.95.104.195.443: Flags [S], seq 3183427970, win 65535, options [mss 1250,nop,[|tcp]>

• IP 10.53.2.80.52855 > 172.217.12.162.443: Flags [S], seq 790271908, win 8192, options [mss 1250,nop,[|tcp]>

• IP 10.56.2.51.53705 > 23.195.65.245.443: Flags [S], seq 2573793816, win 65535, options [mss 1250,nop,[|tcp]>

• IP 10.232.9.38.41030 > 172.217.7.13.443: Flags [S], seq 2547266284, win 29200, options [mss 1250,sackOK,[|tcp]>

• IP 10.56.2.51.53706 > 68.67.180.43.443: Flags [S], seq 1203456510, win 65535, options [mss 1250,nop,[|tcp]>

TCPDUMP-IDENTIFY PORT USE

cat /path/file.tsv | awk -F ' ' '{ print $4 }' | awk -F '.' '{ print $5 }' | sort | uniq -c | sort -nr

• 170551 443:

• 24462 80:

• 1118 5223:

• 829 2195:

• 827 2196:

• 368 3260:
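The two pipelines above pull fields out by awk column number, which works for the conn.log shown but breaks as soon as Zeek emits its keys in a different order or adds a field. The script below is an added example and not part of the slides: it produces the same destination-port count for both input formats (Zeek JSON conn.log and the tcpdump SYN-only capture), looks Zeek fields up by key name, and restricts the count to sessions that originate inside 10.0.0.0/8 so inbound connections never pollute the list. The sample records are constructed for the example; the second Zeek record deliberately has its keys in a different order.

```shell
#!/bin/sh
# Added example, not from the slides: count destination port/protocol pairs for
# sessions that originate inside 10.0.0.0/8, from either a Zeek JSON conn.log or a
# tcpdump SYN-only capture. Zeek fields are looked up by key name, not by awk
# column number, so the count survives a change in key order or an extra field.

# Constructed sample Zeek conn.log records (JSON, one per line). The last record
# is an inbound connection and must not be counted.
sample_zeek() {
cat <<'EOF'
{"ts":"2019-04-26T00:05:30.990493Z","uid":"CrbjTY2YyqDdOVcxO5","id.orig_h":"10.53.4.42","id.orig_p":54317,"id.resp_h":"162.222.96.171","id.resp_p":443,"proto":"tcp","service":"ssl"}
{"ts":"2019-04-26T00:05:31.100000Z","uid":"C1","proto":"tcp","id.orig_h":"10.15.2.19","id.orig_p":52397,"id.resp_h":"104.244.36.20","id.resp_p":443}
{"ts":"2019-04-26T00:05:31.200000Z","uid":"C2","id.orig_h":"10.43.6.70","id.orig_p":58428,"id.resp_h":"17.249.108.89","id.resp_p":5223,"proto":"tcp"}
{"ts":"2019-04-26T00:05:31.300000Z","uid":"C3","id.orig_h":"10.15.2.19","id.orig_p":40001,"id.resp_h":"8.8.8.8","id.resp_p":53,"proto":"udp"}
{"ts":"2019-04-26T00:05:31.400000Z","uid":"C4","id.orig_h":"203.0.113.9","id.orig_p":4444,"id.resp_h":"10.15.2.19","id.resp_p":445,"proto":"tcp"}
EOF
}

# Constructed sample tcpdump output, as produced with -nt and a SYN-only filter.
sample_tcpdump() {
cat <<'EOF'
IP 10.56.2.51.53704 > 3.95.104.195.443: Flags [S], seq 3183427970, win 65535, options [mss 1250,nop,[|tcp]>
IP 10.53.2.80.52855 > 172.217.12.162.443: Flags [S], seq 790271908, win 8192, options [mss 1250,nop,[|tcp]>
IP 10.43.6.70.58428 > 17.249.108.89.5223: Flags [S], seq 2573793816, win 65535, options [mss 1250,nop,[|tcp]>
IP 10.232.9.38.41030 > 172.217.7.13.443: Flags [S], seq 2547266284, win 29200, options [mss 1250,sackOK,[|tcp]>
EOF
}

# Count identical "<port> <proto>" lines; sort by count (desc), then port (asc),
# so ties come out in a stable order.
rank() {
  sort | uniq -c | sort -k1,1nr -k2,2n -k3,3
}

# Zeek conn.log (JSON): print "<resp_p> <proto>" for internal-origin sessions.
zeek_dest_ports() {
  awk '
    # Return the value of "key" from the current JSON line, or "" if absent.
    function field(key,    re, s) {
      re = "\"" key "\":\"?[^,\"}]*"
      if (match($0, re)) {
        s = substr($0, RSTART, RLENGTH)
        sub(/^"[^"]*":"?/, "", s)     # strip the key and the opening quote
        return s
      }
      return ""
    }
    field("id.orig_h") ~ /^10\./ { print field("id.resp_p"), field("proto") }
  ' "$@" | rank
}

# tcpdump (-nt, SYN-only, src net 10.0.0.0/8): print "<dport> tcp" per line.
tcpdump_dest_ports() {
  awk '
    $1 == "IP" && $2 ~ /^10\./ && $3 == ">" {
      dst = $4
      sub(/:$/, "", dst)          # "3.95.104.195.443:" -> "3.95.104.195.443"
      n = split(dst, a, ".")      # the last dotted component is the port
      print a[n], "tcp"
    }
  ' "$@" | rank
}

# Run on the constructed samples: ./egress_ports.sh --demo
# With real data: zcat conn.*.log.gz | zeek_dest_ports   or   tcpdump_dest_ports /path/file.tsv
if [ "${1-}" = "--demo" ]; then
  echo "== zeek";    sample_zeek    | zeek_dest_ports
  echo "== tcpdump"; sample_tcpdump | tcpdump_dest_ports
fi
```

Either function reads the files named on its command line or, with no arguments, standard input, so it drops straight into the `zcat` pipeline from the slide. The tcpdump parser assumes the exact capture filter shown above (SYN only, internal sources), which is why it can label every line `tcp`.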

MAP DESTINATION PORTS TO SERVICES

• 9525992 :443, tcp

• 3179372 :80, tcp

• 2809189 :53, udp

• 1696422 :443, udp—QUIC (Google Chrome)

• 175176 :8245, udp

• 149542 :5223, tcp—APN

• 95336 :123, udp—NTP (Apple)

• 44510 :2195, tcp—APN

• 42725 :2196, tcp—APN

• 34693 :3260, tcp

https://www.fastvue.co/fastvue/blog/googles-quic-protocols-security-and-reporting-implications/

FIREWALL PERMIT/DENY

• VISIBILITY—PRACTICE ABILITY TO VIEW CLIENT NETWORK TRAFFIC TO DETERMINE IF YOU ARE BLOCKING A NEEDED DESTINATION PORT

• BLOCK PORTS IN CHUNKS OR GROUPS—EASIER TROUBLESHOOTING

• ADD PERMIT RULE FOR REQUIRED PORTS

• ADD DENY RULE
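Putting the permit and deny steps together: the script below is an added example, not from the slides, that turns the port-to-service mapping into a reviewable egress rule set. It assumes a Linux iptables boundary firewall forwarding 10.0.0.0/8 to the Internet and a placeholder internal resolver at 10.0.0.53; the port groups are the ones identified in the traffic review above. Rules are printed rather than applied, so they can be checked, and put on the firewall one group at a time, before anything goes live.

```shell
#!/bin/sh
# Added example, not from the slides: generate an egress rule set from the list of
# required destination ports found in the traffic review. Assumptions: a Linux
# iptables boundary firewall that forwards 10.0.0.0/8 to the Internet, and an
# internal resolver at 10.0.0.53 (placeholder). Rules are printed, not applied.

INTERNAL_NET="10.0.0.0/8"
INTERNAL_DNS="10.0.0.53"   # placeholder: the only host allowed to reach outside DNS

# Required ports from the review, one group per line: "<label> <proto> <ports>".
# One rule per group keeps troubleshooting simple: remove the "apn" line and every
# Apple push port goes away together.
required_ports() {
cat <<'EOF'
web tcp 80,443
quic udp 443
apn tcp 2195,2196,5223
ntp udp 123
EOF
}

# Policy ports: cleartext protocols that are denied explicitly and logged with
# their own prefix, so a policy violation is distinguishable from an unmapped port.
policy_ports() {
cat <<'EOF'
ftp tcp 21
telnet tcp 23
tftp udp 69
EOF
}

# Print the iptables commands. Order matters: stateful accept, policy drops,
# the DNS exception, the permit groups, then log-and-drop everything else.
egress_rules() {
  printf 'iptables -N EGRESS\n'
  # Stateful: replies to connections already permitted never reach the EGRESS chain.
  printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
  printf 'iptables -A FORWARD -s %s -j EGRESS\n' "$INTERNAL_NET"
  # Cleartext protocols: log with a distinct prefix, then drop.
  policy_ports | while read -r label proto port; do
    printf 'iptables -A EGRESS -p %s --dport %s -j LOG --log-prefix "EGRESS-POLICY-%s "\n' "$proto" "$port" "$label"
    printf 'iptables -A EGRESS -p %s --dport %s -j DROP\n' "$proto" "$port"
  done
  # Only the internal resolver may talk DNS to the Internet; a client that tries an
  # outside resolver directly, or tunnels over DNS, falls through to the final deny.
  printf 'iptables -A EGRESS -s %s -p udp --dport 53 -j ACCEPT\n' "$INTERNAL_DNS"
  printf 'iptables -A EGRESS -s %s -p tcp --dport 53 -j ACCEPT\n' "$INTERNAL_DNS"
  # Permit rules, one per group, labelled so the rule listing explains itself.
  required_ports | while read -r label proto ports; do
    printf 'iptables -A EGRESS -p %s -m multiport --dports %s -m comment --comment "%s" -j ACCEPT\n' "$proto" "$ports" "$label"
  done
  # Deny everything else, logging first so the NSM box can show which port was missed.
  printf 'iptables -A EGRESS -m limit --limit 10/min -j LOG --log-prefix "EGRESS-DENY "\n'
  printf 'iptables -A EGRESS -j DROP\n'
}

# Number of distinct ports the permit groups open: a sanity check against the
# list produced by the traffic review before the rules are applied.
permitted_port_count() {
  required_ports | awk '{ n += split($3, a, ",") } END { print n + 0 }'
}

# Review: ./egress_rules.sh | less      Apply (as root, after review): ./egress_rules.sh | sh
if [ "${1-}" = "--print" ]; then
  egress_rules
fi
```

The final `LOG` rule is rate-limited so a single chatty client cannot flood syslog, but it is what makes the "block in chunks" advice workable: after each group is added, anything that hits `EGRESS-DENY` with a port you expected to be permitted is a mapping you missed, not a mystery outage.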

FIREWALL PERMIT/DENY

NGFW

• LAYER 7 APPLICATION FILTERING

https://www.cisco.com/c/en/us/products/security/firewalls/what-is-a-firewall.html

RECOMMENDED READING

“THE MORE I PRACTICE, THE LUCKIER I GET.”

Questions?

• GEORGE FRAZIER • FRAZIER@LMSD.ORG • @GEOFRAZIER