HIDDENSALAMANDER - Electronic Frontier Foundation · HIDDENSALAMANDER Alerting and ... - Earl...
Transcript of HIDDENSALAMANDER - Electronic Frontier Foundation · HIDDENSALAMANDER Alerting and ... - Earl...
SECRET//COMINT//REL TO USA, FVEY
HIDDENSALAMANDER Alerting and Characterization of Botnet Activity in TURMOIL
r v i i s s i p r \ ] CZ A R A B I I — I T"i E 5
SECRET//REL TO USA, FVEY m i s s i o n CAPABILIT] E5
(S//REL) High Level Goals
O Detect (all!) botnet activity on our sensors
- Alert only when activity is relevant and time-sensitive »Involves entities/commanding of high interest »Involves protected areas » Could initiate defensive action
- Generate metadata always »Aids in attribution and retrospective analysis
- Enrich metadata as much as possible »Alleviate the need for in-depth knowledge of actors or malware
SECRET//REL TO USA, FVEY
(S//REL) Approach rvussiSrvj
CAPABILIT]
<D Z!
-I—1
(D C O)
CO
o c
CO
C0 E
o _D) < "O CD N
"03 'o 0) CL
CO
HIDDENSv B Process Payload for "targets",
BotlDs, channels, nicknames, add directionality...
Igical Fl
rocessi
Track C2 (IP and SID) over a
period of activity, document bots
Gather specialized knowledge
Decode, Detect
Encryption, ...
Track over Event's time
Apply generic
Knowledge
Summarize Activity
Report Overall "Event"
Report Instance
SECRET//REL TO USA, FVEY
SECRET//REL TO USA, FVEY
(S//REL) Concept/Idea Behind It rvuss iC^ j
CAPABILIT] EEE
Q Discovery
SECRET//REL TO USA, FVEY
SECRET//REL TO USA, FVEY m i s s i o n [^ /XF 'A.Bt l i~T] E 5
(S//REL) What we offer today
o An extensible botnet processing service - Capabilities are added via configuration or specialized processors
® The ability to track events spanning across 5-tuples - Enables production of Event Summaries and Enrichment
© Geographical dispersion - SIGINT perspective, currently at SCS sites and MHS (prototype)
^ TURMOIL augments Defensive Efforts two fold - Early warning Tips for defensive action (to NETEZZA, then
TUTELAGE) - Metadata for characterization and to support attribution (to
GMPLACE and RONIN, then CYBERCLOUD and MARINA).
SECRET//REL TO USA, FVEY m i s s i o n [^ /XF 'A.Bt l i~T] E 5
(S//REL) Progress over the last year
® Advancements - Zeus RC4 encrypted processing flow - Base64 decoding e.g. BEB vl .8 target IP extraction - Limited Metadata Enrichment
» Case Study to support QBOT activities - Deployment to F6 sites and a second system at MHS - Established ASDF to GMPLACE for GHOSTMACHINE analytics - Established flow to NETEZZA (TURQI) for validation - Defined Botnet Lifecycle Model for categorizing enrichment
metadata
SECRET//REL TO USA, FVEY m i s s i o n [^ /XF 'A.Bt l i~T] E 5
(S//REL) Current Development Focus
® Attain analyst validation - Ingest into GM and creating Views - End-to-end dataflow validation
® Improve Metadata Enrichment capabilities - Define generic model to create metadata PCRE rules - Refine Enrichment Model for Malware
o Improvements to function as a framework/service - Greater focus on metadata enrichment
0 Provide dynamic AEG tasking ® Re-factor Tasking and Tips to fit botnets
- Update Tip format to closely align with extracted data
^ Add specialized packet processors - Mariposa - Looking for opportunities
SECRET//REL TO USA, FVEY
SECRET//REL TO USA, FVEY m i s s i o n [^ /XF 'A.Bt l i~T] E 5
(S//REL) Future Work
o Initial development - Initiate promotion (to XKS) or collection flows - Re-factor SEG to make Metadata Enrichment more flexible - Redesign the Analytic to provide more valuable Summaries
» Possibly detect point of origin of Herder commanding
® Biggest Challenges - Currently have no means to track peer-to-peer botnet activity
» May look to current TURMOIL Fast Flux capabilities for ideas - Encrypted bots defeat most attempts at tracking and reporting
» Possible candidate for TURMOIL Re-Injection flow
SECRET//REL TO USA, FVEY
8
TOP SECRET//COMINT//REL TO USA, FVEY fviissiOM
(TS//SI//REL) Current Implementation
FSPF forwards packets to AEG's based on tasking f rom each coi .ït£Çaçç Packet F ¡Iter
TURMOIL
BotDiscoverySeg
RC4Aeg RC4Seg RC4Aeg RC4Seg
HIDDENSALAMANDER Components
rvussiSrvj CAPABILIT] ES
Attack Events:
MARINA
ma
\ \ Enriched \ \ M e t a d a t a :
\ 1 RONIN \ \
\
1 CYBERCLOUD
ET
CIDR Block/SID Filter
Low Latency lerts:
NETEZZA T ï ^ r Q I Turnabout Query interface
Existing Components
] External Systems
(S//REL FVEY) TOP SECRET//COMINT//REL TO USA, FVEY
TOP SECRET//COMINT//REL TO USA, FVEY fviissiOM IVllSSlg lM C /XF'A.Btl fTq E5
(TS//SI//REL) The Components
O BotDiscoveryAeg - Not A Snort based Application. - Ingests translated Snort signatures and tasks the FSPF. - Emulates Snort behavior as closely as possible.
0 RC4Aeg/RC4Seg - Highly specialized components aimed at detecting RC4 Encrypted Zeus activity
O MariposaAeg (Currently in development) - Highly specialized - detects and decodes a particular encoding.
Q BotDiscoverySeg - De-dups on SID/5 Tuple for Tipping and MARINA. - De-dups on SID/IP/Port for BotAnalyticSeg.
O BotAnalyticSeg - Summarizes Event Metadata from BotDiscoverySeg. - Provides metadata to RON IN.
0 CIDR Block/SID Filter - Filters Tip Events based on IP information OR SID.
O cwbBot - Translates Tip messages to adhere to TRAFFICTHIEF schemas.
TOP SECRET//COMINT//REL TO USA, FVEY
SECRET//REL TO USA, FVEY m i s s i o n ( ARABII—IT, E5
(S//REL) Current Dataflow
Hjrnabout Query Interface
DB/WEB GM PLACE
ingest
normalize
aggregate
write
CLO UD SECRET//REL TO
ASDF ummarized
TOP SECRET//COMINT//REL TO USA, FVEY m i s s i o n CAPABII l"T| E5
(TS//SI//REL) Prototype View - POUNDSAND
POUNDSAND Prototype Incubator
Quer ies
W e l c o m e BotNet Family *
CITY FAMILY ROLE üo i r ie t r a n i m e s ADDRESS COUNTRY CITY FAMILY ROLE
F a m i l i e s " LT VILNIUS Donbo t Control Channe l l j • onbot IQ A S S U L A Y M A N m • o n b o t Control Channe l
R U MOSCOW • o n b o t Control Channe l u T ime Frame
LY TRIPOLI Donbo t Control Channe l V
Country Bots Targets Details Detection Address »
ADDRESS COUNTRY CITY FAMILY ROLE
LB BEIRUT Donbo t Bot A
LB BEIRUT Donbo t Bot
TM ASHGABAT Donbo t Bot
r "i LB BEIRUT Donbo t Bot 1
Submi t LB BEIRUT Donbo t Bot
IQ AS SU LAYMANM Donbo t Bot 1 IQ BAGHDAD Donbo t Bot
1 NL AMSTERDAM Donbo t Bot
TM ASHGABAT Donbo t Bot V 'i
TOP SECRET//COMINT//REL TO USA, FVEY
1 2
TOP SECRET//COMINT//REL TO USA, FVEY f v i i s s iOM CAPABILITi ES
(TS//SI//REL) HIDDENSALAMANDER Outputs
Turnabout Query Interface t l™ tmLMli
Jfllfc li'i: i • • jj- C-JJ Ixa suor uwi i»t.«*s.10JSXftVtMJ7B_&««( Ml&lMÎ IT i**TtS3S?S EAfilMf-T1 bfiW«3fîXPAH37B bu«
Date SID Signature
vnnr USJ-TÎÎ WHS %UVB»a L£j-Jii UHE ftAWSCtlT UÎJ-K& UH£
H. S»: itnmtiM^ St î£ MVi I H 1 I W U 4 tB E£l.SS\-i tJfurfMt- H
Src IP Dest IP
i"TjMVOL 5flV1l«.lîlîlMM0 rus IRHOL seviitiîisiww I U«SJ TtfcJOl SSYlIiltltlMM Ai6iiftti-6tii-n*flslSeti.Ttiefl6lS3el
CASN
Who?
A
What?
What else can we tell today?
ROLE of the IPs involved: Is it a Bot Controller? Bot Victim? Target?
Whofest^e Target of this activity? (for certain botnets)
Who has troe Bot Controller been commanding (over time)? \ POUNDSAND
What botnet families are active in this region? How active? ^ ^ ^ ^ ^ ^ ^ ^ ^
What will we tell tomorrow?
What "Attack" commands are active that we could use to exploit?
What type of botnet activity is seen in this region? For this bot family? - (e.g. Increased "Infections" in US, or, most Bad Bot activity is "Reconnaisance")
What actual [server, filename, command, IP, url] did they send/grab/connect to?
v. V ,-q
TOP SECRET//COMINT//REL TO USA, FVEY
SECRET//REL TO USA, FVEY IN/1Í i D N CAPABILIT] E5
(S//REL) Current Model for Metadata Enrichment Optional Payload Details
Stage Name Stage Instance Optional Attribute Optional Attribute Configuration •splay/Adjust Bot Name
Redirect Traffic Flush DNS Mode Change Connect to Server Server IP Unknown
Infection/Exploit Update Server IP Web Address Download Server 1P Web Address
Reconnaissance DNS IP/Host Resolve A Record (multi pie) •splay Network 1 nformation • spi ay Syste m 1 nf ormati o n Network Scan Enable Network Scan Di sable Harvest
C&C Communication Disconnect Server IP Connect Server IP Login LogOut Current Bot Status Remove Bot Terminate Bot
Attack Execute File DDOS Type (Syn, Http.. ) Target IP Open File File Name Repeat Excecute Command Command Execute Command Command
Need] ycra"
14
SECRET//REL TO USA, FVEY
SECRET//REL TO USA, FVEY missiQNXJ CAPABILIT] ES
(S//REL) "Categorizing" Existing Signatures
® Most popular bot signature analyst repositories: - BLUESMOKE: Snort Rules - XKEYSCORE: Fingerprints
® Requires author to add extra detail to the existing signature
® Requires front end tools to add extra fields to their GUIs for analyst input - Suggested that the Lifecycle Stage Group and Stage
Instance be required for submission for botnet signatures - Other attributes may be optional for submission
SECRET//REL TO USA, FVEY rvìi i D N
CAPABILIT] ES
(S//REL) Bot Characterization Proposed Flow
[HIDDEN SALAMANDER]
CYBERCLOUD
Signatures Translated Tasked hyTURMOII HS
Analysts will develop signatures and include required metadata for submission
Metadata Produced and Consumed
TURMOIL HS will generate bot protocol tasking and accept tasking from repositories.
Map-Reduced Job Res jits Avai lable , /
Analyst Search Results, Available
CYBERCLOUD produces analytic results from all incoming data sources. RONIN provides immediate hardware characterization info.
GoGadget displays analytic results from CYBERCLOUD and detailed metadata for the analyst
SECRET//REL TO USA, FVEY
TOP SECRET//COMINT//REL TO USA, FVEY rvii iDN
Example CAPABILITiE5
O Command Found: 20;3000;10;0;0;30;300;20;20;2000;3000#flood http #1#xK3 2893BC90
O How alert describes it: IP SRC/DEST: 1.1.1.1/2.2.2.2 PORT TO/FROM: 234/123 SIGAD/CASN: SID: 12345 SIGNATURE NAME: BEB:BlackEnergy_DDoS_X_of^ TIME: 00:00:00
O How summary describes it today: IP SRC 1.1.1.1 PORT: 123 [ROLE: C2] IP DEST a.a.a.a PORT: 234 [ROLE: BOT]
b.b.b.b .. z.z.z.z ...
SIGAD/CASN: SID: 12345 SIGNATURE NAME: BEB:BlackEnergy_DDoS_X_of_Y TIME: 00:00:00 - 00:00:10 FAMILY: BEB Total Events: 51
for each instance
1 8
TOP SECRET//COMINT/ /REL TO USA, FVEY
TOP SECRET//COMINT//REL TO USA, FVEY rvii iDN
Example rvussiSrvj
CAPABILIT] ES
O Command Found: 20;3000;10;0;0;30;300;20;20;2000;3000#flood http| t1#xK3 2893BC90
© How Summary describes it (tomorrow): IP SRC 1.1.1.1 PORT: 123 [ROLE: C2] IP DEST a.a.a.a PORT: 234 [ROLE: BOT]
b.b.b.b .. z.z.z.z ...
SIGAD/CASN: SID: 12345 SIGNATURE NAME: BEB:BlackEnergy_DDoS_X_of_Y FAMILY: BEB TIME: 00:00:00 - 00:00:10 Total Events: 51 CONFIGURATION / BOTID: xK3 2893BC90
fACK / DDQS / COMMAND: 20;3000;10;0;0;30;300;20;20;2000;3000#flood http j#1#xK3 2893B>C90
19
TOP SECRET//COMINT//REL TO USA, FVEY
TOP SECRET//COMINT//REL TO USA, FVEY m i s s i o n [ /XRABII—IXq E5
Example #2
O Command Found: JOIN :#marCh2#<crlf>:TESTING1 .Virus.HERE 332 virus-squadlr #marCh2# :!NAZELmarCh2
h t tp : / / ^ ^^^^^H/page / f i l e . j peg aFile.exe 1<crlf>
How alert describes it: We don't want alert! It's insignificant for defensive activity!
O How summary describes it today: IP SRC 1.1.1.1 PORT: 123 [ROLE: C2] IP DEST a.a.a.a PORT: 234 [ROLE: BOT]
b.b.b.b .. z.z.z.z ...
SIGAD/CASN: SID: unknown!!! SIGNATURE NAME: botnet/quantumbot/possible_download1 (XKS Fingerprint-derived) TIME: 00:00:00 - 00:00:10 FAMILY: IRC_GEN Total Events: 3
20
TOP SECRET//COMINT//REL TO USA, FVEY
TOP SECRET//COMINT//REL TO USA, FVEY rvii i D N CAPABILITi ES
Example
O Command Found: JOIN :#marCh2#<crlf>:TESTING1 .Virus.HERE 332 virus-squadlr #marCh2# :!NAZELmarCh2
h t t p : / ^ ^ ^ ^ ^ ^ ^ ^ p a g e / f i l e . j p e g aFile.exe 1<crlf>
O How Summary describes it (tomorrow): IP SRC 1.1.1.1 PORT: 123 [ROLE: C2] IP DEST a.a.a.a PORT: 234 [ROLE: BOT]
b.b.b.b .. z.z.z.z ...
SIGAD/CASN: SID: unknown!!! SIGNATURE NAME: botnet/quantumbot/possible_download1 (XKS Fingerprint-derived) FAMILY: IRC_GEN TIME: 00:00:00 - 00:00:10 Total Events: 3 CONFIGURATION / BOTID /NICKNAME: virus-squadlr C&C COMMS / CONNECT / CHANNEL: #marCh2# C&C COMMS / CONNECT / SERVER: TESTING1.Virus.HERE
K M T UPDATE / C i N i ^ e r o !NAZELmarCh2 aFile.exe 1
21
TOP SECRET//COMINT//REL TO USA, FVEY