
1 © Copyright 2012 EMC Corporation. All rights reserved.

LINK BY LINK Crafting The Attribution Chain

Will Gragido, Sr. Manager RSA FirstWatch [email protected] 2012


Agenda

• Introductions

• Behind Enemy Lines

• Paranoia or Preparedness

• Popping Smoke: You’ve Been Breached, Now What???

• Keep Calm and Carry On

• Analysis and the Attribution Chain

• Thank you!


Introduction

“Research is to see what everybody else has seen, and to think what nobody else has thought.” - Albert Szent-Gyorgyi

RSA FirstWatch’s Approach to Research & Analysis

• Heavy emphasis on things with no names…
• This is where we spend most of our time
• Why?
• Because…
  – Things that already have names are known
  – Many times easier to contend with
  – IOCs and associated telemetry are public and, though important, perhaps not revelatory


Five Pillars of Research We Work Within

• Pragmatic

• Academic

• Specialized

• Skunk works

• Collaborative

RSA FirstWatch Focus

– TTP of Threat Actors
  • Criminal, Amateur
  • Criminal, Professional
  • Confederation
  • Sub-national
  • State Actor
– Activity
  • Trafficking
  • Sourcing
  • Muling
  • Crimeware as a Service (CaaS)
– IOCs
– Telemetry
– Malicious Code & Content, Binaries, PE etc.
– Known bad and suspected IP addresses & domains
– Botnet C&C
– Communications occurring within observable environments (multi-language)*
– HUMINT | SIGINT | ESINT | OSINT | GEOINT related data*
– Data repatriation & attribution trail analysis*

Examples of What We See…

• Crimeware
  – Exploit kits
  – DDoS tools
• Botnets
  – Botnet Control Panels
  – C&C Trojans
• Malicious Code & Content
  – Rootkits
  – Trojans
  – C&C enabled Trojans
  – Blended threats
    • Metamorphic
    • Polymorphic
  – Spyware
• Crimeware as a Service (CaaS)
  – DDoS
  – Botnet drone
  – Credit Card clearing
  – Muling
  – Mule retransmission and middleman
    • Credit Card clearing forums
    • Credit Card purchasing / brokering sites
• Campaign Analysis
  – Targeted
  – Non-targeted
  – Criminal
  – Sub-national
  – State Sponsored


So What Does This Mean?

• Intense, global approach to intelligence collection

• Multi-dimensional approach to disparate intelligence driven data sets

• Manual and automated analysis

• High fidelity intelligence

• Net Effect = Distilled intelligence

– Intelligence feeds

– Digests used in the creation of parsers and connectors

Examples of Trend Information and Intelligence

• Daily average number of criminal SOCKS proxies submitted: 15883

• Number of SOCKS providers being reviewed: 7

• Unique upstream SOCKS connections into <research network> for the last week: 3406

• Total number of VPN entry nodes reported: 349

• Total number of VPN exit nodes reported: 11199

• Number of VPN providers being reviewed: 12

• Number of entries in insider_feed-domain: 118

• Number of entries in insider_feed-ip: 132

• Items shared with RSA Israel: 2 (1 set of CC dump site creds and 5 credit cards)

• Items shared with non-LE: 0

• Number of FBI referrals for this week: 0

• Different brands of proxy malware in Constellation: 4

• Malware reach-out requests: 1 (1 with REN-ISAC)

• Industry research attempts: 0

• Industry intel sharing efforts: 0

Examples of What We Encounter Daily

Andromeda - Botnet

Acquy007.biz – Exploit Kits / Credit Card Fraud

Approved.**

Generic Carder Site

Russian Based Carder / Dump Site

ProAdmin Mule / Drop Site

Zeus Botnet Variant

Behind Enemy Lines

• The modern Internet equates to a kind of Cyber ‘Hot Zone’*
• You enter into this environment in one of two conditions:
  – Informed and prepared
  – Uninformed and unprepared
• You don’t have the luxury of claiming ignorance in today’s Internet
  – Best case mocked and ridiculed
  – Worst case mocked, doxed, p0wn3d

Upstream and Beyond Your Demarcation Point

Behind Enemy Lines

• Globalization forces the situation
  – Friedman was right: the world is flat and a lot smaller thanks to the Internet
• Social media is heavily leveraged in order to reach an organization’s target and ancillary audiences
• Goal: increasing global awareness of organizational brand
  – At what cost?
• Faust’s Pact – Deal with the Devil

Upstream and Beyond Your Demarcation Point

Behind Enemy Lines

• Internet based threat actors continue to mature; mastering their art & science
  – Casting wide nets with well defined targets in mind
  – Study and master new techniques in coding, infiltration, and compromise
    • Poison Ivy, Stuxnet, DuQu, Flame, Gauss, VOHO
• Cyber crime, Industrial Espionage and Classic Espionage
  – Reality as opposed to fiction
  – Common linkage
• Cross pollination
  – Awareness is increasing, thus the seeming increase in events
• Broader, More Available Internet Profile = More Pronounced Attack Surface
  – Places Us at Risk and Identified as Someone’s:
    • Target of Opportunity (TOO)
    • Target of Intent (TOI)
    • Pivot Site (PS)

Upstream and Beyond Your Demarcation Point

Behind Enemy Lines
Upstream and Beyond Your Demarcation Point

• A word on the realities of industrial & traditional espionage
  – There is far more to this than most believe
  – It has been around much longer than terms such as ‘cyber’ or ‘apt’ have
  – Yes, it is likely that you’re a target regardless of whether or not you believe anyone would be interested in targeting your organization
  – The sooner you accept that you’re a target, the better off you’ll be
• Who’s behind this activity?
  – Hacktivists
  – Criminals
  – Nation states
  – All of the above


Paranoia or Preparedness


Paranoia or Preparedness?

“Sometimes paranoia’s just having all the facts.”

William S. Burroughs

…..and perhaps a bigger gun than Elmo!

Paranoia or Preparedness?

It pays to be paranoid

Paranoia != FUD
  – Burroughs Quote
  – Facts often more challenging than fiction

Are you prepared?
  – Compliance != preparedness
  – Auditors won’t be asked for quotes by the media if your organization is breached… you will
  – You’ll need to be able to understand who, what, where, when, how and perhaps most important why
  – Perhaps it is time to reconsider and redirect energies to ensure that preparedness is achieved and compliance initiatives satisfied

Adapt and Overcome
  – You have no choice; your organization, your personnel and your brand are already in the Hot Zone

Popping Smoke: You’ve Been Breached, Now What???
Building The Attribution Chain Link by Link


Keep Calm and Carry On
Building The Attribution Chain Link by Link

• Invoke your organizational incident response plan
  – “If you’re having incident problems, I feel bad for you son, I got 99 problems and breaches ain’t one”
  – Oh, you don’t have an incident response plan?
    • Contact RSA NetWitness
• This should be a well practiced and vetted exercise
  – Not a Chinese fire drill
• Ensure your OPSEC is sound
  – If it’s not you’ll know soon enough
• No Barney Fife IR initiation please kthanksbye

Keep Calm and Carry On
Building The Attribution Chain Link by Link

• Maintain order and ensure that you’re inspecting what you expect via the establishment of an evidentiary chain of custody through forensic analysis
• This requires that you:
  – Know where to begin
    • Is this an anomaly?
    • Is the anomaly an incident?
  – Clearly evaluate the situation (React, Respond, and Recover)
    • The hosts and systems involved
    • Samples collected from the hosts or submitted as part of the initial investigation
    • Collect and harvest evidence (information, data, samples etc.), paying attention to detail and to the order in which it was identified
      – Logging and / or cataloging is key here
• Processing

Keep Calm and Carry On
Building The Attribution Chain Link by Link

• Be careful not to misconstrue the following:
  – Heisenberg Principle != Observer Effect != Locard’s Exchange Principle
  – Each is important and provides a perspective
• So when collecting your evidence:
  – Interviews
  – Do you have what you need?
  – Network logs
    • DNS, SMTP, Routing Logs etc.
  – Session intelligence
  – Packet capture intelligence
  – Local host logs
  – Local host drive images
  – Impacted system images
• Attention to detail is crucial in ensuring that all data is collected, logged and made ready for analysis
• Lack of the above = failure to begin establishing the attribution chain
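The collection and cataloging steps on the two slides above, as an added example that is not part of the original deck: a hash-chained evidence catalog in which every record commits to the artifact's SHA-256 and to the previous record, so both the order of identification and the integrity of each item can be checked later. The evidence tags, handler name, timestamps and sample log lines are constructed for the example.

```python
import hashlib, json
GENESIS = "0" * 64  # link value for the first record; nothing precedes it

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

digest = lambda fields: sha256_hex(json.dumps(fields, sort_keys=True).encode())  # canonical JSON

class Ledger:
    """Append-only evidence catalog. Each record: seq (order identified), item_id,
    kind, content_hash (SHA-256 of the artifact at intake), handler (custodian),
    recorded_at, prev_hash (entry_hash of the previous record, GENESIS first) and
    entry_hash over all of them, so altering or reordering any record breaks the chain."""
    def __init__(self) -> None:
        self.records: list[dict] = []

    def add(self, item_id: str, kind: str, data: bytes, handler: str, when: str) -> None:
        prev = self.records[-1]["entry_hash"] if self.records else GENESIS
        rec = dict(seq=len(self.records) + 1, item_id=item_id, kind=kind,
                   content_hash=sha256_hex(data), handler=handler, recorded_at=when, prev_hash=prev)
        rec["entry_hash"] = digest(rec)  # computed over every field above
        self.records.append(rec)

    def verify(self, artifacts: dict[str, bytes]) -> list[str]:
        """Return findings; an empty list means ledger and artifacts are intact."""
        findings, expected_prev = [], GENESIS
        for i, r in enumerate(self.records, start=1):
            body = {k: v for k, v in r.items() if k != "entry_hash"}
            if (r["seq"], r["prev_hash"], r["entry_hash"]) != (i, expected_prev, digest(body)):
                findings.append(f"{r['item_id']}: record altered or out of order")
            data = artifacts.get(r["item_id"])
            if data is None:
                findings.append(f"{r['item_id']}: artifact missing")
            elif sha256_hex(data) != r["content_hash"]:
                findings.append(f"{r['item_id']}: artifact bytes differ from intake hash")
            expected_prev = r["entry_hash"]
        return findings

# Constructed sample artifacts standing in for the evidence types listed above.
SAMPLES = {
    "EV-001": b"2012-09-12T03:14:07Z dns query src=host-17 qname=dropzone.invalid type=A\n",
    "EV-002": b"2012-09-12T03:15:02Z smtp from=<hr@corp.invalid> attach=invoice.pdf.exe\n",
    "EV-003": b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00" + b"\x00" * 16,  # pcap-like header bytes
}

def build_ledger() -> Ledger:
    led = Ledger()
    for tag, kind in (("EV-001", "dns log"), ("EV-002", "smtp log"), ("EV-003", "pcap")):
        led.add(tag, kind, SAMPLES[tag], "analyst-1", "2012-09-12T04:00:00Z")
    return led
```

Running `build_ledger().verify(SAMPLES)` returns an empty list; replacing one artifact's bytes, dropping one, or swapping two records each produces a specific finding naming the affected evidence tag.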

Keep Calm and Carry On
Building The Attribution Chain Link by Link

• Analysis
  – Can you connect the dots?
  – Follow the bread crumbs?
  – If not, why? What’s missing?
  – Do you have anything conclusive that would be useful in establishing the attribution chain?
    • Compromises and threat actors have signatures; attributes unique to them
    • Have you identified anything that coincides with or ties to a known profile?
    • Do you have enough information from one or more systems and / or network elements to establish a pattern?
    • Telemetry?
    • Geographic Intelligence?

Analysis and the Attribution Chain
Building The Attribution Chain Link by Link

• Cast a wide net
  – Employ a discerning eye
• Research != Analysis
  – Beware this pitfall
• Review, Refine, Reassess, Enrich, Repeat
  – Inspect what you expect
• Telemetry
  – Telemetry = remote measurement
  – Critical in the establishment of data for the defining of research and sound analysis
  – Applicable to Internet (DNS / routing intel), local network, host etc.
  – C2 analysis, domain analysis, spider diagrams and ontology
  – Entropy

Analysis and the Attribution Chain
Building The Attribution Chain Link by Link

• Campaign Analysis
  – Malicious Code and Content Analysis
    • Vulnerability analysis
    • What’s required (vulnerability) for the malicious code to execute and succeed in its goals?
  – Observing the behavior of the malware in virtual machines and bare metal environments
  – Do the attributes noted with the malware align with or match those seen in other campaigns?
  – Is it part of a multi-stage campaign?
  – How do the samples relate to the network telemetry?
    • C2
    • Pivot sites
    • Covert channels
  – Botnet related?
  – Non-self propagating?

Analysis and the Attribution Chain
Building The Attribution Chain Link by Link

• Campaign Analysis Continued
  – Geo Intelligence
    • To some this seems less important than to others
    • I’m in the ‘others’ camp; high fidelity geo intelligence is very important in identifying campaign attributes and threat actors
  – Collaboration with trusted parties
    • Co-workers
    • Fellow researchers
    • Law enforcement
    • Can’t be stressed enough

Analysis and the Attribution Chain
Building The Attribution Chain Link by Link

• Campaign Analysis Continued
  – Data repatriation
    • Lots of debate on this
    • Ethics & morals
    • Responses are not always pleasant, nor are they always grateful, if in fact you receive one
  – Write up
  – Storage

Upcoming Webcasts

• Sept 26 – How to think like a security analyst of today
• Oct 17 – Why logs are not enough


Questions?


THANK YOU