NetWitness Investigator Freeware (SANS)
Network Intelligence, Threat Indicators and Session Exploitation
Brian Girardi, Director, Product Management, NetWitness Corporation
[email protected]
Copyright 2010 © All rights reserved. NetWitness Corporation
Agenda
» Investigator Freeware Introduction/Review
» Advanced Features
‣ Integration via “custom actions”
‣ Intelligence via “feeds”
‣ Indicators via “rules”
‣ Protocol/Session exploitation via “parsers”
» Implementation Scenarios
Investigator Freeware Core Concepts
» It's free! – requires annual registration
» What makes Investigator different?
‣ Designed from an analyst's perspective to answer complex questions from large amounts of raw network data
‣ Designed to analyze advanced threats, applications, content, incident response, <insert problem here>
‣ Empowers novice analysts AND accelerates experts
‣ Models network traffic, and exposes syntax to expand the model
‣ Session-based, NOT packet-based
Session Processing Step 1
» Packet Collection & Reassembly before anything else
• Putting the pieces back together: data arrives packetized, out of order, fragmented, mixed with other traffic and retransmitted; reassembly turns it back into a session (figure)
Session Processing Steps 2 & 3
» Application Identification, Meta Extraction, and Modeling
• Don't rely on port for true service type (HTTP != port 80)
• Extract pertinent network and application data
• Model and organize data for human consumption
Standard Features
» Real-time, patented layer 7 analytics
– Effectively analyze data starting from application layer entities like users, email, address, files, and actions
– Infinite, free-form analysis paths
– Content starting points
» Captures raw packets live from wired or 802.11 wireless networks
» Imports packets from any open-source, home-grown and commercial packet capture system (e.g. .pcap file import)
» Extensive network and application layer filtering (e.g. MAC, IP, User, Keywords, Etc.)
» IPv6 support
» Full content search, with Regex support
» Bookmarking & history tracking
» Integrated GeoIP for resolving IP addresses to city/country, supporting Google® Earth visualization
» SSL Decryption (requires the server's private key, not just its certificate)
» Interactive time charts, and summary view
» Interactive packet view and decode
» Hash data on capture and export
» Integrated Org, Domain, and ISP databases
» Supports VLAN meta tagging
» Supports IP Tunnel (i.e. GRE) meta tagging
» And More….
Now let's discuss advanced features…
Apply Your Own Intelligence & Needs
» Custom Actions
‣ “Right-click” query actions for context
» Feeds
‣ Means for creating metadata based on a list of values
‣ Ex. IP Reputation Feed
» Rules
‣ Evaluation of meta elements to alert, filter, stop/change processing or create more metadata
‣ Ex. If ip.dst=1.2.3.4 AND user='bob' then alert
» Parsers (aka FlexParse™)
‣ Exploitation of sessions and full payload to create metadata
‣ Ex. Identify packed executables/malware; interpret, identify and profile protocols, etc.
Aggregating Indicators
» Rules, Parsing and Feeds: aggregation of these methods helps profile actual threatening activity (figure)
• Advanced Threat
• Insider Threat
• Policy/Compliance
• Etc.
Custom Actions
» Configurable “right-click” actions out of Investigator to external tools
‣ URL-based
‣ Local Scripts
» Examples
Example: right-click hostname into Google (screenshot; the context menu also lists the other configured options)
Feeds
» Means for creating metadata based on external lists
‣ IP Address
‣ Hostnames
‣ Any metadata element
» Typical Uses
‣ Intelligence Feeds (Internet Storm Center/DShield Top 10000, for example)
‣ Define physical or logical mappings for metadata
• Campus, Department
• User Identity via Active Directory
• Network-specific maps
• DHCP mappings
• Etc…
Real-world feed uses
» Large Bank
• 17,000 known home-user IPs cross-referenced with a botnet membership list
» DoD
• 4000+ subnets, largely modeled after base locations
» Financial Services Firm
• Buildings
• Functional Area, i.e. Network Infrastructure
• System Area, i.e. Firewall, VPN, Critical Servers
Department & Location Feed
» Enterprise-specific context
‣ IP ranges that correlate to
• Company Department
• Physical Location
• Lat/Long Override
» Feed File Example
#networks#
172.16.60.1,172.16.60.254,NW-Wireless
172.16.70.1,172.16.70.254,NW-GuestNet
10.21.1.1,10.21.1.255,NW Infrastructure,38.967490,-77.379533
10.21.2.30,10.21.2.111,NW Users Net,38.967490,-77.379533
10.21.3.30,10.21.3.111,NW Dev Workstations,38.967490,-77.379533
10.21.4.1,10.21.4.255,NW Dev Servers,38.967490,-77.379533
10.21.5.1,10.21.5.111,NW VPN Users,38.967490,-77.379533
10.21.6.30,10.21.6.111,NW Wireless,38.967490,-77.379533
67.10.149.25,67.10.149.25,Nw TXGW,29.7296,-98.1001
172.16.55.0,172.16.55.255,NW-TX,29.7296,-98.1001
172.16.55.0,172.16.55.255,NW-TX,29.7296,-98.1001
192.168.1.1,192.168.1.255,NW Lab,38.742641,-77.199997
Feed Definition File
<FlatFileFeed name="NetName" path="networks.txt" separator="," comment="#">
  <LanguageKeys>
    <LanguageKey name="netname" valuetype="Text" srcname="netname.src" destname="netname.dst"/>
  </LanguageKeys>
  <Fields>
    <Field index="1" type="index" range="low"/>
    <Field index="2" type="index" range="high"/>
    <Field index="3" type="value" key="netname"/>
  </Fields>
</FlatFileFeed>
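How a flat-file feed of this shape turns into session metadata, as an added example (not NetWitness code): the script reads the definition above (index fields give the low/high end of an IP range, the value field gives the meta value), loads a networks.txt of the kind shown on the previous slide, and tags a session's source and destination addresses with netname.src/netname.dst, the names the LanguageKey's srcname/destname attributes specify. The definition and feed text are embedded so it runs offline; the last feed line is a constructed bad line to show that one malformed entry is skipped rather than taking the whole feed down. Note that this definition maps only columns 1-3, so the lat/long columns in the feed file are ignored.

```python
"""Flat-file feed loader mirroring the FlatFileFeed definition on the slide.

Added example, not NetWitness code.  Loads the feed definition and the
networks.txt it points at, then answers "which feed values cover this IP?"
for the src and dst of a session, registering them under the srcname /
destname keys from the definition (netname.src / netname.dst).
"""
import ipaddress
import xml.etree.ElementTree as ET

FEED_DEF = """<FlatFileFeed name="NetName" path="networks.txt" separator="," comment="#">
  <LanguageKeys>
    <LanguageKey name="netname" valuetype="Text" srcname="netname.src" destname="netname.dst"/>
  </LanguageKeys>
  <Fields>
    <Field index="1" type="index" range="low"/>
    <Field index="2" type="index" range="high"/>
    <Field index="3" type="value" key="netname"/>
  </Fields>
</FlatFileFeed>"""

# Lines 2-6 are copied from the slide; line 7 is a constructed bad line.
NETWORKS_TXT = """#networks#
172.16.60.1,172.16.60.254,NW-Wireless
10.21.1.1,10.21.1.255,NW Infrastructure,38.967490,-77.379533
10.21.5.1,10.21.5.111,NW VPN Users,38.967490,-77.379533
67.10.149.25,67.10.149.25,Nw TXGW,29.7296,-98.1001
192.168.1.1,192.168.1.255,NW Lab,38.742641,-77.199997
not-an-ip,10.0.0.1,Bad Line
"""


class FlatFileFeed:
    """One flat-file feed: IP ranges -> meta value, plus the meta key names."""

    def __init__(self, definition_xml: str, feed_text: str):
        root = ET.fromstring(definition_xml)
        self.separator = root.get("separator", ",")
        self.comment = root.get("comment", "#")
        key = root.find("LanguageKeys/LanguageKey")
        self.srcname = key.get("srcname")
        self.destname = key.get("destname")
        # <Field index="..."> is 1-based on the slide; map it to list positions
        cols = {}
        for field in root.findall("Fields/Field"):
            label = field.get("range") if field.get("type") == "index" else field.get("key")
            cols[label] = int(field.get("index")) - 1
        self.low_col, self.high_col = cols["low"], cols["high"]
        self.value_col = cols[key.get("name")]
        self.errors = []          # feed lines that could not be parsed
        self.ranges = self._load(feed_text)

    def _load(self, feed_text):
        ranges = []
        for lineno, raw in enumerate(feed_text.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith(self.comment):
                continue
            cols = [c.strip() for c in line.split(self.separator)]
            try:
                low = ipaddress.ip_address(cols[self.low_col])
                high = ipaddress.ip_address(cols[self.high_col])
                value = cols[self.value_col]
            except (IndexError, ValueError) as exc:
                # one bad line must not take the whole feed down: record and skip
                self.errors.append(f"line {lineno}: {exc}")
                continue
            if low.version != high.version or high < low:
                self.errors.append(f"line {lineno}: bad range {low}-{high}")
                continue
            ranges.append((low, high, value))
        return ranges

    def lookup(self, ip: str) -> list:
        """All feed values whose range contains `ip` (ranges may overlap)."""
        addr = ipaddress.ip_address(ip)
        return [value for low, high, value in self.ranges
                if addr.version == low.version and low <= addr <= high]

    def tag_session(self, ip_src: str, ip_dst: str) -> dict:
        """The meta this feed adds to one session; empty lists mean no hit."""
        return {self.srcname: self.lookup(ip_src),
                self.destname: self.lookup(ip_dst)}


if __name__ == "__main__":
    feed = FlatFileFeed(FEED_DEF, NETWORKS_TXT)
    print(feed.tag_session("10.21.5.7", "67.10.149.25"))
    print("feed errors:", feed.errors)
```

A linear scan over the ranges is fine for a few hundred entries; a feed like the 4000-subnet DoD example on the next slide would want the ranges sorted and bisected, but the meta produced is the same.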
Netname Feed Classification
Analysis with Threat Feeds
Loading Internet Storm Center Feed (screenshot: Load feeds dialog)
Feed Category Hits (screenshot: hits found on the SANS feed)
Session Details Review
» HTTP PUT with a likely C&C query string
» IP found in SANS feed
» Encoded/encrypted payload
Rules
» Rules can be used to
‣ filter data in/out
‣ truncate packets
‣ alert/flag
» Rules span
‣ network elements
‣ application layer elements
» Control depth of processing
Network Layer Rules
Application Layer Rules
Rule Examples
» Filter
‣ Advertisements (ends in “doubleclick.net”)
‣ Software Updates (ends in “liveupdate.symantec.com”)
‣ Media (ends in “player.xmradio.com”)
‣ Backup servers (192.168.1.54, etc.)
‣ Filter *(All), Keep email = “[email protected]”
» Truncate
‣ Drop packet payload for the SSH and SSL ports
» Alert
‣ Non-standard port activity (non-HTTP over port 80)
‣ DynDNS domains
‣ BOT profiles
‣ Clear-text passwords
‣ Tunneling services (gotomypc, anonymizers, etc.)
‣ Specific threat profiles
‣ Etc…
Rule Example
Tip: faster to check range than !=
Non-standard HTTP
Nonstandard HTTP Details
Facebook Koobface Malware Example
» Basic Rule:
‣ Service = HTTP(80) && alias.host = 'locator.getconnected.be'
» Better Rule:
‣ Service = HTTP(80) && alias.host exists && (query contains 'action=' && query contains 'c_fb=' && query contains 'c_ms=' && query contains 'c_hi=' && query contains 'c_tw=' && query contains 'c_be=' && query contains 'c_tg=' && query contains 'c_nl=')
» Based on the URL parameters Koobface passes when it checks in: the hostname rule goes silent as soon as the C&C domain moves, the parameter rule does not
» Ref: http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_20heart_20of_20koobface_final_1_.pdf
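The two rules above, and the ad.php query-string rule used in the JRE case later in the deck, expressed as predicates over the meta an HTTP parser would register, as an added example (not NetWitness code). It runs them over constructed request lines to show the point of the "better" rule: the same check-in query is caught whether or not the host is still locator.getconnected.be. The request paths and the hostnames other than locator.getconnected.be and 95.211.14.21 are made up for the example.

```python
"""Koobface check-in rules as Python predicates over HTTP request meta.

Added example, not NetWitness code.  http_meta() stands in for the HTTP
parser (service, alias.host, filename, query); the rule functions are the
slide's rules; evaluate() reports which of them fire for one request.
"""
from urllib.parse import parse_qs, urlsplit

KOOBFACE_KEYS = ("action", "c_fb", "c_ms", "c_hi", "c_tw", "c_be", "c_tg", "c_nl")
ADPHP_KEYS = ("pl", "ce", "hb", "av", "jv")          # ad.php rule, JRE case


def http_meta(request_line: str, host: str, port: int = 80) -> dict:
    """Meta an HTTP parser would register for one request seen on `port`."""
    _method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    return {
        "service": port,
        "alias.host": host,
        "filename": parts.path.rsplit("/", 1)[-1],
        "query": parts.query,
        # parameter names only: stricter than the slide's substring test,
        # which would also accept 'c_fb=' appearing inside another value
        "query.keys": set(parse_qs(parts.query, keep_blank_values=True)),
    }


def basic_rule(meta: dict) -> bool:
    """Service = HTTP(80) && alias.host = 'locator.getconnected.be'"""
    return meta["service"] == 80 and meta["alias.host"] == "locator.getconnected.be"


def query_has_all(meta: dict, keys) -> bool:
    """Service = HTTP(80) && alias.host exists && query contains every key."""
    return (meta["service"] == 80
            and bool(meta["alias.host"])
            and all(k in meta["query.keys"] for k in keys))


def evaluate(meta: dict) -> list:
    """Names of the rules that fire for one request's meta."""
    fired = []
    if basic_rule(meta):
        fired.append("koobface_basic")
    if query_has_all(meta, KOOBFACE_KEYS):
        fired.append("koobface_better")
    if meta["filename"] == "ad.php" and query_has_all(meta, ADPHP_KEYS):
        fired.append("jre_adphp_querystring")
    return fired


# Constructed sample traffic: the first two carry the same check-in
# query and differ only in the host the bot talked to.
CHECKIN = ("GET /check.php?action=fbgen&v=19&c_fb=1&c_ms=0&c_hi=0"
           "&c_tw=0&c_be=0&c_tg=0&c_nl=0 HTTP/1.1")
SAMPLES = [
    (CHECKIN, "locator.getconnected.be"),
    (CHECKIN, "new-cc-host.example"),                       # C&C hostname rotated
    ("GET /profile.php?action=view&id=42 HTTP/1.1", "www.example.com"),
    ("GET /measure/ad.php?pl=1&ce=1&hb=0&av=9&jv=1.6 HTTP/1.1", "95.211.14.21"),
    ("GET /c_fb=1&c_ms=0 HTTP/1.1", "host.example"),        # keys in the path, not the query
]

if __name__ == "__main__":
    for line, host in SAMPLES:
        print(f"{host:28} {evaluate(http_meta(line, host))}")
```

The last sample is the reason for matching on parsed parameter names: a plain substring test on the request would light up on any URL that merely contains the bytes, while a query-string check only fires when the parameters are actually passed.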
Parsers
FlexParse™
» FlexParse exposes the network session parsing and metadata model
‣ Configure how to identify applications and extract data
• XML parser definitions
• Register search tokens
• Perform logic operations
• Register metadata for the NetWitness system
» Why?
‣ Instantly customize and expand processing and modeling behavior
‣ Processing flexibility for networks with:
• heavy application profiles
• proprietary protocols
• threats that don't fall into common intrusion detection methods
» What's possible…
‣ Expand baseline parsers, fast-flux identification, social networking profiling, mainframe exploitation, SCADA, file object identification, complex threat identification, etc.
SCADA MODBUS Parser
Simple MODBUS Parser
» Why?
‣ Need insight into SCADA over IP to correlate with other network activity – critical infrastructure monitoring
» Demonstrate
‣ Create new Service type for MODBUS
‣ Simple binary protocol whose numeric function codes map to actions:
• “Read Coil Status”
• “Read Input Status”
• “Read Hold Registers”
• “Read Input Registers”
• “Force Single Coil”
• “Force Multiple Coils”
• Etc……
MODBUS Protocol
» If port 502 AND tokens exist, then classify the session as MODBUS and extract actions (figure: a request with the PROTOCOL and ACTION fields labelled)
Simple MODBUS protocol FlexParser Syntax
<?xml version="1.0" encoding="utf-8"?>
<parsers xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="parsers.xsd">
  <parser name="MODBUS" desc="MODBUS SCADA Protocol" service="502">
    <declaration>
      <number name="vTemp" />
      <number name="vState" />
      <number name="vID"/>
      <port name="server-port" value="502" />
      <meta name="action" format="Text" key="action"/>
    </declaration>
    <match name="server-port">
      <assign name="vTemp" value="1" />
      <while name="vTemp" equal="1">
        <assign name="vTemp" value="0" />
        <move value="2">
          <read name="vState" length="2">
            <if name="vState" equal="0">
              <assign name="vID" value="1" />
              <assign name="vTemp" value="1" />
              <move value="3">
                <read name="vState" length="1">
                  <if name="vState" equal="1">
                    <register name="action" value="Read Coil Status"/>
                  </if>
                  <if name="vState" equal="2">
                    <register name="action" value="Read Input Status"/>
                  </if>
                  <if name="vState" equal="3">
                    <register name="action" value="Read Hold Registers"/>
                  </if>
                  <if name="vState" equal="4">
                    <register name="action" value="Read Input Register"/>
                  </if>
…………….
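The same walk over a Modbus/TCP stream in Python, as an added example (not NetWitness code): each ADU starts with the 7-byte MBAP header (transaction id, protocol id which is 0 for Modbus, length, unit id) followed by the function code, which is exactly what the parser's `<move value="2">`, `<read length="2">`, `<move value="3">`, `<read length="1">` sequence skips and reads. The loop keeps going while the protocol id is 0, as the `<while name="vTemp">` does, and stops on the first ADU that is not Modbus. The sample stream is constructed.

```python
"""Modbus/TCP function-code extraction mirroring the FlexParse logic above.

Added example, not NetWitness code.  Walks a reassembled stream seen on
the Modbus server port (502), checks the MBAP protocol identifier, and
registers an "action" value per request PDU, as <register name="action">
does.  The sample stream below is constructed for this example.
"""
import struct

# Modbus function codes -> the action names used on the slide
ACTIONS = {
    1: "Read Coil Status",
    2: "Read Input Status",
    3: "Read Hold Registers",
    4: "Read Input Registers",
    5: "Force Single Coil",
    15: "Force Multiple Coils",
}

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


def modbus_actions(stream: bytes) -> list:
    """Return the action meta registered for every PDU in `stream`.

    Equivalent to the FlexParse loop: skip the transaction identifier,
    read the protocol id (must be 0), skip length + unit id, read the
    function code.  Unknown function codes come back as "Unknown (n)".
    Parsing stops at the first ADU whose protocol id is not 0, since the
    stream is then not Modbus/TCP (or has lost sync).
    """
    actions = []
    offset = 0
    while offset + MBAP_LEN + 1 <= len(stream):
        _tid, proto, length, _unit = struct.unpack_from(">HHHB", stream, offset)
        if proto != 0:          # vState != 0 -> the parser's loop ends
            break
        func = stream[offset + MBAP_LEN]
        actions.append(ACTIONS.get(func, f"Unknown ({func})"))
        # `length` counts unit id + PDU, so the next ADU starts after it
        offset += 6 + length
    return actions


def build_adu(tid: int, func: int, payload: bytes, unit: int = 1) -> bytes:
    """Build one Modbus/TCP ADU (MBAP header + PDU) for the sample stream."""
    pdu = bytes([func]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample: three requests (Read Coils, Read Holding Registers,
# Force Single Coil) followed by bytes that are not Modbus/TCP (non-zero
# protocol id), which must stop the loop.
SAMPLE_STREAM = (
    build_adu(1, 1, struct.pack(">HH", 0, 8))            # read 8 coils from 0
    + build_adu(2, 3, struct.pack(">HH", 0x10, 2))       # read 2 holding regs
    + build_adu(3, 5, struct.pack(">HH", 0x03, 0xFF00))  # coil 3 ON
    + b"GET / HTTP/1.1\r\n"                              # not Modbus
)

if __name__ == "__main__":
    for action in modbus_actions(SAMPLE_STREAM):
        print(action)
```

The write functions (5, 6, 15, 16) are the ones worth alerting on from a monitoring position: a read is what an HMI does all day, a "Force Single Coil" from an address outside the control network is not.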
Detecting Malicious PDF Parser
Detecting Malicious PDFs
» Why?
‣ One of the most pervasive exploitation techniques currently in use
‣ Very effective exploitation technique that can be difficult to detect
» Demonstrate
‣ Combined existence of PDF tokens, including JavaScript, that classifies potentially malicious objects
‣ Use “flags” to keep “state” between several different <match> statements
Parser Logic
» Find the following token:‣ HTTP/1.1 200 OK
» If above is found, then find token:‣ Content-Type: application/pdf
» If above is found, then find token:‣ %PDF-1.
» If above is found, then alert if the following is found:‣ /S/JavaScript
Parser Syntax
<declaration>
  <token name="token_http_header" value="HTTP/1.1 200 OK" options="linestart"/>
  <token name="token_content_type" value="Content-Type: application/pdf" options="linestart"/>
  <token name="token_pdf_header" value="%PDF-1."/>
  <token name="token_open_brackets" value="<<"/>
  <number name="flag_state_traker" scope="session"/>
  <string name="str_holding"/>
  <number name="num_offset"/>
  <meta name="event" key="alert" format="Text"/>
</declaration>
Declare tokens
Parser Syntax
<match name="token_http_header">
  <assign name="flag_state_traker" value="1"/>
</match>
<match name="token_content_type">
  <if name="flag_state_traker" equal="1">
    <assign name="flag_state_traker" value="2"/>
  </if>
</match>
<match name="token_pdf_header">
  <if name="flag_state_traker" equal="2">
    <assign name="flag_state_traker" value="3"/>
  </if>
</match>
Maintain state of token identification
Parser Syntax
<match name="token_open_brackets">
  <if name="flag_state_traker" equal="3">
    <find value=">>" length="50" name="num_offset">
      <read length="$num_offset" name="str_holding">
        <find in="$str_holding" name="num_offset" value="S/JavaScript">
          <register name="event" value="lab_advanced_pdf_with_javascript"/>
        </find>
      </read>
    </find>
  </if>
</match>
Find JavaScript in PDF
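The three-slide state machine in one Python function, as an added example (not NetWitness code): it walks a server-to-client HTTP response in the parser's token order ("HTTP/1.1 200 OK" at line start, then "Content-Type: application/pdf" at line start, then "%PDF-1.") and only then inspects `<< ... >>` dictionaries, looking at most `max_dict_len` bytes for the closing `>>` exactly as `<find value=">>" length="50">` does, and registers the same alert value. It goes beyond the slide in one way, marked in the code: it tolerates whitespace between /S and /JavaScript and decodes #xx escapes in PDF names, so `/J#61vaScript` is still caught. The sample responses are constructed; the last one is there to show what the 50-byte window costs.

```python
"""PDF-with-JavaScript detection mirroring the FlexParse state machine above.

Added example, not NetWitness code.  Token order and the ">>" search
window follow the slide; the name-escape decoding and the whitespace
tolerance in JS_ACTION are additions.
"""
import re

ALERT = "lab_advanced_pdf_with_javascript"

# Tokens 1-3, in the order flag_state_traker walks them; the slide's
# "linestart" option becomes ^ with re.M here.
TOKENS = (
    re.compile(rb"^HTTP/1\.1 200 OK", re.M),
    re.compile(rb"^Content-Type: application/pdf", re.M),
    re.compile(rb"%PDF-1\."),
)
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# Addition over the slide's literal "S/JavaScript": optional whitespace
JS_ACTION = re.compile(rb"/S\s*/JavaScript\b")


def _unescape_names(dictionary: bytes) -> bytes:
    """Addition over the slide: resolve /J#61vaScript -> /JavaScript."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), dictionary)


def pdf_javascript_alert(response: bytes, max_dict_len: int = 50):
    """Return the alert meta value, or None, for one HTTP response."""
    pos = 0
    for token in TOKENS:                      # states 1, 2, 3
        m = token.search(response, pos)
        if not m:
            return None                       # chain broken: no alert
        pos = m.end()
    # state 3: every "<<" after the PDF header is a candidate dictionary
    start = response.find(b"<<", pos)
    while start >= 0:
        end = response.find(b">>", start + 2, start + 2 + max_dict_len)
        if end >= 0 and JS_ACTION.search(_unescape_names(response[start + 2:end])):
            return ALERT
        start = response.find(b"<<", start + 2)
    return None


def _http(content_type: bytes, body: bytes, status: bytes = b"200 OK") -> bytes:
    """Constructed HTTP response for the samples below."""
    return b"HTTP/1.1 " + status + b"\r\nContent-Type: " + content_type + b"\r\n\r\n" + body


# Constructed samples
JS_PDF = _http(b"application/pdf",
               b"%PDF-1.4\n5 0 obj\n<< /S /JavaScript /JS (app.alert(1)) >>\nendobj\n")
ESCAPED_PDF = _http(b"application/pdf",
                    b"%PDF-1.6\n5 0 obj\n<</S/J#61vaScript/JS(1)>>\nendobj\n")
BENIGN_PDF = _http(b"application/pdf",
                   b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n")
HTML_PAGE = _http(b"text/html", b"<p>%PDF-1.4 << /S /JavaScript >></p>")
NOT_FOUND = _http(b"application/pdf", b"%PDF-1.4\n<< /S /JavaScript >>", status=b"404 Not Found")
LONG_DICT = _http(b"application/pdf",
                  b"%PDF-1.4\n5 0 obj\n<< /Type /Action /S /JavaScript "
                  b"/JS (app.alert('this dictionary runs well past fifty bytes')) >>\nendobj\n")

if __name__ == "__main__":
    for name, sample in [("JS_PDF", JS_PDF), ("ESCAPED_PDF", ESCAPED_PDF),
                         ("BENIGN_PDF", BENIGN_PDF), ("HTML_PAGE", HTML_PAGE),
                         ("NOT_FOUND", NOT_FOUND), ("LONG_DICT", LONG_DICT)]:
        print(f"{name:12} {pdf_javascript_alert(sample)}")
```

LONG_DICT is the caveat: a real `/Type /Action /S /JavaScript /JS (...)` dictionary easily exceeds 50 bytes, so the window in `<find value=">>" length="50">` should be sized for the dictionaries you actually expect, and anything inside a compressed object stream is invisible to a token parser altogether. Treat the alert as a starting point and pull the object out for offline analysis.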
Suspicious Trigger (screenshot: the parser alert)
PDF with JavaScript (screenshot: the matched tokens)
JRE 0day Analysis … the short version
Using Feeds, Rules & Parsers to Investigate & Profile
Background
» April 9th 2010 – Tavis Ormandy of Google Security identifies Java Deployment Toolkit flaw
‣ Affects all versions of Java that ship the Deployment Toolkit
» April 11th – Active exploitation via rogue advertisements on nytimes.com, foxnews.com, oprah.com, ufc.com and others
‣ Malicious .jar file
‣ Referrer contains ‘nytimes.com’, ‘foxnews.com’, ‘oprah.com’, ‘ufc.com’
» How do we leverage feeds, rules and parsers to profile? Do I have a problem?
‣ 0day: feeds may not provide intelligence yet
Hunting for Anomalous Traffic
» Profile HTTP for Java archives (potential Deployment Toolkit use)
» Rule: service = HTTP(80) && content = 'application/java-archive'
» Dig more on this… (screenshot)
Internal host being referred to what?
» Use IP from anomalous traffic analysis
‣ Rule: ip.src = 156.145.x.x && referrer contains 'nytimes.com', 'foxnews.com', etc.
» Redirection to 95.211.14.21
‣ Netherlands hosting provider
‣ 95.211.14.21/measure/ad.php
‣ Inspect the PHP
» Rule to profile & find the ad.php query string:
‣ service = HTTP(80) && (query contains 'pl=' && query contains 'ce=' && query contains 'hb=' && query contains 'av=' && query contains 'jv=')
ad.php behavior
» Downloads “p.gif” from the referred location (screenshot: really, a .gif?)
» How many times have I seen this “.gif”?
Compromised Hosts
» Rule: service = HTTP(80) && filename = 'p.gif' && content = 'application/octet-stream'
» 3 sessions
» 3 unique hosts
Deeper Analysis…
» p.gif (exe) appears corrupt
‣ Does that mean no one was infected?
» Let's have a look at the .jar
» The .jar modifies the first two bytes of the binary to subvert “MZ” token signatures (screenshot: hex view where “MZ” should be)
» FlexParse: profile the malware…
Flex Parser for Obfuscated Exe in Image
<parser name="non_matching_app_content_type" desc="non_matching_app_content_type">
  <declaration>
    <meta name="alert" key="alert" format="Text"/>
    <token name="get" value="GET " options="linestart"/>
    <token name="content" value="This program cannot be run in DOS mode"/>
    <token name="content" value="This program must be run under Win32"/>
    <token name="named_types" value=".jpg HTTP/1.1" options="linestop"/>
    <token name="named_types" value=".gif HTTP/1.1" options="linestop"/>
    <token name="named_types" value=".png .....<snip>
    <number name="session_flag" scope="session"/>
  </declaration>
  <match name="get">
    <assign name="session_flag" value="0"/>
  </match>
  <match name="named_types">
    <if name="session_flag" equal="0">
      <assign name="session_flag" value="2"/>
    </if>
  </match>
  <match name="content">
    <if name="session_flag" equal="2">
      <register name="alert" value="non_matching_app_content_type"/>
      <assign name="session_flag" value="0"/>
    </if>
  </match>
If GET image & content contains “… run in DOS mode…” or “… under Win32…”
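The parser's logic in Python, as an added example (not NetWitness code). Like the parser it keys on the DOS-stub strings rather than the "MZ" magic, which is the point of this slide: the .jar rewrote the first two bytes of p.gif, so any signature anchored on "MZ" misses it. It works over a reassembled session holding the request followed by the response (a simplification of the two-direction session the parser sees) and adds one field the slide does not register: whether the "MZ" magic is intact, so an analyst can tell an executable merely renamed to .gif from one whose header was deliberately patched. All sample sessions are constructed; the fake executable is a stub, not a real binary.

```python
"""Executable served as an image: the FlexParse logic above, in Python.

Added example, not NetWitness code.  IMAGE_REQUEST is the slide's
"linestart" GET token combined with its "linestop" named_types tokens;
DOS_STUBS are its two "content" tokens.  The mz_intact field is an
addition.  All sessions below are constructed.
"""
import re

# GET <path>.<image ext> HTTP/1.x at line start, nothing after it on the line
IMAGE_REQUEST = re.compile(rb"^GET \S+\.(?:jpg|jpeg|gif|png|bmp) HTTP/1\.[01]\r?$", re.M)
DOS_STUBS = (b"This program cannot be run in DOS mode",
             b"This program must be run under Win32")
ALERT = "non_matching_app_content_type"


def classify(session: bytes) -> dict:
    """Return {'alert': ALERT, 'mz_intact': bool} or {} when no alert fires."""
    req = IMAGE_REQUEST.search(session)
    if not req:
        return {}                                   # session_flag stays 0
    resp = session.find(b"HTTP/1.", req.end())      # start of the response
    hdr_end = session.find(b"\r\n\r\n", resp) if resp >= 0 else -1
    if hdr_end < 0:
        return {}
    body = session[hdr_end + 4:]
    if not any(stub in body for stub in DOS_STUBS):
        return {}
    return {"alert": ALERT, "mz_intact": body.startswith(b"MZ")}


def _session(request_target: bytes, content_type: bytes, body: bytes) -> bytes:
    """Constructed request + response pair for the samples below."""
    return (b"GET " + request_target + b" HTTP/1.1\r\nHost: ad-server.example\r\n\r\n"
            b"HTTP/1.1 200 OK\r\nContent-Type: " + content_type + b"\r\n\r\n" + body)


# Constructed stand-in for a PE file: MZ magic, padding, DOS stub text
FAKE_EXE = (b"MZ\x90\x00" + b"\x00" * 60
            + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21"
            + b"This program cannot be run in DOS mode.\r\r\n$" + b"\x00" * 16)
PATCHED_EXE = b"\x00\x00" + FAKE_EXE[2:]             # what the .jar did to p.gif

SAMPLES = {
    "patched_exe_as_gif": _session(b"/measure/p.gif", b"application/octet-stream", PATCHED_EXE),
    "plain_exe_as_gif": _session(b"/img/logo.gif", b"image/gif", FAKE_EXE),
    "real_gif": _session(b"/img/logo.gif", b"image/gif", b"GIF89a\x01\x00\x01\x00\x80\x00\x00"),
    "exe_as_exe": _session(b"/update.exe", b"application/octet-stream", FAKE_EXE),
}

if __name__ == "__main__":
    for name, session in SAMPLES.items():
        print(f"{name:20} {classify(session)}")
```

"exe_as_exe" deliberately does not fire, matching the parser: it is scoped to executables hiding behind image names, not to every executable download. A stub string the dropper also rewrites would defeat this check too; the durable lesson is to key on content the attacker has to keep intact for the payload to run, and to keep more than one such token.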
Summary
» Investigator – Free!
» Custom actions, Feeds, Rules and Parsers expand analytical capabilities
» Aggregating advanced indicators and profiling techniques really helps
» Resources
‣ Community (http://community.netwitness.com)
• Rule examples
• FlexParser examples
• Tips/Tricks
• Discussion
‣ YouTube (http://www.youtube.com/netwitness)
‣ Training Webcasts (www.netwitness.com)
‣ Brian Girardi, [email protected]
Q&A