1 © Copyright 2012 EMC Corporation. All rights reserved.
LINK BY LINK Crafting The Attribution Chain
Will Gragido, Sr. Manager RSA FirstWatch [email protected] 2012
Agenda
• Introductions
• Behind Enemy Lines
• Paranoia or Preparedness
• Popping Smoke: You’ve Been Breached, Now What???
• Keep Calm and Carry On
• Analysis and the Attribution Chain
• Thank you!
Introduction
“Research is to see what everybody else has seen, and to think what nobody else has thought.” - Albert Szent-Gyorgyi
RSA FirstWatch’s Approach to Research & Analysis
• Heavy emphasis on things with no names…
• This is where we spend most of our time
• Why? Because…
  – Things that already have names are known
  – Many times easier to contend with
  – IOCs and associated telemetry are public and, though important, perhaps not revelatory
Five Pillars of Research We Work Within
• Pragmatic
• Academic
• Specialized
• Skunk works
• Collaborative
RSA FirstWatch Focus
– TTP of Threat Actors
  • Criminal, Amateur
  • Criminal, Professional
  • Confederation
  • Sub-national
  • State Actor
– Activity
  • Trafficking
  • Sourcing
  • Muling
  • Crimeware as a Service (CaaS)
– IOCs
– Telemetry
– Malicious Code & Content, Binaries, PE etc.
– Known bad and suspected IP addresses & domains
– Botnet C&C
– Communications occurring within observable environments (multi-language)*
– HUMINT | SIGINT | ESINT | OSINT | GEOINT related data*
– Data repatriation & attribution trail analysis*
Examples of What We See…
• Crimeware
  – Exploit kits
  – DDoS tools
• Botnets
  – Botnet Control Panels
  – C&C Trojans
• Malicious Code & Content
  – Rootkits
  – Trojans
  – C&C enabled Trojans
  – Blended threats
    • Metamorphic
    • Polymorphic
  – Spyware
• Crimeware as a Service (CaaS)
  – DDoS
  – Botnet drone
  – Credit Card clearing
  – Muling
  – Mule retransmission and middleman
    • Credit Card clearing forums
    • Credit Card purchasing / brokering sites
• Campaign Analysis
  – Targeted
  – Non-targeted
  – Criminal
  – Sub-national
  – State Sponsored
So What Does This Mean?
• Intense, global approach to intelligence collection
• Multi-dimensional approach to disparate intelligence driven data sets
• Manual and automated analysis
• High fidelity intelligence
• Net Effect = Distilled intelligence
– Intelligence feeds
– Digests used in the creation of parsers and connectors
Examples of Trend Information and Intelligence
• Daily average number of criminal SOCKS proxies submitted: 15883
• Number of SOCKS providers being reviewed: 7
• Unique upstream SOCKS connections into <research network> for the last week: 3406
• Total number of VPN entry nodes reported: 349
• Total number of VPN exit nodes reported: 11199
• Number of VPN providers being reviewed: 12
• Number of entries in insider_feed-domain: 118
• Number of entries in insider_feed-ip: 132
• Items shared with RSA Israel: 2 (1 set of CC dump site creds and 5 credit cards)
• Items shared with non-LE: 0
• Number of FBI referrals for this week: 0
• Different brands of proxy malware in Constellation: 4
• Malware reach-out requests: 1 (1 with REN-ISAC)
• Industry research attempts: 0
• Industry intel sharing efforts: 0
Acquy007.biz – Exploit Kits / Credit Card Fraud
Behind Enemy Lines
• The modern Internet equates to a kind of Cyber ‘Hot Zone’*
• You enter this environment in one of two conditions:
  – Informed and prepared
  – Uninformed and unprepared
• You don’t have the luxury of claiming ignorance in today’s Internet
  – Best case: mocked and ridiculed
  – Worst case: mocked, doxed, p0wn3d
Upstream and Beyond Your Demarcation Point
Behind Enemy Lines
• Globalization forces the situation
  – Friedman was right: the world is flat and a lot smaller thanks to the Internet
• Social media is heavily leveraged in order to reach an organization’s target and ancillary audiences
• Goal: increasing global awareness of the organizational brand
  – At what cost?
• Faust’s Pact – Deal with the Devil
Upstream and Beyond Your Demarcation Point
Behind Enemy Lines
• Internet based threat actors continue to mature, mastering their art & science
  – Casting wide nets with well defined targets in mind
  – Studying and mastering new techniques in coding, infiltration, and compromise
    • Poison Ivy, Stuxnet, DuQu, Flame, Gauss, VOHO
• Cyber crime, Industrial Espionage and Classic Espionage
  – Reality as opposed to fiction
  – Common linkage
• Cross pollination
  – Awareness is increasing, thus the seeming increase in events
• Broader, More Available Internet Profile = More Pronounced Attack Surface
  – Places us at risk and identified as someone’s:
    • Target of Opportunity (TOO)
    • Target of Intent (TOI)
    • Pivot Site (PS)
Upstream and Beyond Your Demarcation Point
Behind Enemy Lines
Upstream and Beyond Your Demarcation Point
• A word on the realities of industrial & traditional espionage
  – There is far more to this than most believe
  – It has been around much longer than terms such as ‘cyber’ or ‘APT’
  – Yes, it is likely that you’re a target regardless of whether or not you believe anyone would be interested in targeting your organization
  – The sooner you accept that you’re a target, the better off you’ll be
• Who’s behind this activity?
  – Hacktivists
  – Criminals
  – Nation states
  – All of the above
Paranoia or Preparedness?
“Sometimes paranoia’s just having all the facts.”
William S. Burroughs
… and perhaps a bigger gun than Elmo!
Paranoia or Preparedness?
It pays to be paranoid
• Paranoia != FUD
  – Burroughs quote
  – Facts are often more challenging than fiction
• Are you prepared?
  – Compliance != preparedness
  – Auditors won’t be asked for quotes by the media if your organization is breached… you will
  – You’ll need to be able to understand who, what, where, when, how and, perhaps most important, why
  – Perhaps it is time to reconsider and redirect energies to ensure that preparedness is achieved and compliance initiatives satisfied
• Adapt and Overcome
  – You have no choice; your organization, your personnel and your brand are already in the Hot Zone
Popping Smoke: You’ve Been Breached, Now What??? Building The Attribution Chain Link by Link
Keep Calm and Carry On Building The Attribution Chain Link by Link
Keep Calm and Carry On Building The Attribution Chain Link by Link
• Invoke your organizational incident response plan
  – “If you’re having incident problems, I feel bad for you son, I got 99 problems and breaches ain’t one”
  – Oh, you don’t have an incident response plan?
    • Contact RSA NetWitness
• This should be a well practiced and vetted exercise
  – Not a Chinese fire drill
• Ensure your OPSEC is sound
  – If it’s not, you’ll know soon enough
• No Barney Fife IR initiation please, kthanksbye
Keep Calm and Carry On Building The Attribution Chain Link by Link
• Maintain order and ensure that you’re inspecting what you expect by establishing an evidentiary chain of custody through forensic analysis
• This requires:
  – Knowing where to begin
    • Is this an anomaly?
    • Is the anomaly an incident?
  – Clear evaluation of the situation (React, Respond, and Recover)
    • The hosts and systems involved
    • Samples collected from the hosts or submitted as part of the initial investigation
    • Collect and harvest evidence (information, data, samples etc.), paying attention to detail and to the order in which it was identified
      – Logging and / or cataloging is key here
  – Processing
Keep Calm and Carry On Building The Attribution Chain Link by Link
• Be aware that the following are not to be confused with one another:
  – Heisenberg Principle != Observer Effect != Locard’s Exchange Principle
  – Each is important and provides a perspective
• So when collecting your evidence:
  – Interviews
  – Do you have what you need?
  – Network logs
    • DNS, SMTP, Routing Logs etc.
  – Session intelligence
  – Packet capture intelligence
  – Local host logs
  – Local host drive images
  – Impacted system images
• Attention to detail is crucial in ensuring that all data is collected, logged and made ready for analysis
• Lack of the above = failure to begin establishing the attribution chain
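The collection and cataloging steps on the last two slides (order of identification, custody, logging) can be made checkable. The ledger below is an added example, not code from the talk or from RSA FirstWatch: each artefact is entered in the order it was identified, fingerprinted with SHA-256 and linked to the previous entry, so a later edit to an artefact, a ledger entry, or the ordering is detectable when the chain is verified. Labels, sources and handler names are assumed.

```python
"""Chain-of-custody ledger: each collected artefact (log, pcap, disk image) is
catalogued in the order identified, fingerprinted with SHA-256 and linked to the
previous entry. Added example, not the talk's code; names and data are constructed."""
import hashlib
import json
from dataclasses import dataclass, asdict

GENESIS = "0" * 64  # link value used by the first entry

@dataclass
class Entry:
    seq: int       # order in which the artefact was identified
    label: str     # e.g. "dns log", "pcap", "disk image"
    source: str    # host or network element it was taken from
    handler: str   # who collected it (custody)
    sha256: str    # fingerprint of the artefact bytes
    prev: str      # hash of the previous entry: the link in the chain
    entry_hash: str = ""

def entry_hash(e: Entry) -> str:
    body = {k: v for k, v in asdict(e).items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class Ledger:
    def __init__(self):
        self.entries = []

    def add(self, label, source, handler, data: bytes) -> Entry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        e = Entry(len(self.entries) + 1, label, source, handler,
                  hashlib.sha256(data).hexdigest(), prev)
        e.entry_hash = entry_hash(e)
        self.entries.append(e)
        return e

    def verify(self, artefacts: dict) -> list:
        """Recompute every link; re-hash any artefact bytes supplied by label."""
        problems, prev = [], GENESIS
        for i, e in enumerate(self.entries, 1):
            recomputed = entry_hash(e)
            if e.seq != i or e.prev != prev or e.entry_hash != recomputed:
                problems.append(f"entry {e.seq}: ledger link broken")
            data = artefacts.get(e.label)
            if data is not None and hashlib.sha256(data).hexdigest() != e.sha256:
                problems.append(f"entry {e.seq}: {e.label} no longer matches recorded hash")
            prev = recomputed
        return problems
```

A change to any earlier entry breaks every link after it, which is the point: the order and custody recorded at collection time must survive unchanged into analysis.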
Keep Calm and Carry On Building The Attribution Chain Link by Link
• Analysis
  – Can you connect the dots?
  – Follow the bread crumbs?
  – If not, why? What’s missing?
  – Do you have anything conclusive that would be useful in establishing the attribution chain?
    • Compromises and threat actors have signatures; attributes unique to them
    • Have you identified anything that coincides with or ties to a known profile?
    • Do you have enough information from one or more systems and / or network elements to establish a pattern?
    • Telemetry?
    • Geographic Intelligence?
Analysis and the Attribution Chain Building The Attribution Chain Link by Link
• Cast a wide net
  – Employ a discerning eye
• Research != Analysis
  – Beware this pitfall
• Review, Refine, Reassess, Enrich, Repeat
  – Inspect what you expect
• Telemetry
  – Telemetry = remote measurement
  – Critical in establishing the data on which research and sound analysis are defined
  – Applicable to the Internet (DNS / routing intel), local network, host etc.
  – C2 analysis, domain analysis, spider diagrams and ontology
  – Entropy
Analysis and the Attribution Chain Building The Attribution Chain Link by Link
• Campaign Analysis
  – Malicious Code and Content Analysis
    • Vulnerability analysis
    • What’s required (vulnerability) for the malicious code to execute and succeed in its goals?
  – Observing the behavior of the malware in virtual machines and bare metal environments
  – Do the attributes noted with the malware align with or match those seen in other campaigns?
  – Is it part of a multi-stage campaign?
  – How do the samples relate to the network telemetry?
    • C2
    • Pivot sites
    • Covert channels
  – Botnet related?
  – Non-self propagating?
Analysis and the Attribution Chain Building The Attribution Chain Link by Link
• Campaign Analysis Continued
  – Geo Intelligence
    • To some this seems less important than to others
    • I’m in the ‘others’ camp; high fidelity geo intelligence is very important in identifying campaign attributes and threat actors
  – Collaboration with trusted parties
    • Co-workers
    • Fellow researchers
    • Law enforcement
    • Can’t be stressed enough
Analysis and the Attribution Chain Building The Attribution Chain Link by Link
• Campaign Analysis Continued
  – Data repatriation
    • Lots of debate on this
    • Ethics & morals
    • Responses are not always pleasant, nor are they always grateful, if in fact you receive one
  – Write up
  – Storage
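The campaign analysis slides ask whether a sample’s attributes align with those seen in other campaigns and warn against mistaking research for analysis. The scorer below is an added example, not code from the talk or from RSA FirstWatch: it compares a sample’s attributes against constructed campaign profiles, weights infrastructure and code artefacts (C2, pivot site, PDB path, mutex) above commodity traits that many unrelated actors share (packer, exploit), and marks a match that rests only on commodity traits as weak. The weights, attribute classes and profiles are assumptions.

```python
"""Weighted attribute overlap between a new sample and known campaign profiles.
Added example, not the talk's code; weights, profiles and values are constructed."""

# Weight reflects how unlikely an attribute is to be shared by coincidence (assumption).
WEIGHTS = {"c2": 3.0, "pivot": 3.0, "pdb_path": 2.0, "mutex": 2.0,
           "packer": 0.5, "exploit": 0.5}

# Constructed profiles: set of (attribute class, value) pairs per campaign.
KNOWN_CAMPAIGNS = {
    "campaign-a": {("c2", "cnc.example.test"), ("mutex", "Global\\xyz-placeholder"),
                   ("packer", "upx")},
    "campaign-b": {("exploit", "exploit-kit-placeholder"), ("packer", "upx"),
                   ("pdb_path", "c:\\dev\\stage2-placeholder.pdb")},
}

def assess(sample: set) -> list:
    """Rank campaigns by weighted overlap with the sample.
    Returns (name, score 0..1, 'strong'|'weak', shared attributes); a match is
    'strong' only if at least one shared attribute is infrastructure or code."""
    results = []
    for name, profile in KNOWN_CAMPAIGNS.items():
        shared = sorted(sample & profile)
        got = sum(WEIGHTS[k] for k, _ in shared)
        total = sum(WEIGHTS[k] for k, _ in profile)
        strong = any(WEIGHTS[k] >= 2.0 for k, _ in shared)
        results.append((name, round(got / total, 2), "strong" if strong else "weak", shared))
    return sorted(results, key=lambda r: r[1], reverse=True)

# Constructed sample: shares C2 and mutex with campaign-a, only the packer with campaign-b.
SAMPLE = {("c2", "cnc.example.test"), ("mutex", "Global\\xyz-placeholder"), ("packer", "upx")}
```

A packer shared with two campaigns ranks both as weak, which is the caveat the slides make: overlap in commodity attributes is a research lead, not an analytic conclusion.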
Upcoming Webcasts
• Sept 26 – How to think like a security analyst of today
• Oct 17 – Why logs are not enough