Monday, September 10, 2012

DeepINTEL 2012

The first DeepINTEL conference is over and it was great with a fairly small crowd, where you got to meet and talk to everyone.

Andrew Barrat, who was giving a talk about "Better Breach Disclosure = Better Risk Management?" wrote a couple of blog posts about other talks (day 1, day 2).

So for those who couldn't attend DeepINTEL, here's a high level overview of the topics, concepts and resources I gave in my talk, which was tittled "Preventing and Detecting Mass-Malware and Advanced Threats".

Here's the abstract that was given for CFP:

Your organization has firewalls, network IDS/IPS, anti-virus on multiple layers, maybe even HIPS, hardening and patching done and feels pretty safe and secure. But lots of companies and organizations who got breached had all that too. So maybe that’s not enough for today’s threats any more? This speech should give you lots of new intelligence resources to know who are the different threat actors, what are their motivations and techniques, what vulnerabilities are exploited by what threat actors, and some (maybe more or less unconventional) methods for prevention or detection of these threats. Most resources used are freely available, some need free registration and some are from personal work experience.

As a brief introduction to what I think is missing, I introduced the Security event System (SES) and Collective Intelligence Framework (CIF) project from REN-ISAC.

The introduction about me and why I like to share malware and threat intelligence contained references to SANS ISC blog diaries (1, 2, 3), Mila's contagio malware dump blog post and a couple posts on Kyle's threatthoughts blog about sharing indicators, that were based on information I collected and provided to them. Another example is the discovery and analysis of the Ponmocup botnet on blog, where I shared a list of C&C domains for sinkholing.
This first part of the talk was also meant to show the limitations of antivirus, because lots of malware samples I discovered had zero or very low (less than 10%) initial detection rates (out of 42 AV scanners on VirusTotal), which I consider pretty bad.

Next I introduced some terms and concepts like "cyberrisk intelligence", "actionable intelligence" and "cyber-risk data" from the SBIC report Getting Ahead of Andanced Threats.
This report contains several "charts" (though I'd call it more tables) of such cyber-risk data along with examples. The first table about "cyber attack indicators" gives interesting examples like "description of spear phishing mails", "lists of domains hosting malware" and "set of binaries used by attackers" (which for example could be file hashes like MD5 etc).

Then I used two quotes from Richard Beitlich's posts on Mandiant's M-unition blog, which I like.
In a post about "understanding each type of targeted attacker" he says:
"When trying to defend an organization, it’s imperative to understand the nature of the threats who seek to compromise the enterprise. This is not a common belief, unfortunately."
In another post about "understanding state-serving adversaries" he wrote:
"A hallmark of a disciplined adversary, however, is to only use the level of “force” required to accomplish the mission, only escalating when the minimum fails to get the desired result. This is the true definition of "advanced," because it means the adversary knows how to properly deploy resources against a target."

Elaborating on the different types of threat actors I used resources from Mandiant's M-trends 2012 report, SANS Cyber Attack Threat Map (page 2 from 20 Critical Security Controls poster 2010 -- not found online anymore), and Dell SecureWorks Advanced Threat Resource Center.
The presentation "Why Are Our Defenses Failing Us? One Click Is All It Takes" from Bryce Galbraith gives a very detailed and technical analysis, how little it takes to get breached.

To give some examples and history of APT attacks I used the paper "Advanced Persistent Threats: A Decade in Review" from Command5 and the site about "Cyber Attacks Timeline".
The next point I was trying to make is the importance of knowing what exploits are being used by what threat actors. An overview of exploits kits (also called browser exploit packs / BEP) has been updated frequently on Mila's contagio malware dump blog. This blog is also great to find out what exploits (see categories / labels) are used and find malicious document samples from targeted attacks.

Another great resource giving details about what exploits are used for APT attacks is a blog post from Xecure Lab. Also from this company is XecScan, an online scan service for spear phishing document analysis. It's also a great OSINT source for indicators (MD5 hashes, C&C domains / IPs etc.) of APT spear phishing documents.

The next topic was "the need for analysis in Intelligence-Drive Defense" from the Windows-IR blog which gives a nice summary of Dan Guido's paper "A case study of intelligence driven defense" and the Exploit Intelligence Project (EIP).

The paper "Intelligence Driven CND Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" introduces the "intrusion kill chain" and "kill chain phases" along with the definition of "late phase detection" (C2) versus "early phase detection" (delivery).

So what's the relevance of all this? What do I make of it?

Well, patching and updating all software, especially OS, browser and all browser plugins (Java, Flash, Adobe Reader etc.) should be a very high priority. But some software, like Java with all its dependencies, are hard(er) to be patched very timely in some enterprises.

So here are some suggestions for additional mass-malware prevention on a web proxy:
  • implement a Java whitelist, allowing Java from trusted domains only (user-agent based)
  • limit executable downloads (magic bytes) to trusted domains (or categories if available)
  • block all malicious IPs, IP ranges, 1st level domains (esp. dyndns) as possible and business allows (start using CIF with many feeds)

And additional protection for a mail gateway:
  • block or strip all executable (magic bytes) attachments, also inside ZIP or RAR files
  • keep mail logs of A/V events (with context) for a long period

Detecting a series of targeted attacks:

Knowing what exploits (CVE's) have been used for targeted attacks I spotted a single A/V event (containing "CVE-2011-0611" SWF exploit) from a PDF email attachment amongst hundreds other mass-malware events. Now knowing the targeted person I found previous attack mails using CVE-2009-3129 inside a XLS and an unknown exploit inside a PDF with JavaScript. Monitoring the mails of the targeted person I found a IMG-SRC in an HTML mail without attachments. The URL was using a domain hosted on the same IP that was used for C2 of the previous PDF/SWF exploit and contained the target's email address in it. The attack series continued with a number of DOC attachments with CVE-2012-0158 exploits, some of which were very similar to the ones described on this Securelist blog.

The above are of course just some examples of additional prevention and detection measures you can put in place.

Some other projects, collaboration groups and tools you may want to look at are:

Feedback is always welcome!