Readers!!!

Advanced greetings for Christmas. Before I start make sure to check out SANS Holiday Hack Challenge here.

Recently, I was honoured to attend one of the SANS course For578 – Cyber Threat Intelligence. SANS instructor was one of the best in business Robert M. Lee. My reason to attend SANS training is purely because they are one the best security training provider, and when they announced FOR578 last year I was very keen in SANS take on Threat intelligence. I have been self-learning about threat intelligence via Lockheed Martin, various webcasts via SANS and other providers and realised that every vendor has different approach with Threat Intelligence.

I had prior knowledge Threat Intelligence and this course helped to me to get the best out of it.

After the end of the first day, I was having a very good understanding with what Intelligence is and how it is associated with Cyber Threats. Most of the time, in name of Threat Intelligence, vendors or service providers end up sharing Threat Indicators with some nice dashboards and portray the system as Threat Intelligence system. I have always been saying we need to move beyond Indicators based systems (yes its still good to have those), and concentrate more on Tools, Techniques and Procedures of our adversary. The content of the course actually aligned with my thinking and helped in better carve my thinking and actually implement in real life.

During the course, I learned how to track a threat actor or a campaign and how to best showcase that information across your organisation. Tools such as CRITS, MISP, Threat_note were used. Kill-Chain model and Diamond Model were explained in detailed and LABS were designed in way to implement these models.

One of the interesting LAB was to review vendor Threat Intelligence report. The report could be regarding a APT, analysis of an threat actor or generic briefings across the global related to Cyber Threats. In this exercise, we learned about biases and how multiple input to one single report may change the actual outcome of the report or identification of adversary.

Other LABS were related to extracting intelligence out of vendor reports, tracking a campaign and what artefacts to collects during intelligence exercise and how to provide evidence to your hypotheses. LABS that concentrated in how to share Threat Information via STIX, YARA and OpenIOC. The course has very good real life case studies with regards to Thr

At the end of the fifth day, I knew what actual Threat Intelligence means and how we can use that in our organisation.

For those who are thinking to take the course, would highly recommend to take it.

Readers!!!

Its been quite a while I have updated my blog posts, due to me spending  some quality time off the work and being with family.

Recently, was honoured to attend SANS FOR578 Cyber Threat Intelligence course taught by Robert M. Lee and it was excellent. I will be writing a separate blog post reviewing the course later.

Being on customer service environment, I have realised how important data visualisations are. When you are presenting your findings to C Level Executives, having tables, charts and graphics in the report, makes it easier to grasp and understand analyst ( or whoever wrote the report) point of view. We can visualise our findings about Organisational Risks, Threats, Incidents and many other departmental attributes in different manner.

For me, best visualisation is Mind Maps and I have used them to represent process, procedure, incidents etc. I also, use mind maps, when I am performing any investigations on incidents during IR, Forensics and/or Threat Hunting. It helps me track investigation steps and my findings. If the incident continues or the next business day, the mind map, helps me to start where I left, and also helps me trace back my steps rather looking at excel sheets or other textual representation or a case management system.

During the course, there was a good stress on making sure investigation or intelligence gathering information is represented in a manner that all levels of audience can understand. This is when I thought to create a mind map of a malware and its behaviour and how it can be represented on Kill Chain phases.

Above screenshot shows Kill Chain phases for Evoltin POS Malware and indicators that were identified during analysis and how they can associated to different Kill Chain phases. Rather presenting them on table or chart format, I believe the view via mind map is much more easy to grasp and better presented.

I will be creating more mind maps and uploading to my GitHub account. I normally, update IOC’s to Alienvault OTX, Blueliv, GitHub and ThreatConnect, but now I will also create similar Kill Chain Mind Map for every investigation I do.

Happy Mind Mapping!!!!!

Readers

I would like to share my experience and understanding with regards to forensics and where I started to get a foothold in forensics.

Questions that I normally get : I want to get into forensics. What should I study? What kind of certificates are good? What background should I have? 

By this blog I will answer those question based on my experience. I will not dwell into explaining what forensics is and why do we perform that. For that you can just google it and/or read my blog entry – Incident Response and Forensics : The Two Towers. Understand Forensics is considered a specialised field, meaning one must have prior knowledge of fundamentals in operating systems, networking, packet analysis, incident handling etc.

For me I started in Technical Support – this is first due to I was a student and second technical support guys will go through numerous issues and fix through out the day which can be extended into Forensics investigation. For example, a user calls into saying my system is working slow – a tech support guy will first investigate why and provide solution/workaround based on the findings. This helped in understanding system internals especially Windows. One must understand how an operating system works – their processes, services, kernel level attributes etc. A very good link to start is here for windows, here for MacOSX and here for linux. I will be creating mind map for this and will provide them on my github account.

Certificates such as SANS GCFE will give you insights on windows operating system forensics. Individuals thinking of this course should read on here.

Other courses and comparison can be viewed here.

We obviously need tools to perform forensics. There are numerous tools available to perform forensics based on what is required. SANS has their own linux distribution SIFT and further information can be found here.

There is also a debate, that System Admins are the best Forensic examiners or investigators and I don’t agree with that statement. Yes system admins have knowledge of system, however that’s mostly into hardening and fixing an issue. Rarely security aspect is covered in System Admin side. System Admin will still need to learn and/or go through training (self or class based) and understand how their experience overlaps in forensics.

To gain a bit more knowledge about networking, incident handling, packet analysis I dwelled into SOC (security operations centre). This allowed me to understand how operating system communicates to other operating systems, network and/or external systems. In SOC, I was responsible to identify anomalies, develop SIEM content to identify incidents within network and/or operating system from a known bad behaviour. This allowed me understand what is a good behaviour. All operating system logs events and one must understand what is the meaning of those and in what situations they are triggered, and how one can use these events in identifying an unauthorised activity and/or unusual behaviour for example. This knowledge, during forensics, allowed me to investigate the operating system and/or infected host in different manner. Yes, Forensics and Incident Response overlaps and are two sides of the same coin. I always took initiatives and that helped me in the field.

To understand how Forensics should be performed one must also understands standards and RFC. Understanding these standards allowed me to grasp how corporate world and/or any forensics practice should perform forensics and how that can be integrated in Incident Response. Have a read here for NIST publication, here for RFC and here for NIST Mobile forensics publication.

This will be a good start to for individuals interested in Forensics. One should also dive into the operating system they normally use at work/home on their laptop/desktop and go through system. For Windows, work on PowerShell, look at the event viewer, services, use Sysinternal Tools. Fire up wireshark and/or Chrome net internals to see what happens when you access a website. Note down whatever is considered a normal behaviour. For linux/Mac look at the logs under directory /var/logs.

Lastly, read the blogs that are forensics and incident response related which will give a good insight in using tools, how forensics is performed and current methodologies and type of investigations.

Few Forensics Blogs :

• Crime Scene Training
• Zeno’s Month
• Forensics Wiki
• SANS DFIR
• Binary Foray
• Cheeky 4n6 Monkey

Another point, I will raise is certifications are not the only way you will understand or gain more knowledge in Forensics. Your practice and dedication in self-learning and implementing on a regular basis will help a lot. But, also in corporate world these certifications are considered an entry point and it is advisable to get them. I have done SANS certifications (I am not advocating them and/or advertising SANS for personal gain, just sharing my personal experience), and I believe they concentrate on fundamentals and have better content with related to topics that are covered in any certifications.

I will be providing more links on the up coming mind map. I will also be providing any Forensic and/or IR investigations that I perform, at my home lab including tools usage.

Happy Forensicating!!!!!

Readers

This post is about disposable email addresses and where to get them and concerns for organisations or whitehats defending their network/country. Disposable email addresses are something for which you don’t need an account. Understand you can only RECEIVE emails and cannot SEND. The service was first paid only but now you can get it for free from multiple locations. The email lasts from 10 minutes to a week.

Disposable email addresses are something that you can register on a site that you think you won’t be visiting often and may send you spam later or you want to hide your identify when registering. Depending on the person who is using the service, it can used in positive and/or negative ways.

 Let’s start looking at them :

1. AirMail
2. Guerrilla Mail 
3. ThrowAwayMail
4. Mailinator
5. Temp Mail
6. myTemp.email
7. Email on deck

There are others but the mentioned ones are top hits.

As having background in Social engineering and identifying tactics that cyber criminals  and/or insiders may use with regards to this disposable email, I can think of a 2 concerns.

1. Partners in crime can use these for their communications rather than to worry about getting tracked and/or reveal the identity of the recipient.
2. Another concern is insiders and  how one can use the disposable emails to transfer data and/or for data exfiltration. Organisations should be on lookout of these channels or medium and can configure mail gateway and/or DLP to make sure no sensitive/confidential information is going out.

If you know other concerns please comment.

Lets hope the service is being used for good purpose.

Readers

One of the biggest threats for any organisation is Insider Threat. An employee visiting malicious sites, drive-by downloads, uploading documents etc. , in short any web activity that can impact the organisation. Many of the organisations have chose to deploy DLP, Intrusion Detection and Prevention systems, proxies, user behaviour analytics and other expensive tools to fight against the threats but are still failing to prevent or reduce risk occurring via this threat.

From my previous post, I mentioned attackers are exploiting human characteristics – FEAR and CURIOSITY.  Employees clicking on picture of a cat and wallah the system has been infected. No matter how much security awareness we provide , there will always be risk of having internet connection on corporate network.

Wouldn’t it be good to have some functionality or an application that can prevent a malware, to infect the operating system, coming via a URL or when a user is visiting a site? It can be obfuscated scripts, executables, rootkits etc. We do have a VM that we use for sand-boxing, but let’s agree that not all users in your organisation knows how to use it and/or even understand the impact of infected system in a corporate network.  During this search I came across a tool called “Browser in the Box” created by Sirrix AG Technologies.

Browser in the box provides a virtual environment with a web browser is encapsulated in it. Therefore, when an employee is surfing internet through this browser, any suspicious/malicious files from internet will stay in this virtual environment and will not traverse through actual host operating system. All the browsing activities are isolated completely from the host operating system. “Browser in the box” also prevents any uploading of the files into the internet, which suggests the confidentiality and integrity of the organisations data is not compromised. Please note, the application is not a virtual machine (one can think that there are malware that identifies vm and will not execute), its a virtual environment similar to windows XP mode. I will try and test whether this is actually true.

The system was initially developed by Sirrix on behalf of German Federal office for Information Security. Currently the solution is open for public.

Visit Sirrix website here and  Download link here.

Readers

Been meaning write something about my experience with Incident response and forensics and how knowledge of both field helped me.

Most of the organisations have Incident Response and Forensics as 2 different department and no overlap of services or transparency is seen between them. Personally, I believe it is not a good approach as Incident Response and Forensics team should work hand in hand to get the most out of the investigation. There are organisation who thinks Forensics are only to collect evidence. Yes indeed I was shocked!!!

Both stream requires well organised plans and procedures and individuals with strong technical expertise. Both streams have standards – NIST 800-61 of IR and 800-86 for Forensics. One must understand these standards.

When an organisation is performing IR, imagine the responder has no forensic knowledge.

1. The reason we perform incident response is to understand what happened, how it happened, how we can stop it to further affect/infect our systems and how we can stop in future – Preparation, Identification, Containment, Remediation, Recovery and Lesson Learned. As mentioned in my earlier blog most organisation perform Preparation, Identification and Recovery. Is this due to improper process ? Is it because the responder doesn’t know the IR Phases? Is it due to time constraints or can’t be bothered?
2. Now to understand what happened (e.g., malware infection), one must understand malware, and how it interacts with the system and what artefacts are involved. This is where Forensic knowledge will come in place. Handling a malware incident, one must know malware analysis and in certain scenarios reverse engineering. Let’s say you are not sure its a malware infection, however system are showing signs of unusual behaviour. As an incident responder one may think to just run certain tool to identify or understand behaviour – nothing wrong however, this may alter certain files by treating them malicious – like what a endpoint protection does by performing quarantine.
3. A forensic investigator will first manually investigate the system and learn why a system is behaving in such manner – look through process (parent/child), file paths, services etc to determine what is not part of the system. I am not saying tool will not be used but this is about a process. Forensic investigator may choose to run Redline for example.
4. The approach taken by 2 individuals are always different but the end goal should remain the same – reduce impact and determine indicators of compromise and TTPs (Tools, techniques and procedure) that can be used in earlier detection in future. When this is not performed our adversaries will always have tactical advantage over us.

An ideal approach I prefer is that an Incident Responder must have certain knowledge of forensics that can assist him/her in making sure our investigation is not only to clean the system (an anti-virus/anti-malware can do that), but identify the artefacts and preserve them for further investigation if time permits. Forensics should be performed in parallel to incident response.

IR is more process driven and forensics allows to deep dive into systems to identify bad actors. Forensics is time consuming and most of the time organisations prefer not to include them as they want business or system to return to its normal state. IR and Forensics should also communicate to other security network team and share the outcome of investigations.

I will be writing more about IR and Forensics methodologies (technical and non-technical) and answer most common question – how do i go by starting in IR or Forensics (DFIR). This will supplement the Threat Hunting article that I am working on.

Mandatory Reads

• http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-86.pdf

Happy Investigation!!!!!!

Readers

This post is about globally accepted LEGAL technique to exploit a system or network to validate their deployment of security controls. Yes I am talking about PENETRATION TESTING.

With this post I would like to share an ideal approach during penetration testing and importance in following the rules of engagement. Of what I have experienced following is the normal scenario:

Customer signs engagement and scope letter. Most of the time this engagement/scope letter  contains very vague and/or no proper description of How’s and who’s of Penetration testing methodology. Sometimes they will just mention Person A and Person B will be performing a Penetration Testing on Customer A Network and rest is legal and contractual stuff. Some will also add type of penetration testing (no they won’t mention Black/Grey/White Box testing). They will say Web application Pen testing, Network Pen Testing. Although, they are in a way correct but still we need to mention it.

Suggestions : Organisation must let customers know what will be included in a Pen test. There is no room for assumptions. For any pen test one must provide the techniques and methods and especially what will be tested. One does not need to provide the tools name but techniques are important.

Defining this in the scope/engagement letter can assist pen tester to make sure he/she is not stepping over the boundaries – which are normally considered RULES OF ENGAGEMENT. Management and Pen Testers must understand this rules for a successful pen testing.

Management and organisation should also understand Pen testing should not be only performed because of compliance – unfortunately this is the driver in most cases. As Pen testing simulates an attack on any organisation it should be performed on a regular basis and for extended period of time. One should also perform external pen test to test their security controls and simulate real world attacks. Adversaries and/or cyber criminals have no time limit to gain access to your network, but Pen testers do and management must take this into consideration. Having a pen test for a week and next one next year will have zero value.

Another suggestions to pen testers is to be ready with their own way to exploit systems. Most of the time due to time constraints we use available tools and exploits to perform pen test which may give you some good results but we need to think or try to go beyond that and writing your own exploits has been proved to be a good method. If a vulnerability is identified it is a good idea to exploit it with multiple techniques if known.

Pen testers should also spend a good chunk of time in information gathering (active or passive). The more information you gather the better you will be able to exploit your target. I have always used 2 pen testers whereby PT A will continue performing information gathering – provide the results to PT B, PT B will give some information back to PT A and PT A will continue to gather information. Consider this as a to and fro situation but PT A and PT B will exchange information continuously.

PT B should concentrate on fingerprinting, enumeration, attempt to gain access to the systems, vulnerability assessment. There are many organisations and pen testers preferring running Vulnerability scanners upfront when performing pen test which I personally believe is wrong step. As we are trying to simulate attacks on organisation, we must think from the attackers point of view. Normally they don’t run vulnerability scanners straight up – the traffic generated by them is heavy and easily detectable by various security controls. These scanners can be used for verification and/or add-on to pen testing methodology to make sure we didn’t miss anything.

Lastly, providing a report of pen test to customer. Report should provide all the findings, techniques and methods use to collect information and how information was used to gain access to the system, what vulnerability, types of exploit used and outcome of the exploitation – privilege access, data exfiltration, install/modify applications and/or files etc. Screenshots are considered ideal. Having these information will assist pen testers to draft recommendations that are actionable rather just  telling to update and patch.

Please visit following site for more information :

http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html
http://www.pentest-standard.org/index.php/Main_Page

As we all know Ransomware is currently one of the biggest threat to any organisation and therefore we must understand how a ransomware works and its digital footprint. Every application when executed leaves a footprint on the system and sometimes we call them dropper. A footprint for Microsoft word is filename.doc for example.

Similarly, when ranswomware is executed it will leave certain files and have following extensions and files :

@Please_Read_Me@
@WanaDecryptor@
*.wnry
*.*cry
*.*crypto
*.crptrg
*.*darkness
*.*enc*
*.*exx
*.*kb15
*.*kraken
*.*locked
*.*nochance
*.*obleep
*.*oshit
*.0x0
*.1999
*.73i87A
*.7z.encrypted
*.aaa
*.abc
*.AES256
*.better_call_saul
*.bleep
*.btc
*.BTC
*.btcbtcbtc
*.cbf
*.ccc
*.cerber
*.chifrator@qq_com
*.clf
*.coverton
*.crime
*.crinf
*.crjoker
*.cry
*.crypt
*.crypted
*.crypto
*.crypto*
*.cryptolocker
*.cryptotorlocker*
*.CryptoTorLocker2015!
*.CrySiS
*.ctb2
*.CTB2
*.ctbl
*.ctbl
*.CTBL
*.czvxce
*.darkness
*.doc
*.dyatel@qq_com
*.ecc
*.enc
*.encedRSA
*.enciphered
*.EnCiPhErEd
*.Encrypted
*.encrypted*
*.encryptedAES
*.encryptedRSA
*.enigma
*.exx
*.exte
*.ezz
*.frtrss
*.fucked
*.fun
*.FUN
*.good
*.gruzin@qq_com
*.gsw
*.gws
*.GWS
*.ha3
*.HA3
*.hb15
*.helpdecrypt@ukr*.net
*.html
*.hydracrypt*
*.JUST
*.justbtcwillhelpyou
*.kb15
*.keybtc@inbox_com
*.kimcilware
*.KKK
*.kraken
*.lechiffre
*.LeChiffre
*.locked
*.locky
*.lol!
*.LOL!
*.magic
*.micro
*.mp3
*.nalog@qq_com
*.nochance
*.omg!
*.OMG!
*.oplata@qq_com
*.oshit
*.p5tkjw
*.pizda@qq_com
*.PoAr2w
*.pr0tect
*.pzdc
*.r16m*
*.R16M01D05
*.R5A
*.r5a
*.RADAMANT
*.rapid
*.rdm
*.RDM
*.relock@qq_com
*.remind
*.rokku
*.rrk
*.RRK
*.sanction
*.saturn
*.scarab
*.sport
*.supercrypt
*.SUPERCRYPT
*.surprise
*.toxcrypt
*.troyancoder@qq_com
*.ttt
*.vault
*.vvv
*.xort
*.xrnt
*.XRNT
*.xrtn
*.xtbl
*.XTBL
*.xxx
*.xyz
*.zzz
*@gmail_com_*
*@india.com*
*_H_e_l_p_RECOVER_INSTRUCTIONS*
*_LAST
*cpyt*
*crypt*
*decipher*
*help_restore*.*
*help_your_files*.*
*how_to_recover*.*
*install_tor*.*
*keemail.me*
*qq_com*
*restore_fi*.*
*ukr.net*
*want your files back.*
_crypt
_DECRYPT_INFO_*
_ryp
AllFilesAreLocked*.bmp
ATTENTION!!!.txt
confirmation.key
Decrypt.exe
DECRYPT_INSTRUCTION.HTML
DECRYPT_INSTRUCTION.TXT
DECRYPT_INSTRUCTIONS.HTML
DECRYPT_INSTRUCTIONS.TXT
DecryptAllFiles*.txt
DecryptAllFiles.txt
enc_files.txt
HELP_DECRYPT.HTML
HELP_DECRYPT.lnk
HELP_DECRYPT.PNG
HELP_DECRYPT.TXT
HELP_RESTORE_FILES.txt
HELP_TO_DECRYPT_YOUR_FILES.txt
HELP_TO_SAVE_FILES.txt
how to decrypt aes files.lnk
How_Decrypt.html
How_Decrypt.txt
HowDecrypt.txt
last_chance.txt
message.txt
MESSAGE.txt
oor*.
recovery_file.txt
recovery_key.txt
RECOVERY_KEY.TXT
restore_files*.txt
restore_files.txt
vault.hta
vault.key
vault.txt
*.canihelpyou
*.zepto
*.venusf

Recently updated WannaCry and SOREBRECT ransomware extensions.

Courtesy Bleeping Computer and kinomakino.

The extensions can be used during Hunting phase or timeline analysis where analysts are looking for suspicious/malicious files on a host. Further information can be found here.

Happy Hunting!!!

The buzz word first came in 2014 and individuals who were actually performing activities such as hunting for adversaries within network interested in Threat Hunting agreed with it on all aspects. During Threat Hunting and/or intelligence gathering or incident response we are mostly concentrating on identifying indicators of compromise and normally follow these steps:

1. Collect Indicators of Compromise – Basic/Advanced Threat intelligence platform – Yes I have collected Indicators of compromise from all over world than what ?
2. Compare the IOCs with internal logs – SIEM – to understand the extent of infection – lateral movements as we say. One can also use specific tools for this – carbon black, palantir, dark trace etc.
3. Detect and mitigation – most of the time by running anti-virus and/or restoring the system from backup or re-installing a fresh copy.

Most organisation perform mentioned points believing that this is their Incident Response plan and threat hunting procedure, but they actually only performed 2-3 stages – Identification, Recovery and Follow-up/lesson learned.

This is somewhat I call as Reactive approach, as the name suggests incident response – responding to an incident. However, there is another approach -pro-active approach – where team of experience Incident Responders will look through the network and identify anomalies and/or unwanted entities within a network. Threat Hunting was it called. The days of external organisations notifying you of an infection or data exfil or their own data showing up on pastebin are increasing and organisation must have Threat Hunting and IR capabilities well invested and implemented. Proper Process and procedure are important as well in understanding how to perform these duties. Consider following:

Following is the pyramid of pain

http://detect-respond.blogspot.com.au/2013/03/the-pyramid-of-pain.html

The diagram has a scale that shows relationship between the indicators of compromise a Threat Hunter or an incident responder can find and how much pain it will cause to use them to detect the adversary.

Threat hunting and Incident response goes beyond just deploying a product within the network and responding based on what it alerts. It goes beyond normal rule and/or signature based mechanisms to detect threats that one cannot detect with just plug-n-play devices. Both requires human factor to perform these actions. Deep diving into the networks and looking for adversaries (active defense and/or pro-active investigations) is a must have within the organisation and Incident Responders and IT Team must work hand in hand. And don’t forget to involve Forensics. Yes, we need forensics to gather evidence properly.

Threat Hunting phases :

1. Create and/or define Hypotheses
2. Investigate via tools and techniques
3. Identify new patterns and TTP (Tools, techniques and procedure)
4. Inform and update analytics platform and/or database
5. Start 1

It’s my pleasure to announce that I recently got honoured to co-author a book with Don Murdoch. The book will be used as a field guide and/or playbook for Threat hunters during Threat Hunting.

Happy Hunting !!!!

Just about an hour ago I received an text from one of my mentors. Excited, I read but I know him very well and knew it wasn’t him.

The phishing text :

It’s possible to do 10 k in 10 day.

hxxp://www.prosperity-today.com

I texted him directly with a new message rather than responding the message and verified that it was indeed phishing.

1. The message had no phone number associated.

2. Looking at the details of the name – the sender – they were empty. Normally, if a contact on you address book sends a message you can see their serials stored on your phone.

Possible motives :

1. By sending an text an attacker can verify that number exist or not via a delivery notification.

2. If someone responds – response in this case is not feasible as it has no return number – than attacker can continue with social engineering attack.

3. Likely I was targeted and attacker was trying to deceive me to click on the link and get the some results back to him/her.

Will be analysing the link to understand if it has any embedded and/or crafted scripts that are targeting mobile phones. This may be attempt to exploit Quadroot set of vulnerabilities on Android.