Posts

Showing posts from 2017

"It's Not All Black And White" or "Why You Should Switch From Blacklisting To Whitelisting"

I think the title says a lot here: if you want to defend your information systems, you should switch from blacklisting to whitelisting.

But what does that mean?

Most people hear "whitelisting" in terms of CND and think "application whitelisting". But there's so many more places to do it! You already hopefully do outbound whitelisting on your firewall. You aren't really allowing any system to talk out on TCP/3389, right? You do have a DEFAULT:DENY or DENY ANY,ANY down at the bottom of your firewall rules, right?

But have you considered whitelisting outbound web traffic at your proxy as well? Most people think of their web proxy reputation lists as block lists, and for good reason: most of them are incomplete. But did you ever consider that maybe that incompleteness as a defensive measure? If you block unknown websites at your web proxy, you're going to block a huge amount of malicious websites. You're probably thinking to yourself but what about the m…

"WannaCry Is North Korea!" or "Rich Headers Win Again!"

http://researchcenter.paloaltonetworks.com/2017/04/unit42-the-blockbuster-sequel/

https://twitter.com/neelmehta/status/864164081116225536

Samples from Unit42:
a4b3404fffc581ab06d50f3f2243cb56
cab10f19ae0a6deeb7be7bd0b46a0f5f
d511fa33bb3c9a238e4b4eae7bae6e84

WannaCry sample from Neel Mehta:
9c7c7149387a1c79679a87dd1ba755bc

All 4 samples share significant overlap in their Rich Headers. In fact, the set of IDs and Value pairs in the Rich Headers from the 3 samples I listed above are fully contained within the set of ID and Value pairs in the Rich Headers of the WannaCry sample from Neel Mehta's Twitter post. The WannaCry sample contains several header pairs that are not present within the other samples - I do not know what tools they represent so I am unable to determine the significance of this particular data point.

I don't know how significant this overlap is, but in my own repository that particular set of ID and Value pairs was unique to WannaCry and malware attributed to Laz…

OLE: Not to beat a dead horse...

Since I keep seeing new malicious OLEs, I wanted to do a few posts about writing yara signatures for them. I don't have the time right now for a full post, but I'll share a few preliminary links that I'll be referencing for metadata extraction.

[MS-OLEPS]: SummaryInformation
https://msdn.microsoft.com/en-us/library/dd942545.aspx

[MS-OLEPS]: FILETIME (Packet Version)
https://msdn.microsoft.com/en-us/library/dd942482.aspx

[MS-DTYP]: FILETIME
https://msdn.microsoft.com/en-us/library/cc230324.aspx

Operation Cloud Hopper

Although long, a highly recommended read:

https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html

https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-updated.pdf

One thing I want to call out is Table 3, where PWC clearly demonstrated an interesting composite indicator of a TTP that appears to be specific to this operation. Specifically, the use of @india.com registrants and ITITCH nameservers. If you have the ability to pivot on this TTP, then you're likely to find a significant number of other similar domains.

Happy hunting, y'alls!

Your report is bad and you should feel bad

Image
Kaspersky Labs published a report today discussing overlap between Turla and Moonlight Maze.

https://securelist.com/blog/sas/77883/penquins-moonlit-maze/

From their conclusion:
An objective view of the investigation would have to admit that a conclusion is simply premature.

For shame, Kaspersky.

APT Rosetta Stone or A Plea To The Industry For Shared Names

Last night one of my CTI sharing groups was discussing a report from FireEye regarding APT29 and domain fronting (https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html) when we all realized we had no clue who APT29 is in our own internal systems. 
One member finally shared this mess:
https://www.google.com/url?sa=t&source=web&rct=j&url=https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/edit&ved=0ahUKEwjNhd-novjSAhVBC2MKHYglAgoQFghIMAQ&usg=AFQjCNFe0KMzzgH09bdHImCB5VxrXo2gIA&sig2=1CI3ffYHiBNLliisz6EbAw
Nobody can agree on names. Even to the untrained eye it's obvious that there's a communication issue present here. The most amazing thing is how simple it would be to fix all of this, but none of these vendors have because #branding #sorrynotsorry #aptlolwut. The excuse "but we'd have to rename everything" is silly, because if you want to present the image of being a quality threat intell…

[repost] Cyberespionage, and the Need for Norms

This is a quick one, but I wanted to call out a piece shared with me by a peer in the industry:

http://harvardpolitics.com/covers/cyberespionage-need-norms/

A truly key point here: [C]onsider how almost every recent cybercrime is called a “cyberattack” by the media. North Korea’s hack into Sony Pictures, China’s theft of American personnel records, and Russia’s attack on Estonian online infrastructure were all dubbed "cyberattacks," despite their significant differences. The repeated use of this simplistic label has muddied dialogue surrounding this issue by obscuring the unique qualities of different cybercrimes—making it difficult to keep track of what actions warrant retaliation. This has been a pain-point of mine for a few years now, but I have yet to convince many others in my field that computer/network espionage (CNE) is explicitly NOT an attack.

Also, I hate the prefix cyber. It has no meaning. For more info on this, see: http://willusingtheprefixcybermakemelooklike…

US-CERT published another bad article

Image
https://www.us-cert.gov/ncas/alerts/TA17-075A

Last time it was GRIZZLY STEPPE, this time they're saying that TLS inspection is bad. Let's start by explaining what they're talking about.
Many organizations use HTTPS interception products for several purposes, including detecting malware that uses HTTPS connections to malicious servers. This is essentially your basic SSL/TLS man-in-the-middle attack, but in an approved fashion. On an enterprise web-proxy, this allows you to do all kinds of wonderful things, like monitor C2 over HTTPS, or even detect delivery of malicious payloads from HTTPS-enabled websites.

So why is US-CERT saying this is dangerous?
All systems behind a hypertext transfer protocol secure (HTTPS) interception product are potentially affected. They just used a terrible word: "potentially". Why is this a bad word? Because its meaning has no value in terms of estimative probability - it just means "greater-than-0% probability", which is …

Yara and Rich Headers are full of win

Rich Headers are awesome and you should read about them here: http://www.ntcore.com/files/richsign.htm

I was looking at a sample recently and, being the good analyst I am, attempted to automate my DFIR processes using the tools I had handy.

Step 1: Get the Rich Headers for the malicious binary.
Let's use 9e6658fab423d9b3fabc3578ac5482bf4f21f6fb98949d8ef4f3cad349862b82, a known RAMNIT ransomware sample.

$ laika.py 9e6658fab423d9b3fabc3578ac5482bf4f21f6fb98949d8ef4f3cad349862b82 | jq '.scan_result[].moduleMetadata | select(.META_PE) | .META_PE."Rich Header"' { "Checksum": 3183276661, "Hashes": { "SHA1": "dd0f0861bc67028b3cab0d6cdc55a29cc2822f64", "SHA256": "8fd544eee7389c64a29440555f5b968ae0632ed3b989a63402b6d43934a8973e", "MD5": "8451f317057b289c04b2c5b202c09715" }, "Rich Header Values": [ { "Count": 6, "Version": 7299, …

Baller On A Budget: A series on cost-effective IT/infosec practices

I want to start a series of posts on how to do CND/DFIR/CTI on a budget.

I've spent the last decade of my life working in the IT world. I spent about half that time working as a part-time administrator/engineer in a small datacenter within a large corporation. I touched a lot of tech during that time frame and adopted a significant amount of it into my own homelab. But the last five years of my life have been devoted to CND/DFIR/CTI.

One of the things I've experienced working in this field has been the vast differences between the large and small companies in terms of capabilities. My current job involves sharing CTI with a wide variety of companies with a wide variety of maturity in terms of CND/DFIR/CTI capabilities. A common complaint I hear from the small-/medium-sized companies is that they could never keep up with the bigger companies because they lack resources. If you fall into this bucket, then this series is for you.

A few problems I hope to solve on shoestring budge…

I have to start somewhere...

Image
Here's some links for now:
https://github.com/agrajag9/a9dotfiles
This is a collection of my bashrc and related files. I've been daily-driving Linux terminals now for years and this is one of the first things I install. The screenshot below however is taken from one of my Windoze hosts.



https://github.com/agrajag9/getrichlaikaboss
If you work in CND/DFIR/CTI and you aren't familiar with LaikaBOSS, I recommend taking a look. It's a framework originally intended as an IDPS, but it's since grown to do far more than just those tasks. The core concept is that modern file-types tend to be tiered and follow an object-oriented design, so a modern IDS/IPS needed to be able to analyze these objects as such.
getrichlaikaboss was a short script I wrote to determine the compilation toolset of a Windoze PE. Every exe and dll compiled with Visual Studio will contain a Rich Header, which in turn contains a list of tools used to compile, assemble, and link all of the files in the …