SANS FOR578 Cyber Threat Intelligence – Course Review

Readers!!!

Advance greetings for Christmas. Before I start, make sure to check out the SANS Holiday Hack Challenge here.

Recently, I was honoured to attend one of the SANS courses, FOR578 – Cyber Threat Intelligence. The instructor was one of the best in the business, Robert M. Lee. My reason for attending SANS training is purely that they are one of the best security training providers, and when they announced FOR578 last year I was very keen to see SANS's take on Threat Intelligence. I had been self-learning about threat intelligence via Lockheed Martin and various webcasts from SANS and other providers, and realised that every vendor has a different approach to Threat Intelligence.

I had prior knowledge of Threat Intelligence, and this course helped me get the best out of it.

By the end of the first day, I had a very good understanding of what Intelligence is and how it is associated with Cyber Threats. Most of the time, in the name of Threat Intelligence, vendors or service providers end up sharing Threat Indicators with some nice dashboards and portray the system as a Threat Intelligence system. I have always said that we need to move beyond indicator-based systems (yes, it's still good to have those) and concentrate more on the Tools, Techniques and Procedures of our adversary. The content of the course aligned with my thinking, helped me refine it, and showed how to implement it in real life.

During the course, I learned how to track a threat actor or a campaign and how best to showcase that information across your organisation. Tools such as CRITs, MISP and threat_note were used. The Kill Chain model and the Diamond Model were explained in detail, and the LABS were designed to implement these models.

One of the interesting LABS was reviewing a vendor Threat Intelligence report. The report could be about an APT, an analysis of a threat actor, or generic briefings on Cyber Threats across the globe. In this exercise, we learned about biases and how multiple inputs to one single report may change the actual outcome of the report or the identification of the adversary.

Other LABS were related to extracting intelligence from vendor reports, tracking a campaign, what artefacts to collect during an intelligence exercise, and how to provide evidence for your hypotheses. There were also LABS that concentrated on how to share Threat Information via STIX, YARA and OpenIOC. The course has very good real life case studies with regards to Thr

At the end of the fifth day, I knew what actual Threat Intelligence means and how we can use it in our organisation.

For those who are thinking of taking the course, I would highly recommend it.

Evoltin POS Malware – Kill Chain Mind Map

Readers!!!

It's been quite a while since I updated my blog, as I have been spending some quality time off work with my family.

Recently, I was honoured to attend the SANS FOR578 Cyber Threat Intelligence course taught by Robert M. Lee, and it was excellent. I will be writing a separate blog post reviewing the course later.

Working in a customer service environment, I have realised how important data visualisations are. When you are presenting your findings to C-level executives, having tables, charts and graphics in the report makes it easier to grasp and understand the point of view of the analyst (or whoever wrote the report). We can visualise our findings about Organisational Risks, Threats, Incidents and many other departmental attributes in different ways.

For me, the best visualisation is the Mind Map, and I have used them to represent processes, procedures, incidents etc. I also use mind maps when I am performing investigations on incidents during IR, Forensics and/or Threat Hunting. They help me track investigation steps and my findings. If the incident continues on the next business day, the mind map helps me start where I left off, and also helps me trace back my steps rather than looking at Excel sheets, other textual representations or a case management system.

During the course, there was a good stress on making sure that investigation or intelligence gathering information is represented in a manner that all levels of audience can understand. This is when I thought of creating a mind map of a malware, its behaviour, and how it can be represented across the Kill Chain phases.

[Image: Evoltin POS Kill Chain mind map (evoltin-pos-aka-nitloveposb)]

The screenshot above shows the Kill Chain phases for the Evoltin POS Malware, the indicators that were identified during analysis, and how they can be associated with the different Kill Chain phases. Rather than presenting them in table or chart format, I believe the mind map view is much easier to grasp and better presented.

I will be creating more mind maps and uploading them to my GitHub account. I normally update IOCs to AlienVault OTX, Blueliv, GitHub and ThreatConnect, but now I will also create a similar Kill Chain Mind Map for every investigation I do.

Happy Mind Mapping!!!!!

Forensics – Where to start and What to know

Readers

I would like to share my experience and understanding with regard to forensics, and where I started to get a foothold in the field.

Questions that I normally get: I want to get into forensics. What should I study? What kind of certificates are good? What background should I have?

In this blog post I will answer those questions based on my experience. I will not dwell on explaining what forensics is and why we perform it. For that you can just google it and/or read my blog entry – Incident Response and Forensics: The Two Towers. Understand that Forensics is considered a specialised field, meaning one must have prior knowledge of the fundamentals of operating systems, networking, packet analysis, incident handling etc.

I started in Technical Support – first because I was a student, and second because technical support staff go through numerous issues and fixes throughout the day, which can be extended into forensic investigation. For example, a user calls in saying "my system is working slow" – a tech support guy will first investigate why and provide a solution/workaround based on the findings. This helped me understand system internals, especially Windows. One must understand how an operating system works – its processes, services, kernel-level attributes etc. A very good link to start is here for Windows, here for Mac OS X and here for Linux. I will be creating a mind map for this and will provide it on my GitHub account.

Certificates such as SANS GCFE will give you insights into Windows operating system forensics. Individuals thinking of this course should read on here.

Other courses and comparison can be viewed here.

We obviously need tools to perform forensics. There are numerous tools available, depending on what is required. SANS has its own Linux distribution, SIFT, and further information can be found here.

There is also a debate that System Admins are the best Forensic examiners or investigators, and I don't agree with that statement. Yes, system admins have knowledge of the system, however that is mostly about hardening and fixing issues. The security aspect is rarely covered on the System Admin side. A System Admin will still need to learn and/or go through training (self-study or class based) and understand how their experience overlaps with forensics.

To gain a bit more knowledge about networking, incident handling and packet analysis, I moved into a SOC (security operations centre). This allowed me to understand how an operating system communicates with other operating systems, the network and/or external systems. In the SOC, I was responsible for identifying anomalies and developing SIEM content to identify incidents within the network and/or operating system based on known bad behaviour. This allowed me to understand what good behaviour is. All operating systems log events, and one must understand what those events mean, in what situations they are triggered, and how one can use them to identify unauthorised activity and/or unusual behaviour. During forensics, this knowledge allowed me to investigate the operating system and/or infected host in a different manner. Yes, Forensics and Incident Response overlap and are two sides of the same coin. I always took initiative, and that helped me in the field.

To understand how Forensics should be performed, one must also understand standards and RFCs. Understanding these standards allowed me to grasp how the corporate world and/or any forensics practice should perform forensics and how that can be integrated into Incident Response. Have a read here for the NIST publication, here for the RFC and here for the NIST Mobile forensics publication.

This will be a good start for individuals interested in Forensics. One should also dive into the operating system they normally use at work/home on their laptop/desktop and go through the system. For Windows, work with PowerShell, look at the Event Viewer and services, and use the Sysinternals tools. Fire up Wireshark and/or Chrome net-internals to see what happens when you access a website. Note down whatever is considered normal behaviour. For Linux/Mac, look at the logs under the /var/log directory.

Lastly, read blogs related to forensics and incident response, which will give good insight into using tools, how forensics is performed, current methodologies and the types of investigations.

A few Forensics Blogs:

Another point I will raise is that certifications are not the only way to understand or gain more knowledge in Forensics. Your practice and dedication to self-learning and implementing on a regular basis will help a lot. But in the corporate world these certifications are considered an entry point, and it is advisable to get them. I have done SANS certifications (I am not advocating and/or advertising SANS for personal gain, just sharing my personal experience), and I believe they concentrate on fundamentals and have better content relative to the topics covered in other certifications.

I will be providing more links in the upcoming mind map. I will also be writing up any Forensic and/or IR investigations that I perform in my home lab, including tool usage.

Happy Forensicating!!!!!

Disposable email addresses (DEA) and concerns

Readers

This post is about disposable email addresses, where to get them, and concerns for organisations or whitehats defending their network/country. Disposable email addresses are addresses for which you don't need an account. Understand that you can only RECEIVE emails and cannot SEND. The service was initially paid-only, but now you can get it for free from multiple locations. The email address lasts from 10 minutes to a week.

Disposable email addresses are something you can use to register on a site that you think you won't be visiting often and that may send you spam later, or when you want to hide your identity while registering. Depending on the person using the service, it can be used in positive and/or negative ways.

Let's start looking at them:

  1. AirMail
  2. Guerrilla Mail
  3. ThrowAwayMail
  4. Mailinator
  5. Temp Mail
  6. myTemp.email
  7. Email on deck

There are others, but the ones mentioned are the top hits.

Having a background in Social Engineering and in identifying tactics that cyber criminals and/or insiders may use, I can think of two concerns with regard to disposable email.

  1. Partners in crime can use these for their communications without having to worry about getting tracked and/or revealing the identity of the recipient.
  2. Another concern is insiders and how one can use disposable emails to transfer data and/or for data exfiltration. Organisations should be on the lookout for these channels or mediums and can configure their mail gateway and/or DLP to make sure no sensitive/confidential information is going out.
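One way to implement the mail-gateway check mentioned above, as an added example that is not part of the original post: it parses constructed gateway log lines and flags outbound mail whose recipient domain (or a parent domain) is on a disposable-provider list. The log line format and the provider domains are assumptions, not values from the post; swap in the domain list your gateway/DLP team maintains.

```python
"""Flag outbound mail addressed to disposable email address (DEA) domains.

Added example, not from the original post. The log format and the
domain list are constructed for illustration; the provider domains are
assumed (the post names the services, not their domains).
"""
import re
from collections import Counter

# Assumed domains for the services named in the post (verify before use).
DISPOSABLE_DOMAINS = {
    "airmail.cc", "guerrillamail.com", "throwawaymail.com",
    "mailinator.com", "temp-mail.org", "mytemp.email", "emailondeck.com",
}

# Constructed gateway log format: "<ts> dir=<in|out> from=<addr> to=<addr>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) dir=(?P<dir>in|out) from=(?P<from>\S+) to=(?P<to>\S+)$"
)


def recipient_domain(address: str) -> str:
    """Return the lowercased domain part of an address (brackets stripped)."""
    addr = address.strip().strip("<>")
    return addr.rsplit("@", 1)[-1].lower().rstrip(".")


def is_disposable(domain: str, disposable=DISPOSABLE_DOMAINS) -> bool:
    """True if the domain or any parent domain (e.g. abc.guerrillamail.com) is listed."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in disposable for i in range(len(labels) - 1))


def flag_outbound_to_disposable(log_lines, disposable=DISPOSABLE_DOMAINS):
    """Return (ts, sender, recipient) for every outbound message to a DEA domain."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or m["dir"] != "out":
            continue  # skip malformed lines and inbound mail
        if is_disposable(recipient_domain(m["to"]), disposable):
            hits.append((m["ts"], m["from"], m["to"]))
    return hits


def senders_by_hits(hits):
    """Count flagged messages per internal sender, for triage."""
    return Counter(sender for _, sender, _ in hits)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2016-09-12T21:50:01Z dir=out from=alice@corp.example to=bob@partner.example",
    "2016-09-12T21:51:13Z dir=out from=alice@corp.example to=<drop42@mailinator.com>",
    "2016-09-12T21:52:40Z dir=in from=x@guerrillamail.com to=alice@corp.example",
    "2016-09-12T21:53:07Z dir=out from=carol@corp.example to=tmp@abc.guerrillamail.com",
    "2016-09-12T21:54:19Z dir=out from=alice@corp.example to=q@MyTemp.Email",
    "garbage line without structure",
]

if __name__ == "__main__":
    hits = flag_outbound_to_disposable(SAMPLE_LOG)
    for ts, sender, rcpt in hits:
        print(f"{ts} {sender} -> {rcpt}")
    print(senders_by_hits(hits))  # Counter({'alice@corp.example': 2, 'carol@corp.example': 1})
```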

If you know of other concerns, please comment.

Let's hope the service is being used for good purposes.

Battling Insider Threats – Browser in the box

Readers

One of the biggest threats for any organisation is the Insider Threat: an employee visiting malicious sites, drive-by downloads, uploading documents etc. – in short, any web activity that can impact the organisation. Many organisations have chosen to deploy DLP, Intrusion Detection and Prevention systems, proxies, user behaviour analytics and other expensive tools to fight these threats, but are still failing to prevent or reduce the risk arising from them.

In my previous post, I mentioned that attackers are exploiting human characteristics – FEAR and CURIOSITY. An employee clicks on a picture of a cat and voilà, the system has been infected. No matter how much security awareness training we provide, there will always be a risk in having an internet connection on the corporate network.

Wouldn't it be good to have some functionality or an application that can prevent malware arriving via a URL, or when a user is visiting a site, from infecting the operating system? It could be obfuscated scripts, executables, rootkits etc. We do have a VM that we use for sandboxing, but let's agree that not all users in your organisation know how to use it and/or even understand the impact of an infected system on a corporate network. During this search I came across a tool called "Browser in the Box" created by Sirrix AG Technologies.

Browser in the Box provides a virtual environment with a web browser encapsulated in it. Therefore, when an employee is surfing the internet through this browser, any suspicious/malicious files from the internet will stay in this virtual environment and will not traverse to the actual host operating system. All browsing activities are isolated completely from the host operating system. "Browser in the Box" also prevents any uploading of files to the internet, which suggests the confidentiality and integrity of the organisation's data is not compromised. Please note, the application is not a virtual machine (one might think that there is malware that identifies a VM and will not execute); it's a virtual environment similar to Windows XP Mode. I will try and test whether this is actually true.

The system was initially developed by Sirrix on behalf of the German Federal Office for Information Security. Currently the solution is open to the public.

Visit the Sirrix website here and the download link here.

Incident Response and Forensics – The two towers

Readers

I've been meaning to write something about my experience with Incident Response and Forensics and how knowledge of both fields helped me.

Most organisations have Incident Response and Forensics as two different departments, with no overlap of services or transparency between them. Personally, I believe this is not a good approach, as the Incident Response and Forensics teams should work hand in hand to get the most out of the investigation. There are organisations who think Forensics is only for collecting evidence. Yes indeed, I was shocked!!!

Both streams require well organised plans and procedures and individuals with strong technical expertise. Both streams have standards – NIST 800-61 for IR and 800-86 for Forensics. One must understand these standards.

When an organisation is performing IR, imagine the responder has no forensic knowledge.

  1. The reason we perform incident response is to understand what happened, how it happened, how we can stop it from further affecting/infecting our systems and how we can stop it in future – Preparation, Identification, Containment, Remediation, Recovery and Lessons Learned. As mentioned in my earlier blog, most organisations perform only Preparation, Identification and Recovery. Is this due to an improper process? Is it because the responder doesn't know the IR phases? Is it due to time constraints, or can't they be bothered?
  2. Now, to understand what happened (e.g., a malware infection), one must understand malware, how it interacts with the system and what artefacts are involved. This is where Forensic knowledge comes into play. When handling a malware incident, one must know malware analysis and, in certain scenarios, reverse engineering. Let's say you are not sure it's a malware infection, but systems are showing signs of unusual behaviour. As an incident responder one may think to just run a certain tool to identify or understand the behaviour – nothing wrong with that, however this may alter certain files by treating them as malicious – like what endpoint protection does when performing a quarantine.
  3. A forensic investigator will first manually investigate the system and learn why it is behaving in such a manner – looking through processes (parent/child), file paths, services etc. to determine what is not part of the system. I am not saying tools will not be used, but this is about a process. A forensic investigator may choose to run Redline, for example.
  4. The approaches taken by the two individuals are always different, but the end goal should remain the same – reduce impact and determine indicators of compromise and TTPs (Tools, Techniques and Procedures) that can be used for earlier detection in future. When this is not performed, our adversaries will always have a tactical advantage over us.

The ideal approach I prefer is that an Incident Responder must have certain knowledge of forensics that can assist him/her in making sure our investigation is not only about cleaning the system (an anti-virus/anti-malware can do that), but about identifying the artefacts and preserving them for further investigation if time permits. Forensics should be performed in parallel with incident response.

IR is more process driven, and forensics allows a deep dive into systems to identify bad actors. Forensics is time consuming, and most of the time organisations prefer not to include it, as they want the business or system to return to its normal state. IR and Forensics should also communicate with the other security and network teams and share the outcome of investigations.

I will be writing more about IR and Forensics methodologies (technical and non-technical) and answer the most common question – how do I go about starting in IR or Forensics (DFIR)? This will supplement the Threat Hunting article that I am working on.

Mandatory Reads

Happy Investigation!!!!!!


Penetration Testing and Rules of engagement

Readers

This post is about the globally accepted LEGAL technique of exploiting a system or network to validate the deployment of its security controls. Yes, I am talking about PENETRATION TESTING.

With this post I would like to share an ideal approach to penetration testing and the importance of following the rules of engagement. From what I have experienced, the following is the normal scenario:

The customer signs an engagement and scope letter. Most of the time this engagement/scope letter contains a very vague and/or no proper description of the hows and whos of the penetration testing methodology. Sometimes they will just mention that Person A and Person B will be performing a Penetration Test on Customer A's network, and the rest is legal and contractual stuff. Some will also add the type of penetration testing (no, they won't mention Black/Grey/White Box testing); they will say Web Application Pen Testing or Network Pen Testing. Although they are in a way correct, we still need to spell it out.

Suggestion: the organisation must let customers know what will be included in a pen test. There is no room for assumptions. For any pen test one must provide the techniques and methods and, especially, what will be tested. One does not need to provide the tool names, but the techniques are important.

Defining this in the scope/engagement letter can assist the pen tester in making sure he/she is not stepping over the boundaries – which are normally considered the RULES OF ENGAGEMENT. Management and pen testers must understand these rules for successful pen testing.

Management and the organisation should also understand that pen testing should not be performed only because of compliance – unfortunately this is the driver in most cases. As pen testing simulates an attack on the organisation, it should be performed on a regular basis and over an extended period of time. One should also perform external pen tests to test security controls and simulate real world attacks. Adversaries and/or cyber criminals have no time limit to gain access to your network, but pen testers do, and management must take this into consideration. Having a pen test for a week and the next one next year will have zero value.

Another suggestion to pen testers is to be ready with their own way of exploiting systems. Most of the time, due to time constraints, we use available tools and exploits to perform the pen test, which may give you some good results, but we need to think or try to go beyond that, and writing your own exploits has proved to be a good method. If a vulnerability is identified, it is a good idea to exploit it with multiple techniques, if known.

Pen testers should also spend a good chunk of time on information gathering (active or passive). The more information you gather, the better you will be able to exploit your target. I have always used two pen testers, whereby PT A continues performing information gathering and provides the results to PT B, PT B gives some information back to PT A, and PT A continues to gather information. Consider this a to-and-fro situation in which PT A and PT B exchange information continuously.

PT B should concentrate on fingerprinting, enumeration, attempts to gain access to the systems and vulnerability assessment. There are many organisations and pen testers who prefer running vulnerability scanners up front when performing a pen test, which I personally believe is the wrong step. As we are trying to simulate attacks on the organisation, we must think from the attacker's point of view. Normally they don't run vulnerability scanners straight away – the traffic generated by them is heavy and easily detectable by various security controls. These scanners can be used for verification and/or as an add-on to the pen testing methodology to make sure we didn't miss anything.

Lastly, provide a report of the pen test to the customer. The report should provide all the findings, the techniques and methods used to collect information and how that information was used to gain access to the system, which vulnerabilities and types of exploit were used, and the outcome of the exploitation – privileged access, data exfiltration, installed/modified applications and/or files etc. Screenshots are considered ideal. Having this information will assist pen testers in drafting recommendations that are actionable, rather than just telling the customer to update and patch.

Please visit the following sites for more information:

http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html
http://www.pentest-standard.org/index.php/Main_Page