the challenges of the kill chain

Transcription

the challenges of the kill chain
THE CHALLENGES OF THE KILL CHAIN
Mischel Kwon, President and CEO MKA
TODAY’S ATTACKS
And that’s just one version of one adversaries tactics!
ATTACKER WORKFLOW
SPOOFED EMAIL
Apr 2 18:57:39 mka-admin sendmail[14766]: q32MvdU8014766: Subject:FOSE.2012.-.Earn.CPE.Credit!
Apr 2 18:57:39 mka-admin sendmail[14766]: q32MvdU8014766: from=it@fose.mkwonassoc.com, size=5331, class=0,
nrcpts=1, msgid=<201204022257.q32MvdU8014766@mka-admin.mkwonassoc.com>, proto=SMTP, daemon=MTA,
relay=[5.85.165.165]
Apr 2 18:57:39 mka-admin sendmail[14767]: q32MvdU8014766: to=lucky@fose.mkwonassoc.com, delay=00:00:00,
xdelay=00:00:00, mailer=local, pri=35634, dsn=2.0.0, stat=Sent
From it@fose.mkwonassoc.com Mon Apr 2 18:57:39 2012
Return-Path: <it@fose.mkwonassoc.com>
Received: from fose.mkwonassoc.com ([5.85.165.165])
by mka-admin.mkwonassoc.com (8.14.4/8.14.4) with SMTP id q32MvdU8014766
for lucky@fose.mkwonassoc.com; Mon, 2 Apr 2012 18:57:39 -0400
Date: Mon, 2 Apr 2012 18:57:39 -0400
Message-Id: <201204022257.q32MvdU8014766@mka-admin.mkwonassoc.com>
From: "FOSE Outreach" <contact@fose.com>
Subject: FOSE 2012 - Earn CPE Credit!
X-Sender: it@fose.mkwonassoc.com
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
MALWARE DOWNLOAD
1333316104.437 6972 10.20.30.11 TCP_MISS/200 901555
GET http://evil.com/inst.exe - DIRECT/5.85.165.245 application/x-msdos-program
01-Apr-2012 17:16:43.087 client 10.0.0.10#58382: query: evil.com IN AAAA + (10.0.0.10)
01-Apr-2012 17:16:43.088 client 10.0.0.10#58382: query: evil.com IN A + (10.0.0.10)
04/01-17:16:30.902006 [**] [1:100001:1] inst.exe Download Detected
[**] [Classification: Potentially Bad Traffic] [Priority: 2]
{TCP} 10.20.30.11:1138 -> 10.0.0.10:8080
MALWARE INSTALL
Apr 1 17:16:47 10.20.30.11 Process ID: 1208
Apr 1 17:16:47 10.20.30.11 Image File Name:
C:\Documents and Settings\Administrator\My Documents\Installs\inst.exe
Apr 1 17:16:48 10.20.30.11 Process ID: 1464
Apr 1 17:16:48 10.20.30.11 Image File Name:
C:\WINDOWS\system32\reg.exe
Apr 1 17:16:48 10.20.30.11 New Process ID: 1836
Apr 1 17:16:48 10.20.30.11 Image File Name:
C:\DOCUME~1\ADMINI~1\LOCALS~1\APPLIC~1\47501.exe
CALLBACK ACTIVITY
1-Apr-2012 17:18:15.231 client 10.0.0.10#58382: query: littlepayform.biz IN AAAA + (10.0.0.10)
1-Apr-2012 17:18:21.223 client 10.0.0.10#58382: query: littlepayform.biz IN AAAA + (10.0.0.10)
1-Apr-2012 17:18:22.687 client 10.0.0.10#58382: query: littlepayform.biz IN A + (10.0.0.10)
1-Apr-2012 17:18:28.400 client 10.0.0.10#58382: query: billextrapay.com IN AAAA + (10.0.0.10)
1-Apr-2012 17:18:31.141 client 10.0.0.10#58382: query: billextrapay.com IN A + (10.0.0.10)
1333040144.983 59 10.20.30.11 TCP_MISS/503 4060
GET http://littlepayform.biz/buy.php? - DIRECT/littlepayform.biz text/html
1333040145.819 565 10.20.30.11 TCP_MISS/302 441
GET http://billextrapay.com/buy.php? - DIRECT/69.43.161.176 text/html
1333040146.483 661 10.20.30.11 TCP_MISS/200 53962
GET http://ww35.billextrapay.com/buy.php? - DIRECT/141.8.224.44 text/html
1333040147.548 112 10.20.30.11 TCP_MISS/200 383
POST http://ww35.billextrapay.com/rg-rlog.php - DIRECT/141.8.224.44 text/html
1333040261.553 49 10.20.30.11 TCP_MISS/503 4060
GET http://littlepayform.biz/buy.php? - DIRECT/littlepayform.biz text/html
1333040261.902 297 10.20.30.11 TCP_MISS/302 441
GET http://billextrapay.com/buy.php? - DIRECT/69.43.161.176 text/html
1333040262.189 285 10.20.30.11 TCP_MISS/200 53847
GET http://ww35.billextrapay.com/buy.php? - DIRECT/141.8.224.44 text/html
BEACONING ACTIVITY
1333050577.463 63100 10.20.30.11 TCP_MISS/503 3886 GET http://195.54.171.33/cb_soft.php? - DIRECT/195.54.171.33 text/html
1333050655.557 63100 10.20.30.11 TCP_MISS/503 3886 GET http://195.54.171.33/cb_soft.php? - DIRECT/195.54.171.33 text/html
1333050733.653 63099 10.20.30.11 TCP_MISS/503 3886 GET http://195.54.171.33/cb_soft.php? - DIRECT/195.54.171.33 text/html
1333050811.747 63100 10.20.30.11 TCP_MISS/503 3886 GET http://195.54.171.33/cb_soft.php? - DIRECT/195.54.171.33 text/html
1333050889.841 63100 10.20.30.11 TCP_MISS/503 3886 GET http://195.54.171.33/cb_soft.php? - DIRECT/195.54.171.33 text/html
1333050967.938 63100 10.20.30.11 TCP_MISS/503 3886 GET http://195.54.171.33/cb_soft.php? - DIRECT/195.54.171.33 text/html
1333051046.030 63101 10.20.30.11 TCP_MISS/503 3886 GET http://195.54.171.33/cb_soft.php? - DIRECT/195.54.171.33 text/html
1333051124.124 63100 10.20.30.11 TCP_MISS/503 3886 GET http://195.54.171.33/cb_soft.php? - DIRECT/195.54.171.33 text/html
1333051202.220 63100 10.20.30.11 TCP_MISS/503 3886 GET http://195.54.171.33/cb_soft.php? - DIRECT/195.54.171.33 text/html
1333051280.314 63100 10.20.30.11 TCP_MISS/503 3886 GET http://195.54.171.33/cb_soft.php? - DIRECT/195.54.171.33 text/html
1333051358.409 63100 10.20.30.11 TCP_MISS/503 3886 GET http://195.54.171.33/cb_soft.php? - DIRECT/195.54.171.33 text/html
1333051436.505 63100 10.20.30.11 TCP_MISS/503 3886 GET http://195.54.171.33/cb_soft.php? - DIRECT/195.54.171.33 text/html
1333051514.601 63100 10.20.30.11 TCP_MISS/503 3886
GET http://195.54.171.33/cb_soft.php? - DIRECT/195.54.171.33 text/html
1333051592.692 63100 10.20.30.11 TCP_MISS/503 3886
GET http://195.54.171.33/cb_soft.php? - DIRECT/195.54.171.33 text/html
1333051670.788 63100 10.20.30.11 TCP_MISS/503 3886
GET http://195.54.171.33/cb_soft.php? - DIRECT/195.54.171.33 text/html
1333051748.924 63100 10.20.30.11 TCP_MISS/503 3886
GET http://195.54.171.33/cb_soft.php? - DIRECT/195.54.171.33 text/html
1333051827.049 63101 10.20.30.11 TCP_MISS/503 3886
GET http://195.54.171.33/cb_soft.php? - DIRECT/195.54.171.33 text/html
MALWARE DOWNLOAD
31-Mar-2012 17:50:57.005 client 10.0.0.10#58382: query: www.f0se.com IN AAAA + (10.0.0.10)
31-Mar-2012 17:51:00.292 client 10.0.0.10#58382: query: www.f0se.com IN A + (10.0.0.10)
1333233560.373
5 10.20.30.13 TCP_MISS/302 329
GET http://www.f0se.com:8080/earn_CPE - DIRECT/5.85.165.245 text/html
1333233560.577
3 10.20.30.13 TCP_MISS/200 515
GET http://www.f0se.com:8080/earn_CPE/ - DIRECT/5.85.165.245 text/html
1333233569.602 1110 10.20.30.13 TCP_MISS/200 51453
GET http://www.f0se.com:8080/earn_CPE/SiteLoader.jar DIRECT/5.85.165.245 application/octet-stream
1333233570.838 1206 10.20.30.13 TCP_MISS/200 51582
GET http://www.f0se.com:8080/earn_CPE/SiteLoader.jar DIRECT/5.85.165.245 application/octet-stream
1333233578.690 1084 10.20.30.13 TCP_MISS/200 51512
GET http://www.f0se.com:8080/earn_CPE/SiteLoader.jar DIRECT/5.85.165.245 application/octet-stream
1333233579.944 1237 10.20.30.13 TCP_MISS/200 51592
GET http://www.f0se.com:8080/earn_CPE/SiteLoader.jar DIRECT/5.85.165.245 application/octet-stream
1333233581.079 1101 10.20.30.13 TCP_MISS/200 51666
GET http://www.f0se.com:8080/earn_CPE/SiteLoader.jar DIRECT/5.85.165.245 application/octet-stream
1333233582.150 1052 10.20.30.13 TCP_MISS/200 51593
GET http://www.f0se.com:8080/earn_CPE/SiteLoader.jar DIRECT/5.85.165.245 application/octet-stream
ODD FILE
Apr 1 12:27:40 10.20.30.13 988 <133>1 2012-04-01T13:24:49-04:00 demoxp2 Security 380 - [meta sequenceId="322"
sysUpTime="5032725"][origin ip="demoxp2" software="Security"][win@18372.4 EVENT_CATEGORY="Detailed Tracking"
EVENT_FACILITY="16" EVENT_ID="600" EVENT_LEVEL="5" EVENT_NAME="Security" EVENT_REC_NUM="1876”
EVENT_SID="S-1-5-21-1757981266-413027322-1801674531-500" EVENT_SID_TYPE="User"
EVENT_SOURCE="Security" EVENT_TYPE="Success Audit" EVENT_USERNAME="DEMOXP2\\Administrator"]
DEMOXP2\Administrator: Security Security: [Success Audit] A process was assigned a primary token.
Apr 1 12:27:40 10.20.30.13 Assigning Process Information:
Apr 1 12:27:40 10.20.30.13 Process ID: 3184
Apr 1 12:27:40 10.20.30.13 Image File Name: C:\Documents and Settings\TEMP\Local
Settings\Temp\~spawn12488.tmp.dir\FSdXvdnm.exe
Apr 1 12:27:40 10.20.30.13 New Process Information:
Apr 1 12:27:40 10.20.30.13 Process ID: 4028
Apr 1 12:27:40 10.20.30.13 Image File Name: C:\WINDOWS\system32\cmd.exe
LATERAL SCANNING
Apr 1 12:28:48 10.20.30.13 (EventID 593)
Apr 1 12:28:49 10.20.30.13 558 <131>… Unknown User: System Service Control Manager: [Error]
Timeout (30000 milliseconds) waiting for the qfdtzy service to connect. (EventID 7009)
Apr 1 12:30:37 10.20.30.11 741 <132>…: Security Security: [Failure Audit] Logon Failure:
Apr 1 12:30:37 10.20.30.11 Reason: Unknown user name or bad password
Apr 1 12:30:37 10.20.30.11 User Name: larry
Apr 1 12:30:37 10.20.30.11 Domain: WORKGROUP
Apr 1 12:30:37 10.20.30.11 Workstation Name: VKFzuLVYrkeh2qpP (EventID 529)
Apr 1 12:31:25 10.20.30.11 741 <132>..: Security Security: [Failure Audit] Logon Failure:
Apr 1 12:31:25 10.20.30.11 Reason: Unknown user name or bad password
Apr 1 12:31:25 10.20.30.11 User Name: lucky
Apr 1 12:31:25 10.20.30.11 Domain: WORKGROUP
Apr 1 12:31:25 10.20.30.11 Workstation Name: Dn6cPTbMWvhxuSYC (EventID 529)
Apr 1 12:32:33 10.20.30.11 749 <132>…: Security Security: [Failure Audit] Logon Failure:
Apr 1 12:32:33 10.20.30.11 Reason: Unknown user name or bad password
Apr 1 12:32:33 10.20.30.11 User Name: Administrator
Apr 1 12:32:33 10.20.30.11 Domain: WORKGROUP
MALWARE INSTALL
Apr 2 20:37:05 10.20.30.102 657 <133> … [origin ip="10.20.30.102" … EVENT_TYPE="Success Audit"
EVENT_USERNAME="NT AUTHORITY\\SYSTEM"] <U+FEFF>NT AUTHORITY\SYSTEM: Security Security: [Success Audit] A
process has exited:
Apr 2 20:37:05 10.20.30.102 Process ID: 2248
Apr 2 20:37:05 10.20.30.102 Image File Name: C:\WINDOWS\IaBOwFIe.exe
Apr 2 20:37:05 10.20.30.102 User Name: MACHINEA2$
Apr 2 20:37:05 10.20.30.102 Domain: AD
Apr 2 20:37:05 10.20.30.102 624 <133> … [origin ip="10.20.30.102" … EVENT_USERNAME="AD\\larry"] <U+FEFF>AD\larry:
System Service Control Manager: [Information] The MIbRQJsnmQcTDtfmHx service
was successfully sent a start control. (EventID 7035)
Apr 2 20:37:05 10.20.30.102 566 <133> … [origin ip="10.20.30.102" … EVENT_SOURCE=
"Service Control Manager" … [Information] The MIbRQJsnmQcTDtfmHx service entered the
running state. (EventID 7036)
Apr 2 20:37:05 10.20.30.102 566 <133> … [origin ip="10.20.30.102" … EVENT_SOURCE=
"Service Control Manager" … <U+FEFF>Unknown User: System Service Control Manager:
[Information] The MIbRQJsnmQcTDtfmHx service entered the stopped state. (EventID 7036)
Apr 2 20:37:07 10.20.30.102 610 <133>… machinea2 … EVENT_CATEGORY="Logon/Logoff"
…EVENT_USERNAME="AD\\larry"] <U+FEFF>AD\larry: Security Security: [Success Audit]
User Logoff:
Apr 2 20:37:07 10.20.30.102 User Name: larry
Apr 2 20:37:07 10.20.30.102 Domain: AD
DATA EXFIL
INPUT: 12947 Records for 12765 Bins and 44577810 Total Bytes
OUTPUT: Top 30 Bins by Bytes
sIP|sPort|
dIP|dPort| Bytes| %Bytes| cumul_%|
10.20.30.102| 3869|5.85.165.245|33333|38229438|85.758897| 85.758897|
10.20.30.102| 4435| 10.0.0.15| 2006| 438480| 0.983628| 89.699344|
10.20.30.100|63464| 10.0.0.15| 2008| 388211| 0.870862| 90.570205|
10.20.30.13| 2166| 10.0.0.15| 2001| 388120| 0.870657| 91.440863|
10.20.30.11| 1176| 10.0.0.15| 2000| 388080| 0.870568| 92.311430|
10.20.30.100|65247|65.55.184.16| 443| 213243| 0.478361| 94.202196|
10.20.30.102| 3249| 10.0.0.15| 4444| 116425| 0.261173| 94.463369|
10.20.30.100|52086|4.59.136.208| 443| 81870| 0.183656| 94.647025|
10.20.30.100|51314|5.85.165.245|33333| 48004| 0.107686| 94.754711|
KILL CHAIN
Military Concept – target identification, force
dispatch to target, decision and order to attack the
target, and finally the destruction of the target
Air Force’s process subdivided into seven “events”
Anticipate
Find
Fix
Track
Target
Engage
Access
http://ftp.rta.nato.int/public//PubFullText/RTO/TR/RTO-TR-SAS-050///TR-SAS-050-10-06.pdf
KILL CHAIN THEORY
Cybersecurity – Understanding the phases of a
cyber attack in order to eliminate it and defend
against it
To record, track and group information about a cyber
attack to develop profiles that allow us to defend against
particular types of attacks and adversaries
Enables analysts to identify adversary attack patterns
Enabling next step predictions
Enabling proactive defense
Cyber Attack Progression Stages
Courtesy Mike Cloppert, Lockeed Martin
Thank you Mike Cloppert
http://computer-forensics.sans.org/blog/2009/10/14/security-intelligence-attacking-the-kill-chain/
OTHER BUZZ WORDS AND STRATEGIES
One for One – better known as “Whac-a-Mole”
method
SEIM Model
Packet reconstruction
Flow
APT
Continuous Monitoring
Exploitation Life Cycle
Ostrich Method
TOOLS AND TECHNIQUES USED TODAY
SEIM
IDS
Firewall
Packet Reconstruction
Network Forensics
Flow Data
Host Based Detection
Host Forensics
Honey Pot
Vulnerability and Patch Management Tools
Configuration Management Tools
Network Management Tools
Scanners
Virtualization – Hypervisor Monitoring Tools
AND IT LOOKS LIKE THIS:
DATA AND ANALYTICS – THE ACHILLES’ HEEL
Massive amount of Data
165,000 end users – 6000 servers
3 core enterprise domains
10 internet gateways – 4 OC-12s, 6 OC-3s
126 TB of network traffic a day
Roughly one billion events received by SIEM and log aggregation devices
daily
Expensive analysts often repeating analysis
Doesn’t include remediation or compliance data
WHAT DOES IT TAKE TO DO KILL CHAIN?
Threat Intelligence = Data
Indicators
TTPs – Tactics, Techniques, Procedures
Adversary Behavior
System Monitoring = Data
System Knowledge = Data
Known vulnerabilities
Known users + there behaviors
Mission and criticality
Analysts and Hunters
The ability to process the data quickly
Not on a one for one alert basis
Enable pattern recognition
http://computer-forensics.sans.org/blog/2009/10/14/security-intelligence-attacking-the-kill-chain/
SO…NOW YOU HAVE DETECTED A PATTERN
– WHAT DO YOU DO?
Prioritize the Monitoring – prioritized threat
Remediation
Policy
You might not have it all
How is the mission owner involved
Tie back to audit
It’s not just a technical fix!
Manage the RISK
Not just what you have detected! Take advantage of understanding their
patterns
Make it not happen again!
FISMA
DIACAP
Make it operational no matter what you call it!
Defense
Make strategic changes – configuration of architecture, network, devices,
procedures
Monitor, monitor, monitor the hard stuff
Control the domain, control administrative power
Be creative
SOLUTION – ONE SECURITY PLATFORM
Courtesy MKA VSOC™
SCALABILITY, SPEED, FLEXIBILITY
NEW DATA STRUCTURES, IN MEMORY ANALYSIS
http://www.experiencesaphana.com/community/solutions/predictive-analysis
CHALLENGES
Storing the data
Accessing the data
Fast Analysis Engine – in memory
Analysis Engine must allow for simple model modification
Mapping
Reporting and Metrics
How does policy keep up with the actions of the adversary?
Risk
Technical
Managerial
Executive
Mission
Policy
Attack patterns – whether all the pattern has happened or not
Attack points to vulnerabilities
Vulnerabilities to Controls and Policies
Attack results to mission
So much data – how do you understand the ultimate risk to the mission?
Budget
How do you right size this
How do you articulate the need, successes, and cost effectiveness to the Executive level
FUTURE (WISH LIST ☺)
Shared Pattern Libraries – on the
meta data level
Vulnerability management based
on patterns not just one for one
One data format
Acceptance and tools to manage
other data storage formats
Shared Analyst pools
Mission participation in Risk
Analysis
Questions?
For copies of slide and or more information contact:
Mischel Kwon: info@mkwonassoc.com,