the challenges of the kill chain
Transcription
the challenges of the kill chain
THE CHALLENGES OF THE KILL CHAIN Mischel Kwon, President and CEO MKA TODAY’S ATTACKS And that’s just one version of one adversaries tactics! ATTACKER WORKFLOW SPOOFED EMAIL Apr 2 18:57:39 mka-admin sendmail[14766]: q32MvdU8014766: Subject:FOSE.2012.-.Earn.CPE.Credit! Apr 2 18:57:39 mka-admin sendmail[14766]: q32MvdU8014766: from=it@fose.mkwonassoc.com, size=5331, class=0, nrcpts=1, msgid=<201204022257.q32MvdU8014766@mka-admin.mkwonassoc.com>, proto=SMTP, daemon=MTA, relay=[5.85.165.165] Apr 2 18:57:39 mka-admin sendmail[14767]: q32MvdU8014766: to=lucky@fose.mkwonassoc.com, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=35634, dsn=2.0.0, stat=Sent From it@fose.mkwonassoc.com Mon Apr 2 18:57:39 2012 Return-Path: <it@fose.mkwonassoc.com> Received: from fose.mkwonassoc.com ([5.85.165.165]) by mka-admin.mkwonassoc.com (8.14.4/8.14.4) with SMTP id q32MvdU8014766 for lucky@fose.mkwonassoc.com; Mon, 2 Apr 2012 18:57:39 -0400 Date: Mon, 2 Apr 2012 18:57:39 -0400 Message-Id: <201204022257.q32MvdU8014766@mka-admin.mkwonassoc.com> From: "FOSE Outreach" <contact@fose.com> Subject: FOSE 2012 - Earn CPE Credit! X-Sender: it@fose.mkwonassoc.com X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 MALWARE DOWNLOAD 1333316104.437 6972 10.20.30.11 TCP_MISS/200 901555 GET http://evil.com/inst.exe - DIRECT/5.85.165.245 application/x-msdos-program 01-Apr-2012 17:16:43.087 client 10.0.0.10#58382: query: evil.com IN AAAA + (10.0.0.10) 01-Apr-2012 17:16:43.088 client 10.0.0.10#58382: query: evil.com IN A + (10.0.0.10) 04/01-17:16:30.902006 [**] [1:100001:1] inst.exe Download Detected [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.20.30.11:1138 -> 10.0.0.10:8080 MALWARE INSTALL Apr 1 17:16:47 10.20.30.11 Process ID: 1208 Apr 1 17:16:47 10.20.30.11 Image File Name: C:\Documents and Settings\Administrator\My Documents\Installs\inst.exe Apr 1 17:16:48 10.20.30.11 Process ID: 1464 Apr 1 17:16:48 10.20.30.11 Image File Name: C:\WINDOWS\system32\reg.exe Apr 1 17:16:48 10.20.30.11 New Process ID: 1836 Apr 1 17:16:48 10.20.30.11 Image File Name: C:\DOCUME~1\ADMINI~1\LOCALS~1\APPLIC~1\47501.exe CALLBACK ACTIVITY 1-Apr-2012 17:18:15.231 client 10.0.0.10#58382: query: littlepayform.biz IN AAAA + (10.0.0.10) 1-Apr-2012 17:18:21.223 client 10.0.0.10#58382: query: littlepayform.biz IN AAAA + (10.0.0.10) 1-Apr-2012 17:18:22.687 client 10.0.0.10#58382: query: littlepayform.biz IN A + (10.0.0.10) 1-Apr-2012 17:18:28.400 client 10.0.0.10#58382: query: billextrapay.com IN AAAA + (10.0.0.10) 1-Apr-2012 17:18:31.141 client 10.0.0.10#58382: query: billextrapay.com IN A + (10.0.0.10) 1333040144.983 59 10.20.30.11 TCP_MISS/503 4060 GET http://littlepayform.biz/buy.php? - DIRECT/littlepayform.biz text/html 1333040145.819 565 10.20.30.11 TCP_MISS/302 441 GET http://billextrapay.com/buy.php? - DIRECT/69.43.161.176 text/html 1333040146.483 661 10.20.30.11 TCP_MISS/200 53962 GET http://ww35.billextrapay.com/buy.php? - DIRECT/141.8.224.44 text/html 1333040147.548 112 10.20.30.11 TCP_MISS/200 383 POST http://ww35.billextrapay.com/rg-rlog.php - DIRECT/141.8.224.44 text/html 1333040261.553 49 10.20.30.11 TCP_MISS/503 4060 GET http://littlepayform.biz/buy.php? - DIRECT/littlepayform.biz text/html 1333040261.902 297 10.20.30.11 TCP_MISS/302 441 GET http://billextrapay.com/buy.php? - DIRECT/69.43.161.176 text/html 1333040262.189 285 10.20.30.11 TCP_MISS/200 53847 GET http://ww35.billextrapay.com/buy.php? - DIRECT/141.8.224.44 text/html BEACONING ACTIVITY 1333050577.463 63100 10.20.30.11 TCP_MISS/503 3886 GET http://195.54.171.33/cb_soft.php? - DIRECT/195.54.171.33 text/html 1333050655.557 63100 10.20.30.11 TCP_MISS/503 3886 GET http://195.54.171.33/cb_soft.php? - DIRECT/195.54.171.33 text/html 1333050733.653 63099 10.20.30.11 TCP_MISS/503 3886 GET http://195.54.171.33/cb_soft.php? - DIRECT/195.54.171.33 text/html 1333050811.747 63100 10.20.30.11 TCP_MISS/503 3886 GET http://195.54.171.33/cb_soft.php? - DIRECT/195.54.171.33 text/html 1333050889.841 63100 10.20.30.11 TCP_MISS/503 3886 GET http://195.54.171.33/cb_soft.php? - DIRECT/195.54.171.33 text/html 1333050967.938 63100 10.20.30.11 TCP_MISS/503 3886 GET http://195.54.171.33/cb_soft.php? - DIRECT/195.54.171.33 text/html 1333051046.030 63101 10.20.30.11 TCP_MISS/503 3886 GET http://195.54.171.33/cb_soft.php? - DIRECT/195.54.171.33 text/html 1333051124.124 63100 10.20.30.11 TCP_MISS/503 3886 GET http://195.54.171.33/cb_soft.php? - DIRECT/195.54.171.33 text/html 1333051202.220 63100 10.20.30.11 TCP_MISS/503 3886 GET http://195.54.171.33/cb_soft.php? - DIRECT/195.54.171.33 text/html 1333051280.314 63100 10.20.30.11 TCP_MISS/503 3886 GET http://195.54.171.33/cb_soft.php? - DIRECT/195.54.171.33 text/html 1333051358.409 63100 10.20.30.11 TCP_MISS/503 3886 GET http://195.54.171.33/cb_soft.php? - DIRECT/195.54.171.33 text/html 1333051436.505 63100 10.20.30.11 TCP_MISS/503 3886 GET http://195.54.171.33/cb_soft.php? - DIRECT/195.54.171.33 text/html 1333051514.601 63100 10.20.30.11 TCP_MISS/503 3886 GET http://195.54.171.33/cb_soft.php? - DIRECT/195.54.171.33 text/html 1333051592.692 63100 10.20.30.11 TCP_MISS/503 3886 GET http://195.54.171.33/cb_soft.php? - DIRECT/195.54.171.33 text/html 1333051670.788 63100 10.20.30.11 TCP_MISS/503 3886 GET http://195.54.171.33/cb_soft.php? - DIRECT/195.54.171.33 text/html 1333051748.924 63100 10.20.30.11 TCP_MISS/503 3886 GET http://195.54.171.33/cb_soft.php? - DIRECT/195.54.171.33 text/html 1333051827.049 63101 10.20.30.11 TCP_MISS/503 3886 GET http://195.54.171.33/cb_soft.php? - DIRECT/195.54.171.33 text/html MALWARE DOWNLOAD 31-Mar-2012 17:50:57.005 client 10.0.0.10#58382: query: www.f0se.com IN AAAA + (10.0.0.10) 31-Mar-2012 17:51:00.292 client 10.0.0.10#58382: query: www.f0se.com IN A + (10.0.0.10) 1333233560.373 5 10.20.30.13 TCP_MISS/302 329 GET http://www.f0se.com:8080/earn_CPE - DIRECT/5.85.165.245 text/html 1333233560.577 3 10.20.30.13 TCP_MISS/200 515 GET http://www.f0se.com:8080/earn_CPE/ - DIRECT/5.85.165.245 text/html 1333233569.602 1110 10.20.30.13 TCP_MISS/200 51453 GET http://www.f0se.com:8080/earn_CPE/SiteLoader.jar DIRECT/5.85.165.245 application/octet-stream 1333233570.838 1206 10.20.30.13 TCP_MISS/200 51582 GET http://www.f0se.com:8080/earn_CPE/SiteLoader.jar DIRECT/5.85.165.245 application/octet-stream 1333233578.690 1084 10.20.30.13 TCP_MISS/200 51512 GET http://www.f0se.com:8080/earn_CPE/SiteLoader.jar DIRECT/5.85.165.245 application/octet-stream 1333233579.944 1237 10.20.30.13 TCP_MISS/200 51592 GET http://www.f0se.com:8080/earn_CPE/SiteLoader.jar DIRECT/5.85.165.245 application/octet-stream 1333233581.079 1101 10.20.30.13 TCP_MISS/200 51666 GET http://www.f0se.com:8080/earn_CPE/SiteLoader.jar DIRECT/5.85.165.245 application/octet-stream 1333233582.150 1052 10.20.30.13 TCP_MISS/200 51593 GET http://www.f0se.com:8080/earn_CPE/SiteLoader.jar DIRECT/5.85.165.245 application/octet-stream ODD FILE Apr 1 12:27:40 10.20.30.13 988 <133>1 2012-04-01T13:24:49-04:00 demoxp2 Security 380 - [meta sequenceId="322" sysUpTime="5032725"][origin ip="demoxp2" software="Security"][win@18372.4 EVENT_CATEGORY="Detailed Tracking" EVENT_FACILITY="16" EVENT_ID="600" EVENT_LEVEL="5" EVENT_NAME="Security" EVENT_REC_NUM="1876” EVENT_SID="S-1-5-21-1757981266-413027322-1801674531-500" EVENT_SID_TYPE="User" EVENT_SOURCE="Security" EVENT_TYPE="Success Audit" EVENT_USERNAME="DEMOXP2\\Administrator"] DEMOXP2\Administrator: Security Security: [Success Audit] A process was assigned a primary token. Apr 1 12:27:40 10.20.30.13 Assigning Process Information: Apr 1 12:27:40 10.20.30.13 Process ID: 3184 Apr 1 12:27:40 10.20.30.13 Image File Name: C:\Documents and Settings\TEMP\Local Settings\Temp\~spawn12488.tmp.dir\FSdXvdnm.exe Apr 1 12:27:40 10.20.30.13 New Process Information: Apr 1 12:27:40 10.20.30.13 Process ID: 4028 Apr 1 12:27:40 10.20.30.13 Image File Name: C:\WINDOWS\system32\cmd.exe LATERAL SCANNING Apr 1 12:28:48 10.20.30.13 (EventID 593) Apr 1 12:28:49 10.20.30.13 558 <131>… Unknown User: System Service Control Manager: [Error] Timeout (30000 milliseconds) waiting for the qfdtzy service to connect. (EventID 7009) Apr 1 12:30:37 10.20.30.11 741 <132>…: Security Security: [Failure Audit] Logon Failure: Apr 1 12:30:37 10.20.30.11 Reason: Unknown user name or bad password Apr 1 12:30:37 10.20.30.11 User Name: larry Apr 1 12:30:37 10.20.30.11 Domain: WORKGROUP Apr 1 12:30:37 10.20.30.11 Workstation Name: VKFzuLVYrkeh2qpP (EventID 529) Apr 1 12:31:25 10.20.30.11 741 <132>..: Security Security: [Failure Audit] Logon Failure: Apr 1 12:31:25 10.20.30.11 Reason: Unknown user name or bad password Apr 1 12:31:25 10.20.30.11 User Name: lucky Apr 1 12:31:25 10.20.30.11 Domain: WORKGROUP Apr 1 12:31:25 10.20.30.11 Workstation Name: Dn6cPTbMWvhxuSYC (EventID 529) Apr 1 12:32:33 10.20.30.11 749 <132>…: Security Security: [Failure Audit] Logon Failure: Apr 1 12:32:33 10.20.30.11 Reason: Unknown user name or bad password Apr 1 12:32:33 10.20.30.11 User Name: Administrator Apr 1 12:32:33 10.20.30.11 Domain: WORKGROUP MALWARE INSTALL Apr 2 20:37:05 10.20.30.102 657 <133> … [origin ip="10.20.30.102" … EVENT_TYPE="Success Audit" EVENT_USERNAME="NT AUTHORITY\\SYSTEM"] <U+FEFF>NT AUTHORITY\SYSTEM: Security Security: [Success Audit] A process has exited: Apr 2 20:37:05 10.20.30.102 Process ID: 2248 Apr 2 20:37:05 10.20.30.102 Image File Name: C:\WINDOWS\IaBOwFIe.exe Apr 2 20:37:05 10.20.30.102 User Name: MACHINEA2$ Apr 2 20:37:05 10.20.30.102 Domain: AD Apr 2 20:37:05 10.20.30.102 624 <133> … [origin ip="10.20.30.102" … EVENT_USERNAME="AD\\larry"] <U+FEFF>AD\larry: System Service Control Manager: [Information] The MIbRQJsnmQcTDtfmHx service was successfully sent a start control. (EventID 7035) Apr 2 20:37:05 10.20.30.102 566 <133> … [origin ip="10.20.30.102" … EVENT_SOURCE= "Service Control Manager" … [Information] The MIbRQJsnmQcTDtfmHx service entered the running state. (EventID 7036) Apr 2 20:37:05 10.20.30.102 566 <133> … [origin ip="10.20.30.102" … EVENT_SOURCE= "Service Control Manager" … <U+FEFF>Unknown User: System Service Control Manager: [Information] The MIbRQJsnmQcTDtfmHx service entered the stopped state. (EventID 7036) Apr 2 20:37:07 10.20.30.102 610 <133>… machinea2 … EVENT_CATEGORY="Logon/Logoff" …EVENT_USERNAME="AD\\larry"] <U+FEFF>AD\larry: Security Security: [Success Audit] User Logoff: Apr 2 20:37:07 10.20.30.102 User Name: larry Apr 2 20:37:07 10.20.30.102 Domain: AD DATA EXFIL INPUT: 12947 Records for 12765 Bins and 44577810 Total Bytes OUTPUT: Top 30 Bins by Bytes sIP|sPort| dIP|dPort| Bytes| %Bytes| cumul_%| 10.20.30.102| 3869|5.85.165.245|33333|38229438|85.758897| 85.758897| 10.20.30.102| 4435| 10.0.0.15| 2006| 438480| 0.983628| 89.699344| 10.20.30.100|63464| 10.0.0.15| 2008| 388211| 0.870862| 90.570205| 10.20.30.13| 2166| 10.0.0.15| 2001| 388120| 0.870657| 91.440863| 10.20.30.11| 1176| 10.0.0.15| 2000| 388080| 0.870568| 92.311430| 10.20.30.100|65247|65.55.184.16| 443| 213243| 0.478361| 94.202196| 10.20.30.102| 3249| 10.0.0.15| 4444| 116425| 0.261173| 94.463369| 10.20.30.100|52086|4.59.136.208| 443| 81870| 0.183656| 94.647025| 10.20.30.100|51314|5.85.165.245|33333| 48004| 0.107686| 94.754711| KILL CHAIN Military Concept – target identification, force dispatch to target, decision and order to attack the target, and finally the destruction of the target Air Force’s process subdivided into seven “events” Anticipate Find Fix Track Target Engage Access http://ftp.rta.nato.int/public//PubFullText/RTO/TR/RTO-TR-SAS-050///TR-SAS-050-10-06.pdf KILL CHAIN THEORY Cybersecurity – Understanding the phases of a cyber attack in order to eliminate it and defend against it To record, track and group information about a cyber attack to develop profiles that allow us to defend against particular types of attacks and adversaries Enables analysts to identify adversary attack patterns Enabling next step predictions Enabling proactive defense Cyber Attack Progression Stages Courtesy Mike Cloppert, Lockeed Martin Thank you Mike Cloppert http://computer-forensics.sans.org/blog/2009/10/14/security-intelligence-attacking-the-kill-chain/ OTHER BUZZ WORDS AND STRATEGIES One for One – better known as “Whac-a-Mole” method SEIM Model Packet reconstruction Flow APT Continuous Monitoring Exploitation Life Cycle Ostrich Method TOOLS AND TECHNIQUES USED TODAY SEIM IDS Firewall Packet Reconstruction Network Forensics Flow Data Host Based Detection Host Forensics Honey Pot Vulnerability and Patch Management Tools Configuration Management Tools Network Management Tools Scanners Virtualization – Hypervisor Monitoring Tools AND IT LOOKS LIKE THIS: DATA AND ANALYTICS – THE ACHILLES’ HEEL Massive amount of Data 165,000 end users – 6000 servers 3 core enterprise domains 10 internet gateways – 4 OC-12s, 6 OC-3s 126 TB of network traffic a day Roughly one billion events received by SIEM and log aggregation devices daily Expensive analysts often repeating analysis Doesn’t include remediation or compliance data WHAT DOES IT TAKE TO DO KILL CHAIN? Threat Intelligence = Data Indicators TTPs – Tactics, Techniques, Procedures Adversary Behavior System Monitoring = Data System Knowledge = Data Known vulnerabilities Known users + there behaviors Mission and criticality Analysts and Hunters The ability to process the data quickly Not on a one for one alert basis Enable pattern recognition http://computer-forensics.sans.org/blog/2009/10/14/security-intelligence-attacking-the-kill-chain/ SO…NOW YOU HAVE DETECTED A PATTERN – WHAT DO YOU DO? Prioritize the Monitoring – prioritized threat Remediation Policy You might not have it all How is the mission owner involved Tie back to audit It’s not just a technical fix! Manage the RISK Not just what you have detected! Take advantage of understanding their patterns Make it not happen again! FISMA DIACAP Make it operational no matter what you call it! Defense Make strategic changes – configuration of architecture, network, devices, procedures Monitor, monitor, monitor the hard stuff Control the domain, control administrative power Be creative SOLUTION – ONE SECURITY PLATFORM Courtesy MKA VSOC™ SCALABILITY, SPEED, FLEXIBILITY NEW DATA STRUCTURES, IN MEMORY ANALYSIS http://www.experiencesaphana.com/community/solutions/predictive-analysis CHALLENGES Storing the data Accessing the data Fast Analysis Engine – in memory Analysis Engine must allow for simple model modification Mapping Reporting and Metrics How does policy keep up with the actions of the adversary? Risk Technical Managerial Executive Mission Policy Attack patterns – whether all the pattern has happened or not Attack points to vulnerabilities Vulnerabilities to Controls and Policies Attack results to mission So much data – how do you understand the ultimate risk to the mission? Budget How do you right size this How do you articulate the need, successes, and cost effectiveness to the Executive level FUTURE (WISH LIST ☺) Shared Pattern Libraries – on the meta data level Vulnerability management based on patterns not just one for one One data format Acceptance and tools to manage other data storage formats Shared Analyst pools Mission participation in Risk Analysis Questions? For copies of slide and or more information contact: Mischel Kwon: info@mkwonassoc.com,