
HBSS Tricks Chris Rooney We need a recipe, map, something… For many people Audits are like Easter


HBSS Tricks

Chris Rooney


We need a recipe, map, something…

For many people Audits are like Easter


Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

1.1 Establish firewall and router configuration standards that include the following: blah blah

1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.

1.4 Install personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization’s network.


Requirement 5: Use and regularly update anti-virus software or programs

5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).

5.2 Ensure that all anti-virus mechanisms are current, actively running, and generating audit logs.

Requirement 6: Develop and maintain secure systems and applications

6.2 Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities.


Requirement 8: Assign a unique ID to each person with computer access

Requirement 10: Track and monitor all access to network resources and cardholder data

Their own words - Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs.

10.1 Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.


Requirement 12: Maintain a policy that addresses information security for all personnel.

A strong security policy sets the security tone for the whole entity and informs personnel what is expected of them. All personnel should be aware of the sensitivity of data and their responsibilities for protecting it. For the purposes of Requirement 12, “personnel” refers to full-time and part-time employees, temporary employees, contractors and consultants who are “resident” on the entity’s site or otherwise have access to the cardholder data environment.

12.5.2 Monitor and analyze security alerts and information, and distribute to appropriate personnel.

12.9.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts.

12.9.5 Include alerts from intrusion-detection, intrusion-prevention, and file-integrity monitoring systems.


NIST SP800-53A Recommended Security Controls for Federal Information Systems

AU-2 AUDITABLE EVENTS
(1) The information system provides the capability to compile audit records from multiple components throughout the system into a systemwide (logical or physical), time-correlated audit trail.

AU-4 AUDIT STORAGE CAPACITY
Control: The organization allocates sufficient audit record storage capacity and configures auditing to prevent such capacity being exceeded.

AU-6 AUDIT MONITORING, ANALYSIS, AND REPORTING
Control: The organization regularly reviews/analyzes audit records for indications of inappropriate or unusual activity, investigates suspicious activity or suspected violations, reports findings to appropriate officials, and takes necessary actions.


CA-7 CONTINUOUS MONITORING
Control: The organization monitors the security controls in the information system on an ongoing basis.

IR-4 INCIDENT HANDLING
Control: The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.

IR-5 INCIDENT MONITORING
Control: The organization tracks and documents information system security incidents on an ongoing basis.

RA-5 VULNERABILITY SCANNING
Control: Using appropriate vulnerability scanning tools and techniques, the organization scans for vulnerabilities in the information system [Assignment: organization-defined frequency] or when significant new vulnerabilities affecting the system are identified and reported.


What you had to buy:

Firewall
IDS - (I Detect Stuff)
IPS - (I Prevent Stuff)
AV
Logging solution of some type - Centralized logging
HIPS
HIDS


Attacker

WHA!? The Auditor said we were “Compliant”


Following this:


In no way makes you this:


What this isn’t –
• You’re not going to replace your AV solutions
• You’re not going to replace <insert everything>
• Also we are not curing diabetes, cancer, or insomnia


What This Will Do

This will help your internal incident response
This will possibly help you find root cause faster
This might actually help you detect something


Defense in Depth or Layered Security


What this will require

Proactive monitoring
Reviewing a lot of logs
Reviewing a lot of logs

Why?


Because AV sucks.

No really, because AV sucks.

AV is signature based, you are always playing “catch up”

Tool sets are rarely going to be picked up by AV. Malicious DLLs, memory resident, etc etc…

AV is not designed or capable of detecting nearly anything related to a compromise!

After initial compromise the attacker will use available system tools against you.


Anatomy of an Attack

Recon
Scanning
Exploit Systems
Keeping Access
Covering Tracks


Recon – Hard to Detect

Not Detectable: Web Searches (Google, Bing, etc), Whois – Registrar info etc

Detectable: DNS Zone transfers – AXFR or IXFR; DNS Reverse Lookup – Brute force; Servers named <company>DC#, <company>MAIL#, etc or Mythological Deities, Heroes, Lord of the Rings, etc

Firewall, IDS/IPS, and Server Logs help here


Basic Network monitoring – DO IT.

Review the Logs, Detections etc

Forget about the “color” Red, OJ, Yellow etc. Look at the finding, evaluate it, act appropriately.


Manager Receipt Time | Name | Transport Protocol | Priority | Severity | Device Action | Source Address | Source Port | Destination Address | Destination Port
Mar 27 2013 12:00:32 | SERVER-IIS view source via translate header | TCP | 5 | 3 | Gray -- Unknown | 74.82.248.186 | 4609 | 137.161.202.92 | 80
Mar 27 2013 12:03:37 | Mandiant WebC2-GDOCUPLOAD User-Agent 3 | TCP | 9 | 10 | Gray -- Unknown | 10.78.66.100 | 42853 | 68.142.251.159 | 80
Mar 27 2013 12:04:17 | DNS SPOOF query response with TTL of 1 min. and no authority | UDP | 5 | 3 | Gray -- Unknown | 199.66.238.112 | 53 | 10.161.231.150 | 11758
Mar 27 2013 12:23:30 | SERVER-IIS view source via translate header | TCP | 5 | 0 | 6 | 52.129.8.51 | 41314 | 10.82.250.31 | 80
Mar 27 2013 12:24:30 | Mandiant WebC2-GDOCUPLOAD User-Agent 3 | TCP | 8 | 5 | Gray -- Unknown | 10.80.29.105 | 45382 | 165.254.99.35 | 80
Mar 27 2013 12:13:38 | DNS SPOOF query response with TTL of 1 min. and no authority | UDP | 5 | 3 | Gray -- Unknown | 199.66.238.112 | 53 | 192.161.231.150 | 62800
Mar 27 2013 12:27:35 | Mandiant WebC2-GDOCUPLOAD User-Agent 3 | TCP | 7 | 0 | Gray -- Unknown | 10.80.174.11 | 32137 | 165.254.99.24 | 80
Mar 27 2013 12:15:09 | SCAN UPnP service discover attempt | UDP | 3 | 0 | Gray -- Unknown | 176.10.35.241 | 30987 | 10.78.84.67 | 1900
Mar 27 2013 12:16:14 | SCAN UPnP service discover attempt | UDP | 3 | 0 | Gray -- Unknown | 176.10.35.241 | 45317 | 192.152.169.252 | 1900
Mar 27 2013 12:16:19 | SCAN UPnP service discover attempt | UDP | 3 | 0 | Gray -- Unknown | 176.10.35.241 | 2032 | 10.83.194.160 | 1900
Mar 27 2013 12:20:04 | DNS SPOOF query response with TTL of 1 min. and no authority | UDP | 5 | 3 | Gray -- Unknown | 199.66.238.112 | 53 | 192.161.231.150 | 35177
Mar 27 2013 12:20:39 | SCAN UPnP service discover attempt | UDP | 3 | 0 | Gray -- Unknown | 94.142.155.123 | 23396 | 10.83.192.239 | 1900
Mar 27 2013 12:23:35 | DNS SPOOF query response with TTL of 1 min. and no authority | UDP | 5 | 3 | Gray -- Unknown | 199.66.238.112 | 53 | 192.161.231.150 | 20869

OK…

Reviewing pages of this is “No Bueno”

It needs to be usable and convey something
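One way to make that table convey something is to parse it and collapse it per signature. The Python below is an added example, not part of the slides and not an HBSS or ePolicy Orchestrator feature: it takes the thirteen rows above in the run-together form the extraction left them in, splits them at each timestamp, keeps aside any row that does not fit the column layout instead of silently dropping it, and orders signatures by worst severity, count, and how many of the sources were internal addresses. That last column is the difference between being scanned from outside and an inside host talking out, which is what the WebC2 rows show. The column layout is inferred from the table header, and treating RFC 1918 space as "internal" is an assumption about this network.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed input: the thirteen alert rows from the slide, in the run-together
# form the extraction left them in (each row ends with a port and the next row's
# timestamp follows with no separator).
RAW_ALERTS = (
    "Mar 27 2013 12:00:32 SERVER-IIS view source via translate header TCP 5 3 Gray -- Unknown 74.82.248.186 4609 137.161.202.92 80"
    "Mar 27 2013 12:03:37 Mandiant WebC2-GDOCUPLOAD User-Agent 3 TCP 9 10 Gray -- Unknown 10.78.66.100 42853 68.142.251.159 80"
    "Mar 27 2013 12:04:17 DNS SPOOF query response with TTL of 1 min. and no authority UDP 5 3 Gray -- Unknown 199.66.238.112 53 10.161.231.150 11758"
    "Mar 27 2013 12:23:30 SERVER-IIS view source via translate header TCP 5 0 6 52.129.8.51 41314 10.82.250.31 80"
    "Mar 27 2013 12:24:30 Mandiant WebC2-GDOCUPLOAD User-Agent 3 TCP 8 5 Gray -- Unknown 10.80.29.105 45382 165.254.99.35 80"
    "Mar 27 2013 12:13:38 DNS SPOOF query response with TTL of 1 min. and no authority UDP 5 3 Gray -- Unknown 199.66.238.112 53 192.161.231.150 62800"
    "Mar 27 2013 12:27:35 Mandiant WebC2-GDOCUPLOAD User-Agent 3 TCP 7 0 Gray -- Unknown 10.80.174.11 32137 165.254.99.24 80"
    "Mar 27 2013 12:15:09 SCAN UPnP service discover attempt UDP 3 0 Gray -- Unknown 176.10.35.241 30987 10.78.84.67 1900"
    "Mar 27 2013 12:16:14 SCAN UPnP service discover attempt UDP 3 0 Gray -- Unknown 176.10.35.241 45317 192.152.169.252 1900"
    "Mar 27 2013 12:16:19 SCAN UPnP service discover attempt UDP 3 0 Gray -- Unknown 176.10.35.241 2032 10.83.194.160 1900"
    "Mar 27 2013 12:20:04 DNS SPOOF query response with TTL of 1 min. and no authority UDP 5 3 Gray -- Unknown 199.66.238.112 53 192.161.231.150 35177"
    "Mar 27 2013 12:20:39 SCAN UPnP service discover attempt UDP 3 0 Gray -- Unknown 94.142.155.123 23396 10.83.192.239 1900"
    "Mar 27 2013 12:23:35 DNS SPOOF query response with TTL of 1 min. and no authority UDP 5 3 Gray -- Unknown 199.66.238.112 53 192.161.231.150 20869"
)

# Column layout inferred from the table header on the slide.
TIMESTAMP = r"[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ROW_RE = re.compile(
    rf"(?P<time>{TIMESTAMP}) (?P<name>.+?) (?P<proto>TCP|UDP) (?P<priority>\d+) (?P<severity>\d+) "
    rf"(?P<action>.+?) (?P<src>{IP}) (?P<sport>\d+) (?P<dst>{IP}) (?P<dport>\d+)"
)


def parse_alerts(raw):
    """Split the run-together text at each timestamp and parse every row.
    Returns (rows, rejected): rows that fail the pattern are kept aside rather
    than silently dropped, so a format change in the feed gets noticed."""
    rows, rejected = [], []
    for chunk in re.split(rf"(?={TIMESTAMP})", raw):
        chunk = chunk.strip()
        if not chunk:
            continue
        m = ROW_RE.fullmatch(chunk)
        if m is None:
            rejected.append(chunk)
            continue
        row = m.groupdict()
        for key in ("priority", "severity", "sport", "dport"):
            row[key] = int(row[key])
        rows.append(row)
    return rows, rejected


def summarize(rows):
    """One entry per signature: how often it fired, the worst severity seen, the
    distinct sources, and which of those sources are internal (RFC 1918) addresses."""
    summary = defaultdict(lambda: {"count": 0, "max_severity": 0,
                                   "sources": set(), "internal_sources": set()})
    for row in rows:
        entry = summary[row["name"]]
        entry["count"] += 1
        entry["max_severity"] = max(entry["max_severity"], row["severity"])
        entry["sources"].add(row["src"])
        if ipaddress.ip_address(row["src"]).is_private:
            entry["internal_sources"].add(row["src"])
    return dict(summary)


def triage_order(summary):
    """Signature names in review order: worst severity first, then volume."""
    return sorted(summary, key=lambda n: (-summary[n]["max_severity"], -summary[n]["count"]))


if __name__ == "__main__":
    rows, rejected = parse_alerts(RAW_ALERTS)
    summary = summarize(rows)
    print("sev cnt src (internal)  signature")
    for name in triage_order(summary):
        e = summary[name]
        print(f"{e['max_severity']:>3} {e['count']:>3} {len(e['sources']):>3} "
              f"({len(e['internal_sources'])})  {name}")
    if rejected:
        print("unparsed rows:", rejected)
```

Run as written, the three WebC2 rows come out on top: severity 10, three distinct sources, all three internal, which is the one line an analyst needs to act on. The four UPnP rows sort to the bottom with severity 0 and all-external sources, exactly the "colour" the previous slide says to stop staring at.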


Now that makes it a heck of a lot easier to read


Scanning

Port Scans
Service Scans
Scanning Web Servers, VPN Gateways, FTP, DNS, Citrix, Database (Yes we do find databases in DMZ sometimes)

Detected with - Firewall, IDS/IPS, Logging


Exploit Systems

Web browsers, Operating System vulnerabilities

and JAVA

and Everything made by Adobe EVER!!!!!!


Let’s talk users

Shouldn’t have admin rights

They just want to see the kittehs

They will keep you up at night

Without them you’d be unemployed


Are you familiar with Indicators of Compromise?

ZeroAccess/Siref.P
This is looking for indicators found from a recent ZeroAccess/Siref variant. Files are located in the user's profile\local settings\application data\{}\@ or \n and also seen in c:\windows\installer. Registry Key Path: Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32

WinLogon Shell Persistence
<IndicatorItem id="f0a5abaa-41f4-488e-9acf-8c7654a71122" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Value" type="mir" /> <Content type="string">%Temp%</Content> </IndicatorItem>

Trojan-Tinba-Zusy
<IndicatorItem id="fcfc3866-836f-4a0c-8939-fc23dc22d0a4" condition="contains"> <Context document="FileItem" search="FileItem/FullPath" type="mir" /> <Content type="string">All Users\Application Data\default</Content> </IndicatorItem>
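The two IndicatorItem fragments above are OpenIOC terms: a Context saying which host "document" (RegistryItem, FileItem) and which field to look at, a condition, and the Content to compare against. The following is an added example, not from the slides and not any vendor's IOC scanner: it parses those two items with the standard library and evaluates them against a handful of constructed registry and file records. It implements only the "is" and "contains" conditions, refuses anything else rather than treating it as a non-match, and compares strings case-insensitively; the wrapper element and the host records are constructed, and the case-insensitive comparison is this example's assumption.

```python
import xml.etree.ElementTree as ET

# Constructed: the two IndicatorItem fragments shown on the slide, wrapped in an
# OpenIOC-style <Indicator> element so they parse as one document. The ids and
# Content strings are exactly those on the slide; only the wrapper is added here.
IOC_XML = r"""<Indicator operator="OR">
<IndicatorItem id="f0a5abaa-41f4-488e-9acf-8c7654a71122" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Value" type="mir" /> <Content type="string">%Temp%</Content> </IndicatorItem>
<IndicatorItem id="fcfc3866-836f-4a0c-8939-fc23dc22d0a4" condition="contains"> <Context document="FileItem" search="FileItem/FullPath" type="mir" /> <Content type="string">All Users\Application Data\default</Content> </IndicatorItem>
</Indicator>"""

# Constructed host artifacts, shaped like the OpenIOC documents the Context
# elements refer to. Only the first and third are meant to match.
HOST_ARTIFACTS = [
    {"document": "RegistryItem",
     "RegistryItem/Path": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "RegistryItem/Value": r"explorer.exe,%Temp%\updater.exe"},   # Shell value pointing into %Temp%
    {"document": "RegistryItem",
     "RegistryItem/Path": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "RegistryItem/Value": "explorer.exe"},                          # the default, benign value
    {"document": "FileItem",
     "FileItem/FullPath": r"C:\Documents and Settings\All Users\Application Data\default\svc.exe"},
    {"document": "FileItem",
     "FileItem/FullPath": r"C:\Program Files\Common Files\default\readme.txt"},  # "default" alone is not enough
]


def load_indicator_items(xml_text):
    """Pull id, condition, context document/search and content out of every IndicatorItem."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("IndicatorItem"):
        ctx = item.find("Context")
        items.append({
            "id": item.get("id"),
            "condition": item.get("condition"),
            "document": ctx.get("document"),
            "search": ctx.get("search"),
            "content": item.find("Content").text,
        })
    return items


def item_matches(item, artifact):
    """Evaluate one IndicatorItem against one artifact.

    Strings are compared case-insensitively (an assumption of this example;
    Windows paths and registry data are case-insensitive, so this avoids
    trivial misses). Only "is" and "contains" are implemented; any other
    condition raises so an unsupported IOC is never silently reported as clean."""
    if artifact.get("document") != item["document"]:
        return False
    observed = artifact.get(item["search"])
    if observed is None:
        return False
    observed, wanted = observed.lower(), item["content"].lower()
    if item["condition"] == "is":
        return observed == wanted
    if item["condition"] == "contains":
        return wanted in observed
    raise ValueError(f"unsupported condition {item['condition']!r} in {item['id']}")


def evaluate(xml_text, artifacts):
    """Return (indicator id, artifact index) pairs for every hit."""
    hits = []
    for item in load_indicator_items(xml_text):
        for idx, artifact in enumerate(artifacts):
            if item_matches(item, artifact):
                hits.append((item["id"], idx))
    return hits


if __name__ == "__main__":
    for ioc_id, idx in evaluate(IOC_XML, HOST_ARTIFACTS):
        print(f"IOC {ioc_id} matched artifact #{idx}: {HOST_ARTIFACTS[idx]}")
```

The point of the "contains" term is visible in the fourth artifact: a directory merely called "default" does not fire, only the full "All Users\Application Data\default" fragment does, which is why the IOC author chose that longer string.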


They’re not admins
So we shouldn’t see them executing stuff from:

Internet\local\temp
AppData\local\Temp
Temporary Internet Files\

Set up some HIPS rules and let them run
Whenever the HIPS triggers, it creates an event
Pipe it to centralized logging/monitoring
Review often
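A rule of that shape is easy to state in code. The example below is added here and is not HBSS or HIPS configuration: it models process-start events the way a HIPS would report them, flags any non-admin account executing an image from one of the user-writable directories, and counts alerts per user so the review is a short list rather than a log. The events, hosts, users and the admin allowlist are constructed; the directory list takes the slide's three entries (reading its "Internet\local\temp" as the Local Settings\Temp of the XP-era profile layout is an assumption) and extends them with the Java deployment cache and Windows\Temp, an assumption drawn from where the AV report on the later slides finds its detections.

```python
from collections import Counter, namedtuple

ExecEvent = namedtuple("ExecEvent", "time host user image")

# Constructed process-start events in a HIPS-like shape. Hosts and users are
# made up; the paths are modelled on the directories the slide lists and on the
# locations where the AV report on the later slides shows detections landing.
EVENTS = [
    ExecEvent("3/5/2013 09:12", "WS-0101", "g6edxjfs", r"C:\Users\g6edxjfs\AppData\Local\Temp\ber.exe"),
    ExecEvent("3/5/2013 09:13", "WS-0101", "g6edxjfs", r"C:\Users\g6edxjfs\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6DRU6D7E\jcap[1].exe"),
    ExecEvent("3/5/2013 09:20", "WS-0202", "l2cocbhs", r"C:\Documents and Settings\l2cocbhs\Local Settings\Temp\setup.exe"),
    ExecEvent("3/5/2013 09:21", "WS-0202", "l2cocbhs", r"C:\Program Files\Internet Explorer\iexplore.exe"),
    ExecEvent("3/5/2013 09:30", "WS-0303", "ctxctx", r"C:\Users\ctxctx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\662c0a3d-68bf0762\BadRun.exe"),
    ExecEvent("3/5/2013 09:31", "WS-0303", "svc_deploy", r"C:\Windows\Temp\patchinstaller.exe"),
    ExecEvent("3/5/2013 09:40", "WS-0303", "ctxctx", r"C:\Windows\System32\notepad.exe"),
]

# Directories a non-admin user has no business executing from, written lower-case
# with forward slashes because paths are normalised that way below. The first
# three are the slide's list; the Java deployment cache and Windows\Temp are
# added here as an assumption based on the AV report paths on the later slides.
USER_WRITABLE_EXEC_DIRS = [
    "/local settings/temp/",
    "/appdata/local/temp/",
    "/temporary internet files/",
    "/java/deployment/cache/",
    "/windows/temp/",
]

# Constructed allowlist: accounts that legitimately run installers from temp.
ADMIN_ACCOUNTS = {"svc_deploy"}

EXEC_EXTENSIONS = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd")


def normalize(path):
    """Lower-case and use forward slashes so substring checks are not fooled by
    mixed case or slash direction."""
    return path.lower().replace("\\", "/")


def violates_rule(event):
    """True when a non-admin account executes an image that lives under one of
    the user-writable directories."""
    if event.user in ADMIN_ACCOUNTS:
        return False
    path = normalize(event.image)
    if not path.endswith(EXEC_EXTENSIONS):
        return False
    return any(d in path for d in USER_WRITABLE_EXEC_DIRS)


def hips_alerts(events):
    """One flat alert record per violating event, ready to ship to central logging."""
    return [
        {"time": e.time, "host": e.host, "user": e.user, "image": e.image,
         "rule": "Execution from user-writable directory by non-admin"}
        for e in events if violates_rule(e)
    ]


def per_user_counts(alerts):
    """Who keeps tripping the rule: the short list the 'Review often' step works from."""
    return dict(Counter(a["user"] for a in alerts))


if __name__ == "__main__":
    alerts = hips_alerts(EVENTS)
    for a in alerts:
        print(f"{a['time']} {a['host']} {a['user']}: {a['image']}")
    print(per_user_counts(alerts))
```

Four of the seven constructed events fire; iexplore.exe and notepad.exe from their install directories do not, and the deployment account running from Windows\Temp is exempt. Note that the rule looks only at where the image lives, not what it is, which is the point: it needs no signature for ber.exe to notice it.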


Does this work?


Typical AV alert report:
JS/Exploit-Blacole.gq trojan deleted c:\Documents and Settings\b1odpsaj\Local Settings\Temporary Internet Files\Content.IE5\3LYHPBW3\adds_youngs-tickets[1].htm
FakeAlert-Rena!mem trojan deleted C:\Users\g6edxjfs\AppData\Local\ber.exe
JS/Blacole-Redirect.y trojan deleted c:\Users\g2odBJPB\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6DRU6D7E\jcap[1].js
JS/Blacole-Redirect.y trojan deleted c:\Users\g2odBJPB\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6EQZXI8W\md5[1].js
JS/Blacole-Redirect.y trojan deleted c:\Users\g2odBJPB\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6EQZXI8W\mm_menu[1].js
JS/Blacole-Redirect.y trojan deleted c:\Users\g2odBJPB\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6EQZXI8W\textsizer[1].js
Generic.dx!bhml trojan deleted c:\Documents and Settings\L4ECCEER\Application Data\Sun\Java\Deployment\cache\6.0\18\5b0dbf92-27b00084\ConvertVal.class
Generic.dx!bhnq trojan deleted c:\Documents and Settings\U4GGYNT3.ERD\Application Data\Sun\Java\Deployment\cache\6.0\62\51833e7e-6f4af747\Qe9hq0c.class
Generic.dx!bhmj trojan deleted c:\Documents and Settings\l2cocbhs\Application Data\Sun\Java\Deployment\cache\6.0\17\2e230d1-2627f1e2\glof.class


What if you could detect malware without a signature anywhere from 1 to 15 days before AV?


3/5/2013 12:20 NB-NB-02606043 3776 Microsoft Internet Explorer Vector Markup Language Vulnerability (2) C:\Program Files\Internet Explorer\iexplore.exe Permitted bad_parameter Vulnerability Name Vulnerable ActiveX Control Loading A

Please Remove and Investigate - Exploit-FEW!Blacole, NB-NB-02606043 3/10/2013

Evidence:
9 Mar 2013 04:04:06 EST,9 Mar 2013 10:03:21 EST,trojan,Exploit-FEW!Blacole,1 NB-NB-02606043 c:\Users\ctxctx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\662c0a3d-68bf0762,Infected file deleted.

9 Mar 2013 04:04:06 EST,9 Mar 2013 10:02:20 EST,CENAD,N/A,trojan,JS/Exploit-Blacole.kf, NB-NB-02606043 c:\Users\ctxctx\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7KIUL6H4\q[1].htm,Infected file deleted.


3/5/2013 16:02 LOL-NB-01583721 3776 Microsoft Internet Explorer Vector Markup Language Vulnerability (2) C:\Program Files\Internet Explorer\iexplore.exe Permitted bad_parameter Vulnerability Name Vulnerable ActiveX Control Loading A

Please Remove and Investigate - JV/Blacole-FFV!4EBC81B2A371, LOL-NB-01583721 -3/11/2013 9 KB

11 Mar 2013 08:24:07 CDT,Infected file deleted.,JV/Blacole-FFU!9DB0385E2EC8, LOL-NB-01583721,c:\Users\CTMCTM\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\4eb3880-5296bc4f\BadRun.class,8,McAfee,ePolicy Orchestrator


3/5/2013 7:28 MNT-LM01NOL "CMD Tool Access by a Network Aware Application" C:\windows\system32\services.exe Permitted read,execute C:\windows\system32\sc.exe

Please Remove and Investigate - Possible Malware, MNT-LM01NOL 3/14/2013 33 KB

Evidence:
MNT-LM01NOL MCHTJOPJcvgnWvWrnaqeyLRo C:\windows\BhZvccld.exe Own Process Manual


3/4/2013 18:38 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\Windows\system32\cmd.exe
3/4/2013 18:38 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\system32\svchost.exe Permitted Read C:\Windows\System32\cmd.exe
3/4/2013 18:36 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\Windows\system32\cmd.exe
3/4/2013 18:35 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\Windows\system32\cmd.exe
3/4/2013 18:38 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\windows\system32\mmc.exe
3/4/2013 18:45 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\system32\svchost.exe Permitted Read C:\Windows\system32\tasklist.exe
3/4/2013 18:39 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\system32\svchost.exe Permitted Read C:\Windows\system32\tasklist.exe
3/4/2013 18:46 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\Windows\SysWOW64\mmc.exe
3/4/2013 18:45 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\Windows\SysWOW64\mmc.exe
3/4/2013 18:37 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\Windows\SysWOW64\mmc.exe

Please Remove and Investigate - Possible Malware, TS05CPC 3/15/2013

Evidence:
TS05CPC Mujkqgnqoz C:\Windows\dcdlGcwB.exe Own Process Manual
TS05CPC MSmnVhUJZvFOTMWlOqJ C:\Windows\HgcYJFmB.exe Own Process Manual
TS05CPC MYdVQuZoWaSQlQ C:\Windows\KrmWoUKS.exe Own Process Manual


Did I mention that AV cannot be counted on


Keeping Access/Lateral Movement

System Tools used – Netstat, Net View, Create and start services – SC

HIPS/HIDS and Event Logs are key

Visualize them, look at access times, parse them and write them to a spreadsheet
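Parsing the HIPS "CMD Tool Access" events and the service evidence from the earlier slides into a per-host summary and a spreadsheet-ready CSV, as this slide suggests. This is an added example, not the deck's own tooling and nothing from ePolicy Orchestrator: the events are the ones shown on the TS05CPC and MNT-LM01NOL slides retyped with plain quotes, the service lines are the evidence from the same slides plus a constructed benign Spooler entry, and the two heuristics (weighting hits from svchost.exe and services.exe, flagging service binaries that sit directly in the Windows directory) are this example's own, not rules the deck states.

```python
import csv
import io
import re
from collections import Counter

# Constructed input: the HIPS events from the slides, retyped with plain quotes
# around the rule name (the slide text carries a stray curly quote), with the
# services.exe -> sc.exe event from the MNT-LM01NOL slide as the first line.
HIPS_EVENTS = r"""3/5/2013 7:28 MNT-LM01NOL "CMD Tool Access by a Network Aware Application" C:\windows\system32\services.exe Permitted read,execute C:\windows\system32\sc.exe
3/4/2013 18:38 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\Windows\system32\cmd.exe
3/4/2013 18:38 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\system32\svchost.exe Permitted Read C:\Windows\System32\cmd.exe
3/4/2013 18:36 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\Windows\system32\cmd.exe
3/4/2013 18:35 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\Windows\system32\cmd.exe
3/4/2013 18:38 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\windows\system32\mmc.exe
3/4/2013 18:45 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\system32\svchost.exe Permitted Read C:\Windows\system32\tasklist.exe
3/4/2013 18:39 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\system32\svchost.exe Permitted Read C:\Windows\system32\tasklist.exe
3/4/2013 18:46 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\Windows\SysWOW64\mmc.exe
3/4/2013 18:45 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\Windows\SysWOW64\mmc.exe
3/4/2013 18:37 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\Windows\SysWOW64\mmc.exe"""

# Constructed: the service-listing evidence from the same slides, plus one
# ordinary service (Spooler) added as a benign control.
SERVICE_EVIDENCE = r"""MNT-LM01NOL MCHTJOPJcvgnWvWrnaqeyLRo C:\windows\BhZvccld.exe Own Process Manual
TS05CPC Mujkqgnqoz C:\Windows\dcdlGcwB.exe Own Process Manual
TS05CPC MSmnVhUJZvFOTMWlOqJ C:\Windows\HgcYJFmB.exe Own Process Manual
TS05CPC MYdVQuZoWaSQlQ C:\Windows\KrmWoUKS.exe Own Process Manual
TS05CPC Spooler C:\Windows\System32\spoolsv.exe Own Process Auto"""

EVENT_RE = re.compile(r'(?P<time>\d+/\d+/\d{4} \d+:\d+) (?P<host>\S+) "(?P<rule>[^"]+)" '
                      r'(?P<process>\S+) (?P<reaction>\S+) (?P<access>\S+) (?P<target>\S+)')
SERVICE_RE = re.compile(r"(?P<host>\S+) (?P<name>\S+) (?P<path>\S+) (?P<type>Own Process|Share Process) (?P<start>\S+)")

# Processes that run as SYSTEM and, on a workstation, have no reason to reach for
# admin tools. Counting their hits separately is this example's own triage
# heuristic, not a rule from the slides.
SERVICE_PROCESSES = {"svchost.exe", "services.exe"}


def basename(path):
    return path.replace("\\", "/").lower().rsplit("/", 1)[-1]


def parse_events(text):
    """Parse HIPS event lines; an unrecognised line is an error, not a silent skip."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.fullmatch(line.strip())
        if m is None:
            raise ValueError(f"unrecognised HIPS event: {line!r}")
        events.append(m.groupdict())
    return events


def summarize_hosts(events):
    """Per host: total events, which tools were touched how often, and how many
    hits came from a service process rather than from Explorer."""
    hosts = {}
    for e in events:
        h = hosts.setdefault(e["host"], {"events": 0, "tools": Counter(), "service_process_hits": 0})
        h["events"] += 1
        h["tools"][basename(e["target"])] += 1
        if basename(e["process"]) in SERVICE_PROCESSES:
            h["service_process_hits"] += 1
    return hosts


def parse_services(text):
    return [SERVICE_RE.fullmatch(line.strip()).groupdict() for line in text.strip().splitlines()]


def suspicious_services(services):
    """Services whose binary sits directly in the Windows directory rather than in
    a subfolder: the pattern every evidence line on the slides shares (heuristic)."""
    return [s for s in services
            if re.fullmatch(r"c:/windows/[^/]+\.exe", s["path"].replace("\\", "/").lower())]


def to_csv(events):
    """Flatten the events for the spreadsheet this slide asks for."""
    fields = ["time", "host", "rule", "process", "reaction", "access", "target"]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields)
    writer.writeheader()
    writer.writerows(events)
    return out.getvalue()


if __name__ == "__main__":
    events = parse_events(HIPS_EVENTS)
    for host, h in summarize_hosts(events).items():
        print(host, h["events"], "events,", h["service_process_hits"], "from service processes:", dict(h["tools"]))
    for s in suspicious_services(parse_services(SERVICE_EVIDENCE)):
        print("check service", s["host"], s["name"], s["path"])
    print(to_csv(events))
```

The summary reads the way the "Please Remove and Investigate" slides do: TS05CPC shows svchost.exe reading cmd.exe and tasklist.exe twice, and every flagged service on both hosts is a random-looking name with a binary dropped straight into C:\Windows, while the constructed Spooler line in System32 stays quiet.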


Covering Tracks

Deleting Logs
Hiding Files

Tunnels

HIDS/HIPS, IPS/IDS, Centralized Logging, Egress Filtering
