Leveraging Threat Intelligence with Active Defense White ... - HBGary
Leveraging Threat Intelligence with Active Defense White ... - HBGary
Leveraging Threat Intelligence with Active Defense White ... - HBGary
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
LEVERAGING THREAT<br />
INTELLIGENCE<br />
IN THE ENTERPRISE<br />
USING HBGARY’S ACTIVE DEFENSE<br />
Cyber-espionage and digital crime became a dominant issue during the first decade of this century. As we step<br />
into the next ten years we are going to discover that most of what we have known about computer security is<br />
wrong. The perimeter-based view of the network is too narrow. Checksums and signatures are non-scalable. DNS<br />
blackholes do not address advanced multi-protocol command and control. Software security efforts have not<br />
delivered safe code. Networks are more at risk today than they were at the turn of the century. This is an emerging<br />
threat landscape that is changing everything we know about risk. The bad guys are in. This paper illustrates how<br />
<strong>HBGary</strong> is solving the problem.
2 THREAT INTELLIGENCE WITH HBGARY’S ACTIVE DEFENSE<br />
SUMMARY OF ADVANCED CYBER THREATS<br />
Traditional security solutions, many of which were designed over 10-20 years ago, are struggling to keep up <strong>with</strong> the<br />
amount of malware being released daily. Signatures, blacklists, and other security solutions that require prior knowledge<br />
of a threat are losing against adaptive attackers. The efficacy of traditional solutions dwindles as the sheer volume of<br />
malware increases. There needs to be a change in thinking about security. Focus needs to be on understanding how<br />
malware succeeds and why. Today, malware is a tool for persistent adversaries. These adversaries could be financially<br />
or politically motivated. The attackers are using whatever tools they have to their advantage. This includes the ability<br />
to create malware <strong>with</strong> toolkits that have the ability to evade detection at the perimeter. The war is being fought on<br />
the desktop <strong>with</strong> exploitation methods such as PDF’s, Flash, spearfishing email, and other targeted approaches. While<br />
existing tools may be cumbersome to manage, newer technological advances have made it possible to get a better<br />
handle on the malware coming into an organization. This paper describes that approach and how it can be used to<br />
leverage an Enterprises’s existing security investment.<br />
ACTIVE DEFENSE<br />
<strong>Active</strong> <strong>Defense</strong> is designed to combat advanced malicious<br />
intrusions and cyber threats in the Enterprise. <strong>Active</strong> <strong>Defense</strong><br />
gives an unprecedented view of the host-level threat and<br />
can succeed where traditional antivirus has failed. <strong>Active</strong><br />
<strong>Defense</strong> can detect unknown threats <strong>with</strong>out prior knowledge<br />
or signatures by leveraging <strong>HBGary</strong>’s patent-pending Digital<br />
DNA system. Once a potential threat is detected, <strong>Active</strong><br />
<strong>Defense</strong> can follow-up <strong>with</strong> enterprise-wide, scalable hostlevel<br />
scans for indicators of compromise. <strong>Active</strong> <strong>Defense</strong><br />
is designed for rapid threat detection and near-realtime<br />
response. Critical intelligence about an intrusion can be<br />
gained in just minutes, including discovery of additional<br />
infections and information about communication protocols<br />
that can be used to create IDS signatures and block<br />
communication at network egress points.<br />
DETECTING INTRUSIONS WITH DIGITAL DNA<br />
Digital DNA is exceptional at detecting hidden backdoors<br />
<strong>with</strong>in the Enterprise. Digital DNA detects malicious backdoor<br />
programs by evaluating program behaviors. Behaviors can<br />
include how a program survives reboot, how it communicates<br />
on the network, or detected capabilities such as file downloads<br />
or remote command shells. No single behavior makes a<br />
program suspicious. Digital DNA sums all the program<br />
behaviors together to determine if the program is suspicious.<br />
The sum of these behaviors is what creates the Digital DNA <br />
sequence for the binary and also the resulting weight. If the<br />
weight is over a certain value (30.0) the program is considered<br />
suspicious.<br />
Figure 1, <strong>Active</strong> <strong>Defense</strong> monitors physical memory, raw disk, and live<br />
operating system across the Enterprise. This is an unprecedented view<br />
of host-level threats.<br />
Figure 2, Digital DNA detects unknown and emerging threats <strong>with</strong> no<br />
prior knowledge or signatures. Software behaviors are revealed and no<br />
reverse-engineering is required.
3<br />
THE NATURE OF ADVANCED THREAT<br />
Intruders will often leave backdoors installed so they<br />
can have persistent ongoing access to the network. These<br />
backdoor programs have the ability to connect outbound to<br />
an external server on the Internet (called a ‘command and<br />
control server’). This external sever is used by the intruders<br />
to deliver command messages to the backdoor program.<br />
This means the attacker has remote access to the internal<br />
network.<br />
External control servers are often unsuspecting victims,<br />
such as a hacked webserver. Many times, the connections are<br />
HTTPS and it can be difficult to block this traffic <strong>with</strong> firewall<br />
policy or inspect it <strong>with</strong> IDS equipment. Many backdoor<br />
programs are configured <strong>with</strong> multiple different control<br />
server addresses. The attackers keep these DNS addresses<br />
pointed to 127.0.0.1 until they are ready to attack. They use<br />
multiple DNS addresses so they can rapidly switch over and<br />
defeat filtering if they are detected at the network perimeter.<br />
This means DNS black-holes are not enough to address the<br />
threat.<br />
Web traffic is not the only means for command and control.<br />
Attackers will often install multiple backdoors <strong>with</strong> multiple<br />
different control protocols (for example, using instant<br />
messaging instead of HTTPS). These secondary backdoors<br />
are used as backup in case the primary backdoor program is<br />
blocked or detected. If the primary backdoor is detected,<br />
the attacker uses the secondary system to re-infect the<br />
network <strong>with</strong> a new version of the primary tool. Removing<br />
infections on a host-by-host basis <strong>with</strong>out an enterprise<br />
view of the problem is doomed to failure.<br />
Many backdoor programs can be upgraded in the field and<br />
allow the attacker to upload and download files. Attackers<br />
can request, via the command server, that the backdoor<br />
program download and execute any program. Furthermore,<br />
most of these backdoors can connect out and offer a live<br />
system shell to an attacker. This offers almost limitless<br />
capabilities to the attacker.<br />
Advanced attackers will typically leave multiple backdoor<br />
programs <strong>with</strong>in a single enterprise environment. Some<br />
backdoors will be designed to hide for an extended period<br />
of time <strong>with</strong>out detection. They may sleep for weeks before<br />
attempting to connect out to a command server. They may<br />
have innocuous sounding names so they appear to be part<br />
of the normal operating environment (such as a registered<br />
service). Regardless of the name, the code-level behaviors<br />
of the backdoor program will remain suspicious in physical<br />
memory. Very often, the variant remote access tools are all<br />
compiled from a common source base that can be detected<br />
in physical memory. This is why it’s absolutely critical to<br />
have a host-level view of the enterprise.<br />
Figure 3, <strong>Active</strong> <strong>Defense</strong> supports triage of systems in large groups.<br />
CONTINUOUS CYCLE OF PROTECTION<br />
The optimum use of <strong>Active</strong> <strong>Defense</strong> is continuous scanning<br />
of the network for early detection of intrusion. Detection<br />
can be made in two ways. First, the Digital DNA system is<br />
integrated into <strong>Active</strong> <strong>Defense</strong>. The Digital DNA system<br />
is maintained by <strong>HBGary</strong> as a subscription and is updated<br />
frequently. Digital DNA will detect suspicious programs<br />
that will need a closer analysis. Second, the user can<br />
add their own search patterns to <strong>Active</strong> <strong>Defense</strong> custom<br />
to their environment. This allows the user to extend the<br />
detection capability of Digital DNA <strong>with</strong> known indicators of<br />
compromise.<br />
To support ‘continuous cycle’ protection, <strong>HBGary</strong><br />
recommends a triage process in conjunction <strong>with</strong> <strong>Active</strong><br />
<strong>Defense</strong>. Within <strong>Active</strong> <strong>Defense</strong>, machines can be organized<br />
into groups and subgroups (Figure 3, A.). For example,<br />
physical locations and offices can be separated into groups.<br />
Figure 4, Continuous cycle of protection - the goal is to get all machines<br />
into the ‘CLEAN’ group and continuously verify they stay clean.
4 THREAT INTELLIGENCE WITH HBGARY’S ACTIVE DEFENSE<br />
For each primary location, <strong>HBGary</strong> recommends that the<br />
following subgroups be created:<br />
- Clean<br />
- Look at closer (LAC)<br />
- Infected<br />
The clean group is for all machines that don’t appear to<br />
have host-level threats. This can be determined using Digital<br />
DNA and verified using scans for indicators of compromise.<br />
Machines that have suspicious binaries or behaviors can<br />
be put into the ‘Look at closer (LAC)’ group. Finally, if the<br />
machine is suspected as containing malware, remote access<br />
tools, or other evidence of intrusion, they are placed into the<br />
‘Infected’ group. Ultimately, the goal is to get all machines<br />
into the ‘Clean‘ group (Figure 3, B.). On a periodic schedule,<br />
a full scan for indicators of compromise (see next section)<br />
should be applied against the set of ‘Clean’ machines, and any<br />
machines that have suspicious behaviors are pulled back into<br />
the ‘Look at closer’ or ‘Infected’ groups. This is a continuous<br />
process.<br />
INDICATORS OF COMPROMISE<br />
Cyber threats are ever-present. In almost all cases, it is<br />
not possible to fully eliminate the human attacker behind the<br />
cyber threat. Even if an attacker is cut off from a network,<br />
they are very likely to re-infect over time (i.e., eventually<br />
someone will click on the infected PDF file).<br />
Because of the constant nature<br />
of threats, enterprises need to<br />
focus on early detection and loss<br />
prevention. The good news is that<br />
because these attacks are digital,<br />
there is almost always an artifact<br />
that can be detected. Attackers<br />
Because these<br />
attacks are<br />
digital, there is<br />
almost always an<br />
artifact that can<br />
be detected.<br />
not only use exploits, they also use tools to steal credentials,<br />
move laterally about the network, and compress and exfiltrate<br />
data. All of these activities leave behind forensic toolmarks<br />
that can be detected <strong>with</strong> <strong>Active</strong> <strong>Defense</strong>. Once a threat is<br />
detected, indicators can be developed to detect the attacker’s<br />
tools, techniques, and methods.<br />
Some example indicators are:<br />
- Code-specific data <strong>with</strong>in malware and remote access<br />
tools, even those that are packed, obfuscated, or have<br />
polymorphic MD5 checksums<br />
- Compiler signatures specific to the attacker - detecting<br />
any tool that may have been compiled by the attacker<br />
- Last access times of command-line tools known to be<br />
used by the attacker, such as ‘net.exe’, ‘at.exe’, and ‘ping.<br />
exe’, detecting lateral movement<br />
- Existence of deleted files, such as tools that were<br />
downloaded to the system by the attacker, used, and then<br />
deleted<br />
- Artifacts of tool usage in memory, such as pass-the-hash<br />
attack kits and network scanners<br />
- Protocol-specific strings used by the attacker’s<br />
command-and-control channel<br />
<strong>Active</strong> <strong>Defense</strong> excels at detecting these indicators<br />
of compromise and can detect re-infection when applied<br />
continuously over time. Inevitably, new attacks will be<br />
discovered and new indicators of compromise will be added<br />
to the <strong>Active</strong> <strong>Defense</strong> scan policies. This creates a constant<br />
opposing force that works against the attacker.<br />
HOST LEVEL THREAT INTELLIGENCE<br />
<strong>Active</strong> <strong>Defense</strong> has three primary information sources for<br />
host threat intelligence:<br />
1. Physical Memory and Digital DNA <br />
2. Raw physical disk volumes<br />
3. Live operating system data<br />
Physical memory contains decrypted data buffers,<br />
fragments and artifacts of activity, and all code that is<br />
executing on system - even if that code is hiding from the<br />
operating system (see Figure 5). Even packed or obfuscated<br />
binaries are visible and present in physical memory. Physical<br />
memory is superior in every way for the detection of malicious<br />
code. Physical memory is the primary means by which Digital<br />
DNA is calculated.<br />
Figure 5, Digital DNA detects an injected memory module, even<br />
though it has been unlinked from the list of loaded DLL’s. This<br />
screenshot is from Responder PRO, <strong>HBGary</strong>’s stand-alone product<br />
for physical memory analysis. Responder PRO integrates <strong>with</strong><br />
<strong>Active</strong> <strong>Defense</strong> for detailed memory analysis of compromised<br />
systems.<br />
Raw physical disk volumes are also a powerful source<br />
of host-level information. Because the scan is against a<br />
physical volume, files can be scanned even if they are inuse,<br />
slackspace can be examined, and deleted files can be<br />
scanned. Critical files can obtained in a forensically sound<br />
manner, including the system registry, event logs, copies<br />
of files that are locked or in-use, prefetch queue, user.DAT,<br />
Figure 6, <strong>Active</strong> <strong>Defense</strong> is used to scan for last access times on<br />
the ‘net.exe’ and ‘at.exe’ command line tools during the window of<br />
compromise. This reveals machines the attacker has used.
5<br />
and last access times (Figure 6, A). This information can be<br />
used to reconstruct a timeline of host-level events. Raw<br />
volume scanning performance is very fast, in excess of 4GB<br />
per minute. The scans are distributed and parallel, no data<br />
is transferred over the network unless a hit is found. With<br />
<strong>Active</strong> <strong>Defense</strong>, wordlist and pattern scans are now scalable<br />
across the Enterprise. Results are easily exported into .XLS<br />
spreadsheet form (Figure 6, B).<br />
<strong>Active</strong> <strong>Defense</strong> can also query the live operating system.<br />
Although the live operating system is not used <strong>with</strong> Digital<br />
DNA , it still provides highly valuable information that can<br />
be used during an incident response. The advantage to a live<br />
operating system scan is the speed. Live operating system<br />
scans have been known to complete in seconds. Incident<br />
responders can scan thousands of machines in the Enterprise<br />
for processes, DLL’s, strings, events, and registry keys. These<br />
types of scans are often used to detect additional machine<br />
infections.<br />
ACTIVE DEFENSE QUERIES<br />
<strong>Active</strong> <strong>Defense</strong>s supports a<br />
simple-to-use query language that<br />
will let you scan for host-based<br />
Indicators of Compromise (IOC’s)<br />
across the enterprise. This allows<br />
systems <strong>with</strong> abnormal or specific<br />
behaviors to be isolated as a subset<br />
of the entire population of systems.<br />
Anyone who is<br />
skilled enough<br />
to use Google<br />
‘advanced query’<br />
is skilled enough<br />
to use the <strong>Active</strong><br />
<strong>Defense</strong> query<br />
builder.<br />
A query has several parts<br />
(Figure 8). Queries can be executed against archived data,<br />
or deployed live across the Enterprise. Queries allow the<br />
user to build custom search criteria for their environment,<br />
specific to the intrusions and threats that are known in that<br />
environment. Over time, the set of queries will grow as more<br />
intelligence is gained about the attacker’s and their methods.<br />
Queries can be made against any data source that <strong>Active</strong><br />
<strong>Defense</strong> supports (Figure 7). These include:<br />
- Physmem, a physical memory snapshot and analysis data<br />
- LiveOS, a query against the live running operating system<br />
- RawVolume, a query against a raw physical disk volume<br />
Figure 8, The <strong>Active</strong> <strong>Defense</strong> query builder. Queries are very easy<br />
to build. Anyone who is skilled enough to use Google ‘advanced<br />
search’ can use the <strong>Active</strong> <strong>Defense</strong> query builder.<br />
A query can be thought of as a statement like “match A in<br />
B” where A is your search term, and B is a fully qualified path<br />
to an object type. An example object type would be:<br />
RawVolume.File.FileName<br />
The above object type would target the raw physical<br />
disk volume. Then, every filename on that volume would be<br />
matched against your search term. For example, consider<br />
Figure 9 - this simple query is made against filenames,<br />
irrespective of path. The scan is forensically sound and will<br />
not alter access times on files.<br />
Figure 9, A simple query to detect the presence of ‘rar.exe’ on disk<br />
The query builder interface (Figure 8) allows you to specify<br />
multiple AND and OR relationships between search terms,<br />
and has convenient drop-down lists to help you select search<br />
criteria. A full description of all available searches can be<br />
found in the <strong>Active</strong> <strong>Defense</strong> user documentation. Throughout<br />
the rest of this whitepaper you will find example queries that<br />
are useful for incident response.<br />
Figure 8, A: the name of the query. Queries are saves and can be<br />
re-used in multiple scan policies or report templates.<br />
Figure 8, B: drop down listing available objects that can be<br />
queried (also shown in Figure 7, A).<br />
Figure 8, D: The subtype. This allows object meta-data to be<br />
queried, such as path or timestamps, or internal data such as the<br />
raw binary contents of the object, to be queried.<br />
Figure 8, E: This is where you specify your match criteria. You<br />
can specify a substring, timestamp, or a binary pattern <strong>with</strong><br />
wildcards.<br />
Figure 8, F: OR boolean logic. You can specify multiple patterns<br />
to be OR’d together.<br />
Figure 8, G: AND boolean logic. You can specify multiple<br />
patterns to be AND’d together. AND and OR can be combined.<br />
Figure 8, H: Click here to save your query.<br />
Figure 7, The various data sources that can be queried <strong>with</strong> <strong>Active</strong><br />
<strong>Defense</strong>.<br />
QUERY BUILDER
6 THREAT INTELLIGENCE WITH HBGARY’S ACTIVE DEFENSE<br />
The query builder lets you define one or more statements<br />
into a single query. First, a query is given a descriptive name<br />
(Figure 8, A.) All statements in a query must draw from the<br />
same source. For example, if the query targets physical<br />
memory, then all statements in the query are considered<br />
rooted in the Physmem.* namespace. The source for a query is<br />
set using a drop-down (Figure 8, B.).<br />
After selecting the source, you must choose the full path of<br />
the target you want to match against (Figure 8, D.). Here are<br />
some examples:<br />
Physmem.Process.CommandLine<br />
LiveOS.Module.BinaryData<br />
RawVolume.File.LastAccessedTime<br />
The next step is to choose an operator. The list of available<br />
operators may change depending on the object type that is<br />
being queried. Example operators include:<br />
“Contains”<br />
“Matches Exactly”<br />
“>=”<br />
“=”<br />
“Ends With”<br />
Finally, once you have chosen the operator, you enter the<br />
pattern or word that you want to match against (Figure 8, E.).<br />
In addition to single-word queries, <strong>Active</strong> <strong>Defense</strong> supports<br />
wordlists and pattern files.<br />
Multiple queries can be combined together into an OR<br />
relationship (Figure 8, F.). This would allow you to create a<br />
query such as:<br />
What follows is a description of a typical cyber-intrusion.<br />
The attacker is a human being who is operating malware<br />
and hacker tools from remote in order to steal information<br />
from the Enterprise. This is sometimes called an ‘Advanced<br />
Persistent <strong>Threat</strong>’ or APT attack. Because the attack is digital<br />
in nature, malware is involved and forensic artifacts are left<br />
behind. Detecting the malware and the forensic artifacts are<br />
crucial to reconstructing the attack. In the following sections<br />
we will use <strong>Active</strong> <strong>Defense</strong> to collect evidence and scan for<br />
indicators of compromise across a large Enterprise deployment<br />
covering tens of thousands of nodes.<br />
INITIAL EXPLOITATION<br />
In order to gain initial access to the network, the attacker<br />
will typically use spearfishing, booby-trapped documents, and<br />
web-browser exploits. Open source directories and domain<br />
research can be used to recover hundreds of potential emails<br />
to use for spearfishing attacks. Social networking sites that<br />
cater to professional industry segments are also an avenue for<br />
attack.<br />
INITIAL DETECTION OF COMPROMISE<br />
Initial detection of an intrusion can take many forms.<br />
RawVolume.File.FileName = “mssrv.sys”<br />
OR<br />
RawVolume.File.FileName = “acxts.sys”<br />
You can also combine AND and OR together (Figure 8, G.).<br />
This would allow you to create a query like:<br />
AND<br />
RawVolume.File.FileName = “mssrv.sys”<br />
OR<br />
RawVolume.File.FileName = “acxts.sys”<br />
RawVolume.File.Deleted = TRUE<br />
The above query would match if a deleted file <strong>with</strong> the<br />
name “mssrv.sys” or “acxts.sys” was detected. By using a<br />
combination of multiple statements, very specific queries can<br />
be crafted. Once a query has been defined, simply click SAVE<br />
(Figure 8, G.).<br />
ANATOMY OF AN ATTACK<br />
Figure 10, Boobytrapped documents often contain javascript to call<br />
out to exploitation servers. The actual exploit target is delivered<br />
from the server and exploits the browser.<br />
Digital DNA may reveal a strange program that appears to<br />
be malware. SEIM products may produce alerts, or employees<br />
may notice spearfishing emails or strange computer<br />
behavior. This may alert you to an initial attack. In the case<br />
of spearfishing, message archives can then be used to reveal<br />
who has been targeted and which subnetworks may have been<br />
attacked.<br />
Machines that suffer from initial attacks may execute<br />
boobytrapped documents, such as PDF documents, that<br />
contain embedded shellcodes. These shellcodes must be<br />
small by design, so these types of attack payloads will connect<br />
out onto the Internet to download an additional executable.<br />
Advanced server-backends exist to supply downloads and<br />
exploit payloads to victim machines (Figure 10). After<br />
execution, these malicious shellcodes will leave forensic<br />
artifacts in physical memory, including the addresses and<br />
URL’s of the external servers used for subsequent executable
7<br />
downloads (Figure 11).<br />
Downloaded executables will typically be camouflaged to<br />
look like a non-executable file. This is specifically to evade<br />
Figure 11, The physical memory of a compromised host reveals<br />
the path used on the command and control server. Stripped of<br />
the domain name, this becomes a generic IDS signature to detect<br />
additional infections regardless of server address.<br />
IDS systems. These files may be camouflaged as JPG images or<br />
other binaries to evade IDS systems.<br />
If such a file is detected as downloaded to a host, this<br />
means the shellcode executed properly and thus the host<br />
machine was successfully compromised. Machines that are<br />
detected in this manner should be immediately scanned<br />
<strong>with</strong> Digital DNA using <strong>Active</strong> <strong>Defense</strong>. If the URL’s of the<br />
download path are known, the physical memory of the victim<br />
host should be scanned for the URL path (Figure 11). This<br />
may reveal the malware executable and reveal other potential<br />
network IDS patterns.<br />
INITIAL INFECTION<br />
Only a small percentage of initial attacks may succeed, but<br />
any single success becomes an avenue for network infiltration.<br />
These initial systems are exploited and provide a beachhead<br />
for deeper attacks into the network. Some of these initial<br />
infections can be configured as sleeper agents. The systems<br />
will wait anywhere from a few days to a few weeks before<br />
making connections back to the command & control server.<br />
These initial beachhead infections may also involve multiple<br />
different malware and multiple different command and control<br />
server addresses. For example, the attacker may have several<br />
dynamic DNS domains registered for command and control and<br />
several different protocols for communication. Any single<br />
network indicator is not enough, there will be multiple<br />
methods of communication.<br />
Once established, these initial infections are used by a<br />
live attacker to probe deeper into the network. Of the initial<br />
infections, only a few will be used and the rest will be used as<br />
backup in case the initial nodes are detected. This means that<br />
network level indicators are not enough to detect the scope of<br />
the attack. Host level data is absolutely required to evaluate<br />
the extent of an attack.<br />
When an attack agent wakes up, it may report back to a<br />
command and control server. It will usually report system<br />
information about the infected host, the network, and user<br />
accounts.<br />
Once an agent has reported in, it can then be controlled<br />
from remote. The attackers will now take remote-control of<br />
these beachhead machines. Not all of the beachhead machines<br />
will be used at once. Some of them will be reserved as backups<br />
in case of detection. A common next-step is for the attacker<br />
to upload command-line tools to the infected host. A remote<br />
shell will be established using the malware, or commands will<br />
be executed one-at-a-time from remote. The attacker’s goal at<br />
this point is to probe the internal network, steal credentials,<br />
and spread laterally through the enterprise. He will then<br />
locate data and intellectual property worth stealing and<br />
exfiltrate it.<br />
COMMAND AND CONTROL<br />
Once agents have reported in, they will register as a<br />
controllable node <strong>with</strong> a central server. The attacker will<br />
typically spread laterally through the network, installing<br />
additional malicious agents as needed. Potentially hundreds<br />
of these malicious agents are monitored from a central<br />
location. The attack system will usually have a central<br />
management console that resembles an enterprise console<br />
(Figure 12). There are many different attack systems available,<br />
some custom built and some available for purchase in the<br />
criminal underground. Remember that a human attacker is<br />
behind the malware, and even malware systems thought to be<br />
common to only petty theft, such as Zeus, are in fact capable<br />
of full access to the network and represent a clear and present<br />
threat to intellectual property.<br />
In order to evade IDS systems, the attack system will<br />
typically use compliant protocols such as HTTPS. Using <strong>Active</strong><br />
Figure 12, the Zeus management console is better than most products<br />
shown on the RSA ® Conference vendor floor.<br />
<strong>Defense</strong>, the malicious binary can be extracted and analyzed<br />
for protocol strings that are unique to the attack system. For<br />
example, if the malware is using a specific User-Agent string,<br />
this would make a very good IOC for scanning. Even if the<br />
malware program is registered in different ways, as long as<br />
the attacker is re-using the same protocol string then <strong>Active</strong><br />
<strong>Defense</strong> would catch it. In Figure 13, we see an IOC scan for
8 THREAT INTELLIGENCE WITH HBGARY’S ACTIVE DEFENSE<br />
a query on last access times for net.exe.<br />
dumpacls: this tool is a swiss-army-knife for making<br />
queries about machines in a windows domain. A RawVolume.<br />
File.BinaryData scan will detect if dumpacls has ever been<br />
downloaded to a machine.<br />
Figure 13, Scanning the entire physical memory of the enterprise for<br />
known command-and-control strings.<br />
two Mozilla User-Agent strings, one of which has a peculiar<br />
combination of upper and lower case. This effectively detects<br />
any system which has had recent command-and-control<br />
protocol activity and has a near-zero false positive rate.<br />
COMMAND ACTIVITY<br />
Most remote access tools will have the ability to control<br />
the infected computer, including the ability to spawn a<br />
command shell or allow remote desktop control. Remote<br />
controls can be quite complex and feature-rich. Figure<br />
14 shows GhostNet, a Chinese remote access tool that was<br />
suspected to be used for Chinese state-sponsored attacks on<br />
political dissidents. The GhostNet tool has extensive features<br />
for monitoring the desktop, browsing activity, keylogging,<br />
and has full access to the network and filesystem.<br />
Some remote access tools are full-featured, but the<br />
attackers will typically download tools and use the command<br />
Figure 14, The Gh0st remote access tool<br />
line to probe the network, as opposed to using built-in<br />
features of the malware. While the latter is possible, in<br />
general this has not been seen in the wild. There are many<br />
commands and tools that are commonly used for Windows<br />
network exploitation. These include:<br />
password hash dumping: using tools that dump password<br />
hashes - these can later be cracked. There are many versions<br />
of this tool, including PTH toolkit, Gsecdump, and pwdump.<br />
snmputil: this tool ships <strong>with</strong> the Windows Resource Kit<br />
and can be used to gather account names from remote hosts,<br />
even when RPC connections are disabled. A RawVolume.<br />
File.BinaryData scan will detect if snmputil has ever been<br />
downloaded to a machine.<br />
at: this command is already present on windows and is<br />
used to schedule services on remote machines. This is often<br />
used <strong>with</strong> drive shares to infect remote nodes <strong>with</strong> additional<br />
copies of the malware backdoor program. Figure 6 shows a<br />
query for last access times for at.exe.<br />
psexec: another method for running a program on a<br />
remote node, can be used to infect a node <strong>with</strong> a copy of the<br />
malware backdoor. A LiveOS.Registry.Path query can be used<br />
to detect the psexec service.<br />
event log utilities: there are many variations and they can<br />
be used to locate recent account logons on remote nodes, in<br />
order to gather usernames, and can also be used to clean-up<br />
event logs to remove evidence of attack. Again, RawVolume.<br />
File.BinaryData is the most powerful way to detect if files<br />
have ever been downloaded to the machine.<br />
LATERAL MOVEMENT<br />
Once the attacker has access, the goal is to steal user<br />
credentials and spread throughout the network. Attackers<br />
will often scan the network for vulnerable hosts and probe<br />
systems before launching a full scale attack. Machines will be<br />
infected <strong>with</strong> additional sleeper agents, and files will copied<br />
and zipped up for subsequent transfer out of the network. All<br />
of these activities leave traces on the machine that <strong>Active</strong><br />
<strong>Defense</strong> can detect in physical memory and on the raw disk<br />
volume.<br />
For example, assume the attacker manages to crack a<br />
password hash for a domain-level account that is not typically<br />
used for interactive logon. For example, this could be the<br />
case if the attacker were to steal the admin account used <strong>with</strong><br />
a security or patching framework. If the attacker uses that<br />
account to perform interactive logon sessions, a directory<br />
net: the net command ships <strong>with</strong> windows and is commonly<br />
used to query information about the network. Figure 6 shows<br />
Figure 15, Searching for machines that have had an interactive logon for<br />
the epo_admin account.
9<br />
will be created under ‘Documents and Settings’ that would<br />
not normally be present on a system. To detect all the<br />
systems where the attacker has interactively logged on, you<br />
could run a query similar to the one shown in Figure 15.<br />
stealth since the scan is against physical memory.<br />
Figure 18 shows an IOC scan for variants of the PsKey400<br />
keylogger. The scans are against strings found in the base<br />
DOMAIN CONTROLLER ENUMERATION<br />
The attacker may use a variety of utilities to enumerate<br />
the domain controllers in the forest. Most of these utilities<br />
will use a common set of API functions. Figure 16 shows<br />
the physical memory artifacts left behind after a domain<br />
enumeration tool was executed. Scanning the physical<br />
memory of the enterprise for these strings will reveal which<br />
machines have had domain enumeration tools loaded.<br />
STEALING PASSWORD HASHES<br />
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F<br />
00018630 6F 73 4E 61 6D 65 57 57 00 00 00 00 FF FF FF FF osNameWW....ÿÿÿÿ<br />
00018640 16 00 EE 94 44 43 4C 69 73 74 45 6E 74 72 79 44 ..î”DCListEntryD<br />
00018650 6E 73 48 6F 73 74 4E 61 6D 65 57 57 00 00 00 00 nsHostNameWW....<br />
00018660 70 0E 00 00 13 00 D5 4A 44 43 4C 69 73 74 45 6E p.....ÕJDCListEn<br />
00018670 74 72 79 53 69 74 65 4E 61 6D 65 57 00 00 00 00 trySiteNameW....<br />
00018680 9C 1A 00 00 19 00 F3 20 44 43 4C 69 73 74 45 6E œ.....ó DCListEn<br />
00018690 74 72 79 43 6F 6D 70 75 74 65 72 4F 62 6A 65 63 tryComputerObjec<br />
000186A0 74 57 57 57 00 00 00 00 8C 13 00 00 17 00 51 73 tWWW....Œ.....Qs<br />
Figure 16, Artifacts of domain controller enumeration tools<br />
Attackers will commonly dump password hashes to gain<br />
access to additional user accounts, <strong>with</strong> the goal of reaching<br />
the domain admin account. Figure 17 shows a simple scan<br />
across the enterprise for pass-the-hash toolkit. Any toolkit<br />
imaginable could be scanned for in a similar manner. The<br />
key lies in selecting unique strings from the toolkit binaries<br />
that are certainly going to exist on-disk if the tool was ever<br />
downloaded to a system.<br />
DETECTING INSTALLED PASSWORD SNIFFER<br />
Figure 18, Scanning the entire enterprise for an injected keylogger.<br />
source code and thus detects variants, regardless of MD5<br />
checksum.<br />
Some password sniffing tools will install a packet sniffer<br />
Figure 19, Scanning the entire enterprise for machines that have a<br />
packet sniffer.<br />
such as winpcap. In this case, a scan is quite simple. Figure<br />
19 shows a scan to detect machines that have a packet sniffer<br />
installed.<br />
Figure 20 shows a scan for a password sniffer that injects<br />
into LSASS.EXE. This sniffer is of Chinese origin and is<br />
Figure 17, Scanning the entire enterprise for components of pass-thehash<br />
toolkit.<br />
Attackers may also install password sniffers and<br />
keyloggers. These are almost always injected into memory<br />
somehow. Scanning physical memory for strings that are<br />
known to be in the keylogger will reveal systems that have<br />
one installed. This approach will usually defeat packing and<br />
Figure 20, Scanning the entire enterprise for machines that have a<br />
password sniffer injected into LSASS.<br />
injected into heap memory, there is no associated DLL or<br />
module.<br />
DATA EXFILTRATION<br />
Attackers may collect multiple files together and compress
10 THREAT INTELLIGENCE WITH HBGARY’S ACTIVE DEFENSE<br />
them into a single archive before uploading it to a remote<br />
server. The attacker will commonly use ZIP, RAR, or CAB files<br />
for this purpose. The following figures show a variety of<br />
scans.<br />
Figure 21, Searching for ZIP archives<br />
Figure 22, Searching for RAR archives<br />
CONCLUSION<br />
There is no silver bullet. Cyber threats are here to stay.<br />
Enterprise security needs to focus on early detection and<br />
loss prevention. By detecting intrusions early, damage and<br />
loss can be prevented. Because it takes time and money to<br />
build software, even malicious software, the adversaries<br />
won’t be able to change their malware every single day. The<br />
attackers will re-use their software again and again. They<br />
will infect multiple hosts <strong>with</strong> the same remote access tool,<br />
or compile all their variants from the same source code base.<br />
By focusing on code idioms and root behavioral patterns,<br />
<strong>Active</strong> <strong>Defense</strong> can detect all of these variant threats <strong>with</strong><br />
a small number of patterns and over a much longer period<br />
of time. Furthermore, <strong>with</strong> such extensive host-level detail<br />
available, there simply is no better approach for detecting<br />
malicious code in the Enterprise. The <strong>HBGary</strong> methodology<br />
is sound and applies constant pressure against the adversary,<br />
detecting all variants of a remote access tool <strong>with</strong>in hours of<br />
initial detection. Even when the attacker uses command-line<br />
tools and features that are built-in to Windows, the forensic<br />
toolmarks can be detected <strong>with</strong> <strong>Active</strong> <strong>Defense</strong>. <strong>Active</strong><br />
<strong>Defense</strong> will put you ahead of the threat curve.<br />
Figure 23, Searching for split RAR archives<br />
IDS SIGNATURE CREATION<br />
In figure 11 is shown malicious URL artifacts from an<br />
infected machine. Based on the URL we can build an IDS<br />
signature. The domain name itself is stripped but the URL<br />
path is preserved. In this way, even if the attacker moves the<br />
command and control server to a new domain, the path will<br />
still be detected. Based on the physical memory artifacts,<br />
the resulting IDS signatures were created:<br />
alert tcp any any $MyNetwork (content:”kaka/getcfg.<br />
php”;msg:”C&C to rootkit infection”;)<br />
alert tcp any any $MyNetwork (content:”/1/getcfg.<br />
php”;msg:”C&C to rootkit infection”;)<br />
IDS rules such as the above will trigger when the malware<br />
attempts to communicate <strong>with</strong> it’s command server.<br />
Additional infected machines can be detected at the gateway.<br />
Furthermore, these connections can be blocked at the egress<br />
point and the malware can be cut off from the mothership.<br />
Potential data exfiltration can also be blocked. It should be<br />
noted that blocking connections <strong>with</strong>out first knowing the<br />
extent of the infection may tip off the attacker that he has<br />
been detected.
MORE INFORMATION<br />
11<br />
ABOUT HBGARY, INC<br />
<strong>HBGary</strong>, Inc. was founded in 2003 to develop products to<br />
counter APT and other unknown cyberthreats. <strong>HBGary</strong> has<br />
in-depth expertise in advanced malware, rootkits, zero-day<br />
exploits, and targeted threats. Customers include Fortune<br />
500 corporations, DOD and other U.S. government agencies.<br />
<strong>HBGary</strong>, Inc. is headquartered in Sacramento, Calif. <strong>with</strong><br />
offices in the Washington D.C. area. For information, please<br />
visit http://www.hbgary.com.<br />
Contact:<br />
sales@hbgary.com<br />
support@hbgary.com<br />
Web:<br />
www.hbgary.com<br />
Corporate Address:<br />
3604 Fair Oaks Blvd Suite 250<br />
Sacramento, CA 95762<br />
Phone: 916-459-4727<br />
Fax 916-481-1460<br />
Sales@hbgary.com
CORPORATE OFFICE<br />
3604 Fair Oaks Blvd. Ste. 250<br />
Sacramento, CA 95864<br />
916.459.4727 Phone<br />
CONTACT INFORMATION<br />
info@hbgary.com<br />
support@hbgary.com<br />
www.hbgary.com