
Okay, mind there, we go. All right, so I'll try to keep everybody awake after eating all that meat; I had a nice little pound of it. I want to start the afternoon off by asking, really just kind of gauging the audience so I'm using the right language here. When we talk about red team, blue team: who here actually works as a security analyst, you know, doing stuff for a company and is kind of responsible for responding and protecting? How many people are researchers in the security field, either working for a VAR or a vendor, that feel like you're part of the security industry? Okay. I assume the rest of you guys have just eaten; they had too much meat. What's the other category? Got consultants, that'll do anything for money. That's good.

All right, so what I've done today. So my name is Xavier Ash. I've been a security industry guy for about 22 years now, did some time at IBM and a couple of other places, and most recently was at Bit9, so I'll be talking about a technology here called Carbon Black. I am now no longer with the company, kind of in between gigs right now, so I went out and took this presentation and revamped it to say: all right, let's look at all the tools that are out there and see what capabilities exist to kind of do this without having to buy commercial tools. So hopefully this will be very useful to you guys, to not only understand and kind of see some oohs and ahs, maybe turn on some light bulbs, but also to take away and see that there's some new capability that exists out there, that you guys can start using the data in different ways, because some of this stuff is really new. All right, that's not the right button. No, let's try again.

All right, so you always got to start off with quotes and say, all right, how big is the problem? So what I'm talking about here today is really incident response. Incident response is, you know, something bad has happened; what are we going to do about it? How can we detect it, how can we respond to it, how can we remediate it? And in that realm I've got a couple quotes here. Vulnerability being breached: 69% of breaches over the last year were discovered externally. That's where, you know, Visa calls you up and says, hey, we're detecting a whole lot of fraud and it looks like it's coming from you, so you've been breached. The FBI coming to you and saying, hey, you're sending out a whole lot of stuff; breached. So 70%, 69%: our companies, the guys that said "I'm here protecting my company," we're not detecting it; other people are. How long does it take to discover that? On average 243 days. I'm sorry? Yeah, 243, 243 days. That was 205? 205, yeah, I think we're getting... you're right, I saw that one that said we are getting a little bit better, but still, 205, 243, that's still months, right, to know that you've been attacked. And then we've got to put an average cost on there for the bean counters to understand that this is not an easy thing to recover from.

All right, so traditional timeline analysis. Anybody in here that's specifically on the IR team that does incident response, or analysis? A couple of hands here. All right, so you pull the image, or you grab an image, you collect it up, rebuild the timeline. We've got this detection, we've got this IDS alert around this time, we're going to go look to see what was going on around this time, we're going to pivot on this, we're going to look over at the files that were written around this time. What else have we got? Parse through all the PE headers, look at what has been established in the registry. Building that timeline is a very time-consuming process. I pulled this off of a great blog, if you guys are working in that area: Windows Forensic Analysis. He basically wrote the book, literally, and has a lot of great tips. He also talks about this process mapping capability that I'll discuss today, so links are in the presentation.

So we've established a fact: compromise happens within seconds, right? Malformed PDF, oh, there, compromised. The exploit goes out, downloads a dropper, loads itself in, exfiltration starts happening within minutes. You get that specific download, specifically for your version of Java, that knows exactly how to load itself into your version of the OS and is off to the races. It just goes. We've established it goes undiscovered for months, and once we find out, remediation takes weeks. We've got to pull images, we've got to look back through firewall logs, some of the data; and we heard this morning from a SIEM, if you're not pulling in all that data you're trying to recreate something that we might not have enough data for. So there's got to be a better way, and basically a lot of the things that we're missing is: what are we not collecting at the time that the attack happened? What we're collecting right now is generally firewall logs, IDS logs, things on the network. We've always said, well, yeah, we're going to create a log for every single little packet that goes on. Well, why can't we create a little log that says every time something executes, we log it; every time something connects to an endpoint, let's log it? We've got advanced, powerful PCs that are basically doing a whole lot of nothing, other than downloading lots of movies, but we've got the capability of being able to create those logs now. And so that's what I'm going to stress through this and show how we can set that up, collect it, and also visualize it so we can understand what malware looks like, and understand now we can start using the data.

All right, so basically we're talking about process mapping for detection, response, remediation: understanding that when I create a process, when I execute a process... Who here has worked on the process tracking feature of GPOs in Windows, where you can sit there and turn on process tracking auditing within Windows? Anybody ever worked on that? Yep, we got one, two. The reason not many have done it is because it really is fairly useless: it says hey, this executable started, sometimes, if you get the right situation, and it doesn't have a lot of context. Well, who started that process, in what condition, under what user context? What's the hash of the file that actually got executed? What's the file name? What other modules did it load? What's the image ID? What network connections? We're not collecting that type of information, so that's what we're look
Yeah, the place in Linux where you get that capability is in the security module, I think it's the kernel modules, yeah, the kernel loadable modules, but it's basically the same thing that SELinux taps into. I think it's called just the Linux security module, and a lot of times on production systems, if customers are not using SELinux or SC, they'll actually take that out of the kernel build and you don't have those capabilities. But just like the Windows kernel filter driver was actually created around XP Service Pack 3, back when Microsoft said, okay, antivirus companies, please stop hacking our OS to be able to do the thing you're going to do; we'll give you an open spot to be able to slide in here and it'll be supported, and that was the kernel filter driver. Same thing with Linux: you have to have that security module that says I'm allowing something to come in here and shim, and I'm going to do things in a very specific way. OSX also, you know, you can load in kext libraries, but they have not really officially opened that up. Apple is still trying to figure out how to work with security vendors, and so basically security vendors still have to kind of hack around OSX because there's not that easy module load.

All right, so Sysmon collects the information; where does it put it? It puts it in a Windows event log. So, you know, we talked about Log Parser earlier today; that's one way of getting at it. There are some Python modules out there that can extract out of the event log. You can now do event log forwarding, where you can then send all this information to a central site, and other log generation tools that do the same thing that allow you to get all those events. So bottom line is: we've got Sysmon 2.0, free download. Go download it, you can install it with a couple of different options, very easy to set up. It'll automatically start sending to the event log, and that's what I did to set this up, and then just used Log Parser and some other Perl and Python scripting to kind of do some data magic. Any questions on kind of how the lab is set up and how I got this set up? All right.

Oh, sorry, I have some bullets here. Let me make sure that we cover these. It does collect the full command line. It's very similar to if you use Process Monitor, procmon, or the newer Task Managers that Microsoft has, which allow you to see the actual full command line of the image that was loaded; same thing here. So for Java apps you get to see the actual load command, and especially when you mount... most malware loads itself with completely benign Microsoft tools, right? You'll see regsvr32, rundll32, dllhost being used, and then you can actually get the full string to see, oh, it's actually loading this other DLL whose hash value, you know, it's malware. So there's a lot of things that you can do when you get the full command line. It does record the hash of the processes. This is really neat because it actually supports, I think, like five or six different hash types. Default is SHA-1; you can do SHA-256 and MD5, and there were like one or two others that I've never messed with. For all of mine I did an Adobe Flash setup that is not the real Adobe Flash setup, and some other smiley downloaders, and, I mean, look at all those sub-executions. So this is a baby bo on the internet. Yeah, yeah, this is somebody that needs to keep up with his teenager to be able to use the right smileys and load them up.

All right, so then if you could take this immediately, you know, it sends all these hashes in. Maybe you've got next-generation firewalls that can do file-aware stuff; throw these hashes in. We talked about security intelligence earlier, right? Feed this into your list of hashes. Once you've got a list of bad hashes, then you can go back and look at all the network connections. Now I've got even more intelligence: I got an IDS alert that did a known C&C, I did this, then I did the full map, and now I say, tell me all the IPs that all of this connected to. I get a list of IPs, block it, done. Within an hour you're able to do an incident report and say, you know, Sally from Finance clicked it again; I was able to detect it, but now that we have this new capability it didn't take me three weeks to do it, and we found more intelligence, more than our paid-for intelligence feeds are giving us. Because you've got to remember that a lot of those paid-for intelligence feeds have a very specific scope that they're looking for. All right, there's one big company that likes to look at the state-sponsored threats, right? And then you've got antivirus that was looking for the type of threats that can be signatured, and then there's all the stuff in the middle. We're talking about finance; there was a finance worm that you mentioned that had the same thing. A customer that got hit by a finance worm, they weren't in finance, they're in research, but they got hit by it, and so was able to get all this information. They created this list and they went to that security intelligence firm: I'm sending you a million dollars to do all the scans and you didn't find this. Here's all these IPs that have connected, here are all these hashes that have been used by this one variant of this bank-stealing Trojan; why didn't you find this? They said it's not state-sponsored, and it took them a week to say, it's not, you know, sorry, we didn't, you know, here's what we have on it, and 80% of it is what you just sent me. So this capability really explodes out the amount of information that you can load into a security framework.

I love this quote, especially coming after that last screenshot: the user is going to pick dancing pigs over security every time, by our leader in crypto, Bruce. Well, I appreciate, you know, not everybody falling asleep during this, and those that did, I'll come over and smack you in the back a little bit later. But to kind of add it all up: this capability exists both in commercial tools and freeware tools. The freeware tools give you the capability, but you need to take that capability and design how to operationalize it in your environment. Maybe you're not in that type of security team and you need to buy tools, and then the tools do exist and do so much more, already packaged out. And so, you know, build versus buy, it's a common thing that we're faced with here. And I think one of the more powerful things out of this is the network correlation piece. It's tying together network security data versus endpoint security data, and that alone I think is worth the price of admission in getting this type of capability set up. So thank everyone for listening to me, and do you have any questions?
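The hash-to-connection pivot the speaker describes (bad hash in, process tree out, list of IPs to block) written up as an added Python example. This is not the speaker's Perl/Python scripting and not part of Sysmon; it only borrows Sysmon's Event ID 1 (process create) and Event ID 3 (network connect) field names as the Windows Event Log exports them. The GUIDs, hashes, paths and IPs in the sample are constructed, and the "bad hash" set stands in for whatever a threat-intel lookup or firewall hash list hands back.

```python
"""Correlate Sysmon process-create and network-connect events: for any process
whose hash is on a bad list, report the destinations it and its children hit."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample events in Sysmon's EventData layout (Event ID 1 = process
# create, Event ID 3 = network connect). GUIDs, hashes, paths and IPs are made
# up; the IPs are documentation ranges. Real exports carry many more fields.
SAMPLE_EVENTS = """<Events>
<Event><System><EventID>1</EventID></System><EventData>
 <Data Name="ProcessGuid">{G-1}</Data><Data Name="ParentProcessGuid">{G-0}</Data>
 <Data Name="Image">C:\\Windows\\explorer.exe</Data>
 <Data Name="CommandLine">C:\\Windows\\explorer.exe</Data>
 <Data Name="Hashes">SHA1=AAAA0001,MD5=BBBB0001</Data></EventData></Event>
<Event><System><EventID>1</EventID></System><EventData>
 <Data Name="ProcessGuid">{G-2}</Data><Data Name="ParentProcessGuid">{G-1}</Data>
 <Data Name="Image">C:\\Users\\sally\\Downloads\\flash_setup.exe</Data>
 <Data Name="CommandLine">"C:\\Users\\sally\\Downloads\\flash_setup.exe" /quiet</Data>
 <Data Name="Hashes">SHA1=DEADBEEF0002,MD5=BBBB0002</Data></EventData></Event>
<Event><System><EventID>1</EventID></System><EventData>
 <Data Name="ProcessGuid">{G-3}</Data><Data Name="ParentProcessGuid">{G-2}</Data>
 <Data Name="Image">C:\\Windows\\System32\\rundll32.exe</Data>
 <Data Name="CommandLine">rundll32.exe C:\\Users\\sally\\AppData\\Local\\Temp\\upd.dll,Start</Data>
 <Data Name="Hashes">SHA1=AAAA0003,MD5=BBBB0003</Data></EventData></Event>
<Event><System><EventID>1</EventID></System><EventData>
 <Data Name="ProcessGuid">{G-4}</Data><Data Name="ParentProcessGuid">{G-1}</Data>
 <Data Name="Image">C:\\Program Files\\Browser\\browser.exe</Data>
 <Data Name="CommandLine">browser.exe</Data>
 <Data Name="Hashes">SHA1=AAAA0004,MD5=BBBB0004</Data></EventData></Event>
<Event><System><EventID>3</EventID></System><EventData>
 <Data Name="ProcessGuid">{G-2}</Data><Data Name="DestinationIp">198.51.100.7</Data>
 <Data Name="DestinationPort">443</Data></EventData></Event>
<Event><System><EventID>3</EventID></System><EventData>
 <Data Name="ProcessGuid">{G-3}</Data><Data Name="DestinationIp">203.0.113.9</Data>
 <Data Name="DestinationPort">8080</Data></EventData></Event>
<Event><System><EventID>3</EventID></System><EventData>
 <Data Name="ProcessGuid">{G-4}</Data><Data Name="DestinationIp">192.0.2.10</Data>
 <Data Name="DestinationPort">443</Data></EventData></Event>
</Events>"""


def parse_events(xml_text):
    """Return one dict per event: {'EventID': int, <Data Name>: text, ...}."""
    events = []
    for ev in ET.fromstring(xml_text).iter("Event"):
        rec = {"EventID": int(ev.findtext("System/EventID"))}
        for d in ev.iter("Data"):
            rec[d.get("Name")] = d.text or ""
        events.append(rec)
    return events


def parse_hashes(field):
    """Split Sysmon's 'SHA1=..,MD5=..' Hashes field into {'SHA1': .., 'MD5': ..}."""
    return dict(kv.split("=", 1) for kv in field.split(",") if "=" in kv)


def build_tree(events):
    """Map ProcessGuid -> process-create record, and parent GUID -> child GUIDs."""
    procs, children = {}, defaultdict(list)
    for rec in events:
        if rec["EventID"] == 1:
            procs[rec["ProcessGuid"]] = rec
            children[rec["ParentProcessGuid"]].append(rec["ProcessGuid"])
    return procs, children


def descendants(children, guid):
    """Every process GUID spawned, directly or indirectly, by `guid`."""
    out, stack = set(), [guid]
    while stack:
        for child in children.get(stack.pop(), ()):
            if child not in out:
                out.add(child)
                stack.append(child)
    return out


def correlate(events, bad_hashes):
    """For each process whose recorded hash (any algorithm) is in `bad_hashes`,
    collect the ip:port destinations contacted by it and everything it spawned."""
    procs, children = build_tree(events)
    conns = defaultdict(set)
    for rec in events:
        if rec["EventID"] == 3:
            conns[rec["ProcessGuid"]].add(f"{rec['DestinationIp']}:{rec['DestinationPort']}")
    findings = {}
    for guid, rec in procs.items():
        if set(parse_hashes(rec["Hashes"]).values()) & bad_hashes:
            scope = {guid} | descendants(children, guid)
            findings[guid] = {
                "image": rec["Image"],
                "command_line": rec["CommandLine"],
                "children": sorted(procs[g]["Image"] for g in scope - {guid}),
                "destinations": sorted(d for g in scope for d in conns.get(g, ())),
            }
    return findings


if __name__ == "__main__":
    # Constructed bad-hash list, e.g. what an intel lookup flagged.
    for guid, hit in correlate(parse_events(SAMPLE_EVENTS), {"DEADBEEF0002"}).items():
        print(guid, hit["image"], hit["command_line"])
        print("  spawned:", hit["children"])
        print("  block:  ", hit["destinations"])
```

Matching on the whole process subtree is the point: the flagged installer itself only touched one address, but the rundll32 it spawned (the "benign Microsoft tool" pattern from the talk) made the second connection, and a pivot on the bad hash alone would have missed it. The browser process under the same parent is left out because it is a sibling, not a descendant.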