Post on 17-Dec-2015
HBSS Tricks
Chris Rooney
We need a recipe, map, something…
For many people Audits are like Easter
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
1.1 Establish firewall and router configuration standards that include the following: blah blah
1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
1.4 Install personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization’s network.
Requirement 5: Use and regularly update anti-virus software or programs
5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
5.2 Ensure that all anti-virus mechanisms are current, actively running, and generating audit logs.
Requirement 6: Develop and maintain secure systems and applications
6.2 Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities.
Requirement 8: Assign a unique ID to each person with computer access
Requirement 10: Track and monitor all access to network resources and cardholder data
Their own words - Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs.
10.1 Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.
Requirement 12: Maintain a policy that addresses information security for all personnel.
A strong security policy sets the security tone for the whole entity and informs personnel what is expected of them. All personnel should be aware of the sensitivity of data and their responsibilities for protecting it. For the purposes of Requirement 12, “personnel” refers to full-time and part-time employees, temporary employees, contractors and consultants who are “resident” on the entity’s site or otherwise have access to the cardholder data environment.
12.5.2 Monitor and analyze security alerts and information, and distribute to appropriate personnel.
12.9.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts.
12.9.5 Include alerts from intrusion-detection, intrusion-prevention, and file-integrity monitoring systems.
NIST SP800-53A Recommended Security Controls for Federal Information Systems
AU-2 AUDITABLE EVENTS
(1) The information system provides the capability to compile audit records from multiple components throughout the system into a systemwide (logical or physical), time-correlated audit trail.
AU-4 AUDIT STORAGE CAPACITY
Control: The organization allocates sufficient audit record storage capacity and configures auditing to prevent such capacity being exceeded.
AU-6 AUDIT MONITORING, ANALYSIS, AND REPORTING
Control: The organization regularly reviews/analyzes audit records for indications of inappropriate or unusual activity, investigates suspicious activity or suspected violations, reports findings to appropriate officials, and takes necessary actions.
CA-7 CONTINUOUS MONITORING
Control: The organization monitors the security controls in the information system on an ongoing basis.
IR-4 INCIDENT HANDLING
Control: The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.
IR-5 INCIDENT MONITORING
Control: The organization tracks and documents information system security incidents on an ongoing basis.
RA-5 VULNERABILITY SCANNING
Control: Using appropriate vulnerability scanning tools and techniques, the organization scans for vulnerabilities in the information system [Assignment: organization-defined frequency] or when significant new vulnerabilities affecting the system are identified and reported.
What you had to buy:
Firewall
IDS - (I Detect Stuff)
IPS - (I Prevent Stuff)
AV
Logging solution of some type - Centralized logging
HIPS / HIDS
Attacker
WHA!? The Auditor said we were “Compliant”
Following this:
In no way makes you this:
What this isn't –
• You're not going to replace your AV solutions
• You're not going to replace <insert everything>
• Also we are not curing diabetes, cancer, or insomnia
What This Will Do
This will help your internal incident response
This will possibly help you find root cause faster
This might actually help you detect something
Defense in Depth or Layered Security
What this will require
Proactive monitoring
Reviewing a lot of logs
Reviewing a lot of logs
Why?
Because AV sucks.
No really, because AV sucks.
AV is signature-based; you are always playing "catch up".
Tool sets are rarely going to be picked up by AV. Malicious DLLs, memory-resident code, etc etc…
AV is neither designed for nor capable of detecting nearly anything related to a compromise!
After the initial compromise, the attacker will use available system tools against you.
Anatomy of an Attack
Recon
Scanning
Exploit Systems
Keeping Access
Covering Tracks
Recon – Hard to Detect
Not Detectable: Web searches (Google, Bing, etc), Whois – registrar info etc
Detectable:
DNS zone transfers – AXFR or IXFR
DNS reverse lookup – brute force
Servers named <company>DC#, <company>MAIL#, etc, or mythological deities, heroes, Lord of the Rings, etc
Firewall, IDS/IPS, and Server Logs help here
Basic Network monitoring – DO IT.
Review the Logs, Detections etc
Forget about the "color" – Red, OJ, Yellow, etc. Look at the finding, evaluate it, act appropriately.
Manager Receipt Time | Name | Transport Protocol | Priority | Severity | Device Action | Source Address | Source Port | Destination Address | Destination Port
Mar 27 2013 12:00:32 | SERVER-IIS view source via translate header | TCP | 5 | 3 | Gray -- Unknown | 74.82.248.186 | 4609 | 137.161.202.92 | 80
Mar 27 2013 12:03:37 | Mandiant WebC2-GDOCUPLOAD User-Agent 3 | TCP | 9 | 10 | Gray -- Unknown | 10.78.66.100 | 42853 | 68.142.251.159 | 80
Mar 27 2013 12:04:17 | DNS SPOOF query response with TTL of 1 min. and no authority | UDP | 5 | 3 | Gray -- Unknown | 199.66.238.112 | 53 | 10.161.231.150 | 11758
Mar 27 2013 12:23:30 | SERVER-IIS view source via translate header | TCP | 5 | 0 | 6 | 52.129.8.51 | 41314 | 10.82.250.31 | 80
Mar 27 2013 12:24:30 | Mandiant WebC2-GDOCUPLOAD User-Agent 3 | TCP | 8 | 5 | Gray -- Unknown | 10.80.29.105 | 45382 | 165.254.99.35 | 80
Mar 27 2013 12:13:38 | DNS SPOOF query response with TTL of 1 min. and no authority | UDP | 5 | 3 | Gray -- Unknown | 199.66.238.112 | 53 | 192.161.231.150 | 62800
Mar 27 2013 12:27:35 | Mandiant WebC2-GDOCUPLOAD User-Agent 3 | TCP | 7 | 0 | Gray -- Unknown | 10.80.174.11 | 32137 | 165.254.99.24 | 80
Mar 27 2013 12:15:09 | SCAN UPnP service discover attempt | UDP | 3 | 0 | Gray -- Unknown | 176.10.35.241 | 30987 | 10.78.84.67 | 1900
Mar 27 2013 12:16:14 | SCAN UPnP service discover attempt | UDP | 3 | 0 | Gray -- Unknown | 176.10.35.241 | 45317 | 192.152.169.252 | 1900
Mar 27 2013 12:16:19 | SCAN UPnP service discover attempt | UDP | 3 | 0 | Gray -- Unknown | 176.10.35.241 | 2032 | 10.83.194.160 | 1900
Mar 27 2013 12:20:04 | DNS SPOOF query response with TTL of 1 min. and no authority | UDP | 5 | 3 | Gray -- Unknown | 199.66.238.112 | 53 | 192.161.231.150 | 35177
Mar 27 2013 12:20:39 | SCAN UPnP service discover attempt | UDP | 3 | 0 | Gray -- Unknown | 94.142.155.123 | 23396 | 10.83.192.239 | 1900
Mar 27 2013 12:23:35 | DNS SPOOF query response with TTL of 1 min. and no authority | UDP | 5 | 3 | Gray -- Unknown | 199.66.238.112 | 53 | 192.161.231.150 | 20869
OK…
Reviewing pages of this is "No Bueno"
It needs to be usable and convey something
Now that makes it a heck of a lot easier to read
Scanning
Port Scans
Service Scans
Scanning Web Servers
VPN Gateways
FTP
DNS
Citrix
Database (Yes we do find databases in DMZ sometimes)
Detected with - Firewall, IDS/IPS, Logging
Exploit Systems
Web browsers, Operating System vulnerabilities
and
JAVA
and
Everything made by Adobe
EVER!!!!!!
Let’s talk users
Shouldn’t have admin rights
They just want to see the kittehs
They will keep you up at night
Without them you'd be unemployed
Are you familiar with Indicators of Compromise?
ZeroAccess/Siref.P
This is looking for indicators found from a recent ZeroAccess/Siref variant. Files are located in users profile\local settings\application data\{}\@ or \n and also seen in c:\windows\installer.
Registry KeyPath: Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32
WinLogon Shell Persistence
    <IndicatorItem id="f0a5abaa-41f4-488e-9acf-8c7654a71122" condition="contains">
        <Context document="RegistryItem" search="RegistryItem/Value" type="mir" />
        <Content type="string">%Temp%</Content>
    </IndicatorItem>
Trojan-Tinba-Zusy
    <IndicatorItem id="fcfc3866-836f-4a0c-8939-fc23dc22d0a4" condition="contains">
        <Context document="FileItem" search="FileItem/FullPath" type="mir" />
        <Content type="string">All Users\Application Data\default</Content>
    </IndicatorItem>
They're not admins
So we shouldn't see them executing stuff from:
Internet\local\temp
AppData\local\Temp
Temporary Internet Files\
Set up some HIPS rules and let them run. Whenever the HIPS triggers, it creates an event.
Pipe it to centralized logging/monitoring
Review often
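An added example (not ePO/HIPS policy from the talk) of the rule this slide describes: given process-start events, flag non-admin users launching images from the listed temp directories and serialize each hit as a JSON line for the central log. The event fields, hostnames and the rule name "NonAdmin-ExecFromTemp" are assumptions; the user names and paths are modelled on the AV report that follows.

```python
"""Evaluate the slide's HIPS rule, 'non-admins do not execute from temp', and emit events
for the central log (added example, not HBSS/ePO code)."""
import json

# Fragments distilled from the slide's list. "\local\temp\" covers both "Local Settings\Temp"
# and "AppData\Local\Temp"; the comparison is case-insensitive.
TEMP_FRAGMENTS = ("\\local\\temp\\", "\\temporary internet files\\")

def violates_rule(event):
    """True when a non-admin user launches an image that lives under a temp-style directory."""
    if event["is_admin"]:
        return False
    image = event["image"].lower().replace("/", "\\")
    return any(frag in image for frag in TEMP_FRAGMENTS)

def to_log_line(event):
    """Serialize the triggered rule as one JSON line for the central collector."""
    record = {"ts": event["time"], "host": event["host"], "user": event["user"],
              "rule": "NonAdmin-ExecFromTemp", "image": event["image"], "action": "Permitted"}
    return json.dumps(record, sort_keys=True)

def process_events(events):
    """Apply the rule to a batch of process-start events; return the log lines to ship."""
    return [to_log_line(e) for e in events if violates_rule(e)]

# Constructed process-start events; user names and paths mirror the slide's AV report,
# hostnames are made up. The last one shows a gap: AppData\Local itself is not a temp dir.
SAMPLE_EVENTS = [
    {"time": "2013-03-05T12:20:00", "host": "NB-EXAMPLE-01", "user": "g2odBJPB", "is_admin": False,
     "image": r"C:\Users\g2odBJPB\AppData\Local\Temp\jcap.exe"},
    {"time": "2013-03-05T12:21:00", "host": "WS-EXAMPLE-02", "user": "b1odpsaj", "is_admin": False,
     "image": r"c:\Documents and Settings\b1odpsaj\Local Settings\Temporary Internet Files\Content.IE5\3LYHPBW3\adds.exe"},
    {"time": "2013-03-05T12:22:00", "host": "WS-EXAMPLE-03", "user": "helpdesk-admin", "is_admin": True,
     "image": r"C:\Users\helpdesk-admin\AppData\Local\Temp\installer.exe"},
    {"time": "2013-03-05T12:23:00", "host": "WS-EXAMPLE-04", "user": "g6edxjfs", "is_admin": False,
     "image": r"C:\Users\g6edxjfs\AppData\Local\ber.exe"},
]
```

The fourth event is the kind of miss to expect from a path-only rule: `ber.exe` sits directly under AppData\Local, so it needs its own fragment or a separate rule.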
Does this work?
Typical AV alert report:
JS/Exploit-Blacole.gq trojan deleted c:\Documents and Settings\b1odpsaj\Local Settings\Temporary Internet Files\Content.IE5\3LYHPBW3\adds_youngs-tickets[1].htm
FakeAlert-Rena!mem trojan deleted C:\Users\g6edxjfs\AppData\Local\ber.exe
JS/Blacole-Redirect.y trojan deleted c:\Users\g2odBJPB\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6DRU6D7E\jcap[1].js
JS/Blacole-Redirect.y trojan deleted c:\Users\g2odBJPB\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6EQZXI8W\md5[1].js
JS/Blacole-Redirect.y trojan deleted c:\Users\g2odBJPB\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6EQZXI8W\mm_menu[1].js
JS/Blacole-Redirect.y trojan deleted c:\Users\g2odBJPB\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6EQZXI8W\textsizer[1].js
Generic.dx!bhml trojan deleted c:\Documents and Settings\L4ECCEER\Application Data\Sun\Java\Deployment\cache\6.0\18\5b0dbf92-27b00084\ConvertVal.class
Generic.dx!bhnq trojan deleted c:\Documents and Settings\U4GGYNT3.ERD\Application Data\Sun\Java\Deployment\cache\6.0\62\51833e7e-6f4af747\Qe9hq0c.class
Generic.dx!bhmj trojan deleted c:\Documents and Settings\l2cocbhs\Application Data\Sun\Java\Deployment\cache\6.0\17\2e230d1-2627f1e2\glof.class
What if you could detect malware without a signature anywhere from 1 to 15 days before AV?
3/5/2013 12:20 NB-NB-02606043 3776 Microsoft Internet Explorer Vector Markup Language Vulnerability (2) C:\Program Files\Internet Explorer\iexplore.exe Permitted bad_parameter Vulnerability Name Vulnerable ActiveX Control Loading A
Please Remove and Investigate - Exploit-FEW!Blacole, NB-NB-02606043 3/10/2013
Evidence:
9 Mar 2013 04:04:06 EST,9 Mar 2013 10:03:21 EST,trojan,Exploit-FEW!Blacole,1 NB-NB-02606043 c:\Users\ctxctx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\662c0a3d-68bf0762,Infected file deleted.
9 Mar 2013 04:04:06 EST,9 Mar 2013 10:02:20 EST,CENAD,N/A,trojan,JS/Exploit-Blacole.kf, NB-NB-02606043 c:\Users\ctxctx\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7KIUL6H4\q[1].htm,Infected file deleted.
3/5/2013 16:02 LOL-NB-01583721 3776 Microsoft Internet Explorer Vector Markup Language Vulnerability (2) C:\Program Files\Internet Explorer\iexplore.exe Permitted bad_parameter Vulnerability Name Vulnerable ActiveX Control Loading A
Please Remove and Investigate - JV/Blacole-FFV!4EBC81B2A371, LOL-NB-01583721 -3/11/2013 9 KB
11 Mar 2013 08:24:07 CDT,Infected file deleted.,JV/Blacole-FFU!9DB0385E2EC8, LOL-NB-01583721,c:\Users\CTMCTM\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\4eb3880-5296bc4f\BadRun.class,8,McAfee,ePolicy Orchestrator
3/5/2013 7:28 MNT-LM01NOL "CMD Tool Access by a Network Aware Application" C:\windows\system32\services.exe Permitted read,execute C:\windows\system32\sc.exe
Please Remove and Investigate - Possible Malware, MNT-LM01NOL 3/14/2013 33 KB
Evidence:
MNT-LM01NOL MCHTJOPJcvgnWvWrnaqeyLRo C:\windows\BhZvccld.exe Own Process Manual
3/4/2013 18:38 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\Windows\system32\cmd.exe
3/4/2013 18:38 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\system32\svchost.exe Permitted Read C:\Windows\System32\cmd.exe
3/4/2013 18:36 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\Windows\system32\cmd.exe
3/4/2013 18:35 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\Windows\system32\cmd.exe
3/4/2013 18:38 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\windows\system32\mmc.exe
3/4/2013 18:45 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\system32\svchost.exe Permitted Read C:\Windows\system32\tasklist.exe
3/4/2013 18:39 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\system32\svchost.exe Permitted Read C:\Windows\system32\tasklist.exe
3/4/2013 18:46 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\Windows\SysWOW64\mmc.exe
3/4/2013 18:45 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\Windows\SysWOW64\mmc.exe
3/4/2013 18:37 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\Windows\SysWOW64\mmc.exe
Please Remove and Investigate - Possible Malware, TS05CPC 3/15/2013
Evidence:
TS05CPC Mujkqgnqoz C:\Windows\dcdlGcwB.exe Own Process Manual
TS05CPC MSmnVhUJZvFOTMWlOqJ C:\Windows\HgcYJFmB.exe Own Process Manual
TS05CPC MYdVQuZoWaSQlQ C:\Windows\KrmWoUKS.exe Own Process Manual
Did I mention that AV cannot be counted on?
Keeping Access/Lateral Movement
System tools used – netstat, net view, creating and starting services with sc
HIPS/HIDS and Event Logs are key
Visualize them, look at access times, parse them and write them to a spreadsheet
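As an added example (not from the talk or from McAfee) covering the "CMD Tool Access" HIPS events shown earlier and this slide's advice to parse events and review them in a spreadsheet: parse the event lines, flag any host with a burst of at least five such events inside fifteen minutes, and write the events out as CSV. The threshold, the window and the WS-CONTROL host are assumptions.

```python
"""Flag hosts with a burst of HIPS 'CMD Tool Access' events and dump them as CSV (added example)."""
import csv, io, re
from datetime import datetime, timedelta

# Slide-format HIPS lines (date time host "rule" parent action perms child); TS05CPC rows are
# the slide's own, WS-CONTROL is a constructed benign host with a single event for comparison.
EVENTS = r"""
3/4/2013 18:38 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\Windows\system32\cmd.exe
3/4/2013 18:38 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\system32\svchost.exe Permitted Read C:\Windows\System32\cmd.exe
3/4/2013 18:36 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\Windows\system32\cmd.exe
3/4/2013 18:35 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\Windows\system32\cmd.exe
3/4/2013 18:38 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\windows\system32\mmc.exe
3/4/2013 18:45 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\system32\svchost.exe Permitted Read C:\Windows\system32\tasklist.exe
3/4/2013 18:39 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\system32\svchost.exe Permitted Read C:\Windows\system32\tasklist.exe
3/4/2013 18:46 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\Windows\SysWOW64\mmc.exe
3/4/2013 18:40 WS-CONTROL "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\Windows\system32\cmd.exe
"""
LINE_RE = re.compile(r'^(\S+ \S+) (\S+) "([^"]+)" (\S+) (\S+) (\S+) (\S+)$')
COLUMNS = ("time", "host", "rule", "parent", "action", "perms", "child")

def parse_events(text):
    """One dict per line matching the format; anything else is skipped, not guessed."""
    rows = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        row = dict(zip(COLUMNS, m.groups()))
        row["time"] = datetime.strptime(row["time"], "%m/%d/%Y %H:%M")
        rows.append(row)
    return rows

def burst_hosts(rows, threshold=5, window=timedelta(minutes=15)):
    """Hosts with >= threshold events in any window: one cmd.exe read is noise, a burst is not."""
    by_host = {}
    for r in rows:
        by_host.setdefault(r["host"], []).append(r["time"])
    flagged = set()
    for host, times in by_host.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged.add(host)
    return flagged

def to_csv(rows):
    """CSV text, one event per line sorted by host then time, ready for the spreadsheet."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(COLUMNS)
    for r in sorted(rows, key=lambda r: (r["host"], r["time"])):
        writer.writerow([r["time"].isoformat() if c == "time" else r[c] for c in COLUMNS])
    return buf.getvalue()
```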
Covering Tracks
Deleting Logs
Hiding Files
Tunnels
HIDS/HIPS, IPS/IDS, Centralized Logging, Egress Filtering