hidden empires of malware
Post on 22-Jan-2018
© 2017 SPLUNK INC.
The “Hidden Empires” of Malware
DaveRyan
International
Conference on
Cyber Security
January 2018
Disclaimer
During the course of this presentation, we may make forward looking statements regarding
future events or the expected performance of the company. I often lie. Maybe this is a lie.
Wik Alsø wik Alsø alsø wik Wi nøt trei a høliday in Sweden this yër? See the løveli lakes
The wøndërful telephøne system And mäni interesting furry animals The characters and
incidents portrayed and the names used in this Presentation are fictitious and any similarity
to the names, characters, or history of any person is entirely accidental and unintentional.
Signed RICHARD M. NIXON Including the majestik møøse A Møøse once bit my Marcus...
No realli! He was Karving his initials on the møøse with the sharpened end of an
interspace tøøthbrush given him by Svenge – his brother-in-law – a Canadian dentist and
star of many Norwegian møvies: "The Høt Hands of an Canadian Dentist", "Fillings of
Passion", "The Huge Mølars of Horst Nordfink"... In addition, any information about our
roadmap outlines our general product direction and is subject to change at any time
without notice. Splunk undertakës no øbligation either to develøp the features or
functionality described or to include any such feature or functionality in a future release.
# whoami > Ryan Kovar, CISSP, MSc(Dist)
Staff Security Strategist
Minister of the OODAloopers
@meansec
▶ 17 years of cyber security experience
▶ Current role on Security Practice team focuses on incident/breach response, threat intelligence, and research
▶ Also investigating why printers are so insubordinate ಠ_ಠ
# whoami > Dave Herrald, CISSP, GIAC G*, GSE #79
Security Architect @splunk
@daveherrald
- 20+ years IT and security
- Information security officer, security architect, pen tester, consultant, SE, system/network engineer
- Former SANS Mentor
- Co-creator of Splunk Boss of the SOC
Agenda
▶ Answering some W's
• What are we talking about with “Hunting Empires”?
• What are SSL certificates and why do I care?
• What can I do with them?
▶ Talk about the “H”
• How can I get this data myself?
▶ And now another W
• Where can I get this awesome stuff!
On the shoulders of giants
Mark Parsons, “Lord of SSL Pivoting”
@markpars0ns
▶ https://t.co/amyR9pU8o4
▶ https://medium.com/@mark.parsons/hunting-a-tls-certificate-series-post-1-6ad7adfebe44
▶ https://mpars0ns.github.io/bsidescharm-2016slides/
▶ https://mpars0ns.github.io/archc0n-2016-tls-slides/#/
▶ https://www.slideshare.net/MSbluehat/bluehat-v17-using-tls-certificates-to-track-activity-groups
What are these “Hidden” Empires?
POWERSHELL EMPIRE
• Similar to Metasploit in user experience
• C2 functionality
• Second stage infection/implant after initial infection
• Used extensively for lateral movement
Sometimes it's hard to find evidence that
Place Holder PowerSploit Capabilities
Place Holder PowerSploit Capabilities
SSL Certificates
What are SSL certificates and why do I care?
Sooo… SSL Certificates?
“[SSL certificates are] small [unencrypted] data files that digitally bind a cryptographic key to an organization’s details.” [1]
[1] https://www.godaddy.com/help/what-is-an-ssl-certificate-542
So that shows SSL certificates?
Censys.io
Circl.lu
Passivetotal.org
Splunk!
Internet-Wide Scan Data Repository
▶ Public archive of research data
▶ Hosted by the Censys team at the University of Michigan
▶ Perform scans, and host results from other teams
▶ The data on the site is restricted to non-commercial use
▶ https://scans.io (https://scans.io/json)
Exploring scans.io Studies
Web Interface: https://scans.io
JSON: https://scans.io/json
Command Line: $ python ./download.py --liststudies
https://github.com/daveherrald/scansio-sonar-splunk
Project Sonar by Rapid7
https://sonar.labs.rapid7.com/
▶ Many studies
• SSL Certificates
• HTTP Content
• HTTPS Content
• DNS
• Various TCP/UDP services (SSH, SMB, Telnet, etc.)
▶ Hosted at scans.io
▶ Please review Project Sonar TOS
▶ Thanks to Rapid7 Labs!
SSL Certificates Study (sonar.ssl)
▶ October 30, 2013 – Present
▶ Raw size
• Entire data set: 315 GB compressed (as of 02JAN2017)
• Weekly: ~1.5 - 2.0 GB compressed
▶ Entire data set indexed in Splunk: ~1.2TB
▶ Scan the entire Internet (TCP/443 only)
▶ Comprised of:
• Observed certificates *
• Observed IP address / certificate *
• Names
• Endpoints
sonar.ssl Certificates
2-column CSV: SHA1 hash + Base64-encoded DER
Decoded DER (https://gchq.github.io)
sonar.ssl Certificate in Splunk
index=sonarsslcert earliest=0 hash_id=b4c68c2fe3e689bd51c3676c69c02454be1f545f
sonar.ssl Hosts
2-column CSV: IP address + certificate hash (SHA1)
Host, IP address, observation date
Enriched with country and ASN via MaxMind
sonar.ssl First/Last seen
Search for a hash, or pivot here from search
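The first/last-seen pivot above is a fold over the weekly sonar.ssl hosts files: for each certificate SHA1, note the earliest and latest scan date it appeared, and which IPs served it on which dates. The following is an added example written for this page, not code from the talk or from the scansio-sonar-splunk project; the Gozi fingerprint is the one cited later in the deck, while the scan dates and IP addresses are constructed sample data.

```python
import csv
import io
from datetime import date

# Constructed sample in the shape of the sonar.ssl hosts files: one 2-column CSV
# (IP address, certificate SHA1) per weekly scan, keyed here by the scan date.
# The fingerprint is the Gozi one cited in the talk; IPs and dates are made up.
GOZI_SHA1 = "8fc4a51bb808d0050a85f55de93b3aa9db4fef90"
SAMPLE_SCANS = {
    date(2017, 11, 6): f"203.0.113.10,{GOZI_SHA1}\n198.51.100.7,{'0' * 40}\n",
    date(2017, 11, 13): f"203.0.113.10,{GOZI_SHA1}\n203.0.113.44,{GOZI_SHA1}\n",
    date(2017, 12, 4): f"203.0.113.44,{GOZI_SHA1}\n",
}


def build_timeline(scans):
    """Fold the scans into sha1 -> {"first": date, "last": date, "ips": {ip: (first, last)}}."""
    timeline = {}
    for day in sorted(scans):  # ascending order, so "last" can simply be overwritten
        for ip, sha1 in csv.reader(io.StringIO(scans[day])):
            entry = timeline.setdefault(sha1, {"first": day, "last": day, "ips": {}})
            entry["last"] = day
            first_seen, _ = entry["ips"].get(ip, (day, day))
            entry["ips"][ip] = (first_seen, day)
    return timeline


def pivot(scans, sha1):
    """First/last seen for one fingerprint plus every IP that served it; None if never observed."""
    return build_timeline(scans).get(sha1)


def newly_seen_ips(scans, sha1, since_iso):
    """IPs that started serving the certificate on or after the given ISO date (new infrastructure)."""
    entry = pivot(scans, sha1)
    if entry is None:
        return []
    since = date.fromisoformat(since_iso)
    return sorted(ip for ip, (first_seen, _) in entry["ips"].items() if first_seen >= since)


if __name__ == "__main__":
    hit = pivot(SAMPLE_SCANS, GOZI_SHA1)
    print(f"{GOZI_SHA1}: first {hit['first']}, last {hit['last']}")
    for ip, (first_seen, last_seen) in sorted(hit["ips"].items()):
        print(f"  {ip}: {first_seen} .. {last_seen}")
    print("new since 2017-11-10:", newly_seen_ips(SAMPLE_SCANS, GOZI_SHA1, "2017-11-10"))
```

On the real data set the per-week files are large, so the fold would run once into a store (the talk indexes them in Splunk) and the pivot would be a lookup; the shape of the result, a time span per hash and per IP, is what lets a fingerprint from an incident be turned into a list of infrastructure and a "when did this start" answer.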
HTTPS (TCP/443) (sonar.https)
▶ July 25, 2016 – Present
▶ Raw size
• Entire data set: ~3.2 TB compressed (as of 02JAN2017)
• Weekly: ~25 GB compressed
▶ Entire data set indexed in Splunk: ~10TB
▶ Scan the entire Internet (TCP/443 only)
▶ Comprised of:
• IP
• Path
• Port (Always 443)
• Certificate Subject
• Payload!
HTTPS (TCP/443) (sonar.https) in Splunk
index=sonarhttps earliest=0
[1] David Bianco, http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
openssl req -new -x509 -keyout ../data/empire-priv.key -out ../data/empire-chain.pem -days 365 -nodes -subj "/C=US" >/dev/null 2>&1
VS
And I care why?
One of these is not like the others
We use Splunk
But you don’t have to!
But what do we do with it?
You can do at least two things with SSL Certificate information
Known
Unknown
THE SSL CERTIFICATES IN YOUR INCIDENTS ARE REAL.
Start with some known naughty SSL SHA1 fingerprints
Gozi Trojan
8fc4a51bb808d0050a85f55de93b3aa9db4fef90
“As we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns, the ones we don't know we don't know. And when someone tries to hunt in CyberSpace the known unknowns are the hardest to find.”
- Donald “Cybersfeld”
Hunting PowerShell Empire
C=US is weird…
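The pivot behind this slide is that the self-signed certificate generated by the openssl command shown earlier carries a subject of nothing but C=US, which almost no legitimate server uses. The sonar.ssl certificates file is a CSV of SHA1 fingerprint plus base64 DER, so the hunt is: decode each DER, walk to the subject, and flag certificates whose subject is exactly [C=US]. Below is an added example written for this page, not code from the talk, from Empire or from the scansio-sonar-splunk project. It ships its own minimal DER walker, which assumes well-formed DER and string-typed attribute values (a production job would use an X.509 library such as `cryptography`), and builds two constructed, unsigned certificate skeletons as sample input so it runs offline; the same functions work on real sonar.ssl rows.

```python
import base64
import csv
import hashlib
import io

# --- Minimal DER helpers (assumption: input is well-formed DER, as sonar.ssl data is) ---

def der_len(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    """Wrap a body in a DER tag-length-value."""
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def children(body: bytes):
    """Yield (tag, body) for each TLV inside a constructed body."""
    pos = 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        yield tag, inner

# X.520 attribute-type OIDs, DER-encoded: countryName, organizationName, commonName
OID_C, OID_O, OID_CN = bytes.fromhex("550406"), bytes.fromhex("55040a"), bytes.fromhex("550403")
OID_NAMES = {OID_C: "C", OID_O: "O", OID_CN: "CN"}

def parse_name(name_body: bytes):
    """Decode a Name body (SEQUENCE OF RDN, RDN = SET OF {OID, value}) into [(attr, value), ...]."""
    rdns = []
    for _, set_body in children(name_body):
        for _, atv_body in children(set_body):
            (_, oid), (_, value) = list(children(atv_body))
            rdns.append((OID_NAMES.get(oid, oid.hex()), value.decode("utf-8", "replace")))
    return rdns

def subject_of(cert_der: bytes):
    """Walk Certificate -> tbsCertificate and return the subject's RDNs."""
    _, cert_body, _ = read_tlv(cert_der, 0)
    _, tbs_body = next(children(cert_body))
    fields = list(children(tbs_body))
    if fields[0][0] == 0xA0:  # optional explicit [0] version comes first
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return parse_name(fields[4][1])

# --- Constructed sample data: unsigned X.509 skeletons with enough structure to parse ---

def name(*rdns):
    """Build a DER Name from (oid, PrintableString) pairs, one RDN per pair."""
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x13, val.encode()))) for oid, val in rdns))

def fake_cert(subject: bytes) -> bytes:
    """Self-issued certificate skeleton (issuer == subject) with a dummy key and empty signature."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))  # sha256WithRSA
    validity = tlv(0x30, tlv(0x17, b"180101000000Z") + tlv(0x17, b"190101000000Z"))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + subject + validity + subject + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))

def sonar_line(cert_der: bytes) -> str:
    """One sonar.ssl certificates row: SHA1 of the DER, then the base64 DER."""
    return hashlib.sha1(cert_der).hexdigest() + "," + base64.b64encode(cert_der).decode()

SAMPLE_CSV = "\n".join([
    sonar_line(fake_cert(name((OID_C, "US")))),  # Empire-style: subject is only C=US
    sonar_line(fake_cert(name((OID_C, "US"), (OID_O, "Example Corp"),
                              (OID_CN, "www.example.com")))),  # an ordinary subject
])

def find_bare_c_us(csv_text: str):
    """Return SHA1s of certificates whose subject is exactly C=US and nothing else."""
    hits = []
    for sha1, b64 in csv.reader(io.StringIO(csv_text)):
        der = base64.b64decode(b64)
        if hashlib.sha1(der).hexdigest() != sha1:  # the hash_id column is the SHA1 of the DER
            raise ValueError(f"hash_id mismatch for {sha1}")
        if subject_of(der) == [("C", "US")]:
            hits.append(sha1)
    return hits

if __name__ == "__main__":
    print(find_bare_c_us(SAMPLE_CSV))
```

The match is on the whole subject, not on the presence of C=US, which is what keeps the hit list small (the deck's numbers: 90 suspects out of 200MM IPs). A bare C=US subject is still only a lead, since any operator can run the same openssl one-liner; the hits are the candidates to take into the first/last-seen and hosts pivots before anything is called a C2.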
200MM IPs
90 suspect
3 PSE
:-)
Oh… Just one more thing…
Splunk-based Certificate Research Platform
▶ Splunk Indexers (QTY=3): i3.2xlarge, 8 TB EBS Volume (10,000 IOPs), Elastic IP
▶ Splunk Search Head (QTY=1): c3.4xlarge, Elastic IP
▶ Data Staging and Load (QTY=1): i3.16xlarge, 8 TB EBS Volume (10,000 IOPs), Elastic IP
▶ Elastic Load Balancer (TCP/8088) → Splunk HTTP Event Collector
▶ Source: Internet-Wide Scans Repository, https://scans.io
▶ Processing and Load Metrics
• 6,000 Certificates / Second
• 25,000 Hosts / Second
Certificate Research Platform Resources
https://github.com/daveherrald/scansio-sonar-splunk
• Download any scans.io study, load sonar.ssl & sonar.https into Splunk for analysis
https://github.com/mpars0ns/scansio-sonar-es
• Download sonar.ssl and load it into Elasticsearch
Splunk Licensing
Free: 500MB / day
Enterprise Trial: 500MB / Day
Developer: 10 GB/Day
Enterprise Dev/Test: 50GB/day
Splunk Enterprise
Each approach has its pros and cons, but recall:
Can we wrap this up?
Conclusion
▶ SSL certificates can be a great way to track adversary behavior
▶ Consider tracking from known and unknown
▶ Think about bringing SSL certificates “in house” so you can run deeper analysis against them with temporal knowledge (first/last seen)
Special Thanks
▶ Mark Parsons
▶ IKBD
▶ Rapid 7
▶ Censys team at University of Michigan
▶ ICCS Conference
▶ Fordham University
▶ The FBI
Dave Herrald
@daveherrald
Ryan Kovar
@meansec
Contact info (Come see us at SANS CTI where we talk about ML against SSL data!)