home-grown cyber security… · cyber security framework many/most of the traditional info...

Home-Grown Cyber Security John B. Folkerts, CISSP https://www.linkedin.com/in/john-b-folkerts

Post on 30-Aug-2020


Page 1: Home-Grown Cyber Security … · Cyber Security Framework Many/most of the traditional Info Security capabilities are included Threat-centric model which “connects the dots”

Home-Grown Cyber Security

John B. Folkerts, CISSP

https://www.linkedin.com/in/john-b-folkerts

Page 2: About Me …

20 years doing Information Security, Architecture, and Risk Management in large enterprise environments

Prior to that, a Communications Officer in the US Air Force

Involved in many incident response efforts and technology deployments, including Identity Management, Data Loss Protection, Antivirus, Malware Sandbox technology, Log Management, and Intrusion Detection

Classical music fan, developing jazz aficionado

Page 3: Disclaimers

My comments reflect my own opinions, and not those of my employers, past, present, or future.

The tools and services mentioned in this presentation are freely available on the internet. They may not be suitable for your specific environment. Think carefully about your support requirements before using free or open source software or services.

Despite being free, most of the tools mentioned have software licensing that governs their use, distribution, etc. Please read the licenses and check with an attorney as needed to determine whether they are suitable for your environment.

Page 4: Traditional Approach to Security

(Controls-based: Patching, Antivirus, Firewalls, Complex Passwords … )

The Strengths

Protective – stop what we know is bad

The Weaknesses

Zero Day Exploits

Constantly changing malware signatures

Encryption, Tunneling through and around firewall rules

Passwords attacked at the weakest point – the user … or worse, the password hash database

Enter the Cyber Security Framework …

Page 5: Cyber Security Framework

Many/most of the traditional Info Security capabilities are included

Threat-centric model which “connects the dots” between security capabilities

Greater focus on detection and actionable response

Page 6: Basis for Home-grown Cyber Security

[Network diagram: Internet, Firewall, Wireless Router, Workstation, Printer, Laptops]

Not Optimal for Finding the Source of the Problem

Page 7: What’s Going On in My Network?

“If you really want to protect your network, you have to know your network” – Rob Joyce, Chief, Tailored Access Operations, National Security Agency

Check out: https://www.youtube.com/watch?v=bDJb8WOJYdA

Monitoring and detection inside your network is just as important as your network boundary.

Page 8: Modifications for Monitoring

Parts List:

Extra PC with (2) NIC cards and 16 GB RAM

Re-use Wireless Router

Inexpensive 8-port switch with span port capability

WiFi Access Point

[Network diagram: Internet, Firewall, Switch w/ Span Port, Wireless Router, WiFi Access Point, Workstation, Printer, Laptops; a Network Monitor PC attached to the switch's span port (Monitor Span Port)]

Page 9: “To Know Thyself …”

What’s on my Network?

Systems: DHCP assignments, IP addresses, MAC addresses

“Things” – Xbox, Ecobee, Raspberry Pi

What’s running on my Network?

User Agents: Common (Chrome, IE) and uncommon (powershell, …)

Executables: capture and hash

OBSERVED assets, executables, etc… are usually good enough!

Page 10: “… is the Beginning of Intelligence” (apologies to Socrates)

Threat Intelligence Types

IP, Domain BlackLists

MD5, SHA256 Hashes

Tactics, tools, shared analysis

Sources

intel.criticalstack.com

otx.alienvault.com

threatconnect.com

us-cert.gov

abuse.ch

Many more at https://github.com/hslatman/awesome-threat-intelligence

Ref: Threat Intel Pyramid of Pain courtesy of David Bianco

http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

Page 11: Basic Protections

On The Network:

Firewall – enable IP blocking

DNS “Firewall” – enable Domain blocking

BIND9: http://www.zytrax.com/books/dns/ch7/rpz.html

DNSMASQ: https://wiki.archlinux.org/index.php/dnsmasq

On The Host:

Current Patches

Current Antivirus

Backup and Recovery
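Putting the threat-intel domain blacklists from the previous slide behind the BIND9 RPZ "DNS firewall" described above, as an added Python example (not code from the deck). It normalizes a raw feed, renders an RPZ zone whose `CNAME .` rules return NXDOMAIN for each listed domain and its subdomains, and checks a query name the way the zone would; the feed contents, zone name and SOA values are constructed assumptions.

```python
import re

# Constructed sample feed in the one-domain-per-line style of the domain
# blacklists listed above (comments, blanks, mixed case, trailing dots).
SAMPLE_FEED = """\
# constructed sample, not a real feed
Bad-Example.test.
malware-c2.example   # duplicated on purpose
malware-c2.example
  tracker.invalid
not a domain!
"""

LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def normalize_feed(text):
    """Turn a raw feed into a sorted, de-duplicated list of hostnames.
    Comments and blanks are skipped, names lower-cased, trailing dots dropped,
    and anything that is not a syntactically valid hostname discarded."""
    seen = set()
    for raw in text.splitlines():
        name = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if name and len(name) <= 253 and all(LABEL.match(l) for l in name.split(".")):
            seen.add(name)
    return sorted(seen)

def rpz_zone(domains, zone="rpz.local"):
    """Render a BIND9 Response Policy Zone in which every listed domain and all
    of its subdomains answer NXDOMAIN (in RPZ, CNAME . is the NXDOMAIN action).
    The zone name and SOA values are assumptions for the example."""
    lines = ["$TTL 300",
             "@ IN SOA localhost. hostmaster.%s. (1 3600 600 86400 300)" % zone,
             "@ IN NS localhost."]
    for d in domains:
        lines.append("%s CNAME ." % d)
        lines.append("*.%s CNAME ." % d)
    return "\n".join(lines) + "\n"

def is_blocked(qname, domains):
    """What the zone above does to a query: blocked if the name equals a listed
    domain or sits anywhere beneath one (the *.domain wildcard rule)."""
    parts = qname.lower().rstrip(".").split(".")
    blocked = set(domains)
    return any(".".join(parts[i:]) in blocked for i in range(len(parts)))
```

Feed the rendered zone to BIND9 as an RPZ zone file; the same normalized list can be turned into `address=/domain/` lines for the dnsmasq route linked above.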

Page 12: Need Visibility!!

On The Network:

Security Onion – https://securityonion.net/

Bro - https://www.bro.org/

Snort – https://www.snort.org/

Sguil – https://www.sguil.net/

Wireshark – https://www.wireshark.org/

NetworkMiner – http://www.netresec.com/?page=NetworkMiner

ELSA – Enterprise Log Search & Archive - https://github.com/mcholste/elsa

On The Host:

OSSEC – https://ossec.github.io/

Sysmon - https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

Page 13: Detection Principles

Keep History

Continuous Monitoring of IOCs

Look for Anomalies

Match up Host Monitoring and Network Monitoring

Page 14: Host Monitoring

Sysmon 6.10

Brought to you by Microsoft Sysinternals – Windows system monitoring

Install: sysmon.exe -accepteula -i sysmon-config.xml

Update: sysmon.exe -c sysmon-config.xml

Remove: sysmon.exe -u

Features: Windows Log Process creation, File hashes, network connections, remote threads, registry mods, alternate data streams

OSSEC HIDS

Monitoring and Alerting of Unix and Windows systems

Use OSSEC to forward Sysmon logs to a safe place (like SecurityOnion/ELSA)

Resources

Swiftonsecurity Config - https://github.com/SwiftOnSecurity/sysmon-config

ION Storm Threat Intel Config - https://github.com/ion-storm/sysmon-config
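The "match up host monitoring and network monitoring" principle from the previous slide, applied to the Sysmon logs this slide forwards through OSSEC, as an added Python example (not code from the deck or from either tool). It joins a Bro conn.log flow to the Sysmon network-connection event (ID 3) with the same 5-tuple, pulls the image and SHA256 from the matching process-creation event (ID 1), and checks that hash against an IOC set; the log excerpt, event dicts, paths and hash values are all constructed.

```python
from datetime import datetime, timezone

# Constructed Bro conn.log excerpt (TSV with Bro's #fields header; ts is epoch seconds).
CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n"
    "1509800000.120\tC1\t192.168.1.20\t50123\t203.0.113.7\t443\ttcp\n"
    "1509800003.500\tC2\t192.168.1.20\t50124\t198.51.100.9\t8080\ttcp\n"
    "1509800050.000\tC3\t192.168.1.21\t50125\t203.0.113.7\t443\ttcp\n"
)
# Constructed Sysmon events as OSSEC would forward them: ID 1 (process create, carries
# the file hash) and ID 3 (network connect, carries the 5-tuple). Hashes are placeholders.
SYSMON = [
    {"EventID": 1, "ProcessGuid": "G-1", "Hashes": "MD5=0000,SHA256=AAAA1111",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"EventID": 1, "ProcessGuid": "G-2", "Hashes": "MD5=0000,SHA256=BBBB2222",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"},
    {"EventID": 3, "ProcessGuid": "G-2", "UtcTime": "2017-11-04 12:53:20.300", "Protocol": "tcp",
     "SourceIp": "192.168.1.20", "SourcePort": "50123", "DestinationIp": "203.0.113.7", "DestinationPort": "443"},
    {"EventID": 3, "ProcessGuid": "G-1", "UtcTime": "2017-11-04 12:53:23.000", "Protocol": "tcp",
     "SourceIp": "192.168.1.20", "SourcePort": "50124", "DestinationIp": "198.51.100.9", "DestinationPort": "8080"},
]

def parse_conn_log(text):
    """Parse Bro's TSV conn.log, taking column names from the #fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def sysmon_epoch(utc):
    """Sysmon UtcTime is naive UTC text; convert it to epoch seconds."""
    return datetime.strptime(utc, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc).timestamp()

def attribute_flows(conn_text, events, window=5.0):
    """Join each conn.log row to the Sysmon ID 3 event with the same 5-tuple within
    `window` seconds, then take image and SHA256 from the matching ID 1 event.
    Rows from hosts that do not run Sysmon come back with image and sha256 = None."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    by_tuple = {}
    for e in events:
        if e["EventID"] == 3:
            key = (e["SourceIp"], e["SourcePort"], e["DestinationIp"], e["DestinationPort"], e["Protocol"].lower())
            by_tuple.setdefault(key, []).append(e)
    out = []
    for row in parse_conn_log(conn_text):
        key = (row["id.orig_h"], row["id.orig_p"], row["id.resp_h"], row["id.resp_p"], row["proto"])
        ts = float(row["ts"])
        hit = next((e for e in by_tuple.get(key, []) if abs(sysmon_epoch(e["UtcTime"]) - ts) <= window), None)
        proc = procs.get(hit["ProcessGuid"]) if hit else None
        sha = None
        if proc:  # Hashes is "ALG=value,ALG=value"; pick the SHA256 entry
            sha = dict(h.split("=", 1) for h in proc["Hashes"].split(",")).get("SHA256")
        out.append({"uid": row["uid"], "image": proc["Image"] if proc else None, "sha256": sha})
    return out

def flag_iocs(flows, bad_sha256):
    """Return conn.log uids whose originating executable matches a hash IOC."""
    return [f["uid"] for f in flows if f["sha256"] in bad_sha256]
```

A flow with no Sysmon match (host C3 above) is itself a finding: either that host is not forwarding logs or the clocks disagree by more than the window.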

Page 15: Game Show Time!

“Does it Belong?” (on my network)

Page 16: Does it Belong? – Long DNS request

DNS query

Request:

tnncuaacaakn433maecaaagsaqaaa2lpfo3ve5lzd7ldo33maeaaaac3aaaabug.scjsaaaataaiaaa3n4zozkkr23mbxemjxewjevkw5s5zrcfqsbc5njwaqwstwnx.7tyud5d4yh3zsqcdiz6icpmlqyzfpubuw5ervi3so4q4mdhhxf64ctgre4zxyaa.aaaaaaaaaaa4x3qkm2ettg7a.a.j.e5.sk

Response: TXT 176

ANX8KgACABQAAAAAAAAA0gQAAAAAAAAAAAAAAAAAAAIAAABXAAAAJaPE4QAAEAAAAAAAAAAAAAAAAACnSdJrgTMO0oGe+2yVIa5YnbWRYq4kTMA6646ejwBHvY4yVgmIg2DMJKMfnAS1GH5nFGbv3/MjUUxO5U0QDFEPbeZdlQoKAA==

Snort Alert: MALWARE-OTHER dns request with long host name segment – possible data exfiltration attempt
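The check behind that Snort alert, generalized a little, as an added Python example (not code from the deck or from Snort): it scores a query name on its longest label, total length and the entropy of the part below the registered domain, using the query from this slide as the positive case. The thresholds, the two-label registered-domain assumption and the benign names are assumptions for the example.

```python
import math
from collections import Counter

# The query from this slide (joined back into one name) plus constructed benign
# names for contrast.
TUNNEL_QNAME = ("tnncuaacaakn433maecaaagsaqaaa2lpfo3ve5lzd7ldo33maeaaaac3aaaabug."
                "scjsaaaataaiaaa3n4zozkkr23mbxemjxewjevkw5s5zrcfqsbc5njwaqwstwnx."
                "7tyud5d4yh3zsqcdiz6icpmlqyzfpubuw5ervi3so4q4mdhhxf64ctgre4zxyaa."
                "aaaaaaaaaaa4x3qkm2ettg7a.a.j.e5.sk")
BENIGN_QNAMES = ["www.securityonion.net", "safebrowsing.googleapis.com"]

def shannon_entropy(s):
    """Bits per character; encoded payloads run well above ordinary hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def qname_features(qname):
    """Length, label count, longest label, and size/entropy of everything below
    the registered domain (assumed here to be the last two labels)."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    sub = "".join(labels[:-2])
    return {"length": len(qname), "labels": len(labels),
            "longest_label": max(len(l) for l in labels),
            "sub_len": len(sub), "entropy": shannon_entropy(sub)}

def is_suspicious(qname, max_label=50, max_len=100, min_entropy=3.5, min_sub=30):
    """Return the reasons a query looks like tunnelling/exfiltration, or [] if
    none. Thresholds are assumptions; tune them against your own DNS history
    (a 63-character label is the protocol maximum, so 50 is already extreme)."""
    f = qname_features(qname)
    reasons = []
    if f["longest_label"] >= max_label:
        reasons.append("long label (%d chars)" % f["longest_label"])
    if f["length"] >= max_len:
        reasons.append("long name (%d chars)" % f["length"])
    if f["sub_len"] >= min_sub and f["entropy"] >= min_entropy:
        reasons.append("high-entropy subdomain (%.2f bits/char)" % f["entropy"])
    return reasons
```

Run it over the dns.log Bro writes (or ELSA's stored queries) and compare hits against the observed-assets baseline from page 9; CDN and anti-virus update names are the usual benign sources of long labels.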

Page 17: Data Enrichment with domaintools.com

Page 18: Does it Belong? – TOR Exit Node

Snort Alert: ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 87

Page 19: Research using Wireshark

Page 20: Does it Belong? – Malware IOC

Page 21: Data Enrichment with Threat Research Tools

Page 22: Game: “Does it Belong?”

Page 23: RESPOND

Getting started with Response

First choice: Antivirus – a time saver

Continue to leverage threat intelligence

Analysis tools

Sysinternals tools* – sysmon, procmon, Process Explorer, autoruns, sigcheck, VMMap, ListDLLs – https://www.sysinternals.com/

VirusTotal (use with care) – https://www.virustotal.com/

Malware Sandboxing

Cuckoo Sandbox – https://www.cuckoosandbox.org/

Malwr – https://malwr.com/

Response Planning / Playbook

Develop Playbook for response consistency

Decisions – Eliminate the threat, or allow the threat to remain temporarily

Response Automation

* See also Troubleshooting with the Windows Sysinternals Tools by M. Russinovich & A. Margosis

Page 24: Recover

Recover is left as an “exercise for the reader”; it is a lot easier if Identify—Protect—Detect—Respond are in place.

Page 25: Summary

Identify

Assets, Executables

Start with Threat Intelligence

Protect

Standard controls (patching, AV, Firewalls)

Add DNS Blocking

Backup your Data

Detect

Monitor your Networks and Hosts

Use Threat Intel for Research / Validation

Ask Yourself: “Does it Belong?”

Respond and Recover