
Use Case implementation Wednesday, September 11, 2019 Master Skills University Munich 2019 — WW QRadar Exec Consulting Team

Contents
• Mitre Attack Framework Short Overview
• Command and Control
  – Analyze Network Data
  – Domain Generation Algorithm
  – Connection Proxy
• Data Exfiltration
• Privilege Escalation
• Lateral Movement

IBM Security / © 2019 IBM Corporation / Master Skills University Munich 2019


Mitre Attack Matrix
Speaker: Dieter Riexinger


MITRE ATT&CK: Enterprise Matrix

The full ATT&CK Matrix™ includes techniques spanning Windows, Mac, and Linux platforms and can be used to navigate through the knowledge base.

https://attack.mitre.org/matrices/enterprise/

Command & Control: List of Techniques and Detection Methods

Techniques → Detection Method

• Commonly Used Ports, Custom Command and Control Protocol, Custom Cryptographic Protocol, Data Encoding, Data Obfuscation, Fallback Channels, Multiband Communication, Multilayer Encryption, Remote Access Tools, Remote File Copy, Standard Application Layer Protocol, Standard Cryptographic Protocol, Standard Non-Application Layer Protocol, Uncommonly Used Port, Web Service
  → Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server).

• Commonly Used Ports, Connection Proxy, Custom Command and Control Protocol, Custom Cryptographic Protocol, Data Encoding, Data Obfuscation, Fallback Channels, Multiband Communication, Multilayer Encryption, Remote Access Tools, Remote File Copy, Standard Application Layer Protocol, Standard Cryptographic Protocol, Standard Non-Application Layer Protocol, Uncommonly Used Port, Web Service
  → Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

• (same technique list as the previous row)
  → Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.

• Communication Through Removable Media
  → Monitor file access on removable media. Detect processes that execute when removable media is mounted.

• Connection Proxy
  → Network activities disassociated from user-driven actions from processes that normally require user direction are suspicious.

• Connection Proxy
  → Analyze network data for uncommon data flows (e.g., between clients that should not or often do not communicate with one another).

• Custom Command and Control Protocol, Standard Non-Application Layer Protocol
  → Analyze network traffic for ICMP messages or other protocols that contain abnormal data or are not normally seen within or exiting the network.

• Custom Command and Control Protocol, Standard Non-Application Layer Protocol
  → Monitor and investigate API calls to functions associated with enabling and/or utilizing alternative communication channels.

Command & Control: Detection (Page 1)

Techniques → Detection Method

• Commonly Used Ports, Custom Command and Control Protocol, Custom Cryptographic Protocol, Data Encoding, Data Obfuscation, Fallback Channels, Multiband Communication, Multilayer Encryption, Remote Access Tools, Remote File Copy, Standard Application Layer Protocol, Standard Cryptographic Protocol, Standard Non-Application Layer Protocol, Uncommonly Used Port, Web Service
  → Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server).

• Custom Cryptographic Protocol, Multilayer Encryption, Standard Cryptographic Protocol
  → If malware uses custom encryption with symmetric keys, it may be possible to obtain the algorithm and key from samples and use them to decode network traffic to detect malware communications signatures.

• (technique list as in the first row)
  → Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

• (technique list as in the first row)
  → Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.

Analyze network data for uncommon data flows: Detection

How can we detect that?

Data needed?
• Firewall events containing metadata
• Netflow

SIEM Use Case?
• CRE Rule looking for firewall web traffic events having a byte ratio that is mostly outbound
• CRE Rule looking for web traffic having a byte ratio that is mostly outbound

Command & Control: It's lab time - warm-up!

How can we detect if there is outbound web traffic?

We already have default rules for that:
• Large Outbound Transfer High Rate of Transfer on flows
• Large Outbound Transfer Slow Rate of Transfer on flows

Go to the Offenses tab and look for offenses having a similar name.

How to tune the rule for detecting outbound web traffic? These rules require tuning!
• Exclude well-known upload domains, e.g., IBM Box
• You might use Remote Networks for that kind of tuning, where you define upload sites

Then add filter: (screenshot of the rule filter in the original slide)

Command & Control: What to look for

Other patterns for "uncommon data flows"?
• Repeating HTTP requests in intervals to the same destination IP/port (events)
• Repeating DNS requests in intervals to the same destination IP/port (flows/events)

Command & Control: It's lab time!

How can we detect if there is repeating communication at fixed intervals? ➔ AQL

How to define an AQL statement to detect beaconing traffic on your QRadar CE edition? Example:

    SELECT sourceip, destinationip, destinationport, "unique hours", "total events"
    FROM (
      SELECT sourceip, destinationip, destinationport,
             UNIQUECOUNT(DATEFORMAT(devicetime, 'HH')) AS "unique hours",
             COUNT(*) AS "total events"
      FROM events
      WHERE eventDirection = 'L2R' AND destinationport IN (80, 443)
      GROUP BY sourceip, destinationip, destinationport
      LAST 24 HOURS
    )
    WHERE "unique hours" > 20 AND "total events" < 25

Note: DATEFORMAT takes a Java date pattern. 'HH' is the hour of the day (00-23); the 12-hour field 'hh' (01-12) would cap "unique hours" at 12, so the "> 20" condition could never match.

Command & Control: It's lab time!

▪ In our lab we do not have data from the last 24 hours.
▪ Instead we use 1-minute time slots to simulate this behavior ('mm' is the minute of the hour, 00-59):

    SELECT sourceip, destinationip, destinationport, "unique hours", "total events"
    FROM (
      SELECT sourceip, destinationip, destinationport,
             UNIQUECOUNT(DATEFORMAT(devicetime, 'mm')) AS "unique hours",
             COUNT(*) AS "total events"
      FROM events
      WHERE eventDirection = 'L2R' AND destinationport IN (80, 443)
      GROUP BY sourceip, destinationip, destinationport
      LAST 24 MINUTES
    )
    WHERE "unique hours" > 20 AND "total events" < 25

Command & Control: It's lab time!

What kind of tuning would be necessary?
• Restrict to the client network
• Exclude trusted targets

    SELECT sourceip, destinationip, destinationport, "unique hours", "total events"
    FROM (
      SELECT sourceip, destinationip, destinationport,
             UNIQUECOUNT(DATEFORMAT(devicetime, 'HH')) AS "unique hours",
             COUNT(*) AS "total events"
      FROM events
      WHERE NETWORKNAME(SourceIP, DomainID) = 'Office'
        AND NOT REFERENCESETCONTAINS('TrustedWebServers', destinationip)
        AND eventDirection = 'L2R' AND destinationport IN (80, 443)
      GROUP BY sourceip, destinationip, destinationport
      LAST 24 HOURS
    )
    WHERE "unique hours" > 20 AND "total events" < 25
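The "unique hours" beaconing filter from the three queries above, re-implemented in JavaScript over constructed events so the logic can be checked offline. This is an added example, not code from the slides; the event shape (sourceip, destinationip, destinationport, eventDirection, devicetime in ms) is assumed. It also shows why the DATEFORMAT pattern matters: with a 12-hour field the unique count can never exceed 12.

```javascript
// Java 'HH' = hour of day 00-23; Java 'hh' = hour of the 12-hour clock 01-12.
function hourOfDay24(ms) {
  return String(new Date(ms).getUTCHours()).padStart(2, "0");
}
function hourOfDay12(ms) {
  const h = new Date(ms).getUTCHours() % 12;
  return String(h === 0 ? 12 : h).padStart(2, "0");
}

// Equivalent of the AQL: group L2R web events per (src, dst, port), count
// distinct hour buckets and total events, keep groups with many hours but few events.
function uniqueHourBeacons(events, { hourFormat = hourOfDay24, minUniqueHours = 20, maxEvents = 25 } = {}) {
  const groups = new Map();
  for (const e of events) {
    if (e.eventDirection !== "L2R" || ![80, 443].includes(e.destinationport)) continue;
    const key = `${e.sourceip}|${e.destinationip}|${e.destinationport}`;
    const g = groups.get(key) || { key, hours: new Set(), total: 0 };
    g.hours.add(hourFormat(e.devicetime));
    g.total += 1;
    groups.set(key, g);
  }
  return [...groups.values()]
    .filter((g) => g.hours.size > minUniqueHours && g.total < maxEvents)
    .map((g) => ({ key: g.key, uniqueHours: g.hours.size, totalEvents: g.total }));
}

// Constructed sample day (not real data): a beacon calling out once per hour,
// a user browsing heavily during office hours, and a client with three requests.
const DAY_START = Date.UTC(2019, 8, 11); // 2019-09-11 00:00 UTC
function mkEvent(sourceip, destinationip, destinationport, hour, minute) {
  return { sourceip, destinationip, destinationport, eventDirection: "L2R",
           devicetime: DAY_START + (hour * 60 + minute) * 60000 };
}
const SAMPLE_EVENTS = [];
for (let h = 0; h < 24; h++) SAMPLE_EVENTS.push(mkEvent("10.0.0.5", "203.0.113.10", 443, h, 7)); // beacon: 24 events
for (let h = 8; h < 18; h++)
  for (let m = 0; m < 60; m += 5) SAMPLE_EVENTS.push(mkEvent("10.0.0.6", "198.51.100.20", 443, h, m)); // 120 events
for (const h of [9, 13, 17]) SAMPLE_EVENTS.push(mkEvent("10.0.0.7", "198.51.100.30", 80, h, 0)); // 3 events

console.log(uniqueHourBeacons(SAMPLE_EVENTS));                              // flags the beacon only
console.log(uniqueHourBeacons(SAMPLE_EVENTS, { hourFormat: hourOfDay12 })); // flags nothing: max 12 buckets
```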

Command & Control: Using AQL to find traffic in constant intervals

An alternative would be to search for traffic in constant intervals. For example, malware like DRIDEX, ICEDID, TRICKBOT and ZEUS calls home in regular intervals, e.g., every 300 seconds, and varies the message content.

How can we detect that independent of protocol, content and interval gap?

Command & Control: It's lab time!

Since QRadar 7.3.0 we can use AQL Functions: customer-specific functions that extend the AQL language individually. The AQL function "GAP" reports the number of flows in a row with similar gaps.

Parameters: lastpackettime, sourceip, destinationip, destinationport, deviation

Example: Flow1, time = 300000; Flow2, time = 300000; Flow3, time = 302000; Flow4, time = 300000; Flow5, time = 301000; Flow6, time = 300000; Flow7, time = 299000

Value returned by GAP for Flow1 … Flow7 (➔ value after the last flow):
• deviation = 0:    0 1 0 0 0 0 0 ➔ 0
• deviation = 1000: 0 1 0 0 1 2 3 ➔ 3
• deviation = 2000: 0 1 2 3 4 5 6 ➔ 6

Command & Control: It's lab time!

Please download from our box folder: Interval.xml.zip

Deploy on QRadar:
1. Copy the file to your QRadar /root folder
2. Import the file using the command:
   /opt/qradar/bin/contentManagement.pl -a update -f /root/Interval.xml.zip

Command & Control: It's lab time!

You should have the AQL Function "GAP" already in your QRadar instance. Now we can search for traffic in constant intervals. Example:

    SELECT sourceip, destinationip, destinationport, "noOfGaps", "noOfPings"
    FROM (
      SELECT sourceip, destinationip, destinationport,
             MAX("gap") AS "noOfGaps", COUNT(*) AS "noOfPings"
      FROM (
        SELECT sourceip, destinationip, destinationport,
               DATEFORMAT(endtime, 'yyyy-MM-dd HH:mm:ss') AS flowtime,
               lastpackettime,
               APPLICATION::GAP(lastpackettime, sourceip, destinationip, destinationport, 3000) AS "gap"
        FROM flows
        ORDER BY lastpackettime
        LAST 30 MINUTES
      )
      GROUP BY sourceip, destinationip, destinationport
    )
    WHERE LONG("noOfGaps") > LONG("noOfPings") - 3 AND LONG("noOfGaps") > 5

Note: in Java date patterns 'yyyy' is the calendar year ('YYYY' is the week-based year, which differs around the turn of the year).

Command & Control: Detection (Page 2)

Techniques → Detection Method

• Communication Through Removable Media
  → Monitor file access on removable media. Detect processes that execute when removable media is mounted.

• Remote Access Tools
  → Monitor for applications and processes related to remote admin tools. Correlate activity with other suspicious behavior that may reduce false positives if these tools are used by legitimate users and administrators.

• Remote Access Tools
  → Domain Fronting may be used in conjunction to avoid defenses. Adversaries will likely need to deploy and/or install these remote tools to compromised systems. It may be possible to detect or prevent the installation of these tools with host-based solutions.

• Custom Command and Control Protocol, Standard Non-Application Layer Protocol
  → Analyze network traffic for ICMP messages or other protocols that contain abnormal data or are not normally seen within or exiting the network.

• Custom Command and Control Protocol, Standard Non-Application Layer Protocol
  → Monitor and investigate API calls to functions associated with enabling and/or utilizing alternative communication channels.

• Multilayer Encryption
  → If malware uses Standard Cryptographic Protocol, SSL/TLS inspection can be used to detect command and control traffic within some encrypted communication channels. [7] SSL/TLS inspection does come with certain risks that should be considered before implementing to avoid potential security issues such as incomplete certificate validation. [8] After SSL/TLS inspection, additional cryptographic analysis may be needed to analyze the second layer of encryption.

• Standard Cryptographic Protocol
  → SSL/TLS inspection is one way of detecting command and control traffic within some encrypted communication channels. [63] SSL/TLS inspection does come with certain risks that should be considered before implementing to avoid potential security issues such as incomplete certificate validation.

• Domain Generation Algorithms
  → Detecting dynamically generated domains can be challenging. (…) Another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.

Command & Control: DNS Analyzer App

Data Sources:
• DNS logs
• DNS queries observed by QNI

Detection:
• DGA
• Tunneling
• Beaconing
• Squatting

Command & Control: It's lab time!

We pre-installed DNS Analyzer on QRadar CE for you. In the meantime you should see some results reported by DNS Analyzer. Search for events using the filter "Log Source is IBM DNS Analyzer". (Screenshot of the search results in the original slide.)

Command & Control: Detection (Page 3)

Techniques → Detection Method

• Multi-Stage Channels, Web Service
  → Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption.

• Multi-Stage Channels
  → Relating subsequent actions that may result from Discovery of the system and network information or Lateral Movement to the originating process may also yield useful data.

• Multi-hop Proxy
  → When observing use of Multi-hop proxies, network data from the actual command and control servers could allow correlating incoming and outgoing flows to trace malicious traffic back to its source. Multi-hop proxies can also be detected by alerting on traffic to known anonymity networks (such as Tor) or known adversary infrastructure that uses this technique.

• Multiband Communication
  → Correlating alerts between multiple communication channels can further help identify command-and-control behavior.

• Domain Fronting
  → If SSL inspection is in place or the traffic is not encrypted, the Host field of the HTTP header can be checked if it matches the HTTPS SNI or against a blacklist or whitelist of domain names.

• Port Knocking
  → Record network packets sent to and from the system, looking for extraneous packets that do not belong to established flows.

• Connection Proxy
  → Network activities disassociated from user-driven actions from processes that normally require user direction are suspicious.

• Connection Proxy
  → Analyze network data for uncommon data flows (e.g., between clients that should not or often do not communicate with one another).

• Remote File Copy
  → Monitor for file creation and files transferred within a network over SMB.

• Remote File Copy
  → Unusual processes with external network connections creating files on-system may be suspicious.

• Remote File Copy
  → Use of utilities, such as FTP, that does not normally occur may also be suspicious.

Command & Control: Detecting Client-To-Client Traffic

(Diagram in the original slide; labels: Clients, Servers, QRadar UBA, Identity, Dev/Test, SW Developer, Core Banking, QRadar Asset Mgmt)

What kind of data do we need to detect this kind of traffic?

Command & Control: Detecting Client-To-Client Traffic

Implementation:
1. Define Network Client_Network in Network Hierarchy ➔ We have already! Network Hierarchy object "Office"
2. Define a CRE rule detecting client-to-client communication

Data Exfiltration
Speaker: Filip Schepers


Exfiltration: Detection (in transit)

Techniques → Detection Method

• Automated Exfiltration
  → Monitor process file access patterns and network behavior. Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious.

• Data Compressed
  → Compression software and compressed files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known compression utilities. This may yield a significant amount of benign events, depending on how systems in the environment are typically used. If the communications channel is unencrypted, compressed files can be detected in transit during exfiltration with a network intrusion detection or data loss prevention system analyzing file headers.

• Data Encrypted
  → Encryption software and encrypted files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known encryption utilities. This may yield a significant amount of benign events, depending on how systems in the environment are typically used. Often the encryption key is stated within command-line invocation of the software. A process that loads the Windows DLL crypt32.dll may be used to perform encryption, decryption, or verification of file signatures. Network traffic may also be analyzed for entropy to determine if encrypted data is being transmitted. If the communications channel is unencrypted, encrypted files of known file types can be detected in transit during exfiltration with a network intrusion detection or data loss prevention system analyzing file headers.

© 2016 IBM Corporation


Exfiltration: Detection

Techniques → Detection Method

• Data Transfer Size Limits, Exfiltration Over Alternative Protocol, Exfiltration Over Command and Control Channel
  → Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). If a process maintains a long connection during which it consistently sends fixed size data packets or a process opens connections and sends fixed sized data packets at regular intervals, it may be performing an aggregate data transfer. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.

• Exfiltration Over Other Network Medium
  → Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Processes that normally require user-driven events to access the network (for example, a mouse click or key press) but access the network without such may be malicious. Monitor for and investigate changes to host adapter settings, such as addition and/or replication of communication interfaces.

• Scheduled Transfer
  → Monitor process file access patterns and network behavior. Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious. Network connections to the same destination that occur at the same time of day for multiple days are suspicious.


Correction ☺

Original: "compressed files can be detected in transit during exfiltration with a network intrusion detection or data loss prevention system analyzing file headers."

Corrected: "compressed files can be detected in transit during exfiltration with a Network Insights solution analyzing file properties."


Exfiltration detection – data loss / detection of sensitive content

How can we detect potential data loss?

▪ Data needed
  – Content analysis of files in transit for
    • Personally identifiable information (PII)
    • Files tagged as “secret”, “confidential”, … (“entity alert”)
  → QRadar Network Insights

▪ SIEM Use Case
  – CRE Rule looking for files containing PII
  – CRE Rule looking for files that are tagged


Network activity: group by Suspect Content Descriptions


Detection of compressed / encrypted data in transit

How can we detect compressed and encrypted files?

▪ Data needed
  – Information about files in transit
    • File type
    • Encrypted?
    • Entropy
  → QRadar Network Insights

▪ SIEM Use Case
  – CRE Rule looking for file extensions associated with compressed files
  – CRE Rule looking for file headers of compressed files
  – CRE Rule looking for files using encryption
  – Search for files with deviating entropy


Network activity: File information


File type – Lab (1)

How can we filter files by file type?

1. Using the file extension – AQL:

    SELECT "file name",
           SUBSTRING("file name", STRLASTPOS("file name", '.', 1) + 1, STRLEN("file name")) AS "File type"
    FROM flows
    WHERE "file name" IS NOT NULL
    LAST 24 HOURS

Note: STRLASTPOS requires 7.3.2 P2 – on earlier versions, replace it with STRPOS("file name", '.', 1) + 1 or with a custom function, e.g.:

    function str_last_pos(input, substring) {
      return input.lastIndexOf(substring);
    }

File type – Lab (2)

2. Using ContentType (web, mail, smb) – AQL:

    SELECT "content type", APPLICATIONNAME(applicationid) AS "Application"
    FROM flows
    WHERE "file name" IS NOT NULL
    GROUP BY Application
    LAST 24 HOURS

Network activity: File type



File type?

3. Yara – e.g. https://github.com/BayshoreNetworks/yextend/blob/master/libs/bayshore_file_type_detect.yara – Windows or ELF executable files based on the magic header:

    rule yar_windows_executable {
      condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
    }

    rule yar_elf_executable {
      condition:
        uint16(0) == 0x457f
    }


Yara: encrypted archive files

    rule yar_encrypted_archive_zip {
      meta:
        ref = "https://blog.korelogic.com/blog/2015/08/19/yara-ctf-2"
        comment = "encrypted zip file"
      strings:
        $local_file = { 50 4b 03 04 }
      condition:
        // look for the ZIP header
        uint32(0) == 0x04034b50 and
        // make sure we have a local file header
        $local_file and
        // go through each local file header and see if the encrypt bits are set
        for any i in (1..#local_file): (uint16(@local_file[i]+6) & 0x1 == 0x1)
    }

    rule yar_encrypted_archive_rar {
      meta:
        ref = "https://github.com/BayshoreNetworks/yextend/blob/master/libs/bayshore_file_type_detect.yara"
      strings:
        $encrypted_rar_archive = { 52 61 72 21 1a 07 00 }
      condition:
        $encrypted_rar_archive
    }

Network activity: group by Suspect Content Descriptions



File entropy?

▪ https://en.wikipedia.org/wiki/Entropy_(information_theory)
▪ Higher value means more random (non-uniform) data
  – Compressed files, packed executables
  – Encrypted files, containers, volumes
  – Executables with decryption routines

▪ 0
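The checks behind the Yara rules above (MZ/PE and ELF magic headers, the ZIP local-file-header encryption bit) together with the byte-entropy measure, as an added JavaScript example; it is not code from the slides or from the yextend project. The sample buffers are constructed and contain only the bytes the checks inspect.

```javascript
// Little-endian readers with the same bounds behaviour as Yara's uint16()/uint32()
// (undefined outside the buffer; here returned as null).
function u16(buf, off) { return off + 2 <= buf.length ? buf.readUInt16LE(off) : null; }
function u32(buf, off) { return off + 4 <= buf.length ? buf.readUInt32LE(off) : null; }

// Mirrors yar_windows_executable and yar_elf_executable.
function executableType(buf) {
  if (u16(buf, 0) === 0x5a4d) {                // "MZ"
    const peOff = u32(buf, 0x3c);              // e_lfanew
    if (peOff !== null && u32(buf, peOff) === 0x00004550) return "windows_executable"; // "PE\0\0"
  }
  if (u16(buf, 0) === 0x457f) return "elf_executable"; // 0x7f 'E'
  return null;
}

// Mirrors yar_encrypted_archive_zip: every local file header (PK\x03\x04) has its
// general-purpose flags at offset +6; bit 0 marks an encrypted entry.
function zipHasEncryptedEntry(buf) {
  if (u32(buf, 0) !== 0x04034b50) return false;
  const sig = Buffer.from([0x50, 0x4b, 0x03, 0x04]);
  let off = buf.indexOf(sig);
  while (off !== -1) {
    const flags = u16(buf, off + 6);
    if (flags !== null && (flags & 0x1) === 0x1) return true;
    off = buf.indexOf(sig, off + 1);
  }
  return false;
}

// Shannon entropy in bits per byte: 0 for constant data, 8 for uniformly random bytes.
function shannonEntropy(buf) {
  if (buf.length === 0) return 0;
  const counts = new Array(256).fill(0);
  for (const b of buf) counts[b] += 1;
  let h = 0;
  for (const c of counts) {
    if (c === 0) continue;
    const p = c / buf.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Constructed samples (not real files): only the header bytes the checks look at.
function fakePe() {
  const buf = Buffer.alloc(0x100, 0);
  buf.write("MZ", 0, "ascii");
  buf.writeUInt32LE(0x80, 0x3c);          // e_lfanew points at 0x80
  buf.write("PE\0\0", 0x80, "ascii");
  return buf;
}
function fakeElf() {
  return Buffer.concat([Buffer.from([0x7f, 0x45, 0x4c, 0x46]), Buffer.alloc(60, 0)]);
}
function fakeZip(encryptSecondEntry) {
  const hdr = (flags) => {
    const h = Buffer.alloc(30, 0);
    h.writeUInt32LE(0x04034b50, 0);        // local file header signature
    h.writeUInt16LE(20, 4);                // version needed to extract
    h.writeUInt16LE(flags, 6);             // general-purpose bit flags
    return h;
  };
  return Buffer.concat([hdr(0), Buffer.from("plain entry"),
                        hdr(encryptSecondEntry ? 1 : 0), Buffer.from("second entry")]);
}
const SAMPLES = {
  pe: fakePe(),
  elf: fakeElf(),
  zipPlain: fakeZip(false),
  zipEncrypted: fakeZip(true),
  zeros: Buffer.alloc(1024, 0),
  allBytes: Buffer.from([...Array(256).keys()]),
};

for (const [name, buf] of Object.entries(SAMPLES)) {
  console.log(name, executableType(buf), zipHasEncryptedEntry(buf), shannonEntropy(buf).toFixed(2));
}
```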