Sunday, March 25, 2012

Artifacts of Intrusion

As many of us in the network forensics/network traffic analysis field know, looking for the artifacts of infection/intrusion can often be much easier than catching the actual infection.  Regardless of how one "latches on" to or otherwise becomes aware of an infected system, one should also take the time to perform due diligence in confirming that the system is indeed infected.  Here are some points that can be helpful during this process:

  1. Look for the infection vector.  Was it web-based?  Email-based?  Some other means?  Can information relating to the infection vector be used to harden the enterprise or otherwise improve the enterprise's security posture?
  2. Check anti-virus or host-based IDS/IPS logs.  Was the threat detected and remediated by either of those?  Could there have been more than one threat, one or more of which was perhaps not caught by either of those?
  3. Can a sample of the malicious code be isolated for analysis?  Does analysis of the malicious code sample provide any information or intelligence (such as callbacks or other artifacts of intrusion) that can be fed back into the analysis process and/or used to harden the enterprise or otherwise improve the enterprise's security posture?
  4. Look for the artifacts of intrusion in the network traffic data.  Does the network traffic data provide evidence that the malicious code successfully infected the machine?
  5. Based on the information gathered in steps 1-4, make an educated decision, rather than a happenstance decision, regarding remediation.
This certainly isn't an exhaustive list, but it does provide a skeleton analysis process for malicious code incidents.  Perhaps useful to those who may be less familiar with or less experienced in this realm....

An Inspiring Phone Call

Last night, I received a phone call from a neighbor asking if he should renew his home anti-virus subscription.  I typically shy away from giving people advice on this sort of question, but it did give me pause and caused me to do some thinking before I answered him.

I thought about how in most large enterprises that I advise, anti-virus is <25% effective at detecting malicious code threats.  Worse yet, most anti-virus vendors have not only sold large enterprises software that is largely ineffective, but they have also sold those enterprises on a mantra/workflow/philosophy that is nearly useless.  In other words, most anti-virus vendors will suggest that you review their logs regularly to identify systems infected with malicious code.  I remember from graduate school that this is, by definition, the quintessential biased sample.  In other words, since anti-virus is <25% effective at detecting and identifying threats, the enterprise is left with a gaping hole/blind spot of >75%.  Stated another way, if you trust anti-virus logs to guide your analysis, workflow, and/or process, you will be left largely in the dark.

The "Know Your Network" philosophy discussed in this blog and elsewhere is really the only way to effectively monitor a large, enterprise network.  Unfortunately, anti-virus vendors do not seem to be interested in improving through novel or cutting edge techniques.  They are quite content to sell both home users and enterprises the 21st century equivalent of a bridge.

Of course, anti-virus logs are somewhat useful as a supporting/corroborating data source for investigations that begin with true network forensics/network traffic analysis, but not much else.  In other words, anti-virus logs can tell you if the malicious code that you see a user downloading in the proxy logs or via deep packet inspection (DPI) data was somehow detected and cleaned by anti-virus.  As an aside, even this is not 100% reliable though, as it is not uncommon for malicious code infection vectors to try several different exploits and/or executable downloads.  Just because anti-virus caught one of them, doesn't mean it caught all of them.  The analyst still needs to examine the proxy logs, firewall logs, DPI data, and/or any other relevant data looking for artifacts of infection.

So back to my neighbor.  After thinking about this for a moment, I explained to him that the anti-virus vendor he was thinking of sending additional money to was really no more effective than some of the free products that are available.  I advised him to hold onto his money.  After all, if one ignores the hype and thinks about it logically, it only makes sense.

Sunday, March 4, 2012

Passive DNS Expansion

Recently, I learned that an analytical method I had experimented with a while back was being used by an organization to generate intelligence.  It would have been nice to have been given proper credit, but regardless, it's still great that the method is in use.  I've called the method "Passive DNS Expansion" for lack of a better term.  The basic idea is that you use a combination of forward DNS resolution and passive DNS data to generate lists of malicious domain names that can be used for analysis and/or network defense purposes.  It turns out to be a pretty handy way to generate some actionable intelligence.  The basic algorithm is as follows:

1) Begin with a known malicious domain name
2) Forward resolve the known malicious domain name and obtain its current IP address
3) Leverage passive DNS data to identify the domain's IP address history
4) Search passive DNS data for the IP addresses to obtain a list of domain names associated with those IP addresses
5) Perform some cursory research on the domain names to determine whether or not they can be reliably used for analysis/network defense

I'd like to illustrate this with an example.  I picked the domain name at the top of the Zeus Tracker list this morning to use as an example for illustrative purposes:

1) I begin with the domain name freetop[.]mobi, which I obtained from the Zeus Tracker list
2) The domain name forward resolves to 69[.]175[.]127[.]82
3) Passive DNS data shows only one IP address for this domain: 69[.]175[.]127[.]82
4) In this case, there is only one additional domain name associated with this IP address in passive DNS data: mymobilewap[.]info
5) A Google search for mymobilewap[.]info indicates that the domain name is most likely malicious and could probably be used reliably for network traffic analysis purposes.

I'm a big fan of this method.  In the past, I've scripted these steps to automate the process with positive results.  Feel free to give it a try and let me know your thoughts!