BDIR Podcast Episode-003

Join our #Slack Channel! Email us at bds.podcast@gmail.com or or DM us on Twitter @brakesec

Join us for Episode-003, our guest will be:

         Lesley Carhart - Principal Threat Hunter at Dragos Inc.

News-Worthy - City of Atlanta ransomware FOLLOW-Up

Atlanta Working 'Around The Clock' To Fight Off Ransomware Attack

City ATL.JPG

ATLANTA SPENT $2.6M TO RECOVER FROM A $52,000 RANSOMWARE SCARE

Atlanta government was compromised in April 2017 – well before last week’s ransomware attack

Compromised Connected Fish Tank - Comes from a global threat report (2017) from Darktrace - a summary of their case studies for the year

Malware of the Month

Sigma Ransomware - Notable artifact

  • No text in the body of the message, just an image of text

  • Breaks any scanning of text for passwords to use in the attached Office documents by sandbox evaluation solutions

Site-Worthy

1.  BDIR - ISO 27035 - Information security incident management

2.  BDIR - NIST 800-61

Guest - Lesley Carhart

  1. http://www.forensicmethods.com/

  2. http://windowsir.blogspot.com/

  3. https://forensiccontrol.com/resources/free-software/

  4. https://digital-forensics.sans.org/blog

Tool-Worthy

  1. BDIR - Blue Team Handbook: Incident Response Edition: A :  by Don Murdoch GSE
  2. BDIR - Blue Team Field Manual (by Alan J White and Ben Clark

Guest - Lesley Carhart

1.  Didier writes lots of handy tools useful for forensics and IR. I use his pdf tools

2.  A fair bit for inspecting suspicious attachments; rtfdump and oledump seem to do the same for OLE and RTF files.

Other tools Lesley recommends you learn:

Books Lesley recommends everyone read for IR

  • Blue Team Field Manual (BTFM) - by Alan White (Author), Ben Clark (Author)
  • Windows Internals, Part 1: System architecture, processes, threads, memory management, and more (7th Edition) 7th Edition - by Pavel Yosifovich (Author), Mark E. Russinovich (Author), David A. Solomon (Author), Alex Ionescu (Author)
  • Windows Forensic Analysis DVD Toolkit, Second Edition 2nd Edition - by Harlan Carvey (Author)
  • Digital Forensics with Open Source Tools: Using Open Source Platform Tools for Performing Computer Forensics on Target Systems: Windows, Mac, Linux, Unix, etc 1st Edition, Kindle Edition - by Cory Altheide (Author), Harlan Carvey (Author)
  • The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory 1st Edition - by Michael Hale Ligh (Author), Andrew Case (Author), Jamie Levy (Author), AAron Walters (Author)
  • Practical Malware Analysis: A Hands-On Guide to Dissecting Malicious SoftwareFeb 1, 2012 - by Michael Sikorski and Andrew Honig

Topic of the Day

The Incident Response Process,  - Program, Plan, Policy, Process, Playbooks, and roles

The Program

  • ISO 27035 - Information security incident management
  • NIST 80-61 - Computer Security Incident Handling Guide (August 2012)

Plan

Model

  • PICERL - SANS

  • Prep, Detect/Analysys, Contain/Eradicate/Recovery, Post Incident Activity - NIST

Playbooks: (or “What to do in the event of...”)

  1. Ransomware

  2. Malware infection

  3. Website defacement

  4. Unauthorized Domain Admin Access

  5. Multiple Simultaneous Logins

  6. Media call / report of an incident from external entity

  7. DoS

https://ayehu.com/cyber-security-incident-response-automation/top-5-cyber-security-incident-response-playbooks/

8.  Phishing

9.  Credential Stealing phishing  

10.  Lost or stolen equipment

11.  When to use Forensics

12.  How to do forensics

IESO - Cyber Security Forum - Playbooks

CERT SOCIETE GENERALE - IRM (Incident Response Methodologies)

(From a list found on Peerlyst)

  1. Phishing

  2. Virus or Worm

  3. Ensure that the host has an updated virus definition file

  4. Traffic Flows

  5. Denial of service (Network Crafted)

  6. Denial of service (spam)

  7. Host Compromise (Trojan)

  8. Network Compromise (Cracking)

  9. Host Compromise (physical Access)

  10. Domain Hijacking

  11. Dns Cache Poisoning

  12. Suspicious User Activity

  13. User Account Compromised

  14. Unauthorized Access (Employee)

  15. Corporate espionage

  16. Internet Hoaxes

  17. IP Telephony denial of service or Outage

  18. Unauthorized remote access protocol

  19. Suspicious website access

  20. Unexpected administrative account / permissions added.

Roles:

  • What is each person responsible for?

All the people add up to  and are a part of your CIRT (NOT CERT)

  • Incident Responder / IR Manager

  • Incident Handler

    • Project Manager

    • Communication lead

    • Documentation lead

  • Security Operations Analysts / Triage Analysts

  • Forensic Analysts:

  • Malware Reversers

  • Security Engineering

  • Threat Intelligence

  • Leadership

  • HR

  • PR / Corporate Communications

  • Legal Council

  • IT (Domain Admin, Help Desk, Server Admins, Client / Patch Admins)

  • Audit

  • GRC / Disaster Recovery / Risk Management

  • Developers / AppSec / Product Engineering

War Room

  • What is it and when to use it and why

Tabletop Exercises

  • What should you do here

IR Firm Retainer & Fees can be used for?

  • What can you use them for?

Breach Notification

  • Who is involved

  • What to prepare

  • Whom to involve

Training:

Carnegie Mellon - SEI - CSIH

  • https://www.sei.cmu.edu/education-outreach/credentials/credential.cfm?customel_datapageid_14047=14324

  • SANS

-----------------------------------------------------------------------------------------------

BDIR Podcast Episode-002

Join our #Slack Channel! Email us at bds.podcast@gmail.com or or DM us on Twitter @brakesec

Join us for Episode-002, our guest will be:

         David Longenecker - InfoSec Practitioner

  • Twitter: @dnlongen
  • Blog: SecurityForRealPeople.com
  • GitHub - https://github.com/dnlongen

News-Worthy - City of Atlanta hit with ransomware, services taken offline

  1. Atlanta Working 'Around The Clock' To Fight Off Ransomware Attack

    1. “Mayor (Keisha Lance Bottoms) told reporters that cybersecurity is now a top priority for the city.”

    2. “Wi-Fi at Hartsfield-Jackson Atlanta International Airport has been shut down as a precaution”

  2. Six days after a ransomware cyberattack, Atlanta officials are filling out forms by hand

    1. “SecureWorks and the city's incident response team are working with law enforcement, including the FBI, Homeland Security and the Secret Service, as well as independent forensics experts and educational partners like Georgia Tech, to determine exactly what happened.”

    2. “I am looking forward to us really being a national model of how cities can shore themselves up and be stronger because of it.” mayor said regarding digital infrastructure

  3. http://malwarejake.blogspot.com/2018/03/atlanta-government-was-compromised-in.html

  4. https://www.tripwire.com/state-of-security/latest-security-news/atlanta-struggling-to-recover-from-ransomware-infection-days-after-attack/

  5. https://www.csoonline.com/article/3264654/security/atlanta-officials-still-working-around-the-clock-to-resolve-ransomware-attack.html

Malware of the Month

Dridex - Artifacts

  1. This came in an email with a URL that auto downloaded and installed the malware, but could be a drive-by as well.
  2. Since Dridex uses actual signed Microsoft binaries located in a different directory (not System32), sideloading is easy, it just has to be named after one of the Dlls that the binary actual needs in the same folder that is usually, and should be located in System32
  3. This method has been making the Con circuit talks as many tools miss or exclude known good Microsoft signed binaries as “Good”.  A popular tool we all use, Microsoft’s Sysinternals ProcessExplorer has an option we all have used to hide the Microsoft signed files to make it easier to see an obvious bad processes.  Dridex exploits this typical behavior by analysts to hide among the known good.

    1. It is important to note that we designed LOG-MD to see these cases since WHERE the file is located can be a BIG clue, even if it is a real and signed MS binary

  4. Morphs on reboot - The DLL changes its hash on each reboot and the .EXE changes as well and the DLL named changed to what will work for that .exe.  So chasing hashes is a waste of time. What you have hash wise is not what the rest of us will have.
Dridex_Morphed_Samples.JPG

 

5. Uses a valid trusted MS signed binary to launch the Bad DLL, which is named for a correct DLL that is needed by the launcher (GamePanel.exe, UxTheme.dll, CameraSettingsUIHost.exe, DUI70.dll, etc.)

6. Autoruns are a .lnk file in the users Startup folder and a Scheduled Task pointing to another version

7. Files are found in:

  • %windir%\System32\5_Char_random_name
  • %AppData%\5_Char_random_name

8. Uses SVCHost.exe to phone home and communicate

9. Opens a hole for Explorer in the Windows Firewall

Site-Worthy

  1. www.MalwareArchaeology.com\cheat-sheets

  2. https://www.cisecurity.org/cis-benchmarks/

  3. Guest - David Longenecker

    1. https://attack.mitre.org/wiki/Main_Page - Adversarial Tactics, Techniques & Common Knowledge. A repository of things for which to ask yourself, "would I detect this? Would it set off any alarms?"

    2. https://jpcertcc.github.io/ToolAnalysisResultSheet/ - dozens of tools and exploitation techniques, with detailed artifacts generated by those actions. Again, a great resource for asking "how would I detect this?"

Tool-Worthy

  1. LOG-MD

  2. Guest - David Longenecker

    1. https://blog.didierstevens.com/my-software/ - Didier writes lots of handy tools useful for forensics and IR. I use his pdf tools (https://blog.didierstevens.com/programs/pdf-tools/) a fair bit for inspecting suspicious attachments; rtfdump and oledump seem to do the same for OLE and RTF files.

Topic of the Day

Windows Logging, Who, What, Where, When, Why

  1. Why is logging important?

    1. Incident took place...what happened?  I don’t know!

    2. Research / hunting.

    3. Alerts

  2. Windows Default logging

    1. Some of the improvements since XP

    2. Default is painfully bad, so at minimum set the following

      1. 4688

      2. 5156

      3. PowerShell

      4. CMD Line Logging

    3. Make checks for

  3. Where does one start to improve logging

    1. Industry Standards

    2. Cheat Sheet(s)

  4. Gaps in the industry standards

    1. Why are they inadequate

  5. Log configurations/properties

    1. Log Sizes

    2. FIFO

  6. Centralized / forwarded vs. Local logging

    1. Why some things shouldn’t be forwarded

    2. Log “nice-to-haves” locally (it won’t kill the box -Microsoft Article)

  7. What tools can you use to collect local logs?

    1. Wevtutil

    2. PowerShell

    3. LOG-MD

  8. Filtering logs on the endpoint

  9. 3rd party logging utilities

    1. Sysmon

    2. WLS

10. Advanced Logging

  • NEW - The Windows Advanced Logging Cheat Sheet

11. Log Attacks

  • Clear the logs
  • Stop the logging service
  • Change size to 1k

-----------------------------------------------------------------------------------------------

 

BDIR Podcast Episode-001

Join our #Slack Channel! Email us at bds.podcast@gmail.com or or DM us on Twitter @brakesec

Join us for Episode-001, our guest will be:

  • Martin Brough - Manager of the Security Solutions Engineering team in the email phishing industry

Topic of the day will be:

"Credential Stealing emails what can YOU do"

Show Notes:

  • Introductions
  • Introduce our Guest
    • Martin Brough
      • Twitters - @HackerNinja
      • Blog - InfoSec512.com

News-worthy:

  1. The Register: Perv raided college girls' online accounts for nude snaps – by cracking their security questions.  Personal info obtained to pull off 1,400 password resets. Now he's behind bars.

Powell's interest in all this was obtaining private sexually explicit photos, which people apparently store in their email accounts without much thought about security. It's not immediately clear why the large number of such images on the internet did not suffice.

Jonathan C. Powell, who hacked into over 1,000 email accounts in search of sexually explicit images and videos of college-aged women, was jailed for six months for computer fraud, the US Department of Justice said on Thursday.

"During that time frame, those Reset Utility accesses resulted in approximately 18,600 attempted password changes in connection with approximately 2,054 unique [Pace] email accounts, and approximately 1,378 successful password changes in connection with approximately 1,035 unique [Pace] email accounts," explained FBI special agent Christopher Merriman in the complaint.

2. The Hacker News: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

The article states that “As CrossRAT is written in Java, it requires Java to be installed"  Not entirely true, as the dropper can check for java, if none is present, can download JRE and run locally or can install “jportable launcher”.

Also, it is interesting that the article calls it undetectable in the title, but then tells you how to detect it by looking for a runkey.

3. Windows 10 Creator update breaks purposefully set security tweaks

Win 10 fail Tweet.jpg

4. TrickBot

  • Artifacts

    • Delivered by a Word Doc with Macros

      • So cscript and PowerShell to grab the dropper

      • PS gets the dropper and also launches one of the batch files to load

    • Stores files in %appdata%, so Appdata Roaming\localservice

    • Some oddly named binary

    • Client_ID file

    • Group_tag file

    • A directory named Modules

    • You can see a couple batch files in %temp% and the binary before it is copied

    • Persistence is a Task called “services update”

    • Named Pipes connection for PowerShell

    • The IP it uses was a US based hosting service

Site-worthy:

BDIR Pick

  • MalPedia - reports and info on malware families and their actors and yara signatures

Tools-worthy:

Topic of the DAY

Credential Stealing emails what can YOU do….

What to look for if you DON’T have a lab or also in your lab

  • Screen Shots – Good indicator a credential stealing site with an authentication page

  • Domain age - How old is the website in days or years.  Is it new? DGA (Domain Generating Algorithms)

  • Blacklists – Is the domain in any blacklists, if so, why is the SMTP gateway not catching it

  • Category – Has the site been categorized (BLOG/Malware/etc.)

  • Reputation – Is this a Bad, Neutral or Good site

  • Country – Where is this URL from

  • Alexa Rating - How known is it

Evaluating it in a Lab

  • LOG-MD Babbeeeee

Steps to take when you get a Phishing email

1.  Of course.. You get an alert of some kind or are notified

2. Get a copy of the email - You can’t evaluate it if you don’t have an actual copy, your help desk copy might not have the context correct

3.  Evaluate the URL

  • In a lab, click all the way through, login too (fake creds)
  • Or with one of the URL eval sites

4.  Block the URL - Ya need a Web Proxy of course

  • Or the IP in the firewall

5.  Monitor the IPs in log management from your firewall logs

  • Who else went there
  • You will have a HUGE gap for offsite/roaming people

6.  Consider Fast and Mass disabling of accounts

7.  Recall the message from your mail servers

  • Keep people from opening it

8.  Monitor any Internet facing non-2-Factor email logins

  • Unless you reset all your users that received the phish

9.  Monitor any Internet facing non-2-Factor VPN logins

  • Unless you reset all your users that received the phish

10.  Monitor any Internet facing non-2-Factor Cloud Storage logins

11.  Monitor any Internet facing non-2-Factor Virtual Desktop logins

12.  Monitor for password resets to make sure you got everybody

13.  Contact the sender to say you have been owned

  • Assuming you know it actually came from them.. SMTP logs

14.  Create a Report

  • What happened, how did it come in
  • What improvements can be made to avoid it
  • Improvements to monitoring or hunting

15.  Update your Email Investigation process

  • You will improve each time
  • Someone will need to do this when YOU are not at work or sleeping

BDIR Podcast Episode-000

Join our #Slack Channel! Email us at bds.podcast@gmail.com or or DM us on Twitter @brakesec

Join us for our inaugural podcast, our guests will be:

  • Dave Cowan - Forensic Lunch Podcast and G-C Partners
  • Tyler Hudak - Trainer in Malware Analysis and Reverse Engineering

Brian and I will kick off this new podcast, and the topic of the day will be:

"What is this new podcast all about, what will it cover? 

Incident Response, Malware Discovery, and Basic Malware Analysis, Detection and Response, Active Defense, Threat Hunting, and where does it fit within DFIR"

Show Notes:

  • Introductions
  • Introduce our Guests
    • Tyler Hudak
    • Dave Cowan

News-worthy:

Site-worthy:

BDIR Pick

Tyler’s Pick

Dave’s Pick

Tools-worthy:

Topic of the DAY

What is this new podcast all about?  Incident Response, Detection and Response, Active Defense, Threat Hunting, Malware Discovery, Basic Malware Analysis

Incident Response.JPG
DFIR width.JPG

  1. Define IR

    1. The process by which you respond to an incident (legal sense)?

    2. Do we agree on the diagram above?

      1. Define Discovery

      2. Define Analysis

      3. Define Forensics

    3. Does IR include preparation for an attack?

  2. What is Active Defense?

    1. Your definition will vary

  3. Threat Hunting - where do Hunters fit into all of this?

    1. JP.Cert paper

BDIR Podcast Sponsor:

LOG-MD.Com

This Podcast Sponsored by:

ANNOUNCING The BD-IR Podcast

BDIR LOGO.JPG

Brian and I are embarking on an expansion of the Brakeing Down Security Podcast, adding the Brakeing Down Incident Response Podcast (BD-IR Podcast).

This will be a once a month podcast with a few extra casts here and there.  The focus will be in the area of Detection and Incident Response, Malware Discovery, Basic Malware Analysis, Threat Hunting and improvements to your overall security posture.

COMING JAN 2018

Join us !