
Tuesday, November 12, 2019

Building a DirtyNet - The Ultimate Malware Playground

By Tony Lee


Do you have a safe place to handle and investigate potential malware? Maybe you are doing this on your home PC, or in a VM in the hope of protecting the rest of your network? Whether you have a DirtyNet or not, let’s start an open discussion that covers some safe malware handling options along with the pros and cons of each. Maybe this will help provide justification, or a framework, for even a minimal amount of funding to build something official and supported.

Figure 1:  DirtyNet Information Flow

 
The Benefits

There are many benefits to building a DirtyNet to take a closer look at potential malware. Here are a few:

  • Determine whether a suspicious file is actually malicious
    • Never-seen-before binaries – threat intel and malware repositories know nothing about them
    • Low conviction rate – threat intel and repositories have seen the file, but are not convinced it is malicious

  • Extract Indicators of Compromise (IOCs)
    • Useful in hunting for presence in the rest of the environment

  • Protect the rest of the network
    • Prevent users from mishandling malware on their corporate PCs by providing a dedicated environment

 
Possible Solutions
There are probably a large number of potential solutions – many of them bad ideas and some good ideas. We will cover the two most common setups here:

1) Stand-alone Malware Analysis Laptops

This is very common because it is easy to implement and somewhat reduces the risk of accidental malware spread.  There are some pros and cons that should be noted though:

Pros

  • Lower risk of mishandled malware than using a VM on your corp machine

Cons
  • Requires a sneakernet – USB drives, ideally with write-blockers
  • No real-time feed from sensors
  • Difficult to connect and automate sensors and the analysis stack
  • Difficult to scale to a large volume of malware
  • Difficult to extract and harvest IOCs for reuse

 
2) Building a DirtyNet

This is not always the route chosen, but when built correctly, it is a beautiful and graceful solution. Here are the pros and cons:


Pros
  • Can be automated
  • Flexible sensor integration
  • Flexible automated malware analysis stack
  • Scales to higher volume of malware


Cons
  • Higher risk of mishandled malware when not following proper procedures

 
DirtyNet Rules

Notice the single con of the DirtyNet…  But just like Fight Club, it is important that EVERYONE follow the rules:

  • A write-only file share exposed to the larger environment accepts submissions, which are then moved inside the DirtyNet
  • Malware stays within the DirtyNet.  No outbound traffic except the whiteline used by FireEye AX / the malware analysis stack
  • Malware can be taken from the malware repo and moved to an analysis workstation within the DirtyNet
  • Malware is ideally zipped with the password “infected” before transfer and while in storage, so it is not executed or quarantined by accident along the way
  • An analyst's connection to the DirtyNet must not compromise the rest of the network.  Virtualized desktops reached through a browser plugin with file sharing disabled are a decent option.
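To make the storage-side rules above concrete, here is an added example (my code, not part of the original post or of any tool it mentions) of an intake script that takes a submission from the write-only share and files it in the malware repo: it opens the archive with the "infected" password, refuses entries that could escape the repository directory or decompress to an unreasonable size, stores each sample under its SHA-256 with no execute bit, and never runs anything. The size caps, the directory layout and the sample bytes are assumptions. The Python standard library cannot write password-protected zips, so the demo packages its sample unencrypted and relies on the submitter's zip tool to apply the password; the intake side opens both kinds.

```python
"""Added example (not code from the original post): intake helper for the
DirtyNet malware repository following the rules above.

Assumptions (mine): a submission is a zip archive, optionally protected with
the password "infected"; the repository is a directory where each sample is
stored under its SHA-256 with no execute bit; nothing is ever executed here.
"""
from __future__ import annotations

import hashlib
import io
import os
import tempfile
import zipfile
from pathlib import Path, PurePosixPath, PureWindowsPath

INFECTED_PASSWORD = b"infected"       # convention from the post
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # hypothetical per-sample cap
MAX_RATIO = 200                       # hypothetical decompression-ratio cap


class IntakeError(ValueError):
    """A submission broke one of the intake rules and was not stored."""


def check_member(info: zipfile.ZipInfo) -> None:
    """Reject entries that could escape the repo or exhaust disk.

    A zip entry name is attacker-controlled: it can be absolute or contain
    '..' (zip slip), and the header can advertise a tiny compressed size for
    a huge uncompressed one (zip bomb).  Both are checked before any member
    data is read.
    """
    name = info.filename
    posix, win = PurePosixPath(name), PureWindowsPath(name)
    if posix.is_absolute() or win.is_absolute() or ".." in posix.parts or ".." in win.parts:
        raise IntakeError(f"unsafe member path: {name!r}")
    if info.file_size > MAX_MEMBER_BYTES:
        raise IntakeError(f"member too large: {name!r} ({info.file_size} bytes)")
    if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
        raise IntakeError(f"suspicious compression ratio for {name!r}")


def ingest(archive_bytes: bytes, repo_dir: Path) -> dict[str, str]:
    """Store each file in the submitted archive as <sha256> under repo_dir.

    Returns {member name in the archive: sha256}.  The attacker-chosen file
    name never reaches the filesystem; the stored copy is mode 0600 so the
    repo is storage, not a launch pad.
    """
    if not zipfile.is_zipfile(io.BytesIO(archive_bytes)):
        raise IntakeError("submission is not a zip archive")
    stored: dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            check_member(info)
            # pwd is only consulted for encrypted members, so plain zips
            # (which the stdlib can write) and "infected" zips both open.
            with zf.open(info, pwd=INFECTED_PASSWORD) as fh:
                data = fh.read(MAX_MEMBER_BYTES + 1)
            if len(data) > MAX_MEMBER_BYTES:
                raise IntakeError(f"member {info.filename!r} exceeded the size cap")
            digest = hashlib.sha256(data).hexdigest()
            dest = repo_dir / digest
            if not dest.exists():
                fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
                with os.fdopen(fd, "wb") as out:
                    out.write(data)
            stored[info.filename] = digest
    return stored


def build_submission(members: dict[str, bytes]) -> bytes:
    """Package files the way a submitter would (unencrypted: the stdlib
    cannot write ZipCrypto archives, so add the "infected" password with
    your zip tool before dropping the file on the share)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, blob in members.items():
            zf.writestr(name, blob)
    return buf.getvalue()


def demo() -> dict:
    """Run the three cases a practitioner should see: accepted, zip slip, non-zip."""
    sample = b"MZ constructed sample, not real malware"   # constructed bytes
    results = {}
    with tempfile.TemporaryDirectory() as d:
        repo = Path(d)
        results["stored"] = ingest(build_submission({"dropper.exe": sample}), repo)
        results["repo_listing"] = sorted(p.name for p in repo.iterdir())
        for label, payload in (
            ("zip_slip", build_submission({"../../etc/cron.d/evil": b"* * * * * root id"})),
            ("not_a_zip", b"%PDF-1.4 this is not an archive"),
        ):
            try:
                ingest(payload, repo)
                results[label] = "accepted"
            except IntakeError as exc:
                results[label] = f"rejected: {exc}"
        results["repo_listing_after"] = sorted(p.name for p in repo.iterdir())
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The repo directory only ever contains names that are hex digests, which is also what makes it trivial to cross-reference against the Hash column of an IOC lookup later; anything that fails a check is rejected before a single member byte is written.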

 
Requirements

So you want to build a DirtyNet now... and you are curious as to what you might need. The info below contains the high-level requirements:
  • Hardware or virtual (AWS/Azure/GCP) capacity
  • Whiteline with randomized points of presence (POPs) so malware can make its callouts (ideal but not necessary)
  • Viper or a similar framework for the malware repository
  • Time from a network engineer to set up the network and hosts


Conclusion
Now that you have the blueprint, will you be building a DirtyNet of your own? If you already have one, we would be interested in hearing your tips, tricks, or opinions in the comment section below. As a bonus, do you have any cool integrations set up?  For example, we have CyBot’s (https://github.com/cylance/CyBot) Cuckoo plugin safely feeding our instance with malware. Thanks for reading!

Figure 2:  CyBot Cuckoo plugin safe submission to DirtyNet


Monday, July 1, 2019

Quick and Flexible IOC Hunting in Splunk

By Tony Lee and Arjun Mathew

Imagine that you are battling a known threat actor.  You have gathered indicators of compromise (IOCs) from reversing malware as well as from helpful contributions by the rest of the security community.  But how can those IOCs be applied across your existing data quickly, in order to track attacker movement in real time?  Here is one possible solution:
  1. Use a lookup file
  2. Clever Splunk search
  3. Even more clever dashboard
This article will outline the process and even share an example dashboard (shown in the screenshot below).

Figure 1:  Known IOC Dashboard provided at the end of the article

Lookup File

We used the following process to create a lookup file and definition.  Create a spreadsheet in Excel with one column per IOC type (the searches below use Hash, FileName, Domain and IP) and save it as a CSV called known_iocs.csv (similar to the file below).

Figure 2:  CSV that we initially populated with our IOCs

Then within Splunk, navigate to the following to create the lookup and the definition:

Settings > Lookups > Lookup table files > Add new

  • Destination app:  Select the app
  • Upload a lookup file:  known_iocs.csv
  • Destination filename:  known_iocs.csv


Settings > Lookups > Lookup definitions > Add new

  • Destination app:  Select the app
  • Name:  known_iocs.csv
  • Type:  File-based
  • Lookup file:  known_iocs.csv


Now, here is the problem.  How do you scale this solution to a group effort to update a lookup table with IOCs?  It does not work well to pass the CSV around and then constantly upload.  Enter another graceful solution from Luke Murphey -- The Lookup File Editor Splunk App (https://splunkbase.splunk.com/app/1724/).

Figure 3:  Lookup File Editor App from Luke Murphey

Once the Lookup File Editor Splunk App is installed, navigate to it and search for your known_iocs.csv file.  Open it, right-click on the bottom line and choose "Insert a new row".  You can edit the lookup file right in Splunk.  Once it is saved, every search that reads the lookup picks up the new IOC data on its next run.


Figure 4:  Inserting a new line into our known_iocs.csv file

Clever Search

Now that we have a lookup table that has our IOCs in it and a convenient way to edit it, we just need a search that will apply the IOCs to our data.  The example below applies the IOCs to the cylance_protect index, but feel free to change the index name as needed.  Additionally, we show how to search just one column of the IOC data as well as multiple columns.


One type of IOC (Hash):

index=cylance_protect [|inputlookup known_iocs.csv | rename Hash as query | table query] | stats count


Two types of IOCs (Hash & FileName)

index=cylance_protect [|inputlookup known_iocs.csv | rename Hash as query | table query] OR [|inputlookup known_iocs.csv | rename FileName as query | table query] | stats count

Note the OR between the two subsearches – it is needed when querying multiple columns.  Renaming the column to query is what makes Splunk expand the subsearch into bare search terms (a value match anywhere in the event) rather than query="value" field matches.  Two things to keep in mind: a subsearch is capped at 10,000 results by default, so a very large lookup will be truncated; and since each row only fills the column it belongs to, the other cells are blank and must stay blank – a stray asterisk in a cell becomes a bare search term that matches every event.


Figure 5:  What will be our top panels showing a count of the hits
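As an added example (mine, not Splunk's and not from the original post), the following Python models what these two searches do: it loads the lookup columns into term sets the way the inputlookup ... rename ... as query subsearch does, applies one column or the union of several to constructed proxy, firewall and antivirus events, and reproduces the per-index counts the dashboard panels show. The column layout (Hash, FileName, Domain, IP) matches the searches on this page; the events, the tokenizer and the index-to-column mapping are assumptions and only approximate Splunk's own term breaking.

```python
"""Added example (not from the original post and not Splunk code): a
plain-Python model of what the lookup-driven SPL searches above do, run over
constructed events so the matching semantics can be checked offline.

Assumed lookup columns: Hash, FileName, Domain, IP (the ones the post's
searches rename to `query`).  The events, the tokenizer and the panel-to-
column mapping are my approximations, not Splunk internals.
"""
from __future__ import annotations

import csv
import io
import re
from collections import defaultdict

# Constructed lookup file.  Each row fills only the column it has, so the
# other cells are blank and must be dropped before they become search terms.
KNOWN_IOCS_CSV = """\
Hash,FileName,Domain,IP
d41d8cd98f00b204e9800998ecf8427e,,,
,invoice_scan.exe,,
,,update-cdn.example,
,,,203.0.113.77
"""

# Constructed events, keyed by the index each dashboard panel searches.
EVENTS = {
    "proxy": [
        "2019-07-01T10:01:02 user=alice dest=update-cdn.example uri=/x.php status=200",
        "2019-07-01T10:01:05 user=bob dest=www.example.org uri=/ status=200",
    ],
    "firewalls": [
        "2019-07-01T10:02:00 action=allow src=10.0.0.5 dst=203.0.113.77 dport=443",
        "2019-07-01T10:02:01 action=deny src=10.0.0.9 dst=198.51.100.2 dport=22",
    ],
    "av": [
        "2019-07-01T10:03:00 host=WS12 action=quarantine file=C:\\Users\\bob\\Downloads\\Invoice_Scan.EXE",
        "2019-07-01T10:03:01 host=WS13 action=quarantine file=notepad.exe md5=D41D8CD98F00B204E9800998ECF8427E",
    ],
}

# Which lookup column(s) each Single Value panel applies (assumed mapping;
# the antivirus panel uses two columns, mirroring the two-subsearch OR form).
PANELS = {"proxy": ["Domain"], "firewalls": ["IP"], "av": ["Hash", "FileName"]}


def load_terms(csv_text: str) -> dict[str, set[str]]:
    """Model of `| inputlookup known_iocs.csv | rename <col> as query`.

    Lower-cases every value (raw-term search in Splunk is case-insensitive)
    and drops blank cells, which would otherwise become empty terms.
    """
    terms: dict[str, set[str]] = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        for col, val in row.items():
            val = (val or "").strip()
            if val:
                terms[col].add(val.lower())
    return dict(terms)


def tokens(event: str) -> set[str]:
    """Rough stand-in for Splunk's major/minor breakers: keep each
    whitespace-delimited token plus the pieces around = : / \\ , and quotes."""
    out: set[str] = set()
    for word in event.split():
        out.add(word.lower())
        out.update(p.lower() for p in re.split(r"[=:/\\'\",]+", word) if p)
    return out


def search(index: str, columns: list[str], terms: dict[str, set[str]], wild: str = "*") -> list[str]:
    """Model of `index=<index> $wild$ [sub col1] OR [sub col2] ...`.

    The OR between subsearches is modelled as a union of the columns' term
    sets; `wild` is the free-text token from the dashboard ('*' matches all).
    """
    wanted = set().union(*(terms.get(c, set()) for c in columns))
    hits = []
    for event in EVENTS.get(index, []):
        if wild != "*" and wild.lower() not in event.lower():
            continue
        if tokens(event) & wanted:
            hits.append(event)          # what `| table _raw` shows in the drilldown
    return hits


def panel_counts(wild: str = "*") -> dict[str, int]:
    """The top row of the dashboard: `| stats count` per index."""
    terms = load_terms(KNOWN_IOCS_CSV)
    return {index: len(search(index, cols, terms, wild)) for index, cols in PANELS.items()}


if __name__ == "__main__":
    print(panel_counts())   # {'proxy': 1, 'firewalls': 1, 'av': 2}
    for line in search("av", PANELS["av"], load_terms(KNOWN_IOCS_CSV)):
        print(line)
```

Running it prints the three panel counts followed by the two antivirus events. Two details worth noticing: the blank cells in the lookup never become terms, and the hash matches even though the event carries it in upper case, which is also how a bare-term search behaves in Splunk.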


Even More Clever Dashboard

Now that we have functional searches, we need a dashboard to monitor our different data feeds such as:
  • Proxy
  • Firewalls
  • DNS
  • Antivirus Hits
  • Email Protection
  • Windows Event Logs

You can see in the screenshot below that we use Single Value panels on the top row.  Each of these panels contains a dynamic drilldown to populate the panel below it with the contents of the Single Value panel when clicked.


Figure 6:  Dashboard displayed at the start of the article and in the Sample Dashboard section below

The drilldown for each Single Value panel sets a token containing the same search, but with | stats count replaced by | table _raw (table whatever fields you need instead):

        <drilldown>
          <set token="alert">index=proxy $wild$ [|inputlookup known_iocs.csv | rename Domain as query | table query] | table _raw</set>
        </drilldown>



Then the bottom panel is just a search of the token set in the drilldown above.

        <search>
          <query>| search $alert$</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>

Conclusion

Using a combination of features that (for the most part) already exist within Splunk, we were able to create a quick method to update an IOC list and apply it against existing data in Splunk. Monitor these dashboards and use them to track the attacker's activities in real time.


Sample Dashboard

The sample dashboard below uses a number of indexes to search over different data feeds.  Just change these indexes to the ones you are interested in monitoring.


<form>
  <label>Known IOC Hits</label>
  <description>Threat Actor</description>
  <fieldset submitButton="true">
    <input type="time" searchWhenChanged="true" token="time">
      <label>Time Range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" searchWhenChanged="true" token="wild">
      <label>Wildcard Search</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <title>Proxy</title>
        <search>
          <query>index=proxy $wild$ [|inputlookup known_iocs.csv | rename Domain as query | table query] | stats count</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="colorMode">none</option>
        <option name="drilldown">all</option>
        <option name="rangeColors">["0x65a637","0xd93f3c"]</option>
        <option name="rangeValues">[0]</option>
        <option name="useColors">1</option>
        <drilldown>
          <set token="alert">index=proxy $wild$ [|inputlookup known_iocs.csv | rename Domain as query | table query] | table _raw</set>
        </drilldown>
      </single>
    </panel>
    <panel>
      <single>
        <title>Firewalls</title>
        <search>
          <query>index=firewalls $wild$ [|inputlookup known_iocs.csv | rename IP as query | table query] | stats count</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="drilldown">all</option>
        <option name="rangeColors">["0x65a637","0xd93f3c"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
        <drilldown>
          <set token="alert">index=firewalls $wild$ [|inputlookup known_iocs.csv | rename IP as query | table query] | table _raw</set>
        </drilldown>
      </single>
    </panel>
    <panel>
      <single>
        <title>DNS</title>
        <search>
          <query>index=dns $wild$ [|inputlookup known_iocs.csv | rename Domain as query | table query] | stats count</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="drilldown">all</option>
        <option name="rangeColors">["0x65a637","0xd93f3c"]</option>
        <option name="rangeValues">[0]</option>
        <option name="useColors">1</option>
        <drilldown>
          <set token="alert">index=dns $wild$ [|inputlookup known_iocs.csv | rename Domain as query | table query] | table _raw</set>
        </drilldown>
      </single>
    </panel>
    <panel>
      <single>
        <title>Antivirus Hits</title>
        <search>
          <query>index=av $wild$ [|inputlookup known_iocs.csv | rename Hash as query | table query] | stats count</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="drilldown">all</option>
        <option name="rangeColors">["0x65a637","0xd93f3c"]</option>
        <option name="rangeValues">[0]</option>
        <option name="useColors">1</option>
        <drilldown>
          <set token="alert">index=av $wild$ [|inputlookup known_iocs.csv | rename Hash as query | table query] | table _raw</set>
        </drilldown>
      </single>
    </panel>
    <panel>
      <single>
        <title>Email Protection</title>
        <search>
          <query>index=mail_protection $wild$ [|inputlookup known_iocs.csv | rename Domain as query | table query] | stats count</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="drilldown">all</option>
        <option name="rangeColors">["0x65a637","0xd93f3c"]</option>
        <option name="rangeValues">[0]</option>
        <option name="useColors">1</option>
        <drilldown>
          <set token="alert">index=mail_protection $wild$ [|inputlookup known_iocs.csv | rename Domain as query | table query] | table _raw</set>
        </drilldown>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>Information Table (Click one of the numbers above to populate this table with Details)</title>
      <table>
        <search>
          <query>| search $alert$</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="drilldown">cell</option>
      </table>
    </panel>
  </row>
</form>