
HBSS Tricks


Presentation Transcript


  1. HBSS Tricks Chris Rooney

  2. We need a recipe, map, something… For many people Audits are like Easter

  3. Build and Maintain a Secure Network
     Requirement 1: Install and maintain a firewall configuration to protect cardholder data
     1.1 Establish firewall and router configuration standards that include the following: blah blah
     1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
     1.4 Install personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization’s network.

  4. Requirement 5: Use and regularly update anti-virus software or programs
     5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
     5.2 Ensure that all anti-virus mechanisms are current, actively running, and generating audit logs.
     Requirement 6: Develop and maintain secure systems and applications
     6.2 Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities.

  5. Requirement 8: Assign a unique ID to each person with computer access
     Requirement 10: Track and monitor all access to network resources and cardholder data
     Their own words - Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs.
     10.1 Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.

  6. Requirement 12: Maintain a policy that addresses information security for all personnel.
     A strong security policy sets the security tone for the whole entity and informs personnel what is expected of them. All personnel should be aware of the sensitivity of data and their responsibilities for protecting it. For the purposes of Requirement 12, “personnel” refers to full-time and part-time employees, temporary employees, contractors and consultants who are “resident” on the entity’s site or otherwise have access to the cardholder data environment.
     12.5.2 Monitor and analyze security alerts and information, and distribute to appropriate personnel.
     12.9.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts.
     12.9.5 Include alerts from intrusion-detection, intrusion-prevention, and file-integrity monitoring systems.

  7. NIST SP800-53A Recommended Security Controls for Federal Information Systems
     AU-2 AUDITABLE EVENTS (1): The information system provides the capability to compile audit records from multiple components throughout the system into a systemwide (logical or physical), time-correlated audit trail.
     AU-4 AUDIT STORAGE CAPACITY Control: The organization allocates sufficient audit record storage capacity and configures auditing to prevent such capacity being exceeded.
     AU-6 AUDIT MONITORING, ANALYSIS, AND REPORTING Control: The organization regularly reviews/analyzes audit records for indications of inappropriate or unusual activity, investigates suspicious activity or suspected violations, reports findings to appropriate officials, and takes necessary actions.

  8. CA-7 CONTINUOUS MONITORING Control: The organization monitors the security controls in the information system on an ongoing basis.
     IR-4 INCIDENT HANDLING Control: The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.
     IR-5 INCIDENT MONITORING Control: The organization tracks and documents information system security incidents on an ongoing basis.
     RA-5 VULNERABILITY SCANNING Control: Using appropriate vulnerability scanning tools and techniques, the organization scans for vulnerabilities in the information system [Assignment: organization-defined frequency] or when significant new vulnerabilities affecting the system are identified and reported.

  9. What you had to buy:
     Firewall
     IDS - (I Detect Stuff)
     IPS - (I Prevent Stuff)
     AV
     Logging solution of some type - Centralized logging
     HIPS
     HIDS

  10. Attacker WHA!? The Auditor said we were “Compliant”

  11. Following this:

  12. In no way makes you this:

  13. What this isn’t –
      • You’re not going to replace your AV solutions
      • You’re not going to replace <insert everything>
      • Also we are not curing diabetes, cancer, or insomnia

  14. What This Will Do
      This will help your internal incident response
      This will possibly help you find root cause faster
      This might actually help you detect something

  15. Defense in Depth or Layered Security

  16. What this will require
      • Proactive monitoring
      • Reviewing a lot of logs
      • Reviewing a lot of logs
      • Why?

  17. Because AV sucks. No really, because AV sucks.
      AV is signature based; you are always playing “catch up”.
      Tool sets are rarely going to be picked up by AV: malicious DLLs, memory resident, etc etc…
      AV is not designed for, or capable of, detecting nearly anything related to a compromise!
      After the initial compromise the attacker will use available system tools against you.

  18. Anatomy of an Attack
      Recon
      Scanning
      Exploit Systems
      Keeping Access
      Covering Tracks

  19. Recon – Hard to Detect
      Not Detectable: Web Searches (Google, Bing, etc); Whois – Registrar info etc
      Detectable: DNS Zone transfers – AXFR or IXFR; DNS Reverse Lookup – Brute force; Servers named <company>DC#, <company>MAIL#, etc or Mythological Deities, Heroes, Lord of the Rings, etc
      Firewall, IDS/IPS, and Server Logs help here

  20. Basic Network monitoring – DO IT. Review the Logs, Detections etc Forget about the “color” Red, OJ, Yellow etc. Look at the finding, evaluate it, Act Appropriately

  21. Manager Receipt Time | Name | Transport Protocol | Priority | Severity | Device Action | Source Address | Source Port | Destination Address | Destination Port
      Mar 27 2013 12:00:32 | SERVER-IIS view source via translate header | TCP | 5 | 3 | Gray -- Unknown | 74.82.248.186 | 4609 | 137.161.202.92 | 80
      Mar 27 2013 12:03:37 | Mandiant WebC2-GDOCUPLOAD User-Agent 3 | TCP | 9 | 10 | Gray -- Unknown | 10.78.66.100 | 42853 | 68.142.251.159 | 80
      Mar 27 2013 12:04:17 | DNS SPOOF query response with TTL of 1 min. and no authority | UDP | 5 | 3 | Gray -- Unknown | 199.66.238.112 | 53 | 10.161.231.150 | 11758
      Mar 27 2013 12:23:30 | SERVER-IIS view source via translate header | TCP | 5 | 0 | 6 | 52.129.8.51 | 41314 | 10.82.250.31 | 80
      Mar 27 2013 12:24:30 | Mandiant WebC2-GDOCUPLOAD User-Agent 3 | TCP | 8 | 5 | Gray -- Unknown | 10.80.29.105 | 45382 | 165.254.99.35 | 80
      Mar 27 2013 12:13:38 | DNS SPOOF query response with TTL of 1 min. and no authority | UDP | 5 | 3 | Gray -- Unknown | 199.66.238.112 | 53 | 192.161.231.150 | 62800
      Mar 27 2013 12:27:35 | Mandiant WebC2-GDOCUPLOAD User-Agent 3 | TCP | 7 | 0 | Gray -- Unknown | 10.80.174.11 | 32137 | 165.254.99.24 | 80
      Mar 27 2013 12:15:09 | SCAN UPnP service discover attempt | UDP | 3 | 0 | Gray -- Unknown | 176.10.35.241 | 30987 | 10.78.84.67 | 1900
      Mar 27 2013 12:16:14 | SCAN UPnP service discover attempt | UDP | 3 | 0 | Gray -- Unknown | 176.10.35.241 | 45317 | 192.152.169.252 | 1900
      Mar 27 2013 12:16:19 | SCAN UPnP service discover attempt | UDP | 3 | 0 | Gray -- Unknown | 176.10.35.241 | 2032 | 10.83.194.160 | 1900
      Mar 27 2013 12:20:04 | DNS SPOOF query response with TTL of 1 min. and no authority | UDP | 5 | 3 | Gray -- Unknown | 199.66.238.112 | 53 | 192.161.231.150 | 35177
      Mar 27 2013 12:20:39 | SCAN UPnP service discover attempt | UDP | 3 | 0 | Gray -- Unknown | 94.142.155.123 | 23396 | 10.83.192.239 | 1900
      Mar 27 2013 12:23:35 | DNS SPOOF query response with TTL of 1 min. and no authority | UDP | 5 | 3 | Gray -- Unknown | 199.66.238.112 | 53 | 192.161.231.150 | 20869
      OK… Reviewing pages of this is “No Bueno”. It needs to be usable and convey something.

  22. Now that makes it a heck of a lot easier to read

  23. Scanning
      Port Scans
      Service Scans
      Scanning Web Servers, VPN Gateways, FTP, DNS, Citrix, Database (Yes we do find databases in DMZ sometimes)
      Detected with - Firewall, IDS/IPS, Logging

  24. Exploit Systems Web browsers, Operating System vulnerabilities and JAVA and Everything made by Adobe EVER!!!!!!

  25. Let’s talk users
      Shouldn’t have admin rights
      They just want to see the kittehs
      They will keep you up at night
      Without them you’d be unemployed

  26. Are you familiar with Indicators of Compromise?
      ZeroAccess/Siref.P: This is looking for indicators found from a recent ZeroAccess/Siref variant. Files are located in users profile\local settings\application data\{}\@ or \n and also seen in c:\windows\installer.
      Registry KeyPath: Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32
      WinLogon Shell Persistence:
      <IndicatorItem id="f0a5abaa-41f4-488e-9acf-8c7654a71122" condition="contains">
        <Context document="RegistryItem" search="RegistryItem/Value" type="mir" />
        <Content type="string">%Temp%</Content>
      </IndicatorItem>
      Trojan-Tinba-Zusy:
      <IndicatorItem id="fcfc3866-836f-4a0c-8939-fc23dc22d0a4" condition="contains">
        <Context document="FileItem" search="FileItem/FullPath" type="mir" />
        <Content type="string">All Users\Application Data\default</Content>
      </IndicatorItem>
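An IndicatorItem is only useful once something evaluates it against what a host actually reports. The script below is an added example, not the deck's or any vendor's code: it parses the two IndicatorItem elements from the slide and tests them against constructed registry and file observations. The `<ioc>`/`<definition>`/`<Indicator operator="OR">` wrapper, the absence of an XML namespace, the observation records, and the case-insensitive "contains" match are all assumptions made so it runs stand-alone.

```python
"""Match OpenIOC-style IndicatorItems against host observations.

Added example, not from the deck. The two IndicatorItem elements are the ones
shown on the slide; the <ioc>/<definition>/<Indicator operator="OR"> wrapper
around them, the lack of an XML namespace, the observation records and the
case-insensitive comparison are assumptions made so the snippet runs alone.
"""
import xml.etree.ElementTree as ET

IOC_XML = r"""<ioc>
  <definition>
    <Indicator operator="OR">
      <IndicatorItem id="f0a5abaa-41f4-488e-9acf-8c7654a71122" condition="contains">
        <Context document="RegistryItem" search="RegistryItem/Value" type="mir" />
        <Content type="string">%Temp%</Content>
      </IndicatorItem>
      <IndicatorItem id="fcfc3866-836f-4a0c-8939-fc23dc22d0a4" condition="contains">
        <Context document="FileItem" search="FileItem/FullPath" type="mir" />
        <Content type="string">All Users\Application Data\default</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>"""

# Constructed host observations: what a registry/file sweep would hand back.
# Keys mirror the "search" paths an IndicatorItem can name.
OBSERVATIONS = [
    {"document": "RegistryItem",
     "RegistryItem/Path": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "RegistryItem/ValueName": "Shell",
     "RegistryItem/Value": r"explorer.exe,%TEMP%\updater.exe"},   # constructed hit
    {"document": "RegistryItem",
     "RegistryItem/Path": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "RegistryItem/ValueName": "Shell",
     "RegistryItem/Value": "explorer.exe"},                         # normal value
    {"document": "FileItem",
     "FileItem/FullPath": r"C:\Documents and Settings\All Users\Application Data\default\rcvrd.exe"},
    {"document": "FileItem",
     "FileItem/FullPath": r"C:\Program Files\Common Files\System\ado\msado15.dll"},
]


def load_items(xml_text):
    """Pull every IndicatorItem out of the document, regardless of nesting."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("IndicatorItem"):
        ctx = item.find("Context")
        content = item.find("Content")
        items.append({
            "id": item.get("id"),
            "condition": item.get("condition"),
            "document": ctx.get("document"),
            "search": ctx.get("search"),
            "content": content.text,
        })
    return items


def item_matches(item, obs):
    """Apply one IndicatorItem to one observation of the matching document type."""
    if obs.get("document") != item["document"]:
        return False
    value = obs.get(item["search"])
    if value is None:
        return False
    needle, hay = item["content"].lower(), value.lower()   # Windows paths: case-insensitive
    if item["condition"] == "contains":
        return needle in hay
    if item["condition"] == "is":
        return needle == hay
    raise ValueError(f"unsupported condition {item['condition']!r}")


def evaluate_ioc(items, observations):
    """Return (indicator id, observation index) for every hit."""
    return [(it["id"], i)
            for it in items
            for i, obs in enumerate(observations)
            if item_matches(it, obs)]


if __name__ == "__main__":
    for ioc_id, idx in evaluate_ioc(load_items(IOC_XML), OBSERVATIONS):
        print(ioc_id, "->", OBSERVATIONS[idx])
```

The evaluator only honours the two conditions it knows and raises on anything else, so a typo in an indicator file fails loudly instead of silently matching nothing. Real OpenIOC documents nest items under AND/OR operators; the example treats every item independently, which is the OR case.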

  27. They’re not admins
      So we shouldn’t see them executing stuff from:
      Internet\local\temp
      AppData\local\Temp
      Temporary Internet Files\
      Set up some HIPS rules and let them run
      Whenever the HIPS triggers, create an event
      Pipe it to centralized logging/monitoring
      Review often
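The rule on this slide is simple to state and worth seeing as working detection logic. The script below is an added example, not a McAfee HIPS rule and not the deck's own code: it checks process-start events against the temp locations the slide lists, in both the Windows XP profile layout (Local Settings\...) and the Vista-and-later layout (AppData\Local\...), and emits one key=value line per finding for a central log collector. The event field names, the hostnames, the admin account list and the severity labels are assumptions.

```python
"""Flag program execution from user-writable temp locations.

Added example; not the deck's own HIPS rule and not McAfee rule syntax. It
evaluates process-start events (constructed sample below) against the
locations called out on the slide, in both the Windows XP profile layout
(Local Settings\...) and the Vista+ one (AppData\Local\...). Field names,
hostnames, the admin account list and the severity labels are assumptions.
"""
import re

# Locations the slide says ordinary users should never launch code from.
TEMP_LOCATIONS = [
    (r"\\local settings\\temp\\", "XP user temp"),
    (r"\\appdata\\local\\temp\\", "user temp"),
    (r"\\temporary internet files\\", "IE cache"),
]
TEMP_PATTERNS = [(re.compile(p, re.IGNORECASE), label) for p, label in TEMP_LOCATIONS]

# Constructed: accounts that are allowed to run installers out of temp (assumption).
ADMIN_ACCOUNTS = {"CORP\\deskadmin"}

# Constructed process-start events; the field layout is my own.
SAMPLE_EVENTS = [
    {"host": "NB-0001", "user": "CORP\\g6edxjfs",
     "parent": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "image": r"C:\Users\g6edxjfs\AppData\Local\Temp\ber.exe"},
    {"host": "WS-0301", "user": "CORP\\b1odpsaj",
     "parent": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "image": r"C:\Documents and Settings\b1odpsaj\Local Settings\Temporary Internet Files\Content.IE5\3LYHPBW3\update.exe"},
    {"host": "WS-0302", "user": "CORP\\l2cocbhs",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"host": "WS-0303", "user": "CORP\\deskadmin",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\deskadmin\AppData\Local\Temp\setup.exe"},
]


def evaluate_event(ev):
    """Return a finding dict if the image lives in a temp location, else None.

    Non-admin users get 'high' because the slide's premise is that they have
    no business running code from these paths; admins get 'info' so the event
    is still logged and reviewable without paging anyone.
    """
    for pattern, label in TEMP_PATTERNS:
        if pattern.search(ev["image"]):
            severity = "info" if ev["user"] in ADMIN_ACCOUNTS else "high"
            return {"host": ev["host"], "user": ev["user"], "image": ev["image"],
                    "parent": ev["parent"], "location": label, "severity": severity}
    return None


def evaluate_events(events):
    """Run the rule over a batch of events and keep only the findings."""
    return [f for f in (evaluate_event(e) for e in events) if f]


def to_syslog(finding):
    """Flatten a finding into one key=value line for the central log collector."""
    return "HIPS_TEMP_EXEC " + " ".join(f'{k}="{v}"' for k, v in finding.items())


if __name__ == "__main__":
    for finding in evaluate_events(SAMPLE_EVENTS):
        print(to_syslog(finding))
```

Three of the four sample events match; the fourth is a normal System32 binary and produces nothing. Keeping the parent process in the finding matters for triage: a temp-directory executable spawned by a browser reads very differently from one spawned by a software-deployment agent.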

  28. Does this work?

  29. Typical AV alert report:
      JS/Exploit-Blacole.gq trojan deleted c:\Documents and Settings\b1odpsaj\Local Settings\Temporary Internet Files\Content.IE5\3LYHPBW3\adds_youngs-tickets[1].htm
      FakeAlert-Rena!mem trojan deleted C:\Users\g6edxjfs\AppData\Local\ber.exe
      JS/Blacole-Redirect.y trojan deleted c:\Users\g2odBJPB\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6DRU6D7E\jcap[1].js
      JS/Blacole-Redirect.y trojan deleted c:\Users\g2odBJPB\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6EQZXI8W\md5[1].js
      JS/Blacole-Redirect.y trojan deleted c:\Users\g2odBJPB\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6EQZXI8W\mm_menu[1].js
      JS/Blacole-Redirect.y trojan deleted c:\Users\g2odBJPB\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6EQZXI8W\textsizer[1].js
      Generic.dx!bhml trojan deleted c:\Documents and Settings\L4ECCEER\Application Data\Sun\Java\Deployment\cache\6.0\18\5b0dbf92-27b00084\ConvertVal.class
      Generic.dx!bhnq trojan deleted c:\Documents and Settings\U4GGYNT3.ERD\Application Data\Sun\Java\Deployment\cache\6.0\62\51833e7e-6f4af747\Qe9hq0c.class
      Generic.dx!bhmj trojan deleted c:\Documents and Settings\l2cocbhs\Application Data\Sun\Java\Deployment\cache\6.0\17\2e230d1-2627f1e2\glof.class

  30. What if you could detect malware without a signature anywhere from 1 to 15 days before AV?

  31. 3/5/2013 12:20 NB-NB-02606043 3776 Microsoft Internet Explorer Vector Markup Language Vulnerability (2) C:\Program Files\Internet Explorer\iexplore.exe Permitted bad_parameter
      Vulnerability Name: Vulnerable ActiveX Control Loading A
      Please Remove and Investigate - Exploit-FEW!Blacole, NB-NB-02606043 3/10/2013
      Evidence:
      9 Mar 2013 04:04:06 EST,9 Mar 2013 10:03:21 EST,trojan,Exploit-FEW!Blacole,1 NB-NB-02606043 c:\Users\ctxctx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\662c0a3d-68bf0762,Infected file deleted.
      9 Mar 2013 04:04:06 EST,9 Mar 2013 10:02:20 EST,CENAD,N/A,trojan,JS/Exploit-Blacole.kf, NB-NB-02606043 c:\Users\ctxctx\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7KIUL6H4\q[1].htm,Infected file deleted.

  32. 3/5/2013 16:02 LOL-NB-01583721 3776 Microsoft Internet Explorer Vector Markup Language Vulnerability (2) C:\Program Files\Internet Explorer\iexplore.exe Permitted bad_parameter
      Vulnerability Name: Vulnerable ActiveX Control Loading A
      Please Remove and Investigate - JV/Blacole-FFV!4EBC81B2A371, LOL-NB-01583721 - 3/11/2013 9 KB
      11 Mar 2013 08:24:07 CDT,Infected file deleted.,JV/Blacole-FFU!9DB0385E2EC8, LOL-NB-01583721,c:\Users\CTMCTM\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\4eb3880-5296bc4f\BadRun.class,8,McAfee,ePolicy Orchestrator

  33. 3/5/2013 7:28 MNT-LM01NOL "CMD Tool Access by a Network Aware Application" C:\windows\system32\services.exe Permitted read,execute C:\windows\system32\sc.exe
      Please Remove and Investigate - Possible Malware, MNT-LM01NOL 3/14/2013 33 KB
      Evidence: MNT-LM01NOL MCHTJOPJcvgnWvWrnaqeyLRo C:\windows\BhZvccld.exe Own Process Manual

  34. 3/4/2013 18:38 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\Windows\system32\cmd.exe
      3/4/2013 18:38 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\system32\svchost.exe Permitted Read C:\Windows\System32\cmd.exe
      3/4/2013 18:36 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\Windows\system32\cmd.exe
      3/4/2013 18:35 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\Windows\system32\cmd.exe
      3/4/2013 18:38 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\windows\system32\mmc.exe
      3/4/2013 18:45 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\system32\svchost.exe Permitted Read C:\Windows\system32\tasklist.exe
      3/4/2013 18:39 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\system32\svchost.exe Permitted Read C:\Windows\system32\tasklist.exe
      3/4/2013 18:46 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\Windows\SysWOW64\mmc.exe
      3/4/2013 18:45 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\Windows\SysWOW64\mmc.exe
      3/4/2013 18:37 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\Windows\SysWOW64\mmc.exe
      Please Remove and Investigate - Possible Malware, TS05CPC 3/15/2013
      Evidence:
      TS05CPC Mujkqgnqoz C:\Windows\dcdlGcwB.exe Own Process Manual
      TS05CPC MSmnVhUJZvFOTMWlOqJ C:\Windows\HgcYJFmB.exe Own Process Manual
      TS05CPC MYdVQuZoWaSQlQ C:\Windows\KrmWoUKS.exe Own Process Manual

  35. Did I mention that AV cannot be counted on

  36. Keeping Access/Lateral Movement
      System Tools used – Netstat, Net View, Create and start services – SC
      HIPS/HIDS and Event Logs are key
      Visualize them, look at access times, parse them and write them to a spreadsheet
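Slides 33, 34 and 36 together describe the workflow: collect the "CMD Tool Access by a Network Aware Application" events, look at which hosts touched which tools and when, and get the result into a spreadsheet. The script below is an added example, not the deck's own tooling: it parses event lines laid out like the ones on slides 33 and 34, rolls them up per host with first/last seen and the set of tools touched, marks a host for review when it touches two or more distinct tools or when sc.exe (service creation) appears, and writes the result as CSV. The sample lines are constructed to mirror the slides' layout (one host is invented), and the threshold and CSV columns are my own choices.

```python
"""Parse HIPS "CMD Tool Access" events into a per-host timeline and CSV.

Added example; not part of the deck. The event lines are constructed to
mirror the layout on the slides (date, time, host, quoted signature, process,
action, permission, target); the review threshold and the CSV columns are my
own choices, and WKS-0077 is an invented host.
"""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime

SIGNATURE = "CMD Tool Access by a Network Aware Application"

# Constructed sample lines in the slides' layout.
SAMPLE_LOG = r"""
3/4/2013 18:35 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\Windows\system32\cmd.exe
3/4/2013 18:38 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\system32\svchost.exe Permitted Read C:\Windows\System32\cmd.exe
3/4/2013 18:39 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\system32\svchost.exe Permitted Read C:\Windows\system32\tasklist.exe
3/4/2013 18:45 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\system32\svchost.exe Permitted Read C:\Windows\system32\tasklist.exe
3/4/2013 18:46 TS05CPC "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\Windows\SysWOW64\mmc.exe
3/5/2013 7:28 MNT-LM01NOL "CMD Tool Access by a Network Aware Application" C:\windows\system32\services.exe Permitted read,execute C:\windows\system32\sc.exe
3/5/2013 9:02 WKS-0077 "CMD Tool Access by a Network Aware Application" C:\Windows\Explorer.EXE Permitted Read C:\Windows\system32\cmd.exe
"""

# date time host "signature" process action permission target
LINE_RE = re.compile(
    r'^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}) (?P<host>\S+) '
    r'"(?P<sig>[^"]+)" (?P<proc>.+?) (?P<action>Permitted|Blocked) '
    r'(?P<perm>\S+) (?P<target>.+)$'
)

MIN_DISTINCT_TOOLS = 2          # assumption: two different tools on one host earns a look
SERVICE_TOOLS = {"sc.exe"}      # service create/start is the slide's lateral-movement tell


def parse_log(text):
    """Turn raw lines into dicts with a real datetime and the target's basename."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # skip lines that do not fit the layout
        ev = m.groupdict()
        ev["when"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%m/%d/%Y %H:%M")
        ev["tool"] = ev["target"].rsplit("\\", 1)[-1].lower()
        events.append(ev)
    return events


def host_timeline(events):
    """Roll events up per host: first/last seen, count, tool set, review flag."""
    by_host = defaultdict(list)
    for ev in events:
        if ev["sig"] == SIGNATURE:
            by_host[ev["host"]].append(ev)
    rows = []
    for host, evs in sorted(by_host.items()):
        evs.sort(key=lambda e: e["when"])
        tools = sorted({e["tool"] for e in evs})
        flag = len(tools) >= MIN_DISTINCT_TOOLS or bool(SERVICE_TOOLS & set(tools))
        rows.append({
            "host": host,
            "first_seen": evs[0]["when"].isoformat(sep=" "),
            "last_seen": evs[-1]["when"].isoformat(sep=" "),
            "events": len(evs),
            "distinct_tools": len(tools),
            "tools": ";".join(tools),
            "review": "yes" if flag else "no",
        })
    return rows


CSV_FIELDS = ["host", "first_seen", "last_seen", "events", "distinct_tools", "tools", "review"]


def to_csv(rows):
    """Spreadsheet-ready text, one line per host."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=CSV_FIELDS, lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(host_timeline(parse_log(SAMPLE_LOG))), end="")
```

A single cmd.exe access from Explorer is what a user opening a command prompt looks like, so the invented WKS-0077 host stays unflagged; TS05CPC is flagged for touching cmd, tasklist and mmc inside eleven minutes, and MNT-LM01NOL for services.exe reaching sc.exe at all. The CSV is what gets sorted by first_seen to see the order hosts were touched.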
