Category Archives: BlueTeam

A Glimpse into AI and the SOCs of the Future

About twenty years ago, antivirus, IPS and firewall were managed by security teams; most organizations had only one information security team, and the most important thing was keeping IPS signatures and the antivirus database up to date. But SOCs have been growing year by year because of new attack techniques and the new security controls needed to prevent them. Today, an enterprise organization has more than fifty different security technologies to defend against these complex attacks. Still, a SOC has two core elements: security controls and people.

With the increasing number of devices, the logs of all these devices need to be analyzed and interpreted, and the volume of logs to be analyzed has reached enormous amounts. As data grows, human resources must also increase in direct proportion. Meanwhile, one of the biggest problems of the sector is finding trained analysts. We see that many organizations are trying to continue their SOC operations with less personnel than they need, and these personnel are not only responsible for incident response, but also for red teaming, purple teaming, threat hunting, threat intelligence, and other tasks.

The task of an analyst is not only to examine a log, but also to analyze the logs of other devices based on the findings he/she detects after the examination. While the log volume increases day by day, it may take hours in some cases to analyze all these logs for only one incident. Because of this, many SOC analysts are experiencing burnout on the job, and most organizations cannot respond to alerts as fast as they should.

At this very point, AI, the most popular technology of recent years, comes to the aid of SOCs. AI-powered autonomous platforms, for example Mandiant’s Automated Defense and Darktrace’s Cyber AI Analyst, have become widespread and look like they will have a bigger role in future SOCs. These platforms can collect logs, analyze them, reach a determination and keep analyzing other systems’ logs to decide whether the alert is a false positive or a real incident. With AI, all these processes are done at machine speed and analysts get the results in a very short time, which lets SOC teams respond as fast as possible. Additionally, AI makes fewer mistakes than human analysts. In recent years, we saw many cases where, although there were logs showing an attack, the alert was marked as a false positive by analysts and closed.

AI is still evolving. As in all other fields, it is obvious that it will add a lot to the field of information security in the future. And with this evolving AI, in future SOCs, team members will focus more on threat hunting, threat intelligence and red teaming work. This will enable people to do better quality work and to educate themselves.

Parrot is Used to Conduct Malicious Campaigns

Parrot TDS (Traffic Direction System) has infected web servers hosting more than 16,500 websites, ranging from adult content sites and personal websites to university and local government sites.

The activity was discovered by Avast and is currently being used to run a campaign called FakeUpdate that distributes the NetSupport Remote Access Trojan (RAT) via fake browser update notifications.

FakeUpdate Campaign (From Avast’s post)

Parrot TDS acts as a gateway for further malicious campaigns to reach potential victims. Attackers buy TDS services to filter incoming traffic and redirect it to the final destination serving malicious content.

According to Avast analysts, activity on the TDS servers increased in February 2022, which they detected through suspicious JavaScript files on compromised web servers.

A detailed technical analysis was shared by Avast here.

Biggest Insider Threat – Lapsus$ Job Advertisement

A few months ago, there were reports that threat groups were contacting the employees of the companies they were planning to attack and asking for their support in infiltrating, in exchange for a certain share. It seems that this issue is getting more and more important every day.

Most recently, the Lapsus$ group published a job advertisement saying they are recruiting employees working at certain companies, including Claro, Telefonica, AT&T, Microsoft, Apple and similar ones.

Insider threat is already a major risk for companies because insiders are trusted people of the company and have access to various data and systems. Until now, we have mostly treated insider threats as individual initiatives: employees who are unhappy, who want to achieve some personal gain, careless ones who send e-mails to the wrong destinations, or untrained ones making mistakes on working systems. But with employees who start working with threat groups, the insider threat moves to another dimension. Now, with the support and motivation of the threat groups, the insider threat becomes more dangerous, as the insider really knows what she is doing and is focused.

In the job advertisement, Lapsus$ also calls for those who are not employees but already have VPN access to these companies. This also shows us the importance of third-party risk and NDA agreements. Even if you take adequate precautions with your own users inside, which is not 100% possible, these third-party connections pose a great risk.

There is a lot to be done about this. As a post-incident activity, the penalties given in the cases that have emerged can provide a deterrent in this regard. But the most important thing should undoubtedly be increasing the loyalty of users to the company.

Conti CVEs Leaked

On the 27th of February, a member of the Conti threat group started leaking data from the group, after Conti announced that they fully support Russia against Ukraine. The leak is still going on via the “ContiLeaks” Twitter account.

The leak started with unencrypted chat messages between Conti members. On the 1st of March, the threat actor shared access information for several Conti storage servers and some screenshots of the folders on the servers.

On the 4th of March, another Twitter account, @c3rb3ru5d3d53c, shared the vulnerabilities that Conti is using to compromise systems, in the screenshot below.

Conti has harmed many organizations and continues to do so. We know that in February alone, they hacked many organizations and managed to get their data out.

As can be seen in the screenshot, the threat group is using vulnerabilities that already have patches, instead of very sophisticated techniques. This shows us that even very basic vulnerability management can prevent most of these attacks. Even scanning with free tools and patching the vulnerabilities found can really protect your systems. So, this share from the @c3rb3ru5d3d53c Twitter account was very important for us because it shows that even very simple measures can prevent big problems.

CTI does not mean Fraud Detection

Organizations invest more and more in security tools, yet breach statistics keep increasing. About ten years ago and more, attackers were mostly acting alone and using basic tools, so it was easier to block them. But the advanced techniques and tools, and the groups that came together to attack, made these attacks more difficult to block. Back then there was no such thing as intelligence on our agenda; some basic blacklists and virus databases were enough against most attackers.

CTI (Cyber Threat Intelligence) has become indispensable nowadays. We need more and more information about attackers day by day to gain an advantage in this fight. At the same time, we see that a lot of people confuse threat intelligence with fraud detection. People seem really confused about what to expect from threat intelligence. In this post, I try to describe the needs and usage for CTI.

IoCs: Of course, IoCs are one of the most important things that we expect from a CTI product. We feed our tools with IoCs, and this is the simplest form of security intelligence. It is possible to find open-source IoCs on many historical threats on the internet. Our expectation from a CTI product should be that it gives us the latest IoCs on threats. While evaluating a CTI tool, it should be observed how many IoCs it gives compared to its competitors. Some CTI vendors mostly repackage open IoCs, so it is important to check this before paying money. Meanwhile, the accuracy of the IoCs is also an issue that should not be overlooked. There is no point in pushing so many wrong IoCs into our systems every day; even those false-positive IoCs will cause us to waste time, and time is the most important value in a battle.

TTPs: According to the Pyramid of Pain, which we discussed in depth in the related post, TTPs are the most valuable information for defenders. Sun Tzu says that “if you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” Of course this is very meaningful. If you do not know what tools, techniques and tactics your enemies are using, it would be very difficult to win a battle. For a defender, the most valuable information is these TTPs and the tools that the enemy is using. From a CTI vendor, this must be one of your most important expectations.

Threat Groups: As mentioned before, attackers now work together; they come together and join forces. And while a group is successful with a technique and specific tools and malware, they rarely change these TTPs and tools. So, it is very important to know who is targeting your geography, country and sector. With this information, organizations get really useful IoCs for themselves and can design their defense according to these attackers’ TTPs. In this sense, tracking the threat groups may also be the most important input for the first two bullets (IoCs and TTPs). You can take random IoCs and install them on your systems, but this is never the same as working with information about attackers you know.

Vulnerabilities: These are critical because attackers use them to infiltrate. It is vital to be aware of vulnerabilities as quickly as possible after they appear. Meanwhile, information on whether these vulnerabilities are exploitable, their criticality and the affected systems should also be among the things you expect from CTI. Of course, you need proactive patch management to use this information successfully.

Dark Web Tracking: Every day, a lot of information about companies is offered for sale on the dark web, and different attackers and groups come together by communicating there. It is not possible for a security team to track all forums and portals on the dark web continuously. One of the expectations from CTI should be constant monitoring of the dark web and access to information about threats to the organization.

CTI is not Fraud Detection: Fraud is an important subject for protecting our customers and users. There are many fraud techniques that fraud teams need to be aware of, but CTI is not fraud detection. As mentioned at the beginning, people seem really confused about what CTI and fraud are. Some CTI vendors provide fraud data to their customers. It is undisputedly very valuable. But a CTI product should not be evaluated solely on the fraud information obtained. For a good CTI investment, the above issues should be evaluated.

Image Reverse Search

With the growth of social media usage, fake news and social media scams are growing too. For many reasons, we need to verify posts before we believe and/or share them. Image reverse search is an OSINT technique that is very important because of these social media and news scams, and it is as easy as it is important.

To see if the news is true, one of the tools we can use is image reverse search. There are many ways to do this, but here we will explain the easiest ones.

Suppose we have the above image and we want to know when and where it was taken. We start with Google search.

Google

In Google Images, press the camera icon and upload the image.

We can then directly find the websites that include this image, so we can find where and when it was taken. We now learn that this image is from Syria and shows an airstrike. So if we see it shared as part of another news story as a scam, we will know the truth about it.

Yandex

It is the same with Yandex. We upload the image to Yandex Images in the same way.

Yandex can often find more than Google, so I recommend using Yandex too in your searches.

Threat Hunting III – Pyramid of Pain

As we mentioned in the previous sessions, IoCs are crucially important for a proactive threat hunting process. Threat hunters should know most of the information about new threats and implement it in their hunting processes. The Pyramid of Pain classifies IoCs and helps us better understand their usefulness.

The Pyramid of Pain was created by David Bianco (FireEye). He also has a YouTube video presenting it.

Pyramid of Pain

This pyramid classifies the IoCs, and as we go up the pyramid, the IoCs help us more to detect suspicious activity. Also, as we go up, it is harder to obtain these IoCs. Now, let’s check these IoC types briefly:

Hash Values: A hash value is a unique identifier of data. In theory, the hash value of each piece of data is expected to be unique to itself, so it is easy to identify a piece of data or a file by its hash value. As an example, you can see below the hash values (both MD5 and SHA256) of openvpn.exe.

Hash values of openvpn.exe

Hash values are at the bottom of the pyramid because it is very easy to change a file’s hash value, and if you do not have the newly changed hash, you cannot detect this file anymore.

IP Addresses: IP blacklists are still used by many different products; however, it is also easy for an attacker to change the IP address. So, again, it does not help much to detect an adversary.

Domain Names: Every day we see that attackers can obtain new domain names very fast and continue their attacks with ever-changing domain names.

Network/Host Artifacts: These are the clues that adversaries leave on the PC or network. These can be registry keys, processes, user-agent strings, etc. Of course, to obtain such information, forensic analysis needs to be done on compromised PCs or networks.

Tools: Adversaries have their favorite tools for attacks, just like pentesters do. It is important to know the tools your enemy is using; if you are good at detecting these tools, you can easily detect the attack, or you force the attackers to use other tools. This slows down the attack and saves you time.

TTPs: Tactics, techniques and procedures are the patterns of activity or methods of a specific threat actor. As you all know, you can find all TTPs on MITRE’s website, and they are the most valuable data for identifying an attack. If you know the TTPs of your enemy, you know what to check for a possible attack and how to mitigate it.
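The following PowerShell script is an added example, not code from the original post. It covers two points made above: feeding a hash list from a CTI feed into a sweep (the IoCs paragraph in the CTI post) and why hash values sit at the bottom of the Pyramid of Pain. Everything in it is constructed for the demo: the sample file, the folder under $env:TEMP and the $IocHashes table, which stands in for the hash list you would take from a feed or an IoC file.

```powershell
# Added example, not code from the original post: a small hash-based IoC sweep
# that also shows why hash values sit at the bottom of the Pyramid of Pain.
# Everything here is constructed for the demo; $IocHashes stands in for the
# hash list you would take from a CTI feed or an IoC file.

function Find-HashIoc {
    param(
        [Parameter(Mandatory)][string]$Path,      # folder to sweep
        [Parameter(Mandatory)][hashtable]$Iocs    # hash (hex) -> indicator label
    )
    # Hash every file with both algorithms and report any value present in the feed.
    Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
        $file = $_
        foreach ($alg in 'MD5', 'SHA256') {
            $h = (Get-FileHash -Path $file.FullName -Algorithm $alg).Hash
            if ($Iocs.ContainsKey($h)) {
                [pscustomobject]@{
                    File      = $file.FullName
                    Algorithm = $alg
                    Hash      = $h
                    Indicator = $Iocs[$h]
                }
            }
        }
    }
}

# --- demo setup: a constructed sample file and an IoC table built from it ---
$demoDir = Join-Path $env:TEMP 'pyramid-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$sample = Join-Path $demoDir 'sample.bin'
[System.IO.File]::WriteAllBytes($sample, [System.Text.Encoding]::ASCII.GetBytes('constructed sample content'))

$IocHashes = @{}
$IocHashes[(Get-FileHash -Path $sample -Algorithm MD5).Hash]    = 'demo-indicator (MD5)'
$IocHashes[(Get-FileHash -Path $sample -Algorithm SHA256).Hash] = 'demo-indicator (SHA256)'

'First sweep: the file matches both hash indicators'
Find-HashIoc -Path $demoDir -Iocs $IocHashes | Format-Table -AutoSize

# Append one byte. The file still does the same thing, but every hash changes,
# so a feed that only carries hashes goes blind immediately.
[System.IO.File]::AppendAllText($sample, ' ')

$hits = @(Find-HashIoc -Path $demoDir -Iocs $IocHashes)
"Second sweep after a one-byte change: $($hits.Count) hit(s)"
```

The first sweep reports two hits (one per algorithm); after the one-byte append the same file produces zero hits, which is exactly the trade-off the pyramid describes: hash IoCs are cheap to load into tools and precise when they match, but trivially evaded, so a hunt should pair them with artifacts, tools and TTPs from higher up the pyramid.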

Zone Identifier Commands

With the Zone Identifier, we can tell whether a file was downloaded from the internet or not.

A Zone.Identifier is an ADS (Alternate Data Stream) attached to another file that contains information about that file. It describes the security zone for the file. Zone identifier streams are generated by Internet Explorer and Outlook when saving files on a Windows operating system. These streams are normally hidden and cannot be opened directly.

Via PowerShell, we can find the Zone Identifier of a file:

PS C:\Progs\Forensics> Get-Content -Path C:\Progs\Forensics\autopsy-4.17.0-64bit.msi -Stream zone.identifier

PS C:\Progs\Forensics> Get-Item -Path C:\Progs\Forensics\autopsy-4.17.0-64bit.msi -Stream *

How To Remove Zone Identifier

For several reasons, you may choose to delete Zone.Identifier streams. It is very easy to do. Just right-click the file and tick “Unblock” in the “Properties > General” menu.

If you want to unblock multiple files, it is still easy. Just navigate with PowerShell to the folder containing the files you want to unblock and type:

dir * | Unblock-File

This will clear the zone identifier from every file in this folder.
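As an added example (not from the original post), the following PowerShell script reads the Zone.Identifier stream of every file in a folder, parses the ZoneId, ReferrerUrl and HostUrl fields, and lists which files came from the Internet zone, so you can review where a download came from before unblocking it. The demo folder, the file and the stream content are constructed here; writing a stream with Set-Content -Stream needs an NTFS volume.

```powershell
# Added example, not code from the original post: triage Zone.Identifier streams
# in a folder before unblocking anything. Demo folder, file and stream content
# are constructed; the parsing applies to real downloads unchanged.

function Get-ZoneInfo {
    param([Parameter(Mandatory)][string]$Path)

    # URLMON zone numbering as written by browsers and mail clients.
    $zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

    Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
        # Files without the stream raise an error; SilentlyContinue leaves $raw empty.
        $raw = Get-Content -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if (-not $raw) { return }   # no stream: not a tracked download, skip it

        # The stream is INI-style: a [ZoneTransfer] header followed by Key=Value lines.
        $fields = @{}
        foreach ($line in $raw) {
            if ($line -match '^\s*([A-Za-z]+)\s*=\s*(.*?)\s*$') { $fields[$matches[1]] = $matches[2] }
        }
        $zoneId   = if ($fields.ContainsKey('ZoneId')) { [int]$fields['ZoneId'] } else { -1 }
        $zoneName = if ($zoneNames.ContainsKey($zoneId)) { $zoneNames[$zoneId] } else { 'Unknown' }

        [pscustomobject]@{
            File        = $_.FullName
            ZoneId      = $zoneId
            Zone        = $zoneName
            ReferrerUrl = $fields['ReferrerUrl']
            HostUrl     = $fields['HostUrl']
        }
    }
}

# --- demo setup: one constructed file with a constructed Zone.Identifier stream ---
$demoDir  = Join-Path $env:TEMP 'zone-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$demoFile = Join-Path $demoDir 'downloaded.msi'
Set-Content -Path $demoFile -Value 'constructed sample content'
# Imitates what a browser writes for an Internet-zone download (example.test is a constructed host).
Set-Content -Path $demoFile -Stream Zone.Identifier -Value @(
    '[ZoneTransfer]',
    'ZoneId=3',
    'ReferrerUrl=https://example.test/downloads/',
    'HostUrl=https://example.test/files/downloaded.msi'
)

Get-ZoneInfo -Path $demoDir | Format-List

# Only Internet-zone files are candidates for unblocking; -WhatIf previews the action
# so nothing is changed until the source URLs have been reviewed.
Get-ZoneInfo -Path $demoDir | Where-Object ZoneId -eq 3 |
    ForEach-Object { Unblock-File -Path $_.File -WhatIf }
```

Running it lists downloaded.msi with ZoneId 3 (Internet) and the two URLs, then prints the Unblock-File action it would take. Dropping -WhatIf performs the unblock; keeping the loop on ZoneId 3 leaves intranet and local files untouched, and the ReferrerUrl/HostUrl values are the same data you would want in a ticket when a user reports an unexpected download.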

Searching for IoC with Redline

Redline is a free tool for investigating malicious activity through memory and file analysis. It has a lot of features for investigation, but in this post we will only cover searching for IoCs on the endpoint with Redline.

In the previous post, we created an IoC to detect WinSCP.exe. Now, we will search for it with Redline as the example.

We continue with the “Create an IOC Search Collector” menu on the main page of Redline. To do this, we browse to the folder containing the IoCs we want to search for on the PC. We have only one IoC here, but if you have more IoCs in the folder, you will see all of them in the “Indicators” tab.

Then we create a folder for the IoC Collector and, after clicking the “Next” button, point to this folder. Redline creates the IoC Collector in this folder. We will now use the RunRedlineAudit.bat file from the command line. Once the bat file finishes running, it will create a folder called “Sessions” in the same directory and save its outputs there.

Just run the “RunRedlineAudit.bat” file and wait for it to finish. Then open the “Sessions” folder. Each IoC sweep is placed in its own folder called “AnalysisSessionX”. This was our first sweep, so we click on the “AnalysisSession1” folder. Our IoC report will be in the “AnalysisSession1.mans” file. We click on this file, and it will take some time to generate the report.

When the IoC report is generated, we can see it in the Redline tool under the “IOC Reports” tab. As you can see in the screenshot, our WinSCP Indicator IoC got hits. When we click on it, we can see why this IoC got a hit. Here, our IoC caught the file by its MD5 hash value and file name. By clicking the “View Details” button, we can see more details about the hit.

Data Collection with Redline

As we discussed before, Redline is a great tool for investigating endpoints. In this post, we will explain how to collect memory data with Redline.

First, on the main page of Redline, we click the “Create a Standard Collector” button. In the window that opens, we click the “Edit your script” label and make sure we choose everything we need for memory analysis. Then we create a folder for the analysis and point to it by browsing in the Redline window.

This process will create the data collector in the folder we chose. Then we open a cmd and run the “RunRedlineAudit.bat” script in this folder.

Once the script starts running, you can see some analysis output created in the “Audit” folder. Of course, it will take some time to finish the analysis.

When it finishes, click the “AnalysisSessionX.mans” file in the “Audit” folder and this will open Redline again.

This file provides all the information that we selected at the beginning (Edit your script).