With Zone Identifier, we can say whether a file downloaded from internet or not.
A file with zone.identifier extension is an ADS (Alternate Data Stream) file that contains information about another file. It describes the security zone for the file. Zone identifier files are generated by Internet Explorer and Outlook when saving files to a Windows operating system. These files are normally hidden and cannot be opened directly.
Via powershell, we can find Zone Identifiers of a file;
Redline is a free tool for investigation malicious activity through memory and file analysis. It has a lot of features for investigation but in this post, we will only mention searching for IoCs in the endpoint with Redline.
In previous post, we created an IoC to detect WinSCP.exe. Now, we will search it with Redline as the example.
We will go on with “Create an IOC Search Collector” menu in the main page of Redline. For doing this, we browse the folder that including IoCs we want to search in the PC. We have only one IoC here but if you have more IoCs in the folder, you will see all of them in “Indicators” tab.
Then we create a folder for IoC Collector and after clicking “Next” button, we show this folder. Redline creates the IoC Collector in this folder. We will now use RunRedlineAudit.bat file with the command line. Once the bat file finishes running, it will create a folder called “Sessions” and save outputs to this folder in the same directory.
Just run the “RunRedlineAudit.bat” file and wait for finishing. Then, open the “Sessions” folder. Each IoC sweep placed in its own folder calle “AnalysisSessionX”. This was our first sweep, so we click on “AnalysisSession1” folder. Our IoC report will be in “AnalysisSession1.mans” file. So, we click on this file, and it will take some time it generates the report.
When IoC report generated, we can see it on Redline tool, “IOC Reports” tab. As you can see in the screenshot, our WinSCP Indicator IoC got hits. When we click on it, we can see why this IoC got hit. Here, our IoC catch the file with its MD5 hash value and file name. With clicking on “View Details” button, we can see more details about the hit.
As we discuss before, Redline is a great tool for investigating endpoints. In this post, we will explain how to collect memory data with Redline.
First, in the main page of Redline, we click on “Create a Standard Collector” button. In the opened window, we click on “Edit your script” label and be sure we choose all we need for memory analysis. Then we create a folder for analysis and show it with browsing in the Redline window.
This process will create the data collector in the folder we choose. Then we open a cmd and run “RunREdlineAudit.bat” script in this folder.
Once the script starts to run, you can see some analysis created in “Audit” folder. Sure, it will take some time to finish the analysis.
When it finishes, click on “AnalysisSessionX.mans” file in the “Audit” folder and this will open Redline again.
This file provides us all the information that we checked at the beginning (Edit your script).
In “Open Threat Exchange” post we mentioned that shared IoCs by other parties on Open Threat Exchange. Open IoCs are nice since they are manufacturer independent and can be used in a lot of different technologies for detecting threats.
Viewing Existing IoCs
In this post, we will mention on Mandiant IOC Editor. First of all, Mandiant IOCe could be used to view open IoCs which you downloaded from different sources. Here, we will show a simple example to view an existing IoC. So, as example, we download an IoC from Open Threat Exchange. This is the IoCs of malicious files found on Pulse Connect Secure devices. This is an xml file downloaded and has 108 IoCs containing 36 MD5, 36 SHA1, and 36 SHA256 hash values. You know, IoCs are not only hashes. They can contain a lot of different attributes about the attack, but in this example, we only have hash values. Later in this post, we will create IoC with different attributes also.
After we download the IoCs as xml file, from File > New > Indicator From File menu and choose the xml file. Here, we can see all the IoCs we downloaded and if we want we can change, delete or add IoCs in that file.
Create an IoC
It is also so easy to create IoC with Mandiant IOCe. We start from File > New > Indicator menu. Firstly, IOCe provides us to give a name and description for the IoC. As the example, we will create IoC for detecting WinSCP file. Let’s check hash values of WinSCP.exe file first. MD5 and SHA256 is enough for us now.
From Item > File Item menu, we choose File MD5 and paste the MD5 value of the file. Let’s do the same for File sha256 menu. Additionally, we add File Name in OR logic.
Then, we can add more attributes from hundreds of items in IOCe. We tried to show some of them in the screenshot below.
Do not forget that attributes you choose should be unique to the file, so it can be detectable and less false positives occur. Description is important while creating an IoC, since open IoC is developed to be used by everyone, and if you create an IoC, it is better to write enough description to understand by others.
Open Threat Exchange is a threat intelligence platform from Alien Vault. It is not limited to use this platform to get intel information.
When you register and log in to OTX, you can easily see the summary of the threats in “Subscribed Pulses” section.
Let’s choose a threat, called “Wiper luring the Olympic Games”. When we click, we can see details of the threat like a brief description, reference, tags for searching easily later, and TTP Id for Att&ck.
In the same page, in Indicator of Compromise section, we see IoCs of this threat. For this example, we have an MD5, a SHA1 and a SHA256 hash values as IoC. These IoCs have more details and you can easily see the details with blue “go to details” button at the right of the IoC.
We have more details here like file type, size, different hash values, metadata information, and VirusTotal check.
In the main page of the pulse, you can download the IoCs in different forms. You can easily download and use these IoCs to detect the threats.
In the Browse tab of OTX, it is classified by pulses, groups, indicators, malware families, industries and adversaries. It is valuable to search for specific threat actors and their TTPs, and IoCs to detect them.
OTX also provides to create pulses and API connection. It has a simple user interface so do not want to touch all menus here.
An effective threat hunting is critical because it is hard to think like attackers and to search for the unknown in an enterprise network. This post may help organizations for an effective and successful threat hunting.
Knowledge of Topology and Environment
The purpose of threat hunting is to find the anomalies and their sources in the network and endpoint. So, a threat hunter should know what is normal and so can understand what is not normal.
From the risk management point of view, critical assets – servers, applications, data – should be known to protect more effectively. With the knowledge of the environment, the threat hunter knows the critical assets and hunts according to this. If there is segmentation in network, it is also critical to know the network topology and networks – or vlans – of these critical assets.
It is also necessary to know which application is running on which operating system, so the threat hunter can know the weaknesses of the system and can search according to these weaknesses.
Effective Endpoint Management
For threat hunting, the most used tools are EDRs. Organizations should be sure that they installed endpoint security tools to all endpoints and detect when they removed or stopped. Asset management is something more than CMDB. It must be managed by security teams whose understanding the criticality of the lack of endpoint security tool in an endpoint.
Threat intelligence is one of the most important feeds of threat hunting. Threat hunters need to have most recent intelligence and IoCs so they cant perform hunting the latest threats. Many malicious are produced and detected every day. This situation causes a lot of noises about intel. To avoid this noise, hunters should get valuable intelligence about their organization’s sector and geolocation, and integrate these IoCs with SIEM, EDR, etc..
We all know that new tactics and techniques are created by attackers in general. The most important reason for this is while security professionals in organizations have to deal with so many different things, attackers can only focus on their target. Even if it so important to have valuable/experienced personnel, if they are dealing with different organizational missions while they are working, it will be difficult for them to think like an hacker and detect the unknown in the network. Threat hunters should focus to their mission to create their methodology and hunt. So, there should be dedicated personnels for threat hunting.
Coordination Across the Organization
Yes, threat hunters work in a strange mission, think like a hacker and search across the network but they must not work alone. A threat hunter should have a good relationships with key personnel in IT departments like network and system admins, help desk personnel and so on. With these relationships, they better understand the network, systems and more importantly the company’s and personnels’ way of doing business. For organization’s perspective, when a threat hunter finds a weaknesses during the hunting process, they inform critical IT personnel for remediation. This team working will result as a success in remediation phase of the incidents or weaknesses.
Intelligence is critical for hunting for the known threats but hunters should be familiar with the TTPs of the attackers against the zero day threats. Threat hunters also should be aware of the updated or newly TTPs. Only with this knowledge hunters can act like an attacker. TTPs are at the top of Pyramid of Pain (defined by David Bianco).
To disclose the anomaly or malicious activity, threat hunters should use advanced tools like EDR, NDR, SIEM, FIM, etc.. These tools will help hunter to find abnormal activities if configured properly. In different posts, we tried to explain why they should be used.
Sophos announced that analysts uncovered a new ransomware – called Epsilon Red – that developed in Go programming language. The code is placed in PowerShell script.
This malicious file is written in Go programming language and a 64-bit executable file. It is said that spreading in systems by exploiting security vulnerabilities in Microsoft Exchange servers. It is using vulnerabilities like CVE-2020-1472, CVE-2021-26855 and CVE-2021-27065 that recently discovered Microsoft Exchange servers vulnerabilities. Epsilon Red ransomware scans files and encrypts for ransom when it reach to the target systems. It seems like still there are more than three thousand exchange servers that including these vulnerabilities and this shows us Epsilon Red attacks would be more painful.
According to Sophos, Epsilon Red has been seen in hospitality industry in USA mostly, and it seems like one of their victims paid 4.29 BTC after being affected.
For not being affected, organizations should keep the applications up to date and detect these IoCs below to prevent this attack. Also you can read our short post about prevention agains ransomwares.
Although Threat Hunting is nothing new, it is a very hot topic lately. Even if you have perimeter and endpoint security devices and SIEM for collecting and correlating logs from them, it is not a good way to wait for incidents coming. Without Threat Hunting, dwell time is increasing more than 150 days, and this is not acceptable anymore. While attackers are working proactively and developing new techniques day by day, security teams need to be more proactive too. Threat Hunting is the most proactive approach in an organization’s security structure and improves its security posture.
Dwell time is the dirty metric nobody wants to talk about in cyber security. It signifies the amount of time threat actors go undetected in an environment, and the industry stats about it are staggering. Source: Extrahop
In its simplest definition, Threat Hunting is detecting abnormal activities on endpoints and network. But, what to look for hunting threats?
What to Hunt?
Threat Hunting is a continuous process. Hunters should check anything that could be an evidence of an incident.
Processes: Processes are important components of OSs. Adversaries may inject malicious code into hijacked processes. Therefore, hunters should check processes and child processes regularly.
Binaries: Hunters should check binaries with their checksum, name and other specifications.
Network: Network activities to specific destinations and anomalies in network should be checked.
Registery: Hunters should check registery key additions and modifications.
For a continuous hunting, organizations need to have threat hunters in their CSIRT. The difference between analysts and threat hunters is the proactive approach as mentioned before. Also in smaller organizations, SOC analysts may work on threat hunting but actually, a threat hunter may has more specifications than an analyst. In larger organizations, it is important to have a dedicated threat hunting leader and team. This team should has detailed knowledge about;
OSs: The Threat Hunting team should have knowledge about OSs that organization is using. This knowledge must include process structures, files, permissions, and registery depending on the OS. This is important because malicious files and attackers make changes in OS here. A threat hunter need to understand what is normal and what is not. Something is not normal could be a sign of an intrusion. For having this knowledge, baselines could be created for all critical systems. These baselines will help to know the normal and the anomalies.
Apps: Threat Hunters should have knowledge about the applications used in the organization. It is also important to know perimeter and endpoint security devices and applications used by organization.
Business: Threat Hunting team should have knowledge about the organization’s business so they need to follow adversaries working on the organization’s sector and geographical location. It is also important to know third party companies the organization works and communication ways with them.
Network: In a big and segmented network structure, it is important to know where the critical assets are.
TTPs: IoCs are important components for hunting but they provide to detect “known knowns”. TTPs are at the top of Pyramid of Pain (defined by David Bianco) and especially adversaries’ techniques and tactics should be known those are threatening the organization’s sector and location.
Threat Hunting Tools: In CSIRT plan, it needs to be included that which tools and techniques can be used for threat hunting. Threat hunters should have knowledge of these tools and techniques.
IR&H Plan: Threat hunting is only a step of proactive approach. If threat hunters successfully find an intrusion or anomaly in systems, they need to know the next step. Who should they inform? What should be done?..etc..
Threat Intelligence: Threat intelligence is one of the most important feeds of threat hunting. Threat hunters need to have most recent intelligence and IoCs so they cant perform hunting the latest threats.
EDR: Threat hunters need IoCs but also need to know how to use these IoCs. After gathering the most recent IoCs from TI platforms, an IoC sweep must be made on endpoints.
NDR: Just like endpoints, network traffic also need to be checked with the latest IoCs. For doing this, CSIRT need to collect all east-west and south-north network traffic. NDR devices those have AI capabilities also detect anomalies in the network.
SIEM: Depending on the hunt’s scope, the threat hunter may need to check IPS/IDS, proxy, DNS, firewall or some other tools’ logs. Because logs are coming from different sources, CSIRT need to collect and correlate these logs in SIEM and feeding SIEM with the latest IoCs, these logs will more meaningful.
FIM: We said that baselines must be created for critical systems. FIM solutions will help CSIRT to create baselines for OSs and alert analysts when an unauthorized transaction is made.
Because an insider is an employee, is a trusted person and has access to various data, insider threats are major risks for organizations. Organizations are investing to prevent perimeter against external threat but focusing less on internal threats. This is the other factor that making insider threat more risky.
Attacks may come from different type of employees. These attackers may be system admins or managers who have authorized access to critical data, some unhappy or terminated employees, users who lost a device including sensitive data, or sending e-mail to incorrect receipints, or untrained personnel about security policies and best practices who subjected to social enginneering attacks.
All types of incidents require similar steps to respond. Here, we will try to explain the stages incident responders and actually whole organization must realize against an insider attack.
EFFECTIVENESS OF INSIDER THREAT
Insider threat is a major risk because these kind of attack are very effective. It is difficult to detect and can go undetected for years. It is very easy to attack from inside since users have authorization to some data and systems, and can easily cover their actions by reaching to logs and deleting or modifying them. This makes also difficult to detect these type of attacks. Organizations need to monitor users’ behavior to detect and respond quickly.
As against all type of attacks, organizations need a well planned and regularly tested incident response plans to contain and eradicate insider attacks.
The organizations must always be ready to an insider attack. Preparation stage is important to detect and respond these attacks.
Conduct security awareness trainings regularly to inform users against social engineering techniques. Insider attacks are not only done by malicious employees. Regular security awareness trainings will prevent your users with access to sensitive data from being used by malicious people.
Train users how to report any policy violation.
Classify organization’s data, identify the critical ones and apply need to know approach to reach to data.
Be sure all necessary logs are collected in SIEM.
Use privileged access management tools for storing passwords for all types of accounts reaching to critical data or production environment.
Make sure that terminated employees’ access rights are immediately removed both for logical and physical systems.
Deploy data loss prevention tools, but never trust that DLP will fully protect you. It is important to know the gaps of DLP tools to prevent data better. Make sure you read our post about DLP 🙂
Install NDR to detect abnormal behaviors of users. You can access our article explaining the importance of NDR against insider threat.
Install honeypot and honeytokens to lure attackers.
Segregate backup network from production or test networks and implement secure access methodologies to backup files.
Device control should be applied in the whole systems of the organizations. Users should not be allowed to use external storage.
Employees should sign a confidentiality and nondisclouse agreement bu Human Resources department.
Regularly and objective interviews and feedbacks from employees will help organization keep employees more peaceful.
DETECT AND ANALYZE
Indicators for insider threats are mostly abnormal behaviors of users. So, NDR with artifical intelligence technologies to detect anomaly in the network, UEBA, and Honeypot tools are critical to detect these type of attacks. The changes in network usage pattern may be indicator for ann insider threat.
It is important to collect logs in SIEM but in most cases, we saw in real life that huge amount of log data causes missing of malicious activity. It is more important to collect valuable logs and corralate them than collecting. Also, missing or modified logs may be indicator for insider threats. All log sources must be checked regularly to detect such an incident.
Accessing resources in unusual time and from unusal location may be indicator of insider threats. However, multiple login fail attempts may be used with these time and location information to cover unauthorized access attempts.
Users’ social media actions should be monitored. Unhappy and unmotivated users may try to post some unnecessary information about the organization.
Incident responders must analyze different logs from different sources after a suspicious activity has been reported. These logs may include IDS/IPS, proxy, NDR, EDR, DLP and email logs. They should check for a suspicious network connection and data transfers outside the network.
For all types of attacks, containment is an indispensable stage for incident responders. It is fatally important to contain the source in question to prevent bad actors’ actions both laterally and outbound. Containment will minimizes the damages. Advanced EDR tools allows containment of such sources without having to be physically present near the source and incident handlers can still keep analyzing these sources while the threat could not be spread.
After detecting the malicious insider and containment, all privileges and credentials of this actor should be blocked, including e-mail and domain account and physical access cards.
The organization should have an incident response plan and procedures to be able to move fast after an incident occurs. Eradication is also an important stage for incident handling and incident handlers should know in advance what to do in a case of insider attack by checking the policies and procedures. However, eradication is not just CSIRT’s job. These are some processes all departments and emmployees must be involved. Malicious actor’s behaviors should be determined step by step and the preventive or detective control missings that allow her to do must be corrected. New security controls should be added and preperation stage should be reviewed again.
The recovery stage must begin immediately after detecting, containing and eradicating the insider threat incident. If data is stolen and exfiltrated, incident responders should contact immmediately with the threat actor before selling or disclosuring it publicly.
Incident responders must be sure to gather ennough evidence for legal proceedings. This evidence will also help insurance processes.
In case the attacker placed malware or a backdoor inside the network, all systems should be checked carefully and all outbound connections should be checked against a C&C communication. A threat Hunting activity may be required.
If information is stolen and the stolen data is including user credentials, passwords should be changed whole over the organization.
This is one of the most important steps in incident Response. CSIRT should create a lessons learnt document after all incidents, this is also goes for insider threat incidents too. This lesson learnt documents will help organization preparing more effective to possible future incidents. In this stage, all the confusion caused by the incident will be gone and teams and responsible can identify what needs to be done for future readiness. Also, policies and procedures should be reviewed and changed if needed after lesson learnt works.
Also, all incidents and evidences should be documented properly to use in future.
As organizations, and security teams, we purchased many security devices for providing both network and endpoint security. However, attacks continue at the same pace, even we faced bigger attacks last year, and they are getting more sophisticated. So, what is the next step for organizations?
NDR market guide was shared last year by Gartner. As the idea, NDR uses (or must use) artifical intelligence to detect malicious behaviors, both from external threat actors and insider threats. This means, we will no longer just store the huge network traffic data via full packet capture products, but also detect the anomalies in these captured traffic. So, NDR will play a major role in helping security team to response quicker.
Unfortunately, the only obstacle to the teams last year was not the more sophisticated attacks, but also the “new normal” made security teams so hard. Now, more users are reaching to organization’s sources, getting e-mails and downloading files out of office. Control over users’ behaviors is less and less. When that happens, the need for more sophisticated technologies is also increasing.
Even if we implement many security technologies to our structure, attacks are still going on. Now it is necessary to detect whether there is anyone inside as much as protecting the border. Honeypot technologies and EDRs have been used for this for years but these are not enough to decrease the dwell time. If you failed to prevent and detect an attacker inside your network, or an insider threat, it is always difficult to prevent data exfiltration, or your file from being encrypted.
Machine learning is the key here. The main idea is anomaly detection inside the network. The first step is to profile entire organization’s network and users’ and computers’ traffic. After having such a profiling, it will be easier to detect anomalies inside the network. Anomalies can be in different forms like data exfiltration to some rare destinations, uploading files to IP addresses without hostnames, login attempt from strange destinations (for cloud or vpn), and copying in large number of files from an smb share. We expect the NDR to catch all of that, of course more.
More otganizations are using cloud infrastructure more and more. Public, private, or hybrid, cloud infrasturctures are also a part of us. Critical files are stored and applications work there, and the responsibles are the customers for the data’s security.
Think of a scenerio like that; you have users storing files in cloud and they are working with a few of these files during their work. A user, has a permission to reach these files, downloading most of the files in a very short time, then resigns from work. Or, this user’s credentials have been compromised, and someone connected to your cloud from a country that non of your users normally connect and made anomalous behaviors. NDR must cover also cloud and detect these incidents. It is hard to implement a UEBA solution, thus, NDR can be implemented to detect insider threat.
THE NEW NORMAL
Most of the organizations were caught unprepared for Covid situation. Users had to work at home and connected to organizations’ network or cloud from home. That means, users can connect to internet less controlled. An NDR with endpoint capabilities will also cover users at home, corralate users behaviors with your network traffic and can detect threats.