De-Coder’s Ring

Software doesn’t have to be hard

Month: December 2016

Grizzly Steppe: Lighting up Like A Christmas Tree

Grizzly Steppe:  JAR-16-20296

Yesterday, US CERT along with the US Department of Homeland Security (DHS) released a Joint Analysis Report (JAR) on GRIZZLY STEPPE. If you’ve been reading the news over the past few months, you’ve seen the accusations of Russia’s interference on the 2016 US Election. In generalities, the US alleges that Russian nationals hacked into the Democratic National Conventions systems, and through a series of campaigns, were able to leak internal documents that were a bit damning. Many believe there was a direct influence into the results of the election, therefore messing with our need for a pure and ‘internal’ election. This post is not to discuss the politics of it, but more to discuss the GRIZZLY STEPPE release that came out yesterday.

GRIZZLY STEPPE

As you know from my other posts about Threat Intelligence ( Overview, Mini Rant, etc)

a briefing like this comes across in a few formats. First is the writeup:

Security Briefing

Then the STIX:

STIX Documents

Then a PDF:

PDF Documents

 

Overview of the attack

These are a mix of analysis and marketing, in my opinion. That’s not a bad thing. There is a ton of useful information in that PDF that describes that context around these attacks. You can read in there that there were two groups (APT 28 and APT 29) that were active over the same time period. The attacks came through ‘neutral space’ (AKA The Internet), so there was a tech/air gap between the attackers and the victims. This provides a way of hiding the true source of the attack.

From US CERT – Grizzly Steppe Attack Flow

The initial penetration came from targeted spear-phishing. These are custom crafted emails, that are meant to seem legitimate. Spear-phishing is different from phishing, and can be generally distinguished between the approach. A typical phishing campaign will blast the same email to hundreds or thousands of email addresses, hoping someone clicks a link and enters their bank account information. Spear-phishing is hyper targeted. They will research the recipient, and craft messages to them.

Once a message ends up in someone’s inbox, the user still has to typically perform an action (click a link). When the user clicks the link, they are directed to a malicious website that will drop malware on their machine. After the malware is installed, it can do the nasty things we’re all scared of. In this case, the two types of malware behaved a little differently.

From US CERT – APT 28 and APT 29 Comparison

APT 29’s malware was focused on finding internal data, and sending it out over an encrypted channel using their own encryption keys, making it impossible for anyone to read what was coming out. APT 28’s malware acted more as a zombie piece of code. It waited for command and control messages from an external system before executing. According to the writeup, it logged real time data (keyloggers) and executed code , instead of finding existing files to exfiltrate.
Let’s talk about the observables

Before the briefing (above) got to my inbox, the Perch Security system had already pulled the latest data from DHS AIS. DHS AIS is the Automated Indicator Sharing platform that the Department of Homeland Security runs. Essentially, it’s their TAXII feed that serves STIX data. (( For a refresher, look here: ))

The data comes out in a bunch of documents, that together, form this story.

Grizzly Step STIX content in graphical format

The yellow in the center is the STIX Package. This package let’s us know the general context. In this case, there isn’t much beyond a title: “JAR-16-20296” and the description: “This indicator is alleged to be connected to suspicious malicious activity.”. The TLP (Traffic Light Protocol) of all this is WHITE , which means I can freely share all this information.

There are 912 Indicators (Pink) and each Indicator has an Observable (Blue).
The indicator descriptions are also quite generic.

877 of them have the description”Malicious IPv4 Indicator”

24 of them have the description “Malicious File Indicator”

10 of them have the description “Malicious FQDN Indicator”

1 of them has the description “Malicious URL Indicator”

You can see a full breakdown of the Observables below.. mostly IP addresses, a few domain names and a few file hashes.

Slicing and Dicing

Title Description Count
Malicious IPv4 Indicator This IP address is located in China. 45
Malicious File Indicator It is recommended that network administrators review systems for the existence of this hash and determine possible malicious activity. 17
Malicious IPv4 Indicator This IP address is located in France. 11
Malicious IPv4 Indicator This IP address is located in Japan. 6
Malicious IPv4 Indicator This IP address is located in Canada. 6
Malicious IPv4 Indicator This IP address is located in Thailand. 6
Malicious IPv4 Indicator This IP address is located in Mexico. 3
Malicious IPv4 Indicator This IP address is located in the United Kingdom. 3
Malicious IPv4 Indicator This IP address is located in Puerto Rico. 3
Malicious IPv4 Indicator This IP address is located in Italy. 3
Malicious IPv4 Indicator This IP address is located in Luxembourg. 2
Malicious IPv4 Indicator This IP address is located in Iran. 2
Malicious IPv4 Indicator (empty) 2
Malicious IPv4 Indicator This IP address is located in India. 2
Malicious IPv4 Indicator This IP address is located in Brazil. 2
Malicious File Indicator This DLL is a fully functioning Remote Access Tool and variant of OnionDuke malware family. The following text is … 1
Malicious FQDN Indicator It is recommended that network administrators review traffic to/from the IP address to determine possible malicious activity. 1
Malicious FQDN Indicator The Remote Access Tool malware “AE7E3E531494B201FBF6021066DDD188” attempts to use this C2. 1
Malicious IPv4 Indicator This IP address is located in Mongolia. 1
Malicious IPv4 Indicator This IP address is located in Kenya. 1
Malicious IPv4 Indicator This IP address is located in Cambodia. 1
Malicious IPv4 Indicator This IP address is located in United Kingdom. 1
Malicious IPv4 Indicator This IP address is located in Ukraine. 1
Malicious IPv4 Indicator This IP address is located in Austria. 1
Malicious URL Indicator It is recommended that network administrators review traffic to/from the URL address to determine possible malicious activity. 1

Looking at the data

One issue that is regularly seen is the quality of the Observables, and I’ve blogged about this before (( Mini Rant, again )). Just because an IP address was found during research, doesn’t mean it’s an Indicator of Compromise (IOC). This is a challenge, because sometimes, a ‘safe’ IP address can act bad. How do we list that in STIX? For instance, when a known shared web host, or even a CDN like Amazon or Akamai, temporarily hosts a bad file that one of their customers (hacker?) uploaded. Do you put that IP address in your list of Observables? Do you put the full URL of the specific file? The file hash?

  1. In this technologists opinion, we need a few things.
  2. In the STIX standard, indicators give us context. We need to know when something is always bad (file hash)
    If a URL, web domain, etc are maliciousn (www[.]g00gle[.]com, let me know that.. then I need a way to know what IP address that domain resolved to at the time of attack… but consider that ‘meta-data’. Don’t consider the IP address as necessarily malicious.

As far as I know, some tools like to add the IP address at the time an analyst enters the domain name. That’s fine, but it should not be treated as the ‘Observable’ of concern. This is a tough concept for some analysts who aren’t as well versed in how networks/shared hosts, etc work, but with education, we should be able to fix some of this.

Example From the GRIZZLY STEPPE documentation

You can find reference to:
65[.]55.252.43
Observable ID: NCCIC:Observable-bfb9577a-f49e-49f8-8e71-02bf68e4cc1b
Which I’ve related to Indicator NCCIC:Indicator-3b9b8d85-ad2c-4759-83d7-b2b2d29e35be

The indicator is also related to a phase of the Lockheed Martin Kill Chain phase of “Command”.

Command IP Address defined from Lockheed Martin Kill Chain

After our research, (nslookup and whois), we determined this to be a Microsoft node used for telemetry.

NSLOOKUP

$ nslookup 65.55.252.43
Server: 192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
43.252.55.65.in-addr.arpa name = msnbot-65-55-252-43.search.msn.com.

WHOIS

Snippet (Full Whois below):

NetRange: 65.52.0.0 – 65.55.255.255
CIDR: 65.52.0.0/14
NetName: MICROSOFT-1BLK
NetHandle: NET-65-52-0-0-1
Parent: NET65 (NET-65-0-0-0-0)
NetType: Direct Assignment
OriginAS:
Organization: Microsoft Corporation (MSFT)

Yep, that’s pretty straight forward that it’s part of the Microsoft block of IPs.  With a little networking-foo, it can be determined that this MAY have been observed during the incident.. and if it were a CDN (which this isn’t, from what we can tell), it MAY have been used to serve static content that acted as the C&C channel… but we know that this isn’t forever bad, or permanently bad.

Impact to Analysts

If you aren’t aware, give me a second to tell you about the startup I’m working on right now.  I’m building a platform that allows communities to share and detect threat intelligence data.  There are intelligence sharing communities out there (ISAC: Information Sharing and Analysis Center, ISAO: Information Sharing and Analysis Organization).   ISACs are centered around critical infrastructure, ISAOs are centered around companies/industries of like-ness.   Find more here:

National Council of ISACs

DHS ISAO FAQ

We pull in data regularly on behalf of our customers in order to allow them to effectively leverage the intelligence.   Essentially, we pull the data, and use it in our network monitoring platform to detect bad things for them.    In addition to ISAC/ISAO data, we provide a ‘community’ around the DHS AIS data.

Ok, that’s the context, now the reason I’m telling you this.

When a system like ours gets this ‘muddy’ intel data, our system lights up like a Christmas Tree.   Within an hour of the DHS AIS system having the GRIZZLY STEPPE data available, we started notifying our customers that they’re seeing those Observables (IOCs) on their network.    AWESOME!! Except that the data is pretty much determined to be a False Positive (FP).  Sure, the intel was found during the analysis to write up the paper for US-CERT/DHS, but now every consumer of that intel has to determine that this Observable is a FP.    Normally, every consumer would do this research.   Thankfully, with a shared community around DHS AIS within our system, we do the research once, and suppress it for the time being.   This goes to the power of a community as I write up in “Other People’s Analysts“.

Ok, if you don’t belong to an ISAC/ISAO, or any sharing communities, we’d be happy to help you find the right one.  Check us out at https://perchsecurity.com or email ‘info[@]perchsecurity[.]com’

defanging email addresses in a blog post feels so 1999, but, I think I still have to do it….

Thanks for reading!

chris.

Appendix

Full WHOIS

$ whois 65.55.252.43

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#

#
# Query terms are ambiguous. The query is assumed to be:
# “n 65.55.252.43”
#
# Use “?” to get help.
#

#
# The following results may also be obtained via:
# https://whois.arin.net/rest/nets;q=65.55.252.43?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#

NetRange: 65.52.0.0 – 65.55.255.255
CIDR: 65.52.0.0/14
NetName: MICROSOFT-1BLK
NetHandle: NET-65-52-0-0-1
Parent: NET65 (NET-65-0-0-0-0)
NetType: Direct Assignment
OriginAS:
Organization: Microsoft Corporation (MSFT)
RegDate: 2001-02-14
Updated: 2013-08-20
Ref: https://whois.arin.net/rest/net/NET-65-52-0-0-1

OrgName: Microsoft Corporation
OrgId: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US
RegDate: 1998-07-10
Updated: 2016-06-30
Comment: To report suspected security issues specific to traffic emanating from Microsoft online services, including the distribution of malicious content or other illicit or illegal material through a Microsoft online service, please submit reports to:
Comment: * https://cert.microsoft.com.
Comment:
Comment: For SPAM and other abuse issues, such as Microsoft Accounts, please contact:
Comment: * abuse@microsoft.com.
Comment:
Comment: To report security vulnerabilities in Microsoft products and services, please contact:
Comment: * secure@microsoft.com.
Comment:
Comment: For legal and law enforcement-related requests, please contact:
Comment: * msndcc@microsoft.com
Comment:
Comment: For routing, peering or DNS issues, please
Comment: contact:
Comment: * IOC@microsoft.com
Ref: https://whois.arin.net/rest/org/MSFT

OrgAbuseHandle: MAC74-ARIN
OrgAbuseName: Microsoft Abuse Contact
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: abuse@microsoft.com
OrgAbuseRef: https://whois.arin.net/rest/poc/MAC74-ARIN

OrgTechHandle: MRPD-ARIN
OrgTechName: Microsoft Routing, Peering, and DNS
OrgTechPhone: +1-425-882-8080
OrgTechEmail: IOC@microsoft.com
OrgTechRef: https://whois.arin.net/rest/poc/MRPD-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#

Bad URI Found:

http://efax.pfdregistry.org/eFax/37486.ZIP

Bad Domain Names Found

editprod.waterfilter.in.ua
efax.pfdregistry.net
insta.reduct.ru
littjohnwilhap.ru
mymodule.waterfilter.in.ua
one2shoppee.com
private.directinvesting.com
ritsoperrol.ru
wilcarobbe.com
www.cderlearn.com

Bad File Hashes Found

617BA99BE8A7D0771628344D209E9D8A
7FCE89D5E3D59D8E849D55D604B70A6F
81F1AF277010CB78755F08DFCC379CA6
8F154D23AC2071D7F179959AABA37AD5
AE7E3E531494B201FBF6021066DDD188

Bad IP Addresses Found

1.112.1.1
1.212.1.1
101.64.234.86
101.98.11.146
103.16.152.10
103.21.198.13
103.226.132.7
103.23.136.10
103.244.164.3
103.253.41.55
103.254.108.7
103.254.16.168
103.38.193.6
103.38.43.207
103.41.177.77
103.41.52.37
103.41.52.39
103.8.24.66
104.128.161.233
104.152.208.166
104.207.130.126
104.233.108.157
104.236.58.27
104.237.152.195
104.36.83.204
104.93.114.201
106.187.37.101
106.187.99.148
107.181.174.84
107.182.131.117
108.166.168.158
108.28.164.248
108.61.123.73
108.61.123.81
108.61.152.252
108.61.166.139
108.61.187.24
108.61.228.153
109.103.167.206
109.163.234.2
109.163.234.5
109.163.234.8
109.173.113.248
109.173.45.225
109.188.124.120
109.188.124.135
109.188.124.168
109.188.124.23
109.188.124.25
109.188.124.36
109.188.124.43
109.188.124.46
109.188.124.47
109.188.124.65
109.188.124.80
109.188.125.12
109.188.125.13
109.188.125.19
109.188.125.20
109.188.125.3
109.188.125.30
109.188.125.32
109.188.125.33
109.188.125.4
109.188.125.40
109.188.125.5
109.188.125.52
109.188.125.60
109.188.125.9
109.188.126.11
109.188.126.12
109.188.126.13
109.188.126.14
109.188.126.15
109.188.126.18
109.188.126.181
109.188.126.21
109.188.126.30
109.188.126.39
109.188.126.43
109.188.126.44
109.188.126.57
109.188.127.23
109.188.127.27
109.188.127.28
109.188.127.34
109.188.127.52
109.188.127.60
109.201.133.100
109.201.152.246
109.201.152.26
109.201.154.170
109.201.154.186
109.201.154.205
109.236.89.125
109.68.20.194
109.72.73.18
109.74.151.149
115.178.58.19
115.238.95.4
115.249.128.114
116.211.105.140
116.76.255.86
117.121.136.83
117.34.88.250
120.29.217.46
121.243.46.164
122.147.230.8
122.154.162.222
122.155.194.125
122.192.65.73
122.228.113.135
122.228.193.115
122.228.89.137
123.103.23.169
123.125.196.254
123.81.251.190
125.129.112.29
125.181.204.230
125.90.93.55
128.146.176.6
128.153.145.125
128.199.108.0
128.52.128.105
128.73.141.124
128.75.159.209
131.72.138.33
131.72.138.99
132.248.64.121
134.121.241.31
134.170.108.26
134.74.98.42
139.59.9.200
140.130.213.5
141.138.141.208
141.255.162.162
141.255.162.166
141.255.162.175
142.10.38.212
146.0.74.7
146.0.77.50
146.185.135.43
146.185.139.55
146.185.161.126
146.185.177.103
147.102.10.1
148.202.105.33
148.202.239.38
148.251.255.92
149.154.158.51
149.202.17.236
149.202.42.188
149.202.44.177
149.202.47.181
149.202.62.12
149.56.223.241
149.56.229.17
149.56.99.36
149.56.99.37
149.56.99.38
151.1.182.128
151.100.179.50
151.236.195.105
151.236.20.113
151.236.23.54
151.236.25.57
151.80.220.34
153.214.197.133
153.92.126.148
153.92.127.138
154.70.153.175
158.130.0.242
158.255.211.156
158.58.170.186
158.58.170.222
158.69.172.225
158.69.194.36
158.69.208.131
158.69.244.40
159.203.30.48
162.209.125.127
162.209.125.237
162.209.125.247
162.244.25.249
162.244.26.76
162.247.72.199
162.247.72.200
162.247.72.201
162.247.72.202
162.247.72.216
162.247.72.217
162.247.72.27
162.247.73.204
162.247.73.206
162.250.234.177
162.253.42.208
163.172.129.70
163.172.135.172
163.172.136.101
163.172.138.68
163.172.140.30
163.172.143.114
163.172.152.231
163.172.154.105
163.172.158.208
163.172.209.46
163.172.211.135
163.172.214.76
163.172.29.81
163.172.29.9
163.172.38.173
163.172.43.52
163.177.65.209
163.47.21.101
164.132.102.184
164.132.51.91
167.114.238.104
167.114.35.70
167.114.92.50
171.25.193.132
171.25.193.20
171.25.193.235
171.25.193.25
171.25.193.77
171.25.193.78
172.98.67.32
173.208.213.114
173.246.103.8
173.254.216.66
173.255.231.225
175.105.185.86
175.126.148.37
176.10.104.243
176.10.107.180
176.10.99.200
176.10.99.208
176.111.109.155
176.114.0.120
176.114.0.157
176.31.180.157
176.31.7.241
176.58.100.98
176.9.25.114
177.85.98.227
178.140.158.79
178.151.182.123
178.162.193.233
178.162.199.142
178.162.205.2
178.162.211.216
178.162.216.42
178.17.163.82
178.17.170.124
178.17.170.164
178.17.170.179
178.17.170.201
178.17.170.238
178.17.174.10
178.17.174.99
178.175.128.50
178.175.131.194
178.175.144.43
178.20.55.16
178.20.55.18
178.217.187.39
178.239.167.15
178.32.251.109
178.32.53.124
178.32.53.131
178.32.53.94
178.62.18.173
178.62.71.57
179.43.143.162
182.16.23.41
184.105.220.24
185.100.84.254
185.100.84.82
185.100.85.101
185.100.85.132
185.100.85.176
185.100.85.190
185.100.85.191
185.100.85.192
185.100.85.236
185.100.86.122
185.100.86.128
185.100.86.155
185.100.86.167
185.100.86.69
185.100.86.86
185.100.87.120
185.100.87.139
185.100.87.44
185.100.87.63
185.100.87.73
185.100.87.82
185.104.11.154
185.104.120.2
185.104.120.4
185.104.120.7
185.104.9.39
185.11.180.67
185.12.46.178
185.128.40.220
185.129.62.62
185.129.62.63
185.13.76.45
185.135.156.94
185.16.200.176
185.17.184.228
185.3.135.58
185.34.33.2
185.36.100.145
185.38.14.171
185.38.14.215
185.55.217.127
185.61.138.104
185.65.134.75
185.65.134.76
185.65.134.81
185.69.168.112
185.7.34.251
185.76.35.10
185.76.35.11
185.77.128.27
185.80.222.78
185.80.50.33
185.82.202.102
185.82.202.174
185.82.202.45
185.86.148.111
185.86.148.227
185.86.149.223
185.86.149.97
186.215.192.2
188.126.81.155
188.138.1.217
188.138.9.41
188.162.64.72
188.162.64.83
188.42.254.26
188.93.234.203
190.97.163.207
191.96.66.15
192.121.252.153
192.121.46.121
192.151.155.130
192.160.102.164
192.160.102.166
192.195.80.10
192.198.82.58
192.207.61.178
192.40.57.129
193.111.136.162
193.138.219.231
193.15.16.4
193.169.4.29
193.169.86.78
193.169.87.71
193.171.202.150
193.182.144.34
193.200.241.195
193.238.157.16
193.24.208.113
193.24.240.200
193.90.12.86
193.90.12.87
193.90.12.88
193.90.12.89
193.90.12.90
194.187.249.135
194.187.249.87
194.88.143.66
195.154.15.227
195.154.255.174
195.154.8.111
195.154.81.29
195.154.90.122
195.228.45.176
197.251.205.172
198.105.125.74
198.134.125.78
198.167.223.38
198.50.159.231
198.50.177.202
198.50.200.131
198.50.200.135
198.50.200.137
198.50.200.139
198.58.107.53
198.96.155.3
199.127.226.150
199.59.148.23
199.68.196.125
199.71.233.138
199.71.233.139
199.71.233.140
199.71.233.141
199.71.233.142
199.87.154.251
199.87.154.255
2.189.142.80
201.77.124.118
202.158.120.51
202.28.103.150
202.28.194.6
203.157.155.8
203.169.48.15
203.190.241.33
203.218.5.241
204.11.50.131
204.155.30.75
204.155.30.76
204.155.30.77
204.155.30.78
204.155.30.79
204.155.30.80
204.155.30.81
204.155.30.82
204.194.29.4
204.85.191.30
207.176.226.8
207.244.70.35
207.244.97.183
209.133.66.214
209.222.77.220
209.249.180.198
209.66.119.150
210.14.70.140
210.245.123.180
211.194.50.61
211.226.72.236
212.109.194.126
212.113.32.242
212.117.180.130
212.117.180.21
212.47.194.250
212.47.195.52
212.47.227.72
212.47.238.193
212.47.246.21
212.47.247.226
212.47.248.81
212.68.41.83
212.7.192.148
212.7.217.50
212.7.219.155
212.83.190.65
212.83.40.238
212.83.40.239
213.179.207.166
213.202.214.148
213.215.9.162
213.39.51.93
216.110.195.12
216.17.99.183
216.218.134.12
216.230.148.77
216.239.90.19
216.58.216.142
216.58.216.174
216.75.21.31
217.115.10.131
217.115.10.132
217.12.201.109
217.12.204.104
217.13.197.5
217.13.56.9
217.23.10.184
217.23.10.188
217.23.10.189
217.23.12.10
217.23.14.168
217.79.188.43
219.249.95.108
221.138.128.116
23.239.10.144
23.254.211.232
27.111.202.78
27.24.190.240
27.50.94.251
31.132.0.11
31.132.0.12
31.148.219.166
31.148.219.168
31.148.219.176
31.148.219.50
31.16.91.237
31.168.172.147
31.185.104.19
31.186.96.19
31.186.96.20
31.192.228.185
31.210.109.147
31.210.111.154
31.210.117.131
31.210.118.89
31.210.123.213
31.210.123.214
31.210.125.100
31.210.125.105
31.210.125.99
31.220.43.99
31.31.72.43
35.0.127.52
37.0.127.44
37.123.130.176
37.123.130.186
37.139.52.47
37.146.14.44
37.187.239.8
37.187.247.3
37.187.7.74
37.220.35.202
37.220.35.36
37.233.99.157
37.235.53.237
37.247.54.157
37.48.109.107
37.48.93.246
37.59.123.142
37.59.14.201
37.59.42.55
37.59.63.190
38.110.220.169
41.206.188.206
41.212.1.1
41.215.241.147
41.77.136.250
42.1.1.1
42.112.33.43
42.51.11.66
43.1.1.1
45.32.239.246
45.33.48.204
45.55.178.34
45.56.90.85
45.62.255.94
45.79.85.112
46.101.138.211
46.101.197.155
46.102.152.132
46.105.100.149
46.108.39.193
46.108.39.198
46.148.17.100
46.148.17.210
46.148.17.98
46.148.17.99
46.148.26.78
46.165.196.229
46.165.197.1
46.165.223.217
46.165.228.119
46.165.230.5
46.166.137.224
46.166.137.240
46.166.137.245
46.166.138.129
46.166.138.141
46.166.138.142
46.166.138.147
46.166.186.243
46.166.188.208
46.166.188.228
46.166.190.182
46.166.190.192
46.166.190.223
46.17.100.14
46.182.106.190
46.242.66.240
46.28.110.136
46.28.111.122
46.28.68.158
46.29.248.238
46.39.102.250
46.4.193.146
46.73.164.160
5.1.82.130
5.1.82.140
5.133.179.243
5.133.8.152
5.133.8.162
5.134.1.250
5.135.158.101
5.135.186.35
5.135.199.28
5.135.65.145
5.135.65.146
5.149.249.172
5.149.254.114
5.152.205.159
5.153.233.58
5.153.234.90
5.157.38.34
5.189.188.111
5.196.1.129
5.196.58.96
5.199.171.58
5.199.172.147
5.2.64.10
5.212.1.1
5.249.145.164
5.255.80.27
5.28.62.85
5.34.150.2
5.34.183.55
5.40.21.27
5.45.183.194
5.56.133.125
5.56.133.19
5.56.133.23
5.77.47.142
5.9.32.230
5.9.98.43
50.2.64.140
50.7.176.2
50.7.62.27
51.254.215.7
51.255.202.66
51.255.33.0
51.255.38.226
52.29.252.84
54.146.128.140
58.20.114.95
58.250.19.237
58.49.61.252
58.68.148.37
58.68.148.42
58.80.109.59
58.83.208.24
59.115.115.115
60.12.119.222
60.18.131.233
60.18.147.185
60.190.22.202
60.191.138.222
60.191.139.42
60.191.139.86
60.2.237.27
60.211.204.110
61.135.149.124
61.144.244.217
62.1.1.1
62.102.148.67
62.113.238.165
62.149.25.15
62.193.51.144
62.210.105.116
62.210.129.246
62.212.73.141
62.244.176.139
62.4.22.48
63.141.226.34
63.214.136.153
64.113.32.29
64.124.32.84
64.137.178.3
64.137.206.52
64.137.215.208
64.27.12.41
64.27.17.140
64.79.108.197
65.15.88.243
65.158.81.132
65.181.112.128
65.19.167.130
65.19.167.131
65.19.167.132
65.23.129.79
65.36.205.1
65.55.252.43
66.158.142.2
66.180.193.219
66.196.116.112
67.52.39.166
68.64.143.103
69.10.162.154
69.12.73.174
69.162.139.9
69.25.242.15
69.30.251.26
69.30.251.27
69.30.251.28
69.30.251.29
69.30.251.30
69.63.147.49
69.70.199.50
69.89.191.8
69.89.37.90
69.89.37.91
69.89.37.92
71.19.157.127
72.21.91.121
72.30.196.161
72.5.72.225
72.52.75.27
74.11.216.239
74.208.191.194
74.208.191.202
74.217.184.206
78.106.220.129
78.108.154.254
78.138.104.178
78.138.106.231
78.138.106.234
78.138.106.235
78.138.106.247
78.138.97.15
78.138.98.92
78.138.98.95
79.134.234.247
79.134.255.200
79.143.111.228
79.172.193.32
79.98.107.90
8.39.147.120
80.221.159.67
80.240.139.111
80.244.81.191
80.255.12.232
80.67.172.162
81.17.18.50
81.170.184.90
81.171.56.203
81.210.129.164
81.30.158.81
81.7.15.115
81.7.16.13
81.95.126.15
82.163.79.61
82.211.19.129
82.211.19.143
82.221.129.96
82.221.139.25
83.136.253.147
83.138.176.21
83.220.236.147
84.117.113.152
84.200.56.34
84.232.5.230
84.251.91.165
85.143.219.211
85.143.95.50
85.159.237.210
85.195.97.226
85.195.97.227
85.195.97.230
85.204.74.91
85.207.155.39
85.24.197.4
85.248.227.163
85.248.227.164
85.248.227.165
85.25.100.104
85.25.103.119
85.90.244.52
86.105.18.111
86.127.210.14
87.120.254.200
87.170.206.84
87.185.31.200
87.236.194.23
87.236.211.182
88.150.157.14
88.198.14.171
88.198.25.92
88.80.7.5
89.163.135.98
89.163.142.94
89.163.237.45
89.169.218.249
89.187.142.208
89.187.144.122
89.187.145.103
89.188.9.91
89.190.34.200
89.248.162.179
89.31.57.5
89.32.40.4
89.33.246.114
89.34.237.101
89.34.237.11
89.34.237.12
89.35.178.104
89.36.208.231
89.45.67.6
89.46.101.79
90.154.72.187
91.1.1.1
91.108.183.170
91.121.230.209
91.134.232.63
91.146.121.3
91.213.8.235
91.213.8.236
91.213.8.84
91.217.91.79
91.219.236.136
91.219.236.218
91.219.236.222
91.219.236.232
91.219.238.231
91.219.239.245
91.219.30.81
91.228.151.52
91.229.77.64
91.230.60.42
91.230.61.68
91.241.33.73
92.114.92.107
92.114.92.125
92.222.103.234
92.222.28.243
92.222.6.12
92.222.71.173
92.222.88.7
92.222.92.152
92.240.253.181
93.115.241.194
93.115.38.141
93.115.94.23
93.115.94.26
93.115.95.201
93.115.95.202
93.115.95.205
93.115.95.39
93.171.203.244
93.174.90.30
93.174.93.133
93.184.215.200
93.184.66.227
93.219.113.201
94.102.49.175
94.102.49.64
94.102.53.177
94.102.63.139
94.103.175.86
94.126.8.21
94.142.242.84
94.185.85.42
94.185.85.43
94.185.85.44
94.185.85.46
94.198.100.8
94.23.147.30
94.242.195.186
94.242.206.196
94.242.222.23
94.242.239.162
94.242.239.163
94.242.239.165
94.242.239.177
94.242.239.181
94.242.239.183
94.242.239.189
94.242.251.32
94.242.57.104
94.242.57.2
94.254.2.71
94.26.140.150
94.31.53.203
95.0.26.199
95.105.72.78
95.130.11.147
95.153.31.53
95.163.107.14
95.163.107.15
95.183.50.23
95.211.205.151
95.211.214.81
95.213.157.140
95.213.157.141
95.215.44.115
97.74.237.196
98.138.199.240
98.138.79.73

Other People’s Analysts

Over the last 6 years, I have been entrenched in Cyber Security.

  • Packet capture
  • Network Forensics
  • Identity and Access Management
  • Threat Intelligence

During my nPulse Technologies days (acquired by FireEye), I relearned all the network packet stuff that I had been taught in college.  The OSI network layers, VLANs, Q-in-Q… oh boy!    Reassembling packets (with python no less) was a REALLY fun exercise…  never made it into the product, since there were open source tools that did it better (faster?).. but I did it….   then came the challenge of using the reassembled data in an application.

Imagine this now, you’re a cyber analyst.  You’ve got some juicy intel from your ISAC (FS-ISAC? NH-ISAC?) … or maybe it’s from your industry buddies that you share intel with.   You set up your alerting mechanisms, you set up your SIEM, and you wait.

PING!  You get a hit!   You know now have an IP address that a machine in your network tried to go to.   You start your research, do a little OSINT, do some googling… find out it’s a shared host.  Oh well.

False Positive.

You tell your buddies, and that’s it for the day.

Guess what just happened?   Your group just got smarter because two of you did some work.  The first guy set up the intel, and you validated it as a false positive.    Since you both shared within your community, you just got smarter! You leveraged a few members of the community to make you all better!

This is the best scenario we have today.   Some communities share data.  Not many communities allow for automatic sharing of sightings (did you see that IOC in the wild?).  NO communities allow you to share what you did in regards to that IOC.  Did you block it in a Firewall? Did you mark it as a False Positive?

There aren’t many tools out there that can help this process..    The more we can share, the more we can attribute, the more we can automatically know what’s going on in the network of our peers, the safer we’ll all be.

www.perchsecurity.com

 

Mini Rant: Stix Confuses My Computer

For some background, please see my post here

13-023-image-stix-taxii-cybox_v4-02

Here at Perch Security (perchsecurity.com) we’re building a community intelligence sharing platform that adds value to existing intelligence sharing communities… (our marketing folks say that better than I do!).

I’m building a bunch of services to ingest external intelligence, normalize, persist etc. I’m very thankful for standards such as TAXII (transport) and STIX (intelligence).

Reading a STIX doc makes sense for an analyst. The document gives great context around some piece of intelligence. An analyst can look it over, figure out some bad IP addresses and figure out what to do with them. The challenge comes with machine to machine communication. STIX can be used to relate Observables (IP addresses) into context.

For example, when analysts set of a new Indicator (the story of why we care about these IP addresses), they can set a relationship between ports and IP addresses. The facts are the observables (Port 80, IP: 8.8.8.8) etc.

So, looking at this net flow, 192.168.1.1:6633 -> 8.8.8.8:53 , we can very quickly determine that it’s a DNS request from an internal IP to Google’s DNS server. If that was determined to be malicious, the STIX should be set up like this:

Observable 1: IP 8.8.8.8
Observable 2: Port 53
Observable 3: 192.168.1.1
Observable 4: Port 6633
Observable 5: “Observable 1” AND “Observable 2”
Observable 6: “Observable 3” AND “Observable 4”
Observable 7: “Observable 6” AND “Observable 5”

See the tree?

Indicator
– Description: “There’s a story here about malicious DNS traffic going to host 8.8.8.8 on port 53. We observed this on our network from an internal client 192.168.1.1:6633”
– Observables: “Observable 7”

So, an analyst reading that understands what’s going on. The immediate issue though for a Machine, is that the ‘internal’ IP part is effectively useless. No big deal, I can programmatically ignore internal IP addresses.

BUT, The REAL problem comes with fast analysts or bad tools. My Stix document comes back looking like this:

Indicator –
– Description: “Bad IP address found”
– Observables: “Observable 1” OR “Observable 2” OR “Observable 3” OR “observable 4”

That’s just plain wrong! Now, all my signature triggers on ALL DNS requests.

I see an education opportunity here for analysts using tools that create this intelligence. Not calling them wrong, but it’s an opportunity to learn to use the tooling a little better to improve all of our communities.

What’s your Risk Tolerance?

I keep running around saying “Go Big or Go Home”…. a lot of times appropriate, sometimes maybe not..

It almost sounds like the stupid “YOLO” trend that went around the internet.  YOLO: You only live once.  This mantra was used to justify doing stupid.  Drugs, Party, Lottery, Not Saving for Retirement… a plethora of stupid.

Today, I wanted to talk about risk tolerance, and when is it appropriate to Go Big or Go Home.

What’s the balance between risk and reward?

  • Personal Finances
  • Career
  • Specific Job
  • Technology Choices
  • Marketing
  • etc

I’ve spoken with many colleagues about leaving the ‘saf’e corporate world to go to a startup.  I’ve done it a few times ( new one can be found @ http://perchsecurity.com ).   I get a lot of comments like:

  • “Oh man, I’m so jealous, I wish I could do that..”
  • “Don’t you worry about stability?”
  • “Going without my 401k is blasphemous, there’s no way!”
  • “My job is stable, I’m not interested..”

 

I get it.  It’s hard to jump into the unknown.  It’s hard to leave a role, or a company that you’ve been with for 10 years (people still do that??).  It always comes down to fear.  Now, I’m not saying if you don’t go to a startup then you’re scared.  I’m saying, if you WANT to go to a startup, if you WANT to try something new, but you’re scared, that’s when there’s a problem.

The majority of jobs in the US are for small companies.  If you find the right company, solving the right problem for the right people, take faith in your ability to problem solve.

For me, I’ve gotten myself into a level of confidence around my employment abilities that I’m not too worried.  If I lose my job,  I’m confident I’ll be able to find a new one.  Heck, THAT role could be even better.   I tend not to be all ‘doom and gloom’, (unless I’m going through a serious case of the “impostor syndrome”  https://en.wikipedia.org/wiki/Impostor_syndrome …. seriously, that’s for REAL), but I’m confident that I have knowledge, skills, experience etc, that will be valuable to another employer.

Because of these traits that I’ve internalized, I can accept a higher level of risk in employment.   Start ups are my jam.  I can work well in any environment, but I find passion building something new. There’s an excitement in a tiny company that’s unrivaled. Think about it.. if you’re at a large mega bank (no insult to mega banks, I may want a consulting gig some day), but if your project is late by a month. Meh, you’ll get yelled at.. You might get a bad review, might lose some of your bonus. That sucks. but , at a startup, if you piss off your biggest (and only?) customer, and they stop ordering. You’re done. The game is over.

Don’t hear that as “I like risk! I’m a glutton for punishment!”. It just shows the level of excitement… because now, imagine you pull an all-nighter, and get the updated code to a customer BARELY in time, and then they double their order. YES! You win! THAT’s the excitement. (True story, I’ll tell you over a beer, because it was fun.. and scary)

Here’s a list of books that are wonderful, and can really help:

This one is my current read.. blowing my mind:

**Referral links at amazon…. gotta buy my starbucks, yo!

And for fun:

 

© 2017 De-Coder’s Ring

Theme by Anders NorenUp ↑