<h1 id="on-risk-incident-response-and-coronavirus">On Risk, Incident Response, and Coronavirus</h1>
<p>swannysec, 2020-03-08, <a href="https://swannysec.net/2020/03/08/on-risk-incident-response-and-coronavirus">https://swannysec.net/2020/03/08/on-risk-incident-response-and-coronavirus</a></p>
<p>If you want to skip to the goods, click <a href="#coronavirus---a-primer-and-personal-approach">here</a>. If you want to skip straight to the purely professional content, click <a href="#thinking-about-risk">here</a>.</p>
<h2 id="foreword">Foreword</h2>
<p>It’s been <a href="https://swannysec.net/2017/03/07/brian-krebs-and-the-yugoslavian-business-network.html">a while</a> since I spent time writing for personal gratification. My personal and professional journey has led me pretty far from analyzing exploit kits on a day-to-day basis. I’ve spent the last three and a half years building out and leading GitHub’s Security Incident Response Team (SIRT) and the processes that guide it. I’ve had an opportunity to take the foundation of <em>how</em> we work laid out by those that came before me, frame it out with scalable and compliant process that fits GitHub’s remote-first, asynchronous-by-default culture, and accelerate it through massive company growth and acquisition by Microsoft. I was something like employee number 310 (not accounting for churn, of course); we’re now over four times that size and still accelerating with an ever-growing and awesome platform and product portfolio I’m proud to help protect. I’d be remiss, however, if I didn’t take an opportunity to thank the amazing professionals I’m lucky enough to call peers and teammates; GitHub SIRT would be nothing without their dedication, their creativity, their camaraderie, and their tireless excellence.</p>
<p>With that out of the way, on to the purpose of this post: thinking about risk management and incident response as framed by current events, namely the novel coronavirus officially known as COVID-19. Before we get to the good stuff, a brief disclaimer:</p>
<p>Though this post discusses coronavirus, this is simply a way to frame thinking about the disciplines of risk management and incident response. None of the statements that follow should be interpreted as authoritative guidance on coronavirus or disaster preparedness and all of it is subject to my personal opinion and admitted lack of expertise regarding anything like epidemiology or traditional emergency management. If you’re looking for formal, sanctioned advice, seek out the <a href="https://www.who.int/emergencies/diseases/novel-coronavirus-2019">World Health Organization</a>, US <a href="https://www.cdc.gov/coronavirus/2019-ncov/index.html">Centers for Disease Control</a>, or your <a href="https://www.naccho.org/membership/lhd-directory">local health authorities</a>. <strong>I say again, <em>do not</em> take my personal opinions on and preparations for COVID-19 as professional advice</strong>.</p>
<p>Further, my professional background is much more about threat and risk mitigation than forecasting and quantification. There is a formal discipline associated with risk that I have limited formal training in; as such, I tend to simplify risk into a basic framework that allows me to make informed decisions. I have found it effective throughout my life and career, but I have no doubt it could be done more scientifically or more comprehensively.</p>
<h2 id="coronavirus---a-primer-and-personal-approach">Coronavirus - A Primer and Personal Approach</h2>
<p>Unless you’re living under a rock or in some sort of news-vacuum (ignorant bliss?), you’re well aware by now of the rapid spread of coronavirus, officially known as COVID-19. Believed to have originated in Hubei Province, China, this is a new strain (hence the term novel coronavirus) of a class of cross-species viruses capable of infecting humans. In many humans, the disease appears to be mild, but in some percentage of cases, particularly among the elderly or those with underlying conditions, victims can develop severe and even fatal respiratory complications. Though it’s early and a <em>lot more</em> study is required, COVID-19 appears to spread more readily than the flu and carry a higher (but not outrageous) mortality rate than the seasonal flu.</p>
<p>In terms of perspective and forming the basis of a risk picture, the seasonal flu has sickened between 34 and 49 million individuals this season. The death toll for seasonal flu in 2019-2020 stands somewhere between 20,000 and 52,000 (¹). COVID-19, on the other hand, since its known emergence in late December 2019 and at time of writing on March 8, 2020, has resulted in 109,965 clinically confirmed cases and 3,824 deaths (²). It’s important to understand that, despite these much lower numbers, there’s a substantial amount of uncertainty due to the mild presentation of many cases and the low availability of test kits worldwide. That said, you’re still <em>far</em> more likely to be affected by the seasonal flu than by COVID-19 unless you happen to reside in a viral hotspot where the disease is more prevalent. That’s about as much explanation as I’m going to give because I’m not really qualified to give it; see the disclaimer above for more authoritative info.</p>
<p>With a basic understanding of COVID-19 established, I want to share some of my personal perspective on the virus and my family’s risk assessment and preparation for it. Below, I’m going to outline some of my thought process, the resulting “threat model” we used, and the preparation we undertook to meet that threat based on our personal situation. All of this has parallels to security risk management and incident response and I’ll discuss that following this section.</p>
<h3 id="situational-awareness">Situational Awareness</h3>
<p>The first, and perhaps the most important thing I focused on was maintaining well-informed situational awareness, right from the get-go. While I do not consider myself remotely paranoid and I am fortunate enough not to suffer hypochondria in this particular case, I do keep my head on a swivel at a global scale for both personal and professional reasons. Perhaps a decade of security, risk, and intelligence work is the reason for this, but I was sort of loosely tracking this coronavirus outbreak as early as the first two weeks of January.</p>
<p>It wasn’t a focus and I didn’t dwell on it all day, but I did watch closely enough to be able to begin building a mental model for the risk it represented to me, my organization, and to daily life. I paid attention less to the specifics of the outbreak than to the <em>shape</em>, <em>size</em>, and <em>velocity</em> of it. For lack of better terms, this feeds a sort of equation in my head that is constantly re-computing based on the new input I gather daily. While there is a formal scientific discipline dedicated to this work, I’m not trained for it, so my internal calculation is intentionally vague and elementary in nature. The point is simply to be able to track the overall <em>trend</em> represented by developments related to coronavirus and how the basic risk I assign any event or circumstance, in this case COVID-19, is growing or changing. Understanding this, even within my own mental framework, is the basis of how I make informed decisions with risk in mind.</p>
<p>It is <em>absolutely vital</em> that you maintain situational awareness at all times. Failure to identify and assess a risk in the first place leaves you unable to prepare, rendering your ability to level the playing field as much as circumstances permit essentially null.</p>
<h3 id="building-a-basic-mental-model-of-the-problem">Building a Basic Mental Model of The Problem</h3>
<p>My next step is to begin developing mental models around the problem and its possible manifestations. In the case of COVID-19, I began thinking about some plausible long-term outcomes. Those outcomes roughly looked as follows and are oversimplified, discounting a whole lot of good epidemiological science about things like R0 and mortality rates among other things:</p>
<ul>
<li>Virus is largely contained by aggressive response in China and fizzles as the warm season approaches, remaining only an isolated and periodic threat relegated to dozens or fewer easily isolated cases per year.</li>
<li>Virus is not contained, but does not readily spread. Slowed by control and isolation efforts, it does spread globally or regionally, but is limited to local clusters and eventually snuffed out before the following flu season.</li>
<li>Virus is not contained and spreads rapidly in an increasingly interconnected world. Governments in free societies or underdeveloped nations struggle to contain local clusters and rapid community transmission occurs. Seasonal impact is high, akin to other modern seasonal flu epidemics (see <a href="https://www.cdc.gov/flu/pandemic-resources/2009-h1n1-pandemic.html">2009</a> or <a href="https://www.cdc.gov/flu/pandemic-resources/1957-1958-pandemic.html">1957-1958</a>) but eventually slows to a crawl and peters out, representing no threat greater than a moderate flu pandemic.</li>
<li>Virus is not contained, spreads rapidly and with limited impact from control and isolation efforts. Virus develops a rather severe mortality rate and has a major global impact, presenting a substantial risk to health and way of life for one or more years. An example might be the flu pandemic of <a href="https://www.cdc.gov/flu/pandemic-resources/1918-pandemic-h1n1.html">1918</a>.</li>
</ul>
<p>Keep in mind that these models aren’t set in concrete and they change as time goes on and things change on the ground; I’m constantly re-calculating them. These models shouldn’t be static and should adjust to the reality you face. On a personal level, I suspect we’re looking at either the third or fourth model at this point. Much remains to be seen, but those models are the basis upon which I am operating today.</p>
<h3 id="develop-a-more-nuanced-threat-model">Develop a More Nuanced “Threat Model”</h3>
<p>Now that I understood the basic shape of the problem, I wanted to think more concretely about what the actual <em>threat</em> looks like. My wife and I discussed (and continue to discuss) our mental threat model and this is the set of things we selected as threats, based on our home and life situation:</p>
<ul>
<li>Possibility of voluntary or mandatory at-home-isolation for as long as a month due to local outbreak</li>
<li>Possibility of temporary (lasting a month or two at maximum) supply shortages of items like food, medicine, paper products, and cleaning supplies</li>
<li>Increased risk related to public gatherings or travel via public transit</li>
<li>Possibility of caring for one or more sick and contagious persons at home with limited external assistance</li>
</ul>
<p>Things we decided to exclude from our model based on available evidence:</p>
<ul>
<li>Water shortages or water quality problems (some preppers out there are probably incensed at this decision)</li>
<li>Utility outages</li>
<li>Large-scale societal breakdown or zombie apocalypse</li>
</ul>
<h3 id="identify-your-assets-and-vulnerabilities">Identify your Assets and Vulnerabilities</h3>
<p>The next step for us was <em>asset</em> identification. We wanted to think deliberately about what we needed to protect and any special considerations that affected those things. We identified the following critical assets, all living things due to the nature of the problem:</p>
<ul>
<li>Two adults</li>
<li>Two school-age children, the most important assets we have to protect (talking about your children as assets is admittedly uncomfortable)</li>
<li>One indoor cat</li>
</ul>
<p>With the basic assets identified, we set out to think about the things needed to keep them happy and healthy, with an eye toward identifying <em>vulnerabilities</em> or gaps that might increase our risk if unaddressed:</p>
<ul>
<li>One of the adults in our home has substantial underlying conditions that may place them at increased risk for infection and subsequent complications</li>
<li>One adult has a significant dietary restriction which requires low fat consumption</li>
<li>Both children are in public school, which represents a substantial vector for transmission</li>
<li>We don’t keep deep stockpiles of most things; we’re prepared for brief life interruptions, but nothing beyond a week or ten days</li>
</ul>
<h3 id="prioritize-and-prepare">Prioritize and Prepare</h3>
<p>Incident response, whether it be related to an epidemic or otherwise, is all about effectively mitigating as much of the risk represented by that incident as possible. In order to do this effectively, you need to be prepared <em>before</em> the incident begins. Regarding COVID-19, this meant that once we developed situational awareness and took stock of our threats, assets, and vulnerabilities, we needed to begin preemptively addressing those things. We began by collecting information related to epidemic and disaster preparedness from sources such as the CDC, FEMA, WHO, and others. We developed a simplistic spreadsheet of items we needed to stockpile as well as a to-do list.</p>
<p><img src="https://swannysec.net/public/prep_spreadsheet.png" alt="Prep_Spreadsheet" /></p>
<p>Once we had a basic list, we began prioritizing that list based on our own ground-truth surfaced via the threat, asset, and vulnerability analysis we had already completed. For instance, we know we have an adult with underlying conditions; we therefore assume the likelihood we will need to self-isolate is higher than for the population at large and that we’ll need to do so sooner. Therefore, we accelerated our purchasing of absolutely essential items like food and critical prescriptions a number of weeks ago.</p>
<p>We also know that with two public-school age children, we’d need to be more aggressive than the average household in disinfecting and personal hygiene, particularly in light of the health conditions of one of the adults. Therefore, we prioritized cleaning supplies, hand soap, and hand sanitizer early on and bought them in responsible quantities before any sort of public panic set in.</p>
<p>Many of you are probably wondering about masks, particularly N95 masks. We deprioritized them aggressively because they’re difficult to fit, wear, and dispose of properly, making the effectiveness substantially lower for non-medical professionals. Further, masks really need to be preserved for medical and emergency response personnel as much as possible. All that said, because of the vulnerable adult in our home, we did purchase a <em>small</em> quantity, primarily to be worn <em>by someone who is already ill</em> inside the home. The intent is not to wear these in public day to day in a futile effort to reduce daily exposure, but instead to lower the risk of in-home transmission if, and only if, someone becomes ill while we’re isolated.</p>
<p>We also took care to prioritize some things people don’t generally think of until it’s too late, because we took the time to look at our threats, assets, and vulnerabilities. Extra cat food and cat litter are perfect examples, as were our food purchasing choices; whereas many tend to stockpile comforting foods high in fat, we needed to make different choices based on our health situation. Instead, we’ve stockpiled lower-fat choices like beans and lean meats like chicken breast. Further, with a couple of young children, we made some deliberate choices designed to keep spirits up in tough times. We prioritized some fun snacks and silly foods that will add variety and spark joy during a monotonous isolation should one come to pass.</p>
<p>A final note on stockpiling and disaster preparedness: these things live on a spectrum and some folks have a <em>very</em> different personal risk calculation. We took a fairly lightweight approach to our preparedness. If full societal breakdown was part of our threat model, we’d be having a very different conversation that would drastically affect our day to day lives just to prepare. In our case, we basically deepened our stockpiles of things we already use every day. None of what we purchased will go to waste or burn a hole in our pocket if COVID-19 fizzles out.</p>
<p>While I’m hopeful COVID-19 fizzles out as the warm months approach, I now feel much more confident when faced with the possibility it will instead disrupt our lives in a significant way.</p>
<h2 id="thinking-about-risk">Thinking about Risk</h2>
<p>Preparation for COVID-19 is nice, but why does any of that matter if you’re here to read about security? The answer is simple: the basic framework I applied to assess and prepare for the risk represented by COVID-19 is the same one I apply at work every day and there are lessons to be learned and reinforced from that experience that can be useful in our day-to-day professional lives.</p>
<p>The process I use boils down to the following:</p>
<ol>
<li>Keep your head on a swivel, never stop consuming data about potential problems. Identify and track potential problems early and often. Calculate and constantly re-calculate a basic trend for any potential problem - understand if it’s becoming more prevalent or impactful so you can begin preparations <em>before</em> it’s too late.</li>
<li>When a given problem becomes relevant enough to begin preparing for, build a simplistic model of the problem and its potential outcomes, even if only in your head.</li>
<li>Identify the threats posed by that problem, the assets you need to protect, and the vulnerabilities or gaps you have surrounding those assets.</li>
<li>Prioritize and prepare based on a combination of the possible outcomes, the threat model you built, and the ground-truth regarding your assets and vulnerabilities.</li>
<li>Though I didn’t cover this above, documentation is the final step in my process. Where time allows, you should not allow all the hard work in steps one through four to go to waste. If the risk fizzles out, you have fantastic prior art to reference should it reappear later.</li>
</ol>
<p>Some additional points to keep in mind when thinking about risk:</p>
<blockquote>
<p>Paranoia is unhealthy; we have lives to live and businesses to run.</p>
</blockquote>
<p>Awareness of and preparation for risk does not mean that you stop the presses, hole up in your home, or stop your organization from doing business in order to avoid a risk. As security professionals, we’re in the business of mitigating or preventing risk as much as possible, <em>not eliminating it</em>. <strong>Do not let preparation affect your organization’s goals and success; instead, protect and enhance the success of your organization by insulating it from risk with careful preparation that does not inhibit progress</strong>.</p>
<blockquote>
<p>Your preparation should never harm others - or your business.</p>
</blockquote>
<p>As an extension of the point above, risk preparedness should never be completed at the expense of others. In our personal lives this means responsible supply purchases well before panic buying sets in. It means not panic-buying all the hand sanitizer or masks, which you’ll never use, at the expense of other families or medical professionals. In our professions, this means that we don’t require absurd and expensive risk reduction measures in the name of security alone. We instead <strong>take a balanced approach to risk preparedness and reduction with our productivity and efficiency in mind</strong>.</p>
<blockquote>
<p>Track problems early and often, even if you can’t or shouldn’t act on them now.</p>
</blockquote>
<p>If you make a regular habit of identifying and trending various problems, you will be infinitely better situated to prepare for and respond to them if circumstances require. In our COVID-19 case, this meant that I was preparing in February and <em>way</em> ahead of the game here in the United States; I wasn’t subject to supply shortages or the panic buying now taking place. At work, this means that we’re planning and prioritizing day to day work with possible problems in mind on an ongoing basis. Where possible, we <strong>rely on an inventory of possible risks to better inform resourcing and technical decisions every day</strong> instead of blindly checking checkboxes from some compliance checklist.</p>
<p>In short, risk awareness and preparation are really the name of the game. Bad things happen - that’s why incident response professionals exist after all. If you’re already aware of those bad things, know how they might manifest, and have completed reasonable preparations, you’re going to be able to respond and mitigate the risk much more effectively.</p>
<h2 id="incident-response-and-communication-for-incident-coordinators">Incident Response and Communication for Incident Coordinators</h2>
<p>You’ve been minding the shop and you’ve successfully identified and prepared for a given risk, but now it’s on your doorstep and you’re forced to respond - what happens now? I won’t be discussing incident response in depth here, but I do want to highlight some critical items that are particularly important for incident coordinators specifically - and relevant to current events.</p>
<p>If you <em>actually have</em> prepared, the first step is the easiest: <strong>have an effective incident response process in place</strong>. This should be well documented, it should define all the inputs and outputs of the process in accordance with your organization’s needs or compliance and regulatory obligations, and it should clearly delineate all the major IR stakeholders and their responsibilities. Most importantly, it should be easy to digest, easy to operate, and readily repeatable for any kind of crisis. Have this figured out <em>before</em> you’re facing that crisis. If you don’t, you’ll lose valuable time during the event and lost time usually results in more risk.</p>
<p>During an incident, as incident coordinator, it is your responsibility - your duty - to <strong>set the tone and lead from the front</strong>. Responders, whether security professionals or otherwise, rely on the incident coordinator for their example. If you panic, the rest of the team will likely do so as well; if - instead - you respond with calm and confidence, chances are you’ll make everyone in the room a more effective responder.</p>
<p>This doesn’t mean you make decisions in a vacuum or act like a tyrant. You’re neither omniscient nor omnipotent. If you make decisions without care and consideration and fail to collaborate with the talented professionals that make up your response team, you’re adding substantially to the risk incurred and it’s possible you’ll accidentally pour gasoline on the figurative dumpster fire. You should <strong>seek to make decisions by consensus and make those decisions guided by data</strong> as often as possible. That said, sometimes you may have to break a tie in deliberations or rely on your experience or even your gut to make a tricky decision. This is where it’s critical to <strong>set the course confidently, document your decision making reasoning, and orient the team to that course</strong>.</p>
<p>In terms of coming to those decisions, it is <em>critical</em> that <strong>action be swift and decisive</strong>. Inaction is the enemy, whether by lack of preparation or analysis paralysis. Inaction delays mitigation, demoralizes responders, increases the risk incurred by the incident, and makes loss of victim or public goodwill more likely in the event that the incident goes public. As incident coordinator, keep the response tempo up and ensure the bias is toward action. Do not act rashly at the cost of analysis or consensus, but ensure that efforts to develop those things are always moving forward with clear deliverables and timelines established and understood by all responders. If things get stuck, it is important to call this out and either immediately clear the roadblocks or carefully make a decision to move ahead with the best information available - this is where past experience or your gut sometimes play a part. That leap of faith can be a nerve-wracking and imposter-syndrome-inducing situation, but be confident in your skills and experience and let them light the way forward for you.</p>
<p>Once a direction has been established, no matter what part of the incident response process you’re in, that <strong>direction must be communicated unequivocally and with perfect clarity</strong>. No one in the room should be unaware of or uncertain as to the current course of action and their own responsibilities. If they are, for some reason, that <strong>course of action and those responsibilities should be quickly, easily, and clearly discoverable</strong>. Keeping status summaries and responsibility assignments up to date in a well-known and accessible location is critical and should be a top priority for the incident coordinator. Nothing will feed chaos and increase risk more than a room full of people without clear direction and assignments running in different directions and working at cross purposes.</p>
<p>Finally, extend these principles, particularly regarding <strong>clear, decisive communication when informing customers or the public</strong>. If clear and decisive communication is critical inside a room full of professionals, imagine how important it is for an uninformed or unprepared public or customer audience. <strong>All of your communications with external parties should make it very clear, in plain English, what happened, how it affects them, what you’re doing to respond, what they can do to help themselves, and where they can get help</strong>. Delivering anything less only compounds the incident by causing confusion, inciting concern or panic, and adding work for responders who get tied up in responding to a million questions and clarifications.</p>
<p>Incident response is a broad discipline and circumstances can vary wildly from event to event, but I’ve generally found that the principles above can and should be applied at all times. These aren’t specific technical to-do list items; they’re a philosophical approach for clear incident response coordination, leadership, and risk mitigation. These things make any incident coordinator, in any situation, a more effective force multiplier for a capable and prepared incident response team, which is the crux of the role.</p>
<h2 id="a-call-to-action---for-incident-responders-public-health-professionals-and-emergency-management-leaders-alike">A Call to Action - For Incident Responders, Public Health Professionals, and Emergency Management Leaders Alike</h2>
<p>Too often, I see, hear, or read about incident responders wrapped up in the technical nuts and bolts of their professions. In the case of COVID-19, I see a lot of discussion about the technical intricacies of R0 (the reproductive factor of the virus, or how easily it spreads from one host to others) or the mortality rate in clinical environments. In the security profession, it’s endless presentations and blog posts about the specifics of a hot new exploit or analysis technique. To be clear, these things <em>matter immensely</em> and have their place in our professions, but it’s vital not to focus on these things <em>at the expense of</em> some of the fundamentals, particularly in the role of incident coordinator.</p>
<p>To those working in incident response, or emergency management, I’d encourage you to buckle down on your risk management practices, your leadership and decisiveness, and your communication. These last few weeks, various governments and health agencies across the globe have been criticized for <a href="https://www.sciencemag.org/news/2020/02/united-states-badly-bungled-coronavirus-testing-things-may-soon-improve">poor</a> <a href="https://www.nytimes.com/2020/02/27/us/politics/coronavirus-us-whistleblower.html">preparation</a>, <a href="https://www.ft.com/content/6996d92a-3ce2-11ea-a01a-bae547046735">slow decision making and dissemination of those decisions</a>, <a href="https://www.sciencemag.org/news/2020/02/scientist-decries-completely-chaotic-conditions-cruise-ship-japan-quarantined-after">poor decisions</a> made with <a href="https://www.sciencemag.org/news/2020/02/coronavirus-infections-keep-mounting-after-cruise-ship-fiasco-japan">incomplete data</a>, and <a href="https://www.theguardian.com/us-news/2020/mar/01/trump-science-coronavirus-public-trust">public messaging as clear as mud</a>.</p>
<p>These things matter. Response time and effectiveness are risk. If we’re slow and perform poorly, risk increases. If we’re decisive and effective, it declines. In responding to epidemics, this is especially so (³):</p>
<p><img src="https://swannysec.net/public/epidemic_response.jpg" alt="Epidemic_Response_Graph" /></p>
<p>While we can’t prevent the likes of COVID-19 or the security incidents we’re responsible for entirely, we <em>can</em> be better prepared and respond more effectively. If you do nothing else, <strong>prepare yourself, your organization, or the public on a constant basis, take decisive data-driven action swiftly, and communicate that action with indisputable clarity</strong>.</p>
<p>As always, I welcome your feedback; please reach out <a href="https://twitter.com/swannysec">@swannysec</a>.</p>
<h2 id="references-and-more-information">References and More Information</h2>
<p>¹ <a href="https://systems.jhu.edu/research/public-health/ncov/">https://systems.jhu.edu/research/public-health/ncov/</a> <br />
² <a href="https://www.arcgis.com/apps/opsdashboard/index.html#/bda7594740fd40299423467b48e9ecf6">https://www.arcgis.com/apps/opsdashboard/index.html#/bda7594740fd40299423467b48e9ecf6</a> <br />
³ <a href="https://wwwnc.cdc.gov/eid/article/26/5/19-0995-f1">https://wwwnc.cdc.gov/eid/article/26/5/19-0995-f1</a></p>
<p>For more on Coronavirus risk from a business perspective:</p>
<ul>
<li><a href="https://www.bridgewater.com/research-library/daily-observations/Richard-Falkenrath-how-we-are-thinking-about-coronavirus-and-its-impact-on-markets/">https://www.bridgewater.com/research-library/daily-observations/Richard-Falkenrath-how-we-are-thinking-about-coronavirus-and-its-impact-on-markets/</a> (hat tip to <a href="https://twitter.com/CYINT_dude">@CYINT_dude</a>)</li>
<li><a href="https://medium.com/sequoia-capital/coronavirus-the-black-swan-of-2020-7c72bdeb9753">https://medium.com/sequoia-capital/coronavirus-the-black-swan-of-2020-7c72bdeb9753</a> (hat tip to <a href="https://twitter.com/rickhholland">@rickhholland</a>)</li>
</ul>
<h1 id="brian-krebs-and-the-yugoslavian-business-network---analyzing-nebula">Brian Krebs and the Yugoslavian Business Network - Analyzing Nebula</h1>
<p>swannysec, 2017-03-07, <a href="https://swannysec.net/2017/03/07/brian-krebs-and-the-yugoslavian-business-network">https://swannysec.net/2017/03/07/brian-krebs-and-the-yugoslavian-business-network</a></p>
<h1 id="the-rise-and-fall-of-an-empire">The Rise and Fall of an Empire</h1>
<p>Angler, and to a lesser extent, Nuclear, were the predominant exploit kits (EKs) of 2015 and the first half of 2016 before suddenly disappearing early last summer. With plenty of money to be made on the distribution of ransomware and banking trojans, other EKs quickly filled the void. Neutrino and RIG were the first to respond, though Neutrino itself disappeared in September of 2016.</p>
<p>Around the same time, Empire, a privately-sold EK with roots in the more widely-available RIG kit, appeared on the scene, ostensibly to steal a piece of the crimeware pie. Sometimes referred to as RIG-E, Empire delivered a wide variety of payloads during the fall of 2016, including <a href="http://www.broadanalysis.com/2016/12/20/2613/">custom ransomware</a> and <a href="http://www.broadanalysis.com/2016/12/09/compromised-sites-rig-e-and-rig-v-exploit-kits-deliver-cerber-chthonic-gootkit/">banking trojans</a>. According to Brad Duncan over at <a href="http://www.malware-traffic-analysis.net/2016/12/21/index2.html">Malware-Traffic-Analysis</a> and Palo Alto Unit42, Empire was often utilized by the <a href="http://researchcenter.paloaltonetworks.com/2016/10/unit42-eitest-campaign-evolution-angler-ek-neutrino-rig/">EITest</a> campaign, which had previously utilized Angler in great quantities.</p>
<p>Unfortunately for the purveyors of Empire, and fortunately for the rest of us, Empire’s reign was short-lived. Like its predecessors Angler, Nuclear, and Neutrino, Empire itself mysteriously disappeared at the end of December 2016.</p>
<h1 id="nebula-appears">Nebula Appears</h1>
<p>While Empire enjoyed only a short period in the sun, RIG itself continues to operate successfully, as does Sundown, another exploit kit seeing success in the wake of Angler. Additionally, a new contender has appeared, seeking to take up the slack left by Empire. Nebula, first offered for sale on February 17th, appears to be a hybrid of Sundown and Empire: it integrates an internal traffic direction system (TDS) apparently salvaged from the ashes of Empire. For more information, check out Kafeine’s excellent post <a href="http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.html">here</a>.</p>
<p>As a long-overdue exercise in crimeware analysis using OSINT, I decided to take a crack at examining the Nebula EK infrastructure in an attempt to better understand the actors utilizing it and the payloads being delivered. What I found was both amusing and unexpected for an exploit kit so new to the scene.</p>
<h1 id="tools-of-the-trade">Tools of the Trade</h1>
<p>All of the tools I use to perform this analysis are available either completely free of charge or as full-featured community editions. For visual analysis, I use Paterva <a href="https://www.paterva.com/web7/buy/maltego-clients/maltego-ce.php">Maltego</a>. As data sources used to expand on and add context to the blogs of Kafeine and Brad Duncan mentioned above, I use <a href="https://www.threatcrowd.org/">ThreatCrowd</a>, <a href="https://www.threatminer.org/">ThreatMiner</a>, <a href="https://otx.alienvault.com/">Alienvault OTX</a>, and RiskIQ’s <a href="https://passivetotal.org/">PassiveTotal</a>. All of these offer transforms for Maltego either directly or via other community members.</p>
<h1 id="brian-krebs-ek-peddler">Brian Krebs: EK Peddler</h1>
<p>Analysis begins with a single Nebula EK delivery subdomain provided by Brad Duncan’s <a href="http://malware-traffic-analysis.net/2017/03/02/index.html">analysis</a> of a recent Nebula infection chain: ehpcc.chggannel[.]stream. As a starting point, I dropped the subdomain into PassiveTotal:</p>
<p><img src="https://swannysec.net/public/Nebula1.jpg" alt="Nebula1" /></p>
<p>Clearly, the subdomain is brand new, having been first seen (and in fact, last seen) on March 2nd, resolving to a Worldstream IP out of the Netherlands. We’ll come back to the IP and the rest of the chggannel domain in a moment. What immediately proved far more interesting to me was the whois record for the domain. Whois pivoting is not always reliable, nor is it always even possible, depending on the registrar used and the OPSEC practices of the actor. Fortunately, in this case, the actors gave us something to work with.</p>
<p><img src="https://swannysec.net/public/Nebula2.jpg" alt="Nebula2" /></p>
<p>So it seems Brian Krebs has turned to a life of crime and is now a member of the Yugoslavian Business Network? As amusing and unlikely as that is, we likely have a couple of interesting indicators to work from, including a whois name, e-mail, org, and perhaps a phone number. PassiveTotal is a fantastic source for this kind of data and we should be able to pivot on those indicators to learn more, provided the actors have used them with any consistency. Before we move to Maltego and continue exploring, let’s check out the rest of that domain. Looks like there are two other subdomains here, giving us a good starting point to work from:</p>
<p><img src="https://swannysec.net/public/Nebula3.jpg" alt="Nebula3" /></p>
<p>We’ll go ahead and drop the domain into Maltego and add in the other Nebula domains provided by Brad Duncan’s post. As a first step, we’ll pull in the whois details for all four domains to see whether or not we have consistent indicators to work with:</p>
<p><img src="https://swannysec.net/public/Nebula4.jpg" alt="Nebula4" /></p>
<p>Sure enough, we’ve definitely got consistent use of the same data for the whois records.</p>
<p><img src="https://swannysec.net/public/Nebula5.jpg" alt="Nebula5" /></p>
<p>Quickly pivoting through the registrant name, e-mail, org name, and phone number in PassiveTotal shows that the e-mail and phone number have the most consistency, since there are obviously some legitimate domains registered by real people named Brian Krebs. The same 114 domains are registered with the nista@pusikurac[.]com e-mail address and with that phone number. We’ll go ahead and pivot inside Maltego off the e-mail and pull back all the domains PassiveTotal knows about registered with that address.</p>
<p><img src="https://swannysec.net/public/Nebula6.jpg" alt="Nebula6" /></p>
<p><img src="https://swannysec.net/public/Nebula7.jpg" alt="Nebula7" /></p>
<p>Pivoting from these new domains to their IPs by pulling the Passive DNS results from PassiveTotal brings back a whopping one IP. Why? The apex domains themselves rarely resolve; Mr. Krebs seems to be serving nearly everything from subdomains. The second screenshot shows what happens when we pull in all the subdomains for the domains present: the entity count of the graph nearly triples.</p>
<p><img src="https://swannysec.net/public/Nebula8.jpg" alt="Nebula8" /></p>
<p><img src="https://swannysec.net/public/Nebula9.jpg" alt="Nebula9" /></p>
<p>Once more pulling in the IPs via Passive DNS, we see that 300+ domains and subdomains resolve to only fourteen IPs, shown in red-orange. Note that a few of these IPs are shared webhosts, which makes them weaker pivots than dedicated infrastructure, and that the legitimate domains are not displayed on this graph.</p>
<p><img src="https://swannysec.net/public/Nebula10.jpg" alt="Nebula10" /></p>
<p>Unfortunately, ThreatCrowd, ThreatMiner, and Alienvault OTX all return no results when I attempt to query for malware samples observed at the domains registered by this actor. Further, none of the domains or subdomains host SSL certificates according to PassiveTotal. Accordingly, we’ll wrap up our pivoting here, having exhausted the unique whois indicators provided by the Nebula actors.</p>
<h1 id="nebulas-extent-and-payloads">Nebula’s Extent and Payloads</h1>
<p>In order to clean up the graph and ensure all the data is likely relevant to Nebula, we want to take a look at the registrations from a temporal perspective. Of the 114 domains registered using the farcical Brian Krebs moniker and nista@pusikurac[.]com at the time of writing, 12 were registered in May of 2016. All 12 of these domains were also registered under a different whois org name, <code class="language-plaintext highlighter-rouge">ISP</code>. Since February 8th, 2017, 102 domains have been registered under the Krebs/nista@pusikurac[.]com combination, of which 97 used Yugoslavian Business Network as their org name. Curiously, however, the 12 domains registered earlier have active subdomains observed during the recent Nebula campaign.</p>
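<p>The pivoting walked through above (registrant e-mail plus phone, then passive DNS from apex domains through their subdomains to IPs) and the temporal clustering by org name and registration month in the paragraph just above can be written as a small script. The example below is added here and is not code from the original post or from PassiveTotal. It runs over constructed whois and passive-DNS records in the shape those sources return: the IPs are from documentation ranges, the dates and the legitimate "brian-krebs-example.com" namesake are invented to show why a name-only pivot overmatches, and the only real values in it are the registrant fields published in the IOC section below. The two-label <code class="language-plaintext highlighter-rouge">apex()</code> assumption holds for the TLDs in this campaign but not for co.uk-style suffixes.</p>

```python
"""Whois and passive-DNS pivoting, as a stand-alone script over constructed data."""
from collections import defaultdict
from datetime import date
from typing import Dict, Iterable, List, NamedTuple, Set


class Whois(NamedTuple):
    domain: str
    name: str
    email: str
    org: str
    phone: str
    registered: date


class PdnsRecord(NamedTuple):
    hostname: str
    ip: str
    first_seen: date


# Constructed sample data in the shape of the records the post pivots on. These
# are NOT PassiveTotal results: IPs are documentation ranges, dates are invented,
# and the "Brian Krebs" namesake domain exists only to show name-only overmatching.
WHOIS: List[Whois] = [
    Whois("chggannel.stream", "Brian Krebs", "nista@pusikurac.com",
          "Yugoslavian Business Network", "96311273808008", date(2017, 2, 28)),
    Whois("tboapfmsyu.stream", "Brian Krebs", "nista@pusikurac.com",
          "Yugoslavian Business Network", "96311273808008", date(2017, 3, 1)),
    Whois("lossicedeficit.pw", "Brian Krebs", "nista@pusikurac.com",
          "ISP", "96311273808008", date(2016, 5, 12)),
    Whois("brian-krebs-example.com", "Brian Krebs", "owner@example.com",
          "", "15550100100", date(2015, 6, 1)),      # legitimate namesake (constructed)
    Whois("unrelated.example", "Jane Doe", "jane@example.net",
          "", "15550100199", date(2017, 2, 20)),
]

PDNS: List[PdnsRecord] = [
    PdnsRecord("ehpcc.chggannel.stream", "192.0.2.10", date(2017, 3, 2)),
    PdnsRecord("peqmk.chggannel.stream", "192.0.2.10", date(2017, 3, 2)),
    PdnsRecord("tboapfmsyu.stream", "192.0.2.10", date(2017, 3, 1)),
    PdnsRecord("supportpartner.lossicedeficit.pw", "198.51.100.7", date(2017, 2, 27)),
    PdnsRecord("shop.unrelated.example", "198.51.100.7", date(2016, 11, 3)),  # shared webhost
    PdnsRecord("brian-krebs-example.com", "203.0.113.5", date(2015, 6, 2)),
]


def apex(hostname: str) -> str:
    """Collapse a hostname to its registrable domain.

    Assumes two-label apexes, which holds for the TLDs in this campaign
    (.stream, .pw, .bid, ...). Use a public-suffix list for co.uk-style TLDs.
    """
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def _seed(records: Iterable[Whois], domain: str) -> Whois:
    return next(r for r in records if r.domain == domain)


def pivot_registrant(records: List[Whois], seed_domain: str) -> Set[str]:
    """Domains sharing BOTH the registrant e-mail and phone of the seed domain."""
    seed = _seed(records, seed_domain)
    return {r.domain for r in records
            if (r.email, r.phone) == (seed.email, seed.phone)}


def pivot_name(records: List[Whois], seed_domain: str) -> Set[str]:
    """Name-only pivot; overmatches whenever a real person shares the name."""
    seed = _seed(records, seed_domain)
    return {r.domain for r in records if r.name == seed.name}


def cluster_registrations(records: List[Whois], domains: Set[str]) -> Dict[tuple, List[str]]:
    """Bucket pivoted domains by whois org and registration month, so an older
    wave registered under a different org name stands out from the current one."""
    clusters: Dict[tuple, List[str]] = defaultdict(list)
    for r in records:
        if r.domain in domains:
            clusters[(r.org, r.registered.strftime("%Y-%m"))].append(r.domain)
    return {k: sorted(v) for k, v in clusters.items()}


def pivot_to_ips(pdns: List[PdnsRecord], domains: Set[str]) -> Dict[str, dict]:
    """Map every passive-DNS hostname under an actor domain to its IP.

    Hostnames are matched on their apex so subdomains count. An IP that also
    serves hostnames outside the actor set is flagged as shared hosting, which
    is a weaker pivot than a dedicated one.
    """
    by_ip: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: {"actor": set(), "other": set()})
    for rec in pdns:
        bucket = "actor" if apex(rec.hostname) in domains else "other"
        by_ip[rec.ip][bucket].add(rec.hostname)
    return {
        ip: {"actor": sorted(b["actor"]), "other": sorted(b["other"]),
             "shared": bool(b["other"])}
        for ip, b in by_ip.items() if b["actor"]
    }


if __name__ == "__main__":
    actor = pivot_registrant(WHOIS, "chggannel.stream")
    print("e-mail+phone pivot:", sorted(actor))
    print("name-only pivot   :", sorted(pivot_name(WHOIS, "chggannel.stream")))
    for key, doms in sorted(cluster_registrations(WHOIS, actor).items()):
        print("registration cluster", key, doms)
    for ip, info in sorted(pivot_to_ips(PDNS, actor).items()):
        print(ip, "shared" if info["shared"] else "dedicated", info["actor"])
```

<p>The e-mail-plus-phone pivot excludes the namesake domain that a name-only pivot drags in, the cluster step separates the older <code class="language-plaintext highlighter-rouge">ISP</code> registrations from the current Yugoslavian Business Network wave, and the IP step marks the shared webhost so it is not treated as actor-dedicated infrastructure.</p>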
<p>Little additional information can be gleaned from the OSINT sources I have available to me, but from the analyses performed by Kafeine and Brad Duncan, we know that Nebula leads to a variety of payloads including <a href="https://www.cylance.com/a-study-in-bots-diamondfox">DiamondFox</a>, <a href="https://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/">Gootkit</a>, <a href="https://securityintelligence.com/ramnit-rears-its-ugly-head-again-targets-major-uk-banks/">Ramnit</a>, and <a href="https://www.f-secure.com/weblog/archives/00002738.html">Pitou</a>. With the exception of Pitou, which is a spambot, all of these are bankers. At this time, there is no evidence the Yugoslavian Business Network actors are distributing ransomware via Nebula.</p>
<h1 id="conclusions">Conclusions</h1>
<p>The Yugoslavian Business Network actually has a significant history with the Sundown EK. According to Ed Miles at <a href="https://www.zscaler.com/blogs/research/sundown-chronicles-observations-exploit-kits-evolution">Zscaler</a>, the first indications of Yugoslavian Business Network involvement with Sundown began in July of 2016. At this time, however, it was unclear how the group, which advertised their coding services in German on forums, was associated with Sundown. By September, <a href="https://www.trustwave.com/Resources/SpiderLabs-Blog/Sundown-EK-%E2%80%93-Stealing-Its-Way-to-the-Top/">Trustwave</a> indicated that the Sundown actors had “outsourced” their DGA work to the Yugoslavian Business Network. By the end of October 2016, Nick Biasini at Cisco’s Talos Intelligence <a href="http://blog.talosintelligence.com/2016/10/sundown-ek.html">concluded</a> that Yugoslavian Business Network indicators were associated with all Sundown landing pages and that Sundown’s actors were operating a very large domain shadowing and wildcarding operation to power the exploit kit’s spread. Interestingly, he also concluded that the payloads from this operation were exclusively banking trojans.</p>
<p>Given the close historical ties between Sundown and the Yugoslavian Business Network, it is probable that Nebula is simply a new iteration on the existing Sundown exploit kit, operated by the same actors or a closely related group of actors. The willingness of the Yugoslavian Business Network to flaunt their moniker throughout their involvement with Sundown squares with the appearance of that name in the whois records for the Nebula campaign. Additionally, two other calling cards of the YBN appear to be present in the Nebula campaign, the use of subdomains/domain wildcarding and the almost exclusive delivery of banking malware vs. ransomware. Finally, the gang at Digital Shadows has additional <a href="https://www.digitalshadows.com/blog-and-research/sun-to-set-on-bepssundown-exploit-kit/">details</a>, including tweets from @CryptoInsane and @666_KingCobra (the alleged author of the Terror exploit kit) which seem to indicate that the Nebula source code offered for sale is in fact that of Sundown.</p>
<p>As an alternative hypothesis, it is possible that the Nebula activity I have analyzed here is indicative of a copycat operation, designed to look like the Sundown/YBN activity using the leaked source code. However, I believe that the balance of the evidence supports the original conclusion and that this is probably not a copycat operation.</p>
<p>In a follow-up to this post, I will be detailing the process of using PassiveTotal to set up a public project and the monitor function to track the YBN actor and Nebula campaign. IOCs are provided below. As always, I invite comment, debate, or criticism <a href="https://twitter.com/swannysec">@swannysec</a>.</p>
<h1 id="iocs">IOCs</h1>
<h4 id="passive-total-project">Passive Total Project</h4>
<p><a href="https://passivetotal.org/projects/80ab2f3f-e08f-f86a-fade-6f9d3f8a12c6">https://passivetotal.org/projects/80ab2f3f-e08f-f86a-fade-6f9d3f8a12c6</a></p>
<h4 id="alienvault-osx-pulse-note-due-to-an-ingestion-issue-not-all-domainssubdomains-present">Alienvault OTX <a href="https://otx.alienvault.com/pulse/58bcfae15b9a136ec4bc220a/">Pulse</a> (Note: Due to an ingestion issue, not all domains/subdomains present)</h4>
<h4 id="domainssubdomains">Domains/subdomains</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>half-sistergoalindustry[.]pro
deficitshoulder.lossicedeficit[.]pw
hulbyking[.]stream
supportpartner.lossicedeficit[.]pw
tafgste[.]stream
siberianbangladeshtransport[.]win
commissionmice.lossicedeficit[.]pw
brabynch[.]stream
ovalsharevault[.]info
tom-tomchardcomparison[.]club
birthlasagnaexplanation[.]info
rootym[.]stream
knowledgedrugsaturday[.]club
qgg.losssubwayquilt[.]pw
hmn.losssubwayquilt[.]pw
chggannel[.]stream
tboapfmsyu[.]stream
offertom-tom.commissionlegshoemaker[.]bid
bitpurchasetempo[.]loan
signaturelilac.commissionlegshoemaker[.]bid
decimalyugolead[.]pro
commissionlegshoemaker[.]bid
mistmessage.commissionlegshoemaker[.]bid
losssubwayquilt[.]pw
profitwhiskey.commissionlegshoemaker[.]bid
suggestiondentistrectangle[.]club
bandfactorycroissant[.]bid
begoniamistakemeal[.]club
facilitiesturkishdipstick[.]info
textfatherfont[.]info
canfragranceretailer[.]site
certificationphilosophy.decimalyugolead[.]pro
harborinterestrecorder[.]club
pheasantmillisecondenvironment[.]stream
jebemtimater[.]xyz
retailergreasebottom[.]win
transportdrill.facilitiesturkishdipstick[.]info
cityacoustic.textfatherfont[.]info
foundationspadeinventory[.]club
chargerule.textfatherfont[.]info
alleyasphaltreport[.]party
chefarmadillo.o88kd0e1yehd1s5[.]bid
basketballoptionbeat[.]win
applyvelvet.o88kd0e1yehd1s5[.]bid
decisionpropertytuba[.]site
colonsuccesston[.]info
herondebtor.o88kd0e1yehd1s5[.]bid
maskobjectivebiplane[.]trade
handballsupply.hockeyopiniondust[.]club
shelfdecreasecapital[.]win
creditorclutch.hockeyopiniondust[.]club
alligatoremployeelyric[.]club
77e1084e[.]pro
basementjudorepairs[.]club
greenpvcpossibility[.]tech
step-unclecanadapreparation[.]trade
birchbudget.hockeyopiniondust[.]club
shockadvantagewilderness[.]club
distributionjaw.hockeyopiniondust[.]club
grasslettuceindustry[.]bid
competitionseason.numberdeficitc-clamp[.]site
oakcreditorcirculation[.]stream
loafmessage.numberdeficitc-clamp[.]site
guaranteepartridgeoven[.]pro
rkwurghafq4olnz[.]site
advantagelamp.numberdeficitc-clamp[.]site
improvementdeadlinemillisecond[.]club
approveriver.jsffu2zkt5va[.]trade
44a11c539450ac1e13a6bb9728569d34[.]pro
dependentswhorl.jsffu2zkt5va[.]trade
pumpdifferencecymbal[.]club
countrydifferencethumb[.]info
fearshareoboe[.]trade
debtbaconslip[.]stream
penaltyshock.gumimprovementitalian[.]stream
barberfifth.hnny1jymtpn2k[.]stream
permissionquiversagittarius[.]space
closetswissretailer[.]bid
e10a12e32de96b60e95e89507e943c14[.]bid
priceearthquakepencil[.]bid
divingfuelsalary[.]trade
swissfacilities.gumimprovementitalian[.]stream
brokerbaker.hnny1jymtpn2k[.]stream
improvementpaperwriter[.]bid
calculatefuel.hnny1jymtpn2k[.]stream
possibilityshare.gumimprovementitalian[.]stream
transportbomb.gramsunshinesupply[.]club
goallicense.shearssuccessberry[.]club
purposeguarantee.shearssuccessberry[.]club
apologycold.shearssuccessberry[.]club
paymentceramic.pheasantmillisecondenvironment[.]stream
limitsphere.pheasantmillisecondenvironment[.]stream
dancerretailer.shearssuccessberry[.]club
instructionscomposition.pheasantmillisecondenvironment[.]stream
pyramiddecision.356020817786fb76e9361441800132c9[.]win
printeroutput.pheasantmillisecondenvironment[.]stream
clickbarber.356020817786fb76e9361441800132c9[.]win
refundlentil.pheasantmillisecondenvironment[.]stream
boydescription.356020817786fb76e9361441800132c9[.]win
handballdisadvantage.harborinterestrecorder[.]club
gondoladate-of-birth.harborinterestrecorder[.]club
multimediabuild.textfatherfont[.]info
buglecommand.textfatherfont[.]info
hygienicreduction.brassreductionquill[.]site
authorisationmessage.brassreductionquill[.]site
rainstormpromotion.gramsunshinesupply[.]club
apologycattle.gramsunshinesupply[.]club
supplyheaven.gramsunshinesupply[.]club
startguarantee.gramsunshinesupply[.]club
agendawedge.shoemakerzippersuccess[.]stream
profitcouch.shoemakerzippersuccess[.]stream
battleinventory.nigeriarefundneon[.]pw
mistakefreezer.nigeriarefundneon[.]pw
deadlinepelican.shoemakerzippersuccess[.]stream
authorizationposition.nigeriarefundneon[.]pw
costsswim.nigeriarefundneon[.]pw
flycity.7a35a143adde0374f820d92f977a92e1[.]trade
dohmbineering[.]stream
customergazelle.cyclonesoybeanpossibility[.]bid
7a35a143adde0374f820d92f977a92e1[.]trade
invoiceburst.cyclonesoybeanpossibility[.]bid
wdkkaxnpd99va[.]site
nigeriarefundneon[.]pw
distributionstatementdiploma[.]site
decreaseclarinet.tom-tomchardcomparison[.]club
columnistsalescave[.]xyz
bassoonoption.tom-tomchardcomparison[.]club
retailersproutalto[.]pro
billcoast.tom-tomchardcomparison[.]club
cyclonesoybeanpossibility[.]bid
cocoacustomer.tom-tomchardcomparison[.]club
reductiondramathrone[.]trade
jumptom-tomapology[.]bid
agesword.alvdxq1l6n0o[.]stream
hnny1jymtpn2k[.]stream
o88kd0e1yehd1s5[.]bid
356020817786fb76e9361441800132c9[.]win
shearssuccessberry[.]club
protestcomparisoncolor[.]site
bombclick.alvdxq1l6n0o[.]stream
gramsunshinesupply[.]club
bakermagician.alvdxq1l6n0o[.]stream
brassreductionquill[.]site
date-of-birthtrout.87692f31beea22522f1488df044e1dad[.]top
goodswinter.retailersproutalto[.]pro
supportmensuccess[.]bid
chooseravioli.87692f31beea22522f1488df044e1dad[.]top
potatoemployee.retailersproutalto[.]pro
freckleorderromania[.]win
asiadeliveryarmenian[.]pro
exhaustamusementsuggestion[.]pw
pedestrianpathexplanation[.]info
retaileraugustplier[.]club
phoneimprovement.retailersproutalto[.]pro
derpenquiry.87692f31beea22522f1488df044e1dad[.]top
spayrgk[.]stream
certificationplanet.87692f31beea22522f1488df044e1dad[.]top
instructionssaudiarabia.retailersproutalto[.]pro
f1ay91cxoywh[.]trade
competitorthrillfeeling[.]online
cowchange.distributionstatementdiploma[.]site
enquiryfootnote.bubblecomparisonwar[.]top
transportavenueexclamation[.]club
fishsparkorder[.]trade
organisationobjective.bubblecomparisonwar[.]top
departmentant.distributionstatementdiploma[.]site
suggestionburn.distributionstatementdiploma[.]site
soldierprice.distributionstatementdiploma[.]site
secureconfirmation.bubblecomparisonwar[.]top
redrepairs.distributionstatementdiploma[.]site
advertiselaura.bubblecomparisonwar[.]top
casdfble[.]stream
confirmationwoman.decimalyugolead[.]pro
excyigted[.]stream
beastcancercosts[.]pro
appealbarber.decimalyugolead[.]pro
nationweekretailer[.]club
advisealgebra.decimalyugolead[.]pro
detailpanequipment[.]site
rectangleapologyfeather[.]trade
bubbbble[.]stream
visiongazellestock[.]site
mxkznekruoays[.]trade
debtorgreat-grandmother.bitpurchasetempo[.]loan
mandolincamprisk[.]info
paymentedge.bitpurchasetempo[.]loan
comparisonrequestcrocodile[.]trade
cookmorningfacilities[.]bid
crabbudgetfahrenheit[.]tech
periodicaldecision.bitpurchasetempo[.]loan
deliverycutadvantage[.]info
strangersharesnowflake[.]top
enemyorder.bitpurchasetempo[.]loan
passbookresponsibilityflare[.]bid
knowledgedoctor.bitpurchasetempo[.]loan
governmentsignaturepoint[.]top
date-of-birthfender.tboapfmsyu[.]stream
jailreduction.edgetaxprice[.]site
shoemakerzippersuccess[.]stream
invoicegosling.edgetaxprice[.]site
lipprice.edgetaxprice[.]site
bubblecomparisonwar[.]top
applywholesaler.tboapfmsyu[.]stream
distributionfile.edgetaxprice[.]site
87692f31beea22522f1488df044e1dad[.]top
ehpcc.chggannel[.]stream
alvdxq1l6n0o[.]stream
peqmk.chggannel[.]stream
erafightergoal[.]website
lossathleteship[.]site
edgetaxprice[.]site
factoryslave.erafightergoal[.]website
transportseptemberharp[.]club
preparationshark.erafightergoal[.]website
xgiph47su3ym[.]info
tyqan.chggannel[.]stream
lossicedeficit[.]pw
offertenor.erafightergoal[.]website
gumimprovementitalian[.]stream
marketdisadvantage.reductiondramathrone[.]trade
area-codebobcat.knowledgedrugsaturday[.]club
jsffu2zkt5va[.]trade
actressheight.knowledgedrugsaturday[.]club
librarysuccess.reductiondramathrone[.]trade
numberdeficitc-clamp[.]site
alcoholproduction.reductiondramathrone[.]trade
congoobjective.erafightergoal[.]website
hockeyopiniondust[.]club
lightdescription.erafightergoal[.]website
approvepeak.knowledgedrugsaturday[.]club
successcrow.reductiondramathrone[.]trade
yewdigital.mxkznekruoays[.]trade
domainconsider.mxkznekruoays[.]trade
citizenshipquotation.44a11c539450ac1e13a6bb9728569d34[.]pro
agendarutabaga.44a11c539450ac1e13a6bb9728569d34[.]pro
stationdeadline.improvementdeadlinemillisecond[.]club
maracaenquiry.nationweekretailer[.]club
brandfloor.improvementdeadlinemillisecond[.]club
clausmessage.nationweekretailer[.]club
pleasureestimate.permissionquiversagittarius[.]space
marginpaint.permissionquiversagittarius[.]space
sandlimit.permissionquiversagittarius[.]space
experienceiris.permissionquiversagittarius[.]space
disadvantagegerman.crabbudgetfahrenheit[.]tech
driverknowledge.crabbudgetfahrenheit[.]tech
distributionpopcorn.debtbaconslip[.]stream
scooterrise.crabbudgetfahrenheit[.]tech
dinosaurbudget.fearshareoboe[.]trade
canadaenquiry.crabbudgetfahrenheit[.]tech
spongedeadline.crabbudgetfahrenheit[.]tech
decreaseoil.fearshareoboe[.]trade
debtordoor.fearshareoboe[.]trade
employercurler.cookmorningfacilities[.]bid
increaserock.fearshareoboe[.]trade
elbowdebt.cookmorningfacilities[.]bid
commissioncooking.comparisonrequestcrocodile[.]trade
elizabethcosts.countrydifferencethumb[.]info
equipmentdate.comparisonrequestcrocodile[.]trade
rulesupport.countrydifferencethumb[.]info
marketphilippines.comparisonrequestcrocodile[.]trade
cicadareport.countrydifferencethumb[.]info
baitfacilities.comparisonrequestcrocodile[.]trade
debtordecision.comparisonrequestcrocodile[.]trade
lossornament.countrydifferencethumb[.]info
reindeerprofit.divingfuelsalary[.]trade
outputfruit.divingfuelsalary[.]trade
decembercommission.divingfuelsalary[.]trade
marginswiss.divingfuelsalary[.]trade
clickdecrease.strangersharesnowflake[.]top
pricejelly.strangersharesnowflake[.]top
barbercomposer.e10a12e32de96b60e95e89507e943c14[.]bid
apologyunit.strangersharesnowflake[.]top
employerrange.strangersharesnowflake[.]top
employergoods.deliverycutadvantage[.]info
acknowledgmentinterest.permissionquiversagittarius[.]space
fallhippopotamus.deliverycutadvantage[.]info
employeegarlic.deliverycutadvantage[.]info
angoraadvantage.shelfdecreasecapital[.]win
orderbooklet.shelfdecreasecapital[.]win
outputvolcano.shelfdecreasecapital[.]win
debtorcave.shelfdecreasecapital[.]win
budgetdegree.maskobjectivebiplane[.]trade
instructionspair.freckleorderromania[.]win
equipmentwitness.maskobjectivebiplane[.]trade
cardiganopinion.freckleorderromania[.]win
forum.freckleorderromania[.]win
motherresult.basketballoptionbeat[.]win
orangedecision.freckleorderromania[.]win
museumcosts.freckleorderromania[.]win
apartmentapology.basketballoptionbeat[.]win
competitionsunday.freckleorderromania[.]win
millisecondpossibility.basketballoptionbeat[.]win
c-clamppayment.asiadeliveryarmenian[.]pro
phonefall.asiadeliveryarmenian[.]pro
productionbanker.alleyasphaltreport[.]party
penaltyinternet.asiadeliveryarmenian[.]pro
reportbranch.alleyasphaltreport[.]party
goodsyellow.alleyasphaltreport[.]party
rollinterest.asiadeliveryarmenian[.]pro
offeraftershave.alleyasphaltreport[.]party
comparisonneed.alleyasphaltreport[.]party
explanationlier.asiadeliveryarmenian[.]pro
authorizationmale.foundationspadeinventory[.]club
birthdayexperience.foundationspadeinventory[.]club
sexdebt.competitorthrillfeeling[.]online
lossbill.competitorthrillfeeling[.]online
dinosaurfall.competitorthrillfeeling[.]online
cannoncountdecide.f1ay91cxoywh[.]trade
bugleathlete.f1ay91cxoywh[.]trade
goalpanda.retaileraugustplier[.]club
confirmationaustralian.retaileraugustplier[.]club
holidayagenda.retaileraugustplier[.]club
jobhate.pedestrianpathexplanation[.]info
europin.pedestrianpathexplanation[.]info
buysummer.77e1084e[.]pro
borrowfield.77e1084e[.]pro
shinyflaky.pedestrianpathexplanation[.]info
captaincertification.77e1084e[.]pro
slippery.pedestrianpathexplanation[.]info
deficitairbus.exhaustamusementsuggestion[.]pw
penaltydrug.exhaustamusementsuggestion[.]pw
environmentbasket.alligatoremployeelyric[.]club
blowsalary.alligatoremployeelyric[.]club
digitalgoods.alligatoremployeelyric[.]club
clerkbird.grasslettuceindustry[.]bid
hygienicreduction.casdfble[.]stream
disadvantageproduction.casdfble[.]stream
deodorantconsider.grasslettuceindustry[.]bid
authorisationmessage.casdfble[.]stream
hellcustomer.grasslettuceindustry[.]bid
equipmentparticle.shockadvantagewilderness[.]club
shouldertransport.shockadvantagewilderness[.]club
salaryfang.shockadvantagewilderness[.]club
descriptionmoon.competitorthrillfeeling[.]online
estimatememory.competitorthrillfeeling[.]online
</code></pre></div></div>
<h4 id="ips">IPs</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>188.209.49[.]151
93.190.141[.]39
188.209.49[.]135
217.23.7[.]15
91.214.71[.]110
185.93.185[.]226
188.209.49[.]49
93.190.137[.]22
93.190.141[.]45
93.190.141[.]166
93.190.141[.]200
45.58.125[.]74
77.81.230[.]141
173.224.121[.]91
</code></pre></div></div>
<h4 id="whois-e-mail">Whois E-mail</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nista@pusikurac[.]com
</code></pre></div></div>
<h4 id="whois-name">Whois Name</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Brian Krebs
</code></pre></div></div>
<h4 id="whois-organization">Whois Organization</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Yugoslavian Business Network
</code></pre></div></div>
<h4 id="whois-phone">Whois Phone</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>96311273808008
</code></pre></div></div>
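<p>To put the indicator lists above to use in detection, they need refanging and a matcher that respects the actor’s wildcarding and subdomain shadowing: a query for a never-before-seen label under a listed apex should still fire, while a lookalike such as <code class="language-plaintext highlighter-rouge">notchggannel.stream</code> should not. The following is an added example, not code from the original post. It refangs a constructed excerpt of the lists in the same <code class="language-plaintext highlighter-rouge">[.]</code> format, classifies entries as domains or IPs, and runs them over constructed DNS query log lines in an assumed <code class="language-plaintext highlighter-rouge">timestamp client qname qtype rdata</code> layout; <code class="language-plaintext highlighter-rouge">LOG_RE</code> is an assumption to be adapted to a real resolver’s log format.</p>

```python
"""Refang the IOC lists above and run them over constructed DNS query logs."""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed excerpt in the same defanged format as the IOC blocks above.
# Only a few entries are included; paste the full lists in for real use.
DEFANGED_IOCS = """
chggannel[.]stream
ehpcc.chggannel[.]stream
lossicedeficit[.]pw
supportpartner.lossicedeficit[.]pw
188.209.49[.]151
93.190.141[.]39
"""

# Constructed DNS query log in an assumed format:
#   <timestamp> <client> <qname> <qtype> <rdata>
# Client and answer IPs are documentation ranges except the listed IOC IP.
SAMPLE_LOG = """
2017-03-02T14:01:07Z 10.0.0.12 ehpcc.chggannel.stream A 192.0.2.10
2017-03-02T14:02:19Z 10.0.0.12 zzqrt.chggannel.stream A 192.0.2.10
2017-03-02T14:03:44Z 10.0.0.25 www.example.com A 203.0.113.77
2017-03-02T14:05:01Z 10.0.0.31 cdn.example.net A 188.209.49.151
2017-03-02T14:06:15Z 10.0.0.31 notchggannel.stream A 198.51.100.3
"""

# Assumed log layout; adapt to the resolver actually in use.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s+(?P<rdata>\S+)$"
)


def refang(indicator: str) -> str:
    """Undo the usual defanging conventions so indicators match live data."""
    s = indicator.strip().lower()
    for broken, fixed in (("[.]", "."), ("(.)", "."), ("{.}", "."), ("hxxp", "http")):
        s = s.replace(broken, fixed)
    return s


def load_indicators(text: str) -> Tuple[Set[str], Set[str]]:
    """Split a defanged list into (domains, ips); blank lines are ignored."""
    domains: Set[str] = set()
    ips: Set[str] = set()
    for line in text.splitlines():
        value = refang(line)
        if not value:
            continue
        try:
            ipaddress.ip_address(value)
            ips.add(value)
        except ValueError:
            domains.add(value.rstrip("."))
    return domains, ips


def match_hostname(qname: str, domains: Set[str]) -> Optional[str]:
    """Return the listed domain that qname equals or sits under, else None.

    Walking label boundaries (rather than substring or endswith checks) catches
    an unseen label under a listed apex, which matters for an actor that
    wildcards and shadows subdomains, without matching notchggannel.stream.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):   # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_log(lines: Iterable[str], domains: Set[str], ips: Set[str]) -> List[Dict[str, str]]:
    """Flag queries for listed names and answers pointing at listed IPs."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        qname, rdata = m["qname"], m["rdata"]
        hit = match_hostname(qname, domains)
        if hit is not None:
            hits.append({"ts": m["ts"], "client": m["client"], "qname": qname,
                         "kind": "domain", "indicator": hit})
        elif rdata in ips:
            hits.append({"ts": m["ts"], "client": m["client"], "qname": qname,
                         "kind": "ip", "indicator": rdata})
    return hits


if __name__ == "__main__":
    doms, addrs = load_indicators(DEFANGED_IOCS)
    for h in scan_log(SAMPLE_LOG.splitlines(), doms, addrs):
        print(f'{h["ts"]} {h["client"]} {h["qname"]} -> {h["kind"]} IOC {h["indicator"]}')
```

<p>Against the sample log this flags the known subdomain, the unseen <code class="language-plaintext highlighter-rouge">zzqrt</code> label under the listed apex, and an unrelated name that happens to resolve to a listed IP, while leaving the lookalike alone. Matching on resolved IPs is the noisier of the two checks because of the shared webhosts noted above, so treat those hits as leads rather than verdicts.</p>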
<p><strong>Changing Things Up</strong> (2016-08-09, <a href="https://swannysec.net/2016/08/09/changing-things-up">https://swannysec.net/2016/08/09/changing-things-up</a>)</p>
<p>If you’re reading this, you’ve likely noticed that this blog and my twitter account have been quiet of late. Summer is often a busy time, but my reasons for that are different than usual this year. Over the last few months I’ve been engaged in a lengthy recruitment and interview process and I’m really excited to share that after a decade in public higher education, I’ll be joining <a href="https://www.twitter.com/sroberts">Scott Roberts</a> and the other fine folks at GitHub next week! I’ll be working in some form of DFIR role, but I’m not exactly certain what it will entail over the long run; GitHub is still a growing company after all. In the near term, I intend to play Robin to Scott’s Batman or perhaps serve as “Bad Guy Catcher Minion” while I learn as much as I can and find my “sea legs.”</p>
<blockquote>
<p>Sidebar: When I set this blog up almost a year ago, I chose this theme completely unaware that Scott had done the same and didn’t realize it until months later. Great minds think alike? Either that or I just rode his coattails all the way to GitHub.</p>
</blockquote>
<p>While I won’t go into great detail on the matter, I do want to take a moment to discuss GitHub’s recruitment process. All of my interview experience (both as an interviewee and interviewer) prior to GitHub was extremely formal and restrictive, as might be expected of a state agency. GitHub’s process couldn’t have been more different; it was refreshingly open, honest, and relaxed. This shouldn’t, however, be confused with an easy interview process. GitHub’s process involved multiple video interviews, phone calls, hands-on exercises, and a marathon (for someone new to the private sector world) in-person interview with both technical and non-technical personnel. None of these steps were cake, though I enjoyed every one and learned a lot during most of them as well.</p>
<p>The most fascinating part of the process for me was that each conversation was a two-way street. Not only were my interviewers genuinely interested in my input on challenges they faced at GitHub, but I was able to share some of my own challenges, receiving meaningful input in return. I walked away from many of the conversations with valuable lessons learned and as a better professional, no matter the outcome. That’s a neat feeling, and the further I got into the process, the more I realized that sort of welcoming openness was endemic to GitHub’s culture. Everyone I’ve met so far has been wonderful and despite the length of the process and the inherent stress of any interview situation, I have enjoyed the process enormously. Fortunately, I walked away with more than just lessons learned!</p>
<p>So where do we go from here? I’m presently suffering from an enormous case of <a href="https://sroberts.github.io/2015/05/02/imposter-syndrome-in-dfir/">imposter syndrome</a>. The professional challenges involved in moving to GitHub are not insignificant. The environment is a complete 180 from the one I’ve just spent a decade operating in, save some philosophical similarities. Additionally, I’m going from a very broad infosec role that included engineering, architecture, policy and compliance work, and only some IR work, to a more specialized role that will primarily handle IR. I will need to learn, or re-learn, a lot of new things both technically and in terms of business process. The near term will be dedicated to getting to know GitHub, building or rebuilding DFIR-specific skills, and moving back up Burch’s <a href="https://en.wikipedia.org/wiki/Four_stages_of_competence">hierarchy of competence</a> in an effort to defeat imposter syndrome and be a more effective incident responder.</p>
<p><img src="https://swannysec.net/public/Competence_Hierarchy.jpg" alt="Hierarchy" /></p>
<p>I will continue to blog and tweet, though I expect my focus will shift somewhat from threat intelligence to DFIR matters as I tend to use the blog, and to a lesser extent Twitter, to flesh out and reinforce what I’m learning or working on. I will likely contribute with less frequency, however, as I have a lot to process as I onboard at GitHub and I have some personal goals for the coming year I’d like to devote some time to:</p>
<ul>
<li>Increase the quantity and quality of reading I do.
<ul>
<li>My masters degree sort of killed my desire to read a few years ago, which is a shame. I was a voracious reader prior to that experience, and I believe I need to read more to further my personal development. To this end, I am pushing more of my reading, including blogs/RSS, to my kindle and trying to read away from a PC. This has the side effect of better quality sleep, as I tend to read in the evening and less screen-time will help.</li>
</ul>
</li>
<li>Tackle Python and eventually tinker with Go.
<ul>
<li>I will likely never be a great writer of code; it simply doesn’t come naturally to this liberal arts major. I have to work really hard at it, and I honestly don’t enjoy it all that much. That said, I want to reach a point where I establish a reasonable level of fluency and I’m capable of better communicating with those who do write code well.</li>
</ul>
</li>
<li>Exercise more.
<ul>
<li>Duh. I’m thirty now and I need to be in better shape. I’ve got a couple of awesome kids to be healthy for and I want to feel better too. I’d like to ride a bike a couple times a week and also go back to some weightlifting.</li>
</ul>
</li>
<li>Spend more time with my kids.
<ul>
<li>I was seriously burnt out over the last couple of years. My kids are growing up fast and I want to enjoy this time. My oldest is getting into computers, gaming, and shares my love of military history (win!). My youngest is a stout-hearted wild-child that brings me equal joy and trepidation by way of a risk-taking sense of adventure. Both are bright, curious, adorable, and deserve more of Dad’s time.</li>
</ul>
</li>
<li>Begin speaking at conferences.
<ul>
<li>I originally planned to begin speaking this fall or winter, but in light of the new challenges I’m taking on, I’ve decided to spend a little more time absorbing/observing and begin speaking next spring/summer. Nonetheless, it’s on my agenda.</li>
</ul>
</li>
</ul>
<p>Thanks for tagging along for this wild ride. I look forward to sharing more of my journey as I take on new challenges at GitHub. For now, off to GitHub HQ! As always, feel free to reach out to me <a href="https://www.twitter.com/swannysec">@swannysec</a> with your feedback!</p>
<p><strong>Talking Point - The Whiz-Bang Intel Bias</strong> (2016-05-17, <a href="https://swannysec.net/2016/05/17/talking-point-the-whiz-bang-intel-bias">https://swannysec.net/2016/05/17/talking-point-the-whiz-bang-intel-bias</a>)</p>
<p>I recently had an interesting conversation with a couple of people from the threat intelligence community around the idea of adversary innovation. Essentially, someone linked to a twitter blurb from a recent convention or trade show where the speaker mentioned that we, as defenders, need to innovate faster because our adversaries are doing it every day.</p>
<p>The immediate reaction, from a couple of very smart people who I consider to be mentors, as well as my own reaction, was that the idea was hogwash; attackers are lazy like the rest of us and only innovate when forced to do so. This makes sense, right? Humans, as a species are inherently lazy, and I know for a fact that most of those involved in technical fields loathe extraneous effort. So, this idea that attacker methods are constantly evolving and we must rise to meet that challenge is surely patently false, correct?</p>
<p>Upon further reflection, I decided that our initial instinct was in actuality incorrect, and may, in fact, indicate a bias on our part. While there are certainly those attackers out there who will innovate only when absolutely forced to do so, and many who never do at all, I think these may represent a smaller sample of the total population than we realize. Those working in or otherwise involved in the serious study of threat intelligence tend to dwell in the land of the APT. We eat, sleep, and breathe cyber-espionage, state-sponsored actors, and super-sophisticated financial crime syndicates. We do this because it’s our job, because it’s what keeps the lights on, because it’s fascinating, or maybe just because we all secretly imagine ourselves to be Jack Ryan.</p>
<p><img src="https://swannysec.net/public/jackryan1.jpg" alt="JackRyan" /></p>
<p>The reality, however, is that these kinds of threats probably represent a fraction of what the majority of the world contends with every day. In fact, for most, the biggest threat comes from financially-motivated commodity malware. The ransomware industry (and it certainly qualifies as an industry at this point) and banking trojans are likely responsible for far more damage to the worldwide economy than APTs and other sophisticated attacks will ever be. This year’s Verizon DBIR supports this conclusion, as summarized perfectly by <a href="">Rick Holland</a> below:</p>
<p><img src="https://swannysec.net/public/rickdbir1.jpg" alt="RickDBIR" /></p>
<p>The shocking part of this realization, for me, came when I reflected on just how much innovation actually occurs in the malware industry. Take a look at any of the major ransomware or exploit kit campaigns over the last six months. The rate of change is astounding! I probably read two or three reports every week about how the actors behind Angler EK, Locky, TeslaCrypt, or CryptXXX have changed something in their delivery method, in their infrastructure, or their anti-detection measures. Here are a few examples:</p>
<table>
<thead>
<tr>
<th>Link</th>
<th style="text-align: center">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a href="http://researchcenter.paloaltonetworks.com/2016/03/unit42-how-the-eltest-campaigns-path-to-angler-ek-evolved-over-time/">How the EITest Campaign’s Path to ANGLER EK Evolved Over Time</a></td>
<td style="text-align: center">Excellent overview of EITest and the payload and URL scheme changes it has seen since 2014.</td>
</tr>
<tr>
<td><a href="https://www.endgame.com/blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack-chain">Your Package Has Been Successfully Encrypted</a></td>
<td style="text-align: center">In-depth examination of a relatively new variant of the oft-iterated TeslaCrypt ransomware. Includes a great graphic that shows the rapid fragmentation of the ransomware industry.</td>
</tr>
<tr>
<td><a href="http://www.broadanalysis.com/2016/03/08/angler-ek-from-82-146-46-242-new-uri-pattern/">Angler EK from 82.146.46[.]242 – New URI Pattern</a></td>
<td style="text-align: center">Analysis of Angler EK traffic from a particular host, showing a brand new URI pattern.</td>
</tr>
</tbody>
</table>
<p>It makes sense that commodity malware has to innovate more often. Its methods are simpler, more visible, and ultimately easier for defenders and their technology to defeat. Signature generation and alerting for commodity malware is likely automated or semi-automated by many, raising the stakes for those peddling that malware. If they fail to innovate, they stop making money as signatures and patch management invalidate their methods. APT groups and those engaging in cyber-espionage, by contrast, rely on more complex and sophisticated methods and also carry the added burden of maintaining persistence inside an organization without being detected.</p>
<p><img src="https://swannysec.net/public/pyramid1.png" alt="Pyramid" /></p>
<p>At the end of the day, this is a problem most simply demonstrated by David Bianco’s <a href="http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html">Pyramid of Pain</a>. In essence, the Pyramid of Pain illustrates the concept that the majority of indicators (IPs, hashes, domains) are simple and low cost/effort to either defend against or replace as an attacker while the more challenging, complex indicators like tools and TTPs are both hard to effectively defend against and costly for an adversary to replace. Commodity malware authors and distributors simply need to change their executable or packaging or their URL-redirect/gate scheme and push the change out across their delivery network, without regard for the noise they make while doing so. These changes live primarily at the bottom of the pyramid; they’re not terribly costly for the adversary. In the case of APTs and other sophisticated intrusions, however, most of their methods exist higher up the pyramid. Accordingly, the cost of changing those methods, particularly while avoiding detection, is quite high. No wonder more sophisticated adversaries innovate only when they absolutely must.</p>
<p>Now, armed with an understanding that the speaker we criticized initially was probably more correct than we gave him credit for, where does the bias lie and how can we combat it? Personally, I have to remember to pinch myself now and then and be mindful of the fact that the world really isn’t as full of Lotus Blossoms, PLATINUMs, and APT6s as it seems. While those types of things are amazing brain fodder for me, my own day-to-day job is a prime example of the broader reality, which is far less exciting.</p>
<p><img src="https://swannysec.net/public/wizard1.jpg" alt="Wizard" /></p>
<p>Image courtesy <a href="https://www.flickr.com/photos/38446022@N00/">floodllama</a>, provided under a Creative Commons <a href="https://creativecommons.org/licenses/by-nc-nd/2.0/">license</a>.</p>
<p>That reality is that commodity malware is my organization’s single largest threat (which can be just as damaging, if not more so than some APTs). Further, the unfortunate truth is that those threats do iterate quickly. So, sometimes, it’s important to take off my whiz-bang intel wizard hat and look up from the ground; the perspective it brings is critical. I suggest we all take that step back and try to take in a little perspective now and then.</p>
<p>As always, I’d love your feedback; please reach out <a href="https://twitter.com/swannysec">@swannysec</a>.</p>
Uncovering a New Angler-Bedep Actor | 2016-04-12T00:00:00+00:00 | https://swannysec.net/2016/04/12/uncovering-a-new-angler-bedep-actor
<p>Some time ago, I did some <a href="https://swannysec.net/2015/10/31/linking-torrentlocker-to-pony.html">analysis</a> that linked a fairly run-of-the-mill Torrentlocker distribution network to actors and infrastructure delivering Pony. I promised some follow-up on that, and it’s still coming, but it’s proving to be a bit of a rabbit hole. I need some more time to dot my i’s and cross my t’s, but I hope to have something to share soon.</p>
<p>In the meantime, I wanted to take some time to write up another piece of research I recently completed on a group of well known Angler EK and Bedep actors. If you’ve followed along with Angler and Bedep over the last year or so, you’ll no doubt be familiar with yingw90@yahoo.com, potrafamin44as@gmail.com, and john.bruggink@yahoo.co.uk. These accounts are responsible for the registration of large numbers of domains associated with the distribution of Angler EKs and Bedep, as well as some other unpleasant creatures such as Kazy and Symmi. For more information, check out this great <a href="http://blog.talosintel.com/2016/02/bedep-actor.html">write-up</a> from <a href="https://twitter.com/infosec_nick">Nick Biasini</a> over at Talos. An Alienvault OTX pulse with all the goodies is available, likely from <a href="https://twitter.com/alexcpsec">Alex Pinto</a> at Niddel, <a href="https://otx.alienvault.com/pulse/56ba694867db8c168ff1d1e8/">here</a>.</p>
<p>Now that you’re familiar with the campaign in question, let’s take a deep-dive. For this analysis, I will be using <a href="https://www.paterva.com/web6/">Paterva’s</a> Maltego loaded with transforms from two fantastic sources, <a href="https://www.passivetotal.org/">PassiveTotal</a> and <a href="https://www.threatcrowd.org/">ThreatCrowd</a>. These are fantastic tools with free options that can get you started on some great analysis, so give them a try!</p>
<p>To begin, I entered the three well-known actors referenced above as e-mail entities in Maltego:</p>
<p><img src="https://swannysec.net/public/bedep1.jpg" alt="Starting Actors" /></p>
<p>Once entered, I used PassiveTotal to return all known domains registered by these addresses, as shown in the screenshot below (note that you could also import these manually from the Alienvault IOCs linked above). The results follow in the second image; that’s a lot of domains!</p>
<p><img src="https://swannysec.net/public/bedep2.jpg" alt="Whois" /></p>
<p><img src="https://swannysec.net/public/bedep3.jpg" alt="First Expansion" /></p>
<p>Enter ThreatCrowd. Let’s go ahead and enrich each of these domains with any available information ThreatCrowd has to offer (sorry for the API load, Chris!). Select all the domains as follows:</p>
<p><img src="https://swannysec.net/public/bedep4.jpg" alt="Domain Select" /></p>
<p>Once you have all the domains selected, use the following transform from ThreatCrowd. The results are below.</p>
<p><img src="https://swannysec.net/public/bedep5.jpg" alt="Domain Enrich" /></p>
<p><img src="https://swannysec.net/public/bedep6.jpg" alt="Clusters" /></p>
<p>As you can see above, I’ve re-arranged the graph into the Organic layout in order to make the clustering around each registrant e-mail (in red) apparent. Below, observe a zoomed view of the links indicating domains from each cluster sharing IP infrastructure. The links are hard to see, so I circled them in red:</p>
<p><img src="https://swannysec.net/public/bedep7.jpg" alt="First Links" /></p>
<p>At this point, we have clear overlap between these three actors as they’re utilizing some of the same hosting providers and individual hosts to serve malicious domains. In order to go one step further, I expanded the graph again, this time by enriching all IP addresses with ThreatCrowd. (A note of caution here: this can return a large number of domains if an IP you choose to expand is a large webhost, so take care to double-check whether returned entities are relevant.) Here’s what the graph looks like after one round of domain enrichment and one round of IP enrichment:</p>
<p><img src="https://swannysec.net/public/bedep8.jpg" alt="IPs Enriched" /></p>
<p>From here, I began working through new clusters of domains looking for new leads by checking whois records with PassiveTotal and looking for malware and other associated infrastructure with ThreatCrowd. After hunting around for a while, I discovered the following indicator, with new domains discovered from it circled in red:</p>
<p><img src="https://swannysec.net/public/bedep9.jpg" alt="New Cluster" /></p>
<p>This indicator uncovered something new. Below is a fresh graph, for clarity, containing the new domains discovered from that IP, followed by their enrichment via PassiveTotal’s whois details (scrubbed of all but registrant name, e-mail, and address):</p>
<p><img src="https://swannysec.net/public/bedep10.jpg" alt="New Domains" /></p>
<p><img src="https://swannysec.net/public/bedep11.jpg" alt="New Whois" /></p>
<p>Who is Sara Marsh, why is she registering obviously junky (and potentially DGA-generated) domains, and why is she sharing infrastructure with the likes of the actors we started with? At this point, I almost hit a dead end. Most of my normal, publicly available sources had no information of significance on Sara Marsh, her e-mails, or the domains she registered. <a href="https://www.threatcrowd.org/email.php?email=saramarsh29@yahoo.com">ThreatCrowd</a> showed her domains as adjacent to, but not directly hosting, malware. Alienvault OTX had no information on her or her domains, and neither did most of the other sources I usually check. However, good old-fashioned Google came to the rescue. A quick search of the new e-mail address revealed a pastebin <a href="http://pastebin.com/cLSHWfT5">paste</a> from an anonymous source that referenced saramarsh29@yahoo.com.</p>
<p><img src="https://swannysec.net/public/bedep12.jpg" alt="Pastebin" /></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Post-compromise Bedep traffic observed to destination domains bokoretanom()net, op23jhsoaspo()in, koewasoul()com, and dertasolope7com()com.
Observed referers (forged - machines never actually browsed to the referers): loervites()com, newblackfridayads()com, alkalinerooms()net, new-april-discount()net, violatantati()com, nicedicecools()net, books-origins-dooms()net, adsforbussiness-new()com
Observed traffic patterns:
/ads.php?sid=1923
/advertising.html
/ads.js
/media/ads.js
/r.php?key=a5ec17eed153654469be424b96891e79
Summary:
Bedep immediately opens a backdoor on the target machine; it also generates click-fraud traffic, and can be used to load further malware. Bedep was written by the authors of the Angler Exploit Kit, and as such, AnglerEK is the primary distribution method for this malware.
All observed domains are registered to Sara Marsh (saramarsh29@yahoo.com) and Gennadiy Borisov (yingw90@yahoo.com) through Domain Context. These are certainly fake names and email addresses, but appear to be used often. As such, they are reliable indicators, for the time being, that a domain is malicious.
</code></pre></div></div>
<p>While I don’t usually rely on anonymous sources, this simply served to confirm what was already fairly apparent from appearances. This was backed up by the presence of saramarsh29@yahoo.com on malekal.com’s <a href="http://malwaredb.malekal.com/url.php?netname=RIPE-ERX-146-0-0-0">malwaredb</a>, sharing an IP with a domain from none other than potrafamin44as@gmail.com.</p>
<p>At this stage, I added saramarsh29@yahoo.com back to our original graph, and used PassiveTotal to return all domains registered to that address. The result is below:</p>
<p><img src="https://swannysec.net/public/bedep13.jpg" alt="Fourth Actor" /></p>
<p>Here’s an additional representation using bubble view. This view adjusts the size of the entities based, in this case, on the number of links associated with them. Again, the actor e-mails are in red:</p>
<p><img src="https://swannysec.net/public/bedep15.jpg" alt="Bubbles" /></p>
<p>By now, it is readily apparent that we’ve uncovered an additional actor in this Angler EK/Bedep campaign. In order to further demonstrate some of the relationships between these actors, I selected four related domains from the graph above, moved them to a fresh graph, and enriched them with both ThreatCrowd and PassiveTotal (displaying only relevant results):</p>
<p><img src="https://swannysec.net/public/bedep14.jpg" alt="All in the Family" /></p>
<p>The above image displays in a nutshell the close relationship between these actors. Nick Biasini did some fine work in uncovering the first three actors; now a fourth is apparent as well. A list of domains registered to saramarsh29@yahoo.com is below; this can also be found in an Alienvault OTX <a href="https://otx.alienvault.com/pulse/570d0e86aef92133b75e1635/">pulse</a> which is embedded below. The same list and the Maltego graph are available on my <a href="https://github.com/swannysec/sara-marsh-angler-bedep">GitHub repo</a>.</p>
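<p>The same pivot the Maltego walkthrough above performs by hand, registrant e-mail to domains, domains to IPs, IPs back to other registrants, as an added example in code. This is not the post’s own tooling; all whois and resolution records are constructed stand-ins for PassiveTotal and ThreatCrowd output, and the two <code>.invalid</code> registrant addresses, the domains and the IPs are placeholders, not real indicators.</p>

```python
"""Infrastructure pivot: find registrants that share hosting with known actors.

Added example; this is not the post's Maltego workflow, only the same pivot
done in code. All records below are CONSTRUCTED stand-ins for PassiveTotal
whois and ThreatCrowd resolution data: the domains, IPs and the two
'.invalid' registrant addresses are placeholders, not real indicators.
"""
from collections import defaultdict

# Registrant addresses named in the post / Talos write-up as known actors.
KNOWN_ACTORS = {
    "yingw90@yahoo.com",
    "potrafamin44as@gmail.com",
    "john.bruggink@yahoo.co.uk",
}

# Constructed whois records: (registrant_email, domain)
WHOIS = [
    ("yingw90@yahoo.com", "actor1-a.example"),
    ("yingw90@yahoo.com", "actor1-b.example"),
    ("potrafamin44as@gmail.com", "actor2-a.example"),
    ("john.bruggink@yahoo.co.uk", "actor3-a.example"),
    ("unknown-registrant@example.invalid", "junk-x.example"),
    ("unknown-registrant@example.invalid", "junk-y.example"),
    ("legit-owner@example.invalid", "shop.example"),
    ("legit-owner@example.invalid", "blog.example"),
]

# Constructed passive-DNS resolutions: (domain, ip). 203.0.113.5 plays the
# role of a large shared web host with dozens of unrelated tenants.
RESOLUTIONS = [
    ("actor1-a.example", "198.51.100.10"),
    ("actor1-b.example", "198.51.100.11"),
    ("actor2-a.example", "198.51.100.10"),
    ("actor3-a.example", "198.51.100.12"),
    ("junk-x.example", "198.51.100.10"),
    ("junk-y.example", "198.51.100.12"),
    ("shop.example", "203.0.113.5"),
    ("blog.example", "203.0.113.5"),
    ("actor1-b.example", "203.0.113.5"),
] + [(f"tenant{i}.example", "203.0.113.5") for i in range(40)]


def build_indexes(whois, resolutions):
    """Map each domain to its registrant and each IP to the domains seen on it."""
    registrant_of = {domain: email for email, domain in whois}
    domains_on_ip = defaultdict(set)
    for domain, ip in resolutions:
        domains_on_ip[ip].add(domain)
    return registrant_of, domains_on_ip


def pivot_candidates(whois, resolutions, known, max_domains_per_ip=20):
    """Registrants outside `known` whose domains share an IP with a known actor.

    Returns {registrant: {"shared_ips": set, "known_peers": set}}. IPs hosting
    more than `max_domains_per_ip` domains are skipped: co-location on a big
    shared host is exactly the false lead the post warns about during IP
    enrichment, so it is not counted as evidence.
    """
    registrant_of, domains_on_ip = build_indexes(whois, resolutions)
    found = defaultdict(lambda: {"shared_ips": set(), "known_peers": set()})
    for ip, domains in domains_on_ip.items():
        if len(domains) > max_domains_per_ip:
            continue
        registrants = {registrant_of[d] for d in domains if d in registrant_of}
        known_here = registrants & known
        if not known_here:
            continue
        for registrant in registrants - known:
            found[registrant]["shared_ips"].add(ip)
            found[registrant]["known_peers"] |= known_here
    return dict(found)


def ranked(candidates):
    """Strongest leads first: most distinct known peers, then most shared IPs."""
    return sorted(
        candidates,
        key=lambda r: (len(candidates[r]["known_peers"]),
                       len(candidates[r]["shared_ips"])),
        reverse=True,
    )


if __name__ == "__main__":
    leads = pivot_candidates(WHOIS, RESOLUTIONS, KNOWN_ACTORS)
    for registrant in ranked(leads):
        info = leads[registrant]
        print(f"{registrant}: shares {sorted(info['shared_ips'])} "
              f"with {sorted(info['known_peers'])}")
```

<p>With the shared-host filter in place only the unknown registrant surfaces; raising <code>max_domains_per_ip</code> lets the legitimate tenant of the crowded IP appear as a weak, single-peer lead, which is the noise the filter exists to suppress.</p>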
<p>As always, I appreciate any feedback; give me a shout <a href="https://twitter.com/swannysec">@swannysec</a>.</p>
<p>Likely Angler EK/Bedep Domains Registered by saramarsh29@yahoo.com:</p>
Talking Point - On Attribution | 2016-03-11T00:00:00+00:00 | https://swannysec.net/2016/03/11/talking-point-on-attribution
<p>Over the next week or so, I’m going to cover, in short form, a couple of topics that have been rattling around my brain for a while now as I continue learning and growing more comfortable working with and thinking about threat intelligence. We are fortunate to have a wonderful community built up around the discipline and I’ve had the opportunity to interact with a lot of amazing people who provide immeasurable wisdom and perspective. Exposure to the community and my own work related to the field inevitably leads me to draw some conclusions and formulate some strong opinions, so here we go.</p>
<h4 id="on-attribution">On Attribution</h4>
<p>Whodunnit? <strong>Stop it!</strong> Stop right there. Before you ask that question, or allow it to be asked of you by management, you need to ask a different question first. Does it matter? While I believe attribution has its place in the analytical process associated with generating threat intelligence, I’m not of the belief it’s always relevant to an organization’s aims in producing that intelligence. While I’m certain that your execs would love to hear that “China did it,” does that matter to your organization? Can you actually do anything with that information?</p>
<p><img src="https://swannysec.net/public/electronicdragon.jpg" alt="Electronic Dragon" /></p>
<p>Image courtesy <a href="https://www.flickr.com/photos/tsevis/16022935873/in/photolist-qpTJB4-5oUJqu-6qjo7F-nuiaTX-KHr7-nrz1wK-eNpxAy-bCqu9-4mEqAn-7GNmfR-bW9E-dZUy89-iaCUik-9M2QU4-eNZABc-aUhiG6-dGF3bF-AdrwEt-Cx4Ksx-dMht8x-aUhiGF-e1kFhV-hhRhie-EyNV2-dMggEX-62iHt5-DQShZ-dCAXRk-dEetXz-hdYLzA-dBCVtz-gJjdE7-hhRL3v-9kTbKk-gJj6BY-dB5JAV-dNUFKD-dLrcwz-aUhiGD-aUhiGX-hhQtRr-aUhiGK-eagybK-gZMTn3-dEEHaL-hhRSDr-gJjbi2-dJ4pjJ-ehH35r-7Nfb9c">Charis Tsevis</a>, provided under a Creative Commons <a href="https://creativecommons.org/licenses/by-nc-nd/2.0/">license</a>.</p>
<p>Attribution, as with any other element of good threat intelligence, needs to be actionable for it to be relevant. See Richard Bejtlich’s post on attribution <a href="http://taosecurity.blogspot.ae/2014/12/five-reasons-attribution-matters.html">here</a> for more on the value of attribution used properly. If you can successfully make a strategic, operational, or tactical shift on the basis of knowing who your adversary is, then by all means, attribute! However, I would imagine very few organizations possess the operational and intelligence maturity to respond meaningfully to knowing which specific cybercriminal, activist, or nation-state actor is targeting them. My personal belief is that all the time, effort, and hot air spent over attribution in our industry is largely wasteful. I will say that there is one key exception to this, however; attribution as an element of analysis (as opposed to an end-goal) may give valuable context to an analyst if they can pivot on some element of that attribution and use it to discover additional items of interest related to the actor. Be careful though, because attribution can also introduce cognitive bias! Robert M. Lee, a man much smarter than I, covers this topic and how attribution applies to the various levels of intelligence <a href="http://www.robertmlee.org/the-problems-with-seeking-and-avoiding-true-attribution-to-cyber-attacks/">here</a>.</p>
<p>Attribution is flashy. Attribution makes it sound like you really know your stuff. Attribution might even give your shareholders someone else to blame. However, if you’re producing intelligence with a stated goal of determining attribution, ask yourself if and how that is relevant to your requirements. If you’re able to translate attribution to meaningful action designed to prevent or respond to a threat, bravo, please continue! If you can’t figure out how to make attribution work for you, either as a component of a finished intelligence product or as an analytical tool, re-assess your goals and requirements and re-direct your efforts to more meaningful analysis that will produce real return on investment for your organization. Threat intelligence is hard enough to master and demonstrate the value of without wasting time pointing fingers to no end, so please, think before you attribute.</p>
<p>Your feedback is important, please head on over to <a href="https://twitter.com/swannysec">@swannysec</a> and share your thoughts!</p>
Starting Small with Threat Intel - Pt. 2 | 2016-02-05T00:00:00+00:00 | https://swannysec.net/2016/02/05/starting-small-with-threat-intel-pt-2
<p>In part one of this series we looked at the basics of threat intelligence and how you can begin to absorb and apply it without any technological investment or barrier to entry. For the second installment, I had originally planned to write at length about some low-effort and low-investment methods of automating the ingestion, processing, and application of freely available threat intelligence sources. However, I’ve decided to take a bit of a detour because there are some pre-requisites for this type of intelligence automation and I believe they are worth looking at in detail.</p>
<p><strong>Knowledge</strong></p>
<p>While I’ve previously discussed the fact that you don’t need a fully mature information security program to begin working with threat intelligence, it is helpful to have at least a few things in place to make the most efficient use of threat intelligence data. To begin with, you’ll need one or more human beings capable of digesting threat intelligence data as I outlined in the <a href="https://swannysec.net/2016/01/14/starting-small-with-threat-intelligence-pt-1.html">first part</a> of this series. No automated system is going to make any amount of threat intelligence data magically useful without a human being making informed decisions about the information contained therein as it relates to the security and risk posture of the organization. Once you’re ready to understand intelligence data and make decisions based on it and other data available to you, let’s move on to the next prerequisite.</p>
<p><strong>Tools</strong></p>
<p>Threat intelligence indicator feeds, regardless of whether any processing or filtering has been applied, will generate more data than a human can ingest and process via traditional means such as spreadsheets or simple graphs. Therefore, tools capable of accepting, parsing, and manipulating large data feeds are essential. The quickest way to this capability for many organizations will be a flexible SIEM or SIEM-like tool such as <a href="http://www.splunk.com/">Splunk</a>, <a href="https://www.elastic.co/">ELK</a>, or <a href="https://www.graylog.org/">Graylog</a>. These tools will take just about any type of log-oriented data and allow you to parse it and store it as you see fit. Another option is a SIEM that’s designed specifically to accept these feeds. Splunk’s <a href="http://www.splunk.com/en_us/products/premium-solutions/splunk-enterprise-security.html">Enterprise Security</a> product will do so in addition to <a href="https://logrhythm.com/">LogRhythm</a>, <a href="http://www8.hp.com/us/en/software-solutions/siem-security-information-event-management/">ArcSight</a>, <a href="https://www.alienvault.com/products">Alienvault</a> and others. In the next part of this series I’ll also look at some non-traditional, non-SIEM options for handling large intelligence data feeds.</p>
<p><img src="https://swannysec.net/public/typejam.jpg" alt="Jammed Up" /></p>
<p>Photo Credit: <a href="https://www.flickr.com/photos/48424574@N07/">Julie Rybarczyk</a></p>
<p>Once you have a tool in place to help you process and understand large amounts of intelligence data in a meaningful way, you need to operationalize it in some manner. I split this capability into two levels of maturity, which I’ll delve into more in the next post, but can be roughly defined as visibility-only and enforcement. In order to implement visibility-only, you’ll need one or more security devices or systems capable of outputting useful log data that can be cross checked against intelligence data for evidence of malicious or suspicious activity. Possible sources of data ideal for this correlation include firewalls, endpoint logs, an IDS such as Snort, Suricata or Bro (see <a href="https://security-onion-solutions.github.io/security-onion/">Security Onion</a>), web proxies, or forensic artifact collectors like Google’s <a href="https://github.com/google/grr">GRR</a>, Mozilla’s <a href="http://mig.mozilla.org/">MIG</a>, or Facebook’s <a href="https://osquery.io/">osquery</a>. In a more mature program, some of those same systems, should they be capable, can be used to actively enforce decisions on intelligence-provided indicators when provided a correctly processed and formatted feed in which the analyst has high confidence. Palo Alto’s <a href="https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/policy/use-a-dynamic-block-list-in-policy.html">dynamic block lists</a>, Symantec Endpoint Protection’s <a href="https://support.symantec.com/en_US/article.TECH97618.html">hash blocking</a>, and even Microsoft’s own Group Policy <a href="https://technet.microsoft.com/en-us/library/hh994597.aspx#BKMK_Hash_Rules">hash rules</a> are all examples of possible enforcement avenues. Again, more detail coming in the next installment, but let’s move on to the final pre-requisite for now.</p>
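<p>The two maturity levels just described, cross-checking logs against a feed for visibility and handing only high-confidence indicators to a blocking control, as an added example that is not from the post. The feed, the proxy log lines and every indicator value are constructed (documentation names and reserved address ranges), and the newline-separated export format for the block list is an assumption rather than any vendor’s specification.</p>

```python
"""Visibility-only correlation of logs against an indicator feed, and the
narrower high-confidence subset that is safe to hand to an enforcement control.

Added example, not code from the post. The feed, the log lines and every
indicator value are CONSTRUCTED (documentation/reserved names and addresses).
"""
import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    kind: str         # "ip" or "domain"
    value: str
    confidence: int   # analyst-assigned confidence, 0-100
    source: str       # which feed it came from


# Constructed, already-normalized feed as an analyst might export it.
FEED_CSV = """kind,value,confidence,source
ip,198.51.100.23,95,feed-a
domain,bad-example.invalid,90,feed-a
ip,203.0.113.77,40,feed-b
domain,cdn.example,20,feed-b
"""

# Constructed proxy log: timestamp client destination_host destination_ip action
PROXY_LOG = """2016-02-01T10:00:01Z 10.0.0.5 www.example 192.0.2.1 allow
2016-02-01T10:00:02Z 10.0.0.9 bad-example.invalid 198.51.100.23 allow
2016-02-01T10:00:03Z 10.0.0.5 cdn.example 203.0.113.77 allow
2016-02-01T10:00:04Z 10.0.0.7 docs.example 192.0.2.8 allow
"""


def parse_feed(text):
    rows = csv.DictReader(io.StringIO(text))
    return [Indicator(r["kind"], r["value"], int(r["confidence"]), r["source"])
            for r in rows]


def index_feed(indicators):
    """Exact-match lookup keyed by (kind, value)."""
    return {(i.kind, i.value): i for i in indicators}


def parse_log(text):
    for line in text.splitlines():
        if line.strip():
            ts, src, host, dst, action = line.split()
            yield {"ts": ts, "src": src, "host": host, "dst": dst, "action": action}


def correlate(log_text, index):
    """Visibility-only: every event touching any indicator becomes an alert,
    regardless of confidence; a human decides what the low-confidence ones mean."""
    alerts = []
    for ev in parse_log(log_text):
        for key in (("domain", ev["host"]), ("ip", ev["dst"])):
            ind = index.get(key)
            if ind is not None:
                alerts.append({"ts": ev["ts"], "src": ev["src"], "matched": ind.value,
                               "confidence": ind.confidence, "source": ind.source})
    return alerts


def enforcement_list(indicators, kind, min_confidence=80):
    """Enforcement: only indicators of one kind at or above the confidence bar
    are exported, as a plain newline-separated list (format is an assumption)."""
    return sorted(i.value for i in indicators
                  if i.kind == kind and i.confidence >= min_confidence)


if __name__ == "__main__":
    feed = parse_feed(FEED_CSV)
    for a in correlate(PROXY_LOG, index_feed(feed)):
        print(f"ALERT {a['ts']} {a['src']} -> {a['matched']} "
              f"(confidence {a['confidence']}, {a['source']})")
    print("block-list (ip):\n" + "\n".join(enforcement_list(feed, "ip")))
```

<p>The low-confidence <code>cdn.example</code> entry still produces an alert for an analyst to weigh, but it never reaches the block list; pushing it to enforcement is how a feed ends up blocking legitimate traffic.</p>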
<p><strong>Self-Awareness</strong></p>
<p>Finally, before you even consider external sources of intel data, you need to be mining your own internal data sources for actionable intelligence. What can possibly be more relevant than data on what is <strong><em>actually</em></strong> happening on your network? (Author’s note: I wrote the preceding sentence before re-reading the links that follow in a table below. I feel dirty for unintentionally taking the words right out of Rick Holland’s mouth. Sorry Rick!) If you have any relatively sophisticated border controls (firewalls, IDS/IPS, proxy) or endpoint detection suites, they will likely be capable of producing basic reporting on threats seen in your environment. If you have a SIEM, you can glean even more from the data produced by those systems. Additionally, are you mining your incident/malware response process? There is valuable information about the “what, where, when, and how” of threats directed at your organization inside the logs and incident reports produced therein. The “why and the who” may be a little harder to glean, and are largely beyond the scope of this discussion, but all of that is possible with internal threat intelligence.</p>
<p>There is a ton of great work by people far smarter than myself that speaks to the value and methods of internal threat intelligence including things like hunting, which represents a maturity level far outside the scope of this series. If you’d like to know more, read here:</p>
<p><img src="https://swannysec.net/public/knowmore.jpg" alt="Know More!" /></p>
<table>
<thead>
<tr>
<th style="text-align: left">Resource</th>
<th style="text-align: left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left"><a href="http://blogs.forrester.com/rick_holland/15-11-03-maximizing_your_investment_in_cyberthreat_intelligence_providers">Maximizing Your Investment in Cyberthreat Intelligence Providers</a></td>
<td style="text-align: left">From <a href="https://twitter.com/rickhholland">Rick Holland</a>, formerly of Forrester, now VP at Digital Shadows. Covers intel more broadly (and well), but speaks to the value of internal threat intelligence. Rick’s writings on threat intel are a great starting point for anyone interested.</td>
</tr>
<tr>
<td style="text-align: left"><a href="https://speakerdeck.com/syntinel22/threat-intelligence-awakens">Threat Intelligence Awakens</a></td>
<td style="text-align: left">Rick’s recent presentation for SANS CTI Summit. Fun, extremely relevant, and highlights some important points on internal intel.</td>
</tr>
<tr>
<td style="text-align: left"><a href="http://raffy.ch/blog/2015/10/16/internal-threat-intelligence-what-hunters-do/">Internal Threat Intelligence - What Hunters Do</a></td>
<td style="text-align: left">From <a href="https://twitter.com/raffaelmarty">Raffael Marty</a> at pixlcloud. Discusses the use of internal data for hunting.</td>
</tr>
<tr>
<td style="text-align: left">APT Threat Analytics - <a href="https://nigesecurityguy.wordpress.com/2014/01/23/apt-threat-analytics-part-1/">Part 1</a> and <a href="https://nigesecurityguy.wordpress.com/2014/03/14/apt-threat-analytics-part-2/">Part 2</a></td>
<td style="text-align: left">From <a href="https://twitter.com/nigesecurityguy">Nigel Willson</a> at AT&T. Slightly older material, still extremely relevant with excellent information about internal (and external) intelligence gathering and use.</td>
</tr>
<tr>
<td style="text-align: left"><a href="http://blogs.gartner.com/anton-chuvakin/2014/03/20/on-internally-sourced-threat-intelligence/">On Internally-sourced Threat Intelligence</a></td>
<td style="text-align: left">From <a href="https://twitter.com/anton_chuvakin">Anton Chuvakin</a> at Gartner. Talks about a variety of internal intel collection activities, some of which are appropriate for this discussion and some of which are more advanced.</td>
</tr>
</tbody>
</table>
<p>Remember, however, that this doesn’t have to be rocket science; we’re starting small. Generate top ten lists of exploits, malware, brute-force attempts, etc. and start to observe trends in those reports. Is a particular exploit targeting a particular host? Are you seeing an uptick in a particular strain of malware? Is one IP the source of many alerts all of a sudden or consistently? Dig a little deeper by looking at account activity. Failed logins, privilege elevations, password changes, and logins from unusual geographic locations all offer value for internal context. Also make sure you’re looking at your vulnerabilities and you have a reasonable inventory of the assets you’re defending; it’s critical that you understand the attack surface available to bad actors. Think about how all of this internal data speaks to @DavidJBianco’s Pyramid of Pain; can you start to discern actors and TTPs based on what you’re observing and put those findings to use in your decision making? If nothing else, begin learning the natural rhythms of your network; you’ll notice when things stand out! In short, make sure you’re looking at what’s happening on the inside before you begin adding external information to the picture.</p>
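<p>A small version of the internal mining described above, as an added example that is not from the post: a daily top-ten of alert sources plus a baseline that separates a source that suddenly stands out from one that is a consistent fixture of the network’s rhythm. The alert records are constructed, with source addresses from documentation ranges and placeholder signature names.</p>

```python
"""Mining internal alert data: today's top sources, and which of them are a
sudden spike versus a consistent presence in the network's normal rhythm.

Added example, not from the post. Alert records are CONSTRUCTED; source
addresses are documentation ranges and signature names are placeholders.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

HISTORY = [f"2016-01-{d:02d}" for d in range(1, 8)]   # 7 days of baseline
TODAY = "2016-01-08"


def _constructed_alerts():
    """(date, source_ip, signature) records with deliberate patterns."""
    records = []
    for day in HISTORY + [TODAY]:
        records += [(day, "203.0.113.9", "sig-scan")] * 5      # steady noise
        records += [(day, "192.0.2.50", "sig-policy")] * 2     # quiet, steady
        records += [(day, "198.51.100.4", "sig-bruteforce")] * (30 if day == TODAY else 1)
    records += [(TODAY, "198.51.100.77", "sig-exploit")] * 8   # never seen before
    return records


ALERTS = _constructed_alerts()


def daily_counts(alerts):
    """{source_ip: {date: count}}"""
    counts = defaultdict(Counter)
    for day, src, _sig in alerts:
        counts[src][day] += 1
    return counts


def top_n(alerts, day, n=10):
    """The post's 'top ten' report for one day, busiest source first."""
    c = Counter(src for d, src, _ in alerts if d == day)
    return c.most_common(n)


def classify_sources(alerts, history_days, today, k=3.0, min_delta=5, persistent_min=4):
    """Label each source 'spike', 'persistent' or 'quiet'.

    spike: today's count exceeds the baseline mean by more than k standard
           deviations AND by at least min_delta (so a flat baseline of 1/day
           does not flag 2/day).
    persistent: the baseline mean itself is high, i.e. the source is a fixture
           worth a standing rule or ticket rather than a fresh investigation.
    """
    counts = daily_counts(alerts)
    labels = {}
    for src, per_day in counts.items():
        baseline = [per_day.get(d, 0) for d in history_days]
        mu, sigma = mean(baseline), pstdev(baseline)
        now = per_day.get(today, 0)
        if now > mu + max(k * sigma, min_delta):
            labels[src] = "spike"
        elif mu >= persistent_min:
            labels[src] = "persistent"
        else:
            labels[src] = "quiet"
    return labels


if __name__ == "__main__":
    print("top sources today:", top_n(ALERTS, TODAY, 3))
    for src, label in classify_sources(ALERTS, HISTORY, TODAY).items():
        print(f"{src}: {label}")
```
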
<p>As I noted in the first part of this series, however, once you have both internal and external data, put them together to form a holistic view of the threats to your environment; this broad view will enable better decision making and a more effective defense. Hopefully, you’re now equipped with a better understanding of the tools and techniques (TTPs anyone?) you need to have in place before you begin ingesting and operationalizing external threat intelligence data. In the next part, we’ll talk about the nuts and bolts of doing just that, as well as the caveats (external threat intel feeds are not magic; human analysts not included). Please reach out to me <a href="https://twitter.com/swannysec">@swannysec</a>, I’d love to hear your feedback. Thanks for reading!</p>
<p>Note: I will be taking a brief break in this series to run a few analysis pieces in the coming weeks.</p>
Starting Small with Threat Intel - Pt. 1 (2016-01-14) https://swannysec.net/2016/01/14/starting-small-with-threat-intelligence-pt-1
<p>In my last <a href="https://swannysec.net/2015/11/07/talking-point-threat-intel-is-not-an-all-or-nothing-proposition.html">post</a>, which appears to have been eons ago, I asserted, contrary to the popular narrative, that I believe it makes a lot of sense for small or still-maturing information security programs to build a threat intelligence capacity. While this may not be a popular opinion, I know that smaller operations can benefit from a right-sized threat intelligence program because I’m in the process of building one currently and there have been tangible results. I also mentioned in my last post that I would provide some details on getting started with threat intelligence.</p>
<p>To begin, one must understand the basics of threat intelligence. I provided the following definition, from Gartner, in my last post:</p>
<blockquote>
<p>“Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”</p>
</blockquote>
<p>This blog post will not attempt to teach you all the basics; instead, the focus is on how to start digesting and operationalizing intelligence. Other sources have provided background knowledge more comprehensively; in order to bolster your understanding, I recommend the following:</p>
<table>
<thead>
<tr>
<th style="text-align: left">Resource</th>
<th style="text-align: left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left"><a href="https://cryptome.org/2015/09/cti-guide.pdf">The Definitive Guide to Cyber Threat Intelligence</a></td>
<td style="text-align: left">From iSIGHT Partners. Nice overview, comprehensive and well formatted.</td>
</tr>
<tr>
<td style="text-align: left"><a href="https://www.mwrinfosecurity.com/system/assets/909/original/Threat_Intelligence_Whitepaper.pdf">Threat Intelligence: Collecting, Analysing, Evaluating</a></td>
<td style="text-align: left">From MWR InfoSecurity and CERT-UK/CPNI in the UK. A bit more of a high-level overview, still an excellent starting point.</td>
</tr>
<tr>
<td style="text-align: left"><a href="https://speakerdeck.com/davidjbianco/intelligent-intelligence-secrets-to-threat-intel-success">Intelligent Intelligence: Secrets to Threat Intel Success</a></td>
<td style="text-align: left">From <a href="https://twitter.com/DavidJBianco">David J. Bianco</a> at Sqrrl. Pay particular attention to his “Pyramid of Pain” and the work/knowledge flows he outlines.</td>
</tr>
</tbody>
</table>
<p>With the barebones basics established, how tall must one be to ride? In my estimation, you need a good head on your shoulders, a general understanding of the security space, threats, and countermeasures, and enough technical ability to understand and use the data you will be presented. You don’t need a complete infosec program or a whizbang black box racked in a datacenter somewhere. In fact, you don’t really need anything other than an internet-enabled device and your brain to begin digesting threat intelligence.</p>
<p>I recommend that anyone interested in threat intel start simply by seeking out and reading published threat reports from companies such as FireEye, Palo Alto, or Symantec. A large repository of these reports can be located on Github <a href="https://github.com/kbandla/APTnotes">here</a>. In particular, check out the following as excellent examples:</p>
<table>
<thead>
<tr>
<th style="text-align: left">Resource</th>
<th style="text-align: left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left"><a href="http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf">Mandiant’s APT1 Report</a></td>
<td style="text-align: left">Somewhat dated, but the standard that many threat reports follow to this day.</td>
</tr>
<tr>
<td style="text-align: left"><a href="https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dyre-emerging-threat.pdf">Symantec’s Report on the Dyre Banking Trojan</a></td>
<td style="text-align: left">Top to bottom look at a family of financial malware.</td>
</tr>
<tr>
<td style="text-align: left"><a href="http://researchcenter.paloaltonetworks.com/2016/01/angler-exploit-kit-continues-to-evade-detection-over-90000-websites-compromised/">Palo Alto Unit 42’s Recent Look at Angler’s Continuing Maturation</a></td>
<td style="text-align: left">Really nice in-depth look at a specific exploit kit, showing, among other things, how bad actors utilize counter-intelligence to harden their malware and prevent blue team research.</td>
</tr>
</tbody>
</table>
<p>I also recommend that one follow the twitter feeds and blogs of people who do this kind of work for a living and share what they can with the rest of us. Check out <a href="https://twitter.com/CYINT_dude">Christian P.</a> at his <a href="http://www.cyintanalysis.com/">blog</a> and <a href="https://twitter.com/sroberts">Scott Roberts</a> at <a href="https://sroberts.github.io">his</a>. Learn how they approach threat intel and take their lessons learned into account as you begin your journey. Finally, check out a few of the intel sharing repositories available without expenditure. I recommend Alienvault’s <a href="https://www.alienvault.com/open-threat-exchange">Open Threat Exchange</a> for the general public and CIRCL’s <a href="http://circl.lu/services/misp-malware-information-sharing-platform/">MISP</a> instance if your organization is eligible. These are both excellent sources of human-readable threat intelligence data, but they also offer ways to automate collection as you grow into your new threat intel capability.</p>
<p>The key to starting with simple human consumption of publicly available threat intelligence is that one becomes accustomed to how the data is collected, analyzed, and presented. As you digest the information in the reports, start thinking about your own organization. How would you identify this activity on your network? Have you seen any evidence of this in logs? Can you prevent this activity? Can you put proactive alerting in place? This is valuable as a mental exercise and can be translated to real action as your understanding and tools mature. You might even stumble across one of these threats in your organization in real-time. At the most basic level, even if you do nothing further, you are putting threat intelligence to good use by completing this mental exercise and better arming yourself as an analyst with things to watch for and build defenses against.</p>
<p>Ultimately, no matter how you consume and process threat intelligence data, the goal should always be to provide a tangible benefit to your organization by altering or augmenting decision making around both preventative and detective security measures. Learn from the lessons others have endured and prevent your organization from being the victim of something that is already well documented and understood.</p>
<p>In part two, we’ll take the next step by introducing tools such as Bro IDS, Splunk, and CIF, that will facilitate the automated collection and processing of some types of intelligence data. As always, I’m eager to hear your feedback; please reach out <a href="https://twitter.com/swannysec">@swannysec</a>.</p>
Talking Point - Threat Intel is Not an All or Nothing Proposition (2015-11-07) https://swannysec.net/2015/11/07/talking-point-threat-intel-is-not-an-all-or-nothing-proposition
<p>Last week I read a lot on twitter and elsewhere regarding threat intelligence and its place in an organization. A ton of very smart people have strong opinions on this matter, and those opinions cover a wide spectrum, but one trend I’m noticing is that many believe threat intel has no place in an information security program that isn’t fully mature. Many, including many vendors selling platforms or feeds, seem to think the only way to implement threat intel is to drop a fully operational intel capability into a complete, mature information security organization. Many are saying that “we” as an industry need to temper our expectations on threat intel and only apply it when we’re in a position to dedicate 100% effort and resources to it.</p>
<p>As my grandfather would say, “we is a horse turd.” In other words, I don’t subscribe to that way of thinking, and I’m not interested in being part of that “royal” we. I believe threat intelligence has a place in most organizations and can provide value to smaller, less mature information security programs.</p>
<p>Let’s begin with a definition of threat intelligence, provided by <a href="https://www.gartner.com/doc/2487216/definition-threat-intelligence">Gartner</a> in this particular case:</p>
<blockquote>
<p>“Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”</p>
</blockquote>
<p><img src="https://swannysec.net/public/spy.jpg" alt="" /></p>
<p>There are a couple of key things to note about the definition above (which, sadly, does not involve trenchcoats, hats, and hiding in bushes). First, intelligence is comprised of a number of different types of information to include context, indicators, mechanisms, and actionable advice. Second, note carefully the actionable part and that the remainder of the definition states that the intelligence derived can be used to inform how the subject responds to threats.</p>
<p>Given this information, I was taken aback to discover a tweet from an employee of one of the leading threat intelligence providers stating that considering scraping indicators from a public threat report to be good threat intelligence was “doing it wrong.” I challenge this assertion. Working for a small organization (one security professional), I may not be able to make strategic adjustments to better align my whole organization to defend against the actor or his more complex TTPs; what I can do, however, is put those indicators to use immediately to better inform my operations. If those indicators have matches in my environment, be they traffic logs, file hashes, or e-mails, you can bet I’m going to initiate an investigation or formal incident response. Going back to the definition, did I not use derived intelligence to inform how I responded to a threat? Would I have ID’ed the activity without those indicators? Sounds like textbook threat intelligence to me!</p>
<p>Don’t believe me? Take it from some people who live and breathe threat intelligence, <a href="https://twitter.com/dmitricyber">Dmitri Alperovitch</a> and Adam Meyers, Co-Founder and VP Intelligence respectively, at Crowdstrike. In an excellent podcast from Down the Security Rabbit Hole, they state unequivocally that organizations can start small with “finished intelligence” feeds that are actionable by analyzing them with a SIEM or feeding them to an enforcement device for blocking. Of course they mention that a more mature organization can derive more from threat intelligence, particularly at the strategic level, but they don’t devalue starting small either! Check it out <a href="http://podcast.wh1t3rabbit.net/dtr-episode-118-demystifying-threat-intelligence">here</a>. The discussion I’m referencing begins at about 15:30 and runs through 21:30.</p>
<p>Threat intelligence is <strong><em>not an all or nothing proposition.</em></strong> Small organizations can, and should, implement a threat intelligence capability scaled to their maturity level. No one advocates attempting to plop a fully matured infosec program in place on day one. Why should we take the same approach with threat intelligence? Let threat intelligence mature on a scale along with an information security program and make it an integral part of those information security operations.</p>
<p>If you’re still with me, and you want to start small, I’ll outline a few ways to do so in a follow up post in a few days. I’d love to hear some feedback; you can find me <a href="https://twitter.com/swannysec">@swannysec</a>.</p>
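The point made above about putting indicators scraped from a public report to use right away, and the mental exercise from “Starting Small with Threat Intel - Pt. 1” (would you see this activity in your logs?), as one added Python example that is not code from either post: it pulls defanged indicators out of a constructed report excerpt, normalizes them, and checks constructed DNS, proxy, AV and firewall log lines for whole-value matches. The report text, the log format and every value in them are constructed for this example.

```python
"""Match indicators scraped from a public threat report against local logs.

Added example, not code from the original posts. The report excerpt, the
log format and every value are constructed. Indicators are "defanged"
(hxxp, [.]) the way published reports usually print them.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed excerpt of a hypothetical threat report.
REPORT = """
C2 domains observed: update-check[.]example[.]net, cdn[.]example[.]org
Payload URL: hxxp://update-check[.]example[.]net/get.php
Dropper MD5: 0123456789abcdef0123456789abcdef
Staging server: 198.51.100.23
"""

# Constructed local log lines: "<source> <timestamp> <internal host> <event>".
LOGS = """\
dns 2016-01-14T09:00:01 10.1.1.5 query update-check.example.net
proxy 2016-01-14T09:00:02 10.1.1.5 GET http://update-check.example.net/get.php
dns 2016-01-14T09:05:10 10.1.1.9 query www.example.com
av 2016-01-14T09:06:00 10.1.1.5 file C:\\Users\\a\\invoice.exe md5=0123456789ABCDEF0123456789ABCDEF
fw 2016-01-14T09:07:00 10.1.1.7 connect 198.51.100.23:443
fw 2016-01-14T09:08:00 10.1.1.7 connect 203.0.113.9:443
"""

MD5_RE = re.compile(r"[0-9a-f]{32}", re.I)
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def refang(text):
    """Undo common defanging so report values compare with live log values."""
    text = text.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.I)


def extract_indicators(report):
    """Pull (kind, value) indicators out of report text one token at a time,
    so that a URL's path (get.php) is not mistaken for a domain."""
    iocs = set()
    for token in refang(report).split():
        token = token.strip(",;:()\"'<>")
        if "://" in token:
            host = urlparse(token).hostname
            if host:
                iocs.add(("domain", host.lower()))
            iocs.add(("url", token.lower()))
        elif MD5_RE.fullmatch(token):
            iocs.add(("md5", token.lower()))
        elif IPV4_RE.fullmatch(token):
            iocs.add(("ip", token))
        elif DOMAIN_RE.fullmatch(token):
            iocs.add(("domain", token.lower()))
    return iocs


def match_logs(logs, iocs):
    """Return (line, kind, value) for every indicator seen in a log line.
    Hashes compare case-insensitively; IPs and names must match whole, so
    198.51.100.23 does not hit on 198.51.100.230 and example.net does not
    hit on notexample.net."""
    hits = []
    for line in logs.splitlines():
        if not line.strip():
            continue
        lowered = line.lower()
        for kind, value in sorted(iocs):
            if kind == "md5":
                found = value in lowered
            elif kind == "ip":
                found = re.search(r"(?<![\d.])" + re.escape(value) + r"(?![\d.])", line) is not None
            else:  # domain or url
                found = re.search(r"(?<![\w.-])" + re.escape(value) + r"(?![\w-])", lowered) is not None
            if found:
                hits.append((line, kind, value))
    return hits


def affected_hosts(hits):
    """Internal hosts (third log field) with the indicators each one touched."""
    hosts = defaultdict(set)
    for line, _kind, value in hits:
        hosts[line.split()[2]].add(value)
    return dict(hosts)


if __name__ == "__main__":
    found = match_logs(LOGS, extract_indicators(REPORT))
    for host, values in affected_hosts(found).items():
        print(host, "->", ", ".join(sorted(values)))
```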
<p><em>Photo Credit: <a href="https://www.flickr.com/photos/ocularinvasion/">Emory Allen</a></em></p>
Linking TorrentLocker to Pony - Pt. 1 (2015-10-31) https://swannysec.net/2015/10/31/linking-torrentlocker-to-pony
<p><em>If you’re just here for the IOCs, you will find a link to them at the bottom of the post.</em></p>
<p><img src="https://swannysec.net/public/slenderness/suspiciousdns.jpg" alt="" /></p>
<p>It all started with a routine glance at some log data. I noticed a significant uptick in suspicious DNS queries for the subdomain above; thousands were dropped by our security gear over the course of six hours or so. Unfortunately, I have been unable to determine the vector for these because we don’t have full PCAP abilities under normal circumstances. Nevertheless, I was interested in what this subdomain might have been serving up. What I found initially was not terribly surprising. What I found when I continued investigating, however, was a huge surprise. This post will demonstrate how free and open-source intelligence and analysis tools can reveal complex relationships and uncover shared malware infrastructure.</p>
<p>I need to begin with a few caveats:</p>
<ul>
<li>I am not a professional analyst. I am a multi-discipline security engineer responsible for everything from firewall rules, to writing policy, to DFIR. Analysis is 5% or less of my job and is a hobby.</li>
<li>Malware reversing is not a strength of mine. As such, I will not spend a lot of time with the malware discussed in this post. If you’d like to break it down and make a guest post, please contact me! Otherwise, please feel free to write it up yourself, I’d love to know more.</li>
<li>All of the tools used to conduct this analysis are either open-source or free accounts for various services.</li>
<li>I have omitted some data in the analysis, such as phone numbers.</li>
<li>The free versions of Maltego and PassiveTotal have significant limitations which mean that the analysis is not fully “fleshed-out.” I will continue to work on this case going forward.</li>
</ul>
<p>With that said, let’s get started!</p>
<p>My first step was to enter the subdomain into <a href="https://github.com/defpoint/threat_note">threat_note</a>, a handy research and indicator tracking notebook from <a href="https://twitter.com/brian_warehime">@brian_warehime</a>. Threat_note will pull back whois data, passive DNS where possible, and a nice <a href="https://www.threatcrowd.org/">ThreatCrowd</a> visualization with a quick link to pivot into ThreatCrowd.</p>
<p><img src="https://swannysec.net/public/slenderness/firstindicator.jpg" alt="" /></p>
<p><img src="https://swannysec.net/public/slenderness/firstwhois.jpg" alt="" /></p>
<p><img src="https://swannysec.net/public/slenderness/firstviz.jpg" alt="" /></p>
<p>Not much to see here unfortunately. Just a subdomain behind a private registrar. Let’s go up a level and look at that root domain. I dropped it into threat_note as well:</p>
<p><img src="https://swannysec.net/public/slenderness/rootwhois.jpg" alt="" /></p>
<p>Still not much new here, but as with the original subdomain, there is some unusual data present. A Russian registrar located in Nobby Beach, Queensland, Australia? Certainly bizarre; my interest is now piqued. Let’s scroll down a little further and take a look at the ThreatCrowd visualization.</p>
<p><img src="https://swannysec.net/public/slenderness/rootviz.jpg" alt="" /></p>
<p>Now we’re cooking! There are malware hashes, a nice network of subdomains, and an IP all associated with poytowweryt.com. To understand what we’re looking at, note that ThreatCrowd pulls data from a variety of public intel and analysis sources such as <a href="https://www.virustotal.com">VirusTotal</a>, <a href="https://malwr.com/">malwr</a>, and <a href="https://www.hybrid-analysis.com/">Payload Security</a> and correlates it with its own history of DNS and whois data. Data ingested includes domains/subdomains, IPs, malware hashes, and whois information. Let’s hop into <a href="https://www.threatcrowd.org/domain.php?domain=poytowweryt.com">ThreatCrowd</a> via the handy pivot link provided.</p>
<p><img src="https://swannysec.net/public/slenderness/firstthreatcrowd.jpg" alt="" /></p>
<p><img src="https://swannysec.net/public/slenderness/firstsubdomains.jpg" alt="" /></p>
<p>A substantial network of subdomains is present, all linked back to a single IP. How about the malware?</p>
<p><img src="https://swannysec.net/public/slenderness/firstmalware.jpg" alt="" /></p>
<p><img src="https://swannysec.net/public/slenderness/firstmalwr.jpg" alt="" /></p>
<p><img src="https://swannysec.net/public/slenderness/HashOneBehaviors.jpg" alt="" /></p>
<p><img src="https://swannysec.net/public/slenderness/Slenderness.jpg" alt="" /></p>
<p>Definitely has some unwanted behavior associated. And what is Slenderness? Whatever it is, I stole it as a campaign name for threat_note. Let’s look at <a href="https://www.virustotal.com/en/file/e1c46cd1b9f9b7e4456ab327c299d41cba30e75cb2f819334e5e6fb65dd5743b/analysis/">VirusTotal</a>; what is this thing? Looks like a fairly standard Crypto-variant ransomware, though some vendors appear to be classifying it as a Zeus variant or the Androm Backdoor. A Google search of the IP hosting it, 51.254.140.74, brings us to abuse.ch’s <a href="https://sslbl.abuse.ch/intel/cc1c9fc84201246c7150de88f65a0d6f14cc2a78">SSL Blacklist</a>. Ah, it’s TorrentLocker; that will surely ruin someone’s day!</p>
<p><img src="https://swannysec.net/public/slenderness/firstvt1.jpg" alt="" />
<img src="https://swannysec.net/public/slenderness/firstvt2.jpg" alt="" /></p>
<p>So what do we have so far? Looks like a small distribution network for ransomware. That’s a pretty common thing these days, likely a dime a dozen if you’re really looking. Let’s hop over to <a href="https://www.paterva.com/web6/products/maltego.php">Maltego</a> and explore a little more using <a href="http://threatcrowd.blogspot.co.uk/p/threatcrowd-maltego-transform.html">ThreatCrowd</a> and <a href="http://blog.passivetotal.org/passivetotal-maltego-transforms/">PassiveTotal</a> transforms.</p>
<p>This is the first domain expanded via the ThreatCrowd transform. As noted above, I do not have access to the full version of Maltego, so all the subdomains are not present.</p>
<p><img src="https://swannysec.net/public/slenderness/Maltego1.jpg" alt="" /></p>
<p>The next step is to enrich the IP using the ThreatCrowd transforms. These transforms basically extend all the search and correlation power of ThreatCrowd right into Maltego.</p>
<p><img src="https://swannysec.net/public/slenderness/Maltego2.jpg" alt="" /></p>
<p>Here we can see the IP hosts the second piece of malware from the main domain as well as a bunch of the subdomains that represent it. At this point, I want to be sure I’ve got the full history of the IP, so I elect to transform via PassiveTotal and pull back their entire passive DNS history (sadly I cannot do this for all of the IPs during the investigation due to limitations of the free account).</p>
<p><img src="https://swannysec.net/public/slenderness/Maltego3.jpg" alt="" /></p>
<p>The result is a new domain not picked up by ThreatCrowd, highlighted below! The PassiveTotal <a href="https://www.passivetotal.org/passive/51.254.140.74">results</a> are available below as well.</p>
<p><img src="https://swannysec.net/public/slenderness/Maltego4.jpg" alt="" /></p>
<p><img src="https://swannysec.net/public/slenderness/PassiveTotal1.jpg" alt="" /></p>
<p>Now we’ve got a new lead. Enriching itroxitutr.net gives us a new IP and we can see it’s hidden behind the same suspicious registrar as before, based on the contact e-mail present.</p>
<p><img src="https://swannysec.net/public/slenderness/Maltego5.jpg" alt="" /></p>
<p>Expanding the discovered IP leads us to new malware and two new domains.</p>
<p><img src="https://swannysec.net/public/slenderness/Maltego6.jpg" alt="" /></p>
<p>At this stage, I went back to threat_note for some whois data (it can be produced in Maltego too). Recognize what’s circled? It’s that same shady domain registrar. Aside from the direct DNS associations, there’s a very obvious theme present in that all of the domains are registered behind an unusual private registrar.</p>
<p><img src="https://swannysec.net/public/slenderness/itroxwhois.jpg" alt="" /></p>
<p>The IP itself, however, gives our second clue in terms of geolocation (the first being the TLD of the registrar). It’s hosted in Ukraine. That won’t shock anyone in our line of work, but it certainly raises the probability of nefarious intent given the other indications present here. See below.</p>
<p><img src="https://swannysec.net/public/slenderness/itroxipwhois.jpg" alt="" /></p>
<p>What can we learn about the malware related to itroxtutr.net?</p>
<p><img src="https://swannysec.net/public/slenderness/itroxmalwr1.jpg" alt="" /></p>
<p><img src="https://swannysec.net/public/slenderness/itroxmalwr2.jpg" alt="" /></p>
<p><img src="https://swannysec.net/public/slenderness/itroxvt1.jpg" alt="" /></p>
<p><img src="https://swannysec.net/public/slenderness/itroxvt2.jpg" alt="" /></p>
<p>Looks like more crypto-variant ransomware, very similar to what was hosted by the original domain, quite likely TorrentLocker again. At this stage, we’ve discovered two separate IPs fronted by a good number of domains and subdomains all serving ransomware. Still nothing out of the ordinary present here, but this is a great exercise nonetheless.</p>
<p><img src="https://swannysec.net/public/slenderness/maltegopostitrox.jpg" alt="" /></p>
<p>Expanding and enriching the two new domains lunoxdyv.com and towovker.com brings the following results:</p>
<p><img src="https://swannysec.net/public/slenderness/Maltego7.jpg" alt="" /></p>
<p>What do we have here? More malware and our first actor, that’s exciting! We’ll leave Mr. Malkovich alone for a bit and check on the malware. More ransomware according to VirusTotal:</p>
<p><a href="https://www.virustotal.com/en/file/3d48318c27d12ee7d3a4699bfac3c3ac42acc18d511862c7ab94e04810c9c21e/analysis/">0e66f3725446fb6502e91830582452de</a></p>
<p><a href="https://www.virustotal.com/en/file/0e68f675c2c2e183ff872b4090ddf73fc45adc5191ae21b60e360a492a7ba4e0/analysis/">e242fdb77bb2d75bfc29c086ddd4985e</a></p>
<p>The third file is a zip with the goods inside:</p>
<p><a href="https://www.virustotal.com/en/file/5154a59c4626790a7a3fe7221f1bca34d829e3c2d9a1e786f80589e106bdcac4/analysis/">c8f5cd83c585dee882dc531a29b14e85</a></p>
<p><a href="https://www.virustotal.com/en/file/cc6c121899a682d838b93889a4fa4d6c7a7b1523e1cc834dfea287aff2ef08bd/analysis/1445406210/">78cc33f7f5be12aa7871dd854de1741b</a></p>
<p>Before expanding things any further, here’s a look at an overview of what we have discovered so far. It’s reaching a point at which it is difficult to take readable screenshots, especially if I use the hierarchical views. It would appear that these may be two slightly different malware networks sharing a common piece of infrastructure: 93.171.159.109. Unsurprisingly, that IP is on the SSL Blacklist for being a TorrentLocker C&amp;C host. There’s a nice write-up on TorrentLocker from <a href="https://twitter.com/marc_etienne_">@marc_etienne_</a> at ESET <a href="http://www.welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf">here</a>.</p>
<p><img src="https://swannysec.net/public/slenderness/Maltego10.jpg" alt="" /></p>
<p>We want to continue following the breadcrumbs, so let’s go back to Mr. Malkovich. What can we find out by pivoting off his address via ThreatCrowd?</p>
<p><img src="https://swannysec.net/public/slenderness/Maltego8.jpg" alt="" /></p>
<p>We’re not in Kansas anymore, Toto! That makes two new domains. Expanding those domains reveals yet more malware and a shared host, 191.1.156.96.</p>
<p><img src="https://swannysec.net/public/slenderness/Maltego9.jpg" alt="" /></p>
<p>What kind of malware is Mr. Malkovich serving up at motohex.net and hexdroid.net? More ransomware? Looks like it.</p>
<p><a href="https://www.virustotal.com/en/file/68971172e5d1cf5d82776280f67218ba0cf233731e583dfde342afa7ee25ccdd/analysis/">09e54636eb4de5e782cc19a9b7dcf267</a></p>
<p><a href="https://www.virustotal.com/en/file/18440e1faa8186e153e8fe175cdc1c971dceec20e38d92fc8fdbfe9bc7f310e5/analysis/">98ac006fdb0880711509a51ab4901eec</a></p>
<p><a href="https://www.virustotal.com/en/file/1b7e194848522c4bee4a870ef4f74c5b8cec030cb3f61ce60f55db8d67f14fb8/analysis/">ebacb76eb45d6800da6f4f074ae24e61</a></p>
<p><a href="https://malwr.com/analysis/YmQ3ZmIyYTE1MGYyNGMzNDkxZDJiYmJlMGJkODg0YmY/">e9923215f43335260ad445ebf9375035</a></p>
<p><a href="https://www.virustotal.com/en/file/b230f30fd26be4a879d8bdf4504ecf3e374c25ac2bd2880b1342a35284a80d8d/analysis/">2e902e458d88cea396a9cf73068db07d</a></p>
<p>Sure enough, it’s <a href="https://sslbl.abuse.ch/intel/3df43035b3d1c665d55a334e41c5bcd3a6a5fc67/">TorrentLocker</a> again! Taking a look in threat_note for the whois records of these domains brings something very interesting:</p>
<p><img src="https://swannysec.net/public/slenderness/motorhexwhois.jpg" alt="" /></p>
<p><img src="https://swannysec.net/public/slenderness/hexdroidwhois.jpg" alt="" /></p>
<p>A name to go with that e-mail! Sergey Yashin, perhaps a play on a retired ice hockey <a href="https://en.wikipedia.org/wiki/Sergei_Yashin">player</a>. Though a likely alias, let’s pull the whois in Maltego and draw a link between Sergey and his e-mail. I’ll revisit Sergey in another post.</p>
<p><img src="https://swannysec.net/public/slenderness/Yashin1.jpg" alt="" /></p>
<p>From here, I expanded the malware hashes and checked for other communication. False positives have been removed, such as communication to Windows Update. Looks like everything communicates with 194.1.156.96:</p>
<p><img src="https://swannysec.net/public/slenderness/motornet.jpg" alt="" /></p>
<p>Let’s do a whois via Maltego and expand 194.1.156.96. At this point, I have to apologize because the relationships start to become so tangled that it’s difficult to work in Maltego and display things in a way that’s organized:</p>
<p><img src="https://swannysec.net/public/slenderness/leavingransomware.jpg" alt="" /></p>
<p>So, now we have three more domains and a new actor, Alexey Morozov (I omitted the listed phone number). In addition, the IP is not owned by Sergey Yashin as I had expected. How strange! Alexey is a malware author, as seen <a href="https://www.virustotal.com/en/file/28a07f8c8deaf19268b21cd1af381e91c5028dbc547c49c1037957b1cd469f67/analysis/">here</a> on the file detail tab. It’s also possible he’s really an attempt at registering as another hockey <a href="https://en.wikipedia.org/wiki/Alexei_Morozov">player</a>. Sad to see retired hockey players need to supplement their income in this manner (obviously, again, these are likely aliases).</p>
<p>Once we expand wsevgocis.com and hosiroxair.net, we find a familiar sight, the same anomalous private registrar from our earliest findings:</p>
<p><img src="https://swannysec.net/public/slenderness/194expanded.jpg" alt="" /></p>
<p>At this point, we’re still in a network that appears to be dedicated to the distribution of ransomware, primarily, if not entirely TorrentLocker. That’s about to change. Let’s expand madfortgoes.ru. Just one link, to a piece of malware, and no useful whois information. Is this a dead end?</p>
<p><img src="https://swannysec.net/public/slenderness/madfortmalware.jpg" alt="" /></p>
<p>Investigating the malware brings about something substantially more <a href="https://www.virustotal.com/en/file/b1378cc0168beefd7b7891cbd58d5282e9d33fd6c159464d6f728d46797ba76a/analysis/">nefarious</a> than TorrentLocker.</p>
<p><img src="https://swannysec.net/public/slenderness/firstponylink.jpg" alt="" /></p>
<p>It looks like we finally have our first link to something more than ransomware. If we assume the <a href="https://www.virustotal.com/en/user/kingxyz/">commenter</a> is correct, we’ve clearly left the pure TorrentLocker network. On top of that, it’s dropped by <a href="https://www.virustotal.com/en/file/90857805c139b3acea91fe38a49db3a50281d2f9e6f1f3af63770736225f44be/analysis/">Pony/Fareit</a>. Let’s expand that potential bot:</p>
<p><img src="https://swannysec.net/public/slenderness/betabot.jpg" alt="" /></p>
<p>There’s a lot to process here. I begin by expanding the IPs first (I left the whois details out as they do not appear to be relevant):</p>
<p><img src="https://swannysec.net/public/slenderness/betaexpandips.jpg" alt="" /></p>
<p>The IPs don’t reveal any complex relationships, so I began digging through the domains. Rearmheadfire.com is the only domain with whois data and additional links outside this network, as seen below:</p>
<p><img src="https://swannysec.net/public/slenderness/betabotexpandeddomains.jpg" alt="" /></p>
<p>At last, this is where we hit our first undeniable links to the Pony botnet after the mention from the VT comment above. <a href="https://www.damballa.com/">Damballa</a> has a fantastic write-up available <a href="https://www.damballa.com/wp-content/uploads/2015/08/Damballa_PonyUp.pdf">here</a>. Contained within is the following:</p>
<p><img src="https://swannysec.net/public/slenderness/damballavaleryy.jpg" alt="" /></p>
<p><img src="https://swannysec.net/public/slenderness/damballaponyip.jpg" alt="" /></p>
<p>Well, hello! Looks like a clear link indeed from our rinky-dink TorrentLocker network to the Pony botnet!</p>
<p>Here’s what the final view looks like in two different formats:</p>
<p><img src="https://swannysec.net/public/slenderness/finaloverview.jpg" alt="" /></p>
<p><img src="https://swannysec.net/public/slenderness/finaloverview1.jpg" alt="" /></p>
<p>This is by no means the end of this network, but this post is long enough. I am continuing to investigate and my current view looks something like this:</p>
<p><img src="https://swannysec.net/public/slenderness/continuingwork.jpg" alt="" /></p>
<p>What conclusions can we draw from this analysis? First and perhaps foremost, open source and free tools can be tremendously powerful. Beyond my own hardware, I didn’t pay a dime for any of this data or the tools to analyze it. The result is pretty interesting; I managed to uncover, in the span of an evening, a link from an operating TorrentLocker distribution network to the Pony botnet. Second, this analysis reveals that malware infrastructure sharing and reuse is likely prevalent among Eastern European cybercriminal groups. As I continue to analyze this case, I’m curious to see if there will be links to additional malware distribution networks. I spoke with <a href="http://nullsecure.org">Brian Warehime</a> about this and he mentioned something really interesting: changing infrastructure and TTPs is expensive. The bad guys probably have their own version of the <a href="http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html">Pyramid of Pain</a> in which it is more costly and resource consumptive to change certain parts of their operation. Finally, and perhaps unsurprisingly, these cybercriminals are making heavy use of private registrars and false whois data to shield both themselves and their infrastructure.</p>
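The pivoting done by hand above in ThreatCrowd, PassiveTotal and Maltego (domain to IP to sample to registrant and back), as an added Python example that is not code from the post or from any of those tools: it builds a relationship graph from constructed passive-DNS, sandbox and whois-style records, finds the shortest pivot path between two indicators, and lists the IPs and registrants where otherwise separate clusters meet. Every record uses constructed RFC 5737 addresses, example names and placeholder hash labels, not the indicators from the investigation.

```python
"""Pivot through domain / IP / sample / registrant relationships to find where
separate malware clusters share infrastructure.
Added example, not code from the post or from ThreatCrowd, PassiveTotal or
Maltego. All records are constructed (RFC 5737 addresses, example names,
placeholder hash labels), not the indicators from the investigation.
"""
from collections import defaultdict, deque

# Relation name -> (type of left node, type of right node).
RELATION_TYPES = {
    "resolves_to": ("domain", "ip"),               # passive DNS
    "subdomain_of": ("domain", "domain"),
    "registrant_email": ("domain", "registrant"),  # whois
    "registrant_name": ("domain", "registrant"),
    "hosts": ("ip", "hash"),                       # sample served from IP
    "connects_to": ("hash", "ip"),                 # sandbox network activity
    "family": ("hash", "label"),                   # sandbox/AV classification
}

# Constructed records: clusters A and B share a privacy registrant e-mail and
# an IP one of A's samples talks to; C is tied to B only by a registrant name;
# the last domain is unrelated to everything else.
RECORDS = [
    ("sub1.cluster-a.example", "resolves_to", "192.0.2.10"),
    ("sub2.cluster-a.example", "resolves_to", "192.0.2.10"),
    ("sub1.cluster-a.example", "subdomain_of", "cluster-a.example"),
    ("cluster-a.example", "registrant_email", "reg@privacy.example"),
    ("192.0.2.10", "hosts", "hashA1"),
    ("hashA1", "connects_to", "198.51.100.5"),
    ("clusterb.example", "resolves_to", "198.51.100.5"),
    ("clusterb.example", "registrant_email", "reg@privacy.example"),
    ("clusterb.example", "registrant_name", "J. Doe"),
    ("198.51.100.5", "hosts", "hashB1"),
    ("other.example", "registrant_name", "J. Doe"),
    ("other.example", "resolves_to", "203.0.113.7"),
    ("203.0.113.7", "hosts", "hashC1"),
    ("hashC1", "family", "infostealer"),
    ("unrelated.example", "resolves_to", "203.0.113.200"),
]

def build_graph(records):
    """Undirected adjacency {node: {neighbour: relation}} and a node -> type map."""
    graph, types = defaultdict(dict), {}
    for a, rel, b in records:
        types[a], types[b] = RELATION_TYPES[rel]
        graph[a][b] = rel
        graph[b][a] = rel
    return graph, types

def shortest_path(graph, start, goal):
    """Breadth-first pivot from start to goal: [(node, relation that led to it)],
    the seed carrying relation None; None if goal is unreachable."""
    prev, queue = {start: None}, deque([start])
    while queue and goal not in prev:
        node = queue.popleft()
        for nxt, rel in graph[node].items():
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    if goal not in prev:
        return None
    path, node = [], goal
    while node is not None:
        step = prev[node]
        path.append((node, step[1] if step else None))
        node = step[0] if step else None
    return path[::-1]

def pivot_points(graph, types, min_links=2):
    """IPs and registrants tied to at least min_links distinct domains or
    samples: the nodes where otherwise separate clusters meet."""
    found = []
    for node, neighbours in graph.items():
        if types.get(node) not in ("ip", "registrant"):
            continue
        linked = [n for n in neighbours if types.get(n) in ("domain", "hash")]
        if len(linked) >= min_links:
            found.append((node, types[node], len(linked)))
    return sorted(found, key=lambda item: (-item[2], item[0]))

def components(graph):
    """Connected components: sets of indicators reachable from one another."""
    seen, result = set(), []
    for start in graph:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node not in seen:
                seen.add(node)
                comp.add(node)
                stack.extend(graph[node])
        result.append(comp)
    return result
```

Running `shortest_path(graph, "sub1.cluster-a.example", "hashC1")` on the constructed records walks from cluster A through the shared registrant e-mail into cluster B and on through the registrant name into cluster C, which is the same kind of chain the post follows by hand.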
<p>I welcome any comments or additional analysis! Find me over at <a href="https://twitter.com/swannysec">@swannysec</a>.</p>
<p>The IOCs generated by this investigation are hosted on <a href="https://github.com/swannysec/slenderness-torrentlocker-pony-network">GitHub</a>. For now, a Maltego Entity file is all that’s available. As soon as I can get my hands on a full version of Maltego I will add CSVs (CSV export is disabled in the free version). IOCs will be updated as I progress through additional analysis.</p>
<p>Credits:</p>
<ul>
<li>Brian Warehime for inspiration and <a href="https://github.com/defpoint/threat_note/">threat_note</a>.</li>
<li>Christian P. and his excellent <a href="http://www.cyintanalysis.com/">blog</a> for giving me the confidence to tackle analysis and providing some “blueprints.”</li>
<li>Chris Doman for <a href="https://www.threatcrowd.org/">ThreatCrowd</a>.</li>
<li><a href="https://www.passivetotal.org/">PassiveTotal</a>, <a href="https://malwr.com">malwr</a>, <a href="https://www.virustotal.com/">Virustotal</a>, and <a href="https://www.paterva.com/web6/products/maltego.php">Paterva Maltego</a>.</li>
</ul>
<h2 id="talking-point-on-education-pt-1">Talking Point - On Education - Pt. 1</h2>
<p>2015-10-27 | <a href="https://swannysec.net/2015/10/27/talking-point-on-education-pt-1">https://swannysec.net/2015/10/27/talking-point-on-education-pt-1</a></p>
<p><em>Note: This post is the first of a series of non-technical topics relevant to information security and other aspects of technology at large.</em></p>
<p><strong>Education’s Place in InfoSec - Or: Certs, Degrees, and Experience, oh my!</strong></p>
<p>Earlier this week on Twitter, Christian P. (<a href="https://twitter.com/CYINT_dude">@CYINT_dude</a>), Kyle Maxwell (<a href="https://twitter.com/kylemaxwell">@kylemaxwell</a>), and I had a brief conversation about education. Education is a somewhat divisive subject in our field and it was nice to hear from them on the issue. Like others, I have very strong feelings about education, shaped largely by my journey and the impact varying types of education have had on my personal development and career. This post and its second part will outline my take on the topic, which is wholly personal and meant as food for thought.</p>
<p>One of the questions I see asked most often in public communities is whether or not a four-year computer science or other IT-related degree is a hard requirement for working in the security field. Let me be completely honest: <em>in some cases, yes</em>. Many positions require that degree as a bare-minimum foot-in-the-door differentiator. Technical degrees such as Computer Science or Cybersecurity provide a great starting point for someone interested in Information Security. That said, I find a hard requirement for a technical degree foolhardy and obtuse.</p>
<p><img src="https://swannysec.net/public/college.jpg" alt="College" /></p>
<p>You’re probably expecting me to say I don’t think a degree is important at all; you’ll be disappointed. While it should not be required in most cases, a degree still has a lot of value. What I do believe, however, is that the degrees sought should not be limited to CS/IT fields. My Bachelor’s Degree is in Political Science with a focus on International Relations and a minor in History. So what’s this liberal arts yuppie doing in InfoSec? What might surprise you is just how valuable that degree has been for me. A degree in Political Science/International Relations will ensure that you can effectively communicate, both verbally and in writing. It will ensure you are well prepared to build, relay, and defend an argument. It will give you the foundations of good research and analytical procedure.</p>
<p>In short, such a degree will give you the ability to enrich and exhibit your technical skills for the better. As an added bonus, a background in International Relations is extremely helpful in understanding the geopolitical aspects of attribution, global cybercrime, and cyber espionage and warfare.</p>
<p>The benefits of non-technical degrees don’t stop with Political Science. Education majors are great teachers and communicators. Marketing, Finance, and Business majors understand the needs and realities of operating a business. Communications and Art majors understand the art of communicating their message to varying audiences visually or in other useful forms. Science majors develop excellent troubleshooting and analytical skills. I could go on for days, highlighting some huge benefits of just about any undergrad degree. So please, if you’re a student interested in InfoSec, or a recruiter or HR person, give serious consideration to non-technical degrees.</p>
<p>So, what about a Master’s Degree? Is it necessary? Probably not. Is it helpful? Absolutely. A Master’s allows you to hone the communication skills you developed in the course of a four-year degree. It often requires you to work in a more “professional” format, communicating less academically, and working in groups to accomplish tasks. Sound familiar? Just like the real world. (Detour: do yourself a favor and get your Master’s as soon as practical. The further out you are from college and the more you have going on at home, the harder it will be.) I recommend you seek a Master’s that’s markedly different from your previous education. If you completed a four-year liberal arts or business degree, go get a technical degree, or vice-versa. I got a Master’s in Information Assurance. This ensures you add context, broaden your horizons, and prove you can tackle multiple disciplines. Information security is a broad domain and it requires tackling multiple disciplines; do the same in your education and benefit!</p>
<p>All that said, are degrees the be-all-end-all? Absolutely not. Some of the sharpest security professionals I know don’t have any degrees. I respect them no less than those with degrees, and they’re just as important to their organizations as those with degrees. Certifications and practical experience also have a role to play, which will be discussed in greater detail in Pt. 2 of this series. In closing, consider a degree, or two! Be open to non-technical fields; enrich yourself and add context to your work. Feel free to give me your feedback <a href="https://twitter.com/swannysec">@swannysec</a>!</p>
<p><em>Photo Credit: <a href="https://www.gotcredit.com">Got Credit</a></em></p>
<h2 id="building-an-analysis-toolkit-pt-1">Building an Analysis Toolkit Pt. 1</h2>
<p>2015-10-10 | <a href="https://swannysec.net/2015/10/10/building-an-analysis-toolkit">https://swannysec.net/2015/10/10/building-an-analysis-toolkit</a></p>
<p><strong>“A wise man without a book is like a workman with no tools.” - Supposed Moroccan Proverb</strong></p>
<p>Where we’re going, both knowledge (books), and analytical aids (tools) will be required. Anyone working in security can attest to the fact that there’s simply too much going on at any given time to process and store solely in one’s own mind. This is particularly true when investigating something that may lead to hundreds, if not thousands of related domains, IP addresses, e-mails, or file hashes.</p>
<p>Fortunately, the days of simple notepads are long behind us. And while I still use both paper notepads and Microsoft OneNote for spur of the moment scribbling and free-form thought storage, there are now a whole host of analytical aids that serve not only to store investigative material, but to enrich that data via lookups and API integrations of varying sorts. Such tools vary in focus, platform, cost, and complexity, so just about anyone should be able to find tools that are a good fit for their purpose, budget, and personal workflow.</p>
<p>In part two of this post, I’ll be covering my own personal choices for investigative tools and sharing how I set them up. The remainder of this post, however, contains the goods: a curated list of investigative and analytical tools that I’ve collected over time. Some of these are things I use daily and some are simply things on my to-do list to check out, but I think all of these have merit and are worthy of your time and attention to explore.</p>
<p>The list leans toward the free/cheap side of things so there won’t be a slew of enterprise-grade products contained therein. It should also be noted that some of the tools listed likely fall into more than one category depending on the breadth of their feature sets; therefore, I have tried to give them the most logical home according to my own twisted mind. Finally, individual threat feeds, honeypots, and tools with more specific technical purposes such as deobfuscation or reversing are largely beyond the scope of this list. Enjoy.</p>
<h2 id="swannys-big-list-of-security-analysis-tools">Swanny’s Big List of Security Analysis Tools</h2>
<p><strong>Journaling/Incident Tracking/Note-taking</strong></p>
<table>
<thead>
<tr>
<th style="text-align: left">Name</th>
<th style="text-align: left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left"><a href="https://github.com/certsocietegenerale/FIR">FIR</a></td>
<td style="text-align: left">Fast Incident Response. Lightweight IR management platform. Will track and correlate manually entered IOCs.</td>
</tr>
<tr>
<td style="text-align: left"><a href="https://github.com/sandialabs/scot">SCOT</a></td>
<td style="text-align: left">Sandia Cyber Omni Tracker. IR management platform with robust IOC tracking/correlation and plugins for integration with other tools.</td>
</tr>
<tr>
<td style="text-align: left"><a href="https://github.com/bestpractical/rtir">RTIR</a></td>
<td style="text-align: left">Request Tracker for Incident Response. Just what it sounds like. RT with built in workflows for IR.</td>
</tr>
<tr>
<td style="text-align: left"><a href="https://github.com/defpoint/threat_note">threat_note</a></td>
<td style="text-align: left">Lightweight IoC tracking and enrichment, designed as a research tool.</td>
</tr>
<tr>
<td style="text-align: left"><a href="https://www.onenote.com/">Microsoft OneNote</a></td>
<td style="text-align: left">Great notetaking app. Store notebooks locally, or on cloud storage.</td>
</tr>
<tr>
<td style="text-align: left"><a href="https://evernote.com/">Evernote</a></td>
<td style="text-align: left">Robust cloud based notetaking app with great tagging system. Take note: No client-side encryption.</td>
</tr>
<tr>
<td style="text-align: left"><a href="http://www.giuspen.com/cherrytree/">Cherrytree</a></td>
<td style="text-align: left">Simple local note-taking app with an organizational system similar to Evernote.</td>
</tr>
</tbody>
</table>
<p><strong>Threat Intelligence/IoC Aggregation and Processing</strong></p>
<table>
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a href="http://csirtgadgets.org/collective-intelligence-framework">CIF</a></td>
<td>Collective Intelligence Framework. Collects, aggregates, normalizes, and outputs IoCs in a variety of formats for operationalization. Can search via API/browser extensions as well. Self-hosted.</td>
</tr>
<tr>
<td><a href="https://github.com/certtools/intelmq">IntelMQ</a></td>
<td>Collects and processes large volumes of threat intelligence from traditional feeds, pastebin, twitter, and more. Self-hosted.</td>
</tr>
<tr>
<td><a href="https://intel.criticalstack.com/">CriticalStack</a></td>
<td>Collects and aggregates threat intelligence and outputs feeds formatted for the Bro Intel Framework. Get creative and reshape the output to your needs or wait for more output formats.</td>
</tr>
<tr>
<td><a href="https://www.alienvault.com/open-threat-exchange">AlienVault OTX</a></td>
<td>Open Threat Exchange. Free web-based threat intel collector/aggregator. Big focus on information sharing.</td>
</tr>
<tr>
<td><a href="http://www.threatconnect.com/">ThreatConnect</a></td>
<td>Full threat intel platform. Enterprise-grade with a nice free feature set ideal for tracking and sharing IoCs individually or in a small team.</td>
</tr>
<tr>
<td><a href="https://github.com/MISP/MISP">MISP</a></td>
<td>Malware Information Sharing Platform. Great IoC management platform. Allows a variety of inputs and outputs and has a robust sharing framework.</td>
</tr>
<tr>
<td><a href="https://crits.github.io/">CRITS</a></td>
<td>Collaborative Research Into Threats. Similar concept to MISP, with a bigger focus on analysis.</td>
</tr>
</tbody>
</table>
<p><strong>Web-based Research Tools</strong></p>
<table>
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a href="https://www.passivetotal.org/">PassiveTotal</a></td>
<td>Excellent source of context for malware or IoC analysis. Whois lookups, passive DNS, SSL cert history, and tie ins with VirusTotal, Domaintools, Alienvault and more. Good free feature set.</td>
</tr>
<tr>
<td><a href="https://www.threatcrowd.org/">ThreatCrowd</a></td>
<td>Great search engine for IoCs complete with visualizations and RSS feeds. Free.</td>
</tr>
<tr>
<td><a href="https://threatrecon.co/">threatRecon</a></td>
<td>Nice IoC lookup from Wapack Labs. Free after registration for 1000 searches a month.</td>
</tr>
<tr>
<td><a href="https://malwr.com/">malwr</a></td>
<td>Online cuckoo malware sandbox analysis. Free.</td>
</tr>
<tr>
<td><a href="https://www.virustotal.com/">VirusTotal</a></td>
<td>Does this need a description? Analysis of files and URLs against known malware signatures and reputation data.</td>
</tr>
<tr>
<td><a href="https://urlquery.net/">urlQuery</a></td>
<td>URL lookup, provides whois and reputational data as well as running the page load through Snort and Suricata with advanced subscriptions.</td>
</tr>
</tbody>
</table>
<p><strong>Reconnaissance/Context Enrichment</strong></p>
<table>
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a href="https://github.com/1aN0rmus/TekDefense-Automater">Automater</a></td>
<td>Given a domain or IP, gathers a boatload of useful intel from various web sources. Lightweight Python script.</td>
</tr>
<tr>
<td><a href="https://github.com/HurricaneLabs/machinae">Machinae</a></td>
<td>Similar to Automater with more sources of intel, cleaner config, and additional inputs/outputs.</td>
</tr>
<tr>
<td><a href="https://github.com/elceef/dnstwist">dnstwist</a></td>
<td>Feed it a domain and it generates lookalike permutations (typos, transpositions, homoglyphs, added or swapped TLDs) and reports which of them are actually registered and resolving. Useful when looking for fraud, phishing, or typosquatting.</td>
</tr>
<tr>
<td><a href="http://blog.elevenpaths.com/2013/12/foca-final-version-ultimate-foca.html">FOCA</a></td>
<td>Windows based recon tool for exploring/mapping domains and finding files, injection opportunities, or other security issues. Free.</td>
</tr>
</tbody>
</table>
<p><strong>Log Analysis/SIEM</strong></p>
<table>
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a href="https://www.splunk.com/">Splunk</a></td>
<td>Fantastic log analysis tool/SIEM with loads of integrations and flexibility. Allows for a ton of free-form analysis. Free up to 500 MB/day of indexing.</td>
</tr>
<tr>
<td><a href="https://www.elastic.co/products">ELK Stack</a></td>
<td>Elasticsearch, Logstash, Kibana. Open source log collector with great visualization via Kibana.</td>
</tr>
<tr>
<td><a href="https://www.graylog.org/">graylog</a></td>
<td>Slightly easier to setup and use than ELK, has a growing featureset in visualization and plugins.</td>
</tr>
</tbody>
</table>
<p><strong>Visualization/Relationship Research</strong></p>
<table>
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a href="https://www.paterva.com/web6/products/maltego.php">Maltego</a></td>
<td>Industry standard for this type of work. Expensive, but decent free feature-set for getting started.</td>
</tr>
<tr>
<td><a href="http://orange.biolab.si/">Orange</a></td>
<td>Open-source visualization and data analysis.</td>
</tr>
</tbody>
</table>
<p><strong>Bonus Items - Random Stuff I Like</strong></p>
<table>
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a href="https://github.com/vincentbernat/dashkiosk">Dashkiosk</a></td>
<td>Awesome rotating dashboard creator for static displays. Great for a NOC/SOC. Chromecast friendly!</td>
</tr>
<tr>
<td><a href="https://github.com/Neo23x0/Loki">Loki</a></td>
<td>Scans hosts for presence of a variety of IoCs.</td>
</tr>
<tr>
<td><a href="https://github.com/brianwarehime/gavel">Gavel</a></td>
<td>Nifty transforms for Maltego that allow an analyst to query traffic records, a lot of human intel possible here.</td>
</tr>
</tbody>
</table>
<h2 id="blog-setup">Blog Setup</h2>
<p>2015-09-25 | <a href="https://swannysec.net/2015/09/25/blog-setup">https://swannysec.net/2015/09/25/blog-setup</a></p>
<p><strong>On choosing a blogging platform and setting up a no-nonsense blog.</strong></p>
<p>When I decided to begin this endeavor, I almost decided not to blog the experience. I don’t enjoy narrative writing outside incident reports; it reminds me too much of my B.A. in Political Science. I’m also not a fan of most blogging platforms. Finding one that is a balance of ease of use, feature completeness, security (looking at you, Wordpress), and cost effectiveness can be a challenge.</p>
<p>I’m a big fan of clean and simple blogs. Brian Warehime’s <a href="http://nullsecure.org/">Nullsecure.org</a> is a prime example of what I like in a blog and served in large part as inspiration for this one. So initially I looked at the platform he chose, <a href="https://ghost.org/">Ghost</a>. Ghost is quite polished and preaches simplicity. It also seemed great from a feature standpoint, but as I dug in, it looked like many of the benefits were derived by subscribing as a Pro member, for $8/month. I’m a public sector employee working in education; needless to say, I don’t make a ton of money, so the idea of spending monthly just to host a blog didn’t sound appealing. I’d rather spend what I can on technical resources. Ghost does allow self-hosting for free, with fewer features, but I decided against that due to added complexity and a clunkier install process.</p>
<p>At that point, I went on the standard blog tour of many of the common names in the business such as Blogger and Wordpress, as well as some newer options like Medium. Ultimately, I stumbled into <a href="https://tinypress.co">Tinypress</a>. Tinypress offered dead-simple setup with a few clean themes, easy markdown drafting, and an Android app to boot. What I didn’t realize until I signed up was that it utilized <a href="https://pages.github.com/">GitHub Pages</a> for hosting and <a href="https://jekyllrb.com/">Jekyll</a> under the hood.</p>
<p>The setup process to get to a point where I could begin posting was no more than five minutes. Unfortunately, I quickly discovered the feature set for Jekyll running on GitHub Pages is somewhat limited, because GitHub Pages builds sites with only a small whitelist of Jekyll plugins. Basic things like social sharing buttons and tags are non-existent. So what did I do about it?</p>
<p>For social buttons, I initially looked at the buttons provided by the various social networks, but decided against these based on their need for JavaScript, the tracking inherently built in to them (every visitor fetches a script from the network’s servers, whether or not they click), and their generally clunky nature. In the end, I chose the HTML button set provided by the kind folks over at <a href="https://simplesharebuttons.com/html-share-buttons/">SimpleShareButtons</a>. These are plain links with no third-party script, so they were easy to set up, simple to add and format, and they do the job nicely without compromising anyone’s privacy. Check them out, they’re at the bottom of this post!</p>
<p>Getting tags up and running was a somewhat hairier proposition. There are loads of posts scattered across the internet regarding tag solutions and GitHub Pages. If you’re running a straight-up Jekyll instance, there are plugins for the purpose. As you might have guessed, GitHub doesn’t support these. After trying a number of solutions for GitHub-friendly tagging without any success, I found the plugin-free solution provided by Sungjin Han over at meinside.pe.kr <a href="http://blog.meinside.pe.kr/Adding-tag-cloud-and-archives-page-to-Jekyll/">here</a>. Again, straightforward and simple to set up with good results, mission accomplished!</p>
<p>My general impression of the Tinypress/GitHub Pages/Jekyll experience is that it’s a perfect option for either of two scenarios:</p>
<ol>
<li>You want a dead-simple no-frills blog free of any social integration or advanced features that can be easily edited and set up in minutes.</li>
<li>You want a clean, straightforward blog and you’re willing to get your hands dirty with HTML, markdown (which is actually kramdown for those curious), and maybe some javascript to add in additional features such as social integration and post categorization that would otherwise be common to most blog platforms.</li>
</ol>
<p>Overall I’m pleased with the results. I have a few minor issues to clean up, including a mixed content issue (assets still referenced over plain http from an https page, which browsers block or flag) that appears to have been part of the Tinypress template I chose, but otherwise I’m satisfied with what I got for an evening’s worth of effort.</p>
<h2 id="and-now-for-something-completely-different">And Now for Something Completely Different...</h2>
<p>2015-09-24 | <a href="https://swannysec.net/2015/09/24/and-now-for-something-completely-different">https://swannysec.net/2015/09/24/and-now-for-something-completely-different</a></p>
<p><strong>In the words of the immortal Graham Chapman of Monty Python, “Right, what’s all this then?”</strong></p>
<p>I have a confession: I’m burnt out.</p>
<p>I’ve been a security professional for the better part of seven years now. I’ve done everything from incident response, to network security (think firewalls/IDS), to risk assessments and security architecture. My industry demands that I be a jack-of-all-trades because we’re perpetually underfunded and undermanned. I’m the only person dedicated to security at an organization that protects almost 11,000 users. Being spread that thin for that long will wear anyone out.</p>
<p>That said, I love my field. Information security is my passion and I want to continue to learn and grow. In an effort to focus that desire and avoid letting burnout beat me, I’ve decided to lay some groundwork for continuing professional development and share the journey here, mostly from a technical perspective.</p>
<p>So, other than a security professional, who am I? First and foremost, I’m the father of two wonderful children who challenge and delight me on a daily basis. I’m also a bit of a history/politics nerd, which actually serves me well in the information security field. I’m a football fan and a lover of craft beer. Finally, when I manage to carve the time, I still enjoy a good PC game; it’s hard not to when you were raised on Doom, Quake, and Descent.</p>
<p>What’s on tap? Much like Sir Bedevere, “I have a plan!”</p>
<p><img src="//swannysec.net/public/holygrail.png" alt="Bedevere" /></p>
<p>Thankfully, my plan does not involve the misuse of Trojan rabbits. This blog will likely discuss professional development and my own journey from time to time, but the focus will be on the technical aspects of that work. I hope to share my experience as both a personal archive of the work and so that others may potentially benefit from the information. I have decided to focus my efforts on incident response, malware/intrusion analysis, and the curation and operationalization of threat intelligence. These are things I work on from time to time professionally, but despite the fact that I enjoy them immensely, they are not the focus of my job. I believe these areas are extremely valuable to any mature information security effort and I’d like to expand my horizons with regard to these specialties.</p>
<p>Thanks for reading, there’s more to come soon!</p>