Diving into infrastructure security

Trackers

More Sources

In addition to structured information, you will also find simple verbal descriptions of analysis results in various places. Proofpoint, for example, publishes detailed reports on its blog [5]. The authors describe and reference the TTPs and IoCs they were able to identify during their investigations. To provide an overview, all IoCs are once again clearly presented at the end of the articles and enriched with additional data such as URLs and hash values of files and programs or libraries. Some contributions add Yara signatures, which are basically regular expressions you can use to search for patterns in text and binary data with different tools.

The more sources you find and consult, the more descriptions of attacks, malware, and procedures you will have. However, this knowledge alone does not give you any information about how your own systems may be affected. You can collect this information at various points in your infrastructure. Network-based IoCs can be located in centralized locations in most cases. You will want to block IP addresses directly in the packet filter and use your internal DNS server to redirect listed domains to local destinations and route the requests into a black hole. Of course, you will want to log the requesting computers and, if possible, isolate them automatically for further analysis in special network areas. The same applies to URLs, which you can easily transfer to your HTTP proxy to log and prevent access attempts.

To detect host-based IoCs on your organization's computers, you need technical support. One possibility is the well-known GRR Rapid Response open source tool [6]. With its client-server architecture, GRR enables centralized management and asynchronous processing of requests (known as hunts) on the clients. For a defined runtime, clients receive the requests as soon as they are connected to the corporate network.

The results are then published at the next opportunity. This approach also covers mobile devices and home office computers that only sporadically connect to the corporate network. Of course, this means you need to install the GRR clients on your systems; it is not suitable for use on the fly. To test the tool, you can simply store a file named notepad.* in the Windows system folder after installation (Figure 1).

Figure 1: In this example of creating a request for GRR clients, you are looking for notepad.* in the System32 folder.

After clicking Create Hunt , you need to enable the hunt and wait some time for the first clients to execute the target. While the hunt is active, increasing numbers of clients will receive it and run the search until you disable it again. Next, you evaluate the search. Figure 2 shows the results for one of the clients. This response also reveals the variety of search options with GRR for files in terms of timestamps or hash values. To practice, just compare the patch level of your Windows installations with different hash values.

Figure 2: The results of a GRR client in response to a request.

Handling Security Incidents

If you have the capabilities in your company to run incident analysis for attacks and malware infections yourself, you can use The Hive [7] in addition to GRR. In combination with Cortex, I looked at The Hive for incident analysis in a previous article [8], which gives you both an overview and a comprehensive automation tool for the required analysis work. Cortex also lets you automatically enable protections in your infrastructure in the form of responders.

Finally, threat intelligence can also be incorporated into a company's risk analysis. If your company is part of a sharing community, you will receive valuable information, such as attacker groups, attacks within your industry, and attacks against specific classes of software. If you use the software in question, or something similar, in your organization, you need to look into the increased risk and try to respond to it. The systematic use of publicly available information on vulnerabilities (Common Vulnerabilities and Exposures, CVEs) means you are always aware of attack vectors on your infrastructure.

Conclusions

Threat intelligence is a way to learn about an attacker's modus operandi, methods, and tools. Additionally, it gives you valuable advice on what to look for when searching for malware or backdoors on your systems. The data you find in structured threat information mostly consists of signatures used by virus scanners in the same or a similar way.

Meanwhile, polymorphic or other types of dynamic malware cannot be tracked down reliably with the rather static descriptions in STIX/CybOX or similar formats. You will find several providers of commercial threat intelligence feeds online; however, the content can differ significantly. Before subscribing, you should consider whether a feed is useful and up to date.

The Author

Dr. Matthias Wübbeling is an IT security enthusiast, scientist, author, consultant, and speaker. As a Lecturer at the University of Bonn in Germany and Researcher at Fraunhofer FKIE, he works on projects in network security, IT security awareness, and protection against account takeover and identity theft. He is the CEO of the university spin-off Identeco, which keeps a leaked identity database to protect employee and customer accounts against identity fraud. As a practitioner, he supports the German Informatics Society (GI), administrating computer systems and service back ends. He has published more than 100 articles on IT security and administration.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus