Detecting Indications of Compromise
and Decreasing Response Time
ISE 6100 – Security Project Practicum – CIO Report
Authors: Gordon Fraser, gordon.fraser@ctipc.com
Tobias Mccurry, tobiasmccurry@gmail.com
Wesley Earnest, wes.earnest@gmail.com
Advisor: Stephen Northcutt
Accepted: November 23, 2016
Abstract
GIAC Enterprises, a small to medium sized business specializing in Fortune Cookie sayings, is faced with the risk of its intellectual property being compromised. One of the most common vectors used by attackers to gain access to this intellectual property is phishing emails which lure users into executing malicious programs on their computers. To address this risk, GIAC’s CIO established a tiger team to investigate and examine ways to streamline the incident response process. Research shows that only 3% of users report possible phishing emails (Verizon, 2016). Because of this gap, the team focused on ways to automate detection. The team also looked for ways to decrease the amount of time it takes for an analyst to respond to a suspected incident. The proposed solution combines open source tools, Bro and Cuckoo, to analyze incoming email attachments and escalate only the attachments that are deemed suspicious to the SOC Analyst. The proposed solution also includes updates to GIAC’s incident response procedures to quickly identify compromised systems using indicators of compromise.
1. Introduction
GIAC Enterprises, a small to medium sized business specializing in Fortune Cookie sayings, is faced with the risk of its intellectual property being compromised. One of the most common vectors used by attackers to reach this data is phishing emails which lure users into executing malicious programs on their computers. To address this risk, GIAC’s CIO established a tiger team to examine the following use cases:
· Users receiving a phishing email with a malicious attachment.
· Users receiving a phishing email with a malicious URL.
· Drive-by attack resulting from a user visiting a malicious web site.
1.1. Current Environment
GIAC’s current detection and response processes require many inefficient manual steps which are unnecessarily burning incident response cycles. The current detection process relies heavily on the end user notifying the security team of suspicious emails. The Security Operation Center (SOC) analyst needs to extract the suspicious attachment, upload it to the sandbox, and wait for analysis to finish. However, research shows that only three percent of users report possible phishing emails (Verizon, 2016). Because of this gap in the detection process, the team focused on ways to streamline and automate previously documented incident response steps.
The team also looked for ways to decrease the amount of time it takes for an analyst to respond to a suspected incident. In the current process, the email administrators notify the SOC analysts of the individuals who may have read or opened the email. The SOC analyst would then take whatever action was necessary. Per the Verizon 2016 Data Breach Report (Verizon, 2016), 30% of people who receive a phishing email open it. Only 12% of the recipients opened the malicious attachment or clicked on the link. Quickly identifying the individuals who took the phishing bait would significantly reduce the scope of the investigation and the time to resolution.
GIAC Enterprises recently implemented a pilot SIEM utilizing AlienVault’s Open Source Security Information Management (OSSIM) product to improve situational awareness and visibility by correlating log files and security events. Based on our team’s research and conversations with AlienVault, neither OSSIM nor AlienVault’s commercial solution Unified Security Management (USM) is designed to proactively examine files for malicious behavior. It can only detect the malicious activity once the compromise has happened. To protect GIAC’s intellectual property, a more proactive and automated solution must be implemented to mitigate the risk posed by these use cases.
2. Proposed Solution
Based on the scenario of a phishing email leading to ransomware, the team focused its research efforts on points in the existing process that could be performed proactively or automated to improve the efficiency of the SOC Analyst’s time. The proposed solution combines open source tools, Bro and Cuckoo, to analyze incoming email attachments and escalate only the attachments that are deemed suspicious to the SOC Analyst. According to AlienVault, “You cannot stop ransomware [...] detecting [ransomware] within a timely fashion gives you the chance to respond effectively.” (AlienVault, 2016). The proposed solution also includes enhancements to GIAC’s incident response procedures to handle potential incidents. Figure 1 shows the workflow of the proof-of-concept built during this project.
Figure 1: Proposed Solution Workflow
1) Monitor network traffic (incoming SMTP traffic and outbound HTTP requests).
2) Parse SMTP and HTTP traffic with Bro and extract all files (based on a configured list of MIME types) and URLs of interest.
3) Extracted files are saved on the Bro server. A service monitors for new files in a directory. When a new file is detected, a script copies the file to the Cuckoo server for analysis.
4) The Cuckoo server has a directory that is watched for new files to analyze. When a new file is detected in the directory, Cuckoo analyzes the file and generates a text output.
5) A script parses the Cuckoo output. If no outbound network connectivity is detected, the file is considered benign and discarded. If outbound network connectivity is detected, the file requires further analysis. An Analyst Report text file is created and sent to the Bro server.
6) On the Bro server, a script runs for each Analyst Report file, parses the Bro logs for the details of the HTTP connection or the SMTP email (to/from/subject), and appends a set of PowerShell scripts to the Analyst Report file.
7) The PowerShell scripts can be used to search through the Exchange server mailboxes in order to:
   a. Find messages that contain the same sender, subject, or attachment.
   b. Archive and/or delete the messages containing the suspect file.
8) Notify the SOC analyst of the new Analyst Report for further review and initiate the incident response process if necessary.
9) Create a ticket in OSSIM to track the analysis of the suspicious file or URL, and any remediation effort.
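The verdict and correlation logic of steps 5 and 6, as an added Python example that is not part of the original project: it reads a constructed Cuckoo-style report, treats any flow leaving the assumed sandbox guest network 192.168.56.0/24 as outbound connectivity, and joins the file hash to constructed Bro files.log and smtp.log records to fill in the Analyst Report. The report layout, log columns, addresses and hash are constructed for illustration.

```python
import ipaddress
import json
# Constructed Cuckoo-style report excerpt (target + network sections only).
CUCKOO_REPORT = json.loads("""{
  "target": {"file": {"name": "invoice.docm", "sha256": "PLACEHOLDER_SHA256"}},
  "network": {
    "tcp": [{"src": "192.168.56.101", "dst": "192.168.56.1", "dport": 2042},
            {"src": "192.168.56.101", "dst": "203.0.113.7", "dport": 4444}]
  }
}""")
# Constructed Bro smtp.log / files.log excerpts (tab-separated, #fields header).
SMTP_LOG = """#fields\tts\tuid\tmailfrom\trcptto\tsubject\tfuids
1478000000.1\tCAbc1\tsender@example.net\tvictim@giac.example\tInvoice overdue\tFq1x2y
"""
FILES_LOG = """#fields\tts\tfuid\tfilename\tsha256
1478000000.2\tFq1x2y\tinvoice.docm\tPLACEHOLDER_SHA256
"""
# Assumed Cuckoo guest network; traffic that stays inside it is sandbox plumbing.
SANDBOX_NET = ipaddress.ip_network("192.168.56.0/24")

def outbound_peers(report):
    """Destinations the sample contacted outside the sandbox network (step 5 rule)."""
    peers = set()
    flows = report["network"].get("tcp", []) + report["network"].get("udp", [])
    for flow in flows:
        if ipaddress.ip_address(flow["dst"]) not in SANDBOX_NET:
            peers.add(f'{flow["dst"]}:{flow["dport"]}')
    return sorted(peers)

def parse_bro_log(text):
    """Parse a Bro TSV log into one dict per record using its #fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def analyst_report(report, smtp_log, files_log):
    """Return Analyst Report fields (step 6), or None when the file is benign."""
    peers = outbound_peers(report)
    if not peers:
        return None
    sha = report["target"]["file"]["sha256"]
    fuids = {r["fuid"] for r in parse_bro_log(files_log) if r["sha256"] == sha}
    msgs = [r for r in parse_bro_log(smtp_log) if set(r["fuids"].split(",")) & fuids]
    return {"file": report["target"]["file"]["name"], "outbound": peers,
            "messages": [{k: m[k] for k in ("mailfrom", "rcptto", "subject")}
                         for m in msgs]}
```

A real Cuckoo report.json carries the same network.tcp/udp keys with more fields, and real smtp.log rcptto/fuids columns are comma-separated sets, which the split() above already tolerates.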
2.1. Streamlining Incident Response Process
To efficiently streamline the incident response process, the team identified three sources of network data: DNS logs, netflow, and full packet capture. PassiveDNS logs DNS requests and responses. The nfdump suite of tools helps capture the netflow data, which is a summary of network traffic. Tcpdump is used to collect full packet captures.
3. Use Case Validation
The team constructed a lab environment to conduct simulated attacks. To test the first use case, a phishing email with a malicious attachment, an email was sent with a Word document that contained a Visual Basic script that executed a malicious payload that connected back to the attacker’s machine. The second and third use cases, a phishing email with a malicious URL and a drive-by attack, were tested by sending an email that contained a link to a web site that compromised the browser, connected back to the attacker, and downloaded and executed a malicious payload.
The Analyst Report was generated due to the outbound connection initiated by the Word document and, separately, by the drive-by attack. Bro appended details from the original vector to the Analyst Report to help with the eradication portion of the incident response process. The eradication phase was validated by using the PowerShell scripts generated from the details provided in the steps above. These scripts removed the malicious emails from any users’ inboxes.
Given the indicators of compromise from the Analyst Report, we quickly identified the systems that were compromised. This would support the incident response team during triage and allow them to focus their efforts on those systems which pose the most risk to the organization. During testing, full network traffic was captured for analysis.
4. Conclusion
This new workflow provides a much more comprehensive solution to dealing with both phishing emails and attachments and files downloaded via HTTP. Bro and Cuckoo working together showed promise in detecting potentially malicious files. Using the DNS logs, netflow data, and full packet captures proved valuable in streamlining the identification of compromised systems.
4.1. Future Enhancements
There are several aspects within this proof-of-concept that could be enhanced during future phases of this project. First, this proof-of-concept is currently only able to rule out benign files based on the absence of outbound network connectivity. If only 3% of suspect files are currently being reported by end users, it is likely that promoting this new process to production will substantially increase the SOC analyst’s workload. Further research is needed to improve the quality of detection capabilities in Cuckoo. One such approach may be YARA. YARA is a tool that could be integrated with Cuckoo to identify and classify malware (YARA, 2016).
Integration with Exchange is another area where the process could be further streamlined. Removing the manual process of identifying, via PowerShell, the users that received the email would be beneficial. Execution of the PowerShell scripts could be automated and the output included in the Analyst Report.
The integration with OSSIM could also be enhanced to provide the SOC analyst with additional visibility into the environment by creating custom plugins and correlation directives with the log data from Bro, Cuckoo, and Exchange. Creation of incident tickets could be automated to help raise awareness of a possible incident.
Like all intrusion detection systems, this new process is still limited to the traffic it can monitor. Encrypted files, secure email, and HTTPS websites would require SSL/TLS termination at the border for the network monitoring tools such as Bro and nfdump to work.
References
AlienVault. (2016). Detect Ransomware Before It’s Too Late with AlienVault USM. Retrieved October 13, 2016, from https://www.alienvault.com/forms/webcast-thank-you/detect-ransomware-before-its-too-late-with-alienvault-usm
Verizon. (2016). 2016 Data Breach Investigations Report. Retrieved October 5, 2016, from www.verizonenterprise.com/resources/reports/rp_DBIR_2016_Report_en_xg.pdf
YARA. (2016). YARA in a nutshell. Retrieved October 7, 2016, from http://virustotal.github.io/yara/