Business case to convince management of a Security Incident Response Center

Today I am reading through the Mandiant document named "Planning for Failure". It contains real data on breaches and emphasizes the necessity of planning for failure in order to protect the organization. Any company or security consultancy can use that real data in a business case for getting a security budget. Hence I am including that document here.

This document can also help a CISO make the case to management, and it provides starting guidelines for building up an Incident Response Center.

http://fred.mandiant.com/planning_for_failure.pdf

PCI Compliance Dashboard guiding the PCI compliance journey

A well-composed guide for PCI compliance; it includes the "SANS Top 20 Critical Security Controls" and many others.

It gives simple and clear guidelines for ensuring security in any organization, irrespective of a PCI compliance mandate.

It can be downloaded from https://community.rapid7.com/docs/DOC-1512


ZeroAccess Rootkit Detection

Hi,

A quick overview of the ZeroAccess rootkit: the malware propagates via exploit packs (Blackhole) and keygens.
It escalates privileges by faking the UAC prompt of a Flash Player installer: it drops a malicious DLL file into the Flash Player installer directory, and that DLL is loaded instead of the legitimate DLL in the system root directory (an old flaw in Windows). As the user accepts the UAC prompt, thinking it is a genuine Flash Player installation, the ZeroAccess rootkit is installed as a bonus.

It lowers the security of the infected machine by disabling Windows security services. It also replaces driver files in the system root directory.

It then downloads a config file from an algorithmically generated domain whose TLD is .cn.

It communicates with the P2P botnet using the commands "getL", "getF" and "srv?".

Detection
In order to detect the config file request, I analyzed the URLs: they are .cn domains and the domain name is not readable, for example pnwjogba.cn or moayuetc.cn. Also, when I tested a sample set of ZeroAccess rootkit domains on Bluecoat, these domains fell into the categories 'Suspicious', 'Malicious Sources', 'Malicious Botnets' and 'none'.
As the domains are generated, there is a good probability that there is no rating for them.

Our takeaways:
1) As the P2P communication does not use ports 80 or 443, it will be blocked on any organization's network, so the damage is reduced.
2) I have added the pattern below to the Suspicious URL Pattern query.
(web_host like '%.cn' and url like '%.php?_=%' and ("filter" like 'Suspicious' or "filter" like '%Malicious%' or "filter" like 'none'))

3) I would recommend blocking suspicious domains such as .cn, .ru, .cc and .su whose proxy rating is "none".
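To show how takeaways 2 and 3 behave against proxy log records, here is an added example (not the post's own query or tooling) that applies the same three conditions as the Suspicious URL Pattern query above, plus the "block unrated .cn/.ru/.cc/.su domains" rule, to in-memory records. The log records are constructed sample data; only pnwjogba.cn and moayuetc.cn come from the post, and the URL paths and the `triage` helper are this example's own.

```python
"""Proxy-log triage for the ZeroAccess config-file request pattern.

Added example, not the original post's code. The record fields mirror the
three columns used in the post's query: web_host, url and filter (the
proxy's category rating). All records below are constructed sample data.
"""

# Constructed sample proxy log records (not real traffic).
SAMPLE_PROXY_LOG = [
    {"web_host": "pnwjogba.cn", "url": "http://pnwjogba.cn/config.php?_=1234", "filter": "none"},
    {"web_host": "moayuetc.cn", "url": "http://moayuetc.cn/config.php?_=77", "filter": "Malicious Botnets"},
    {"web_host": "www.example.cn", "url": "http://www.example.cn/index.html", "filter": "Business"},
    {"web_host": "example.ru", "url": "http://example.ru/news.php?id=3", "filter": "none"},
    {"web_host": "example.com", "url": "http://example.com/a.php?_=1", "filter": "none"},
]


def _host(rec):
    """Lower-case hostname without any :port suffix."""
    return rec["web_host"].lower().split(":")[0]


def matches_config_request(rec):
    """Python equivalent of the post's query:
    web_host like '%.cn' and url like '%.php?_=%' and
    (filter like 'Suspicious' or filter like '%Malicious%' or filter like 'none')."""
    rating = rec["filter"]
    return (
        _host(rec).endswith(".cn")
        and ".php?_=" in rec["url"]
        and (rating == "Suspicious" or "Malicious" in rating or rating == "none")
    )


# Takeaway 3: TLDs to block when the proxy has no rating for the domain.
UNRATED_BLOCK_TLDS = (".cn", ".ru", ".cc", ".su")


def should_block_unrated(rec):
    """True when the host is in one of the listed TLDs and the rating is 'none'."""
    return _host(rec).endswith(UNRATED_BLOCK_TLDS) and rec["filter"] == "none"


def triage(records):
    """Return (hosts matching the config-request pattern, hosts to block)."""
    hits = [r["web_host"] for r in records if matches_config_request(r)]
    blocks = [r["web_host"] for r in records if should_block_unrated(r)]
    return hits, blocks


if __name__ == "__main__":
    hits, blocks = triage(SAMPLE_PROXY_LOG)
    print("config-request hits:", hits)
    print("block (unrated TLD):", blocks)
```

Note that `filter like 'Suspicious'` has no wildcard, so it is an exact comparison; the `%Malicious%` clause is what catches both 'Malicious Sources' and 'Malicious Botnets'.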

Ref: https://www.kindsight.net/sites/default/files/Kindsight_Malware_Analysis-ZeroAcess-Botnet-final.pdf
The ZeroAccess rootkit


Leveraging third-party intelligence to protect your organization

While having a good traditional secure architecture is important, it is also very important to have third-party intelligence to strengthen the security of your organization.
Gone are the days when reactive security handling could protect your organization. Being proactive is highly needed and critical.

Below are a few ways to start threat intelligence for your organization.
Verify your organization's exposure to critical active threats as early as you become aware of them.

Requirements for third-party intel: figure out the threats below

1) SPAM campaigns distributing malware
2) Phishing campaigns
3) Active and critical threats
4) Zero-day threats

===============================================================
http://spamalysis.wordpress.com/ – It contains SPAM threat emails every day.
Fulfils requirements (1) and (2)
Frequency: 0-4 posts / day
Strategy:
Subscribe an email address to this blog
Create a case for each blog post and follow the SPAM Handling Process

http://blog.dynamoo.com/ – It contains SPAM threat emails every day.
Fulfils requirements (1) and (2)
Frequency: 1-4 posts / day
Strategy:
Subscribe an email address to this blog
Create a case for each blog post and follow the SPAM Handling Process

http://blog.fireeye.com/research/ – FireEye is actively researching Internet threats. The blog contains summaries of its threat research.
Fulfils requirements (3) and (4)
Frequency: 1-4 posts / month
Strategy:
Subscribe an email address to this blog
Review every blog post received in the feed.
If any IOC can be obtained from the blog post, create a case and work it. Otherwise, ignore it.

http://contagiodump.blogspot.com/ – Analysis of actively distributed malware samples
Fulfils requirements (1) and (3)
Frequency: 2-6 posts / month
Strategy:
Subscribe an email address to this blog
Create a case for each malware-sample analysis post, identify IOCs from the analysis, and identify infected machines

http://isc.sans.org/ – SANS blog of Incident Handlers (a MUST to be aware of)
Fulfils requirements (3) and (4)
Frequency: 0-2 posts / day
Strategy:
Configure one of your monitoring screens to show this blog, or at least have a threat intelligence team member look at it daily.

http://www.shadowserver.org – Threat research intelligence (botnets and malware)
Third-party intelligence reports of compromised devices on our network
Frequency:

Compromised Host Report – Daily
C&C Report – Weekly
More reports to review if required – http://www.shadowserver.org/wiki/pmwiki.php/Services/Reports
Strategy:

Get a subscription with it
More info: http://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork
To request a free subscription to The Shadowserver Foundation's ASN/netblock reporting service, send an email from your organization's email account to admin ** shadowserver.org
Please provide the following information:
• Full Name (and we need to have a real person, not just an organizational contact)
• Organization
• Networks of responsibility by ASN or CIDR (ASN is always better) – Do not list your ISP's AS or networks; list only your own that you directly control
• Email address(es) of the report recipients
• Phone number of contact
• Contact information for verification – Examples of this would be alternative contact information, other responsible groups in your organization, network validation links, etc.
C&C Report
o We can run it against GP to identify infected hosts weekly.
o Feed Informer (I believe this can be done)

Note: If we could contact a member of the shadowserver.org research group and get a feed of their communications, it would be highly helpful, as it fulfils requirement (4), i.e. zero-day threats.
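The per-source strategies above (a case for every post from the SPAM blogs and Contagio; a case only when an IOC can be pulled from a FireEye research post) can be driven straight from each blog's RSS feed. The following is an added example, not tooling from the post or from any of the listed sites: it parses an RSS feed with the standard library, applies the strategy for the source, and extracts simple IOCs (IPv4 addresses, MD5/SHA hashes and domains) from the post text with regular expressions. The feed XML, the indicators in it and the strategy names are constructed for this example.

```python
"""Feed-driven case creation for third-party intelligence sources.

Added example, not the post's code. Strategy per source follows the post;
the feed contents below are constructed sample data, not real posts.
"""
import re
import xml.etree.ElementTree as ET

# Strategy names are this example's own labels for the post's two workflows.
CASE_PER_POST = "case_per_post"   # SPAM blogs, Contagio: every post becomes a case
CASE_IF_IOC = "case_if_ioc"       # FireEye research: case only if IOCs were found

SOURCES = {
    "http://spamalysis.wordpress.com/": CASE_PER_POST,
    "http://blog.dynamoo.com/": CASE_PER_POST,
    "http://contagiodump.blogspot.com/": CASE_PER_POST,
    "http://blog.fireeye.com/research/": CASE_IF_IOC,
}

# Deliberately simple IOC patterns; \b keeps a 32-hex MD5 from matching inside a SHA-256.
IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "md5": re.compile(r"\b[0-9a-fA-F]{32}\b"),
    "sha1": re.compile(r"\b[0-9a-fA-F]{40}\b"),
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:cn|ru|cc|su|com|net|org)\b", re.I),
}


def extract_iocs(text):
    """Return {kind: sorted unique values} for every IOC kind found in text."""
    found = {}
    for kind, pat in IOC_PATTERNS.items():
        vals = sorted({m.group(0).lower() for m in pat.finditer(text)})
        if vals:
            found[kind] = vals
    return found


def parse_rss(xml_text):
    """Minimal RSS 2.0 parsing: title, link and description of each <item>."""
    root = ET.fromstring(xml_text)
    return [
        {
            "title": item.findtext("title", default=""),
            "link": item.findtext("link", default=""),
            "body": item.findtext("description", default=""),
        }
        for item in root.iter("item")
    ]


def triage_feed(source, xml_text):
    """Apply the source's strategy to each post; return the cases to open."""
    strategy = SOURCES[source]
    cases = []
    for post in parse_rss(xml_text):
        iocs = extract_iocs(post["title"] + " " + post["body"])
        if strategy == CASE_IF_IOC and not iocs:
            continue  # nothing actionable in this post: ignore, as the post's strategy says
        cases.append({"source": source, "title": post["title"], "link": post["link"], "iocs": iocs})
    return cases


# Constructed sample feeds (TEST-NET address, MD5 of the empty string, example domain).
FIREEYE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>constructed sample</title>
<item><title>Sample dropper analysis</title><link>http://blog.fireeye.com/research/constructed-1</link>
<description>Constructed example: the sample (MD5 d41d8cd98f00b204e9800998ecf8427e) beacons to bad.example.net at 203.0.113.10.</description></item>
<item><title>Conference recap</title><link>http://blog.fireeye.com/research/constructed-2</link>
<description>Constructed example with no indicators.</description></item>
</channel></rss>"""

DYNAMOO_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>constructed sample</title>
<item><title>Constructed spam run: Your invoice</title><link>http://blog.dynamoo.com/constructed-1</link>
<description>Constructed example: phishing mail with a link to click.</description></item>
</channel></rss>"""


if __name__ == "__main__":
    for src, feed in ((("http://blog.fireeye.com/research/"), FIREEYE_FEED),
                      (("http://blog.dynamoo.com/"), DYNAMOO_FEED)):
        for case in triage_feed(src, feed):
            print(case["source"], "->", case["title"], case["iocs"])
```

With a real subscription, the feed text would come from the blog's RSS URL instead of the embedded strings; the rest of the flow (strategy lookup, IOC extraction, case list) stays the same.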

Be Aware and stay protected. 🙂


A way to get private information out of Europe

As a security incident responder, EU privacy law is always a barrier when dealing with a security incident involving a device or person in Europe. It sucks.
US Safe Harbor is a way to get that information legally: your organization, which is in the US, has to be certified (self or third party) as following the US Safe Harbor Framework, which ensures the principles below.
Notice – Individuals must be informed that their data is being collected and about how it will be used.
Choice – Individuals must have the ability to opt out of the collection and forward transfer of the data to third parties.
Onward Transfer – Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
Security – Reasonable efforts must be made to prevent loss of collected information.
Data Integrity – Data must be relevant and reliable for the purpose it was collected for.
Access – Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.
Enforcement – There must be effective means of enforcing these rules.

However, it is not easy. It involves a lot of cost in setting up a secure environment. This is where many companies fail to recertify every year. As per galexia.com, only 348 organisations passed this compliance to a good degree.

In today's world security is very important; you can take pride in it, and it boosts the confidence of your clients and protects your pocket.


Superb automated malware binary analysis service – figure out what malware does in minutes

These days malware is VM-aware to defend against automated analysis tools such as Anubis and Cuckoo. These automated analyses are based on the behaviour of the malware, which shows only the tip of what it actually does, as malware is now intelligent and does not reveal everything at one instant. I am not at all satisfied with the automated analysis reports I see these days.

Static analysis of unpacked malware provides a much better picture of its capabilities, and here is a nice tool for this need.

This is a superb service: I need not be a reverse engineer; with a little technical knowledge I can figure out hostile information and what the malware does, based on API calls, control flow and its capabilities in a graph view.
It tracks the malicious process via the system call interface to identify where the malware unpacks itself, then dumps it and disassembles it for analysis.
http://eureka.cyber-ta.org/

A great magic wand for any organization that can't afford a malware researcher.
Thanks to its development team 🙂

How do you deal with forensics on a physically damaged hard disk?

How do you show chain of custody for a physically damaged disk that gives a different md5sum every time you compute it?

mahesh@jacksparrow:~# script    (saves all the commands and output to the file typescript)

mahesh@jacksparrow:~# dd if=/dev/dev2 bs=512 | md5sum    (1st time)
mahesh@jacksparrow:~# dd if=/dev/dev2 bs=512 | md5sum    (2nd time)
mahesh@jacksparrow:~# dd if=/dev/dev2 bs=512 | md5sum    (3rd time)

Each run will report a different hash, proving that you haven't tampered with the disk and that it was a little damaged.
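A plain `dd | md5sum` stops at the first read error, so the hash covers only whatever was read before the disk failed, and the typescript does not say which sectors were unreadable. The added example below (my own code, not the post's commands) images the source block by block, substitutes a zero-filled block for every block that fails to read (the behaviour of `dd conv=noerror,sync`), and returns the digest together with the list of unreadable block numbers, so each run's hash can be explained in the chain-of-custody notes. `FlakyDisk` is a constructed stand-in for a damaged block device; the bad-block sets and the sample bytes are made up for the example.

```python
"""Block-wise imaging of a damaged disk with unreadable-block accounting.

Added example, not the post's commands. FlakyDisk is a constructed
in-memory stand-in for /dev/<disk>; image_and_hash works the same way on
a real device opened with open(path, "rb").
"""
import hashlib
import io

BLOCK_SIZE = 512


class FlakyDisk(io.BytesIO):
    """Constructed stand-in for a damaged block device: a read that starts
    inside a block listed in bad_blocks raises EIO, as a dying disk would."""

    def __init__(self, data, bad_blocks, block_size=BLOCK_SIZE):
        super().__init__(data)
        self.bad_blocks = set(bad_blocks)
        self.block_size = block_size

    def read(self, size=-1):
        if self.tell() // self.block_size in self.bad_blocks:
            raise OSError(5, "Input/output error")
        return super().read(size)


def image_and_hash(fh, block_size=BLOCK_SIZE, algo="md5"):
    """Hash the device block by block. Unreadable blocks are replaced by
    zeros (like dd conv=noerror,sync) and their numbers are returned."""
    h = hashlib.new(algo)
    bad_blocks = []
    block = 0
    while True:
        try:
            fh.seek(block * block_size)       # re-seek so one failure cannot shift later data
            chunk = fh.read(block_size)
        except OSError:
            chunk = b"\0" * block_size        # noerror,sync: pad the bad block with zeros
            bad_blocks.append(block)
        if not chunk:
            break                             # end of device
        if len(chunk) < block_size:
            chunk = chunk.ljust(block_size, b"\0")  # sync: pad a short final block
        h.update(chunk)
        block += 1
    return h.hexdigest(), bad_blocks


def image_passes(data, bad_blocks_per_pass, block_size=BLOCK_SIZE):
    """Image the same constructed disk once per pass; each pass may fail on a
    different set of blocks, which is what an intermittently failing disk does."""
    return [image_and_hash(FlakyDisk(data, bad, block_size), block_size)
            for bad in bad_blocks_per_pass]


def hashes_agree(results):
    """True when every pass produced the same digest."""
    return len({digest for digest, _ in results}) == 1


if __name__ == "__main__":
    sample = bytes(range(256)) * 8            # constructed 2048-byte "disk" = 4 blocks
    for digest, bad in image_passes(sample, [{1}, set(), {1, 3}]):
        print(digest, "unreadable blocks:", bad)
```

When the unreadable set is stable across runs the digests agree; when it changes between runs the digests differ, and the recorded block numbers show why, which is the explanation the chain-of-custody record needs alongside the typescript.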

So how do you identify a damaged disk? 😉
Some clues: is it making trance-like music while reading? Does it not feel right when you take it in your hand?