Before we start, I just want to declare that the things I publish here are based on my experience only, and in no way should they be understood as advice to buy or not to buy specific products.
After covering the essentials of a CISO's work, I'll expand on how I did the research work from part 1 together with my incident response team from part 2.
Regarding the tools I mentioned earlier: they need to give you a FULL view, from the bottom up, of every request or connection to the internet, starting at the user's endpoint and following it through the firewall/proxy and the DNS requests, and then cross-correlate the findings into a positive detection.
C&C life cycle:
1) A hostile file is downloaded from "some" website, or uses an exposed browser hole, to get onto a computer.
BTW, the hostile file can be an innocent-looking, legitimate skype.exe that was downloaded NOT from the Skype website...
2) If step 1 succeeded and no AV engine stopped it, the hostile file tries to "sniff" its way around your organization, attempting to elevate privileges and gather as much information as it can before going into phase II.
3) After getting some idea of how your organization "works", the hostile file tries to get out and connect to its operator's site. This phase is usually known as domain fluxing and shows up as bursts of DNS lookups for random-looking names such as aabbccdd followed by some common domain extension, or any other random character sequence. Most of those lookups fail (NXDOMAIN), because the operator only registers a few of the generated names, and that failure pattern is exactly what you should be watching for.
At this step, if you have implemented the right products, the hostile activity should be blocked at your gateway by IDS/IPS, FW, proxy, URL filtering, DLP or any other PREVENTION product.
If it isn't, and you need to look at step 4, chances are you are in deep trouble...
4) Also known as phase II, in which the hostile file and its operator evolve into one unit that is fully aware of how your organization works and can exploit almost any aspect of your INTERNAL network.
This includes admin users, passwords, emails, internal IPs, DCs, DNS, AD and even firewall configuration data.
This allows the attacker, or shall we say "your commander", to do whatever he likes with your data. 1-0 to the bad guys...
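As an added example (not part of the original post, and not any vendor's algorithm), here is a small Python detector for the phase 3 burst described above. It runs over a constructed resolver log in an assumed layout of "<ISO time> <client IP> <query name> <response code>"; the random-looking-name heuristic (few vowels or high character entropy in the second-level label) and the thresholds are assumptions you would tune against your own traffic.

```python
"""Added example: flag hosts whose DNS traffic looks like domain fluxing,
i.e. a burst of random-looking names that mostly fail to resolve."""
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). Assumed layout:
# "<ISO timestamp> <client IP> <query name> <response code>"
SAMPLE_DNS_LOG = """\
2012-03-01T09:00:01 10.0.0.5 www.microsoft.com NOERROR
2012-03-01T09:00:02 10.0.0.5 update.skype.com NOERROR
2012-03-01T09:00:04 10.0.0.5 microsft.com NXDOMAIN
2012-03-01T09:00:03 10.0.0.17 xkq7ztrbnwp.com NXDOMAIN
2012-03-01T09:00:03 10.0.0.17 mq4lz9cvhtj.net NXDOMAIN
2012-03-01T09:00:04 10.0.0.17 fwbdzqklrt.info NXDOMAIN
2012-03-01T09:00:05 10.0.0.17 vpgxtn8kfd.com NXDOMAIN
2012-03-01T09:00:05 10.0.0.17 hqzkrnwtbf.org NOERROR
2012-03-01T09:00:06 10.0.0.17 mail.google.com NOERROR
2012-03-01T09:00:30 10.0.0.9 intranet.example.com NOERROR
"""

VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits of entropy per character; random strings score high."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname):
    """'xkq7ztrbnwp.com' -> 'xkq7ztrbnwp' (naive: ignores multi-part TLDs)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_random(qname):
    """Heuristic (assumption): a long second-level label with almost no
    vowels, or with high entropy, is a DGA-style name."""
    label = second_level_label(qname)
    if len(label) < 8:
        return False
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / max(len(letters), 1)
    return vowel_ratio < 0.2 or shannon_entropy(label) > 3.3


def parse_log(log_text):
    """Group events per client, sorted by time."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        events[client].append((datetime.fromisoformat(ts), qname, rcode))
    for evs in events.values():
        evs.sort()
    return events


def find_fluxing_hosts(log_text, window_seconds=60, min_failures=4):
    """Return {client: [names]} for clients that issued at least
    `min_failures` random-looking queries answered NXDOMAIN inside any
    `window_seconds` sliding window. Thresholds are assumptions to tune."""
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for client, evs in parse_log(log_text).items():
        suspects = [(ts, q) for ts, q, rc in evs if rc == "NXDOMAIN" and looks_random(q)]
        for i, (start, _) in enumerate(suspects):
            in_window = [q for ts, q in suspects[i:] if ts - start <= window]
            if len(in_window) >= min_failures:
                flagged[client] = in_window
                break
    return flagged


if __name__ == "__main__":
    for client, names in find_fluxing_hosts(SAMPLE_DNS_LOG).items():
        print(f"{client}: possible domain fluxing, {len(names)} failed lookups: {names}")
```

The single typo lookup from 10.0.0.5 (microsft.com) is not flagged: the label has too many vowels and too little entropy to look generated, and one failure never reaches the threshold. The point of combining the name heuristic with the NXDOMAIN burst is precisely to separate users mistyping names from a bot walking through its generated list.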
The first question you might ask is: if my AV vendor is not discovering the bad guys, what can I do?
Well, a good one... this brings me back to my friend's original request once again. And the answer is:
No AV vendor is "the one". It is enough to look at sites like VirusTotal or URLQuery to see that even 10 AV engines together can miss a sample; therefore you need special tools for this special job.
Or worse: if you trust your AV vendor as your sole solution for security, change your job...
It has to be a BEST OF BREED set of solutions that answers your dynamic organization's requests and whims.
They MUST be able to do the following in order to crossfire any hostile file in your environment.
Also make sure your IRT team is using them and their results on a daily basis; in fact, base your security protocols and procedures on their output.
1) Security Information and Event Management (SIEM): [such as ArcSight, Symantec, RSA]
Connect every available and relevant device to your SIEM and write basic rules.
Improve those rules as you go, and remember: those devices can archive almost everything that happened on your network fairly easily; it is the correlation between those events that makes your life easier.
2) A cross-stream analyzer: [such as Damballa Failsafe, FireEye, the Websense full suite, advanced proxy/URL filtering]
This device's sole purpose is to analyze the data from the endpoint to the DNS server/proxy/FW and correlate them into one valid event.
As I explained in the C&C life cycle, it is essential to expose the hostile before phase II, meaning that if you can catch one machine (or asset) trying to contact a hostile URL or doing domain fluxing, then phase II won't be an issue for you.
Hell, you can even make these connections terminate automatically, or have an event-based action sent to your remediation device.
3) Investigation tool: [such as Silicium ECAT, HBGary Responder, or even GMER or Comodo CCE]
It MUST HAVE a "cross-platform approach", meaning it runs across your whole enterprise as a natural endpoint agent, collecting ALL your computers' and servers' files into one place, analyzing them, and giving you suspected or convicted files.
The methods should be as follows:
a) Compare your files' hashes against several known-file databases such as Bit9, NIST (the NSRL), MSDN, or any other cloud-based comparison engine (HitmanPro, CCE). MD5 is the common denominator those databases share, but it is collision-prone, so record SHA-256 as well wherever the database offers it.
This brings up every file that is not in any known-good database. In the same pass, verify the code-signing certificate: a file whose signature chain does not lead to a valid root CA, or that carries no publisher at all, goes on the same list, so that only sealed, authentic files remain on your machines.
Any other result, such as an unknown file or a broken certificate chain, can imply that the file has been tampered with by another hostile that may take additional steps, such as injecting DLLs into other processes or services, loading a rootkit, or connecting to additional C&C sites.
b) Run the suspicious files from step a through several AV engines, or upload them to sites like VirusTotal and similar. You can also submit just the hash and read what others have found on it; do the hash lookup first, since uploading the file itself shares it with everyone who uses the service, which matters if the file turns out to be an internal document.
c) Analyze floating code and memory hashes in live mode, on the running system.
d) Create your OWN whitelist of files produced by your organization's software developers, and direct them to build as methodically (and reproducibly) as they can, so the whitelist stays current.
e) Check your current network connections from the process up.
Meaning: if you can see EXCEL.exe reaching out to the internet, it is NOT looking for updates from Microsoft...
Even a simple netstat -nab can give you the desired results (run it elevated, since -b needs administrator rights to show the owning executable).
f) Use a good URL filtering engine / anti-bot. This should actually be the first DOT in the line of crossfire, since you will most probably first get an alert from your URL filtering device saying that a machine tried to reach a hostile website. You can also consult many online URL-checking tools.
A good tool in this section has to be one that updates as quickly as it can, since automated cleanup of those websites happens almost within the hour, so before you block access to it from your domain, make sure the danger hasn't already passed...
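As an added example (not part of the original post), the following Python script applies check (e) to saved netstat output: it attributes each connection to the executable named on the bracket line that netstat -nab prints beneath it, then flags established sessions from processes that have no business talking to the internet. The sample output is constructed in that layout, and the internal address ranges and the process policy are assumptions to adapt; the script does not run netstat itself, so feed it the text captured from an elevated run.

```python
"""Added example: attribute connections to processes from `netstat -nab`
style output and flag processes that should not talk to the internet."""
import ipaddress
import re

# Constructed sample in the layout of Windows `netstat -nab` (assumption:
# each connection line is followed by the owning executable in brackets,
# sometimes preceded by a service name). Not output from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.5:49710         52.96.0.1:443          ESTABLISHED
 [OUTLOOK.EXE]
  TCP    10.0.0.5:49711         10.0.0.20:445          ESTABLISHED
 [System]
  TCP    10.0.0.5:49715         198.51.100.23:8080     ESTABLISHED
 [EXCEL.EXE]
  TCP    10.0.0.5:49720         203.0.113.9:443        ESTABLISHED
  WinHttpAutoProxySvc
 [svchost.exe]
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  UDP    0.0.0.0:5353           *:*
 [chrome.exe]
"""

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S*)")
EXE_RE = re.compile(r"^\s*\[(.+)\]\s*$")

# Assumption: your organization's internal ranges (RFC 1918 plus loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Assumption: processes with no business opening their own internet
# connections; the article's EXCEL.exe case, extended to other Office apps.
NO_DIRECT_INTERNET = {"EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE", "NOTEPAD.EXE"}


def parse_netstat(text):
    """Return one dict per connection, with the owning process filled in
    from the bracket line that follows it."""
    rows, pending = [], []
    for line in text.splitlines():
        conn = CONN_RE.match(line)
        if conn:
            pending.append({"proto": conn.group(1), "local": conn.group(2),
                            "remote": conn.group(3), "state": conn.group(4)})
            continue
        exe = EXE_RE.match(line)
        if exe:
            for row in pending:
                row["process"] = exe.group(1)
            rows.extend(pending)
            pending = []
    return rows


def split_host_port(addr):
    host, _, port = addr.rpartition(":")
    return host, port


def is_external(host):
    """True for an IP address outside INTERNAL_NETS; '*' and names are not."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def suspicious_connections(text, policy=NO_DIRECT_INTERNET):
    """Established TCP sessions to external hosts owned by a process in `policy`."""
    hits = []
    for row in parse_netstat(text):
        host, port = split_host_port(row["remote"])
        if (row["proto"] == "TCP" and row["state"] == "ESTABLISHED"
                and is_external(host) and row["process"].upper() in policy):
            hits.append((row["process"], host, port))
    return hits


if __name__ == "__main__":
    for proc, host, port in suspicious_connections(SAMPLE_NETSTAT):
        print(f"{proc} has an established session to {host}:{port}; investigate this machine")
```

In the sample, OUTLOOK.EXE and svchost.exe reaching external addresses are left alone because the policy is about processes, not destinations; only the EXCEL.EXE session is reported. The same parsed rows can be joined with the URL-filtering alert from step (f) and the hash results from step (a) to turn "a machine contacted a hostile site" into "this process, with this unknown binary, is the one doing it".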
From there you can start your query using all the tools and methods I have mentioned; the more conclusive results you get on the evil residing on a machine, the better.
This approach is NOT bulletproof, but it will definitely filter out 95+% of your hostile files; therefore keep up with the technology and bring the human resource into the game.