This document summarizes a presentation about investigating security incidents. It discusses: 1) Useful protocols to investigate like DNS, HTTP, SMTP and Netflow which can help detect data exfiltration and malware communications. 2) Public resources for intelligence like malware domain lists, blacklists, and Google's safe browsing to correlate with firewall and DNS logs. 3) Online tools and open source software like OSSEC, Logstash, and Malcom that can help aggregate, parse, and correlate security data from multiple sources to aid investigations.

1. What WillYou
Investigate Today?
RMLL 2013 - Xavier Mertens - Brussels

2. TrueSec
$ whoami
• Xavier Mertens (@xme)
• Consultant @ day
• Blogger @ night
• BruCON co-organizer
2

3. TrueSec
$ cat disclaimer.txt
“The opinions expressed in this presentation
are those of the speaker and do not necessarily
reflect those of past, present employers,
partners or customers.”
3

4. TrueSec
Agenda
• Introduction
• Interesting protocols
• Public resources
• Toolbox
4

5. TrueSec
Feeling This?
5

6. TrueSec
Me? Breached?
6
• In 66% of investigated incidents, detection
was a matter of months or even more
• 69% of data breaches are discovered by
third parties
(Source:Verizon DBIR 2012)

7. TrueSec
“Grepping” for Gold
7
• Tracking users
• Suspicious traffic
• Out-of-business
• Compliance
• Exfiltration
• “Below the radar”

8. TrueSec
Sources
8
• OS / Applications Events
• Network protection
(FW, ID(P)S, Proxies, etc)
• Users Credentials
• IP, Domains, URLs
• Digests (MD5, SHA1)
• Metadata

9. TrueSec
Multiple Sources
• Automatic (logfiles, events)
• Online repositories
• Internal resources
• Developers!
9

10. TrueSec
“Active” Lists
10
• Temporary or suspicious information to
track and dynamically updated
• Examples:
Contractors, Admins,Terminated Accounts,
Countries (GeoIP)
• If grep(/$USER/, @ADMINS) { ... }

11. TrueSec
Correlation
11
Your
Recipes
Evidences

12. TrueSec
Visibility!
12

13. TrueSec
Agenda
• Introduction
• Interesting protocols
• Public resources
• Toolbox
13

14. TrueSec
DNS
• No DNS, no Internet!
• Can help to detect data exfiltration,
communications with C&C (malwares)
• Alert on any traffic to untrusted DNS
• Allow only local DNS as resolvers
• Investigate for suspicious domains
14

15. TrueSec
HTTP
• HTTP is the new TCP
• Investigate for suspicious domains
• Inspect HTTPS
(Check with your legal dept!)
• Search for interesting hashes
15

16. TrueSec
SMTP
• Track outgoing emails
• Investigate for suspicious domains
16

17. TrueSec
Netflow
• Analyze network flows
• Src Port
• Src IP
• Dst Port
• Dst IP
• Timestamp
17

18. TrueSec
Agenda
• Introduction
• Interesting protocols
• Public resources
• Toolbox
18

19. TrueSec
IP Addresses
• http://www.malwaredomainlist.com/
hostslist/ip.txt
• Correlate your firewall logs
• GeoIP
19

20. TrueSec
Domains
• DNS-BH (malwaredomains.com)
http://mirror1.malwaredomains.com/files/domains.txt
http://mirror1.malwaredomains.com/files/spywaredomains.zones
http://www.malwaredomainlist.com/hostslist/hosts.txt
• Correlate your resolver logs
20

21. TrueSec
URLs
• http://malwareurls.joxeankoret.com/
normal.txt
• Google SafeBrowsing
use Net::Google::SafeBrowsing2;
use Net::Google::SafeBrowsing2:::Sqlite;
my gsb = Net::Google::SafeBrowsing2->new(
key => “xxx”,
storage => Net::Google::SafeBrowsing2::Sqlite->new(file =>
“google.db”)
);
$gsb->update();
my $match = $gsb->lookup(url => “http://evil.com”);
if ($match eq MALWARE) { ... }
21

22. TrueSec
$ cat disclaimer2.txt
22
“Data are provided for ‘free’ but the right to us
can be restricted to specific conditions (ex:
cannot be re-used for commercial applications).
Always read carefull the terms of use. Some
services require prior registration and use of
APIs”

23. TrueSec
OSINT
“Set of techniques to conduct regular
reviews and/or continuous monitoring over
multiple sources, including search engines,
social networks, blogs,
comments, underground
forums, blacklists/whitelists
and so on.“
23

24. TrueSec
OSINT
24
• Think “out of the box”!
• What identify you on the Internet?
• Domain names
• IP addresses
• Brand

25. TrueSec
Agenda
• Introduction
• Interesting protocols
• Public resources
• Toolbox
25

26. TrueSec
pastebin.com
• A gold mine for exfiltrated data!
• Tool: pastemon.pl
• https://github.com/xme/pastemon
26

27. TrueSec
Data Parsers
• d3.js Javascript library
• Example of implementation: malcom
(Malware Communications Analyzer)
• https://github.com/tomchop/malcom
27

28. TrueSec
Data Parser
28

29. TrueSec
The Conductor
• OSSEC
• Log Management
• Active-Response
• Powerful alerts engine
29

30. TrueSec
Online Tools
• http://urlquery.net
• http://www.scumware.org/index.scumware
• http://bgpranking.circl.lu/
• https://malwr.com/
• http://www.informatica64.com/foca.aspx
• http://virustotal.com
30

31. TrueSec
Conclusions
• Know your environment
• You have plenty of useful (big)data
• Free software can help you (but the project
is not free)
31

32. TrueSec
Questions?
@xme
xavier@rootshell.be
http://blog.rootshell.be
https://www.truesec.be
32