Proofpoint Emerging Threats Suricata 5.0 Webinar

1 © 2019 Proofpoint, Inc.
PROOFPOINT
EMERGINGTHREATS
ETPROSURICATA5.0

The ET team today on the call:
 Richard Gonzalez
 ET Manager
 Jason Williams
 ET Researcher
 @switchingtoguns
 Jack Mott
 ET Researcher
 @malwareforme
 Brad Woodberg
 ET Product Manager

Agenda
 We've never done this before...please go easy on our lack of webinar
skills.
 Where we've been.
 Where we are.
 Where we're going.
 Thanks and QA

WHERE WE'VE BEEN

Where we've been
 It's been ~4 ½ years since ET was acquired by Proofpoint
 We've seen the shifts in landscape from EKs to Ransomware to
Maldocs to Coinminers to Phish and all in between.
 We've been shifting focus in our detections with those changes in the
landscape to help analysts detect network comms best we can.
 ET rules and detection logic are part of many Proofpoint products even
when you might not see it in the traditional sense.
 Visibility gained from Proofpoint has been extremely valuable in writing
new detections, but we're still a small scrappy team.
 The research teams at Proofpoint are fantastic. We work closely with
them and they have helped to fuel our detections.

Where we've been
 We love the ET ruleset but there are things we know we can improve
The categories & classifications are dated
TROJAN and MALWARE don’t entirely mean what they are called
CURRENT_EVENTS turned into a dumping ground for all the "cool stuff".
 We want to better prune and update older rules within the ruleset.
 That documentation thing
 Yea we read the tweets about us
 These things take people, time, and effort.
 It is complicated and dangerous to make sweeping rule edits.
 It's not just a sed replace for various things.
 We always have perf and QA in mind with our changes

Where we've been
 We have a LOT of malicious traffic, but we don't have complete visibility
into non-malicious traffic.
 We rely on our users and our partners to give us more visibility into
wider networks and geos. Every network is special.
 We were happy when we were able to fork the ruleset to 4.0 (then 4.1
came out)
 Our internal tools have sometimes kept us from being able to act as
fast as we have wanted. (4.1)
 ET OPEN vs ET PRO – Still the same policies, still committed to
supporting the community

WHERE WEARE

What is ET focused on today?
 We tend to spend much of our time writing rules on the things that we
see hitting people today out in the world.
 ITW > !ITW
 We're always writing rules for malware
 This means that we follow today's landscape writing lots of:
 Social Engineering / Credential Theft – Phishing
 Malicious Documents
 Coinminers
 RATs, Keyloggers, VARIOUS CnC
 Things that are SSL encrypted (more on this later)

We're supporting Suricata 5.0 at launch (today)
 We are actively supporting 60k (PRO) rules across 4 rule engines.
 ~48k active and ~12k disabled
 Snort 2.9.x / Suricata 2 / Suricata 4 / Suricata 5
 Suricata 4 will continue to be supported for the foreseeable future.
 Suricata 2 will be EOL'd in 90 days. (no new rules)
 We look forward to supporting Snort3 when it goes GA.
 The Suricata 5 ruleset will feature new categories and classifications as well
as updates to existing categories and rules to make more sense.
 Some of these things haven't been changed in a decade or more and most
are a result of drift.

New Categories - msg:"ET $CATEGORY"
 This will be the first iteration of the ruleset that steps into the current
malware landscape in terms of metadata
*These changes are only affecting the new Suricata 5 ruleset
 MALWARE will be renamed to ADWARE_PUP
 TROJAN will be renamed to MALWARE
 New Categories:
- PHISHING (phishing.rules)
- COINMINER (coinminer.rules)
- JA3 (ja3.rules)
- EXPLOIT_KIT (exploit_kit.rules)
- HUNTING (hunting.rules)

New Classtypes - classtype:this-stuff-is-new;
 classtype:credential-theft; (phishing)
 classtype:social-engineering;
 classtype:command-and-control; (replacing lots of trojan-activity)
 classtype:coin-mining;
 classtype:external-ip-lookup;
 classtype:domain-c2;
 classtype:exploit-kit;
 classtype:pup-activity; (possibly unwanted program)
 classtype:targeted-activity;
https://github.com/OISF/suricata/blob/master/classification.config

New things/trends in the Suricata 5 ruleset
 New sticky buffers utilized immediately, and old rules will be converted
over time. There are some perf bonuses to be had here:
 content:".php"; http_uri; isdataat:!1,relative; (old)
 http.uri; content:".php"; endswith; (new hotness)
 Support for JA3 and JA3S hash rules:
 https://suricata.readthedocs.io/en/latest/rules/ja3-keywords.html
 Usage of transforms:
 https://suricata.readthedocs.io/en/suricata-5.0.0-beta1/rules/transforms.html
 More frequent usage of XBITS:
 https://suricata.readthedocs.io/en/suricata-5.0.0-beta1/rules/xbits.html
 Datasets...?

Suricata 5 rule examples (1)
#
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET
JA3 Observed Malicious Hash (Trickbot CnC)";
flow:established,to_server; ja3_hash;
content:"6734f37431670b3ab4292b8f60f29984";
classtype:command-and-control; sid:1; rev:1;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET
EXPLOIT_KIT Spelevo EK Landing";
flow:established,to_client; file_data;
compress_whitespace; content:"function
CheckVersionFlash("; classtype:exploit-kit; sid:2;
rev:1;)

Suricata 5 rule examples (2)
#
alert dns $HOME_NET any -> any any (msg:"ET MALWARE
Observed Glupteba CnC Domain in DNS Query"; dns_query;
content:"postnews.club"; bsize:13; nocase;
classtype:domain-c2; sid:3; rev:1;)
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET
MALWARE Observed Cobalt Strike User-Agent";
flow:established,to_server;
http.user_agent; content:"Mozilla/5.0 (compatible|3b
20|MSIE 9.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b
20|Trident/5.0|3b 20|BOIE9|3b|ENGB)"; bsize:82;
classtype:command-and-control; sid:4; rev:1;)

Rule Migrations
 If you've been watching the rulesets, we've had some big rule
migrations
 Things leaving CURRENT_EVENTS:
- Some things being disabled, like a SSL cert that hit for a week in 2017
- Some things being moved, like Maldoc signatures into the MALWARE category
- Some other things being moved, like EK signatures into the WEB_CLIENT
category (this includes Suri4)
 Things being rewritten:
- We had a lot of DNS rules that were written for *most* cases, but not all. Rewritten
for all engines and updated for dns_query where possible.
 Things generally being disabled that haven't hit in a long, long time or are no
longer around.

WHERE WE GOIN'

Where we're going – Our Vision for ET ruleset
 Enable analysts to make informed decisions about what actions to take
on their network. Suricata is NSM not just IDS.
 The old way of thinking "An alert means something bad" should
not always be applied to every alert.
 If you see something fire from the MALWARE (or TROJAN) category, it
should be malware. You probably need to do something about it.
 If you see something fire from the INFO category, it is just trying to save
you some time and help provide context to other events around it.
 Lots of rule migration will continue to occur... HUNTING.
 The community matters.

Where we're going
 We will continue to support both the PRO and OPEN rulesets along
with the ETPRO Telemetry edition.
 Writing more rules with the stipulation that they require SSL MITM to
trigger. See metadata tag 'SSLDecrypt' for 'Signature Deployment'
 More automation around the signature "performance impact"
metadata tag to help provide some more accurate data here based on
larger datasets.
 Actively seeking organizations who can share pcap data for usage in
our QA processes.

Where we're going
 We don't expect to be making large changes in category and
classification like this outside of major engine releases.
 Like we saw in Suricata 4.1, which had many new features, we don't
expect to be able to fork the ruleset for minor versions.
 Suricata 2 will be EOL'd in 90 days (no new rules)
 Working on more documentation™.
 We do expect to be adding more metadata to the rules such as:
 Mitre ATT&CK Framework
 Backfilling Legacy Rules with Metadata
 Source
 SSL_Decrypt

What do I do if I see a FP in an ET rule?
 https://feedback.emergingthreats.net
 If you're seeing it, other people are seeing it.
 We always want to know about it.
 We can see a lot of data, but chances are we can't see YOUR data--so
help us help you help everyone.
 If you want to discuss the rule the mailing list is a great option. If you
want it fixed the feedback portal is the fastest way to do so. We check
the twitters, but it's not part of our ticketing workflow.
 POLICY rule firing on stuff you don’t care about is not a FP.
 Local tunes vs global tune

I'm an ET user, what do I need to do?
 If you're on Suri 2, you need to look at migrating in the next 90 days to Suri 4
or 5 to continue getting rule updates. If you're lower than 2, update. Please.
 If you're on Suri 4 and you don't have the ability to update, update when you
can. This ruleset will continue to get new rules.
 I want to Upgrade
 Upgrade Suricata on your sensors
 Change your download links to point to the Suricata 5 download location
- OPEN: https://rules.emergingthreats.net/open/suricata-5.0/
- PRO: https://rules.emergingthreatspro.com/[LICENSE_CODE]/suricata-5.0/
 If you are only pulling in certain rulesets – You may want to re-eval which
ones you are grabbing. Eg. CURRENT_EVENTS won't have any EKs

How can I participate?
 The mailing list
 https://lists.emergingthreats.net/mailman/listinfo/
 Twitter
 @et_labs (research and cool stuff)
 @emergingthreats (probably more marketing type stuff)
 The Malware Exchange
 Join our team (senior researcher role open)
 ETPRO Telemetry edition
 Custom sharing agreements (NDA)
 Report issues via feedback portal
 https://feedback.emergingthreats.net

Thanks from the whole ET team to the
community
 PT Security – Contributing some great rules to ET Open
 Travis Green – OG ET, still contributing to the community
 Protectwise – Thank you for all the reports of ways various rules could
be improved
 Opnsense – Thank you for the partnership in helping bring the ETPRO
Telemetry to life
 MS-ISAC
 GM CIRT
 The Suricata and OISF Teams (Suricon 2019)

Q & A

Proofpoint Emerging Threats Suricata 5.0 Webinar

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Proofpoint Emerging Threats Suricata 5.0 Webinar

Ähnlich wie Proofpoint Emerging Threats Suricata 5.0 Webinar (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Proofpoint Emerging Threats Suricata 5.0 Webinar