Veramine-Detecting Cyber Attacks

1. DETECTING CYBER ATTACKS
LAN NGUYEN
VERAMINE

2. XIN CHÂN THÀNH CẢM ƠN CÁC NHÀ TÀI
TRỢ
VERAMINE 2

3. OUTLINES
• General Security Problems
• Need to handle to secure IT computer networks
• Computer Systems, Hardware, Software, Data
• Detections
• Tactics, Techniques and Common Knowledge
3

4. GENERAL SECURITY PROBLEMS
1. Authenticity
• Multifactor. Should include Hardware-Support factor. E.g. Taiwan ID cards with weak
random.
• Mutual Authentication: e.g. may help prevent fishing
• FIDO: Strong Authentication Standard. U2F: Universal Second Factor (Yubico)
• Zero Trust
2. Authorization / Access Control
• Very widely applied to Principals and Resources
• Separate Networks. Classified Networks.
• Role-based Principals
• OS: Ring 0 – Ring 3
4

5. GENERAL SECURITY PROBLEMS
3. Confidentiality
• Reduce protecting TBs to thousands bits
• Following Encryption Standards. Crypto Agility
• Key Management is Vital. Hardware Security Module (HSM)
4. Integrity and Non-repudiation
• Signatures and Authenticated Encryption
• Code Signing: Signing process need to be carefully protected. E.g. Ccleaner AV. Flame.
• You can say Blockchain belongs to cybersecurity
• Side effect: Not deniable and accountability. E.g. Signing off releasing software
5. Availability
• DDOS
• Build efficient software: CPU, RAM, Network
• Data Replication and Backup 5

6. GENERAL SECURITY PROBLEMS
6. Monitoring and Auditing
• High Quality Data Collection: Wide Variety but Not too much
• About Processes, Users, Network, Protocols, Registries, Files, Services,
Permissions
• “CCTV” Cameras to Record and Replay
7. Detection
• Data Analysis to find intrusion alerts. Good data collection means good
detection
• Rule-based and Machine Learning
6

7. GENERAL SECURITY PROBLEMS
8. Investigation
• From alerts, find intrusion scope, timeline, approaches and signatures
• Track the intrusion spans: malicious user logons, C&C connections…
• Search, correlate and analyze on Memory, Files and other data
9. Response
• From Investigation results, find a good plan to quickly cleanup the IT
network
• Isolate, suspend and stop malicious endpoints, users, processes,
binaries, network traffic
10.Remediation and Prevention
• Measures, policies and rules to prevent similar attacks
7

8. SECURITY DESIGN PRINCIPLES
Principle Explanation
Open design Assume the attackers have the sources and
the specs.
Fail-safe defaults Fail closed; no single point of failure.
Least privilege No more privileges than what is needed.
Economy of mechanism Keep it simple.
Separation of privileges Don’t permit an operation based on a single
condition.
Total mediation Check everything, every time.
Least common mechanism Beware of shared resources.
Psychological acceptability Will they use it?
8

9. DETECTIONS
• All about https://attack.mitre.org/wiki/Technique_Matrix
• The Attack Dictionary
9

10. ESCALATION OF PRIVILEGE (EOP)
• Attacker exploit bugs to raise privilege level, such as from user
to system
• MITRE says “Detecting software exploitation may be difficult”
• But detection is possible with 100% accuracy, no FP or FN,
based on security permission data
10

11. CREDENTIAL DUMPING
• Harvesting passwords
• Tools: mimikatz, gsecdump
• With System level, open lsass.exe process to decrypt and read
passwords
• Detection is highly accurate
11

12. LSA PACKAGES
• Windows Security Support Provider (SSP) DLLs are loaded into the
Local Security Authority (LSA) process, then have access to passwords
• Modify some Registries to add new SSPs
• Detection by monitoring these Registries
• HKLMSYSTEMCurrentControlSetControlLsaAuthentication Packages
• HKLMSYSTEMCurrentControlSetControlLsaNotification Packages
• HKLMSYSTEMCurrentControlSetControlLsaSecurity Packages
• HKLMSYSTEMCurrentControlSetControlLsaOSConfigSecurity Packages
12

13. CHANGE DEFAULT FILE ASSOCIATION
• File association selections are stored and edited in the Windows
Registry
• Modify the file association to call an arbitrary program for a file
extension
• Detection when the default File Association registry key is
modified
[HKEY_CURRENT_USER]SoftwareMicrosoftWindowsCurrentV
ersionExplorerFileExts
13

14. FILE SYSTEM PERMISSIONS WEAKNESS
• Processes execute binaries with improperly set permissions then the
binary may be overwritten with another binary using lower level
permissions
• The replaced binary will also execute under higher level permissions,
which could include SYSTEM. This technique can also be used for
persistence.
• Service binary replacement and Installers loading from weakly-ACL'd
directories.
• Detection when a process running at high privilege loads a binary
that is ACL'd to allow low privilege user tampering.
14

15. ACCESSIBILITY FEATURES
• Windows contains accessibility features launched with a key
combination before user logon. An adversary can use it to get a
command prompt or backdoor without logon.
• In recent Windows, the replaced binary needs to be signed for x64,
must reside in %systemdir%... The debugger method is a
workaround.
• Detection by Monitoring Registries within
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows
NTCurrentVersionImage File Execution Options 15

16. DISABLING SECURITY TOOLS
• Killing security software or event logging processes, deleting
Registry keys…
• Build tamper-resistant security software
• Detection by Deception/Traps of Security Software
16

17. FILE DELETION
• Adversaries may remove malware, tools to clean footprint
• Should preserves a copy of every binary that was loaded by any
process on any system
• They can go to Binary Analysis Pipeline (BAP) to assess a
suspicion score to it.
• And download to any customer.
17

18. APPINIT DLLS
• For persistence, DLLs specified in the AppInit_DLLs value in
HKEY_LOCAL_MACHINESoftwareMicrosoftWindows
NTCurrentVersionWindows are loaded by user32.dll into
every process that loads user32.dll.
• Detection where an application has modified the AppInit DLL
registry settings.
18

19. BYPASS USER ACCOUNT CONTROL (UAC)
• Elevate privileges to perform a task under administrator-level
permissions by prompting the user for confirmation.
• Bypass e.g. rundll32.exe load a specifically crafted DLL which loads
an auto-elevated COM object and performs a file operation in a
protected directory. Or malicious software may also be injected into a
trusted process to gain elevated privileges without prompting a user.
• Detection by tracking the state of each process token and reports any
token changes, e.g. unexpected Integrity Level (IL) change from
Medium to High
19

20. COMPONENT OBJECT MODEL HIJACKING
• Adversaries can use this system to insert malicious code that
can be executed in place of legitimate software through
hijacking the COM references and relationships as a means for
persistence.
• Hijacking a COM object requires a change in the Windows
Registry to replace a reference to a legitimate system
component.
• Detection by monitoring Registries of COM, such as Icon
Overlay Handler.
20

21. LOCAL PORT MONITOR
• A port monitor can be set through the AddMonitor API call to set a
DLL to be loaded at startup. This DLL will be loaded by the print
spooler service, spoolsv.exe. Or, an arbitrary DLL can be loaded for a
pathname to
HKLMSYSTEMCurrentControlSetControlPrintMonitors.
• The spoolsv.exe process also runs under SYSTEM level permissions.
• Detection monitoring registry keys under
HKLMSYSTEMCurrentControlSetControlPrintMonitors
• Better, Detection highlights any unknown, new, or suspicious Print
Spooler service DLL image loads
21