CISCO Cyberops Associate 4 - Advanced intrusion analysis techniques

Categorize intrusion events

  • By security models (see “Cybersecurity investigation techniques”):
    • Cyber kill chain model:
      • Visibility into an attack.
      • Attacker’s tactics, techniques and procedures.
        Stages and typical attacks:
        • (1) Reconnaissance, (2) Weaponization, (3) Delivery: compromised sites, phishing, web scraping.
        • (4) Exploitation: exploit kits.
        • (5) Installation, (6) Command and Control, (7) Actions on Objective: ransomware, Trojans, bots…
    • Diamond model of intrusions: “for every intrusion event there exists an adversary taking a step towards an intended goal by using a capability over infrastructure against a victim to produce a result”.
        graph LR;
        A(adversary);
        B(capability);
        C(infrastructure);
        D(victim);

        subgraph diamond_model
          A
          B
          C
          D
        end

        A --- B;
        A --- C;
        A --- D;
        B --- C;
        B --- D;
        C --- D;
      • Core features of every malicious activity:
        • Adversary: attackers and tools.
        • Capability: malware, exploits, web scraping, other tools.
        • Infrastructure: network and shares, servers, accounts, services.
        • Victim: IP addresses, domain names, ASN, email addresses.

Source technology and events

  • IDPS/IPS:
    • Most frequent attacks.
    • Source and target of attacks.
    • Attack trends.
  • Firewalls:
    • Aggregate on the 5-tuple (source IP, destination IP, source port, destination port, protocol).
    • Rules to allow or deny traffic.
    • Incoming and outgoing connections.
  • Network Application Control:
    • Applications.
    • Applications usage (user, apps and content).
    • Web traffic, threats, data patterns.
  • Proxy logs:
    • User, application and service requests.
    • 5-tuple.
    • Timestamp.
    • HTTP request and reply.
  • Antivirus:
    • Detections.
    • Events.
    • Scan results.
    • Blocked.
    • Audit logs.
  • Transaction data (NetFlow):
    • Flow records.
    • North-south traffic (between different hierarchy levels) and east-west traffic (within the same hierarchy level).
    • Missing firewall rules.
    • Prohibited service usage.

Firewall operations

  • Deep packet inspection:
    • Inspect data payload and header of packet.
    • Acts based on the data payload.
    • Works at layer 7 (OSI).
    • The firewall is most often the inspection point.
  • Stateful firewall operation:
    • Monitor connections (flow).
    • Default blocks all inbound traffic.
    • Exception: requested traffic.
  • Packet filtering operation (e.g. ACLs):
    • Only inspects the header of each packet.
    • Does not consider the connection.

Traffic analysis techniques

  • Inline traffic interrogation (choose one depending on the situation):
    • Physical device (“tap the phone-line”).
      • 100% copy of data.
      • Does not drop frames.
      • Less vulnerable.
      • No duplicates.
      • Recommended method.
      • No port contention.
      • No configuration.
    • Traffic Monitoring (SPAN, “Switch Port Analyzer”, physical device between computer and switch):
      • Switch mechanics: it will drop some layer 1 and layer 2 data (filtered).
      • Configuration necessary.
      • Port contention.
  • NetFlow analysis (e.g. Wireshark):
    • Aggregates 5-tuple data.
    • Collects and stores information about the endpoints, communications, applications and users.
    • Can identify malicious activity and users.
  • Network traffic analysis:
    • Misconfigurations of network devices.
    • Data exfiltration.
    • Network scans from external source.
    • Denial of Service attacks.
    • Machines that are beaconing.

Extract files from a TCP stream

  • Nowadays almost all traffic is encrypted. Wireshark can decrypt TLS when it has the session keys:
    1. Look in the environment variables for SSLKEYLOGFILE to locate the key log file.
    2. In Wireshark (Edit → Preferences → Protocols → TLS → (Pre)-Master-Secret log filename) add the path of that log file.
    3. Read the decrypted messages, acting similarly to Firepower Management Center.
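As an added example (not part of the original notes), a small POSIX shell script that checks an SSLKEYLOGFILE before it is handed to Wireshark: it flags records that are not in the NSS key log format (LABEL, 64-hex client random, hex secret), counts the sessions the file covers, and lists TLS 1.3 sessions that have a client traffic secret but no server one. The key log it builds is constructed with dummy hex values, and the function names are my own.

```shell
#!/bin/sh
# Added example: sanity-check a TLS key log before pointing Wireshark at it.
# SSLKEYLOGFILE uses the NSS key log format: one record per line,
# "<LABEL> <client_random: 64 hex chars> <secret: hex>", '#' lines are comments.
# Everything below is constructed; the hex values are dummies, not real keys.

KEYLOG_RE='^(CLIENT_RANDOM|CLIENT_EARLY_TRAFFIC_SECRET|CLIENT_HANDSHAKE_TRAFFIC_SECRET|SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_TRAFFIC_SECRET_0|SERVER_TRAFFIC_SECRET_0|EARLY_EXPORTER_SECRET|EXPORTER_SECRET) [0-9a-fA-F]{64} [0-9a-fA-F]+$'

make_sample_keylog() {               # $1 = output path
  r1=$(printf '%064d' 1)             # constructed client random, a TLS 1.2 session
  r2=$(printf '%064d' 2)             # constructed client random, a TLS 1.3 session
  {
    echo '# constructed key log, dummy secrets'
    echo "CLIENT_RANDOM $r1 $(printf '%096d' 3)"          # 48-byte master secret
    echo "CLIENT_HANDSHAKE_TRAFFIC_SECRET $r2 $(printf '%064d' 4)"
    echo "SERVER_HANDSHAKE_TRAFFIC_SECRET $r2 $(printf '%064d' 5)"
    echo "CLIENT_TRAFFIC_SECRET_0 $r2 $(printf '%064d' 6)"
    echo "CLIENT_RANDOM abc123 not-hex"                   # truncated, unusable record
  } > "$1"
}

# Records Wireshark cannot use: not a comment, not blank, not well formed.
keylog_bad_records() {               # $1 = key log path (default: $SSLKEYLOGFILE)
  grep -Ev '^(#|$)' "${1:-$SSLKEYLOGFILE}" | grep -Ev "$KEYLOG_RE"
}

# Number of distinct TLS sessions (client randoms) with at least one valid secret.
keylog_session_count() {
  grep -E "$KEYLOG_RE" "${1:-$SSLKEYLOGFILE}" | cut -d' ' -f2 | sort -u | wc -l | tr -d ' '
}

# TLS 1.3 sessions with a client traffic secret but no SERVER_TRAFFIC_SECRET_0:
# only one direction of the application data can be decrypted for these.
keylog_missing_server_secret() {
  f="${1:-$SSLKEYLOGFILE}"
  grep -E '^CLIENT_TRAFFIC_SECRET_0 ' "$f" | cut -d' ' -f2 | sort -u |
    while read -r cr; do
      grep -q "^SERVER_TRAFFIC_SECRET_0 $cr " "$f" || echo "$cr"
    done
}
```

Run the checks against the live file with `keylog_bad_records "$SSLKEYLOGFILE"`; a session that shows up here but still does not decrypt usually means the capture and the key log come from different runs of the client.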

Intrusion elements from PCAP file

  • Components and capture demo:
    • .pcap (Packet CAPture file): Wireshark capture file (monitor).
      1. Select a suspicious packet, right click and Follow → TCP Stream (you may find a malware upload… save it!).
    • Metasploitable: intentionally vulnerable Linux machine, used as the target for exploit demos.
    • Kali Linux: pentesting distribution (attacking machine).
      • Armitage: graphical cyber attack management tool for Metasploit.
        1. Connect, to select the host to attack.
        2. Right click on machine, scan.
        3. After finished, right click on it and login.
        4. After finished, right click on it and shell.
          ls -ls
          # if this lists the target's files, you have a shell on it
          mkdir malware
        5. Right click on it and upload (send up some nasty stuff).
  • Analysis:
    • Right click and follow → TCP stream.
    • Look for compromised password.
    • Retrieve trace.

Artifact elements from an event

  • Firepower Management Center dashboard:
    • Intrusion events tab:
      • Top attackers (by IP addresses).
      • Top targets.
      • Total events by user.
      • Application + protocol (frequency).
    • Analysis tab:
      • Intrusions, Malware events.
        • Same file hash = same attack (identical file seen again).

Basic regular expressions

Regular expressions are great for filtering router output and logs. On the shell we use grep (Global Regular Expression Print).

  • Gather interface info:
    # enter privileged EXEC mode
    enable
    show ip interface brief
    # a lot of info, reduce scope: drop interfaces without an address
    show ip interface brief | exclude unassigned
  • Gather IP route info:
    enable
    show ip route
    # a lot of info, reduce scope: start output at the "Gateway" line
    show ip route | begin Gateway
    # only the lines that match
    show ip route | include OSPF
  • Process a huge file:
    # . matches any single character, .* any sequence, so this matches every line
    # (quoted so the shell does not expand .* as a glob)
    grep '.*' HugeFile.txt
    # Extended regex (-E), alternation works as OR
    grep -E 'Potato|Tomato' HugeFile.txt
    # Find by date in a log file: ^ anchors the match to the start of the line
    grep '^May 04' syslog
    # grep output can be piped into another grep to narrow it further
    grep '^May 04' syslog | grep systemd
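As an added example that extends the anchored-date and piped-grep patterns above (not from the original notes), a POSIX shell script that triages a constructed syslog extract: it counts a day's sshd events, tallies the sources of failed logins with grep -o, and inverts a match with -v. The log lines and the function names are constructed for the demo.

```shell
#!/bin/sh
# Added example: grep-based triage of a constructed syslog extract.
# The lines written by make_sample_log are made up for this demo (RFC 5737
# documentation addresses), not taken from a real host.

make_sample_log() {                    # $1 = output path
  cat > "$1" <<'EOF'
May 04 10:01:12 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51022 ssh2
May 04 10:01:15 gw sshd[1201]: Failed password for root from 203.0.113.10 port 51023 ssh2
May 04 10:02:01 gw systemd[1]: Started Session 42 of user ops.
May 04 10:03:44 gw sshd[1207]: Accepted publickey for ops from 198.51.100.7 port 40110 ssh2
May 05 00:00:01 gw sshd[1300]: Failed password for root from 203.0.113.10 port 51100 ssh2
May 04 10:04:10 gw sshd[1210]: Failed password for root from 192.0.2.55 port 60001 ssh2
May 04 10:05:00 gw CRON[1320]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# Count sshd events on one day: ^ pins the date to the start of the line,
# -c prints the number of matching lines instead of the lines themselves.
count_sshd_on_day() {                  # $1 = log file, $2 = date prefix, e.g. 'May 04'
  grep "^$2" "$1" | grep -c 'sshd\['
}

# Source IPs of failed logins on one day, most frequent first. -o prints only
# the matched text, so sort | uniq -c gives a per-source tally.
failed_login_sources() {               # $1 = log file, $2 = date prefix
  grep "^$2" "$1" \
    | grep -E 'sshd\[[0-9]+\]: Failed password' \
    | grep -oE 'from [0-9]+(\.[0-9]+){3}' \
    | cut -d' ' -f2 | sort | uniq -c | sort -rn
}

# Everything that is neither sshd nor systemd: -v inverts the match,
# -E allows the alternation.
other_services() {                     # $1 = log file
  grep -vE 'sshd|systemd' "$1"
}
```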