Stalking the Kill Chain: Tying it All Together

By Alex Cox, Sr. Researcher, RSA FirstWatch team

The Single Event Mentality

Historically, security technologies tend to be focused on a single place, or at most two places, on the kill chain, and they lack the full context behind an event that a complete analysis system provides. When using the phrase “stalking the kill chain”, we are focusing on the ability to use a structured approach to watching the network with the idea of identifying kill chain events in progress, across the entire kill chain.

- Anti-virus is focused on the delivery and exploitation phases, attempting to detect known shellcode, previously identified malware, or heuristically interesting binaries.

- Intrusion Detection is focused on detection of exploitation events or C2, based on known signatures or communication methods.

- Content Filtering and proxy technologies are focused on blocking of known C2 or exploit sites or the categorization of sites for additional analysis.

Tracking an event holistically in NetWitness NextGen

Ultimately, we seek to move our analysis techniques and abilities from a single- or dual-stage approach to a seamless one that allows free-flowing movement in any direction along the kill chain during an investigation, with the goal of gauging the scope and magnitude of an intrusion quickly.

Using RSA NetWitness Live, a NextGen user is able to consume and leverage related content to help track events across the kill chain.

While the detection of malware is important, a holistic approach to threat detection also needs to focus on the detection of “quiet” activity after a foothold is established by the attacker. According to industry reports, attackers use malware in only 54 percent of compromises, and in the remaining cases detection was possible only through holistic analysis.

Signs of Weaponization/Delivery/Exploitation

For detection of weaponization, delivery and exploitation events within NetWitness, the following content can be consumed and utilized from NetWitness Live:

FlexParsers – Malware PDF, Fingerprint office2007, Fingerprint office97-2003, Fingerprint pdf, Fingerprint jar, Exploit Web Pages, HTML Threat Analysis (Spectrum Subscribers), Encoded File Fingerprinting, XOR Executable (Spectrum Subscribers), Advanced Executable (Spectrum Subscribers)

To further augment the analysis, the following custom drills in Investigator should be employed:

General PDF identification
filetype = pdf
filetype = base64 encoded pdf

Anomalous PDF identification
risk.warning begins pdf || risk.suspicious begins pdf || risk.info begins pdf

Office Documents

General Office Document Identification:
filetype = office2007 || filetype = office97-2003
filetype = base64 encoded office

Suspicious Web Pages (potential exploit or browser fingerprinting activity)

Existence of Java Applets:
filetype = jar

Existence of suspicious HTML elements:
risk.suspicious = js scan for adobe
risk.suspicious = iframe src pdf
risk.suspicious = iframe src cgi
risk.suspicious = iframe src htm
risk.suspicious = iframe src html
risk.info = embedded html applet
risk.info = embedded html applet with params
risk.info = embedded html codebase
risk.info = embedded html object
risk.suspicious = iframe embedded js
risk.suspicious = iframe hidden values
risk.suspicious = iframe inside hidden div
risk.suspicious = iframe src php
risk.suspicious = pdf inside hidden div
risk.warning = iframe src pdf

General Executable Detection
filetype = windows executable
filetype = base64 encoded exe

Anomalous Executable Detection
risk.info begins exe || risk.suspicious begins exe || risk.warning begins exe
risk.warning = potential binary from duqu group
risk.warning = hex encoded executable
risk.warning = xor encoded executable
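Several of the drills above (“base64 encoded pdf”, “base64 encoded exe”, “hex encoded executable”, “xor encoded executable”) rely on recognising a file’s magic bytes after they have been through an encoding layer. The following script is an added example, not part of this whitepaper and not NetWitness parser code, showing how such fingerprints are derived: base64 is computed at all three possible alignments and only the characters fully determined by the magic are kept, hex is matched on byte boundaries, and single-byte XOR is recovered from the first byte and confirmed against the rest of the magic. The magic values are the standard ones (an assumption, not NetWitness’s definitions) and the sample objects are constructed.

```python
import base64
import binascii

# Well-known leading bytes of the file types the drills above name. These are
# the standard magic values, not NetWitness's own parser definitions (an
# assumption of this example).
MAGIC = {
    "pdf": b"%PDF-",
    "windows executable": b"MZ",
    "zip": b"PK\x03\x04",
    "rar": b"Rar!\x1a\x07\x00",
}

def base64_fingerprints(magic):
    """Base64 substrings that a file beginning with `magic` must produce.

    Base64 packs 3 bytes into 4 characters, so the encoded text depends on how
    the magic lines up with a 3-byte group. Try all three alignments and keep
    only the characters whose 6 bits fall entirely inside the magic bytes.
    Returns [(substring, expected position modulo 4), ...]."""
    fps = []
    for lead in range(3):
        # `lead` unknown bytes before the magic; filler after it so that
        # b64encode never needs '=' padding inside the region we slice
        buf = b"\x00" * lead + magic + b"\x00" * 3
        enc = base64.b64encode(buf).decode("ascii")
        first_bit, last_bit = 8 * lead, 8 * (lead + len(magic)) - 1
        first_char = -(-first_bit // 6)      # ceil: first char fully inside
        last_char = (last_bit - 5) // 6      # char i covers bits 6i..6i+5
        fps.append((enc[first_char:last_char + 1], first_char % 4))
    return fps

def find_base64_encoded(text, magic):
    """True if `text` (assumed to start on a base64 group boundary) contains
    the encoding of a file that starts with `magic`, at a position consistent
    with the 4-character alignment."""
    for sub, phase in base64_fingerprints(magic):
        pos = text.find(sub)
        while pos != -1:
            if pos % 4 == phase:
                return True
            pos = text.find(sub, pos + 1)
    return False

def find_hex_encoded(text, magic):
    """True if the hex spelling of `magic` appears on an even (byte) boundary."""
    needle = binascii.hexlify(magic).decode("ascii")
    low = text.lower()
    pos = low.find(needle)
    while pos != -1:
        if pos % 2 == 0:
            return True
        pos = low.find(needle, pos + 1)
    return False

def single_byte_xor_key(data, magic):
    """Return the key k in 1..255 for which data XOR k starts with `magic`, or
    None. Key 0 is the unencoded case and is handled by the plain check."""
    if len(data) < len(magic):
        return None
    key = data[0] ^ magic[0]
    if key and all((d ^ key) == m for d, m in zip(data, magic)):
        return key
    return None

def classify(payload):
    """Label a carved object the way the drills above do: plain, base64
    encoded, hex encoded or xor encoded instances of each magic value."""
    tags = []
    text = payload.decode("latin-1")          # 1:1 mapping keeps positions
    for name, magic in MAGIC.items():
        if payload.startswith(magic):
            tags.append(name)
        if find_base64_encoded(text, magic):
            tags.append("base64 encoded " + name)
        if find_hex_encoded(text, magic):
            tags.append("hex encoded " + name)
        if single_byte_xor_key(payload, magic) is not None:
            tags.append("xor encoded " + name)
    return tags

# Constructed sample objects (not captured traffic).
SAMPLES = {
    "plain pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "base64 pdf": base64.b64encode(b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n"),
    "base64 pdf, misaligned": base64.b64encode(b"\n%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    "xor 0x5a exe": bytes(b ^ 0x5A for b in b"MZ\x90\x00\x03\x00\x00\x00\x04\x00"),
    "hex exe": b"4d5a90000300000004000000ffff0000",
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print("%-24s -> %s" % (label, classify(payload)))
```

The alignment handling matters in practice: a PDF encoded on its own starts “JVBERi”, but the same PDF with one byte in front of it encodes to a string containing “VQREYt” at an offset of two, and a detector that only knows the first form misses it. Note also how little a two-byte magic such as “MZ” buys on its own: its base64 fingerprints are two characters long and a single-byte XOR match on two bytes has a 1-in-256 coincidence rate, which is why the drills above treat encoded-executable hits as risk meta to be examined alongside other evidence rather than as a verdict, and why a detector used in production would check more of the header than this example does.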

Signs of Command and Control

For detection of command and control events within NetWitness, the following content can be consumed and utilized from NetWitness Live:

FlexParsers – Botnet Traffic Patterns, Htran, ShadyRat, HTML Header, Verbose DNS, Duqu Binary Detection, Windows Command Shell

To further augment the analysis, the following custom drills in Investigator should be employed:

Specific Malware C2 Behavior
risk.warning ends "botnet activity"
risk.suspicious = "htran redirector"
risk.suspicious = "shadyrat encoded command"

Generic HTML and DNS Anomaly Detection
risk.info begins http
risk.info begins dns

Remote Windows Shell
risk.warning = windows command shell
risk.suspicious = windows cli admin command

Remote Desktop Connection
service = 3389

Signs of Exfiltration

For detection of exfiltration events within NetWitness, the following content can be consumed and utilized from NetWitness Live:

FlexParsers – Fingerprint RAR, Encoded Hashes, pkware

To further augment the analysis, the following custom drills in Investigator should be employed:

Generic FTP Detection
service = 21

Generic Archive File Identification
filetype = rar
filetype = zip
filetype = base64 encoded zip
filetype = base64 encoded rar

Password Hash Exfiltration or Movement
risk.warning begins plaintext pwdump
risk.warning begins xor encoded pwdump
risk.warning begins base64 encoded pwdump

While this is not an exhaustive list, it provides a basic guideline for analysis of advanced threats across the kill chain.
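The three sections of drills above each look at one stage; the point of the whitepaper is to read them together per host. The script below is an added example, not part of this whitepaper and not NetWitness code, that evaluates drills written in the page’s own syntax (key, operator, value, clauses joined by `||`, with the `=`, `begins` and `ends` operators used above) against session meta, assigns each session to the kill-chain stage its drills evidence, and then ranks internal hosts by how many distinct stages they have touched. The meta model (a session as a dictionary of multi-valued keys) is a simplification assumed for the example, the drill list is a subset of the page’s, and the sessions are constructed; the one meta value not taken from the page is marked as constructed.

```python
import re
from collections import defaultdict

# Drill syntax as written on this page: `key op value`, clauses joined by
# `||`. Only the operators the drills above actually use are implemented.
_CLAUSE = re.compile(r"^\s*([\w.]+)\s+(=|begins|ends)\s+(.+?)\s*$")

def parse_drill(drill):
    """'risk.warning begins pdf || filetype = pdf' ->
    [('risk.warning', 'begins', 'pdf'), ('filetype', '=', 'pdf')]"""
    clauses = []
    for part in drill.split("||"):
        m = _CLAUSE.match(part)
        if not m:
            raise ValueError("unparseable clause: %r" % part)
        key, op, value = m.groups()
        # the page quotes some values with straight or curly quotes; drop both
        clauses.append((key, op, value.strip('"\u201c\u201d').lower()))
    return clauses

def clause_matches(session, key, op, value):
    """Meta keys are multi-valued: the clause holds if ANY value of `key`
    satisfies it. Comparison is case-insensitive text."""
    for v in session.get(key, []):
        v = str(v).lower()
        if ((op == "=" and v == value)
                or (op == "begins" and v.startswith(value))
                or (op == "ends" and v.endswith(value))):
            return True
    return False

def drill_matches(session, drill):
    """`||` is a disjunction: the drill matches when any clause matches."""
    return any(clause_matches(session, *c) for c in parse_drill(drill))

# A subset of the page's drills, grouped by the kill-chain stage they evidence.
DRILLS = {
    "weaponization/delivery/exploitation": [
        "filetype = pdf || filetype = base64 encoded pdf",
        "risk.warning begins pdf || risk.suspicious begins pdf || risk.info begins pdf",
        "filetype = office2007 || filetype = office97-2003",
        "filetype = windows executable || filetype = base64 encoded exe",
    ],
    "command and control": [
        'risk.warning ends "botnet activity"',
        "risk.warning = windows command shell",
        "service = 3389",
    ],
    "exfiltration": [
        "service = 21",
        "filetype = rar || filetype = zip",
        "risk.warning begins plaintext pwdump",
    ],
}

def session_stages(session):
    """Kill-chain stages a single session shows evidence of."""
    return {stage for stage, drills in DRILLS.items()
            if any(drill_matches(session, d) for d in drills)}

def stalk(sessions):
    """Tie sessions together per internal host: the stages seen, ordered by
    first sighting, and how many distinct stages that is. A host that has
    touched several stages is a far stronger lead than any single alert."""
    first_seen = defaultdict(dict)            # host -> {stage: time}
    for s in sorted(sessions, key=lambda s: s["time"]):
        for stage in session_stages(s):
            first_seen[s["ip.src"]].setdefault(stage, s["time"])
    return {host: {"stages": sorted(seen, key=seen.get), "depth": len(seen)}
            for host, seen in first_seen.items()}

# Constructed session meta (not real captures); meta values are taken from the
# drills above except the one marked constructed.
SESSIONS = [
    {"time": 1, "ip.src": "10.0.0.5", "ip.dst": "203.0.113.10", "service": [80],
     "filetype": ["pdf"], "risk.warning": ["iframe src pdf"]},
    {"time": 2, "ip.src": "10.0.0.5", "ip.dst": "203.0.113.10", "service": [80],
     "filetype": ["base64 encoded exe"]},
    {"time": 3, "ip.src": "10.0.0.5", "ip.dst": "198.51.100.7", "service": [80],
     "risk.warning": ["constructed botnet activity"]},
    {"time": 4, "ip.src": "10.0.0.5", "ip.dst": "198.51.100.7", "service": [21],
     "filetype": ["rar"]},
    {"time": 1, "ip.src": "10.0.0.9", "ip.dst": "192.0.2.20", "service": [80],
     "filetype": ["office2007"]},
    {"time": 2, "ip.src": "10.0.0.9", "ip.dst": "192.0.2.21", "service": [443]},
    {"time": 5, "ip.src": "10.0.0.12", "ip.dst": "10.0.0.50", "service": [3389]},
]

if __name__ == "__main__":
    for host, info in sorted(stalk(SESSIONS).items(),
                             key=lambda kv: -kv[1]["depth"]):
        print("%-10s depth=%d  %s" % (host, info["depth"], " -> ".join(info["stages"])))
```

Run stand-alone, the report puts 10.0.0.5 first with exploitation, then command and control, then exfiltration, while the host that only opened an Office document and the host that only made one RDP connection each sit at depth one. That ordering is the analytic payoff of the approach: each of the individual drills above fires on perfectly ordinary traffic some of the time, but a single source address accumulating hits across successive stages of the kill chain is the lead to chase first, and the per-host first-seen times give the investigator the direction to move along the chain.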

Conclusion

Given the prevalence and velocity of malware production, combined with sophisticated attack strategies, it is common for advanced threats to successfully infiltrate organizations despite defenders having “checked all of the blocks” for a robust security infrastructure. Only through a comprehensive understanding of the organization’s current capabilities to detect and respond along the kill chain, together with pervasive visibility and threat intelligence combined with intelligent security analytics and analyst intuition, can a defending organization hope to level the playing field. Let this whitepaper serve as high-level guidance and a starting point for identifying and tracking attacks which may pose a threat to your organization – happy hunting!

Alex Cox, MSIA, CISSP, GPEN, GSEC is a Senior Consultant and Security Researcher with RSA FirstWatch team responsible for advanced threat intelligence research. Alex has worked more than a decade in IT with a background in desktop architecture, emerging threat research, network forensics and behavioral malware analysis.