Black Hat Asia NOC: Malware visibility

By Chris Thomas and Mike Sconzo

In the Black Hat Asia NOC we worked to ensure the wireless network was available for presenters and attendees. As part of our monitoring, we kept an eye open for any malware present on the network. RSA NetWitness® Suite’s Malware Detection capabilities look for network sessions containing file types typically associated with malware delivery, and extract them for analysis. During the conference, the system alerted on possible unknown malware. This particular alert triggers when our analysis methods return a very high score while Community-based analysis returns a very low score – indicating there are no antivirus (AV) signatures and no community knowledge of the file (Figure 1).


Figure 1 Malware dashboard with alerts

The Analysis summary reveals that the top indicators are from our Sandbox analysis (Figure 2). RSA NetWitness partners with Cisco AMP Threat Grid for sandbox analysis.


Figure 2 Top indicators from sandbox analysis

RSA NetWitness Network Session analysis shows indicators for the delivery of the file with some Warning and Suspicious level alerts (Figure 3).


Figure 3 Network Session analysis results

The sandbox analysis from Cisco AMP Threat Grid also displays what the file did as it ran, with a number of high confidence indicators (Figure 4).


Figure 4 Cisco AMP Threat Grid analysis

To obtain more insight into the actions the executed sample took we pivot across to the Cisco AMP Threat Grid portal for their detailed analysis (Jessica Bair from Cisco AMP Threat Grid has written more about the detection from Cisco’s perspective in her blog post), which shows a breakdown of their Behavioral Indicators and Network Indicators. This detailed analysis also reveals the domains and IP addresses used for check-in/Command and Control (C2) (Figure 5).


Figure 5 Cisco AMP Threat Grid domains and IP addresses

To determine if the sample infected any systems on the Black Hat Asia network, we input these network indicators back into RSA NetWitness, looking for C2 traffic. By querying for network traffic using the hostname or IP address from the Cisco AMP Threat Grid portal, we verified that the malware executable did not communicate on the Black Hat Asia wireless network to reach out to the C2 server (Figure 6).


Figure 6 RSA NetWitness network traffic query

In addition to querying for the indicators, RSA NetWitness also ingests threat intelligence information from various sources. We currently support CSV and STIX formatted data (TAXII support will be available in RSA NetWitness Suite version 11.0 later this year). Not only can you keep track of when these indicators are present in your environment, but it’s possible to add more context around the intelligence source, thus enabling you to make appropriate response decisions (Figure 7).
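The two steps above, taking the C2 hostnames and IP addresses from the sandbox report and checking whether any captured session reached them, and then keeping those indicators on file with their source and confidence so later hits carry context, can be illustrated with a small script. The following is an added example written for this post; it is not RSA NetWitness or Cisco AMP Threat Grid code. The CSV feed, the STIX-style indicator objects, the session records and every address and hostname in it are constructed placeholders drawn from documentation ranges and reserved names, and the minimal STIX pattern parser only handles the two pattern forms shown.

```python
"""Match C2 indicators from CSV and STIX-style intel feeds against captured
network sessions, keeping the feed's source and confidence with each hit.

Added illustration, not product code. All feeds, sessions, addresses and
hostnames below are constructed for the example.
"""
import csv
import io
import ipaddress
import re
from dataclasses import dataclass

# Constructed CSV feed: one indicator per row, with the context fields a
# feed can carry (source, confidence, analyst note).
INTEL_CSV = """indicator,type,source,confidence,note
198.51.100.23,ip,sandbox-report-EXAMPLE,high,C2 check-in address from sandbox run
c2-checkin.example.invalid,domain,sandbox-report-EXAMPLE,high,C2 hostname from sandbox run
203.0.113.0/24,cidr,partner-feed-EXAMPLE,medium,Hosting range seen in prior campaigns
"""

# Constructed STIX 2.x-style indicator objects with only the fields we read.
INTEL_STIX = [
    {"type": "indicator", "id": "indicator--00000000-0000-0000-0000-000000000001",
     "pattern": "[domain-name:value = 'update.example.invalid']",
     "created_by_ref": "identity--EXAMPLE"},
    {"type": "indicator", "id": "indicator--00000000-0000-0000-0000-000000000002",
     "pattern": "[ipv4-addr:value = '192.0.2.77']",
     "created_by_ref": "identity--EXAMPLE"},
]

# Constructed session records, the shape a query over captured traffic might
# return: destination IP plus whatever hostname was seen (HTTP Host / SNI).
SESSIONS = [
    {"id": 1, "src": "10.20.30.40", "dst": "192.0.2.10", "host": "www.example.com"},
    {"id": 2, "src": "10.20.30.41", "dst": "198.51.100.23", "host": ""},
    {"id": 3, "src": "10.20.30.42", "dst": "203.0.113.9", "host": "cdn.example.org"},
    {"id": 4, "src": "10.20.30.43", "dst": "192.0.2.11", "host": "update.example.invalid"},
    {"id": 5, "src": "10.20.30.44", "dst": "192.0.2.12", "host": "sub.c2-checkin.example.invalid"},
    {"id": 6, "src": "10.20.30.45", "dst": "192.0.2.77", "host": ""},
]


@dataclass
class Indicator:
    value: str        # normalised: lower-case hostname, IP, or CIDR
    kind: str         # "ip", "cidr" or "domain"
    source: str       # where the indicator came from (context for the analyst)
    confidence: str
    note: str = ""


def load_csv(text: str) -> list:
    """Parse a CSV feed; one Indicator per row, carrying its context fields."""
    rows = csv.DictReader(io.StringIO(text))
    return [Indicator(r["indicator"].strip().lower(), r["type"].strip().lower(),
                      r["source"].strip(), r["confidence"].strip(), r["note"].strip())
            for r in rows]


# Only the two simple STIX pattern forms used above are supported; anything
# else is skipped rather than guessed at.
_STIX_PATTERN = re.compile(r"\[(domain-name|ipv4-addr):value\s*=\s*'([^']+)'\]")


def load_stix(objects: list) -> list:
    """Extract Indicators from minimal STIX-style indicator objects."""
    out = []
    for obj in objects:
        if obj.get("type") != "indicator":
            continue
        m = _STIX_PATTERN.fullmatch(obj.get("pattern", "").strip())
        if not m:
            continue
        kind = "domain" if m.group(1) == "domain-name" else "ip"
        out.append(Indicator(m.group(2).lower(), kind,
                             obj.get("created_by_ref", "unknown"), "unknown", obj["id"]))
    return out


def match_sessions(sessions: list, indicators: list) -> list:
    """Return one hit per session that reached an indicator (first match wins).

    IP indicators are exact, CIDR indicators are range checks, and a domain
    indicator also matches any subdomain of it (host.c2.example matches c2.example).
    """
    ips = {i.value: i for i in indicators if i.kind == "ip"}
    cidrs = [(ipaddress.ip_network(i.value, strict=False), i) for i in indicators if i.kind == "cidr"]
    domains = {i.value: i for i in indicators if i.kind == "domain"}
    hits = []
    for s in sessions:
        found = ips.get(s["dst"])
        if found is None:
            addr = ipaddress.ip_address(s["dst"])
            found = next((ind for net, ind in cidrs if addr in net), None)
        if found is None and s.get("host"):
            labels = s["host"].lower().rstrip(".").split(".")
            for i in range(len(labels)):          # walk up to each parent domain
                found = domains.get(".".join(labels[i:]))
                if found:
                    break
        if found:
            hits.append({"session": s["id"], "src": s["src"], "indicator": found.value,
                         "source": found.source, "confidence": found.confidence, "note": found.note})
    return hits


if __name__ == "__main__":
    for hit in match_sessions(SESSIONS, load_csv(INTEL_CSV) + load_stix(INTEL_STIX)):
        print(hit)
```

Run as-is it reports sessions 2 through 6 and, for each, the feed and confidence the indicator came from, which is the context that lets a responder rank an IP-only hit from a partner range below a hostname hit from the sandbox report of the very sample under investigation. A query returning no hits, as in the Black Hat Asia case, is the result the script is silent on, so in practice pair it with a count of the sessions examined.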


Figure 7 RSA NetWitness threat intelligence display

By making threat hunting easier, and by feeding the analysis output (intelligence) back into the product for easy ongoing detection, customers can level up their operational maturity. This entails a combination of the right features to highlight suspicious behavior, a workflow that allows analysts to dive deeper, and ingestion of standard data formats to aid in detection and provide context.

Our time in the Black Hat NOC is always a great experience. It allows us to get additional exposure in a live environment and make sure our products are delivering value both internally and externally (both to the NOC and our partners). It’s even better when we’re able to leverage our products and our ecosystem to hunt for interesting and malicious behavior, understand what the root cause of the behavior is, and follow up with easy addition of IOCs to find that behavior in the future.

Happy Hunting!
