During our presentation we covered the lifecycle common to many Advanced Persistent Threat (APT) attacks and then outlined several case studies to illustrate countermeasures organizations have successfully deployed to combat the APT.  The following items were key points we covered during the workshop:

1.       “This can happen to you!” The time to begin preparing for these activities is now, prior to an incident.

2.       Organizations should define remediation success as removing today’s attackers from the environment and improving visibility such that subsequent attacks will be detected more quickly. It is not reasonable to define success as eliminating the APT threat, or as preventing the APT from re-compromising systems in the environment.

3.       Developing a remediation plan is not a one-size-fits-all process. Among other items, successful plans need to consider the attacker’s techniques and capabilities, the organization’s current visibility across their networks and systems, and resource constraints. Organizations can help prioritize remediation activities, given limited time and resources, by considering how each proposed activity helps detect, contain, or respond to the various stages of the attack lifecycle.

4.       MANDIANT has seen numerous organizations succeed at remediating APT intrusions by planning for and executing a remediation event, during which the organization isolates the environment and simultaneously implements several eradication, recovery and hardening activities. This approach generally increases the chance of successful remediation.

• Not following this approach in response to an APT intrusion generally increases the risk that the incident response effort will decline into a “whack-a-mole” situation.  In this type of situation, responders engage in a losing battle of remediating compromised assets as they are identified, while the attacker continues to compromise additional systems with different malware variants. Many organizations begin responding to APT compromises in this manner; which does not ultimately lead to success.
• This approach may not be appropriate in all situations or for other threat actors, however, we have generally seen this approach executed successfully to remediate APT compromises.

5.      The following activities tend to be critical remediation event activities; organizations should prepare for executing these activities prior to an incident.

• Isolating the WAN from the Internet.
• Blocking attackers’ known command-and-control domain names and IP addresses.
• Resetting passwords enterprise-wide (including all Active Directory infrastructure and any compromised accounts on other platforms).
• Rebuilding compromised systems.

These activities have formed the core of remediation event plans successfully executed by numerous MANDIANT clients.

6.       A few of the most critical hardening countermeasures include

• Ensuring Windows local administrator accounts are disabled or their passwords set to unique values on every system.
• Near-term, implementing application whitelisting on critical systems from which attackers can harvest password hashes en masse (e.g. domain controllers, mail servers, file servers).
• Blocking workstation-to-workstation communications using host-based firewalls.
• Patching third-party desktop applications that constitute the attack surface for spear-phishing attacks.

I hope you find the slides useful. If you have any questions regarding my post or from our presentation, please comment below.

I was able to catch several of the keynote and plenary sessions, as well as several breakouts later on. The published conference theme was “Teaming for Dominance” and “Training for Dominance.”  Without public-private collaboration between the entities that are fighting cyber crime throughout the United States victory against determined adversaries is nigh impossible. Also there is a shortage of properly trained professionals for dealing with cyber crime, and only by providing opportunities for training and education could the country pull together and get ahead.  This covered not only continuing adult education and formal training, but also initiatives for college and high school students as well. I was more interested in the secondary themes that I saw emerging in presentation or discussion: indeed there is a need to work together, cultivating defensive strengths through collaboration on intelligence and innovation, be it in education or implementation of the practice of forensics and incident response.

At the management and policy level, I listened to Jeff Stutzman of the DCISE, Alan Paller of SANS, and panel discussions from leaders in the FS-ISAC, DHS, DoD/DCISE and DSIE (all organizations that are responsible for coordinating information sharing across large groups of important organizations). Regardless of specific messaging items, most of these leaders seemed to feel that too much was getting lost in the large scope of the problem set, and the path to real progress was by focusing on a few key components. Mr. Stutzman talked about focusing on education and collaboration, Alan Paller spoke about security leaders who were making an impact by committing to only a few simple items that create real change (rather than succumbing to the temptation of lengthy checklists and guidance documents), and as the panel addressed the need for real-time information sharing, they admitted that basics needed mastering before more complex solutions could be attempted.

Several technical presenters put forth the message that Indicators of Compromise (IOCs) that describe complex forensic artifacts and innovative methods are the key to success in rapidly detecting intruders. Rob Lee talked about the state of modern forensics, and the DFIR community success story that has led to projects such as log2timeline. Rob also spoke about the next step in responder evolution: taking the information routinely found in timelines, and creating abstracted, generic patterns that always identified compromise, rather than always looking at specific signatures in a timeline. If that can be realized, organizations will be able to identify incidents as soon as an intrusion occurs, allowing for almost instant detection. At the conference MANDIANT’s Ryan Kazanciyan, Chris Nutt, and Mary Singh all cited the need for looking beyond simple signatures and traditional investigative paths in their presentations, which covered some of our best practices in IR and Disk Forensics. Several other speakers also cited the need for complex indicators as the key to success in large, noisy modern enterprise environments, and IOCswere mentioned in a variety of presentations and post-presentation discussions.

During the tradeshow, we spoke with a variety of representatives from different parts of government. Polling attendees showed that no one particular threat stood-out, but most attendees felt this was the year threat awareness went mainstream. Panelists talking about Information Sharing and Analysis Centers (ISACs) echoed this idea: that the time was now for automating the sharing of threat intelligence. In support of that idea, I was fortunate enough to be able to participate in a Birds of a Feather discussion session about potential for automating information sharing in the DCISE, and presented on OpenIOC and potential uses in creating a method of automated information sharing for threat intelligence.

Several of the DIB contractors that we spoke to talked about how they were making detection a top priority. The debate over prevention versus detection is still lively and undecided in many circles, but more and more vendors are focusing on detection as a critical need. It was encouraging hearing a lot of resonance with themes that we have long believed in:

• the ability to describe complex indicators of compromise is necessary for success,
• sharing threat intelligence is critical for the evolution of defense,
• and that belief in rapid detection as a top priority is gaining ground

I hope that the lessons learned, and discussions had at the conference, empower the responders who work with DC3 in the coming year. And that collectively we can help solve the ever-growing needs for better detection and threat intelligence sharing across so many critical sectors of the enterprise.

If you attended DC3 I’d love to hear your take on the conference and themes you noticed from presenters and attendees. If you were unable to go, slides from the MANDIANT presenters will be up soon.

A caveat within MRI I that I want to talk about is Process Path Verification. This rule set is very powerful but there are two ways to define to paths. Neither is documented because currently there is no documentation on MRI.. The first method of specifying a process path is to specify an absolute path such as this:
calc.exe:\windows\system32

MRI interprets this as the only valid path for calc.exe is \windows\system32\calc.exe. However, if I wrote the rule like:
calc.exe:\windows\system32\

MRI would interpret this as calc.exe can be run from any sub directory as long it’s a sub directory within \windows\system32\*

The reason this is important is it gives you flexibility in writing definitions. If I don’t want to specify the exact location of iexplore.exe I can say it needs to be launched from \program files\. This may prove to be too loose, and I may change this behavior going forward. For now you have the flexibility to specify absolute paths or sub paths.

The next “undocumented” tidbit that I want to discuss is within two behaviors. These behaviors actually have the ability to use regex when trying to match up their values. I did not build the regex option into the UI so it has to be manually added to the AuditViewerConfig.xml. The two XML lists that can take regex expressions are IgnoreFilesList, and ProcessSuspiciousHandleList. The regex elements are, IgnoreFileRegex, and HandleRegex. An example IgnoreFileRegex looks like:
<IgnoreFileRegex>mshist.*\\index.dat</IgnoreFileRegex>

This rule specifies that any file matching this regular expression should be ignored when doing process scoring. You can get creative just be careful.

An example HandleRegex looks like:
<HandleRegex>*:.*-7$:mutant:known conficker mutant</HandleRegex>

It breaks down like this:
Process: Regular Expressions : handle type: description

It breaks down like this:
Process: Regular Expressions : handle type: description

This allows you to get more out of your suspicious handles definitions.

Finally, I’d like to take a second to reiterate something I stated at DC3. The “Verify Digital Signatures” option in Memoryze and Audit Viewer wizard can ONLY be run when doing live memory. It is not possible to enable it when doing dead memory analysis. Which means the address scoring is not possible on dead memory, behavioral analysis still works on dead memory. If you are going to acquire memory, please run live analysis jobs as well as acquisition. This way you get the most information possible off the machine. The second thing I wanted to reiterate is that verify digital signatures is great, it really helps potentially speed up an analyst’s job. However, we are only verifying the digital signatures exist and are valid on disk. We are not verifying the module in memory hasn’t been modified. If a userland rootkit exists (again shame on the authors) then we won’t report that. It’s important to remember this. Verifying modules in memory short of doing rootkit detection is not a trivial task. The windows loader is a beast, a behemoth it does a lot to make verification in memory to disk is very hard (not impossible). Thanks again for all the interest in M-Trends, Audit Viewer and Memoryze. As always feedback is always appreciated.

The talk is going to be interactive. And dammit I don’t care if you don’t want to interact with me. I’m both very convincing, persistent and well…charming! You will feel compelled to join in on this talk. I promise. I know this because I’m bringing bribes… And yes, I’m bringing what you are thinking.

This talk will contain a brief intro to memory analysis, a FAQ etc. We are not going to waste much time on the nitty gritty since most people are not interested in how we chop off the last 12 bits to get a physical offset from a virtual address. I know, you just fell asleep a little.  During this talk I will make a case for why memory analysis is important. I will pull from pervious APT investigations where disk analysis failed and had to be used in conjunction with memory analysis. Finally, we will discuss MANDIANT’s Malware Rating Index (MRI). We will finish with real APT incident demos where I’ll walk through the investigation of an infected system with APT.

Now, a little more about MRI. MRI is a huge update to Audit Viewer.  Instead of going after a fish (malware) with a hook (signatures), I’m going after fish (malware) with a drag net (MRI). The goal of this feature is twofold. First it is going to  help pinpoint specific processes that should be investigated further while attempting to eliminate some of the non-suspicious processes and get them out of the analyst’s way. It’s also designed to try and make APT detection easier. A lot of work went into looking at our samples and how they behave etc, and coming up with definable behaviors that trap those little creatures. MRI is made up of two components. The first component is a definable behavior rule set that is completely customizable. It is made up of three different types of rules:

• Process Path Verification – allows users to define what processes should be launched from what directories. This triggers on malware that copies and names itself after svchost or other system processes to subdirectories within system folders. For example a default rule is that svchost can only be executed from \windows\system32. Any time we see it running from somewhere else we flag the process.
• Process User Verification – allows users to define what processes should be running under what users.  This triggers on malware spawning svchost for purposes of unmapping image bases or hiding dlls within spawned svchost. So, for example, if malware copies itself to system32\dllcache and then names itself svchost.exe, you can define a rule saying svchost.exe should be running as local service, network service, or system. When Audit Viewer see svchost running as administrator it gets flagged.
• Process Handle Inspection – this allows you to define specific rules pertaining to malware or generic behavior. For example a default rule is to flag svchost or iexplore anytime it has a process handle to cmd.exe. There is just no good reason for this to _EVER_ happen. You can also define rules based on specific malware, for example if a3c mutant is present then flag the process as being infected with sality.

All of these features are configurable from the UI by going to operations -> Configure MANDIANT MRI.

The second component of MRI is a process address space scoring mechanism. We will be releasing an update to Memoryze at DC3. The new release will contain bug fixes as well as a new feature called “Verify Digital Signatures.” When this parameter is turned on memoryze will perform a “digital signature check” on all loaded modules. This can only be enabled on live memory analysis. The digital signature check verifies the module on disk is digitally signed. We do a bunch of math and use our Least Frequency of Occurrence to trust modules that aren’t signed but occur in more than X% of processes. Where X is defined by the user. We won’t flag or catch modified binaries in memory. So if a rootkit is doing userland hooking (it should be ashamed) we won’t know about it because we are checking disk to determine if it is digitally signed. There are a lot of reasons why we can’t verify in memory digital signatures.  It might make an interesting blog to detail all the reasons. With that said, this new feature gives us a good working idea of how much of the loaded modules in the process address space are signed and therefore trusted. It’s had fantastic results thus far. I’ve been using it on old incidents to see if we could have sped up results using these new methods. The answer seems to be yes in a lot of cases.

After DC3 I’ll have more blogs detailing how you can use and write better rules for MRI. But for now there will be a default distribution that you can use and modify. Again, like always, Audit Viewer is open source and free. Which means you can see the logic and rules behind MRI. Memoryze is and will stay free.

If you are going to be at DC3 and want to grab a beer I will be there from Sun (night)-Weds. Unfortunately I’m going to be missing all the great talks on Thurs so I can leave to compete in the Tough Guy Challenge. You are more than welcome to join at this race in Northern England. As I understand it there are still some open slots! See everyone at DC3!