This document summarizes a presentation about investigating security incidents. It discusses:
1) Useful protocols to investigate like DNS, HTTP, SMTP and Netflow which can help detect data exfiltration and malware communications.
2) Public resources for intelligence like malware domain lists, blacklists, and Google's safe browsing to correlate with firewall and DNS logs.
3) Online tools and open source software like OSSEC, Logstash, and Malcom that can help aggregate, parse, and correlate security data from multiple sources to aid investigations.
2. TrueSec
$ whoami
⢠Xavier Mertens (@xme)
⢠Consultant @ day
⢠Blogger @ night
⢠BruCON co-organizer
2
3. TrueSec
$ cat disclaimer.txt
âThe opinions expressed in this presentation
are those of the speaker and do not necessarily
reďŹect those of past, present employers,
partners or customers.â
3
6. TrueSec
Me? Breached?
6
⢠In 66% of investigated incidents, detection
was a matter of months or even more
⢠69% of data breaches are discovered by
third parties
(Source:Verizon DBIR 2012)
10. TrueSec
âActiveâ Lists
10
⢠Temporary or suspicious information to
track and dynamically updated
⢠Examples:
Contractors, Admins,Terminated Accounts,
Countries (GeoIP)
⢠If grep(/$USER/, @ADMINS) { ... }
14. TrueSec
DNS
⢠No DNS, no Internet!
⢠Can help to detect data exďŹltration,
communications with C&C (malwares)
⢠Alert on any trafďŹc to untrusted DNS
⢠Allow only local DNS as resolvers
⢠Investigate for suspicious domains
14
15. TrueSec
HTTP
⢠HTTP is the new TCP
⢠Investigate for suspicious domains
⢠Inspect HTTPS
(Check with your legal dept!)
⢠Search for interesting hashes
15
21. TrueSec
URLs
⢠http://malwareurls.joxeankoret.com/
normal.txt
⢠Google SafeBrowsing
use Net::Google::SafeBrowsing2;
use Net::Google::SafeBrowsing2:::Sqlite;
my gsb = Net::Google::SafeBrowsing2->new(
key => âxxxâ,
storage => Net::Google::SafeBrowsing2::Sqlite->new(ďŹle =>
âgoogle.dbâ)
);
$gsb->update();
my $match = $gsb->lookup(url => âhttp://evil.comâ);
if ($match eq MALWARE) { ... }
21
22. TrueSec
$ cat disclaimer2.txt
22
âData are provided for âfreeâ but the right to us
can be restricted to speciďŹc conditions (ex:
cannot be re-used for commercial applications).
Always read carefull the terms of use. Some
services require prior registration and use of
APIsâ
23. TrueSec
OSINT
âSet of techniques to conduct regular
reviews and/or continuous monitoring over
multiple sources, including search engines,
social networks, blogs,
comments, underground
forums, blacklists/whitelists
and so on.â
23
31. TrueSec
Conclusions
⢠Know your environment
⢠You have plenty of useful (big)data
⢠Free software can help you (but the project
is not free)
31