Case study: “Imminent RATs” (II)

Analysis (follow-up)

In the previous article, we had determined there was “something weird” in the computer, and we had downloaded both, a possibly malicious .doc and a user executable and mailbox. It’s time to get down to work to see what they may contain…

[Note: As a good security practice, malicious files should NEVER be shared without minimal protection. Therefore, you can download both files from here, but they are zipped with the password “infected”. Please, handle them with extreme care, you’ve been warned.]

To start with, we can open the user’s .pst to verify that the infection path is correct, something we can easily do from Windows with the Kernel Outlook PST Viewer:
[Read more…]

Case study: “Imminent RATs” (I)

Note: This is a fictional story; the characters and situations are not real. The only real thing is the technological part, which is based on a mixture of work done, experiences of other colleagues and research carried out.
These articles are part of a basic incident response workshop. Therefore, there are things that could be done more efficiently and elegantly… but the idea was to do them in a simple way so that they were easy to understand. And like any good practical workshop, you can follow it step by step: you can download a Remnux virtual machine with everything you need for the workshop here (for VMWare) or here (.ova format)).

Incident Response in less than 15 lines

Ultra-fast summary of incident response:

  • Preparation: We prepare ourselves for a possible attack by deploying detection and response measures in the Organization.
  • Detection and analysis: We detect possible attacks and analyze them to determine whether or not they are false positives, and in the event of an attack we analyze its severity.
  • Containment, eradication and recovery: We contain the spread of the attackers through the system, expel them and return the system to normal operation.
  • Post-incident lessons: We analyze the incident in search of measures to improve both the security of the system and the response itself for future incidents.

[Read more…]

Exchange forensics: The mysterious case of ghost mail (I)

Articles in the series “Exchange forensics: The mysterious case of ghost mail”: [1] [2] [3] [4]

(Note: This is a fiction story, the characters and situations are not real, the only real thing is the technical part, which is based on a mixture of work done, experiences of other colleagues and research carried out. If you want a version with the same technical dose but with less narrative, you can consult the video of the talk that the author gave at the 11th STIC Conference of the CCN-CERT here).

Another day in the office, with a list of pending tasks to plan longer than the beard of Richard Stallman and none of them entertaining: reports, documentation of a couple of projects and the preparation of a meeting is what the menu of the day offers for almost the entire week.
Luckily, the saying that “no plan survives contact with the enemy” in this case works in our favor. The phone rings, and my boss goes straight to the point: “A YARA rule has been triggered from the ATD group in CARMEN of [Redacted] (entity whose identity we are going to leave anonymously, calling it “the Organization” from now on). Take your stuff and rush over there.”

The adrenaline rush at the thrill of the hunt is instantaneous: ATD is our internal name of a group of attackers that we hunted a few months ago on another client, and our reversers ripped the malware open from top to bottom without mercy. The analysis allowed us to detect a series of particular “irregularities” in their way of acting, which allowed us to generate a series of high fidelity YARA rules (that is, false positives practically null). If it was triggered on CARMEN (our advanced intrusion detection tool), then 99% sure to be infected”.
[Read more…]

Clearing up the complexity: Security for non-technicians

IT security is almost always complex, covering many different areas and creating the sensation of a technical equivalent to “doctors’ handwriting”.

Who hasn’t had a moment where two security technicians start talking about the “APT exploiting a XP kernel CVE and exfiltered by HTTP using 404 modifieds, and thank God the IDS caught it and we put up a deny in the firewall before it dropped a new version of the malware C2”.

If you’re a security technician you’re probably smiling at these lines, but if not, you probably haven’t understood a word of it. The problem is obvious: IT security is complicated, and communicating in IT security is even more complicated.

In my opinion, all us IT security experts should work on our communication skills. We need to convince management to invest more time and resources in improving it, and convince users that security is necessary (for their own good in many cases).

For that reason, I’d like to propose a book list, of texts written by technicians, but where several of the main IT security concepts are explained in clear, simple and even agreeable ways.

”Secrets and Lies: Digital Security in a Networked World”, Bruce Schneier – Ed Wiley

Schneier is one of the best disseminators of IT security around at the moment. As well as his IT security blog he has published several books where he treats in a simple way such subjects as risk, system protection, cryptography and even society’s own trust base. All his books are interesting but “Secrets and lies” is the best. If your boss only has time to read one security book, let it be this one.

”The Code book”, Simon Singh – Ed. Anchor

If there’s one field of IT security that’s particularly complicated that’s cryptography (I have the theory that “public key cryptography can only be understood the third time it’s explained”). However, Singh does a great job of perfectly explaining the most complex concepts of cryptography, all based on historic moments and full of anecdotes. A wondrous book.

“Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon”, Kim Zetter – Ed Crown

Stuxnet is considered by many to be the first act in the cyberwarfare in all senses: intention, sophistication and complexity are words that spring to mind when we think about a malware that, possibly, has opened Pandora’s box and without doubt will be studied in future times. Zetter is able to tell us how it was detected, analyzed and eradicated in such a pleasant almost addictive way and his story becomes a kind of techno thriller.

“Spam Nation: The Inside Story of Organized Cybercrime-from Global Epidemic to Your Front Door” – Brian Krebs, Ed. Sourcebooks

Krebs is possibly the most famous journalist specialized in IT security in the world. From blog“>his blog he analyses all the most important IT security news critically but clearly. His book is a complete guide to cybercrime, telling us, with all the inside details, the sub world of IT crime from spammers to how they launder the money they make.

“The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers” – Kevin Mitnick & William Simon, Ed. Wiley

Kevin Mitnick (aka “The Condor”) is one of the better known hackers in history, being especially famous for his mastery of social engineering (or as he calls it, “hacking people”). In his book, based on his own stories and those of other hackers from the time, he tells how to overcome several different security systems with few or no technicisms. Applying lateral thinking is very interesting and how they attack certain problems jumping security in sometimes dumb but very effective ways.

“Inside cyberwarfare” – Jeffrey Carr, Ed O’Reilly

Cyberwarfare, cyberespionage, cybercrime… However tightly we close our eyes, they’re still going to be there. Carr makes a very complete list of problems we can find in the Internet, concentrating on how far different countries are capable of cyberwarfare, as well as the different scenarios and technologies to use. Although Carr is analytical and clear, running from trying to panic people, the fear it puts into you when you read it is … upsetting.

There are plenty more “simple” books talking about IT security, but these are the ones I think most representative. What about you? Do you have a bedside book to teach non-technicians about IT security? Share it!