Sales Training ’08: Inside TDA
Threat Team, Network Content Security Group
AGENDA
• Terminologies
• TDA Introduction
• TDA 2.0 Architecture
• Simplified Data Flow
• NCIT Modules
• Correlation Data Flow Examples
• Top 10 Commonly Triggered Rules
• IAE Rule (TMS - Cloud Correlation Rules)
• Threat Mitigation Policies
• Threat Mitigation Scenarios
• TDA Severity Description and Rule Mapping
• Q & A
Classification
Terminologies
• NCIT – Network Content Inspection Technology
• NCCE – Network Content Correlation Engine
• NCIP – Network Content Inspection Pattern
• NCCP – Network Content Correlation Pattern
• TDA – Threat Discovery Appliance
• VSAPI1+ – modified VSAPI File Scan engine
• VSAPI2 – VSAPI Network Scan engine, also known as ScriptEngine™
• FSE – File Stream Extraction
• TSE – TCP Stream Extraction
Terminologies
• TDME – Threat Discovery Mitigation Engine (leveraged by TDAgent at the endpoint to do clean-up)
• TMTM – Trend Micro Threat Mitigator
• IAE – Incident Analysis Engine
TDA
• VSAPI+ (VSAPI extension)
  • File-based malware signature detection
  • Produces hints (triggers) for CAV rules
  • Now uses VSAPI 8.710 build
• Script Engine (NCIE)
  • Network viruses and exploits (NVW patterns)
  • Application layer protocol parsing and content extraction
  • Generates hints (triggers) for CAV rules
• CAV (NCCE)
  • Correlates triggers
  • Logs detection results to the database
• TMUFE
  • Receives and sends URL detections to CAV; useful for in-the-cloud correlation
TDA Rule Support – Correlation Rules in CAV and Script Engine
• Detects malicious/suspicious email attachments
• Detects suspicious IM links
• Detects suspicious files dropped in shared folders
• Detects suspicious DNS queries
• Detects malware and spyware phone-home (web threats)
• Detects malware and spyware downloads (downloader dogarp case, true file type)
• Detects protocol misuse
• Detects IRC bots
• Detects rogue services (SMTP, DNS)
• Detects Kraken-Bobax domains
TDA Rule Support – Correlation Rules in CAV and Script Engine
• Detects P2P traffic via DAE
• Detects buffer-overflow attempts in SMB
• Detects WMF, EMF, ANI, JPEG, SWF, BMP and PNG exploits in HTTP
• Detects remote shell payloads
• Detects malicious URL/URI access
• Detects phishing
• Detects Oracle web attacks
• Detects unauthorized DNS zone transfers
• Detects default account usage
• Detects suspicious downloads
• Detects rogue DNS servers
TDA Rule Support – Will have support for info-stealing malware
• Detects phone-home
• Detects download sites
• Detects destination drop sites:
  • Email address
  • FTP username and FTP server
  • URL Post/Get
  • URI Post/Get
  • IP address and/or port (for encrypted protocols)
  • Domains
  • IRC channel name
Simplified Data Flow (diagram; not reproduced). Components: TSE, FSE, NCIE, FileScan, FileStore, NCCE, Log. Labelled data: byte stream blocks, session info, trigger info, file descriptors, captured files, event info, event log counts, statistics.
TSE
• TSE acts as a “man in the middle”: it extracts streams from the raw packets of TCP connections and sends the streams to ScriptEngine™ for scanning. Based on the scan result, it then either forwards the connection or kills it.
TSE - Packet Scan
• TSE accepts Ethernet packets as its input
• Forwards packets to ScriptEngine™ for PacketScan
• Checks the PacketScan result and takes action
  • PacketScan results can be VirusFound or VirusNotFound
• Drops packets of illegal formats
TSE - Byte Stream Scan
• Extracts the stream from TCP packets and sends the stream to ScriptEngine™ for ByteScan
  • Handles out-of-order packets
  • Handles overlapped packets
TSE - Other
• IP defragmentation: assembles IP fragments and sends the result back to ScriptEngine™ for PacketScan
• Writes a log if either PacketScan or ByteScan detects a threat
• Provides configuration settings
  • Timeout
  • Maximum stream size
  • Enable PacketScan
  • Enable ByteScan
• Also sends the stream to FSE
FileScan
• Supports file scanning
  • VSAPI
  • SSAPI
• Identifies the virus type from the scan result and sends triggers to NCCE
FSE
• FSE has two inputs: session blocks from TSE, containing TCP streams, and triggers from ScriptEngine™, indicating where a file is located in the TCP stream. From those two inputs, FSE assembles all the files in a TCP connection and sends the file descriptor to FileScan for scanning.
FSE - File Composing
• Gets session blocks from TSE
• Gets triggers from ScriptEngine™:
  • BoB (Begin of Block)
  • EoB (End of Block)
  • BoS (Begin of Session)
  • EoS (End of Session)
  • BoF (Begin of File)
  • EoCF (End of Chunk File)
  • EoF (End of File)
• After each file is assembled, it sends the following information to FileScan:
  • File descriptor
  • FileID
  • PatternID
  • PatternVersion
  • SessionID
FSE - Other
• Relays triggers to NCCE
• Timeout for session blocks
• Provides configuration settings
  • Enable/disable sending to FileScan
  • Enable/disable relaying triggers to NCCE
  • Size of the backward buffer
• File resource management
• Large file handling
FileStore
• Stores the suspicious files on the hard disk
• Combines event details and captured files with logs by prepending the event detail info as a header
• Encrypts the file
• Manages stored files and purges them if required
NCCE (also known as CAV)
• Receives triggers from the FPGA (software).
  • A trigger comes from the NCIP that ScriptEngine™ executes.
  • Protocol Parser is an NCIP designed to perform protocol parsing and to aid in the extraction/composition of files on certain protocols.
• Receives FileScan triggers.
  • FileScan triggers are generated by FileScan, which scans files extracted/composed by FSE with the help of the Protocol Parser.
NCCE (also known as CAV)
• Uses NCCP to load:
  • Blacklist
    • C&C server IP addresses and domains
    • Malware and spyware User-Agents
    • Bad subjects used by malware for social engineering
    • Suspicious filenames used by malware and spyware
    • Suspicious file extensions
    • Rogue DNS servers
  • Whitelist/Exceptions
    • Trusted domains/sites, User-Agents
    • Reserved IP range
    • Rule exceptions
    • Known Security Risk detection prefix exception
  • Configurations
    • Rule descriptions, confidence level
    • Threat mitigation policies and mitigation parameters
• Performs the rule matching by trigger correlation.
• Generates threat/risk logs and stores them in the log database.
Top 10 Commonly Triggered TDA Rules
• Monitored client is connecting to an authorized service that presents a security risk. (Rule 52 – Email message sent through a non-trusted SMTP server)
• Monitored client is receiving a suspicious link. (Rule 43 – Email contains hard-coded IP address)
• Monitored client is downloading malware. (VSAPI)
• Hacking attempt. (Rule 38 – Multiple logon failed)
• Monitored client has potential outbound security risk. (Rule 105 – Possible Kraken-Bobax)
Top 10 Commonly Triggered TDA Rules
• Hacking attempt. (Rule 26 – Too many logon failed)
• Monitored client is receiving an email with a suspicious attachment. (Rule 54 – Email message contains an archive file with a packed executable file)
• Monitored client is sending out suspicious email. (Rule 29 – SMTP Open-Relay access attempted)
• Monitored client is receiving email with a phishing link. (Rule 72 – Email contains a suspicious link to a possible phishing site)
• Monitored client has malware that is communicating with an external party. (Rule 18 – DNS query of known IRC Command and Control Server)
Commonly Triggered Rules
Monitored client is connecting to an authorized service that presents a security risk. (Rule 52: Email sent through a non-trusted SMTP server)
• This rule is triggered when an internal host sends an email to an SMTP server that has not been added to TDA’s registered services.
• If malware-related, this could be a source of information leakage, or spam may be being sent out through public SMTP servers.
• However, this may be a common occurrence in networks where the use of public SMTP servers is allowed.
• It is recommended to investigate the log for suspicious content whenever possible.
• Use discretion when adding servers to TDA’s registered services.
Commonly Triggered Rules
Monitored client is downloading malware. (VSAPI)
• This rule is triggered when malware detected by VSAPI is downloaded from the internet.
• In most cases, it is inaccurate to assume that the user or machine has been infected, especially if an endpoint solution is present.
• Along with other rules, this event is sent to the cloud for correlation.
Commonly Triggered Rules
Hacking attempt. (Rule 38: Multiple logon failed / Rule 26: Too many logon failed)
• Numerous failed authentication attempts are a good indication of a malicious user or process trying to gain network access by password guessing. This is typically done using a so-called “dictionary attack”, where a list of words often used as passwords is simply tried against a given account. An alternative is the so-called “brute-force” attack, where a massive number of passwords is automatically generated and tried. During a brute-force attack, theoretically all combinations are tried, making it a very lengthy operation and thus generating many more failed logins than a dictionary attack.
• This rule is triggered when a certain threshold of failed login attempts is reached. Below are the details of these thresholds per protocol.
• For the SMB protocol, the possible attacker is the destination IP address.
• Also for the SMB protocol, there is a chance of false positives for technical reasons. Consult the customer if you have suspicions.
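The threshold logic behind Rule 38 and Rule 26, as an added example (not TDA's own code): a sliding-window count of failed logons per protocol and attacker, with the SMB attribution to the destination address that the slide describes. The thresholds, the window and the log format are assumptions, since the slide's per-protocol table is not reproduced here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds (the slide's per-protocol table is not reproduced): failures inside WINDOW
# that fire Rule 38 "Multiple logon failed" and Rule 26 "Too many logon failed".
THRESHOLDS = {"SMB": (5, 20), "FTP": (5, 20), "POP3": (5, 20), "SMTP": (5, 20)}
DEFAULT_THRESHOLDS = (10, 50)
WINDOW = timedelta(minutes=5)

# Constructed log format (assumption), one authentication event per line.
_LINE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) result=(?P<result>\w+)$"
)


def parse_event(line: str):
    m = _LINE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def attacker_of(ev) -> str:
    """TDA attributes SMB logon failures to the destination address; other protocols to the source."""
    return ev["dst"] if ev["proto"] == "SMB" else ev["src"]


def detect_logon_failures(lines, thresholds=THRESHOLDS, window=WINDOW):
    """Sliding-window count of LOGON_FAILED events per (protocol, attacker). Each rule fires once
    per key, the first time the count inside `window` reaches its threshold."""
    recent = defaultdict(deque)   # (proto, attacker) -> timestamps of failures inside the window
    fired = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if not ev or ev["result"] != "LOGON_FAILED":
            continue
        key = (ev["proto"], attacker_of(ev))
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()           # drop failures that aged out of the window
        multiple, too_many = thresholds.get(ev["proto"], DEFAULT_THRESHOLDS)
        for rule, limit in ((38, multiple), (26, too_many)):
            if len(q) >= limit and (key, rule) not in fired:
                fired.add((key, rule))
                alerts.append({"rule": rule, "proto": key[0], "attacker": key[1],
                               "count": len(q), "ts": ev["ts"]})
    return alerts


# Constructed sample log (not real traffic): five SMB failures within seconds against 10.0.0.20,
# one successful SMB logon, and two FTP failures twenty minutes apart.
SAMPLE_LOG = """\
2008-05-12T10:00:01 proto=SMB src=10.0.0.5 dst=10.0.0.20 result=LOGON_FAILED
2008-05-12T10:00:02 proto=SMB src=10.0.0.5 dst=10.0.0.20 result=LOGON_FAILED
2008-05-12T10:00:03 proto=FTP src=10.0.0.7 dst=10.0.0.30 result=LOGON_FAILED
2008-05-12T10:00:04 proto=SMB src=10.0.0.5 dst=10.0.0.20 result=LOGON_FAILED
2008-05-12T10:00:05 proto=SMB src=10.0.0.5 dst=10.0.0.20 result=LOGON_OK
2008-05-12T10:00:06 proto=SMB src=10.0.0.5 dst=10.0.0.20 result=LOGON_FAILED
2008-05-12T10:00:07 proto=SMB src=10.0.0.5 dst=10.0.0.20 result=LOGON_FAILED
2008-05-12T10:20:00 proto=FTP src=10.0.0.7 dst=10.0.0.30 result=LOGON_FAILED
"""

if __name__ == "__main__":
    for a in detect_logon_failures(SAMPLE_LOG.splitlines()):
        print(f"Rule {a['rule']}: {a['proto']} attacker {a['attacker']} ({a['count']} failures by {a['ts']})")
```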
Commonly Triggered Rules
Monitored client is sending out suspicious email. (Rule 29: SMTP Open-Relay access attempt)
• An open mail relay is an SMTP server configured to allow anyone on the Internet to send email through it. This is commonly abused by spammers, and it is recommended to disable it. Some third-party security vendors identify and blacklist SMTP open-relay servers being used to send spam.
• This rule is triggered when an internal host or machine sends an SMTP email where neither the domain of the “sender” nor that of the “recipient” exists in TDA’s registered domains, a common characteristic of “spoofed” emails. Email aliases are considered trusted for this rule.
• This requires that the admin adds all the email domains that the company uses to TDA’s registered domains. Use discretion when adding public domains, or add only those you trust. Note: it is not necessary to register the full domain; the primary domain can also be used as a wildcard.
Commonly Triggered Rules
Monitored client is receiving email with a phishing link. (Rule 72: Email contains a suspicious link to a possible phishing site)
• It is common for a phishing email to contain a hard-coded IP address pointing to the phishing site. Legitimate emails from your bank or e-commerce service would not contain such links.
• This rule is triggered when the domain of the sender’s email address matches our list of commonly phished domains (e.g. Citibank, PayPal, eBay) and the message contains a hard-coded IP address in any form (integer, octal, hexadecimal, etc.).
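The "hard-coded IP address in any form" condition shared by Rule 43 and Rule 72, as an added example (not TDA's own code): the decoder accepts the integer, octal, hexadecimal and short dotted spellings that C inet_aton accepts and normalises each to dotted decimal, and the Rule 72 wrapper adds the sender-domain condition. The phished-domain list, the sample message and the URL syntax are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for TDA's list of commonly phished domains (assumption; the real list is not on the slide).
PHISHED_DOMAINS = {"citibank.com", "paypal.com", "ebay.com"}

# One dotted part: hex (0x..) or a digit run (decimal, or octal when it starts with 0). Up to four parts.
_PART = r"(?:0x[0-9a-f]+|[0-9]+)"
_NUMERIC_HOST = re.compile(rf"^(?:{_PART}\.){{0,3}}{_PART}$", re.IGNORECASE)
_URL = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _part_value(tok: str) -> int:
    """Decode one part with C inet_aton rules: 0x -> hex, leading 0 -> octal, else decimal."""
    t = tok.lower()
    if t.startswith("0x"):
        return int(t[2:], 16)
    if len(t) > 1 and t[0] == "0":
        return int(t, 8)          # raises ValueError on digits 8/9, handled by the caller
    return int(t, 10)


def decode_numeric_host(host: str):
    """Return the dotted-decimal IPv4 address if `host` is a hard-coded IP in any inet_aton
    form (integer, octal, hexadecimal, or short dotted forms); otherwise return None."""
    if not _NUMERIC_HOST.match(host):
        return None
    try:
        parts = [_part_value(p) for p in host.split(".")]
    except ValueError:
        return None
    # inet_aton: every part but the last is one byte; the last part fills the remaining bytes.
    widths = [8] * (len(parts) - 1) + [8 * (5 - len(parts))]
    value = 0
    for part, width in zip(parts, widths):
        if part >= 1 << width:
            return None           # part does not fit, e.g. 256.1.1.1
        value = (value << width) | part
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def hardcoded_ip_links(body: str):
    """Rule 43 condition: every http(s) link in the body whose host is a numeric address,
    returned as (link, decoded dotted-decimal address) pairs."""
    hits = []
    for m in _URL.finditer(body):
        host = urlsplit(m.group(0)).hostname or ""
        decoded = decode_numeric_host(host)
        if decoded:
            hits.append((m.group(0), decoded))
    return hits


def rule_72_phishing_link(sender: str, body: str):
    """Rule 72: fires only when the sender's domain is a commonly phished brand AND the
    message links to a hard-coded IP address. Returns the offending links (empty = no hit)."""
    domain = sender.rsplit("@", 1)[-1].strip("> ").lower()
    if not any(domain == d or domain.endswith("." + d) for d in PHISHED_DOMAINS):
        return []
    return hardcoded_ip_links(body)


# Constructed sample message (not real mail): the same address written four different ways.
SAMPLE_SENDER = "PayPal Security <service@paypal.com>"
SAMPLE_BODY = (
    "Your account is limited. Verify now at http://0xC0.0xA8.0x1.0x1/login "
    "or http://3232235777/login or http://0300.0250.01.01/login "
    "or http://192.168.257/login within 24 hours. Questions? See http://www.paypal.com/help"
)

if __name__ == "__main__":
    for link, addr in rule_72_phishing_link(SAMPLE_SENDER, SAMPLE_BODY):
        print(f"Rule 72: {link} -> {addr}")
```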
Commonly Triggered Rules
Monitored client has malware that is communicating with an external party. (Rule 18: DNS query of a known IRC C&C)
• The Internet Relay Chat (IRC) protocol is commonly used by malicious bots for communication.
• C&C stands for Command & Control. C&C servers are used by bot masters to control botnets. Typically, a bot contacts these servers to receive instructions and updates, in this case using the IRC protocol.
• This rule is triggered when a DNS query is made for a domain that is present in our blacklist of known IRC C&C servers. This happens because “bots” with hard-coded C&C domains need to obtain the respective IP address before establishing a TCP/IP connection.
• In most cases, this gives away the presence of a bot in the network even when the C&C domain has been deactivated.
Commonly Triggered Rules
Monitored client has malware that is communicating with an external party. (Rule 20: Malicious URL access attempt)
• This rule is triggered when a host attempts to access a URL whose URI matches our blacklist of known malicious URIs. These URIs are commonly contacted by malicious downloader applications, adware, malware phone-homes and those that contact scripts used to test HTTP proxies.
• Example:
  http://0001.0168168.cn/VerText.txt (TSPY_DELF.IGU)
  http://0001.6658588.cn/VerText.txt (TSPY_DELF.ILW)
  In the above example, we only need to match the “/VerText.txt” URI to cover these two variants. This also provides the added advantage of detecting more variants, especially if the URI is static.
Commonly Triggered Rules
Monitored client is downloading a suspicious file. (Rule 1: Suspicious file extension for an executable file)
• This rule is triggered when a host attempts to download a file that is determined to be an executable but has an extension of .com, .bat, .pif or .cmd. These file extensions are commonly used to disguise malware.
Commonly Triggered Rules
Monitored client is propagating malware. (outbound)
Monitored client is receiving malware from another client. (inbound)
(Rule 9: Suspicious archive file)
• This rule is triggered when a file contained in an archive attachment in an SMTP or POP3 email has an extension of .com, .bat, .pif or .cmd. These file extensions are commonly used to disguise malware.
Commonly Triggered Rules
Monitored client is downloading a suspicious file. (inbound)
Monitored client is dropping a suspicious file via network share. (outbound)
Monitored client is receiving a suspicious file from another client. (inbound)
Monitored client is sending a suspicious file. (outbound)
(Rule 47: Suspicious packed file)
• Trend's IntelliTrap detection technology heuristically identifies variants of known malware by detecting the use of the popular compression applications that hackers use to create them.
• This rule is most commonly triggered when a host attempts to download a file that is detected by IntelliTrap.
Commonly Triggered Rules
Monitored client is running IRC. (Rule 49: IRC protocol detected)
• The Internet Relay Chat (IRC) protocol is commonly used by malicious bots for communication.
• This rule is triggered when the IRC protocol is detected on an incoming or outgoing connection.
• This does not necessarily signify the presence of a “bot” and could simply be some users chatting via IRC. Consult the company policy on whether such activities are permitted.
• In any case, it is worth checking whether there are other suspicious activities involving those hosts.
Commonly Triggered Rules
Monitored client is hosting an unauthorized service that presents a security risk.
Monitored client is using a protocol on a non-standard port.
(Rule 33: IRC protocol uses non-standard port)
• The Internet Relay Chat (IRC) protocol typically uses a port in the range 6665-6669. It is common for malicious IRC bots to use non-standard ports for their communication; it is now common to see some “bots” communicating via the IRC protocol on port 80 or 8080.
• This rule is triggered when an incoming or outgoing connection is detected using the IRC protocol on a port outside this range. There is still a chance that this is legitimate IRC traffic, but more likely it is “bot” communication.
Commonly Triggered Rules
Monitored client is attempting to access a service using a default account.
Non-monitored client is attempting to access a service using a default account.
(Rule 58: Default Account Usage)
• Many services and applications come with a privileged default account whose password the user is expected to change once installed. Not changing the default password for these accounts poses a risk of unauthorized use. Some blended threats, such as a “bot” or a worm, have been known to spread or probe for such holes.
• This rule is triggered when someone attempts to log in to the default account of an SQL server or a Cisco switch present in the network, regardless of whether the attempt was successful:
  • SQL using the “sa” account with a blank password
  • Cisco using the “cisco” account with the password “cisco”
Commonly Triggered Rules
Monitored client is receiving an email with a suspicious attachment. (Rule 54: Email contains a packed executable in an archive file attachment)
• Trend's IntelliTrap detection technology heuristically identifies variants of known malware by detecting the use of the popular compression applications that hackers use to create them.
• This rule is triggered when an email attachment contains a file detected by IntelliTrap.
Commonly Triggered Rules
Monitored client is propagating malware. (outbound)
Monitored client is receiving an email with a malicious attachment. (inbound)
(Rule 51: Email subject matches malware-used subject and contains an executable file attachment)
• This rule is triggered when an SMTP or POP3 email has a subject commonly used by email worms and contains an executable attachment.
• If outbound, this is indicative of an infection when a host (not an SMTP server) has been detected several times.
• If inbound, this just signifies that your SMTP server has received a new variant of an undetected malware. This can become the source of a new infection.
Commonly Triggered Rules
Monitored client has malware that is communicating with an external party. (Rule 26: IRC session established with a known IRC C&C)
• The Internet Relay Chat (IRC) protocol is commonly used by malicious bots for communication.
• C&C stands for Command & Control. C&C servers are used by bot masters to control botnets. Typically, a bot contacts these servers to receive instructions and updates, in this case using the IRC protocol.
• This rule is triggered when a host connects to an IRC server present in our blacklist of known IRC C&C servers.
• Bot masters have been known to host C&C channels on some public IRC servers. In any case, this is worth investigating.
Commonly Triggered Rules
Hacking attempt. (Rule 25: Host DNS AXFR/IXFR request from a non-trusted source)
• The data contained in an entire DNS zone is sensitive. A hacker with this data could easily plan an attack on your network.
• This rule is triggered when any machine not listed in TDA’s trusted DNS services requests a DNS zone transfer (attempts to download all your DNS information).
• For this rule, the possible attacker is the destination IP address.
Commonly Triggered Rules
Monitored client is propagating malware.
Monitored client is receiving a malicious file through a network share.
(Rule 8: Packed executable file dropped on an SMB administrative share)
• Trend's IntelliTrap detection technology heuristically identifies variants of known malware by detecting the use of the popular compression applications that hackers use to create them.
• Administrative shares are the default network shares created by all Windows NT-based operating systems. These default shares expose every hard drive partition in the system and allow anyone who can authenticate as a member of the local Administrators group access to the root directory of every hard drive on the system.
• Network worms commonly spread by copying themselves to network shares. Advanced network worms use password attacks to take advantage of administrative shares in order to propagate themselves to other hosts joined to the network.
• This rule is triggered when a file detected by IntelliTrap is copied to an administrative share (C$, D$, Admin$).
Commonly Triggered Rules
Monitored client is being attacked by a client from a non-monitored segment.
Monitored client is propagating malware or is a malicious insider.
(Rule 63: Possible Buffer-Overflow attempt detected)
• A buffer overflow is a condition where a process attempts to store more data in a buffer than the buffer is intended to hold. This causes valid data, such as stored variables or program flow data, to be overwritten, which may cause the process to crash or produce undesirable results.
• Buffer overflows can be triggered by malformed inputs that are specifically crafted to execute arbitrary code: code that downloads a malicious file from the internet, or opens a port to execute remote commands.
• This rule is triggered when an RPC (Remote Procedure Call) message is detected to contain a sequence of instructions generally found in buffer-overflow code.
• A good indication that this is malware-related is when the suspected host has been detected with this rule several times, involving connections to different hosts.
Commonly Triggered Rules
Monitored client is being attacked by a client from a non-monitored segment.
Monitored client is propagating malware or is a malicious insider.
(Rule 64: Possible NOP-sled detected)
• NOP (opcode 0x90) is an Intel x86 instruction which stands for “no-operation”. When the CPU encounters such an instruction, it does nothing but move on to the next instruction. A sequence of NOP instructions (also known as a NOP-sled) has been used in buffer-overflow code where the memory address to execute cannot be determined accurately: the padding of NOPs helps slide the execution path to the malicious code.
• This rule is triggered when an RPC (Remote Procedure Call) message is detected to contain a sequence of NOP (no-operation) instructions and thus could be an indication of a buffer-overflow attack.
• A good indication that this is malware-related is when the suspected host has been detected with this rule several times, involving connections to different hosts.
Commonly Triggered Rules
Monitored client is downloading a suspicious file. (Rule 66: Possible Downloader)
• This rule is triggered when the HTTP content downloaded was declared in the response headers to be of another type, such as Shockwave Flash, JPEG, GIF or an Office document, but is actually a Windows executable file. An executable file would normally be declared as an “application” type.
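The true-file-type mismatch that Rule 1, Rule 9 and Rule 66 rely on, as one added example (not TDA's own code): the same MZ/PE header check feeds a disguised-extension check on a downloaded name, an extension-only check on zip archive members, and a declared-Content-Type check on an HTTP response. Treating "executable" as "Windows MZ/PE image" and the list of declared types are assumptions; the sample executable and archive are constructed in the block.

```python
import io
import os
import struct
import zipfile

# Extensions the slides name as commonly used to disguise malware (Rules 1 and 9).
DISGUISE_EXTENSIONS = {".com", ".bat", ".pif", ".cmd"}
# Declared types named for Rule 66: none of them legitimately carries a Windows executable.
NON_EXECUTABLE_TYPES = {"application/x-shockwave-flash", "image/jpeg", "image/gif",
                        "application/msword"}


def is_windows_executable(data: bytes) -> bool:
    """True-file-type check assumed for this example: a DOS 'MZ' header whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature. TDA's own detection is not described here."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def _ext(name: str) -> str:
    return os.path.splitext(name.lower())[1]


def rule_1_suspicious_extension(filename: str, data: bytes) -> bool:
    """Rule 1: the content is an executable but the name carries a disguise extension."""
    return _ext(filename) in DISGUISE_EXTENSIONS and is_windows_executable(data)


def rule_9_suspicious_archive(archive: bytes):
    """Rule 9: members of a zip attachment with a disguise extension (extension only, as the
    slide states; member content is not inspected)."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [n for n in zf.namelist() if _ext(n) in DISGUISE_EXTENSIONS]


def rule_66_possible_downloader(content_type: str, body: bytes) -> bool:
    """Rule 66: the HTTP response declares a non-executable type but the body is an executable."""
    declared = content_type.split(";", 1)[0].strip().lower()
    return declared in NON_EXECUTABLE_TYPES and is_windows_executable(body)


def build_fake_pe() -> bytes:
    """Constructed stand-in for a Windows executable: only the header fields the check reads."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)      # 0x40 bytes of DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)      # e_lfanew -> PE signature right after it
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


def build_sample_zip() -> bytes:
    """Constructed archive attachment: one disguised executable next to a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.pif", build_fake_pe())
        zf.writestr("readme.txt", "nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    print("Rule 1 :", rule_1_suspicious_extension("setup.pif", build_fake_pe()))
    print("Rule 9 :", rule_9_suspicious_archive(build_sample_zip()))
    print("Rule 66:", rule_66_possible_downloader("image/jpeg", build_fake_pe()))
```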
Commonly Triggered Rules
Monitored client is connecting to an unauthorized service that presents a security risk.
Monitored client is hosting an unauthorized service that presents a security risk.
(Rule 40: Rogue service detected)
• Rogue services are security risks in a corporate network as they are generally mismanaged, often lacking compliance with the existing security policies.
• The lack of security patches on these services makes them vulnerable to compromise. The lack of proper configuration, such as authentication, can be a cause of information leaks.
• In some cases, rogue services may be the result of a malware infection: malware infects a system and acts as an SMTP open relay, allowing unsolicited emails such as spam to be relayed from one domain to another, or acts as an SMTP server or client to send spam.
• This rule detects SMTP and DNS services that are not registered in TDA’s registered services. It is usually best to confirm these detections with the customer.
• Domain controllers, by default, have a DNS service active, which needs to be registered in Total Discovery. Failure to do so will result in this rule being unnecessarily triggered.
Thank You (9/16/2014)