The Case for Wire Data: Security (Interacting with the wire)

Quick post today: I want to go over what I noticed over the weekend after reading up on Quantum Insert and how it uses a MOTS (Man-On-The-Side) attack to infect users.

On Saturday, I watched a pretty interesting Bro-Con 2015 presentation from Yun Zheng Hu of Fox-IT.com.

In the presentation, Yun details how you can use Bro to detect Quantum Insert activity by looking on the wire at Layer 4 sequence numbers and at Layer 7 HTTP headers. While I am still working on the Layer 4 surveillance, what I saw in the HTTP headers and payloads was pretty interesting. Basically, the “shooter” has to send back a 302 redirect with a content-length of zero to avoid a malformed HTTP response. As a thought exercise I set up an Application Inspection Trigger to look for this behavior. Using the PCAP they provided, we found the following:

First we set up the inspection trigger to look for a status code of 302 and a content-length of zero on HTTP_RESPONSE.

Results:
Looking at the PCAP from their website, where they inject a redirect from LinkedIn to Fox-IT.com, you can see the redirect in the results, which means we have the ability to report on this type of behavior.

So, as a thought exercise, I took a look at my “hackrificial” VM, which I know has some malware/adware on it, and did some browsing. What I noticed was that at least 2/3 of the sites returned a 302 redirect code coupled with a content-length of zero. Here are a few examples:

tags.bluekai.com: (using POSH VirusTotal script)

Pixel.quantserve.com:

Tap.rubiconproject.com:

r2---sn-a8au-5uae.gvt1.com:

uipglob.semasio.net:
No webutation data, but we did note that it had a malicious file observed in December of 2016.

Now, a 302 with a content-length of zero does not necessarily mean malware, adware or anything like that, but I think it is worth looking into if you have an ExtraHop Discover appliance. More importantly, what I am trying to point out is how ExtraHop allows you to interact directly with the wire to look for specific scenarios. From here you have the following workflows available:

  • Automate a threat intelligence feed that checks these domains and alerts/orchestrates a response to them.
  • Track them in our Session table, keep a count of them and report them in one-minute blocks (instead of each observance) to give you a better idea of your exposure
  • Send them to Splunk or your INFOSEC CSIRT team
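To make the detection concrete, here is the same condition as plain JavaScript run over a few constructed sample responses, with the one-minute per-host counting from the Session-table workflow. This is an added example, not the post's trigger and not ExtraHop's trigger API; the observation shape (host, timestamp in epoch seconds, raw response text) is an assumption made for the demo.

```javascript
// Added example (not the post's or ExtraHop's code): flag HTTP responses that
// are a 302 with Content-Length: 0 and count hits per host in one-minute blocks.
// Parse the status line and headers of a raw HTTP response; the body is ignored.
function parseResponse(raw) {
  const head = raw.split("\r\n\r\n")[0];
  const lines = head.split("\r\n");
  const status = /^HTTP\/\d\.\d (\d{3})/.exec(lines[0]);
  if (!status) return null;                    // not an HTTP response
  const headers = {};
  for (const line of lines.slice(1)) {
    const sep = line.indexOf(":");
    if (sep < 0) continue;
    // header names are case-insensitive, so normalise them
    headers[line.slice(0, sep).trim().toLowerCase()] = line.slice(sep + 1).trim();
  }
  return { statusCode: Number(status[1]), headers };
}

// The trigger condition from the post: status 302 and Content-Length exactly 0.
function isEmptyRedirect(resp) {
  return resp !== null &&
    resp.statusCode === 302 &&
    resp.headers["content-length"] === "0";
}

// Roll matching responses into per-host, one-minute buckets keyed "host@minuteStart".
// `ts` is the observation time in epoch seconds (assumed field for this demo).
function countPerMinute(observations) {
  const counts = {};
  for (const { host, ts, raw } of observations) {
    if (!isEmptyRedirect(parseResponse(raw))) continue;
    const minute = Math.floor(ts / 60) * 60;
    const key = host + "@" + minute;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}
// Constructed sample traffic using hosts named in the post; the redirect target mirrors the Fox-IT PCAP.
const EMPTY_302 = "HTTP/1.1 302 Found\r\nLocation: http://www.fox-it.com/\r\nContent-Length: 0\r\n\r\n";
const SAMPLE = [
  { host: "tags.bluekai.com",     ts: 960,  raw: EMPTY_302 },
  { host: "tags.bluekai.com",     ts: 1000, raw: EMPTY_302 },   // same minute as above
  { host: "tags.bluekai.com",     ts: 1080, raw: EMPTY_302 },   // next minute
  { host: "pixel.quantserve.com", ts: 1005,
    raw: "HTTP/1.1 302 Found\r\nContent-Length: 11\r\n\r\nredirecting" },  // 302 with a body: not flagged
  { host: "pixel.quantserve.com", ts: 1010, raw: "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n" }, // empty but not 302
];

console.log(countPerMinute(SAMPLE));   // { 'tags.bluekai.com@960': 2, 'tags.bluekai.com@1080': 1 }
```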

Other Wire Data Intelligence scenarios:

  • Banking login failure URI
    • How often does it get hit (and thus how often do users fail to log in)?
    • Geolocation of the IPs that failed to log in (I have a small bank in North Carolina that has ten login failures from China?????)
    • Which usernames are consistently failing?
  • Password Reset/New Cookie Banking Login URI:
    • Who was the referrer (has this user been phished?)
    • Geolocation of the IP address (is it appropriate?)
    • Did the user just log in a few days/hours ago? Why do we see a new cookie after they just recently logged in?

The wire will present you with a deluge of data; what a product like ExtraHop does is allow you to set the conditions you want to observe and thread that intelligence into your security practice.

Thanks for reading!

John
