The Hurricane Labs Foundry: Volume 4, Charmed, I’m sure

Welcome to another edition of The Hurricane Labs Foundry! I’m Tony Robinson, one of the senior security operations analysts at Hurricane Labs. The goal of this series is to inform readers about the latest security news and innovation to keep you aware of the latest threats and technology. Additionally, this series discusses various aspects of Splunk deployment, in addition to observations and projects from the Hurricane Labs SOC.

The stories presented here are mostly short digests with links to source material in order for readers to get the full scoop, and additional context as required.

BSidesCharm 2017

Recently I had the good fortune of attending BSidesCharm 2017 as a speaker. I did a 45-minute presentation on the AVATAR project, which garnered a ton of positive feedback. Although I am happy I got a chance to speak, I would like to draw attention to several other talks that I attended over the course of the weekend that, as a network security analyst, I feel could benefit a lot of people.

Robert Lee’s keynote on ICS attack fact and fiction.

This talk was an amazing journey into separating sensationalism from truth in the world of ICS attacks. What was reported on the news versus what actually happened; targeted attacks versus incidental attacks.

Ryan Hays’ talk Weaponizing Splunk: Using Blue Teams for Evil capitalizes on the importance of access control and security in a Splunk environment.

We’re going to take a little bit of time to discuss this talk in depth because it has obvious applications for us as SOC analysts at Hurricane Labs, and to our clients everywhere. The talk boils down to performing regular maintenance on your Splunk deployments, taking the principle of least privilege to heart, and what happens when you do not. This talk discusses things such as:

• Ensuring you are scheduling regular updates of your Search heads, Indexers, and Universal Forwarders across your network.
• Not having Universal Forwarders, Search Heads, or Indexers running as root on Unix/Linux systems, or SYSTEM on Windows systems (e.g. providing least privilege to access the logs you wish to gather on a given system).
• Ensuring that default credentials for the Splunk search head are updated. Typically, on first login, Splunk will prompt you to change the default administrator password from “changeme” to something else, but the interface does NOT force users to change this password. For improved security, it is highly recommended you set a new password.

The talk goes on to demo how easy it is to have an admin user request access to sensitive files on a system you are collecting logs on with little to no warning or notification that this has been done. Hays instructs a search head to request the /etc/passwd file from a server with a Universal Forwarder set up, and later claims that this leaves little to no logging that this task has been performed. Mr. Hays also demos a malicious Splunk application that, when installed, all the attacker has to do is perform a particular query to grant an attacker a bind or reverse shell. Given that a lot of Splunk deployments run as root or SYSTEM, this has the probability to grant users an easy SYSTEM, or root command shell, on a lot of enterprise networks.

While the vast majority of this presentation focuses on Splunk, in reality, these are basic security practices that could affect any enterprise, or any application, including your SIEM. What brings this issue home (especially for us at Hurricane) is that Splunk is a massive data repository. If an attacker gains access to it, it is like handing attackers a diagram of your network. IP address schemes, application versions, and in some cases, even passwords in those application logs, can end up in Splunk (we’ve observed this in the past and have notified customers when we come across it in their deployments). Ensuring that your deployment follows the basic tenants of security is extremely important because of the amount of data at stake.

Hays also discusses how penetration testers can utilize Splunk as a part of their engagements to gather vulnerability scan logs, attack tool logs, enumeration logs from network scanners, password hashes from controlled systems, etc. into one place for easy access during complex engagements.

Sean Metcalf’s presentation on Active Directory threat hunting.

This phenomenal talk goes over common attack vectors on Microsoft Active Directory networks, including the current heavily utilized PowerShell post-exploitation platforms, “kerberoasting”, amongst various other common pivoting techniques that skilled attackers and penetration testers continue to use in this day and age. As well as how defenders of enterprise networks can detect these attacks quickly, simply, and efficiently.

Given that the majority of enterprise networks today are primarily Microsoft Active Directory, this is a valuable talk that teaches defenders on how to find evil in the network with relative ease.

The presentations above were among my highlights. The complete list of videos is already available for your viewing pleasure, courtesy of Adrian “Irongeek” Crenshaw. You can review the full list (including the videos mentioned above) here.

US-CERT issues Alert (TA17-117A)

US-CERT has issued a notification about threat actors compromising IT Service Providers and using that access to pivot into targeted networks in order to gain access to sensitive data. This report, dubbed TA17-117A by US-CERT, is suspected to be reference APT10, a group of threat actors suspected to be tied to China. APT10 is also known as “MenuPass” team.

This campaign, also referred to as “Operation Cloud Hopper”, details how threat actors have been leveraging IT Service Providers (also referred to as MSPs — Managed Service Providers) as a means to pivot into target networks. The reports list out targeted verticals and several indicators of compromise for this campaign that has been said to have gone on from May of 2016 up until April of 2017. US-CERT has an appendix of indicators (in excel spreadsheet format) that can be used to identify these threat actors. Hurricane Labs is currently monitoring for this threat.

Note: One of the IP addresses, 92.242.144.2, is very likely to be a false positive. This IP address belongs to an organization called Barefruit. Barefruit offers a service to internet service providers. If a user requests access to a domain that doesn’t exist, the DNS server typically responds back to the request with an NXDOMAIN response from that DNS server. Some ISPs have elected to use the Barefruit service to hijack these NXDOMAIN responses to serve search responses or ads to users who utilize the ISP’s DNS server.

My thoughts are that a security researcher for US-CERT attempted to query for one of the domains in the domain IOC lists, the domain had already expired, and was utilizing a ISP DNS server somewhere that uses the Barefruit service. If you are attempting to retroactively search through your historical records for these IP addresses and domains, I would suggest removing this IP address from your queries.

Shadowbrokers Release Additional Tools and Exploits (UNIX and Windows)

The Shadowbrokers group, that claimed to have collected NSA tools and implants, have released two more data dumps that were previously being sold for auction. One of these dumps, from the beginning of April, was an encrypted archive that contains a host of Linux and Unix tools, implants and exploits, some of which were identified to have been zero day vulnerabilities. Later that same month, around the Easter holiday, they released an additional encrypted archive containing a host of Windows tools, exploits, and implants.

Hacker Fantastic, of the Hacker House organization, has done a ton of analysis of the both the Unix and Windows Shadowbrokers dumps. Bottom line up front: There were zero day vulnerabilities released for Solaris (to which Oracle has issued a huge batch of security updates for supported editions of the Solaris OS), and several vulnerabilities published for Microsoft Windows (to which Microsoft has issued this release to assist customers in identifying what patches they should apply for supported editions of Windows).

Cisco’s TALOS and Proofpoint’s Emerging Threats have been steadily releasing coverage for various exploits and implants found in the dump over time, but at this time, your best bet is running vulnerability scans on your systems and ensuring that the latest Microsoft, Linux, and Solaris patches have been applied across your enterprise as necessary.

If you want to read up on the history of the Shadowbrokers and their activity, (up until right before the Windows tool dump), riskbaskedsecurity.com did a really good write-up of all their activity on the internet. On the other hand, if you want a copy of the complete Windows, Linux and Firewall toolkits, there are several repositories hosted on GitHub, like this one, that have all of the Shadowbrokers dumps in one location for your own security research.

Review: Investigation Theory

Recently my boss gave me an opportunity to attend a class taught by Chris Sanders, a man with some measure of SOC experience, perhaps most well-known for the his book, Practical Packet Analysis.

This class, Investigation Theory, is focused on teaching the investigation process. As a relatively seasoned security analyst, who has served in Security Operations Centers in the past prior to my employment at Hurricane Labs, I have found this training to be very enlightening.

This training is unique in that there isn’t a focus on the tools analysts have available at their disposal, but a focus on everything else that goes into making a good investigator/analyst. Things that don’t get touched on a lot, such as good communication skills, metacognition (or the study of thought processes that successful analysts use), combating cognitive bias, making sure that evidence is available to support analyst conclusions, generating playbooks, and so much more.

There have been times where I’ve been asked what makes a good SOC analyst, and it’s like Chris put into words all of the things I couldn’t fully express. If you have new SOC analysts who are interested in what it takes to be great, or senior analysts who could do for some training, I highly recommend this course.

As it stands, the price for the class is $597.00 per seat. If this sounds expensive to you, consider that SANS training can run $5,000.00 per seat for a single week on-site and $1,000.00 or more if you want to do online, on-demand training. Let’s not even mention BlackHat trainings, whose prices can also vary wildly, at rates that have never been less than $2000.00 per seat. The cheapest, quality on-site training I have seen is at Derbycon, and the seats are still $1,000.00 per seat.

Chris’ class is structured like an online college course. There are 10 core lectures, and six bonus lectures. The lectures have quiz questions associated with them to test your understanding of the material, and also feature two group discussion questions related to the lecture where you can see responses from your peers. Some of the exercises have a practical scenario exercise through a platform called “Investigation Ninja”, where you are expected to characterize events and search through a simulated network for evidence to support your characterizations. This is the first blue team SOC/IR simulation environment I have ever seen and it was a GREAT experience. I won’t say more than that because I don’t wanna spoil it.

You’re granted access to the investigation ninja training, and the lectures for nearly 3 months. Chris recommends doing 1-2 lectures per week if you’re busy and have other duties. I crammed it and managed to complete the course in about 4 weeks or so with plenty of note-taking and listening to all of the bonus lectures.

While the class is online, Chris takes great strides to not only interact with the students through their lectures and comments on the scenario exercises, but makes sure to be available if you have any questions you need to ask him, just like a professor. I feel like I’ve become a better analyst, capable of asking better questions of myself and the conclusions I’ve drawn and why I have drawn them when responding to incidents and tickets, and I cannot recommend this class enough. If you are interested, sign up at networkdefense.io.

Until next time!

Keep an eye out for Volume 5 and follow us on Twitter @hurricanelabs for updates!