Security Operations Centres Challenges

I have been working with Security Operations Centres (“SOC”) for most of my career in the past 9 years, and I have worn many of the hats available – SOC Analyst -> SIEM Engineer -> IR Specialist -> Threat Intel Lead -> Consultant. As with many other careers and jobs, there are always ups and downs, good times and bad times. My first job as a SOC Analyst was to transition the managed SOC service to a new vendor (the company I was hired by). This felt like a smooth introduction to the world of Security, but little did I know that this was mainly compliance checks and monitoring. Going straight to the point, what I have learned is that after a while you start to pick up on, and more easily recognise, the challenges that are most common in Security Operations.

I tried to categorise the challenges into two main pillars: the most common and the most frustrating. I think many have different experiences, but this is how I would split them up from my point of view. So here it goes, and this is what I usually watch out for.

Most common SOC challenges

  • Alert fatigue and firefighting, with little or no time for critical thinking
  • Reactive vs Proactive attitude
  • Lack of automation and integration
  • Lack of additional data to triage alerts and understand context behind alerts
  • Lack of understanding of the infrastructure and key security controls
  • No clear processes (SOC, IR, CTI, VM etc.)
  • Lack of documentation (service catalogue, operating model, processes and procedures, etc.)
  • Lack of understanding of business mission and crown jewels
  • Lack of understanding of how the business operates – trying to apply generic processes (every environment is different)
  • Lack of understanding of key stakeholders and escalation points
  • Insufficient authority of the SOC and no clear escalation path
  • No effective measurements of SOC performance, metrics focusing on quantity rather than quality
  • Lack of best practices and standards – not using frameworks
  • No dry run exercises/simulations to prepare for the real thing

Most frustrating SOC challenges

  • No business buy-in
  • No strategy from leadership
  • Relying too much on technology rather than people and processes
  • Not enough staff, not enough skilled staff, not enough training and knowledge transfer
  • Acquiring technology without understanding business needs and requirements
  • Duplication of work (siloed teams, lack of a collaboration medium and too many tools doing the same thing)
  • Recruitment and retention strategy – no clear training or career path for junior analysts, ending up in high turnover for the SOC
  • Running too fast without learning to walk first – focusing on advanced capabilities and neglecting the basics
  • Bureaucracy, internal politics and personal agendas

After jotting down some of my points, I started researching resources on the same subject and found the ones below really good.

References

https://www.researchgate.net/publication/347520429
https://www.devo.com/wp-content/uploads/2019/07/2019-Devo-Ponemon-Study-Final.pdf

Where Kill Chain meets Courses of Action – Bank of Bangladesh Heist

After passing my GCTI certification, I said I would go and do a case study on a well-known attack. This would put me to the test, doing the mapping exercise by flying solo. I chose the “Bank of Bangladesh Heist” scenario.

Attack Sector – Financial Services
Attack Type – APT Style
Impact – Financial Loss

Intrusion Summary

Several banks and financial institutions have been attacked by an unknown group of cybercriminals. In all these attacks, a similar modus operandi was used. According to victims and the law enforcement agencies (LEAs) involved in the investigation, this could result in cumulative losses of up to 1 billion USD.

An analysis of the campaign has revealed that the initial infections were achieved using spear phishing emails that appeared to be legitimate banking communications, with Microsoft Word 97 – 2003 (.doc) and Control Panel Applet (.CPL) files attached. We believe that the attackers also redirected to exploit kits website traffic that related to financial activity. The email attachments exploit vulnerabilities in Microsoft Office 2003, 2007 and 2010 (CVE-2012-0158 and CVE-2013-3906) and Microsoft Word (CVE-2014-1761). Once the vulnerability is successfully exploited, the shellcode decrypts and executes the backdoor known as Carbanak. Carbanak is a remote backdoor (initially based on Carberp), designed for espionage, data exfiltration and to provide remote access to infected machines. Once access is achieved, attackers perform a manual reconnaissance of the victim’s networks. Based on the results of this operation, the attackers use different lateral movement tools in order to get access to the critical systems in the victim’s infrastructure. They then install additional software such as the Ammyy Remote Administration Tool, or even compromise SSH servers.

Once the attackers successfully compromise the victim’s network, the primary internal destinations are money processing services, Automated Teller Machines (ATM) and financial accounts. In some cases, the attackers used the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network to transfer money to their accounts. In others, Oracle databases were manipulated to open payment or debit card accounts at the same bank or to transfer money between accounts using the online banking system. The ATM network was also used to dispense cash from certain ATMs at certain times where money mules were ready to collect it.

As part of the attack´s reconnaissance phase, video recordings of the activities of bank employees, particularly system administrators, were made. The videos were sent to the C2 server. Please note that the attackers abused the aforementioned services by impersonating legitimate local users who had the permissions to perform the actions later reproduced by the cybercriminals. As far as we know, none of the aforementioned services were attacked nor was any specific vulnerability within them exploited.

Stolen funds were transferred out of the affected countries to bank accounts in the US and China. Additionally some of the C2 servers have log entries indicating connections to systems located in the US. Telemetry indicates that the attackers are expanding operations to other regions, such as Asia, the Middle-East, Africa and Europe.

Below is the part where I start mapping the techniques to the relevant Kill Chain phases and then do the Course of Action (CoA) mapping. All the mappings would have been easier to read in one table, but formatting here made that difficult. Click the image below for reference on how it should look; the details are in the tables below.

Kill Chain and TTP Mapping

Each Kill Chain (KC) phase is listed with the TTPs observed in the campaign.

Recon / Precursor
  • Gathering info from websites and social media about employees and assets

Weaponisation
  • Malware samples digitally signed (footprintcrsgn.dll, PAExec_Move0.dat, PAExec-6980-PB-FS-01.ex_) by random entities

Delivery
  • Spearphishing to employees
  • Compromised employee mailboxes and systems
  • Drive-by downloads

Exploit
  • CVE-2012-0158 and CVE-2013-3906 (MS Office)
  • CVE-2014-1761 (MS Word)
  • Null (IE & Flash) and RedKit EK (Adobe and Java)
  • Metasploit
  • PsExec
  • Mimikatz

Install
  • Carberp-like malware
  • Copies itself to svchost.exe (under %system32%\com; the original file is then deleted)
  • Creates a service named “<ServiceName>Sys”, where ServiceName is an existing service chosen at random with its first character deleted, to gain autorun privileges
  • Creates a file with a random name and a .bin extension in %COMMON_APPDATA%\Mozilla, where it stores the commands to be executed
  • Sets the TermService service start mode to Auto (to enable RDP)
  • Checks for the banking application BLIZKO (funds transfer software)
  • Ammyy Admin 3.5 as “svchost.exe”
  • PuTTY to connect to C2
  • VNC server (injected into rundll)

C2
  • C2 server IPs (managing some Null and RedKit EK infected bots)
  • Downloads the file kldconfig.plug (includes the names of the processes to be monitored)
  • Sends an ack if the BLIZKO app is installed on the victim
  • Uses HTTP with RC2+Base64 encryption (adds additional characters not included in Base64 and inserts strings with different extensions, e.g. .gif and .htm, at random locations in the HTTP request)
  • Other C2 servers with associated domains
  • SSH using PuTTY
  • Types of C2: Linux (issuing commands and receiving data), Windows (for RDP), backup and drop (hosting exe files) servers

Actions on Objectives
  Malware:
  • Gets the proxy configuration from the registry entry [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
  • Gets the Mozilla Firefox configuration file in %AppData%\Mozilla\Firefox\prefs.js
  • Logs keystrokes and takes screenshots every 20 seconds (via intercepting the ResumeThread call)
  • Enables RDP
  • Modifies executable code in memory in order to allow simultaneous sessions for both remote and local users (termsrv.dll, csrsrv.dll, msgina.dll and winlogon.exe)
  • Sends all collected data to the C2 server and can receive various commands (available in the report)
  Operators:
  • Capture screen video of victim operations
  • Create fake transactions in the victim’s internal databases
  • Insert fraudulent operations in the transaction queue (using the victim’s internal command utilities)
  • Limit the amount of money to its maximum
  • Exfiltrate sensitive bank documents (emails, manuals, crypto keys, passwords etc.)
  • Remotely withdraw cash from ATMs (no malware required on the ATM dispenser)
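The Install-phase behaviours above are concrete enough to turn into host-based detection logic. What follows is an added example written for this post, not code from the original page or from the Kaspersky report. It runs four checks over constructed Sysmon-style events (the field names, the sample events and the list of known services are assumptions for the example): svchost.exe created or started outside System32/SysWOW64 (which also catches Ammyy Admin renamed as svchost.exe), a service whose name is an existing service minus its first character plus the suffix Sys, a .bin file dropped under %COMMON_APPDATA%\Mozilla, and TermService having its Start value set to 2 (SERVICE_AUTO_START).

```python
"""Host-based detections for the Carbanak install behaviours mapped above.
Added example: Sysmon-style field names, sample events and the service list
are assumptions for illustration, not data from the original post."""
import re

# Constructed Sysmon-style events. Event IDs follow Sysmon's numbering:
# 1 = process create, 11 = file create, 13 = registry value set.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},                 # benign
    {"id": 11, "target": r"C:\Windows\System32\com\svchost.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\winword_drop.exe"},  # copy to %system32%\com
    {"id": 1, "image": r"C:\Windows\System32\com\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},                 # runs from that copy
    {"id": 13, "key": r"HKLM\System\CurrentControlSet\Services\poolerSys\ImagePath",
     "value": r"C:\Windows\System32\com\svchost.exe"},                # Spooler -> poolerSys
    {"id": 11, "target": r"C:\ProgramData\Mozilla\4f2a1c.bin",
     "image": r"C:\Windows\System32\com\svchost.exe"},                # command/config file
    {"id": 13, "key": r"HKLM\System\CurrentControlSet\Services\TermService\Start",
     "value": "2"},                                                   # 2 = SERVICE_AUTO_START
    {"id": 13, "key": r"HKLM\System\CurrentControlSet\Services\Dhcp\Start",
     "value": "2"},                                                   # benign
]

# Services that legitimately exist on the host. In production build this from
# an inventory or baseline query; here it is an assumed list.
KNOWN_SERVICES = {"Spooler", "Dhcp", "Dnscache", "TermService", "wuauserv", "EventLog"}

LEGIT_SVCHOST_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
SERVICES_KEY = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\Services\\([^\\]+)\\(\w+)$", re.I)


def svchost_outside_system32(ev):
    """svchost.exe created or started from anywhere but System32/SysWOW64.
    Catches the %system32%\\com copy and Ammyy Admin renamed as svchost.exe."""
    path = ev.get("image", "") if ev["id"] == 1 else ev.get("target", "")
    path = path.lower()
    if not path.endswith(r"\svchost.exe"):
        return False
    return path.rsplit("\\", 1)[0] not in LEGIT_SVCHOST_DIRS


def mangled_service_name(ev):
    """Service named '<ServiceName>Sys', ServiceName being an existing service
    with its first character removed (Spooler -> poolerSys)."""
    m = SERVICES_KEY.match(ev.get("key", "")) if ev["id"] == 13 else None
    if not m:
        return False
    name = m.group(1)
    if not name.endswith("Sys") or name in KNOWN_SERVICES:
        return False
    stem = name[:-3]
    return any(svc[1:] == stem for svc in KNOWN_SERVICES)


def carbanak_command_file(ev):
    """Random-name .bin file under %COMMON_APPDATA%\\Mozilla (ProgramData)."""
    if ev["id"] != 11:
        return False
    target = ev.get("target", "").lower()
    return target.endswith(".bin") and "\\programdata\\mozilla\\" in target


def termservice_set_to_auto(ev):
    """TermService Start value written as 2 (Auto), i.e. RDP being enabled."""
    m = SERVICES_KEY.match(ev.get("key", "")) if ev["id"] == 13 else None
    return (bool(m) and m.group(1).lower() == "termservice"
            and m.group(2).lower() == "start" and str(ev.get("value")) == "2")


RULES = {
    "svchost_outside_system32": svchost_outside_system32,
    "mangled_service_name": mangled_service_name,
    "carbanak_command_file": carbanak_command_file,
    "termservice_set_to_auto": termservice_set_to_auto,
}


def run_detections(events):
    """Return one finding per (rule, event index) that fires, in event order."""
    findings = []
    for idx, ev in enumerate(events):
        for rule, check in RULES.items():
            if check(ev):
                findings.append({"rule": rule, "event": idx})
    return findings


if __name__ == "__main__":
    for finding in run_detections(SAMPLE_EVENTS):
        print(finding, SAMPLE_EVENTS[finding["event"]])
```

The service-name check is the one worth noting: matching on the suffix “Sys” alone would fire on legitimate names, so it requires that the remainder equals a known service with its first character dropped. That is exactly why the rule needs a host inventory or baseline to be useful, and why the Install row of the CoA matrix lists baselining under Discover.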

Course of Action / CoA Mapping

The original matrix has one row per Kill Chain phase and seven columns: Discover, Detect, Deny, Disrupt, Degrade, Deceive and Destroy. Each row is reproduced below with its cells labelled by column.

Recon / Precursor
  Discover:
  • Passive scanning to identify external assets and what information is open to the public (e.g. vulnerable servers, email addresses etc.)
  Detect:
  • Monitor web server logs and other server logs to identify scanning activity from external IP addresses (IPS, WAF, firewall and other security controls can be used to detect unusual activity)
  Deny:
  • Implement well-defined rules to shun external IP addresses which are scanning the servers
  • Close unnecessary open ports
  • Clean Internet-facing assets of confidential information
  • Run a security awareness programme/training with staff to limit what information they post online
  Disrupt:
  • Interrupt scanning activities for a period of time
  Degrade: N/A
  Deceive:
  • Plant false information (e.g. email addresses) on Internet-facing assets; add canaries and honeypots
  Destroy: N/A

Weaponisation
  All columns: N/A

Delivery
  Discover:
  • Log searching for unusual emails containing “.doc” or “.rar” files; also searching for other phishing campaigns
  • Log searching for web requests to unusual domains or non-business domains (e.g. non-categorised domains)
  • Log searching for unusual emails sent from internal employees
  Detect:
  • Detection strategies to identify phishing campaigns given a set of criteria
  • Utilise known-bad IOC feeds (hashes, email addresses) to correlate against email logs and identify phishing campaigns
  • Use existing security controls to track blocked phishing campaigns, e.g. the email gateway
  • Staff training to identify phishing campaigns and report them
  Deny:
  • Block emails which don’t comply with SPF, DKIM and DMARC policies
  • Use security controls, e.g. the email gateway, to block phishing emails
  • Block access to non-categorised websites
  • Implement endpoint protection controls
  • Staff training to identify phishing campaigns
  • Disable macros in MS Office documents
  Disrupt:
  • Quarantine emails
  • Strip email attachments
  Degrade:
  • Re-route suspicious emails
  Deceive: N/A
  Destroy: N/A

Exploit
  Discover:
  • Log searching for vulnerable applications, and for any activity on the network associated with the Null and RedKit exploit kits
  • Log searching for activity related to Metasploit, Mimikatz or PsExec (including blocked activity, which suggests attempts)
  • Regular vulnerability scans against all assets
  Detect:
  • Detection strategies to identify use of Metasploit, PsExec or Mimikatz
  • Use existing security controls to track malicious activity (e.g. an IPS detecting use of a Metasploit exploit module)
  Deny:
  • Robust patching policy for vulnerable assets
  • Disable PsExec
  • Implement application whitelisting
  • Enable DEP, ASLR etc. (have strong Windows security policies)
  Disrupt: N/A
  Degrade: N/A
  Deceive: N/A
  Destroy: N/A

Install
  Discover:
  • Create a baseline of known-good files and search for rare files, anomalies etc.
  • Log searching for RDP tools
  Detect:
  • Detection strategies for copies of svchost.exe under unusual paths
  • Detection strategies for the other behaviours, e.g. “<ServiceName>Sys” service creation, .bin files, enablement of RDP, VNC server in rundll
  • Detection strategies for Ammyy Admin and PuTTY (connections to external IP addresses)
  Deny:
  • Limit user privileges
  Disrupt:
  • Application sandboxing
  Degrade: N/A
  Deceive: N/A
  Destroy: N/A

C2
  Discover:
  • Log searching for beaconing activity to potential C2s
  • Log searching for long or unusual HTTP requests (e.g. with .gif and .htm strings embedded in them)
  • Log searching for HTTP requests to rare domains
  • Log searching for SSH sessions
  • Log searching for connections on unusual ports
  • Log searching for unusual downloads
  Detect:
  • Use existing security controls (e.g. IPS) to track C2 botnet connections (signature-based and time-based behaviour)
  • Detection strategies for the use cases in the Discover column
  Deny:
  • Use security controls (e.g. firewall block) to block C2 connections
  Disrupt:
  • Sandboxing of downloads from the web (e.g. the kldconfig.plug file)
  • IPS signatures to block C2 connections
  Degrade: N/A
  Deceive:
  • Redirection to honeypots
  Destroy: N/A

Actions on Objectives
  Discover:
  • Log searching for high volumes of outbound network traffic
  • Log searching for uploads to domains or over SSH
  • Audit transactions on internal databases and any other operations in the transaction queue
  Detect:
  • Implement DLP detection capabilities
  • Detection strategies to catch data exfiltration
  • Detect back-and-forth C2 communications
  • Detect files with a certain watermark/control marking being sent externally
  Deny:
  • Use security controls (e.g. firewall block) to block C2 connections
  • Block the ability to send files externally (e.g. personal email, cloud storage etc.)
  • Block files being uploaded or sent (alert on watermarked/classified documents)
  Disrupt:
  • Terminate sessions where certain file types are sent outbound over SSH
  • Implement segregation of duties and an I&AM plan
  • Implement password management and vaults (plus a supporting process)
  Degrade:
  • Rate-limit connections based on session length
  Deceive:
  • Redirection to honeypots
  Destroy: N/A
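Three of the Discover items in the C2 and Actions rows above (beaconing, HTTP requests with .gif/.htm strings in odd places, and high outbound volume) can be run over a proxy log in a few dozen lines. The block below is an added example for this post, not the author’s or any vendor’s code; the log format, the sample lines, the 20-second period and the thresholds are assumptions constructed for the example. Beaconing is scored with the coefficient of variation of the gaps between requests for each source/destination pair, and the URI check counts image/HTML “extensions” that are followed by further path characters, which is the shape of the RC2+Base64 requests described in the TTP mapping.

```python
"""Proxy-log detections for the C2 and Actions rows of the CoA matrix.
Added example; the log format and sample lines are constructed for
illustration and are not from the original post."""
import re
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log (assumed format: "<epoch> <src> <dst> <method> <url> <bytes_out>").
# 10.0.5.23 talks to 203.0.113.7 roughly every 20 s with Carbanak-style URIs;
# its intranet traffic is irregular and uses ordinary file extensions.
SAMPLE_LOG = """\
1423900000 10.0.5.23 203.0.113.7 POST http://203.0.113.7/Xk2.gifQm9yaXM=.htmc3/ 612
1423900020 10.0.5.23 203.0.113.7 POST http://203.0.113.7/dG9w.htm!ZXJ5.gif7Q/ 598
1423900040 10.0.5.23 203.0.113.7 POST http://203.0.113.7/aW5k.gifb3ctMTIz.htm$/ 640
1423900061 10.0.5.23 203.0.113.7 POST http://203.0.113.7/c2Nyb24=.htmnb3Q.gif8/ 655
1423900080 10.0.5.23 203.0.113.7 POST http://203.0.113.7/bm90aGlu.gifZw.htm==/ 601
1423900100 10.0.5.23 203.0.113.7 POST http://203.0.113.7/Zm9v.htmYmFy.gifQ/ 623
1423900003 10.0.5.23 10.0.1.10 GET http://intranet/news.htm 0
1423900137 10.0.5.23 10.0.1.10 GET http://intranet/img/logo.gif 0
1423900412 10.0.5.23 10.0.1.10 POST http://intranet/timesheet 2048
1423900015 10.0.5.40 93.184.216.34 GET http://example.com/ 0
"""

LINE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")
# An image/HTML "extension" followed by more path characters, i.e. not a real filename.
EXT_IN_PATH = re.compile(r"\.(?:gif|htm|html|jpg|png)(?=[^/])", re.I)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, src, dst, method, url, nbytes = m.groups()
        events.append({"ts": int(ts), "src": src, "dst": dst,
                       "method": method, "url": url, "bytes_out": int(nbytes)})
    return events


def suspicious_uri(url, min_hits=2):
    """Flag paths where two or more .gif/.htm-style tokens sit mid-path.
    Carbanak sprinkles such strings (and non-Base64 characters) through an
    otherwise Base64-looking blob; a real resource ends with its extension."""
    return len(EXT_IN_PATH.findall(urlsplit(url).path)) >= min_hits


def beacon_candidates(events, min_requests=5, max_cv=0.15):
    """Per (src, dst) pair, flag near-constant gaps between requests.
    cv = stdev/mean of the gaps; human browsing has a cv well above this."""
    stamps = defaultdict(list)
    for e in events:
        stamps[(e["src"], e["dst"])].append(e["ts"])
    hits = []
    for (src, dst), ts in stamps.items():
        if len(ts) < min_requests:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "requests": len(ts),
                         "period_s": round(mean, 1), "cv": round(cv, 3)})
    return hits


def outbound_volume(events, threshold_bytes):
    """Sum bytes sent per pair; pairs at or above the threshold are exfil candidates."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["src"], e["dst"])] += e["bytes_out"]
    return {pair: b for pair, b in totals.items() if b >= threshold_bytes}


def analyse(text, volume_threshold=3000):
    events = parse_log(text)
    return {
        "beacons": beacon_candidates(events),
        "odd_uris": [e["url"] for e in events if suspicious_uri(e["url"])],
        "volume": outbound_volume(events, volume_threshold),
    }


REPORT = analyse(SAMPLE_LOG)

if __name__ == "__main__":
    for key, value in REPORT.items():
        print(key, value)
```

On the constructed log the same pair is flagged by all three checks, which is the point of running them together: a beacon with regular timing, odd URIs and a volume above the host’s norm is a far stronger C2 lead than any single signal. The cv threshold and the byte threshold are the tunables; set them from a baseline of your own proxy data rather than the values used here.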

References

Carbanak APT – The Great Bank Robbery
Lazarus Under the Hood
Carbanak Profile

Hello World! And what motivated me to create this Blog

Hello World

I finally decided to create a website. I want it to be a place where I can post meaningful things about Infosec that the whole world can benefit from. Well, at least this is what I am hoping for, but it’s easier said than done. I will let the next few months dictate what this will turn into.

I wanted to mention in a few words what actually inspired me to do this. A couple of years ago, I read this post from Daniel Miessler on How to Build A Cyber Security Career. Despite ticking off many of the items on that list, there were some other things which made sense to me but which I never got around to doing, such as “having a presence” and “contributing to the community”. But that’s not all of it.

Last year, in July 2019, I went to give a presentation at the University of the West of Scotland as part of NCSC’s CyberFirst UK programme. I did two talks of 30 minutes each, the first to 13 to 16-year-old students and the second to 16 to 19-year-old students (~25 students in each group). In my spiel for the greater good of Cyber Security (or at least that’s what I thought it was), I mentioned how I got to where I was with my current job, the different areas of expertise you can get into and various resources available online that can help guide your path to becoming an information security professional. On one of the slides, I showed the very same resource from Daniel Miessler. So that’s when I thought: “Wait! I am telling these people what to do, but some of the things here I am not doing myself?!”.

My first presentation went fairly well; the younger folks were quite timid and there were only a few questions at the end (we probably spent about 10 minutes on them). With the second group of students, however, we surprisingly stayed on for more than 30 minutes chatting through some of the things they weren’t sure about and additional questions.

I was so impressed that they were genuinely interested, that they were so motivated at such a young age and that they were already on the front foot in Infosec, miles ahead of where I was when I started. There were some funny questions too, such as: “What’s your salary now?” or “Does a Black Hat earn more than a White Hat?” For this second question, I first took it that the student was referring to offensive security such as Pentesting or Red Teaming, but then I thought carefully and realised that he was actually thinking of illegal stuff. At that point I tried to pull them back on track and explained some of the consequences that come with doing illegal things (this is one of the purposes of the CyberFirst programme as well). But even though I was a bit shocked by this, I realised that this is the reality we live in. The student approached me after we finished and explained that it was very difficult for him to land a job at that moment, that he didn’t have all the years of experience employers were looking for and that he had already been rejected several times. I encouraged him and told him that, by staying positive and motivated, it would be just a matter of time until he found his dream job. One of the moderators had to listen to the conversation all the way through and, while rushing us to finish, said I needed to be careful not to influence him negatively. That was the least of my intentions. And I am wondering now whether there was anything more I could have told him or helped him with.

So, with all this said, what I am trying to do now is give a bit back to the community. I started posting and commenting on Twitter a couple of weeks back (maybe not everyone’s cup of tea), but I can already say that this helps me a lot with my confidence and with thinking retrospectively about all of my experiences, and it is something I would encourage everyone to do. Also, if you are reading this and have any questions or are in need of any advice or help, please do reach out to me!

This concludes my story and what motivated me to start writing this blog.