Wednesday, June 1, 2016

snort oinkmaster

Modifying signatures with oinkmaster (lines from oinkmaster.conf):

modifysid 1000000 "\$EXTERNAL_NET" | "!\$HOME_NET"

modifysid 1000001 "\$EXTERNAL_NET" | "![,]"

modifysid 1000001 "\-> any" | "\-> ![]"

disablesid 1000002

DANGER:  Do not leave spaces between the IP addresses when negating a list in modifysid (second line above). Snort's rule parser does not allow spaces inside an IP list, so the rule file fails to load.  The reference for that from the Snort manual is shown below.
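The lines above are oinkmaster.conf directives: modifysid runs a regex substitution over the rule carrying that sid, and disablesid comments the rule out. The following Python is an added example, not code from the post and not oinkmaster's own code. It emulates the four directives on a constructed three-rule file and then checks the result for the exact mistake the DANGER note warns about: whitespace inside a bracketed IP list. The sid numbers are the post's; the rule text and the 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed, and the IP lists the post elides are passed in as parameters.

```python
import re

# Constructed three-rule file (not from the post); the sids match the post's
# oinkmaster lines.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH inbound"; sid:1000000; rev:1;)
alert tcp $EXTERNAL_NET any -> any 3389 (msg:"RDP to anywhere"; sid:1000001; rev:1;)
alert tcp any any -> any 23 (msg:"Telnet anywhere"; sid:1000002; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# A bracketed address or port list, optionally negated: ![10.0.0.1,10.0.0.2]
LIST_RE = re.compile(r"!?\[[^\]]*\]")


def rule_sid(rule):
    """sid of one rule line, or None for blank or comment-only lines."""
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None


def modifysid(rules_text, sid, pattern, replacement):
    """Emulate `modifysid <sid> "pattern" | "replacement"`: one
    s/pattern/replacement/ on the rule carrying that sid.

    `pattern` is a regex, so a literal $ is written \\$ exactly as in the
    post's directives.  `replacement` is inserted literally (no backslash
    processing), so it is written with a plain $ here."""
    out = []
    for line in rules_text.splitlines():
        if rule_sid(line) == sid:
            line = re.sub(pattern, lambda _m: replacement, line, count=1)
        out.append(line)
    return "\n".join(out) + "\n"


def disablesid(rules_text, sid):
    """Emulate `disablesid <sid>`: comment the rule out rather than delete it."""
    out = []
    for line in rules_text.splitlines():
        if rule_sid(line) == sid and not line.lstrip().startswith("#"):
            line = "# " + line
        out.append(line)
    return "\n".join(out) + "\n"


def iplist_errors(rules_text):
    """(sid, list) for every bracketed list that contains whitespace.

    Snort's rule parser does not accept spaces inside an IP or port list, so
    `![10.0.0.1, 10.0.0.2]` makes the whole rules file fail to load."""
    errors = []
    for line in rules_text.splitlines():
        for lst in LIST_RE.findall(line):
            if re.search(r"\s", lst):
                errors.append((rule_sid(line), lst))
    return errors


def apply_post_config(rules_text, src_list, dst_list):
    """Apply the four directives from the post.  The bracketed lists the post
    elides are supplied by the caller, e.g. "[192.0.2.1,192.0.2.2]"."""
    rules_text = modifysid(rules_text, 1000000, r"\$EXTERNAL_NET", "!$HOME_NET")
    rules_text = modifysid(rules_text, 1000001, r"\$EXTERNAL_NET", "!" + src_list)
    rules_text = modifysid(rules_text, 1000001, r"-> any", "-> !" + dst_list)
    return disablesid(rules_text, 1000002)


if __name__ == "__main__":
    good = apply_post_config(SAMPLE_RULES, "[192.0.2.1,192.0.2.2]", "[198.51.100.0/24]")
    bad = apply_post_config(SAMPLE_RULES, "[192.0.2.1, 192.0.2.2]", "[198.51.100.0/24]")
    print(good)
    print("errors in good:", iplist_errors(good))   # []
    print("errors in bad: ", iplist_errors(bad))    # [(1000001, '![192.0.2.1, 192.0.2.2]')]
```

Running iplist_errors over the generated rules file before reloading Snort catches the spaced list at edit time instead of at the next Snort restart, which is when a broken rule file would otherwise surface.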

Friday, May 20, 2016

Blue Team Handbook notes - Categorize cyber attack effects (MITRE)

Performance impact compared with before the event.
System unavailable for a period of time.
Things altered at rest or in transit.
Planting new or fake information into a system.
Unauthorized Use
Resources used by an attacker, or inappropriate use by a person in a position of trust.
Information leaked and used by an attacker.

Tuesday, May 17, 2016

Blue Team Handbook notes - "Lessons Learned" - Step 6

Lessons Learned or Follow-up
Key Steps
Write follow-up report / conduct lessons-learned meeting
IR team writes the full report, checking with SMEs, and follows up on the recommendations.
Key Decisions
Is management satisfied that the incident is closed?
Proceeding forward from Lessons Learned
Management is satisfied that the incident is closed.

Blue Team Handbook notes - "Recovery" - Step 5

Recovery Steps
Key Steps
Verify that systems, applications and databases are operating and free of signs of compromise.
Restore operations
Coordinate the restore window with the business.
Implement monitoring
e.g. Snort, OS integrity checking such as Tripwire, increased router logging, supplemental system and application logging.
Key decisions
Any sign of repeat events?
Proceeding forward from Recovery
No sign of the event or incident repeating.
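The "implement monitoring" step above names OS integrity checking in the style of Tripwire. The following Python is an added example, not from the handbook or the post and not Tripwire's code: it builds a baseline of content hash, permission bits and size for every regular file under a root, then diffs a later baseline against it. The demo runs against a constructed tree in a temporary directory and simulates three changes an intruder typically leaves behind (a planted authorized_keys, a weakened sshd_config, a setuid bit on a binary); the file names and contents are constructed.

```python
import hashlib
import os
import stat
import tempfile


def file_digest(path):
    """SHA-256 of a file, streamed so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (path relative to root, '/'-separated)
    to its content hash, permission bits and size."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are out of scope here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": file_digest(full),
                "mode": st.st_mode & 0o7777,  # includes setuid/setgid/sticky bits
                "size": st.st_size,
            }
    return baseline


def compare(old, new):
    """Added, removed and changed paths between two baselines.  A permission
    change alone (e.g. a new setuid bit) counts as modified."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario in a temp dir: baseline a small fake system tree,
    then apply three changes an attacker typically leaves behind."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel, data, mode=0o644):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            os.chmod(full, mode)
            return full

        put("ssh/sshd_config", b"PermitRootLogin no\nPasswordAuthentication no\n")
        ls_bin = put("bin/ls", b"\x7fELF placeholder binary\n", 0o755)
        put("passwd", b"root:x:0:0:root:/root:/bin/bash\n")
        before = build_baseline(root)

        # Simulated compromise: persistence key, weakened sshd, setuid on a binary.
        put("ssh/authorized_keys",
            b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 attacker@example.invalid\n", 0o600)
        put("ssh/sshd_config", b"PermitRootLogin yes\nPasswordAuthentication yes\n")
        os.chmod(ls_bin, 0o4755)
        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

The baseline is only worth anything if the attacker cannot rewrite it: store it (e.g. as JSON) off the host or on read-only media, and run the comparison from a trusted environment, since root on a compromised box can regenerate a "clean" baseline as easily as it can trojan the binaries.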

Blue Team Handbook notes - "Eradication" - Step 4

Eradication Steps
Key Steps
Root Cause Analysis
Identify and determine the root cause and the execution path, and remove the attacker from the system.
Check for rootkits
·         If a rootkit is suspected, reimage.
·         Reimage the system from the most recent clean backup.
Improve defenses
Improve perimeter, DMZ, network, OS and application defenses everywhere based on the findings.
Perform vulnerability scans
Run VA scans; if the same vulnerability is found elsewhere, eradicate it there too.
Key decisions
Have we hardened the environment enough to reduce potential recurrences?
Proceeding forward from Eradication
IR team and the business are confident that this won't happen again.

Friday, May 6, 2016

Blue Team Handbook notes - "Containment" - Step 3

NIST SP 800-61 combines Containment, Eradication & Recovery into a single phase.

Characteristics which drive follow-on activity
The type of incident determines the action:
Virus infection: control at WAN/ISP; contain LAN/system.
Remote compromise: firewall, network trace, update ACLs.
Data loss: user activity, data breach.
System held hostage: recover from backup & harden the system.
Website defacement: repair & harden.
Domestic espionage: monitor & HR; evidence & civil suit.
International espionage: government support.
Other policy violation: evidence support.
Notification roles: Public Affairs Officer, Media Liaison, university media relations office.
·         Various parties may require notification.
·         Use caution when notifying: the attacker may be an insider.
·         Follow the “need to know” principle in notification.
·         Remain factual & avoid speculation.
Immediate Action
·         Stop the attacker with an ACL or by disabling the account.
·         Avoid changing too much before collecting volatile info.
·         Maintain a low profile; do not tip off the attacker.
Initial data collection: what to gather early?
·         Collect network trace, logs, system volatile info & a memory image.
·         If needed, dd the disk.
Immediate isolation
System or network isolation.
Try to capture memory before shutting down.
Longer-term actions
If the system cannot be taken offline, monitor its network activity after the initial perimeter containment.
Key decisions
1.       Which specific methods will be used to stop the attacker?
2.       What are the risks of continuing operations?
3.       What actions are necessary to mitigate?
Containment step exit criteria
C2 to the attacker is stopped.
Affected systems identified.
Compromised systems' volatile data collected; HDD image collected.

Wednesday, May 4, 2016

Blue Team Handbook notes - "Detection & Analysis" a.k.a. Identification - Step 2

NIST SP 800-61 calls this phase "Detection & Analysis" (a.k.a. Identification).

Initial determination
Determine whether the event is a possible incident before starting IR.
If possible assign two IR people, and log a start time.
Check identification points
Perimeter, DMZ, internal systems, line-of-business apps, and notifications from external sources.
Understand limitations
"No one size fits all": you need a baseline to see what sticks out.
Run through system checklist
Check OS, network device and application-specific logs for suspicious activity.  Analysis should be guided by a checklist to provide a uniform and consistent response.
Perform internal vs. external system & network consistency checks
netstat and tcpdump output must not disagree. Likewise an nmap scan, the process list and memory analysis should all match up; a discrepancy (e.g. a port open on the wire that the host itself does not show) means something is hiding on the system.
Key decisions
1. Is the event an actual incident?
2. Do we watch and learn or pull the plug?
Identification step exit criteria
The assessment has determined that the event constitutes a real incident, so activate the IR process and continue.

Example questions for assessment.
1. Is there a justification for the event not being an incident (e.g. a typo)?
2. Is there a deviation from the norm?
3. How wide is the problem from an availability perspective?
4. Is an RCE vulnerability involved?
5. Is there publicly posted exploit code?
6. Are there any compensating controls?
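The consistency check in the Identification step above (netstat vs. tcpdump, nmap vs. process list vs. memory) compares what the host claims about itself with what an outside observer sees. The following Python is an added example, not from the handbook or the post: it parses a host's own `netstat -tln` listing and a greppable (`-oG`) nmap scan of that host taken from a second machine, and reports ports that are open on the wire but absent from the host's view (a hidden listener, the rootkit case) separately from ports the host shows but the scanner cannot reach (usually a host or upstream firewall). Both outputs are constructed for the example; 192.0.2.10 is a documentation address.

```python
import re

# Constructed host-side view: what `netstat -tln` printed on the suspect box.
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN
"""

# Constructed external view: `nmap -p- -oG - 192.0.2.10` run from another host.
NMAP_GREPPABLE = """\
# Nmap scan initiated as: nmap -p- -oG - 192.0.2.10
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 4444/open/tcp//krb524///, 8443/filtered/tcp//pcsync-https///\tIgnored State: closed (65531)
# Nmap done
"""


def parse_netstat_listeners(text):
    """TCP ports the host says it is listening on, excluding loopback-only
    binds (those are invisible from outside by design, not because of hiding)."""
    listeners = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0].startswith("tcp") and parts[-1] == "LISTEN":
            addr, port = parts[3].rsplit(":", 1)
            if not addr.startswith("127.") and addr != "::1":
                listeners.add(int(port))
    return listeners


def parse_nmap_open(text):
    """TCP ports reported open in greppable nmap output.  Each entry on the
    `Ports:` line is port/state/proto/owner/service/rpc/version/."""
    open_ports = set()
    for line in text.splitlines():
        m = re.search(r"Ports:\s*(.*)", line)
        if not m:
            continue
        for entry in m.group(1).split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                open_ports.add(int(fields[0]))
    return open_ports


def consistency_check(netstat_text, nmap_text):
    """Compare the host's view with the network's view of the same box."""
    host_view = parse_netstat_listeners(netstat_text)
    net_view = parse_nmap_open(nmap_text)
    return {
        # Open on the wire but not in netstat: a hidden listener, investigate as a rootkit.
        "hidden_from_host": sorted(net_view - host_view),
        # In netstat but not reachable: usually a host or upstream firewall, not hiding.
        "not_reachable": sorted(host_view - net_view),
        "consistent": sorted(host_view & net_view),
    }


if __name__ == "__main__":
    for key, ports in consistency_check(NETSTAT_OUTPUT, NMAP_GREPPABLE).items():
        print(f"{key:17s} {ports}")
```

The same idea extends to the other pairs the step lists: `ps` output against a memory image's process list, and the host's own packet capture against a span-port capture. In every case the host is an untrusted witness, so the external source is the one to believe when they disagree.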