During an incident response, you are usually not lucky enough to have months of full packet capture or forensic images of machines. That is not a problem, though, because artifacts for analysis exist throughout your network. I'm speaking specifically about log files. The two data sources that tend to be most useful are web server and proxy logs.
If you think about the most common attack patterns, they are either attacks on poorly configured web sites or phishing/malware downloads. If you are using a proxy server, you will see the phishing traffic, and the web server logs (unless compromised) will hold traces of the attack.
In a typical web server attack you will see traffic from three phases: reconnaissance, attack, and exploit. Reconnaissance traffic can usually be found in log files by looking at the total number of pages viewed per distinct IP. If you see lots of quick, sequential accesses to pages from one address, you can assume it is a scan.
Attack detection could include looking for SQL injection and other escape characters in POST variables. Using PCRE would be a quick way to find that data. These are two I use often:
In this scenario, let's say we see scanning and attacking, and now we will look for the exploit. What you want to look for is pages that have been targeted for SQLi or other misconfigurations. While the site is under attack you will see many hits on the same page, with the bytes per page low or consistent as the attacker tries to compromise it. Then the bytes for that page, as shown in the log file, suddenly increase. This is usually the compromise being successful.
Now we need to look for traces of the exploit. A common method is to upload a new page that provides a remote shell so the attacker can install new code on the site or pivot inside the network. Often you will see a page being uploaded, accessed, and then quickly deleted. You will not easily find the page on the file system because it has been deleted, but a trail of access will remain in the web server logs. To discover this you can create a list of the files that are supposed to be on the web server and diff it against the files accessed in the web server log. I do this with a Python script to speed up the process.
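The three phases above (reconnaissance by request rate per IP, attack by injection tokens in the request, exploit by a jump in bytes served and by diffing accessed paths against the site inventory) as one added Python example. This is not the author's script and the two PCRE patterns mentioned above are not reproduced here; the combined-format log lines, the file inventory, the regex and the thresholds are all constructed for illustration.

```python
"""Web-server log triage: reconnaissance (bursty requests per IP), attack
(SQL-injection-like tokens in the decoded request), exploit (a page served
that is not in the site inventory, and a page whose response size jumps).

Added example with constructed data; not the author's script."""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Apache/nginx "combined" access log line (constructed sample below).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# Illustrative injection indicators (assumed, not the author's patterns):
# quote, SQL comment openers, UNION ... SELECT, and a tautology like OR 1=1.
SQLI_RE = re.compile(r"('|--|/\*|\bunion\b.*?\bselect\b|\bor\b\s+\d+=\d+)", re.I)

SAMPLE_LOG = """\
10.0.0.5 - - [15/Aug/2011:15:22:18 +0000] "GET /index.php HTTP/1.1" 200 5120
10.0.0.5 - - [15/Aug/2011:15:22:18 +0000] "GET /about.php HTTP/1.1" 200 4100
10.0.0.5 - - [15/Aug/2011:15:22:19 +0000] "GET /admin/ HTTP/1.1" 404 310
10.0.0.5 - - [15/Aug/2011:15:22:19 +0000] "GET /backup.zip HTTP/1.1" 404 310
10.0.0.5 - - [15/Aug/2011:15:22:20 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 310
10.0.0.5 - - [15/Aug/2011:15:23:01 +0000] "GET /item.php?id=1' HTTP/1.1" 200 4200
10.0.0.5 - - [15/Aug/2011:15:23:02 +0000] "GET /item.php?id=1%20union%20select%201,2 HTTP/1.1" 200 4200
10.0.0.5 - - [15/Aug/2011:15:23:03 +0000] "GET /item.php?id=1%20union%20select%201,2,3 HTTP/1.1" 200 98000
10.0.0.5 - - [15/Aug/2011:15:25:10 +0000] "POST /upload.php HTTP/1.1" 200 210
10.0.0.5 - - [15/Aug/2011:15:25:12 +0000] "GET /uploads/x.php HTTP/1.1" 200 150
10.0.0.5 - - [15/Aug/2011:15:26:00 +0000] "GET /uploads/x.php HTTP/1.1" 404 310
192.0.2.9 - - [15/Aug/2011:16:10:00 +0000] "GET /index.php HTTP/1.1" 200 5120
192.0.2.9 - - [15/Aug/2011:16:10:01 +0000] "GET /item.php?id=7 HTTP/1.1" 200 4150
"""
# Constructed inventory: the files that are supposed to exist on the site.
INVENTORY = {"/index.php", "/about.php", "/item.php", "/upload.php"}


def parse(log_text):
    """Turn combined-format lines into dicts; lines that do not parse are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        records.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": path,
            "query": unquote(query),            # decode %xx so the regex sees real tokens
            "status": int(m["status"]),
            "bytes": 0 if m["bytes"] == "-" else int(m["bytes"]),
        })
    return records


def scan_suspects(records, window=10, threshold=5):
    """Reconnaissance: largest number of requests any IP made within a sliding
    window of `window` seconds; IPs reaching `threshold` are returned."""
    per_ip = defaultdict(list)
    for r in records:
        per_ip[r["ip"]].append(r["ts"])
    result = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        i, best = 0, 0
        for j, t in enumerate(stamps):
            while (t - stamps[i]).total_seconds() > window:
                i += 1
            best = max(best, j - i + 1)
        if best >= threshold:
            result[ip] = best
    return result


def sqli_hits(records):
    """Attack: requests whose decoded path or query carries injection tokens."""
    return [(r["ip"], r["path"], r["query"]) for r in records
            if SQLI_RE.search(r["path"] + "?" + r["query"])]


def byte_jumps(records, factor=5, min_hits=3):
    """Exploit: pages whose largest response is `factor` times the median
    response for that page, the byte increase described above."""
    sizes = defaultdict(list)
    for r in records:
        sizes[r["path"]].append(r["bytes"])
    return {p: (statistics.median(b), max(b)) for p, b in sizes.items()
            if len(b) >= min_hits and max(b) > factor * statistics.median(b)}


def unknown_paths(records, inventory):
    """Exploit: paths served with 200 that are not in the inventory. A path
    that later returns 404 was created, used and removed by someone."""
    return {r["path"] for r in records
            if r["status"] == 200 and r["path"] not in inventory}


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("scan suspects:", scan_suspects(recs))
    print("injection hits:", sqli_hits(recs))
    print("byte jumps:", byte_jumps(recs))
    print("paths not in inventory:", unknown_paths(recs, INVENTORY))
```

On the sample, the scanner is flagged by its five requests inside ten seconds, the three probes against /item.php match the pattern, /item.php is reported because its 98000-byte response dwarfs the 4200-byte median, and /uploads/x.php is the only successfully served path missing from the inventory; the 404s for /admin/ and similar are scan noise and are deliberately not counted as unknown files.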
Beyond attack detection, looking through log files can help determine whether there is a long-standing compromise. Look at pages by bytes uploaded or downloaded. Should the site allow uploads? Should a single page have gigabytes of data being downloaded? This could be a sign of a tunnel being used to exfiltrate data.
Proxy servers are a wealth of information for incident response. You can perform very similar analysis as with web server logs, but you also gain visibility into beaconing and can look for signs of traffic to known malicious sites. For example, say a spear phishing attack was used against your business. You know the email contains a link to badsite.com/malware.exe. You have responded to the threat by alerting staff not to click the link, but that was after some users may already have checked their email. You can search for the URL in your proxy log, and it will show the internal IP of each host that downloaded it.
Also, by looking at total data transferred in the log files, you can see if internal hosts have been compromised and are being used as tunnels. And by looking at the number of hosts contacted by an individual host, you can see if it is being used for scanning.
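The three proxy-log questions above (who fetched the URL from the phishing email, which internal hosts move an unusual amount of data, which hosts contact an unusual number of distinct destinations) as an added Python example. This is not the author's code; the log lines are constructed in the Squid native access.log layout, and the byte and host-count limits are assumptions to tune for a real network.

```python
"""Proxy-log triage: who fetched a known bad URL, which clients move the most
data through the proxy (possible tunnel), and which clients talk to the most
distinct hosts (possible scanning).

Added example with constructed Squid-native lines:
  time elapsed client action/status bytes method url user hierarchy type"""
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE_PROXY_LOG = """\
1313421738.154    120 192.168.1.120 TCP_MISS/200 512000 GET http://badsite.com/malware.exe - DIRECT/203.0.113.5 application/octet-stream
1313421800.001     80 192.168.1.121 TCP_MISS/200 8200 GET http://www.example.com/ - DIRECT/192.0.2.80 text/html
1313421805.200     70 192.168.1.122 TCP_MISS/200 512000 GET http://badsite.com/malware.exe - DIRECT/203.0.113.5 application/octet-stream
1313422000.000   9000 192.168.1.130 TCP_MISS/200 734003200 GET http://203.0.113.77/sync - DIRECT/203.0.113.77 application/octet-stream
1313422010.000   9000 192.168.1.130 TCP_MISS/200 734003200 GET http://203.0.113.77/sync - DIRECT/203.0.113.77 application/octet-stream
""" + "".join(
    # one client touching twelve different hosts in quick succession (constructed)
    f"13134230{i:02d}.000     10 192.168.1.140 TCP_MISS/404 300 GET http://host{i}.example.net/ - DIRECT/198.51.100.{i} text/html\n"
    for i in range(1, 13)
)


def parse_squid(text):
    """Split native-format lines into the fields the checks below need."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7:
            continue
        records.append({"ts": float(f[0]), "client": f[2], "bytes": int(f[4]),
                        "method": f[5], "url": f[6],
                        "host": urlsplit(f[6]).hostname})
    return records


def who_fetched(records, needle):
    """Spear-phish follow-up: internal IPs whose requests contain the URL."""
    return sorted({r["client"] for r in records if needle in r["url"]})


def heavy_clients(records, limit_bytes=100 * 2**20):
    """Tunnel check: clients whose total bytes through the proxy exceed the limit
    (100 MiB is an assumed starting point)."""
    totals = defaultdict(int)
    for r in records:
        totals[r["client"]] += r["bytes"]
    return {c: b for c, b in totals.items() if b > limit_bytes}


def busy_clients(records, limit_hosts=10):
    """Scan check: clients contacting more than limit_hosts distinct hosts."""
    hosts = defaultdict(set)
    for r in records:
        hosts[r["client"]].add(r["host"])
    return {c: len(h) for c, h in hosts.items() if len(h) > limit_hosts}


if __name__ == "__main__":
    recs = parse_squid(SAMPLE_PROXY_LOG)
    print("fetched the phishing URL:", who_fetched(recs, "badsite.com/malware.exe"))
    print("heavy clients:", heavy_clients(recs))
    print("busy clients:", busy_clients(recs))
```

The URL search is a substring match so that the form in the email (host and path, no scheme) finds the proxied request; the two aggregate checks key on the client IP, which is what you need to hand to whoever owns the machine.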
I find it easier to work with the data if I visualize it: you can sort the log files and pull them into Excel.
You may also want to use the Google Maps API to see where your traffic is coming from and determine whether it is expected.
I like Spotify; it lets me listen to music I would never buy. OK, maybe that is a lie: I would buy it, but I don't want anyone to know. But what kind of load is Spotify putting on my network? Spotify works by leveraging your machine as part of a peer-to-peer (P2P) network. This way Spotify does not have to build a massive content distribution network (CDN) storing millions of files and incurring huge transit fees. What this means to you is that you are now part of the CDN. The reason you can listen to that Def Leppard song is that it is residing on someone else's computer. Initially, when you log in to Spotify, your machine connects to a massive directory server and registers your catalog. This is done on port 4070.

sIP| dIP|sPort|dPort| bytes| sTime|
192.168.1.120|afton.ash.spotify.com |60831| 4070| 897922|2011/08/15T15:22:18.154|
192.168.1.120|agnes.ash.spotify.com|61133| 4070| 12091|2011/08/15T16:19:14.761|
192.168.1.120|agnes.ash.spotify.com|61133| 4070| 48601|2011/08/15T17:19:14.707|
192.168.1.120|agnes.ash.spotify.com|61133| 4070| 14244|2011/08/15T17:49:14.200|
192.168.1.120|daryl.ash.spotify.com |62410| 4070| 10888|2011/08/15T22:37:50.263|

So let's take a look at what we shared out to the world. A good guess is that anything that is TCP, outbound, large, and has a destination port in the ephemeral range is P2P traffic. Ephemeral ports vary by OS, but let's just assume anything over 1024 qualifies.
sIP| dIP|sPort|sPort| bytes| sTime|
192.168.1.120| 188.8.131.52|60874|60874| 90640|2011/08/15T15:25:55.382|
192.168.1.120| 184.108.40.206|60855|60855| 107000|2011/08/15T15:25:00.603|
192.168.1.120| 220.127.116.11|60907|60907| 114460|2011/08/15T15:27:09.252|
192.168.1.120| 18.104.22.168|60905|60905| 29508|2011/08/15T15:27:08.262|
192.168.1.120| 22.214.171.124|60967|60967| 94168|2011/08/15T15:32:50.539|
192.168.1.120| 126.96.36.199|60954|60954| 81867|2011/08/15T15:31:17.395|
192.168.1.120| 188.8.131.52|60881|60881| 29751|2011/08/15T15:26:07.259|
192.168.1.120| 184.108.40.206|60963|60963| 83885|2011/08/15T15:31:41.566|
192.168.1.120| 220.127.116.11|60934|60934| 65755|2011/08/15T15:30:24.836|
192.168.1.120| 18.104.22.168|60831|60831| 897922|2011/08/15T15:22:18.154|
192.168.1.120| 22.214.171.124|61133|61133| 48601|2011/08/15T17:19:14.707|
192.168.1.120| 126.96.36.199|61493|61493| 1093022|2011/08/15T18:39:57.437|
192.168.1.120| 188.8.131.52|61810|61810| 1426769|2011/08/15T21:16:32.268|

This accounted for 3.9 MB of traffic outbound.

Date| Records| Bytes| Packets|
2011/08/07T20:00:00| 13.00| 4163348.00| 20772.00|

As a percentage of total network traffic, what did this P2P traffic account for? There was 4.2 MB of total outbound traffic on the network.

Date| Records| Bytes| Packets|
2011/08/07T20:00:00| 13.00| 4163348.00| 20772.00|

Spotify sharing accounted for 92% of all outbound traffic on the network. That is significant as a percentage, but not in total MB. But what about downloading music? Let's take a look.
sIP| dIP| bytes| sTime|
184.108.40.206| 192.168.1.120| 2866430|2011/08/15T15:25:55.504|
220.127.116.11| 192.168.1.120| 7978617|2011/08/15T15:25:00.652|
18.104.22.168| 192.168.1.120| 5465386|2011/08/15T15:27:09.291|
22.214.171.124| 192.168.1.120| 666742|2011/08/15T15:27:12.319|
126.96.36.199| 192.168.1.120| 3918214|2011/08/15T15:32:50.586|
188.8.131.52| 192.168.1.120| 5034746|2011/08/15T15:31:17.456|
184.108.40.206| 192.168.1.120| 13486|2011/08/15T15:31:06.519|
220.127.116.11| 192.168.1.120| 957622|2011/08/15T15:26:07.355|
18.104.22.168| 192.168.1.120| 3635008|2011/08/15T15:31:41.825|
22.214.171.124| 192.168.1.120| 2569946|2011/08/15T15:30:24.883|
126.96.36.199| 192.168.1.120| 27601|2011/08/15T18:39:57.481|
188.8.131.52| 192.168.1.120| 31602|2011/08/15T21:16:32.357|

This totaled 200 MB of traffic. As a percentage of total traffic that was 17%; 15% of total download, 92% of total upload. Blocking P2P traffic at the firewall level is notoriously difficult, but if you restrict outbound 4070 you prevent users from logging in and keep Spotify off your network. Now why does this matter for infosec? You may not have any issue with Spotify, but you want to increase situational awareness on your network. By looking at the types of traffic on your network you can detect things such as exfiltration, beaconing, and port scanning. At a minimum, to detect whether there is a reverse tunnel or RAT, you can look at your network traffic and determine whether it is associated with Spotify P2P or something else altogether. If you are seeing suspicious inbound traffic, look to see whether that host has registered with a host on port 4070. If the hostname resolves to spotify.com, then you can make some assumptions that it is part of the P2P music sharing service. A sign that the traffic is a tunnel may be a short "heartbeat" connection of a few bytes at intervals with a standard deviation approaching zero, followed by large traffic exchanges.
Be warned that this can lead to false positives: something like Windows Update may routinely check in and then download updates. As before, you will want to look at the traffic. This beaconing traffic is usually characterized by some simple signs: using IP addresses instead of host names, bytes less than 5, and less than 3% of the hosts on the network making connections to that destination. I hope you found this look at Spotify traffic interesting.
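The two heuristics from this post, the P2P guess (TCP, outbound, large, destination port over 1024, as a share of all outbound bytes) and the beacon/tunnel signs (heartbeat flows of a few bytes at intervals whose standard deviation approaches zero, followed by a large exchange, to an IP literal that under 3% of hosts contact), as an added Python example over flow records in the pipe layout shown above. This is not the author's tooling; the records, the internal address range, the host count used for the 3% rule and the byte and interval thresholds are constructed assumptions.

```python
"""Flow-record triage: share of outbound bytes that fit the P2P guess, and
beacon/tunnel candidates with the three signs named above.

Added example with constructed records; not the author's tooling."""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

INTERNAL = ipaddress.ip_network("192.168.1.0/24")   # assumed monitored LAN
NETWORK_HOSTS = 200                                  # assumed host count for the 3% rule

# Constructed records: sIP|dIP|proto|sPort|dPort|bytes|sTime (dIP may be a resolved name).
SAMPLE_FLOWS = """\
192.168.1.120|afton.ash.spotify.com|6|60831|4070|897922|2011/08/15T15:22:18.154
192.168.1.120|198.51.100.10|6|60874|60874|90640|2011/08/15T15:25:55.382
192.168.1.120|198.51.100.11|6|60855|60855|107000|2011/08/15T15:25:00.603
192.168.1.120|198.51.100.12|6|60907|60907|114460|2011/08/15T15:27:09.252
192.168.1.120|www.example.com|6|60920|443|3100|2011/08/15T15:28:00.000
192.168.1.120|ntp.example.org|17|123|123|76|2011/08/15T15:00:00.000
192.168.1.44|203.0.113.9|6|51000|443|4|2011/08/15T15:00:00.000
192.168.1.44|203.0.113.9|6|51001|443|4|2011/08/15T15:05:00.000
192.168.1.44|203.0.113.9|6|51002|443|4|2011/08/15T15:10:00.000
192.168.1.44|203.0.113.9|6|51003|443|4|2011/08/15T15:15:00.000
192.168.1.44|203.0.113.9|6|51004|443|4|2011/08/15T15:20:00.000
192.168.1.44|203.0.113.9|6|51005|443|2400000|2011/08/15T15:20:30.000
"""


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        sip, dip, proto, sport, dport, nbytes, stime = line.split("|")
        flows.append({"sip": sip, "dip": dip, "proto": int(proto),
                      "sport": int(sport), "dport": int(dport), "bytes": int(nbytes),
                      "time": datetime.strptime(stime, "%Y/%m/%dT%H:%M:%S.%f")})
    return flows


def is_ip(addr):
    """True for a dotted address, False for a resolved host name."""
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False


def is_internal(addr):
    return is_ip(addr) and ipaddress.ip_address(addr) in INTERNAL


def p2p_share(flows, large=20000):
    """Bytes matching the P2P guess (TCP, outbound, dPort > 1024, at least
    `large` bytes) against all outbound bytes: (p2p_bytes, outbound_bytes, percent)."""
    outbound = [f for f in flows if is_internal(f["sip"]) and not is_internal(f["dip"])]
    total = sum(f["bytes"] for f in outbound)
    p2p = sum(f["bytes"] for f in outbound
              if f["proto"] == 6 and f["dport"] > 1024 and f["bytes"] >= large)
    percent = 100.0 * p2p / total if total else 0.0
    return p2p, total, percent


def beacon_candidates(flows, small_bytes=5, min_beats=4, max_cv=0.1):
    """Per (sIP, dIP) pair: heartbeat flows of at most small_bytes whose
    intervals have a standard deviation near zero (stdev/mean < max_cv).
    Reports the three signs above plus the bulk bytes around the heartbeats."""
    pairs = defaultdict(list)
    talkers = defaultdict(set)          # dIP -> internal hosts that contacted it
    for f in flows:
        if is_internal(f["sip"]):
            pairs[(f["sip"], f["dip"])].append(f)
            talkers[f["dip"]].add(f["sip"])
    found = {}
    for (sip, dip), fl in pairs.items():
        beats = sorted(f["time"] for f in fl if f["bytes"] <= small_bytes)
        if len(beats) < min_beats:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(beats, beats[1:])]
        mean, sd = statistics.mean(gaps), statistics.pstdev(gaps)
        if mean == 0 or sd / mean >= max_cv:
            continue
        found[(sip, dip)] = {
            "interval": mean, "interval_stdev": sd,
            "ip_literal": is_ip(dip),
            "host_fraction": len(talkers[dip]) / NETWORK_HOSTS,
            "bulk_bytes": sum(f["bytes"] for f in fl if f["bytes"] > small_bytes),
        }
    return found


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("p2p bytes, outbound bytes, percent:", p2p_share(flows))
    print("beacon candidates:", beacon_candidates(flows))
```

The Windows Update style false positive the post warns about is handled by the reported fields rather than by the interval test alone: a legitimate updater shows up with a resolved host name (ip_literal False) and a high host_fraction because most of the network talks to it, while the constructed 203.0.113.9 pair is an IP literal contacted by one host in two hundred, with five 4-byte check-ins exactly five minutes apart and a 2.4 MB exchange right after.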