Cyber Security

Posts

ThreatConnect and Maltego

ThreatConnect® has partnered with Malformity Labs LLC to develop a full transform set that allows for data from ThreatConnect to be integrated with the capabilities of Maltego.

All ThreatConnect customers can take advantage of our partnership with Malformity Labs LLC and use the Maltego transform set through the ThreatConnect®  API and a provided transform server. Customers can use this to:

  • Visualize the relationship between incidents, threats, adversaries, and indicators,
  • Uncover relationships between your private data in ThreatConnect and Community Data,
  • Leverage attributes belonging to indicators and threats to create Maltego graphs without losing any of the contextual data within ThreatConnect, and
  • Pivot from ThreatConnect data and external open source data sources using other transform sets within Maltego.

With more than 100 transforms to query and pivot through ThreatConnect’s data, users can easily model threat and the relationships between malware, domains, IPs, and other indicators to the incidents they were observed in, threats they are associated to, or adversary personas.  The use cases are numerous, but to help illustrate how it works we’ve picked a few scenarios to step through how a customer with access to ThreatConnect’s premium features could quickly visualize content and relationships. Click here to learn more about ThreatConnect’s premium service offerings.

You can click on any image below to view the graph larger. Want more?

Maltego Webinar Training

Take a deep dive into our 100+ Maltego transform set. View the webinar slides here.

Scenario1: Visualizing Incidents tagged with Ukraine

1. Imagine you are an organization that is particularly concerned about Ukraine themed targeting. The first step is to look for any instances of targeting, documented as Incidents, that are tagged with “Ukraine” within the ThreatConnect Subscriber Community.  This yields five results, shown below.

threatconnect-maltego-1

2. For additional high level context, you can then pull all other Tags related to these Incidents. This yields several other interesting results. You have a clear view of several interesting Tags now including multiple matches on the use of CVE-2012-0158. It is notable that all the Incidents are also tagged “Russia” and “Advanced Persistent Threat”.

threatconnect-maltego-2

3. Now, to take a deeper look at the context of the Incidents, you can pull all of their Attributesfrom within ThreatConnect. This yields more in-depth descriptions, sourcing, and write-ups of tactics, techniques, and procedures (TTP’s) used in the Incidents.

threatconnect-maltego-integration-3

4. Since the focus is not on targeting to or from China, you can focus on the Incidents that don’t contain that Tag and are only Ukraine focused. Using Maltego, you can pull all the Indicators associated with the incidents of interest.  This yields six IPs, 27 MD5 hash values (including imphashes), 4 Domains, and 2 URLs, all with their own unique context and associations.

threatconnect-maltego-integration

The indicators found can then be used to for monitoring and detection across the network. You can also continue to pivot to discover other relationship on the Indicators in the ThreatConnect Subscriber Community, in other ThreatConnect public Communities, within your own private organization data in ThreatConnect, or by leveraging other Maltego transforms to look for data sources external to ThreatConnect. The possibilities are endless.

Scenario 2: Pivoting on Malicious Registrants from Reverse Whois data, Passive DNS, and DNS monitoring.

1. In this scenario, you can start by taking a domain registrant email address* whose domains are known to show up as malware callbacks.

threatconnect-maltego-5

2. Next, pivot via a transform to pull the Adversary entity associated with this email address.threatconnect-maltego-6

3. Next, leveraging a running Track on the registrant email address within ThreatConnect, you can discover any second level registered domains associated with that email address. With passive DNS (pDNS) integration you can discover any third level domains that have been observed “in the wild” as well. One transform query on the graph below shows all domains associated to the Adversary. For the sake of the size of the graph, we’re looking at just a small subset of the known domains.

Logo-ThreatConnect-Partner-Maltego

4. Now, you can go even deeper and utilize the DNS resolution monitoring for domain indicators within ThreatConnect to observe any overlap in IP address resolutions with date and time of resolution annotated. This yields 22 IP addresses for the over 80 domains in your subset.

threatconnect-maltego-8

Some of the IP addresses will undoubtedly be parking IPs (such as the loopback 127.0.0.1), but others will show historic trending of use of the IP for Command and Control. Leveraging passive DNS again within ThreatConnect, you could check to see if any other suspicious domains have resolved to these IP addresses and assess them further.

This allows you to not only use these domains and indicators as IOC’s across your network, but you can now proactively monitor known infrastructure such as known Command and Control IP’s, domains, and the registrant address itself for activity. This creates a predictive defense against a known adversary, following their movements using concepts true to the Diamond Model of Intrusion Analysis.

For more information on how you can start taking advantage of the ThreatConnect and Maltego partnership, contact us today.

 

The Foundation of Internet Trust May Be Crumbling - DigiNotar Certificate Authority Breached

Google recently reported the possibility of a Man-In-The-Middle (MITM) attack using fraudulent SSL certificates issued by DigiNotar.  The attack affected people logging into Google’s popular email services from Iran, and google has responded by rejecting all the Certificate Authorities operated by DigiNotar. We now know that Google is not the only possible target of these bogus DigiNotar issued certificates.  Rather DigiNotar certificate signing services, used to create a foundation of trust, had been used maliciously to create many fraudulent SSL certificates. Given DigiNotar’s critical role as a certificate authority, how could this have happened?    What does it mean for the perceived “trust” we’ve become accustomed to in our daily usage of the internet?  Given the attackers success with DigiNotar, the Comodo incident back in March, and the use of digitally signed malware, this appears to be a growing trend.  How can we stop this from happening again and what can you as an internet savvy user do to protect yourself?

The breach of DigiNotar BV has been confirmed through an Interim Report released by Fox IT on the fifth of September, as well as by a flurry of online activity by major Internet browsers. In the report titled “Operation Black Tulip”, Fox IT mentions previous penetration test results from an audit company DigiNotar BV regularly utilized stating “A number of servers were compromised. The hackers have obtained administrative rights to the outside webservers, the CA Server “Relaties-CA” and also to “Public-CA”. Traces of the hacker activity started on June 17th and ended on July 22nd.” According to the report, a total of 531 fraudulent certificates were issued by the attackers.

The report goes on to mention some other key dates and pieces of information:

  • 128 rogue certificates digitally signed by DigiNotar detected on July 19th, revoked immediately.
  • 129 rogue certificated digitally signed by DigiNotar detected on July 20th, revoked on the 21st.
  • No Date Given – DigiNotar implements detection mechanism for invalid serial numbers through OCSP.
  • July 29th, a *.google.com certificate was discovered that had not previously been discovered, revoked immediately.
  • August 30th, Fox IT called in to investigate the incident, and provide mitigation strategies going forward.

According to all reports, the first public mention of this serious breach was not by DigiNotar BV, but rather a user in Iran who was presented with a certificate warning when trying to access https://mail.google.com. His suspicion, as well as other users, drew the attention of Google, who offered the first mitigation strategy, and action against DigiNotar BV by revoking all certificates signed by the CA. Several browser companies immediately followed suite, including Microsoft and Mozilla. Apple has remained close lipped on the issue, most likely due to the fact a bug in the Safari browser will not allow the DigiNotar certificates to be properly revoked.

Right now Google Chrome, IE and Mozilla Firefox have updated their Certificate Revocation Lists (CRLs) to blacklist the DigitNotar signed certificates. Claims by ‘ComodoHacker’ to have access to four additional CAs have prompted Globalsign to stop issuing certificates until they can verify that their infrastructure is secure. And lastly, the Dutch government has stepped into take over DigiNotar’s operations, after Fox IT’s report stated that the official Dutch government CA, PKIOverheid, also run by Diginotar, may also have been compromised.

Still, while the investigation remains ongoing, there are many questions that need answers.

  • Why did DigiNotar BV not notify the proper authorities regarding this breach nearly a month ago?
  • If DigiNotar had notified browser makers immediately, would the follow on invasions of privacy in Iran have happened?
  • How on earth were their most valued, and critical assets so readily available to the outside, and unpatched and outdated?
  • What requirements, policies, standards, and governance do Certificate Authorities need to adhere to, to remain a trusted CA?  For that matter, is there any governance?
  • SSL is the only real technology at this time meant to provide true data integrity, and protection to it’s users on the Internet.  What happens when we cannot count on the CA’s to provide prompt and proper notification, so that we may remain protected? The fact remains that SSL relies on an imperfect trust relationship between Certificate Authorities. Moxie Marlinspike’s presentation from Black Hat 2011, SSL And The Future of Authenticity, details a more distributed alternative.

Okay, so now that you understand the scope of the problem and how bad this is, what can you do to protect yourself?

  • Make sure you browser is up to date
  • Utilize browsers who are taking the necessary steps to protect the users
  • Remain vigilant when browsing secured websites, if you suspect something is amiss, notify the sites abuse or security department immediately with as many details you can document

This and similar past events covered by Cyber Squared where fraudulent certificate signing was involved , makes one wonder if the foundation of Internet trust we have become accustomed, can be trusted in itself.   Although scary, I hope that this serves as a wake-up call that CA’s are targets for sophisticated cyber threats, and that there is currently a lack of policies, standards, and governance that the certificate authorities must adhere to to maintain their “trusted” status.

Malicious Code Goes Mobile

The market store for the Andriod phones has hosted at least 50 different apps that contained malicious software (malware) called DroidDream. The apps loaded with malware ranged from chess apps to photo editing software. At this time the believed methodology of the hackers who performed this activity was to download the official app, inject their malicious code and re-upload the app so unsuspecting users can download the app. This proved to be successful at least 200,000 times over.

Read more

Nasdaq Cyber Attack

Imagine the possibilities for financial gains & loss and potential for worldwide impact if a cyber attacker was able to gain access to  computer systems which run the stock market.   It appears that our adversaries in cyber space are working towards this goal – what are they up to? Read more

The Rise of Digitally Signed Malware

As newer operating systems that either require digitally signed drivers, such as the 64bit version of Vista and Windows 7, or will prompt a user before allowing installation, like the Vista and Windows 7 32bit counterparts, digitally signed malware will become more and more prevalent. FSecure has already noticed this trend. As of July 2010, they had found close to 24,000 examples of digitally signed malware.

Read more

Banks See Increased Cyber Attacks

The Zeus Trojan is in the news once again for its success in stealing money from multiple banks. Eweekeurope.co.uk reported that “Operation Trident Breach”, a FBI named operation, was successful in arresting multiple people in multiple countries. The criminal group using the Zeus Trojan successfully stole up $70 million from US banks and 6 million from UK accounts.

The Trojan can be purchased for as little as a few thousand dollars with other plug-ins being purchased for hundreds of dollars each, including exploits for Windows 7 machines. Such a low cost purchase has yielded a huge return for the cyber criminals, except for the fact they got caught.

Zeus is only the most recent example of a successful Trojan targeting user banking accounts. Luckysploit crimeware kit was used last year in targeting German customers as reported by Finjan Malicious Code Research Center in September 2009.

This is just one report of many that has been released of cyber criminals targeting the banking industry. Banking IT is vulnerable due to the amount of online transactions that take place and the fact that their “network” extends out to their user-base, and therefore client based attacks become a primary concern.