{"id":540,"date":"2013-05-07T10:41:40","date_gmt":"2013-05-07T15:41:40","guid":{"rendered":"http:\/\/www.webadminblog.com\/?p=540"},"modified":"2013-05-07T10:42:30","modified_gmt":"2013-05-07T15:42:30","slug":"combining-tools-for-ultimate-malware-threat-intelligence","status":"publish","type":"post","link":"https:\/\/www.webadminblog.com\/index.php\/2013\/05\/07\/combining-tools-for-ultimate-malware-threat-intelligence\/","title":{"rendered":"Combining Tools for Ultimate Malware Threat Intelligence"},"content":{"rendered":"<p>Last year I gave a talk at a number of different conferences called &#8220;<a href=\"http:\/\/www.irongeek.com\/i.php?page=videos\/bsideslasvegas2012\/1.2.3-josh-sokol-dan-cornellthe-magic-of-symbiotic-security-creating-an-ecosystem-of-security-systems\" target=\"_blank\">The Magic of Symbiotic Security: Creating an Ecosystem of Security Systems<\/a>&#8221; in which I spoke about how, if we can break our security tools out of their silos, they become far more useful.\u00a0 Lately, I&#8217;ve been doing a lot of work at my company in identifying systems infected by malware and getting rid of the infections because, as you are hopefully aware, the presence of malware on your systems is equivalent to hackers on your network.\u00a0 Malware can give the controller backdoor access to the system, allow them to scan the network for other devices to compromise, give them a platform to launch additional attacks from, and enable them to exfiltrate data out of the network.\u00a0 I have a few different tools, which I&#8217;ll highlight later, that do some really cool things on their own, but when you combine their functionality, you open up a whole new world of possibilities.<\/p>\n<p>The first tool that I want to talk about is for malware analysis.\u00a0 In our case this is <a href=\"http:\/\/www.fireeye.com\" target=\"_blank\">FireEye<\/a>, but this could just as easily be Damballa, Bit9, or any other technology that will allow you to identify IP addresses of hosts infected by malware, servers hosting malware objects, and command-and-control servers.\u00a0 Alone, this tool identifies a single client-to-server relationship, but that relationship is a pattern we can use as a template to find similar issues in parts of our environment where we do not have coverage with this device.\u00a0 Now that we have identified the patterns we are looking for, we need a way to discover additional instances of those patterns.\u00a0 This brings me to our second tool.<\/p>\n<p>The second tool is for NetFlow analysis.\u00a0 In case you are unfamiliar with NetFlow, it is a feature of most network devices that creates summary information about the network activity passing through them.\u00a0 It includes the source and destination IP addresses, source and destination ports, protocol, and bytes transferred, but not the payload itself.\u00a0 Specifically, we need a NetFlow analysis tool that is capable of showing us connections between our internal systems and systems on the Internet.\u00a0 In our case, we use a product called <a href=\"http:\/\/www.21ct.com\/products\/lynxeon\/\" target=\"_blank\">LYNXeon<\/a> to do this.\u00a0 Alone, LYNXeon does a good job of allowing us to visualize connections from one system to another, but finding the systems related to malware issues can often be a needle-in-a-haystack search, because NetFlow carries only the summary fields described above.\u00a0 So while our malware connections (downloads and command-and-control) are buried in the NetFlow data, we have no way to identify them inside the NetFlow tool silo.<\/p>\n<p>Now comes the fun part.\u00a0 One of the cool things about the FireEye system is that it allows us to export data, and one of the cool things about the LYNXeon system is that it allows us to import data and tag it.\u00a0 So what we do is, in FireEye, export the list of all systems that we have detected as having been infected by malware.\u00a0 We also export the list of all of the command-and-control servers and malware hosting servers that we have seen connections to.\u00a0 Next, we go into LYNXeon and tell it to import these two lists of IP addresses and tag them with a custom tag that we created called &#8220;FireEye&#8221;.\u00a0 We have now successfully combined these two tools, and the payoff is huge.<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Success #1: Detecting the Spread of Malware on Your Network<\/strong><\/span><\/p>\n<p>Our FireEye system works by executing downloads inside of a virtual machine and analyzing the effect they have on the system.\u00a0 Because the virtual machine doesn&#8217;t always match the target system, in many cases we are only able to tell that a download was malware, not that the malware actually infected the system.\u00a0 Using LYNXeon, however, we can create special queries that will show us all connectivity from the potentially infected system after the time of the malware download.\u00a0 Did the system immediately make connections to other foreign systems on the Internet?\u00a0 Did it start scanning our internal network looking for other hosts to compromise?\u00a0 All this and more is possible now that we have identified a potentially infected system on our network. 
\u00a0Here is a pattern file which I created in LYNXeon to do this:<\/p>\n<p><a href=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2013\/05\/spreading-malware-pql-query.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-548\" alt=\"spreading malware pql query\" src=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2013\/05\/spreading-malware-pql-query-300x186.png\" width=\"300\" height=\"186\" srcset=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2013\/05\/spreading-malware-pql-query-300x186.png 300w, https:\/\/www.webadminblog.com\/wp-content\/uploads\/2013\/05\/spreading-malware-pql-query.png 870w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>And here is the pattern diagram which this query accomplishes:<\/p>\n<p><a href=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2013\/05\/spreading-malware-pql-query-diagram.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-549\" alt=\"spreading malware pql query diagram\" src=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2013\/05\/spreading-malware-pql-query-diagram-300x51.png\" width=\"300\" height=\"51\" srcset=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2013\/05\/spreading-malware-pql-query-diagram-300x51.png 300w, https:\/\/www.webadminblog.com\/wp-content\/uploads\/2013\/05\/spreading-malware-pql-query-diagram-1024x176.png 1024w, https:\/\/www.webadminblog.com\/wp-content\/uploads\/2013\/05\/spreading-malware-pql-query-diagram.png 1416w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Success #2: Finding Other Infected Systems<\/strong><\/span><\/p>\n<p>FireEye appliances aren&#8217;t free and with offices in over 40 countries around the world getting full coverage can get expensive.\u00a0 But, if we can use a handful of appliances to get an idea of where our systems are talking to when 
compromised, then we have data which we can turn around and use in places where we do not have those appliances.\u00a0 Because we are sending NetFlow data from our devices around the world into LYNXeon, we can search for any connections to these common malware servers.\u00a0 No more needle in a haystack.\u00a0 The data is all there, we just needed to know how to look for it. \u00a0Here is a pattern file which I created in LYNXeon to do this:<\/p>\n<p><a href=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2013\/05\/pql-query.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-545\" alt=\"pql query\" src=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2013\/05\/pql-query-300x184.png\" width=\"300\" height=\"184\" srcset=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2013\/05\/pql-query-300x184.png 300w, https:\/\/www.webadminblog.com\/wp-content\/uploads\/2013\/05\/pql-query.png 882w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>And here is the pattern diagram which this query accomplishes:<\/p>\n<p><a href=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2013\/05\/pql-query-diagram.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-546\" alt=\"pql query diagram\" src=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2013\/05\/pql-query-diagram-300x46.png\" width=\"300\" height=\"46\" srcset=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2013\/05\/pql-query-diagram-300x46.png 300w, https:\/\/www.webadminblog.com\/wp-content\/uploads\/2013\/05\/pql-query-diagram-1024x160.png 1024w, https:\/\/www.webadminblog.com\/wp-content\/uploads\/2013\/05\/pql-query-diagram.png 1610w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Success #3: Discovering Other Types of Attacks<\/strong><\/span><\/p>\n<p>Often times our adversaries aren&#8217;t just trying one type of attack and 
giving up when it fails.\u00a0 They are trying every trick in their arsenal to gain and maintain a foothold on your network with whatever method they can.\u00a0 Once we&#8217;ve identified an attacker&#8217;s IP address, we can use our NetFlow data to see all other traffic coming from that IP address.\u00a0 Often, expanding these types of relationships can shed light on other activities they are performing on your network.\u00a0 Perhaps they are performing reconnaissance on your servers?\u00a0 Maybe they are trying to DoS one of your systems?\u00a0 The fact is that once they&#8217;ve been uncovered as a bad guy on your network, you should be wary of all activities performed by them.\u00a0 Maybe even ban their IP address altogether. \u00a0Here is a pattern file which I created in LYNXeon to do this:<\/p>\n<p><a href=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2013\/05\/other-attacks-pql-query.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-550\" alt=\"other attacks pql query\" src=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2013\/05\/other-attacks-pql-query-300x186.png\" width=\"300\" height=\"186\" srcset=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2013\/05\/other-attacks-pql-query-300x186.png 300w, https:\/\/www.webadminblog.com\/wp-content\/uploads\/2013\/05\/other-attacks-pql-query.png 870w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>And here is the pattern diagram which this query accomplishes:<\/p>\n<p><a href=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2013\/05\/other-attacks-pql-query-diagram.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-551\" alt=\"other attacks pql query diagram\" src=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2013\/05\/other-attacks-pql-query-diagram-300x47.png\" width=\"300\" height=\"47\" srcset=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2013\/05\/other-attacks-pql-query-diagram-300x47.png 300w, https:\/\/www.webadminblog.com\/wp-content\/uploads\/2013\/05\/other-attacks-pql-query-diagram-1024x163.png 1024w, https:\/\/www.webadminblog.com\/wp-content\/uploads\/2013\/05\/other-attacks-pql-query-diagram.png 1188w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>So there you have it.\u00a0 By combining our malware analysis using FireEye and our NetFlow analysis using LYNXeon, we have created a hybrid system capable of far more than either of these tools by itself.\u00a0 This is the magic of symbiotic security in action.\u00a0 Our tools become far more powerful when we are able to share data between them.\u00a0 Hopefully you will take that into consideration the next time you are looking at purchasing a security tool.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Last year I gave a talk at a number of different conferences called &#8220;The Magic of Symbiotic Security: Creating an Ecosystem of Security Systems&#8221; in which I spoke about how if we can break our security tools out of their silos, then they become far more useful.\u00a0 Lately, I&#8217;ve been doing a lot of work 
[&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[508,489,70,28],"tags":[480,157,416,532,479,484,342,622,531,227],"class_list":["post-540","post","type-post","status-publish","format-standard","hentry","category-malware-security","category-netflow-networking","category-networking","category-security","tag-21ct","tag-analysis","tag-combine","tag-fireeye","tag-lynxeon","tag-malware","tag-pattern","tag-security","tag-symbiotic","tag-tools"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pfI0c-8I","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/540","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/comments?post=540"}],"version-history":[{"count":7,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/540\/revisions"}],"predecessor-version":[{"id":553,"href":"https:\/\/www.webadminblog.com
\/index.php\/wp-json\/wp\/v2\/posts\/540\/revisions\/553"}],"wp:attachment":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/media?parent=540"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/categories?post=540"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/tags?post=540"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}