You are browsing the archive for Preaching.

Blue ink, Red ink… Purple Heart

April 4, 2020 in Preaching

In the past I was primarily focusing on the bad stuff. All the malware stats I ever posted were based off a substantial corpora of malware samples that I processes both ‘statically’ and ‘dynamically’… These numbers were pretty high for an individual contributor … 12M+ of samples I did static analysis on & 1.5M+ of dynamic analysis reports (shared with community via the most awesome @VXShare)…

Around 3-4 years things changed.

My primary focus moved from collecting malware samples to building a repo of clean samples (not necessarily signed tho!). There are many reasons for this ‘change of a paradigm’, but any respectable sample hoarder can easily recognize these patterns…

  • you can’t hoard all the malware samples anymore
  • it is growing too fast ($$$ for storage, time for post processing & backups), it’s also hard to classify while ROI of collection is no longer that high…
  • there are more and more boring samples (same old, same old + new fads e.g. ransomware).
  • migration in malicious techniques from a purely binary code (exe, dll, cpl) to PowerShell, C#, as well as return of Office Macros & WScript/CScript coding goodness…

The malware of today is often … an obfuscated script. Plus, many analysts don’t even bother to fully understand the internals of malware anymore as long as we can build a quick detection for it & block it…

Coming back to the ‘good samples repo’ thing – there is more …

I got interested in Living off the land and novelty code injection techniques so having access to the CLEAN sampleset made a huge difference – it suddenly opened many new research opportunities that traditional malware corpora doesn’t usually offer anymore…

How?

Legacy code, silly ideas, copypasta from CodeProject, CodeGuru, StackOverflow… the internetz of copypasta overall… drivers, COM DLLs, funny installer executables, custom installers, broken, broken, and even more broken… then debug functions, test functions, internal environment variables that made it to production, phantom DLLs, hardcoded credentials, and many, many more…

What does it mean though?

I think it’s a symptom of me getting more and more interested in the offensive side of things . And I will be probably the last one to admit that… but I kinda like it. I was never a pentester and never really had an itch to scratch to ‘pwn things’, but I really do love novelty tricks and I hope … it shows…

So… a blue teamer with the red team itch … this itch needs to be scratched.

When I realized that… I also realized that there are a lot of benefits to this ‘change of direction’. My defensive persona loves to know all the ‘new’ so I always feel that when I can contribute a new trick or discovery I become (and make others who read that…) a… better defender.

So…

This is… at least in my eyes… the ultimate destiny of anyone on a blue side of things… You will eventually become as red as the red team, and more. Cuz they just primarily focus on the ‘pwn’ bit (and they are right) and we, blue teamers’, need to be crimson-yearning… strong foundation of blue, lots of red desires, and defo more and more purple… Is lavender is the new black?

The Hour Between Dog and Wolf

January 1, 2020 in EDR, Mitre Att&ck, Off-topic, Preaching, Uncategorized

10-15 years ago DFIR / EDR / Threat Hunting were not even a ‘thing’. Apart from law enforcement efforts, and a few consulting companies… there were literally no companies doing this sort of work, and even if they actually did… their focus was primarily on QIRA/QFI (today’s PFI) aka analyzing carding breaches, or analyzing APT attacks targeting US gov and defense contractors.

At that time my big wishful thinking was that if I had at least a snapshot of volatile logs from the system I wanted to analyze I would be already better off as opposed to if I had to look at the content of the HDD image alone.

Many in this field of course agreed, and even more, often led us all by an example, so in the years that followed we went through iterations of different solutions… from basic volatile data acquisition batch/bash scripts, memory acquisition tools, then memory dumpers supported by parsing scripts, and we finally ended up with EDR solutions that feed our log just-in-time and fulfill our needs very well today.

Are we better off tho?

I am wondering…

The emergence of EDR evasions, living of the land techniques, static EDR rule breakers, reemergence of macromalware, new code injection techniques, powershell obfuscations, supported by exploits, fileless attacks, code signed with stolen certificates, supply chain attacks, etc. makes me believe that… EDR is going to be for a host what IDS/IPS ended up being for a network.

At first all we got power drunk with firewall/IDS/IPS/proxy capabilities… few years later though many companies literally ignore alerts from these systems as they generate too much noise.

I see a similar trend with EDR.

By comparison… we are very used to AV generating many alerts (especially when AV is configured in a paranoid and/or ‘heuristic’ and/or reputation-check state), but AV itself is still a pretty high-fidelity business. And we often ignore AV alerts that are lower fidelity.

When EDR joined the alerting battleground we at first thought it is going to add a lot of value. After the few years of experience now we face the very same alert fatigue as we experienced with firewalls, IDS, IPS, AV, and proxy. Same old, same old. Just a different marketing spiel.

Along came Threat Hunting… a discipline that is hard to define, but it somehow got its foundation solidly embedded in many companies thanks to Mitre Att&ck Framework. Today’s definition of Threat Hunting is pretty much ‘the act of Mitre Att&ck implementation in your org’. It is actually far more serious than it sounds because it is far more difficult than many people feel. You get to implement a lot of detection in your own environment. One that almost by definition is poorly managed, doesn’t have a proper asset inventory and enforcement of rules is hard. It’s fu, but it’s VERY tough in practice. Yes, in practice, we walk through all the known Mitre tactics and techniques, we cross-reference them with our own org threat modelling/log situation and then come up with new alerts/dashboards that help us to cherry-pick the bad stuff…. hah… very easy.. it it not…

So…

Now we have tones of alerts from ‘high-fidelity’ alert sources: AV, IDS/IPS, proxy, WAF. Then we have middle/low level fidelity alerts from EDR/AV/IDS/IPS/WAF/proxy. Then we have very FP-prone alerts / dashboards from Threat Hunting activities.

What is next?

I do believe it’s time to go deeper and trace user’s activity on a spyware level. Ouch. Yes. I said it. It’s a very difficult topic from a legal perspective, but imho it’s the only way to link user’s actions to actual events we see on our blinkenlight boxes. If we can establish a solid link between user clicking certain GUI elements, typing certain commands, credentials, etc. it’s only then we can be sure that we can provide a context for events we observe in our logs. I mean.. seriously… if we need to spend a lot of resources trying to link multiple Windows Event Logs together to narrow down activity that could be easily tracked to actual user’s behavior.. then why not doing it the opposite way? Follow the user’s behavior and track it high-level.

It’s not the first time I refer to this topic, but I guess it finally has to be said: you can’t fully monitor the box if you don’t monitor its users activities _fully_.

Welcome to the world of next-gen, panopticon EDR solutions of tomorrow.

And for the record… take any advanced OCR/ICR dictionary software, desktop enhancer, IME, accessibility suite, etc and then you realize that at least for the Windows platform, problem of tracking/monitoring of UI and the data flow as well as user interaction is already solved. Did I mention existing spyware solution used in the Enterprise environment? EDR can be cool, but will never be as cool as a proper keylogger…

Time to hook more APIs EDR vendors…