Creolisation, Tergiversation and Equivocation of IR language

July 20, 2018 in Off-topic, Preaching

There is a lot of fun made of marketing language of infosec. Anyone who is a bit technical knows that it’s a snake oil game that aims at selling at all cost, and the cyber terms coined by the marketing gurus make us all shake our heads (cyber pathogens, cyber Armageddon, cyber Pearl Harbor, cyber 9/11, etc.).

For a change, I’d like to talk about the language of the people working in IR. I find it quite interesting and actually struggle a lot with adapting to use certain terms as they sound quite foreign to me, if not pretentious.

Newcomers entering this field don’t have an easy life, at least from a linguistic perspective. The field is relatively new, many people still enter it by chance, or thanks to their background from their past work in various ‘related’ disciplines: law enforcement, digital forensics, audits, fraud analysis, network engineering, system architecture, reverse engineering, malware analysis, intelligence services, helpdesk, as well as completely unrelated: chemistry, biology, medicine, music, and many other disciplines. They bring their habits, language, points of view, and attitude which I think make an impact on the IR lingo: one that resembles a pompous creole language of sorts.

Many people who came to IR with Digital Forensics experience tend to be very cautious and make lots of statements that are very much aligned with the legal responsibility they encountered as forensic experts testifying in courts. They bring tons of words and statements that often may feel like weasel words to technical people who never experienced the harsh scrutiny witnesses face in court. Hence, we start saying ‘allegedly’, ‘probably’, ‘it would seem’, ‘evidence suggests’, ‘I believe’, etc. more often than in the past. Everything is possible, but… everything is also uncertain.

The non-technical individuals with a background in the military and intelligence brought us a very large corpus of terms that even a few years ago no one in infosec had heard of. There are no more ‘bad guys’, ‘virus writers’, and ‘hackers’. Now we all talk about ‘actors’, ‘adversaries’, ‘intel’, ‘TTPs’, ‘indicators’, ‘HUMINT’, ‘SIGINT’, etc. and since we entered the geopolitics we also have ‘attribution’, ‘nation state actors’, plus ‘red teams’, and ‘blue teams’. And let’s not forget to mention the popular units ‘8200’ or ‘61398’. Oh, and we totally ‘nuke’ things.

Let’s admit it. Compliance guys came up with a lot of good ideas. While many technical people don’t like compliance, or auditors, and they perceive these ‘checkbox activities’ as the core ignorance of this industry, it is really important to highlight that these compliance frameworks do impact organizations in a very positive way. They bring structure, force orgs to create processes introducing accountability, affect the architecture, and change the way they do business. As for the language, we all now know about ‘confidentiality’, ‘integrity’, and ‘availability’, don’t we? We also know about ‘business resilience’, or ‘disaster recovery’. And lo, and behold – we even started thinking more about the business we protect than just looking at the technical aspects of attacks and just eyeballing the blinkenlights. While being a ‘cost center’ it is important to have a bit of a thought about the ‘customer’, and where the monies come from. And in my experience the last bit appears in conversations far more often now than say 10 years ago (in technical circles). Then we have ‘findings’, ‘RFIs’, ‘risk scores’, ‘risk posture’, ‘risk management’, and ‘data in transit’, ‘data at rest’, and lo and behold… ‘security controls’, and ‘acceptable use policy violations’. POS malware brought also a lot of opportunities to discuss ‘magnetic stripe’, ‘track data’, and ATMs. IR is becoming compliance on so many fronts!

Then we have network engineers; even today we can come across guys who use somewhat archaic terms like ‘octets’ for bytes being transmitted in packets. You probably rarely hear of datagrams, but you definitely hear ‘egress’, ‘ingress’, ‘routing’ all the time. Many younger people find these concepts a bit unclear as in 2018 we all tend to think of uploading / downloading, or sending / receiving data, because … well… that’s how the internet works today (in general, I think the mindset of many people entering IR now is on a much higher level of the OSI model than say… in 2000).

Scientific language brought us ‘viruses’ or ‘samples’ of course, but there are now also ‘implants’, ‘payloads’, ‘detonation’, and ‘anomalies’, ‘regression’, ‘machine learning’, ‘clustering’, and ‘graphs’. And then the whole gallery of code names borrowed from the animal kingdom (‘pandas’, ‘bears’, ‘kittens’, ‘tigers’, etc.). We do ‘Proof Of Concepts’, in the ‘labs’, and we work our ideas starting with ‘hypothesis’. And as for the medicine… some time in 2017 there was a Twitter question about the tech terms that have their roots in medicine. I, among others, contributed quite a few answers to that thread. I thought it would be nice to just drop a superset of IR-related terms here:

abort, agent, anatomy (of a virus), anomaly, antiviral, assessment, attack, backbone, backtracking, bacteria, blackout, blue pill, buffer, cell, census, channel, check-up, clone, compress, congestion, contagion, containment, contamination, defect, defense, diagnose, diagnostics, disc, disease, disinfect, dissection, dissemination, DNA, downstream, epidemics, eradication, exercise, extract, gene, genetic, heartbeat, host, hub, hygiene, immune, immunize, implant, indicator, infection, infestation, influenza, inject, injection, inoculation, isolation, lab, life-support, malignant, microbe, monitoring, mutation, nematode, outbreak, patch, pathogen, pathology, patient 0, pattern, penetration, post mortem, probe, prophylactics, quarantine, recovery, red pill, remedies, replication, retrovirus, sample, sanitization, scanning, screen, segment, spread, stat, stop the bleeding, strain (as in malware strain), stress test, subject, system health, tag, test, transmission, trauma, triage, USB condom, vaccine, vector (as in attack vector), virus, vitals, vulnerabilities, worm, x-rays (type of malware scanning), zombie

And last, but not least – let’s not forget about the ‘centrifuges’. Who in infosec would ever imagine talking about stuff like this 10 years ago… ???

Despite all the efforts to stay technical and binary, it would seem that we are more and more vague, indecisive, perhaps way over our heads. We are accidentally ‘jacks of all trades’ in our roles that are dealing with more ambiguity, uncertainty and pure ignorance (our own!**) that needs quick and urgent fixing all the time (**not a fault, just we don’t know everything and we always find something new to learn) than any other IT position.

We are cyber-warriors, cyber-ninjas, white hats, busticati, evangelists, thought leaders, and even celebrity CISOs. But perhaps also, and often without any bad intent, just very lucky career-oriented, fad-driven, over-entitled imposters and… kinda infosec bots. I am confident in my belief that we should wait for more evidence to support my hypothesis, and until then, let’s tentatively agree that IR is an art, and if we lived in ancient Greece, there would be totally a dedicated muse for that.

logman & API Trace & lame anti-tracing trick :)

July 13, 2018 in Archaeology, Malware Analysis, Undocumented Windows Internals

As I explained in my older post, I was playing around with an obscure logman functionality that could be used for API Tracing.

Using these two commands:

logman create api foo -f bincirc -exe c:\windows\notepad.exe -o c:\test\notepad.etl
logman start foo

one can start tracing API calls inside Notepad. The resulting .etl file can then be parsed with ETL Parser – a really cool tool from @HECFBlog’s @nicoleibrahim.

When I came across it I thought API Tracing supported natively by OS is a cool and promising feature. So I thought at first… then I started digging deeper. In particular, I was curious how the functionality was implemented and why it didn’t work on Windows 10. After some poking around I think I found the answers.

The functionality is implemented via Application patching using these SDB databases:

  • c:\WINDOWS\AppPatch\sysmain.sdb – 32-bit Win7
  • c:\WINDOWS\AppPatch\AppPatch64\sysmain.sdb – 64-bit Win 7, at least in theory

When used (the actual mechanism of loading the patch is not known to me at the moment), the system loads the following files into a traced application’s process:

  • c:\WINDOWS\AppPatch\apihex86.dll (win7 32)
  • c:\WINDOWS\AppPatch\AppPatch64\apihex64.dll (win7 64), at least in theory

Example from Windows 7 32-bit:

You will find a couple of other libs loaded inside the process as well.

  • amxread.dll – API Tracing Manifest Read Library – possibly mapping APIs to their description (?) – have not spent too much time on it
  • apilogen.dll – API Tracing Log Engine – it is responsible for the actual trace writes; anyone who has too much time on their hands could try to reverse it and improve the API Trace parser, but it’s probably not worth it

With Windows 64-bit I couldn’t make it work despite ensuring all the commands were run from 64-bit processes; so… the ‘at least in theory’ bits are referring to this problem. In any case, it’s probably an obscure mechanism that is no longer supported; this leads us to…

Question #2

Windows 10 doesn’t seem to support it. I couldn’t make it work either + I don’t see the aforementioned DLLs in any of the Windows subfolders. Well, there you go. A cool functionality that never stood a chance…  oh well…

Last, but not least – here’s your promised anti-* trick:

  • check if your program is loading any of these listed DLLs and abort if any is found. I have added these to the list of naughty libraries even though I know the usefulness is close to nil. Still, what’s documented is better understood.

And one more bit:

When the command to create the API trace is called, the system adds these Registry keys:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\PLA\foo

and

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F95FD9E0-54DB-464C-B379-FF720B10726A}
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F95FD9E0-54DB-464C-B379-FF720B10726A}

It survives the reboot, but the trace needs to be restarted.
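
The DLL names and Registry keys above double as triage artifacts. The following PowerShell check is an added example, not code from the original post: it lists collector sets registered under the PLA task folder and any running process that has one of the tracing DLLs loaded. It assumes an elevated prompt and relies on the Tree key's 'Id' value holding the task GUID; the variable names are illustrative.

```powershell
# Added example: triage a host for the logman API-trace artifacts named in the post.
# Run elevated, from a shell matching the bitness of the processes being checked.
$traceDlls = 'apihex86.dll', 'apihex64.dll', 'amxread.dll', 'apilogen.dll'
$taskCache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'

# 1. Collector sets registered under the PLA task folder (the post's 'foo' lands here).
#    Other logman/perfmon collector sets may appear too, so treat hits as candidates.
$plaTree = Join-Path $taskCache 'Tree\Microsoft\Windows\PLA'
$collectors = @()
foreach ($key in @(Get-ChildItem -Path $plaTree -ErrorAction SilentlyContinue)) {
    # The Tree entry's 'Id' value holds the GUID reused under Tasks\ and Plain\.
    $id = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).Id
    if (-not $id) { continue }          # folder key without a task behind it
    $collectors += New-Object PSObject -Property @{
        Name    = $key.PSChildName
        Guid    = $id
        InTasks = Test-Path -LiteralPath (Join-Path $taskCache "Tasks\$id")
        InPlain = Test-Path -LiteralPath (Join-Path $taskCache "Plain\$id")
    }
}

# 2. Running processes that have any of the tracing DLLs mapped.
$traced = @()
foreach ($proc in Get-Process) {
    try {
        $hits = @($proc.Modules | Where-Object { $traceDlls -contains $_.ModuleName })
    } catch { continue }                # access denied, or the process has exited
    if ($hits.Count -gt 0) {
        $traced += New-Object PSObject -Property @{
            ProcessId = $proc.Id
            Process   = $proc.ProcessName
            Modules   = ($hits | ForEach-Object { $_.FileName }) -join '; '
        }
    }
}

$collectors | Format-Table Name, Guid, InTasks, InPlain -AutoSize
$traced     | Format-Table ProcessId, Process, Modules -AutoSize
```

A collector entry with no matching traced process is consistent with the post's observation that the key survives a reboot while the trace itself has to be restarted.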