Threat Hunting Via Network Traffic Analysis!
Hassan has had the privilege of developing and leading critical security projects at one of the largest Fortune groups in Pakistan, Lakson Group of Companies; he has been a security advisor to Yottabyte Ltd and currently serves as a Principal Threat Researcher at Point0Labs UK.
Time Distribution

Section 1 (10 mins)
• What is threat hunting?
• How do we hunt for threats?
• What is Network Traffic Analysis?
• How do we analyze network traffic?
• TCP packet header

Section 2 (30 mins)
• What are the tools available for network traffic analysis?
• Practical Demo: Building familiarity with Wireshark & ?
• Practical Demo 1 – Trickbot Malware Traffic Analysis
• Lessons learned in light of compliance
• Practical Demo 2 – Qakbot Malware Traffic Analysis

Section 3 (20 mins)
• Case Studies on the biggest security breaches of the 21st Century
• SolarWinds Sunburst breach case study
• Zyxel firewall backdoor case study
• COVID-19 domain registration statistics
• Dark Market's promotional offers during COVID-19
Who is a threat hunter?
Network traffic analysis (NTA) is a method of monitoring network availability and activity to identify
anomalies, including security and operational issues.
Caveats
Attackers know how to blend their traffic with legitimate traffic and only the skilled network traffic analyst
How do we perform network monitoring?
• SPAN ports
• SNMP
• Syslog
• Flow data
• SDEE, etc.
Benefits of Malware Traffic Analysis
• Deeper insight into malware behaviour and the ability to correctly trace technical indicators
• Correctly identify the gaps and holes in existing security control layers
• Greater ROI
Malware vs APT?
APT Case Studies
• Project Sauron
• Plead APT
Tools for Network Traffic Analysis
Analyzing Trickbot – Live Malware Traffic Sample
Trickbot Archeology
Figure 8: Following the HTTP stream for the HTTP request to 144.91.69.195.
Trickbot Pcap. Analysis
Figure 12: Scrolling down to see more TCP connections over port 443 before a successful connection to 187.58.56[.]26 over TCP port 449.
Figure 13: Filtering for the certificate data in the HTTPS/SSL/TLS traffic, then expanding the frame details for the first result under TCP port 449.
In Figure 14, we see the following certificate issuer data used in HTTPS/SSL/TLS traffic to 187.58.56.26 over TCP port 449:
id-at-countryName=AU
id-at-stateOrProvinceName=Some-State
Figure 14: Drilling down to the certificate issuer data on the first result over TCP port 449.
What does a normal certificate issuer look like in legitimate HTTPS/SSL/TLS traffic?
id-at-countryName=US
id-at-stateOrProvinceName=Washington
id-at-localityName=Redmond
id-at-organizationName=Microsoft Corporation
id-at-organizationUnitName=Microsoft IT
id-at-commonName=Microsoft IT TLS CA 2
Figure 15: Certificate data from legitimate HTTPS traffic to a Microsoft domain.
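As an added example (not from the presentation), a small Python check that applies the contrast above: it parses issuer attributes in the id-at-… form Wireshark shows and flags OpenSSL-default values, missing organization/common-name fields, and TLS on a port outside an assumed baseline of 443/8443. The OPENSSL_DEFAULTS table and the port baseline are assumptions; the two issuers are copied from the slides.

```python
# Added example (not from the presentation): flag TLS certificate issuers that look like
# the OpenSSL-default / self-signed issuer in the Trickbot pcap, using issuer attributes
# in the form Wireshark displays them (id-at-<attribute>=<value>).
from typing import Dict, List

# Values OpenSSL's interactive prompts fill in when a test certificate is generated
# without answering them; Trickbot's certificate matched the first two.
OPENSSL_DEFAULTS = {
    "id-at-countryName": "AU",
    "id-at-stateOrProvinceName": "Some-State",
    "id-at-organizationName": "Internet Widgits Pty Ltd",
}
EXPECTED_FIELDS = ("id-at-organizationName", "id-at-commonName")  # present in a real CA issuer
NORMAL_TLS_PORTS = {443, 8443}  # assumed baseline for the environment

def parse_issuer(lines: List[str]) -> Dict[str, str]:
    """Turn 'id-at-countryName=AU' style lines into a dict of issuer attributes."""
    issuer = {}
    for line in lines:
        key, sep, value = line.strip().partition("=")
        if sep:
            issuer[key] = value
    return issuer

def issuer_findings(issuer: Dict[str, str], dst_port: int) -> List[str]:
    """Return the reasons an issuer/port pair is suspicious; an empty list means it looks normal."""
    findings = []
    defaults_hit = [k for k, v in OPENSSL_DEFAULTS.items() if issuer.get(k) == v]
    if defaults_hit:
        findings.append("openssl-default-issuer:" + ",".join(defaults_hit))
    missing = [f for f in EXPECTED_FIELDS if f not in issuer]
    if missing:
        findings.append("missing:" + ",".join(missing))
    if dst_port not in NORMAL_TLS_PORTS:
        findings.append(f"nonstandard-tls-port:{dst_port}")
    return findings

# Constructed inputs copied from the two issuers shown in the slides.
TRICKBOT_ISSUER = ["id-at-countryName=AU", "id-at-stateOrProvinceName=Some-State"]
MICROSOFT_ISSUER = [
    "id-at-countryName=US", "id-at-stateOrProvinceName=Washington",
    "id-at-localityName=Redmond", "id-at-organizationName=Microsoft Corporation",
    "id-at-organizationUnitName=Microsoft IT", "id-at-commonName=Microsoft IT TLS CA 2",
]

if __name__ == "__main__":
    for label, lines, port in (("187.58.56.26:449", TRICKBOT_ISSUER, 449),
                               ("Microsoft:443", MICROSOFT_ISSUER, 443)):
        print(label, issuer_findings(parse_issuer(lines), port) or "looks normal")
```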
The Trickbot-infected Windows host will check its IP address using a number of different IP address checking sites. These sites are not malicious, and the traffic is not inherently malicious.
api.ip.sb
checkip.amazonaws.com
icanhazip.com
ident.me
ip.anysrc.net
ipecho.net
ipinfo.io
myexternalip.com
wtfismyip.com
Figure 16: IP address check by the infected Windows host, right after HTTPS/SSL/TLS traffic over TCP port 449. Not inherently malicious, but this is part of a Trickbot infection.
A Trickbot infection currently generates HTTP traffic over TCP port 8082. This traffic sends information from the infected host, such as system information and passwords from the browser cache and email clients, to the command and control servers used by Trickbot.
Figure 17: HTTP traffic over TCP port 8082 caused by Trickbot.
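As an added example (not from the presentation), a Python correlation that ties together the sequence described in the last two slides: TLS to port 449, an IP-address check against one of the sites listed above, then HTTP to TCP port 8082 from the same internal host. The Conn record, the 120-second window and the sample flows are constructed; only 187.58.56.26:449, the site list and the port numbers come from the slides.

```python
# Added example (not from the presentation): per internal host, correlate the Trickbot
# sequence the slides describe: TLS to port 449, external IP lookup, HTTP to TCP 8082.
from collections import defaultdict
from typing import Dict, List, NamedTuple

class Conn(NamedTuple):
    ts: float   # seconds since capture start
    src: str    # internal host
    dst: str    # server IP
    dport: int
    proto: str  # "tls" or "http"
    host: str   # TLS SNI or HTTP Host header, "" when absent

IP_CHECK_SITES = {"api.ip.sb", "checkip.amazonaws.com", "icanhazip.com", "ident.me",
                  "ip.anysrc.net", "ipecho.net", "ipinfo.io", "myexternalip.com", "wtfismyip.com"}
TRICKBOT_TLS_PORTS = {449}
EXFIL_PORT = 8082
WINDOW = 120.0  # max seconds between stages (assumed tuning value)

def find_trickbot_chains(conns: List[Conn]) -> Dict[str, List[str]]:
    # Returns {src host: [stage descriptions]} for hosts showing all three stages in order.
    by_src = defaultdict(list)
    for c in sorted(conns, key=lambda c: c.ts):
        by_src[c.src].append(c)
    hits = {}
    for src, flows in by_src.items():
        stages: List[str] = []
        last_ts = 0.0
        for c in flows:
            n, recent = len(stages), c.ts - last_ts <= WINDOW
            if n == 0 and c.proto == "tls" and c.dport in TRICKBOT_TLS_PORTS:
                stages.append(f"tls {c.dst}:{c.dport}")
            elif n == 1 and recent and c.host in IP_CHECK_SITES:
                stages.append(f"ipcheck {c.host}")
            elif n == 2 and recent and c.proto == "http" and c.dport == EXFIL_PORT:
                stages.append(f"http-exfil {c.dst}:{c.dport}")
            if len(stages) > n:  # a stage matched: advance the clock
                last_ts = c.ts
                if len(stages) == 3:
                    hits[src] = stages
                    break
    return hits

# Constructed sample flows (198.51.100.x / 203.0.113.x are documentation ranges); 187.58.56.26:449 is from the slides.
SAMPLE = [
    Conn(0.0, "10.0.0.5", "198.51.100.1", 443, "tls", "login.microsoftonline.com"),
    Conn(5.0, "10.0.0.5", "187.58.56.26", 449, "tls", ""),
    Conn(6.5, "10.0.0.5", "198.51.100.2", 80, "http", "icanhazip.com"),
    Conn(9.0, "10.0.0.5", "203.0.113.10", 8082, "http", "203.0.113.10"),
    Conn(1.0, "10.0.0.7", "198.51.100.3", 80, "http", "ipinfo.io"),  # lone check: benign
]
```

Run `find_trickbot_chains(SAMPLE)` to see that only 10.0.0.5 is reported; a lone IP check (10.0.0.7) or a stage arriving outside the window does not trigger.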
Figure 18: Login credentials stolen by Trickbot from the Chrome web browser. This data was sent by the Trickbot-infected host using HTTP traffic over TCP port 8082.
Figure 19: System data sent by a Trickbot-infected host using HTTP traffic over TCP port 8082. It starts with a list of running processes.
Figure 20: More system data sent by a Trickbot-infected host using HTTP traffic over TCP port 8082.
Figure 23: Simplified flow chart for Emotet with Trickbot activity.
• Enable CMD and PowerShell command-line logging and forward the logs to a SIEM for audit trails.
• Disable the use of SMBv1 across the network and require at least SMBv2 to harden systems against the network propagation modules used by TrickBot.
• Adhere to the principle of least privilege; limit administrative credentials to designated administrators.
Incident Response – if a trickbot infection is identified
• Disable Internet access at the affected site to help minimize the extent of exfiltration of credentials associated with external, third-party resources.
• Review impacted subnets to identify multi-homed systems which may adversely impact containment efforts. Also, consider temporarily taking the network offline to perform identification, prevent reinfections, and stop the spread of the malware.
• Identify, shut down, and take the infected machines off the network.
• Heighten monitoring of SMB communication or outright block it between workstations, and configure firewall rules to only allow access from known administrative servers.
• Assess the need to have port 445 (SMB) open on systems and, if required, consider limiting connections to only specific, trusted hosts.
• Start with remediation of multi-homed systems (e.g. Domain Controller, File Server) as these can communicate across Virtual Local Area Networks (VLANs) and can be a potential means for spreading malware.
• Create clean VLANs that do not have access to infected VLANs. After the systems have been reimaged or restored from a known good backup, place them on the clean VLAN.
• Do not log in to infected systems with domain or shared local administrator accounts. This is the best remediation strategy since TrickBot has several ways of gaining access to credentials.
• As TrickBot is known for scraping both domain and local credentials, it is recommended that a network-wide password reset take place. This is best done after the systems have been cleaned and moved to the new VLAN, so that the new passwords are not scraped by the malware.
• Apply host-based isolation via Windows Firewall Group Policy Objects (GPOs), host-based intrusion detection system/network intrusion detection system (HIDS/NIDS) products, a Private Virtual Local Area Network (pVLAN), or similar means to help mitigate propagation.
• Determine the infection vector (patient zero) to determine the root cause of the incident.
Analyzing Qakbot Malware – Live Malware Traffic Sample
Analyzing XMRig Miner – Live Malware Traffic Sample
Organization | Breach Impact | How Hacked?
Yahoo | 3 billion | Employees were targeted via spear-phishing attacks.
Target | 110 million | A vendor was infected via an email phishing campaign and used to pivot into the network.
Sony PlayStation | 77 million | A system administrator's PC was compromised to steal the sensitive info; systems were running obsolete and outdated versions.
JP Morgan Chase Bank | 76 million | An employee's personal computer was compromised; the employee used VPN access to connect to the corporate network from home.
SolarWinds Sunburst Breach Case Study
SolarWinds Sunburst Security Breach
• On Sunday, December 13, SolarWinds announced that updates to its leading network management software, Orion, shipped to customers from March 2020, contained malware.
• Malware distributed through SolarWinds Orion software updates infected the networks of the White House, the DOJ, the State Department, NASA, the NSA, the military, the top IT and telecommunications companies, and most of the Fortune 500 companies. In total, up to 18,000 large entities have been infected by the malware.
• The perpetrators of this malware attack were SolarWinds employees, not any outside party.
• The claim that the alleged nation-state is Russia was made by the media without any evidence.
• The suspicions against Russia within cyber security circles are strong. Russia has relatively little leverage over the tech companies in the US.
• Additionally, SolarWinds develops its products and/or provides support from countries which are difficult for Russia to infiltrate (including Singapore and the Philippines). The Russian government denies any involvement.
Dissecting the SolarWinds Malware (APT)
UNC2452 APT Capabilities
UNC2452 / SolarStorm ATT&CK Kill Chain
How to protect yourself from SunBurst?
• Determine whether your organization uses the SolarWinds Orion software.
• Isolate external access to and from the SolarWinds Orion system, keeping it limited to internal environments only.
• Review your logs from June 2020 to date and perform Indicators of Compromise (IoC) sweeps for the SunBurst breach.
• Implement SunBurst detection rules (e.g. YARA, Snort) on your security devices: IDS, SIEM, endpoint protection and EDR.
Zyxel Firewall Backdoor Case Study
• Affected Version
Vulnerable firmware of Patch 0 has been removed from the Zyxel site and replaced with Patch 1.
How to protect yourself from CVE-2020-29583?
• Apply patch 4.60 (Patch 1) immediately or remove the 'zyfwp' account from your firmware.
• Perform an access rights review on a quarterly basis, revoking unused accounts.
• Make sure generic user IDs and passwords are not used by any means.
Cyber Threat Landscape In COVID-19
2. Ensure only authorized devices are used for official work purposes.
3. The connection between the computer and the corporate network must be secured by a VPN (Virtual Private Network) at all times.
4. Passwords used to access corporate services, and those we use in general, must be complex and difficult to guess in order to avoid being compromised. Preferably use MFA.
5. Configure and test host-based firewalls on each endpoint and harden systems.
6. Monitoring of systems, networks, applications and users, together with services to respond to and remedy the problems that may arise, is essential to ensure business continuity when working remotely.
7. Provide security awareness sessions to users on digital hygiene, and take written acknowledgement of the Acceptable Use Policy for organizational assets.
THANK YOU
ANY QUESTIONS?