Saturday, January 04, 2014

Red Sky Weekly (1/4/14): "Ya know what we're missing Jeff? Indicator aging."

"Ya know what we're missing Jeff? A way to clean out the old indicators! We need indicator aging processes!"

Indicator aging.. this is one of the questions we get asked ALL of the time. And I've been asked for MANY years... "How do you qualify indicators and clean out the old ones?"  When companies harvest hundreds of thousands of 'IOCs' every month, how do they qualify the good ones over the not so good? When is an IOC outdated? How do you know?

Great questions all. Heck, even my own staff asks this question..  

Here's the deal. Targeted attackers don't pull out the good stuff until they need it. 
  • This week we answered questions about new variants associated with a TTP from early 2012.
  • Every now and again we see WIN XP malware pop up, or better yet, WIN XP VPN! If you've not had the realization yet, nearly every remote access solution associated with Windows XP is compromised. And every now and again, we see them pop up --especially for users who simply don't want to pay for the upgrade (BIG mistake).
If you're using Windows XP SP1 (nobody should be running Windows XP anymore, but if you are...) you're probably suffering silently because you haven't upgraded... or worse, and probably more likely, you're suffering unknowingly. But nonetheless, attackers will use just enough to accomplish their task(s). As soon as you upgrade to SP2, the attacks take on a slightly more complex nature, using attacks designed to get them into SP2 machines. We're in a cat and mouse game.. the cat gets smarter, but so does the mouse. In fact, I sometimes wonder if mice learn faster than cats!

Think nobody uses XP anymore? I wouldn't bet on that. In fact, we came upon a video about six months ago, of an attacker breaking into an ATM. He did it by crashing the underlying OS and going from there.. what was the underlying OS? Windows XP. And what's worse? The bank had just installed the same ATMs in an entire chain of stores.

What about computer aided manufacturing, carousels used to supply parts to manufacturing processes? Robotics? In many cases, the machines that control manufacturing processes run VERY old systems --I've seen them as old as Windows 3.1 and 95.. simple controllers with no networking to speak of. But when these machines get upgraded, oftentimes the simple act of upgrading the OS or patching the current system voids the warranty on these VERY expensive devices. 

How many times have you gone into your local auto parts store and laughed out loud when you saw the DOS screen that they use to check for the bracket that you need to fix your muffler? Heck, I almost fell out of my chair when I saw the nursing terminal used at the local hospital. Wanna know why healthcare records are at risk? Because hospitals can't afford to upgrade beyond the old systems.  In fact, I saw this in action at two hospitals in the last few weeks. Amazing but real. 

How many consumer electronics are built on Linux? Networking gear, infrastructure, appliances? Yup.. many are stripped down Linux. How often do they get patched and upgraded? Internet of Things and controller area networks going into cars, planes, trains and ships... how old is the code used in these devices, and when was it upgraded last? There's no telling.

So, I ask again.. when should we clean out (ahem) old targeted XP IOCs from our dataset? When XP is no longer used --globally. When all of the code is automatically upgraded to stay current on security patches. Or better yet, when we no longer need them (like YEARS from now?!).

So, when should we clear out our older indicators? 

How many security vendors are built into YOUR environment? My guess? A couple of hundred (probably more!) from bottom of the stack to the top. How many of them are maintained at the most current version?

"Ya know what we're missing Jeff? A way to clean out the old indicators! We need indicator aging processes!"

Here's the problem.

There are some great pieces of work out that help users understand and correlate all of this information. The taxonomies being developed to classify, prioritize and share indicators are heavy on detail and give you the ability to sift through all of the information for the things you need. As an example, I've included the architecture of a Mitre developed taxonomy called Structured Threat Information Exchange (STIX for short). STIX is a great way of characterizing all of the information that might help analysts determine the best prioritization for their own use, but at the same time, the idea of its use can be quite overwhelming. It certainly is not for the new user. Why? Look at the blocks. For every block on the diagram, data must be collected, normalized, stored, retrieved, analyzed and correlated. Wow. So today, the likes of Mitre and a handful of large companies with R&D shops, who can afford to build it and integrate it, are using this framework. In a few years when the data is more complete, we'll be really glad we have this. For now however, if you need to parse out old indicators because you believe they're no longer relevant, well, I hope you don't filter out the wrong ones. 

What do we do? We keep them all. We present our indicators in full context with a .csv formatted list. If you are a Windows XP SP1 shop, you need XP SP1 IOCs. We don't normally get down to the point where an IOC can be sorted by affected operating systems or components, but it can be quickly derived by going one step further in the kill chain processes. 

My XP SP1 example is highly simplified of course, but in a world of global IOCs being pushed to individual companies, the answer is simply this... you, as the owner of risk management in your organization must decide how to prioritize the indicators and how you deploy protections. Nobody else can do it for you. 
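One way to act on "keep them all, then prioritize for your own environment", as an added example that is not Red Sky or Wapack Labs code: the feed columns, the `platform` labels and the host inventory are assumptions constructed for illustration. It tiers every indicator by whether the affected platform is still in your estate, and lists what a pure age cutoff would have dropped that you still need.

```python
import csv
import io
from datetime import date

# Constructed sample feed. Column names and platform labels are assumptions,
# not the layout of any real Red Sky or Wapack Labs CSV.
SAMPLE_FEED = """indicator,type,kill_chain_phase,platform,first_seen
update-check.example.net,domain,C2,windows_xp,2012-02-14
203.0.113.45,ipv4,Delivery,windows_7,2013-12-02
files.example.org,domain,Exploitation,windows_xp,2013-11-20
198.51.100.7,ipv4,C2,,2011-06-30
"""

# Hypothetical asset inventory: platform label -> hosts still running it.
INVENTORY = {"windows_xp": 14, "windows_7": 900}

def load(feed_text, today):
    """Parse the CSV and attach age_days to each row (kept as context only)."""
    rows = list(csv.DictReader(io.StringIO(feed_text)))
    for row in rows:
        row["age_days"] = (today - date.fromisoformat(row["first_seen"])).days
    return rows

def prioritize(feed_text, inventory, today):
    """Tier every indicator by relevance to our own estate; nothing is deleted."""
    tiers = {"deploy": [], "review": [], "retain": []}
    for row in load(feed_text, today):
        platform = row["platform"].strip()
        if not platform:
            tier = "review"    # platform not derived yet: an analyst decides
        elif inventory.get(platform, 0) > 0:
            tier = "deploy"    # we still run it, however old the indicator is
        else:
            tier = "retain"    # not in our estate today; keep for later
        tiers[tier].append(row["indicator"])
    return tiers

def wrongly_aged_out(feed_text, inventory, today, max_age_days):
    """Indicators a pure age cutoff would drop although we still run the platform."""
    return [r["indicator"] for r in load(feed_text, today)
            if r["age_days"] > max_age_days and inventory.get(r["platform"].strip(), 0) > 0]

if __name__ == "__main__":
    today = date(2014, 1, 4)
    print(prioritize(SAMPLE_FEED, INVENTORY, today))
    print(wrongly_aged_out(SAMPLE_FEED, INVENTORY, today, max_age_days=365))
```

Swapping in an inventory without `windows_xp` moves the XP indicators to `retain` rather than deleting them, so they are still there if an XP-based device turns up later.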

Need help? Ask someone. 


We ended the year with a flurry of activity. Who said the Holiday Season is time to slow down?! We were FLAT OUT! 
  • 12/31/13 - FS-ISAC: Our first piece of work product was delivered to the FS-ISAC on New Year's Eve Day, marking the start of what we hope to be a great long-term relationship between Wapack Labs and the FS-ISAC. The submission was a priority intelligence report that was posted to both FS-ISAC and to Red Sky Alliance members, offering warnings of impending New Year's Day attacks. 
  • 12/31/13 - Fusion Report 31: In November and December of 2013, Red Sky received information regarding an APT campaign that leveraged a previously unobserved malware. Several infection vectors were observed including the leveraging of Microsoft Word vulnerability CVE-2013-3906, a malicious JPG file, and a LNK downloader. The majority of activity appeared to be targeted at Japanese companies; however several additional variants were uncovered and may have affected non-Japanese entities. This report detailed information on the leveraged malware, exploit vectors, and observed targeting. Red Sky has named this new malware family for future tracking and attribution. As with all Fusion Reports, Red Sky members were provided with Snort and YARA rules, and a list of LM Kill Chain formatted indicators.
  • 12/28/13 - Priority Intelligence Report: In November and December of 2013, Wapack Labs analysts identified a US internet service provider partnering with two Chinese Virtual Private Server (VPS) providers whose infrastructures were used in the Word Zero-day (CVE-2013-3906) attack against a second Asian (non-Chinese) company and a second target, a member of the Red Sky Alliance. Wapack analysts examined and mapped this infrastructure to discover an abundance of malicious activity associated with these infrastructures. Wapack analysts also determined that the US company's Chinese partners are well-connected to US networks, and host well-known hacker clientele. 
  • A Wapack Labs Assessment of Risks to Information Security In Iceland: Finally, Wapack Labs delivered the final version of a 40+ page study at the request of an Icelandic Information Security partner Syndis. The study offers a third party perspective of issues associated with Iceland's use as an offshore hosting location for foreign enterprise. The report is being delivered by Syndis to Icelandic officials as we speak, and will be posted in the Red Sky portal sometime next week.
  • ...and we added one new large enterprise financial company to the membership. Welcome!
I'm going to the gym. It's been a long week!

Until next time,
Have a great weekend!