Monday, October 14, 2019

Man in the Cloud (MITC) Attacks


  • Man in the Cloud (MITC) Attacks


MITC attacks rely on common file synchronization services (such as Google Drive and Dropbox) as their infrastructure for command and control (C&C), data exfiltration, and remote access. Without using any exploits, the Imperva report shows how simple re-configuration of these services turns them into a devastating attack tool that is not easily detected by common security measures.
In a MITC attack the attacker gets access to the victim's account without compromising the victim's user name or password: the attacker obtains the synchronization token that the sync client stores on the endpoint and installs it on a machine under the attacker's control, so the service treats that machine as one of the victim's own devices. As the report shows, this type of compromise is very hard to detect (contrary to attacks that involve compromising passwords).

For the first part of the mitigation strategy, the report urges organizations to use a Cloud Access Security Broker (CASB) solution that monitors access to and usage of enterprise cloud services by enterprise users. CASB solutions can effectively detect, in a timely manner, anomalies in the way a file synchronization account is used and accessed, such as the account syncing from a device the organization never enrolled. The more effective CASB solutions (such as those deployed inline) can also make mitigation easier by blocking access of unrecognized devices to the data.
The second part requires that organizations deploy controls such as Database Activity Monitoring (DAM) and File Activity Monitoring (FAM) around their business data resources to identify abnormal and abusive access to the data. Again, the better solutions are also capable of quickly mitigating the threat and containing the compromised device or account by restricting further access to all enterprise data or to the sensitive part of it.
https://www.imperva.com/docs/HII_Man_In_The_Cloud_Attacks.pdf
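The two anomalies the CASB paragraph describes can be checked directly against a sync service's audit log. The following is an added example, not code from the Imperva report or from any CASB product; the account names, device IDs, enrolled-device inventory and audit events are constructed, and the log format is an assumption.

```python
"""Spot Man-in-the-Cloud token reuse in file-sync service audit logs.

Added example. In a MITC attack the attacker installs the victim's sync token on
a machine he controls, so the service sees the victim's account syncing from a
device the organisation never enrolled, often while the real device is also
active. Two checks catch that: an unenrolled device, and two different devices
active on one account within a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory of the devices each account is allowed to sync from.
ENROLLED_DEVICES = {
    "alice@example.com": {"LAPTOP-A1"},
    "bob@example.com": {"LAPTOP-B7", "DESKTOP-B2"},
}

# Constructed audit events: (timestamp, account, device_id, client_ip, action).
# The third event is the attacker's machine using alice's stolen sync token.
SAMPLE_EVENTS = [
    ("2019-10-14T09:00:02Z", "alice@example.com", "LAPTOP-A1", "10.1.4.21", "sync"),
    ("2019-10-14T09:00:40Z", "bob@example.com", "LAPTOP-B7", "10.1.4.33", "sync"),
    ("2019-10-14T09:03:15Z", "alice@example.com", "WIN-7QZ3", "203.0.113.9", "sync"),
    ("2019-10-14T09:04:00Z", "alice@example.com", "LAPTOP-A1", "10.1.4.21", "sync"),
    ("2019-10-14T12:30:00Z", "bob@example.com", "DESKTOP-B2", "10.1.4.40", "sync"),
]


def find_mitc_indicators(events, enrolled, window=timedelta(minutes=10)):
    """Return a list of (indicator, account, device(s), ip(s)) tuples."""
    alerts = []
    flagged_pairs = set()                 # avoid reporting the same device pair twice
    last_seen = defaultdict(dict)         # account -> {device_id: (timestamp, ip)}
    for ts_text, account, device, ip, _action in sorted(events):
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
        # Check 1: the device is not one the organisation enrolled for this account.
        if device not in enrolled.get(account, set()):
            alerts.append(("unenrolled_device", account, device, ip))
        # Check 2: another device synced this account inside the window.
        for other, (other_ts, other_ip) in last_seen[account].items():
            pair = (account, frozenset((other, device)))
            if other != device and ts - other_ts <= window and pair not in flagged_pairs:
                flagged_pairs.add(pair)
                alerts.append(("concurrent_devices", account,
                               other + "+" + device, other_ip + "/" + ip))
        last_seen[account][device] = (ts, ip)
    return alerts


if __name__ == "__main__":
    for alert in find_mitc_indicators(SAMPLE_EVENTS, ENROLLED_DEVICES):
        print(alert)
```

Bob's two enrolled devices three hours apart produce nothing; alice's account is flagged once for the unknown device and once for the overlap with her real laptop. In practice the device identifier and client IP come from whatever the sync vendor exposes in its audit API, and the enrolled-device list comes from the MDM or asset inventory.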


  • Database Activity Monitoring (DAM)

Database activity monitoring (DAM, a.k.a. Enterprise Database Auditing and Real-time Protection) is a database security technology for monitoring and analyzing database activity. It operates independently of the database management system (DBMS) and does not rely on any form of native (DBMS-resident) auditing or native logs such as trace or transaction logs, so it cannot be switched off or altered by the privileged database users it is meant to watch. DAM is typically performed continuously and in real time.
https://en.wikipedia.org/wiki/Database_activity_monitoring


  • File Activity Monitoring (FAM)

File Activity Monitoring discovers the sensitive data on your servers, classifies content using pre-defined or user-defined definitions, and lets you configure rules and policies about data access together with the actions to be taken when a rule fires.
File activity monitoring consists of the following capabilities:
    Discovery includes collecting metadata and entitlements for files and folders.
    Classification uses decision plans to identify potentially sensitive data in the files, such as credit card information or personally identifiable information.
    Monitoring and collection of audit information and policy rules, and real time alerts or blocking of suspicious users or connections.
https://www.ibm.com/support/knowledgecenter/en/SSMPHH_10.6.0/com.ibm.guardium.doc/getstart/getting_started_fam.html

ICMP attacks


  • ICMP Attacks


ICMP stands for Internet Control Message Protocol. It is a core support protocol of the IP suite: every IP host and router implements it, which is why it is present on practically every network.
A connectionless protocol, ICMP does not use port numbers and works at the network layer (it is carried directly inside IP as protocol number 1).
ICMP is commonly used for diagnostics and error reporting (ping, traceroute, unreachable and time-exceeded notifications), and attackers use the same messages to carry payloads and to map networks.

ICMP Attack Types

ICMP Tunnelling
An ICMP tunnel establishes a channel between a client and a server over ICMP, so that data passes a firewall that permits ping traffic without raising an alarm.
ICMP tunnelling is a covert connection between two endpoints using ICMP echo request and echo reply packets. Both message types carry an arbitrary data field after the 8-byte ICMP header, so the client places its data in an echo request and sends it to the remote computer, and the remote computer injects its answer into the echo reply it sends back. This traffic goes unnoticed by firewalls and proxies that filter only on source and destination IP address and protocol and never look at the ICMP payload; it is not undetectable in general, because the payload, size and frequency of the echo packets differ from those of a normal ping.

Hping (hping3) is a packet-crafting tool used to build test or attack packets. The ordinary ping command sends a fixed echo request (four packets by default on Windows, until interrupted on Linux); with hping you choose the ICMP type and code, the payload size and the payload contents, so you can send exactly the ICMP message you want.

The best-known ICMP tunnelling program is LOKI (described in Phrack 49 and 51). It uses ICMP echo request and echo reply packets to carry its payload, so the traffic blends in with ping. By using LOKI, an attacker can transmit data covertly so that network devices that do not inspect ICMP payloads miss the transmission. Its server component runs with administrative privileges and acts as a backdoor: it executes commands on the target machine, leaks information, and starts or stops critical services without the user's knowledge.

Organisations have adopted several ways to prevent ICMP tunnelling: blocking ICMP at the perimeter, limiting the size of ICMP packets, rate-limiting echo traffic, and only letting echo replies through when they match an outstanding request (stateful inspection). Blocking all ICMP has a cost, because it also drops the Destination Unreachable messages that path MTU discovery depends on, so most organisations block only echo traffic from untrusted networks and let error messages through.
The use of IDS/IPS is an effective method, and many IPS/IDS devices have a signature to detect the presence of LOKI.

Smurf Attack
Whenever an ICMP echo request (type 8) is received, an echo reply (type 0) is sent back. In a smurf attack, the attacker sends echo requests whose source address is spoofed to the victim's IP address to the broadcast address of a network (the amplifier). If routers forward the directed broadcast and the hosts answer it, every host on that network sends an echo reply to the victim, so one request is amplified into as many replies as there are hosts. The victim's link gets congested by this traffic, which brings down the productivity of the entire network.
Countermeasures for Smurf Attack

    Put anti-spoofing filters on routers and firewalls. An IP address range is assigned to each LAN segment, and if the source address of a packet is not in the range assigned to the segment it arrives from, the traffic should be dropped (ingress filtering as in BCP 38, or unicast reverse-path forwarding).
    Configure L3 devices not to forward directed broadcasts (no ip directed-broadcast on Cisco IOS, the default since IOS 12.0) and hosts not to answer echo requests sent to a broadcast address (net.ipv4.icmp_echo_ignore_broadcasts=1 on Linux, also the default).

Fraggle Attack
A Fraggle attack is the same as a Smurf attack but uses UDP instead of ICMP: the attacker sends spoofed UDP packets to the broadcast address on the echo (7) or chargen (19) service ports, and every host that runs those services replies to the victim.


Information Gathering
Under the information gathering attack, one can use different methods within ICMP to find out live hosts, the network topology, the operating system, ACL placement, and so on. A classic way to discover hosts on the network is to send an ICMP echo request (type 8), which prompts live hosts to respond with an echo reply (type 0). Hosts behind a filter stay silent, so a missing reply means "down or filtered", not "down".

Trace Route
Traceroute can be used to determine the network topology. The traceroute command discovers the route that packets actually take when travelling to their destination: it sends probes with the IP TTL set to 1, then 2, then 3, and so on; each router that decrements the TTL to zero returns an ICMP Time Exceeded message (type 11), which reveals that router's address, until the destination itself answers.

Windows tracert uses ICMP echo requests as probes, while Linux traceroute uses UDP datagrams to high-numbered ports by default (its -I option switches it to ICMP). So when running a trace route from a Windows computer, three ICMP echo requests with TTL set to 1 are sent out to the destination IP address, then three with TTL 2, and so on up to the maximum hop count.


Port Scan
ICMP error messages can be used to find open ports on an IP address or a LAN segment. A UDP probe to a closed port provokes an ICMP Port Unreachable (type 3, code 3), so a port that returns no error is open or filtered; likewise a packet for an unsupported IP protocol provokes Protocol Unreachable (type 3, code 2), which is the basis of an IP protocol scan.


OS fingerprinting
Fingerprinting is a technique to find out what kind of OS a host is running by looking at details of its responses, such as the TTL of the ICMP reply.
Operating systems set different initial TTL values: if the reply has a TTL close to 128 it is most likely a Windows machine, and if it is close to 64 it is most likely a Linux-based machine (network devices and some Unix systems use 255). The value you observe has been decremented by one at every router on the path, so round it up to the nearest default and treat the result as a hint rather than proof, since the initial TTL can be changed by the administrator.
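The rounding rule above, carried out on a raw IPv4 header, as an added example that is not code from the page: the mapping from initial TTL to OS family is the usual heuristic, and the sample headers and hop counts are constructed.

```python
"""Estimate a host's OS family from the TTL observed in its reply (added example)."""
import socket
import struct

# Common initial TTL values and the OS families that use them by default.
# Heuristic only: an administrator can change the initial TTL of any host.
DEFAULT_TTLS = {
    64: "Linux/Unix/macOS",
    128: "Windows",
    255: "network device or Solaris",
}


def ttl_from_ipv4(packet: bytes) -> int:
    """Return the TTL field of a raw IPv4 header (RFC 791 layout, byte 8)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return packet[8]


def infer_initial_ttl(observed: int):
    """Round the observed TTL up to the nearest default value and return
    (initial_ttl, estimated_hops, os_family).

    A very low observed value is ambiguous (30 could be Linux 34 hops away or
    Windows 98 hops away); the smallest default is chosen because paths longer
    than 64 hops are practically unheard of.
    """
    if not 1 <= observed <= 255:
        raise ValueError("TTL must be between 1 and 255")
    for initial in sorted(DEFAULT_TTLS):
        if observed <= initial:
            return initial, initial - observed, DEFAULT_TTLS[initial]
    raise AssertionError("unreachable: 255 is the largest default")


def build_ipv4_header(ttl: int, proto: int = 1, src: str = "192.0.2.10",
                      dst: str = "198.51.100.5") -> bytes:
    """Minimal 20-byte IPv4 header (header checksum left at zero) for the demo.
    Fields: version/IHL, TOS, total length, ID, flags/offset, TTL, protocol,
    checksum, source, destination."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def fingerprint_reply(packet: bytes):
    """Parse the IPv4 header of a captured reply and apply the TTL heuristic."""
    return infer_initial_ttl(ttl_from_ipv4(packet))


if __name__ == "__main__":
    # Constructed replies: a Windows host 11 hops away, a Linux host 12 hops away.
    for ttl in (117, 52, 250):
        print(ttl, fingerprint_reply(build_ipv4_header(ttl)))
```

Combine the TTL with the hop count from traceroute: if traceroute shows 11 hops and the observed TTL is 117, the initial value really was 128; a mismatch means either a non-default TTL or a middlebox that rewrote it.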

ICMP Router Discovery
The ICMP Router Discovery Protocol (IRDP, RFC 1256) discovers the IP addresses of neighbouring routers. Its messages are called Router Advertisements (type 9), sent by routers, and Router Solicitations (type 10), sent by hosts that want an advertisement immediately. Router discovery is not a routing protocol; it only tells hosts which routers exist on their subnet.

Teardrop
Teardrop is a denial-of-service attack against the IP fragment reassembly code of the target host; the fragments can carry ICMP or any other protocol. IP packets larger than the path MTU are broken up into smaller fragments, each carrying a copy of the IP header plus a fragment offset field that tells the receiving TCP/IP stack which bytes of the original datagram it contains. The fragments travel from the source to the destination, where they have to be put back together. In a teardrop attack the fragments are crafted so that their offsets overlap, for example a second fragment that ends inside the first one. A reassembly routine that does not check for overlaps computes a negative fragment length when it trims the overlap, and the resulting out-of-range copy crashed or rebooted vulnerable systems.
https://resources.infosecinstitute.com/icmp-attacks/#gref
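The teardrop arithmetic and the check that prevents it, as an added example that is not code from the page or from any kernel. Fragments are modelled as (offset in bytes, more-fragments flag, payload); real IP fragment offsets are stored in 8-byte units and the fragment lists below are constructed.

```python
"""Overlapping IP fragments: the teardrop failure mode and a checked reassembler (added example)."""


def naive_fragment_length(prev_end: int, offset: int, length: int) -> int:
    """Length that an unchecked reassembler copies for a fragment overlapping the
    previous one: it moves the start forward to prev_end and copies end - start
    bytes. When the fragment ends inside the previous one the result is negative,
    which becomes a huge unsigned size in the copy that follows."""
    end = offset + length
    if offset < prev_end:
        offset = prev_end
    return end - offset


def reassemble(fragments) -> bytes:
    """Reassemble a datagram from (offset, more_fragments, payload) tuples.
    Raises ValueError on overlap, gap, or an inconsistent more-fragments flag."""
    ordered = sorted(fragments, key=lambda f: f[0])
    expected = 0                     # next byte offset we are waiting for
    chunks = []
    for i, (offset, more, payload) in enumerate(ordered):
        if offset < expected:
            raise ValueError(f"fragment at {offset} overlaps data already received up to {expected}")
        if offset > expected:
            raise ValueError(f"gap before fragment at {offset}")
        is_last = i == len(ordered) - 1
        if more == is_last:          # non-last needs MF set, last needs it clear
            raise ValueError("more-fragments flag inconsistent with fragment position")
        chunks.append(payload)
        expected = offset + len(payload)
    return b"".join(chunks)


def rejects(fragments) -> bool:
    """True when the checked reassembler refuses the fragment set."""
    try:
        reassemble(fragments)
    except ValueError:
        return True
    return False


# Constructed fragment sets: a valid datagram delivered out of order, and the
# classic teardrop pair where the second fragment ends inside the first.
GOOD_FRAGMENTS = [(16, True, b"B" * 16), (0, True, b"A" * 16), (32, False, b"C" * 8)]
TEARDROP_FRAGMENTS = [(0, True, b"X" * 36), (24, False, b"Y" * 4)]

if __name__ == "__main__":
    print(reassemble(GOOD_FRAGMENTS))
    print("naive length for teardrop pair:", naive_fragment_length(36, 24, 4))
    print("checked reassembler rejects teardrop:", rejects(TEARDROP_FRAGMENTS))
```

Modern stacks go further than rejecting: they bound the number of fragments held per source and time them out, because a flood of never-completed fragment sets is a second, simpler way to exhaust the reassembly buffers.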

Windows Forensics


  • Forensics Analysis of Pagefile and hibersys File in Physical Memory


Pagefile.sys:
Microsoft Windows uses a paging file, called pagefile.sys, to store pages of memory that do not currently fit into physical memory. Although Windows supports up to 16 paging files, in practice normally only one is used.

Hiberfil.sys: the hibernation file stores a compressed copy of physical memory when a Windows system enters hibernation.
These files are very useful for digital investigation because they hold the contents of physical memory, which is otherwise lost at power-off, in a file that persists on the hard disk: process memory, strings, credentials and malware code that were paged out or hibernated can be recovered from them long after the fact.

https://www.hackingarticles.in/forensics-analysis-of-pagefile-and-hibersys-file-in-physical-memory/


  • How to extract forensic artifacts from pagefile.sys?


Microsoft Windows uses a paging file, called pagefile.sys, to store page-size blocks of memory that do not currently fit into physical memory.
This file, stored in %SystemDrive%\pagefile.sys, is a hidden system file that the kernel keeps open exclusively, so it cannot be read through the normal file API while Windows is running, even by an Administrator.
It is possible to read it by parsing the raw file system, or to extract it from a live system or a disk image using tools like FTK Imager.

Analysis with YARA rules
You may scan pagefile.sys using YARA. The pagefile has no file-level structure to walk (pages are stored in no particular order), so signature and string scanning is the practical approach.
You may scan the pagefile in order to seek malware artifacts that are not found in volatile memory, because the pages holding them were swapped out before the memory image was taken:
https://www.andreafortuna.org/2019/04/17/how-to-extract-forensic-artifacts-from-pagefile-sys/



  • Finding malware on memory dumps using Volatility and Yara rules


A brief and simple workflow, useful for a first high-level analysis of memory dumps in order to search for the presence of generic malware.

During the first phase of a memory dump analysis it can be useful to check the dump for artifacts related to the best-known malware families. To do that, scan the image with all the rules located in the "malware" section of the Yara-Rules repository.

The memory analysis with Volatility
Although all Volatility commands can help you find malware, a few are designed specifically for hunting rootkits and malicious code.

One of these is the yarascan plugin, which can locate any sequence of bytes (like assembly instructions with wildcards), regular expressions, ANSI strings, or Unicode strings in user-mode or kernel memory, and reports the process and address at which each match was found.
https://www.andreafortuna.org/2018/07/16/finding-malware-on-memory-dumps-using-volatility-and-yara-rules/
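The four match types that yarascan offers (hex bytes with wildcards, regular expressions, ANSI strings, UTF-16LE "wide" strings) are the same ones you apply to a pagefile, so one added example covers both passages above. This is not Volatility or YARA code: it is a small scanner that compiles each rule to a regex over bytes and reports offsets. The rules and the pagefile-like buffer are constructed; the x86 prologue bytes are a typical function entry, not a signature for any specific malware.

```python
"""A yarascan-style pattern scanner over a raw memory or pagefile buffer (added example)."""
import re


def hex_pattern_to_regex(hex_pattern: str) -> bytes:
    """'55 8B EC ?? ?? E8' -> regex bytes, where ?? matches any single byte."""
    out = []
    for token in hex_pattern.split():
        if token == "??":
            out.append(b".")
        else:
            out.append(re.escape(bytes([int(token, 16)])))
    return b"".join(out)


def compile_rule(rule: dict):
    kind, pattern = rule["kind"], rule["pattern"]
    if kind == "hex":
        regex = hex_pattern_to_regex(pattern)
    elif kind == "ascii":
        regex = re.escape(pattern.encode("ascii"))
    elif kind == "wide":                       # UTF-16LE, how Windows keeps most strings in memory
        regex = re.escape(pattern.encode("utf-16-le"))
    elif kind == "regex":
        regex = pattern.encode("ascii")
    else:
        raise ValueError(f"unknown rule kind {kind!r}")
    return re.compile(regex, re.DOTALL)       # DOTALL so ?? also matches 0x0A


def scan(buffer: bytes, rules) -> list:
    """Return (rule_name, offset, matched_bytes) for every hit, ordered by offset."""
    hits = []
    for rule in rules:
        for m in compile_rule(rule).finditer(buffer):
            hits.append((rule["name"], m.start(), m.group(0)))
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed rules. The ascii and wide variants of the same string show why
# encoding matters: only the wide one matches the UTF-16 command line below.
RULES = [
    {"name": "x86_prologue_call", "kind": "hex", "pattern": "55 8B EC ?? ?? ?? E8"},
    {"name": "browser_ua", "kind": "regex", "pattern": r"Mozilla/\d\.\d"},
    {"name": "cmd_wide", "kind": "wide", "pattern": "cmd.exe /c"},
    {"name": "cmd_ascii", "kind": "ascii", "pattern": "cmd.exe /c"},
]

# Constructed buffer standing in for a pagefile: zero padding around a
# user-agent string, a UTF-16LE command line and a few bytes of x86 code.
SAMPLE_PAGEFILE = (
    b"\x00" * 64
    + b"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"      # offset 64
    + b"\x00" * 32
    + "cmd.exe /c whoami".encode("utf-16-le")            # offset 137
    + b"\x00" * 16
    + bytes.fromhex("558bec83ec40e8")                    # offset 187
    + b"\x00" * 64
)

if __name__ == "__main__":
    for name, offset, data in scan(SAMPLE_PAGEFILE, RULES):
        print(f"{name:18s} @ 0x{offset:06x} {data!r}")
```

On a real pagefile the offsets are not tied to any process, so a hit tells you the artifact existed in memory at some point, not which process owned it; for that you go back to the memory image and a plugin such as yarascan that knows the address space layout.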


  • WHAT IS UNALLOCATED SPACE AND WHY DOES IT MATTER?


Just what is unallocated space, and why is it important? Data and information are located in two areas on a computer's hard drive: allocated and unallocated space. Allocated space typically contains all active system and user-generated data, including email messages, documents, photographs, log files, and database files, in an organized structure that allows for easy access and retrieval. Unallocated space is the set of clusters the file system no longer assigns to any file; deleted documents, old file system metadata, and other electronic artifacts remain there, often intact, and can frequently be recovered and analyzed through a forensic investigation. Unlike allocated space, the electronic evidence in unallocated space may be overwritten (and thus lost completely) by new data as the computer continues to be used, which is why a forensic image should be taken as early as possible.

For example, deliberately deleted documents can be recovered using data carving tools, which reconstruct files by scanning the raw bytes of the disk for known file headers and footers and reassembling the fragments between them. Similarly, fragments of emails from a web-based personal email account of the departed employee to a competitor may exist in unallocated space, which would prove the theft of company trade secrets and establish the participation of the competitor in the theft.
https://insights.bit-x-bit.com/computerforensics/what-is-unallocated-space-and-why-does-it-matter/
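Header/footer carving as described above, as an added example that is not code from the page or from any carving tool. The signature table covers two file types, the size cap and the "disk image" are constructed, and a header whose footer was overwritten is carved as an incomplete file rather than dropped, because that is the normal case in unallocated space.

```python
"""Signature-based file carving from a raw image (added example)."""

# Header and footer magic for two common file types; assumed sufficient for the demo.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve_files(image: bytes, signatures=SIGNATURES, max_size: int = 10 * 1024 * 1024) -> list:
    """Return (type, offset, data, complete) for every carved file, ordered by offset.

    The file system is ignored entirely: only the raw bytes are searched, which
    is what recovers files whose directory entries are gone. A header with no
    footer within max_size is carved up to max_size and marked incomplete.
    """
    found = []
    for kind, (header, footer) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                found.append((kind, pos, image[pos:pos + max_size], False))
                pos = image.find(header, pos + len(header))
            else:
                end += len(footer)
                found.append((kind, pos, image[pos:end], True))
                pos = image.find(header, end)
    return sorted(found, key=lambda f: f[1])


# Constructed image: zeroed clusters, a small JPEG, a leftover text fragment,
# a minimal PDF, and a JPEG whose tail was overwritten (no footer).
DISK_IMAGE = b"".join([
    b"\x00" * 512,
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 100 + b"\xff\xd9",   # jpg at 512, 113 bytes
    b"deleted note: trade secret v2" + b"\x00" * 64,
    b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF",                               # pdf at 718, 32 bytes
    b"\x00" * 256,
    b"\xff\xd8\xff\xdb" + b"\x22" * 50,                                   # truncated jpg at 1006
])

if __name__ == "__main__":
    for kind, offset, data, complete in carve_files(DISK_IMAGE):
        print(f"{kind} @ {offset} {len(data)} bytes {'complete' if complete else 'truncated'}")
```

Two caveats a real carver handles and this one does not: a JPEG may contain an embedded thumbnail with its own FFD9 footer, so the carve can stop early, and a file stored non-contiguously on disk comes out with another file's clusters in the middle; validating the carved output with a parser for that format is the check that separates a usable file from a false positive.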




  •  Splunk App for Stream for Enhanced Operational Intelligence from Wire Data 

  Custom Content Extraction Enables Efficient Real-Time Insights
  Improved Security Posture
  • Easily and selectively analyze web traffic for security risks
  • Identify data exfiltration, including PII or exposed assets
  • Prevent data loss, perform forensics and reduce troubleshooting time

  Efficient Real-Time Business Analyses
 
  • Real-time granular insights into key business indicators from web traffic
  • Selective on-the-fly visibility into shopping carts, user interactions, etc.

   Efficient IT Ops and Applications Visibility
  • Monitor web services performance on-the-fly for quick troubleshooting and performance analysis
  • Enable real-time custom protocol monitoring
  https://www.slideshare.net/Splunk/splunk-app-for-stream-nyc-deck


  • FOR500: Windows Forensic Analysis


FOR500.1: Windows Digital Forensics And Advanced Data Triage
Exercises
    Install the Windows SIFT Workstation and get an orientation about its operations
    Image a hard drive for evidence using a WiebeTech UltraDock Write Blocker
    Undertake advanced triage-based acquisition and imaging - rapid acquisition
    Mount acquired disk images and evidence
    Carve important files from free space
    Recover critical user data from the pagefile, hibernation file, memory images, and unallocated space
    Recover chat sessions, web-based email, social networking, and private browsing

FOR500.2: Core Windows Forensics Part I: Windows Registry Forensics And Analysis   
Exercises

    Profile a computer system using evidence found in the Registry
    Conduct a detailed profile of user activity using Registry evidence
    Examine which programs a user recently executed by examining Registry-based UserAssist, AppCompatCache, Amcache, RecentApps, BAM/DAM, and others
    Determine which files a user recently opened via the RecentDocs keys in the Registry
    Examine recently opened Office 365 files and determine first/last open times
    Find folders recently accessed by a user via the Open/Save keys in the Registry

FOR500.3: Core Windows Forensics Part II: USB Devices And Shell Items
Exercises

    Track USB and BYOD devices that were connected to the system via the Registry and file system
    Determine first and last connected times of USB devices that are plugged into your system
    Determine last removal time of USB devices that are plugged into your system
    Use Shortcut (LNK) file analysis to determine first/last times a file was opened
    Use Shellbag Registry Key Analysis to determine when a folder was accessed
    Use a jump list examination to determine when files were accessed by specific programs
    Unlock BitLocker-To-Go encrypted USB devices


FOR500.4: Core Windows Forensics Part III: Email, Key Additional Artifacts, and Event Logs
Exercises

    Employ best-of-breed forensic tools to search for relevant email and file attachments in large data sets
    Analyze message headers and gauge email authenticity using SPF and DKIM
    Understand how Extended MAPI Headers can be used in an investigation
    Effectively collect evidence from Exchange and Office365
    Learn the latest on Unified Audit Logs in Office365
    Search for Webmail and Mobile Email remnants
    Understand key concepts like email object filtering, de-duplication, and message similarity
    Use forensic software to recover deleted objects from email archives
    Gain experience with a commercial email forensics and e-discovery tool
    Perform data visualization and timeline analysis
    Analyze document metadata present in email archives
    Analyze the various versions of the Windows Recycle Bin
    Analyze Windows Prefetch files to determine thousands of application execution times
    Use the System Resource Usage Monitor (SRUM) to answer questions never before available in Windows forensics
    Merge event logs and perform advanced filtering
    Profile account usage and determine logon session length
    Audit file and folder access
    Identify evidence of time manipulation on a system
    Supplement registry analysis with BYOD device auditing, including new Windows 10 events
    Analyze historical records of wireless network associations and geolocate a device

FOR500.5: Core Windows Forensics Part IV: Web Browser Forensics for Firefox, Internet Explorer, and Chrome
Exercises

    Track a suspect's activity in browser history and cache files and identify local file access
    Analyze artifacts found within the Extensible Storage Engine (ESE) database format
    Examine which files a suspect downloaded
    Determine URLs that suspects typed, clicked on, bookmarked, or merely popped up while they were browsing
    Parse automatic crash recovery files to reconstruct previous browser sessions
    Leverage Google Analytics cookies to profile user behaviors
    Learn to manually parse SQLite databases from Firefox and Chrome
    Identify anti-forensics activity and re-construct private browsing sessions
    Investigate browser auto-complete data
   

FOR500.1: Windows Digital Forensics And Advanced Data Triage
Install the Windows SIFT Workstation
Image a hard drive for evidence using a WiebeTech UltraDock Write Blocker

FOR500.2: Core Windows Forensics Part I: Windows Registry Forensics And Analysis
        Registry Explorer
        TZWork's CAFAE and YARU (Yet Another Registry Utility)

FOR500.5: Core Windows Forensics Part IV: Web Browser Forensics for Firefox, Internet Explorer, and Chrome       
Tools Used

    Nirsoft Tools
    SQLite Parsers
    ESE DatabaseView
    Hindsight

https://www.sans.org/course/windows-forensic-analysis


  • Forensic Artifacts: evidences of program execution on Windows systems

Background Activity Moderator (BAM)
BAM is a Windows service, introduced in Windows 10 version 1709, that controls the activity of background applications. It matters for forensics because it records, per user SID, the full path of executables that were run and the time of their last execution, in the registry under HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID} (moved to bam\State\UserSettings\{SID} in later Windows 10 builds), which makes it one more source of program-execution evidence next to Prefetch, Amcache and UserAssist.
https://www.andreafortuna.org/2018/05/23/forensic-artifacts-evidences-of-program-execution-on-windows-systems/


  • Personal data, also known as personal information or personally identifiable information (PII)

Personal data is any information relating to an identified or identifiable natural person. Sensitive personal information (SPI) is the subset whose exposure causes particular harm, such as health records, financial account details, biometric data and government identification numbers, and it is usually subject to stricter handling and breach-notification rules.
https://en.wikipedia.org/wiki/Personal_data