Friday, March 28, 2014

Sophos Antivirus and EMET

In looking for mitigations for the recently announced Microsoft Word 0-day, I decided to install EMET on both my desktop and my laptop.  I fully admit, I'm not an EMET guru, nor do I know a lot about it.  I have found many directions for EMET (a good one here) so installation was a bit of a breeze.  However, tweaking it is another story.

First, Firefox 28 wouldn't start.  So, I had to tweak the application settings for Firefox to find out which particular protection was preventing it from starting up.  (Turns out, it was ROP.)

Then, upon turning EMET loose, I received two "Quarantine Announcements" from our Sophos Antivirus.  The notice was for a buffer overflow in IE and Acrobat Reader.  From my analysis, the best I can tell is that Sophos saw EMET protecting those applications and didn't know how to report it.  I asked our Sophos administrator if he had heard anything about Sophos and EMET, but he didn't know what EMET was.  I authorized the activity in Sophos, and rebooted a couple of times to see if Sophos would report the activity each time I booted up.  So far, so good.

If I find out exactly how the buffer overflow was caught by Sophos, I'll update this post.

Monday, March 24, 2014

Python Links Updated

Just a quick note that I've updated my list of Learning Python resources after reading Harlan's great post.  My original (and now updated) post (and list) can be found here.

Thursday, March 20, 2014

Getting Started with Security Onion

After getting alerts from our DoS protection company that are vague, one of the network engineers and I decided we needed to gain more visibility into the network.  We want to better understand these events and make a decision as to whether or not they are truly incidents.  Further, after we get notification of an event, we want to find the traffic to study it.  Enter Security Onion.  This tool is awesome, as we can run Snort, shoot the output to Snorby, and capture the data as well.  We're pretty sure that we have a box capable of running Security Onion; it's more a matter of how much data we want to keep.  Right now, we have a 1+ terabyte drive doing the heavy lifting.  We're just barely making it before the job to purge runs.

Our first shot at getting it up and running was fairly successful.  Data is flowing, we saw some alerts.  Next on the agenda was to start tuning it such that we are not drinking from the fire hose.

And, now we've broken Security Onion.  We're not sure where yet.  Events are coming in.  Our sensor NIC has packets traversing it.  However, there's nothing showing up in Snorby.  So, on to more troubleshooting.  Fortunately, this Security Onion server is not production-ready.  We knew going in that we would have much tuning before we could start truly relying on the output in a production environment.  The next step is to figure out what broke down and see what we can get back.

Wednesday, March 12, 2014

Finding hostnames on a Subnet

We have offices all over the world.  What I came to learn today is that there are two countries where we have very poor visibility into our own corporate networks, to the point that I suspect that they are not managed very well, if at all.  I know I chase down malware in a couple of the networks on a daily basis.

One of our admins asked me if there is a way that we can get all of the hostnames on one of those subnets that we don't have much visibility to.  NMAP would have worked well, but I wanted to come up with a command that I could have had a non-technical person run and send me the output. So, using a little Command Line Kung-Fu, I came up with:

for /L %A in (0 1 255) do nbtstat -A "XXX.XX.XXX.%A">>hosts.txt

Substitute your subnet for the Xs in that command.

It worked like a champ.  I suspect that there is an easier way to do this, but this worked easily enough.
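The loop above leaves you with one hosts.txt full of raw nbtstat output, which is what a non-technical person would send back. As an added example (not the post's own code), the Python below turns that file into a per-address table of NetBIOS hostname, workgroup/domain and MAC address. It assumes the loop was run with a marker line echoed before each probe (for example `for /L %A in (0 1 255) do (echo ### XXX.XX.XXX.%A & nbtstat -A "XXX.XX.XXX.%A") >> hosts.txt`), since nbtstat -A prints the local adapter's address rather than the one probed; the sample log embedded in the script is constructed to mimic nbtstat's output format and is not real data.

```python
"""Parse concatenated ``nbtstat -A`` output into {ip: {hostname, domain, mac}}.

Assumption (not in the original post): each probe in the batch loop was
preceded by an echoed marker line "### <address>", so a block of nbtstat
output can be attributed to the address that was probed.
"""
import re

# Constructed sample of hosts.txt: two hosts answered, one did not.
SAMPLE_HOSTS_TXT = """\
### 10.0.0.1
Local Area Connection:
Node IpAddress: [10.0.0.50] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    WKS-FINANCE01  <00>  UNIQUE      Registered
    CORP           <00>  GROUP       Registered
    WKS-FINANCE01  <20>  UNIQUE      Registered
    CORP           <1E>  GROUP       Registered

    MAC Address = 00-11-22-33-44-55

### 10.0.0.2
Local Area Connection:
Node IpAddress: [10.0.0.50] Scope Id: []

    Host not found.

### 10.0.0.3
Local Area Connection:
Node IpAddress: [10.0.0.50] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    SRV-FILES      <20>  UNIQUE      Registered
    SRV-FILES      <00>  UNIQUE      Registered
    CORP           <00>  GROUP       Registered

    MAC Address = AA-BB-CC-DD-EE-FF
"""

MARKER_RE = re.compile(r"^### (\d{1,3}(?:\.\d{1,3}){3})\s*$")
# One row of the name table: NAME <suffix> UNIQUE|GROUP Status
NAME_RE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)")
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")


def parse_nbtstat_log(text):
    """Return a dict keyed by probed address for every host that answered.

    Addresses whose block contains no name table ("Host not found.") are
    simply absent from the result.
    """
    results = {}
    current = None
    for line in text.splitlines():
        m = MARKER_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue  # text before the first marker is ignored
        m = NAME_RE.match(line)
        if m:
            name, suffix, kind, _status = m.groups()
            entry = results.setdefault(
                current, {"hostname": None, "domain": None, "mac": None})
            # <00> UNIQUE is the computer name; <00> GROUP is the workgroup/domain.
            if suffix.upper() == "00" and kind == "UNIQUE" and entry["hostname"] is None:
                entry["hostname"] = name
            elif suffix.upper() == "00" and kind == "GROUP" and entry["domain"] is None:
                entry["domain"] = name
            continue
        m = MAC_RE.search(line)
        if m and current in results:
            results[current]["mac"] = m.group(1).upper()
    return results


def hostname_rows(results):
    """Rows (ip, hostname, domain, mac) sorted numerically by address."""
    def key(ip):
        return tuple(int(o) for o in ip.split("."))
    return [(ip, results[ip]["hostname"], results[ip]["domain"], results[ip]["mac"])
            for ip in sorted(results, key=key)]


if __name__ == "__main__":
    # Usage: python nbt_parse.py < hosts.txt   (here the constructed sample is used)
    for row in hostname_rows(parse_nbtstat_log(SAMPLE_HOSTS_TXT)):
        print(",".join(col or "" for col in row))
```

The `<00> UNIQUE` record is the one to key on for the computer name; the `<20>` record is the file-server service and can appear before or after it, which is why the parser does not rely on row order.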

Thursday, March 6, 2014

Hunting for Zeus Throughout the Network

I average finding a little more than one Zeus infection a day.  I know the reasons.  The root cause is that some major security controls are missing from the environment due to culture.  Adding those controls is a challenge and is a long-term strategy.  We are in the infancy of a Security Awareness campaign that is just starting to teach people the dangers of clicking on links in spam or falling for phishing.  Occasionally, the FireEye sensor would alert to someone clicking a Zeus link.  I suspect more click the links than I am aware.

Using Check Point's SmartLog, I've worked up a little query to help me spot some of the big outbreaks.  I grabbed the domains from the ZeusTracker, and built a mini-query (which I then pasted into the query bar).

dest:(domain or domain or domain or bizserviceszero.com or ....)

Periodically, I'll check the domains on ZeusTracker and run a diff to see what enters the list and what gets removed.  I know that there are better ways to do this, and I'd love to implement some of those methods.  High on my list is adding a Snort box, or even Security Onion.
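Building the `dest:(... or ...)` string by hand and eyeballing the diff gets old once the list changes every week. As an added example (not the post's own code), the Python below loads two snapshots of a one-domain-per-line list, reports what entered and what left, and renders the SmartLog query from the current set. The snapshot contents are constructed placeholders (`.invalid` names), not ZeusTracker data, and the one-domain-per-line format with `#` comments is an assumption about how the list was saved.

```python
"""Diff two domain-list snapshots and build the SmartLog ``dest:(...)`` query.

Added example. The snapshots are constructed placeholders; the file format
(one domain per line, '#' starts a comment) is an assumption.
"""

OLD_SNAPSHOT = """\
# constructed snapshot, saved 2014-03-01
zeus-one.example.invalid
zeus-two.example.invalid
Zeus-Three.Example.Invalid   # mixed case on purpose, to show normalisation
"""

NEW_SNAPSHOT = """\
# constructed snapshot, saved 2014-03-06
zeus-one.example.invalid
zeus-three.example.invalid
zeus-four.example.invalid
"""


def load_domains(text):
    """Parse a domain list into a normalised set.

    Comments and blank lines are skipped; names are lowercased and a trailing
    dot is dropped so the same domain never appears twice in different spellings.
    """
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if line:
            domains.add(line)
    return domains


def diff_domains(old, new):
    """Return (added, removed) as sorted lists, comparing two snapshot sets."""
    return sorted(new - old), sorted(old - new)


def smartlog_query(domains, field="dest", chunk=None):
    """Render ``field:(a or b or ...)`` for the given domains.

    Returns a list of query strings. With ``chunk`` set, the list is split into
    several queries of at most ``chunk`` domains each, which keeps any single
    pasted query to a manageable length.
    """
    ordered = sorted(domains)
    if not ordered:
        return []
    if chunk is None:
        chunk = len(ordered)
    return [f"{field}:(" + " or ".join(ordered[i:i + chunk]) + ")"
            for i in range(0, len(ordered), chunk)]


def weekly_check(old_text, new_text):
    """The whole routine in one call: what changed, plus the query to paste."""
    old, new = load_domains(old_text), load_domains(new_text)
    added, removed = diff_domains(old, new)
    return {"added": added, "removed": removed, "queries": smartlog_query(new)}


if __name__ == "__main__":
    # In practice old_text/new_text would be read from last week's and today's saved lists.
    report = weekly_check(OLD_SNAPSHOT, NEW_SNAPSHOT)
    print("added:  ", ", ".join(report["added"]) or "-")
    print("removed:", ", ".join(report["removed"]) or "-")
    for q in report["queries"]:
        print(q)
```

Normalising case and the trailing dot before diffing matters: without it a domain re-listed in a different spelling shows up as both "added" and "removed" and the query ends up with duplicate terms.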

A small win for the day, but at least I can find these machines.  Hopefully, when I've built up some metrics, I can support changing the environment, and use the number of infections cleaned up as the driver.

Sunday, March 2, 2014

RSA Conference: Friday

I woke up on Friday to cloudy weather.  With an afternoon flight, I was on the fence about going to hear more talks.  I figured I would wait until after a shower.  Upon getting out of the shower, it was POURING out.  I'm glad California was getting the rain it needed, but...I didn't want to walk in it.  However, after getting dressed, it had stopped raining, and actually looked like it was lightening up.  I decided to chance it for one more talk.  I probably could have gone to two...but there was no way I wanted it to be close at the airport.

The talk I went to was:
  • Operation Olympic Games is the Tom Clancy Spy Story that Changed Everything - by Rick Howard.  Wow, this was a great talk.  I'm looking at my notes, and I see that I stopped somewhere after the first ten or fifteen minutes.  It was that good and engaging.  Rather than tell the technical story of Stuxnet, this talk discussed the history of the operations and the planning that went into it.  Further, Rick put forth some interesting theories that certainly have merit.

And with that I bid the conference goodbye.  I fully admit that I wasn't sure what I would get out of it, and expectations were exceeded.  I've written the dates down for next year, and we'll see what happens.  As I write this, I'm starting to plan on how I'll use and implement some of the notes and ideas that were generated at the show.