Forget About IOCs… Start Thinking About IOPs!

Wednesday, June 10, 2015

By: Ronnie Tokazowski and Aaron Higbee

For those who may have lost track of time, it’s 2015, and phishing is still a thing. Hackers are breaking into networks, stealing millions of dollars, and the current state of the Internet is pretty grim.

We are surrounded by large-scale attacks, and as incident responders we are often overwhelmed, which creates the perception that the attackers are one step ahead of us. This is how most folks see the attackers: as supervillains who know only evil, breathe evil, and keep doing new evil things to top the last evil thing.

This perception leads to us receiving lots of questions about the latest attack methods. Portraying our adversaries as being extremely sophisticated, powerful foes makes for a juicy narrative, but the reality is that attackers are not as advanced as they are made out to be.

Rather than being supervillains, our adversaries are more like Gru from Despicable Me – they want to be bad, but often lead double lives. They are humans, too. They have feelings, they have families, and they eat food just like the rest of us. And just as any other human, they are lazy, and will do the least amount of work in order to succeed in life.

How can we use this to our advantage?

In most of the phishing attacks hitting our enterprises, we are being infected by known families of malware, known C2s, and known phishing stories.

Searching for the word “fax” in my inbox turns up a year’s worth of phishing emails where the attacker has tried to tell the same story, “You have a fax message.” Here’s the first one and the last one, adding more credence to the fact that the attackers are lazy:

Figure 1 — Lazy attackers recycle content

Why do attackers recycle their techniques? Because they can reuse attacks and still succeed. Hackers are found in our networks 205 days from infection, which is better than last year, but still far too long, especially considering how we are passing up opportunities for earlier detection. We need to change the way we’re thinking in order to make a difference.

Is there a way we can capitalize on the fact that attackers are lacking creativity?

Here is where we are sitting in the current threat landscape over those 205 days.

Figure 2 — Current Threat Landscape

Let’s put 205 days into perspective. This time gives the attackers a chance to gain information about our organizations, find holes in our systems, weaponize a document or develop a piece of malware, and deliver it to our organization, which we will call t=0. This is the first viable chance to see it (unless you’re the NSA).

Now, we have to fast forward 205 days into the future from when that phishing email hit the organization. Once the attacker drops a backdoor on the system, they will often drop a second stage, then escalate privileges on the system or harvest credentials, if need be. (Note that we are still at t=0.)

Now that the attackers have credentials, they can watch your user and see what devices on your network they can log into. Moving laterally, attackers will bounce from system to system, server to server, normally dropping malware and tools each time.

Once they are ready, they can ship data out of the organization, with hundreds of days to maintain a foothold in the network. In the case of Dyre or other crimeware families, attackers are often shipping credentials back for use the second they are used on the systems.

While this may be a rather dismal picture, there is still something we can do. Look at the delivery stage: what if we could stop attacks there?

Figure 3 — Where we want to be

You may be able to catch the attacks in the recon stage when they are scanning your network, but there are hundreds of ways to do this, and it is very difficult to tell whether HTTP connection X is good or bad. The delivery stage is where we are going to exploit the attacker, but first, a few things to clear up.

Take the example of the fax notification phishing email. Using Yara, we can write a very simple rule to look for the attacker telling the story of a fax report. It is as simple as looking for the word fax… and the word report.

Figure 4 — Stopping lazy attackers with Yara rules

And by scanning our inbox, we can see that roughly 17 emails would have tripped this signature.

Figure 5 — Screenshot of Triage Yara editor

And even across languages, attackers are telling the same story.

Figure 6 — Attackers telling the same story with fax-themed phishing emails

We’ve also seen attackers attach .zip files to emails, then get REALLY tricky by changing the executable inside to a screensaver. How would you catch something like that? The screenshot below shows a Yara rule that would catch these files hidden within a .zip.

Figure 7 — Catching .zip files that contain .exe’s or .scr’s in Triage

With these two simple rules, you can find both weaponized .zip files and fax-themed emails, regardless of the seven proxies the attackers use to come at your organization. When trained users report them, you can see the attacks.
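The two detections above (the fax-and-report story from Figure 4 and the .zip-with-executable check from Figure 7) live in Yara rules that the post shows only as screenshots. The block below is an added, stand-alone Python equivalent, not code from the post or from PhishMe, with constructed sample inputs; it shows why a byte-level rule can see member names inside a .zip without decompressing it: each local file header stores the filename in plain text.

```python
import io
import re
import struct
import zipfile

# Constructed sample email body (not taken from the original post).
FAX_EMAIL = (
    "Subject: You have a new fax message\n\n"
    "A fax report was received from 555-0100. Open the attached file to view it."
)


def is_fax_story(text: str) -> bool:
    """Mirror a 'fax' AND 'report' keyword rule: both words, any case."""
    return bool(re.search(r"\bfax\b", text, re.I)) and bool(re.search(r"\breport\b", text, re.I))


LOCAL_HEADER_SIG = b"PK\x03\x04"
RISKY_EXTENSIONS = (".exe", ".scr")


def zip_member_names(data: bytes) -> list:
    """Walk the local file headers of a zip without inflating anything.
    Header layout: signature(4) ... compressed size at offset 18 (4 bytes LE),
    uncompressed size at 22, name length at 26 (2 bytes), extra length at 28,
    filename at 30. Simplified: no zip64 or data-descriptor handling."""
    names = []
    pos = data.find(LOCAL_HEADER_SIG)
    while pos != -1 and pos + 30 <= len(data):
        comp_size, _uncomp, name_len, extra_len = struct.unpack_from("<IIHH", data, pos + 18)
        names.append(data[pos + 30 : pos + 30 + name_len].decode("utf-8", "replace"))
        pos = data.find(LOCAL_HEADER_SIG, pos + 30 + name_len + extra_len + comp_size)
    return names


def has_risky_member(data: bytes) -> bool:
    """Flag archives that carry an .exe or .scr, whatever the outer name says."""
    return any(name.lower().endswith(RISKY_EXTENSIONS) for name in zip_member_names(data))


def build_sample_zip(member_name: str) -> bytes:
    """Construct an in-memory zip with one harmless placeholder member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, b"placeholder bytes, not an executable")
    return buf.getvalue()


if __name__ == "__main__":
    print("fax story:", is_fax_story(FAX_EMAIL))
    print("risky zip:", has_risky_member(build_sample_zip("fax_report.scr")))
```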

While we trade IOCs in secret circles with secret handshakes, we really need to re-think the way we’re doing it. Attackers can obfuscate or hide inside a network a thousand ways to Sunday, and we’re missing very valuable intelligence inside of the phishing email. By looking at indicators of phishing, we can exploit the lazy attacker and help cut off a major infection vector.

This was cross-posted from the PhishMe blog.
