Cyber Threat hunting with Sqrrl (From Beaconing to Lateral Movement)

This is a review of one of the new generation continuous security monitoring solutions. They have been evolving from a reactive to a proactive approach, today we call them threat hunting platforms. Sqrrl combines outstanding visualization capabilities and strong cyber analytics models to make threat hunting and incident detection a walk in the park.

To do this demo and evalution I am using their ‘Test Drive Sqrrl Enterprise’ that you can download here.

http://info.sqrrl.com/trial-software-vm-1

The demo data is real data from Los Alamos National Labs cyber security research center and it contains the following log sources.

  • 12,000 users
  • 17,000 computers
  • 62,000 processes
  • 1,000,000 million DNS resolutions
  • 11,000 indicators provided by Anomali threat intelligence

It is a pretty short number of log sources however they are very well distributed across the network. They provide good network and endpoint visibility in order to make incident detection effective and contextual when the  incident is detected.

This solution, as well as the current SIEM technology is as effective as the log sources you feed them with. To be fair, Sqrrl excels at this, even without the most suitable log sources it can do pretty good things due to their analytics technology.

Before you decide to implement this or any other SIEM solution be sure you are going to pull out logs from the right places in your organization and that you have the right logs offering the righ behavioural information so your analysts and the cyber analytical models do have enough context-behaviour information to take a decision.

Long gone are the days in which feeding only perimeter logs to the SIEM was enough to do incident detection. Internet has grown massively and so have the security controls in your organization and internal network. Seeing traces of malicious activity in the perimeter tell very little and detection has beeen taken all the way to the endpoint. This has happened primarilty because of the complexity of the maneuvers taken by attackers inside the network, a change in their motivation and an increase in the type of attackers that carry on these attacks.

This makes it a necessity to pull logs from the path between the perimeter and the endpoint. The closer organizations get their detection to the endpoint the faster they will be able to mitigate risk and detect incidents. The endpoint will always contain the biggest footprint of malicious activity.

Do you remember the old pyramid of pain by David Bianco? It is a few years old now however we have quickly evolved to the top of the pyramid, we have the solutions and threat knowledge to accomplish the detection we dreamt about 5 years ago.

The higher in the pyramid the closer you get to the human perpetrating the breach, and this is the goal we are walking towards today. Human fighting human, behing every breach there is human activity and in order to detect it we need to make it humanly understanbable.

Let’s not delay the demo any further, this is how the Sqrrl main dashboard looks like straight out of the box.

dashboard

 

The solution provides 6 detectors, these detectors are built following the cyber kill chain therefore allowing you to pin point exactly in which phase of the attack cycle the attacker may be in. It is impossible for this solution or any other solution to detect all possible combinations of attacks and multiple variables than can happen in an incident however, looking at the well known phases of an attack it is possible to look for indicators of attack within your logs. Sqrrl ingests them and they do their magic. One more time, this is probalby the most importan message from this post and technology review, this magic depends on the nature of your logs, they can stretch the reality but not make the impossible possible. 

Where do we go from here?

Let’s do a quick investigation into one of these Beacon detectors and see where it leads us to.

beacon

This is the initital information we get after clicking in the beacon – the source IP and destination of the beacon, additionally we can see the beacon activity on the bottom right corner.

beacondetail.PNG

Below a detailed view of the beacon activity and a chart legend. Something inside the network its communicating at regular intervals with an external infrastructure.

beaconanalytics.PNG

We can also see the logs involved in the detection, in this case netflow and threat intel feeds from Anomali against IP 118.184.176.15.

Within the next couple of clicks we are going to see the power of this solution, going back to the previous screen for the beacon.

beacon2.PNG

If we click in the IP destination 118.184.176.15 which is the potential threat infrastructure we can see the following,

beaconfull

This is where the power of the solution is, a full view of the threat in a couple of clicks. I have gone from one sinlge beacon view to see all nodes in my network involved in the beacon. The analytical models and the visualization component are providing us all the information we need to start understanding the threat we are dealing with, the impact, the footprint and the entities involve in it.

This is a manual process in other solutions where you have to skim through logs and search or pivot over the  information presented to ascertain the extend of the incident. Sqrrl analytical models and the visualization component eliminate the complexity presented in your data by visualizing and analysing them for you.

The IP itself will not provide enough information to understand the full picture of this threat however on the botton right corner we can see that in the alert there are  Netflow, Proxy logs, Windows logs and endpoint.

beaconsources.png

 

Until here, we have enough information to understand what is happening in the network. Let’s now do a quick research into the threat. We have above what it seems a process (4vnrye74vmugh.php) connected to the external IP 118.184.176.15 plus an external domain MTZLPLK.3322.org

Let’s look at the domain first, I am going to use other solutions that are not Sqrrl related but this will ilustrate how the information used and log sources + Anomali intel is providing an accurate picture. Then again, choose your inteligence sources and logs wisely.

osint domain.png

whois.PNG

The main domain seems to be blacklisted, the IP seems to be based in China and it also host additional threat infrastructure. I normally use PassiveTotal which is out of the scope of this post but it is my preferred tool for this quick investigation.

Now, let’s investigate the process.

OSINT.PNG

The list returned by the solution:

http://www.talosintelligence.com/zeus-trojan-analysis/

It seems we are dealing with the infamous Zeus trojan. Just to be sure let’s do another quick search in Google and Virustotal for the URL and you will confirm the results.

https://www.virustotal.com/es/url/8dc4999013bede82cac5c6fbac704e48af18d4d170efcad8b45f1562cf8b1f9b/analysis/1480950737/

Once confirmed we have a potential Zeus malware let’s go back to SQRRL.

 

clickdomain.png

date.PNG

redirect

 

After clicking in the URL involved in the attack, we discover additional network artifacts like an additional URL. As explained before we also have involved Windows Event Logs and here they take part in the detection, account U3845 seems to be involved in the compromise.

From the above screen we can infer that account U3845 sitting on IP 10.10.1.2 visited the compromised URL and there seems to be an additional URL, we do not know its role yet but we will find out soon.

Let’s quickly research what is this URL sitting in the domain 9991.com

https://www.virustotal.com/es/url/20de462f5db1f89cd9407d82068fbb1bded005052157b7d27703a1b251dcb7cd/analysis/1480952718/

Only one hit in the AV engines, for me only one hit is far more intriguing 30 as we may be researching a new threat not very extended. The link above dates from 4 months ago when I tested this solution, today you analyze the link and it seem it has been clean up so do not doubt the results.

Let’s take the analysis a bit further:

urlquery.PNG

There was definitivelty something wrong with that domain in May 2016 as previously seen.

Let’s quickly look into the raw logs to finally uncover the role of that new URL found,

drilling.png

 

proxylogs.PNG

If we sort the logs a bit,

logs referral.PNG

This pretty much explains the infection, it happened throuh a referral from 991.com the typical drive by download attack.

Let’s continue with the invetigation.

Another click in the account displays additional activity.

accountclick.png

The compromise account seems to be U3845 and it seems it is also contacting other suspicious domains.

fullpicaccount.PNG

 

As explained before SQRRL is unravalling all the information in your raw logs and creating the necessary visual representation to allow the investigastor understand the complexity and maneuvers taken by the threat actor.

Following the trace of this account, U3845, we can see how the account is related to all the previous indicators such as:

  • process 4vnrye74vmugh.php
  • IP 10.10.1.2
  • URL mtzlplk.3322.org
  • URL 991.com

Additionaly we are discovering more indicators of compromise in the endpoint such as a new processes called skype.exe and ccleaner64.exe and 2 workstations C395 and C586. This is starting to look like lateral movement?

Let’s continue focusing the investigation in the account U3845 and take the last snapshot of what we have discovered so far.

snapshot.PNG

 

Why is the process ccleaner64.exe and skype.exe realated to the compromised account?

Let’s check where ccleaner64 is hosted.

hostedon.PNG

 

hostedon2.PNG

 

We uncover that the process ccleaner64.exe is hosted in the endpoint C395 and the same process is also running in C586. Let’s get another view of the process.

hostedon3.png

It is clear that a potential rogue process is present in 2 machines and account U3845 logged into C586. Furthermore, account U3845 has been seen in 2 different IP’s and hosts in the network.

2hosts.PNG

 

 

Now we have additional information such as account U3845 being present in:

  • IP 10.10.1.2 host c395
  • IP 10.1.23.137 host c2450

Let’s do a quick drill in to the raw logs from machine C586, these are the Carbonblack logs in the endpoint.

carbon.PNG

carbon2.PNG

carbon3.PNG

As confirmed visually we can see alerts in the raw logs for the processes mentioned before in machine C586. These 2 processes are being flagged up and they are running in the afromentioned machine where U382 authenticated. These processes seem to be connected to China and Russia which are part of the ‘usual suspects list’.

Let’s export the logs to get the full picture, this is the watchlist created in the endpoint by CarbonBlack.

carbon4.PNG

Confirmed – the threat is related to Zeus as per the process information coming out the endpoint.

Continuing the journey of this threat in the network let’s investigate what has happened in the endpoint C395.

c395 investigation

Very revealing, so C395 which confirmed to have been compromised has also connected to C9825 and C2450 outbount and inbound we have C706. Lets try to close the loop and see where these other endpoints have connected in the network. At this point in time we should start thinking about taking notes to provide containment measures. All the endpoints in touch with C395 need to be scrutinized for adversarial activity.

 

c9825lastconnection

Last connection revealed was from C9825 to C586 and with this we have a complete picture of the attackers lateral movement. Let’s double check everything with IP level and account information.

If we go back some screenshots above, we can see all the IP’s involved in the beacon. Among them we can find 10.10.1.2 which seems to be the hostname C395.

beaconfull

 

ipcheck

Also endpoints C706 and C9825 IP’s are involved in the initial beacon.

allIP.PNG

As seen in many cases, the attacker leverages each of the nodes he compromises and leaves an implant to beacon to his threat infrastruture in the internet. This way he is maximizing his gains, if one of these machines is detected to be compromised it will likely be removed from the network or cleaned, however he will still have multiple entry points into the organization.

If we look at lateral movement from the windows account’s perspective we will also see the same activity.

accountlmovement.PNG

By extracting windows logs from the endpoint, we will try to find the entry point in the network. When analyzing the logs we presumed that C395 is connected to C2450 however as seen in the logs it was a failed attempt. Looking at the logs it seems it all started in C706 and from there the attacker extended his footprint.

authentication logs.PNG

Up until now the power of visualization to make sense of the huge amount of data involved in threat detection, is pretty clear. Sqrrl excels in this and unlike other solutions it pushed further providing much needed visual context after processing your logs.

Sqrrl has proven their worth with this exciting detector, lateral movement is likely one of the most difficult maneuvers to detect inside your organization. They have also developed other detectors that are equally impressive however you do not need to use them if you do not want. Another way to use this solution is purely for hunting and log analysis. You may want to focus on a high valuable node in your network and try to understand the behaviour and interactions in order to uncover suspicious activity.

Making sense of the threats your organization is facing is now faster and with this solution it is easier to read the threat’s TTP’s and feedback the business to implement new controls or update existing ones – thus reducing the risk profile of your organization.

I would like to see more solutions such as this in the near future, having a visualization component supports the threat specialist in his journey to the unknown and it also supports the learning needed in order to be able to defend the organization.

If you are not a Sqrrl customer, having a test drive is an excellent option to assess the power of the solution. I think it would also be highly desirable to create a community edition of this Threat Hunting platform. I cannot see a better way of introducing the benefits of this technology and all of the best solutions out there have one.

 

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s