Sample Security Assessment Report

Presentation on theme: "Sample Security Assessment Report"— Presentation transcript:

1 Sample Security Assessment Report
Joe Poehls | Senior Security Solution Architect APJ

2 PCAP Assessment using the SA Portal

3 Overview
- Capture queries and responses to and from the customer's DNS servers (the ones closest to the users)
- Upload the PCAP file to Infoblox's portal site and wait for the automatic analysis to complete
- Download the report
- Summarize the report for delivery to the customer
- Make a proposal based on the report

4 DNS Security Assessment Portal
Site: How to Video: Tech Brief:

5 The PCAP-files analysis flow (Current)

6 Where should I capture PCAP-files?
(Diagram: Internet -> Network Edge / Forwarding Layer -> Customer Edge DNS -> clients, with "Queries & Responses" shown at each hop. The Forwarding Layer DNS cache already contains bad domains; at the Customer Edge DNS the cache contains bad domains and attacks have already reached the DNS server.)
- GOOD (capture closest to the users): the PCAP files contain all queries, so we can detect all possible attacks and malware.
- OK (capture at the Customer Edge DNS): many attacks were already terminated and malware domains were cached on the Customer Edge DNS servers, so they are missing from the capture.
- BAD (capture of queries sent to the Internet): the PCAP doesn't contain cached queries and misses almost all attacks. Only DNS Firewall analysis is possible.

7 PCAP-files requirements
- The PCAP should contain all packets going to and from the DNS server; do not limit the packet size.
- Upload PCAP files as they are. Do not modify them if possible: ADP can identify attacks which are not related to the DNS protocol, and ADP highlights unexpected traffic.
- Please remove telnet traffic if it is used in the customer's network.
- If a PCAP file contains traffic to several DNS servers (IP addresses), change them to one IP (other restrictions are discussed later).
- Minimum requirement: DNS queries and responses.

8 Current restrictions and limitations
- PCAP file limits: 2 Gb and/or 60 minutes (each), 5 files per batch.
- If ADP analysis is selected, the portal analyzes the traffic only towards 1 IP address (1 DNS server).
- All reports are based on syslog. ADP doesn't report how many matches (alerts and drops) there were per second.
- The count of ADP events can differ if you rerun the same PCAP file (with a high number of events) several times.

9 Example capture via TCPDUMP on BIND Server
Install TCPDUMP:
    apt-get update
    apt-get install tcpdump
Running TCPDUMP verbose for viewing in Wireshark (the snaplen value after -s is missing from the transcript; the slide recommends a large one):
    tcpdump -n -vv -x -X -s <snaplen> -i eth0 'port 53' -c 50 -w /root/port53.txt
Running TCPDUMP for the PCAP security assessment (the packet count after -c is missing from the transcript):
    tcpdump -i eth0 'port 53' -c <count> -w /root/port53.pcap
Run TCPDUMP with a larger snaplen (-s) so that truncated packets are not lost.

10 Upload PCAP into Security Assessment Portal
- Enter the customer name and info
- Choose a malware feed (use the default malware.rpz.infoblox.local unless specific data in other feeds is required)
- Agree to the Terms and Conditions
- Hit Upload and Analyze

11 Wait for Results!

12 Download Results and Create Customer-facing report
We will look at the report format and how to interpret and summarize it in a later section.

13 Assessment Report

14 Report from standpoint of Risk Analysis
- Do not simply provide the PDF from the portal to the customer.
- Interpret the results and identify as specifically as possible what risks are in their environment.
Bad: "We found 200 queries to suspicious sites"; "50 Critical threats were found"
Good: "We found 200 suspicious queries, here are the top 10 by level of risk"
Best: "The top 5 risks we found were: Cryptolocker, Locky, Undetermined botnet, Zeus, and Xcodeghost"

15 How to determine top 10 threats
- If many come up in the report, start with the ones classified as "Critical".
- Start with suspicious-looking domains, such as DGAs or typo domains, e.g. Aweirjasdf1jfaso.ru or Googie.com.
- Use research tools to determine what type of malware or threats use those domains: Alienvault OTX, Cuckoo Sandbox Malwr, Virus Total, Threatcrowd, and of course, when we make it available, ActiveTrust Dossier.
- The portal csp.infoblox.com for the IID DNSFW may also be of use.
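The slide says to start with DGA-looking and typo-squatted domains before turning to the research tools. The script below is an added example (not part of the presentation or any Infoblox tool) of the first-pass triage a reviewer can run over the domain list exported from the report: it scores each registrable label on length, character entropy, consonant runs and digit mixing, checks for names within a small edit distance of a brand list, and ranks the result. The brand list, thresholds and sample domains are assumptions chosen for illustration; the two example domains from the slide are included alongside constructed ones.

```python
import math
from collections import Counter

# Constructed sample of looked-up domains (not the slides' real capture).
SAMPLE_DOMAINS = [
    "www.google.com",
    "Aweirjasdf1jfaso.ru",   # DGA-looking example from the slide
    "Googie.com",            # typo-domain example from the slide
    "mail.example.org",
    "xckjffnjivafxen.biz",   # Cryptolocker DGA example from a later slide
    "news.bbc.co.uk",
]

# Hypothetical brand list for typo-squat detection (assumption; extend per customer).
BRANDS = ["google", "facebook", "microsoft", "apple", "paypal"]
VOWELS = set("aeiou")


def registrable_label(domain):
    """Label left of the public suffix. Simplified suffix rule: a 2-letter TLD
    preceded by a short label (co.uk, com.au) counts as a two-label suffix."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) >= 3 and len(parts[-1]) == 2 and len(parts[-2]) <= 3:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def longest_consonant_run(s):
    run = best = 0
    for ch in s:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best


def edit_distance(a, b):
    """Levenshtein distance via the classic two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typo_target(label):
    """Brand within edit distance 1..2 of the label, or None (exact matches are not typos)."""
    for brand in BRANDS:
        if 1 <= edit_distance(label, brand) <= 2:
            return brand
    return None


def dga_score(label):
    """Count of DGA-like traits; thresholds are heuristic assumptions."""
    score = 0
    score += len(label) >= 12
    score += shannon_entropy(label) > 3.0
    score += longest_consonant_run(label) >= 4
    score += any(c.isdigit() for c in label) and any(c.isalpha() for c in label)
    score += len(label) >= 6 and not any(c in VOWELS for c in label)
    return score


def triage(domains, top_n=10):
    """Return (domain, verdict, score) tuples, highest score first."""
    rows = []
    for d in domains:
        label = registrable_label(d)
        brand, score = typo_target(label), dga_score(label)
        if brand:
            verdict, score = f"possible typo-squat of {brand}", score + 3
        elif score >= 3:
            verdict = "DGA-like"
        elif score > 0:
            verdict = "review"
        else:
            verdict = "looks normal"
        rows.append((d, verdict, score))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows[:top_n]


if __name__ == "__main__":
    for domain, verdict, score in triage(SAMPLE_DOMAINS):
        print(f"{score:>2}  {verdict:<34} {domain}")
```

The output is only a starting order for the manual research step that follows; a high score means "look at this one first", not "malicious".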

16 3 sections of the report
Remember to analyze all 3 types of logs that are flagged in the report:
- Threat Insight
- ADP Rules
- DNSFW

17 Template
1) Show summary
2) Rank the top 10 from your research in order of threat
3) For each of the top 10:
   A) One page describing the generics of the threat
   B) One page describing what we found in the report (domain name, how many queries, client IP)
   C) One page describing recommended actions (i.e. scan that client, block this domain, etc.)
4) Final summary of all recommended actions

18 Undisclosed DNS Security Threat Assessment Report
Findings
- Date of Capture: Monday, March 8, 2016
- Identified DNS Servers: --omitted--
- Capture Duration: total of 30 minutes
- Packets Captured: 29 million (estimated queries)
- Critical Threat Destinations Found: 24
- Total DNS Queries from Packet Capture: 14.5 million (estimated)
- Suspicious Queries found by DNS Firewall: 224
- Threat Categories Accessed: 44
Severity of Attacks (sorted from high to low risk):
- DNS Tunneling/Exfiltration: 4 occurrences
- Anomalous traffic sent by many clients
- Cryptolocker domain: Sanpin.mobi
- DGA/Malware related domains: at least 8 suspect domains
- XcodeGhost iPhone malware detected
- UDP anomalies
- ICMP errors

19 Found Inside Undisclosed Capture -- DNS Tunneling/Exfiltration
- Uses DNS as a covert communication channel to bypass the firewall
- Enables attackers to easily pass stolen data or tunnel IP traffic without detection
- A DNS tunnel can also be used as a full remote control channel for a compromised internal host.
Impact:
- Most security tools do not inspect DNS packet contents (labels, records, etc.)
- Most will not track long-term transactions over DNS
- Users typically have no idea they are exposed or whether this is occurring
How the attack works: (diagram not included in the transcript)

20 Tunneling Found
Client: 10.29.133.108
Domain: kr0.io
Possibly legitimate

21 Tunneling Recommended Actions
- Capture more data from the client. The goal is to make sure this user is not trying to exfiltrate data from the SP infrastructure or databases.
- Check other types of traffic from this user to see if they are accessing any internal sites.
- If the suspicious pattern continues: send an SMS warning them of the hazard (data exfiltration), asking them to bring the phone in for service (service fee).
- If kr0.io is legitimate traffic, add it to the whitelist.

22 Anomalous traffic found
- Destination IP is (d.root-servers.net)
- Traffic is CONTINUOUS
- Queries are random

23 Anomalous traffic found
- Tracing back to the sources, it appears there are multiple clients sending 1 or 2 queries each
- Looks like a slow drip (random subdomain) attack against the root servers, or a cache exhaustion attack against the Service Provider's servers

24 Anomalous traffic recommended actions
- Spend more time tracing how many clients are sending these queries
- Based on the client IP addresses, try to identify any pattern (same OS, same version, same apps, etc.)
- Send an SMS or mail and offer a cleaning service or anti-virus software (for free; the goal is to protect your service and the DNS root servers)
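The tunneling finding (one client, a stream of unique, long encoded labels under kr0.io) and the anomalous-traffic finding (many clients, 1 or 2 random-subdomain queries each) are the two query patterns the slides ask the analyst to trace back by client. The script below is an added example, not code from the presentation or from the portal, that separates the two patterns from ordinary traffic using per-parent-domain features: share of unique subdomain prefixes, average prefix length, number of distinct clients and queries per client. The query log is constructed in the script; the client 10.29.133.108 and domain kr0.io are the values named on the slide, everything else (victim.example, shop.example, the 10.0.x.x addresses, the thresholds) is made up for the example.

```python
import random
from collections import Counter, defaultdict

# Constructed (client_ip, qname) query log; generated deterministically so runs are repeatable.
_rng = random.Random(2016)
_B32 = "abcdefghijklmnopqrstuvwxyz234567"
_ALNUM = "abcdefghijklmnopqrstuvwxyz0123456789"


def _label(alphabet, length):
    return "".join(_rng.choices(alphabet, k=length))


QUERIES = []
# 1) tunnel-like: one client, eight unique 40-octet encoded labels under kr0.io
for _ in range(8):
    QUERIES.append(("10.29.133.108", f"{_label(_B32, 40)}.kr0.io"))
# 2) slow-drip-like: twelve clients, one or two random 10-char labels each under victim.example
for i in range(1, 13):
    for _ in range(1 if i % 2 else 2):
        QUERIES.append((f"10.0.0.{i}", f"{_label(_ALNUM, 10)}.victim.example"))
# 3) ordinary: five clients each resolving two real hostnames twice
for i in range(1, 6):
    for host in ("www.shop.example", "mail.shop.example") * 2:
        QUERIES.append((f"10.0.1.{i}", host))

# Heuristic thresholds (assumptions for the example; tune against the customer's baseline).
UNIQUE_RATIO_MIN = 0.8     # nearly every query carries a never-seen prefix
TUNNEL_PREFIX_LEN = 30     # encoded payloads make long prefixes
TUNNEL_CLIENT_SHARE = 0.8  # a tunnel is dominated by one endpoint
DRIP_MIN_CLIENTS = 10      # slow drip is spread over many clients
DRIP_MAX_PER_CLIENT = 2    # each of which sends only a query or two


def profile(queries):
    """Group queries by parent domain (last two labels) and classify each group."""
    by_parent = defaultdict(list)
    for client, qname in queries:
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # no subdomain prefix to examine
        by_parent[".".join(labels[-2:])].append((client, ".".join(labels[:-2])))

    results = {}
    for parent, rows in by_parent.items():
        n = len(rows)
        clients = Counter(c for c, _ in rows)
        unique_ratio = len({p for _, p in rows}) / n
        avg_len = sum(len(p) for _, p in rows) / n
        top_share = clients.most_common(1)[0][1] / n
        per_client = n / len(clients)
        if unique_ratio >= UNIQUE_RATIO_MIN and avg_len >= TUNNEL_PREFIX_LEN and top_share >= TUNNEL_CLIENT_SHARE:
            verdict = "tunneling-like"
        elif unique_ratio >= UNIQUE_RATIO_MIN and len(clients) >= DRIP_MIN_CLIENTS and per_client <= DRIP_MAX_PER_CLIENT:
            verdict = "slow-drip-like"
        else:
            verdict = "normal"
        results[parent] = {
            "queries": n,
            "clients": len(clients),
            "unique_ratio": round(unique_ratio, 2),
            "avg_prefix_len": round(avg_len, 1),
            "top_client": clients.most_common(1)[0][0],
            "verdict": verdict,
        }
    return results


if __name__ == "__main__":
    for parent, info in sorted(profile(QUERIES).items()):
        print(f"{parent:<16} {info}")
```

The "top_client" field is what the follow-up actions on the slides need: for a tunnel it is the single address to capture more data from, while for a slow drip the client count itself is the point, and the pattern search (same OS, same app) starts from the full list of clients rather than one address.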

25 Found Inside Undisclosed capture - Cryptolocker Domain
- CryptoLocker is a ransomware trojan which targeted computers running Microsoft Windows
- First posted to the Internet on 5 September 2013
- When activated, the malware encrypts certain types of files
- The malware displays a message which offers to decrypt the data if a payment (through either bitcoin or a pre-paid cash voucher) is made
- If the deadline is not met, the malware offered to decrypt the data for a significantly higher price in bitcoin.

26 Found Inside Undisclosed capture - Cryptolocker Domain
- Client that accessed: only 1 occurrence in 30 minutes
- Domain accessed: Sanpin.mobi
- A single owner owns 439 other domains, which appear to be created for DGAs
- Likely malicious

27 Cryptolocker domain recommended actions
- Create an opt-in service for clients to allow the SP to block malicious sites
  Option 1) The SP determines the sites and blocks them (in this case add sanpi.mobi to the RPZ to block it)
  Option 2) Allow users to choose which sites to block, but give them the list of suspect sites the SP has recorded and an easy checkbox to allow blocking
- Send an SMS or mail and offer a cleaning service or anti-virus software (for a fee)

28 Found Inside Undisclosed capture - DGA/Malware Related
- Static domains are a weak point of Fast Flux that allows it to be filtered by some security devices
- Constantly changing the domain name adds another layer of complexity to better prevent detection
- This also prevents blocking because there is no domain name list in the malware itself
- Often used as a backup lookup method, since the primary method of static domains and P2P networks still often works
Impact:
- Avoids detection by malware prevention tools that try to detect domain names used by C2 servers
Example Cryptolocker DGA domains:
  sljjjupfgagolpg.ru
  uftfesnodnjflwta.info
  vxagtvsyqxtrfcm.com
  wxphewjnfhlyyjj.net
  xckjffnjivafxen.biz
Noted use: Cryptolocker, Game-Over Zeus

29 Found Inside Undisclosed capture - DGA/Malware Related
Table columns in the original: Site | Client that performed lookup | Risk Level | Description (the client column is not included in the transcript).
- 7450.bodis.com (Risk: Moderate): Name server NS2.BODIS.COM is associated with 1324 domains, many suspicious. However, the domain is over 10 years old and may have legitimate sites as well.
- xtxbj5ing.com (Risk: High): Generated domain name; the site has been observed being spammed to discussion boards to get people to access it; low chance of being a legitimate site.
- rcdm3.ado-16gs7.com, t94.bel-pas.com, qrgxdvzqpw.net: All registered with GMO Internet, but the servers are in Hong Kong and other locations. The domains seem to be generated (DGA). Possibly legitimate sites, but could also be advertisement fraud or botnet related.
- web.fc2.com (Risk: Low): The domain fc2.com is largely a blogging site; however, this particular domain appears to be machine generated and has >100 subdomains under it. Most of the subdomains are related to advertising, with some suspicious sites as well. Likely to be safe, but user opt-in blocking can be allowed.
- Safe-server-click.com: "PhoneBooster" app download site that downloads an app infected with Android.Trojan Agent.
- kintubo01.70.kg: Site has been observed being spammed to discussion boards to get people to access it; low chance of being a legitimate site.
- parkingcrew.net: Host name appears to be generated and is part of a large number of domains under parkingcrew.net. Will redirect users to ads and collect user information, possibly download malware.
- aaqwcltljskhny.com: Registered by [registrant omitted in the transcript], who owns 1012 other domains, many of which appear to be DGA related. Alienvault has linked this domain to Locky Ransomware C&C servers.
The specific botnet cannot be determined from DNS traffic alone, but lookups to sites owned by suspicious owners were seen.
Categories used in the table: sites that seem to be related to DGAs; sites that do not seem to have legitimate owners; sites that have been observed distributing malware.

30 DGA/Malware Related domain recommended actions
- Create an opt-in service for clients to allow the SP to block malicious sites
  Option 1) The SP determines the sites and blocks them (in this case add sanpi.mobi to the RPZ to block it)
  Option 2) Allow users to choose which sites to block, but give them the list of suspect sites the SP has recorded and an easy checkbox to allow blocking
- Send an SMS or mail and offer a cleaning service or anti-virus software (for a fee)

31 Found Inside Undisclosed capture - XcodeGhost
- Compiler malware: developers build iPhone apps using a corrupted version of Apple's Xcode compiler
- Developers publish the app to Apple's App Store without knowing their code contains malware
- Over 300 apps in the store affected
- iOS 9 apps also infected with the new XcodeGhost S
- Collects information about the user and sends it to C2 servers; can also open connections and possibly download additional malware to the device, even steal passwords
- Uses a static list of C2 servers, so these can be blocked
Impact:
- Apple sees the threat level as critical and is attempting to remove all infected apps from the App Store
XcodeGhost C2 domains:
  Init.crash-analytics.com
  Init.icloud-diagnostics.com
  Init.icloud-analysis.com

32 Found Inside Undisclosed capture - XcodeGhost
Clients identified: (list not included in the transcript)
Standard A record query-response

33 XcodeGhost recommended actions
- No known valid services at these domains; allow ADP to block access to the domains
- Perhaps create notes saying you are blocking this domain to prevent XcodeGhost vulnerabilities

34 UDP Anomalies found in Undisclosed capture
- Exploit vulnerabilities in DNS software
- Use malformed packets and queries to attempt to crash the server
- Send specific queries to gather information on the network before launching a large-scale DDoS or other attack
Impact:
- Often blend into the background noise of all the DNS activity; difficult to notice
- One key vulnerability in either the network or DNS can be exploited to either take the site offline or for covert entry into the site
Found in this capture:
- These were UDP packets with an invalid class or count in the question section
- Most were variations of SRV queries for SIP-type services
- They were answered with Refused
- Recommendation: let ADP block these packets to reduce the impact on the DNS server; no change would be perceived by users
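"Invalid class or count in the question section" is a check that can be reproduced directly on the packet bytes, which is useful when confirming what ADP flagged. The code below is an added example, not part of the presentation or of ADP: a minimal DNS header and question-section parser written from the wire format (12-byte header, length-prefixed labels, QTYPE and QCLASS), with a small builder that constructs test queries so the script runs offline. It classifies a well-formed A query, a SIP SRV query like those mentioned on the slide, a query with an undefined QCLASS, a query whose QDCOUNT is 0, and a truncated packet. The example packets and transaction id are constructed; the QTYPE/QCLASS tables list only standard registered values.

```python
import struct

# Registered QTYPE and QCLASS values used for validation (subset).
QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
          16: "TXT", 28: "AAAA", 33: "SRV", 255: "ANY"}
QCLASSES = {1: "IN", 3: "CH", 4: "HS", 255: "ANY"}


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype, qclass=1, qdcount=1, txid=0x1234):
    """Constructed test query: header with the given QDCOUNT plus exactly one question.
    flags 0x0100 = standard query, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, qdcount, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)


def parse_name(buf, off):
    """Parse an uncompressed name at buf[off:], with bounds checks on every label."""
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("name runs past end of packet")
        ln = buf[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question name")
        if ln > 63:
            raise ValueError("label longer than 63 octets")
        if off + ln > len(buf):
            raise ValueError("label runs past end of packet")
        labels.append(buf[off:off + ln].decode("ascii", "replace"))
        off += ln
    return ".".join(labels), off


def inspect_query(packet):
    """Classify the question section of one DNS query packet."""
    if len(packet) < 12:
        return {"verdict": "malformed", "reason": "short header"}
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000:
        return {"verdict": "response", "reason": "QR bit set"}
    if qdcount != 1:
        # A standard query carries exactly one question; anything else is the "count" anomaly.
        return {"verdict": "malformed", "reason": f"qdcount={qdcount}, expected 1 for a query"}
    try:
        qname, off = parse_name(packet, 12)
        if off + 4 > len(packet):
            raise ValueError("question truncated before QTYPE/QCLASS")
        qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    except ValueError as exc:
        return {"verdict": "malformed", "reason": str(exc)}
    if qclass not in QCLASSES:
        # The "class" anomaly: a QCLASS value with no registered meaning.
        return {"verdict": "malformed", "reason": f"invalid qclass {qclass}", "qname": qname}
    return {"verdict": "ok", "qname": qname,
            "qtype": QTYPES.get(qtype, f"TYPE{qtype}"), "qclass": QCLASSES[qclass]}


# Constructed samples mirroring the cases discussed on the slide.
SAMPLES = {
    "plain A query": build_query("www.example.com", 1),
    "SIP SRV query": build_query("_sip._udp.example.com", 33),
    "undefined QCLASS": build_query("www.example.com", 1, qclass=0x1234),
    "QDCOUNT of zero": build_query("www.example.com", 1, qdcount=0),
    "truncated packet": build_query("www.example.com", 1)[:20],
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:<18} {inspect_query(pkt)}")
```

Run against real traffic, the same function applied to each UDP payload captured on port 53 gives the count and the source addresses behind the anomaly line in the report, which is what the "let ADP block these packets" recommendation is based on.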

35 ICMP Errors found in Undisclosed capture
- ICMP floods are still sometimes used for basic flood attacks
Impact:
- Overload the server with ICMP requests to reduce DNS performance or crash the DNS server
Log excerpt (addresses redacted):
RATELIMIT PASS ICMP ping responses|8|src=xx.yy.zz.aa spt=0 dst=
RATELIMIT PASS ICMP ping responses|8|src=xx.yy.zz.aa spt=0 dst=
RATELIMIT PASS ICMP ping responses|8|src=xx.yy.zz.aa spt=0 dst=
RATELIMIT PASS ICMP ping responses|8|src=xx.yy.zz.aa spt=0 dst=
RATELIMIT PASS ICMP ping responses|8|src=xx.yy.zz.aa spt=0 dst=
RATELIMIT PASS ICMP ping responses|8|src=xx.yy.zz.aa spt=0 dst=
RATELIMIT PASS ICMP ping responses|8|src=xx.yy.zz.aa spt=0 dst=
RATELIMIT PASS ICMP ping responses|8|src=xx.yy.zz.aa spt=0 dst=
RATELIMIT PASS ICMP ping responses|8|src=xx.yy.zz.aa spt=0 dst=
- During one period there was a large amount of ICMP response rate-limiting.
- These errors could be due to some sort of ICMP flood DDoS.
- However, after further inspection, we think this server is pinged by many sources as part of normal operation, and the time period above was simply many pings coming at the same time.
- HOWEVER, these pings are from Internet servers; the provider should ensure these IP addresses are allowed to ping the DNS server.
- Recommended action: check the source IPs to determine if these devices should be pinging the DNS server. If not, take action such as blocking them at the firewall for additional protection.
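The recommended action for this finding is to check which source IPs are behind the rate-limit events and whether they are expected to ping the resolver. The script below is an added example (not code from the presentation or from ADP) that parses lines in the same shape as the excerpt above, aggregates them per source, and marks each source against an allowlist of hosts that are permitted to ping the DNS server. The log lines are constructed with documentation addresses, the DROP action is assumed as the counterpart of PASS, and the allowlist is a placeholder the provider would fill from its monitoring inventory.

```python
import re
from collections import Counter

# Constructed sample in the same format as the slide's excerpt (documentation IPs, not real hosts).
SAMPLE_LOG = """\
RATELIMIT PASS ICMP ping responses|8|src=192.0.2.10 spt=0 dst=198.51.100.53
RATELIMIT PASS ICMP ping responses|8|src=192.0.2.10 spt=0 dst=198.51.100.53
RATELIMIT PASS ICMP ping responses|8|src=203.0.113.7 spt=0 dst=198.51.100.53
RATELIMIT PASS ICMP ping responses|8|src=10.1.1.5 spt=0 dst=198.51.100.53
RATELIMIT PASS ICMP ping responses|8|src=203.0.113.7 spt=0 dst=198.51.100.53
RATELIMIT PASS ICMP ping responses|8|src=203.0.113.7 spt=0 dst=198.51.100.53
RATELIMIT DROP ICMP ping responses|8|src=203.0.113.7 spt=0 dst=198.51.100.53
"""

# Hypothetical allowlist of monitoring hosts permitted to ping the resolver (assumption).
ALLOWED_PINGERS = {"10.1.1.5", "192.0.2.10"}

# <category> <action> <rule name>|<rule id>|key=value key=value ...
LINE_RE = re.compile(r"^(?P<category>\w+) (?P<action>\w+) (?P<rule>[^|]+)\|(?P<rule_id>\d+)\|(?P<fields>.*)$")


def parse_line(line):
    """Return a dict of the fixed columns plus the key=value fields, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for kv in rec.pop("fields").split():
        key, _, value = kv.partition("=")
        rec[key] = value  # an empty value (e.g. a redacted dst=) is kept as ""
    return rec


def triage_icmp(log_text, allowed):
    """Aggregate ICMP rate-limit events per source and flag sources outside the allowlist.
    Returns a list of dicts sorted by event count, highest first."""
    events, drops = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["category"] != "RATELIMIT" or "ICMP" not in rec["rule"]:
            continue
        events[rec["src"]] += 1
        if rec["action"] == "DROP":
            drops[rec["src"]] += 1
    return [{"src": src, "events": n, "dropped": drops[src], "allowed": src in allowed}
            for src, n in events.most_common()]


def unexpected_sources(report):
    """Sources that produced rate-limit events but are not permitted to ping the server."""
    return [row["src"] for row in report if not row["allowed"]]


if __name__ == "__main__":
    report = triage_icmp(SAMPLE_LOG, ALLOWED_PINGERS)
    for row in report:
        print(row)
    print("review at the firewall:", unexpected_sources(report))
```

The "unexpected sources" list is the input to the firewall review on the slide; a source that is on the allowlist but still dominates the event count points at a monitoring host that is polling too aggressively rather than at an attack.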

36 Summary of Recommended Actions
Tunneling:
- Monitor non-DNS traffic from the IP address; make sure they are not attacking infrastructure
- If not, then possibly alert the user via SMS and offer a cleaning service at a mobile shop
- If the user explains that the traffic is legitimate, add it to the whitelist
Anomalous DNS traffic to root:
- Monitor and track traffic from the IP addresses; try to identify a pattern
- Based on any patterns, action can be taken (aggressively block or offer a cleanup service)
Cryptolocker and other malicious domains:
- Create an opt-in service for users to apply stronger filtering at the DNS level
- SMS or otherwise notify users logged from these domains that they can use this service
- Offer a paid cleaning service at mobile shops
XcodeGhost:
- Allow ADP to block
- Possibly notify the user, or release a general statement
UDP Anomalies:
- Allow ADP to block users to protect the DNS infrastructure
ICMP Errors:
- Confirm the IP addresses that are allowed to ping the DNS server; if required, add additional blocks at the firewall, etc.
