Combating Spear-phishing:
Convergence of Intel, Ops, Forensics, and
Vulnerability Management
Mr. Billy Rodriguez, GCIH
Chief
Intrusion Prevention Section
Mr. Jacob Stauffer, GCFA, GREM
Chief
Integrity - Service - Excellence
BLUF
Air Force networks are constantly under attack
Overview of the 33NWS mission
Discuss AF vulnerability management
33 NWS (AFCERT)
Vision
Air Force network defenders providing Joint War Fighter freedom of action by employing pro-active network defense capabilities.
Mission
To produce effects for the Air Force and Combatant Commands in, through, and from cyberspace by employing synchronized network defense operations to detect, respond, and prevent network intrusions.
Semper Excubia
26 NOG Network Defense Team
33NWS (AFCERT) "Mighty Griffins": 24x7 AF Network Defense (Prevent, Detect, Respond)
26 NOS "Always On, Always Ready": 24x7 AF Network Operations, Support, & Defense
352 NWS "Firebirds": OPSEC & Force Protection Monitoring, Cyber Data Analysis
68 NWS "Purple Dragons": OPSEC Monitoring, Web Risk Assessment, Cyber Battle Damage Assessment
426 NWS "Committed to Excellence": OPSEC Monitoring, OPFOR Analysis, Threat Presentation
Partnerships
Military: USCYBERCOM; Army, Navy, Marine CERTs
Intelligence: NSA / NTOC, CIA, NASIC
Law Enforcement: AFOSI, DHS
Mission Ops Tempo
(Chart: Incidents per year, 2008, 2009, 2010, 2011, 2012 YTD. Series 1: 127, 204, 204, 156, 59. Series 2: 812, 906, 1287, 1272, 429. Series labels are not recoverable from the slide.)
Vulnerability Management
Risk Management
Monitoring Advisories
Patch Management
Vulnerability Scanning
Risk Management
Common questions to ask
What systems do you have?
What products do you have?
Are you affected by each vulnerability?
Does every vulnerability receive a “critical” designation?
How do you prioritize?
Advisories
Threat Advisories
Security Tips
Tangible Stories
Patch Management
"How do you receive your patches?"
Adobe, Microsoft, Java
Patch Management (cont’d)
(Diagram: patch sources Adobe, Microsoft, Java; Test System; Workstation A, Workstation B, Workstation C)
Vulnerability Scanning
Blue Team
Red Team
Green Team
Host Based Security
Protect your host by analyzing the norm and weeding out the unknown.
“The last line of defense!”
Why don't you just educate users?
Spear-phishing
Supervisor to subordinate
Conference Attendance invites
Case Study: Vulnerability
Acknowledged
Initial Attacks Observed
Days later…
Federal Tax Law Changes for 2010-2017
Additional Attacks Observed
4 Jan 10 – Additional attempts observed on "Federal Tax Law Changes for 2010-2017" (Version 2)
Highly successful
Malware had been modified to evade AV
Targeted mainly JA/ADC officers
Analysis Begins
5 Jan 10 – Malware obtained/analyzed
5 Jan 10 – Blackhole listed malicious URLs
7 Jan 10 – Developed and pushed the “Magic Signature”
Even More Attacks
11 - 15 Jan 10 – Observed 5 additional email subjects/attachments
“OPM Form 71 – Request for Leave/Approved Absence (Jan 2010)” (11 Jan)
“MPUC 2010” (12 Jan)
“China’s Evolving Strategic Strike Capability” (13 Jan)
“News Highlights 13-01-2010” (13 Jan)
“USEUCOM Intelligence Summit” (15 Jan)
12 Jan 10 – Adobe released patch
The “Magic Signature”
The malicious PDF was first opened in WinHex and reviewed for possible code following the EOF tags; nothing suspicious was found there.
Another region did look suspicious, however, and a pattern emerged revealing a portion of a rolling XOR key.
The full XOR key was uncovered. Using the start of the embedded binary as the starting point, the key began with \x00 and continued in descending order with \xFF \xFE \xFD \xFC \xFB etc., thus revealing the executable.
A script was written to apply this XOR key to the PDF, and the embedded binary was extracted for analysis.
More importantly, this led to an extremely valuable IDS signature:
first, the offset of the malicious binary in the raw PDF was noted (in this case 68CF);
then the PDF was converted to Base64, since that is the encoding used when it is sent as an email attachment;
however, the size difference between the raw PDF and its Base64 variant had to be factored in.
Since the Base64 variant is 125% larger than the raw PDF (chunks of 4 vice chunks of 3), the raw PDF offset of the malicious binary (68CF) was divided by 3 and then multiplied by 4, giving us 8FBC.
This revealed the correct offset in the Base64 version of the PDF at which to create an IDS signature.
This procedure was repeated twice, adding one and two bytes of offset to the start of the original PDF, in order to account for the three possible Base64 alignments.
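The following Python script is an added example, not the analyst's script from the presentation. It reproduces the two steps described above on a constructed sample: it applies the rolling XOR key (assumed to start at \x00 at the first byte of the embedded binary and descend by one per byte, wrapping modulo 256) to recover the executable, and it maps the raw-file offset of the encoded binary to its position in the Base64 stream using the 4-characters-per-3-bytes ratio, generating the signature pattern for all three alignments (0, 1 and 2 bytes prepended) in one pass. The "PDF", the embedded "binary", its offset and the function names are all constructed for this example; only complete 3-byte groups inside the sample are used, so the pattern does not depend on surrounding bytes.

```python
import base64

# Constructed sample, not the malicious PDF from the slides: a fake "executable"
# that the script XOR-encodes with the rolling key and drops into a PDF-like shell.
SAMPLE_BINARY = b"MZ\x90\x00" + bytes(range(32))


def rolling_xor_key(length, start=0x00):
    """Key as described on the slide: begins at `start` (0x00) and descends one
    value per byte, wrapping modulo 256: 0x00, 0xFF, 0xFE, 0xFD, ..."""
    return bytes((start - i) & 0xFF for i in range(length))


def xor_bytes(data, key):
    """XOR two equal-length byte strings (the same operation encodes and decodes)."""
    return bytes(b ^ k for b, k in zip(data, key))


def extract_embedded(pdf_bytes, offset, length):
    """Apply the rolling key starting at the embedded binary's offset and return
    the decoded executable for analysis."""
    region = pdf_bytes[offset:offset + length]
    return xor_bytes(region, rolling_xor_key(len(region)))


def base64_offset(raw_offset):
    """Raw file offset -> offset of the Base64 character group covering that byte.
    Base64 emits 4 characters per 3 input bytes (the slide's divide by 3, multiply by 4)."""
    return (raw_offset // 3) * 4


def base64_signature(pdf_bytes, offset, length, shift):
    """Base64 text produced by pdf_bytes[offset:offset+length] when `shift` (0, 1 or 2)
    extra bytes precede the file in the encoded stream.  Returns
    (offset_in_base64_stream, pattern) using only complete 3-byte groups."""
    start = offset + shift              # position of the sample in the shifted stream
    head = (-start) % 3                 # bytes to skip to reach a 3-byte boundary
    groups = (length - head) // 3       # complete groups inside the sample
    chunk = pdf_bytes[offset + head:offset + head + 3 * groups]
    return base64_offset(start + head), base64.b64encode(chunk).decode("ascii")


def signatures_for_all_alignments(pdf_bytes, offset, length):
    """The three (Base64 offset, pattern) pairs needed to match the encoded binary
    whatever its alignment, as the slide's repeated procedure produces."""
    return [base64_signature(pdf_bytes, offset, length, shift) for shift in range(3)]


def verify_signature(pdf_bytes, offset, length, shift):
    """Self-check: encode the whole (shifted) file the way a mail client would and
    confirm the pattern sits at the predicted Base64 offset."""
    b64_off, pattern = base64_signature(pdf_bytes, offset, length, shift)
    stream = base64.b64encode(b"\x00" * shift + pdf_bytes).decode("ascii")
    return stream[b64_off:b64_off + len(pattern)] == pattern


def build_sample_pdf():
    """Constructed PDF-like blob with the XOR-encoded binary at a known offset.
    Returns (pdf_bytes, offset_of_encoded_binary)."""
    header = b"%PDF-1.4\n" + b"A" * 100
    encoded = xor_bytes(SAMPLE_BINARY, rolling_xor_key(len(SAMPLE_BINARY)))
    return header + encoded + b"\n%%EOF\n", len(header)


if __name__ == "__main__":
    pdf, binary_offset = build_sample_pdf()
    decoded = extract_embedded(pdf, binary_offset, len(SAMPLE_BINARY))
    print("decoded header:", decoded[:4])
    for shift, (b64_off, pattern) in enumerate(
            signatures_for_all_alignments(pdf, binary_offset, len(SAMPLE_BINARY))):
        ok = verify_signature(pdf, binary_offset, len(SAMPLE_BINARY), shift)
        print(f"shift {shift}: base64 offset {b64_off:#x} pattern {pattern} verified={ok}")
```

Running the script prints the recovered MZ header and the three alignment-specific patterns with their Base64 offsets; each pattern is the content match an IDS rule would carry, and the offset is what bounds the search window in the encoded attachment.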
Mighty Griffins - 24x7 AF Network Defense
Questions?
Contact Information
Ms Christi Ruiz, 33 NWS/DOU
christi.ruiz@us.af.mil
Mr Jacob Stauffer, 33NWS/DOUF
jacob.stauffer@us.af.mil
Mr Billy Rodriguez, 33NWS/DOUP