Combating Spear-phishing:

Academic year: 2021


(1)

Combating Spear-phishing: Convergence of Intel, Ops, Forensics, and Vulnerability Management

Mr. Billy Rodriguez, GCIH, Chief, Intrusion Prevention Section

Mr. Jacob Stauffer, GCFA, GREM, Chief

(2)

Integrity - Service - Excellence

BLUF

Air Force networks are constantly under attack

Overview of the 33NWS mission

Discuss AF vulnerability management

(3)

33 NWS (AFCERT)

Vision

Air Force network defenders providing Joint War Fighter freedom of action by employing pro-active network defense capabilities.

Mission

To produce effects for the Air Force and Combatant Commands in, through, and from cyberspace by employing synchronized network defense operations to detect, respond, and prevent network intrusions.

(4)


Semper Excubia

26 NOG Network Defense Team

 33NWS (AFCERT) “Mighty Griffins”: 24x7 AF Network Defense (Prevent, Detect, Respond)

 26 NOS “Always On, Always Ready”: 24x7 AF Network Operations, Support, & Defense

 352 NWS “Firebirds”: OPSEC & Force Protection Monitoring, Cyber Data Analysis

 68 NWS “Purple Dragons”: OPSEC Monitoring, Web Risk Assessment, Cyber Battle Damage Assessment

 426 NWS "Committed to Excellence": OPSEC Monitoring, OPFOR Analysis, Threat Presentation

(5)

Partnerships

 Military

 USCYBERCOM

 Army, Navy, Marine CERTs

 NSA / NTOC

 Intelligence

 NSA / NTOC

 CIA

 NASIC

 Law Enforcement

 AFOSI

 DHS

(6)


Mission Ops Tempo

[Chart: incidents per year, 2008 through 2012 YTD, y-axis 0 to 1400; two series with values 127, 204, 204, 156, 59 and 812, 906, 1287, 1272, 429]

(7)
(8)


Vulnerability Management

Risk Management

Monitoring Advisories

Patch Management

Vulnerability Scanning

(9)

Risk Management

 Common questions to ask

 What systems do you have?

 What products do you have?

 Are you affected by each vulnerability?

 Does every vulnerability receive a “critical” designation?

 How do you prioritize?

(10)


Advisories

 Threat Advisories

 Security Tips

 Tangible Stories

(11)

Patch Management

“How do you receive your patches?”

Adobe, Microsoft, Java

(12)


Patch Management (cont’d)

[Diagram: Adobe, Microsoft, and Java patch sources; Workstation A, Workstation B, Workstation C, and a Test System]

(13)

Vulnerability Scanning

Blue Team

Red Team

Green Team

(14)


Host Based Security

Protect your host by analyzing the norm and weeding out the unknown.

“The last line of defense!”
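The "analyze the norm, weed out the unknown" idea as a baseline check, added here as an illustration and not code from the 33 NWS briefing. A known-good snapshot of executables (path to SHA-256) is the norm; anything in a later snapshot that is absent from it, or whose hash has changed, is flagged for review. The file paths and contents are constructed stand-ins, and on a real host the snapshot would come from hashing the files on disk:

```python
# Added example (not from the briefing): host baseline comparison.
import hashlib


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a file's contents, hex encoded."""
    return hashlib.sha256(data).hexdigest()


def snapshot(files: dict[str, bytes]) -> dict[str, str]:
    """Hash every file in a {path: contents} map; stands in for a disk walk."""
    return {path: sha256_hex(data) for path, data in files.items()}


def find_unknown(baseline: dict[str, str], current: dict[str, str]) -> dict[str, str]:
    """Return {path: reason} for every executable the baseline does not explain:
    either the path is new, or the file at a known path no longer matches."""
    findings = {}
    for path, digest in current.items():
        if path not in baseline:
            findings[path] = "not in baseline"
        elif baseline[path] != digest:
            findings[path] = "hash changed"
    return findings


# Constructed "known good" state captured when the host was built (the norm).
BASELINE = snapshot({
    r"C:\Windows\System32\notepad.exe": b"notepad-build-1",
    r"C:\Program Files\Adobe\Reader\AcroRd32.exe": b"reader-9.3",
})

# Constructed later snapshot: Reader has been altered and a new executable
# appeared in a user's temp directory; notepad is unchanged.
CURRENT_FILES = {
    r"C:\Windows\System32\notepad.exe": b"notepad-build-1",
    r"C:\Program Files\Adobe\Reader\AcroRd32.exe": b"reader-9.3-altered",
    r"C:\Users\jdoe\AppData\Local\Temp\update.exe": b"unknown-binary",
}

if __name__ == "__main__":
    for path, reason in find_unknown(BASELINE, snapshot(CURRENT_FILES)).items():
        print(f"{reason:16} {path}")
```

A legitimate patch also changes a hash, so the baseline has to be re-captured after an approved update (the Test System stage in the patch-management slides is the natural place to do that); the point of the check is that every change is explained, not that nothing ever changes.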


(15)

Why don’t you just educate users?

(16)
(17)
(18)


Spear-phishing

 Supervisor to subordinate

 Conference Attendance invites

(19)

Case Study: Vulnerability

Acknowledged

(20)


Initial Attacks Observed

 Days later…

 Federal Tax Law Changes for 2010-2017

(21)

Additional Attacks Observed

 4 Jan 10 – Additional attempts observed on “Federal Tax Law Changes for 2010-2017” (Version 2)

 Highly successful

 Malware had been modified to evade AV

 Targeted mainly JA/ADC officers

(22)


Analysis Begins

 5 Jan 10 – Malware obtained/analyzed

 5 Jan 10 – Blackhole listed malicious URL’s

 7 Jan 10 – Developed and pushed the “Magic Signature”

(23)

Even More Attacks

 11 - 15 Jan 10 – Observed 5 additional email subjects/attachments

 “OPM Form 71 – Request for Leave/Approved Absence (Jan 2010)” (11 Jan)

 “MPUC 2010” (12 Jan)

 “China’s Evolving Strategic Strike Capability” (13 Jan)

 “News Highlights 13-01-2010” (13 Jan)

 “USEUCOM Intelligence Summit” (15 Jan)

 12 Jan 10 – Adobe released patch

(24)


The “Magic Signature”

(25)

The malicious PDF was first opened in WinHex…

(26)

A review for possible code following EOF tags was done: nothing suspicious.

(27)

this looked suspicious however…

…plus, a pattern emerged revealing a portion of a rolling

(28)

The full XOR key was uncovered. Using the embedded binary as a starting point, the key began with \x00 and continued in descending order with \xFF \xFE \xFD \xFC \xFB etc., thus revealing the executable.

A script was written to apply this XOR key to the PDF, and the embedded binary was extracted for analysis.

More importantly, this led to an extremely valuable IDS signature
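The key recovery and decoding described on these slides, written out as an added example (this is not the 33 NWS script). The key follows the scheme the slides give: 0x00 at the first byte of the embedded binary, then 0xFF, 0xFE, 0xFD, and so on. The "pattern" an analyst notices in the hex view is the key itself showing through the long runs of zero bytes in a PE header, since 0x00 XOR k is k; the code below uses exactly that run to find where the binary starts. The PDF wrapper and the "executable" are constructed stand-ins, not bytes from the real sample:

```python
# Added example (not from the briefing): descending rolling-XOR key recovery.


def rolling_key(i: int) -> int:
    """Key byte for position i of the embedded binary: 0x00, 0xFF, 0xFE, ..."""
    return (-i) & 0xFF


def xor_rolling(data: bytes, start: int = 0) -> bytes:
    """XOR data with the rolling key, beginning at key index `start`.
    XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ rolling_key(start + i) for i, b in enumerate(data))


def find_descending_run(data: bytes, min_len: int = 8) -> int:
    """Offset of the first run of at least min_len bytes in which each byte is
    the previous one minus 1 (mod 256). Zero bytes in the plaintext leak the key
    unchanged, so a run like this is the key showing through. Returns -1 if none."""
    run_start, run_len = 0, 1
    for i in range(1, len(data)):
        if data[i] == (data[i - 1] - 1) & 0xFF:
            run_len += 1
            if run_len >= min_len:
                return run_start
        else:
            run_start, run_len = i, 1
    return -1


def locate_binary(pdf: bytes) -> int:
    """Offset at which the embedded binary (key index 0) starts, or -1.
    At run offset p the plaintext byte is 0x00, so the observed value v equals
    rolling_key(p - start), i.e. (p - start) % 256 == (-v) % 256. Walk the
    candidate starts backwards in steps of 256 and accept the first one whose
    decoding begins with the 'MZ' DOS header magic."""
    p = find_descending_run(pdf)
    if p < 0:
        return -1
    start = p - ((-pdf[p]) & 0xFF)
    while start >= 0:
        if xor_rolling(pdf[start:start + 2]) == b"MZ":
            return start
        start -= 256
    return -1


def extract_binary(pdf: bytes, start: int, length: int) -> bytes:
    """Decode `length` bytes of the embedded binary beginning at `start`."""
    return xor_rolling(pdf[start:start + length])


# Constructed stand-in for an embedded executable: MZ magic, a few header
# fields and a run of zero bytes, as a real DOS/PE header has.
SAMPLE_EXE = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
              + b"\x00" * 48
              + b"This program cannot be run in DOS mode.")
# Constructed PDF wrapper around the XOR-encoded binary.
PDF_PREFIX = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
SAMPLE_PDF = PDF_PREFIX + xor_rolling(SAMPLE_EXE) + b"\nstartxref\n%%EOF\n"

if __name__ == "__main__":
    off = locate_binary(SAMPLE_PDF)
    print(f"embedded binary starts at raw offset {off:#x}")
    print(extract_binary(SAMPLE_PDF, off, len(SAMPLE_EXE))[:16])
```

The run detector is deliberately strict (eight consecutive descending bytes) so that ordinary PDF content does not trigger it; the MZ check on the candidate start is what makes the result trustworthy rather than the run alone.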

(29)

First, the offset of the malicious binary was noted (in this case 68CF).

Then the PDF was converted to Base64, since that’s the encoding used when it is sent as an email attachment.

However, the size difference between the raw PDF and its Base64 variant had to be factored in.

(30)

Since the Base64 variant is 125% larger than the raw PDF (chunks of 4 vice chunks of 3), the raw PDF offset of the malicious binary (68CF) was divided by 3 then multiplied by 4, giving us (8FBC).

This revealed the correct offset in the Base64 version of the PDF to create an IDS signature.

This procedure was repeated twice by adding one and two offsets to the original PDF, in order to account for the three base64 possibilities.
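The offset mapping and the three-alignment signature procedure from these slides, as an added example that is not the 33 NWS tooling. Base64 emits 4 characters per 3 input bytes, so a raw offset maps to 4 * (offset // 3) in the encoded stream, and the same bytes encode to three different strings depending on offset % 3; the slides handled this by prepending one and two bytes to the PDF, and the code below does the same by prepending filler bytes to the pattern. Each base64 character covers bits from two adjacent input bytes, so the characters that straddle filler or unknown trailing bytes are trimmed off, leaving only what the pattern alone determines. The pattern bytes are constructed samples, not bytes from the real PDF:

```python
# Added example (not from the briefing): base64 offsets and phase signatures.
import base64

# Encoded characters that still depend on bytes outside the pattern, per phase.
_LEAD_DROP = {0: 0, 1: 2, 2: 3}   # filler bytes prepended -> chars to drop at the front
_TAIL_DROP = {0: 0, 1: 3, 2: 2}   # padded length % 3 -> chars to drop at the end (incl. '=')


def base64_offset(raw_offset: int) -> tuple[int, int]:
    """Map a raw-file offset to (offset of its quantum in the base64 stream,
    position of the byte within that 3-byte quantum)."""
    return 4 * (raw_offset // 3), raw_offset % 3


def base64_signatures(pattern: bytes) -> list[str]:
    """One signature per alignment. For phase p the pattern is preceded by p
    filler bytes, encoded, and trimmed to the characters determined solely by
    the pattern. Patterns shorter than 3 bytes leave nothing determined in
    some phase, so they are rejected."""
    if len(pattern) < 3:
        raise ValueError("pattern must be at least 3 bytes long")
    sigs = []
    for phase in range(3):
        padded = b"\x00" * phase + pattern
        enc = base64.b64encode(padded).decode("ascii")
        lead = _LEAD_DROP[phase]
        tail = _TAIL_DROP[len(padded) % 3]
        sigs.append(enc[lead:len(enc) - tail])
    return sigs


def matching_phases(attachment: bytes, pattern: bytes) -> list[int]:
    """Which of the three phase signatures occur in the base64 form of the
    attachment. This is what an IDS rule carrying all three strings checks."""
    encoded = base64.b64encode(attachment).decode("ascii")
    return [p for p, sig in enumerate(base64_signatures(pattern)) if sig in encoded]


def matches_attachment(attachment: bytes, pattern: bytes) -> bool:
    """True if any phase signature fires on the attachment."""
    return bool(matching_phases(attachment, pattern))


if __name__ == "__main__":
    print(base64_signatures(b"MZ\x90\x00"))          # ['TVqQA', '1akA', 'NWpAA']
    print([hex(x) for x in base64_offset(0x68CF)])   # ['0x8bbc', '0x2']
```

The phase-0 signature of an MZ header is the familiar "TVqQ" string seen in base64-carried executables; the other two phases look nothing like it, which is exactly why a single string misses two thirds of attachments. For the offset quoted on the slide, 0x68CF = 26831 = 3 × 8943 + 2, so the binary begins two bytes into a quantum at base64 offset 4 × 8943 = 0x8BBC, and the phase-2 string is the one that fires at that alignment; integer arithmetic gives 0x8BBC rather than the 8FBC printed on the slide.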

(31)

Mighty Griffins - 24x7 AF Network Defense

Questions?

(32)


Contact Information

Ms Christi Ruiz, 33 NWS/DOU

christi.ruiz@us.af.mil

Mr Jacob Stauffer, 33NWS/DOUF

jacob.stauffer@us.af.mil

Mr Billy Rodriguez, 33NWS/DOUP
