
Issue2 Mar2010 | Page-1


APT1: One of China's Cyber Espionage Units

In the Information Age it won't sound far-fetched if we're told that an entity is involved in cyber espionage on a global scale. But it's a whole other story if we're told that this cyber espionage is funded by the government of an emerging economy. Mandiant is a security company that investigates cyber security breaches around the world. Many of these breaches are caused by Advanced Persistent Threats (a term coined by the US Air Force in 2006), meaning that these threat actors have advanced capabilities and are persistent in the face of security measures.

In January 2010 Mandiant published an interesting theory that these APTs may be funded by the Chinese government; however, they did not have sufficient evidence to prove it. In 2013, Mandiant published another report, on APT1, which primarily blames the Chinese government for funding cyber espionage activities around the globe and contains the supporting technical evidence. Mandiant's VP says: "We've provided all the evidence here. This is something our industry needs to do more of; Mandiant is proud to participate in this kind of information sharing. We are not issuing a one-page baseless accusation; we're providing 60 pages of evidence and over 3,000 technical indicators like IP addresses, domain names and encryption certificates. We welcome scrutiny and invite other researchers to take a look at the evidence, and we are confident they will arrive at the same conclusion."


Gist of the Mandiant Report: There are more than 20 APT groups in China; however, the report focuses on one of them (referred to as APT1), which is the most prolific. APT1 has direct government support, and its characteristics and location match those of the PLA's Unit 61398 of the Chinese Army. Unit 61398 is located on Datong Road, Pudong New Area, Shanghai. The building, estimated to house thousands of people, is a 130,663 square foot facility with 12 stories (see figure).

Special fiber optic communication facilities are provided for this unit in the name of national defense. Mandiant was able to locate a scanned China Telecom memo on the Internet which talked about approval for providing the requested channel, since it concerned defense construction. The professionals inside the building are trained in computer security (the APT1 actors) and are proficient in the English language (these APT actors need to carry out social engineering attacks like formulating a spear-phishing e-mail, which requires clever use of English since mostly English-speaking countries are targeted). This is a stable day job for them.

Facts about APT1:
- APT1 established a minimum of 937 Command and Control (C2) servers
  o hosted on 849 distinct IP addresses in 13 countries
  o the majority registered to organizations in China (709)
  o followed by the U.S. (109)
- In the last several years Mandiant has confirmed 2,551 FQDNs attributed to APT1
- Between January 2011 and January 2013 Mandiant confirmed
  o 1,905 instances of APT1 actors using their attack infrastructure
  o from 832 different IP addresses

Figure 1: APT1 Building (Source: Mandiant APT1 Report)


Figure 2: Noted APT1 Victims over the years (Source: Mandiant APT1 Report)

Figure 3: Industries compromised by APT1 (Source: Mandiant APT1 Report)


Figure 4: Global Distribution of APT1 Servers (Source: Mandiant APT1 Report)

Figure 5: APT1 Servers Distribution in China (Source: Mandiant APT1 Report)


APT1 Attack Methodology: A typical APT1 attack begins by sending a spear-phishing e-mail to the victim. These e-mails use official-sounding language and themes (suggesting authenticity) and carry a malicious attachment, for example an APT1 backdoor that appears to have a .pdf extension and icon but whose file name actually contains 119 spaces after ".pdf" followed by ".exe". When the unsuspecting victim opens the attachment, the backdoor does its job and gives control to the APT1 actor.

Figure 6: APT1 Attack Lifecycle (Source: Mandiant APT1 Report)

As the main purpose of the APT1 actors is to steal confidential documents, once access to the victim's systems is obtained, documents are gathered, zipped into a RAR file and password-protected. This RAR archive is then sent to the APT1 actor.

Captured attacker session video: This video released by Mandiant shows an active attacker's session. The hacker creates an operational e-mail account on Gmail (named "dota"). First he tries to fake his location and enters USA, but then notices that Google requires mobile verification before the account can be created. So he now enters his country as China and provides a cell phone number located in Shanghai, China. dota then logs in to his e-mail account; this account is used for spear-phishing and for generating more e-mail accounts. dota checks a RAT called Ghost on his own system in Shanghai. We can see that this Ghost RAT has a GUI with features like keylogger, file manager, screen capture, webcam capture, remote shell and voice chat. Another APT actor uses a web-based C2 (command and control) server, which has a command-line interface. The APT actor uses this client to list incoming connections from victim computers, and two victim computers check in. The APT actor can be seen using stolen credentials to log in to a mail exchange server and list the inbox contents, which show the message numbers and the sizes of the messages. The APT actor then goes to an FTP server and downloads lightbolt, and uses this tool to steal files from the victim machine. The lightbolt tool stores the stolen files in a password-protected RAR archive, which is then uploaded to an FTP server.

Is China really doing it? Are they admitting it? China says: "We have said repeatedly that such attacks are transnational and anonymous and determining their origins is extremely difficult." So they are firmly denying the accusation. The approach is indirect: first the hacker would compromise a US server and then use that for further attacks. The security people would visit that server, sit there and trace the activity back. After all this evidence there is no way for them to deny it, but they dare not admit the cyber espionage. The thinking may be that America is doing this all the time, so let us do it too. The most damning evidence against China is the attackers' infrastructure from which they launch attacks: 98% of the time they were logging in from that one block in Shanghai, and 97% of the time they were using the Chinese character set on their systems. News crews like CNN's were stopped from trying to take pictures of the building and were chased away by Chinese military guards. Finally the footage was confiscated (see Figure 8).

Case Study: China believed to have copied the MQ-1 Predator drone through cyber hacking

QinetiQ North America (QQ) is a world-leading defense technology and security company providing satellites, drones and software services to the U.S. Special Forces deployed in Afghanistan and the Middle East. In 2009, China had almost complete control over QinetiQ TSG's computers, stealing 1.3 million pages of documents and 3.3 million pages of Microsoft Excel containing TSG's code and engineering data. These documents are believed to have been used by the Chinese to build an MQ-1 drone.

Figure 7: MQ-1 Predator Drone

Figure 8: Chinese Military Guards chasing the CNN News Crew around the APT1 building


Skepticism about the report

Some security researchers are raising eyebrows at this report, mainly because there are a lot of ways in which an attacker of this level of sophistication could hide his or her location. So why did they not cover their tracks better? Some agree that the attacks originated in China but doubt their connection with the Chinese government. The attacker session video released by Mandiant shows the attacker using common attack tools like Ghost RAT that are freely available on the Internet, which contradicts the "advanced" in the Advanced Persistent Threats we are talking about.

Summary

Such attacks are targeted at private industries that are not equipped to deal with threats from the cyber resources of a nation. So this is government versus private industry, which is not a fair fight. US President Obama says: "America must face the rapidly growing threats from cyber-attacks. Now such attacks are focused on sabotaging our power grids, our financial institutions and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and economy." We should all be glad that the Virginia-based security firm Mandiant decided to expose one of the most prolific cyber espionage groups and make all the related evidence public. This bold activity may have been initiated by the PLA, but there is definitely government approval. Now that the reports are public, if the APT1 activity still continues then the government is definitely involved, even the top leaders. There seems to be clear strategic planning behind this. The Chinese government monitors and censors the Internet. China is focusing on economic espionage, stealing trade secrets, intellectual property and negotiation strategies and passing these to its companies to compete with other companies worldwide. This is a massive cyber espionage campaign. What are they trying to achieve? It may be motivated by political reasons. It may be a kind of security against what the USA can do. The Chinese information gathering system has morphed into a new kind of mode that makes it very scary in terms of its effect.

Today such attacks are inevitable, but if the government is alert and vigilant they can be nipped in the bud before a serious security breach takes place. However, a casual attitude towards such advanced threats can have disastrous effects on a country and its people. We can boast all we want, but the bottom line is that India is seriously lagging in its cyber defense capabilities and there are only a handful of genuinely motivated and driven computer security professionals in India. One reason for this is that no formal education is provided to students interested in security, and these individuals then turn to certifications which are either too theoretical and provide no hands-on knowledge, or are too costly for an average Indian student, or require a minimum number of years of prior experience in the security domain. Some of these certifications in India are started by individuals claiming to be hackers themselves, which pushes candidates towards the glamour of hacking e-mails or passwords rather than developing a mature approach to security. India desperately needs state-sponsored programs that teach computer security at master's level to deserving students who clear a well-designed competitive screening process. Cyber espionage is a growing issue and it has to be dealt with head-on. In India, a higher level of information security awareness is required. Hacking is not just a bunch of kids randomly doing things for fun and profit; it is now a national strategy. The important thing to note is that while in countries like the USA hacking is considered illegal and immoral, the Chinese government considers it a necessity. What would Indian industries do if they faced such attacks? Individual companies can never fight a nation. The Indian government's support is indispensable against such cyber activities. Such cyber espionage is a violation of sovereignty. This is not a minor issue and it will grow more severe if nothing is done. This isn't a group of rogue hackers; this is a unit of the PLA (People's Liberation Army of China). We need to get smarter with each breach. From knowledge comes power.

On the Web
- Mandiant Intelligence Report
- 3d2gyydHwmY - CNN News Crew being chased
- 6p7FqSav6Ho - Video Showing an Attacker Session

Pranshu Bajpai

Pranshu Bajpai is a computer security professional specializing in systems, network and web penetration testing. He is completing his Master's in Information Security at the Indian Institute of Information Technology. Currently he is also working as a freelance penetration tester on a counter-hacking project at a security firm in Delhi, India, where his responsibilities include vulnerability research, exploit kit deployment, maintaining access and reporting. He is an active speaker and author with a passion for information security.


BYOD Policy: Are you implementing it correctly?

Bring your own device (BYOD) is the business policy of letting employees bring their own devices to the workplace for doing work. The concept has gained popularity in recent years mainly for the following reasons:
- Employees are more willing to spend on their devices, as they own them.
- Maintenance and protection of these devices is taken better care of, as the employees themselves will be liable for the loss if they happen to lose them.
- It allows employees to be more flexible and add more productive hours, since they can contribute to the organization's growth from anywhere, at any time.
- A correctly implemented BYOD policy can foster a culture of eagerness to work, producing efficient and productive employees, since their needs are directly addressed by the company. This makes the workplace a "fun" place to work.
- It reduces the burden of IT inventory maintenance tasks such as commissioning/decommissioning corporate devices used for work. Subsequently, new hardware purchase costs are also lowered.
- A start-up or small or medium-sized company can avoid high purchase costs for laptops, smartphones, data cards and tablets for its employees, since employees have the flexibility to use their own devices at the workplace. These smart devices often provide better processing speed and power for accomplishing the tasks.
- Substantial savings are made on carrier/ISP charges, since the organization doesn't need to maintain elaborate corporate data plans but lets the employees use their own.


However, it needs to be remembered that the corporate data which is residing on user's own device remains the property of the company. Hence adequate protection measures need to be in place for protecting that sensitive corporate data.

Defining a Strong Business Case for BYOD

The most common cause of failure of a BYOD policy is that senior management and end users routinely fail to grasp the fundamental concept which drives it: it's all about device ownership. BYOD is fundamentally no different from a corporate-owned device policy, except that device ownership now resides with end users instead of the organization. The ownership of corporate data, however, still remains with the company. There is one important caveat when going for a BYOD policy. Going for BYOD is a discretionary judgement which needs to be made by senior management with careful planning. Senior management must not look only at the one facet of cost savings. It is an important business decision which will directly affect the growth of the organization. Senior management should have a clearly defined and quantifiable goal for the benefits to be achieved from BYOD. Simply following the industry trend with a "Hey, everybody is doing it, let's implement this in our organization" attitude can spell disaster for the organization's growth if no advance planning takes place. For this, a strong business case is needed to reap the benefits of BYOD policy implementation.

Senior management must also accept the risk that by implementing BYOD, more avenues are opened for data leakage from employees' devices. Many of these devices can also share data in the cloud, increasing the likelihood of data duplication between the cloud and apps. Hence, appropriate solutions, tools and techniques to prevent and contain this vital business information from leaking outside must be implemented as well.

Defining BYOD Policy rollout

For a successful BYOD policy rollout generating maximum return on investment (ROI), we must follow these steps:

1. Assess organization readiness and define leadership: A well-defined business case with clear-cut goals is a prerequisite before developing the BYOD policy. Next, the control group operating and overseeing the BYOD policy needs to be defined and assigned responsibilities. The policy needs to be communicated in top-down order so that no ambiguity remains in adoption. Penalty clauses and security mechanisms must be designed into the BYOD policy to give adequate security to the devices.

2. Develop a BYOD charter: A well-defined BYOD charter will ensure that regular investments in the security of BYOD devices are required from the business managers. This helps to establish a business justification for monitoring and administering the corporate data residing on employee-owned devices.


3. Set up a BYOD governing body: The governing body would be responsible for developing, implementing, overseeing and maintaining the BYOD program. It should include business vertical heads along with HR, legal and finance domain experts for smooth implementation of the BYOD policy. The governing body may start with a rough checklist of BYOD tasks such as:
   - Which employees will qualify for BYOD? This should be defined on a per-role basis.
   - Written, signed agreements with employees accepting the risks concerning device usage
   - Which OS versions will be supported for devices?
   - Policies regarding wiping of personal/corporate data in case of device loss
   - Methods used for separating personal and corporate information on devices
   - Actions to follow after a security violation

4. BYOD IT process group: This IT process control group will look after the required software upgrades and the license implications of mail access from employee-owned devices.

5. Manage the BYOD policy: BYOD programs require strong security solutions like network access control (NAC), Wi-Fi routers and Mobile Device Management (MDM) solutions for organization-wide management of personal devices. Containerization tools to separate corporate data from personal data must be procured. A technical way to separate business and personal data is to have dual-persona smartphones, i.e. one interface for personal use and another for business use. High-end smartphones such as the BlackBerry Z10 currently support this.

6. Post-deployment support: High-quality help desk support is a prerequisite for successful BYOD deployment. It should provide assistance with diagnostic tools for troubleshooting and a list of manufacturers' support phone numbers for quick reference.

All policies must comply with region-specific laws, which automatically get first priority while designing the BYOD policy. It is important to update the policy document and adjust to the ever-changing landscape of evolving technology. It is better that a BYOD program be implemented in a phased approach. Initial success will give senior management enough confidence in its successful operation, and it can then be applied to other departments. The users from the initial phase of BYOD deployment must emerge as champions for BYOD usage to spread the culture effectively and securely across the length and breadth of the organization.


Common Pitfalls to Avoid During Deployment of BYOD Policy

Though adopting a BYOD strategy might seem a very attractive proposition at first glance, it is advisable to exercise caution and care during its implementation in your company. Left unmanaged, BYOD can act as a constant fund drain for the organization. This holds especially true when the BYOD policy is implemented across a large organization spread across multiple geographies. For example, in a traditional corporate-owned setting, a large firm typically invests around $200 for compatible smartphones and $500-$1000 for notebooks/tablets, along with a high-end corporate data plan for all its employees. But here it gets interesting. The corporate data plans allow these companies to pool their voice minutes and their data bucket. If any one employee goes over his or her allotment, the company can adjust this by taking unused voice or data from another employee's allotment to make up the difference. That gets rid of much of the overage fees their employees would otherwise end up charging back to the company. Needless to say, carriers offer better discounts on corporate plans than to an individual. National and international roaming charges are also offered at heavily subsidized rates in corporate data plans. The savings made from these fixed, cheaper call rates eventually work in favour of a company which has an international footprint across its offices. Now, imagine that BYOD replaced this system: each user will typically shell out the $1-per-minute voice costs and $10 per 10 MB that many individual users pay when abroad. Multiply this by the typical workforce of 5,000-10,000 people in a large organization. This figure clearly pales in comparison to the savings made while using corporate plans.

BYOD policy seems inevitable in the coming years, as technological advances in smart devices help employees achieve better productivity with flexibility at the workplace. Instead of denying access citing security concerns, it would be in the best business interest to embrace this policy, which allows people to be more productive in the long run. No doubt we do need clearly defined rules and accountability, enforced via legal and technological means, for protecting the sensitive corporate data residing on people's devices. But as the nature of doing business evolves with technological advancement, it is in everybody's best interest to accept BYOD policy, since it directly addresses the need to collaborate and communicate at the times when it matters most. After all, when it comes to business, time is money!



About the Author

Manasdeep

Manasdeep currently serves as a Security Analyst in the Technical Assessment team at NII Consulting, Mumbai. His work focuses on conducting security audits, vulnerability assessments and penetration testing for NII's premier clients. He possesses strong analytical skills and likes to keep himself involved in learning new attack vectors, tools and technologies. He has a flair for technical writing and shares his thoughts on his blog, Experiencing Computing. He has also published information security papers in the International Journal of Computer Science and Information Security (IJCSIS) along with various seminar and conference proceedings.


Drupal Scanner
CMS - What's the Fuss all About?
A Content Management System makes your life easy. It makes the online presence of your business more accessible, and hence the probability of your business succeeding soars higher. If you are unfamiliar with CMSes, the best part is that you need not be a nerdy, high-tech web developer to give this touch of virtuality to your ideas and convert them into online reality. You need not have an armoury of programming skills and impressive, crisp UI design skills. Neither do you need those 'supernatural' scripting and back-end management skills. That is the power you get when you use a CMS for your websites. All that you need is a very basic idea about creating websites and you are ready to go and get it done. And what's more, you have different flavours to choose from. Depending on your requirements and taste you can go for any of the three major CMSes out there, viz. WordPress, Joomla or Drupal.

OK... What's the Catch?

But, like all interesting stories, this one too has a catch. "With great power comes great responsibility." These CMSes have their own guidelines for secure implementation to safeguard the integrity, confidentiality and availability of your websites. WordPress and Joomla have their flaws, and to deal with them there are standard tools in place: we have WPScan and Joomscan for WordPress and Joomla respectively, which can be used to scan websites built on these CMSes for security issues so that the needful can be done to reduce the risk and diminish the impact of the threat. As for people whose taste is satisfied by Drupal, they may not be so lucky on these lines, as there is no such tool out there (at least not one you can find free of cost, and admit it, everyone likes free stuff) that can take care of your Drupal powered websites the way their WordPress and Joomla counterparts do.


The Inception
Enter the idea of creating one such tiny little tool, handy enough to find out exactly that detail about your Drupal powered websites: a tool that could be your compass, guiding you to a more secure version of your websites. And what better than making use of an already freely available web application security tool to start this project with? Thus it was decided that IronWasp shall be the mother of this Drupal security scanner, which for now we will call DrupScan to be in phonetic sync with its counterparts. So effectively, once the tool is built and available, it can be accessed as yet another module of IronWasp. Put more simply: you download IronWasp and you know how to access its different modules; that's it, you know how to ensure better security for your Drupal powered websites.

just looks up for the details available for the module and it's specific version in question in the CVE ids database and thus decides if the website in question is vulnerable or not. Using this simple and obvious technique saves a lot of time as the web application does not really need to be tested for security vulnerabilities from the scratch. We simply make use of the information that is already readily available as the result of intensive research. Thusefficiently delivering the required solution. The Technology and Progress so far The scanner itself since is powered by IronWasp, makes use of all the APIs made available by IronWasp. It is majorly being written in IronPython, again something that has full-fledged interactive learning support through the scripting engine of IronWasp. So far a proof of concept is available for the DrupScan which works on the same principle as explained above. The exact function names that do the respective jobs are listed down. (For details the function definitions please refer the script itself). The processing starts from the main function named runAsMain(). 1. Simply takes up 2 versions of a specific module, say ver1 and ver2. 2. It lists out all the files in these 2 versions, finds the difference between the 2 file listings. Taken care by passDirPath(), fileLookUp(), dictComp(), createDic():passDirPath():- For the proof of concept 2 instances of the same Drupal site are installed on to the localhost. On one of the instances an

For once, please be crapless!

DrupScan is based on a very obvious and simple idea. The idea to identify the version of a specific module installed on the Drupal powered website and find thus if the website is secure or not. The CVE ids database has a comprehensive list of all the different vulnerabilities present in the different versions of the different modules that are there for a Drupal site. So, if for example, the website makes use of the 'views' module, and the scanner identifies that the version of the "view" module being used by the website is say 'X.x' and not 'Y.y' Now the CVE ids database holds the following details about version "X.x" of the "views" module: "Vulnerable to XSS and SQLi" and the following about the next version, "Y.y:- "No vulnerabilities found". So now the scanner

Issue2 Mar2010 | Page-18

older and vulnerable version of a specific module, say the "views" module, is installed and on the other instance a newer and patched version of the same module is installed. So correspondingly in the respective paths directories and files are created accordingly. These two paths are passed to the function passDirPath(). fileLookUp():- is a recursive function. It recursively checks all the folders for any files present in it. Each of the files are taken and their hash is calculated. Now each of these hashes along with their corresponding fileis stored in a temp file. dictComp():- this function takes 2 text files as input. These 2 text files contain the list of all the files present in the 2 versions of the folder. IT DOES NOT MATTER WHAT ORDER IS THE CONTENT OF THESE TWO FILES IN. As long as the contents of these 2 text files is in the format "file_path/file_name \t hash_key", it does not matter in which order is the contents being listed in the 2 text files. And finally it finds out the difference between the files and prints out the differences in a text file called dicDiff.txt createDic():- is a helping function for dictComp(). This function simply creates a dictionary or list and returns the same. 3. Then sees which of these files (that were found to be different) are publicly accessible.

4. Stores these publicly accessible files in a db. Taken care publicAccessFiles() requestor():by and

publicAccessFiles():- Send requests for these files present in dicDiff.txt to the 2 instances, containing the 2 versions of the module, on the localhost. Depending on the response code we decide if a particular file is publicly accessible or not. And we populate the PUBLIC_ACCESS database table with the respective details. Later we make use of this table to determine what version of the module the live site is running. The database used is SQLite. requestor():- is a helping function. It simply frames and sends the required requests and returns the response code in case the requestor method is called with a third parameter as "True", it would indicate that the body of the reponse also needs to be saved. 5. Say after all this the db contains 5 files, viz, a,b,c, d and e with its respective hash. 6. Now when doing a scan on a live site, a request is sent for each of these files to the live site. 7. If there is a success response, the hash of the received file is calculatedand it is compared against the hash in the db. 8. Depending on this the status of the site is reported.

Issue2 Mar2010 | Page-19

Taken care liveVersionScan().


Abhinav Chourasia

liveVersionScan():- This function now makes use of the database of the publicly accessible files created by the publicAccessFiles(), and sends a request for same to the live site that needs to be scanned for its version. liveVersionScan() is aided by the helping function requestor(). Thus the above are the major tasks that are currently being taken care of by the proof of concept scanner so far.

Ok. Thats Enough.Shut up! I'll see if I am interested.

A lot more work still needs to be done. Incorporating support for as many modules as possible is one of the major parts that still needs to be completed. The scanner as of now focuses only on Drupal 7.x; later, as the project matures, other Drupal versions may also be included. There are a lot of interesting challenges at hand to solve, and that is where community support is needed, from people with the interest and expertise to contribute.

Final words
The scanner, on completion, can help pinpoint the security issues with a Drupal-powered website and of course will complete the group of similar scanners: WPScan, JoomScan and then why not DrupScan.


Effective Log Analysis

Log analysis is a responsibility that a security analyst needs to fulfil with utmost conviction in every organization. If our network is equipped with security devices like firewall, AV and VPN that are crucial to the organization, a breach in any such device affects its reputation, which directly or indirectly hurts the business. By performing log analysis one can foresee many threats and prevent attacks early. Log analysis helps to find the traffic pattern occurring in an organization: if there is a deviation in the trend of the logs under observation from the standard trend, it can be considered a security incident and such traffic should be investigated. Log analysis also helps to comply with regulatory standards like PCI DSS, SOX and GLBA. It also enhances and facilitates the development of new security policies and the detection of vulnerabilities. Storage and management of logs is also very crucial when we need to do forensic analysis and incident management.

There are many tools available in the market to analyze logs, including open source tools ( and the MindTree tool). In today's world a SIEM is more valuable to an organization than other, ordinary log management solutions, because a SIEM has correlation features that the other solutions don't have. Some of the SIEM tools that are commonly used are RSA enVision, ArcSight, EventTracker, Juniper STRM, Splunk etc. SIEM service providers collect logs based on EPS (the number of events collected per second), i.e. the higher the EPS value, the more events it will collect per second. The pricing of these devices varies based on the number of events collected per second, or on the number of devices sending logs to the collector, or on the cost of the entire appliance. Storage of logs is also an important feature that we need to consider while dealing with log analysis. All the logs from a network device need to be stored for at least 2 years for any investigation.
It is not compulsory that all of the 2 years' data be readily available; it depends on the cost that can be spent on infrastructure and utility, and on the criticality of the device. Old logs can be backed up to tape and stored securely. This type of storage is called offline storage. When we are in need of the data we can request the backup admin to plug in those tapes for log retrieval. But it should be noted that logs must not be tampered with; a segregation-of-duty control needs to be implemented here. Whenever a legal case arises in our environment it is compulsory to provide logs to the court. Talking about compliance, out of the 12 requirements of PCI DSS, requirement 10 talks about logging and log management. Logs should be reviewed daily and the integrity of the logs should also be maintained.

Here I would like to showcase how we can do log analysis on a firewall. Say the firewall we consider is a Checkpoint firewall. The first thing we need to do is monitor all the dropped communications in the FW. You can filter the SIEM on drop packets only. After that you need to look at the destination ports of all dropped communications. When you monitor an internal FW you will find only internal IPs as the source IPs. There are some common ports which you will always see while monitoring dropped logs (53, 445, 161, 80, 123, 389, 3268). Whenever we see many drops to a particular destination IP with the same destination port we need to investigate why such dropped traffic occurred; this could be some botnet activity that has spread across our network. I have recently come across such an incident where one botnet was spread across 10 machines and our end point security was not able to detect it. During the FW log analysis, enormous traffic to port 80 on a single destination IP was dropped, which we felt was suspicious. On detailed investigation of those end machines we were able to identify a botnet which was connecting to one C&C server.

Above is a sample setup that I have created in the lab. is the firewall that we are monitoring using EventTracker (SIEM tool); all the logs are pushed to a logging server and from the logging server events are pushed to the SIEM. So is the event source which we have integrated with the SIEM.
is a user's machine infected with a malware which establishes many HTTP connections to a malicious IP. You can check the rating of the websites from ( ). In this case, if we are using an AV which doesn't have a signature for this particular malware, then by analyzing the firewall logs we can see that some suspicious activity is happening on the user's machine. Once you find the user's machine you can go ahead with the normal static malware analysis process to find the exe file which is causing such traffic. You can use various tools like Regshot, Process Monitor, Wireshark, HijackThis and RootkitRevealer to find the exe file.
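The drop-log review described above, as an added example that is not part of the article: it aggregates firewall DROP events by destination IP and destination port and flags the fan-out pattern the author investigated (many distinct internal sources being dropped against one destination and port). The log lines are constructed and only loosely modelled on a Check Point key=value export; the field names, thresholds and the idea of feeding the output to the SIEM as a correlation rule are assumptions, not anything the article or EventTracker defines.

```python
"""Added example (not from the article): find fan-out drop patterns in firewall logs.
Log format, field names and thresholds are assumptions; the sample lines are constructed."""
import re
from collections import defaultdict

# Constructed sample export: documentation IPs (RFC 5737) as destinations, one event per line.
# 203.0.113.7:80 is hit by four internal hosts (the botnet-like fan-out), 198.51.100.5:445 by
# a single noisy host, and there is one accept line and one malformed line to be skipped.
SAMPLE_LOG = """\
2010-03-01 09:00:01 action=drop src=10.1.1.10 dst=203.0.113.7 service=80 proto=tcp
2010-03-01 09:00:02 action=drop src=10.1.1.11 dst=203.0.113.7 service=80 proto=tcp
2010-03-01 09:00:03 action=drop src=10.1.1.12 dst=203.0.113.7 service=80 proto=tcp
2010-03-01 09:00:04 action=drop src=10.1.1.13 dst=203.0.113.7 service=80 proto=tcp
2010-03-01 09:00:05 action=accept src=10.1.1.10 dst=192.0.2.53 service=53 proto=udp
2010-03-01 09:00:06 action=drop src=10.1.1.20 dst=198.51.100.5 service=445 proto=tcp
2010-03-01 09:00:07 action=drop src=10.1.1.20 dst=198.51.100.5 service=445 proto=tcp
2010-03-01 09:00:08 action=drop src=10.1.1.20 dst=198.51.100.5 service=445 proto=tcp
2010-03-01 09:00:09 action=drop src=10.1.1.10 dst=203.0.113.7 service=80 proto=tcp
2010-03-01 09:00:10 action=drop src=10.1.1.11 dst=203.0.113.7 service=80 proto=tcp
2010-03-01 09:00:11 action=drop src=10.1.1.12 dst=203.0.113.7 service=80 proto=tcp
2010-03-01 09:00:12 action=drop src=10.1.1.13 dst=203.0.113.7 service=80 proto=tcp
2010-03-01 09:00:13 action=drop src=10.1.1.30 dst=192.0.2.53 service=53 proto=udp
this line is garbage and must be skipped
"""

KV = re.compile(r"(\w+)=(\S+)")
REQUIRED = {"action", "src", "dst", "service"}


def parse_line(line):
    """Return the key=value fields of one event, or None if a required field is missing."""
    fields = dict(KV.findall(line))
    if not REQUIRED <= fields.keys():
        return None
    return fields


def aggregate_drops(text):
    """Count DROP events per (dst, dport) and remember the distinct source IPs.
    Assumes 'service' is numeric, as in the constructed sample; real exports may carry names."""
    agg = defaultdict(lambda: {"count": 0, "sources": set()})
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["action"] != "drop":
            continue  # accept logs are not reviewed here, as the article argues
        key = (ev["dst"], int(ev["service"]))
        agg[key]["count"] += 1
        agg[key]["sources"].add(ev["src"])
    return dict(agg)


def find_fanout(agg, min_sources=3, min_events=5):
    """Flag (dst, port) pairs dropped for many different internal hosts: a single chatty
    host is ordinary noise, several hosts converging on one destination/port is the
    pattern worth investigating. Returns (dst, port, events, distinct_sources), most
    widespread first. Thresholds are illustrative and should be tuned per network."""
    hits = []
    for (dst, port), s in agg.items():
        if len(s["sources"]) >= min_sources and s["count"] >= min_events:
            hits.append((dst, port, s["count"], len(s["sources"])))
    return sorted(hits, key=lambda h: (-h[3], -h[2]))


if __name__ == "__main__":
    for dst, port, n, hosts in find_fanout(aggregate_drops(SAMPLE_LOG)):
        print(f"investigate {dst}:{port}: {n} drops from {hosts} internal hosts")
```

The same aggregation expressed as a SIEM correlation rule (drop events grouped by destination and port, alert when the distinct-source count crosses a threshold inside a time window) is what turns the author's manual review into a repeatable detection; the port list in the text is a useful baseline for deciding which destination ports are routine noise and which deserve a lower threshold.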


By default all firewalls will deny all source-to-destination traffic unless a rule or access list is given to permit the traffic, so there is no point in investigating the accept logs. But when you do log analysis on all the successful communications of a URL filtering software, you can come across many websites whose contents your URL filter did not filter. Your employee can create a website that can be used to host content and to transfer files from the organization to the outside world. In this dynamic world, security threats are changing daily, from phishing mails to a website hack or logging into your manager's account to submit a resignation; we must be aware of all the incidents and think about their preventive measures.

Ben Abraham

Ben Abraham has more than 5 years of experience in the field of Information Security and in implementing, auditing and optimizing SIEM solutions for clients. He also has knowledge of reverse engineering malware to find its behaviour and has carried out ISO 27001 audits, PCI DSS audits, firewall audits and IT security policy development. Ben has had opportunities to work at companies like Mphasis, Infosys and Ernst & Young. He wishes to learn more about the various Information Security domains and to conduct training in this domain.
