Even More reasons to register. Choose between a scholarship seat where you pay $2,700 (a saving of $1,460) limited time offer or a free exam worth over $1,000, when combined with early bird discount. Now that's some BIG saving for SANS training.
Use registration code "MenScholar15" when registering to receive your scholarship seat.
Use registration code "MGIAC15" when registering to receive your GIAC exam at no extra cost. If you would like to do the training but not the exam, we are also hear to accommodate you. You can receive a discount of $629 off the course tuition, in place of the GIAC exam.
Register early, to save $400 on early bird registration.
For further information please visit http://www.sans.org/mentor/class/sec503-toronto-17sep2015-nik-alleyne
Monday, April 6, 2015
The long and short term effects of the Target breach on the retail sector
About
Target
Target Corporation
was incorporated in Minnessota in 1902 and currently offers everyday essentials
and fashionable differentiated merchandise at discounted prices. Target relies
strongly on its technology infrastructure to deliver a preferred shopping experience.
Prior to the first quarter of 2013, Target operated in the US credit card
segment, providing credit to its Guests. Additionally, until January 15, 2015
Target also operated within the Canadian segment (Target Corporation, 2015).
About the data breach
During
the fourth quarter of 2013, Target experienced a significant data breach which impacted
its ability to handle customer enquiries resulting in weaker than expected
sales along with the loss of certain payment card and guest information from
its network (Target Corporation, 2015). The information which
was taken included names, email addresses, phone numbers or mailing addresses
and has affected up to 70 million individuals. Additionally the breach has
impacted approximately 40 million credit and debit card accounts (corporate.target.com, n.d.).
Short term effects
From
Target’s perspective, as of January 31, 2015 the financial impact of the data breach
was costly as it has incurred net cumulative breach expenses of $162 million.
In addition, fraudsters and scam artists were using the opportunity to target
Target’s customers via various attack vectors such as phishing, social
engineering, smishing and pretexting. In addition, Target took a number of
initiatives to enhance monitoring and logging, create application whitelisting
of point-of-sale systems, implementation of enhanced segmentation, reviewed and
limited vendor access while resetting passwords of 445,000 within its
infrastructure while also broadening the use of two-factor authentication (corporate.target.com, 2014). All these initiatives may be part of the $162
million Target spent as a result of the data breach.
Even though the
above is directly related to Target, the short term effect on the industry has
seen more companies allocate resources towards preventing, detecting and
resolving cyber breaches. Cyber Security budgets have increased by 34 percent,
with fifty percent of this going towards Security Incident and Event Management
(SIEM) tools, forty eight percent to Endpoint Security, forty four percent
going to Intrusion Prevention and Detection technologies and thirty eight
percent towards encryption and tokenization (Ponemon, 2015). While the companies have also focused
on technologies, Senior Management in general has shown extremely high concern
to Cyber Security incidents (Ponemon, 2015).
While companies
may be in a position to implement new processes and hire new people to deploy
and or maintain the latest and or greatest technologies, the same cannot be
readily said about individuals. In the short term individuals need to be
vigilant, when receiving any communications purporting to be from Target and or
any other breached entity. As stated above, fraudsters have chosen techniques
such as phishing, social engineering, smishig and pretexting to dupe potential
victims. Individuals may help to protect themselves by at a minimum, having all
patches and relevant updates installed on their computer, while also having
up-to-date antivirus or other anti-malware tools.
Long
Term effects
In the long term,
greater effort would be placed on the strategic importance of IT security to
the operations of the companies. This would result in more focus being placed
on the people and the process rather than on the technology. As an example,
companies are now focusing on the creation of an Incident Response Team,
training and awareness activities, measurement of data security effectiveness,
policies and procedures along with specialized education for IT security staff (Ponemon, 2015).
In addition, as in
the case with Target, companies may face court action from customers, card
issuing banks, shareholders and or other individuals seeking relief (Target Corporation, 2015).
While it is
expected that companies will continue to invest in people, processes and
technologies, they will also look into buying insurance to cover any costs
which may be associated with a data breach on its infrastructure. Target
maintains a $100 million network security insurance coverage, above a $10
million deductible. It is believed that this coverage along with other
insurance may reduce its exposure to cyber attacks (Target Corporation, 2015). In the next 5 years
a larger amount of services will be conducted online. This increase in online
activity will result in more companies looking to lower the risk from cyber
attacks (ibisworld.com, 2014)
More importantly,
as hacks similar to Target continues to occur, greater efforts will be made
towards information sharing, so as to reduce the probability (and effects) of
the breaches propagating beyond its initial target. In his Cyber Security
Legislative Proposal, President Obama has included voluntary information
sharing with Industry, States, and Local Government as one of the key methods
for protecting the security of the United States (US) digital infrastructure (whitehouse.gov, 2011).
Finally and most
importantly, governments can and may enact laws which controls how companies
respond to data breaches. At present, a number of US states and some of its
territories have enacted data breach laws, which dictates who must comply with
the law, what constitutes a breach, requirements for notice along with
exemptions (ncsl.org, 2015). At the federal level, the proposed Data
Security and Breach Notification Act of 2015 requires entities that owns or
possess data in electronic form containing personal information to notify
affected individuals and a designated government entity (FTC, Secret Service, FBI, Attorney General, etc )
no later than 30 days after the date of discovery of a breach. In the event of
a breach, any individual who intentionally and willingly conceals the fact that
a breach occurred and there is damage greater than $1000 may be fined and or
imprisoned for not more than 5 years (congress.gov, 2015).
Conclusion
In the long term,
hacks like target will cause both individuals and companies to place more
attention on cyber security. Companies though will be the ones that ultimately
need to make the investments to secure our personal data. The world is becoming
more networked and big data is the ultimate objective for most of these
companies. They more data is had, the more companies can predict your next
move. However, how they protect this data will be the ultimate concern. Action
by governments is needed to ensure that all companies respond consistently
whenever a breach occurs.
References
congress.gov. (2015, 1 13). S.177 - Data Security
and Breach Notification Act of 2015. Retrieved from
https://www.congress.gov/bill/114th-congress/senate-bill/177/text
corporate.target.com.
(2014, 04 29). updates on Target’s security and technology enhancements.
Retrieved from corporate.target.com:
https://corporate.target.com/discover/article/updates-on-Target-s-security-and-technology-enhanc
corporate.target.com.
(n.d.). data breach FAQ. Retrieved from corporate.target.com:
https://corporate.target.com/about/shopping-experience/payment-card-issue-faq
ibisworld.com. (2014, 08).
Cyber Liability Insurance in the US: Market Research Report. Retrieved
from ibisworld.com:
http://www.ibisworld.com/industry/cyber-liability-insurance.html
ncsl.org. (2015, 12 1). Security
Breach Notification Laws. Retrieved from
http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
Ponemon. (2015). 2014:
A Year of Mega Breaches. Ponemon Institute LLC.
Target Corporation.
(2015). Annual Report . Minneapolis.
whitehouse.gov. (2011, May
12). FACT SHEET: Cybersecurity Legislative Proposal. Retrieved from
https://www.whitehouse.gov/the-press-office/2011/05/12/fact-sheet-cybersecurity-legislative-proposal
QRadar - Threat Intel On the Cheap - Checking our environment for suspect IPs
In this our final post in this series, we will search our logs and flows to see if any of the suspected IPs.
P.S. Point to note is the quality of these list are dependent on the people who publish them. I give no warranty or am I vouching for these lists. These IPs and or domains should be used as a starting point of your investigation not the ultimate decision as to whether something good or bad has happened.
To search our logs let's do the following:
1. Login to QRadar
2. Select "Logs" or "Network Activity" tab
3. From the "Search" dropdown, select "New Search"
3. Select your "Time Range"
Let's start with the "Last 7 Days"
4. In the "Search Parameters" choose "Reference Set"
5. In the "Value: Data Entry" select "Destination IP"
6. Operators select "Exists in any of"
7. From the "Reference Set" list, choose "SecurityNik_IP_Darklist"
8. Click the "+"
9. Click "Add Filter"
10. Click "Search"
Based on the search query we just entered, you would be able to see if any of the hosts in your environment has been or is communicating with any of the IPs in the SecurityNik_IP_Darklist.
To check for domains in the SecurityNik_DNS_Darklist, you would basically do the same steps above. However, you would chose a different reference set.
Have fun and don't forget the other posts in this series to ensure your reference set and rules are properly created.
1. The Code to download the Darklist
2. Verifying the Reference Set Creation
3. Writing the Common Rule to check for the IPs
4. Writing the Event Rule to check for the domains
5. Checking your environment for the malicious IPs and or domains.
P.S. Point to note is the quality of these list are dependent on the people who publish them. I give no warranty or am I vouching for these lists. These IPs and or domains should be used as a starting point of your investigation not the ultimate decision as to whether something good or bad has happened.
To search our logs let's do the following:
1. Login to QRadar
2. Select "Logs" or "Network Activity" tab
3. From the "Search" dropdown, select "New Search"
3. Select your "Time Range"
Let's start with the "Last 7 Days"
4. In the "Search Parameters" choose "Reference Set"
5. In the "Value: Data Entry" select "Destination IP"
6. Operators select "Exists in any of"
7. From the "Reference Set" list, choose "SecurityNik_IP_Darklist"
8. Click the "+"
9. Click "Add Filter"
10. Click "Search"
Based on the search query we just entered, you would be able to see if any of the hosts in your environment has been or is communicating with any of the IPs in the SecurityNik_IP_Darklist.
To check for domains in the SecurityNik_DNS_Darklist, you would basically do the same steps above. However, you would chose a different reference set.
Have fun and don't forget the other posts in this series to ensure your reference set and rules are properly created.
1. The Code to download the Darklist
2. Verifying the Reference Set Creation
3. Writing the Common Rule to check for the IPs
4. Writing the Event Rule to check for the domains
5. Checking your environment for the malicious IPs and or domains.
QRadar - Threat Intelligence On The Cheap - Creating the rule to detect IPs in the SecurityNik_DNS_Darklist
Most of the information in the previous post can be used to develop the rule for detecting the malicious domains.
P.S. Point to note is the quality of these list are dependent on the people who publish them. I give no warranty or am I vouching for these lists. These IPs and or domains should be used as a starting point of your investigation not the ultimate decision as to whether something good or bad has happened.
Follow the steps below to create an Event rule:
1. Click "Offenses" tab
2 Select "Rules"
3. Select "Action" menu
4. From the "Action" menu, select "New Event Rule"
Once the "Rule Wizard" opens, it should default to "Events"
Next you build your rule by selecting your criteria.
1. First in the search box, type "referen". This reduces the number of rule options to sort through
2. select the one which states "when any of these properties is contained in any of these reference set(s)"
3. Assign your rule a name
4. Click "these event properties".
5. When the window pops up, select the "domain"
6. Click "OK"
7. Click "these reference set(s)"
8. From the pop up window select the "SecurityNik_DNS_Darklist", then click add
9. Click "OK"
Selecting the "Rule Response"
1. Ensure that a new event gets created
2. you may set the severity, credibility and relevance of the new event which gets created
Note that these setting may influence the values of an offense but does not specifically set the values on the offense
3. Create a new offense when the domain from the SecurityNik_DNS_Darklist reference set is seen in either an event
4. Send off an email once a detection is made
Verify the rule is as expected.
You should be good to go.
In the final post, we will run a query against the environment to see if any of the detected IPs (or you can do the domain) is found in our logs and or flows.
Have fun and don't forget the other posts in this series to ensure your reference set and rules are properly created.
1. The Code to download the Darklist
2. Verifying the Reference Set Creation
3. Writing the Common Rule to check for the IPs
4. Writing the Event Rule to check for the domains
5. Checking your environment for the malicious IPs and or domains.
P.S. Point to note is the quality of these list are dependent on the people who publish them. I give no warranty or am I vouching for these lists. These IPs and or domains should be used as a starting point of your investigation not the ultimate decision as to whether something good or bad has happened.
Follow the steps below to create an Event rule:
1. Click "Offenses" tab
2 Select "Rules"
3. Select "Action" menu
4. From the "Action" menu, select "New Event Rule"
Once the "Rule Wizard" opens, it should default to "Events"
Next you build your rule by selecting your criteria.
1. First in the search box, type "referen". This reduces the number of rule options to sort through
2. select the one which states "when any of these properties is contained in any of these reference set(s)"
3. Assign your rule a name
4. Click "these event properties".
5. When the window pops up, select the "domain"
6. Click "OK"
7. Click "these reference set(s)"
8. From the pop up window select the "SecurityNik_DNS_Darklist", then click add
9. Click "OK"
Selecting the "Rule Response"
1. Ensure that a new event gets created
2. you may set the severity, credibility and relevance of the new event which gets created
Note that these setting may influence the values of an offense but does not specifically set the values on the offense
3. Create a new offense when the domain from the SecurityNik_DNS_Darklist reference set is seen in either an event
4. Send off an email once a detection is made
Verify the rule is as expected.
You should be good to go.
In the final post, we will run a query against the environment to see if any of the detected IPs (or you can do the domain) is found in our logs and or flows.
Have fun and don't forget the other posts in this series to ensure your reference set and rules are properly created.
1. The Code to download the Darklist
2. Verifying the Reference Set Creation
3. Writing the Common Rule to check for the IPs
4. Writing the Event Rule to check for the domains
5. Checking your environment for the malicious IPs and or domains.
QRadar - Threat Intelligence On The Cheap - Creating the rule to detect IPs in the SecurityNik_IP_Darklist
Now that we've downloaded our suspect IPs and domains with the SecurityNikThreatIntel script along with verifying our reference set creation, we will now create the relevant rules. Note in this post, I will focus primarily on the IP darklist rule creation. Basically the same steps can be used to create a rule to detect the malicious DNS. I will put a quick snapshot below on what needs to be done to get the rule to detect the suspect domains.
P.S. Point to note is the quality of these list are dependent on the people who publish them. I give no warranty or am I vouching for these lists. These IPs and or domains should be used as a starting point of your investigation not the ultimate decision as to whether something good or bad has happened.
Because we would like to detect the suspect IPs in either flows or events we will create a common rule.
Follow the steps below to create a common rule:
1. Click "Offenses" tab
2 Select "Rules"
3. Select "Action" menu
4. From the "Action" menu, select "New Common Rule"
Once the "Rule Wizard" opens, it should default to "Events and Flows"
Next you build your rule by selecting your criteria.
1. First in the search box, type "referen". This reduces the number of rule options to sort through
2. select the one which states "when any of these properties is contained in any of these reference set(s)"
3. Assign your rule a name
4. Click "these event properties".
5. When the window pops up, select the "Source IP", click add, then select "Destination IP"
6. Click "OK"
7. Click "these reference set(s)"
8. From the pop up window select the "SecurityNik_IP_Darklist", then click add
9. Click "OK"
Selecting the "Rule Response"
1. Ensure that a new event gets created
2. you may set the severity, credibility and relevance of the new event which gets created
Note that these setting may influence the values of an offense but does not specifically set the values on the offense
3. Create a new offense when the source or detination IP from the SecurityNik_IP_Darklist reference set is seen in either an event or flow
4. Send off an email once a detection is made
Verify the rule is as expected.
You should be good to go.
Have fun and don't forget the other posts in this series to ensure your reference set and rules are properly created.
1. The Code to download the Darklist
2. Verifying the Reference Set Creation
3. Writing the Common Rule to check for the IPs
4. Writing the Event Rule to check for the domains
5. Checking your environment for the malicious IPs and or domains.
P.S. Point to note is the quality of these list are dependent on the people who publish them. I give no warranty or am I vouching for these lists. These IPs and or domains should be used as a starting point of your investigation not the ultimate decision as to whether something good or bad has happened.
Because we would like to detect the suspect IPs in either flows or events we will create a common rule.
Follow the steps below to create a common rule:
1. Click "Offenses" tab
2 Select "Rules"
3. Select "Action" menu
4. From the "Action" menu, select "New Common Rule"
Once the "Rule Wizard" opens, it should default to "Events and Flows"
Next you build your rule by selecting your criteria.
1. First in the search box, type "referen". This reduces the number of rule options to sort through
2. select the one which states "when any of these properties is contained in any of these reference set(s)"
3. Assign your rule a name
4. Click "these event properties".
5. When the window pops up, select the "Source IP", click add, then select "Destination IP"
6. Click "OK"
7. Click "these reference set(s)"
8. From the pop up window select the "SecurityNik_IP_Darklist", then click add
9. Click "OK"
Selecting the "Rule Response"
1. Ensure that a new event gets created
2. you may set the severity, credibility and relevance of the new event which gets created
Note that these setting may influence the values of an offense but does not specifically set the values on the offense
3. Create a new offense when the source or detination IP from the SecurityNik_IP_Darklist reference set is seen in either an event or flow
4. Send off an email once a detection is made
Verify the rule is as expected.
You should be good to go.
Have fun and don't forget the other posts in this series to ensure your reference set and rules are properly created.
1. The Code to download the Darklist
2. Verifying the Reference Set Creation
3. Writing the Common Rule to check for the IPs
4. Writing the Event Rule to check for the domains
5. Checking your environment for the malicious IPs and or domains.
QRadar - Threat Intelligence On The Cheap - Verifying Reference Set Creation
P.S. Point to note is the quality of these list are dependent on the people who publish them. I give no warranty or am I vouching for these lists. These IPs and or domains should be used as a starting point of your investigation not the ultimate decision as to whether something good or bad has happened. To verify that the reference set exists you can do the following.
1. Logon to QRadar
2. Select "Admin" Tab
3. Under the section "System Configuration" select "Reference Set Management"
4. From the Reference Set window, scroll until you find the 2 reference sets.
a. 'SecurityNik_IP_Darklist'
b. 'SecurityNik_DNS_Darklist'
5. You can now double click the list or click "Edit" to verify their contents.
Once you have verified that the reference sets have been successfully created and contains your IPs and or DNS Entries. You may now go ahead and create your rules.
Have fun and don't forget the other posts in this series to ensure your reference set and rules are properly created.
1. The Code to download the Darklist
2. Verifying the Reference Set Creation
3. Writing the Common Rule to check for the IPs
4. Writing the Event Rule to check for the domains
5. Checking your environment for the malicious IPs and or domains.
QRadar - Threat Intelligence on the Cheap - The Code
Ever thought of a way to get get threat intelligence information for your QRadar on the cheap. Here it is, I'm making your life and or job easier :-).
Basically this script goes out to a few websites and download lists of suspected bad IPs and Domains. From this list I then compile one list for IPs and one for DNS.
Once I have the above lists, I then create 2 reference sets in QRadar to import the data.
Once the script runs for the first time, you will need to create your QRadar rules manually. This post addresses that issue.
P.S. Point to note is the quality of this list is dependent on the people who are putting it out. I give no warranty or am I vouching for the list. These IPs should be used as a starting point of your investigation, not the ultimate decision as to whether something good or bad has happened.
As stated above, hopefully this script makes someone else happy.
Have fun and don't forget the other posts in this series to ensure your reference set and rules are properly created.
1. The Code to download the Darklist
2. Verifying the Reference Set Creation
3. Writing the Common Rule to check for the IPs
4. Writing the Event Rule to check for the domains
5. Checking your environment for the malicious IPs and or domains.
SecurityNikThreatIntel.py
This project can also be found on github at https://github.com/SecurityNik/QRadar---Threat-Intelligence-On-The-Cheap
Basically this script goes out to a few websites and download lists of suspected bad IPs and Domains. From this list I then compile one list for IPs and one for DNS.
Once I have the above lists, I then create 2 reference sets in QRadar to import the data.
Once the script runs for the first time, you will need to create your QRadar rules manually. This post addresses that issue.
P.S. Point to note is the quality of this list is dependent on the people who are putting it out. I give no warranty or am I vouching for the list. These IPs should be used as a starting point of your investigation, not the ultimate decision as to whether something good or bad has happened.
#!/usr/bin/env python
# This is code is designed to download list of known bad IPs and domains
# Once the lists have been downloaded, 2 reference sets are created
# 1 for IPs and 1 for domains
# Manual creation of QRadar rules are then done. These rules are then run against these
# list to identify known bad IPs and Domain
#
# SecurityNikThreatIntel.py v1.0
# Author: Nik Alleyne, CISSP|GCIH|A < nikalleyne at gmail.com >
# Date: 2015-02-25
# Disclaimer: In no way am I responsible for any damages which you may
# cause to your system by running this script.
from os import uname, path, system, remove, getcwd
from shutil import rmtree,copytree
from subprocess import call
from sys import exit
from time import sleep
# This function checks to see if this script is running on Linux.
def check_os():
qRadar_path = '/opt/qradar/conf/'
qRadar_ver = '/opt/qradar/bin/myver'
print(' Checking OS ... ')
if ( uname()[0] == 'Linux' ) or ( uname()[0] == 'linux'):
#print(' Running on Linux ... ')
if ( path.exists('/etc/system-release') and path.isfile('/etc/system-release') ):
call(['cat', '/etc/system-release'])
else:
print('\n Looks like you are running Linux. ')
print('\n However, I am unable to determine your version info. ')
print(' \n Looking for an installed version of QRadar')
if ( path.exists(qRadar_path) and ( path.isdir(qRadar_path)) ):
print(' \n looks like you are running QRadar version ... ')
call([qRadar_ver])
print(' \n Good stuff ... \n Blast off =>>>>>>> ')
else:
print(' An installed version of QRadar was not found on your system ')
print(' This script will not work for you, it was designed to be used on box running IBM QRadar ')
print(' Exiting ... ')
exit(0)
sleep(2)
else:
print(' Running this is a waste of your time. ')
print(' This script is SPECIFICALLY for QRadar ')
exit(0)
# This function downloads a list of known bad IPs and
def grab_ip_list():
ip_path = ''
bad_ip_list = ['http://malc0de.com/bl/IP_Blacklist.txt' ,
'http://talosintel.com/feeds/ip-filter.blf',
'http://malc0de.com/bl/IP_Blacklist.txt',
'http://www.malwaredomainlist.com/hostslist/ip.txt',
'https://zeustracker.abuse.ch/blocklist.php?download=badips' ,
'http://www.spamhaus.org/drop/drop.txt',
'http://www.spamhaus.org/drop/edrop.txt',
'http://www.spamhaus.org/drop/drop.lasso',
'http://www.okean.com/chinacidr.txt' ,
'http://myip.ms/files/blacklist/general/latest_blacklist.txt' ,
'http://myip.ms/files/blacklist/csf/latest_blacklist.txt' ,
'http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt' ,
'http://rules.emergingthreats.net/blockrules/compromised-ips.txt' ,
'http://feeds.dshield.org/block.txt' ,
'http://feeds.dshield.org/top10-2.txt',
'http://www.dshield.org/feeds/topips.txt'
'https://feodotracker.abuse.ch/blocklist/?download=ipblocklist',
'https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist' ,
'https://zeustracker.abuse.ch/blocklist.php?download=badips' ,
]
# Check to see if ip_tmp/ folder exists - This folder stores the files a the first download.
# Basically this will determine if its the first time the script is being run
if ( path.exists('.ip_tmp/') and (path.isdir('.ip_tmp/')) ):
ip_path = '.ip_tmp_path/'
else:
ip_path = '.ip_tmp/'
try:
print(' Preparing to download list of bad IP addresses ')
for link in bad_ip_list:
print(link)
call(['wget', link, '--directory-prefix='+ip_path , '--tries=2', '--continue', '--timestamping', '--timeout=5', '--random-wait', '--no-proxy', '--inet4-only'])
print(' \n %s \n retrieved successfully \n' %link )
sleep(2)
except:
print(' A problem occurred while downloading IP information from %s ' %link )
print(' This link may be broken. Please copy the URL and paste into a browser to ensure it is accessible')
else:
# Looks like all went well
print(' \n Looks like we have some baddddd IPs! ')
# This fuction download the list of malicious and or suspected domains
# DO NOT add entry to this list unless you are sure what you are doing
# These files are in different formats, thus may need to be manipulated the files individually
def grab_dns_list():
dns_path = ''
bad_dns_list = [ 'http://www.joewein.net/dl/bl/dom-bl.txt',
'http://www.joewein.net/dl/bl/dom-bl-base.txt',
'http://mirror1.malwaredomains.com/files/immortal_domains.txt',
'http://mirror1.malwaredomains.com/files/dynamic_dns.txt',
'https://zeustracker.abuse.ch/blocklist.php?download=baddomains',
'http://www.malwaredomainlist.com/hostslist/hosts.txt',
'http://malc0de.com/bl/BOOT',
'http://malc0de.com/bl/ZONES'
]
if ( path.exists('.dns_tmp') and (path.isdir('.dns_tmp')) ):
dns_path = '.dns_tmp_path'
else:
dns_path = '.dns_tmp'
try:
print(' Preparing to download list of bad Domain ')
for dns in bad_dns_list:
print(dns)
call(['wget', dns, '--directory-prefix='+dns_path , '--tries=2', '--continue', '--timestamping', '--timeout=5', '--random-wait', '--no-proxy', '--inet4-only'])
print(' \n %s \n retrieved successfully \n' %dns )
sleep(2)
except:
print(' A problem occurred while downloading DNS information from %s ' %dns )
print(' This link may be broken. Please copy the URL and paste into a browser to ensure it is accessible')
else:
# Looks like all went well
print(' \n Looks like we have some baddddd domains! ')
# Checking the directories to see if the last run added new info
def compare_ip_dirs():
print(' Checking if there is need for an update .... ')
#first check to see if .ip_tmp_path exists
if ( path.exists('.ip_tmp_path') and (path.isdir('.ip_tmp_path')) ):
print(' Give me just a few seconds more')
sleep(2)
if ( int(path.getsize('.ip_tmp')) <= int(path.getsize('.ip_tmp_path')) ):
print(' \n Looks like new content is available ')
# copying new content in .ip_tmp_path to .ip_tmp
try:
rmtree('.ip_tmp')
copytree('.ip_tmp_path','.ip_tmp')
except:
print(' Failed to copy new data ... ')
print(' Exiting ... ')
exit(0)
else:
print(' Successfully moved new data')
else:
print(' Nothing new was added ... ')
print(' Exiting ... ')
exit(0)
else:
print(' This is first run ... \n moving on ... ')
sleep(2)
# Comparing the DNS folders to see if new content may have been added
def compare_dns_dirs():
print(' Checking if there is need for an update .... ')
#first check to see if .ip_tmp_path exists
if ( path.exists('.ip_tmp_path') and (path.isdir('.ip_tmp_path')) ):
print(' Give me just a few seconds more')
sleep(2)
if ( int(path.getsize('.ip_tmp')) <= int(path.getsize('.ip_tmp_path')) ):
print(' \n Looks like new content is available ')
# copying new content in .dns_tmp_path to .dns_tmp
try:
rmtree('.dns_tmp')
copytree('.dns_tmp_path','.dns_tmp')
except:
print(' Failed to copy new data ... ')
print(' Exiting ... ')
exit(0)
else:
print(' Successfully moved new data')
else:
print(' Nothing new was added ... ')
print(' Exiting ... ')
exit(0)
else:
print(' This is first run ... \n moving on ... ')
sleep(2)
# Now that the files have been successfully downloaded, let's combine them all
def combine_ip_files():
print(' \n Checking for .ip_tmp folder ... ')
sleep(2)
if ( path.exists('.ip_tmp') and path.isdir('.ip_tmp') ):
print(' directory .ip_tmp/ found ')
system('cat .ip_tmp/* | grep --perl-regexp --only-matching "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" | sort -i | uniq --unique --check-chars=15 > SecurityNikBadIPs.txt')
if ( path.exists('SecurityNikBadIPs.txt') and path.isfile('SecurityNikBadIPs.txt') ):
print(' Successfully created file SecurityNikBadIPs.txt ')
else:
print(' Unable to create SecurityNikBadIPs.txt file ')
print(' The program will now exit ... Exiting ... ')
exit(0)
else:
print(' \n ip_tmp/ directory not found ')
print(' Unable to continue ... Exiting!')
exit(0)
# This function manipulates the downloaded DNS files, so that all can be placed into one standard file
def combine_dns_files():
print(' Combining DNS files ')
if ( path.exists('.dns_tmp') and path.isdir('.dns_tmp') ):
print(' directory .dns_tmp/ found ')
try:
print(' Combining downloaded files into .... ')
system('cat .dns_tmp/dom-bl.txt > .SecurityNikBadDomains.txt')
system('cat .dns_tmp/dom-bl-base.txt >> .SecurityNikBadDomains.txt')
system("cat .dns_tmp/hosts.txt | awk '/127.0.0.1/ { print $2 }' >> .SecurityNikBadDomains.txt")
system('cat .dns_tmp/immortal_domains.txt | grep -i -P "This is a list|^$" -v >> SecurityNikBadDomains.txt')
system('cat .dns_tmp/BOOT | grep -i PRIMARY | cut -f 2 -d " " | grep -i -v -P "ibm\.com" -v >> .SecurityNikBadDomains.txt')
system('cat .dns_tmp/dynamic_dns.txt | grep -P -v "^#|^$" | cut -f 1 -s >> .SecurityNikBadDomains.txt')
system('cat .dns_tmp/blocklist.php\?download\=baddomains | grep -P -v "^#|^$" >> .SecurityNikBadDomains.txt')
system('cat .SecurityNikBadDomains.txt | sort -i | uniq --unique > SecurityNikBadDomains.txt')
except:
print(' Looks like an error occurred while combining the files')
print(' Please retry later ... \n Exiting ... ')
exit(0)
else:
print(' files successfully combined ')
print(' A list of known bad domains can be found in SecurityNikBadDomains.txt')
remove('.SecurityNikBadDomains.txt')
else:
print(' \n dns_tmp/ directory not found ')
print(' The program will now exit ... Exiting ... ')
exit(0)
# This function does all the work for the IP reference set
def verify_create_ip_reference_set():
reference_set_name = 'SecurityNik_IP_Darklist'
ip_txt = getcwd()+'/SecurityNikBadIPs.txt'
rows = []
print('Checking to see if the reference set %s already exists' %reference_set_name)
f =open('.count.txt', 'w')
call(["psql", "-U", "qradar", "--command=SELECT COUNT(*) FROM reference_data WHERE name='SecurityNik_IP_Darklist'"], stdout=f )
f.close()
# Resting ... I'm tired
sleep(2)
f = open('.count.txt', 'r')
for line in f.readlines():
rows.append(line.strip())
#print(rows)
if (rows[2].strip() != '0'):
print(' Looks like reference set already exists \n ')
else:
print(' Reference Set %s not found ... %reference_set_name ')
print(' Looks like we will have to create this bad boy ...')
try:
call(['/opt/qradar/bin/ReferenceSetUtil.sh', 'create', reference_set_name , 'IP'])
print(' Successfully created reference set %s \n ' %reference_set_name )
#print(' Looks like that went well ... ' )
except:
#This does not catch any java exception that may be created
print(' Error occurred while creating reference set %s ' %reference_set)
print(' You may create the reference set %s manually if needed ' %reference_set_name )
exit(0)
print(' Loading information into reference set %s ' %reference_set_name )
try:
call(['/opt/qradar/bin/ReferenceSetUtil.sh', 'load', reference_set_name , ip_txt ])
print(' \n You may need to verify that you have rules created to use %s ' %reference_set_name )
except:
print(' An error occurred while loading the reference set ... ')
print(' Please retry later!')
exit(0)
remove('.count.txt')
# This function creates the DNS reference set
def verify_create_dns_reference_set():
reference_set_name = 'SecurityNik_DNS_Darklist'
dns_txt = getcwd()+'/SecurityNikBadDomains.txt'
dns_rows = []
print('Checking to see if the reference set %s already exists' %reference_set_name)
f = open('.count.txt', 'w')
call(["psql", "-U", "qradar", "--command=SELECT COUNT(*) FROM reference_data WHERE name='SecurityNik_DNS_Darklist'"], stdout=f )
f.close()
# Taking a nap ...
sleep(2)
f = open('.count.txt', 'r')
for line in f.readlines():
dns_rows.append(line.strip())
#print(dns_rows)
if (dns_rows[2].strip() != '0'):
print(' Looks like reference set already exists \n ')
else:
print(' Reference Set %s not found ' %reference_set_name )
print(' Looks like we will have to create this bad boy ...')
try:
call(['/opt/qradar/bin/ReferenceSetUtil.sh', 'create', reference_set_name , 'ALN'])
print(' Successfully created reference set %s ' %reference_set_name )
#print(' Looks like that went well ... ' )
except:
# This does not catch any java exception that may be created
print(' Error occurred while creating reference set %s ' %reference_set)
print(' You may create the reference set %s manually if needed ' %reference_set_name )
exit(0)
print(' Loading information into reference set %s ' %reference_set_name )
try:
call(['/opt/qradar/bin/ReferenceSetUtil.sh', 'load', reference_set_name , dns_txt ])
print(' \n You may need to verify that you have rules created to use %s ' %reference_set_name )
except:
print(' An error occurred while loading the reference set ... ')
print(' Please retry later!')
exit(0)
remove('.count.txt')
# Main Function
def main():
#print('You are in the main part of the code')
call('clear')
check_os()
# Let's work on the IP Reference Set
grab_ip_list()
compare_ip_dirs()
combine_ip_files()
verify_create_ip_reference_set()
# Let's work on the DNS Reference Set
grab_dns_list()
compare_dns_dirs()
combine_dns_files()
verify_create_dns_reference_set()
if __name__ == "__main__":
main()
# End of Script
As stated above, hopefully this script makes someone else happy.
Have fun and don't forget the other posts in this series to ensure your reference set and rules are properly created.
1. The Code to download the Darklist
2. Verifying the Reference Set Creation
3. Writing the Common Rule to check for the IPs
4. Writing the Event Rule to check for the domains
5. Checking your environment for the malicious IPs and or domains.
SecurityNikThreatIntel.py
This project can also be found on github at https://github.com/SecurityNik/QRadar---Threat-Intelligence-On-The-Cheap
Subscribe to:
Posts (Atom)