Friday, September 28, 2018

Hack and Detect - Mapping a Threat Actor's Tools, Techniques and Procedures (TTP)

One of the critical steps in a network forensics analysis is being able to generate a visual of what transpired. This visual gives you a graphical representation of a threat actor's TTPs.

Below is an example of mapping a threat actor's TTPs, taken from my upcoming book. The graphic represents the activity performed on a Windows 10 host, ending with a pivot (lateral movement) to a Windows XP host on another subnet. Note that this all started with a spear-phishing attack: all it took was one click and it's game over.



Map of the threat actor's Tools, Techniques and Procedures (TTPs), providing Nakia with the necessary intelligence into how this threat actor operated, including its lateral movement from the compromised Windows 10 machine to a Windows XP device isolated from the internet.

If you like this mapping of the TTPs, grab a copy of the book from your favourite seller to learn how to build your own.


You can download the pre-publication sample chapters here while you wait for the published version.

It will be here sooner than you think. Hack and Detect - Leveraging the Cyber Kill Chain for Practical Hacking and its Detection via Network Forensics

Learning by Practicing
Hack & Detect
Leveraging the Cyber Kill Chain for Practical Hacking
and its Detection via Network Forensics  


Author Nik Alleyne
www.securitynik.com
2018-09-01


I am currently wrapping up my book and am attaching the sample chapters so that you, my readers, get a head start on what to expect. Please note these are sample chapters and not the final product.

If you have comments and/or suggestions, feel free to either drop me a line or leave a comment below.

To download click here.
MD5: F5AA9B28678051CBE29AA07DB4410140
SHA256: CBF93818218A53002B10C48F5C200D7C1B31D02536168D979F997DFBBA79B0C4

Bro Configuration

The first configuration task once you have installed Bro is to tell it which network(s) you would like to protect. Realistically, the first three files you should look at are:
node.cfg
networks.cfg
broctl.cfg


Let's start off with networks.cfg

root@securitynik:/opt/bro/etc# cat /opt/bro/etc/networks.cfg
192.168.0.0/24       SecurityNik LAN

Bro runs either in standalone mode or as a cluster, and node.cfg is where that is defined. I will simulate a clustered configuration on one host. For a cluster we need at least a manager, a proxy and a worker. I also modified the local hosts file so that the following names resolve:


root@securitynik:~# cat /etc/hosts
127.0.0.1       localhost
192.168.0.4     securitynik.n3.local  securitynik
192.168.0.4     securitynik
192.168.0.4     n3-bro-mgr
192.168.0.4     n3-bro-proxy
192.168.0.4     n3-bro-worker

Once the hosts file has been modified, node.cfg looks like this. Note that broctl reads node.cfg from its CfgDir (/opt/bro/etc according to the broctl.cfg shown further down), so that is the copy you need to edit.


root@securitynik:~# cat /etc/bro/node.cfg
[n3-bro-mgr]
type=manager
host=n3-bro-mgr

[n3-bro-proxy]
type=proxy
host=n3-bro-proxy

[n3-bro-worker]
type=worker
host=n3-bro-worker
interface=enp0s25


Next up, let's configure broctl.cfg. Check this file for anything that needs to be modified for your site's specific configuration. In particular, LogDir, SpoolDir and CfgDir must point at your install prefix, and MailTo needs to be a mailbox somebody actually reads if you want the host up/down and crash notifications to be useful.

root@securitynik:~# cat /opt/bro/etc/broctl.cfg | more

###############################################
# Mail Options

MailTo = root@localhost
MailConnectionSummary = 1
MinDiskSpace = 5
MailHostUpDown = 1

###############################################
# Logging Options
LogRotationInterval = 3600
LogExpireInterval = 0
StatsLogEnable = 1
StatsLogExpireInterval = 0

###############################################
# Other Options

StatusCmdShowAll = 0
CrashExpireInterval = 0
SitePolicyScripts = local.bro
LogDir = /opt/bro/logs
SpoolDir = /opt/bro/spool
CfgDir = /opt/bro/etc
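Before handing these files to broctl it is worth catching the usual slips (a worker section without an interface, a cluster with no proxy, a malformed CIDR in networks.cfg), because install will happily regenerate cluster-layout.bro and local-networks.bro from whatever is there. The following shell script is an added example, not part of the original post or of BroControl itself. It re-creates the node.cfg and networks.cfg shown above in a temporary directory and checks them with awk. The cluster rules it enforces (exactly one manager, at least one proxy and one worker, or a single standalone node; logger optional) are an assumption that simplifies what broctl accepts, and it does not resolve host names, so the /etc/hosts step above is still needed.

```shell
#!/bin/sh
# Added example, not from the original post or from BroControl: sanity-check
# node.cfg and networks.cfg before "broctl install". The cluster rules below
# are a simplified assumption (one manager, >=1 proxy, >=1 worker, or one
# standalone node); host names are not resolved.

# check_node_cfg FILE -> prints one line per problem; exit status 1 if any found
check_node_cfg() {
    awk '
        function finish() {
            if (type == "") { print "[" name "] missing type"; bad++ }
            if (host == "") { print "[" name "] missing host"; bad++ }
            if (type == "manager")    managers++
            if (type == "proxy")      proxies++
            if (type == "standalone") standalone++
            if (type == "worker") {
                workers++
                if (iface == "") { print "[" name "] worker missing interface"; bad++ }
            }
            if (type != "" && type !~ /^(manager|logger|proxy|worker|standalone)$/) {
                print "[" name "] unknown type \"" type "\""; bad++
            }
        }
        /^[ \t]*\[/ {                       # [section] header starts a new node
            if (name != "") finish()
            name = $0; sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
            type = host = iface = ""
            next
        }
        /^[ \t]*#/ { next }                 # comment line
        /^[ \t]*$/ { next }                 # blank line
        /=/ {                               # key=value inside a section
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "type") type = val
            else if (key == "host") host = val
            else if (key == "interface") iface = val
            next
        }
        { print "line " NR ": unexpected text \"" $0 "\""; bad++ }
        END {
            if (name != "") finish()
            if (standalone) {
                if (standalone + managers + proxies + workers != 1) {
                    print "a standalone node must be the only node"; bad++
                }
            } else {
                if (managers != 1) { print "cluster needs exactly one manager, found " managers + 0; bad++ }
                if (proxies < 1)   { print "cluster needs at least one proxy"; bad++ }
                if (workers < 1)   { print "cluster needs at least one worker"; bad++ }
            }
            exit (bad > 0 ? 1 : 0)
        }
    ' "$1"
}

# check_networks_cfg FILE -> every non-comment line must be "a.b.c.d/N description"
check_networks_cfg() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        {
            ok = (split($1, p, "/") == 2 && p[2] ~ /^[0-9]+$/ && p[2] <= 32 && split(p[1], o, ".") == 4)
            for (i = 1; ok && i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] > 255) ok = 0
            if (!ok) { print "line " NR ": bad CIDR \"" $1 "\""; bad++ }
            else if (NF < 2) { print "line " NR ": " $1 " has no description"; bad++ }
            else entries++
        }
        END {
            if (entries == 0) { print "no networks defined"; bad++ }
            exit (bad > 0 ? 1 : 0)
        }
    ' "$1"
}

# demo_config_check -> writes the two files from the post to a temp dir and checks them
demo_config_check() {
    dir=$(mktemp -d)
    cat > "$dir/node.cfg" <<'EOF'
[n3-bro-mgr]
type=manager
host=n3-bro-mgr

[n3-bro-proxy]
type=proxy
host=n3-bro-proxy

[n3-bro-worker]
type=worker
host=n3-bro-worker
interface=enp0s25
EOF
    printf '192.168.0.0/24       SecurityNik LAN\n' > "$dir/networks.cfg"
    check_node_cfg "$dir/node.cfg" && check_networks_cfg "$dir/networks.cfg"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo_config_check && echo "node.cfg and networks.cfg look sane"
```

Run it against your real files with `check_node_cfg /opt/bro/etc/node.cfg && check_networks_cfg /opt/bro/etc/networks.cfg` before `broctl install`; a non-zero exit with the offending line printed is the point, since broctl will otherwise only tell you about some of these when a node fails to start.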


Let's now load up broctl

root@securitynik:~# broctl

Then look at the current status

[BroControl] > status
Name         Type    Host             Status    Pid    Started
n3-bro-mgr   manager n3-bro-mgr       stopped
n3-bro-proxy proxy   n3-bro-proxy     stopped
n3-bro-worker worker  n3-bro-worker    stopped


Whenever the configuration is changed, run install: it regenerates the cluster layout, local networks and broctl-config scripts from node.cfg, networks.cfg and broctl.cfg and pushes them to the nodes. Running check first validates the site policy scripts, and deploy combines check, install and a restart of the nodes.


[BroControl] > install
removing old policies in /opt/bro/spool/installed-scripts-do-not-touch/site ...
removing old policies in /opt/bro/spool/installed-scripts-do-not-touch/auto ...
creating policy directories ...
installing site policies ...
generating cluster-layout.bro ...
generating local-networks.bro ...
generating broctl-config.bro ...
generating broctl-config.sh ...
updating nodes ...

We then start the different nodes/roles


[BroControl] > start
starting n3-bro-mgr ...
starting n3-bro-proxy ...
starting n3-bro-worker ...

Verify once again that all services are running

[BroControl] > status
Name         Type    Host             Status    Pid    Started
n3-bro-mgr   manager n3-bro-mgr       running   993    27 Sep 21:58:08
n3-bro-proxy proxy   n3-bro-proxy     running   1039   27 Sep 21:58:10
n3-bro-worker worker  n3-bro-worker    running   1076   27 Sep 21:58:12

Looks good from above.

Looking at the log directory we see:

root@securitynik:~# ls /opt/bro/logs/
2018-09-27  current


Looking specifically at the current logs. Note that current is a symlink into SpoolDir, where the running nodes write; every LogRotationInterval seconds (3600 here) broctl rotates the files, compresses them and archives them under a dated directory such as 2018-09-27.


root@securitynik:~# ls /opt/bro/logs/current
capture_loss.log   dns.log    known_services.log  stats.log   syslog.log
communication.log  files.log  software.log        stderr.log  weird.log
conn.log           http.log   ssl.log             stdout.log  x509.log


References:
https://www.digitalocean.com/community/tutorials/how-to-install-bro-on-ubuntu-16-04
https://www.bro.org/sphinx/quickstart/index.html




Installing Bro 2.6-beta2

In this post we look at installing the Bro network security monitoring framework. I happen to teach this tool in the SANS SEC503 - Intrusion Detection In Depth class and find it to be quite a wonderful tool. As a result, I thought I should put together a quick blog post on its installation, which I can build on in the future.

Let's get this show on the road.

First up I will be installing on Ubuntu 18.04 (bionic)

root@n3-monitoring:~# lsb_release --all
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.1 LTS
Release:        18.04
Codename:       bionic

First I created a directory for "bro" under "/opt"


root@securitynik:~# mkdir /opt/bro

Then install the necessary dependencies

sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev

Then install the GeoIP development library. Note that Bro 2.6 does geolocation through libmaxminddb (GeoIP2 .mmdb databases); the libgeoip library and legacy .dat files in this block are what earlier releases used, and the build summary further down reports "libmaxminddb: false", so GeoIP support is not actually compiled into this build. If you want it, install libmaxminddb-dev and a GeoLite2 .mmdb database before running configure.

apt-get install libgeoip-dev -y

Change to the GeoIP database directory

root@securitynik:~# cd /usr/share/GeoIP/

Download the GeoLite City database

root@securitynik:~# wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz

Unzip it

root@securitynik:~# gunzip GeoLiteCity.dat.gz

Rename it to the file name the legacy GeoIP code looks for

root@securitynik:/usr/share/GeoIP# mv GeoLiteCity.dat GeoIPCity.dat


Next up, in my case I switched to the /tmp directory with "cd /tmp", downloaded the tarball and then extracted it.


cd /tmp
root@securitynik:/tmp# wget https://www.bro.org/downloads/beta/bro-2.6-beta2.tar.gz
root@securitynik:/tmp# tar -zxvf bro-2.6-beta2.tar.gz

Once the files have been extracted, change into the "bro-2.6-beta2" directory and run the "configure" script:


root@securitynik:/tmp# cd bro-2.6-beta2
root@securitynik:/tmp/bro-2.6-beta2# ./configure --prefix=/opt/bro

====================|  Bro Build Summary  |=====================

Build type:        RelWithDebInfo
Build dir:         /tmp/bro-2.6-beta2/build
Install prefix:    /opt/bro
Bro Script Path:   /opt/bro/share/bro
Debug mode:        false

CC:                /usr/bin/cc
CFLAGS:             -Wall -Wno-unused -O2 -g -DNDEBUG
CXX:               /usr/bin/c++
CXXFLAGS:           -Wall -Wno-unused -std=c++11 -O2 -g -DNDEBUG
CPP:               /usr/bin/c++

Broccoli:          false
Broctl:            true
Aux. Tools:        true

libmaxminddb:      false
Kerberos:          false
gperftools found:  false
        tcmalloc:  false
       debugging:  false
jemalloc:          false

================================================================


Once configure completes, run make followed by make install


root@securitynik:/tmp/bro-2.6-beta2# make
root@securitynik:/tmp/bro-2.6-beta2# make install

Let's now create a symbolic link so that bro is on the default PATH

root@securitynik:/opt/tmp# ln -s /opt/bro/bin/bro /usr/bin/bro

The build above already produced broctl and the aux tools, including bro-cut, under /opt/bro/bin (the summary shows "Broctl: true" and "Aux. Tools: true"), so the two apt-get installs that follow are optional. They install Ubuntu's separately packaged copies, which keep their own configuration under /etc/bro, so if you do install them make sure the broctl you run and the node.cfg you edit belong to the same installation.

root@securitynik:/opt/tmp# apt-get install bro-aux

Then broctl

root@securitynik:/opt/tmp# apt-get install broctl

Once the install is finished, let's run bro to see what we get:

root@securitynik:/opt/tmp# bro --iface enp0s25
listening on enp0s25

After running bro for a few minutes, ls shows:

root@securitynik:/opt/tmp# ls *.log
conn.log  packet_filter.log  reporter.log  syslog.log  weird.log

Looks good. Let's now move on to configuring bro.

References:
https://www.bro.org/sphinx/install/install.html
https://blog.rapid7.com/2017/06/24/how-to-install-and-configure-bro-on-ubuntu-linux/
https://www.bro.org/sphinx/frameworks/geoip.html
https://bro-tracker.atlassian.net/browse/BIT-1775