The Threat Landscape — An Overview

Jon
10 min read · Jul 10, 2021

by: Jon Little — find me on github — github.com/JonLittleIT

What does it take to be a security engineer? In this blog post we will look at several types of threats, such as ransomware and crypto-mining attacks, discuss modern attack techniques, and look at the administrative failures behind common cyber attacks. We will identify how to isolate and automate responses to the alerts seen in GuardDuty and CloudTrail in AWS. We will begin to identify how the business or application behaves day to day and set alerts around those thresholds. When security issues come up, whether reported internally or externally, having a plan matters more than the choice of response. As threats hit your application, we will review each attack, how we can alert on it and react in an automated way, and what we need to see in the logs in order to do so. When you hold important data, attackers will try anything to get it.

In this blog post we will discuss the threat landscape, ransomware and crypto attacks, IP theft, and modern attack techniques.

  • Threat landscape
  • Ransomware and crypto attacks
  • Modern attack techniques

Technical requirements

For the tutorials in this blog post you will need access to a CLI and Kali Linux.

We will use the Veil Framework: https://github.com/Veil-Framework/Veil

If you want the easier way, via Docker, you can run this in your shell:

docker run -it -v /tmp/veil-output:/var/lib/veil/output:Z mattiasohlsson/veil

An IDE of your choice will be used to write scripts in Python; Python 3 must be installed. You will need VirtualBox and the 64-bit Kali Linux VirtualBox image. You will need access to AWS and its cloud tools to run the tools, and a user access key installed before starting.

The Threat Landscape

When you are working in the field as a Security Engineer there are many kinds of challenges and security threats to overcome. There are various types of attacks that can leave your network vulnerable to data loss and even system downtime. One of the most common challenges security engineers face is ransomware attacks. At the time of writing, new laws have been proposed by US Senators that would prohibit companies from paying the ransom. The bills have not been passed at the time of writing, but bills S7246 and S7289 were introduced in January 2020. These bills would help improve cybersecurity with a fund called “The Cyber Security Enhancement Fund”. The City of Atlanta spent 1.6m to recover from a 52,000 dollar ransomware attack. It was not reported whether they paid the ransom, but the city was down after the infection because it had no means to decrypt the infected computers. They then continued to pay consulting firms millions of dollars to help recover whatever was left of the compromised systems.

Ransomware and Crypto Mining/crypto-jacking

In fact, the more interesting part of malware attacks is how they infiltrate your systems. When I was working with a few clients there were many alerts around bitcoin and crypto mining. Only once did I see ransomware, but it was isolated very quickly with proper controls. What you might see more often than anything else is bitcoin mining from a host inside the network: a known insider picked up malware from a malvertising ad on a major news website. When your A/V is pattern-based, it leaves a much larger area to attack. A lot of developers will use packed or FUD (fully undetectable) implants with malware. When you FUD a .exe with encryption you obfuscate the known structure of the binary that may have been reported to the A/V databases and to VirusTotal. The file then looks as if it has new “fingerprints” and comes from another source. Even popular frameworks like Veil in Kali Linux provide examples of how you can get past most A/V vendors.

Modern Attack Techniques

Evasion is being able to move into your network without detection. This is a popular attack technique that is less discussed online and gets less weight when talking about criteria for courses; with limited exposure it is usually covered less. I feel evasion is a more advanced technique. You can use the Veil framework to test this, using obfuscation to throw off investigators. When an AV engine can’t read the file it can return a null result, which means nothing could be done with this file: unable to analyze the file due to encryption. Let’s start looking at how this is done to understand it more deeply.

Proposed tool for analysis

Kali Linux

Kali Linux is the Swiss army knife of tooling to use with Python and all your general hacking skills.

We will need a .exe and a Kali Linux VM to create the file in that OS, and then a Python request to test files that are in question when you have something you want to check in VT (VirusTotal).

How to use Veil framework

  1. Get the Kali image for VirtualBox.

https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/#1572305786534-030ce714-cc3b

  2. Download VirtualBox if you don’t already have a program for running VMs.

https://www.virtualbox.org/

  3. Open Kali Linux.
  4. Go to the CLI and run:

sudo apt-get -y install git
git clone https://github.com/Veil-Framework/Veil.git
cd Veil/
./config/setup.sh --force --silent

Or install it from the Kali package instead:

Kali > apt-get install veil-evasion
Kali > veil evasion

Screenshot from Kali Linux

Finish the install and complete the following steps.

When the menu appears, you can select compile_to_exe.

Then you will get an encrypted payload.

This will have your Meterpreter handler built into the file, so the IPs used in this attack will need to be on the same network to be able to reach each other.

Let’s now compare on virustotal.com using the API. You can take a generic file, apply the Veil framework to it to obfuscate it and implant a payload, and review the different results so we can see what a good find looks like versus what is benign or a hidden payload. We can write a simple Python script to examine the common attack technique seen in malware using a test file. Any .exe or other file that looks suspicious can be uploaded to VT with ease. Here are the steps to follow.

  1. Import requests
  2. Add the URL
  3. Then set the API key params.
  4. Set the file.
  5. Configure the API key to be read from the ENV
  6. Set the apikey ENV variable
  7. export apikey=A0B908908980A (example)
  8. Then assign the response of the POST request with the files and params.

When it’s all put together here it is in python:

import os
import requests

url = 'https://www.virustotal.com/vtapi/v2/file/scan'
apikey = os.environ['apikey']  # read the key from the environment, never hard-code it
params = {'apikey': apikey}
with open('myfile.exe', 'rb') as f:
    files = {'file': ('myfile.exe', f)}
    response = requests.post(url, files=files, params=params)
print(response.json())

Using the name myfile.exe, we can drop the exe into the folder we run the script from and the script will upload it to VirusTotal for analysis. We can use any sample file you need to take a deeper look at. Usually someone forwards a phishing email or sends a file that seems like malware, but you don’t want to open it and it is much faster to test online. You can use debugger-type programs, and we will later in this book, but this example is meant to help build your toolbox with custom things you can use on the job or when consulting at any business.

Important note

Never store your api keys in your source code!

This is a huge issue: hard-coding keys is taught in all the dev API getting-started guides so you get going faster. I am showing you how to do it securely, not faster. In the end it will be best for your skill set to do it properly.
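As an added example (not code from the original post), here is how the two points above fit together: the API key is read from the environment rather than the source, and the JSON that VirusTotal’s v2 /file/report endpoint returns for a submitted file is turned into a triage verdict. The report below is a constructed sample, and the engine names and verdict thresholds are assumptions for this example.

```python
import json
import os

# Constructed (not real) VirusTotal v2 /file/report style response used as sample input.
SAMPLE_REPORT = {
    "response_code": 1,
    "resource": "EXAMPLE_SHA256_PLACEHOLDER",
    "positives": 3,
    "total": 5,
    "scans": {
        "EngineA": {"detected": True, "result": "Trojan.Generic"},
        "EngineB": {"detected": True, "result": "Packed.Suspicious"},
        "EngineC": {"detected": True, "result": "Malware.Heur"},
        "EngineD": {"detected": False, "result": None},
        "EngineE": {"detected": False, "result": None},
    },
}


def load_api_key(env=None, name="apikey"):
    """Read the API key from the environment, never from source code.

    env defaults to os.environ; a plain dict can be passed for testing.
    """
    env = os.environ if env is None else env
    key = env.get(name)
    if not key:
        raise RuntimeError(f"set the {name} environment variable before running")
    return key


def triage(report, suspicious_at=1, malicious_at=3):
    """Turn a v2 file report into a verdict; the thresholds are assumptions for this example."""
    if report.get("response_code") != 1:
        # VT has never seen the file: no engine result exists, which is not a clean bill of health
        return {"verdict": "unknown", "positives": 0, "total": 0, "detected_by": []}
    positives = int(report.get("positives", 0))
    total = int(report.get("total", 0))
    detected_by = sorted(
        engine for engine, r in report.get("scans", {}).items() if r.get("detected")
    )
    if positives >= malicious_at:
        verdict = "malicious"
    elif positives >= suspicious_at:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "positives": positives, "total": total, "detected_by": detected_by}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```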

Check domain or target reputation

We can use the examples from the developer website for APIVoid. I use ipvoid.com for getting threat intel on an IP or domain.

They give you ways to use Python, but in an insecure way. Keep in mind that the generic usage suggested per API is not always the secure best method. Developers will give you an example, but usually they hard-code the keys needed to use the code.

We can take this usage example and secure the code by storing creds in the ENV instead of hard-coding them into the script, which is more common than it should be.

python iprep.py 187.41.115.174

We can see this host is on 1 block list and is more than likely something to watch for.

jonathanlittle MacBook-Pro ~/code/…/apivoid-examples/python3/ip-reputation-example % python iprep.py 209.141.62.246
IP: 209.141.62.246
Hostname: tor-exit-03.nonanet.net
---
Detections Count: 6
Detected By: ZeroDot1 Bad IPs, IPsum, EFnet_RBL, S5hbl, Spamhaus, AntiSpam_by_CleanTalk
---
Country: US (United States of America)
Continent: NA (North America)
Region: Nevada
City: Las Vegas
Latitude: 36.1749687195
Longitude: -115.13722229
ISP: Frantech Solutions
---
Is Proxy: False
Is Web Proxy: False
Is VPN: False
Is Hosting: True
Is Tor: True

Important note:

We can get the location and actor and see if it’s on Tor and a blocklist. Very useful when tracing a connection.

What we see here is how to use new tools in the threat landscape and how to keep your toolbox diverse. You can take any API and, with proper documentation, build your interactions with it, in the cloud or just on your laptop, to further your hands-on Python skills. As we go through each exercise we will build on the previous projects and continue to go deeper so we can measure how much we are progressing, from basic tooling all the way to complex cloud tools. We have the ability to rapidly prototype and then introduce a new tool to give us more skills.

Threat Intelligence

Over time, as security engineers we must collect IOCs from the threat intel we find in our networks. To store iprep info as threat intel on attackers we can use vendor tools that store threat intel in a cloud store like ThreatConnect; we can then start collecting artifacts into the console for a visual representation of each manual investigation and review done by each engineer, rather than only what the SIEM sees. There is almost always work done in the console outside of web GUI tools. Responses from the iprep check can be stored in S3 so the data can be accessed from QuickSight and you can visualize the current threat actions you’re investigating.

Investigation checklist:

1) IP reputation check

python iprep.py 122.226.181.165

2) Check the source of a file or domain for malware or suspicious information

jonathanlittle MacBook-Pro ~/code/…/apivoid-examples/python3/ip-reputation-example % python iprep.py 209.141.62.246
IP: 209.141.62.246
Hostname: tor-exit-03.nonanet.net
---
Detections Count: 6
Detected By: ZeroDot1 Bad IPs, IPsum, EFnet_RBL, S5hbl, Spamhaus, AntiSpam_by_CleanTalk
---
Country: US (United States of America)
Continent: NA (North America)
Region: Nevada
City: Las Vegas
Latitude: 36.1749687195
Longitude: -115.13722229
ISP: Frantech Solutions
---
Is Proxy: False
Is Web Proxy: False
Is VPN: False
Is Hosting: True
Is Tor: True

Using some bash with the Python script we can store each investigation to a .json file and copy it to S3 on every run, so our analysis data set is kept in S3.

python3 iprep.py 122.226.181.165 | tee 122.226.181.165.json | aws s3 cp - s3://mythreatintel/actors/122.226.181.165.json
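Because iprep.py prints a text report rather than JSON, the file that lands in S3 above is not yet queryable as JSON. Here, as an added example that is not part of the original post or of the APIVoid examples, is a parser that turns that report into a typed record with a UTC timestamp and a risk flag; the sample text is an abbreviated copy of the output shown earlier, and the block_threshold is an assumption for this example.

```python
import json
from datetime import datetime, timezone

# Sample input: an abbreviated copy of the text report the page's iprep.py run printed,
# embedded as a string so the parser runs offline.
SAMPLE_REPORT = """IP: 209.141.62.246
Hostname: tor-exit-03.nonanet.net
---
Detections Count: 6
Detected By: ZeroDot1 Bad IPs, IPsum, EFnet_RBL, S5hbl, Spamhaus, AntiSpam_by_CleanTalk
---
Country: US (United States of America)
Latitude: 36.1749687195
ISP: Frantech Solutions
---
Is Proxy: False
Is Hosting: True
Is Tor: True
"""


def parse_iprep(text):
    """Convert the iprep text report into a dict with typed fields."""
    record = {}
    for line in text.splitlines():
        if ": " not in line:
            continue  # skips the "---" separators and blank lines
        key, value = line.split(": ", 1)
        field = key.strip().lower().replace(" ", "_")
        value = value.strip()
        if field == "detected_by":
            record[field] = [v.strip() for v in value.split(",") if v.strip()]
        elif field == "detections_count":
            record[field] = int(value)
        elif field in ("latitude", "longitude"):
            record[field] = float(value)
        elif field.startswith("is_"):
            record[field] = value == "True"
        else:
            record[field] = value
    return record


def investigation_record(text, block_threshold=3):
    """Add a UTC timestamp and a risk flag; block_threshold is an assumption for this example."""
    rec = parse_iprep(text)
    rec["investigated_at"] = datetime.now(timezone.utc).isoformat()
    rec["high_risk"] = rec.get("is_tor", False) or rec.get("detections_count", 0) >= block_threshold
    return rec
```

Piping the output of `json.dumps(investigation_record(...))` into `aws s3 cp -` gives you a file QuickSight can read as JSON rather than free text.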

We can now sync the files to our backup bucket, keeping our data backed up with a daily sync and with lifecycle settings in S3.

aws s3 sync s3://mythreatintel s3://mythreatintelbackup

Now we can examine our threats in QuickSight, which is free with an AWS account.

Log in to QuickSight from the AWS console.

https://aws.amazon.com/

Create an account if you don’t have one and go to QuickSight.

https://us-east-1.quicksight.aws.amazon.com/sn/start

See the example below of how easy it is to use QuickSight to see results from a threat hunter’s report.

Modern attacks also give birth to new countermeasures and resources in the threat landscape.

Now the new cool thing to do is to have a bug bounty program. If you haven’t tried this already, you should try it for yourself.

It crowdsources issues without having to pay unless the reports meet certain criteria, more or less keeping budgets low and helping find complex critical issues you may not have the team or resources for. Below you can see a program I created for free, which highlights a website I have for fun or work.

Using the most basic free services, you can make your company known only to private hackers and still make sure that if there is anything critical you get eyes on it, review reports and pay as you see fit. I would recommend this to anyone setting up optics and alerting for a new client: it creates a legal avenue to get help when doing big releases or changes to your product, and if you don’t want to staff AppSec you can pay only for issues found, not the other way around, which is very costly and a long process.

As you can see in the image below, adding assets is easy and can be done for any website.

In this blog post we reviewed and set up a few API interactions and have some dashboards we can now use to report on threat intel data and on what we are seeing from an investigation perspective; we can also manage how we learn about the data we use daily to watch for trends in what we investigate outside of Splunk or our other tooling. There is always work that comes in as per diem requests from different business units, and what we discussed is an example process you can follow to manage a new request you don’t normally handle but where there is an API you can pull data from to meet your needs.

We also talked about evasion and modern attack techniques. While talking about what’s happening in the wild, I had to mention what teams are doing to stop sophisticated malware and find bugs in their code: ways of leveraging already existing data and crowdsourcing your red team.

Code link :

questions?

You can tweet me at @Rid3Over / CrashOverrid3

Jon writes articles about technology, comes from NY and has traveled the world.