Sunday, December 4, 2016

Recovering Luddite?

Growing up Mennonite in Lancaster County with no computer, and no television, only to become a Digital Forensic Analyst and Incident Response Specialist living in New York City, has been quite a journey. My friends tell me the uniqueness of my life requires a blog, but I tell them, I haven't changed much, really.

Personal blog, nothing on here represents my employer.

Threat Intelligence

I am really looking forward to sharing a new post with the community! 

I revamped my older "Links I Follow" spreadsheet and added a repository of Threat Intelligence portals, Hunt tactics and more malware links.  The new spreadsheet has tabs, so don't miss all three tabs. The "Research" tab has my old "Links I Follow" spreadsheet, with anything new in bold.  A good portion of the entries are free or open source, but if you like something you see and the author asks for a small donation, remember it's nice to give back if you are able.

Some time ago my "IR A-Z" paper was warmly welcomed, as was my list of tools that I shared.  I've since found a whole bunch more tools, but my new list doesn't have very many tools in it, instead I decided to focus my energy on answering a question I received from a former co-worker as well as from some of the listserv's I follow.  A few weeks back a good friend texted me, "Do you happen to have a list of blog intel stuff, API feeds, or anything that reports on current malware or phishing?"  Well, turns out I did, but it seems now that I follow Twitter, I come across so much incredible intel every day, that all I have time to do is copy the URL and move on!  I'd had links and links and links that I had saved but not taken the time to add to my spreadsheet!  But I knew, that in order to help my friend, I needed to sit down and take some time to cull through my pile of information and organize some of it.  There's tons more, but it's an infinite process, which at some point I just have to cut my losses and say, here's all I have time to record.

So that's what this post is about.  It's not meant to be an exhaustive directory by any means, and trust me, I've labored over how to categorize things, where to place them in the list, and eventually just ran out of time. So you might find some malware research under Threat Intelligence or some Hunt stuff under Tools, etc.  I did the best I could with the little bit of free time that I had, so please know that the list is far from perfect, but hopefully it will be helpful to the community.

Friday, November 18, 2016

Unofficial Holiday Hack Countdown

I am so eager for this year's SANS Holiday Hack Challenge that I created a fun counter for myself! Thank you to the wonderful Katie Knowles for letting me use her pic!

Wednesday, June 29, 2016

Incident Response: A-Z

Update: I am incredibly humbled by the positive responses I've received since posting my paper on Incident Response A-Z. I am very grateful to each and every person who added their suggestions, and pointed out that glaring mistake on page 6 where I duplicated the first 3 processes.  I was on my way to Disneyland when I noticed it, and was mortified (and humbled in a different way)!  I have just posted a revised and corrected copy/link below.  Thank you again everyone for all your input, that's what makes community great, enjoy!

I began the concept of this paper with one sentence, almost 5 years ago. I have slowly expanded upon that sentence over the past 5 years, and I fully expect that trend to continue. Over the course of chipping away at the paper, I have published portions of it on my blog.

A likely follow-up would be an example investigation, soup to nuts, along with a final report that you would hand to the client. That may be my next endeavor. I started that process recently, but with not a lot of free time in my schedule, I decided to go ahead and publish what I have so far, and if I can eke out enough time to do the rest and tack on other stuff, I certainly will.

The paper is dedicated to my daughters. My 1 year old cannot yet grasp the concept of malware, however while traveling recently and Skyping with my 5 year old who is crazy about princesses and of course “Frozen,” we were sharing stories about our day and I mentioned that I had come across a very interesting piece of malware, to which she responded, “Mom, was it pink malware?!” And thus, "pink malware" was born, because of course I had to come home with some for her.

Lastly, my thoughts and processes are just one of a thousand ways you can approach an incident. I am making no claims that the paper is perfect, or exhaustive. I do, however, hope that someone will find something meaningful that they can take away from it. I recently received a private message from someone anonymously via my blog who encouraged me to keep putting things like this out there because it was incredibly helpful to the DFIR community. I am releasing this paper in the spirit of that post. It’s far from ready for publishing, or complete, but it is good enough for now: It opens to PDF: http://bit.ly/IR_A2Z_Updated

Monday, May 30, 2016

Memorial Day Blessings

This past weekend I had the privilege of participating in a memorial service for a loved one in San Diego. Our beloved grandfather (through marriage, and great-grandfather to our children) passed away last week, and we all scrambled to fly to San Diego and celebrate his life.

Being a Mennonite, I had not previously had an opportunity to be exposed to a ceremony which included military honors. However, I have always adopted the philosophy that although our Mennonite theology is one of pacifism, we would not be able to have the choice to worship freely if those liberties hadn't been defended, fought for, and if many hadn't sacrificed their lives for them. So my belief on that matter has always been a very thoughtful one, and quite frankly with the threats our nation now faces, well, it's complicated,,,but I digress.

While poring over many photographs and memories of our dear grandfather, I learned about the Murmansk Run and how dangerous that passage was during World War II. So dangerous in fact that our grandfather, who was a Gunner in the Navy, had earned a Bronze Star and a Purple Heart.


The graveside message that the Reverend left us with will stick with me for a very long time. He opened by saying, "No matter what your political beliefs are in this heated election year, there's nothing that unifies us greater than the loss of someone who has served our country."

And that, my friends, is why I have had many conversations over the course of this Memorial Day weekend, to stop, pause, and make sure my 6 year-old and my 2 year-old, understand why they have the day off school, and how important Memorial Day is, not just today, but every single day.  Blessings to all the families who have lost a loved one who has made the ultimate sacrifice, and to all who are serving and have served our great country.

Friday, April 29, 2016

I Heart Malware!


I love malware, I really do.  And let’s face it, malware gets a really bad rap!  After all, it’s evil, it’s vicious, and no one wants it, right?  Hmmm…that’s funny, cuz I download as much of it as I can!  It fascinates me, almost to the point of getting me in trouble with one of my Supervisors.  Yup.  As it was so delicately explained to me, “Mary Ellen, malware to you is like a needle to an addict.  I can remove the drug but the needle is still stuck in your vein.”  There’s a back-story to that which I won’t bore you with, but it was all in good fun mind you, he was absolutely right-on with his assessment and here's why.  I was way too focused on commodity malware, meanwhile behavioral hunt-work such as lateral movement and looking for good-tools (#Goodware) being used for bad was taking too much of a backseat.  But, I digress.

So why do I enjoy looking at malware so much anyway?  Well, it’s smart enough to sneak through a ton of sensors (like a good pen-tester), and occasionally it’s very well written.  OK, so where am I going with all of this?

I was recently discussing a custom piece of “malware” that a co-worker had written, and as he was describing it to me, my mind was racing to a million different places.  What a cool piece of code!  Most of the a/v engines were calling it malware, but it was really just a cleverly crafted program that wasn’t evil at all. Yes, it stopped a process to inject something then started it back up again, but it didn't do anything malicious per se.

OK, OK, so the hardcore malware entomologists amongst the group could argue that in fact that’s actually not malware to begin with, it’s #goodware…but the end-point solutions are all whacking it due to its “malcode”, so doesn’t that make it malware?  If malware was strictly defined by heuristics, maybe, but that could lead to too many false positives.

What’s my point?  Whatever you want it to be.  If your take-away is simply to think about “good code” vs. “malcode” then maybe that’s beneficial to you.  If you’re now wondering about or reevaluating your current security controls and why those solutions are allowing grayware or adware into your enterprise, then maybe that’s helpful also.  And BTW, what files does your organization currently allow or block?  Do you allow zips?  If so, do you block zips if they're encrypted?  Or, maybe you filter zips by file-type content, like .exe, .js or .scr inside of a zip (of course one could manually change the file extensions to bypass)?  Additionally, are there files that you block as attachments straight-up such as .doc, .docm, .rtf or .xls?

I wrote the above blurb earlier in the week but didn't have a chance to post it, and just today a friend sent me a link to a FAR BETTER post, so check that one out too!

Friday, April 22, 2016

What Language Does Malware Dream In?

PREFACE: I am not an expert on any of the following, I'm merely sharing my ideas and questions, almost stream of conscious style, cuz sometimes when you ask wacky questions, you glean actionable intel. The following is a learn-as-I-go exercise and not definitive data or even perhaps 100% correct, it's simply a work-in-progress that seemed to make sense to release in the wild, all names removed.

The other day a friend hit me up with a link to a video. That friend is someone I completely admire and he's one of the smartest guys I've ever met. I had a ton of meetings that day, so I couldn't immediately put on my Beats and check it out. A few hours later, he IM's me: "Check out that video yet?" "No, but I will." "Best presentation I've ever seen, I'm going to buy every single one of his books!" That was coming from someone who recommends at least one article or video a week, so for him to come back like that, I knew I had to stop what I was doing and make it a top priority. The video ended up being one of the best I’ve seen as well. Right up there with my two long-time favorites: "Lateral Movement" by Harlan Carvey and "Finding Unknown Malware" by Alissa Torres of "Malware can hide but it must run" fame - the audio on "Finding..." has some issues, but I've watched it so many times I've lost track, it's worth putting up with the less than perfect audio. Alissa actually did another presentation that's similar: "Detecting Persistence Mechanisms" but I digress. So, after watching the video that my friend recommended, I had a conversation with him. After our discussion, I began to think about some things... If organizations are only “watching” their netflow for the English language, could they miss something? In other words, if the Chinese, for example, have infiltrated your network, or are attempting to, they may be writing code or binaries that are in Mandarin and using UTF-16 encoded in 16-bits, which would be 2 bytes and currently not easily or (out of the box) detectable by most sensors.

So then I started to think about all the hundreds of malware samples I’ve looked at in the past year-and-a-half, and I can count on one hand the number of them that had a Chinese signature.

I've also seen artifacts of chats from unwanted guests already on networks, in English. So would it also make sense to hunt for very specific Chinese language characters or strings of characters?

Not having all of the answers, and again not being an authority on any of this, I “phoned a friend” and ended up sitting down with two of my favorite Mandarin character experts, which of course led to even more questions :( ...

 

(1) Speaking only about binaries (not isolated strings or chats), if the binaries are undetected wouldn't they eventually still need (in the end) to convert to Assembly to run, and if so, you'd see them then?
 

(2) Based on (1) above, should one perhaps just be filtering on binary headers and looking at just the signatures?

(3) Would another approach be to search the binary source code for Chinese language characters?

What I learned was that the language of the binary is “usually” defined by the resource section. You have the locale ID and/or language identifier which tells you the language. For example Locale 0x0409 is English, 0x0X04 is Chinese (as well 0x0004, 0x07C04, 0x0404, 0x0804). Or, for example, Lang ID 0x09 is English, 0x0A is Spanish etc. For YARA it would be something like pe.language(0x09) for English.
Other codes: https://msdn.microsoft.com/en-us/library/windows/desktop/dd318693(v=vs.85).aspx

One challenge could be if you have employees who are Chinese, or offices in China, unless your searches are very specific, they could result in multiple false positives. And of course my inquiry isn't really just about China, that's merely one example. From there you could expand your character searches to Arabic, French, Korean, Portuguese, Russian etc.

Yet another one of my trusted contacts with whom I often bounce things off of had previously advised me that using a language scheme as an IOC is not going to generate meaningful data, period. So next I sat down with one more person to discuss all of the above, and quite frankly for a sanity check. My takeaways from that meeting were (a) I wasn't crazy, and (b) there's one more possible angle and it's regional based. For example, malware written in VB may be seen as elementary, and frowned upon by a high caliber of threat actor such as Russian, and that generally the more difficult programming languages are more respected among those circles. That doesn't mean that malware written in VB isn't from Russia, for example, but maybe it could help narrow your initial search.


Lastly, a little bird told me that if you're going to find any of the above proactively, before the headlines hit, your answer may lie in hunting for behavioral anomalies, machine learning,,,and a whole heck of a lot of luck! Because, I was reminded, we have to be lucky all the time, they only have to be lucky once.