One Article Review

Home - The article:
Source Errata Security
Identifier 282206
Publication date 2016-12-29 20:40:33 (seen: 2016-12-29 20:40:33)
Title Some notes on IoCs
Text

Obama "sanctioned" Russia today for those DNC/election hacks, kicking out 35 diplomats, closing diplomatic compounds, and seizing assets of named individuals/groups. They also published "IoCs" of those attacks: fingerprints/signatures that point back to the attackers, like virus patterns, file hashes, and IP addresses.

These IoCs are of low quality. They are published as a political tool, to prove they have evidence pointing to Russia. They have limited utility to defenders, or to those publicly analyzing attacks.

Consider the YARA rule included in US-CERT's "GRIZZLY STEPPE" announcement:

What is this? What does this mean? What do I do with this information?

It's a YARA rule. YARA is a tool ostensibly for malware researchers, to quickly classify files. It's not really an anti-virus product designed to prevent or detect an intrusion/infection, but to analyze an intrusion/infection afterward -- such as attributing the attack. Signatures like this will identify a well-known file found on infected/hacked systems.

What this YARA rule detects is, as the name suggests, the "PAS TOOL WEB KIT", a web shell tool that's popular among Russia/Ukraine hackers. If you google "PAS TOOL PHP WEB KIT", the second result points to the tool in question. You can download a copy here [*], or you can view it on GitHub here [*].

Once a hacker gets comfortable with a tool, they tend to keep using it. That implies the YARA rule is useful at tracking the activity of that hacker, to see which other attacks they've been involved in, since it will find the same web shell on all the victims.

The problem is that this P.A.S. web shell is popular, used by hundreds if not thousands of hackers, mostly associated with Russia, but also throughout the rest of the world (judging by hacker forum posts). This makes using the YARA signature for attribution problematic: just because you found P.A.S. in two different places doesn't mean it's the same hacker.

A web shell, by the way, is one of the most common things hackers use once they've broken into a server. It allows further hacking and exfiltration traffic to appear as normal web requests. It typically consists of a script file (PHP, ASP, Perl, etc.) that forwards commands to the local system. There are hundreds of popular web shells in use.

We have little visibility into how the government used these IoCs. IP addresses and YARA rules like this are weak, insufficient for attribution by themselves. On the other hand, if they've got web server logs from multiple victims where commands from those IP addresses went to this specific web shell, then the attribution would be strong that all these attacks are by the same actor.

In other words, these rules can be a reflection of the fact that the government has excellent information for attribution. Or, it could be a reflection that they've got only weak bits and pieces. It's impossible for us outsiders to tell.

IoCs/signatures are fetishized in the cybersecurity community: they love the small rule, but they ignore the complexity and context around the rules, often misunderstanding what's going on. (I've written thousands of the things -- I'm constantly annoyed by the ignorance among those not understanding what they mean.)

I see on
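The distinction the post draws, between an IP-address or web-shell hit on its own (weak) and a request from an IoC address to the specific web shell, seen across several victims (strong), is easy to make concrete as a log-correlation check. The following Python is an added example written for this page, not code from the Errata Security post or from US-CERT's report: the IP addresses (RFC 5737 documentation ranges), the web shell path, the victim hostnames and the log lines are all constructed placeholders, and the real GRIZZLY STEPPE indicators are not reproduced.

```python
"""Correlate web-server logs against an IoC list and grade the evidence.

Added example for this page; not code from the post or from US-CERT.
IOC_IPS, WEBSHELL_PATH, the hostnames and the log lines are constructed.
"""
import re
from collections import Counter

# Constructed IoC list (RFC 5737 documentation addresses), standing in for
# the IP indicators a report like GRIZZLY STEPPE publishes.
IOC_IPS = {"198.51.100.23", "203.0.113.77"}

# Constructed path of a web shell on the victims' servers. A real rule
# identifies the file by content (YARA); here the path stands in for
# "a request reached this specific web shell".
WEBSHELL_PATH = "/wp-content/uploads/cache.php"

# Common Log Format: client IP, identity, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample logs from two hypothetical victims.
SAMPLE_LOGS = {
    "victim-a.example": [
        '198.51.100.23 - - [29/Dec/2016:10:01:02 +0000] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 512',
        '192.0.2.10 - - [29/Dec/2016:10:02:15 +0000] "GET /index.php HTTP/1.1" 200 4321',
        '203.0.113.77 - - [29/Dec/2016:10:05:40 +0000] "GET /robots.txt HTTP/1.1" 200 67',
    ],
    "victim-b.example": [
        '203.0.113.77 - - [30/Dec/2016:01:11:09 +0000] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 288',
        '192.0.2.44 - - [30/Dec/2016:01:12:00 +0000] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 300',
    ],
}


def classify(line):
    """Grade one log line: 'both', 'ip_only', 'shell_only', or None.

    'ip_only' and 'shell_only' are the weak signals the post warns about:
    an IoC address fetching robots.txt, or a shell request from an address
    nobody has tied to the actor. Only 'both' links the address to the shell.
    """
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed or non-CLF line; ignore rather than guess
    ip_hit = m.group("ip") in IOC_IPS
    shell_hit = m.group("path") == WEBSHELL_PATH
    if ip_hit and shell_hit:
        return "both"
    if ip_hit:
        return "ip_only"
    if shell_hit:
        return "shell_only"
    return None


def correlate(logs_by_victim):
    """Summarise signal counts per victim and list victims with the strong signal.

    Returns (summary, strong) where summary maps victim -> {signal: count}
    and strong is the sorted list of victims with at least one 'both' hit.
    The same actor hypothesis is only supported when several victims appear
    in `strong`; hits in the weak categories do not contribute.
    """
    summary = {}
    for victim, lines in logs_by_victim.items():
        counts = Counter(c for c in map(classify, lines) if c)
        summary[victim] = dict(counts)
    strong = sorted(v for v, c in summary.items() if c.get("both"))
    return summary, strong


if __name__ == "__main__":
    summary, strong = correlate(SAMPLE_LOGS)
    for victim, counts in summary.items():
        print(victim, counts)
    print("victims with IoC address -> web shell requests:", strong)
```

Run against the constructed sample, both victims show one `both` hit, so the strong signal is present on two servers; the `ip_only` hit on victim-a (an IoC address fetching robots.txt) and the `shell_only` hit on victim-b (a shell request from an unlisted address) are the kind of evidence that, on their own, the post says does not support attribution.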
Envoyé Oui
Tags
Stories APT 29 APT 28


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.