One Article Review

Home - The article:
Source Errata Security
Identifier 373291
Publication date 2017-06-13 01:26:00 (viewed: 2017-06-13 01:26:00)
Title More notes on US-CERT's IOCs
Text Yet another Russian attack against the power grid, and yet more bad IOCs from the DHS US-CERT.

IOCs are "indicators of compromise", things you can look for in order to see if you, too, have been hacked by the same perpetrators. There are several types of IOCs, ranging from the highly specific to the uselessly generic.

A uselessly generic IOC would be like trying to identify bank robbers by the fact that their getaway car was "white" in color. It's worth documenting, so that if the police ever show up at a suspected cabin in the woods, they can note that there's a "white" car parked in front. But if you work bank security, that doesn't mean you should be on the lookout for "white" cars. That would be silly.

This is what happens with US-CERT's IOCs. They list some potentially useful things, but they also list a lot of junk that wastes people's time, with little ability to distinguish between the useful and the useless.

An example: a few months ago the GRIZZLEYBEAR report was published by US-CERT. Among other things, it listed IP addresses used by hackers. There was no description of which IP addresses would be useful to watch for, and which would be useless.

Some of these IP addresses were useful, pointing to servers the group has been using for a long time as command-and-control servers. Other IP addresses are more dubious, such as Tor exit nodes. You aren't concerned about any specific Tor exit IP address, because it changes randomly, so it has no relationship to the attackers. Instead, if you cared about those Tor IP addresses, what you should be looking for is a dynamically updated list of Tor nodes, refreshed daily.

And finally, they listed IP addresses of Yahoo, because attackers passed data through Yahoo servers. No, it wasn't because those Yahoo servers had been compromised; it's just that everyone passes things through them, like email.

A Vermont power plant blindly dumped all those IP addresses into their sensors. As a consequence, the next morning when an employee checked their Yahoo email, the sensors triggered. This resulted in national headlines about the Russians hacking the Vermont power grid.

Today, the US-CERT made similar mistakes with CRASHOVERRIDE. They took a report from Dragos Security, then mutilated it. Dragos's own IOCs focused on things like hostile strings and file hashes of the hostile files. They also included filenames, but for the same reason you'd note a white car: because it happened, not because you should be on the lookout for it. In context, there's nothing wrong with noting the file name.

But the US-CERT pulled the filenames out of context. One of those filenames was, humorously, "svchost.exe". It's the name of an essential Windows service. Every Windows computer is running multiple copies of "svchost.exe". It's like saying "be on the lookout for Windows".

Yes, it's true that viruses use the same filenames as essential Windows files like "svchost.exe". That's, generally, something you should be aware of. But that CRASHOVERRIDE did this is wholly meaningless.

What Dragos Security was actually reporting was that a "svchost.exe" with the file hash of 79ca89711cdaedb16b0ccccfdcfbd6aa7e57120a was the virus: it's the hash that's the important IOC. Pulling the filename out of context is just silly.

Luckily, the DHS also provides some of the raw information provided by Dragos. But even then, there are problems: they provide it in formatted
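The post's point is that an IOC feed is only as good as the context attached to each indicator: a file hash pins the sample, while a bare filename like "svchost.exe", a rotating Tor exit address or a shared webmail address will fire on benign traffic. The following is an added example, not code from the Errata Security post or from US-CERT, that triages a feed by those criteria before it is loaded into sensors. The Tor exit list and the webmail provider range are constructed placeholders in RFC 5737 documentation space; a real deployment would load a daily-updated Tor exit feed and its own allowlist.

```python
import ipaddress
import re

# Filenames every Windows host already runs; matching on the name alone is noise.
COMMON_WINDOWS_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}
# Constructed stand-ins (RFC 5737 ranges) for a Tor exit feed and a webmail provider's space.
TOR_EXIT_NODES = {"192.0.2.10", "192.0.2.11"}
SHARED_SERVICE_NETS = [ipaddress.ip_network("198.51.100.0/24")]
SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def triage_ioc(kind: str, value: str) -> tuple[str, str]:
    """Rate one indicator as 'high' or 'low' value and say why."""
    v = value.strip()
    if kind == "hash":
        if SHA1_RE.match(v):
            return "high", "file hash pins the exact sample"
        return "low", "malformed hash"
    if kind == "filename":
        if v.lower() in COMMON_WINDOWS_NAMES:
            return "low", "standard Windows binary name; only meaningful with its hash"
        return "high", "uncommon filename worth a look, still weaker than a hash"
    if kind == "ip":
        try:
            addr = ipaddress.ip_address(v)
        except ValueError:
            return "low", "not a valid IP address"
        if str(addr) in TOR_EXIT_NODES:
            return "low", "Tor exit node; rotates, use a live Tor exit feed instead"
        if any(addr in net for net in SHARED_SERVICE_NETS):
            return "low", "shared service infrastructure; benign traffic will match"
        return "high", "candidate dedicated C2 address"
    return "low", f"unknown indicator type {kind!r}"


def triage_report(entries):
    """Split a list of (kind, value) pairs into high- and low-value buckets."""
    buckets = {"high": [], "low": []}
    for kind, value in entries:
        rating, reason = triage_ioc(kind, value)
        buckets[rating].append((kind, value, reason))
    return buckets


if __name__ == "__main__":
    # Constructed sample mirroring the post: the real hash, the noisy filename,
    # a Tor exit, a webmail address and one dedicated-looking address.
    sample = [("hash", "79ca89711cdaedb16b0ccccfdcfbd6aa7e57120a"), ("filename", "svchost.exe"),
              ("ip", "192.0.2.10"), ("ip", "198.51.100.5"), ("ip", "203.0.113.7")]
    for rating, items in triage_report(sample).items():
        for kind, value, reason in items:
            print(rating, kind, value, reason)
```

Only the "high" bucket should reach a sensor; the "low" bucket is kept as documentation, the way the post says a "white" getaway car is worth writing down but not worth watching for.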
Sent Yes
Stories Yahoo


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up in an earlier one.