Now that you know how to glean information out of a generic NIDS event lets look at a certain type of event and do a bit more analysis.
This applies to any event that appears on one of the following categories:
- ET COMPROMISED: (Compromised category) This is a list of known compromised hosts;
- ET CINS: (CIArmy category) Collective Intelligence generated IP rules for blocking based upon cinsscore.com;
- ET DROP Spamhaus: (Drop category) Rules to block spamhaus “drop” listed networks. IP based. This is a daily updated list of the Spamhaus DROP (Don't Route or Peer) list. Primarily known professional spammers. More info at http://www.spamhaus.org;
- ET DROP Dshield: (Dshield category) IP based rules for Dshield Identified attackers. More information can be found at http://www.dshield.org;
- ET CNC: (Botcc category) These are auto-generated from several sources of known and confirmed active Botnet and other Command and Control hosts.
You can use this query in the analyst portal to find these: https://dsap.netwatcher.com/Ql4bG
In this basic analysis, our task is to search for any indicators of compromise (IoC).
As an example we will use the same event we used in the 'how to glean information out of a generic NIDS event'.
Let's first research the external IP address:
- Determine if this IP address still has a poor reputation. Sometimes the IP address is not in the database anymore.
In our example it is: The external IP was 18.104.22.168 (Ukraine) and on ET DROP Spamhaus list found here http://www.spamhaus.org/drop/drop.lasso
- Check the IP address using other available online tools. The goal is to find any IoC’s or other related information. Some of the tools you might use:
- Where is this IP address geographically located? if the country not normal for this customer then it should spike your interest. In our example it is the Ukraine --you can see this in the event detail page next to the IP address.
- What parties are responsible for an IP address?
- Whois tool $ whois 22.214.171.124
- Passive DNS is an excellent tool for investigating domains and IP addresses
- The Shadowserver Foundation and Team Cymru both run their own WHOIS services that you can query to find out various things such as IP address to ASN mapping. An autonomous system (AS) is a grouping of IP address blocks that are assigned to an Internet Service Provider (ISP). The ISP must also be assigned an autonomous system number (ASN), which is used to uniquely identify the ISP’s networks for routing purposes. Using an ASN, you can find out what IP address ranges belong to an ISP.
- Querying ASNs with Shadowserver:
- $ whois -h asn.shadowserver.org origin 126.96.36.199
- You can now do another query to see what other IP address blocks are covered by ASN:
- If you want to find out who their peers are, you can run the following command:
- Querying ASNs with Shadowserver:
- If the connection originated from a "BAD IP" (external) to the internal assets we must determine whether the network connection was established or not. For this, it is necessary to analyze the NetFlow analytics and the session PCAP information from the event details page.
- If connection was not established the State would be “New”, the Reason would be “Timeout”.
- If connection was established the State would be “Closed”, the Reason would be “Timeout”.
- In our example State was "Established" and Reason was "Timeout"
- PCAP analyses (try to download the session pcap to review the session setup)
- If connection was not established the TCP “three-way handshake” would be unsuccessful.
- If connection was established you will see successful a TCP handshake.
- In our example it was successful as we see the handshake:
- If you see an unsuccessful connection attempt start analyzing other 'related' events at the bottom of the event details page, otherwise continue analyzing the event.
Now that you have all the information you need about the BAD IP address it's time to look at other related events on that asset to see if there are other indicators of compromise for example such as events in one of the following categories:
- ET MALWARE
- ET TROJAN
- ET WORM
or a specific binary download like one of the following NIDS, LOGS or HIDS examples:
- ET POLICY PE EXE or DLL Windows file download Non-HTTP
- [WINDOWS-MALWARE] Suspicious Service Control Manager Call
- ET POLICY PDF With Embedded File
- Registry Integrity Checksum Changed