“Action is the true measure of intelligence.” There is much truth in these words by Napoleon Hill; and, even though they are aimed at personal improvement, they also apply to cybersecurity. Intelligence allows for better organization, prioritization, and display of network and threat data. Intelligence, applied in the right way to network security, leads to informed and fast action necessary to prevent cyberattacks from succeeding.
Having actionable, well-organized information about network traffic and threats at your fingertips is more crucial today than ever before. IT and security organizations are inundated with unmanageable and uncorrelated amounts of data from multiple, independent security deployments, making it impossible to find critical threats buried in mountains of information.
Frequently it is not a lack of data that leads to a data breach but a lack of appropriately prioritized, actionable data. When it comes to network security management, complexity really is your enemy. Today’s security environment results in multiple independent interfaces and policy engines, or loosely integrated security solutions with several bolted-on technologies falsely marketed as unified products. Companies these days usually have a legacy web security product, many firewalls, a mobile and an endpoint security deployment, and more. IT teams have to manage too many data sources. Security teams don’t have the time or the resources to pinpoint critical threats among the mountains of data. Both teams are simply too overwhelmed to find the needle in the haystack and, as a result, can’t prioritize responses appropriately. That becomes a dangerous problem because real threats slip through among thousands of alerts.
What is needed is a platform that simplifies and consolidates data flows, highlights critical data, offers quick answers to security questions, and streamlines creation and management. A well-designed security platform should provide:
Visual Display of Data – A visual interface is critical because the overwhelming amounts of data in today’s cybersecurity space are just too confusing.
Customization – Every network administrator has different needs. Customization of the UI allows the system to display exactly what the user is looking for in the best possible way.
Interaction – When you are searching for answers, you need them fast. Easy drill-down capabilities within the UI should provide these answers with just a few clicks.
Automation – Automation is critical in today’s security environment. Automation eliminates duplication of work, cuts back on manual research, and reduces human error and oversight.
Palo Alto Networks Next Generation Security Platform offers all of these benefits in its UI. Learn more about how we provide actionable intelligence within our UI by downloading the Actionable Threat Intelligence whitepaper.
The Sofacy group, also known as APT28 and Sednit, is a fairly well known cyber espionage group believed to have ties to Russia. Their targets have spanned all across the world, with a focus on government, defense organizations and various Eastern European governments. There have been numerous reports on their activities, to the extent that a Wikipedia entry has even been created for them.
From these reports, we know that the group uses an abundance of tools and tactics: zero-day exploits targeting common applications such as Java or Microsoft Office, heavy use of spear-phishing attacks, compromising legitimate websites to stage watering-hole attacks, and targeting a variety of operating systems – Windows, OS X, Linux, even mobile iOS.
The Linux malware Fysbis is a preferred tool of Sofacy, and though it is not particularly sophisticated, Linux security in general is still a maturing area, especially with regard to malware. In short, it is entirely plausible that this tool has contributed to the success of associated attacks by this group. This blog post focuses specifically on this Linux tool preferred by Sofacy and describes considerations and implications when it comes to Linux malware.
Malware Assessment
Fysbis is a modular Linux trojan / backdoor that implements plug-in and controller modules as distinct classes. For reference, some vendors categorize this malware under the Sednit attacker group naming designation. This malware includes both 32-bit and 64-bit versions of Executable and Linkable Format (ELF) binaries. Additionally, Fysbis can install itself on a victim system with or without root privileges, which increases the options available to an adversary when selecting an account for installation.
Summary information for the three binaries we analyzed follows:
Table 3: Sample 3 – Late 2015 Sofacy 64-bit Fysbis
Overall, these binaries are assessed as low sophistication, but effective. They epitomize the grudging reality that Advanced Persistent Threat (APT) actors often don’t require advanced means to effect their objectives. Rather, these actors more often than not hold their advanced malware and zero-day exploits in reserve and employ just enough resources to meet their goals. It is only fair that defenders use any shortcuts or tricks at their disposal to shorten the amount of time it takes to assess threats. In other words, defenders should always look for ways to work smarter before they have to work harder.
Getting the Most Out of Strings
Binary strings alone revealed a good amount about these files, increasing the efficacy of activities such as static analysis categorization (e.g., YARA rules). One example of this is the Fysbis installation and platform targeting information for the samples in Table 1 and Table 2.
Figure 1: Sofacy Fysbis installation and platform targeting found in strings
In this case, we can see the binary installation path and the local reconnaissance used to determine which flavor of Linux the malware is running on. This is followed by a number of shell commands related to the malware establishing persistence.
Another example of easily obtained information from these samples is capability related.
Figure 2: Sofacy Fysbis capability related leakage through strings
Figure 2 shows interactive status / feedback strings that can give a defender an initial profile of capabilities. In addition to contributing to static analysis detections, this can be useful as a starting point for further incident response prioritization and qualification of the threat.
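The string-based triage described above (installation paths, OS reconnaissance, persistence commands, and capability / status strings) can be automated so that the categories fall out of a raw string dump. The following is an added example written for this post, not code from Unit 42 or from the malware: it pulls printable runs out of a constructed byte blob that stands in for a binary's string table and buckets them with simple patterns. Every path, service name and string in the sample blob is invented; the category patterns are one reasonable starting set, not an exhaustive signature.

```python
import re
from collections import OrderedDict

# Constructed stand-in for a binary's string table: NUL-separated text mixed
# with non-printable bytes. None of these are real Fysbis strings; the paths
# and service names are invented for illustration.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"/usr/lib/example-daemon/\x00"
    + b"\x90\x90\x90\x01\x02"
    + b"/home/%s/.local/example-daemon\x00"
    + b"lsb_release -a\x00"
    + b"cat /etc/os-release\x00"
    + b"\xff\xfe\x00\x03"
    + b"systemctl enable example.service\x00"
    + b"crontab -l\x00"
    + b"RemoteShell started\x00"
    + b"upload failed\x00"
    + b"ab\x00"                 # shorter than MIN_LEN, ignored like `strings` would
    + b"zzzz_unclassified\x00"
)

MIN_LEN = 4

# Ordered: a string lands in the first category whose pattern matches.
CATEGORIES = OrderedDict([
    ("install_path", re.compile(r"^/(usr|home|opt|etc|var|tmp)/")),
    ("os_recon",     re.compile(r"lsb_release|os-release|uname|/proc/version")),
    ("persistence",  re.compile(r"systemctl|crontab|\.bashrc|init\.d|update-rc\.d|\.desktop")),
    ("capability",   re.compile(r"remoteshell|upload|download|started|failed|success", re.I)),
])


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> list:
    """Return printable-ASCII runs of at least min_len bytes, in file order."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def classify(strings) -> dict:
    """Bucket each string into the first matching category, else 'unclassified'."""
    buckets = {name: [] for name in CATEGORIES}
    buckets["unclassified"] = []
    for s in strings:
        for name, pat in CATEGORIES.items():
            if pat.search(s):
                buckets[name].append(s)
                break
        else:
            buckets["unclassified"].append(s)
    return buckets


def triage(blob: bytes) -> dict:
    """Strings dump plus categorization in one call."""
    return classify(extract_strings(blob))


if __name__ == "__main__":
    for name, items in triage(SAMPLE_BLOB).items():
        print(f"[{name}]")
        for s in items:
            print("   ", s)
```

The "unclassified" bucket is the one worth reading by hand; everything the patterns already recognize is a candidate for a detection signature, while the leftovers are where a new capability or a changed installation path will show up first.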
Symbolic Information Can Shorten Analysis Time
Interestingly, the most recent ELF 64-bit binary we analyzed (Table 3) was not stripped prior to delivery, which offered additional context in the form of symbolic information. Defenders more familiar with Windows Portable Executable (PE) binaries can equate this with compilation of a Debug version versus a Release version. For comparison, if we were to inspect Fysbis “RemoteShell” associated strings in one of the stripped variants, we would only see the following:
Little static analysis gifts like these can help to speed defender enumeration of capabilities and – more importantly – further contribute to correlation and detection across related samples.
Additionally, this latest sample demonstrated minor evolution of the threat, most notably in terms of obfuscation. Specifically, both samples in Table 1 and Table 2 leaked installation information in the clear within binary strings. This was not the case with the sample in Table 3. Taking a closer look at this non-stripped binary using a disassembler, the following corresponds to decoding malware installation information for a root-privilege account.
Figure 5: Assembly code view of Sample 3 installation decoding
In this case, the symbolic information hints at the method used for decoding, with references to mask, path, name, and info byte arrays.
Figure 6: Assembly view of Sample 3 root installation related byte arrays
As it turns out, the referenced byte mask is applied to the other byte arrays using a rolling double-XOR algorithm to construct malware installation paths, filenames, and descriptions for a Linux root account. Corresponding INSTALLUSER byte arrays exist, which facilitate the non-root installation for the trojan. The same masking method is also used by the binary to decode malware configuration C2 information, further showcasing how a little symbolic information can go a long way towards completeness and higher confidence in assessment of a malware sample.
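To make the decoding step concrete, here is an added example written for this post; it is not Fysbis's own routine and is not taken from the samples. The report only says that a byte mask is applied to the path, name and info arrays with a "rolling double-XOR", so the scheme implemented below is an assumption: each ciphertext byte is XORed once against a repeating mask byte and once against the previously decoded plaintext byte. The mask, the hand-computed test vector and all of the "INSTALLROOT" strings are constructed for the example.

```python
# Added illustration, not Fysbis's own code. ASSUMED scheme for the
# "rolling double-XOR" the report mentions:
#   plain[i] = enc[i] XOR mask[i mod len(mask)] XOR plain[i-1]   (plain[-1] = 0)
# The mask and all strings below are constructed.

MASK = bytes([0x5a, 0xa5, 0x3c, 0xc3])


def decode(mask: bytes, data: bytes) -> bytes:
    """Undo the assumed rolling double-XOR: mask byte, then previous plaintext byte."""
    out = bytearray()
    prev = 0
    for i, c in enumerate(data):
        p = c ^ mask[i % len(mask)] ^ prev
        out.append(p)
        prev = p
    return bytes(out)


def encode(mask: bytes, data: bytes) -> bytes:
    """Inverse of decode(); used only to build constructed test arrays."""
    out = bytearray()
    prev = 0
    for i, p in enumerate(data):
        out.append(p ^ mask[i % len(mask)] ^ prev)
        prev = p
    return bytes(out)


# Hand-computed vector for the assumed scheme: mask 5a a5 over b"/tmp".
KNOWN_MASK = bytes([0x5a, 0xa5])
KNOWN_ENC = bytes.fromhex("75fe43b8")   # decodes to b"/tmp"

# Constructed "INSTALLROOT"-style arrays; the plaintexts are invented.
INSTALLROOT_PLAIN = {
    "path": b"/opt/example-daemon/",
    "name": b"example-daemon",
    "info": b"Example daemon (constructed description)",
}
INSTALLROOT_ENC = {k: encode(MASK, v) for k, v in INSTALLROOT_PLAIN.items()}


def decode_install_info(mask: bytes, arrays: dict) -> dict:
    """Decode a set of masked byte arrays into printable strings.

    Non-ASCII output is a strong hint that the mask or scheme is wrong, so it
    is surfaced as hex rather than silently replaced."""
    result = {}
    for key, enc in arrays.items():
        plain = decode(mask, enc)
        try:
            result[key] = plain.decode("ascii")
        except UnicodeDecodeError:
            result[key] = "<non-ASCII: %s>" % plain.hex()
    return result


if __name__ == "__main__":
    print(decode(KNOWN_MASK, KNOWN_ENC))
    for k, v in decode_install_info(MASK, INSTALLROOT_ENC).items():
        print(f"{k}: {v}")
    # A wrong mask yields garbage, which the caller sees immediately.
    print(decode_install_info(b"\x00", INSTALLROOT_ENC)["name"])
```

Because the second XOR chains on the previous plaintext byte, a single wrong mask byte corrupts every byte after it, which is why the decoder reports non-ASCII output explicitly instead of guessing. The same helper can be pointed at the C2 configuration arrays once the mask has been confirmed against a known-good string such as the root installation path.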
If you would like to learn more about how Fysbis works, the samples analyzed remain fairly consistent with the sample analysis found here.
Infrastructure Analysis
As Unit 42 has discussed in depth in other blog articles, we have observed that adversaries in general seem hesitant to change their infrastructure. This may be due to not wanting to commit additional resources, or simply a matter of retaining familiarity for the sake of timeliness. In either case, we see the same type of behavior here with the Fysbis samples in use by Sofacy.
The oldest sample (Table 1) was found to beacon to the domain azureon-line[.]com, which had already been widely publicized as a known command and control domain for the Sofacy group. Using passive DNS, we can see that two of the original IPs this domain resolved to, 193.169.244[.]190 and 111.90.148[.]148, also mapped to a number of other domains that had been in use by the Sofacy group during that time period.
Figure 7: Sample 1 C2 resolutions
The first of the newer samples (Table 2) continues the trend and beacons to an IP also widely associated with the Sofacy group, 198.105.125[.]74. This IP has mostly been associated with the tool known as CHOPSTICK, which can be read about here.
Figure 8: Sample 2 C2 resolutions
The newest sample (Table 3) introduces a previously unknown command and control beacon to mozilla-plugins[.]com. This activity aligns with the previously observed Sofacy group tactic of integrating legitimate company references into their infrastructure naming convention. Neither this new domain nor the IP it resolves to has been observed in the past, indicating that the sample in Table 3 may be associated with a newer campaign. Comparing this sample’s binary with the other two, however, shows significant similarities at the code level as well as in terms of shared behavior.
Figure 9: Sample 3 C2 resolutions
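The passive DNS pivot used for the three samples (domain to historical IPs, IPs to the other domains they hosted in the same time window) is simple enough to script. The following is an added example for this post, not a Unit 42 tool and not real passive DNS output: the indicators azureon-line[.]com, 193.169.244[.]190, 111.90.148[.]148, 198.105.125[.]74 and mozilla-plugins[.]com are the ones named in the report, but the resolution dates, every ".example" domain and the 203.0.113[.]10 address are placeholders constructed for the example. It also adds the time-window check that separates genuine co-hosting from an IP that was simply reused years later.

```python
from datetime import date

# Constructed passive-DNS records: (domain, ip, first_seen, last_seen).
# Domains/IPs named in the report are real indicators; every ".example"
# name, the 203.0.113[.]10 address and all dates are invented placeholders.
PDNS_RECORDS = [
    ("azureon-line[.]com",    "193.169.244[.]190", date(2014, 3, 1),  date(2014, 9, 1)),
    ("azureon-line[.]com",    "111.90.148[.]148",  date(2014, 9, 2),  date(2015, 1, 15)),
    ("cohosted-a[.]example",  "193.169.244[.]190", date(2014, 4, 1),  date(2014, 8, 1)),
    ("cohosted-b[.]example",  "111.90.148[.]148",  date(2014, 10, 1), date(2015, 2, 1)),
    ("cohosted-c[.]example",  "198.105.125[.]74",  date(2015, 2, 1),  date(2015, 6, 1)),
    ("mozilla-plugins[.]com", "203.0.113[.]10",    date(2015, 11, 1), date(2015, 12, 1)),
    # Same IP reused by an unrelated domain long after the campaign window.
    ("parked-later[.]example", "193.169.244[.]190", date(2016, 6, 1), date(2016, 7, 1)),
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a resolvable form for lookups."""
    return indicator.replace("[.]", ".")


def defang(indicator: str) -> str:
    """Defang an indicator so it cannot be clicked or resolved by accident."""
    return indicator.replace(".", "[.]")


def overlaps(a_first, a_last, b_first, b_last) -> bool:
    """True if two [first_seen, last_seen] windows share at least one day."""
    return a_first <= b_last and b_first <= a_last


def ips_for_domain(domain: str, records=PDNS_RECORDS) -> list:
    return sorted({ip for d, ip, *_ in records if d == domain})


def domains_for_ip(ip: str, records=PDNS_RECORDS) -> list:
    return sorted({d for d, rip, *_ in records if rip == ip})


def pivot(seed_domain: str, records=PDNS_RECORDS) -> set:
    """Domains that shared an IP with seed_domain *while* seed_domain resolved to it.

    The time-window check keeps a later, unrelated tenant of the same IP out
    of the cluster."""
    related = set()
    for d, ip, fs, ls in records:
        if d != seed_domain:
            continue
        for d2, ip2, fs2, ls2 in records:
            if d2 != seed_domain and ip2 == ip and overlaps(fs, ls, fs2, ls2):
                related.add(d2)
    return related


def assess_samples(sample_c2: dict, records=PDNS_RECORDS) -> dict:
    """Label each sample's C2 domain 'shared' (pivots to other domains) or 'new'."""
    return {name: ("shared" if pivot(c2, records) else "new")
            for name, c2 in sample_c2.items()}


if __name__ == "__main__":
    for seed in ("azureon-line[.]com", "mozilla-plugins[.]com"):
        print(seed, "->", ips_for_domain(seed), "co-hosted:", pivot(seed))
    print("198.105.125[.]74 hosted:", domains_for_ip("198.105.125[.]74"))
    print(assess_samples({"sample1": "azureon-line[.]com",
                          "sample3": "mozilla-plugins[.]com"}))
```

Sample 2 beacons to an IP rather than a domain, so its pivot starts from domains_for_ip() instead. In the constructed data the newest domain pivots to nothing, which matches the report's reading of it as possibly a newer campaign; on real passive DNS the same empty result is also what a brand-new, never-seen domain looks like, so it is a prompt to keep watching rather than a conclusion.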
Conclusion
Linux is used across business and home environments and appears in a variety of form factors. It is a preferred platform within data centers and the cloud for businesses, as well as an ongoing favorite when it comes to a majority of Internet-facing web and application servers. Linux is also at the foundation of Android devices and a number of other embedded systems. The value proposition of Linux – especially when it comes to its use in the enterprise – can be broken out into three perceived benefits: lower total cost of ownership (TCO), security, and feature set. While numbers and comparison alone can contribute to measurement of TCO and feature set, security requires further qualification. Expertise in the Linux platform is highly sought after across all industries for multiple disciplines, from system administration to big data analytics to incident response.
The majority of businesses still maintain Windows-heavy user environments where certain core infrastructure components also operate under Windows servers (e.g., Active Directory, SharePoint, etc.). This means, from a practical perspective, most of a business’s focus remains on supporting and protecting Windows assets. Linux remains a mystery to a number of enterprise IT specialists – most critically for network defenders. Identifying and qualifying potential incidents requires a familiarity with what constitutes normal operation in order to isolate anomalies. The same is true for any other asset in an environment; normal operation is entirely dependent on a given asset’s role / function in the enterprise.
Lack of expertise and visibility into non-Windows platforms combine in some environments to present significant risks against an organization’s security posture. As a recent caution, the Linux vulnerability described under CVE-2016-0728 further demonstrates the potential breadth of real-world risks to associated platforms. A natural extension of this exposure is increased targeting by both dedicated and opportunistic attackers across various malicious actor motivations. Despite the lingering belief (and false sense of security) that Linux inherently yields higher degrees of protection from malicious actors, Linux malware and vulnerabilities do exist and are in use by advanced adversaries. To mitigate associated risks requires tailored integration of the people, processes, and technology in support of prevention, monitoring, and detection within an environment.
Linux malware detection and prevention is not prevalent at this time, but Palo Alto Networks customers are protected through our next-generation security platform:
IPS signature 14917 deployed to identify and prevent command and control activity
The C2 domains and files mentioned in this report are blocked in our Threat Prevention product.
We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.
The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!
Two tectonic shifts that helped create the data-rich Dragnet Nation where we live today both date back to 2001, argues Julia Angwin in her powerful treatise on privacy.
The U.S. government began its mass data collection efforts in earnest after the terrorist attacks of September 11, 2001, when traditional surveillance methods failed. Meanwhile, technology companies, reeling from the dotcom crash, turned to data as their hope for more sustainable revenue and profits.
In Dragnet Nation, the author, an award-winning investigative journalist, tackles both government and corporate mass surveillance, stressing that they are “deeply intertwined”. “Government data are the lifeblood of commercial data brokers. And government dragnets rely on obtaining information from the private sector,” she writes.
Review
Fifteen years on, we now live in a world where billions of dollars are made off the back of data collected from sites and apps where we read, chat and shop online, and hundreds of thousands of jobs depend on it. What would once have horrified – a newspaper filled with gay interest ads delivered only to a homosexual reader – is now expected on sites such as Google and Facebook.
Angwin excels at putting this new race for data dominance in historical context. She shows how even the most benign data collection tools, such as the census, were used for ill during both world wars, tracing draft violators and tracking down Japanese Americans.
She travels to Berlin to examine the records of the world’s most pervasive secret police, who had 1 in 4 East Germans working as informants for them. While there, she shows an administrator in the Stasi archives how easy it is to build a picture of an individual’s social connections using sites such as LinkedIn – far easier than it was for the Stasi.
The bulk of the book is a tale of Angwin’s journey to reduce her online footprints, to escape the dragnet by minimising tracking of her location, her contacts, and her shopping habits. She meets characters and companies trying to create technologies that could help her and others evade the data trawl of corporations and the government.
For a reader with little knowledge of the privacy tools she describes, the book could almost function as a how-to guide. In particular, the chapter where she finally manages to pique her children’s interest in privacy would be engaging for many parents struggling to make keeping safe online as fun as sharing everything with friends on social networks.
But this is a guide accompanied with heavy doses of disappointment as Angwin finds even experts struggle to create effective technologies and make them usable.
This is a New York Times bestseller aimed at making privacy accessible, not providing in-depth knowledge for cybersecurity professionals. Angwin’s descriptions of her debates about using PGP and other encryption types may not be particularly relevant within the industry.
However, for those wishing to better understand the behaviour of people who profess to care deeply about privacy but struggle to act, Angwin is bracingly honest. She explains how frustration led her to bad passwords, her struggle to balance disconnecting with having to be available for work and childcare emergencies, and how she felt she lost more than she gained when she took herself off major social networks, even having to cancel a birthday party when few bothered to decrypt her invite.
Dragnet Nation is also worth reading for its conclusion. After a year investigating how to keep away from ever-watching eyes as an individual, Angwin concludes that collective action is necessary to rewrite the rules of the digital data game.
She believes that mass efforts to evade surveillance could spark a conversation and a campaign akin to the protests that helped lead to a reduction in pollution in the U.S. Comparing better rights to privacy to improved air and water quality, she tries to give hope that using the Internet will not always have to mean giving up the right to a private life.
Angwin points to the idea of “sousveillance”, or surveilling the surveillors, as one nascent movement that has changed the balance of power in some situations, for example, with more police violence caught on video by cell phones.
Conclusion
Dragnet Nation is a fair and even-handed look at the problems of living in a state and a market where data has become the primary currency. Angwin does not even completely dismiss the idea that mass surveillance can sometimes be necessary; instead she encourages readers to question each “dragnet” they encounter, asking questions such as, “Can it withstand public scrutiny?” and “Are the operators held accountable for the way it is used?”
I would recommend Dragnet Nation for the Canon as an early stop on the journey for any cybersecurity professional to understand the challenges posed by mass data collection.
2015 was marked by far too many digital security breaches, a trend that every company hopes to see reversed in the coming year. Unfortunately, as industry expert Leo Scanlon notes, it is unlikely that we’ll be able to stop them all. In this digital era, security breaches are part of the new normal.
So, what should you do when facing a security breach? The most important thing that you can do is stay calm. If you keep your wits about you, you will be better able to approach the problem and implement a solution to protect your clients and your company. Here is how to move forward in the face of a digital security breach.
Plan Ahead
While you may not be able to plan for the exact details of a security breach – if you could, then you could prevent it from happening – what you can do is prepare a preliminary plan of action for any future breach. Write out a general timeline for what actions need to take place and in what order. This way, when something does happen, you do not lose any time giving direction. All you need to do is to fill in the specifics of the event.
Communicate Clearly and Calmly
When a breach does occur, it is important to prioritize communication with your team and with your clients. Start with your team. Describe the event, review the plan of action, and make sure that everyone is clear on his or her role.
It can be worth it to sit everyone down to discuss the breach rather than send emails about the issue. This allows people to ask questions in real time rather than sending lots of follow-up messages. You might even consider serving everyone a cup of tea. Green tea reduces stress and can calm down anxious team members in a visceral way, moving them from high anxiety to centered focus.
After you have alerted your team, everyone can split off to appropriate tasks ranging from developing a patch to prevent system attacks to calling high profile clients. You will also need to contact a range of other people, including a lawyer and police.
Additionally, make sure your public relations department is ready to issue a statement and field phone calls. Give them a quick FAQ sheet and a directory of who to call about which issues. By preparing public relations as well as you can, you avoid clogging up other employees’ lines with client issues.
Talk and Train
While a security breach tests training effectiveness on the ground, this is also a good opportunity to schedule follow-up training. Then, while working to resolve this breach, note the areas in which employees struggle. These should be central to your next training session.
You should also contact some of your industry peers to find out what they do to prevent security breaches. This does not mean that you need to mimic their strategies, but if you know that someone is using a different approach, you should document clearly why you are doing something else. That way, if you do suffer a breach, you have demonstrated a well-thought-out strategy rather than an arbitrarily chosen system.
Big Fixes, Small Details
Ultimately, when you suffer a data breach, it is important to focus your attention on two issues: the big problems that need to be remedied immediately and the small problems that contributed to the breach but were overlooked during earlier development phases. Start big, and then shift to the small to protect yourself now and down the road.
For the sake of companies and clients alike, hopefully 2016 holds fewer security breaches. But, to make this dream a reality, every company will need to regularly assess its security systems and breach preparation. Failure to plan is planning to fail, so put that plan in place now.
My interest in the Cybersecurity Canon project and appreciation for a common body of knowledge shared amongst professionals can be traced back to my time as an Officer in the Air National Guard.
Each year the Air Force Chief of Staff would issue a “reading list”; in 2010 Cyberdeterrence and Cyberwar by Martin C. Libicki was on the list under Mission, Doctrine and Profession. Back in 2008 Lt. Gen. Robert Elder, Jr., then Commander of Eighth Air Force (8AF/CC), sponsored the study “Defining and Implementing Cyber Command and Cyber Warfare.” This book represents the results of that study. The reading list and, more specifically, this book were meant to inform senior Air Force leaders and decision-makers. The basic message of Cyberdeterrence and Cyberwar is: Cyberspace is its own medium with its own rules; thus, deterrence and warfighting tenets established in other media do not necessarily translate reliably into cyberspace.
Review
On June 23, 2009, the Secretary of Defense directed the Commander of U.S. Strategic Command to establish a sub-unified command. The United States Cyber Command (USCYBERCOM), as we know it today, is located at Fort Meade, Maryland. The establishment of U.S. Cyber Command marked the ascent of cyberspace as a military domain. This book focuses on policy dimensions of cyberspace and cyberwar: what it means, what it entails, and what threats can defend or deter it.
Libicki’s background is non-cyber national security history and policy, and that knowledge and background will benefit readers unfamiliar with Cold War era concepts as they relate to cyber.
Cyberdeterrence and Cyberwar is divided into nine chapters. Chapter One covers the introduction and purpose of the book, which clearly is to focus on military policy as it relates to cyberwar. Chapter Two introduces readers to a conceptual framework for cyberdeterrence and cyberwar. It explains external and internal threats and defines cyberattack and cyberdeterrence. Cyberattack is the deliberate disruption or corruption by one state of a system of interest to another, and cyberdeterrence is the capability in cyberspace to do unto others as they would do unto us. Chapter Three asks, “why is cyberdeterrence different?” and focuses on analogies to game theory and nuclear deterrence. Foundationally, knowing “who did it” is critical; today we think of it in terms of attribution. All decisions, policy or operational, are based on attribution. Chapter Four considers cyberattack and the purpose of the attack. Potential purposes range from “oops” to rogue operators and the implications of each. Chapter Five offers a primer for a strategy of response. This chapter has relevance today as the idea of “hacking back” or “active defense” has become a popular concept in the strategy of response. Chapters Six and Seven outline “strategic” and “operational” cyberwar and offer conclusions on both. Chapter Eight is dedicated to cyberdefense and concludes that deterrence in cyber terms may be too problematic to offer much surcease from cyberattacks. It outlines the goal of cyberdefense to include architecture, strategy and policy. Chapter Nine is simply titled “Tricky Terrain” and offers the defend, disarm or deter triangle as an illustration of approaching a threat that cannot be denied. We know now that cyberattacks are a threat that cannot be denied.
Conclusion
Much has changed since this monograph was published back in 2009; and, while some cybersecurity experts may not agree with Libicki’s conclusions, we can’t argue the significance this work has as a historical text in the cybersecurity professional’s education. I would recommend Cyberdeterrence and Cyberwar for the Cybersecurity Canon. Reading this book in 2016 allows the reader to both compare and contrast Libicki’s conclusions against the backdrop of cyber events that have occurred over the last decade.