overall thinking and basic process of emergency response

In 2018, information security incidents occurred frequently, and the demand for information security skills and talents increased greatly. Now, no matter ordinary enterprises or professional security manufacturers, they inevitably need to master and use the knowledge and skills of information security, so that they can resist the enemy for thousands of miles when they need to. The so-called "military training for a thousand days, military employment for a while", with a perfect team or complete process, can ensure that the enterprise can deal with major security incidents in an orderly manner, and reduce the scope of damage in time.

We are deeply convinced that EDR security team has participated in the emergency response of various major epidemic viruses and security events throughout the year. Here, we share the whole year's thinking and the formed process of the team, hoping to give some enlightenment to the people who are going to be engaged in the future or engaged in emergency response and security research for a long time.

We describe from eight aspects: the overall idea of emergency response, the basic process of emergency response, the introduction of emergency tool set, system log and log analysis, the role of threat intelligence, common viruses and classification, understanding vulnerabilities and patches, and suggestions for skill improvement.

1、 The whole idea of emergency response

The overall idea of emergency response is that the upper level has guiding principles and ideas, and the lower level has skills, knowledge points and tools to jointly promote and guarantee the whole life cycle of emergency response process.

Principles and guiding ideas

3w1h principle: 3W is who, what, what, and 1H is how. In emergency response, we should work with questions, and we must collect these information. What is the network topology like? What are the needs? What is going on? What can you do? What products do users use? What is the product version? What is the virus library version? How many hosts are there? Is the host a normal PC or a server? What does the server do The more information is collected, the more favorable it is for emergency response.

The principle of vulnerability: information collection and evidence collection are necessary for emergency response, but there is a certain sequence here, that is, the most easily lost data should be collected first, and others in turn.

Element principle: emergency response mainly focuses on key evidence, i.e. elements, including samples, traffic, logs, processes and modules, memory and startup items.

Principle of avoiding harm: in order to make emergency response, it is necessary to seek benefits and avoid harm. Instead of solving the problem, new problems are introduced. For example, the tools used by oneself are infected without knowing; the improper tools or software used by users cause problems in the client host; sending samples to others without encryption or compression leads to others' poisoning by delay. The most extreme scenario is sending extortion samples to others without compression, leading to others' poisoning by delay.

Skills, knowledge points and tools

Emergency tool set: a set of tools necessary for emergency response, which can assist emergency personnel to make analysis and improve efficiency.

Log analysis: it can analyze logs, including but not limited to system logs (Windows / Linux, etc.), application logs, security device logs (firewall, antivirus, situational awareness, etc.).

Threat Intelligence: security events may not be isolated, and security sites or search sites can find information related to security events.

Vulnerability patch knowledge: know the relationship between vulnerabilities and patches, their roles in emergency response, and understand common vulnerabilities and patches.

Common viruses and classification: know the general classification of viruses and common viruses.

Sample analysis: at least one simple and dynamic analysis can be performed on the sample.

Operating system knowledge: at least have certain knowledge reserve for Windows system and Linux system, and know its basic working principle.

2、 Basic process of emergency response

Emergency response can be roughly divided into five parts, and its basic process includes collecting information, judging types, in-depth analysis, clearing and disposal, and output reports.

Collect information: collect customer information and poisoning host information, including samples.

Judgment type: judge whether it is a safety event, what kind of safety event, blackmail, mining, network disconnection, DOS, etc.

In depth analysis: log analysis, process analysis, startup analysis, sample analysis.

Clean up: directly kill the process, delete the file, patch, or repair the file.

Output report: sort out and output complete security incident report.

Blackmail and mining events can account for more than 50%, and the business characteristics of these two kinds of security events are very distinct, so the process can be put forward separately for disposal.

Information collection form

Customer name

What area and what customers

Number of infected hosts

Infected most hosts

Patch situation

What patches have been applied and whether there are any missed patches

Poisoning phenomenon

Blackmail / mining / DOS / botnet / back door / Trojan

Account password

Confirm whether there is a weak password

External development port

What ports have been developed externally

Services opened

What services are enabled

Operating system version

Operating system version information

customer demand

Confirm the specific needs of customers

Forensics elements: forensics is not without clue. The virus itself must have network behavior and the memory must have its binary code. It is either a separate process module or a DLL / so module of the process. Generally, in order to keep alive, it is likely to have its own startup item and network heartbeat package.

In short, it can be summed up as the following four elements: traffic, memory, module, boot item.

Wireshark can be used for traffic analysis, mainly analyzing which domain names, URLs, services are accessed by the current host, which ports, services and directories are accessed by the external IP addresses of the local host, and which protocols are used.

For example, using Wireshark to observe that the host visited the dynamic domain name sjb555.3322.org, we can roughly guess that this is a C & C server (how to judge a domain name is a suspicious domain name, please refer to the following article).

Sometimes, we can filter and analyze the traffic directly according to the network protocol. For example, IRC protocol is rarely used at present, but the phenomenon of using IRC to establish botnet channel is still common. Using Wireshark, enter "IRC" directly in the filter condition, and enter to see if there is any relevant traffic.

As shown in the figure below, we can see that there is related IRC protocol traffic, which is suspicious.

Wireshark performs the follow TCP stream operation and finds that the current botnet host is joining an IRC channel. In addition, you can start from the destination IP, which can be found to be a malicious IRC botnet server.

For network traffic, you can also use the tcpview tool to view the specific connection established. As follows, we use tcpview to find two connections:

chenyu-57068a53.localdomain.2671 -> 170.178.191.191:6667

chenyu-57068a53.localdomain.2674-> amsterdam.nl.eu.undernet.org.6667

When we encounter difficulties in analyzing virus processes, its memory is the last line of defense for us to find problems.

Take a Linux server emergency event as an example, as shown in the figure below, we find the parent-child relationship of three virus processes [ksoftirqd / 7]. We can see that 11275 pulls up 11276 and 11277, but 11275 is pulled up by process 1, that is, init is its parent process.

This means that the actual parent process (the original virus file) is not traceable in the current state.

The process tree can't track the parent process. There are not many places to start. If the virus file corresponding to [ksoftirqd / 7] is disassembled, the time is short (not enough) for an emergency response event. But simply think about it, that is, no matter what kind of confusion and shelling the virus file, the code that runs on the memory finally is the original code, at least the stack has a lot of information.

In the Linux environment, you can use the system's own GDB, type the command GDB attach 11275, attach to the virus process 11275, and in the GDB environment, use dump binary memory file start ﹣ addr end ﹣ addr to dump the 11275 effective memory space.

For example: file is the output file, which can be specified as 11275.dump, start_addr as the start address, end_addr as the end address. For example, dump binary memory / TMP / 11275.dump 0x13838000 0x13839000 (here is just an example, the actual address is obtained in GDB)

For the memory file 11275.dump, use the command strings - N 8 11275.dump to get the string content with a length of 8 and above. We find the following line:

/etc/security/ntps.conf

This is found in the virus running memory, either the virus configuration file or the original virus file.

We CD / etc / security and use LS - al to view the contents as follows:

As you can see, ntps.conf is not a configuration file, it is executable (you can know it is an elf executable file by using the file command), and the file modification time should be forged.

3、 Introduction to emergency Toolset

If you want to be good at your work, you must first make use of your tools. It's hard for a skillful woman to cook without rice. In fact, it's the same with emergency response. Emergency response and safety researchers must have a complete set of tools available at any time in advance.

Type of emergency tools

Traffic analysis tools: the commonly used traffic analysis tools are Wireshark and tcpview. You can also use branch network analysis tools. You can also use tcpdump, which is familiar with tcpdump under Linux.

Process analysis tool: a tool that can analyze process related information, mainly processhacker, PC hunter, etc.

Startup analysis tool: mainly AutoRuns tool, which is convenient for locating virus startup items.

Special killing tools: some popular virus families usually have inhibitory effect on killing soft, or they are infectious. Special killing tools are needed to kill and repair normal files.

Auxiliary tools: WinHex, file hash tool, everything search tool, Unlocker file unlocking tool, etc.

Memory scanning tool: mainly memscanner.

4、 System log and log analysis

Log type

Windows system log: the audit log, operation log, and fault log of the windows system.

Linux system log: audit log, operation log and fault log of Linux system.

Application log: including but not limited to many complicated logs such as web application.

Windows system log

Log path: C: \ windows \ system32 \ winevt \ logs

Required logs: security.evtx, system.evtx, application.evtx

Linux system log

Log path / var / log

Required logs: secure, history

Most logs are readable and easy to understand. For example, it is easy to see. The following log records the SSH blasting process.

5、 The role of Threat Intelligence

In security incidents, Threat Intelligence sometimes provides us with a lot of useful information, and even directly promotes the rapid response of security incidents.

Elements of threat intelligence, including but not limited to domain name, URL, IP, file hash, file path, file name, digital signature, filing information and ranking information.

Sources of Threat Intelligence

Google: www.google.com

Baidu: www.baidu.com

Virustotal：www.virustotal.com

Micro step online: x.threatbook.cn

Tencent Hubble: habo.qq.com

Virscan：virusscan.jotti.org

Freebuf：www.freebuf.com

Jotti：virusscan.jotti.org

Scandir：www.scandir.com

Alexa Rank: www.alexa.com

Record query: beian.cndns.com

Shenxin security center: sec.sangfor.com.cn

Suntrust threat analysis platform: wiki.sec.sangfor.com.cn

Shenxin EDR security software center: edr.sangfor.com.cn

In Threat Intelligence, domain name plays a very basic and key role, and URL is also based on domain name. Here are several types of domain names, which are commonly used (preferred) by hackers. In the process of obtaining evidence, we need to focus on the information of such domain names.

Random domain name (DGA):

Intranet IP uses specific random algorithm to generate domain name (DGA), and hacker will use this random algorithm to register domain name, so as to avoid being blocked due to long-term communication with a domain name or IP.

For example, a source IP in the intranet resolves the following domain names in a short time (log screenshot)

Looking at these domain names, we can see that the "character characteristics" of these domain names look random. The invention of domain name (DNS) was born for the convenience of human memory. Therefore, we often register some domain names that are easy to remember and easy to read. Obviously, the domain name in the example does not have this feature. DGA's behavior in the opposite direction is obviously not from people visiting websites, but from viruses using some algorithm.

Dynamic domain name:

The dynamic domain name is open to other people, and the IP bound by the sub domain name can be obtained dynamically, most of which are free, so it is often used by hackers, such as abc.3322.org (3322.org is the dynamic domain name provider, and the sub domain name abc.3322.org can be used by others).

Common dynamic domain name providers:

'f3322.net','3322.org','7766.org','8866.org', '9966.org','8800.org','2288.org','6600.org', 'f3322.org', 'ddns.net', 'xicp.net', 'vicp.net','wicp.net','oicp.net','xicp.net','vicp.cc','eicp.net','uicp.cn','51vip.biz','xicp.cn','uicp.net','vicp.hk','5166.info','coyo.eu','imblog.in','imzone.in','imshop.in','imbbs.in','imwork.net','iego.cn','vicp.co', 'iego.net','1366.co','1866.co','3utilities.com','bounceme.net','ddnsking.com','gotdns.ch','hopto.org','myftp.biz','myftp.org','myvnc.com','no-ip.biz','no-ip.info','no-ip.org','noip.me','redirectme.net','servebeer.com','serveblog.net','servecounterstrike.com','serveftp.com','servegame.com','servehalflife.com','servehttp.com','serveminecraft.net', 'servemp3.com','servepics.com','servequake.com','sytes.net','webhop.me','zapto.org','dynamic-dns.net','epac.to','longmusic.com','compress.to','wikaba.com','zzux.com','dumb1.com','1dumb.com','onedumb.com','wha.la','youdontcare.com','yourtrap.com','2waky.com','sexidude.com','mefound.com','organiccrap.com','toythieves.com','justdied.com', 'jungleheart.com','mrbasic.com','mrbonus.com','x24hr.com','dns04.com','dns05.com','zyns.com','my03.com','fartit.com','itemdb.com','instanthq.com','xxuz.com','jkub.com','itsaol.com','faqserv.com','jetos.com','qpoe.com','qhigh.com','vizvaz.com','mrface.com','isasecret.com','mrslove.com','otzo.com','sellclassics.com','americanunfinished.com', 'serveusers.com','serveuser.com','freetcp.com','ddns.info','ns01.info','ns02.info','myftp.info','mydad.info','mymom.info','mypicture.info','myz.info','squirly.info','toh.info','xxxy.info','freewww.info','freeddns.com','myddns.com','dynamicdns.biz','ns01.biz','ns02.biz','xxxy.biz','sexxxy.biz','freewww.biz','www1.biz','dhcp.biz','edns.biz', 'ftp1.biz','mywww.biz','gr8domain.biz','gr8name.biz','ftpserver.biz','wwwhost.biz','moneyhome.biz','port25.biz','esmtp.biz','sixth.biz','ninth.biz','got-game.org','bigmoney.biz','dns2.us','dns1.us','ns02.us','ns01.us','almostmy.com','ocry.com','ourhobby.com','pcanywhere.net','ygto.com','ddns.ms','ddns.us','gettrials.com','4mydomain.com','25u.com', '4dq.com','4pu.com','3-a.net','dsmtp.com','mynumber.org','ns1.name','ns2.name','ns3.name','changeip.name','ddns.name','rebatesrule.net','ezua.com','sendsmtp.com','trickip.net','trickip.org','dnsrd.com','lflinkup.com','lflinkup.net','lflinkup.org','lflink.com','dns-dns.com','proxydns.com','myftp.name','dyndns.pro','changeip.net', 'mysecondarydns.com','changeip.org','dns-stuff.com','dynssl.com','mylftv.com','mynetav.net','mynetav.org','ikwb.com','acmetoy.com','ddns.mobi','dnset.com','authorizeddns.net','authorizeddns.org','authorizeddns.us','cleansite.biz'

F3322.net, 3322.org, 7766.org and so on are dynamic domain name providers.

Sjb555.3322.org is a dynamic domain name, which is marked as malicious on VirusTotal.

Such domain names are often hotbeds of viruses. Both the national Internet Emergency Center and China Anti network virus alliance are the focus of observation. Enterprise users rarely take the initiative to use dynamic domain names.

Recent domain name:

All domain names have a creation time (registration time). Alexa's domain names ranked within one million in the world have been registered for a long time, ranging from several years to more than ten or twenty years. Hacker attacks to avoid blocking the firewall, most likely in the implementation of time, to register a domain name. Registering a domain name with a letter length greater than 7 is not expensive, even as low as 8 yuan / year (some are free). Hackers tend to do this because the old domain name is likely to have been blacklisted (that is, blocked) by security agencies.

Just imagine, why do enterprise users visit a domain just registered for no reason?

For example, the firewall generated logs as follows. It was observed that the log was generated on January 27, 2016 and the site visited was cazwmwez.info.

Next, let's check the registration time of the domain name. Method: through VirusTotal query, in the whois lookup column, as shown in the figure, observe that creation date means the registration time is January 12, 2016, and registry expiry date means the expiration time is one year later. Obviously, this is a newly registered and very short-lived domain name (this domain name comes from a real poisoned customer, at that time, the time to intervene in the forensic investigation was at the beginning of February 2016, i.e. less than one month). The owner of the domain name does not intend to maintain it for a long time. In addition, the owner of the domain name is not the customer's (ask the customer to know).

Dark network proxy domain name:

Dark network, also known as tor network, is the hotbed of black industrial chain because its access and transmission traffic cannot be traced back. To access the dark network, either the virus implements the tor client itself or accesses the tor network through the tor agent. The traffic accessed through the tor agent is unencrypted, and it directly uses the tor agent to access the tor site server.

Therefore, the dark network proxy domain name can be detected.

For example, to visit https://abbujjh5vqtq77wg.onion.link/ because the secondary domain name onion.link belongs to the tor proxy domain name, it is considered that this visit is a tor network access behavior, and the possibility of illegal access is very high.

Top level domain name:

Not all top-level domain names need special attention. It is necessary to start from the customer business to reverse why the client host needs to access the relevant top-level domain names. That is to say, there are a batch of top-level domain names in it. The actual customer business does not need to visit, so the only thing left is hacking. The following table shows such a batch of top-level domain names (including but not limited to the following top-level domain names):

Top-level domain name

Application area or organization

Why focus

.ru

Russia

Russia is rich in hackers

.ws

Eastern Samoa