Saturday, May 10, 2014

Zero day methodology

Why do we need to wait until something happens to us, or until someone else reports a problem, in order to react?  It is a bad methodology to teach to the next generation of cybersecurity professionals.  Critical thinking is essential in battling the unknown.  There are really no unknown methods of compromising systems, only a lack of interest in finding out how legitimate features can be used against us.

For example, we need to deploy the old Art of War methodology of knowing ourselves and knowing our enemy.  Our enemy is the YouTube generation that gets its education from watching someone else and learns only what that presenter wants it to learn.  In the evolution of a cybersecurity professional, there are three phases:

1. Awareness: What    --  This is the phase that everyone knows from the news; some are intrigued enough to start learning about it.

2. Training: How   --  This is the phase in which the YouTube generation starts getting an idea of how to do things, but does not understand enough to be valuable, only dangerous.

3. Education: Why  --  This is the phase in which an interested and trained person can become very valuable, if educated enough and having asked enough "why" questions along the way.

Let me give you an example:

What is a trained incident responder or forensic investigator taught to do in case of an incident?  Preserve evidence by collecting volatile data.  The better trained might also remember what OOV ( Order Of Volatility ) stands for, and not just run a script that was handed to them five minutes before.  That collection usually begins with opening a terminal or CMD.EXE.  Some might even have learned the concept of BYOC ( Bring Your Own Code ): nothing on the compromised system should be trusted, so the responder runs known-good tools from their own media.  We might also know that Windows protects CMD.EXE (Windows File Protection, later Windows Resource Protection), so it is harder these days to replace it with a malicious version.  But only those educated in this field would dig further into what can be done with CMD.EXE without touching the binary at all.  Can a malicious user make something happen while the incident responders are trying to collect and preserve evidence?  Have you ever looked at the help of CMD.EXE?

Short example from the CMD.EXE help:
If /D was NOT specified on the command line, then when CMD.EXE starts, it looks for the following REG_SZ/REG_EXPAND_SZ registry variables, and if either or both are present, they are executed first.

    HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun
        and/or
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun

Some thirteen-year-old might read this one night and ask how to use this value and what is possible with it.  Go ahead and create this value and assign notepad.exe to it: Notepad.exe will run every time you launch CMD.EXE, including every time another program starts CMD.EXE behind the scenes with cmd /c.  The value is an ordinary command line, so it can just as well point at a batch file.  That means that someone can write a short script that deletes or modifies any data area that might contain valuable artifacts for an investigation, and have CMD.EXE run it for them.


So, what if someone created a simple script file with the following entries and modified the registry so that it launches whenever CMD.EXE is executed?

@echo off
REM Payload batch file as described above; the AutoRun value points at it, so
REM CMD.EXE runs it on every start.  /f suppresses the confirmation prompt.
REM Run dialog history, UserAssist (program execution), recent documents, mounted devices:
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs /f
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
REM Per-user autostart entries (possibly including the attacker's own):
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /f
REM SkyDrive (now OneDrive) settings, Explorer address-bar history and IE typed URLs:
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\SkyDrive /f
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths /f
reg delete "HKCU\Software\Microsoft\Internet Explorer\TypedURLs" /f

This is not malware that the protection mechanisms in place would flag; it is a setting that a network administrator might legitimately set as part of policy (although Sysinternals Autoruns does list the Command Processor AutoRun values, so a responder who checks autostart locations first will see it).  The payload could be a simple AutoIt script received by email or on a thumb drive.  The main point is that the very act of opening CMD.EXE, the first responder's own action, would eliminate artifacts, and the analyst might later interpret the loss as intentional data destruction by the suspect.  Two things follow for the responder.  First, the AutoRun value is read by CMD.EXE itself, so bringing a known-good copy of cmd.exe on your own media does not help; only the /D switch (cmd.exe /D) tells it to skip the value, and both registry keys should be queried and documented before any command prompt is opened on the box.  Second, what reg delete removes is not necessarily gone: the deleted cells stay in the hive file's unallocated space until they are reused, so an analyst who knows this can often recover the keys from an image of NTUSER.DAT and recognise the pattern for what it is.  Identifying false positives and eliminating false negatives can only be done by a well-educated professional, not by a "bootcamp junkie" or a paper certificate holder.
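The pre-flight check a responder would want before touching a command prompt on the box, written here as an added example (this is not code from the original post).  It reads the Command Processor AutoRun value from HKLM and from every user hive loaded under HKEY_USERS, so the logged-on suspect's hive is covered even when the responder's own HKCU is clean.  It is meant to be run from PowerShell, which does not honour this value, with -NoProfile so that PowerShell's own equivalent (profile scripts) is skipped as well; the file name Check-CmdAutoRun.ps1 is an assumption.

```powershell
# Added example, not part of the original post: check the Command Processor
# AutoRun values before anyone opens CMD.EXE on a suspect machine.
# Run it from known-good media, from a shell that does not honour that value
# and with PowerShell's own profile scripts disabled:
#   powershell.exe -NoProfile -ExecutionPolicy Bypass -File Check-CmdAutoRun.ps1
# (The file name is an assumption; any name works.)

function Get-CmdAutoRun {
    # Machine-wide key plus every user hive currently loaded under HKEY_USERS.
    $keys = @('HKLM:\Software\Microsoft\Command Processor')
    foreach ($hive in Get-ChildItem Registry::HKEY_USERS) {
        if ($hive.PSChildName -like '*_Classes') { continue }   # per-user COM/class hives, not relevant
        $keys += "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Command Processor"
    }

    foreach ($key in $keys) {
        $value = $null
        try {
            # -ErrorAction Stop makes a missing key or missing value throw,
            # which is treated as "nothing registered here".
            $value = (Get-ItemProperty -Path $key -Name AutoRun -ErrorAction Stop).AutoRun
        } catch { }
        [pscustomobject]@{
            Key     = $key
            AutoRun = $value
            Present = -not [string]::IsNullOrEmpty($value)
        }
    }
}

$findings = Get-CmdAutoRun
$findings | Format-Table -AutoSize -Wrap

if ($findings.Present -contains $true) {
    Write-Warning 'A Command Processor AutoRun value is set. Record the value and its key before doing anything else.'
    Write-Warning 'If you must use a command prompt on this host, start it as:  cmd.exe /D'
} else {
    Write-Host 'No Command Processor AutoRun value found in HKLM or any loaded user hive.'
}
```

A populated value is a finding to document, not proof of anything by itself: it may be legitimate administrator configuration, so compare it with the site's policy and check the key's timestamp in the hive (Registry Explorer or RegRipper show LastWrite times) before drawing conclusions.  The same two queries can be run with reg.exe query from a prompt started with cmd.exe /D; what matters is that the check happens before the first unguarded CMD.EXE starts.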

Those in the cybersecurity field are forced to learn every day, not just by reading published documents but by thinking like their adversary.  The best education one can receive is the development of a methodology that enables a person to monitor, evaluate, and analyze systems without help from an outside source.  This can be achieved by knowing the basics: reading and thinking.

I was once ( CEIC 2008 ) lucky enough to listen to astronaut James A. Lovell talking about his ordeal aboard Apollo 13.  He was in a sophisticated machine that was nothing without electricity, and his education in the basics, like constellations and star positions, allowed him to steer the not-so-smart machinery back toward Earth.  That was not luck, training, or awareness; that was his education in action!  That was his, and might be the world's, first zero-day incident response.

