<?xml version="1.0"?>
<Module projectID="1264" moduleID="1448">
	<ModuleName>mod5</ModuleName>
	<AU>C02_M05</AU>
	<Title>Detecting Worms and Data Exfiltration</Title>
	<Subtitle>Detecting Worms and Data Exfiltration</Subtitle>
	<LinkSet>links</LinkSet>
	<CourseMapSWFPath>../C02_M05/assets/coursemap.swf</CourseMapSWFPath>
	<NavBtns>
        <NavBtn>
			<ID>courseMenuBtn</ID>
			<Label>Course menu</Label>
			<RMAText>Course menu. Select this button to access the course menu.</RMAText>
			<ClickEventName>MainMenuButtonClicked</ClickEventName>
		</NavBtn> 	
		<NavBtn>
			<ID>moduleMapBtn</ID>
			<Label>Lesson Map</Label>
			<RMAText>Lesson Map.  Select this button to access the lesson map.</RMAText>
			<ClickEventName>CourseMapButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>glossaryBtn</ID>
			<Name>Glossary</Name>
			<RMAText>Glossary. Select this button to open the glossary.</RMAText>
			<ClickEventName>GlossaryButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resourcesBtn</ID>
			<Label>Resources</Label>
			<RMAText>Resources. Select this button to open the resources.</RMAText>
			<ClickEventName>ResourcesButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>exitBtn</ID>
			<Label>Exit</Label>
			<RMAText>Exit.  Select this button to exit the course.</RMAText>
			<ClickEventName>ExitButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>replayBtn</ID>
			<Label>Replay</Label>
			<RMAText>Replay. Select this button to replay the current screen.</RMAText>
			<ClickEventName>ReplayButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>pauseBtn</ID>
			<Label>Pause</Label>
			<RMAText>Pause.  Select this button to pause the course.</RMAText>
			<ClickEventName>PauseButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resumeBtn</ID>
			<Label>Resume</Label>
			<RMAText>Resume. Select this button to resume the course.</RMAText>
			<ClickEventName>ResumeButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn prevBtn="true">
			<ID>previousPgBtn</ID>
			<Name>Previous Page</Name>
			<RMAText>Previous. Select this button to go to the previous screen.</RMAText>
			<ClickEventName>PreviousButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn nextBtn="true">
			<ID>nextPgBtn</ID>
			<Name>Next Page</Name>
			<RMAText>Next. Select this button to go to the next screen.</RMAText>
			<ClickEventName>NextButtonClicked</ClickEventName>
		</NavBtn>
	</NavBtns>
	<Topics>
		<Topic>
			<Title>Introduction</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Objectives and Topics</Title>
					<Subtitle/>
					<Filename>disaidscr5_01</Filename>
					<PageNbr>1</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Welcome to the Detecting Worms and Data Exfiltration with NIDS lesson. When you have completed this lesson, you will be able to identify how to detect worm and bot activity on your network. You will also explore the benefits and risks of using NIDS to detect data exfiltration. Finally, you will use this information to write a complex NIDS rule using advanced detection capabilities such as pattern matching. This lesson consists of five topics. After completing the introduction, you will learn about worms and bots and the phases of a typical worm outbreak. Then you will learn about using NIDS to detect data exfiltration and its limitations. Finally, you will write a NIDS custom rule. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Rich Media Text Description, Course: D O D Intrusion Detection System (I D S) Analysis, Part 3, Module 2: DoD Network Intrusion Detection System (NIDS) Custom Rules Module, Lesson 5: Detecting Worms and Data Exfiltration, For each screen you will hear a description. The description is cued by an audio tone. Listen to the description, and then select the play audio narration button to continue. Screen 1 of 16. Lesson title: Detecting Worms and Data Exfiltration. Topic title: Introduction. Screen title: Objectives and Topics. Three learning objectives display in support of audio. Five topics display. The first topic is titled Introduction. The second topic is titled Worms and Bots. The third topic is titled Phases of a Typical Worm Outbreak. The fourth topic is Detecting Data Exfiltration, followed by the final topic Conclusion. </ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Overview of Network Threats</Title>
					<Subtitle/>
					<Filename>disaidscr5_02</Filename>
					<PageNbr>2</PageNbr>
					<ShowText>
						<Txt frameNbr="1">As CND-IS personnel, securing the data on and passing through the network remains a primary responsibility. One prominent way networks are compromised is through worm and bot infections. They move rapidly and can be far reaching once they have replicated. Data exfiltration poses one other way information can be extracted via the network. Whether the user sends sensitive data intentionally or unintentionally, the user exposes that data, making it visible outside the security of your network. Fortunately, accurate, well-written custom NIDS rules identify both worm/bot activity and data exfiltration. Skilled analysis of the NIDS log files help attain solutions to these problems more readily. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 2 of 16. Screen title: Overview of Network Threats. Reprise image of computer network with malicious actor displays. Reprise image of C N D - I S personnel displays. In support of audio, a line representing cyber connection extends from malicious actor, through the firewall to a user computer. The user computer displays infection logo. A line representing a connection extends from user computer to all other computers on the network. The other computers display infection logo. Next a different line representing an e mail reply is extended from a user computer to the malicious actor. This line is labeled data exfiltration; the previous line is labeled worm/bot activity. An alert message displays on the C N D - I S monitor.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Worms and Bots</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Defining Worms and Bots</Title>
					<Subtitle/>
					<Filename>disaidscr5_03</Filename>
					<PageNbr>3</PageNbr>
					<ShowText>
						<Txt frameNbr="1">A worm can be defined as malware that self-propagates across the network. Typically, when a worm infects a system, it will begin scanning for other vulnerable systems. One instance of a worm outbreak is called a segment. Some of the most damaging worm infections on government and military networks include Operation Buck Shot Yankee and Titan Rain. Many times worms represent just the first step. The initial worm installs bots on the compromised system. A bot is malicious code that allows remote control of and full access to the infected system. Malicious actors can use bots to extract sensitive or classified data from the system, launch denial of service attacks on servers, or provide a gateway for other types of network penetrations. Bots are typically designed to join a botnet, which is controlled by a designated bot herder. Botnets can range from thousands to millions of systems. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 3 of 16. Topic title: Worms and Bots. Screen title: Defining Worms and Bots. Text displays, Worms. First of three bulleted texts displays: malware that self-propagates. User computer with infection logo image displays. Image displays of infected computer image scans and locates other user computers which become infected. Second bulleted text displays, some of the most damaging government/military network attacks. The final bulleted text displays, often used to deploy bots. Text displays, bots. First bulleted text displays, malicious code allows remote control. Reprise image of infected user computer displays, and is labeled botnet. Second bulleted text displays, functions include data exfiltration, DoS, other malicious activities. Image evolves with additional infected user computers displaying. Final bulleted text displays, joins a botnet. Computer server image displays and is labeled bot herder.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Stage 1 Worm Outbreak</Title>
					<Subtitle/>
					<Filename>disaidscr5_04</Filename>
					<PageNbr>4</PageNbr>
					<ShowText>
						<Txt frameNbr="1">The goal of writing effective custom rules for your NIDS helps you to identify the vulnerability, not the exploit. To do this accurately, you should understand common exploitation techniques. Let's walk through the initial stage of how worms and bots seize systems and networks. A typical scenario begins with the worm entering your network. This can happen because of any user in many different ways, to include transferring data from USB storage devices, connecting mobile devices such as smartphones or tablets to a computer on your network, or clicking a malicious link from email or chat. Within seconds the worm compromises your first computer and the malicious activity begins. Once the worm installs itself on the first system, it begins scanning for more victims. Worms scan for open ports using various protocols and begin targeting other victims with buffer overflows, password guessing attacks, or other system vulnerabilities. In addition to computers and servers, worms can also infect connected media devices including USB drives, external hard drives, smartphones, and tablets. The worm may not damage the functionality of the device, but instead lie dormant until connected to a new system where the events begin all over again. The first round of system infections, the first segment, will communicate back to a home system outside of the network, typically through a C2 channel. The protocols used vary but include IRC, HTTP, HTTPS, and custom encrypted protocols. The segment will often use standard ports to reduce risk of detection by hiding in plain sight. The C2 channel is used to send commands or updated code to the bots and for the bots to upload stolen data. Each new victim of the worm infection becomes a clone, thus creating a new segment. The new segment begins scanning for more vulnerable systems. It targets the new victim and creates a C2 channel back to the host system. 
As worm outbreaks occur, network traffic volume quickly becomes substantial. The aggressive scanning and replication of some worm infections may cripple the network through a denial of service, or DoS. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 4 of 16. Screen title: Stage 1 Worm Outbreak. Text displays, best to catch the vulnerability, not the exploit. Reprise images of malicious actor and user computer display. In support of audio three images: U S B memory stick, tablet/smartphone, and email display. Image of user computer becomes infected. Additional infected user computers display, with an image of the USB memory stick, tablet/smartphone, or email attached to each. This is labeled First Segment. The images of the infected computers connect back to the malicious actor image. Text displays, C 2 Channels via protocols — I R C, H T T P, H T T P S, and custom encrypted. Image of first segment begins scanning and images of additional infected computers display, labeled additional segments. Additional segments computer images make connections with malicious actor, as the screen fills with dashed lines representing network traffic. Text displays, aggressive scanning increases network traffic to capacity causing denial of service.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Stage 2 Worm Outbreak</Title>
					<Subtitle/>
					<Filename>disaidscr5_05</Filename>
					<PageNbr>5</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Once the worm infects numerous systems, including computers and servers, Stage 2 of the worm outbreak begins. The worm continues scanning systems to install and spread malware. The host system controls numerous systems, and is now known as a bot herder. With an open C2 channel each new segment may receive updated code from the host with additional capabilities. You may find the updated code installs modules which add additional functionality and capabilities. Stage 2 may include the installation of modules seeking password information, giving the malicious actor possible access to other systems. Another common feature is to monitor keystrokes providing insight into classified or business sensitive data, usernames, and passwords. Worms can be programmed to parse local disks searching the system for classified or business critical documents and files. It may be difficult to predict exactly what malware developers are seeking, as each new segment may have updated code providing different instructions and functions to the compromised machine. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 5 of 16. Screen Title: Stage 2 Worm Outbreak. Images of infected computers and infected servers display, labeled bot net. Malicious actor image displays, labeled bot herder. Text displays, Bot Activities. Under text images labeled: H T T P or F T P access, password detection, keystroke monitoring, and data mining display. Text displays, each new update can change code, so it can be difficult to determine the attacker's purpose.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Detecting Worm Outbreak</Title>
					<Subtitle/>
					<Filename>disaidscr5_06</Filename>
					<PageNbr>6</PageNbr>
					<ShowText>
						<Txt frameNbr="1">The capabilities and functionality programmed into malware continues to evolve at an accelerated pace. But a worm/bot infection may have characteristics that can assist you in detecting an outbreak. For example, you may be able to detect stage 2 malware by strings in the executable. Here is a sample PCAP file. Both portable executable and DOS executable files once infected begin with bytes &quot;MZ&quot; and include one of the strings: &quot;This program cannot run in DOS mode,&quot; &quot;This program must be run under Win32,&quot; or &quot;This program must be run under Win64.&quot; Note that all Windows executables will contain these strings. To limit false positives you should use what you have learned previously in this module to optimize rule performance. If you look further in the PCAP you see &quot;UPX,&quot; indicating that this file has been packed. Packed and compressed files avert detection by your NIDS. While this example may not be reflective of the most common current malware functionality, it is meant to demonstrate how clues left behind by malware can be used to develop IDS signatures. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 6 of 16. Screen title: Detecting Worm Outbreak. Image of virus, morphs into Trojan horse, morphs to a worm, morphs to a bot displays. Text displays, stage 2 worm outbreaks may include specific strings. Reprise image of P cap file displays. Bulleted text displays: begins with bytes M Z, and includes one of the strings: This program cannot be run in DOS mode, This program must be run under WIN 32, or This program must be run under WIN 64. Text displays, U P X indicates packed executable file.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Detecting Data Exfiltration</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Overview of Data Exfiltration</Title>
					<Subtitle/>
					<Filename>disaidscr5_07</Filename>
					<PageNbr>7</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Now that you know how to use your NIDS to detect worm and bot outbreaks, let's talk about a common security breach, data exfiltration. Data can leave our networks either maliciously or unintentionally. A malicious actor can collect information from your network using a C2 channel to harvest sensitive data, take screenshots, or gather keystrokes. A user may inadvertently email a database with personally identifiable information unencrypted. Preventing or detecting data exfiltration poses a challenge. Out of the box, NIDS do a poor job of detecting data exfiltration. However, with proper tuning and the use of well-written custom rules, your NIDS can be a powerful tool to identify and help prevent data exfiltration on your network. You may recall seeing this from the HIPAA example in a previous lesson. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 7 of 16. Topic Title: Detecting Data Exfiltration. Screen title: Overview of Data Exfiltration. Reprised network and malicious actor images display. Multiple lines representing data, passwords, and user names connect malicious actor with computer user display. Text displays, by default NIDS do a poor job of detecting data exfiltration. Text displays as a header, leverage the power followed by bulleted text: proper tuning, and well written custom rules.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Limitations of NIDS</Title>
					<Subtitle/>
					<Filename>disaidscr5_08</Filename>
					<PageNbr>8</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Detecting data exfiltration can be difficult with your NIDS alone. For example, pattern matching will fail against encrypted data. For standard data streams, your NIDS can view individual bytes and compare against the content of the rules. However, if the data is compressed, there are no plain-text strings for NIDS to compare signatures against. Your NIDS will sometimes fail, giving false positives or missing the data completely. Even though a NIDS may fail to detect the compressed data, it can successfully detect data exfiltration. The previous HIPAA example shows that failure does not mean total failure. Knowing the type of information on your network, what protocols should and should not be in use, and the roles of assets on the network gives you a tremendous advantage to writing rules that effectively monitor activity outside of this scope. In order to write custom rules for your NIDS, you must know your network. Your NIDS should be considered part, not all, of your defense-in-depth strategy for data exfiltration. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 8 of 16. Screen title: Limitations of NIDS. NIDS server image displays, labeled: consider NIDS as part of data exfiltration detection in depth. Images of magnifying glass with data stream flowing followed by image of empty magnifying glass with compression icon displays, labeled: NIDS will fail at times. Reprised hospital exterior image displays, labeled: failure does not mean total failure. Images of computer with I R C data stream leaving and image of two computer linked together display. No symbol, red circle with slash inside, displays over these two images, and labeled: know your network.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Pattern Matching</Title>
					<Subtitle/>
					<Filename>disaidscr5_09</Filename>
					<PageNbr>9</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Let's look at one way to use custom rules to detect data exfiltration. Pattern matching represents one of the easiest ways to use your NIDS to detect data exfiltration from your network. For example, classified projects often have a code word associated to the project. The code word is probably classified itself. In this visual, the rule searches for the code word &quot;BADDOG.&quot; Using pattern matching you can write rules using these code words or associated phrases to determine if classified information is potentially leaving your network. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 9 of 16. Screen title: Pattern Matching. Image displays representing computer bytes. Text displays, pattern matching followed by two bulleted texts: simplest way to detect classified data, and classified code words and project names. Reprise content rule option image displays. Series of 4 p cap images display as if they are scanned, on the final p cap image the characters in all upper case BADDOG are circled noting the pattern match with the rule.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Considerations for Detecting Data Exfiltration</Title>
					<Subtitle/>
					<Filename>disaidscr5_10</Filename>
					<PageNbr>10</PageNbr>
					<ShowText>
						<Txt frameNbr="1">When you use your NIDS to detect for sensitive data exfiltration, you need to remember and take into account several things. First you will want to secure permission, in writing, for the custom rules prior to using the NIDS to identify any data exfiltration of sensitive or classified information. Be thoughtful about the words or content you search, or you could make a data spill worse. The alerts you create have the potential to expose classified terms and phrases on the unclassified NIDS console in areas that may not meet classified protection standards. And the information you capture will be saved in the NIDS log files, PCAPs, and other data collecting formats. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 10 of 16. Screen title: Considerations for Detecting Data Exfiltration. Reminder image displays with text, reminder - receive permission prior to using I D S to identify sensitive information. Image of data spill displays with text, a data spill could be made worse. Image of a spy displays with text, classified code words could be exposed in alerts. Reprise image of P cap file displays with text, sensitive data could be saved in NIDS log files, p cap files, et cetera. The final image of a burglar displays with the text, mistakes more common than malice.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Pattern Matching Example</Title>
					<Subtitle/>
					<Filename>disaidscr5_11</Filename>
					<PageNbr>11</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Note these parameters as you begin the example using pattern matching. The classified project name should only appear in the closed classified network. The example will search for the now once classified project name &quot;VENONA.&quot; The unclassified boundary of the network serves as the location for the NIDS, for which the rule is written. We will use the project name as the search term. &quot;VENONA&quot; should not appear in any data on any port, because it is unique and wouldn't be used in other documents. Let's see how to write a custom rule to detect data exfiltration. [Male Narrator] I need to determine if any data is leaking from the classified network. I will test for the project name &quot;VENONA,&quot; because it is so unique. I need to know when something is detected, and I want save a copy of the packet for further investigation. Because I need to know when the rule is triggered, &quot;alert&quot; works as the best action for this. I could test several protocols, but &quot;ip&quot; will give me the largest potential results since this is the bulk of my network traffic. Plus this option will search for both IPv4 and IPv6 traffic. Using &quot;any&quot; for the Source IP will be resource intensive for the NIDS, but I think it is important to test as much data coming from all networks. A data spill could occur in multiple formats, so I will test on all ports. &quot;Any&quot; is the best choice. I only need to check traffic leaving the network, so the directional operator makes sense and will help make the rule more efficient on the NIDS. To test for all destinations outside of the network, I will use &quot;any&quot; for the destination IP and destination port. Now that I have a complete header, what options will work best? The rule options start with open parentheses. Of course I will need a message. 
While it seems logical to use the classified project name, I do not want to make any possible spill worse by having the name visible on an unclassified NIDS console, so I will use a more generic alert message, &quot;Possible Spillage&quot;. Oh, I can't forget the semicolon to close the message option. Let's see, content serves as the next rule option. I need to include the colon between command and content. Choosing the content to search for data exfiltration can present challenges. I'll use the classified code name as the best way to determine a leak. I did secure permission to use this rule to search for the term, so I will search for &quot;VENONA&quot; in quotation marks, followed by a semicolon. The unique rule id is &quot;1000105&quot;, and this is the first version. Close the parentheses and that completes the rule. This rule is going to consume more NIDS resources than I would like, but the data is critical and well worth the resource cost. [End Male Narrator.] </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 11 of 16. Screen title: Pattern Matching Example. Text displays; Venona (declassified example). Image of a square with several user computers and a server connected with data streams with VENONA passing between machines displays, and labeled classified network. Image reprise of a simple network, user computers, server, NIDS server, firewall and internet displays, and labeled unclassified network. Text Venona super imposed with a no symbol displays in the unclassified network. Computer monitor image displays, text is displayed on monitor in support of audio.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Limitations of Detecting Data Exfiltration</Title>
					<Subtitle/>
					<Filename>disaidscr5_12</Filename>
					<PageNbr>12</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Using your NIDS for data exfiltration has limitations. You can write the best custom rules for your NIDS, but sensitive data can still be exfiltrated physically. In addition, your NIDS will fail if the data is encrypted. NIDS cannot pattern match or scan the content of encrypted data packets. Malicious actors know this, so some bots will install encryption software to run prior to transferring files. NIDS also have a challenging time with compressed files. If the data is compressed, no plaintext strings exist to pattern match. Many modern websites gzip data on the fly; when this occurs the data packet header should include &quot;content-encoding: gzip.&quot; Depending on the functionality of your NIDS, it may be able to decompress the file before analyzing it. You should pay special attention to three areas when relying on your NIDS for data exfiltration: physical exfiltration, encrypted data exfiltration, and compressed data exfiltration. These explain why NIDS custom rules should be just one part of your defense-in-depth strategy. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 12 of 16. Screen title: Limitations of Detecting Data Exfiltration. Image of computer with USB memory stick displays, and memory stick is removed from computer and placed in a bag. Image of person walking out the door with the bag displays, and labeled physical data exfiltration. Reprised images display of malicious actor, firewall, NIDS server and user computer with animated lines with lock from malicious actor through firewall to user computer and back, labeled encrypted data. Image representing compressed files move along connection between malicious actor and user computer displays. Image representing gzip moves along connection from internet to NIDS to user computer, with the envelope opening at the NIDS.</ContentDescription></Sec508Data></Page>
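The following is an added example, not part of the course material: a small Python simulation of the content matching the lesson describes. It assembles the VENONA rule from the Pattern Matching Example screen, adds two constructed rules for the "MZ", DOS-stub and "UPX" strings from the Detecting Worm Outbreak screen (their sids 1000106 and 1000107 and all sample payloads are invented here), and runs them over plaintext, gzip-compressed, encrypted-looking and executable payloads to show the limitations from the screen above. Only a tiny subset of Snort-style options (msg, content, depth, sid, rev) is modelled; this is not Snort itself.

```python
"""Simulated NIDS content matching for the lesson's rules (added example).

Assumptions (not the course's own code): only a tiny subset of Snort-style
rule options is modelled here (msg, content with optional depth, sid, rev);
the PE/UPX rules, their sids 1000106 and 1000107, and all payloads are
constructed for illustration.
"""
import gzip
import re
from dataclasses import dataclass


@dataclass
class Rule:
    header: str      # e.g. 'alert ip any any -> any any'
    msg: str         # alert text shown on the NIDS console
    contents: list   # list of (pattern bytes, depth or None); all must match
    sid: int
    rev: int = 1

    def text(self) -> str:
        """Render the rule in the Snort-style syntax the lesson builds up."""
        opts = [f'msg:"{self.msg}";']
        for pattern, depth in self.contents:
            opts.append(f'content:"{pattern.decode("latin-1")}";')
            if depth is not None:
                opts.append(f"depth:{depth};")
        opts.append(f"sid:{self.sid}; rev:{self.rev};")
        return f"{self.header} ({' '.join(opts)})"


# Pattern Matching Example screen: the VENONA rule as the narration assembles it.
SPILLAGE = Rule("alert ip any any -> any any", "Possible Spillage",
                [(b"VENONA", None)], sid=1000105, rev=1)

# Detecting Worm Outbreak screen: executables start with "MZ" and carry the
# DOS-stub string; "UPX" marks a packed file. depth:2 pins "MZ" to the first
# two payload bytes so the match is not found somewhere mid-stream.
DOS_STUB = b"This program cannot be run in DOS mode"
PE_DOWNLOAD = Rule("alert tcp any any -> any any", "Possible Win32 executable",
                   [(b"MZ", 2), (DOS_STUB, None)], sid=1000106)   # constructed sid
PE_PACKED = Rule("alert tcp any any -> any any", "Possible UPX-packed executable",
                 [(b"MZ", 2), (b"UPX", None)], sid=1000107)       # constructed sid

RULES = [SPILLAGE, PE_DOWNLOAD, PE_PACKED]


def content_match(payload: bytes, pattern: bytes, depth=None) -> bool:
    """Snort-style content: search the whole payload, or only its first
    `depth` bytes when a depth is given."""
    haystack = payload if depth is None else payload[:depth]
    return pattern in haystack


def rule_fires(rule: Rule, payload: bytes) -> bool:
    """Every content option of a rule must match for the rule to fire."""
    return all(content_match(payload, p, d) for p, d in rule.contents)


def normalize_http(payload: bytes) -> bytes:
    """Mimic a NIDS HTTP preprocessor: inflate the body when the headers
    declare Content-Encoding: gzip, otherwise pass the bytes through."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if sep and re.search(rb"(?im)^content-encoding:\s*gzip\s*$", head):
        try:
            return head + sep + gzip.decompress(body)
        except (OSError, EOFError):
            return payload      # corrupt or truncated body: match on raw bytes
    return payload


def scan(rules, payload: bytes, inflate=True):
    """Return (sid, msg) for every rule that fires on one payload."""
    data = normalize_http(payload) if inflate else payload
    return [(r.sid, r.msg) for r in rules if rule_fires(r, data)]


# Constructed sample payloads, one per case the lesson discusses.
PLAINTEXT_EMAIL = b"Subject: status\r\n\r\nDraft slides for VENONA attached.\r\n"
GZIPPED_HTTP = (b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n\r\n"
                + gzip.compress(b"quarterly VENONA summary " * 8))
# Stand-in for an encrypted blob: fixed random-looking bytes, not a real cipher.
CIPHERTEXT = bytes.fromhex("8f3a1c77e2d94b6005aa9c13f7e6d2b81c4e")
PE_FILE = (b"MZ\x90\x00" + b"\x00" * 60 + DOS_STUB + b".\r\n$"
           + b"\x00" * 8 + b"UPX0" + b"\x00" * 8)
BENIGN = b"HTTP/1.1 200 OK\r\n\r\nnothing sensitive here\r\n"


if __name__ == "__main__":
    print(SPILLAGE.text())
    for name, payload in [("plaintext email", PLAINTEXT_EMAIL),
                          ("gzip HTTP (inflated)", GZIPPED_HTTP),
                          ("encrypted blob", CIPHERTEXT),
                          ("PE download", PE_FILE), ("benign", BENIGN)]:
        print(f"{name:22s} -> {scan(RULES, payload)}")
    # Without an inflating preprocessor the gzip case is missed entirely.
    print(f"{'gzip HTTP (raw)':22s} -> {scan(RULES, GZIPPED_HTTP, inflate=False)}")
```

The encrypted case never fires regardless of preprocessing, which is the point of the screen above: a content rule is only as good as the plaintext the sensor can see.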
			</Pages>
		</Topic>
		<Topic>
			<Title>Knowledge Check</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Knowledge Check 1</Title>
					<Subtitle/>
					<Filename>disaidscr5_13</Filename>
					<PageNbr>13</PageNbr>
					<PageType>Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>550</DfltQuestionWidth>
					<DfltFBWidth>550</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>During which phase of a worm/bot outbreak would a NIDS be least likely to detect the activity? </Txt>
							<Response valid="true">
								<Txt>Initial Infection</Txt>
							</Response>
							<Response>
								<Txt>Scanning Phase</Txt>
							</Response>
							<Response>
								<Txt>Network Exploitation Phase</Txt>
							</Response>
							<Response>
								<Txt>Stage 2 Download Phase</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. The initial infection is when a NIDS is least likely to catch an outbreak, since the infection may not occur via the network. </DfltCorrect>
								<DfltIncorrect>Incorrect. The NIDS is least likely to detect a worm/bot outbreak during the initial phase, since the infection may not occur via the network.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now, check your understanding of when a NIDS can detect a worm/bot outbreak. After you select your answer, select Done. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 13 of 16. Topic title: Knowledge Check. Screen title: Knowledge Check 1. This knowledge check consists of one question and four possible answers. Select the best response, and select done. Use the keyboard to cycle through the answers.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Knowledge Check 2</Title>
					<Subtitle/>
					<Filename>disaidscr5_14</Filename>
					<PageNbr>14</PageNbr>
					<PageType>Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>550</DfltQuestionWidth>
					<DfltFBWidth>550</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>Which of the following should your NIDS be able to detect?</Txt>
							<Response>
								<Txt>A system user downloading a classified document to a USB drive and taking it home to review.</Txt>
							</Response>
							<Response>
								<Txt>A user encrypts the classified project list to email it to a coworker who is sick at home.</Txt>
							</Response>
							<Response valid="true">
								<Txt>A threat actor sends a bot via a chat conversation.</Txt>
							</Response>
							<Response>
								<Txt>A user compresses multiple new hire password lists and sends them to personal email for safe keeping.</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. With the correct custom rules, your NIDS should detect a threat actor sending a bot via chat.</DfltCorrect>
								<DfltIncorrect>Incorrect. With the correct custom rules, your NIDS should detect a threat actor sending a bot via chat. Remember that the classified document does not traverse the network and therefore would be undetectable by the NIDS. Also, NIDS are typically not configured with decryption capabilities and would be blind to encrypted data.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now, check if you understand the limitations of using a NIDS to detect data exfiltration. After you select your answer, select Done. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 14 of 16. Screen title: Knowledge Check 2. This knowledge check consists of one question and four possible answers. Select the best response, and select done. Use the keyboard to cycle through the answers.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Knowledge Check 3</Title>
					<Subtitle/>
					<Filename>disaidscr5_15</Filename>
					<PageNbr>15</PageNbr>
					<PageType>Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>0</DfltQuestionWidth>
					<DfltFBWidth>0</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt></Txt>
							<Response valid="true">
								<Txt></Txt>
							</Response>
							<Response>
								<Txt></Txt>
							</Response>
							<Feedback>
								<DfltCorrect></DfltCorrect>
								<DfltIncorrect></DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Write a complex NIDS rule for the scenario. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 15 of 16. Screen title: Knowledge Check 3. This is a free response knowledge check supported by a P D F P CAP file. Type the response in the answer field and select done when complete.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Conclusion</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Conclusion</Title>
					<Subtitle/>
					<Filename>disaidscr5_16</Filename>
					<PageNbr>16</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Congratulations! You have completed the NIDS Rule Optimization lesson. You should now be able to identify how to detect worm and bot activity on your network and identify benefits and risks to using NIDS to detect data exfiltration from your network. Finally, you should be able to write a NIDS custom rule using advanced detection capabilities. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 16 of 16. Topic title: Conclusion. Screen title: Summary and Conclusion. The word Congratulations appears in large text. Text displays in support of audio. Objectives bullets change to checkmarks in sync with audio.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
	</Topics>
</Module>
