Tuesday, May 15, 2012

ELSA: The Security Blog Companion

A healthy reading list is critical for any IT security professional. In addition to the myriad of blogs I subscribe to, I also keep a close eye on my Twitter feed for the many links published there. A tweet from Claudio pointed out the new Shadowserver.org post, which contained a stellar description of dissecting an APT attack. As with any technical post, while reading I am unconsciously looking for indicators of compromise to dump into ELSA to see if our org has been affected as well. Not only does it make reading technical posts more fun by "playing along at home," it's a great way to do some hunting.

So, in that spirit, if you want to play along with your own ELSA instance while reading the shadowserver.org post, you'd just keep gedit or notepad open and paste terms in every so often. The Shadowserver post makes it especially easy by bolding the IoCs. What you end up with is something like this list of indicators:

Edit: I had to add spaces because Websense keeps flagging this site as malicious.


Now the fun part: copy and paste that whole list into the ELSA search field and hit submit. It's as easy as that. Since this was a targeted attack, there probably wasn't a hit for your org. Don't feel too left out yet, though! There's more hunting to be done. One of the design goals for ELSA was to make it as easy as possible to take a starting point and fuzz the search to find related things. In this case, you can start looking for the parent domains of those hostnames, so you can tack on these terms:

ddns .us
audioelectronic .com
dns05 .com
163.com .fr
support-office-microsoft .com

If you're using the httpry_logger.pl script that ships with ELSA, or you've got Bro DNS logs being sent to ELSA, you could get some hits there. Still no hits? Let's dig even further. If you're a member of ISC's DNSDB, you can do some passive DNS checks to see what else those malicious IPs have resolved to (or use the ELSA plugin for DNSDB). For instance, windows.ddns .us resolved to 59.120.140 .77 on May 9th for some DNSDB member. You can add that to the search list. Then, by asking what other domains 59.120.140 .77 has resolved to in the past, you get:


So you can tack all of these on as well. If you still haven't gotten any hits, this wasn't all for nothing. Click the "Results..." button and set an alert to fire on future occurrences of these terms, and now you'll be alerted if your org is ever attacked using any of this infrastructure. Since these indicators are likely to become irrelevant soon, you can stick with the default end-date of a week, or extend it if you like.
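As an added example (not ELSA's own code, nor a script from the post), here is a small Python sketch of the workflow above: refang a pasted, space-defanged indicator list, add the parent domain for each hostname and the domain for each e-mail address, dedupe the resulting search terms, and pivot once through passive-DNS records the way the DNSDB step does. The indicator list and the passive-DNS pairs are constructed from documentation ranges and example names, the IPv4 regex and the two-label parent-domain rule are assumptions, and the `ELSA` search field simply receives the returned strings.

```python
import re

# Constructed sample, defanged the way the post does it (space before the last label); not the write-up's IoCs.
PASTED_INDICATORS = """
203.0.113 .45
c2.dyn.example .net
attacker@webmail.example .org
Dropper .swf
198.51.100 .7
"""
# Constructed passive-DNS (rrname, rdata) pairs standing in for a DNSDB lookup.
PASSIVE_DNS = [("c2.dyn.example.net", "192.0.2.99"), ("beacon.example.info", "192.0.2.99"),
               ("login.example.biz", "203.0.113.45")]
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")  # assumption: pasted lists carry IPv4 only

def refang(term):
    """Undo 'ddns .us' style defanging by removing whitespace around dots."""
    return re.sub(r"\s*\.\s*", ".", term.strip()).lower()

def classify(term):
    """Return 'ip', 'email' or 'host'; ELSA gets the literal string either way."""
    if IPV4.fullmatch(term):
        return "ip"
    return "email" if "@" in term else "host"

def parent_domain(host):
    """Two-label parent, as in glogin.ddns.us -> ddns.us.  Assumption: no public-suffix
    list is consulted, so a suffix such as co.uk needs handling by hand."""
    return ".".join(host.split(".")[-2:])

def search_terms(pasted):
    """Refang, dedupe, and add the fuzzed domain for every host and email, first-seen order."""
    seen, out = set(), []
    for term in filter(None, map(refang, pasted.splitlines())):
        kind = classify(term)
        extra = (term.split("@", 1)[1] if kind == "email"
                 else parent_domain(term) if kind == "host" else None)
        for candidate in (term, extra):  # a file name like dropper.swf is its own parent, so it dedupes
            if candidate and candidate not in seen:
                seen.add(candidate)
                out.append(candidate)
    return out

def pivot_passive_dns(terms, records):
    """One hop as in the post: known hosts -> IPs they resolved to -> other names on those IPs."""
    known = set(terms)
    ips = {ip for name, ip in records if name in known} | {t for t in known if classify(t) == "ip"}
    new_names = {name for name, ip in records if ip in ips and name not in known}
    return sorted((ips - known) | new_names)
```

The list from `search_terms` is what goes into the ELSA search field, and the output of `pivot_passive_dns` is the batch you tack on after the DNSDB step.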

By constantly dumping search terms into ELSA as you read, you can start finding some really interesting events that might otherwise have been missed. That's why I encourage those of you who have an ELSA instance (if you don't, take a half hour and install it!) to keep it handy as you work through your daily feeds.