Cyber Security Analyst (Part 1 of 3)

Netflow Data Analysis
This series will cover analyzing the common data types found in cyber security incidents; Netflow,  Domain(s) & IP address(es), PCAP. The format of the posts will be as follows Background information, Concepts & Techniques, Tools, and Recommended reading and/or videos. 



The information in this blog is design to help people analyzing Netflow data. There are many programs which can automate the manipulation and organization of Netflow data for the end user. I believe it is always a good idea to know how to perform these task manually because every environment will be different.



Background
Having a working understanding of the Threeway Handshake, Session Flags, Port Numbers, and Domain Name System (DNS) are essential to being able to read Netflow data.

A. Threeway Handshake

• Threeway Handshake is used to establish a connection between a client and a server. 
• Client is a device which request services. 
• Server is a provider of services to clients. 
• Threeway Handshake Process: 
1. Client sends a "SYN" flag to the server  
2. Server responses with "SYN-ACK"   
3. Client sends a "ACK" flag  
4. The connection is now complete. 

B. Session Flags [1]

• URG (1 bit)  indicates that the Urgent pointer field is significant 
• ACK (1 bit)  indicates that the Acknowledgment field is significant. All packets after the initial SYN packet sent by the client should have this flag set. 
• PSH (1 bit)  Push function. Asks to push the buffered data to the receiving application. 
• RST (1 bit)  Reset the connection SYN (1 bit)  Synchronize sequence numbers. Only the first packet sent from each end should have this flag set. Some other flags change meaning based on this flag, and some are only valid for when it is set, and others when it is clear. 
• FIN (1 bit)  No more data from sender

C. Port Numbers [2]

• Port Numbers can be linked to certain applications and services to give one a better idea of the type of activity which is occurring during the communication they are observing. 
• Port number: 1 - 1023 well know server services. 
• Port numbers 1024 - 5000 ephemeral port numbers. 
• An ephemeral port is a short-lived transport protocol port for Internet Protocol (IP) communications allocated automatically from a predefined range by the TCP/IP software.

D.  Domain Naming System (DNS)

• DNS interactions are required for all internet activity.
• DNS Process:
1. Client issues a DNS query.
2. A DNS Server accepts the query.
3. If the first DNS server does not know the answer to the query request, then it will ask additional DNS servers.
4. When the DNS server receives the answer to the DNS query, it returns the Domain to the client.

Concepts & Techniques
The Netflow data is used to confirm activity through correlation of information across different mediums. For example correlating network traffic with system logs to determine what the system was doing at the specific point in time. When analyzing Netflow data keep the following in mind:

• Netflow data can be queried like a database.
• Organize the data according to the "Time" field preferably the start time option. 
• You may not be able to see the complete session due to network a lack of network coverage.
• Go back a week or a month from the initial date of the suspicious traffic in order to try and establish a normal behavioral pattern to compare the infected system to. 
• A few common attacks that can be observed in Netflow:
• Beaconing
• DDoS
• TCP Reset attack

 

Tools
The list tools are free open source tools for Linux and Windows respectively:

• tcpdump
• WinPCAP

These tools will allow you to capture Netflow data from the network interface of your PC. I recommend practicing observing the Netflow data from your PC while it is idle in order to see which services are continuously communicating with the internet and browsing the web.


Recommended Reading and/or Videos

• Real Digital Forensics: Computer Security and Incident Response by Keith J. Jones, Richard Bejtlich, and Curtis W. Rose.
• ISBN-13: 978-0321240699
   
• Extrusion Detection: Security Monitoring for Internal Intrusions by Richard Bejtlich, foreword by Marcus Ranum.
• ISBN-13: 978-0321349965

References 

1. Transmission Control Protocol
2. Ephemeral Port

Social Media
Facebook:
https://www.facebook.com/BDavisCS/

Twitter:
@BDavis_CyberSec

Cuckoo Sandbox Installation (Part 4 of 4)

This is 4 of a 4 part series on the installation of Cuckoo Sandbox. Part 4 will focus on preparing the guess Operating System of the Virtual Machine for use with the Cuckoo Sandbox.

Patch Management
One of the keys to using Cuckoo successfully is to track the applied patches/updates to your guess Operating System (OS) and application(s) also known as a baseline. The baseline eliminates specific vulnerabilities in certain software based on the applied patch/update level. A baseline allows one to rule out malware which effects vulnerabilities covered by your baseline. My recommendation is to have your baseline patched/updated between 1 - 3 months behind the current month. This is because every environment handles patches/updates differently which can lead to delays in rolling out patches/updates. 


Guess Operating System
Cuckoo supports Linux, Unix, and Windows operating systems. While Linux and Unix Operating systems are targets for malware, Windows is the most used Operating System in the business sector and therefore will be the Operating Systems of focus for this post. My recommendations are to test malware samples on Windows 7 (32-bit/64-bit) or Windows 10 (32-bit/64-bit). 


Steps

1. Guess Operating System Configurations

• Disable the Windows Firewall
• Disable the Windows Defender
• Reason for disabling the above is that organizations use third party vendors to manage those functions (i.e. Norton anti-virus, Sonic wall, etc)

• If possible, set automatic updates to "notify when updates are available and let me chose which ones to download and install."

2. Cuckoo Dependencies [1]

• Download and install Python 2.7
• (Optional) Download and install Python Image Library 1.1.7 for Python 2.7 
• Transfer the Cuckoo Agent via a temporary shared folder between the host and guess operating system.

3. Additional Software

• Install the following commonly used programs: Microsoft Office (2007, 2010, 2013), Adobe Flash player, Adobe Reader, and Java.

4. Plugins

• Add commonly used browser plugins  

5. Paranoid Fish (Pafish)

• Purpose is to help one determine if their Sandbox is detectable by malware.
• Some malware has the capability to detects the presents of a sandbox. If it detects one it will fail to execute preventing one from obtaining any analytical information from it.  
• Installation:
• Download the executable file Paranoid Fish to your Virtual Machine.
• Install the executable.
• Run it.

References
1. Cuckoo Sandbox Documentation.


Social Media
Facebook:
https://www.facebook.com/BDavisCS/

Twitter:
@BDavis_CyberSec

Cuckoo Sandbox Installation (Part 3 of 4)

This is 3 of a 4 part series on the installation of Cuckoo Sandbox. Part 3 will focus on editing the configuration files for the Cuckoo Sandbox. 

Video Instructions
Cuckoo Sandbox Installation Part 3


Steps

To edit the configuration files:

• Open a terminal
• Navigate to the directory of the configuration files 
• /home/YourUserName/Downloads/cuckoo/conf
• Open a specific file using nano editor
• nano FileName
• Replace the value on the right side of the equal sign with a corresponding value (i.e replace "yes" with "no", or change a numerical value). 
• Note: The items in "[ ]" are the section heads within the specific configuration file.  

• Nano editor Basics
• To save the edited file hold the "Ctrl" button on your keyboard and press the "x" button on your keyboard.
• Type "Y"

• How to Find the IP Address of your Windows virtual machine:
• 1. Power on the VM.
• 2. Open a command prompt and type the command:
• ipconfig  

• How to Find the Network Interface of your virtual machine:
• 1. Open a terminal
• 2. Type the command:
• ifconfig
• Look the IP Address range which your VM's IP Address falls within. To the left of the IP Address range will be the name of the Network Interface associated with it. Below is a picture containing an example:
•   
  

• How to Find the vmx_path:
• Type the following command:
•  find / -name "*.vmx"

• How to Find the IP Address of your host machine:
• 1. Open a terminal
• 2. Type the command:
• ifconfig

Configuration Files[1]

• cuckoo.conf 
• nano cuckoo.conf
• [cuckoo]
• memory_dump = on
• machinery = virtualbox or vmware

• [resultserver]
• ip = ip address of the host system not the virtual machine.

• auxiliary.conf
• nano auxiliary.conf
• [mitm]
• enable = yes

• [sniffer]
• interface = the network interface of your virtual machine

• vmware.conf
• nano vmware.conf 
• [vmware]
• machines = name of virtual machine
• interface = name of the network interface for the virtual machine
• [Name_of_the_Virtual_Machine]
• vmx_path = ../name_of_virtual_machine/ name_of_virtual_machine.vmx
• ip = ip address of the virtual machine

• processing.conf
• nano processing.conf
•  [memory]
• enable = yes

• memory.conf
• nano memory.conf
• [basic]
• guest_profile = volatility's profile name for your guest operating system
• Here are a list of profile names for the various Windows operating systems
•  
  

• reporting.conf
• nano reporting.conf 
• [reporthtml]
• enable = yes

• [mongodb]
• enable = yes

References  
1. Cuckoo Sandbox Configuration Files

Social Media
Facebook:
https://www.facebook.com/BDavisCS/

Twitter:
@BDavis_CyberSec 

Cuckoo Sandbox Installation (Part 2 of 4)

This is 2 of a 4 part series on the installation of Cuckoo Sandbox. Part 2 will focus on installing additional functionality to the Host Operating System for the Cuckoo Sandbox. 

Video Instructions
Cuckoo Sandbox Installation Part 2


Steps
All  commands are Italicize. To install the software open a terminal and copy & paste the commands. During the installation of the various software you will be prompted with the options of "Yes/No" type "Yes or Y" to all prompts.

1. Install Django-based web interface [1]

• sudo apt-get install mongodb

2. Install TCPdump [1]

• sudo apt-get install tcpdump
• sudo apt-get install libcap2-bin
• sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
• getcap /usr/sbin/tcpdump

3. Install Volatility [2]

• sudo apt install git
• git clone https://github.com/volatilityfoundation/volatility.git
• Navigate to the volatility folder 
• cd /home/YourUserName/volatility
• sudo python setup.py install

4. Install Volatility Plug-ins

• Distorm3
• Download Distorm3  
• Navigate to the Downloads folder
• tar -xvzf distorm-3.4.0.tar.gz
• Navigate to the distorm-3.4.0 folder
• cd /home/YourUserName/Downloads/distorm-3.4.0
• sudo python setup.py install

•  Yara [3]
•  Install autoreconf
• sudo apt-get install autoconf
• Install libtool-bin
• sudo apt-get install libtool-bin
• Download Yara
• Navigate to the Downloads folder
• tar -xvzf yara-3.5.0.tar.gz
• Navigate to the yara-3.5.0 folder
• cd /home/YourUserName/Downloads/yara-3.5.0
• ./bootstrap.sh
• ./configure --with-crypto --enable-magic --enable-cuckoo
• make
• sudo make install 
• sudo -H pip install yara-python

• PyCrypto [4]
• Download PyCrypto
• Navigate to the Downloads folder
• tar -xvzf pycrypto-2.6.1.tar.gz
• Navigate to the pycrypto-2.6.1 folder
• cd /home/YourUserName/Downloads/pycrypto-2.6.1
•  python setup.py build
• sudo python setup.py install

• Openpyxl [5]
• sudo -H pip install openpyxl

• UJSON [6]
• sudo -H pip install ujson

•  IPython [7]
• sudo -H pip install jupyter

5. Install Mitmproxy

• sudo apt-get install python3-pip python3-dev libssl-dev libtiff5-dev libjpeg8-dev zlib1g-dev libwebp-dev
• sudo pip3 install mitmproxy
• mitmproxy
• cd ~/.mitmproxy
• cp mitmproxy-ca-cert.p12 /home/YourUserName/Downloads/cuckoo/analyzer/windows/bin/cert.p12 
•  mitmdump = /usr/local/bin/mitmdump

References
1. Cuckoo Sandbox Documentation
2. Volatility Documentation
3. Yara Documentation
4. PyCrypto Documentation
5. OpenPyxl Documentation
6. UJSON Documentation
7. IPython Documentation


Social Media
Facebook:
https://www.facebook.com/BDavisCS/

Twitter:
@BDavis_CyberSec

Cuckoo Sandbox Installation (Part 1 of 4)

This is the first of four parts series on the "Installation of Cuckoo Sandbox." Part 1 will focus on preparing the Host Operating System. 

Video Instructions
Cuckoo Sandbox Installation Part 1

Background
In order to successfully install Cuckoo Sandbox you must setup the required environment. The required software is Linux, Python, and a virtualization platform (i.e Virtualbox or VMware Player).

Steps

All  commands are Italicize. To install the software open a terminal and copy & paste the commands. During the installation of the various software you will be prompted with the options of "Yes/No" type "Yes or Y" to all prompts. 

1. Linux

• Install Linux as your main operating system. This can be any distribution of Linux. (My choice was  Ubuntu 16.04).
• Run the update command to update your Linux distribution. 
• sudo apt-get update

2. Python libraries [1]

•   Install the dependencies 
•  sudo apt-get install python python-pip python-dev libffi-dev libssl-dev 

• Install libxml2-dev and libxslt-dev 
• sudo apt-get install libxml2-dev libxslt-dev

•  Install the requirements from the requirements text file using PyPI 
• Download Cuckoo Sandbox and extract it.  
• Command to extract the .tar.gz file: tar -xvzf 
• Example: tar -xvzf FileName.tar.gz
• Navigate to the cuckoo folder:
• cd /home/YourUserName/Downloads/cuckoo
• sudo -H pip install -r requirements.txt 
• sudo -H pip install --upgrade pip

 3. Virtualization Software

• Install VMware player
• Download VMWare Workstation Player for Linux
• Navigate to 
• cd/ home/YourUserName/Downloads

• sudo chmod u+x VMWare-Player-12.5.1-4542065.x86_64.bundle
• sudo ./VMWare-Player-12.5.1-4542065.x86_64.bundle

4. Create a user for cuckoo

• sudo adduser cuckoo

References:
1. Cuckoo Sandbox Documentation


Social Media
Facebook:
https://www.facebook.com/BDavisCS/

Twitter:
@BDavis_CyberSec

Entering The Field of Cyber Security

Background
As the internet growth accelerates, the need for innovative approaches to combat new cyber threats has grown as well. Corporations and governments invested billions of dollars annually to establish and maintain a defense against cyber-attacks. It is estimated that by 2019 the cost of cyber security will exceed $155 billion. The demand for certified Cyber Security specialists continues to exceed the number of available certified individuals. There are several options to obtain and maintain security certifications. Internet based training is available to everyone who has access to the internet and by far the most flexible (self-pace) and cost effective. 
  

Certifications
Security+ and Network+ certifications are required to apply for entry level Information Technology positions. Advertise Cyber Security positions "Requests for Proposals" always include requirements for individuals with key internet security certifications. 

Online Internet Course Market Place

•  Udemy -Is an internet marketplace with over 22,000 courses available for a variety of career fields. Udemy offers free membership to its alumni and course enrollment cost is very small.  

•  Cybrary.IT  Is free to join and each available course is free to enroll in.

 Books

The recommended books below contain hands on labs at the end of each chapter. 

•   Security+

• (ISBN-13: 978-1118875070), (ISBN-10: 1118875079)

• Network+

•    (ISBN-13: 978-1119021247), (ISBN-10: 1119021243)

(Disclaimer: I am not sponsored by any of the companies . All my opinions are my own.)

Social Media
Facebook:
https://www.facebook.com/BDavisCS/

Twitter:
@BDavis_CyberSec