Friday, February 22, 2013

Watching for the APT1 Intelligence

Earlier this week, Mandiant released their APT1 report. I’m not going to bother providing any analysis or commentary on it; there has been plenty of that this week. As a developer on a network analysis tool, my interest lies primarily in consuming the intelligence data they provided and seeing how I can use it.

Vern Paxson, the original author of Bro, asked me yesterday morning if I had a simple example of a Bro script that he could use for a talk today. Bro’s current lead developer, Robin Sommer, suggested that we could show something related to the APT1 report. That’s when it occurred to me that doing so would actually result in a fairly simple and self-contained script, so I set off to write it.

Several hours later, interspersed with a few phone calls and lots of instant messaging, I had the script done and documented. Here’s where you can find the script module now: APT1 repository on github

There are a few key points about the script that I wanted to take a moment to highlight.

  1. The entire script really boils down to three ‘if’ statements. One for each of the types of data that Mandiant distributed (certificates, file hashes, and domain names).
  2. Mandiant didn’t actually distribute hashes for the certificates, so we had to get a little creative. We match on the certificate subject and serial number together, because after searching through the data store for our certificate notary project we discovered that there are legitimate certificates using some of the certificate subjects.
  3. Domain names are only being searched for in DNS queries. This is certainly suboptimal but it’s a first step.
  4. MD5 hashes are only being checked for files transferred over HTTP and only for Windows executables by default. The README included with the bro-apt1 repository includes instructions for expanding that to more files.
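To make the shape of those ‘if’ statements concrete, here is an added illustration of the DNS query check written for this post; it is not code from the bro-apt1 module, and the domain names and the address in it are constructed placeholders (the real indicators come from the report). It also includes a small set of source hosts whose queries are skipped, which is one way to handle the kind of exclusion the comment below asks about; the module name, notice type, and the `ignore_orig_hosts` and `domain_matches` names are my own.

```bro
##! Added illustration (not the bro-apt1 module): flag DNS queries for
##! domains on a watch list, skipping selected source hosts.

@load base/frameworks/notice
@load base/protocols/dns

module APT1Example;

export {
	redef enum Notice::Type += {
		## A DNS query matched a domain on the watch list.
		Domain_Hit,
	};

	## Constructed placeholder domains (the .invalid TLD is reserved);
	## the real list would be loaded from the report.
	const domains: set[string] = {
		"example-c2.invalid",
		"lookup.example-c2.invalid",
	} &redef;

	## Source hosts whose queries are ignored, e.g. an internal server
	## that is expected to look these names up. Placeholder address.
	const ignore_orig_hosts: set[addr] = {
		192.0.2.10,
	} &redef;
}

## Returns T if the query name is on the watch list. The name is
## lower-cased first because DNS names are case-insensitive and the
## list is stored in lower case.
function domain_matches(query: string): bool
	{
	return to_lower(query) in domains;
	}

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
	{
	# Skip originators that are on the exclusion list.
	if ( c$id$orig_h in ignore_orig_hosts )
		return;

	# The core check: a single 'if' against the data set.
	if ( domain_matches(query) )
		NOTICE([$note=Domain_Hit,
		        $msg=fmt("watch-list domain seen in DNS query: %s", query),
		        $sub=query,
		        $conn=c,
		        $identifier=cat(c$id$orig_h, query)]);
	}
```

The `$identifier` field lets the Notice framework suppress repeated notices for the same host and name, which matters when a compromised host retries a lookup every few seconds. Extending the check to HTTP Host headers, as the post suggests, means adding the same `domain_matches` test in an `http_header` handler rather than duplicating the list.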

This was an interesting experiment for me because it opened my eyes a little bit to a potential use for the upcoming revamp of Bro’s Intelligence Framework. The work on the Intelligence Framework is mostly done already and only has relatively small tuning remaining. If I had used the Intelligence Framework for this script, the domain names would have been searched for in many, many places automatically and not just DNS queries (the next obvious step would be HTTP Host headers). Data loading and distribution would have been abstracted much better: the data would have been loaded at runtime rather than encoded in a Bro script, which is certainly workable but suboptimal. The result would have been even less code and greater use of the data. Those two features in combination are very attractive to me for obvious reasons!

The script ended up being quite nice for about a combined hour of effort, but it’s a very naive implementation compared to what we’re working toward. My only question now is whether it ended up being too simple an example for what Vern wanted.

The script module is fully self-contained and very easy to run. I hope that no one has any hits!

1 comment:

  1. Hello,
    how can I exclude a single IP source (CIF Server) from this DNS query check?
    I'm looking into main.bro but I don't know how to modify the row
    event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)

    Can you please help me?