Each NSM data type can provide indisputable pieces of information. Multiple data types and multiple data sources must be used together to reveal all the information. To put the information together, the analyst must be able to correlate data of different types from different sources. The IP 5-tuple and time stamps are invaluable for correlating events across multiple data sets. Here is an example where multiple data sources can be used and correlated to get a larger picture.
The figure summarizes three IPS alerts. Each alert contains the full IP 5-tuple. The destination port (TCP port 25) identifies the SMTP protocol. The timestamps are identical. Email services are configured so that inbound email is first received by a system on the DMZ and then forwarded to the internal email server. IPS sensors are deployed on both the DMZ subnet and the internal server subnet. With knowledge of the DMZ and internal server addresses and of the IPS sensor placement, the analyst can deduce that all three alerts are associated with the delivery of the same email, as it was received on the DMZ, then forwarded from the DMZ, and finally received on the internal server subnet.
Looking further at the alert details, the analyst sees that the alert is associated with a suspicious executable email attachment, which can be correlated with extracted content. Bro is configured to extract all email attachments. The analyst examines the files that Bro has extracted and finds three files extracted from SMTP by Bro with the same time stamps as the three alerts. A quick hash sum operation on the three files verifies that they are all identical. Again, the same email with the attachment was seen three times as it was forwarded through the network. The analyst submits this file to a sandbox detonation service to see if any malicious activity is triggered. As seen in the figure, when the file is executed, it attempts to connect to a system on the internet.
The sandbox analysis produces an indication of compromise. 209.165.200.233 is a suspicious IP address. Any internal systems that attempted to communicate with this address may be compromised. Currently, the analyst knows which email server received the email, but does not know who the email recipient was, or if the email was received. The analyst correlates with transaction data to get more information. The analyst looks at the transaction logs on the internal SMTP server. This log will not have the entire 5-tuple in any entries. Given that the log records SMTP activities, the destination IP address can be assumed to be the server’s own IP address, the destination port is 25, and the transport layer protocol is TCP. Using the time stamp and peer information, the analyst finds log records that are associated with the reception of this email. The log entries are displayed below. Now the analyst has a user name. The email was directed to Wendy.
Oct 12 19:53:29 inside-srv postfix/smtpd[4620]: connect from dmz-srv.abc.public[172.16.1.10]
Oct 12 19:53:29 inside-srv postfix/smtpd[4620]: 9F659187BDC: client=dmz-srv.abc.public[172.16.1.10]
Oct 12 19:53:29 inside-srv postfix/cleanup[4625]: 9F659187BDC: message-id=<894ecb45-9d17-474e-e263-cb8184c24f02@services.public>
Oct 12 19:53:29 inside-srv postfix/qmgr[4607]: 9F659187BDC: from=<karla@services.public>, size=102582, nrcpt=1 (queue active)
Oct 12 19:53:29 inside-srv postfix/smtpd[4620]: disconnect from dmz-srv.abc.public[172.16.1.10]
Oct 12 19:53:29 inside-srv postfix/local[4626]: 9F659187BDC: to=<wendy@abc.private>, orig_to=<wendy@abc.public>, relay=local, delay=0.07, delays=0.05/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
Oct 12 19:53:29 inside-srv postfix/qmgr[4607]: 9F659187BDC: removed
So far, the logs show that the email reached the internal SMTP server and was directed to Wendy. Looking further in the log file shows that Wendy logged in with an IMAP client. IMAP clients automatically synchronize mailboxes upon connection. The analyst can assume that Wendy did receive the email. The log also indicates Wendy’s IP address, which is an important artifact.
Oct 12 20:57:29 inside-srv imapd: LOGIN, user=wendy, ip=[::ffff:10.10.6.10], port=[1677], protocol=IMAP
The analyst still does not know if Wendy opened the email or executed the attachment. Session data can be used in the next step of the analysis. The analyst knows the suspicious IP address (209.165.200.233) and Wendy's IP address (10.10.6.10). Querying session data for conversations from 10.10.6.10 to 209.165.200.233 confirms that there has been some activity, as shown in the screenshot. One of the conversations is to TCP port 4444, which is likely a command and control channel. The other conversation is to TCP port 21, which is the standard FTP port. There may have been data exfiltration.
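The correlation chain walked through above (postfix queue ID to recipient, IMAP login to client IP, client IP to sessions with the sandbox-derived IoC) can be scripted so it repeats for every recipient of a flagged sender. The following is an added example, not code from the original page; the mail log entries are the page's own, rejoined onto single lines, while the session records and the port labels are constructed assumptions standing in for a real session-data query.

```python
import re

# Constructed sample data: the page's postfix/IMAP entries on single lines, plus
# invented session records that stand in for the analyst's session-data query.
MAIL_LOG = """\
Oct 12 19:53:29 inside-srv postfix/smtpd[4620]: 9F659187BDC: client=dmz-srv.abc.public[172.16.1.10]
Oct 12 19:53:29 inside-srv postfix/qmgr[4607]: 9F659187BDC: from=<karla@services.public>, size=102582, nrcpt=1 (queue active)
Oct 12 19:53:29 inside-srv postfix/local[4626]: 9F659187BDC: to=<wendy@abc.private>, orig_to=<wendy@abc.public>, relay=local, delay=0.07, delays=0.05/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
Oct 12 19:53:29 inside-srv postfix/qmgr[4607]: 9F659187BDC: removed
Oct 12 20:57:29 inside-srv imapd: LOGIN, user=wendy, ip=[::ffff:10.10.6.10], port=[1677], protocol=IMAP
"""
# Constructed session records: (src_ip, dst_ip, proto, dst_port)
SESSIONS = [
    ("10.10.6.10", "10.10.1.5", "tcp", 443),
    ("10.10.6.10", "209.165.200.233", "tcp", 4444),
    ("10.10.6.10", "209.165.200.233", "tcp", 21),
    ("10.10.6.20", "209.165.200.233", "tcp", 80),
]
PORT_HINTS = {4444: "possible C2 channel", 21: "FTP, possible exfiltration"}

FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]+)>")
TO_RE = re.compile(r"postfix/local\[\d+\]: (\w+): to=<([^@>]+)@[^>]+>.*status=sent")
LOGIN_RE = re.compile(r"imapd: LOGIN, user=(\w+), ip=\[(?:::ffff:)?([\d.]+)\]")

def delivered_users(log, sender):
    """Follow the postfix queue ID from the from= line to the local delivery line."""
    qids = {m.group(1) for m in FROM_RE.finditer(log) if m.group(2) == sender}
    return {m.group(2) for m in TO_RE.finditer(log) if m.group(1) in qids}

def imap_logins(log):
    """Map each user who logged in over IMAP to the client IP (IPv4-mapped prefix stripped)."""
    return {m.group(1): m.group(2) for m in LOGIN_RE.finditer(log)}

def correlate(log, sessions, sender, ioc_ip):
    """Tie mail delivery, IMAP login and session data into one picture per recipient."""
    logins = imap_logins(log)
    findings = {}
    for user in delivered_users(log, sender):
        host = logins.get(user)  # None if the user never synced a mailbox
        hits = [(dport, PORT_HINTS.get(dport, "unknown purpose"))
                for src, dst, _proto, dport in sessions
                if host and src == host and dst == ioc_ip]
        findings[user] = {"host": host, "ioc_sessions": sorted(hits)}
    return findings

if __name__ == "__main__":
    for user, info in correlate(MAIL_LOG, SESSIONS, "karla@services.public", "209.165.200.233").items():
        print(user, info)
```

A recipient with no IMAP login, or a host with no sessions to the IoC address, still appears in the result with an empty session list, so the analyst can see which hosts remain unconfirmed rather than silently dropped.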