Packetloop's "Threat Analysis" feature started out as a functionality story called "play by play". I wanted to be able to peer inside an attack and step through it play by play. To do this we needed to take every indicator and warning and then perform deep packet inspection on every packet from every conversation and link it into our User Interface. Packetloop's Advanced Filter experience is powerful and fast and Threat Analysis had to be able to respond in the same way. So you could zoom in and out, pan left and right through time and filter on Attacker, Victim, Attack, Port or Industry Reference (e.g. CVE). It was a pretty bold concept and initially difficult enough that we pushed the functionality back - but we didn't give up ;)
Remember this is the canonical DARPA98 data set that I am analysing here. So the attacks have that old school retro feel.
Threat Analysis

In the previous post the source of attack 22.214.171.124 was located due to a large number of New Attacks in a very small period of time (12 new attacks in 1 minute). These attacks were related to information discovery (Finger and RPC Mapping) against 172.16.112.50. On closer inspection there was suspected FTP warez activity triggering a number of indicators. Filtering by 126.96.36.199 as the source and then zooming out to a 3 month time window we were able to view the entire attack timeline and find a second host, 172.16.114.50, that was also the destination of attacks (x86 NOOP Shellcode). Despite these indicators it was difficult to conclusively prove and analyse the breach.
Screenshot: The attack timeline shows Finger and RPC requests being used by the Attacker to enumerate the target.

Screenshot: An open FTP server is used to store and access Warez and Tools, including the Linux Root Kit.

Screenshot: A vulnerability in BIND is exploited to gain root access.
The attacker logs in to the FTP server as 'ftp', sends an ident, and then changes into the "caliberX" and then the "Win98.Final-PWA" directory. At a glance we have gone from thinking that this might be suspicious activity on our network to knowing that it is. Scrolling down we can view the individual files that the attacker is accessing, including the zip files and nfo files.
Later in the attack timeline the evidence becomes clearer and more damning. Looking into more FTP sessions between 188.8.131.52 and 172.16.112.50 we see the attacker download tools for exploiting Linux systems.
Again the attacker logs in as 'ftp', changes directory into 'lr2k-1.1' and then, in the final row of output, downloads 'lrootk.tgz'. This is a version of the Linux Rootkit.
The Shellcode attacks between 184.108.40.206 and 172.16.114.50 establish a shell that is used to initiate an X11 Window session between the attacker and the target. Using the advanced filter we can limit the search and zoom into the attack timeline. Shellcode is delivered over DNS (UDP/53) in a series of attacks at 12:33AM and then another flurry of attacks at 12:39AM.
The Shellcode targets a vulnerability in BIND 4.9 and BIND 8.0. This can be determined by highlighting the CVE in the Advanced Filter.
The timeline is important: an X11 session is established in the reverse direction (172.16.114.50 to 220.127.116.11) soon after the initial attacks, with the first back channel created at 12:39AM. This is shown in the screenshot below.
Packetloop's Threat Analysis provides a full breakdown of the X11 session.
We can tell that the attacker used the DNS exploit to gain root access because they issue an 'id' command that returns 'root'.
Again we can access a detailed breakdown of the X11 sessions where the id command is executed.
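The reverse-direction correlation described above (shellcode inbound over UDP/53, then an X11 back channel outbound from the victim minutes later) can be expressed as a simple detection over flow records. This is an added example, not Packetloop's code or the DARPA98 data: the flow records, the attacker address 203.0.113.7 and the other hosts apart from 172.16.114.50 are constructed, and the check generalizes to any host pair rather than only the attacker named in the post.

```python
from datetime import datetime, timedelta
from typing import List, NamedTuple

class Flow(NamedTuple):
    ts: datetime
    src: str
    dst: str
    proto: str
    dport: int

X11_PORTS = range(6000, 6064)   # X servers listen on 6000 + display number

def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated records: <ISO time> <src> <dst> <proto> <dport>."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, dport = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, proto.upper(), int(dport)))
    return sorted(flows, key=lambda f: f.ts)

def find_reverse_x11(flows: List[Flow], window: timedelta = timedelta(minutes=10)) -> list:
    """For every TCP connection to an X11 port, report it if its destination sent
    UDP/53 traffic to its source inside `window` beforehand (exploit, then back channel).
    Each hit is (backchannel_ts, first_exploit_ts, n_exploit_flows, attacker, victim)."""
    hits = []
    for bc in flows:
        if bc.proto != "TCP" or bc.dport not in X11_PORTS:
            continue
        victim, attacker = bc.src, bc.dst
        prior = [f for f in flows
                 if f.proto == "UDP" and f.dport == 53
                 and f.src == attacker and f.dst == victim
                 and bc.ts - window <= f.ts < bc.ts]
        if prior:
            hits.append((bc.ts, prior[0].ts, len(prior), attacker, victim))
    return hits

# Constructed sample flows: a benign DNS lookup by the victim, three UDP/53 flows from the
# attacker, the X11 back channel from victim to attacker, and two unrelated outbound flows.
SAMPLE = """
1998-06-08T00:20:00 172.16.114.50 172.16.112.20 udp 53
1998-06-08T00:33:00 203.0.113.7 172.16.114.50 udp 53
1998-06-08T00:33:05 203.0.113.7 172.16.114.50 udp 53
1998-06-08T00:39:00 203.0.113.7 172.16.114.50 udp 53
1998-06-08T00:39:30 172.16.114.50 203.0.113.7 tcp 6000
1998-06-08T00:40:00 172.16.114.50 192.0.2.80 tcp 80
1998-06-08T00:50:00 172.16.114.50 192.0.2.9 tcp 6000
"""

if __name__ == "__main__":
    for bc_ts, first, n, atk, vic in find_reverse_x11(parse_flows(SAMPLE)):
        print(f"{vic} -> {atk} X11 back channel at {bc_ts:%H:%M:%S}, "
              f"preceded by {n} UDP/53 flows from {atk} starting {first:%H:%M:%S}")
```

The X11 connection to 192.0.2.9 at 00:50 is not reported because no UDP/53 traffic from that host preceded it, which is the distinction between a reverse session and ordinary outbound X traffic.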
This is a canonical example of an attacker performing reconnaissance and targeting, exploiting a vulnerability and establishing full root access. Packetloop allows you to find and analyse these incidents in minutes with full data fidelity. Every attack and attacker can be isolated, every packet in the attack can be stepped through and analysed.
With Packetloop's Threat Analysis there is no guesswork. The entire attack timeline can be examined from months down to minutes.
Sign Up for a Free account today and explore the 50GB of Public Datasets available on the Packetloop platform using Packetloop Threat Analysis.