What is really being proxied?
An observation from the road, was with a client recently and the discussion of proxy entered into the conversation. Now before we get all “Political” and start dropping packet bombs, a technical challenge came up that made me really think.
- What traffic is ‘really’ hitting the proxy?
- How many proxy ‘bypass’ rules are in place?
- Are you inspecting Encrypted Traffic?
- Who/What is in the Encryption Inspection Bypass list?
Google recently released some numbers on encrypted traffic and we are WELL past the 50% mark [1] [2] [3]. With the ease of getting signed certificates through organizations like Letsencrypt and the high level of privacy concerns in the world, it only makes sense [4].
The observation, proxy was politically driven, senior management did not have the right business understanding of what a proxy does. Further, the word “proxy” had become and abstract term for the concept of filtering, blocking, and proxy. This made it hard when ‘vendor’ uses industry language and organization says “yes, we understand that is what’s REALLY going on but please say proxy for that with management.”
Now to the discovery portion of our diary, how long has it been since you have looked at what is actually flowing out of your environment? Yes yes.. we know that ‘everything’ runs over ports 80 or 443, but after taking a look at my own environment? A little bit more of non 80/443tcp traffic was leaving that expected (and that was even with the cynical pre-disposition).
With a greater than 50% of traffic being encrypted it is clear that the topic of decryption needs to be revisited. Along with that, what is actually being picked up outbound and what is not hitting the known exit points (e.g. is it really going over 443?).
[1] http://www.pcmag.com/news/342935/77-percent-of-google-internet-traffic-now-encrypted
[2] http://www.newsfactor.com/news/Google--77--of-Traffic-Is-Encrypted/story.xhtml?story_id=111003TV6AOF
[3] https://www.inferse.com/40477/google-transparency-report-2016/
[4] https://www.nytimes.com/2017/03/07/world/europe/wikileaks-cia-hacking.html?_r=0
Richard Porter
--- ISC Handler on Duty
Searching for Base64-encoded PE Files
When hunting for suspicious activity, it's always a good idea to search for Microsoft Executables. They are easy to identify: They start with the characters "MZ" at the beginning of the file[1]. But, to bypass classic controls, those files are often obfuscated (XOR, Rot13 or Base64). Base64 is very common and it's easy to search for Base64 encoded PE files by searching the following characters:
TVoA TVpB TVpQ TVqA TVqQ TVro
(Credits go to a tweet from Paul Melson[2])
I added a new regular expression to my Pastebin scrapper:
TV(oA|pB|pQ|qA|qQ|ro)\w+
It already matched against interesting pasties :-)
The same filter can be applied to your IDS config, YARA rule, email filters, etc...
[1] https://en.m.wikipedia.org/wiki/DOS_MZ_executable
[2] https://twitter.com/pmelson
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key
If you have more information or corrections regarding our diary, please share.
