Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: Internet Storm Center - Internet Security | DShield Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

When MacOS Catalina Comes to Life: The First Few Minutes of Network Traffic From MacOS 10.15.

Published: 2019-10-14
Last Updated: 2019-10-16 22:43:21 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

This post is continuing a series I started in April about network traffic from Windows 10. When dealing with network traffic, it is always good to know what is normal. As part of this series, I will investigate the first few minutes of network traffic from current operating systems. With macOS 10.15 Catalina just being released, I figured this might be an excellent next operating system to investigate.

Lets first start with some basic fingerprinting. TCP SYN packets from MacOS 10.15 look just like SYN packets from earlier macOS versions:

Flags [SEW], seq 4259408247, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 801728007 ecr 0,sackOK,eol], length 0

macOS is one of a few operating systems using ECN by default. It attempts to use the maximum possible window size, but also offers Window Scaling. Like all modern operating systems, macOS uses PMTUD to avoid fragmentation.

1. Catalina Install

For this experiment, I installed Catalina in a virtual machine. The first connections during the install set the time via Apple's "time.apple.com" NTP server. Next, the system connected to "albert.apple.com" via HTTPS, Apple's secure activation server. OCSP is used to verify the certificates. The system also checks if it has internet connectivity via "https://www.apple.com/library/test/success.html" and connects to swscan.apple.com. This server is used to distribute Apple software. The connection uses HTTPS, so it isn't clear what the installer is looking for, but likely supplemental software. In my case, the system connected 18 times and retrieved about 42 MBytes in total.

Interesting: During the install, the system connected 206 times to gspe21-ssl.ls.apple.com, retrieving about 23 MBytes. The system appears to be associated with Apple's mapping service (http://gspe21.ls.apple.com/html/attribution.html), but of course, it may have other functions as well.

Other significant connections retrieve language-specific dictionaries. These are the only significant HTTP connections.

2. First Boot

The first boot started out a lot like the install with a connection to time.apple.com. But unlike during the install, which used connections pretty much exclusively to Apple's own systems, macOS does connect to a few non-Apple networks:

  • apple-finance.query.yahoo.com - Retrieve stock quotes

After starting Safari, a few additional connections popped up to load icons for the start screen:

  • www.yelp.com
  • www.yahoo.com
  • www.weather.com
  • www.tripadvisor.com
  • www.linkedin.com
  • www.facebook.com
  • www.bing.com
  • www.twitter.com

There was a lot of talk about Safari's connection to Tencent for its "Safe Browsing" feature. Apple stated that only systems in China would connect to Tencent, and I did not observe any connections not in line with Apple's statement.

Apple uses various CDNs, so the exact IP addresses will vary based on your location. I ran these experiments while in Chicago, IL. 

Links to PCAP data:

install.pcap
firstboot.pcap

This post has also been cross-posted to our newish SEC503 Blog: Show Me The Packets!

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute
Twitter|

Keywords:
0 comment(s)

Security Monitoring: At Network or Host Level?

Published: 2019-10-16
Last Updated: 2019-10-16 09:39:13 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

Today, to reach a decent security maturity, the keyword remains "visibility". There is nothing more frustrating than being blind about what's happening on a network or starting an investigation without any data (logs, events) to process. The question is: how to efficiently keep an eye on what's happening on your network? There are three key locations to collect data:

  • The perimeter (firewalls, proxies, etc)
  • Hosts (servers, endpoints)
  • The network

Performing log collection at the perimeter sounds the bare minimum for many years but it's not sufficient (Example: How to detect lateral movement on your LAN?) and everybody agrees to say that the perimeter is gone for years.

You can deploy controls and collect information at the host level with tools like Sysmon[1], OSSEC[2] and many other end-points solutions. The problem is a constant fight between teams in big organizations. System admins are not always happy to deploy more and more agents. It also has a constraint in terms of management, upgrades, costs (license for a commercial product) and how do you handle people who bring their own device?

I'm more and more convinced that network monitoring is a key element today. Just by sniffing the traffic at critical exchange points in the network, you have full visibility and increase capacities to detect suspicious traffic. I'll give you two practical examples that I faced during the BruCON[3] security conference last week (where I'm involved in the NOC/SOC). Basically, the network is used by untrusted devices and people.

First, we had to track somebody based on a downloaded picture. We knew the timestamp and found corresponding pictures on the filesystem of the server. Based on the hash, we found the TCP flow corresponding to the download and finally the IP address assigned by DHCP, the device name and its MAC address. In less than 15 mins.

In the second example, somebody was testing some exploits on a laptop (an official test, nothing malicious). We were able to detect the call-back to the C2 (Cobalt-Strike). In this situation, you don't know what's happening on the end-point but you know that it is for sure compromized.

Even if today more and more traffic is encrypted, it is possible to detect suspicious activity just by having a look at the network flows. When they occur, how often, the size of transferred data, the destination, etc.

What was deployed:

  • Zeek (Bro)
  • Full packet capture
  • Full logging of flows
  • Transparent Proxy
  • DHCP, DNS
  • Extract of interesting files
  • Splunk

Of course, network monitoring can be implemented only on networks that you control. You can't control devices that travel (like laptops). That's why, in a perfect world, you need both (network & host controls) but the amount of information that can be collected and analyzed on networks is amazing! If you are interested in this field, I recommend you the FOR572[4] training: "Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response".

[1] https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
[2] https://ossec.net
[3] https://brucon.org
[4] https://www.sans.org/course/advanced-network-forensics-threat-hunting-incident-response

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Keywords: Monitoring Network
0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

When MacOS Catalina Comes to Life: The First Few Minutes of Network Traffic From MacOS 10.15.
Oct 16th 2019
9 hours ago by Johannes (0 comments)

YARA's XOR Modifier
Oct 14th 2019
2 days ago by DidierStevens (0 comments)

YARA v3.11.0 released
Oct 12th 2019
4 days ago by DidierStevens (0 comments)

Mining Live Networks for OUI Data Oddness
Oct 10th 2019
6 days ago by Rob VandenBrink (0 comments)

View All Diaries →

Latest Discussions

convert OST to PST
created Oct 10th 2019
1 week ago by Anonymous (0 replies)

convert OST to PST
created Oct 10th 2019
1 week ago by Anonymous (0 replies)

convert OST to PST
created Oct 10th 2019
1 week ago by Anonymous (0 replies)

Suspicious Domain Scoring
created Oct 4th 2019
1 week ago by Luke (1 reply)

SANS ISC InfoSec News RSS Feed broken?
created Aug 29th 2019
1 month ago by Adi (2 replies)

View All Forums →

Latest News

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
2 years ago by Brad (0 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
2 years ago by Johannes (0 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
2 years ago by Renato (0 comments)

Detection Lab: Visibility & Introspection for Defenders
Dec 15th 2017
1 year ago by Russ McRee (0 comments)

An infection from Rig exploit kit
Jun 17th 2019
4 months ago by Brad (0 comments)