Friday, August 01, 2014

toolsmith - Threats & Indicators: A Security Intelligence Lifecycle

 *borrowed directly from my parent team, thanks Elliot and Scott

Microsoft .NET Framework, Version 3.5 or higher for IOCe
Python 2.7 interpreter for OpenIOC to STIX

I’ve been feeling as if it’s time to freshen things up a bit with toolsmith and occasionally offer a slightly different approach to our time-tested process. Rather than always focusing on a single tool each month (fear not, we still will), I thought it might be equally compelling, perhaps more, if I were to offer you an end-to-end scenario wherein we utilize more than one tool to solve a problem. A recent series I wrote for the SANS Internet Storm Center Diary, a three-part effort called Keeping the RATs Out (Part 1, Part 2, Part 3), I believe proved out how useful this can be.
I receive and review an endless stream of threat intelligence from a variety of sources. What gets tricky is recognizing what might be useful and relevant to your organizations and constituencies. To that end I’ll take one piece of recently received intel and work it through an entire lifecycle. This intel came in the form of an email advisory via the Cyber Intelligence Network (CIN) and needs to remain unattributed. The details, to be discussed below, included malicious email information, hyperlinks, redirects, URL shorteners, ZIP archives, malware, command and control server (C2) IPs and domain names, as well as additional destination IPs and malicious files. That’s a lot of information but sharing it in standards-based, uniform formats has never been easier. Herein is the crux of our focus for this month. We’ll use Mandiant’s IOCe to create an initial OpenIOC definition, Mitre’s OpenIOC to STIX, a Python utility to convert OpenIOC to STIX, STIXviz to visualize STIX results, and STIX to HTML, an XSLT stylesheet that transforms STIX XML documents into human-readable HTML. Sounds like a lot, but you’ll be pleasantly surprised how bang-bang the process really is. IOC represents Indicators Of Compromise (in case you just finally just turned off your vendor buzzword mute button) and STIX stands for Structured Threat Information eXpression. STIX, per Mitre, is a “collaborative community-driven effort to define and develop a standardized language to represent structured cyber threat information.” It’s well worth reading the STIX use cases. You may recall that Microsoft recently revealed the Interflow project which incorporates STIX, TAXII (Trusted Automated eXchange of Indicator Information), and CybOX (Cyber Observable eXpression standards) to provide “an automated machine-readable feed of threat and security information that can be shared across industries and community groups in near real-time.“ Interflow is still in private preview but STIX, OpenIOC, and all these tools are freely and immediately available to help you exchange threat intelligence.

The intel

As received from the undisclosed source via CIN, following is the aggregated threat telemetry:
·         Email Subject: Corporate eFax message
·         Email “Sender”: eFax Corporate
·         Malicious Email Link: hxxp://
·         Redirects to: hxxps:// (still active as this is written)
·         Expands to: hxxps://
·         Drops:
·         Contains: Fax_001_992819_12919.scr
o   Malware is CryptoWall variant:
§  MD5: 668ddc3b7f041852cefb688b6f952882
§  SHA1: 2bbab6731508800f3c19142571666f8cea382f90
·         C2:
o   hxxp://
o   hxxp://
o   hxxp://
o   hxxp://
o   hxxp://
o   hxxp://
o   hxxp://
o   hxxp://
·         Destination IPs and related domains
§  hxxps://
§  hxxps://
§  hxxps://
§  hxxps://
§  hxxp://
§  hxxp://
·         tor2800.tar
o   MD5: 14bbdcd889ec963d7468d26d6d9c1948
o   SHA1: 39d3bc26b8b6f681cc41304166f76f01eee5763b                      

Additional analysis in my malware sandbox yielded the following information:
·         Each time the .scr is executed it spawns a randomly named portable executable, negating the value of using said name as an indicator.
o   That said, the randomly generated PE spawns an additional PE file, consistently named dttey.exe
o   Dttey.exe deletes the randomly named PE that spawned it, and itself spawns vsspg.exe
o   There is extensive registry modification by all of the above mentioned PEs, some of which we can use for IOCs
o   Randomly named PE is Ransom:Win32/Crowti (CryptoWall)
§  Malware encrypts files on victim PC using a public key.
§  The files can be decrypted with a private key stored in a remote server.
§  Recovery of files is via a personal link that directs you to a Tor webpage asking for payment using BitCoin. The above mentioned IP,, is a TOR node. Netresec’s Erik Hjelmvik (CapLoader, Networkminer) covered this node as part of a deeper analysis well worth your reading.
·         Review the Anubis analysis as supplemental information

A compromised victim would be treated to a “service” to decrypt their files as seen in Figure 1. These spectacular @$$h@t$ even offer a very detailed instruction file that pops up, including an FAQ. What I wouldn’t do to these people…

FIGURE 1: CryptoWall decryption “service”
This is more than enough information with which to build a very useful and portable profile, starting with Mandiant’s OpenIOC and IOCe.

OpenIOC and IOCe

Per Mandiant, who created OpenIOC, it is “an extensible XML schema that enables you to describe the technical characteristics that identify a known threat” and allows for “quickly detecting, responding and containing targeted attacks.” Mandiant IOCe allows you to edit and create OpenIOC definitions with ease. Once downloaded and installed IOCe 2.2.0 opens to a fairly simple, rudimentary UI and workspace. Give the User Guide installed with IOCe a read, you’ll see a shortcut for it in your start menu. At first run you’ll need to establish a directory for your IOCs. Go grab the examples from the OpenIOC website as well (under Resources) and drop them in your newly created directory, they serve as good reference material as you begin to build your own.
I always include a description of the parent evil for which I’m populating indicators and give the .ioc a relevant name for the UI list. Recognize that the actual .ioc filename will be the GUID that IOCe generates for it. IOCe utilizes simple AND OR operators for its logic. Basic IOCs can be a collection of OR items; if you use the AND operator all connected elements must be true or the logic fails.
Given the data from the intel provided above, each entity would be added to the IOC definition via the Add: AND OR Item menu. The Item is an expending dropdown menu divided into multiple IOC families such as Email, FileItem, PortItem, and RegistryItem, all of which we’ll used given the data provided. You’’ find the MostCommonly Used Indicator Terms section of very useful to more easily search specific entries. Also keep in mind that both Mandiant Redline and Intelligent Response utilize and generate IOC definitions.
After generating all the related entries the resulting definition appears as seen in Figure 2.

FIGURE 2: IOC definition for CryptoWall variant created with IOCe
You can use this IOC definition with your Mandiant tools that consume it, or open it in IOCe to extract the indicators you may wish to add detection for via other tooling. This IOC, Ransom:Win32/Crowti (2a1b3f5d-b6ce-41d9-8500-153a1240a561.ioc) can be found on my website if you’d like to use it try these tools out.
We now have the opportunity to convert this .ioc file into STIX.


OpenIOC to STIX conversion is easily accomplished with Mitre’s script which is simply and OpenIOC XML to STIX XML converter.
One note, as I was writing this I was having trouble with the two email entities we added to the IOC definition; crashed until I pulled those entries.
Update 7 AUG 2014:  The bug related to (was actually in
has been repaired. Thanks to the Mitre team, Greg, Ivan, and Bryan for the outreach and rapid bug fix. See
You’ll need a system with a Python 2.7 interpreter available and Pip installed. You’ll need to then use Pip to install the Python STIX and Cybox library dependencies:
pip install stix 
pip install cybox
Then download and unpack the openioc-to-stix ZIP package or use the Git clone option. Once you have dependencies met and the scripts in place you need only run python -i -o . To convert the IOC definition I created above I simply ran python -i 2a1b3f5d-b6ce-41d9-8500-153a1240a561.ioc -o CryptoWallVariant.xml after commenting out the email indicator related markup; I’ve also hosted this file for your use.


STIXViz is really easy to install and run. Just download and unpack the package appropriate for your system then execute (StixViz.exe for Windows).
STIXViz is best exemplified with a more complex STIX file such as a Cyber Information Sharing and Collaboration Program (CISCP) Consolidated Indicators as collected by the IT-ISAC (Information Sharing and Analysis Center) and sourced from US-CERT Current Activity data. Note that you need to be an IT-ISAC member for access to these. STIXViz is written by Mitre’s Abigail Gertner and Susan Lubar and for those of you who share my fondness for visualization will represent a wonderful vehicle to do so with threat data. STIXViz includes Graph, Tree, and Timeline views. The Tree view is likely to be deprecated but the Graph View includes linking and relationship labeling (think Maltego) while the Timeline View “shows timestamped STIX data, such as incidents and their associated events, in a zoomable, scrollable display” as noted in release notes. Simply open STIX and select the STIX XML you wish to visualize from your file system via the Choose Files button. Once opened, you can select indicators of interest. I selected exfiltration indicators as seen in Figure 3.

FIGURE 3: STIXVix visualizes CISCP Consolidated Indicators
You will definitely enjoy playing with STIXViz and manipulating the view options as you can pin, freeze, and group until you’ve perfected that perfect report snapshot.
Speaking of that report, want to turn threat data into nicely managed HTML? You can Show HTML in STIXViz or use the STIX XML to HTML transform.


STIX-to-HTML is an XSLT that transforms a STIX 1.0/1.0.1/1.1 document containing metadata and categorized top level items into HTML for easy viewing. As with STIXViz, download the ZIP, unpack it and grab Saxon as this tool requires an XSLT 2.0 engine. I downloaded Saxon HE which provides saxon9he.jar as described in STIX-to-HTML guidelines. I simply copied saxon9he.jar right in my STIX-to-HTML directory for ease and convenience. Thereafter I ran java -jar saxon9he.jar -xsl:stix_to_html.xsl -s:CryptoWallVariant.xml -o:CryptoWallVariant.html which resulted in the snippet seen in Figure 4, only a partial shot given all the indicators in this STIX file.

FIGURE 4: STIX-to-HTML transforms CryptoWall STIX into an HTML report
You can also customize the STIX-to-HTML transform and add new STIX and CybOX as noted on the Wiki associated with the STIX-to-HTML project page.

In Conclusion

Great tools from Mandiant and Mitre, all of which make the process of gathering, organizing, and disseminating threat intelligence and easier prospect than some might imagine.
This is an invaluable activity that you should be situating close to or within your security monitoring and incident management programs. If you maintain a security operations center (SOC) or a computer emergency response team (CERT) these activities should be considered essential and required. James Madison said “Knowledge will forever govern ignorance; and a people who mean to be their own governors must arm themselves with the power which knowledge gives.” Those words will ring forever true in the context of cyber and threat intelligence. Use the premise wisely and arm yourself.
Ping me via email if you have questions (russ at holisticinfosec dot org).
Cheers…until next month.

Tuesday, July 01, 2014

toolsmith: ThreadFix - You Found It, Now Fix It


ThreadFix is self-contained and as such runs on Windows, Mac, and Linux systems
JEE based, Java 7 needed

As an incident responder, penetration tester, and web application security assessor I have long participated in vulnerability findings and reporting. What wasn’t always a big part of my job duties was seeing the issues remediated, particularly on the process side. Sure, some time later, we’d retest the reported issue to ensure that it had been fixed properly but none of the process in between was in scope for me. Now, as part of a threat intelligence and engineering team I’ve been enabled to take a much more active role in remediation, often even providing direct solutions to discovered problems. I’m reminded of a London underground (Tube) analogy for information security gap analysis (that space between find and fix) taken whilst stepping on the train. Mind the gap!

But with new responsibilities comes new challenges. How best to organize all those discovered issues to see them through to repaired nirvana? As is often the case, I keep an eye on some of my favorite tool sources, and NJ Ouchn’s Toolswatch came through as it often does.  There I discovered ThreadFix, developed by Denim Group, a team I was already familiar thanks to my work with ISSA. When, in 2011 I presented Incident Response in Increasingly Complex Environments to the ISSA Alamo Chapter in San Antonio, TX, I met Lee Carsten and Dan Cornell of Denim Group. They’ve had continued growth and success in the three years since and ThreadFix is part of that success. After pinging Lee regarding ThreadFix for toolsmith he turned me over to Dan who has been project lead for ThreadFix from its inception and provided me ample insight. Dan indicated that while working with their clients, they saw two common scenarios – teams just getting started with their software security programs and teams trying to find a way to scale their programs – and that ThreadFix is geared toward helping these groups. They’d seen lots of teams that had just purchased a desktop scanning tool who’d run some scans and the results would end up stored on a shared drive or in a Sharepoint Document Repository. Dan pointed out that these results though were just blobs of data such as PDFs being emailed around to development teams with no action being taken. ThreadFix gives organizations in this situation an opportunity to start treating the results of their scanning as managed data so they can lay out their application portfolio, track the results of scanning over time and start looking at their software security programs in a much more quantitative manner. Per Dan, this lets them have much more "grown up" conversations with management about application and software risk. A natural byproduct of managed data leads to conversations that evolve from "Cross-site scripting is scary" to "We've only remediated 50% of the XSS vulnerabilities we've found and on average it takes us 120 days which is twice as slow as what others in our industry are doing." WHAT!? An informed conversation is more effective than a FUD conversation? Sweet! Dan described more sophisticated organizations who are tracking this "mean time to fix" metric as better managing their window of exposure, and that public data sets, such as those released by Veracode and WhiteHat Security, can provide a basis for benchmarking. Amen, brother. Mean time to remediate is one of my favorite metrics.

Dan and the Denim team, while working with bigger organizations, saw huge struggles with teams getting bogged down trying to deal with different technologies across huge portfolios of applications. He cites the example of the Information Security group buying scanner X while the IT Audit group purchased scanning service Y and the QA team was starting to roll out static analysis engine Z. He summed this challenge up best with “The only thing worse than approaching a development team with a 300 page PDF report with a color graph on the front page is approaching them with two or three PDFs and expecting them to take action.” Everyone familiar with Excel hell? That’s where these teams and many like them languish, trying to track mountains of vulnerabilities and making no headway. Dan and Denim intended for ThreadFix to enable these teams to automatically normalize and consolidate the results of different scanning tools even across dynamic (DAST) and static (SAST) application security testing technologies. This is achieved with Hybrid Analysis Mapping as developed under a contract with the US Department of Homeland Security (DHS). According to Dan, with better data management, security teams can focus on high value tasks such as working with development teams to actually implement training and remediation programs. Security teams can take the data from ThreadFix and export it to developer defect tracking tools and IDEs that developers are already using. This reduces the friction in the remediation process and helps them fix more vulnerabilities, faster.
Great stuff from, Dan. The drive to remediate has to be the primary goal. The industry has proven its ability to find vulnerabilities, the harder challenge and the one I’m spending the vast majority of my focus on, is the remediation work. Threat modeling, security development lifecycles, and secure coding best practices are a great start but one way to take your program to the next level is the tuning your vulnerability data management efforts with ThreadFix. There is a Community Edition, free under the Mozilla Public License (MPL), which we’ll focus on here, which includes a central dashboard, SAST and DAST scanner support, defect tracker integration, virtual patching via WAF/IDS/IPS options, trend analysis & reporting, and IDE integration.
If you seek an enterprise implementation you can upgrade for LDAP & Active Directory integration, role based user management, scan orchestration, enhanced compliance reporting, and technical support.

Preparing ThreadFix

First, I tested both the 2.0.1 stable version and the 2.1M1 development version and found the bleeding edge to be perfectly viable. ThreadFix includes a number of plugins, and most importantly for our scenario, for OWASP ZAP and Burp Suite Pro. There is also a plugin for Eclipse too though for defect tracking and IDE I’m a Microsoft TFS/Visual Studio guy (shocker!). Under Defect Tracking there is support for TFS but I can’t wait until Dan and team implement a plugin for VS. J To get started ThreadFix installation is a download-and-run-it scenario. ThreadFix Community Edition includes a self-contained .ZIP download containing a Tomcat web & servlet engine along with an HSQL database. That said, most production environment installations of ThreadFix use a MySQL database for scalability; if you wish to do so instructions are provided. As ThreadFix uses Hibernate for data access, other database engines are also be supported.
Once you’ve downloaded ThreadFix, navigate to your installation directory and double-click threadfix.bat on a Windows host or run sh on *nix systems. Once the server has started, navigate to https://localhost:8443/threadfix/ in a web browser and log in with the username user and the password password. Then immediately proceed to change the password, please.
Click Applications on the ThreadFix menu and add a team, then an application you’ll be assessing and managing. My team is HolisticInfoSec and my application is Mutillidae as it has obvious flaws we can experiment with for remediation tracking.
After you download the appropriate plugins, unpack each (I did so as subdirectories in my ThreadFix path) and fire up the related tool. Big note here: Burp and XAP default proxy ports conflict with ThreadFix’s API interface, you’ll have contention for port 8080 if you don’t configure Burp and ZAP to run on different ports. For Burp, click the Extender tab, choose Add, navigate to the Burp plugin path and select threadfix-release-2.jar. You’ll then see a new ThreadFix tab in your Burp UI which will include Import Endpoints and Export Scan. You’ll need to generate API keys as follows: click the settings gear in the upper right hand of the menu bar and select API keys as seen in Figure 1.

FIGURE 1: Create ThreadFix API keys for plugin use
Click Export Scan and paste in the API key you created as mentioned above. Similarly in ZAP, choose File then Load Add-On File and choose threadfix-release-1.zap. After restarting ZAP you’ll see ThreadFix: Import Endpoints and ThreadFix: Export Scan under Tools.
You may find it just as easy to save scan results from Burp and ZAP in an .xml format and upload them via the ThreadFix UI. Go to Applications, then Expand All, select your Application, and click Upload Scan. You’ll benefit from immediate results as seen from an incomplete Burp and ZAP scans of Mutillidae in Figure 2.

FIGURE 2: Scan results uploaded into ThreadFix
The ThreadFix dashboard then updated to give me a status overview per Figure 3.

FIGURE 3: ThreadFix dashboard provides application vulnerability status
Drilling into your target via the Application menu will provide even more nuance and detail with the ability to dig into each vulnerability as seem in Figure 4.

FIGURE 4: ThreadFix vulnerability details
In order to enable IDE support for the like of Eclipse you’ll need to take a few steps from here
  • Have Team/Application setup in Threadfix
  • Have source code for an Application linked in Threadfix
  • Have a scan for the Application in Threadfix
  • Have the Applications scan linked to a Defect Tracker
Once you have it configured, you can select specific vulnerabilities and submit them directly to your preferred Defect Tracker under the Application view, then click Action. This is vital if you’re pushing repairs to the development team via the likes of Jira or TFS.
Additionally, if you’re interested in virtual patching, first create a WAF under Settings and WAFs where you choose from Big-IP ASM (F5), DenyAll rWeb, Imperva SecureSphere, Snort, and mod_security, which I selected and named it HolisticInfoSec. Click Applications again, drill into the application you’ve added scans for, then click Action and Edit/Delete. The Edit menu will allow you to Set WAF. I then selected HolisticInfoSec and click Add WAF. You can also simply add a new WAF here as well. Regardless, go back to Settings, then WAFs, then choose Rules. I selected HolisticInfoSec/Mutillidae and deny then Generate WAF rules. The results as seen in Figure 5 can then be imported directly into mod_security. Tidy!

FIGURE 5: ThreadFix generates mod_security rules
So many other useful features with ThreadFix too. Under Settings and Remote Providers you can configure ThreadFix to integrate with QualysGuard WAS, Veracode, and WhiteHat Sentinel. There are tons of reporting options including trending, snapshots (point in time), scan comparisons (Burp versus ZAP for this scenario), and vulnerability searching. Try the scan comparisons; you’ll often be surprised, amused, and angry all at the same time. That said, trending is vital for tracking mitigation performance over time and quite valuable for denoting improvement or decline.

In Conclusion

Make use of the ThreadFix wiki to fill you in on the plethora of detail I didn’t cover here and really, really consider standing up an instance if you’re at all involved application security discovery and repair. This tool is one I am absolutely making use of in more than one venue; you should do the same. You’re probably used to me saying it every few months but I’m really excited about ThreadFix as it is immediately useful in my every day role. You will likely find it equally useful in your organization as you push harder for find and fix versus find and…
Ping me via email if you have questions (russ at holisticinfosec dot org).
Cheers…until next month.


Dan Cornell, CTO, Denim Group, ThreadFix project lead
Lee Carsten, Senior Manager, Business Development, Denim Group