Hash Values – A Trivial Artefact

Readers!

Merry Christmas and Happy new year to all. The days of holiday spam and vendor predictions are here.

Here I am spending summer afternoon watching TV and writing on my blog. As I am bit lazy during holidays I am posting something simple. The post is about HASH values and how trivial they are in identifying malicious files/programs.

You can read about Hash here.

Hash values are important to first verify the files. Think of it as a signature or footprint. As living beings has a signature or footprint that we can recognise them from, similarly files  have something called digital footprint that we can identify them from.

Take example of HashCalculator. Following screenshot shows different hash values of HashCalc.exe.

hashcalc

As you can see HashCalc provides lot of information (digital footprint) of its own. With regards to security the hashes are normally used to verify the file as mentioned earlier. Let’s look at the output in brief for commonly used hash values :

  • MD5 – Based on Message Digest algorithm. Normally represent as 32 hexadecimal digits. Vulnerable to collision attacks. Read further here.
  • SHA-1 – Secure Hash Algorithm 1. Represented as 40 digit hexadecimal digits. Generates 160 bits message digest. Vulnerable to collision attacks. No longer in use and has been replaced by SHA-2 and SHA-3. Read further here.
  • SHA-256 – Secure Hash Algorithm 2. Represented as 64 digit hexadecimal digits. Generates six digests – SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256. Read further here.

Now, why the blog entry. The information is available on google and Wikipedia. Reason for the blog is Hash values are considered trivial/important in Threat Intelligence and/or cyber security world. Lots of OSINT, vendor intelligence systems share hash values of known malware dropper. This could be an executable, MS office document, Adobe document, image files etc.

Following are few scenarios where Hash values can assist :

  • Hash values can assist in identifying whether the file/program that we have is legitimate or not.
  • Lot of malware analysis blogs will always provide Hash value of identified file/program.
  • The Hash value is also used by Endpoint solutions to detect known malicious files/programs.
  • During Incident Response, one can also use Hash values in YARA rules to detect any malicious files/programs.
  • Organisations can have a list of program with the Hash values of known good  and authorised programs in their organisation, which than can be used to identify any unwanted programs on the system, either via endpoint for real time detection and/or during incident resposne. Benchmarking/Baselining is a complicated process and sometimes not feasible in large organisations.

NIST provides list of known good hash values of legitimate programs, that one can use to compare good vs bad. Read here.

Hash values are just another indicator that gives more targeted detection of malicious files/programs. IP address and URLs are dynamic, not 100% reliable and have low confidence level as a Threat Indicator and therefore Hash values is considered important artefact in Security world.

Happy Holidays!

 

SANS FOR578 Cyber Threat Intelligence – Course Review

Readers!!!

Advanced greetings for Christmas. Before I start make sure to check out SANS Holiday Hack Challenge here.

Recently, I was honoured to attend one of the SANS course For578 – Cyber Threat Intelligence. SANS instructor was one of the best in business Robert M. Lee. My reason to attend SANS training is purely because they are one the best security training provider, and when they announced FOR578 last year I was very keen in SANS take on Threat intelligence. I have been self-learning about threat intelligence via Lockheed Martin, various webcasts via SANS and other providers and realised that every vendor has different approach with Threat Intelligence.

I had prior knowledge Threat Intelligence and this course helped to me to get the best out of it.

After the end of the first day, I was having a very good understanding with what Intelligence is and how it is associated with Cyber Threats. Most of the time, in name of Threat Intelligence, vendors or service providers end up sharing Threat Indicators with some nice dashboards and portray the system as Threat Intelligence system. I have always been saying we need to move beyond Indicators based systems (yes its still good to have those), and concentrate more on Tools, Techniques and Procedures of our adversary. The content of the course actually aligned with my thinking and helped in better carve my thinking and actually implement in real life.

During the course, I learned how to track a threat actor or a campaign and how to best showcase that information across your organisation. Tools such as CRITS, MISP, Threat_note were used. Kill-Chain model and Diamond Model were explained in detailed and LABS were designed in way to implement these models.

One of the interesting LAB was to review vendor Threat Intelligence report. The report could be regarding a APT, analysis of an threat actor or generic briefings across the global related to Cyber Threats. In this exercise, we learned about biases and how multiple input to one single report may change the actual outcome of the report or identification of adversary.

Other LABS were related to extracting intelligence out of vendor reports, tracking a campaign and what artefacts to collects during intelligence exercise and how to provide evidence to your hypotheses. LABS that concentrated in how to share Threat Information via STIX, YARA and OpenIOC. The course has very good real life case studies with regards to Thr

At the end of the fifth day, I knew what actual Threat Intelligence means and how we can use that in our organisation.

For those who are thinking to take the course, would highly recommend to take it.