All too often I have seen basic operational security practices not being adhered to by analysts when performing their analysis. This article is aimed at the Cyber Security Professional and is designed to provide guidance on general dos and don’ts when conducting intrusion analysis. This is by no means an exhaustive list but will hopefully offer some guidance and provoke thought on what data could be potentially leaked during your analysis process.
Operational Security, or OPSEC is the practice to view your actions (operations) from the attacker’s perspective with the goal to protect sensitive information. It is all about making sure we do what we do safely and securely.
Why is This Important?
As a Cyber Intel Analyst / Intrusion Analyst (whatever the buzzword is now) we handle some sensitive information and hold the keys to the kingdom. Consider what an adversary could do with our credentials! Be mindful of the footprints we leave behind and consider the consequences your actions could have.
Failings in your operational security could impact your employer/company in multiple ways, including:
- Reputational Damage
- Loss of trust in the security team within your company
Open Source Intelligence OPSEC
When conducting your analysis, you will likely perform OSINT (Open Source Intelligence) research in your workflow to identify what the rest of the security community is seeing or if they have seen and documented the malware sample, email campaign, or any other relevant piece of information you are investigating at the time.
Online Analysis Tools (VT, URLQuery etc.)
There are many free tools for looking up potentially malicious domains, URLs, IPs, MD5s etc. From tools such as URLQuery and urlscan.io for domain and link analysis to VirusTotal and Hybrid-Analysis for file upload and analysis.
Although these tools are awesome and should be utilised to (as mentioned above) understand if what you are analysing is already documented in the wild – no need to duplicate work right! You should, however, use these with caution.
Care should be taken when using these online and public tools. There is the potential of operational leakage or tipping off the adversary if you upload a file to VirusTotal for analysis. Even more so if you are analysing a targeted attack, the adversary will likely be monitoring such tools for their malware sample being submitted.
Further any URLs you identify during your analysis that might be used for tracking, and specific to your company domain, you should at least sanitise before submitting to one of these online services, for example, http://www.maliciousdomain.com/bad.php?user=user@yourcompany.com, can be changed to
http://www.maliciousdomain.com/bad.php?user=randomname@example.com
Here is some basic don’ts when it comes to using these online tools:
- Don’t upload an unknown sample to VT, if you search the MD5 on VT and it is not found – do not upload it for analysis
- Don’t submit a suspicious URL for analysis with potential company information included in the URL, such as an email address
- Don’t visit suspicious URLs with potential company information included in the URL – sanitise it first
- Don’t visit suspicious URLs with without first considering the potential risk and the consequences our actions can have – For example a URL with /?a=13637&b=73737&c=736366 could be a potential call back to an adversary.
- Never investigate suspicious URLs on any corporate asset
- Consider your source IP (public IP), if traceable back to your company it may tip off the adversary – Be mindful of the footprints we leave behind
- Don’t upload company code to online parsers/decoders
Note: Check out our article for setting up Lookyloo, a tool similar to URLQuery but local instance – with all data stored locally.
Sanitise Suspicious URLs
It’s important to sanitise any links/URLs shared via email, posted into a chat program, or documented into a ticketing system – ensures they are not clickable. Of course, the full URL is maintained in any database of malicious indicators maintained by the security team. Also, some chat programs will prefetch the page and thereby result in further security alerts. Sanitisation is accomplished by converting http to hxxp and inserting square brackets around any “.” Example:
- http://www.example.com
- Would become:
- hxxp://www[.]example[.]com
Tools Configuration
General security practices apply such as strong passwords, password manager, do not hard code credentials in scripts, and so on. However, there are a few configurations you can make to your tools on your corporate asset to improve OPSEC during your analysis.
Chrome and Firefox
Beyond the basic step of installing an ad blocker such as uBlock Origin – below are some additional settings that I’d recommend are changed to ensure you minimise the risk of data leakage during suspicious URL analysis.
The following settings were verified on version:
- Chrome – Version 74.0.3729.108 (Official Build) (64-bit)
- Firefox – 66.0.3 (64-bit)
Disable DNS Prefetching – Chrome
To disable DNS prefetching in Chrome, follow these steps:
- Type chrome://settings into the address bar, press Enter
- Scroll to the bottom and hit “Advanced”
- Next enter “preload” into the search box
- Ensure the option “Preload pages for faster browser and searching” is switched off, as seen below:
Disable DNS Prefetching – Firefox
To disable DNS prefetching, create a new Boolean preference named network.dns.disablePrefetch in about:config and set it to true, as follows:
- Type about:config into the address bar, press Enter
- Search for network.dns.disablePrefetch to ensure the option isn’t already set, if no results:
- Right-click in the preferences list and select “New -> Boolean”
- Type or paste in the preference name network.dns.disablePrefetch and click OK
- Select true as the value and click OK
- network.dns.disablePrefetch = true
Information Retrieved from: http://kb.mozillazine.org/Error_loading_websites#DNS_prefetching
Disable Link Prefetching – Firefox
Firefox will prefetch certain links if any of the websites you are viewing uses the special prefetch-link tag. To disable link prefetching:
- Type about:config into the address bar, press Enter
- Search for network.prefetch-next
- Double click (or Right-click > Toggle) to change the Value to false
Information Retrieved from: https://support.mozilla.org/en-US/kb/how-stop-firefox-automatically-making-connections
Disable Referer Header – Firefox
HTTP is the application-layer protocol with which most web pages are transferred. As part of HTTP, requests can include a “Referer” (sic) header that tells the server which page the user was on that initiated the request. Servers use this information to track users’ paths through the site and possibly provide additional features. To disable sending the referer header being sent, follow these steps:
- Type about:config into the address bar, press Enter
- Search for network.http.sendRefererHeader
- Double click (or Right-click > Modify) to change the Value to 0
- 0 = Never send the Referer header or set document.referrer
- 1 = Send the Referer header when clicking on a link, and set document.referrer for the following page
- 2 = Send the Referer header when clicking on a link or loading an image, and set document.referrer for the following page (Default)
Information Retrieved from: http://kb.mozillazine.org/Network.http.sendRefererHeader
NotePad++
I use NotePad++ every day during my analysis workflow, dumping analysis data into the tool (which can include URLs or domains). By default, Notepad++ allows clickable links. To disable this feature, follow these steps:
- Navigate to Settings
- Preferences
- MISC.
- Uncheck the box for “Clickable Link Settings” – as seen below:
As mentioned during the intro, this is by no means an exhaustive list, as adversary techniques are constantly changing, so should your methods to remain operationally secure. Further tools are constantly updated with new “features” added or settings overwritten, as such you should maintain and validate your toolset.
Follow @0Cranky_Chris
Run As Root 
Nice post!
LikeLike