Eric Partington

SSL and NetWitness

Blog Post created by Eric Partington Employee on Aug 29, 2016

Encrypted traffic, we all can see that the percentage of encrypted traffic is increasing month by month making it harder to detect and investigate malicious traffic.  With services like Let's Encrypt the bar is lowering to how much effort it takes to get a valid certificate for whatever purpose.

I was following the twitters and noticed this interesting post which got me thinking about what we can see with regards to ssl certificate information.

Hunting Threat Actors with TLS Certificates

The RSA Live TLS_Lua parser gets you some interesting information about the CA, Subject, and Serial as well as a number of interesting meta artifacts.  There are a few changes that you need to make to the default indexes to be able to perform more than exists or !exists queries on those fields which might be useful to allow pivoting on specific certificate CA or other items.

Default values as of 10.6.1 for index-concentrator.xml

<key description="SSL CA" level="IndexKeys" name="ssl.ca" format="Text" />
<key description="SSL Subject" level="IndexKeys" name="ssl.subject" format="Text" />

 

Changes to default index-concentrator-custom.xml

To make ssl.ca and ssl.subject queryable by more than exists or !exists and adding one more key ssl.serial

Before making changes, test, test again and then test.

 

    <key description="SSL CA" level="IndexValues" name="ssl.ca" format="Text" valueMax="100000" defaultAction="Closed"/>
    <key description="SSL Subject" level="IndexValues" name="ssl.subject" format="Text" valueMax="100000" defaultAction="Closed"/>
    <key description="SSL Serial" level="IndexKeys" name="ssl.serial" format="Text" valueMax="10000" defaultAction="Closed"/>

 

Now you have the ability to search and pivot on CA and Subjects in your environment for unusual CA authorities. 

  • What are your top 10 CA ?
  • What are your bottom 10 CA ? anything unusual there ?
  • self signed internal certificates ?
  • indications of CAs from IOT devices? 
  • Are there alerts or risk.* for self signed certs or cert chain missing ?

I have included a profile group for crypto traffic as well as a meta group for similar traffic.  The profile looks for crypto exists to locate traffic where crypto is detected and that meta is written.

 

Testing with a bunch of test pcaps got me this nice mix of CA's but I'd be curious to see what larger environments with more diverse traffic would see.

SSL CA

 

Here is my meta group to pull together some interesting metakeys for crypto traffic

metakeys crypto

 

If you have access to RSA NW and the RSA Live section you can click on TLS_Lua and locate details to see in depth what is written and when.

 

There is also the ability to create custom lookup actions called Context Menu items that allow you to right click on a meta value and look up that value at an external url (as parameter {0}).  So I have also included below the code to enable right click lookups on the ssl.ca and ssl.subject and query google for that information.  Never know what will pop up that is useful but saves time trying to select, ctrl+c and paste into google.

 

{
    "displayName": "Google SSL CA",
    "cssClasses": [
        "ssl.ca",
        "ssl-ca",
        "ssl.subject",
        "ssl-subject"
    ],
    "description": "",
    "type": "UAP.common.contextmenu.actions.URLContextAction",
    "version": "1",
    "modules": [
        "investigation"
    ],
    "local": "false",
    "groupName": "externalLookupGroup",
    "urlFormat": "http://www.google.com/search?q={0}",
    "disabled": "",
    "id": "GoogleSSLCA",
    "moduleClasses": [
        "UAP.investigation.navigate.view.NavigationPanel",
        "UAP.investigation.events.view.EventGrid"
    ],
    "openInNewTab": "true",
    "order": ""
}

context-sslca-google

 

Happy hunting, comment or DM if you find anything interesting in your networks that you can share.

Outcomes