Filtering by Tag: dfir

How did Target get hacked?

Protection of windows means different things in different environments! If you follow the news, you know that Target got hacked to the tune of at least 110 million credit card numbers (and some PINs) lost.  But, how did it happen?  Hardly anyone is asking or answering that question.  You can find plenty of articles that tell you what happened once the attackers go in:  Memory scraping on the POS devices and servers, a Russian teenager, famous coders, etc.

My question is different.  How did they get in initially?  I think as an industry we focus too much effort on what happened after the attackers get it.  Do not misunderstand me.  We absolutely need to scope the breach, determine what happened, what was stolen, changed,  and such.

We need to spend more time, money, and technology on understanding exactly how the compromises are being made.  I was just talking with another security professional recently who was telling me what versions of Java that current variants of Zeus was exploiting.  Guess what?  Zeus doesn't exploit anything.  It does not take computers over.  Zeus is just a piece of software that can get installed by anyone with administrative access to the computer.  It is what some people call "Stage 2" malware.  In the Cyber Kill Chain, this would be the Install phase.

There is a whole world of what we call "Stage 1" malware.  Some of these software packages are also called "Exploit kits" as it has gotten pretty commercial.  Ones that come to mind are Blackhole, Cool, Phoenix, and others.  There are custom exploit tools as well.    In the Cyber Kill Chain, I'm talking about the Exploit phase.

The problem with what I'm asking is that it is not easy to find out how computers got exploited.  There are very few tools on the market that help give you visibility into Stage 1 malware.  FireEye and Mandiant (now one company) create tools to help.  Most of your anti-virus vendors really focus on Stage 2 malware.  In other words, they are looking for the malware that makes the news like Zeus and others.

Typically, Stage 1 malware (the real exploit) is deleted from the box after it's job is done and the Stage 2 (Zeus, BlackPOS, etc) malware is installed.  That's why it is hard to determine how the computer got "infected".

If we take the money we would spend on that latest silver bullet security product and double down on visibility and process, we can really cut down on large intrusions like the one at Target and now Neiman Marcus.

Here is a list of action items off the top of my head.  I'd like to drill into these in later posts.

  • Build visibility into networks and computers
  • Design an ecosystem to capture that visibility
  • Make it easy to search and narrow down events by time
  • Have your users send you anything they feel is suspicious
  • Determine what exactly got exploited each both by analyzing the events and user input
    • You need people to do this:  Analysts
    • This is where you get some of your best threat intelligence, by the way
  • Measure and track the exploits seen on your network
  • Research what vulnerable pieces of software are hit most often on your network
  • Uninstall that vulnerable software OR put a lot of rigor around patching those vulnerable applications
  • Feed current threat intelligence (not lists of 90000 bad IP addresses) into your detection platform
  • Measure time to detect and remediate exploits and work hard to lower that time.
  • Look for data leaving your company.   Show that to management.  Often.
  • Demonstrate the tie between the trend of exploits and data leaving the building.

There are companies and vendors that get this and are working hard to solve the problem as stated above.  Other companies just want to sell you "signature update" subscriptions on an annual basis and are not really interested in solving the problem wholesale.  The companies most interested in selling subscriptions are short sighted because there will always be a better mouse no matter how good we build the mouse traps!

Just remember:  Stage 1 malware (aka - The exploit) and kick-butt Incident Response is where the money is.  If you cannot get access to the computer, you cannot install your cool botnet or memory scraping software.  When the bad guys are successful, they will have time to stage these large hacks (ala Target, TJX, Sony, etc)  if the Incident Response team kicks them out quickly.

Until next time...


MIRcon 2013 Day One overview

logo_mircon2013Richard Bejtlich (CSO) kicked off the Mandiant's MIRcon 2013.  He talked briefly about the past year including overviews of two public incidents and introduced Kevin Mandia (CEO). The two incidents Bejtlich described are:

Kevin Mandia talked about the evolution of computer incidents from both the attacker and defender perspectives from when he started in security (1993) until today.  Good stuff.  He even talked a little about the old Air Force system that we used to use back in the 1990s, ASIM (Automated Security Incident Manager).  I remember when they started rolling those out.  If memory serves, it was around 1996 or so.

Two points that Kevin made stood out in my mind:

  • Defenders should align vertically the way attackers tend to do.  Bottom line:  Share with like-minded folks in your industry or sector.  He noted that attackers tend to align on sectors and build expertise on like companies.
  • We need to reduce containment times down to ten minutes.  Yes, that is aggressive.  Is it fast enough?  Kevin's simple answer:  Yes.  :-)

Grady Summers hosted a panel of folks that do real-world response for Mandiant.  Keeping with my theme of two's.  There were a couple of things I took away from this panel.

  • Trends show a decrease in the use of malware for maintaining persistence in organizations.   What this really means is that attackers are obtaining and using legitimate user credentials much more often.  This really raises the complexity for incident responders.
  • Attackers are using legitimate sites to get around domain blocking or blacklisting.   Sure, this one is in the weeds, but it just struck a chord with me.  The primary example they mentioned was using Google Translate or Babelfish to get C2 from online discussion forums.  That is beautiful in it's simplicity and effectiveness.  Our global economy requires language translation from time to time.    Another reason it struck me, after the fact, is that Mike Siko blogged about this almost two years ago and I missed it!  Bottom line:  Make sure your web proxy is configured to look for URLs in GET requests.

There are two main tracks for the conferece:  Management and Technical.  I attended sessions from both tracks and will put out some thoughts from those sessions if anyone is interested.

Former FBI director, Robert Mueller gave a late afternoon keynote.  His talk warrants a dedicated blog post.  Lots of wisdom from him.  It was a great way to close the day.