Enterprise Incident Response: Network Intrusion Case Studies and Countermeasures

Transcription

1 Enterprise Incident Response: Network Intrusion Case Studies and Countermeasures Eric J. Eifert Vice President, Cyber Defense Division ManTech s Mission, Cyber, & Technology Solutions

2 Presentation Overview Background Intrusion Methodology Case Studies Impact to Organizations Countermeasures and Mitigations

3 Speaker Background I have worked in the Incident Response, Investigation, and Computer Forensics industry for 15 years I lead a specialized division of Network Security professionals supporting both US Government and Commercial customers I am a Special Agent of the Air Force Office of Special Investigations I have spent a number of years living and working cyber crime in Europe, Africa, and SW Asia

4 Material Background Case studies are a blend of real world intrusions impacting large commercial and government organizations Incidents range from enterprise wide intrusions to small localized attacks All examples are UNCLASSIFIED; materials are open source or approvals were obtained to provide this data without attribution Three different delivery methods with the same payload types, quirks, and style

5 Intrusion Methodology 3 Definitive Stages/Techniques Initial Attack Vector Second-Stage Toolkit Lateral Movement, with Data Exfiltration in certain instances

6 Stage 1: Initial Attack Vector Over the past several years we have seen a shift away from attackers targeting network devices Targeting the individual User is becoming much more popular and successful Objective to gain control of User s workstation on internal network then move across the network Variety of attack vectors Introducing Removable Media Web Browser

7 Stage 2: Second-Stage Toolkits Additional tools uploaded to victim system These tools were used for C2 control system functions, collect and exfiltrate data, scan network, and cover the intruder s tracks Used a variety of common outbound communications ports to hide traffic TCP/53 (DNS) TCP/80 (Web) TCP/443 (SSL) Outbound traffic typically encrypted or obfuscated Variety of beaconing methods used to alert intruder of compromise Analysis uncovered C2 and phone-home utilities. Many phone-home remain active while others remain dormant for periods of time.

8 Second-Stage Toolkits Second-Stage Tools Functionality» Identify passwords in system memory» Add/Remove Filtered Ports» List/Kill Processes» Reboot/Shutdown/Logoff» Install/Check/Remove/Reset Port for Terminal Services» List/Install/Remove/Start/Stop Services» Download Files via HTTP/FTP» Clone/Delete/Never-Logged-On Account Manipulation» Secure Deletion of Files/Directories» Wipe Free Space» Log Keystrokes» Capture Webcam shot or Video» Network Scanning

9 Second-Stage Toolkit Trojan that appears to be a folder

10 Stage 3: Lateral Movement & Data Exfiltration Once foothold established and toolkits uploaded, lateral movement begins Variety of published and unpublished exploits used to compromise additional systems Systems searched and sensitive data exfiltrated via encrypted channels

11 What makes this relevant? The current methodologies being used today have remained in use for several years primarily because it is still producing results. Understanding the attack methodology allows us to develop a comprehensive response We need to increased user awareness and accountability We need stronger protection at boundaries We need to build the right teams and equip them with the right tools A moment of reflection

12 Case Study 1:

13 Method of Attack Trojaned s are sent from intruder targeted at specific organizations and people Trojaned s, when opened, compromise a system and enable attackers to infiltrate internal networked systems Timeline: Then Attackers search systems and network for data files and exfiltrate information through encrypted channels

14 Attack Upon opening the document, the real document would display while hidden activities executed in the background Application may or may not crash A reverse shell leveraging port 443 (SSL) downloaded command and control tools from a dynamic domain Traffic was not SSL encrypted but was obfuscated Intruder then gained access and conducted network scanning, data collection, and data exfiltration

15 Attack Intruder was identified by network analysis, outbound IP address for C2 was flagged List of notable IPs collected via all source intelligence means Full content internal network collection allowed for monitoring of intruder as well as collection of tools being utilized by the intruder Reverse engineering of tools disclosed similarities to known intrusion sets In one instance, Administrators had previously installed anti-spyware utilities, but could not rid system of strange behavior

16 Attack - Payload Analysis 1 2 3

17 Method of Attack Trojaned s are sent from intruder targeted at specific organizations and people Trojaned s, when opened, compromise a system and enable attackers to infiltrate internal networked systems Timeline: Now Attackers search systems and network for data files and exfiltrate information through encrypted channels

18 Summary Sent from spoofed address messages sent to Executive Distro list Trojaned Adobe PDF or MS Office Attachment Contained real Adobe or Office document Malicious injection file Reverse shell capability Recent exploit took advantage of a memory corruption vulnerability in the JBIG2 filter in Adobe reader

19 Case Study 2: Removable Media

20 Unwitting Insider Attack Virus infected laptop was introduced to the internal network thus propagating the worm throughout the organization Individual did not realize they were infected No anti-virus scanning was done prior to allowing the laptop to connect to the network Out of date anti-virus software allowed for a massive infection of the network Containment and recovery of operations was a major challenge Timeline: Both Then and Now

21 USB-Delivered Malware Infected USB memory stick carrying Trojan Multiple variants; Malware not detected by AV Clearly targeted specific orgs and computing infrastructure Establishes C2 with comms back to external locations Relied on Windows Auto-play feature Autorun.inf on infected USB points to malware In one instance, malware was located in RECYCLER folder on device Timeline: Then

22 USB-Delivered Malware Same basic C2 communications obfuscation/hiding techniques as XOR obfuscation/ encryption Communication over common ports: 80, 8080, 443, 1863 (MS Notification Protocol) Non-standard protocol; in certain instances, not proxy aware C2 capabilities included Shell access Data exfiltration Timeline: Then

23 Case Study 3: Web

24 Web Attack Scenario Attackers planned ahead and identified their targets Compromise website(s) Drop malicious code or IFRAME link to users in certain instances Compromise systems Rifle or Shotgun approach Elevate privileges IFRAME Attack Scenario In certain instances, password-capturing binaries used Spread laterally to other systems from points of entry Timeline: Both Then and Now

25 Targeting Common Sites IFRAME dropped on USA Today, ABC News, Target, Walmart, Miami Herald, Bloomingdales, Sears, Forbes, etc. Code placed on a variety of systems in order to redirect users to malicious websites

26 Summing it all up Three case studies containing real-world examples from both THEN and NOW Demonstrates techniques intruders have used for the past few years and are actively using today to compromise networks Let s expand on the following: Impact Countermeasures & Mitigations

27 Impact Many, many incidents to-date; attack frequency continues to increase Adversary methodology has evolved; getting bolder after every successful exploitation One case study: Countless systems compromised and many tools uploaded 73 unique malicious executables prior to containment Data exfiltration occurred via obfuscated channels 120+ confirmed compromised hosts; mostly servers communicating outbound over port 443 to DynDNS sites Another example: Specialized tools/techniques used to hide activities Extremely difficult to determine if all implants were discovered Some remained dormant for up to six months at a time Potential data loss is immeasurable Multiple GB of data compressed and exfiltrated

28 What is being stolen? All user generated data No system files, executables, or other common files Personally Identifiable Information (PII) Research documentation, proposals, proprietary information System information Used to attribute the exfiltrated data Gain a better understanding of system configuration Network structure Mapping of internal network Target lists for lateral movement

29 Anti-virus Encoding or 1 st -Gen evaded AV Employees Unwittingly exploited Awareness Increase awareness training and testing (weakest) Firewalls Permitted services/ports Fully Patched IDS Countermeasures & Mitigations Exploited prior to public release or patch availability Thwarted by encoding or modified communications (in certain instances) Detect, block, and capture malicious messages Extract user files and analyze for maliciousness IDS/IPS & SIM Comprehensive traffic analysis and reporting Constant signature modification and tuning Internet Authenticated access Patching Mitigate exposure to public vulnerabilities Enterprise interim patching for unpubs Privileges Least privilege principle Proxy and firewall control Block domains, IPs, and strings Enterprise IR Capabilities Skilled team and tools

30 User Awareness Training Include authentic scenarios in security education programs and user awareness Reoccurring and specialized one-time or onthe-spot training hold users accountable

31 Test the Awareness Training Program Use technical Social Engineering to test security education programs and user awareness Phishing Unofficial use of USB thumb drive s Etc. Provides immediate feedback Assesses organization s structure for reporting and responding to suspicious activity

32 G0-Green Scenario Phishing scenario designed to solicit user action and involvement in the Go Green for Government contest. Once users click contest link, they are prompted to download and execute the ImageViewer.exe trojan Mock G0-Green Website w/ File Download Window sent to Employees

33 USB Thumb Drive Scenario Foreign USB Thumb Drives Designed to extract user name, computer name, remote IP address, date/time, and send it back to a designated location for harvesting

34 USB Thumb Drive Scenario 1. Test team places USB key near the entrance, break area, or inside common areas of an organization s facility. Places USB Key near building Victim Facility 2. User finds USB key and inserts it into his/her workstation and the attacker s program is automatically executed. The program contacts the attacker s computer, giving him complete control of the user s computer. Victim Computer Program contacts Attacker s computer

35 Enterprise IR & Forensics In all case studies the attackers utilized custom tools and spread (or attempted) rapidly throughout the enterprise Containment was the primary goal of the IR Team, identification of all victims remains a challenge Capturing network traffic allows an IR team to gather clues Using enterprise forensic capabilities quickly allows team to identify compromised hosts throughout an enterprise Evidence collection may be accomplished from around the world via a centralized place, saving time and money

36 Enterprise IR & Forensics What capabilities are needed? What skillsets are required on the team? Full-scope incident response, analysis, and investigation From initial telephonic response to final report and support in legal proceedings Range from internal investigations involving employee misuse to large scale intrusions committed by sophisticated global attackers Includes log analysis, capturing volatile data, installing network sniffers, network forensics, and host-based forensic analysis Advanced capabilities to include malware analysis, cyber CI analysis, memory collection/analysis, reverse engineering, and custom tool development 36

37 MEMORY ANALYSIS WinDD capture memory Dump and analyze contents Enterprise IR & Forensics Tools Binaries OS version PID & PPID PWD DLL & image path Window title Modules loaded Open handles Create and exit time Sockets FUZZY HASHING Enterprise level IR comparison of files recovered from multiple systems confirms 1, 3, and 4 are closely related a x a a b f y z d f e f COMBINATION NETWORK/HOST Network-based utilities SIM/IDS/FCTC/Proxy/Network forensics Response and volatile data utilities Open source/custom (BEEP) Host-based forensics utilities Commercial/Open source/custom utilities AD-HOC Immediate ad-hoc support available Code/application/OS review Hook vulnerable functions and monitor calls Correct calls prior to exploitation Configurable to send alerts Baseline and analyze enterprise traffic Monitor and baseline traffic Identify and report anomalous traffic Utilities and Methodology: Custom and Commercial

38 Conclusion Provided you a brief overview of current attack methodologies and how our current defense-in-depth security practices are failing Upgrading defenses and processes are essential Moving from signature based IDS to intelligence IPS systems Developing comprehensive awareness training to include testing Properly preparing for the inevitable compromise Building sufficient IR teams with the right skill set and equipment Having situational awareness of your network and collecting data that can be used during an incident response

39 QUESTIONS