Remediating compromised environments: Case Studies from large and small enterprises
Wendi Rafferty (Mandiant, US)
Commercial sector breakdown (2010 Mandiant data)
Breakdown of IR investigations performed in 2010 by Mandiant
- Cryptography and Communication – 20%
- Space and satellites and Imagery – 19%
- Energy – 18%
- Media / Public Relations – 10%
- Technology – 10%
- Legal – 9%
- Chemical – 5%
- Hospitality – 2%
- Mining – 2%
- Automotive – 2%
What is remediation?
Remediation is usually divided into two or more distinct phases. Once you have discovered and remediated the direct attack, the second phase involves reviewing processes, systems and controls to prevent future attacks and to enable a faster response next time.
Part 1 –> Successfully removing an attacker from your network
- Identifying their activity
- Implementing countermeasures
Part 2 –> Developing a plan and capabilities to:
- Successfully detect future attacker activity
- Respond quickly to future attacks
Solutions and investments in protection are specific to each organisation and depend on a number of factors. The goal is not to prevent every future attack, but to mature the organisation's posture so that it can detect and react to further attacks more quickly. A quicker response stops an attacker from spreading further into the network.
What makes remediating a targeted attack difficult?
- Attackers have access to a wide range of malware
- Attackers who escalate behaviour based on your response
- You can’t stop 150,000 users from opening an email. Something will get through
Visibility –> Detection –> Response
If you’re not tracking, logging and analysing data then you’re at a disadvantage.
Initial Leads -> IOC Creation -> Deploy IOC -> Identify Suspect Systems -> Preserve / Collect Evidence -> Analyse Data
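As an added example (not from the talk), the middle of that chain, IOC creation, deploying the IOC and identifying suspect systems, in Python: a constructed OpenIOC 1.0 document (OpenIOC is the indicator format listed under point solutions at the end of these notes) is evaluated against per-host artefact inventories, and the hosts it matches become the suspect-system list. The element names and the search terms FileItem/Md5sum, ProcessItem/name and DnsEntryItem/Host are OpenIOC vocabulary; the hash, process name, domain and host inventories are placeholders constructed for the example, and only the OpenIOC 1.0 conditions "is" and "contains" are handled.

```python
"""Sweep host artefacts with a minimal OpenIOC 1.0 indicator (added example).

The IOC document and the host inventories below are constructed for
illustration; the hash, process name and domain are placeholders, not
real indicators. Only the 'is' and 'contains' conditions are handled.
"""
import xml.etree.ElementTree as ET

NS = "{http://schemas.mandiant.com/2010/ioc}"

# Constructed IOC: a host is suspect if it holds the dropper (by MD5),
# OR it runs the backdoor process AND has resolved the C2 domain.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001">
  <short_description>Constructed example: placeholder backdoor</short_description>
  <definition>
    <Indicator operator="OR" id="ind-1">
      <IndicatorItem id="item-1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="ind-2">
        <IndicatorItem id="item-2" condition="contains">
          <Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
          <Content type="string">msupdate</Content>
        </IndicatorItem>
        <IndicatorItem id="item-3" condition="is">
          <Context document="DnsEntryItem" search="DnsEntryItem/Host" type="mir"/>
          <Content type="string">c2.example.invalid</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed per-host inventories: search term -> values observed on the host.
SAMPLE_HOSTS = {
    "ws-001": {  # still has the dropper on disk
        "FileItem/Md5sum": ["0123456789abcdef0123456789abcdef", "a" * 32],
        "ProcessItem/name": ["explorer.exe", "outlook.exe"],
        "DnsEntryItem/Host": ["mail.corp.example"],
    },
    "ws-002": {  # backdoor-like process name, but no C2 resolution: AND fails
        "FileItem/Md5sum": ["b" * 32],
        "ProcessItem/name": ["explorer.exe", "MSUpdate.exe"],
        "DnsEntryItem/Host": ["mail.corp.example"],
    },
    "ws-003": {  # process and C2 domain both present
        "FileItem/Md5sum": ["c" * 32],
        "ProcessItem/name": ["msupdate.exe"],
        "DnsEntryItem/Host": ["c2.example.invalid", "mail.corp.example"],
    },
    "ws-004": {  # clean
        "FileItem/Md5sum": ["d" * 32],
        "ProcessItem/name": ["explorer.exe"],
        "DnsEntryItem/Host": ["mail.corp.example"],
    },
}


def _item_matches(item, host):
    """Evaluate one IndicatorItem against the host's observed values."""
    term = item.find(NS + "Context").get("search")
    want = (item.find(NS + "Content").text or "").strip().lower()
    cond = item.get("condition", "is")
    observed = [v.lower() for v in host.get(term, [])]
    if cond == "is":
        return want in observed
    if cond == "contains":
        return any(want in v for v in observed)
    raise ValueError(f"unsupported OpenIOC condition {cond!r}")


def _indicator_matches(indicator, host):
    """Combine child results with the Indicator's AND/OR operator (recursive)."""
    op = indicator.get("operator", "OR").upper()
    results = []
    for child in indicator:
        if child.tag == NS + "IndicatorItem":
            results.append(_item_matches(child, host))
        elif child.tag == NS + "Indicator":
            results.append(_indicator_matches(child, host))
    if not results:  # an empty Indicator matches nothing
        return False
    return all(results) if op == "AND" else any(results)


def evaluate_ioc(ioc_xml, host):
    """True if any top-level Indicator in the IOC definition matches the host."""
    root = ET.fromstring(ioc_xml)
    definition = root.find(NS + "definition")
    return any(_indicator_matches(ind, host)
               for ind in definition.findall(NS + "Indicator"))


def sweep(ioc_xml, hosts):
    """Deploy the IOC across hosts; return the suspect-system list, sorted."""
    return sorted(name for name, artefacts in hosts.items()
                  if evaluate_ioc(ioc_xml, artefacts))


if __name__ == "__main__":
    print("suspect systems:", sweep(SAMPLE_IOC, SAMPLE_HOSTS))
```

The nested AND is the point: a process name on its own is a weak lead and would flag ws-002, so it is only treated as a hit when the same host has also resolved the C2 domain, while the file hash stands alone because it is specific enough. Hosts returned by sweep() are the ones to preserve and collect evidence from in the next step of the chain.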
Understanding your network
List your resources… DNS Servers, DHCP Servers, Internet Connections, VPN Concentrators, Domains, Network Diagram, …
If your data on resources isn’t centralised and easily accessible, you can lose a lot of valuable time dealing with a targeted attack.
Knowing who is responsible for what, where the contacts work and how to reach them is very important. A rapport with the other teams is a must if these situations are to be worked through smoothly.
Monitoring at the outbound perimeter is valuable, but logs should also be collected in a central location so that different systems can be compared easily. Even where it is not possible to review these logs daily, it is better to have them available when they are needed. Without logs it is hard to know where to start on a large network breach. Storage is now cheap, so there is almost no reason not to retain logs.
A Tale of two investigations
Two victim organisations
Different sizes (< 1,500 and > 150,000 hosts), strengths and capabilities
Both were advised of the breach by the FBI
Both case studies occurred in the last year in the US
Both companies cleaned their environment, only to be re-attacked multiple times
Small organisation
- < 1,500 hosts
- < 20 Compromised hosts
- 5 compromised accounts
- < 10 different types of malware used
Strong network visibility
- 2 Network egress points
- Full packet capture
- DNS logging
- Proxy logging and blocking
- Aggregation at SIEM
- Threat-specific network sensors
Tight host control
- Removed internet access from all users
- Conducted a traditional remediation event and implemented security best practices
- Reintroduced internet access for users through a highly customised internet isolation application
Large organisation
- > 150,000 hosts
- > 30 distinct types of malware used, incl. 12 different keyloggers
- Use of email harvesting (> 50 employees)
- Used / Targeted Service Accounts
- Lateral movement using net use, scheduled tasks, …
The attack was identified as an email harvesting attack by a known group. In total, five groups were identified conducting attacks against the organisation, which produced a lot of overlapping evidence and complicated remediation.
Identified Critical Infrastructure
- Identified hosts and personnel targeted
- Hardened critical infrastructure first from the inside out
- Removed new credential harvesting capabilities from attackers
- Encrypted communications and identified next victims
- Continuous threat-specific monitoring of hosts and network
- Continued investigation until new compromises dwindled
- Conducted a traditional remediation event
- In process of building a response team
Defining the win
The end goal can never be to be 100% immune to attack.
The end goal (or win) is to gain a good overview of your network and better detect and remediate attacks in the future.
Point Solutions (Free Tools)
- Web Historian (browser analysis)
- Memoryze (memory forensics)
- Audit Viewer (Memoryze front-end)
- Highlighter (log analysis)
- Red Curtain (malware identifier)
- IOCe (indicator of compromise editor)
- OpenIOC (Common language to describe IOCs)