You Can’t Protect What You Can’t See.

          You can’t protect what you can’t see. That seems to be the common thread when we are called in to a customer to remediate a security attack or breach. Typically, in the case of ransomware, the client is completely stunned and left with nothing but encrypted files and the thought of “What just happened?”. In some cases, data is stolen and the client doesn’t even know what has been taken other than that drives and directories are empty. There are many more scenarios to discuss, but in almost all cases one of the first thing they ask us is, “How did this happen?”

          Unfortunately, without a layered security architecture companies are left with very little to go on when these events occur. So, what does that look like? In many cases most companies don’t know they have a problem. It could be because they are contacted by the FBI and told that their IP address came up on a list. It could be when a user complains that they can’t open a file. These events are never expected when they occur.

          We have seen ransomware change all of the file names so the users are left guessing what has been destroyed. Many attacks we have seen deliver a payload (script) and offload data, destroy, or establish command and control (C2). What do you do when you find yourself here?

Endpoint Protection/DNS Filtering

Next, we establish endpoint protection and DNS filtering so we can get visibility on the external communication that is happening. We setup Sysmon to get verbose logging outside of the standard event logs to parse. We check scheduled task to verify that the attacker didn’t leave behind a scheduled script that runs the moment things look clean and backups have restored file access. Within Windows, Task Scheduler can be used to schedule programs or scripts to be executed at a date and time. An adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account. We run a pcap with Wireshark or Moloch to get a session-based analysis on what is going on with the network traffic.

If the compromise source can be found after parsing through memory dumps and pcaps we might find that the source system was compromised using a phishing attack. We then can analyze the suspected email using oledump.py (tool written by Didier Stevens, available on Github) to parse the body of the message and any attachments. Next using ExtractMSG (do not perform on a production system) we will parse and extract the attachment. MxToolbox is able to parse the headers and identify the hops this particular email took to arrive at its final destination.

Manual Analysis

These results confirm the findings from the manual analysis of the headers. Confirm the domain names used and use a WhoIs engine to figure out the domain’s IP and its WhoIs information. Be aware that many cases we see that this information has been privatized through the registrar. On May 25th, 2018, the European Union passed a General Data Protection Regulation (GDPR) aimed at increasing overall security of data relating to its citizens. This further complicated WHOIS analysis as many domain registration services started hiding such data in order to stay compliant with GDPR. Some possible workarounds include performing a reverse domain lookup using the IP, taking legal action against the organization that registered the domain in order to find out the real registration information, or searching a historical data base such as Wayback Machine hosted on archive.org. The information security field is filled with resources, including various research and commercial providers that share their threat intelligence information with the larger community in order to strengthen other’s security postures while making Internet a safer place.

One of the most popular websites used for this purpose is VirusTotal. Inputting the domain into VirusTotal could potentially enrich the current knowledge with valuable intelligence that can be used for gathering additional context around the email. Navigate to the VirusTotal site and conduct a search for the domain.

In many of these attacks, especially on Windows Servers, the software that is used to execute the payload is native (example: Powershell, svchost, etc.). When analyzing the memory dumps if you see svchost being run by anything other than system then you know you have trouble.

Sandboxing

We send files that we find to a sandbox environment so that we can see what happens when the script or code is run. Taking that information, it can help in the remediation process. Because of the advanced nature of the code that we have seen we send the files off for analysis to our partners at Talos. In many cases the malicious code is able to detect that it is in a sandbox environment and it won’t execute and tell you anything.

Just about all of the things that I have discussed can be completed with open source (free) utilities and resources. But realize this, it takes a large number of hours, knowledge, experience, and time to complete and detect what happened. Also, unfortunately the compromise has already occurred, the criminals have completed their mission, the company has lost assets, operational time lost, business reputation, and the list goes on. All of this because there wasn’t a thought about proper infrastructure and a layered security posture without any visibility within the company. We can no longer pretend that this is not a problem. I didn’t write this to give another security scare sales tactic to put more money in my pocket. I am not here to tell you that security company A is better than security company B. Listen there is no silver bullet when it comes to IT security. You have to have a layered approach to security. Start the conversation now. You are not going to be able to buy a firewall and anti-virus software and think that you are protected. The security threat landscape has changed and we all need to act and be responsible. This is not a one-dimension issue.

I didn’t include any statics or any “buy our whizbang and your security problems are solved.”, because I get tired of seeing and hearing it. But to tell the truth nothing takes away the pain of seeing business owners closing their business because they didn’t plan, prepare, or listen. Don’t be those people. Contact us or whoever is your IT security advisor and start the conversation today. Get a second opinion. We can do an adversary emulation (fancy words for pretending to be bad guys) for your company. This is not penetration testing, although we can do that, it isn’t always necessary or a good spend of company resources. Contact us and let us have a conversation. Good luck out there.

Feel free to contact us about any of the open source resources that I discussed and their uses.