INSIGHTS FROM ENGINEERS
You Can’t Protect What You Can’t See.
You can’t protect what you can’t see. That seems to be the common thread when we are called in to a customer to remediate a security attack or breach. Typically, in the case of ransomware, the client is completely stunned and left with nothing but encrypted files and the thought, “What just happened?” In some cases data is stolen and the client doesn’t even know what has been taken, other than that drives and directories are empty. There are many more scenarios to discuss, but in almost all cases one of the first things they ask us is, “How did this happen?”
Unfortunately, without a layered security architecture, companies are left with very little to go on when these events occur. So, what does that look like? In many cases companies don’t even know they have a problem. It could be that they are contacted by the FBI and told that their IP address came up on a list. It could be that a user complains they can’t open a file. These events are never expected when they occur.
We have seen ransomware change all of the file names so the users are left guessing what has been destroyed. Many of the attacks we have seen deliver a payload (a script) and then exfiltrate data, destroy it, or establish command and control (C2). What do you do when you find yourself here?
Memory dumps are key. Because of how operating systems function, every running process, as well as anything else that is actively being used, must be held in memory for the duration of its use. There is an old adage that states: “Malware can hide, but it must run”, which plays on the fact that no matter how hard a process tries to hide, it always has to be loaded into memory to run. Sound memory acquisition is the first step of the analysis process. Typically, we use FTK Imager, which has a standalone executable that can be stored on a forensic USB dongle. On the rare occasions when FTK Imager has trouble collecting the memory image, you should have planned ahead and be able to fall back on similar memory acquisition software, such as Belkasoft RAM Capturer or WinPMEM.
Once the memory dump has been acquired, we use the Volatility Framework, an open source collection of command-line tools for extracting digital artifacts from memory. Most analysis with Volatility is done through “plugins,” commands that each extract a specific set of information or artifacts. This can be a tedious but valuable process.
Endpoint Protection/DNS Filtering
Next, we establish endpoint protection and DNS filtering so we can get visibility into the external communication that is happening. We set up Sysmon to get verbose logging beyond the standard event logs. We check the scheduled tasks to verify that the attacker didn’t leave behind a scheduled script that runs the moment things look clean and backups have restored file access. Within Windows, Task Scheduler can be used to schedule programs or scripts to execute at a given date and time. An adversary may use task scheduling to execute programs at system startup or on a schedule for persistence, to conduct remote execution as part of lateral movement, to gain SYSTEM privileges, or to run a process under the context of a specified account. We capture packets (pcap) with Wireshark or Moloch to get a session-based view of what is going on in the network traffic.
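The scheduled-task check described above, as an added example (not code from the original article): it reads one task definition in the XML format Windows stores under C:\Windows\System32\Tasks (or exports with `schtasks /query /xml`) and flags the pattern of a left-behind script. The sample task is constructed for this example; the marker lists and thresholds are the author's assumptions, not a vendor rule set.

```python
import base64
import ntpath
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Interpreters a left-behind task typically calls to run a script.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Argument fragments worth a closer look when paired with a script host.
ARG_MARKERS = ("-enc", "-encodedcommand", "hidden", "bypass", "downloadstring",
               "invoke-expression", "\\temp\\", "\\appdata\\")
PERSISTENCE_TRIGGERS = {"BootTrigger", "LogonTrigger", "RegistrationTrigger"}
ENC_FLAGS = ("-enc", "-encodedcommand", "-ec", "-e")

def triage_task(xml_text):
    """Return (summary, findings) for one task XML from C:\\Windows\\System32\\Tasks."""
    root = ET.fromstring(xml_text)
    author = root.findtext("t:RegistrationInfo/t:Author", "", NS)
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel", "", NS)
    trig = root.find("t:Triggers", NS)
    triggers = [] if trig is None else [c.tag.split("}")[-1] for c in trig]
    findings = []
    for ex in root.iterfind("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", "", NS).strip().strip('"')
        args = ex.findtext("t:Arguments", "", NS)
        exe = ntpath.basename(cmd).lower()
        if exe in SCRIPT_HOSTS:
            findings.append(f"script host {exe} launched by task")
            if PERSISTENCE_TRIGGERS & set(triggers):
                findings.append("script host runs at boot/logon (persistence)")
        hits = [m for m in ARG_MARKERS if m in args.lower()]
        if hits:
            findings.append("suspicious arguments: " + ", ".join(hits))
        toks = args.split()  # decode -EncodedCommand (Base64 of UTF-16LE) if present
        enc = [toks[i + 1] for i, t in enumerate(toks[:-1]) if t.lower() in ENC_FLAGS]
        if enc:
            findings.append("decoded command: " + base64.b64decode(enc[0]).decode("utf-16-le"))
    if run_level == "HighestAvailable" and not author.startswith("Microsoft"):
        findings.append(f"elevated task with non-Microsoft author '{author}'")
    return {"author": author, "run_level": run_level, "triggers": triggers}, findings

# Constructed sample: a hidden, encoded PowerShell task that fires at every boot.
SAMPLE_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>WORKSTATION\\jdoe</Author></RegistrationInfo>
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Command>
    <Arguments>-NoP -W Hidden -Enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMQA=</Arguments></Exec></Actions>
</Task>"""
```

Running `triage_task(SAMPLE_TASK)` on the constructed task reports the script host, the boot trigger, the hidden/encoded arguments, the decoded command and the elevated non-Microsoft author; a stock Microsoft maintenance task produces no findings.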
If the source of the compromise can be found after parsing through the memory dumps and pcaps, we might find that the source system was compromised through a phishing attack. We can then analyze the suspect email using oledump.py (a tool written by Didier Stevens, available on GitHub) to parse the body of the message and any attachments. Next, using ExtractMSG (never on a production system), we parse the message and extract the attachment. MxToolbox can parse the headers and identify the hops this particular email took to arrive at its final destination.
These results confirm the findings from the manual analysis of the headers. Confirm the domain names used and use a WhoIs engine to find the domain’s IP and its WhoIs information. Be aware that in many of the cases we see this information has been made private through the registrar. On May 25th, 2018, the European Union passed a General Data Protection Regulation (GDPR) aimed at increasing the overall security of data relating to its citizens. This further complicated WhoIs analysis, as many domain registration services started hiding such data in order to stay compliant with GDPR. Some possible workarounds include performing a reverse lookup on the IP, taking legal action against the organization that registered the domain in order to find out the real registration information, or searching a historical database such as the Wayback Machine hosted on archive.org. The information security field is full of resources, including various research and commercial providers that share their threat intelligence with the larger community in order to strengthen others’ security postures while making the Internet a safer place.
One of the most popular websites used for this purpose is VirusTotal. Entering the domain into VirusTotal can enrich what is already known with valuable intelligence and additional context around the email. Navigate to the VirusTotal site and search for the domain.
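The header work described above (the relay hops MxToolbox reports, the sender domains to take to WhoIs and VirusTotal, and the attachment to hand to oledump.py), as an added example written with Python's standard email module rather than any of those tools; it is not code from the original article. The message below is constructed for the example and is not a real capture.

```python
import email
import re
from email import policy
from email.utils import parseaddr

def analyze_headers(raw):
    """Walk the Received chain in delivery order and check sender alignment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    # Each relay prepends its own Received header, so the bottom one is the
    # first hop after the sender; reverse to read them in delivery order.
    for hdr in reversed(msg.get_all("Received", [])):
        flat = " ".join(str(hdr).split())
        frm = re.search(r"\bfrom\s+(\S+)", flat)
        by = re.search(r"\bby\s+(\S+)", flat)
        hops.append({"from": frm.group(1) if frm else "?",
                     "by": by.group(1) if by else "?",
                     "time": flat.rsplit(";", 1)[-1].strip()})
    def domain(field):
        addr = parseaddr(str(msg.get(field, "")))[1]
        return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    doms = {f: domain(f) for f in ("From", "Return-Path", "Reply-To")}
    findings = []
    for f in ("Return-Path", "Reply-To"):
        if doms[f] and doms[f] != doms["From"]:
            findings.append(f"{f} domain {doms[f]} differs from From domain")
    if hops and not hops[0]["by"].endswith(doms["From"]):
        findings.append(f"first relay {hops[0]['by']} is not under the From domain")
    attachments = [(p.get_filename(), p.get_content_type())
                   for p in msg.iter_attachments()]
    return {"hops": hops, "domains": doms, "attachments": attachments,
            "findings": findings}

# Constructed sample message: a lure carrying a macro-enabled document.
RAW_MESSAGE = b"""Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (unknown [203.0.113.77])
\tby mx.victim.example with ESMTP; Mon, 03 Jun 2019 09:14:58 -0500
Received: from [10.0.0.5] (helo=WIN-PC)
\tby mail-relay.example.net with ESMTPA id 9f8e7d; Mon, 03 Jun 2019 09:14:51 -0500
From: Accounts Payable <ap@trusted-vendor.example.com>
Reply-To: invoices@trusted-vendor-billing.example.org
Subject: Overdue invoice 44817
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12
Content-Disposition: attachment; filename="Invoice_44817.docm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""
```

The result's `domains` are what you feed to WhoIs and VirusTotal, and `attachments` names the file to carve out and pass to oledump.py.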
In many of these attacks, especially on Windows servers, the software used to execute the payload is native to the operating system (for example PowerShell, svchost, etc.). When analyzing the memory dumps, if you see svchost being run by anything other than SYSTEM, you know you have trouble.
We send the files we find to a sandbox environment so that we can see what happens when the script or code runs, and that information helps in the remediation process. Because of the advanced nature of the code we have seen, we also send the files off to our partners at Talos for analysis. In many cases the malicious code is able to detect that it is in a sandbox environment, so it won’t execute or tell you anything.
Just about everything I have discussed can be done with open source (free) utilities and resources. But realize this: it takes a large number of hours, knowledge, and experience to work out and detect what happened. Also, unfortunately, by then the compromise has already occurred, the criminals have completed their mission, and the company has lost assets, operational time, business reputation, and the list goes on. All of this because no thought was given to proper infrastructure and a layered security posture, and there was no visibility within the company. We can no longer pretend that this is not a problem. I didn’t write this as another security scare sales tactic to put more money in my pocket. I am not here to tell you that security company A is better than security company B. Listen: there is no silver bullet when it comes to IT security. You have to have a layered approach to security. Start the conversation now. You are not going to be able to buy a firewall and anti-virus software and think that you are protected. The security threat landscape has changed and we all need to act and be responsible. This is not a one-dimension issue.
I didn’t include any statistics or any “buy our whizbang and your security problems are solved” pitch, because I get tired of seeing and hearing it. But to tell the truth, nothing takes away the pain of seeing business owners closing their business because they didn’t plan, prepare, or listen. Don’t be those people. Contact us or whoever is your IT security advisor and start the conversation today. Get a second opinion. We can do an adversary emulation (fancy words for pretending to be the bad guys) for your company. This is not penetration testing; although we can do that too, it isn’t always necessary or a good use of company resources. Contact us and let us have a conversation. Good luck out there.
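The svchost check described above, as an added example that is not part of the original article: it runs over a process table in the shape an analyst assembles from Volatility's pslist/pstree, cmdline and getsids output and flags svchost.exe instances whose parent, image path or account break the expected pattern, plus look-alike names. The process table is constructed for the example; the field names and the 0.85 similarity threshold are the author's assumptions.

```python
import ntpath
from difflib import SequenceMatcher

# Accounts a service-hosting svchost.exe normally runs under.
SERVICE_ACCOUNTS = {"nt authority\\system", "nt authority\\local service",
                    "nt authority\\network service"}
# Legitimate image directories (matched as suffixes so that Volatility's
# \Device\HarddiskVolumeN\... form of the path also passes).
EXPECTED_DIRS = ("\\windows\\system32", "\\windows\\syswow64")

def check_svchost(processes):
    """Return (pid, reason) findings for svchost.exe anomalies and look-alike names."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for p in processes:
        name = p["name"].lower()
        if name != "svchost.exe":
            # Near-miss names such as svch0st.exe or scvhost.exe.
            if SequenceMatcher(None, name, "svchost.exe").ratio() > 0.85:
                findings.append((p["pid"], f"look-alike name {p['name']}"))
            continue
        parent = by_pid.get(p["ppid"])
        parent_name = parent["name"].lower() if parent else "<not in list>"
        if parent_name != "services.exe":
            findings.append((p["pid"], f"parent is {parent_name}, expected services.exe"))
        if not ntpath.dirname(p["path"]).lower().endswith(EXPECTED_DIRS):
            findings.append((p["pid"], f"unexpected image path {p['path']}"))
        if p["user"].lower() not in SERVICE_ACCOUNTS:
            # Windows 10 per-user services legitimately host svchost.exe under the
            # logged-on user, so treat this as weak evidence next to parent and path.
            findings.append((p["pid"], f"runs as {p['user']}, not a service account"))
    return findings

# Constructed process table: pid/ppid/name as from pslist, path as from
# cmdline, user as from getsids. Two clean svchost instances, one rogue copy
# in a user profile spawned by explorer.exe, and one look-alike name.
PROCESSES = [
    {"pid": 600, "ppid": 512, "name": "services.exe",
     "path": "C:\\Windows\\System32\\services.exe", "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 732, "ppid": 600, "name": "svchost.exe",
     "path": "C:\\Windows\\System32\\svchost.exe", "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 880, "ppid": 600, "name": "svchost.exe",
     "path": "C:\\Windows\\System32\\svchost.exe", "user": "NT AUTHORITY\\NETWORK SERVICE"},
    {"pid": 2960, "ppid": 1900, "name": "explorer.exe",
     "path": "C:\\Windows\\explorer.exe", "user": "WORKSTATION\\jdoe"},
    {"pid": 3412, "ppid": 2960, "name": "svchost.exe",
     "path": "C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe", "user": "WORKSTATION\\jdoe"},
    {"pid": 4120, "ppid": 600, "name": "svch0st.exe",
     "path": "C:\\Windows\\System32\\svch0st.exe", "user": "NT AUTHORITY\\SYSTEM"},
]
```

`check_svchost(PROCESSES)` returns three findings for pid 3412 (parent, path and account) and one for the look-alike pid 4120, and nothing for the two legitimate instances.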
Feel free to contact us about any of the open source resources that I discussed and their uses.
“The security threat landscape has changed and we all need to act and be responsible. This is not a one-dimension issue.” – Todd Ellis, CTO, Secure Networkers