We are often asked what a typical breach response looks like, and the answer is that no two incidents are the same. But here’s one example from a breach we responded to recently. It started when we were contacted by a company in the critical infrastructure sector. The company had noticed suspicious activity on its network: multiple servers were running unexpected services, there was unusual VPN activity, and they had found suspicious executables. The company knew there was an issue and asked our NDF team to investigate how the breach occurred, determine what, if anything, had been taken, and defend against future attacks.
For a little background, the company we were working with has more than 1,600 servers and approximately 6,000 user devices around the world. With that many potential breach points, our first priority was to increase network visibility and perform forensic analysis to determine if intruders were still active within the network.
With that goal in mind we went to work. As with any breach response, we first had to put together a plan of attack. In this case our response would include conducting interviews, imaging suspect systems for forensic analysis, reverse engineering suspicious files, and establishing a provisional Security Operations Center (SOC) manned by our team while the company began to build its own in-house SOC.
Now with a plan in place, we began to execute. Interviews provided us with situational awareness about the known network threats and preventative measures that were already in place, all vital pieces of information for an efficient and effective response.
As we moved on to analysis of the imaged systems, we triaged each for known Indicators of Compromise (IOCs). We also loaded logs and file listings into databases for quick review whenever new IOCs were identified. As suspicious files were discovered through deep-dive forensic analysis and monitoring, we deconstructed them and confirmed malicious behavior. Two of the files identified were of particular interest: an export of the Active Directory and an accompanying SYSTEM registry hive, which, when combined, can be cracked to recover user passwords.
Throughout the forensic investigation we also operated a provisional SOC while the company built its own permanent solution. The provisional SOC, manned by our NDF team and using our CyberSOC to supplement network and host-based visibility with Fidelis XPS, developed custom rules based on the real-time malware analysis and forensics coming from the investigation team. Using these rules, we were able to identify malware beaconing from systems on the network.
We were making great strides in our investigation but threat actors never sleep and while we were looking into the original threats, the company identified an additional attack against the VPN. An attacker was attempting to perform a man-in-the-middle (MITM) attack against one of the site-to-site VPN concentrators. The good news was the customer caught this attempt but it still required a solution to prevent the attack from succeeding.
Now that the ongoing threats had been identified, it was time to remediate them. The first step was a company-wide password reset to invalidate any passwords cracked from the exported Active Directory. Given the size of the company, this was rolled out in phases, beginning with system administrators and service accounts and followed by standard user accounts. To combat the malware beacon, we wrote rules looking for a URL containing a specific ASP file and for a URL containing host name information unique to each beaconing system. With these rules in place, the team discovered that different malware with similar code was active on systems not originally identified as infected. We then manually reviewed these systems, identified the malware, and added the new hash values to the list of indicators.
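As an added illustration (not code from this post or from the responding team), the Python below runs the two beacon rules described above over constructed proxy log lines; the ASP filename and the log format are placeholders, since the post names neither. The hostname rule keys on behavior rather than a file hash, which is why a rule like it can surface code-similar variants that the original indicator list missed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Placeholder: the post does not name the ASP file the real rule looked for.
SUSPECT_ASP = "placeholder.asp"

# Constructed proxy log lines (not from the incident): time, client IP, client hostname, method, URL.
LOG_LINES = [
    "2016-03-01T10:00:01Z 10.1.2.3 WS-FIN-021 GET http://203.0.113.10/img/placeholder.asp?id=WS-FIN-021",
    "2016-03-01T10:00:09Z 10.1.2.7 WS-HR-004 GET http://www.example.com/news/index.html",
    "2016-03-01T10:00:15Z 10.1.2.9 SRV-DB-02 POST http://198.51.100.5/up.aspx?h=srv-db-02&c=1",
    "2016-03-01T10:00:22Z 10.1.2.11 WS-OPS-013 GET http://203.0.113.10/img/placeholder.asp",
    "2016-03-01T10:00:30Z 10.1.2.7 WS-HR-004 GET http://www.example.com/search?q=WS-HR-004+policy",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<host>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")

def parse_line(line):
    """Return (client_hostname, url), or None if the line does not fit the assumed format."""
    m = LINE_RE.match(line.strip())
    return (m.group("host"), m.group("url")) if m else None

def matches_asp_rule(url):
    """Rule 1: the request path ends in the specific ASP file (case-insensitive)."""
    return urlparse(url).path.lower().rsplit("/", 1)[-1] == SUSPECT_ASP

def matches_hostname_rule(url, client_host):
    """Rule 2: the requesting host's own name appears as a whole path segment or query
    value, as a beacon reporting its identity would send it. Whole-token matching keeps a
    hostname typed into a web search box from triggering the rule."""
    parsed = urlparse(url)
    needle = client_host.lower()
    segments = [s.lower() for s in parsed.path.split("/") if s]
    values = [v.lower() for vs in parse_qs(parsed.query, keep_blank_values=True).values() for v in vs]
    return needle in segments or needle in values

def find_beaconing_hosts(lines):
    """Map each client hostname to the sorted list of rule names it triggered."""
    hits = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, url = parsed
        rules = [name for name, hit in (("asp_file", matches_asp_rule(url)),
                                        ("own_hostname", matches_hostname_rule(url, host))) if hit]
        if rules:
            hits.setdefault(host, set()).update(rules)
    return {host: sorted(rules) for host, rules in hits.items()}
```

Over the constructed lines, SRV-DB-02 is flagged by the hostname rule alone even though it never touched the known ASP file, while WS-HR-004's search query mentioning its own name is not flagged.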
While a project to implement two-factor authentication was already in progress, the client recognized that it would not prevent the MITM attack. After analyzing the attempt and noticing some distinguishing characteristics, they were able to limit the types of connections allowed to defend against the attack.
So that, in a nutshell, is an example of the type of work we’re doing in the field. In this case, it was done through collaboration with the customer, in-depth forensic analysis, expert reverse engineering and constant network monitoring. Through this work our team was able to identify what infrastructure had been impacted, how the intruder was accessing the network, push the intruders out of the network, put up defenses to more quickly defend against similar attacks in the future, and determine the type of data that had left the network. In short, it was another successful breach response. On to the next one.