Enterprise Incident Response: Network Intrusion Case Studies and Countermeasures Eric J. Eifert Vice President, Cyber Defense Division ManTech’s Mission, Cyber, & Technology Solutions

Upload: dinhdieu

Post on 02-Apr-2018


Page 1: Enterprise Incident Response - Cisco · Enterprise Incident Response: ... Case Study 2: Removable Media. ... • Full-scope incident response, analysis, and investigation

Enterprise Incident Response:

Network Intrusion Case Studies and Countermeasures

Eric J. Eifert, Vice President, Cyber Defense Division, ManTech’s Mission, Cyber, & Technology Solutions

Page 2

Presentation Overview

• Background

• Intrusion Methodology

• Case Studies

• Impact to Organizations

• Countermeasures and Mitigations

Page 3

Speaker Background

• I have worked in the Incident Response, Investigation, and Computer Forensics industry for 15 years

• I lead a specialized division of Network Security professionals supporting both US Government and Commercial customers

• I am a Special Agent of the Air Force Office of Special Investigations

• I have spent a number of years living and working cyber crime in Europe, Africa, and SW Asia

Page 4

Material Background

• Case studies are a blend of real world intrusions impacting large commercial and government organizations

• Incidents range from enterprise wide intrusions to small localized attacks

• All examples are UNCLASSIFIED; materials are open source or approvals were obtained to provide this data without attribution

• Three different delivery methods with the same payload types, quirks, and style

Page 5

Intrusion Methodology

• 3 Definitive Stages/Techniques

– Initial Attack Vector

– Second-Stage Toolkit

– Lateral Movement, with Data Exfiltration in certain instances

Page 6

Stage 1: Initial Attack Vector

• Over the past several years we have seen a shift away from attackers targeting network devices

• Targeting the individual User is becoming much more popular and successful

• Objective to gain control of User’s workstation on internal network then move across the network

• Variety of attack vectors

– Email

– Introducing Removable Media

– Web Browser

Page 7

Stage 2: Second-Stage Toolkits

• Additional tools uploaded to victim system

– These tools were used for C2 – control system functions, collect and exfiltrate data, scan network, and cover the intruder’s tracks

• Used a variety of common outbound communications ports to hide traffic

– TCP/53 (DNS)

– TCP/80 (Web)

– TCP/443 (SSL)

• Outbound traffic typically encrypted or obfuscated

• Variety of beaconing methods used to alert intruder of compromise

Analysis uncovered C2 and phone-home utilities. Many phone-home utilities remain active while others remain dormant for periods of time.
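The regular "phone-home" timing described above is what a defender can hunt for in outbound proxy or firewall logs. The script below is an added example, not from the presentation: it groups connections per source/destination/port, measures how evenly spaced they are, and flags timer-like flows on the ports the slide names (53, 80, 443); the log lines, host names and the dynamic-DNS suffix watchlist are all constructed for the demonstration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed outbound firewall log (not from the presentation):
# time, source host, destination host, destination port, bytes out.
LOG = """\
2009-03-02T08:00:03 ws-17 updates.example-vendor.test 443 51200
2009-03-02T08:00:05 ws-17 c2host.dyndns-like.example 443 412
2009-03-02T08:10:04 ws-17 c2host.dyndns-like.example 443 408
2009-03-02T08:14:51 ws-17 news.example.test 80 98230
2009-03-02T08:20:06 ws-17 c2host.dyndns-like.example 443 415
2009-03-02T08:30:05 ws-17 c2host.dyndns-like.example 443 410
2009-03-02T08:40:04 ws-17 c2host.dyndns-like.example 443 409
2009-03-02T08:41:12 ws-17 news.example.test 80 12044
2009-03-02T09:31:40 ws-17 news.example.test 80 80310
"""

# Ports the presentation says were abused to blend in with normal outbound traffic.
COMMON_C2_PORTS = {53, 80, 443}
# Constructed dynamic-DNS watchlist (assumption); in practice this comes from
# intelligence feeds, like the "notable IPs" list mentioned on slide 15.
DYNDNS_SUFFIXES = (".dyndns-like.example",)


def parse(log_text):
    """Yield (timestamp, src, dst, port) from the whitespace-separated lines."""
    for line in log_text.splitlines():
        ts, src, dst, port, _bytes = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port)


def find_beacons(log_text, min_hits=4, max_jitter=0.2):
    """Return flows whose connection intervals are suspiciously regular.

    max_jitter is the coefficient of variation (stdev / mean) of the gaps
    between connections: a person browsing produces large jitter, a
    timer-driven implant produces almost none.
    """
    flows = defaultdict(list)
    for ts, src, dst, port in parse(log_text):
        flows[(src, dst, port)].append(ts)
    findings = []
    for (src, dst, port), times in flows.items():
        if len(times) < min_hits or port not in COMMON_C2_PORTS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "port": port,
                             "period_s": round(mean), "jitter": round(jitter, 3),
                             "dyndns": dst.endswith(DYNDNS_SUFFIXES)})
    return findings


if __name__ == "__main__":
    for finding in find_beacons(LOG):
        print(finding)
```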

Page 8

Second-Stage Toolkits

• Second-Stage Tools Functionality

» Identify passwords in system memory
» Add/Remove Filtered Ports
» List/Kill Processes
» Reboot/Shutdown/Logoff
» Install/Check/Remove/Reset Port for Terminal Services
» List/Install/Remove/Start/Stop Services
» Download Files via HTTP/FTP
» Clone/Delete/Never-Logged-On Account Manipulation
» Secure Deletion of Files/Directories
» Wipe Free Space
» Log Keystrokes
» Capture Webcam shot or Video
» Network Scanning

Page 9

Second-Stage Toolkit

• Trojan that appears to be a folder

Page 10

Stage 3: Lateral Movement & Data Exfiltration

• Once foothold established and toolkits uploaded, lateral movement begins

• Variety of published and unpublished exploits used to compromise additional systems

• Systems searched and sensitive data exfiltrated via encrypted channels

Page 11

A moment of reflection…

What makes this relevant?

• The current methodologies being used today have remained in use for several years primarily because they are still producing results.

• Understanding the attack methodology allows us to develop a comprehensive response

– We need to increase user awareness and accountability

– We need stronger protection at boundaries

– We need to build the right teams and equip them with the right tools

Page 12

Case Study 1: Email

Page 13

Method of Attack

Trojaned emails are sent from intruder targeted at specific organizations and people

Trojaned emails, when opened, compromise a system and enable attackers to infiltrate internal networked systems

Attackers search systems and network for data files and exfiltrate information through encrypted channels

Timeline: Then

Page 14

Email Attack

• Upon opening the document, the real document would display while hidden activities executed in the background

– Application may or may not crash

• A reverse shell leveraging port 443 (SSL) downloaded command and control tools from a dynamic domain

– Traffic was not SSL encrypted but was obfuscated

• Intruder then gained access and conducted network scanning, data collection, and data exfiltration

Page 15

Email Attack

• Intruder was identified by network analysis; outbound IP address for C2 was flagged

– List of “notable” IPs collected via all-source intelligence means

• Full content internal network collection allowed for monitoring of intruder as well as collection of tools being utilized by the intruder

– Reverse engineering of tools disclosed similarities to known intrusion sets

• In one instance, Administrators had previously installed anti-spyware utilities, but could not rid system of strange behavior

Page 16

Email Attack - Payload Analysis

[Figure: annotated payload analysis screenshots, callouts 1, 2 and 3]

Page 17

Method of Attack

Trojaned emails are sent from intruder targeted at specific organizations and people

Trojaned emails, when opened, compromise a system and enable attackers to infiltrate internal networked systems

Attackers search systems and network for data files and exfiltrate information through encrypted channels

Timeline: Now

Page 18

Email Summary

• Sent from spoofed email address

• Email messages sent to Executive Distro list

• Trojaned Adobe PDF or MS Office Attachment

– Contained real Adobe or Office document

– Malicious injection file

– Reverse shell capability

• Recent exploit took advantage of a memory corruption vulnerability in the JBIG2 filter in Adobe Reader

Page 19

Case Study 2: Removable Media

Page 20

Unwitting Insider Attack

• Virus infected laptop was introduced to the internal network thus propagating the worm throughout the organization

– Individual did not realize they were infected

– No anti-virus scanning was done prior to allowing the laptop to connect to the network

• Out of date anti-virus software allowed for a massive infection of the network

• Containment and recovery of operations was a major challenge

Timeline: Both Then and Now

Page 21

USB-Delivered Malware

• Infected USB memory stick carrying Trojan

• Multiple variants; Malware not detected by AV

• Clearly targeted specific orgs and computing infrastructure

• Establishes C2 with comms back to external locations

• Relied on Windows Auto-play feature

– Autorun.inf on infected USB points to malware

– In one instance, malware was located in RECYCLER folder on device

Timeline: Then
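An IR team triaging removable media can check Autorun.inf for exactly the pattern the slide describes. The parser below is an added example (not from the presentation): it reads the [autorun] section, keeps only the keys that AutoPlay acted on to launch a program, and flags targets that live in a recycle-bin or system folder on the device; the sample file, the SID-like path segment and the executable name are constructed placeholders.

```python
import re

# Constructed autorun.inf modelled on the slide's description (not a real sample):
# the launch entries point into the RECYCLER folder on the device.
SAMPLE_AUTORUN = """\
[AutoRun]
open=RECYCLER\\S-1-5-21-EXAMPLE\\svchost.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shellexecute=RECYCLER\\S-1-5-21-EXAMPLE\\svchost.exe
shell\\Open\\command=RECYCLER\\S-1-5-21-EXAMPLE\\svchost.exe
shell=Open
"""

# Keys that made AutoPlay launch a program (open, shellexecute, shell\<verb>\command).
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.IGNORECASE)
# Folders a legitimate autorun target should never be stored in on removable media.
SUSPICIOUS_DIRS = ("recycler", "recycled", "$recycle.bin", "system volume information")


def parse_autorun(text):
    """Return (key, value) pairs of the [autorun] section with keys lower-cased.

    Duplicates are kept in order: Windows honours the first occurrence, but an
    analyst wants to see every value the author wrote.
    """
    pairs, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.strip("[]").lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            pairs.append((key.strip().lower(), value.strip()))
    return pairs


def assess_autorun(text):
    """Return one finding per launch entry, with the reason it is suspicious."""
    findings = []
    for key, value in parse_autorun(text):
        if not LAUNCH_KEY.match(key):
            continue
        target = value.strip('"').split()[0]                 # drop any arguments
        first_dir = target.replace("/", "\\").split("\\")[0].lower()
        reason = "launches a program from removable media"
        if first_dir in SUSPICIOUS_DIRS:
            reason = "target hidden in %s folder" % first_dir.upper()
        findings.append({"key": key, "target": target, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in assess_autorun(SAMPLE_AUTORUN):
        print(finding)
```

The matching host-side mitigation is the Windows NoDriveTypeAutoRun policy (0xFF disables AutoPlay for every drive type), which removes the execution path this case study relied on.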

Page 22

USB-Delivered Malware

• Same basic C2 communications obfuscation/hiding techniques as email

– XOR obfuscation/“encryption”

– Communication over common ports: 80, 8080, 443, 1863 (MS Notification Protocol)

– Non-standard protocol; in certain instances, not proxy aware

• C2 capabilities included

– Shell access

– Data exfiltration

Timeline: Then
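XOR "encryption" of the kind the slide puts in quotation marks is what lets a network analyst read captured C2 traffic without the implant's source. The added example below (not from the presentation) brute-forces a single-byte key over a captured payload and ranks the candidates by how much they look like shell text; the captured message and the key 0x5A are constructed, and a single-byte key is an assumption, since the slide does not say how long the real keys were.

```python
import string

PRINTABLE = frozenset(string.printable.encode("ascii"))
TEXTLIKE = frozenset((string.ascii_letters + string.digits + " ").encode("ascii"))


def xor_with_byte(data, key):
    """XOR every byte with one key byte; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def text_score(candidate):
    """0.0 if any byte is unprintable, otherwise the fraction of letters, digits
    and spaces. Genuinely encrypted traffic never clears this bar, which is
    itself a useful triage signal."""
    if any(b not in PRINTABLE for b in candidate):
        return 0.0
    return sum(b in TEXTLIKE for b in candidate) / len(candidate)


def recover_single_byte_xor(blob, min_score=0.6):
    """Try all 256 keys; return [(key, plaintext), ...] with the best score first
    (ties broken by the smaller key). Empty list means no text-like decoding."""
    ranked = sorted(((text_score(xor_with_byte(blob, k)), k) for k in range(256)),
                    key=lambda t: (-t[0], t[1]))
    return [(k, xor_with_byte(blob, k)) for s, k in ranked if s >= min_score]


# Constructed capture of one shell-access command (assumption: key 0x5A).
PLAINTEXT = b"CMD: dir C:\\Users /s /b > out.txt\r\n"
CAPTURED = xor_with_byte(PLAINTEXT, 0x5A)

if __name__ == "__main__":
    for key, plain in recover_single_byte_xor(CAPTURED)[:3]:
        print(hex(key), plain)
```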

Page 23

Case Study 3: Web

Page 24

Web Attack Scenario

IFRAME Attack Scenario

• Attackers planned ahead and identified their targets

– Compromise website(s)

– Drop malicious code or IFRAME

– Email link to users in certain instances

• Compromise systems

– Rifle or Shotgun approach

• Elevate privileges

– In certain instances, password-capturing binaries used

• Spread laterally to other systems from points of entry

Timeline: Both Then and Now

Page 25

Targeting Common Sites

• IFRAME dropped on USA Today, ABC News, Target, Walmart, Miami Herald, Bloomingdales, Sears, Forbes, etc.

• Code placed on a variety of systems in order to redirect users to malicious websites

Page 26

Summing it all up…

• Three case studies containing real-world examples from both THEN and NOW

• Demonstrates techniques intruders have used for the past few years and are actively using today to compromise networks

• Let’s expand on the following:

– Impact

– Countermeasures & Mitigations

Page 27

Impact

• Many, many incidents to-date; attack frequency continues to increase

• Adversary methodology has evolved; getting bolder after every successful exploitation

• One case study:

– Countless systems compromised and many tools uploaded

  • 73 unique malicious executables prior to containment

– Data exfiltration occurred via obfuscated channels

  • 120+ confirmed compromised hosts; mostly servers communicating outbound over port 443 to DynDNS sites

• Another example:

– Specialized tools/techniques used to hide activities

  • Extremely difficult to determine if all “implants” were discovered

  • Some remained dormant for up to six months at a time

– Potential data loss is immeasurable

  • Multiple GB of data compressed and exfiltrated

Page 28

What is being stolen?

• All user generated data

– No system files, executables, or other common files

– Personally Identifiable Information (PII)

– Research documentation, proposals, proprietary information

• System information

– Used to attribute the exfiltrated data

– Gain a better understanding of system configuration

• Network structure

– Mapping of internal network

– Target lists for lateral movement

Page 29

Countermeasures & Mitigations

• Anti-virus

– Encoding or 1st-Gen evaded AV

• Employees

– Unwittingly exploited

• Awareness

– Increase awareness training and testing

(weakest)

• Firewalls

– Permitted services/ports

• “Fully Patched”

– Exploited prior to public release or patch availability

• IDS

– Thwarted by encoding or modified communications (in certain instances)

• Email

– Detect, block, and capture malicious messages

– Extract user files and analyze for maliciousness

• IDS/IPS & SIM

– Comprehensive traffic analysis and reporting

– Constant signature modification and tuning

• Internet

– Authenticated access

• Patching

– Mitigate exposure to public vulnerabilities

– Enterprise interim patching for unpublished vulnerabilities

• Privileges

– Least privilege principle

• Proxy and firewall control

– Block domains, IPs, and strings

• Enterprise IR Capabilities

– Skilled team and tools

Page 30

User Awareness Training

• Include authentic scenarios in security education programs and user awareness

• Recurring and specialized one-time or on-the-spot training – hold users accountable

Page 31

Test the Awareness Training Program

• Use technical Social Engineering to test security education programs and user awareness

– Phishing

– Unofficial use of USB thumb drives

– Etc.

• Provides immediate feedback

• Assesses organization’s structure for reporting and responding to suspicious activity

Page 32

G0-Green Scenario

• Phishing scenario designed to solicit user action and involvement in the “Go Green for Government” contest.

• Once users click contest link, they are prompted to download and execute the “ImageViewer.exe” trojan

[Figures: Email sent to Employees; Mock G0-Green Website w/ File Download Window]

Page 33

USB Thumb Drive Scenario

• Foreign USB Thumb Drives

– Designed to extract user name, computer name, remote IP address, date/time, and send it back to a designated location for harvesting

Page 34

USB Thumb Drive Scenario

1. Test team places USB key near the entrance, break area, or inside common areas of an organization’s facility.

2. User finds USB key and inserts it into his/her workstation and the attacker’s program is automatically executed. The program contacts the attacker’s computer, giving him complete control of the user’s computer.

[Figure: Victim Facility and Victim Computer, with the labels “Places USB Key near building” and “Program contacts Attacker’s computer”]

Page 35

Enterprise IR & Forensics

• In all case studies the attackers utilized custom tools and spread (or attempted) rapidly throughout the enterprise

• Containment was the primary goal of the IR Team; identification of all victims remains a challenge

• Capturing network traffic allows an IR team to gather clues

• Using enterprise forensic capabilities quickly allows team to identify compromised hosts throughout an enterprise

• Evidence collection may be accomplished from around the world via a centralized place, saving time and money

Page 36

Enterprise IR & Forensics: What capabilities are needed? What skillsets are required on the team?

• Full-scope incident response, analysis, and investigation

– From initial telephonic response to final report and support in legal proceedings

• Range from internal investigations involving employee misuse to large scale intrusions committed by sophisticated global attackers

• Includes log analysis, capturing volatile data, installing network sniffers, network forensics, and host-based forensic analysis

• Advanced capabilities to include malware analysis, cyber CI analysis, memory collection/analysis, reverse engineering, and custom tool development

Page 37

Enterprise IR & Forensics Tools

Utilities and Methodology: Custom and Commercial

MEMORY ANALYSIS

• WinDD – capture memory

• Dump and analyze contents: Binaries, OS version, PID & PPID, PWD, DLL & image path, Window title, Modules loaded, Open handles, Create and exit time, Sockets

FUZZY HASHING

• Enterprise level IR – comparison of files recovered from multiple systems confirms 1, 3, and 4 are closely related

[Figure: fuzzy-hash comparison of four recovered files, labelled 1 to 4]

COMBINATION NETWORK/HOST

• Network-based utilities

– SIM/IDS/FCTC/Proxy/Network forensics

• Response and volatile data utilities

– Open source/Custom (BEEP)

• Host-based forensics utilities

– Commercial/Open source/Custom utilities

AD-HOC

• Immediate ad-hoc support available

• Code/application/OS review

• Hook vulnerable functions and monitor calls

• Correct calls prior to exploitation

• Configurable to send alerts

• Baseline and analyze enterprise traffic

– Monitor and baseline traffic

– Identify and report anomalous traffic
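The fuzzy-hashing panel above relates files recovered from different hosts even when each copy was patched or padded to defeat exact-hash matching. The code below is an added example, not the presentation's or any vendor's tool: a deliberately small context-triggered piecewise hash (the idea behind ssdeep, not ssdeep itself) that cuts each file into content-defined chunks, hashes the chunks, and scores pairs by how many chunk hashes they share. The four "recovered binaries" are constructed random data: 1 is the baseline, 3 has a short patch in the middle, 4 has data appended, and 2 is unrelated.

```python
import hashlib
import random
import zlib

WINDOW, BLOCK, MIN_CHUNK = 7, 64, 16     # window bytes, average chunk, minimum chunk


def chunk_hashes(data):
    """Content-defined chunking: cut where a hash of the last WINDOW bytes hits a
    trigger value, then hash each chunk. An edit only disturbs the chunks around
    it, so related files keep most of their chunk hashes."""
    hashes, start = set(), 0
    for i in range(len(data)):
        if (i + 1 - start >= MIN_CHUNK
                and zlib.crc32(data[i - WINDOW + 1:i + 1]) % BLOCK == BLOCK - 1):
            hashes.add(hashlib.sha256(data[start:i + 1]).hexdigest()[:12])
            start = i + 1
    if start < len(data):
        hashes.add(hashlib.sha256(data[start:]).hexdigest()[:12])
    return hashes


def similarity(a, b):
    """Jaccard similarity of the two chunk-hash sets, scaled 0..100."""
    ha, hb = chunk_hashes(a), chunk_hashes(b)
    return round(100 * len(ha & hb) / len(ha | hb))


def cluster(samples, threshold=50):
    """Score every pair of samples; return the pairs at or above threshold."""
    ids = sorted(samples)
    scores = {(x, y): similarity(samples[x], samples[y])
              for i, x in enumerate(ids) for y in ids[i + 1:]}
    return {pair: s for pair, s in scores.items() if s >= threshold}


# Constructed "recovered binaries" (random bytes, not real malware).
rng = random.Random(2009)
BASE = bytes(rng.getrandbits(8) for _ in range(4096))
SAMPLES = {
    1: BASE,                                                        # baseline copy
    2: bytes(rng.getrandbits(8) for _ in range(4096)),              # unrelated file
    3: BASE[:2000] + b"10.0.0.1".ljust(12, b"\0") + BASE[2012:],    # patched C2 string
    4: BASE + bytes(rng.getrandbits(8) for _ in range(512)),        # padded copy
}

if __name__ == "__main__":
    for pair, score in sorted(cluster(SAMPLES).items()):
        print("files %d and %d: %d%% similar" % (pair[0], pair[1], score))
```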

Page 38

Conclusion

• Provided you a brief overview of current attack methodologies and how our current defense-in-depth security practices are failing

• Upgrading defenses and processes is essential

– Moving from signature based IDS to intelligence IPS systems

– Developing comprehensive awareness training to include testing

• Properly preparing for the inevitable compromise

– Building sufficient IR teams with the right skill set and equipment

– Having situational awareness of your network and collecting data that can be used during an incident response

Page 39

QUESTIONS