Check yourself: can you protect the company from cyber attacks?
Recently, an international information security competition was held in Samara. VolgaCTF
. Vladimir Dryukov, director of Solar JSOC's cyber attack and monitoring center, told the competition participants about three real attacks and asked how they could be identified. Check if you can answer correctly.
Below is a transcript of Vladimir’s speech, but for those who want to watch the uncensored and uncut version (including listeners' answers), here’s a video:
So, a word to Vladimir:
I want to tell a few stories from our lives. Most of them, I will tell from the end - that is, starting with what it was for the incident. And you try to figure out how this attack could be seen at the start, what would you, as a defender of the company, have done so that the actions of the attackers hit your radar.
I hope this will help you in the future when you become professional pentesters and work at Positive Technologies, Digital Security or with us. You will know how the monitoring center sees such attacks, how it reacts to them, and - who knows - maybe this will help you bypass the defense, achieve your goal and show the customer that he is not as invulnerable as he thought. Here we go?
3r3179. Task number 1. This service is both dangerous and difficult, and at first glance it seems not to be seen 3r3182.
The story began with the fact that the head of the information security service of one company came to us and said: 3r-3214.
“Guys, I have some kind of strange nonsense going on. There are four cars that start to reboot spontaneously, fall out of the blue screen - in general, some sort of nonsense is happening. Let's ponder. "
When the guys from the Forsenziki group arrived at the site, it turned out that the security logs on all the machines were cleaned - there are so many activities that the security magazine rotates quickly (overwrites). The Master File Table also failed to find anything interesting - the fragmentation is strong, the data is quickly overwritten. Nevertheless, we managed to find something in the system journal: about four times a day, the it_helpdesk service appears on these four machines, does something unknown (there is no security log, as we remember) and disappears.
Our head fornsici has a facial expression like this:
Began to understand further, and it turned out that the service it_helpdesk - actually renamed PSExec.
3r3138. Utilities, such as Telnet, and remote management programs, such as Symantec’s PC Anywhere, allow you to run programs on remote systems, but they are not so easy to install because you also need to install client software on remote systems you need to install. access.
PsExec is a lightweight version of Telnet. It allows you to perform processes in remote systems, using all the capabilities of an interactive interface for console applications, and without the need to manually install client software. The main advantage of PsExec is the ability to invoke the interactive command line interface on remote systems and run such tools as IpConfig remotely. This is the only way to display information about the remote system on the local computer screen.
After checking the system logs on other machines, we saw that not 4 workstations were involved, but 2? plus another 19 servers, including one critical server. We talked with IT specialists and found out that they have nothing to do with this, they have no such subsystem. They began to dig further, and then a rather curious and rarely occurring thing was discovered - DNS-tunneling, which was used by the malware program, which is responsible for communicating with the botnet's control center.
3r3138. DNS tunneling is a technique that allows you to send arbitrary traffic (in fact, raise the tunnel) on top of the DNS protocol. It can be used, for example, in order to get full-fledged access to the Internet from a point where DNS name resolution is allowed.
DNS tunneling cannot be denied by simple firewall rules, while allowing the rest of the DNS traffic. This is due to the fact that DNS tunnel traffic and legitimate DNS queries are indistinguishable. DNS tunneling can be detected by request rate (if the traffic through the tunnel is large), as well as by more sophisticated methods using intrusion detection systems.
The malicious code got into the organization through mail, spread across the infrastructure, and interacted with the C & C server through a DNS tunnel. Therefore, the ban on interaction with the Internet, which stood in the server segment, did not work.
On one of the critical servers, there was a keylogger who automatically read passwords, and the malware tried to crawl further, receiving new user credentials, including dropping machines into the BSOD and reading the passwords of the administrators who were raising it.
What did it lead to? During the time that the malware was living in the infrastructure, a lot of records were compromised and, in addition, a large amount of other potentially sensitive data. During the investigation, we localized the scope of the attackers and ousted them from the network. The customer also received another four months of flour - it took to reload half of the machines and reissue all the passwords - from databases, records and so on. People with IT experience do not need to explain what a difficult story it is. But, nevertheless, everything ended well.
So the question is: how was it possible to identify this attack and catch the cybercriminal’s hand?
The answer to the first problem 3r3208.
First, as you remember, the infection has affected a critical server. If a new, previously unknown service is started on such a host, this is an incident of a very high degree of severity. This should not happen. If you at least monitor services that run on critical servers, this alone will help to identify such an attack at an early stage and prevent it from developing.
Secondly, we should not neglect the information from the most basic means of protection. PSExec is well detected by antivirus, but is marked not as malware, but as Remote Admin Tool or Hacking Tool. If you carefully look into the logs of the antivirus, you can see the response in time and take appropriate measures.
3r3179. Task number 2. The terrible tale
A big bank, a woman works in the financial service and has access to the AWP of the CBD.
3r3138. ARM KBR is an automated workplace for a client of the Bank of Russia. It is a software solution for secure information exchange with the Bank of Russia, including sending payment orders, bank flights, etc.
This employee of the financial service brought to work a USB flash drive with a file called Skazki_dlya_bolshih_i_malenkih.pdf.exe. She had a little daughter, and the woman wanted to print a children's book at work, which she downloaded from the Internet. The extension of the .pdf.exe file did not seem suspicious to her, and even then, when she ran the file, the usual pdf opened.
The woman opened the book and went home. But the .exe extension, of course, was not random. Behind him was the Remo Admin Tool, who sat down at the workstation and entrenched himself there in the system processes for more than a year.
How do such malware work? First of all, make screenshots of the screen about 15 times per minute. In a separate file, they add the data received from the keylogger - logins and passwords, correspondence in the mail, instant messengers and much more. Having connected the client, we quickly noticed the infected host and cleaned out the virus from the network.
Question: how was it possible to detect "invisible" malware, which was not detected by the antivirus?
The answer to the second problem is 3r3r208.
First, malware, as a rule, does something in the file system, changes registry entries — in a word, it is somehow loaded into the system. This can be traced if you monitor the host at the level of logs that the operating system itself writes - security logs, running processes, modifying the registry.
Secondly, it is important to remember that such a malware does not live autonomously, it will definitely knock somewhere. Often, workstations on the network access the Internet only through a proxy, so if a machine tries to knock somewhere directly, this is a serious incident that needs to be dealt with.
3r3179. Task number 3. "Bloody warez"
The system administrator needed to compare 2 .xml files. He went a simple way - typed in a search engine "download xml merger without registration and sms." The official site of the developer of this utility was in 3rd place in the issuance, and in the first two - file sharing. There the administrator and downloaded the program.
As you probably already guessed, a good, high-quality privilege elevation module was built into the “free” utility. He demolished the anti-virus agent on the machine and created a file with the same name instead. So the malware hung on the machine, periodically contacting the control center.
The worst thing was that the IT administrator is the king of the castle, he has access everywhere. From his machine, the virus can reach any host or server. The malware crawled across the network through domain sharepoint, trying to get to the car of the main financier. At that moment, she was caught by the tail, and the story was extinguished.
Question: how to detect such an attack on the machine privileged user?
The answer to the third problem 3r3208.
Again, you can listen to traffic, trying to catch the malware "red-handed" - at the time of the request to the C & C server. However, if the company does not have NGFW, IDS, a network traffic analysis system or SIEM that catches anything valuable from the traffic, you can listen to it endlessly.
It is more efficient to watch the operating system logs by sending them to some external system. While the malware was removing the anti-virus agent, it could not clear the audit file, so the logs transmitted on the external system will accurately contain information about the removal of the anti-virus agent or at least about the very fact that the audit was cleared. After that, the logs on the machine will be empty, and no traces will be found.
It may be interesting
Pleasant data, significant and magnificent plan, as offer great stuff with smart thoughts and ideas, bunches of incredible data and motivation, the two of which I need, on account of offer such an accommodating data here.
Situs QQ Online