Written By Keith Wilson
Traditionally, the climax to a story ends with the hero saving the day. I will save you the anticipation by telling you now that this is not the case with this tale. If you are looking for a happy ending for our large retail company who has fallen victim, I can assure you that in the following paragraphs, it does not happen.
In part one of this series, we discussed the first step of the cyber kill chain: reconnaissance. Specifically, we discussed passive reconnaissance, gathering information about the target from indirect sources. In many attacks you will also see active reconnaissance, such as port scans of your network. With StealthWatch, we give you the ability to see these scans. More importantly, with NetFlow Secure Event Logging (NSEL) data from Cisco firewalls, and the corresponding flow data from Palo Alto firewalls, we are able to tell you whether the scanning traffic was permitted or denied.
In part two, we continued up the kill chain to the weaponization phase, in which the information gathered during reconnaissance is turned into a crafted attack. Organizations cannot defend against this phase directly, since it takes place entirely on the attacker's side, outside their visibility and control.
In part three, we covered delivery of the malware and the initial infection, and showed how social engineering can be used to circumvent security technology. The best prevention for social engineering has usually proven to be user education. You can't patch your people.
Finally, in the last installment we discussed command, control and pivot: the C&C channel opened back to the attacker, and the attacker spreading their control across the target network. This is where StealthWatch excels in detecting anomalous behavior. A host that starts scanning the network will trigger a high concern index alarm, followed by a scanner talking alarm.
In this final segment, we are going to look at the hoarding and exfiltration phase of the cyber kill chain. As you will see, this is when data is gathered and staged before being removed from the network.
Hoarding and Exfiltration
I’ve been sitting on their servers for weeks now. I currently have a high level of access to at least four servers storing credit card data. Luckily, I found a server that also contains personnel records for the company’s HR department. A social security number can be worth a lot more than a credit card number to me.
I've been storing the majority of the data on Jenny's laptop, which I still control. However, I have also found several other laptops that regularly leave the corporate office, and I am staging data on those as well. Spreading the staging across several machines makes the attack less noticeable, and it lets me keep the attack running if the malware is discovered on one of the laptops.
Each night, my malware checks which wireless network (SSID) the laptop is connected to. If the laptop is outside the corporate network, the staged data begins to upload. Because the upload happens from outside, it never crosses the corporate perimeter, so the perimeter security devices never see it.
My attack and exfiltration of data continues for nearly six months before I lose communication with my infected machines.
The Takeaway
The sad fact is that the majority of advanced attacks like this one are reported by a third party, whether law enforcement or the credit card companies. Too many of these attacks are not caught until after the kill chain has been completed.
StealthWatch is able to detect advanced attacks like this during several phases of the kill chain, and one of the most important detections is the data hoarding alarm. StealthWatch can detect a host that is downloading more data internally than it normally does. That is a signal to your security team to look at the forensic flow data StealthWatch retains and see which hosts this one has talked to, and how they were talking.
This is powerful data that can help any security team mobilize before they get a call from an outside source reporting a breach. With the right tools, data and procedures, this attack could have been stopped before any sensitive data was lost.