The attack started with a phishing email; it compromised more than 2 000 systems and 50 000 emails.
How the attack took place:
1. fast-paced attacker
- 10-25 systems infected every day.
- the attacker stole information every day.
- develop indicators to aid triage.
- focus on: lateral movement, pivoting, recon, new tools or back-doors.
- streamlined documentation.
- be fast and flexible.
2. stealthy attacks
- used anti-forensics techniques to hide endpoint and network activity.
- altered communication scheme + strong crypto.
- mass activity to obscure the real target.
- data theft using only legitimate US-based services – Gmail, Google Drive, OneDrive.
- maximize the utility of trace forensic artifacts.
- some attacker behavior recovered despite the use of SDelete.
- took time and patience to filter out the network noise.
- deployed additional open-source tech
- improve visibility and don’t stop looking.
- map attacker activity to potential data sources.
- network timestamps provide a reliable chronology.
3. rapidly evolving tactics
- seven unique persistence mechanisms.
- seven distinct back-door families.
- minimal re-use of the metadata commonly tracked and shared as indicators.
- fought to keep network visibility on all malware families.
- spent time analyzing systems with unknown activity.
- create indicators for every stage of attack life-cycle.
- develop flexible and resilient indicators.
- enhance and test your best indicators even when they’re working.
4. advanced attack techniques
- attacker leveraged PowerShell.
- used Windows Management Instrumentation (WMI).
- attacker used Kerberos ticket attacks, which made tracking lateral movement difficult.
- searched for WMI persistence.
- identified evidence of attacker code in WMI repository.
- parsed out embedded scripts and malware.
- updated the environment to PowerShell 3.0 and enabled logging.
- turned the attacker's PowerShell usage from a threat into a benefit: logging plus IOCs made finding attacker activity much easier.
- worked around Kerberos attacks: looked for remote Kerberos logons around the time of attacker activity.
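As an added, defender-side example (not from the presentation), the Kerberos workaround in the last point carried through as detection logic: it takes constructed 4624 logon records and constructed attacker-activity timestamps, keeps only remote Kerberos logons within a few minutes of that activity, and summarises which account reached which hosts. Field names follow the Windows Security event XML; every sample value is made up.

```python
"""Correlate remote Kerberos logons (Security event 4624, logon type 3,
Kerberos auth package) with timestamps of known attacker activity taken from
network evidence. Events and activity times below are constructed samples."""
from datetime import datetime, timedelta

# Constructed 4624 records; field names follow the Windows Security event XML.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2016-03-02T09:58:10", "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "svc_backup", "IpAddress": "10.1.5.23", "Computer": "FS01"},
    {"EventID": 4624, "TimeCreated": "2016-03-02T10:00:05", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "jdoe", "IpAddress": "10.1.7.40", "Computer": "FS01"},
    {"EventID": 4624, "TimeCreated": "2016-03-02T14:30:00", "LogonType": 2, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "jdoe", "IpAddress": "-", "Computer": "WS17"},
    {"EventID": 4624, "TimeCreated": "2016-03-02T23:41:50", "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "svc_backup", "IpAddress": "10.1.5.23", "Computer": "DC01"},
]
# Constructed attacker activity times, e.g. beacon traffic seen in netflow.
ACTIVITY_TIMES = ["2016-03-02T10:00:00", "2016-03-02T23:40:00"]


def is_remote_kerberos_logon(event):
    """Successful network logon (type 3) authenticated with Kerberos."""
    return (event["EventID"] == 4624 and event["LogonType"] == 3
            and event["AuthenticationPackageName"].lower() == "kerberos")


def correlate(events, activity_times, window_minutes=5):
    """Remote Kerberos logons within +/- window of any activity time, in time order.
    Each hit records which activity timestamp it matched."""
    window = timedelta(minutes=window_minutes)
    activity = [datetime.fromisoformat(t) for t in activity_times]
    hits = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if not is_remote_kerberos_logon(ev):
            continue
        when = datetime.fromisoformat(ev["TimeCreated"])
        for act in activity:
            if abs(when - act) <= window:
                hits.append({"activity": act.isoformat(), "logon": ev["TimeCreated"],
                             "user": ev["TargetUserName"], "source": ev["IpAddress"],
                             "target": ev["Computer"]})
                break
    return hits


def pivot_summary(hits):
    """Map (user, source IP) to the sorted hosts it reached: one account fanning out."""
    summary = {}
    for h in hits:
        summary.setdefault((h["user"], h["source"]), set()).add(h["target"])
    return {k: sorted(v) for k, v in summary.items()}
```

On real data the records would come from exported Security logs and the activity times from the network chronology the notes mention; the window is the tunable part.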
The presentation was about 3 different vulnerabilities discovered by the KPN red team.
- vulnerability linked to the Java deserialization vulnerability.
- the KPN team forked a Java deserialization Burp plug-in.
- Citrix NetScaler
- NetScaler login vulnerability
- reverse-engineering cryptography from binary
The idea was that the security industry is doing the same things over and over again; very often, as defenders, we build very static walls. So the presenter proposes an “active defense”:
Active defense is not about :
- hacking back
- one technical solution
Active defense is about:
- having a range of solutions.
All the proposed solutions and demos are part of the Active Defense Harbinger Distribution (ADHD), a Linux distribution based on Ubuntu LTS that comes with many tools aimed at active defense pre-installed and configured. Some demos of the following components:
- HoneyPorts
- HoneyBadger