The Alert

It is the morning of Monday, 23 September 2010, and Susan, the CISO for a large DoD agency, is starting her day at the office. In her inbox she finds an email notification from one of her cyber intelligence analysts describing a previously unseen zero-day attack campaign. As Susan reads through the report she realizes that her organization fits the target group for this campaign, and she starts to get worried. She thinks, “Are we a victim of this attack and we don’t even know it yet?” The organization hasn’t had any security issues recently, but this zero-day vulnerability wouldn’t be detected by their current security tools (firewall, SIEM, IPS, endpoint protection). Acting on this worry, Susan forwards the threat alert email to her most senior network security analyst, Jim. She tells Jim that their organization fits within the campaign’s target group and that she wants to know whether there is any evidence of an intrusion based on the provided attack details. She says this is high priority and she needs answers ASAP. Jim is already overwhelmed by alerts, receiving an average of 20 critical alerts per day that need investigation. This alert, however, comes directly from the CISO and needs attention. Hopefully the investigation won’t take long and he can get back to his other critical alerts.
Day One

After reviewing the campaign details, Jim thinks about how his existing security infrastructure helps protect the organization in this situation. He has the following technologies in place:
- Leading Intrusion Detection System (IDS)
- Leading Security Incident and Event Manager (SIEM)
- Leading security analytics and forensics package
- Sampled NetFlow collector
- Layered DNS
- HTTP web proxy
Weighing the campaign details against that stack, he notes:
- This is a zero-day in Internet Explorer that drops previously unseen malware, so all signature-based tools (anti-virus, anti-malware, IDS, IPS, and endpoint protection) will be ineffective.
- The traffic is HTTP over port 443, and both the protocol and the port are allowed by the organization’s firewalls.
- If the attack succeeds, the attacker can execute code remotely with the same rights as the current user, then enumerate the network and move laterally.
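The “HTTP over port 443” detail is the one signal in that list that does not depend on a signature: a port-based firewall rule permits 443 whatever protocol is inside, but the first payload bytes of a connection reveal whether it is genuine TLS or plaintext HTTP wearing a TLS port. The following script is an added example, not code from the original post or its author; it classifies constructed flow records (the `Flow` dataclass, the sample addresses and the payload prefixes are all made up for illustration) and flags plaintext HTTP on TCP/443.

```python
# Added example: detect plaintext HTTP carried over TCP/443, the protocol/port
# mismatch described in the campaign details. Flow records, addresses and
# payload prefixes below are constructed for illustration only.

from dataclasses import dataclass
from typing import Iterable, List

# Request-line prefixes that identify an unencrypted HTTP client request.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload_prefix: bytes  # first bytes the client sent after the TCP handshake


def looks_like_tls(prefix: bytes) -> bool:
    # A TLS record starts with content type 0x16 (handshake) followed by the
    # record-layer version 0x03 0x00..0x03 (SSL 3.0 through TLS 1.2/1.3 framing).
    return (
        len(prefix) >= 3
        and prefix[0] == 0x16
        and prefix[1] == 0x03
        and prefix[2] <= 0x03
    )


def looks_like_http(prefix: bytes) -> bool:
    # Either a client request line or a bare server status line in the clear.
    return prefix.startswith(HTTP_METHODS) or prefix.startswith(b"HTTP/")


def classify(flow: Flow) -> str:
    """Label a flow by what its destination port promises versus what it carries."""
    if flow.dport != 443:
        return "not-443"
    if looks_like_tls(flow.payload_prefix):
        return "tls"
    if looks_like_http(flow.payload_prefix):
        return "plaintext-http-on-443"
    return "unknown-on-443"


def find_mismatches(flows: Iterable[Flow]) -> List[Flow]:
    """Return only the flows that speak plaintext HTTP to port 443."""
    return [f for f in flows if classify(f) == "plaintext-http-on-443"]


# Constructed sample flows using RFC 1918 / RFC 5737 documentation addresses.
SAMPLE_FLOWS = [
    # Real TLS ClientHello on 443: expected, nothing to report.
    Flow("10.1.2.10", "203.0.113.5", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    # Plaintext HTTP GET on 443: the pattern the campaign details describe.
    Flow("10.1.2.11", "203.0.113.9", 443, b"GET /update.php?id=1 HTTP/1.1\r\nHost: 203.0.113.9\r\n"),
    # Ordinary HTTP on 80: out of scope for this check.
    Flow("10.1.2.12", "198.51.100.20", 80, b"GET / HTTP/1.1\r\n"),
    # Plaintext HTTP POST on 443: also flagged.
    Flow("10.1.2.13", "203.0.113.9", 443, b"POST /gate HTTP/1.1\r\nHost: 203.0.113.9\r\n"),
]


if __name__ == "__main__":
    for f in find_mismatches(SAMPLE_FLOWS):
        print(f"{f.src} -> {f.dst}:{f.dport}  plaintext HTTP on 443 ({classify(f)})")
```

The check needs the first payload bytes of each connection, which a full packet capture or an inspecting web proxy can supply; a sampled NetFlow collector records only headers and counters (addresses, ports, byte and packet counts), so on its own it cannot tell TLS from HTTP on the same port. That distinction is why the list of deployed technologies above matters for the investigation that follows.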