On Wednesday February 24th Novetta released Operation Blockbuster, a report that describes how a Novetta-led coalition of private industry partners Novetta’s Threat Research & Interdiction Group (TRIG), identified and interdicted the adversary behind the Sony Pictures attack. This effort is the culmination of more than a year of research and reverse engineering by many skilled professionals with the goal of devising ways to disrupt the tools and techniques of the threat actor group to collectively protect our customers. If you haven’t yet seen this report, there’s a friendly two-page executive summary at http://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Ex-Summary.pdf and the full report is at http://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf….
Advanced Methods to Detect Advanced Attacks: Unknown Service
This post is the tenth and last of a multi-part series called Advanced Methods to Detect Advanced Cyber Attacks. The series explores advanced investigative analytic searches that analyze network traffic and enable incident responders and security analysts to think and react as fast as the attackers targeting their organization’s network. In this final post, we’ll see a security solution capable of separating normal well-formed traffic from abnormal attacker traffic by looking at network data only. And we’ll see why that is useful. Joe: Hey Bob, 10.217.145.233 is sending a lot of traffic on port 80.Bob: So…web traffic. Why did that…
Advanced Methods to Detect Advanced Cyber Attacks: Two Degrees of Separation
This post is the ninth of a multi-part series called Advanced Methods to Detect Advanced Cyber Attacks. The series explores advanced investigative analytic searches that analyze network traffic and enable incident responders and security analysts to think and react as fast as the attackers targeting their organization’s network. Today we’re going to look at how to start playing Six Degrees of Kevin Bacon with network traffic for the purpose of efficiently executing a network security investigation. In the Computer Network Defense version of Six Degrees, we’re looking to link network hosts together based on who they’ve exchanged traffic with (vs. starring in…
Advanced Methods to Detect Advanced Cyber Attacks: Suspicious Admin Toolkits
This post is the eighth of a multi-part series called Advanced Methods to Detect Advanced Cyber Attacks. The series explores advanced investigative analytic searches that analyze network traffic and enable incident responders and security analysts to think and react as fast as the attackers targeting their organization’s network. Today we’ll look at a particular class of software tools used by attackers called Administration Toolkits. Oftentimes these toolkits enable remote system administration, and are called Remote Admin Toolkits. Sometimes, however, they are used more locally by attackers, so we’ll generally refer to these tools as Suspicious Admin Toolkits, or just admin…
Advanced Methods to Detect Advanced Cyber Attacks: Relay Finder
This post is the seventh of a multi-part series called Advanced Methods to Detect Advanced Cyber Attacks. The series explores advanced investigative analytic searches that analyze network traffic and enable incident responders and security analysts to think and react as fast as the attackers targeting their organization’s network. Today we’ll review a network traffic search technique that takes full advantage of the historic visibility and rapid querying capability of an advanced network traffic analysis system. This analytic is most relevant for large enterprises and law enforcement agencies that routinely search through large and potentially disparate volumes of network traffic during investigations,…
Advanced Methods to Detect Advanced Cyber Attacks: RDP Keyboard Layout
This post is the sixth of a multi-part series called Advanced Methods to Detect Advanced Cyber Attacks. The series explores advanced investigative analytic searches that analyze network traffic and enable incident responders and security analysts to think and react as fast as the attackers targeting their organization’s network. Today we cover the detection of anomalous Remote Desktop Protocol sessions. Remote Desktop Connection (RDC), formerly known as Terminal Services Client, is a Microsoft user application that enables a user to remotely log into a networked computer and interactively use the desktop interface as if they were sitting in front of the local machine….
Advanced Methods to Detect Advanced Cyber Attacks: Protocol Abuse
This post is the fifth of a multi-part series called Advanced Methods to Detect Advanced Cyber Attacks. The series explores advanced investigative analytic searches that analyze network traffic and enable incident responders and security analysts to think and react as fast as the attackers targeting their organization’s network. In today’s installment we cover the detection of covert communication channels created in breached networks by advanced attackers. Network intrusions happen – there’s no way around it. If an organization is connected to the internet and has users that read email, view websites, and like to click on things (who doesn’t?) eventually an attacker…
Advanced Methods to Detect Advanced Cyber Attacks: Port Scanners
This post is the fourth of a multi-part series called Advanced Methods to Detect Advanced Cyber Attacks. The series explores advanced investigative analytic searches that analyze network traffic and enable incident responders and security analysts to think and react as fast as the attackers targeting their organization’s network. In today’s installment we cover the discovery of slow randomized port scans. Port scans are an important part of an attacker’s active reconnaissance efforts because they reveal a lot of information about a target network. Software packages that enable port scanning, such as Nmap, are designed to probe hosts on a network for open…
Advanced Methods to Detect Advanced Cyber Attacks: HTTP(S) Exfiltration
This post is the third of a multi-part series called Advanced Methods to Detect Advanced Cyber Attacks. The series explores advanced investigative analytic searches that analyze network traffic and enable incident responders and security analysts to think and react as fast as the attackers targeting their organization’s network. In today’s installment we’ll cover data theft, or the successful “exfiltration” of valuable or sensitive information from a network. Undetected exfiltration is a very common end goal for network attackers and was the unfortunate outcome of many high profile breaches in 2014 (Target, Home Depot, etc.). Attackers target companies and organizations that have credit…
Advanced Methods to Detect Advanced Cyber Attacks: Distant Admin
This post is the second in a multi-part series called Advanced Methods to Detect Advanced Cyber Attacks. The series explores advanced investigative analytic searches that analyze network traffic and enable incident responders and security analysts to think and react as fast as the attackers targeting their organization’s network. Joe: Hey Bob, were you in Belarus this morning? Bob: Um…nope. Are you feeling ok? Joe: So you didn’t, maybe, remote into the CRM server from a machine in Minsk? Bob: Definitely not. Joe: Maybe you forgot? Bob: … Joe: Ok then we have a problem. Today’s focus is on revealing unauthorized administrative access…
