Check yourself: can you protect the company from cyber attacks?

    Recently, the international information security competition VolgaCTF was held in Samara. Vladimir Dryukov, director of Solar JSOC's cyber attack and monitoring center, told the competition participants about three real attacks and asked how they could have been identified. Check whether you can answer correctly.

    Below is a transcript of Vladimir's speech, but for those who want to see the uncensored and uncut version (including the listeners' answers), here's a video:


    So, over to Vladimir:



    I would like to tell a few stories from our practice. I will tell most of them from the end, that is, starting with what the incident was. You try to figure out how the attack could have been spotted at the start, and what you, as a defender of the company, would have done so that the attackers' actions showed up on your radar.

    I hope this will help you in the future, when you become professional pentesters and work at Positive Technologies, Digital Security or with us. You will know how the monitoring center sees such attacks, how it reacts to them, and - who knows - maybe this will help you bypass the defense, achieve your goal and show the customer that he is not as invulnerable as he thought. Shall we?

    Task number 1. This service is both dangerous and difficult, and at first glance it seems not to be visible ...


    The story began with the fact that the head of the information security service of one company came to us and said:

    “Guys, I have some strange nonsense going on. There are four machines that spontaneously reboot and crash with a blue screen - in general, some sort of nonsense is happening. Let's figure it out.”

    When the guys from the forensics team arrived on site, it turned out that the security logs on all the machines had been overwritten: there is so much activity that the security log rotates (is overwritten) quickly. Nothing interesting could be found in the Master File Table either: fragmentation is heavy and the data is quickly overwritten. Nevertheless, we managed to find something in the System log: about four times a day, the it_helpdesk service appears on these four machines, does something unknown (there is no security log, as we remember) and disappears.

    Our head of forensics had a face like this:



    We dug further, and it turned out that the it_helpdesk service was actually a renamed PsExec.
    Utilities such as Telnet and remote management programs such as Symantec's PC Anywhere let you run programs on remote systems, but they are not as easy to install, as you also need to install client software on the remote systems that you need to access.

    PsExec is a lightweight version of Telnet. It allows you to run processes on remote systems, using all the capabilities of an interactive interface for console applications, and without the need to manually install client software. The main advantage of PsExec is the ability to invoke the interactive command line interface on remote systems and launch tools such as IpConfig remotely. This is the only way to display local system information on the local computer.

    technet.microsoft.com

    After checking the system logs on other machines, we saw that it was not 4 workstations that were involved but 20, plus another 19 servers, including one critical server. We talked to the IT specialists and found out that they had nothing to do with this and had no such subsystem. We dug further, and then a rather curious and rare thing was discovered: DNS tunneling, which was used by the malware module responsible for communication with the botnet control center.
    DNS tunneling is a technique that allows you to send arbitrary traffic (in effect, to set up a tunnel) on top of the DNS protocol. It can be used, for example, to get full access to the Internet from a point where DNS name resolution is allowed.

    DNS tunneling cannot be blocked by simple firewall rules while still allowing the rest of the DNS traffic. This is because DNS tunnel traffic and legitimate DNS queries are indistinguishable. DNS tunneling can be detected by request rate (if the traffic through the tunnel is large), as well as by more sophisticated methods using intrusion detection systems.

    xgu.ru

    The malicious code got into the organization through mail, spread across the infrastructure, and communicated with the C&C server through the DNS tunnel. Therefore, the restrictions on Internet access that were in place in the server segment did not work.
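
    The request-rate detection mentioned in the quote above can be sketched as follows. This is an added example, not part of the original talk: the thresholds, the naive two-label parent zone, the addresses and the sample log are all assumptions constructed for illustration.

```python
from collections import defaultdict

def parent_domain(qname, labels=2):
    """Naive parent zone: the last `labels` labels (no public-suffix list)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-labels:])

def find_tunnels(records, window=60, min_queries=50,
                 min_unique_ratio=0.9, min_avg_sub_len=30):
    """records: iterable of (epoch_seconds, client_ip, qname).
    Returns [(client, parent_zone, query_count)] for each window that looks like a tunnel."""
    buckets = defaultdict(list)
    for ts, client, qname in records:
        buckets[(client, parent_domain(qname), ts // window)].append(qname.lower())
    alerts = []
    for (client, parent, _slot), names in sorted(buckets.items()):
        count = len(names)
        unique_ratio = len(set(names)) / count
        # Length of everything left of the parent zone: tunnels pack payload there.
        avg_sub_len = sum(max(0, len(n.rstrip(".")) - len(parent) - 1)
                          for n in names) / count
        if (count >= min_queries and unique_ratio >= min_unique_ratio
                and avg_sub_len >= min_avg_sub_len):
            alerts.append((client, parent, count))
    return alerts

def make_sample():
    """Constructed DNS query log: an ordinary client, a busy benign one, a tunnelling one."""
    recs = [(1000 + 5 * i, "10.0.5.20", n) for i, n in enumerate(
        ["www.example.org", "mail.example.org", "www.example.org", "cdn.example.net"])]
    # Busy client repeating the same name: high rate, but almost no unique names.
    recs += [(1020 + i // 2, "10.0.5.21", "www.example.org") for i in range(100)]
    # Tunnel: 120 unique, long, payload-like names under one zone within one minute.
    recs += [(1020 + i // 2, "10.0.7.31", f"{i:04d}{'a1b2c3d4' * 5}.t.tunnel.example")
             for i in range(120)]
    return recs

if __name__ == "__main__":
    for client, zone, count in find_tunnels(make_sample()):
        print(f"possible DNS tunnel: {client} -> *.{zone} ({count} queries in one window)")
```

    Rate alone would also flag the busy benign client, which is why the sketch additionally requires that the names be unique and long.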

    One of the critical servers had a keylogger on it that automatically captured passwords, and the malware tried to spread further by obtaining new user credentials, including by crashing machines into a BSOD and capturing the passwords of the administrators who brought them back up.

    What did it lead to? During the time that the malware was living in the infrastructure, a lot of accounts were compromised, along with a large amount of other potentially sensitive data. During the investigation, we contained the attackers' area of activity and pushed them out of the network. The customer then went through another four months of pain: half of the machines had to be reimaged and all the passwords reissued, for databases, accounts and so on. People with IT experience do not need to be told how difficult this is. Nevertheless, everything ended well.

    So the question is: how could this attack have been identified and the cybercriminal caught red-handed?

    The answer to the first task
    First, as you remember, the infection affected a critical server. If a new, previously unknown service starts on such a host, that is an incident of very high criticality. This should not happen. If you at least monitor the services that start on critical servers, that alone will help detect such an attack at an early stage and keep it from developing.

    Second, do not neglect information from even the most basic security tools. PsExec is detected quite well by antivirus software, but it is labelled not as malware but as a Remote Admin Tool or Hacking Tool. If you look at the antivirus logs carefully, you can see the detection in time and take appropriate measures.
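
    The service monitoring described in this answer can be sketched as a baseline check over service-installation events (Event ID 7045 in the Windows System log). This is an added example, not part of the original talk: the host names, the baseline, the severity rules and the sample events are constructed assumptions, and only the service name it_helpdesk comes from the story.

```python
from collections import Counter, defaultdict

# System log, Service Control Manager: "A service was installed in the system."
SERVICE_INSTALLED = 7045

# Hypothetical inventory: critical hosts and the services expected on each host.
CRITICAL_HOSTS = {"srv-pay-01"}
BASELINE = {
    "srv-pay-01": {"Spooler", "W32Time"},
    "ws-014": {"Spooler", "W32Time", "BackupAgent"},
}

# Constructed sample events, as already parsed from forwarded System logs.
EVENTS = (
    [{"host": h, "event_id": 7045, "service": "it_helpdesk"}
     for h in ("ws-014", "ws-014", "ws-015", "ws-016", "srv-pay-01")]
    + [{"host": "ws-014", "event_id": 7045, "service": "BackupAgent"},
       {"host": "ws-020", "event_id": 7045, "service": "PrintHelper"},
       {"host": "ws-020", "event_id": 7036, "service": "Spooler"}]
)

def new_service_alerts(events, baseline, critical_hosts, spread_threshold=3):
    """Return [(severity, host, service, install_count)] for services outside the baseline.
    critical: unknown service on a critical host;
    high: the same unknown service seen on several hosts; medium: anything else."""
    installs = Counter()                 # (host, service) -> number of install events
    hosts_by_service = defaultdict(set)  # service -> hosts where it appeared
    for ev in events:
        if ev["event_id"] != SERVICE_INSTALLED:
            continue
        if ev["service"] in baseline.get(ev["host"], set()):
            continue  # expected service, e.g. a known agent being reinstalled
        installs[(ev["host"], ev["service"])] += 1
        hosts_by_service[ev["service"]].add(ev["host"])
    alerts = []
    for (host, service), count in sorted(installs.items()):
        if host in critical_hosts:
            severity = "critical"
        elif len(hosts_by_service[service]) >= spread_threshold:
            severity = "high"
        else:
            severity = "medium"
        alerts.append((severity, host, service, count))
    return alerts

if __name__ == "__main__":
    for alert in new_service_alerts(EVENTS, BASELINE, CRITICAL_HOSTS):
        print(alert)
```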


    Task number 2. Terrible tales


    A large bank. A woman works in the finance department and has access to the ARM KBR workstation.
    ARM KBR is the automated workstation of a client of the Bank of Russia. It is a software solution for secure information exchange with the Bank of Russia, including sending payment orders, bank payment runs, etc.

    This finance employee brought to work a flash drive with a file called Skazki_dlya_bolshih_i_malenkih.pdf.exe. She had a little daughter, and the woman wanted to print at work a children's book that she had downloaded from the Internet. The .pdf.exe extension did not seem suspicious to her, and besides, when she launched the file, an ordinary PDF opened.



    The woman opened the book and went home. But the .exe extension, of course, was not there by accident. Behind it was a Remote Admin Tool, which settled on the workstation and stayed entrenched in the system processes there for more than a year.

    How does such malware work? First of all, it takes screenshots about 15 times per minute. In a separate file it stores the data received from the keylogger: logins and passwords, mail correspondence, instant messenger conversations and much more. Once we had connected the customer, we quickly noticed the infected host and cleaned the virus out of the network.

    Question: how could “invisible” malware that the antivirus did not detect have been discovered?

    The answer to the second problem
    First, malware usually does something in the file system or changes registry entries; in short, it loads itself into the system somehow. This can be tracked if you monitor the host at the level of the logs that the operating system itself writes: security logs, process launches, registry changes.

    Second, it is important to remember that such malware does not live autonomously; it always calls out somewhere. Workstations on a network often have Internet access only through a proxy, so if a machine tries to reach out somewhere directly, that is a serious incident that has to be investigated.
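
    Both signals from this answer, a suspicious process launch in the host logs and a connection that goes around the proxy, can be combined per host. This is an added example, not part of the original talk: the extension lists, host names, addresses and sample events are constructed assumptions, and only the file name comes from the story.

```python
import ipaddress
from collections import defaultdict
from pathlib import PureWindowsPath

DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
EXE_EXT = {".exe", ".scr", ".com", ".pif"}

def has_double_extension(image_path):
    """True for names like book.pdf.exe: an executable posing as a document."""
    suffixes = [s.lower() for s in PureWindowsPath(image_path).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXE_EXT and suffixes[-2] in DOC_EXT

def triage(proc_events, conn_events, proxies, internal_nets):
    """proc_events: (host, image_path) taken from process-creation logs.
    conn_events: (host, dst_ip, dst_port) taken from perimeter firewall logs.
    Returns {host: [reasons]} for every host that shows at least one signal."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    findings = defaultdict(set)
    for host, image in proc_events:
        if has_double_extension(image):
            findings[host].add("double-extension executable: "
                               + PureWindowsPath(image).name)
    for host, dst, port in conn_events:
        addr = ipaddress.ip_address(dst)
        if dst not in proxies and not any(addr in net for net in nets):
            findings[host].add(f"direct connection to {dst}:{port}, bypassing the proxy")
    return {host: sorted(reasons) for host, reasons in findings.items()}

# Constructed sample data; host names and addresses are hypothetical.
PROXIES = {"10.0.0.8"}
INTERNAL = ["10.0.0.0/8"]
PROCS = [
    ("ws-fin-07", r"E:\Skazki_dlya_bolshih_i_malenkih.pdf.exe"),
    ("ws-hr-02", r"C:\Program Files\Reader\reader.exe"),
    ("ws-hr-02", r"C:\Tools\report.v2.exe"),   # two dots, but not a document extension
]
CONNS = [
    ("ws-fin-07", "10.0.0.8", 3128),      # normal: through the proxy
    ("ws-fin-07", "203.0.113.50", 443),   # straight to the Internet
    ("ws-hr-02", "10.0.0.8", 3128),
    ("ws-hr-02", "10.2.3.4", 445),        # internal file server
]

if __name__ == "__main__":
    for host, reasons in triage(PROCS, CONNS, PROXIES, INTERNAL).items():
        print(host, reasons)
```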


    Task number 3. "Bloody warez"


    The system administrator had to compare and “glue” together two .xml files. He took the simple route and typed "download xml merger without registration and sms" into a search engine. The official site of the developer of this utility was third in the search results, and the first two were file-sharing sites. That is where the administrator downloaded the program.

    As you have probably already guessed, a good, high-quality privilege elevation module was built into the “free” utility. It removed the antivirus agent from the machine and created a file with the same name in its place. So the malware sat on the machine, periodically contacting the control center.



    The worst thing was that the IT administrator is the king of the castle: he has access everywhere. From his machine, the virus can reach any host or server. The malware crawled across the network through the domain SharePoint, trying to get to the chief financier's machine. At that moment it was caught by the tail, and the story was snuffed out.

    Question: how can such an attack on a privileged user's machine be detected?

    The answer to the third problem
    Again, you can listen to the traffic, trying to catch the malware red-handed, at the moment of its request to the C&C server. However, if the company has no NGFW, IDS, network traffic analysis system or SIEM that will fish at least something valuable out of the traffic, you can listen to it forever.

    It is more effective to look at the operating system logs, sending them to some external system. While the malware was removing the antivirus agent, it could not clear the audit file, so the logs forwarded to the external system will definitely retain information about the removal of the antivirus agent, or at least about the very fact that the audit was cleared. After that, the logs on the machine itself will be empty, and no traces will be found.
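
    What the external system can still report after the local logs are gone can be sketched like this. This is an added example, not part of the original talk: it assumes the antivirus agent runs as a Windows service (the name "ExampleAV Agent" is hypothetical) and treats a stop with no later restart as a stand-in for its removal; the sample events are constructed.

```python
from collections import defaultdict

AUDIT_LOG_CLEARED = 1102      # Security log: "The audit log was cleared."
SERVICE_STATE_CHANGE = 7036   # System log: a service entered the running/stopped state
AV_SERVICE = "ExampleAV Agent"  # hypothetical service name of the antivirus agent

def tamper_findings(collected, av_service=AV_SERVICE):
    """collected: events already stored on the external collector, each a dict with
    ts, host, event_id and, for 7036 events, service and state.
    Returns {host: [(ts, finding)]} in time order."""
    findings = defaultdict(list)
    last_av_state = {}  # host -> (ts, state) of the most recent agent state change
    for ev in sorted(collected, key=lambda e: e["ts"]):
        if ev["event_id"] == AUDIT_LOG_CLEARED:
            findings[ev["host"]].append((ev["ts"], "audit log cleared"))
        elif ev["event_id"] == SERVICE_STATE_CHANGE and ev.get("service") == av_service:
            last_av_state[ev["host"]] = (ev["ts"], ev["state"])
    for host, (ts, state) in last_av_state.items():
        if state == "stopped":  # a stop followed by a restart is not reported
            findings[host].append((ts, "antivirus agent stopped and never came back"))
    return {host: sorted(items) for host, items in findings.items()}

# Constructed sample: what the collector received before the admin's machine went quiet.
COLLECTED = [
    {"ts": 100, "host": "ws-admin-01", "event_id": 7036,
     "service": AV_SERVICE, "state": "stopped"},
    {"ts": 130, "host": "ws-admin-01", "event_id": 1102},
    {"ts": 90, "host": "ws-014", "event_id": 7036,
     "service": AV_SERVICE, "state": "stopped"},
    {"ts": 95, "host": "ws-014", "event_id": 7036,
     "service": AV_SERVICE, "state": "running"},  # routine restart, not a finding
]

if __name__ == "__main__":
    for host, items in tamper_findings(COLLECTED).items():
        print(host, items)
```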
