Reverse Deception: Organized Cyber Threat Counter-Exploitation (116 page)

Processing Collected Intelligence

Now that we have analyzed both the host- and network-based activity for each example in the previous section, we need to identify which one has the potential to be the biggest threat, and whether each is targeted or opportunistic. What intelligence do we have on each malicious sample?

Example: MD5 of 18eb6c84d31b5d57b3919b3867daa770

For this example, we’ve gained the following intelligence:

Threat type
Multipurpose bot/Trojan (well-known, high-profile threat, SpyEye or Zeus)

Host behavior
Minimal and stealthy

Network behavior
Minimal and time-based (requires more than five minutes in a sandbox)

This threat surrounds one of three of the highest ranked crimeware kits available today and should be addressed as soon as possible. These tools are used primarily by organized criminals who target both small and large enterprises. They target specific financial and other related system files. Additionally, this threat allows the victim to be used as a proxy.

Example: MD5 of 70cb444bf78da9c8ecf029639e0fb199

For this example, we’ve gained the following intelligence:

Threat type
IRC-based bot (easily detected via IRC usage)

Host behavior
Loud and noisy

Network behavior
Enough data collected in the first round of analysis helped identify the CnC servers, and they are well-known abused/malicious servers

This threat surrounds an older family of crimeware that uses easily detectable techniques both at the host and over the network. This threat is lesser on the scale of threats than the previous example, and should be handed off to your incident responder staff, rather than the cyber counterintelligence group.

Determining Available Engagement Tactics

We have determined the differences between each threat and now need to identify which options are available to prevent any further infections and/or continued hemorrhaging of your network.

Typically, you have the following standard options with the commonly found enterprise security tools and devices located within and across an enterprise:

Firewall rules

Host IDS/IPS and network IDS/IPS rules

Custom host-based rules and policies to identify whether specific folders are created on a host

The following are some advanced tactics you might employ:

Load the executable within a live honeynet/honeypot (sandbox?).

Interact with the infected host in a secure portion of the network and analyze how access to the system is being used.

Implement content staging by loading various types of documents onto the infected systems, and see which files are wrapped up and shipped out (what is of interest to the active threat).