State of the Hack: It’s the End of the Year As We Know It

When is the next MANDIANT webinar?

MANDIANT State of the Hack - Using Known Good to Find Evil featuring Bit9 will be on Thursday, January 14, 2010 at 2:00 p.m. Eastern time.

If APT uses the same DLL names as legitimate system DLLs, how do they make sure their software calls the right DLL?

The attackers don’t use the exact same file name. Instead, they create an additional file with a very similar name. For example, suppose there is a legitimate system file named foo.dll. The attacker drops his malware in a file named foo32.dll. Windows File Protection won’t restore or remove it, because foo32.dll is not on the list of files Windows File Protection is supposed to care about. Then the attacker just changes the service’s registry key so that the service loads the evil foo32.dll instead of the good foo.dll.
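One way to hunt for this pattern is to take a registry export of the Services hive and check every service’s DLL path against a known-good baseline, flagging names that merely resemble a legitimate DLL or that load from outside System32. The script below is an added example, not code from the Mandiant post or from Red Curtain; the `.reg` text, the service names, the baseline of known-good DLL names and the `ServiceDll` value it looks for are all constructed for the demo, and the 0.8 similarity threshold is an arbitrary choice.

```python
"""Hunt for look-alike ServiceDll entries in a Services registry export.

Added example (not from the original post). All sample data is constructed.
"""
import re
from difflib import SequenceMatcher

# Constructed, trimmed .reg export. On a real host you would produce it with
# `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg`.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\srvsvc.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\schedsvc.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\netman32.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvc\Parameters]
"ServiceDll"="C:\\WINDOWS\\Temp\\pchsvc.dll"
"""

# Assumed baseline of (service name -> legitimate DLL) taken from a clean build
# of the same OS image. A real baseline would carry file hashes as well.
KNOWN_GOOD = {
    "lanmanserver": "srvsvc.dll",
    "schedule": "schedsvc.dll",
    "6to4": "netman.dll",
    "helpsvc": "pchsvc.dll",
}
SYSTEM_DLLS = set(KNOWN_GOOD.values())
SYSTEM32 = r"c:\windows\system32"

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\\Parameters\]$",
    re.I,
)
DLL_RE = re.compile(r'^"ServiceDll"="(.+)"$', re.I)


def parse_service_dlls(reg_text):
    """Return {service_name: ServiceDll path} from a .reg export."""
    entries = {}
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            continue
        dll = DLL_RE.match(line)
        if dll and current:
            # .reg files escape each backslash as "\\"; collapse them.
            entries[current] = dll.group(1).replace("\\\\", "\\")
    return entries


def normalize(path):
    """Expand %SystemRoot%, lower-case, and split into (directory, file name)."""
    p = path.lower().replace("%systemroot%", r"c:\windows")
    directory, _, fname = p.rpartition("\\")
    return directory, fname


def lookalike_of(fname, threshold=0.8):
    """Return the known-good DLL that fname most resembles, or None."""
    best, score = None, 0.0
    for good in SYSTEM_DLLS:
        ratio = SequenceMatcher(None, fname, good).ratio()
        if ratio > score:
            best, score = good, ratio
    return best if score >= threshold else None


def audit(entries):
    """Return a list of (service, reason) findings for suspicious ServiceDll values."""
    findings = []
    for svc, raw in entries.items():
        directory, fname = normalize(raw)
        expected = KNOWN_GOOD.get(svc.lower())
        if expected and fname != expected:
            findings.append((svc, "name differs from baseline: expected %s, found %s" % (expected, fname)))
        if directory != SYSTEM32:
            findings.append((svc, "ServiceDll loads from outside System32: %s" % directory))
        if fname not in SYSTEM_DLLS:
            twin = lookalike_of(fname)
            if twin:
                findings.append((svc, "%s looks like the legitimate %s" % (fname, twin)))
    return findings


if __name__ == "__main__":
    for svc, reason in audit(parse_service_dlls(SAMPLE_REG_EXPORT)):
        print("%-14s %s" % (svc, reason))
```

The name-similarity check is what catches the foo.dll / foo32.dll trick; the path check catches the cruder variant where the attacker keeps the real name but moves the file somewhere Windows File Protection never looks. Run it against a baseline built from a clean image, not from the suspect host, or the compromised values become the baseline.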

So what can we do to protect ourselves against the APT?

It all revolves around the ability to know when you have a problem. If you have 100% coverage for network security monitoring, AND you also have the ability to do pervasive, deep host-based detection, that means you are postured to succeed in combating the APT. Our most successful clients combine the ability to gather good intelligence and the ability to conduct investigations quickly and at large scale.

Are APT intruders using organization-specific exfiltration tactics, or is it almost always compressed files going out over a standard port (80/443)?

We can’t comment publicly on specific cases, but it’s generally true that the APT intruders tend to use similar tactics and procedures at different targets. Encrypting and compressing data before exfiltrating it is a pretty well-known and widely-used technique, even in non-APT intrusions (think, card data).

As for what port they use, the pie charts in the presentation were focused on the backdoor malware rather than the data exfiltration, which tends to be more interactive. So I wouldn’t apply those statistics, necessarily, to the exfiltration steps.

What are some of the more interesting APT responses you’ve encountered when remediation was attempted… and failed?

We have seen situations where the victim jumped into remediation too soon – as we say, outside the “strike zone”. In those instances, the attacker recognized the organization’s attempts to remove them from the network. The attacker was able to thwart those efforts by regaining access to the victim network through an undetected backdoor. The net effect was that the attacker’s presence on the victim network was prolonged rather than eradicated.

For tips on remediating the APT, check out our best practices.

Any advice on open source intelligence forums?

In battling the APT, you can never be too knowledgeable, so if you can find good intel, it can help. The most successful defenders have infrastructure in place to make immediate use of new intelligence – for example, they can quickly load new network-based indicators of compromise into their network security monitoring systems, rather than having to wait for a vendor to do it for them.
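What “make immediate use of new intelligence” looks like in practice is an indicator store you can reload the moment a new feed arrives and then sweep across your own traffic logs. The script below is an added example, not code from the Mandiant post or from any Mandiant product: the IOC feed format (type,value,tag), the simplified proxy log layout (timestamp, client, method, URL, destination IP) and every indicator, hostname and address in it are constructed for the demo, using reserved documentation ranges rather than real infrastructure.

```python
"""Load network IOCs and sweep them across proxy logs; reload as new intel arrives.

Added example (not from the original post). Feed and log data are constructed.
"""
import ipaddress
import re

# Constructed IOC feed: type,value,tag. Addresses are RFC 5737 documentation ranges.
IOC_FEED = """\
# type,value,tag
domain,update-check.example.net,backdoor-c2
ipv4,198.51.100.0/24,staging-server
uri,/cgi-bin/viewer.cgi,backdoor-beacon
"""

# Constructed intel received later in the day; loaded without restarting anything.
NEW_INTEL = "domain,mail.example.org,webmail-harvest\n"

# Constructed proxy log: "timestamp client method url dst_ip", one request per line.
PROXY_LOG = """\
2009-12-17T14:02:11Z 10.1.4.22 GET http://www.example.com/index.html 192.0.2.80
2009-12-17T14:02:15Z 10.1.4.22 GET http://cdn.update-check.example.net/cfg.bin 203.0.113.10
2009-12-17T14:03:40Z 10.1.7.8 POST http://203.0.113.55/cgi-bin/viewer.cgi?id=7 203.0.113.55
2009-12-17T14:04:02Z 10.1.9.3 GET http://mail.example.org/owa/ 198.51.100.77
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
URL_RE = re.compile(r"^https?://([^/?#]+)(/[^?#]*)?", re.I)


class IndicatorSet:
    """In-memory IOC store that can be topped up whenever a new feed arrives."""

    def __init__(self):
        self.domains = []   # (domain, tag)
        self.networks = []  # (ip_network, tag)
        self.uris = []      # (path prefix, tag)

    def load(self, feed_text):
        """Add indicators from a feed; returns the number accepted."""
        added = 0
        for line in feed_text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            parts = [p.strip() for p in line.split(",", 2)]
            if len(parts) != 3:
                continue  # malformed line: skip, never abort a feed load
            kind, value, tag = parts
            if kind == "domain":
                self.domains.append((value.lower().rstrip("."), tag))
            elif kind == "ipv4":
                # strict=False accepts a host address with a mask, e.g. 198.51.100.7/24
                self.networks.append((ipaddress.ip_network(value, strict=False), tag))
            elif kind == "uri":
                self.uris.append((value, tag))
            else:
                continue  # unknown indicator type
            added += 1
        return added

    def match_line(self, line):
        """Return (client, ioc_type, indicator, tag) hits for a single log line."""
        m = LOG_RE.match(line.strip())
        if not m:
            return []
        _ts, client, _method, url, dst = m.groups()
        u = URL_RE.match(url)
        host = u.group(1).split(":")[0].lower() if u else ""
        path = (u.group(2) or "/") if u else ""
        hits = []
        # A domain IOC matches the host itself and any subdomain under it.
        for dom, tag in self.domains:
            if host == dom or host.endswith("." + dom):
                hits.append((client, "domain", dom, tag))
        try:
            ip = ipaddress.ip_address(dst)
        except ValueError:
            ip = None
        for net, tag in self.networks:
            if ip is not None and ip in net:
                hits.append((client, "ipv4", str(net), tag))
        # URI IOCs match as path prefixes so a changing query string does not hide them.
        for prefix, tag in self.uris:
            if path.startswith(prefix):
                hits.append((client, "uri", prefix, tag))
        return hits

    def scan(self, log_text):
        """Sweep a whole log; returns every hit in log order."""
        hits = []
        for line in log_text.splitlines():
            hits.extend(self.match_line(line))
        return hits


if __name__ == "__main__":
    iocs = IndicatorSet()
    iocs.load(IOC_FEED)
    for hit in iocs.scan(PROXY_LOG):
        print(hit)
    iocs.load(NEW_INTEL)          # new intel arrives: reload and re-sweep
    print(len(iocs.scan(PROXY_LOG)), "hits after loading new intel")
```

The point of the `load`/`scan` split is that adding intelligence is cheap and the sweep is repeatable: the same history can be re-run every time a feed updates, which is exactly the capability the paragraph above says the best defenders have in-house.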

When responding to the APT, would it be acceptable to pull the Internet connection at perimeter so you can perform analysis without the fear of the attacker making further changes?

Removing yourself from the Internet is part of any remediation plan. If you’re going for a technical knockout rather than a bunch of daily fire drills, at some point you will have to disconnect from the Internet to carry out the plan.

So, when is the right time to do that? Not at the onset, when you have no idea what the Indicators of Compromise (IOCs) are. You need to wait until you’re able to detect evil reliably and audit whether your remediation was successful.

We recommend that you don’t immediately unplug yourself from the Internet, unless your business doesn’t allow you to operate in any state of compromise whatsoever. But, if you have the time to prepare remediation with tact and elegance, spend the extra week (or two, or four) to fully understand the scope of the compromise before you act.

Here’s why: if you have 45 backdoors on your network, and you only remove 44, you’re still compromised the minute you turn the Internet back on. Another problem: if you manage to remove all 45 backdoors but the attackers are still just logging in to your VPN, using your valid credentials, your remediation will be just as ineffective.

In order to win, you have to change, in concert and across all business lines, every passphrase that is in use, and get all the backdoors off the network. The best way to do that is to unplug from the Internet at the same time you do the new password rollout and get rid of all the backdoors.

When are we going to see an upgrade to Red Curtain that looks at MFT date discrepancies?

We’re not planning that feature for Red Curtain at this time, partially because Red Curtain just uses regular file system access routines and doesn’t parse the MFT. (And remember, Red Curtain wasn’t made to be forensically sound, so run it on a working copy if you’re concerned about that.)

However, we have added $FILENAME timestamp gathering to a MANDIANT Intelligent Response agent that we expect to release in the next couple of months.