Who left the backdoor open?
By Trellix · March 28, 2022
In our recent report, In the Crosshairs: Companies and Nation-State Cyber Threats, over 800 IT decision makers from around the world were interviewed on their experiences with nation-state cyber attacks. One of the questions sought to understand whether organizations can detect ‘leave behinds’ from nation-state actors. Surprisingly, almost 72 percent of the respondents were able to detect these ‘leave behinds’ but had low to medium confidence in determining their function or origin. By ‘leave behinds’ we mean backdoors in the shape of malware, created accounts, scheduled tasks on compromised machines, added or altered registry settings, or toolkits that were uploaded and distributed in the network. In a case we covered previously (Operation Harvest), we dealt with a long-term nation-state attacker in a victim’s network.
During the investigation, we isolated the network and monitored the incoming and outgoing traffic for any suspicious activity. Meanwhile, reversing and dynamic analysis of the first discovered malware samples produced several indicators, which were fed into the SIEM/EDR/XDR to hunt for the systems in the network exhibiting them. Some of the key systems were forensically examined (for example via a memory dump), and piece by piece, evidence of the tooling used and of the Command-and-Control servers, including timestamps, was uncovered.
Mapping the findings onto the MITRE ATT&CK framework and comparing them with historical intelligence in our database revealed two candidates for the nation-state group behind the attack. Using the MITRE ATT&CK profiles of those two candidates again, we were able to determine the steps the actor was likely to have taken, and we discovered more evidence to clean up: created accounts, a few new versions of backdoors running in memory, and additions to the Active Directory. Importantly, after the clean-up actions the specific network segment was actively monitored to keep an eye out for suspicious activity.
With DFIR DNA in my blood and some of the largest nation-state investigations under my belt, it was a surprise to me that companies have only low to medium confidence in determining the function and origin of the files they find. With all the progress made in the security industry around technology such as EDR and XDR, why are we still struggling to detect the remnants of a cyberattack? I do understand that we won’t always have tools aware of the latest malware. Organizations are also faced with outdated tools and inexperienced talent or shortages of talent. Not everyone has the luxury of having dedicated and experienced reverse engineers, but detonating suspicious files in an isolated environment, or sandboxing, are long-established practices and technologies. The question arises: is the inability to determine who is responsible for a cyberattack due to a lack of experience/skills, a lack of time, a lack of technology, or improper use of the technology that was bought? My bet (and experience) would be a mix of those components. And to be fair and honest, it is not always easy to find these remnants or to have the experience to do so.
Often the information to detect the ‘leave behinds’ is there, but isolated. For example, in the case explained above, parts of the digital evidence were present in the EDR solution, some traces were found in the Active Directory, and the mail gateway had the spear-phishing emails, but no correlation was made between the events. This is where XDR comes into play as an important tool for organizations to determine attribution and remediate incidents. The Trellix XDR platform is an example of a product that removes the siloed traces and automatically aggregates and analyzes the events to arrive at a critical alert that must be attended to. Living security is constantly monitoring across your control points during and after the attack to find malicious traces.
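As an added illustration of the correlation step described above (example code written for this page, not Trellix's own XDR logic): a minimal correlator that joins constructed mail-gateway, EDR and Active Directory events on the same user inside a time window, so that three low-confidence traces become one alert. The event fields, sources and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three siloed sources (not real telemetry).
# Each record carries its source, an ISO timestamp and the user it concerns.
EVENTS = [
    {"source": "mailgw", "ts": "2022-03-01T08:02:00", "user": "j.doe",
     "detail": "spear-phishing attachment delivered"},
    {"source": "edr", "ts": "2022-03-01T08:15:00", "user": "j.doe",
     "host": "ws-17", "detail": "suspicious child process of Office document"},
    {"source": "ad", "ts": "2022-03-01T09:40:00", "user": "j.doe",
     "detail": "new account svc-backup created by j.doe"},
    {"source": "edr", "ts": "2022-03-03T10:00:00", "user": "a.smith",
     "host": "ws-02", "detail": "heuristic hit on macro"},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the constructed events."""
    return datetime.fromisoformat(value)


def correlate(events, window=timedelta(hours=24), min_sources=3):
    """Group events per user and raise one alert when events from at least
    `min_sources` distinct sources fall within `window` of an anchor event.
    A lone EDR hit or a lone account creation never reaches the threshold;
    the same traces seen together across silos do."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for i, anchor in enumerate(evs):
            start = parse_ts(anchor["ts"])
            chain = [anchor] + [e for e in evs[i + 1:]
                                if parse_ts(e["ts"]) - start <= window]
            sources = {e["source"] for e in chain}
            if len(sources) >= min_sources:
                alerts.append({"user": user, "sources": sorted(sources),
                               "chain": [e["detail"] for e in chain]})
                break  # one alert per user is enough for the analyst queue
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert["user"], alert["sources"], *alert["chain"], sep="\n  ")
```

Lowering `min_sources` to 1 reproduces the siloed behaviour the text criticises: every single-source trace becomes its own alert, including the unrelated heuristic hit for a.smith.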