Who left the backdoor open?
By Trellix · March 28, 2022
In our recent report, In the Crosshairs: Companies and Nation-State Cyber Threats, over 800 IT decision makers from around the world were interviewed on their experiences with nation-state cyber attacks. One of the questions sought to understand whether organizations can detect ‘leave behinds’ from nation-state actors. Surprisingly, almost 72 percent of the respondents were able to detect these ‘leave behinds’ but had low to medium confidence in determining their function or origin. When we talk about ‘leave behinds,’ what we mean are backdoors in the shape of malware, created accounts, scheduled tasks on compromised machines, added or altered registry settings, or toolkits that were uploaded and distributed in the network. In a case we covered previously (Operation Harvest), we dealt with a long-term nation-state attacker in a victim’s network.
During the investigation, we isolated the network and monitored the incoming and outgoing traffic for any suspicious activity. Meanwhile, reversing and dynamic analysis of the first discovered malware samples produced several indicators, which were fed into SIEM/EDR/XDR to hunt for the systems in the network exhibiting those indicators. Some of the key systems were forensically examined (for example via a memory dump), and piece by piece, evidence of the tooling used and of the Command-and-Control servers, including timestamps, was uncovered.
Mapping the findings onto the MITRE ATT&CK framework and comparing them with historical intelligence in our database revealed two candidates for the nation-state group behind the attack. Using the MITRE ATT&CK profiles of those two candidates, we were able to determine the steps the actor might have taken, and we discovered more evidence we could clean up: created accounts, a few new versions of backdoors running in memory, and additions to the Active Directory. Importantly, after the clean-up actions the specific network segment was actively monitored to keep an eye out for suspicious activities.
With DFIR DNA in my blood and some of the largest nation-state investigations under my belt, it surprised me that companies have only low to medium confidence in determining the function and origin of the files they find. With all the progress made in the security industry around technology such as EDR and XDR, why are we still struggling to detect the remnants of a cyberattack? I do understand that we won’t always have tools aware of the latest malware. Organizations are also faced with outdated tools and inexperienced talent or shortages of talent. Not everyone has the luxury of dedicated and experienced reverse engineers, but detonating suspicious files in an isolated environment, or sandboxing, is a long-established practice and technology. The question arises: is the inability to determine who is responsible for a cyberattack due to a lack of experience/skills, a lack of time, a lack of technology, or improper use of the technology that was bought? My bet (and experience) would be a mix of those components. And to be fair and honest, it is not always easy to find these remnants or to have the experience.
Often the information needed to detect the ‘leave behinds’ is there, but isolated. For example, in the case explained above, parts of the digital evidence were present in the EDR solution, some traces were found in the Active Directory, and the mail gateway had the spear-phishing emails, but no correlation was made between the events. This is where XDR comes into play as an important tool for organizations to determine attribution and remediate incidents. The Trellix XDR platform is an example of a product that removes the siloed traces and automatically aggregates and analyzes the events to arrive at a critical alert that must be attended to. Living security is constantly monitoring across your control points during and after the attack to find malicious traces.
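As an added example (not code from the original post or from Trellix XDR), this is the kind of correlation the paragraph describes: mail-gateway, EDR and Active Directory events for the same user are clustered inside a time window and only a cluster that spans more than one source raises an alert. All events are constructed sample data; the field names, the four-hour window and the keyword-to-ATT&CK mapping are assumptions.

```python
# Correlating siloed traces (mail gateway, EDR, Active Directory) into one alert.
# All events are constructed; field names and the ATT&CK mapping are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS = [  # constructed sample events from three normally separate sources
    {"src": "mail", "ts": "2022-03-01T08:02:00", "user": "jdoe",
     "host": None, "detail": "spear-phishing attachment quarantined"},
    {"src": "edr", "ts": "2022-03-01T08:10:00", "user": "jdoe",
     "host": "WS-17", "detail": "schtasks.exe created task 'Updater'"},
    {"src": "edr", "ts": "2022-03-01T08:11:00", "user": "jdoe",
     "host": "WS-17", "detail": "registry Run key modified"},
    {"src": "ad", "ts": "2022-03-01T09:30:00", "user": "jdoe",
     "host": "DC-01", "detail": "new domain account 'svc_backup' created"},
    {"src": "edr", "ts": "2022-03-05T12:00:00", "user": "asmith",
     "host": "WS-22", "detail": "schtasks.exe created task 'Backup'"},
]

# Assumed keyword mapping to MITRE ATT&CK technique IDs (the IDs are real).
TECHNIQUES = {
    "spear-phishing": "T1566.001",      # Phishing: Spearphishing Attachment
    "schtasks.exe": "T1053.005",        # Scheduled Task/Job: Scheduled Task
    "registry Run key": "T1112",        # Modify Registry
    "new domain account": "T1136.002",  # Create Account: Domain Account
}

def technique_for(detail):
    return next((t for k, t in TECHNIQUES.items() if k in detail), None)

def ts(event):
    return datetime.fromisoformat(event["ts"])

def correlate(events, window=timedelta(hours=4), min_sources=2):
    """Cluster each user's events so every event lies within `window` of the
    cluster's first event; emit one alert per cluster that spans at least
    `min_sources` distinct sources. A lone single-source hit never alerts."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        cluster = []
        for e in evs + [None]:  # None is a sentinel that flushes the last cluster
            if e and cluster and ts(e) - ts(cluster[0]) <= window:
                cluster.append(e)
                continue
            if cluster and len({c["src"] for c in cluster}) >= min_sources:
                techs = {technique_for(c["detail"]) for c in cluster}
                techs.discard(None)
                alerts.append({"user": user,
                               "hosts": sorted({c["host"] for c in cluster if c["host"]}),
                               "sources": sorted({c["src"] for c in cluster}),
                               "techniques": sorted(techs)})
            cluster = [e] if e else []
    return alerts
```

Running `correlate(EVENTS)` yields a single alert for jdoe spanning all three sources, while asmith's lone scheduled task stays below the threshold.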