Who left the backdoor open?

By Trellix · March 28, 2022

In our recent report, In the Crosshairs: Companies and Nation-State Cyber Threats, over 800 IT decision makers from around the world were interviewed on their experiences with nation-state cyber attacks. One of the questions sought to understand if organizations can detect ‘leave behinds’ from nation-state actors. Surprisingly, almost 72 percent of the respondents were able to detect these ‘leave behinds’ but had low to medium confidence in determining their function or origins. When we talk about ‘leave behinds,’ what we mean are backdoors in the shape of malware, created accounts, scheduled tasks on compromised machines, added or altered registry settings or, toolkits used that were uploaded and distributed in the network. In a case we covered previously (Operation Harvest), we dealt with a long-term nation-state attacker in a victim’s network.

During the investigation, we isolated the network and monitored the incoming and outgoing traffic for any suspicious activity. Meanwhile applying the knowledge of the first discovered malware samples, reversing and dynamic analysis resulted in several indicators that were the input for SIEM/EDR/XDR to hunt for which systems in the network were showcasing these indicators. Some of the key systems were forensically researched (like a memory dump) and piece by piece evidence was discovered of used tooling and Command-and-Control servers including timestamps.

Mapping the findings out over the MITRE ATT&CK framework and comparing it to historical intelligence in our database revealed two candidates for the nation-state group behind the attack. Using again the MITRE ATT&CK framework of those two candidates, we were able to determine steps the actor might have taken, and we discovered more evidence we could clean up: created accounts, a few new versions of backdoors running in memory and additions to the Active Directory. Important was that after the clean-up actions, the specific network segment was actively monitored to keep an eye out for suspicious activities.

With DFIR DNA in my blood and some of the largest nation-state investigations under my belt, companies having a low to medium confidence to determine the function and origin of the files found was a surprise to me. With all the progress made in the security industry around technology such as EDR and XDR for example, why are we still struggling to detect the remnants of a cyberattack? I do understand that we won’t always have tools aware of the latest malware. Organizations are also faced with outdated tools and inexperienced talent or shortages of talent. Not everyone has the luxury of having dedicated and experienced reverse engineers, but detonation of the suspicious files in an isolated environment or sandboxing are long-term existing practices and technology. The question is rising: is the inability to determine who is responsible for a cyberattack due to a lack of experience/skills, a lack of time, a lack of technology, or improperly using the bought technology? My bet (and experience) would be a mix of those components. And to be fair and honest, it is not always easy to find these remnants or having the experience.

Often the information to detect the ‘leave behinds’ is there, but isolated. For example, in the case explained above, digital evidence parts were present in the EDR solution, some traces were found in the Active directory, and the mail-gateway had the spear-phishing emails, but no correlation was made between the events. This is where XDR comes into play as an important tool for organizations to determine attribution and mediate incidents. The Trellix XDR platform is an example of a product that removes the siloed traces and automatically aggregates and analyzes the events to derive at a critical alert that must be attended to. Living security is constantly monitoring across your control points during and after the attack to find malicious traces.