Case Study:
A Multinational Conglomerate Discovers and Shuts Down a Major APT
cybereason
The Customer
International conglomerate with several thousand employees and annual revenue in the billions of dollars.
The Problem
The security team could not find substantial evidence to confirm their suspicions that a major hack had occurred.
The Bottom Line
The customer detected a sophisticated targeted attack and understood its various elements immediately after deploying Cybereason™.
After the attack was discovered, the customer removed the infected machines and rolled out a remediation plan in fewer than 10 hours.
The company eventually rolled out Cybereason as the main detection platform across all its business units.
Background
Often, early in the attack lifecycle and long before the CISO has to answer difficult questions such as "why wasn't this breach detected faster?", security teams have a hunch that something is wrong. They lack evidence, but they know something is not quite right in their IT environment.
This was the case when a large multinational company approached Cybereason, suspecting
that they were under attack. The organization, which has annual revenue in the billions of
dollars, believed an outside entity had accessed large repositories of sensitive and
proprietary information, potentially compromising customer data and intellectual property.
However, the company only had a few vague indications that something was awry. Without
concrete evidence to use as a starting point for incident response, the security team was
preparing for a cold hunting exercise.
The security team decided to deploy Cybereason's endpoint sensors to tens of thousands of endpoints, using Cybereason's cloud-based server infrastructure to speed up deployment. The rollout took a few hours and was seamless; the sensors immediately started collecting and transmitting information in real time to Cybereason's centralized Malop Hunting Engine. This occurred without impeding business operations or hindering employee productivity.
Detecting an ongoing malicious campaign
The Cybereason platform automatically detected the attack, confirming the company's suspicions. Their defenses had indeed been breached, and they were in the midst of a major attack that had started months earlier.
Cybereason had quickly discovered multiple indicators of malicious activity: code injection
into LSASS (Local Security Authority Subsystem Service) as part of credential theft, using
WMI (Windows Management Instrumentation) for lateral movement, running interactive
command shells and a preference for using suspicious but legitimate administration tools.
The security team used the platform’s investigation capabilities to get the complete attack
picture, providing them with a strong starting point as they analyzed the threat.
Figure 1: Cybereason shows code injection by cce.exe to lsass to carry out credential theft.
Malicious activity masked by using authentic tools
The attackers had been able to infiltrate the company even though it had strong security measures. For example, it had rigorous procedures for assigning administrator credentials and a robust cyber-security plan in place. However, even the most sophisticated prevention measures will fail when pitted against a highly motivated attacker.
Using the Cybereason platform, the security team traced the initial endpoint compromise to the malware known as "PlugX", a remote access trojan that had been delivered via socially engineered phishing emails to gain a foothold in the company's network.
With that information, the security team used Cybereason’s platform to assemble a
complete attack story. The attack had the telltale signs of an APT. For instance, the hackers
used legitimate Microsoft tools to move around the organization.
Figure 2a: The Cybereason platform discovered that malware known as “PlugX” caused the initial endpoint penetration.
Figure 2b: The PlugX detection in VirusTotal for the mso.dll file.
Detecting the attacker's deceptive techniques
Attackers often prefer legitimate, widely used administration tools because these are not flagged as malicious by antivirus programs, which lets the attack avoid detection and continue unimpeded.
The Cybereason platform, however, is designed to detect these tactics. It takes a
comprehensive view of an IT environment, and looks at all the activity occurring to
determine if seemingly benign actions have more malicious motives.
In this case, the attackers were using built-in Microsoft tools to carry out malicious activity. For example, they used Netsh to alter Windows Firewall rules so their traffic could pass, and native SQL command-line utilities to dump databases. They also used WMI to move from computer to computer inside the organization.
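The indicators listed above (a non-system process opening LSASS with injection-capable rights, WMI spawning shells on remote hosts, Netsh firewall changes, and native SQL clients exporting data) can each be expressed as a simple rule over endpoint telemetry. The following is an added illustration, not Cybereason code and not from the case study's environment: it models records on Sysmon Event ID 1 (ProcessCreate) and Event ID 10 (ProcessAccess) fields, runs four checks over a constructed sample of events, and returns the findings. The allow-list of processes permitted to open lsass.exe, the `cce.exe` path, host names and command lines are all assumptions made up for the example.

```python
"""Toy detection rules for the tradecraft described in this case study.

Added example, not Cybereason's detection logic. Event dicts mimic Sysmon
EID 1 (ProcessCreate) and EID 10 (ProcessAccess) fields; all sample data
below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Win32 process access rights that allow reading/writing LSASS memory or
# injecting a thread into it (credential theft or code injection).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
LSASS_SUSPICIOUS_MASK = (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION
                         | PROCESS_VM_READ | PROCESS_VM_WRITE)

# Assumed allow-list of processes that legitimately open lsass.exe with
# such rights; tune to your own OS build, AV and EDR agents.
LSASS_ALLOWED_SOURCES = {"csrss.exe", "wininit.exe", "services.exe",
                         "msmpeng.exe", "svchost.exe"}

# Shells and script hosts typically spawned by remote Win32_Process.Create.
WMI_SPAWN_WATCH = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                   "rundll32.exe", "regsvr32.exe", "mshta.exe"}

SQL_CLIENTS = {"sqlcmd.exe", "bcp.exe", "osql.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def check_lsass_access(ev: dict) -> Finding | None:
    """EID 10: non-allow-listed process opened lsass.exe with memory or
    thread rights (mimics the cce.exe -> lsass injection in Figure 1)."""
    if ev.get("EventID") != 10 or _basename(ev["TargetImage"]) != "lsass.exe":
        return None
    source = _basename(ev["SourceImage"])
    granted = int(ev["GrantedAccess"], 16)
    if source in LSASS_ALLOWED_SOURCES or not granted & LSASS_SUSPICIOUS_MASK:
        return None
    return Finding("lsass_access", ev["Computer"],
                   f"{source} opened lsass.exe with 0x{granted:X}")


def check_wmi_lateral(ev: dict) -> Finding | None:
    """EID 1: WmiPrvSE.exe as parent of a shell is the receiving side of
    WMI-based remote process creation (lateral movement)."""
    if ev.get("EventID") != 1:
        return None
    if (_basename(ev.get("ParentImage", "")) == "wmiprvse.exe"
            and _basename(ev["Image"]) in WMI_SPAWN_WATCH):
        return Finding("wmi_lateral_movement", ev["Computer"],
                       f"WmiPrvSE.exe spawned: {ev['CommandLine']}")
    return None


def check_netsh_firewall(ev: dict) -> Finding | None:
    """EID 1: netsh adding or changing a Windows Firewall rule."""
    if ev.get("EventID") != 1 or _basename(ev["Image"]) != "netsh.exe":
        return None
    cmd = ev["CommandLine"].lower()
    if "firewall" in cmd and any(k in cmd for k in ("add", "set", "portopening")):
        return Finding("netsh_firewall_change", ev["Computer"], ev["CommandLine"])
    return None


def check_sql_dump(ev: dict) -> Finding | None:
    """EID 1: native SQL client writing query results or a table to disk."""
    if ev.get("EventID") != 1 or _basename(ev["Image"]) not in SQL_CLIENTS:
        return None
    cmd = ev["CommandLine"].lower()
    if any(k in cmd for k in (" queryout ", " out ", " -o ")):
        return Finding("sql_bulk_export", ev["Computer"], ev["CommandLine"])
    return None


CHECKS = (check_lsass_access, check_wmi_lateral, check_netsh_firewall, check_sql_dump)


def detect(events) -> list[Finding]:
    """Run every check over every event, in order, and collect the hits."""
    return [f for ev in events for chk in CHECKS if (f := chk(ev)) is not None]


# Constructed sample telemetry (hosts, paths and command lines are invented).
SAMPLE_EVENTS = [
    {"EventID": 10, "Computer": "WS-042", "SourceImage": r"C:\Users\Public\cce.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "Computer": "WS-042", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"EventID": 1, "Computer": "FS-01", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c whoami > C:\Windows\Temp\o.txt"},
    {"EventID": 1, "Computer": "FS-01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="svc" dir=in action=allow protocol=TCP localport=4444'},
    {"EventID": 1, "Computer": "DB-07", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\bcp.exe",
     "CommandLine": r"bcp crm.dbo.customers out C:\Windows\Temp\c.dat -c -T"},
    {"EventID": 1, "Computer": "WS-042", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Each rule alone is noisy (administrators also run netsh and bcp); the value, as the case study's own narrative shows, is in correlating them per host and per user into a single attack story, which here is left to whatever consumes the `Finding` list.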
"With Cybereason, I can sleep at night" - security team manager
Figure 3: Malicious mso.dll detection in the Cybereason platform.
Showing the attack story in real time, command by command
The platform detected the attacker's tactics: using WMI for lateral movement and stealing administrative credentials to gain greater access. Using Cybereason, the security team was able to show that the hackers used a customized RAT (remote access trojan) to take control of the target's environment. Through the RAT, they employed an interactive shell to run commands. The security team used the platform to follow the hackers' actions as they carried them out, including the exact commands they typed. From the typos in those commands, a security analyst even inferred that the hackers were not native English speakers. The security team then expanded its search to all machines that displayed this attack pattern.
Password changes are useless after hackers compromise a domain controller
Ultimately, the security team found 12 compromised machines, including a domain controller. This gave the hackers access to every user name and password the organization used. The company had recently made all its employees change their passwords over fears of the suspected breach. However, since the hackers controlled the organization's domain controller, they could simply harvest the new credentials as well, making the change useless. Credential resets only help once the attacker's access to the domain controller has actually been removed; done before eviction, they merely hand the attacker a fresh set of credentials.
Ten hours after the initial discovery, the security team removed the infected machines from the network and wiped them. Next, they rolled out a remediation plan and used the Cybereason platform to continue monitoring for other suspicious activity; no further malicious activity was detected. The company decided to roll out Cybereason across all its business units, making the platform its main method for monitoring, detecting and responding to threats.
Figure 4: The attackers used legitimate tools to access the company’s internal network, which Cybereason detected.
Cybereason was founded in 2012 by a team of ex-military cybersecurity experts to revolutionize detection and response to cyber attacks. The Cybereason Malop Hunting Engine identifies signature and non-signature based attacks using big data, behavioral analytics, and machine learning. The Incident Response console provides security teams with an at-your-fingertips view of the complete attack story, including the attack's timeline, root cause, adversarial activity and tools, inbound and outbound communication used by the hackers, as well as affected endpoints and users. This eliminates the need for manual investigation and radically reduces response time for security teams. The platform is available as an on-premises solution or a cloud-based service. Cybereason is privately held and headquartered in Boston, MA with offices in Tel Aviv, Israel. © All Rights Reserved. Cybereason 2016