A good CISO always looks for ways to increase the skills of staff – in fact, it’s a necessity given the constantly changing threat landscape.
One way to flex the muscles of the threat hunting team might be to take a look at a blog this week from Jeff White of Palo Alto Networks’ Unit 42 threat intelligence team, who writes about how he investigated another in a long series of PowerShell attacks. Except this one was different.
So instead of being satisfied with figuring how it worked he went further and discovered the infrastructure behind the attack including 707 IP’s and 2,611 domains being utilized for malicious activity. White writes that he ended up finding “a collection of compromised websites, compromised registrar accounts used to spin up subdomains, domains used by malware DGAs (domain generation algorithms), phishing kits, carding forums, malware C2 sites, and a slew of other domains that revolve around criminal activity.”
That’s some useful intel for your organization, and, if you’re part of an intelligence sharing network, the kind of thing that will get Brownie points with colleagues.
White wasn’t available for an interview, but Christopher Budd, Unit 42’s senior threat communications manager, was able to talk for a few minutes.
“What Jeff did in essence was follow a hunch,” he said. “He saw something that looked a little bit off.”
In this case he started by finding URLs where PowerShell was able to download a payload, which led to discovering HTTP requests matching known patterns for a banking Trojan named Chthonic, which is a variant of the Zeus malware, and another Trojan named Nymaim. The majority of the malware came from four sites.
Using Maltego, a data mining tool that creates relationship graphs White was able to create a map showing over 700 IP addresses are shared between the four domains. These address lead to other sites hosting malware.
This summary simplifies his work (and it doesn’t indicate how long it took), but those who want a primer on how to do serious threat investigation, as well as how threat actors set up their infrastructure, it’s a good source.
White’s work began looking into an attack that leveraged PowerShell, a frequent target of threat actors. That begs the question of how to shut that door?
Defence in depth, says Budd. “A platform-based approach that applies multiple layers of protection is your best bet. If you just focus on securing PowerShell, all that effort — and it would take a lot of effort to close off what amounts to one vector — means you are not spending that effort on steps that could apply to other vectors at the same time. Especially for smaller shops.”