Google Maps and an understanding of human nature were the tools a cunning threat actor needed to help break into a U.S. defence contractor.
This was one of the tales of lessons learned that incident responders recalled during a panel discussion this week at the annual OpenText World conference. It went like this:
The unnamed company had a “bulletproof” network, according to Aaron Goldstein, director of incident response at Arete Advisors. But somehow a threat actor got in. Goldstein had to find out how.
“It turned out after a long investigation that the threat actor tried to break in directly and that did not work,” he said. Instead, the threat actor looked on Google Maps for what was close to the company and found a restaurant across the street. Assuming employees ate there, the threat actor compromised the restaurant’s IT network, then sent an email with a malicious attachment purporting to be a menu offering lunch specials.
All it took was at least one employee opening the attachment, and the threat actor was able to launch an attack.
While the classic watering hole attack “caused a lot of harm,” Goldstein admitted that “it was pretty impressive they were able to pull something like that off.”
Lesson: Better awareness training and email filtering would have helped lower the odds of this attack succeeding, he said.
Brian Draper, senior incident response analyst at the U.S. Cybersecurity and Infrastructure Security Agency, recalled being called to help a medical supply firm complaining of “weird activity throughout their network.” Complicating the investigation was that the firm had offices around the world.
“I went through some server event logs and kept seeing the administrator account doing things,” Draper recalled, although the system administrator wasn’t in the office at the time.
“Found out they had an old Win2000 server domain they had migrated from years before that had been sitting in Iraq” that was still running. “It wasn’t being patched. Nobody even knew it was there.”
The old domain controller had been compromised. Unfortunately, it was still trusted by the new domain controller.
Lessons: Make sure decommissioned devices are turned off, and know everything that’s on your infrastructure.
“Attackers are going to look for anything they can get to,” Draper said. “They only have to get into one system. And then they can move to the next system, and the next. And before you know it they have a strong network presence.”
That last lesson was echoed by Goldstein’s experience over the years. Many victim organizations suffer from not knowing what hardware, software and data they have, he said, let alone all their security controls. “They might have a pretty good and secure core network, but they’re completely ignoring systems in the cloud or containers or their (application) dev systems. And oftentimes these overlooked systems are the ones threat actors gain access to and use that as a launching pad into the rest of their network. That’s something I see quite often, unfortunately.”
Data classification before a breach is vital if an organization hopes to understand what information has been copied in an attack, Goldstein added. “In some cases I’ve worked on I’ve lost two or three days of investigating time while a client reviews data stolen by the threat actor. Often a threat actor will give you a sample of the data that they’ve stolen … but it can take days to figure out where that data was stolen from. So being able to map out file shares, database applications and the user connectivity may not be a fun process. But if you do know where that data resides it makes your risk assessment of the incident response so much easier.”
Panelist Trevin Mowery, an OpenText lead solutions consultant, noted this is why the first stage of an incident response plan — preparation — is vital.
Another lesson Mowery passed on from his experience relates to ransomware: If your organization feels it has to pay up, make sure all tools used by the attacker have first been removed. “You got to make sure you close the door before you kick them out,” he said.
Otherwise, the attacker will be back.