Team Acalvio | December 22, 2016
Honeypots’ Evolution: The Future Changes (Part 3) – Acalvio
In days gone past (and arguably in the current timeline we occupy) I would simply launch from the existing machine like an Olympic diver off the high board and go about my merry way for an “industrial average” of 200 days or thereabouts before ANYONE even knows or detects my presence. That’s 200 days of us, in your systems, harvesting data, reviewing files, modifying data sets, exfiltrating anything and everything we need. That’s akin to having a team of security professionals doing a penetration test against your systems for over 6 months… However, the rules are about to change, and the future IS looking a lot bleaker for the attackers.

The honeypot is back…with a vengeance and a whole slew of new tools it’s about to unveil. No longer does the honeypot sit on your network looking like a beacon in the darkness, no longer does the honeypot come in one or two different flavors that an attacker knows by heart, no longer does the honeypot have too many open ports, or too few, or sit there set up with Windows 7 when your enterprise runs 8… The honeypots we now have are nasty, deceptive and are out for revenge. They are not really honeypots; those would be considered static, a simple vessel for holding something. The new tools have taken a leaf (or in the case of Acalvio they’ve borrowed a whole Dionaea muscipula) out of Mother Nature’s rulebook and have gone to the SEAL BUD/S school. This new deceptive technology is the equivalent of electronic camouflage. From the outset, even before being introduced to the eventual environment it WILL protect, it knows the industries it’s working in. It understands the differences between healthcare and financial systems, it knows that a Windows 7 machine looks different than a Windows 8 system, and it knows that a developer machine looks like a more inviting target than a regular desk-bound office person.

The deceptive system also knows that it takes a lot more than an open Telnet port to entice a nibble from the attacker. This is why it is able to deploy multiple types of lures scattered throughout the enterprise, from Registry entries that mimic elevated user accounts, to files on shares, to folders on systems. It can deploy these in a manner that not only blends into your enterprise but also doesn’t interfere with it. It also understands what good behavior is, as it’s learning on the fly from your SIEM/log systems. This technology that is protecting your environment knows and adapts its defenses based on a number of algorithmic formulas that are updated to reflect the ever-changing attack landscape. It understands that the currency of the attacker is data and that too much of it in the wrong place will cause the attacker to quietly remove themselves from the situation; however, with the right FTP server, PeopleSoft, Oracle or SAP instance the attacker can be led along a series of avenues that both mask the valuable data the corporation is trying to protect and allow enterprises or government entities to better understand the attack patterns of what is now simply an adversary trapped in a polymorphic maze.

Now, at this point any seasoned attacker (be they automated or human) has run sufficient checks against all their target systems to validate their configuration, their architecture and whether they are real, fake or possibly an elaborate emulation. This is where the art of deception has taken on a new life. Initial interactions with any of the lures (be they simple files, folders, FTP instances, all the way up to fully blown server instances) have been tuned to such an extent that any number of known validation checks will pass…even on the more complex systems. Taking notes from Mother Nature and the last 100 years of camouflage research, we can conclude that humans do not decode visual and technical information as efficiently as we think we do.

A broken pattern, or a confusion of depth and flatness caused by illusory shadows, or just a subtle blending of information can make the visible invisible. This technique is applied to the electronic realm in a manner that allows those lures to appear “real” and pass all the validation checks; therefore our attacker continues along OUR chosen path. It is worth noting at this point that our attacker has already tripped several alarms within the enterprise: from the time they accessed the stored and cached credentials on their initial compromised PC (one of our lures), to checking the file server for industry-specific files (ours were blended into the report server output folder), through to the several FTP and Telnet sessions they opened. Not to mention that the attacker is currently working their way through one of our full deceptions in full view of the enterprise security team. The one area we have to acknowledge is that deception and camouflage have two purposes:

Hiding the real systems and data:
- Core/key data stores
- Critical systems that can’t be secured
- Edge systems in foreign countries
- Critical machines
- Applications

Showing the false systems and data:
- Hosts
- Services
- etc.
Team Acalvio | December 12, 2016
Looking Deeper into a Multi Stage Attack
The majority of today’s breaches are comprised of sophisticated multi-stage attacks. The stages of such attacks can best be described by a “Cyber Kill Chain”, which breaks down cyber intrusions into the following steps: Recon → Weaponize → Deliver → Exploit → Install → Command & Control → Action. Most inline or endpoint protection products have the capability to detect one of the stages of an attack, but lack the ability to analyze the entire activity chain. This prevents security operations teams from seeing the full context of the attack. If one were to allow the attack to be played out completely, one could learn more about these threat actors, making it easier to stop future attacks.

In this blog, I will demonstrate this using a case study of a common attack. This particular attack was stopped by a perimeter-based device. Based upon the analysis of the attack, we will discuss internal security weaknesses in organizations. I will then discuss one of the recommended approaches for analyzing a multi-stage attack that is aimed at identification and remediation of the internal weak links in an organization.

Figure 1 shows a file titled “Verify.pdf”, which was stopped by an email filtering solution. Since there is a mismatch between the comment, which shows as Bank of America, and the email address, which shows as kolumbus.fi, the file is declared malicious and is quarantined.

Figure 1 – Malicious attachment detected by Email Filtering Solutions.

When the attached PDF file is dissected, as shown in figure 2, it can be seen that the file is making an HTTP request:

Figure 2 – HTTP request inside the PDF

If we do a quick search for the domain, as shown in figure 3, it is malicious and is detected by one vendor, Trustwave.

Figure 3 – VirusTotal detection of the embedded URL link

However, if we check for the endpoint detection of the PDF file, as per VirusTotal in figure 4, it evades 53 endpoint protection products.

Figure 4 – VirusTotal score for the file

Based upon this quick analysis of the stopped threat, it can be observed that even though the threat got stopped, there are many internal weak links in an organization:

- Detection of the malicious PDF downloader (as shown in figure 4) at the endpoint is missing. If the malicious PDF downloader had been able to reach the endpoint via some other delivery mechanism, it would have infected the organization.
- Detection of the malicious communication (as shown in figure 3) by the network inspection devices is almost non-existent, since true targeted attacks will contain a fresh, previously unknown C&C server that is not in any known blacklist.
- One of the key indicators used to detect the threat is the mismatch between the comment in the email address, “Bank of America”, and the email address itself, “kt1448@kolumbus.fi”. If the descriptor (Bank of America) were missing, the same attack might have been able to reach the endpoint via email. So the detection algorithm that stopped the attack can be bypassed by a variation of the attack.

These weak links can be exploited by other threat actors who leverage slight variants of the attack. Given that the majority of breaches these days involve multi-stage attacks, the recommended architecture for the analysis of a multi-stage threat is to have a threat analysis platform which allows execution and analysis of every stage of a threat. In order to determine if an entity is malicious, besides using analysis algorithms, the threat analysis platform must also leverage time-independent correlations, which give the ability to correlate events that happened before or after in a virtualized network, to classify an entity as malicious. In this way, each malicious entity which was part of the threat gets detected. Identification of every malicious entity of the threat will allow an organization to capture all the malicious indicators involved in a multi-stage attack, and not just the initial stages.

This can then be used to strengthen internal defenses in a more robust and comprehensive manner.
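The display-name versus sender-domain mismatch that quarantined this attachment, and the blind spot the post points out (no display name, no signal), as an added example that is not from the Acalvio post; the brand-to-domain table and the sample headers are constructed for illustration.

```python
# Added example (not from the Acalvio post): a From-header check for the
# display-name / sender-domain mismatch the post describes, and the gap
# the post notes: with no display name there is nothing to compare.
from email.utils import parseaddr

# Brand name -> domains that brand legitimately sends from (constructed table).
BRAND_DOMAINS = {
    "bank of america": {"bankofamerica.com"},
}


def check_from_header(from_header):
    """Return 'mismatch', 'ok' or 'no-signal' for one RFC 5322 From value."""
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    name = display_name.strip().lower()
    if not name or not domain:
        # The indicator depends on a display name being present at all;
        # a bare address gives this check nothing to work with.
        return "no-signal"
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name:
            return "ok" if domain in domains else "mismatch"
    # Display name does not claim a known brand: nothing to compare.
    return "no-signal"


# Constructed sample headers; the first mirrors the mismatch from the post.
SAMPLES = [
    "Bank of America <kt1448@kolumbus.fi>",
    "Bank of America <alerts@bankofamerica.com>",
    "kt1448@kolumbus.fi",
    "IT Helpdesk <help@example.org>",
]


def triage(headers=SAMPLES):
    """Map each header to its verdict, so a filter can act per message."""
    return {h: check_from_header(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in triage().items():
        print(f"{verdict:10} {header}")
```

The third sample is the same sender with the descriptor dropped and comes back as no-signal, which is exactly why this indicator has to be paired with endpoint and network-side detection rather than carry the decision alone.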
Team Acalvio | August 24, 2016
Announcing Acalvio’s Deception 2.0
Hello! Greetings from Acalvio! We are joining the fight to keep our enterprises safe from malicious activity. While the problem is old, our approach is new and innovative… read on!

The IT industry has paralleled our traditional approach for defending physical assets – build perimeter defenses. Walls, moats, doors, locks, identification, etc. are the motivation for the perimeter defenses that the security industry has spent its energy on. Lately, the advent of ubiquitous mobile connectivity, the proliferation of cloud services, the advent of IoT, and the quickening pace of IT change have made it clear that we cannot entirely depend on perimeter defenses. Furthermore, if any of the recent highly publicized security breaches are any indication, malicious activity is rampant. Studies tell us intruders are often active within the enterprise for as much as 200 days before they successfully exfiltrate data. Clearly we need a defense mechanism that takes into account the fact that malicious activity has already breached the perimeter.

Well, in the physical world, we solve this by using motion sensors inside our buildings. These catch successful penetrations of our perimeter defenses. We need motion sensors for our digital environments – to protect IT, IoT and so on. How do we build that? A natural instinct is to try to look for anomalies within the IT environment. Accomplishing this is a herculean task – we need to collect lots of event and log data, establish what is normal, and then what is left must be abnormal. Doing this at scale, with low false positives, is a very challenging task. The best efforts here can only yield a set of exceptions – potentially lots of them – and someone has to work through each of these to find the true anomalies. The effort it takes to sift through these “potential” alerts makes the exercise a rather futile one, and one quickly reaches the point of diminishing returns. Security Operations Centers are already inundated with signals. Sending more signals to process is not the most desirable solution.

There must be a better way! Can we invert the problem? Can we have the anomaly announce itself? Well, fortunately, there is a way. Deception. Nature (flora, fauna) has used deception very effectively for millions of years for survival and self-preservation. And humans have used it in warfare for thousands of years – since the days of Sun Tzu. The first successful use of deception in IT security that made an impression on me was by Cliff Stoll, an incredibly brilliant computer scientist at Lawrence Livermore National Lab, Berkeley, in 1986, where Stoll used honeypots to trap Russian intruders. This has been depicted in dramatic detail in his book, Cuckoo’s Egg. Since then, deception (usually in the form of honeypots) has been used extensively to ensnare threats on the public internet. However, for corporate IT departments, deception has seen application mainly in labs and science experiments, and has not seen the light of day in production-scale deployments. Why is this?

Simply put, the first generation of deception technologies – which we call Deception 1.0 – were simply not designed for success in the corporate network. Before the technology could be ready for widespread use, some key problems needed to be solved:

1. Automation – DevOps for Deception. Traditionally, the entire task of setting up, maintaining, and interpreting the results of honeypots fell on the administrator. No tools existed to automate these complex tasks.

2. Authentic or forget it. One of the age-old dictums is that spies must be able to blend into the territory they serve in order to be effective. The same is true here: decoys or deceptions need to be authentic and need to blend very naturally.

3. Staleness is the enemy of Deception. One thing we need to remember – attackers have no penalty for retrying. We can count on them doing that. The consequence of this is that, over several attempts, attackers can map out all the deceptions that are hosted within an enterprise. If they aren’t changing, from then on the deceptions are relics – they will be avoided.

4. Scale and Density are critical. The historic difficulty of deploying deceptions means they are normally deployed in small numbers, limiting their effectiveness.

To summarize, Deception 1.0 solutions established the potential. In order for them to be effective in enterprise-scale deployments, they need to address the above systemic areas. This is precisely what we at Acalvio are doing with our Deception 2.0 solution. Calvio in Latin means deception. At Acalvio, we are focused on delivering Active Deception solutions to address the needs of Advanced Threat Defense. We are excited to be launching innovative products based on patented technologies that can deliver timely and effective detection, are cost effective, and can be deployed at DevOps scale.

I would like to thank you for your interest in Acalvio. Check back here, where I will keep you briefed on key developments on our front. Thank you.

Ram, co-founder, CEO