Another major worldwide event (The Olympics) sabotaged by Cyber Security Threats
Are the hackers solely responsible or can some blame be laid at the so-called IT experts who are responsible for the Olympics infrastructure?
The blog below shows yet again the simplicity of the Tactics, Techniques and Procedures (TTPs) used by the attackers. We say "simple" because the publicly available information shows that the intrusion and malware techniques used are the same ones covered in many "teach yourself hacking" books found on Amazon.
Counterveil's Security Monitoring (Managed Detection & Response) has the capability to detect and remediate the TTPs that caught the Olympics infrastructure off guard. Our Blue Team training is also available to teach our customers and freelance trainee analysts how to detect these types of TTPs using enterprise-grade security monitoring tools such as ArcSight, QRadar and Splunk.
Here is a breakdown of some of the indicators and how Counterveil could have detected and remediated these attacks before the system outages occurred:
• Initial malware infection, dropper, or final-stage malware execution. We detect execution of unknown processes and triage them, using orchestration to interrogate the binary further. Counterveil's automation could have performed malware analysis, and automated remediation could have contained the rogue processes.
• The persistence techniques used by the attackers and their malware tools are easily detected and remediated by our orchestrated triage processes, which interrogate changes to the file system, the registry and process memory.
• The attackers' use of keylogging software would have been detected by our orchestration processes interrogating the loading of drivers and the injection of processes or DLLs into either user-mode processes or the kernel.
• The attackers' use of the Volume Shadow Copy Service (VSS) to delete shadow copies, and their changes to policy and configuration settings, are a clear sign of intrusion and are easily detected in Windows event logs, which are correlated with all the other information in Counterveil's MDR suite.
• The attackers' lateral movement using PsExec or WMI is easily detected in Windows event ID 4688 (process creation) once command-line auditing is enabled. Counterveil's baseline trend analysis of account usage would also have detected the duplicate and unusual use of user accounts (hijacked credentials) by the PsExec process, the WMI command, or net.exe (net use) commands.
Many of these techniques can be found by very simple triage analysis, without statistical machine learning or orchestration tools performing follow-up triage of the data. These indicators are plain to see in Windows event logs, assuming the correct audit policy is in place. A decent correlation or alerting tool can join these otherwise disjoint indicator events together to highlight the issue to security analysts so that action can be taken.
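To make the point above concrete, here is an added example (our own illustration, not code from Counterveil's product or the original post) of simple rule-based detection over Windows 4688 process-creation events, followed by the per-host correlation step the paragraph describes. The events and the account-to-host baseline are constructed samples, not real Olympics telemetry, and the dict layout is an assumption about how a SIEM might export the 4688 fields (NewProcessName, ParentProcessName, CommandLine, SubjectUserName). The rules cover shadow-copy deletion, disabling recovery, ADMIN$ share mounts, PsExec on both the source and target host, and WMI remote execution on both sides; a read-only `vssadmin list shadows` is included to show that the shadow-copy rule does not fire on it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4688-style events (not real telemetry). Field names
# follow the Security 4688 event; the dict export layout is an assumption.
SAMPLE_EVENTS = [
    {"time": "2018-02-09T20:01:10", "host": "ws01", "user": "svc_backup",
     "new_process": r"C:\Windows\System32\vssadmin.exe",
     "parent_process": r"C:\Windows\System32\cmd.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"time": "2018-02-09T20:01:12", "host": "ws01", "user": "svc_backup",
     "new_process": r"C:\Windows\System32\bcdedit.exe",
     "parent_process": r"C:\Windows\System32\cmd.exe",
     "command_line": "bcdedit /set {default} recoveryenabled No"},
    {"time": "2018-02-09T20:03:40", "host": "ws01", "user": "admin",
     "new_process": r"C:\Windows\System32\net.exe",
     "parent_process": r"C:\Windows\System32\cmd.exe",
     "command_line": r"net use \\ws02\ADMIN$ /user:admin"},
    {"time": "2018-02-09T20:04:05", "host": "ws01", "user": "admin",
     "new_process": r"C:\Tools\psexec.exe",
     "parent_process": r"C:\Windows\System32\cmd.exe",
     "command_line": r"psexec.exe \\ws02 -s cmd.exe"},
    {"time": "2018-02-09T20:04:07", "host": "ws02", "user": "admin",
     "new_process": r"C:\Windows\PSEXESVC.exe",
     "parent_process": r"C:\Windows\System32\services.exe",
     "command_line": r"C:\Windows\PSEXESVC.exe"},
    {"time": "2018-02-09T20:06:30", "host": "ws02", "user": "admin",
     "new_process": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent_process": r"C:\Windows\System32\cmd.exe",
     "command_line": r'wmic /node:ws03 process call create "cmd /c whoami"'},
    {"time": "2018-02-09T20:06:31", "host": "ws03", "user": "admin",
     "new_process": r"C:\Windows\System32\cmd.exe",
     "parent_process": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": "cmd /c whoami"},
    # Benign noise: a browser launch and a read-only VSS query on ws05.
    {"time": "2018-02-09T20:07:00", "host": "ws05", "user": "alice",
     "new_process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_process": r"C:\Windows\explorer.exe",
     "command_line": "chrome.exe"},
    {"time": "2018-02-09T20:08:00", "host": "ws05", "user": "alice",
     "new_process": r"C:\Windows\System32\vssadmin.exe",
     "parent_process": r"C:\Windows\System32\cmd.exe",
     "command_line": "vssadmin list shadows"},
]

# Constructed baseline: hosts on which each account normally creates processes.
BASELINE_HOSTS = {"admin": {"ws01"}, "svc_backup": {"srv-backup"}, "alice": {"ws05"}}

# Each rule is matched against "<parent> | <new process> | <command line>",
# so a rule can key on the parent/child pair as well as on the command line.
RULES = [
    ("shadow_copy_deletion",
     r"vssadmin\S*\s+delete\s+shadows|wmic\S*\s+shadowcopy\s+delete|wbadmin\S*\s+delete\s+catalog"),
    ("recovery_disabled", r"bcdedit\S*\s+/set\s+\{default\}\s+recoveryenabled\s+\bno\b"),
    ("admin_share_mount", r"net(1)?(\.exe)?\s+use\s+\\\\\S+\\(admin|c)\$"),
    ("psexec_source", r"\bpsexec(\.exe)?\s+\\\\"),            # operator side
    ("psexec_service", r"services\.exe\s\|\s\S*psexesvc\.exe"),  # target side
    ("wmi_remote_exec", r"wmic(\.exe)?\s+/node:"),             # operator side
    ("wmi_spawned_shell", r"wmiprvse\.exe\s\|\s\S*\\(cmd|powershell)\.exe"),  # target side
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]


def detect(event, baseline=BASELINE_HOSTS):
    """Return the names of every rule a single 4688 event trips."""
    haystack = f'{event["parent_process"]} | {event["new_process"]} | {event["command_line"]}'
    hits = [name for name, rx in COMPILED if rx.search(haystack)]
    # Baseline check: an account active on a host it never normally touches.
    if event["host"] not in baseline.get(event["user"], set()):
        hits.append("unusual_host_for_account")
    return hits


def correlate(events, window=timedelta(minutes=30), min_rules=2):
    """Join per-event hits by host. A host becomes an incident when at least
    min_rules distinct rules fire within `window` of that host's first hit."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        for rule in detect(ev):
            by_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), rule, ev["user"]))
    incidents = {}
    for host, hits in by_host.items():
        first = hits[0][0]
        in_window = [h for h in hits if h[0] - first <= window]
        rules = sorted({r for _, r, _ in in_window})
        if len(rules) >= min_rules:
            incidents[host] = {"rules": rules,
                               "accounts": sorted({u for _, _, u in in_window})}
    return incidents


if __name__ == "__main__":
    for host, info in correlate(SAMPLE_EVENTS).items():
        print(host, info)
```

Run on the constructed events, ws01 is flagged for shadow-copy deletion, recovery being disabled, an ADMIN$ mount and an outbound PsExec run; ws02 for the inbound PSEXESVC service plus outbound WMI; ws03 for a shell spawned under WmiPrvSE by an account that never normally logs on there; ws05 produces no hits at all. None of this needs machine learning, only the 4688 events with command-line auditing switched on and a place to join them per host.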
Counterveil’s detection, orchestrated triage and automation (MDR) tool suite would have found the hack with no human interaction and stopped it.
Counterveil offers penetration testing specifically designed to test your security through simulated attacks on your organization. We provide substantial evidence of vulnerabilities and recommendations for effective countermeasures. Give Counterveil a try!