
Case-Example

Case 1. Famous Retailer Data Breach

Case Overview

The Target Corporation is an American retailing company, founded in 1902 and headquartered in Minneapolis, Minnesota. It is the second largest discount retailer in the United States. Target operates 1,916 stores in the United States and also began operations in Canada in March 2013. In December 2013, a data breach of Target’s systems affected up to 110 million customers; the attackers stole around 110 million customers’ PII. Target had IDS/IPS and similar controls deployed and was PCI-DSS compliant, yet was still breached.

Case 2. Watering Hole Attack

Case Overview

A watering hole is an attack strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware. Eventually, some member of the targeted group will become infected [1].

In July 2012, several high-profile institutions (in the financial and tech sectors) were victimized by a watering hole attack.

Layout

Step 1. Stake out watering hole

The attacker inserts an iframe that redirects visitors to a 0-day malware download (the Gh0st RAT Trojan).

Case 3. Phishing against Google and Facebook

Case Overview

In summary, according to the US attorney’s office for the Southern District of New York, scammers stole over $100 million from Facebook and Google in a creative way: basically, they e-mailed the tech giants and asked for it. The scheme included setting up a fake business and sending phishing e-mails to employees of Facebook and Google, and it ultimately duped those multi-million dollar companies out of more than a hundred million dollars in total between 2013 and 2015.

Case 4. SANS Mock Case

Case Overview

Arya Stark gets an email, presumably from Direwolf, with an attachment. It looks suspicious, so she forwards it to Security.

Environment

Winterfell Server Network (192.168.10.0/24), consisting of a DNS server (192.168.10.230, ns1.winterfell.local, CentOS 7 with BIND) and a mail server (192.168.10.140, mail.winterfell.local, CentOS 7 with Postfix and Dovecot).

Winterfell Desktop Network (192.168.11.0/24), with IPs 192.168.11.101, 192.168.11.102, 192.168.11.103, 192.168.11.104 and 192.168.11.105; 192.168.11.105 is Security’s IP. All desktops run Windows 7 SP1 with MS Office 2010 installed. For a machine to be vulnerable to the attack steps below, Windows Firewall must be disabled and macros enabled for Office documents (Trust Center > Trust Center Settings > Macro Settings). Also, PsExec requires the DWORD called LocalAccountTokenFilterPolicy in the registry under

Case 5. IBM Example

Case Overview

Arya Stark gets an email, presumably from Direwolf, with an attachment. It looks suspicious, so she forwards it to Security.

Identify possible threats and attack vectors: a website hosting malicious content, waiting for a vulnerable browser. This can be countered with QRadar, McAfee ePolicy Orchestrator and a next-generation firewall.

In QRadar we see several alerts: a malicious URL detected, three possible DDoS events, and OAS (on-access scan) access denied events that keep recurring, preceded by a file infected alert.

Case 6. Home Depot PoS Attack

Case Overview

This attack started with stealing credentials from a vendor, using them to install malware on around 7,500 self-checkout POS terminals and then stealing data. It went unnoticed for 5 months (April - September 2014) and grabbed the data from 56 million credit and debit cards (useful for identity theft) and 53 million emails (useful for phishing). The investigation started on September 2nd, and on the 8th it was confirmed that the system had been breached. Home Depot also offered free credit services to affected customers who had used their payment cards as early as April 2014, and apologized for the data breach.

Case 7. Atlanta Ransomware Attack

Case Overview

On 22 March 2018 the City of Atlanta suffered a ransomware attack. Many devices at City Hall were shut down. SamSam ransomware was to blame. The attackers demanded $51000 and the city refused. The main devices were shut down for 5 days, and many operations returned to traditional handwriting 😊. Atlanta disabled WiFi at the airport up until the 2nd of April.

Timeline

22 March, 2018 - ransomware strikes.

May - online water bill payment restored.

Case 8. Kaseya Supply Chain Ransomware Attack

Case Overview

Timeline

Lessons Learned

References

[1] Kaseya Supply Chain Ransomware Attack - Technical Analysis of the REvil Payload

[2] Case updates and general information.

A Study in Black

Someone has violated corporate policy by watching porn on a corporate PC.

Do you have the authority?

What are the expected results?

Some prohibited internet traffic. Check the network logs of an application layer firewall 🔥 or content filter (any gateway between the suspect and the network) and filter them out. But what if the user was smart enough to use a VPN? An application layer firewall only sees application traffic; it is not aware of TCP, UDP and so on. Read this article about the TCP/IP stack to understand better why application layer firewalls won’t see anything other than what’s on top.

Case 1. IP Theft Linux Investigation

Nearly all of the company’s IP (intellectual property) has been recreated by a competitor. Investigate the development machine.

Potential data exfiltration.

  1. netstat -lpeanut shows that there are two DHCP clients running, one using an unusual port and user:


  2. ps aux | grep 40500 or ps aux | grep dhclient shows the running processes and sometimes the commands used to start them. This suspicious client was run from the /tmp folder:


  3. ls -la /tmp/ to see the file that was launched. But there is nothing there; it seems the file was deleted after being launched:

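The three steps above as a small POSIX shell triage script, added here as an example and not part of the original post: it parses a constructed netstat -lpeanut sample to flag dhclient listeners on unexpected ports or users, then walks /proc/PID/exe so that a launcher already deleted from /tmp can still be identified and preserved. The sample rows, PIDs, port 40500 and uid 1000 are constructed to mirror the case.

```shell
#!/bin/sh
# Added triage helper for the steps above (not from the original post).
# Assumes Linux: netstat -lpeanut output and /proc/PID/exe symlinks.

# Constructed sample of netstat -lpeanut output, modelled on the case:
# one legitimate dhclient on UDP 68 as root, one on an odd port as uid 1000.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp        0      0 0.0.0.0:22       0.0.0.0:*     LISTEN   0     18233  1012/sshd
udp        0      0 0.0.0.0:68       0.0.0.0:*              0     20107  1140/dhclient
udp        0      0 0.0.0.0:40500    0.0.0.0:*              1000  31559  2417/dhclient'

# Print "PID proto local user=UID program" for every dhclient listener that is
# not on UDP 68 as root. UDP rows have no State column, so fields are counted
# from the end ($NF, $(NF-2)) rather than from the start.
flag_dhclient_listeners() {
    awk '$1 ~ /^(tcp|udp)/ {
        split($NF, prog, "/")                 # "2417/dhclient" -> pid, name
        n = split($4, local, ":"); port = local[n]
        user = $(NF-2)
        if (prog[2] == "dhclient" && (port+0 != 68 || user+0 != 0))
            print prog[1], $1, $4, "user=" user, prog[2]
    }'
}

# Step 3 found the launcher gone from /tmp. The kernel keeps the unlinked
# binary reachable through /proc/PID/exe for as long as the process lives
# (readlink shows "(deleted)"), so list such processes, and any running from
# /tmp or /dev/shm, before the box is rebooted. Copying /proc/PID/exe
# preserves the sample for analysis.
find_deleted_exes() {
    for exe in /proc/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            *"(deleted)"*|/tmp/*|/dev/shm/*)
                pid=${exe#/proc/}; pid=${pid%/exe}
                printf '%s %s\n' "$pid" "$target" ;;
        esac
    done
}

# Run on the constructed sample, then on the live host if tools are present.
printf '%s\n' "$SAMPLE_NETSTAT" | flag_dhclient_listeners
if command -v netstat >/dev/null 2>&1; then
    netstat -lpeanut 2>/dev/null | flag_dhclient_listeners
fi
[ -d /proc ] && find_deleted_exes || true
```

On a live host the flagged PID can be fed straight to step 2 (ps aux | grep PID) and to find_deleted_exes to confirm the binary's original path.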