Targeted attacks are well-thought-out efforts combined with tuned pieces of software specifically engineered to penetrate your best security efforts. Detecting targeted attacks often requires a solution that evolves as the contagion changes. Bad actors can spend weeks working with phishing attacks and other methods in an attempt to infect your internal users in order to learn about your internal resources and defense mechanisms.

Phone Home

Once inside, the infection that was custom-written to learn about your internal resources will collect data and phone home to botnet servers using SSL connections, encrypted DNS messages, or some other seemingly innocuous method. Almost nothing will question this traffic, because it is outbound and headed for the Internet. Over time, these infections can set up camps that often involve dozens of other infected internal hosts. Working together, the different pieces of malware upload details about your network, which allows the teams behind the infection to plot how to steal your confidential information, slowly and methodically.


Low and Slow Activities

Since these low and slow insurgencies are careful not to draw attention to themselves, security monitors need to compare current traffic patterns to baselines. Filters are used to narrow in on specific behaviors, and thresholds are set that trigger events leading to notifications.

One piece of malware, named FrameworkPOS by security researchers and known for its role in the Home Depot credit card breach, has a new variant. It still scrapes memory, but the way the data is exfiltrated has changed: this new variant uses the Domain Name System (DNS).

Retail companies such as Target and Home Depot, which rely on POS (Point of Sale) systems, have become targets for credit card hackers. Sally Beauty Supply was also recently impacted by POS malware, when 260,000 credit card numbers were heisted. In an interview given by a Sally Beauty IT technician to krebsonsecurity, the malware used was identified as the FrameworkPOS variant, exfiltrating credit card information using encoded DNS queries.

Detecting Targeted Attacks

Plixer’s research and development team monitors, analyzes, and discovers the latest methods used by bad actors to illegally exfiltrate corporate assets. We frequently share these findings with the general public through our blogs, tradeshows, and speaking events.

The Scrutinizer system and the FlowPro Defender are used to learn how the most important assets on the internal network communicate. Proprietary techniques are then employed to look for the signs of a miscreant. Monitors include:

  • Observation of odd DNS communications, such as NXDomain responses and TXT messages
  • Reaching out to domains with known bad reputations
  • Attempting to communicate with hosts that the system has been restricted from reaching
  • Odd connection behaviors observed after correlating a series of events

Once a sensor is triggered, the host's Threat Index rises. If a threshold is reached, a notification is sent and, if necessary, action can be scripted.
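The following is an added, self-contained illustration of the detection approach described in the two preceding sections: sensors that flag odd DNS behavior (long high-entropy subdomains of the kind produced by encoded exfiltration queries, a high NXDomain ratio, TXT queries, and a query volume well above a learned baseline) feed a per-host Threat Index, and hosts crossing a threshold are selected for notification. It is example code written for this page, not Scrutinizer's or FlowPro Defender's own logic; the log records, the baseline counts, the sensor weights and the threshold are all constructed values, and the sensor names and functions are hypothetical.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query records (not real traffic): (client_ip, qname, qtype, rcode)
SAMPLE_LOG = [
    ("10.1.1.20", "www.example.com", "A", "NOERROR"),
    ("10.1.1.20", "mail.example.com", "A", "NOERROR"),
    ("10.1.1.20", "cdn.example.net", "A", "NOERROR"),
    # One host emitting long hex-looking subdomains to a domain that does not resolve
    # (constructed pattern resembling data packed into DNS labels)
    ("10.1.1.55", "4a3f9c0b7e21d8a6f5b3c2e1d0a9b8c7.updates.example-c2.invalid", "A", "NXDOMAIN"),
    ("10.1.1.55", "9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e.updates.example-c2.invalid", "A", "NXDOMAIN"),
    ("10.1.1.55", "1d0e9f8a7b6c5d4e3f2a1b0c9d8e7f6a.updates.example-c2.invalid", "TXT", "NOERROR"),
    ("10.1.1.55", "c7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f2.updates.example-c2.invalid", "A", "NXDOMAIN"),
    ("10.1.1.55", "www.example.com", "A", "NOERROR"),
    ("10.1.1.80", "intranet.example.com", "A", "NOERROR"),
    ("10.1.1.80", "printer7.example.com", "A", "NXDOMAIN"),  # a single typo: normal noise
]

# Constructed per-host baseline: typical queries per observation window, learned earlier
BASELINE_QUERIES = {"10.1.1.20": 4, "10.1.1.55": 1, "10.1.1.80": 3}

# Hypothetical sensor weights that feed the Threat Index, and the notification threshold
SENSOR_WEIGHTS = {
    "encoded_subdomain": 40,
    "nxdomain_ratio": 25,
    "txt_query": 20,
    "baseline_deviation": 15,
}
NOTIFY_THRESHOLD = 60


def shannon_entropy(text):
    """Bits per character; encoded payloads score far higher than hostnames."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encoded(qname, min_len=24, min_entropy=3.0):
    """True when the leftmost label is long and high-entropy, i.e. data packed into a subdomain."""
    label = qname.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def run_sensors(records, baseline, nx_ratio_limit=0.5, deviation_factor=3.0):
    """Evaluate every sensor per host; return {host: set(sensor names that fired)}."""
    per_host = defaultdict(list)
    for host, qname, qtype, rcode in records:
        per_host[host].append((qname, qtype, rcode))

    fired = defaultdict(set)
    for host, queries in per_host.items():
        nx = sum(1 for _, _, rcode in queries if rcode == "NXDOMAIN")
        if any(looks_encoded(qname) for qname, _, _ in queries):
            fired[host].add("encoded_subdomain")
        # Require a few queries before judging the NXDomain ratio, so one typo does not fire it
        if len(queries) >= 3 and nx / len(queries) >= nx_ratio_limit:
            fired[host].add("nxdomain_ratio")
        if any(qtype == "TXT" for _, qtype, _ in queries):
            fired[host].add("txt_query")
        # Compare current volume against the learned baseline for this host
        expected = baseline.get(host)
        if expected and len(queries) >= deviation_factor * expected:
            fired[host].add("baseline_deviation")
    return dict(fired)


def threat_index(fired):
    """Threat Index per host: the sum of the weights of the sensors that fired."""
    return {host: sum(SENSOR_WEIGHTS[s] for s in sensors) for host, sensors in fired.items()}


def hosts_to_notify(records, baseline, threshold=NOTIFY_THRESHOLD):
    """Hosts whose Threat Index reached the threshold, i.e. the ones to notify on."""
    scores = threat_index(run_sensors(records, baseline))
    return sorted(host for host, score in scores.items() if score >= threshold)


if __name__ == "__main__":
    fired = run_sensors(SAMPLE_LOG, BASELINE_QUERIES)
    for host, score in threat_index(fired).items():
        print(f"{host}: index={score} sensors={sorted(fired[host])}")
    print("notify:", hosts_to_notify(SAMPLE_LOG, BASELINE_QUERIES))
```

Run on the constructed sample, only 10.1.1.55 reaches the threshold: all four sensors fire for it, while the host that mistyped one printer name never meets the minimum query count for the NXDomain ratio sensor and stays at zero. The entropy and length cut-offs are deliberately simple; a production monitor would learn them per domain from the baseline rather than hard-code them.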

Since Scrutinizer warehouses all of the communication details passing over the network, insight into the history of the infection is ensured. Research into the behavior of the infection and how it spread leads to the speediest clean-ups and recoveries. Give us a call if you would like to learn more about detecting targeted attacks.


Michael

Michael is one of the Co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer.
