Targeted attacks are well-thought-out efforts combined with tuned pieces of software specifically engineered to get past your best security controls. Detecting them often requires a solution that evolves as the malware changes. Attackers can spend weeks on phishing and other methods in an attempt to infect your internal users, in order to learn about your internal resources and defense mechanisms.
Once inside, malware custom-written to learn about your environment collects data and phones home to command-and-control servers over SSL connections, encoded DNS messages, or some other seemingly innocuous channel. Almost nothing questions outbound, Internet-bound connections. Over time, these infections can spread to dozens of other internal hosts. Working together, the infected hosts upload details about your network, which lets the team behind the infection plan how to steal your confidential information slowly and methodically.
Low and Slow Activities
Since these low-and-slow intrusions are careful not to draw attention to themselves, security monitoring needs to compare current traffic patterns against learned baselines. Filters narrow in on specific behaviors, and thresholds are set on them that trigger events leading to notifications.
One piece of malware, named FrameworkPOS by security researchers and known for its role in the Home Depot credit card breach, has a new variant. It still scrapes memory for card data, but the way that data is exfiltrated has changed: this new variant uses the Domain Name System (DNS). DNS works as an exfiltration channel because even a POS host with no direct Internet access can usually resolve names; its queries for an attacker-controlled domain are forwarded by the internal resolver to the attacker's authoritative name server, carrying whatever is encoded in the query name.
Retail companies such as Target and Home Depot, which rely on POS (Point of Sale) systems, have become targets for credit card thieves. Sally Beauty Supply was also recently hit by POS malware, with 260,000 credit card numbers stolen. In an interview given by a Sally Beauty IT technician to KrebsOnSecurity, the malware was identified as the FrameworkPOS variant, exfiltrating credit card data in encoded DNS queries.
Detecting Targeted Attacks
Plixer’s research and development team monitors, analyzes, and discovers the latest methods used by bad actors to illegally exfiltrate corporate assets. We frequently share these findings with the general public through our blogs, tradeshows, and speaking events.
The Scrutinizer system and FlowPro Defender are used to learn how the most important assets on the internal network communicate. Proprietary techniques are then employed to look for the signs of a miscreant. Monitors include:
- Observation of odd DNS communications, such as bursts of NXDOMAIN responses and TXT record queries
- Reaching out to domains with known bad reputations
- Attempting to communicate with hosts that the system has been restricted from
- Odd connection behaviors observed after correlating a series of events
Once a sensor is triggered, the host's Threat Index rises. If a threshold is reached, a notification is sent and, if necessary, a scripted action can be taken.
Since Scrutinizer warehouses the communication details passing over the network, insight into the history of the infection is preserved. Research into the behavior of the infection and how it spread leads to the speediest clean-ups and recoveries. Give us a call if you would like to learn more about detecting targeted attacks.
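The detection logic sketched on this page, as an added example in Python: baselines, filters and thresholds from the low-and-slow section, the encoded-DNS exfiltration pattern of the FrameworkPOS variant, and the NXDOMAIN, TXT and bad-reputation monitors feeding a per-host threat index with a notification threshold. This is illustrative code written for this page, not Scrutinizer, FlowPro Defender or any other Plixer code; the log format, the baseline value, the signal weights, the threshold, the bad-reputation list and the sample log are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS log (not captured traffic). Assumed format:
# "timestamp src_ip qname qtype rcode", one query per line.
#   10.0.0.7  normal workstation traffic (one typo, not a spike)
#   10.0.0.5  FrameworkPOS-style exfiltration: data encoded into long,
#             high-entropy labels under one attacker-controlled domain
#   10.0.0.9  touches a domain on the constructed bad-reputation list and
#             sends a run of TXT lookups that come back NXDOMAIN
SAMPLE_LOG = """\
2019-03-04T10:15:01Z 10.0.0.7 www.example.com A NOERROR
2019-03-04T10:15:02Z 10.0.0.7 mail.example.com A NOERROR
2019-03-04T10:15:04Z 10.0.0.7 typo.example.com A NXDOMAIN
2019-03-04T10:15:10Z 10.0.0.5 4b1f9e3c2a7d8e0f5a6b7c8d9e0f1a2b.sync.updates-cdn.net A NOERROR
2019-03-04T10:15:11Z 10.0.0.5 a9f3c0e7b2d4186f5e0c3a7b9d1f2e48.sync.updates-cdn.net A NOERROR
2019-03-04T10:15:12Z 10.0.0.5 7e2d9b0c4f1a8e6d3b5c0a9f2e7d1b48.sync.updates-cdn.net A NOERROR
2019-03-04T10:15:13Z 10.0.0.5 c3a8f1e6b0d9472e5f8a1c6b3d0e9f27.sync.updates-cdn.net A NOERROR
2019-03-04T10:15:14Z 10.0.0.5 0d7f4a2e9c1b6583e0a7d4f9c2b1e6a3.sync.updates-cdn.net A NOERROR
2019-03-04T10:15:20Z 10.0.0.9 login.malicious-c2.example A NOERROR
2019-03-04T10:15:21Z 10.0.0.9 cfg1.internal.corp TXT NXDOMAIN
2019-03-04T10:15:22Z 10.0.0.9 cfg2.internal.corp TXT NXDOMAIN
2019-03-04T10:15:23Z 10.0.0.9 cfg3.internal.corp TXT NXDOMAIN
2019-03-04T10:15:25Z 10.0.0.9 www.example.com A NOERROR
"""

# Thresholds, weights and the reputation list are assumptions for this example.
BAD_REPUTATION = {"malicious-c2.example"}
BASELINE_NXDOMAIN_RATIO = 0.05   # learned share of NXDOMAIN answers for a normal host
MIN_ENCODED_LEN = 24             # leftmost label at least this long ...
MIN_ENTROPY = 3.0                # ... and this many bits/char to count as encoded data
MIN_ENCODED_LABELS = 5           # distinct encoded labels under one domain before flagging
MIN_NXDOMAIN = 3                 # guard so a single typo does not trip the NXDOMAIN signal
MIN_TXT = 3
WEIGHTS = {"bad_reputation": 50, "encoded_subdomains": 50, "nxdomain_spike": 20, "txt_volume": 15}
THRESHOLD = 50                   # threat index at which a notification is sent


def parse_log(text):
    """Parse the assumed whitespace-separated log format into dicts."""
    records = []
    for line in text.splitlines():
        if line.strip():
            _ts, src, qname, qtype, rcode = line.split()
            records.append({"src": src, "qname": qname.lower().rstrip("."), "qtype": qtype, "rcode": rcode})
    return records


def shannon_entropy(label):
    """Bits per character: hex-encoded data is close to 4.0, a word like 'www' is 0."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0


def registered_domain(qname):
    """Two-label heuristic (example.com); production code would use the public suffix list."""
    return ".".join(qname.split(".")[-2:])


def host_signals(records):
    """Evaluate each monitor per source host; returns {host: set of signals that fired}."""
    by_host = defaultdict(list)
    for r in records:
        by_host[r["src"]].append(r)
    signals = {}
    for host, recs in by_host.items():
        fired = set()
        encoded = defaultdict(set)   # registered domain -> distinct encoded leftmost labels
        for r in recs:
            labels = r["qname"].split(".")
            reg = registered_domain(r["qname"])
            if reg in BAD_REPUTATION:
                fired.add("bad_reputation")
            if len(labels) > 2 and len(labels[0]) >= MIN_ENCODED_LEN and shannon_entropy(labels[0]) >= MIN_ENTROPY:
                encoded[reg].add(labels[0])
        if any(len(v) >= MIN_ENCODED_LABELS for v in encoded.values()):
            fired.add("encoded_subdomains")
        nx = sum(r["rcode"] == "NXDOMAIN" for r in recs)
        if nx >= MIN_NXDOMAIN and nx / len(recs) > 3 * BASELINE_NXDOMAIN_RATIO:
            fired.add("nxdomain_spike")   # compared against the learned baseline, not an absolute count
        if sum(r["qtype"] == "TXT" for r in recs) >= MIN_TXT:
            fired.add("txt_volume")
        signals[host] = fired
    return signals


def threat_index(fired):
    """Each triggered sensor raises the index by its weight; events correlate by summing."""
    return sum(WEIGHTS[s] for s in fired)


def find_alerts(text):
    """Hosts whose index reaches the threshold: {host: (index, sorted signal names)}."""
    alerts = {}
    for host, fired in host_signals(parse_log(text)).items():
        index = threat_index(fired)
        if index >= THRESHOLD:
            alerts[host] = (index, sorted(fired))
    return alerts


if __name__ == "__main__":
    for host, (index, fired) in sorted(find_alerts(SAMPLE_LOG).items()):
        print(f"ALERT {host} threat_index={index} signals={fired}")
```

Run stand-alone it reports 10.0.0.5 (encoded subdomains alone reach the threshold) and 10.0.0.9 (three weaker signals that together exceed it), while 10.0.0.7's single NXDOMAIN stays below the minimum count even though its ratio is above three times the baseline. The two-label registered-domain heuristic is the main simplification: names under co.uk or similar public suffixes need the public suffix list, or every host under them collapses into one "domain".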