Saturday, December 19, 2015

What does "Getting to the left of Kill Chain" look like?

I call it intelligence: forward-looking information based on currently known facts. Others call it Early Warning, Indications and Warning, proactive, or simply intelligence. No matter what you call it, this is what "Getting to the Left of Kill Chain" looks like. The best intelligence should stop attacks before they occur. And this is one example of the early warning mechanisms that we (Wapack Labs) send to our Red Sky Alliance members and Wapack Labs subscribers.

This is a CIW (Cyber Indications and Warning) Malicious Email Digest.

     EMAIL HASH: 0dca67606a345811dff801b6b0678fd6445ad8467b7e5ef23affc54a398f4085
     DETECTION DATE: 2015-12-16 12:29:24
     SENDER: "Tobias B" -
     SUBJECT LINE: Bestellung 96149
     DETECTIONS: F-Secure - Trojan-Downloader:W97M/Dridex.R, Fortinet - WM/Agent!tr

This report tells an operator which email account is being targeted, by what, and how well it is already detected.

This report is a bit dated (detected 12/16 at 12:29), but it'll do for now.

     It was targeting one email address: TO:
     FROM:  TobiasB -
     SUBJECT LINE:  Bestellung 96149

Each of the indicators listed above (the sender and the subject line, for instance) can be seen by watching packets on the network, provided you can see the SMTP session in the clear or are inspecting at the mail gateway after TLS has been terminated. If they can be seen, they can be stopped. So drop them into your favorite network security system and count the drops.
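As an added illustration of "drop them in and count the drops" (this is example code written for this page, not Wapack Labs tooling): the indicators from the digest above are loaded as a watchlist and run over a few constructed mail-gateway log lines in a hypothetical key=value format. The attachment hash is treated as a SHA-256 and the sender address is redacted on the page, so only the display name is matched; the looser "Bestellung &lt;number&gt;" subject pattern is an assumption about campaign behaviour, not something the digest states, and is reported as a weaker hit.

```python
import re
from email.utils import parseaddr

# Indicators taken from the digest on this page. The sender address is
# redacted there, so only the display name is usable; the hash is assumed
# to be a SHA-256 of the attachment.
INDICATORS = {
    "sha256": {"0dca67606a345811dff801b6b0678fd6445ad8467b7e5ef23affc54a398f4085"},
    "subject": {"bestellung 96149"},
    "sender_name": {"tobias b"},
}
# Assumption (not stated in the digest): the campaign rotates the order
# number, so a loose subject pattern is worth a lower-severity hit.
SUBJECT_PATTERN = re.compile(r"^bestellung \d+$", re.IGNORECASE)

# Constructed sample log lines in a hypothetical key=value gateway format.
SAMPLE_LOG = [
    'ts=2015-12-16T12:29:24Z from="Tobias B <tobias.b@example.net>" to="a.user@example.org" '
    'subject="Bestellung 96149" '
    'attach_sha256=0dca67606a345811dff801b6b0678fd6445ad8467b7e5ef23affc54a398f4085',
    'ts=2015-12-16T13:02:11Z from="Tobias B <tb@example.net>" to="b.user@example.org" '
    'subject="Bestellung 96150" '
    'attach_sha256=1111111111111111111111111111111111111111111111111111111111111111',
    'ts=2015-12-16T13:10:00Z from="Anna K <anna.k@example.com>" to="c.user@example.org" '
    'subject="Meeting notes" '
    'attach_sha256=2222222222222222222222222222222222222222222222222222222222222222',
]

# key=value pairs; values may be double-quoted (with backslash escapes) or bare.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def match_message(msg):
    """Return the names of the indicators that fire on one parsed message."""
    hits = []
    if msg.get("attach_sha256", "").lower() in INDICATORS["sha256"]:
        hits.append("sha256")            # strongest: exact attachment match
    subject = msg.get("subject", "").strip().lower()
    if subject in INDICATORS["subject"]:
        hits.append("subject")
    elif SUBJECT_PATTERN.match(subject):
        hits.append("subject_pattern")   # weaker: assumed campaign pattern
    name, _addr = parseaddr(msg.get("from", ""))
    if name.strip().lower() in INDICATORS["sender_name"]:
        hits.append("sender_name")
    return hits


def scan(lines):
    """Return [(recipient, reasons)] for every line that matched something."""
    results = []
    for line in lines:
        msg = parse_line(line)
        reasons = match_message(msg)
        if reasons:
            results.append((msg.get("to"), reasons))
    return results


if __name__ == "__main__":
    for recipient, reasons in scan(SAMPLE_LOG):
        print(f"{recipient}: {', '.join(reasons)}")
```

The hash hit is the one to act on without a second thought; a subject or display-name hit alone is a reason to look, not necessarily to block, because both are trivially changed by the sender.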

But what happens when you're not running network defenses? This alert offers host-based detection options as well. This then becomes a case study in why we practice defense in depth... or Kill Chain, if you prefer.

The line "F-Secure - Trojan-Downloader:W97M/Dridex.R, Fortinet - WM/Agent!tr" shows that two different AV vendors were able to see it on the computer at the time the sample was checked. If the network defenses miss it, then one of these two antivirus products should see it. Sadly, if you don't run either of the two, you have no host-based signature coverage yet (detection usually broadens as other vendors add signatures, so re-check the hash later). The AV names also carry clues for triaging the malware. With one specific detection (Dridex) and one generic one (Agent), we can't say for certain that it is Dridex, but the "W97M" and "WM" platform prefixes (Word 97 macro and Word macro, respectively) tell us with high confidence that it is an MS Word macro document.
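To make that triage step mechanical, here is an added example (written for this page, not code from Wapack Labs or either AV vendor) that parses the detection string from the digest into vendor, category, platform prefix, family and variant, then scores how much the two detections agree. The platform-prefix table and the list of "generic" family labels are assumptions based on common vendor naming conventions, not something the page defines.

```python
import re
from collections import Counter

# Detection string exactly as printed in the digest on this page.
DETECTIONS = "F-Secure - Trojan-Downloader:W97M/Dridex.R, Fortinet - WM/Agent!tr"

# Assumed platform prefixes (common vendor naming conventions) and meanings.
PLATFORMS = {
    "W97M": "Word macro (Word 97+ format)",
    "WM": "Word macro",
    "X97M": "Excel macro (Excel 97+ format)",
    "XM": "Excel macro",
    "O97M": "Office macro (any Office 97+ document)",
    "PP97M": "PowerPoint macro",
    "VBA": "Office VBA macro",
}
MACRO_PLATFORMS = set(PLATFORMS)

# Assumed family labels that carry no real family information.
GENERIC_FAMILIES = {"agent", "generic", "gen", "heur", "heuristic",
                    "suspicious", "malware", "trojan"}

# [Category:]Platform/Family[.Variant | !Variant]
SIG_RE = re.compile(
    r"^(?:(?P<category>[A-Za-z\-]+):)?"
    r"(?P<platform>[A-Za-z0-9]+)/"
    r"(?P<family>[A-Za-z0-9_-]+)"
    r"(?:[.!](?P<variant>\S+))?$"
)


def parse_detections(text):
    """Split 'Vendor - Signature, Vendor - Signature' into structured records."""
    records = []
    for entry in text.split(","):
        entry = entry.strip()
        if not entry:
            continue
        vendor, _sep, sig = entry.partition(" - ")
        rec = {"vendor": vendor.strip(), "signature": sig.strip(),
               "category": None, "platform": None, "family": None,
               "variant": None, "generic": True}
        m = SIG_RE.match(sig.strip())
        if m:
            rec.update(category=m["category"], platform=m["platform"].upper(),
                       family=m["family"], variant=m["variant"])
            rec["generic"] = m["family"].lower() in GENERIC_FAMILIES
        records.append(rec)
    return records


def triage(text):
    """Summarise what the detections agree on: file type and candidate family."""
    dets = parse_detections(text)
    platforms = {d["platform"] for d in dets if d["platform"]}
    macro = platforms & MACRO_PLATFORMS
    if macro and macro == platforms:
        file_type = "Office macro document"   # every vendor says macro
    elif macro:
        file_type = "mixed (some vendors say macro)"
    else:
        file_type = "unknown"
    families = Counter(d["family"] for d in dets
                       if d["family"] and not d["generic"])
    return {
        "vendors": len(dets),
        "file_type": file_type,
        "platform_names": sorted(PLATFORMS[p] for p in macro),
        "candidate_family": families.most_common(1)[0][0] if families else None,
        "family_votes": dict(families),
        "specific_detections": sum(1 for d in dets if not d["generic"]),
        "generic_detections": sum(1 for d in dets if d["generic"]),
    }


if __name__ == "__main__":
    for key, value in triage(DETECTIONS).items():
        print(f"{key}: {value}")
```

The output for the digest's string is what the paragraph argues by hand: file type "Office macro document" on two of two vendors, but only one vote for Dridex, which is why the family call stays tentative while the file-type call does not.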

The upside? This didn't come from the target. We capture hundreds of sources of these things on a daily basis, and as of yesterday, have over 22 million indicators that we query on a regular basis looking for signs of malfeasance to come... and we drop those signs into the Red Sky Alliance portal. In fact, as soon as I publish this report, I'll be sending a victim notification to the Healthcare ISAC. We don't normally pay attention to the Healthcare sector, but this is one of those cases where professional courtesy demands it.

So, beyond the healthcare industry, there's a high probability that our capture and notification may have saved this company at least one new infection. At least that's the hope, right?

Don't have a subscription? Pay attention to Threat Recon and our CMS. I know, it's a pain in the neck to have to find two sites... we'll have them consolidated soon. In the meantime, bear with us. We post the indicators and sharable reports there.

It just started snowing up here. First of the season! 

It looks like we may have a white Christmas after all. 
Merry Christmas (or Happy Holidays if you prefer)