Saturday, January 02, 2016

More "Getting to the left of Kill Chain"

Getting to the left of Kill Chain has been a theme for the last several months. We're doing this today for a small group of companies. We're not a big data shop, but Wapack Labs collects an enormous amount of individualized, primary-source information, all selected by our analysts to provide specific kinds of information. Primary means that nobody has previously analyzed the data. We're seeing it first hand, untouched. The data is from sources OUTSIDE of the company. When we pull it, we check it against everything we know to be bad. When there's a 'hit', we pull the metadata and create a database entry (see above). We also get information about what a company is using to protect themselves. Then, we compare the two.

On paper it sounds easy, right? It is.

On New Year's Eve, I sent an Early Warning notification to the CIO of a company who was about to receive a targeted (we believe) email from an unknown attacker. Nonetheless, the email appeared to be coming FROM a legitimate internal user, sent TO a legitimate internal user, and the subject line was "Purchase Order".

I've modified the sample to protect the victimized, but here's how the story goes.

In the example, Purchasing agent "Lew" sent "TargetEmployee" an email with an attachment. The attachment is recognized as bad by our internal processes. We assign the email a hash value and dump a report to an analyst to verify.

In this case, the malware was detected by Qihoo-360, Ikarus, Sophos, and Jiangmin.

The company, however, doesn't use any of these vendors.

AND... this company manufactures high-tech equipment for the aviation, maritime, and space industries. This is a supply chain company, and their chosen vendor doesn't recognize this malware as a threat.

My assessment? Likely targeted, possibly espionage focused. Here's why...
  • A malicious email was sent to look legitimate
  • ...from an internal user to an internal user in a company
  • ...that works in industries known to be targeted for cyber espionage (high tech, aviation, space).
  • ...the company isn't getting thousands of hits; they received one email. And that one email had a piece of malware attached that is recognized by only a few AV vendors, and none of them is theirs.
And, we (hopefully) notified them before the breach.
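To make the comparison concrete, here is an added example (my own illustration, not Wapack Labs' tooling) of the two steps described above: hashing the attachment and recording which scan engines flagged it, then checking that set against the vendors the recipient actually runs and scoring the other targeting signals from the assessment. The attachment bytes, the scan record, the engine count, the domain names and the score thresholds are all constructed for the example; only the four engine names, the "Purchase Order" subject, WatchGuard and the industry list come from the post.

```python
"""Added example, not Wapack Labs' code: triage one suspicious email the way the
post describes, hashing the attachment, comparing which scan engines flagged it
with the vendors the recipient actually runs, and scoring the targeting signals."""
from dataclasses import dataclass
import hashlib

# Constructed placeholder bytes standing in for the attachment; not real malware.
ATTACHMENT = b"constructed placeholder for the 'Purchase Order' attachment"

# Constructed multi-engine scan record: engine -> label, detections only.
# The four engine names are the ones the post lists; the labels are made up.
SCAN_RESULT = {
    "Qihoo-360": "Trojan.Generic",
    "Ikarus": "Trojan-Downloader",
    "Sophos": "Mal/Generic-S",
    "Jiangmin": "Trojan/Generic",
}
ENGINES_RUN = 55  # constructed total number of engines in the scan

# Industries the post names as known cyber-espionage targets.
TARGETED_INDUSTRIES = {"high tech", "aviation", "maritime", "space"}

# Subject lines commonly used as lures; "Purchase Order" is the one in the post.
LURE_SUBJECTS = {"purchase order", "invoice", "remittance", "payment"}


@dataclass
class EmailSample:
    sender_domain: str
    recipient_domain: str
    subject: str
    attachment: bytes
    company_industries: set
    company_vendors: set      # what we know the recipient deploys
    hits_from_sender: int     # how many messages from this sender our feeds saw


def attachment_hash(data: bytes) -> str:
    """SHA-256 used as the sample's database key."""
    return hashlib.sha256(data).hexdigest()


def coverage_gap(detections: dict, company_vendors: set) -> tuple:
    """Return (engines that flagged the sample, the subset the company runs)."""
    flagged = set(detections)
    return flagged, flagged & company_vendors


def triage(sample: EmailSample, detections: dict, engines_run: int) -> dict:
    """Score the signals the post used; weights and thresholds are assumptions."""
    flagged, covered = coverage_gap(detections, sample.company_vendors)
    score, reasons = 0, []
    if flagged and not covered:
        score += 3
        reasons.append(f"flagged by {len(flagged)}/{engines_run} engines, "
                       "none deployed by recipient")
    elif flagged:
        reasons.append(f"flagged by {len(flagged)}/{engines_run} engines, "
                       f"including {sorted(covered)}")
    if sample.sender_domain.lower() == sample.recipient_domain.lower():
        score += 2
        reasons.append("external message spoofs an internal sender")
    if sample.company_industries & TARGETED_INDUSTRIES:
        score += 2
        reasons.append("recipient's industry is a known espionage target")
    if sample.subject.strip().lower() in LURE_SUBJECTS:
        score += 1
        reasons.append("generic business-process lure subject")
    if sample.hits_from_sender == 1:
        score += 1
        reasons.append("single message, not a bulk campaign")
    verdict = ("likely targeted" if score >= 6
               else "suspicious" if score >= 3 else "low")
    return {"sha256": attachment_hash(sample.attachment), "score": score,
            "verdict": verdict, "reasons": reasons}


def example_case() -> dict:
    """The post's case with constructed values: internal-looking sender, one hit."""
    sample = EmailSample(
        sender_domain="example-supplier.test",     # constructed; spoofed internal
        recipient_domain="example-supplier.test",  # constructed
        subject="Purchase Order",
        attachment=ATTACHMENT,
        company_industries={"high tech", "aviation", "maritime", "space"},
        company_vendors={"WatchGuard"},
        hits_from_sender=1,
    )
    return triage(sample, SCAN_RESULT, ENGINES_RUN)


if __name__ == "__main__":
    result = example_case()
    print(result["sha256"], result["verdict"], result["score"])
    for reason in result["reasons"]:
        print(" -", reason)
```

Run as-is, the constructed case scores 9 and comes out "likely targeted"; swap `company_vendors` for `{"Sophos"}` and the coverage-gap reason drops out, which is exactly the distinction the post is drawing between "detected somewhere" and "detected by the vendor this company actually runs".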

So what can a company do with this information? Depending on their configuration, the company has options, although based on what we know about them, only a few. In this case, the company has access control, but no real defense in depth to speak of: access control and WatchGuard (potentially UTMs, we don't know).

Here's what I told them:
  • They use WatchGuard. We gave them network indicators that they can push into their WatchGuard system. I'm assuming they have a WatchGuard admin that's certified on the management of the system.
  • We gave them metadata about the malware... enough to identify it in their network.
  • They can go directly to the user's mailbox (.pst) from their Exchange Server.
  • If all else fails, call us. We work with some great partners that can find it for them.
So pay attention, folks. 2016 is going to be transformative. It's not perfect, and I can guarantee we won't get it right the first time, but if you're looking for ways to get ahead of the problem, drop me a note at If you can't do it yourself, we can refer you to someone who can do it for you.

Have a great weekend!