On paper it sounds easy, right? It is...
On New Year's Eve, I sent an Early Warning notification to the CIO of a company who was about to receive a targeted (we believe) email from an unknown attacker. Nonetheless, the email appeared to be coming FROM a legitimate internal user, sent TO a legitimate internal user, and the subject line was "Purchase Order".
I've modified the sample to protect the victim, but here's how the story goes.
- A malicious email was sent to look legitimate
- ...from an internal user to an internal user at a company
- ...that works in industries known to be targeted for cyber espionage (high tech, aviation, space).
- ...the company isn't getting thousands of hits; they received one email. And that one email had a piece of malware attached that is recognized by only a few AV vendors, and none of them is theirs.
- They use Watchguard. We gave them network indicators that they can push into their Watchguard system. I'm assuming they have a Watchguard admin who's certified on the management of the system.
- We gave them metadata about the malware... enough to identify it in their network.
- They can go directly to the user's mailbox (.pst) from their Exchange Server.
- If all else fails, call us. We work with some great partners that can find it for them.
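To make the "find it in the mailbox" step concrete, here is a small triage script. It is an added example, not code from the original post or from the company involved: it parses a constructed raw message (the domain example.com, the relay addresses, the "PO.exe" filename and the attachment bytes are all made up), hashes every attachment against a set of known-bad SHA-256 values of the kind a vendor would hand over as malware metadata, and flags the message when its From address is internal but the earliest Received hop is outside the company's own mail relays. That last check goes slightly beyond the story above: it is how you tell a spoofed "internal" sender from a real one, and it is the detail worth keeping when you export the .pst and start searching.

```python
import base64
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Assumptions, all constructed for this example and not taken from the post:
# the victim's domain, its mail relay range and the indicator values are made up.
INTERNAL_DOMAIN = "example.com"
INTERNAL_MAIL_NETWORKS = [ip_network("203.0.113.0/24")]
SUSPECT_SUBJECTS = {"purchase order"}

# Placeholder attachment: a few bytes shaped like a PE header, base64-encoded.
# It stands in for the real sample, whose bytes are not reproduced here.
ATTACHMENT_B64 = (
    "TVqQAAMAAAAEAAAA" "//8AALgAAAAAAAAA"
    "QAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# In practice the hash comes from the vendor's malware metadata; here it is
# derived from the constructed sample so that the example checks itself.
IOC_SHA256 = {sha256_hex(base64.b64decode(ATTACHMENT_B64))}


def build_eml(received_lines, attachment_b64=ATTACHMENT_B64) -> bytes:
    """Assemble a constructed RFC 5322 message with one attachment."""
    headers = "".join(received_lines)
    return (
        headers
        + "From: Finance <finance@example.com>\n"
        + "To: buyer@example.com\n"
        + "Subject: Purchase Order\n"
        + "MIME-Version: 1.0\n"
        + 'Content-Type: multipart/mixed; boundary="XYZ"\n\n'
        + "--XYZ\nContent-Type: text/plain\n\n"
        + "Please see attached purchase order.\n"
        + "--XYZ\n"
        + 'Content-Type: application/octet-stream; name="PO.exe"\n'
        + 'Content-Disposition: attachment; filename="PO.exe"\n'
        + "Content-Transfer-Encoding: base64\n\n"
        + attachment_b64 + "\n--XYZ--\n"
    ).encode()


# Hop written by the company's own relay (constructed).
INTERNAL_HOP = (
    "Received: from mail.example.com (mail.example.com [203.0.113.10])\n"
    "\tby mx.example.com (Postfix) with ESMTP id ABC123\n"
    "\tfor <buyer@example.com>; Tue, 31 Dec 2013 09:12:01 +0000\n"
)
# Earliest hop: the message was handed to the relay from an outside address.
EXTERNAL_ORIGIN_HOP = (
    "Received: from [198.51.100.7] (unknown [198.51.100.7])\n"
    "\tby mail.example.com (Postfix) with ESMTPA id DEF456\n"
    "\tfor <buyer@example.com>; Tue, 31 Dec 2013 09:11:58 +0000\n"
)
# Received headers are prepended, so the top line is the most recent hop.
SPOOFED_EML = build_eml([INTERNAL_HOP, EXTERNAL_ORIGIN_HOP])
GENUINE_EML = build_eml([INTERNAL_HOP])


def originating_ip(msg):
    """IP of the earliest hop (last Received header), or None if absent."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[-1])
    return ip_address(m.group(1)) if m else None


def is_internal_ip(ip) -> bool:
    return ip is not None and any(ip in net for net in INTERNAL_MAIL_NETWORKS)


def triage(raw: bytes) -> dict:
    """Hash attachments against the IOC set and check the sender's origin."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    subject = str(msg.get("Subject", ""))
    origin = originating_ip(msg)
    attachments = []
    for part in msg.iter_attachments():
        digest = sha256_hex(part.get_payload(decode=True) or b"")
        attachments.append({
            "filename": part.get_filename(),
            "sha256": digest,
            "ioc_match": digest in IOC_SHA256,
        })
    from_internal = from_addr.lower().endswith("@" + INTERNAL_DOMAIN)
    return {
        "from": from_addr,
        "subject_suspect": subject.strip().lower() in SUSPECT_SUBJECTS,
        "originating_ip": str(origin) if origin else None,
        "spoofed_internal_sender": from_internal and not is_internal_ip(origin),
        "attachments": attachments,
        "ioc_match": any(a["ioc_match"] for a in attachments),
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_EML), ("genuine", GENUINE_EML)):
        print(label, triage(raw))
```

Run it over every message in the exported mailbox rather than just the one with the suspicious subject: the attachment hash is the indicator that survives a subject line change, and the origin-hop check catches the next spoofed internal sender even when the vendor has no hash for it yet.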