
Seriously? You Want Me To Believe Cyber-Spies Want My Data

BSides Detroit, 57:55, 695 views, published 2012-06.
About this talk
Tim Crothers of Mandiant Talks about Advanced Persistent Threats and Advanced Targeted Threats. In this talk he cuts through the hype and looks at actual logs, packet captures, and tools used during compromises from targeted attacks so attendees can decide first-hand what the fuss is about.
Transcript [en]

Good afternoon, everyone, we'll get started. Welcome again to today's event. Our next speaker is Tim Crothers, speaking on "Seriously? You expect me to believe cyber spies want my data?" Really? Really.

All right, thank you. So this is not a vendor talk. I do work for Mandiant; however, this is not a Mandiant-endorsed talk. The only reason I use the Mandiant slide is because, in case you noticed, we did sponsor. The reason why we sponsored BSides is we're hiring, so if you are looking for a job in information security, specifically incident response and investigation, then, you know, go to our website. If you can't find where the job postings are, I don't want you anyway.

So it is what it is, right? So that's the end of the Mandiant stuff. Like I said, this is not endorsed by Mandiant, this is my talk, etc. So I'm assuming if you're here you've probably heard something about China or somebody. This is not a talk that says China's evil, China is, you know, after all of our stuff, every hacking problem is not China; however, China is definitely doing some interesting things. Now, I just put this up for those of you who didn't bother to read the New York Times this morning: it was disclosed this morning, there's a five-page article basically outing the fact that Stuxnet was written by the United States, okay?

Now, those of us who have classifications and stuff have known this for a while, but now it's public, so we can talk about it. The reason I mention it is because this is kind of the crux of my talk, right? I'm going to focus on some technical stuff here, show you some real logs, some real activity by folks that are doing this on a day-to-day basis, but there's really a second point to my talk today, and that's specifically that if you, as an information security professional, think security equals stand up a firewall, run IDS, look at some logs and run the antivirus, you need to go choose a new profession, okay? Because think about the ramifications of this, right?

So the fact that Stuxnet has been unequivocally outed, right, and who here doesn't think that Flame was us? Okay, I don't know that one for a fact, but it sure seems awful suspicious, right? The bottom line here is that when Stuxnet hit we had some code errors in Stuxnet that caused it to spread outside of what it was supposed to. So if we now have it absolutely being declared, and the UN just announced some interesting things which I haven't had a chance to dig into yet, someone just tweeted it, sounds like there's some really potentially interesting ramifications of Flame that are flying right now, we'll all get to read about this evening, but the bottom line

is, if you don't think that other countries are going to jump on this, even if it's only China, Russia, the US, right, what have you, if you don't think this sort of information is going to induce every other country to jump on board, you're crazy, right? And so what's inevitably going to happen is we're going to get a bunch of people, and they're not going to be targeting your company, but what's going to happen is there's going to be some crappy code, and it's going to get loose outside of the target that it was made for, and you as an information security professional at a mom-and-pop business are going to have to be dealing with the fallout from this. Our world is progressing and changing, and so we as information security professionals have to be keeping tabs on this kind of stuff, and that's really the subtext of what I want to talk about today.

So when I tell somebody that my day job is chasing Chinese spies, look, let me first put out there: if you had told me that's what I was going to be doing five years ago, I'd have first laughed in your face and then told you you were smoking something, okay? I mean, I really do get how crazy this sounds, okay? And inevitably people ask me two questions, right? One: why in the world would country X want my data? All right, I'm going to come back to that question. Secondly: if they're doing it, then why am I not seeing it? That's the focus of today, although I will come back to the first question as well.

So the reason why we are not seeing it, or you are probably not seeing it, is not because it's not happening, but because you just simply aren't looking in the right places and don't necessarily understand what to look for. Hopefully I'll help a little bit with that, because where we're at right now as an industry is there is a relatively small handful of information security folks that are kind of in the know, right, that understand how this stuff works and know what to look for. Those guys are having good luck combating this stuff. Unfortunately, the other ninety-eight-plus percent of us who are doing this aren't privy to that yet, and that's what I'm hoping to help a little bit with today, okay?

So if we think about traditional C2, so command and control, right, malware, your botnet, that sort of thing, the way it works is it's typically encrypted, it's using, lots of times, non-standard ports, right? If you think about a lot of the malware and the botnets that are going, it's relatively easy for us to pick out. Why? Because it doesn't look like normal traffic. So the

bad guys, and this is not just the state guys, by the way, also the really high-end cybercrime guys use the same techniques, the same core techniques, and the bottom line is: blend in with the traffic, and I'll show you how that looks here, right? So the first generation of command and control that we've observed for these guys... and by the way, all the logs and the stuff that I'm going to show you are real. I have anonymized them to protect the not-so-innocent. They are not Mandiant clients. You know, everybody needs a hobby; mine is, you know, infiltrating command and control infrastructure of nation-states. You know, go figure. Um, so these are real incidents against real... but, you know, again, I just want a couple of disclaimers there.

So most of this traffic, especially this first generation of command and control we saw, was all done via web, especially SSL, right? So again, let's dispense with the hype and let's look at some of this stuff. All right, so here's an example of a reach-out by a box that's got a malicious back door on it to a command and control server, right? So what we've got, hopefully that's large enough for folks to read there, so what we've got here is this GET, and again, I changed the URL, but same type of thing, right: GET www.realmsnbcnews.com/iisstart.htm. What's iisstart.htm? Default IIS page for Windows Server 2003. So you stand up a 2003 box, you, you know, install IIS on it, and until you put content on that server the default page is iisstart.htm. You go look at your proxy logs, you are going to see a lot of potential activity to iisstart, legitimate even, sometimes, right? Then we've got this, but look at this: does this look like a user agent you've ever seen? Start filing away some of these sorts of things. But how many of you are mining in your detection systems, looking for user agents, detecting malicious activity? Anybody? I know a few people are, probably can't say.

All right, so let's go down here a little bit farther, and you notice it's a pretty plain-looking page. Matter of fact, if I go over here, I took that page and let's just bring it up in a browser. So there we go, so that's what the page looks like in my browser, straightforward. But look a little closer on that page. Does anybody tell me what this is? What's that? You know, bracket dash dash indicates an HTML comment, right? What does that look like to you? Anybody? Base64. So let's pop open a little command prompt here, run some Python, import... the joys of doing live demos... base64. So let's print base64.
b64decode, and then copy this out. Whoops, if I can click... Ctrl-C.

That base64 decodes, as continued, right? What you're looking at is an honest-to-goodness command and control server and an infected, you know, box, with the back door reaching out to that stage one command and control server. And the reason why you're not detecting that is simple, right? They're relying on the fact that you're a very busy network guy, you know, security person, you've got all of these Snort signatures loaded, so that's going to, you know, you're using the Bleeding Edge, right? Not going to detect it, right? Anybody can go get Snort, anybody can go stand this stuff up and see what signatures are going to be detected. All right, everybody with me so far? By the way, for questions as we're going, don't hesitate. Is Patrick here? No Patrick? Oh man, my designated heckler isn't here. It's all good.

Let's look at another one. So here's another example, right? This is a different back door family that our bad guys are using. So again, this is going out to, in this case, again I anonymized it, but it was a similar type of thing, challengerelementary.org, because again, the folks that are trying to infiltrate your network absolutely get that you use tools like Websense that have lists of acceptable places to go and not to go, right? And so the real packet that I anonymized this from was actually for a legitimate school, and there was an image that they're calling. But notice that we've got some inconsistencies here, right? So globe.jpg, and then look at the header down here: we've got GIF89, right? And actually, if you do some checking on that user agent, that user agent looks close, but it's not actually a legitimate user agent, again, right? And what's happening here is this is again a stage one command and control, I'll explain that in a second. This is an IP address that's embedded in this fake image sitting on a legitimate server. That's going to go out, your Websense... back door pulls this, decodes this IP address and reaches out to the stage two command and control, okay? Does anybody have any Snort signatures that are going to trigger on this, outside those groups in the know? No, right? Because this isn't in our normal stuff. It's not that we can't write signatures for this; you just have to know to look for it, right? So that's part of the trick.

All right, so I'll keep going unless anybody throws out some questions here. So those are some examples of command and control activity. Now, the bad guys, though, aren't content to rest, and interestingly enough, and unfortunately, just because we only have an hour today, right, I can't give you, you know, years' worth of learning on some of these particular groups in an hour, it's just not possible, but China

in particular, who's one of the front-runners on this, and I know I'm not proving that yet, that's all fine, and it doesn't have anything to do with Chinese IP addresses, I promise, but the bottom line is they're doing classes now for other countries, and the reason why they're doing those classes is because they've gone on to a new level of capability, so it's, you know, earning them brownie points, so to speak, by teaching, say, Russia. And some of it, and it is a lot of countries besides just China, okay? China just happens to be the most prolific at the moment. And so they've revamped this. So now a newer trend that we've seen, especially over the last six months, which is kind of cool, is they've taken a lot of this off-the-shelf software, web shells, right? Web shells have been around for years, right, forever, and if you don't understand what a web shell is, basically the concept behind a web shell is you take the web shell's code, drop it on a server, and then you connect to the web shell running on the legitimate server. Typically it's a server on your edge, right, so it's internet-facing, and then you use that to pivot into the environment, right? Web shells have been around forever, but you start to combine some web shell technology with miniport drivers and you've got some cool stuff.

So a miniport driver is kind of a stub driver, and the way a miniport driver works is it tells the operating system "I want this type of activity," and it allows you to literally run and look for data on a port that is otherwise bound to a different application. So in this case you run a miniport driver that binds to port 80 and 443, the miniport driver is getting that before shunting it over, and lots of times they can cause the stuff to not even bother showing up in your logs. All right, sir? [Audience: So is the original process... it's loaded in a normal manner?] Yup. Starting with Windows Server 2003, Microsoft provided support for miniport drivers. If you pull up a typical Windows box, like Windows 7, you will typically see, say you're running VMware, VMware uses miniport drivers to hook the physical driver for your virtual machines, and most VPN clients use miniport drivers to hook the NIC for the virtual... they're using that technology. [Audience: What shows as listening on port 80 would just be the web server?] Typically, yes, that's right. And then it can pull out the data that it wants and literally not pass it on, you know, if it so desires. And usually they're not even bothering with rootkits, because we're not looking for this stuff, because, you know, we all, and I include myself in this, right, it's easy for us to fall into these mentalities where I understand the bad guy, right, he's some, you know, buddy that works out of his mother's basement, you know, that old hacker image, and the world is continuing to move, right, and that's what we've got to keep track of. We can't assume that it's the same thing over and over.

Now, I've actually got a demo on this I can do, but I didn't fire it up today just because I realized that we're probably not going to happen on time, but if we have some

time I'll hop back to that. So I've installed this on a Windows 2003 virtual machine and can demo that, but the beauty of this stuff is, again, that simply it just works with our existing environments, and we're just not looking for it, right? Because we don't know that; we just pass this stuff right over, right?

So let's talk about our existing detection a little bit. So here is a Snort alert, and you'll notice I put in red here some garbage. Anybody tell me what that is? Unicode. Because Snort and most of our tools here in the United States work on ASCII; the rest of the planet does not work on ASCII, literally. But again, we have not been progressive enough, we as an industry, to keep pushing the fact that we've got to be looking at... look what happens when I take that exact same alert, right? So let me pop that guy up. So here's the original, here's the alert, right? Oops, let me pull up... actually, here's the original that I had, right? So xp_cmdshell... so you're the security guy, right, you look at this and this looks like some SQL, but you don't actually see anything overly concerning looking in there, right? We can scroll through, and again, this comes from a real situation, so they were looking through, and, you know, it did... so here's the xp_cmdshell, but in this case the organization that had this alert triggered passed this off as they thought it was one of their legitimate SQL applications that was communicating, right? And indeed, you know, yeah, you know, and part of it, right, we've all got 15,000 things on our plates. So again, right, so it looks like garbage. But now I popped that same... so this is an ASCII editor, but now I go over here to a Unicode text editor, this is just a free one, and I pop that same thing open, and now look what I've got: same exact alert. If you're the security person, you see it the second way versus the first way, are you going to be a little more concerned? You're an English company and you're seeing non-English characters going to and from your servers, you know, China or whoever aside, that's going to raise some flags to you, right? So that's purely a tool issue, right, that we're not seeing that make it to the right... Everybody still with me?

All right, so similar, and now in Unicode, obviously, looks a little more concerning, okay? So we see them use a lot of, you know, publicly available stuff. So of course, why in the world use publicly available... so Poison Ivy is hands down the most popular RAT that they use, remote access trojan. Why in the world would they use Poison Ivy? It works, right? Source code's available, so that all I've got to do is maybe modify it a little bit so it doesn't trip AV, all right? Because that's pretty straightforward. And these are a bunch of tools, you know, that we've observed: ASPXSpy is one of those simple tools, it's a web shell, right; cachedump gets hashes; Gh0st RAT, Gh0st RAT we're seeing they've recompiled and are using against Macs, because again, source code's readily available; gsecdump dumps credentials, we're gonna see some of this in a minute; poke msgina; HTran is a tool for passing a lot of this data out, right? So publicly accessible tools, right? They already exist, and in a lot of cases we're using them, right? We use pwdump. Who here has not legitimately used pwdump for some sort of security audit or other purposes in your environment? Almost all of us are going to have, right, because pwdump is an incredibly useful tool, right, for if you want to check what the passwords look like, etc. So we'll see these tools pop up, but because we recognize them as commodity malware, we don't stop to go further and think about who might actually be using it. It's much easier to pass off, because if I'm thinking a nation-state wants me, then what's my first thought, right? So I'm going to the movies, etc., I'm thinking, oh, they've got some cool sexy stuff. Why use cool sexy stuff when the stuff we all have access to... and here's the beauty part, in my opinion, is because this stuff is all readily available, we can easily build signatures for it, right? So you can go out later, pull these tools and create your own signatures to start looking for a lot of this stuff, but I'd be willing to bet most of your tools don't have detections right now for that, or if they do, you tend to pass them off, right?

So let's look at a log, as it's always cooler to look at a log. So let me just preface this a second. So I mentioned earlier stage one, stage two command and control. So the way this works, the most common way that they do this is spear phishing, right? So what will happen is you guys will do, like, a press release, and I'll talk about some of the reasons why you might get targeted in a bit, but there's lots of readily

available contact information on your organization, right? You realize that email addresses are really easy to come by. So it starts with the spear phish; user clicks on the spear phish, installs the back door. That's what we refer to as a stage one back door, and basically what that stage one back door does is goes out to a stage one server, which essentially you think of as a parking server, right? So based upon the particular version, and they'll have compiled it fresh, right, for you, for that particular run against you, so it doesn't trip AV and stuff like that, right, so it doesn't have a known-bad MD5, these are simple to avoid, right, it'll go out... might be a six-day interval, might be a month-long interval, you know, could be every five minutes, whatever interval, it goes out to the stage one command and control. Now, when the bad guy's ready to activate this, right, what they do is they just change that... notice how that example I had, they change that command, so now it goes out, retrieves that iisstart.htm or whatever particular... that's one of many techniques, right, but in that example, to point to an IP address where they download the stage two back door and begin live interaction. And you'll see why I am confident this is live in just a second.

So the way I come up with this log file that I'm about to show you is pretty straightforward. So that same iisstart.htm that's sitting out there, right, once you know where those are at, you can go pull it too. There's no magic in this, right? You pull that, you decode, and now they are often a little more complicated than base64 encoding, but if you figure out you've got a host here, what you want to do is do some simple reversing on that back door that will help you figure out what that encoding is. So now you can decode this if it's a little more complicated than, say, the base64 basics from before, though lots of times it isn't any more complicated than that. And then they activate it. Now you pull... so that's what I do, right? And so you just pull this just like they do, and so when the bad guy, in this particular example, he has this little tool that pops up, right, that he runs on his screen, he types the command that he wants to run into it, hits Enter, what it does is it encodes it and writes that updated file out here. This back door is just pulling it, running the command, sending the results back, which he is then retrieving. Everybody with me so far? Pretty straightforward process, it's really not that complicated. And what we end up with is a log like this, okay?

So what this is... I left the timestamps in, and I did anonymize it, because again, this was against a real organization, and they don't really want to be outed in case they haven't been in the news, although I know they know about it, this particular case. So we've got a whole bunch of commands here, so let's spend a little bit of time looking at this, because you also want to really understand how they move around, because in most cases it's not how you've been told. You know, if you've taken your Certified Ethical Hacker or something like that, that is not how these guys work, okay? They're not running nmap. They don't need to, as you'll see in a second.

So first thing they're doing

is they're getting in and they're doing a tasklist, find... well, that's actually them looking to see if their back door is running, okay? And then they do a tasklist /v, and they quit, and then they come back. Now, in this particular case I had some context on what was going on in this one, right? The user, you know, clicked literally shortly before that 10:38, because I happened to be monitoring the stage one command and control in this particular instance. When the user first checked in, I saw the new check-in, right, and then they immediately moved. So these timelines give us actually a pretty good representation of what's going on.

So the first thing they do is they download... this is their back door. This "d:" command is a command inside the back door to download, so that's just simply saying download from xxx (I redacted the actual IP address) /tool/NWSAPAgent.dll into the temp directory. So that xxx in this case was a university computer, okay? So again, it's going to get by the Websense; this download is just an HTTP download, you know, kind of like you do if you did a wget, right, from our Linux command line. And then they run cmd.exe and they start looking around, they're doing directory, then they download RAR, good old WinRAR; they need their tools. Then gsecdump, that's a tool for dumping out credentials; pwdump, okay, good old pwdump; same [inaudible], back to our net view, which is pretty much what its name implies: they run net view, it shows the network connections from that host, okay, you'll see why in just a second; pslist, a process lister, okay.

So then they go down. First thing he does is runs net view. So we're on patient zero here, right, host 0, that's just been popped. They clicked on a spear phish, ran the back door, bad guy, once in there, runs net view. Think about your PCs, right? Maybe you don't run Windows, but most environments, right, you run Windows boxes, you've got network drives mapped, you've got connections out to different systems, right? So that shows that. Then they extract out pwdump. Then they run three commands that map out the entire network: net group "domain computers" /domain, so that lists from Active Directory all of the computers in the domain, that's a list of all the computers. Try these commands when you get back if you don't believe it. net group "domain users" /domain, so now we have a list of all the computers and we have a list of all the users. net group "domain controllers" /domain. Who needs nmap, right? Think about the fact that in your environment Active Directory already knows everything about your environment, whether you realize it or not. So in three commands they just mapped the entire network, and we're at, what, click plus 14 minutes. And so are your detection and response mechanisms going to be catching this in 14 minutes? Maybe.

Then they run a pwdump localhost, right? So if you've run pwdump then you know what that does: it dumps the local cache, okay? In the local cache are the passwords, usernames and hashes that have been used, right? So of course they run this through rainbow tables or whatever. You aren't going to see these lists out right here; they type them so they can see. And sure enough, they've got user Bob. I did change the

name of the user, it wasn't actually Bob; again, I didn't want to... Then they stop the antivirus, you know, that pesky antivirus. Yes, question? [Audience: You're talking about them possibly using a rainbow table, but according to those timestamps you're talking less than two minutes later they're logging in as...] Wow, yep, that's right. They're running it on their computer, right? You've got the rainbow table, so remember the context: so bad guy's sitting here typing this, when he typed "type 127" that caused that list that he dumped to come up on his screen on his computer, boom, you run those through, and remember, you don't have to have the massive rainbow table, you have a small one, so all he needs is one to start with, okay? And maybe... but think about what they're trying to do: they want to avoid detection. [Audience comment] Oh yes, yeah, they don't want to run that local, though, because, you know, as a security professional, if you're worth a, you know, bag of beans, you've installed detection to pick up brute-forcing. [Audience comment] Yeah, oh sure, that's true. Yeah, I don't know for a fact that they ran rainbow tables. Yes, could have just run John the Ripper, could have run, you know, whatever tool, but the bottom line is we know for a fact that here at 10:55 they were successfully logging in. That's the bottom line.

And what he's then doing here is he downloads the back door, which he downloaded earlier, if you'll recall; he's busy, he forgot, he got distracted. Then he starts doing a net use. So I renamed the computer names so they are sequential, but they all have the -XP, right? And we do that in our environment, right, so it's easier to administer with our naming conventions, or what other common things do we do in our environments? We name them based on geographical office locations, org... and not to say don't do those; you just want to be cognizant, as a security professional, that that helps you and them, that's all. Right, the thing is they got a list of computers anyway, so really it doesn't matter, because, you know, when those lists come up... and what are they using for this user? They're using user Bob T. So here what happens is PC 1, 2 and 3: where were those PCs? Those were in the net view. So essentially what just happened here: dropped onto PC 0, net view, who is it connected to, pull the local usernames and hashes, what are the chances one of those is going to work on one of those computers you're using, right? And then we move to PC 2 and we do it again, pwdump, rinse and repeat, right? So what happens is drops on, runs, but remember now, from a detection standpoint, he's using legitimate user credentials. PC002, right, PC001, 003, that was a legitimate login. No brute forcing, no illegitimate login attempts: pull it from local cache, use it to the computers that they're connected to, rinse and repeat.

So we started out... so here he installs his back door, sets up the NWSAPAgent, makes sure he's got his parameters, and then he starts it up. So he's got back door in a couple, runs a process lister, makes sure everything's going, pwdump against PC 14, right, rinse and repeat. Then we get down here, and now he wants to know a list of the members from domain admins, because that might be useful accounts to target.

He's pulling his tools down on some additional boxes, and then here at 12:22... so we came in at 10:38, now we're at 12:22, PC 6, I named these sequentially, so by the time he's hit the sixth box, which is under two hours, we're about 15 minutes shy of two hours into this attack, he's got... what do you... somebody guess what this is, right? EPO admin. What is that in the environment? It's a local admin baked into all of our images on all of our machines so that we can push antivirus updates. Is there some irony there, right? So he's using that local admin account, and from here on out he uses that, and in particular look where he goes for number seven: -DC, and wonder what that is? Domain controller. So now we're still seven minutes shy of two hours from initial click on the spear phish, and this individual, whoever it may be, right, has a list of all computers, has dumped the entire Active Directory domain, has all users' passwords. So I'm not saying this is fun; this is a real live log, right? I have thousands of these, I am not kidding, thousands, right? And it's a simple process. This is not advanced stuff, and actually it's a playbook, right? It's literally, these guys do this same thing over and over and over. I'd be willing to bet these are the junior dudes, all right, that are assigned to this.

Did you have a question, sir? Oh, sorry. [Audience: So it's interesting to me that they don't rename any of the standard tools, so for example you could do software restrictions on something like pwdump.] Sure, it might slow them down. It would slow them down, no doubt; however, remember, this is a live person behind... notice how he kept doing tasklists and stuff like that. You do see them hitting environments where they've done that, and they'll see what you've done and then they'll change it. So the right... looking when they download, right, see this download, notice when they download it they give it a name locally that's not necessarily... it doesn't have to be the same name as remote, and you'll see this a little bit, right? It's a good thought. The key, though, there, I like where you're going in that... this is the important thing, is to understand the methodology, because this is not magic, right? It isn't. This is absolutely detectable; you just have to know how to look for it, right?

And the key thing here I wanted to stress at this point is, again, we are sub two hours in, and most environments... and I get to work with lots of organizations with some really, you know, great reputations, and I really challenge you to think about: will your detection and response mechanisms allow you to catch and respond to this breach in two hours? If you can, you're among a rare few. Now, how are we doing on time here? [Audience question] Yes, that's right, this is during the middle of the day, so again, that's why, right? So this is legitimate user activity, well, except that a user shouldn't be running pwdump. But what do we do when we set up that local admin? Because nobody's going to find that, right, we turn off logging on it because it's too noisy in our logs. We do all of these things, and the bad guys just simply are using those against us, right? That's why

we're not seeing it lots of interesting things in here in interest of time I'm not going to you know belabor all of this but they do a lot of just really unusual like ping dash n one right which is when i type ping i type ping you know on linux that pings until i hit you know control c on windows it's for pings right you know I just I can't not see this without thinking about you know the yeah hunt for red october one ping only right you know and it's little things like this that leads you to conclude that they're running this from a playbook right so we've got more activity here again now notice they're

really using, abusing, this ePO admin again. They're doing some more stuff here with back doors. Anything else notable there? Nope. So let me jump down here; a couple other things I want to show. Now this is a run earlier on that same day against another host, and they use a couple different tools here, which is why I wanted to point this one out. One is this NTT and the other is MAPI. So the first thing to do is this NTT. NTT is a pass-the-hash tool, so obviously they wanted to use whatever this user, but they didn't crack it, for whatever reason. So okay, we gotta, we gotta escalate and use our pass-

the-hash tool. And then this MAPI is a really cool tool for extracting email. So here what we're doing is they run this MAPI against this Exchange server; they are pulling this user's email for this date. Why they're targeting that user, that date, I don't know, but they were. So they extract that, and then they go down here and they RAR it up, right. And the reason we're pretty confident that they love RARs is because, especially for big transfers, if you detect the RAR transmission in progress and cut it off, the raw data, whatever was in that even partial RAR, can still be extracted, whereas if you've got, say, a zip file and

you break it in the middle, say you see exfil going on, exfiltration going on, you cut it off, they're screwed; they can't get the data out of a partial zip. It's got to be complete for the extraction to work, right. What they're doing here, -hp means to encrypt it and to encrypt the file names, and here's their password. It's what we call finger-walk: 123!@#. They love to use the finger-walk passwords. And, well, but again we'll see. But look what they're doing, right, so now they move it out; so there goes the email, right. And this task list: so HTT actually runs in the background; that's why they're doing this task list,

okay, and then once done they clean up after themselves, okay. So here they go to add somebody to, to check the administrators group. See why I'm confident this is not an automated attack? All right, and we'll see some more of this in a minute. Then they're pulling a tool down here for attacking SQL servers. So this is a brute-force tool, and what this is doing is it's trying to break into this list of, this is a text file with a list of SQL servers; this is the account name that they're trying to use, sa, right, which is the system administrator password for MS SQL, with this text file of passwords, and sure enough they get in. SQL ad, they

install a backdoor. Notice what they set for the backdoor password: again, the finger-walk passwords, right. And they do some more stuff with that; again I won't, in the interest of time, go into all of that, because again this is rinsing and repeating. Here's another tool that they have for retrieving email. There's more activity; just looking for the, the high points here. Do you have, nothing hugely interesting. So now we get into some serious exfil. So this is actually a different organization, but, and again I changed the names of the directories here, but the directory names that they were using were very similar, and I would, I would ask you to think about the documents that you store on your

computer, the naming conventions that you use to organize: do they explain, in most cases, exactly what that data is? That's how they find it; it's as simple as that. dir, right, and so here again we've got, can't type, spell "information", right. And so then I go, oh, I need the quotes, nope, that didn't work, and then he realized he had misspelled it, but when he corrected it he misspelled it in another place, right. And so then he kills, all right, I gotta look at that, so it backs up a directory, then he realizes the right name, he progresses down, and sure enough, you know, he eventually finds the documents that he's looking for, okay. And

the document names are often all you need, right. I can tell you that there has been at least one instance where, looking at these logs at two a.m. in the morning, I've caught, because what I and other folks have done is passed these logs to the FBI, to the Bureau, so, you know, they can go notify these poor folks. But the bottom line here, right, is that this data really tells the story, lots of times, all by itself. So again they RAR it all up. So this is, again, this is a download here; the different, slightly different variation: this winsvr is just WinRAR, rar.exe renamed. Notice that they're RARing it up as a WMV file. It's a

RAR file; they're just using a WMV extension. Why? Because if you're monitoring at your edge and you see a stream of binary going and the file name for that binary is WMV, are you going to be able to tell the difference between a streaming video file and a RAR file just looking at the binary data? I don't, I, you know, I'm sure there's probably somebody who can, but it wouldn't be me. Again there's a password, and then here's the, here's the tool that passes that out, okay. So from, what am I, my points here that I want to get: one, think about what they're doing here, okay. So they got all of this in, initial, right, those really

important stuff that enabled them to do everything else in under two hours from initial breach. Really let that sink in, okay. Secondly, look at all of this stuff they do. Now I'm not going to read all of this, right, you guys get this, but the bottom line here is I would suspect that your existing detection systems today would not have picked up any of this, not because it can't be detected but because it's not what you're looking for right now, okay. And that's the thing: what were they doing? They were using legitimate credentials. They only ended up installing six back doors, but yet they were on 41 different boxes, okay. And what are our typical things we look for? Malware,

right, that's how we find the scope of an event: we wrote for malware. But in this case looking for malware is only going to tell us a fraction of the story. The actual data that was stolen came from a box that never got a back door installed on it, okay. So, a few things here: all of it was in less than four hours, all right. So then, I've mentioned back that first question, all right, so of course the other big thing is: why me? China, Russia, country X, they don't want anything to do with me. Well, they may or may not. They're definitely not attacking everybody; I am not saying they're attacking everybody. They are, however,

attacking thousands and thousands of companies, okay. And a lot of these companies are not big companies. We have figured out a lot of the reasons why different organizations have gotten hit. One: you have technology they want, right, and they want lots of technology. I really suggest you read the five-year plan, China's five-year plan; they spell out exactly what they're looking for. If you make any technology on that list, chances are good that you're a target, right. And they're going for whole industries, right. So last year China was very interested in fracking, right, which is a technique for extracting oil from shale, right. They hit every single company that had anything to do with

fracking, every single company, because they know how to Google too, right. It might be that you do business with someone who is in a targeted industry. It might be that you don't have anything they want, but they use you to get into somebody they do, okay. You do business in China: these guys are working as essentially what I would consider due diligence, right. If you go to, say, purchase or acquire a company, what do you do? The lawyers go in, they check, you know, you check their books, etc. What these guys do: they come in and harvest all your email so they can see what you're talking about, right. You do business with someone who does business

in technet, or you're buying or selling, right. So are we screwed? No, all right, we are not. This is not the, the sky is falling. However, as I mentioned at the beginning with that New York Times article, it's rapidly, I would suggest that regardless of whether you actually are a target, the chances are that you're going to, your organization is going to be hit just as a fallout from, you know, the next version of Flame gone bad, right, that had some code errors. I mean, that's why Stuxnet got out, right; it's because of some coding errors. It was not supposed to leave Iran, but it did, because of some coding errors. So countries are ramping up, right. If the US is

doing it, everybody's going to do it, right. So I would really suggest: take another look, a different approach than maybe you are today. Examine your proxy logs. Most of this stuff is going via web; there's definitely other ways they're doing it, but far and above, its majority is going out via web, okay. Those unusual user agents, repeated calls to default pages like iisstart.htm, right; you'll see maybe off by a little bit, right, by the renamed, slightly typo'd directory; queries that look legitimate, right, but are just, when you actually compare it up, it's off slightly. Those can be real keys. Lateral movements in your event logs: so the cool thing is about that login activity, so remember that came in on 0,

they branched out to three machines, from there they went to another; within six PCs they had, you know, the keys to the kingdom, right. That activity is trackable if you look at your event logs. A login locally at the keyboard, the event is different than a login across the network, and so if you start looking for login, any baked-in admin accounts especially, those should be a regular occurrence for you to mine through and look for users logging in successfully, not unsuccessfully but successfully, within your own organization, right. You can look for those now using your existing tools. Don't just dismiss those known tools, right. So you're scanning through your AV logs, you see, oh, they use

pwdump; dig a little deeper, right. Confirm that that really was a legitimate person who should be running that tool, or not, right. And use tools that are able to handle Unicode; we are on a global planet, not everybody speaks English. Questions, sir? 2FA would have, 2FA would have really slowed this down, wouldn't it? 2FA, two-factor authentication. This particular, yes, they have tools for bypassing two-factor, and in the case of ePO admin, that's a service account. Can you, can you GPO-restrict that so it couldn't be used to log in? Could I, I actually don't know the answer to that one. That's it, can you, all right, yeah, so if, if that service

doesn't have to run and have login authentication, you could still have it run as service credentials. But here's the thing, right, and I'm all about prevention, don't get me wrong, but here's the bottom line: these guys will do whatever it takes. We just saw the simplest run because it worked, right. They have tools like pass-the-hash that can bypass 2FA. Exercise: in this case they realize ePO admin, they would have tried logging in, it didn't work, they just simply go on to another account. I, I can't think of a single instance of these logs where they've not found some sort of local admin that they could use within six computers, right. And, and again, what I

really recommend is focus on, not that you don't want to do logical things to stop, prevent, right, but I would really stress that you need to think about how do you detect them quickly, right, because all it takes is one gap around, right. We are never going to get all your users to not click on a spear phish, right; that's why they keep getting back in, right. And so they get in and they'll move around in that two to four hours, right. So one other thing, yeah, don't have to be the only one time, that's all good, I'm just running, you can, I want to SMS or SCCM so that your