Here we go again with the 'Breach of the Week'... This time it is potentially larger than Target, which is the largest known retail breach to date with over 110 million affected accounts. It just happened a year ago ;-/.
So what does the Information Technology and Information Security community do about all these breaches?
We are at a crossroads in Information Security as an industry. Products are not helping you, they are clearly not a magic bullet, and compliance efforts like PCI obviously are not saving you either.
What we have here is a people problem. The problem is simply the people and the lack of understanding of how to do Information Security engineering. Some are better than others, but clearly management does not make security engineering a priority. It's a lack of leadership and vision, and it is the obvious problem facing our industry given all the breaches in the past 12 months. Use the information already available and look for it in your environment. Why is this so hard?
Say hello to "The Malware Management Framework". It should be every CIO, ISO, CSO, CISO and InfoSec manager's new mission statement.
Case in point. The Target breach was analyzed and a report published by iSight Partners with all the details needed to detect BlackPoS/Kaptoxa for any retail business; it was released... Jan 14, 2014. That was EIGHT months ago! So any retail business with IT and InfoSec people and good leadership surely would take this information and make it a priority to check their PoS systems for any sign of PoS P0wnage. Sadly, not.
Enter Home Depot, now a confirmed breach, the size and impact yet to be understood and by the very same malware that hit Target last year. Everything Home Depot needed was at their fingertips, published, available to their leadership to step up and avoid the cluster F$@! that hit Target... As BSides Austin shirts stated on the back, "Don't be a Target"!
So where did Home Depot, the 2nd largest retailer in the US go wrong? Where did every retailer with PoS systems large enough to have an IT and InfoSec staff go wrong? Where do most companies go wrong?
They were not practicing Malware Management. We are all familiar with Vulnerability Management, it's in compliance requirements, but Malware Management? Yes, it's basically the same thing: look at the alerts, descriptions, reports and analysis from vendors, researchers' Blogs and Conferences on malware instead of vulnerabilities. The information you can glean is golden and will save your ASSets.
Below I have included many well known APT, PoS and even NIX and Mac malware analyses that EVERY single InfoSec and IT team should use to start their very own Malware Management Program. Using the "Malware Management Framework" will help you discover malware, or validate that you're malware free. If you do find something new and unknown, like we did with the WinNTI malware in June 2012, 10 months before the Kaspersky report was published, you should publish, release or Blog your details about the malware artifacts so that everyone benefits.
Case Study:
The malware associated with a breach where I previously worked is proof Malware Management works. We used data from published malware reports and analysis to tweak our tools. Initially using a script tweaked to look for the malware artifacts in locations APT was known to reside, we found the malware artifacts. This allowed us to catch the intruder in the act and block them from getting any information. Looking at the logs for the affected systems we were able to see some items were not enabled or properly configured, and were then able to tweak our logging to better detect Malwarian behavior. This led us to produce the "Windows Logging Cheat Sheet" (link below), a direct result of our Malware Management efforts. We have made this information available to everyone for FREE so people may improve the People and Process components of their Information Security programs. It works, you just need management to allocate a few resources to actually 'Fix It', as Wendy Nather indicated we need more of in her recent Blog (Idoneous Security), and she is dead right.
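The artifact sweep described in the case study, as an added example (my own code, not the script from the original post): a small indicator set laid out in one consistent artifact format is swept across a directory tree, matching on file name, directory name and SHA-256 so that a renamed copy of a known sample is still caught. Every indicator value, the sample bytes and the directory it builds are constructed placeholders; real values come from the published report.

```python
import hashlib
import os
import tempfile

# Constructed indicator set in one consistent "artifact" layout (type, value,
# source report). Real values come from the published report; these are placeholders.
SAMPLE_BYTES = b"constructed sample content standing in for a malware binary"
INDICATORS = [
    {"type": "filename", "value": "placeholder_pos_dump.dll", "source": "example report"},
    {"type": "dirname", "value": "placeholder_drop_dir", "source": "example report"},
    {"type": "sha256", "value": hashlib.sha256(SAMPLE_BYTES).hexdigest(),
     "source": "example report"},  # placeholder: a real report supplies this hash
]

def sha256_of(path, chunk=1 << 20):
    """Stream the file so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def sweep(root, indicators=INDICATORS):
    """Walk root and return every (path, matched indicator) pair."""
    by_type = lambda t: {i["value"].lower(): i for i in indicators if i["type"] == t}
    names, dirs, hashes = by_type("filename"), by_type("dirname"), by_type("sha256")
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        hits += [(os.path.join(dirpath, d), dirs[d.lower()]) for d in dirnames if d.lower() in dirs]
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            if fn.lower() in names:  # name match is cheap, but a renamed file slips past it
                hits.append((path, names[fn.lower()]))
            try:
                digest = sha256_of(path)
            except OSError:
                continue  # unreadable or vanished file: skip it, don't abort the sweep
            if digest in hashes:  # hash match still catches the renamed copy
                hits.append((path, hashes[digest]))
    return hits

def make_sample_tree():
    """Constructed directory: one benign file, one renamed copy, one name-only hit."""
    root = tempfile.mkdtemp(prefix="mmf_sweep_")
    os.makedirs(os.path.join(root, "placeholder_drop_dir"))
    for rel, data in [("benign.txt", b"nothing to see here"), ("renamed.bin", SAMPLE_BYTES),
                      ("placeholder_drop_dir/placeholder_pos_dump.dll", b"different bytes")]:
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root
```

Point `sweep()` at a PoS host's drive, feed it the artifact list from the vendor report, and treat every hit as a lead to pull logs on.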
The "Malware Reporting Standard" that we propose everyone adopt will become obvious as you read through the various vendor malware analysis reports. What these reports lack is a consistent way to report malware artifacts, also called Indicators of Compromise (IOC). If creators of malware analysis reports used the Malware Reporting Standard, we would have more consistent reports and an easier time consuming and using the valuable artifacts. The best examples of this format are the Securelist virus description details and, oddly, the US-CERT BackOff malware alert:
If The Home Depot leadership had any clue how to do effective Information Security, they would have avoided this breach. Clearly Home Depot is lacking in security engineering and not using the information from the recent breaches to ask themselves "Are we a Target? Should we prepare ourselves for a similar incident?". They could have avoided what could be over (just guessing) 200 million lost accounts, only time will tell. But, we do know this is going to cost them a small fortune, MUCH more than improving their security engineering would have cost. Target has spent $146 million USD to date on their breach!
With the Malware Management Framework we found a previously unknown APT 10 months before it was published by Kaspersky, and Home Depot could have 100% avoided their breach using this same methodology. Only 6 Windows log events were needed to catch the Target and Home Depot breaches! Had they been any good at security engineering and practiced Malware Management, this could have been avoided.
This is a teaching moment for Information Security professionals worldwide, not just those that are currently under attack with Point of Sale systems and credit Cards, but for whatever is next, whatever is already there in YOUR environment!
Start practicing Malware Management before it is too late and you are the next Target or Home Depot.
#InfoSec #HackerHurricane #MalwareManagement #Breach
RESOURCES:
Below are some items to help you start using the Malware Management Framework.
Linux:
IptabLes/IptabLex (Rootkit)
- http://blog.malwaremustdie.org/2014/06/mmd-0025-2014-itw-infection-of-elf.html
- http://storage.pardot.com/9892/121392/TA_DDos_Binary___Bot_IptabLes_v6_US.pdf
MAC:
Kyle and Stan (Win & MAC)(Rootkit)
OSXGetShell (Rootkit)
WINDOWS:
BackOff (PoS)
- https://www.us-cert.gov/ncas/alerts/TA14-212A
- http://blog.trendmicro.com/trendlabs-security-intelligence/new-pos-malware-backoff-targets-us/
- http://www.invincea.com/2014/09/analysis-of-backoff-pos-malware-gripping-the-retail-sector-reveals-lack-of-sophistication-in-malware/
CryptoLocker (RansomWare)
- http://www.secureworks.com/cyber-threat-intelligence/threats/cryptolocker-ransomware
- https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24786/en_US/McAfee_Labs_Threat_Advisory_Ransom_Cryptolocker.pdf
Chewbacca (PoS)
Dexter/Project Hook (PoS)
BlackPoS/Kaptoxa (PoS)
- http://www.securitycurrent.com/resources/files/KAPTOXA-Point-of-Sale-Compromise.pdf
- http://blogs.mcafee.com/mcafee-labs/analyzing-the-target-point-of-sale-malware
- https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24927/en_US/McAfee_Labs_Threat_Advisory_EPOS_Data_Theft.pdf
- http://securityintelligence.com/target-data-breach-kaptoxa-pos-malware/
Red October (State Sponsored)
- http://securelist.com/analysis/publications/36740/red-october-diplomatic-cyber-attacksinvestigation/
- http://securelist.com/analysis/36830/red-october-detailed-malware-description-1-first-stage-of-attack/
SysPrep/Cryptbase.dll (Privilege Escalation)
The Snake/ Uroburos (State Sponsored)
- http://info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf
- http://www.viruslist.com/sp/analysis?pubid=207271262
WinNTI (Discovered by us in June 2012 using this methodology)(APT)
Mandiant APT1 (APT)
Shady Rat (Rootkit)
Duqu (APT)
- http://www.kaspersky.com/about/press/major_malware_outbreaks/duqu
- http://www.secureworks.com/cyber-threat-intelligence/threats/duqu/
- http://www.symantec.com/outbreak/?id=stuxnet
Stuxnet (State Sponsored)
- http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
- http://www.codeproject.com/Articles/246545/Stuxnet-Malware-Analysis-Paper
- http://www.eset.com/us/resources/white-papers/Stuxnet_Under_the_Microscope.pdf
- https://www.mandiant.com/blog/stuxnet-memory-analysis-ioc-creation/
Gameover Zeus (Financial)
Zeus/SpyEye (Financial)
Gauss (APT)
Mini-Flame (APT)
SkyWiper/Flame (APT)
- http://securelist.com/blog/incidents/34216/full-analysis-of-flames-command-control-servers-27/
- http://www.academia.edu/2394954/Flame_Malware_Analysis
- http://securelist.com/blog/incidents/33002/flame-replication-via-windows-update-mitm-proxy-server-18/
- http://www.crysys.hu/skywiper/skywiper.pdf
ZeroAccess (Rootkit)
- http://nakedsecurity.sophos.com/zeroaccess2/
- http://www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99&tabid=2
Shamoon (Destructive)
- http://securelist.com/blog/incidents/57854/shamoon-the-wiper-copycats-at-work/
- http://securelist.com/blog/incidents/57784/shamoon-the-wiper-further-details-part-ii/
Wiper (Destructive)