Finding the hidden attacker in your network

Imagine the following scenario: you are the CIO of an organization and receive a phone call from an external party, informing you that suspicious traffic has been observed between your company network and a remote server. The incident response turns up that an attacker has been present in your network for over 6 months, and has had a free reign in moving through all the end-points and data that it deemed interesting. Apparently, your up-to-date security measures did not detect the presence of this attacker.

This is a real-life scenario that we have encountered in many forms over the past years when helping clients in their incident response. Often, 0-day exploits and advanced malware are involved, that do not trigger existing security measures like anti-virus or an Intrusion Detection System. So how do you actually detect such (often advanced) attacks?

Due diligence for your IT infrastructure

One of the hardest things is that the attacks we are discussing here, are not detected by most traditional detection measures. Secondly, once an attacker has gained sufficient access, he will often be able to use existing user accounts to move further through your network. This type of legitimately looking behavior is even harder to detect or prevent against (your actual users still need to be able to work, right?).

A proven approach here is to investigate your IT infrastructure for traces of a breach, without having any indications of such a breach. Although this is much harder to do than when you have an actual indicator of an ongoing attack, you could perform a due diligence type of analysis where you look for traces of advanced attacks. What is essential in such an approach is to have the knowledge and experience present that go beyond your existing prevention and detection measures. Specifically, you are looking for a team of experienced incident responders and forensic analysts that know what types of traces and behavior they have to look for. In addition, the team should have access to the latest intelligence on past and current threats and modus operandi.

Fox-IT Compromise Assessment

Fox-IT’s Compromise Assessment service is used to thoroughly analyze an organization’s IT infrastructure for traces that might indicate a past or ongoing compromise of systems and/or data. Typically, the assessment involves the forensic analysis of a wide variety of data sources, being network traffic, system / application logs and end point behavior. The threats that are relevant to your organization will determine the scope and focus of the assessment.

The assessment itself consists of three parallel tracks:

  • Network forensics
  • Log file forensics
  • End-point forensics

Each track may require the deployment of some technology in the infrastructure under investigation, such as devices for network traffic recording and analysis (probes) and digital forensic analysis software. Each track consists of a combination of automated analysis and human expertise. By applying Fox-IT’s world-class threat intelligence, combined with the years of experience of our incident response and forensics team, we are able to add a unique layer of expertise on top of our automated analyses.

The focus is mostly on catching lateral movement of an attacker through the network, while also catching low-hanging fruit like malware infections or other less targeted attacks.

A typical compromise assessment will take between 5 and 7 weeks. The first few weeks are spent by deploying network probes and other data collectors that will record relevant data for a couple of weeks. This data, along with other relevant information (forensic disk images, log files, etc.), will then be analyzed by a team of Fox-IT experts. This usually takes around 2 to 3 weeks of full-time work, optionally executed on-site at the client. The Fox-IT experts will work closely with the client’s IT staff, to follow up on leads and indications of malicious activity that come up during the assessment.

Results and benefits

The main result of a compromise assessment is obviously an answer to the question whether traces were found of a past or ongoing breach. However, the benefits of performing a compromise assessment extend beyond just this one question. By gathering so much forensic information, analyzing it and discussing results with your IT staff, Fox-IT experts will get an insight into various aspects of your IT security. The final report will therefore also contain recommendations in the fields of general security, preventive, detective and responsive/readiness measures. The recommendations are structured according to the SANS Critical Security Controls.

A compromise assessment can also quite easily be extended by adding forensic readiness and/or security maturity assessments. That way, an organization can use the compromise assessment as a starting point in designing a new IT security strategy or in validating and strengthening an existing one.

Contact and more information

If you are interested in a compromise assessment and would like to further discuss the possibilities for your organization, please contact Kevin Jonkers via e-mail or by phone +31 (0) 15 284 79 99.