
December 2014

In 2015, take #spearphishing seriously

This attack against a steel factory in Germany is frightening. The attackers reportedly first gained access to an office network via a targeted or "spear" phish and, from this launch point, to a production network, where they caused compromised systems to fail. These failures reportedly interfered with the normal, "controlled" shutdown of a blast furnace, which caused "massive damage to the plant".

This is a sobering example of just how extensive the damage from a targeted "spear phish" can be. Pre-9/11, I consulted for a Fortune 500 corporation on mitigating the risk of attacks against process control systems. One of the risks we identified at that time was the possibility that malicious, criminal, terrorist, or disgruntled insider actors could (remotely) gain access to systems that monitored or controlled manufacturing and cause them to fail, overheat, or explode. It's not at all comforting to read about an attack that's frighteningly similar to what we were then modeling as hypothetical.

Spearphishing poses serious risks for any organization, large or small. It's hard or impossible for the average worker to imagine that their corporate email account can be the catalyst for environmental damage, systemic failure, injury or loss of life. Unfortunately, there's growing evidence that no one, in any organization, can afford to be dismissive of or ignore the spear phishing threat.
 
To shore up your organization's spear phishing defenses,
  • Make a point of familiarizing your workers with how current events are woven into spear phishing lures and other social engineering tactics. Develop an awareness campaign that teaches workers how to recognize and avoid being spearphished.
  • Spear phishing, and the advanced persistent threat campaigns that often follow it, exploit compromised accounts to pivot from "office networks" into infrastructure, financial, or business-critical networks. Examine your network topology, data protection and user account management to see whether further compartmentalization could limit or contain a successful attack.
Be - and think - safe this holiday season and throughout the New Year.
 

ISIT: A Template to Document Your DNS Investigations

Anuj Soni has written a fine post at the SANS Digital Forensics and Incident Response blog entitled How to Track Your Malware Analysis Findings. In the post, Anuj asserts that a truly successful malware analysis requires "both a well-crafted process and detailed documentation of the journey through that process". This is a spot-on observation, and it applies equally to investigations where documenting Internet identifier systems (domain names, Internet addresses, autonomous system numbers) is critical.

Anuj also mentions that "meticulous documentation allows you to easily retrace your analysis flow (particularly important if the work supports any litigation), and it facilitates information sharing so others can benefit from your analysis approach and results." These, too, are consistent with principles I've described in my Thought Paper on Domain Seizures and Takedowns.

Just as Anuj has created a template to record analysis details when performing malware analysis of Windows executables, I have created an Identifier Systems Investigations Template (ISIT), in Word. The template has sections for:

  • DNS and domain intel, including domain names of interest, class of abuse, and name server and zone data of interest;

  • Domain name registration information from domain whois;

  • IP and ASN whois information; and

  • Reputation data for domains, addresses, MX records and hosted or attachment malware.

In some respects, these templates might be more useful as web forms, especially in circumstances where you're investigating lists of domains and have whois records, dig output, raw email messages, web page screenshots, or HTML for each of these. I've identified places where you might want to link or upload files of supporting data should you choose to make web forms.
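As an added illustration, not part of the original post or of the ISIT Word template itself, the Python script below fills the four ISIT sections from the two artifacts an investigator most often pastes into the template, `dig +noall +answer` output and a domain whois record, and records one check worth writing down: name servers that the registrar's whois lists but the live zone does not delegate to (or vice versa), which can point to stale registration data or a delegation the registrant never intended. The dig answer, the whois record and the `.test` domain names are constructed samples; the JSON layout is my own rendering of the template's four headings, and the IP/ASN whois and reputation fields are left empty because filling them needs network lookups.

```python
"""Populate an ISIT-style record from dig and whois output (added example)."""
import json
import re

# Constructed sample: `dig +noall +answer example-abuse.test ANY` output
SAMPLE_DIG = """\
example-abuse.test.    3600  IN  A     203.0.113.10
example-abuse.test.    3600  IN  NS    ns1.example-dns.test.
example-abuse.test.    3600  IN  NS    ns2.example-dns.test.
example-abuse.test.    300   IN  MX    10 mail.example-abuse.test.
"""

# Constructed sample: trimmed domain whois response ("Key: value" lines)
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-ABUSE.TEST
Registrar: Example Registrar, Inc.
Creation Date: 2014-11-28T04:12:00Z
Registrar Abuse Contact Email: abuse@example-registrar.test
Name Server: NS1.EXAMPLE-DNS.TEST
Name Server: NS2.EXAMPLE-DNS.TEST
Registrant Name: REDACTED FOR PRIVACY
"""

# One dig answer line: owner name, TTL, class, type, rdata
DIG_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z0-9]+)\s+(?P<rdata>.+)$"
)


def parse_dig_answer(text):
    """Turn `dig +noall +answer` lines into a list of record dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # skip blanks and dig comments
            continue
        m = DIG_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised dig line: {line!r}")
        rec = m.groupdict()
        rec["ttl"] = int(rec["ttl"])
        rec["name"] = rec["name"].rstrip(".").lower()
        records.append(rec)
    return records


def parse_whois(text):
    """Collect 'Key: value' lines; repeated keys (e.g. Name Server) become lists."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() and value.strip():
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def build_isit_record(domain, class_of_abuse, dig_text, whois_text):
    """Assemble the four ISIT sections. IP/ASN whois and reputation data
    need network lookups, so those fields are left for the investigator."""
    dns = parse_dig_answer(dig_text)

    def rdata(rrtype):
        return [r["rdata"] for r in dns if r["type"] == rrtype]

    return {
        "dns_intel": {
            "domain": domain.lower(),
            "class_of_abuse": class_of_abuse,
            "name_servers": sorted(ns.rstrip(".").lower() for ns in rdata("NS")),
            "records": dns,
        },
        "registration": parse_whois(whois_text),
        "ip_asn": {"addresses": rdata("A") + rdata("AAAA"), "ip_whois": {}, "asn": None},
        "reputation": {
            "domains": {},
            "addresses": {},
            "malware": [],
            # MX rdata is "<preference> <host>"; keep only the host for reputation checks
            "mx_hosts": [v.split()[-1].rstrip(".").lower() for v in rdata("MX")],
        },
    }


def name_server_discrepancies(record):
    """Compare name servers in the registrar's whois with those the live zone
    delegates to. Any difference belongs in the investigation notes."""
    in_dns = set(record["dns_intel"]["name_servers"])
    in_whois = {
        ns.rstrip(".").lower() for ns in record["registration"].get("Name Server", [])
    }
    return {"whois_only": sorted(in_whois - in_dns), "dns_only": sorted(in_dns - in_whois)}


if __name__ == "__main__":
    record = build_isit_record("example-abuse.test", "phishing", SAMPLE_DIG, SAMPLE_WHOIS)
    record["checks"] = {"name_server_discrepancies": name_server_discrepancies(record)}
    print(json.dumps(record, indent=2))
```

Run it with real `dig` and `whois` output pasted into the two sample strings (or read from files) and paste the JSON into the template's DNS, registration, IP/ASN and reputation sections; the parsed records keep the TTLs and rdata verbatim so the notes can be retraced later, which matters if the investigation ever supports litigation.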

In the same spirit of sharing and learning that Anuj offered, feel free to use this template and tailor it to your own methodology. Email me with suggestions and I'll try to update it regularly.