The document describes an incident response case involving the compromise of a company's network. An attacker first gained access via a spear phishing email that exploited a vulnerable version of Adobe Acrobat. They then stole VPN credentials, allowing remote access from their home system. Over several weeks, the attacker performed reconnaissance and stole sensitive engineering data by modifying file permissions. The company's implementation of a SIEM tool helped identify the attacker's activities and multiple compromised accounts. An incident response team was brought in to fully eradicate the threat and secure the network.

1. CNIT 152:
Incident
Response
1 Real-World Incidents
Updated 8-19-2021

2. Events and Incidents
• Event
• Any observable occurrence in a system or
networ
k
• Incident
• Violation or threat of violation of security
policies, acceptable use policies, or standard
security practices

3. Incident Response
• Con
fi
rm whether an incident occurre
d
• Rapid detection and containmen
t
• Determine scop
e
• Prevent a disjointed, noncohesive respons
e
• Determine and promote facts and actual
informatio
n
• Minimize disruption to business and network
operations

4. Incident Response
• Minimize damage to the compromised
organizatio
n
• Restore normal operation
s
• Manage public perceptio
n
• Allow for legal action against perpetrator
s
• Educate senior managemen
t
• Enhance security posture against future
incidents

5. IR Teams
• Investigation tea
m
• Determines what has happened and performs
a damage assessmen
t
• Remediation tea
m
• Removes the attacker and enhances security
postur
e
• Public relations

6. Live Response
• Classical forensics was done post-morte
m
• On a hard disk imag
e
• Now mody analysis id performed on systems
that are powered on (live
)
• Including memory analysis to see running
processes, network connections, etc.

7. Case 1
Show Me the Money

8. Initial Compromise
• Early January: SQL injection vulnerability
exploited on server WEB
1
• In a DMZ belonging to a small business unit
purchased by the parent organization four years
prio
r
• Command execution on database server DB1, with
privileges of the SQL Server service (local
administrator
)
• Using xp_cmdshel
l
• Download malware and execute it on DB1

9. Escape DMZ
• Miscon
fi
guration in DMZ
fi
rewall allowed
malware to execute SQL commands on a
database server intDB
1
• Located within the corporate environment

10. Recon
• Attacker spent weeks performing
reconnaissance of corporate environmen
t
• For
fi
rst week, attacker used SQL injectio
n
• Then the attacker implanted a backdoo
r
• Extracted and cracked password hash for local
administrator account on intDB
1
• Now the attacker has local admin on most
systems

11. Lockheed
-Martin
Kill Chain

12. Mitre ATT&CK v9

13. Exploit Domain Controller
• Installed keylogger malwar
e
• Obtained password hashes from multiple
systems for administrator account
s
• Including hashes from the Domain Controller

14. Mid-February
• More than 20 backdoors, spanning three distinct
malware familie
s
• We'll call the primary backdoor family BKDOO
R
• Custom malware creation ki
t
• Allowed attacker to modify binaries to avoid
antivirus detection

15. BKDOOR
• Full control of victim syste
m
• File upload and downloa
d
• Tunnel Remote Desktop Protocol traf
fi
c into the
environmen
t
• Proxy network traf
fi
c between backdoor
s
• Encrypts command-and-control (C2) traf
fi
c with
RC4 "C2 data
"
• Persistence through "DLL search-order
hijacking"

16. PROXY Malware Family
• Redirected connections to destination address
speci
fi
ed in its con
fi
guration
fi
l
e
• Can also accept original destination address
from the BKDOOR malware

17. BKDNS Malware Family
• Tunneled C2 traf
fi
c through DNS queries and
response
s
• A backup system, not used during this
investigatio
n
• Used on both Windows and Linux systems

18. Late March
• Attacker stole data multiple time
s
• Took usernames and password
s
• Network architecture and IT informatio
n
• Information about
fi
nancial systems and how
fi
nancial data was handled

19. Stealing Financial Data
• Outbound FTP connection to an attacker-
controlled FTP serve
r
• Also used a backdoor to send
fi
nancial data to
C2 serve
r
• Compressed the data as ZIP, RAR or CAB
fi
les

20. Jump Server
• Gateway into restricted
fi
nancial environment

21. PCI Data
• Payment Card Industry dat
a
• Magnetic stripe has two track
s
• Track 1 & Track 2 (similar data
)
• CVV/CVV2 number used to verify physical
possession of the car
d
• Not all merchants collect the CVV/CVV2 number

22. Compromise JMPSRV
• Gained access with stolen domain administrator
password (two-factor authentication not used
)
• Transferred reconnaissance tools to JMPSR
V
• Begin reconnaissance of restricted
fi
nancial
environmen
t
• Took password hashes from RAM on JMPSRV

23. Recon
• Next two months
fi
ndin
g
• Systems that processed or stored cardholder
informatio
n
• Systems with direct Internet connection
s
• Stole documents that described the
infrastructure

24. Naming Convention
• 90 systems processed or stored
fi
nancial
informatio
n
• PROC_FIN01, PROC_FIN02, STOR_FIN01,
STOR_FIN02, etc
.
• None connected directly to the Interne
t
• Attacker sent data through JMPSRV and MAIL to
get out

25. Proxy Connections

26. Testing Methods
• Put Sysinternals "PsSuite" on PROC_FIN0
1
• Used pslist to see running processe
s
• Dumped RAM from multiple processe
s
• Created a RAR archive and transferred it ou
t
• Trying to
fi
nd processes that contained
cardholder data

27. Cardharvest
• Two days later, attacker installed a custom binary
named "cardharvest.exe" onto PROC_FIN0
1
• Searched process RAM for Track 2 data every
15 second
s
• Hashed the data to prevent duplicate collectio
n
• Encrypted it using RC4 and a hard-coded static
ke
y
• Saved it to a local
fi
le

28. Three Months
• Over the next three month
s
• Attacker stole millions of cardholder data
record
s
• From all 90
fi
nancial systems

29. Detection
• After ten months of exploitatio
n
• A system administrator noticed that MAIL was
communicating with a server in a foreign
country over port 8
0
• Triage showed that there was a compromis
e
• Initiated incident response

30. Incident Response
• Team travelled to client locatio
n
• Immediate containment pla
n
• Comprehensive incident investigatio
n
• Eradication event to remove all traces of the
attacke
r
• Less than two months for complete IR

31. Investigation Team

32. Remediation Team

33. Case 2
Certi
fi
cate of Authenticity

34. Initial Compromise
• In mid-May, attacker sent 100 spear-phishing
email
s
• Targets chosen because of business
relationship to speakers at an industry
conferenc
e
• Most had local administrator privilege
s
• None had domain administrator privileges

35. Malicious PDF
• One recipient, Bob, opened the attachment with
a vulnerable version of Adobe Acroba
t
• Exploit installed GHoST RAT (Remote Access
Trojan
)
• Attacker gained control of BOBSYS01 from the
C2 server

36. VPN Compromise
• Two days later, attacker performed
reconnaissance on BOBSYS0
1
• Bob was an enginee
r
• Had VPN software that used a machine
certi
fi
cate, username, and passwor
d
• Obtained and cracked local administrator
password has
h
• Used mimikatz.exe to extract Bob's password
and VPN machine certi
fi
cate

37. The Attacker Obtained
• No longer needs Bob's syste
m
• Attacker can now VPN in from any system

38. HOME3
• Less than one week late
r
• Attacker connected via VPN from a system
named HOME
3
• Used RDP but ended the session by closing the
window instead of logging ou
t
• Caused an event to be logged in the Security
event lo
g
• Capturing attacker's host name and IP
address (from Texas)

39. Recon
• Attacker spent the next 2 weeks performing
reconnaissanc
e
• Mapped network shares and directory listing
s
• Installed keylogger
s
• Accessed email through Outlook Web Access
(OWA) with stolen credentials

40. SENS1
• Two weeks later, attacker started accessing
business-critical data from a share on
fi
le server
SENS
1
• Sensitive engineering data for a new produc
t
• Access Control Lists (ACLs) restricted this data
to engineers working on the projec
t
• But the attacker had local administrator
access and modi
fi
ed the ACLs to gain access

41. Next Four Weeks
• Attacker sporadically stole dat
a
• Created encrypted RAR
fi
le
s
• Renamed them to CAB
fi
le
s
• Uploaded to an attacker-controlled FTP serve
r
• Then deleted RAR
fi
le and ran Windows
defragmentation utilit
y
• In an attempt to cover tracks

42. SIEM
• Two weeks after the attacker began stealing
dat
a
• Company started evaluating a new Security
Information and Event Management (SIEM)
utilit
y
• Included VPN logs in the data set
s
• SIEM showed Bob logging in from multiple
systems and IP addresses simultaneously on
multiple days

43. Chasing Attacker
• Security staff disabled Bob's accoun
t
• Attacker started using another account, Mary'
s
• SIEM quickly discovered malicious use of
Mary's accoun
t
• Initiated incident response and called IR
specialists in

44. Real IR
• Identify IP addresses attacker used to VPN fro
m
• GHoST RAT was sending beacons to one of
those same IP
s
• This led to discovery of compromise on
BOBSYS0
1
• Comprehensive eradication event performed
two weeks after IR initiated

45. OWA Access
• Two days after the eradication even
t
• SIEM detected one of attacker's IP addresses
attempting access to OWA, with multiple user
account
s
• Even though company had changed all
passwords during the eradication event, not all
users had actually changed their password
s
• A second enterprise-level password change
disabled all accounts that failed to change
passwords within 24 hours

47. Attack Lifecycle