In Carbon Black’s Quarterly Incident Response Threat Report (QIRTR), some of the world’s leading incident response (IR) professionals reported seeing an uptick in lateral movement, counter-incident-response and island-hopping attacks from motivated nation-states. In the case study below, Kroll describes how it used Cb Response to investigate and remediate a cryptomining attack.
One day in early summer, a healthcare company noticed something troubling: An abnormally high volume of network traffic was inflicting downtime at several store locations. At first they thought it was an external attack — like a distributed denial of service — and legacy antivirus was unable to identify the threat. The finding from their ISP was even more troubling: the traffic was coming from the inside.
At this point they called in Kroll, which immediately installed Cb Response to gain visibility into the network. They saw that infected machines were causing a “traffic jam” because they were continuously scanning to find others to infect. Kroll also identified malware known as WannaMine trying to enlist as much computing power as possible to mine cryptocurrency.
Kroll has a long history working with these sorts of attacks. It used Carbon Black to run relevant queries, cross-check systems for suspicious behaviors and search running processes for cryptomining algorithms. Rather than imaging all 500 systems in the network, it could prioritize, using Carbon Black to identify the systems most likely to have permitted the malware’s initial entry. The endpoint data showed that the malware was delivered as code embedded in PowerShell commands: it harvested credentials with a variant of Mimikatz, launched the miner, and then spread to other hosts over WMI and SMB. Two persistence mechanisms were also used: a permanent WMI event subscription (an event consumer bound to an event filter) and scheduled tasks. The attackers might have been low-level cryptominers, but they were using high-level techniques popularized, in part, by nation-state actors: living off the land with built-in Windows tools and protocols so that the activity blends in with legitimate administration and evades signature-based defenses.
To remediate and recover from this attack, Kroll used Cb Live Response to surgically terminate the malicious PowerShell processes and remove the persistence mechanisms. Scripting against the Cb Live Response API meant that Kroll could do this across all affected systems quickly, rather than logging in to each one. Within days, as the Carbon Black deployment was completed, Kroll’s IR team had restored network performance: the scanning traffic let up and business returned to normal.
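The per-host hunt-and-clean logic behind that remediation, written out as an added example (this is not Kroll's or Carbon Black's code, and it runs locally rather than through the Cb Live Response API): it enumerates the three places the case study names, WMI permanent event subscriptions under root\subscription, scheduled tasks, and live powershell.exe processes, flags any whose command line carries an encoded payload, a download cradle or a Mimikatz reference, decodes -EncodedCommand payloads so the analyst can read what actually runs, and deletes or kills the findings only when run with -Remove. The indicator pattern is an assumed, illustrative list, not a WannaMine signature.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not Kroll's or Carbon Black's tooling. Hunts for, and with
  -Remove deletes, WMI event-subscription persistence, scheduled tasks and
  running PowerShell processes whose command line looks like an encoded or
  download-cradle payload. Report-only by default.
  Assumption: $SuspiciousPattern is an illustrative indicator list; tune it
  to the environment before trusting its hits.
#>
param([switch]$Remove)

# Command-line traits worth a closer look (assumed list).
$SuspiciousPattern = '(?i)-e(c|nc\w*)?\s+[A-Za-z0-9+/=]{20,}|downloadstring|invoke-expression|\biex\b|frombase64string|mimikatz|-nop\b|-w\w*\s+hidden'

function Test-SuspiciousCommand([string]$CommandLine) {
    return (-not [string]::IsNullOrWhiteSpace($CommandLine)) -and ($CommandLine -match $SuspiciousPattern)
}

# -EncodedCommand payloads are base64 of UTF-16LE text; decode them so the
# analyst sees the script rather than an opaque blob.
function Get-DecodedCommand([string]$CommandLine) {
    if ($CommandLine -match '(?i)-e(c|nc\w*)?\s+([A-Za-z0-9+/=]{20,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) }
        catch { return $null }
    }
    return $null
}

function Write-Finding([string]$Tag, [string]$Detail) {
    Write-Output "[$Tag] $Detail"
    $decoded = Get-DecodedCommand $Detail
    if ($decoded) { Write-Output "        decoded: $decoded" }
}

# 1. WMI permanent event subscriptions. The consumer carries the payload, the
#    filter is the trigger, and a binding joins the two; all three must go.
$ns = 'root\subscription'
$consumerPayload = @{ CommandLineEventConsumer = 'CommandLineTemplate'; ActiveScriptEventConsumer = 'ScriptText' }
foreach ($class in $consumerPayload.Keys) {
    foreach ($c in @(Get-WmiObject -Namespace $ns -Class $class -ErrorAction SilentlyContinue)) {
        $payload = $c.($consumerPayload[$class])
        if (-not (Test-SuspiciousCommand $payload)) { continue }
        Write-Finding 'WMI' "$class '$($c.Name)': $payload"
        if (-not $Remove) { continue }
        $nameRef = 'Name="' + [regex]::Escape($c.Name) + '"'
        Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
            Where-Object { $_.Consumer -match $nameRef } |
            ForEach-Object {
                $filterName = if ($_.Filter -match 'Name="([^"]+)"') { $Matches[1] } else { $null }
                $_ | Remove-WmiObject                      # binding first, so nothing re-arms
                if ($filterName) {
                    Get-WmiObject -Namespace $ns -Class __EventFilter -Filter "Name='$filterName'" | Remove-WmiObject
                }
            }
        $c | Remove-WmiObject
    }
}

# 2. Scheduled tasks whose action is a suspicious command line.
foreach ($t in Get-ScheduledTask) {
    foreach ($a in @($t.Actions)) {
        $cmd = ("$($a.Execute) $($a.Arguments)").Trim()
        if (-not (Test-SuspiciousCommand $cmd)) { continue }
        Write-Finding 'TASK' "$($t.TaskPath)$($t.TaskName): $cmd"
        if ($Remove) { Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false; break }
    }
}

# 3. Live PowerShell processes. Skip our own process: if a responder pushed
#    this script with -EncodedCommand it would otherwise match and kill itself.
foreach ($p in Get-CimInstance Win32_Process -Filter "Name='powershell.exe' OR Name='pwsh.exe'") {
    if ($p.ProcessId -eq $PID -or -not (Test-SuspiciousCommand $p.CommandLine)) { continue }
    Write-Finding 'PROC' "pid $($p.ProcessId) parent $($p.ParentProcessId): $($p.CommandLine)"
    if ($Remove) { Stop-Process -Id $p.ProcessId -Force -ErrorAction SilentlyContinue }
}
```

Run it once without -Remove and read the decoded payloads before acting; legitimate management tooling also uses -NoProfile and hidden windows, so the pattern is a triage aid, not a verdict. Two caveats that follow from the case study rather than from the script: because the malware spreads over WMI and SMB with harvested credentials, a cleaned host can be reinfected by any peer still running the miner, so the cleanup has to cover every host in the same window (which is why Kroll scripted it against the Live Response API instead of touching machines one at a time); and removing the foothold does nothing about the credentials Mimikatz already captured, which need to be reset separately.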
Interested in learning more about how you can put incident response best practices into use? At Cb Connect 2018 you’ll have the opportunity to connect with other like-minded security users and build your resume while you become Carbon Black Certified. Becoming Carbon Black Certified for Cb Defense, Cb Protection and/or Cb Response gives you the opportunity to earn continuing professional education (CPE) credits through (ISC)2, strengthen your knowledge of the product, and continue to develop your skills in information. Learn more here.