One of the more difficult questions that cyber security and cyber risk teams need to convey to their leadership is to answer the question of whether their organization is being targeted specifically by cyber attackers or just mass malware.
One obvious way to look at this question is to provide a break down of malware infections observed by the organization's security infrastructure (let's say FireEye, Sourcefire, Symantec EP) by the level of sophistication of malware. But, this doesn't work any more.
Why just looking at what malware infected your organization is not enough...
- The source code for many remote access trojans has been leaked to the Internet and could be used by anyone.
- In many cases, more advanced attackers will use generic RATs/etc. to blend in with the noise
- Since the take-down of Blackhole, mass malware infectors have had to get a lot more creative to make the most out of their infections. We often see remote access trojans being downloaded alongside credential-stealing / banking malware, presumably to offer some level of persistence
We were asked this question by an organization and have been given permission to share a sanitized version of the results. The trick was that we needed to answer the question quickly, and based off the systems that they already had deployed.
We thought that an interesting way to look at this would be to look at infection profiles across organizations, to see if specific (and high value) organizations might be targeted. To do this in the example below, we needed to be able to link FireEye infections to the organizations that were being targeted. We could then look for infections across different organizations.
FireEye malware infections--> Person targeted --> Their org vs. Their peers in other orgs
After making this correlation, we need to be able to visualize the results to see if we can identify any interesting activity. In comes Gephi, a fantastic graph open-source graph visualization tool that has been developed over several Google summers of code for solving problems exactly like this. Below is a video walk-through of how we answered this question
Another way to look at risk to your organization
At a high level, we organized the malware infection results in the following way:
- Risk rating (1-5)
- Downloaders (Upatre, Pony, etc) : 1-2
- More advanced mass malware (Zbot, Cyptolocker, etc) : 3
- Targeted attack tools (0-days, RATs) : 4-5
Each node in the graph represents a malware related event. The edges between nodes are where things get interesting.
- We set an edge weight of 2 for any malware infections that happened in the same division (e.g. Sales, Marketing, IT, Research). This groups malware by organization
- We set an edge weight of .5 for any identical malware infections (e.g. Zbot, PlugX) across different organizations. This draws divisions with similar malware infection profiles together
What we discovered was very interesting, and confirmed some of our suspicions. While some organizations, such as Sales are hit with a little of everything, three different divisions (Research, IT, and a product development division) contain a disproportionate amount of advanced malware infections, and not just that, SIMILAR advanced malware infection profiles.
This goes to show a high likelihood of these divisions being targeted specifically, and also offers some insight into how the attacks may have occurred. The research and product divisions are obviously high value targets- and it's possible that IT was either used as a launching point or to move laterally across the company after initial compromise. Either way, using techniques like this can help organizations determine where to spend their valuable resources and to uncover what parts of their organization may be under attack.
Post by Alex Watson, Founder, CEO 405labs
Former Senior Director of Security Research at Websense. CTO at BTS. Co-Founder of APX Labs. Over 10 years experience in the US Intelligence Community.