Monthly Cyber Threat Briefing, September 2015
HITRUST Alliance, 855.HITRUST (855.448.7878), www.HITRUSTAlliance.net
© 2015 HITRUST Alliance. All Rights Reserved.
Presenters/Agenda
• Majed Oweis: Team Lead, US-CERT
• Thomas Skybakmoen: Research Vice President, NSS Labs, Inc.
• Tawfiq Shah: Senior Threat Intelligence Analyst, Armor
• Aaron Shelmire: Senior Security Researcher, Threatstream
• Dennis Palmer: Senior Security Analyst, HITRUST
• Q&A Session
NCCIC/US-CERT REPORT
Joint Analysis Report (JAR)-15-20098: A Look at the PlugX Malware
• Remote Access Trojan (RAT) used by APT actors to infiltrate the U.S. Government and various industries and sectors.
• The JAR describes changes to the RAT observed over the past year and provides a comprehensive list of indicators of compromise (IOCs).
• Variants of PlugX were used to exfiltrate large quantities of PII.
• Gains significant control of infected hosts, including:
  – Remote access
  – Full control of system services
  – Keystroke logging
Observations Over the Past Year
• No significant changes to the underlying PlugX framework.
• Focus of refinement:
  – Feature enhancements; for example, P2P PlugX permits communication with up to 16 C2 servers and allows peer-to-peer communication between infected hosts, so a host with no direct Internet path can still be controlled through a peer.
  – Producing more packed variants that still use the legacy unpacking process.
  – Using executables signed by well-known vendors (a legitimate signed loader that side-loads the malicious DLL) to evade host-based IDS and AV that trust the signature.
JAR-15-20098 is on the US-CERT Portal at:
• PDF: https://portal.us-cert.gov/member/libraryV3/main.cfm?action=9&returnAction=17&cf=2&st=20098&libid=565702
• STIX (IOCs): https://portal.us-cert.gov/member/libraryV3/main.cfm?action=9&returnAction=17&cf=2&st=20098&libid=565065
Questions? Comments? Contact US-CERT at:
• Email: [email protected]
• Phone: 1-888-282-0870
• Website: www.us-cert.gov
Contact CISCP at: [email protected]
NSS LABS REPORT
Threat Capabilities Report
• NSS observed an increase in command and control activity in the Asia-Pacific region in August compared with July.
• Exploits and attack campaigns primarily targeted Adobe products (Flash Player, Reader) and Internet Explorer.
• Java and Silverlight attacks continued to decline in August.
• The majority of attacks continued to focus on popular enterprise operating systems: Windows 7 SP1 (80%) and Windows XP SP3 (9%).
Top Targeted Applications and Operating Systems
(• = the application was targeted on that OS; 17.0.0.188, 11.4 and Internet Explorer 8 were seen on a single OS, Internet Explorer 7 on two, all others on all three)

Application                      Windows 7 SP1 / Windows Vista SP1 / Windows XP SP3
Adobe Flash Player 10.0.32.18    •  •  •
Adobe Flash Player 10.2.152.26   •  •  •
Adobe Flash Player 11.1.102.62   •  •  •
Adobe Flash Player 11.4          •
Adobe Flash Player 17.0.0.188    •
Adobe Flash Player 9.0.289       •  •  •
Adobe Reader 8.1.1               •  •  •
Internet Explorer 7              •  •
Internet Explorer 8              •
Internet Explorer 9              •  •  •
Top Origin of Threats (data from August 2015, NSS Labs)
United States   51.1%
Russia          39.5%
Ukraine          2.6%
China            2.1%
Romania          2.1%
Korea            0.7%
Italy            0.6%
Hong Kong        0.5%
Iceland          0.5%
Netherlands      0.5%
Action: Blocking access to the United States, where most threats originate, is not feasible; geo-blocking Russia and the other countries on this list may be, depending on where the organization actually does business.
Top Command and Control Hosting by Geo (data from August 2015, NSS Labs)
Rank  Country
1     United States
2     China
3     Japan
4     Germany
5     South Korea
6     United Kingdom
7     Netherlands
8     France
9     Brazil
10    Portugal
C&C Server Locations & Callback Ports (data from August 2015, NSS Labs)
The 10 most common command and control (C&C) server locations, cross-referenced with the 10 most common callback ports: 80, 443, 6666, 8008, 8080, 82, 8800, 3599, 118, 40017.

Country          Callback ports observed (of the 10 listed)
United States    7
China            6
France           3
Germany          3
Japan            3
South Korea      3
United Kingdom   3
Brazil           2
Netherlands      2
Portugal         1

Action: Track C&C port behavior (destination, port and beaconing cadence together) to limit data breaches. Note that 80, 443 and 8080 blend into ordinary web traffic, so the port alone is a weak discriminator; the unusual ports (6666, 8008, 82, 8800, 3599, 118, 40017) are the easy egress-filter wins.
CAWS charts (data from August 2015, NSS Labs; these slides carry only the chart images):
• CAWS: All Threats
• CAWS: Top 3 Vendors
• CAWS: Top 5 Applications
• CAWS: Top 10 Applications (Detailed)
ARMOR REPORT
Top Vulnerability Exploits in August and September (chart)
ACTION:
• Keep a proactive stance on known vulnerability trends.
• Remediating the vulnerabilities that are actually being exploited removes the easy wins that put you on a threat actor's target list.
Top Attacker Groups for the Last 30 Days
NAME                                 HITS
DD4BC                                180
Anonymous                            159
GhostSec                              46
The Impact Team                       22
Lizard Squad                          15
Xumuxu                                 8
Cyber-Berkut                           7
Islamic State Hacking Division         6
APT28 Pawn Storm - Tsar Team           5
LulzSec                                4
(Chart callouts: some of the attack techniques employed; new threat actor identified)
ACTION: Focus threat intelligence on identifying the top threat actors and their associated TTPs.
Top Malicious C2s Seen in the Last 30 Days (addresses defanged with [.])
NAME                     HITS
118[.]170[.]130[.]207    26
188[.]118[.]2[.]26       26
46[.]109[.]168[.]179     24
81[.]183[.]56[.]217      22
61[.]160[.]213[.]32      19
61[.]160[.]213[.]38      16
62[.]109[.]9[.]60        11
61[.]160[.]213[.]33      10
43[.]229[.]53[.]77        9
115[.]231[.]222[.]40      8
94[.]102[.]49[.]102       8
114[.]44[.]192[.]128      7
221[.]235[.]188[.]210     7
216[.]243[.]31[.]2        6
112[.]21[.]198[.]28       6
ACTION: Establish honeypots to help fingerprint malicious C2s and proactively block them from your environment.
Tor-Based Attacks on the Rise
Research in the wild shows a steady increase in SQL injection and distributed denial-of-service attacks, as well as vulnerability reconnaissance activity, via the Tor anonymizing service.
Tor, which lets users mask their identity and location behind layers of relays, was the platform for some 150,000 attacks and malicious events in the US alone so far this year. Most attacks using Tor were waged against IT and communications technology companies (more than 300,000 events so far this year), followed by the manufacturing sector (nearly 250,000 malicious events). Financial services firms (around 160,000), the education sector (more than 100,000), and retail and healthcare providers (under 100,000) were also victims of malicious Tor-based activity. Read more: http://www.darkreading.com/perimeter/ibm-advises-businesses-to-block-tor/d/d-id/1321910
ACTION: Subscribe to a threat intelligence feed of Tor exit nodes and keep the block/alert list current; exit nodes churn daily, so a static copy goes stale within days. Example exit-node list: https://www.dan.me.uk/torlist/
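The following is an added example, not part of the Armor slides or of any vendor's tooling: it refangs the defanged C2 table above, merges it with a Tor exit-node list, and matches the result against log lines, which is the mechanical part of both ACTION items. The C2 addresses are the ones from the table; the log format, the internal hostnames, the Tor addresses (documentation-range placeholders, not real exit nodes) and the list names are assumptions.

```python
"""Refang a defanged C2 list, merge it with a Tor exit list, and match log lines against both."""
import ipaddress
import re

# The Armor "Top Malicious C2s" table, copied verbatim in its defanged form.
ARMOR_C2_TABLE = """
118[.]170[.]130[.]207 26
188[.]118[.]2[.]26 26
46[.]109[.]168[.]179 24
81[.]183[.]56[.]217 22
61[.]160[.]213[.]32 19
61[.]160[.]213[.]38 16
62[.]109[.]9[.]60 11
61[.]160[.]213[.]33 10
43[.]229[.]53[.]77 9
115[.]231[.]222[.]40 8
94[.]102[.]49[.]102 8
114[.]44[.]192[.]128 7
221[.]235[.]188[.]210 7
216[.]243[.]31[.]2 6
112[.]21[.]198[.]28 6
"""

# Constructed stand-in for an exit-node list (one address per line, '#' comments).
# The real list at https://www.dan.me.uk/torlist/ changes continuously; these are
# documentation-range placeholders (RFC 5737), not real exit nodes.
TOR_EXIT_LIST = """
# constructed sample, not real exit nodes
192.0.2.10
198.51.100.77
203.0.113.9
"""

# Constructed proxy/firewall log lines. Assumed format: time src dst dport action.
SAMPLE_LOGS = [
    "2015-09-02T13:04:11Z 10.1.4.22 61.160.213.32 443 ALLOW",
    "2015-09-02T13:04:12Z 10.1.4.22 93.184.216.34 80 ALLOW",
    "2015-09-02T13:05:40Z 198.51.100.77 10.1.9.5 443 ALLOW",
    "2015-09-02T13:06:02Z 10.1.4.31 188.118.2.26 8080 DENY",
]


def refang(indicator):
    """Undo report defanging: '1[.]2[.]3[.]4' -> '1.2.3.4', 'hxxp' -> 'http'."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def parse_c2_table(text):
    """Parse 'defanged-ip hits' lines into {ip: hits}; a malformed address raises ValueError."""
    c2 = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        ip = refang(parts[0])
        ipaddress.ip_address(ip)  # validate before it reaches a blocklist
        c2[ip] = int(parts[1])
    return c2


def parse_ip_list(text):
    """Parse a one-address-per-line list, skipping blanks, comments and invalid entries."""
    ips = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            ips.add(str(ipaddress.ip_address(line)))
        except ValueError:
            continue
    return ips


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def match_logs(log_lines, c2, tor_exits):
    """Return (line_number, ip, list_name) for every logged address found on a list."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in c2:
                hits.append((n, ip, "armor-c2"))
            elif ip in tor_exits:
                hits.append((n, ip, "tor-exit"))
    return hits


def run_sample():
    """Build both lists and sweep the constructed logs."""
    return match_logs(SAMPLE_LOGS, parse_c2_table(ARMOR_C2_TABLE), parse_ip_list(TOR_EXIT_LIST))


if __name__ == "__main__":
    for n, ip, tag in run_sample():
        print(f"line {n}: {ip} matched {tag}")
```

Re-pull the exit list and rebuild the set before each sweep rather than caching it; and treat a C2 hit on port 80 or 443 as the callback pattern the NSS slide asks you to track, not as benign web traffic.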
Incident: unpt Taidoor Related APT
Associated indicators:
MD5: ECA0EF705D148FF105DBAF40CE9D1D5E
This is most likely a maliciously implanted DLL that current antivirus products do not detect. The DLL contains the hex content "31 32 37 2E 30 2E 30 2E 31 00 00 00 00 00 00 00 01 00 00 00 26 26 00 00 3C 00 00 00 2F 00 00 00 4D 6F 7A 69 6C 6C 61 2F 34 2E 30" (decoded, this is the string "127.0.0.1", null padding, "&&", "<", "/" and the User-Agent prefix "Mozilla/4.0", i.e. an embedded configuration blob, which is what makes it a usable signature).
This content has previously been observed exclusively in Taidoor-related malware, MD5: AE80F056B8C38873AB1251C454ED1FE9, which was documented in Taiwan. Related targeting was found in the CNFI CONTACTS Excel exploit. Taidoor connects to the C2 domain unpt.defultname.com with the URL http://unpt.defultname.com:443/ (note: plain HTTP on port 443, not TLS, which itself is anomalous and detectable).
This domain is hosted on a server in Brazil.
ACTION: Ensure network security sensors carry signatures for the Taidoor indicators above (the hex content, the hashes, the domain and the HTTP-on-443 callback).
ACTION: When creating NIDS signatures, have the threat intelligence team watch for malware variants so the signatures are kept current.
BRUTPOS POINT-OF-SALE MALWARE TARGETS MAJOR HEALTHCARE PROVIDER, AUTOMOBILE MANUFACTURER, AND POS VENDOR IN THE UNITED STATES
Incident: BrutPOS Point-of-Sale Malware
This incident details indicators associated with a Point-of-Sale (POS) malware campaign targeting large POS vendors as well as the healthcare, manufacturing, and hospitality sectors within the USA. BrutPOS gains access through the Remote Desktop Protocol (RDP) exposed on TCP port 3389, brute-forcing the login credentials of the victim's POS terminal, then harvests customer (payment card) information from it.
In some instances the Ramnit worm has been observed as the initial infection vector, downloading the BrutPOS executable.
Command and control addresses for the malware include the following. They are not active currently, but may be useful for analysis of historical data or potential future activity:
62.109.16.195
62.113.208.37
92.63.99.157
82.146.34.22
Some malware samples were observed using the same IP address for downloading executable files and for uploading harvested information, but this is not always the case.
The following MD5 file hashes are associated with the malware:
60C16D8596063F6EE0EAE579F201AE04
95B13CD79621931288BD8A8614C8483F
F36889F30B62A7524BAFC766ED78B329
4AED6A5897E9030F09F13F3C51668E92
FADDBF92AB35E7C3194AF4E7A689897C
For additional technical details, please view the report at https://dsimg.ubm-us.net/envelope/364363/391603/MATI%20DeepSight%20Intelligence%20Report%20-%20SYMC%20-%20300195.pdf
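The following is an added example, not code from the briefing or from Armor: it decodes the Taidoor hex content quoted two slides up into bytes, scans a buffer or file for it, checks the buffer's MD5 against the Taidoor and BrutPOS hashes on these slides, and emits the same bytes as a YARA rule so the host indicator can be pushed to sensors (the "appropriate signatures" ACTION). The sample buffer is constructed (a fake MZ header followed by the pattern, not real malware) and the rule name is an assumption.

```python
"""Byte-pattern and hash scanner for the Taidoor/BrutPOS indicators, plus YARA export."""
import hashlib

# Hex content quoted for the Taidoor-related DLL (MD5 ECA0EF705D148FF105DBAF40CE9D1D5E).
TAIDOOR_HEX = (
    "31 32 37 2E 30 2E 30 2E 31 00 00 00 00 00 00 00 01 00 00 00 26 26 00 00 "
    "3C 00 00 00 2F 00 00 00 4D 6F 7A 69 6C 6C 61 2F 34 2E 30"
)
TAIDOOR_PATTERN = bytes.fromhex(TAIDOOR_HEX)

# MD5 hashes from the Taidoor and BrutPOS slides, lower-cased for comparison.
KNOWN_BAD_MD5 = {h.lower() for h in (
    "ECA0EF705D148FF105DBAF40CE9D1D5E",
    "AE80F056B8C38873AB1251C454ED1FE9",
    "60C16D8596063F6EE0EAE579F201AE04",
    "95B13CD79621931288BD8A8614C8483F",
    "F36889F30B62A7524BAFC766ED78B329",
    "4AED6A5897E9030F09F13F3C51668E92",
    "FADDBF92AB35E7C3194AF4E7A689897C",
)}


def printable(data):
    """Render bytes as ASCII with non-printables shown as '.', as a hex viewer would."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)


def find_all(data, pattern):
    """Every offset at which pattern occurs in data, overlaps included."""
    offsets, start = [], 0
    while True:
        i = data.find(pattern, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1


def scan_bytes(data):
    """Hash check plus byte-pattern search over one buffer."""
    md5 = hashlib.md5(data).hexdigest()
    return {
        "md5": md5,
        "md5_match": md5 in KNOWN_BAD_MD5,
        "pattern_offsets": find_all(data, TAIDOOR_PATTERN),
    }


def scan_file(path):
    """Same check over a file on disk (read fully; suspect DLLs are small)."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


def yara_rule(name="Taidoor_unpt_dll_config"):
    """YARA rule carrying the same bytes, gated on an MZ header so it fires on PE files only."""
    return (
        f"rule {name} {{\n"
        "  meta:\n"
        "    source = \"HITRUST Monthly Cyber Threat Briefing, September 2015\"\n"
        "  strings:\n"
        f"    $cfg = {{ {TAIDOOR_HEX} }}\n"
        "  condition:\n"
        "    uint16(0) == 0x5A4D and $cfg\n"
        "}"
    )


# Constructed sample: fake PE header, pattern at offset 64, trailing padding. Not real malware.
SAMPLE_DLL = b"MZ" + b"\x00" * 62 + TAIDOOR_PATTERN + b"\x00" * 16


if __name__ == "__main__":
    print(scan_bytes(SAMPLE_DLL))
    print(printable(TAIDOOR_PATTERN))
    print(yara_rule())
```

The hash match is the weakest of the three checks: a recompiled or repacked variant changes the MD5 but tends to keep the embedded configuration bytes, which is why the second ACTION asks the intelligence team to watch for variants and why the byte pattern is the part worth deploying.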
(Figure: relationship map for the BrutPOS C2 address 62.109.16.195)
ACTION: Leverage relationship mapping tools to fingerprint the threat actor's footsteps.
Social Media Hacks
ACTION: Verify your professional network contacts.
THREATSTREAM REPORT
Pirpi Threat Actors (a/k/a APT3, Gothic Panda, TG-0110)
• Tools
  – PirpiLite -> Pirpi
  – CTT/CTX
  – Orthrus
  – Pirpi Xmailer
  – Pirpi Exploit Framework -> Scanbox
  – MANY custom tools
• TTPs
  – Phishes
  – Monthly pattern
  – Heavy use of 0-days
• Summary of exploited CVEs
  – CVE-2014-1776 (Internet Explorer)
  – CVE-2015-3113 (Adobe Flash Player)
  – CVE-2015-5119 (Adobe Flash Player)
Pirpi Infiltration of Tools
• GUI connection via Pirpi
• Copy Base64 text into Notepad
• Save as .eml
• Double-click: opens the mail client, which decodes the Base64 attachment back into the binary tool
• Save the tools; run them via cmd.exe
Infiltration of Tools – l2t (log2timeline) evidence
• UserAssist: Notepad and a mail client executed by the same user in close succession – semi-rare
• History entry for a .eml file – extremely rare
Lateral Movement via CTT/CTX
• Normal Windows lateral movement leaves:
  – Security event log entries (logons on the target)
  – User profile creation on the target
• Third-party access tools such as CTT/CTX leave less of that evidence behind
CTT evidence
• PreFetch: a CTT prefetch file, plus a new CMD prefetch file
• AppCrash errors: lots of AppCrash errors
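The following is an added example, not the presenter's tooling: it applies the l2t evidence described in the "Infiltration of Tools" slides as a hunt over a log2timeline l2t_csv export, tagging rows that match the four artifacts (Notepad UserAssist, mail-client UserAssist, a .eml history entry, a cmd.exe prefetch) and reporting hosts where the extremely rare .eml entry and at least two of the others fall inside one time window. The timeline rows, hostnames, user names, the mail-client list and the sourcetype keywords used for matching are constructed assumptions; the column layout is the standard l2t_csv header.

```python
"""Hunt an l2t_csv timeline for the Notepad -> .eml -> mail client -> cmd.exe tool-infiltration sequence."""
import csv
import io
from datetime import datetime, timedelta

# Constructed l2t_csv export (standard header; constructed rows; '-' for empty fields).
SAMPLE_L2T = r"""date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
09/02/2015,13:01:10,UTC,...B,REG,UserAssist,Last Time Executed,jdoe,WS-0417,notepad.exe,UEME_RUNPATH:C:\Windows\System32\notepad.exe [Count: 3],2,NTUSER.DAT,-,-,winreg/userassist,-
09/02/2015,13:04:52,UTC,...B,LNK,Windows Shortcut,Creation Time,jdoe,WS-0417,tools.eml,[Empty description] File size: 214000 Local path: C:\Users\jdoe\Desktop\tools.eml,2,tools.eml.lnk,-,-,lnk,-
09/02/2015,13:05:03,UTC,...B,REG,UserAssist,Last Time Executed,jdoe,WS-0417,outlook.exe,UEME_RUNPATH:C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE [Count: 1],2,NTUSER.DAT,-,-,winreg/userassist,-
09/02/2015,13:08:40,UTC,...B,LOG,WinPrefetch,Last Time Executed,-,WS-0417,CMD.EXE,Prefetch [CMD.EXE] was executed - run count 1 path: \WINDOWS\SYSTEM32\CMD.EXE,2,CMD.EXE-4A81B364.pf,-,-,prefetch,-
09/02/2015,09:15:00,UTC,...B,REG,UserAssist,Last Time Executed,asmith,WS-0222,notepad.exe,UEME_RUNPATH:C:\Windows\System32\notepad.exe [Count: 40],2,NTUSER.DAT,-,-,winreg/userassist,-
09/02/2015,09:20:00,UTC,...B,LOG,WinPrefetch,Last Time Executed,-,WS-0222,CMD.EXE,Prefetch [CMD.EXE] was executed - run count 12 path: \WINDOWS\SYSTEM32\CMD.EXE,2,CMD.EXE-4A81B364.pf,-,-,prefetch,-
"""

MAIL_CLIENTS = ("outlook.exe", "wlmail.exe", "thunderbird.exe")  # assumption: clients in use here
EML_SOURCES = ("shortcut", "mru", "recent", "file entry")  # assumption: where an opened .eml shows up
REQUIRED = {"eml_opened"}  # the "extremely rare" artifact must be present
SUPPORTING = {"notepad_userassist", "mailclient_userassist", "cmd_prefetch"}


def load_l2t(text):
    """Parse l2t_csv rows and attach a datetime built from the date/time columns."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["_ts"] = datetime.strptime(f"{row['date']} {row['time']}", "%m/%d/%Y %H:%M:%S")
        rows.append(row)
    return rows


def classify(row):
    """Map one timeline row to one of the artifacts the slides call out, or None."""
    blob = f"{row['short']} {row['desc']} {row['filename']}".lower()
    stype = row["sourcetype"].lower()
    if stype == "userassist" and "notepad.exe" in blob:
        return "notepad_userassist"
    if stype == "userassist" and any(m in blob for m in MAIL_CLIENTS):
        return "mailclient_userassist"
    if ".eml" in blob and any(k in stype for k in EML_SOURCES):
        return "eml_opened"
    if stype == "winprefetch" and "cmd.exe" in blob:
        return "cmd_prefetch"
    return None


def hunt(rows, window=timedelta(minutes=30), min_supporting=2):
    """Per host, slide a window over the tagged events; report hosts where the .eml artifact
    and at least min_supporting of the others fall inside one window."""
    events = {}
    for row in rows:
        tag = classify(row)
        if tag:
            events.setdefault(row["host"], []).append((row["_ts"], tag))
    findings = {}
    for host, evs in events.items():
        evs.sort()
        for start, _ in evs:
            tags = {tag for ts, tag in evs if start <= ts <= start + window}
            if REQUIRED <= tags and len(tags & SUPPORTING) >= min_supporting:
                findings[host] = sorted(tags)
                break
    return findings


if __name__ == "__main__":
    for host, tags in hunt(load_l2t(SAMPLE_L2T)).items():
        print(f"{host}: {', '.join(tags)}")
```

Notepad and cmd.exe on their own are everyday noise (WS-0222 in the sample is exactly that), which is why the .eml artifact is the anchor and the others only corroborate; the same frame fits the CTT slides by adding a tag for a CTT prefetch file and a burst of AppCrash events.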
Beyond the Indicator – Lateral Movement: Beyond the Norm
https://hitrustctx.threatstream.com/tip/1245
HITRUST CSF CONTROLS
Common attack vectors related to HITRUST CSF Controls
• CSF Control for vulnerability patching (top exploits)
  – Control Reference: 10.m Control of technical vulnerabilities
  – Control Text: Timely information about technical vulnerabilities of systems being used shall be obtained; the organization's exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk.
  – Implementation Requirement: Specific information needed to support technical vulnerability management includes the software vendor, version numbers, current state of deployment (e.g. what software is installed on what systems) and the person(s) within
  – Appropriate, timely action shall be taken in response to the identification of potential technical vulnerabilities. Once a potential technical vulnerability has been identified, the organization shall identify the associated risks and the actions to be taken. Such action shall involve patching of vulnerable systems and/or applying other controls.
Common attack vectors related to HITRUST CSF Controls
• CSF Control for network segmentation (command and control)
  – Control Reference: 01.i Policy on the Use of Network Services
  – Control Text: Users shall only be provided with access to internal and external network services that they have been specifically authorized to use. Authentication and authorization mechanisms shall be applied for users and equipment.
  – Implementation Requirement: The organization shall specify the networks and services to which users are authorized access (default deny on firewall/ACL).
Common attack vectors related to HITRUST CSF Controls
• CSF Control for phishing (password/credential compromise)
  – Control Reference: 01.f Password Use
  – Control Text: Users shall be made aware of their responsibilities for maintaining effective access controls and shall be required to follow good security practices in the selection and use of passwords and the security of equipment.
  – Implementation Requirement: Users are made aware of the organization's password policies and requirements to keep passwords confidential, select quality passwords, use unique passwords, not provide their password to anyone for any reason, and change passwords when there is a suspected compromise.
Common attack vectors related to HITRUST CSF Controls (CERT/CISCP slide)
• CSF Control for dropper tools dropping basic backdoors / RATs
  – Control Reference: 09.j Controls Against Malicious Code
  – Control Text: Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided.
  – Implementation Requirement: Protection against malicious code shall be based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls.
Q&A SESSION
Visit www.HITRUSTAlliance.net for more information
To view our latest documents, visit the Content Spotlight