Wednesday, February 12, 2014

Granular Indicators

This week, Kaspersky Lab unveiled its research on the Careto APT malware (aka "The Mask"). The analysis was presented at Kaspersky's Security Analysis Summit, and a detailed, 65-page report entitled "Unveiling 'Careto' - The Masked APT" was also released. There has already been much discussion and analysis of this report, and I will not recycle what has already been discussed in other forums. Instead, I would like to highlight something regarding the indicators of compromise (IOCs) used in the various attacks.

If we look at the IOCs used in the attacks and detailed in the Kaspersky Lab report, we see that many of them are incredibly granular. For example, the URLs used in the exploit, payload delivery, callback, and command and control (C2) phases of the attacks are extremely specific and very detailed. In many cases the level of specificity goes right down to the last character of the URL. This is, in its essence, an example of attackers "Moving up the Stack": the difference between "routine noise" and a successful exploit/compromise lives deep inside the packet, in the application-layer content rather than the IP address or hostname. This subtle difference can only be identified using layer 7 enriched metadata, and the ability to differentiate at that level can be the difference between rapid detection and response and staying compromised for months on end.
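As an added illustration of the point above (example code, not from this post or the Kaspersky report): the script below checks constructed proxy log lines against placeholder indicators at two granularities, host only versus the full URL, and shows that the host alone flags ordinary traffic while the exact URL isolates the single request that matters. All indicator values and log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed placeholder indicators (not Careto IoCs). The same host serves both
# benign content and the one exact URL that marks an exploit/payload request.
DOMAIN_IOCS = {"cdn.example.invalid"}
URL_IOCS = {"http://cdn.example.invalid/static/lib/jquery.min.js?v=2014a"}

# Constructed proxy log lines: timestamp, client IP, method, URL, HTTP status.
SAMPLE_LOG = """\
2014-02-10T09:01:02Z 10.1.1.20 GET http://cdn.example.invalid/index.html 200
2014-02-10T09:01:03Z 10.1.1.20 GET http://CDN.example.invalid/static/lib/jquery.min.js?v=2014a 200
2014-02-10T09:01:05Z 10.1.1.31 GET http://cdn.example.invalid/static/lib/jquery.min.js 200
2014-02-10T09:02:11Z 10.1.1.31 GET http://cdn.example.invalid/static/css/main.css 304
2014-02-10T09:03:00Z 10.1.1.44 GET http://www.example.invalid/about 200
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

def normalize(url):
    """Lower-case scheme and host only. Path and query are case-sensitive and
    carry the granular part of the indicator, so they are left untouched."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, ""))

def classify(url):
    """Return 'url' for an exact layer-7 match, 'domain' for a host-only match,
    or None. The exact match is tested first because it is the higher-fidelity signal."""
    norm = normalize(url)
    if norm in URL_IOCS:
        return "url"
    if urlsplit(norm).hostname in DOMAIN_IOCS:
        return "domain"
    return None

def scan(log_text):
    """Return (level, client, url) for every parsable log line matching an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        level = classify(m["url"])
        if level:
            hits.append((level, m["src"], m["url"]))
    return hits

if __name__ == "__main__":
    for level, src, url in scan(SAMPLE_LOG):
        print(f"{level:6} {src:10} {url}")
```

On the sample, the host indicator fires on four of five lines (three of them benign-looking fetches), while the full-URL indicator fires once, on the request whose query string distinguishes it from the ordinary copy of the same script.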

The information security community seems to be in agreement that Careto was written and weaponized by sophisticated attackers. Does your network forensics technology allow you to move up the stack with the attackers? If not, how will you identify sophisticated malicious code intrusions perpetrated by attackers who have expertise in "Moving up the Stack"?
