Monday, April 28, 2014

IE Zero-Day as a Use Case

Recently, a new Internet Explorer zero-day exploit, discovered by FireEye, was discussed on the FireEye blog ( The exploit was also acknowledged by Microsoft. According to the FireEye blog: “The APT group responsible for this exploit has been the first group to have access to a select number of browser-based 0-day exploits (e.g. IE, Firefox, and Flash) in the past. They are extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure.”

All versions of Internet Explorer since IE6 appear to be vulnerable to this exploit, which represents more than 25% of the browser market world-wide. That amounts to a large number of vulnerable systems. The exploit and associated malware are still under investigation, but attackers do appear to be exploiting the vulnerability for the purpose of targeted attacks. This presents us with an interesting and illustrative security operations use case.

Many security professionals will arrive to work Monday (if not sooner) with some variant of the following question from management: “Does this affect us?”. Let’s break this high-level question down into more specific questions and take a look at how an organization might answer this question from management.

First, the organization will need to answer the question, “Are we vulnerable to this exploit?”. Since this particular exploit affects all versions of Internet Explorer since IE6 and most organizations run Internet Explorer, the answer to this question is most likely: yes.

After determining that they are vulnerable, the organization will need to answer the question, “What is the relevant time window for this investigation?”. Unfortunately, as of the writing of this blog post, there are few details around any attacks for which this exploit may have been used. Because of this, there is no obvious time window to use here -- a challenge encountered fairly frequently in security operations. As a rule of thumb, the organization may want to choose a reasonable time basis for its investigation -- perhaps the past 30 days. This can be adjusted as appropriate based on any new information that becomes available.

Next, the organization will need to answer the question, “Has this exploit been used to attack us?”. The organization will need check with its network or end-point alerting technology vendors to determine if any signatures or other detection capabilities exist that may have detected the exploit as it traversed the wire.  If so, those logs will need to be searched thoroughly.  Since the community’s awareness of this exploit is so new, there may be nothing helpful here -- another challenge that sometimes occurs in security operations. If that is the case, the organization may need to work with peer and partner organizations to identify what the exploit might look like going across the wire. Network forensics can then be performed to find the exploit in the network traffic data itself, provided the traffic has been captured appropriately.

Independent of whether or not the organization is able to determine if the exploit has been seen on its network, the organization still needs to answer the question, “Do we have any compromised machines as a result of this?”. The organization will need to perform network forensics and search for relevant Indicators of Compromise (IOCs), such as the lateral movement and command and control (C2) activity mentioned in the FireEye blog post. These IOCs can provide valuable insight into whether or not an organization has been compromised by informing the organization of any signs of post-infection activity on their network. These attacks are still under investigation, necessitating organizations staying in close contact with peer organizations, information sharing groups, partners, and vendors in order to obtain and leverage reliable IOCs as soon as they become available. Once reliable IOCs are obtained, the organization should search for them in the end-point data and network traffic data as appropriate.

If an organization has determined that it has been attacked, the question then becomes, “How can we contain and remediate this attack?”. The organization should follow its incident response process as appropriate. Containment and remediation suggestions from the FireEye blog post and Microsoft may also be helpful here. Of course, regular updates will need to be communicated to management and other important stakeholders to ensure that all relevant parties are aware of the progress of the investigation.

Once all required questions have been answered, the organization should look to any lessons that can be learned. In my experience, some organizations will, unfortunately, have a difficult time answering management’s original question.  The reasons why this is the case should be used to improve capabilities for the next incident. Some organizations will not have the appropriate network forensics technology in place to provide the data of record required to research this activity. Others will not have taken the time to build the required relationships with peer organizations, information sharing groups, partners, and vendors. Still others will not have the appropriate process or the right people with the requisite level of knowledge required for this investigation.

Whatever situation an organization finds itself in, my hope is that any attacks leveraging the new IE zero-day exploit are found quickly, contained, and remediated before too much damage has been done. This zero-day exploit provides us with a good, illustrative security operations use case that we can use to learn from, grow through, and improve our security operations programs.

No comments:

Post a Comment