Incident handling of intrusions related to cyber espionage operations is a complex and challenging task. As a national CERT with a unique national early warning detection system, NSM NorCERT has detected and responded to incidents that vary from traditional incident response and abuse handling to counter-intelligence operations. Based on some real-world examples, this talk will be about incident handling of cyber espionage intrusions. What are the most common pitfalls and how can companies be better prepared?

1. SINTEF ICT
The Honeynet Project Workshop 2015
1
Marie Moe, Ph. D., Researcher at SINTEF
Incident handling of cyber espionage

2. SINTEF ICT
• Threats and trends
• Case studies with examples from real incidents
• Incident handling
2
Agenda

3. SINTEF ICT 3
About me
§ Research scientist at SINTEF
§ Associate Professor II at HiG (20%)
§ MSc in Mathematics
§ PhD in Information Security
§ GIAC certified Incident Handler
§ Previously working for NSM NorCERT
PHOTO: ROBERT MCPHERSON, Aftenposten

4. SINTEF ICT
Espionage
Sabotage
Financial crime
Pranks
Crisis / War
Political protests
4
Society in general
National security
Chaotic actors
Advanced Persistent Threats

5. SINTEF ICT 5
Espionage trends
• Modern espionage is most effectively
conducted through network
operations
• Significant amounts of information
stolen
• Russia and China are the most active
nation states behind network
operations against Norway
Source:
https://forsvaret.no/ForsvaretDocuments/FOKUS2
015-­‐endelig.pdf

6. SINTEF ICT
How do they compromise our systems?
6
• Spear phishing
• Often contains predictable elements
• Targeting information often available online
• Watering hole/strategic web compromise
• User profiling and whitelisting of targets
• Harder to detect and more difficult to handle than spear phishing
• Credentials harvesting
• Using compromised accounts for new spear phishing
• Direct access to mail and systems without leaving traces
• Known vulnerabilities
• Zero-­‐days may be used against high priority targets
• Physical delivery rarely used

7. SINTEF ICT
How do they compromise our systems?

8. SINTEF ICTSINTEF ICT
Case A: Industrial espionage

9. SINTEF ICTSINTEF ICT 9
https://www.fireeye.com/content/dam/legacy/resources/pdfs/fireeye-­‐china-­‐chopper-­‐report.pdf

10. SINTEF ICT
• NorCERT was contacted by a company that discovered that they were compromised
• Detected at the exfiltration stage
• Data ready for exfil was filling up the disk on the Exchange server!
• Large files that appeared to be image files (.jpg), but these were in fact password protected
RAR-­‐files
• The exfiltration was carried out via HTTP GET-­‐requests
• NorCERT coordinated incident response with the victim and performed forensic
analysis
• The initial attack vector was found to be a vulnerability in ColdFusion which gave the
attackers the ability to upload a ”China chopper” webshell
• The password for the RAR-­‐files was eventually found and the company could get a clear idea
of the amount of intellectual property that was lost..

11. SINTEF ICTSINTEF ICT
Case B: Spear phishing against the energy sector

12. 12
http://www.scmagazineuk.com/hundreds-­‐of-­‐norwegian-­‐energy-­‐companies-­‐hit-­‐by-­‐cyber-­‐attacks/article/368539/

16. SINTEF ICTSINTEF ICT
Case C: APT C&C proxy server in Norway

17. 17
http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

18. SINTEF ICT
HTRAN report (Aug. 2011)
http://www.secureworks.com/research/threats/htran

19. SINTEF ICT 19

20. SINTEF ICT
Incident Handling of cyber espionage
• Know your assets!
• Common reaction to incidents:
“We don’t have anything of value”
“We don’t understand why this happened to us”

21. SINTEF ICT
The incident response lifecycle
NIST SP 800-61, Revision 2

22. SINTEF ICT
Preparation
IT Operations/maintenance
Clear understanding of network and systems
Access control and segmentation
Quick updating and patching
What about cloud services? Are you in control?
IT Security
Control and monitor network traffic
Detection team that look for intruders and abnormalities
Threat intelligence
Contingency planning
Clear areas of responsibility
Escalation routines, contact information
Guidelines for incident handling
The contingency plan should be rehearsed!

23. SINTEF ICT
Detection and Analysis
Your IDS needs to be constantly updated with the latest threat intel!
Logging enables detection and scoping of an incident!
• Traffic logs
– Web traffic logs
– Proxy logs w/ SSL-­‐inspection
– Netflow
– DNS logging / Passive DNS
– Web access logs on your own web servers
• Authentication logs
• Administration logs
• Security logs
• E-­‐mail logs

24. SINTEF ICT
Containment, Eradication and Recovery
You detected or got informed that you have been a victim of cyber espionage…
What to do now?
Selection of strategy:
• Protect and forget
• Watchful waiting, possible honeypot operation?

25. SINTEF ICT
Clean up after compromise
• Plan and execute clean ups in a controlled fashion!
– Hire a MSSP if you lack the necessary know-­‐how
• Establish necessary logging and monitoring/IDS
• Isolate compromised systems from the network
• Secure memory dump and disc image of compromised systems
• Reinstall clean back ups
• Change all passwords!
• Evaluation of the incident handling
– Identification of lessons learned
– Update contingency plans
– Case studies are very useful for training

26. SINTEF ICT
The ”Cyber Kill Chain”
• Lockheed Martin: 7 stages/states of an ”APT-­‐style” incident
• If the attacker fails in one of the stages the compromise will not succeed!
• Detection and response should be implemented for each stage
● What can the organization handle themselves?
● Where is collaboration or outsourcing required?
● Risks and costs increase for each stage
● Timeline: hours or days from successful exploitation
http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-­‐White-­‐Paper-­‐Intel-­‐Driven-­‐Defense.pdf
Recon Weaponize Deliver Exploit Install C2 Action

27. SINTEF ICT
Guidelines for incident handling
• NSM has published a guide for
incident handling of cyber
espionage
– Can be downloaded at
https://www.nsm.stat.no/globalas
sets/dokumenter/temahefter/apt
_2014.pdf (only in Norwegian)
• Overview of logging that
should be in place
• What information to submit to
NorCERT if you want their
assistance

28. SINTEF ICTSINTEF ICT
Thank you!
marie.moe@sintef.no
@MarieGMoe
@SINTEF_Infosec