SC Magazine Best Security team 2015 finalists

SC Magazine have recently announced the finalists for their 2015 awards.  Among them is our security team. We are shortlisted for the ‘Best Security Team’ award!


I don’t actually know how many teams entered, but feel strongly that we have a great team and have achieved some excellent work across our business this year.

The process involved us having to respond to various questions covering areas like how well we have got buy in for security at executive level and across the business and some key projects we have delivered.  We also received some excellent feedback from our CEO, CIO and CFO so this no doubt helped our cause and demonstrated how we have worked to get some strong executive buy in for security.

The full list of finalists can be found here;

I should likely also mention the guys at FireEye who suggested we should apply for this having worked closely with us and seen some of our achievements over the last year!

I’ll let you all know if we win, but I think this is a great achievement for our team and we have highlighted how security really can become an integral part of the business.


Computing Summit – Enterprise Security and Risk Management 2014 part 2

Protecting against phishing and social engineering techniques – Neil Thacker – Websense

90% of all attacks begin with email – phishing / spear phishing.  Spear phishing is the most common vector into companies.

Success = Talent + Luck.

In spear phishing – Talent = making the email seem as real as possible.  Luck = someone clicking on it and the malware or similar running / user clicks link.

Take away points;

People and Process;

–          Limit the information you share about yourself online

–          Verify all messages with links and attachments

–          “Catch of the day” gamification program


–          Link email and web events in real-time

–          Real-time user education at point-of-click

–          Measure and phish at risk employees… with permission


Useful link for people to see if a link they have been sent may be malicious;


Securing Mobile – The new enterprise desktop

Presentation by Entrust

Mobile and traditional ‘desktop’ worlds are colliding.

People have multiple identities across devices and systems, both personal and work.

Huge numbers of people using personal, BYOD, devices to access corporate systems.

Growing mobile and ‘always on’ workforce.

–          Sensitive information now travels outside of the office to the home, car, gym, anywhere

One breach leads to..

–          A successful attack on one identity has the potential to open the door to all other identities; social engineering, same or similar passwords used etc.

Mobile – A unique blend of security and usability;

–          Mobile devices have powerful features built in that organisations can leverage

o   Application sandbox

o   Crypto

o   Biometrics

o   Secure elements

–          Users want to carry them – always in hand, always connected, convenient, support work / personal balance

–          The good – Applications signed and vetted, applications sandboxed, GPS, Bluetooth, biometrics and cryptography

–          The bad – Malware in apps, apps can view other data such as SMS etc, jailbroken devices, insecure logons (e.g. simple pins, finger print smudges, weak biometrics etc.)


Mobile Smart Credential Concept (Entrust product) – phone used for physical and logical access – Physical access to building, logical access to systems, digital signatures, encryption, cloud, vpn, out of band alerts to confirm transactions.

Mobile – a catalyst for change.

Talk was pretty much a product sales pitch, but a few interesting points.


Redefining Network Security: Detecting and preventing Advanced Persistent Threats

Presentation by Palo Alto

Another one starting with the attack kill chain;

–          Breach perimeter

o   Initial compromise

–          Deliver Malware

o   Deliver malware and communicate with attacker

–          Endpoint operations

o   Move laterally and infect additional hosts

–          Exfiltrate data

o   Steal intellectual property

Prevent attacks by stopping one step in the kill-chain.

Attackers disguise attacks in other traffic – specially crafted UDP packets, DNS, https, Skype traffic (e.g. customised encryption, port hopping etc.).  Many ways to hide and exfiltrate data; it’s not always obvious, or obviously malicious, traffic.  We focus heavily on web / email / known bad traffic, but are we looking in the right places? Are we missing data leaving via less obvious or assumed-OK channels?

Requirements – Detect and Prevent

Detect unknown threats, prevent all known

–          Automatically detect unknown threats and make them known.  Prevent all known threats – they are known after all, so there should be little excuse for missing these!

Prevent across all networks – provide consistent security across the environment

–          Prevents threats at; internet edge, data centre edge, between VMs in the DC, between mobile devices and core systems etc.

Closed-loop protections

–          Closed feedback loop creates shared protections for all systems in your environment, and ideally all customers via sharing in the cloud.

Talk became a product overview of the Palo Alto solution, but the above points are I think relevant generally.


Computing Summit – Enterprise Security and Risk Management 2014 part 1

I attended the Computing magazine Enterprise Security and Risk Management summit a while ago and thought I should share some of the notes I made during the day.

As always these are pretty raw notes that I took on the day.

Risk assessment and data classification is key to understanding which data must be secured, and how.  This is however challenging as the goal posts constantly move.  For example, is the most sensitive data that which would have the greatest financial impact if lost, or that which is most confidential?  Time is often a factor: for example, a charity has stated that its systems being down have a much greater impact over Christmas than during the school holidays; another example is a sales organisation, where when a large deal is imminent the data is hugely valuable and sensitive, but as soon as the deal is done the data is public.

Prioritising which data must be protected, and when is key to enabling an intelligent, risk based approach to security.

For me this is such an obvious premise.  Without data classification most DLP type tools are of limited value.  Yes, they can look for obvious things like a credit card number or specific keywords / phrases, but they will miss most things your business considers of value unless you tell them what is of value by classifying it!  This is an area many companies seem to fail on, yet classification is critical to enable appropriate handling and controls to be implemented around your data.

Panel discussion: Effective information security risk management – making the business case for investment.

Focus on how to engage and communicate at board level.

Ensure the board understands risk and regulations etc.

Understanding the culture of the organisation and the primary concerns of the board are key.  The need for and benefits of security can then be sold to the board in terms of how it will protect / drive / benefit the business and better enable it to achieve its key goals.

Ensure there is a balance between security and usability.  Security must enable the business goals in a secure manner, not hinder them in the name of being secure.

Security must understand the business;

–          What is the impact to the business from potential issues / threats if they are realised?

–          What is the impact to usability / customer experience / profit etc. of implementing controls to remove / mitigate / reduce the risk

–          What is the environment the business operates in, use examples of similar businesses or businesses in similar business sectors who have been breached or who have implemented similar security controls

Education and awareness are also key, IT may be able to implement security controls and monitoring, but security and working securely is everyone’s responsibility within the organisation.

Brief comments on supply chain management / security.  For medium to large suppliers, contracts are key, for very small suppliers contracts are important, but working more collaboratively is likely more important as they will not be set up for large complex corporate contracts.  Fostering long term relationships works better and will provide better outcomes than changing every year just to save cost – this long term approach develops trusted relationships with partners who understand your business.


Information Security Transformation – Matt Denny, Marks and Spencer

Historically M&S was very security focused, but in the traditional sense of a castle around all the data.  This often made it very hard for people to do their jobs.  As an example, he stated that staff in the stores couldn’t access the M&S website as it wasn’t approved by security!

Built out a team of experts, some in security and some with a strong retail focus.  Worked hard to ensure security is appropriate across the business – what do we really need to protect, how should we enable the business?

Focus on quietening the noise – dealing with issues that hinder people’s work, so conversations with the board weren’t about the issues people complained about.

Driven a culture of accountability and ownership.  The current DR manager and PCI / compliance manager had no previous experience in those specific areas.  They were asked what they needed, training etc., then made accountable once they had what they needed.

Some key take away points;

–          Know your business needs

–          Build strategy, communicate and live by it

–          Implement an SDLC and take application security seriously

–          Identity and application management doesn’t have to be hard

–          Invest in your people…. Invest in your people…..

–          Work with people, not companies

–          Trust no-one – check and verify

Message Matt presented to the M&S board on infosec security for the next year;

–          Prepare for the worst

o   Know your weaknesses

o   Be able to detect the attacks

o   Practice your response

–          Stay ahead of the bad guys

o   Research and learn

o   Invest in your people

o   Innovate and deploy effective tech

–          Get more from what you have

o   Use as much functionality as you can

o   Legacy can still be king!


Also of note – First security awareness to whole business was a simple video about staying safe online at home as well as work.  General focus on staying safe online; if someone can create a safe Facebook password, they can create a safe work one!

Great talk highlighting how important it is to get the right message to the board, and how simple this message, plus security awareness can be.

Understand your business, the key drivers, invest in people and ensure you get your message to the board in language they care about.


RSA Security Summit London April 2014 – Digital Fraud; Setting the Scene

Presentation by Stephen Nicholas from Deloitte titled;

Digital Fraud; Setting the Scene

Where consumers lead..

–          94% UK consumers have shopped online in the past year

–          16% year on year growth in online spend

–          UK supermarket 10% of online revenue directly through mobile app

–          83% UK consumers have banked online in the last year

–          £91bn online card spend in 2013

…Fraudsters follow

–          Identity theft and account take over

–          Card not present

–          False refund claims

–          Finance and credit card applications

–          2 in 3 organisations believe the risk of digital fraud has increased in the past 2 years

–          41% of organisations have experienced digital fraud attacks


What is driving this?

–          Few deterrents or penalties

  • Few convictions / prosecutions
  • Stolen funds rarely recovered

–          Sophistication and scale

  • Record volumes of attacks
  • Agility from fraudsters, responding to change and controls

–          Low barriers to entry

  • Commoditised supply chain
  • All components available as a service

Fraud supply chain and business model is very mature with services, support, secure sites for buying and selling etc. all readily available.


What does this mean?

–          Loss of goods

–          Financial losses

  • £301 million 2013 UK fraud losses on remote card spend.
  • £41 million (Reported) 2013 online banking fraud losses.  Note – this is just the ‘reported’ (admitted to) amount. It is likely that the real number is a lot higher.
  • £105 million online losses suffered by retailers in 2013

–          Brand damage

–          Cost of security

–          Rejected business

–          Deterred business

  • 1 in 3 consumers stop doing business with those responsible
  • 73% of digital fraud affecting organisations’ ability to deliver new digital content / services


What are organisations doing?

–          92% view investment in fraud controls as a priority

  • But are we really investing in security and fraud?
  • What are your challenges in getting funding from the board? Examples include;
    • High costs
    • Unclear RTO
    • Organisation
    • Unsure on solutions
    • Impact


Final thoughts;

–          Do you know your threat landscape?

–          Do you know your controls – what is in place, how well is it working?

–          Would you know if you are attacked / breached?

–          Do you have understood action plans ready for when there is an attack or breach?

Basically cyber crime / cyber fraud is getting more sophisticated, more organised and more frequent.  However while businesses appear to be aware of the issues and there are known, very large costs associated with this, most businesses are not yet making the changes to combat this.

How do we get better board and business engagement?


RSA Security Summit London April 2014 – InTh3Wild – The current state of cybercrime

Talk by Nick Edwards of RSA around the current state of cyber-crime titled;

InTh3Wild – The current state of cybercrime


1.       As the world goes mobile, cybercrime will follow

Stats and facts around mobile;

2007 – Apple introduces iPhone, Google unveils Android OS

2013 – Jan – Apple hits 40 billion downloads, May – Apple hits 50 billion downloads

2012 – Android malware explodes

1 billion android devices shipped by 2018

1 million android devices currently activated / day

86% of all Android malware is repackaged versions of legitimate apps with malicious payloads

Focus of mobile malware; eCommerce, Online banking, Online trading.

–          Much of the effort is around harvesting credentials rather than trying to commit fraud via the mobile app – likely due to the limited functionality of many mobile apps

2012 – 300 million mobile bankers.

2013 – 530 million mobile bankers

71% of organisations allow their users to use their own mobile devices for company business

–          Even if you’re using a container technology could credentials be stolen?

–          What could be harvested from ‘screen scraping’?

Games are also a common app used for attacks;

–          Angry Birds Space had over 150 million downloads in the first two weeks

–          Only requires a very low percentage of people to install a malicious version for the malicious user to have access to many compromised devices.

Phishing / SMSishing – SMS spoofing and phishing such as sending texts that look like they come from your bank.

SMS sniffers that sniff and send your SMS details to the criminal

Voice – recent android Trojan can record phone calls – these have 2 purposes, harvesting information, and using your voice to fool biometric systems that rely on voice.

2.       Hacktivism

Political messages and defacements

DDoS and other malicious activities ‘for hire’

Trying to make hacktivism legitimate – e.g. Anonymous created a US ‘We the People’ petition to make DDoS a valid form of protest

Many different organisations such as Syrian Electronic Army (SEA), Anonymous, …

News sites as well as businesses are often targets

3.       Account takeover

Identity theft

Take over of online accounts such as twitter, facebook

Tools readily available for identity theft such as components of the Zeus plugin.

–          Can alert when users of compromised machines try to log onto banking sites and perform transactions etc. in real time

–          Keeps records of the user’s history so they can answer questions around user behaviour etc. if prompted by customer services.

Security tools need to catch up with this to start dealing with these attacks that occur in real time

4.       Fraud as a Service

Cybercriminals increase effectiveness of fraud offerings

Ransomware – scare tactics around crime and child porn etc. to extort money from users

Ransomware – encrypts parts of or the entire computer and requires a ransom to decrypt

Call centre service – fake call centres set up to call customers with compromised machines – set up locally so they sound correct and have knowledge of the local banks etc.

Analytics – crimeware now has the ability to provide ‘big data’ type analytics around its use, distribution, numbers of infected machines etc.


2014 – sneak peek;

–          More sophisticated mobile malware

–          Generic malware for advanced attacks

–          Bitcoin’s popularity / demand for stealing

  • Digital currencies and issues with them to become more prevalent

–          Trojans get more sophisticated

–          More breaches

Mobile is huge, criminals continue to become more organised and sophisticated with very low barriers to entry into the market.

Security must catch up!



RSA Security Summit London April 2014 – Keynote 2

The second keynote today was given by Dave Martin, VP & Chief Security Officer – EMC.

Tales From The Front Lines: Actionable Strategies for An Intelligence-Driven Security Program

This was a pretty good talk, covering at a high level a lot of topics;

The gap continues to widen!

–          Business wants faster, more agile, cheaper

  • But ‘keep us safe’
  • IT is not the only partner
  • IT is having an identity crisis (business can launch IT systems via SaaS / PaaS etc. without needing traditional IT involvement)
  • IT foundations are shaky

–          Technology change is relentless

  • Mobile, cloud, big data
  • Platforms, M&A

–          Changing compliance and standards

  • Privacy
  • Critical infrastructure

–          Attackers are getting smarter, sharing

  • Better at sharing than companies / law enforcement, especially across geographic and political borders
  • Training each other
  • Sold and free tools

Complexity will be the rule

–          Software defined Networks, data centres, everything!

–          Mobile really will be first – Pervasive access to everything, from everywhere, from everything

–          BYO… Device, Network, Data, Analytics, … Security

–          Commercial internet of things – everything from printers to vending machines want wired or wireless network and internet access.

Big is going to get bigger!

–          If you are not there already data is going to get big

  • Are you ready for this?

–          Traffic volume is going to get big

  • Can you build a big enough gateway?
  • Can you afford the internal bandwidth?
  • Will you see the traffic?
    • Will you be able to analyse and understand it??

You may hear that bandwidth is cheap, but can we scale it enough?

Monitoring and securing large bandwidth is not cheap – do your security and monitoring devices scale enough?

Can you really analyse and understand all the traffic?

What is normal?

What is abnormal / malicious?

How much traffic circumvents the main business gateways?  Users with 3G/4G modems, users working on their own devices connecting to cloud services?


The ‘Kill Chain’ now has a bad ending;

–          Recovering from a disruptive attack will mean going far beyond traditional resiliency

–          They will know your DR; failover is not enough!

–          How will you rebuild, restore when;

  • Your primary and DR is gone
  • 75% of your endpoints
  • DNS? AD?
  • Data is corrupted / compromised and this corruption is replicated to the DR copies


Ways to stay ahead..

Or maybe how not to drown!

Establish core tenets;

–          Traditional weapons are not going to work

  • Don’t be the cavalry, those are tanks

–          Raise the bar and don’t make it easy

–          Prevention in small doses, detection is key

–          What gives you visibility; makes you stronger (collect and analyse data)

–          When you detect, response is key (strong incident response process)

Be thoughtful and surgical;

–          Think closely about control decisions

  • What other behaviours are you encouraging or creating?
  • Are they worse than the original risk?
  • Carrots are more effective than sticks!

–          One size doesn’t fit all

  • Don’t boil the ocean
  • Perfection is a lost cause
  • How can we have the largest risk impact?
  • Target high value assets
    • Consider People, Process, Data, Geography
  • Largest population

Communicate and Educate;

–          Be transparent – let people know WHY

–          Make it personal

–          Do it often and with data

–          Business relationships

  • Change in the C suite
  • Power is shifting

Use leverage;

–          Our security teams are not growing!

  • ‘Trojan horse’ security projects;
    • SSO
    • Asset management
    • Change management
  • Embrace change – make sure we are involved in defining requirements and design of new areas such as;
    • Automation
    • Mobility
    • Software defined
      • Networks
      • Data Centre

Areas of Focus;


–          Provisioning and onboarding

–          Role management

–          Map identity and log streams

–          Profiling; map users to

  • Devices
  • Applications
  • Systems
  • Behaviours


–          DLP isn’t the final word

–          Consider data bankruptcy

–          Focus on visibility and analytics

  • High value asset
  • Point of creation or storage
  • Visibility at the large endpoint

–          Contain where possible – mobile and virtual

–          Leverage master data management programs

  • Define data owners and criticality

–          Evaluate data categorisation technology

Customer Experience

–          They have many choices and security isn’t on their list

  • Offer enterprise versions of consumer services

–          Can you trade experience for visibility?

–          Provide for safe, open access

–          Leverage SSO to better map identity


Supply chain and third party risk

–          Understand supply chains

–          Enforce contracted policies

  • Network Access Control

–          Reduce access

  • Virtual desktops
  • Review privilege

–          Third party risk services

Incident detection and response

–          Single UI and alerting for visibility – feed in data from controls, and add context

Resiliency and Recovery

–          Non traditional DDoS targets

–          Table top based on known attacks

Threat model based on existing Business impact analysis

These 2 keynotes were a great way to start the day’s presentations.


RSA Security Summit London April 2014 – Keynote 1

First keynote speech of the day, delivered by Brian Fitzgerald, VP RSA Marketing

Security Redefined: Managing risk and securing the business in the age of the third platform

1st platform – 1970s – mainframe / mini computer – Terminals – Very high level of IT control – Millions of users, thousands of apps.

2nd platform – 1990 – LAN / Internet, Client / Server – PC – High level of IT control – Hundreds of millions of users, tens of thousands of apps – IT controlled; Perimeter bound

3rd platform – 2010 – Mobile / Cloud / Big Data / social – Mobile devices – Low level of IT control (especially end points, and cloud hosted solutions) – Billions of users, millions of apps – User centric; Boundaryless


Increased complexity and less control increases the need for analytics and intelligence.  Moving more from control to governance.

A new security world – becoming increasingly difficult to secure infrastructure.

Must focus on what is persistent; ensure we have control and visibility of

  • People
  • Flow of data
  • Transactions

A new security approach is required;

–          Move from Prevention (signature based) to Detection (intelligence driven)

Intelligence is a game changer – much data that we do not consider ‘security data’ is or will become security data – key to identifying unusual behaviour in the environment.

RSA’s Focus Areas;

–          Advanced Security Operations; Detecting and stopping advanced threats

–          Identity and Access Management; Securing the interactions between people and information

–          Fraud and Risk Intelligence; Preventing online fraud and cybercrime

–          Governance, Risk and Compliance; Understanding and managing organisational risk

In short IT is becoming increasingly distributed and complex, while at the same time moving out of the direct traditional control of IT and Security.  We must move to improving our visibility and ability to analyse data, along with the incident response people and processes to back this up and deal with the inevitable breaches.


RSA Security Summit London April 2014 – Security Redefined

Today is a day out of the office at the RSA security summit in London.

The theme of the day is ‘Security Redefined’.

This is the concept of the ‘third platform’ of IT – billions of users, global locations, and many many devices accessing our systems.  We can no longer have the strong perimeter based security paradigm where we keep the ‘bad guys’ out, we need to have a security strategy based on detection and risk with the assumption that we can and will suffer compromises.

This is not a new concept, but it is good to hear the ‘security heavy weights’ (or larger less agile firms, take your pick 😉  ) in the industry talking about this.

As usual I’ll be summarising and commenting on the keynotes and other presentations I attend today.


Verizon 2014 data breach investigations report preview

At the recent RSA conference Verizon shared a brief preview of their upcoming 2014 Data Breach Investigations report;


Basically, the long and short of it is that attackers are getting better and quicker, with 75% (or more) of attacks succeeding within days or less, and only 25% (or less) of the time do organisations discover the attack within a similar timeframe.

So attackers are getting into our networks very quickly and successfully, and we are still in general very bad at discovering the compromises until it is far too late.

This looks like a continuation of some of last year’s key messages: you will be breached, networks are so complex and porous, and applications still so very vulnerable.  Detection is key, having the ability to quickly spot, and act on, indicators of compromise (IOC).  Security must improve its detective and response capabilities;

Cyber criminals keep getting better at what they do, and security is failing to keep pace.

What are your thoughts, how can we improve the situation?

One thing I often wonder about is the role of security in not only keeping up with the threat landscape and how to prevent (well reduce the likelihood of) breaches, and to ensure they are discovered, but to also communicate this to the wider IT and business teams.

How do we get the wider business and IT community to ‘get that security cannot be an afterthought’?

Across multiple different roles, much of my life seems to have been filled up with debates about what the minimum security requirements are, and what has to be done to scrape through regulatory audits.  The discussion should focus on what needs to be done to protect the data in our care.  Have you successfully moved this discussion on and changed a business’s culture to be focussed on how to deliver securely?

Some upcoming posts will cover both thoughts on how to deal with the evolving advanced threat landscape and advanced attacks, and also ways we can get security to have the right priority and focus – we don’t have to just deliver, we can deliver securely!


RSA Shell Crew investigation

I was recently asked to summarise and comment on the recent RSA investigation and published report into the ‘Shell Crew’ attacks, so thought I’d share this;

The Shell Crew attacks investigated by RSA IR are a clear example of what is usually referred to as APT (Advanced Persistent Threat) attacks. They were able to persist for considerable lengths of time in various enterprises, all the while covering their tracks and updating malware and backdoors.  During the time they were inside the various enterprises their aim was to exfiltrate as much data and intellectual property as possible.

They used a variety of techniques from phishing and spear phishing (extremely targeted phishing) to web application framework attacks to gain entry, and once inside used many techniques including;

–          Web shells

–          Lateral movement, making use of RDP, psexec, open network connections and job scheduling via the at command.

–          Code signing of backdoor malware so it installed without warnings

–          Utilising SETHC RDP backdoor

–          Proxy tools installed on servers to avoid corporate proxies

–          Proxy-aware malware that connected out using stolen credentials

–          Falsifying time and date stamps on malicious files

Prior to the attacks there were lengthy periods of reconnaissance of the businesses and their technical footprint.

Looking at the tools and techniques used, it appears they predominantly attacked Windows based systems.

The example detailed involved a hack of a web server running a vulnerable version of Adobe ColdFusion, where the vulnerability enabled directory traversal.  This enabled them to access the password file for ColdFusion, download it and crack it (likely with rainbow tables).  The next step was to download and install web shells, backdoor software and various password cracking and hashing tools onto the server.

Some take away points include;

  • Details of the exploit were clearly captured in the web server logs – highlighting the need for proper log correlation and alerting.
  • They logged into the web server with the Admin password within 10 minutes of stealing the hash – 2-factor authentication should be used for web accessible accounts where possible.  If passwords must be used, a large salt must be added to the hashes.
  • Once they were on this server they quickly moved to control / access many other servers on the compromised network.
  • Various ‘entrenchment’ methods were used to ensure their presence was hard to remove, including;
    • They used various web shells, from simple one-line ones all the way to advanced ones with trojan-like capabilities. Web shells are malicious files written in web scripting languages.  They have some benefits over trojans: they are rarely detected by AV programs, they run within the web server so blend with other traffic and are hard to block, and they have no need to beacon home.
    • Registering malicious DLLs so that the commands they run were interpreted by the malicious DLL, making them harder to detect
    • Modifying the System.Web.dll file (this is a dll), enabling specifically crafted posts to the server that without a # at the start would just result in a 404 page
    • Installation of custom variants of the ‘Trojan.Derusbi’ malware.  This monitors all open TCP ports on the server for a specific simple, but pseudo random, handshake.  When it sees one it responds with a handshake.  The remote user can then control the trojan with various obfuscated commands.  These include file traversal, starting / stopping processes, uploading / downloading files, time stomping (deleting or modifying time stamp related information on files – makes forensics more challenging), opening reverse shells, and locating and decrypting passwords stored in browsers such as IE and Firefox.
    • Sethc backdoor – replacing the sethc exe with cmd or explorer, or making a registry change to the sethc entry.  If RDP is enabled, connecting and then pressing SHIFT 5 times will bring up CMD, explorer, or the debugger.
  • On top of this they also downloaded a lot of other malicious files and ‘secondary tools’ including many variants of the Derusbi trojan, notepad.exe (actually multi purpose malware including proxy capabilities, time stomping, user impersonation, Run As etc.), credential loggers etc.
  • The attack appears to target Windows Server 2003, 2003 R2 and XP variants – ensure you are using current versions of operating systems, and that they remain fully patched.
  • Obfuscation of code for the various malware tools was heavily used.  While it is often not complex to manually de-obfuscate the code, this technique helps malware avoid detection by automated tools and also means the code / scripts don’t look like code to the untrained eye if an admin or someone stumbles across them.
  • Credential capture / logging was attempted in various ways on compromised machines in the estate including; hash dumping (grabbing hashes then likely using rainbow tables to crack them), keystroke logging, MSGINA (MS Graphical Identification and Authentication – key part of the MS logon process) man in the middle, and hooking into authentication functions.
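The salt point in the take-aways above (and the rainbow table point under credential capture) is worth seeing in code.  This is an added example of my own, not anything from the RSA report: a small constructed lookup table stands in for a rainbow table, and PBKDF2 with a per-user random salt stands in for a properly salted scheme.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a precomputed (rainbow-table style) lookup of unsalted
# digests. SHA-1 is used here purely as an example of a fast unsalted hash.
COMMON_PASSWORDS = ["password", "123456", "letmein", "Welcome1"]
LOOKUP_TABLE = {hashlib.sha1(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def unsalted_hash(password: str) -> str:
    """The weak scheme: the same password always produces the same digest."""
    return hashlib.sha1(password.encode()).hexdigest()


def lookup_unsalted(digest: str):
    """An unsalted digest is 'cracked' instantly by a table lookup."""
    return LOOKUP_TABLE.get(digest)


def salted_hash(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Per-user random 16-byte salt plus PBKDF2-HMAC-SHA256, stored as salt$iterations$digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    salt_hex, iterations, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def lookup_salted(stored: str):
    """The same table is useless against a salted record: every user's digest
    differs, so a table would have to be rebuilt per salt (and per iteration count)."""
    return LOOKUP_TABLE.get(stored.split("$")[2])


def demo() -> dict:
    """Contrast the two schemes for one common password."""
    weak = unsalted_hash("Welcome1")
    record_a = salted_hash("Welcome1")
    record_b = salted_hash("Welcome1")  # same password, fresh salt, different record
    return {
        "unsalted_cracked": lookup_unsalted(weak),            # 'Welcome1'
        "salted_cracked": lookup_salted(record_a),            # None
        "same_password_same_record": record_a == record_b,    # False
        "verify_ok": verify_salted("Welcome1", record_a),     # True
        "verify_wrong": verify_salted("Welcome2", record_a),  # False
    }


if __name__ == "__main__":
    print(demo())
```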

Overall this is a good, in depth report that really highlights both how easily an adversary can gain access to the corporate network, and how entrenched they can become across many servers in the network once they have a foothold.

Up to date, patched systems, defence in depth, and first-rate logging, correlation and alerting are key factors in the prevention and quick detection of breaches.
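To make the logging point concrete, here is an added example of my own (not code from the RSA report) of the kind of rule a log correlation tool should have fired on: it parses Apache Common Log Format lines and flags directory traversal attempts, including URL-encoded, double-encoded and backslash variants, while leaving a relative path that stays inside the web root alone.  The log lines and addresses are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample in Apache Common Log Format. Addresses are documentation
# ranges and the paths are illustrative; none of this is taken from the report.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2014:10:01:12 +0000] "GET /index.cfm HTTP/1.1" 200 5123
203.0.113.5 - - [10/Feb/2014:10:01:20 +0000] "GET /images/logo.png HTTP/1.1" 200 884
203.0.113.9 - - [10/Feb/2014:10:03:41 +0000] "GET /app/view.cfm?file=..%2F..%2F..%2Fconf%2Fsecrets.properties HTTP/1.1" 200 412
203.0.113.9 - - [10/Feb/2014:10:03:55 +0000] "GET /app/view.cfm?file=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1703
203.0.113.9 - - [10/Feb/2014:10:04:02 +0000] "GET /app/view.cfm?file=..\\..\\windows\\win.ini HTTP/1.1" 404 310
198.51.100.7 - - [10/Feb/2014:10:05:00 +0000] "GET /docs/../index.cfm HTTP/1.1" 200 5123
"""

# host ident authuser [timestamp] "method path protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+$'
)


def normalise(value: str) -> str:
    """Undo up to three layers of URL encoding and fold backslashes to slashes,
    so %2F, %252F and backslash variants all collapse to the same '../' form."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def escapes_root(path: str) -> bool:
    """True if '..' segments take the path above the web root. A path such as
    /docs/../index.cfm stays inside the root and is not flagged."""
    depth = 0
    for segment in normalise(path).split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment not in ("", "."):
            depth += 1
    return False


def traversal_indicators(request_target: str) -> list:
    """Reasons a request target looks like directory traversal, either in the
    path itself or in any query-string parameter value."""
    path, _, query = request_target.partition("?")
    reasons = []
    if escapes_root(path):
        reasons.append("path escapes web root")
    for param in (query.split("&") if query else []):
        name, _, raw = param.partition("=")
        value = normalise(raw)
        if "../" in value:
            reasons.append(f"traversal in parameter {name!r} -> {value}")
    return reasons


def scan_log(text: str) -> list:
    """Parse CLF lines and return (ip, timestamp, status, reasons) for each hit."""
    alerts = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed line; a real pipeline should count these too
        reasons = traversal_indicators(match["path"])
        if reasons:
            alerts.append((match["ip"], match["ts"], int(match["status"]), reasons))
    return alerts


def successful_hits(alerts: list) -> list:
    """Subset of alerts with a 2xx response, i.e. the server actually served the request."""
    return [a for a in alerts if 200 <= a[2] < 300]


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, ts, status, reasons in found:
        print(f"{ts} {ip} status={status} {'; '.join(reasons)}")
    print(f"{len(successful_hits(found))} of {len(found)} traversal attempts returned 2xx")
```

The 2xx hits are the ones to page someone about: a 404 shows an attempt, a 200 shows the server handed the file over.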

Detection and response are becoming increasingly important in a world where you will be compromised.