Sunday, October 19, 2014

How external indicators can help investigators confirm an intrusion - A look at UPS

One of the worst things we have noted recently is that many companies complain when their domains and IP information show up on a blacklist. They are quick to contact you to get their entries removed, but not so quick to take an in-depth look at why they ended up on the blacklist in the first place.

One particular incident that comes to mind is the recent hacking that occurred at UPS store locations. About 10 days prior to the incident we started seeing UPS store locations on our blacklist. We did not know why they were showing up at first, but it would become very clear much later. These hosts were attacking other third-party entities, and we started getting reports of all sorts of possible issues from port scans, spam, malware hosting, brute-force attacks and other reports of malicious intent from the UPS store locations. At the time neither UPS nor our organization realized what was occurring. All we noted was an uptick in activity from UPS store locations. Shortly afterwards we started seeing UPS and related domains showing up on blacklists and malware identification sites.

Keep in mind that when we first noted the activity, it was a full 10 days before UPS admitted that their store locations were compromised. We cannot go into the methodology we use to decide whether to block a domain, but we can tell you that out of 174 data points we started seeing UPS on more and more of our sources, and our automated system finally blocked UPS domains once our threshold was met.

Immediately customers started complaining about not getting delivery notifications and not being able to access UPS resources. Many customers chose to unblock UPS, not knowing that they were opening themselves up to additional threats. Some customers did not realize that further attacks were coming. When the attacks came they were caught off guard.

This incident brought to light the problem that business owners face in securing their infrastructure: the balance between being able to function and being able to function during a security incident. Several of the companies that whitelisted UPS contacted us after the fact for information, even though we had sent out an advisory beforehand that outlined the problem and what was being done about it.

Predictive Algorithms

The key to knowing what is happening in advance of a threat is recognizing the symptoms. While we had no visibility into UPS directly, as they are not a customer, we did have visibility into 178+ other sources of information that yielded clues as to what was occurring. It seems that every time there is a breach there are certain tell-tale signs in common. By looking for these signs we are able to determine what the problem is at an organization that we don't have direct visibility into.

So what other companies in this space do similar things? One company that comes to mind is Cyveillance. Cyveillance is very good at scouring data sources and notifying you of information that pertains to your particular company or organization. What they are not good at is predictive analysis to determine what may happen. Cyveillance simply notifies you after the fact, whereas we notify companies of activity before the issue becomes public. By noticing activity ahead of time we are able to notify the company much more quickly, as the indicators come into our intelligence platform in real time.

One company that does have insight into predictive analysis would be Dell SecureWorks (DSW). DSW actually undertakes passive monitoring (similar to what we do) when they are alerted to an issue. They are very good at things like taking care of botnet issues, malware propagation and virus deconstruction. We do many of the same types of investigations, but we do it based on data that we are able to access outside of the organizations concerned. Our exact methods are not being disclosed, but we will tell you that we utilize open source and do analysis on common elements such as domain names, IP addresses and MD5 hashes of suspected hackers, networks or files.

Getting notified of problems before there is an issue is what our system is designed to do. Utilizing open source software means anybody who knows how to extract entity information from feeds, build indexes on occurrences of the information of interest, and create alerting, analysis and forwarding technology can get the alerts into the hands of an analyst. The additional piece of this is providing feeds of information to your customers so they can determine for themselves whether something such as the number of news articles on a topic is high, or whether the number of external entities reporting problems from the company's address space has moved outside of its normal baseline.

We won't give you the secrets of how the system operates, but we can tell you that it operates on some very unconventional analysis in advanced distributed and cloud computing environments specific to the task at hand.

So, organizations, we ask you to keep tabs on what others are reporting about your organization and try to understand why. There may be keys and clues to problems out there that you really should know about. Realize that the US Government contacted UPS first to alert them to an issue. This happened 9 days after UPS first appeared on our block list.


So understand that in the case of UPS we were correct to block them. We knew something wasn't quite right from the data we were analyzing from our feeds. Before removing an entity from a blacklist, make sure you understand the who, what, when, where and how of why they were put on the list in the first place. Without knowing these key indicators you can't really make an informed decision on the appropriate action to take. If all looks good you can take them off your block list, but make sure you understand the risk in doing so.
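The two ideas above, indexing occurrences of an entity across external feeds and alerting when the count of reporters moves outside that entity's normal baseline, and recording the who, what, when, where and how behind a block so it can be reviewed before removal, can be shown in a small Python script. This is an added example and is not the blog author's system or methodology; the record format, the feed sources, the entity names and the alert rule (distinct reporting sources per day against mean plus K standard deviations of the entity's own recent days, with an absolute floor and a learning period) are all assumptions made here, and the sample reports are constructed.

```python
"""Toy external-indicator aggregator (added example; not the blog's system).

Assumed data model (not from the post): each feed report is a dict with the
reporting source, the reported entity (domain or IP), a category and a day.
Alert rule (also an assumption): distinct reporting sources per day for an
entity, compared against mean + K * stdev of that entity's recent days,
with a floor on the absolute number of sources and a learning period.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

MIN_SOURCES = 5      # absolute floor: a single complaint is not an incident
K_SIGMA = 3.0        # how far above the entity's own baseline counts as abnormal
WINDOW_DAYS = 7      # length of the baseline window and of the learning period


def build_index(reports):
    """Index raw reports as entity -> day -> {source: [categories]}."""
    index = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for r in reports:
        index[r["entity"]][date.fromisoformat(r["day"])][r["source"]].append(r["category"])
    return index


def evaluate_entity(entity, days, window=WINDOW_DAYS, k=K_SIGMA, floor=MIN_SOURCES):
    """Walk one entity's days in order and return the alerts raised.

    Two edge cases are handled: no alert is raised until a full window of
    history exists (a steadily noisy sender must not alert on its first day),
    and days that already alerted are excluded from later baselines, so an
    escalating attack cannot inflate its own baseline and silence the alert.
    """
    alerts, alerted_days, first_seen = [], set(), min(days)
    for day in sorted(days):
        if (day - first_seen).days < window:
            continue  # learning period: index only, do not alert yet
        counts = [len(days.get(day - timedelta(days=back), {}))
                  for back in range(1, window + 1)
                  if (day - timedelta(days=back)) not in alerted_days]
        baseline = mean(counts) + k * pstdev(counts) if counts else 0.0
        today = len(days[day])  # distinct sources reporting this entity today
        if today >= floor and today > baseline:
            alerted_days.add(day)
            alerts.append({
                "where": entity,                          # the blocked entity
                "when": day.isoformat(),                  # day the rule fired
                "who": sorted(days[day]),                 # sources that reported it
                "what": sorted({c for cats in days[day].values() for c in cats}),
                "how": f"{today} distinct sources vs baseline {baseline:.2f}",
                "baseline": round(baseline, 2),
            })
    return alerts


def run(reports):
    """Index every report and evaluate each entity; alerts are ordered by day."""
    index = build_index(reports)
    alerts = []
    for entity, days in index.items():
        alerts.extend(evaluate_entity(entity, days))
    return sorted(alerts, key=lambda a: (a["when"], a["where"]))


# Constructed sample feeds: source names, categories and entities are invented.
_SOURCES = [("spamtrap-a", "spam"), ("scanner-b", "port-scan"),
            ("honeypot-c", "brute-force"), ("rbl-d", "spam"),
            ("sandbox-e", "malware-hosting"), ("bruteforce-f", "brute-force"),
            ("ids-g", "port-scan")]


def _make_reports(entity, per_day):
    """per_day maps an ISO day to how many of _SOURCES reported the entity."""
    return [{"source": s, "entity": entity, "category": c, "day": day}
            for day, n in per_day.items() for s, c in _SOURCES[:n]]


SAMPLE_REPORTS = (
    # A retail location that is quiet for a week, then escalates over three days.
    _make_reports("store-1234.example-shipper.test",
                  {"2014-08-01": 1, "2014-08-04": 1, "2014-08-08": 3,
                   "2014-08-09": 6, "2014-08-10": 7})
    # A bulk sender always reported by five to seven sources: noisy but normal.
    + _make_reports("bulk-mailer.example.test",
                    {"2014-08-01": 5, "2014-08-02": 7, "2014-08-03": 6, "2014-08-04": 5,
                     "2014-08-05": 7, "2014-08-06": 6, "2014-08-07": 5, "2014-08-08": 7})
)

if __name__ == "__main__":
    for alert in run(SAMPLE_REPORTS):
        print(alert)
```

On the sample data only the store entity alerts, on 2014-08-09 and again on 2014-08-10; the bulk sender never does, because its seven reporters are within its own baseline, and the store's day with three reporters stays below the absolute floor. Each alert carries the reporters, the categories, the day and the rule that fired, which is exactly the record an analyst needs before deciding whether to lift a block.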

