
Chapter 7: Communication Efficient Distributed Agnostic Boosting

8.5 Impact and Deployment

8.5.1 Case Studies and Impact

As in Table 8.1, in this section we present three additional real-world incidents and the event predictions that Virtual Product produced for them, as examples of its positive impact on the incident response process.

Example 1. One of our customers, whom we will call Alice, has an important server that is protected by many network security products, as shown in Table 8.10. What value is FirewallB providing? Let us imagine that FirewallB is not deployed. Alice observes several suspicious events output from the remaining products: the IPS detects a HiKit initial HTTP beacon and an Angler exploit kit download attempt, and the proxy flags a suspicious connection.

Seen Indicators (security events)

Product     Event Description
Proxy       Suspicious connection
FirewallA   WebVPN Authentication Rejected
FirewallA   WebVPN session created
FirewallA   WebVPN session terminated
FirewallA   WebVPN session deleted
FirewallA   WebVPN session started
FirewallA   WebVPN Authentication success
FirewallA   SSL handshake completed
FirewallA   Teardown TCP connection
FirewallA   TCP connection
FirewallA   Session disconnected
IPS         SQL Query in HTTP Request
IPS         RookIE/1.0 malicious user-agent string
IPS         Angler exploit kit exploit download attempt
IPS         Known malicious user agent - mozilla
IPS         HiKit initial HTTP beacon
IPS         TeamViewer remote administration tool outbound connection attempt
Router      Flow session close

Top Predicted Primary Indicators

Product     Event Description
FirewallB   Windows Executable
FirewallB   Malicious File
FirewallB   SQL Injection Attempt
FirewallB   Phishing Webpage
FirewallB   RIG Exploit Kit
FirewallB   Windows DLL
FirewallB   Heartbleed Malformed OpenSSL Heartbeat
FirewallB   Microsoft Indexing Service UTF-7 Cross-Site Scripting Vulnerability
FirewallB   Microsoft IIS HTR Request Parsing Buffer Overflow Vulnerability
FirewallB   /etc/passwd Access Attempt

Table 8.10: Virtual Product correctly predicts that FirewallB would have detected an incident, and 10 of its top 11 predicted alerts coincide with the ones that actually occurred, yielding a clearer picture of the artifacts involved in the attack and the vulnerabilities used. The incorrect prediction is shown in strikeout font.

Seen Indicators (security events)

Product     Event Description
Firewall    Bad TCP Header length
Firewall    P2P Outbound GNUTella client request
Firewall    wu-ftp bad file completion attempt
Firewall    DNS zone transfer via TCP detected
Firewall    SNMP possible reconnaissance, private access udp
Firewall    ICMP PATH MTU denial of service attempt
Firewall    FTP format string attempt
Firewall    SMTP expn root
Firewall    SMTP vrfy root
Firewall    Server netcat (nc.exe) attempt
Firewall    philboard admin.asp auth bypass attempt
Firewall    SSLv2 Challenge Length overflow attempt
Firewall    OpenSSL KEY ARG buffer overflow attempt
Firewall    proxystylesheet arbitrary command attempt
Firewall    Oracle ONE JSP src-code disclosure attempt
Firewall    JBoss admin-console access
Firewall    RevSlider information disclosure attempt
Firewall    Accellion FTA arbitrary file read attempt
Firewall    Apache Tomcat directory traversal attempt
Firewall    Apache non-SSL conn. to SSL port DoS attempt
Firewall    Windows NAT helper components tcp DoS attempt
Firewall    Multiple SQL injection attempts
Firewall    Bash CGI environment variable inject attempt
Firewall    Suspicious .tk dns query
Firewall    Suspicious .pw dns query
Firewall    ColdFusion admin interface access attempt
Firewall    Windows Terminal server RDP attempt
Firewall    Suspicious DNS request for 360safe.com
Gateway     Connectra Request Accepted
Gateway     ICMP: Timestamp Request
Gateway     Possible IP spoof
Router      Admin Authentication Failed

Top Predicted Primary Indicators

Product     Event Description
AV          CVE-2012-4933 ZENWorks Asset Mgmt Exploit
AV          Post-Compromise PHP Shell Command Execution
AV          CVE-2015-1635 OS attack, HTTP.sys Remote Code Execution Exploit

Table 8.11: An attack on a webserver is obviously underway, but was it successful? Virtual Product correctly predicts, with 99.9% confidence, not only that a deployed AV product would detect attacks on the machine, but also that the system was successfully infected.

Seen Indicators (security events)

Product     Event Description
Firewall    Microsoft Windows 98 User-Agent string
Firewall    SMTP: Attempted response buffer overflow
Windows     Encrypted data recovery policy was changed.
Windows     A cryptographic self test was performed.
Windows     Cryptographic operation.
Windows     MSI Installer
Windows     Key file operation.
Windows     A logon was attempted using explicit credentials.
Windows     An attempt was made to reset an account's password.
Windows     Special privileges assigned to new logon.
Windows     System audit policy was changed.
Windows     A user account was changed.
Windows     A security-enabled local group was changed.
Windows     An account failed to log on.
Proxy       TCP Cache Miss: Non-Cacheable Object
Gateway     Connectra Request Accepted

Top Predicted Primary Indicators

Product     Event Description
AV          Bloodhound.Exploit.170

Table 8.12: There are indications of possible ransomware activity, but how did the attack reach the machine in the first place? Virtual Product correctly indicates that a malicious spreadsheet (detected as Bloodhound.Exploit.170) was at fault, a method by which the Locky ransomware has been known to propagate.

Without FirewallB, no incident is generated by the deployed security products: the remaining events, taken on their own, are not threatening enough to warrant attention.

Based on evidence from the "virtual" FirewallB, however, Alice finds that an incident is likely, with 95% confidence.

To further understand the cause of the potential incident, Alice takes a deeper look at FirewallB’s predicted events, which include malicious Windows executables, SQL injection attempts, a visit to a phishing webpage, and attacks on several recognized vulnerabilities.

This additional telemetry gives Alice clarity on the avenues of attack that were used, which she can use to prioritize patching and prevent a recurrence of the attack. It also suggests possible data leaks through SQL injection and visits to phishing websites, enabling Alice to take action that could prevent a serious data breach.

For this particular incident, 11 events were triggered by the actual FirewallB product, and we list the top 11 reconstructed events identified by Virtual Product. These predictions are prioritized by dividing each event's reconstructed instance count by the average instance count for that event, which is akin to TF-IDF normalization in statistical language modeling: events that fire on nearly every machine are down-weighted, and rare ones are promoted. In actual deployment, Virtual Product users can customize its confidence thresholds depending on whether they want only highly confident event reconstructions or a broader list that is more likely to include erroneous predictions but may also include valuable information that would otherwise have been suppressed.
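As an added illustration of the ranking rule just described (not code from the thesis or from the Virtual Product system), the following Python scores each reconstructed event by dividing its reconstructed instance count by that event's average instance count, then applies an analyst-chosen score threshold. The event names are taken from Table 8.10; the counts and averages are constructed for this example, the baseline population is assumed to be all monitored machines, and the handling of an event with no baseline average is an assumption of the example rather than documented behaviour.

```python
# Added example: prioritizing reconstructed ("virtual") product events by
# reconstructed count / average count, akin to TF-IDF. Not the thesis's code.

# Constructed sample data (made up for this example). Event names follow
# Table 8.10; the numbers are illustrative only.
RECONSTRUCTED_COUNTS = {
    # event name -> reconstructed instance count on Alice's server
    "Windows Executable": 40.0,
    "Malicious File": 30.0,
    "SQL Injection Attempt": 8.0,
    "Phishing Webpage": 5.0,
    "Heartbleed Malformed OpenSSL Heartbeat": 2.0,
    "/etc/passwd Access Attempt": 1.5,
}

AVERAGE_COUNTS = {
    # event name -> average instance count of that event across the baseline
    # population (assumed here to be all monitored machines)
    "Windows Executable": 50.0,  # fires everywhere, so it carries little signal
    "Malicious File": 10.0,
    "SQL Injection Attempt": 2.0,
    "Phishing Webpage": 1.0,
    "Heartbleed Malformed OpenSSL Heartbeat": 0.5,
    "/etc/passwd Access Attempt": 3.0,
}


def normalized_scores(reconstructed, averages):
    """Score each event as reconstructed_count / average_count.

    Dividing by the event's average count plays the role of the IDF term in
    TF-IDF: events that fire on every machine are down-weighted, rare ones
    are promoted. An event with no baseline average (or an average of zero)
    cannot be normalized; this example's assumption is to keep its raw count.
    """
    scores = {}
    for event, count in reconstructed.items():
        avg = averages.get(event, 0.0)
        scores[event] = count / avg if avg > 0 else count
    return scores


def prioritize(reconstructed, averages, min_score=0.0, top_n=None):
    """Return [(event, score), ...] sorted by descending score (ties by name).

    min_score is the analyst-tunable confidence threshold: raise it for a
    short, high-confidence list; lower it for a broader list that may
    contain errors but also information that would otherwise be suppressed.
    """
    scores = normalized_scores(reconstructed, averages)
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    ranked = [(event, score) for event, score in ranked if score >= min_score]
    return ranked[:top_n] if top_n is not None else ranked


if __name__ == "__main__":
    print("Broad list (min_score=0):")
    for event, score in prioritize(RECONSTRUCTED_COUNTS, AVERAGE_COUNTS):
        print(f"  {score:5.2f}  {event}")
    print("High-confidence list (min_score=2.0):")
    for event, score in prioritize(RECONSTRUCTED_COUNTS, AVERAGE_COUNTS, min_score=2.0):
        print(f"  {score:5.2f}  {event}")
```

On the constructed data, a raw-count ranking would put "Windows Executable" first; the normalized ranking demotes it because it fires on nearly every machine and promotes "Phishing Webpage", which is rare in the baseline. Raising `min_score` from 0 to 2.0 shrinks the list from six events to four, which is the confidence trade-off described above.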

Example 2. In some cases, while existing security events may make it quite obvious that an attack has taken place, they may leave a vital question unanswered: was the attack successful? This question matters because most webservers are constantly exposed to attacks, and yet most attacks do not succeed in compromising the machine, both because the machine is often not vulnerable to the attempted attack and because the network devices that report attack events are often able to block them. Table 8.11 illustrates such an example, in which Virtual Product determines that an AV product would have detected a serious incident with 99.9% probability. The reconstructed AV events further indicate that the attack is very likely to have been successful, and they give further insight into the nature of the predicted attack.

Example 3. Virtual Product is often able to provide context that outlines appropriate remedial and preventative actions. In the product events seen in Table 8.12, an observant analyst may see hints of a possible ransomware attack, but the initial method of attack is not clear. Virtual Product correctly indicates that a malicious spreadsheet was at fault, a method by which the Locky ransomware has been known to propagate, and therefore reveals a possible social engineering campaign that the company's security department should investigate.

As is evident in these three case studies, and in the case study shown in Table 8.1, Virtual Product helps security analysts by providing context that helps them answer vital questions, such as: Is this machine compromised or just displaying unusual behavior? Was the attack that I see on this machine successful? How should I go about cleaning up this infected machine? How can I prevent a recurrence of a similar attack on this or other machines in my environment? By answering these questions for MSSP customers, Virtual Product significantly facilitates the security analyst's core tasks.