From the daily archives: "Thursday, February 4, 2010"

I’m reading this story, and I quote:

Last year, for example, an unidentified defense contractor discovered 100 compromised systems on its network, and found that the intruders had been inside since at least 2007.

Hopefully they have now come to realize that monitoring your network, meaning the traffic patterns, rates, etc., is very important too.  In the past I have looked at a graph of traffic, say email messages over a 24-hour period, and when compared to previous data it seemed very high.  Because I could see the change in the trend data visually, I investigated further and found that there was indeed a problem.
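The kind of trend check described above, written out as an added example (this is not code from the original post, and the baseline and "today" counts are constructed sample numbers, not real traffic). Each hour of today is compared with the same hour on the previous seven days; an hour is flagged when it sits more than K standard deviations above the baseline mean and also exceeds it by a minimum absolute delta, so a quiet hour with a tiny standard deviation does not page on a handful of extra messages:

```python
"""Trend check on hourly message counts (added example; constructed data)."""
import statistics

# Constructed daily profile: outbound e-mail messages per hour (index 0 = 00:00).
BASE_PATTERN = [12, 8, 6, 5, 5, 7, 20, 45, 80, 95, 100, 98,
                90, 97, 99, 92, 85, 60, 35, 25, 20, 18, 15, 13]

# Seven previous days: the profile plus small deterministic jitter (-2..+2).
BASELINE_DAYS = [
    [BASE_PATTERN[h] + (i * 7 + h * 3) % 5 - 2 for h in range(24)]
    for i in range(7)
]

# Today: normal except for a large burst at 02:00 and a slight bump at 10:00.
TODAY = list(BASE_PATTERN)
TODAY[2] = 400    # nobody should be sending 400 messages at 02:00
TODAY[10] = 110   # above 3 sigma but under the minimum delta, so not flagged


def hourly_baseline(days):
    """(mean, stddev) of the count for each hour across the baseline days."""
    stats = []
    for h in range(24):
        samples = [day[h] for day in days]
        sd = statistics.stdev(samples) if len(samples) > 1 else 0.0
        stats.append((statistics.mean(samples), sd))
    return stats


def find_anomalies(today, days, k=3.0, min_delta=20):
    """Hours where today exceeds mean + k*stddev by at least min_delta messages."""
    base = hourly_baseline(days)
    hits = []
    for h, count in enumerate(today):
        mean, sd = base[h]
        threshold = mean + k * sd
        if count > threshold and count - mean >= min_delta:
            hits.append({"hour": h, "count": count,
                         "mean": round(mean, 1), "threshold": round(threshold, 1)})
    return hits


def render(today, days, width=40):
    """Text version of the graph: one bar per hour, anomalies marked."""
    base = hourly_baseline(days)
    flagged = {hit["hour"] for hit in find_anomalies(today, days)}
    peak = max(today)
    lines = []
    for h, count in enumerate(today):
        bar = "#" * int(count / peak * width)
        mark = "  <-- investigate" if h in flagged else ""
        lines.append("%02d:00 %4d (base %5.1f) %s%s" % (h, count, base[h][0], bar, mark))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(TODAY, BASELINE_DAYS))
    for hit in find_anomalies(TODAY, BASELINE_DAYS):
        print("hour %(hour)02d: %(count)d messages vs baseline %(mean)s "
              "(threshold %(threshold)s)" % hit)
```

Run it and only the 02:00 hour is reported; the 10:00 bump is above three standard deviations but only about ten messages over the mean, which is the case the `min_delta` guard exists for.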

Many entities don’t discover a breach until someone from law enforcement tells them. By then, it’s too late.

In 2008, Mandiant investigated a breach at a law firm that was representing a client in a lawsuit related to China. The attackers were in the firm’s network for a year before the firm learned from law enforcement that it had been hacked. By then, the intruders had harvested thousands of e-mails and attachments from mail servers. They also had access to every other server, desktop workstation and laptop on the firm’s network.

That is sad; the tools exist so that companies can detect and stop this type of thing in house. If something is very important to your organization, put an air gap between it and the rest of your network.  In other words, don’t connect it to your network; isolate it completely.  That makes it harder to use, but what is the loss to your organization if the information leaves the company?

Stolen e-mail messages and documents are collected and stored on a staging server inside the company’s network before being encrypted with custom algorithms and compressed into an .rar file. The files are then siphoned out in small random bursts generally via normal protocols with spoofed headers to disguise the activity. In the case of the Google hack, the attackers used an SSL port but a custom protocol.

All applications should be forced to use a proxy; otherwise they should not be allowed to send traffic into or out of your network.  Forcing traffic through a proxy that inspects the protocol, rather than blindly tunneling anything sent to port 443, is also what catches the custom-protocol-over-the-SSL-port trick quoted above.  A while ago, while taking the SANS Hacker Techniques and Incident Handling class, I learned about a tool that lets you craft ping packets.  That by itself is not amazing, but what I did not know at the time was that ping packets (ICMP echo request/reply) can carry a payload, i.e. data.  In other words, if I had the motivation I could write a script that takes the data I want to smuggle out of a network and sends it out entirely via ping.  It would take a while, but it would work.  Egress filtering is a must.  The first rule of a firewall should be deny all.  Only open up what is absolutely required, and only to a limited set of devices.  APT requires defense in depth and more.  :)
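Both halves of the ping trick, as an added example (not code from the original post, from the SANS class, or from any real tool; the "secret" being smuggled is a constructed sample string). The attacker side compresses a file and splits it across ICMP echo-request payloads; the defender side parses each packet, verifies the checksum, and accepts only payloads that look like a stock ping (Linux iputils: a timestamp followed by the incrementing byte run 0x10, 0x11, ...; Windows: the fixed string "abcdefghijklmnopqrstuvwabcdefghi"). Everything else is counted as suspect egress, which is the check an egress monitor should be doing if ICMP is allowed out at all:

```python
"""ICMP echo payload smuggling and its detection (added example; constructed data)."""
import struct
import zlib

ECHO_REQUEST = 8
WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"      # 32-byte Windows ping payload
LINUX_PAYLOAD = bytes(8) + bytes(range(0x10, 0x10 + 48))   # 8-byte timestamp + 0x10.. run = 56 bytes

# Constructed sample "document" to smuggle out; not real data.
SECRET = b"CONFIDENTIAL: merger term sheet v3, do not distribute\n" * 40


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo request (type 8, code 0) carrying `payload`."""
    header = struct.pack("!BBHHH", ECHO_REQUEST, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", ECHO_REQUEST, 0, csum, ident, seq) + payload


def exfil_packets(data: bytes, ident: int, chunk: int = 48) -> list:
    """Attacker side: compress the data and split it into ping-sized chunks."""
    blob = zlib.compress(data)
    return [build_echo(ident, seq, blob[i:i + chunk])
            for seq, i in enumerate(range(0, len(blob), chunk))]


def reassemble(packets: list) -> bytes:
    """Attacker's receiver: order by sequence number and decompress."""
    parts = sorted((struct.unpack("!H", p[6:8])[0], p[8:]) for p in packets)
    return zlib.decompress(b"".join(body for _, body in parts))


def classify(packet: bytes) -> str:
    """Defender side: label an ICMP packet as a stock ping or as suspect."""
    if len(packet) < 8 or inet_checksum(packet) != 0:
        return "suspect:bad-checksum"
    typ, code, _csum, _ident, _seq = struct.unpack("!BBHHH", packet[:8])
    if typ != ECHO_REQUEST or code != 0:
        return "other"
    payload = packet[8:]
    if payload == WINDOWS_PAYLOAD:
        return "ping:windows"
    # iputils puts a struct timeval (8 or 16 bytes) first, then 0x10, 0x11, ...
    for ts_len in (8, 16):
        run = bytes((0x10 + i) & 0xFF for i in range(len(payload) - ts_len))
        if len(payload) > ts_len and payload[ts_len:] == run:
            return "ping:linux"
    return "suspect:payload"


def scan(packets: list) -> dict:
    """Summarise a capture: how many packets and bytes of non-ping payload went out."""
    report = {"benign": 0, "suspect": 0, "suspect_bytes": 0}
    for p in packets:
        if classify(p).startswith("suspect"):
            report["suspect"] += 1
            report["suspect_bytes"] += max(len(p) - 8, 0)
        else:
            report["benign"] += 1
    return report


if __name__ == "__main__":
    smuggled = exfil_packets(SECRET, ident=0x4242)
    assert reassemble(smuggled) == SECRET          # the data really does get out
    capture = [build_echo(1, 1, LINUX_PAYLOAD), build_echo(1, 2, WINDOWS_PAYLOAD)] + smuggled
    print(scan(capture))
```

The template match is deliberately strict: a real ping from a known OS matches exactly, and anything else, including the compressed chunks here, is counted. Deny-all egress makes the check moot for ICMP (the packets never leave), and the same approach of counting payload bytes that do not match the expected protocol carries over to the "normal protocols with spoofed headers" described in the quoted story.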