The PT Network Attack Discovery deep traffic analysis system , PT Sandbox sandbox , MaxPatrol 8 security monitoring system, MaxPatrol SIEM incident detection system and PT Industrial Security Incident Manager network traffic analysis system detect the activity of the tools that FireEye experts used to test the security of their clients … The tools fell into the hands of cybercriminals in a recent hacker attack .
Some of the stolen tools were already publicly available and very widespread, say experts at the Positive Technologies Information Security Center (PT Expert Security Center). Attackers use tools of this type to develop an attack inside the infrastructure, anchor it in it, and to organize a remote access channel. At the same time, the criminals take another tool into service in the first few days (and sometimes hours) after its appearance. For example, the Cobalt group began using CVE-2017-11882 in their attacks within 24 hours from the moment public information about this vulnerability appeared.
PT ESC experts analyzed the data published by FireEye employees to detect the use of their tools by attackers ( 34 rules for Snort1). Any activities targeted by these rules are automatically detected by the PT NAD traffic analysis system: the product detects three tools out of the box, and PT ESC experts have uploaded new detection rules to calculate the activity of the fourth tool. Thus, PT NAD users do not need to adapt and download rules from FireEye on their own. Technological networks (ICS networks) today are also targets for criminal hacker groups. Therefore, the necessary indicators for detecting the activity of these instruments have been added to PT ISIM.
In addition, FireEye has released a set of YARA rules to identify other security testing tools. PT ESC experts analyzed their effectiveness, identified the optimal set of rules with a minimum false positive level and added it to the PT Sandbox, which performs a comprehensive analysis of files in the infrastructure. These rules will allow PT Sandbox to detect the use of stolen tools based on the well-known Cobalt Strike, Rubeus and Impacket, as well as a number of highly specialized FireEye tools.
FireEye also published a list of vulnerabilities that its own red team employees use for penetration tests. The MaxPatrol 8 security control system will identify the vulnerabilities most applicable to software in Russian companies, which will help limit the effectiveness of FireEye tools. The exploitation of six vulnerabilities can be detected using PT NAD Network Traffic Analysis. The MaxPatrol SIEM incident detection system, using Windows event analysis, identifies the activity of the six most popular tools that are used in the vast majority of attacks aimed at complete compromise of infrastructure.
“ Most of the detection rules in MaxPatrol SIEM are not tied to specific groups and their tools ,” comments Anton Tyurin, head of expert services at PT Expert Security Center . – This means that with the help of one rule the system can detect the activity of several similar instruments at once. This approach allows us to cover a large amount of popular hacker software . “
“ ART groups are increasingly resorting to so-called supply chain attacks — hacking into organizations through their less secure suppliers or customers. The situation with FireEye was no exception , – comments Andrey Voitenko, director of product marketing at Positive Technologies . ” To protect against such threats, it is not enough to focus on preventing attacks and control only the perimeter, you need monitoring and in-depth analysis of what is happening inside the network, you need tools to identify threats in a timely manner .”