Going Back in Time: Investigating Threats Retroactively

Thursday, March 30, 2017

 

Welcome back to reducing detection time from months to minutes. In the first post in this series, we showed how metadata holds the power to quickly disarm one of the most effective cyberattack methods in the attackers’ arsenal – phishing.

But what about detecting threats in the past?

You’ve read the headlines: Ransomware Hits. Data Stolen. E-mails Hacked.

Perhaps a high-profile organization in your industry was compromised, had to report the breach, and a new zero-day exploit is uncovered. No sooner do you get the details about the event than you get a phone call from the CEO, asking, “Has this happened to us?”

Can you say with certainty whether you’ve been affected by the exploit in the past, or not?

Faced with an urgent detection dilemma, it’s natural to turn to threat intel to get details. However, it's nearly impossible to operationalize your threat intel to investigate retroactively. Yet this is exactly what must happen. Because the dirty truth about threat intelligence is that by the time the details are published, attackers have already been using the tactic for a while.

When you get intel about a new tactic, how can you apply that intel quickly? And specifically, how can you apply it historically to understand if you've been compromised?

The answer (again) is metadata.

Rich metadata allows you to apply new threat intelligence and indicators of compromise to all traffic – including historical traffic – to determine if the organization is affected by the threat. 

Still have doubts?

Metadata in Action

Let’s look at some threat intel and use Fidelis Network to see how easy it is to take a file hash from that intel and perform a backward search to identify any incidents in the environment that we are not yet aware of. Fidelis Network creates and stores a hash of every object crossing the wire, including attachments and compressed files, executable files and all other file types, such as Word files, JavaScript, Flash, Swift files and Java JAR files.

Referencing a report containing intel (in this case, the FBI Cyber Bulletin) about newly identified malware, we obtain a list of hashes for malicious files observed in the campaign.

Figure 1. FBI Cyber Bulletin: Identification of Locky Ransomware

 

Using a hash from the threat intelligence report, we plug in the hash, select a timeframe and run a search against all metadata stored by Fidelis Collector. Within seconds, you will know with absolute confidence whether this malware has impacted your environment. Searches of 90 to 120 days of metadata deliver results in minutes.

Figure 2. Hash Search Against Stored Metadata


It’s that simple. 

Here, the results show us that multiple events have occurred. A quick examination reveals the attacks happened over email. Had the attacks happened via the web instead, they would have been found in the same manner.


Figure 3. Results Returned from Seven Day Search of Metadata

Now, with clear eyes on the events within the environment and context around those events, all that’s left is to start the incident investigation and response process.

Figure 4. Metadata Facilitates Incident Investigation and Response

With Fidelis Network, not only can threat intelligence be applied backwards, it can also be applied to future traffic. It’s a simple matter to create a custom rule for the hash fingerprint to operationalize the threat intel. When an event matching the intel occurs in the future, you’ll automatically get an alert.
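The workflow described above, the backward search over stored object hashes and the forward-looking rule that alerts on future matches, reduces to a small amount of logic once the metadata exists. The following is an added example written for this post, not Fidelis Network code or its API: it assumes a simple in-memory store of per-object records (timestamp, channel, sender, recipient, filename, SHA-256), a constructed bulletin excerpt standing in for the real FBI Cyber Bulletin, and invented sample payloads and addresses. It also extracts hashes from free-text intel so that indicators do not have to be copied by hand, and normalizes their case before matching.

```python
"""Retroactive and forward IOC hash matching over stored object metadata (added example)."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hex-digest lengths for the hash algorithms an intel report typically lists.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RUN = re.compile(r"\b[0-9a-fA-F]{32,64}\b")


def extract_iocs(report_text: str) -> dict:
    """Pull hash indicators out of free-text intel, lowercased and keyed by algorithm.
    Hex runs that are not exactly an MD5, SHA-1 or SHA-256 length are ignored."""
    found = {name: set() for name in HASH_LENGTHS.values()}
    for token in HEX_RUN.findall(report_text):
        algo = HASH_LENGTHS.get(len(token))
        if algo:
            found[algo].add(token.lower())
    return found


@dataclass(frozen=True)
class ObjectRecord:
    """One object (attachment, download, ...) seen on the wire, as a sensor would record it."""
    seen_at: datetime
    channel: str        # "email" or "web"
    sender: str
    recipient: str
    filename: str
    sha256: str


def fingerprint(content: bytes) -> str:
    """The stored hash of an object: SHA-256 of its bytes (hypothetical sensor behaviour)."""
    return hashlib.sha256(content).hexdigest()


# Constructed sample data: payloads, addresses and timestamps are invented for this example.
_MALICIOUS_A = b"constructed sample payload A"   # stands in for a malicious document
_MALICIOUS_B = b"constructed sample payload B"   # stands in for a malicious script
_BENIGN = b"constructed quarterly report, nothing to see"
NOW = datetime(2017, 3, 30, 9, 0)
SAMPLE_STORE = [
    ObjectRecord(NOW - timedelta(days=45), "email", "invoices@example.invalid",
                 "alice@corp.example", "invoice_8812.docm", fingerprint(_MALICIOUS_A)),
    ObjectRecord(NOW - timedelta(days=12), "email", "billing@example.invalid",
                 "bob@corp.example", "invoice_9921.docm", fingerprint(_MALICIOUS_A)),
    ObjectRecord(NOW - timedelta(days=3), "web", "cdn.example.invalid",
                 "carol@corp.example", "update.js", fingerprint(_MALICIOUS_B)),
    ObjectRecord(NOW - timedelta(days=1), "email", "hr@corp.example",
                 "dave@corp.example", "q1_report.xlsx", fingerprint(_BENIGN)),
]
# Constructed bulletin excerpt (not the FBI text); hashes are mixed-case and wrapped in prose.
SAMPLE_BULLETIN = f"""
Observed attachments (SHA-256):
  {fingerprint(_MALICIOUS_A).upper()}
  {fingerprint(_MALICIOUS_B)}
Legacy MD5 also reported: {hashlib.md5(_MALICIOUS_A).hexdigest()}
"""


def backward_search(store, ioc_sha256, since: datetime, until: datetime):
    """Retroactive hunt: every stored record inside [since, until] whose hash is an IOC."""
    return [r for r in store if since <= r.seen_at <= until and r.sha256 in ioc_sha256]


def summarize_by_channel(matches) -> dict:
    """Count matches per delivery channel, the first thing an analyst wants to know."""
    counts = {}
    for r in matches:
        counts[r.channel] = counts.get(r.channel, 0) + 1
    return counts


class HashAlertRule:
    """Forward-looking counterpart of the search: evaluate each new record as it is stored."""

    def __init__(self, name: str, ioc_sha256):
        self.name = name
        self.ioc = set(ioc_sha256)
        self.alerts = []

    def evaluate(self, record: ObjectRecord) -> bool:
        if record.sha256 not in self.ioc:
            return False
        self.alerts.append({"rule": self.name, "seen_at": record.seen_at.isoformat(),
                            "channel": record.channel, "recipient": record.recipient,
                            "filename": record.filename, "sha256": record.sha256})
        return True


def hunt(store=SAMPLE_STORE, bulletin=SAMPLE_BULLETIN, lookback_days=90, now=NOW):
    """Apply a bulletin to the last `lookback_days` of stored metadata."""
    iocs = extract_iocs(bulletin)["sha256"]
    matches = backward_search(store, iocs, now - timedelta(days=lookback_days), now)
    return matches, summarize_by_channel(matches)


if __name__ == "__main__":
    matches, by_channel = hunt(lookback_days=90)
    for m in matches:
        print(m.seen_at.date(), m.channel, m.recipient, m.filename, m.sha256[:12])
    print("by channel:", by_channel)
```

Run against the constructed store, a 90-day search returns three matches (two by email, one by web) while a seven-day search returns only the web download, which is why the lookback window should be at least as long as the intel's reported activity period. The same hash set feeds `HashAlertRule`, so a single copy of the indicators serves both the historical search and future alerting.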


Figure 5. Custom Policy to Operationalize Threat Intelligence

Without metadata, it’s all but impossible to apply threat intelligence to the past. You can basically forget about identifying – let alone resolving – the incident.

Sure, you can cut and paste snippets of intel from various threat intelligence feeds. But how time-consuming and error-prone is that?

With metadata, applying new threat intelligence to historical data takes only a few clicks. You can detect and resolve both new threats and past compromises in minutes. Not only will it enable you to confidently answer the question, “Are we safe?” the next time the CEO asks, it will equip you to detect attacks other solutions can't even see.

The choice is yours, but we’d go with the metadata.

Did you know Fidelis automates the collection, analysis and storage of your network data so it’s ready for you to investigate immediately? The rich metadata that Fidelis Network captures about every session on your network makes it possible to investigate suspected incidents in seconds – and gives you answers to questions that were previously impossible to know.

Ready to do impossible things with metadata? Read our white paper, Talk Metadata To Me: How to Decode Your Network’s Deepest and Darkest Secrets and contact Fidelis today.

This is part two of a three-part blog series about using metadata to reduce detection time.

 

-- Fidelis Cybersecurity Vice President of Threat Research Hardik Modi