Defending against cyber adversaries has become a team sport, with strong, trusting relationships and collaborative initiatives at the forefront. This was put to the test when two African banks worked together to stop a cybercrime actor in its tracks during a cash-out operation that was in progress. This is the story of how detection, incident response, threat intelligence, and forensic investigations seamlessly worked together to stop the bad guys from getting to the gold.
You might not be able to tell, but I'm not from around here.
I'm from South Africa.
My name is Andrew De Lange; my history is 15 years in cybersecurity within the banking industry.
I built two cybersecurity threat intelligence programs for two banks-- the two big banks in South Africa.
And yeah, so I mean, before I start, let's talk about where I'm from, so, Africa.
Understand a bit about Africa-- it's the second largest and most populous continent on the planet.
It's considered to be probably the oldest inhabited territory on Earth.
And with the human species originating from the continent, it's been referred to as the breadbasket of humanity.
And it's no country.
It's actually a continent.
And funny enough, that's Africa right there.
The other one was South America.
Now I live there in South Africa and just going back and talking a little bit about where I come from and just some of the magic from where I am.
That's Cape Town.
It's one of the most beautiful places you'll probably ever visit.
Some of the majestic things that you will see in my country are in some of these images, and I would highly recommend that if you ever do get the opportunity to visit Africa, please do so.
Now I'm not here to talk about Africa.
Just to give you guys an idea of what's happening in South Africa and in financial services where I'm from: in financial services and banking, we've really embraced sharing and collaboration.
I've had the privilege to see and meet different people that are trying to build threat intelligence, collaboration models and things like that.
And one thing that I can say about South Africa and about Africa, in general, is that we really have embraced it.
We've all come together, and we've figured out ways to build trust between individuals and organizations and things like that-- so just to make it a bit easier.
It's always a one-to-one relationship.
Now if we look at kind of what's going on in South Africa, I'd like to refer to the hacktivism-type stuff as the noise.
So there's a lot of noise that happens in South Africa and in Africa, in general.
And then we do see some of it making the news.
Now if we go a little bit deeper and try to focus a little bit more on things that are more valuable to us, as cybersecurity practitioners.
Now we've also seen some attacks against some of our critical infrastructure.
I mean, there's been attacks against the airport systems.
There's been attacks against E-Toll-- our toll systems as well.
So we are definitely on the map for the cybercriminals.
We're definitely being targeted.
It's one of those things.
But now where I'm from, in financial services, that's definitely one of the biggest places where we see activity, which is in cybercrime.
Now we can see banks being breached and hacked for multiple millions of rands, which is not a lot in dollars.
But if we translate it back to our currency, it's quite significant.
And we face threat actors and cybercriminals from very, very high up in the food chain.
I mean, this is an incident that happened in South Africa to one of the banks there as well.
It was the Yakuza family that was involved in the attack over there.
I didn't come here to give slides and talk about-- and give people slides to read.
But I am here to tell the story of an active incident and how we handled the incident from the banking sector where I work and how we came together and basically stopped the bad guys in their tracks.
So what happened in our incident-- and this is an interactive session, please.
At any point in time if you have any questions, please do ask them.
What happened was we saw some activity happening in one of our countries within Africa where we were managing systems and a suspicious file did pop up.
So what happened was we placed the file in the Anomali sandbox, and we did see that it flagged as a malicious file.
If you've ever been part of an incident response or attack monitoring situation, this is more often than not the case.
It doesn't raise a red flag because it's just a malicious file.
It's a commodity piece of malware.
But in this instance, what happened was we saw that the file actually installs a global keyboard hook on the systems that were affected-- on the one system and we found it to be infected on.
Now what does that mean?
So that means, to my eyes, that there is a keylogger that lives on my network.
So what we did from there-- and this is where the collaboration started happening.
Before we even knew we had an incident on our hands, we took the indicators from the file that we found, and we pushed them into our collaboration, into our trusted circles.
So what that means is that even before there was an incident that we were chasing down, a day later, our trusted circle members immediately had the opportunity to go and find the indicator on their own networks.
Now, luckily for them, they didn't find anything, and we didn't make too much of it because we thought, well, this is basically just a normal financial malware keylogger.
We just missed it.
Our detection just missed it, and we should maybe just delete the file and go about our day.
But what was interesting was that in our collaboration community, we obviously have different skill sets of people from different banks, different sectors.
One of the gentlemen that was in our trusted circle, he's very well versed in reverse engineering of malware.
So he basically came and said, let me have a look at the file and see what I can kind of extract from that.
Now, him being very skilled, and us not having a skilled person to do reverse engineering of malware, we just passed the file onto him and said, yes, please go ahead and see what you can find out.
And what he found was that the file actually didn't beacon out anywhere.
So you've got a keylogger sitting on the network, but it's not passing keystrokes anywhere.
So what is it doing?
It's actually dumping keystrokes on the network, and someone is retrieving that.
So we all of a sudden said, oh, hang on, now it's becoming a bit more interesting.
So the trusted circle members assisted by reversing the malware for us, and we didn't find the beacon.
The keystrokes are being dumped.
Now what we then did was we said, OK, well, we should definitely start killing this malware all across the network where we can.
And that's exactly what we did.
So we killed the malware, and we scrubbed the entire network for the keylogger files, the dump files, to try and move them to a secure location where we can kind of analyze how long these files have been living on the network-- normal incident response type stuff, where you look at the history of the file and try to determine the dwell time of the attack on the network.
So that's what we did.
And what we then also found was that, when we burned the hash so the malware would not work anymore, our EDR tool picked up that there was now all of a sudden activity around the file.
So the attacker is still on the network.
He is now testing: why is my keylogger file-- why is my keylogger not logging keystrokes to the network anymore?
And all of a sudden, it's like, well, now we understand.
We've got an active attacker on the network, and we are chasing them down.
So now all of the sudden, it becomes really interesting for us because we've got the person on the network.
We know this.
And we're sitting in a room trying to figure out, well, how else have we been compromised?
And we get a message from the team that's sitting in country.
Now you have to understand that they are in a completely different country within Africa, so we are communicating with them back and forth.
Well, what are you guys seeing?
We're busy doing this side.
They sent us a WhatsApp message with a video file saying we've got a problem.
Someone is controlling the computer.
So we play the file.
And I don't know if anyone was here for the previous gentleman's talk on an attacker, or from Visa, but what we saw was all of the sudden, we are seeing the attacker on the network actually logging in from a remote location and going through customer information, trying to find high-value targets to change banking details, change cell phone numbers, to do one-time PIN transactions and things like that.
So all of the sudden, these guys sitting in the other country are saying to us, well, what are we supposed to do?
Because we see someone controlling the computer, and it's not us.
So then obviously, we went full incident response mode, and we basically locked down the entire network.
What does that incident look like?
Now that incident ran for about a week, a week and a half.
And as the threat intelligence analyst, what my job is and what the job of the threat intelligence analyst team is supposed to be doing is we are running support for incident response.
Incident response and forensics are busy collecting all this data.
And if you've ever been part of an active incident, you'd understand that there's piles and piles of data that can just fall into the fray.
How do you make sure that you keep track of everything?
Now, I obviously now work for Anomali.
And the reason I work for Anomali now is because I was using the platform quite extensively, to the point where I've become the poster boy for Anomali in Africa.
And they said, well, why don't you just come work for us and just represent Anomali?
And that's where I am today.
So this is what the incident looked like for us.
Is there a laser pointer on this or not?
So if I can explain to you what you're looking at: this is the incident that I've explained to you, right after we've done all the forensic collection, right after we've understood, or tried to best understand, what we were dealing with. This is what the incident looks like.
So I'm going to try and explain every single dot for you.
Now what we did figure out was that the attacker had compromised one system.
All right, and basically he set up camp on that staging server right there.
So as you can see from everything that moves around that staging server, the attacker was quite busy.
So that file that we see on the left-hand side there was the key logger file, which we initially found.
So when we initially found the file, all of those systems living around that file over there, including those ones sitting in the middle, they were all passing keystrokes.
So what that meant was that the attacker was basically logging keystrokes from all different user accounts-- be there administrative accounts, normal user accounts, local admin accounts.
And we were kind of seeing that happening, and we had to kind of figure out, well, what else is happening on this network of ours?
Now I don't know if you guys are familiar with the Sticky Keys bypass.
What this Sticky Keys bypass is: if you've got a locked computer-- a Windows computer-- and you press Shift a couple of times, there's a little prompt that pops up.
So a tactic that an attacker will use is to replace that pop-up application with a command prompt.
So when you have a locked computer in front of you and you just tap Shift five times, all of the sudden, you've got a command prompt that comes up and no longer Sticky Keys, which means now you've got a terminal on that system.
And we did pick that up as well.
We were then able to determine the entire scope of the incident, and that's what you're looking at right here.
So if we look at the off-range IP, what that meant was the off-range IP that sits on the right-hand side is where our attacker was basically doing the control from outside of the network.
He'd established himself or herself within the network, compromised the network, and created a backdoor.
It wasn't anything super crazy or anything sophisticated.
It was a simple application called AnyDesk.
I don't know if you guys have ever heard of AnyDesk before.
It's a remote desktop tool-- so AnyDesk is just like VNC.
You just install the application.
And basically, you can remote control any computer that you would like-- bearing in mind that you would need to punch a hole through a firewall.
But obviously, the firewall was quite open, so he was able to do so.
And he was happily sitting outside of the network and logging keystrokes and doing all kinds of interesting things.
We chased him down.
Now what we saw when we started burning all of this infrastructure during our incident was that there was a significant ramp-up of cash-out.
So even though we did catch this threat actor in his tracks by stopping a certain cash-out process, we saw that there was massive activity in trying to get all the cash out as soon as possible, because he understood now he's been compromised.
And it was basically cat and mouse.
We locked him down.
We managed to save the day.
And yeah, I mean, it was all smiles after that.
But one lesson that we did learn from this is that if we didn't have that collaboration and that community of ours that was working together, we would have never passed the keylogger file to someone within the community that had a specific skill.
We would have thought that it was commodity malware, just a keylogger, because, in many instances, we deal with so many events.
We deal with so many pieces of malware or just viruses that land on the network.
It just becomes the norm.
But luckily for us, we had this community, and the community came together.
And we basically defended a bank against something that could have been quite significant, because what the forensics later pointed out was that even though the attacker was able to do cash-outs in small amounts, they were going after a much bigger prize.
And we just managed to stop that right there.
So it's a really good story to tell.
And I feel privileged to be able to tell the story from our perspective in Africa.
We're just a small, little-- well, we're a big continent, but we're a smaller country.
And I feel that where I'm from, we do collaboration very well.
And I'm very privileged to be able to tell the story on this stage to everyone sitting in the room.
Now where does threat intelligence play a part?
So if we look at the Anomali platform and the investigations part of the Anomali platform, we've got these models that we can apply.
So we've got the kill chain.
We've got the diamond model, and we've got obviously the STIX model that we can kind of now use to-- now that we've had the incident, we can either take the information and just go about our day, or we can log the information down.
We have been compromised.
Now let's make the information work for us going forward.
If there's one message today, it's this: one man's detection, or one man's breach, is another man's defense.
If we didn't detect those observables, those methods, chances are that threat actor, that person that was doing those cash-outs, could have moved onto another bank and done the exact same thing by using the exact same tools, because he was able to get those tools landed on the network.
But we, as a community, we burned the infrastructure completely within ourselves and across the entire community.
I've come to the end of my presentation.
And there are a couple of things that I'd like for the room to take away. The first is that we shouldn't let egos stand in the way of collaboration.
What I've seen many times before is that if you're dealing with a bunch of CISOs, if you're dealing with a bunch of management, if you're dealing with people that are in positions that don't understand the works-- the work that the analyst does, it can become difficult because they tend to have ideas of their own.
Now that moves me to my next point, which is that there is definite strength in numbers.
These numbers come in the form of community trust circles, vendors, partners, and all these things kind of come together.
And we should trust each other enough that we defend against what's happening out there.
Now we can't be sitting on an island-- on our own little islands-- trying to defend against a massive threat that is-- and I don't know if you guys have seen the Intel 471 presentations.
But these attackers are communities of people.
They've got different skill sets.
One guy is well versed in a specific programming language where the other one is not, and these guys just leverage each other's information.
And they work together.
And we should definitely be doing the same.
Otherwise, we will always fail-- always.
And then what I'd like to say is that management needs to empower their analysts to network with their peers.
Now more often than not, the analysts are-- they tend to be-- they tend to be introverts.
But if you put them in a room with another analyst and they start talking to each other, they completely nerd out, and they become friends.
And then all of a sudden now, you've got your analyst and an analyst from another organization at the bank, another entity, and they immediately form this bond or this trust amongst each other.
And then that makes it easier for them to collaborate.
And I'd like to just leave you with one last thought before I go.
And if there are any questions.
Yeah, I hope-- I hope that-- I hope that the session was valuable in some way, shape, or form.
And I hope to see you in South Africa at some point.
[APPLAUSE] If there are any questions, I'd like to answer them now.
I have a question on some collaboration and trust.
Are you seeing-- and of course, that's really part of Anomali's business model.
But I'm just interested in your thoughts just because there seems to be a relatively low level of trust sometimes within Africa and the African countries and communities and between.
So I'm just very interested, particularly perhaps maybe in terms of what Anomali is doing in terms of-- we need some of the collaboration we've seen elsewhere among the financial services right here in the US to [INAUDIBLE] working for [INAUDIBLE]-- just to hear your thoughts on that.
There's a reason that I've joined Anomali, and the main reason for that is because in South Africa and within banking, we did form these communities.
And we were doing extremely well.
But now, if we take banking as an industry, it's a small-- well, it's a large industry.
But if you kind of scope it out to all of the other verticals that are out there, it's just one small piece of a puzzle.
So if we take what we've done in South Africa for the banking industry, one of the things-- and the main reason that I am fortunate enough to now work for Anomali and represent Anomali and the ISAC model and everything that Anomali represents in terms of community, trusted circles, and threat intelligence within Africa-- we are definitely ramping things up.
So I mean, we've got-- we've got the sales guys, and the sales guys are going to sell.
And that's not my job.
I'm not there to sell anything. I joined the company for one purpose and one purpose only, and that's to keep fostering relationships.
And I have to do that under a banner which I couldn't keep doing it on the small scale because if we want to-- if we want to, like you said, if we want to bring it out, I would have to be kind of agnostic from an industry vertical.
But I'd have to apply those same principles within things like telecommunications.
Because we would like to see telecommunications and banking work together as well because those guys see a whole bunch of interesting stuff which the banks would like to see and vice versa.
So I hope that answers your question.
Just curious about any hurdles, I guess, you had to go through when you approach your CISO and you say, look, I've got these things that I've found.
I want to start sharing them out across [INAUDIBLE].
Was there a sort of panic, nervous response to that or were they pretty much receptive to it?
Yeah, look, that's-- it goes from CISO to CISO.
When I was at the one specific bank, then the management structure was-- and that's part of my point-- it's like the management structure was different.
So if there was an-- if there was an incident or a problem, the analysts wanted to share the information across without going too deep into the details.
Because, to be honest, if you are-- if you are sharing an observable-- let's say, you're running around with your hair on fire internally.
Your community doesn't need to know that.
All they need to know is, hey, we've picked up this shell casing.
Someone fired a bullet.
Go and look on your own network.
They don't need to know that someone's actually doing cash-out operations on the network.
So that's the one thing that-- that's the one thing that is up to the management discretion.
And that's one of the things that, as an analyst, and as a senior manager, which I eventually became within financial services, I really drove forward as a message.
And I went to my CISO, and I said, look, what's your stance on sharing and collaboration?
And when I moved from one bank to the next, the second bank was very receptive to that thought and said, yes, go right ahead, as long as we don't implicate ourselves in any way, shape, or form.
And then if you put enough trust in your analysts, then I mean, it can go-- they can make a mistake.
But if you limit them to say, look, if you're going to share this, don't say why you're sharing it-- just share it.
Just say hey. And that's where the Anomali platform is kind of an excellent way, because you can do it anonymously.
You can just upload an observable while you're busy fighting fires-- just upload the observable to the community, to the trusted circle, anonymously.
No one knows where it comes from.
But if they pick up something as well, you've helped them.
And basically, that's the message that we'd like to have: we should definitely be helping each other in this fight because, again, if we're going to be sitting on our own islands, we're going to fail.
We're going to continue to fail.
We're going to continue.
I mean, it's good for us, as cybersecurity practitioners, if we have these incidents because you never waste a good incident.
You make sure that you get funding.
You get budget when there's a problem.
But when it comes to collaboration, it comes down to who's managing, and we'd like to-- I suppose if you are running into those problems when you're trying to collaborate with management.
That's all it is.
All right, any other questions?
Thank you so much for your time.
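The Sticky Keys bypass described in the talk (the lock-screen accessibility prompt swapped for a command prompt) is something a defender can check for directly on a host. The PowerShell script below is an added example, not code from the talk, the speaker, or Anomali. It compares the SHA-256 hash of sethc.exe against cmd.exe and powershell.exe, checks the Authenticode signature, and also looks at the Image File Execution Options Debugger value, a registry-based variant that launches a different program in place of the accessibility helper without touching the file on disk. It goes slightly beyond the talk by covering all of the standard Windows accessibility binaries rather than sethc.exe alone; the paths and registry key are standard Windows locations, and the script assumes an elevated PowerShell session on the host being checked.

```powershell
# Added example, not part of the talk: look for the Sticky Keys (sethc.exe)
# replacement described above, plus its registry (IFEO) variant, on the local host.
# Assumes an elevated PowerShell prompt on a Windows machine.

function Test-AccessibilityHijack {
    $system32 = Join-Path $env:SystemRoot 'System32'

    # Accessibility helpers reachable from the lock screen; sethc.exe is the
    # one behind the "tap Shift five times" prompt from the talk.
    $accessibility = @('sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
                       'magnify.exe', 'displayswitch.exe', 'atbroker.exe')

    # Hashes of the shells typically copied over those helpers.
    $shellHashes = @(
        (Get-FileHash -Path (Join-Path $system32 'cmd.exe') -Algorithm SHA256).Hash,
        (Get-FileHash -Path (Join-Path $system32 'WindowsPowerShell\v1.0\powershell.exe') -Algorithm SHA256).Hash
    )

    $findings = @()

    foreach ($name in $accessibility) {
        $path = Join-Path $system32 $name

        if (Test-Path -Path $path) {
            $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            # A straight copy of cmd.exe is still a Microsoft-signed binary, so
            # the signature check alone would miss it; the hash comparison is
            # what catches the swap the talk describes.
            if ($shellHashes -contains $hash) {
                $findings += "[FILE] $path is byte-identical to cmd.exe or powershell.exe (binary replaced)"
            }
            # Third-party replacements usually fail the OS signature check.
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                $findings += "[FILE] $path Authenticode status is $($sig.Status)"
            }
        }

        # Registry variant: an IFEO Debugger value makes Windows start the named
        # program instead of the accessibility helper, so no file swap is needed.
        $ifeo = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$name"
        $dbg = Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue
        if ($dbg -and $dbg.Debugger) {
            $findings += "[IFEO] $ifeo Debugger = $($dbg.Debugger)"
        }
    }

    # Comma keeps an empty result as an array so .Count works for the caller.
    return ,$findings
}

$results = Test-AccessibilityHijack
if ($results.Count -eq 0) {
    Write-Output 'No accessibility binary replacement or IFEO debugger hijack found.'
} else {
    $results | ForEach-Object { Write-Warning $_ }
}
```

The hash comparison is deliberately against the shells rather than against a known-good sethc.exe, because the legitimate hash changes with every Windows build while a swapped-in cmd.exe always matches the copy sitting next to it. A hit from this script is the kind of observable the talk describes sharing with a trusted circle: the host name and the modified path are enough for peers to check their own estates, without the surrounding incident detail.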