Gigamon Deep Observability Pipeline

Supercharge your observability tools with actionable network-level intelligence to realize the transformational promise of the cloud.

LEARN MORE

CLOUD VISIBILITY

DATA CENTER VISIBILITY

NETWORK SECURITY

TRAFFIC INTELLIGENCE

From the Core to the Cloud, See it All

Simplify, secure and scale your hybrid cloud infrastructure to accelerate digital innovation.

CLOUD VISIBILITY

DATA CENTER VISIBILITY

NETWORK SECURITY

INDUSTRY

A Thriving Partner Ecosystem

Gigamon reseller and integration partners design, implement and optimize best-of-breed and validated joint solutions.

FIND A PARTNER

NOT A PARTNER?

ALREADY A PARTNER?

Proven Support and Services

Our global support team is committed to creating experiences of unmatched quality, scalability and efficiency.

OVERVIEW

GET SUPPORT

VÜE COMMUNITY

voice of the customer

Gigamon serves the world's more demanding enterprises and public sector agencies, enabling them to harness actionable network-level intelligence to amplify the power of their cloud, security and observability tools.

CUSTOMERS

cegedim

Cegedim.cloud

Improves cloud infrastructure and visibility

 

Five9

Five9

Delivers Cloud-Powered Contact Center Excellence

DoD

Department of Defense

Confidently feeds different tool sets in the physical and virtual world.

 

Resource Library

Your one-stop hub to explore content resources and stay current on the latest in how to amplify the power of your cloud, security and observability tools.

RESOURCES

def-guide

Achieve Hybrid Cloud Observability

Strengthen visibility and security.

deep observability

Observability is Key to Transformation

Unleash cloud potential with deep observability.

ebook

Deep Observability eBook

Take your security and observability tools to a whole new level.

WHY GIGAMON

Gigamon offers an advanced deep observability pipeline that harnesses actionable network-level intelligence to amplify the power of your cloud, security and observability tools.

LEARN MORE

IN THE NEWS

COMPANY INFORMATION

Deep Observability

Unseen Threats Can Lurk in Your Midst

Deep observability exposes previously unseen threats.

GPTW

Join the Team

Become a part of the OneGigamon team. Search for your next opportunity.

SHARE
Security / January 12, 2017

What’s to Learn from the DHS and FBI Joint Analysis Report on the DNC Hack?

Simon Gibson, Fellow Security Architect | Gigamon Simon Gibson  

On December 29, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) issued a Joint Analysis Report (JAR) entitled “Grizzly Steppe – Russian Malicious Cyber Activity.”

The report, which provides an analysis of the hack on the Democratic National Committee by the Russian advanced persistent threat groups, sends a clear message to professionals who are responsible for the defense of private networks. And the U.S. government does a nice job of sending the signals we use to manage our defensive posture. Where the intelligence falls short is in truly providing any meaningful link to Russia, but perhaps that’s because they’re concerned about disclosing their methods or sources. Whatever the case, any intelligence briefing that begins with a disclaimer should be taken at face value.

Nevertheless, I found it refreshing to see a concise document explaining the tactics, techniques, and procedures (TTPs) that the offense relies on to infect their targets. Some of my key takeaways include:

  1. Username and password alone are not sufficient. Not for the DNC. Not for .mil. Not for anyone.
  2. Badness can arrive over email.
  3. To be successful, bad guys need to know how you work. They will conduct reconnaissance—and you will probably not catch it.
  4. Beware of links using URL shorteners. This is not a panacea so don’t get cocky just beware.
  5. The playbook you must learn, live, and defeat:
    1. APT29 delivered malware to the political party’s systems,
    2. established persistence,
    3. escalated privileges,
    4. enumerated active directory accounts,
    5. and exfiltrated email from several accounts through encrypted connections
    6. back through operational infrastructure.
  6. It’s not rocket science. Simple cyber hygiene steps listed on pages 8-11 can help reduce risk and give defenders the upper hand over attackers.

Many more specific details were also provided within the report. For instance, we learned that the primary means used to attack the victim was spear phishing. In fact, it proved to be so easy for the Russians that the tactic was used again and again.

It’s also important to note that the adversary has “infrastructure”—just as defenders do. The point: Even serious nation state actors have machines that attackers use as a sort of “home base” where they keep tools, scripts, code, etc.; where they package up malware; and where the operators chat and host their IRC servers; where their git repository of malware lives, etc. All of that “infrastructure” is just like the jump boxes and VMware boxes normal companies use.

In other words, everyone has the same problem sets—but it’s discipline that will set defenders apart from attackers. So every time you may feel tempted to skimp or take a shortcut (e.g., How many times have you had coworkers make mistakes and take down parts of the network?), just remember that you are much closer to the adversary than you might think and that the adversary is involved in the same sort of thought process. Don’t forget what sets you apart.

Further, the TTPs go on to outline the use of links to droppers that “evade detection.” Their droppers, command-and-control (C2) and credential-harvesting domains look realistic, or are shortened URLs.

For example, these two URLs both look similar, but:

If the .org URL looks good and if the campaign is “highly targeted” and the Web page content appears accurate, most people won’t hesitate to enter their username and password. Or fill out forms about their habits. Or be easily socially engineered into sharing critical information about their environment. But as the report shows, it’s good to be aware that anytime we are asked to fill out a survey, enter a username or password, or divulge anything anonymously via a Web form, we should understand exactly the reason we’re entering the information as well as who is asking for it.

The report continues by revealing that not only do our adversaries use bogus domains like the .org in the previous example, but they “used domains, to include domains associated with U.S. organizations and educational institutions, to host malware and send spear phishing emails.” Here, the authors are signaling that .edu, .org, .gov, and .mil sites may have weak security and may have been compromised and used to host droppers. I can say from experience that it’s very hard to defend from a legitimate site that’s been compromised and is being used as part of an attack.

They go on to explain exactly how the DNC hack went down:

At least one targeted individual activated links to malware hosted on operational infrastructure of opened attachments containing malware. APT29 delivered malware to the political party’s systems, established persistence, escalated privileges, enumerated active directory accounts, and exfiltrated email from several accounts through encrypted connections back through operational infrastructure.

As the report explains, the attack was conducted again using spear phishing and, instead of dropping malware, they ran a simple credential-harvesting attack. They probably put up a page that looked exactly like Microsoft Office 360 and the victim entered his username and password.

Again, key to staying safe is awareness and preparation. We can all learn from this report. And we can all do this!

Happy New Year, everyone.

  • © Gigamon 2024
Back to top