Riddle me this: Detecting indirect attacks
Recent news concerning the China-based group APT10 has brought the issue of securing supply chains to the fore. The group targeted companies in at least 10 industrialized nations, including Japan, Switzerland and the UK, for intellectual property and other sensitive information through their managed IT service providers (MSPs).
But once the client organization has achieved sufficient control of the supply chain, what are the best tools to use to look for potential attacks and unusual activity?
The APT10 attacks are believed to have used malware known as Red Leaves. While it is a relatively new malware variant, it is strongly derived from older types, namely PlugX, which has been heavily researched across the cyber security industry. Red Leaves does not represent a new advancement in malware capability, as it uses simple techniques that are well known and have been in use for many years. For example, it uses code injection to host the malware within legitimate processes – a technique that is easy to spot with any good Endpoint Detection and Response (EDR) software with memory analysis capabilities. It also produces anomalous process execution trees and loads illegitimate DLLs and would, in many cases, rely on anomalous persistence mechanisms, all of which can be spotted with effective use of good EDR software.
Once an initial foothold on a network has been obtained, an attacker will generally seek to conduct internal reconnaissance and move laterally. Tracking the abuse of common administrative tools such as plink, pscp, PowerShell and WMI is a powerful source of data to hunt with and can quickly unveil advanced attackers. Basic anomaly detection techniques, such as least frequency analysis, can help quickly sift through large volumes of data to spot potentially malicious activity. Where necessary, that data can be enriched, for example by automatic verification of digital signatures and by correlation with software repositories and threat sources such as VirusTotal, to spot previously unseen executable files. Additionally, network and log data sources can be fed to techniques like machine learning to provide further insight that helps detect reconnaissance or lateral movement. This is done by continually recording the subtle actions that threat actors are unable to avoid when conducting an attack and by detecting user accounts or IP addresses that move outside of their usual usage profiles.
Having attack detection either in-house or through a cyber security provider is now a must for organizations of any size in this digital age. But detection cannot be limited to an organization’s immediate business. With attackers using any and all methods and routes at their disposal, a holistic security view must be taken. What has become apparent from the APT10 attacks is that organizations have to mandate high security standards not just from themselves but also from their suppliers if they do not want to see their security investment undermined by trivial security mistakes. At the same time, third parties that can demonstrably step up their own security profile will become preferred and will undoubtedly have a higher chance of winning contracts.