5 Indicators of Endpoint Evil

WHITE PAPERS

www.EventTracker.com

With so much focus on security these days, it’s easy to imagine that IT departments are winning the battle against malware and other threats. But all too often, a lack of focus on certain areas of the network may actually lead to a decrease in an organization’s security posture, and an increase in risk. The endpoint is one such area. Endpoints not only have the ability to reach beyond the protective layers of internal security – they’re allowed to do so. End user behaviors such as working from outside the office, connecting to unsecured WiFi networks, visiting potentially dangerous websites, and opening email with malicious attachments or links all make endpoints a particularly vulnerable attack vector with access to your organization’s network.

According to a recent Ponemon report [1], 80 percent of organizations are encountering web-borne malware attacks. Sixty-five percent have experienced rootkit attacks and 55 percent have encountered spear phishing. This is a frequent occurrence.

When malware and endpoints mix, the attack doesn’t stop with a single infected machine. Rather, that first infection turns the machine into what is commonly known as a beachhead. From there, malware is designed to spread laterally throughout your network, in an effort to maximize the chances of obtaining valuable credentials or data.

Although your thoughts might immediately go to attack mitigation and prevention, most organizations (70 percent, according to the Ponemon study) have difficulty enforcing endpoint security policies. Detection is therefore a key aspect of any strategy. The best approach is to use the endpoint as a sensor: collecting state information, understanding what behavior is normal, and identifying what isn’t.

In this whitepaper, we focus on five trouble indicators, each of which provides additional context around what to look for on your endpoints:

1. Rogue processes
2. Evidence of persistence
3. Suspicious traffic
4. Activity and user-role mismatches
5. Unusual OS artifacts

What should you look for? What tools can you use to identify and gather intelligence around the malicious code that might be lurking within your endpoints?

Indicator #1: Rogue Processes

Successful attackers depend on their malware to go undetected. Malicious remote administration tools (RATs) are designed to provide access to the command prompt, file system, registry, hardware, remote control, and more, with the purpose of providing many ways to find, extract, hold hostage, or destroy your organization’s critical information. If RATs were easy to find, the attack wouldn’t stand a chance – so attackers use several methods to obfuscate their presence.

Evil Methods

• The process looks good … on the surface. The process name (such as explorer.exe) is right, but the parent process, logon user, or file path is incorrect. Don’t look only at the process in question, but also at the process that started it. If that parent process is not standard, it could indicate that the child process is a rogue process. Another method that attackers use is a clever misspelling of the file name. For example, a rogue file might be named scvhost.exe instead of svchost.exe – a spelling so close that you would probably need to compare the file names side by side to confirm the misspelling.

• Suspicious DLL execution. Dynamic Link Libraries (DLLs) contain modular code to help support a main application. Attackers often take advantage of the fact that parts of the core Windows OS heavily utilize DLLs:

– rundll32.exe. Known as a command line utility program, rundll32.exe is responsible for running DLLs by invoking a function that is exported from a specific 16-bit or 32-bit DLL module.

– svchost.exe. Svchost is a generic Windows OS program that hosts approved Windows services. Malicious applications can be formed as DLLs specifically made to work with svchost.exe and trick it into running them.

– Other legitimate processes. The use of DLLs is common, so rogue DLLs can also be loaded into an otherwise benign application.

• Rootkits. These are nasty. By definition, they take advantage of administrative (root) access, embed themselves into an OS, and then intelligently evade detection.

Regardless of the tactic used, the goal of rogue processes is to make the process look legitimate, or to use a legitimate process to launch a malicious DLL, making it more difficult to identify and track via the security log.

Detecting Rogue Processes

Ideally, you have a centralized way to collect relevant process information across your network and automatically identify rogue processes – capabilities that are available via solutions like EventTracker. Here is the type of analysis needed to catch rogue processes:

• Analyze event ID 4688. This event is generated each time a new process is created. The event provides relevant information that you can use to identify rogue processes. As Figure 1 shows, this information includes the name of the user account that launched the process, the date and time the program started, the process ID, the parent (creator) process ID, and the full path of the process executable.

Note: Although this event shows the Creator Process ID, there is no associated name or a full path to that process, which is an important piece in determining whether a process is rogue. The parent (creator) process can be determined by manually searching for an earlier 4688 event with a New Process ID that matches this Creator Process ID value.

After enabling process auditing via Group Policy, your endpoints will log a massive number of events, so although this is a valuable way to get information, you’ll also need to wade through a sea of data. Furthermore, the event is not generated when DLLs are loaded, only when new processes are started. So if the rogue code is a DLL hiding inside a process such as svchost.exe, the event logs won’t contain any clue that it was invoked. However, after you identify something amiss on a given machine, memory forensics tools such as those from the Volatility Foundation can provide further forensic detail when DLLs are injected or rootkits are installed.
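As an added example (not from the white paper or EventTracker’s product), the analysis described above can be scripted over 4688-style records: resolve each Creator Process ID against the earlier event whose New Process ID matches, then compare name, path and parent against a golden-image baseline and flag near-miss names such as scvhost.exe. The records and the baseline below are constructed for illustration.

```python
import ntpath

# Constructed 4688-style records: (logon user, time, New Process ID, Creator
# Process ID, New Process Name). Field names follow the event; values are made up.
EVENTS = [
    ("NT AUTHORITY\\SYSTEM", "08:00:01", "0x0f8", "0x004", r"C:\Windows\System32\services.exe"),
    ("NT AUTHORITY\\SYSTEM", "08:00:02", "0x2b0", "0x0f8", r"C:\Windows\System32\svchost.exe"),
    ("CORP\\alice", "08:01:10", "0x1a4", "0x0e0", r"C:\Windows\explorer.exe"),
    ("CORP\\alice", "08:03:05", "0x3c8", "0x1a4", r"C:\Users\alice\AppData\Local\Temp\scvhost.exe"),
    ("CORP\\alice", "08:04:41", "0x4d2", "0x3c8", r"C:\Users\alice\AppData\Roaming\explorer.exe"),
]

# Hypothetical golden-image baseline: expected directory and expected parent
# image names for each well-known process (adjust to your own image).
BASELINE = {
    "services.exe": (r"c:\windows\system32", {"wininit.exe"}),
    "svchost.exe": (r"c:\windows\system32", {"services.exe"}),
    "explorer.exe": (r"c:\windows", {"userinit.exe", "winlogon.exe"}),
}

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss names such as scvhost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyze(events):
    """Return [(pid, reason)] for processes that deviate from the baseline."""
    by_pid, findings = {}, []
    for user, when, pid, ppid, path in events:
        by_pid[pid] = path  # lets a later event resolve its Creator Process ID
        name, folder = ntpath.basename(path).lower(), ntpath.dirname(path).lower()
        # 4688 carries only the creator's PID; its name comes from the earlier event.
        parent = ntpath.basename(by_pid.get(ppid, "")).lower() or None
        if name in BASELINE:
            exp_dir, exp_parents = BASELINE[name]
            if folder != exp_dir:
                findings.append((pid, f"{name} running from {folder}, expected {exp_dir}"))
            if parent is not None and parent not in exp_parents:
                findings.append((pid, f"{name} started by {parent}, expected one of {sorted(exp_parents)}"))
        else:
            close = [known for known in BASELINE if edit_distance(name, known) <= 2]
            if close:
                findings.append((pid, f"{name} resembles {close[0]} (possible misspelling)"))
    return findings
```

On the sample records this reports the Temp-folder scvhost.exe as a likely misspelling and the second explorer.exe twice, once for its path and once for its parent; the three system-started processes produce no findings.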

• Check for unsigned code. Malware and viruses are often attached to legitimate executables from known or somewhat known entities. Program files that are signed declare the publisher and confirm that the file has not been modified by an attacker. Since unsigned files don’t have this assurance, unsigned code might indicate potential malware – you just can’t tell. Note that Windows 8 and earlier default to allowing unsigned code to run. Several tools can audit and analyze running processes on a machine. Although not enterprise-caliber tools, these can be useful in tracking down issues on a per-machine basis:

– FireEye Redline
– Microsoft Sigcheck
– Didier Stevens Authenticode tools

• Check programs against the National Software Reference Library (NSRL). This library (available at http://www.nsrl.nist.gov) is a joint effort between the U.S. Department of Homeland Security, federal, state, and local law enforcement, and the National Institute of Standards and Technology (NIST). These agencies collect software from various sources and incorporate file profiles into a reference library used in the investigation of crimes involving computers.

The trick to detecting rogue processes is to know what should and should not be running on your Windows endpoints. If you’re using a golden image, this exercise should be relatively simple: compare the running processes with a known list. But if every machine is somewhat different, you might need to start with a basic list of what should be running and then use the methods here to detect what falls out of the norm.

Detecting Rogue Processes with EventTracker

Even with the appropriate auditing policies turned on, a fair amount of detective work is needed to compile a complete picture of which processes are running and whether or not they are rogue processes. EventTracker’s sensor collects pertinent information – including process, file, creator, hash, and signer details – and intelligently presents it as a single event, as shown in Figure 2. This approach creates centralized details that are easily available for security information and event management (SIEM) solutions to digest and act on.

This is just a preview. The entire document is available at http://www.eventtracker.com/whitepapers/5-indicators-of-endpoint-evil/

Address: 8815 Centre Park Drive, Suite 300-A, Columbia, MD 21045
U.S. Toll Free: 877.333.1433
Tel: (+1) 410.953.6776
Fax: (+1) 410.953.6780