True digital crime E01Pt04: Response

Cont’d from Part 3

The Twins

They called themselves “T1” and “T2”. The many-times-repeated family story centered on their grandfather. One day he arrived at the house with twin t-shirts. One tee had T1 and the other tee had T2 on the front. And then the nicknames just stuck through school and beyond. While T1 and T2 were highly similar people, they recognized early on that they had a true left-brain right-brain difference in their thinking. And while some might see that as a divide, it actually brought them together on problem-solving.

Pat didn’t surprise them when asking for a double shift — their specialty. T1 went high. T2 went low.

T1

T1 used data coming in from T2 and others to put together the high-level picture and action plan. T1 followed the breadcrumb trail back to a series of phishing emails produced by certain employees. T1 soon recognized that they were unwilling victims. In fact, their personal credentials were part of a previous data leak. Attackers reused the passwords from the leak on the respective corporate email accounts. They kept trying until they got “in”.

The attackers infected all phished computers with a self-replicating coin miner that spread through the network in a matter of hours. Internal emails fanned out to phish other users, including one IT Administrator. That IT admin’s machine was compromised with custom malware and used to move laterally to different servers. The team discovered a custom python backdoor on that IT admin’s system. Not surprisingly, they also discovered a custom backdoor on infected servers. The backdoor facilitated persistence on the network and the attackers used it to monitor and expand their activities.

T2

T2 started by identifying infected machines… and noted that the local antivirus was not detecting the malware. T2’s first strategy was to briefly isolate a small set of infected machines… remediate… then watch for lateral movement and re-infection. With that data in hand, T2 created a Detection Strategy (or in ReaQta, abbreviated to “DeStra”). 

T2’s second step was to develop a playbook to clean up infected remote employee computers. Of course, this had additional complications. Their connections to the C2 could not be severed. And, like a boomerang, the remote-working VPN was also a facilitator of re-infection. 

Like an orchestra conductor, T2 deployed the ReaQta playbook of sequenced actions to briefly isolate and remediate systems. On the retail façade side of things, it was barely noticeable. The big weekend sale probably helped. There were brief moments of eye-rolling at the registers when a “System Busy” box appeared for a few seconds then disappeared. Most people – employees and customers – just figured that the system was being overloaded by transactions. 

After 16 hours, T1 and T2 wrapped and reported to Pat. Then they bounced out the door. They couldn’t agree on what to order in for dinner. As they exited, they already were down to three options. They settled on all three dishes to ensure leftovers. Pat grinned.

Pat

24 hours after receiving the client’s call… Pat convened a project review meeting with the client. Pat opened the meeting with a big smile and said, “I have good news!”