The first step in most engagements is either a response to a known compromise, or the start of a search through a network for signs of a compromise, targeted attack or Advanced Persistent Threat (APT). No malware is completely invisible, so its activity will show up in at least two of the three sources of evidence we analyse when looking for targeted attacks or APT: hosts, network traffic and logs.
Examining hosts allows us to find many clues which will help our investigation of the attack, and may enable us to identify traces of the malware used in the intrusion. We do this by distributing a script to either a selected group of machines or to all machines on a network, then querying those machines whenever a user logs on. The script collects data on files in certain locations, registry keys, processes, running services and a variety of other 'Indicators of Compromise'. Automated checks against known signatures, combined with manual analysis of the data, allow us to spot machines which show evidence of malware.
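The automated check against known signatures described above, as an added example that is not part of the original page or of Context's tooling: it runs a small signature set over the kind of output a collection script would return for two hosts (all hostnames, hashes, paths and signature values are constructed placeholders) and returns, per host, the entries that matched for an analyst to review.

```python
# Added example: automated signature check over host data gathered by a
# collection script. Every host, path, hash and signature below is a
# constructed sample value, not a real indicator.
import fnmatch

# Each signature names the collected data category, the field to inspect,
# how to compare it (exact or glob) and a label for the analyst.
SIGNATURES = [
    {"category": "files", "field": "sha256", "match": "exact",
     "value": "3b7e" * 16, "label": "known dropper hash (constructed)"},
    {"category": "registry", "field": "data", "match": "glob",
     "value": "*\\AppData\\Roaming\\*.exe", "label": "Run key pointing into AppData"},
    {"category": "processes", "field": "path", "match": "glob",
     "value": "*\\Temp\\*.exe", "label": "process image running from Temp"},
    {"category": "services", "field": "binary", "match": "glob",
     "value": "*\\ProgramData\\*", "label": "service binary under ProgramData"},
]

def matches(sig, entry):
    """True if one collected entry satisfies one signature (case-insensitive)."""
    observed = str(entry.get(sig["field"], "")).lower()
    if sig["match"] == "exact":
        return observed == sig["value"].lower()
    return fnmatch.fnmatch(observed, sig["value"].lower())

def check_host(record):
    """Return (category, label, offending value) findings for one host record."""
    findings = []
    for sig in SIGNATURES:
        for entry in record.get(sig["category"], []):
            if matches(sig, entry):
                findings.append((sig["category"], sig["label"], entry[sig["field"]]))
    return findings

def triage(records):
    """Map each hostname to its findings; hosts with no findings are omitted."""
    result = {}
    for record in records:
        found = check_host(record)
        if found:
            result[record["host"]] = found
    return result

# Constructed output of the collection script for two hosts.
SAMPLE_HOSTS = [
    {"host": "WS-01",
     "files": [{"path": "C:\\Users\\a\\Downloads\\inv.exe", "sha256": "3b7e" * 16}],
     "registry": [{"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                   "name": "Updater", "data": "C:\\Users\\a\\AppData\\Roaming\\upd.exe"}],
     "processes": [{"name": "explorer.exe", "path": "C:\\Windows\\explorer.exe"}],
     "services": []},
    {"host": "WS-02",
     "files": [{"path": "C:\\Windows\\notepad.exe", "sha256": "aa11" * 16}],
     "registry": [],
     "processes": [{"name": "svchost.exe", "path": "C:\\Windows\\System32\\svchost.exe"}],
     "services": [{"name": "Spooler", "binary": "C:\\Windows\\System32\\spoolsv.exe"}]},
]
```

Only WS-01 is flagged here (hash match plus an autorun entry under AppData); WS-02 produces no findings and drops out of the triage list.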
Analysing network traffic is the most labour-intensive way to gather evidence, but it can also be the most rewarding. We passively monitor all network traffic at a key point (or points) on the network, such as an Internet gateway, and analyse incoming and outgoing packets, searching for anomalies which would suggest the presence of malware communicating with remote computers. We have a range of proprietary tools which can flag suspicious behaviour, while a team of skilled human analysts looks in depth at the alerts to gain a full understanding of the nature of the activity observed. Capturing network traffic may reveal exactly how the attacker is stealing an organisation's data and which data is being targeted. Learning this helps us to understand the intent and methodology of the attacker.
There is a wealth of information stored in logs which, while it may not allow us to identify attacks, can be used to support host and network investigations. It may also reveal the full extent of the attacker's activities, in a way which the other two investigative methods cannot match. We can process and analyse logs from any part of the network, and the longer the period of logs available to us, the better. Analysing logs against Context's extensive signature set is an important part of the investigation process and a key part of the Detect phase.
Context offers two services which focus on the detection of sophisticated targeted attacks or APTs. The first, the Network Compromise Assessment (NCA), monitors network traffic for a number of weeks in order to identify malicious activity. The second, the Targeted Attack Detection Service (TADS), is our ongoing managed service aimed at detecting new attacks over the long term.