Security Analytics& Response Orchestration

Security Analytics

Enorasys Security Analytics helps government department detect and stop sophisticated espionage attack

The Brief

The client is a government department within an EU country that handles some of the most sensitive data for defining and enacting national policy. The department is situated within two sites; both highly secure from physical attacks and regularly welcome some of the most senior national and international governmental figures for meetings and presentations. The department has a small IT team that are all security cleared to deal with routine systems and application management but are not considered a dedicated InfoSec team. Following a change of senior leadership within the department, it was decided that information security processes needed to be strengthened and the department contacted Encode to instigate a review and then strengthen both technological controls and processes.

How we helped

A highly sensitive government department contracted Encode to help it proactively detect and prevent cyber-attacks. Within the first week of the engagement, Encode’s Enorasys Security Analytics platform alerted its Security Operation Centre that an endpoint device was showing signs of compromise. Encode’s Cyber Incident Response Team began a process of isolating the endpoint and conducting a detailed forensic investigation which discovered a sophisticated and custom written cyber-attack tool had been installed on the laptop of a senior member of the department.

The tool was recording local audio conversation and keystrokes, effectively bugging senior individuals within the government department and sending these conversations to a server in another country. Through in-depth analysis, it was discovered that the attack had been on-going for nearly 11 months and had evaded detection by traditional and up to date anti-virus and next generation firewall products installed within the department. Following discovery and interdiction of the breach, the government department has suffered from no further successful attacks and has used Encode consulting services to further improve security processes and help raise security awareness through additional staff training.

What We Did

As part of the initial engagement, Encode evaluated and strengthened the departments’ access controls and deployed probes on the network to begin the process of benchmarking its systems and patterns of the traffic flow across the organisation and its staff. This data was then fed into Enorasys, a Security Analytics platform hosted within Encode’s Security Operation Centre that is designed from the ground up to detect early compromise by understanding the “attack logic” and exploitation path of advanced threats. Enorasys evaluates relevant activity and through a unique combination of pattern detection with activity profiling and external/environment-specific context, assigns risk scores to users, nodes and corresponding activity attributes.

Within two days of the Enorasys platform going live, it detected a correlation of factors that suggested a particular endpoint may have been compromised. This alert was passed to the Encode Cyber Incident Response Team (CIRT) which began a forensic investigation. The suspected endpoint was a laptop used by a senior member of the government department who regularly handled highly sensitive material. With the laptop still powered on, the CIRT began by disconnecting it from the Wi-Fi network and then created images of the active memory, BIOS and hard disk to investigate the cause of the anomalous activity the endpoint was exhibiting.

Through the forensics process it was discovered that the laptop had been infected with a cyber-attack tool that had gone unnoticed by the installed and updated anti-virus software through sophisticated rootkit and evasion techniques. The tool matched no known signature and was believed to have been custom written to avoid traditional signature-based detection methods. Through further study, it was determined that the tool was actively recording all audio conversation using the Laptop built-in microphone and sending these recordings to a fake ‘hobby’ website along with full keystroke transcripts of everything typed on the keyboard.  The sophisticated malware was designed to be as unobtrusive as possible and had a number of additional features such as the ability to transfer via USB stick which was not turned on but lying dormant within its coding.  As the command and control website the tool was communicating with was outside of the national border, the CIRT was unable to ascertain the identity of the attacker. However, it is suspected that a state sponsored group was involved due to a number of artefacts uncovered during the forensic investigation. Encode did a full sweep of all end-point devices, servers and removable media within the organisation and found that no other systems were infected and the network showed no other signs of similar types of attack.

  • ENCODE - Game Changers

    Dec 22 2015 - 16:29

In Conclusion

Following the detection and eradication of the cyber-attack, Encode continued its ongoing security analytics service for the government department which has had no successful breaches against it to this point. From the investigation, it was determined that the remote attack tool had been conducting its espionage activities for approximately 11 months prior to its discovery by Enorasys and removal by the Encode CIRT.   With help from Encode’s consulting services, the government department has now strengthened its operational security processes. This includes the instigation of new policies for securing the laptops of senior staff along with ongoing security awareness courses to help educate staff on the risks and proper behaviour for dealing with instances of phishing and unsolicited email.