Wednesday, December 9, 2015

Current APT threat

This is the harvest of a month of APT detection on our firewall.
Guess it was worth our money, but not entirely...

As you can see in the far right column,  most threats are directed at me (Guy Schellens), which actually makes sense.  An administrator is more likely to have elevated privileges so the damage an infection (eg. cryptolocker) causes is much bigger.  Keep using locked down accounts,  avoid working as an administrator on your computer.
For network admins,  limit the rights of your users to what they really need, so a user who opens one of the files in this list will cause minimal damage.

All the documents contain malicious macrocode which contains an executable. Don't want to find out what Joe or Valerie had in store for me...

Even scarier is the next table.

It contains zero day APTs again targeted at me.  Zero day means this threat was unknown at the moment it was sent to me.  The APT detection sends these files to a service in the cloud, which runs some tests on the suspicious file in a virtual machine.  Note there are APTs which can detect they run in a virtual environment and will not do their evil actions because they suspect being in a lab environment...

You see the file was allowed further into our network, so the files weren't blocked because the examination can take a while... This means I and another colleague  got these files in our mailbox!  The  file invoice_latest_reminder.doc was allowed on 2015-11-10 15:11:34  but was blocked 2 hours later when it was mailed again to me.  By then the firewall manufacturer had put the file signature in their database so all customers are warned for this file.

It is still very, very important to educate end users how to identify these threats, because as you saw, those files are only blocked when the firewall is sure the content is malicious.

Take care guys!

No comments:

Post a Comment