The RSA IR team deals with APT actors on a daily basis on networks of various sizes. Regardless of the size of the network, or the number of advanced actors we find in them, one thing is paramount to both us and our customers during investigations: the ability to quickly scope the severity of the intrusion. Achieving this goal requires the best possible visibility, and the right tools that are flexible enough to allow our analysts to hunt for artifacts from both the network and the endpoint perspective.

RSA IR uses two flagship products to achieve this goal. Security Analytics (SA) provides our team with complete network traffic visibility and allows us to identify malicious traffic based on the smallest behavioral anomalies exhibited by malware. In addition, RSA IR uses the Enterprise Compromise Assessment Tool (ECAT) to gain complete visibility on endpoints. ECAT is purely a behavior-based scanner that can quickly identify anomalies at the endpoints. However, it is also flexible enough to allow for ingestion of Yara signatures, thus giving RSA IR the ability to automatically mark malicious files based on signatures created both prior to and during the investigation. Additionally, ECAT allows our analysts to quickly triage systems of interest to more fully understand the extent of malicious activity at the endpoints.

In this case study the RSA IR team opens a window into how our team, using ECAT and SA, investigates a typical APT intrusion more thoroughly and quickly than is possible with standard forensic methodologies. Despite the small size of this network, we found the presence of multiple APT actors and several types of Trojans. Some of the Trojans were digitally signed files with no AV detection at the time of the investigation. Due to the length of the intrusion, we also found remnants of inactive or deleted Trojans.

The full document can be found here: RSA IR Case Study.

The post An APT Case Study appeared first on Speaking of Security - The RSA Blog and Podcast.
