Overview

When a zero-day threat hit a major U.S. web retailer in a drive-by attack, the retailer needed to establish when, where and how the attackers got in, both to keep its thousands of systems protected from a repeat attack and to confirm the infection had not spread. Knowing that traditional antivirus prevention and detection tools would not be sufficient, it turned to the network forensics capabilities of its Solera DS 3200 appliance.

Challenge

Because zero-day threats exploit vulnerabilities that are not yet known, or known but unpublished, they slip through most traditional defenses undetected. Once inside the network perimeter, they typically operate with stealth, stealing information and doing damage while remaining hidden. Fortunately, this web retailer already had in place a content-specific analyzer that combines aggressive capture heuristics with deep packet inspection to support in-depth analysis of suspicious network activity.

After the attack made its way past the retailer’s perimeter defenses, its FireEye™ Malware Protection System saw a questionable executable cross the network. The system captured the executable and ran it in a protected virtual sandbox to analyze its behavior, and found it to be a keylogger capable of sending captured data outside the network boundary. Even with that information, the retailer did not know the extent of the attack. How had it made it past the defenses? Where did it enter the network? Had other machines been hit? What could be done to prevent further attacks? Those answers came from the full network packet capture and artifact reconstruction capabilities of its Solera DS 3200 network forensics appliance.

Solution

The first thing the web retailer needed to discover was the starting point for the breach that led to the user’s machine getting infected. This required root cause analysis using its network forensics appliance from Solera Networks. “Root cause analysis lets you determine the full scope of a threat,” says the Chief Security Officer. “You need the full scope in order to completely contain a threat. It provides the attribution you need to find who might be at fault in case there ends up being some type of legal action. Lastly, it gives you targeted and definitive remediation for the issue. All of these are key to reducing the impact of an attack on an organization.”

Fundamental to root cause analysis and discovering the full scope of an event is being able to perform full data capture and recording of all network traffic. “Network forensics with full packet capture provides you much more detailed information than what logs can provide,” says the Incident Response Analyst. “With a complete recording of network traffic you can follow exactly what happened between that machine and the rest of the network. Unlike logs, which just give you a sense of what sites a person visited, network forensics lets you replay the complete history and delivers actual files from the raw packet data. It basically gives you a complete reenactment or video of the crime scene that you can methodically go through to pinpoint exactly when, how and what happened.”

For the web retailer, that is exactly what the Solera DS appliance provided. It pinpointed when, what and how the zero-day breach occurred. It traced the point of origin to a compromised website and also re-created the sequence of events. It showed that, while on break, one of the retailer’s customer representatives was simply surfing the web; a fairly innocuous search led him to a website that had been compromised by an iframe injection. While on the site, the representative passed his cursor over an image without clicking on it, and, unknown to him, the site downloaded a set of JavaScript files and a JAR file to his computer. The downloaded Java code then executed, and in turn downloaded and installed the keylogger malware.
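The two capabilities the analyst describes, reassembling a flow "exactly as it happened" and pulling actual files back out of raw packets, come down to TCP stream reassembly plus carving of the application-layer payload. The script below is an added example, not Solera Networks' or the retailer's code: it builds a small pcap in memory (one HTTP GET for a JAR, with the server's response split across two TCP segments that are captured out of order), reassembles each direction of every flow by sequence number, carves the HTTP response body, and reports the request URI, the server's declared content type, the real magic bytes, size and SHA-256. The addresses, ports, host name and the path /ads/loader.jar are assumptions; the JAR is a constructed stand-in that only carries ZIP magic.

```python
"""Reassemble TCP flows from a pcap and carve the files HTTP delivered.

Added example, not Solera Networks' or the retailer's code. The capture is
constructed in memory (one GET for a JAR, response split across two segments
captured out of order); addresses, ports and the path are assumptions.
Standard library only; reads the classic little-endian libpcap format.
"""
import hashlib
import struct

CLIENT_IP, SERVER_IP = "10.0.0.25", "203.0.113.7"   # constructed (TEST-NET-3 server)
CLIENT_PORT, SERVER_PORT = 49152, 80


def _packet(src, sport, dst, dport, seq, ack, payload):
    """Ethernet + IPv4 + TCP (PSH/ACK) frame; checksums left zero, the parser ignores them."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp + payload


def _pcap(frames):
    """Wrap frames in a libpcap file: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


FAKE_JAR = b"PK\x03\x04" + b"\x00" * 26 + b"META-INF/MANIFEST.MF" + b"A" * 40  # constructed ZIP magic
REQUEST = b"GET /ads/loader.jar HTTP/1.1\r\nHost: cdn.example\r\n\r\n"
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/java-archive\r\n"
            b"Content-Length: %d\r\n\r\n" % len(FAKE_JAR)) + FAKE_JAR
SPLIT = 40  # the second half of the response is captured before the first half
SAMPLE_PCAP = _pcap([
    _packet(CLIENT_IP, CLIENT_PORT, SERVER_IP, SERVER_PORT, 1000, 5000, REQUEST),
    _packet(SERVER_IP, SERVER_PORT, CLIENT_IP, CLIENT_PORT, 5000 + SPLIT, 1000 + len(REQUEST), RESPONSE[SPLIT:]),
    _packet(SERVER_IP, SERVER_PORT, CLIENT_IP, CLIENT_PORT, 5000, 1000 + len(REQUEST), RESPONSE[:SPLIT]),
])


def tcp_segments(pcap):
    """Yield (flow, seq, payload) for each TCP segment that carries data."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled")
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        ip = frame[14:]
        if frame[12:14] != b"\x08\x00" or ip[9] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield (src, sport, dst, dport), seq, payload


def reassemble(pcap):
    """Rebuild each direction of every flow in sequence order, whatever the capture order."""
    segments = {}
    for flow, seq, payload in tcp_segments(pcap):
        segments.setdefault(flow, {})[seq] = payload
    streams = {}
    for flow, segs in segments.items():
        data, expected = b"", None
        for seq in sorted(segs):
            if expected is not None and seq != expected:
                raise ValueError("gap or overlap in flow %r at seq %d" % (flow, seq))
            data, expected = data + segs[seq], seq + len(segs[seq])
        streams[flow] = data
    return streams


MAGIC = {b"PK\x03\x04": "zip/jar", b"MZ": "pe", b"\x7fELF": "elf"}


def carve_http(pcap):
    """Carve each HTTP response body and pair it with the request URI from the reverse flow."""
    streams, artifacts = reassemble(pcap), []
    for (src, sport, dst, dport), data in streams.items():
        if not data.startswith(b"HTTP/1."):
            continue
        head, _, body = data.partition(b"\r\n\r\n")
        headers = dict((k.strip().lower(), v.strip()) for k, _, v in
                       (line.partition(b":") for line in head.split(b"\r\n")[1:]))
        declared = int(headers.get(b"content-length", len(body)))
        body = body[:declared]
        request = streams.get((dst, dport, src, sport), b"")
        uri = request.split(b" ")[1].decode() if request.startswith(b"GET ") else None
        artifacts.append({
            "uri": uri, "server": src, "size": len(body), "body": body,
            "declared_type": headers.get(b"content-type", b"").decode(),
            "magic": next((n for m, n in MAGIC.items() if body.startswith(m)), "unknown"),
            "sha256": hashlib.sha256(body).hexdigest(),
            "truncated": len(body) < declared,   # capture ended before the body did
        })
    return artifacts
```

Two points matter in practice. Reassembly is keyed on the 4-tuple and ordered by sequence number, not by capture order, so the out-of-order segments come back as one contiguous response; a real tool must also tolerate retransmissions and overlaps, which this version reports as an error rather than silently merging. The file type is judged from magic bytes rather than from Content-Type or the URI extension, since a drive-by server controls both of those, and `truncated` flags a body the capture window did not fully contain, which is the caveat to check before treating the hash as that of the complete artifact.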

Results

With the root cause information provided by the Solera DS appliance, the customer was able to remediate quickly and minimize the potential impact of the zero-day threat. First, it let them identify exactly what the threat looked like, so they could remove it from the infected computer and determine whether it had reached other parts of the network. It also identified the compromised website, allowing the company to block all of its users’ access to it. Lastly, it uncovered the vulnerability on the user’s computer that allowed the drive-by attack to succeed.

Although the keylogger itself was a zero-day, the exploit that delivered it took advantage of a known vulnerability in an older version of Java installed on the breached machine. That same vulnerable version existed on nearly all of the retailer’s thousands of other systems. Without the root cause knowledge provided by the Solera DS appliance, the company would not have realized how exposed all of its machines were. As a result, the company immediately updated all of its systems to the latest version of Java, eliminating that vulnerability and protecting itself from a repeat of this specific attack as well as from the wide variety of other malware that could exploit the same flaw.
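Finding which of thousands of systems still carry the outdated Java is the fleet-wide check that turns the root cause into a remediation list. The script below is an added example, not the retailer's tooling: it parses collected `java -version` output per host and lists the hosts below a baseline version. The inventory lines are constructed, and the baseline is an assumed parameter, since the page does not name the Java version involved. The parser handles both the legacy `1.<major>.<minor>_<update>` scheme and the newer `11.0.2` / `17` scheme, which compare incorrectly if treated as plain strings.

```python
"""List fleet hosts running a Java older than a baseline, from `java -version` output.

Added example, not the retailer's tooling. INVENTORY is constructed; the baseline
passed to hosts_below() is an assumption, not a version the page names.
"""
import re

# constructed: "<host> <first line of `java -version 2>&1`>" as gathered by a remote job
INVENTORY = """\
pos-101 java version "1.6.0_21"
pos-102 java version "1.7.0_07"
pos-103 java version "1.7.0_45"
pos-104 openjdk version "11.0.2" 2019-01-15
pos-105 java version "1.8.0_202"
pos-106 bash: java: command not found
"""

_VERSION = re.compile(r'version "([^"]+)"')


def parse_java_version(text):
    """Return a comparable (major, minor, update) tuple, or None if no Java is reported.

    Legacy scheme:  1.7.0_45  -> (7, 0, 45)   (the leading "1." is not the major version)
    Current scheme: 11.0.2    -> (11, 0, 2),   17 -> (17, 0, 0), 17-ea -> (17, 0, 0)
    """
    m = _VERSION.search(text)
    if not m:
        return None
    raw = m.group(1)
    if raw.startswith("1."):
        body, _, update = raw[2:].partition("_")
        parts = body.split(".")
        major = int(parts[0])
        minor = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
        return (major, minor, int(re.match(r"\d*", update).group() or 0))
    parts = [int(p) for p in re.split(r"[.+-]", raw) if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def hosts_below(inventory, baseline):
    """Return [(host, version)] for every host whose Java is older than `baseline`."""
    out = []
    for line in inventory.splitlines():
        host, _, rest = line.partition(" ")
        version = parse_java_version(rest)
        if version is not None and version < baseline:
            out.append((host, version))
    return out


def hosts_without_java(inventory):
    """Hosts that reported no Java at all; worth a second look rather than a pass."""
    return [line.partition(" ")[0] for line in inventory.splitlines()
            if parse_java_version(line) is None]
```

A host with no `java` on the PATH is listed separately rather than silently counted as safe, since browser plugins and bundled JREs can exist without a PATH entry; the page's point that "nearly all" systems shared the vulnerable version is exactly what such an inventory would have surfaced before the incident.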

“Just because you stop one attack doesn’t mean that you’ve fixed the core problem,” the Incident Response Analyst says. “Unless you know the full scope of an issue, you can’t know if you’ve fully remediated it or protected from it. By using root cause analysis from Solera Networks, we were able to pinpoint how the exploit occurred, understand the full scope of the problem, and completely prevent that exploit from ever happening again in the future.”

Customer Quotes

“There are experts who have tested, used and proven the effectiveness of the open source tools, not to mention the fact that they work seamlessly with Solera Networks”

University CSO,
Major Eastern US University

“The speed with which we respond to events now will more than pay for the cost of this device.”

Team Leader,
Communication Team,
Major Cloud-based Software Provider

“We were interested in the device because it has deep packet capture and playback capabilities and fits so seamlessly with our analysis tools.”

Information Security Engineer,
Global Health Product Manufacturer

“We more than paid for the Appliance in the first week of use.”

Senior Design Engineer,
Global Aerospace and Transportation Manufacturer

“Using the Solera Networks Appliance has saved our company well over 7 figures.”

CSO,
Fortune 100 Financial Management and Equity Firm

“…It gives us the ability to look at the past in the minutest detail.”

Security Analyst,
Major US University

“This is the most valuable tool we have seen for network forensics. …We have an ‘all-seeing-eye’ into our network. We know what has happened and what is happening.”

Security Analyst,
Major US University