Contribution | ‘Explainable’ Security Response Strategy Based on Full Packet Investigation through Case Studies

Data breaches are a serious problem worldwide today. In Japan, the number of personal information breaches in the past year has reached an all-time high of 13,279. This is the result of counting incidents that occurred from April 2023 to March 2024, and is a whopping 70% increase from the previous year.

A similar issue was pointed out in a December 2023 Apple report titled “The Continued Threat to Personal Data: Key Factors Behind the 2023 Increase.” “The number of corporate data breaches in the U.S. is at an all-time high,” said MIT professor Stuart Madnick, author of the report. “Breaches in the first nine months of 2023 alone have already increased by nearly 20% compared to all of 2022. The trend is similar worldwide.”

Ransomware attacks are also increasingly aimed at data theft. According to Madnick, ransomware attacks today are more sophisticated and aggressive than ever before, and 2023 will see more attacks than any previous year. It is also particularly concerning that while in the past attackers would simply encrypt data until a ransom was paid, they are now more likely to leak corporate and customer information. Sensitive data held by governments and medical facilities is also being targeted more often, which underlines the importance of protecting personal information.

In its ‘Cybersecurity Threat Analysis and Outlook’ published in December 2023, KISA selected the following four cybersecurity threats to watch in 2024: ▲Software supply chain attacks ▲Cyberattacks exploiting generative AI ▲Security threats to OT/ICS and IoT environments ▲Cyberthreats exploiting political/social issues. It also predicted that unpredictable breaches will occur in 2024 as attackers evolve to find new vulnerabilities. These domestic and international trends remind us that going forward, companies must move toward strengthening not only their security systems but also their overall security response systems and processes, and take a cautious approach to personal information protection.

Proactive threat detection, proactive response

According to the Personal Information Protection Act and the Credit Information Utilization and Protection Act, personal information processors of a certain size or larger must report a leak within 72 hours of the occurrence of the incident. The report must include the items and scale of the leaked information, the time and circumstances of the leak, the measures taken to minimize the damage caused by the leak, and their results. In other words, work such as securing logs and evidence and confirming the leak path must be carried out immediately after the incident occurs.

The longer the initial response is delayed, the greater the damage to the company and the wider its scale. For example, consider the incident in January 2023 in which Company A suffered a cyberattack that leaked the personal information of about 300,000 customers. Analysis of the incident showed that the leak had occurred 5 years earlier and that the cause was the lack of personal information protection measures and a basic security management system at Company A. Ultimately, Company A received a fine of 6.8 billion won and a penalty of 27 million won.

The same goes for the hacking incident at Public Institution B that was reported earlier this year. Institution B did not recognize the hacking incident, which resulted in the leak of 1TB of data, until about a year after the hacking incident. The hacking group was confirmed to have infiltrated Institution B’s internal network in January 2021, and stole data for over a year from June 29 of that year to 2022. However, Institution B detected and blocked the hacking only in February 2024.

Personal information leaks are not only caused by external attacks. Insider threats are also a problem. According to the ‘2024 Cyber Security Priority Survey’ conducted by ITWorld and CIO Korea on domestic companies at the end of last year, malicious insider threats accounted for a significant 22.2% of the security threats that companies were most concerned about over the past year. In many cases, personal information leaks are caused by mistakes made by well-meaning insiders. According to the ‘Information Protection Status Survey (2019)’ conducted by the Ministry of Science and ICT, more than half of companies (76%) were most concerned about personal information leaks due to management errors. In addition, among personal information breach incidents experienced in the past, cases of ‘negligence in internal security management’ accounted for the largest proportion at 40%.

Four Conditions for Next-Generation NDR Solutions

The beginning and end of all threats are recorded in the network. Therefore, companies must proactively identify all abnormal signs occurring in the network, and in the event of an incident, they need to quickly secure the leak history and content details in order to prepare follow-up measures without delay. An NDR (Network Detection & Response) solution that analyzes network traffic to detect and respond to threats can fully support this. Gartner defines an NDR solution as one that has all four core functions of detection, hunting, forensics, and response, and among domestic solutions, Quadminer’s ‘Network Blackbox’ is the only one that meets this definition.

Network Black Box is a solution specialized in high-performance big data management and search based on full packet capture. It automates the entire process from full packet capture and collection to threat detection, hunting, forensics, and response based on four core systems: ▲ A distributed structure that stores all packets without loss in an ultra-high-speed, large-scale network environment; ▲ A system that creates a condition-specific DB to search for user-defined patterns at high speed; ▲ A system that analyzes and reassembles packets into original data and then indexes them in real time to fit the application; ▲ A scenario-centric attack detection system that proactively searches for advanced threats and abnormal signs using a threat hunting model based on supervised learning. It can further enhance internal network threat detection by checking not only traffic moving from the outside to the inside or from the inside to the outside (north-south) but also traffic moving from the inside to the inside (east-west).

Detected threats are usually investigated according to the 6-W principle. By utilizing the content extraction and restoration function of the network black box, these questions can be clearly answered based on definitive evidence. The network black box not only restores and extracts emails, bulletin boards, search and chat records, but also saves files moved on the network such as web pages, documents, images, executable files, compressed files, and videos and audios, so it is very helpful in securing evidence. In particular, the strength of the network black box is that even if the threat actor deletes the content or file, it can be restored during the forensic process.

Network Black Box Case Study #1. Insider Threat Detection

How much collecting full network packets and utilizing organized metadata can help in responding to real security threats, and how the network black box (hereinafter referred to as NBB) works, is demonstrated through a practical use case. Let’s look at it in four steps: Detection → Analysis → Confirmation → Response.

Scenario

An internal user (192.168.30.102) with malicious intent performed RDP access using an administrator PC account that has access and management authority to a file server where important data was stored, and collected sensitive data through the connected file server shared directory after successful login. In order to export the collected data externally, after logging in to SSL VPN using a personal account, an RDP login to an Internet PC capable of external communication was attempted to export the data to portal mail, but failed due to issues such as extension filtering. Afterwards, the collected sensitive data was successfully exported externally using a specific file transfer program.

1-1. Detection: Detection of abnormal traffic through SMB communication between the administrator PC and the file server

The first analysis in this case concerns traffic attempting abnormal SMB connections. NBB detected a threat signature related to a suspicious SMB connection from the administrator PC (10.10.10.130) to the file server (10.10.20.108) (ET Potential SMB Brute-Force attempt response_2). A rule had been set up that treats a large number of random connection attempts over SMB as a threat.

Looking at Figure 1, we can see that traffic volume increased to 238MB, which differs from usual, along with the random access attempts. Suspecting that a specific file may have been moved in communication with the file server, we searched using metadata and confirmed that communication with the file server is 90MB on average (Figure 2).

Figure 1. SMB suspicious access threat signature detection screen ⓒ Quadminer
Figure 2. File server-based metadata search ⓒ Quadminer

1-2. Detection: Detection of abnormal RDP long-term sessions such as RDP login from user PC to Internet-enabled PC and large file transfer
In addition to the SMB traffic, there is another threat signal detected by NBB: an RDP session that lasted more than 2 hours (SuspiciousActivity_R2L_Session2Hour_TCP) (Figure 3). We conducted additional analysis of internal behavior, as the source IP was confirmed to be an internal IP normally assigned to the VPN, but it was difficult to establish a correlation because there was no overlap in IP addresses with the abnormal SMB traffic that occurred previously.

Figure 3. Abnormal session detection screen and metadata of abnormal sessions ⓒ Quadminer

We additionally searched the destination IP for detailed analysis. We confirmed that an outbound transfer of more than 100MB of data from the destination IP (192.168.30.102) (DataUpload_100M_L2R) and a download from a specific external IP (QUADTI_L2R_TIDSTIP_AppHTTP_Download) were detected (Figure 4).

Figure 4. Additional abnormal session search based on suspicious IP ⓒ Quadminer

It can be seen that communication traffic exceeding 100MB was attempted using the Send Anywhere web service, and that external downloads were attempted using the Rakuten file sharing service (Figure 5).

Figure 5. Traffic logs of over 100MB (top) and Rakuten file sharing communication logs (bottom) ⓒ Quadminer

2. Analysis: Analysis of external export attempts using Naver Mail and extraction of attached files
Analyzing Naver Mail traffic with the content search function showed that the user (192.168.30.102) attempted to send a large file through Naver Mail. However, as the checkbox in Figure 6 shows, when the ‘myfolder.7z’ file attached to the email is restored, its size is 0B. It is believed that the file transfer did not go through because of a transfer control policy for specific extensions.

Figure 6. Content Search – Detection of Naver Mail Attachment Sending Attempt ⓒ Quadminer

It also seems that the user did not attempt any workarounds such as changing the file extension, since only .zip and .7z files were uploaded with their extensions unchanged. Looking at the detailed packet analysis history, we can see that they actually tried to send a large file named ‘my.zip’ from Naver Mail (Figure 7).

Figure 7. Detailed packet with attached file name ⓒ Quadminer

3. Confirmation: Verify whether external leakage attempts were successful and actual data through metadata.
We judged that the large file leak using Naver Mail had failed, so we conducted additional analysis using metadata search. It was found that additional large traffic communication occurred approximately 30 minutes after the attempted leak (Figure 8), and we confirmed that about 380MB of traffic was generated through send-anywhere.com. Judging from the response status code of 200, which means success, the transfer was likely successful (Figure 9).

Figure 8. Large-capacity communication occurrence ⓒ Quadminer
Figure 9. Metadata search for send-anywhere.com ⓒ Quadminer

In order to determine the exact circumstances of the leak, we carried out a detailed packet analysis. The compressed file was leaked through send-anywhere.com, and about 1GB of traffic was generated at the time. The response value was 200, and the body value at the bottom of the packet detail showed “state”: “complete”, so we can infer that the leak through Send Anywhere was successful (Figure 10).

Figure 10. Packet detail response analysis screen (below) ⓒ Quadminer

If you download the files included in the actual traffic through NBB, you can see that the compressed files contain many sensitive files, including files marked confidential (Figure 11).

Figure 11. Files included in actual traffic ⓒ Quadminer

4. Response: Additional analysis of endpoint logs for correlation and accurate analysis based on NBB anomaly detection
User PC analysis can also be performed to secure additional evidence and correlation. For example, by analyzing the administrator PC where the initial traffic occurred, an RDP login from the user PC (10.10.10.128) can be identified at 10:44:24 AM on January 8, 2024 (Figure 12). Considering that the file server was accessed at 10:57:36 on January 8, 2024, it can be assumed that the user PC (10.10.10.128) accessed the file server (10.10.20.108) through the administrator PC (Figure 13).

Since the user in question used a file transfer protocol path, it is judged that he or she accessed a file sharing directory configured on the system rather than making a general connection, and the transfer of a large amount of sensitive data such as files marked ‘confidential’ and ‘confidential information’ confirms that this is abnormal behavior (Figure 14). Evidence of VPN connection attempts can also be obtained through log analysis. If an agent-based security solution is in use, the correlation of the various data can be analyzed even more effectively.

Figure 12. Administrator PC RDP access event log ⓒ Quadminer
Figure 13. File server access event log ⓒ Quadminer

Figure 14. File Transfer Protocol Communication History ⓒ Quadminer
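As an added example (not Quadminer or NBB code; the article does not show NBB’s internal schema), the following Python sketches the detection chain of steps 1-1 through 3 over constructed flow records: the SMB volume deviation, the two-hour RDP session, the 100MB upload threshold, the HTTP 200 / “state”: “complete” confirmation, and a pivot on the suspicious IP for correlation. Field names, thresholds and the VPN-pool address 10.10.50.21 are assumptions.

```python
# Added example, not NBB code: records are constructed to mirror the article;
# field names, thresholds and the VPN-pool address 10.10.50.21 are assumptions.
import json
from dataclasses import dataclass

MB = 1_000_000
INTERNAL = ("10.", "192.168.")  # RFC 1918 prefixes used in the case study

@dataclass
class Flow:
    ts: str          # start time HH:MM (constructed)
    src: str
    dst: str
    proto: str       # "smb", "rdp" or "https"
    bytes_out: int   # bytes sent from src to dst
    seconds: int     # session duration
    host: str = ""   # server name for HTTPS flows
    status: int = 0  # HTTP response code
    body: str = ""   # response body excerpt

FLOWS = [  # constructed sample; sizes and addresses follow the article's narrative
    Flow("09:00", "10.10.10.131", "10.10.20.108", "smb", 85 * MB, 600),
    Flow("09:30", "10.10.10.132", "10.10.20.108", "smb", 95 * MB, 600),
    Flow("10:57", "10.10.10.130", "10.10.20.108", "smb", 238 * MB, 900),
    Flow("11:10", "10.10.50.21", "192.168.30.102", "rdp", 5 * MB, 9000),
    Flow("11:40", "192.168.30.102", "203.0.113.10", "https", 20 * MB, 60,
         host="mail.naver.com", status=200),
    Flow("12:10", "192.168.30.102", "203.0.113.20", "https", 380 * MB, 300,
         host="send-anywhere.com", status=200, body='{"state": "complete"}'),
]

def smb_volume_anomalies(flows, factor=2.0):
    """SMB flows above `factor` x the mean of the other SMB flows to the same server (238MB vs ~90MB)."""
    hits = []
    for f in (x for x in flows if x.proto == "smb"):
        peers = [x.bytes_out for x in flows
                 if x.proto == "smb" and x.dst == f.dst and x is not f]
        if peers and f.bytes_out > factor * sum(peers) / len(peers):
            hits.append(f)
    return hits

def long_sessions(flows, proto="rdp", min_seconds=2 * 3600):
    """Sessions of two hours or more (cf. SuspiciousActivity_R2L_Session2Hour_TCP)."""
    return [f for f in flows if f.proto == proto and f.seconds >= min_seconds]

def large_uploads(flows, min_bytes=100 * MB):
    """Internal-to-external transfers of 100MB or more (cf. DataUpload_100M_L2R)."""
    return [f for f in flows if f.src.startswith(INTERNAL)
            and not f.dst.startswith(INTERNAL) and f.bytes_out >= min_bytes]

def upload_completed(f):
    """Confirmation step: HTTP 200 and a JSON body whose state is "complete"."""
    try:
        return f.status == 200 and json.loads(f.body).get("state") == "complete"
    except (ValueError, AttributeError):
        return False

def pivot(flows, ip):
    """Correlation: every flagged flow touching `ip`, deduplicated, in time order."""
    flagged = smb_volume_anomalies(flows) + long_sessions(flows) + large_uploads(flows)
    return sorted({id(f): f for f in flagged if ip in (f.src, f.dst)}.values(), key=lambda f: f.ts)
```

Pivoting on the RDP destination 192.168.30.102 ties the long session to the later 380MB upload, which is the correlation the endpoint logs in step 4 then back up.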

Network Black Box #2: Managing Security Blind Spots

Now let’s look at another case. Even users who are excluded from data security solutions (DLP, DRM) or content management solutions (blocking of harmful sites) because of the nature of their work still need to be covered by security management. How can we identify and analyze the behavior of users who fall into the blind spot of security solutions for various endpoint-agent reasons (agent not installed, unsupported OS, licensing, etc.)? NBB makes it possible to check what data was included even when such users attempt to leak information, and preserves the evidence for a long period. For example, suppose a rule defines uploading content to a commercial portal service such as Naver Blog as ‘abnormal content behavior’, and a user uploads content to a personal blog. NBB recognizes the act as policy-violating traffic. In this case, the file search function can be used to check packets that attempted to upload files from inside to an external portal site. The packets include the upload method, application name, file type and name, and hash information (Figure 15).

Figure 15. Packet attempting to upload a file to Naver Blog ⓒ Quadminer

Detailed packet analysis to secure evidence shows that this was an upload attempt through the Naver Blog Editor (platform.editor.naver.com) (Figure 16). Even if the insider makes the post private after uploading the file, making it difficult to verify, NBB stores the packets from the time of upload, so the web screen can be reproduced as an HTML-rendered page.

Figure 16. Checking file upload attempt using blog editor ⓒ Quadminer

This record (Figure 17) is clear evidence that the user leaked important information handled in the course of work to an outside party. In addition, further information about what the insider uploaded to the blog can be obtained through searches on commercial portal services (Figure 18).

Figure 17. Reproduction of HTML rendering page of web screen where blog posts are registered ⓒ Quadminer
Figure 18. Information leaker’s portal site search history ⓒ Quadminer

Realizing ‘Explainable Security’ with Evidence Data

As confirmed in the cases above, NBB does not ‘estimate’ threats, but quickly and accurately analyzes them based on the actual traces left by cyber attackers or insiders. Greater synergy is achieved when it is linked with other security tools. The data collected, detected and analyzed by NBB can also serve as evidence for events detected by existing security tools, and NBB covers threats that existing tools cannot detect.

NBB’s potential threat hunting is based on the MITRE ATT&CK framework and the TTP analysis of globally well-known threat groups such as UNC, APT, and FIN. In addition, Quadminer’s own threat hunting research institute H Lab allows hunting rules to be set according to various threat information from around the world as well as the latest trends in the domestic market, which is an undeniable advantage. NBB sorts confirmed threat attacks by progress rate and maps detected/discovered activities to TTPs for each threat group to easily visualize the time series of threats.

By introducing NBB, enterprises can simplify the complex and passive existing security operation system into an active analysis and detection system. The benefits obtained through this are diverse, including a rapid pre/post response system and an integrated monitoring environment. Above all, it is possible to extract/reproduce/analyze content and search metadata to understand the situation, thereby realizing eXplainable Security (XSec) for threats.

Today, the attack surface of enterprises is expanding due to the acceleration of digital transformation, the emergence of new technologies such as generative AI, and changes in the work environment, and the number of attempted and successful data thefts is rapidly increasing. There are still many cases of companies suffering serious damage from cybersecurity incidents. In order to effectively deal with increasingly sophisticated cyber threats, an explainable NDR solution based on definitive evidence is more necessary than ever.

*Choi Hyeong-seon is the Quadminer technology team leader.

Source: www.itworld.co.kr