Jaya Baloo had barely taken up the post of CISO at Avast, after leaving a similar position at the telecom operator KPN, when she had to deal with the consequences of a serious incident. Attackers were able to penetrate the perimeter using a stolen VPN account. We asked Jaya Baloo what the staff went through after the attack, and what life is like for a CISO at an antivirus company.
– Tell us what the incident looked like from your point of view.
– I joined the company on October 1, 2019. And in the last week of September, when I was still at KPN, they called me from Avast and said that they were seeing something strange. Of course, I asked how strange. In our business, something strange is always happening, especially when you look at the logs coming in from everywhere. I was told that it looked very much like an attack.
We immediately brought in an external forensics contractor, sent them the findings and had them examine them right away. Then we pulled the logs ourselves, trying to understand what had happened. And we found things there that nobody had paid attention to at first.
To get the richest information, you need to look at the dashboards of each individual device rather than the combined logs in syslog and elsewhere. This is, of course, very painstaking work and generally an inefficient approach, which I hope to avoid in the future. But that is how we found discrepancies in the logs from Microsoft Analytics, from the VPN, from the firewalls and from the other services we run.
And the most unpleasant thing in such a situation is that you don’t know which one to believe. For example, you see something unusual, check it against another log, decide that it is some kind of false positive, and move on. And that was exactly the clue that could have led you to the truth.
It’s like being in a futuristic forest from the Hunger Games, seeing four paths and not knowing which one to take in order to get somewhere and not die on the way. At first, for example, we chose the wrong one.
– Isn’t a SIEM supposed to work in exactly such cases?
– Obviously not well enough, and I plan to replace ours. We should have noticed the anomaly earlier and found the correlation. But when we were already examining the consequences and isolating the network, the picture gradually began to take shape.
The attacker was able to penetrate the perimeter through the VPN. Moreover, the profile he used should not have existed: some time ago it had been created to upload backups and should have been deactivated. But that was not done – most likely by mistake, and not with the attack in mind.
Nevertheless, the username and password required to log in were stolen. There was no two-factor authentication on it, although everywhere else we use 2FA.
– Did you track who used this connection, and how?
– We found a user whose credentials had been compromised and used to log in to the VPN. At first, the attacker had only very low user privileges, but then, using Mimikatz or pass the hash (the Kerberos attack technique), the attackers gained domain admin rights. We saw replication requests on a domain controller. It was this action that triggered the alert from ATA (Advanced Threat Analytics), which attracted our attention. Unfortunately, we dismissed it as a false positive.
When we returned to this path and studied all the timestamps, we were able to trace the entire course of the attack. The Check Point logs clearly showed where they succeeded and where they could not get through. They didn’t get to the “crown jewels”. But how can you be one hundred percent sure? No way! That is why we switched to siege mode, turned off everything we could, and began to double-check everything.
And that is why they love me so much here now. But I had to start from the worst-case scenario. Because there is no second chance to fix software that could have been signed with a compromised certificate. Therefore, we traced the attack back to its starting point (May 14-15, 2019), when the first login through this VPN took place, and decided not to trust anything that happened after that.
If it was possible to elevate the rights of this particular user to domain controller admin, then it turns out that nothing can be trusted at all. So everything we released over the past six months had to be checked. Every release of every one of our products, for all possible injection methods. And not once, but twice. In general, another reason to love security!
– Data, source code and popular products owned by an antivirus company are probably a tasty morsel for many. And, I think, not only for criminals, but also for intelligence services…
– That is why at the very beginning of the incident we turned to our colleagues, including competing antivirus companies. We wanted to give them information that would help them protect themselves from a repeat of this story. In my opinion, this is very important, and in the antivirus industry it does not happen often enough. Telecom, for one, survives only because all operators face the same threats. When I was at KPN, for example, I caught an attack on Belgacom.
The continuation is available only to Xakep.ru community members. Materials from the latest issues become available separately two months after publication.