
How Network Teams Can Be Prepared for the Homeland Security Malware Warning

May 4, 2017

The National Cybersecurity and Communications Integration Center (NCCIC) issued a warning last week regarding an emerging sophisticated campaign targeting key sectors including information technology, energy, healthcare and public health, communications, and critical manufacturing.

The campaign, active since at least May 2016, appears to rely on stolen administrative credentials (local and domain) and stolen certificates, combined with sophisticated malware implants placed on critical systems.

According to the report, “Depending on the defensive mitigations in place, the threat actor could possibly gain full access to networks and data in a way that appears legitimate to existing monitoring tools.” That is the crux of the warning: access obtained with valid credentials and certificates does not look like an attack to tools that key on signatures or failed logons. The most distinctive implant observed in this campaign is the REDLEAVES malware. REDLEAVES consists of three parts: an executable, a loader, and the implant shellcode. It is a remote administration Trojan (RAT) written in Visual C++ that makes heavy use of thread creation during execution, and it carries the functions typical of a RAT, including system enumeration and opening a remote shell back to the command-and-control (C2) server.

It’s an ominous warning from the Department of Homeland Security and one that network teams should take seriously. As noted in the warning issued by the NCCIC, successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:

  • temporary or permanent loss of sensitive or proprietary information,
  • disruption to regular operations,
  • financial losses incurred to restore systems and files, and
  • potential harm to an organization’s reputation.

There are steps network teams should be taking now to limit risk and to ensure that any intrusion can be contained quickly. Specifically, the NCCIC notes that all teams should “complete and maintain network and system documentation to aid in timely incident response.”

As with any attack, visibility into the network is critical: the faster a network engineer can build a real-time view of the network, the sooner an attack can be contained. Dynamic Maps are a key advantage for any organization facing a network threat, because knowing which areas of the network are under attack can save valuable hours of analysis.

Going a step further, most network teams rely on static playbooks when troubleshooting a network attack, perhaps even using the guide provided by the NCCIC in its recent warning. Referencing those documents is useful, but it takes time and cannot be automated. Implementing Executable Runbooks ensures that network engineers are ready to troubleshoot at the first sign of an attack, again saving costly downtime.

Finally, when an attack is unfolding in real time, network and security teams may not be ready to mitigate it: either they are busy with other cases, or the attack has simply not yet surfaced as a priority. By enabling the creation and diagnosis of the attack path, triggered from systems such as a Security Information and Event Management (SIEM) solution, network engineers can visualize and gain insight into the malicious traffic at the time of the attack. The result? More complete and accurate information with which to defend the network.
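The workflow described in the last three paragraphs (a documented map of the network, a runbook that can be executed rather than read, and a SIEM alert that triggers attack-path diagnosis) can be sketched in code. The following is an added example written for this page; it is not code from the original post or from any product the post describes. It assumes, hypothetically, that the network and system documentation the NCCIC asks teams to maintain is kept as a simple device-to-subnet inventory, and that a SIEM alert carries a source and a destination IP address; both the inventory and the alert below are constructed for the example.

```python
"""Added example: map a SIEM alert onto documented network topology.

Not code from the original post or any product it describes. The
inventory format, the alert format and all addresses are assumptions
constructed for this example.
"""
import ipaddress
from collections import deque

# Constructed documentation: device name -> subnets (CIDR) it is attached to.
INVENTORY = {
    "core-rtr-1": ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"],
    "dist-sw-1": ["10.0.1.0/24", "10.10.0.0/24"],
    "dist-sw-2": ["10.0.2.0/24", "10.20.0.0/24"],
    "access-sw-users": ["10.10.0.0/24", "10.10.5.0/24"],
    "access-sw-servers": ["10.20.0.0/24", "10.20.7.0/24"],
    "edge-fw-1": ["10.0.0.0/24", "203.0.113.0/24"],
}

# Constructed SIEM alert (hypothetical shape): a workstation-segment host
# reaching a server-segment host with administrative credentials.
ALERT = {
    "rule": "Admin logon from workstation segment to server segment",
    "src_ip": "10.10.5.23",
    "dst_ip": "10.20.7.10",
}


def build_graph(inventory):
    """Undirected graph with both devices and subnets as nodes.
    A device is adjacent to every subnet it is attached to, so a path
    alternates subnet, device, subnet, ... between two end segments."""
    graph = {}
    for device, subnets in inventory.items():
        for cidr in subnets:
            graph.setdefault(device, set()).add(cidr)
            graph.setdefault(cidr, set()).add(device)
    return graph


def locate(ip, inventory):
    """Longest-prefix match of ip against documented subnets.
    Returns the CIDR string, or None when the address is undocumented."""
    addr = ipaddress.ip_address(ip)
    best = None
    for subnets in inventory.values():
        for cidr in subnets:
            net = ipaddress.ip_network(cidr)
            if addr in net and (best is None or net.prefixlen > best.prefixlen):
                best = net
    return str(best) if best is not None else None


def shortest_path(graph, start, goal):
    """Breadth-first search; returns the node list start..goal or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(graph.get(node, ())):  # sorted for determinism
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def attack_path(alert, inventory):
    """Resolve an alert's endpoints onto the map and list the devices between them.

    Returns a dict with:
      devices      - ordered devices on the path (what a runbook would inspect)
      path         - full subnet/device node sequence (empty if none)
      gap          - alert addresses the documentation does not cover; an
                     undocumented endpoint is itself a finding, since the
                     NCCIC guidance presumes complete documentation
      same_segment - set when both endpoints share one subnet
    """
    src_net = locate(alert["src_ip"], inventory)
    dst_net = locate(alert["dst_ip"], inventory)
    gap = [ip for ip, net in ((alert["src_ip"], src_net), (alert["dst_ip"], dst_net))
           if net is None]
    if gap:
        return {"devices": [], "path": [], "gap": gap}
    if src_net == dst_net:
        return {"devices": [], "path": [src_net], "gap": [], "same_segment": src_net}
    path = shortest_path(build_graph(inventory), src_net, dst_net) or []
    devices = [node for node in path if node in inventory]
    return {"devices": devices, "path": path, "gap": []}


if __name__ == "__main__":
    result = attack_path(ALERT, INVENTORY)
    print(ALERT["rule"])
    for hop in result["devices"]:
        print("  inspect:", hop)
```

The device list returned by `attack_path` is the point where an executable runbook would take over: each hop is a concrete place to pull interface counters, ACL hits or flow records for the alert's source and destination, instead of an engineer reading a static playbook and working out the path by hand. When `gap` is non-empty the alert touched an address the documentation does not know about, which is worth raising on its own before the technical triage continues.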

The latest warning from the Department of Homeland Security is a reminder that networks are constantly under threat, and that being equipped with the right tools can ensure that you are prepared for these situations.

For more information on the NCCIC warning, see the full details of the alert. To learn more about network automation and dynamic mapping, check out our recent discussion with Move, Inc. on network challenges and the right tools to use.