Friday, June 18, 2010

For Google, DNS log analysis essential in Aurora attack investigation

A Google employee clicked on a malicious link in an instant message, setting off a series of events that resulted in the infiltration of Google's network for months and the ability to steal data from a variety of the search engine giant's systems.

Heather Adkins, information security manager at Google, shed a few details about the Google Aurora attack disclosed by the company in January. The attacks, which targeted Google and about 20 other companies, were an advanced persistent threat, a carefully planned attack by an organized group of cybercriminals to infiltrate and steal data for a long period of time without being detected. Speaking to a packed conference venue on Tuesday at the Forum of Incident Response and Security Teams (FIRST) Conference 2010, Adkins explained how the company set up an incident response team, conducted its investigation and carefully analyzed mountains of DNS data to trace and determine the scope of the attack.

Adkins said only a few of the stages that the attackers undertook were unique. Most of the stages, from carrying out the social engineering attack to exploiting the zero-day vulnerability in Internet Explorer 6, were very common.

"It may not take a highly complex operation to infiltrate your network," Adkins said. "It's not really a question of how hard each stage was; it's a question of the skill required, the availability of the tools and the difficulty of the technique."

The Google APT operation began with reconnaissance work. Specific Google employees were targeted. The attackers gathered as much information as they could, gleaning much of the data posted by employees on Facebook, Twitter, LinkedIn and other social networks. The cybercriminals then used a dynamic DNS provider to set up a Web server hosting a phony photo website. The Google employee received a link from a person they trusted and clicked on it, sending them to the malicious website, which instantly downloaded malware on their computer.

"These are not massive botnets that are targeted at the entire Internet for whoever stumbles upon them," Adkins said. "It's spread very thinly against targeted systems and the infrastructure that supports them is very small."

Adkins said the malware itself was not particularly sophisticated. The cybercriminals set up a connection through a secure tunnel to the victim's machine and used the employee's credentials to gain access to other Google servers. The attackers can use a variety of methods to steal data, from the pass-the-hash technique, a toolkit designed to read Windows credentials stored in local memory, to saved passwords in remote desktop and keyloggers to record the victim's keystrokes. Once they gained super-user privileges, they installed a backdoor onto the server to view and steal files and attempt to stealthily gain access to other systems.

Adkins said the kind of digital impersonation employed in the Google Aurora attack is difficult to detect. A security technology that Adkins declined to identify alerted the security team to the infiltration, setting the stage for the lengthy investigation.

Systems forensics, event logs and malware analysis are where Google found the most benefit, Adkins said. In the period after Google discovered the infiltration, the security team had become so sensitive that it had to be careful not to overanalyze every single anomaly.

"You commonly won't realize it's an APT until you do some triage work," she said.

When the team analyzed the MD5 signature of the malware, no one seemed to know about it, providing the first clue that something was wrong. The security team also found the use of a hard-coded DNS server. When the attackers conducted reconnaissance, they performed DNS queries, data that was useful in the investigation, Adkins said.

The team searched for hosts and the DNS queries, building a picture of the scope of the attack. Concentrated DNS queries in a specific place represented invasive operations, she said. Most traffic mainly reaches out to common sites. A warning sign is when traffic is detected going to a new website that was recently registered and no one had visited before.
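The checks described above (names never seen before, queries concentrated on a single host, and use of a resolver other than the sanctioned one) can be run directly over resolver logs. The following Python is an added example, not Google's tooling or code from the article; the log format, addresses, domain names and the `APPROVED_RESOLVERS` set are constructed assumptions, and first-seen status stands in for registration age, which DNS logs do not carry.

```python
from collections import defaultdict

# Constructed sample log: "<ISO time> <client IP> <resolver IP> <queried name>"
SAMPLE_LOG = """\
2010-01-04T09:00:01 10.0.0.5 10.0.0.53 www.example.com
2010-01-04T09:00:07 10.0.0.6 10.0.0.53 mail.example.com
2010-01-05T09:01:00 10.0.0.5 10.0.0.53 www.example.com
2010-01-05T09:02:10 10.0.0.7 10.0.0.53 photos.dyn-placeholder.test
2010-01-05T09:02:40 10.0.0.7 10.0.0.53 photos.dyn-placeholder.test
2010-01-05T09:03:05 10.0.0.7 10.0.0.53 photos.dyn-placeholder.test
2010-01-05T09:04:00 10.0.0.8 192.0.2.99 www.example.com
2010-01-05T09:05:00 10.0.0.6 10.0.0.53 news.example.org
"""

APPROVED_RESOLVERS = {"10.0.0.53"}  # assumption: the site's sanctioned resolvers


def parse(log_text):
    """Yield (day, client, resolver, name) from well-formed lines; skip the rest."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, resolver, name = parts
        yield ts[:10], client, resolver, name.lower().rstrip(".")


def triage(log_text, baseline_days, min_queries=3):
    """Compare one day's queries against names seen on the baseline days."""
    known = set()
    per_name = defaultdict(lambda: defaultdict(int))  # name -> client -> count
    bypass = set()  # (client, resolver) pairs that skipped the approved resolvers
    for day, client, resolver, name in parse(log_text):
        if day in baseline_days:
            known.add(name)
            continue
        per_name[name][client] += 1
        if resolver not in APPROVED_RESOLVERS:
            bypass.add((client, resolver))
    new_names = {n: dict(c) for n, c in per_name.items() if n not in known}
    # A never-seen name queried repeatedly by a single host is the subtle signal.
    concentrated = {n: c for n, c in new_names.items()
                    if len(c) == 1 and sum(c.values()) >= min_queries}
    return new_names, concentrated, bypass


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, {"2010-01-04"}))
```

In practice the baseline would cover weeks of history rather than one day, and first-seen names would be enriched with registration data from an external source before an analyst reviews them.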

"DNS query logs may be the only method you have to find new generations of malware," she said. "The adversary will need to reach other systems to install that malware. We often look for the big [anomalies], but we have to monitor for the subtle too." ...

via For Google, DNS log analysis essential in Aurora attack investigation.
