Open Season: Hunting Adversaries with Polarity and HYAS

Community Tech Tuesdays Aug 28, 2020

This is a recording of Community Tech Tuesday, where you’ll hear from Polarity and our integration partner, HYAS. We go light on slideware so we can focus on live product demo and Q&A. It’s a great way to see how Polarity and HYAS can help you to see the story in your data with Augmented Reality overlaying contextual information as you work, giving you the right data at the right time to make informed decisions and take action with speed. You can watch the video or read the transcript below to learn more, and try the Polarity-HYAS Integration here.

As always, our story today begins with our make-believe company - AcmeCorp. We like to think we are a fairly mature company when it comes to our security posture. Truth is, here -- just like anywhere else, we have our blind spots, there are chinks in our armor and mistakes inevitably occur.

This story today really kicks off when “Joe” opens an email from what he thinks is his friend “Angela”. All of the filters we have at our mail gateway - and protections at our perimeter - all go out the window with split tunneling.

Nevertheless - Joe calls the helpdesk and reports his symptoms to the helpdesk analyst who quickly takes down all the pertinent information and assures Joe that we will work on it for him and give it our utmost attention.

Now, as in most operations, here at AcmeCorp - the first thing our helpdesk analyst's procedure says to do is to validate that the system is patched, any affected software is up to date, and that the AV defs and EDR are all up to date. As you probably guessed - of course they are.

Right now we know we need to escalate this to tier 2 because it is beyond the helpdesk call operator’s scope. But before we leave the helpdesk, the operator makes a quick annotation in Polarity regarding Joe’s IP address at the time of the event’s escalation - so that if anyone else in the entire organization sees his IP address, they will know that it is in a current investigation and has been escalated to InfoSec. A simple keystroke will bring up the Polarity Annotation screen and allow me to create an “entity” - anything that I want to have brought to my attention - or to the attention of anyone in my organization. The annotation is the data I want to “recall” whenever it is displayed -- anywhere, on anyone’s screen.

Following incident escalation, the real hunting season begins - this is where we have a whole new set of tiers and handoffs, as well as different tools and different responsibilities. Everything we are about to walk through in most cases is some amalgamation of different roles, or even a single person. This is what I meant when I was referring to Data Awareness - contextual relevance of all of the data as it's displayed on any screen - leveraging the power of all of our tools as we work linearly.

So now that we have an event that’s been escalated as an incident, let's look at what we have. So, Joe said he sent the email as an attachment to the Phishing box.

As a Tier 2 analyst, I have access to a few additional tools - AlienVault and ReversingLabs in particular. If you were able to join us for our last Community Tech Tuesday, you would have seen that we added the ability to switch through integrations right on the overlay screen. You can have all of your tools set as you work, or switch tools on and off as mode and needs shift throughout your day. I am going to switch AlienVault and ReversingLabs on now with a simple toggle switch on each.

So far, I have been using Polarity in on-demand mode only. This means that Polarity only reads what I ask it to. Now, I am going to switch over to Highlight mode. This mode allows Polarity's computer-vision to see everything on my screen and provide color highlights on pertinent information, right on my screen.

Let’s go take a look at what we can find. Unpacking the email, all kinds of stuff looks wonky here. Broken English, questionable use of punctuation, etc. Looking deeper into the headers we see that we have a return path that does not match the Reply-To. Hmmm… Don't seem to know anything about this particular source email, but let's keep unpacking the email and chasing the rabbit into the hole.

So, now we are going to want to see if we can identify the file attachment. So a simple md5sum shows us what we may or may not know about the file attachment. Uh oh - yup. It's bad - in fact it's really bad in a lot of ways. I am working as a second tier - and I know already this is going to need some real attention when it comes to remediating and un-doing the potential level of damage this type of file can create. This should probably be forked over to our malware analysis team to really unpack and reverse what this thing is doing.
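The header comparison and attachment hashing described above, as an added example (not part of the original recording and not Polarity or HYAS code). It assumes the report reaches the phishing box with the suspect mail attached as `message/rfc822`; the addresses, file name and attachment bytes are constructed, and SHA-256 is computed alongside the MD5 the walkthrough mentions.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

SAMPLE_BYTES = b"constructed sample bytes, not real malware"

def addr_domain(value):
    """Lowercased domain of an address header; '' when the header is absent."""
    return parseaddr(str(value or ""))[1].rpartition("@")[2].lower()

def triage(raw_report):
    """Inspect each mail attached (message/rfc822) to a phishing-box report."""
    report = message_from_bytes(raw_report, policy=policy.default)
    findings = []
    for part in report.walk():
        if part.get_content_type() != "message/rfc822":
            continue
        suspect = part.get_content()  # the forwarded original, headers intact
        rp = addr_domain(suspect["Return-Path"])
        rt = addr_domain(suspect["Reply-To"])
        hashes = {}
        for att in suspect.iter_attachments():
            data = att.get_payload(decode=True) or b""
            hashes[att.get_filename() or "(unnamed)"] = {
                "md5": hashlib.md5(data).hexdigest(),  # lookup key only
                "sha256": hashlib.sha256(data).hexdigest(),
            }
        findings.append({"return_path": rp, "reply_to": rt,
                         "mismatch": bool(rp and rt and rp != rt),
                         "attachments": hashes})
    return findings

def build_sample_report():
    """Constructed sample: Joe forwards the suspect mail as an attachment."""
    phish = EmailMessage()
    phish["Return-Path"] = "<bounce@mailer.example>"
    phish["From"] = "Angela <angela@acmecorp.example>"
    phish["Reply-To"] = "angela@freemail.example"
    phish.set_content("pls open attach file !!")
    phish.add_attachment(SAMPLE_BYTES, maintype="application",
                         subtype="octet-stream", filename="invoice.doc")
    report = EmailMessage()
    report["From"], report["To"] = "joe@acmecorp.example", "phishing@acmecorp.example"
    report.set_content("This looks suspicious, original attached.")
    report.add_attachment(phish)  # attached as message/rfc822
    return report.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample_report()))
```

Forwarding as an attachment matters here: an inline forward rewrites the headers, so the Return-Path and Reply-To of the original would no longer be available to compare.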

But before I escalate - let me go back through the case notes and be sure I quarantine the host in question that has the initial infection. By using a Phantom playbook, I can quarantine the endpoint - as well as put a copy of the malware/ransomware in question in a file vault for further reversing if need be. I also see in our Splunk logs there have been downloads to this IP address of a different hash that we have not blocked.

At this point, we need to escalate to Tier 3. We need to be sure we don't have any other exposure, and perhaps we should start working through attribution. We have now successfully worked through containment - but let's be sure we have all of the loose ends tied up.

Now when the Tier 3 analyst looks into the data, they have all of the tools that the other levels have used, but they also have higher precision, higher quality tools at their disposal. Let's click on HYAS Insight, and start combing through what we know. I can see all of the annotations, as well as the comments from the prior escalations - giving me total data recall. I know what our collective intelligence is on all of these data points. Couple that with my high precision data awareness from HYAS, I can start working further along.

What we know to this point:

  • Malware/ransomware was installed on a single workstation.
  • That workstation is now quarantined.
  • We need to move into a higher level of mitigation by blocking the hash or hashes we have identified.
  • We have not identified if this is a random attack of opportunity, or if it is a threat actor targeting us specifically.

At the Tier 3 point, we need to be sure that we have blocking controls in place for the IPs, domains, and file hashes involved. We need to be sure that we lift the workstation off of quarantine, and nuke it from high orbit or put it in a controlled area for observation.

This is where HYAS really starts to shine for us as we walk back through the headers of the email - the return path email in question is a known threat actor with records showing as recently as 6/15. The second hash in question - the one the initial dropper brought to the party is indeed ransomware.

The IP address the ransomware came from has a device ID associated with it -- thank goodness Splunk Enterprise didn't return any associations with that device ID on our network. That would mean that we potentially had them running amok on our network. This is where the fidelity of the HYAS data really shows its mettle, a device ID is like having a MAC address or a SIM card ID, and we can see that this device ID was not returned from Splunk. That said - we will be sure we put it into our device filters at the access layer.

Pivoting out to HYAS, I can drill into attribution of the actual threat actor, and other data points that have been seen in use in their nefarious campaigns.

The power of Data Awareness and Data Recall throughout this entire demonstration illustrates the power of both Polarity and HYAS Insight. Security work will never be completely done, but we can feel comfortable reporting to our senior management that we have this well in hand - by leveraging all of the power of these tools - it's Open Season - let's go hunting!

What Next?

Try the Polarity-HYAS Integration.

See Polarity for yourself by getting early access to Polarity’s Community Edition. To learn more, tune into our next Community Tech Tuesday.