One Article Review

The article:
Source AlienVault Blog
Identifier 2421791
Publication date 2021-03-02 11:00:00 (seen: 2021-03-02 12:05:30)
Title Stories from the SOC – Beaconing Activity
Text Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers.

Executive Summary

Beaconing analysis is one of the most effective methods for threat hunting on your network. In the world of malware, beaconing is the act of sending regular communications from an infected host to an attacker-controlled host to signal that the malware on the infected host is alive and ready for instructions. It is often one of the first indications of a botnet malware infection, so it is important to spot the beaconing behavior before the infected host can expose data or launch an attack.

The investigation began in response to an alarm triggered by outgoing TCP traffic to an IP address that the AT&T Alien Labs Open Threat Exchange (OTX) had flagged as associated with foreign advanced persistent threat (APT) activity and malware communications. The team conducted a further review of this IP address using additional open source intelligence (OSINT) sources and verified that the destination IP address had been involved in malicious activity and was considered a high threat. Because the team started the investigation quickly, the customer was able to isolate the infected asset and perform remediation before the malware caused any further infection on their network.

Investigation

Initial Alarm Review

The initial alarm came from an event showing TCP traffic from one of the customer's internal assets to a known malicious IP address. This IP address was correlated with malicious activity recorded in OTX and in pulses created by AT&T Alien Labs, the threat intelligence team at AT&T Cybersecurity, which monitors active threats.

Further review of the customer's system showed that possible beaconing activity had begun recently and was being actively blocked by their Intrusion Prevention System (IPS), preventing further communication with the malicious IP address.

[Screenshot: beaconing alarm details]

Expanded Investigation

Once this beaconing activity was discovered, the team conducted a 30-day review of the customer's entire environment to look for signs of further intrusion. The original IP address was then analyzed using a variety of OSINT sources to gather related IOCs and other IP addresses that would indicate further intrusion had occurred. This review showed that no other assets had traffic involving the malicious IP address or other IOCs related to the APT, and that no other assets were exhibiting beaconing activity or lateral movement.

[Screenshot: beaconing analyst comments]

Response

The customer complimented the work of the team, citing that thanks to the quick response and phone calls, they were able to identify and isolate the infected system before any further damage was done. This allowed them to perform a more in-depth investigation without fear of missing other underlying activity that would have been difficult to correlate on their own. The customer stated that they were very happy with the service and feel much more at ease knowing that the AT&T SOC has eyes on their network 24/7/365. This also led the customer to upgrade their storage tier from 3TB to 6TB so the SOC could monitor more of their environment.
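The story rests on two signals: an indicator match (the destination IP appeared in an OTX pulse) and regular connection spacing (the beaconing the analysts then hunted for across the whole environment). The script below is an added example, not the post's own code or AT&T's tooling: it runs both checks over a constructed Zeek-style conn.log excerpt. The indicator list, the log lines, the addresses (RFC 5737 documentation ranges and private space) and the 0.2 coefficient-of-variation threshold are all assumptions made for the example.

```python
"""Beaconing triage over constructed conn.log lines (added example, not AT&T's tooling)."""
import ipaddress
import statistics
from collections import defaultdict

# Constructed stand-in for OTX pulse indicators. 203.0.113.0/24 is a
# documentation range, not a real command-and-control address.
KNOWN_MALICIOUS_IPS = {"203.0.113.77": "hypothetical APT pulse"}

# Constructed log excerpt; fields: ts src_ip dst_ip dst_port proto.
# 10.0.0.5 beacons roughly every 60s (small jitter), 10.0.0.9 browses
# irregularly, 10.0.0.12 polls an internal NTP server every 64s exactly.
SAMPLE_CONN_LOG = """\
1614682800.0 10.0.0.5 203.0.113.77 443 tcp
1614682861.0 10.0.0.5 203.0.113.77 443 tcp
1614682919.0 10.0.0.5 203.0.113.77 443 tcp
1614682981.0 10.0.0.5 203.0.113.77 443 tcp
1614683040.0 10.0.0.5 203.0.113.77 443 tcp
1614683099.0 10.0.0.5 203.0.113.77 443 tcp
1614682800.0 10.0.0.9 198.51.100.20 443 tcp
1614682803.0 10.0.0.9 198.51.100.20 443 tcp
1614682950.0 10.0.0.9 198.51.100.20 443 tcp
1614683100.0 10.0.0.9 198.51.100.20 443 tcp
1614683105.0 10.0.0.9 198.51.100.20 443 tcp
1614683700.0 10.0.0.9 198.51.100.20 443 tcp
1614682800.0 10.0.0.12 10.0.0.1 123 udp
1614682864.0 10.0.0.12 10.0.0.1 123 udp
1614682928.0 10.0.0.12 10.0.0.1 123 udp
1614682992.0 10.0.0.12 10.0.0.1 123 udp
1614683056.0 10.0.0.12 10.0.0.1 123 udp
"""


def parse_conn_log(text):
    """Parse whitespace-separated connection lines; skips blank and comment lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, proto = line.split()
        records.append({"ts": float(ts), "src": src, "dst": dst,
                        "port": int(port), "proto": proto})
    return records


def ioc_hits(records, iocs=KNOWN_MALICIOUS_IPS):
    """Alarm stage: every (src, dst) pair whose destination is on the indicator list."""
    return sorted({(r["src"], r["dst"], iocs[r["dst"]])
                   for r in records if r["dst"] in iocs})


def periodicity(records, min_connections=5):
    """Hunt stage: per (src, dst) pair, mean gap between connections and its
    coefficient of variation (stdev / mean). A low CV means near-constant
    spacing, which is the signature of a beacon. Returns
    {(src, dst): (mean_interval_seconds, cv, connection_count)}."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    result = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # too few samples to judge regularity
        stamps.sort()
        intervals = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue
        result[pair] = (mean, statistics.pstdev(intervals) / mean, len(stamps))
    return result


def triage(records, max_cv=0.2, iocs=KNOWN_MALICIOUS_IPS):
    """Combine both signals into one verdict per (src, dst) pair for the analyst."""
    verdicts = {}
    # Indicator matches alarm regardless of timing (this is what fired in the story).
    for src, dst, label in ioc_hits(records, iocs):
        verdicts[(src, dst)] = f"alarm: traffic to {label}"
    # Periodicity also catches beacons to destinations no pulse has listed yet.
    for pair, (mean, cv, n) in periodicity(records).items():
        if cv > max_cv:
            continue  # irregular spacing: not a beacon candidate
        if pair in verdicts:
            verdicts[pair] += f"; beaconing every ~{mean:.0f}s (cv={cv:.2f}, n={n})"
        elif ipaddress.ip_address(pair[1]).is_private:
            verdicts[pair] = f"review: periodic internal traffic every ~{mean:.0f}s, likely benign (e.g. NTP)"
        else:
            verdicts[pair] = f"hunt: periodic traffic to unlisted external IP every ~{mean:.0f}s (cv={cv:.2f})"
    return verdicts


if __name__ == "__main__":
    for pair, verdict in sorted(triage(parse_conn_log(SAMPLE_CONN_LOG)).items()):
        print(f"{pair[0]} -> {pair[1]}: {verdict}")
```

Grouping by (src, dst) alone is a deliberate first pass; on real data you would also split by destination port, widen the window to the 30 days the analysts reviewed, and expect adversaries to add jitter, which is why the CV threshold is a tunable rather than a constant. The internal-address branch is the caveat the expanded investigation implies: periodic traffic is only suspicious once you have ruled out the legitimate pollers (NTP, update checks, monitoring agents) that look exactly like a beacon.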
Sent Yes
Tags Malware Threat
Stories


The article does not appear to have been picked up after its publication.


The article does not appear to have been reused from a previous one.