Smelling a RAT: Lesson Learned from Sophos

Is it me or does it seem that several times a week, an organization of significant size is reporting intrusion failures that put various IT assets at risk, whether it be customer credit card data, employee social security numbers, or, in today’s example, a renowned security firm? Sophos discovered its server was compromised.

In this case they discovered a couple of unauthorized programs that were designed “to allow unauthorized remote access to information.” The programs found were RATs (remote administration tools) which, had they remained undetected, could have seriously violated the security of Sophos’ partners. A RAT, of course, is a tool hackers use to remotely vault the security walls by finding a log or a file (a server side virus) to implant and then getting an unsuspecting dupe to click or open something you have repeatedly told them not to. Bottom line, the RAT doesn’t do damage in itself, but it gives complete control of your server or device to an outside influence (presumably for less than upstanding purposes!)…and it can multiply across your enterprise.

Like our post regarding Global Payments, the gist of this blog is not to point fingers and shout “you should have known better,” but analyze how the situation could have been avoided in the first place. That’s the driving issue with many of these breaches; they are completely preventable with a modicum of strategy and application.

A week or so ago, I introduced the concept of situational awareness. Now this concept is not exclusive to the cloud, but it seems to work best when correlating and managing from a virtual platform. The concept is that SIEM, Log Management, Identity Management and other security solutions work great independently, but if you are not collectively correlating the information from each datapoint, you run the risk of missing the signs of a breach. And one of the benefits of cloud-based security is that you typically get best-of-brand, enterprise-grade solutions that would otherwise be too costly to implement on premise.

Take OSSEC as an intrusion detection system: it performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. And it is supported on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and Windows.

BUT…and it’s a big but (which you can tell by the use of bold capital letters!): any intrusion system needs a powerful correlation engine to provide the proper context for the millions of intrusions (both harmless and less so). Some harmless events, based on your defined rules, might be perfectly acceptable; just as in a medical diagnosis, one symptom in itself is not alarming. But when you put together all the symptoms from all the different independent systems, an entirely different story may emerge.

Again, I point to the cloud as a solution. Because logical correlation is between events from different sources, you want to make sure the solution already has thousands of built-in rules. Then on top of that foundation, you begin defining the specifications and priorities that make your set-up and situation unique. Then you want to ensure you have cross correlation between your events and the various destination vulnerabilities. There are different levels of trustworthy sources, and that is unique to every enterprise.

Nonetheless, part of the best practices is to identify and prioritize these destinations so that when an event is correlated, it is properly graded and remediated or reported to the right escalation/action level. Lastly, you want to enforce Inventory Correlation between events and definition characteristics. Much like the destination vulnerabilities, each asset (web server, app server, devices etc…) also needs to be ranked. Again this allows a better analysis of all the traffic that comes in. You might have a different alert protocol for traffic that comes from a known supplier than an unknown event originating in Russia. The key is that without correlation, you are making decisions in isolation and therefore not necessarily seeing the entire story.

In tandem, this complex correlation strategy makes it possible to detect complex attacks like RATs and immediately send automated alerts to your security incident handling team. And, if your correlated rules dictate, to quarantine the event, log, or file so it can do little or no damage while you investigate the potential breach.
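The three correlation layers described above (logical correlation across tools, cross correlation against destination vulnerabilities, and inventory correlation by asset rank, plus source trust) can be sketched as a small scoring routine. This is an added example, not code from any product mentioned in this post; the hosts, addresses, events, weights and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed inventory: business rank (1-5) and known weaknesses per asset.
ASSETS = {
    "web01": {"rank": 5, "vulns": {"remote-exec"}},
    "kiosk7": {"rank": 1, "vulns": set()},
}
# Constructed source trust table: 0 = known supplier; anything unlisted is 2.
SOURCE_RISK = {"198.51.100.10": 0}
UNKNOWN_SOURCE_RISK = 2
WINDOW = 300  # seconds in which events on one host are treated as related

# Constructed, already-normalized events from three independent tools.
EVENTS = [
    {"t": 100, "tool": "ids", "host": "web01", "src": "203.0.113.9", "sig": "remote-exec"},
    {"t": 130, "tool": "ids", "host": "kiosk7", "src": "198.51.100.10", "sig": "remote-exec"},
    {"t": 160, "tool": "fim", "host": "web01", "src": None, "sig": "new-binary"},
    {"t": 220, "tool": "netflow", "host": "web01", "src": "203.0.113.9", "sig": "outbound-session"},
]

def correlate(events, assets=ASSETS, window=WINDOW):
    """Return {host: (score, action)} for the latest window of events per host."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["t"]):
        by_host[ev["host"]].append(ev)
    verdicts = {}
    for host, evs in by_host.items():
        asset = assets.get(host, {"rank": 1, "vulns": set()})
        recent = [e for e in evs if evs[-1]["t"] - e["t"] <= window]
        # Logical correlation: how many independent tools report this host.
        score = len({e["tool"] for e in recent})
        # Cross correlation: does any event target a weakness the asset has?
        if any(e["sig"] in asset["vulns"] for e in recent):
            score += 2
        # Source trust: the least trusted origin seen in the window.
        score += max((SOURCE_RISK.get(e["src"], UNKNOWN_SOURCE_RISK)
                      for e in recent if e["src"]), default=0)
        # Inventory correlation: weight by how much the asset matters.
        score *= asset["rank"]
        action = "quarantine" if score >= 30 else "alert" if score >= 10 else "log"
        verdicts[host] = (score, action)
    return verdicts

if __name__ == "__main__":
    for host, verdict in correlate(EVENTS).items():
        print(host, verdict)
```

With the sample data, the same IDS signature is only logged on the low-ranked kiosk reached from a known supplier, raises an alert on its own against the vulnerable web server, and escalates to quarantine once file-integrity and network events on that server line up with it.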

We realize it takes resources (budget and manpower) that you may not have to build these correlation matrices and create a powerful situational awareness strategy. And that’s all the more reason to consider security-as-a-service managed from the cloud which can give you the bandwidth to properly manage .

Just keep in mind, all a RAT needs is one small crumb of cheese and your server might as well be a fondue pot.

Before I sign off…I just wanted to invite our readers to an interesting online event on April 19. I will be hosting a webinar that delves into and dissects some of the most injurious IT threats and provides some cloud-based countermeasures. You can read more and register on the Webinars and Other Events tab above. I hope you will join me.

Kevin Nikkhoo
http://www.cloudaccess.com
