Suspicious Registry Keys and Requested files: A Threat Grid Case Study - Cisco Certifications

Threat Grid’s detections and indicators are created by the Research and Efficacy Team, or RET. The RET’s primary objective is to improve the detection rate of Threat Grid. As such we have to keep up with new malware campaigns and exploitation techniques. This often requires manual analysis of samples, which is an incredibly time-consuming process. As part of this duty, we must make use of automation tools to speed up our analysis. Threat Grid is chief among those tools, and we will be discussing an example where Threat Grid highlighted everything necessary to make a determination on a file.

The sample in question at first glance appears to have barely executed.  Threat Grid did convict the file, but not in the way or for the reasons we would expect. I dug into the sample in more detail to find out why.  A sample that is convicted due to static analysis only but exhibiting little dynamic behavior is indicative of evasive malware and warrants further examination by our team. To start off I checked into each indicator to determine, at the highest level, what has gone on.

Checking the AV indicator revealed that there were a great many hits on this file, and as such the chance of a false positive is low. The next three indicators triggered on the same two executables, both of which were placed in the AppData folder.

While the naming on the two files is odd and seemingly composed of arbitrary characters, it is far from enough to make a decision on the sample yet. However, the next three indicators again pertained to the same two executables, which supported the hypothesis that these oddly named files are malicious.

After all the indicators regarding the sample and its two created files, the next indicator in the list above is “DNS Query Returned Non-Existent Domain”. This can happen for primarily one of two reasons – the sample is either looking for command and control services that have either not yet been set up or have been already taken down, or the mere existence of the domain is being used as a signal to trigger an action, typically an abort or a proceed. With the abort option, the domain functions in essence as a killswitch; with the proceed option it is the opposite and the malware will “lay low” so as to not attract attention until the malware author or owner wants to activate it. Either way, this activity warrants further investigation of the sample – neither of these reasons are typically indicators of benign intent.

The remaining indicators on the report provided little additional info as the two executables were already suspicious enough to investigate.

The network section of the report was also of little use in this case, since as we mentioned above, the domain did not resolve, and so no important communications were established.

The process section can be incredibly useful but can easily overwhelm a user with the sheer amount of data available under each process. As such I typically do a first pass looking only at the names and number of processes and return later if applicable. In this case nothing stood out. I apply the same principle to the artifact section, where again nothing stood out besides the names of the two executables.

Proceeding to the Registry Activity section of the report proved to be very interesting. The sample created a rarely-used registry key with an executable path as its data. It was via review of Threat Grid analyses that we discovered this unusual and typically maliciously-used run key, and because of this discovery the system now flags such usage as suspicious via a Behavior Indicator created for that purpose.  As it turns out, the data points to one of the oddly named executables we saw earlier. This type of run key coupled with the suspicious features of the executable is indicative of malicious behavior.

Our experts say about Cisco Certification Exams

Moving Towards The Zero Trust Cybersecurity Framework - Cisco Certifications

The original Zero Trust model was conceived by Forrester, and leveraged by Google as part of their BeyondCorp initiative. Gartner has their framework called Continuous Adaptive Risk and Trust Assessment (aka. CARTA). These trust-centric approaches shift access decisions based on network topology to authorized users and devices.

The first step towards establishing trust-centric security should be an investigation and analysis of what your sensitive data is, where it lives, who accesses it, and who might like to steal it.

You should leverage the resources and technologies you already have in place to keep changes and costs to a minimum. Cisco Advanced Security Services has the expertise to help you with the analysis, strategy, design, pilot, and implementation. You’ll understand where your gaps exist against any trust-centric approach. We’ll help you address some in the first few weeks and create a 1-3 year plan for the rest leveraging the Cisco Trusted Access portfolio.

Zero Trust is a New Way to Look at Security

The specific use cases that must be addressed will often be different by organization. Before moving to the more complex use cases, consider these capabilities:

• Inventory of your hardware, software, patches, and network flows
• Identify and catalog your sensitive data and map how it flows between assets 
• Rank your top 50 pieces of sensitive data and understand where it resides
• Knowing your top risks (e.g. threats, brand image, fines, compliance)
• Who is after your data and how capable they are
• Authentication of your users, devices, and workloads
• Enterprise-wide policy with an automated rule base—as much as possible
• Segmentation
• Privilege escalation monitoring
• Continuously monitor and mitigate your trusted ecosystem

Start with the key use cases your organization must address first: contractors, East-West traffic, Continuous Diagnostics Mitigation (CDM), compliance. Prioritizing use cases will help you list the capabilities that will be required, including which products and services you’ll need. Adopting Zero Trust will help you secure your infrastructure, yet provide depth to your existing security architecture. Adhering to standards-based cybersecurity frameworks (CIS 20, NIST 800, ISO 27000 family) with Zero Trust provides a comprehensive safety net.

Be sure to review the Google BeyondCorp implementation of Zero Trust, which Duo Security productized (read their ebook). And how Gartner’s CARTA framework says to start two Zero Trust projects in 2019: [1] establishing software-defined perimeters for users accessing any app, on any device, in any location; and [2] implementing app micro-segmentation for workloads running across multicloud and on-premises data center infrastructures. You can download Gartner’s full report “Zero Trust is an Initial Step on the Roadmap to CARTA” here.

A few key steps you need for all of them include privilege escalation monitoring, integrity monitoring, watching out flows, app security, and more (out of scope for a short blog). So, don’t rely on any one of these frameworks to be the answer.

Ideally, after you work on the above, start discussing your plans to get moving to self identification and automation to reach the next Zero Trust maturity level.  Realize that cloud-based and containerized workload use cases aren’t going to wait, and thus, several parallel engagements will happen.

We titled this blog “Moving Towards The Zero Trust Cybersecurity Framework”, so, the first move is completing a workshop with Cisco Advanced Services. We’ll help you learn your key use cases, your gaps, and what you already have. Then, how to best address these gaps and prioritize your efforts. This end-to-end approach takes into consideration the core principles that make up Zero Trust to ensure you’ll achieve the desired outcomes:

1. Identify and catalog your sensitive data (later, at a metadata repository level)
2. Map the data flows of your sensitive data and store them
3. Architect your Zero Trust network based on data sources and the way they are used transactionally
4. Create your automated rule base and then later move to analyze the metadata and rules
5. Continuously monitor your trusted ecosystem by inspecting and logging the traffic, and updating rules based on behavioral analytics

Segmentation is a Key Part of Zero Trust

Cisco’s Security Segmentation advisory services (read this at-a-glance) will help you develop a strong strategy around security, compliance, and threat management. To be able to logically segment your infrastructure you need four key capabilities: (1) trusted identity, (2) isolation, (3) policy enforcement, and (4) visibility.

By combining the experience of Cisco Advanced Services with the portfolio of Cisco Trusted Access, we’ll evolve your cybersecurity maturity to a threat- and trust-centric approach. Reach out to our services account team so we can help.

Our experts say about Cisco Certification Exams