TestDrive

Cryptowall protection with NSX Security MITRE ATT&CK Framework

Updated on

The next step is to inspect the NSX Network Detection and Response (NDR) campaign. NSX NDR identifies threat movements in your network perimeter (North-South) as well as attacks, that move laterally (East-West). It provides you with a visualization of the entire attack, including a complete campaign blueprint and detailed threat timeline.

A Campaign is correlated set of incidents that affect one or more workload over a period. It provides the visibility of entire cycle with the list of compromised hosts and threats detected along with their timeline of attacks.

Let’s start the investigation of the attack from the NDR console, to review the threat events. 

Part A: Investigate - Network Detection and Response Campaign Overview

You can now observe that we've detected and correlated more than just the DGA anomaly on the acme database workload. We've detected a malicious file downloads on three different workloads and a series of other threat events. The various incidents are classified according to the different phases of the MITRE ATT&CK framework.

Under the Campaign, you’ll find details and an interactive graphical blueprint for that campaign.

  • View the THREATS widget (1) for current threats that NSX NDR has detected. The severity of threat is color-coded Red for High, Yellow for Medium, and Blue for Low.
  • View the HOSTS widget (2) to see current hosts affected. The severity of threat is color-coded the same as threats. Note: The host is defined as any device with an IP address, not a hypervisor in this context.
  • View the Attack Stages widget (top right) to find the current campaign attack stages mapped with the MITRE ATT&CK framework. Mouse hover on the each attack stage to view detailed information of each attack stage.

Campaign blueprint Widget

View the Campaign blueprint widget for an interactive graphical representation of the campaign.

  • The NDR campaign blueprint maps each threat detection along with techniques for greater understanding of key events in the campaign.
  • Drag the icons with your mouse to match the placement of icons suggested as above.

Campaigns -> Hosts

The Hosts tab (1) displays a list of hosts affected with threat information so you can observe the latest activity for attack stages.

Part B: Investigate - Exploitation and Command & Control

The Timeline view shows the threats detected by NSX Network Detection and Response in Threat Cards.

  • Click Timeline (1). Each threat cards under timeline have a host that is connected to a threat, calculated Threat Score, Threat Name, Class and other actions.
  • Select Sort by Earliest (by start time)(2) to arrange the threat cards in the sequence of attacks with their timeline.
  • Observe the timeline on each threat card, event date and time and IP address.
  • Expand the icon to view the related evidence summary about the threat, as shown in the following table. To better understand the threat, not the evidence of malware identified and overview of how the malware behaved.

Network Interactions and Network IOCs

  • Expand Magnitude EK (1). Magnitude exploits various java and adobe flash vulnerabilities to compromise the victim's computer in order to install malware. This was also detected from the VDI desktop.
  • Click on Network Interactions and Network IOCs IP address (3) to get additional context. We can also click on the detector, in this case an IDPS signature (2), to learn more about this detection.
  • Click on the IP address (192.168.100.32) of the affected workload. We can see that this is associated with the VDI-03 desktop.

Malicious File Download

Expand the Malicious File Download event and click on the file name Cryptowall.zip (1) to get additional context. You can see that this file has been identified as containing the cryptowall ransomware and has performed suspicious Geo-location queries.

Cryptowall is a ransomware malware that encrypts files on an infected computer using and demands a ransom in exchange for a decryption key. Cryptowall is usually spread by spam and phishing emails, malicious ads, hacked websites, or other malware and uses a Trojan horse to deliver the malicious payload.

Click on the Analyst Report to find more details.

Detected Events

Above events are sequentially detected in the VDI Desktop where the attacker attempted Initial Exploitation in to the environment.

Cryptowall & DGA Activity

Expand Cryptowall (1) and DGA Activity (2) to see that we've observed command and control activity associated with cryptowall and this has also been detected by means of an IDPS signature.

Part C: Investigate - Lateral Movement and Data Exfiltration

After gaining initial access, Attackers use lateral movement to gain access to additional systems, escalate privileges and ex-filtrate sensitive data. Lets review the Lateral movement and Data Exfiltration events detected by NDR.

Lateral movement and Data Exfiltration

  • Expand Anomalous Psexec Interaction (1) that was followed by the detection of an anomalous interaction between our VDI desktop and another workload in our environment.This activity was mapped to the lateral movement technique of the MITRE Attack Framework and was used by the malicious actor to pivot the attack from the VDI desktop to the target workload with the IP address of Acme-App-02 VM.
  • Expand Anomalous Psexec Interaction (2) that was followed by the detection of an anomalous interaction between our VDI desktop and another workload in our environment.
  • Expand the Malicious File Download (3) event and click on the file name to get additional context. You can see that this file has been identified as containing the cryptowall ransomware and has performed suspicious Geo-location queries.
  • Expand the DGA Activity (4). We have detected the Domain generation algorithm anomaly that we looked at earlier from the discovery and planning view in NSX This is the atomic event we started our investigation.This indicates that suspicious domains used by malware were running on our infected machine

Use of Windows Remote Task Scheduling

The next phase of the attack is where the attacker used windows remote task scheduling to pivot the attack once more and target another workload in our environment the production database VM.

Credential Harvesting using Kerberos

  • Click on the Expand icon (1) to find more details.
  • Around the same time we observed an attempt at credential harvesting using Kerberos (2) ticket granting tickets initiated from acme-app02 VM to acme-db02 workload.
  • On the workload we saw additional remote task scheduling (3) after that followed by the same domain generation algorithm, empire agent and cryptowall detection.

Detect DNSCAT use on the network

  • Scroll down to see same set of Command and Control activities, detected in the acme-db02 (192.168.20.51) VM similar to acme-app02 (192.168.20.11).

Finally we detected the use of DNSCAT on the network indicating exfiltration of data from the prod acme-db workload. This was confirmed by means of three distinct IDPS signatures. As we have analyzed the campaign and reviewed all the intrusion events, we can now review the IDS/IPS & DFW rules to reduce the attack surface and to mitigate the risk of intrusions in the production environment.

Navigate back to NSX Manager. We will proceed further to learn about NSX Intelligence  Micro-Segmentation Rule Recommendations.

Previous Article Application and Network Traffic Visibility with NSX Intelligence & NTA
Next Article Micro-segmentation with NSX Intelligence Rule Recommendations