Forensic Investigators Track Times Attack Step By Step

By Robert Westervelt
February 01, 2013 9:40 AM ET

Page 2 of 2

Most cybercriminals begin their attack targeting the low-hanging fruit, Bejtlich said. Sophisticated methods are not necessarily needed to gain access to systems and files being targeted.

"These cases start out with the simplest thing you can do to get in the enterprise," Bejtlich said. "Once the adversary senses that you have found them and you start to kick them out, they switch to other tactics and they escalate to a better command and control, stealthier persistence and so forth."

It took a warning to alert the Times that something was amiss. The Times reporters were advised by an official with the Chinese government that there would be consequences if the stories were published. The Times reached out to its Internet service provider, AT&T, which indicated that it saw signs of network traffic that came from a Chinese threat group being tracked by its security researchers. The forensics team was then brought in to determine if a breach had occurred and eradicate any signs of cybercriminal activity on the network.

The attack on the Times and reportedly The Wall Street Journal as well, demonstrates the need for IT teams to monitor systems closely and have a rapid incident response plan when a potential problem is spotted, Bejtlich said. At the Times, the attackers moved throughout the company's systems, eventually gaining access to a domain controller containing the passwords of every employee of the company.

Bejtlich said rapid detection and response is important to contain and control the scope of the problem. Network segmentation is important to hinder an attacker's ability to move throughout corporate systems using legitimate account credentials. A third best practice is to have credentials that are not static, he said. Rather than using an employee's account credentials for IT assistance, temporary passwords can be used by IT administrators to remotely access employee computers.

"If you are monitoring your activity and you see people jumping from computer to computer, that is not consistent with normal business activity," Bejtlich said. "If you can detect that quickly and then contain it you can keep the bad guy from accomplishing his mission."

PUBLISHED FEB. 1, 2013

<< Previous | 1 | 2

To continue reading this article, please download the free CRN Tech News app for your iPad or Windows 8 device.

Related: Videos | Slide Shows | Comments

SHARE THIS ARTICLE

More Security

Comments by Vanilla

Recent Articles

	Head-To-Head: Symantec Vs. McAfee In Endpoint Protection McAfee and Symantec are archrivals with a firm grip on the North American security market. CRN pits both vendors' endpoint security products against each other and names a winner.
	The 8 Steps Behind The Massive $45M Cyber Bank Heist More than $45 million was stolen from banks in the U.S. and 19 other countries in a scheme that law enforcement is calling an international conspiracy to drain millions from bank accounts using stolen debit cards and PIN numbers. Here's how they did it.
	Name Of The Game: Top 10 States For Identity Theft A Federal Trade Commission report provides statistics on identity theft and fraud complaints in 2012. Learn which state has the dubious distinction of having the most victims.
	More Slide Shows