
Cappuccino Chat - Episode 26 - Persistent Threat

Published May 5, 2021

About This Video

Someone could be inside your computer right now! What's worse is your endpoint protection you have installed won't protect you. We discuss what a Persistent Threat is, how it can happen as well as some things you can do to protect yourself. https://www.southwest-networks.com https://www.southwest-networks.com/cappchat Southwest Networks, Inc. 73-700 Dinah Shore Drive, Suite 404 Palm Desert, CA 92211 760-770-5200

Full Transcript

Auto-generated from the video's captions. Minor transcription errors may exist.

Welcome back to the channel. This time we're going to talk about the fact that someone could be inside your computer right now and you wouldn't know it. Someone could be in your computer right now and you wouldn't even know it, based upon the traditional endpoint security products that you may have installed, your antivirus for instance. So why is that? Well, these new threats, and when I say new I kind of mean new for the small and medium-sized business, these kinds of threats have been around for a long time. Let's just say nation states, governments, terrorists, that kind of thing have been doing this kind of thing for a long time. It's now starting to trickle down into the small business realm, probably for about the last year to two years.

What are these threats? These are persistent threats. Now, the reason they call them persistent threats is because they remain constant on your computer even after you may reboot it or shut it off. And the reason that your typical antivirus and endpoint security products won't catch it is because, well, it's using Windows programs against you. So there are built-in features in Windows that will allow this persistence activity to go on, built-in tools like, you know, PowerShell, the DOS prompt, things like those that have been around forever. They can issue commands on those that will allow them to have that command and control functionality, the persistence if you will, throughout a reboot or a shutdown, and your typical antivirus isn't going to stop those because it's built into Windows. It's a known good program; it's just the commands that are being issued from it that are bad.

So how does something like this happen? Well, it's not going to happen just because you go to a website or you install a legitimate program, but what happens is you might get an email, or it could be a website pop-up with a link on it, and you click on it. So let's walk through a scenario just to kind of show a little bit how this might happen to your company. So we've all gone through it and we've hired new employees. So what do we do? We post the, you know, the request for a new position being opened up, you know, Indeed, ZipRecruiter, those kinds of things, on our own website, social media, and we get an email. And the candidate in the email sounds like the match made in heaven. They hit all the right notes, they say all the right things, and they've got, you know, their resume attached to the email, a Word document. No big deal, let's open it. So we go to open it and it might come up with, let's say, a version issue: maybe you don't have the right version to open it, you know, click here to download it. So you get a little skeptical maybe, and so you don't do anything, but you forward it maybe over to somebody else and they click on it and they get the same thing. So you decide, you know what, I want to open the resume, I'm gonna open it anyways. Well, then you get a prompt, and it looks very much like a Microsoft prompt because it is. It's going to enable some features within Microsoft, the macros and things of that nature, to allow you to open this document. Well, unfortunately, by enabling those features, and some people have them enabled by default, a lot of those in the finance department, things like that, work with macros a lot with their Excel spreadsheets and Word documents, just going back and forth on everything they have to work with. So once you enable that, though, and you click on it, you aren't going to get exactly what you want. It's going to come up with some other kind of weird message saying it can't do something. So you'll of course just think that, well, it's not what it is, maybe I'll reach back out to him, have him resend it, which of course you won't hear back from them. But in clicking on it, what has happened is you've given them that persistence. So you basically launched a program that then allows them, at that moment in time, your computer will phone home to them and they will connect up, and then they will issue some commands over PowerShell or the like and gain persistence.

So at that point they may not do much else other than gain persistence. They might wait to see what happens, to see if it's noticed or anything like that. If it isn't, over the next days, weeks, months, years sometimes, they will slowly and methodically look at your machine trying to find data of value. Data of value could be any personal information, maybe on your employees or clients, that they could use to issue, you know, false identities. It might be credit card transactions, banking information, passwords that are left in the open or maybe cached in your web browser, because, you know, passwords are hard to remember, so a lot of times we'll just let our web browser take care of that. So they will grab these files, they might grab data, and they will actually upload this data to themselves slowly over time to try to not draw attention. At some point they will start to try to move throughout your network and move from your computer out to other computers on your network and even your server. Again, they will do this slowly and methodically, trying not to raise any alarms and gather as much data as possible. Once they're done, to cover their tracks, a lot of times what happens is they will then issue a ransomware attack on your machine or machines in order to cover their tracks, because let's face it, if our computer gets ransomed and encrypted, we're going to do whatever it takes to try to get our data back. So hopefully one of those things that you try to do is not pay the ransom; by paying the ransom you're funding their further efforts. But hopefully we can restore or do something else to get that data back from your machine without paying the ransom. So at that point, though, again, all we're worried about is getting back to working, so no one digs into what could have happened, could anything have been stolen or anything like that. A lot of times people say, oh, I clicked on this one email, something will happen; recently I went to a website, there was a pop-up, oh, that must have been it. Nope, it could have been something you got a week ago, a month ago, six months ago, a year ago, and it just now finally triggered.

So what can you do to fight this? Well, we need a different kind of endpoint security involved, we need different perimeter security involved in all of this, so that these kinds of attacks can't happen. We can put what's called a persistent threat detector on your endpoints. You can go with a managed detection and response system on those endpoints for even further protection, which will not only protect your individual machine, but when it does start to spread, if that goes undetected, it will detect that methodology of spreading from your computer to other computers and stop it. There are also other ways to make this not as easy and not as viable to happen, called application whitelisting and ring fencing. This is where we're going to say, hey, Word of course is allowed to open and do what it needs to do, but there's no reason that Word needs to now call PowerShell or launch an FTP service up to the web and upload my data. Those kinds of things can be stopped, so that Word can continue to do word processing for you, but it's not going to be able to launch PowerShell or any other kind of attack. These are all layered security approaches that can be done. The application whitelisting and ring fencing along with the MDR product would give you the best availability to it within the persistent threat area. So again, these aren't things that will be easily noticed. You might not even notice anybody on your machine. You could periodically hear your fans spin up and go down just because they're doing some work. Your machine may become sluggish at times, slow at times, and then it's fast. That could be a telltale sign that something is going on on your machine without your knowledge. If you'd like more information about this or to talk about how we can help you protect your endpoints and network, please give us a call.
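As an added illustration that is not part of the video or of Southwest Networks' material: a small Python check over constructed process-creation events (a Sysmon-style parent/child/command-line record per line, not real telemetry) that flags an Office application starting PowerShell, cmd.exe or another built-in Windows tool, the Word-to-PowerShell chain described above, and applies an assumed ring-fence allowlist so that Word may still start its print helper but nothing else is allowed. The Office and tool name sets and the allowlist are assumptions for the example.

```python
# Flag Office apps spawning built-in Windows tools, with an assumed ring-fence allowlist.
import ntpath
from typing import Dict, List, Optional

# Constructed sample events, one per line: UtcTime|ParentImage|Image|CommandLine
# (not real telemetry; the encoded command is a placeholder).
SAMPLE_EVENTS = """\
2021-05-05 14:02:10|C:\\Windows\\explorer.exe|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|WINWORD.EXE /n resume.docx
2021-05-05 14:02:41|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <placeholder>
2021-05-05 14:03:02|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|C:\\Windows\\splwow64.exe|splwow64.exe 12288
2021-05-05 14:05:17|C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE|C:\\Windows\\System32\\cmd.exe|cmd.exe /c ftp -s:upload.txt
2021-05-05 14:06:00|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -File C:\\Scripts\\inventory.ps1
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# "Known good" Windows tools the video says antivirus will not block on their own.
LOLBINS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
           "rundll32.exe", "regsvr32.exe", "ftp.exe", "certutil.exe"}
# Assumed ring-fence policy: the only children each Office app may start.
# splwow64.exe is the print helper; anything else is reported.
RINGFENCE_ALLOW: Dict[str, set] = {app: {"splwow64.exe"} for app in OFFICE_APPS}

def basename(path: str) -> str:
    """Lower-cased file name from a Windows path; ntpath makes this work on any OS."""
    return ntpath.basename(path).lower()

def parse_events(text: str) -> List[Dict[str, str]]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, parent, image, cmd = line.split("|", 3)
        events.append({"UtcTime": ts, "ParentImage": parent, "Image": image, "CommandLine": cmd})
    return events

def evaluate(event: Dict[str, str]) -> Optional[str]:
    """Return an alert string if an Office parent starts a child outside its ring fence."""
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    if parent not in OFFICE_APPS or child in RINGFENCE_ALLOW.get(parent, set()):
        return None
    severity = "high" if child in LOLBINS else "medium"
    return f"{severity}: {parent} spawned {child} at {event['UtcTime']}: {event['CommandLine']}"

def find_alerts(text: str) -> List[str]:
    return [a for a in map(evaluate, parse_events(text)) if a]
```

Running `find_alerts(SAMPLE_EVENTS)` yields two high-severity alerts, Word starting PowerShell and Excel starting cmd.exe with ftp, while Word starting its print helper and a service starting PowerShell pass silently.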
