Dell SecureWorks published a very informative blog this week about a new type of malware they have appropriately labeled “Skeleton Key”. Our community manager quickly wrote a note of appreciation for setting a great example through disclosure and a quick mitigation strategy that every security professional should read. Between these two blog posts, detecting the malware and responding should be possible for any organization leveraging YARA rules in their detection solutions.

In this spirit, the UserInsight team wants to help you detect an attack before and after this malicious software is used. Between the malware used against Sony and this new malicious innovation, we can see three trends emerging:

  • Attackers are continually using malware as a tool in combination with interactive “hacker tools” to effectively operate within our networks
  • Malware developers are continuing to automate previously manual [yet highly common] techniques to use compromised credentials without any concern of being discovered by traditional detection tools.
  • We have to overestimate attackers' ability to innovate or we will continue to reactively mitigate their new techniques.

As I have previously discussed, more than half of the malicious actions that occur on our networks do not involve malware. In SecureWorks' excellent description of observed events surrounding Skeleton Key's operation, this fact was highly evident. If you want to detect an intruder's actions before and after the Skeleton Key DLLs would trigger your YARA-based alerts, you need effective detection for the use of stolen credentials on your network.

Pre-deployment

According to the post, Dell observed five key behaviors involving compromised credentials prior to the malware's deployment. To expand on one of Tod's points, this malware requires domain administrator credentials to install the software on your domain controller. This makes it even more challenging than exploiting the Kerberos vulnerability disclosed by Microsoft in late November. An intruder needs to remain undetected while successfully compromising your perimeter, learning your network, accessing multiple assets, and moving to a critical system on which a domain administrator's credentials can be obtained.Then, after all of these malicious activities, the domain controller needs to be accessed, followed by more uses of credentials:

Prior to logging off from the domain controller, the attacker takes a final action with the creds:

To contain one of these attacks early, it is essential that you have a solution like UserInsight that understands your users' typical behavior across all systems to which someone has access. From local accounts to unprivileged domain accounts to administrator impersonations, these established baselines are necessary for recognizing an intruder laterally moving through your network toward a domain controller on which Skeleton Key can be deployed. If you focus all of your detection efforts on the domain controller, you're providing intruders with a long-term testing ground in which to operate.

Post-deployment

If you recognize that you could miss the Skeleton Key deployment and don't want to rely on domain replication issues as your primary indicator of Skeleton Key's existence on a domain controller, the following statement demonstrates more detection challenges:

This is a perfect example of attackers taking advantage of the high level of noise on our networks to obscure their actions. It is likely that your user accounts are being legitimately used on multiple systems simultaneously, but it is unlikely to drastically deviate from established norms. For this reason, thorough anomaly detection for the activity of your network's entire user population is the only effective way to spot an intruder using the “skeleton key” password to quietly probe assets for valuable data. Additionally, if you leverage a series of decoys, or as we call them, "honey users", you may identify an intruder using the "skeleton key" to authenticate on the network. Don't wait until the data leaves your network. Focus on their earliest actions on your network to prevent it from ever getting that far.

To learn more about UserInsight and Rapid7's other solutions for detecting compromised credentials, check out our compromised credentials resource page and make sure to download our complimentary information toolkit. I expect you'll quickly see how it complements your malware detection solutions for comprehensive coverage of the indicators that an intruder is inside.