Detecting and Remediating Against File Distribution Attacks

Posted by Kirby Kuehl   |   May 5, 2015

Enterprise teams have varying means to some degree, of how they “see” attacks. There is often incongruence between what events they can detect, what their intelligence means, and the potential impact of an attack. 

At CounterTack, we are developing new technologies to help customers better detect and understand their threat tolerance. We are innovating methods to help customers improve security response by contextualizing threat impact into actionable intelligence.

An example of this is our new capability of detecting lateral movement by threat actors across hosts, in a one-to-many model, as opposed to just simply looking at endpoint behaviors through a singular lens. We do this through deep correlation and analysis at-scale; we’ve developed a new frequency analysis table of files copied and/or executed across the enterprise. Why is this applicable?

Our Sentinel platform has the ability to determine the unique hash of all files created and/or executed and compare that hash to a large set of hashes from our knowledge libraries. The hash set then uses an impact score to determine known good and known bad files. This hash is now also temporarily stored in a frequency analysis table that tracks the distribution or execution of the same file across multiple hosts.

For an enterprise, a normal process like software updates and roll-outs can be monitored and tuned in Sentinel by adding the hashes of the files to Sentinel’s hash set through our REST API.

file_icon_downloadSentinel’s File distribution behavior analysis also monitors file distribution and execution of files with an unknown hash. These unknown hashes are also stored in a frequency analysis table that keeps track of file creation and execution events across endpoints.

This mechanism can be used to detect Shamoon-style attacks.  The Shamoon virus was used to attack oil and energy sector companies in 2012, affecting more than 30,000 endpoints. Shamoon would spread from an infected machine to other computers on the network and lie in wait for a detonation instruction. Once the detonation instruction was received, the virus compiled a list of files from specific locations on the system, uploaded them to the attacker, and subsequently erased them. Finally the virus overwrote the master boot record of each infected computer, making it unbootable, rendering the enterprise unable to react to the attack now that the data is gone.


Technical Details

Sentinel examines all of the events from all of the endpoints in your enterprise. To help identify file distribution behavior, Sentinel first examines all TCP inbound and outbound connections.

The process responsible for each TCP connection is uniquely identified and examined to see if the process is also responsible for writing any files to disk.

If the process involved in the TCP connection wrote any executable files to disk, the file's metadata is stored in a frequency analysis table. This frequency analysis table keeps track of each file, the endpoints that contain that file, and a link to the file activity event.

Sentinel’s frequency analysis examines the metadata for every new file or process.

When the threshold for file distribution is reached, which is user-definable, the file's metadata is checked against Sentinel’s Knowledge Library. If the impact of the file is considered known-good, the entry is removed from the frequency table.

If the impact is determined to be malicious, a classification for each endpoint containing the file is generated, along with additional information if the file was written to disk. If the file was also executed, Sentinel will alert the operator that they need to manage the event, consider it a threat actor as the threat impact score rises, and respond accordingly.


Topics: cybersecurity, Sentinel, CounterTack, EDR, endpoint detection and response, Shamoon, file distribution attacks, Kirby Kuehl, cyber attacks

Subscribe to Email Updates

Recent Posts

Posts by Topic

see all