Lesson 4 of 5

Targeted Email

An End User reports receiving a suspicious email. The email contains an Excel attachment.

Incident Narrative

An APT adversary has launched an email campaign against the Organization. This campaign included two waves:

  1. An email regarding Nuclear Radiation, containing a weaponized (Flash) Excel document
  2. An email purporting to be an INDUSTRY-SPECIFIC newsletter, with a link to an INDUSTRY-THEMED WordPress blog

One employee, Ms. Jane Doe, reported the Excel email after she opened it. Her computer was compromised and is beaconing to BARFOO.COM, an APT site. She claims not to have opened it, though. Five other employees received the exact same email; three opened it and are also compromised. Two are out of the office today.

The second email, which has not been reported to security, went to 10 people. 5 have opened it. Three more will open it within 15 minutes. The malware is the same, a GH0ST RAT variant. It also reports to BARFOO.com. There is a lot of HTTPS traffic between one of those systems and BARFEW.

Email Header

Received: (qmail 2936 invoked from network); 17 Mar 2011 14:54:06 -0000
Received: from mail-iw0-f195.google.com (HELO mail-iw0-f195.google.com) (209.85.214.195)
  by XXXXXXXXXXXXXXXXXXX 17 Mar 2011 14:54:06 -0000
Received: by iwn19 with SMTP id 19so678003iwn.6
        for XXXXXXXXXXXXX; Thu, 17 Mar 2011 07:54:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=domainkey-signature:mime-version:date:message-id:subject:from:to
         :content-type;
        bh=0xRgb5+/fvZxd0/qwfyRCbJDcn6ChfzZlNrsKyAv2wc=;
        b=qGVeBRR/w/6570uTsq5FFwodcGrtx2AfEjO99oW5dvgXV3mfqxhCy5Z2tEJDNOyMUx
         ptroBCJneuZvbzhbieQ+AszVNPj5iK/R74AhWrOX7Qi2bd8zYXlPquoRLsOPA/tjtiO0
         whvjpmP9PZoa0/bqKEYNXoiWY8aCvIqdTr+O0=
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=mime-version:date:message-id:subject:from:to:content-type;
        b=ad7u5tW0S8k16ETcmnMIxdWUwZdK5ImqIlb1/DJkhSycWu99llJVQEhx1E9flh6IPc
         ie6Ed9DNccVoWoKyHWby/9ZImkDKRvt3tx4gNB/0azF/PAh71ZNRdZbHGiKNiAjETmC0
         FyijnpVHFkwVMerRhj03F7VyQCCQR/hLU0uec=
MIME-Version: 1.0
Received: by 10.43.49.10 with SMTP id uy10mr1977189icb.407.1300373646197; Thu,
 17 Mar 2011 07:54:06 -0700 (PDT)
Received: by 10.231.166.139 with HTTP; Thu, 17 Mar 2011 07:54:06 -0700 (PDT)
Date: Thu, 17 Mar 2011 10:54:06 -0400
Message-ID: 
Subject: Japan Nuclear Radiation Leakage and Vulnerability Analysis
From: Merrie Sasaki 
To: XXXXXXXXXXX
Content-Type: multipart/mixed; boundary="bcaec529952141c4e3049eaed56e"

Hidden Incident Details

  • Fifteen other employees (16 total) received either that email or a second email about an industry-specific newsletter

  • Same email sender sent all 16 emails

  • One email attack used an XLS attachment with an embedded Flash 0-day

    • Antivirus does not detect anything, but it is malicious

  • One email used a link to an INDUSTRY-THEMED WordPress blog, which delivers a recent Java exploit

Incident Objectives

  1. Are email indicators identified?

  2. Is there a search for other emails?

  3. Is there the ability and effort, in-house or external, to examine an Excel document?

  4. How does the team know if any additional emails were received?

  5. How does the team determine who opened the Excel document?

  6. How does the team determine who clicked the link?

  7. How far back does that review go?

  8. What if an additional email is sent three days from now?
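One way to work objectives 1 and 2 (identify email indicators, then search for other emails), as an added example that is not part of the lesson material: parse the reported header for the fields worth pivoting on, then group a mail-gateway log by the sender so both waves surface together. The sender address, Message-ID, receiving host mx.example.org and the log records are constructed placeholders, since those values are redacted on the page.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed from the header shown above; the sender address and Message-ID
# are redacted on the page, so placeholder values stand in for them here.
REPORTED_HEADERS = """\
Received: from mail-iw0-f195.google.com (HELO mail-iw0-f195.google.com) (209.85.214.195)
  by mx.example.org 17 Mar 2011 14:54:06 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
Date: Thu, 17 Mar 2011 10:54:06 -0400
Message-ID: <PLACEHOLDER-ID@mail.gmail.com>
Subject: Japan Nuclear Radiation Leakage and Vulnerability Analysis
From: Merrie Sasaki <sender-placeholder@gmail.com>
To: jane.doe@example.org
Content-Type: multipart/mixed; boundary="bcaec529952141c4e3049eaed56e"

"""

WAVE1 = "Japan Nuclear Radiation Leakage and Vulnerability Analysis"
WAVE2 = "Industry Newsletter - March"  # constructed lure subject for the link email

# Constructed mail-gateway log: one (sender, recipient, subject) record per delivery.
MAIL_LOG = [
    ("sender-placeholder@gmail.com", "jane.doe@example.org", WAVE1),
    ("sender-placeholder@gmail.com", "bob@example.org", WAVE1),
    ("Sender-Placeholder@gmail.com", "carol@example.org", WAVE2),
    ("newsletter@vendor.example", "dave@example.org", WAVE2),  # unrelated, same subject
]

def extract_indicators(raw_headers):
    """Fields worth pivoting on: sender, subject, Message-ID, DKIM signing
    domain, MIME boundary, and every IP seen in the Received chain."""
    msg = message_from_string(raw_headers)
    ips = [ip for h in msg.get_all("Received", [])
           for ip in re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", h)]
    dkim = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    return {
        "from": parseaddr(msg["From"])[1].lower(),
        "subject": msg["Subject"],
        "message_id": msg["Message-ID"],
        "dkim_domain": dkim.group(1) if dkim else None,
        "boundary": msg.get_param("boundary"),
        "received_ips": ips,
    }

def hunt_related(log, indicators):
    """Group every delivery from the reported sender by subject, so a second
    wave with a different lure shows up next to the first one."""
    waves = {}
    for sender, rcpt, subject in log:
        if sender.lower() == indicators["from"]:
            waves.setdefault(subject, []).append(rcpt)
    return waves
```

Pivoting on the sender rather than the subject is what catches the newsletter wave, which the narrative says has not been reported to security.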

Closing Questions (to the participant group)

These questions are also in the Participant Brief.

How did the Team’s ability to respond during the TTX compare to your expectations at the start?

Were there any short-term changes that can be done to improve your response capability?

What could be done to reduce the breach exposure time?