re-attack: Request to our OCA endpoint security vendors


Forrest Hare
 

OCA Team,

 

It has been two months since I sent out the below e-mail soliciting support from our end point security members to help with the ontology project.  Unfortunately, the response has not been sufficient for us to be able to make progress on our efforts to ontologically model our use case.  To reiterate, we are looking for some sample data representative of what we would observe in our systems in the case of a spear phishing attack and resultant malware infection.  The sample data/files need to be accompanied by a “decoder ring” of some sorts so that we can understand what the elements in the file represent and then be able to map those to the ontological framework.  See below for more details.

 

We CANNOT proceed without your help.

 

Ian Featherstone has set up a meeting for the Ontology project on Monday afternoon.  We will try to work with whatever we have at that meeting so feel free to bring sample data or questions.

 

Thank you,

Forrest

 

Forrest B. Hare, PhD

Founder

Summit Knowledge Solutions, LLC, SDVOSB

571-419-0084

forrest@...

https://sks.ai

The information contained in this e-mail and any attachments from Summit Knowledge Solutions ("SKS") may contain sensitive and/or proprietary information, and is intended only for the named recipient to whom it was originally addressed. If you are not the intended recipient, any disclosure, distribution, or copying of this e-mail or its attachments is strictly prohibited.   If you have received this e-mail in error, please notify the sender immediately by return e-mail and permanently delete the e-mail and any attachments.

 

 

From: Hare, Forrest B. <Forrest.B.Hare@...>
Sent: Friday, April 8, 2022 3:06 PM
To: 'oca-pgb@...' <oca-pgb@...>
Cc: Featherstone, Ian <Ian.Featherstone@...>; Hare, Forrest B. <Forrest.B.Hare@...>
Subject: Request to our endpoint security vendors

 

OCA Team,

 

We are at a bit of a sticking point in our ontology use case development for the OCA ontology project.  What we could really use right now are some sample files containing some sample data that would be appropriate according to the use case.  These would most likely be something that our end-point security vendors are working with so we are asking for your help specifically.  As a reminder, the full use case is located here:

https://github.com/opencybersecurityalliance/documentation/blob/master/Architecture%20Documents/UseCases.md

 

For the ontology use case however, we are ONLY focusing on the infection and detection stages in the overall use case.  Very specifically, we are modeling the portion from the scenario pasted below at the bottom of this e-mail.

 

With that in mind, we are in need of some representative files that would contain the data that would be passed around in the system as described below.  For example, we would appreciate some sample data that would exemplify the signatures, etc., that would be discovered in the scan.

 

Please DO NOT respond to the distro list if you have questions on the scenario.  Please respond directly to me and Ian.

 

Thank you,

Forrest

 

Scenario details----

 

Of note – but very much going on in the background - as Bob turns on his computer, Bob’s endpoint protection software starts up and checks for any new updates from the software manufacturer. A small set of signatures have been published overnight. Unknown to Bob, the signatures are installed in the background, ensuring that Bob’s computer is protected from the latest known malware attacks. The software also checks in with Bob’s corporate network asking a similar question, “Are there any new blocks we need to know about?” the software asks the corporate library of rules. No new rules are downloaded as no filters, blocks, proxy rules or firewall rules have been created in the last 16 hours.

Our story continues with Bob - He is eager to follow up on a project so he does not notice that the “from” name is "Alice", but it is not displaying as it typically would. He clicks anyways, as he is looking forward to the next step in a project.

Bob opens the e-mail to see “I found this link that I think will help us with our project, talk soon” – followed by a URL.

Of course Bob clicks the link, and this is what we call a phishing – or in the case of a specific user, a focused “spear phishing” attack.

The web site Bob accesses contains a zero-day cyber vulnerability. Bob did not catch it, his e-mail system’s filter did not, and now Bob’s endpoint software has to take over.

The link that Bob clicked opened up a few interesting tidbits, but it did not seem very apropos to Bob and Alice’s project. He ignored the rest of the site, realizing – too late – that this sounded like one of those examples from his security awareness training. “I probably should not have clicked that,” Bob thought. He looked again at the tempting e-mail and saw that while it had Alice’s first name, it did not include a last name. And he hovered his mouse over the URL and realized, “...not a good site... uhoh.”

Bob hasn’t seen anything else strange, he only clicked a link and realized quickly that it was off topic – he closed the screen so fast, at this point Bob’s fears dwell and he goes about his coffee – and his day.

In the background, however, the damage was done in a split second. Bob’s computer saw Bob click a link

·         he initiated it, and Bob’s computer’s policies allow him to install software. The software installed itself and after setting a timer to “go off” in 4 hours, the bad program went dormant.

Malware was installed immediately as Bob clicked the URL – it all happened as the web page loaded.

Bob’s endpoint protection software scanned the new program that was downloaded in the background

·         the software scans all files coming and going on Bob’s computer.

When the new program starts to run, the virus software compares the digital signature, the certificate used to sign it, and the name, size and date on the program to its database of known malware attacks.

The new program does not match the database. The endpoint software flags it as a new, unsafe program.

Many people in Bob’s company are business and mission focused – they are not savvy IT people. Because alerts have created a lot of extra calls and support costs, this security event – unknown software – does not pop up on Bob’s computer.

Instead the endpoint software sends an alert to the corporate logging tools.

 

 

 

Forrest B. Hare, PhD, CISSP

SAIC Fellow

Solution Developer | Cyberspace Operations
571-419-0084 | 
forrest.b.hare@...

saic.com |@SAICinc

SAIC®

https://www.saic.com/jadc2

 

The information contained in this e-mail and any attachments from Science Applications International Corporation ("SAIC") may contain confidential and/or proprietary information, and is intended only for the named recipient to whom it was originally addressed. If you are not the intended recipient, any disclosure, distribution, or copying of this e-mail or its attachments is strictly prohibited.   If you have received this e-mail in error, please notify the sender immediately by return e-mail and permanently delete the e-mail and any attachments.

Join oca@lists.oasis-open-projects.org to automatically receive all group messages.