Ondrej Krehel, CEO & Founder of LIFARS is recognized world-wide for his Digital Forensic expertise and Ethical Hacking. He actively participates in many high-profile engagements around the world whereby his proprietary methodology is leveraged to achieve the most rapid root-cause analysis and remediation. This Interview With Ondrej Krehel is the third part in the four-part series. So, stay tuned for more! If you missed previous parts, you can read the Part 1 here and Part 2 here.
Note: Originally published in NEXTECH magazine and republished with the kind permission of Mr. Martin Drobny.
NXT: How does such an attack occur? Is it possible that the company will not even find out it had been hacked?
Ondrej Krehel: Yes, it is possible. It can happen due to the lack of monitoring and assessment of log records. A company can think that their security is sufficient because they do not have any incidents. Speaking from my experience, if somebody claims to have zero knowledge about a security incident in their company, I can tell that in 99% of cases, they have insufficient monitoring. The incidents have happened, they just don’t know about them.
Targeted attacks occur in several phases. The first one is comprised of researching every accessible piece of information about the target. OSINT (Open source Intelligence) is used for this purpose. This information is then utilized to prepare a primary attack, which is often phishing or spear phishing. They create a highly personalized e-mail that can look very persuasive and trustworthy and may give the impression that it originated from a colleague or employer. Its aim is to raise the probability that the targeted person will download the attachment, run it on his computer, thus installing malware on it. The attacker uses information acquired during the first phase to choose malware that will work on the targeted infrastructure.
Afterward, the exploitation phase and malware installation phase follow. This happens if the victim believes the content of the e-mail and runs the attachment. For instance, it can be an excel spreadsheet with a malicious macro. Macro is basically a small program contained in an excel table and after it is enabled, it downloads malicious code, for example Remote Access/Administration Tool (RAT), which gives the attacker total control over the victim’s computer. The attacker can then propagate across the internal network, escalate privileges, avoid detection, acquire and exfiltrate data, or perform additional attacks. Statistics show that the average detection time for a cyber incident (or system intrusion) is 150 days. This statistic is from the energetics industry, which has the most positive numbers regarding this issue. It takes approximately 190 days for public administration to detect the intrusion, 217 days for the education sector, and 255 days for the healthcare sector.
NXT: How does it look in practice if some company orders your services – whether for forensic analysis or incident response?
Ondrej Krehel: It can be handled in two ways. The company can prepay hours through a retainer that ensures reaction times through SLA. The second option is our ad hoc solution for incident response and forensic analysis in the case of an emergency. We recommend our Incident Response Retainer which ensures prioritized incident response and associated services.
If the company does not use these prepaid hours on incident response, they can use them on some of our proactive services, for instance, penetration testing, threat hunting, security audits, and many others. Moreover, when an organization prepays a retainer, we also perform an initial security analysis for our client, and we evaluate their readiness for a security incident response. Afterward, we show them how to improve their technical security controls and processes. This enables us to get to know their infrastructure better and allows us to prepare for future incident responses in cooperation with them.
In the case of malware infection, we are ready to write vaccines for the client that will enable quick and global mitigation of the incident. We have created such a vaccine for global mitigation of the banking trojan Dridex. It is available on our GitHub.