Prevailion Omega is an extension of our continuous breach monitoring and actionable compromise intelligence. It builds on our ability to identify malware beaconing out of an organization, and adds a new set of data geared towards helping a security team diagnose and remediate systems that would otherwise be a black box without hours of investigation.
One of the challenges we hear at Prevailion is that organizations continue to struggle with two hard problems: how to monitor remote workforce assets for malware compromises before an infection spreads to the corporate network, and how to monitor cloud deployments for malware that uses the dynamic nature of the cloud to hide its activity from security teams. Both problems were exacerbated as the world shifted to a global remote workforce in 2020.
Traditional security products, like antivirus, firewalls, endpoint detection and response, or managed detection and response, provide a layer of defense to an organization’s computing assets. Historically, when these assets were inside the organization’s perimeter walls – that is, in the office – organizations had a level of confidence that their devices were secure. At the very least, they could be confident that only the authorized user – the employee – was using the system.
When the world started working from home, all this changed. Now, an organization’s network perimeter is not only its corporate office, but the home office of every remote worker too. Consequently, companies have given up control over which devices sit adjacent to their network: I’m not aware of any company that would allow its employees to connect a smart TV, an IoT security camera, a couple of video game consoles and the computers of their entire family to the corporate network. Yet that is exactly what happens every day in home networks, and the resulting hygiene gaps introduce risks to today’s Security Operations Center that the majority of security tools were never designed to handle.
In addition, the explosion in remote workers brought a migration to cloud-based applications, as VPNs were too inefficient to deploy at scale and did not extend security to the application itself. Business applications that used to reside inside the organizational perimeter moved to the cloud, and companies started provisioning remote desktops for employees to connect to and run their business applications. This growth was so explosive that in mid-2020 Microsoft and Amazon were reporting capacity shortages in their Azure and AWS clouds. And cloud security, as we all know, comes with a large and unique set of challenges, not the least of which is understanding your internet exposure and attack surface, and recognizing when a cloud resource has been compromised.
Omega already gives you visibility into compromised assets inside your own network; these two unsolved challenges are what it was designed to extend that visibility to. We leverage our existing sensor network and command & control (C2) infiltration process, then take it a step further by actively goading malware such as Cobalt Strike, IcedID, LokiBot and a host of others into communicating with our systems. Modern malware frequently collects and exfiltrates information from the victim system on first check-in: operating system version, DNS domain name, the logged-in user, passwords and email addresses. With Omega, Prevailion intercepts these communications not only to validate “Proof of Breach,” but also to give security teams actionable information with which to remediate the targeted asset.
By doing this, we can provide Continuous Breach Monitoring, by detecting when malware inside a corporate or remote worker’s network attempts to contact its command & control infrastructure. Imagine if, as part of your VPN connection security test (where companies frequently check for group policies, antivirus and MDR software, and that the computer is fully patched), you could also look up the user’s home IP address in a system and find out if that IP has been detected attempting to phone home to the bad actor. No managed solution or endpoint client can tell you if your employee’s teenager has malware on their laptop, or if their $20 IoT camera has been hacked. But Prevailion Knows, and we know that you wouldn’t want an employee on a compromised network connecting to the VPN into your company that could spark a massive infection or ransomware attack.
This is an example of the visibility Omega provides an organization, and how it can be used to uncover active malware infections in partner networks, supply chains and their remote workforce. The example below has been redacted to protect the privacy of the impacted organization, however, there is much to be learned from it.
{
  "ip": "[REDACTED IP ADDRESS]",
  "asn": 7922,
  "city": "galesburg",
  "date": "2021-06-01",
  "proto": 6,
  "state": "illinois",
  "region": "great lakes",
  "source": "OMEGA",
  "carrier": "comcast cable communications llc",
  "country": "united states",
  "dst_port": 80,
  "country_code": "us",
  "last_payload": "[REDACTED BASE64 ENCODED PAYLOAD]",
  "organization": "[REDACTED NAME OF A MEDIA BROADCASTING COMPANY]",
  "connection_type": "cable"
}
On first inspection, this appears to be a random cable modem user with malware on their system, which is difficult for an organization to act on. However, because Omega emulates real attacker infrastructure, the malware is fooled into sending it data from the victim, which allows us to identify it. The last_payload field holds the raw HTTP request the malware sent to our emulated C2; once Base64-decoded, its headers look like the following (the 178-byte form body is not reproduced here):
POST /rVHD5ekgqaXC7HvEXCImhkh.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)
Host: [REDACTED]
Content-Length: 178
Cache-Control: no-cache
The request format (a POST to a randomly named .php resource, form-urlencoded, with a legacy Internet Explorer user agent) matches a known Qakbot C2 check-in pattern, as seen in the screenshot below from the Any.run sandbox service:
Having compromise intelligence about companies you do business with, or are about to do business with, can be the difference between being the victim of a supply chain attack and escaping unscathed. A security team can now restrict access to its business applications or network from a legitimate partner company that has been breached by a malicious actor. The example organization most likely doesn’t realize it has been breached, but if left unchecked the end result would be the same as consciously allowing bad actors into the network.
This technique also applies to securing your cloud deployments, and this is where a daily feed of Omega data comes in. The feed is easily consumable by SIEM products and is tuned to the organization, networks or IP ranges you define. If one of your assets shows up in the feed, you have proof that something isn’t right and can immediately begin an investigation.
The example below comes from Microsoft’s Azure cloud, but this problem is systemic across all major cloud providers:
{
  "ip": "[REDACTED IP ADDRESS]",
  "asn": 8075,
  "city": "san jose",
  "date": "2021-06-01",
  "proto": 6,
  "state": "california",
  "region": "southwest",
  "source": "OMEGA",
  "carrier": "microsoft corporation",
  "country": "united states",
  "dst_port": 80,
  "country_code": "us",
  "last_payload": "[REDACTED BASE64 ENCODED PAYLOAD]",
  "organization": "microsoft corporation",
  "connection_type": "tx"
}
When last_payload is Base64-decoded, it contains:
GET /wp-includes/wlwmanifest.xml HTTP/1.1
Host: [REDACTED]
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36
Content-Type: text/html
Content-Length: 2
Accept-Language: en-US,en;q=0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Checking the redacted Host: header in VirusTotal indicates the virtual machine is attempting communication with a malicious command & control endpoint. Note also the request itself: GET /wp-includes/wlwmanifest.xml is the standard WordPress fingerprinting probe used by scanners, so a VM emitting it is either running scanning malware or being used by an attacker as a scanning host. Either way, the VM should be isolated and investigated rather than dismissed as harmless web traffic.
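To show how a security team would actually consume such records, here is an added example (not Prevailion’s code, and not part of the original post) that covers the three workflows described above: decoding last_payload into the HTTP request the malware sent, matching feed records against IP ranges you own (a partner range, or a remote worker’s home IP as a /32 for the VPN posture check), and pulling out the Host: header for enrichment in VirusTotal or a similar service. The two feed records are constructed for the example; the IPs are RFC 5737 documentation addresses, the hostnames c2.example.invalid and scan-target.example.invalid stand in for the redacted Host: values, and the classification rules are heuristics derived from the two samples on this page, not vetted malware signatures.

```python
import base64
import ipaddress
import json

# The two decoded requests from the page, reassembled as raw HTTP.
# Host: values are placeholders (assumed); the page redacts the real ones.
QAKBOT_LIKE_REQUEST = (
    "POST /rVHD5ekgqaXC7HvEXCImhkh.php HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)\r\n"
    "Host: c2.example.invalid\r\n"
    "Content-Length: 178\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)
WP_PROBE_REQUEST = (
    "GET /wp-includes/wlwmanifest.xml HTTP/1.1\r\n"
    "Host: scan-target.example.invalid\r\n"
    "Keep-Alive: 300\r\n"
    "Connection: keep-alive\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 2\r\n"
    "Accept-Language: en-US,en;q=0.5\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n\r\n"
)


def build_feed():
    """Constructed sample feed: two newline-delimited JSON records in the
    shape of the redacted records above (RFC 5737 addresses, not real victims)."""
    records = [
        {"ip": "203.0.113.7", "asn": 7922, "date": "2021-06-01", "proto": 6,
         "source": "OMEGA", "carrier": "comcast cable communications llc",
         "dst_port": 80, "connection_type": "cable",
         "last_payload": base64.b64encode(QAKBOT_LIKE_REQUEST.encode()).decode()},
        {"ip": "198.51.100.20", "asn": 8075, "date": "2021-06-01", "proto": 6,
         "source": "OMEGA", "carrier": "microsoft corporation",
         "dst_port": 80, "connection_type": "tx",
         "last_payload": base64.b64encode(WP_PROBE_REQUEST.encode()).decode()},
    ]
    return "\n".join(json.dumps(r) for r in records)


def parse_http_request(raw: bytes) -> dict:
    """Split a decoded last_payload into request line, headers and body.
    Header names are lower-cased so lookups are case-insensitive."""
    text = raw.decode("latin-1").replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def classify(req: dict) -> str:
    """Heuristic verdicts derived only from the two samples on this page;
    treat them as triage hints, not as vetted malware signatures."""
    ua = req["headers"].get("user-agent", "")
    ctype = req["headers"].get("content-type", "")
    if req["path"].endswith("/wp-includes/wlwmanifest.xml"):
        return "wordpress-recon-probe"   # standard WordPress fingerprinting request
    if (req["method"] == "POST" and req["path"].endswith(".php")
            and ctype.startswith("application/x-www-form-urlencoded")
            and "MSIE 6.0" in ua):
        return "qakbot-like-post"        # shape of the Qakbot-style POST above
    return "unclassified"


def match_assets(feed_text: str, org_cidrs) -> list:
    """Keep only records whose source IP falls inside the ranges you care about
    (your own, a partner's, or a remote worker's home IP given as a /32)."""
    nets = [ipaddress.ip_network(c, strict=False) for c in org_cidrs]
    hits = []
    for line in feed_text.splitlines():
        rec = json.loads(line)
        ip = ipaddress.ip_address(rec["ip"])
        if any(ip in n for n in nets):
            hits.append(rec)
    return hits


def triage(feed_text: str, org_cidrs) -> list:
    """For each matching record: decode the payload, parse the request, attach
    a verdict and the Host: header for enrichment (e.g. a VirusTotal lookup)."""
    out = []
    for rec in match_assets(feed_text, org_cidrs):
        req = parse_http_request(base64.b64decode(rec["last_payload"]))
        out.append({"ip": rec["ip"], "verdict": classify(req),
                    "host": req["headers"].get("host"),
                    "request_line": f'{req["method"]} {req["path"]}'})
    return out
```

Running triage(build_feed(), ["203.0.113.0/24", "198.51.100.0/24"]) yields one qakbot-like-post hit and one wordpress-recon-probe hit, each with the Host: value ready to pivot on; the same call with a single /32 is the VPN pre-connect check described earlier. In production the feed text comes from Prevailion's daily export and the CIDR list from your asset inventory, and the verdict strings would map onto your SIEM's alert severities.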
Every single day, a new company falls victim to ransomware, and we’ve already seen multiple supply chain attacks in the first half of 2021. It’s not a matter of if an organization will be breached, but when. Obtaining Proof of Breach early in the attack chain gives defenders time at the most critical stage of an attack to locate, isolate and evict attackers before they can carry out their scorched earth ransomware campaigns.
Nate Warfield – Chief Technology Officer