Throughout the history of mankind, ingenuity and determination have played outsized roles in the advancement of civilization. Were it not for the tenacity and dedication of Nikola Tesla, for example, we might not be enjoying the convenience of alternating current (AC) electricity. Alexander Hamilton, a penniless orphan born out of wedlock, came to the United States from the Caribbean as a young man and went on to become one of our Founding Fathers, helping to create the nation's first central bank and the service that became the U.S. Coast Guard.
These men personified the English proverb, “Where there’s a will, there’s a way,” at its grandest. Yet we all show determination in some way, shape or form day to day. It’s how we get straight As or achieve some other personal best. And — for better or worse — it also happens to be a motivating factor for getting what we want.
Dinner with David Bowie or Nikola Tesla? Answer: David Bowie as Nikola Tesla!
So what does this have to do with cyber security? Well, a lot, actually. Many threat actors are driven by money and have the will, or determination, to do whatever it takes to get their hands on it, mostly through illicit means such as ransomware. Inside a company's own walls, employees doing whatever it takes to get the job done may use IT systems and processes without department approval (shadow IT), inviting risk into the corporate environment without even realizing it. And then there are users who simply want to do whatever it takes to pass the time at work.
I’d like to explore this last case and the effect it has on an organization.
Once Upon a Time in the Workplace
Our story begins with a routine investigation of adware or a potentially unwanted program (PUP) on an endpoint. Although such programs are not malicious in the strict sense, they do hijack your web usage to try to monetize your browsing experience: injecting advertisements, installing browser toolbars and redirecting your searches. Typically, we're able to identify this behavior quickly, remove the PUP and move on.
But in this particular case, we saw a behavior that we don't see regularly: this PUP downloaded a download manager called "DownloadManagerNow." Given that we don't see this very often, we wanted to dig a bit deeper to understand what was happening and why. Was it another "free" software bundle that includes a download manager in order to install an advertisement-laced toolbar? Or did the user knowingly download the download manager for a specific purpose?
We wanted answers. And to get at them, we needed to understand the sequence of events:
Act 1 – Investigation
We investigated the application that triggered the download, in this case Internet Explorer. Obviously, the web browser didn't download the PUP on its own; something external told it to do so. Walking back from the browser process to whatever launched it, we found a process called psiphon3.exe. Now we're getting somewhere!
Act 2 – Will, Meet Way
Using EDR data, we searched across the entire endpoint landscape for the same executable and found three other hosts on which it had run. Time to figure out what this psiphon3.exe is and its purpose. Using Google as our first resource, we identified the application as VPN tunneling software. According to its website, it's meant to let the user surf the internet anonymously and avoid censorship so that you can "get to the content you want, whenever you want, wherever you want it." It even went as far as to call the application a "circumvention tool"! (Will, meet way.) Note that this is not malware: it is a legitimate anti-censorship tool, which is exactly why antivirus may not flag it. The problem is that it carries the user's web traffic through an encrypted tunnel that the corporate proxy and web filters never get to inspect.
Act 3 – The Why
Now that we know the "what," we needed to figure out the "why." Pulling the firewall logs for the affected hosts let us see their traffic patterns. Looking at bytes sent versus bytes received, an inordinate amount of data was being downloaded, to the tune of 20GB in two hours!
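To make the three acts concrete, here is an added example of the hunt as I would script it against exported EDR process events and firewall session logs. This is my own illustrative code, not anything from the original investigation or from any EDR or firewall vendor; the event tuples, the firewall log format (timestamp, src, dst, proto, dport, rcvd, sent) and all host names, IPs and byte counts are constructed for the example. Act 1 is the process ancestry walk (browser launched by psiphon3.exe), Act 2 is the fleet-wide search for the same image, and Act 3 is the per-source peak download volume in any two-hour window.

```python
"""Hunt for a circumvention tool: process ancestry, fleet search, download volume.
All telemetry below is constructed for illustration; none of it is real data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed EDR process-creation events: (host, utc timestamp, pid, parent pid, image).
EDR_EVENTS = [
    ("WS-0101", "2019-05-06T09:02:11", 4120, 900,  "explorer.exe"),
    ("WS-0101", "2019-05-06T09:05:43", 5200, 4120, "psiphon3.exe"),
    ("WS-0101", "2019-05-06T09:05:51", 5316, 5200, "iexplore.exe"),
    ("WS-0101", "2019-05-06T09:07:02", 5402, 5316, "DownloadManagerNow.exe"),
    ("WS-0117", "2019-05-06T09:10:05", 3001, 880,  "explorer.exe"),
    ("WS-0117", "2019-05-06T09:11:30", 3120, 3001, "psiphon3.exe"),
    ("WS-0203", "2019-05-06T11:40:12", 2210, 2000, "psiphon3.exe"),
    ("WS-0310", "2019-05-06T12:01:48", 6100, 1300, "psiphon3.exe"),
    ("WS-0412", "2019-05-06T09:00:00", 2500, 910,  "explorer.exe"),
    ("WS-0412", "2019-05-06T09:01:10", 2612, 2500, "iexplore.exe"),  # benign launch
]

def ancestry(events, host, pid):
    """Act 1: follow parent links on one host; returns [image, parent image, ...]."""
    by_pid = {(h, p): (pp, img) for h, _, p, pp, img in events}
    chain, seen = [], set()
    while (host, pid) in by_pid and pid not in seen:  # 'seen' guards against pid reuse loops
        seen.add(pid)
        ppid, img = by_pid[(host, pid)]
        chain.append(img)
        pid = ppid
    return chain

def browsers_launched_by(events, browsers, image):
    """Act 1: browser processes that have the given image somewhere in their ancestry."""
    hits = []
    for host, ts, pid, _, img in events:
        if img.lower() in browsers:
            chain = ancestry(events, host, pid)
            if image.lower() in (c.lower() for c in chain[1:]):
                hits.append((host, ts, " <- ".join(chain)))
    return hits

def hosts_with_image(events, image):
    """Act 2: every host on which the given executable was observed."""
    return sorted({h for h, _, _, _, img in events if img.lower() == image.lower()})

# Constructed firewall session log. The field layout is an assumption for this example.
FW_LOG = """\
2019-05-06T13:00:00 src=10.20.1.15 dst=198.51.100.8 proto=tcp dport=443 rcvd=5368709120 sent=4194304
2019-05-06T13:30:00 src=10.20.1.15 dst=198.51.100.8 proto=tcp dport=443 rcvd=5368709120 sent=4194304
2019-05-06T14:15:00 src=10.20.1.15 dst=198.51.100.8 proto=tcp dport=443 rcvd=6442450944 sent=4194304
2019-05-06T14:50:00 src=10.20.1.15 dst=198.51.100.8 proto=tcp dport=443 rcvd=4294967296 sent=4194304
2019-05-06T13:05:00 src=10.20.1.22 dst=203.0.113.40 proto=tcp dport=443 rcvd=734003200 sent=2097152
2019-05-06T17:00:00 src=10.20.1.15 dst=198.51.100.8 proto=tcp dport=443 rcvd=3221225472 sent=4194304
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=\S+ dport=\d+ "
    r"rcvd=(?P<rcvd>\d+) sent=(?P<sent>\d+)$")

def parse_fw(text):
    """Parse log lines into (timestamp, src, bytes received); malformed lines are skipped."""
    recs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            recs.append((datetime.fromisoformat(m["ts"]), m["src"], int(m["rcvd"])))
    return recs

def peak_download_by_src(recs, window=timedelta(hours=2)):
    """Act 3: per source IP, the largest byte volume received within any sliding window."""
    by_src = defaultdict(list)
    for ts, src, rcvd in recs:
        by_src[src].append((ts, rcvd))
    peaks = {}
    for src, items in by_src.items():
        items.sort()
        lo, total, best = 0, 0, 0
        for ts, rcvd in items:           # two-pointer sweep over time-ordered sessions
            total += rcvd
            while ts - items[lo][0] > window:
                total -= items[lo][1]
                lo += 1
            best = max(best, total)
        peaks[src] = best
    return peaks

def flag_heavy_downloaders(recs, threshold_bytes, window=timedelta(hours=2)):
    """Source IPs whose peak windowed download volume meets the threshold."""
    return sorted(s for s, b in peak_download_by_src(recs, window).items() if b >= threshold_bytes)

if __name__ == "__main__":
    print("Act 1:", browsers_launched_by(EDR_EVENTS, {"iexplore.exe", "chrome.exe"}, "psiphon3.exe"))
    print("Act 2:", hosts_with_image(EDR_EVENTS, "psiphon3.exe"))
    print("Act 3:", flag_heavy_downloaders(parse_fw(FW_LOG), 10 * 2**30))
```

The volume check deliberately uses a sliding window rather than a fixed daily total: 20GB spread over a day may be unremarkable for a build server, while 20GB in two hours from a workstation is the signal the firewall logs actually carried. In practice the thresholds and the browser and parent image names would come from your own environment's baseline.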
Armed with this information, the local IT team went to investigate and discovered that employees wanted to pass the time in the office by streaming movies. These users knew that the IT security team had placed restrictions on web browsing from corporate assets on the corporate network. With little to no regard for the unintended consequences of their actions, the employees used a circumvention tool to get what they wanted.
Fortunately, this incident was fairly innocuous and was remedied rather quickly, but the consequences could have been much worse. The tool established an encrypted tunnel out of the corporate network that bypassed our proxy and web filtering, so traffic in either direction, including whatever the far end chose to send back down the tunnel, arrived without inspection. The one thing the tunnel could not hide was its volume, and that is what the firewall logs caught.
Moral of the Story
I offer this real-life scenario as a reminder that technology is not the panacea for all our cyber security problems. Technology + people + continuous process is what it takes. Take note of the word "continuous." In our industry, you cannot "set it and forget it." It's absolutely essential that we constantly monitor and tweak our detection and response methods, and adjust them as threats evolve, whether those threats are intentional or unintentional.
Until next month, keep fighting the good fight.