Tom here from Lawrence Systems. It is August 27, 2020. And we're going to be covering a new variant of Emote, Emotet, I think that's how you say it, attack that occurred on August 26 of 2020 and the tool stack we use to defend against this. I brought this up because there's people that are always looking for the solution. And also whatever solution you're using has context, and that context frequently is time. So that is what we're using right now. This is the solution that we've put together that we find to be very effective. I'm going to talk to you about what worked, what didn't work, and why we use both SentinelOne and Huntress. Now, we're going to keep the narrower scope of this particular talk to those tools. And yes, I know defense in depth means there's a lot more than just the endpoint. We're going to focus, though, on what did happen, what got through. And when you're talking about defense in depth, of course, there were several layers that it had to get through before this: the failure of a spam filter that led to an email, a specific phishing attack that was targeted at a particular user that was at our client, and what they clicked on to get this. So user training can be improved, spam filtering can be improved, or, you know, as best you can. But this is still where it did land, at the endpoint, and how we dealt with it, how we remediated it, what went wrong, what went right. And I want to talk a little bit about that process. And I'm also going to preface this again with: we're not trying to bash on the SentinelOne product, but I will be mentioning what it worked with and what it did miss and how Huntress caught this. So it's not going to be too long of a talk, but I just want to make sure that people don't think I'm looking for another product because of what did happen.
Any of these products that use any type of heuristic analysis, even if they put the word AI on it, which is the fancy version of "we look at behaviors and try to map how something occurs." We're going to talk about how humans still have the edge right here in 2020 on that type of detection. Before we get started, can you click that like button? And if you'd like to learn more about me and my company, head over to LawrenceSystems.com. If you'd like to hire us for a short project, there's a Hire Us button right at the top. If you'd like to help keep this channel sponsor free, and thank you to everyone who already has, there is a Join button here for YouTube and a Patreon page. Your support is greatly appreciated. If you're looking for deals or discounts on products and services we offer on this channel, check out the affiliate links down below. They're in the description of all of our videos, including a link to our shirt store. We have a wide variety of shirts that we sell, and new designs come out, well, randomly. So check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics you've seen on this channel. Now, back to our content. And we'll talk specifically about the products that we use. We are using the SentinelOne platform: unified endpoint protection, detection, response, and remediation. And that sounds like, and where some people may have some challenge with this, it overlaps with what Huntress does. But we use both products. And because we purchase through SolarWinds and we use the SolarWinds stack for our overall defense, and yes, we have web filtering in there, because that may come up as well, as in, well, would this have been stopped by certain amounts of web filtering? Well, no, it wasn't, not in this particular case. But we do have Huntress on there in addition to having SentinelOne, or SentinelOne and additionally Huntress.
We use both is what I'm trying to get at here. And why do we use both? Well, that's why I put together a little presentation to kind of walk you through what happened and the detection and response that we have here. So we'll start with something that was also found on this particular machine, because, well, it's never just one thing, right? And this person was, well, being difficult and clicking on everything and causing chaos. This is why you keep users without full privileges. This is also why you, you know, do a lot of user training. They're really an important aspect of your security awareness and what needs to be done. But yes, they will click on things; that's always where the attacks occur. And this is an attack stopped by SentinelOne. So we have some type of document that was attempted to be opened from another email. And right away, we alert, kill, quarantine. So we stopped what this was doing. It's recognized as a high risk. It's, you know, referenced; we have a VirusTotal link, classification, downloaded or mitigated. We can remediate by actually deleting the file. We can roll it back if we thought to and, you know, undo this. But this is completely the system working as instructed. Like, this is ideal. It is notifying us, the IT company, of the threat. We can start investigating, figure out how that got there, ways we can keep it from ever getting this far. But the threat was mitigated. That's an important, important aspect. This was not mitigated. Now, this is where things get really tricky. And this is a very new variant of Emotet that at the time, which was yesterday, wasn't even showing up in VirusTotal. We were unable to find anything that really told us what it was, but we knew it was Emotet. Please note it doesn't say Emotet here. And we'll get to where and how we discovered what it was. But what this does do properly here in the SentinelOne dashboard is go through and realize it's doing something suspicious.
So it goes through, it looks at this file and says, all right, here's that file. That's the workstation that it's on. Risk level is not available, because it seems like it's doing something suspicious. So we have our indicators over here: suspicious library loaded in the process memory, code injection into another process's memory, defense evasion techniques, privilege escalation, because this user was not privileged to do some of these things. But you can see it's walking through going, hey, this is really suspicious. And this is the next piece of it: it's trying to contact servers that are on malicious lists as well. So here's, you know, this trying to reach out and do something that seems equally suspicious. And it's diving into this. It's listing it as "seen on network one time," and just so we're clear on what that actually means, this file tried to kick off more than once. I just grabbed one sample, but it was actually trying to run twice under the same name. Now, the other point that I have brought up before on this channel is, when you're doing defense, making sure, and if you notice this is a local IP address, that is the gateway address, making sure that the endpoints and the computers on a network don't have direct firewall access. This also reached out to and tried to attack the firewall. Probably tried a bunch of default credentials if it got a connection. And it didn't, because that's not the location of the firewall, and this machine doesn't have access, because we would never want to access the firewall from that machine. So we've mitigated that, but you can see that it attempted; it kept trying to make connections repeatedly to port 443, trying to talk to the gateway, probably to see if it could get around the blocks that were on it. So it's doing its poking and probing and trying to say, I need to talk to a command and control server to start doing more nefarious things.
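The gateway probing and the contact with blocklisted addresses described above are the kind of thing you can confirm from your own firewall logs rather than only from the EDR console. The script below is an added example, not code from the video, from Lawrence Systems, or from SentinelOne or Huntress; the log line format, the host and gateway addresses, the blocklist entries, the admin-host list and the repeat threshold are all constructed for illustration. Per source host it counts attempts to reach the gateway's management ports and any contact with blocklisted destinations, and separately reports any non-admin host that was actually allowed through to the gateway, which is the rule gap the video says an endpoint should never have.

```python
import re
from collections import defaultdict

# Constructed sample firewall log. Hosts, gateway and C2 addresses are hypothetical
# (TEST-NET ranges); the key=value layout is a generic format, not a vendor's syntax.
SAMPLE_LOG = """\
2020-08-26T09:14:02Z BLOCK src=10.10.5.42 dst=10.10.5.1 dport=443 proto=tcp
2020-08-26T09:14:03Z BLOCK src=10.10.5.42 dst=10.10.5.1 dport=443 proto=tcp
2020-08-26T09:14:05Z BLOCK src=10.10.5.42 dst=10.10.5.1 dport=443 proto=tcp
2020-08-26T09:14:06Z BLOCK src=10.10.5.42 dst=203.0.113.77 dport=443 proto=tcp
2020-08-26T09:14:09Z BLOCK src=10.10.5.42 dst=10.10.5.1 dport=443 proto=tcp
2020-08-26T09:14:11Z BLOCK src=10.10.5.42 dst=198.51.100.9 dport=8080 proto=tcp
2020-08-26T09:15:00Z ALLOW src=10.10.5.10 dst=10.10.5.1 dport=443 proto=tcp
2020-08-26T09:15:30Z ALLOW src=10.10.5.42 dst=93.184.216.34 dport=443 proto=tcp
2020-08-26T09:16:00Z ALLOW src=10.10.5.57 dst=10.10.5.1 dport=443 proto=tcp
"""

GATEWAY = "10.10.5.1"                         # hypothetical firewall/gateway address
MGMT_PORTS = {22, 80, 443}                    # ports that reach the firewall's management UI/API
ADMIN_HOSTS = {"10.10.5.10"}                  # the only hosts that should ever manage the firewall
BLOCKLIST = {"203.0.113.77", "198.51.100.9"}  # constructed C2 blocklist
REPEAT_THRESHOLD = 3                          # gateway hits from one host before we flag it

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|BLOCK)\s+src=(?P<src>[\d.]+)\s+"
    r"dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def triage(log_text):
    """Aggregate per-source findings: how often each host hit the gateway's
    management ports, which blocklisted destinations it tried, and whether a
    non-admin host was actually ALLOWED through to the gateway (a rule gap)."""
    findings = defaultdict(lambda: {"gateway_mgmt_attempts": 0,
                                    "blocklisted_dsts": set(),
                                    "mgmt_allowed": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in another format rather than failing the run
        f = findings[rec["src"]]
        if rec["dst"] == GATEWAY and rec["dport"] in MGMT_PORTS:
            f["gateway_mgmt_attempts"] += 1
            if rec["action"] == "ALLOW" and rec["src"] not in ADMIN_HOSTS:
                f["mgmt_allowed"] = True
        if rec["dst"] in BLOCKLIST:
            f["blocklisted_dsts"].add(rec["dst"])
    return dict(findings)


def suspicious_hosts(findings):
    """Hosts worth isolating: repeated gateway probing or any blocklisted contact."""
    return sorted(src for src, f in findings.items()
                  if f["gateway_mgmt_attempts"] >= REPEAT_THRESHOLD
                  or f["blocklisted_dsts"])


def rule_gaps(findings):
    """Non-admin hosts that were allowed to the gateway's management ports at all."""
    return sorted(src for src, f in findings.items() if f["mgmt_allowed"])


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for src in suspicious_hosts(result):
        f = result[src]
        print(f"{src}: {f['gateway_mgmt_attempts']} gateway management hits, "
              f"blocklisted contacts={sorted(f['blocklisted_dsts'])}")
    for src in rule_gaps(result):
        print(f"rule gap: {src} was allowed to the gateway management port")
```

In the constructed sample, 10.10.5.42 is flagged for four blocked gateway hits plus two blocklisted destinations, while 10.10.5.57 is not flagged as suspicious but shows up as a rule gap: a non-admin workstation that the firewall allowed through to its own management port. The two lists are kept separate because they call for different responses, isolating a host versus fixing a rule.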
And once again, we've only got a severity level of low to medium on the file operations and network activity, because they've seen it going to suspicious places, but blocked it. System manipulation, all right, we're doing some manipulation, but all the other ones, antivirus, exploitation, general: low, low, low, low, low, low, all the way across the board. And it also is trying to manipulate and move a bunch of files under, like, System32. One of them I highlighted in the middle here, I kind of cut off, but it was calc.exe. It was trying to, you know, copy over a calculator file. And we can also, this is also from SentinelOne, dive through any, you know, watching the files it tried to create and all the different respawns of this particular file, where it created itself, tried to create itself and tried to elevate permissions. This is, you know, just some reverse engineering of what was going on. Then through all this, even though it was being logged, it did write a registry key. It did gain a foothold, but wasn't really able to execute. And this is where we got the alert from Huntress. Now, we got alerts from SentinelOne. We knew something was going on, so we knew we had to take action. But this is that next step of: what is it? The threat team at Huntress is really good. And they recognized this right away as Emotet. We worked with them. They go through samples. They're like, oh yeah, one of our threat hunters, and I say threat hunters, not AI machines that look at this, actual people, were able to look at this, and score one for human intervention, for them going, yep, we know what this is. We understand what it is. It's definitely Emotet, and we flagged it, and they come up with the remediation step. And it's, you can see, remediating Emotet/TrickBot. So they're used to looking at this.
So even though they've evolved it to avoid these heuristic systems and AI systems that look for it, Huntress, having the people that they have and looking at this day in and day out, were able to right away identify this and notify us of the threat. Now, remediation. We immediately shut this off from the network. This is a feature that you have in SentinelOne. You go in there and we can say, drop all connections. This computer is dead to the world, and it creates an interesting thing when you do this with SentinelOne, because it can only talk to SentinelOne; the computer is locked off from the rest of the network. We started examining the rest of the network. We looked, because their entire network is running SentinelOne. We examined connections. We did our entire investigation debrief: that, yes, this came through a phishing email. This was locked down to this computer. The lack of privileges meant it didn't go anywhere, but it did establish a foothold. So immediately this computer was removed, first from the network, then physically from the network, wiped, reloaded, clean. They have a pretty standard set of software we load on there, and away we go. Purge out any emails that may have been specific phishing emails. Suggest they buy a better spam filter, because the company has opted not to get a good spam filter at all. They don't buy one through us, but hey, that's a different topic for a different day. But we also talked about user training. This was a suspicious email. Don't open that email again. If it sounds too good to be true, it probably is. And away we go. We're back to a replaced, clean, running system. Now, besides all the debrief of how not to have this happen again, I just want to point out the importance of defense in depth. So could this event have been stopped by a spam filter? Yeah, hopefully, maybe, but that's still a layer of defense, not your only defense. Should this event have been stopped by SentinelOne?
Well, SentinelOne does stop a lot, and we really like the product, but occasionally things evolve, threats happen. And that's why our kind of catch-all at the endpoint level, where we know this is going to be happening, is going to be, yes, we have Huntress on there, which is just essentially a system to notify us. And I'm going to be doing a future review of Huntress. I have a previous review of Huntress. I'll link to it below, but it's still a great product. We still use it here in 2020. And it's kind of that extra little notification. And it's just having that extra, that in case something gets through, in case some of these heuristic things fail, I know Huntress's human intervention that they have sees this in real time. They see this at scale. So having humans essentially, you know, at the ready, the same reason we are also part of that human defense at the ready that is looking for these, actively responding and shutting things down and making these decisions. Because occasionally, and we also occasionally get false positives, where something's detected that would have disrupted user work. That's why someone still has to be there. You can't just set it and forget it with any of this. This is where my team takes over. We make decisions. The Huntress team is a level up to make decisions on their side. And we can make an informed decision of what we need to do. So I thought this debrief might be a little bit interesting. This is kind of the process we follow when we do this and how we mitigate and how we remediate. And of course, we suggest that this user get more training, because the reality is user training is very important. But still, we know people click on things. And now this person's been made aware that they need to be extra careful. This was pretty much a targeted, you know, well, it was a broad phishing. It wasn't spear phishing, where they know exactly who; it was broad phishing on something that people would click on.
And this is all part of the defense in depth stack that you work out for your clients, and why we use the tools we use here in 2020. At some previous date, you can probably hear me talking about different tools, and at some future date, I don't know, maybe I'll be talking about different tools. Maybe I'll keep talking about these tools. We always are evaluating, looking at what worked and what didn't. I don't see this as a complete failure on the side of SentinelOne. But of course, I would be rethinking this if SentinelOne didn't even notify me of it. That would be a different story. So far, we've been really happy with SentinelOne's detection of these things. But I also am very aware of the fact that as these threats evolve, as these threats change, it is a real, you know, back and forth game of the people that write these viruses detecting these systems, testing against them, and seeing how much they can get. They realize first strike is very important, that getting this out there and mass attacking these companies is really important, because as soon as this gets into all these different defense systems, raises awareness, VirusTotal, signatures created for these, they have to evolve again before they can send out the next wave of attacks. So this is still the overall defense of how things are going. But still, I find it really interesting, and we're trying to keep all these systems safe, which is always a challenge. But you know, this is what we do and kind of what happens when I'm not just making YouTube videos on other random things that I post on this channel. This is the other side of our business of managing client security, watching for threats and mitigating those threats and making sure that nothing got through on your network. And of course, as I stated, we scanned their network; nothing else happened. We found no evidence of it.
And the lack of privileges that user had didn't allow them to use it as a pivot to dig deeper, not to mention the command and control stuff didn't get out because the IPs were blocked. So, you know, no data was exfiltrated, and it was really narrow in scope, limited to this particular computer. So hopefully you found this interesting. Comments, questions, concerns, head over to my forums or leave some questions below. All right, thanks. And thank you for making it to the end of the video. If you liked this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to LawrenceSystems.com, fill out our contact page and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general, even suggestions for new videos, which are accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page. We have a lot of great tech offers for you. And once again, thanks for watching and see you next time.