Virus Attacks U.S. Drone Fleet and the Need for Rapid Detection and Response
October 12, 2011
As the U.S. armed services continue to expand the use of unmanned aircraft, the very real threat of an adversary infecting the command and control systems of such aircraft has moved down the continuum from science fiction to concerning reality. That is because an October 7 Wired article revealed that the USAF base (at Creech Air Force Base in Nevada) that commands the U.S. drone fleet had been attacked.
The story of the attack (another article here) and the problems addressing the attack are a case study in why rapid detection and response should be an imperative for every organization under persistent attack or the advanced persistent threat.
How the Attack Spread. It appears that the attack spread through the use of USB storage devices. While these devices are normally banned for use on highly sensitive networks, the Wired story indicates that the drone crews use them frequently. This is instructive as many so-called APT solutions do deep packet inspection on the wire and are easily evaded by attacks spread through removable devices. Lesson: You have to have a solution that detects when an attack gets through the shields.
Time to Initial Discovery. None of the stories I have read answer this question, so there is no way to tell how long the attack was on the machines before it was discovered. The stories do say that it was discovered two weeks before the first story broke on October 7, and that in spite of attempts to eradicate it, the attack was still persisting two weeks later. Lesson: You have to have a solution that detects attacks, or even suspicious activity, in real time. Hence the term Rapid in Rapid Detection and Response.
Efficacy of Response. Every article I read indicated that the IT security teams were unable to effectively eradicate the attack from the affected machines – the attack kept coming back. This persisted even when antivirus vendor Kaspersky was brought into the process. Eventually infected machines had to be wiped clean and completely restored. Lesson: To have an effective response, you must have detailed, comprehensive, and actionable data. Most tools may be able to locate the offending executable, but have no idea about the collateral damage done to the machine. Contained in this collateral damage are the mechanisms used by well-written malware to persist in spite of the best efforts to remove it.
Let’s discuss how rapid detection and response should work. And yes, I will use Triumfant as the standard – unapologetically.
First, Detection. The attack was a key logging Trojan, so when it infiltrated a machine it performed a variety of tasks to install and begin execution. The Triumfant agent would have seen the changes to the machine, including the primary damage and all of the associated collateral damage. The initial infiltration would have triggered Triumfant’s real-time analysis, so an administrator would have been alerted to the attack and provided detailed analysis within minutes of the infection. Net result: infection to detection and analysis in minutes – not hours, days, or weeks. And no human labor expended to perform the analysis. That meets the requirements of Rapid.
Now for the Response. The analysis provided by Triumfant would show every persistent state attribute affected by the attack. This information is used by Triumfant to build a remediation specific to that attack, and the remediation will stop the attack and repair all of the damage to the machine. This remediation is also available within minutes of the infection – again, Rapid. Because Triumfant sees all of the changes to the machine at the time of infiltration, it will see all of the components of the attack, including the mechanisms used to create persistence. When the remediation repairs the damage, it will also remove those mechanisms and disable any ability to persist. No need to re-image the machine or even restart the machine. Infection to remediation in minutes. Unfortunately, it appears that the team at Creech does not have the complete picture that Triumfant provides, so their attempts to kill the attack are clearly not disabling the persistence mechanism.
The completeness of the Triumfant analysis empowers other response actions. The data returned from the Triumfant analysis can be readily incorporated into a Triumfant filter, which in turn can be used to determine if the attack is on any other machine (this is doubtful because Triumfant would have detected the attack at time of infection). The data is immediately actionable to the incident response/forensic teams to perform further research for attribution and other activities. Triumfant is capable of generating syslog events in CEF format, so the SIEM tool of choice could have correlated the data with other logs.
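The three paragraphs above describe one workflow: snapshot the persistent state of an endpoint, diff it against a known-good baseline, treat any change that touches an autostart location as a persistence mechanism, derive a remediation that reverts every changed attribute (persistence first), turn the changed attributes into a filter to sweep other hosts, and hand the result to a SIEM as a CEF event. The sketch below is an added example of that workflow in Python; it is not Triumfant’s code or data model, and the attribute keys, host name, file hashes and CEF vendor/product fields are all constructed for illustration.

```python
"""Endpoint state-diff detector and remediation planner (constructed example).

Models the workflow described in the post: baseline -> diff -> flag
persistence -> remediation plan -> filter for other hosts -> CEF event.
All data below is made up; nothing here is Triumfant's code or format.
"""
from __future__ import annotations
from dataclasses import dataclass

# Autostart locations treated as persistence mechanisms (constructed list).
RUN_HKLM = "registry:HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
RUN_HKCU = "registry:HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
PERSISTENCE_PREFIXES = (RUN_HKLM, RUN_HKCU, "service:", "scheduled_task:")

@dataclass(frozen=True)
class Change:
    key: str            # attribute name, e.g. "file:<path>" or "service:<name>"
    old: str | None     # baseline value, None if the attribute was added
    new: str | None     # current value, None if the attribute was removed

    @property
    def is_persistence(self) -> bool:
        return self.key.startswith(PERSISTENCE_PREFIXES)

def diff_state(baseline: dict[str, str], current: dict[str, str]) -> list[Change]:
    """Every attribute added, removed or modified since the baseline snapshot."""
    changes = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old != new:
            changes.append(Change(key, old, new))
    return changes

def remediation_plan(changes: list[Change]) -> list[tuple[str, str, str | None]]:
    """One reverting action per change; persistence mechanisms are undone first
    so the malware cannot re-launch while collateral damage is being repaired."""
    ordered = sorted(changes, key=lambda c: not c.is_persistence)  # stable sort
    return [("remove", c.key, None) if c.old is None else ("restore", c.key, c.old)
            for c in ordered]

def build_filter(changes: list[Change]) -> frozenset[tuple[str, str]]:
    """Indicator set (attribute, value) usable to check other hosts for the attack."""
    return frozenset((c.key, c.new) for c in changes if c.new is not None)

def matches_filter(state: dict[str, str], filt: frozenset[tuple[str, str]]) -> bool:
    return any(state.get(key) == value for key, value in filt)

def _cef_header(s: str) -> str:
    return s.replace("\\", "\\\\").replace("|", "\\|")

def _cef_ext(s: str) -> str:
    return s.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")

def cef_event(host: str, changes: list[Change], severity: int = 8) -> str:
    """CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension"""
    persist = [c.key for c in changes if c.is_persistence]
    header = "|".join(_cef_header(f) for f in (
        "CEF:0", "ExampleVendor", "StateDiff", "1.0", "100",
        "Unauthorized persistent-state change", str(severity)))
    ext = " ".join(f"{k}={_cef_ext(v)}" for k, v in (
        ("dvchost", host), ("cnt", str(len(changes))),
        ("cs1Label", "persistence"), ("cs1", ";".join(persist))))
    return header + "|" + ext

# Constructed snapshots: a clean baseline and the same host after a keylogger install.
BASELINE = {
    "file:C:\\Windows\\System32\\drivers\\etc\\hosts": "sha256:BASELINE_HASH_1",
    RUN_HKLM + "SecurityHealth": "C:\\Windows\\system32\\SecurityHealthSystray.exe",
    "service:Spooler": "start=auto image=C:\\Windows\\System32\\spoolsv.exe",
}
CURRENT = dict(BASELINE)
CURRENT[RUN_HKCU + "Updater"] = "C:\\Users\\operator\\AppData\\Roaming\\svchosts.exe"
CURRENT["scheduled_task:\\Updater"] = "trigger=logon action=svchosts.exe"
CURRENT["file:C:\\Users\\operator\\AppData\\Roaming\\svchosts.exe"] = "sha256:CONSTRUCTED_HASH_2"
CURRENT["file:C:\\Users\\operator\\AppData\\Roaming\\kl.dat"] = "sha256:CONSTRUCTED_HASH_3"

if __name__ == "__main__":
    found = diff_state(BASELINE, CURRENT)
    for action in remediation_plan(found):
        print(action)
    print(cef_event("gcs-07", found))
```

The point of the example is the ordering and the completeness: the plan reverts the two autostart entries before the dropped files, and the filter built from the same diff is what you would run against every other host’s snapshot rather than searching for the executable alone.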
With Triumfant, rapid detection and response translates into infection to remediation in minutes. In contrast, the attack at Creech is now into 2+ weeks and countless hours have been lost chasing the attack, trying to kill it with no success, and ultimately re-imaging machines. In case we forget, we are at war and there are brave men and women in harm’s way. If the attack at Creech meant that drone operations were impaired because the only way to stop this attack was to re-image critical machines, then the attack succeeded well beyond merely logging keystrokes.
The idea of rapid detection and response is to detect attacks that get through perimeter and endpoint shields and to provide actionable data for a rapid response that stops the attack and repairs affected machines. This is not a capability limited to USAF drone command facilities; it applies to any sensitive system, whether DoD or Intelligence. If you represent a commercial organization, you also have critical systems that must be secure and available. While these systems are clearly not critical to national defense, they are no less critical to your business, and there is ample evidence of persistent attacks built for commercial espionage.
The need for rapid detection and response is not an option.
