Initial Thoughts on The Hartford Breach: Using Pattern Recognition to Identify Outbreaks

The recent compromise at The Hartford Insurance Company highlights the fact that AV software by itself isn’t always an adequate defense—even for malware that has been in the wild for quite some time. It was reported that a W32-Qakbot variant was utilized in this attack—something that has been around since 2009.

Qakbot is a piece of malware that has Trojan functionality and spreads via network shares. After some basic research, it looks like Qakbot variants, once installed, reach out to external servers to download a payload providing the extended Trojan functionality, and then spread via network shares.

A simple AI Engine rule that looks for an outbound connection opening, followed quickly by network activity or port scanning activity on TCP ports 139 and 445 and/or UDP ports 137 and 138 from the same host would detect Qakbot as it attempts to spread throughout the network (as well as many other types of malware that follow the same activity pattern).

A SIEM solution with strong pattern recognition capabilities can provide a wider view rather than just focusing on how an exploit works or whether AV signatures will recognize the malicious files as they are scanned.

Automated advanced correlation rules can be written to alarm on the activity of the malware. A similar decentralized threat detection approach is outlined in one of my previous blog posts on SQL Injections.