Inside Mandiant's biggest forensics breach battle: Is this Anthem?

Four researchers from American cybersecurity firm Mandiant have engaged in an eight-month epic battle against hackers behind one of the biggest breaches of this year. The quartet is not saying who the victim is, nor identifying the attackers. However, it is at the level of, and very-well could be, health insurers Anthem or …

  1. hexstr

    Amazing!

    "One of the big wins came with a simple upgrade. The team upgraded Python to version four which sported a better logging feature. That appeared to catch the enemy off guard and pierced their anonymity enough that they began to leave logs."

    Python 4.x... and here I've been using 3.x like a sucker!

    1. thames

      Re: Amazing!

      It makes you wonder what else they got wrong in the article. I'm going to take a guess that the upgrade was to Python version 3.4, seeing as 3.5 only just came out. At least "3.4" has got a "4" in it somewhere.

      Come on El Reg, you're an IT news site. At least make an effort to learn what the current major versions are for the top programming languages used in the IT industry!

      1. Anonymous Coward

        Re: Amazing!

        It was powershell 3 -> 4.

    2. LDS Silver badge

      Re: Amazing!

      Well, I would have been caught off guard too on a platform running Python 4!

      BTW, why not modify Python itself to track down attackers' activities?

  2. Dadmin
    FAIL

    How much to hire security gurus these days?

    So, you've got four security gurus for 8 months, let's say 55 hours per week average and probably at $150+/hour, we'll just say $150/hour, but you and I both know this is very generous to the client. That's about $1M over the 8 month stint, give or take $50K.

    Let me take a wild stab in the dark and say this is much less than they paid 6 of their normal staff in a year. Considering most idiot companies forgo having a real security person on board until they get hacked up the jacksie, and just ask the normal low-paid admins to "make us secure, guy," I would like to laugh and exclaim, "pay us good now, or pay us more later," only I'm one of the morons using this health company's services prior to the hack in question, so I'm not in that mood. Still, good for those guys billing the living shit out of their client and STILL not instilling trust in them, no matter how hard they try to hide their names; Target, Home Depot, Anthem Health, etc.

    Target cashiers continue to ask me to this day if I want to "save 5% by giving up your personal details to our next hack?" I pay cash and no thanks, asswipes. If you want to help your suckers, er customers, give EVERYONE 5% at the register, dickheads. Fucking corporations and the CEOs who mismanage them. Bugger them.

    1. Anonymous Coward

      Re: How much to hire security gurus these days?

      Agreed, but figure closer to $400/hr for Mandiant IR services, plus T&E costs for 8 months...

  3. Anonymous Coward

    Nice article, that sounds like a lot of fun to do, a bit like a good game of chess.

    I wonder whether it would have been an option, as a security person, to bring your own firewall to a company and maybe block the C&C servers separately, after using said box to do some packet inspection on a known infected machine first? There's probably a reason why not; I'm just thinking aloud.

    1. Crazy Operations Guy

      These were internet-facing boxes, likely being accessed by their customers. They were using many, many C&C servers, so blocking one only meant that they'd pop on over to another seconds later. As for doing packet inspection, a lot of botnets transfer their data over https, and since these are very likely to be active servers, it'd be near impossible to find it. Since the attackers were custom-writing malware, I'd think that they would've disguised the commands to look no different from what that machine normally sees.

  4. Will Godfrey Silver badge
    Unhappy

    That's it! I've decided.

    I don't want to be a big fish in a little pond, nor a little fish in a big pond. I'll stick to being a little fish in a little pond... and hope nobody notices.

    1. Mark 85 Silver badge

      Re: That's it! I've decided.

      A variation then of "keep your head down and wait for the shelling to stop... no point in being a target"? The catch is, everyone is a target. You may not have a red dot on your forehead now, but it's not "if" but "when".

      I do agree with you though... the smaller targets are probably being ignored for the big ones. Let's hope they don't run out of big targets for a bit.

    2. Crazy Operations Guy

      Re: That's it! I've decided.

      There are quite a large number of malicious folk that specifically target the small fish since they won't have dedicated security folk and even if they discovered the compromise, they'd likely just reformat the box and restore from backup rather than investigating and pressing charges. Until then, the attacker has a machine they can use as a C&C server that they can guarantee would have a high uptime.

  5. Anonymous Coward

    Can we get the slide deck or video of this presentation?

    Sounds like very cool cat-and-mouse forensics and defence.


Biting the hand that feeds IT © 1998–2021