The document discusses lessons learned from a cyber attack on IDT Corporation. It describes how the attackers were able to exploit vulnerabilities like missing patches and disabled firewalls to gain access and steal credentials. This attack highlighted the need for greater visibility, detection, and automated response capabilities. The document contrasts the slow, manual incident response process with a new approach using security automation and tight integration between tools to enable investigation and containment in seconds rather than hours or days.

1. SECURE OPERATIONS IN
THE CLOUD
LESSONS LEARNED FROM AN ATTACK THE WORLD WAS NOT READY FOR
Golan Ben-Oni, CIO
IDT Corporation

2. QUOTE FROM OUR SAGES
• “Every single thing that a person sees or hears, is an instruction …” -Ba’al
Shemtov

3. WHO IS IDT?
FOUNDED
1990
EMPLOYEES
1400
INDUSTRY
Telecom
OPERATIONS
20 countries
IDT corporation (NYSE: IDT) is a
multinational conglomerate
headquartered in Newark, New Jersey with
operations primarily in the following
industries:
• Telecommunications
• Energy and Oil
• Banking and Finance
• Media and Entertainment
• Pharmaceuticals
• Education

4. THE SECURITY CHALLENGE
• Security is becoming increasingly challenging as new threat actors
emerge and increase in numbers. The number of successful attacks
against organizations have increased, despite an increase in spending.
• Customer Data is being leaked, Scripts and Television Series are being
stolen, and Intellectual Property is walking out of open windows.
• Recent attacks has caused immense damage and the challenges are
great.
• We are told: “Just keep us out of the New York Times …”

5. PRIMARY REASONS FOR WHERE WE ARE TODAY
• Increase in sophistication of attacks – including the release of state sponsored tools into the open
market.
• Costs of attack vs. defense
• Lack of Security Subject Matter Experts
• Poorly integrated components of the environment
• Lack of Visibility and Poor Response Times

6. IS WHAT WE’VE BEEN TOLD TO DO REALLY WORKING?
• Security Hygiene:
• Keeping Software Up-To-Date
• Following Best Practices
• Keeping Users informed about Safe Browsing
• “It must be User Error…”
• People are the weakest link
• Keeping users informed and properly trained
• (Demand that we turn every employee into
Security Subject Matter Experts)

7. CHALLENGES IN SECURITY
• In order to meet the demand of strong defenses, we met with and discussed the challenge with the N.S.A.
who simply recommended “deploy three of everything…”
• We spent years evaluating, deploying, and testing security technologies – summarizing findings, efficacy rates,
false positives between vendors.
• In 2013, we realized that although we addressed an important visibility gap, we had not yet addressed an
important need around orchestration and automation.
• On average, it was taking us between 30-45 minutes to address important alerts that were arriving into our
Security Operations Center.
• At the same time, the Verizon Breach Report began identifying that breaches of customer data were occurring
in a moments time, with over 40% occurring in minutes.
• The standard approach of human-action oriented response was a bit like bringing a knife to a gunfight –
attackers began utilizing automation themselves and we were too slow to respond.

8. THE ILLUSIVE SILVER BULLET
• With hundreds of new security startups appearing regularly, there still is no silver bullet in security.
• Deploying a layered defense and following best practices is important to do, but sometimes you can do
everything you believe is correct, and still have a security breach.
• Attackers will find the weakest link in your environment and enter there.
• What is most important here is to be in a regular cycle of improvement and learning.

9. WALK THROUGH THE EVENTS OF APRIL 29TH, 2017.
• Attackers researched and cased the background of a contractor via social networks, determining who
they were, what they did, and their working hours.
• Reverse Engineered NSA Exploit Tools that were released just a couple weeks earlier.
• Attack took place during the one day the contractor did not work (a Saturday).
• For the attack to have been successful, several issues needed to have been present:
• Firewall , including local host firewall was DISABLED.
• Found a system that was missing MS17-010 a critical Microsoft Patch that would have prevented the use of NSA
Tools DOUBLE-PULSAR and ETERNAL BLUE.
• In-Memory process level injection attack that leveraged FILELESS Malware – standard AV did not detect this.

10. STAGES OF ATTACK
• Disabling of Firewall leveraging an previously unknown exploit of the users Cable Modem
• Unauthenticated remote access to local system leveraging NSA exploit tool - ETERNAL BLUE.
• Process injection into LSASS.EXE (a protected Windows Process responsible for user session and
authentication).
• Injection Communicated with C&C and downloaded Credential Theft Module which stole credentials from the
Windows Environment and Web Browsers
• Attempt to move laterally (since VPN was down at the time, this was not possible).
• Ransomware Encryption (file-less variant based on CRY-128) in order to cover tracks.

11. THE 4 STAGES OF THE ATTACK
3
Lateral Movement attempts
(using Credentials: This can
impact even patched
systems, as it did in Petya /
NotPetya)
2
Credential Theft
(Browser History, Browser
Credentials and Windows
Credentials)
1
Exploitation and
Injection using
Eternal Blue /
Double Pulsar
4
Ransomware
(All else fails, cover
tracks)

12. VISIBILITY
• Here, visibility of the attack was critical. IDT leveraged an
EDR tool, which we have deployed throughout our
environment, both at Amazon and within the Enterprise.
• EDR records all events on the endpoints, including file
activity changes, network connections, registry
modifications, process injection, and authentication
activity.
• It is critical to record events because we can never be
certain that our defenses will be 100% effective
• We don’t know ahead of time what will become
important for analysis, and future defense so we record
all events.
• History is streamed live into a Hardened Amazon instance
for analytics and secure offline storage.

13. MINIMIZING THE RISK
• Record Everything on the Endpoints
• Understand Attack Patterns and Methods
• Improve Detection, Prevention and Response
• Create alerts for exploits and behaviors (including NSA exploit tools)
• Immediate Isolation of impacted hosts (real-time)

14. UNDERSTANDING THE DATA
• IDT worked with over a several dozen researchers before coming to a deep understanding of the activity
that took place.
• IDT understood that this activity was one of the first hit with this attack and most of the IP addresses
involved in the attack were not yet registered on any threat intelligence feed after speaking to dozens
more.
• IDT shared the information of the attack directly with its Security Vendors and Service Providers in order
to bring additional visibility to the issue.
• IDT felt that this method of attack would become wide-spread, and in short order, WannaCry, Petya and
Not-Petya variants leveraged similar tools and capabilities throughout the world.

15. CLOUD SECURITY; HOW IT IS DIFFERENT – BETTER
• Software Defined Networking and Software Defined Security – allows you to effect changes in the
environment within seconds via API Integrations, Orchestration and Automation.
• Configuration Auditing Tools that examine configurations directly.
• Cloud Security vendors keep software updated for you, lowering requirements around management
and software update lifecycles.

16. WHAT WAS LIFE LIKE PRIOR TO SECURITY
AUTOMATION?
• SIEM Correlation - Minutes
• Initiate investigation - Minutes
• Contain - Minutes
• Search, Investigate, Pivot – Minutes / Hours
• Building context - Minutes / Hours
• Triage - Minutes / Hours / Days
• Remediation - Minutes / Hours / Days
• Reports and Auditing – Hours / Days
• Learns from Events / Incident and Improves Logic - Hours / Days

17. FOLLOWING TIGHT INTEGRATION USING AUTOMATION
• Initiate automated investigation from alert received – Seconds
(Splunk + WildFire)
• Automatic Containment – Seconds
(Hexadite + Palo Alto + AWS)
• Automated Search, Investigate, Pivot – Seconds / Minutes
(Splunk Splunk and Splunk again)
• Automated Building of context - Seconds / Minutes
(Hexadite + Secdo + Splunk)
• Automated Triage - Seconds / Minutes
(Splunk + Hexadite )
• Automated Remediation – Seconds
(Hexadite + Splunk + Palo Alto + Secdo + AWS)
• Automated Reports generation and full audit trail – Seconds
(Hexadite + Splunk)
• Automated Iterative Improvement from prior Events / Incident and Improves Logic - Seconds
(Hexadite)

18. TRADITIONAL VS. AUTOMATED IR
Traditional IR
Automated IR
Min. Hr. Hr. or Days
Sec. Min. Sec.
Mean Time to Initiate
Mean Time to Validate
Mean Time to Contain

19. TRADITIONAL (MANUAL) IR Total Time
9 Hours
WildFire Alert
Received in SIEM
Locate the
Downloaded File
Analyze Suspicious
Host’s Processes
Analyze Persistency
Methods
10 Min. 32 Min. 3.5 Hr. 8.0 Hr.
14 Min. 1.2 Hr. +Days
Follow Leads
Isolate Suspicious
Host Manually
Find Evidence for
File Execution
Initiate Forensics
Imaging
2 Hr.
2.3 Hr.
Analyze Splunk
for Network Activity
7.0 Hr.
Analyze Recently
Created Files
8.5 Hr.
Analyze Drivers
And Services
Generate
Leads
9.0 Hr.

20. Total Time
1.5 Minutes
Splunk Receives
WILDFIRE Alert
Search Host for Malicious
Activity
Collect Open Connections
Generate
Leads
Analyze All Running
Processes
Analyze Installed Services
and Drivers
Analyze Recently
Created Files
Analyze Persistency Methods
Analyze Network Logs
Analyze Authentication Logs
1 Sec.
18 Sec.
49 Sec.
1.5 Min.
7 Sec.
24 Sec.
+Min.
Follow Leads
Isolate Suspicious
Host with Palo Alto App
Terminate
Process
1.3 Min.
Alert User about his Host
being Investigated
Analyze WildFire Behavioral
Report via WF API
Search Behavioral Report
within Suspicious Host
Quarantine
Files
Collect Running Processes
Collect Recently Created Files
Collect Persistency Methods
Collect Authentication Logs
Collect Network Logs
Automated IR

21. TAKEAWAYS
• Visibility and Speed to Resolution is Key
• Security Automation is Achievable
• Automation is the only way we can stay ahead of the emerging threat landscape