Detecting techniques in the Orangeworm attack group
You work in a hospital that uses outdated and insecure technology. Despite how vocal you've been about the need to upgrade, your hospital uses older operating systems and often neglects to patch computers. You are concerned about the attack group Orangeworm stealing patient information to sell on the black market or to engage in corporate espionage. You are also concerned that the group will infect your network computers and use malware to control medical devices, such as MRI and X-ray machines.
Data required
- Endpoint data
- Microsoft: Windows event and security logs
- System log data
How to use Splunk software for this use case
Next steps
To maximize their benefit, the how-to articles linked in the previous section likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case:
- Ingesting command-line arguments from endpoint detection and response (EDR) technologies
- Having an incident response template or automation setup for quarantining a machine as quickly as possible to avoid lateral movement
Measuring impact and benefit is critical to assessing the value of security operations. The following are example metrics that can be useful to monitor when implementing this use case:
- Changes in execution patterns: In a typical environment, most of the endpoint processes these detections cover keep a stable execution pattern: the same parent process launches them, from the same path, with similar command-line arguments. When reviewing detection results, analysts should investigate the parent process that originated the execution and compare it with what is normally observed for that child process.
- Unseen processes: A parent process that should not be launching other programs, such as a Microsoft Office application (WINWORD.EXE or POWERPNT.EXE), or a process that has never been observed in the environment before, is a common indicator of malicious activity.
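The two metrics above can be tracked with a simple baseline-and-compare check over process-creation telemetry. The following is an added example written for this page, not code from Splunk or from the original article: it assumes Sysmon-style process-creation fields (`parent_image`, `image`, `host`), builds a baseline of known child processes and known parent-to-child pairs from a historical window, and then flags new events whose parent is an Office application, whose child process has never been seen, or whose parent-to-child pair is new for an otherwise known process. The host names, paths and the `updatesvc.exe` binary in the sample events are constructed for illustration.

```python
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# Constructed, Sysmon-style process-creation records. Host names, paths and
# the "updatesvc.exe" binary are hypothetical; this is not real telemetry.
BASELINE_EVENTS = [
    {"host": "ws01", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "ws01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"host": "ws02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws02", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe"},
]

NEW_EVENTS = [
    # Normal: same parent->child pair as the baseline.
    {"host": "ws01", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe"},
    # Office application spawning a shell: both an Office parent and a new pattern.
    {"host": "ws01", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe"},
    # Known child (cmd.exe) launched by a parent never seen launching it before.
    {"host": "ws02", "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    # Child binary never observed in the baseline at all.
    {"host": "ws02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\nurse\AppData\Local\Temp\updatesvc.exe"},
]

# Office binaries that should not normally be spawning other programs.
OFFICE_PARENTS = {"winword.exe", "powerpnt.exe", "excel.exe", "outlook.exe"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path; paths are compared by name only."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_baseline(events: Iterable[Dict[str, str]]) -> Tuple[Set[str], Set[Tuple[str, str]]]:
    """Return the set of known child process names and known (parent, child) pairs."""
    children: Set[str] = set()
    pairs: Set[Tuple[str, str]] = set()
    for e in events:
        parent, child = basename(e["parent_image"]), basename(e["image"])
        children.add(child)
        pairs.add((parent, child))
    return children, pairs


def detect(events: Iterable[Dict[str, str]],
           known_children: Set[str],
           known_pairs: Set[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Flag events that match either metric; each alert lists every reason that fired."""
    alerts: List[Dict[str, object]] = []
    for e in events:
        parent, child = basename(e["parent_image"]), basename(e["image"])
        reasons: List[str] = []
        if parent in OFFICE_PARENTS:
            reasons.append("office_parent")
        if child not in known_children:
            # Never-before-seen binary: the "unseen processes" metric.
            reasons.append("unseen_process")
        elif (parent, child) not in known_pairs:
            # Known binary, but launched by a parent that never launched it in the
            # baseline: the "changes in execution patterns" metric.
            reasons.append("new_execution_pattern")
        if reasons:
            alerts.append({"host": e["host"], "parent": parent,
                           "child": child, "reasons": reasons})
    return alerts


def metric_counts(alerts: Iterable[Dict[str, object]]) -> Counter:
    """Per-reason counts, suitable for trending the metrics over time."""
    counts: Counter = Counter()
    for a in alerts:
        counts.update(a["reasons"])  # type: ignore[arg-type]
    return counts


if __name__ == "__main__":
    known_children, known_pairs = build_baseline(BASELINE_EVENTS)
    for alert in detect(NEW_EVENTS, known_children, known_pairs):
        print(f"{alert['host']}: {alert['parent']} -> {alert['child']} "
              f"[{', '.join(alert['reasons'])}]")
    print(dict(metric_counts(detect(NEW_EVENTS, known_children, known_pairs))))
```

In production the baseline window should be long enough (typically weeks) to cover periodic jobs, and the comparison should include the command-line arguments ingested from the EDR, since a known binary launched with unusual arguments is as interesting as an unknown parent.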