Service Definition
Security Network Anomaly Detection Service
Table of Contents
1 INTRODUCTION (p. 2)
2 SERVICE OFFERINGS – THREAT ANALYTICS (p. 2)
  2.1 SOLUTION PURPOSE (p. 2)
  2.2 HOW IT WORKS (p. 2)
3 INSTALLATION AND CONFIGURATION (p. 4)
  3.1 ENVIRONMENTAL REQUIREMENTS AND INSTALLATION (p. 4)
  3.2 INSTALLATION (p. 4)
  3.3 EASY TO SCALE (p. 5)
  3.4 INITIAL CONFIGURATION (p. 5)
4 THREAT ANALYTICS SERVICE (p. 5)
  4.1 SERVICE LEVEL (p. 5)
  4.2 SYSTEM TUNING (p. 6)
  4.3 THREAT ADVISORY (p. 6)
5 THREAT INVESTIGATION AND REMEDIATION SERVICE [OPTIONAL] (p. 6)
  5.1 PREREQUISITES (p. 6)
  5.2 COVERAGE LIMITATIONS (p. 6)
6 ANALYST DEEP DIVE [OPTIONAL] (p. 6)
7 TECHNICAL SUPPORT AND MONITORING (p. 7)
8 SERVICE EXCLUSIONS (p. 7)
9 PHYSICAL APPLIANCE FAILURE (p. 7)
10 SYNOPTEK’S REMEDIATION RULES OF ENGAGEMENT (p. 7)
11 POINTS OF CONTACT – GENERAL SUPPORT (p. 8)
APPENDIX A (p. 9)
APPENDIX B (p. 16)
1 INTRODUCTION
This Service Definition is subject to all terms and conditions of the Service Order to which it was attached. This Service Definition
describes and contains additional terms that apply to Synoptek’s Security Network Anomaly Detection Service (the “Service”).
The service definitions found herein reflect the Company’s standards at the time the Service Order(s) was issued. The Company
reserves the right to change any particular standard herein to reflect the Company’s current best practices or industry standards,
at its sole discretion, with or without notice.
2 SERVICE OFFERINGS – THREAT ANALYTICS
Synoptek’s Security Services are designed to defend and minimize your attack surface. Our Security Services include threat
detection, investigation, remediation, and reporting. Our Security personnel will continue to advise on ever-changing threats and
recommended actions.
As a network-based solution, Synoptek's Threat Analytics Service couples a physical monitoring device on your network with
Synoptek’s cyber-security staff to iteratively learn your pattern of life for every network, device and individual user, correlating
this information in order to spot subtle deviations that indicate in-progress threats.
Key Features:
• Detection of emerging cyber-attacks using sophisticated self-learning mathematics
• Signature-free probabilistic approaches allow detection of anomalies and abnormal behaviors
• Real-time alerts as threats arise
• Powerful visualization platform enables analysis of internal and external threats
• Network appliance plugs directly into infrastructure and does not require software roll-out
2.1 SOLUTION PURPOSE
Our team of threat analysts continuously analyzes the behavioral statistics to detect threats for our customers. They
quickly hone in on the root cause and severity of detected anomalies, formulate findings into actionable insight and predict
whether any anomalous network behavior is significant enough to cause alarm. Synoptek Threat Analysts can detect anomalies
within customer networks, including previously unknown “zero-days”, and provide visibility of emerging threats. This shortens the
time it takes to contain threats and limits the extremity and cost of an attack when (not if) it occurs.
2.2 HOW IT WORKS
Synoptek utilizes a Cyber Intelligence Platform (CIP), which is a network solution for detecting and investigating emerging cyberattacks that have evaded network border defenses. By applying advanced mathematics to model behaviors in your enterprise,
CIP is an advanced monitoring solution that detects anomalies in your organization’s complex computer and user activities. CIP’s
2017 Synoptek Cloud Assessment Planning – Service Definition
Page | 2
Legal Notice: The information transmitted in this document is intended only for the addressee and may contain confidential and/or privileged material. Any interception,
review, retransmission, dissemination, or other use of, or taking of any action upon this information by persons or entities other than the intended recipient is prohibited
by law and may subject them to criminal or civil liability.
mathematical approaches do not require signatures or rules and so can detect emerging ‘unknown unknown’ attacks that have
not been seen before.
CIP is delivered as an appliance that takes passive feeds of raw network traffic from the centers of your networks. Once
connected, the platform immediately begins using a range of mathematical approaches to create numerous models of behavior
for each individual user, network, and machine. CIP produces Network Anomalies with a computed threat probability.
CIP’s self-learning mathematics initially take 4-6 weeks to become effective and continue to learn on an ongoing basis constantly updating as the organization evolves.
Creating powerful ‘pattern of life’ models of every individual and
device on your network allows CIP to detect even subtle shifts in
data access behaviors, communications or use of technology. This
may indicate that an individual’s credentials have been stolen and
their device compromised, or that a disaffected person is acting
maliciously.
Examples such as network reconnaissance, traversal, unexpected
downloads from unusual internet domains, intranet or file system
cloning, sensitive data logins from a new device and location,
unusual applications and protocols, or a change in pattern of
information uploading are all detectable through mathematical
modeling. These activities may be worthy of investigation if they
represent a significant departure from normal behavior.
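The pattern-of-life idea described above can be made concrete with a very small model. The following is an added example, not Synoptek's or the CIP's own code: it learns, from constructed network metadata for three workstations, which domains and user-agents each device normally uses, then scores later events by how unusual they are both for that device and for its peers. The device names, the domains, the learning-window lengths and the scoring weights are all constructed for illustration; the only value taken from this page is the legacy user-agent string quoted in the sample report in Appendix A. Running it with a short and a longer learning window also shows why early reports have a lower signal-to-noise ratio than later ones.

```python
"""Added example (not Synoptek's or the CIP's own code): a toy "pattern of life"
model that learns which domains and user-agents each device normally uses from
constructed metadata, then scores later events by rarity. Device names, domains,
learning-window lengths and weights are all constructed for illustration."""
from collections import Counter, defaultdict
from dataclasses import dataclass

CORP_UA = "Mozilla/5.0 (corp-standard-build)"  # constructed organisation-wide user-agent
# Unique user-agent quoted in the sample report's incident 1(b)
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"


@dataclass(frozen=True)
class Event:
    day: int       # days since the appliance was connected
    src: str       # internal device
    feature: str   # "domain" or "user_agent"
    value: str


class PatternOfLife:
    """Per-device and organisation-wide frequency models, updated continuously."""

    def __init__(self):
        self.per_device = defaultdict(Counter)  # (src, feature) -> Counter of values
        self.devices_seen = defaultdict(set)    # (feature, value) -> devices that used it

    def learn(self, ev: Event) -> None:
        self.per_device[(ev.src, ev.feature)][ev.value] += 1
        self.devices_seen[(ev.feature, ev.value)].add(ev.src)

    def score(self, ev: Event) -> float:
        """Rarity in [0, 1]: 0 = routine for this device and its peers, 1 = never seen anywhere."""
        # .get() avoids creating keys as a side effect of scoring
        dev_count = self.per_device.get((ev.src, ev.feature), Counter())[ev.value]
        users = self.devices_seen.get((ev.feature, ev.value), set())
        total_devices = len({s for (s, f) in self.per_device if f == ev.feature})
        if total_devices == 0:
            return 1.0  # nothing learned yet: everything looks new
        org_rarity = 1.0 - len(users) / total_devices                       # how few peers share this value
        device_novelty = 1.0 if dev_count == 0 else 1.0 / (1 + dev_count)   # decays as the device repeats it
        return round(0.5 * org_rarity + 0.5 * device_novelty, 3)


def run(events, learning_days, threshold=0.8):
    """Learn silently for `learning_days`, then score every later event before
    learning from it. Returns (day, src, feature, value, score) tuples at or
    above `threshold`."""
    model = PatternOfLife()
    alerts = []
    for ev in sorted(events, key=lambda e: e.day):
        if ev.day > learning_days:
            s = model.score(ev)
            if s >= threshold:
                alerts.append((ev.day, ev.src, ev.feature, ev.value, s))
        model.learn(ev)  # keep learning on an ongoing basis
    return alerts


def constructed_events():
    """Six days of constructed metadata for three workstations."""
    events = []
    for day in range(1, 7):
        for src in ("ws1", "ws2", "ws3"):
            events.append(Event(day, src, "domain", "intranet.example"))
            events.append(Event(day, src, "user_agent", CORP_UA))
        if day >= 3:  # ws2 legitimately starts using an HR system on day 3
            events.append(Event(day, "ws2", "domain", "hr.example"))
    # Day 6: ws1 behaves like the workstation in the sample report
    events.append(Event(6, "ws1", "domain", "rare-download.example"))
    events.append(Event(6, "ws1", "user_agent", LEGACY_UA))
    return events


if __name__ == "__main__":
    for days in (2, 5):
        hits = run(constructed_events(), learning_days=days)
        print(f"learning window {days} days -> {len(hits)} alert(s)")
        for hit in hits:
            print("  ", hit)
```

With a two-day learning window the model raises three alerts, one of them the legitimate HR system that ws2 adopted on day 3; with a five-day window that behaviour has already been learned and only the two genuinely new day-6 events from ws1 score 1.0. Continuing to learn after the initial window is what lets a one-off novelty decay instead of alerting every day.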
3 INSTALLATION AND CONFIGURATION
3.1 ENVIRONMENTAL REQUIREMENTS AND INSTALLATION
CIP consumes raw network traffic, collected by either:
• port spanning your existing network equipment
• inserting/re-using an inline network tap
• accessing any existing repositories of network data
For most customers a single appliance takes up 3U of rack space per physical location.
3.2 INSTALLATION
Synoptek installation can be scheduled to be performed within a 4-hour service window and is non-disruptive to your
systems.
3.3 EASY TO SCALE
A single CIP appliance can take multiple inputs of network traffic and cover up to tens of thousands of individual
machines, depending on peak traffic volumes. Multiple CIP appliances can cluster to cover geographically distributed
networks, eliminating the need to move large volumes of data around your network.
3.4 INITIAL CONFIGURATION
CIP’s self-learning capabilities initially take 4-6 weeks to become effective and continue to learn on an ongoing basis constantly updating as the organization evolves. The first weekly Threat Indication Report will be delivered within 15
business days from the date of installation. Initial reports will have a low signal to noise ratio, or low percentage of actual
versus perceived threat. Ongoing tuning, which is included in the service, will progressively provide improvement in report
data quality.
4 THREAT ANALYTICS SERVICE
Synoptek’s Threat Analysts are experts in defense, intelligence and interpreting suspicious activities around probable
threats. This process includes analyzing traffic entering, leaving, as well as within your network. Threat analysis of this kind
is often like finding a needle in a haystack and requires skills and understanding far beyond the normal abilities of most
network professionals. No automated technology alone can achieve this accuracy, thus our service couples great tools with the
insight of experienced threat analysts.
Our manual threat intelligence service involves analyzing the Network Anomalies from the CIP and investigating the high-
probability anomalies that may be indicative of a threat. For every high-probability anomaly detected, our analysts draw on
their expertise, external sources of intelligence and the context of the network before presenting an informed and
considered explanation of the threats faced. Investigative work is delivered in two ways: a) a comprehensive weekly
Threat Indication Report (see Appendix A) of discovered threats classified and scored in terms of severity (see Appendix
B), in conjunction with recommended actions; and b) notification of incident alerts that are high-probability anomalies
following our P2 SLA.
4.1 SERVICE LEVEL
Synoptek will continuously monitor for threat indicators as presented by the CIP. Threat indicators will be assessed, and
categorized into three levels of severity. The most severe threats are categorized with the moniker “Board Level
Advisory” (BLA), and for those Synoptek will gather and document the necessary context and activity logs required to
build the weekly Threat Indication Reports (See below). See Appendix B for Threat Indicator levels and definitions.
For all Threat Indicators, Synoptek will deliver once-weekly Threat Indication Reports (see Appendix A) providing the
necessary context and activity data required to investigate such threats. Notification will be provided in writing to the
customer’s designated alert contact.
4.2 SYSTEM TUNING
Synoptek is responsible for detecting network anomalies and separating genuinely bad traffic patterns from the far larger
volume of false-positive patterns that show up on our screens hourly. As a result, Synoptek’s interests are aligned with those
of its clients: reducing false positives and increasing the signal-to-noise ratio of potential threats. An initial 4-6 weeks of
tuning are required before the system becomes effective. Ongoing tuning, which is included in the service, will
progressively improve report data quality.
4.3 THREAT ADVISORY
This service includes a monthly recurring information security review meeting. In this meeting, Synoptek will lead a review
of the prior month’s threats, discuss any new threat vectors, and recommend changes to systems or policies. This will
be conducted via a monthly conference call.
5 THREAT INVESTIGATION AND REMEDIATION SERVICE [OPTIONAL]
In this service, Synoptek will open a ticket for each Threat Indicator raised from the Threat Analytics Service. Threat
Indicators of BLA will be opened as a service ticket with an initial priority of P2. All other Threat Indicators will be opened
as a service ticket with an initial priority of P3. Service ticket investigation and remediation work will be performed in
accordance with the Synoptek Managed Services SLA. Service Ticket priority levels may change during the course of
Synoptek’s investigation.
5.1 PREREQUISITES
The Threat Investigation and Remediation Service requires both the Threat Analytics Service and the Core Infrastructure
Management Service.
5.2 COVERAGE LIMITATIONS
This service includes investigation for all Threat Indicators except those categorized as Security Policy Advisory (SPA).
This service includes unlimited remediation as a result of the aforementioned investigations, with the exception that
remediation resulting from BLA Threat Indicators is limited to 4 hours each.
6 ANALYST DEEP DIVE [OPTIONAL]
With this additional service, a Synoptek analyst will spend additional time within your environment. This Synoptek Analyst
will take a deeper look inside the range of anomalous threat indicators and provide richer insight in the weekly
Threat Intelligence Report. This service can double as a means to address incident response, whereby your Synoptek
Analyst can be leveraged to investigate and remediate the greatest of threats facing your organization, as evidenced by
the Network Anomaly Detection Service. Requires the Threat Investigation and Remediation Service (see above).
7 TECHNICAL SUPPORT AND MONITORING
Synoptek will provide support for troubleshooting and resolution for the CIP server, which will be monitored by Synoptek’s
Security Services Team. In addition, a web-based ticketing system is provided to open, track, and correspond on
any support-related issue. All communication will be handled through the Ticket System.
Synoptek will remediate issues related to the CIP server, identified either via monitoring and notification, or those initiated
through contacting the Service Desk. In both cases, a service ticket will be created and prioritized based on severity. The
service desk will attempt to resolve the issue remotely, escalating to level 2, then level 3 engineers as required. If the
issue cannot be resolved remotely, a field technician will be dispatched.
8 SERVICE EXCLUSIONS
Synoptek’s Network Anomaly Security Service is an excellent addition to an organization’s strategy of defense in depth.
Some threats attack users and systems in ways that may not immediately present any detectable network traffic. As a
result, this service alone cannot detect all threats and is best used in conjunction with a SIEM, DNS filter, and other
protective measures. Not all threats create anomalous network activity, and those that do not will not be detected and reported.
Furthermore, this service differs from a threat prevention service in that it is meant to detect the threats that manage to
bypass your other security systems and protective barriers. While this service cannot prevent any intrusion, its utility is in
early detection, investigation, and remediation.
Note that while access to the CIP is limited to Synoptek staff, it may be presented to customer staff in monthly threat
advisories as well as when presenting critical threat information.
9 PHYSICAL APPLIANCE FAILURE
In the event of an appliance failure, the following shall apply:
• If a replacement or software reinstallation is required, Synoptek will assist the customer in restoring their configurations and data from their backups;
• During an installation’s outage it will not be able to monitor the customer’s network for anomalous behaviors and TIRs will not be generated;
• Synoptek’s lead time to provide a replacement is between 24 – 48 hours from verification that a replacement/repair is required; and
• The difference between replacement/repair verification and the replacement appliance delivery is 10 business days.
10 SYNOPTEK’S REMEDIATION RULES OF ENGAGEMENT
Synoptek believes in having clear rules of engagement. Where Synoptek is responsible for remediation of security
incidents, Synoptek will act to remediate in close coordination with Client’s staff and only with Client’s explicit
permission. However, when Synoptek believes that the integrity, confidentiality or availability of client’s data or IT
infrastructure is in immediate jeopardy, Synoptek is authorized to perform Emergency Remediation without awaiting
Client’s permission. Such Emergency Remediation can include turning off user access to services, stopping applications,
or quarantining systems or devices. These Emergency Remediation actions may result in cessation of access of
production systems from Client’s staff and customers.
Examples of incidents requiring Emergency Remediation include, but are not limited to, any of the following:
• Device(s) are found to have Backdoor(s) installed;
• Device(s) are found to be included in a botnet or are considered to be a bot;
• Device(s) are detected and confirmed as having been compromised through some technical means and require offline remediation;
• Device(s) are found to have malware installed but native Anti-Virus is unable to remove the infection; or
• Device(s) are found to have been infected by a rootkit;
• User account credentials are compromised.
11 POINTS OF CONTACT – GENERAL SUPPORT
Email: [email protected]
Telephone: +44 0808 189 3465
APPENDIX A
Sample Threat Intelligence Report
COMMERCIAL IN CONFIDENCE. NOT TO BE DISTRIBUTED EXCEPT TO THE LISTED RECIPIENTS.
Threat Intelligence Report
Prepared For: Holdings Inc. CIO
Report Reference: HLDG-2014-10-31
Synoptek Analyst: John Smith, Synoptek Threat Analyst
Period Covered: October 29, 2016
Executive Summary
The Cyber Intelligence Platform (CIP) detected multiple anomalous behaviors within the Holdings Inc. network
over this reporting period.
Synoptek has observed a number of highly suspicious behaviors from a single
workstation in the Holdings Inc. head office. The behaviors, when combined, bear
strong similarity to a remote adversary actively controlling the workstation as a pivot
point to push additional malicious files into the business, to run encrypted tunnels inside
the Holdings Inc. network and to login, at will, to other vulnerable devices and data
stores internally. This is a significant incident that we recommend be investigated
immediately; whilst the workstation could belong to a systems administrator, it should
still be forensically reviewed to check that the workstation is not compromised.
The CIP also observed activity relating to alternative currency trading, where a Holdings
Inc. machine regularly carried out Bitcoin ‘mining’, a method whereby in exchange for
alternative currencies, the computer gives away its processing power to a third party.
Synoptek alerted on this activity due to the detection of an unusual application protocol.
Other communications observed from this device, when correlated with this, strongly
suggest the machine may have been enrolled into a botnet where a cyber-attacker
controls a number of other computers. There is a clear risk to the enterprise if a
Holdings Inc. computer is indeed under the control of a cyber-attacker, and Holdings
Inc. should investigate as a priority in order to clear what may be a serious infection.
Finally, five Holdings Inc. devices have been detected connecting to rare sites that most
likely form part of a wider campaign, and downloading a piece of malware designed to
install further malicious components and browser extensions onto the target machine.
Synoptek observed follow-on network communication that strongly suggests the
malware installed successfully and avoided anti-virus detection on the internal machine.
The CIP detected some of the devices requesting to download suspicious software from
two websites: one of these pieces of software is able to track the user’s mouse clicks,
while the other is capable of stealing information about browsing activity and history.
This may represent a serious threat to corporate data and user privacy, and should be
looked into further.
Incident Summary
1. Holdings Inc. client device observed triggering a number of significantly suspect behaviors. This device is possibly
compromised and under external control, or is possibly being used by Holdings Inc. as a systems administration/security
research device (in this case, it may still be compromised).
2. Synoptek detected the ‘Clevermining’ BitCoin protocol employed on a Holdings Inc. client machine. The activity may have
been user-initiated, but the client may have been compromised and enrolled into a botnet. This is a significant security
incident and should be investigated as a priority. Synoptek also detected additional peer-to-peer communications from this
device. The combination of the two events warrants further investigation as it is likely the device is conducting mining as
part of botnet tasking.
3. Synoptek detected connections to hostnames which have been rarely accessed from the Holdings Inc. network. Further
investigation revealed that a large number of Holdings Inc. hosts have downloaded a malicious Google Chrome installer
which installs a cocktail of malware, adware and spyware. There are strong indications that this malware has been
successfully installed on multiple hosts and Synoptek recommends further investigation to ensure the threat can be
eradicated from within the Holdings Inc. network. As the malware downloads and installs multiple other components,
additional malware might be running on the Holdings Inc. network over time.
Incident Details
1. Holdings Inc. device hosted on IP 10.254.1.124 is exhibiting a number of behaviors that suggest it is likely compromised.
We recommend security personnel conduct follow-up investigation, including host-based checks to understand why
these communications have occurred. If there is no obvious business requirement for the behaviors, then we
recommend that the device be isolated from all networks as soon as is practical.
a. 2014-10-25 12:22
Synoptek observed a suspicious download of Java from a domain that has only been in existence since August 14
2015.
Source IP: 10.254.1.124
Source port: 57827
HTTP request: xxx.xxx[.]com/dmgris/JavaPlatformSESetup-20722211.exe
The Holdings Inc. border defense proxy subsequently allowed this file to be downloaded.
The domain xxx.xxx[.]com was registered via a privacy protection service operating out of
Panama. Security researchers have previously identified this domain serving malware and other
potentially unwanted programs.
b. Approximately 2 minutes later (2015-10-25 between 12:24:03 and 12:24:14) a unique user-agent string was used
to access file download sites from the same Holdings Inc. device (IP 10.254.1.124).
User-Agent string:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
No other Holdings Inc. clients have used this user-agent before or since, and all related communications
from the probably infected Holdings Inc. client were with file download sites of dubious reputation.
c. Four days later, 2014-10-29 08:48, DCIP detects the device on Holdings Inc. IP 10.254.1.124 port scanning
10.254.1.153. The CIP has also detected port scans against other devices in the subnet from this IP. As
an example, from PCAP analysis, UDP scans are being performed by presenting a RADIUS packet to an
IP/PORT combination looking for a response back from a listening service.
Review of the device’s behavior within the CIP reveals it has been observed probing and using
common ports often used to facilitate lateral movement within an internal network, i.e. internal
Remote Desktop Protocol and SSH ports.
d. The CIP highlights SSH sessions from the same Holdings Inc. workstation to the following internal clients over five
days:
• 10.254.4.54:22
• 10.254.4.46:22
• 10.254.4.51:22
• 10.254.4.39:22
e. Furthermore, the device was observed establishing remote desktop (RDP) connections into the Holdings Inc. Web
Proxy on IP 10.16.11.130:3389. Some of these were sizeable sessions. There was also RDP to other
devices in the Holdings Inc. network.
f. Finally, Synoptek reports that the user credential used to log into the presumed compromised box is normally
john.smith. During the reporting period this credential has been presented to the Holdings Inc. Active Directory
authorization platform more than any other across the enterprise.
2. Synoptek detected daily Bitcoin mining activity on a Holdings Inc. client machine. An example of the traffic can be seen
below:
2015-10-30
10.150.116.234:63603 connected over TCP using the STRATUM protocol to xxx.com hosted on
xx.xx.xx.xx:3333. This particular session lasted for just under an hour.
The activity occurs daily and Holdings Inc. security personnel may wish to understand how and when this activity
started, and in particular if this Holdings Inc. device has been enrolled into a botnet or if the mining activity was
being conducted by the user themselves.
3. 2015-08-28 19:24:31 UTC
Holdings Inc. host 10.1.70.23 · 10:bf:48:xx:xx:xx downloaded malware from rare domain hxxp://kyle.xxx[.]com.
The malware is a fake Chrome installer, which installs a cocktail of malware / spyware and unwanted applications
onto the machine.
Request:
hxxp://kyle.xxx[.]com/jRIEp5psT3NB1mysuwzdjtby7JBoGkgHenNSqd8OG6w6z9hXvTgZOTJu0r4IOwklNfJmfNBNFw0nSIMaZEJahC1tL1E94nuL8R9N9qVX-FwHjzqa7vdG202cFC6hmm61
Further investigation into this request identifies similar downloads from five Holdings Inc. hosts within the past two
weeks:
Date Time UTC        Host                              Request
2015-10-24 19:24:30  10.1.70.23 · 10:bf:48:xx:xx:xx    kyle.xxx[.]com/jRIEp5psT3NB1mysuwzdjtby7JBoGkgHenNSqd8OG6w6z9hXvTgZOTJu0r4IOwklNfJmfNBNFw0nSIMaZEJahC1tL1E94nuL8R9N9qVXFwHjzqa7vdG202cFC6hmm61
2015-10-25 22:17:35  10.1.60.118 · f4:6d:04:xx:xx:xx   kyle.xxx[.]com/[LongRandomData]
2015-10-26 06:46:19  10.1.70.49 · bc:ee:7b:xx:xx:xx    kyle.xxx[.]com/NlDvgEwEJsN58U7wWxxo6EQF5put09bX2BfLN9n7m0fQHObdjcTQsG1hkWUcARjS4HZ03ueaWt06Nwilkv5bh4J0UF6j9HsY3gdiGMJzJdv5381rMJWt25J0y1Esr1
2015-10-27 06:32:40  10.1.70.120 · d8:50:e6:xx:xx:xx   kyle.xxx[.]com/FZyL62UtvuE0a62Vbafve5IdwGZ7iLr556NIkYgbrgsH6zNqarrXhdVjwC_UFjFNebEck_6AwfdmD6Ncrjs9oeocLotVcMwZ6bgU2cufrS9sA2FHtpKehn_PIlPxcB
2015-10-28 12:59:45  10.1.70.227 · 00:1f:e2:xx:xx:xx   kyle.xxx[.]com/pNQdJq6GuwUPGguzGRCB1kD6dp1ztzjkWkB2WlDbMRczhHxQlmqMIqF6YBPs6bX3ksYOfledoxSDfpqQHo4jLsxs820S7mbx9rVs9u-bA0r1scMsgdauzTfRgR5dWLK
Research into these downloads indicates that successful installations connect back to a number of adware, malware
and toolbar domains and download additional payloads. These connections have also been identified from a
range of Holdings Inc. hosts.
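The sample report's first incident is an example of correlation: a port scan, SSH fan-out and RDP sessions from one workstation are individually explainable but together warrant the top severity tier. The following added example, which is not Synoptek's or the CIP's own code, runs three simple detectors over constructed flow records and escalates a host only when independent indicators coincide. The flow records are constructed; the internal addresses and ports are those quoted in incidents 1 and 2 above, the external address is a documentation-range placeholder, the thresholds are assumed defaults, and the two severity tiers are a simplification of Appendix B, which is not reproduced on this page.

```python
"""Added example (not Synoptek's or the CIP's own code): correlate independent
network indicators from one source host into a single severity tier, in the
spirit of incident 1 (port scan plus SSH/RDP fan-out) and incident 2 (mining
pool port) in the sample report. Flow records, thresholds and the two-tier
severity scheme are constructed for illustration."""
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_PORTS = {22, 3389}   # SSH and RDP, the lateral-movement ports named in incident 1(c)-(e)
MINING_PORT = 3333         # Stratum pool port seen in incident 2


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_indicators(flows, scan_ports=20, lateral_hosts=3):
    """Return {src: set(categories)} for hosts that trip at least one detector.
    Thresholds are constructed defaults, not the CIP's."""
    ports_per_pair = defaultdict(set)   # (src, dst) -> distinct destination ports
    admin_targets = defaultdict(set)    # src -> internal hosts reached on SSH/RDP
    indicators = defaultdict(set)
    for f in flows:
        ports_per_pair[(f["src"], f["dst"])].add(f["dport"])
        if f["dport"] in ADMIN_PORTS and is_internal(f["dst"]):
            admin_targets[f["src"]].add(f["dst"])
        if f["proto"] == "tcp" and f["dport"] == MINING_PORT and not is_internal(f["dst"]):
            indicators[f["src"]].add("mining_pool_port")
    for (src, _dst), ports in ports_per_pair.items():
        if len(ports) >= scan_ports:            # many ports on one target: scan-like
            indicators[src].add("port_scan")
    for src, targets in admin_targets.items():
        if len(targets) >= lateral_hosts:       # admin protocols to several hosts: lateral fan-out
            indicators[src].add("lateral_admin_fanout")
    return dict(indicators)


def triage(indicators):
    """Two or more independent categories from one host escalate to the top tier
    (a simplification of the three-level scheme in Appendix B)."""
    return {
        src: ("Board Level Advisory" if len(cats) >= 2 else "Threat Indicator", sorted(cats))
        for src, cats in indicators.items()
    }


def constructed_flows():
    """Constructed flow records modelled on incidents 1 and 2 plus one benign admin host."""
    flows = []
    suspect = "10.254.1.124"
    for port in range(1024, 1054):   # 30 UDP probes against one neighbour, as in 1(c)
        flows.append({"src": suspect, "dst": "10.254.1.153", "dport": port, "proto": "udp"})
    for host in ("10.254.4.54", "10.254.4.46", "10.254.4.51", "10.254.4.39"):   # SSH targets from 1(d)
        flows.append({"src": suspect, "dst": host, "dport": 22, "proto": "tcp"})
    flows.append({"src": suspect, "dst": "10.16.11.130", "dport": 3389, "proto": "tcp"})  # RDP to proxy, 1(e)
    # Second host talks to an external pool port; 203.0.113.10 is a documentation address, not the report's
    flows.append({"src": "10.150.116.234", "dst": "203.0.113.10", "dport": MINING_PORT, "proto": "tcp"})
    # Benign admin workstation: one SSH session, one web request to the proxy
    flows.append({"src": "10.254.4.10", "dst": "10.254.4.54", "dport": 22, "proto": "tcp"})
    flows.append({"src": "10.254.4.10", "dst": "10.16.11.130", "dport": 8080, "proto": "tcp"})
    return flows


if __name__ == "__main__":
    for src, (level, cats) in triage(find_indicators(constructed_flows())).items():
        print(f"{src}: {level} ({', '.join(cats)})")
```

The suspect workstation trips both the scan and the fan-out detectors and is escalated; the mining host trips one and stays a plain Threat Indicator; the admin workstation with a single SSH session never appears. Keeping the detectors independent and correlating only at triage time is what keeps a single legitimate administrator from being escalated on one behaviour alone.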
APPENDIX B
Threat Indicator Levels and Definitions