Download DRAFT DRAFT DRAFT Terremark Worldwide (NASDAQ:TMRK) is a

DRAFT DRAFT DRAFT
Terremark Worldwide (NASDAQ:TMRK) is a provider of IT infrastructure services with
datacenters in the United States, Europe and Latin America. These datacenters are
networked from more than 160 global communication and internet carriers, allowing
Terremark to deliver to its clients (government, enterprise and Web 2.0 customers) a
comprehensive suite of managed IT solutions. These solutions including managed
hosting, co-location, network and security services. Terremark Secure Information
Services team (SiS) specializes in computer incident response and information security
consulting services for complex, large-scale, globally dispersed enterprises. .
Investigative Conclusions:
Terremark Secure Information Services (SIS) was retained by QinetiQ North America
(QNA) as an independent third party to examine Cyveillance’s (a wholly owned
subsidiary of QNA) systems and networks to determine if Cyveillance had been or is
currently compromised. If indicators of compromise were discovered, Terremark would
support Cyveillance and QNA with a full-scale incident response. The strategic approach
for the examination centered on network traffic evaluation to determine compromised
hosts. Equipment sent to Cyveillance continuously was collecting and monitoring the
network traffic, in fine-gain detail, by capturing the full details of each packet entering or
leaving the Cyveillance network.. Terremark SiS began not only the monitoring and
collecting of the network traffic but analysis of the packets captured starting on 22 July
2010 and completed on 10 August 2010. Traffic flows and the full packet captures have
been preserved as evidence to support our investigative findings and conclusions. Based
on the evidence collected and analyzed no hard factual data of Cyveillance being
compromised of could be identified by either our “live” traffic monitoring or the our
forensic review of the firewall logs
Background and Investigative Summary:
QNA was approached by several government agencies that had a concern that traffic seen
coming from the Cyveillance network was indicative of a potential compromise.
Subsequently Terremark was asked to provide an expert opinion in the form of an
‘intelligence risk assessment’ regarding the potential of a compromise at Cyveillance. If
such a compromise was discovered than Terremark would not only respond to the
incident but provide a detailed analysis on the threat, persistence mechanisms, and
capabilities, commonly referred to in cyber security terms as an Advanced Persistent
Threat (APT).
QNA was given information by the government agencies, who then passed that
information to Terremark. This technical information was a list of summarized network
traffic and became the starting point for Terremark’s investigation. The government
provided information list contained38 host representing the systems which the
government was concerned might have been potentially compromised and
communicating to unidentified internet hosts over a period of several months. The
government inquiry list was used to search Cyveillance logs for matched records. All
Terremark analysis was performed with a defined contextual consideration of needing to
contrast systems, their functions, what the government provided list indicated against
how Cyveillance interacts with malware, malicious sites, and as legitimate business
objectives. In support of the independent investigation, Cyveillance supplied Terremark
with network diagrams, description of services, assisted with onsite operational support
(e.g. connecting the equipment to the appropriate networks). Cyveillance also provided
access to a third party log aggregation service, SecureWorks.
Terremark compared the Cyveillance firewall and Intrusion Detection logs (hosted at
SecureWorks) with the government inquiry list to locate any matches as well as
determine the following:
 No exact matches were found.
 Based on time only, a single IP address consistently matched the
government list. However, none of the Cyveillance IP addresses matched.
Based on other factors, the IP address appears to be legitimate traffic from
authorized business processes and was provided to QNA for confirmation.
Several advanced analysis techniques were used to reduce the massive amount of traffic
data in a process known as ‘data reduction'. The ‘data reduction’ process removes as
much of the legitimate traffic, in as large a group as possible, using time, size, and pattern
matching. What remains after data reduction is usually suspect, however in the case of
Cyveillance the number of external hosts after data reduction were still in the thousands.
Terremark SiS went on to develop a set of criteria of what would be required for a largescale intrusion consisting of 28 or more compromised hosts and what would those
indicators look like. These indicators allow for the creation of additional different data
reduction techniques. Even with these additional steps, the government provided report
shows only a limited amount of sanitized detail which makes an exact match exceedingly
difficult. Even still some of the key data points that were continued to be examined were:
Excessive internal to external communications.
Traffic details indicating type, duration, and size.
. After monitoring, collecting, reviewing historic firewall and IDS logs, no information,
that we could identify, would explain the commonality or partial matching, except the
government inquiry list has the right time but wrong IP addresses or simply coincidence.
The matching IP addresses appear to be related to approved and authorized business
process activity known as “crawling” and therefore most likely a false positive. However
this finding requires additional confirmation that Terremark was unable to provide due to
time constraints.
This advanced analysis supports the live traffic analysis as well rudimentary firewall and
IDS log review to again conclude no hard evidence of compromise was able to be
determined within the time frame of the investigation. Only systems at Cyveillance that
were compromised were the following:
1. Cyveillance annalist’s systems that are highly prone to malware exposure
2. other systems intended to be compromised for either malware analysis
systems in the isolated Security Lab, which attempts to lure all threats including attacks
consistent with an APT.
In the absence of a detected large-scale threat and subsequent threat characterization,
Terremark provided recommendations for QNA’s consideration, all of which have the
goal of rapidly detecting suspect traffic and better network audits. The recommendations
include additional tools and techniques for greater assurance through full packets
captures and audit data known as ‘flow'. The use of such tools would endow Cyveillance
with the ability to inspect traffic against any future claim of compromise.