NOTE: This blog is being posted on behalf of Alex Cox, Principal Research Analyst on the RSA FirstWatch team. To read more of the FirstWatch team's blogs you can visit their RSA Speaking of Security blog page: http://blogs.rsa.com/author/rsa-first-watch-team/
As is the case in most of these situations, RSA FirstWatch begins analysis of such threats as soon as they are discovered, and this threat is no different.
One of the things the team did regarding PDF exploits was to profile and document the most common methods and techniques for PDF-based exploitation. These techniques were then developed into a FlexParser for the RSA Live (aka NetWitness Live) library.
The good news is that the Adobe Zero-Day uses a common “Open” action when exploiting the target workstation, and our parser detects this forensically on the wire. While this particular action is not always malicious, it’s unusual enough that it’s worthwhile to look for it in your network traffic on a regular basis.
To detect this attack (and others like it, zero-day or otherwise), use the following pivot in Security Analytics, or NetWitness Investigator:
risk.info = "pdf with open action"
...which will be displayed as follows in the RSA Security Analytics “Investigation” view or in NetWitness Investigator:
If we then reconstruct the session we get additional details:
For RSA Live (aka NetWitness Live) customers that want to make sure they have this parser loaded, please look for the following in your RSA Live subscription:
In the name of responsible disclosure, we can’t release additional details on the exploit at this time, but this detection offers a generic way for our customers to inspect suspicious PDFs in lieu of a patch from Adobe and/or additional public indicators.
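For readers who want to see what the parser's “open action” check amounts to, the following is an added example and not the FirstWatch FlexParser itself (that parser's source is not on this page). It scans the raw bytes of a PDF for the /OpenAction and /AA hooks that fire actions automatically, decodes the #xx hex escapes that can hide a name from naive string matching, and emits tags in the style of the risk.info pivot quoted above. The "pdf with open action" tag is the one from the post; the other two tag names, the sample documents, and the function names are assumptions made for this illustration.

```python
import re

# Tag name matches the Security Analytics pivot quoted in the post.
OPEN_ACTION_TAG = "pdf with open action"
JAVASCRIPT_TAG = "pdf with javascript"     # assumed tag name, not from the page
OBJSTM_TAG = "pdf with object streams"     # assumed tag name, not from the page

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Decode hex escapes in PDF name objects so /Open#41ction reads as /OpenAction.

    Any byte of a name token may be written as #xx, which defeats a plain
    substring match; the decoded form is what the reader actually acts on.
    """
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def is_pdf(data: bytes) -> bool:
    """Readers tolerate leading junk, so look for the header in the first 1 KiB."""
    return b"%PDF-" in data[:1024]


def find_auto_actions(data: bytes) -> list:
    """Return the auto-run hooks present: /OpenAction (runs on document open)
    and /AA (additional-actions dictionaries fired by page or field events)."""
    text = normalize_names(data)
    hooks = []
    if re.search(rb"/OpenAction(?![0-9A-Za-z])", text):
        hooks.append("OpenAction")
    if re.search(rb"/AA(?![0-9A-Za-z])", text):
        hooks.append("AA")
    return hooks


def classify_pdf(data: bytes) -> list:
    """Produce risk tags for one PDF body, in the style of the risk.info pivot."""
    if not is_pdf(data):
        return []
    text = normalize_names(data)
    tags = []
    if find_auto_actions(data):
        tags.append(OPEN_ACTION_TAG)
    if re.search(rb"/(JavaScript|JS)(?![0-9A-Za-z])", text):
        tags.append(JAVASCRIPT_TAG)
    # Objects stored inside /ObjStm are compressed, so a plain byte scan cannot
    # see them; flag the file so the analyst knows this verdict is incomplete.
    if re.search(rb"/Type\s*/ObjStm", text):
        tags.append(OBJSTM_TAG)
    return tags


# Constructed sample: a minimal PDF whose catalog runs a JavaScript action on open.
SAMPLE_OPEN_ACTION = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS (app.alert('constructed sample')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample: the same hook with the name escaped as /Open#41ction.
SAMPLE_OBFUSCATED = SAMPLE_OPEN_ACTION.replace(b"/OpenAction", b"/Open#41ction")

# Constructed sample: a plain document with no action hooks at all.
SAMPLE_BENIGN = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, sample in [("open-action", SAMPLE_OPEN_ACTION),
                          ("obfuscated", SAMPLE_OBFUSCATED),
                          ("benign", SAMPLE_BENIGN)]:
        print(f"{label:12s} -> {classify_pdf(sample)}")
```

As the post notes, an open action on its own is not proof of anything malicious, so the tags are meant as pivots for an analyst rather than block verdicts; the object-stream tag exists because a file that hides its catalog inside compressed streams gives this kind of wire-level scan nothing to match, and that absence of evidence should itself be visible.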
- Alex Cox, Principal Research Analyst, RSA FirstWatch