For the general public, Orange is best known for its fixed and mobile Internet access offers. But the telecom operator also has a more discreet entity whose mission is to hunt down and fight the most sophisticated hacker groups on the planet, on behalf of companies. Called Orange Cyberdefense, this division organizes the protection of its customers from the heights of La Défense, in a building of 6800 m2. It was inaugurated at the end of 2017 and brings together hundreds of cybersecurity experts in a series of alert and response centers (CERT), security operation centers (SOC). Engineers working in the field and monitoring networks 24/7. Orange
– The new building of the Cyberdefense division But the most surprising department of this little cyberarmée is certainly the “Laboratory of Epidemiology and Signal Intelligence” (LESI), an entity at the forefront of this fight against hackers and that 01net.com has could visit. Its mission: to identify the digital traces that the different groups of pirates have the habit to leave during their intrusions. In the jargon of computer security, this is called “compromise and monitoring indicators”.
Thanks to them, the security experts in the field will be able to detect the presence of cybercriminals and, above all, go back to the source of the infection. This is called the “patient zero”, the first machine that the attacker hacked, his gateway into the target organization. If we do not know it, it will be difficult to restore a perfectly healthy environment. “We provide our technical indicators to the engineers who will correlate them with the logs and network traffic of their client. If matches are proven, it’s probably because he has an attack. ” explains Marc Blanchard, a profiler and cyber-strategist at LESI.
– Marc Blanchard, profiler and cyber-strategist at Orange Cyberdefense The fruits of this laboratory’s research are disseminated several times a week in the form of bulletins called “Pulse”. They contain all sorts of information: cryptographic fingerprints of malicious files, malware signatures, command and control (C & C) server IP addresses, character strings, function calls, encryption keys, and so on. In short, all that can be related to the tools and the modes of operation used by the pirates. These data are then compared with those reported by the various computer equipment and networks: firewalls, proxies, detection probes, servers, routers, switches, etc.
The more accurate and “profiled” the indicators provided, the better the detection will be because the correlation with logs and network traffic will generate fewer false positives. For SOC engineers, this means less time wasted in unnecessary checks. When an organization is suddenly the victim of a cyberattack, it is of paramount importance because every minute counts.
“Incubators” to analyze the samples
But how are these indicators found? By hulling attacks and revealing their specificities. For this purpose, LESI research leaders have several tools at their disposal, starting with the “incubators”, execution environments that make it possible to know precisely what a sample of malware does without the latter realizing that is observed. “The machine must be as realistic as possible, with an email account, Internet access, files, and so on. But we do not use virtual machines, because the attackers we target are very sophisticated and can detect them ” , says a colleague of Marc Blanchard.
– Server rack to “incubate” malware GK
– A command and control server detected during a malware analysis Thanks to such a system, the researcher will be able to intercept external communications and identify the pirate’s C & C servers. Thanks to a software called “plesioscope”, it will also be able to focus on the frequency and the scale of the communications of a malware. Moreover, it will be able to monitor in real time the execution of the compiled code of the malware. It can also be analyzed in a functional way. Some software can even view all the modules of a malware in 3D form.
– Analysis of compiled code GK
– Functional code analysis in 3D GK
– The “plesioscope” analyzes the frequency and extent of malware communications To analyze wireless equipment, the LESI relies on another type of incubator, consisting of a Faraday cage in which a Wi-Fi access point is installed. This makes it possible, for example, to intercept all the connections of a smartphone without it being able to inadvertently connect with a surrounding 4G antenna. Sometimes, the researchers also integrate a small speaker that will simulate the typical sounds of a meeting, to cause the activation of a possible spyware. “At the level of experiments, we do not forbid anything. What matters is having the right idea at the right time. ” , they emphasize. GK
– Incubator for wireless equipment To find relevant indicators, researchers do not hesitate to visit the forums of Darknet to glean information. “What’s in it is interesting, especially to learn about cybercrime trends” , they explain. The collaboration with other teams is also very important, within the Orange group but also outside. In a spirit of teamwork.