Discovering Threats by Monitoring Behaviors on Endpoints


Slide 1: Discovering Threats by Monitoring Behaviors on Endpoints
Michael Kemmerer, Cybersecurity Engineer, The MITRE Corporation
Approved for Public Release; Distribution Unlimited. Case Number

Slide 2: Introduction
Michael Kemmerer
- Work: Senior Cybersecurity Engineer at The MITRE Corporation; EIC - network and endpoint sensor integration and analytic platform development
- Splunk: deployed 3 distributed Splunk instances; developed numerous custom Splunk apps; co-authored technical guidance on deploying Splunk for a US Government Agency
- Education: M.S. in Engineering Management, Cybersecurity focus, from UMBC; B.S. in Electrical Engineering from Lehigh University

Slide 3: Adversaries on Endpoints: The Problem

Slide 4: The Problem: Adversaries Blend In
- Adversaries, post-exploit, can look very similar to normal users [1]
- Commonly used tools often look for the exploit or for compliance and aren't very effective at finding the operating adversary [2]
- Adversaries hide or masquerade their tools to blend in to the operating environment
- Advanced adversaries are on the network an average of 243 days before being detected
References:
1 - Chan et al. Effect of Malicious Synchronization. National University of Singapore. ~chanmc/papers/herd2.pdf
2 - Salem & Stolfo. Masquerade Attack Detection Using a Search-Behavior Modeling Approach. Columbia University. cucs pdf
3 - Mandiant, Threat Landscape.
Photo credits to Habib M'henni.

Slide 5: The Problem: Perimeter-Centric Defenses
The adversary uses legitimate means of communication through the infrastructure for command and control.
(Diagram: Adversary; Firewall; Intrusion Detection System (IDS); Network Monitoring; Anti-malware on the owned workstation and on servers and workstations; File Server; Domain Controller. Step 2: Initial access, C2.)

Slide 6: Technique Matrix
(ATT&CK matrix with eight tactic columns; the flattened cell text is regrouped by column below.)
- Persistence: New service; Modify existing service; DLL proxying; Hypervisor rootkit; Winlogon helper DLL; Path interception; Registry run keys / Startup folder addition; Modification of shortcuts; MBR / BIOS rootkit; Editing of default handlers; Scheduled task
- Privilege Escalation: Exploitation of vulnerability; Service file permissions weakness; Service registry permissions weakness; DLL path hijacking; Path interception; Modification of shortcuts; Editing of default handlers; Scheduled task; Legitimate credentials
- Credential Access: Credential dumping; Stored file; User interaction; Network sniffing
- Host Enumeration: Process enumeration; Service enumeration; Local network config; Local network connections; Window enumeration; Account enumeration; Group enumeration; Owner/user enumeration; Operating system enumeration; Security software enumeration; File system enumeration
- Defense Evasion: Software packing; Masquerading; DLL injection; DLL loading; Standard protocols; Obfuscated payload; Indicator removal; Indicator blocking
- Lateral Movement: RDP; Windows admin shares (C$, ADMIN$); Windows shared webroot; Remote vulnerability; Logon scripts; Application deployment software; Taint shared content; Access to remote services with valid credentials; Pass the hash
- Command and Control: Common protocol, follows standard; Common protocol, non-standard; Commonly used protocol on non-standard port; Communications encrypted; Communications are obfuscated; Distributed communications; Multiple protocols combined
- Exfiltration: Normal C&C channel; Alternate data channel; Exfiltration over other network medium; Exfiltration over physical medium; Encrypted separately; Compressed separately; Data staged; Automated or scripted data exfiltration; Size limits; Scheduled transfer
Source: ATT&CK Technique Matrix, The MITRE Corporation.

Slide 7: Detecting the Adversary: The Experiment

Slide 8: Our MITRE
MITRE is exploring methods to detect the cyber-adversary operating within the enterprise network. Our experiment demonstrates that novel end-point sensing can be used to detect the adversary operating on enterprise infrastructure.

Slide 9: Summary of the Experiment
- Develops sensors and analytics that can detect advanced cyber-adversaries that aren't detected by traditional tools
- Conducts Cyber-Games to test our results
- Is an experiment testing a sensing methodology that may lead to advances in cyber-incident detection

Slide 10: Our Objective
The experiment focuses on finding the adversary post-exploit.
(Diagram: Cyber Kill Chain phases Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain.)
Cyber Kill Chain: Intelligence-Driven Computer Network Defense, by Eric Hutchins, Michael Cloppert and Dr. Rohan Amin, Lockheed Martin.

Slide 11: We Have a Living Lab
- Our entire site participates
- Corporate-owned computers
- Environment of homogenous Windows desktops
- Several users doing everything! (writing documents, coding, web surfing, etc.)

Slide 12: Endpoint Sensing: Awareness of Host Activity

Slide 13: End-Point Awareness
- Adversaries engage in similar behaviors as they execute their mission
- Hyper-sensing of the desktop provides visibility into user behaviors
- We use a combination of COTS and custom sensors to monitor the desktop

Slide 14: Examples of Sensors
- Host-based sensors: Anti-Virus (McAfee, Symantec); Process monitoring (Sysinternals Sysmon, whitelisting tools); Network monitoring (tshark); Multi-faceted (Event Tracing for Windows, CarbonBlack, HIPS)
- Network sensors: Signature-based (IDS/IPS); Always-on (Netflows, PCAP)
- On-demand functions: PowerShell scripts

Slide 15: Process Monitoring Tool
- Provides details on processes
- Process chains provide context around system activity
(Diagram of process chains: Explorer.exe PID 345 > cmd.exe PID 4922; Outlook.exe PID 5938 > Acrobat.exe PID 6032 > Chrome.exe PID 6034; Outlook.exe PID 5938 > Acrobat.exe PID 6035 > cmd.exe PID 6036.)
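The process-chain idea on this slide, as an added example that is not from the talk: it rebuilds parent/child chains from constructed PID/PPID/image events (the fields a process monitor such as Sysmon records) and recreates the slide's two Outlook > Acrobat chains so they can be compared side by side. The event values and the document-application and shell name lists are assumptions.

```python
"""Rebuild process chains from process-creation events.

Added example, not from the talk. A chain (parent to child) gives context
that a single process name lacks; this rebuilds chains from constructed
(pid, ppid, image) events and recreates the slide's two Outlook -> Acrobat
chains, one ending in a browser and one ending in a command shell.
"""

# Constructed process-creation events: (pid, ppid, image), oldest first.
EVENTS = [
    (345, 1, "Explorer.exe"),
    (4922, 345, "cmd.exe"),
    (5938, 345, "Outlook.exe"),
    (6032, 5938, "Acrobat.exe"),
    (6034, 6032, "Chrome.exe"),
    (6035, 5938, "Acrobat.exe"),
    (6036, 6035, "cmd.exe"),
]

def build_tree(events):
    """Map pid -> (ppid, image). Later events win if a PID is reused."""
    return {pid: (ppid, image) for pid, ppid, image in events}

def chain(tree, pid):
    """Return the ancestry of pid as 'image:PID' strings from root to leaf.
    Stops at an unknown parent or a PID cycle (PID reuse in a long log)."""
    out, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        ppid, image = tree[pid]
        out.append(f"{image}:{pid}")
        pid = ppid
    return out[::-1]

def shells_from_documents(tree, doc_apps=("outlook.exe", "acrobat.exe"),
                          shells=("cmd.exe", "powershell.exe")):
    """Return chains whose leaf is a shell and whose ancestry contains a
    document-handling app. Explorer -> cmd (a user opening a prompt) is not
    reported; Outlook -> Acrobat -> cmd is. Output is for analyst review."""
    hits = []
    for pid, (_, image) in tree.items():
        if image.lower() not in shells:
            continue
        c = chain(tree, pid)
        ancestors = {node.rsplit(":", 1)[0].lower() for node in c[:-1]}
        if ancestors & set(doc_apps):
            hits.append(" > ".join(c))
    return hits
```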

Slide 16: Host-Based Network Sensor
- Metadata on network connections: IP addresses, ports, protocol information, message contents
- Profile process behavior; identify covert channels
- Pivot point between host and network data: process initiating the connection (PID, PPID)

Slide 17: Analytics: Advancing the State of the Art
Analytics based on publicly available tools, techniques, and procedures (TTPs).

Slide 18: Analytics: Sharing Means Caring
Tested, shareable analytics that are effective at finding adversary behavior are the output of the project.

Slide 19: Cyber Games: Testing the Capabilities
- Testing our sensing capabilities and analytics using a collection of TTPs
- Multiple games run throughout the year
- Cyber Games documents include analytic successes and failures for internal review

Slide 20: Analytic Development Cycle
(Cycle diagram: What questions do we want to ask? > Sensor Development (maybe) > Blue Team Analytic Development > Red Team Testing > What did we miss? > back to the start.)

Slide 21: Cyber Games Drive the Cycle and Analytic Improvement
(Diagram: Operation Conducted > Analysis > Development. Example question "Multiple Users on a Workstation?" marked Worked; follow-on question "One User on Multiple Systems"; Sensor Used: McAfee Agent.)

Slide 22: What Can I Do Right Now?
By making small changes to your configuration, you can begin seeing more details.

Slide 23: Monitoring for Credential Theft
Credential dumping:
- Monitor c:\windows\system32\lsass.exe on 1 or 2 endpoints
- Don't block. Just see what programs are touching it
- Observe over time
- Begin to whitelist known programs (best if done by hash and/or signature information)
- Continue to add programs to the whitelist, or filter in Splunk
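The observe-then-whitelist procedure on this slide, as an added example that is not from the talk: it classifies constructed process-access records against an allowlist keyed by image hash and by signer, and tallies the unknown accessors so they can be reviewed and added over time. The record shape (Sysmon Event ID 10 fields plus signer data), the image paths and every hash value are assumptions.

```python
"""Triage which programs open lsass.exe and allowlist the known ones.

Added example, not from the talk. Follows the slide's approach: watch
lsass.exe access, don't block, allowlist known programs by hash and/or
signer, and tally everything else for review. Records are constructed,
shaped like a process-monitoring sensor's process-access event (Sysmon
Event ID 10 fields plus signer data); all hashes are placeholders.
"""
from collections import Counter

LSASS = r"c:\windows\system32\lsass.exe"
# image path -> acceptable SHA-256 values; a hash match beats a name match,
# since a masquerading binary can copy the name but not the hash
ALLOWED_HASHES = {
    r"c:\program files\mcafee\agent\masvc.exe": {"HASH_MASVC"},
}
ALLOWED_SIGNERS = {"Microsoft Windows", "McAfee, Inc."}

def review_lsass_access(events):
    """Return (unknown_events, tally) for events whose target is lsass.exe.

    Known = source hash allowlisted for that image path, or the binary is
    signed by a trusted signer. The tally groups unknowns by (image, hash,
    signer) so repeat accessors can be allowlisted after observation.
    """
    unknown, tally = [], Counter()
    for ev in events:
        if ev["TargetImage"].lower() != LSASS:
            continue
        image = ev["SourceImage"].lower()
        by_hash = ev["SourceHash"] in ALLOWED_HASHES.get(image, set())
        by_sig = ev["Signed"] and ev["Signer"] in ALLOWED_SIGNERS
        if not (by_hash or by_sig):
            unknown.append(ev)
            tally[(image, ev["SourceHash"], ev["Signer"])] += 1
    return unknown, tally

def make_event(src, sha, signed, signer, target=LSASS):
    return {"SourceImage": src, "SourceHash": sha, "Signed": signed,
            "Signer": signer, "TargetImage": target}

SAMPLE_EVENTS = [  # constructed sample telemetry, not real captures
    make_event(r"C:\Program Files\McAfee\Agent\masvc.exe", "HASH_MASVC", True, "McAfee, Inc."),
    make_event(r"C:\Windows\System32\svchost.exe", "HASH_SVCHOST", True, "Microsoft Windows"),
    make_event(r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe", "HASH_UNK1", False, ""),
    make_event(r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe", "HASH_UNK1", False, ""),
    make_event(r"C:\Tools\inventory.exe", "HASH_UNK2", True, "Contoso Ltd"),
    make_event(r"C:\Windows\System32\notepad.exe", "HASH_NOTEPAD", True, "Microsoft Windows",
               target=r"C:\Windows\System32\winlogon.exe"),
]
```

The tally, not the raw event list, is what gets reviewed each day: an entry that keeps recurring with a stable hash and a recognised signer is an allowlist candidate, while a name that matches a system binary but carries an unknown hash from a user-writable path is the masquerading case slide 4 describes.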

Slide 24: Monitoring for Credential Theft, Continued
Offline techniques:
- Monitor reading of the following registry locations: hklm\sam, hklm\security, hklm\system
- Saving of these locations can allow for offline retrieval of cached credentials (via secretsdump)
Reference:

Slide 25: Monitoring for Persistence
- Files and directories: fschange (deprecated); Tasks; Start menu startup directory; .ini files
- Registry: HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms; HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup; dozens more
- Other techniques: Registry shell spawning; Extension hiding; Active-X components
Reference:

Slide 26: Monitoring for Persistence, Continued
Periodic and scripted scans:
- Sysinternals autorunsc.exe: run periodically and search for changes using Splunk
- McAfee Asset Baseline Monitor (ABM): monitor the registry locations noted previously
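The periodic-scan idea from slides 25 and 26, as an added example that is not from the talk: it diffs two autorun snapshots and reports added, removed and changed entries, including a rewritten Winlogon AppSetup value of the kind slide 25 lists. The CSV text is constructed with a subset of autorunsc -c style column names; paths, signers and hash values are placeholders.

```python
"""Diff two autorunsc snapshots to surface new or changed persistence.

Added example, not from the talk. The slide suggests running Sysinternals
autorunsc.exe periodically and searching for changes in Splunk; this does
the same comparison locally. The CSV text is constructed, with a subset of
autorunsc -c style columns; paths, signers and hashes are placeholders.
"""
import csv
import io

BASELINE = r"""Entry Location,Entry,Image Path,Launch String,Signer,SHA-256
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,AgentTray,c:\program files\vendor\tray.exe,c:\program files\vendor\tray.exe /min,(Verified) Vendor Inc,HASH_A
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup,AppSetup,c:\windows\system32\usrlogon.cmd,UsrLogon.Cmd,(Verified) Microsoft Windows,HASH_B
Task Scheduler,\Vendor\Updater,c:\program files\vendor\update.exe,c:\program files\vendor\update.exe,(Verified) Vendor Inc,HASH_C
"""
CURRENT = r"""Entry Location,Entry,Image Path,Launch String,Signer,SHA-256
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,AgentTray,c:\program files\vendor\tray.exe,c:\program files\vendor\tray.exe /min,(Verified) Vendor Inc,HASH_A
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup,AppSetup,c:\users\public\setup.cmd,c:\users\public\setup.cmd,(Not verified),HASH_X
Task Scheduler,\Vendor\Updater,c:\program files\vendor\update.exe,c:\program files\vendor\update.exe,(Verified) Vendor Inc,HASH_C
Task Scheduler,\Maintenance,c:\users\jdoe\appdata\roaming\maint.exe,c:\users\jdoe\appdata\roaming\maint.exe,(Not verified),HASH_Y
"""

WATCH = ("Image Path", "Launch String", "Signer", "SHA-256")

def load(snapshot_csv):
    """Index rows by (Entry Location, Entry), the stable identity of an autorun."""
    rows = csv.DictReader(io.StringIO(snapshot_csv))
    return {(r["Entry Location"], r["Entry"]): r for r in rows}

def diff_autoruns(baseline_csv, current_csv):
    """Return {'added': [...], 'removed': [...], 'changed': {key: [columns]}}.

    'changed' lists the watched columns that differ, so an image path or hash
    swap behind an unchanged entry name (e.g. a rewritten Winlogon AppSetup
    value) is reported even though the entry exists in both snapshots.
    """
    old, new = load(baseline_csv), load(current_csv)
    changed = {}
    for key in old.keys() & new.keys():
        diffs = [c for c in WATCH if old[key][c] != new[key][c]]
        if diffs:
            changed[key] = diffs
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "changed": changed}
```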

Slide 27: Key TTPs To Be Aware Of
Custom Backdoor; Credential Dumping; Net use Lateral Move; Persistence; Remote Desktop; Custom Loader; SSH Port Masquerade; SSH Forwarding; Domain Jumping; Process Renaming; Task Scheduling; Malicious Script Deployment; Service Overwrite; RDP + Graphical Admin Tools

Slide 28: Lessons Learned
- Our experiments validate that end-point sensing can be used to detect the cyber adversary
- Some information types are starting to emerge as highly valuable
- We continue to develop both analytics and new sensing abilities to better detect adversary behavior

Slide 29: Questions & Answers
Michael Kemmerer

Slide 30: Learn, share and hack
- Security office hours: 11:00 AM to 2:, every day. Geek out and share ideas with Enterprise Security developers.
- Red Team / Blue Team: challenge your skills and learn new tricks. Mon-Wed: 3:00 PM to 6:00, Community Lounge. Thurs: 11:00 AM to 2:00 PM.
- Birds of a feather: collaborate and brainstorm with security ninjas. Thurs: 12:00 PM to 1:00, Room 30.

Slide 31: Backup Slides

Slide 32: Cyber Games: Red Team
- TTP emulation
- Analytic-outcome focused
(Diagram: Red Team; Workstations; Sensor Collection Servers; Target Server.)

Slide 33: Cyber Games: Blue Team
- Verify detection
- Develop analytic and sensor ideas
(Diagram: Blue Team; Red Team; Workstations; Sensor Collection Servers; Target Server.)

Slide 34: Cyber Games: White Team
- Develop operation plans
- Protect the environment
(Diagram: White Team; Blue Team; Red Team; Workstations; Sensor Collection Servers; Target Server.)