Hunting for Indicators of Compromise

Similar documents
Targeted Intrusion Remediation: Lessons From The Front Lines. Jim Aldridge

RSA Security Anatomy of an Attack Lessons learned

Protecting against cyber threats and security breaches

All Information is derived from Mandiant consulting in a non-classified environment.

Advanced Visibility. Moving Beyond a Log Centric View. Matthew Gardiner, RSA & Richard Nichols, RSA

Comprehensive Advanced Threat Defense

Critical Security Controls

Things To Do After You ve Been Hacked

Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015

BREAKING THE KILL CHAIN AN EARLY WARNING SYSTEM FOR ADVANCED THREAT

Persistence Mechanisms as Indicators of Compromise

Next-Generation Penetration Testing. Benjamin Mossé, MD, Mossé Security

Endpoint Threat Detection without the Pain

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

TrendsTM. an evolving threat

2012 Data Breach Investigations Report

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Overcoming PCI Compliance Challenges

Presented by Evan Sylvester, CISSP

Incident Response. Six Best Practices for Managing Cyber Breaches.

Combating a new generation of cybercriminal with in-depth security monitoring. 1 st Advanced Data Analysis Security Operation Center

Evolution Of Cyber Threats & Defense Approaches

Cisco Advanced Malware Protection for Endpoints

Developing Secure Software in the Age of Advanced Persistent Threats

An New Approach to Security. Chris Ellis McAfee Senior System Engineer

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

Security Analytics The Beginning of the End(Point)

Web Security. Discovering, Analyzing and Mitigating Web Security Threats

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

2010 Data Breach Investigations Report

Advanced Threats: The New World Order

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

Modern Approach to Incident Response: Automated Response Architecture

Software that provides secure access to technology, everywhere.

Breaking the Cyber Attack Lifecycle

A Case for Managed Security

The FBI Cyber Program. Bauer Advising Symposium //UNCLASSIFIED

Combating a new generation of cybercriminal with in-depth security monitoring

Top Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009

Into the cybersecurity breach

Cyber Threats Insights from history and current operations. Prepared by Cognitio May 5, 2015

How We're Getting Creamed

Performing Advanced Incident Response Interactive Exercise

The Future of the Advanced SOC

Cisco Advanced Malware Protection

Advanced Persistent Threats

Is security awareness a waste of time?

場 次 :C-3 公 司 名 稱 :RSA, The Security Division of EMC 主 題 : 如 何 應 用 網 路 封 包 分 析 對 付 資 安 威 脅 主 講 人 :Jerry.Huang@rsa.com Sr. Technology Consultant GCR

Information Security and Risk Management

24/7 Visibility into Advanced Malware on Networks and Endpoints

Enterprise Cybersecurity: Building an Effective Defense

GOOD GUYS VS BAD GUYS: USING BIG DATA TO COUNTERACT ADVANCED THREATS. Joe Goldberg. Splunk. Session ID: SPO-W09 Session Classification: Intermediate

Data Center security trends

Breach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security

After the Attack. The Transformation of EMC Security Operations

Speed Up Incident Response with Actionable Forensic Analytics

Why The Security You Bought Yesterday, Won t Save You Today

Marble & MobileIron Mobile App Risk Mitigation

Threat Intelligence Pty Ltd Specialist Security Training Catalogue

Security Controls Implementation Plan

Old Web Shells, New Tricks

Stop the Maelstrom: Using Endpoint Sensor Data in a SIEM to Isolate Threats

Securing OS Legacy Systems Alexander Rau

Agenda , Palo Alto Networks. Confidential and Proprietary.

Security workshop Protection against botnets. Belnet Aris Adamantiadis Brussels 18 th April 2013

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

Security Analytics for Smart Grid

EMERGING THREATS & STRATEGIES FOR DEFENSE. Stephen Coty Chief Security

Reference Architecture: Enterprise Security For The Cloud

Sygate Secure Enterprise and Alcatel

TAKING SECURITY TESTING TO THE NEXT LEVEL 5 MAY 2014 STAN HEGT

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence

APT Advanced Persistent Threat Time to rethink?

Security & Threat Detection: Go Beyond Monitoring

RSA Security Analytics

NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

Penetration Testing: Lessons from the Field

5 Steps to Advanced Threat Protection

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

Security A to Z the most important terms

Cyber Situational Awareness for Enterprise Security

The Next Generation Security Operations Center

Accenture Intelligent Security for the Digital Enterprise. Archer s important role in solving today's pressing security challenges

Sophisticated Indicators for the Modern Threat Landscape: An Introduction to OpenIOC

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER

Concierge SIEM Reporting Overview

Cisco Advanced Malware Protection for Endpoints

After the Attack: RSA's Security Operations Transformed

The Incident Response Playbook for Android and ios

Enterprise Cybersecurity: Building an Effective Defense

NASA Consolidated Active Directory Overview ( August 20, 2012 ) Les Chafin Infrastructure Engineering HPES

Incident Response 101: You ve been hacked, now what?

Transcription:

Hunting for Indicators of Compromise Lucas Zaichkowsky Mandiant Session ID: END-R31 Session Classification: Intermediate

Agenda Threat brief Defensive strategy overview Hunting for Indicators of Compromise Live incident response

Question 1 When an AV alert triggers on a host, what do you do? Re-image the system Run multiple AV products Other

Question 2 What question are you more interested in answering: Can a pen-tester get in? Is an attacker already in?

Question 3 Is it possible to stop a determined attacker? Yes No

We Have a Problem Nuisance Insiders Hacktivists Financial Criminals State-Sponsored Attacks are Opportunistic You are targeted because you are vulnerable Trusted Insider Steals Data Difficult to prevent, but attribution is possible Motivated by a Cause Determined, but not always sophisticated More Sophisticated Attacks Typically target information for financial gain Persistent and Targeted Attacks continue until targeted data is obtained

Self-Detection Is Rare 6% Self-Detection 94% External Entity Source: M-Trends 2012: An Evolving Threat, Mandiant, 27 Feb 2012 http://www.mandiant.com/resources/m-trends/

Detection Time: 416 Days Source: M-Trends 2012: An Evolving Threat, Mandiant, 27 Feb 2012 http://www.mandiant.com/resources/m-trends/

Anti-Virus Software Updated 100% Source: http://www.mandiant.com/threat-landscape/

Attackers Used Valid Accounts 100% Source: M-Trends 2012: An Evolving Threat, Mandiant, 27 Feb 2012 http://www.mandiant.com/resources/m-trends/

How do breaches occur? 81% Utilized some form of hacking 69% Incorporated malware 10% Involved physical attacks 7% Employed social tactics 5% Resulted from privilege misuse Source: 2012 Data Breach Investigations Report, Verizon, 29 Mar 2012 http://www.verizonbusiness.com/about/events/2012dbir/

Top three methods of propagation 80% Use of weak administrative credentials 15% Default hidden administrative shares 5% Remote access solution credential caching Source: 2012 Global Security Report, Trustwave, 7 Feb 2012 https://www.trustwave.com/global-security-report

How Orgs Are Compromised 99% 1% Proven methods that have worked for many years "What if" scenarios with emerging BYOD threats in the cloud

Anatomy of an Attack Attackers move methodically from system to system. They take steps along the way to ensure ongoing access.

Attack Demonstr ation

Why the Attackers Are Winning Most organizations are unprepared to detect and respond to targeted intrusions. Pervasive failures: Traditional defenses do not work Security tunnel vision on vulnerabilities & preventing victim zero Underdeveloped IR processes Human resource commitment

WARNING Stopping malware and 0-days is not a cure Attackers are not malware 0-day exploits are typically reserved for organizations that excell at vulnerability and patch management. No product can stop innovative human attackers In 1996, IBM Deep Blue beat Garry Kasparov at chess in the first game of a series in Philadelphia BUT Kasparov rebounded to claim the rest of the series fairly easily. Products are governed by a set of rules, attackers are not Attackers evolve as the need arises, altering tactics and increasing levels of sophistication

Technology Company 30,000 TOTAL SYSTEMS 63 COMPROMISED SYSTEMS 12 SYSTEMS HAD HACKING TOOLS OR BACKDOORS QTY TYPE OF BACKDOOR OR UTILITY 3 Proprietary only 9 Poison Ivy (Active Backdoor) 6 Windows Credential Editor (Credential Stealer) 9 PsExec (Admin Tool) 51 SYSTEMS HAD NO HACKING TOOLS OR BACKDOORS Source: M-Trends 2012: An Evolving Threat, Mandiant, 27 Feb 2012 http://www.mandiant.com/resources/m-trends/

High Tech Defense 6,000 TOTAL SYSTEMS 102 COMPROMISED SYSTEMS 56 SYSTEMS HAD HACKING TOOLS OR BACKDOORS QTY TYPE OF BACKDOOR OR UTILITY 16 Proprietary only 18 Gh0st (Active Backdoor) 3 ASPXSpy (Passive Backdoor) 7 GetHashes (Credential Stealer) 12 PsExec (Admin Tool) 46 SYSTEMS HAD NO HACKING TOOLS OR BACKDOORS Source: M-Trends 2012: An Evolving Threat, Mandiant, 27 Feb 2012 http://www.mandiant.com/resources/m-trends/

Financial Company 30,000 TOTAL SYSTEMS 63 COMPROMISED SYSTEMS 12 SYSTEMS HAD HACKING TOOLS OR BACKDOORS QTY TYPE OF BACKDOOR OR UTILITY 3 Proprietary only 9 Poison Ivy (Active Backdoor) 6 Windows Credential Editor (Credential Stealer) 9 PsExec (Admin Tool) 51 SYSTEMS HAD NO HACKING TOOLS OR BACKDOORS Source: M-Trends 2012: An Evolving Threat, Mandiant, 27 Feb 2012 http://www.mandiant.com/resources/m-trends/

There Is Hope

Defense Against the Dark Arts

Detection and Response Hunting for Indicators of Compromise (IOCs) is an effective way to combat advanced attackers. Secret Formula: 1. Document attacker tools and methodology (a.k.a. intelligence) 2. Use the intelligence to proactively hunt for attacker activity 3. Investigate incidents to increase intelligence & scope compromise 4. Remediate 5. Lather, rinse, repeat

Step 1: Document Intelligence Red and white stripes Beanie Long sleeves Blue pants Walking cane Smug grin

Indicators of Compromise Document attacker tools and methodology Network DNS, IP, and traffic protocol patterns Logfile entries Host forensic artifacts and live memory Metadata is efficient for hunting Analyze attacker tools to create highly effective IOCs IOC authoring is an art. Practice with a creative mindset http://www.openioc.org

Gh0st RAT Commu nity IOC Source: https://forums.mandiant.com/forum/general-7

Example Methodolo gy IOC

IOC Hunting Demonstr ation

Step 3: Investigate Incidents Start with what you know System, IP, DNS, user, timestamp, etc. Time lining What else happened? Look through anything with timestamps e.g., logs, files, registry Search for incident specific IOCs Exhibited patterns - e.g., working directories Hosts and accounts being used

Live IR 1. Quickly pull metadata from live hosts Automation is your friend 2. Investigate the data 3. Pull individual files and memory sections as needed from live hosts

Investigati ve Loop Using IOCs

Investigati on Demonstr ation

Step 4: Remediation 1. Identify all: Compromised hosts and accounts (user, service, all of AD, etc.) Active (beaconing) and passive (listening) backdoors Other entry points like web servers, VPN, & terminal services 2. Perform the following over a remediation weekend : Reset passwords Remove backdoors Fix vulnerable systems they re exploiting for access 3. Continue hunting for IOCs to ensure remediation worked and to identify when the attacker returns

Alert Handling Guideline Initial alert 1. Quarantine on network 2. Perform live IR to identify what happened and related activity Larger compromise 1. Scope completely 2. Remediate all at once

Freeware IOC authoring and searching Live IR Timelining Memory analysis http://www.mandiant.com/resources/downloads

Takeaways Are you compromised right now? Accept that attackers will maneuver past your defenses Hire or train people to hunt for IOCs and investigate alerts Invest in technologies to support those people

Questions? Lucas Zaichkowsky Lucas@Mandiant.com Twitter: @LucasErratus

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information