Reducing cyber risks in the era of digital transformation

Transcription

1 Reducing cyber risks in the era of digital transformation Sergey Soldatov Head of Security Operations Center, R&D Security Services

2 WHO AM I? Since 2016: Head of SOC at Kaspersky lab Internal SOC Commercial MDR* services : Chief manager at RN-Inform Rosneft security services insourcing : TNK-BP Group IT security integration into business and IT operations Security controls in IT projects Security operations : Software developer at RIPN BMSTU graduate CISA, CISSP Speaker, writer, participant, volunteer * Managed Detection and Response

3 THE ERA OF DIGITAL TRANSFORMATION More dependent on IT Environment Corporate perspective More business risks in IT Raise of IT security Attacker perspective Motivation Higher attack complexity And COST Business models Processes and organization Intelligence and preparation Research Professionalism

4 ATTACKER PERSPECTIVE Pentest-like Offensive certified hackers Outsourced service Profitable business Based on cutting edge research and approaches

5 ATTACKER PERSPECTIVE Pentest-like Offensive certified hackers Outsourced service Profitable business Based on cutting edge research and approaches * Tactics, techniques and procedures Classics Anti-forensics Multi-stage Modernity spirit: File less & Malware less Living off the land Bring your own land Off-the-shelf attack simulation toolsets New mysterious TTP*

6 LIVING OFF THE LAND Malware-less Use of built-in OS tools In-memory only (file-less) Maximum use of context knowledge (make no anomalies): Use tools that are already used Use protocols that are already used Don t talk when the net is quiet

7 BRING YOUR OWN LAND When PowerShell is not an option All requited functionality is part of specially created PE Malicious code is run in legitimate process memory no suspicious parentchild relationship, no artefacts on disk Available in off-the-shelf adversary emulation tools (Cobalt strike)

8 AVAILABLE TOOLSETS Commercially supported and maintained Very difficult attribution Disguise capabilities: False attribution Benign activity

9 ATTACKER ALWAYS ATTACKS THE WEAKEST LINK

10 AND CYBER WEAPON FOR ALL! The resources of the attacker are limitless! Prevention Detection à Threat hunting Response

11 1% OF ATTACKS 90% OF DAMAGE Average loss from a single targeted attack Large enterprises SMB $ 84K $ 2,54M Risk level 70% 29% 1% Known threats Unknown threats Sophisticated threats APT Targeted attacks * According to Kaspersky lab and B2B international research Enterprise information security. Average damage from single targeted attack, including direct losses and indirect costs of restoration after the attack.

12 THREAT LANDSCAPE OUTRO Layers: By approach: Prevent à Detect à Hunt By technology: Entities à Behavior à Statistics à ML à DL By Kill Chain: Pre-breach à Post-breach By decision maker: Sensor à Cloud à Human By media: Endpoint à Network Cycles: Threat intel à Detect à Practice à Threat intel Hunt à Detect à Hunt

13 LAYERS

14 APPROACH LAYERS: PREVENT à DETECT à HUNT If possible automatically prevent Prevent Detect Find Prevention systems Detection systems Threat hunting ~100% known evil <100% known evil unknown evil Automatic Automatic + Check Manual Degree of uncertainty Protection Detection & response

15 THREAT HUNTING Cyber threat hunting is the practice of searching iteratively through data to detect advanced threats that evade traditional security solutions. 15

16 PROTECTION STRATEGY WAYS OF RETREAT

17 DETECT LAYERS: ANTI-MALWARE & SANDBOX Advantages Disadvantages Endpoint AM-engine (AM) Real environment Real user activity Unlimited processing time Performance Limitations Big impact from True Positive Sandbox (SB) No performance limitations Low impact from True Positive Artificial environment Emulated user activity (required actions may not be fulfilled) Limited processing time Different technologies works with different effectiveness and efficiency against different attacks AM and SB complement each other to better cumulative detection rate

18 DETECT LAYERS: DAVID BIANCO'S PYRAMID OF PAIN AM-signature TTP-based detect IoC, IoA Human Analyst required Commodity Prevention/Detection tools capabilities (can be done automatically)

19 THE CONCEPT OF HUNT (DETECTOR, RULE) Post-exploit Recon Exploit Privileges escalation Lateral movement Covering tracks C&C TECHNIQUES EXAMPLE: Run untrusted code with whitelisted tool (rundll32,regsvr32,mshta,odbcconf,etc) Office app spawns cmd/powershell/etc Access to paste service from non-browsers Internal recon

20 REAL ATTACK (SIMPLIFIED) 1-day.rtf exploit odbcconf execute winword start download start Cobaltstrike beacon mshta wecloud[.]biz/m11.xls powershell AppData\Roaming\46961.txt (.dll) start regsvr32 cmd execute.hta start start decode,store,start del start cmd download, execute start powershell powershell start execute execute download drop download save start wecloud[.]biz/d.doc AppData\Roaming\22682.doc open winword wecloud[.]biz/p1.sqlite3 AppData\Roaming\6F633FD53B9B6C.txt (sct) wecloud[.]biz/mail/changelog.txt start base-64 PS drop AppData\Roaming\rad7EF08.tmp

21 TTP-BASED DETECTS 1-day.rtf exploit odbcconf executing_hta_via_com winword download executing_with_nonexecutable_extension start execute start mshta decode,store,start wecloud[.]biz/m11.xls powershell AppData\Roaming\46961.txt (.dll) cmd download wecloud[.]biz/d.doc AppData\Roaming\22682.doc execute suspicious_powershell_cmdline_downloading.hta save start powershell open start start suspicious_powershell_cmd_or_script_spawning download winword wecloud[.]biz/p1.sqlite3 drop proxying_arbitrary_code_execution_through_trusted_binaries del AppData\Roaming\6F633FD53B9B6C.txt (sct) start cmd start execute suspicious_powershell_cmdline_general_obfuscation regsvr32 download, execute application_whitelisting_bypass_via_regsvr32 AV_engine_inexact_detect start execute wecloud[.]biz/mail/changelog.txt drop AppData\Roaming\rad7EF08.tmp Cobaltstrike beacon start powershell start base-64 PS

22 MITRE ATT&CK: ADVERSARIAL TACTICS, TECHNIQUES & COMMON KNOWLEDGE

23 ATTACK KILL CHAIN

24 ATTACK LIFECYCLE Observable attacker activity Fast Passive Stealthy Reconnaissance Weaponization Delivery Exploitation Installation Command & Control Actions on objective Months Minutes Years Pre-breach Breach Post-breach Time 24

25 ATTACK KILL CHAIN COVERAGE: PRE-BREACH AND POST-BREACH SCENARIOS Currently Previously Breach! Operational security (SOC) Prevention security controls Threat hunting Incident response Time Pre-breach Post-breach

26 POST-BREACH: MITRE ATT&CK COVERAGE Consumer: the most appropriate way to assess EDR/MDR Vendor/Provider: Selfassessment for current capabilities and improvement planning

27 MEDIA COVERAGE Deliver Exploit Initial access Persistence Privilege escalation Defense evasion Credential access Discovery Lateral movement Execution Collection Exfiltration Command and Control Endpoint Network

28 LEVELS OF DECISION MAKING Adjust product detection logic ü Sensor detects ü Process behavior ü OS events Data Sensors (Event sources) Human analyst work, Threat hunting: ü Check behavior hypotheses about attacker ü Situational awareness ü Investigate borderline cases ü Overall process improvement Macro correlation, TTP-based detection logic: ü All TTP knowledge: ü Internal research ü MITRE ATT&CK ü Security assessment/red teaming ü Incident response practice ü Monitoring practice Micro correlation on sensor level: ü All sensor detection technologies ü Reputation (cloud) Cloud Products

29 CYCLES

30 THREAT INTELLIGENCE CYCLE FOR CONSTANT IMPROVEMENT Auto-detection data, Emulation data, KSN-statistics Threat-centric Products Research infrastructure Threat Intelligence Threats Targets Threat Research Target-centric Services Operational practice 30

31 SECURITY OPERATIONS CYCLE (SIMPLIFIED) Detection scenarios Detection Events, Raw data Threat Intelligence MSSP scope: Particular customer GOV/LEA scope: Country, Industry Investigation Practical knowledge, IoC, IoA Remediation Lessons learned Incident details 31

32 OFF-TOPIC: WHAT IS TI AND FOR WHOM IT MATTERS Tactical level Operational level Strategic level IT Roles Tasks Problems Value of TI Network operation center (NOC) Security operations center (SOC) Infrastructure operations (IT) IR Team SOC Team CISO CIO Feed indicators to security products Monitor, triage Patch vulnerable systems Remediate Determine details of attacks Hunt for additional breaches Allocate resources Communicate to executives Bad indicators cause FP Too many alerts to investigate (+ FN) Difficult to prioritize patches Time-consuming to reconstruct attack from initial indicators Difficult to identify additional breaches No clear priorities for investment Executives don t understand tech Source: John Friedman, Mark Bouchard, CISSP. Definitive Guide to Cyber Threat Intelligence. CyberEdge Group, LLC, 2015 Validate and prioritize indicators Prioritize alerts Prioritize patches Provide context to reconstruct attack quickly Provide data for threat hunting Priorities based on risks and likely attacks Explain adversary in terms of impact

33 INCIDENT RESPONSE IN MDR* Initial response Investigation Remediation Monitoring/Threat hunting team Begin Threat research team Incident response team * Managed Detection and Response End

34 INCIDENT RESPONSE IN MDR Initial response Investigation Remediation Monitoring/Threat hunting team Begin Monitoring & threat hunting operations Continuous remediation efficiency control Suspicious activity detected Live response Incident response team Threat research team Remediation can be automatically provided Automatic product detection/ remediation End

35 INCIDENT RESPONSE IN MDR Initial response Investigation Remediation Monitoring/Threat hunting team Begin Monitoring & threat hunting operations Continuous remediation efficiency control Additional IoC/IoA discovered Suspicious activity detected Live response Incident response team Deeper investigation required Forensics Malware analysis Threat research team Automatic remediation possible Automatic product detection/ remediation End

36 INCIDENT RESPONSE IN MDR Initial response Investigation Remediation Monitoring/Threat hunting team Begin Monitoring & threat hunting operations Continuous improvement Continuous monitoring of remediation efficiency Additional IoC/IoA discovered Suspicious activity detected Live response Incident response team Deeper investigation required Forensics Malware analysis Manual remediation required Incident response Lessons learned Threat research team End

37 INCIDENT RESPONSE IN MDR Initial response Investigation Remediation Monitoring/Threat hunting team Begin Monitoring & threat hunting operations Continuous improvement Continuous remediation efficiency control Continuous monitoring of remediation efficiency Additional IoC/IoA discovered Suspicious activity detected Live response Incident response team Deeper investigation required Forensics Malware analysis Manual remediation required Incident response Lessons learned Threat research team Remediation can be automatically provided Automatic remediation possible Automatic product detection/ remediation End

38 ADVERSARY EMULATION FOR SECURITY OPERATIONS ( RED TEAMING ) Goal: Assessment of Blue team operational efficiency and training Threat Intelligence driven Leaks, spear-phishing, insiders, etc. Report artifacts for Blue team evaluation Detailed stage by stage attack description With timestamps, tools IoCs & IoAs TTPs Optionally followed with workshop With KL Blue team threat hunters (temporary Purple) 38

39 RESEARCH AS OPERATIONS Digital forensics lab Escalation for manual DFIR Detection logic adaptation, manual threat hunting Semi-automatic DF SOC 2 nd tier Escalation for customer specific SOC 1 st tier Global Emergency and Response Team Escalation for threat detection in products Threat Research TTP-based detection logic Sensor data MDR provider cloud Products TTP-based detection logic development SOC Research Detect in product: prevention or detection Targeted Attack Research Group Escalation for threat detection in products Assess products & operational efficiency Security Assessment

40 THE END: THE IDEA OF CYBER-IMMUNITY If somebody planned to breach your systems, it will definitely happen If we eradicated them, they will come again - they never give up Do not rely solely on the perimeter and automatic detection/protection Chances to detect after the breach are much higher Prioritization on the material risk is the basis of success Never relax: silence is a scary sound assume breach, search, hunt

41 THANK YOU VERY MUCH! Sergey Soldatov, CISA, CISSP Head of SOC, R&D Security Services, Kaspersky lab