Advanced Threat Hunting:

Transcription

1 Advanced Threat Hunting: Identify and Track Adversaries Infiltrating Your Organization In Partnership with: Presented by: Randeep Gill Tony Shadrake Enterprise Security Engineer, Europe Regional Director, Europe 2014 Bit9. All Rights Reserved

2 The Evolving Threat Landscape Criminal Enterprises Broad-based and targeted attacks Financially motivated Getting more sophisticated Hactivists Targeted and destructive attacks Unpredictable motivations Generally less sophisticated Nation-States Targeted and multi-stage attacks Motivated by information and IP Highly sophisticated, endless resources

3 Endless Stream of Data Breaches Source: Information is Beautiful, Oct. 2014

4 The Problem: Advanced Threats = $$$ In 2020, enterprises will be in a state of continuous compromise % Days to discover* Discovered externally* There are two kinds of companies: those that have been breached and those that don t know it yet. $ 5.4 MILLION Average cost* CIO Fortune 100 company *Sources: Mandiant, Verizon

5 Endless Stream of News

6 The Network is Not the Target Organizations continue to spend a lot of money on network security solutions, but it s the endpoint that is the ultimate target of advanced threats and attacks. July 2014

7 THREAT MODEL: 1: OPPORTUNISTIC 2: NOT DON T OVERCOMPLICATE THE THREAT

8 Opportunistic threats sell our computers. Goal: breadth of access. Advanced threats sell our data. Goal: precision of access.

9 Traditional Defenses Were Designed for Opp. Attacks ADVANCED OPPORTUNISTIC Hosts Compromised Hosts Compromised Signature available DETECTION THRESHOLD Time Goal for attacker is to compromise as many endpoints as possible Signature available (if ever) DETECTION THRESHOLD Goal for attacker is to compromise as few endpoints as possible? Time

10 But once they re in However they get in, we need to find them! Faster detection means: Shorter dwell time Smaller scope for your incident response Less damage to your business What do they do once they re in?

11 They often Live off the Land (and blend in)

12 Living off the Land Living Off the Land: the attacker uses built-in tools so there are very few new executables. The attacker typically needs to do the following: Execute code: Crack/Dump/Guess/Obtain Valid Credentials» See this with Backoff POS Malware Copy Data: Utilize tools like robocopy, xcopy, cmd.exe to gather data Utilize known good tools for compression or use scripts Exfil Data: ftp.exe, net.exe, Visual Basic script to control IE for POSTing data Manipulate: Download something not malicious but that will trip up detection When Admin logs in, credentials, keystrokes, etc., are captured and used Persist: Compromise or Add more user and system accounts Login to backup servers, staging servers, less noticeable parts of your enterprise Create scheduled jobs that will run and re-add accounts, communicate out, etc.

13 Living off the Land (cont d) More Things to Consider: PowerShell is Powerful Execute from remote URL Basically anything you would ever want to write code for, you can do with powershell, so as an adversary, I can really do some damage (powersploit, etc) Use Internal C2 Sites: Use blog comments and/or wiki to give your stuff new commands so there is no outside communications Use Well-Known Social Sites: Twitter (bots) Dropbox Google Drive Facebook < Insert Social Site Here > Find hardcoded credentials, re-use same password across an enterprise, Single-Sign- On design flaws, etc

14 Target?

15 So, back to Hunting

16 Is Your Environment Like This?

17 Or This?

18 What do you Hunt? Do you know what you re looking for? Are you running vulnerable software? Is it likely to be compromised? Have you hardened your systems, have you reduced surface area? Do you have shared passwords, plain-text credentials, etc? If you have too much entropy or very few standards, hunting will be DIFFICULT Then again, it is rarely easy What do the bad guys need to do? Execute Communicate Grab Data Steal/Add Credentials Persist

19 Which comes first Detection or Collection? By prioritizing collection over detection you can: (1) HUNT MORE EFFECTIVELY!!! (2) Rapidly find root cause (3) Quickly & confidently reconstruct timelines (4) Accelerate Discovery (determine scope) (5) Benefit from hindsight (evolve)

20 Java exploitation Highlight As Opposed to Filter Endpoint Visibility Highlight detected activity within endpoint visibility to understand root cause and scope Proactive Traditional data detection collection also filters enables out you endpoint to see and visibility detect entire only showing attack individual processes events DETECTED DETECTED User visits website Is sent malicious Java applet Spawns first stage payload Spawns second stage payload Detection probability increases over time Injects code into Windows Explorer Investigations seek root cause Takes malicious actions Goal: Understand root cause

21 Expand Detection Beyond the Moment of Compromise Traditional Focus Only See Individual Detection Event Missed without continuous data collection You can t know what s bad ahead of time Abnormal Behavior Lateral Movement & User Accounts Exfiltration & Data Gathering Weeks to Months (Years)

22 Actionable Endpoint Visibility Events Most organizations only have a static view of their business and the data they manage to collect What s more actionable? Traditional IR view Events + Intelligence With no insight into known bad, how can they pick the needles out of their data collection haystack? Events + Intelligence + Prevalence Without understanding prevalence, how can they prioritize detection events to accelerate threat discovery? svchost.exe ran Events + Intelligence + Prevalence + Relationships Without maintaining the recorded relationships, how do they quickly scope any impacted endpoints and lateral movement?? svchost.exe was spawned by unsigned binary under Modern abnormal user account and made a network connection IR view

23 Hunting Tips 1 Collect the RIGHT Data Netflow data and firewall logs can help, but if you aren t seeing what is executing and what is changing on your systems, you will not have as much hunting success. You need to hunt where the adversaries live! 2 Analyze RELATIONSHIPS Relationships are key to being able to detect abnormal behavior. Sure, the adversary lives off the land, but they re still going to do unusual things with the existing tools available to them. 3 Incorporate Reputation and Classification Information When you re hunting, you should not have to spend time manually checking the reputation of a binary or website, as that greatly slows down your ability to continue to the hunt. Being able to quickly say things are known good, known Bad is key, as is the ability to say if it is part of a particular campaign or attack. 4 Automate as much as possible! When you know what is normal, you should be able to be alerted when activity occurs outside of what is normal. And you should be able to automate this. You should also automate reputation and classification information retrieval, and automate discovery.

24 Some Ideas Are abnormal user accounts being used? Do windows processes (lsass, svchost, csrss) have strange parents? Are IE, Acrobat, Word, Notepad, etc., spawning child processes? Are Office Applications making outbound connections? Is Java spawning command shells? Is cmd.exe running as system? Are user accounts being added locally? Are thousands of files being modified by a single process? Is ftp or robocopy being used? Are processes executing that don t have a.exe or.scr extension?

25 Back to the Basics Are you recording every command line used by net.exe and looking for abnormalities? Are you watching when PowerShell.exe is used? Are you mapping user account activity to hosts to look for abnormal logins? Are you. <INSERT LOTS OF STUFF TO DO HERE>

26 Response is the closest thing we have in IT to dogfighting - Bruce Schneier, Blackhat 2014 Keynote

27 Customer Case Study 2014 Bit9. All Rights Reserved

28 Case Study: Major Nordics Mobile Operator Environment 10,000 endpoints/2,500 servers Multi-platform: Win, Linux & MAC Security Challenges June 2014: Had a security incident that took down many machines Under constant attack from Advanced Malware targeting Exec machines Traditional AV on Endpoints. Needed better Detection and stronger Prevention capabilities to combat advanced threats that bypassed existing AV security defenses Intellectual property and customer data at risk Solution Bit9 + Carbon Black Deployed to 50 machines and instantly found many had been compromised This included the identification of malicious files, network activity by unusual processes, legitimate processes performing suspicious actions and more. Key Benefits Visibility into all endpoints and servers Real-time Detection + Incident Response in seconds *Time to Response* is key to identifying & isolating incidents quickly to avoid monetary losses and reputational damage

29 THANK YOU 2014 Bit9. All Rights Reserved