Tanium Endpoint Detection and Response. (ISC)² East Bay Chapter Training Day July 13, 2018

Similar documents
What are we going to talk about today?

Tanium Incident Response User Guide

SentinelOne Technical Brief

Tanium Trace User Guide. Version 2.2.0

Tanium Trace User Guide. Version 1.2.6

SentinelOne Technical Brief

DATA SHEET RSA NETWITNESS ENDPOINT DETECT UNKNOWN THREATS. REDUCE DWELL TIME. ACCELERATE RESPONSE.

AMP for Endpoints & Threat Grid

ForeScout CounterACT. Configuration Guide. Version 2.2

Carbon Black QRadar App User Guide

CounterACT IOC Scanner Plugin

CYBER THREAT HUNTING DETECT ADVANCED THREATS HIDING IN YOUR NETWORK. A guide to the most effective methods.

RSA INCIDENT RESPONSE SERVICES

RSA INCIDENT RESPONSE SERVICES

Incident Scale

ForeScout Extended Module for Carbon Black

OUTSMART ADVANCED CYBER ATTACKS WITH AN INTELLIGENCE-DRIVEN SECURITY OPERATIONS CENTER

SandBlast Agent FAQ Check Point Software Technologies Ltd. All rights reserved P. 1. [Internal Use] for Check Point employees

FastResponder: New Open Source weapon to detect and understand a large scale compromise

Cisco Advanced Malware Protection (AMP) for Endpoints Security Testing

Qualys Indication of Compromise

McAfee Advanced Threat Defense

THE RSA SUITE NETWITNESS REINVENT YOUR SIEM. Presented by: Walter Abeson

Bromium: Virtualization-Based Security

Reduce the Breach Detection Gap to Minutes. What is Forensic State Analysis (FSA)?

Tanium For Endpoint Security

Russ McRee Bryan Casper

Seceon s Open Threat Management software

CounterACT Check Point Threat Prevention Module

Novetta Cyber Analytics

Forescout. eyeextend for Carbon Black. Configuration Guide. Version 1.1

EFFECTIVELY TARGETING ADVANCED THREATS. Terry Sangha Sales Engineer at Trustwave

RSA ECAT DETECT, ANALYZE, RESPOND!

Enhanced Threat Detection, Investigation, and Response

Cisco Cloud Security. How to Protect Business to Support Digital Transformation

INCIDENT RESPONDER'S FIELD GUIDE INCIDENT RESPONDER'S INCIDENT RESPONSE PLAN FIELD GUIDE LESSONS FROM A FORTUNE 100 INCIDENT RESPONSE LEADER

Compare Security Analytics Solutions

ENTERPRISE ENDPOINT PROTECTION BUYER S GUIDE

Automated Response in Cyber Security SOC with Actionable Threat Intelligence

Eliminating the Blind Spot: Rapidly Detect and Respond to the Advanced and Evasive Threat

Enterprise Ransomware Mitigations

Designing an Adaptive Defense Security Architecture. George Chiorescu FireEye

Whitepaper. Advanced Threat Hunting with Carbon Black Enterprise Response

Forescout. eyeextend for Palo Alto Networks Wildfire. Configuration Guide. Version 2.2

THE ACCENTURE CYBER DEFENSE SOLUTION

Next Generation Endpoint Security Confused?

esendpoint Next-gen endpoint threat detection and response

Incident Response Agility: Leverage the Past and Present into the Future

McAfee Endpoint Threat Defense and Response Family

Essentials to creating your own Security Posture using Splunk Enterprise

PRODUCT OVERVIEW. Extend your security intelligence from local network to global cyberspace

Forensics for Cybersecurity. Pete Dedes, CCE, GCFA, GCIH

Integrated, Intelligence driven Cyber Threat Hunting

Reducing the Cost of Incident Response

EU GENERAL DATA PROTECTION: TIME TO ACT. Laurent Vanderschrick Channel Manager Belgium & Luxembourg Stefaan Van Hoornick Technical Manager BeNeLux

Notes: Describe the architecture of your product. Please provide also which Database technology is used for case management and evidence management.

Traditional Security Solutions Have Reached Their Limit

Assessing Your Incident Response Capabilities Do You Have What it Takes?

<Partner Name> RSA NETWITNESS Intel Feeds Implementation Guide. Kaspersky Threat Feed Service. <Partner Product>

: Administration of Symantec Endpoint Protection 14 Exam

Security. Made Smarter.

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

McAfee Investigator Product Guide

Windows Forensics Advanced

Symantec Advanced Threat Protection: Endpoint

Threat Detection and Response. Deployment Guide

A YEAR OF PURPLE. By Ryan Shepherd


SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

SIEM Solutions from McAfee

Operationalizing your Security Data. Presenter: Lee Imrey Splunk, Security Market Specialist

Burning Down the Haystack. Tim Frazier Senior Security Engineer

USING SPLUNK ADAPTIVE RESPONSE

Resolving Security s Biggest Productivity Killer

AppDefense Cb Defense Configuration Guide. AppDefense Appendix Cb Defense Integration Configuration Guide

GRR Rapid Response. An exercise in failing to replace yourself with a small script.

Get Armoured Against Endpoint Attacks. Singtel Business. Managed Defense Endpoint Services Threat Detection and Response (ETDR)

(Re)Investigating PowerShell Attacks

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

Targeted Attack Protection: A Review of Endgame s Endpoint Security Platform

AppDefense Getting Started. VMware AppDefense

Infoblox Dossier User Guide

Chapter 7 Forensic Duplication

Sharing What Matters. Accelerating Incident Response and Threat Hunting by Sharing Behavioral Data

Client Health Key Features Datasheet. Client Health Key Features Datasheet

USM Anywhere AlienApps Guide

Digital Forensics Readiness PREPARE BEFORE AN INCIDENT HAPPENS

STAY ONE STEP AHEAD OF THE CRIMINAL MIND. F-Secure Rapid Detection & Response

CloudSOC and Security.cloud for Microsoft Office 365

IBM services and technology solutions for supporting GDPR program

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

CRYPTTECH. Cost-effective log management for security and forensic analysis, ensuring compliance with mandates and storage regulations

Advanced Threat Hunting:

Carbon Black PCI Compliance Mapping Checklist

BREACHES HAPPEN: BE PREPARED. Endpoint Detection & Response

CNIT 121: Computer Forensics. 9 Network Evidence

Sourcefire Network Security Analytics: Finding the Needle in the Haystack

Maximizing IT Security with Configuration Management WHITE PAPER

Application Whitelisting and Active Analysis Nick Levay, Chief Security Officer, Bit9

Fidelis Overview. 15 August 2016 ISC2 Cyber Defense Forum

Transcription:

Tanium Endpoint Detection and Response (ISC)² East Bay Chapter Training Day July 13, 2018

$> WhoamI 11 Years of Security Experience Multiple Verticals (Technology, Industrial, Healthcare, Biotech) 9 Years in Incident Response / Consulting Worked for 3 of the largest IR Consulting firms in the US Personally responded to over 150 active incidents in over 10 countries Several high profile / public data breach investigations Primary expertise in Digital Forensics, APT mitigation, Threat Intelligence Education: BS, University of Central Florida Certifications: SANS: GCFA, GCIH, GREM CISSP 2017 Tanium. All rights reserved. 2

The Old Way of Performing Incident Response The Traditional Approach Doesn t Scale One of the security tools detects something IDS signature, A/V hit, Threat Intelligence alert Reactive Approach Image the entire disk and/or dump memory This takes a huge amount of time / Huge amount of data to analyze 8-10 hours as most laptops are at least 500GB Add another 12 hours for indexing with popular forensics tools Very effective, but not scalable for large incidents 2017 Tanium. All rights reserved. 3

It s Time to Re-think the Problem Statement What Data is essential for Enterprise-scale incident response? 2017 Tanium. All rights reserved. 4

Matt Swann, https://github.com/swannman/ircapabilities

Logistics Lab environment URL Lab environment credentials Handouts Slides Lab supplements 2017 Tanium. All rights reserved. 6

Class outline Tanium Platform Overview Tanium Threat Response Workflow Hands on Labs 2017 Tanium. All rights reserved. 7

Tanium Platform Overview Reviewing the basics

Tanium 101 Reviewing the basics Sensors Saved questions Actions 2017 Tanium. All rights reserved. 9

What s a sensor? Ask a question across all endpoints Search or collect data Live artifacts native to the system Evidence preserved by Tanium components (Index, Trace) Combine and stack common results for outlier analysis 2017 Tanium. All rights reserved. 10

Sensors can collect broad, unfiltered data List all loaded DLLs and their paths and hashes 2017 Tanium. All rights reserved. 11

Or they can take parameters to find specific items Find any file on disk starting with the name java 2017 Tanium. All rights reserved. 12

You can drill down on results to ask follow-up questions 2017 Tanium. All rights reserved. 13

Compound questions combine output from multiple sensors 2017 Tanium. All rights reserved. 14

Tanium provides several tools to help you discover sensors 2017 Tanium. All rights reserved. 15

Saved Questions collect data over time 2017 Tanium. All rights reserved. 16

Dashboards group together saved questions 2017 Tanium. All rights reserved. 17

What s an action? Change the state of a system Distribute a package of files and run a command Can target system(s) from any set of question results Can run once, or recur over time 2017 Tanium. All rights reserved. 18

Common actions for Threat Response workflows Quarantine host (isolate on the network) Launch IR Gatherer Kill process Edit registry Edit hosts file Patch system 2017 Tanium. All rights reserved. 19

Training Lab: Practicing Basic Questions Use Ask a Question in Interact to discover sensors and complete this lab Practicing basic sensor questions 1. What operating systems are present in the demo environment? 2. What is the IP address of hostname AlphaPC? 3. Do any systems have Google Chrome as an installed application? What version? 4. Who is the last logged in user on client-1? 5. How many systems are listening for connections on port 3389? What are their hostnames? 2017 Tanium. All rights reserved. 20

Threat Response Workflow

Tanium Threat Response overview Monitor and Alert Detect Apply threat data and continuously monitor and alert on malicious activity Interact Build customized dashboards from Threat Response and other Tanium content 2017 Tanium. All rights reserved. 22

Tanium Threat Response overview Monitor and Alert Detect Apply threat data and continuously monitor and alert on malicious activity Interact Build customized dashboards from Threat Response and other Tanium content Hunt and Investigate Trace Accelerate single-host & enterprise investigations with rapid collection and analysis of forensic data. Live Response & IR Gatherer Collect memory, file system metadata, event logs, and other raw forensic evidence. 2017 Tanium. All rights reserved. 23

Tanium Threat Response overview Monitor and Alert Detect Apply threat data and continuously monitor and alert on malicious activity Interact Build customized dashboards from Threat Response and other Tanium content Remediate Interact Use Threat Response and Core Tanium actions to contain and resolve incidents. Hunt and Investigate Trace Accelerate single-host & enterprise investigations with rapid collection and analysis of forensic data. Live Response & IR Gatherer Collect memory, file system metadata, event logs, and other raw forensic evidence. Take corrective steps to reduce the risk of re-compromise. 2017 Tanium. All rights reserved. 24

Tanium Threat Response overview Monitor and Alert Detect Apply threat data and continuously monitor and alert on malicious activity Interact Build customized dashboards from Threat Response and other Tanium content Remediate Interact Connect & APIs Instrument Tanium and send data to other security platforms Use Threat Response and Core Tanium actions to contain and resolve incidents. Hunt and Investigate Trace Accelerate single-host & enterprise investigations with rapid collection and analysis of forensic data. Live Response & IR Gatherer Collect memory, file system metadata, event logs, and other raw forensic evidence. Take corrective steps to reduce the risk of re-compromise. 2017 Tanium. All rights reserved. 25

Tanium Threat Response Sources of evidence Incident Response Index Trace Recorder Current State Active processes, network connections, loaded files, inmemory artifacts Data at Rest Files on disk, registry entries, logs, caches and other OS artifacts Historical Data Telemetry of process, network, file, registry, security, and driver events 26 2017 Tanium. All rights reserved. 26

Incident Response content searches native sources of evidence Registry keys & values File metadata Network connections Loaded DLLs ShimCache Prefetch Processes UserAssist entries Mutexes MBR boot code Tanium Incident Response Content WMI consumers Handles Logon sessions MFT entries Loaded drivers Event log entries 2017 Tanium. All rights reserved. 27

Index provides full-disk search for file metadata File hashes MD5: fc5e038d38a57032085441e7fe7010b0 SHA1: 6adfb183a4a2c94a2f92dab5ade762a47889a5a1 SHA256: 936a185caaa266bb9cbe981e9e05cb78cd732b0b3... File name and path C:\temp\salary.xlsx Tanium Index File magic number 4D 5A 00 02 File timestamps Created: 2015-05-09 10:09:43 Modified: 2015-05-09 10:20:01 2017 Tanium. All rights reserved. 28

Trace continuously records historical data Filesystem events User & process context Type of event (Create, Delete, Rename, Write) Process execution User context Command line & parent Hash Time created & terminated Driver loads User & process context Path Hash Digital signature Registry events User & process context Type of event (key created, key deleted, value set, value deleted) Tanium Trace Recorder Network connections Type of connection Remote & local port and IP DNS query and response User & process context Security events Based on OS audit policy Logon / logoff, policy change, account and group changes, etc. 2017 Tanium. All rights reserved. 29

Detection and alerting Introducing Tanium Detect 3.0

Detection methods Signals Indicators and Rules Reputation 2017 Tanium. All rights reserved. 31

Basic navigation Detect homepage and alerts Filter by Computer Name Match Details (artifact in an alert) Label Intel Name Status Unresolved In Progress Resolved 2017 Tanium. All rights reserved. 32

Signals

Signals Continuously monitor endpoint activity using Trace Detect any combination of file, process, network, or registry events Issue alerts to the Tanium console within seconds of a signal match process.path ends with 'certutil.exe' AND (process.command_line contains '- decode' OR process.command_line contains '-urlcache') file.operation is create AND (file.path ends with '.vbs' OR file.path ends with '.ps1') and process.path contains 'winword.exe' 2017 Tanium. All rights reserved. 34

What s in a signal alert? 2017 Tanium. All rights reserved. 35

Investigating a signal alert in Trace 1 2 3 Signal alerts are linked to the corresponding process instance in Trace, allowing you to easily pivot into the complete forensic history around an event. 2017 Tanium. All rights reserved. 36

Investigating with Trace Overview

Tanium Trace Key Components Recorder: Continuously preserve endpoint activity via kernel-level monitoring Sensors: Search Trace data across all systems via Ask a question Workbench: Web UI for investigation tasks (single-host and enterprise) 2017 Tanium. All rights reserved. 38

What does Trace record? Windows and Linux Process execution User context Command line Parent command line Hash Time created & terminated File system User & process context Type of event (Create, Delete, Rename, Write) Registry (Windows-only) User & process context Type of event (key created, key deleted, value set, value deleted) Network Connection Type of connection event Remote & local port and IP User & process context DNS (Server 2012R2 / Win8.1 & later) Queried domain Response IP Initiating process Security Based on current audit policy Can include: logon, logoff, lockout, auth. policy change, account and group changes Driver load User & process context Path Hash Digital signature 2017 Tanium. All rights reserved. 39

Single-host analysis workflow Connect to system Search for your leads Analyze process details Pivot and scope Live system Saved snapshot Automatic drill-down from Detect Browse timeline Filter by time & date Filter by event data Use timeline & tree visualizations Transfer files Save evidence Search the enterprise Generate IOCs for Detect Generate policies for Protect 2017 Tanium. All rights reserved. 40

Lab: Investigating an Office Macro Attack Open the Trace snapshot for client-1: Trace Saved Evidence Snapshots 1. What processes did EXCEL.EXE launch (aside from Z4U8K1S8.EXE)? 2. What was the purpose of the certutil.exe command? What did it do? Do not use a live connection for this lab. 3. After initiating a command shell, what commands did the attacker execute? Search for process Z4U8K1S8.EXE drill down and pivot from there to answer the following questions 4. What was the file name of the original malicious Excel document that led to the infection? 2017 Tanium. All rights reserved. 41

Answers What processes did EXCEL.EXE launch (aside from Z4U8K1S8.EXE)? 2017 Tanium. All rights reserved. 42

Answers What was the purpose of the certutil.exe command? What did it do? The macro launched "certutil.exe" to extract the malware payload, "Z4U8K1S8.EXE", from temporary file "T1U3H6N7.TXT" 2017 Tanium. All rights reserved. 43

Answers After Z4U8K1S8.EXE initiated a command shell, what commands did the attacker execute? 2017 Tanium. All rights reserved. 44

Answers Search File events for ".xls" files created by outlook.exe (in Excel ancestry) What was the file name of the original malicious Excel document that led to the infection? 2017 Tanium. All rights reserved. 45

Next steps What didn t we cover today?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback