The Internal Signs of Compromise

1© Mandiant, a FireEye Company. All rights reserved.© Mandiant, a FireEye Company. All rights reserved.
Know before others…Do you know
the internal signs of a compromise?
Methodology, Technology, and Services
Stuart Davis, Mandiant Director

2© Mandiant, a FireEye Company. All rights reserved.
Agenda
 Background: Threat landscape
 Methodology : Evolution of Incident Response
 Technology : How MANDIANT finds Evil
 Services : What MANDIANT can provide

3
THREAT LANDSCAPE
Evolution of Incident Response

4
It’s a “who,” not
a “what”
There is a human at a keyboard
Highly tailored and customized
attacks
Targeted specifically at you
They are professional,
organized and well
funded
Escalate sophistication of
tactics as needed
Relentlessly focused on
their objective
If you kick them out
they will return
They have specific objectives
Their goal is long-term
occupation
Persistence tools and tactics
ensure ongoing access
EVOLVING THREAT LANDSCAPE

Gain Initial Access
Into Target
Strengthen Position
within Target
Steal Valid User
Credentials
Identify Target Data
Package and Steal
Target Data
Establish
Foothold
Escalate
Privileges
Internal
Recon
Complete
Mission
Initial
Compromise
Move
Laterally
Maintain
Presence
ANATOMY OF A TARGETED ATTACK
6

6
TIME FROM INITIAL COMPROMISE TO DISCOVERY
416
243 229 205
2011 2012 2013 2014
Source: Mandiant M-Trends 2015
The longest time we detected attackers had been present in the victim’s
environment was 2,982 days (over 8 years).
Median number of days that threat
groups were present on a victim’s
network before detection

METHODOLOGY
Evolution of Incident Response

History of DFIR (Digital Forensic and Incident Response)
Disk
Forensics1995 Memory
Forensics2005
• Live
Response
• Network
Forensics
2010

1st Generation (1995-) : Disk Forensics
 What to analyze
- File System: Full Disk / Eventlogs / Prefetch / Registry Hives / Brower History / Scheduled Task / etc.
 How to analyze
- Shutdown system, Un-mount disk
- Connect to Write blocker > Make disk image
- Analyze with tools
 Tools to use
- The Sleuth Kit & Autopsy (Open Source)
- Guidance EnCase
- AccessData FTK
- X-Ways

1st Generation (1995-) : Disk Forensics (cont.)
 Pros
- Data recover (Carving)
- Law Enforcement
 Cons
- Business impact : Shutdown System
- Difficult to collect : Disk Encryption, RAID, NAS, Cloud
- Dead artifacts : No Live Data in the memory
- Scale : Disk by disk
 Cost-effectiveness
- 1 disk for 1 week
- JPY 1,500,000 / disk
- Up to 100 hosts (100 weeks = 2 years?)

2nd Generation (2005-) : Memory Forensics
 What to analyze
- Memory : Process / Driver / Handles / Network Connection / etc.
 How to analyze
- Mount external USB or Network Drive
- Dump Physical Memory
- Analyze with tools
 Tools
- Volatility (Open Source)
- Mandiant Redline (Free)

2nd Generation (2005-) : Memory Forensics (cont.)
 Pros
- No business impact
- Live Data Acquisition
 Cons
- Limited Raw Disk Access
- Scale : Host by host
- 1 memory dump for half week
- $8K USD / host (Forensics specialist needed)
- Up to 100 hosts (50 weeks = 1 years?)

3rd Generation (2010-) : Live Response
 What to analyze
- File System, Memory Forensics by remote
 How to analyze
- Server, Agent base
- Execute a job in the Host by Agent and feed back the result to Server
- Analyze the result with central tools
 Tools
- GRR (Open Source)
- Guidance EnCase Enterprise
- ManTech Active Defense

3rd Generation (2010-) : Live Response (cont.)
 Pros
- Enterprise Scale
- Speed
 Cons
- No proactive detection
- Lack of intelligence
- Need extensive knowledge
- Per Host License

3rd Generation (2010-) : Network Forensics
 What to analyze
- Full packet / Session data / Protocol logs / Statistics
 How to analyze
- Packet Capture
- Protocol Parsing
- Analyze the result with central tools
 Network Forensic Tools
- Security Onion (Open Source)
- BlueCoat Solera Networks
- RSA Security Analytics (NetWitness)

3rd Generation (2010-) : Network Forensics (cont.)
 Pros
- Network Visibility
 Cons
- No visibility for encrypted traffic
- No proactive detection
- Lack of intelligence
- Need extensive knowledge
- Depends on traffic and storage

Traditional Incident Response Process
Identify System Collect Data Analyze Data Report

Breadcrumb Trail
 Incidents rarely have a simple, linear trail of evidence
- Multiple “patient zero” hosts
- Multiple pivot points for lateral movement
- Forensic artifacts disappear over time
- Noise from commodity malware

19© Mandiant, a FireEye Company. All rights reserved. CONFIDENTIAL
Phishing Campaigns
Compromised Hosts
Accessed Hosts
Hosts with Non-
Targeted Malware
Scoping Incidents

20© Mandiant, a FireEye Company. All rights reserved. CONFIDENTIAL
Phishing Campaigns
Compromised Hosts
Accessed Hosts
?
?
?
Scoping Incidents

 Can’t wait for an alarm to go off before
investigating
 Intelligence driven
Hosts & Network
Devices
Gather
Sources of
Evidence
?
Identify systems of
interest, generate
new leads
Hunting

2
• Red Teaming and Penetration Testing
• ICS Security Assessment
• Security Program Assessment (SPA)
• Response Readiness Assessment (RRA)
• Other strategic services
• Compromise Assessment (CA)
• Incident Response (IR)
• Cyber Defense Center Development (CDC)
• SOC/CIRT transformation
• Incident Response Retainer
• Education
• Deployment & Integration
AM I AT RISK?
AM I PREPARED?
AM I COMPROMISED?
I AM BREACHED!
PREPARE FOR
FUTURE EVENTS?
INCIDENT RESPONSE AND PREPAREDNESS CYCLE

AM I PREPARED?AM I AT RISK? AM I COMPROMISED? I AM BREACHED! PREPARE FOR FUTURE EVENTS
DIFFERENTIATORS
VALUE
2
COMPROMISE ASSESSMENT
AM I COMPROMISED?
COMPROMISE ASSESSMENT
Evaluate your environment for the presence of targeted attacker activity
using the same methods and technologies used during our incident
investigations
OUR APPROACH
• Deploy network and host based inspection technology for
comprehensiveness, efficiency, and scale
• Apply intelligence from prior investigations and our own knowledge of
attack group tools, tactics, and procedures to assess your
environment
• Analyze evidence and anomalous activity to confirm malicious activity
• Summarize our findings and provide strategic recommendations
based upon our observations during the engagement
Understand the health of your network-
whether or not you have been breached
• Same technology used in all Mandiant
investigations for comprehensiveness,
efficiency, and scale
• Leverage all of our Intel to search for
signs of compromise across the
environment
• Pivot into Incident Response mode if
targeted attacker activity is identified

TECHNOLOGY
How MANDIANT finds Evil

Investigative Cycle
 Indicators Of Compromise (IOC)
 Host inspection (MIR)
 Network analysis (NTAP)
 Log analysis (TAP)
 Malware reverse engineering
 Threat Intelligence Analysis

Indicators Of Compromise (IOCs)
 Indicator Of Compromise
 Way of describing threat data like
- Malware
- Attacker Methodology
- Evidence of compromise or activity
 What Is An Indicator?
- MD5: Change Frequently
- File Names/Directories: Many Reused
- Registry Key Values: Many Reused
- Services With Wrong Service dll’s: Outliers
- IPs and Domain Names: Change Frequently

Network : Attacker Monitoring & Forensics
 Network visibility
 Internet egress points
 Decode traffic generated by known malware
 Reconstruct command-and-control activity
 Recover data theft
 Monitor All protocols (full packet capture)

Network : Architecture
Mandiant VPN tunnel
Internet
Perimeter
Firewall
Switch
Web Proxy
Internal
Network
Firewall
VPN Users
Mandiant
Mandiant Network Sensor
= Network SPAN/TAP
Servers, workstations, laptops
INTERNAL NETWORK

Endpoint : Hunting & Live Response
 Host visibility
 Agent / controller model
 Deploy to all Windows systems in environment
 Identify historical evidence of compromise
 Search all hosts for IOCs
 Conduct deep-dive analysis on systems of interest

Endpoint : Architecture
MIR Controller #nMIR Controller #1
VPN Users
Mandiant
Servers, workstations, laptops
INTERNAL NETWORK
= Mandiant Agent
Mutually authenticated SSL

Big data : Finding Needle & Analysis
 Network, endpoint, application events visibility
 Detect with Mandiant Threat Intelligence
 Source from Syslog, Windows Event Log, File, ODBC
 Communication Broker in customer environment
 Cloud-based; all technology managed

TOOLS OF THE TRADE
A TEAM of analysts enabled by MIR and NTAP

End-point Visibility – Sweeping the Environment

Find One.
IOC matches are verified by
analysts by extracting suspect
artifacts from end-points and/or
verifying network sensors for
corroborating evidence.

Find One. Then Find Them All.
An initial lead converted to an
IOC can yield quick results
across the entire estate.

Regional Threats
Indicators of Compromise (IOC) used
during a Compromise Assessment are
comprised of information from:
• Incident Response engagements
• Internal research
• Publicly available data
• Regional teams input
IOCs are updated continuously and
can be made client specific.

Tracking Attackers With Network Sensors
Network sensors enable
near real-time detection
of threats, capture of
identified malicious
traffic, and tracking of
attacker activity.

TO GAIN MORE INSIGHT WATCH THE WEBINAR HERE

The Internal Signs of Compromise

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à The Internal Signs of Compromise

Similaire à The Internal Signs of Compromise (20)

Plus de FireEye, Inc.

Plus de FireEye, Inc. (20)

Dernier

Dernier (20)

The Internal Signs of Compromise

Notes de l'éditeur