Incident Response and Threat Hunting
Sachin Deodhar
SpiderLabs Incident Response & Readiness at Trustwave
©2017 Trustwave Holdings, Inc.
Cybercrime Motivations
Why this problem is NOT going away
• Trustwave Global Security Report research shows 1,425% Return on Investment
• Estimated ROI for a one-month ransomware campaign
• Based on Trustwave SpiderLabs research into underground markets
• One example: $5,900 investment = $84,100 profit
Video – The Cybercrime Underground
How it really works
BEST DEFENSE IS A GOOD OFFENSE
Build on a solid foundation, but don’t rest on it.
• This is a maturing model that requires progression from an investment of capital and resources.
• Organizations need to maximize data collection from the beginning in order for Active Defense and Intelligence to be most effective.
ARCHITECTURE: Security policy, systems design, network architecture and system maintenance address vulnerabilities.
  Examples: Application, Database, Layering, Hardening, AD/DNS
PASSIVE DEFENSE: Added to the design to provide defense or insight against threats without consistent human interaction.
  Examples: IDS, Firewall, Endpoint
ACTIVE DEFENSE: Activities related to active monitoring for threats, responding to them, and providing that to the internal environment.
  Examples: SIEM, 24x7 SOC, IR, Pen Testing
INTELLIGENCE: Collecting data, exploiting it into information, comparing competing intel, and producing actionable intelligence.
  Examples: Threat Hunting, Identity Hunting
OFFENSE: Legal countermeasures and self-defense actions against an adversary.
  Examples: C&C, Engaging Law Enforcement
THREAT DETECTION CONTINUUM
Where are you... and where are your adversaries?
THE THREAT HUNT CHALLENGE
Hunting 101
Evasion techniques still have patterns. Adversaries will continue to change their patterns, and threat hunting must do the same:
1) Adapt to changes in behaviors and learn how the adversaries work. An advanced adversary will target a system, upload code, create a C2 channel, and survive a reboot. Although the specific methods of doing this are always changing, the general behavior patterns are the same.
2) Watch all behaviors of the adversary, including known good, known bad, and unknown or unclassified behaviors. Looking for anomalies that deviate from normal behavior can help detect unknown or previously unseen hostile activity.
3) Contain and control the damage by identifying the attackers' lateral movements and removing systems.
This is less about spotting malware and more about identifying hostile behavior and containing that behavior fast.
Threat hunting is the intersection of cyber threat intelligence, analyst expertise, and artificial intelligence.
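The three Hunting 101 steps as a small correlation script, added here as an example and not code from Trustwave or the presentation: step 1 maps endpoint events onto the generic "upload code, create a C2 channel, survive a reboot" chain, step 2 flags accounts whose logon behaviour deviates from normal (a failed-logon burst, then logons to many hosts), and step 3 turns both into a containment list. The event fields, process names, thresholds and all sample events are constructed assumptions.

```python
from collections import defaultdict

# Illustrative behaviour definitions (assumptions, not Trustwave telemetry fields):
# what each stage of the generic adversary chain looks like in endpoint/auth events.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
PERSISTENCE_KEYS = ("\\currentversion\\run", "\\schedule\\taskcache")
INTERNAL_PREFIXES = ("10.", "192.168.")
FULL_CHAIN = {"upload_code", "c2_channel", "survive_reboot"}
LOGON_FAIL_THRESHOLD = 5     # failed logons per account before the burst matters
LATERAL_HOST_THRESHOLD = 3   # distinct hosts one account logs on to remotely

# Constructed sample events (not real telemetry). "proc" = process creation,
# "net" = outbound connection, "reg" = registry write, "auth" = logon attempt.
EVENTS = [
    {"kind": "proc", "host": "RES-PC07", "parent": "winword.exe", "image": "wscript.exe"},
    {"kind": "net", "host": "RES-PC07", "image": "wscript.exe", "dest": "203.0.113.10"},
    {"kind": "reg", "host": "RES-PC07",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"},
    {"kind": "proc", "host": "FIN-PC02", "parent": "explorer.exe", "image": "powershell.exe"},
]
AUTH_EVENTS = (
    [{"kind": "auth", "user": "svc_admin", "result": "fail", "host": "RES-PC07", "logon_type": 3}] * 6
    + [
        {"kind": "auth", "user": "svc_admin", "result": "ok", "host": "FIN-PC02", "logon_type": 10},
        {"kind": "auth", "user": "svc_admin", "result": "ok", "host": "DB-01", "logon_type": 3},
        {"kind": "auth", "user": "svc_admin", "result": "ok", "host": "FILESRV", "logon_type": 3},
        {"kind": "auth", "user": "jdoe", "result": "ok", "host": "RES-PC07", "logon_type": 2},
    ]
)


def hunt_stages(events):
    """Step 1: map events onto the adversary's generic behaviour chain, per host."""
    stages = defaultdict(set)
    for ev in events:
        kind = ev["kind"]
        if kind == "proc" and ev["parent"] in OFFICE_APPS and ev["image"] in SCRIPT_HOSTS:
            stages[ev["host"]].add("upload_code")        # document spawned a script host
        elif (kind == "net" and ev["image"] in SCRIPT_HOSTS
              and not ev["dest"].startswith(INTERNAL_PREFIXES)):
            stages[ev["host"]].add("c2_channel")         # script host talking outbound
        elif kind == "reg" and any(k in ev["key"].lower() for k in PERSISTENCE_KEYS):
            stages[ev["host"]].add("survive_reboot")     # autostart persistence written
    return dict(stages)


def lateral_movement(auth_events):
    """Step 2: flag accounts whose logon behaviour deviates from a normal user's."""
    failures = defaultdict(int)
    targets = defaultdict(set)
    for ev in auth_events:
        if ev["result"] == "fail":
            failures[ev["user"]] += 1
        elif ev["logon_type"] in (3, 10):                # network / RDP logons only
            targets[ev["user"]].add(ev["host"])
    findings = {}
    for user in set(failures) | set(targets):
        burst = failures[user] >= LOGON_FAIL_THRESHOLD   # the lockout-style alert
        spread = len(targets[user]) >= LATERAL_HOST_THRESHOLD
        if burst or spread:
            findings[user] = {"failed_logons": failures[user],
                              "hosts": sorted(targets[user]),
                              "burst": burst, "spread": spread}
    return findings


def containment_list(stages, lateral):
    """Step 3: hosts to isolate: full chain seen, plus hosts a spreading account reached."""
    hosts = {h for h, seen in stages.items() if FULL_CHAIN <= seen}
    for finding in lateral.values():
        if finding["spread"]:
            hosts.update(finding["hosts"])
    return sorted(hosts)


if __name__ == "__main__":
    stages = hunt_stages(EVENTS)
    lateral = lateral_movement(AUTH_EVENTS)
    print("stages:", stages)
    print("lateral:", lateral)
    print("isolate:", containment_list(stages, lateral))
```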
Incident Preparation, Detection & Response Program
Incident Readiness
How will you prepare for the attacks?
Incident Readiness Program: Plan, Train, Test, Hunt
Penetration Testing: Application, Networks, Social Engineering, Red Team
Threat Hunting / MDR: Breach Assessments, Identity Hunting, Real-time response, Cyber Threat Intel
Incident Response: Forensics, Reverse engineering, Root Cause Analysis, Network Remediation
• Incident Readiness is not a collection of products
• Incident Readiness is an organized, holistic, and systematic approach designed to rapidly:
  – Prevent
  – Identify
  – Respond
  – Remediate
Incident Readiness Program
Preparedness with Guaranteed Coverage
• An Incident Readiness Program prepares corporations to respond to the inevitable attacks
• A Managed IRP provides a 24/7 global expert response, ready to respond on the client's behalf
• Flexible IRP hours allow guaranteed ROI – IR Retainers should be more than an insurance policy
• 4 hour remote SLA – 24 hour onsite SLA (if required)
• Programs are customized to client requirements
• Long-term partnerships allow for improved capabilities and cooperation over time
• Dedicated consultants enable intimate corporate knowledge, supported by a global team of experts
IRP – Project Phases
Flexible program, catered to the Client's needs
• Readiness & Detection Assessment: current state of readiness and develop roadmap to IR maturity
• Incident Response Plan: map roles & responsibilities for various emergencies
• IR Team Development & Training: IR, computer forensics, & malware analysis courses
• Table Top Exercises: instructor led situational group exercises
• Identity Hunting: clandestine Darknet research for client specific intel (a.k.a. targeted threat research)
• Attack Simulation / Cyber wargames: live fire exercises to test IR capability
• Proactive Threat Hunting: endpoint & traffic analysis to identify active network threats
• IR Retainer: 24/7 team of global experts ready to respond on a moment's notice
Breach Assessment Threat Hunting
Answer the essential question: Is your network compromised?
• 1 – 3 month engagement to identify any malicious activity on your network
• Security best practices support an annual threat hunt to identify unknown attackers inside the network
• Mergers & Acquisitions: connecting to any unknown network requires a Breach Assessment
• Threat hunt focuses on endpoints, network log data, and memory analytics – powered by SpiderLabs cyber threat intelligence
• Immediate visibility and threat hunting across all global endpoints leveraging threat intel, behavioral analytics, and AI
• Partnered with industry-leading EDR technologies, CounterTack and Carbon Black
Managed Detection and Response
Comprehensive endpoint visibility, every action tracked, immediate IR & Remediation
• Constant visibility & threat hunting for countless endpoints across the globe
• All system activity tracked, automated AI hunting, real time IR and remediation
• Immediate threat intel generation and enterprise threat hunting capability
Speed Matters
Detection to remediation time essential to impact reduction
• Every second an attacker is on your network, he is looking to move laterally and capture your golden secrets
• No retainer in place
  – Provider selection, contract negotiations, NDA, payment, travel time
  – Average time to respond 8 days
• IRP retainer in place
  – Expert (SpiderLabs?) responder on-call 24/7
  – 4 hour remote / 24 hour onsite global SLA
• MDR + Retainer
  – Constant proactive threat hunting
  – Immediate remote IR – many steps automated
  – Analysis occurs concurrent to responder travel time
  – Response & remediation time is minutes, not days
[Chart: Time to Respond for No Retainer vs. Retainer vs. MDR + Retainer (axis 0 to 9)]
Advanced Breach Detection & Response – Case Study
Strictly confidential – Do not distribute
Layered Detection and Response
Day in the Life
KEYS TO SUCCESS:
1. The Right People
2. Standard Processes
3. Leveraged Technology
Threat Manager
Tier 1 – Threat Analysts: console monitoring; take action; 5-7 minutes on average per alert
Tier 2 – Advanced Analysis / Response: deep investigation; tuning and mitigation; 30 minutes on average per alert
Tier 3 – Network Hunter, Endpoint Hunter, Malware Hunter, Threat Intel: malware reverser; data pivot and trend; industry alert; threat hunting
SpiderLabs Cyber Threat Intelligence
The real secret sauce
Trustwave Threat Intelligence
SL-PT: CREATE
• OSX Skype Backdoor (12/16)
• Bopup Server Remote Buffer Overflow (11/16)
• Linux Kernel Bypass Technique (3/16)
SL-RES: ANALYZE
• Malware family discoveries: Punkey, Alina, Backoff…
• Exploit Kit Tracking: RIG, Neutrino, Angler, etc.
• Global Botnet Tracking: Conficker, ZeroAccess, etc.
SL-IR: INVESTIGATE
• Deep dive breach investigations yield libraries of IoCs
• Actor tracking & attribution: Carbanak (2016-17)
• Threat briefs and community education
SL-TO: ASSIMILATE
• External and internal threat intel assimilation: Cymru, CB, Homeland Security, VirusTotal, Emerging Threats, etc.
• Telco Partnerships
• Continual hunting and triage response
Response & Hunting in Action – Case Study
Customer: 150+ luxury hotels, Next-Gen Firewalls, Threat Prevention, MDR, IRP, Endpoint protection, strong & layered security
Tier 1 Alert – Excessive login attempts lead to Admin Accounts lockout
Tier 2 Escalation – Log / MDR review identifies lateral movement and active malware
Tier 3 Escalation – Reservation agent socially engineered to open malicious Word document. Attacker escalated privileges, shut down antivirus, enabled RDP and targeted customer PII and payment card data.
Remediation – Backdoors closed & security recommendations implemented
MDR Hunting – Attack profile generated. Carbanak attribution, hunt for IoCs identified dozens of attacker backdoors
Enterprise Hunting – Intel fueled threat hunt across MSS enterprise. Multiple attempts identified, all attacks stopped at initial stages. Threat Brief helped external victims identify compromise
CARBANAK – TIMELINE OF MAJOR EVENTS
A short but impactful history
2013-2015: Great Bank Heist
June 2016: Russia Arrests 50
July 2016: Oracle / Micros Attack
Q2 2016 - Present: Operation Grand Mars
Optional: How Trustwave SpiderLabs identified Russian Cyber Mafia and inspired a major international federal investigation
INFILTRATION
Beyond Spear-Phishing
• Email from Adam Kronz (adamkroz@rbx.email)
• Accompanied by direct phone call to reservation agent
• Back-story researched via social media
• Used fictitious company URL and website
• Microsoft Word attachment contains malicious macros and downloads evil .vbs scripts
GOOGLE CLOUD ENABLED MALWARE INTERACTION
Dynamic updates with no direct attacker interaction
• Malware configurations, scripts, and attack parameters updated on-the-fly via Google Docs
• Extremely difficult to block HTTP traffic to the public cloud
• Google and Pastebin cloud receive exfiltrated data
• Bot status and remote control monitored via Google
LINKS TO CARBANAK
Clear connections across attack campaigns
• Retrieves Anunak-named config file
• IFOBS banking module remains in this malware variant
• Known command and control servers:
  – 148.251.18.75
  – 95.215.46.221
  – 95.215.46.229
  – 95.215.46.234
  – 81.17.28.124
LEGITIMATE DIGITAL CERTIFICATES
Digital certificates industry in question
• Binary digital signatures are designed to verify the legitimacy of binaries
• July 2016 - Carbanak acquired proper certificates for their malware from Comodo
• 2 Russian shell companies were used: Forsajt Ynvest & Grand Mars
ATTRIBUTION INVESTIGATION
304 malicious Carbanak domains registered to williamdanielson@yahoo.com & 1066569215 or 1066549216 US or Chinese contact numbers
cubehost.biz registered under the same contact numbers to Artyom Tveritinov of Perm, Russia
Cubehost.biz is linked to Russian security firm "InfoKube". Infokube.ru was registered to atveritinov@gmail.com. Artyom Tveritinov is the CEO
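The attribution chain above is a pivot over shared registration attributes: domains sharing a registrant email or phone, then the hosting domain sharing those contacts, then the firm sharing the registrant's identity. The breadth-first pivot below is an added example, not Trustwave's tooling, and runs over constructed records rather than the real WHOIS data; the pivot fields and the hop bound are assumptions, and the hop bound is there because each extra hop is a weaker inference.

```python
from collections import defaultdict, deque

# Constructed registration records for illustration only (not the real WHOIS data
# behind the investigation). Values use reserved example domains and dummy numbers.
RECORDS = [
    {"domain": "mal-1.example", "email": "reg@example.net", "phone": "+1-000-000-0001"},
    {"domain": "mal-2.example", "email": "reg@example.net", "phone": "+1-000-000-0002"},
    {"domain": "host-co.example", "email": "owner@example.org", "phone": "+1-000-000-0002"},
    {"domain": "firm.example", "email": "owner@example.org", "phone": "+1-000-000-0009"},
    {"domain": "unrelated.example", "email": "x@example.com", "phone": "+1-000-000-0099"},
]
PIVOT_FIELDS = ("email", "phone")   # assumed attributes worth pivoting on


def build_index(records):
    """Index every contact attribute to the set of domains registered with it."""
    index = defaultdict(set)
    for rec in records:
        for field in PIVOT_FIELDS:
            index[(field, rec[field])].add(rec["domain"])
    return index


def pivot(records, seeds, max_hops=2):
    """Breadth-first pivot from seed domains over shared contact attributes.

    Returns {domain: (hops, link)} where link names the attribute that joined
    the domain to the cluster, so every inference in the chain is explainable.
    """
    index = build_index(records)
    by_domain = {rec["domain"]: rec for rec in records}
    found = {d: (0, "seed") for d in seeds}
    queue = deque(seeds)
    while queue:
        dom = queue.popleft()
        hops = found[dom][0]
        if hops >= max_hops:
            continue                      # stop expanding: longer chains are weaker links
        for field in PIVOT_FIELDS:
            value = by_domain[dom][field]
            for nxt in index[(field, value)]:
                if nxt not in found:
                    found[nxt] = (hops + 1, f"{field}={value}")
                    queue.append(nxt)
    return found


if __name__ == "__main__":
    for domain, (hops, link) in sorted(pivot(RECORDS, ["mal-1.example"], 3).items()):
        print(f"{domain:20} hop {hops} via {link}")
```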
INFOKUBE STILL OPEN FOR BUSINESS
• InfoKube has officially denied all involvement with the Carbanak attacks
• CEO Artyom Tveritinov has deleted all social media accounts
Probably a good idea to vet your security provider…
Operation Grand Mars – Links to Report
Link to the Operation Grand Mars report referenced in this presentation:
https://www2.trustwave.com/Operation-Grand-Mars.html
THANK YOU

Contenu connexe

Tendances

Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
ReZa AdineH
 

Tendances (20)

What We’ve Learned Building a Cyber Security Operation Center: du Case Study
What We’ve Learned Building a Cyber  Security Operation Center: du Case  StudyWhat We’ve Learned Building a Cyber  Security Operation Center: du Case  Study
What We’ve Learned Building a Cyber Security Operation Center: du Case Study
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)
 
Security Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMESecurity Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SME
 
Threat Hunting vs. UEBA: Similarities, Differences, and How They Work Together
Threat Hunting vs. UEBA: Similarities, Differences, and How They Work Together Threat Hunting vs. UEBA: Similarities, Differences, and How They Work Together
Threat Hunting vs. UEBA: Similarities, Differences, and How They Work Together
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
 
Global Cyber Threat Intelligence
Global Cyber Threat IntelligenceGlobal Cyber Threat Intelligence
Global Cyber Threat Intelligence
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report
 
SIEM and Threat Hunting
SIEM and Threat HuntingSIEM and Threat Hunting
SIEM and Threat Hunting
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1
 
SOC Cyber Security
SOC Cyber SecuritySOC Cyber Security
SOC Cyber Security
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You Are
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellence
 
Cyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersCyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down Intruders
 
Cyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metricsCyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metrics
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation center
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
 
Threat Intelligence
Threat IntelligenceThreat Intelligence
Threat Intelligence
 

Similaire à Threat Hunting - Moving from the ad hoc to the formal

SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)
Norm Barber
 

Similaire à Threat Hunting - Moving from the ad hoc to the formal (20)

Your cyber security webinar
Your cyber security webinarYour cyber security webinar
Your cyber security webinar
 
Your cyber security webinar
Your cyber security webinarYour cyber security webinar
Your cyber security webinar
 
RMS Security Breakfast
RMS Security BreakfastRMS Security Breakfast
RMS Security Breakfast
 
Critical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You BuyCritical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You Buy
 
Today's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItToday's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About It
 
"Navigate the MDR Marketplace Like a Pro!"
 "Navigate the MDR Marketplace Like a Pro!" "Navigate the MDR Marketplace Like a Pro!"
"Navigate the MDR Marketplace Like a Pro!"
 
The Business Benefits of Threat Intelligence Webinar
The Business Benefits of Threat Intelligence WebinarThe Business Benefits of Threat Intelligence Webinar
The Business Benefits of Threat Intelligence Webinar
 
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS NetworksLessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
 
Advantage Technology - Ransomware and the NIST Cybersecurity Framework
Advantage Technology - Ransomware and the NIST Cybersecurity FrameworkAdvantage Technology - Ransomware and the NIST Cybersecurity Framework
Advantage Technology - Ransomware and the NIST Cybersecurity Framework
 
Applied cognitive security complementing the security analyst
Applied cognitive security complementing the security analyst Applied cognitive security complementing the security analyst
Applied cognitive security complementing the security analyst
 
Security Operations and Response
Security Operations and ResponseSecurity Operations and Response
Security Operations and Response
 
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
 
SecurityOperations
SecurityOperationsSecurityOperations
SecurityOperations
 
Cisco Connect 2018 Malaysia - Cisco incident response services-strengthen you...
Cisco Connect 2018 Malaysia - Cisco incident response services-strengthen you...Cisco Connect 2018 Malaysia - Cisco incident response services-strengthen you...
Cisco Connect 2018 Malaysia - Cisco incident response services-strengthen you...
 
Cyber security series advanced persistent threats
Cyber security series   advanced persistent threats Cyber security series   advanced persistent threats
Cyber security series advanced persistent threats
 
SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)
 
Security Breakout Session
Security Breakout Session Security Breakout Session
Security Breakout Session
 
Application Hackers Have A Handbook. Why Shouldn't You?
Application Hackers Have A Handbook. Why Shouldn't You?Application Hackers Have A Handbook. Why Shouldn't You?
Application Hackers Have A Handbook. Why Shouldn't You?
 
Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032
 
New Horizons SCYBER Presentation
New Horizons SCYBER PresentationNew Horizons SCYBER Presentation
New Horizons SCYBER Presentation
 

Plus de Priyanka Aash

Plus de Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Dernier

Dernier (20)

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

Threat Hunting - Moving from the ad hoc to the formal

  • 1. Incident Response and Threat Hunting Sachin Deodhar SpiderLabs Incident Response & Readiness at Trustwave
  • 2. ©2017 Trustwave Holdings, Inc. Cybercrime Motivations Why this problem is NOT going away • Trustwave Global Security Report research shows 1,425% Return on Investment • Estimated ROI for a one-month ransomware campaign • Based on Trustwave SpiderLabs research into underground markets • One example: $5,900 investment = $84,100 profit
  • 3. ©2017 Trustwave Holdings, Inc. Video – The Cybercrime Underground How it really works
  • 4. ©2017 Trustwave Holdings, Inc. BEST DEFENSE IS A GOOD OFFENSE Build on a solid foundation, but don’t rest on it. • This is a maturing model that requires progression from an investment of capital and resources. • Organizations need to maximize data collection from the beginning in order for Active Defense and Intelligence to be most effective. ARCHITECTURE PASSIVE DEFENSE ACTIVE DEFENSE INTELLIGENCE OFFENSE Security Policy, Systems Design, Network architecture, system maintenance address vulnerabilities. Examples: • Application • Database • Layering • Hardening • AD/DNS Added to design to provide defense or insight against threats without consistent human interaction. Examples: • IDS • Firewall • Endpoint Activities related to active monitoring for threats, responding to them, and providing that to the internal environment. Examples • SIEM • 24x7 SOC • IR • Pen Testing Collecting data, exploiting it into information, comparing competing intel, and producing actionable intelligence. Examples • Threat Hunting • Identity Hunting Legal countermeasures and self-defense actions against an adversary. Examples • C&C • Engaging Law Enforcement
  • 5. ©2017 Trustwave Holdings, Inc. THREAT DETECTION CONTINUUM Where are you….and where are your adversaries?
  • 6. ©2017 Trustwave Holdings, Inc. THE THREAT HUNT CHALLENGE Hunting 101 Evasion techniques still have patterns. Adversaries will continue to change their patterns and Threat hunting must do the same: 1) Adapt to changes in behaviors and learn how the adversaries work. An advanced adversary will target a system, upload code, create a C2 channel, and survive a reboot. Although the specific methods of doing this are always changing, the general behavior patterns are the same. 2) Watch all behaviors of the adversary, including known good, known bad and unknown or unclassified behaviors. Looking for anomalies that deviate from normal behavior can help detect unknown or previously unseen hostile activity. 3) Contain and control the damage by identifying attackers lateral movements and remove systems This is less about spotting malware and more about identifying hostile behavior and containing that behavior fast. Threat hunting is the intersection of cyber threat intelligence, analyst expertise, and artificial intelligence.
  • 7. ©2016 Trustwave Holdings, Inc. Incident Preparation, Detection & Response Program
  • 8. ©2017 Trustwave Holdings, Inc. Incident Readiness How will you prepare for the attacks? • Breach Assessments • Identity Hunting • Real-time response • Cyber Threat Intel • Forensics • Reverse engineering • Root Cause Analysis • Network Remediation • Application • Networks • Social Engineering • Red Team • Plan • Train • Test • Hunt Incident Readiness Program Penetration Testing Threat Hunting / MDR Incident Response • Incident Readiness is not a collection of products • Incident Readiness is an organized, holistic, and systematic approach designed to rapidly: – Prevent – Identify – Respond – Remediate
  • 9. ©2017 Trustwave Holdings, Inc. Incident Readiness Program • An Incident Readiness Program prepares corporations to respond to the inevitable attacks • A Managed IRP provides a 24/7 global expert response, ready to respond on the client’s behalf • Flexible IRP hours allow guaranteed ROI – IR Retainers should be more than an insurance policy • 4 hour remote SLA – 24 hour onsite SLA (If required) • Programs are customized to client requirements • Long-term partnerships allow for improved capabilities and cooperation over time • Dedicated consultants enable intimate corporate knowledge but supported by a global team of experts Preparedness with Guaranteed Coverage
  • 10. ©2017 Trustwave Holdings, Inc. IRP – Project Phases
    Flexible program, catered to the Client’s needs
    • Readiness & Detection Assessment: assess the current state of readiness and develop a roadmap to IR maturity
    • Incident Response Plan: map roles & responsibilities for various emergencies
    • IR Team Development & Training: IR, computer forensics, & malware analysis courses
    • Table Top Exercises: instructor-led situational group exercises
    • Identity Hunting: clandestine darknet research for client-specific intel (aka targeted threat research)
    • Attack Simulation / Cyber Wargames: live-fire exercises to test IR capability
    • Proactive Threat Hunting: endpoint & traffic analysis to identify active network threats
    • IR Retainer: 24/7 team of global experts ready to respond at a moment’s notice
  • 11. ©2017 Trustwave Holdings, Inc. Breach Assessment Threat Hunting
    Answer the essential question: Is your network compromised?
    • 1 – 3 month engagement to identify any malicious activity on your network
    • Security best practices support an annual threat hunt to identify unknown attackers inside the network
    • Mergers & Acquisitions: connecting to any unknown network requires a Breach Assessment
    • Threat hunt focuses on endpoints, network log data, and memory analytics – powered by SpiderLabs cyber threat intelligence
    • Immediate visibility and threat hunting across all global endpoints leveraging threat intel, behavioral analytics, and AI
    • Partnered with industry-leading EDR technologies, CounterTack and Carbon Black
  • 12. ©2017 Trustwave Holdings, Inc. Managed Detection and Response
    Comprehensive endpoint visibility, every action tracked, immediate IR & remediation
    • Constant visibility & threat hunting for countless endpoints across the globe
    • All system activity tracked, automated AI hunting, real-time IR and remediation
    • Immediate threat intel generation and enterprise threat hunting capability
  • 13. ©2017 Trustwave Holdings, Inc. Speed Matters
    Detection to remediation time is essential to impact reduction
    • Every second an attacker is on your network, he is looking to move laterally and capture your golden secrets
    • No retainer in place
      – Provider selection, contract negotiations, NDA, payment, travel time
      – Average time to respond: 8 days
    • IRP retainer in place
      – Expert (SpiderLabs?) responder on-call 24/7
      – 4 hour remote / 24 hour onsite global SLA
    • MDR + Retainer
      – Constant proactive threat hunting
      – Immediate remote IR – many steps automated
      – Analysis occurs concurrent with responder travel time
      – Response & remediation time is minutes, not days
    [Chart: Time to Respond for No Retainer, Retainer, and MDR + Retainer; axis 0–9]
  • 14. ©2016 Trustwave Holdings, Inc. Advanced Breach Detection & Response – Case Study
  • 15. Strictly confidential – Do not distribute
    Layered Detection and Response – Day in the Life
    KEYS TO SUCCESS: 1. The Right People 2. Standard Processes 3. Leveraged Technology
    Roles: Threat Manager; Threat Analysts; Advanced Analysis / Response
    Tier 1: • Console monitoring • Take action • 5-7 minutes on average per alert
    Tier 2: • Deep investigation • Tuning and mitigation • 30 minutes on average per alert
    Tier 3: • Malware reverser • Data pivot and trend • Industry alert • Threat hunting
    Hunters: Network Hunter, Endpoint Hunter, Malware Hunter, Threat Intel
  • 16. SpiderLabs Cyber Threat Intelligence
    The real secret sauce: Trustwave Threat Intelligence
    SL-PT: CREATE
    • OSX Skype Backdoor (12/16)
    • Bopup Server Remote Buffer Overflow (11/16)
    • Linux Kernel Bypass Technique (3/16)
    SL-RES: ANALYZE
    • Malware family discoveries: Punkey, Alina, Backoff…
    • Exploit kit tracking: RIG, Neutrino, Angler, etc.
    • Global botnet tracking: Conficker, ZeroAccess, etc.
    SL-IR: INVESTIGATE
    • Deep dive breach investigations yield libraries of IoCs
    • Actor tracking & attribution: Carbanak (2016-17)
    • Threat briefs and community education
    SL-TO: ASSIMILATE
    • External and internal threat intel assimilation: Cymru, CB, Homeland Security, VirusTotal, Emerging Threats, etc.
    • Telco partnerships
    • Continual hunting and triage response
  • 17. Response & Hunting in Action – Case Study
    Customer: 150+ luxury hotels; Next-Gen Firewalls, Threat Prevention, MDR, IRP, Endpoint protection; strong & layered security
    Tier 1 Alert – Excessive login attempts lead to admin account lockouts
    Tier 2 Escalation – Log / MDR review identifies lateral movement and active malware
    Tier 3 Escalation – Reservation agent socially engineered to open a malicious Word document. Attacker escalated privileges, shut down antivirus, enabled RDP and targeted customer PII and payment card data.
    Remediation – Backdoors closed & security recommendations implemented
    MDR Hunting – Attack profile generated. Carbanak attribution; hunt for IoCs identified dozens of attacker backdoors
    Enterprise Hunting – Intel-fueled threat hunt across the MSS enterprise. Multiple attempts identified, all attacks stopped at initial stages. Threat brief helped external victims identify compromise
  • 18. ©2017 Trustwave Holdings, Inc. CARBANAK – TIMELINE OF MAJOR EVENTS
    A short but impactful history
    • 2013-2015: Great Bank Heist
    • June 2016: Russia arrests 50
    • July 2016: Oracle / Micros attack
    • Q2 2016 - Present: Operation Grand Mars
  • 19. ©2016 Trustwave Holdings, Inc. Optional: How Trustwave SpiderLabs identified Russian Cyber Mafia and inspired a major international federal investigation
  • 20. ©2017 Trustwave Holdings, Inc. INFILTRATION
    Beyond Spear-Phishing
    • Email from Adam Kronz (adamkroz@rbx.email)
    • Accompanied by direct phone call to reservation agent
    • Back-story researched via social media
    • Used fictitious company URL and website
    • Microsoft Word attachment contains malicious macros and downloads evil .vbs scripts
  • 21. ©2017 Trustwave Holdings, Inc. GOOGLE CLOUD ENABLED MALWARE INTERACTION
    Dynamic updates with no direct attacker interaction
    • Malware configurations, scripts, and attack parameters updated on-the-fly via Google Docs
    • Extremely difficult to block HTTP traffic to the public cloud
    • Google and Pastebin cloud receive exfiltration data
    • Bot status and remote control monitored via Google
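Since blocking HTTP to Google Docs or Pastebin outright is rarely an option, one defensive angle is to hunt for the behaviour instead: fixed-interval check-ins and large uploads to those domains. The Python below is an added example (not code from the deck or from Trustwave) run over constructed proxy log lines; the log format, thresholds and host names are assumptions.

```python
"""Beacon and exfiltration hunt for C2 hidden in public-cloud HTTP traffic
(Google Docs / Pastebin, as on the slide). Proxy log lines are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

WATCHED = {"docs.google.com", "pastebin.com"}
# Constructed proxy log (assumed format): time host method domain request_bytes
PROXY_LOG = """\
2017-03-01T09:00:00Z ws-042 GET docs.google.com 512
2017-03-01T09:05:01Z ws-042 GET docs.google.com 515
2017-03-01T09:09:58Z ws-042 GET docs.google.com 510
2017-03-01T09:15:02Z ws-042 GET docs.google.com 512
2017-03-01T09:20:00Z ws-042 GET docs.google.com 511
2017-03-01T09:25:03Z ws-042 GET docs.google.com 513
2017-03-01T09:12:40Z ws-042 POST pastebin.com 2400000
2017-03-01T09:03:10Z ws-009 GET docs.google.com 900
2017-03-01T09:31:44Z ws-009 GET docs.google.com 1200
2017-03-01T10:02:05Z ws-009 GET docs.google.com 800
2017-03-01T10:02:15Z ws-009 GET docs.google.com 4000
2017-03-01T11:45:00Z ws-009 GET docs.google.com 700
2017-03-01T12:50:30Z ws-009 GET docs.google.com 650
"""

def parse(log):
    """Yield (timestamp, host, method, domain, bytes) per log line."""
    for line in log.splitlines():
        ts, host, method, domain, nbytes = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, method, domain, int(nbytes)

def hunt(log, min_hits=5, max_jitter=0.15, upload_limit=1_000_000):
    """Return {host: [reasons]} for hosts whose cloud traffic looks like C2 or exfil."""
    times, uploads = defaultdict(list), defaultdict(int)
    for ts, host, method, domain, nbytes in parse(log):
        if domain not in WATCHED:
            continue
        times[(host, domain)].append(ts)
        if method == "POST":
            uploads[(host, domain)] += nbytes
    findings = defaultdict(list)
    for (host, domain), ts_list in times.items():
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        # Periodic check-ins have a tight interval distribution: low std/mean.
        if len(gaps) + 1 >= min_hits and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < max_jitter:
            findings[host].append(f"beacon to {domain} every ~{round(mean(gaps))}s")
    for (host, domain), total in uploads.items():
        if total >= upload_limit:
            findings[host].append(f"{total} bytes uploaded to {domain}")
    return dict(findings)
```

Human-driven browsing (ws-009) has irregular gaps and is left alone; the regular five-minute check-ins and the multi-megabyte paste from ws-042 are what a hunter would pivot on.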
  • 22. ©2017 Trustwave Holdings, Inc. LINKS TO CARBANAK
    Clear connections across attack campaigns
    • Retrieves Anunak-named config file
    • IFOBS banking module remains in this malware variation
    • Known command and control servers:
      – 148.251.18.75
      – 95.215.46.221
      – 95.215.46.229
      – 95.215.46.234
      – 81.17.28.124
  • 23. ©2017 Trustwave Holdings, Inc. LEGITIMATE DIGITAL CERTIFICATES
    Digital certificates industry in question
    • Binary digital signatures are designed to verify the legitimacy of binaries
    • July 2016 - Carbanak acquired proper certificates for their malware from Comodo
    • 2 Russian shell companies were used: Forsajt Ynvest & Grand Mars
  • 24. ©2017 Trustwave Holdings, Inc. ATTRIBUTION INVESTIGATION
    • 304 malicious Carbanak domains registered to williamdanielson@yahoo.com & 1066569215 or 1066549216 (US or Chinese contact numbers)
    • cubehost.biz registered under the same contact numbers to Artyom Tveritinov of Perm, Russia
    • Cubehost.biz is linked to Russian security firm "InfoKube". Infokube.ru was registered to atveritinov@gmail.com. Artyom Tveritinov is the CEO
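The pivot on this slide (attack domains, shared registrant contacts, a hosting domain, a company site) can be run mechanically over WHOIS records. The Python below is an added example, not from the deck or Trustwave's investigation; it uses constructed placeholder registrant records and assumed field names, and returns the chain of shared attributes that links two domains.

```python
"""WHOIS pivoting, the attribution technique on the slide: domains that share a
registrant e-mail or phone are linked, and a chain of such links is the evidence
trail from attack domains to an operator. All records below are constructed."""
from collections import defaultdict, deque

# Constructed registrant data (placeholders, not the deck's real identifiers).
WHOIS = {
    "c2-a.example":      {"email": "reg@mail.example", "phone": "+1-000-000-0001"},
    "c2-b.example":      {"email": "reg@mail.example", "phone": "+1-000-000-0002"},
    "host-shop.example": {"email": "sales@host.example", "phone": "+1-000-000-0002"},
    "firm-site.example": {"email": "sales@host.example", "phone": "+7-000-000-0009"},
    "bakery.example":    {"email": "info@bakery.example", "phone": "+44-000-000-0003"},
}

def build_graph(records, keys=("email", "phone")):
    """Adjacency: domain -> {neighbour: attribute that links the two}."""
    by_value = defaultdict(list)
    for domain, attrs in records.items():
        for k in keys:
            if attrs.get(k):
                by_value[(k, attrs[k])].append(domain)
    graph = defaultdict(dict)
    for (k, _), domains in by_value.items():
        for a in domains:
            for b in domains:
                if a != b:
                    graph[a].setdefault(b, k)   # keep the first attribute found
    return graph

def pivot_path(records, start, target):
    """Shortest chain of (domain, shared_attribute, domain) hops, or [] if unlinked."""
    graph = build_graph(records)
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for nxt, attr in graph[node].items():
            if nxt not in prev:
                prev[nxt] = (node, attr)
                queue.append(nxt)
    if target not in prev:
        return []
    hops, node = [], target
    while prev[node]:
        parent, attr = prev[node]
        hops.append((parent, attr, node))
        node = parent
    return hops[::-1]
```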
  • 25. ©2017 Trustwave Holdings, Inc. INFOKUBE STILL OPEN FOR BUSINESS
    Probably a good idea to vet your security provider…
    • InfoKube has officially denied all involvement with the Carbanak attacks
    • CEO Artyom Tveritinov has deleted all social media accounts
  • 26. ©2017 Trustwave Holdings, Inc. Operation Grand Mars – Links to Report Link to the Operation Grand Mars report referenced in this presentation: https://www2.trustwave.com/Operation-Grand-Mars.html

Editor's notes

  1. Types of damage caused by cyber threats include: theft of identity, credit cards, intellectual property; spoofing transaction processes such as wire transfers or access credentials; business disruption from DDoS; criminal extortion; destruction (Saudi Aramco, Sony); influencing business decisions (Sony, OPM); weapons proliferation (Stuxnet, Duqu, Flame); criminal exploitation (Ashley Madison).
  2. In order to effectively defend your organization, you must think about the offensive strategy as well. But before we get ahead of ourselves, let’s talk briefly about the building blocks of a good offense. First is an architecture that is built around a security policy that is aligned with the business risk. Risk must be understood and a cookie-cutter approach must be avoided here because, again, every organization is different and so are their risks. Layered on that architecture is passive defense, which is where the traditional security products would reside; the key for this stage is minimal human interaction, but clearly without the set-it-and-forget-it mentality, again reinforced by the security policy. Now we move on to being more proactive and actively defending: utilizing a SIEM to help with data collection and presentation to a 24x7 monitoring team that is augmented with an incident response team to identify the areas of compromise, which includes reverse engineering malware to identify how passive defenses and architecture did not detect the malware. Building off an active defense, we must infuse everything with intelligence and begin to go on missions to find the threats that have circumvented all controls and defenses thus far. These are the unknown or undetected threats, not simply the “missed” threats as many times perceived. There are two facets to hunting: identify the threats against your organization and identify threats in your organization. Both aspects must be covered.
I’ll leave you with a good non-technical example of this. As an Atlanta Falcons fan and Atlantan, many of you probably witnessed the greatest comeback story from Tom Brady and the Patriots... As amazing as that story is, the bigger question that all analysts were answering on Monday morning was, “How did the Falcons lose with that big of a lead?” Besides some amazing math and analysts that did calculations to determine the probability of it happening, it could be summarized best with “The Falcons forgot to play offense when they were up by 25 pts.” So the question you should ask is, “Did you forget to play offense and have faith only in your defense?”
  3. So what types of services should an organization look at to be more on the offense? To understand this I want to walk through the threat continuum, which highlights that when greater visibility is achieved, so is greater analytics and investigation. What I see is that companies typically start with compliance-focused tools and services. There is low visibility and investigation capability here, but it meets most regulatory requirements and shows their organizational maturity in security. As organizations mature they begin to invest in threat monitoring, which would be part of the active defense category. This is the table-stakes area for threat detection; I would even consider this to be the minimum area to begin in an enterprise threat detection program. The area all organizations should be investing in, or have a roadmap to, is the green area, focused on high visibility, analytics, and investigation. This is where Intelligence and Offense can increase your organization’s threat detection and, most importantly, protection by leveraging security orchestration. Breaking down a few specifics in the green, we see two areas of threat hunting, an endpoint approach as well as a network-based approach. It’s an 80-20 mix between the two of them. Also part of the hunting category is identity hunting, which is comprised of actively looking for your adversaries via social media, forums, and the dark web specifically. You must be actively seeking information that would allow you to better protect your organization. This is how you get proactive and don’t wait till they try to deploy that specially crafted compromise.
  4. The key challenge to threat hunting is that our adversaries are constantly changing their behavior; however, there are patterns that we can be aware of and look for. We know that an attacker is going to target systems, upload code, create a command and control channel, and ensure they can survive a reboot. This is a consistent behavior we can include in our hunts. We then must look for anomalies that deviate from normal behavior; that is where tools like UEBA can be highly effective, as they can help detect unknown or previously unseen hostile activity. And last, we must look for lateral movements. When we find infected systems, we remove them immediately. I included a summary checklist that we use when conducting hunts for our clients. Key here is that this is less about spotting malware and more about identifying hostile behavior and containing that behavior as quickly as possible.
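The Hunting 101 slide and this note describe the same chain: target a system, upload code, create a C2 channel, survive a reboot, then move laterally. As an added example, not code from the deck or from Trustwave, the Python below correlates constructed endpoint telemetry per host against that chain; the C2 addresses are those listed on the Links to Carbanak slide, while the host names, file paths, registry keys and event schema are assumptions.

```python
"""Hunt for the behaviour chain from the slides: code dropped, persistence that
survives a reboot, a C2 channel, then lateral movement. Telemetry is constructed."""
from collections import defaultdict

# Known C2 addresses listed on the "Links to Carbanak" slide.
KNOWN_C2 = {"148.251.18.75", "95.215.46.221", "95.215.46.229",
            "95.215.46.234", "81.17.28.124"}
OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}  # macro-capable droppers
PERSIST_KEYS = ("\\CurrentVersion\\Run", "\\Services\\", "\\Schedule\\TaskCache\\")

# Constructed endpoint telemetry (assumed schema): (host, event_type, details)
EVENTS = [
    ("ws-042", "file_write", {"path": r"C:\Users\agent\AppData\Local\Temp\upd.exe", "by": "winword.exe"}),
    ("ws-042", "reg_set",    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"}),
    ("ws-042", "net_conn",   {"dst": "95.215.46.229", "port": 443}),
    ("ws-042", "logon",      {"dst_host": "ws-017", "user": "svc_backup"}),
    ("ws-042", "logon",      {"dst_host": "ws-021", "user": "svc_backup"}),
    ("ws-042", "logon",      {"dst_host": "srv-res1", "user": "svc_backup"}),
    ("ws-117", "file_write", {"path": r"C:\Program Files\Vendor\update.exe", "by": "msiexec.exe"}),
    ("ws-117", "net_conn",   {"dst": "52.10.0.7", "port": 443}),
]

def stage_of(event_type, d):
    """Map one record to a chain stage, or None when it looks like normal activity."""
    if event_type == "file_write" and "\\Temp\\" in d["path"] and d["by"].lower() in OFFICE:
        return "upload_code"          # Office process dropping an executable into Temp
    if event_type == "reg_set" and any(k in d["key"] for k in PERSIST_KEYS):
        return "survive_reboot"       # autorun / service / scheduled-task persistence
    if event_type == "net_conn" and d["dst"] in KNOWN_C2:
        return "c2_channel"           # intel hit on a known C2 address
    return None

def hunt(events, fanout=3):
    """Per host, the chain stages seen; logons to >= fanout hosts add lateral movement."""
    stages, targets = defaultdict(set), defaultdict(set)
    for host, etype, d in events:
        stage = stage_of(etype, d)
        if stage:
            stages[host].add(stage)
        if etype == "logon":
            targets[host].add(d["dst_host"])
    for host, dsts in targets.items():
        if len(dsts) >= fanout:
            stages[host].add("lateral_movement")
    return {h: sorted(s) for h, s in stages.items() if s}

def contain_first(findings):
    """Hosts showing the full drop/persist/C2 chain: isolate these first (slide step 3)."""
    full = {"upload_code", "survive_reboot", "c2_channel"}
    return sorted(h for h, s in findings.items() if full <= set(s))
```

The vendor installer on ws-117 writes an executable and talks to the internet too, but matches no stage; scoring the chain rather than any single event is what keeps the hunt focused on hostile behavior instead of malware look-alikes.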
  5. I’ve talked about active defense, offense, and now hunting, so the question that must be addressed is: how do we successfully hunt? First let’s break hunting down into two categories, automated and manual. So how do we get from manual to automated? Manual is expensive as well as time consuming. Manual hunting requires a high level of skills, which we know are in short supply in the market. Manual also isn’t scalable across all threats, many of which are imminent. We want to automate the collection and presentation of the data to the greatest extent possible for the hunt. So looking at the Hunting Maturity Model, we first begin with basic automated alerting, which again comes from that compliance-focused mentality and basic active defense. Then we incorporate threat intel indicators into our searches, and move into data analysis procedures for the hunters that were previously created. Next, if we identify a new threat that wasn’t previously covered, we create new data analysis procedures. Once these 4 steps are complete we move on to automation, where we automate the majority of the successful data analysis and our hunters can focus on the results. To recap, the key objectives of a successful hunt are focused goals, limiting the searches, constantly improving based on feedback, automating, and of course measuring your success.