Artifacts Are for Archaeologists: Why Hunting for Malware Isn't Enough
Spoiler Alert: It's because attackers can (and do) abuse legitimate software, administrative tools, and scripting environments that are considered benign and are not flagged by traditional antivirus software. If attackers can use legitimate software to carry out their nefarious activity, how do you catch them? It's simple: look for the behavior.
LightCyber's Behavioral Attack Detection platform detects and highlights the network behaviors of attackers who have penetrated the perimeter. This provides visibility that allows security teams to locate and eradicate network intruders quickly, regardless of which tools the attackers use to achieve their goals. With LightCyber's Network-to-Process Association technology, attacker behaviors can be traced back to the exact process that originated them.
We will discuss the top tools that have been detected and associated with attacker behavior inside LightCyber customer environments, all of which are legitimate software. There will also be an overview of how LightCyber Magna works.
Mark Overholser has been a lifelong technology enthusiast and made his passion his career. After many years at a multi-billion-dollar medical supply manufacturer and distributor, using technology to achieve business goals, he started to wonder what sorts of controls were in place to make sure technology would only do good, not harm. One thing led to another, and he became one of the first members of the new information security team. After working hard to grow the team and build the information security practice, he left to take a breather and now works to help information security teams everywhere understand threats and get the most out of their defensive technologies.
@NTXISSA #NTXISSACSC4
Current Limitations

Traditional Security (Known Bad; Agents & Signatures)
§ Signatures, IoCs, Packet Signatures, Domains, Sandbox Activity
§ Block, or Miss
§ Necessary, Not Sufficient
Problems:
• Too Many False Alarms / False Positives
• Missed Variants / False Negatives
• Only Detect Malware-Based Attacks

What's Needed (Learned Good; Agentless & Signature-less)
§ Learn What is Good [Baseline]
§ Detect What Isn't [Anomaly]
§ Catch What Slips Through the Cracks of Traditional Security
Benefits:
• Eliminates Zero-Day Exploit Dilemma
• Hundreds of Opportunities to Detect
• Applicable to All Techniques & Stages
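The baseline-then-anomaly loop on this slide, applied to process-attributed network flows as the abstract describes, as an added example. This is illustrative code written for this page, not LightCyber Magna's implementation (the slides do not describe its internals). It assumes an endpoint sensor has already attributed each flow to the process that opened the socket, so the Network-to-Process Association is taken as given; the host names, process names, addresses, thresholds and flow records are all constructed for the demo.

```python
"""Learn what is good per (host, process), then alert on what deviates.

Added example for this page, not LightCyber code. Assumes flow records
already carry the originating process (sensor-side attribution). All
sample data below is constructed; thresholds are arbitrary demo values.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")          # assumed corporate range
ADMIN_PORTS = {22, 445, 3389, 5985}          # SSH, SMB, RDP, WinRM: lateral-movement channels
SCAN_THRESHOLD = 4                           # new internal peers per process before calling it recon
EXFIL_FACTOR = 10                            # upload must exceed the baseline maximum by this factor


@dataclass(frozen=True)
class Flow:
    host: str
    process: str        # image name the sensor attributed the socket to
    dst: str
    dport: int
    bytes_out: int


def learn_baseline(flows):
    """Profile each (host, process): peers contacted, ports used, largest upload seen."""
    base = {}
    for f in flows:
        p = base.setdefault((f.host, f.process), {"peers": set(), "ports": set(), "max_out": 0})
        p["peers"].add(f.dst)
        p["ports"].add(f.dport)
        p["max_out"] = max(p["max_out"], f.bytes_out)
    return base


def detect(baseline, flows):
    """Return (category, host, process, detail) for flows that deviate from the baseline."""
    alerts = []
    new_internal_peers = defaultdict(set)    # per (host, process), peers never seen in baseline
    for f in flows:
        key = (f.host, f.process)
        prof = baseline.get(key, {"peers": set(), "ports": set(), "max_out": 0})
        internal = ip_address(f.dst) in INTERNAL
        new_peer = f.dst not in prof["peers"]

        # Recon: a process fanning out to many internal hosts it never talked to before.
        if internal and new_peer and f.dst not in new_internal_peers[key]:
            new_internal_peers[key].add(f.dst)
            if len(new_internal_peers[key]) == SCAN_THRESHOLD:
                alerts.append(("Recon", f.host, f.process, f"{SCAN_THRESHOLD} new internal peers"))

        # Lateral: an admin protocol this process has no history of using.
        if internal and f.dport in ADMIN_PORTS and f.dport not in prof["ports"]:
            alerts.append(("Lateral", f.host, f.process, f"{f.dst}:{f.dport}"))

        # C&C: an external destination on a port this process never used.
        if not internal and new_peer and f.dport not in prof["ports"]:
            alerts.append(("C&C", f.host, f.process, f"{f.dst}:{f.dport}"))

        # Exfilt: an upload far above anything this process sent during learning.
        if not internal and prof["max_out"] and f.bytes_out > EXFIL_FACTOR * prof["max_out"]:
            alerts.append(("Exfilt", f.host, f.process, f"{f.bytes_out} bytes to {f.dst}"))
    return alerts


# Constructed learning-period flows: mail client to an internal server, browser to two sites.
BASELINE_FLOWS = [
    Flow("ws01", "outlook.exe", "10.1.1.5", 443, 200),
    Flow("ws01", "outlook.exe", "10.1.1.5", 443, 300),
    Flow("ws01", "chrome.exe", "203.0.113.10", 443, 5000),
    Flow("ws01", "chrome.exe", "203.0.113.11", 443, 8000),
]

# Constructed detection-period flows: a legitimate tool (powershell.exe) doing attacker work.
LIVE_FLOWS = [
    Flow("ws01", "chrome.exe", "203.0.113.12", 443, 4000),        # new site, usual port: benign
    Flow("ws01", "powershell.exe", "10.1.2.20", 135, 100),        # RPC endpoint-mapper sweep...
    Flow("ws01", "powershell.exe", "10.1.2.21", 135, 100),
    Flow("ws01", "powershell.exe", "10.1.2.22", 135, 100),
    Flow("ws01", "powershell.exe", "10.1.2.23", 135, 100),        # ...4th new peer -> Recon
    Flow("ws01", "powershell.exe", "10.1.2.23", 445, 500),        # SMB from a shell -> Lateral
    Flow("ws01", "powershell.exe", "198.51.100.7", 8443, 1000),   # unknown external -> C&C
    Flow("ws01", "chrome.exe", "203.0.113.10", 443, 900000),      # 100x usual upload -> Exfilt
]


def run_demo():
    """Learn from BASELINE_FLOWS, then score LIVE_FLOWS; returns the alert list."""
    return detect(learn_baseline(BASELINE_FLOWS), LIVE_FLOWS)


if __name__ == "__main__":
    for category, host, process, detail in run_demo():
        print(f"{category:7} {host} {process:15} {detail}")
```

Note what is not alerted: chrome.exe reaching a site it has never visited, on the port it always uses, is ordinary browsing and stays silent. The signal comes from a process doing something it has no history of, not from any signature on the process itself, which is why the same logic fires on powershell.exe here and would fire equally on psexec, wmic or any other legitimate tool an attacker picks up. Real baselines are learned per host and process over weeks, with thresholds tuned per environment rather than the fixed demo values above.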
Reporting: Alert Activity, Triage Activity & SLA, Asset View, and More

LightCyber Magna Attack Detection Report (sample figures as shown on the slide)
Reporting Period: 1/0/1900 - 1/0/1900
Number of days: 1
Total Alerts for Period: 0
Average # Alerts per day: 0.00
Total Alerts handled: 5
Unverified average handling time (days): 2.54
Suspicious average handling time (days): 10.78
Confirmed average handling time (days): 12.47

[Chart: Alerts Triage and Handling, Suspicious vs. Unverified counts; values not recoverable from the slide text]
[Chart: Alert Types and Categories: C&C 20%, Exfilt 10%, Lateral 10%, Malware 20%, Recon 40%]
[Chart: Alerts Categories / Alerts Handling & Accuracy: 45%, 11%, 33%, 11% with legend Relevant and Handled, Whitelisted, Ignored, Still Open; slice-to-value pairing not recoverable from the slide text]
[Chart: Alert Handling Time (days), Confirmed / Suspicious / Unverified by outcome (Normal Resolved, Whitelisted, Normal Archived); values not recoverable from the slide text]
[Chart: Alert Handling by Analyst: arnold and jenny, 40% / 60%]
The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)
NTX ISSA Cyber Security Conference – October 7-8, 2016
Thank you