Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
•
2 j'aime•437 vues
Presentation from the North Texas ISSA July 2015 Lunch and Learn meeting: Advanced Threat Hunting
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
En vedette
En vedette (20)
Similaire à Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
Similaire à Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck (20)
Plus de North Texas Chapter of the ISSA
Plus de North Texas Chapter of the ISSA (20)
Dernier
Dernier (15)
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
- 1. ©2014 Bit9. All Rights Reserved Advanced Threat Hun/ng: Iden%fy and Track Zero-‐Day A3acks Infiltra%ng Your Organiza%on Jus/n Falck, Technical Product Manager – Carbon Black Bit9 + Carbon Black July 16th, 2015
- 2. Background Threat Landscape Advanced Threats • What are they? • Zero-‐Days • Why Advanced Threats might not be what you think they are • Living off the Land (“Outsider-‐Insider”) Hun/ng • What do you hunt? • How do you hunt? • RelaQonships MaTer! Wrap-‐Up & Takeaways Agenda
- 3. Quick Background Check www.linkedin.com/in/jus/nfalck jfalck@bit9.com 2007 – 2013: Central Intelligence Agency 2013 – 2015: Goldman Sachs Threat Management Center -‐ Irving, TX 2015 – Present: Bit9 + Carbon Black Technical Product Manager -‐ CB
- 4. The Evolving Threat Landscape Criminal Enterprises • Broad-‐based and targeted aTacks • Financially moQvated • Geang more sophisQcated Hac/vists • Targeted and destrucQve aTacks • Unpredictable moQvaQons • Generally less sophisQcated Na/on-‐States • Targeted and mulQ-‐stage aTacks • MoQvated by informaQon and IP • Highly sophisQcated, limitless resources
- 6. Endless Stream of Data Breaches Source: InformaQon is BeauQful, www.informaQonisbeauQful.net, January 2015
- 7. DON’T OVERCOMPLICATE THE THREAT THREAT MODEL: 1: OPPORTUNISTIC 2: NOT
- 8. Opportunis=c threats sell our computers. Goal: breadth of access. “Advanced” threats sell our data. Goal: precision of access.
- 9. Tradi/onal Defenses Were Designed for Opp. AZacks OPPORTUNISTIC ADVANCED Goal for aTacker is to compromise as few endpoints as possible Goal for aTacker is to compromise as many endpoints as possible Hosts Compromised Time Hosts Compromised Time DETECTION THRESHOLD DETECTION THRESHOLD Signature available Signature available (if ever)
- 10. “Zero-‐Days” “Zero-‐Day” is a term typically used to refer to two different scenarios: • Zero-‐Day Vulnerability: vulnerability is unknown or fix/patch is not yet available – “Non-‐Pub”: exploit an unknown vulnerability • Zero-‐Day Malware: malware that is unknown; signatures are not available
- 11. So how “advanced” are the techniques and payloads being used?
- 12. “The (Target) malware utilized is ABSOLUTELY UNSOPHISTICATED and UNINTERESTING” -McAfee Business Week, March 13, 2014
- 13. But once they’re in… However they get in, we need to find them! Faster detec/on means: • Shorter dwell Qme • Smaller scope for your incident response • Less damage to your business What do they do once they’re in?
- 14. They oben “Live off the Land” (and blend in)
- 15. Living off the Land Living Off the Land: the aZacker uses built-‐in tools so there are very few new executables. The aZacker typically needs to do the following: • Execute code: – Crack/Dump/Guess/Obtain Valid CredenQals » See this with Backoff POS Malware • Copy Data: – UQlize tools like robocopy, xcopy, cmd.exe to gather data – UQlize “known good” tools for compression or use scripts • Exfil Data: – mp.exe, net.exe, Visual Basic script to control IE for POSTing data • Manipulate: – Download something not malicious but that will trip up detecQon – When Admin logs in, credenQals, keystrokes, etc., are captured and used • Persist: – Compromise or Add more user and system accounts – Login to backup servers, staging servers, less noQceable parts of your enterprise – Create scheduled jobs that will run and re-‐add accounts, communicate out, etc.
- 16. Living off the Land (cont’d) More Things to Consider: • PowerShell is TOO Powerful – Execute from remote URL – Basically anything you would ever want to write code for, you can do with powershell, so as an adversary, I can really do some damage (powersploit, etc) • Use Internal C2 Sites: – Use blog comments and/or wiki to give your stuff new commands so there is no outside communicaQons • Use Well-‐Known Social Networking and File-‐sharing Sites: – TwiTer (bots) – Dropbox – Google Drive – Facebook – < Insert Social Site Here > • Find hardcoded creden/als, re-‐use same password across an enterprise, Single-‐Sign-‐ On design flaws, etc.
- 17. In Other Words… THEY ARE NOW INSIDERS! BETTER DEFENSE AGAINST THIS… LEADS TO BETTER DEFENSE AGAINST TRUE INSIDERS!
- 18. So, back to Hun/ng…
- 19. Is Your Environment Like This?
- 20. Or This?
- 21. What do you Hunt? Do you know what you’re looking for? Do they have to be advanced? • Are you running vulnerable somware? Is it likely to be compromised? • Have you hardened your systems, have you reduced surface area? • Do you have shared passwords, plain-‐text credenQals, etc? • If you have too much entropy or very few standards, hunQng will be DIFFICULT • Then again, it is rarely “easy” What do the bad guys need to do? • Execute • Communicate • Grab Data • Steal/Add CredenQals • Persist
- 22. Which comes first… Detection or Collection? By priori=zing collec=on over detec=on you can: (1) HUNT MORE EFFECTIVELY!!! (2) Rapidly find root cause (3) Quickly & confidently reconstruct =melines (4) Accelerate Discovery (determine scope) (5) Benefit from hindsight (evolve)
- 23. Some Ideas… § Are abnormal user accounts being used? § Do windows processes (lsass, svchost, csrss) have strange parents? § Are IE, Acrobat, Word, Notepad, etc., spawning child processes? § Are Office Applica/ons making outbound connec/ons? § Is Java spawning command shells? § Is cmd.exe running as system? § Are user accounts being added locally? § Are thousands of files being modified by a single process? § Is bp or robocopy being used? § Are processes execu/ng that don’t have a .exe or .scr extension?
- 24. Back to the Basics… § Are you recording every command line used by net.exe and looking for abnormali/es? § Are you watching when PowerShell.exe is used? § Are you mapping user account ac/vity to hosts to look for abnormal logins? § Are you …. <INSERT LOTS OF STUFF “TO DO” HERE>
- 25. “Response is the closest thing we have in IT to dogfigh/ng” -‐ Bruce Schneier, Blackhat 2014 Keynote
- 26. Time is the dominant parameter. The pilot who goes through the OODA cycle in the shortest time prevails because his opponent is caught responding to situations that have already changed. Col John Boyd 1966 Observe Orient Decide Act
- 27. Modern IR view Ac/onable Endpoint Visibility Tradi/onal IR view Events + Intelligence With no insight into known bad, how can they pick the needles out of their data collecQon haystack? Events + Intelligence + Prevalence Without understanding prevalence, how can they prioriQze detecQon events to accelerate threat discovery? Events + Intelligence + Prevalence + Rela/onships Without maintaining the recorded relaQonships, how do they quickly scope any impacted endpoints and lateral movement? Events Most organizaQons only have a staQc view of their business and the data they manage to collect What’s more ac/onable? ? svchost.exe ran svchost.exe was spawned by unsigned binary under abnormal user account and made a network connecQon
- 28. The very nature of threat hun%ng requires the human element In IT, we hire staff to support technology In security opera%ons, we buy technology to support staff Invest in tools that enable humans to make quick decisions
- 29. 1 2 3 Hun/ng Tips Collect the RIGHT Data Neslow data and firewall logs can help, but if you aren’t seeing what is execuQng and what is changing on your systems, you will not have as much hunQng success. You need to hunt where the adversaries live! Incorporate Reputa/on and Classifica/on Informa/on When you’re hunQng, you should not have to spend Qme manually checking the reputaQon of a binary or website, as that greatly slows down your ability to conQnue to the hunt. Being able to quickly say things are known good, known Bad is key, as is the ability to say if it is part of a parQcular campaign or aTack. Analyze RELATIONSHIPS RelaQonships are key to being able to detect abnormal behavior. Sure, the adversary lives off the land, but they’re sQll going to do unusual things with the exisQng tools available to them. 4 Automate as much as possible! When you know what is normal, you should be able to be alerted when acQvity occurs outside of what is normal. And you should be able to automate this. You should also automate reputaQon and classificaQon informaQon retrieval, and automate discovery.
- 30. TAKE-‐AWAYS
- 31. Take-‐Aways Think about how you might hunt advanced threats Can internal tools be used against you? Do you have proper context? Can you tell the FBI whether or not you’ve seen the IOCs they just sent you? Compare current behavior vs. older methods vs. “next-‐ gen” Enable your humans to do some hunQng Are you focused on root cause?
- 32. Thank You! jfalck@bit9.com www.linkedin.com/in/jus/nfalck