端點威脅態勢感知 Endpoint Threat Situational Awareness
I © 2017 Carbon Black. All Rights Reserved. I CONFIDENTIAL
Bernie Png, Senior Security Engineer, APJ

32 slides. Posted 07-Jun-2020.

TRANSCRIPT

Page 1

端點威脅態勢感知

Endpoint Threat Situational Awareness

Bernie Png – Senior Security Engineer, APJ

Page 2

A Look Back at 2017 (timeline, JAN to DEC)

• Cloudbleed
• TSA
• Shadow Brokers (NSA leak)
• Cellebrite
• Handbrake
• WannaCry
• DocuSign
• OneLogin
• Vault 7&8 (CIA leak)
• 198 Million Voter Records
• NotPetya
• Verizon
• Virgin America
• BadRabbit
• Equifax
• SEC
• Deloitte
• Spectre
• Meltdown

Page 3

The Evolving Threat Landscape

MALWARE ATTACKS: KNOWN · UNKNOWN · RANSOM · OBFUSCATED

NON-MALWARE ATTACKS: MEMORY · MACROS · REMOTE LOGIN · POWERSHELL

48% OF BREACHES USE MALWARE

52% OF BREACHES ARE NON-MALWARE

Source: 2017 Carbon Black Threat Report

Page 4

Daily Attacks

AN ORGANIZATION WITH 10,000 ENDPOINTS IS SEEING APPROXIMATELY 1,000 ATTACKS PER DAY.

Page 5

[Figure] Source: RAND / Juniper

Page 6

[Figure] Ransom Money Paid to Attackers

Page 7

"Typical time-to-compromise continues to be measured in minutes, while time-to-discovery remains in weeks or months."

Verizon Data Breach Report 2017

Page 8

MEAN TIME TO IDENTIFY BREACH BY ROOT CAUSE: 214 DAYS

MEAN TIME TO CONTAIN BREACH BY ROOT CAUSE: 77 DAYS

Source: Ponemon Institute 2017 Cost of Data Breach Study, sponsored by IBM

Page 9

Attackers have gotten smarter and more sophisticated

They have found ways to achieve their goals without deploying malware

This is a big change in the way attacks are conducted – and therefore the way you need to defend against them

Page 10

<attack /> The adversary's malware pipeline (diagram)

Attacker writes malicious code → specialized malware compiler (√ Anti-signaturing, √ Anti-reverse eng, √ Anti-debugging, √ Anti-sandboxing) → raw malware repository (100 million malware files) → screen out detected files with multiple AV engines @ 99% effectiveness → zero-day arsenal (1 million malware files)

1. The Adversary Automates

2. The Adversary Outsources

3. The Adversary Adapts

Attack types shown: KNOWN MALWARE · OBFUSCATED MALWARE · UNKNOWN MALWARE · SCRIPTING ATTACKS · POWERSHELL · RANSOMWARE · MEMORY ATTACKS · REMOTE LOGIN · MACROS

Page 11

WHY THREAT HUNT?

01. PROACTIVELY STOP ATTACKS OTHERWISE MISSED

02. EVERY ATTACK MAKES THE NEXT ATTACK HARDER

Page 12

SO, WHAT IS THREAT HUNTING…

Page 13

THREAT HUNTING: THE LOW DOWN

WHAT IT IS

• Proactive & iterative search for attacks

• Informed by knowledge of your environment

• Often hypothesis based

• Know the battlefield

WHAT IT IS NOT

• Installing tools and waiting for alerts

• Simple indicators of compromise

• Incident Response & Forensics

• Acquiring or analyzing threat intel

[Figure labels: Threat Intelligence, Network, Security Intelligence]

Page 14

KEY BUILDING BLOCKS TO DRIVE THREAT HUNTING

Human Threat Hunter: Objectives > Hypotheses > Expertise

• Search & Visualisation

• Enrichment

• Data

• Automation

Ref: The Who, What, Where, When, Why and How of Effective Threat Hunting, SANS Feb 2016

Page 15

DEVELOPING A STRATEGY (cycle)

• REDUCE ATTACK SURFACE

• ESTABLISH VISIBILITY

• THREAT HUNTING

• ROOT CAUSE

• INFORM CONTROLS

Page 16

ATTACKS OFTEN “LIVE OFF THE LAND” (AND BLEND IN)

Page 17

THE ATTACK CYCLE (diagram)

Recon & Weaponize · Stealth · Gaining Access · Escalating Privileges · System Browsing · Tool Installation · Additional Discovery

Targets: Users · Web Apps · Vulnerabilities · Networks

ACCESS - ANALYSIS - STAGING - EXFILTRATION - PERSISTENCE

Page 18

KNOWING WHEN TO HUNT?

• When you read about an attack/breach

• When you encounter something odd

• When conducting proactive SecOps

• When you come across new research

Page 19

EXECUTING AGAINST A PLAN

PREPARATION

- Determine Priorities

- Asset/Network Review

- What’s Normal

HUNTING / INVESTIGATION

- Define a Scope

- Gather & Analyze

- Expand Investigation

ADVERSARY REMOVAL

- Kill Process

- Quarantine system

- Repair

REPORT

- Executive Report

- Scope & Timeline

- Root Cause

Page 20

THE HUNT PROCESS

STARTING THE HUNT: search on suspicion (ex: PowerShell); filter out legitimate activity

REFINING THE HUNT: deeper investigation (in seconds); find suspicious activity

ROOT CAUSE ANALYSIS: discover malicious activity; scope the attack

RESPONSE: remediate the threat

CONTINUOUS IMPROVEMENT: update defenses

Pages 21-24

MAKING THE NEXT ATTACK HARDER (diagram built up over four slides)

Many Attackers & Attack Types → Prevent → Detect & Respond → Successful Attack (X marks on the diagram)

Slide 22: WE NEED TO FOCUS ON WHAT’S HAPPENING EARLIER IN THE ATTACK PROCESS

Slide 23: VISIBILITY

Slide 24: VISIBILITY and ROOT CAUSE added to the diagram

Page 25

TYPICAL DATA SOURCES

Threat intelligence: attacker, known relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution

Network: where they went, who talked to whom, attack transmitted, abnormal traffic, malware download

Endpoint: what process is running (malicious, abnormal, etc.), process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility

Access/Identity: access level, privileged users, likelihood of infection, where they might be in kill chain

Sources listed on the slide:

• Third-party threat intel

• Open-source blacklist

• Internal threat intelligence

• Endpoint

• Malware detection

• Application Assets

• DHCP

• OS logs

• Patching

• Active Directory

• LDAP

• CMDB

• Operating system

• Database

• VPN, AAA, SSO

• Firewall, IDS, IPS

• DNS

• Email

• Web proxy

• NetFlow

• Network

Page 26

SOME IDEAS TO GET STARTED

• Command shells establishing network connections (WMI, CMD, PowerShell)?

• Remote server/network administration tools on non-administrator systems?

• Office documents invoking new processes or spawning command shells?

• Flash or Java spawning command shells?

• Deviations in normal behavior of administrator accounts?

• Creation of new accounts locally or on domain?

• Windows processes (lsass, svchost, csrss) with strange parents?
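The hunting hypotheses above, and the "search on suspicion, then filter out legitimate activity" loop from the hunt-process slide, as an added example that is not part of the deck: a hypothesis-driven sweep over endpoint process events. The event fields, hostnames, user names and the sample events are constructed for illustration; the expected-parent table covers only the three Windows processes the slide names.

```python
# Added example (not from the slides): hypothesis-driven hunt over endpoint process events.
# Event fields, hostnames, users and the sample events are constructed for illustration.
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    user: str
    parent: str              # parent image name, lower-case
    image: str               # process image name, lower-case
    netconn: bool = False    # did this process open an outbound network connection?


SHELLS = {"cmd.exe", "powershell.exe", "wmic.exe"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
PLUGINS = {"flashplayer.exe", "java.exe", "javaw.exe"}
# Expected parents for the core Windows processes named on the slide; any other parent
# is worth a closer look.
EXPECTED_PARENT = {"lsass.exe": {"wininit.exe"},
                   "csrss.exe": {"smss.exe"},
                   "svchost.exe": {"services.exe"}}


def hunt(events):
    """Return (hypothesis, event) pairs for every event that matches a hunting hypothesis."""
    hits = []
    for e in events:
        if e.image in SHELLS and e.netconn:
            hits.append(("shell with network connection", e))
        if e.parent in OFFICE and e.image in SHELLS:
            hits.append(("office document spawning shell", e))
        if e.parent in PLUGINS and e.image in SHELLS:
            hits.append(("flash/java spawning shell", e))
        expected = EXPECTED_PARENT.get(e.image)
        if expected and e.parent not in expected:
            hits.append(("system process with strange parent", e))
    return hits


# Constructed sample: a scheduled-task PowerShell run with no network activity is the
# legitimate activity that falls out; the Word-spawned shell and mis-parented svchost stay.
SAMPLE = [
    ProcEvent("ws-01", "alice", "explorer.exe", "winword.exe"),
    ProcEvent("ws-01", "alice", "winword.exe", "powershell.exe", netconn=True),
    ProcEvent("ws-02", "bob", "services.exe", "svchost.exe"),
    ProcEvent("ws-02", "bob", "explorer.exe", "svchost.exe"),
    ProcEvent("srv-03", "svc_backup", "taskeng.exe", "powershell.exe"),
]

if __name__ == "__main__":
    for hyp, e in hunt(SAMPLE):
        print(f"{e.host}: {hyp}: {e.parent} -> {e.image} (user {e.user})")
```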

Page 27

CONTINUOUS RECORDING & CENTRALIZED STORAGE

CONTINUOUS RECORDING: WATCH AND RECORD EVERYTHING, UNFILTERED

• Copy of every executed binary

• Network connections

• File executions

• File modifications

• Cross-process events

• Registry modifications

CENTRALIZED STORAGE: REPUTATION · PREVALENCE · RELATIONSHIPS · SCANNING

• Find root cause

• Know impact of attack

• See attack patterns

• Understand full scope

• High performance

• Apply limitless threat intel

• 24/7 access to all activity

• Integrate with other data

Page 28

[Screenshot] Attacker adds a user to the infected machine. Callouts: Username; System IP Address; Actions & Activities of processes; Process in Focus.

Page 29

[Screenshot] Attacker covering their tracks; Lateral Movement.

Page 30

[Screenshot] Different endpoint: mapping a drive using the added user credentials from the first infected machine. Callouts: Elevated User; Process in Focus.
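The walk-through on slides 28 to 30 (an account added on the first infected machine, then used from it to map a drive on a different endpoint) is the kind of cross-host scoping continuous recording makes possible. The following is an added example, not the vendor's code: it correlates the process event that created a local account with the first logon of that account against a different host. The event shape, hostnames, account name and timestamps are constructed.

```python
# Added example (not from the slides): correlate a local account creation on one endpoint
# with that account's use against a different endpoint. Event shape, hosts, account
# name and timestamps are constructed for illustration.
import re
from collections import namedtuple

# kind "proc": detail is the command line; kind "logon": detail is (user, source_host)
Event = namedtuple("Event", "ts host kind detail")

# "net user <name> [password] /add" (net.exe or net1.exe), the pattern shown on slide 28
NET_USER_ADD = re.compile(r"net1?(?:\.exe)?\s+user\s+(\S+)(?:\s+\S+)?\s+/add", re.IGNORECASE)


def new_accounts(events):
    """Map username -> (ts, host) of the earliest process event that created it."""
    created = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind != "proc":
            continue
        m = NET_USER_ADD.search(e.detail)
        if m and m.group(1).lower() not in created:
            created[m.group(1).lower()] = (e.ts, e.host)
    return created


def lateral_use(events):
    """Return (user, created_on, used_from, target, ts) for each logon with a freshly
    created account whose target host differs from the host that created the account."""
    created = new_accounts(events)
    findings = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind != "logon":
            continue
        user, source = e.detail
        rec = created.get(user.lower())
        if rec and e.ts > rec[0] and e.host != rec[1]:
            findings.append((user, rec[1], source, e.host, e.ts))
    return findings


SAMPLE = [  # constructed; ts is seconds since epoch
    Event(1000, "ws-01", "proc", "net user helpdesk2 /add"),
    Event(1001, "ws-01", "proc", "net localgroup administrators helpdesk2 /add"),
    Event(1200, "ws-01", "logon", ("helpdesk2", "ws-01")),   # local use, not lateral
    Event(1300, "fs-02", "logon", ("helpdesk2", "ws-01")),   # drive mapped from ws-01
    Event(1400, "ws-09", "logon", ("alice", "ws-09")),       # unrelated, pre-existing user
]

if __name__ == "__main__":
    for f in lateral_use(SAMPLE):
        print("account %s created on %s, used from %s against %s at %d" % f)
```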

Page 31

THREAT HUNTING: KEY POINTS

• Puts you in the front row seat of the attack

• Doesn’t have to “break the bank” – requires the right data

• Proactively and iteratively searches for attacks

• Makes a difference – stops breaches, improves posture

Page 32

www.CarbonBlack.com