Endpoint Threat Situational Awareness
Bernie Png – Senior Security Engineer, APJ
© 2017 Carbon Black. All Rights Reserved. | CONFIDENTIAL
A Look Back at 2017
Timeline of notable incidents, January to December 2017: Cloudbleed, TSA, Shadow Brokers (NSA leak), Cellebrite, Handbrake, WannaCry, DocuSign, OneLogin, Vault 7 & 8 (CIA leak), 198 million voter records, NotPetya, Verizon, Virgin America, BadRabbit, Equifax, SEC, Deloitte, Spectre, Meltdown.
The Evolving Threat Landscape
Malware attacks: known, unknown, ransom, obfuscated
Non-malware attacks: memory, macros, remote login, PowerShell
48% of breaches use malware; 52% of breaches are non-malware.
Source: 2017 Carbon Black Threat Report
Daily Attacks
An organization with 10,000 endpoints is seeing approximately 1,000 attacks per day.
(Chart slide; source: RAND / Juniper)
Ransom Money Paid to Attackers
(Chart slide)
"Typical time-to-compromise continues to be measured in minutes, while time-to-discovery remains in weeks or months." – Verizon Data Breach Report 2017
Mean time to identify breach, by root cause: 214 days
Mean time to contain breach, by root cause: 77 days
Source: Ponemon Institute, 2017 Cost of Data Breach Study, sponsored by IBM
Attackers have gotten smarter and more sophisticated
They have found ways to achieve their goals without deploying malware
This is a big change in the way attacks are conducted – and therefore the way you need to defend against them
<attack />
How the adversary builds an arsenal (diagram):
Attacker writes malicious code → 1 million malware files → specialized malware compiler (√ anti-signaturing, √ anti-reverse engineering, √ anti-debugging, √ anti-sandboxing) → 100 million malware files → raw malware repository → screen out detected files (multiple AV engines @ 99% effectiveness) → zero-day arsenal
1. The Adversary Automates
2. The Adversary Outsources
3. The Adversary Adapts
Resulting attack types: known malware, obfuscated malware, unknown malware, ransomware, scripting attacks, PowerShell, memory attacks, remote login, macros
WHY THREAT HUNT?
01. Proactively stop attacks otherwise missed
02. Every attack makes the next attack harder
SO, WHAT IS THREAT HUNTING…
THREAT HUNTING: THE LOW DOWN
WHAT IT IS
• Proactive & iterative search for attacks
• Informed by knowledge of your environment
• Often hypothesis based
• Know the battlefield
WHAT IT IS NOT
• Installing tools and waiting for alerts
• Simple indicators of compromise
• Incident Response & Forensics
• Acquiring or analyzing threat intel
(Diagram labels: Threat Intelligence, Network, Security Intelligence)
KEY BUILDING BLOCKS TO DRIVE THREAT HUNTING
Human Threat Hunter: Objectives > Hypotheses > Expertise
Supporting blocks: Search & Visualisation, Enrichment, Data, Automation
Ref: The Who, What, Where, When, Why and How of Effective Threat Hunting, SANS, Feb 2016
DEVELOPING A STRATEGY
Cycle: Reduce attack surface → Establish visibility → Threat hunting → Root cause → Inform controls
ATTACKS OFTEN “LIVE OFF THE LAND” (AND BLEND IN)
THE ATTACK CYCLE
Stages: Recon & Weaponize → Gaining Access → Escalating Privileges → System Browsing → Tool Installation → Additional Discovery (diagram label: Stealth)
Targets: Users, Web Apps, Vulnerabilities, Networks
Phases: ACCESS – ANALYSIS – STAGING – EXFILTRATION – PERSISTENCE
KNOWING WHEN TO HUNT
• When you read about an attack or breach
• When you encounter something odd
• When conducting proactive SecOps
• When you come across new research
EXECUTING AGAINST A PLAN
PREPARATION
- Determine Priorities
- Asset/Network Review
- What's Normal
HUNTING
- Define a Scope
- Gather & Analyze
INVESTIGATION
- Expand Investigation
ADVERSARY REMOVAL
- Kill Process
- Quarantine System
- Repair
REPORT
- Executive Report
- Scope & Timeline
- Root Cause
THE HUNT PROCESS
STARTING THE HUNT: Search on suspicion (ex: PowerShell) → Filter out legitimate activity → Find suspicious activity
REFINING THE HUNT: Deeper investigation (in seconds) → Discover malicious activity
ROOT CAUSE ANALYSIS: Scope the attack
RESPONSE: Remediate the threat
CONTINUOUS IMPROVEMENT: Update defenses
MAKING THE NEXT ATTACK HARDER
(Diagram built up over four slides: Many Attackers & Attack Types → Prevent → Detect & Respond → Successful Attack, with X marks on the diagram.)
WE NEED TO FOCUS ON WHAT'S HAPPENING EARLIER IN THE ATTACK PROCESS
VISIBILITY
ROOT CAUSE
TYPICAL DATA SOURCES
Threat intelligence
  What it tells you: attacker, known relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution
  Feeds: third-party threat intel; open-source blacklist; internal threat intelligence
Network
  What it tells you: where they went, who talked to whom, attack transmitted, abnormal traffic, malware download
  Feeds: firewall, IDS, IPS; DNS; web proxy; NetFlow; network
Endpoint
  What it tells you: what process is running (malicious, abnormal, etc.); process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility
  Feeds: endpoint; malware detection; application assets; DHCP; OS logs; patching
Access/Identity
  What it tells you: access level, privileged users, likelihood of infection, where they might be in the kill chain
  Feeds: Active Directory; LDAP; CMDB; operating system; database; VPN, AAA, SSO
SOME IDEAS TO GET STARTED
• Command shells establishing network connections (WMI, CMD, PowerShell)?
• Remote server/network administration tools on non-administrator systems?
• Office documents invoking new processes or spawning command shells?
• Flash or Java spawning command shells?
• Deviations in normal behavior of administrator accounts?
• Creation of new accounts locally or on the domain?
• Windows processes (lsass, svchost, csrss) with strange parents?
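Several of the starting hypotheses above, together with the "search on suspicion, then filter out legitimate activity" loop from the hunt process slide, run over constructed endpoint process telemetry. This is an added example, not Carbon Black's code or part of the original deck; the event fields, the expected-parent baseline, the process-name sets and the allowlisted management agent are assumptions to be tuned to a real environment.

```python
from dataclasses import dataclass

SHELLS = {"cmd.exe", "powershell.exe", "wmic.exe"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
PLUGINS = {"flashplayer.exe", "java.exe", "javaw.exe"}
# Baseline of where core Windows processes should come from (assumed; tune to your environment).
EXPECTED_PARENT = {"lsass.exe": {"wininit.exe"}, "svchost.exe": {"services.exe"},
                   "csrss.exe": {"smss.exe"}}
# "Filter out legitimate activity": (parent, child) pairs already explained by known tooling.
# mgmt_agent.exe is a hypothetical placeholder for an approved management agent.
ALLOWLIST = {("mgmt_agent.exe", "powershell.exe")}


@dataclass
class Proc:
    host: str
    name: str          # image name of the process
    parent: str        # image name of its parent process
    netconns: int = 0  # outbound network connections recorded for this process


def hunt(events):
    """Return (rule, host, parent, child) tuples, one per hypothesis a process matches."""
    hits = []
    for e in events:
        child, parent = e.name.lower(), e.parent.lower()
        if (parent, child) in ALLOWLIST:
            continue  # refining the hunt: drop activity known to be legitimate
        if child in SHELLS and e.netconns > 0:
            hits.append(("shell_with_netconn", e.host, parent, child))
        if parent in OFFICE and child in SHELLS:
            hits.append(("office_spawns_shell", e.host, parent, child))
        if parent in PLUGINS and child in SHELLS:
            hits.append(("plugin_spawns_shell", e.host, parent, child))
        expected = EXPECTED_PARENT.get(child)
        if expected and parent not in expected:
            hits.append(("unexpected_parent", e.host, parent, child))
    return hits


# Constructed sample telemetry, not real data.
SAMPLE = [
    Proc("ws01", "svchost.exe", "services.exe"),          # normal service host
    Proc("ws01", "powershell.exe", "explorer.exe"),       # user-launched, no network activity
    Proc("ws04", "powershell.exe", "mgmt_agent.exe", 2),  # allowlisted management tooling
    Proc("ws02", "cmd.exe", "WINWORD.EXE"),               # Office document spawning a shell
    Proc("ws02", "powershell.exe", "cmd.exe", 3),         # shell establishing connections
    Proc("ws03", "lsass.exe", "cmd.exe"),                 # lsass with a strange parent
]
```

Running `hunt(SAMPLE)` yields three hits (office_spawns_shell, shell_with_netconn, unexpected_parent); the allowlisted and benign records are dropped, which is the filtering step the hunt process slide describes.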
CONTINUOUS RECORDING & CENTRALIZED STORAGE
CONTINUOUS RECORDING
• Find root cause
• Know impact of attack
• See attack patterns
• Understand full scope
CENTRALIZED STORAGE
• High performance
• Apply limitless threat intel
• 24/7 access to all activity
• Integrate with other data
WATCH AND RECORD EVERYTHING: copy of every executed binary, network connections, file executions, file modifications, cross-process events, registry modifications
Properties: unfiltered, reputation, prevalence, relationships, scanning
(Demo screenshot) Add user to infected machine – labels: username; system IP address; actions & activities of processes; process in focus
(Demo screenshot) Attacker covering their tracks; lateral movement
(Demo screenshot) Different endpoint: mapping a drive using the added user credentials from the first infected machine – labels: elevated user; process in focus
THREAT HUNTING: KEY POINTS
• Puts you in the front row seat of the attack
• Doesn't have to "break the bank" – requires the right data
• Proactively and iteratively searches for attacks
• Makes a difference – stops breaches, improves posture
www.CarbonBlack.com