TRANSCRIPT
CylanceGUARD™ Threat Hunting Intelligence Briefing
Jason Bevis
VP, Global MDR, ThreatZERO™, & International Services
Dave Cundiff
Sr Director, CylanceGUARD
Safe Harbor
The information in this presentation is confidential and proprietary to Cylance® and may not
be disclosed without the permission of Cylance. This presentation is not subject to your license
agreement or any other service or subscription agreement with Cylance. Cylance has no
obligation to pursue any course of business outlined in this document or any related
presentation, or to develop or release any functionality mentioned therein.
This document, or any related presentation and Cylance's strategy and possible future
development, product, and/or platform direction and functionality are all subject to change
and may be changed by Cylance at any time for any reason without notice. The information
on this document is not a commitment, promise, or legal obligation to deliver any material,
code, or functionality. This document is for informational purposes and may not be incorporated
into a contract. Cylance assumes no responsibility for errors or omissions in this document.
AGENDA
▪ Intelligence and Methodology-based Processes
▪ How MITRE is used to protect against multiple APTs
▪ CylanceGUARD: MTTD (Mean Time to Discovery) and MTTR (Mean Time to Response)
▪ What It Means for Your Teams: Benefits of CylanceGUARD's Unified Threat Hunting, Detection, and Response Approach
What is CylanceGUARD
▪ A 24X7 managed detection and response offering
▪ Transparent portal interaction
▪ Mobile flexibility
▪ A solution to handle sophisticated and evolving attacks, alert fatigue, and our customers' skill or resource gaps
▪ A combination of several technologies and skilled resources to provide our customers a managed solution for prevention
CylanceGUARD Components
Analysts and Threat Hunters
▪ Analyzes and prioritizes
▪ Automates analyst and incident engagement
▪ Proactive alerting at the fingertips
▪ Context to streamline investigation
▪ Customer interaction with triage and response
▪ Skilled Cylance Hunting Experts
▪ Prevent zero-day threats
ThreatZERO
▪ Prevention Expertise
▪ Prevent 99.9% of software related threats
[Diagram: CylanceGUARD Portal with 24x7 User Interaction at the center, surrounded by Threat Validation and Triage (Validate & Triage), Mobile Warning and Interaction, Optics and Visibility, Ongoing Prevention (ThreatZERO), Triage, Mobile, and Hunting]
What is Needed
MOBILITY
▪ We are concerned busy security analysts won't see alerts due to the volume of email they receive.
▪ We don't expect our customers to sit glued to a monitor 24X7X365.
▪ Our customers don't have that kind of time.
[Diagram: Mobile Warning, Workflow, Visibility]
VISIBILITY
Time is of the essence. We need to eliminate the case where an alert is sent but no one responds.
CylanceGUARD Tier Comparison
Tiers compared: CylanceGUARD Standard and CylanceGUARD Advanced. Features compared across the two tiers:
▪ 24x7 Threat Hunting
▪ Email Alerts
▪ Mobile Alerts and Escalation Management
▪ Proactive Threat Hunting 24X7 (Alert, Intelligence, and Methodology Hunting)
▪ Proactive Outreach for Critical Alerts
▪ Quarterly Prevention Review (Ongoing review with Cylance experts)
▪ CylanceGUARD Reports (Monthly Reports on Activity and Threat Landscape)
▪ Access to GUARD Analysts (Incident Response Guidance and Strategy)
▪ ThreatZERO Configuration and Assurance (Including Cylance Product On-boarding)
▪ Defined SLAs for Critical Alerts
CylanceGUARD provides a foundation. CylanceGUARD Advanced is a comprehensive solution that meets an organization's needs for threat hunting. Both offerings leverage the pre-execution abilities of CylancePROTECT and the post-execution monitoring and blocking associated with CylanceOPTICS.
CylanceGUARD Threat Hunting Maturity
The SANS Institute identifies a threat hunting maturity model as follows:
LEVEL 0: INITIAL
▪ An organization relies primarily on automated reporting.
▪ Does little or no routine data collection.
LEVEL 1: MINIMAL
▪ An organization incorporates threat intelligence indicator searches.
▪ Has a moderate or high level of routine data collection.
LEVEL 2: PROCEDURAL
▪ An organization follows analysis procedures created by others.
▪ Has a high or very high level of routine data collection.
LEVEL 3: INNOVATIVE
▪ An organization creates new data analysis procedures.
▪ Has a high or very high level of routine data collection.
LEVEL 4: LEADING
▪ An organization automates the majority of successful data analysis procedures.
▪ Has a high or very high level of routine data collection.
Threat Hunting Types
ALERT: Traditional Threat Management
Triggering events from products such as CylancePROTECT and CylanceOPTICS generate an alert to be followed up on by a CylanceGUARD analyst.
INTELLIGENCE: Internal and External Threat Data
The practice of gathering recent intelligence from multiple internal and external sources to identify new campaigns and trigger a manual or automated hunt.
METHODOLOGY: Process Based Hunting
CylanceOPTICS is leveraged to continually review and search across the environment. This is conducted using a standard methodology and backend analysis technology to hunt threats.
Alert Based Hunting Framework
▪ CylancePROTECT® alerting (AI model, memdef, script control)
▪ 100 core CylanceOPTICS™ rules in the console
▪ 150+ custom rules used for CylanceGUARD and IR
▪ ATT&CK
▪ Contextual rules using ATT&CK TTPs and Framework
▪ APT 3 and APT 29 Use cases
▪ Prioritization of hunting and investigation
Common Intelligence Hunting Sources
▪ Consulting on the Ground: IOCs/TTPs from 2000+ IR engagements
▪ Threat Research: IOCs/TTPs
▪ Internal Research: CylanceGUARD
▪ Internal Repository of Good and Bad Software: VirusTotal / Machine Learning Models
▪ Community-Shared Intel: Blogs / Twitter / Git / Communities
▪ Red Team Adversary Simulation: APT 3 or APT 29 simulation / objectives
GIT Repository Intelligence Example
Ex: OS = windows AND dir extension = :(docm|dotm|xlm|xltm|xla|pptm|potm|ppsm|sldm)
▪ Perform visualization stacking on the names
▪ Look for potentially malicious macro files based on low frequency
Ex: OS = windows AND type = eventspowershell AND script_block = (hidden AND bypass AND (nop OR noninteractive OR noprofile))
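Both hunt queries above, as an added Python example that is not part of the deck: the macro-extension hunt stacks file names by the number of hosts carrying them and surfaces the low-frequency ones, and the script-block hunt applies the hidden AND bypass AND (nop OR noninteractive OR noprofile) logic to captured PowerShell script-block text. The file inventory and script-block lines are constructed sample data.

```python
import re
from collections import defaultdict

# Macro-enabled Office extensions from the deck's first hunt query.
MACRO_EXT = re.compile(r"\.(docm|dotm|xlm|xltm|xla|pptm|potm|ppsm|sldm)$", re.IGNORECASE)

# Constructed sample of (host, file name) pairs standing in for a fleet-wide file listing.
FILE_INVENTORY = [
    ("ws01", "Normal.dotm"), ("ws02", "Normal.dotm"), ("ws03", "Normal.dotm"),
    ("ws04", "Normal.dotm"), ("ws05", "Normal.dotm"),
    ("ws02", "Sales_Template.pptm"), ("ws04", "Sales_Template.pptm"),
    ("ws03", "invoice_4471.docm"),   # present on a single host only
    ("ws05", "Book1.xla"),           # present on a single host only
    ("ws01", "notes.txt"),           # not a macro container, ignored by the filter
]

def stack_macro_files(inventory, max_hosts=1):
    """Stack macro-capable file names by distinct host count and return the rare
    ones as (name, host count), fewest hosts first, then alphabetically."""
    hosts_by_name = defaultdict(set)
    for host, name in inventory:
        if MACRO_EXT.search(name):
            hosts_by_name[name.lower()].add(host)
    rare = [(n, len(h)) for n, h in hosts_by_name.items() if len(h) <= max_hosts]
    return sorted(rare, key=lambda t: (t[1], t[0]))

def is_suspicious_script_block(text):
    """Second hunt query: hidden AND bypass AND (nop OR noninteractive OR noprofile)."""
    t = text.lower()
    return ("hidden" in t and "bypass" in t
            and any(k in t for k in ("nop", "noninteractive", "noprofile")))

# Constructed script-block text as PowerShell script block logging would record it.
SCRIPT_BLOCKS = [
    'powershell.exe -nop -w hidden -ep bypass -c "Write-Host test"',
    "powershell -NoProfile -Command Get-Process",
    r"powershell -WindowStyle Hidden -ExecutionPolicy Bypass -NonInteractive -File C:\ops\maint.ps1",
    "powershell -ExecutionPolicy Bypass -File deploy.ps1",
]

def flag_script_blocks(blocks):
    return [b for b in blocks if is_suspicious_script_block(b)]

if __name__ == "__main__":
    for name, count in stack_macro_files(FILE_INVENTORY):
        print(f"rare macro file: {name} (on {count} host(s))")
    for block in flag_script_blocks(SCRIPT_BLOCKS):
        print("suspicious script block:", block)
```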
Intelligence hunting cycle:
1. RESEARCH external intelligence GIT repositories
2. COLLECT artifacts from hosts
3. HUNT for hits across the customer based on new intelligence
4. PERFORM additional level of artifact collection
5. HUNT THROUGH DATA
Multiple Intel Sources
[Diagram: Base 64 encoded command ($s=New-Obj), PowerShell, Cobalt Strike]
1. Incident Response engagement
2. Optics rule for Cobalt Strike initially applied
3. Hit on the rule as the attacker tried to run their software
4. Results in a triple base 64 encoded file with GZIP and compiled code
5. Threat Research does analysis of the files obtained
6. Results in new rules
7. Reveals several additional customers in healthcare and other verticals were targeted
Multiple Intel Source Mapping
INCIDENT RESPONSE: Custom Compiled Python
THREAT RESEARCH
RESULTS: Identified similar activity in other customers
Taking Methodology: MITRE ATT&CK Matrix
1. What do we know?
2. How is data compressed?
3. How is data encrypted?
4. What is allowed out of this enterprise from a size limit and won't raise flags?
5. What protocols are allowed outbound?
6. What methods allow exfiltration within this organization?
7. Is there a scheduled transfer?
More Exfil Methodology
Methodology Package Deploy Analysis
▪ APT32 Suspicious msmpeng
▪ Windows: Suspicious Files
▪ Common Threat Actor Staging Directories
▪ Damerau-Levenshtein Analysis
▪ EXE Stacking
▪ Large Files
▪ Macro Stacking
▪ Recent Files Stacking
▪ Suspicious System32
▪ TXT File Stacking
▪ Methodology: Looking at the Archives
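As an added Python example (not the deck's own methodology package), this implements the Damerau-Levenshtein comparison behind a look-alike name hunt of the kind the Damerau-Levenshtein Analysis and Suspicious System32 packages suggest: names observed on hosts are compared to a baseline of legitimate Windows binary names, and anything within a small edit distance but not an exact match is flagged. The baseline list, the observed names and the distance threshold are constructed assumptions.

```python
def damerau_levenshtein(a, b):
    """Optimal-string-alignment Damerau-Levenshtein distance: insertion, deletion,
    substitution, or transposition of two adjacent characters, each at cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

# Constructed baseline of legitimate Windows binary names (assumption, not a complete list).
LEGIT_NAMES = ["svchost.exe", "lsass.exe", "explorer.exe", "csrss.exe", "winlogon.exe", "smss.exe"]

# Constructed names as a fleet-wide process or file listing might report them.
OBSERVED_NAMES = ["svchost.exe", "svch0st.exe", "lsasss.exe", "explorer.exe",
                  "csrss.exe", "crss.exe", "mybackup.exe"]

def find_lookalikes(observed, baseline, max_distance=2):
    """Return (observed name, closest legitimate name, distance) for every observed
    name that is close to, but not identical to, a baseline name."""
    hits = []
    for name in observed:
        n = name.lower()
        closest, dist = min(((b, damerau_levenshtein(n, b.lower())) for b in baseline),
                            key=lambda t: (t[1], t[0]))
        if 0 < dist <= max_distance:
            hits.append((name, closest, dist))
    return hits

if __name__ == "__main__":
    for name, legit, dist in find_lookalikes(OBSERVED_NAMES, LEGIT_NAMES):
        print(f"{name!r} is {dist} edit(s) away from {legit!r}")
```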
Attack Group Examples
APT29: Well organized and competent group. Classified in 2008 as an APT and believed to be Russian State sponsored.
APT28: Russian State sponsored group targeting political and military targets. Highly skilled at writing 0-day exploitation malware.
APT32: First mentioned publicly in 2010. Extremely adaptable, and persistent even when identified. Leverages a large assortment of legitimate software.
APT29 Targeted Countries
North America: United States
Europe: Ireland, Belgium, Spain, Portugal, Czech Republic, Hungary, Luxembourg, Romania
Africa: Uganda
Asia Pacific: Azerbaijan, Georgia, Kazakhstan, Kyrgyzstan, Ukraine, Uzbekistan
South America: None yet identified
Middle East: Turkey
APT29 Industries Targeted and Motives
▪ Russian State Sponsored
▪ Cyber Espionage and data exfiltration
TARGETS
▪ Defense
▪ Government Agencies
▪ International Organizations
APT29 Coverage
Leveraging CylancePROTECT and CylanceOPTICS provides CylanceGUARD with the ability to cover the totality of the APT29 techniques through a defense in depth approach. While these techniques are shown to be covered by individual protection mechanisms of the product, there is ample overlap in the coverage.
[Chart: APT29 Coverage by Protection Type, percent coverage (0% to 100%) per ATT&CK category: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Initial Access, Instrumentation, Lateral Movement, Persistence, Privilege Escalation, Protocol; legend: Protect, Refract, CAE, No Coverage]
Leveraging the full functionality of Cylance Products provides complete coverage.
APT28 Targeted Countries
North America: United States, Canada
Europe: Belarus, Belgium, Bulgaria, France, Germany, Hungary, Montenegro, Netherlands, Poland, Romania, Slovakia, Spain, Sweden, Switzerland, United Kingdom
Africa: None yet identified
Asia Pacific: Afghanistan, Armenia, China, Georgia, Japan, Kazakhstan, Latvia, Malaysia, Mongolia, South Korea, Tajikistan, Ukraine
South America: Brazil
Middle East: Iran, Turkey
APT28 Industries Targeted and Motives
▪ Russian State Sponsored
▪ Espionage and political manipulation
TARGETS
▪ Aerospace
▪ Cybersecurity
▪ Defense
▪ Embassies
▪ Government
▪ Hospitality
▪ International Organizations
▪ Media
[Chart: APT28 Coverage by Protection Type, percent coverage (0% to 100%) per ATT&CK category: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Hijacking, Information, Initial Access, Lateral Movement, Media, Persistence, Privilege Escalation, Removable Media; legend: Protect, Refract, CAE]
APT28 Coverage
Given APT28's proficiency with 0-day malware writing, the use of a mathematical model with a high degree of maturity, and a significant number of dimensions assessed in conjunction with a highly adaptable EDR provides the best chance of success.
Complete coverage of the techniques used by APT28 through defense in depth.
APT32 Targeted Countries
North America: United States
Europe: Germany
Africa: None yet identified
Asia Pacific: China, Australia, Philippines, Vietnam
South America: None yet identified
Middle East: None yet identified
APT32 Industries Targeted and Motives
▪ Vietnam State Sponsored
▪ Espionage
TARGETS
▪ Administration
▪ Communication
▪ Financial Services
▪ Government
▪ High-Tech
▪ International Organizations
▪ Legal Services
▪ Manufacturing
▪ Media
▪ Military
▪ Naval
[Chart: APT32 Coverage by Protection Type, percent coverage (0% to 100%) per ATT&CK category: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Information, Initial Access, Instrumentation, Lateral Movement, Persistence, Privilege Escalation, Protocol; legend: Protect, Refract, CAE]
APT32 Coverage
With APT32's ability to adapt and leverage a multitude of legitimate tools, the ability to cover endpoints with multiple layers of protection is almost required to combat this type of threat.
Defense in depth coverage for a highly adaptable adversary.
CylanceGUARD Alert Workflow
Detection and Response stages:
1. Cylance Products Generate Event
2. Alert Initiated, Triage Begins
3. Response Sent, or Action Taken
4. Incident Response Initiated
5. Alert Closed
Once CylancePROTECT and CylanceOPTICS are tuned according to CylanceGUARD requirements, the products will generate events used to correlate and provide context for Analysts to triage and review.
Based upon the agreement between Cylance and the Customer during onboarding, and depending on the type of events in an alert, Cylance Analysts can perform actions within PROTECT and OPTICS on behalf of the customer or provide detailed response information for the customer to take action.
Initial triage of alerts will begin within 90 minutes of alert generation for CylanceGUARD Advanced customers. This commitment is possible thanks to the filtering orchestration built into CylanceGUARD for classifying events as triggers, observational, or whitelisted.
If a critical alert requires incident response, the CylanceGUARD team will work with any chosen IR team, be that 3rd party, Internal, or Cylance Consulting, to make the IR team more efficient and get you back to Production ready as quickly as possible.
The entire workflow can be followed from Open to Close within the CylanceGUARD console. Once all actions have been taken, the alert will be closed but preserved for later review.
Benefits of CylanceGUARD
▪ Prevention First Approach
▪ Disrupts the Kill chain
▪ MDR/EDR are Reactive by Nature
▪ Transparency of Activity
▪ Event Reduction Efficacy and Visibility into the Workflow
▪ Clear Knowledge of MTTD (Mean Time to Discovery) and MTTR (Mean Time to Response)
▪ Mobile Application Security Convenience
▪ Orchestration Capability
▪ Customer specific workflow
▪ Event reduction to focus on critical alerts
▪ Package Deployment
▪ Advanced Threat Hunting
▪ Intelligence
▪ Methodology
Questions & Answers
© 2019 Cylance Inc. All Rights Reserved.