![Page 1: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/1.jpg)
MT 36: Detecting Evasive Threats, Network Edition
![Page 2: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/2.jpg)
A lot going on in the world
Events:
• Opportunistic 85.7%
• Exploits 12.3%
• Ransomware 1.2%
• Targeted 0.5%
• FakeAV 0.3%
![Page 4: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/4.jpg)
Motives vary
![Page 7: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/7.jpg)
What industry verticals are victims?
Targeted Intrusion Victims by Industry Vertical:
• Manufacturing 46%
• Technology Provider 19%
• Education 12%
• Other Services 8%
• Retail 4%
• Business Services 4%
• Media 4%
• Misc. Financial 4%
Source: Targeted Threat Responses Jan 2015 – Sept 2015
![Page 8: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/8.jpg)
Threat groups
• Known Tools (Infrastructure)
• Known Targets (pre-Compromise) & Victims (post-Compromise)
• Known Techniques & Procedures (Capability)
• Known Identity
Candidate Threat Groups
![Page 9: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/9.jpg)
TG-0416 Vertical Hopscotch
(Chart: verticals targeted by TG-0416 per half-year, H2 2011 through H1 2015. Verticals shown: Healthcare, Government, Technology Providers, Manufacturing, Financial, Membership Organizations.)
![Page 10: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/10.jpg)
How are threat groups entering networks?
Targeted Intrusion Access Vector:
• Phishing 29%
• Credential Abuse 29%
• Scan & Exploit 29%
• Web Exploit 14%
Source: Targeted Threat Responses Jan 2015 – Sept 2015
![Page 11: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/11.jpg)
Phishing…everyday occurrence
![Page 12: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/12.jpg)
Watch your webmail…spear phishing to corporate and personal mail
From: XXXXXXXX XXXXXXXX [mailto:[email protected]]
Sent: XXXXXXX, XXXXXXXX ##, 201X 11:01 PM
To: XXXXXXXX, XXXXXXXX
Subject: Internal Security Survey

Dear all,
Key target is finding and exploring company internal security problems in 201X.
Download the report: http://<company web domain>/download/survey.pdf
please fill the report and send to [email protected] tomorrow morning.
IT Department
![Page 13: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/13.jpg)
Strategic Web Compromise (SWC)
1. Adversary identifies websites known or suspected to be visited by designated target
2. Identified sites are probed for vulnerability
3. Adversary places exploits on one or more sites where they are likely to be accessed by targets
4. Users visit malicious website
5. Exploits are attempted against visitors. Delivery is often filtered by IP or other characteristics
6. Initial foothold malware is delivered to the victim
(Diagram: identify vulnerable site & place exploit; sites of interest; user visits compromised site; exploit used to deliver initial foothold malware.)
![Page 14: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/14.jpg)
Exploiting weakness
• Scans website for available vulnerabilities
• Identifies Struts with unpatched vulnerabilities
• Deploys China Chopper shell
• Adversary can now try to escalate privileges, dump passwords and move laterally in the internal network
![Page 15: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/15.jpg)
Credential abuse
• Exploitation of architecture and configuration vulnerabilities
– just as effective
– just as devastating
– harder to detect
• Use available tools instead of malware
– Steal credentials
– Use existing administration tools
• Malware removed after initial intrusion compromises credentials
![Page 16: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/16.jpg)
No malware? No Problem
TG-0416
![Page 17: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/17.jpg)
“Transport rule found on server that blind copies any messages with 'CMS', 'pw', 'pwd', 'pass' or 'password' in the body or subject of an email on server XYZ to email account [email protected]”
Living off the Land
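One way to hunt for the kind of transport rule quoted above, as an added example in Python that is not part of the presentation: it audits a JSON export of Exchange transport rules for enabled rules that blind-copy or redirect mail outside the organisation, rating those keyed on credential words highest. It assumes a flattened export of the Name, State, SubjectOrBodyContainsWords, BlindCopyTo and RedirectMessageTo properties (for instance Get-TransportRule piped to ConvertTo-Json); the sample export, domains and keyword list are constructed.

```python
import json
import re

INTERNAL_DOMAINS = {"acme.example"}        # constructed: the organisation's own mail domains
CRED_WORDS = re.compile(r"\b(cms|pw|pwd|pass|passwd|password|credential)\b", re.I)


def external_recipients(addresses, internal=INTERNAL_DOMAINS):
    """Addresses whose domain is not one of ours (None or [] yields [])."""
    return [a for a in addresses or [] if a.rsplit("@", 1)[-1].lower() not in internal]


def audit_transport_rules(rules_json, internal=INTERNAL_DOMAINS):
    """Return (rule name, severity, reason) for each enabled rule that blind-copies
    or redirects mail to an external address; rules keyed on credential words
    (the pattern in the quoted finding) are rated high, the rest medium."""
    findings = []
    for rule in json.loads(rules_json):
        if rule.get("State") == "Disabled":
            continue
        ext = (external_recipients(rule.get("BlindCopyTo"), internal)
               + external_recipients(rule.get("RedirectMessageTo"), internal))
        if not ext:
            continue
        words = rule.get("SubjectOrBodyContainsWords") or []
        if any(CRED_WORDS.search(w) for w in words):
            findings.append((rule["Name"], "high", f"credential keywords {words} copied to {ext}"))
        else:
            findings.append((rule["Name"], "medium", f"mail copied or redirected to external {ext}"))
    return findings


# Constructed export: one legitimate internal journaling rule, one rule shaped
# like the quoted finding, one disabled leftover and one external partner copy.
SAMPLE_EXPORT = json.dumps([
    {"Name": "Journal to compliance", "State": "Enabled", "SubjectOrBodyContainsWords": None,
     "BlindCopyTo": ["journal@acme.example"], "RedirectMessageTo": None},
    {"Name": "Mailbox cleanup", "State": "Enabled",
     "SubjectOrBodyContainsWords": ["CMS", "pw", "pwd", "pass", "password"],
     "BlindCopyTo": ["collector@mail-example.test"], "RedirectMessageTo": None},
    {"Name": "Old forward", "State": "Disabled", "SubjectOrBodyContainsWords": None,
     "BlindCopyTo": None, "RedirectMessageTo": ["someone@example.net"]},
    {"Name": "Partner copy", "State": "Enabled", "SubjectOrBodyContainsWords": ["invoice"],
     "BlindCopyTo": ["ap@partner.test"], "RedirectMessageTo": None},
])

if __name__ == "__main__":
    for name, severity, reason in audit_transport_rules(SAMPLE_EXPORT):
        print(f"[{severity}] {name}: {reason}")
```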
![Page 18: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/18.jpg)
Current State of Affairs
How victims learned of targeted intrusions across their organizations:
• 60% Third party detected adversary tradecraft
• 28% Notified by law enforcement or government entity
• 12% Staff discovered threat actor activity
Source: Targeted Threat Responses Jan 2015 – Sept 2015
50%: In half of targeted intrusions, the entry point of the threat actors was undetermined
100%: In all intrusions, threat actors “lived off the land” using stolen credentials and native tools to achieve their mission
![Page 19: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/19.jpg)
• Next Generation Toolsets provide only limited value. Tools need to be updated with the latest Threat intelligence, continually monitored, and run by trained professionals.
The industry’s definition of defeat is different from our adversary's definition of winning.
![Page 20: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/20.jpg)
XLSTrojan
Comfoo Trojan
Sajdela Trojan
Chinese Infostealer Blue Butterfly Lingbo
Dynamer
Targeted-CG
Orsam
Leouncia
Huntah
Poison Ivy
Bifrose
Hupigon
PcClient
gh0st
Wkysol
ZWShell
Mswab
Mirage
Wykcores
Hydraq
Whitewell
Werchan
Foxjmp
Sanshell
Lostmin
Pirp
httpBrowser
And many more…
Malware doesn’t matter…the adversaries simply don’t care
骑驴找马 (“ride the donkey while looking for a horse”)
![Page 22: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/22.jpg)
But I have a magic mobile machine learning cloud of advanced malware protection
• Endpoint security controls fail
– AV fails
– Whitelisting fails
– Novel malware persistence mechanisms
› DLL Side Loading
› DLL Search Order Hijack
› Binary modification
– Memory based exploits
– Rootkits
– Even exploitation of the security software itself!
• Network controls fail
– Encrypted binary protocols over HTTP
– Use of common ports and protocols
– Frequently burning infrastructure
– Use of public services for C2 and exfil
• Log analysis detections fail
• Mobile Machine Learning Clouds of Advanced Malware Protection fail too!
![Page 25: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/25.jpg)
Adaptable Persistent Threat
• Not a thing, a who
• Think project management…
– Adversary has already planned for most common defenses and responses
– Setbacks trigger planning or strategy shifts, not abandonment
• Plan to fail…
– History teaches us that controls fail
– Endpoint controls fail
– Network controls fail
– Log and SIEM analytics fail
![Page 27: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/27.jpg)
How do we win?
![Page 28: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/28.jpg)
Reduce time to detect advanced threat actor activity and reduce effort to respond to their operations
![Page 29: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/29.jpg)
Lots of opportunity
We win by disrupting the threat actors before they complete their mission of data exfiltration
~1 month before data loss begins
~2 weeks to data exfiltration
~6 weeks before the threat actors win
![Page 31: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/31.jpg)
I.N.T.E.L.L.I.G.E.N.C.E.
![Page 33: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/33.jpg)
Architecture Affects Visibility
627732;10Mar2015;3:58:15;a.a.a.a;log;vpnroute;;External;inbound;VPN-1 & FireWall-1;;chkma;Network;4;{00000000-0000-0000-0000-000000000000};EPC RULE;MSTerminalServices;x.x.x.17;y.y.y.136;tcp;;;;;3389;2913;;;IKE;ESP: 3DES + MD5 + DEFLATE;x.x.x.17;;;ACMEAPT_Access;VPN-1;VPN;;;;;;;;;;;;;;;;;compromisedusername;;;;;;;;;{11111111-1111-1111-1111-111111111111};IKE;ESP: AES-128 + MD5;38.109.75.18;;;ACMEAPT_Internal;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
![Page 35: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/35.jpg)
How do you win? (The first 6 hours)
• Prevent the exploit
• Detect the malware execution
• Prevent or Monitor the malware execution
![Page 36: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/36.jpg)
Detect potential danger early
![Page 37: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/37.jpg)
DNS Telemetry
(Diagram: resolution path for a client lookup of evil.foo.com, showing the internal name server as the point where every client query is visible.)
1. Client to internal name server: Request: A record evil.foo.com
2. Internal name server to .com root name server: Request: NS record foo.com; NS Response
3. Internal name server to foo.com authoritative name server: Request: A record evil.foo.com; A Record Response
4. Internal name server to client: A Record Response
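Early detection on the telemetry the diagram above shows the internal name server collecting, as an added example in Python that is not part of the presentation: it baselines the registered domains seen in resolver query logs and flags domains first queried within the last day by a single client. The log line format, client addresses and domain names are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def parse_query_log(lines):
    """Yield (timestamp, client, qname) from constructed resolver log lines of
    the form '<ISO timestamp> client=<ip> query=<name> type=<rrtype>'."""
    for line in lines:
        ts, rest = line.split(" ", 1)
        kv = dict(part.split("=", 1) for part in rest.split())
        yield datetime.fromisoformat(ts), kv["client"], kv["query"].rstrip(".").lower()


def registered_domain(qname):
    # Simplification: keep the last two labels. Production code should use the
    # public suffix list so that host.example.co.uk maps to example.co.uk.
    return ".".join(qname.split(".")[-2:])


def new_rare_domains(records, window=timedelta(days=1), max_clients=1, now=None):
    """Registered domains first queried inside the most recent window and asked
    for by at most max_clients distinct clients: {domain: [clients]}.
    Everything older in the log acts as the baseline of 'known' domains."""
    first_seen, clients, latest = {}, defaultdict(set), None
    for ts, client, qname in records:
        dom = registered_domain(qname)
        first_seen[dom] = min(first_seen.get(dom, ts), ts)
        clients[dom].add(client)
        latest = ts if latest is None or ts > latest else latest
    now = now or latest
    return {d: sorted(clients[d]) for d, t in first_seen.items()
            if t >= now - window and len(clients[d]) <= max_clients}


# Constructed sample: ten days of routine lookups from several clients, then a
# single workstation resolving evil.foo.com for the first time.
SAMPLE_LOG = [
    f"2015-05-{day:02d}T08:{m:02d}:00 client=192.168.50.{c} query=mail.acme.example type=A"
    for day in range(20, 30) for m, c in ((5, 10), (6, 11), (7, 12))
] + [
    f"2015-05-{day:02d}T09:00:00 client=192.168.50.11 query=cdn.vendor-example.net type=A"
    for day in range(20, 30)
] + [
    "2015-06-14T09:21:55 client=192.168.50.12 query=mail.acme.example type=A",
    "2015-06-14T09:22:17 client=192.168.50.10 query=evil.foo.com type=A",
    "2015-06-14T09:22:18 client=192.168.50.10 query=cdn.vendor-example.net type=A",
]

if __name__ == "__main__":
    print(new_rare_domains(parse_query_log(SAMPLE_LOG)))  # {'foo.com': ['192.168.50.10']}
```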
![Page 38: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/38.jpg)
IDS/IPS strategic and tactical detection
![Page 39: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/39.jpg)
How do you win? (The first 6 hours)
• Credential use
• Lateral movement technique
• Execution
![Page 40: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/40.jpg)
Internal netflow: What lateral movement looks like
(columns: Start End Sif SrcIP SrcP DIf DstIP DstP P Fl Pkts Octets)
06zz.yy:28:01.727 06zz.yy:28:04.703 6 192.168.x.y 0 17 192.168.a.b 2048 1 0 4 240
06zz.yy:28:01.759 06zz.yy:28:04.735 16 192.168.a.b 0 6 192.168.x.y 0 1 0 4 240
06zz.yy:28:14.199 06zz.yy:28:14.359 6 192.168.x.y 56639 17 192.168.a.b 445 6 6 7 1456
06zz.yy:28:14.231 06zz.yy:28:14.359 16 192.168.a.b 445 6 192.168.x.y 56639 6 2 5 1198
06zz.yy:28:16.611 06zz.yy:28:17.667 6 192.168.x.y 56640 17 192.168.a.b 80 6 2 3 200
06zz.yy:28:16.643 06zz.yy:28:17.699 16 192.168.a.b 80 6 192.168.x.y 56640 6 4 3 120
06zz.yy:28:44.258 06zz.yy:29:23.330 16 192.168.a.b 445 6 192.168.x.y 56644 6 2 128 10735
06zz.yy:28:44.258 06zz.yy:29:23.522 6 192.168.x.y 56644 17 192.168.a.b 445 6 2 221 274066
06zz.yy:29:56.517 06zz.yy:29:56.837 6 192.168.x.y 56644 17 192.168.a.b 445 6 0 6 1115
06zz.yy:29:56.549 06zz.yy:29:56.645 16 192.168.a.b 445 6 192.168.x.y 56644 6 0 5 948
06zz.yy:30:13.845 06zz.yy:30:13.909 6 192.168.x.y 56644 17 192.168.a.b 445 6 4 3 264
06zz.yy:30:13.877 06zz.yy:30:13.909 16 192.168.a.b 445 6 192.168.x.y 56644 6 0 2 224
![Page 41: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/41.jpg)
How do you win?
• Tactical and Strategic detection of webshells
![Page 42: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/42.jpg)
Internal netflow: What network exploration looks like
(columns: Start End Sif SrcIP SrcP DIf DstIP DstP P Fl Pkts Octets)
06xx.yy:22:17.523 06xx.yy:22:17.523 6 192.168.x.y 60616 17 192.168.1.0 137 17 0 1 78
06xx.yy:22:17.523 06xx.yy:22:17.523 6 192.168.x.y 60616 17 192.168.1.1 137 17 0 1 78
06xx.yy:22:17.523 06xx.yy:22:17.523 6 192.168.x.y 60616 17 192.168.1.2 137 17 0 1 78
06xx.yy:22:17.555 06xx.yy:22:17.555 6 192.168.x.y 60616 17 192.168.1.3 137 17 0 1 78
06xx.yy:22:17.555 06xx.yy:22:17.555 6 192.168.x.y 60616 17 192.168.1.4 137 17 0 1 78
06xx.yy:22:17.555 06xx.yy:22:17.555 6 192.168.x.y 60616 17 192.168.1.5 137 17 0 1 78
06xx.yy:22:17.587 06xx.yy:22:17.587 6 192.168.x.y 60616 17 192.168.1.6 137 17 0 1 78
06xx.yy:22:17.587 06xx.yy:22:17.587 6 192.168.x.y 60616 17 192.168.1.7 137 17 0 1 78
06xx.yy:22:17.587 06xx.yy:22:17.587 6 192.168.x.y 60616 17 192.168.1.8 137 17 0 1 78
06xx.yy:22:17.619 06xx.yy:22:17.619 6 192.168.x.y 60616 17 192.168.1.10 137 17 0 1 78
06xx.yy:22:17.619 06xx.yy:22:17.619 6 192.168.x.y 60616 17 192.168.1.11 137 17 0 1 78
(more or less sequentially mapping the environment)
06xx.yy:42:45.159 06xx.yy:42:49.159 9 192.168.x.y 60616 0 192.168.253.78 137 17 0 1 78
06xx.yy:42:45.159 06xx.yy:42:49.159 9 192.168.x.y 60616 0 192.168.253.79 137 17 0 1 78
06xx.yy:42:45.167 06xx.yy:42:49.171 9 192.168.x.y 60616 0 192.168.253.80 137 17 0 1 78
06xx.yy:42:45.179 06xx.yy:42:49.179 9 192.168.x.y 60616 0 192.168.253.81 137 17 0 1 78
06xx.yy:42:45.191 06xx.yy:42:49.191 9 192.168.x.y 60616 0 192.168.253.82 137 17 0 1 78
06xx.yy:42:47.063 06xx.yy:42:47.063 9 192.168.x.y 60616 0 192.168.253.255 137 17 0 1 78
Scanned ~65k IPs in rapid succession…
![Page 43: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/43.jpg)
How do you win?
• Without significant tripwires, data exfiltration of sensitive intellectual property occurred in 6 weeks
• With proper visibility, the threat actors could have been detected at least 6 different ways within the first 6 hours of the intrusion
![Page 44: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/44.jpg)
Placeholder: iSensor slide showing China Chopper commands
![Page 45: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/45.jpg)
Exfil
• Top talkers
• Outbound flows
• Firewall/Proxy monitoring
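Detection logic for the two netflow excerpts earlier in the deck (the single-packet udp/137 sweep that is network exploration, and the workstation-to-workstation tcp/445 sessions that are lateral movement) together with the top-talker triage this exfil slide lists, as an added example in Python that is not part of the presentation. It assumes records in the flow-tools style layout of those excerpts (Start End Sif SrcIP SrcP DIf DstIP DstP P Fl Pkts Octets); the sample flows, addresses, file-server list and thresholds are constructed.

```python
from collections import defaultdict, namedtuple
from ipaddress import ip_address, ip_network

Flow = namedtuple("Flow", "start end src sport dst dport proto pkts octets")

def parse_flow(line):
    """Parse one 'Start End Sif SrcIP SrcP DIf DstIP DstP P Fl Pkts Octets' record."""
    f = line.split()
    return Flow(f[0], f[1], f[3], int(f[4]), f[6], int(f[7]), int(f[8]),
                int(f[10]), int(f[11]))

def netbios_fanout(flows, threshold=8):
    """Network exploration: one source sending one- or two-packet udp/137 probes
    to many distinct hosts. Returns {scanner: number of distinct targets}."""
    targets = defaultdict(set)
    for fl in flows:
        if fl.proto == 17 and fl.dport == 137 and fl.pkts <= 2:
            targets[fl.src].add(fl.dst)
    return {s: len(d) for s, d in targets.items() if len(d) >= threshold}

def workstation_smb(flows, file_servers):
    """Lateral movement: tcp/445 sessions whose destination is not a known
    file or domain server, i.e. workstation-to-workstation SMB."""
    return sorted({(fl.src, fl.dst) for fl in flows
                   if fl.proto == 6 and fl.dport == 445 and fl.dst not in file_servers})

def top_outbound_talkers(flows, internal, n=3):
    """Exfil triage: internal sources ranked by octets sent to addresses outside 'internal'."""
    out = defaultdict(int)
    for fl in flows:
        if ip_address(fl.src) in internal and ip_address(fl.dst) not in internal:
            out[fl.src] += fl.octets
    return sorted(out.items(), key=lambda kv: kv[1], reverse=True)[:n]

# Constructed sample: a NetBIOS sweep of 192.168.1.0-15, an SMB session to a peer
# workstation (plus its return flow), normal SMB to the file server, and one
# large upload from the same host to an external address.
SAMPLE = [f"0614.09:22:17.523 0614.09:22:17.523 6 192.168.50.10 60616 17 192.168.1.{i} 137 17 0 1 78"
          for i in range(16)] + [
    "0614.09:28:44.258 0614.09:29:23.522 6 192.168.50.10 56644 17 192.168.50.25 445 6 2 221 274066",
    "0614.09:28:44.258 0614.09:29:23.330 16 192.168.50.25 445 6 192.168.50.10 56644 6 2 128 10735",
    "0614.09:31:02.100 0614.09:31:05.900 6 192.168.50.10 56650 17 192.168.10.5 445 6 2 40 8200",
    "0614.09:40:00.000 0614.09:52:13.000 6 192.168.50.10 56700 3 203.0.113.9 443 6 2 91000 131072000",
]
FLOWS = [parse_flow(line) for line in SAMPLE]
INTERNAL = ip_network("192.168.0.0/16")
FILE_SERVERS = {"192.168.10.5"}

if __name__ == "__main__":
    print("netbios fan-out:", netbios_fanout(FLOWS))
    print("workstation smb:", workstation_smb(FLOWS, FILE_SERVERS))
    print("top outbound   :", top_outbound_talkers(FLOWS, INTERNAL))
```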
![Page 46: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/46.jpg)
Redefine winning
![Page 48: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/48.jpg)
The optimal security continuum
Threat Intelligence
People, Process, Technology
![Page 49: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/49.jpg)
Context to answer the questions that matter
What is it? Is it really a threat? Did it succeed? What happened next?
Who was behind it? What are their intentions? Did they achieve their objectives yet?
How did they get in, where are they, how do I get them out and prevent them from winning?
What should I do next?
Intelligence on threat actors
Ability to collect telemetry and apply that intelligence in the network and at the endpoint
Analytics beyond malware and signatures
![Page 50: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/50.jpg)
Who has the first question?
![Page 51: Detecting advanced and evasive threats on the network](https://reader031.vdocuments.site/reader031/viewer/2022021816/58a5df101a28abd14d8b5a63/html5/thumbnails/51.jpg)
Thanks!