garrett schubert – emc corporation critical incident response center

Post on 05-Jan-2016
DESCRIPTION

Malware\Host Analysis for Level 1 Analysts: “Decrease exposure time from detection to eradication”. Garrett Schubert – EMC Corporation Critical Incident Response Center, Incident Response\Content Lead. PowerPoint PPT Presentation.

TRANSCRIPT

Page 1: Garrett Schubert – EMC Corporation Critical Incident Response Center
Page 2

Malware\Host Analysis for Level 1 Analysts

“Decrease exposure time from detection to eradication”

Garrett Schubert – EMC Corporation Critical Incident Response Center

Incident Response\Content Lead

Page 3

Surgery on the front lines

Page 4
Page 5

The Adversary

CRIMINALS

Unsophisticated, but noisy

Organized, sophisticated supply chains (PII, PCI, financial services, retail)

Organized crime

Petty criminals

NON-STATE ACTORS

Various reasons, including collaboration with the enemy

Political targets of opportunity, mass disruption, mercenary

Cyber-terrorists / Hacktivists

Insiders

NATION STATE ACTORS

Government, defense contractors, IP rich organizations, waterholes

Nation states

Page 6

Attack Lifecycle (Kill Chain)*

Reconnaissance: Research & Mapping the Target

Weaponize: Create the Malware

Delivery: Send to target

Exploitation: Compromise Host

Installation: Install Backdoor

C2: Control the Device

Action: Exfiltrate Data

*http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf

Page 7

Incident Response Team Maturity: An Evolution (CIRC 2009 to Today)

CIRC 2009:
- Eyes on Glass
- Analysis
- Forensic
- Coordination
- Remediation
- Rule/Report Creation
- Workflow Development

Today (L1 / L2 / L3 tiers):
- Advanced Tool & Tactics
- Cyber Threat Intelligence
- CIRT
- Content Analytics

- Specific functions
- Reduces “Scope Creep”
- Focused workflow

Page 8

Incident Monitoring & Response

Advanced Tool & Tactics
• Reverse Malware Engineering
• Host & Network Forensic
• Hunters
• Cause & Origin Determination
• Scripting & Integration

Cyber Threat Intelligence
• Threat Indicator Portal (IOC’s)
• Source Actor Attribution
• Attack Sensing & Warning
• Social Media
• High Value Target (HVT)

CIRT
• Eyes-On-Glass
• End User Intake
• Event Triage - Incident Command
• Incident Containment
• 24x7 Coverage

Content Analytics
• Content Development
• Integration
• Scripting
• Workflow
• Rules/Reports

Page 9
Page 10

Low Quality - Black and White

Page 11

Low Quality - Black and White

Page 12

Where’s Waldo now?

Page 13

The People

Page 14

The Process

Log and Packet data sources: AV, Auth, WAF, DLP, AD, WLAN, EP, URL, FW, IPS

Data Enhancement: Location, Identity, Division, Department, Data, Asset Value, Geo Info, Regulation

Threats, Incidents, Incident Workflow

Stakeholders: CIRC, IT, GRC, HR, Legal, Eng.

Page 15

The Tech

Page 16

PlugX (Sogu) Use case

• EMC CIRC received intelligence about a command and control server.

• The C2 server was identified as the call back station for a PlugX RAT.

• MISSION: Identify impact to EMC and defend against all found threats

Page 17

Network traffic

Page 18

Find the malware from C2

Page 19

Network Connection to Process

Page 20

Scoping threat within Organization

Page 21

Origination of malware – Root cause

Page 22

Recommendations

• Cyber Threat Intelligence
  • Prioritize your intel!
  • Not all IoCs have the same threat

• Content Analytics
  • Get business\organizational context at alert
  • Don’t make the analyst query for data you know they need

• “Frontline” IR Analysts - CIRT
  • Level 1 analysts need the right tools
  • Stop training run books – THINK out of the box

• Malware Team - ATTA
  • Share\document TTP and pivot points of specific campaigns
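The recommendations above, together with the "Data Enhancement" step on the Process slide and the PlugX use case (find the hosts talking to the C2, then scope the threat within the organization), describe a small pipeline: match log events against a prioritized indicator list, attach the identity and asset context the analyst would otherwise have to query for, and present the result ranked so the Level 1 analyst sees the most important hit first. The following Python is an added illustration of that pipeline, not code from the talk or from EMC CIRC. The indicator feed, asset inventory, log format and all IP addresses are constructed sample data; the priority field on each indicator and the asset_value field on each asset are assumed labels standing in for whatever a real intel platform and CMDB would supply.

```python
"""Enrich C2 indicator hits with organizational context and rank them.

Added example (hypothetical, not the talk's code). Firewall log lines are matched
against a prioritized indicator list, joined to an asset inventory, and sorted so
the highest-priority indicator on the highest-value asset comes first.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed indicator feed: destination -> threat name and analyst priority
# (1 = highest). "priority" is an assumed field; real feeds name it differently.
INDICATORS = {
    "203.0.113.45": {"threat": "PlugX/Sogu C2 (sample)", "priority": 1},
    "198.51.100.7": {"threat": "commodity adware host (sample)", "priority": 3},
}

# Constructed asset inventory keyed by internal IP: the identity, department and
# asset-value context the Process slide lists under "Data Enhancement".
ASSETS = {
    "10.0.5.21": {"host": "eng-ws-0421", "user": "jdoe",
                  "department": "Engineering", "asset_value": "high"},
    "10.0.9.8": {"host": "kiosk-lobby-02", "user": "guest",
                 "department": "Facilities", "asset_value": "low"},
}

# Constructed firewall log format; one line per outbound connection.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) fw src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

ASSET_VALUE_RANK = {"high": 0, "medium": 1, "low": 2}

SAMPLE_LOGS = [  # constructed sample input
    "2016-01-05T10:00:01Z fw src=10.0.9.8 dst=198.51.100.7 dport=80 action=allow",
    "2016-01-05T10:00:02Z fw src=10.0.5.21 dst=203.0.113.45 dport=443 action=allow",
    "2016-01-05T10:00:03Z fw src=10.0.7.77 dst=203.0.113.45 dport=443 action=allow",
    "2016-01-05T10:00:04Z fw src=10.0.5.21 dst=192.0.2.10 dport=443 action=allow",
    "this line is not a firewall record",
]


def parse_log_line(line: str) -> dict | None:
    """Parse one firewall line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    event["dport"] = int(event["dport"])
    return event


def enrich(event: dict, indicators=INDICATORS, assets=ASSETS) -> dict | None:
    """Return the event joined with indicator and asset context, or None if
    the destination is not a known indicator."""
    ioc = indicators.get(event["dst"])
    if ioc is None:
        return None
    # Hosts missing from inventory still surface: fall back to the raw IP and a
    # medium asset value so the gap is visible rather than silently dropped.
    asset = assets.get(event["src"], {"host": event["src"], "user": "unknown",
                                      "department": "unknown", "asset_value": "medium"})
    return {**event, **ioc, **asset}


def triage(lines, indicators=INDICATORS, assets=ASSETS) -> list[dict]:
    """Match, enrich and rank: indicator priority first, then asset value, then time."""
    hits = []
    for line in lines:
        event = parse_log_line(line)
        if event is None:
            continue
        enriched = enrich(event, indicators, assets)
        if enriched is not None:
            hits.append(enriched)
    hits.sort(key=lambda h: (h["priority"],
                             ASSET_VALUE_RANK.get(h["asset_value"], 1),
                             h["ts"]))
    return hits


def scope(hits) -> dict[str, list[str]]:
    """Scope each threat across the organization: which hosts contacted it."""
    by_threat: dict[str, set[str]] = defaultdict(set)
    for h in hits:
        by_threat[h["threat"]].add(h["host"])
    return {threat: sorted(hosts) for threat, hosts in by_threat.items()}


if __name__ == "__main__":
    ranked = triage(SAMPLE_LOGS)
    for h in ranked:
        print(f'P{h["priority"]} {h["threat"]}: {h["host"]} ({h["user"]}, '
              f'{h["department"]}, value={h["asset_value"]}) -> {h["dst"]}:{h["dport"]}')
    print("scope:", scope(ranked))
```

Run as a script it prints the ranked hits followed by the per-threat host list; the engineering workstation talking to the PlugX indicator lands first, the unidentified 10.0.7.77 second, and the low-value kiosk's adware hit last, which is the ordering a Level 1 analyst should get without running a single lookup by hand.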

Page 23

Questions?

Page 24

The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him.

- Sun Tzu, The Art of War