Upgrade to Pro — share decks privately, control downloads, hide ads and more …

SANS 2019 CTI Summit Keynote

bromiley
January 23, 2019
Technology
1
84

SANS 2019 CTI Summit Keynote

It's 2019. Cyber attacks have no sign of slowing down, nation states are ramping up old groups while bringing new soldiers to the battlefield, and there's little - if any - consequences for those who launch these attacks. To make matters worse, we have annoyances like ransomware and O365 compromises running around, which are keeping our IR teams distracted. Sometimes it feels like there's no solution in sight.

It's time to confront the problem head on - it's time to start moving faster than our attackers. In this talk, let's examine how to bring the six-step incident response process to the _entire_ organization - at scale, and at warp speed. Let's also examine critical gaps in IR processes that are allowing attackers to remain inside the environment, preventing your IR team from ever reaching the remediation and recovery steps. It's time to kick the attacker out, once and for all.

bromiley

January 23, 2019
Tweet

More Decks by bromiley

See All by bromiley
Purple Packets - BSides Austin 2019
bromiley
0
280
I Got 99 Email Problems, and Spearphishing Ain't One
bromiley
0
92
Event Logs? What Event Logs?
bromiley
0
41
Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years
bromiley
0
180
Going Right to the Data, Part 2: An Advanced Look at MS SQL Forensic Analysis
bromiley
0
73
Database Forensics without the Database
bromiley
0
4.6k
Cache Me If You Can!
bromiley
1
440
Beef Up Your DFIR Toolbox with Elasticsearch
bromiley
0
230
NoSQL Forensics: What to do with (No)ARTIFACTS
bromiley
2
400

Other Decks in Technology

See All in Technology
誰も全体を知らない ~ ロールの垣根を超えて引き上げる開発生産性 / Boosting Development Productivity Across Roles
kakehashi
2
230
The Rise of LLMOps
asei
9
1.8k
AI前提のサービス運用ってなんだろう?
ryuichi1208
8
1.4k
Making your applications cross-environment - OSCG 2024 NA
salaboy
0
200
Introduction to Works of ML Engineer in LY Corporation
lycorp_recruit_jp
0
140
DynamoDB でスロットリングが発生したとき/when_throttling_occurs_in_dynamodb_short
emiki
0
270
TypeScript、上達の瞬間
sadnessojisan
48
14k
オープンソースAIとは何か? --「オープンソースAIの定義 v1.0」詳細解説
shujisado
10
1.3k
Oracle Cloud Infrastructure データベース・クラウド:各バージョンのサポート期間
oracle4engineer
PRO
29
13k
OCI 運用監視サービス 概要
oracle4engineer
PRO
0
4.8k
あなたの知らない Function.prototype.toString() の世界
mizdra
PRO
2
380
Python(PYNQ)がテーマのAMD主催のFPGAコンテストに参加してきた
iotengineer22
0
540

Featured

See All Featured
Building Flexible Design Systems
yeseniaperezcruz
327
38k
Code Reviewing Like a Champion
maltzj
520
39k
Large-scale JavaScript Application Architecture
addyosmani
510
110k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
109
49k
Testing 201, or: Great Expectations
jmmastey
38
7.1k
Site-Speed That Sticks
csswizardry
0
33
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
169
50k
Bash Introduction
62gerente
608
210k
A Philosophy of Restraint
colly
203
16k
Why Our Code Smells
bkeepers
PRO
334
57k
Designing for humans not robots
tammielis
250
25k
The Cost Of JavaScript in 2023
addyosmani
45
6.8k

Transcript

  1. ONE, TWO, SKIP A FEW (THOUSAND) Mega-Scale Incident Response

  2. WHOAMI • Matt Bromiley • SANS Instructor (FOR572/FOR508) • Incident

    Responder, Threat Researcher, Hacker of all sorts • Based in Dallas, TX • Somewhat of a foodie

  3. A CASE STUDY IN ENTERPRISE BREACHES

  4. A CASE STUDY IN ENTERPRISE BREACHES 4 • Major global

    corporation • 600+ stores • Campaign spanned nine months in 2017 • Attackers refined card-scraping malware as necessary • Re-deployed to capture terminals that were offline

  5. A CASE STUDY IN ENTERPRISE BREACHES 5

  6. A CASE STUDY IN ENTERPRISE BREACHES 6

  7. A CASE STUDY IN ENTERPRISE BREACHES 7 APAC EU NA

  8. A CASE STUDY IN ENTERPRISE BREACHES 8 APAC EU NA

  9. A CASE STUDY IN ENTERPRISE BREACHES 9 APAC EU NA

    <redacted> Service Account <8-char alphanum password> Administrator <7-char alpha password>

  10. 1 A CASE STUDY IN ENTERPRISE BREACHES - - -

    - - - - - - - - - - - - - - - - - - - fwnmc /Create /SC HOURLY /TN “fwnmc” /RU “ “ /TR “ shell32.dll ShellExecuteA Schtasks.exe SOFTWARE\Microsoft\Windows\CurrentVersion\Run fwnmc - - - - - - - - - - - - - - - - - - - - - - Persistence Priv. Escalation Exfiltration Execution Defense Evasion C2 Cred. Access Collection Lateral Movement Discovery

  11. 1 A CASE STUDY IN ENTERPRISE BREACHES Persistence Priv. Escalation

    Exfiltration Execution Defense Evasion C2 Cred. Access Collection Lateral Movement Discovery C:\documents and settings\all users\application data\serwvdrv32.exe C:\documents and settings\all users\application data\msascui32.exe C:\documents and settings\all users\application data\perfhost32.exe C:\documents and settings\all users\application data\ovftool32.exe C:\documents and settings\all users\application data\atiapfxx32.exe C:\documents and settings\all users\application data\igfxem32.exe C:\documents and settings\all users\application data\gfxuiex32.exe C:\documents and settings\all users\application data\authhost32.exe C:\documents and settings\all users\application data\userinit32.exe C:\documents and settings\all users\application data\rpcping32.exe C:\documents and settings\all users\application data\wowreg32.exe C:\documents and settings\all users\application data\auditpol32.exe C:\documents and settings\all users\application data\faswin.exe C:\documents and settings\all users\application data\igfxtray32.exe C:\documents and settings\all users\application data\igfxext32.exe C:\documents and settings\all users\application data\vssadmin32.exe C:\documents and settings\all users\application data\openssl32.exe C:\documents and settings\all users\application data\asioins32.exe C:\documents and settings\all users\application data\ebhost32.exe C:\documents and settings\all users\application data\smarts32.exe C:\documents and settings\all users\application data\wmi32.exe C:\documents and settings\all users\application data\clientmngr32.exe

  12. 1 A CASE STUDY IN ENTERPRISE BREACHES C:\Users\Administrator\Desktop\weekly schedule manual.pdf

    C:\Users\Administrator\Desktop\store intranet manual.pdf C:\Users\Administrator\Desktop\e-mail passworld changing.pdf C:\Users\Administrator\Desktop\new timeclock.pdf C:\Users\Administrator\Desktop\macau ipos manual_06302014.pdf C:\Users\Administrator\Desktop\mexico ipos manual.pdf C:\Users\Administrator\Desktop\mexico pos manual.pdf C:\Users\Administrator\Desktop\el salvador pos manual.pdf C:\Users\Administrator\Desktop\costa rica pos manual.pdf C:\Users\Administrator\Desktop\chile pos manual _ updated 10-24-2013.pdf C:\Users\Administrator\Desktop\panama pos manual _ updated nov2013.pdf C:\Users\Administrator\Desktop\test store pos manual _091013.pdf C:\Users\Administrator\Desktop\net pos manual 070513.pdf C:\Users\Administrator\Desktop\canada fpos manual.pdf C:\Users\Administrator\Desktop\fpos manual_v1.9.12.pdf Persistence Priv. Escalation Exfiltration Execution Defense Evasion C2 Cred. Access Collection Lateral Movement Discovery

  13. 1 A CASE STUDY IN ENTERPRISE BREACHES • Credential harvesting

    was performed by dumping and exfiltrating out the lsass.exe process. • LSASS (Local Security Authority Subsystem Service) is responsible for enforcing security policy. Persistence Priv. Escalation Exfiltration Execution Defense Evasion C2 Cred. Access Collection Lateral Movement Discovery

  14. 1 A CASE STUDY IN ENTERPRISE BREACHES ABEJV9BR.txt || ssui

    -- 92e410a36175598c594c1c9d489388ae sendspace.com/1536386390412830947557232395131730580430 lastdl -- 490878988 sendspace.com/1536144207411230950253419690163430583125 _ga -- GA1.2.1249074351.1490732055 sendspace.com/1600397313510430729976422018396230583125 _gat -- 1 sendspace.com/160052055270430583126422478442230583125 Persistence Priv. Escalation Exfiltration Execution Defense Evasion C2 Cred. Access Collection Lateral Movement Discovery - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -- - - - - [4:56:01 PM]:C:\Windows\addins\PSTools\psexec.exe \\10.230.28.13 -d -s -f -u \administrator -p <redacted> /c C:\Intel\ag.exe Connecting to 10.230.28.13...Starting PSEXESVC service on 10.230.28.13... Connecting with PsExec service on 10.230.28.13... Copying C:\Intel\ag.exe to 10.230.28.13... Starting C:\Intel\ag.exe on 10.230.28.13... ag.exe started on 10.230.28.13 with process ID 7744. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -- - - - -

  15. 1 A CASE STUDY IN ENTERPRISE BREACHES Persistence Priv. Escalation

    Exfiltration Execution Defense Evasion C2 Cred. Access Collection Lateral Movement Discovery

  16. 1 A CASE STUDY IN ENTERPRISE BREACHES Persistence Priv. Escalation

    Exfiltration Execution Defense Evasion C2 Cred. Access Collection Lateral Movement Discovery

  17. 1 A CASE STUDY IN ENTERPRISE BREACHES - - -

    - - - - - - - - - - - 010200032700L05175ee612.99 010200032700L05ddc2d7e5.sha64 010106032700L057d352977.n9 010106032700L05adffa944.n9 012906032700L050acbff99.99 012906032700L057d1c6381.sha64 123108070600L02948dfec4.n9 010109016700L01b12fc210.f9 010109070600L022cb6ac94.f9 102417037600L03f5fbba13.sha64 102417045600L039f08eb45.sha64 102517012600L041c5e1597.n9 102517026100L026f93d9c5.n9 112317044900L059f67c2ed.f9 - - - - - - - - - - - - Persistence Priv. Escalation Exfiltration Execution Defense Evasion C2 Cred. Access Collection Lateral Movement Discovery

  18. 1 A CASE STUDY IN ENTERPRISE BREACHES C:\Users\Administrator\Desktop\WR.zip C:\Users\Administrator\Desktop\Desktop1.zip C:\Users\Administrator\Desktop\P92.zip

    C:\Users\Administrator\Desktop\Asia.zip C:\Users\Administrator\Desktop\P98.zip C:\Users\Administrator\Desktop\RW.zip C:\Users\Administrator\Desktop\123211.zip C:\Users\Administrator\Desktop\P136.zip Priv. Escalation Exfiltration Execution Defense Evasion C2 Cred. Access Collection Lateral Movement Discovery

  19. LET’S TALK ABOUT DETECTION

  20. LET’S TALK ABOUT DETECTION

  21. LET’S TALK ABOUT PROCESS

  22. SIX-STEP INCIDENT RESPONSE PROCESS Preparation Scoping Containment/Intelligence Development Eradication/Remediation Recovery

    Lessons Learned

  23. SIX-STEP INCIDENT RESPONSE PROCESS Preparation Scoping Containment/Intelligence Development Eradication/Remediation Recovery

    Lessons Learned Dwell Time Time to Contain Time to Remediate

  24. SIX-STEP INCIDENT RESPONSE PROCESS

  25. IS IT WORKING?

  26. IS IR WORKING?

  27. FINDING HOPE

  28. PILLARS OF MEGA-SCALE IR VISIBILITY DETECTION INTEGRATION & AUTOMATION INTELLIGENCE

    COLLABORATION

  29. PILLARS OF MEGA-SCALE IR VISIBILITY DETECTION COLLABORATION INTELLIGENCE INTEGRATION &

    AUTOMATION Your goal an in IR is to achieve these things!

  30. THIS FEELS FAMILIAR SOC IR Team

  31. VISIBILITY

  32. VISIBILITY VISIBILITY IS ESSENTIAL FOR SUCCESSFUL INCIDENT RESPONSE WITHOUT IT,

    HOW CAN YOU EXPECT TO ANSWER WHAT? WHERE? WHEN? HOW?

  33. SLIDING SCALE OF HOST VISIBILITY HOST NETWORK

  34. SLIDING SCALE OF HOST VISIBILITY HOST NETWORK

  35. SLIDING SCALE OF HOST VISIBILITY I need to validate alerts

    I need to scale investigation Scoping Containment/ Intelligence Development

  36. VISIBILITY (HOST) Velociraptor • Improvement on GRR • Endpoint agent

    that provides on- demand access • Written to be faster, more tolerant of network issues • Command-line agent interaction https://docs.velociraptor.velocidex.com/blog/html/index.html

  37. VISIBILITY (HOST) PowerShell • Built into Windows – almost everywhere

    • Powerful scripting

  38. VISIBILITY (HOST) sysmon • Part of the Sysinternals suite •

    Endpoint visibility via logging • Allows you to pipe key events to a central location • Customizable/easily deployable https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

  39. VISIBILITY (HOST) osquery • Created by Facebook • Endpoint visibility

    • Allows you to treat your environment like a database • Ask questions that you cannot ask elsewhere https://osquery.io/

  40. SLIDING SCALE OF NETWORK VISIBILITY Data Privacy We need to

    investigate Scoping Containment/ Intelligence Development

  41. VISIBILITY (NETWORK) NetFlow • You are already generating it! •

    Capture it, use it • Profile your network, find traffic flows • Combine with host data to true 100% visibility

  42. VISIBILITY (NETWORK) Zeek (formerly Bro) • Protocol-aware • Throughput capable

    • Allows for signatures • Allows you to treat your environment like a database • Ask questions that you cannot ask elsewhere https://www.zeek.org/

  43. DETECTION

  44. DETECTION At enterprise scales, you cannot be expected to detect

    things manually Learn to write detections – push them using the aforementioned tools. https://virustotal.github.io/yara/ https://suricata-ids.org/

  45. COLLABORATION

  46. COLLABORATION COLLABORATION IS THE DIVIDING LINE BETWEEN A GOOD TEAM

    AND AN UNSTOPPABLE TEAM.

  47. COLLABORATION TheHive • Allows for individual case management and collaboration

    • You can assign tasks, roles, responsibilities. • Track case metrics • Automatically enrich/enhance data https://thehive-project.org/

  48. INTELLIGENCE

  49. INTELLIGENCE External threat intelligence tells you what’s going on in

    the world Internal threat intelligence tells you what’s going on in your world

  50. INTELLIGENCE (+ AUTOMATION/INTEGRATION) TheHive + Cortex • Ingests observables, automatically

    performs lookups • Allows for integration into multiple tools, such as MISP • Customizable https://thehive-project.org/

  51. AUTOMATION & INTEGRATION

  52. AUTOMATION & INTEGRATION Make all of the above talk to

    each other. Leave the boring stuff to the computers.

  53. AUTOMATION & INTEGRATION I’ve got two acronyms for you. ML

    AI

  54. AUTOMATION & INTEGRATION The future is investigator empowerment, not tool

    enhancement.

  55. TAKEAWAYS

  56. DID I JUST IMPROVE MY SOC? Yes. That’s the point.

  57. KEY TAKEWAYS (1) At a certain point, realize you need

    tools. At a certain point, realize you need people. Make your tools and your people talk to each other.

  58. KEY TAKEWAYS (2) Write detections – you will find things

    about your environment you didn’t know. Deploy detections and let them do their job. Build your in-house knowledge. It will prevent you from making mistakes.

  59. KEY TAKEWAYS (3) Empower your people and team. Your investment

    in them will pay off in them 100-fold.

  60. THANK YOU @MBROMILEYDFIR