
SANS 2019 CTI Summit Keynote

bromiley
January 23, 2019


It's 2019. Cyber attacks show no sign of slowing down, nation states are ramping up old groups while bringing new soldiers to the battlefield, and there are few - if any - consequences for those who launch these attacks. To make matters worse, we have annoyances like ransomware and O365 compromises running around, which are keeping our IR teams distracted. Sometimes it feels like there's no solution in sight.

It's time to confront the problem head-on - it's time to start moving faster than our attackers. In this talk, let's examine how to bring the six-step incident response process to the _entire_ organization - at scale, and at warp speed. Let's also examine critical gaps in IR processes that allow attackers to remain inside the environment, preventing your IR team from ever reaching the remediation and recovery steps. It's time to kick the attacker out, once and for all.



Transcript

  1. WHOAMI • Matt Bromiley • SANS Instructor (FOR572/FOR508) • Incident Responder, Threat Researcher, Hacker of all sorts • Based in Dallas, TX • Somewhat of a foodie
  2. A CASE STUDY IN ENTERPRISE BREACHES • Major global corporation • 600+ stores • Campaign spanned nine months in 2017 • Attackers refined card-scraping malware as necessary • Re-deployed to capture terminals that were offline
  3. A CASE STUDY IN ENTERPRISE BREACHES (diagram: regions APAC, EU and NA; a <redacted> service account with an 8-char alphanumeric password and an Administrator account with a 7-char alphabetic password)
  4. A CASE STUDY IN ENTERPRISE BREACHES (persistence artifacts, shown as fragments on the slide): a scheduled task created with Schtasks.exe /Create /SC HOURLY /TN "fwnmc" /RU " " /TR "..." (the task action is cut off on the slide); a Run-key value named fwnmc under SOFTWARE\Microsoft\Windows\CurrentVersion\Run; and the strings shell32.dll and ShellExecuteA. [Slides 4-12 carry an ATT&CK tactic strip: Persistence, Priv. Escalation, Exfiltration, Execution, Defense Evasion, C2, Cred. Access, Collection, Lateral Movement, Discovery.]
  5. A CASE STUDY IN ENTERPRISE BREACHES: list of attacker executables dropped under C:\documents and settings\all users\application data\ (list omitted)
  6. A CASE STUDY IN ENTERPRISE BREACHES: list of POS and store-operations manuals (PDFs) found on C:\Users\Administrator\Desktop\ (list omitted)
  7. A CASE STUDY IN ENTERPRISE BREACHES • Credential harvesting was performed by dumping the lsass.exe process and exfiltrating the dump. • LSASS (Local Security Authority Subsystem Service) is responsible for enforcing security policy.
  8. A CASE STUDY IN ENTERPRISE BREACHES: browser cookie artifacts for sendspace.com (ABEJV9BR.txt; cookies ssui, lastdl, _ga and _gat), and a PsExec session log:
     [4:56:01 PM]: C:\Windows\addins\PSTools\psexec.exe \\10.230.28.13 -d -s -f -u \administrator -p <redacted> /c C:\Intel\ag.exe
     Connecting to 10.230.28.13...
     Starting PSEXESVC service on 10.230.28.13...
     Connecting with PsExec service on 10.230.28.13...
     Copying C:\Intel\ag.exe to 10.230.28.13...
     Starting C:\Intel\ag.exe on 10.230.28.13...
     ag.exe started on 10.230.28.13 with process ID 7744.
  9. A CASE STUDY IN ENTERPRISE BREACHES (image slide)
  10. A CASE STUDY IN ENTERPRISE BREACHES (image slide)
  11. A CASE STUDY IN ENTERPRISE BREACHES: list of attacker-staged files with opaque names (list omitted)
  12. A CASE STUDY IN ENTERPRISE BREACHES: archives on C:\Users\Administrator\Desktop\: WR.zip, Desktop1.zip, P92.zip, Asia.zip, P98.zip, RW.zip, 123211.zip, P136.zip
  13. PILLARS OF MEGA-SCALE IR: Visibility, Detection, Collaboration, Intelligence, Integration & Automation. Your goal in IR is to achieve these things!
  14. VISIBILITY • Visibility is essential for successful incident response. Without it, how can you expect to answer what? where? when? how?
  15. SLIDING SCALE OF HOST VISIBILITY (diagram: a scale from "I need to validate alerts" to "I need to scale investigation", with the stages Scoping and Containment/Intelligence Development)
  16. VISIBILITY (HOST) Velociraptor • Improvement on GRR • Endpoint agent that provides on-demand access • Written to be faster, more tolerant of network issues • Command-line agent interaction https://docs.velociraptor.velocidex.com/blog/html/index.html
  17. VISIBILITY (HOST) sysmon • Part of the Sysinternals suite • Endpoint visibility via logging • Allows you to pipe key events to a central location • Customizable/easily deployable https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
  18. VISIBILITY (HOST) osquery • Created by Facebook • Endpoint visibility • Allows you to treat your environment like a database • Ask questions that you cannot ask elsewhere https://osquery.io/
  19. SLIDING SCALE OF NETWORK VISIBILITY (diagram: a scale from "Data Privacy" to "We need to investigate", with the stages Scoping and Containment/Intelligence Development)
  20. VISIBILITY (NETWORK) NetFlow • You are already generating it! • Capture it, use it • Profile your network, find traffic flows • Combine with host data for true 100% visibility
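One way to put "profile your network, find traffic flows" into code, as an added example that is not from the talk: it aggregates constructed NetFlow-style records per (source, destination, port) pair and flags pairs whose inter-flow timing is regular, one signature of C2 beaconing that flow data alone can surface. The CSV field names, the addresses and the jitter threshold are assumptions.

```python
"""Profile outbound flows from NetFlow-style records and flag periodic talkers.
Added example for this talk, not the speaker's code; records are constructed
below as a minimal CSV (start seconds, src, dst, dport, bytes)."""
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample: one workstation browsing at irregular intervals and one
# host contacting a single address every 600 s (documentation IP ranges).
SAMPLE_FLOWS = """\
start,src,dst,dport,bytes
1000,10.1.1.20,198.51.100.5,443,48213
1130,10.1.1.20,198.51.100.5,443,9120
1610,10.1.1.20,198.51.100.5,443,120044
2900,10.1.1.20,198.51.100.5,443,30021
1000,10.1.1.57,203.0.113.10,443,1420
1600,10.1.1.57,203.0.113.10,443,1418
2200,10.1.1.57,203.0.113.10,443,1421
2800,10.1.1.57,203.0.113.10,443,1419
3400,10.1.1.57,203.0.113.10,443,1422
"""

def profile(records):
    """Group flows by (src, dst, dport); return count, bytes and timing stats."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(records)):
        key = (row["src"], row["dst"], int(row["dport"]))
        groups[key].append((int(row["start"]), int(row["bytes"])))
    profiles = {}
    for key, flows in groups.items():
        starts = sorted(s for s, _ in flows)
        # Gaps between consecutive flow starts; a beacon keeps them near-constant.
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        profiles[key] = {
            "count": len(flows),
            "bytes": sum(b for _, b in flows),
            "gap_mean": statistics.mean(gaps) if gaps else 0.0,
            "gap_stdev": statistics.pstdev(gaps) if gaps else 0.0,
        }
    return profiles

def find_beacons(profiles, min_flows=4, max_jitter=0.1):
    """Keys whose inter-flow gaps are regular (stdev/mean <= max_jitter)."""
    beacons = []
    for key, p in profiles.items():
        if p["count"] < min_flows or p["gap_mean"] == 0:
            continue
        if p["gap_stdev"] / p["gap_mean"] <= max_jitter:
            beacons.append(key)
    return sorted(beacons)
```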
  21. VISIBILITY (NETWORK) Zeek (formerly Bro) • Protocol-aware • Throughput capable • Allows for signatures • Allows you to treat your environment like a database • Ask questions that you cannot ask elsewhere https://www.zeek.org/
  22. DETECTION At enterprise scales, you cannot be expected to detect things manually. Learn to write detections – push them using the aforementioned tools. https://virustotal.github.io/yara/ https://suricata-ids.org/
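A detection in the spirit of this slide, covering the LSASS dump from the case study (slide 7) and using sysmon from slide 17, written as an added example that is not the speaker's code: it runs over constructed Sysmon Event ID 10 (ProcessAccess) records and flags non-allow-listed processes that open lsass.exe with memory-read rights. The allow-list contents and the sample paths are assumptions.

```python
"""Flag suspicious handles on lsass.exe in Sysmon Event ID 10 (ProcessAccess).
Added example for this talk, not the speaker's code; events are constructed
below as one JSON object per line mirroring Sysmon's field names."""
import json

# PROCESS_VM_READ is the right a memory dump needs; masks commonly seen from
# dumping tools (0x1010, 0x1410, 0x1FFFFF) all set it.
PROCESS_VM_READ = 0x0010

# Hypothetical allow-list of processes that legitimately read lsass memory
# (assumption, tune per environment).
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

def is_suspicious_lsass_access(event):
    """True when a non-allow-listed process opens lsass.exe with VM_READ."""
    target = event.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    if not granted & PROCESS_VM_READ:
        return False
    return event.get("SourceImage", "").lower() not in ALLOWED_SOURCES

def scan(lines):
    """Parse one JSON event per line; return flagged Event ID 10 records."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("EventID") == 10 and is_suspicious_lsass_access(event):
            hits.append(event)
    return hits

# Constructed sample: an allow-listed full-access handle, a query-only handle,
# an access to a different target, and a dump-style handle from a placeholder
# binary path (not an IoC from the talk).
SAMPLE_EVENTS = r"""
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\taskmgr.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1400"}
{"EventID": 10, "SourceImage": "C:\\Windows\\explorer.exe", "TargetImage": "C:\\Windows\\System32\\svchost.exe", "GrantedAccess": "0x1010"}
{"EventID": 10, "SourceImage": "C:\\Users\\Public\\tmp\\dump.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
""".splitlines()
```

Running scan(SAMPLE_EVENTS) returns only the dump.exe record; the same predicate can be pushed into a SIEM query or a Sysmon-forwarded pipeline once the allow-list reflects your environment.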
  23. COLLABORATION TheHive • Allows for individual case management and collaboration • You can assign tasks, roles, responsibilities • Track case metrics • Automatically enrich/enhance data https://thehive-project.org/
  24. INTELLIGENCE External threat intelligence tells you what’s going on in the world. Internal threat intelligence tells you what’s going on in your world.
  25. INTELLIGENCE (+ AUTOMATION/INTEGRATION) TheHive + Cortex • Ingests observables, automatically performs lookups • Allows for integration into multiple tools, such as MISP • Customizable https://thehive-project.org/
  26. AUTOMATION & INTEGRATION Make all of the above talk to each other. Leave the boring stuff to the computers.
  27. KEY TAKEAWAYS (1) At a certain point, realize you need tools. At a certain point, realize you need people. Make your tools and your people talk to each other.
  28. KEY TAKEAWAYS (2) Write detections – you will find things about your environment you didn’t know. Deploy detections and let them do their job. Build your in-house knowledge. It will prevent you from making mistakes.