SANS 2019 CTI Summit Keynote

Transcript

1. ONE, TWO, SKIP A FEW (THOUSAND) Mega-Scale Incident Response

2. WHOAMI • Matt Bromiley • SANS Instructor (FOR572/FOR508) • Incident

   Responder, Threat Researcher, Hacker of all sorts • Based in Dallas, TX • Somewhat of a foodie

3. A CASE STUDY IN ENTERPRISE BREACHES

4. A CASE STUDY IN ENTERPRISE BREACHES 4 • Major global

   corporation • 600+ stores • Campaign spanned nine months in 2017 • Attackers refined card-scraping malware as necessary • Re-deployed to capture terminals that were offline

5. A CASE STUDY IN ENTERPRISE BREACHES 5

6. A CASE STUDY IN ENTERPRISE BREACHES 6

7. A CASE STUDY IN ENTERPRISE BREACHES 7 APAC EU NA

8. A CASE STUDY IN ENTERPRISE BREACHES 8 APAC EU NA

9. A CASE STUDY IN ENTERPRISE BREACHES 9 APAC EU NA

   <redacted> Service Account <8-char alphanum password> Administrator <7-char alpha password>

10. 1 A CASE STUDY IN ENTERPRISE BREACHES - - -

    - - - - - - - - - - - - - - - - - - - fwnmc /Create /SC HOURLY /TN “fwnmc” /RU “ “ /TR “ shell32.dll ShellExecuteA Schtasks.exe SOFTWARE\Microsoft\Windows\CurrentVersion\Run fwnmc - - - - - - - - - - - - - - - - - - - - - - Persistence Priv. Escalation Exfiltration Execution Defense Evasion C2 Cred. Access Collection Lateral Movement Discovery

11. 1 A CASE STUDY IN ENTERPRISE BREACHES Persistence Priv. Escalation

    Exfiltration Execution Defense Evasion C2 Cred. Access Collection Lateral Movement Discovery C:\documents and settings\all users\application data\serwvdrv32.exe C:\documents and settings\all users\application data\msascui32.exe C:\documents and settings\all users\application data\perfhost32.exe C:\documents and settings\all users\application data\ovftool32.exe C:\documents and settings\all users\application data\atiapfxx32.exe C:\documents and settings\all users\application data\igfxem32.exe C:\documents and settings\all users\application data\gfxuiex32.exe C:\documents and settings\all users\application data\authhost32.exe C:\documents and settings\all users\application data\userinit32.exe C:\documents and settings\all users\application data\rpcping32.exe C:\documents and settings\all users\application data\wowreg32.exe C:\documents and settings\all users\application data\auditpol32.exe C:\documents and settings\all users\application data\faswin.exe C:\documents and settings\all users\application data\igfxtray32.exe C:\documents and settings\all users\application data\igfxext32.exe C:\documents and settings\all users\application data\vssadmin32.exe C:\documents and settings\all users\application data\openssl32.exe C:\documents and settings\all users\application data\asioins32.exe C:\documents and settings\all users\application data\ebhost32.exe C:\documents and settings\all users\application data\smarts32.exe C:\documents and settings\all users\application data\wmi32.exe C:\documents and settings\all users\application data\clientmngr32.exe

12. 1 A CASE STUDY IN ENTERPRISE BREACHES C:\Users\Administrator\Desktop\weekly schedule manual.pdf

    C:\Users\Administrator\Desktop\store intranet manual.pdf C:\Users\Administrator\Desktop\e-mail passworld changing.pdf C:\Users\Administrator\Desktop\new timeclock.pdf C:\Users\Administrator\Desktop\macau ipos manual_06302014.pdf C:\Users\Administrator\Desktop\mexico ipos manual.pdf C:\Users\Administrator\Desktop\mexico pos manual.pdf C:\Users\Administrator\Desktop\el salvador pos manual.pdf C:\Users\Administrator\Desktop\costa rica pos manual.pdf C:\Users\Administrator\Desktop\chile pos manual _ updated 10-24-2013.pdf C:\Users\Administrator\Desktop\panama pos manual _ updated nov2013.pdf C:\Users\Administrator\Desktop\test store pos manual _091013.pdf C:\Users\Administrator\Desktop\net pos manual 070513.pdf C:\Users\Administrator\Desktop\canada fpos manual.pdf C:\Users\Administrator\Desktop\fpos manual_v1.9.12.pdf Persistence Priv. Escalation Exfiltration Execution Defense Evasion C2 Cred. Access Collection Lateral Movement Discovery

13. 1 A CASE STUDY IN ENTERPRISE BREACHES • Credential harvesting

    was performed by dumping and exfiltrating out the lsass.exe process. • LSASS (Local Security Authority Subsystem Service) is responsible for enforcing security policy. Persistence Priv. Escalation Exfiltration Execution Defense Evasion C2 Cred. Access Collection Lateral Movement Discovery

14. 1 A CASE STUDY IN ENTERPRISE BREACHES ABEJV9BR.txt || ssui

    -- 92e410a36175598c594c1c9d489388ae sendspace.com/1536386390412830947557232395131730580430 lastdl -- 490878988 sendspace.com/1536144207411230950253419690163430583125 _ga -- GA1.2.1249074351.1490732055 sendspace.com/1600397313510430729976422018396230583125 _gat -- 1 sendspace.com/160052055270430583126422478442230583125 Persistence Priv. Escalation Exfiltration Execution Defense Evasion C2 Cred. Access Collection Lateral Movement Discovery - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -- - - - - [4:56:01 PM]:C:\Windows\addins\PSTools\psexec.exe \\10.230.28.13 -d -s -f -u \administrator -p <redacted> /c C:\Intel\ag.exe Connecting to 10.230.28.13...Starting PSEXESVC service on 10.230.28.13... Connecting with PsExec service on 10.230.28.13... Copying C:\Intel\ag.exe to 10.230.28.13... Starting C:\Intel\ag.exe on 10.230.28.13... ag.exe started on 10.230.28.13 with process ID 7744. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -- - - - -

15. 1 A CASE STUDY IN ENTERPRISE BREACHES Persistence Priv. Escalation

    Exfiltration Execution Defense Evasion C2 Cred. Access Collection Lateral Movement Discovery

16. 1 A CASE STUDY IN ENTERPRISE BREACHES Persistence Priv. Escalation

    Exfiltration Execution Defense Evasion C2 Cred. Access Collection Lateral Movement Discovery

17. 1 A CASE STUDY IN ENTERPRISE BREACHES - - -

    - - - - - - - - - - - 010200032700L05175ee612.99 010200032700L05ddc2d7e5.sha64 010106032700L057d352977.n9 010106032700L05adffa944.n9 012906032700L050acbff99.99 012906032700L057d1c6381.sha64 123108070600L02948dfec4.n9 010109016700L01b12fc210.f9 010109070600L022cb6ac94.f9 102417037600L03f5fbba13.sha64 102417045600L039f08eb45.sha64 102517012600L041c5e1597.n9 102517026100L026f93d9c5.n9 112317044900L059f67c2ed.f9 - - - - - - - - - - - - Persistence Priv. Escalation Exfiltration Execution Defense Evasion C2 Cred. Access Collection Lateral Movement Discovery

18. 1 A CASE STUDY IN ENTERPRISE BREACHES C:\Users\Administrator\Desktop\WR.zip C:\Users\Administrator\Desktop\Desktop1.zip C:\Users\Administrator\Desktop\P92.zip

    C:\Users\Administrator\Desktop\Asia.zip C:\Users\Administrator\Desktop\P98.zip C:\Users\Administrator\Desktop\RW.zip C:\Users\Administrator\Desktop\123211.zip C:\Users\Administrator\Desktop\P136.zip Priv. Escalation Exfiltration Execution Defense Evasion C2 Cred. Access Collection Lateral Movement Discovery

19. LET’S TALK ABOUT DETECTION

20. LET’S TALK ABOUT DETECTION

21. LET’S TALK ABOUT PROCESS

22. SIX-STEP INCIDENT RESPONSE PROCESS Preparation Scoping Containment/Intelligence Development Eradication/Remediation Recovery

    Lessons Learned

23. SIX-STEP INCIDENT RESPONSE PROCESS Preparation Scoping Containment/Intelligence Development Eradication/Remediation Recovery

    Lessons Learned Dwell Time Time to Contain Time to Remediate

24. SIX-STEP INCIDENT RESPONSE PROCESS

25. IS IT WORKING?

26. IS IR WORKING?

27. FINDING HOPE

28. PILLARS OF MEGA-SCALE IR VISIBILITY DETECTION INTEGRATION & AUTOMATION INTELLIGENCE

    COLLABORATION

29. PILLARS OF MEGA-SCALE IR VISIBILITY DETECTION COLLABORATION INTELLIGENCE INTEGRATION &

    AUTOMATION Your goal an in IR is to achieve these things!

30. THIS FEELS FAMILIAR SOC IR Team

31. VISIBILITY

32. VISIBILITY VISIBILITY IS ESSENTIAL FOR SUCCESSFUL INCIDENT RESPONSE WITHOUT IT,

    HOW CAN YOU EXPECT TO ANSWER WHAT? WHERE? WHEN? HOW?

33. SLIDING SCALE OF HOST VISIBILITY HOST NETWORK

34. SLIDING SCALE OF HOST VISIBILITY HOST NETWORK

35. SLIDING SCALE OF HOST VISIBILITY I need to validate alerts

    I need to scale investigation Scoping Containment/ Intelligence Development

36. VISIBILITY (HOST) Velociraptor • Improvement on GRR • Endpoint agent

    that provides on- demand access • Written to be faster, more tolerant of network issues • Command-line agent interaction https://docs.velociraptor.velocidex.com/blog/html/index.html

37. VISIBILITY (HOST) PowerShell • Built into Windows – almost everywhere

    • Powerful scripting

38. VISIBILITY (HOST) sysmon • Part of the Sysinternals suite •

    Endpoint visibility via logging • Allows you to pipe key events to a central location • Customizable/easily deployable https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

39. VISIBILITY (HOST) osquery • Created by Facebook • Endpoint visibility

    • Allows you to treat your environment like a database • Ask questions that you cannot ask elsewhere https://osquery.io/

40. SLIDING SCALE OF NETWORK VISIBILITY Data Privacy We need to

    investigate Scoping Containment/ Intelligence Development

41. VISIBILITY (NETWORK) NetFlow • You are already generating it! •

    Capture it, use it • Profile your network, find traffic flows • Combine with host data to true 100% visibility

42. VISIBILITY (NETWORK) Zeek (formerly Bro) • Protocol-aware • Throughput capable

    • Allows for signatures • Allows you to treat your environment like a database • Ask questions that you cannot ask elsewhere https://www.zeek.org/

43. DETECTION

44. DETECTION At enterprise scales, you cannot be expected to detect

    things manually Learn to write detections – push them using the aforementioned tools. https://virustotal.github.io/yara/ https://suricata-ids.org/

45. COLLABORATION

46. COLLABORATION COLLABORATION IS THE DIVIDING LINE BETWEEN A GOOD TEAM

    AND AN UNSTOPPABLE TEAM.

47. COLLABORATION TheHive • Allows for individual case management and collaboration

    • You can assign tasks, roles, responsibilities. • Track case metrics • Automatically enrich/enhance data https://thehive-project.org/

48. INTELLIGENCE

49. INTELLIGENCE External threat intelligence tells you what’s going on in

    the world Internal threat intelligence tells you what’s going on in your world

50. INTELLIGENCE (+ AUTOMATION/INTEGRATION) TheHive + Cortex • Ingests observables, automatically

    performs lookups • Allows for integration into multiple tools, such as MISP • Customizable https://thehive-project.org/

51. AUTOMATION & INTEGRATION

52. AUTOMATION & INTEGRATION Make all of the above talk to

    each other. Leave the boring stuff to the computers.

53. AUTOMATION & INTEGRATION I’ve got two acronyms for you. ML

    AI

54. AUTOMATION & INTEGRATION The future is investigator empowerment, not tool

    enhancement.

55. TAKEAWAYS

56. DID I JUST IMPROVE MY SOC? Yes. That’s the point.

57. KEY TAKEWAYS (1) At a certain point, realize you need

    tools. At a certain point, realize you need people. Make your tools and your people talk to each other.

58. KEY TAKEWAYS (2) Write detections – you will find things

    about your environment you didn’t know. Deploy detections and let them do their job. Build your in-house knowledge. It will prevent you from making mistakes.

59. KEY TAKEWAYS (3) Empower your people and team. Your investment

    in them will pay off in them 100-fold.

60. THANK YOU @MBROMILEYDFIR