MT 68 Hunting for the Threat: When You Don’t Know If You’ve Been Breached

Advanced cyber threat actors are penetrating networks in ways that fly below the radar of existing information security technologies, creating hidden network threats.
Your IT and IT security personnel may not know if your organization has been compromised, and lack the specialized intelligence, tools and expertise required to determine the answer. No matter the industry, whether you are in banking, healthcare or even retail, compliance can be affected due to payment card breaches or from other sensitive data being leaked due to a compromised network.
Learn how and why the right hunting technology and threat intelligence can illuminate the complete threat context and determine next steps to help you engage and resist the adversary.



  1. Classification: //SecureWorks/Confidential - Limited External Distribution: Dell - Internal Use - Confidential. Seeing the Unseen: Detecting the Advanced Persistent Threat
  2. Housekeeping Notes: Submit questions at any time in the Questions tab. Check the Attachments tab for related resources. Please rate today’s presentation. Reminder: audio will be played through your computer speakers. If you cannot hear, please contact BrightTalk support.
  3. Seeing the Unseen: Detecting the Advanced Persistent Threat
  4. Agenda: Threat hunting, what it is, what it’s not, and numbers; Stories from the field; Recommendations and summary; Questions.
  5. Threat Hunting: what it is, what it’s not, and numbers
  6. Advanced Threat Actors are Evading Detection. 65% say attacks are evading detection [1]. Only 24% were alerted by their endpoint technologies [1]. 66% of breach notifications come from a third party [2]. 46% of breaches are found by accident [1]. 33% discover breaches two years after the incident [1]. 100% of SecureWorks engagements saw adversaries “live off the land” in some capacity [2]. Adversaries are operating in environments undetected for weeks, months, or even years. Sources: [1] Ponemon Institute’s 2014 State of Endpoint Risk Report; [2] SecureWorks Counter Threat Unit, Special Ops Division.
  7. Advanced Persistent Threats seldom hide in obvious places. Not Always High Value Targets: in flat networks (most networks), the high value assets like sensitive file and database servers are also reachable from the HR, admin and night watchman’s computers. Asset Management Issues: decommissioned systems that were never turned off; attack surface blind spots. Systems Outside Your Control: remote access from personal systems/devices. Covering Your Connectivity: infection placement where traffic is not monitored (small offices, etc.).
  8. More Organizations are Seeking Greater Visibility: FBI contact; you may already be breached; competition has been breached; baseline of new environment; acquiring another entity; new business partners; new leadership; new baseline assessment; understand where weaknesses are; organizational change; new technology; new global operations.
  9. Hunting Must Answer These Questions: Help!?! Have I been compromised? Are they still in my network? Who are they? How did they get in? Which systems have been compromised? What did they take? How do I get them out? How do I prevent them from getting back in? How do I best repair the damage quickly?
  10. Hunting Ultimate Goals: Provide high confidence in answering whether your organization is compromised. Provide an analysis of where vulnerabilities are in your network and how to mitigate them.
  11. What Hunting is NOT: One and done. A sales pitch. A rigid “one size fits all” playbook. Just technology. Always bad news.
  12. What a Hunting Provider Must Do: Deploy hunting technology across network and hosts. Collect data from the client environment. Apply intelligence (TIMS, the Threat Intelligence Management System). Analysis and active investigation: investigate, analyze, apply context, draw conclusions, formulate guidance.
  13. The Process: Detect the presence of sophisticated threat actors. Inspect networks and hosts for traces of compromise. Determine the right steps to mitigate the threat. Deploy hunting technology: proprietary tools provide deep visibility to detect attacker presence in networks and hosts. Investigate threat indicators: a security consultant uses expertise and CTU intelligence to enrich findings with total attack context. Adversary found: if an adversary is found in an environment, we will initiate an Incident Response engagement.
  14. Threat Intelligence Gathering (Cyber Threat Intelligence): strategic relationships, honeypots, CTU investigations, sinkholes, underground communications, public and private feeds, C2 monitoring, website scraping, social media, incident response, MSS client event data, malware analysis.
  15. Cross View Analysis. Endpoint: ability to capture and search indicators at the host level (processes, kernel objects, file system, memory, registry, network, users, scheduled tasks); ability to correlate host and network activity. Network Traffic Analysis: flow, IDS, PCAP, advanced malware protection. Advanced Log Analysis: proxy, firewall, DNS, remote access, webmail and other public facing servers.
  16. Project Overview (goal: wide scope + deep analysis): Deploy hunting technology (network, hosts, logs). Investigate threat indicators (malware analysis). Eradicate threats. Outcome is either Breach (cyber incident response) or Assurance. Enhance protections.
  17. Project Overview (goal: wide scope + deep analysis): Deploy hunting technology (network, hosts, logs). Investigate threat indicators (malware analysis, threat group intel). Eradicate threats. Outcome is either Breach (cyber incident response) or Assurance. Enhance protections.
  19. Stories from the field
  20. Third Party Intrusion (image: http://static.businessinsider.com/image/552c1a81eab8ea3213187244/image.jpg)
  21. The victim: International defense contractor spanning multiple verticals. Strong perimeter defenses with all the toys: malware sandboxing, IDS/IPS, above-average logging, firewalls with both ingress and egress filtering. Nascent endpoint monitoring program: multiple endpoint monitoring technologies deployed; some systems had no endpoint monitoring at all.
  22. The Threat Actor: TG-0055. History of targeted attacks against the victim; quick, agile, objective-driven; well-instrumented; likely military-trained and funded. Tools: PlugX and HKDoor (full featured RATs); China Chopper web shell; ASPXSPY; WMIExec (similar to Sysinternals psexec); Windows Credential Editor (WCE); gsecdump; Mimikatz; Nbtscan.
  23. The Network: Domain A, Domain B, Third-Party.
  24. What happened: AD logs uncovered a pattern of audit failures in Domain A from a small, rural office that provided remote customer support. IT in this remote office was outsourced to a local company. The third party was running multiple internet-accessible, EOL Windows servers. Several systems managed by the third party were misconfigured to bridge the local office network to Domain A.
  26. Eviction Planning, example remediation steps: Contacted law enforcement. Deployed Red Cloak across the environment. Uploaded malware sample to AV vendor for a custom definition. Implemented 2FA for VPN. Implemented 2FA for web mail. Implemented 2FA for domain administrators. Blocked all known and suspected malicious network indicators. Quarantined affected systems. Changed the KRBTGT password. Deployed KB2871997 (PtH mitigation patch). Disabled Citrix access. Disabled VPN access. Reset passwords globally (both domain and local). Removed trust with third-party networks. Unpublished administrative applications from Citrix. Deprecated EOL systems. Reimaged affected systems.
  27. Third Party Systems. Problems with these third-party systems: no visibility with endpoint sensors; no network filtering between the third-party network and Domain A; no logging requirements for the third party. Analysis of the third-party systems generating audit failures in Domain A found evidence of malicious activity predating the Citrix exploitation. Approximately a week and a half after the eviction activities, the adversary successfully re-entered the third-party environment: likely used the existing HKDoor backdoor; a China Chopper web shell was created; attempted to scan the network for Domain A, but both the network bridge and the domain trust had been removed. Ultimately, no evidence of lateral movement or persistence in Domain A or Domain B after eviction.
  28. Incident Metrics and Lessons Learned. A large budget does not equate to strong defenses. Adversaries adapt to the environment. Allies cannot be ultimately responsible for your safety. Time to detection: third party (unmonitored) to Domain A, 11 days; access to Domain A (monitored), 3 hours; time from identifying target data to exfiltration, 14 hours; total incident duration, 25 days.
  29. It’s not always bad news (Case #2). Provide Leadership Security Assurance: the client wanted to provide leadership a high confidence answer on whether or not there were any unknown adversaries in their network. Opportunistic Threats Found: at the end of the engagement no targeted activity was found; however, opportunistic threats were identified. Environment Could be Compromised: this indicated that an advanced persistent threat could potentially gain access to the environment. Knowledge = Power. Likely Attack Vectors: through the hunting engagement we provided the most likely attack vectors a targeted threat could use, including spear-phishing and web-based endpoint compromises.
  30. Recommendations and Summary
  31. Recommendations. Tactical: 1. 2FA is a must at any/all externally facing systems. 2. Visibility of the endpoint is king (lots of ways to do this). 3. Segment networks. 4. Make sure you are logging remote access systems (and check frequently for low hanging fruit). 5. Take back the admin creds. 6. Maintain network awareness at all times. Strategic: 1) Have a plan, and make it as thorough as possible (instrumentation, logging, analysis methodology). 2) A plan without practice will fail at first contact. 3) Know who to call. 4) Be realistic with yourself: capabilities versus needs (technology, skills, will power). 5) Who and why doesn’t matter if you can’t see it or respond to it anyway. 6) Build your personal and professional network of allies and leverage them to get your leadership on board.
  32. Questions?
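Slide 24 describes the first visible trace of the intrusion as a pattern of AD audit failures coming from an unmonitored remote office, and slide 31 recommends checking remote access logs frequently for low hanging fruit. The following is an added example of such a check (not SecureWorks code and not from the deck): it groups Windows authentication audit failures by source /24 and flags subnets outside the monitored ranges that show repeated failures against several accounts. The log lines, hostnames, subnets, monitored range and thresholds are all constructed for illustration.

```python
"""Hunt for clustered authentication audit failures, as in the third-party
intrusion on slide 24. Added example, not SecureWorks code. Event IDs 4625
(failed logon) and 4776 (NTLM credential validation failure) are real Windows
Security event IDs; every log line, host and subnet below is constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

AUDIT_FAILURE_IDS = {4625, 4776}
# Constructed sample log: timestamp, event ID, account, workstation, source IP.
SAMPLE_LOG = """\
2015-03-02T01:12:04Z 4625 jsmith HQ-WS-101 10.1.20.15
2015-03-02T02:41:30Z 4625 svc_backup RURAL-RDP01 192.168.50.7
2015-03-02T02:41:33Z 4625 administrator RURAL-RDP01 192.168.50.7
2015-03-02T02:41:37Z 4776 administrator RURAL-RDP01 192.168.50.7
2015-03-02T02:41:40Z 4625 da_admin RURAL-RDP01 192.168.50.7
2015-03-02T02:42:02Z 4625 da_admin RURAL-SUP02 192.168.50.9
2015-03-02T02:42:15Z 4776 svc_sql RURAL-SUP02 192.168.50.9
2015-03-02T09:15:00Z 4625 jsmith HQ-WS-101 10.1.20.15
"""

def parse_events(text):
    # Parse the simplified log format above into one dict per event.
    events = []
    for line in text.splitlines():
        ts, eid, account, host, src = line.split()
        events.append({"ts": ts, "eid": int(eid), "account": account,
                       "host": host, "src": ip_address(src)})
    return events

def hunt_audit_failures(events, monitored_nets, min_failures=3, min_accounts=2):
    """Group audit failures by source /24; flag subnets outside the monitored
    ranges with repeated failures against several accounts (credential guessing
    or reuse from an unmonitored segment, as seen from the rural office)."""
    nets = [ip_network(n) for n in monitored_nets]
    stats = defaultdict(lambda: {"failures": 0, "accounts": set(), "hosts": set()})
    for ev in events:
        if ev["eid"] not in AUDIT_FAILURE_IDS:
            continue
        subnet = ip_network(f"{ev['src']}/24", strict=False)
        stats[subnet]["failures"] += 1
        stats[subnet]["accounts"].add(ev["account"])
        stats[subnet]["hosts"].add(ev["host"])
    findings = []
    for subnet, s in stats.items():
        if any(subnet.subnet_of(n) for n in nets):
            continue  # source is a monitored corporate range; leave to the SOC
        if s["failures"] >= min_failures and len(s["accounts"]) >= min_accounts:
            findings.append({"subnet": str(subnet), "failures": s["failures"],
                             "accounts": sorted(s["accounts"]), "hosts": sorted(s["hosts"])})
    return findings
```

Running `hunt_audit_failures(parse_events(SAMPLE_LOG), ["10.0.0.0/8"])` returns one finding for 192.168.50.0/24 with six failures against four accounts from two hosts, the kind of cluster that in the case study pointed at the bridged third-party office.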