The Internal Signs of Compromise
Do you know the internal signs of a compromise? This deck takes you through the process our Mandiant services teams go through to help discover if an organization has been compromised. You can also view the full webinar here: https://www.brighttalk.com/webcast/10703/187133?utm_source=SS

Published in: Technology

© Mandiant, a FireEye Company. All rights reserved.

1. Know before others… Do you know the internal signs of a compromise?
Methodology, Technology, and Services
Stuart Davis, Mandiant Director

2. Agenda
 Background: Threat landscape
 Methodology: Evolution of Incident Response
 Technology: How MANDIANT finds Evil
 Services: What MANDIANT can provide

3. THREAT LANDSCAPE
Evolution of Incident Response

4. EVOLVING THREAT LANDSCAPE
It’s a “who,” not a “what”
 There is a human at a keyboard
- Highly tailored and customized attacks
- Targeted specifically at you
 They are professional, organized and well funded
- Escalate sophistication of tactics as needed
- Relentlessly focused on their objective
- If you kick them out they will return
 They have specific objectives
- Their goal is long-term occupation
- Persistence tools and tactics ensure ongoing access

5. ANATOMY OF A TARGETED ATTACK
- Initial Compromise: Gain Initial Access Into Target
- Establish Foothold: Strengthen Position within Target
- Escalate Privileges: Steal Valid User Credentials
- Internal Recon: Identify Target Data
- Move Laterally / Maintain Presence (repeated as needed)
- Complete Mission: Package and Steal Target Data

6. TIME FROM INITIAL COMPROMISE TO DISCOVERY
Median number of days that threat groups were present on a victim’s network before detection:
- 2011: 416
- 2012: 243
- 2013: 229
- 2014: 205
Source: Mandiant M-Trends 2015
The longest time we detected attackers had been present in the victim’s environment was 2,982 days (over 8 years).

7. METHODOLOGY
Evolution of Incident Response

8. History of DFIR (Digital Forensics and Incident Response)
- 1995: Disk Forensics
- 2005: Memory Forensics
- 2010: Live Response, Network Forensics

9. 1st Generation (1995-): Disk Forensics
 What to analyze
- File System: Full Disk / Event logs / Prefetch / Registry Hives / Browser History / Scheduled Tasks / etc.
 How to analyze
- Shut down system, unmount disk
- Connect to write blocker > make disk image
- Analyze with tools
 Tools to use
- The Sleuth Kit & Autopsy (Open Source)
- Guidance EnCase
- AccessData FTK
- X-Ways

10. 1st Generation (1995-): Disk Forensics (cont.)
 Pros
- Data recovery (carving)
- Law enforcement
 Cons
- Business impact: shutdown of system
- Difficult to collect: disk encryption, RAID, NAS, cloud
- Dead artifacts: no live data from memory
- Scale: disk by disk
 Cost-effectiveness
- 1 disk for 1 week
- JPY 1,500,000 / disk
- Up to 100 hosts (100 weeks = 2 years?)

11. 2nd Generation (2005-): Memory Forensics
 What to analyze
- Memory: Processes / Drivers / Handles / Network Connections / etc.
 How to analyze
- Mount external USB or network drive
- Dump physical memory
- Analyze with tools
 Tools
- Volatility (Open Source)
- Mandiant Redline (Free)

12. 2nd Generation (2005-): Memory Forensics (cont.)
 Pros
- No business impact
- Live data acquisition
 Cons
- Limited raw disk access
- Scale: host by host
 Cost-effectiveness
- 1 memory dump for half a week
- $8K USD / host (forensics specialist needed)
- Up to 100 hosts (50 weeks = 1 year?)

13. 3rd Generation (2010-): Live Response
 What to analyze
- File system and memory forensics, performed remotely
 How to analyze
- Server/agent-based
- Execute a job on the host via the agent and feed the result back to the server
- Analyze the result with central tools
 Tools
- GRR (Open Source)
- Guidance EnCase Enterprise
- ManTech Active Defense

14. 3rd Generation (2010-): Live Response (cont.)
 Pros
- No business impact
- Enterprise scale
- Speed
 Cons
- No proactive detection
- Lack of intelligence
- Need extensive knowledge
 Cost-effectiveness
- Per-host license

15. 3rd Generation (2010-): Network Forensics
 What to analyze
- Full packets / Session data / Protocol logs / Statistics
 How to analyze
- Packet capture
- Protocol parsing
- Analyze the result with central tools
 Network forensic tools
- Security Onion (Open Source)
- BlueCoat Solera Networks
- RSA Security Analytics (NetWitness)

16. 3rd Generation (2010-): Network Forensics (cont.)
 Pros
- No business impact
- Network visibility
 Cons
- No visibility into encrypted traffic
- No proactive detection
- Lack of intelligence
- Need extensive knowledge
 Cost-effectiveness
- Depends on traffic volume and storage

17. Traditional Incident Response Process
Identify System > Collect Data > Analyze Data > Report

18. Breadcrumb Trail
 Incidents rarely have a simple, linear trail of evidence
- Multiple “patient zero” hosts
- Multiple pivot points for lateral movement
- Forensic artifacts disappear over time
- Noise from commodity malware

19. Scoping Incidents (CONFIDENTIAL)
Diagram: Phishing Campaigns > Compromised Hosts > Accessed Hosts; Hosts with Non-Targeted Malware shown alongside.

20. Scoping Incidents (CONFIDENTIAL)
Diagram: Phishing Campaigns > Compromised Hosts > Accessed Hosts, with unknown (?) elements at each stage.

21. Hunting
 Can’t wait for an alarm to go off before investigating
 Intelligence driven
Diagram: Hosts & Network Devices > Gather Sources of Evidence > Identify systems of interest, generate new leads (cycle).

22. INCIDENT RESPONSE AND PREPAREDNESS CYCLE
Questions: AM I AT RISK? AM I PREPARED? AM I COMPROMISED? I AM BREACHED! PREPARE FOR FUTURE EVENTS?
Services:
• Red Teaming and Penetration Testing
• ICS Security Assessment
• Security Program Assessment (SPA)
• Response Readiness Assessment (RRA)
• Other strategic services
• Compromise Assessment (CA)
• Incident Response (IR)
• Cyber Defense Center Development (CDC)
• SOC/CIRT transformation
• Incident Response Retainer
• Education
• Deployment & Integration

23. COMPROMISE ASSESSMENT (AM I COMPROMISED?)
Evaluate your environment for the presence of targeted attacker activity using the same methods and technologies used during our incident investigations.
OUR APPROACH
• Deploy network and host based inspection technology for comprehensiveness, efficiency, and scale
• Apply intelligence from prior investigations and our own knowledge of attack group tools, tactics, and procedures to assess your environment
• Analyze evidence and anomalous activity to confirm malicious activity
• Summarize our findings and provide strategic recommendations based upon our observations during the engagement
VALUE
• Understand the health of your network, whether or not you have been breached
DIFFERENTIATORS
• Same technology used in all Mandiant investigations for comprehensiveness, efficiency, and scale
• Leverage all of our Intel to search for signs of compromise across the environment
• Pivot into Incident Response mode if targeted attacker activity is identified

24.–28. (image-only slides)

29. TECHNOLOGY
How MANDIANT finds Evil

30. Investigative Cycle
 Indicators Of Compromise (IOC)
 Host inspection (MIR)
 Network analysis (NTAP)
 Log analysis (TAP)
 Malware reverse engineering
 Threat Intelligence Analysis

31. Indicators Of Compromise (IOCs)
 Indicator Of Compromise
 A way of describing threat data such as
- Malware
- Attacker methodology
- Evidence of compromise or activity
 What is an indicator?
- MD5: change frequently
- File names/directories: many reused
- Registry key values: many reused
- Services with wrong service DLLs: outliers
- IPs and domain names: change frequently

32. Network: Attacker Monitoring & Forensics
 Network visibility
 Internet egress points
 Decode traffic generated by known malware
 Reconstruct command-and-control activity
 Recover data theft
 Monitor all protocols (full packet capture)

33. Network: Architecture
Diagram: Internet > Perimeter Firewall > Switch > Web Proxy > Internal Network Firewall > INTERNAL NETWORK (servers, workstations, laptops; VPN users). Mandiant connects over a Mandiant VPN tunnel; the Mandiant Network Sensor is attached to a network SPAN/TAP.

34. Endpoint: Hunting & Live Response
 Host visibility
 Agent / controller model
 Deploy to all Windows systems in environment
 Identify historical evidence of compromise
 Search all hosts for IOCs
 Conduct deep-dive analysis on systems of interest

35. Endpoint: Architecture
Diagram: MIR Controller #1 … MIR Controller #n; Mandiant Agent deployed on servers, workstations and laptops in the INTERNAL NETWORK and on VPN users; Mandiant reaches the controllers remotely; agent/controller communication uses mutually authenticated SSL.

36. Big data: Finding the Needle & Analysis
 Network, endpoint, application events visibility
 Detect with Mandiant Threat Intelligence
 Sources: Syslog, Windows Event Log, File, ODBC
 Communication broker in customer environment
 Cloud-based; all technology managed

37. TOOLS OF THE TRADE
A TEAM of analysts enabled by MIR and NTAP

38. End-point Visibility – Sweeping the Environment

39. Find One.
IOC matches are verified by analysts by extracting suspect artifacts from end-points and/or checking network sensors for corroborating evidence.

40. Find One. Then Find Them All.
An initial lead converted to an IOC can yield quick results across the entire estate.
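To make slides 31 and 39–40 concrete, here is an added example (not Mandiant's MIR or OpenIOC code): an IOC built from the indicator types the deck lists (a brittle hash, reused file name plus registry value, a service pointing at the wrong DLL) as an AND/OR tree, swept across a constructed host inventory. All host names, paths, hashes and artifact values are constructed placeholders.

```python
"""Simplified IOC sweep, constructed example: an indicator is an AND/OR tree
of terms; one artifact record on the host must satisfy a term in full."""

OPS = {
    "is": lambda actual, want: actual.lower() == want.lower(),
    "contains": lambda actual, want: want.lower() in actual.lower(),
    "not_contains": lambda actual, want: want.lower() not in actual.lower(),
}

def term_matches(term, records):
    """True if a single record of the term's type passes every field test."""
    artifact_type, fields = term
    return any(rec["type"] == artifact_type
               and all(OPS[op](str(rec.get(f, "")), want) for f, (op, want) in fields.items())
               for rec in records)

def ioc_matches(node, records):
    """Recursively evaluate an {"and": [...]} / {"or": [...]} tree or a leaf term."""
    if isinstance(node, tuple):
        return term_matches(node, records)
    (logic, children), = node.items()
    return (all if logic == "and" else any)(ioc_matches(c, records) for c in children)

def sweep(ioc, hosts):
    """'Find one, then find them all': every host the IOC hits, sorted by name."""
    return sorted(name for name, recs in hosts.items() if ioc_matches(ioc, recs))

# Constructed IOC (placeholder hash; hypothetical file, registry and service names).
# A hash changes often, so it is only one branch beside the reused traits.
IOC = {"or": [
    ("FileItem", {"Md5sum": ("is", "00000000000000000000000000000001")}),
    {"and": [
        ("FileItem", {"FileName": ("is", "msupdate.exe")}),
        ("RegistryItem", {"Path": ("contains", "\\Run\\"),
                          "Text": ("contains", "msupdate.exe")}),
    ]},
    ("ServiceItem", {"name": ("is", "wuauserv"),
                     "serviceDLL": ("not_contains", "wuaueng.dll")}),
]}

# Constructed host inventory, as an agent sweep would return it.
HOSTS = {
    "ws-001": [  # clean: stock binary, expected service DLL
        {"type": "FileItem", "FileName": "explorer.exe", "Md5sum": "ab" * 16},
        {"type": "ServiceItem", "name": "wuauserv", "serviceDLL": r"C:\Windows\system32\wuaueng.dll"}],
    "ws-002": [  # dropper plus Run-key persistence; hash was recompiled, so only the AND branch hits
        {"type": "FileItem", "FileName": "msupdate.exe", "Md5sum": "cd" * 16},
        {"type": "RegistryItem", "Path": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
         "Text": r"C:\ProgramData\msupdate.exe"}],
    "srv-003": [  # legitimate service name, hijacked DLL path (the "outlier" case)
        {"type": "ServiceItem", "name": "wuauserv", "serviceDLL": r"C:\Windows\Temp\svc.dll"}],
    "ws-004": [  # file name alone: the AND branch also needs the Run value
        {"type": "FileItem", "FileName": "msupdate.exe", "Md5sum": "ef" * 16}],
}
```

Running `sweep(IOC, HOSTS)` flags ws-002 and srv-003 only; ws-004 shows why a lone reused file name is combined with a second trait before it becomes an IOC.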
41. Regional Threats
Indicators of Compromise (IOC) used during a Compromise Assessment are comprised of information from:
• Incident Response engagements
• Internal research
• Publicly available data
• Regional teams’ input
IOCs are updated continuously and can be made client specific.

42. Tracking Attackers With Network Sensors
Network sensors enable near real-time detection of threats, capture of identified malicious traffic, and tracking of attacker activity.

43. TO GAIN MORE INSIGHT, WATCH THE WEBINAR HERE