
NTXISSACSC4 - Artifacts Are for Archaeologists: Why Hunting Malware Isn't Enough

Artifacts Are for Archaeologists: Why Hunting for Malware Isn't Enough

Spoiler Alert: It's because attackers can (and do) abuse legitimate software, administrative tools, and scripting environments that are considered benign and are not caught by traditional antivirus software. Since attackers can use legitimate software to conduct their nefarious behavior, how do you catch them? It's simple: look for the behavior.

LightCyber's Behavioral Attack Detection platform detects and highlights the network behaviors of attackers that have penetrated the perimeter. This provides visibility that allows security teams to locate and eradicate network intruders quickly, regardless of what tools the attackers are using to achieve their goals. With LightCyber's Network-to-Process Association technology, attacker behaviors can be tracked back to the exact process that originated the behavior.

We will discuss the top tools that have been detected and associated with attacker behavior inside of LightCyber customer environments, all of which are legitimate software. There will also be an overview of how LightCyber Magna works.

Mark Overholser has been a lifelong technology enthusiast, and made his passion his career. After working for many years at a multi-billion-dollar medical supply manufacturer and distributor using technology to achieve business goals, he started to wonder about what sorts of controls were in place to help make sure technology would only do good, not harm. One thing led to another, and he then was one of the first members of the new information security team. After working hard to grow the team and build the information security practice, he left to take a breather and now is working to help information security teams everywhere understand threats and get the most out of their defensive technologies.


NTXISSACSC4 - Artifacts Are for Archaeologists: Why Hunting Malware Isn't Enough

  1. @NTXISSA #NTXISSACSC4. Artifacts Are for Archaeologists: Why Hunting For Malware Isn't Enough. Mark Overholser, Consulting Engineer, LightCyber, Inc. October 7, 2016
  2. Agenda
     • Today's Breach Detection Gap
     • Threats: Malware, Risky Behavior, Insiders & Advanced Attacks
     • Top Cyber Weapons
     • Signature vs. Behavior-based Attack Detection
     • LightCyber Magna Behavioral Attack Detection
  3. Breach Detection Gap
     • 99% of post-intrusion behaviors such as reconnaissance and lateral movement do not originate from malware.
     • 146 days is the median length of time that attackers are present on a victim's network before detection.
     • Most organizations focus on malware and external attacks, but cannot detect attackers in their network.
     • Most organizations cannot find breaches on their own.
     • Source: 2016 LightCyber Cyber Weapons Report, M-Trends 2016 Threat Report, Verizon Data Breach Investigations Report
  4. Crypting Services
     • "Crypting" can be used to obfuscate malware until AV does not detect it:
       • Upload malware
       • Malware is encrypted/re-encoded and scanned against all known AV
       • The process repeats until all AV fails to detect the malware
     • Brian Krebs has a good article on crypters: https://krebsonsecurity.com/2014/05/antivirus-is-dead-long-live-antivirus/
     NTX ISSA Cyber Security Conference – October 7-8, 2016
  5. Most Organizations Focus Only on Malware (© 2016 LightCyber - Confidential)
  6. Threats Analyzed for Cyber Weapons Research: Targeted Attacks, Insider Attacks, Risky Behavior, and Malware
  7. Targeted Attacks
     • Outside the network: Intrusion (Seconds – Minutes)
     • Inside the network: Active Breach (Hours - Weeks): Establish Backdoor, Recon & Lateral Movement, Data Exfiltration
     • Step 1: Attacker compromises a client or server in the network
     • Step 2: Attacker performs reconnaissance and moves laterally to find valuable data
     • Step 3: Attacker steals data by uploading or transferring files
  8. Insider Attacks
     • Phases: Recon & Lateral Movement, Abuse of User Rights, Data Exfiltration
     • Step 1: Employee is upset by demotion; decides to steal data and quit job
     • Step 2: Employee accesses many file shares, including rarely accessed file shares
     • Step 3: Employee uses another user's credentials and exfiltrates a large volume of data
     • IT Assets at Risk: databases and file servers are considered the most vulnerable to insider attacks (Source: LinkedIn Group Insider Threat Report, sponsored by LightCyber)
  9. Risky Behavior
     • Example 1: Remote desktop access from home
     • Example 2: User credentials for a service account shared by multiple IT admins
     • Example 3: Access to high-risk websites
     • Data breach incidents: miscellaneous errors, such as misconfiguration, misdelivery, and other errors, accounted for the highest number of data breaches in 2015 (Source: 2016 Verizon Data Breach Investigations Report)
     • "With all of the hubris and bravado in the InfoSec world, one proclamation we usually don't hear is 'Our employees NEVER make mistakes.'"
  10. Malware: Ransomware Attack
     • Step 1: User downloads ransomware from a website or opens a malicious email attachment
     • Step 2: Infected client contacts the command and control server and receives a unique cryptographic key
     • Step 3: Ransomware encrypts data on the local client
     • Step 4: Ransomware encrypts data on network drives
  11. Cyber Weapons Research Findings: based on anonymized alert data and Network to Process Association (N2PA) technology from LightCyber customers
  12. Top Attack Behaviors
     • Reconnaissance was the most common attack behavior
     • Reconnaissance is an iterative process of trial and error as attackers search for valuable assets
  13. Cyber Weapons Used in Phases of an Attack
  14. Networking and Hacking Tools
     • Attackers use well-known tools to map the network, probe clients, and monitor activity
     • NCrack, Mimikatz, and Windows Credential Editor can be used to steal user credentials
     • Some tools are native OS utilities
  15. Admin Tools
     • Attackers use a variety of command line shells, including native OS utilities
     • Admin tools are used for lateral movement as well as recon and exfiltration
  16. Remote Desktop Tools
     • Remote desktop tools are used for C&C and lateral movement
     • They are also indicative of risky user behavior
  17. Malware
     • 28% of suspicious processes associated with alerts were either malware or riskware
     • 1% of east-west threats originated from malware
  18. Major Findings
     • 70%+ of malware was only detected on a single site, revealing targeted & polymorphic variants
     • Attackers often use "benign" apps, native OS tools and web browsers to conduct attacks
     • Companies that only look for malware will miss attackers that are already in the network
  19. Signature vs. Behavior-based Attack Detection
  20. Current Limitations
     • Traditional Security (Known Bad; Agents & Signatures): Signatures, IoCs, Packet Signatures, Domains, Sandbox Activity; Block, or Miss; Necessary, Not Sufficient
       • Problems: Too Many False Alarms / False Positives; Missed Variants / False Negatives; Only Detect Malware-Based Attacks
     • What's Needed (Learned Good; Agentless & Signature-less): Learn What is Good [Baseline]; Detect What Isn't [Anomaly]; Catch What Slips Through the Cracks of Traditional Security
       • Benefits: Eliminates Zero-Day Exploit Dilemma; Hundreds of Opportunities to Detect; Applicable to All Techniques & Stages
  21. Behavioral Attack Detection: Optimal Data Context
  22. LightCyber Magna Platform: Using Behavioral Analytics to Find Attacks & Malware on Your Network
  23. About LightCyber
     • Behavioral Attack Detection, Magna Platform Overview: Network-Centric Detection; Agentless & Signature-less; Post-Intrusion: NTA/UEBA Differentiation; Most Accurate & Efficient: Proven & Measured Success; Broadest Context: Network + Endpoint + User; Broadest Attack Coverage with Integrated Remediation
     • Verticals Served: Finance & Insurance; Public Sector; Retail, Healthcare, Legal; Service Providers; Media, Technology, & More
     • Operations Overview: US HQ - CA; EMEA HQ - Amsterdam; IL HQ - Ramat Gan; Customers World-Wide
  24. Profiling, Detection, Investigation, & Remediation
     • Behavioral Profiling - Network-Centric Endpoint and User Profiling
     • Attack Detection - Anomalous Attack Behavior Across the Attack Lifecycle
     • Automated Investigation - Network, User, & Process Association + Cloud
     • Integrated Remediation - Block Attackers with NGFW, NAC, or Lock Accounts with AD
  25. Evolving IT Security Investment Needs (diagram based on the Lockheed Martin Cyber Kill Chain): Intrusion Attempt Phase (Seconds – Minutes); Active Attack Phase (Weeks – Months), where the Breach Detection Gap lies; Incident Response (Weeks – Months). Diagram labels: Stateful FW, IPS / IDS, Network AV, Sandboxing, SIEM, Security Expenditure, Damage
  26. LightCyber Magna Platform (architecture diagram). Components: Magna Detector on the HQ / DC core switch via TAP / SPAN; Magna Pathfinder for endpoints; Magna Probe on the remote office switch via TAP / SPAN; Magna Master; Magna UI. Outputs: Email & Reports, SIEM, Remediation
  27. LightCyber Magna Security Use Cases: LightCyber Magna provides accurate and efficient security visibility into attacks and attackers in your network. Security visibility encompasses, from lower to higher relative risk: Malware, Risky Behaviors, Insider Attacks, Targeted Attacks
  28. LightCyber Delivers Unbeatably Accurate Results
     • Most IT security teams can't keep up with the deluge of security alerts
     • LightCyber accuracy: 62% across all alerts; 99% across Magna's automated "Confirmed Attack" category
     • Source: http://lightcyber.com/lower-security-alerts-metrics/
  29. Malware Example
     • Magna Detects: Active Command & Control channel; Malware Infection; No signs of internal spreading; Likely opportunistic, not (yet) targeted
     • Detection Pattern: C&C; Malware; (No East-West)
  30. Risky Behavior Example
     • Magna Detects: RDP to > 20 Workstations; Likely non-malicious internal activity since there is no association with other malicious findings
     • Detection Pattern: Credential Abuse; Not Linked to Exfil or Other
  31. Insider Attack Example
     • Magna Detects: Suspicious access to file shares; Exfiltration; This correlation indicates a likely Insider Attack
     • Detection Pattern: Credential Abuse; Linked to Exfil or Other Findings
  32. Targeted Attack Example
     • Magna Detects: Anomalous file with known Threat Intelligence; Recon; Lateral Movement; Exfiltration; This correlation indicates a Targeted Attack
     • Detection Pattern: Multiple Correlated Findings; North-South + East-West
  33. User, Entity; Network + Endpoint
     • Magna Detects: Anomalous Network Activity; Anomalous and Malicious Processes on the Endpoint; Anomalous User Activity
     • Magna Correlates: User; Entity; Network; Process; Endpoint
  34. Reporting: Alert Activity, Triage Activity & SLA, Asset View, and More. Sample "LightCyber Magna Attack Detection Report" with panels: Alerts Triage and Handling; Alert Types and Categories (C&C, Exfilt, Lateral, Malware, Recon); Alerts Handling & Accuracy (Relevant and Handled, Whitelisted, Ignored, Still Open); Alert Handling Time (days) by status (Unverified, Suspicious, Confirmed); Alert Handling by Analyst
  35. LightCyber Ecosystem Integration (diagram). Components: Magna Pathfinder (endpoints), Magna Detector (HQ / DC core switch), Magna Master, Magna UI; integrations: Remediation, SIEM, Network Packet Broker, IAM & Policy Mgmt
  36. Magna in the Security Ecosystem: Integrated Remediation. Magna enables you to knock the attacker back out of your network:
     • Terminate Malicious Files (MFT)
     • Block Malicious Domains with NGFW
     • Isolate Infected Machines with NGFW
     • Isolate Infected Machines with NAC
     • Lock Compromised Active Directory Accounts
     • Reset Compromised AD Passwords
  38. Thank you: The Collin College Engineering Department; Collin College Student Chapter of the North Texas ISSA; North Texas ISSA (Information Systems Security Association)
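The four detection patterns from the example slides (29 to 32), with the "RDP to > 20 workstations" signal from slide 30 derived from connection records, as an added illustration in Python. This is not code from the presentation or from the LightCyber platform; the finding labels, the connection-record format and the handling of the fan-out threshold are assumptions.

```python
"""Correlate findings per entity into the four categories from the Magna
example slides (29-32). Added illustration, not LightCyber code: finding
labels, record format and the RDP fan-out threshold are assumptions."""
from collections import defaultdict

EAST_WEST = {"recon", "lateral", "credential_abuse", "file_share_access"}
FOOTHOLD = {"c2", "malware"}      # external foothold indicators (north-south)
RDP_PORT = 3389
RDP_FANOUT = 20                   # slide 30: "RDP to > 20 workstations"

def rdp_fanout_findings(connections, threshold=RDP_FANOUT):
    """Turn (src, dst, port) connection records into a 'credential_abuse'
    finding for any source that reached RDP on more than `threshold` hosts."""
    targets = defaultdict(set)
    for src, dst, port in connections:
        if port == RDP_PORT and src != dst:
            targets[src].add(dst)
    return {src: {"credential_abuse"}
            for src, dsts in targets.items() if len(dsts) > threshold}

def classify(findings):
    """Apply the slide patterns, most specific first, to one entity's findings."""
    east_west = findings & EAST_WEST
    if findings & FOOTHOLD and east_west and len(findings) >= 3:
        return "Targeted Attack"      # north-south + east-west, multiple findings
    if "credential_abuse" in findings:
        # linked to exfil or other findings -> insider; on its own -> risky
        return "Insider Attack" if findings - {"credential_abuse"} else "Risky Behavior"
    if findings & FOOTHOLD and not east_west:
        return "Malware (opportunistic)"  # C&C / infection, no internal spreading
    return "Unclassified"

def triage(findings_by_entity, connections):
    """Merge alert findings with RDP fan-out findings and classify each entity."""
    merged = defaultdict(set, {k: set(v) for k, v in findings_by_entity.items()})
    for src, derived in rdp_fanout_findings(connections).items():
        merged[src] |= derived
    return {entity: classify(f) for entity, f in merged.items()}

# Constructed sample data (not from the slides).
SAMPLE_FINDINGS = {
    "laptop-07": {"c2", "malware"},
    "fileserver-user": {"credential_abuse", "file_share_access", "exfil"},
    "srv-db-02": {"malware", "recon", "lateral", "exfil"},
}
SAMPLE_CONNECTIONS = [("admin-ws", f"ws-{i:02d}", RDP_PORT) for i in range(25)]

if __name__ == "__main__":
    for entity, verdict in triage(SAMPLE_FINDINGS, SAMPLE_CONNECTIONS).items():
        print(f"{entity:16} {verdict}")
```

The sample run yields one entity per slide category, including "admin-ws", which has no alert findings of its own and is flagged as Risky Behavior purely from its RDP fan-out.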

