Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck


Published on

Presentation from the North Texas ISSA July 2015 Lunch and Learn meeting: Advanced Threat Hunting

  • Be the first to comment

  • Be the first to like this

Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck

  1. 1. ©2014  Bit9.  All  Rights  Reserved     Advanced  Threat  Hun/ng:     Iden%fy  and  Track  Zero-­‐Day  A3acks   Infiltra%ng  Your  Organiza%on           Jus/n  Falck,  Technical  Product  Manager  –  Carbon  Black   Bit9  +  Carbon  Black     July  16th,  2015  
  2. 2.   Background     Threat  Landscape     Advanced  Threats   •  What  are  they?   •  Zero-­‐Days   •  Why  Advanced  Threats  might  not  be  what  you  think  they  are   •  Living  off  the  Land  (“Outsider-­‐Insider”)     Hun/ng   •  What  do  you  hunt?   •  How  do  you  hunt?   •  RelaQonships  MaTer!     Wrap-­‐Up  &  Takeaways   Agenda  
  3. 3. Quick  Background  Check     2007  –  2013:  Central  Intelligence  Agency     2013  –  2015:  Goldman  Sachs     Threat  Management  Center  -­‐  Irving,  TX     2015  –  Present:  Bit9  +  Carbon  Black     Technical  Product  Manager  -­‐  CB  
  4. 4. The  Evolving  Threat  Landscape   Criminal  Enterprises   •  Broad-­‐based  and   targeted  aTacks   •  Financially   moQvated   •  Geang  more   sophisQcated   Hac/vists   •  Targeted  and   destrucQve   aTacks   •  Unpredictable   moQvaQons   •  Generally  less   sophisQcated   Na/on-­‐States   •  Targeted  and     mulQ-­‐stage  aTacks     •  MoQvated  by   informaQon  and  IP   •  Highly   sophisQcated,   limitless  resources  
  5. 5. Proof  of  Effec/veness  
  6. 6. Endless  Stream  of  Data  Breaches   Source:  InformaQon  is  BeauQful,,  January  2015  
  8. 8. Opportunis=c  threats  sell  our  computers.     Goal:  breadth  of  access.       “Advanced”  threats  sell  our  data.       Goal:    precision  of  access.
  9. 9. Tradi/onal  Defenses  Were  Designed  for  Opp.  AZacks   OPPORTUNISTIC  ADVANCED   Goal  for  aTacker  is  to   compromise  as  few   endpoints  as  possible   Goal  for  aTacker  is  to   compromise  as  many     endpoints  as  possible   Hosts  Compromised   Time   Hosts  Compromised   Time   DETECTION  THRESHOLD   DETECTION  THRESHOLD   Signature   available   Signature   available  (if  ever)  
  10. 10. “Zero-­‐Days”     “Zero-­‐Day”  is  a  term  typically  used  to  refer  to  two  different  scenarios:   •  Zero-­‐Day  Vulnerability:  vulnerability  is  unknown  or  fix/patch  is  not  yet   available   –  “Non-­‐Pub”:  exploit  an  unknown  vulnerability   •  Zero-­‐Day  Malware:  malware  that  is  unknown;  signatures  are  not   available  
  11. 11. So  how  “advanced”   are  the  techniques  and   payloads  being  used?  
  12. 12. “The (Target) malware utilized is ABSOLUTELY UNSOPHISTICATED and UNINTERESTING” -McAfee Business Week, March 13, 2014
  13. 13. But  once  they’re  in…   However  they  get  in,  we  need  to  find  them!   Faster  detec/on  means:   • Shorter  dwell  Qme   • Smaller  scope  for  your  incident  response   • Less  damage  to  your  business     What  do  they  do  once  they’re  in?  
  14. 14. They  oben  “Live  off  the  Land”  (and  blend  in)  
  15. 15. Living  off  the  Land   Living  Off  the  Land:  the  aZacker  uses  built-­‐in  tools  so  there  are  very  few   new  executables.    The  aZacker  typically  needs  to  do  the  following:     •  Execute  code:   –  Crack/Dump/Guess/Obtain  Valid  CredenQals   »  See  this  with  Backoff  POS  Malware   •  Copy  Data:   –  UQlize  tools  like  robocopy,  xcopy,  cmd.exe  to  gather  data   –  UQlize  “known  good”  tools  for  compression  or  use  scripts   •  Exfil  Data:   –  mp.exe,  net.exe,  Visual  Basic  script  to  control  IE  for  POSTing  data   •  Manipulate:   –  Download  something  not  malicious  but  that  will  trip  up  detecQon   –  When  Admin  logs  in,  credenQals,  keystrokes,  etc.,  are  captured  and  used   •  Persist:   –  Compromise  or  Add  more  user  and  system  accounts   –  Login  to  backup  servers,  staging  servers,  less  noQceable  parts  of  your  enterprise   –  Create  scheduled  jobs  that  will  run  and  re-­‐add  accounts,  communicate  out,  etc.  
  16. 16. Living  off  the  Land  (cont’d)     More  Things  to  Consider:   •  PowerShell  is  TOO  Powerful   –  Execute  from  remote  URL   –  Basically  anything  you  would  ever  want  to  write  code  for,  you  can  do  with  powershell,  so  as  an   adversary,  I  can  really  do  some  damage  (powersploit,  etc)   •  Use  Internal  C2  Sites:   –  Use  blog  comments  and/or  wiki  to  give  your  stuff  new  commands  so  there  is  no  outside   communicaQons   •  Use  Well-­‐Known  Social  Networking  and  File-­‐sharing  Sites:   –  TwiTer  (bots)   –  Dropbox   –  Google  Drive   –  Facebook   –  <  Insert  Social  Site  Here  >   •  Find  hardcoded  creden/als,  re-­‐use  same  password  across  an  enterprise,  Single-­‐Sign-­‐ On  design  flaws,  etc.    
  18. 18. So,  back  to  Hun/ng…  
  19. 19. Is  Your  Environment  Like  This?  
  20. 20. Or  This?  
  21. 21. What  do  you  Hunt?     Do  you  know  what  you’re  looking  for?    Do  they  have  to  be  advanced?   •  Are  you  running  vulnerable  somware?    Is  it  likely  to  be  compromised?   •  Have  you  hardened  your  systems,  have  you  reduced  surface  area?   •  Do  you  have  shared  passwords,  plain-­‐text  credenQals,  etc?   •  If  you  have  too  much  entropy  or  very  few  standards,  hunQng  will  be  DIFFICULT   •  Then  again,  it  is  rarely  “easy”       What  do  the  bad  guys  need  to  do?   •  Execute   •  Communicate   •  Grab  Data   •  Steal/Add  CredenQals   •  Persist  
  22. 22. Which comes first… Detection or Collection? By  priori=zing  collec=on  over  detec=on  you  can: (1)  HUNT  MORE  EFFECTIVELY!!! (2)  Rapidly  find  root  cause (3)  Quickly  &  confidently  reconstruct  =melines (4)  Accelerate  Discovery  (determine  scope) (5)  Benefit  from  hindsight  (evolve)
  23. 23. Some  Ideas…      §  Are  abnormal  user  accounts  being  used?   §  Do  windows  processes  (lsass,  svchost,  csrss)  have  strange  parents?   §  Are  IE,  Acrobat,  Word,  Notepad,  etc.,  spawning  child  processes?   §  Are  Office  Applica/ons  making  outbound  connec/ons?   §  Is  Java  spawning  command  shells?   §  Is  cmd.exe  running  as  system?   §  Are  user  accounts  being  added  locally?   §  Are  thousands  of  files  being  modified  by  a  single  process?   §  Is  bp  or  robocopy  being  used?   §  Are  processes  execu/ng  that  don’t  have  a  .exe  or  .scr  extension?  
  24. 24. Back  to  the  Basics…      §  Are  you  recording  every  command  line  used  by  net.exe  and  looking   for  abnormali/es?   §  Are  you  watching  when  PowerShell.exe  is  used?   §  Are  you  mapping  user  account  ac/vity  to  hosts  to  look  for   abnormal  logins?   §  Are  you  ….    <INSERT  LOTS  OF  STUFF  “TO  DO”  HERE>  
  25. 25. “Response  is  the  closest   thing  we  have  in  IT  to   dogfigh/ng”   -­‐  Bruce  Schneier,  Blackhat  2014  Keynote    
  26. 26. Time is the dominant parameter. The pilot who goes through the OODA cycle in the shortest time prevails because his opponent is caught responding to situations that have already changed. Col John Boyd 1966  Observe    Orient    Decide    Act  
  27. 27. Modern       IR  view   Ac/onable  Endpoint  Visibility   Tradi/onal   IR  view   Events  +  Intelligence     With  no  insight  into  known  bad,  how  can  they  pick   the  needles  out  of  their  data  collecQon  haystack?     Events  +  Intelligence  +  Prevalence       Without  understanding  prevalence,  how  can  they   prioriQze  detecQon  events  to  accelerate  threat   discovery?   Events  +  Intelligence  +  Prevalence  +  Rela/onships     Without  maintaining  the  recorded  relaQonships,  how   do  they  quickly  scope  any  impacted  endpoints  and   lateral  movement?   Events     Most  organizaQons  only  have  a  staQc  view  of  their   business  and  the  data  they  manage  to  collect   What’s  more  ac/onable?   ?  svchost.exe  ran   svchost.exe  was  spawned  by   unsigned  binary  under  abnormal   user  account  and  made  a   network  connecQon  
  28. 28. The  very  nature  of  threat  hun%ng   requires  the  human  element   In  IT,  we  hire  staff  to     support  technology   In  security  opera%ons,     we  buy  technology  to   support  staff   Invest  in  tools  that  enable  humans  to  make  quick  decisions  
  29. 29. 1   2   3   Hun/ng  Tips   Collect  the  RIGHT  Data   Neslow  data  and  firewall  logs  can  help,  but  if  you  aren’t  seeing   what  is  execuQng  and  what  is  changing  on  your  systems,  you  will   not  have  as  much  hunQng  success.     You  need  to  hunt  where  the  adversaries  live!   Incorporate  Reputa/on  and  Classifica/on  Informa/on   When  you’re  hunQng,  you  should  not  have  to  spend  Qme  manually  checking  the     reputaQon  of  a  binary  or  website,  as  that  greatly  slows  down  your  ability  to     conQnue  to  the  hunt.    Being  able  to  quickly  say  things  are  known  good,  known     Bad  is  key,  as  is  the  ability  to  say  if  it  is  part  of  a  parQcular  campaign  or  aTack.   Analyze  RELATIONSHIPS   RelaQonships  are  key  to  being  able  to  detect  abnormal  behavior.     Sure,  the  adversary  lives  off  the  land,  but  they’re  sQll  going  to  do   unusual  things  with  the  exisQng  tools  available  to  them.     4   Automate  as  much  as  possible!   When  you  know  what  is  normal,  you  should  be  able  to  be  alerted  when  acQvity  occurs  outside   of  what  is  normal.    And  you  should  be  able  to  automate  this.    You  should  also  automate   reputaQon  and  classificaQon  informaQon  retrieval,  and  automate  discovery.    
  30. 30. TAKE-­‐AWAYS              
  31. 31. Take-­‐Aways    Think  about  how  you  might  hunt  advanced  threats    Can  internal  tools  be  used  against  you?    Do  you  have  proper  context?    Can  you  tell  the  FBI  whether  or  not  you’ve  seen  the  IOCs   they  just  sent  you?    Compare  current  behavior  vs.  older  methods  vs.  “next-­‐ gen”    Enable  your  humans  to  do  some  hunQng    Are  you  focused  on  root  cause?  
  32. 32. Thank  You!