The document discusses the critical importance of endpoint security and emphasizes that the endpoint is the new perimeter for protecting networks. It highlights the prevalence of phishing attacks, training employees, and implementing key focus areas such as incident response and security infrastructure as crucial elements of cybersecurity strategy. Additionally, it covers advanced threats like macro phishing attacks and the necessity of continuous monitoring and detection through automated tools and threat simulations.

1. Company Confidential
Powered by
Activated Charcoal
Making Sense of Endpoint Data

2. Company Confidential
Greg Foss
Head of Global Security Operations
OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, Cyber APT

3. The Endpoint is the new Perimeter

4. Company Confidential
The easiest path into any network…

5. Company Confidential
Social Engineering
Nothing like a
little pretext to
get people to click
on your links…

6. Company Confidential
• Phishing
• 91% of ‘advanced’ attacks began with a phishing email
or similar social engineering tactics.
• http://www.infosecurity-magazine.com/view/29562/91-of-
apt-attacks-start-with-a-spearphishing-email/
• 2014 Metrics
• Average cost per breach => $3.5 million
• 15% Higher than the previous year
• http://www.ponemon.org/blog/ponemon-institute-
releases-2014-cost-of-data-breach-global-analysis

7. Company Confidential
Drive By Downloads, Malvertizing, and Watering Hole Attacks
Image Source:
https://blog.kaspersky.com/what-is-malvertising/5928/

8. Company Confidential

9. Company Confidential

10. Training is Critical to Success

11. Company Confidential
Key Focus Areas:
• Employees
Image Source:
http://www.cloudpro.co.uk/hr/5803/gov-offers-hr-workers-free-cyber-security-training

12. Company Confidential
End User Tips - Phishing

13. Company Confidential
All You Need is +

14. Company Confidential
Shortened
URL
Tracking

15. Testing and Validation

16. Company Confidential
Rogue Wi-Fi Network – Threat Simulation

17. Company Confidential
USB Drop – Training Exercise : Case Study

18. Company Confidential
Building a Believable Campaign
Use realistic files with somewhat realistic data
Staged approach to track file access and exploitation

19. Company Confidential
Profit
Send an email when the Macro is run…
Use a bogus email (unlike I did here) – I know, I know. Bad OpSec.

20. Company Confidential
Toolscalculator.exe

21. Company Confidential
“Nobody’s going to an an exe from some random USB” - Greg
Yep… They ran it...

22. Company Confidential
Now we have our foothold…
Fortunately they didn’t run this as an admin

23. Company Confidential

24. Company Confidential
Key Focus Areas:
• Employees
• IT Staff
• Roles and Responsibilities
• Incident Response Duties
• Configuration Monitoring
• Malware Removal
• Security Infrastructure

25. Company Confidential
Key Focus Areas:
• Employees
• IT Staff
• Security Staff
• Table Top and Red vs Blue Exercises
• Threat Simulation Leads to Process Improvement
• Announced vs Unannounced Simulations or Penetration Testing

26. Company Confidential
Purple Team FTW!
• Employees
• IT Staff
• Security Staff
• Table Top and Red vs Blue Exercises
• Threat Simulation Leads to Process Improvement
• Announced vs Unannounced Simulations or Penetration Testing

27. Company Confidential
Key Focus Areas:
• Employees
• IT Staff
• Security Staff
• Leadership

28. Company Confidential
Key Focus Areas:
• Employees
• IT Staff
• Security Staff
• Leadership
• Processes and Procedures

29. Continuous Monitoring and Detection

30. Company Confidential
Automating OSINT and Response
Domain Tools
Passive Total
VirusTotal
Cisco AMP ThreatGRID
Netflow / IDS
Firewalls
Proxy / DNS
Endpoint
SIEM
API Integration SecOps Infrastructure

31. Company Confidential

32. Company Confidential
Malware Beaconing

33. Company Confidential

34. Company Confidential
Malware Beaconing

35. Company Confidential
Correlate Network / Log Activity with Endpoint Data

36. Company Confidential
Macro Phishing Attacks
• Common
• Bypasses Most AV
• Heavily Obfuscated
• Newer attacks
targeting Office 365

37. Company Confidential
Macro Attack Detection

38. Company Confidential
Full Command Line Details

39. Company Confidential
Full Command Line Details

40. Company Confidential
Be Careful – Don’t Jump To Conclusions…

41. Company Confidential
Be Careful – Don’t Jump To Conclusions…

42. Centralized Logging and Event Management

43. Company Confidential

44. Company Confidential
Threat Feed Configuration

45. Company Confidential
Full Event Alerting

46. Company Confidential
Syslog Only

47. Company Confidential
Watchlist Configuration

48. Company Confidential
Carbon Black Event Forwarder
LogRhythm => Use LEEF Format
https://github.com/carbonblack/cb-event-forwarder

49. Dashboards and Investigations

50. Company Confidential

51. Company Confidential

52. Company Confidential
Long Tail Analysis
Strange activity can bubble to the surface when viewing the whole picture

53. Company Confidential

54. Company Confidential

55. Taking it a Step Further…

56. Company Confidential
Additional Integration
Alarming
Trigger on Specific Watch List Hits

57. Company Confidential
Additional Integration
Alarming
Admin Tracking

58. Company Confidential
Additional Integration
Alarming
Admin Tracking
Reporting

59. Company Confidential
Additional Integration
Alarming
Admin Tracking
Reporting
Automation
Perform Actions Based on Alarms Observed

60. Company Confidential
LogRhythmChallenge . com
Booth #600 #logrhythmchallenge

61. Company Confidential
Mini
Network
Monitor
Booth #600

62. Company Confidential
Thank You!
QUESTIONS?
Greg Foss
Greg . Foss [at] LogRhythm . com
@heinzarelli