NTXISSACSC4 - Artifacts Are for Archaeologists: Why Hunting Malware Isn't Enough
Artifacts Are for Archaeologists: Why Hunting for Malware Isn't Enough Spoiler Alert: It's because attackers can (and do) abuse legitimate software, administrative tools, and scripting environments which are considered benign and not caught by traditional antivirus software. Since attackers can use legitimate software to conduct their nefarious behavior, how do you catch them? It’s simple: Look for the behavior. LightCyber's Behavioral Attack Detection platform detects and highlights the network behaviors of attackers that have penetrated the perimeter. This provides visibility that allows security teams to locate and eradicate network intruders quickly, regardless of what tools the attackers are using to achieve their goals. With LightCyber's Network-to-Process Association technology, attacker behaviors can be tracked back to the exact process that originated the behavior. We will discuss the top tools that have been detected and associated with attacker behavior inside of LightCyber customer environments, all of which are legitimate software. There will also be an overview of how LightCyber Magna works. Mark Overholser has been a lifelong technology enthusiast, and made his passion his career. After working for many years at a multi-billion-dollar medical supply manufacturer and distributor using technology to achieve business goals, he started to wonder about what sorts of controls were in place to help make sure technology would only do good, not harm. One thing led to another, and he then was one of the first members of the new information security team. After working hard to grow the team and build the information security practice, he left to take a breather and now is working to help information security teams everywhere understand threats and get the most out of their defensive technologies.
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (17)
Similar to NTXISSACSC4 - Artifacts Are for Archaeologists: Why Hunting Malware Isn't Enough
Similar to NTXISSACSC4 - Artifacts Are for Archaeologists: Why Hunting Malware Isn't Enough (20)
More from North Texas Chapter of the ISSA
More from North Texas Chapter of the ISSA (20)
Recently uploaded
Recently uploaded (20)
NTXISSACSC4 - Artifacts Are for Archaeologists: Why Hunting Malware Isn't Enough
- 4. @NTXISSA #NTXISSACSC4 Crypting Services • “Crypting” can be used to obfuscate malware until AV does not detect it • Upload malware • Malware encrypted/re-encoded and scanned against all known AV • Process repeats until all AV fails to detect the malware • Brian Krebs has a good article on crypters • (https://krebsonsecurity.com/2014/05/antivirus- is-dead-long-live-antivirus/) NTX ISSA Cyber Security Conference – October 7-8, 2016 4
- 7. @NTXISSA #NTXISSACSC4 TargetedAttacks Outside the Network Intrusion (Seconds – Minutes) Intrusion Active Breach (Hours - Weeks) Establish Backdoor Recon & Lateral Movement Data Exfiltration Inside the Network Attacker compromises a client or server in the network 2 Attacker performs reconnaissance and moves laterally to find valuable data 3 Attacker steals data by uploading or transferring files
- 8. @NTXISSA #NTXISSACSC4 Insider Attacks Recon & Lateral Movement Abuse of User Rights Data Exfiltration Employee is upset by demotion; decides to steal data and quit job 2 Employee accesses many file shares including rarely accessed file shares 3 Employee uses other user’s credentials and exfiltrates a large volume of data IT Assets at Risk • Databases and file servers are considered the most vulnerable to insider attacks SOURCE: LinkedIn Group - Insider Threat Report sponsored by LightCyber File Server Insider Sensitive Data
- 14. @NTXISSA #NTXISSACSC4 Networking and Hacking Tools • Attackers use well- known tools to map the network, probe clients, and monitor activity • NCrack, Mimikatz, and Windows Credential Editor can be used to steal user credentials • Some tools are native OS utilities
- 16. @NTXISSA #NTXISSACSC4 Remote Desktop Tools • Remote desktop tools are: • Used for C&C and lateral movement • Also indicative of risky user behavior
- 20. @NTXISSA #NTXISSACSC4 Current Limitations Known Bad Traditional Security § Signatures, IoC’s, Packet Signatures, Domains, Sandbox Activity § Block, or Miss § Necessary, Not Sufficient What’s Needed § Learn What is Good [Baseline] § Detect What Isn’t [Anomaly] § Catch What Slips Through the Cracks of Traditional Security Problems: • Too Many False Alarms / False Positives • Missed Variants / False Negatives • Only Detect Malware-Based Attacks Learned Good Benefits: • Eliminates Zero-Day Exploit Dilemma • Hundreds of Opportunities to Detect • Applicable to All Techniques & Stages What’s Needed? Agents & Signatures Agentless & Signature-less
- 23. @NTXISSA #NTXISSACSC4 Behavioral Attack Detection Magna Platform Overview • Network-Centric Detection • Agentless & Signature-less • Post-Intrusion: NTA/UEBA Differentiation • Most Accurate & Efficient: Proven & Measured Success • Broadest Context: Network + Endpoint + User • Broadest Attack Coverage with Integrated Remediation Verticals Served • Finance & Insurance • Public Sector • Retail, Healthcare, Legal • Service Providers • Media, Technology, & More Operations Overview • US HQ - CA • EMEA HQ - Amsterdam • IL HQ - Ramat Gan • Customers World-Wide MAGNA About LightCyber
- 24. @NTXISSA #NTXISSACSC4 Profiling, Detection, Investigation, & Remediation Behavioral Profiling - Network-Centric Endpoint and User Profiling Attack Detection - Anomalous Attack Behavior Across the Attack Lifecycle Automated Investigation - Network, User, & Process Association + Cloud Integrated Remediation - Block Attackers with NGFW, NAC, or Lock Accounts with AD
- 25. @NTXISSA #NTXISSACSC4 SIEM Evolving IT Security Investment Needs Lockheed Martin: Cyber Kill Chain Active Attack Phase (Weeks – Months) Intrusion Attempt Phase (Seconds – Minutes) Sandboxing Stateful FW IPS / IDS Network AV Damage Security Expenditure Incident Response (Weeks – Months) Breach Detection Gap
- 28. @NTXISSA #NTXISSACSC4 LightCyber Delivers Unbeatably Accurate Results Source: http://lightcyber.com/lower-security-alerts-metrics/ Most IT security teams can’t keep up with the deluge of security alerts 62% ACROSS ALL ALERTS 99% ACROSS MAGNA’S AUTOMATED “CONFIRMED ATTACK” CATEGORY LIGHTCYBER ACCURACY
- 29. @NTXISSA #NTXISSACSC4 Malware Example Magna Detects: • Active Command & Control channel • Malware Infection • No signs of internal spreading • Likely opportunistic, not (yet) targeted Detection Pattern: • C&C • Malware • (No East-West)
- 30. @NTXISSA #NTXISSACSC4 Risky Behavior Example Magna Detects: • RDP to > 20 Workstations • Likely non-malicious Internal activity since there is no association with other malicious findings Detection Pattern: • Credential Abuse • Not Linked to Exfil or Other
- 31. @NTXISSA #NTXISSACSC4 Insider Attack Example Detection Pattern: • Credential Abuse • Linked to Exfil or Other Findings Magna Detects: • Suspicious access to file shares • Exfiltration • This Correlation indicates likely Insider Attack
- 32. @NTXISSA #NTXISSACSC4 Targeted Attack Example Magna Detects: • Anomalous file with known Threat Intelligence • Recon • Lateral Movement • Exfiltration • This Correlation Indicates Targeted Attack Detection Pattern: • Multiple Correlated Findings • North-South + East-West
- 33. @NTXISSA #NTXISSACSC4 User, Entity; Network + Endpoint Magna Detects: • Anomalous Network Activity • Anomalous and Malicious Processes on the Endpoint • Anomalous User Activity Magna Correlates: • User • Entity • Network • Process • Endpoint
- 34. @NTXISSA #NTXISSACSC4 Reporting: Alert Activity, Triage Activity & SLA, Asset View, and More LightCyber Magna Attack Detection Report Reporting Period: 1/0/1900 1/0/1900 Number of days 1 Total Alerts for Period 0 Average #Alerts per day 0.00 Total Alerts handled 5 Unverified average handling time (days) 2.54 Suspicious average handling time (days) 10.78 Confirmed average handling time (days) 12.47 0 0.5 1 1.5 2 2.5 3 3.5 Alerts Triage and Handling Suspicious Unverified 1 1.5 2 2.5 3 3.5 Alert Types and Categories C&C 20% Exfilt 10% Lateral 10% Malware 20% Recon 40% Alerts Categories 45% 11% 33% 11% Alerts Handling & Accuracy Relevant and Handled Whitelisted Ignored Still Open 0.0 2.0 4.0 6.0 8.0 10.0 12.0 14.0 16.0 18.0 Normal Resolved Whitelisted Normal Archived Confirmed Suspicious Unverified Alert Handling Time (days) arnold jenny 40% 60% Alert Handling by Analyst arnold jenny
- 35. @NTXISSA #NTXISSACSC4 LightCyber Ecosystem Integration Endpoints HQ / DC MAGNAPATHFINDER MAGNADETECTOR MAGNAMASTER Core Switch MAGNA UIRemediation SIEM Network Packet Broker IAM & Policy Mgmt
- 38. @NTXISSA #NTXISSACSC4@NTXISSA #NTXISSACSC4 The Collin College Engineering Department Collin College Student Chapter of the North Texas ISSA North Texas ISSA (Information Systems Security Association) NTX ISSA Cyber Security Conference – October 7-8, 2016 38 Thank you