This document discusses the presenter's testing of various EDR and EPP solutions using three malware samples. Key findings include:
1) Many solutions failed to detect infections, even those detected by the presenter's IPS. Detection was weakest for "fileless" Kovter and morphing Dridex malware.
2) Solutions provided inadequate details to fully remediate infections. The presenter's own LOG-MD tool outperformed EDR solutions in revealing infection artifacts.
3) Based on the results, the presenter recommends that EDR tools integrate capabilities to remotely run third-party tools like LOG-MD for more thorough investigations. Simpler consoles are also needed to distribute workload across security
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
1. EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
Michael Gough – Founder
MalwareArchaeology.com
IMFSecurity.com
[Photo caption: Looks like Tod Beardsley (fellow Austinite, Rapid7)]
2. Who am I
• Blue Team Defender Ninja, Malware Archaeologist, Logoholic
• I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How
• Creator of
– “Windows Logging Cheat Sheet”
– “Windows File Auditing Cheat Sheet”
– “Windows Registry Auditing Cheat Sheet”
– “Windows Splunk Logging Cheat Sheet”
– “Windows PowerShell Logging Cheat Sheet”
– “Malware Management Framework”
• Co-Creator of “Log-MD” – Log Malicious Discovery Tool
– With @Boettcherpwned – Brakeing Down Security PodCast
• @HackerHurricane also my Blog
3. Why are we here?
• Anti-Virus is not cutting it
• Actually AV provides me a lot
• Alerts me to large campaigns, hours or days later, old stuff and infected USB drives
4. Why are we here?
• AV is not able to catch today’s threats
• But also because logging was inadequate in Windows until 3 years ago (2014), when Process Command Line logging was added (the “Process Command Line” field of Security Event ID 4688, populated only when the audit setting “Include command line in process creation events” is enabled)
• This lack of good logging and details left an opportunity for vendors to create tools that captured command line (ETW trace, ETL) logs and joined them with other details, like threat intel and behavior
• Many of the EDR tools use command line logging as a major component of what is going on with the endpoint
5. Why are we here?
• We evaluated a bunch of EDR solutions
• We had some VERY surprising findings
• Found and opened bugs with several vendors, yup, we got by them
– Are you shocked?
• We only used 3 malware sample types
– Only ONE vendor solution caught all 3
• We were surprised at what gave us the most artifact details, it wasn’t even close
• Here is what we found and you should know
6. Our Malware Samples
• Kovter
– Some call it “Fileless Malware” – Psst, it’s not fileless
– Stored components in the registry
– Mshta used to launch JavaScript that calls PowerShell
• Dridex
– Uses valid MS-signed binaries and side-loads a bad DLL from a directory in user space
– Morphs on each reboot, new binary and DLL hash
• Gozi
– Typical commodity malware
– Run key, files on disk, locked the binary when infected
7. Our Malware Samples
• Kovter gave us registry artifacts to test detection, also PowerShell calling out to the Internet
• Dridex gave us DLL side-loading and morphing malware to show who was relying on hash lookups
• Gozi was typical commodity, but a locked binary that was a challenge to delete post infection
8. Our Malware Samples
• EDR failed to detect or provide across the board:
– AutoRuns
– Related Reg keys
– Files other than the binary that was caught
– Other related log data
– Scheduled Tasks
– Services
– Terrible 3rd party integration (e.g. VirusTotal)
• Basically all the details needed to remediate
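The following is an added example, not code from this deck or from LOG-MD. It turns the three sample behaviours on slides 6 and 7 into detection logic and runs it over constructed Windows event records: process creations shaped like Security 4688 with the Process Command Line field slide 4 talks about, Sysmon event 7 image loads, and Sysmon event 13 registry writes. Every host name, PID, path, hash, registry key and command line is made up for the example (the side-loaded binary and DLL names are not the ones the deck observed), the list of user-writable directories and the System32 DLL name list are starter sets, and the rules are heuristics to tune. Two things it shows that the slides only state: the Dridex rule keys on the path relationship between the host binary and the DLL, so the DLL rewritten on every reboot still hits even though its hash changes, and every hit carries the artifacts from slide 8 (Run key, registry-stored script, file path, the PID holding a locked binary open) rather than just a verdict.

```python
"""Detection rules for the deck's three sample behaviours over constructed events.
Added example; not code from the deck or LOG-MD. Record shapes are assumptions:
  process_create : Security 4688 with the Process Command Line field
  image_load     : Sysmon event 7 (Image, ImageLoaded, Signed, Hashes)
  registry_set   : Sysmon event 13 (TargetObject, Details)
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Directories a standard user can write to (starter list). The Dridex and Gozi
# rules pivot on these, never on a file hash, so malware that morphs still hits.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\windows\\temp\\")
# Starter list (assumption) of System32 DLL names commonly planted for side-loading.
SIDELOAD_DLLS = {"version.dll", "dbghelp.dll", "cryptbase.dll", "uxtheme.dll", "wtsapi32.dll"}
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
SCRIPT_URI = re.compile(r"\b(javascript|vbscript):", re.I)
REGREAD = re.compile(r"""RegRead\(\s*['"]([^'"]+)['"]\s*\)""", re.I)

def lower(p): return (p or "").lower()
def basename(p): return lower(p).rsplit("\\", 1)[-1]
def dirname(p): return lower(p).rsplit("\\", 1)[0] + "\\"
def is_user_writable(p): return any(m in lower(p) for m in USER_WRITABLE)

def first_exe(data):
    """Executable path out of a Run value: the quoted path, else the first token."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return lower(data[1:end]) if end > 0 else None
    return lower(data.split(" ", 1)[0])

@dataclass
class Hit:
    family: str
    rule: str
    host: str
    pid: Optional[int]
    artifacts: dict = field(default_factory=dict)  # what a responder needs to remediate

def detect_kovter(events):
    """mshta.exe handed a javascript:/vbscript: URI (not an .hta file) that reads its
    payload out of the registry; collect the Run value and the PowerShell children."""
    hits, procs = [], [e for e in events if e["type"] == "process_create"]
    for e in procs:
        if basename(e["image"]) != "mshta.exe" or not SCRIPT_URI.search(e["cmdline"]):
            continue
        art = {"cmdline": e["cmdline"]}
        m = REGREAD.search(e["cmdline"])
        if m:  # JS source doubles backslashes; undo that so the key can be pasted into regedit
            art["script_registry_value"] = m.group(1).replace("\\\\", "\\")
        art["run_keys"] = [r["key"] for r in events if r["type"] == "registry_set"
                           and r["host"] == e["host"] and RUN_KEY.search(r["key"])
                           and "mshta" in r["data"].lower()]
        art["powershell_children"] = [c["cmdline"] for c in procs if c["host"] == e["host"]
                                      and c["ppid"] == e["pid"] and basename(c["image"]) == "powershell.exe"]
        hits.append(Hit("kovter", "mshta script URI reading the registry", e["host"], e["pid"], art))
    return hits

def detect_dridex(events):
    """An unsigned DLL carrying a System32 name, loaded from a user-writable directory
    by a binary that lives in that same directory: side-loading, whatever the hashes."""
    hits = []
    for e in events:
        if e["type"] != "image_load" or e["signed"]:
            continue
        loader, dll = e["image"], e["image_loaded"]
        if basename(dll) in SIDELOAD_DLLS and is_user_writable(dll) and dirname(loader) == dirname(dll):
            hits.append(Hit("dridex", "unsigned System32-named DLL side-loaded from user dir", e["host"],
                            e["pid"], {"host_binary": loader, "dll": dll, "dll_sha256": e["hashes"]["sha256"]}))
    return hits

def detect_gozi(events):
    """Run/RunOnce value pointing at an executable in a user-writable directory; record
    the PIDs running that file so it can be killed before the (locked) binary is deleted."""
    hits, procs = [], [e for e in events if e["type"] == "process_create"]
    for e in events:
        if e["type"] != "registry_set" or not RUN_KEY.search(e["key"]):
            continue
        target = first_exe(e["data"])
        if not target or not is_user_writable(target):
            continue
        running = [p["pid"] for p in procs if p["host"] == e["host"] and lower(p["image"]) == target]
        hits.append(Hit("gozi", "Run key to user-writable executable", e["host"], running[0] if running else None,
                        {"run_key": e["key"], "data": e["data"], "file": target, "running_pids": running}))
    return hits

def run_detections(events):
    return detect_kovter(events) + detect_dridex(events) + detect_gozi(events)

# ---- constructed sample records (all values made up for this example) ----
PS, MSHTA, EXPLORER = (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe")
KOVTER_JS = ("javascript:x=new ActiveXObject('WScript.Shell');"
             "y=x.RegRead('HKCU\\\\Software\\\\6f3a2c\\\\0c1');eval(y);")
DRIDEX_DIR, GOZI_EXE = r"C:\Users\bob\AppData\Local\Ab3f", r"C:\Users\bob\AppData\Roaming\Microsoft\updchk.exe"
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

def pc(host, pid, ppid, image, parent, cmdline):
    return {"type": "process_create", "host": host, "pid": pid, "ppid": ppid,
            "image": image, "parent_image": parent, "cmdline": cmdline}
def il(host, pid, image, loaded, signed, sha256):
    return {"type": "image_load", "host": host, "pid": pid, "image": image,
            "image_loaded": loaded, "signed": signed, "hashes": {"sha256": sha256}}
def rs(host, pid, key, data):
    return {"type": "registry_set", "host": host, "pid": pid, "key": key, "data": data}

MALICIOUS_EVENTS = [  # mirrors the behaviours the deck describes
    pc("ws01", 4120, 1884, MSHTA, EXPLORER, f'mshta.exe "{KOVTER_JS}"'),
    pc("ws01", 4136, 4120, PS, MSHTA, "powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgA"),
    rs("ws01", 4136, RUN + r"\6f3a2c", f'mshta "{KOVTER_JS}"'),
    pc("ws02", 5208, 1884, DRIDEX_DIR + r"\wermgr.exe", EXPLORER, "wermgr.exe"),
    il("ws02", 5208, DRIDEX_DIR + r"\wermgr.exe", DRIDEX_DIR + r"\version.dll", False, "hash-A-before-reboot"),
    il("ws02", 5320, DRIDEX_DIR + r"\wermgr.exe", DRIDEX_DIR + r"\version.dll", False, "hash-B-after-reboot"),
    rs("ws03", 5300, RUN + r"\updchk", f'"{GOZI_EXE}"'),
    pc("ws03", 5300, 1884, GOZI_EXE, EXPLORER, f'"{GOZI_EXE}"'),
]
BENIGN_EVENTS = [  # same shapes, must produce no hits
    pc("ws01", 7000, 1884, PS, EXPLORER, r"powershell.exe -File C:\Scripts\backup.ps1"),
    pc("ws01", 7010, 1884, MSHTA, EXPLORER, r'mshta.exe "C:\Program Files\Vendor\setup.hta"'),
    il("ws02", 7020, r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\version.dll", True, "hash-ms"),
    rs("ws03", 7030, RUN + r"\OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for hit in run_detections(MALICIOUS_EVENTS + BENIGN_EVENTS):
        print(hit)
```

The rules deliberately fire without any hash or signature lookup on the host binary, which is what the Dridex sample was chosen to expose; the cost is false positives from software that legitimately runs out of %LOCALAPPDATA% (OneDrive, Teams and similar installers), so in production the user-writable and side-load lists need an allowlist built from your own fleet. The 4688 side of this only works if command line logging is actually enabled, which is the gap slide 4 describes.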
9. Our Baseline
• We have an IPS, it is surprisingly good
• The IPS alerted us to the system being infected for all 3 samples
• But an IPS alert gives you no details about the endpoint, so we have to investigate
• So we knew EDR needed to at least alert us that something was up, hopefully with details
• When on or off the corporate network
11. Boring stuff first - Terms
Gartner and others defined these terms (Anton Chuvakin coined ETDR at Gartner in 2013; it was later shortened to EDR)
ETDR – Endpoint Threat Detection & Response – the term used 2 years ago
EDR – Endpoint Detection & Response – the current term we will use
EPP – Endpoint Protection Platform – the term that will be used 2 years from now
#OVERHEARD - “AV + Randomly related shit”
12. Boring stuff first - Terms
Next-Gen AV
• Might have evolved from vendors trying to get the PCI certification
• It is a dead term, or so Gartner wants it to be
– So we agree to kill it, because AV is AV
13. Endpoint Protection Platform (EPP)
Definition
End Point Protection Platforms (EPP) are enterprise security platforms that protect PCs, mobile devices and server environments from malware, spyware, rootkits, trojans and worms. Platforms may include technologies such as:
– signature based malware/spyware detection and removal
– personal firewalls
– host based intrusion prevention systems (HIPS)
– application whitelisting
– data protection (e.g. file encryption)
– malicious website blocking
– file reputation systems
– security management and reporting
• In short, EPP products typically employ a cocktail approach to protect devices and servers from malware.
Source: arch.simplicable.com
#OVERHEARD - “AV + Randomly related shit”
14. Endpoint Protection Platform (EPP)
Definition
• Gartner
– An endpoint protection platform (EPP) is a solution that converges endpoint device security functionality into a single product that delivers antivirus, anti-spyware, personal firewall, application control and other styles of host intrusion prevention (for example, behavioral blocking) capabilities into a single and cohesive solution…
#OVERHEARD - “AV + Randomly related shit”
15. The EPP Magic Quadrant
[Figure: Gartner EPP Magic Quadrant, annotated: the typical AV suites (errrr… platforms) vs. the up and coming EDR solutions]
16. How I felt after weeks of testing
[Image: “EDR VENDORS HIT”]
18. But all EDR/EPP are NOT created equal
• We need some sort of term(s) to separate out all these solutions because they vary in primary features
• After a long discussion with my Gartner friend Dr. Anton Chuvakin, changing the terms is not a good idea
• So we will just add to them to make it easier for everyone
19. Improved Terms
• Use these two as they are current and the future
– EDR and EPP
• We will add extensions so that we can break up
the solutions into logical functions
– EDR – Preventative
– EDR – Detective and Information
– EDR – IR or Incident Response
– EPP – Has a Platform currently (Traditional AV)
– EPP – Eco Systems – Mixes network with endpoint
20. EDR - Preventative
• Focuses on Prevention
• Would be what we call Next Gen AV
• May provide detective alerts
• May provide some IR details
• But really these are the “set and forget” easier
to use solutions
21. Examples of EDR - P
• Primarily Prevention
22. EDR - Detective
• Focus is on detection
• Little or no prevention (yet)
• May provide some additional information
• May provide some IR details
– But not what we need, too much normal noise
• These solutions are evolving into EDR – P
• I honestly do not see a need or reason for these
23. Examples of EDR - D
• Primarily Detective and Information
24. EDR - IR
• Focus is on Response
• Hunting capabilities
• Detective capabilities
• Little or no prevention
• Provides a lot of details
– Too many really, LOTS of normal noise, hard to find the bad
– But not enough for remediation
• These solutions are really for hunting for additional
systems with artifacts you find with say, LOG-MD
25. Examples of EDR - IR
• Primarily IR Hunting
26. EPP - Eco Systems
• These are total solutions
• Yes, Platforms
• Endpoint
• Web Gateway
• Network
• Email
• Etc.
27. Examples of EPP – Eco Systems
• Covering the endpoint, network, web, email
29. What did we expect?
• Some decent results
• We expected many or most of the solutions to
catch what our IPS caught as that is what we
would measure against, our baseline
• If the IPS caught something and alerted us to
“HEY! Look at that system!!!”
• Then EDR should do the same
• And give us all kinds of details…
30. And what we were treated to
after weeks of testing…
31. What we tested
• We did NOT test the following:
– Eco Systems – we were not going to do a forklift
upgrade and go all out on Cisco AMP, RSA ECAT, or
Mandiant/FireEye
– EPP – We did not test the typical AV with all the bells
and whistles
– Sandbox solutions – We know this would provide a lot
of detail of what malware does on infection, but we
have LOG-MD and with roughly 30% of malware that
detects sandboxes, we opted not to go this route
– Any Managed Service Providers
32. What we tested
• EDR – Preventative solutions (NG-AV)
• EDR – Detective and Information solutions
• EDR – Incident Response solutions
• The typical up and coming EDR solutions that
InfoSec would own and manage
33. How we tested
• The first thing we did was analyze the infection
using ;-)
• So we knew all the details we wanted and
needed to remediate a system and to
compare against what EDR could provide us
• We tested 3 conditions
1. User initiated – Pre-Infection
2. Already infected – Post Infection
3. Bad actor pushed and wait for reboot
35. How did they do?
• Most did OK with Pre-Infection conditions
• Meaning when a user opened a Word Doc that
called wscript and/or PowerShell, this condition
was caught
• What about systems that were already infected?
– Many missed the infection
• What about acting like a bad actor and dropping
the payload and waiting for it to load
– Many missed the infection
36. How did they do?
• Kovter was missed by several solutions
– When caught it was mshta calling PowerShell
• Dridex was missed by several solutions
– Side loading by a signed MS binary is an issue
– Morphing rendered hash lookups worthless
• Gozi was missed by a couple solutions
– This is typical commodity so VERY lame to miss
• Really??? IPS did better than EDR???
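As an added illustration (not the presenter's code and not LOG-MD) of the behavioural catch points on this slide, the check below flags the parent/child process chains named above over process-creation events; the one-line key="value" event rendering, field names and sample lines are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Parent -> child image pairs that, per the testing above, were the catch
# points: Office spawning a script host (pre-infection) and mshta.exe
# launching PowerShell (Kovter). Extend with chains from your own samples.
SUSPICIOUS_CHAINS = {
    ("winword.exe", "wscript.exe"),
    ("winword.exe", "powershell.exe"),
    ("mshta.exe", "powershell.exe"),
}

@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str    # parent image file name, lower-cased
    image: str     # new process image file name, lower-cased
    cmdline: str

def basename(path: str) -> str:
    """Reduce a Windows path to its lower-cased file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()
# Assumed one-line key="value" rendering of 4688-style process-creation fields.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line: str) -> Optional[ProcEvent]:
    f = dict(FIELD_RE.findall(line))
    if not {"host", "parent", "image", "cmdline"} <= set(f):
        return None  # malformed line: skip it rather than abort the scan
    return ProcEvent(f["host"], basename(f["parent"]),
                     basename(f["image"]), f["cmdline"])

def flag_chains(lines: List[str]) -> List[ProcEvent]:
    """Return events whose parent/child pair is a known suspicious chain.
    No hash lookup: morphing samples defeat hashes, the launch chain does not change."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev and (ev.parent, ev.image) in SUSPICIOUS_CHAINS:
            hits.append(ev)
    return hits

SAMPLE_EVENTS = [  # constructed sample input, not real logs
    'host="pc1" parent="C:\\Windows\\explorer.exe" image="C:\\Program Files\\Microsoft Office\\WINWORD.EXE" cmdline="WINWORD.EXE report.docm"',
    'host="pc1" parent="C:\\Program Files\\Microsoft Office\\WINWORD.EXE" image="C:\\Windows\\System32\\wscript.exe" cmdline="wscript.exe stage.js"',
    'host="pc2" parent="C:\\Windows\\System32\\mshta.exe" image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" cmdline="powershell.exe -w hidden"',
    'host="pc3" parent="C:\\Windows\\System32\\services.exe" image="C:\\Windows\\System32\\svchost.exe" cmdline="svchost.exe -k netsvcs"',
    "not an event line at all",
]
```

Running `flag_chains(SAMPLE_EVENTS)` returns the two chained launches (Word to wscript on pc1, mshta to PowerShell on pc2) and ignores the benign and malformed lines.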
39. Expectations
• Check your expectations
• Build a set of requirements
• What do you REALLY need???
• Expect that you may not be satisfied
40. Test your SH*T
• I think there was shock, surprise and
bewilderment that our testing found the number
of issues we did
• Do people actually test EDR???
• You REALLY need to test this stuff and decide for
yourself what works
• Your requirements are NOT our requirements
• Solutions will change and/or improve over time,
or not
– Or we HOPE…
41. Suggested evaluation
• Determine what you REALLY need
– EDR – P
– EDR – D
– EDR – IR
– EPP
– EPP - Eco System
• Test only the solutions in the area you need
– Compare Apples to Apples
Pick one, skip this one
42. How to evaluate solutions
• Use malware you actually receive
– Or ask us or people that can give you good samples
• NEVER use samples from the vendor, they know
their stuff can catch it
• Use LOG-MD to evaluate your samples to
discover the artifacts you will use to evaluate the
solutions you select
• Create a short list of things you need or want
43. How to evaluate solutions
• How easy to use is the console / GUI
– Many are very difficult or complicated to use
– Tier 1 probably cannot use them, so it impacts your
staffing
• Do you expect them to provide all the details you
need to remediate?
– They all sucked at this - seriously
– You will know the system is infected and some details
– But not everything you need to remediate
– Which means you will need to investigate systems
that trigger alerts to obtain all remediation details
44. How to evaluate solutions
• Test the damn stuff
– You will be surprised
• What impact will it have on your resources?
• Some are complete time sucks
– Is this really what you need or want?
• Shouldn’t this stuff save us time or at least
automate some tasks and gain some efficiency?
45. It’s all in the details
46. What surprised us
• My expectations were that I would get some
details more than AV or IPS gave us
– This file is bad and this IP is infected
• I expected that we would get some details to
help us know what infected the system and
how…
• I was soooo disappointed…
47. What surprised us
• Here is where I should bash the solutions at how
bad they were
• But I realized my expectations were based on
how good logging CAN be and how we do it
– The Windows Logging Cheat Sheet(s)
• Several of the tools are just fancy Log
Management type tools with details, Intel and
noise added
• And how good other tools we use that can push
out tools we have and like
48. What surprised us
• provided us details none of the
solutions could even come close to
– And WAY faster
• On a scale of 1-10
– EDR – IR: 2-5
– 10 !!!
49. After Testing - My Top 10 Tools
1. Log Management
– Of course with the “Windows Logging Cheat Sheet(s)”
2. Query the System
– I LOVE BigFix, Tanium, GRR, OSQuery, Investigator
3.
4. n/a
5. n/a
6. n/a
7. n/a
8. n/a
9. n/a
10. n/a – Maybe one that implements the changes I am about to
recommend
50. Recommendations to the Industry
• EDR – IR
– Need a console that allows us to run say………
LOG-MD or other tool(s) of your choice
– Not one by one, but automated on all the suspect
systems we want to obtain more details
• Simpler consoles to address Tier 1 staff
– Can have drill down for more detail
– But focus at Tier 1 so I can share some of the load
– Help me distribute the load across the team
51. Resources
LOG-MD.COM
• Websites
– Log-MD.com The tool
• The “Windows Logging Cheat Sheet(s)”
– MalwareArchaeology.com
• This presentation and others on SlideShare
– Search for MalwareArchaeology or LOG-MD
52. Questions?
You can find us at:
• Log-MD.com
• @HackerHurricane
• @Boettcherpwned
• MalwareArchaeology.com
• HackerHurricane.com (blog)