Copyright © FireEye, Inc. All rights reserved.1
NO EASY BREACH
DERBYCON 2016 #NOEASYBREACH
Matt Dunwoody @matthewdunwoody
Nick Carr @itsreallynick
How It All Started
• 1 average spearphishing email
• 1 failed client remediation
• 1 very determined nation state
• Attacker’s mission not impacted by ongoing remediation measures
• 2 attacker objectives:
• Steal email of targeted VIPs
• Monitor security team, response & detection efforts
FUN FACT: This was APT29
Several Months Later…
• The Aftermath
• Four person Mandiant team
• Over 1,039 compromised systems
• Over 1,000 unique malware samples
• Over 1,000 different unique C2 domains / IPs
• Over 50,000 email communications stolen
• Including scripts & tools: 7,000+ attacker files
• How did they pull it off?
• Fast-paced intrusion
• Very stealthy
• Rapidly changing tactics
• Employed advanced attack techniques
Challenge 1: Fast-Paced Attacker
• Attacker infected 10 systems per day with primary backdoor family
• Especially when provoked (maintained baseline foothold)
• Accessed hundreds of systems for recon and credential theft
• Removed tools and forensic artifacts to hide activity
• Deployed additional backdoor families
• Continued to steal data every week
Our Response: Triaged Where Possible
• Moved from typical Live Response analysis to abbreviated triage
• Brief analysis leveraging known attacker TTPs
• Developed indicators to assist triage
• Partially automated the analysis process
• Some activity not unique enough to sig
• Focused on:
• Lateral movement
• Walking back up the chain
• Pivoting, recon, new tools or backdoors
• Signs of data theft
• Deviation from typical attacker activity
FAST-PACED ATTACKER
Our Response: Streamlined Documentation
• Typical LR reports and timelines took too much time
• Still needed to document findings
• Compressed notes from systems into brief, standardized text blocks
• Malware and attacker tools on the system
• Persistence mechanisms
• Periods of attacker activity and significant timestamps
• Source of activity
• Documented significant findings
• New TTPs
• Data theft
FAST-PACED ATTACKER
Lesson Learned: Be Fast and Flexible
• Be willing to change normal practices and disregard official methodologies when they’re not working
• Make the most of outside help - accept the limitations of your circumstances and do what you can to maximize your chances of success
FAST-PACED ATTACKER
Challenge 2: Stealthy Attacker
• Attacker using counter-forensic techniques to hide endpoint and network activity
• Endpoint: secure deletion, impressive OPSEC (pack up and move), 90% doctrine
• Network: compromised third-party websites & social media C2, altered communication scheme + strong crypto, embraced SSL
• The odds were stacked against us
• Unable to use Mandiant network sensors and signatures
• Existing devices inconsistently deployed and coverage spotty
• “Rolling remediation” actions showed our hand, so the attacker knew which evasion tactics were working
BONUS SLIDE: Even More OPSEC
• Attacker considered every detail
• Mass activity to obscure the real target
• More evident in recent campaigns
• Widespread phishing with a prioritized target list
• They might even want the first system to be caught
• Data theft using only legitimate US-based services, complicating any law enforcement response
• Gmail, Google Drive using APIs
• OneDrive
• Monitored us
• Targeted the IR operations throughout the compromise
• Were we onto them and how much time did they have left?
Our Response: Found Clues in the Rubble
• Maximized the utility of trace forensic artifacts
• Some attacker behavior recovered from sdelete
• File path regex for artifacts
• Everything from AAA.AAA to ZZZ.ZZZ
• Entry Modified timestamp typically indicated when sdelete occurred
• EULA Accepted registry key for each Sysinternals tool
• Searched for new sdelete usage
• Prefetch entries for some operations (e.g., RAR) included deleted items in Accessed Files
STEALTHY ATTACKER
FUN FACT: Now it’s built-in!
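The sdelete artifact hunt described on this slide, as an added example that is not from the talk: it runs the file-name regex over a constructed MFT-style listing, clusters the hits by directory and Entry Modified time to estimate when each wipe ran, and reads the Sysinternals EulaAccepted keys from a constructed registry export. The regex generalizes the slide's AAA.AAA to ZZZ.ZZZ form to names of any length, since SDelete keeps the original name length and dot positions; all paths, timestamps and registry values are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# SDelete renames a file 26 times before deleting it, each time replacing
# every character of the name with one letter (AAA.AAA, BBB.BBB, ... ZZZ.ZZZ)
# while keeping the dots, so a name made of one repeated upper-case letter
# plus dots is the trace that survives in $MFT / $LogFile records.
SDELETE_NAME = re.compile(r"^([A-Z])(?:\1|\.)*$")

# Constructed sample standing in for an MFT export: (path, Entry Modified).
# Paths and timestamps are made up for this example.
SAMPLE_RECORDS = [
    (r"C:\Users\jdoe\AppData\Local\Temp\AAA.AAA", "2015-10-14 14:12:58"),
    (r"C:\Users\jdoe\AppData\Local\Temp\BBB.BBB", "2015-10-14 14:12:58"),
    (r"C:\Users\jdoe\AppData\Local\Temp\ZZZ.ZZZ", "2015-10-14 14:12:59"),
    (r"C:\Users\jdoe\AppData\Local\Temp\setup.log", "2015-10-13 09:01:00"),
    (r"C:\Windows\Temp\AAAAAA.AAA", "2015-10-15 00:14:30"),
    (r"C:\Windows\Temp\ZZZZZZ.ZZZ", "2015-10-15 00:14:31"),
    (r"C:\Windows\Temp\ABC.ABC", "2015-10-15 00:14:31"),  # mixed letters: not SDelete
]

# Constructed registry export: (key, value name, data). Sysinternals tools
# write EulaAccepted=1 under HKCU\Software\Sysinternals\<Tool> on first run.
SAMPLE_REGISTRY = [
    (r"HKCU\Software\Sysinternals\SDelete", "EulaAccepted", 1),
    (r"HKCU\Software\Sysinternals\PsExec", "EulaAccepted", 1),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater", "C:\\x.exe"),
]


def find_sdelete_artifacts(records):
    """Return (path, entry_modified) for every record whose file name matches
    the SDelete rename pattern. Names shorter than 3 characters are ignored
    to avoid matching legitimate one- or two-letter files."""
    hits = []
    for path, stamp in records:
        name = path.rsplit("\\", 1)[-1]
        if len(name) >= 3 and SDELETE_NAME.match(name):
            hits.append((path, datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")))
    return hits


def cluster_wipe_events(artifacts, window_seconds=60):
    """Group artifacts by directory and time. Each cluster approximates one
    SDelete run; its latest Entry Modified time is when the wipe finished,
    which is the timestamp to pivot on in other evidence sources."""
    by_dir = defaultdict(list)
    for path, stamp in artifacts:
        by_dir[path.rsplit("\\", 1)[0]].append(stamp)
    clusters = []
    for directory, stamps in by_dir.items():
        stamps.sort()
        start, last, count = stamps[0], stamps[0], 1
        for stamp in stamps[1:]:
            if stamp - last > timedelta(seconds=window_seconds):
                clusters.append({"dir": directory, "start": start, "end": last, "files": count})
                start, count = stamp, 0
            last, count = stamp, count + 1
        clusters.append({"dir": directory, "start": start, "end": last, "files": count})
    return clusters


def sysinternals_tools_run(registry_values):
    """Return the Sysinternals tools whose EULA this user has accepted, i.e.
    tools that were run at least once under this profile (SDelete included)."""
    tools = set()
    for key, name, data in registry_values:
        parts = key.split("\\")
        if len(parts) >= 4 and parts[-2].lower() == "sysinternals" \
                and name == "EulaAccepted" and data == 1:
            tools.add(parts[-1])
    return sorted(tools)


if __name__ == "__main__":
    for c in cluster_wipe_events(find_sdelete_artifacts(SAMPLE_RECORDS)):
        print(f"{c['dir']}: {c['files']} wiped names, finished {c['end']}")
    print("Sysinternals tools run:", sysinternals_tools_run(SAMPLE_REGISTRY))
```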
Our Response: Made the Best of What We Had
• Learned and leveraged client’s network tools
• Embraced the varying technology across business units
• Took time and patience to filter out the network noise
• Searched for every new system by timeframe
• Searched activity between sets of infected hosts
• Automated where possible
• Developed dashboards
STEALTHY ATTACKER
Our Response: Made the Best of What We Had
• Found the helpful but forgotten alerts
• SMB transfer of UPX-packed files
• Extracted fields we wanted
• Signature combinations solved mysteries
• Schtasks.exe usage by UUID
• SMB writes to System32
• Network time preserved when other timestamps could not be trusted
STEALTHY ATTACKER
Example search (schtasks usage by UUID):
signature=MSRPC_SuspiciousEncryption event_info="UUID=86d35949-83c9-4044-b424-db363231fd0c*" src_ip="10.*" dest_ip="10.*" (dest_port=49154 OR dest_port=49155)
FUN FACT: This was our initial discovery of HAMMERTOSS
Our Response: Made New Shiny Things
• Deployed additional budget-friendly open source tech
• Found ways to apply our methodology
• Connected to our incident tracker
• Sparklines for time + volume of activity
• Prioritized host analysis based on traffic
• Smashed and grabbed before the wipe!
STEALTHY ATTACKER
[Figure: sparkline dashboard of activity volume over time for host_1 through host_10]
Lesson Learned: Improve Visibility and Don’t Stop Looking
• Map attacker activity to potential data sources and use everything available to minimize blind spots
• Give your team access to existing tools outside of their normal process
• Consider deploying additional technology
• Network time provides reliable chronology despite host-based timestomping
• Combat IR fatigue by automating the high-confidence (and boring) stuff
• Once an attacker is found, fight to maintain line-of-sight
STEALTHY ATTACKER
Challenge 3: Rapidly-Evolving Tactics
• New and updated backdoors
• 7 distinct backdoor families
• SEADADDY went through 3 version updates
• Seven unique persistence mechanisms
• Registry run key, .LNK files, services, WMI, named scheduled tasks, hijacking scheduled tasks, overwriting legitimate files
• Cycled persistence techniques regularly
• Minimal re-use of metadata commonly tracked and shared as indicators
• Malware MD5, file name, file size, and C2 unique to each system
• Attacker didn’t need to re-use compromised accounts
FUN FACT: On current case, APT29 used unique UAC bypass & persistence that was first posted online days before
Our Response: Maintained Eye Contact
• Fought to keep network visibility on all malware families
• Backdoor version 1: could see it, sig it, and decode it
  PHPSESSID = base64( zlib( aes( BACKDOOR C2 ) ) )
• Backdoor version 2: lost ability to decode it
  Cookie{2,7} = customb64( zlib( rc4( aes( BACKDOOR C2 ) ) ) )
• Backdoor version 3: lost ability to sig it
  random_split( Cookie{2,7} = customb64( zlib( rc4( aes( BACKDOOR C2 ) ) ) ) )
• Wrapped in SSL: lost ability to see it
  … at first
RAPIDLY-EVOLVING TACTICS
FUN FACT: This was SEADADDY
Finding attacker SSL usage using Bro’s ssl.log:
certificate email     SSL cipher                             start              stop
root@domain1.com      TLS_DHE_RSA_WITH_AES_256_CBC_SHA       10/14/15 14:13:00  10/15/15 00:14:37
support@vendor.com    TLS_RSA_WITH_3DES_EDE_CBC_SHA          10/14/15 16:13:29  10/14/15 16:13:29
root@domain2.com      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384    10/13/15 13:30:17  10/14/15 03:14:04
admin@example.com     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA     10/11/15 13:02:21  10/12/15 10:58:59
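The ssl.log summary shown in the table above, as an added example that is not from the talk: it parses a constructed Bro ssl.log using the log's own #fields header, pulls the emailAddress out of each server certificate subject, and reduces the connections to one row per (certificate email, cipher) with first/last seen, connection count and the internal source hosts, which is what the slide's table presents. The log rows, hosts, certificate subjects and times are all made up.

```python
import re
from datetime import datetime, timezone

# Constructed Bro ssl.log fragment (tab-separated, trimmed to the columns used
# here). Hosts, certificate subjects and times are made up for this example.
SAMPLE_SSL_LOG = "\n".join([
    "#separator \\x09",
    "#unset_field\t-",
    "#path\tssl",
    "\t".join(["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h",
               "id.resp_p", "version", "cipher", "server_name", "subject", "issuer"]),
    "\t".join(["1444831980.000000", "CXWv6p3arKYeMETxOg", "10.1.2.3", "49211",
               "203.0.113.10", "443", "TLSv12", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
               "-", "CN=update.example.net,O=Example,emailAddress=root@domain1.com",
               "CN=update.example.net,O=Example,emailAddress=root@domain1.com"]),
    "\t".join(["1444839209.000000", "CHhAvVGS1DHFjwGM9", "10.1.2.3", "49377",
               "198.51.100.7", "443", "TLSv10", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
               "support.vendor.example",
               "CN=support.vendor.example,O=Vendor,emailAddress=support@vendor.com",
               "CN=Vendor CA,O=Vendor"]),
    "\t".join(["1444868077.000000", "C4J4Th3PJpwUYZZ6gc", "10.1.2.9", "50102",
               "203.0.113.10", "443", "TLSv12", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
               "-", "CN=update.example.net,O=Example,emailAddress=root@domain1.com",
               "CN=update.example.net,O=Example,emailAddress=root@domain1.com"]),
    "\t".join(["1444868100.000000", "CmES5u32sYpV7JYN", "10.1.2.9", "50110",
               "203.0.113.10", "443", "TLSv12", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
               "-", "-", "-"]),  # resumed session: no certificate logged
])

EMAIL_RE = re.compile(r"emailAddress=([^,]+)")


def parse_bro_log(text):
    """Parse a Bro/Zeek ASCII log into dicts using its own #fields header;
    the unset marker '-' becomes None."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            values = [None if v == "-" else v for v in line.split("\t")]
            rows.append(dict(zip(fields, values)))
    return rows


def summarize_certificates(rows):
    """Collapse ssl.log rows into one entry per (certificate email, cipher):
    first/last seen in UTC, connection count and the internal source hosts.
    Rows without a server certificate (e.g. resumed sessions) are skipped;
    certificates without an emailAddress are keyed by their full subject."""
    summary = {}
    for row in rows:
        if not row.get("subject"):
            continue
        match = EMAIL_RE.search(row["subject"])
        key = (match.group(1) if match else row["subject"], row["cipher"])
        seen = datetime.fromtimestamp(float(row["ts"]), tz=timezone.utc)
        entry = summary.setdefault(key, {"first": seen, "last": seen, "count": 0, "sources": set()})
        entry["first"] = min(entry["first"], seen)
        entry["last"] = max(entry["last"], seen)
        entry["count"] += 1
        entry["sources"].add(row["id.orig_h"])
    return summary


def render_report(summary):
    """Format the summary like the slide's table (email, cipher, start, stop)."""
    fmt = "%m/%d/%y %H:%M:%S"
    lines = [f"{'certificate email':<22}{'SSL cipher':<40}{'start':<19}stop"]
    for (email, cipher), e in sorted(summary.items(), key=lambda kv: kv[1]["first"]):
        lines.append(f"{email:<22}{cipher:<40}{e['first'].strftime(fmt):<19}{e['last'].strftime(fmt)}")
    return lines


if __name__ == "__main__":
    print("\n".join(render_report(summarize_certificates(parse_bro_log(SAMPLE_SSL_LOG)))))
```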
Our Response: Prioritized the Unknown
• Spent time analyzing systems with unknown activity
• The most interesting systems were the ones the attacker accessed but where we didn’t know what they did
• Limited analysis on systems with known and consistent attacker tactics
• While not useful as standalone indicators, tracked breach data to prioritize discovered systems
• Identified common forensic artifacts between systems with shared C2
RAPIDLY-EVOLVING TACTICS
Our Response: Continually Improved Indicators
• Created indicators for every stage of attack lifecycle
• All seven persistence mechanisms, recon, lateral movement, and data theft
• Methodology IOCs helped identify systems without known malware
• Reverse engineered every backdoor revision & updated indicators
• Maintained a list of high-confidence indicators to focus new IOC development
• Developed flexible & resilient indicators
• Provided high-fidelity matches across versions, regardless of morphing
• Used imports and exports, size ranges, section names, compile times, and other consistent attributes
RAPIDLY-EVOLVING TACTICS
Our Response: Continually Improved Indicators
RAPIDLY-EVOLVING TACTICS
• Automated analysis of backdoor for comparison and configuration extraction; enterprise-wide search of process memory
• Indicators based on packaging and delivery
• Import hashes, size, section names, artifacts of wrapper execution everywhere possible
• Adapted file system IOC+regex to process handles, prefetch, and event logs
• Identified malware staged for SMB transfer
[Figure: packaging chain: obfuscated-backdoor.py -> PyInstaller / Py2Exe -> UPX-packed -> ...transferred laterally]
Lesson Learned: Find It, Refine It, Re-Find It
• Enhance and test your best indicators even when they’re working
• Track what the attacker can change before you lose visibility of their activity
• Don’t let technical data fall through the cracks, even when visibility is good and the details have marginal value as indicators
RAPIDLY-EVOLVING TACTICS
Challenge 4: Advanced Attack Techniques
• Windows Management Instrumentation (WMI)
• Attacker used WMI to persist backdoors
• Embedded backdoor files and PowerShell scripts in WMI repo
• Used WMI to steal credentials from remote systems
• Configured WMI to extract and execute backdoors months in the future, to evade remediation
• Attacker leveraged PowerShell
• Stealthy backdoors
• PowerShell scripts like Invoke-Mimikatz evaded A/V detection
• Excellent WMI integration
• Kerberos
• Attacker used Kerberos ticket attacks, which made tracking lateral movement difficult
Our Response: Tackled Attacker WMI Usage
• Searched for WMI persistence
• Manually parsed from objects.data strings on endpoints
• Ran script across the environment to identify persistence
• Colleagues developed custom MIR audit to allow for sweeping
• Identified evidence of attacker code in WMI repo
• Attacker embedded PowerShell code in WMI class properties to execute on remote system
• Identified class and property names and code in objects.data strings
• Searched contents of CIM repo at scale
• Parsed out embedded scripts and malware
• The repo was a poorly documented, complex structure, so parsing was difficult and manual
• Willi Ballenthin, Matt Graeber and Claudiu Teodorescu made repo parsers (after the investigation was completed)
ADVANCED ATTACK TECHNIQUES
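The strings-based triage of objects.data described on this slide, as an added example that is not from the talk or from the repo parsers it credits: it runs over a constructed strings-style dump, reports which permanent-event-subscription class names are present, and pulls out PowerShell invocations, decoding any -EncodedCommand argument (UTF-16LE base64) and flagging commands that read their code from a WMI class property. The class name Example_Updater_Class, the property name Payload and the command lines are made up; the encoded sample is built at import time so it decodes to a harmless Get-Date.

```python
import base64
import re

# WMI classes that make up a permanent event subscription (the persistence
# shape the talk swept for), including the consumer types that run code.
PERSISTENCE_CLASSES = (
    "__EventFilter",
    "CommandLineEventConsumer",
    "ActiveScriptEventConsumer",
    "__FilterToConsumerBinding",
)

# Constructed sample: lines as a strings-style dump of objects.data would show
# them. Class, property and file names are made up for this example; the
# encoded command is built here so it decodes to something harmless.
ENCODED_SAMPLE = base64.b64encode("Get-Date".encode("utf-16-le")).decode()
SAMPLE_STRINGS = [
    "Win32_LogicalDisk",
    "__EventFilter",
    "SELECT * FROM __InstanceModificationEvent WITHIN 3600 WHERE TargetInstance ISA 'Win32_LocalTime'",
    "CommandLineEventConsumer",
    "powershell.exe -NoP -W Hidden -EncodedCommand " + ENCODED_SAMPLE,
    "__FilterToConsumerBinding",
    "Win32_Process",
    "Example_Updater_Class",
    "Payload",
    "powershell -c \"$p=([WmiClass]'root\\cimv2:Example_Updater_Class').Properties['Payload'].Value\"",
]

POWERSHELL_RE = re.compile(r"powershell(?:\.exe)?\s+(.*)", re.IGNORECASE)
# -EncodedCommand and the unambiguous prefixes PowerShell accepts for it.
ENCODED_RE = re.compile(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def find_persistence_classes(strings):
    """Return the subscription class names present, in the order seen.
    __EventFilter + a consumer + __FilterToConsumerBinding together means a
    permanent subscription exists and its consumer command needs review."""
    return [s for s in strings if s in PERSISTENCE_CLASSES]


def extract_powershell(strings):
    """Pull PowerShell invocations out of repository strings, decode any
    -EncodedCommand argument so the analyst can read it, and flag commands
    that fetch their code from a WMI class property (the talk's attacker
    stored PowerShell in class properties rather than on disk)."""
    findings = []
    for s in strings:
        m = POWERSHELL_RE.search(s)
        if not m:
            continue
        args = m.group(1)
        enc = ENCODED_RE.search(args)
        decoded = None
        if enc:
            try:
                decoded = base64.b64decode(enc.group(1)).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                decoded = "<undecodable>"
        findings.append({
            "raw": s,
            "decoded": decoded,
            "reads_wmi_property": "[WmiClass]" in args or ".Properties[" in args,
        })
    return findings


if __name__ == "__main__":
    print("subscription classes:", find_persistence_classes(SAMPLE_STRINGS))
    for f in extract_powershell(SAMPLE_STRINGS):
        print(f["raw"][:60], "->", f["decoded"] or "(plain)",
              "| reads WMI property:", f["reads_wmi_property"])
```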
Our Response: Increased PowerShell Visibility
• Upgraded the environment to PowerShell 3.0 and enabled logging
• Logging captured input/output, variable initialization, etc.
• Captured entire functions of PS scripts, attacker commands, script output, etc.
• Wrote indicators based on observed attacker activity
• Identified lateral movement, unique backdoors, credential theft, data theft, recon, persistence creation, etc.
• Turned attacker PowerShell usage from a threat to a benefit
• Logging and IOCs made finding and analyzing attacker activity much easier
ADVANCED ATTACK TECHNIQUES
FUN FACT: There’s now a blog post and my script block logging parser on GitHub
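The script block logging parsing the FUN FACT refers to, as an added example that is not the speaker's parser or any code from the talk: PowerShell writes long script blocks as several Event ID 4104 records sharing a ScriptBlockId, numbered by MessageNumber/MessageTotal, so this reassembles them before matching the slide's own indicators (Invoke-Mimikatz, pass-the-ticket) and shows what a per-event search misses when a string spans a fragment boundary. The events, host name, ScriptBlockIds, paths and commands are constructed.

```python
import re

# Constructed PowerShell script block log events (Event ID 4104) as the
# EventData fields an exported log would provide. Long script blocks are
# split across several 4104 events that share a ScriptBlockId and carry
# MessageNumber/MessageTotal; events are listed out of order on purpose.
# Host name, IDs, paths and commands are made up for this example.
SAMPLE_4104 = [
    {"TimeCreated": "2015-10-14T14:20:02", "Computer": "WS-042",
     "ScriptBlockId": "7f1e8a60-0000-4000-8000-000000000001",
     "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "katz -Command 'kerberos::ptt C:\\Users\\Public\\t.kirbi'"},
    {"TimeCreated": "2015-10-14T14:20:01", "Computer": "WS-042",
     "ScriptBlockId": "7f1e8a60-0000-4000-8000-000000000001",
     "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "Import-Module C:\\Users\\Public\\im.ps1; Invoke-Mimi"},
    {"TimeCreated": "2015-10-14T09:02:11", "Computer": "WS-042",
     "ScriptBlockId": "7f1e8a60-0000-4000-8000-000000000002",
     "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ChildItem C:\\Reports | Measure-Object"},
    {"TimeCreated": "2015-10-14T15:00:00", "Computer": "WS-042",
     "ScriptBlockId": "7f1e8a60-0000-4000-8000-000000000003",
     "MessageNumber": 1, "MessageTotal": 3,
     "ScriptBlockText": "function Get-Something {"},  # fragments 2 and 3 not exported
]

# Detection indicators taken from the talk's own examples (Invoke-Mimikatz,
# pass-the-ticket); kerberos::ptt is the mimikatz ticket-injection module name.
INDICATORS = {
    "invoke_mimikatz": re.compile(r"Invoke-Mimikatz", re.IGNORECASE),
    "kerberos_ptt": re.compile(r"kerberos::ptt", re.IGNORECASE),
}


def reassemble_script_blocks(events):
    """Join 4104 fragments per ScriptBlockId in MessageNumber order.
    Returns {id: {"text", "complete", "computer", "first_seen"}}; a block is
    complete only when every fragment 1..MessageTotal was seen."""
    groups = {}
    for ev in events:
        g = groups.setdefault(ev["ScriptBlockId"], {
            "parts": {}, "total": ev["MessageTotal"],
            "computer": ev["Computer"], "first_seen": ev["TimeCreated"]})
        g["parts"][ev["MessageNumber"]] = ev["ScriptBlockText"]
        g["first_seen"] = min(g["first_seen"], ev["TimeCreated"])
    blocks = {}
    for sbid, g in groups.items():
        numbers = sorted(g["parts"])
        blocks[sbid] = {
            "text": "".join(g["parts"][n] for n in numbers),
            "complete": numbers == list(range(1, g["total"] + 1)),
            "computer": g["computer"],
            "first_seen": g["first_seen"],
        }
    return blocks


def scan_text(text, indicators=INDICATORS):
    """Return the sorted names of indicators matching the text."""
    return sorted(name for name, rx in indicators.items() if rx.search(text))


def scan_blocks(blocks, indicators=INDICATORS):
    """Indicator hits per reassembled block (the reliable way)."""
    hits = {}
    for sbid, b in blocks.items():
        names = scan_text(b["text"], indicators)
        if names:
            hits[sbid] = names
    return hits


def scan_fragments(events, indicators=INDICATORS):
    """Indicator hits per raw event, to show what a per-event search misses
    when a string is split across a fragment boundary."""
    hits = {}
    for ev in events:
        for name in scan_text(ev["ScriptBlockText"], indicators):
            hits.setdefault(ev["ScriptBlockId"], set()).add(name)
    return hits


if __name__ == "__main__":
    blocks = reassemble_script_blocks(SAMPLE_4104)
    for sbid, names in scan_blocks(blocks).items():
        b = blocks[sbid]
        print(f"{b['first_seen']} {b['computer']} {sbid} complete={b['complete']} hits={names}")
    print("per-fragment hits:", scan_fragments(SAMPLE_4104))
```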
Our Response: Addressed Ticket Attacks
• Worked around Kerberos attacks
• Swept for Invoke-Mimikatz PTT usage in PS logs to identify pivot systems
• Swept for other indicators of lateral movement to identify destination systems
• Looked for remote Kerberos logons around the time of attacker activity
• Developed indicators
• Based on research by Sean Metcalf at adsecurity.org
• Developed late in the investigation
• Extremely high-fidelity
ADVANCED ATTACK TECHNIQUES
Our Response: Addressed Ticket Attacks
ADVANCED ATTACK TECHNIQUES
[Figure: Windows Security event log excerpts showing Event ID 4624, Event ID 4672 and Event ID 4634]
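The logon correlation described on the previous slide ("looked for remote Kerberos logons around the time of attacker activity"), using the three event IDs in the figure, as an added example that is not from the talk: 4624 network logons (LogonType 3) authenticated with Kerberos become sessions, the matching 4672 (special privileges) and 4634 (logoff) are attached through the logon ID, and the sessions are then windowed around an anchor time taken from other evidence. The events, host, users, IPs and logon IDs are constructed; the field names are the standard Security log EventData names.

```python
from datetime import datetime, timedelta

# Constructed Security log events from one file server (FS-01), as the
# EventData fields an export would provide. Users, IPs and logon IDs are
# made up for this example. 4624 = logon, 4672 = special privileges
# assigned, 4634 = logoff; 4672 and 4634 tie back to the 4624 via the logon ID.
SAMPLE_SECURITY_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2015-10-14T09:00:00", "Computer": "FS-01",
     "TargetUserName": "jsmith", "TargetDomainName": "CORP", "TargetLogonId": "0x21c40",
     "LogonType": 2, "AuthenticationPackageName": "Kerberos", "IpAddress": "-"},
    {"EventID": 4624, "TimeCreated": "2015-10-14T14:05:10", "Computer": "FS-01",
     "TargetUserName": "svc_backup", "TargetDomainName": "CORP", "TargetLogonId": "0x3e7a1",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.1.2.3"},
    {"EventID": 4672, "TimeCreated": "2015-10-14T14:05:10", "Computer": "FS-01",
     "SubjectUserName": "svc_backup", "SubjectLogonId": "0x3e7a1",
     "PrivilegeList": "SeSecurityPrivilege SeBackupPrivilege SeDebugPrivilege"},
    {"EventID": 4624, "TimeCreated": "2015-10-14T14:06:00", "Computer": "FS-01",
     "TargetUserName": "jdoe", "TargetDomainName": "CORP", "TargetLogonId": "0x3f000",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.1.5.5"},
    {"EventID": 4634, "TimeCreated": "2015-10-14T14:09:40", "Computer": "FS-01",
     "TargetUserName": "svc_backup", "TargetLogonId": "0x3e7a1", "LogonType": 3},
    {"EventID": 4624, "TimeCreated": "2015-10-14T14:30:00", "Computer": "FS-01",
     "TargetUserName": "svc_backup", "TargetDomainName": "CORP", "TargetLogonId": "0x40000",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.1.2.3"},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def remote_kerberos_logons(events):
    """Build sessions from 4624 network logons (LogonType 3) authenticated with
    Kerberos, attaching the matching 4672 (privileges) and 4634 (logoff) by
    logon ID. Interactive and NTLM logons are left out. Sorted by start time."""
    privileges = {e["SubjectLogonId"]: e["PrivilegeList"]
                  for e in events if e["EventID"] == 4672}
    logoffs = {e["TargetLogonId"]: _ts(e["TimeCreated"])
               for e in events if e["EventID"] == 4634}
    sessions = []
    for e in events:
        if e["EventID"] != 4624 or e["LogonType"] != 3 \
                or e["AuthenticationPackageName"] != "Kerberos":
            continue
        lid = e["TargetLogonId"]
        sessions.append({
            "logon_id": lid,
            "computer": e["Computer"],
            "user": f"{e['TargetDomainName']}\\{e['TargetUserName']}",
            "source_ip": e["IpAddress"],
            "start": _ts(e["TimeCreated"]),
            "end": logoffs.get(lid),          # None when no 4634 was recorded
            "privileged": lid in privileges,  # a 4672 shares the logon ID
            "privileges": privileges.get(lid, ""),
        })
    return sorted(sessions, key=lambda s: s["start"])


def logons_near(sessions, anchor, window_minutes=10):
    """Sessions whose logon falls within +/- window of an anchor time taken
    from other evidence (e.g. an sdelete run or a logged PowerShell command)."""
    centre = _ts(anchor)
    delta = timedelta(minutes=window_minutes)
    return [s for s in sessions if abs(s["start"] - centre) <= delta]


if __name__ == "__main__":
    sessions = remote_kerberos_logons(SAMPLE_SECURITY_EVENTS)
    for s in logons_near(sessions, "2015-10-14T14:07:00"):
        print(f"{s['start']} {s['user']} from {s['source_ip']} on {s['computer']} "
              f"privileged={s['privileged']} end={s['end']}")
```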
BONUS SLIDE: Even More WMI + PS
FUN FACT: We saw the attacker test this backdoor before deployment
Lesson Learned: Turn Weakness Into Strength
RAPIDLY-EVOLVING TACTICS
• Use attackers’ strengths against them
• Unique attacks make for high-fidelity indicators
• Identify the activity
• Develop indicators
• Increase visibility at scale
• Automate detection
• Create an alerting system, if possible
BONUS SLIDE: TOR backdoor (just because it’s cool)
• Backdoor used TOR hidden services to provide secure, discreet remote access
• Used Meek plugin to hide traffic
• Forwarded TOR traffic to ports:
• 3389 – Remote Desktop
• 139 – NetBIOS
• 445 – SMB
• Modified registry to enable RDP
• “Sticky-keys” to provide unauthenticated, privileged console access
FUN FACT: This was first deployed 3 hours before remediation
BONUS SLIDE: TOR backdoor (just because it’s cool)
[Figure: traffic path of the Meek-fronted TOR backdoor: Client Endpoint -> (SSL) Mail.google.com / Google Cloud -> (HTTP) Meek reflector .appspot.com -> (TOR) TOR network -> (TOR) APT29]
If You’ve Learned Nothing Else Today…
SUPER IMPRESSIVE CONCLUSION SLIDE
• You must match or exceed the attacker’s pace
• You must match or exceed the attacker’s visibility
• You must match or exceed the attacker’s development
• You must match or exceed the attacker’s advanced techniques
• You must match or exceed the attacker’s intensity.
“True happiness incident response is a
life of continual self-improvement.
The greater the struggle, the more
enriching the experience is for your life.”
THANK YOU
QUESTIONS?
DERBYCON 2016 #NOEASYBREACH
Matt Dunwoody @matthewdunwoody
Nick Carr @itsreallynick

 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
 

No Easy Breach DerbyCon 2016

1. NO EASY BREACH
   DERBYCON 2016 #NOEASYBREACH
   Matt Dunwoody @matthewdunwoody
   Nick Carr @itsreallynick
   Copyright © FireEye, Inc. All rights reserved.

2. How It All Started
   • 1 average spearphishing email
   • 1 failed client remediation
   • 1 very determined nation state
   • Attacker’s mission not impacted by ongoing remediation measures
   • 2 attacker objectives:
     • Steal email of targeted VIPs
     • Monitor security team, response & detection efforts
   FUN FACT: This was APT29

3. Several Months Later…
   • The Aftermath
     • Four-person Mandiant team
     • Over 1,039 compromised systems
     • Over 1,000 unique malware samples
     • Over 1,000 different unique C2 domains / IPs
     • Over 50,000 email communications stolen
     • Including scripts & tools: 7,000+ attacker files
   • How did they pull it off?
     • Fast-paced intrusion
     • Very stealthy
     • Rapidly changing tactics
     • Employed advanced attack techniques

4. Challenge 1: Fast-Paced Attacker
   • Attacker infected 10 systems per day with primary backdoor family
     • Especially when provoked (maintained baseline foothold)
   • Accessed hundreds of systems for recon and credential theft
   • Removed tools and forensic artifacts to hide activity
   • Deployed additional backdoor families
   • Continued to steal data every week

5. Our Response: Triaged Where Possible [FAST-PACED ATTACKER]
   • Moved from typical Live Response analysis to abbreviated triage
     • Brief analysis leveraging known attacker TTPs
   • Developed indicators to assist triage
     • Partially automated the analysis process
     • Some activity not unique enough to sig
   • Focused on:
     • Lateral movement
     • Walking back up the chain
     • Pivoting, recon, new tools or backdoors
     • Signs of data theft
     • Deviation from typical attacker activity

6. Our Response: Streamlined Documentation [FAST-PACED ATTACKER]
   • Typical LR reports and timelines took too much time
   • Still needed to document findings
   • Compressed notes from systems into brief, standardized text blocks
     • Malware and attacker tools on the system
     • Persistence mechanisms
     • Periods of attacker activity and significant timestamps
     • Source of activity
   • Documented significant findings
     • New TTPs
     • Data theft

7. Lesson Learned: Be Fast and Flexible [FAST-PACED ATTACKER]
   • Be willing to change normal practices and disregard official methodologies when they’re not working
   • Make the most of outside help: accept the limitations of your circumstances and do what you can to maximize your chances of success

8. Challenge 2: Stealthy Attacker
   • Attacker using counter-forensic techniques to hide endpoint and network activity
     • Endpoint: secure deletion, impressive OPSEC (pack up and move), 90% doctrine
     • Network: compromised third-party websites & social media C2, altered communication scheme + strong crypto, embraced SSL
   • The odds were stacked against us
     • Unable to use Mandiant network sensors and signatures
     • Existing devices inconsistently deployed and coverage spotty
     • “Rolling remediation” actions showed our hand, so the attacker knew which evasion tactics were working

9. BONUS SLIDE: Even More OPSEC
   • Attacker considered every detail
     • Mass activity to obscure the real target
       • More evident in recent campaigns
       • Widespread phishing with a prioritized target list
       • They might even want the first system to be caught
     • Data theft using only legitimate US-based services, complicating any law enforcement response
       • Gmail, Google Drive using APIs
       • OneDrive
   • Monitored Us
     • Targeted the IR operations throughout the compromise
     • Were we onto them and how much time did they have left?
   (image caption: he looks cozy)

10. Our Response: Found Clues in the Ruble [STEALTHY ATTACKER]
   • Maximized the utility of trace forensic artifacts
   • Some attacker behavior recovered from sdelete
     • File path regex for artifacts
       • Everything from AAA.AAA to ZZZ.ZZZ
     • Entry Modified timestamp typically indicated when sdelete occurred
     • EULA Accept registry key for each Sysinternals tool
       • Searched for new sdelete usage
   • Prefetch entries for some operations (e.g., RAR) included deleted items in Accessed Files
   FUN FACT: Now it’s built-in!
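The two sdelete artifacts from slide 10 (the AAA.AAA-style rename leftovers with their Entry Modified time, and the per-tool Sysinternals EulaAccepted registry value) as one triage script. This is an added example, not the talk's or Mandiant's code; the file records and registry export are constructed, and the file-name pattern is taken literally from the slide (three letters, dot, three letters), so widen it if your own data shows longer rename names.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# The talk states sdelete left renamed entries "from AAA.AAA to ZZZ.ZZZ": one capital
# letter repeated on both sides of the dot. Assumption: widen the lengths if your own
# data shows longer rename names, since sdelete keeps the original name's length.
SDELETE_NAME_RE = re.compile(r"^([A-Z])\1{2}\.\1{3}$")


@dataclass
class FileRecord:
    path: str                 # full path of the (live or deleted) file entry
    entry_modified: datetime  # MFT "Entry Modified" timestamp of that entry


def find_sdelete_renames(records):
    """Return {directory: [entry_modified, ...]} for sdelete rename leftovers.
    Per the talk, Entry Modified on these entries approximates when sdelete ran."""
    hits = {}
    for rec in records:
        directory, _, name = rec.path.rpartition("\\")
        if SDELETE_NAME_RE.match(name):
            hits.setdefault(directory, []).append(rec.entry_modified)
    return hits


def find_eula_accepts(values):
    """values: {registry value path: data}, flattened from an exported user hive.
    Sysinternals tools write Software\\Sysinternals\\<Tool>\\EulaAccepted=1 on first
    run, so the key still names the tool after the binary has been removed."""
    tools = []
    for path, data in values.items():
        parts = path.split("\\")
        if (len(parts) >= 3 and parts[-1].lower() == "eulaaccepted"
                and parts[-3].lower() == "sysinternals" and data == 1):
            tools.append(parts[-2])
    return sorted(tools)


def sdelete_triage(records, values):
    """Both artifacts together: which Sysinternals tools ran, and where/when wiping happened."""
    return {"tools": find_eula_accepts(values), "wipes": find_sdelete_renames(records)}


# Constructed sample data (hypothetical paths and times, not from the investigation)
SAMPLE_RECORDS = [
    FileRecord(r"C:\Users\alice\AppData\Local\Temp\QQQ.QQQ", datetime(2015, 10, 14, 3, 12, 9)),
    FileRecord(r"C:\Users\alice\AppData\Local\Temp\ZZZ.ZZZ", datetime(2015, 10, 14, 3, 12, 9)),
    FileRecord(r"C:\Users\alice\Documents\report.docx", datetime(2015, 9, 1, 9, 0, 0)),
    FileRecord(r"C:\Windows\Temp\ABC.ABC", datetime(2015, 10, 14, 3, 13, 0)),  # mixed letters: not sdelete
]
SAMPLE_REGISTRY = {
    r"HKCU\Software\Sysinternals\SDelete\EulaAccepted": 1,
    r"HKCU\Software\Sysinternals\PsExec\EulaAccepted": 1,
    r"HKCU\Software\Sysinternals\Strings\EulaAccepted": 0,  # never accepted: tool was not run
}

if __name__ == "__main__":
    for tool in sdelete_triage(SAMPLE_RECORDS, SAMPLE_REGISTRY)["tools"]:
        print("Sysinternals tool run:", tool)
    for directory, times in find_sdelete_renames(SAMPLE_RECORDS).items():
        print(f"sdelete leftovers in {directory}: {min(times)} .. {max(times)}")
```

Run over a full MFT or file-listing export plus each user's NTUSER.DAT values, the rename hits give you the directories the attacker cleaned and a time window for it, while the EulaAccepted list tells you which other Sysinternals tools ran from that profile even though the binaries are gone.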
11. Our Response: Made the Best of What We Had [STEALTHY ATTACKER]
   • Learned and leveraged client’s network tools
     • Embraced the varying technology across business units
     • Took time and patience to filter out the network noise
   • Searched for every new system by timeframe
   • Searched activity between sets of infected hosts
   • Automated where possible
   • Developed dashboards

12. Our Response: Made the Best of What We Had [STEALTHY ATTACKER]
   • Found the helpful but forgotten alerts
     • SMB transfer of UPX-packed files
     • Extracted fields we wanted
   • Signature combinations solved mysteries
     • Schtasks.exe usage by UUID
     • SMB writes to System32
   • Network time preserved when other timestamps could not be trusted

   Search shown on the slide:
   signature=MSRPC_SuspiciousEncryption event_info="UUID=86d35949-83c9-4044-b424-db363231fd0c*" src_ip="10.*" dest_ip="10.*" ( dest_port=49154 OR dest_port=49155 )

   FUN FACT: This was our initial discovery of HAMMERTOSS
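The slide 12 search expressed as code, so it can be run against a plain alert export when no search platform is available. This is an added example rather than the team's own query or tooling; the signature name, UUID and port values are the ones on the slide (the UUID is the Task Scheduler RPC interface that schtasks.exe uses), while the alert lines, the `opnum` field and the `walk_back` helper are constructed to illustrate the "walking back up the chain" step from slide 5.

```python
import re

# The filter from the slide: signature, Task Scheduler RPC interface UUID, internal
# (10.x) source and destination, and the two dynamic RPC ports. The UUID is the one
# the slide shows; it is the ITaskSchedulerService interface that schtasks.exe talks to.
SIGNATURE = "MSRPC_SuspiciousEncryption"
SCHTASKS_UUID = "86d35949-83c9-4044-b424-db363231fd0c"
INTERNAL_PREFIX = "10."
DYNAMIC_RPC_PORTS = {49154, 49155}

# key=value and key="quoted value" pairs, as in the slide's search syntax
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line):
    """Split one alert line into a dict of its key=value fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def is_schtasks_rpc(evt):
    """Apply the slide's five conditions to one parsed event."""
    try:
        port = int(evt.get("dest_port", ""))
    except ValueError:
        return False
    return (evt.get("signature") == SIGNATURE
            and evt.get("event_info", "").startswith("UUID=" + SCHTASKS_UUID)
            and evt.get("src_ip", "").startswith(INTERNAL_PREFIX)
            and evt.get("dest_ip", "").startswith(INTERNAL_PREFIX)
            and port in DYNAMIC_RPC_PORTS)


def find_schtasks_pivots(lines):
    """Return (src, dest) pairs, in order, for internal-to-internal Task Scheduler RPC
    flagged with the suspicious-encryption signature: candidate lateral-movement hops."""
    return [(e["src_ip"], e["dest_ip"]) for e in map(parse_kv, lines) if is_schtasks_rpc(e)]


def walk_back(pivots, final_host):
    """Follow the hops backwards from a known-bad host ("walking back up the chain")."""
    chain = [final_host]
    by_dest = {dst: src for src, dst in pivots}
    while chain[-1] in by_dest and by_dest[chain[-1]] not in chain:
        chain.append(by_dest[chain[-1]])
    return chain[::-1]


# Constructed alert lines in the slide's key=value style (IPs are RFC 1918 / documentation ranges)
SAMPLE_ALERTS = [
    'signature=MSRPC_SuspiciousEncryption event_info="UUID=86d35949-83c9-4044-b424-db363231fd0c opnum=1" src_ip=10.1.2.3 dest_ip=10.1.2.40 dest_port=49154',
    'signature=MSRPC_SuspiciousEncryption event_info="UUID=86d35949-83c9-4044-b424-db363231fd0c opnum=1" src_ip=10.1.2.3 dest_ip=10.1.2.41 dest_port=135',
    'signature=MSRPC_SuspiciousEncryption event_info="UUID=86d35949-83c9-4044-b424-db363231fd0c opnum=1" src_ip=203.0.113.5 dest_ip=10.1.2.42 dest_port=49154',
    'signature=MSRPC_OtherInterface event_info="UUID=12345678-0000-0000-0000-000000000000 opnum=2" src_ip=10.1.2.3 dest_ip=10.1.2.43 dest_port=49155',
    'signature=MSRPC_SuspiciousEncryption event_info="UUID=86d35949-83c9-4044-b424-db363231fd0c opnum=1" src_ip=10.1.2.40 dest_ip=10.1.2.77 dest_port=49155',
]

if __name__ == "__main__":
    pivots = find_schtasks_pivots(SAMPLE_ALERTS)
    print(pivots)
    print("chain into 10.1.2.77:", " -> ".join(walk_back(pivots, "10.1.2.77")))
```

The port restriction is what keeps this usable: Task Scheduler RPC to the endpoint mapper on 135 is normal, and the slide's two dynamic ports were the ones that carried the encrypted scheduler calls in that environment, so adjust them to what your own sensor shows before trusting the results.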
13. Our Response: Made New Shiny Things [STEALTHY ATTACKER]
   • Deployed additional budget-friendly open source tech
   • Found ways to apply our methodology
     • Connected to our incident tracker
     • Sparklines for time + volume of activity
     • Prioritized host analysis based on traffic
   • Smashed and grabbed before the wipe!
   [chart: per-host sparklines, host_1 through host_10]

14. Lesson Learned: Improve Visibility and Don’t Stop Looking [STEALTHY ATTACKER]
   • Map attacker activity to potential data sources and use everything available to minimize blind spots
   • Give your team access to existing tools outside of their normal process
   • Consider deploying additional technology
   • Network time provides reliable chronology despite host-based timestomping
   • Combat IR fatigue by automating high-confidence (and boring stuff)
   • Once an attacker is found, fight to maintain line-of-sight

15. Challenge 3: Rapidly-Evolving Tactics
   • New and updated backdoors
     • 7 distinct backdoor families
     • SEADADDY went through 3 version updates
   • Seven unique persistence mechanisms
     • Registry run key, .LNK files, services, WMI, named scheduled tasks, hijacking scheduled tasks, over-writing legitimate files
     • Cycled persistence techniques regularly
   • Minimal re-use of metadata commonly tracked and shared as indicators
     • Malware MD5, file name, file size, and C2 unique to each system
     • Attacker didn’t need to re-use compromised accounts
   FUN FACT: On current case, APT29 used unique UAC bypass & persistence that was first posted online days before

16. Our Response: Maintained Eye Contact [RAPIDLY-EVOLVING TACTICS]
   • Fought to keep network visibility on all malware families
   • Backdoor version 1: could see it, sig it, and decode it
       PHPSESSID = base64( zlib( aes( BACKDOOR C2 ) ) )
   • Backdoor version 2: lost ability to decode it
       Cookie{2,7} = customb64( zlib( rc4( aes( BACKDOOR C2 ) ) ) )
   • Backdoor version 3: lost ability to sig it
       random_split( Cookie{2,7} = customb64( zlib( rc4( aes( BACKDOOR C2 ) ) ) ) )
   • Wrapped in SSL: lost ability to see it … at first
   FUN FACT: This was SEADADDY

   Finding attacker SSL usage using Bro’s ssl.log:

   certificate email      SSL cipher                               start              stop
   root@domain1.com       TLS_DHE_RSA_WITH_AES_256_CBC_SHA         10/14/15 14:13:00  10/15/15 00:14:37
   support@vendor.com     TLS_RSA_WITH_3DES_EDE_CBC_SHA            10/14/15 16:13:29  10/14/15 16:13:29
   root@domain2.com       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384      10/13/15 13:30:17  10/14/15 03:14:04
   admin@example.com      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA       10/11/15 13:02:21  10/12/15 10:58:59
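How the slide 16 table can be produced from Bro's ssl.log once the C2 moved under SSL: group connections by the e-mail address in the server certificate subject and record cipher, first-seen and last-seen. This is an added example, not the talk's script; the log excerpt is constructed (only a subset of Bro's ssl.log columns, timestamps chosen to reproduce the first two table rows), and the six-hour `long_lived` threshold is my assumption rather than a rule from the talk.

```python
import re
from datetime import datetime, timezone

# Constructed ssl.log excerpt in Bro/Zeek's tab-separated format, trimmed to the columns
# this needs (ts, id.orig_h, id.resp_h, cipher, subject). The rows are hypothetical and
# only echo the shape of the slide's table.
SAMPLE_SSL_LOG = (
    "#fields\tts\tid.orig_h\tid.resp_h\tcipher\tsubject\n"
    "1444831980.0\t10.1.2.3\t198.51.100.7\tTLS_DHE_RSA_WITH_AES_256_CBC_SHA\temailAddress=root@domain1.com,CN=domain1.com\n"
    "1444868077.0\t10.1.2.3\t198.51.100.7\tTLS_DHE_RSA_WITH_AES_256_CBC_SHA\temailAddress=root@domain1.com,CN=domain1.com\n"
    "1444839209.0\t10.1.2.9\t198.51.100.20\tTLS_RSA_WITH_3DES_EDE_CBC_SHA\temailAddress=support@vendor.com,CN=vendor.com\n"
    "1444820000.0\t10.1.2.9\t203.0.113.10\tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\tCN=www.example.org\n"
)

EMAIL_RE = re.compile(r"emailAddress=([^,]+)")


def parse_ssl_log(text):
    """Parse Bro's ssl.log: the #fields header names the columns, other '#' lines are metadata."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def summarize_by_cert_email(rows):
    """Rebuild the slide's table: per certificate email, ciphers seen, first and last ts.
    Certificates without an emailAddress in the subject are skipped."""
    out = {}
    for r in rows:
        m = EMAIL_RE.search(r.get("subject", ""))
        if not m:
            continue
        ts = float(r["ts"])
        s = out.setdefault(m.group(1), {"ciphers": set(), "start": ts, "stop": ts, "sessions": 0})
        s["ciphers"].add(r["cipher"])
        s["start"], s["stop"] = min(s["start"], ts), max(s["stop"], ts)
        s["sessions"] += 1
    return out


def fmt(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%m/%d/%y %H:%M:%S")


def long_lived(summary, min_hours=6.0):
    """Certificate emails whose first-to-last span exceeds min_hours. Assumption: a
    threshold, not a rule from the talk; the slide's attacker rows span about 10 to 22 hours."""
    return sorted(e for e, s in summary.items() if s["stop"] - s["start"] >= min_hours * 3600)


if __name__ == "__main__":
    summary = summarize_by_cert_email(parse_ssl_log(SAMPLE_SSL_LOG))
    print(f"{'certificate email':<22}{'SSL cipher':<40}{'start':<19}stop")
    for email, s in sorted(summary.items(), key=lambda kv: kv[1]["start"]):
        print(f"{email:<22}{'/'.join(sorted(s['ciphers'])):<40}{fmt(s['start']):<19}{fmt(s['stop'])}")
```

The value of pivoting on the certificate e-mail is that it is something the attacker set once when generating the certificate and is unlikely to change per victim the way the MD5 and C2 host did; the same summary keyed on `id.resp_h` alone would fragment across hosting changes.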
17. Our Response: Prioritized the Unknown [RAPIDLY-EVOLVING TACTICS]
   • Spent time analyzing systems with unknown activity
     • The most interesting systems were the ones accessed but we didn’t know what they did
   • Limited analysis on systems with known and consistent attacker tactics
   • While not useful as standalone indicators, tracked breach data to prioritize discovered systems
     • Identified common forensic artifacts between systems with shared C2

18. Our Response: Continually Improved Indicators [RAPIDLY-EVOLVING TACTICS]
   • Created indicators for every stage of attack lifecycle
     • All seven persistence mechanisms, recon, lateral movement, and data theft
     • Methodology IOCs helped identify systems without known malware
   • Reverse engineered every backdoor revision & updated indicators
     • Maintained a list of high-confidence indicators to focus new IOC development
   • Developed flexible & resilient indicators
     • Provided high-fidelity matches across versions, regardless of morphing
     • Used imports and exports, size ranges, section names, compile times, and other consistent attributes

19. Our Response: Continually Improved Indicators [RAPIDLY-EVOLVING TACTICS]
   • Automated analysis of backdoor for comparison and configuration extraction; enterprise-wide search of process memory
   • Indicators based on packaging and delivery
     • Import hashes, size, section names, artifacts of wrapper execution everywhere possible
     • Adapted file system IOC+regex to process handles, prefetch, and event logs
     • Identified malware staged for SMB transfer
   [diagram: obfuscated-backdoor.py → PyInstaller / Py2Exe → UPX-packed → ...transferred laterally]
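What slides 18 and 19 mean by a resilient, attribute-based indicator, shown against the hash-based kind it replaces. This is an added example and not one of the investigation's IOCs: the PE parser is a minimal header walk written for the example (size, compile timestamp, section names; no import hashing), the indicator values are hypothetical, and the three PE files are constructed skeletons that parse but do not run. Two "morphed" builds with different sizes and compile dates and therefore different MD5s still match on packaging traits; an unrelated binary does not.

```python
import hashlib
import struct
from datetime import datetime, timezone


def parse_pe(data):
    """Minimal PE header walk: size, compile timestamp, section names, MD5.
    Enough for attribute indicators; import hashing is left out for brevity."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size               # section table follows the optional header
    names = [data[table + 40 * i: table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
             for i in range(nsec)]
    return {"size": len(data), "machine": machine,
            "compile_time": datetime.fromtimestamp(timestamp, timezone.utc),
            "sections": names, "md5": hashlib.md5(data).hexdigest()}


# Hypothetical indicator, not one of the investigation's: a size window, a compile-time
# window and the exact section layout of the packer stub. None of these change when the
# attacker re-packs the payload, unlike the MD5.
INDICATOR = {
    "size_range": (40_000, 70_000),
    "compile_after": datetime(2015, 9, 1, tzinfo=timezone.utc),
    "compile_before": datetime(2016, 1, 1, tzinfo=timezone.utc),
    "sections": ["UPX0", "UPX1", ".rsrc"],
}


def matches(pe, ind=INDICATOR):
    lo, hi = ind["size_range"]
    return (lo <= pe["size"] <= hi
            and ind["compile_after"] <= pe["compile_time"] < ind["compile_before"]
            and pe["sections"] == ind["sections"])


def build_sample_pe(sections, compile_ts, total_size):
    """Constructed, non-executable PE skeleton for testing: DOS header pointing at the
    PE signature, a COFF header, a zeroed PE32 optional header, the section table, padding."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)      # e_lfanew: PE header right after DOS header
    opt_size = 224                             # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), compile_ts, 0, 0, opt_size, 0x102)
    table = b"".join(name.encode("ascii").ljust(8, b"\0") + bytes(32) for name in sections)
    body = bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + table
    return body + bytes(total_size - len(body))


# Two "morphed" builds of the same packed family plus an unrelated binary (all constructed)
SAMPLE_A = build_sample_pe(["UPX0", "UPX1", ".rsrc"], 1443657600, 48_000)   # 2015-10-01
SAMPLE_B = build_sample_pe(["UPX0", "UPX1", ".rsrc"], 1444089600, 52_000)   # 2015-10-06, new size
SAMPLE_C = build_sample_pe([".text", ".rdata", ".data", ".rsrc"], 1443657600, 48_000)

if __name__ == "__main__":
    for label, blob in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        pe = parse_pe(blob)
        print(label, pe["md5"], pe["sections"], pe["compile_time"].date(),
              "match" if matches(pe) else "no match")
```

An indicator like this is only as good as the attributes the attacker cannot cheaply vary, which is why slide 20 says to track what the attacker can change: a compile-time window is worthless once the stub's timestamp is zeroed, but the section layout survives until they switch packers.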
20. Lesson Learned: Find It, Refine It, Re-Find It [RAPIDLY-EVOLVING TACTICS]
   • Enhance and test your best indicators even when they’re working
   • Track what the attacker can change before you lose visibility of their activity
   • Don’t let technical data fall through the cracks, even when visibility is good and the details have marginal value as indicators

21. Challenge 4: Advanced Attack Techniques
   • Windows Management Instrumentation (WMI)
     • Attacker used WMI to persist backdoors
     • Embedded backdoor files and PowerShell scripts in WMI repo
     • Used WMI to steal credentials from remote systems
     • Configured WMI to extract and execute backdoors months in the future, to evade remediation
   • Attacker leveraged PowerShell
     • Stealthy backdoors
     • PowerShell scripts like Invoke-Mimikatz evaded A/V detection
     • Excellent WMI integration
   • Kerberos
     • Attacker used Kerberos ticket attacks, which made tracking lateral movement difficult

22. Our Response: Tackled Attacker WMI Usage [ADVANCED ATTACK TECHNIQUES]
   • Searched for WMI persistence
     • Manually parsed from objects.data strings on endpoints
     • Ran script across the environment to identify persistence
     • Colleagues developed custom MIR audit to allow for sweeping
   • Identified evidence of attacker code in WMI repo
     • Attacker embedded PowerShell code in WMI class properties to execute on remote system
     • Identified class and property names and code in objects.data strings
   • Searched contents of CIM repo at scale
     • Parsed out embedded scripts and malware
     • The repo was a poorly documented, complex structure, so parsing was difficult and manual
     • Willi Ballenthin, Matt Graeber and Claudiu Teodorescu made repo parsers (after the investigation was completed)
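The "strings on objects.data" triage from slide 22, as an added example (not the team's script, nor the repository parsers the slide credits to Ballenthin, Graeber and Teodorescu, which understand the actual structure). It pulls ASCII and UTF-16LE strings from a blob, notes which event-subscription class names appear, and keeps any string that looks like embedded PowerShell. The blob is a constructed stand-in for a slice of the CIM repository, and the PowerShell hint list is my starting point, not a list from the talk.

```python
import re

# Classes that make up a permanent WMI event subscription. The class definitions are
# present in every repository, so the signal is instance data near them: a consumer
# whose command line or script text is embedded in a property.
SUBSCRIPTION_CLASSES = ("__EventFilter", "__FilterToConsumerBinding",
                        "CommandLineEventConsumer", "ActiveScriptEventConsumer")
# Traits of embedded PowerShell (assumption: starting list, tune against your baseline)
POWERSHELL_HINTS = ("powershell", "-encodedcommand", "frombase64string", "invoke-expression")

ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def extract_strings(blob):
    """strings(1) for both ASCII and UTF-16LE; objects.data holds both encodings."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(blob)]
    found += [m.group().decode("utf-16le") for m in UTF16_RE.finditer(blob)]
    return found


def triage_repo_strings(blob):
    """Flag subscription class names and any string that looks like embedded PowerShell."""
    classes, scripts = set(), []
    for s in extract_strings(blob):
        classes.update(c for c in SUBSCRIPTION_CLASSES if c in s)
        if any(h in s.lower() for h in POWERSHELL_HINTS):
            scripts.append(s)
    return {"classes": sorted(classes), "scripts": scripts, "suspicious": bool(scripts)}


# Constructed stand-in for a slice of objects.data: binary filler, a UTF-16LE class name,
# an ASCII consumer class name and a command-line property with a placeholder payload
SAMPLE_BLOB = (
    b"\x00\x01\x02\x03\xff\xfe"
    + "__FilterToConsumerBinding".encode("utf-16le")
    + b"\x00\x00\x7f"
    + b"CommandLineEventConsumer\x00"
    + b"powershell.exe -NoProfile -EncodedCommand BASE64_PLACEHOLDER\x00\x00"
    + "BenignInventoryFilter".encode("utf-16le")
    + b"\x00\x00"
)

if __name__ == "__main__":
    result = triage_repo_strings(SAMPLE_BLOB)
    print("classes:", result["classes"])
    for s in result["scripts"]:
        print("embedded script:", s)
```

Used at scale this is a first pass to decide which hosts deserve a real repository parse: class names alone are baseline noise on every Windows system, whereas a consumer property carrying script text is worth pulling the full `objects.data` for.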
23. Our Response: Tackled Attacker WMI Usage [ADVANCED ATTACK TECHNIQUES]
   (image slide; no further text)

24. Our Response: Increased PowerShell Visibility [ADVANCED ATTACK TECHNIQUES]
   • Upgraded the environment to PowerShell 3.0 and enabled logging
     • Logging captured input/output, variable initialization, etc.
     • Captured entire functions of PS scripts, attacker commands, script output, etc.
   • Wrote indicators based on observed attacker activity
     • Identified lateral movement, unique backdoors, credential theft, data theft, recon, persistence creation, etc.
   • Turned attacker PowerShell usage from a threat to a benefit
     • Logging and IOCs made finding and analyzing attacker activity much easier
   FUN FACT: There’s now a blog post and my script block logging parser on GitHub

25. Our Response: Increased PowerShell Visibility [ADVANCED ATTACK TECHNIQUES]
   (image slide; no further text)
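The core of a script block logging parser like the one slide 24 mentions, as an added example (it is not the author's GitHub parser). PowerShell 5 script block logging writes Event ID 4104 and splits long blocks into MessageNumber-of-MessageTotal fragments under one ScriptBlockId, so indicator matching has to run over the reassembled text: a fragment-level search misses a name split across the boundary, and a block with a missing fragment must be reported as incomplete rather than silently searched. The events are constructed and reduced to the fields the logic needs; the only indicator is the tool name the talk itself cites.

```python
import re
from collections import defaultdict

# Constructed Event ID 4104 records (Microsoft-Windows-PowerShell/Operational), reduced to
# the EventData fields the reassembly needs. Long script blocks are logged as
# MessageNumber-of-MessageTotal fragments sharing one ScriptBlockId.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockId": "a1", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "katz\n"},
    {"EventID": 4104, "ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-Service | Where-Object Status -eq Running\n"},
    {"EventID": 4104, "ScriptBlockId": "a1", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "Import-Module .\\tools.ps1\nInvoke-Mimi"},
    {"EventID": 4104, "ScriptBlockId": "c3", "MessageNumber": 1, "MessageTotal": 3,
     "ScriptBlockText": "$data = Get-ChildItem C:\\Users\\alice\\Documents\n"},
    {"EventID": 4104, "ScriptBlockId": "c3", "MessageNumber": 3, "MessageTotal": 3,
     "ScriptBlockText": "Remove-Item $staging -Recurse\n"},   # fragment 2 of 3 never arrived
    {"EventID": 4103, "ScriptBlockId": "", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": ""},   # module logging event, ignored here
]

# Indicators written against reassembled text; the tool name comes from the talk
IOC_PATTERNS = {"credential_theft_tool": re.compile(r"Invoke-Mimikatz", re.IGNORECASE)}


def reassemble(events):
    """Stitch 4104 fragments back into whole script blocks, keyed by ScriptBlockId."""
    parts, totals = defaultdict(dict), {}
    for e in events:
        if e["EventID"] != 4104:
            continue
        parts[e["ScriptBlockId"]][e["MessageNumber"]] = e["ScriptBlockText"]
        totals[e["ScriptBlockId"]] = e["MessageTotal"]
    scripts = {}
    for sbid, chunks in parts.items():
        missing = [n for n in range(1, totals[sbid] + 1) if n not in chunks]
        scripts[sbid] = {"text": "".join(chunks[n] for n in sorted(chunks)),
                         "complete": not missing, "missing": missing}
    return scripts


def scan_scripts(scripts):
    """IOC search over whole blocks: {ScriptBlockId: [indicator names]}."""
    hits = {}
    for sbid, s in scripts.items():
        names = [n for n, p in IOC_PATTERNS.items() if p.search(s["text"])]
        if names:
            hits[sbid] = names
    return hits


def scan_fragments(events):
    """The naive per-event search, for comparison: misses names split across fragments."""
    return sorted({e["ScriptBlockId"] for e in events
                   if any(p.search(e["ScriptBlockText"]) for p in IOC_PATTERNS.values())})


if __name__ == "__main__":
    scripts = reassemble(SAMPLE_EVENTS)
    for sbid, s in scripts.items():
        print(sbid, "complete" if s["complete"] else f"missing fragments {s['missing']}")
    print("per-fragment hits:", scan_fragments(SAMPLE_EVENTS))
    print("reassembled hits :", scan_scripts(scripts))
```

Incomplete blocks matter operationally: log rollover on a busy host drops middle fragments first, so a parser that only reports matches will quietly lose exactly the long scripts an attacker runs.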
26. Our Response: Addressed Ticket Attacks [ADVANCED ATTACK TECHNIQUES]
   • Worked around Kerberos attacks
     • Swept for Invoke-Mimikatz PTT usage in PS logs to identify pivot systems
     • Swept for other indicators of lateral movement to identify destination systems
     • Looked for remote Kerberos logons around the time of attacker activity
   • Developed indicators
     • Based on research by Sean Metcalf at adsecurity.org
     • Developed late in the investigation
     • Extremely high-fidelity

27. Our Response: Addressed Ticket Attacks [ADVANCED ATTACK TECHNIQUES]
   [figure: event log excerpts labelled Event ID 4624, Event ID 4672, Event ID 4634]
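The "remote Kerberos logons around the time of attacker activity" sweep from slide 26, tied to the three event IDs on slide 27. This is an added example, not the team's indicator: it takes Security log events reduced to a few fields (the real 4624 carries these as LogonType, AuthenticationPackageName, TargetLogonId and so on), keeps network (type 3) Kerberos logons inside an activity window, and joins each to its 4672 (special privileges assigned) and 4634 (logoff) by LogonId, so a privileged remote logon with a short session on a pivot host stands out. The events and the activity window are constructed.

```python
from datetime import datetime, timedelta

# Constructed Security log events (field subset). 4624 = logon, 4672 = special privileges
# assigned to a new logon, 4634 = logoff; LogonId links the three for one session.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Time": datetime(2015, 10, 14, 9, 0, 0), "LogonType": 3, "AuthPackage": "NTLM",
     "TargetUserName": "backupsvc", "IpAddress": "10.1.9.9", "LogonId": "0x3a000"},   # NTLM, outside window
    {"EventID": 4624, "Time": datetime(2015, 10, 14, 14, 20, 5), "LogonType": 3, "AuthPackage": "Kerberos",
     "TargetUserName": "backupsvc", "IpAddress": "10.1.2.3", "LogonId": "0x3e7a1"},
    {"EventID": 4672, "Time": datetime(2015, 10, 14, 14, 20, 5), "LogonId": "0x3e7a1"},
    {"EventID": 4624, "Time": datetime(2015, 10, 14, 14, 22, 0), "LogonType": 2, "AuthPackage": "Kerberos",
     "TargetUserName": "alice", "IpAddress": "127.0.0.1", "LogonId": "0x3e800"},      # console, not remote
    {"EventID": 4624, "Time": datetime(2015, 10, 14, 14, 25, 0), "LogonType": 3, "AuthPackage": "Kerberos",
     "TargetUserName": "bob", "IpAddress": "10.1.5.7", "LogonId": "0x3e9c2"},
    {"EventID": 4634, "Time": datetime(2015, 10, 14, 14, 26, 10), "LogonId": "0x3e9c2"},
    {"EventID": 4634, "Time": datetime(2015, 10, 14, 14, 31, 40), "LogonId": "0x3e7a1"},
]

# Window of attacker activity established from other evidence (constructed)
ACTIVITY_START = datetime(2015, 10, 14, 14, 18, 0)
ACTIVITY_END = datetime(2015, 10, 14, 14, 30, 0)


def remote_kerberos_sessions(events, start, end, slack=timedelta(minutes=15)):
    """Network (type 3) Kerberos logons within [start-slack, end+slack], joined via LogonId
    to 4672 (privileged) and 4634 (logoff). Privileged sessions are listed first."""
    privileged = {e["LogonId"] for e in events if e["EventID"] == 4672}
    logoffs = {e["LogonId"]: e["Time"] for e in events if e["EventID"] == 4634}
    lo, hi = start - slack, end + slack
    sessions = []
    for e in events:
        if e["EventID"] != 4624 or e["LogonType"] != 3 or e["AuthPackage"] != "Kerberos":
            continue
        if not lo <= e["Time"] <= hi:
            continue
        off = logoffs.get(e["LogonId"])
        sessions.append({
            "user": e["TargetUserName"], "source": e["IpAddress"], "logon": e["Time"],
            "privileged": e["LogonId"] in privileged,
            "duration_s": (off - e["Time"]).total_seconds() if off else None,
        })
    sessions.sort(key=lambda s: (not s["privileged"], s["logon"]))
    return sessions


def find_sample_sessions():
    return remote_kerberos_sessions(SAMPLE_EVENTS, ACTIVITY_START, ACTIVITY_END)


if __name__ == "__main__":
    for s in find_sample_sessions():
        flag = "PRIVILEGED" if s["privileged"] else "standard"
        print(f"{s['logon']:%H:%M:%S} {s['user']:<10} from {s['source']:<10} {flag:<10} {s['duration_s']}s")
```

The window is the important input: a forged or passed ticket produces a 4624 that looks like any other Kerberos network logon, which is why the slide pairs this sweep with the PowerShell-log evidence of the pivot system and with other lateral-movement indicators rather than treating the logon event on its own as an indicator.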
28. BONUS SLIDE: Even More WMI + PS
   (image slide; no further text)

29. BONUS SLIDE: Even More WMI + PS
   FUN FACT: We saw the attacker test this backdoor before deployment

30. Lesson Learned: Turn Weakness Into Strength [RAPIDLY-EVOLVING TACTICS]
   • Use attackers’ strengths against them
     • Unique attacks make for high-fidelity indicators
   • Identify the activity
   • Develop indicators
   • Increase visibility at scale
   • Automate detection
   • Create an alerting system, if possible

31. BONUS SLIDE: TOR backdoor (just because it’s cool)
   • Backdoor used TOR hidden services to provide secure, discreet remote access
     • Used Meek plugin to hide traffic
   • Forwarded TOR traffic to ports:
     • 3389 – Remote Desktop
     • 139 – NetBIOS
     • 445 – SMB
   • Modified registry to enable RDP
   • “Sticky-keys” to provide unauthenticated, privileged console access
   FUN FACT: This was first deployed 3 hours before remediation

32. BONUS SLIDE: TOR backdoor (just because it’s cool)
   (image slide; no further text)

33. BONUS SLIDE: TOR backdoor (just because it’s cool)
   [diagram: Client Endpoint, APT29 (actual image), TOR network, Meekreflector.appspot.com, Mail.google.com, Google Cloud; link labels SSL, HTTP, TOR, TOR]

34. If You’ve Learned Nothing Else Today… (SUPER IMPRESSIVE CONCLUSION SLIDE)
   • You must match or exceed the attacker’s pace
   • You must match or exceed the attacker’s visibility
   • You must match or exceed the attacker’s development
   • You must match or exceed the attacker’s advanced techniques
   • You must match or exceed the attacker’s intensity.

35. “True happiness incident response is a life of continual self-improvement. The greater the struggle, the more enriching the experience is for your life.”

36. THANK YOU
   QUESTIONS?
   DERBYCON 2016 #NOEASYBREACH
   Matt Dunwoody @matthewdunwoody
   Nick Carr @itsreallynick