Braden Preston, Product Manager
Worst Case Scenario: Being detected without knowing you are detected
Agenda
Confidential and Proprietary
• What is Stealth?
• Why Stealth?
• The Hunting Ground: Pre- & Post-Compromise
• Hunt Cycle
Stealth
/stelTH/
noun
1. cautious and surreptitious action or movement.
Advanced adversaries are discovering and evading traditional defenses.
The key is to avoid detection by the sentient adversary.
How do you avoid detection by the adversary?
• No obvious and repeatable signatures
• Hide your presence from the adversary
• Covert operations and communications, to avoid tipping your hand
• Low-level access to the system
Stealth: Does It Matter?
For years attackers have looked for the defender:
• Anti-debugging techniques
• Virtual machine detection
• Anti-virus detection
• Checking running processes on compromised systems
New classes of malware specifically look for endpoint vendors:
• A common red team tactic is to easily detect host-based detection and disable it
• Many host agents are not hardened against a simple ‘net stop’ command
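The ‘net stop’ point above is something a defender can check for their own agent rather than take on faith. The PowerShell audit below is an added example, not code from the slides or from Endgame: it reads a service's security descriptor with `sc.exe sdshow`, flags ACCESS_ALLOWED entries that grant stop, pause or reconfigure rights to broad trustees (Everyone, Users, Authenticated Users, and similar), and reports whether the service is registered as a protected (PPL) service via the `LaunchProtected` registry value. The `$ServiceName` parameter is a placeholder for the real agent service name; the SDDL right and trustee abbreviations are the documented Windows ones.

```powershell
# Added example (not from the slides): audit whether a Windows service, such as an
# endpoint agent, could be stopped or reconfigured by non-administrators, i.e.
# whether a plain "net stop <service>" from a low-privileged session would succeed.
# $ServiceName is a placeholder; pass the agent's real service name.
param([Parameter(Mandatory = $true)][string]$ServiceName)

# Service-specific SDDL rights that let the holder stop, pause or reconfigure the
# service, plus generic rights that imply them. Masks are the SERVICE_* access bits
# used when the rights field is written as a hex number instead of letter pairs.
$RiskyRights = @{
    'WP' = @{ Name = 'SERVICE_STOP';           Mask = 0x00020 }
    'DT' = @{ Name = 'SERVICE_PAUSE_CONTINUE'; Mask = 0x00040 }
    'DC' = @{ Name = 'SERVICE_CHANGE_CONFIG';  Mask = 0x00002 }
    'WD' = @{ Name = 'WRITE_DAC';              Mask = 0x40000 }
    'WO' = @{ Name = 'WRITE_OWNER';            Mask = 0x80000 }
    'GA' = @{ Name = 'GENERIC_ALL';            Mask = 0x10000000 }
}

# Well-known trustee abbreviations that effectively mean "any local user".
# Administrators (BA) and SYSTEM (SY) are expected to hold these rights and are skipped.
$BroadTrustees = @{
    'WD' = 'Everyone'; 'BU' = 'Builtin Users'; 'AU' = 'Authenticated Users'
    'IU' = 'Interactive users'; 'SU' = 'Service logon'; 'AN' = 'Anonymous'
}

function Get-ServiceSddl([string]$Name) {
    # sc.exe prints a blank line followed by the SDDL string, e.g. D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)...
    $out  = & sc.exe sdshow $Name 2>&1
    $line = $out | Where-Object { $_ -match '^\s*D:' } | Select-Object -First 1
    if (-not $line) { throw "Could not read the security descriptor for '$Name': $out" }
    return $line.Trim()
}

function Get-RiskyRightsInAce([string]$Rights) {
    # Rights are either a hex access mask or a run of two-letter tokens.
    if ($Rights -match '^0x[0-9A-Fa-f]+$') {
        $mask = [Convert]::ToInt64($Rights.Substring(2), 16)
        return @($RiskyRights.Keys |
                 Where-Object { ($mask -band $RiskyRights[$_].Mask) -ne 0 } |
                 ForEach-Object { $RiskyRights[$_].Name })
    }
    $tokens = for ($i = 0; $i + 1 -lt $Rights.Length; $i += 2) { $Rights.Substring($i, 2) }
    return @($tokens |
             Where-Object { $RiskyRights.ContainsKey($_) } |
             ForEach-Object { $RiskyRights[$_].Name })
}

function Test-ServiceStopExposure([string]$Name) {
    $sddl = Get-ServiceSddl $Name
    # Each ACE has the form (type;flags;rights;object_guid;inherit_guid;sid).
    $findings = foreach ($m in [regex]::Matches($sddl, '\(([^)]*)\)')) {
        $f = $m.Groups[1].Value.Split(';')
        if ($f.Count -lt 6 -or $f[0] -ne 'A') { continue }       # ACCESS_ALLOWED entries only
        $sid = $f[5]
        if (-not $BroadTrustees.ContainsKey($sid)) { continue }   # raw SIDs (e.g. domain groups) are not classified here
        $risky = Get-RiskyRightsInAce $f[2]
        if ($risky.Count -gt 0) {
            [pscustomobject]@{ Trustee = $BroadTrustees[$sid]; Rights = ($risky -join ', ') }
        }
    }
    # Service-level PPL registration: LaunchProtected under the service key
    # (3 = Antimalware-Light). Absent or 0 means the service is not protected.
    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $launchProtected = (Get-ItemProperty -Path $regPath -Name LaunchProtected -ErrorAction SilentlyContinue).LaunchProtected
    [pscustomobject]@{
        Service         = $Name
        Sddl            = $sddl
        BroadStopRights = @($findings)
        LaunchProtected = $launchProtected
        # Exposed = a non-admin trustee can stop/reconfigure it and nothing (PPL) prevents that.
        Exposed         = (@($findings).Count -gt 0) -and (-not $launchProtected)
    }
}

$report = Test-ServiceStopExposure $ServiceName
$report | Format-List Service, LaunchProtected, Exposed, Sddl
$report.BroadStopRights | Format-Table -AutoSize
```

Run it from an elevated prompt so the registry read succeeds. A clean result (no broad stop rights) only means that an unprivileged account cannot issue the stop; an attacker who already holds local administrator rights can still stop an unprotected service, which is why the `LaunchProtected` check is reported alongside the DACL findings. Domain or custom SIDs in the descriptor are left unclassified by this script and should be reviewed by hand.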
Stealth: What does it accomplish?
Pre-Compromise
• Make detection cost prohibitive
– Increase the difficulty of automated detection
– Force adversaries to employ their own manual hunt process
• Find indicators to detect and prevent
– When the adversary feels undetected they conduct operations and expose indicators
Post-Compromise
• Get a foothold on an infected device
The Hunting Ground: Critical assets protected
The hunting ground reality:
• The hunting ground is compromised
• The hunting ground is a mix of mission-critical assets
• You will be hunting on pre- and post-compromised systems
Deploying Pre-Compromise
The attacker can easily identify traditional security:
• Automated checks for service names, hashes, etc.
– AV, VM and EDR are all susceptible
• Manual check of the system
– Running processes and services
– Open network connections
Deploying Pre-Compromise
The attacker changes the attack plan:
• Modify TTPs
• Disable protection
• Modify the system to change the reported data (rootkit)
Deploying Post-Compromise
The attacker can easily see a traditional security installation:
• Detect admin login
• Detect the executable on disk
• Detect execution
Follow-on attacker actions:
• Stop the installation
• Pivot to another system (or many)
• Burn and run
The Endgame Hunt Cycle
Summary
Be Stealthy:
Avoid discovery by the adversary
Questions?
Thank You!
bpreston@endgame.com
@simpleprodmgr

Editor's Notes

  • #3 We’re an up-and-coming, VC-backed, high-impact cyber company, funded by the leading investors in cyber security. Traditional defense technology has become ineffective against cyberattacks. We believe offense is essential to eliminate adversaries from enterprise critical infrastructure. We believe it is better for our customers to be the hunter than the hunted, and so, unlike any other company, Endgame hunts. We are pioneering this strategy with methods and technologies developed for the IC/DoD to support their hunt for adversaries to our national interests in hostile cyber environments. We have adapted these technologies to automate the hunt for adversaries in government and enterprise networks. Segue: here are a few key facts that make Endgame the leader in the offensive approach to protecting enterprise critical infrastructure.
  • #8 HUNT CYCLE
    Survey – Identify and monitor the key valuable assets critical to business operations. The first step is to assess the organization to identify the critical assets that the adversary would target within the enterprise network. Once you have identified the critical assets, deploy stealth sensors to monitor the key valuable systems. Stealthy operation lets the sensors evade discovery and tampering by the adversary, allowing you to remain hidden. At the end of this step, the security operator is equipped with a hunt map of the key critical assets and their current and historical network and process behaviors, giving a holistic view of the environment.
    Secure – Secure the hunting ground to stop adversary movement within the enterprise network. The next step is to secure the hunting ground. Once you begin monitoring the critical assets, it is important to lock them down before you begin hunting. The key is to stop any lateral movement by the adversary, to prevent them from accessing any other endpoints within the network. Once the hunting ground is secured, you can employ techniques to detect the sentient adversary.
    Detect – Pursue the advanced adversary by discovering attacker techniques. Step 3 is to detect the adversary in the enterprise network. It is crucial not to rely only on known indicators of compromise but also to detect never-before-seen malware. This can be achieved by focusing on the advanced attacker techniques employed in the environment to gain access to critical infrastructure. Fast and automated detection of these techniques significantly reduces the dwell time of the adversary within the network, from days to just hours.
    Respond – Develop an intelligent response strategy to eradicate the adversary. Once the adversary's techniques are detected, the security operator needs to craft an appropriate and precise response strategy to eradicate their presence in the network. The response actions can vary from observing the adversary and learning their tactics to suspending them to prevent further damage and loss. This intelligent response needs to be enabled in a scalable fashion to address all infected critical assets and minimize business disruption.