
Exploring the Defender's Advantage

How to protect, detect, and respond to your threats. This is an MSP-centric talk on how to protect against, detect, and respond to cyber security threats. It first walks through the cyber defense matrix, then explores what security intelligence needs to be, and reinforces the concepts with two BlackCat case studies.

© 2023 ConnectWise. All rights reserved.
Exploring the Defender's Advantage
How To Protect, Detect, and Respond to Your Threats
Raffael Marty & Bryson Medlock
February 2023
LEFT OF BOOM | BOOM | RIGHT OF BOOM

MITRE ATT&CK TACTICS (left to right across the timeline):
Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact

NIST FUNCTIONAL AREAS FOR CYBER RESILIENCE (aligned underneath):
Identify, Protect, Detect, Respond, Recover

ASSUME BREACH

Session cards shown on the slide:
• Deriving Value from Red and Purple Teaming, presented by John Strand
• Exploring the Defender's Advantage, presented by Raffael Marty + Bryson Medlock
Exploring the Defender's Advantage
• The Defender's Tools of the Trade
• Individual Tools Don't Cut It - We Need Intelligence
• BlackCat Case Study – The Need for Intelligence
Speakers

Raffael Marty, General Manager Cybersecurity @ ConnectWise
• 25 years in cybersecurity
• Investor and Advisor | LED Tinkerer | Zen Student
• Chief Research and Intelligence Officer @ Forcepoint
• Head of Security Analytics @ Sophos
• Founder @ Loggly – the first logging-as-a-service platform
• Chief Security Strategist @ Splunk
• Head of Content @ ArcSight

Bryson Medlock, Threat Intelligence Evangelist @ ConnectWise
• 10+ years in IT (mostly Linux sysadmin)
• 10+ years in cybersecurity
• Lead Trainer for the Alert Logic SOC
• Trained L2+L3 Linux Sysadmins at HostGator
• Creator/Organizer of CTFs
Defender Tools – Many Needs
NIST FUNCTIONAL AREAS FOR CYBER RESILIENCE: IDENTIFY | PROTECT | DETECT | RESPOND | RECOVER

• Not one product covers all areas – one needs multiple solutions to get comprehensive security coverage

Cyber defense matrix, asset class by NIST function, as populated on the slide (only the Protect, Detect and Respond columns carry tool entries in the extracted slide text):

Devices
  Protect: AV, EPP, FIM, HIPS, Whitelisting, Patch Mgmt, Email security
  Detect:  EPP, UEBA, SIEM, Email security
  Respond: EP Response (EDR, MDR), EP Forensics
Applications
  Protect: RASP, WAF, ZT App Access, CASB, SSPM
  Detect:  Source Code Compromise, App IDS, SIEM, CASB, SSPM
  Respond: SSPM
Networks
  Protect: FW, IPS, UTM, Microseg, ESG, SWG, SASE, ZTNA, DNS, VPN
  Detect:  DDoS Detection, Net Traffic Analysis, UEBA, SIEM, DNS
  Respond: DDoS Response, NW Forensics, SASE
Data
  Protect: Encryption, Tokenization, DLP, DRM, DBAM, Email security
  Detect:  Dark Web Scanning, Data Behavior Analytics, SIEM
  Respond: DRM, Breach Response
Users
  Protect: Security Awareness Training, MFA
  Detect:  Insider Threat, UEBA, SIEM
  Respond: (none listed)
Defender Tools – Considerations
NIST FUNCTIONAL AREAS FOR CYBER RESILIENCE: IDENTIFY | PROTECT | DETECT | RESPOND | RECOVER

The slide repeats the same asset-class-by-function matrix (Devices, Applications, Networks, Data, Users) and annotates it with the questions each row and column raises in practice:

• All operating systems
• On-prem, cloud, IoT
• On-prem and SaaS
• Covering BYOD
• Dealing with alert monitoring and false positives
• What data?
• MFA across all applications (on-prem, cloud, SaaS)
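The matrix is only useful if you actually check it for holes rather than admire the tool names. The following is an added example (not code from the deck or from ConnectWise) that encodes the slide's matrix as a control inventory and runs the checks a practitioner would want: empty cells, cells that rest on a single tool, per-function coverage, and tools that many cells depend on. The inventory is transcribed from the slide with the three populated columns read as Protect / Detect / Respond; "EP Response (EDR, MDR)" is split into EDR and MDR, and Identify and Recover are left empty because the extracted slide text lists no tools for them.

```python
"""Coverage check for a cyber defense matrix (asset class x NIST function).

Added example, not from the ConnectWise deck. The inventory below is
transcribed from the slide; the column assignment is this example's reading
of the flattened slide text.
"""
from collections import defaultdict

ASSET_CLASSES = ["Devices", "Applications", "Networks", "Data", "Users"]
FUNCTIONS = ["Identify", "Protect", "Detect", "Respond", "Recover"]

# (asset class, NIST function) -> tools deployed in that cell.
SLIDE_INVENTORY = {
    ("Devices", "Protect"): ["AV", "EPP", "FIM", "HIPS", "Whitelisting",
                             "Patch Mgmt", "Email security"],
    ("Devices", "Detect"): ["EPP", "UEBA", "SIEM", "Email security"],
    ("Devices", "Respond"): ["EDR", "MDR", "EP Forensics"],
    ("Applications", "Protect"): ["RASP", "WAF", "ZT App Access", "CASB", "SSPM"],
    ("Applications", "Detect"): ["Source Code Compromise", "App IDS", "SIEM",
                                 "CASB", "SSPM"],
    ("Applications", "Respond"): ["SSPM"],
    ("Networks", "Protect"): ["FW", "IPS", "UTM", "Microseg", "ESG", "SWG",
                              "SASE", "ZTNA", "DNS", "VPN"],
    ("Networks", "Detect"): ["DDoS Detection", "Net Traffic Analysis", "UEBA",
                             "SIEM", "DNS"],
    ("Networks", "Respond"): ["DDoS Response", "NW Forensics", "SASE"],
    ("Data", "Protect"): ["Encryption", "Tokenization", "DLP", "DRM", "DBAM",
                          "Email security"],
    ("Data", "Detect"): ["Dark Web Scanning", "Data Behavior Analytics", "SIEM"],
    ("Data", "Respond"): ["DRM", "Breach Response"],
    ("Users", "Protect"): ["Security Awareness Training", "MFA"],
    ("Users", "Detect"): ["Insider Threat", "UEBA", "SIEM"],
}


def coverage_gaps(inventory):
    """Cells (asset class, function) with no control at all."""
    return [(a, f) for a in ASSET_CLASSES for f in FUNCTIONS
            if not inventory.get((a, f))]


def thin_cells(inventory, minimum=2):
    """Populated cells that rest on fewer than `minimum` distinct tools."""
    return {cell: tools for cell, tools in inventory.items()
            if 0 < len(set(tools)) < minimum}


def function_coverage(inventory):
    """Share of asset classes that have at least one control per function."""
    return {f: sum(1 for a in ASSET_CLASSES if inventory.get((a, f))) / len(ASSET_CLASSES)
            for f in FUNCTIONS}


def load_bearing_tools(inventory, minimum=3):
    """Tools relied on by at least `minimum` cells. Losing one of these (an
    outage, an unmonitored console, a lapsed licence) empties several cells
    at once, which is why a tool list alone is not a coverage claim."""
    cells_by_tool = defaultdict(set)
    for cell, tools in inventory.items():
        for tool in tools:
            cells_by_tool[tool].add(cell)
    return {t: sorted(c) for t, c in cells_by_tool.items() if len(c) >= minimum}


def report(inventory):
    """Human-readable summary, returned as a string so callers can check it."""
    gaps = coverage_gaps(inventory)
    lines = [f"Uncovered cells: {len(gaps)}"]
    lines += [f"  gap: {asset} / {func}" for asset, func in gaps]
    for (asset, func), tools in thin_cells(inventory).items():
        lines.append(f"  single-tool cell: {asset} / {func} -> {tools[0]}")
    for func, share in function_coverage(inventory).items():
        lines.append(f"  {func}: {share:.0%} of asset classes covered")
    for tool, cells in load_bearing_tools(inventory).items():
        lines.append(f"  load-bearing: {tool} covers {len(cells)} cells")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SLIDE_INVENTORY))
```

Run against the slide's own inventory, the script reports eleven empty cells (every Identify and Recover cell plus Users / Respond), one single-tool cell (Applications / Respond on SSPM alone) and that the SIEM is load-bearing for all five Detect cells. That last finding is the practical reading of "individual tools don't cut it": when one product's telemetry feeds most of a column, the column is only as good as the monitoring of that one product, and the "alert monitoring and false positives" consideration applies to it five times over.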

Recommended

Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKMITRE ATT&CK
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodologyRashad Aliyev
 
It's just a jump to the left (of boom): Prioritizing detection implementation...
It's just a jump to the left (of boom): Prioritizing detection implementation...It's just a jump to the left (of boom): Prioritizing detection implementation...
It's just a jump to the left (of boom): Prioritizing detection implementation...MITRE ATT&CK
 
The ATT&CK Latin American APT Playbook
The ATT&CK Latin American APT PlaybookThe ATT&CK Latin American APT Playbook
The ATT&CK Latin American APT PlaybookMITRE ATT&CK
 
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE - ATT&CKcon
 
When Insiders ATT&CK!
When Insiders ATT&CK!When Insiders ATT&CK!
When Insiders ATT&CK!MITRE ATT&CK
 
Cyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metricsCyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metricsMark Arena
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideMITRE ATT&CK
 

More Related Content

What's hot

Mapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMITRE ATT&CK
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligenceseadeloitte
 
Zero Trust Model
Zero Trust ModelZero Trust Model
Zero Trust ModelYash
 
Threat Modelling - It's not just for developers
Threat Modelling - It's not just for developersThreat Modelling - It's not just for developers
Threat Modelling - It's not just for developersMITRE ATT&CK
 
Threat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - SubmittedThreat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - SubmittedSteve Lodin
 
Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...MITRE ATT&CK
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE - ATT&CKcon
 
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKTracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKMITRE ATT&CK
 
What is Open Source Intelligence (OSINT)
What is Open Source Intelligence (OSINT)What is Open Source Intelligence (OSINT)
What is Open Source Intelligence (OSINT)Molfar
 
Building an InfoSec RedTeam
Building an InfoSec RedTeamBuilding an InfoSec RedTeam
Building an InfoSec RedTeamDan Vasile
 
misp-training.pdf
misp-training.pdfmisp-training.pdf
misp-training.pdf9905234521
 
Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?) Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?) MITRE ATT&CK
 
State of the ATT&CK
State of the ATT&CKState of the ATT&CK
State of the ATT&CKMITRE ATT&CK
 
Cyber Threat hunting workshop
Cyber Threat hunting workshopCyber Threat hunting workshop
Cyber Threat hunting workshopArpan Raval
 
Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032PECB
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 

What's hot (20)

Mapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE Activities
 
Zero Trust Model Presentation
Zero Trust Model PresentationZero Trust Model Presentation
Zero Trust Model Presentation
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
Zero Trust Model
Zero Trust ModelZero Trust Model
Zero Trust Model
 
Threat Modelling - It's not just for developers
Threat Modelling - It's not just for developersThreat Modelling - It's not just for developers
Threat Modelling - It's not just for developers
 
Threat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - SubmittedThreat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - Submitted
 
Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
 
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKTracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
 
What is Open Source Intelligence (OSINT)
What is Open Source Intelligence (OSINT)What is Open Source Intelligence (OSINT)
What is Open Source Intelligence (OSINT)
 
Building an InfoSec RedTeam
Building an InfoSec RedTeamBuilding an InfoSec RedTeam
Building an InfoSec RedTeam
 
misp-training.pdf
misp-training.pdfmisp-training.pdf
misp-training.pdf
 
Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?) Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?)
 
State of the ATT&CK
State of the ATT&CKState of the ATT&CK
State of the ATT&CK
 
Cyber Threat hunting workshop
Cyber Threat hunting workshopCyber Threat hunting workshop
Cyber Threat hunting workshop
 
Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
 

Similar to Exploring the Defender's Advantage

Addressing the cyber kill chain
Addressing the cyber kill chainAddressing the cyber kill chain
Addressing the cyber kill chainSymantec Brasil
 
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...James Anderson
 
Crush Cloud Complexity, Simplify Security - Shield X
Crush Cloud Complexity, Simplify Security - Shield XCrush Cloud Complexity, Simplify Security - Shield X
Crush Cloud Complexity, Simplify Security - Shield XPrime Infoserv
 
Evolutionary ATM & Cyber Security - Selex ES - Angeloluca Barba
Evolutionary ATM & Cyber Security - Selex ES - Angeloluca BarbaEvolutionary ATM & Cyber Security - Selex ES - Angeloluca Barba
Evolutionary ATM & Cyber Security - Selex ES - Angeloluca BarbaAngeloluca Barba
 
What is a secure enterprise architecture roadmap?
What is a secure enterprise architecture roadmap?What is a secure enterprise architecture roadmap?
What is a secure enterprise architecture roadmap?Ulf Mattsson
 
Marlabs cyber threat management
Marlabs cyber threat managementMarlabs cyber threat management
Marlabs cyber threat managementRajendra Menon
 
The Cyber Security Landscape: An OurCrowd Briefing for Investors
The Cyber Security Landscape: An OurCrowd Briefing for InvestorsThe Cyber Security Landscape: An OurCrowd Briefing for Investors
The Cyber Security Landscape: An OurCrowd Briefing for InvestorsOurCrowd
 
Cyber security providers adopt strategic defences
Cyber security providers adopt strategic defences Cyber security providers adopt strategic defences
Cyber security providers adopt strategic defences Markit
 
Cyber Security: A Hands on review
Cyber Security: A Hands on reviewCyber Security: A Hands on review
Cyber Security: A Hands on reviewMiltonBiswas8
 
Information Security
Information SecurityInformation Security
Information SecurityMohit8780
 
Cybersecurity Interview Questions and Answers.pdf
Cybersecurity Interview Questions and Answers.pdfCybersecurity Interview Questions and Answers.pdf
Cybersecurity Interview Questions and Answers.pdfJazmine Brown
 
Toward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network AutomationToward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network AutomationE.S.G. JR. Consulting, Inc.
 
Toward Continuous Cybersecurity With Network Automation
Toward Continuous Cybersecurity With Network AutomationToward Continuous Cybersecurity With Network Automation
Toward Continuous Cybersecurity With Network AutomationKen Flott
 
Firewalls And Infrastructure Security
Firewalls And Infrastructure SecurityFirewalls And Infrastructure Security
Firewalls And Infrastructure SecurityBrooke Curtis
 
Webinar Mastering Microsoft Security von Baggenstos
Webinar Mastering Microsoft Security von BaggenstosWebinar Mastering Microsoft Security von Baggenstos
Webinar Mastering Microsoft Security von BaggenstosJenniferMete1
 
CYBER SECURITY CAREER GUIDE CHEAT SHEET
CYBER SECURITY CAREER GUIDE CHEAT SHEETCYBER SECURITY CAREER GUIDE CHEAT SHEET
CYBER SECURITY CAREER GUIDE CHEAT SHEETTravarsaPrivateLimit
 
8 Top Cybersecurity Tools.pdf
8 Top Cybersecurity Tools.pdf8 Top Cybersecurity Tools.pdf
8 Top Cybersecurity Tools.pdfMetaorange
 
Top reasons why Endpoint Security should move to Cloud | Sysfore
Top reasons why Endpoint Security should move to Cloud | SysforeTop reasons why Endpoint Security should move to Cloud | Sysfore
Top reasons why Endpoint Security should move to Cloud | SysforeSysfore Technologies
 
Zymr Cybersecurity
Zymr Cybersecurity Zymr Cybersecurity
Zymr Cybersecurity Zymr Cloud
 
Cyber Security Services & Solutions - Zymr
Cyber Security Services & Solutions - ZymrCyber Security Services & Solutions - Zymr
Cyber Security Services & Solutions - ZymrZYMR, INC.
 

Similar to Exploring the Defender's Advantage (20)

Addressing the cyber kill chain
Addressing the cyber kill chainAddressing the cyber kill chain
Addressing the cyber kill chain
 
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
 
Crush Cloud Complexity, Simplify Security - Shield X
Crush Cloud Complexity, Simplify Security - Shield XCrush Cloud Complexity, Simplify Security - Shield X
Crush Cloud Complexity, Simplify Security - Shield X
 
Evolutionary ATM & Cyber Security - Selex ES - Angeloluca Barba
Evolutionary ATM & Cyber Security - Selex ES - Angeloluca BarbaEvolutionary ATM & Cyber Security - Selex ES - Angeloluca Barba
Evolutionary ATM & Cyber Security - Selex ES - Angeloluca Barba
 
What is a secure enterprise architecture roadmap?
What is a secure enterprise architecture roadmap?What is a secure enterprise architecture roadmap?
What is a secure enterprise architecture roadmap?
 
Marlabs cyber threat management
Marlabs cyber threat managementMarlabs cyber threat management
Marlabs cyber threat management
 
The Cyber Security Landscape: An OurCrowd Briefing for Investors
The Cyber Security Landscape: An OurCrowd Briefing for InvestorsThe Cyber Security Landscape: An OurCrowd Briefing for Investors
The Cyber Security Landscape: An OurCrowd Briefing for Investors
 
Cyber security providers adopt strategic defences
Cyber security providers adopt strategic defences Cyber security providers adopt strategic defences
Cyber security providers adopt strategic defences
 
Cyber Security: A Hands on review
Cyber Security: A Hands on reviewCyber Security: A Hands on review
Cyber Security: A Hands on review
 
Information Security
Information SecurityInformation Security
Information Security
 
Cybersecurity Interview Questions and Answers.pdf
Cybersecurity Interview Questions and Answers.pdfCybersecurity Interview Questions and Answers.pdf
Cybersecurity Interview Questions and Answers.pdf
 
Toward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network AutomationToward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network Automation
 
Toward Continuous Cybersecurity With Network Automation
Toward Continuous Cybersecurity With Network AutomationToward Continuous Cybersecurity With Network Automation
Toward Continuous Cybersecurity With Network Automation
 
Firewalls And Infrastructure Security
Firewalls And Infrastructure SecurityFirewalls And Infrastructure Security
Firewalls And Infrastructure Security
 
Webinar Mastering Microsoft Security von Baggenstos
Webinar Mastering Microsoft Security von BaggenstosWebinar Mastering Microsoft Security von Baggenstos
Webinar Mastering Microsoft Security von Baggenstos
 
CYBER SECURITY CAREER GUIDE CHEAT SHEET
CYBER SECURITY CAREER GUIDE CHEAT SHEETCYBER SECURITY CAREER GUIDE CHEAT SHEET
CYBER SECURITY CAREER GUIDE CHEAT SHEET
 
8 Top Cybersecurity Tools.pdf
8 Top Cybersecurity Tools.pdf8 Top Cybersecurity Tools.pdf
8 Top Cybersecurity Tools.pdf
 
Top reasons why Endpoint Security should move to Cloud | Sysfore
Top reasons why Endpoint Security should move to Cloud | SysforeTop reasons why Endpoint Security should move to Cloud | Sysfore
Top reasons why Endpoint Security should move to Cloud | Sysfore
 
Zymr Cybersecurity
Zymr Cybersecurity Zymr Cybersecurity
Zymr Cybersecurity
 
Cyber Security Services & Solutions - Zymr
Cyber Security Services & Solutions - ZymrCyber Security Services & Solutions - Zymr
Cyber Security Services & Solutions - Zymr
 

More from Raffael Marty

Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR)An Overhyped Product Category With Ulti...Extended Detection and Response (XDR)An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...Raffael Marty
 
How To Drive Value with Security Data
How To Drive Value with Security DataHow To Drive Value with Security Data
How To Drive Value with Security DataRaffael Marty
 
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?Raffael Marty
 
Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?Raffael Marty
 
Understanding the "Intelligence" in AI
Understanding the "Intelligence" in AIUnderstanding the "Intelligence" in AI
Understanding the "Intelligence" in AIRaffael Marty
 
AI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are DangerousAI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are DangerousRaffael Marty
 
AI & ML in Cyber Security - Why Algorithms Are Dangerous
AI & ML in Cyber Security - Why Algorithms Are DangerousAI & ML in Cyber Security - Why Algorithms Are Dangerous
AI & ML in Cyber Security - Why Algorithms Are DangerousRaffael Marty
 
Delivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and VisualizationDelivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and VisualizationRaffael Marty
 
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't ChangedAI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't ChangedRaffael Marty
 
Security Insights at Scale
Security Insights at ScaleSecurity Insights at Scale
Security Insights at ScaleRaffael Marty
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationRaffael Marty
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationRaffael Marty
 
Visualization in the Age of Big Data
Visualization in the Age of Big DataVisualization in the Age of Big Data
Visualization in the Age of Big DataRaffael Marty
 
Big Data Visualization
Big Data VisualizationBig Data Visualization
Big Data VisualizationRaffael Marty
 
The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?Raffael Marty
 
Workshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityWorkshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityRaffael Marty
 
Visualization for Security
Visualization for SecurityVisualization for Security
Visualization for SecurityRaffael Marty
 
The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?Raffael Marty
 
DAVIX - Data Analysis and Visualization Linux
DAVIX - Data Analysis and Visualization LinuxDAVIX - Data Analysis and Visualization Linux
DAVIX - Data Analysis and Visualization LinuxRaffael Marty
 

More from Raffael Marty (20)

Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR)An Overhyped Product Category With Ulti...Extended Detection and Response (XDR)An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
 
How To Drive Value with Security Data
How To Drive Value with Security DataHow To Drive Value with Security Data
How To Drive Value with Security Data
 
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
 
Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?
 
Understanding the "Intelligence" in AI
Understanding the "Intelligence" in AIUnderstanding the "Intelligence" in AI
Understanding the "Intelligence" in AI
 
Security Chat 5.0
Security Chat 5.0Security Chat 5.0
Security Chat 5.0
 
AI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are DangerousAI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are Dangerous
 
AI & ML in Cyber Security - Why Algorithms Are Dangerous
AI & ML in Cyber Security - Why Algorithms Are DangerousAI & ML in Cyber Security - Why Algorithms Are Dangerous
AI & ML in Cyber Security - Why Algorithms Are Dangerous
 
Delivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and VisualizationDelivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and Visualization
 
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't ChangedAI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
 
Security Insights at Scale
Security Insights at ScaleSecurity Insights at Scale
Security Insights at Scale
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & Visualization
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & Visualization
 
Visualization in the Age of Big Data
Visualization in the Age of Big DataVisualization in the Age of Big Data
Visualization in the Age of Big Data
 
Big Data Visualization
Big Data VisualizationBig Data Visualization
Big Data Visualization
 
The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?
 
Workshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityWorkshop: Big Data Visualization for Security
Workshop: Big Data Visualization for Security
 
Visualization for Security
Visualization for SecurityVisualization for Security
Visualization for Security
 
The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?
 
DAVIX - Data Analysis and Visualization Linux
DAVIX - Data Analysis and Visualization LinuxDAVIX - Data Analysis and Visualization Linux
DAVIX - Data Analysis and Visualization Linux
 

Recently uploaded

Model Jaringan network jaringan komputer.pdf
Model Jaringan network jaringan komputer.pdfModel Jaringan network jaringan komputer.pdf
Model Jaringan network jaringan komputer.pdfgalfinprihardiputra0
 
Elevate Your Business: Unleashing Collaboration and Efficiency through Expert...
Elevate Your Business: Unleashing Collaboration and Efficiency through Expert...Elevate Your Business: Unleashing Collaboration and Efficiency through Expert...
Elevate Your Business: Unleashing Collaboration and Efficiency through Expert...Prometix Pty Ltd
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonAPNIC
 
Regulation is Coming - Trusted Media Summit 2023
Regulation is Coming - Trusted Media Summit 2023Regulation is Coming - Trusted Media Summit 2023
Regulation is Coming - Trusted Media Summit 2023Damar Juniarto
 
Biometrics Technology Intresting PPT
Biometrics Technology Intresting PPTBiometrics Technology Intresting PPT
Biometrics Technology Intresting PPTPraveenKumarThota7
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonAPNIC
 

Recently uploaded (6)

Model Jaringan network jaringan komputer.pdf
Model Jaringan network jaringan komputer.pdfModel Jaringan network jaringan komputer.pdf
Model Jaringan network jaringan komputer.pdf
 
Elevate Your Business: Unleashing Collaboration and Efficiency through Expert...
Elevate Your Business: Unleashing Collaboration and Efficiency through Expert...Elevate Your Business: Unleashing Collaboration and Efficiency through Expert...
Elevate Your Business: Unleashing Collaboration and Efficiency through Expert...
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
Regulation is Coming - Trusted Media Summit 2023
Regulation is Coming - Trusted Media Summit 2023Regulation is Coming - Trusted Media Summit 2023
Regulation is Coming - Trusted Media Summit 2023
 
Biometrics Technology Intresting PPT
Biometrics Technology Intresting PPTBiometrics Technology Intresting PPT
Biometrics Technology Intresting PPT
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 

Exploring the Defender's Advantage

  • 5. Defender Tools – Many Needs (NIST functional areas for cyber resilience: Identify, Protect, Detect, Respond, Recover)
    Not one product covers all areas – one needs multiple solutions to get comprehensive security coverage. Tools on the slide, by asset class and function:
    Devices – Protect: AV, EPP, FIM, HIPS, Whitelisting, Patch Mgmt, Email security | Detect: EPP, UEBA, SIEM, Email Security | Respond: EP Response (EDR, MDR), EP Forensics
    Applications – Protect: RASP, WAF, ZT App Access, CASB, SSPM | Detect: Source Code Compromise, App IDS, SIEM, CASB, SSPM | Respond: SSPM
    Networks – Protect: FW, IPS, UTM, Microseg, ESG, SWG, SASE, ZTNA, DNS, VPN | Detect: DDoS Detection, Net Traffic Analysis, UEBA, SIEM, DNS | Respond: DDoS Response, NW Forensics, SASE
    Data – Protect: Encryption, Tokenization, DLP, DRM, DBAM, Email security | Detect: Dark Web Scanning, Data Behavior Analytics, SIEM | Respond: DRM, Breach Response
    Users – Protect: Security Awareness Training, MFA | Detect: Insider Threat, UEBA, SIEM
  • 6. Defender Tools – Considerations
    Same tool matrix as slide 5, annotated with the questions each area raises:
    • All operating systems
    • On-prem, cloud, IoT
    • On-prem and SaaS
    • Covering BYOD
    • Dealing with alert monitoring and false positives
    • What data?
    • MFA across all applications (on-prem, cloud, SaaS)
  • 7. Defender Tools – Can We Simplify?
    Devices – Protect: EDR, Patch Management, Email Security | Detect: EDR, Email Security | Respond: EDR
    Applications – Protect: CASB, SSPM | Detect: CASB, SSPM | Respond: SSPM
    Networks – Protect: FW, IPS | Detect: IDS
    Data – Protect: Encryption, Email security | Detect: Dark Web Scanning
    Users – Protect: Sec Awareness Training, MFA
    What about fail-safes (both capability failures and human error)? Use your RMM?
  • 8. Defender Tools – Let’s Take Inventory
    • Over 10 Products
    • Disconnected
    • Duplicate Alerts
    • Duplicate Policy Configuration
    • MSPs Will Have To Manage, No 3rd Party Provider
    • What about SIEM? (diagram inputs: Threat Intel, Context)
      ✓ Single Interface
      ✓ Better Detection (Correlation)
      ✓ Lower False Positives
      ✓ External Intelligence
      ✓ Environmental Context
      ☐ Only Covers Detection
      ☐ Needs Data Inputs
    • Could Be Coupled With SOAR
  • 9. The Need for Intelligence – Taking a Step Back
    Intelligence != Public Threat Intelligence Feeds
    • Strategic Intelligence: Non-technical, risk-based intelligence on a business level. Informs business-related decisions.
    • Tactical Intelligence: Details of threat actor tactics, techniques, and procedures (TTPs).
    • Operational Intelligence: Actionable information about a specific incoming attack.
    • Technical Intelligence: Technical threat indicators (e.g., malware hashes, C2 IP addresses, etc.).
  • 10. Intelligence – A Different View: move from event-based to risk-based
    • Indicators of Compromise (IOCs) – Pros: ease of use and broad availability. Cons: hard to find industry / customer relevant IOCs, high false positives, change over time, always reactive. Source: public threat feeds.
    • TTPs – Pros: not specific to individual attacks / attackers / malware. Cons: no common exchange format, except maybe Sigma? Source: MITRE ATT&CK, Sigma, other?
    • Leading Indicators (left-of-boom risk) – Pros: move threat detection left in the kill-chain, independent of a specific attack. Cons: hard to collect, hard to define the causation. Source: environment-specific logs and threat hunting.
    • Anomalies / Environment-Specific Insights – Pros: good predictors. Cons: hard to scale across all your customers. Source: in-house, contextual information across each customer, threat hunting.
  • 11. From Defense to Automated Protection – Risk-focused System
    • Risk drives access decisions in a ZTNA environment
    • Risk can drive automatic (or semi-automatic) responses
    Diagram flow: Subject → access request → Policy Enforcement Point(s) → "can access?" → Policy Decision Point (Policy Engine + Analytics Engine → risk decision → risk-informed policy decision) → access → Resources
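The decision loop on this slide (subject, Policy Enforcement Point, Policy Decision Point with a Policy Engine and an Analytics Engine feeding a risk decision) as a small worked example. This is added illustrative code, not part of the original deck and not any ConnectWise product behaviour; the signal names, point weights, resource sensitivity labels, thresholds and response strings are assumptions chosen for illustration.

```python
"""Risk-informed policy decision point (PDP): added example, not the deck's code.

Flow modelled: a subject's access request reaches a Policy Enforcement Point
(PEP); the PEP asks the PDP "can access?"; the PDP combines static policy
(resource sensitivity) with an analytics-engine risk score and answers
allow / step_up / deny plus a suggested automatic response. All weights,
thresholds and labels below are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class AccessRequest:
    subject: str
    resource: str
    mfa_used: bool
    device_managed: bool   # endpoint has a healthy EDR/RMM agent
    known_location: bool   # location previously seen for this subject
    anomaly: float         # 0.0..1.0 behaviour score from UEBA-style analytics


@dataclass
class Decision:
    action: str            # "allow", "step_up" (ask for MFA) or "deny"
    risk: int              # 0..100 risk points
    reasons: List[str] = field(default_factory=list)
    response: str = "none" # automatic response the PEP / SOAR should trigger


# Static policy input: sensitivity label per resource (assumed labels).
RESOURCE_SENSITIVITY = {"intranet-wiki": 1, "file-server": 2, "domain-controller": 3}
# Risk tolerance shrinks as sensitivity grows (assumed thresholds).
DENY_AT = {1: 80, 2: 60, 3: 40}


def risk_score(req: AccessRequest) -> Tuple[int, List[str]]:
    """Analytics engine: integer risk points, so threshold comparisons are exact."""
    points, reasons = 0, []
    if not req.device_managed:
        points += 40
        reasons.append("unmanaged device")
    if not req.known_location:
        points += 20
        reasons.append("unfamiliar location")
    if not req.mfa_used:
        points += 20
        reasons.append("no MFA")
    if req.anomaly > 0:
        points += round(40 * req.anomaly)
        reasons.append(f"behaviour anomaly {req.anomaly:.2f}")
    return min(points, 100), reasons


def decide(req: AccessRequest) -> Decision:
    """Policy decision point: static policy + risk -> verdict + response."""
    risk, reasons = risk_score(req)
    sensitivity = RESOURCE_SENSITIVITY.get(req.resource, 3)  # unknown: treat as most sensitive
    deny_at = DENY_AT[sensitivity]
    step_up_at = deny_at // 2
    if risk >= deny_at:
        action = "deny"
    elif risk >= step_up_at and not req.mfa_used:
        action = "step_up"       # moderate risk: demand a stronger factor first
    else:
        action = "allow"
    # Risk also drives (semi-)automatic response, not only the access verdict.
    response = "none"
    if action == "deny" and req.anomaly >= 0.7:
        response = "escalate to SOC and isolate endpoint"
    elif action == "deny" and not req.device_managed:
        response = "enroll device in RMM/EDR before retry"
    return Decision(action, risk, reasons, response)


def enforce(req: AccessRequest) -> bool:
    """Policy enforcement point: only the verdict reaches the resource."""
    return decide(req).action == "allow"


if __name__ == "__main__":
    # Constructed sample requests
    for r in (AccessRequest("alice", "intranet-wiki", True, True, True, 0.0),
              AccessRequest("bob", "domain-controller", False, False, True, 0.0),
              AccessRequest("carol", "file-server", False, True, False, 0.0),
              AccessRequest("dave", "domain-controller", True, True, True, 1.0)):
        print(r.subject, r.resource, decide(r))
```

The same request gets different verdicts depending on the resource's sensitivity, which is the "risk-informed policy decision" of the slide: the Policy Engine owns the thresholds, the Analytics Engine owns the score, and the PEP sees only the verdict.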
  • 12. BlackCat Case-Study 1: Compromised Credentials – Manufacturing Company
  • 13. MITRE ATT&CK techniques from the case, laid over the defense matrix (Devices, Applications, Networks, Data, Users × Detect, Respond):
    T1003 OS Credential Dumping; T1007 System Services Discovery; T1018 Remote System Discovery; T1020 Automated Exfiltration; T1021 Remote Services; T1030 Data Transfer Size Limits; T1036 Masquerading; T1039 Data from Network Shared Drive
    T1041 Exfiltration over C2 Channel; T1046 Network Service Discovery; T1047 Windows Mgmt. Instrumentation; T1048 Exfiltration over Alternate Protocol; T1053 Scheduled Task / Job; T1057 Process Discovery; T1059 Command & Scripting Interpreter; T1069 Permission Groups Discovery
    T1070 Indicator Removal on Host; T1071 Application Layer Protocol; T1074 Data Staged; T1078 Valid Accounts; T1082 System Information Discovery; T1087 Account Discovery; T1106 Native API; T1119 Automated Collection
    T1133 External Remote Services; T1134 Access Token Manipulation; T1135 Network Share Discovery; T1190 Exploit Public-Facing Application; T1219 Remote Access Software; T1482 Domain Trust Discovery; T1485 Data Destruction; T1486 Data Encrypted for Impact
    T1489 Service Stop; T1490 Inhibit System Recovery; T1498 Network Denial of Service; T1505 Server Software Component; T1537 Transfer Data to Cloud Account; T1548 Abuse Elevation Control Mechanism; T1552 Unsecured Credentials; T1555 Credentials from Password Stores
    T1560 Archive Collected Data; T1562 Impair Defenses; T1567 Exfiltration over Web Services; T1569 System Services; T1570 Lateral Tool Transfer; T1572 Protocol Tunneling; T1573 Encrypted Channel
  • 15. Timeline – Manufacturing company
    • 1st day – Cisco AnyConnect VPN account test
    • 7th day – VPN connected, RDP as different user, view Task Manager
    • 8th day – VPN Login
    • 8th day – RDP traffic to an unmonitored host
    • 8th day – Couple hours later – ransomware spreading from unmonitored host via SMB
  • 16. Event Logs Cleared
    • wevtutil.exe cl {event log}
    • CW SIEM signature: process.args:(("wevtutil.exe" OR "wevtutil") AND ("cl" OR "clear-log"))
  • 17. Event Logs Cleared – Sigma
    title: Suspicious Eventlog Clear or Configuration Change
    detection:
      selection_wevtutil:
        Image|endswith: 'wevtutil.exe'
        CommandLine|contains:
          - 'clear-log '   # clears specified log
          - ' cl '         # short version of 'clear-log'
          - 'set-log '     # modifies config of specified log
          - ' sl '         # short version of 'set-log'
          - 'lfn:'         # change log file location and name
    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
  • 18. Shadow Volume Deletion
    • process.command_line: "cmd" /c "vssadmin.exe Delete Shadows /all /quiet"
    • CW SIEM Signature: process.executable:"vssadmin.exe" AND process.command_line.text:("delete shadows" AND "all")
    • Sigma: title: Shadow Copies Deletion Using Operating Systems Utilities – https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml (69 lines)
  • 19. Crypter Running via WMI
    • process.command_line: wmic /node:"REDACTED" process call create "C:\Users\Fqq09.exe --access-token <REDACTED 32 bit token>"
    • CW SIEM Signature: process.args:("wmic" AND "node") AND process.command_line.text:"process call create" AND NOT process.args:("ltsvc" OR "Agent_Installer.msi")
  • 20. Crypter Running via WMI – Sigma
    title: WMI Reconnaissance List Remote Services
    detection:
      selection_img:
        - Image|endswith: 'WMIC.exe'
        - OriginalFileName: 'wmic.exe'
      selection_cli:
        CommandLine|contains|all:
          - '/node:'
          - 'service'
      condition: all of selection*
    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml
  • 21. BlackCat Case-Study 2: Compromised Credentials – Law Office
  • 22. (Same MITRE ATT&CK technique map over the defense matrix as slide 13.)
  • 24. First Alert
    • Lateral Movement first observed from decommissioned Windows 7 system pulled out of a closet
    • No EDR or any other monitoring
  • 25. Crypter Deployed
  • 26. Crypter Deployed
  • 27. CW Control Commands
    • 7z2107-x64.exe
    • MEGAsyncSetup64.exe
    • GetProcesses
    • GetSoftware
    • StopService – WRSVC (Webroot) [FAILED]
    • Msg Administrator – “Hello <REDACTED>! We stolen from your network <REDACTED>gb sensitive data. If you don't want leak your data please contact us. Follow Instruction in readme file”
    • RemotePC.exe
  • 28. Full Timeline Unclear
    • Lateral Movement first observed from decommissioned Windows 7 system pulled out of a closet
    • No EDR or any other monitoring
    • CW SIEM owned (not p0wned!), but not deployed
    • Incident Support investigation:
      • Five different CW Control accounts used
      • All were shut down by CW Scammer Hammer
      • Mimikatz found
      • Koadic found
      • One Admin Login:
        • Data 7zip’d
        • Megasync installed
        • Putty.exe
        • Megasync uninstalled
  • 29. Visibility is Key
    • Case 1
      • TA found system w/o Sysmon and used it for staging
      • System logs were cleared, limited forensics on that one system
      • Firewall logs were key
    • Case 2
      • EDR only, but not everywhere
      • Decommissioned Windows 7 system in closet w/o any EDR or other security tools likely point of Initial Access
      • No SIEM, logs were cleared, severely limited forensics
  • 30. Building Detections – Easy Mode
  • 31. BlackCat – [CRU][Windows] Reg add to "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" – [T1047] Windows Management Instrumentation
  • 32. Don’t Reinvent the Wheel – Detection Rules Exist
    • MITRE CAR – https://car.mitre.org/
    • SIGMA – https://github.com/SigmaHQ/sigma
    • Elastic Detection Rules – https://github.com/elastic/detection-rules
    Make sure you have the right data triggering these rules.
  • 33. Example – T1003 OS Credential Dumping: NTDSUtil
    • MITRE CAR pseudocode:
        files = search File:Create
        ntds_dump = filter files where (
            file_name = "ntds.dit" and image_path = "*ntdsutil.exe")
        output ntds_dump
    • Sigma: title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) – https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml
    • Elastic: (process.pe.original_file_name == "ntdsutil.exe" and process.args : "create*full*") or
    • CW SIEM: [CRU][Windows] Dump Active Directory Database with NTDSUtil – process.command_line.text:(("ntdsutil" OR "ntdsutil.exe") AND ("ac i ntds" OR "activate instance ntds") AND "ifm" AND "create full")
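The detection content on slides 16 to 20 and 33 is written as SIEM queries and Sigma selections. The following added example, which is not code from the deck, from SigmaHQ or from ConnectWise, shows how such selection-and-condition rules are evaluated against process-creation events: a minimal Sigma-style matcher with four rules modelled on the wevtutil, vssadmin, WMIC and ntdsutil detections above, run over constructed Sysmon-style events. The rule titles, the supported subset of Sigma syntax and the sample events (including the placeholder executable name and host names) are assumptions.

```python
"""Minimal Sigma-style rule evaluator over process-creation events (added example).

Supports only what the slides' rules need: field modifiers endswith, startswith
and contains (optionally |all), list values (any-of), a selection given as a
list of maps (any-of), and conditions "<name>" or "all of selection*", each
optionally followed by "and not <name>". Matching is case-insensitive, as in
Sigma. Rules, titles and events below are constructed for illustration.
"""

# Rules modelled on the detections shown on the slides (shapes are assumptions).
RULES = [
    {"title": "Event log cleared or reconfigured via wevtutil",
     "detection": {
         "selection": {"Image|endswith": "wevtutil.exe",
                       "CommandLine|contains": ["clear-log ", " cl ", "set-log ", " sl ", "lfn:"]},
         "condition": "selection"}},
    {"title": "Shadow copies deleted via vssadmin",
     "detection": {
         "selection": {"Image|endswith": "vssadmin.exe",
                       "CommandLine|contains|all": ["delete", "shadows", "/all"]},
         "condition": "selection"}},
    {"title": "Remote process creation via WMIC /node",
     "detection": {
         "selection_img": [{"Image|endswith": "WMIC.exe"}, {"OriginalFileName": "wmic.exe"}],
         "selection_cli": {"CommandLine|contains|all": ["/node:", "process call create"]},
         # mirrors the slide's AND NOT ("ltsvc" OR "Agent_Installer.msi") exclusion
         "filter": {"CommandLine|contains": ["ltsvc", "Agent_Installer.msi"]},
         "condition": "all of selection* and not filter"}},
    {"title": "AD database dump via ntdsutil IFM",
     "detection": {
         "selection_img": {"Image|endswith": "ntdsutil.exe"},
         "selection_instance": {"CommandLine|contains": ["ac i ntds", "activate instance ntds"]},
         "selection_ifm": {"CommandLine|contains|all": ["ifm", "create full"]},
         "condition": "all of selection*"}},
]


def field_matches(event, key, spec):
    """Apply one 'Field|modifier...' entry; list values are any-of unless |all."""
    name, *mods = key.split("|")
    value = str(event.get(name, "")).lower()
    wanted = [str(w).lower() for w in (spec if isinstance(spec, list) else [spec])]
    if "endswith" in mods:
        hit = value.endswith
    elif "startswith" in mods:
        hit = value.startswith
    elif "contains" in mods:
        hit = lambda w: w in value
    else:
        hit = lambda w: w == value
    results = [hit(w) for w in wanted]
    return all(results) if "all" in mods else any(results)


def selection_matches(event, selection):
    """A map is AND across its fields; a list of maps is OR across the maps."""
    if isinstance(selection, list):
        return any(selection_matches(event, s) for s in selection)
    return all(field_matches(event, k, v) for k, v in selection.items())


def _term(term, results):
    if term == "all of selection*":
        return all(v for n, v in results.items() if n.startswith("selection"))
    return results[term]


def rule_matches(event, rule):
    """Evaluate every named selection, then the rule's condition string."""
    det = rule["detection"]
    results = {n: selection_matches(event, s) for n, s in det.items() if n != "condition"}
    positive, _, negative = det["condition"].partition(" and not ")
    ok = _term(positive.strip(), results)
    if negative:
        ok = ok and not _term(negative.strip(), results)
    return ok


def evaluate(events, rules=RULES):
    """Return (event id, rule title) pairs for every rule that fires."""
    return [(e["id"], r["title"]) for e in events for r in rules if rule_matches(e, r)]


# Constructed Sysmon-style process-creation events (host and file names are placeholders).
SAMPLE_EVENTS = [
    {"id": "e1", "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security"},
    {"id": "e2", "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe qe Security /c:5"},                  # benign log query
    {"id": "e3", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /all /quiet"},
    {"id": "e4", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic /node:FILESRV01 process call create "C:\Users\Public\PLACEHOLDER.exe --access-token PLACEHOLDER"'},
    {"id": "e5", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic /node:WS07 process call create "msiexec /i C:\Temp\Agent_Installer.msi /qn"'},  # excluded by filter
    {"id": "e6", "Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Temp\ad" q q'},
]

if __name__ == "__main__":
    for event_id, title in evaluate(SAMPLE_EVENTS):
        print(f"{event_id}: {title}")
```

The `and not filter` clause reproduces the slide's "AND NOT (ltsvc OR Agent_Installer.msi)" exclusion: the RMM installer pushed through WMIC is suppressed while remote execution of an unknown binary still fires, and the benign `wevtutil qe` query does not trip the clear-log rule. The slide's closing point still applies: none of this fires unless process-creation events with full command lines actually reach the SIEM.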
  • 34. Defender’s Advantage – Takeaways
    1. Know what you protect – deploy an asset management program
    2. Central place to collect logs / data (SIEM)
       1. Make sure you have the right tools to collect all relevant data
       2. Think about defense in depth to cover ‘single layer failures’
       3. Collect contextual information (assets, users, etc.)
    3. Relevant and actionable intelligence – not just a TI feed
    4. Drive detections into automated protection (ZTA, etc.)
    5. Leverage your RMM to assist your security tools
  • 35. The premier cybersecurity conference for MSPs interested in creating new revenue streams, securing clients, and seeing the latest cyber innovation first hand. June 5-7, 2023 | Gaylord Palms Resort + Convention Center. Learn more at connectwise.com/secure
  • 36. Thank You – @raffaelmarty @ConnectWiseCRU connectwise.com/cybersecurity