Enterprise‐Grade Incident Management: Responding to the Persistent Threat
Dave Merkel
Vice President, Products
David Ross, Principal Consultant
Overview
Who is MANDIANT?
What is Enterprise IR?
The IR Process
The Threats We Battle
Case Studies: Advanced Persistent Threat (APT)
Battling APT Across a Global Enterprise
Evolving IR to Scale for Large Enterprises
Scoping Techniques via Proactive Deployments
Final Thoughts
Who is MANDIANT?
Engineers, consultants, authors, instructors & security experts
Chased bad guys attacking the Fortune 500, govt. contractors, and multi-national banks
Find evil & solve crime through our products & services.
Intrusion Categories (figure: three levels of intrusion, from indiscriminate to targeted)
Level 1: Worms, Warez, Spam, etc. (Individuals); targets: Indiscriminate Internet Users
Level 2: Personal Identifying Information (PII) Focused (Group, Smash & Dash)
Level 3: Advanced Persistent Threat (APT) Focused Attack
Targets shown for the higher levels: Defense Industrial Base (DIB), Government Agencies, Global Financial Organizations, Industry Supporting Government Initiatives; R&D, Raw Materials
Incident Management Process (figure: Prepare, Initiate, Collect, Analyze, Present, Resolve & Minimize, around a central EVENT)
Electronic Evidence
Theft of intellectual property
Responding to subpoenas
Evidence preservation and collection for litigation
Evidence analysis
Information Security
Incident response
Identifying indicators of compromise
Discovering other compromised systems
Identifying compromised data
Investigations
Internal investigations
Digital forensics
Acceptable use / resource abuse investigations
Key employee departures
Advanced Persistent Threat (APT)
Motivation: Espionage, Political, Power
Goals: Gain foothold, Maintain access, Exfiltrate sensitive data
April 10, 2008
Initial Attack Vector: Spear phishing, Low Hanging Fruit
Foothold Techniques: Stealthy backdoors, Credential compromise
How the APT Differs From Other Attacks
Motivation & Tenacity
Their goal is occupation: persistent access to network resources
Political insight; future use / fear / deterrent
Technology
Custom malware: no sustainable signatures
Malware recompiled days before installation; constant feature additions
VPN subversion: encrypted tunnels
Organization & Orchestration
Division of labor; malware change management
They escalate only as necessary: countermeasures increase attack sophistication
Tackling the APT in the Enterprise is HARD!
Employ valid credentials for lateral movement
Possess comprehensive understanding of target network topology: obviates need to scan for targets; protects them from "tripping" internal alarms
Frequently modify binaries to avoid detection via MD5 checksum
Attackers are hiding in plain sight: data exfiltration patterns utilizing native OS behavior
Leveraging various IP blocks to avoid filtering & detection
Dropping "sleeper" backdoors for future use
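The slide's point that the adversary moves with valid credentials rather than exploits means the detection signal is not a failed logon but an account touching more hosts than it normally should in a short time. The following is an added example, not code from the MANDIANT deck or its products: it parses constructed Windows-style logon records (the key=value layout, host names, account names and addresses are all made up for the example; logon type 3 is the Windows "network" logon type) and flags any account whose network logons reach an unusual number of distinct hosts inside a sliding window.

```python
"""
Added example (not from the MANDIANT deck): flag accounts whose valid
credentials are used for network logons to many distinct hosts within a
short window, one of the patterns lateral movement leaves behind.
The log layout (ts host= user= logon_type= src=) and every value below
are constructed for this example; they are not any product's real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one service account fanning out across five servers
# in a few minutes, and one ordinary user logging on to a single workstation.
SAMPLE_LOG = """\
2008-04-10T09:00:12 host=FIN-WS-031 user=jsmith logon_type=2 src=10.1.4.31
2008-04-10T09:05:44 host=FIN-SRV-01 user=svc_backup logon_type=3 src=10.1.4.31
2008-04-10T09:06:02 host=FIN-SRV-02 user=svc_backup logon_type=3 src=10.1.4.31
2008-04-10T09:06:40 host=HR-SRV-01 user=svc_backup logon_type=3 src=10.1.4.31
2008-04-10T09:07:15 host=ENG-SRV-07 user=svc_backup logon_type=3 src=10.1.4.31
2008-04-10T09:08:03 host=DC-01 user=svc_backup logon_type=3 src=10.1.4.31
2008-04-10T13:22:09 host=FIN-WS-031 user=jsmith logon_type=2 src=10.1.4.31
"""


def parse_line(line):
    """Turn 'ts k=v k=v ...' into a dict with a parsed 'ts' datetime."""
    ts_text, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_text)
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def fan_out_alerts(records, window=timedelta(minutes=10), threshold=4):
    """
    Return {user: sorted distinct hosts} for every account whose network
    logons (logon_type 3) reach at least `threshold` distinct hosts inside
    any `window`-long sliding interval. Interactive logons (type 2) are
    ignored: a person sitting at one workstation is not the pattern sought.
    """
    by_user = defaultdict(list)
    for r in records:
        if r["logon_type"] == "3":
            by_user[r["user"]].append(r)

    alerts = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        best = None
        start = 0
        for end, rec in enumerate(recs):
            # Slide the window start forward until it fits inside `window`.
            while rec["ts"] - recs[start]["ts"] > window:
                start += 1
            hosts = {r["host"] for r in recs[start:end + 1]}
            if len(hosts) >= threshold and (best is None or len(hosts) > len(best)):
                best = hosts
        if best is not None:
            alerts[user] = sorted(best)
    return alerts


if __name__ == "__main__":
    for user, hosts in fan_out_alerts(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: network logons to {len(hosts)} hosts: {', '.join(hosts)}")
```

The threshold and window are tuning knobs: a backup or patching account legitimately fans out on a schedule, so in practice the baseline per account (and per source address) matters more than the fixed numbers used here, and a hit is a lead for the scoping techniques later in the deck, not a finding on its own.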
If you're not ready to anticipate the attacker, you're not ready to remediate
Get "in front" of the APT
Improve visibility: you can't fight what you can't see
Improve response time: they move fast; we need to move faster
Extend response coverage: they can be anywhere, so must we. Patrol your network
Treating this as another incident WON'T work! We're the NYPD, not the NYFD
Evolving IR to Scale for Large Enterprises
Methods / Pros / Cons

Reactive Deployment
Methods: 1. Trusted tool kits 2. Stand alone, single host collection 3. Sed, awk, grep, perl, etc.
Pros: 1. Cheap 2. Fast to modify tools
Cons: 1. Clunky & bulky 2. Expensive to visit each host 3. Difficult to correlate data 4. Inhibits scaled scoping techniques

Proactive Deployment
Methods: 1. Agent/Server concept 2. One collects, the other organizes
Pros: 1. Enables faster response 2. Easier to correlate data 3. Collect from multiple hosts simultaneously 4. Cast a broad net 5. Enables various scoping techniques
Cons: 1. Problems with trust of the toolkit 2. Added levels of complexity 3. Adding new capabilities in the agent takes more time
Scoping Techniques Via Proactive Deployments
Technique #1: Collect now, ask questions later
Pros: Most similar to current methodology; simplifies required agent technology; enables subsequent investigations without revisiting the host
Cons: Provides a "smear shot" of the host (not a snapshot); processes & staffing may not scale to support data analysis
Technique #2: Please answer the following questions
Pros: Allows "wider" (but not necessarily deeper) data collection
Cons: Provides a "blur shot" of the host (not even a "smear shot"); more advanced agent technology required; subsequent interrogations require subsequent agent communication
Technique #3: Will the infected host please rise?
Pros: Searching on granular indicators quickly scopes most likely targets; scales very well: limited data can be handled by small(er) staffing
Cons: Granular indicators could lend towards false positives; even more advanced agent technology required; no further resolution into the host
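The agent/server split in the deployment table and the three scoping techniques above come down to what question each host is asked and how much it sends back. The following is an added example, not MANDIANT's agent code: a miniature Technique #3 sweep in which each host answers only "which of these indicators hit?" and the server collects those small answers. The indicator set, the host facts, the hash, registry paths, service names and addresses are all constructed for the example (the 203.0.113.0/24 and 192.0.2.0/24 addresses are documentation ranges). It also shows the deck's two caveats in action: the MD5 indicator misses a recompiled binary on the second host, and a single granular hit on the fourth host is treated as a candidate rather than a finding.

```python
"""
Added example (not MANDIANT's code): a tiny "will the infected host please
rise?" sweep. Agents evaluate indicators locally and return only hit names;
the server fans the question out and corroborates. All indicator values,
host facts and names below are constructed for illustration.
"""
import re

# Constructed indicator set a responder might push to every agent.
# Each entry is (name, field, matcher); a str matcher is an exact match,
# a compiled regex is searched.
INDICATORS = [
    # Brittle on its own: a recompile changes the hash (see FIN-SRV-02).
    ("backdoor-md5",   "file_md5", "0123456789abcdef0123456789abcdef"),
    ("persist-runkey", "run_keys", re.compile(r"\\Run\\svchosts?$", re.I)),
    ("svc-name-typo",  "services", re.compile(r"^winsvchost$", re.I)),
    ("beacon-dst",     "conn_dst", re.compile(r"^203\.0\.113\.\d+:443$")),
]

RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_USER = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed per-host facts, standing in for what an agent computes locally.
HOSTS = {
    # Fully matching host.
    "FIN-SRV-01": {"file_md5": ["0123456789abcdef0123456789abcdef"],
                   "run_keys": [RUN + r"\svchosts"],
                   "services": ["winsvchost"],
                   "conn_dst": ["203.0.113.7:443"]},
    # Same backdoor recompiled days before install: hash differs, rest holds.
    "FIN-SRV-02": {"file_md5": ["89abcdef0123456789abcdef01234567"],
                   "run_keys": [RUN + r"\svchosts"],
                   "services": ["winsvchost"],
                   "conn_dst": ["203.0.113.9:443"]},
    # Clean workstation.
    "HR-WS-114":  {"file_md5": ["a1b2c3d4e5f60718293a4b5c6d7e8f90"],
                   "run_keys": [RUN_USER + r"\OneDrive"],
                   "services": ["Spooler"],
                   "conn_dst": ["198.51.100.4:443"]},
    # One granular hit only: a likely false positive needing follow-up.
    "ENG-WS-220": {"file_md5": ["0f1e2d3c4b5a69788796a5b4c3d2e1f0"],
                   "run_keys": [RUN + r"\SecurityHealth"],
                   "services": ["winsvchost"],
                   "conn_dst": ["192.0.2.10:80"]},
}


def matches(matcher, value):
    if isinstance(matcher, str):
        return value.lower() == matcher.lower()
    return matcher.search(value) is not None


def interrogate(host_facts, indicators=INDICATORS):
    """Agent side: answer only 'which indicators hit', never ship raw data."""
    hits = []
    for name, field, matcher in indicators:
        if any(matches(matcher, v) for v in host_facts.get(field, [])):
            hits.append(name)
    return hits


def sweep(hosts=HOSTS, indicators=INDICATORS):
    """Server side: pose the same question to every host, keep the small answers."""
    return {host: interrogate(facts, indicators) for host, facts in hosts.items()}


def triage(results, min_hits=2):
    """Corroborate: require independent indicators before calling a host scoped in."""
    return sorted(host for host, hits in results.items() if len(hits) >= min_hits)


if __name__ == "__main__":
    results = sweep()
    for host, hits in results.items():
        print(f"{host}: {hits or 'no hits'}")
    print("scoped in:", triage(results))
```

Requiring two independent indicator families (a persistence key plus a service name, say) is what keeps the hash-agnostic host in scope while keeping the single-hit workstation out; what the sweep cannot do, as the slide's last con says, is tell you anything further about a host that did rise, so the scoped-in set feeds a Technique #1 or #2 collection rather than replacing it.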
Technique Requirements
Look for technologies blending all three (3) techniques:
Ability to pose specific or general questions to a varying # of hosts
Employs trusted endpoint agents to interrogate
Utilizes disparate collection points to reduce analytical latency
Allows multiple responders to work collaboratively
Applies forensically sound acquisition & audit techniques
Supports intelligent network bandwidth management
The Long Haul
Things will get worse before they get better:
Their skills will improve as your defenses improve
Don't remediate until you are ready to anticipate
Stop thinking about this as a single, isolated incident
NYPD not NYFD
DC Headquarters: 675 North Washington Street, Suite 210, Alexandria, VA 22314 USA, 703‐683‐3141
Dave Merkel, Vice President, Products
David Ross, Principal Consultant