Slide transcript (33 slides)

Jessica Payne, Microsoft Global Incident Response and Recovery

Anatomy of the Attack – How Cybersecurity Investigations Actually Work

WIN433


Welcome to the worst day of your life

The phone call

Contoso CISO

This is the FIB. We noticed your server at x.x.x.x is communicating with a server associated with a malicious actor. Good luck with that.

. . .


Typical customer reaction


Television cybersecurity

• Takes 45 minutes (without commercials)
• You see the attack
• They immediately notice the compromise
• Investigators are in general omnipotent
• Has guns
• Has a non-natural hair colored goth girl. Always.

Statistics (source: 2013/2014 Verizon reports + Microsoft Security Intelligence Report (SIR))

• Only 9% spot their own compromise (sometimes by accident)
• Majority spotted by an external party
• Attacker is on the network an average of 200+ days before detection
• 75% use stolen credentials – tracking your own people is hard
• Self remediation pretty much impossible (you’ll see why)

Typical attack

(Diagram tiers: Access – users and workstations; Power – domain controllers; Data – servers and applications)

1. Bad guy targets workstations with malware
2. User is compromised; bad guy elevates privilege and harvests credentials
3. Bad guy starts the “credentials crabwalk” (lateral movement from host to host on harvested credentials)
4. Bad guy finds a host with domain-privileged credentials, steals them, and elevates privileges
5. Bad guy owns the network and can do what he wants

Modern malware

(Diagram: SuperLegitService.exe, running on the workstation of Bob the non-admin, sends a packet out to a “special just for you” IP and receives packets back; win32k.sys is shown alongside it.)

FIB-provided information

FIB FLASH – FIB Liaison Alert #NC-1701

FIB has obtained information that the actor known as APT2005 “Rapid Rhino” has begun attacks against the kitty litter industry vector.

Technical details: ChriKit is a first generation Trojan that has full remote shell capabilities and credential theft toolsets. Traffic is beaconed over typical HTTP/HTTPS ports with minimal identifying strings. The Trojan is installed as a service, where the name varies.

So what do we know?

• Malicious host that was being beaconed to (C2 server)
• Potential threat family
• Through proxy/firewall logs we have identified the host that was beaconing

The Incident Response tools we wish we had

(Those are time machines)


What fancy tools do y’all use?

• WOLF – internal tool to gather data
• Autoruns – gathers ASEPs (auto-start extensibility points) to indicate malware persistence
• Event logs
• USN Change Journal – file system level details

Dramatic Pause


First do no harm

• If you have a suspected compromise GET HELP


Band-Aids don’t fix bullet holes

• Don’t play whack-a-mole – malware has sleeps
• Holistic diagnosis and recovery are needed in a targeted compromise. You will not find it all with basic tools and firewall logs. Engage a professional.
• A full compromise means a full recovery
• More data is more knowledge – but don’t be overwhelmed
• Don’t rely on tools; this is part art as well as science. Know what is normal, and know that persistence can be unexpected – PowerShell profiles, etc.

The investigation


Real live malware


Tips

• DO – search on file hashes
• DO NOT – submit files to VirusTotal for analysis
• DO NOT – ping or use DNS lookup
• DO – get professional help
• DO – submit the sample to us (tagged as DHA if you suspect): https://www.microsoft.com/security/portal/submission/submit.aspx
• DO – send us telemetry!
• DO – get professional help!

Using Sigcheck to collect hash
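The slides collect a hash with Sigcheck and then search on the hash rather than uploading the file; the alert also says the Trojan is installed as a service whose name varies. As an added example (not from the presentation), this PowerShell script does the equivalent triage without Sigcheck: it enumerates every installed service, resolves the executable behind it, records its SHA256 and Authenticode status, and lists the unsigned or invalidly signed binaries first. It assumes Windows PowerShell 5.1 or later and a hypothetical output path under $env:TEMP.

```powershell
# Added example, not part of the session: hash and signature-check every
# service binary so hashes can be searched (the file itself stays put).
function Get-ServiceBinaryHashes {
    param([string]$OutCsv = "$env:TEMP\service-hashes.csv")  # assumed path

    $results = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = $svc.PathName
        if (-not $path) { continue }
        # Service command lines come as "C:\quoted path\x.exe" args
        # or C:\unquoted\x.exe args; pull out just the executable.
        if ($path -match '^"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($path -split '\s+')[0] }
        if (-not (Test-Path -LiteralPath $exe) -and $path -match '^(.+?\.exe)') {
            $exe = $Matches[1]   # unquoted path containing spaces
        }
        if (-not (Test-Path -LiteralPath $exe)) { continue }

        $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -LiteralPath $exe
        [pscustomobject]@{
            Service     = $svc.Name
            DisplayName = $svc.DisplayName
            StartMode   = $svc.StartMode
            Executable  = $exe
            SHA256      = $hash
            SigStatus   = $sig.Status
            Signer      = $sig.SignerCertificate.Subject
        }
    }

    # Full inventory to CSV; the SHA256 column is what gets searched.
    $results | Export-Csv -NoTypeInformation -Path $OutCsv
    # Unsigned or broken-signature services are the first ones to review.
    $results | Where-Object { $_.SigStatus -ne 'Valid' } |
        Sort-Object Service | Format-Table -AutoSize
}

Get-ServiceBinaryHashes
```

A valid signature is not proof of innocence and an unsigned binary is not proof of guilt; the list is a starting point for the hash lookups the slide recommends, and the CSV is what you hand to the responders you engage.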


Using Virus Total URL search


Using Virus Total hash search


Using Virus Total URL search


Pretty much undetectable evil


Monitoring strategies

• Make sure you have the right logs enabled (this is trickier than it sounds)
• Central collection of logs is huge
• Firewalls are also huge (critical) – from a logging perspective but also for blocking
• PowerShell: lock it up, upgrade it and monitor it
• Sysmon
• Good news in Windows 10!
• Advanced Threat Analytics – it can detect some of this
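“Lock it up, upgrade it and monitor it” for PowerShell maps to concrete settings. As an added example (not from the presentation), this script reports whether script block logging and module logging are enabled through the standard PowerShell policy registry keys, enables them when run with -Apply, and reports whether the legacy PowerShell 2.0 engine, which produces none of those logs, is still installed. It assumes an elevated Windows PowerShell 5.1 prompt on Windows 8 / Server 2012 or later.

```powershell
# Added example, not part of the session: audit/enable PowerShell logging
# and flag the legacy v2 engine. Registry paths are the ones the PowerShell
# Group Policy settings write to.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$settings = @(
    @{ Key = "$base\ScriptBlockLogging"; Name = 'EnableScriptBlockLogging'; Value = 1 },
    @{ Key = "$base\ModuleLogging";      Name = 'EnableModuleLogging';      Value = 1 }
)

function Set-PowerShellLogging {
    param([switch]$Apply)   # without -Apply, only reports the current state

    foreach ($s in $settings) {
        $current = Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue
        $enabled = ($null -ne $current) -and ($current.($s.Name) -eq $s.Value)
        '{0,-26} {1}' -f $s.Name, $(if ($enabled) { 'enabled' } else { 'NOT enabled' })
        if ($Apply -and -not $enabled) {
            New-Item -Path $s.Key -Force | Out-Null
            New-ItemProperty -Path $s.Key -Name $s.Name -PropertyType DWord `
                -Value $s.Value -Force | Out-Null
        }
    }
    if ($Apply) {
        # Module logging needs a module list; '*' logs every module.
        $names = "$base\ModuleLogging\ModuleNames"
        New-Item -Path $names -Force | Out-Null
        New-ItemProperty -Path $names -Name '*' -PropertyType String -Value '*' -Force | Out-Null
    }

    # "Upgrade it": powershell.exe -Version 2 sidesteps the logging above,
    # so an installed v2 engine is a finding even on a v5 host.
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 `
        -ErrorAction SilentlyContinue
    if ($v2) { "PowerShell v2 engine feature: $($v2.State)" }
    "Running engine: $($PSVersionTable.PSVersion)"
}

Set-PowerShellLogging            # report only
# Set-PowerShellLogging -Apply   # enforce; script blocks then appear as
#   event ID 4104 in Microsoft-Windows-PowerShell/Operational
```

Once enabled, forward the Microsoft-Windows-PowerShell/Operational log to the central collection the slide calls for; the logging is only worth having if someone off the host can read it after the host is compromised.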

Defense strategies

• Credential theft mitigations
• Network and application segmentation (firewalls, AppLocker, RemoteApp)
• EMET against initial compromise
• Well-implemented cloud solutions actually can help (not just a sales pitch)
• Unlike TV, not guns

Questions?

http://aka.ms/jessica

@jepayneMSFT

Complete your session evaluation on My Ignite for your chance to win one of many daily prizes.

Continue your Ignite learning path:

• Visit Microsoft Virtual Academy for free online training: https://www.microsoftvirtualacademy.com
• Visit Channel 9 to access a wide range of Microsoft training and event recordings: https://channel9.msdn.com/
• Head to the TechNet Eval Centre to download trials of the latest Microsoft products: http://Microsoft.com/en-us/evalcenter/

© 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.