Jessica Payne Microsoft Global Incident Response and Recovery Anatomy of the Attack – How...
-
Upload
patrick-gallagher -
Category
Documents
-
view
219 -
download
0
Transcript of Jessica Payne Microsoft Global Incident Response and Recovery Anatomy of the Attack – How...
Spark the future.
Jessica PayneMicrosoft Global Incident Response and Recovery
Anatomy of the Attack – How Cybersecurity Investigations Actually Work
WIN433
Welcome to the worst day of your life
The Phone call
Contoso CISO
This is the FIB. We noticed your server at x.x.x.x is communicating with a server associated with a malicious actor. Good luck with that.
. . .
Typical customer reaction
Television Cybersecurity
• Takes 45 minutes (without commercials)• You see the attack• They immediately notice the compromise• Investigators are in general omnipotent • Has guns• Has a non-natural hair colored goth girl. Always.
Statistics (source: 2014/13 Verizon Reports+SIR)• Only 9% spot own compromise (sometimes by
accident) • Majority spotted by external party• Attacker is on network an average of 200+ days
before detection• 75% use stolen credentials – tracking your own
people is hard• Self remediation pretty much impossible (you’ll see
why)
Access: Users and Workstations
Power: Domain Controllers
Data: Servers and Applications
Typical Attack
1.Bad guy targets workstations with malware
2.User is compromised, Bad guy elevates privilege and harvests credentials.
3.Bad guy starts “credentials crabwalk”
4.Bad guy finds host with domain privileged credentials, steals, and elevates privileges
5.Bad guy owns network, can do what he wants.
Modern malware
win32k.sys
----packet-->
Special just for you IP
<----packets!--
SuperLegitService.exe
Bob the non-admin
FIB Provided information
FIB FLASH FIB Liason Alert
#NC-1701FIB has obtained information that the actor known as APT2005 “Rapid Rhino” has begun attacks against the kitty litter industry vector.
Technical Details : ChriKit is a first generation Trojan that has full remote shell capabilities and credential theft toolsets. Traffic is beaconed over typical HTTP/HTTPs ports with minimal identifying strings. The Trojan is installed as a service, where the name varies.
So what do we know?• Malicious host that was being beaconed to (C2
server) • Potential threat family • Through proxy/firewall logs we have identified host
that was beaconing
The Incident Response tools we wish we had
(Those are time machines)
What fancy tools do y’all use?
• WOLF – internal tool to gather data• Autoruns – gathers ASEPs to indicate malware
persistence • Event Logs• USN Change Journal – file system level details
Dramatic Pause
First do no harm
• If you have a suspected compromise GET HELP
Band-Aids don’t fix bullet holes• Don’t play whackamole – malware has sleeps• Holistic diagnosis and recovery are needed in a
targeted compromise. You will not find it all with basic tools and firewall logs. Engage a professional.
• A full compromise means a full recovery• More data is more knowledge – but don’t be
overwhelmed • Don’t rely on tools, this is part art as well as science.
Know what is normal, know that persistence can be unexpected – Powershell profiles, etc.
The investigation
Jessica Payne
Real live malware
Real live malware
Real live malware
Real live malware
TipsDO - search on file hashesDO NOT – submit files to Virus Total for analysisDO NOT – ping or use DNS lookupDO – Get professional helpDO – Submit the sample to us (tagged as DHA if you suspect)https://www.microsoft.com/security/portal/submission/submit.aspx DO – Send us telemetry!DO – Get Professional help!
Using Sigcheck to collect hash
Using Virus Total URL search
Using Virus Total hash search
Using Virus Total URL search
Pretty much undetectable evil
Jessica Payne
Monitoring strategies • Make sure you have the right logs enabled (this
is trickier than it sounds)• Central collection of logs is huge• Firewalls are also huge (critical) – from a
logging perspective but also blocking. • Powershell. Lock it up, upgrade it and monitor
it.• Sysmon • Good news in Windows 10! • Advanced Threat Analytics – it can detect some
of this.
Defense strategies
• Credential Theft Mitigations• Network and Application Segmentation
(Firewalls, Applocker, RemoteApp)• EMET against initial compromise• Well implemented Cloud solutions
actually can help (not just a sales pitch.) • Unlike TV, not guns.
Questions?
http://aka.ms/jessica@jepayneMSFT
Complete your session evaluation on My Ignite for your chance to win one of many daily prizes.
Continue your Ignite learning pathVisit Microsoft Virtual Academy for free online training visit https://www.microsoftvirtualacademy.com
Visit Channel 9 to access a wide range of Microsoft training and event recordings https://channel9.msdn.com/
Head to the TechNet Eval Centre to download trials of the latest
Microsoft products http://Microsoft.com/en-us/evalcenter/
© 2015 Microsoft Corporation. All rights reserved.Microsoft, Windows and other product names are or may be registered
trademarks and/or trademarks in the U.S. and/or other countries.MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY,
AS TO THE INFORMATION IN THIS PRESENTATION.