Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck


Transcript of Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck

Page 1: Luncheon 2016-07-16 -  Topic 2 - Advanced Threat Hunting by Justin Falck

©2014 Bit9. All Rights Reserved

Advanced Threat Hunting: Identify and Track Zero-Day Attacks Infiltrating Your Organization

Justin Falck, Technical Product Manager – Carbon Black
Bit9 + Carbon Black, July 16th, 2015

Page 2

Agenda

Background

Threat Landscape

Advanced Threats
• What are they?
• Zero-Days
• Why Advanced Threats might not be what you think they are
• Living off the Land (“Outsider-Insider”)

Hunting
• What do you hunt?
• How do you hunt?
• Relationships Matter!

Wrap-Up & Takeaways

Page 3

Quick Background Check

www.linkedin.com/in/justinfalck  [email protected]

2007 – 2013: Central Intelligence Agency

2013 – 2015: Goldman Sachs, Threat Management Center - Irving, TX

2015 – Present: Bit9 + Carbon Black, Technical Product Manager - CB

Page 4

The Evolving Threat Landscape

Criminal Enterprises
• Broad-based and targeted attacks
• Financially motivated
• Getting more sophisticated

Hacktivists
• Targeted and destructive attacks
• Unpredictable motivations
• Generally less sophisticated

Nation-States
• Targeted and multi-stage attacks
• Motivated by information and IP
• Highly sophisticated, limitless resources

Cyber Terrorism
• Targeted and highly visible attacks
• Financial, destructive, intimidating
• Varied sophistication

Page 5

Proof of Effectiveness

Page 6

Endless Stream of Data Breaches

Source: Information is Beautiful, www.informationisbeautiful.net, January 2015

Page 7

DON’T OVERCOMPLICATE THE THREAT

THREAT MODEL:
1: OPPORTUNISTIC
2: NOT

Page 8

Opportunistic threats sell our computers. Goal: breadth of access.

“Advanced” threats sell our data. Goal: precision of access.

Page 9

Traditional Defenses Were Designed for Opp. Attacks

[Figure: two charts of Hosts Compromised vs. Time, each with a DETECTION THRESHOLD line.]

OPPORTUNISTIC: Goal for attacker is to compromise as many endpoints as possible. Signature available.

ADVANCED: Goal for attacker is to compromise as few endpoints as possible. Signature available (if ever).

Page 10

“Zero-Days”

“Zero-Day” is a term typically used to refer to two different scenarios:
• Zero-Day Vulnerability: vulnerability is unknown or fix/patch is not yet available
  – “Non-Pub”: exploit an unknown vulnerability
• Zero-Day Malware: malware that is unknown; signatures are not available

Page 11

So how “advanced” are the techniques and payloads being used?

Page 12

“The (Target) malware utilized is ABSOLUTELY UNSOPHISTICATED and UNINTERESTING” -McAfee

Business Week, March 13, 2014

Page 13

But once they’re in…

However they get in, we need to find them! Faster detection means:
• Shorter dwell time
• Smaller scope for your incident response
• Less damage to your business

What do they do once they’re in?

Page 14

They often “Live off the Land” (and blend in)

Page 15

Living off the Land

Living Off the Land: the attacker uses built-in tools so there are very few new executables. The attacker typically needs to do the following:

• Execute code:
  – Crack/Dump/Guess/Obtain Valid Credentials
    » See this with Backoff POS Malware
• Copy Data:
  – Utilize tools like robocopy, xcopy, cmd.exe to gather data
  – Utilize “known good” tools for compression or use scripts
• Exfil Data:
  – ftp.exe, net.exe, Visual Basic script to control IE for POSTing data
• Manipulate:
  – Download something not malicious but that will trip up detection
  – When Admin logs in, credentials, keystrokes, etc., are captured and used
• Persist:
  – Compromise or add more user and system accounts
  – Login to backup servers, staging servers, less noticeable parts of your enterprise
  – Create scheduled jobs that will run and re-add accounts, communicate out, etc.

Page 16

Living off the Land (cont’d)

More Things to Consider:
• PowerShell is TOO Powerful
  – Execute from remote URL
  – Basically anything you would ever want to write code for, you can do with PowerShell, so as an adversary, I can really do some damage (PowerSploit, etc.)
• Use Internal C2 Sites:
  – Use blog comments and/or wiki to give your stuff new commands so there is no outside communications
• Use Well-Known Social Networking and File-sharing Sites:
  – Twitter (bots)
  – Dropbox
  – Google Drive
  – Facebook
  – < Insert Social Site Here >
• Find hardcoded credentials, re-use of the same password across an enterprise, Single-Sign-On design flaws, etc.

Page 17

In Other Words…

THEY ARE NOW INSIDERS!

BETTER DEFENSE AGAINST THIS… LEADS TO BETTER DEFENSE AGAINST TRUE INSIDERS!

Page 18

So, back to Hunting…

Page 19

Is Your Environment Like This?

Page 20

Or This?

Page 21

What do you Hunt?

Do you know what you’re looking for? Do they have to be advanced?
• Are you running vulnerable software? Is it likely to be compromised?
• Have you hardened your systems, have you reduced surface area?
• Do you have shared passwords, plain-text credentials, etc.?
• If you have too much entropy or very few standards, hunting will be DIFFICULT
• Then again, it is rarely “easy”

What do the bad guys need to do?
• Execute
• Communicate
• Grab Data
• Steal/Add Credentials
• Persist

Page 22

Which comes first… Detection or Collection?

By prioritizing collection over detection you can:
(1) HUNT MORE EFFECTIVELY!!!
(2) Rapidly find root cause
(3) Quickly & confidently reconstruct timelines
(4) Accelerate Discovery (determine scope)
(5) Benefit from hindsight (evolve)

Page 23

Some Ideas…

§ Are abnormal user accounts being used?
§ Do Windows processes (lsass, svchost, csrss) have strange parents?
§ Are IE, Acrobat, Word, Notepad, etc., spawning child processes?
§ Are Office applications making outbound connections?
§ Is Java spawning command shells?
§ Is cmd.exe running as SYSTEM?
§ Are user accounts being added locally?
§ Are thousands of files being modified by a single process?
§ Is ftp or robocopy being used?
§ Are processes executing that don’t have a .exe or .scr extension?
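As an added example (not from the slides), a small Python rule set that asks the hunt questions above against endpoint process events; the expected-parent baseline, process names and sample events are constructed assumptions for illustration, not real telemetry:

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    host: str
    user: str
    proc: str          # image name, lower-case
    parent: str        # parent image name, lower-case
    cmdline: str = ""
    netconn: bool = False  # process made an outbound network connection

# Expected parents for core Windows processes (constructed baseline); any other parent is a lead.
EXPECTED_PARENT = {"lsass.exe": {"wininit.exe"}, "svchost.exe": {"services.exe"}, "csrss.exe": {"smss.exe"}}
USER_APPS = {"iexplore.exe", "acrord32.exe", "winword.exe", "excel.exe", "notepad.exe"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
COPY_TOOLS = {"ftp.exe", "robocopy.exe"}

def hunt(events):
    """Return (rule, event) pairs for every event that answers one of the hunt questions with 'yes'."""
    leads = []
    for e in events:
        if e.proc in EXPECTED_PARENT and e.parent not in EXPECTED_PARENT[e.proc]:
            leads.append(("strange-parent", e))
        if e.parent in USER_APPS:                      # IE/Acrobat/Word/Notepad spawning children
            leads.append(("user-app-spawned-child", e))
        if e.proc in OFFICE and e.netconn:             # Office making outbound connections
            leads.append(("office-outbound", e))
        if e.parent in {"java.exe", "javaw.exe"} and e.proc in SHELLS:
            leads.append(("java-spawned-shell", e))
        if e.proc == "cmd.exe" and e.user.lower() == "nt authority\\system":
            leads.append(("cmd-as-system", e))
        if e.proc in COPY_TOOLS:                       # ftp or robocopy in use
            leads.append(("bulk-copy-tool", e))
        if not e.proc.endswith((".exe", ".scr")):      # executing without a .exe/.scr extension
            leads.append(("odd-extension", e))
    return leads

# Constructed sample events, not real telemetry.
SAMPLE = [
    ProcEvent("ws01", "CORP\\alice", "svchost.exe", "services.exe"),
    ProcEvent("ws01", "CORP\\alice", "cmd.exe", "winword.exe", "cmd /c whoami"),
    ProcEvent("ws02", "NT AUTHORITY\\SYSTEM", "cmd.exe", "services.exe"),
    ProcEvent("ws03", "CORP\\bob", "svchost.exe", "update.tmp", netconn=True),
    ProcEvent("ws03", "CORP\\bob", "update.tmp", "explorer.exe"),
]

if __name__ == "__main__":
    for rule, e in hunt(SAMPLE):
        print(f"{rule:24} {e.host:5} {e.user:22} {e.parent} -> {e.proc}")
```

Each rule is a single question from the slide; in practice the baseline of expected parents comes from your own collected data rather than a hard-coded table.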

Page 24

Back to the Basics…

§ Are you recording every command line used by net.exe and looking for abnormalities?
§ Are you watching when PowerShell.exe is used?
§ Are you mapping user account activity to hosts to look for abnormal logins?
§ Are you …. <INSERT LOTS OF STUFF “TO DO” HERE>

Page 25

“Response is the closest thing we have in IT to dogfighting” - Bruce Schneier, Black Hat 2014 Keynote

Page 26

“Time is the dominant parameter. The pilot who goes through the OODA cycle in the shortest time prevails because his opponent is caught responding to situations that have already changed.” - Col. John Boyd, 1966

Observe → Orient → Decide → Act

Page 27

Traditional IR view

Events: Most organizations only have a static view of their business and the data they manage to collect.

Events + Intelligence: With no insight into known bad, how can they pick the needles out of their data collection haystack?

Events + Intelligence + Prevalence: Without understanding prevalence, how can they prioritize detection events to accelerate threat discovery?

Events + Intelligence + Prevalence + Relationships: Without maintaining the recorded relationships, how do they quickly scope any impacted endpoints and lateral movement?

Modern IR view: Actionable Endpoint Visibility

What’s more actionable?
“svchost.exe ran”
vs.
“svchost.exe was spawned by unsigned binary under abnormal user account and made a network connection”

Page 28

The very nature of threat hunting requires the human element

In IT, we hire staff to support technology.
In security operations, we buy technology to support staff.

Invest in tools that enable humans to make quick decisions.

Page 29

Hunting Tips

1. Collect the RIGHT Data: Netflow data and firewall logs can help, but if you aren’t seeing what is executing and what is changing on your systems, you will not have as much hunting success. You need to hunt where the adversaries live!

2. Incorporate Reputation and Classification Information: When you’re hunting, you should not have to spend time manually checking the reputation of a binary or website, as that greatly slows down your ability to continue the hunt. Being able to quickly say things are known good or known bad is key, as is the ability to say if it is part of a particular campaign or attack.

3. Analyze RELATIONSHIPS: Relationships are key to being able to detect abnormal behavior. Sure, the adversary lives off the land, but they’re still going to do unusual things with the existing tools available to them.

4. Automate as much as possible! When you know what is normal, you should be able to be alerted when activity occurs outside of what is normal. And you should be able to automate this. You should also automate reputation and classification information retrieval, and automate discovery.
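As an added example (not from the deck), the prevalence, reputation and relationship layers from the IR-view slide and tips 2 through 4 above, combined into one automated Python triage pass that ranks the “svchost.exe spawned by unsigned binary under abnormal user account with a network connection” case over the plain “svchost.exe ran” case; the hashes, reputation lists, fleet size and 10% prevalence cut-off are constructed assumptions:

```python
from collections import defaultdict
# Constructed reputation lists (stand-ins for a real classification feed).
KNOWN_GOOD = {"aaaa1111"}   # hash of the legitimate svchost.exe in this fictional fleet
KNOWN_BAD = {"dddd4444"}    # hash taken from a threat-intel report
SERVICE_ACCOUNTS = {"nt authority\\system", "nt authority\\local service",
                    "nt authority\\network service"}
# Constructed events: (host, user, proc, proc_hash, parent, parent_signed, netconn)
EVENTS = [
    ("ws01", "NT AUTHORITY\\SYSTEM", "svchost.exe", "aaaa1111", "services.exe", True, True),
    ("ws02", "NT AUTHORITY\\SYSTEM", "svchost.exe", "aaaa1111", "services.exe", True, True),
    ("ws03", "CORP\\bob", "svchost.exe", "bbbb2222", "update.tmp", False, True),
    ("ws04", "CORP\\carol", "tool.exe", "dddd4444", "explorer.exe", True, False),
]

def prevalence(events):
    """Map each binary hash to the number of distinct hosts it executed on."""
    hosts = defaultdict(set)
    for host, _, _, proc_hash, *_ in events:
        hosts[proc_hash].add(host)
    return {h: len(s) for h, s in hosts.items()}

def score(event, prev, total_hosts):
    """Count the reasons a hunter should look at this event; 0 means known good."""
    host, user, proc, proc_hash, parent, parent_signed, netconn = event
    if proc_hash in KNOWN_GOOD:
        return 0, ["known-good"]
    reasons = []
    if proc_hash in KNOWN_BAD:
        reasons.append("known-bad")
    if prev[proc_hash] / total_hosts < 0.10:           # rare across the fleet
        reasons.append(f"low-prevalence ({prev[proc_hash]}/{total_hosts} hosts)")
    if not parent_signed:                               # relationship: unsigned parent
        reasons.append("unsigned-parent")
    if proc == "svchost.exe" and user.lower() not in SERVICE_ACCOUNTS:
        reasons.append("abnormal-user")
    if netconn:
        reasons.append("network-connection")
    return len(reasons), reasons

def triage(events, total_hosts):
    """Return events worth hunting, highest score first, as (score, reasons, host, proc)."""
    prev = prevalence(events)
    scored = [(score(e, prev, total_hosts), e) for e in events]
    scored.sort(key=lambda x: -x[0][0])
    return [(s, r, e[0], e[2]) for (s, r), e in scored if s > 0]

if __name__ == "__main__":
    for s, reasons, host, proc in triage(EVENTS, total_hosts=40):
        print(s, host, proc, ", ".join(reasons))
```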

Page 30

TAKE-AWAYS

Page 31

Take-Aways

• Think about how you might hunt advanced threats
• Can internal tools be used against you?
• Do you have proper context?
• Can you tell the FBI whether or not you’ve seen the IOCs they just sent you?
• Compare current behavior vs. older methods vs. “next-gen”
• Enable your humans to do some hunting
• Are you focused on root cause?

Page 32

Thank You!

[email protected]  www.linkedin.com/in/justinfalck