Upgrade to Pro — share decks privately, control downloads, hide ads and more …

SANS 2019 CTI Summit Keynote

bromiley
January 23, 2019
Technology
1
80

SANS 2019 CTI Summit Keynote

It's 2019. Cyber attacks have no sign of slowing down, nation states are ramping up old groups while bringing new soldiers to the battlefield, and there's little - if any - consequences for those who launch these attacks. To make matters worse, we have annoyances like ransomware and O365 compromises running around, which are keeping our IR teams distracted. Sometimes it feels like there's no solution in sight.

It's time to confront the problem head on - it's time to start moving faster than our attackers. In this talk, let's examine how to bring the six-step incident response process to the _entire_ organization - at scale, and at warp speed. Let's also examine critical gaps in IR processes that are allowing attackers to remain inside the environment, preventing your IR team from ever reaching the remediation and recovery steps. It's time to kick the attacker out, once and for all.

bromiley

January 23, 2019
Tweet

More Decks by bromiley

See All by bromiley
Purple Packets - BSides Austin 2019
bromiley
0
270
I Got 99 Email Problems, and Spearphishing Ain't One
bromiley
0
85
Event Logs? What Event Logs?
bromiley
0
35
Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years
bromiley
0
130
Going Right to the Data, Part 2: An Advanced Look at MS SQL Forensic Analysis
bromiley
0
71
Database Forensics without the Database
bromiley
0
4.6k
Cache Me If You Can!
bromiley
1
430
Beef Up Your DFIR Toolbox with Elasticsearch
bromiley
0
220
NoSQL Forensics: What to do with (No)ARTIFACTS
bromiley
2
400

Other Decks in Technology

See All in Technology
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
2.1k
コードファーストの考え方。 Amplify Gen2から学ぶAWS次世代のWeb開発体験
yoshiitaka
1
260
AWS学習者向けにAzureの解説スライドを作成した話
handy
3
170
The AI Revolution Will Not Be Monopolized: Behind the scenes
inesmontani
PRO
1
150
ルーターでプレゼンする
puhitaku
1
3.2k
require(ESM)とECMAScript仕様
uhyo
4
940
LLM開発・活用の舞台裏@2024.04.25
yushin_n
3
1.1k
エンジニア候補者向け資料2024.04.24.pdf
macloud
0
3.3k
FrontDoorとWebAppsを組み合わせた際のリダイレクト処理の注意点
kenichirokimura
1
700
Python と Snowflake はズッ友だょ!~ Snowflake の Python 関連機能をふりかえる ~
__allllllllez__
2
140
リテール金融(キャッシュレス・ネット銀行・ネット証券)の競争環境と経済圏
8maki
0
1.5k
LangSmith入門―トレース/評価/プロンプト管理などを担うLLMアプリ開発プラットフォーム
os1ma
5
670

Featured

See All Featured
Building an army of robots
kneath
300
41k
Building Your Own Lightsaber
phodgson
100
5.7k
5 minutes of I Can Smell Your CMS
philhawksworth
199
19k
For a Future-Friendly Web
brad_frost
172
9k
Designing with Data
zakiwarfel
96
4.8k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
245
20k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
64
14k
Large-scale JavaScript Application Architecture
addyosmani
504
110k
Optimizing for Happiness
mojombo
370
69k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
155
14k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
21
1.4k
Creatively Recalculating Your Daily Design Routine
revolveconf
211
11k

Transcript

  1. ONE, TWO, SKIP A FEW (THOUSAND) Mega-Scale Incident Response

  2. WHOAMI • Matt Bromiley • SANS Instructor (FOR572/FOR508) • Incident

    Responder, Threat Researcher, Hacker of all sorts • Based in Dallas, TX • Somewhat of a foodie

  3. A CASE STUDY IN ENTERPRISE BREACHES

  4. A CASE STUDY IN ENTERPRISE BREACHES 4 • Major global

    corporation • 600+ stores • Campaign spanned nine months in 2017 • Attackers refined card-scraping malware as necessary • Re-deployed to capture terminals that were offline

  5. A CASE STUDY IN ENTERPRISE BREACHES 5

  6. A CASE STUDY IN ENTERPRISE BREACHES 6

  7. A CASE STUDY IN ENTERPRISE BREACHES 7 APAC EU NA

  8. A CASE STUDY IN ENTERPRISE BREACHES 8 APAC EU NA

  9. A CASE STUDY IN ENTERPRISE BREACHES 9 APAC EU NA

    <redacted> Service Account <8-char alphanum password> Administrator <7-char alpha password>

  10. 1 A CASE STUDY IN ENTERPRISE BREACHES - - -

    - - - - - - - - - - - - - - - - - - - fwnmc /Create /SC HOURLY /TN “fwnmc” /RU “ “ /TR “ shell32.dll ShellExecuteA Schtasks.exe SOFTWARE\Microsoft\Windows\CurrentVersion\Run fwnmc - - - - - - - - - - - - - - - - - - - - - - Persistence Priv. Escalation Exfiltration Execution Defense Evasion C2 Cred. Access Collection Lateral Movement Discovery

  11. 1 A CASE STUDY IN ENTERPRISE BREACHES Persistence Priv. Escalation

    Exfiltration Execution Defense Evasion C2 Cred. Access Collection Lateral Movement Discovery C:\documents and settings\all users\application data\serwvdrv32.exe C:\documents and settings\all users\application data\msascui32.exe C:\documents and settings\all users\application data\perfhost32.exe C:\documents and settings\all users\application data\ovftool32.exe C:\documents and settings\all users\application data\atiapfxx32.exe C:\documents and settings\all users\application data\igfxem32.exe C:\documents and settings\all users\application data\gfxuiex32.exe C:\documents and settings\all users\application data\authhost32.exe C:\documents and settings\all users\application data\userinit32.exe C:\documents and settings\all users\application data\rpcping32.exe C:\documents and settings\all users\application data\wowreg32.exe C:\documents and settings\all users\application data\auditpol32.exe C:\documents and settings\all users\application data\faswin.exe C:\documents and settings\all users\application data\igfxtray32.exe C:\documents and settings\all users\application data\igfxext32.exe C:\documents and settings\all users\application data\vssadmin32.exe C:\documents and settings\all users\application data\openssl32.exe C:\documents and settings\all users\application data\asioins32.exe C:\documents and settings\all users\application data\ebhost32.exe C:\documents and settings\all users\application data\smarts32.exe C:\documents and settings\all users\application data\wmi32.exe C:\documents and settings\all users\application data\clientmngr32.exe

  12. 1 A CASE STUDY IN ENTERPRISE BREACHES C:\Users\Administrator\Desktop\weekly schedule manual.pdf

    C:\Users\Administrator\Desktop\store intranet manual.pdf C:\Users\Administrator\Desktop\e-mail passworld changing.pdf C:\Users\Administrator\Desktop\new timeclock.pdf C:\Users\Administrator\Desktop\macau ipos manual_06302014.pdf C:\Users\Administrator\Desktop\mexico ipos manual.pdf C:\Users\Administrator\Desktop\mexico pos manual.pdf C:\Users\Administrator\Desktop\el salvador pos manual.pdf C:\Users\Administrator\Desktop\costa rica pos manual.pdf C:\Users\Administrator\Desktop\chile pos manual _ updated 10-24-2013.pdf C:\Users\Administrator\Desktop\panama pos manual _ updated nov2013.pdf C:\Users\Administrator\Desktop\test store pos manual _091013.pdf C:\Users\Administrator\Desktop\net pos manual 070513.pdf C:\Users\Administrator\Desktop\canada fpos manual.pdf C:\Users\Administrator\Desktop\fpos manual_v1.9.12.pdf Persistence Priv. Escalation Exfiltration Execution Defense Evasion C2 Cred. Access Collection Lateral Movement Discovery

  13. 1 A CASE STUDY IN ENTERPRISE BREACHES • Credential harvesting

    was performed by dumping and exfiltrating out the lsass.exe process. • LSASS (Local Security Authority Subsystem Service) is responsible for enforcing security policy. Persistence Priv. Escalation Exfiltration Execution Defense Evasion C2 Cred. Access Collection Lateral Movement Discovery

  14. 1 A CASE STUDY IN ENTERPRISE BREACHES ABEJV9BR.txt || ssui

    -- 92e410a36175598c594c1c9d489388ae sendspace.com/1536386390412830947557232395131730580430 lastdl -- 490878988 sendspace.com/1536144207411230950253419690163430583125 _ga -- GA1.2.1249074351.1490732055 sendspace.com/1600397313510430729976422018396230583125 _gat -- 1 sendspace.com/160052055270430583126422478442230583125 Persistence Priv. Escalation Exfiltration Execution Defense Evasion C2 Cred. Access Collection Lateral Movement Discovery - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -- - - - - [4:56:01 PM]:C:\Windows\addins\PSTools\psexec.exe \\10.230.28.13 -d -s -f -u \administrator -p <redacted> /c C:\Intel\ag.exe Connecting to 10.230.28.13...Starting PSEXESVC service on 10.230.28.13... Connecting with PsExec service on 10.230.28.13... Copying C:\Intel\ag.exe to 10.230.28.13... Starting C:\Intel\ag.exe on 10.230.28.13... ag.exe started on 10.230.28.13 with process ID 7744. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -- - - - -

  15. 1 A CASE STUDY IN ENTERPRISE BREACHES Persistence Priv. Escalation

    Exfiltration Execution Defense Evasion C2 Cred. Access Collection Lateral Movement Discovery

  16. 1 A CASE STUDY IN ENTERPRISE BREACHES Persistence Priv. Escalation

    Exfiltration Execution Defense Evasion C2 Cred. Access Collection Lateral Movement Discovery

  17. 1 A CASE STUDY IN ENTERPRISE BREACHES - - -

    - - - - - - - - - - - 010200032700L05175ee612.99 010200032700L05ddc2d7e5.sha64 010106032700L057d352977.n9 010106032700L05adffa944.n9 012906032700L050acbff99.99 012906032700L057d1c6381.sha64 123108070600L02948dfec4.n9 010109016700L01b12fc210.f9 010109070600L022cb6ac94.f9 102417037600L03f5fbba13.sha64 102417045600L039f08eb45.sha64 102517012600L041c5e1597.n9 102517026100L026f93d9c5.n9 112317044900L059f67c2ed.f9 - - - - - - - - - - - - Persistence Priv. Escalation Exfiltration Execution Defense Evasion C2 Cred. Access Collection Lateral Movement Discovery

  18. 1 A CASE STUDY IN ENTERPRISE BREACHES C:\Users\Administrator\Desktop\WR.zip C:\Users\Administrator\Desktop\Desktop1.zip C:\Users\Administrator\Desktop\P92.zip

    C:\Users\Administrator\Desktop\Asia.zip C:\Users\Administrator\Desktop\P98.zip C:\Users\Administrator\Desktop\RW.zip C:\Users\Administrator\Desktop\123211.zip C:\Users\Administrator\Desktop\P136.zip Priv. Escalation Exfiltration Execution Defense Evasion C2 Cred. Access Collection Lateral Movement Discovery

  19. LET’S TALK ABOUT DETECTION

  20. LET’S TALK ABOUT DETECTION

  21. LET’S TALK ABOUT PROCESS

  22. SIX-STEP INCIDENT RESPONSE PROCESS Preparation Scoping Containment/Intelligence Development Eradication/Remediation Recovery

    Lessons Learned

  23. SIX-STEP INCIDENT RESPONSE PROCESS Preparation Scoping Containment/Intelligence Development Eradication/Remediation Recovery

    Lessons Learned Dwell Time Time to Contain Time to Remediate

  24. SIX-STEP INCIDENT RESPONSE PROCESS

  25. IS IT WORKING?

  26. IS IR WORKING?

  27. FINDING HOPE

  28. PILLARS OF MEGA-SCALE IR VISIBILITY DETECTION INTEGRATION & AUTOMATION INTELLIGENCE

    COLLABORATION

  29. PILLARS OF MEGA-SCALE IR VISIBILITY DETECTION COLLABORATION INTELLIGENCE INTEGRATION &

    AUTOMATION Your goal an in IR is to achieve these things!

  30. THIS FEELS FAMILIAR SOC IR Team

  31. VISIBILITY

  32. VISIBILITY VISIBILITY IS ESSENTIAL FOR SUCCESSFUL INCIDENT RESPONSE WITHOUT IT,

    HOW CAN YOU EXPECT TO ANSWER WHAT? WHERE? WHEN? HOW?

  33. SLIDING SCALE OF HOST VISIBILITY HOST NETWORK

  34. SLIDING SCALE OF HOST VISIBILITY HOST NETWORK

  35. SLIDING SCALE OF HOST VISIBILITY I need to validate alerts

    I need to scale investigation Scoping Containment/ Intelligence Development

  36. VISIBILITY (HOST) Velociraptor • Improvement on GRR • Endpoint agent

    that provides on- demand access • Written to be faster, more tolerant of network issues • Command-line agent interaction https://docs.velociraptor.velocidex.com/blog/html/index.html

  37. VISIBILITY (HOST) PowerShell • Built into Windows – almost everywhere

    • Powerful scripting

  38. VISIBILITY (HOST) sysmon • Part of the Sysinternals suite •

    Endpoint visibility via logging • Allows you to pipe key events to a central location • Customizable/easily deployable https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

  39. VISIBILITY (HOST) osquery • Created by Facebook • Endpoint visibility

    • Allows you to treat your environment like a database • Ask questions that you cannot ask elsewhere https://osquery.io/

  40. SLIDING SCALE OF NETWORK VISIBILITY Data Privacy We need to

    investigate Scoping Containment/ Intelligence Development

  41. VISIBILITY (NETWORK) NetFlow • You are already generating it! •

    Capture it, use it • Profile your network, find traffic flows • Combine with host data to true 100% visibility

  42. VISIBILITY (NETWORK) Zeek (formerly Bro) • Protocol-aware • Throughput capable

    • Allows for signatures • Allows you to treat your environment like a database • Ask questions that you cannot ask elsewhere https://www.zeek.org/

  43. DETECTION

  44. DETECTION At enterprise scales, you cannot be expected to detect

    things manually Learn to write detections – push them using the aforementioned tools. https://virustotal.github.io/yara/ https://suricata-ids.org/

  45. COLLABORATION

  46. COLLABORATION COLLABORATION IS THE DIVIDING LINE BETWEEN A GOOD TEAM

    AND AN UNSTOPPABLE TEAM.

  47. COLLABORATION TheHive • Allows for individual case management and collaboration

    • You can assign tasks, roles, responsibilities. • Track case metrics • Automatically enrich/enhance data https://thehive-project.org/

  48. INTELLIGENCE

  49. INTELLIGENCE External threat intelligence tells you what’s going on in

    the world Internal threat intelligence tells you what’s going on in your world

  50. INTELLIGENCE (+ AUTOMATION/INTEGRATION) TheHive + Cortex • Ingests observables, automatically

    performs lookups • Allows for integration into multiple tools, such as MISP • Customizable https://thehive-project.org/

  51. AUTOMATION & INTEGRATION

  52. AUTOMATION & INTEGRATION Make all of the above talk to

    each other. Leave the boring stuff to the computers.

  53. AUTOMATION & INTEGRATION I’ve got two acronyms for you. ML

    AI

  54. AUTOMATION & INTEGRATION The future is investigator empowerment, not tool

    enhancement.

  55. TAKEAWAYS

  56. DID I JUST IMPROVE MY SOC? Yes. That’s the point.

  57. KEY TAKEWAYS (1) At a certain point, realize you need

    tools. At a certain point, realize you need people. Make your tools and your people talk to each other.

  58. KEY TAKEWAYS (2) Write detections – you will find things

    about your environment you didn’t know. Deploy detections and let them do their job. Build your in-house knowledge. It will prevent you from making mistakes.

  59. KEY TAKEWAYS (3) Empower your people and team. Your investment

    in them will pay off in them 100-fold.

  60. THANK YOU @MBROMILEYDFIR