Incident Patterns

A VCDB research project

Kyle Maxwell

June 10, 2014

Transcript

  1. Agenda
     ➔ Who we are and what this is
     ➔ Data Alchemy
     ➔ Patterns: TTPs and Countermeasures
     ➔ Conclusions and Q&A
  2. About us
     Kevin is a data alchemist for Verizon with a background in risk management. Kyle is a malware researcher for Verisign with a background in Unix and incident response.
  3. [Figure from the 2014 Data Breach Investigations Report, main report] The universe of threats may seem limitless, but 92% of the 100,000 incidents analyzed from the last 10 years can be described by just nine basic patterns. Conducted by Verizon with contributions from 50 organizations from around the world. The nine patterns: point-of-sale intrusions, web-app attacks, payment card skimmers, crimeware, DoS attacks, insider misuse, physical theft and loss, cyber-espionage, miscellaneous errors.
  4. Powered by VERIS
     Both DBIR and VCDB use VERIS (Vocabulary for Event Recording and Incident Sharing) to model incidents.
  5. Powered by VERIS
     ➔ Models ORGANIZATION incidents
     ➔ Strategic
     ➔ After-action
     ➔ Creative Commons license
  6. Sample bias & limitations
     ➔ Public sources
     ➔ Not every reporter is Krebs
     ➔ English-speaking
     ➔ Sparse data (high unknowns for some attributes)
  7. Patterns to examine
     ➔ Ran Somewhere
     ➔ I Spy
     ➔ Snow Job
     Others exist in the data but are not necessarily interesting for the DFIR Summit (lost laptops).
  8. Pattern: Ran somewhere
     Filter: action.malware.variety == 'Ransomware' or action.malware.variety == 'Destroy data'
     Summary:
     ➔ 19 incidents
     ➔ Primarily Cryptolocker
     ➔ Email vector in 13 of these
     ➔ Reaches out to C2 server in 5 incidents
  9. Pattern: Ran somewhere
     Countermeasures:
     ➔ Examine / block executable attachments
     ➔ Perform regular endpoint backups
     ➔ Intelligence on C2 addresses
     ➔ Many DNS queries (NXDOMAIN results)
  10. Pattern: I Spy
     Filter: actor.external.motive == 'Espionage'
     Summary:
     ➔ 199 publicly-described incidents
     ➔ Primarily South Korea, USA, Russia
     ➔ Majority of public data from Red October, MiniDuke, and Kimsuky (thanks Kaspersky!)
  11. Pattern: I Spy
     TTP:
     ➔ Targeted phishing via email
     ➔ Strategic web compromise (watering hole)
     ➔ Attachment or web page exploits vuln
     ➔ Drop local malware
     ➔ Connect to C2 (often resilient)
     ➔ Locate and exfiltrate data from internal net
  12. Pattern: I Spy
     Countermeasures:
     ➔ Stop using email for file sharing
     ➔ Look for attachments from "new" outside addresses
     ➔ Examine attachments in a hardened sandbox
     ➔ Seriously: Adobe? Java? In 2014?
     ➔ Monitor endpoints for exploitation & disabled security
     ➔ EMET prevents many of these null-days
     ➔ Targeted sectors need to develop lots of threat intel, possibly with external providers
  13. Pattern: Snow Job
     Filter: actor == 'Internal' and action == 'Misuse'
     Summary:
     ➔ 477 incidents (note that Error is excluded)
     ➔ Known motives overwhelmingly financial
  14. Pattern: Snow Job
     TTP:
     ➔ Vector: LAN or physical access
     ➔ Variety usually "Privilege abuse", followed by "knowledge" and "possession" abuses
     ➔ Largely tax return fraud
  15. Pattern: Snow Job
     Countermeasures:
     ➔ Challenge: user has legitimate access
     ➔ Audit log review is tough, ask the NSA!
     ➔ Beware snake oil "anomaly" solutions
     ➔ Targeted analysis of specific use cases
     ➔ Monitor for social media disclosures
  16. Pattern: Snow Job
     ➔ Customer-reported: ID theft, fraud
     ➔ Actor-disclosed: nat'l security, social media
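Added example, not code from the deck or from VCDB: the three pattern filters from slides 8, 10 and 13 applied in Python to constructed VERIS-style incident records. The field layout (list-valued action.malware.variety/.vector and actor.external.motive; an internal actor or misuse action indicated by the presence of the actor.internal / action.misuse object) is an assumption about the VERIS JSON schema, and the slide-13 note that Error actions are excluded is handled explicitly.

```python
import json
# Constructed VERIS-style incident records (sample data, not VCDB entries).
# Assumed layout: list-valued action.malware.variety/.vector and actor.external.motive;
# an internal actor or misuse action is signalled by the actor.internal / action.misuse object.
SAMPLE_INCIDENTS = json.loads("""[
 {"incident_id": "c-1", "actor": {"external": {"motive": ["Financial"]}},
  "action": {"malware": {"variety": ["Ransomware"], "vector": ["Email attachment"]}}},
 {"incident_id": "c-2", "actor": {"external": {"motive": ["Espionage"]}},
  "action": {"malware": {"variety": ["C2", "Capture stored data"], "vector": ["Email attachment"]}}},
 {"incident_id": "c-3", "actor": {"internal": {"motive": ["Financial"], "variety": ["End-user"]}},
  "action": {"misuse": {"variety": ["Privilege abuse"], "vector": ["LAN access"]}}},
 {"incident_id": "c-4", "actor": {"internal": {"motive": ["NA"]}},
  "action": {"error": {"variety": ["Misdelivery"]}}},
 {"incident_id": "c-5", "actor": {"external": {"motive": ["Financial"]}},
  "action": {"malware": {"variety": ["Destroy data"], "vector": ["Web drive-by"]}}}
]""")

def path(incident, dotted, default=None):
    """Walk a dotted VERIS path such as 'action.malware.variety'; missing keys give default."""
    node = incident
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

def ran_somewhere(inc):
    # Slide 8: action.malware.variety == 'Ransomware' or 'Destroy data'
    return bool(set(path(inc, "action.malware.variety", [])) & {"Ransomware", "Destroy data"})

def i_spy(inc):
    # Slide 10: actor.external.motive == 'Espionage'
    return "Espionage" in path(inc, "actor.external.motive", [])

def snow_job(inc):
    # Slide 13: actor == 'Internal' and action == 'Misuse'; an internal actor with an Error action (c-4) is excluded
    return path(inc, "actor.internal") is not None and path(inc, "action.misuse") is not None

PATTERNS = {"Ran somewhere": ran_somewhere, "I Spy": i_spy, "Snow Job": snow_job}

def classify(incidents):
    """Map each pattern name to the ids of the incidents it matches."""
    return {name: [i["incident_id"] for i in incidents if pred(i)] for name, pred in PATTERNS.items()}

def email_vector_count(incidents, pattern):
    """(pattern incidents whose malware arrived by email, all pattern incidents), as tallied on slide 8."""
    hits = [i for i in incidents if PATTERNS[pattern](i)]
    by_email = [i for i in hits if any("Email" in v for v in path(i, "action.malware.vector", []))]
    return len(by_email), len(hits)
```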