Company Confidential
Activated Charcoal: Making Sense of Endpoint Data
Greg Foss
Head of Global Security Operations
OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, Cyber APT
The Endpoint is the new Perimeter
The easiest path into any network…
Social Engineering
Nothing like a little pretext to get people to click on your links…
• Phishing
  • 91% of ‘advanced’ attacks began with a phishing email or similar social engineering tactics.
  • http://www.infosecurity-magazine.com/view/29562/91-of-apt-attacks-start-with-a-spearphishing-email/
• 2014 Metrics
  • Average cost per breach => $3.5 million
  • 15% higher than the previous year
  • http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis
Drive By Downloads, Malvertizing, and Watering Hole Attacks
Image Source: https://blog.kaspersky.com/what-is-malvertising/5928/
Training is Critical to Success
Key Focus Areas:
• Employees
Image Source: http://www.cloudpro.co.uk/hr/5803/gov-offers-hr-workers-free-cyber-security-training
End User Tips - Phishing
All You Need is +
Shortened URL Tracking
Testing and Validation
Rogue Wi-Fi Network – Threat Simulation
USB Drop – Training Exercise : Case Study
Building a Believable Campaign
Use realistic files with somewhat realistic data
Staged approach to track file access and exploitation
Profit
Send an email when the Macro is run…
Use a bogus email (unlike I did here) – I know, I know. Bad OpSec.
Tools\calculator.exe
“Nobody’s going to run an exe from some random USB” - Greg
Yep… They ran it...
Now we have our foothold…
Fortunately they didn’t run this as an admin
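To put numbers on a staged exercise like the one above, each callback has to identify the target and the stage they reached. The script below is an added example, not part of the original deck or of the exercise it describes: it assumes every bait file phones home to a tracker URL of the form http://tracker.example/t/<token>/<stage> (the deck's macro sent an email instead; the URL layout, tokens, target names and hits are all constructed here) and turns the tracker's access log into a per-target and funnel report.

```python
"""Stage tracking for a USB-drop / phishing training exercise.

Each planted file or macro calls back to a URL carrying a per-target token
and a stage number, e.g. http://tracker.example/t/<token>/<stage>.  Tokens
are issued per target so the report can say who reached which stage
without putting names inside the bait.  All names, tokens and hits below
are constructed for this example; the URL layout is an assumption.
"""
from urllib.parse import urlparse

# Stage numbers as a bait document reports them (assumed layout).
STAGES = {1: "opened document", 2: "enabled macro", 3: "ran executable"}

# Token -> target, generated when the bait was built (constructed).
TARGETS = {"a1f3": "alice", "b7c9": "bob", "c0d2": "carol", "d4e8": "dave"}


def parse_callback(url):
    """Return (target, stage) for a tracker callback URL, or None if the
    URL is malformed, the token is unknown, or the stage is not defined."""
    parts = urlparse(url).path.strip("/").split("/")
    if len(parts) != 3 or parts[0] != "t":
        return None
    token, stage = parts[1], parts[2]
    if token not in TARGETS or not stage.isdigit() or int(stage) not in STAGES:
        return None
    return TARGETS[token], int(stage)


def furthest_stage(urls):
    """Map each target to the deepest stage they reached (0 = no callback)."""
    reached = {name: 0 for name in TARGETS.values()}
    for url in urls:
        hit = parse_callback(url)
        if hit is None:
            continue  # scanners, typos, stray tokens: ignore, do not crash
        target, stage = hit
        reached[target] = max(reached[target], stage)
    return reached


def funnel(urls):
    """Count how many targets reached at least each stage."""
    reached = furthest_stage(urls)
    return {s: sum(1 for v in reached.values() if v >= s) for s in STAGES}


# Constructed callback log: what the tracker's access log would contain.
SAMPLE_HITS = [
    "http://tracker.example/t/a1f3/1",
    "http://tracker.example/t/a1f3/2",
    "http://tracker.example/t/b7c9/1",
    "http://tracker.example/t/c0d2/1",
    "http://tracker.example/t/c0d2/2",
    "http://tracker.example/t/c0d2/3",
    "http://tracker.example/t/zzzz/1",     # unknown token: ignored
    "http://tracker.example/robots.txt",   # scanner noise: ignored
]

if __name__ == "__main__":
    for name, stage in sorted(furthest_stage(SAMPLE_HITS).items()):
        print(f"{name:6s} {STAGES.get(stage, 'no callback')}")
    print(funnel(SAMPLE_HITS))
```

Keeping the token-to-name map off the tracker host (it only needs the tokens) keeps the target list out of the bait and out of any log a curious finder could reach.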
Key Focus Areas:
• Employees
• IT Staff
  • Roles and Responsibilities
  • Incident Response Duties
  • Configuration Monitoring
  • Malware Removal
  • Security Infrastructure
• Security Staff
  • Table Top and Red vs Blue Exercises
  • Threat Simulation Leads to Process Improvement
  • Announced vs Unannounced Simulations or Penetration Testing
  • Purple Team FTW!
• Leadership
• Processes and Procedures
Continuous Monitoring and Detection
Automating OSINT and Response
• API Integration: Domain Tools, PassiveTotal, VirusTotal, Cisco AMP ThreatGRID
• SecOps Infrastructure: Netflow / IDS, Firewalls, Proxy / DNS, Endpoint, SIEM
Malware Beaconing
Correlate Network / Log Activity with Endpoint Data
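An added example of the correlation just described (not code from the deck, LogRhythm or Carbon Black): score each host/destination pair in a proxy log for periodicity, then join any flagged pair against endpoint network-connection events to name the process behind it. The log layouts, hostnames and timestamps are constructed, and the 0.15 coefficient-of-variation threshold is a starting point to tune, not a calibrated value.

```python
"""Beacon detection over proxy/netflow records, joined with endpoint
network-connection events to name the responsible process.

Beaconing malware calls home on a fixed timer (plus small jitter), so the
inter-arrival times of connections from one host to one destination have
a low coefficient of variation; human browsing does not.  All log lines
below are constructed for this example; the field layout is an assumption,
not any real product's format.
"""
import statistics
from collections import defaultdict

# Constructed proxy log: "<epoch> <src_host> <dst_host>".
PROXY_LOG = """\
1000 ws01 update.example-cdn.net
1300 ws01 update.example-cdn.net
1598 ws01 update.example-cdn.net
1901 ws01 update.example-cdn.net
2200 ws01 update.example-cdn.net
2499 ws01 update.example-cdn.net
1005 ws01 news.example.com
1010 ws01 news.example.com
1250 ws01 news.example.com
1900 ws01 news.example.com
2100 ws01 news.example.com
1100 ws02 mail.example.com
1700 ws02 mail.example.com
"""

# Constructed endpoint netconn events: "<epoch> <host> <process> <dst_host>".
ENDPOINT_LOG = """\
1000 ws01 svchost.exe update.example-cdn.net
1005 ws01 chrome.exe news.example.com
1100 ws02 outlook.exe mail.example.com
"""


def parse_proxy(text):
    """Group connection timestamps by (src, dst)."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        conns[(src, dst)].append(int(ts))
    return conns


def beacon_score(timestamps):
    """Return (mean interval, coefficient of variation) for a connection
    series, or None when there are too few connections to judge timing."""
    if len(timestamps) < 4:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return mean, cv


def find_beacons(proxy_text, max_cv=0.15):
    """Return {(src, dst): (mean, cv)} for pairs whose timing looks periodic.
    max_cv is the tuning knob: lower is stricter, raise it for jittery beacons."""
    hits = {}
    for pair, ts in parse_proxy(proxy_text).items():
        score = beacon_score(ts)
        if score and score[1] <= max_cv:
            hits[pair] = score
    return hits


def name_process(endpoint_text, pair):
    """Join a (host, dst) pair with endpoint netconn events to find the
    process that made the connection; None if the endpoint saw nothing."""
    host, dst = pair
    for line in endpoint_text.splitlines():
        if not line.strip():
            continue
        _, ev_host, proc, ev_dst = line.split()
        if (ev_host, ev_dst) == (host, dst):
            return proc
    return None


if __name__ == "__main__":
    for pair, (mean, cv) in find_beacons(PROXY_LOG).items():
        proc = name_process(ENDPOINT_LOG, pair) or "unknown process"
        print(f"{pair[0]} -> {pair[1]} every ~{mean:.0f}s (cv={cv:.2f}) via {proc}")
```

The network side only says "ws01 talks to that host every five minutes"; the endpoint join is what turns that into "svchost.exe on ws01 is doing it", which is the question the analyst actually has to answer.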
Macro Phishing Attacks
• Common
• Bypasses Most AV
• Heavily Obfuscated
• Newer attacks targeting Office 365
Macro Attack Detection
Full Command Line Details
Be Careful – Don’t Jump To Conclusions…
Centralized Logging and Event Management
Threat Feed Configuration
Full Event Alerting
Syslog Only
Watchlist Configuration
Carbon Black Event Forwarder
LogRhythm => configure the forwarder's output in LEEF format
https://github.com/carbonblack/cb-event-forwarder
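The following is an added example, not the forwarder's or LogRhythm's code, of what the macro detection from the earlier slides looks like once full command line details reach the SIEM: flag an Office parent spawning a scripting host or shell, then let the command line decide between a macro download cradle and a benign add-in script, which is the "don't jump to conclusions" step. The LEEF attribute names (hostname, parent_name, process_name, cmdline) and every event below are constructed and are not guaranteed to match what cb-event-forwarder emits.

```python
"""Detect Office macro payloads from Carbon Black-style process events
forwarded as LEEF 1.0, keeping the full command line for triage.

The detection is the classic parent/child pairing: an Office application
spawning a scripting host or shell.  The command line then separates a
malicious launch (download cradle, -EncodedCommand, hidden window) from a
benign one (an add-in running a known script).  LEEF lines and key names
here are constructed and only loosely mirror an event forwarder's output.
"""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                   "mshta.exe", "regsvr32.exe", "rundll32.exe"}

# Command-line features that push a hit from "suspicious" to "malicious".
MALICIOUS_CMDLINE = [
    re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),  # -enc <b64>
    re.compile(r"downloadstring|downloadfile|invoke-webrequest|iwr\b", re.I),
    re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    re.compile(r"bypass", re.I),                                        # -ep bypass
    re.compile(r"https?://", re.I),
]


def parse_leef(line):
    """Parse a LEEF 1.0 line into (header dict, attribute dict), or None.
    Layout: 'LEEF:1.0|Vendor|Product|Version|EventID|' then tab-separated
    key=value pairs.  maxsplit=5 keeps any '|' inside a command line intact."""
    parts = line.split("|", 5)
    if len(parts) != 6 or parts[0] != "LEEF:1.0":
        return None
    header = dict(zip(("vendor", "product", "version", "event_id"), parts[1:5]))
    attrs = {}
    for kv in parts[5].split("\t"):
        key, sep, value = kv.partition("=")
        if sep:
            attrs[key] = value
    return header, attrs


def classify(attrs):
    """Return 'malicious', 'suspicious' or None for one process event."""
    parent = attrs.get("parent_name", "").lower()
    child = attrs.get("process_name", "").lower()
    if parent not in OFFICE_PARENTS or child not in SCRIPT_CHILDREN:
        return None
    cmdline = attrs.get("cmdline", "")
    if any(p.search(cmdline) for p in MALICIOUS_CMDLINE):
        return "malicious"
    return "suspicious"  # Office spawned a shell, but the cmdline looks ordinary


def triage(lines):
    """Return [(verdict, hostname, parent, child, cmdline)] for flagged events."""
    out = []
    for line in lines:
        parsed = parse_leef(line)
        if not parsed:
            continue
        _, attrs = parsed
        verdict = classify(attrs)
        if verdict:
            out.append((verdict, attrs.get("hostname"), attrs.get("parent_name"),
                        attrs.get("process_name"), attrs.get("cmdline")))
    return out


SAMPLE_EVENTS = [
    # Macro launching a hidden, encoded PowerShell download cradle (constructed).
    "LEEF:1.0|CarbonBlack|Response|5.1|process|hostname=ws01\tparent_name=WINWORD.EXE"
    "\tprocess_name=powershell.exe\tcmdline=powershell.exe -nop -w hidden "
    "-enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    # Add-in running a known inventory script: same parent/child, benign cmdline.
    "LEEF:1.0|CarbonBlack|Response|5.1|process|hostname=ws02\tparent_name=EXCEL.EXE"
    "\tprocess_name=cmd.exe\tcmdline=cmd.exe /c \\\\fileserver\\tools\\inventory.bat",
    # Ordinary child (print spooler helper): not a scripting host, ignored.
    "LEEF:1.0|CarbonBlack|Response|5.1|process|hostname=ws03\tparent_name=WINWORD.EXE"
    "\tprocess_name=splwow64.exe\tcmdline=splwow64.exe",
    "not a leef line",
]

if __name__ == "__main__":
    for verdict, host, parent, child, cmdline in triage(SAMPLE_EVENTS):
        print(f"[{verdict}] {host}: {parent} -> {child}: {cmdline}")
```

The second event is why the full command line matters: parent/child alone would put the Excel add-in in the same bucket as the macro cradle, and an alarm that fires on both trains the analyst to ignore it.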
Dashboards and Investigations
Long Tail Analysis
Strange activity can bubble to the surface when viewing the whole picture
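An added example of the long-tail view, not from the deck: rank each (process name, hash) pair by the number of hosts that ran it, list the rarest, and flag names that appear under more than one hash, the masquerading pattern a fleet-wide view surfaces. Events, hashes and paths are constructed.

```python
"""Long-tail (rarity) analysis over endpoint process events.

Instead of asking "which process is bad?", rank each (process name, hash)
pair by how many hosts ran it across the fleet.  Widely deployed software
sits at the head of the distribution; a binary seen on one or two hosts
sits in the tail and deserves a look, especially when the same name shows
up elsewhere with a different hash or from an odd path.  Events below
(hostnames, hashes, paths) are constructed for this example.
"""
from collections import defaultdict

# Constructed process events: (hostname, process_name, md5, path).
EVENTS = [
    ("ws01", "svchost.exe", "aaa1", r"C:\Windows\System32\svchost.exe"),
    ("ws02", "svchost.exe", "aaa1", r"C:\Windows\System32\svchost.exe"),
    ("ws03", "svchost.exe", "aaa1", r"C:\Windows\System32\svchost.exe"),
    ("ws04", "svchost.exe", "aaa1", r"C:\Windows\System32\svchost.exe"),
    ("ws01", "chrome.exe", "bbb2", r"C:\Program Files\Google\Chrome\chrome.exe"),
    ("ws02", "chrome.exe", "bbb2", r"C:\Program Files\Google\Chrome\chrome.exe"),
    ("ws03", "chrome.exe", "bbb2", r"C:\Program Files\Google\Chrome\chrome.exe"),
    # Same name as a core system binary, different hash, user-writable path.
    ("ws04", "svchost.exe", "ccc3", r"C:\Users\dave\AppData\Local\Temp\svchost.exe"),
    # One-off binary run from removable media.
    ("ws02", "calculator.exe", "ddd4", r"E:\Tools\calculator.exe"),
]


def prevalence(events):
    """Map (name, hash) -> set of hosts that ran it."""
    seen = defaultdict(set)
    for host, name, md5, _ in events:
        seen[(name.lower(), md5)].add(host)
    return seen


def long_tail(events, max_hosts=1):
    """Return binaries seen on at most max_hosts hosts, rarest first,
    as (name, md5, host count, example path)."""
    paths = {(n.lower(), h): p for _, n, h, p in events}
    seen = prevalence(events)
    tail = [(n, h, len(hosts), paths[(n, h)])
            for (n, h), hosts in seen.items() if len(hosts) <= max_hosts]
    return sorted(tail, key=lambda t: (t[2], t[0]))


def name_collisions(events):
    """Process names that appear with more than one hash: a well-known
    name on a rare hash is a masquerading hint worth pivoting on."""
    hashes = defaultdict(set)
    for _, name, md5, _ in events:
        hashes[name.lower()].add(md5)
    return {n: sorted(h) for n, h in hashes.items() if len(h) > 1}


if __name__ == "__main__":
    for name, md5, count, path in long_tail(EVENTS):
        print(f"{count} host(s): {name} [{md5}] {path}")
    print(name_collisions(EVENTS))
```

Raising max_hosts to 2 or 3 widens the tail for larger fleets; the point is that the list stays short enough to read every day, which a list of every process never is.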
Taking it a Step Further…
Additional Integration
• Alarming: Trigger on Specific Watch List Hits
• Admin Tracking
• Reporting
• Automation: Perform Actions Based on Alarms Observed
LogRhythmChallenge.com – Booth #600 #logrhythmchallenge
Mini Network Monitor – Booth #600
Thank You!
QUESTIONS?
Greg Foss
Greg . Foss [at] LogRhythm . com
@heinzarelli