ntxissacsc4 - artifacts are for archaeologists: why hunting malware isn't enough

@NTXISSA #NTXISSACSC4 Artifacts Are for Archaeologists: Why Hunting For Malware Isn’t Enough Mark Overholser Consulting Engineer LightCyber, Inc. October 7, 2016


TRANSCRIPT

Artifacts Are for Archaeologists: Why Hunting For Malware Isn’t Enough

Mark Overholser, Consulting Engineer, LightCyber, Inc.

October 7, 2016

Agenda

Today’s Breach Detection Gap

Threats: Malware, Risky Behavior, Insiders & Advanced Attacks

Top Cyber Weapons

Signature vs. Behavior-based Attack Detection

LightCyber Magna Behavioral Attack Detection

Breach Detection Gap

99% of post-intrusion behaviors such as reconnaissance and lateral movement do not originate from malware.

146 days is the median length that attackers are present on a victim’s network before detection.

SOURCE: 2016 LightCyber Cyber Weapons Report, M-Trends 2016 Threat Report, Verizon Data Breach Investigations Report

Most Organizations Focus on Malware and External Attacks, But Cannot Detect Attackers in Their Network

Most Organizations Cannot Find Breaches on Their Own

Crypting Services

• “Crypting” can be used to obfuscate malware until AV does not detect it
  • Upload malware
  • Malware encrypted/re-encoded and scanned against all known AV
  • Process repeats until all AV fails to detect the malware
• Brian Krebs has a good article on crypters (https://krebsonsecurity.com/2014/05/antivirus-is-dead-long-live-antivirus/)

NTXISSA Cyber Security Conference – October 7-8, 2016

© 2016 LightCyber - Confidential

Most Organizations Focus Only on Malware

Threats Analyzed for Cyber Weapons

Research: Targeted Attacks, Insider Attacks, Risky Behavior, and Malware

Targeted Attacks

Outside the Network: Intrusion (Seconds – Minutes)

Inside the Network: Active Breach (Hours – Weeks): Establish Backdoor, Recon & Lateral Movement, Data Exfiltration

1. Attacker compromises a client or server in the network
2. Attacker performs reconnaissance and moves laterally to find valuable data
3. Attacker steals data by uploading or transferring files

Insider Attacks

Recon & Lateral Movement, Abuse of User Rights, Data Exfiltration

1. Employee is upset by demotion; decides to steal data and quit job
2. Employee accesses many file shares including rarely accessed file shares
3. Employee uses other user’s credentials and exfiltrates a large volume of data

(Diagram labels: Insider, File Server, Sensitive Data)

IT Assets at Risk

• Databases and file servers are considered the most vulnerable to insider attacks

SOURCE: LinkedIn Group - Insider Threat Report sponsored by LightCyber

Risky Behavior

1. Remote desktop access from home
2. User credentials for service account shared by multiple admins
3. Access to high-risk websites

(Diagram labels: User, Home Desktop, Remote Desktop, IT Admin, High Risk Website, Internet)

Data Breach Incidents

SOURCE: 2016 Verizon Data Breach Investigations Report

Miscellaneous errors, such as misconfiguration, misdelivery, and other errors, accounted for the highest number of data breaches in 2015.

‘With all of the hubris and bravado in the InfoSec world, one proclamation we usually don’t hear is “Our employees NEVER make mistakes.”’

Malware: Ransomware Attack

1. User downloads ransomware from a website or opens a malicious email attachment
2. Infected client contacts command and control server and receives a unique cryptographic key
3. Ransomware encrypts data on the local client
4. Ransomware encrypts data on network drives

(Diagram labels: Laptop, File Servers, Malicious Website, Infected Email, Command & Control, Internet)

Cyber Weapons Research Findings: Based on Anonymized Alert Data and Network to Process Association (N2PA) Technology From LightCyber Customers

Top Attack Behaviors

• Reconnaissance was the most common attack behavior
• Reconnaissance is an iterative process of trial and error as attackers search for valuable assets

Cyber Weapons Used in Phases of an Attack

Networking and Hacking Tools

• Attackers use well-known tools to map the network, probe clients, and monitor activity
• NCrack, Mimikatz, and Windows Credential Editor can be used to steal user credentials
• Some tools are native OS utilities

Admin Tools

• Attackers use a variety of command line shells, including native OS utilities
• Admin tools are used for lateral movement as well as recon and exfiltration

Remote Desktop Tools

• Remote desktop tools are:
  • Used for C&C and lateral movement
  • Also indicative of risky user behavior

Malware

• 28% of suspicious processes associated with alerts were either malware or riskware
• 1% of east-west threats originated from malware

Major Findings

• 70%+ of malware was only detected on a single site, revealing targeted & polymorphic variants
• Attackers often use “benign” apps, native OS tools and web browsers to conduct attacks
• Companies that only look for malware will miss attackers that are already in the network

Signature vs. Behavior-based Attack Detection

Current Limitations

Known Bad (Traditional Security: Agents & Signatures)
§ Signatures, IoC’s, Packet Signatures, Domains, Sandbox Activity
§ Block, or Miss
§ Necessary, Not Sufficient
Problems:
• Too Many False Alarms / False Positives
• Missed Variants / False Negatives
• Only Detect Malware-Based Attacks

Learned Good (What’s Needed? Agentless & Signature-less)
§ Learn What is Good [Baseline]
§ Detect What Isn’t [Anomaly]
§ Catch What Slips Through the Cracks of Traditional Security
Benefits:
• Eliminates Zero-Day Exploit Dilemma
• Hundreds of Opportunities to Detect
• Applicable to All Techniques & Stages

Behavioral Attack Detection: Optimal Data Context

LightCyber Magna Platform: Using Behavioral Analytics to Find Attacks & Malware on Your Network

About LightCyber: Behavioral Attack Detection

Magna Platform Overview
• Network-Centric Detection
• Agentless & Signature-less
• Post-Intrusion: NTA/UEBA

Differentiation
• Most Accurate & Efficient: Proven & Measured Success
• Broadest Context: Network + Endpoint + User
• Broadest Attack Coverage with Integrated Remediation

Verticals Served
• Finance & Insurance
• Public Sector
• Retail, Healthcare, Legal
• Service Providers
• Media, Technology, & More

Operations Overview
• US HQ - CA
• EMEA HQ - Amsterdam
• IL HQ - Ramat Gan
• Customers World-Wide

Profiling, Detection, Investigation, & Remediation

Behavioral Profiling - Network-Centric Endpoint and User Profiling

Attack Detection - Anomalous Attack Behavior Across the Attack Lifecycle

Automated Investigation - Network, User, & Process Association + Cloud

Integrated Remediation - Block Attackers with NGFW, NAC, or Lock Accounts with AD

Evolving IT Security Investment Needs

Lockheed Martin: Cyber Kill Chain

Intrusion Attempt Phase (Seconds – Minutes): Stateful FW, IPS/IDS, Network AV, Sandboxing, SIEM

Active Attack Phase (Weeks – Months): Breach Detection Gap

Incident Response (Weeks – Months)

(Chart axes: Security Expenditure vs. Damage)

LightCyber Magna Platform

(Architecture diagram components: Network Traffic, Endpoints, HQ/DC MAGNA DETECTOR, TAP/SPAN, Core Switch, MAGNA UI, MAGNA PATHFINDER, Remote Office MAGNA PROBE, TAP/SPAN, Switch, MAGNA MASTER, Email & Reports, SIEM, Remediation)

LightCyber Magna Security Use Cases

LightCyber Magna provides accurate and efficient security visibility into attacks and attackers in your network.

Security Visibility Encompasses (lower to higher relative risk): Malware, Risky Behaviors, Insider Attacks, Targeted Attacks

LightCyber Delivers Unbeatably Accurate Results

Source: http://lightcyber.com/lower-security-alerts-metrics/

Most IT security teams can’t keep up with the deluge of security alerts.

LightCyber accuracy: 62% across all alerts; 99% across Magna’s automated “Confirmed Attack” category

Malware Example

Magna Detects:
• Active Command & Control channel
• Malware Infection
• No signs of internal spreading
• Likely opportunistic, not (yet) targeted

Detection Pattern:
• C&C
• Malware
• (No East-West)

Risky Behavior Example

Magna Detects:
• RDP to >20 Workstations
• Likely non-malicious internal activity since there is no association with other malicious findings

Detection Pattern:
• Credential Abuse
• Not Linked to Exfil or Other

Insider Attack Example

Magna Detects:
• Suspicious access to file shares
• Exfiltration
• This correlation indicates likely Insider Attack

Detection Pattern:
• Credential Abuse
• Linked to Exfil or Other Findings

Targeted Attack Example

Magna Detects:
• Anomalous file with known Threat Intelligence
• Recon
• Lateral Movement
• Exfiltration
• This correlation indicates Targeted Attack

Detection Pattern:
• Multiple Correlated Findings
• North-South + East-West

User, Entity; Network + Endpoint

Magna Detects:
• Anomalous Network Activity
• Anomalous and Malicious Processes on the Endpoint
• Anomalous User Activity

Magna Correlates:
• User
• Entity
• Network
• Process
• Endpoint

Reporting: Alert Activity, Triage Activity & SLA, Asset View, and More

(Sample report, recovered as a summary) LightCyber Magna Attack Detection Report

Reporting Period: 1/0/1900 1/0/1900; Number of days: 1; Total Alerts for Period: 0; Average #Alerts per day: 0.00; Total Alerts handled: 5

Average handling time (days): Unverified 2.54; Suspicious 10.78; Confirmed 12.47

Count of Entity Type: (blank) 3; Datacenter 2; Headquarters 2; Finance 1; IT Security 1

Charts shown: Alerts Triage and Handling (Suspicious, Unverified); Alert Types and Categories (Riskware (BoBrowser (PUA)), Spam Bot Traffic, Command & Control, Failed DNS, Failed Connections, Too Many Destinations, Impersonation, Large Uploads; grouped as Malware, C&C, Recon, Lateral, Exfilt); Host Alerts by OS (Windows 7 Professional, (blank)); Alerts Categories (Recon 40%, C&C 20%, Malware 20%, Lateral 10%, Exfilt 10%); Alerts Handling & Accuracy (Relevant and Handled, Whitelisted, Ignored, Still Open); Alert Handling Time (days) by status (Confirmed, Suspicious, Unverified) and outcome (Normal Resolved, Whitelisted, Normal Archived); Alert Handling by Analyst (arnold, jenny)

LightCyber Ecosystem Integration

(Diagram components: Endpoints, HQ/DC, MAGNA PATHFINDER, MAGNA DETECTOR, MAGNA MASTER, Core Switch, MAGNA UI, Remediation, SIEM, Network Packet Broker, IAM & Policy Mgmt)

Magna in the Security Ecosystem: Integrated Remediation

Magna Enables You To:
• Terminate Malicious Files (MFT)
• Block Malicious Domains with NGFW
• Isolate Infected Machines With NGFW
• Isolate Infected Machines with NAC
• Lock Compromised Active Directory
• Reset Compromised AD Passwords

Knock The Attacker Back Out Of Your Network

The Collin College Engineering Department

Collin College Student Chapter of the North Texas ISSA

North Texas ISSA (Information Systems Security Association)

Thank you