© 2017 Cybereason Inc. All rights reserved.
Avoiding a Sophisticated, Targeted Breach
Critical Guidance for Healthcare Organizations

Attackers Are Becoming More and More Successful, Little Security Disruption
[The paradigm graph: Success Rate over Time, with one curve for Attackers and one for Defenders]

Attacker-Defender paradigm in question
100% success
• Advanced adversaries succeed almost 100% of the time
• BUT, attackers have some inherent vulnerabilities too - an attack is composed of dozens or even hundreds of steps
• With the right procedures and toolset in place, a defender can turn any (very likely) mistake made by an attacker into a complete exposure of the malicious operation

Black market trafficking of compromised enterprise computing resources

A new incident is detected
• Is it Targeted or Untargeted?
• Is it relevant?
• A completely untargeted threat can turn into a targeted operation within hours

Business Rationale

Monetization Method      Machine Lifetime Value
Adware / Click-fraud     $18 – $36
Bulk Sale                $10 – $20
Unit Sale                $10 – $1000

Black market machine trading – Machine Valuation
Basic – Approx. +50% on “commodity price” (~$5-$10)
• Admin privs
• Public IP
• Network bandwidth
Nice – Between +50%-1,000%
• Installed software / Accessed websites
Jackpot – Between +1,000% - 10,000%
• Enterprise affiliation

Black market machine trading

Black market Code of Conduct

Black market machine trading – US-based machines

Black market machine trading – Some statistics
Percentage of compromised machines for sale per state – Top 5:
• 1st prize goes to: California, 21%
• 2nd prize goes to: New Jersey, 11%
• 3rd prize goes to: New York, 6%
• 4th prize goes to: Texas, 6%
• 5th prize goes to: Iowa, 6% (what?!...)

Examining a Threat Escalation Incident
Case Study

Black market machine trading – Case study
Incident details, as seen in several enterprises:
• Starts with an untargeted, known file-less click-fraud tool, affecting several machines in the enterprise network
• Detection was based on malicious use of PowerShell and malware communication with known malicious C2 domains / IPs
• De-prioritized by SOC based on low damage potential

Black market machine trading – Case study
Incident details, as seen in several enterprises:
• SOC continues to monitor the compromised endpoints (automated), and blocks access to the known C2
• 5 days later, 1 machine stops attempting to communicate with the known C2 and is detected performing DGA and connecting to a previously unknown C2
• C2 communication now occurs only when “outside” the corporate network (no C2 when the local IP is in the enterprise subnet, only when on 192.168.* or 10.0.*)

Black market machine trading – Case study
Incident details, as seen in several enterprises:
• Over the next 24 hours the C2 communication profile changes to include downloading and uploading significantly more data, and the click-fraud tool escalates privileges to Local System
• Before (typical click-fraud):
[screenshot of the typical click-fraud C2 profile]

Black market machine trading – Case study
Incident details, as seen in several enterprises:
• Over the next 24 hours the C2 communication profile changes to include downloading and uploading significantly more data
• After (could indicate a heavier protocol transmitted over port 8080 / download of additional modules / exfiltration of broader system information):
[screenshot of the changed C2 profile]

Black market machine trading – Case study
Incident details, as seen in several enterprises:
• Attack tool injects code and migrates into the msdtc.exe process
• Below, msdtc.exe establishing a C2 connection with the previously DGA-established C2:
[screenshot of msdtc.exe connecting to the DGA-established C2]

Behavioral Indicators of a transaction

TTPs of Seller-Marketplace-Buyer Relationship
C2
• Continuous / reliable / auto-verifiable command and control channel – RDP, SSH
• Required to enable the transaction
• Can use non-standard ports, reverse connections, encapsulation in other protocols (e.g. HTTP)
• Exact configuration & persistence method depend on the seller
• Tasking-based C2 is very rare in marketplaces since it doesn’t naturally fit the above 3 criteria
• Once the buyer goes in, a different mechanism may be put in place

TTPs of Seller-Marketplace-Buyer Relationship
Priv.Esc.
• Priv.Esc. – Admin access is worth more than unprivileged user access.
• Process / installed software enumeration and browser history enumeration. Relevant software and browsing history can up the price of a compromised machine by 100x

TTPs Detection – How to break the system?
Change in C2
• From known malicious IP / domain to unknown IP / domain
• From straight IP / domain to DGA
• Question connections to the RDP service – especially on already compromised machines
• Long-lasting connections
• Change in RDP configuration
• Question unfamiliar modules loaded as part of the remote assistance service

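The C2 shift in the case study (a known click-fraud C2, then five days later DGA-looking domains reached only while the machine sits on a home-style 192.168.* address) and the first two "Change in C2" checks above can be hunted for in ordinary endpoint connection logs. The script below is an added example and is not code from the deck or from Cybereason: the log lines, the 172.16.0.0/12 corporate range, the placeholder indicators and the entropy threshold are all constructed assumptions, and the DGA test is a simple heuristic rather than the deck's own detection logic.

```python
"""Hunt for a C2 shift on hosts the SOC already knows are compromised (constructed data)."""
import math
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Assumptions: the corporate address space and the C2 the SOC already blocks.
ENTERPRISE_NETS = [ip_network("172.16.0.0/12")]        # constructed corporate subnet
KNOWN_C2 = {"clickfraud-ads.example", "203.0.113.10"}  # placeholder indicators

# Constructed endpoint connection log: time, host, local IP, destination, dst port.
SAMPLE_LOG = """\
2017-03-01T09:00:00 WS-0412 172.16.5.23 clickfraud-ads.example 80
2017-03-01T09:05:00 WS-0412 172.16.5.23 clickfraud-ads.example 80
2017-03-01T09:10:00 WS-0199 172.16.5.41 clickfraud-ads.example 80
2017-03-06T19:02:00 WS-0412 192.168.1.17 xk3qz9pw4lrb7v.example 8080
2017-03-06T19:07:00 WS-0412 192.168.1.17 xk3qz9pw4lrb7v.example 8080
2017-03-06T19:12:00 WS-0412 192.168.1.17 qw8zt2nkv5mx1e.example 8080
2017-03-07T09:00:00 WS-0412 172.16.5.23 intranet.example 443
2017-03-07T09:03:00 WS-0199 172.16.5.41 clickfraud-ads.example 80
"""


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_dga(dest):
    """Heuristic (assumption): a long, high-entropy leftmost label; bare IPs never match."""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", dest):
        return False
    label = dest.split(".")[0]
    return len(label) >= 12 and shannon_entropy(label) >= 3.5


def in_enterprise(ip):
    addr = ip_address(ip)
    return any(addr in net for net in ENTERPRISE_NETS)


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, src, dest, port = line.split()
        records.append({"ts": ts, "host": host, "src": src, "dest": dest, "port": int(port)})
    return records


def hunt(text):
    """Return findings for hosts that talked to a known C2 and later moved to DGA-style C2."""
    by_host = defaultdict(list)
    for r in parse_log(text):
        by_host[r["host"]].append(r)
    findings = []
    for host, events in by_host.items():
        events.sort(key=lambda r: r["ts"])  # ISO timestamps sort lexicographically
        first_known = next((r["ts"] for r in events if r["dest"] in KNOWN_C2), None)
        if first_known is None:
            continue  # only hosts already triaged as compromised are in scope
        new_c2 = [r for r in events if r["ts"] > first_known
                  and r["dest"] not in KNOWN_C2 and looks_like_dga(r["dest"])]
        if not new_c2:
            continue
        findings.append({"host": host, "indicator": "c2_shift_to_dga",
                         "destinations": sorted({r["dest"] for r in new_c2}),
                         "ports": sorted({r["port"] for r in new_c2})})
        # Second indicator from the case study: the new C2 is only reached off-network.
        c2_srcs = {r["src"] for r in new_c2}
        all_srcs = {r["src"] for r in events}
        if not any(in_enterprise(s) for s in c2_srcs) and any(in_enterprise(s) for s in all_srcs):
            findings.append({"host": host, "indicator": "c2_only_off_network",
                             "off_network_sources": sorted(c2_srcs)})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f)
```

The hunt deliberately starts from hosts that have already matched a known indicator, which is the deck's point: the de-prioritized click-fraud victim is exactly where the later, more valuable activity shows up. Raising the entropy threshold or adding an allow-list for legitimate long labels (CDN hostnames are the usual false positive) is the tuning a SOC would do before running this at scale.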
TTPs Detection – How to break the system?
Change in privileges
• Monitor for processes performing priv.esc. – especially on already compromised machines
• Process / Installed software enumeration and browser history enumeration
• Stop of previous attack? In most cases – Not a good indicator… (No code of conduct for this on most marketplaces)

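To act on the "Change in privileges" checks here and the RDP points on the previous slide for hosts already known to be compromised, the following added example (not code from the deck or from Cybereason) scores RDP sessions by duration and flags an image that was first seen under a user account and later runs as Local System, as the click-fraud tool did in the case study. The host list, session records, process events, account names and the four-hour threshold are constructed assumptions.

```python
"""Prioritise RDP sessions and user-to-SYSTEM changes on already compromised hosts."""
from datetime import datetime

COMPROMISED = {"WS-0412"}  # constructed: hosts from the earlier click-fraud triage

# Constructed RDP session records: host|start|end|remote address
RDP_SESSIONS = """\
WS-0412|2017-03-07T20:00:00|2017-03-08T03:30:00|198.51.100.7
WS-0412|2017-03-08T20:10:00|2017-03-08T20:25:00|198.51.100.7
WS-0777|2017-03-07T10:00:00|2017-03-07T10:20:00|172.16.9.2
"""

# Constructed process-start events: host|time|image|account
PROCESS_EVENTS = """\
WS-0412|2017-03-01T09:00:00|powershell.exe|CORP\\jdoe
WS-0777|2017-03-07T10:00:00|powershell.exe|CORP\\asmith
WS-0412|2017-03-07T11:42:00|powershell.exe|NT AUTHORITY\\SYSTEM
WS-0412|2017-03-07T11:43:00|msdtc.exe|NT AUTHORITY\\NETWORK SERVICE
"""

SYSTEM_ACCOUNTS = {"NT AUTHORITY\\SYSTEM"}  # Local System, the target in the case study


def parse_pipe(text):
    return [line.split("|") for line in text.splitlines() if line.strip()]


def rdp_findings(text, compromised, long_hours=4):
    """Every RDP session on a compromised host is questioned; long ones rank higher."""
    out = []
    for host, start, end, remote in parse_pipe(text):
        if host not in compromised:
            continue
        delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
        hours = delta.total_seconds() / 3600
        out.append({"host": host, "remote": remote, "hours": round(hours, 2),
                    "severity": "high" if hours >= long_hours else "medium"})
    return out


def privesc_findings(text, compromised):
    """Flag an image that ran as a normal user on a host and later runs as SYSTEM there."""
    seen = {}  # (host, image) -> accounts observed so far, in time order
    out = []
    for host, ts, image, account in sorted(parse_pipe(text), key=lambda r: r[1]):
        prior = seen.setdefault((host, image), set())
        if account in SYSTEM_ACCOUNTS and prior and not (prior & SYSTEM_ACCOUNTS):
            out.append({"host": host, "image": image, "time": ts,
                        "from": sorted(prior), "to": account,
                        "priority": "high" if host in compromised else "medium"})
        prior.add(account)
    return out


if __name__ == "__main__":
    for f in rdp_findings(RDP_SESSIONS, COMPROMISED) + privesc_findings(PROCESS_EVENTS, COMPROMISED):
        print(f)
```

The priority field carries the slide's "especially on already compromised machines" rule: the same user-to-SYSTEM change on an untouched host is still worth a look, but on a host that already beaconed to a known C2 it is the escalation the case study describes. The msdtc.exe event is kept in the sample to show that a service running under its normal service account is not flagged by this rule; process injection into it needs a separate check.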
House of Cards
Successful defense doesn’t mean stopping every stage of the attack…
…find one component of the hack and, over time, the entire operation can collapse.

Returning Power to the Defenders
Be Proactive! Establish visibility! Hunt for cyber kill chain behaviors!
[The paradigm graph again: Success Rate over Time, with the Attackers and Defenders curves]

Thank you.
www.cybereason.com