Total Endpoint Protection: #1 in EDR & Next-Gen AV
Initial Infection | C&C | Privilege Escalation | Recon | Lateral Movement | Damage
Are you under attack?
[Attack lifecycle diagram: Initial Infection, C&C, Privilege Escalation, Recon, Lateral Movement, Damage]
External Recon
o People/Social Engineering
• Conferences
• Call help desk or admin
o Technology
• External scans
• Buy information & tools on black market
o Business Intelligence
• Trusted relationships
• 3rd party vendors
“Even Rao, a highly experienced cybersecurity researcher, nearly fell for the scam, as he happened to have recently mailed a package via UPS.”
Initial Infection
o Phishing & spear phishing
o Vulnerability exploit
o Infected USB drive
Initial Infection: Process Injection
Running a procedure as a thread inside another process
o Evasion
o Reading host process memory
o Affecting host process behavior
o Server persistence
Initial Infection: Fileless Malware
Malicious code launches and carries out an infection within a tool or process
o Unlike traditional malware
• Doesn’t use a file
o Runs in memory of the device
Examples of processes/tools
o Legitimate Windows processes
o Windows management interface
o Meterpreter
o Executing remote commands
Command & Control
Why
o Establish and maintain connection to:
• Execute malicious code
• Update malware
• Send back collected info
• Provide heartbeat to indicate the attack is still alive
How
o Legitimate HTTP
o Legitimate DNS request
o Fast Flux
o TOR
o IRC
o Facebook / Twitter / YouTube comments
o Domain Generation Algorithm
Command & Control: Domain Generation Algorithm
o C&C servers quickly get blacklisted
o DGA generates 1000s of domains
• Predictable to attacker, unpredictable to security researcher
• One will be C&C
o When C&C domain blacklisted, attacker:
• Selects another generated domain
• Registers it
• Continues attack
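Added example, not code from the Cybereason deck: a small Python heuristic that flags DNS clients whose lookups look DGA-generated, using the property the slide describes (the generated names are random-looking and, because only one of them is registered, the rest come back NXDOMAIN). The log format, client IPs, domain names, weights and thresholds are all constructed for this example.

```python
"""Flag DNS clients whose lookups look like a Domain Generation Algorithm.

Heuristic, not a classifier. It leans on the property the slide describes:
a DGA client walks through many generated names, almost all of them
unregistered (NXDOMAIN) and all of them lexically random, until it hits
the one the attacker actually registered.
"""
import math
import re
from collections import defaultdict

# Constructed resolver-log sample (not from a real system), one query per
# line: "<client-ip> <query-name> <rcode>".
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.5 cdn.example.net NOERROR
10.0.0.9 xk3j9q2lwz8fp.com NXDOMAIN
10.0.0.9 q7z2m0vbtr1yh.net NXDOMAIN
10.0.0.9 p9lk4s8wzx3rq.org NXDOMAIN
10.0.0.9 m2nv6t1xkq9jz.info NXDOMAIN
10.0.0.9 d4hc8y0lqz7pw.com NXDOMAIN
10.0.0.9 www.example.com NOERROR
10.0.0.7 login.example.com NOERROR
10.0.0.7 updates.example.org NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")


def shannon_entropy(text: str) -> float:
    """Bits per character; a run of one letter is 0, random text is near 4."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(name: str) -> str:
    """Label left of the TLD. Simplification: single-label TLDs only; names
    under co.uk-style suffixes would need a public-suffix list."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lexical_score(name: str) -> float:
    """0..1: high entropy, few vowels and many digits all push it upward.
    Weights and cut-offs are hand-picked for this sample, not tuned."""
    label = registrable_label(name)
    if len(label) < 6:          # short labels give entropy nothing to work with
        return 0.0
    entropy = min(shannon_entropy(label) / 4.0, 1.0)
    vowels = sum(ch in "aeiou" for ch in label) / len(label)
    digits = sum(ch.isdigit() for ch in label) / len(label)
    score = (0.5 * entropy
             + 0.3 * (1.0 - min(vowels / 0.35, 1.0))   # English words run ~35-40% vowels
             + 0.2 * min(digits / 0.3, 1.0))
    return round(score, 3)


def flag_dga_clients(log_text: str, nx_threshold: int = 3,
                     score_threshold: float = 0.6) -> dict:
    """Return {client: sorted names} for clients with at least nx_threshold
    NXDOMAIN answers to names scoring >= score_threshold."""
    suspects = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue        # tolerate malformed lines instead of aborting the run
        client, name, rcode = m.groups()
        if rcode == "NXDOMAIN" and lexical_score(name) >= score_threshold:
            suspects[client].add(name.lower())
    return {c: sorted(names) for c, names in suspects.items()
            if len(names) >= nx_threshold}


if __name__ == "__main__":
    for client, names in flag_dga_clients(SAMPLE_LOG).items():
        print(f"{client}: {len(names)} DGA-looking NXDOMAINs, e.g. {names[0]}")
```

A single random-looking NXDOMAIN is noise (typos, expired CDNs); the per-client count is what separates a DGA beacon from a user mistyping a URL.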
Privilege Escalation
Why
o Gain better persistence
o Cred dump/user impersonation
o Operate under the radar
How
o Exploit vulnerabilities
• Command line vulnerability
• Process injection
o Leverage improper configurations
• Local admin rights for all users
• User lockout policies
Privilege Escalation: Exploit Windows Vulnerabilities
o Windows kernel mode driver vulnerabilities
o Windows task scheduler vulnerabilities
o Vulnerabilities in Windows design
– Windows user account control (UAC)
– DLL search order
Internal Reconnaissance
Why
o Paint a picture of the IT infrastructure
• Who are the administrators?
• What steps get me closer to my target?
• What type of services are running?
o Identify target and a path to the target
How
o ARP scanning
o NetBIOS enumeration
o Port scanning
o Credential stealing
Recon: Port Scanning
o Services use ports to communicate
• HTTP = 80, DNS = 53, etc.
o Attacker scans the subnet to find exposed and exploitable services
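Added example, not from the deck: detection logic for the behaviour this slide describes, run over constructed firewall flow records. One source touching many ports on one host is a vertical scan; one source touching the same port on many hosts is a horizontal sweep. The log format, addresses and thresholds are assumptions made for this example.

```python
"""Spot port scans in connection logs and list what the scanner learned."""
from collections import defaultdict

# Constructed flow records (not from a real network), one per line:
# "<src-ip> <dst-ip> <dst-port> <ALLOW|DENY>".
SAMPLE_FLOWS = """\
10.0.0.9 10.0.1.20 22 DENY
10.0.0.9 10.0.1.20 23 DENY
10.0.0.9 10.0.1.20 80 ALLOW
10.0.0.9 10.0.1.20 135 DENY
10.0.0.9 10.0.1.20 139 DENY
10.0.0.9 10.0.1.20 443 ALLOW
10.0.0.9 10.0.1.20 445 ALLOW
10.0.0.9 10.0.1.20 3389 DENY
10.0.0.9 10.0.1.21 445 ALLOW
10.0.0.9 10.0.1.22 445 DENY
10.0.0.9 10.0.1.23 445 DENY
10.0.0.9 10.0.1.24 445 DENY
10.0.0.9 10.0.1.25 445 DENY
10.0.0.9 10.0.1.26 445 DENY
10.0.0.5 10.0.1.20 80 ALLOW
10.0.0.5 10.0.1.20 443 ALLOW
10.0.0.5 10.0.1.30 53 ALLOW
"""


def parse_flows(text: str):
    """Yield (src, dst, port, action); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue
        yield parts[0], parts[1], int(parts[2]), parts[3]


def detect_scans(text: str, vertical_min: int = 6, horizontal_min: int = 5) -> list:
    """Return findings sorted by source. Thresholds are assumptions: a normal
    client rarely touches 6+ ports on one host or the same port on 5+ hosts."""
    ports_per_pair = defaultdict(set)   # (src, dst)  -> distinct ports tried
    hosts_per_port = defaultdict(set)   # (src, port) -> distinct hosts tried
    for src, dst, port, _action in parse_flows(text):
        ports_per_pair[(src, dst)].add(port)
        hosts_per_port[(src, port)].add(dst)

    findings = []
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= vertical_min:
            findings.append({"type": "vertical", "src": src,
                             "target": dst, "count": len(ports)})
    for (src, port), hosts in hosts_per_port.items():
        if len(hosts) >= horizontal_min:
            findings.append({"type": "horizontal", "src": src,
                             "target": port, "count": len(hosts)})
    findings.sort(key=lambda f: (f["src"], f["type"], str(f["target"])))
    return findings


def exposed_services(text: str, src: str) -> list:
    """(dst, port) pairs the scanning host was allowed to reach: the services
    the slide calls exposed, and the list a defender should review first."""
    return sorted({(dst, port) for s, dst, port, action in parse_flows(text)
                   if s == src and action == "ALLOW"})


if __name__ == "__main__":
    for f in detect_scans(SAMPLE_FLOWS):
        print(f"{f['src']}: {f['type']} scan, {f['count']} x {f['target']}")
        print("  reachable:", exposed_services(SAMPLE_FLOWS, f["src"]))
```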
Recon: Credential Theft
o Mimikatz
o Windows Credential Editor
o LaZagne
Lateral Movement
Why
o Gain access to target machines
• Domain controllers
• OWA
o Persistence
How
o Use legitimate tools maliciously
• Pass The Hash/Ticket
• Shares
• PSExec
• RDP
• SSH
• PowerShell
• SCCM
Lateral Movement: PsExec
Legitimate use: IT admin runs PsExec to run a process on a remote machine interactively
Malicious use: Attacker runs PsExec with stolen credential hashes to spread their malware through an entire network
Lateral Movement: PowerShell
Legitimate use: IT admin runs PowerShell to monitor firewall
Malicious use: Attacker runs PowerShell with encoded commands to spread malware
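Added example, not from the deck: the check a detection pipeline needs for this slide. PowerShell's -EncodedCommand takes base64 over UTF-16LE text, so a rule that only sees the blob cannot tell the firewall-monitoring admin from the attacker. The code decodes the argument, then matches a few indicators against the recovered script. The process-creation records, hostnames and scripts are constructed here; the short forms -e/-ec/-enc are accepted by powershell.exe as prefixes of the full switch.

```python
"""Decode -EncodedCommand launches so rules can read the actual script."""
import base64
import binascii
import re

# Matches -EncodedCommand and its accepted prefixes (-e, -ec, -enc, ...)
# followed by a base64 token; a trailing "-eq" in a script is not matched.
ENCODED_ARG_RE = re.compile(r"(?i)(?:^|\s)[-/]e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)")

# (label, pattern) pairs checked against the command line plus the decoded
# script. Constructed for this example; a real rule set is larger.
INDICATORS = [
    ("hidden-window", re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")),
    ("policy-bypass", re.compile(r"(?i)-ex\w*\s+bypass")),
    ("admin-share", re.compile(r"(?i)\\\\[\w.-]+\\(?:admin|c)\$")),
    ("remote-exec", re.compile(r"(?i)invoke-command\s+-computername")),
    ("download-cradle", re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest")),
]


def encode_powershell(script: str) -> str:
    """Produce the blob -EncodedCommand expects (used to build the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str):
    """Reverse of encode_powershell; None if the blob is not valid."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, ValueError):   # bad alphabet, padding or odd byte count
        return None


def analyze_event(host: str, command_line: str) -> dict:
    """What the pipeline should record for one PowerShell launch."""
    result = {"host": host, "encoded": False, "script": None, "indicators": []}
    m = ENCODED_ARG_RE.search(command_line)
    if m:
        result["encoded"] = True
        result["script"] = decode_encoded_command(m.group(1))
        if result["script"] is None:
            result["indicators"].append("undecodable-blob")
    haystack = command_line + "\n" + (result["script"] or "")
    for label, pattern in INDICATORS:
        if pattern.search(haystack):
            result["indicators"].append(label)
    return result


def triage(events) -> list:
    """Keep only launches that were encoded or tripped an indicator."""
    return [r for r in (analyze_event(h, c) for h, c in events)
            if r["encoded"] or r["indicators"]]


# Constructed scripts: the admin's firewall check from the slide, and a
# spread-to-another-host script of the kind the slide warns about.
ADMIN_SCRIPT = "Get-NetFirewallRule | Where-Object Enabled -eq True | Select-Object DisplayName"
SPREAD_SCRIPT = (r"Copy-Item C:\Users\Public\svc.exe \\WS-02\ADMIN$\svc.exe; "
                 r"Invoke-Command -ComputerName WS-02 -ScriptBlock { Start-Process C:\Windows\svc.exe }")

# Constructed process-creation records: (host, command line).
SAMPLE_EVENTS = [
    ("WS-01", 'powershell.exe -NoProfile -Command "Get-NetFirewallRule | Select-Object DisplayName"'),
    ("WS-01", "powershell.exe -NoProfile -EncodedCommand " + encode_powershell(ADMIN_SCRIPT)),
    ("WS-01", "powershell.exe -w hidden -ex bypass -enc " + encode_powershell(SPREAD_SCRIPT)),
    ("WS-03", "powershell.exe -enc not_base64!!"),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(r["host"], r["indicators"], (r["script"] or "")[:60])
```

The encoded admin command surfaces with an empty indicator list, which is the point: encoding alone is not malicious, the decoded content and the launch flags around it are what to alert on.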
Lateral movement: Pass-the-Ticket
Legitimate authentication: Kerberos
Lateral movement: Pass-the-Ticket
Malicious use: Pass the Ticket
Persistence
Why
o Establish long term access
• Primary goal is often persistent access
How
o Scheduled tasks
o Autoruns
o Temp files
o Fileless malware
Damage
o FTP/SSH
o Email
o DNS
o Dropbox
o Pastebin
o Ransomware
o Corporate financials
o Credit card data
o System corruption
Business Profit Sabotage
Total Enterprise PROTECTION
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 

The attack lifecycle. Cybereason can help you answer: Are you under attack?

  • 1. Total Endpoint Protection: #1 in EDR & Next-Gen AV
  • 2. Are you under attack? The attack lifecycle: Initial Infection | C&C | Privilege Escalation | Recon | Lateral Movement | Damage
  • 3. External Recon. People/Social Engineering: conferences; call help desk or admin. Technology: external scans; buy information & tools on black market. Business Intelligence: trusted relationships; 3rd party vendors. “Even Rao, a highly experienced cybersecurity researcher, nearly fell for the scam, as he happened to have recently mailed a package via UPS.”
  • 4. Initial Infection: phishing & spear phishing; vulnerability exploit; infected USB drive.
  • 5. Initial Infection: Process Injection. Running a procedure as a thread inside another process. Goals: evasion; reading host process memory; affecting host process behavior; server persistence.
  • 6. Initial Infection: Fileless Malware. Malicious code launches and carries out an infection within a tool or process. Unlike traditional malware it doesn’t use a file; it runs in the memory of the device. Examples of processes/tools: legitimate Windows processes; Windows management interface; Meterpreter; executing remote commands.
  • 7. Command & Control. Why: establish and maintain a connection to execute malicious code, update malware, send back collected info, and provide a heartbeat to indicate the attack is still alive. How: legitimate HTTP; legitimate DNS requests; Fast Flux; TOR; IRC; Facebook / Twitter / YouTube comments; Domain Generation Algorithm.
  • 8. Command & Control: Domain Generation Algorithm. C&C servers quickly get blacklisted. A DGA generates 1000’s of domains, predictable to the attacker and unpredictable to the security researcher; one will be the C&C. When the C&C domain is blacklisted, the attacker selects another generated domain, registers it, and continues the attack.
  • 9. Privilege Escalation. Why: gain better persistence; cred dump/user impersonation; operate under the radar. How: exploit vulnerabilities (command line vulnerability; process injection); leverage improper configurations (local admin rights for all users; user lockout policies).
  • 10. Privilege Escalation: Exploit Windows Vulnerabilities. Windows kernel mode driver vulnerabilities; Windows task scheduler vulnerabilities; vulnerabilities in Windows design (Windows User Account Control (UAC); DLL search order).
  • 11. Internal Reconnaissance. Why: paint a picture of the IT infrastructure (Who are the administrators? What steps get me closer to my target? What type of services are running?); identify a target and a path to the target. How: ARP scanning; NetBIOS enumeration; port scanning; credential stealing.
  • 12. Recon: Port Scanning. Services use ports to communicate (HTTP = 80, DNS = 53, etc.). The attacker scans the subnet to find exposed and exploitable services.
  • 13. Recon: Credential Theft. Mimikatz; Windows Credential Editor; LaZagne.
  • 14. Lateral Movement. Why: gain access to target machines (domain controllers; OWA); persistence. How: use legitimate tools maliciously (Pass the Hash/Ticket; shares; PsExec; RDP; SSH; PowerShell; SCCM).
  • 15. Lateral Movement: PsExec. Legitimate use: an IT admin runs PsExec to run a process on a remote machine interactively. Malicious use: an attacker runs PsExec with stolen credential hashes to spread their malware through an entire network.
  • 16. Lateral Movement: PowerShell. Legitimate use: an IT admin runs PowerShell to monitor the firewall. Malicious use: an attacker runs PowerShell with encoded commands to spread malware.
  • 17. Lateral Movement: Pass-the-Ticket. Legitimate authentication: Kerberos.
  • 18. Lateral Movement: Pass-the-Ticket. Malicious use: Pass the Ticket.
  • 19. Persistence. Why: establish long term access; the primary goal is often persistent accessibility. How: scheduled tasks; autoruns; temp files; fileless malware.
  • 20. Damage. FTP/SSH; email; DNS; Dropbox; Pastebin; ransomware; corporate financials; credit card data; system corruption (grouped under Business, Profit, Sabotage).
  • 21. Are you under attack? The attack lifecycle: Initial Infection | C&C | Privilege Escalation | Recon | Lateral Movement | Damage
  • 22. Total Enterprise PROTECTION
  • 23. Total Endpoint Protection: #1 in EDR & Next-Gen AV
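The deck names the signals a defender would look for at two of its stages (DGA-generated C&C domains on slide 8, PsExec and encoded PowerShell on slides 15 and 16) without showing how they are checked. The following is an added example written for this page, not code from the deck or from Cybereason: it runs a DGA-likeness score over queried names and flags PsExec's service image and decodable `-EncodedCommand` payloads in process-creation records. The log format, host names, thresholds and sample lines are all constructed assumptions; `registrable_label` assumes a single-label TLD rather than consulting the Public Suffix List.

```python
"""Added example (not from the deck): lifecycle-stage detections over
constructed endpoint telemetry. Covers C&C via a Domain Generation
Algorithm (entropy, digit and vowel-ratio heuristic, counted per host)
and lateral movement via PsExec (PSEXESVC.exe) and encoded PowerShell
(decoded so an analyst can read the command on the alert)."""
import base64
import math
import re
import shlex
from collections import Counter, defaultdict

# Heuristic thresholds; assumed values chosen for this example.
ENTROPY_MIN = 3.3        # bits per character over the registrable label
LENGTH_MIN = 12          # shorter labels are not scored at all
VOWEL_RATIO_MAX = 0.25   # pronounceable names usually exceed this
DGA_HOST_MIN = 2         # DGA-like names per host before alerting
VOWELS = set("aeiou")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
FLAG_TOKEN = re.compile(r"^[-/](e[a-z]*)$", re.IGNORECASE)


def _utf16_b64(ps_script: str) -> str:
    """PowerShell's -EncodedCommand carries base64 over UTF-16LE text."""
    return base64.b64encode(ps_script.encode("utf-16-le")).decode("ascii")


BENIGN_SCRIPT = "Write-Host 'hi'"   # constructed payload for the sample log

# Constructed telemetry, one record per line:
#   dns  <host> <queried name>
#   proc <host> <parent image> <image> "<command line>"
SAMPLE_LOG = "\n".join([
    "dns ws01 www.microsoft.com",
    "dns ws01 stackoverflow.com",
    "dns ws01 xk3j9qzv7wlp2ncb.com",
    "dns ws01 qwpz8v4klmn0tr3syx.net",
    "dns ws02 mail.example.org",
    'proc ws01 explorer.exe powershell.exe "powershell.exe -NoProfile -Command Get-NetFirewallRule"',
    'proc ws02 services.exe PSEXESVC.exe "PSEXESVC.exe"',
    f'proc ws02 winword.exe powershell.exe "powershell.exe -NonInteractive -enc {_utf16_b64(BENIGN_SCRIPT)}"',
])


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(name: str) -> str:
    """Label left of the TLD. Assumes a single-label TLD; a real
    deployment would use the Public Suffix List instead."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_dga(name: str) -> bool:
    """High entropy alone flags long real words (e.g. stackoverflow), so
    also require digits or a low vowel ratio before calling it DGA-like."""
    label = registrable_label(name)
    if len(label) < LENGTH_MIN:
        return False
    has_digit = any(ch.isdigit() for ch in label)
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= ENTROPY_MIN and (has_digit or vowel_ratio <= VOWEL_RATIO_MAX)


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line uses -EncodedCommand
    (or one of its accepted prefixes such as -e, -ec, -enc), else None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        m = FLAG_TOKEN.match(tok)
        if not m:
            continue
        flag = m.group(1).lower()
        if flag == "ec" or "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def analyze(log_text: str):
    """Return findings as dicts naming the host, lifecycle stage, rule and
    the evidence an analyst would want on the alert."""
    findings, dga_hits = [], defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = shlex.split(line)
        kind, host = fields[0], fields[1]
        if kind == "dns":
            if looks_dga(fields[2]):
                dga_hits[host].append(fields[2])
        elif kind == "proc":
            parent, image, cmdline = fields[2], fields[3], fields[4]
            # PsExec installs the PSEXESVC service on the remote host; admins
            # produce this too, so the parent and account drive triage.
            if image.lower() == "psexesvc.exe":
                findings.append({"host": host, "stage": "lateral_movement", "rule": "psexec_service",
                                 "severity": "medium", "parent": parent, "evidence": cmdline})
            decoded = decode_encoded_command(cmdline)
            if decoded is not None:
                findings.append({"host": host, "stage": "lateral_movement", "rule": "powershell_encoded",
                                 "severity": "high" if parent.lower() in OFFICE_PARENTS else "medium",
                                 "parent": parent, "evidence": decoded})
    for host, names in dga_hits.items():
        if len(names) >= DGA_HOST_MIN:
            findings.append({"host": host, "stage": "c2", "rule": "dga_like_queries",
                             "severity": "medium", "evidence": names})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The DGA scorer is deliberately a heuristic: on real DNS telemetry it should sit behind an allowlist of known good domains and be combined with the per-host NXDOMAIN rate, since a host whose DGA has not yet hit the registered domain produces a burst of failed lookups. The encoded-PowerShell rule decodes the payload rather than alerting on the flag alone, because the decoded text is what lets an analyst tell a scripted admin task from the "encoded commands to spread malware" case the deck describes.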