MT 36 Detecting Evasive Threats: Network Edition

Events
• Opportunistic 85.7%
• Exploits 12.3%
• Ransomware 1.2%
• Targeted 0.5%
• FakeAV 0.3%
A lot going on in the world. Motives vary.
What industry verticals are victims?
Targeted Intrusion Victims by Industry Vertical
• Manufacturing 46%
• Technology Provider 19%
• Education 12%
• Other Services 8%
• Retail 4%
• Business Services 4%
• Media 4%
• Misc. Financial 4%
Source: Targeted Threat Responses Jan 2015 – Sept 2015
Threat groups
• Known Tools (Infrastructure)
• Known Targets (pre-Compromise) & Victims (post-Compromise)
• Known Techniques & Procedures (Capability)
• Known Identity
Candidate Threat Groups
TG-0416 Vertical Hopscotch
(Timeline chart, H2 2011 through H1 2015, of the verticals hit by TG-0416: Healthcare, Government, Technology Providers, Manufacturing, Financial, Membership Organizations)
How are threat groups entering networks?
Targeted Intrusion Access Vector
• Phishing 29%
• Credential Abuse 29%
• Scan & Exploit 29%
• Web Exploit 14%
Source: Targeted Threat Responses Jan 2015 – Sept 2015
Phishing…everyday occurrence
Watch your webmail…
spear phishing to corporate and personal mail
From: XXXXXXXX XXXXXXXX [mailto:xxxxxx.yyyyyyyy@zzzzzzzzz.zzz]
Sent: XXXXXXX, XXXXXXXX ##, 201X 11:01 PM
To: XXXXXXXX, XXXXXXXX
Subject: Internal Security Survey
Dear all,
Key target is finding and exploring company internal security problems in 201X.
Download the report: http://<company web domain>/download/survey.pdf
please fill the report and send to xxxxxx.yyyyyyyy@zzzzzzzzz.zzz tomorrow morning.
IT Department
Strategic Web Compromise (SWC)
1. Adversary identifies websites known or suspected to be visited by designated target
2. Identified sites are probed for vulnerability
3. Adversary places exploits on one or more sites where it is likely to be accessed by targets
4. Users visit malicious website
5. Exploits are attempted against visitors. Delivery is often filtered by IP or other characteristics
6. Initial foothold malware is delivered to the victim
(Diagram: Sites of Interest → Identify Vulnerable Site & Place Exploit → User Visits Compromised Site → Exploit used to deliver initial foothold malware)
Exploiting weakness
1. Scans website for available vulnerabilities
2. Identifies Struts with unpatched vulnerabilities
3. Deploys China Chopper shell
4. Adversary can now try to escalate privileges, dump passwords and move laterally in the internal network
Credential abuse
• Exploitation of architecture and configuration vulnerabilities
  – just as effective
  – just as devastating
  – harder to detect
• Use available tools instead of malware
  – Steal credentials
  – Use existing administration tools
• Malware removed after initial intrusion compromises credentials
No malware? No problem
TG-0416: “Transport rule found on server that blind copies any messages with ?CMS?, ?pw?, ?pwd?, ?pass? or ?password? in the body or subject of an email on server XYZ to email account company2014@outlook.com”
Living off the Land
Current State of Affairs
How victims learned of targeted intrusions across their organizations:
• 60% Third party detected adversary tradecraft
• 28% Notified by law enforcement or government entity
• 12% Staff discovered threat actor activity
Source: Targeted Threat Responses Jan 2015 – Sept 2015
50%: In half of targeted intrusions, the entry point of the threat actors was undetermined
100%: In all intrusions, threat actors “lived off the land”, using stolen credentials and native tools to achieve their mission
• Next Generation Toolsets provide only limited value. Tools need to be updated with the latest threat intelligence, continually monitored, and run by trained professionals.
The industry’s definition of defeat is different from our adversary's definition of winning.
XLSTrojan
Comfoo Trojan
Sajdela Trojan
Chinese Infostealer Blue
Butterfly Lingbo
Dynamer
Targeted-CG
Orsam
Leouncia
Huntah
Poison Ivy
Bifrose
Hupigon
PcClient
gh0st
Wkysol
ZWShell
Mswab
Mirage
Wykcores
Hydraq
Whitewell
Werchan
Foxjmp
Sanshell
Lostmin
Pirp
httpBrowser
And many more…
Malware doesn’t matter… the adversaries simply don’t care
骑驴找马 (“ride the donkey while looking for a horse”)
• Endpoint security controls fail
– AV fails
– Whitelisting fails
– Novel malware persistence mechanisms
› DLL Side Loading
› DLL Search Order Hijack
› Binary modification
– Memory based exploits
– Rootkits
– Even exploitation of the security software itself!
• Network controls fail
– Encrypted binary protocols over HTTP
– Use of common ports and protocols
– Frequently burning infrastructure
– Use of public services for C2 and exfil
• Log analysis detections fail
• Mobile Machine Learning Clouds of Advanced Malware Protection fail too!
But I have a magic mobile machine learning cloud of advanced malware protection
Adaptable Persistent Threat
• Not a thing, a who
• Think project management…
  – Adversary has already planned for most common defenses and responses
  – Setbacks trigger planning or strategy shifts, not abandonment
• Plan to fail…
  – History teaches us that controls fail
  – Endpoint controls fail
  – Network controls fail
  – Log and SIEM analytics fail
How do we win?
Reduce time to detect advanced threat actor activity and reduce effort to respond to their operations
Lots of opportunity
We win by disrupting the threat actors before they complete their mission of data exfiltration
~1 month before data loss begins
~2 weeks to data exfiltration
~6 weeks before the threat actors win
I.N.T.E.L.L.I.G.E.N.C.E.
Architecture Affects Visibility
627732;10Mar2015;3:58:15;a.a.a.a;log;vpnroute;;External;inbound;VPN-1 & FireWall-1;;chkma;Network;4;{00000000-0000-0000-0000-000000000000};EPC RULE;MSTerminalServices;x.x.x.17;y.y.y.136;tcp;;;;;3389;2913;;;IKE;ESP: 3DES + MD5 + DEFLATE;x.x.x.17;;;ACMEAPT_Access;VPN-1;VPN;;;;;;;;;;;;;;;;;compromisedusername;;;;;;;;;{11111111-1111-1111-1111-111111111111};IKE;ESP: AES-128 + MD5;38.109.75.18;;;ACMEAPT_Internal;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
How do you win? (The first 6 hours)
• Prevent the exploit
• Detect the malware execution
• Prevent or Monitor the malware execution
Detect potential danger early

DNS Telemetry
(Resolution diagram: Internal name server, .com Root name server, foo.com authoritative name server)
1. Request: A record evil.foo.com (to the internal name server)
2. Internal name server → .com root name server: Request: NS record foo.com
3. .com root name server → Internal name server: NS Response
4. Internal name server → foo.com authoritative name server: Request: A record evil.foo.com
5. foo.com authoritative name server → Internal name server: A Record Response
6. A Record Response (from the internal name server back to the requester)
IDS/IPS strategic and tactical detection
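The internal name server in the diagram above is the only vantage point where the requesting host and the full query name meet: the .com root sees only the resolver's address and an NS lookup for foo.com, and the authoritative server sees the resolver, not the client. The following Python is an added example, not part of the deck, that parses resolver query log lines in the older BIND querylog layout (a constructed sample with placeholder client addresses; evil.foo.com is the name from the diagram) and summarizes, per registered domain, which internal hosts resolved it, how often, and when it was first seen, so that a domain outside a baseline that only one host resolves surfaces as a hunting lead and the set of affected hosts can be scoped.

```python
import re
from datetime import datetime

# Constructed BIND-style resolver query log (older querylog layout). Client
# addresses are placeholders; evil.foo.com is the name from the slide diagram.
QUERY_LOG = """\
10-Mar-2015 03:58:15.101 client 192.168.10.5#51234: query: www.example.com IN A + (192.0.2.53)
10-Mar-2015 03:58:16.204 client 192.168.10.9#40211: query: www.example.com IN A + (192.0.2.53)
10-Mar-2015 03:58:17.330 client 192.168.10.5#51240: query: evil.foo.com IN A + (192.0.2.53)
10-Mar-2015 03:59:02.012 client 192.168.10.11#60001: query: mail.example.com IN MX + (192.0.2.53)
10-Mar-2015 04:01:44.777 client 192.168.10.5#51301: query: evil.foo.com IN A + (192.0.2.53)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client (?P<client>[\d.]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def parse(log_text):
    """Return (timestamp, client, qname, qtype) tuples; lines that do not parse are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        records.append((ts, m["client"], m["qname"].rstrip(".").lower(), m["qtype"]))
    return records

def registered_domain(qname):
    """Naive registrable domain (last two labels); production code should use a public-suffix list."""
    return ".".join(qname.split(".")[-2:])

def summarize(records):
    """Per registered domain: first-seen time, distinct clients, query count."""
    summary = {}
    for ts, client, qname, _ in records:
        entry = summary.setdefault(registered_domain(qname),
                                   {"first_seen": ts, "clients": set(), "queries": 0})
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["clients"].add(client)
        entry["queries"] += 1
    return summary

def rare_domains(summary, baseline, max_clients=1):
    """Domains absent from the baseline that few hosts resolve: leads to triage, not verdicts."""
    return sorted(d for d, e in summary.items()
                  if d not in baseline and len(e["clients"]) <= max_clients)

def clients_for(records, suffix):
    """Which internal hosts resolved `suffix` or any name beneath it (scoping an incident)."""
    return sorted({c for _, c, q, _ in records if q == suffix or q.endswith("." + suffix)})

if __name__ == "__main__":
    recs = parse(QUERY_LOG)
    summary = summarize(recs)
    for d in rare_domains(summary, baseline={"example.com"}):
        e = summary[d]
        print(f"{d}: first seen {e['first_seen']}, {e['queries']} queries "
              f"from {sorted(e['clients'])}")
```

The baseline here is a set of domains the environment is known to resolve; in practice it is built from the resolver's own history over a quiet period, and a watchlist from threat intelligence can be passed to clients_for to find every host that touched a known name, which is the question an incident responder asks first.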
How do you win? (The first 6 hours)
• Credential use
• Lateral movement technique
• Execution
Internal netflow: What lateral movement looks like
06zz.yy:28:01.727 06zz.yy:28:04.703 6 192.168.x.y 0 17 192.168.a.b 2048 1 0 4 240
06zz.yy:28:01.759 06zz.yy:28:04.735 16 192.168.a.b 0 6 192.168.x.y 0 1 0 4 240
06zz.yy:28:14.199 06zz.yy:28:14.359 6 192.168.x.y 56639 17 192.168.a.b 445 6 6 7 1456
06zz.yy:28:14.231 06zz.yy:28:14.359 16 192.168.a.b 445 6 192.168.x.y 56639 6 2 5 1198
06zz.yy:28:16.611 06zz.yy:28:17.667 6 192.168.x.y 56640 17 192.168.a.b 80 6 2 3 200
06zz.yy:28:16.643 06zz.yy:28:17.699 16 192.168.a.b 80 6 192.168.x.y 56640 6 4 3 120
06zz.yy:28:44.258 06zz.yy:29:23.330 16 192.168.a.b 445 6 192.168.x.y 56644 6 2 128 10735
06zz.yy:28:44.258 06zz.yy:29:23.522 6 192.168.x.y 56644 17 192.168.a.b 445 6 2 221 274066
06zz.yy:29:56.517 06zz.yy:29:56.837 6 192.168.x.y 56644 17 192.168.a.b 445 6 0 6 1115
06zz.yy:29:56.549 06zz.yy:29:56.645 16 192.168.a.b 445 6 192.168.x.y 56644 6 0 5 948
06zz.yy:30:13.845 06zz.yy:30:13.909 6 192.168.x.y 56644 17 192.168.a.b 445 6 4 3 264
06zz.yy:30:13.877 06zz.yy:30:13.909 16 192.168.a.b 445 6 192.168.x.y 56644 6 0 2 224
How do you win?
• Tactical and Strategic detection of webshells
Internal netflow: What network exploration looks like
06xx.yy:22:17.523 06xx.yy:22:17.523 6 192.168.x.y 60616 17 192.168.1.0 137 17 0 1 78
06xx.yy:22:17.523 06xx.yy:22:17.523 6 192.168.x.y 60616 17 192.168.1.1 137 17 0 1 78
06xx.yy:22:17.523 06xx.yy:22:17.523 6 192.168.x.y 60616 17 192.168.1.2 137 17 0 1 78
06xx.yy:22:17.555 06xx.yy:22:17.555 6 192.168.x.y 60616 17 192.168.1.3 137 17 0 1 78
06xx.yy:22:17.555 06xx.yy:22:17.555 6 192.168.x.y 60616 17 192.168.1.4 137 17 0 1 78
06xx.yy:22:17.555 06xx.yy:22:17.555 6 192.168.x.y 60616 17 192.168.1.5 137 17 0 1 78
06xx.yy:22:17.587 06xx.yy:22:17.587 6 192.168.x.y 60616 17 192.168.1.6 137 17 0 1 78
06xx.yy:22:17.587 06xx.yy:22:17.587 6 192.168.x.y 60616 17 192.168.1.7 137 17 0 1 78
06xx.yy:22:17.587 06xx.yy:22:17.587 6 192.168.x.y 60616 17 192.168.1.8 137 17 0 1 78
06xx.yy:22:17.619 06xx.yy:22:17.619 6 192.168.x.y 60616 17 192.168.1.10 137 17 0 1 78
06xx.yy:22:17.619 06xx.yy:22:17.619 6 192.168.x.y 60616 17 192.168.1.11 137 17 0 1 78
(more or less sequentially mapping the environment)
06xx.yy:42:45.159 06xx.yy:42:49.159 9 192.168.x.y 60616 0 192.168.253.78 137 17 0 1 78
06xx.yy:42:45.159 06xx.yy:42:49.159 9 192.168.x.y 60616 0 192.168.253.79 137 17 0 1 78
06xx.yy:42:45.167 06xx.yy:42:49.171 9 192.168.x.y 60616 0 192.168.253.80 137 17 0 1 78
06xx.yy:42:45.179 06xx.yy:42:49.179 9 192.168.x.y 60616 0 192.168.253.81 137 17 0 1 78
06xx.yy:42:45.191 06xx.yy:42:49.191 9 192.168.x.y 60616 0 192.168.253.82 137 17 0 1 78
06xx.yy:42:47.063 06xx.yy:42:47.063 9 192.168.x.y 60616 0 192.168.253.255 137 17 0 1 78
Scanned ~65k IPs in rapid succession…
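The two netflow excerpts above (the lateral-movement sequence and the network-exploration sweep) carry no column header; the layout matches the flow-tools flow-print default, which is assumed here: start, end, input interface, source address, source port, output interface, destination address, destination port, protocol, TCP flags, packets, octets. The following Python is an added example, not from the deck, that parses records in that layout and implements the two detections the excerpts illustrate: one source touching many hosts on a single port with one-packet flows (the 137/udp NetBIOS sweep), and an ICMP reachability check followed shortly by a bulk 445/tcp push to the same host (the lateral-movement sequence). The sample flows are constructed to mirror the shapes shown above, with concrete private addresses standing in for the redacted ones and an assumed year, since the record format carries none.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed flow-tools flow-print column order (the excerpts above carry no header).
COLUMNS = ["start", "end", "sif", "src", "sport", "dif", "dst", "dport",
           "proto", "flags", "pkts", "octets"]
ICMP, TCP, UDP = 1, 6, 17

# Constructed records mirroring the lateral-movement excerpt: ping, SMB session,
# HTTP probe, then a ~274 KB transfer over 445/tcp. 192.168.5.20 stands in for
# the redacted source host and 192.168.5.40 for the target.
LATERAL = """\
0612.14:28:01.727 0612.14:28:04.703 6 192.168.5.20 0 17 192.168.5.40 2048 1 0 4 240
0612.14:28:01.759 0612.14:28:04.735 16 192.168.5.40 0 6 192.168.5.20 0 1 0 4 240
0612.14:28:14.199 0612.14:28:14.359 6 192.168.5.20 56639 17 192.168.5.40 445 6 6 7 1456
0612.14:28:14.231 0612.14:28:14.359 16 192.168.5.40 445 6 192.168.5.20 56639 6 2 5 1198
0612.14:28:16.611 0612.14:28:17.667 6 192.168.5.20 56640 17 192.168.5.40 80 6 2 3 200
0612.14:28:44.258 0612.14:29:23.522 6 192.168.5.20 56644 17 192.168.5.40 445 6 2 221 274066
0612.14:28:44.258 0612.14:29:23.330 16 192.168.5.40 445 6 192.168.5.20 56644 6 2 128 10735
"""
# Constructed sweep: one 78-byte NetBIOS name query (137/udp) to each of twelve
# consecutive addresses, three per 32 ms tick, as in the exploration excerpt.
SWEEP = "\n".join(
    f"0612.14:22:17.{523 + 32 * (i // 3):03d} 0612.14:22:17.{523 + 32 * (i // 3):03d} "
    f"6 192.168.5.20 60616 17 192.168.1.{i} 137 17 0 1 78"
    for i in range(12)
)
SAMPLE = LATERAL + SWEEP

def parse_ts(s, year=2015):
    """flow-print 'MMDD.HH:MM:SS.mmm'; the year is not in the record, so it is assumed."""
    return datetime.strptime(f"{year}{s}", "%Y%m%d.%H:%M:%S.%f")

def parse_flows(text):
    """Turn flow-print lines into dicts keyed by COLUMNS; non-record lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(COLUMNS):
            continue
        f = dict(zip(COLUMNS, parts))
        f["start"], f["end"] = parse_ts(f["start"]), parse_ts(f["end"])
        for k in ("sif", "sport", "dif", "dport", "proto", "flags", "pkts", "octets"):
            f[k] = int(f[k])
        flows.append(f)
    return flows

def horizontal_scans(flows, min_targets=10, window=timedelta(minutes=5), max_pkts=2):
    """One source reaching many distinct hosts on one (proto, port) with tiny flows."""
    groups = defaultdict(list)
    for f in flows:
        if f["pkts"] <= max_pkts:
            groups[(f["src"], f["proto"], f["dport"])].append(f)
    hits = []
    for (src, proto, dport), fs in groups.items():
        fs.sort(key=lambda f: f["start"])
        targets = {f["dst"] for f in fs}
        if len(targets) >= min_targets and fs[-1]["start"] - fs[0]["start"] <= window:
            hits.append({"src": src, "proto": proto, "dport": dport, "targets": len(targets)})
    return hits

def lateral_movement_candidates(flows, min_octets=100_000, window=timedelta(minutes=5)):
    """ICMP reachability check followed, within `window`, by a bulk 445/tcp push to the same host."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f)
    hits = []
    for (src, dst), fs in by_pair.items():
        pings = [f for f in fs if f["proto"] == ICMP]
        bulk_smb = [f for f in fs if f["proto"] == TCP and f["dport"] == 445
                    and f["octets"] >= min_octets]
        if any(timedelta(0) <= s["start"] - p["start"] <= window
               for p in pings for s in bulk_smb):
            hits.append({"src": src, "dst": dst,
                         "octets": max(s["octets"] for s in bulk_smb)})
    return hits

if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    print("sweeps:", horizontal_scans(flows))
    print("lateral:", lateral_movement_candidates(flows))
```

Both detectors work on flow metadata alone, which is the point of the slides: no payload, no signature, and no malware sample are needed to see a workstation ping a server, open 445/tcp and push a few hundred kilobytes, or to see one host send one packet to every address in a /24 within a second. The thresholds are starting points; tune min_targets against what your own help-desk and inventory tools legitimately do.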
How do you win?
• Without significant tripwires, data exfiltration of sensitive intellectual property occurred in 6 weeks
• With proper visibility, the threat actors could have been detected at least 6 different ways within the first 6 hours of the intrusion
Placeholder: iSensor Slide Showing China Chopper Commands
Exfil
• Top talkers
• Outbound flows
• Firewall/Proxy monitoring
Redefine winning
The optimal security continuum: Threat Intelligence, People, Process, Technology
Context to answer the questions that matter
What is it? Is it really a threat?
Did it succeed? What happened next?
Who was behind it? What are their intentions?
Did they achieve their objectives yet?
How did they get in, where are they, how do I get them out and prevent them from winning?
What should I do next?
Intelligence on threat actors
Ability to collect telemetry and apply that intelligence in the network and at the endpoint
Analytics beyond malware and signatures
Who has the first question?
Thanks!

Detecting advanced and evasive threats on the network

  • 1. MT 36 Detecting Evasive Threats Network Edition
  • 2. Events Opportunistic 85.7% Exploits 12.3% Ransomware - 1.2% Targeted - .5% FakeAV - .3% A lot going on in the world
  • 3.
  • 7. What industry verticals are victims? 46% 19% 12% 8% 4% 4% 4% 4% Targeted Intrusion Victims by Industry Vertical Manufacturing Technology Provider Education Other Services Retail Business Services Media Misc. Financial Source: Targeted Threat Responses Jan 2015 – Sept 2015
  • 8. Threat groups • Known Tools (Infrastructure) • Known Targets (pre-Compromise) & Victims (post-Compromise) • Known Techniques & Procedures (Capability) • Known Identity Candidate Threat Groups
  • 9. TG-0416 Vertical Hopscotch Vertical Healthcare Government Technology Providers Manufacturing Financial Membership Organizations H2 2011 H1 H2 2012 H1 H2 2013 H1 H2 2014 H1 H2 2015 H1
  • 10. How are threat groups entering networks? 29% 29% 29% 14% Targeted Intrusion Access Vector Phishing Credential Abuse Scan & Exploit Web Exploit Source: Targeted Threat Responses Jan 2015 – Sept 2015
  • 12. Watch your webmail… spear phishing to corporate and personal mail From: XXXXXXXX XXXXXXXX [mailto:xxxxxx.yyyyyyyy@zzzzzzzzz.zzz] Sent: XXXXXXX, XXXXXXXX ##, 201X 11:01 PM To: XXXXXXXX, XXXXXXXX Subject: Internal Security Survey Dear all, Key target is finding and exploring company internal security problems in 201X. Download the report: http://<company web domain>/download/survey.pdf please fill the report and send to xxxxxx.yyyyyyyy@zzzzzzzzz.zzz tomorrow morning. IT Department
  • 13. 1. Adversary identifies websites known or suspected to be visited by designated target 2. Identified sites are probed for vulnerability 3. Adversary places exploits on one or more sites where it is likely to be accessed by targets 4. Users visit malicious website 5. Exploits are attempted against visitors. Delivery is often filtered by IP or other characteristics 6. Initial foothold malware is delivered to the victim SitesofInterest User Visits Compromised Site Exploit used to deliver initial foothold malware Strategic Web Compromise (SWC) Identify Vulnerable Site & Place Exploit
  • 14. Exploiting weakness (sequence): Scans website for available vulnerabilities; Identifies Struts with unpatched vulnerabilities; Deploys China Chopper shell; Adversary can now try to escalate privileges, dump passwords and move laterally in the internal network
  • 15. Credential abuse
    – Exploitation of architecture and configuration vulnerabilities: just as effective, just as devastating, harder to detect
    – Use available tools instead of malware: steal credentials; use existing administration tools
    – Malware removed after initial intrusion compromises credentials
  • 16. No malware? No problem. TG-0416
  • 17. Living off the Land. “Transport rule found on server that blind copies any messages with ?CMS?, ?pw?, ?pwd?, ?pass? or ?password? in the body or subject of an email on server XYZ to email account company2014@outlook.com”
  • 18. Current State of Affairs. How victims learned of targeted intrusions across their organizations: 60% third party detected adversary tradecraft; 28% notified by law enforcement or government entity; 12% staff discovered threat actor activity. 50%: in half of targeted intrusions, the entry point of the threat actors was undetermined. 100%: in all intrusions, threat actors “lived off the land”, using stolen credentials and native tools to achieve their mission. Source: Targeted Threat Responses Jan 2015 – Sept 2015
  • 19. Next-generation toolsets provide only limited value on their own: tools need to be updated with the latest threat intelligence, continually monitored, and run by trained professionals. The industry’s definition of defeat is different from our adversary’s definition of winning.
  • 20. Malware doesn’t matter… the adversaries simply don’t care. Ride the donkey while looking for the horse (骑驴找马). Families seen: XLSTrojan, Comfoo Trojan, Sajdela Trojan, Chinese Infostealer, Blue Butterfly, Lingbo, Dynamer, Targeted-CG, Orsam, Leouncia, Huntah, Poison Ivy, Bifrose, Hupigon, PcClient, gh0st, Wkysol, ZWShell, Mswab, Mirage, Wykcores, Hydraq, Whitewell, Werchan, Foxjmp, Sanshell, Lostmin, Pirp, httpBrowser, and many more…
  • 22. But I have a magic mobile machine learning cloud of advanced malware protection
    – Endpoint security controls fail
      › AV fails
      › Whitelisting fails
      › Novel malware persistence mechanisms: DLL side loading; DLL search order hijack; binary modification
      › Memory-based exploits
      › Rootkits
      › Even exploitation of the security software itself!
    – Network controls fail
      › Encrypted binary protocols over HTTP
      › Use of common ports and protocols
      › Frequently burning infrastructure
      › Use of public services for C2 and exfil
    – Log analysis detections fail
    – Mobile machine learning clouds of advanced malware protection fail too!
  • 25. Adaptable Persistent Threat
    – Not a thing, a who
    – Think project management… the adversary has already planned for most common defenses and responses; setbacks trigger planning or strategy shifts, not abandonment
    – Plan to fail… history teaches us that controls fail: endpoint controls fail; network controls fail; log and SIEM analytics fail
  • 27. How do we win?
  • 28. Reduce time to detect advanced threat actor activity and reduce effort to respond to their operations
  • 29. Lots of opportunity. We win by disrupting the threat actors before they complete their mission of data exfiltration. Timeline: ~1 month before data loss begins; ~2 weeks to data exfiltration; ~6 weeks before the threat actors win
  • 33. Architecture Affects Visibility (firewall VPN log record)
    627732;10Mar2015;3:58:15;a.a.a.a;log;vpnroute;;External;inbound;VPN-1 & FireWall-1;;chkma;Network;4;{00000000-0000-0000-0000-000000000000};EPC RULE;MSTerminalServices;x.x.x.17;y.y.y.136;tcp;;;;;3389;2913;;;IKE;ESP: 3DES + MD5 + DEFLATE;x.x.x.17;;;ACMEAPT_Access;VPN-1;VPN;;;;;;;;;;;;;;;;;compromisedusername;;;;;;;;;{11111111-1111-1111-1111-111111111111};IKE;ESP: AES-128 + MD5;38.109.75.18;;;ACMEAPT_Internal;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
  • 35. How do you win? (The first 6 hours)
    – Prevent the exploit
    – Detect the malware execution
    – Prevent or monitor the malware execution
  • 37. DNS Telemetry (resolution diagram): client asks the internal name server for the A record of evil.foo.com; the internal name server asks the .com root name server for the NS record of foo.com and receives the NS response; the internal name server asks the foo.com authoritative name server for the A record of evil.foo.com and receives the A record response; the internal name server returns the A record response to the client
  • 38. IDS/IPS strategic and tactical detection
  • 39. How do you win? (The first 6 hours)
    – Credential use
    – Lateral movement technique
    – Execution
  • 40. Internal netflow: What lateral movement looks like
    06zz.yy:28:01.727 06zz.yy:28:04.703 6 192.168.x.y 0 17 192.168.a.b 2048 1 0 4 240
    06zz.yy:28:01.759 06zz.yy:28:04.735 16 192.168.a.b 0 6 192.168.x.y 0 1 0 4 240
    06zz.yy:28:14.199 06zz.yy:28:14.359 6 192.168.x.y 56639 17 192.168.a.b 445 6 6 7 1456
    06zz.yy:28:14.231 06zz.yy:28:14.359 16 192.168.a.b 445 6 192.168.x.y 56639 6 2 5 1198
    06zz.yy:28:16.611 06zz.yy:28:17.667 6 192.168.x.y 56640 17 192.168.a.b 80 6 2 3 200
    06zz.yy:28:16.643 06zz.yy:28:17.699 16 192.168.a.b 80 6 192.168.x.y 56640 6 4 3 120
    06zz.yy:28:44.258 06zz.yy:29:23.330 16 192.168.a.b 445 6 192.168.x.y 56644 6 2 128 10735
    06zz.yy:28:44.258 06zz.yy:29:23.522 6 192.168.x.y 56644 17 192.168.a.b 445 6 2 221 274066
    06zz.yy:29:56.517 06zz.yy:29:56.837 6 192.168.x.y 56644 17 192.168.a.b 445 6 0 6 1115
    06zz.yy:29:56.549 06zz.yy:29:56.645 16 192.168.a.b 445 6 192.168.x.y 56644 6 0 5 948
    06zz.yy:30:13.845 06zz.yy:30:13.909 6 192.168.x.y 56644 17 192.168.a.b 445 6 4 3 264
    06zz.yy:30:13.877 06zz.yy:30:13.909 16 192.168.a.b 445 6 192.168.x.y 56644 6 0 2 224
  • 41. How do you win? Tactical and strategic detection of webshells
  • 42. Internal netflow: What network exploration looks like
    06xx.yy:22:17.523 06xx.yy:22:17.523 6 192.168.x.y 60616 17 192.168.1.0 137 17 0 1 78
    06xx.yy:22:17.523 06xx.yy:22:17.523 6 192.168.x.y 60616 17 192.168.1.1 137 17 0 1 78
    06xx.yy:22:17.523 06xx.yy:22:17.523 6 192.168.x.y 60616 17 192.168.1.2 137 17 0 1 78
    06xx.yy:22:17.555 06xx.yy:22:17.555 6 192.168.x.y 60616 17 192.168.1.3 137 17 0 1 78
    06xx.yy:22:17.555 06xx.yy:22:17.555 6 192.168.x.y 60616 17 192.168.1.4 137 17 0 1 78
    06xx.yy:22:17.555 06xx.yy:22:17.555 6 192.168.x.y 60616 17 192.168.1.5 137 17 0 1 78
    06xx.yy:22:17.587 06xx.yy:22:17.587 6 192.168.x.y 60616 17 192.168.1.6 137 17 0 1 78
    06xx.yy:22:17.587 06xx.yy:22:17.587 6 192.168.x.y 60616 17 192.168.1.7 137 17 0 1 78
    06xx.yy:22:17.587 06xx.yy:22:17.587 6 192.168.x.y 60616 17 192.168.1.8 137 17 0 1 78
    06xx.yy:22:17.619 06xx.yy:22:17.619 6 192.168.x.y 60616 17 192.168.1.10 137 17 0 1 78
    06xx.yy:22:17.619 06xx.yy:22:17.619 6 192.168.x.y 60616 17 192.168.1.11 137 17 0 1 78
    (more or less sequentially mapping the environment)
    06xx.yy:42:45.159 06xx.yy:42:49.159 9 192.168.x.y 60616 0 192.168.253.78 137 17 0 1 78
    06xx.yy:42:45.159 06xx.yy:42:49.159 9 192.168.x.y 60616 0 192.168.253.79 137 17 0 1 78
    06xx.yy:42:45.167 06xx.yy:42:49.171 9 192.168.x.y 60616 0 192.168.253.80 137 17 0 1 78
    06xx.yy:42:45.179 06xx.yy:42:49.179 9 192.168.x.y 60616 0 192.168.253.81 137 17 0 1 78
    06xx.yy:42:45.191 06xx.yy:42:49.191 9 192.168.x.y 60616 0 192.168.253.82 137 17 0 1 78
    06xx.yy:42:47.063 06xx.yy:42:47.063 9 192.168.x.y 60616 0 192.168.253.255 137 17 0 1 78
    Scanned ~65k IPs in rapid succession…
  • 43. How do you win?
    – Without significant tripwires, data exfiltration of sensitive intellectual property occurred in 6 weeks
    – With proper visibility, the threat actors could have been detected at least 6 different ways within the first 6 hours of the intrusion
  • 44. Placeholder: iSensor Slide Showing China Chopper Commands
  • 45. Exfil
    – Top talkers
    – Outbound flows
    – Firewall/Proxy monitoring
  • 48. The optimal security continuum: Threat Intelligence, People, Process, Technology
  • 49. Context to answer the questions that matter
    – What is it? Is it really a threat? Did it succeed? What happened next?
    – Who was behind it? What are their intentions? Did they achieve their objectives yet?
    – How did they get in, where are they, how do I get them out and prevent them from winning? What should I do next?
    Required: intelligence on threat actors; ability to collect telemetry and apply that intelligence in the network and at the endpoint; analytics beyond malware and signatures
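The flow records on slides 40 and 42 and the exfil checks on slide 45 (top talkers, outbound flows) are all the same kind of triage over internal netflow, so one added example serves all three. This Python is not part of the original deck or any vendor tool; it assumes the twelve-column layout the slides appear to use (my reading of the columns: start, end, in-interface, source, source port, out-interface, destination, destination port, IP protocol, TCP flags, packets, bytes), and runs over a constructed sample, not the slide's records. It flags a NetBIOS sweep (one source probing 137/udp on many hosts), a large SMB session from a workstation to another internal host, and the largest outbound senders. The workstation subnet, the thresholds and the sample addresses are assumptions to be tuned for a real environment.

```python
"""Triage of internal flow records for sweep, SMB lateral movement and exfil
volume.  Added example; column layout and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed column order of each record (not stated on the slides):
# start end in_if src sport out_if dst dport proto flags packets bytes
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]
WORKSTATIONS = ip_network("192.168.10.0/24")   # assumed user subnet


@dataclass(frozen=True)
class Flow:
    start: str
    end: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: int        # 1 = ICMP, 6 = TCP, 17 = UDP
    packets: int
    octets: int


def parse_flow(line: str) -> Flow:
    """Split one whitespace-delimited record into a Flow."""
    f = line.split()
    if len(f) != 12:
        raise ValueError(f"expected 12 columns, got {len(f)}: {line!r}")
    return Flow(f[0], f[1], f[3], int(f[4]), f[6], int(f[7]),
                int(f[8]), int(f[10]), int(f[11]))


def parse_flows(text: str) -> list:
    return [parse_flow(l) for l in text.splitlines() if l.strip()]


def is_internal(ip: str) -> bool:
    a = ip_address(ip)
    return any(a in n for n in INTERNAL)


def find_sweeps(flows, min_hosts: int = 8):
    """Horizontal sweep: one source hitting the same port on many hosts.
    Returns (src, dport, proto, distinct_hosts) tuples over the threshold."""
    targets = defaultdict(set)
    for fl in flows:
        targets[(fl.src, fl.dport, fl.proto)].add(fl.dst)
    return sorted((src, port, proto, len(hosts))
                  for (src, port, proto), hosts in targets.items()
                  if len(hosts) >= min_hosts)


def find_smb_lateral(flows, min_octets: int = 100_000):
    """Workstation pushing a large SMB (445/tcp) session to an internal host,
    the shape of the 274066-byte flow on slide 40."""
    return [(fl.src, fl.dst, fl.octets) for fl in flows
            if fl.proto == 6 and fl.dport == 445
            and ip_address(fl.src) in WORKSTATIONS
            and is_internal(fl.dst) and fl.octets >= min_octets]


def top_talkers(flows, n: int = 3):
    """Outbound bytes per internal source to non-internal destinations,
    largest first: the 'top talkers' check from the exfil slide."""
    totals = defaultdict(int)
    for fl in flows:
        if is_internal(fl.src) and not is_internal(fl.dst):
            totals[fl.src] += fl.octets
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


# Constructed sample records in the assumed layout (not the slide's data):
# a NetBIOS sweep of 192.168.1.0-9, two SMB flows to a server, and two
# outbound HTTPS/HTTP flows to documentation-range addresses.
SCAN_LINES = [
    f"06:22:17.{523 + 8 * i:03d} 06:22:17.{523 + 8 * i:03d} "
    f"6 192.168.10.5 60616 17 192.168.1.{i} 137 17 0 1 78"
    for i in range(10)
]
OTHER_LINES = [
    "06:28:14.199 06:28:14.359 6 192.168.10.5 56639 17 192.168.10.50 445 6 6 7 1456",
    "06:28:44.258 06:29:23.522 6 192.168.10.5 56644 17 192.168.10.50 445 6 2 221 274066",
    "06:30:01.000 06:35:12.000 6 192.168.10.50 50123 17 203.0.113.9 443 6 2 5400 8123456",
    "06:31:00.000 06:31:05.000 6 192.168.10.7 50124 17 198.51.100.4 80 6 2 12 3500",
]
SAMPLE = "\n".join(SCAN_LINES + OTHER_LINES)


def main():
    flows = parse_flows(SAMPLE)
    print("sweeps:", find_sweeps(flows))
    print("smb lateral:", find_smb_lateral(flows))
    print("top talkers:", top_talkers(flows))


if __name__ == "__main__":
    main()
```

In production the three functions would run over a time window of exported flows rather than a string, and the thresholds matter: a sweep threshold of eight hosts is only sensible on the small constructed sample, while the slide's actor touched ~65k addresses, so a real rule would key on distinct destinations per source per minute and exclude known scanners and monitoring hosts.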
  • 50. Who has the first question?