Endpoint Detection & Response - FireEye
2. ©2019 FireEye
Presenter
Ranjit Sawant, FireEye Inc.
▪ With over 16 years' experience in Information Security, he has worked with various verticals such as BFSI, IT Services and Manufacturing.
▪ 8+ years of focus and investment on solutions for Advanced Persistent Threats.
▪ Instrumental in supporting key customers with Advanced Threat Protection roadmap and strategy, solution architecture and business cases.
▪ As Subject Matter Expert for Advanced Threats, he has worked with a few prominent Indian customers within critical industries to create and design security solutions aligned to their specific business needs.
▪ He firmly believes that cyber security is a fast-moving environment in which you need to stay a step ahead of the cyber criminals.
▪ After graduating from a Military Academy, he completed computer studies at IIHT and Business Management at Welingkar Institute of Management.
3.
Agenda Overview
▪ Attackers don't rest
▪ Rise in attacks with COVID-19 themes
▪ Advanced Attack Life Cycle
▪ Defining goals correctly
▪ FireEye Endpoint Security overview
▪ War story
▪ Demo
▪ Q&A
7.
Present Scenario & Concerns
– Sudden move to a distributed workforce with no field movement
– Staff shortages, in general or due to sickness
– Ransomware shutting down organizations worldwide
– COVID-19-related spear phishing
– Information operations spreading misinformation
– Targeted attempts to steal intellectual property from healthcare-focused research institutions
– Supply chain disruptions affecting the flow of medical supplies, teams or material, including manufacturing
– Upsurge in fake news
– Surging public demand for the latest information on the COVID-19 situation
8.
Current Situational Implications
• Malicious actors have always exploited users' sense of urgency, fear, goodwill and mistrust.
• Threat actors exploiting a current crisis is nothing new.
• Attackers simply take advantage of a particularly overtaxed target set that is urgently seeking new information.
• Users who are aware of this dynamic, and who approach any new information with cautious skepticism, will be especially prepared to meet this challenge.
11.
There are viruses, and then there are viruses
▪ COVID-19 has rapidly taken over the headlines
▪ Increased risks due to users working from home en masse
▪ Threat actors aligning with the COVID-19 topic for targeted campaigns
– Financial crime, cyber espionage and information operations
– Increasing attacks by financially motivated threat actors seeking to exploit users' sense of urgency, fear, goodwill and mistrust
– Attackers use email to deliver malware in an effort to establish a foothold
– Siphoning account credentials through phishing tactics
Example of a COVID-19 phishing email used by the TEMP.Warlock threat group.
12.
Advanced Threat Attack Lifecycle
Initial Recon (identify exploitable vulnerabilities) → Initial Compromise (gain initial access into target) → Establish Foothold (strengthen position within target) → Escalate Privileges (steal valid user credentials) → Internal Recon (identify target data) → Lateral Movement → Maintain Presence → Complete Mission (package and steal target data). Escalate Privileges, Internal Recon, Lateral Movement and Maintain Presence repeat as a cycle until the mission is complete.
Overlay on the lifecycle: PREVENTION covers the early stages (the malware problem); DETECTION and RESPONSE cover the later stages (the human attacker problem). The time between initial compromise and detection is the DWELL TIME, and the longer it is, the greater the BREACH IMPACT.
Median dwell time in APAC fell from 204 days in 2018 to 54 days in 2019.
19.
▪ 2nd password reset after report
▪ 12GB gone over 3 days
▪ Reset unsuccessful?
– ActiveSync
▪ SPAM
20.
What Makes FireEye's Intelligence Authoritative?
▪ An unparalleled knowledge repository on all stages of attacker operations.
Combative Intelligence (Dark & Deep): deploying global researchers with local knowledge
• 22 countries
• 32+ languages
• 700+ analysts and researchers
Machine Intelligence: generating attack telemetry globally
• 15,000 sensors
• 56 countries
• Generating tens of millions of MVX detonations per hour
• 32/63 zero-days detected
Victim Intelligence (Mandiant): responding to the most significant breaches
• 15+ years of investigative expertise
• 200+ of the Fortune 500
• 26 countries with consultants
Managed Defense Intelligence: witnessing attacks as they unfold
• 4 Security Operations Centers
• 99m+ events ingested
• 21m+ alerts validated by Intel
• 33,700+ incidents dispositioned
21.
The FireEye Technologies Working Together
Products: FireEye Helix, FireEye Email Security, FireEye Network Security, FireEye Endpoint Security.
Detection layers: Threat Intelligence, Analytics & ML, File Delivery & Payload, Signature.
Technologies shown on the slide: Dynamic Threat Intelligence, Skyfeed, Indicators of Compromise, Callback, Binocolo, Global Cache, SmartVision, Riskware, Analytics Rules, MalwareGuard, Multi-Vector Execution (MVX Behavior, MVX Static, MVX Correlation, MVX FUME), SmartLauncher, FAUDE (FAUDE Kraken, FAUDE PhishVision), Binocolo Phishing, Binocolo Central, Domain Reputation, Antivirus, ExploitGuard, Enterprise Search, Helix Rules.
22.
Threat Actors Exploit the Coronavirus to Facilitate Long-Standing Goals
https://intelligence.fireeye.com/reports/20-00005611
- FireEye Intelligence assesses with high confidence that the coronavirus is being exploited globally by state-sponsored espionage and information operations campaigns and by financially motivated actors.
- Coronavirus-themed malicious emails increased fourfold during the month of March 2020. However, coronavirus-related messages represented only two percent of overall malicious email detections.
- Use of JAR files and macros, and exploitation of CVE-2017-11882 and CVE-2018-0798.
- We suggest that organizations continue to prioritize their defensive strategies to counter the actors, malware and threat activity deemed most dangerous to their networks and users.
23.
FireEye Endpoint Product Overview
Protection and Detection: ExploitGuard; Real-time Indicators of Compromise; Malware Prevention; MalwareGuard
Investigation: Enterprise Search; Forensic Acquisition; Attack Summary and Audit Viewer; Network to Endpoint Automated Investigation; Off Network Investigation
Response: Quick Containment; Scalability
25.
Capabilities Comparison
Capabilities compared: Antivirus; Firewall / HIPS; Device Control; App Control; Network Access Control; Malware Prevention; Exploit Guard; Behavior / ML; Endpoint APT / Sandbox; IOC Alerting (Intel Integration); Enterprise Search; Live Response (IR); Threat Hunting; Remediation / Containment; Investigation & Forensics
Product classes compared:
▪ AV – signature based (known malware)
▪ NGAV – behavior / ML (unknown malware)
▪ EDR – IOC, hunting (detecting the attacker)
26.
Endpoint testing
▪ EPP
– Malware testing
▪ Public malware
▪ In-house developed malware
– Agent smoke-test
▪ Does the agent cause problems?
– Performance measurement
▪ Low memory, CPU
▪ EDR
– Visibility check
– Data acquisition (Triage)
– Remediation capabilities
– Forensic capabilities
– Containment
– Threat hunting
27.
How effective are your Cyber Security operations?
WHAT is going on? How do you know a threat has been blocked? An analyst can't investigate if there is no visibility or information about a blocked threat.
WHERE should you focus? How do you determine what an attacker is trying to do, where they went and what was left behind?
HOW important is it? Do you have the context you need to effectively prioritize threats and act on them?
EDR addresses this
28.
Why do you need a Response?
▪ Was the compromise attempt successful?
▪ Am I dealing with a human or a bot?
▪ Was there any command and control activity?
▪ Was there lateral movement, and which user accounts were used to move laterally?
▪ Was there any data theft?
▪ What other systems were accessed?
EDR addresses this
29.
Hunting and Forensics
Overview
▪ Detailed endpoint investigation with complete activity timelines
▪ A single workflow for all actions and tasks
▪ Auto download of Triage data from compromised endpoints
▪ Investigation capabilities with HX Triage Viewer
▪ Single-click workflow based containment
Benefits
◆ Quickly identifies and contains endpoints when threats or suspicious activities are detected
◆ Immediate remediation strategy guidance with IR Engagement or Managed Defense customers
30.
Threat Hunting (Enterprise Search)
Overview
▪ Analysts can easily follow incidents from alert to resolution, where traditional security products can only detect malware or collect data
▪ Search for all evidence of advanced intrusions, not just malware, using endpoint monitoring and advanced forensics
▪ Reconnaissance, Compromised Credentials, Lateral Movement, Exfiltration
Benefits
▪ Visibility into the entire enterprise
▪ Ability to broadly search for known malicious behavior
▪ Ability to proactively "Hunt" for suspicious activity
▪ Comprehensive investigation capabilities on compromised endpoints
Investigate (on-premise and remote endpoints):
– Enterprise Search: a quick, broad investigation for simple indicators
– Live Response: a deep look at a single endpoint
Data available: DVR Cache, Service Listing, Port Listing, User Accounts, Scheduled Tasks, Process Listing, System Information, Disk/Volume Listing, Browser URL, File Download, DNS Routing, Driver Modules Listing, Drivers in Memory, Rootkit Hook Detection, Process Listing from Memory, Event Log History, Registry Hive Listing, File Listing from Raw Disk
31.
Adaptive Security Strategy
> Prevent Threats: applying intelligence to enhance system defense
>> Detect Incident: prioritize and contain with integrated methodologies
>>> Analyze: quickly hunt across 100k endpoints, deep forensics to analyze past events
>>>> Respond: investigate and remediate, adapting policy as needed
Continuous Visibility and Verification
32.
Breaches are Inevitable….
▪ Context from email and network
▪ Automated request for containment
▪ Automation rule books
▪ Alert prioritization
▪ Contextual intelligence
▪ Investigative tools
33.
….Impactful Breaches are Preventable!
34.
Cyber Security Maturity Curve
Axes: CAPABILITY (vertical) against CYBER SECURITY PROGRAM MATURITY (horizontal).
Stages, from least to most mature: Device Mgt → Network Operations Centre (NOC) → Security Operations Centre (SOC) → Cyber Incident Response Team (CIRT) → Cyber Defense Centre (CDC).
Capabilities plotted along the curve: Anti-Virus, Firewall, IDS/IPS, Incident Response Retainer, NG Firewall, SIEM, SIEM Monitoring, Logs Analytics, On-demand CIRT Services, Response Capability, Threat Intel & Data Analytics, Network Forensics, Advanced Threat Protection, Incident Response, Threat Intelligence Subscription, Threat Detection & Response, APT Hunting, Adaptive Detection, Investigation & Response, Proactive Hunting.
40.
APT38 Targeting
APT38 is a financially motivated North Korean regime-backed group responsible for conducting destructive attacks against financial institutions, as well as some of the world's largest cyber heists. Based on widely publicized operations alone, the group has attempted to steal more than $1.1 billion.
48.
How Can We Learn "What Happened"
▪ Not so good
– Reimage the machine and move on
– Google the malware name
▪ A little bit better
– Log files / SIEM provide some visibility
▪ Getting real answers
– Endpoint Detection & Response
– E.g. visibility into command line activity of the attacker
50.
Sophisticated, EDR Aware Attacker
▪ What we hoped to see:
– <Command> <parameter 1> <parameter 2> <parameter 3>
– net use e: \\FinanceServer\SWIFT_Procedures_Manuals spring2020 /user:BankDomain\FinanceUser
▪ What happened?
– The attacker has compromised the account of "FinanceUser"
– The attacker knows the password of FinanceUser is "spring2020"
– The attacker is performing reconnaissance on the Finance Server, looking for information about SWIFT
51.
Sophisticated, EDR Aware Attacker
▪ What we actually saw
– Cmd.exe evil-commands.bat > resultsfile
– Del evil-commands.bat
– Del resultsfile
▪ What happened?
– We need to know what's INSIDE evil-commands.bat and resultsfile
– We suspect the attacker has access to 120 machines
▪ This attacker is employing operational security (OPSEC) measures
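The two slides above describe what process telemetry can give an analyst: a command line that exposes the compromised account and its password, and the batch-wrapper-plus-cleanup sequence an EDR-aware attacker uses to keep the interesting part out of the telemetry. The following is an added example, not FireEye code and not part of the original deck: two rules run over a constructed process-event timeline. The event fields, rule names, the 10-minute cleanup window and the host/user names are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class ProcEvent:
    """One process-creation event as an EDR would record it (field names assumed)."""
    ts: datetime
    host: str
    user: str
    cmdline: str


# Rule 1: "net use <drive> \\server\share <password> /user:<domain\user>".
# The password is positional, so an attacker who types it puts it straight into telemetry.
NET_USE_RE = re.compile(
    r"^\s*net(?:\.exe)?\s+use\s+(?P<drive>\S+)\s+(?P<share>\\\\\S+)\s+"
    r"(?P<password>\S+)\s+/user:(?P<target_user>\S+)",
    re.IGNORECASE,
)
# Rule 2a: cmd.exe running a batch file with stdout redirected into a file.
BAT_REDIRECT_RE = re.compile(
    r'^\s*cmd(?:\.exe)?\s+(?:/c\s+)?"?(?P<bat>[^\s"]+\.bat)"?\s*>>?\s*"?(?P<out>[^\s"]+)"?',
    re.IGNORECASE,
)
# Rule 2b: del/erase of a file, optionally wrapped in "cmd /c" and with switches such as /f /q.
DEL_RE = re.compile(
    r'^\s*(?:cmd(?:\.exe)?\s+/c\s+)?(?:del|erase)\s+(?:/\S+\s+)*"?(?P<path>[^\s"]+)"?',
    re.IGNORECASE,
)
CLEANUP_WINDOW = timedelta(minutes=10)  # assumed: batch + output deleted this soon after running is suspicious


def file_basename(path: str) -> str:
    """Compare files by name only; the attacker may delete with a relative or absolute path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events: List[ProcEvent]) -> List[Dict]:
    """Run both rules over a process timeline and return alerts in time order."""
    alerts: List[Dict] = []
    pending: Dict[str, List[Dict]] = {}  # host -> batch runs awaiting cleanup
    for ev in sorted(events, key=lambda e: e.ts):
        m = NET_USE_RE.match(ev.cmdline)
        if m:
            alerts.append({
                "rule": "net_use_cleartext_password",
                "host": ev.host, "actor": ev.user,
                "share": m.group("share"), "target_user": m.group("target_user"),
                "password": m.group("password"),
            })
            continue
        m = BAT_REDIRECT_RE.match(ev.cmdline)
        if m:
            pending.setdefault(ev.host, []).append({
                "bat": file_basename(m.group("bat")), "out": file_basename(m.group("out")),
                "ts": ev.ts, "deleted": set(),
            })
            continue
        m = DEL_RE.match(ev.cmdline)
        if not m:
            continue
        name = file_basename(m.group("path"))
        for run in pending.get(ev.host, []):
            if ev.ts - run["ts"] > CLEANUP_WINDOW or name not in (run["bat"], run["out"]):
                continue
            run["deleted"].add(name)
            if run["deleted"] == {run["bat"], run["out"]}:  # both artifacts gone: OPSEC cleanup
                alerts.append({
                    "rule": "batch_wrapper_cleanup",
                    "host": ev.host, "actor": ev.user,
                    "batch": run["bat"], "output": run["out"],
                    "seconds_to_cleanup": (ev.ts - run["ts"]).total_seconds(),
                    "action": "acquire both files from raw disk before the clusters are reused",
                })
    return alerts


# Constructed sample telemetry, not real FireEye data. WS-HR-02 is a benign scheduled backup.
T0 = datetime(2020, 4, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    ProcEvent(T0, "WS-FIN-07", "BankDomain\\FinanceUser",
              r"net use e: \\FinanceServer\SWIFT_Procedures_Manuals spring2020 /user:BankDomain\FinanceUser"),
    ProcEvent(T0 + timedelta(minutes=5), "WS-FIN-07", "BankDomain\\FinanceUser",
              r"Cmd.exe evil-commands.bat > resultsfile"),
    ProcEvent(T0 + timedelta(minutes=5, seconds=3), "WS-FIN-07", "BankDomain\\FinanceUser",
              r"Del evil-commands.bat"),
    ProcEvent(T0 + timedelta(minutes=5, seconds=4), "WS-FIN-07", "BankDomain\\FinanceUser",
              r"Del resultsfile"),
    ProcEvent(T0 + timedelta(minutes=7), "WS-HR-02", "NT AUTHORITY\\SYSTEM",
              r"cmd.exe /c C:\Scripts\backup.bat > C:\Logs\backup.log"),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The benign backup job on WS-HR-02 also runs a batch file with redirected output, but nothing deletes the files, so it never alerts; it is the deletion of both the script and its output within minutes that marks the OPSEC-aware attacker, and the alert tells the responder exactly which two deleted files to acquire.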
53.
Attacker Operational Security (OPSEC)
OPSEC (Operational Security) is a term derived from the U.S. military and is an analytical process used to deny an adversary information that could compromise the secrecy and/or the operational security of a mission.
Source : https://www.tripwire.com/state-of-security/security-data-protection/opsec-everyone-not-just-people-something-hide/
60.
FireEye Endpoint Security Aligns To ATT&CK
T1003 FireEye Endpoint Security IOC
CREDENTIAL OUTPUT FILES (METHODOLOGY)
Source: Mandiant
Looks for credential output files by inspecting the first 64 bytes of written files. These indicators are based on common hash dumper tool outputs. This maps to the MITRE ATT&CK® Tactic: Credential Access, Technique: T1003 (OS Credential Dumping).
Source : https://attack.mitre.org/techniques/T1003/
61.
EDR - Looking Into File Contents
▪ The good news
– FireEye Endpoint Security already does this today, for many different reasons
▪ The bad news
– Most of those reasons only require 64 bytes of data, which isn't enough for our purposes
– It's not practical to record more than 64 bytes of every file ever written on every machine, so this setting is not configurable
▪ The other good news
– FireEye Endpoint Security is extensible via API
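An added example, not Mandiant's actual IOC logic and not FireEye code, of the kind of check the two slides above describe: a classifier for credential-dump output that decides from only the first 64 bytes of a written file, and a demonstration of the limit that motivates going through the API for the full content. The match patterns are illustrative (pwdump/secretsdump-style hash lines, the mimikatz banner, and the minidump magic an LSASS process dump starts with), and the sample file contents are constructed.

```python
import re
from typing import Dict, Optional

PREFIX_BYTES = 64  # the sensor limit described above

# Illustrative patterns for common hash-dumper output (assumed, not Mandiant's IOC).
# Each must be decidable from the first 64 bytes of the file.
PATTERNS = [
    # pwdump/secretsdump style "user:RID:LM-hash:NT-hash:::". A full line is ~88 bytes, longer
    # than the 64-byte window, so only the prefix through the start of the NT hash is required.
    ("pwdump_style_hashes",
     re.compile(rb"^[^:\r\n]{1,30}:\d{1,6}:[0-9A-Fa-f]{32}:[0-9A-Fa-f]{0,32}", re.MULTILINE)),
    # mimikatz banner, or sekurlsa output, redirected into a file.
    ("mimikatz_output", re.compile(rb"mimikatz|Authentication Id\s*:", re.IGNORECASE)),
    # Windows minidump magic: an LSASS dump from procdump or comsvcs.dll MiniDump starts this way.
    ("minidump_header", re.compile(rb"\AMDMP")),
]


def classify(content: bytes, limit: Optional[int] = PREFIX_BYTES) -> Optional[str]:
    """Return the matching label, inspecting only the first `limit` bytes (None = whole file)."""
    window = content[:limit]
    for label, rx in PATTERNS:
        if rx.search(window):
            return label
    return None


def triage(files: Dict[str, bytes], limit: Optional[int] = PREFIX_BYTES) -> Dict[str, Optional[str]]:
    """Classify a batch of observed file writes (path -> content)."""
    return {path: classify(data, limit) for path, data in files.items()}


# Constructed sample file contents; the hashes are the well-known empty-password LM/NT values.
PWDUMP_LINE = b"Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\r\n"
SAMPLE_FILES = {
    r"C:\Windows\Temp\hashes.txt": PWDUMP_LINE
        + b"Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\r\n",
    r"C:\Windows\Temp\out.txt": b"  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08\r\n",
    r"C:\Windows\Temp\lsass.dmp": b"MDMP\x93\xa7\x00\x00" + b"\x00" * 60,
    r"C:\Users\finance\report.txt": b"Quarterly finance report, Q1 2020\r\nPrepared for the board.\r\n",
    # 70 bytes of tool banner push the hash lines past the 64-byte window: missed at sensor level.
    r"C:\Windows\Temp\dump.log": b"#" * 70 + b"\r\n" + PWDUMP_LINE,
}

if __name__ == "__main__":
    for path, label in triage(SAMPLE_FILES).items():
        print(f"{label or '-':22} {path}")
    print("dump.log with full content:", classify(SAMPLE_FILES[r"C:\Windows\Temp\dump.log"], limit=None))
```

The last sample shows the slide's bad news in practice: the same hash lines are classified correctly once the whole file is available (`limit=None`), but not from the 64-byte prefix, which is why the full content of suspect files has to be pulled through the API rather than asked of the sensor.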
64.
Evolution Of Endpoint Forensic Investigations … to understand "What Happened?"
Traditional SIEM
▪ Investigating in log data
Advanced EDR/XDR
▪ Investigate in EDR telemetry
▪ Investigate in network traffic history
Endpoint Security
▪ Investigate on the endpoints themselves, remotely and at scale
65.
FireEye Endpoint Security – Robust API
▪ 1,035-page API manual
▪ The FireEye Endpoint Security application programming interface (API) allows users to automate and integrate actions and solutions.
71.
FireEye Endpoint Security Value Returned
▪ Completely automated, customized monitoring
▪ Customized to the attacker's tactics
▪ Reduced hours billed to the client
▪ Got to "What Happened" much faster
▪ Removed the attacker before they could impact the bank
73.
Outcome
No Lost Millions. No Leadership Resignations.
Source : https://www.straitstimes.com/asia/south-asia/bangladesh-central-bank-governor-says-is-ready-to-resign-over-112m-cyber-heist
Source : https://www.theregister.co.uk/2017/10/11/hackers_swift_taiwan/