Endpoint Detection & Response - FireEye

FireEye Endpoint Security War Story
Ranjit Sawant

©2019 FireEye©2019 FireEye
▪ With over 16 years’ experience in Information Security, he has been working with
various verticals such as BFSI, IT Services and Manufacturing
▪ 8+ years focus & investment is on solutions for Advance Persistent Threats.
▪ Instrumental in supporting key customers with Advanced Threat Protection roadmap &
strategy, solution architecture and business cases.
▪ As Subject Matter Expert for Advanced Threats, he has worked with few prominent
Indian customers within critical industries, to create and design a security solution
aligned to specific business needs.
▪ He firmly believes that Cyber Security is a fast-moving environment, and you will need
to stay a step ahead of the cyber criminals.
▪ Post completing his graduation from a Military Academy, he completed computer
studies from IIHT and Business Management from Welingkar Institute of Management.
Presenter
Ranjit Sawant, FireEye Inc.

▪Attackers don’t Rest
▪Rise in attacks in Covid19 themes
▪Advanced Attack Life Cycle
▪Defining Goals correctly
▪FireEye Endpoint Security Overview
▪WAR STORY
▪Demo
▪Q&A
Agenda Overview
3

Covid19 - Biological and Digital
6

– Sudden move to a distributed
workforce with no field movement
– Staff shortages, in general or due to
sickness
– Ransomware shutting down
organizations worldwide.
– COVID-19-related spear phishing
– Information operations spreading
misinformation
– Targeted attempts to steal intellectual
property from healthcare-focused
research institutions
– Impact on supply chain disruptions on
the flow of medical supplies, teams, or
material, including manufacturing
– Fake News upsurge
– Demanding uptick for latest information
by masses on Covid-19 situation
Present Scenario & Concerns
7

• Malicious actors have always exploited users’ sense of urgency, fear, goodwill
and mistrust
• Threat actors exploiting current crisis is not new.
• Attackers simply take advantage of a particularly overtaxed target set that is
urgently seeking new information.
• Users who are aware of this dynamic, and who approach any new information
with cautious skepticism will be especially prepared to meet this challenge.
Current Situational Implications

▪ Few LURE DOCUMENT VISUALS
Spur in COVID-19 based Cyber Attacks
9

Attackers leveraging all possible vectors (Email, Web, Endpoints)
Social Distancing
10

▪ COVID-19 has rapidly taken over the headlines
▪ Increased risks due to users working from home
en masse.
▪ Threat actors aligning with the COVID-19 topic
for Targetted campaigns
– Financial crime, cyber espionage and
information operations.
– Increasing attack by financially motivated
threat actors seeking to exploit their sense of
urgency, fear, goodwill and mistrust.
– Attackers use email to deliver malware in an
effort to establish a foothold
– Siphon account credentials through phishing
tactics.
There are viruses, and then there are viruses
11
Example of a COVID-19 phishing email used by TEMP.Warlock threat group.

Strengthen
Position within
Target
Establish
Foothold
Package and
Steal Target Data
Complete
Mission
Initial
Compromise
Lateral
Movement
Maintain
Presence
Initial
Recon
Steal Valid User
Credentials
Escalate
Privileges
Identify
Target Data
Internal
Recon
Identify
Exploitable
Vulnerabilities
Gain Initial
Access
Into Target
Advanced Threat Attack Lifecycle
PREVENTION
DWELL TIME / IMPACT
RESPONSE
DETECTION
Malware Problem Human Attacker Problem
BREACH IMPACT
The global median dwell time in 2018 is 204 days, down from 54 days in 2019. (APAC)

Mandiant M-Trend Investigation Report
13
•
•
•

APAC Median Dwell Time
14

APT is a “WHO”….. Not a “WHAT”
Malware Attacker

Define your goal carefully
Are you trying to solve the
APT problem
by catching more malware?

Attacker
Malware Social Engineering Password Theft Legit Tool Abuse
Malware is just one attack vector!

©2019 FireEye
▪ 2nd password reset after
report
▪ 12GB gone over 3 days
▪ Reset unsuccessful?
– ActiveSync
▪ SPAM

©2019 FireEye©2019 FireEye20
What Makes FireEye’s Intelligence Authoritative?
▪ An unparalleled knowledge repository on all stages of attacker operations.
Combative Intelligence (Dark & Deep)
Deploying global researchers with
local knowledge
• 22 countries
• 32+ languages
• 700+ analysts and researchers
Machine Intelligence
Generating attack telemetry globally
• 15,000 sensors
• 56 countries
• Generating tens of millions of MVX
detonations per hour
• 32/63 Zerodays Detected
Victim Intelligence (Mandiant)
Responding to the most significant
breaches
• 15+ years of investigative expertise
• 200+ of the Fortune 500
• 26 countries with consultants
Managed Defense Intelligence
Witnessing attacks as they unfold
• 4 Security Operations Centers
• 99m+ events ingested
• 21m+ alerts validated by Intel
• 33,700+ incidents dispositioned

Dynamic Threat
Intelligence
Skyfeed
Indicators of Compromise
Callback
Binocolo
Global Cache
SmartVision
Riskware
Analytics Rules
MalwareGuard
Multi-Vector Execution
MVX Behavior
MVX Static
MVX Correlation
MVX FUME
SmartLauncher
FAUDE
FAUDE Kraken
FAUDE PhishVision
Binocolo Phishing
Binocolo Central
Domain Reputation
Antivirus
ExploitGuard
Ent. – Search
Helix Rules
Analytics & ML File Delivery & Payload Signature
FireEye
Helix
FireEye
Email
Security
FireEye
Network
Security
FireEye
Endpoint
Security
Threat Intelligence
21
The FireEye Technologies Working Together

Threat Actors Exploit the Coronavirus
to Facilitate Long-Standing Goals
22 https://intelligence.fireeye.com/reports/20-00005611
- FireEye Intelligence assesses with high confidence the
coronavirus is being exploited globally by state-
sponsored espionage and information operations
campaigns and by financially motivated actors.
- Coronavirus-themed malicious emails increased
fourfold during the month of March 2020. However,
coronavirus-related messages represented only two
percent of overall malicious email detections.
- Use of JAR files and macros, and exploitation of CVE-
2017-11882 and CVE-2018-0798.
- We suggest that organizations continue to prioritize
their defensive strategies to counter the actors,
malware, and threat activity deemed most
dangerous to their networks and users

FireEye Endpoint Product Overview
InvestigationProtection and
Detection
Response
ExploitGuard
Real-time
Indicators of
Compromise
Malware
Prevention
Enterprise Search
Forensic Acquisition
Attack Summary and
Audit Viewer
Network to Endpoint
Automated Investigation
Quick
Containment
Scalability
Off Network
Investigation
MalwareGuard

Break The Attack Lifecycle

Capabilities Comparison
Antivirus
Firewall / HIPS
Device Control
App Control
Network
Access Control
Malware
Prevention
Exploit Guard
Behavior / ML
Endpoint APT/
Sandbox
IOC Alerting (Intel
Integration)
Enterprise Search
Live Response (IR)
Threat Hunting
Remediation /
Containment
Investigation &
Forensics
AV - Signature based
(Known Malware)
NGAV – Behavior / ML
(unknown Malware)
EDR – IOC, Hunting
(Detecting Attacker)

Endpoint testing
26
▪ EPP
– Malware testing
▪ Public malware
▪ In house developed
malware
– Agent smoke-test
▪ Does the agent cause
problems?
– Performance
measurement
▪ Low memory, CPU
▪ EDR
– Visibility check
– Data acquisition
(Triage)
– Remediation
capabilities
– Forensic capabilities
– Containment
– Threat hunting

How effective are your Cyber Security
operations?
WHAT
is going on?
How do you know a
threat has been
blocked?
An analyst can’t
investigate if there is
no visibility or
information about a
blocked threat?
WHERE
should you focus?
How do you determine
what an attacker trying
to do, where did he go
and if what was left
behind?
HOW
important is it?
Do you have the
context you need to
effectively prioritize
threats and act on
them?
27
EDR addresses this

Why do you need a Response?
▪ Was the compromise attempt successful?
▪ Am I dealing with a human or a bot?
▪ Was there any command and control activity?
▪ Was there lateral movement and which user accounts were
used to move laterally?
▪ Was there any data theft?
▪ What other systems were accessed ?
EDR addresses this

Hunting and Forensics
29
Overview
▪ Detailed endpoint investigation with complete
activity timelines
▪ A single workflow for all actions and tasks
▪ Auto download of Triage data from compromised
endpoints
▪ Investigation capabilities with HX Triage Viewer
▪ Single-click workflow based containment
Benefits
◆ Quickly identifies and contains endpoints when
threats or suspicious activities are detected
◆ Immediate remediation strategy guidance with
IR Engagement or Managed Defense customers

Threat Hunting (Enterprise Search)
30
Overview
▪ Analysts can easily follow incidents from alert to
resolution where traditional security products can
only detect malware or collect data
▪ Search for all evidence of advanced intrusions, not
just malware, using endpoint monitoring and
advanced forensics
▪ Reconnaissance, Compromised Credentials,
Lateral Movement, Exfiltration
Benefits
▪ Visibility into the entire enterprise
▪ Ability to broadly search for known malicious
behavior
▪ Ability to proactively “Hunt” for suspicious activity
▪ Comprehensive investigation capabilities on
compromised endpoints
ON PREMISE ENDPOINTS REMOTE ENDPOINTS
DVR Cache
Service Listing
Port Listing
User Accounts
Scheduled Tasks
Process Listing
System Information
Disk/Volume Listing
Browser URL
File Download
DNS Routing
Driver Modules Listing
Drivers in Memory
Rootkit Hook Detection
Process Listing from
Memory
Event Log History
Registry Hive Listing
File Listing from Raw Disk
Investigate
Enterprise Search
A quick broad investigation for simple indicators
Live
Response
Deep Look

Adaptive Security Strategy
> Prevent Threats
applying intelligence to
enhance system defense
>> Detect Incident
prioritize and contain with
integrated methodologies
>>>> Respond
investigate and remediate,
adapting policy as needed
>>> Analyze
Quickly hunt across 100k
endpoints, deep forensics
to analyze past events
Continuous
Visibility
and
Verification

©2019 FireEye
▪ Context from email and network
▪ Automated request for containment
▪ Automation rule books
▪ Alert prioritization
▪ Contextual intelligence
▪ Investigative tools
32
Breaches are
Inevitable….

©2019 FireEye
▪ Context from email and network
▪ Automated request for containment
▪ Automation rule books
▪ Alert prioritization
▪ Contextual intelligence
▪ Investigative tools
33
….Impactful
Breaches are
Preventable!

Cyber Security Maturity Curve
34
CAPABILITY
DEVICE MGT
NETWORK OPERATIONS
CENTRE (NOC)
C Y B E R S E C U R I T Y P R O G R A M M A T U R I T Y
SECURITY OPERATIONS CENTRE
(SOC)
CYBER INCIDENT RESPONSE
TEAM (CIRT)
CYBER DEFENSE CENTRE
(CDC)
MATURITY
Anti-Virus
Firewall
IDS/IPS
Incident Response
Retainer
NG Firewall
SIEM
SIEM
Monitoring
Advanced
Threat Protection
Threat Detection
& Response
Logs
Analytics
On-demand
CIRT Services
Response
Capability
Threat Intel &
Data Analytics
Network
Forensics
Incident
Response
Threat
Intelligence
Subscription
APT
Hunting
Adaptive
Detection
Investigation &
Response
Proactive
Hunting

Asian Bank, Security Conscious

APT38 is a financially
motivated North Korean
regime-backed group
responsible for conducting
destructive attacks against
financial institutions, as well
as some of the world's
largest cyber heists. Based
on widely publicized
operations alone, the
group has attempted to
steal more than $1.1 billion.
APT38 Targeting

Money, Money, Money

Kevin Mandia Defines IR In 8 Words
44
Putting IR in layman terms for a Congressional audience

Kevin Mandia Defines IR In 8 Words
45
Putting IR in layman terms for a Investment Analyst audience

“What Happened
And
What To Do About It”
Incident Response Is Understanding:
46

▪ Not so good
– Reimage the machine and move on
– Google the malware name
▪ A Little bit better
– Log Files / SIEM provides some visibility
▪ Getting Real Answers
– Endpoint Detection & Response
– E.g. visibility into command line activity of the attacker
How Can We Learn “What Happened”

Command
Name and
Command
Parameters
included in
Alert

▪ What We Hoped to see :
– <Command> <parameter 1> <parameter 2> <parameter 3>
– net use e: FinanceServerSWIFT_Procedures_Manuals spring2020
/user:BankDomainFinanceUser
▪ What Happened ?
– The attacker has compromised the account of “FinanceUser”
– The attacker knows the password of FinanceUser is “spring2020”
– The attacker is reconing the Finance Server looking for info about SWIFT
Sophisticated, EDR Aware Attacker
50

▪ What We Actually Saw
– Cmd.exe evil-commands.bat > resultsfile
– Del evil-commands.bat
– Del resultsfile
▪ What Happened ?
– We need to know what’s INSIDE evil-commands.bat and resultsfile
– We suspect the attacker has access to 120 machines
▪ This attacker is employing operational security (OPSEC) measures
Sophisticated, EDR Aware Attacker
51

What is Operational Security
52

OPSEC (Operational Security) is
a term derived from the U.S.
military and is an analytical
process used to deny an
adversary information that
could compromise the secrecy
and/or the operational security
of a mission.
Attacker Operational Security (OPSEC)
53
Source : https://www.tripwire.com/state-of-security/security-data-protection/opsec-everyone-not-just-people-something-hide/

We need to know the File Contents
54

Magic Bytes
55
File.exe File.pdf

Magic Bytes
56
MZ PK..%PDF-

Initial File
Data
including
“Magic
Bytes”
contained
in alert
57

File Is Malicious 68/70 On Virus Total
58

Initial File
Data reveals
MITRE
ATT&CK
Technique
1003

CREDENTIAL OUTPUT FILES (METHODOLOGY)
Source: Mandiant
Looking for credential output files in first 64
bytes. These indicators are based on
common hash dumper tool outputs. This is
associated to MITRE ATT&CK (r) Tactic:
Credential Access and Technique: T1003
FireEye Endpoint Security Aligns To ATT&CK
60
Source : https://attack.mitre.org/techniques/T1003/
T1003 FireEye Endpoint Security IOC

▪ The Good News
– FireEye Endpoint Security already does this today for many different reasons
▪ The Bad News
– Most of those reasons only require 64 bytes of data which isn’t enough for our
purposes
– It’s not practical to record more than 64 bytes of every file ever written on every
machine so this setting is not configurable
▪ The Other Good News
– FireEye Endpoint Security is Extensible via API
EDR - Looking Into File Contents
61

FireEye Endpoint Security API
62

The Challenge – Why do We Need An API ?
63
Logs
Streaming
Telemetry
Endpoint

Traditional SIEM
▪ Investigating in Log Data
Advanced EDR/XDR
▪ Investigate in EDR Telemetry
▪ Investigate in Network Traffic History
Endpoint Security
▪ Investigate on Endpoints themselves
remotely & at scale
Evolution Of Endpoint Forensic Investigations
… to understand
“What Happened?”

▪ 1,035 Page API Manual
▪ The FireEye Endpoint Security application
programming interface (API) allows users to
automate and integrate actions and
solutions.
▪ API = Application Programming Interface
FireEye Endpoint Security – Robust API

Step 1 : Create a new IOC in the GUI
66

Step 2 : API Call To Watch For Alert From IOC
67
FireEye Endpoint
Security
Compromised
Endpoint
Management
Station

Step 3 : Acquire File Off Machine That Alerted
68
FireEye Endpoint
Security
Compromised
Endpoint
Management
Station

Step 4 : Retrieve Acquired File From GUI
69

▪ Completely automated, customized monitoring
▪ Customized to Attackers tactics
▪ Reduced hours billed to client
▪ Got to “What Happened” much faster
▪ Removed the attacker before they could impact the bank
FireEye Endpoint Security Value Returned

No Lost Millions No Leadership Resignations
Outcome
Source : https://www.straitstimes.com/asia/south-asia/bangladesh-central-bank-governor-says-is-ready-to-resign-over-112m-cyber-heist
Source : https://www.theregister.co.uk/2017/10/11/hackers_swift_taiwan/

Endpoint Detection & Response - FireEye

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Endpoint Detection & Response - FireEye

Similar a Endpoint Detection & Response - FireEye (20)

Más de Prime Infoserv

Más de Prime Infoserv (20)

Último

Último (20)

Endpoint Detection & Response - FireEye