Avoiding a Sophisticated, Targeted Breach: Critical Guidance for Healthcare Organizations
TRANSCRIPT
© 2017 Cybereason Inc. All rights reserved.
Attackers Are Becoming More and More Successful, Little Security Disruption
The paradigm graph
[Graph: success rate over time; curves for Attackers and Defenders]
Attacker-Defender paradigm in question: 100% success
• Advanced adversaries succeed almost 100% of the time
• BUT, attackers have some inherent vulnerabilities too - an attack is composed of dozens or even hundreds of steps
• With the right procedures and toolset in place, a defender can turn any (very likely) mistake made by an attacker into a complete exposure of the malicious operation
Black market trafficking of compromised enterprise computing resources
A new incident is detected
• Is it Targeted or Untargeted?
• Is it relevant?
• A completely untargeted threat can turn into a targeted operation within hours
Business Rationale
Monetization Method     Machine Lifetime Value
Adware/Click-fraud      $18 – $36
Bulk Sale               $10 – $20
Unit Sale               $10 – $1000
Black market machine trading – Machine Valuation
Basic – Approx. +50% on "commodity price" (~$5-$10)
• Admin privs
• Public IP
• Network bandwidth
Nice – Between +50% - 1,000%
• Installed software / Accessed websites
Jackpot – Between +1,000% - 10,000%
• Enterprise affiliation
Black market machine trading
Black market Code of Conduct
Black market machine trading – US-based machines
Black market machine trading – Some statistics
Percentage of compromised machines for sale per state – Top 5:
• 1st prize goes to: California, 21%
• 2nd prize goes to: New Jersey, 11%
• 3rd prize goes to: New York, 6%
• 4th prize goes to: Texas, 6%
• 5th prize goes to: Iowa, 6% (what?!...)
Examining a Threat Escalation Incident: Case Study
Black market machine trading – Case study
Incident details, as seen in several enterprises:
• Starts with untargeted, known file-less click-fraud tool, affecting several machines in the enterprise network
• Detection was based on malicious use of PowerShell and malware communication with known malicious C2 domains/IPs
• De-prioritized by SOC based on low damage potential
Black market machine trading – Case study
Incident details, as seen in several enterprises:
• SOC continues to monitor the compromised endpoints (automated), and blocks access to the known C2
• 5 days later, 1 machine stops attempting to communicate with known C2 and is detected performing DGA and connecting to a previously unknown C2
• C2 communications now occur only when "outside" the corporate network (no C2 when local IP is in the enterprise subnet, only when on 192.168.* or 10.0.*)
Black market machine trading – Case study
Incident details, as seen in several enterprises:
• Over the next 24 hours C2 communication profile changes to include downloading and uploading significantly more data, and click-fraud tool escalated privileges to Local System
• Before (typical click-fraud):
Black market machine trading – Case study
Incident details, as seen in several enterprises:
• Over the next 24 hours C2 communication profile changes to include downloading and uploading significantly more data
• After (could indicate a heavier protocol transmitted over port 8080 / download of additional modules / exfiltration of broader system information):
Black market machine trading – Case study
Incident details, as seen in several enterprises:
• Attack tool injects code and migrates into msdtc.exe process
• Below, msdtc.exe establishing C2 connection with previously DGA-established C2:
Behavioral Indicators of a transaction
TTPs of Seller-Marketplace-Buyer Relationship: C2
• Continuous/reliable/auto-verifiable command and control channel – RDP, SSH
  • Required to enable the transaction
  • Can use non-standard ports, reverse connections, encapsulation in other protocols (e.g. HTTP)
  • Exact configuration & persistence method depend on the seller
• Tasking-based C2 is very rare in marketplaces since it doesn't naturally fit the above 3 criteria
• Once the buyer goes in, a different mechanism may be put in place
TTPs of Seller-Marketplace-Buyer Relationship: Priv. Esc.
• Priv. Esc. – Admin access is worth more than unprivileged user access.
• Process/installed software enumeration and browser history enumeration. Relevant software and browsing history can up the price of a compromised machine by 100x
TTPs Detection – How to break the system?
Change in C2
• From known malicious IP/domain to unknown IP/domain
• From straight IP/domain to DGA
• Question connections to RDP service – especially on already compromised machines
  • Long lasting connections
  • Change in RDP configuration
• Question unfamiliar modules loaded as part of the remote assistance service
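The case study (a host that stops contacting the known click-fraud C2, starts DGA lookups, and beacons only when its local IP is outside the enterprise subnet), the C2 channel TTPs (long-lived RDP/SSH sessions) and the "Change in C2" bullets above all describe hunts a SOC can run over its own connection logs. The script below is an added example written for this transcript; it is not Cybereason's code. The flow-log format, the known-C2 list, the enterprise subnet (10.20.0.0/16), the allow-listed suffix and every threshold are constructed assumptions, and the DGA test is a crude entropy heuristic rather than a classifier.

```python
"""Hunting for a change in C2 on already-compromised hosts (added example)."""
import ipaddress
import math
from collections import defaultdict
from datetime import datetime

KNOWN_C2 = {"bad-clickfraud.example", "203.0.113.50"}   # constructed: C2 the SOC already blocks
ENTERPRISE_NET = ipaddress.ip_network("10.20.0.0/16")    # constructed: 192.168.* / 10.0.* are "outside"
ALLOWED_SUFFIXES = (".corp.example",)                    # constructed: expected corporate destinations
RDP_PORT = 3389
LONG_SESSION_SECONDS = 3600                              # constructed threshold for "long lasting"
DGA_MIN_LEN, DGA_MIN_DIGITS, DGA_ENTROPY = 10, 2, 3.2    # constructed heuristic thresholds

# Constructed flow log: (timestamp, host, local_ip, peer, service_port, duration_s).
# service_port is the service side of the flow, whichever end initiated it.
LOG = [
    ("2017-03-01T09:00:00", "WS-042", "10.20.4.17", "bad-clickfraud.example", 80, 2),
    ("2017-03-01T09:05:00", "WS-042", "10.20.4.17", "bad-clickfraud.example", 80, 2),
    ("2017-03-01T09:05:00", "WS-077", "10.20.4.90", "bad-clickfraud.example", 80, 2),
    # five days later WS-042 drops the known C2 and beacons to DGA-looking names on 8080,
    # but only while its local IP is outside the enterprise subnet
    ("2017-03-06T20:10:00", "WS-042", "192.168.1.23", "xq7lmf92ksdn.net", 8080, 5),
    ("2017-03-06T20:40:00", "WS-042", "192.168.1.23", "a9fj3kd0wq1zpl.com", 8080, 5),
    ("2017-03-07T08:30:00", "WS-042", "10.20.4.17", "intranet.corp.example", 443, 1),
    # a 90-minute RDP session on the same already-compromised host
    ("2017-03-07T21:00:00", "WS-042", "192.168.1.23", "198.51.100.9", 3389, 5400),
    # WS-077 keeps its old, known behaviour and produces no new finding
    ("2017-03-06T09:05:00", "WS-077", "10.20.4.90", "bad-clickfraud.example", 80, 2),
]


def shannon_entropy(s):
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_dga(peer):
    """Crude heuristic: a long, high-entropy second-level label mixing letters and digits."""
    try:
        ipaddress.ip_address(peer)
        return False                      # a bare IP is a 'straight' destination, not DGA
    except ValueError:
        pass
    labels = peer.split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]
    digits = sum(ch.isdigit() for ch in label)
    return (len(label) >= DGA_MIN_LEN and digits >= DGA_MIN_DIGITS
            and shannon_entropy(label) >= DGA_ENTROPY)


def hunt(log):
    """Per-host findings for hosts that were already seen talking to known C2."""
    by_host = defaultdict(list)
    for rec in sorted(log, key=lambda r: r[0]):
        by_host[rec[1]].append(rec)
    findings = {}
    for host, recs in by_host.items():
        known_times = [datetime.fromisoformat(r[0]) for r in recs if r[3] in KNOWN_C2]
        if not known_times:
            continue                      # slide: hunt especially on already compromised machines
        last_known = max(known_times)
        f = {"c2_shift": set(), "dga": set(), "offsite_only_c2": set(), "long_rdp": []}
        contacts = defaultdict(list)      # peer -> local IPs the host had when it talked to it
        for ts, _, local_ip, peer, port, duration in recs:
            if peer in KNOWN_C2 or peer.endswith(ALLOWED_SUFFIXES):
                continue
            contacts[peer].append(ipaddress.ip_address(local_ip))
            if datetime.fromisoformat(ts) > last_known:
                f["c2_shift"].add(peer)   # known malicious -> unknown IP/domain
            if looks_dga(peer):
                f["dga"].add(peer)        # straight IP/domain -> DGA
            if port == RDP_PORT and duration >= LONG_SESSION_SECONDS:
                f["long_rdp"].append((peer, duration))
        for peer in f["c2_shift"] | f["dga"]:
            # the case-study tell: C2 only while the local IP is outside the enterprise subnet
            if all(ip not in ENTERPRISE_NET for ip in contacts[peer]):
                f["offsite_only_c2"].add(peer)
        if any(f.values()):
            findings[host] = f
    return findings


if __name__ == "__main__":
    for host, f in hunt(LOG).items():
        print(host, f)
```

Only hosts with a prior known-C2 contact are examined, which is the slide's "especially on already compromised machines"; on a real estate the known-C2 set would come from the SOC's block list and the allow-list from asset inventory, and the DGA heuristic would be replaced by whatever the DNS telemetry already scores.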
TTPs Detection – How to break the system?
Change in privileges
• Monitor for processes performing priv. esc. – especially on already compromised machines
• Process/Installed software enumeration and browser history enumeration
• Stop of previous attack? In most cases – Not a good indicator… (No code of conduct for this on most marketplaces)
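The privilege-change bullets above can be turned into a review of endpoint process and file events for hosts the SOC already considers compromised. The script below is an added example for this transcript, not Cybereason's code: the event format, the host names, the user accounts, the enumeration command patterns and the browser history paths it matches are constructed assumptions. Note that a host stays on the compromised list even when its earlier C2 traffic has gone quiet, which is the slide's point that a stopped attack is not a good indicator.

```python
"""Privilege change and enumeration on already-compromised hosts (added example)."""
import re
from collections import defaultdict

SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"
# Constructed: hosts the SOC has flagged. A host is NOT removed because its old C2 went quiet.
COMPROMISED = {"WS-042"}

# Constructed patterns for process / installed-software enumeration in command lines.
ENUM_PATTERNS = [
    re.compile(r"\btasklist\b", re.I),
    re.compile(r"\bwmic\b.*\bproduct\b", re.I),
    re.compile(r"CurrentVersion\\Uninstall", re.I),
]
# Constructed patterns for browser history stores as they appear in file-access events.
BROWSER_HISTORY = [
    re.compile(r"\\User Data\\Default\\History$", re.I),   # Chrome history database
    re.compile(r"\\places\.sqlite$", re.I),                # Firefox history database
]

# Constructed events: (timestamp, host, image, user, detail, kind)
# kind is "process" (detail = command line) or "file" (detail = path accessed).
EVENTS = [
    ("2017-03-06T20:11:00", "WS-042", "powershell.exe", "CORP\\jdoe",
     "powershell.exe -w hidden (script omitted)", "process"),
    # the same image later runs as Local System on the same host: privilege change
    ("2017-03-07T02:30:00", "WS-042", "powershell.exe", SYSTEM_ACCOUNT,
     "powershell.exe -w hidden (script omitted)", "process"),
    ("2017-03-07T02:31:00", "WS-042", "cmd.exe", SYSTEM_ACCOUNT,
     "cmd /c tasklist /v", "process"),
    ("2017-03-07T02:31:30", "WS-042", "cmd.exe", SYSTEM_ACCOUNT,
     "cmd /c reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall", "process"),
    ("2017-03-07T02:32:00", "WS-042", "msdtc.exe", SYSTEM_ACCOUNT,
     "C:\\Users\\jdoe\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History", "file"),
    # ordinary SYSTEM service and an admin's own tasklist on a host that is not flagged: ignored
    ("2017-03-07T02:40:00", "WS-100", "svchost.exe", SYSTEM_ACCOUNT, "svchost -k netsvcs", "process"),
    ("2017-03-07T09:00:00", "WS-100", "cmd.exe", "CORP\\admin", "cmd /c tasklist", "process"),
]


def review(events, compromised=COMPROMISED):
    """Per-host findings: privilege change, enumeration commands, browser history access."""
    users_seen = defaultdict(set)     # (host, image) -> accounts that image has run as
    findings = defaultdict(lambda: {"priv_esc": [], "enumeration": [], "browser_history": []})
    for ts, host, image, user, detail, kind in sorted(events, key=lambda e: e[0]):
        if host not in compromised:
            continue                  # slide: especially on already compromised machines
        key = (host, image)
        if kind == "process":
            # an image previously seen as a normal user now running as SYSTEM
            if user == SYSTEM_ACCOUNT and any(u != SYSTEM_ACCOUNT for u in users_seen[key]):
                findings[host]["priv_esc"].append((ts, image))
            users_seen[key].add(user)
            if any(p.search(detail) for p in ENUM_PATTERNS):
                findings[host]["enumeration"].append((ts, detail))
        elif kind == "file":
            if any(p.search(detail) for p in BROWSER_HISTORY):
                findings[host]["browser_history"].append((ts, image, detail))
    return dict(findings)


if __name__ == "__main__":
    for host, f in review(EVENTS).items():
        print(host, f)
```

The user-change check is deliberately keyed on (host, image) so that a service that has always run as SYSTEM produces nothing; a real deployment would also carry the parent process and integrity level from the endpoint sensor, and would treat a file access to a browser history store by anything other than the browser itself as the strongest of the three signals.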
House of Cards
Successful defense doesn't mean stopping every stage of the attack…
…find one component of the hack and, over time, the entire operation can collapse.
Returning Power to the Defenders
Be Proactive! Establish visibility! Hunt for cyber kill chain behaviors!
[Graph: success rate over time; curves for Attackers and Defenders]
Thank you.
www.cybereason.com