MT 36 Detecting Evasive Threats Network Edition

Upload: dell-world

Post on 22-Jan-2018

TRANSCRIPT

Page 1: Detecting advanced and evasive threats on the network

MT 36 Detecting Evasive Threats, Network Edition

Page 2: Events

• Opportunistic: 85.7%
• Exploits: 12.3%
• Ransomware: 1.2%
• Targeted: 0.5%
• FakeAV: 0.3%

A lot going on in the world

Page 3:

Pages 4-6: Motives vary

Page 7: What industry verticals are victims?

Targeted Intrusion Victims by Industry Vertical (percentages and labels paired in the order they appear on the slide)

• Manufacturing: 46%
• Technology Provider: 19%
• Education: 12%
• Other Services: 8%
• Retail: 4%
• Business Services: 4%
• Media: 4%
• Misc. Financial: 4%

Source: Targeted Threat Responses Jan 2015 – Sept 2015

Page 8: Threat groups

Candidate Threat Groups

• Known Tools (Infrastructure)
• Known Targets (pre-Compromise) & Victims (post-Compromise)
• Known Techniques & Procedures (Capability)
• Known Identity

Page 9: TG-0416 Vertical Hopscotch

Timeline chart: victim verticals (Healthcare, Government, Technology Providers, Manufacturing, Financial, Membership Organizations) plotted by half-year from H2 2011 through H1 2015.

Page 10: How are threat groups entering networks?

Targeted Intrusion Access Vector

• Phishing: 29%
• Credential Abuse: 29%
• Scan & Exploit: 29%
• Web Exploit: 14%

Source: Targeted Threat Responses Jan 2015 – Sept 2015

Page 11: Phishing…everyday occurrence

Page 12: Watch your webmail…spear phishing to corporate and personal mail

From: XXXXXXXX XXXXXXXX [mailto:[email protected]]
Sent: XXXXXXX, XXXXXXXX ##, 201X 11:01 PM
To: XXXXXXXX, XXXXXXXX
Subject: Internal Security Survey

Dear all,
Key target is finding and exploring company internal security problems in 201X.
Download the report: http://<company web domain>/download/survey.pdf
please fill the report and send to [email protected] tomorrow morning.

IT Department

Page 13: Strategic Web Compromise (SWC)

1. Adversary identifies websites known or suspected to be visited by designated target
2. Identified sites are probed for vulnerability
3. Adversary places exploits on one or more sites where it is likely to be accessed by targets
4. Users visit malicious website
5. Exploits are attempted against visitors. Delivery is often filtered by IP or other characteristics
6. Initial foothold malware is delivered to the victim

Diagram: Sites of Interest -> Identify Vulnerable Site & Place Exploit -> User Visits Compromised Site -> Exploit used to deliver initial foothold malware

Page 14: Exploiting weakness

1. Scans website for available vulnerabilities
2. Identifies Struts with unpatched vulnerabilities
3. Deploys China Chopper shell
4. Adversary can now try to escalate privileges, dump passwords and move laterally in internal network

Page 15: Credential abuse

• Exploitation of architecture and configuration vulnerabilities
  – just as effective
  – just as devastating
  – harder to detect
• Use available tools instead of malware
  – Steal credentials
  – Use existing administration tools
• Malware removed after initial intrusion compromises credentials

Page 16: No malware? No Problem

TG-0416

Page 17: Living off the Land

“Transport rule found on server that blind copies any messages with "CMS", "pw", "pwd", "pass" or "password" in the body or subject of an email on server XYZ to email account [email protected]”
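A rule like the one quoted above is persistence with no malware on disk, so it has to be found by auditing configuration rather than by scanning files. The following check is an added example, not code from the deck or from Secureworks or Dell: it reads the JSON that `Get-TransportRule | ConvertTo-Json` produces (the real property names Name, State, BlindCopyTo, SubjectOrBodyContainsWords and WhenChanged are used; that the export has this flat shape is an assumption) and reports every rule that blind-copies mail outside the organisation's domains. The sample rules, addresses, the domain list and the keyword list are constructed for the example.

```python
"""Audit exported Exchange transport rules for rules that BCC mail outside the org.

Added example, not from the original deck. Input is assumed to be the JSON written
by `Get-TransportRule | ConvertTo-Json`; the rules, addresses and domains below are
constructed for this example.
"""
import json

# Domains the organisation owns (assumption for this example).
ACCEPTED_DOMAINS = {"example.com", "mail.example.com"}

# Words from the quoted finding plus a few common variants (assumption).
CREDENTIAL_WORDS = {"cms", "pw", "pwd", "pass", "password", "passwd", "credential"}

SAMPLE_EXPORT = json.dumps([
    {   # Legitimate: copies contract mail to an internal mailbox.
        "Name": "Legal hold copy",
        "State": "Enabled",
        "BlindCopyTo": ["hold@example.com"],
        "SubjectOrBodyContainsWords": ["contract"],
        "WhenChanged": "2014-11-03T09:12:00",
    },
    {   # The pattern quoted on this page: password-bearing mail BCC'd externally.
        "Name": "Helpdesk routing",
        "State": "Enabled",
        "BlindCopyTo": ["ops-backup@webmail.example.net"],
        "SubjectOrBodyContainsWords": ["CMS", "pw", "pwd", "pass", "password"],
        "WhenChanged": "2015-06-01T02:47:00",
    },
    {   # Disabled external BCC: still reported, at lower severity.
        "Name": "Old forward",
        "State": "Disabled",
        "BlindCopyTo": ["archive@mailbox.example.net"],
        "SubjectOrBodyContainsWords": [],
        "WhenChanged": "2013-01-20T14:00:00",
    },
])

def domain_of(address: str) -> str:
    """Domain part of an SMTP address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()

def audit_rules(export_json: str, accepted=ACCEPTED_DOMAINS, words=CREDENTIAL_WORDS):
    """Return one finding per rule whose BlindCopyTo leaves the accepted domains.

    Severity is 'high' for an enabled rule that also keys on credential words,
    'medium' otherwise. Rules that only BCC internal mailboxes are not reported.
    """
    rules = json.loads(export_json)
    if isinstance(rules, dict):          # ConvertTo-Json emits a bare object for one rule
        rules = [rules]
    findings = []
    for rule in rules:
        external = [a for a in rule.get("BlindCopyTo") or [] if domain_of(a) not in accepted]
        if not external:
            continue
        hits = {w.lower() for w in rule.get("SubjectOrBodyContainsWords") or []} & words
        enabled = rule.get("State") == "Enabled"
        findings.append({
            "rule": rule["Name"],
            "external_bcc": external,
            "credential_words": sorted(hits),
            "severity": "high" if hits and enabled else "medium",
            "changed": rule.get("WhenChanged"),
        })
    return findings

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_EXPORT):
        print(f"{f['severity'].upper():6} {f['rule']!r} -> {', '.join(f['external_bcc'])}"
              f" words={f['credential_words']} changed={f['changed']}")
```

WhenChanged is reported because the useful question after a hit is whether the rule was modified during the suspected intrusion window; compare it against the timeline rather than the rule name, which an intruder chooses to look routine.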

Page 18: Current State of Affairs

How victims learned of targeted intrusions across their organizations:

• 60%: Third party detected adversary tradecraft
• 28%: Notified by law enforcement or government entity
• 12%: Staff discovered threat actor activity

Source: Targeted Threat Responses Jan 2015 – Sept 2015

50%: In half of targeted intrusions, the entry point of the threat actors was undetermined

100%: In all intrusions, threat actors “lived off the land” using stolen credentials and native tools to achieve their mission

Page 19:

• Next Generation Toolsets provide only limited value. Tools need to be updated with the latest Threat intelligence, continually monitored, and run by trained professionals.

The industry’s definition of defeat is different from our adversary's definition of winning.

Page 20: Malware doesn’t matter…the adversaries simply don’t care

XLSTrojan, Comfoo Trojan, Sajdela Trojan, Chinese Infostealer Blue Butterfly Lingbo, Dynamer, Targeted-CG, Orsam, Leouncia, Huntah, Poison Ivy, Bifrose, Hupigon, PcClient, gh0st, Wkysol, ZWShell, Mswab, Mirage, Wykcores, Hydraq, Whitewell, Werchan, Foxjmp, Sanshell, Lostmin, Pirp, httpBrowser, and many more…

骑驴找马 (ride the donkey while looking for a horse: make do with what you have until something better turns up)

Page 21:

Page 22: But I have a magic mobile machine learning cloud of advanced malware protection

• Endpoint security controls fail
  – AV fails
  – Whitelisting fails
  – Novel malware persistence mechanisms
    › DLL Side Loading
    › DLL Search Order Hijack
    › Binary modification
  – Memory based exploits
  – Rootkits
  – Even exploitation of the security software itself!
• Network controls fail
  – Encrypted binary protocols over HTTP
  – Use of common ports and protocols
  – Frequently burning infrastructure
  – Use of public services for C2 and exfil
• Log analysis detections fail
• Mobile Machine Learning Clouds of Advanced Malware Protection fail too!

Pages 23-24:

Page 25: Adaptable Persistent Threat

• Not a thing, a who
• Think project management…
  – Adversary has already planned for most common defenses and responses
  – Setbacks trigger planning or strategy shifts, not abandonment
• Plan to fail…
  – History teaches us that controls fail
  – Endpoint controls fail
  – Network controls fail
  – Log and SIEM analytics fail

Page 26:

Page 27: How do we win?

Page 28: Reduce time to detect advanced threat actor activity and reduce effort to respond to their operations

Page 29: Lots of opportunity

We win by disrupting the threat actors before they complete their mission of data exfiltration

• ~1 month before data loss begins
• ~2 weeks to data exfiltration
• ~6 weeks before the threat actors win

Page 30:

Page 31: I.N.T.E.L.L.I.G.E.N.C.E.

Page 32:

Page 33: Architecture Affects Visibility

627732;10Mar2015;3:58:15;a.a.a.a;log;vpnroute;;External;inbound;VPN-1 & FireWall-1;;chkma;Network;4;{00000000-0000-0000-0000-000000000000};EPC RULE;MSTerminalServices;x.x.x.17;y.y.y.136;tcp;;;;;3389;2913;;;IKE;ESP: 3DES + MD5 + DEFLATE;x.x.x.17;;;ACMEAPT_Access;VPN-1;VPN;;;;;;;;;;;;;;;;;compromisedusername;;;;;;;;;{11111111-1111-1111-1111-111111111111};IKE;ESP: AES-128 + MD5;38.109.75.18;;;ACMEAPT_Internal;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

Read left to right, this single semicolon-delimited gateway record carries the service (MSTerminalServices, tcp/3389), the source and destination hosts, the VPN rule (ACMEAPT_Access), the IKE/ESP tunnel parameters and the user name (compromisedusername). Whether an IDS or flow collector ever sees that RDP session depends on where the VPN tunnel terminates relative to the sensors; if it lands inside them, the gateway log is the only place the session is visible.

Page 34:

Page 35: How do you win? (The first 6 hours)

• Prevent the exploit
• Detect the malware execution
• Prevent or Monitor the malware execution

Page 36: Detect potential danger early

Page 37: DNS Telemetry

Resolution path drawn on the slide, between the internal name server, the .com root name server and the foo.com authoritative name server:

1. Request to the internal name server: A record evil.foo.com
2. Internal name server -> .com root name server, Request: NS record foo.com
3. NS Response (foo.com authoritative name server)
4. Internal name server -> foo.com authoritative name server, Request: A record evil.foo.com
5. A Record Response
6. A Record Response returned to the requester
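Every step of that exchange passes through the internal name server, which is why its query log is the telemetry worth keeping: it records which client asked for which name, before any traffic to evil.foo.com exists. The script below is an added example, not the deck's code: it runs two checks over resolver query logs, registered domains never seen in a baseline and a single client churning through many unique subdomains of one domain (a tunnelling or DGA indicator). The log lines are constructed in the older BIND 9 querylog layout (`client IP#port: query: NAME IN TYPE ...`), the baseline and hosts are assumptions, and the registered-domain split is a naive two-label rule rather than a public-suffix list.

```python
"""First-seen domain and subdomain-churn detection from resolver query logs.

Added example, not part of the original deck. Lines are constructed in the older
BIND 9 querylog format; the domain split uses a naive two-label rule rather than
the public suffix list (an assumption that is wrong for names like example.co.uk).
"""
import re
from collections import defaultdict

QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[\d.:a-f]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<name>\S+) IN (?P<qtype>[A-Z]+)"
)

def registered_domain(name: str) -> str:
    """Naive registrable domain: the last two labels (assumption, see docstring)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def parse_queries(lines):
    """Yield (client, name, qtype) for each querylog line that matches."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield m["client"], m["name"].rstrip(".").lower(), m["qtype"]

def analyse(lines, baseline, churn_threshold=20):
    """Return (new_domains, churn).

    new_domains: registered domain -> sorted clients, for domains not in baseline
    churn: (domain, client, unique name count) where one client resolved at least
           churn_threshold distinct names under one registered domain
    """
    clients_by_domain = defaultdict(set)
    names_by_domain_client = defaultdict(set)
    for client, name, _ in parse_queries(lines):
        dom = registered_domain(name)
        clients_by_domain[dom].add(client)
        names_by_domain_client[(dom, client)].add(name)
    new_domains = {d: sorted(c) for d, c in clients_by_domain.items() if d not in baseline}
    churn = [(d, c, len(n)) for (d, c), n in names_by_domain_client.items()
             if len(n) >= churn_threshold]
    return new_domains, sorted(churn)

# Constructed sample: two baseline domains, one first-seen domain, and one client
# resolving many random labels under a single registered domain.
BASELINE = {"example.com", "windowsupdate.com", "corp.local"}   # assumption

SAMPLE_LOG = [
    "01-Jun-2015 06:28:00.101 client 192.168.10.25#51234 (www.example.com): "
    "query: www.example.com IN A + (192.168.0.53)",
    "01-Jun-2015 06:28:00.233 client 192.168.10.31#49152 (update.windowsupdate.com): "
    "query: update.windowsupdate.com IN A + (192.168.0.53)",
    "01-Jun-2015 06:28:03.870 client 192.168.10.25#51240 (evil.foo.com): "
    "query: evil.foo.com IN A + (192.168.0.53)",
] + [
    f"01-Jun-2015 06:29:{i:02d}.000 client 192.168.10.25#5{i:04d} (x{i:03x}.tun.foo.com): "
    f"query: x{i:03x}.tun.foo.com IN TXT + (192.168.0.53)"
    for i in range(25)
]

if __name__ == "__main__":
    new, churn = analyse(SAMPLE_LOG, BASELINE)
    for dom, clients in new.items():
        print("first seen:", dom, "from", clients)
    for dom, client, n in churn:
        print(f"subdomain churn: {client} -> {n} unique names under {dom}")
```

The first-seen check is only as good as the baseline it is fed; build it from a few weeks of the same log before an incident, and expect the churn threshold to need tuning per environment (CDNs and telemetry services legitimately generate many unique labels).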

Page 38: IDS/IPS strategic and tactical detection

Page 39: How do you win? (The first 6 hours)

• Credential use
• Lateral movement technique
• Execution

Page 40: Internal netflow: What lateral movement looks like

(one record per line; dates are redacted on the slide as 06zz.yy)

06zz.yy:28:01.727 06zz.yy:28:04.703 6 192.168.x.y 0 17 192.168.a.b 2048 1 0 4 240
06zz.yy:28:01.759 06zz.yy:28:04.735 16 192.168.a.b 0 6 192.168.x.y 0 1 0 4 240
06zz.yy:28:14.199 06zz.yy:28:14.359 6 192.168.x.y 56639 17 192.168.a.b 445 6 6 7 1456
06zz.yy:28:14.231 06zz.yy:28:14.359 16 192.168.a.b 445 6 192.168.x.y 56639 6 2 5 1198
06zz.yy:28:16.611 06zz.yy:28:17.667 6 192.168.x.y 56640 17 192.168.a.b 80 6 2 3 200
06zz.yy:28:16.643 06zz.yy:28:17.699 16 192.168.a.b 80 6 192.168.x.y 56640 6 4 3 120
06zz.yy:28:44.258 06zz.yy:29:23.330 16 192.168.a.b 445 6 192.168.x.y 56644 6 2 128 10735
06zz.yy:28:44.258 06zz.yy:29:23.522 6 192.168.x.y 56644 17 192.168.a.b 445 6 2 221 274066
06zz.yy:29:56.517 06zz.yy:29:56.837 6 192.168.x.y 56644 17 192.168.a.b 445 6 0 6 1115
06zz.yy:29:56.549 06zz.yy:29:56.645 16 192.168.a.b 445 6 192.168.x.y 56644 6 0 5 948
06zz.yy:30:13.845 06zz.yy:30:13.909 6 192.168.x.y 56644 17 192.168.a.b 445 6 4 3 264
06zz.yy:30:13.877 06zz.yy:30:13.909 16 192.168.a.b 445 6 192.168.x.y 56644 6 0 2 224

Reading the columns as start, end, interface, source, source port, interface, destination, destination port, protocol, flags, packets and bytes (an inference; the slide gives no header): the source host pings the target (protocol 1, destination port field 2048, which is how an ICMP echo request is encoded), opens SMB on tcp/445, touches tcp/80, then within a minute pushes 221 packets and 274,066 bytes to tcp/445, consistent with a file being copied over SMB.

Page 41: How do you win?

• Tactical and Strategic detection of webshells

Page 42: Internal netflow: What network exploration looks like

(one record per line; dates are redacted on the slide as 06xx.yy)

06xx.yy:22:17.523 06xx.yy:22:17.523 6 192.168.x.y 60616 17 192.168.1.0 137 17 0 1 78
06xx.yy:22:17.523 06xx.yy:22:17.523 6 192.168.x.y 60616 17 192.168.1.1 137 17 0 1 78
06xx.yy:22:17.523 06xx.yy:22:17.523 6 192.168.x.y 60616 17 192.168.1.2 137 17 0 1 78
06xx.yy:22:17.555 06xx.yy:22:17.555 6 192.168.x.y 60616 17 192.168.1.3 137 17 0 1 78
06xx.yy:22:17.555 06xx.yy:22:17.555 6 192.168.x.y 60616 17 192.168.1.4 137 17 0 1 78
06xx.yy:22:17.555 06xx.yy:22:17.555 6 192.168.x.y 60616 17 192.168.1.5 137 17 0 1 78
06xx.yy:22:17.587 06xx.yy:22:17.587 6 192.168.x.y 60616 17 192.168.1.6 137 17 0 1 78
06xx.yy:22:17.587 06xx.yy:22:17.587 6 192.168.x.y 60616 17 192.168.1.7 137 17 0 1 78
06xx.yy:22:17.587 06xx.yy:22:17.587 6 192.168.x.y 60616 17 192.168.1.8 137 17 0 1 78
06xx.yy:22:17.619 06xx.yy:22:17.619 6 192.168.x.y 60616 17 192.168.1.10 137 17 0 1 78
06xx.yy:22:17.619 06xx.yy:22:17.619 6 192.168.x.y 60616 17 192.168.1.11 137 17 0 1 78

(more or less sequentially mapping the environment)

06xx.yy:42:45.159 06xx.yy:42:49.159 9 192.168.x.y 60616 0 192.168.253.78 137 17 0 1 78
06xx.yy:42:45.159 06xx.yy:42:49.159 9 192.168.x.y 60616 0 192.168.253.79 137 17 0 1 78
06xx.yy:42:45.167 06xx.yy:42:49.171 9 192.168.x.y 60616 0 192.168.253.80 137 17 0 1 78
06xx.yy:42:45.179 06xx.yy:42:49.179 9 192.168.x.y 60616 0 192.168.253.81 137 17 0 1 78
06xx.yy:42:45.191 06xx.yy:42:49.191 9 192.168.x.y 60616 0 192.168.253.82 137 17 0 1 78
06xx.yy:42:47.063 06xx.yy:42:47.063 9 192.168.x.y 60616 0 192.168.253.255 137 17 0 1 78

Scanned ~65k IPs in rapid succession…

Page 43: How do you win?

• Without significant tripwires, data exfiltration of sensitive intellectual property occurred in 6 weeks
• With proper visibility, the threat actors could have been detected at least 6 different ways within the first 6 hours of the intrusion

Page 44: Placeholder: iSensor slide showing China Chopper commands
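Page 41 asks for both tactical and strategic detection of webshells, and this slide would have shown China Chopper's commands on the wire. The code below is an added example, not the deck's code and not iSensor's logic, applying both layers to HTTP requests reconstructed by a sensor. The tactical layer matches the client-side markers public analyses document for China Chopper (an `eval(...)` of a base64-encoded payload in a POST parameter, `z0`/`z1` parameters, the `->|` / `<-|` framing the ASPX variant writes into the response); the strategic layer needs no signature and flags scripts that are only ever reached by POST, never carry a Referer and are driven by a handful of clients. The request dict shape, the URIs, client addresses and bodies are constructed for the example.

```python
"""Tactical (signature) and strategic (behavioural) webshell detection over HTTP.

Added example, not part of the original deck and not iSensor's logic. Requests are
assumed to arrive from a sensor as dicts with method, uri, client, headers and body;
the requests, URIs and addresses below are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlencode

# Tactical layer: client-side markers documented for China Chopper command traffic
# (an eval of a base64 payload, the ->| response framing, z0/z1 parameters).
TACTICAL = {
    "eval_of_base64": re.compile(r"eval\(.*(?:base64_decode|FromBase64String)", re.I | re.S),
    "chopper_framing": re.compile(r'Response\.Write\("->\|"\)'),
    "z0_param": re.compile(r"(?:^|&)z[0-9]=[A-Za-z0-9+/=%]{8,}"),
}
SCRIPT_EXT = (".php", ".asp", ".aspx", ".jsp", ".jspx", ".ashx")

def tactical_hits(request: dict) -> list:
    """Signature names matching the raw body or its url-decoded parameter values."""
    body = request.get("body", "")
    decoded = " ".join(v for vals in parse_qs(body, keep_blank_values=True).values() for v in vals)
    return [name for name, rx in TACTICAL.items() if rx.search(body) or rx.search(decoded)]

def strategic_hits(requests, max_clients=2) -> dict:
    """uri -> reason, for script URIs that behave like a backdoor rather than a page:
    only ever POSTed to, never carrying a Referer, and used by few clients."""
    by_uri = defaultdict(list)
    for r in requests:
        by_uri[r["uri"]].append(r)
    suspicious = {}
    for uri, reqs in by_uri.items():
        if not uri.lower().endswith(SCRIPT_EXT):
            continue
        methods = {r["method"] for r in reqs}
        has_referer = any(h.lower() == "referer" for r in reqs for h in r.get("headers", {}))
        clients = {r["client"] for r in reqs}
        if methods == {"POST"} and not has_referer and len(clients) <= max_clients:
            suspicious[uri] = (f"POST-only script, no Referer, {len(clients)} client(s), "
                               f"{len(reqs)} request(s)")
    return suspicious

def detect(requests) -> list:
    """(uri, client, layer, detail) for every tactical and strategic finding."""
    findings = [(r["uri"], r["client"], "tactical", name)
                for r in requests for name in tactical_hits(r)]
    findings += [(uri, "-", "strategic", why) for uri, why in strategic_hits(requests).items()]
    return findings

# Constructed command bodies in the documented PHP and ASPX China Chopper shapes.
CHOPPER_PHP = urlencode({"password": "@eval(base64_decode($_POST[z0]));",
                         "z0": "ZWNobyBzaGVsbF9leGVjKCJ3aG9hbWkiKTs="})
CHOPPER_ASPX = urlencode({"pass": 'Response.Write("->|");var err:Exception;try{eval(System.Text.'
                                  'Encoding.GetEncoding(65001).GetString(System.Convert.FromBase64String'
                                  '("d2hvYW1p")),"unsafe");}catch(err){Response.Write("ERROR:// "'
                                  '+err.message);}Response.Write("<-|");'})

SAMPLE_REQUESTS = [
    # normal use of the application (constructed)
    {"method": "GET", "uri": "/app/login.action", "client": "10.1.1.5",
     "headers": {"Referer": "http://www.example.com/"}, "body": ""},
    {"method": "POST", "uri": "/app/login.action", "client": "10.1.1.5",
     "headers": {"Referer": "http://www.example.com/app/login.action"}, "body": "user=a&pw=b"},
    {"method": "GET", "uri": "/app/contact.php", "client": "10.1.1.6",
     "headers": {"Referer": "http://www.example.com/app/"}, "body": ""},
    # shells dropped after the exploit, driven from external addresses
    {"method": "POST", "uri": "/app/img/cache.php", "client": "203.0.113.7", "headers": {}, "body": CHOPPER_PHP},
    {"method": "POST", "uri": "/app/img/cache.php", "client": "203.0.113.7", "headers": {}, "body": CHOPPER_PHP},
    {"method": "POST", "uri": "/app/img/x.aspx", "client": "198.51.100.9", "headers": {}, "body": CHOPPER_ASPX},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_REQUESTS):
        print(*finding)
```

The two layers fail differently: the signatures miss the first operator who changes the command template, while the behavioural check misses nothing that behaves like a backdoor but needs a full day or more of traffic per URI and a review of what it flags (upload handlers and API endpoints are POST-only by design). Both need the POST body, which ordinary web server access logs do not record; that is the argument for sensor-level capture on the web tier.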

Page 45: Exfil

• Top talkers
• Outbound flows
• Firewall/Proxy monitoring
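The flow records on pages 40 and 42 and the exfil indicators on this page are all answerable from the same internal flow export, so one small analyser serves all three. It is an added example, not the deck's code: it parses records in the column layout inferred from the slides (start, end, interface, source, source port, interface, destination, destination port, protocol, flags, packets, bytes, which is an assumption), then looks for a one-source sweep of many hosts on one port, for an ICMP echo followed by a large tcp/445 push to the same host, and for internal hosts ranked by bytes sent to non-RFC1918 addresses. The flows are constructed to mirror the slides, with concrete private addresses standing in for the redacted ones; they are not captured data.

```python
"""Sweep, lateral-movement and top-talker checks over exported flow records.

Added example, not the deck's code. Column layout is inferred from the slides and
assumed to be: start end in_if src sport out_if dst dport proto flags pkts bytes,
with HH:MM:SS.fff times on one day. All flows below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import NamedTuple

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class Flow(NamedTuple):
    start: datetime
    end: datetime
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    pkts: int
    bytes: int

def parse_flow(line: str, day: str = "2015-06-01") -> Flow:
    f = line.split()
    ts = lambda t: datetime.strptime(f"{day} {t}", "%Y-%m-%d %H:%M:%S.%f")
    return Flow(ts(f[0]), ts(f[1]), f[3], int(f[4]), f[6], int(f[7]),
                int(f[8]), int(f[10]), int(f[11]))

def internal(ip: str) -> bool:
    return any(ip_address(ip) in n for n in RFC1918)

def find_sweeps(flows, min_targets=50, window=timedelta(seconds=60)):
    """One source reaching many distinct hosts on one port within `window`
    (page 42: udp/137 probes across a /16, one 78-byte packet each)."""
    seen = defaultdict(list)
    for f in flows:
        seen[(f.src, f.proto, f.dport)].append((f.start, f.dst))
    alerts = []
    for (src, proto, dport), hits in seen.items():
        hits.sort()
        dsts = {d for _, d in hits}
        if len(dsts) >= min_targets and hits[-1][0] - hits[0][0] <= window:
            alerts.append({"src": src, "proto": proto, "dport": dport, "targets": len(dsts)})
    return alerts

def find_lateral_movement(flows, max_gap=timedelta(minutes=5), push_bytes=100_000):
    """ICMP echo request to a host followed within max_gap by a large tcp/445 push
    to the same host (page 40: ping, SMB, then ~270 KB sent over SMB)."""
    pings = defaultdict(list)
    for f in flows:
        # NetFlow packs ICMP type/code into the dport field: 8*256+0 = 2048 = echo request
        if f.proto == 1 and f.dport == 2048:
            pings[(f.src, f.dst)].append(f.start)
    return [{"src": f.src, "dst": f.dst, "bytes": f.bytes, "start": f.start}
            for f in flows
            if f.proto == 6 and f.dport == 445 and f.bytes >= push_bytes
            and any(timedelta(0) <= f.start - t <= max_gap for t in pings[(f.src, f.dst)])]

def top_talkers(flows, n=3):
    """Internal sources ranked by bytes sent to non-RFC1918 destinations (page 45)."""
    out = defaultdict(int)
    for f in flows:
        if internal(f.src) and not internal(f.dst):
            out[f.src] += f.bytes
    return sorted(out.items(), key=lambda kv: kv[1], reverse=True)[:n]

def _sample_lines():
    lines = [   # ping, SMB session, then a large SMB push (mirrors page 40)
        "06:28:01.727 06:28:04.703 6 192.168.10.25 0 17 192.168.20.9 2048 1 0 4 240",
        "06:28:01.759 06:28:04.735 16 192.168.20.9 0 6 192.168.10.25 0 1 0 4 240",
        "06:28:14.199 06:28:14.359 6 192.168.10.25 56639 17 192.168.20.9 445 6 6 7 1456",
        "06:28:14.231 06:28:14.359 16 192.168.20.9 445 6 192.168.10.25 56639 6 2 5 1198",
        "06:28:44.258 06:29:23.522 6 192.168.10.25 56644 17 192.168.20.9 445 6 2 221 274066",
        "06:28:44.258 06:29:23.330 16 192.168.20.9 445 6 192.168.10.25 56644 6 2 128 10735",
        # ordinary file-server use (no ping first, small transfer), then outbound traffic:
        # a normal TLS session and a 13 MB upload to an external host
        "06:40:02.100 06:40:02.300 6 192.168.10.77 50111 17 192.168.30.4 445 6 2 9 1800",
        "07:02:10.000 07:02:11.500 6 192.168.10.77 50200 3 203.0.113.80 443 6 2 40 9200",
        "07:15:00.000 07:31:12.000 6 192.168.10.25 50301 3 198.51.100.20 443 6 2 9800 13400000",
    ]
    base = datetime(2015, 6, 1, 6, 22, 17, 523000)   # udp/137 sweep of a /24 (page 42)
    for i in range(256):
        t = (base + timedelta(milliseconds=10 * i)).strftime("%H:%M:%S.%f")[:-3]
        lines.append(f"{t} {t} 6 192.168.10.25 60616 17 192.168.1.{i} 137 17 0 1 78")
    return lines

SAMPLE_FLOWS = [parse_flow(l) for l in _sample_lines()]

if __name__ == "__main__":
    print("sweeps:", find_sweeps(SAMPLE_FLOWS))
    print("lateral:", find_lateral_movement(SAMPLE_FLOWS))
    print("top talkers:", top_talkers(SAMPLE_FLOWS))
```

The thresholds are deliberately crude and are the part to tune: a backup job also pushes hundreds of kilobytes over SMB, but it does not ping first from a workstation, which is why the lateral-movement rule keys on the sequence rather than the byte count alone. RFC1918 membership is tested explicitly rather than with `ip_address.is_private`, because Python also classes the documentation ranges used in the sample as private.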

Page 46: Redefine winning

Page 47: Redefine winning

Page 48: The optimal security continuum

Threat Intelligence

People, Process, Technology

Page 49: Context to answer the questions that matter

• What is it? Is it really a threat? Did it succeed? What happened next?
• Who was behind it? What are their intentions? Did they achieve their objectives yet?
• How did they get in, where are they, how do I get them out and prevent them from winning?
• What should I do next?

• Intelligence on threat actors
• Ability to collect telemetry and apply that intelligence in the network and at the endpoint
• Analytics beyond malware and signatures

Page 50: Who has the first question?

Page 51: Thanks!