Conquering all phases of the attack lifecycle
The Headlines: Damage. Damage. Damage.
http://techcrunch.com/2014/12/16/hack-sony-twice-shame-on-sony/
http://www.bloomberg.com/news/2014-12-19/staples-says-1-16-million-cards-affected-in-breach.html
http://www.wsj.com/articles/j-p-morgan-says-about-76-million-households-affected-by-cyber-breach-1412283372
http://www.bbc.com/news/technology-25681013
http://www.wsj.com/articles/home-depot-breach-bigger-than-targets-1411073571
The Technical Headlines: Penetration.
http://www.computerworld.com/article/2862578/twofactor-authentication-oversight-led-to-jpmorgan-breach-investigators-reportedly-found.html
http://www.scmagazine.com/home-depot-breach-caused-by-windows-vulnerability/article/382450/
http://www.securityweek.com/target-confirms-point-sale-malware-was-used-attack
http://dealbook.nytimes.com/2014/12/22/entry-point-of-jpmorgan-data-breach-is-identified/?_r=0
The Attack Lifecycle (timeline figure): Penetration → Hacking operation → Breach detected. Damage grows with time, from seconds, minutes and hours to days, weeks and months. Stages: Breach → C&C → Recon → Spread → Damage.
The Attack Lifecycle
External Recon: social networking, conferences, calling the help desk or an admin, external scans, buying information and tools on the black market.
Breach: Penetration. Privilege escalation. Obfuscation.
Techniques: phishing and spear phishing, vulnerability exploit, social engineering, infected USB drive, compromised credentials, autorun, process injection.
Process Injection: running attacker code as a thread inside another (host) process. Used for evasion, for reading the host process's memory, and for affecting the host process's behavior.
Process Injection. Code injection is a great way to hide: the malicious code runs under the name, and with the privileges, of a trusted host process, so it can do things that would be blocked if done from its own process. It is part of the first step of an attack, part of establishing the foothold. If we are able to identify this specific technique, we can stop the attack at a very early stage.
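How that identification can work in practice, as an added example that is not part of the original deck: the detection logic below runs over constructed records modelled on Sysmon's CreateRemoteThread event (Event ID 8, which reports the creating process, the target process and the module that backs the new thread's start address). The sample records, the allowlist and the severity rules are assumptions for illustration, not Cybereason's product logic.

```python
"""Flag suspicious cross-process thread creation from Sysmon-style Event ID 8 records.

Added example for the process-injection slide. The records below are constructed
for this example (pipe-separated key=value pairs modelled on Sysmon's
CreateRemoteThread event), not real telemetry; the allowlist and severity rules
are assumptions that a real deployment would tune.
"""
from collections import namedtuple

# Constructed sample: four CreateRemoteThread (Sysmon EID 8) records.
SAMPLE_EVENTS = r"""
UtcTime=2014-12-16 09:12:03|SourceImage=C:\Program Files\Windows Defender\MsMpEng.exe|TargetImage=C:\Windows\explorer.exe|StartModule=C:\Windows\System32\ntdll.dll|StartFunction=LdrInitializeThunk
UtcTime=2014-12-16 09:14:41|SourceImage=C:\Users\bob\AppData\Local\Temp\invoice.exe|TargetImage=C:\Windows\explorer.exe|StartModule=|StartFunction=
UtcTime=2014-12-16 09:14:42|SourceImage=C:\Users\bob\AppData\Local\Temp\invoice.exe|TargetImage=C:\Windows\System32\svchost.exe|StartModule=C:\Windows\System32\kernel32.dll|StartFunction=LoadLibraryA
UtcTime=2014-12-16 09:20:10|SourceImage=C:\Windows\System32\svchost.exe|TargetImage=C:\Windows\System32\svchost.exe|StartModule=C:\Windows\System32\ntdll.dll|StartFunction=RtlUserThreadStart
"""

# Assumed benign remote-thread creators (e.g. the AV engine); tune per environment.
ALLOWLIST = {"msmpeng.exe"}
# Thread entry points that indicate classic DLL injection.
LOADLIBRARY = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

Finding = namedtuple("Finding", "time source target severity reason")


def parse_event(line):
    """Turn 'k1=v1|k2=v2' into a dict (split on the first '=' only: values may contain '=')."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def assess(ev):
    """Classify one remote-thread event, or return None if the creator is allowlisted."""
    src, dst = ev["SourceImage"], ev["TargetImage"]
    if basename(src) in ALLOWLIST:
        return None
    if src == dst:
        return Finding(ev["UtcTime"], src, dst, "low",
                       "thread created in a process with the same image; usually benign")
    if not ev["StartModule"]:
        # The new thread starts at an address no loaded module backs: code written into the target.
        return Finding(ev["UtcTime"], src, dst, "high",
                       "thread starts in memory not backed by any module (shellcode injection)")
    if ev["StartFunction"].lower() in LOADLIBRARY:
        # Entry point is LoadLibrary: the injector forces the target to load a DLL of its choosing.
        return Finding(ev["UtcTime"], src, dst, "high",
                       "thread entry is LoadLibrary (DLL injection)")
    return Finding(ev["UtcTime"], src, dst, "medium", "unexpected cross-process thread")


def detect(text, min_severity="medium"):
    """Return findings at or above min_severity, in event order."""
    findings = (assess(parse_event(line)) for line in text.strip().splitlines())
    return [f for f in findings if f and SEVERITY_RANK[f.severity] >= SEVERITY_RANK[min_severity]]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.time}: {basename(f.source)} -> {basename(f.target)}: {f.reason}")
```

On the constructed sample the two threads created by invoice.exe are reported (one unbacked start address, one LoadLibraryA entry) while the AV engine and the svchost-to-svchost thread are not. The unbacked-module rule is the one worth keeping even when everything else is tuned away: legitimate software rarely starts a thread in another process at an address no module owns.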
Command & Control: operation and exfiltration.
Channels: legitimate-looking HTTP, legitimate DNS requests, fast flux, TOR, Facebook / Twitter / YouTube comments, domain generation algorithm (DGA).
Command & Control: domain generation algorithm. Regular C&C servers can be blacklisted and firewalled. A DGA generates a daily domain list (thousands of domains) and the malware tries to resolve each of those pseudo-random domains. The attacker (who created the algorithm) knows in advance which domains will be generated. Once a certain C&C domain is blocked, the attacker selects one of the domains generated for that day, registers it, and continues the operation.
Command & Control: DGA (diagram).
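The mechanism above, worked through in code as an added example that is not part of the original deck: a toy DGA derives the day's list from a date and a seed shared by the malware and its operator, so the operator can register tomorrow's domain today, and a detector on the resolver log flags the host that walks the list, because almost every name it asks for does not exist. The generation algorithm, the seed, the log format and the thresholds are assumptions for illustration, and the DNS log is constructed rather than captured.

```python
"""Toy DGA and an NXDOMAIN-burst detector for the resolver log.

Added example for the DGA slides; it is not the deck's code. The generation
algorithm, the seed, the log format and the thresholds are assumptions chosen
for illustration; the DNS log below is constructed, not captured.
"""
import datetime
import hashlib
from collections import defaultdict

TLDS = ("com", "net", "org", "info")
SAMPLE_DAY = datetime.date(2014, 12, 16)


def dga_domains(day, count=1000, seed=b"example-seed"):
    """Derive `count` domains from the date and a secret seed shared by malware and operator.

    Anyone holding the seed (the attacker) can compute tomorrow's list today and
    register a domain from it; defenders who only blocklist what they have seen
    are always a step behind.
    """
    out = []
    for i in range(count):
        h = hashlib.sha256(seed + day.isoformat().encode() + i.to_bytes(4, "big")).digest()
        length = 10 + h[0] % 7                       # 10..16 letters, like many real DGAs
        label = "".join(chr(ord("a") + b % 26) for b in h[1:1 + length])
        out.append(f"{label}.{TLDS[h[-1] % len(TLDS)]}")
    return out


def build_sample_log(day=SAMPLE_DAY):
    """Constructed resolver log, 'timestamp client qname rcode', one line per query.

    10.0.0.5 is infected and walks the daily list; the attacker registered entry 7
    in advance, so that one resolves. 10.0.0.9 is a clean host with one typo.
    """
    domains = dga_domains(day, count=40)
    registered = domains[7]
    t0 = datetime.datetime.combine(day, datetime.time(9, 15))
    lines = []
    for i, d in enumerate(domains):
        ts = (t0 + datetime.timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.5 {d} {'NOERROR' if d == registered else 'NXDOMAIN'}")
    lines.append(f"{t0.isoformat()} 10.0.0.9 www.example.com NOERROR")
    lines.append(f"{(t0 + datetime.timedelta(seconds=3)).isoformat()} 10.0.0.9 wwww.example.com NXDOMAIN")
    return "\n".join(lines), registered


def parse_log(text):
    for line in text.splitlines():
        ts, client, qname, rcode = line.split()
        yield datetime.datetime.fromisoformat(ts), client, qname, rcode


def nxdomain_bursts(text, window_s=60, threshold=20):
    """Clients with >= threshold NXDOMAIN answers inside any window_s-second window.

    A host resolving dozens of never-seen names that do not exist is the
    signature of a DGA walking its list; a typo or two is not.
    """
    failures = defaultdict(list)
    for ts, client, qname, rcode in parse_log(text):
        if rcode == "NXDOMAIN":
            failures[client].append((ts, qname))
    flagged = {}
    for client, events in failures.items():
        events.sort()
        j = 0                                        # left edge of the sliding window
        for i in range(len(events)):
            while (events[i][0] - events[j][0]).total_seconds() > window_s:
                j += 1
            if i - j + 1 >= threshold:
                flagged[client] = sorted({q for _, q in events})
                break
    return flagged


def resolved_by(text, client):
    """Names the client resolved successfully; for a flagged host these are the live C&C candidates."""
    return [q for _, c, q, rcode in parse_log(text) if c == client and rcode == "NOERROR"]


if __name__ == "__main__":
    log, registered = build_sample_log()
    for client, names in nxdomain_bursts(log).items():
        print(f"{client}: {len(names)} NXDOMAINs, e.g. {names[:3]}; resolved: {resolved_by(log, client)}")
    print("attacker pre-registered:", registered)
```

The detector does not need to know the algorithm: the NXDOMAIN burst alone identifies the infected host, and the one name that did resolve during the burst is the domain the attacker registered, which is the one worth sinkholing today. Blocking it only forces the attacker to register another entry from the same list, which is exactly the cat-and-mouse game the slide describes.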
Recon: scanning. ARP scanning; port scanning: SYN scanning ("half-open scanning"), FIN scanning.
Reconnaissance: port scanning. Services use ports to communicate (HTTP = 80, DNS = 53, etc.). When an attacker gets a foothold on a computer, the attacker needs to move through the organization's network, so the attacker scans the subnet to find exposed and exploitable services on other computers and platforms. Once an open port with a vulnerable service is found, exploitation of that host follows.
Reconnaissance Port Scanning
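What the two scan types look like on the wire, and how a sensor tells them apart from a real connection, as an added example that is not part of the original deck. A half-open (SYN) scan sends a SYN, learns the port state from the SYN/ACK or RST that comes back, and resets instead of completing the handshake; a FIN scan sends a bare FIN and relies on closed ports answering RST while open ports stay silent. The packet summary is constructed, not a real capture, and the probe threshold is an assumption.

```python
"""Classify TCP probes in a packet summary and rank sources by scan fan-out.

Added example for the reconnaissance slides; not the deck's code. The input is a
constructed packet summary ('ts src dst service_port flags'), not a real capture,
and the probe threshold is an assumption. Flags: S=SYN, A=ACK, R=RST, F=FIN.
"""
from collections import defaultdict


def build_sample_capture():
    """Constructed traffic: one host SYN-scans 10.0.0.20 and FIN-scans 10.0.0.21; another host just connects."""
    packets = []
    clock = [100.0]

    def add(src, dst, port, flags):
        clock[0] += 0.001
        packets.append(f"{clock[0]:.3f} {src} {dst} {port} {flags}")

    # Half-open (SYN) scan: open ports answer SYN/ACK and the scanner resets instead of ACKing,
    # so no connection is ever established and the service sees nothing at the application layer.
    for port in (21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389):
        add("10.0.0.5", "10.0.0.20", port, "S")
        if port in (22, 80, 445):
            add("10.0.0.20", "10.0.0.5", port, "SA")
            add("10.0.0.5", "10.0.0.20", port, "R")
        else:
            add("10.0.0.20", "10.0.0.5", port, "RA")
    # FIN scan: a bare FIN to a closed port draws a RST; an open port drops it silently (RFC 793).
    for port in (22, 80, 443):
        add("10.0.0.5", "10.0.0.21", port, "F")
        if port != 22:
            add("10.0.0.21", "10.0.0.5", port, "RA")
    # Legitimate client: full three-way handshake.
    add("10.0.0.9", "10.0.0.20", 443, "S")
    add("10.0.0.20", "10.0.0.9", 443, "SA")
    add("10.0.0.9", "10.0.0.20", 443, "A")
    return "\n".join(packets)


def parse_flows(capture):
    """Group packets into flows keyed by (initiator, responder, service_port).

    Each flow is a list of (direction, flags): '>' initiator -> responder, '<' reply.
    """
    flows = {}
    for line in capture.splitlines():
        _ts, src, dst, port, flags = line.split()
        port = int(port)
        if (dst, src, port) in flows:
            flows[(dst, src, port)].append(("<", flags))
        else:
            flows.setdefault((src, dst, port), []).append((">", flags))
    return flows


def classify(flow):
    """Label a flow as a real connection, a SYN (half-open) probe or a FIN probe."""
    direction, flags = flow[0]
    if direction != ">":
        return "other"
    if "S" in flags:
        got_synack = any(d == "<" and "S" in f and "A" in f for d, f in flow)
        got_rst = any(d == "<" and "R" in f for d, f in flow)
        completed = any(d == ">" and f == "A" for d, f in flow)
        if got_synack and completed:
            return "connect"
        if got_synack:
            return "half-open:open"        # SYN/ACK seen, then reset: port open, handshake never finished
        if got_rst:
            return "half-open:closed"
        return "syn:no-reply"              # filtered, or the reply was not captured
    if "F" in flags and "A" not in flags:
        got_rst = any(d == "<" and "R" in f for d, f in flow)
        return "fin-probe:closed" if got_rst else "fin-probe:open|filtered"
    return "other"


def find_scanners(capture, min_probes=5):
    """Sources whose probe flows touch at least min_probes distinct (host, port) pairs."""
    per_source = defaultdict(dict)
    for (src, dst, port), flow in parse_flows(capture).items():
        kind = classify(flow)
        if kind.startswith(("half-open", "fin-probe", "syn:")):
            per_source[src][(dst, port)] = kind
    return {src: probes for src, probes in per_source.items() if len(probes) >= min_probes}


def open_ports(report, src):
    """(host, port) pairs the scanner learned are open or at least unfiltered."""
    return sorted(k for k, kind in report[src].items() if kind.endswith(("open", "open|filtered")))


if __name__ == "__main__":
    report = find_scanners(build_sample_capture())
    for src, probes in report.items():
        print(f"{src}: {len(probes)} probes, open: {open_ports(report, src)}")
```

The point of the half-open classification is that a connection log on the target host never sees these probes: nothing reaches the accept() call, so detection has to happen at the network layer or in the host's TCP stack, and the tell is a source that collects SYN/ACKs (or silence from FIN probes) across many ports and hosts without ever finishing a handshake.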
Spread: lateral movement, legitimate tools used maliciously. Pass the hash / pass the ticket, shares, PsExec.
Spread: PsExec, a legitimate tool used maliciously. PsExec is a legitimate Microsoft (Sysinternals) tool, commonly used by IT professionals, that allows running a process on a remote machine interactively. Attackers use the same tool to spread their malware through an entire network.
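Because the tool is legitimate, detection keys on the mechanism rather than the binary. The added example below (not the deck's code) correlates constructed Windows events modelled on Security 4624 (network logon), Security 5140 (access to the ADMIN$ share) and System 7045 (a new service installed): stock PsExec copies PSEXESVC.exe into ADMIN$ and installs a service named PSEXESVC, which is a fact about Sysinternals PsExec rather than something the slide states, and the operator can rename the service with -r, so the name check alone is not enough. The records, the correlation window and the field names are assumptions for illustration.

```python
"""Correlate Windows events into a 'remote service execution' finding (PsExec-style lateral movement).

Added example for the PsExec slide; not the deck's code. Records are constructed
(pipe-separated, modelled on Security 4624/5140 and System 7045 fields), the
correlation window is an assumption, and the PSEXESVC indicator is what stock
Sysinternals PsExec installs unless the operator renames it with -r.
"""
import datetime
from collections import namedtuple

# Constructed sample: two PsExec-style sessions from 10.0.0.5 (one stock, one renamed)
# and ordinary activity from 10.0.0.9 plus a routine local service installation.
SAMPLE_EVENTS = r"""
2014-12-16T10:01:00|Security|4624|IpAddress=10.0.0.5|LogonType=3|TargetUserName=svc_backup
2014-12-16T10:01:01|Security|5140|IpAddress=10.0.0.5|ShareName=\\*\ADMIN$|SubjectUserName=svc_backup
2014-12-16T10:01:02|System|7045|ServiceName=PSEXESVC|ImagePath=%SystemRoot%\PSEXESVC.exe|AccountName=LocalSystem
2014-12-16T11:30:00|Security|4624|IpAddress=10.0.0.9|LogonType=3|TargetUserName=alice
2014-12-16T11:30:01|Security|5140|IpAddress=10.0.0.9|ShareName=\\*\Finance|SubjectUserName=alice
2014-12-16T12:00:00|System|7045|ServiceName=gupdate|ImagePath=C:\Program Files\Google\Update\GoogleUpdate.exe /svc|AccountName=LocalSystem
2014-12-16T13:05:00|Security|4624|IpAddress=10.0.0.5|LogonType=3|TargetUserName=svc_backup
2014-12-16T13:05:01|Security|5140|IpAddress=10.0.0.5|ShareName=\\*\ADMIN$|SubjectUserName=svc_backup
2014-12-16T13:05:03|System|7045|ServiceName=xyzzy|ImagePath=%SystemRoot%\xyzzy.exe|AccountName=LocalSystem
"""

Event = namedtuple("Event", "ts channel id fields")
Finding = namedtuple("Finding", "ts service image sources accounts default_name")


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, channel, eid, *kvs = line.split("|")
        fields = dict(kv.split("=", 1) for kv in kvs)
        events.append(Event(datetime.datetime.fromisoformat(ts), channel, eid, fields))
    return events


def detect_remote_service_exec(text, window_s=60):
    """Flag each service installation (7045) preceded within window_s by ADMIN$ access over the network.

    The PSEXESVC name catches stock PsExec; the ADMIN$ access + network logon + new
    service sequence catches renamed copies and other tools that use the same mechanism.
    """
    events = parse_events(text)
    findings = []
    for ev in events:
        if ev.id != "7045":
            continue
        recent = [e for e in events if 0 <= (ev.ts - e.ts).total_seconds() <= window_s]
        sources = {e.fields["IpAddress"] for e in recent
                   if e.id == "5140" and e.fields["ShareName"].upper().endswith("ADMIN$")}
        accounts = {e.fields["TargetUserName"] for e in recent
                    if e.id == "4624" and e.fields["LogonType"] == "3"
                    and e.fields["IpAddress"] in sources}
        service, image = ev.fields["ServiceName"], ev.fields["ImagePath"]
        default_name = "PSEXESVC" in (service + image).upper()
        if sources or default_name:
            findings.append(Finding(ev.ts, service, image, sorted(sources), sorted(accounts), default_name))
    return findings


if __name__ == "__main__":
    for f in detect_remote_service_exec(SAMPLE_EVENTS):
        tag = "stock PsExec" if f.default_name else "renamed/PsExec-like"
        print(f"{f.ts}: service {f.service!r} ({f.image}) installed after ADMIN$ access "
              f"from {f.sources} as {f.accounts}: {tag}")
```

On the sample the stock session is caught by name and the renamed one only by the sequence, while the Google updater's service installation and alice's share access raise nothing. The same account appearing as the network logon on several hosts in quick succession is the spread the slide describes, which is why the finding carries the source address and account rather than just the service name.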
Lateral Movement --- Pass-the-ticket
Damage: business, money, physical.
The Attack Lifecycle
www.cybereason.com Thank you.