Incident Detection and Response

Incident Detection and Response Wade Woolwine Mike Scutt

Agenda
- Introductions
- Threat Types
- Attack Lifecycle (Targeted Threats)
- IDR Program Best Practices
- Threat Scenarios
- Q/A

Threat Types
- Commodity: Cryptolocker, virus, bot, etc.
- Disruptive: DDoS, social media hijacking, web defacement, etc.
- Targeted: organized crime, nation state, hacktivism, etc.

IDR Program Best Practices
- Business goals and priorities
- Asset and inventory management
- Attack surface management
- Threat detection
- Threat validation and investigation
- Breach containment
- Cleanup and mitigation
- Constant improvement

Spearphishing
- 91% of breaches begin with a spearphish (2014 PhishMe)
- Still the preferred method of infiltration
- Effective in almost 100% of cases
- It's evolving: more relevance to the target; IT problems scare people, and attackers know that; attackers perform targeted recon
- 72% of observed phishing emails were sent on weekdays (2015 M-Trends)
- 78% of observed phishing emails were IT related (2015 M-Trends)

Spearphish Attack Lifecycle: Email -> Link or Attachment -> Dropper -> Backdoor (Malware)
- The email. Technology: relies on threat intelligence. Awareness: it works!
- The dropper. Technology: sandbox, AV, whitelisting, proxy. Patching: no exploit == no dropper
- The malware. Technology: sandbox, AV, whitelisting, behavior analysis, network IDS/IPS

Exploit and Abuse
- 35% of breaches begin with a web compromise (2014 DBIR)
- VPN and other remote access technology: single-factor VPN, virtualized environments
- Traditional exploits: exploitable vulnerabilities on internet-facing assets
- Web-based exploits: web server, web application, backing databases
- 73% of vulnerabilities in 2014 are remotely exploitable (2014 Secunia)
- 89% of EHR applications use single-factor authentication (2014 Duo Security)

Internet Facing Vulnerability Exploit Lifecycle: Exploit internet-facing vulnerability -> Local system access -> Deploy backdoor -> Lateral movement
- The vulnerability: vulnerability scanning and patch management
- The exploit: sandbox
- The backdoor: sandbox, AV, whitelisting
- Lateral movement: behavior analysis, proper network segmentation

Reconnaissance

Active Directory Enumeration DSQuery.exe – query for objects in AD

Active Directory Enumeration DSGet.exe – get object details from AD

Active Directory Enumeration GPResult.exe – view Group Policy Objects for computers and users

Local/Remote Network Drive Enumeration
- Net.exe view \\COMPUTERNAME: view network shares on a remote computer
- Net.exe view /DOMAIN: enumerate computers on the domain
- Net.exe share: view local network shares

More Discovery
- Find.exe: find [/v] [/c] [/n] [/i] "string" [[Drive:][Path]FileName[...]] to search files for passwords, IP addresses, PII
- Network scans
- SMB scans
- PSTools
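The discovery commands on the slides above (dsquery, dsget, gpresult, net view/share, find) are ordinary administrative tools, so no single execution is worth an alert; what gives an intruder away is several different ones running under one account on one host within a few minutes. The following is an added example, not code from the deck or its authors, that scores process-creation telemetry on exactly that. The log line layout, the hostnames, the account names and the 10-minute / 3-technique thresholds are constructed for the example; in practice the same logic runs over Security 4688 or Sysmon event 1 command lines.

```python
"""Flag bursts of AD/host discovery commands in process-creation telemetry.

Added example, not from the original deck. The log format is a constructed,
simplified rendering of Windows 4688 / Sysmon event 1 data; the command
names are the ones the slides list, the regexes and thresholds are ours.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One record per line, e.g.
#   2015-09-23T10:02:11 host=WS-042 user=CORP\jdoe cmd="dsquery computer -limit 0"
EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"$'
)

# Technique label -> pattern applied to the lower-cased command line.
DISCOVERY_RULES = [
    ("ad_query",   re.compile(r"\bdsquery(\.exe)?\b")),
    ("ad_get",     re.compile(r"\bdsget(\.exe)?\b")),
    ("gpo_dump",   re.compile(r"\bgpresult(\.exe)?\b")),
    ("share_enum", re.compile(r"\bnet1?(\.exe)?\s+(view|share)\b")),
    # find.exe (or findstr.exe) run over files for credential-looking strings
    ("file_grep",  re.compile(r"\bfind(str)?(\.exe)?\b.*\b(password|passwd|pwd|secret)\b")),
]


def parse_event(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def match_rules(cmd):
    """Return the discovery technique labels that a command line triggers."""
    low = cmd.lower()
    return [name for name, rx in DISCOVERY_RULES if rx.search(low)]


def find_discovery_bursts(lines, window=timedelta(minutes=10), min_distinct=3):
    """Return {(host, user): alert} for every host/account pair that ran at
    least `min_distinct` distinct discovery techniques inside `window`."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for rule in match_rules(ev["cmd"]):
            hits[(ev["host"], ev["user"])].append((ev["ts"], rule, ev["cmd"]))

    alerts = {}
    for key, events in hits.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):           # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            kinds = {rule for _, rule, _ in span}
            if len(kinds) >= min_distinct:       # last qualifying window wins
                alerts[key] = {
                    "first": span[0][0], "last": span[-1][0],
                    "techniques": sorted(kinds),
                    "commands": [cmd for _, _, cmd in span],
                }
    return alerts


# Constructed sample telemetry: one recon burst, plus ordinary background noise.
SAMPLE_LOG = r"""
2015-09-23T10:02:11 host=WS-042 user=CORP\jdoe cmd="dsquery computer -limit 0"
2015-09-23T10:02:40 host=WS-042 user=CORP\jdoe cmd="dsget group "CN=Domain Admins,CN=Users,DC=corp,DC=local" -members"
2015-09-23T10:03:05 host=WS-042 user=CORP\jdoe cmd="gpresult /r /scope computer"
2015-09-23T10:03:30 host=WS-042 user=CORP\jdoe cmd="net view \\FS01"
2015-09-23T10:04:02 host=WS-042 user=CORP\jdoe cmd="find /i "password" C:\Users\jdoe\Documents\*.txt"
2015-09-23T11:15:00 host=WS-017 user=CORP\asmith cmd="net view /domain"
2015-09-23T11:16:00 host=WS-017 user=CORP\asmith cmd="outlook.exe"
2015-09-23T14:00:00 host=WS-042 user=CORP\jdoe cmd="notepad.exe notes.txt"
"""

if __name__ == "__main__":
    for (host, user), a in find_discovery_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{host} {user}: {len(a['commands'])} discovery commands "
              f"({', '.join(a['techniques'])}) between "
              f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

The single `net view /domain` from WS-017 is deliberately not alerted on: help-desk staff run that all day. Tune `min_distinct` and `window` against a week of your own 4688 data before deploying, and expect to whitelist hosts that run inventory or GPO-audit scripts.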

Lateral Movement

Pass the Hash PSExec / Metasploit

Pass the Hash WCE.exe – Windows Credentials Editor

NTDS.dit Offline Cracking
- NTDS.dit is the Active Directory database on a domain controller, including every domain account's password hashes
- It is locked while the domain controller runs, so use VSSAdmin.exe to create a volume shadow copy
- Copy the NTDS.dit file (and the SYSTEM registry hive, which holds the boot key needed to decrypt the hashes) from the volume shadow copy
- Exfil, then crack offline with your favorite hash cracking tools

Scheduled Tasks At.exe Schtasks.exe Schedule running code on remote hosts

PSExec: run arbitrary programs on a remote system
Other PSTools: PSFile, PSInfo, PSList, PSKill, PSLoggedOn, PSLogList, PSService

Other Techniques
- Backdoors: deploy backdoors with remote shell capabilities on all systems of interest
- Proxies: to move around segregated networks with ACLs in place
- Keyloggers: capture credentials typed by the user
- Authentication hooking: hook Windows authentication and grab hashes/passwords
- WMI: the sky is the limit!

Mission Target

Staging
- RAR.exe: can encrypt data; can create small parts to reassemble later; not always present on systems
- Zip.exe: can encrypt; always present on systems
- MakeCab.exe: .CAB files blend in well with Windows
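Staged archives are rarely left with a telling extension, so during triage you look for them by magic bytes rather than by name, and the two properties the slide highlights, encryption and splitting into parts, are both readable from the first few header bytes. The following is an added example, not code from the deck or its authors, that identifies RAR, ZIP and CAB files from their leading bytes and reports whether they are encrypted or part of a multi-volume set. Header offsets follow the published RAR 4.x, PKWARE APPNOTE and Microsoft CAB format notes; the sample files are constructed in memory for the example, not recovered from an incident, and RAR5 headers are only identified, not parsed.

```python
"""Triage candidate staging archives by magic bytes, not file extension.

Added example, not from the original deck. Header layouts follow the public
RAR 4.x, PKWARE APPNOTE (ZIP) and Microsoft CAB format notes; the sample
files are constructed in memory here, not recovered from a real incident.
"""
import io
import struct
import zipfile
from pathlib import Path

RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
ZIP_LOCAL_MAGIC = b"PK\x03\x04"
ZIP_SPLIT_MAGIC = b"PK\x07\x08"      # leading marker of the first segment of a split ZIP
CAB_MAGIC = b"MSCF"

RAR_MHD_VOLUME = 0x0001              # archive is one volume of a set (rar -v)
RAR_MHD_PASSWORD = 0x0080            # headers encrypted (rar -hp)
RAR_MHD_FIRSTVOLUME = 0x0100
ZIP_FLAG_ENCRYPTED = 0x0001          # general-purpose bit 0 of the local file header
CAB_FLAG_PREV_CABINET = 0x0001
CAB_FLAG_NEXT_CABINET = 0x0002


def classify_archive(data):
    """Return {"format", "encrypted", "multivolume"} for a RAR/ZIP/CAB header,
    or None. `encrypted`/`multivolume` are None where this parser does not look."""
    if data.startswith(RAR5_MAGIC):
        # RAR5 headers are vint-encoded; only the format is identified here.
        return {"format": "rar5", "encrypted": None, "multivolume": None}
    if data.startswith(RAR4_MAGIC) and len(data) >= 12:
        # 7-byte marker block, then the archive header: CRC(2) TYPE(1) FLAGS(2) SIZE(2)
        head_type, flags = struct.unpack_from("<BH", data, 9)
        if head_type != 0x73:
            return {"format": "rar4", "encrypted": None, "multivolume": None}
        return {"format": "rar4",
                "encrypted": bool(flags & RAR_MHD_PASSWORD),
                "multivolume": bool(flags & (RAR_MHD_VOLUME | RAR_MHD_FIRSTVOLUME))}
    split = data.startswith(ZIP_SPLIT_MAGIC)
    off = 4 if split else 0
    if data[off:off + 4] == ZIP_LOCAL_MAGIC and len(data) >= off + 8:
        (gp_flags,) = struct.unpack_from("<H", data, off + 6)
        return {"format": "zip",
                "encrypted": bool(gp_flags & ZIP_FLAG_ENCRYPTED),
                "multivolume": split}
    if data.startswith(CAB_MAGIC) and len(data) >= 32:
        (flags,) = struct.unpack_from("<H", data, 30)   # CFHEADER.flags
        return {"format": "cab", "encrypted": False,     # CAB has no native encryption
                "multivolume": bool(flags & (CAB_FLAG_PREV_CABINET | CAB_FLAG_NEXT_CABINET))}
    return None


def classify_blobs(blobs):
    """blobs: {name: leading bytes}. Returns [(name, info)] for archives only."""
    found = []
    for name, data in blobs.items():
        info = classify_archive(data)
        if info is not None:
            found.append((name, info))
    return found


def scan_directory(root, head=64):
    """Read the first `head` bytes of every file under `root` and classify them."""
    blobs = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            with open(p, "rb") as fh:
                blobs[str(p)] = fh.read(head)
    return classify_blobs(blobs)


def build_samples():
    """Constructed samples with misleading extensions (not real artefacts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("export.csv", "id,ssn\n1,000-00-0000\n")
    plain_zip = buf.getvalue()
    enc_zip = bytearray(plain_zip)
    enc_zip[6] |= ZIP_FLAG_ENCRYPTED             # simulate a password-protected entry
    rar4 = RAR4_MAGIC + struct.pack(
        "<HBHH", 0, 0x73, RAR_MHD_VOLUME | RAR_MHD_FIRSTVOLUME | RAR_MHD_PASSWORD, 13
    ) + b"\x00" * 6
    cab = struct.pack("<4sIIIIIBBHHHHH", CAB_MAGIC, 0, 36, 0, 36, 0, 3, 1, 1, 1,
                      CAB_FLAG_NEXT_CABINET, 0x0BAD, 0)
    return {"report.dat": plain_zip, "~tmp1.tmp": bytes(enc_zip),
            "sys.log": rar4, "update.bin": cab, "notes.txt": b"just text\n"}


if __name__ == "__main__":
    for name, info in classify_blobs(build_samples()):
        print(f"{name:12} {info['format']:5} encrypted={info['encrypted']} "
              f"multivolume={info['multivolume']}")
```

Point `scan_directory` at the places staging usually happens (user temp directories, the Recycle Bin, C:\ProgramData, web roots) and read only the first 64 bytes of each file, which keeps the pass cheap even on a file server. An encrypted ZIP flag or a RAR with MHD_PASSWORD set is a strong lead on its own; a CAB is only interesting by context (odd location, recent timestamp, size), since CAB files are everywhere on Windows, which is exactly why the slide lists MakeCab.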

Maintain Presence

Maintain Presence
- Webshells: web-based full-function backdoors hidden in legitimate applications
- Remote access (VPN, etc.): reuse compromised credentials to maintain access through legitimate remote access technologies
- Backdoors: attackers log in to perform maintenance tasks on backdoors and dump additional credentials

Q/A Thank you!