Malware\Host Analysis for Level 1 Analysts “Decrease exposure time from detection to eradication” Garrett Schubert – EMC Corporation Critical Incident.

Slides:

Advertisements

Similar presentations

1© Copyright 2011 EMC Corporation. All rights reserved. The Future of the Advance Soc 3rd Annual Privacy, Access and Security Congress, Ottawa, 2012 Mike.

Advertisements

©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Mary Ann Fitzsimmons Regional.

1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.

Threat Intelligence Use in Information Security: History, Theory and Practice Tim Gallo Cyber Security Field Engineering 1.

1© Copyright 2014 EMC Corporation. All rights reserved. Securing the Cloud Gintaras Pelenis Field Technologist RSA, the Security Division of EMC

© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.

Classification The Threat Environment Joyce Corell, NCSC Assistant Director for Supply Chain National Defense Industrial Association Global Supply Chain.

©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Chris Berninger, Sr. Solutions.

1© Copyright 2011 EMC Corporation. All rights reserved. Advanced Persistent Threat Sachin Deshmanya & Srinivas Matta.

Building a Threat Intel Team Ryan Olson Director of Threat Intelligence October, 2014.

David Flournoy Bit9 Mid-Atlantic Regional Manager

© 2014 Level 3 Communications, LLC. All Rights Reserved. Proprietary and Confidential. Polycom event Security Briefing 12/03/14 Level 3 Managed Security.

Mike Goffin Who am I? Mike Goffin Lead DeveloperProject Manager Senior Cyber Security Research Engineer The MITRE Corporation.

Understanding and Dealing with Modern Threats Trent Greenwood, Manager Security Practioners TOLA.

Oklahoma Chapter Information Systems Security Association Oklahoma Chapter, Tulsa Oklahoma City Chapter, OKC Student Chapter, Okmulgee Oklahoma Chapter,

Did You Hear That Alarm? The impacts of hitting the information security snooze button.

1© Copyright 2012 EMC Corporation. All rights reserved. Getting Ahead of Advanced Threats Advanced Security Solutions for Trusted IT Chezki Gil – Territory.

Selling Security to the Business Peter Frøkjær ADP Global Security Organization In:dk.linkedin.com/in/froekjaer/  :

Enterprise Visibility & Security Analytics Rocky DeStefano, VP of Strategy & Technology.

The Changing World of Endpoint Protection

Security Innovation & Startup. OPEN THREAT EXCHANGE (OTX): THE HISTORY AND FUTURE OF OPEN THREAT INTELLIGENCE COMMUNITY ALIENVAULT OTX.

Ali Alhamdan, PhD National Information Center Ministry of Interior

CIO Perspectives on Security Fabrício Brasileiro Regional Sales Manager.

WELCOME CyberSecurity and Global Affairs Workshop Enhancing Situational Awareness Through Cyber Intelligence Henry Horton, CISM Partner, CyberSecurity.

1© Copyright 2014 EMC Corporation. All rights reserved. Applying the Power of Data Analytics to Cyber Security Dr. Robert W. Griffin Chief Security Architect.

Incident Response… Be prepared for “not if” but “when” it happens.

ARAMA TECH D A T A P R O T E C T I O N P R O F E S S I O N A L S VISION & STRATEGY.

Keynote 9: Cyber Security in Emerging C4I Systems: Deployment and Implementation Perspectives By Eric J. Eifert, Sr. VP of DarkMatter’s Managed Security.

Cyber Security – The Changing Landscape Erick Weber Department of Public Works Khaled Tawfik Cyber Security.

Rapid Detection & Incident Response What, Why and How March 2016 Ft Gordon.

2© Copyright 2013 EMC Corporation. All rights reserved. Cyber Intelligence Fighting Cyber Crime Insert Event Date LEADERS EDGE.

ECAT 4.1 – Rule Your Endpoints What’s New Customer Overview.

External Threats Internal Threats Nation States Cyber Terrorists Hacktivists Organised criminal networks Independent insider Insider planted by external.

Enterprise’ Ever-Evolving Challenge & Constraints Dealing with BYOD Challenges Enable Compliance to Regulations Stay Current with New Consumption Models.

Why SIEM – Why Security Intelligence??

Welcome Information Security Office Services Available to Counties Security Operations Center Questions.

Cyber Security – Client View Peter Gibbons | Head of Cyber Security, Group Business Services Suppliers’ Summer Conference 15/07/2015.

Visual Analytics for Cyber Defense Decision-Making Anita D’Amico, Ph.D. Secure Decisions division of Applied Visions, Inc.

Tripwire Threat Intelligence Integrations. 2 Threat Landscape by the Numbers Over 390K malicious programs are found every day AV-Test.org On day 0, only.

Surveillance and Security Systems Cyber Security Integration.

Defining your requirements for a successful security (and compliance

Proactive Incident Response

Today’s cyber security landscape

Cybersecurity - What’s Next? June 2017

FORCEPOINT Moving Your Business Forward Without Fear

Center of Excellence in Cyber Security

Now, let’s implement/trial Windows Defender Advanced Threat Protection

How Microsoft uses Windows Defender ATP–Welcome to a SecOps world!

Public Facilities and Cyber Security

Cyber Security: State of the Nation

DISA Global Operations

Intelligence Driven Defense, The Next Generation SOC

Active Cyber Security, OnDemand

Cyber Security coordination in Europe CERT-EU’s perspective

Cyber Threat Simulation

Combining the best of Audit and Penetration Testing

Let’s go Threat Hunting

11/17/2018 9:32 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN.

Shifting from “Incident” to “Continuous” Response

Securing the Threats of Tomorrow, Today.

CRITICAL INFRASTRUCTURE CYBERSECURITY

Chapter 4: Protecting the Organization

Coordinated Security Response

Strategic threat assessment

Managing IT Risk in a digital Transformation AGE

THE CYBER LANDSCAPE UNCLASSIFIED CROSS DOMAIN NETWORK & INFO SHARING

Counter APT Counter APT HUNT operations combine best of breed endpoint detection response technology with an experienced cadre of cybersecurity experts.

AIR-T11 What We’ve Learned Building a Cyber Security Operation Center: du Case Study Tamer El Refaey Senior Director, Security Monitoring and Operations.

OPIsrael And The Value Of Next Generation SOCs

Presentation transcript:

Malware\Host Analysis for Level 1 Analysts “Decrease exposure time from detection to eradication” Garrett Schubert – EMC Corporation Critical Incident Response Center Incident Response\Content Lead

Surgery on the front lines

The Adversary CRIMINALS Unsophisticated, but noisy Organized, sophisticated supply chains (PII, PCI, financial services, retail) Organized crime Petty criminals NON-STATE ACTORS Various reasons, including collaboration with the enemy Political targets of opportunity, mass disruption, mercenary Cyber-terrorists / Hacktivists Insiders NATION STATE ACTORS Government, defense contractors, IP rich organizations, waterholes Nation states

Attack Lifecycle (Kill Chain) ReconnaissanceWeaponizeDeliveryExploitationInstallation C2 Action Research & Mapping the Target Create the Malware Send to target Compromise Host Install Backdoor Control the DeviceExfiltrate Data * Incident Response Team Maturity

-Eyes on Glass -Analysis -Forensic -Coordination -Remediation -Rule/Report Creation -Workflow Development Advanced Tool & Tactics Cyber Threat Intelligence CIRT Content Analytics - Specific functions - Reduces “Scope Creep” - Focused workflow CIRC 2009 Today An Evolution L1 L2 L3

Advanced Tool & Tactics Cyber Threat Intelligence CIRT Content Analytics Incident Monitoring & Response Threat Indicator Portal (IOC’s) Source Actor Attribution Attack Sensing & Warning Social Media High Value Target (HVT) Eyes-On-Glass End User Intake Event Triage-Incident Command Incident Containment 24x7 Coverage Content Development Integration Scripting Workflow Rules/Reports Reverse Malware Engineering Host & Network Forensic Hunters Cause & Origin Determination Scripting & Integration

Low Quality - Black and White

Where’s Waldo now?

The People

The Process AV Auth WAF DLP AD WLAN EP URL FW IPS Data Enhancement Location Identity Division Department Data Asset Value Geo Info Regulation CIRC IT ThreatsIncidentsGRC Incident Workflow Log and Packet data HR Legal Eng.

The Tech

PlugX (Sogu) Use case EMC CIRC received intelligence about a command and control server. The C2 server was identified as the call back station for a PlugX RAT. MISSION: Identify impact to EMC and defend against all found threats

Network traffic

Find the malware from C2

Network Connection to Process

Scoping threat within Organization

Origination of malware – Root cause

Recommendations Cyber Threat Intelligence Prioritize your intel! Not all IoCs have the same threat Content Analytics Get business\organizational context at alert Don’t make the analyst query for data you know they need “Frontline” IR Analysts - CIRT Level 1 analysts need the right tools Stop training run books – THINK out of the box Malware Team - ATTA Share\document TTP and pivot points of specific campaigns

Questions?

The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him. - Sun Tzu, The Art of War