
Closing the Breach Detection Gap

Presentation on theme: "Closing the Breach Detection Gap"— Presentation transcript:

1 Closing the Breach Detection Gap
2016 CONFIDENTIAL

2 Agenda
Today's Breach Detection Gap
Threats: Malware, Risky Behavior, Insiders & Advanced Attacks
Top Cyber Weapons
Signature vs. Behavior-based Attack Detection
LightCyber Magna Behavioral Attack Detection
Unfortunately, there is no silver bullet to stop ransomware. If there was, ransomware would have been eliminated years ago. But to reduce the risk of infection, organizations should train employees not to open suspicious attachments or click on suspicious links. IT administrators should patch vulnerable client and server software such as browsers and browser plugins, and applications and even network devices—which are often overlooked. They should inspect network traffic for malware using sandbox and virus scanning solutions. They should install endpoint protection like anti-virus software on all systems. And although this isn't prevention, organizations should back up files and make sure these backups are not accessible to ransomware, or that companies can roll back to an earlier version of files.

3 Breach Detection Gap
Most Organizations Focus on Malware and External Attacks But Cannot Detect Attackers in Their Network
99% of post-intrusion attacks such as reconnaissance and lateral movement do not originate from malware.
Most Organizations Cannot Find Breaches on Their Own
146 days is the median length of time that attackers are present on a victim's network before detection.
Long attack dwell times and inability to detect.
SOURCE: 2016 LightCyber Cyber Weapons Report, M-Trends 2016 Threat Report, Verizon Data Breach Investigations Report

4 Most Organizations Focus Only on Malware
HACKING TOOLS NETWORKING TOOLS ADMIN UTILITIES REMOTE DESKTOP APPS

5 Threats Analyzed for Cyber Weapons Research: Targeted Attacks, Insider Attacks, Risky Behavior, and Malware

6 Targeted Attacks
Outside the Network / Inside the Network
1) Attacker compromises a client or server in the network
2) Attacker performs reconnaissance and moves laterally to find valuable data
3) Attacker steals data by uploading or transferring files
Intrusion (Seconds – Minutes); Active Breach (Hours – Weeks): Establish Backdoor, Recon & Lateral Movement, Data Exfiltration
The next type of attack we are going to discuss is targeted ransomware attacks. Cybercriminals have stepped up their game, using new, advanced attack methods to compromise organizations rather than individual users. Investigations reveal that attackers first exploited a vulnerability, oftentimes in a JBoss server, and from there used reconnaissance and lateral movement to infect as many machines as possible. They have infiltrated organizations and brought network operations to a standstill. By infecting many machines at once, attackers have extorted more money per attack than by infecting clients one by one. Instead of requesting a few hundred dollars from an individual user, ransomware authors have demanded thousands or even millions of dollars in ransom payments from their corporate victims.

7 Insider Attacks
1) Employee is upset by demotion; decides to steal data and quit job
2) Employee accesses many file shares, including rarely accessed file shares
3) Employee uses another user's credentials and exfiltrates a large volume of data
Insider, File Server, Sensitive Data: Recon & Lateral Movement, Abuse of User Rights, Data Exfiltration
IT Assets at Risk: Databases and file servers are considered the most vulnerable to insider attacks
SOURCE: LinkedIn Group - Insider Threat Report sponsored by LightCyber

8 Risky Behavior
1) Remote desktop access from home
2) User credentials for service account shared by multiple admins
3) Access to high-risk websites
Home Desktop, Internet, User, Remote Desktop, IT Admin, High Risk Website
Data Breach Incidents: Miscellaneous errors, such as misconfiguration, misdelivery, and other errors, accounted for the highest number of data breaches in 2015
'With all of the hubris and bravado in the InfoSec world, one proclamation we usually don't hear is "Our employees NEVER make mistakes."'
SOURCE: 2016 Verizon: Data Breach Investigations Report

9 Malware: Ransomware Attack
1) User downloads ransomware from a website or opens a malicious attachment
2) Infected client contacts command and control server and receives a unique cryptographic key
3) Ransomware encrypts data on the local client
4) Ransomware encrypts data on network drives
Internet, Malicious Website, Laptop (Infected), Command & Control, File Servers
Ransomware can be distributed through many means, including compromised websites, online malvertising that redirects users to a malicious site, or an email with a malicious attachment. Since users are getting more sophisticated, attackers now send Microsoft Office documents with malicious macros instead of suspicious executable files. They have also sent executables in zip files and changed the file icon to a PDF icon in the zip to make it look harmless. This is a bit simplified; there are usually a few steps like URL redirects, vulnerability exploits and potentially the download of one or more payloads, but the main message is that the software gets downloaded and then the infected client contacts a command and control server to receive a unique cryptographic key. Then the ransomware begins encrypting data on the local client and on network drives. CryptoFortress attempts to find and encrypt all open network SMB (Server Message Block) shares, not just mapped drives. This network-based file encryption is important to consider, because oftentimes organizations can reformat or replace locked computers, but encrypting all of the data on file shares can potentially be much more damaging.
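The slide's step 4 (ransomware encrypting network drives, including open SMB shares) is the step a file-server owner can actually watch for. The following is an added example, not LightCyber code or anything from the original deck: it runs over constructed SMB file-operation audit events and flags a client that rewrites many files across many directories within a short window, where the resulting names carry extensions the organisation does not normally use. The event format, share names, extension list and thresholds are all assumptions.

```python
"""Detect ransomware mass-encryption of a network share from SMB file-operation audit events.

Added example, not LightCyber code: the event format, share names and
thresholds are constructed. The signal is one client performing many
writes/renames across many directories within a short window, with the
resulting file names carrying extensions the organisation does not normally
use (".locked", random strings, and so on)."""
import os
from collections import defaultdict, deque

# Constructed audit events: (timestamp_seconds, client_ip, share, relative_path, op).
NORMAL = [(t * 60, "10.0.0.7", "\\\\fs1\\finance", f"Q3/report{t}.docx", "write")
          for t in range(10)]                     # a user saving a document every minute
INFECTED = [(1000 + i // 2, "10.0.0.5", "\\\\fs1\\finance",
             f"dept{i % 6}/file{i}.xlsx.locked", "rename")
            for i in range(60)]                   # 60 files in 6 directories, 2 per second
EVENTS = sorted(NORMAL + INFECTED)

# Extensions this (constructed) organisation routinely writes to its shares.
COMMON_EXT = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg", ".png"}


def suspicious_name(path):
    """True when the final extension is not one the organisation normally uses."""
    return os.path.splitext(path)[1].lower() not in COMMON_EXT


def detect_mass_encryption(events, window=60, min_ops=50, min_dirs=5, min_ratio=0.8):
    """Sliding per-client window over write/rename events. Returns {client: details}
    for each client that touched >= min_ops files in >= min_dirs directories within
    `window` seconds, where >= min_ratio of those files now have unusual extensions."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, client, share, path, op in sorted(events):
        if op not in ("write", "rename"):
            continue
        q = recent[client]
        q.append((ts, path))
        while ts - q[0][0] > window:              # drop events older than the window
            q.popleft()
        if client in alerts or len(q) < min_ops:
            continue
        dirs = {os.path.dirname(p) for _, p in q}
        ratio = sum(suspicious_name(p) for _, p in q) / len(q)
        if len(dirs) >= min_dirs and ratio >= min_ratio:
            alerts[client] = {"share": share, "first_seen": q[0][0], "ops": len(q),
                              "dirs": len(dirs), "suspicious_ratio": round(ratio, 2)}
    return alerts


if __name__ == "__main__":
    for client, details in detect_mass_encryption(EVENTS).items():
        print(client, details)
```

The three conditions are deliberately combined: a backup job also writes many files quickly, but to familiar extensions; a user renaming one project folder touches many files but one directory. Tune the floors to the share's real baseline before relying on the alert, and treat the `first_seen` timestamp as the point to roll back to from shadow copies or backups.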

10 Cyber Weapons Research Findings
Based on Anonymized Alert Data and Network to Process Association (N2PA) Technology

11 Top Attack Behaviors
Reconnaissance was the most common attack behavior
Reconnaissance is an iterative process of trial and error as attackers search for valuable assets
Reconnaissance includes over 10 behaviors, including: scans, excessive failed logins, failed attempts to access network devices and ports

12 Cyber Weapons Used in Phases of an Attack

13 Networking and Hacking Tools
Attackers use well-known tools to map the network, probe clients, and monitor activity
NCrack, Mimikatz, and Windows Credential Editor can be used to steal user credentials
Some tools are native OS utilities

14 Admin Tools
Attackers use a variety of command line shells, including native OS utilities
Admin tools are used for lateral movement as well as recon and exfiltration

15 Remote Desktop Tools
Remote desktop tools are: used for C&C and lateral movement; also indicative of risky user behavior
Remote desktop programs are used by attackers, IT administrators, and everyday users. Attackers use them to gain access to new hosts, to move laterally within the internal network, or to remotely control compromised devices from the internet. Attackers can steal or correctly guess user credentials to remote desktop programs, and then delve further into the network, impersonating a legitimate user while operating unnoticed by all legacy security solutions. Remote desktop apps not only provide an entry point for attackers, but also a way for attackers to streamline management and snooping tasks. TeamViewer easily topped the list of the most common remote desktop tools. In somewhat related news, TeamViewer made headlines in May and June when a large number of TeamViewer customers reported that their computers had been accessed illicitly, meaning that even authorized remote control software can be hijacked by attackers. Purportedly using compromised credentials, intruders logged into victims' machines and drained their bank and PayPal accounts. Some remote desktop tools, such as TeamViewer, Ammyy Admin, and LogMeIn, are often used for controlling computers from outside the network because they broker connections through their service—basically command and control. Others, like VNC and Remote Desktop Connection, are used within the LAN for lateral movement. While not necessarily malicious, all remote desktop connections should be monitored, and organizations should enforce multi-factor authentication to prevent unauthorized computer access.

16 Malware
28% of suspicious processes associated with alerts were either malware or riskware
1% of east-west threats originated from malware
While malware tops the list as a favorite way to initially infiltrate an organization, its popularity sinks heavily once a malicious actor has gained a foothold in the network. In fact, the Cyber Weapons study reveals that almost all malware activity was detected in early phases of the attack lifecycle, such as command and control communications between clients and destinations on the Internet. While riskware programs, such as dual-purpose admin and hacker tools, were detected during the reconnaissance phase, they rarely appeared during the lateral movement and data exfiltration phases.
Goodware Gone Bad: Attackers don't just rely on malware, riskware, and other "attack tools" to do their dirty work. They also leverage ubiquitous apps like web browsers and native OS tools to carry out attacks. In fact, web browsers like Chrome, Internet Explorer, and Firefox accounted for a sizeable amount of command and control activity. Web browsers are not just used for command and control; they're also linked to data exfiltration. Web browsers as well as FTP, WinSCP, file sharing apps, and even email were all associated with data exfiltration. Other benign software, in the hands of malicious insiders and external attackers, can become a weapon to carry out costly attacks.

17 Major Findings
Attackers often use "benign" apps, native OS tools and web browsers to conduct attacks
70%+ of malware was only detected on a single site, revealing targeted & polymorphic variants
Companies that only look for malware will miss attackers that are already in the network
However, even organizations that implement multiple layers of security are still getting compromised. Why? First, because attackers have many different ways to distribute ransomware—even instant messaging, infected USB drives, or more. Second, because ransomware is now so lucrative, cybercriminals are developing new strains continuously, making it hard for signature-based AV to keep up. Plus, ransomware can be difficult to stop. It can use default processes like Windows Explorer. So even if the endpoint software detects ransomware, it might be difficult to terminate the process without making the system unstable.

18 Signature vs. Behavior-based Attack Detection

19 Current Limitations vs. What's Needed
Traditional Security: Known Bad
Signatures, IoCs, Packet Signatures, Domains, Sandbox Activity
Block, or Miss
Necessary, Not Sufficient
Problems: Too Many False Alarms / False Positives; Missed Variants / False Negatives; Only Detect Malware-Based Attacks; Agents & Signatures
What's Needed: Learned Good
Learn What is Good [Baseline]
Detect What Isn't [Anomaly]
Catch What Slips Through the Cracks of Traditional Security
Benefits: Eliminates Zero-Day Exploit Dilemma; Hundreds of Opportunities to Detect; Applicable to All Techniques & Stages; Agentless & Signature-less
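The "learn what is good, detect what isn't" idea on this slide and the reconnaissance behaviours listed on slide 11 (scans, excessive failed logins) come together in the following added example, which is not LightCyber code or part of the deck. It learns, from constructed connection and authentication log lines, each host's normal number of distinct targets and failed logins per day, then flags a later day that exceeds the learned mean by several standard deviations and an absolute floor. The log format, host addresses, sigma multiplier and floors are assumptions; the floors exist because a quiet host with a zero-variance baseline would otherwise alert on any change at all.

```python
"""Baseline-and-anomaly detection for reconnaissance behaviour.

Added example, not LightCyber code: log format, hosts and thresholds are
constructed. Each host's normal daily activity is learned from a baseline
period; a later day is flagged when it exceeds the learned mean by several
standard deviations AND an absolute floor."""
import statistics
from collections import defaultdict

# Constructed log lines: "<day> <src> <dst> <port> <event>", event is "conn" or "auth_fail".
BASELINE_LINES = []
for day in ("d1", "d2", "d3"):
    for dst, port in (("10.0.1.10", 445), ("10.0.1.11", 443), ("10.0.1.12", 389)):
        BASELINE_LINES.append(f"{day} 10.0.0.5 {dst} {port} conn")
    BASELINE_LINES.append(f"{day} 10.0.0.5 10.0.1.11 443 auth_fail")   # one mistyped password a day
    for dst, port in (("10.0.1.10", 445), ("10.0.1.11", 443), ("10.0.1.13", 80), ("10.0.1.14", 22)):
        BASELINE_LINES.append(f"{day} 10.0.0.7 {dst} {port} conn")

# Observation day: 10.0.0.5 sweeps 40 ports on one server and fails 12 logins; 10.0.0.7 is unchanged.
TODAY_LINES = [f"d4 10.0.0.5 10.0.1.20 {p} conn" for p in range(1, 41)]
TODAY_LINES += ["d4 10.0.0.5 10.0.1.11 443 auth_fail"] * 12
TODAY_LINES += [f"d4 10.0.0.7 {dst} {port} conn" for dst, port in
                (("10.0.1.10", 445), ("10.0.1.11", 443), ("10.0.1.13", 80), ("10.0.1.14", 22))]

FEATURES = ("scan", "excessive_failed_logins")   # 0: distinct (dst, port) targets, 1: failed logins
FLOORS = (10, 5)                                  # minimum observed value before a feature may alert


def parse(lines):
    for line in lines:
        day, src, dst, port, event = line.split()
        yield day, src, dst, int(port), event


def daily_features(lines):
    """{src: {day: (distinct_targets, failed_logins)}}"""
    acc = defaultdict(lambda: defaultdict(lambda: {"targets": set(), "fails": 0}))
    for day, src, dst, port, event in parse(lines):
        if event == "conn":
            acc[src][day]["targets"].add((dst, port))
        elif event == "auth_fail":
            acc[src][day]["fails"] += 1
    return {src: {day: (len(r["targets"]), r["fails"]) for day, r in days.items()}
            for src, days in acc.items()}


def learn_baseline(lines):
    """Per host: (mean, population stdev) of each daily feature over the baseline period."""
    baseline = {}
    for src, days in daily_features(lines).items():
        per_feature = zip(*days.values())          # one series per feature, across days
        baseline[src] = [(statistics.mean(s), statistics.pstdev(s)) for s in per_feature]
    return baseline


def detect(baseline, lines, sigmas=3.0):
    """Findings as (src, day, feature, observed, threshold). A host absent from the
    baseline gets a zero profile, so only the floors keep it from alerting on anything."""
    findings = []
    for src, days in daily_features(lines).items():
        profile = baseline.get(src, [(0.0, 0.0)] * len(FEATURES))
        for day, observed in days.items():
            for name, value, (mean, sd), floor in zip(FEATURES, observed, profile, FLOORS):
                threshold = max(floor, mean + sigmas * sd)
                if value > threshold:
                    findings.append((src, day, name, value, round(threshold, 1)))
    return findings


if __name__ == "__main__":
    for finding in detect(learn_baseline(BASELINE_LINES), TODAY_LINES):
        print(finding)
```

Nothing here needs a signature for the scanner or the credential-guessing tool; the port sweep is caught as "more distinct targets than this host ever has", which is the property that also survives renamed binaries and new malware variants. The weak point is the baseline itself: if the learning period already contains an attacker, their activity becomes "normal", so baselines should be learned over a clean window and rebuilt when hosts change role.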

20 Behavioral Attack Detection: Optimal Data Context

21 LightCyber Magna Platform
Using Behavioral Analytics to Find Attacks & Malware on Your Network

22 Behavioral Attack Detection: About LightCyber
Magna Platform Overview: Network-Centric Detection; Agentless & Signature-less; Post-Intrusion: NTA/UEBA
Operations Overview: US HQ - CA; EMEA HQ - Amsterdam; IL HQ - Ramat Gan; Customers World-Wide
Behavioral Attack Detection Differentiation: Most Accurate & Efficient: Proven & Measured Success; Broadest Context: Network + Endpoint + User; Broadest Attack Coverage with Integrated Remediation
Verticals Served: Finance & Insurance; Public Sector; Retail, Healthcare, Legal; Service Providers; Media, Technology, & More
LightCyber was founded by cyber warfare experts to help security analysts answer one question: would you know if an active attack was underway in your network? LightCyber was founded in 2012 and maintains offices throughout the world, including U.S. headquarters here in Los Altos, California and R&D headquarters in Ramat Gan, Israel. LightCyber Magna is part of an emerging category of products that we call Behavioral Attack Detection solutions, which focus on: 1) reducing attack dwell time and the related damage, and do this in large part by 2) increasing the efficiency of IT security operations. We will go into that in detail during the remainder of this presentation. We serve a wide variety of verticals, including finance, healthcare, and government, and LightCyber is recognized for providing attack detection alerts that are highly accurate and actionable. And we actually have published accuracy metrics to stand by those claims.
NTA = Network Traffic Analytics; UEBA = User & Entity Behavior Analytics

23 Profiling, Detection, Investigation, & Remediation
Behavioral Profiling - Network-Centric Endpoint and User Profiling
Attack Detection - Anomalous Attack Behavior Across the Attack Lifecycle
Automated Investigation - Network, User, & Process Association + Cloud
Integrated Remediation - Block Attackers with NGFW, NAC, or Lock Accounts with AD

24 Evolving IT Security Investment Needs
Security Expenditure vs. Damage across the phases: Intrusion Attempt Phase (Seconds – Minutes): Stateful FW, IPS / IDS, Network AV, Sandboxing; Active Attack Phase (Weeks – Months): Breach Detection Gap; Incident Response (Weeks – Months): SIEM
Now, if all defenses were 100% safe, if there were no insider threats, if you didn't have to worry about social engineering or remote access threats, then the perimeter defenses we have today would be good enough. But history and news headlines show us that these defenses are not failsafe. Attackers do get through. Then, what do they do? Most organizations can't answer this question because they don't have any tools to monitor this activity—the reconnaissance and the lateral movement and the data exfiltration, which can take days or weeks or months.
Lockheed Martin: Cyber Kill Chain

25 LightCyber Magna Platform
AWS IaaS Cloud: MAGNADETECTOR & MAGNAPROBE
Endpoints: MAGNAPATHFINDER
HQ / DC: Core Switch, TAP / SPAN, MAGNADETECTOR, MAGNAMASTER & Reports, SIEM, Remediation
Remote Office: MAGNAPROBE, TAP / SPAN, Switch, Network Traffic
MAGNA UI
Confidential

26 LightCyber Magna Security Use Cases
LightCyber Magna provides accurate and efficient security visibility into attacks and attackers in your network.
Security Visibility Encompasses (lower to higher relative risk): Malware, Risky Behaviors, Insider Attacks, Targeted Attacks

27 LightCyber Delivers Unbeatably Accurate Results
Most IT security teams can't keep up with the deluge of security alerts
LIGHTCYBER ACCURACY: 62% across all alerts; 99% across Magna's automated "Confirmed Attack" category
Source:

28 Malware Example
Magna Detects: Active Command & Control channel; Malware Infection; No signs of internal spreading
Likely opportunistic, not (yet) targeted
Detection Pattern: C&C Malware (No East-West)

29 Risky Behavior Example
Magna Detects: RDP to > 20 Workstations
Likely non-malicious internal activity, since there is no association with other malicious findings
Detection Pattern: Credential Abuse Not Linked to Exfil or Other Findings

30 Insider Attack Example
Magna Detects: Suspicious access to file shares; Exfiltration
This correlation indicates a likely Insider Attack
Detection Pattern: Credential Abuse Linked to Exfil or Other Findings

31 Targeted Attack Example
Magna Detects: Anomalous file with known Threat Intelligence; Recon; Lateral Movement; Exfiltration
This correlation indicates a Targeted Attack
Detection Pattern: Multiple Correlated Findings, North-South + East-West

32 User, Entity; Network + Endpoint
Magna Detects: Anomalous Network Activity; Anomalous and Malicious Processes on the Endpoint; Anomalous User Activity
Magna Correlates: User, Process, Entity, Endpoint, Network
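The four example slides (28 to 31) each describe a detection pattern as a combination of findings on one entity: C&C with no east-west activity, credential abuse on its own, credential abuse linked to exfiltration, and north-south plus east-west findings together. The following is an added example, not LightCyber code or part of the deck, that turns those four descriptions into an explicit correlation rule set over constructed findings and orders the results by the relative-risk scale of slide 26. The finding kinds, entity names, details and the exact rule boundaries are assumptions; a real product would weigh many more signals.

```python
"""Correlate per-entity findings into the detection patterns of the example slides.

Added example, not LightCyber code: finding kinds, entity names and rules are
constructed to mirror the four use cases (malware, risky behaviour, insider,
targeted) and the relative-risk ordering of the use-case slide."""
from collections import defaultdict

NORTH_SOUTH = {"cnc", "malicious_file", "exfiltration"}            # internet-facing findings
EAST_WEST = {"recon", "lateral_movement", "credential_abuse", "file_share_access"}
EXTERNAL_ATTACKER = {"cnc", "malicious_file"}                      # hallmarks of an outside actor

# Relative risk (slide 26): malware < risky behaviour < insider < targeted.
RISK = {"needs_review": 0, "malware_infection": 1, "risky_behavior": 2,
        "insider_attack": 3, "targeted_attack": 4}

# Constructed findings: (entity, kind, detail).
FINDINGS = [
    ("host-17", "cnc", "periodic beacon to unknown external host"),
    ("jdoe", "credential_abuse", "RDP to 24 workstations"),
    ("asmith", "file_share_access", "17 rarely used shares read"),
    ("asmith", "exfiltration", "2.3 GB uploaded to personal cloud storage"),
    ("host-42", "malicious_file", "anomalous binary matching threat intelligence"),
    ("host-42", "recon", "port sweep of the server subnet"),
    ("host-42", "lateral_movement", "SMB logins to 9 servers"),
    ("host-42", "exfiltration", "large outbound transfer"),
]


def classify(kinds):
    """Map the set of finding kinds seen on one entity to a detection pattern."""
    kinds = set(kinds)
    if not kinds:
        return "needs_review"
    if kinds & EXTERNAL_ATTACKER and kinds & EAST_WEST:
        return "targeted_attack"      # north-south + east-west findings correlate (slide 31)
    if "exfiltration" in kinds and kinds & {"credential_abuse", "file_share_access"}:
        return "insider_attack"       # credential abuse linked to exfil (slide 30)
    if kinds <= {"credential_abuse"}:
        return "risky_behavior"       # credential abuse not linked to anything else (slide 29)
    if kinds <= {"cnc"}:
        return "malware_infection"    # C&C only, no east-west spreading (slide 28)
    return "needs_review"             # e.g. recon alone: a single finding is not yet a pattern


def correlate(findings):
    """Group findings per entity, classify each, and return (entity, pattern) highest risk first."""
    by_entity = defaultdict(list)
    for entity, kind, detail in findings:
        by_entity[entity].append((kind, detail))
    verdicts = {e: classify(k for k, _ in fs) for e, fs in by_entity.items()}
    return sorted(verdicts.items(), key=lambda kv: RISK[kv[1]], reverse=True)


if __name__ == "__main__":
    for entity, pattern in correlate(FINDINGS):
        print(f"{entity:8} {pattern}")
```

The point of the ordering is triage: the same "RDP to many workstations" finding is a low-priority hygiene ticket for jdoe but would become part of an insider or targeted pattern the moment an exfiltration finding lands on the same entity, so the engine must be re-run as findings accumulate rather than classifying each alert once in isolation.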

33 Demo

34 LightCyber Ecosystem Integration
Endpoints: MAGNAPATHFINDER
HQ / DC: Network Packet Broker, Core Switch, MAGNADETECTOR, MAGNAMASTER, SIEM, Remediation, IAM & Policy Mgmt
MAGNA UI
Confidential

35 Magna in the Security Ecosystem: Integrated Remediation
Magna Enables You To: Terminate Malicious Files (MFT); Block Malicious Domains with NGFW; Isolate Infected Machines with NGFW; Isolate Infected Machines with NAC; Lock Compromised Active Directory Accounts; Reset Compromised AD Passwords
Knock The Attacker Back Out Of Your Network
Re do slide 6 diagram – but show our remediations

36 Thank You Ask about our free attack simulation offer! Find out if LightCyber is better than your existing security infrastructure at detecting attacks
