Jessica Payne Microsoft Global Incident Response and Recovery

2 Anatomy of the Attack – How Cybersecurity Investigations Actually Work
Jessica Payne, Microsoft Global Incident Response and Recovery
Session WIN433

3 Welcome to the worst day of your life

4 The Phone call
"This is the FIB. We noticed your server at x.x.x.x is communicating with a server associated with a malicious actor. Good luck with that..."
Contoso CISO

5 Typical customer reaction

6 Television Cybersecurity
- Takes 45 minutes (without commercials)
- You see the attack
- They immediately notice the compromise
- Investigators are in general omnipotent
- Has guns
- Has a goth girl with unnaturally colored hair. Always.

7 Statistics (source: 2013/2014 Verizon Data Breach Investigations Reports and the Microsoft Security Intelligence Report)
- Only 9% spot their own compromise (sometimes by accident)
- The majority are spotted by an external party
- The attacker is on the network an average of 200+ days before detection
- 75% use stolen credentials – tracking your own people is hard
- Self-remediation is pretty much impossible (you'll see why)
Microsoft Ignite 2015. © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

8 Typical Attack
Tiers shown in the diagram: Access (users and workstations), Data (servers and applications), Power (domain controllers).
- Bad guy targets workstations with malware
- User is compromised; bad guy elevates privilege and harvests credentials
- Bad guy starts the "credentials crabwalk" (moving sideways from host to host on the harvested credentials)
- Bad guy finds a host with domain-privileged credentials, steals them, and elevates privileges
- Bad guy owns the network and can do what he wants

9 (Diagram) Bob the non-admin's workstation, running modern malware as SuperLegitService.exe, exchanges packets with a "special just for you" IP (attacker infrastructure used only for this victim). win32k.sys is also shown on the host.

10 FIB-provided information
FIB FLASH – FIB Liaison Alert #NC-1701
FIB has obtained information that the actor known as APT2005 "Rapid Rhino" has begun attacks against the kitty litter industry vector.
Technical details: ChriKit is a first-generation Trojan with full remote shell capabilities and credential theft toolsets. Traffic is beaconed over typical HTTP/HTTPS ports with minimal identifying strings. The Trojan is installed as a service, where the name varies.

11 So what do we know?
- The malicious host that was being beaconed to (the C2 server)
- A potential threat family
- Through proxy/firewall logs we have identified the host that was beaconing
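How the third point is done in practice, as an added example that is not from the talk: constructed proxy log lines (timestamp, client, destination, port, bytes; a simplified format, not any real proxy's) are searched for the C2 address from the notification, and every client that contacted it is scored on how regular its contact interval is, because an implant that sleeps and beacons produces machine-regular timing that a person browsing does not. The C2 address 203.0.113.45, the hosts and the 0.2 jitter threshold are all made up here.

```python
"""Find internal hosts beaconing to a known C2 address in proxy/firewall logs.

Added example, not from the talk. Log format is a constructed, simplified
one: "<timestamp> <client_ip> <dest_ip> <dest_port> <bytes>" per line.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (not real traffic). 10.0.0.7 beacons every ~300 s;
# 10.0.0.9 touches the same address once (an analyst browsing to it, perhaps).
SAMPLE_LOG = """\
2015-11-18T09:00:02Z 10.0.0.7 203.0.113.45 443 612
2015-11-18T09:00:05Z 10.0.0.5 198.51.100.20 80 15000
2015-11-18T09:05:01Z 10.0.0.7 203.0.113.45 443 598
2015-11-18T09:07:44Z 10.0.0.9 203.0.113.45 443 4200
2015-11-18T09:10:03Z 10.0.0.7 203.0.113.45 443 605
2015-11-18T09:15:02Z 10.0.0.7 203.0.113.45 443 611
2015-11-18T09:20:04Z 10.0.0.7 203.0.113.45 443 600
"""

C2_IP = "203.0.113.45"  # the address named in the notification (constructed, TEST-NET-3)


def parse_log(text):
    """Yield (timestamp, client_ip, dest_ip) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, _port, _nbytes = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, dest


def hosts_contacting(text, c2_ip):
    """Map each client that talked to c2_ip to its sorted list of connection times."""
    seen = defaultdict(list)
    for ts, client, dest in parse_log(text):
        if dest == c2_ip:
            seen[client].append(ts)
    return {client: sorted(times) for client, times in seen.items()}


def beacon_score(times, min_connections=4):
    """Return (mean_interval_s, jitter_ratio), or None if there are too few connections.

    jitter_ratio is stddev/mean of the gaps between connections: near 0 means
    machine-regular timing, which is what a sleeping implant looks like.
    """
    if len(times) < min_connections:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else 0.0)


def find_beacons(text, c2_ip, max_jitter=0.2):
    """Clients whose contact pattern with c2_ip looks like periodic beaconing."""
    result = {}
    for client, times in hosts_contacting(text, c2_ip).items():
        score = beacon_score(times)
        if score and score[1] <= max_jitter:
            result[client] = {
                "count": len(times),
                "interval_s": round(score[0]),
                "jitter": round(score[1], 3),
            }
    return result


if __name__ == "__main__":
    print("talked to C2:", sorted(hosts_contacting(SAMPLE_LOG, C2_IP)))
    print("beaconing:", find_beacons(SAMPLE_LOG, C2_IP))
```

Both lists matter: every host that touched the address is a lead, but the regular-interval host is the one the Trojan is on, and the one-off contact is a reminder (see the tips later in the deck) that an investigator's own lookups end up in the same logs.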

12 The Incident Response tools we wish we had (those are time machines)

13 What fancy tools do y'all use?
- WOLF – internal tool to gather data
- Autoruns – gathers ASEPs (auto-start extensibility points) to indicate malware persistence
- Event Logs
- USN Change Journal – file system level details

14 Other fun tools
- Volatility/memory snapshots – memory analysis can be really useful, but it's hard to grab remotely and transfer to us, and even harder to catch something in the act
- YARA – a pattern-matching tool; rules match files against text strings, hex byte patterns and regular expressions (the name is the tongue-in-cheek "Yet Another Ridiculous Acronym"; it is not limited to regexes)
- PE Analysis – tools for analyzing Portable Executable header data. Caution: use them OFFLINE in targeted attacks; uploading a sample to an online analyzer can tip off the attacker
- IDA Pro – how (some) reverse engineers do it
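Offline header triage of the kind the PE Analysis bullet refers to, as an added example (not the team's tooling): a parser for the DOS, COFF and section headers written from the PE format layout, run against a synthetic PE32 image that the block constructs itself. The image is not a real program; its second section is filled with a uniform byte distribution to stand in for a packed payload. Nothing leaves the machine, which is the point of working offline. The 7.0 entropy threshold and the indicator wording are choices made here.

```python
"""Parse PE headers offline and report packing/RWX indicators.

Added example, not from the talk. The sample image is synthetic (built below),
so the parser can be exercised without touching a real malware file.
"""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}
SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000
IMAGE_FILE_DLL = 0x2000


def shannon_entropy(buf):
    """Bits per byte; ~8.0 means packed/encrypted, plain x86 code is usually 5-6.5."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def parse_pe(data):
    """Return machine, format, timestamp, DLL flag and per-section stats from raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4  # COFF header: Machine, NumberOfSections, TimeDateStamp, ...
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff_off)
    opt_off = coff_off + 20
    (magic,) = struct.unpack_from("<H", data, opt_off)
    sec_off = opt_off + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, vsize, _vaddr, rawsize, rawptr, _, _, _, _, schars = struct.unpack_from(
            "<8sIIIIIIHHI", data, sec_off + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rawsize,
            "entropy": round(shannon_entropy(raw), 2),
            "characteristics": schars,
        })
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "pe_format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "compiled": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "sections": sections,
    }


def suspicious_indicators(info, entropy_threshold=7.0):
    """Header-only red flags: near-random sections and writable+executable sections."""
    hits = []
    for s in info["sections"]:
        if s["entropy"] >= entropy_threshold:
            hits.append("section %s has entropy %.2f (packed or encrypted payload?)" % (s["name"], s["entropy"]))
        if s["characteristics"] & SCN_MEM_WRITE and s["characteristics"] & SCN_MEM_EXECUTE:
            hits.append("section %s is both writable and executable" % s["name"])
    return hits


def build_sample_pe():
    """Construct a tiny synthetic PE32 image (not a real program) with two sections."""
    e_lfanew = 0x40
    timestamp = 1447833600  # 2015-11-18 08:00:00 UTC, constructed
    opt = struct.pack("<H", 0x10B).ljust(224, b"\0")  # PE32 magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, 2, timestamp, 0, 0, len(opt), 0x0102)
    text = (b"\x90" * 400 + b"\xC3").ljust(512, b"\0")  # NOP sled + RET: low entropy
    payload = bytes(range(256)) * 2  # uniform bytes: entropy 8.0, stands in for packed data
    sec1 = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    sec2 = struct.pack("<8sIIIIIIHHI", b".data", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xE0000040)
    header = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew) + b"PE\0\0" + coff + opt + sec1 + sec2
    return header.ljust(0x200, b"\0") + text + payload


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(info)
    print(suspicious_indicators(info))
```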

15 Dramatic Pause

16 First do no harm If you have a suspected compromise GET HELP

17 Band-Aids don't fix bullet holes
- Don't play whack-a-mole – malware has sleeps; an implant that has gone quiet is not gone
- Holistic diagnosis and recovery are needed in a targeted compromise. You will not find it all with basic tools and firewall logs. Engage a professional.
- A full compromise means a full recovery
- More data is more knowledge – but don't be overwhelmed
- Don't rely on tools; this is part art as well as science. Know what is normal, and know that persistence can be unexpected – PowerShell profiles, etc.

18 The investigation

19–22 Real live malware (four screenshot slides; the images are not in the transcript)

23 Tips
- DO search on file hashes
- DO NOT submit files to Virus Total for analysis (the attacker can see that their sample has been uploaded)
- DO NOT ping the C2 host or look it up in DNS (that traffic tells the attacker you are investigating)
- DO get professional help
- DO submit the sample to us (tagged as DHA, Determined Human Adversary, if you suspect one)
- DO send us telemetry!
- DO get professional help!

24–27 (Screenshots) Using Sigcheck to collect a file hash; using the Virus Total hash search and URL search (images not in the transcript)

28 Pretty much undetectable evil

29 Monitoring strategies
- Make sure you have the right logs enabled (this is trickier than it sounds)
- Central collection of logs is huge
- Firewalls are also huge (critical) – from a logging perspective, but also for blocking
- PowerShell: lock it up, upgrade it and monitor it
- Sysmon
- Good news in Windows 10!
- Advanced Threat Analytics – it can detect some of this

30 Defense strategies
- Credential theft mitigations
- Network and application segmentation (firewalls, AppLocker, RemoteApp)
- EMET against initial compromise
- Well-implemented cloud solutions actually can help (not just a sales pitch)
- Unlike TV, not guns.

31 Questions? @jepayneMSFT


33 Continue your Ignite learning path
- Visit Microsoft Virtual Academy for free online training
- Visit Channel 9 to access a wide range of Microsoft training and event recordings
- Head to the TechNet Eval Centre to download trials of the latest Microsoft products
The learning should not end on 20th November 2015.
