This presentation gives an overview of the requirements for hunting within enterprise networks. This talk will dive into details of how to think like an adversary and why being stealthy is mandatory to hunt for the sentient adversary.
4. How do you avoid detection from the adversary?
No obvious and repeatable signatures
Hide your presence from the adversary
Covert operations and communications to avoid tipping your hand
Low-level access to the system
5. Stealth: Does It Matter?
For years attackers have looked for the defender
Anti-debugging techniques
Virtual machine detection
Anti-virus detection
Checking running processes on compromised systems
New classes of malware specifically look for endpoint vendors
Common red team tactics easily detect host-based defenses and disable them
Many host agents are not hardened against a simple ‘net stop’ command
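Since the deck points out that host agents are often not hardened against a simple ‘net stop’, the matching defender check is to alert whenever a protected agent's service is stopped or its start type is set to disabled. The following is an added example, not code from the deck or from Endgame: it runs that detection logic over a constructed ‘timestamp|event_id|message’ feed of Windows System-log Service Control Manager events (IDs 7036 and 7040), and the service names on the watch-list are placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed watch-list of host-agent service names (placeholders, not a real vendor's).
PROTECTED_SERVICES = {"ExampleEDRAgent", "ExampleAVService"}

# Service Control Manager event IDs from the Windows System log.
EVT_STATE_CHANGE = 7036      # "The <svc> service entered the <state> state."
EVT_STARTTYPE_CHANGE = 7040  # "The start type of the <svc> service was changed from <old> to <new>."

STATE_RE = re.compile(r"The (?P<svc>.+?) service entered the (?P<state>\w+) state")
STARTTYPE_RE = re.compile(
    r"The start type of the (?P<svc>.+?) service was changed from (?P<old>.+?) to (?P<new>.+?)\.?$"
)

@dataclass
class Alert:
    timestamp: str
    service: str
    reason: str

def check_line(line: str) -> Optional[Alert]:
    """Inspect one constructed 'timestamp|event_id|message' line; return an Alert if it
    shows a protected service being stopped (7036) or set to disabled (7040)."""
    ts, eid, msg = line.split("|", 2)
    if int(eid) == EVT_STATE_CHANGE:
        m = STATE_RE.search(msg)
        if m and m["svc"] in PROTECTED_SERVICES and m["state"].lower() == "stopped":
            return Alert(ts, m["svc"], "protected service entered the stopped state (7036)")
    elif int(eid) == EVT_STARTTYPE_CHANGE:
        m = STARTTYPE_RE.search(msg)
        if m and m["svc"] in PROTECTED_SERVICES and m["new"].lower() == "disabled":
            return Alert(ts, m["svc"], "protected service start type set to disabled (7040)")
    return None

def hunt(lines: List[str]) -> List[Alert]:
    """Run the check over a whole feed and keep only the hits."""
    return [a for a in (check_line(l) for l in lines) if a is not None]

# Constructed sample feed: a benign spooler event, then an agent stop and disable.
SAMPLE_LOG = [
    "2024-01-01T10:00:00|7036|The Print Spooler service entered the running state.",
    "2024-01-01T10:05:12|7036|The ExampleEDRAgent service entered the stopped state.",
    "2024-01-01T10:05:13|7040|The start type of the ExampleEDRAgent service was changed from auto start to disabled.",
    "2024-01-01T10:06:00|7036|The ExampleAVService service entered the running state.",
]

ALERTS = hunt(SAMPLE_LOG)  # two hits: the 7036 stop and the 7040 disable of ExampleEDRAgent
```

In production the same two checks belong in the SIEM rule set that ingests the System log, with the watch-list populated from the real agent service names.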
6. Stealth: What does it accomplish?
Pre-Compromise
• Make detection cost prohibitive
  – Increase the difficulty of automated detection
  – Force adversaries to employ their own manual hunt process
• Find indicators to detect and prevent
  – When the adversary feels undetected, they conduct operations and expose indicators
Post-Compromise
• Get a foothold on an infected device
7. The Hunting Ground: Critical assets protected
The hunting ground reality:
The hunting ground is compromised
The hunting ground is a mix of mission critical assets
You will be hunting on pre- and post-compromised systems
8. Deploying Pre-Compromise
Attacker can easily identify traditional security
Automated checks for service names, hashes, etc.
AV, VM, EDR all susceptible
Manual check of the system
Running processes and services
Open network connections
9. Deploying Pre-Compromise
Attacker changes the attack plan
Modify TTPs
Disable protection
Modify the system to change the reported data (rootkit)
10. Deploying Post-Compromise
Attacker can easily see traditional security installation
Detect admin login
Detect executable on disk
Detect execution
Follow-on attacker actions
Stop the installation
Pivot to another system (or many)
Burn and run
We’re an up-and-coming, VC-backed, high-impact cyber company.
Funded by the leading investors in cyber security.
Traditional defense technology has become ineffective against cyberattacks.
We believe Offense is essential to eliminate adversaries from enterprise critical infrastructure.
We believe it is better for our customers to be the hunter than the hunted, and so unlike any other company, Endgame Hunts.
We are pioneering this strategy with methods and technologies developed for the IC/DOD to support their hunt for adversaries to our national interests in hostile cyber environments.
We have adapted these technologies to automate the hunt for adversaries in government and enterprise networks.
Segue
Here are a few key facts that make Endgame the leader in the offensive approach to protecting enterprise critical infrastructure.
HUNT CYCLE
Survey – Identify and monitor key valuable assets critical to business operations
The first step is to assess the organization to identify the critical assets that the adversary would target within the enterprise network. Once you have identified the critical assets, deploy stealth sensors to monitor those key systems. Operating stealthily keeps the sensors from being evaded or tampered with by the adversary, allowing you to remain hidden. At the end of this step, the security operator is equipped with a hunt map of the key critical assets and their current and historical network and process behaviors, giving a holistic view of the environment.
Secure – Secure the hunting ground to stop adversary movement within the enterprise network
The next step is to secure the hunting ground. Once you begin monitoring the critical assets, it is important to lock them down before you begin hunting. The key is to stop any lateral movement by the adversary, preventing them from accessing other endpoints within the network. Once the hunting ground is secured, you can employ techniques to detect the sentient adversary.
Detect – Pursue the advanced adversary by discovering attacker techniques
Step 3 is to detect the adversary in the enterprise network. It is crucial not to rely only on known indicators of compromise but also to detect never-before-seen malware. This can be achieved by focusing on the advanced attacker techniques employed in the environment to gain access to critical infrastructure. Fast and automated detection of these techniques significantly reduces the adversary's dwell time within the network from days to just hours.
Respond – Develop an intelligent response strategy to eradicate the adversary.
Once the adversary's techniques are detected, the security operator needs to craft an appropriate and precise response strategy to eradicate their presence in the network. The response actions can vary from observing the adversary and learning their tactics to suspending them to prevent further damage and loss. This intelligent response needs to be enabled in a scalable fashion to address all infected critical assets and minimize business disruption.