The document discusses compromise assessments, which are proactive evaluations of systems to detect threats that have evaded existing security controls. A compromise assessment is faster, more affordable, and independent compared to traditional vulnerability assessments and penetration tests. The assessment methodology involves planning, preparation, discovery, collection of data from endpoints, analysis of the collected data using techniques like forensic state analysis, and reporting of findings. It is recommended that organizations conduct regular compromise assessments by a third party to validate network security and detect any unauthorized access.
2. 2018 - Black Hat - Rise of the Compromise Assessment
SPEAKER BACKGROUND
Chris Gerritz
Chief Product Officer
Infocyte, Inc.
Twitter: @gerritzc
Github: @singlethreaded
Prior:
Chief, DCC Operations
AFCERT
(Retired)
Speaker
• Incident Response Background
• Helped establish and led USAF's Enterprise Hunt Team.
• Co-founded Infocyte, developer of threat hunt software designed to enable compromise assessments.
3. 2018 - Black Hat - Rise of the Compromise Assessment
Vulnerability Assessment
Penetration Test
5. 2018 - Black Hat - Rise of the Compromise Assessment
Compromise Assessment
A proactive evaluation of systems to detect threats that have evaded existing security controls
• Effective at detecting presence of malware, remote access tools, credential misuse and other indications of unauthorized access
• Fast - Assess a typical enterprise network in hours/days
• Affordable - A typical organization should be able to conduct it proactively and regularly (e.g. annually)
• Independent - The assessment does not rely on existing detection solutions already in the environment
APPLICATIONS
⢠Validate Network Confidentiality
⢠Mergers & Acquisitions (M&A)
⢠Cyber Insurance
⢠Vendor Risk Management
⢠Periodic Threat Hunting
7. 2018 - Black Hat - Rise of the Compromise Assessment
Use MITRE's ATT&CK Model
Used to characterize and describe post-compromise adversary behavior.
Details the post-compromise tactics, techniques, and procedures (TTPs) persistent threats use to execute their objectives while operating inside a network.
9. 2018 - Black Hat - Rise of the Compromise Assessment
Compromise Assessment Steps
1. Planning - Review network architecture, needs, and other available information provided by network owner
2. Preparation - Network owner provisions access and installs/preps required tools
3. Discovery - Active enumeration and mapping of network
4. Collection - Active endpoint scans and log collection
5. Analysis - Analysis of collected data (4 & 5 can be iterative)
6. Reporting - Characterize findings and give recommendations
10. 2018 - Black Hat - Rise of the Compromise Assessment
Collection: Endpoint Methods
• Real-Time Monitoring
  - Log endpoint activity to a central server (e.g. Sysmon+ELK or EDR)
• On-Demand Collection (one-time or periodic)
  - Collect artifacts and information related to system state (Forensic Triage)
  - e.g. process lists, autoruns, shimcache entries, forensic artifacts, etc.
• Query - Ask specific questions or look for a specific IOC
  - Real-time: Reach down to the endpoint directly (e.g. osquery)
  - Non-real-time: Search pre-collected logs or data (e.g. EDR)
11. 2018 - Black Hat - Rise of the Compromise Assessment
Collection
Independent assessors should ideally:
• Pull their own primary data, not rely solely on existing data/logs in the environment (to maintain efficacy across clients)
• Minimize permanent changes to the environment (e.g. agentless)
• Concentrate primarily on endpoints/servers
  - Majority of post-compromise behaviors & artifacts are found on hosts/devices
12. 2018 - Black Hat - Rise of the Compromise Assessment
Collection Recommendations for CAs
• Utilize On-Demand / Forensic Triage type collection to cast the broadest possible net
  - Does not require installed agents (no change management requirement)
• Query/IOC searches are not appropriate for a comprehensive, proactive assessment
  - IOCs are overly specific and inefficient; can only look for specific actors, TTPs, or malware
13. 2018 - Black Hat - Rise of the Compromise Assessment
Collection Recommendations for CAs
• Log analysis hunt techniques have significant challenges for fast, generally applicable assessments
  - Difficult to normalize all the various log formats you may encounter in a client site
  - Logs often don't go back far enough or have limited coverage
  - Search queries can be expensive; they require searches which are overly specific
  - Requires very experienced security personnel versed in both the TTPs of attackers and the network's unique logging capabilities to do accurate behavior matching
    • X type of attack produces Y behavior, which will be expressed in these logs as Z
• Deploying new monitoring tools has limited effect
  - Looks forward at new activity, not backwards
14. 2018 - Black Hat - Rise of the Compromise Assessment
Hunt Methodologies
Historical Search (Source: Alerts)
  Query (IoC) -> Event Match
  Search for indicators missed via historical search of logs and/or alert data
State Analysis (Source: Forensics)
  Forensic Triage -> Artifacts and/or Malware
  Deep host inspection to identify what is on each system
Behavior Analysis (Source: Logs)
  Query (TTP) -> Pattern Match
  Search for patterns of behavior based on known attacker tactics (TTPs)
  Baseline -> Deviation from Normal
  Find anomalies relative to baselined profiles and user behavior
15. 2018 - Black Hat - Rise of the Compromise Assessment
Analysis: Forensic State Analysis (Forensic Triage)
Utilizing data stacking and hunt analysis methods:
1. Review all running processes and loaded modules → current look
2. Review all autorun entries and locations → future look
3. Review all execution & forensic artifacts → historical look
4. Identify any evidence of host manipulation or indications of generic compromise
5. Review recent privileged account usage
16. 2018 - Black Hat - Rise of the Compromise Assessment
Analysis Technique: Forensic State Analysis
Threat Hunting technique that applies phased levels of analysis to collected data to reduce the data set to a manageable level:
1. Enrichment - Reputation & threat intel lookups
2. Triage - Algorithms & methods to categorize interesting things
  a. Data Stacking
  b. Anomaly/Outlier Identification
3. Advanced Analysis
  a. Static/Dynamic Analysis of Interesting Samples
  b. TTP Pattern Matching (dig into logs)
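As an added example (not code from the talk or from Infocyte HUNT), here is the enrichment and data-stacking triage described on this slide and the previous one, in Python: a constructed reputation feed clears known-good hashes, then per-host prevalence of hashes and paths and the usual directory for each file name are stacked so that rare or misplaced executables surface as scored leads. The host names, paths, hash values and scoring weights are all assumptions made for the demonstration.

```python
# Added example (not from the talk or Infocyte): the enrichment and data-stacking
# triage steps of Forensic State Analysis, run over constructed triage-survey records.
# Host names, paths and hash values are made up for the demonstration.
from collections import Counter, defaultdict
from ntpath import basename, dirname
# Constructed survey output: (host, executable path, sha256) for each running process.
SURVEYS = [
    ("ws01", r"C:\Windows\System32\svchost.exe", "h-aaa"),
    ("ws01", r"C:\Program Files\Corp\agent.exe", "h-bbb"),
    ("ws02", r"C:\Windows\System32\svchost.exe", "h-aaa"),
    ("ws02", r"C:\Program Files\Corp\agent.exe", "h-bbb"),
    ("ws03", r"C:\Windows\System32\svchost.exe", "h-aaa"),
    ("ws03", r"C:\Program Files\Corp\agent.exe", "h-bbb"),
    ("ws03", r"C:\Users\Public\svchost.exe", "h-ccc"),     # common name, odd directory
    ("ws04", r"C:\Windows\System32\svchost.exe", "h-ddd"),  # expected path, odd hash
    ("ws04", r"C:\Program Files\Corp\agent.exe", "h-bbb"),
]
# Constructed reputation feed standing in for the enrichment step (step 1).
REPUTATION = {"h-aaa": "known-good", "h-bbb": "known-good"}

def host_counts(records, field):
    """Data stacking: on how many distinct hosts does each value of `field` appear?"""
    seen = defaultdict(set)
    for rec in records:
        seen[rec[field]].add(rec[0])
    return {value: len(hosts) for value, hosts in seen.items()}

def triage(records, rare=0.25):
    """Score unknown items as leads; rarer and odder items score higher."""
    total = len({rec[0] for rec in records})
    by_path, by_hash = host_counts(records, 1), host_counts(records, 2)
    # Usual directory per file name, so a common name in a new place stands out.
    dirs = defaultdict(Counter)
    for _, path, _ in records:
        dirs[basename(path).lower()][dirname(path).lower()] += 1
    leads = []
    for host, path, sha in records:
        if REPUTATION.get(sha) == "known-good":
            continue  # enrichment clears known-good hashes before triage
        name, score, why = basename(path).lower(), 0, []
        if by_hash[sha] / total <= rare:
            score, why = score + 2, why + ["rare hash"]
        if by_path[path] / total <= rare:
            score, why = score + 1, why + ["rare path"]
        if dirname(path).lower() != dirs[name].most_common(1)[0][0]:
            score, why = score + 3, why + ["unusual directory for " + name]
        if score:
            leads.append((score, host, path, sha, why))
    return sorted(leads, key=lambda lead: lead[0], reverse=True)
```

On the constructed data the misplaced svchost.exe on ws03 ranks first and the unknown hash in the expected path on ws04 second; everything the reputation feed knows is cleared without review, which is the data reduction the slide describes.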
17. Infocyte HUNT™
Threat Hunting. Simplified.
Proactive discovery of threats inside your network
• Active or Dormant Malware (file-based & in-memory)
• Forensic Artifacts & Indications of Compromise (historical)
• Installed Applications (unauthorized, risky, or vulnerable)
Agentless, Cloud-enabled Architecture
• Interrogate endpoints/servers without installing software
The premier hunt platform for hunt teams, compromise assessments, and incident response.
• Forensic State Analysis (FSA) - Performs a deep inspection of every host (inc. volatile memory inspection)
• "Zero to Hero" in hours/days, not months or years
18. 2018 - Black Hat - Rise of the Compromise Assessment
Infocyte HUNT™ Architecture
Azure | AWS | GCC
Your Network, Cloud, or Datacenter:
  - Infocyte HUNT™ Servers
  - Analyst Workstations & Terminals
  - Primary Data Collection: "Surveys" are deployed to endpoints via existing remote management protocols (e.g. WMI, SSH) and dissolve within minutes
Incyte™ Cloud Services:
  - Reputation & Threat Intel Services
  - Advanced Malware Analysis Services
  - Incyte Cloud Data Usage: Licensing; File Hash & IP/DNS submissions; Executable Sample Detonation
  - Advanced Analysis Services: Multi-AV; Static & Dynamic Analysis; Synapse Score (ML-based Categorization of Backdoors/RATs)
External Threat Intelligence
Infocyte SOC:
  - Managed Threat Hunting
  - Threat Research
19. Why can't my prevention & real-time monitoring tools do this?
20. 2018 - Black Hat - Rise of the Compromise Assessment
Threat Hunting vs Protection
Why most protection tools make poor hunt tools:
• Prevention and real-time detection solutions (AV/IDS) strive for low False Positive (FP) alerting
• Hunt solutions widen the aperture and seek low False Negatives (FN)
  - For Hunters: anomalies, outliers, and suspicious activity are leads, not FPs to be tuned out
  - A good hunt solution sorts and scores leads; enables a quick path to verify and investigate to a conclusion
[Diagram: a Good/Bad spectrum running from Low FP (AV) to Low FN (Hunt); a hunt solution triages the gap in the middle for high quality leads and conclusions. Original Diagram Source: Crowdstrike's Blog on Machine Learning]
21. 2018 - Black Hat - Rise of the Compromise Assessment
Recommendations & Predictions
1. Conduct independent Compromise Assessments by a competent third party on the same interval as your penetration test.
2. Conduct internal assessments (aka "Hunts") on a regular basis, as resources allow.
Prediction:
With the increasing risk of undetected long-term compromise, regulators, insurers, and risk managers will consider mandating that this service be conducted on a regular interval or prior to major financial events.