Advanced Threats In The Enterprise
•
1 gefällt mir•791 views
What will you Learn: 1.How to gain endpoint visibility and detection capabilities to expose malware and respond with precision to stop attackers. 2.How to use actionable intelligence for rapid breach detection across all endpoints that may have already been infected but not identified as active participants 3.How to Increase Security Operations Center (SOC) efficiency by providing a method to gauge the magnitude of an intrusion and reduce incident response time.
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Andere mochten auch
Andere mochten auch (10)
Ähnlich wie Advanced Threats In The Enterprise
Ähnlich wie Advanced Threats In The Enterprise (20)
Mehr von Priyanka Aash
Mehr von Priyanka Aash (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Advanced Threats In The Enterprise
- 1. 1© Copyright 2012 EMC Corporation. All rights reserved. Advanced Threat in the Enterprise Increasing visibility, integrating context, & leveraging expertise Sudeep Kumar Das, CISA, CISSP Lead - Pre-Sales, RSA India E: sudeep.das@rsa.com M: +91- 98209 18408
- 2. 2© Copyright 2012 EMC Corporation. All rights reserved. Attackers Are Getting Stronger - VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT Attacker Capabilities Time To Discovery
- 3. 3© Copyright 2012 EMC Corporation. All rights reserved. Evolution of RansomWare
- 4. 4© Copyright 2012 EMC Corporation. All rights reserved. RansomWare - 1yr ago • Ver 1.0 • Low ransom - $300 • Lousy Crypto – breakable • Target Everyone • Pretty Trivial
- 5. 5© Copyright 2012 EMC Corporation. All rights reserved. Learning new tricks http://www.theregister.co.uk/2014/12/15/tor_advanced_cryptography_malvertising_the_shape _of_next_gen_ransomware/
- 6. 6© Copyright 2012 EMC Corporation. All rights reserved. Moving up the food chain http://www.theregister.co.uk/2015/02/03/web_ransomware_scum_now_lay_waste_to_your_backups/ That left the victims, whose incremental backups were useless, contemplating whether to restore to a six-month-old full backup and lose a lot of changes, or pay up. "The web application was compromised six months ago [and] several server scripts were modified to encrypt data before inserting it into the database and to decrypt after getting data from the database," High- Tech Bridge writes, describing the attack as an "on-the-fly" process. "During six months, hackers were silently waiting, while backups were being overwritten by the recent versions of the database. "The hackers then removed the key. The database became unusable, the website went out of service, and the hackers demanded a ransom for the key."
- 7. 7© Copyright 2012 EMC Corporation. All rights reserved.
- 8. 8© Copyright 2012 EMC Corporation. All rights reserved. Instantly determine scope and take action Quickly expose endpoint threats Analyze and confirm faster Requirements beyond traditional endpoint security tools…. • Signature-less endpoint threat detection • Deep endpoint visibility & real-time alerting • Confirm infections quickly & respond with precision Enterprise Compromise Assessment Tool
- 9. 9© Copyright 2012 EMC Corporation. All rights reserved. Monitor Endpoint Behavior User clicks on malicious email attachment .exe drops on machine, exploits a vulnerability Malware opens a browser process & connects to C2 for instructions Attacker navigates to sensitive data Attacker uses FTP to exfiltrate data Endpoint Behavior Tracking • Monitor operations performed & look for suspicious activity • Identify any new, unknown file that loads
- 10. 10© Copyright 2012 EMC Corporation. All rights reserved. Alert on Suspicious Activity • Alert on suspicious activity in real-time • Syslog sent to SIEM Solutions • Early warning of potentially malicious activity Endpoint data sent from agent to ECAT Server Detect suspicious activity & trigger alerts Alerts sent via syslog & email
- 11. 11© Copyright 2012 EMC Corporation. All rights reserved. Scan Techniques Live Memory Analysis Disk Inspection Network Traffic Analysis • Detect & analyze suspicious traffic • Full system inventory • Executables, DLLs, Drivers, etc. • Find files on disk & inspect • Validate integrity of system & files • Identify hidden processes, modifications & tampering Compare & Flag Anomalies
- 12. 12© Copyright 2012 EMC Corporation. All rights reserved. Trigger Automatic Scans for Unknown Files Automatically scan when new, unknown file loads Fast insight into how file behaves & impacts system Only needed for 1st machine file detected on
- 13. 13© Copyright 2012 EMC Corporation. All rights reserved. Flag Suspicious Endpoints for Analysis Triage and prioritize investigations quickly Leverage suspect scores and descriptions of anomalous activity Make analysts more efficient during incident investigations Shorten time to validate compromised endpoints
- 14. 14© Copyright 2012 EMC Corporation. All rights reserved. Efficiently Analyze & Remove Noise Whitelist Known-good Blacklist Known-bad Use built-in tools to determine legitimacy of files Check File Hash Cert. Validation File Analyzer Flag known threats Web Searches “RSA ECAT narrowed it down to just 26 files for us to review. We were trawling through thousands before.” Environment Correlation
- 15. 15© Copyright 2012 EMC Corporation. All rights reserved. Respond with Precision Instantly find all other infected endpoints Know exact location & persistence of malicious file for removal Optional remediation agent to remove known malware
- 16. 16© Copyright 2012 EMC Corporation. All rights reserved. Forensic Data Gathering Easily gather critical forensic data • Full memory & process dumps • View Master File Table • Locate modified & deleted files
- 17. 17© Copyright 2012 EMC Corporation. All rights reserved. Usease – Vawtrack… "Vawtrak, also known as NeverQuest and Snifula, injects a DLL [dynamic link library] into browser processes," and when targeted URLs are visited, Vawtrak inserts extra code into the Web page. The extra code is used for a wide variety of purposes, including bypassing two-factor authentication, attempting to infect the victim with a mobile malware component using social engineering, and automatically initiating a transfer out of the victim's account and subsequently hiding the evidence of the transfer." Stolen credentials are used, in combination with injected code and proxying through the victim's machine, to initiate fraudulent transfers to bank accounts controlled by the Vawtrak botnet administrators. Machine score bumped to 679 after infecting with vawtrak malware Detect floating code where vawtrack injects to process to add itself into the memory space of the the browser itself Detecting suspect thread
- 18. 18© Copyright 2012 EMC Corporation. All rights reserved. Pivot Between Endpoint & Network Views Syslog alert of suspicious activity & critical endpoint data RSA Security Analytics RSA ECAT Right click to pivot between SA/ECAT
- 19. 19© Copyright 2012 EMC Corporation. All rights reserved. Trial Process (30 day, 50 agent license) Customer fills out Trial Form Automated nurture emails sent weekly Core Rep emails link to customer Sales Ops monitors mailbox; generates & sends license file. Customer installs & sends CID to mailbox Customer gets license file & continues with trial SE provides support if needed Sales responsible for follow-up Sales Associates • Qualifies & sets mtg. 2 weeks out • Sends SW/instructions • Copies Core rep & SE
- 20. 20© Copyright 2012 EMC Corporation. All rights reserved. THANK YOU
Hinweis der Redaktion
- Note: the quote from lead Malware Analyst in EMC’s CIRC (part of EMC’s case study) RSA ECAT collects a ton of information about the endpoint, and provides analysts with an effective way to analyze it. RSA ECAT provides several built-in tools to help security analysts determine if a file is malicious, including the ability to check the legitimacy of file certificates and hashes, check for known-threats, identify any code modifications typically made by malware, and more. Tools: File Hashes- check for known file hashes. ECAT provides 2 hash databases: Bit9 (licensed through RSA) and NIST (provided at no added charge). If a file hash is known to be good, then there is a good chance that the file is legitimate and can be trusted. Any type of modification made to the file (i.e. malware making changes to it) will change the file hash. Hash types checked: SHA-256, MD5, SHA-1 Cert Validation- ECAT performs a validation of the “digital stamp” applied on files when they are released by software vendors. Code signing certificates are issued to companies and individuals by trusted authorities such as VeriSign who follow a strict authenticating process. The certificate validation process is done on the ECAT server to avoid potential tampering by malware on the agent/client-side. If the cert is valid, then it’s evidence that the file is likely ok. Flag known threats- ECAT can check for known threats so analysts don’t waste time investigating and can focus their effort on validating unknown threats. There are 2 sources for known threats that can be integrated with ECAT: YARA rules: YARA is an open source tool that’s used by many organizations to identify and classify malware. Customers can also incorporate YARA rules, as another source to check files against to identify known threats. OPSWAT Metascan: Metascan is a multi-engine AV scanner that combines unique technologies and engines from 4 or more AV vendors to scan for known threats. Metascan is installed on the ECAT Server, and all incoming files are checked against the AV engines to automatically find known threats. Endpoints will be automatically flagged as infected in the ECAT console. Web searches- Analysts can use Virus Total, Google, etc. to search for any information in the security community about files (i.e. has a file hash been seen before and is it associated with a known threat)…another way to help analysts during their investigation to validate if a file is legitimate File analyzer- If a copy of the file has been downloaded to the ECAT server, there is a file analyzer that can be used to actually look down through the strings of the file. Environment correlation- Security teams will have context about how many machines a particular file has been found on, whether the file is active or dormant on a machine, and which machines are connecting to a particular IP address. Whitelist: With RSA ECAT, security analysts have the flexibility to whitelist known-good (trusted) files and filter them from view during an investigation Blacklist: You can also blacklist known-bad files and IPs, so they’ll be automatically flagged if found on any endpoints. This helps to reduce time during an investigation. With the ability to whitelist/blacklist, it significantly reduces the amount of data that analysts have to investigate (see customer quote on slide) and with the suspect levels that ECAT automatically applies, it helps analysts to focus their investigations even further.
- Easily move between endpoints, network packets & logs during investigations: Direct integration between RSA ECAT and RSA Security Analytics provides comprehensive visibility into endpoint activity, network packets, and logs, and enables your analysts to seamlessly transition between endpoint and network views during investigations.