
Activated Charcoal - Making Sense of Endpoint Data

370 views

Published on

Recorded Webcast: https://logrhythm.com/resources/webcasts/activated-charcoal-making-sense-of-endpoint-data/

Security operations is all about understanding and acting upon large amounts of data. When you can pull data from multiple sources, condense it and correlate it across systems, you can highlight trends, find flaws and resolve issues.

This presentation was given at Black Hat 2016 and, more recently, at an SC Magazine webcast. It covers the importance of monitoring endpoints and how to leverage endpoint data to detect, respond to and neutralize advanced threats.

Published in: Technology


  1. Company Confidential. Powered by Activated Charcoal: Making Sense of Endpoint Data
  2. Greg Foss, Head of Global Security Operations. OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, Cyber APT
  3. The Endpoint is the new Perimeter
  4. The easiest path into any network…
  5. Social Engineering. Nothing like a little pretext to get people to click on your links…
  6. • Phishing • 91% of ‘advanced’ attacks began with a phishing email or similar social engineering tactics • http://www.infosecurity-magazine.com/view/29562/91-of-apt-attacks-start-with-a-spearphishing-email/ • 2014 Metrics • Average cost per breach => $3.5 million • 15% higher than the previous year • http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis
  7. Drive By Downloads, Malvertizing, and Watering Hole Attacks. Image Source: https://blog.kaspersky.com/what-is-malvertising/5928/
  8. (slide contains no text)
  9. (slide contains no text)
  10. Training is Critical to Success
  11. Key Focus Areas: • Employees. Image Source: http://www.cloudpro.co.uk/hr/5803/gov-offers-hr-workers-free-cyber-security-training
  12. End User Tips - Phishing
  13. All You Need is +
  14. Shortened URL Tracking
  15. Testing and Validation
  16. Rogue Wi-Fi Network – Threat Simulation
  17. USB Drop – Training Exercise: Case Study
  18. Building a Believable Campaign. Use realistic files with somewhat realistic data. Staged approach to track file access and exploitation
  19. Profit. Send an email when the Macro is run… Use a bogus email (unlike I did here) – I know, I know. Bad OpSec.
  20. Tools: calculator.exe
  21. “Nobody’s going to run an exe from some random USB” - Greg. Yep… They ran it...
  22. Now we have our foothold… Fortunately they didn’t run this as an admin
  23. (slide contains no text)
  24. Key Focus Areas: • Employees • IT Staff • Roles and Responsibilities • Incident Response Duties • Configuration Monitoring • Malware Removal • Security Infrastructure
  25. Key Focus Areas: • Employees • IT Staff • Security Staff • Table Top and Red vs Blue Exercises • Threat Simulation Leads to Process Improvement • Announced vs Unannounced Simulations or Penetration Testing
  26. Purple Team FTW! • Employees • IT Staff • Security Staff • Table Top and Red vs Blue Exercises • Threat Simulation Leads to Process Improvement • Announced vs Unannounced Simulations or Penetration Testing
  27. Key Focus Areas: • Employees • IT Staff • Security Staff • Leadership
  28. Key Focus Areas: • Employees • IT Staff • Security Staff • Leadership • Processes and Procedures
  29. Continuous Monitoring and Detection
  30. Automating OSINT and Response. Domain Tools, Passive Total, VirusTotal, Cisco AMP, ThreatGRID. Netflow / IDS, Firewalls, Proxy / DNS, Endpoint, SIEM. API Integration. SecOps Infrastructure
  31. (slide contains no text)
  32. Malware Beaconing
  33. (slide contains no text)
  34. Malware Beaconing
  35. Correlate Network / Log Activity with Endpoint Data
  36. Macro Phishing Attacks • Common • Bypasses Most AV • Heavily Obfuscated • Newer attacks targeting Office 365
  37. Macro Attack Detection
  38. Full Command Line Details
  39. Full Command Line Details
  40. Be Careful – Don’t Jump To Conclusions…
  41. Be Careful – Don’t Jump To Conclusions…
  42. Centralized Logging and Event Management
  43. (slide contains no text)
  44. Threat Feed Configuration
  45. Full Event Alerting
  46. Syslog Only
  47. Watchlist Configuration
  48. Carbon Black Event Forwarder. LogRhythm => Use LEEF Format. https://github.com/carbonblack/cb-event-forwarder
  49. Dashboards and Investigations
  50. (slide contains no text)
  51. (slide contains no text)
  52. Long Tail Analysis. Strange activity can bubble to the surface when viewing the whole picture
  53. (slide contains no text)
  54. (slide contains no text)
  55. Taking it a Step Further…
  56. Additional Integration: Alarming. Trigger on Specific Watch List Hits
  57. Additional Integration: Alarming. Admin Tracking
  58. Additional Integration: Alarming. Admin Tracking. Reporting
  59. Additional Integration: Alarming. Admin Tracking. Reporting. Automation: Perform Actions Based on Alarms Observed
  60. LogRhythmChallenge.com, Booth #600, #logrhythmchallenge
  61. Mini Network Monitor, Booth #600
  62. Thank You! QUESTIONS? Greg Foss, Greg . Foss [at] LogRhythm . com, @heinzarelli
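Slide 52 ("Long Tail Analysis") is the one slide that states a technique rather than a title: when you look at the whole fleet's endpoint data at once, the routine activity piles up at the head of the distribution and the odd, one-off events sit in the long tail. The script below is an added example of that idea over process-creation events; it is not code from the slides or from LogRhythm, and the event records, host names, and the `long_tail`/`pair_stats` functions are constructed for illustration. It buckets (parent process, child process) pairs, counts how many hosts and how many events each pair appears in, and returns the rarest pairs with a few example command lines so an analyst can pivot into the full command line details the later slides call for.

```python
"""Long tail analysis over endpoint process-creation events.

Added example, not part of the original slides. Each event is
(host, parent image path, child image path, child command line), the
fields a Carbon Black / Sysmon style process event carries. Routine
launches (explorer -> outlook, outlook -> winword) dominate the head of
the distribution; pairs seen on a single host a handful of times are the
long tail worth a look. All events below are constructed sample data.
"""
import ntpath
from collections import defaultdict
from typing import Dict, List, Tuple

Event = Tuple[str, str, str, str]  # host, parent image, child image, child cmdline

OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"


def _constructed_events() -> List[Event]:
    """Build a small constructed fleet of five workstations."""
    events: List[Event] = []
    for host in ("ws01", "ws02", "ws03", "ws04", "ws05"):
        # Head of the distribution: everyday activity on every host.
        for _ in range(20):
            events.append((host, r"C:\Windows\explorer.exe", OFFICE + r"\OUTLOOK.EXE", "OUTLOOK.EXE"))
        for _ in range(8):
            events.append((host, OFFICE + r"\OUTLOOK.EXE", OFFICE + r"\WINWORD.EXE", "WINWORD.EXE /n"))
    # Long tail: a Word document spawning PowerShell on one host (macro pattern
    # from slides 36-37); the encoded payload is deliberately omitted.
    events.append(("ws03", OFFICE + r"\WINWORD.EXE",
                   r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                   "powershell.exe -NoP -W Hidden -Enc <base64 omitted>"))
    # Long tail: a binary run twice from removable media on one host (slide 20).
    for _ in range(2):
        events.append(("ws04", r"C:\Windows\explorer.exe", r"E:\calculator.exe", "calculator.exe"))
    return events


SAMPLE_EVENTS: List[Event] = _constructed_events()


def normalize(image: str) -> str:
    """Lower-cased file name, so the same binary from different install
    paths (or a copy on a USB stick) collapses into one bucket."""
    return ntpath.basename(image).lower()


def pair_stats(events: List[Event]) -> Dict[Tuple[str, str], dict]:
    """Aggregate per (parent, child) pair: total count, distinct hosts,
    and up to three example (host, cmdline) tuples for the analyst."""
    stats: Dict[Tuple[str, str], dict] = defaultdict(
        lambda: {"count": 0, "hosts": set(), "examples": []})
    for host, parent, child, cmdline in events:
        bucket = stats[(normalize(parent), normalize(child))]
        bucket["count"] += 1
        bucket["hosts"].add(host)
        if len(bucket["examples"]) < 3:
            bucket["examples"].append((host, cmdline))
    return stats


def long_tail(events: List[Event], max_hosts: int = 1, max_count: int = 3):
    """Return the rarest pairs, rarest first: those seen on at most
    `max_hosts` hosts and at most `max_count` times in total."""
    tail = [(pair, b) for pair, b in pair_stats(events).items()
            if len(b["hosts"]) <= max_hosts and b["count"] <= max_count]
    tail.sort(key=lambda item: (len(item[1]["hosts"]), item[1]["count"], item[0]))
    return [(parent, child, b["count"], sorted(b["hosts"]), b["examples"])
            for (parent, child), b in tail]


if __name__ == "__main__":
    for parent, child, count, hosts, examples in long_tail(SAMPLE_EVENTS):
        print(f"{parent} -> {child}: {count} event(s) on {hosts}")
        for host, cmdline in examples:
            print(f"    {host}: {cmdline}")
```

The thresholds are the tuning knob: on a real fleet, start with `max_hosts=1` and a low `max_count`, then raise them as the obvious one-offs are explained, and feed the surviving pairs into a watchlist so they alarm instead of waiting for the next manual review.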
