Join Infocyte's co-founder and Chief Product Officer, Chris Gerritz, as we review the findings from our 2019 Mid-market Threat Detection and Incident Response report. In the first half of 2019, we completed over 550,000 digital forensic inspections across hundreds of customer and partner networks, exposing hidden and malicious threats, unknown vulnerabilities, and more. Our Mid-market Report (and this webinar) shares the findings from our DFIR investigations, compromise assessments, and ongoing threat hunting activities.

1. Chris Gerritz

4. Attack Outcomes
Respond
Hunt
• Block what can be
blocked
• What you detect
through monitoring, you
must respond quickly.
• The rest you must be
proactive: hunt and
assess
:-)

5. Today’s Cyber Attacks are Chained Events
Stages of a modern malware attack:
1. Emotet = Go-Wide Trojan (easier
to detect)
2. Trickbot = Targeted RAT (harder to
detect)
3. Ransomware

8. Infocyte spans the Attack LIfecycle

9. ●
○
○
●
●

10. ●
●
○
●
●

13. Earliest
Forensic
Timestamp
Detected on

14. • Dwell Time calculations require earliest
timestamp from the initial infection:
○ First system compromised (beachhead)
○ Best done with host-based telemetry
Source Details Notes
MAC File System Times File Created Time Earliest Timestamp! Infocyte uses this.
Windows Event Logs Event ID 4688 (Process Creation) Logs executions but poorly formatted and
almost useless for proactive detection
Sysmon (or commercial EDR) Event ID 1 (Process Creation)
Event ID 2 (File Creation Time
Changed)
Same as 4688 but Sysmon and EDR events
are formatted for remote storage & analysis
(e.g. includes hash)
ID 2 can help detect time manipulation but
is noisy
Network IDS/Proxy/FW Event Exploit or C2 events Will indicate some part of the infection chain
Calculating Dwell Time (Sources of Time)

15. Potential Issues with Time
• Anti-Forensics is a class of techniques used by hackers to dork up forensic analysis
such as timeline creation
Source Potential Issues Mitigations
MAC File System Times
($STANDARD_INFO)
Easy to manipulate these timestamps
from user-space (aka TimeStomping)
1. Compare to $FILE_INFO
2. Check for absence of sub-second
resolution (timestomp doesn’t add this)
MAC File System Times
($FILE_INFO)
Hard to manipulate but not impossible
(i.e. a kernel rootkit)
Verify timestamps make sense (not before
OS release date or in future)
Windows Event Logs Logs can be deleted (modifying event
is extremely difficult in Windows 10)
Remotely store logs
Sysmon (or commercial EDR) Process Start Times are not the
earliest timestamps
Telemetry != Detection
Process start times are good approximations
in many attacks but not all.
Ensure this was actually the earliest
execution
Network IDS/Proxy/FW Event Most early exploit events not
detected/logged (i.e. email vector)
Aggregate ALL network log sources into a
super timeline

16. Eliminate threat from network.
Example: wipe and reload infected host or delete malware
For every threat or vulnerability finding there are three
choices for remediation that happen in practice:
Don't outright fix but use additional layers of security to reduce the risk/threat.
Example: Block C2 at firewall or DNS blackhole
Problem: Malware “might” be neutered but still on system (sometimes forever)
Fix
Accept
Remediation Concerns
Mitigate
The cost of fixing outweighs the risk: Ignore it… (yes, this happens sometimes)
Longest dwelling
infections found
were in this
category

18. Command
Premium Hunt & IR Support
✓
✓
✓
✓
✓
Confidential
™

19. ™
∙ ∙ ∙ ∙ ∙ ∙ ∙

20. Quarterly Reports:
- Q3 Report Coming Soon
- Refining our methodology while expanding data volume
Annual Report 2020 (Summer)
- Work with Verizon DBIR
- Provide additional rigor to dataset
Future Reports