31. Thank You!
For more information visit www.lastline.com
or contact us at info@lastline.com.
Editor's note
In several
And now let us introduce the topic
rdtsc looping (timing evasion)
Obfuscation uses mildly obfuscated code (an oligomorphic decryptor), multi-stage encrypted shellcode, RunPE/process hollowing, and encryption.
Tracking/keylogger data sent to the C2 is encrypted; network-based detection of the C2 is still quite easy -> an enterprise could detect it reliably, but DLP mechanisms would fail.
Using publicly available services and tools for each step
Before introducing the topic, it is worthwhile to provide a high-level overview of the Lastline Platform, to make sure the audience can follow the subsequent slides.
Two quick slides to describe the architecture of our platform, emphasizing the scalable architecture, which decouples the roles of the analysis and security enforcement points.
The meaning of this slide is a very old meme: the power is useless without control.
The technology is a mandatory starting point, but it must be easy to integrate to let the organization unleash the full range of capabilities.
I won’t ever use the term remediation, since it may have different meanings (cleaning the endpoint or verifying the IOCs). Besides, according to my experience, not all CxOs believe remediation is possible. Rather, I believe it could be better to use terms such as containment and/or mitigation.
The concept of multi-dimensional information is explained later. Maybe the term is exaggerated (on purpose). The meaning is that the information can be used by both operations engineers and security analysts.
I used the term Breach Mitigation
It is important to stress here that we do not forward single sparse events but the post processed information.
Maybe here it’s worth mentioning that this is a real Backoff sample analysed in August.