Building Cyber Resilience: No Safe Harbor

Start date: mm.dd.yyyy
End date: mm.dd.yyyy
Building Cyber Resilience:
No Safe Harbor
OISC 10 Mar 2021
Mark Sangster
Principal Evangelist and VP
Industry Security Strategies
eSentire
Nick Enger
CTO
ATC
Louie Hollmeyer
Director
ATC

No Safe Harbor
ATC & eSentire
• Independent IT Consulting
• Digital Transformation (DX) in Four Core Segments:
o Voice | Network | Cloud | Cybersecurity
• Solution Agnostic
• 400+ Technology Providers
• Founded 2001
• Category Creator
• World’s Largest MDR Company
*Attendees will receive a copy of Mark’s book, “No Safe Harbor.” We will also
be raffling off Amazon gift cards to attendees and booth visitors.
**Mark will be in the ATC-eSentire booth directly following this presentation.

eSentire CONFIDENTIAL
eSentire Managed Detection and Response
2001
Year founded
750+
Customers across
48 countries
97%
Customer retention rate
$6 Trillion+
90%
year-over-year growth
2.6 Billion+
indicators of concern ingested
in 2019
S E A T T L E
W A T E R L O O
N E W Y O R K
C O R K
L O N D O N
In assets under protection

IOC
D E T E C T I O N
INCIDENT
D E T E C T I O N
THREAT
A N A LY S I S
INCIDENT
I N V E S T I G AT I O N
THREAT
C O N TA I N M E N T
DISRUPT
C O N TA I N
THREAT
H U N T I N G
24/7
M O N I T O R I N G
24/7
3 6 0 - D E G R E E S
2 0 M I N
TO CONTAINMENT
3 5 S E C
TO TRIAGE
T H R E A T
H U N T I N G
A N D
R E S P O N S E
M A C I N E
L E A R N I N G
H U M A N
E X P E R T I S E
eSentire Managed Detection and Response
NORTH-SOUTH
N E T W O R K
EAST-WEST
E N D P O I N T S
IAAS + SAAS
C L O U D
SYSTEM
L O G S
THREAT
I N T E L L I G E N C E
DATA
A N A LY T I C S
SOC
P O R TA L
AT L A S
C L O U D - N A T I V E
S O A R

“Only after disaster can we be resurrected.”

Tyler Durden
Fight Club 1999 Chuck Palahniuk

On July 23 1983, Air Canada 143 was a passenger flight between Montreal and Edmonton. Midway
through the flight at an altitude of 41,000 feet, the plane ran out of fuel.

On July 23 1983, Air Canada 143 was a passenger flight between Montreal and Edmonton. Midway
through the flight at an altitude of 41,000 feet, the plane ran out of fuel.
The crew was able to glide the Boeing 767 aircraft safely to an emergency landing at a former Air
Force base in Gimli, Manitoba. There were only minor injuries. This unusual aviation incident earned
the aircraft the nickname "Gimli Glider.”

Initially hailed as heroes, following the airline’s internal investigation, Captain Pearson
was demoted for six months and First Officer Quintal was suspended for two weeks for
allowing the incident to happen. Three maintenance workers were also suspended.

R E G U L AT O R Y
CHANGES
M E C H A N I C A L
FAILURES
N O V E L
TECHNOLOGY
H U M A N
ERROR

E M E R G I N G
T E C H N O L O G Y
G L A S S C O C K P I T
F L Y - B Y - W I R E
T W O P I L O T S
R E D U C E D C R E W
N O V E L
A I R C R A F T D E S I G N
S A F E T Y
T H R E A T S
H U M A N E R R O R S
M I S C A L C U L A T I O N S
O B S O L E T E
G O V E R N A N C E
M E C H A N I C A L
F A I L U R E S
A C C O U N T A B I L I T Y
F A A + N T S B
R E G U L A T O R Y C H A N G E S

A C C O U N T A B I L I T Y
C O M P L I A N C E + C O N T R A C T S + C O V E R A G E
S O P H I S T I C A T E D
T H R E A T S
M A L W A R E
A S - A - S E R V I C E
H A N D S - O N
K E Y B O A R D
C U L T U R A L
E N G I N E E R I N G
E M E R G I N G
T E C H N O L O G Y
A C C E S S
R E M O T E W O R K E R S
A S S E T S
C L O U D - B A S E S
W O R K L O A D S
D I S T R I B U T E D

Cyber accountability is growing
Reasonable care, attorney-client privilege and discovery, and ransom payment violations

U S I N G Y O U R O W N T O O L S
HAND -O N-KEYB OARD
1
F 5 0 0 B U S I N E S S P R A C T I C E S
MALWARE A S - A - S E R V I C E
2
T H E Y U N D E R S TA N D Y O U R B U S I N E S S
CULT URE -BASED AT TACKS
3
STATE-SPONSORED actors move down stream
while ORGANIZED CRIME grows in ferocity and coordination

Business Email Compromise (BES)
Fraudulent Transfers of Funds (FTF)
On April 1, 2018, the CFO of a firm received a phishing
email, which redirected him to a site designed to look like
a legitimate Microsoft Office365 login page. The CFO
unknowingly entered his login credentials.
They accessed the CFO's Office365 account 464 times
between April 6 and 20, 2018. They sent fraudulent wire
transfer requests from the account to the financial team.
To hide their activities from the CFO, the conspirators
created used email rules to mark messages read and move
them to another folder.
The finance team at Unatrac processed 15 payments to
overseas accounts, totaling almost $11 million, most of
which could not be recovered.

Standing your ground against cyberattacks
C O U N T E R I R
82%
C U S T O M
M A L W A R E
50%
When you turn the lights on an adversary, assume an escalation
Ransomware-as-a-service lowers the entry barriers
for prospective cybercrime entrepreneurs, it has
the very real potential to increase the “supply” of
ransomware operators.
Vmware Carbon Black: Custom malware is now being used in 50 percent of the attacks
reported by respondents demonstrating the scale of the dark web, where such
malware and malware services can be purchased to empower traditional criminals,
spies and terrorists, many of whom do not have the sophisticated resources to execute
these attacks.
CrowdStrike: PINCHY SPIDER pioneered the RaaS model of operations, in which the
developer receives a share of the profits that affiliates collect from successful
ransomware infections. Beginning in February 2019, this adversary advertised its
intention to partner with individuals skilled in RDP/VNC networks and with spammers
who have experience in corporate networking.

Complex and persistent campaigns to create a major security event and seven-figure ransoms
This is how phishing and cyber campaigns actually work
N E G O T I A T E D R A N S O M
OPERATIONAL DISRUPTION
E X T O R T I O N P A Y M E N T
PUBLIC EXPOSURE
R E S A L E R E V E N U E
DATA BREACH
INFILTRATION
DATA
EXFILTRATION
HARVEST
CREDENTIALS
ACCESS
VIA VPN
VIA
RAT/RDP
VALIDATING
ACCOUNTS

They understand your business
Exploiting industry culture to mimic trusted actors

44% Experienced a third-party material breach
32% Lack resources to audit third parties
15% Were notified by the third party responsible
Supply chain cyber risks
Three Ps of 3rd-Party Risk: Policies, Prevention and Promises

Macro
Events
Trusted
Sources
Industry
Influences
Social
Engineering
Target Intelligence
Tailored Campaign
Hijacked Docs
Cloned Email
Chimera Sites
Client Identities
Hijacked
Credentials
Endpoint
Via RDP
1 VPN
Creates
Account-B
Powershell Deploy
Mimikatz
Never assume a cyber singularity
Adversaries use ecosystem experts to island hop and disable defenses
Endpoint
Via RDP
2
VPN
Creates
Account-C
PSExec SunCrypt
Ransomware
Endpoint
Via RDP
Endpoint
Uninstall EDR
3
VPN
Creates
Account-D
Revo
Netwalker
Ransomware
CLIENT
Credentials
VENDOR
Credentials

A C O U N T A B I L I T Y
Can you see your
entire environment?
How do you manage
cybersecurity expenses?
How do you fill
expertise gaps?
How do you scale to
handle the data volume?
How quickly can you
respond to threats?
What is your cyber risk?
What are your obligations?

MDR services offer turnkey threat detection and response via
modern, remotely delivered, 24/7 security operations center
capabilities and technology.
M D R e v o l v e d f r o m M S S P
E x t e r n a l S O C o r a u g m e n t s
i n t e r n a l c a p a b i l i t i e s
M D R l a c k s a c l e a r s e r v i c e
d e f i n i t i o n a c r o s s v e n d o r s
D i f f e r e n t i a t i o n i s d i f f i c u l t
a c r o s s v a r i e d a p p r o a c h e s

EXPERT-DRIVEN
INVESTIGATION
Expert threat
analysis
Investigation and
confirmation
AUTOMATED
ANALYSIS
Machine
speed and scale
Aggregation
and correlation
ATLAS CLOUD SOAR
Automation | Orchestration | Response
FULL SPECTRUM DETECTION
E N D P O I N T S N E T W O R K
C L O U D L O G S
I N S I D E R A S S E T S
D I G I TA L T R A N S F O R M AT I O N L E A D S TO A L A C K O F V I S I B I L I T Y
How do you cover the entire threat surface?
1
E X P E R T
P E O P L E
M A C H I N E
L E A R N I N G
CONTAINMENT
CONFIRMED
IMMEDIATE
UNLIMITED
SURGICAL
DOCUMENTED

EXPERT-DRIVEN
INVESTIGATION
Expert threat
analysis
Investigation and
confirmation
AUTOMATED
ANALYSIS
Machine
speed and scale
Aggregation
and correlation
ATLAS CLOUD SOAR
Automation | Orchestration | Response
C L O U D L O G S
E X P E R T
P E O P L E
M A C H I N E
L E A R N I N G
CONTAINMENT
CONFIRMED
IMMEDIATE
UNLIMITED
SURGICAL
DOCUMENTED
2
A N AVA L A N C H E O F FA L S E P O S I T I V E S L E A D S TO A L E R T OV E R LOA D
How do you prioritize investigation?

R E D U C I N G D W E L L T I M E I S C R I T I C A L
How quickly can you respond to threats?
C L O U D L O G S
3
E X P E R T
P E O P L E
M A C H I N E
L E A R N I N G
CONTAINMENT
35
seconds
to begin triage
6
Investigations every minute
20
minutes
to containment
646
Confirmed incidents per day
ONE MONTH OF CUSTOMER DATA
271,812
indicators of concern
2,190
investigations
65
security incidents
2
escalations
200
endpoints
200
employees

4
R E C R U I T I N G , R E TA I N I N G A N D R E T R A I N I N G
How do you overcome the
cybersecurity skills gap?
E S TA B L I S H E D TA L E NT P I P E L I N E
Maintain access to cybersecurity professionals despite the global shortage
TA K E C A R E O F YO U R S O C A N A LYS TS
Prevent burnout which is the number one problem
E S TA B L I S H Q UA L I T Y A S S U R A N C E
Ensuring customers receive the best possible service
I N V ES T I N TO O L S + T E C H N O LO GY
Continually improve operational effectiveness, efficiency and human-machine
collaboration in the face of ever-increasing threat signals
P R OV I D E C O N T I N UO U S E D U C AT I O N
Support SOC analysts to level-up with new skills and credentials through
continuous education and certification
P R OV I D E C A R E E R A D VA N C E MEN T
Support SOC analysts’ advancement in the SOC, threat analytics or other areas of the organization

Step 0
Unknown IP Connects
via VPN to Endpoint-0
Step 1
Compromised Account-A
access Endpoint-0 via RDP
Step 2
Creates Account-B and
connects to System-0 via
RDP
Step 3
Account-B deploys
Mimikatz via PowerShell
on Endpoint-0
INFECTION
Sunwalker: pervasive and persistent attacks
Step 4
Detection rule
triggered in Carbon
Black Endpoint agent
CONTAINMENT
Step 5
eSentire SOC isolates
Endpoint-0 and
generate alert
Step 6
eSentire Threat Response
Unit initiates broader
investigation and worked
with client
DETECTION
LATERAL
ATTACK
Step 7
Attacker uses Endpoint -2
To deploy SunCrypt
ransomware using PSExec
CONTAINMENT
Step 8
Lateral spread attempt is
automatically blocked by
Carbon Black Endpoint
Step 10
Attacker uses
Account-D to
access Domain
Controller
COUNTER
ATTACK
Step 9
Attacker downloads
Revo Uninstaller to
remove Carbon Black
Step 11
Attacker attempts to
execute Netwalker
ransomware on
Endpoint-2
CONTAINMENT
Step 12
Carbon Black Endpoint
attempts at lateral infection
via PSExec
Step 13
Carbon Black Endpoint blocks
attempt to detonate
Netwalker
Step 14
eSentire SOC Isolates
Endpoint-2
CO-REMEDIATION
Step 15
eSentire SOC
Alerts and makes
recommendations

A C O U N T A B I L I T Y
360° VISIBILITY
Detection and Response
COST EFFECTIVE
Security for the Midmarket
SECURITY EXPERTISE
150+ SOC+TI Analysts
RAPID + SCALABLE
Alert processing
20 MINUTES
Average Time to Resolution
RISK MANAGEMENT
CSO Resources on Call

No Safe Harbor
Question & Answer

Building Cyber Resilience: No Safe Harbor

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Building Cyber Resilience: No Safe Harbor

Ähnlich wie Building Cyber Resilience: No Safe Harbor (20)

Mehr von Advanced Technology Consulting (ATC)

Mehr von Advanced Technology Consulting (ATC) (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Building Cyber Resilience: No Safe Harbor

Hinweis der Redaktion