Group-IB Security Ecosystem Portfolio update Tim Bobak APAC Sales Director Group-IB
Moneytaker Case Study: Moneytaker Investigation. Tracking started in autumn 2016 after the first Russian incident.
What happened after the breaches? Thefts from card processing and other payment systems.
Document exfiltration: confidential documents, personal data, SWIFT and security guidelines.
Breaches go public, but Group-IB stopped other attacks on US banks.
How did we investigate? The attackers reused SSL certificates across multiple campaigns and across their attack infrastructure, so a certificate seen in one campaign became the pivot that linked hosts in the others.
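The pivot described above, as an added example that is not Group-IB's tooling: daily survey observations of (host, port, certificate SHA-256 fingerprint, subject, date) are indexed by fingerprint, fingerprints seen on more than one host are reported with their first-seen dates, and hosts and certificates are then joined into connected components so that a certificate shared by two hosts pulls both into one infrastructure cluster. All hosts, fingerprints and dates below are constructed.

```python
"""Pivot on TLS certificate reuse across scanned hosts (added example).

Records are constructed, not Group-IB scan data. Each one is a single
observation from a daily survey: (host, port, SHA-256 fingerprint,
certificate subject, observation date).
"""
from collections import defaultdict
from datetime import date

# Constructed observations. Documentation IP ranges, made-up fingerprints.
OBSERVATIONS = [
    ("203.0.113.10", 443,  "aa11" * 16, "CN=update-service.example", date(2016, 10, 3)),
    ("203.0.113.10", 443,  "aa11" * 16, "CN=update-service.example", date(2016, 11, 1)),
    ("198.51.100.7", 8443, "aa11" * 16, "CN=update-service.example", date(2017, 2, 14)),
    ("198.51.100.7", 443,  "bb22" * 16, "CN=mail.example",           date(2017, 2, 14)),
    ("192.0.2.55",   443,  "bb22" * 16, "CN=mail.example",           date(2017, 5, 9)),
    ("192.0.2.99",   443,  "cc33" * 16, "CN=unrelated.example",      date(2017, 5, 9)),
]


def index_by_fingerprint(observations):
    """fingerprint -> list of (first_seen, 'host:port'), earliest first."""
    seen = defaultdict(dict)
    for host, port, fp, _subject, day in observations:
        key = f"{host}:{port}"
        if key not in seen[fp] or day < seen[fp][key]:
            seen[fp][key] = day
    return {fp: sorted((d, k) for k, d in hosts.items()) for fp, hosts in seen.items()}


def reused_fingerprints(observations, min_hosts=2):
    """Fingerprints presented by at least min_hosts distinct hosts: the pivot points."""
    idx = index_by_fingerprint(observations)
    return {
        fp: entries
        for fp, entries in idx.items()
        if len({key.rsplit(":", 1)[0] for _, key in entries}) >= min_hosts
    }


def infrastructure_clusters(observations):
    """Connected components of the bipartite host <-> certificate graph (union-find)."""
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path halving
            node = parent[node]
        return node

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    for host, _port, fp, _subject, _day in observations:
        union(("host", host), ("cert", fp))

    groups = defaultdict(lambda: {"hosts": set(), "certs": set()})
    for node in list(parent):
        kind, value = node
        groups[find(node)][kind + "s"].add(value)
    clusters = [{"hosts": sorted(g["hosts"]), "certs": sorted(g["certs"])} for g in groups.values()]
    return sorted(clusters, key=lambda g: g["hosts"])


if __name__ == "__main__":
    for fp, entries in reused_fingerprints(OBSERVATIONS).items():
        print(fp[:16], [(d.isoformat(), k) for d, k in entries])
    for cluster in infrastructure_clusters(OBSERVATIONS):
        print(cluster)
```

Two certificates chain three of the four hosts into one cluster while the fourth stays isolated; in practice the same join is run over subject, serial and key hash as well, since attackers sometimes re-issue a certificate with the same key rather than copy the file.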
What do we use? We survey the internet daily.
Group-IB Ecosystem: Threat Intelligence Driven Products
How our ecosystem is developed. Very few companies globally have the infrastructure to create Threat Intelligence driven cyber security products. Group-IB Infrastructure / Analyst Driven Experience & TI:
• HoneyNet and botnet analysis
• Forensics
• Hacker community infiltration
• Investigations
• Open-source monitoring
• Malware monitoring and research
• ISP level sensors
• CERT-GIB request database
• IDS, EDR & Sandbox deployments
• Security assessment
• Clientside malware detection
• Domain & Registrar data
Early warning system to hunt attackers
Threat Detection System: TDS Endpoint, TDS Sensors, TDS Sandbox, Huntbox. Threat Detection System is a multi-part platform designed to cover all attack avenues inside your network.
Attack vectors covered. Integrated modules (TDS Endpoint, TDS Sensor, TDS Polygon) cover the popular attack vectors: browser, customer-facing apps, mail, local network, supply chain. How can you use this to catch a Moneytaker?
TDS Sensor:
• In-depth traffic analysis: analyses DNS, HTTP, HTTPS, SMB and more; DGA detection
• Encrypted traffic inspection: mechanisms to work with hidden channels
• Unique signatures: proprietary data from exclusive sources, written by our team
• Detects lateral movement: detects the tools and techniques attackers use for persistence
Detecting network activity: SOCKS usage on ports 7080 and 1808; VNC clients such as Fileless VNC, VNC and UltraVNC; in the US, they used LogMeIn Hamachi.
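The three network indicators on this slide turned into detection logic, as an added example (not TDS Sensor code). It runs over constructed Zeek-style connection records that also carry the first payload bytes, and it checks the payload rather than trusting the port alone: SOCKS5 greetings start with version byte 0x05 followed by the method count, SOCKS4 requests start with 0x04 and a CONNECT/BIND command, and a VNC session opens with the RFB version banner. The Hamachi rule is an assumption not stated on the slide: it flags traffic to 25.0.0.0/8, the range LogMeIn Hamachi assigns to its virtual adapter.

```python
"""Flag Moneytaker-style remote-access traffic in connection logs (added example).

Indicators from the slide: SOCKS proxies on TCP 7080 and 1808, VNC
clients, and LogMeIn Hamachi. Records are constructed, not captures.
"""
import ipaddress

SOCKS_PORTS = {7080, 1808}
HAMACHI_NET = ipaddress.ip_network("25.0.0.0/8")  # assumption: Hamachi virtual-adapter range
RFB_BANNER = b"RFB 003."                           # VNC (RFB) protocol version greeting

# Constructed records: source, destination, destination port and the first
# payload bytes seen on the flow (client greeting, or server banner for VNC).
RECORDS = [
    {"src": "10.1.1.20", "dst": "203.0.113.5", "dport": 7080, "payload": b"\x05\x01\x00"},
    {"src": "10.1.1.20", "dst": "203.0.113.5", "dport": 1808, "payload": b"\x04\x01\x1f\x90\xc6\x33\x64\x05\x00"},
    {"src": "10.1.1.31", "dst": "10.1.2.14",   "dport": 5900, "payload": b"RFB 003.008\n"},
    {"src": "10.1.1.31", "dst": "10.1.2.14",   "dport": 443,  "payload": b"\x16\x03\x01"},
    {"src": "10.1.1.40", "dst": "25.14.22.9",  "dport": 445,  "payload": b""},
    {"src": "10.1.1.40", "dst": "10.1.2.99",   "dport": 7080, "payload": b"GET / HTTP/1.1\r\n"},
]


def is_socks_greeting(payload):
    """True for a SOCKS5 client greeting (05 nmethods methods...) or a SOCKS4
    request (04 cmd, cmd 1 = CONNECT, 2 = BIND)."""
    if len(payload) >= 3 and payload[0] == 0x05:
        nmethods = payload[1]
        return nmethods >= 1 and len(payload) >= 2 + nmethods
    if len(payload) >= 2 and payload[0] == 0x04:
        return payload[1] in (1, 2)
    return False


def classify(rec):
    """Return the list of indicator names that match one connection record."""
    hits = []
    payload = rec["payload"]
    # Port plus protocol fingerprint: a plain HTTP request on 7080 is not a SOCKS hit.
    if rec["dport"] in SOCKS_PORTS and is_socks_greeting(payload):
        hits.append(f"socks-on-{rec['dport']}")
    if payload.startswith(RFB_BANNER):
        hits.append("vnc-rfb-handshake")
    if ipaddress.ip_address(rec["dst"]) in HAMACHI_NET:
        hits.append("hamachi-virtual-net")
    return hits


def detect(records):
    """Flatten detections into (src, dst, dport, indicator) tuples for a SIEM."""
    return [(r["src"], r["dst"], r["dport"], h) for r in records for h in classify(r)]


if __name__ == "__main__":
    for hit in detect(RECORDS):
        print(*hit)
```

The last record shows why the payload check matters: port 7080 alone would have produced a false positive on an ordinary HTTP request, and the VNC rule fires on the RFB banner regardless of port, which is how a VNC server moved off 5900 is still caught.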
TDS Sandbox:
• Unparalleled detection
• Stops anti-evasion techniques
• Detailed reports for further investigation
• Extremely low false positive rates
• File extraction from emails and traffic
• Retrospective analysis
• Full process tree
• Hardware | Cloud
Get deep technical insights into the malicious files targeting your networks.
Detecting malicious documents. Emails with malicious attachments are widely used in targeted attacks. Malware samples hosted on Moneytaker infrastructure provide another avenue for detection.
TDS Endpoint and Huntbox.
TDS Endpoint:
• Catch and log changes made by malware
• Send files to Polygon for analysis
• Link suspicious processes to traffic
• Respond: clean and isolate infected hosts
TDS Huntbox:
• Link infrastructure used by attackers
• Enrich against data from all your networks
• Track the incident from start to finish
• All TDS Platform detections in one place
Huntbox & EDR – tracking an actor
Group-IB Ecosystem: After protecting, getting smarter…
Threat Intelligence:
• Unique collection
• Deep and dark web infrastructure monitoring
• Human intelligence
• TTP from the wild
• Finished threat intelligence
• Knowledge of malware & cybercrime tools
• Personalised data for your organisation
«Group-IB has the advantage of getting visibility on many unique threats»
Nation State Espionage
Cybercriminal brand abuse: fraudsters copy a legitimate site under a similar-looking domain and replace the payment details.
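One way to catch the "similar domain" part of that fraud from registrar data, as an added example (not Group-IB's brand-protection logic): each newly seen domain is reduced to its registrable label, normalised through a small hand-picked homoglyph table, stripped of common bait affixes such as "secure" or "login", and then compared with the brand by exact match and by Levenshtein distance. The brand name, the candidate domains, the homoglyph table and the suffix list are all constructed and deliberately small; a production feed would use a full confusables map and the public suffix list.

```python
"""Score newly registered domains as brand lookalikes (added example).

Brand, candidate domains, homoglyph table and suffix list are all
constructed subsets, not a complete ruleset.
"""

# Visually confusable substitutions often used in squatting (hand-picked subset).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w", "cl": "d"}
KEYWORDS = ("secure", "login", "payment", "pay", "online", "support")
SUFFIXES = (".com", ".net", ".org", ".co", ".io")  # constructed stand-in for the public suffix list

# Constructed registrar feed for the made-up brand "acmebank".
DOMAINS = [
    "acmebank.com", "acrnebank.com", "acmebank-secure.net", "acmebnak.com",
    "acme-bank-login.co", "example.com", "acmebonk.org", "acmebanking.com",
]


def normalise(label):
    """Fold digit and multi-letter homoglyphs to the letters they imitate."""
    out = label.lower()
    for lookalike, letter in HOMOGLYPHS.items():
        out = out.replace(lookalike, letter)
    return out


def levenshtein(a, b):
    """Classic edit distance with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label after removing a known suffix."""
    host = domain.lower().strip(".")
    for suffix in SUFFIXES:
        if host.endswith(suffix):
            host = host[: -len(suffix)]
            break
    return host.split(".")[-1]


def strip_keywords(label):
    """Drop bait words at either end (hyphenated or glued on) and remove hyphens."""
    tokens = [t for t in label.split("-") if t]
    while tokens and tokens[0] in KEYWORDS:
        tokens.pop(0)
    while tokens and tokens[-1] in KEYWORDS:
        tokens.pop()
    joined = "".join(tokens)
    for kw in KEYWORDS:
        if joined.endswith(kw) and len(joined) > len(kw):
            joined = joined[: -len(kw)]
        if joined.startswith(kw) and len(joined) > len(kw):
            joined = joined[len(kw):]
    return joined


def score(domain, brand):
    """(reason, distance) when domain imitates brand, else None."""
    label = registrable_label(domain)
    if label == brand:
        return None  # the brand's own registration
    target = normalise(brand)  # normalise both sides so the table cannot split a brand
    norm = normalise(label)
    if norm == target:
        return ("homoglyph", 0)
    stripped = strip_keywords(norm)
    if stripped == target:
        return ("affix-or-hyphen", 0)
    dist = levenshtein(stripped, target)
    if dist <= max(1, len(target) // 4):  # tolerance grows with brand length
        return ("typo", dist)
    return None


def sweep(domains, brands):
    """Run every candidate against every protected brand."""
    return [(d, b, *s) for d in domains for b in brands if (s := score(d, b))]


if __name__ == "__main__":
    for hit in sweep(DOMAINS, ["acmebank"]):
        print(*hit)
```

Note what the sweep does not flag: "acmebanking.com" is three edits away and has no bait affix, so it slips through this rule set. Brand-as-prefix matching is a separate rule with its own false-positive trade-off, which is why takedown workflows combine string scoring with a check of the page content and the payment details it presents.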
Make intelligence actionable:
• Detailed TTPs and unique tactical indicators
• Dedicated team members
• Reverse engineering requests
• Underground forum sweeps
• Attack analysis and recommendations
• Actionable API data for SIEM & TIP platforms
• Group-IB CERT 24/7 monitoring and response
Group-IB Ecosystem: Protecting your customers en masse
Protecting clientside. Attackers have developed tools and techniques to steal from your customers, and these need to be detected. Group-IB has developed Secure Bank and Secure Portal for protecting customers online in banking and e-commerce.
Session analysis on PC and mobile devices. Functionality:
• Behavioral analysis
• Cross-channel analysis
• IP & device fingerprinting
• Botting and RDP detection
• Detects code changes & malware
• Global user profiling
• Advanced rule engine
• Social engineering and AML detection
• Deploys via JavaScript or SDK
Investigating with Secure Bank
Group-IB Ecosystem Suggestions and Review
Consulting & Response: Cyber Security Services
• Security Assessments: Penetration Testing, Red Teaming, Pre-Incident Assessments
• Investigations and Computer Forensics
• Incident Response
• Compromise Assessments
You can remain unaware for months of hidden but active threats in networks. Compromise assessment allows for analyst-driven detection, advisory and assessment of previously undetected attacks from multiple actors… Already available and used in ASEAN and APAC.
Review – Security driven by Intelligence
Thank you for your attention! Questions? Tim Bobak APAC Sales Director Group-IB Twitter: @enablethemacros Email: bobak@group-ib.com