
Temet Nosce: Know Thy Endpoint Through and Through - Thomas V. Fischer - PowerPoint PPT Presentation

  1. Temet Nosce: Know Thy Endpoint Through and Through
     Thomas V. Fischer

  2. I am …
     § Threat Researcher
     § 25+ years experience in InfoSec
     § Spent a number of years in IR team positions
     § Director @BSidesLondon
     § Contact
       • tfischer@digitalguardian.com
       • tvfischer+sans@gmail.com
       • @Fvt
       • keybase.io/fvt

  3. A Journey into the endpoint
     § Being in the right place at the right time
     § Real time actionable intelligence
     § (re)Enabling the endpoint as an active defence mechanism
     § Detecting behaviour…
     Public 3

  4. Defense in un-depth
     § Strong focus on network solutions
     § Lost faith in the endpoint solutions
     § Afraid to go back
     But that’s not where the important stuff is…

  5. Walls, Walls, Walls…

  6. Are we in the wrong place?
     § Reliance on next-gen network detection
     § Endpoint solutions tend towards post-incident use
     § Something suspicious in logs :- activate endpoint resolution
     § Forensics ~ what changed != necessarily what happened

  7. World of information…
     § Build an Arsenal & Key Tools
     § Procexp; procmon; tcpview

  8. Deep dive…

  9. Application DNA
     § Build information events
     § Track similar events together
     § Use the right API hooks where appropriate
     § Associate a sequence of events into one action
       • Sequence of file reads/file writes :- file edit
       • Track renames, or read/writes :- file move
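The event folding this slide describes, as an added Python example that is not part of the deck or of any product it mentions; the agent event format, process ids and paths are constructed, and the "create" action goes beyond the slide's two rules (edit, move) and is an assumption:

```python
import ntpath
from collections import defaultdict

# Constructed sample of raw file operations as an endpoint agent might record
# them: (pid, op, path, new_path). Not taken from the deck.
RAW_EVENTS = [
    (4120, "read",   r"C:\Users\a\report.docx", None),
    (4120, "write",  r"C:\Users\a\report.docx", None),
    (4120, "write",  r"C:\Users\a\report.docx", None),
    (4120, "write",  r"C:\Users\a\~tmp.docx", None),
    (4120, "rename", r"C:\Users\a\~tmp.docx", r"C:\Users\a\report.docx"),
    (5000, "read",   r"C:\Users\a\secret.txt", None),
    (5000, "write",  r"D:\usb\secret.txt", None),
]

def fold_actions(events):
    """Collapse raw file ops into one action per user-level intent:
    read then write(s) of one path                    -> edit
    rename, or read of A then write of same-named B   -> move
    write of a path this pid never read (assumed)     -> create
    """
    actions = []
    seen = defaultdict(set)   # (pid, path) -> op kinds already folded
    last_read = {}            # pid -> most recently read path
    for pid, op, path, new_path in events:
        key = (pid, path)
        if op == "rename":
            actions.append((pid, "move", path, new_path))
        elif op == "read":
            last_read[pid] = path
            seen[key].add("read")
        elif op == "write":
            src = last_read.get(pid)
            if src and src != path and ntpath.basename(src) == ntpath.basename(path):
                actions.append((pid, "move", src, path))   # copy-out to a new location
            elif "read" in seen[key] and "edit" not in seen[key]:
                actions.append((pid, "edit", path, None))  # first write after a read
                seen[key].add("edit")
            elif not seen[key]:
                actions.append((pid, "create", path, None))
                seen[key].add("create")
    return actions
```

Repeated writes to an already-folded path are absorbed into the existing edit, so a long save sequence shows up as one action rather than one event per flush.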

  10. Single Footprint Intelligence
     § Sysinternals tools on steroids
     § High level of visibility:
       • File ops
       • Network ops
       • Registry ops
       • DLL activity
       • Process data

  11. Real Time Forensics Evidence
     § Detect compromise events
     § Log the footprints

  12. Data visualised…
     § Do you really know what that Chinese software is doing?
     § Dridex in real time
     § Those flash things

  13. It’s Doing This so Probably Suspicious
     § Enable behavioural analysis
     § phishing :- (a+b),(c,(d|e)),!(x,y,z)
     § Response? Kill any point in the chain
     [Diagram: phishing detection chain, read left to right as Initial Entry Vector, Entry Vector Attack (EVA) Alert, Indicator of Compromise Alert, Subsequent Attack Stages. Rows are Base Rules (Recon; Exploit/Installation; C&C) and Correlated Alerts, shown for two entry vectors: Email – Malicious Office File attachment and Email – Malicious PDF attachment. Base rules visible include: user double-clicks on Outlook attachment, email attachment saved via Outlook, RTLO in file name, multiple spaces before executable extension, Office macro calling WMI, Office spawns CMD or Powershell, WMI spawns CMD or Powershell, suspected Office/PDF phishing attack, process modifying local hosts file, SVCHOST not child process of services.exe, port scanning detected, SMB scanning, suspicious outbound network activity. Caption: if an IOC alert fired, check whether an EVA event fired over a short period; if yes, fire the correlated IOC alert. The correlated IOC alert triggers from an IOC alert that then looks to see if an EVA triggered and, if so, alerts itself (tagged).]

  14. Behaviour Tree
     [Diagram: behaviour tree for an opened attachment. Nodes include: Outlook creates temp file; Attachment Opened; Tag file; Open of tagged file; Load of macro subsystem; Other process file open; Execute command shell; Execute binary; Write file; File write new location; Move file to user directory; Network connection; Active. Risk states: Risk - unknown; Risk - elevated; Attachment Suspicious activity.]
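One way to implement the correlated IOC alert from slide 13 on top of the attachment tagging from the behaviour tree on slide 14, as an added Python example (not from the deck or any product it describes); the event stream, process names, the ten-minute window and the small rule set are constructed assumptions:

```python
from datetime import datetime, timedelta

EVA_WINDOW = timedelta(minutes=10)   # the deck's "short period"; value assumed

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
RTLO = "\u202e"                      # right-to-left override used to disguise extensions

# Constructed endpoint event stream (time, pid, ppid, kind, detail); not from the deck.
EVENTS = [
    ("09:00:01", 300, 1,   "proc_start", "outlook.exe"),
    ("09:00:05", 300, 1,   "file_write", r"C:\Temp\Outlook\invoice.docm"),  # attachment saved via Outlook
    ("09:00:07", 410, 300, "proc_start", "winword.exe"),
    ("09:00:08", 410, 300, "file_open",  r"C:\Temp\Outlook\invoice.docm"),  # tagged file opened
    ("09:00:20", 520, 410, "proc_start", "powershell.exe"),                 # Office spawns PowerShell
    ("11:30:00", 700, 1,   "proc_start", "winword.exe"),
    ("11:30:02", 800, 700, "proc_start", "cmd.exe"),                        # IOC with no EVA in window
]

def correlate(events):
    """Base rules raise EVA and IOC alerts; a CORRELATED alert fires only when an
    IOC follows an EVA within EVA_WINDOW, which is the point to kill the chain."""
    alerts, tagged, procs, eva_times = [], set(), {}, []
    for ts, pid, ppid, kind, detail in events:
        t = datetime.strptime(ts, "%H:%M:%S")
        if kind == "proc_start":
            procs[pid] = detail
            if detail in SHELLS and procs.get(ppid) in OFFICE:
                alerts.append(("IOC", ts, f"{procs[ppid]} spawned {detail} (pid {pid})"))
                if any(timedelta(0) <= t - e <= EVA_WINDOW for e in eva_times):
                    alerts.append(("CORRELATED", ts, f"IOC after EVA: kill pid {pid}"))
        elif kind == "file_write":
            if RTLO in detail:
                alerts.append(("IOC", ts, "RTLO in file name"))
            if procs.get(pid) == "outlook.exe":
                tagged.add(detail)               # Outlook-created file: tag it
        elif kind == "file_open" and detail in tagged and procs.get(pid) in OFFICE:
            alerts.append(("EVA", ts, f"{procs[pid]} opened tagged attachment"))
            eva_times.append(t)
    return alerts

def alert_kinds(events):
    """Just the alert types, in firing order, for quick inspection."""
    return [kind for kind, _, _ in correlate(events)]
```

The 11:30 cmd.exe spawn raises only a base IOC, because no tagged attachment was opened in the preceding window; the 09:00 chain raises the correlated alert at the PowerShell spawn, the point where the chain would be killed.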

  15. Keeping the Story Alive
     § Increase Visibility:
       • More DLL events
       • Memory events
     § Capture More…
     § Automate anomaly detection

  16. Let’s run a phishing attachment

  17. Q&A
     • tfischer@digitalguardian.com
     • tvfischer+sec@gmail.com
     • @Fvt
     • keybase.io/fvt
     Thank you…
