Abstract image of a woman sitting on books and studying on a laptop

Avoiding Sophisticated Targeted Breach Critical Guidance Healthcare

Cybereason, profile picture
Cybereason

The document discusses the rising success rates of sophisticated cyber attackers and emphasizes the vulnerabilities inherent in their operations. It highlights the importance of proactive defense strategies for healthcare organizations to turn attacker mistakes into exposure opportunities and explores the dynamics of black market trades involving compromised enterprise resources. Through a case study, it illustrates how an untargeted attack can escalate and stresses the need for continuous monitoring and visibility in cybersecurity efforts.

Technology
1 of 26
Downloaded 13 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
© 2017Cybereason Inc. All rights reserved. Avoiding a Sophisticated, Targeted Breach Critical Guidance for Healthcare Organizations
© 2017 Cybereason Inc. All rights reserved. Attackers Are Becoming More and More Successful, Little Security Disruption The paradigm graph Time Success Rate Attackers Defenders
© 2017 Cybereason Inc. All rights reserved. Attacker-Defender paradigm in question 100% success • Advanced adversaries succeed almost 100% of the time • BUT, attackers have some inherent vulnerabilities too - an attack is composed of dozens or even hundreds of steps • With the right procedures and toolset in place, a defender can turn any (very likely) mistake made by an attacker into a complete exposure of the malicious operation
© 2017 Cybereason Inc. All rights reserved. Black market trafficking of compromised enterprise computing resources
© 2017 Cybereason Inc. All rights reserved. A new incident is detected • Is it Targeted or Untargeted? • Is it relevant? • A completely untargeted threat can turn into a targeted operation within hours
© 2017 Cybereason Inc. All rights reserved. Business Rationale Machine LifetimeValue Monetization Method Adware / Click-fraud Bulk Sale Unit Sale $18 – $36 $10 – $20 $10 - $1000
© 2017 Cybereason Inc. All rights reserved. Black market machine trading – Machine Valuation Basic – Approx. +50% on “commodity price” (~$5-$10) • Admin privs • Public IP • Network bandwidth Nice – Between +50%-1,000% • Installed software / Accessed websites Jackpot – Between +1,000% - 10,000% • Enterprise affiliation
© 2017 Cybereason Inc. All rights reserved. Black market machine trading
© 2017 Cybereason Inc. All rights reserved. Black market machine trading
© 2017 Cybereason Inc. All rights reserved. Black market Code of Conduct
© 2017 Cybereason Inc. All rights reserved. Black market machine trading – US-based machines
© 2017 Cybereason Inc. All rights reserved. Black market machine trading – Some statistics Percentage of compromised machines for sale per state – Top 5: • 1st prize goes to: California, 21% • 2nd prize goes to: New Jersey, 11% • 3rd prize goes to: New York, 6% • 4th prize goes to: Texas, 6% • 5th prize goes to: Iowa, 6% (what?!...)
© 2017 Cybereason Inc. All rights reserved. Examining a Threat Escalation Incident Case Study
© 2017 Cybereason Inc. All rights reserved. Black market machine trading – Case study Incident details, as seen in several enterprises: • Starts with untargeted, known file-less click-fraud tool, effecting several machines in the enterprise network • Detection was based on malicious use of PowerShell and malware communication with known malicious C2 domains / IPs • De-prioritized by SOC based on low damage potential
© 2017 Cybereason Inc. All rights reserved. Black market machine trading – Case study Incident details, as seen in several enterprises: • SOC continues to monitor the compromised endpoints (automated), and blocks access to the known C2 • 5 days later, 1 machine stops attempting to communicate with known C2 and is detected performing DGA and connecting to a previously unknown C2 • C2 communications now occurs only when “outside” the corporate network (no C2 when local IP is in the enterprise subnet, only when on 192.168.* or 10.0.*)
© 2017 Cybereason Inc. All rights reserved. Black market machine trading – Case study Incident details, as seen in several enterprises: • Over the next 24 hours C2 communication profile changes to include downloading and uploading significantly more data, and click-fraud tool escalated privileges to Local System • Before (typical click-fraud):
© 2017 Cybereason Inc. All rights reserved. Black market machine trading – Case study Incident details, as seen in several enterprises: • Over the next 24 hours C2 communication profile changes to include downloading and uploading significantly more data • After (could indicate a heavier protocol transmitted over port 8080 / download of additional modules / exfiltration of broader system information):
© 2017 Cybereason Inc. All rights reserved. Black market machine trading – Case study Incident details, as seen in several enterprises: • Attack tool injects code and migrates into msdtc.exe process • Below, msdtc.exe establishing C2 connection with previously DGA-established C2:
© 2017 Cybereason Inc. All rights reserved. Behavioral Indicators of a transaction
© 2017 Cybereason Inc. All rights reserved. TTPs of Seller-Marketplace-Buyer Relationship C2 • Continuous / reliable / auto verifiable command and control channel – RDP, SSH • Required to enable the transaction • Can use non-standard ports, reverse connections, encapsulation in other protocols (e.g. HTTP) • Exact configuration & persistence method depend on the seller • Tasking-based C2 is very rare in marketplaces since it doesn’t naturally fit the above 3 criteria • Once the buyer goes in, a different mechanism may be put in place
© 2017 Cybereason Inc. All rights reserved. TTPs of Seller-Marketplace-Buyer Relationship Priv.Esc. • Priv.Esc. – Admin access is worth more than unprivileged user access. • Process / installed software enumeration and browser history enumeration. Relevant software and browsing history can up the price of a compromised machine by 100x
© 2017 Cybereason Inc. All rights reserved. TTPs Detection – How to break the system? Change in C2 • From known malicious IP / domain to unknown IP / domain • From straight IP / domain to DGA • Question connections to RDP service – especially on already compromised machines • Long lasting connections • Change in RDP configuration • Question unfamiliar modules loaded as part of the remote assistance service
© 2017 Cybereason Inc. All rights reserved. TTPs Detection – How to break the system? Change in privileges • Monitor for processes performing priv.esc. – especially on already compromised machines • Process / Installed software enumeration and browser history enumeration • Stop of previous attack? In most cases – Not a good indicator… (No code of conduct for this on most marketplaces)
© 2017 Cybereason Inc. All rights reserved. House of Cards Successful defense doesn’t mean stopping every stage of the attack… …find one component of the hack and, over time, the entire operation can collapse.
© 2017 Cybereason Inc. All rights reserved. Returning Power to the Defenders Be Proactive! Establish visibility! Hunt for cyber kill chain behaviors! Time Success Rate Attackers Defenders
© 2017 Cybereason Inc. All rights reserved. you. Thank www.cybereason.com

More Related Content

PPTX
Cybereason - behind the HackingTeam infection server
Amit Serper
 
PDF
Networking 2016-05-24 - Topic 1- Cybereason Lab Analysis by Brad Green
North Texas Chapter of the ISSA
 
PDF
Networking 2016-05-24 - Topic 2 - The "Hack Back" - How Hacking Team Became t...
North Texas Chapter of the ISSA
 
PDF
Activated Charcoal - Making Sense of Endpoint Data
Greg Foss
 
PDF
Webinar: Stopping evasive malware - how a cloud sandbox array works
Cyren, Inc
 
PDF
SecureSet WarGames - Logging and Packet Capture Training
Greg Foss
 
PDF
Deception Driven Defense - Infragard 2016
Greg Foss
 
PDF
Webinar: Insights from Cyren's 2016 cyberthreat report
Cyren, Inc
 
Cybereason - behind the HackingTeam infection server
Amit Serper
 
Networking 2016-05-24 - Topic 1- Cybereason Lab Analysis by Brad Green
North Texas Chapter of the ISSA
 
Networking 2016-05-24 - Topic 2 - The "Hack Back" - How Hacking Team Became t...
North Texas Chapter of the ISSA
 
Activated Charcoal - Making Sense of Endpoint Data
Greg Foss
 
Webinar: Stopping evasive malware - how a cloud sandbox array works
Cyren, Inc
 
SecureSet WarGames - Logging and Packet Capture Training
Greg Foss
 
Deception Driven Defense - Infragard 2016
Greg Foss
 
Webinar: Insights from Cyren's 2016 cyberthreat report
Cyren, Inc
 

What's hot (20)

PDF
Webinar: Why evasive zero day attacks are killing traditional sandboxing
Cyren, Inc
 
PDF
Webinar: IT security at SMBs: 2016 benchmarking survey
Cyren, Inc
 
PDF
Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report
Cyren, Inc
 
PPTX
Advanced Threat Hunting - Botconf 2017
Kevin Finley
 
PDF
Threat Landscape Lessons from IoTs and Honeynets
Digital Transformation EXPO Event Series
 
PDF
Webinar: Dispelling the Myths about Cloud Security
Cyren, Inc
 
PDF
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CanSecWest
 
PDF
Webinar: A deep dive on ransomware
Cyren, Inc
 
PDF
Webinar: Insights from CYREN's 2015 Q2 Cyber Threats Report
Cyren, Inc
 
PDF
Webinar: Is your web security broken? - 10 things you need to know
Cyren, Inc
 
PDF
Intelligence driven defense webinar
ThreatConnect
 
PDF
Webinar: Insights from CYREN's Q1 2015 Cyber Threats Trend Report
Cyren, Inc
 
PDF
Managing Indicator Deprecation in ThreatConnect
ThreatConnect
 
PDF
DerbyCon 5 - Tactical Diversion-Driven Defense
Greg Foss
 
PDF
Phishing Intelligence Engine - BlueHat v17
Greg Foss
 
PDF
What Happens Before the Kill Chain
OpenDNS
 
PDF
PIE - BSides Vancouver 2018
Greg Foss
 
PPTX
Corporate Espionage without the Hassle of Committing Felonies
John Bambenek
 
PPTX
Combating Insider Threats – Protecting Your Agency from the Inside Out
Lancope, Inc.
 
PDF
Threat Intelligence Field of Dreams
Greg Foss
 
Webinar: Why evasive zero day attacks are killing traditional sandboxing
Cyren, Inc
 
Webinar: IT security at SMBs: 2016 benchmarking survey
Cyren, Inc
 
Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report
Cyren, Inc
 
Advanced Threat Hunting - Botconf 2017
Kevin Finley
 
Threat Landscape Lessons from IoTs and Honeynets
Digital Transformation EXPO Event Series
 
Webinar: Dispelling the Myths about Cloud Security
Cyren, Inc
 
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CanSecWest
 
Webinar: A deep dive on ransomware
Cyren, Inc
 
Webinar: Insights from CYREN's 2015 Q2 Cyber Threats Report
Cyren, Inc
 
Webinar: Is your web security broken? - 10 things you need to know
Cyren, Inc
 
Intelligence driven defense webinar
ThreatConnect
 
Webinar: Insights from CYREN's Q1 2015 Cyber Threats Trend Report
Cyren, Inc
 
Managing Indicator Deprecation in ThreatConnect
ThreatConnect
 
DerbyCon 5 - Tactical Diversion-Driven Defense
Greg Foss
 
Phishing Intelligence Engine - BlueHat v17
Greg Foss
 
What Happens Before the Kill Chain
OpenDNS
 
PIE - BSides Vancouver 2018
Greg Foss
 
Corporate Espionage without the Hassle of Committing Felonies
John Bambenek
 
Combating Insider Threats – Protecting Your Agency from the Inside Out
Lancope, Inc.
 
Threat Intelligence Field of Dreams
Greg Foss
 
Ad

Viewers also liked (11)

PDF
Security Analytics: The Promise of Artificial Intelligence, Machine Learning,...
Cybereason
 
PDF
Some PowerShell Goodies
Cybereason
 
PDF
Ransomware is Coming to a Desktop Near You
Cybereason
 
PDF
Threat Hunting 102: Beyond the Basics
Cybereason
 
PDF
Deploying a data centric approach to enterprise agility
Comparative Agility
 
PPTX
bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?
Anthony Melfi
 
PDF
Cybersecurity and Internet Governance
Kenny Huang Ph.D.
 
PDF
Profiling an enigma: The mystery of North Korea’s cyber threat landscape
Tom K
 
PDF
Gray Hat PowerShell - ShowMeCon 2015
Ben Ten (0xA)
 
PPTX
How to do everything with PowerShell
Juan Carlos Gonzalez
 
PPTX
Slideshare ppt
Mandy Suzanne
 
Security Analytics: The Promise of Artificial Intelligence, Machine Learning,...
Cybereason
 
Some PowerShell Goodies
Cybereason
 
Ransomware is Coming to a Desktop Near You
Cybereason
 
Threat Hunting 102: Beyond the Basics
Cybereason
 
Deploying a data centric approach to enterprise agility
Comparative Agility
 
bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?
Anthony Melfi
 
Cybersecurity and Internet Governance
Kenny Huang Ph.D.
 
Profiling an enigma: The mystery of North Korea’s cyber threat landscape
Tom K
 
Gray Hat PowerShell - ShowMeCon 2015
Ben Ten (0xA)
 
How to do everything with PowerShell
Juan Carlos Gonzalez
 
Slideshare ppt
Mandy Suzanne
 
Ad

Similar to Avoiding Sophisticated Targeted Breach Critical Guidance Healthcare (20)

PPTX
CTEK Cyber Briefing - April 2022.pptx
Sophia Price
 
PPTX
CynergisTek Cyber Briefing April 2022
SophiaPalmira1
 
PDF
Establishing_strategic_level_anaysis_Brown_-_CTI_and_IR_Conference_London_2016
Cameron Brown
 
PDF
BIZGrowth Strategies — Cybersecurity Special Edition 2023
CBIZ, Inc.
 
PDF
5 Ways Technology Vendors Put Their Healthcare Customer's PHI at Risk
ClearDATACloud
 
PDF
Cybersecurity: A Manufacturers Guide by Clearnetwork
Clearnetwork
 
PPTX
Cyber Sec Update Secure World Seattle Nov 13, 2014
Kevin Murphy
 
PDF
Protecting Your Business From Cybercrime
David J Rosenthal
 
DOC
Data breach represents potential existential risk to any organization
Robert Anderson
 
DOC
DATA BREACH REPRESENTS POTENTIAL EXISTENTIAL RISK
Robert Anderson
 
PDF
Unveiling the Latest Threat Intelligence Practical Strategies for Strengtheni...
Auxis Consulting & Outsourcing
 
PPTX
How secure are you?
Joe Morris
 
PPTX
Ways To Protect Your Company From Cybercrime
thinkwithniche
 
PDF
How Vulnerable Is Your Industry to Cyber Crime?
David Hunt
 
PPTX
Cyber Security and Healthcare
Jonathon Coulter
 
PDF
Webinar: Cybersecurity and the New Age of Hackers
Modern Healthcare
 
PPTX
Cybersecurity Presentation 6-11-15
Turner and Associates, Inc.
 
PDF
Protecting Your Business from Cybercrime - Cybersecurity 101
David J Rosenthal
 
PDF
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
OpenDNS
 
PDF
Data Breach Review - Takeaways for the Business Infographic
Isis Holdings
 
CTEK Cyber Briefing - April 2022.pptx
Sophia Price
 
CynergisTek Cyber Briefing April 2022
SophiaPalmira1
 
Establishing_strategic_level_anaysis_Brown_-_CTI_and_IR_Conference_London_2016
Cameron Brown
 
BIZGrowth Strategies — Cybersecurity Special Edition 2023
CBIZ, Inc.
 
5 Ways Technology Vendors Put Their Healthcare Customer's PHI at Risk
ClearDATACloud
 
Cybersecurity: A Manufacturers Guide by Clearnetwork
Clearnetwork
 
Cyber Sec Update Secure World Seattle Nov 13, 2014
Kevin Murphy
 
Protecting Your Business From Cybercrime
David J Rosenthal
 
Data breach represents potential existential risk to any organization
Robert Anderson
 
DATA BREACH REPRESENTS POTENTIAL EXISTENTIAL RISK
Robert Anderson
 
Unveiling the Latest Threat Intelligence Practical Strategies for Strengtheni...
Auxis Consulting & Outsourcing
 
How secure are you?
Joe Morris
 
Ways To Protect Your Company From Cybercrime
thinkwithniche
 
How Vulnerable Is Your Industry to Cyber Crime?
David Hunt
 
Cyber Security and Healthcare
Jonathon Coulter
 
Webinar: Cybersecurity and the New Age of Hackers
Modern Healthcare
 
Cybersecurity Presentation 6-11-15
Turner and Associates, Inc.
 
Protecting Your Business from Cybercrime - Cybersecurity 101
David J Rosenthal
 
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
OpenDNS
 
Data Breach Review - Takeaways for the Business Infographic
Isis Holdings
 

More from Cybereason (9)

PDF
Antifragile Cyber Defense
Cybereason
 
PDF
An Introduction to the Agile SoC
Cybereason
 
PDF
Protecting the financial services industry
Cybereason
 
PDF
Protecting the healthcare industry
Cybereason
 
PDF
Protecting the manufacturing industry
Cybereason
 
PDF
The attack lifecycle. Cybereason can help you answer: Are you under attack?
Cybereason
 
PDF
The Incident Response Checklist - 9 Steps Your Current Plan Lacks
Cybereason
 
PDF
The Cyber Attack Lifecycle
Cybereason
 
PDF
Maturing your threat hunting program
Cybereason
 
Antifragile Cyber Defense
Cybereason
 
An Introduction to the Agile SoC
Cybereason
 
Protecting the financial services industry
Cybereason
 
Protecting the healthcare industry
Cybereason
 
Protecting the manufacturing industry
Cybereason
 
The attack lifecycle. Cybereason can help you answer: Are you under attack?
Cybereason
 
The Incident Response Checklist - 9 Steps Your Current Plan Lacks
Cybereason
 
The Cyber Attack Lifecycle
Cybereason
 
Maturing your threat hunting program
Cybereason
 

Recently uploaded (20)

PDF
The-2025-Engineering-Revolution-AI-Quality-and-DevOps-Convergence.pdf
Kalilur Rahman
 
PPTX
Internet of Everything -Basic concepts details
sendilkumar66
 
PDF
Transform-Your-Factory-with-AI-Driven-Quality-Engineering.pdf
Kalilur Rahman
 
PDF
MENA-ECEONOMIC-CONTEXT-VC MENA-ECEONOMIC
Mustafa Kuğu
 
PDF
EIS-Webinar-Regulated-Industries-2025-08.pdf
Earley Information Science
 
DOCX
Basics of Cloud Computing - Cloud Ecosystem
suthak11
 
PPTX
MuleSoft-Compete-Deck for midddleware integrations
zupittejas
 
PDF
Enhancing plagiarism detection using data pre-processing and machine learning...
IAESIJAI
 
PDF
giants, standing on the shoulders of - by Daniel Stenberg
Daniel Stenberg
 
PDF
Transform-Your-Supply-Chain-with-AI-Driven-Quality-Engineering.pdf
Kalilur Rahman
 
PDF
Introduction to MCP and A2A Protocols: Enabling Agent Communication
Maxim Salnikov
 
PPTX
Module 1 Introduction to Web Programming .pptx
kamleshkc191
 
PDF
LMS bot: enhanced learning management systems for improved student learning e...
IAESIJAI
 
PDF
“The Future of Visual AI: Efficient Multimodal Intelligence,” a Keynote Prese...
Edge AI and Vision Alliance
 
PDF
Lung cancer patients survival prediction using outlier detection and optimize...
IAESIJAI
 
PPTX
Microsoft User Copilot Training Slide Deck
zohoron1
 
PPTX
future_of_ai_comprehensive_20250822032121.pptx
forrandomuse090
 
PDF
Advancing precision in air quality forecasting through machine learning integ...
IAESIJAI
 
PDF
Convolutional neural network based encoder-decoder for efficient real-time ob...
IAESIJAI
 
PDF
Connector Corner: Transform Unstructured Documents with Agentic Automation
DianaGray10
 
The-2025-Engineering-Revolution-AI-Quality-and-DevOps-Convergence.pdf
Kalilur Rahman
 
Internet of Everything -Basic concepts details
sendilkumar66
 
Transform-Your-Factory-with-AI-Driven-Quality-Engineering.pdf
Kalilur Rahman
 
MENA-ECEONOMIC-CONTEXT-VC MENA-ECEONOMIC
Mustafa Kuğu
 
EIS-Webinar-Regulated-Industries-2025-08.pdf
Earley Information Science
 
Basics of Cloud Computing - Cloud Ecosystem
suthak11
 
MuleSoft-Compete-Deck for midddleware integrations
zupittejas
 
Enhancing plagiarism detection using data pre-processing and machine learning...
IAESIJAI
 
giants, standing on the shoulders of - by Daniel Stenberg
Daniel Stenberg
 
Transform-Your-Supply-Chain-with-AI-Driven-Quality-Engineering.pdf
Kalilur Rahman
 
Introduction to MCP and A2A Protocols: Enabling Agent Communication
Maxim Salnikov
 
Module 1 Introduction to Web Programming .pptx
kamleshkc191
 
LMS bot: enhanced learning management systems for improved student learning e...
IAESIJAI
 
“The Future of Visual AI: Efficient Multimodal Intelligence,” a Keynote Prese...
Edge AI and Vision Alliance
 
Lung cancer patients survival prediction using outlier detection and optimize...
IAESIJAI
 
Microsoft User Copilot Training Slide Deck
zohoron1
 
future_of_ai_comprehensive_20250822032121.pptx
forrandomuse090
 
Advancing precision in air quality forecasting through machine learning integ...
IAESIJAI
 
Convolutional neural network based encoder-decoder for efficient real-time ob...
IAESIJAI
 
Connector Corner: Transform Unstructured Documents with Agentic Automation
DianaGray10
 

Avoiding Sophisticated Targeted Breach Critical Guidance Healthcare

  • 1. © 2017Cybereason Inc. All rights reserved. Avoiding a Sophisticated, Targeted Breach Critical Guidance for Healthcare Organizations
  • 2. © 2017 Cybereason Inc. All rights reserved. Attackers Are Becoming More and More Successful, Little Security Disruption The paradigm graph Time Success Rate Attackers Defenders
  • 3. © 2017 Cybereason Inc. All rights reserved. Attacker-Defender paradigm in question 100% success • Advanced adversaries succeed almost 100% of the time • BUT, attackers have some inherent vulnerabilities too - an attack is composed of dozens or even hundreds of steps • With the right procedures and toolset in place, a defender can turn any (very likely) mistake made by an attacker into a complete exposure of the malicious operation
  • 4. © 2017 Cybereason Inc. All rights reserved. Black market trafficking of compromised enterprise computing resources
  • 5. © 2017 Cybereason Inc. All rights reserved. A new incident is detected • Is it Targeted or Untargeted? • Is it relevant? • A completely untargeted threat can turn into a targeted operation within hours
  • 6. © 2017 Cybereason Inc. All rights reserved. Business Rationale Machine LifetimeValue Monetization Method Adware / Click-fraud Bulk Sale Unit Sale $18 – $36 $10 – $20 $10 - $1000
  • 7. © 2017 Cybereason Inc. All rights reserved. Black market machine trading – Machine Valuation Basic – Approx. +50% on “commodity price” (~$5-$10) • Admin privs • Public IP • Network bandwidth Nice – Between +50%-1,000% • Installed software / Accessed websites Jackpot – Between +1,000% - 10,000% • Enterprise affiliation
  • 8. © 2017 Cybereason Inc. All rights reserved. Black market machine trading
  • 9. © 2017 Cybereason Inc. All rights reserved. Black market machine trading
  • 10. © 2017 Cybereason Inc. All rights reserved. Black market Code of Conduct
  • 11. © 2017 Cybereason Inc. All rights reserved. Black market machine trading – US-based machines
  • 12. © 2017 Cybereason Inc. All rights reserved. Black market machine trading – Some statistics Percentage of compromised machines for sale per state – Top 5: • 1st prize goes to: California, 21% • 2nd prize goes to: New Jersey, 11% • 3rd prize goes to: New York, 6% • 4th prize goes to: Texas, 6% • 5th prize goes to: Iowa, 6% (what?!...)
  • 13. © 2017 Cybereason Inc. All rights reserved. Examining a Threat Escalation Incident Case Study
  • 14. © 2017 Cybereason Inc. All rights reserved. Black market machine trading – Case study Incident details, as seen in several enterprises: • Starts with untargeted, known file-less click-fraud tool, effecting several machines in the enterprise network • Detection was based on malicious use of PowerShell and malware communication with known malicious C2 domains / IPs • De-prioritized by SOC based on low damage potential
  • 15. © 2017 Cybereason Inc. All rights reserved. Black market machine trading – Case study Incident details, as seen in several enterprises: • SOC continues to monitor the compromised endpoints (automated), and blocks access to the known C2 • 5 days later, 1 machine stops attempting to communicate with known C2 and is detected performing DGA and connecting to a previously unknown C2 • C2 communications now occurs only when “outside” the corporate network (no C2 when local IP is in the enterprise subnet, only when on 192.168.* or 10.0.*)
  • 16. © 2017 Cybereason Inc. All rights reserved. Black market machine trading – Case study Incident details, as seen in several enterprises: • Over the next 24 hours C2 communication profile changes to include downloading and uploading significantly more data, and click-fraud tool escalated privileges to Local System • Before (typical click-fraud):
  • 17. © 2017 Cybereason Inc. All rights reserved. Black market machine trading – Case study Incident details, as seen in several enterprises: • Over the next 24 hours C2 communication profile changes to include downloading and uploading significantly more data • After (could indicate a heavier protocol transmitted over port 8080 / download of additional modules / exfiltration of broader system information):
  • 18. © 2017 Cybereason Inc. All rights reserved. Black market machine trading – Case study Incident details, as seen in several enterprises: • Attack tool injects code and migrates into msdtc.exe process • Below, msdtc.exe establishing C2 connection with previously DGA-established C2:
  • 19. © 2017 Cybereason Inc. All rights reserved. Behavioral Indicators of a transaction
  • 20. © 2017 Cybereason Inc. All rights reserved. TTPs of Seller-Marketplace-Buyer Relationship C2 • Continuous / reliable / auto verifiable command and control channel – RDP, SSH • Required to enable the transaction • Can use non-standard ports, reverse connections, encapsulation in other protocols (e.g. HTTP) • Exact configuration & persistence method depend on the seller • Tasking-based C2 is very rare in marketplaces since it doesn’t naturally fit the above 3 criteria • Once the buyer goes in, a different mechanism may be put in place
  • 21. © 2017 Cybereason Inc. All rights reserved. TTPs of Seller-Marketplace-Buyer Relationship Priv.Esc. • Priv.Esc. – Admin access is worth more than unprivileged user access. • Process / installed software enumeration and browser history enumeration. Relevant software and browsing history can up the price of a compromised machine by 100x
  • 22. © 2017 Cybereason Inc. All rights reserved. TTPs Detection – How to break the system? Change in C2 • From known malicious IP / domain to unknown IP / domain • From straight IP / domain to DGA • Question connections to RDP service – especially on already compromised machines • Long lasting connections • Change in RDP configuration • Question unfamiliar modules loaded as part of the remote assistance service
  • 23. © 2017 Cybereason Inc. All rights reserved. TTPs Detection – How to break the system? Change in privileges • Monitor for processes performing priv.esc. – especially on already compromised machines • Process / Installed software enumeration and browser history enumeration • Stop of previous attack? In most cases – Not a good indicator… (No code of conduct for this on most marketplaces)
  • 24. © 2017 Cybereason Inc. All rights reserved. House of Cards Successful defense doesn’t mean stopping every stage of the attack… …find one component of the hack and, over time, the entire operation can collapse.
  • 25. © 2017 Cybereason Inc. All rights reserved. Returning Power to the Defenders Be Proactive! Establish visibility! Hunt for cyber kill chain behaviors! Time Success Rate Attackers Defenders
  • 26. © 2017 Cybereason Inc. All rights reserved. you. Thank www.cybereason.com