Enabling effective Hunt Teaming
and Incident Response
(with zero budget and limited time)
whoami
Jeff McJunkin, Senior Technical Analyst
Counter Hack Challenges
Certifications: Yes*
*CISSP, CCNA, GSEC, GCED, GPEN, GCFA, GCIH, GMOB, GXPN, GREM, GCIA, hopefully soon GSE
What do I do?
● Expert witness (digital forensics)
● TA (and soon, here in Portland, teach!) for SANS
● Create challenges to help people learn offensive and defensive security
○ (SANS NetWars Tournament)
● Background in systems / network administration
Disclaimer on tools
● I will discuss specific tools
● I’m not paid to endorse these tools
They’re just examples that I’ve found to work well
(Well, usually)
What is hunt teaming?
Step 1) Assume compromise
(It turns out this is very realistic)
Step 2) Find your compromised hosts
Step 3) Find how they were compromised (forensication time!)
Step 4) Set up preventative and detective controls
What is incident response?
Step 1) Notice an incident. Example incident sources include...
● Help desk notices malware on system
● Network team notices lots of outbound traffic from a usually-quiet machine
● Your university is featured on https://krebsonsecurity.com/
Step 2) Hair on fire, stop the bleeding
Step 3) Learn, implement detective and preventative controls
Note the difference
Hunt teaming is proactive.
Incident response is reactive.
Learning how you’re owned proactively is preferred, but we all encounter surprises.
What do we prepare for?
● Prevention, prevention, prevention
● Penetration testers?
● Things that make our bosses upset (Critical Nessus findings)
● Antivirus
● Patching
● Compliance
● Protecting The Perimeter
An aside on compliance...
● Compliance is probably a net positive
● HIPAA, PCI, CJIS, etc.
● But sometimes we can focus too much on compliance and miss focusing on security
What actually happens?
Focus on DATA, not anecdotes.
The Verizon Data Breach Report is perhaps the best source
of actual compromise data we have in this industry.
What actually happens? - Target 2013 Breach
40 million credit cards stolen
What weaknesses were used?
● Third-party network access
● No review of security logs
● Lack of segmentation
What actually happens? - Home Depot 2014 Breach
56 million credit cards stolen
What software was used?
Details are still forthcoming, but…
● Malware that scraped RAM for credit card information
● Same malware family as Target!
● Likely Domain Admin-level access by the attackers
● Current indications: Attackers targeted self-checkout lane computers
But those examples are too big, and not us!
Good point. Here’s a smaller, local example:
C&K Systems, Inc.
C&K Systems, Inc.
● Who are they?
○ Third-party payment vendor for Goodwill
● What happened?
○ No details yet
● Who else was affected?
○ Two other unnamed clients
Notice a growing tendency for “watering hole” attacks
C&K Systems, Inc.
How long until they noticed the breach?
18 MONTHS.
Today’s attacks versus Yesterday’s defenses
● How do you detect memory-only malware?
○ Never touching the hard drive
● What logs are normal from your machines?
○ I.e., do you have a baseline to compare against?
● How often do you review these logs?
● What if the attacker has “gone native”?
○ Example: No “hacker tools”, just PowerShell and valid credentials
A useful thought exercise...
Imagine if there were no anti-virus.
Imagine if all your computers had unpatchable known exploits.
(Not too difficult, given XP and Server 2003’s end of life)
Where do we stand a chance?
1. Exploit
2. Installation (persistence)
3. Command and Control
4. Exfiltration (...maybe)
What’s the difference?
Prepare, hunt, respond, learn
● Prepare: Get useful data ahead of time (program execution, centralized logging, persistence, evidence of pivoting)
● Hunt: Assume compromise. Act accordingly.
● Respond: Find evil and exterminate it.
● Learn: Red team is threat emulation; blue team should be able to describe red team’s actions
Mind the gap
● How do you track persistence?
● How about new program execution?
● How about data exfiltration? Full packet capture?
Persistence
How many methods of persistence do you know of?
I promise Sysinternals Autoruns knows more.
Centralized Persistence Tracking?
1. Scheduled Task via Group Policy (autorunsc.exe to plain text file on file server)
2. Diff most recent and second-most recent files.
3. Email upon difference.
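The three steps above as one PowerShell script: an added example, not the speaker's own code. It assumes a share \\fileserver\autoruns$ that hosts can write to, autorunsc.exe at C:\Tools\autorunsc.exe on each host, and a mail relay and mailbox that are placeholders; Invoke-AutorunsSnapshot is what the Group Policy scheduled task runs on every host, and Compare-AutorunsSnapshots runs on the file server after the collection window.

```powershell
# Added example, not from the slides. The share, the autorunsc path and the
# mail settings are placeholders for your environment.
$Share    = '\\fileserver\autoruns$'     # each host writes into its own folder here
$MailTo   = 'soc@example.internal'       # placeholder
$MailFrom = 'autoruns@example.internal'  # placeholder
$Smtp     = 'smtp.example.internal'      # placeholder

function Invoke-AutorunsSnapshot {
    # Step 1 (runs on each host from the GPO scheduled task): dump every
    # autostart location (-a *) as CSV (-c) with file hashes (-h) and signature
    # verification (-s); -accepteula and -nobanner keep it non-interactive.
    param([string]$Autorunsc = 'C:\Tools\autorunsc.exe')   # assumed path
    $dir = Join-Path $Share $env:COMPUTERNAME
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $out = Join-Path $dir ('{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))
    Start-Process -FilePath $Autorunsc `
        -ArgumentList '-accepteula', '-nobanner', '-a', '*', '-c', '-h', '-s' `
        -RedirectStandardOutput $out -NoNewWindow -Wait
    return $out
}

function Get-SnapshotLines {
    # Normalise a snapshot for diffing: drop the Time column so a timestamp
    # change alone does not make an unchanged entry look new.
    param([string]$Path)
    Import-Csv -Path $Path |
        Select-Object -Property * -ExcludeProperty Time |
        ConvertTo-Csv -NoTypeInformation |
        Select-Object -Skip 1          # drop the CSV header line
}

function Compare-AutorunsSnapshots {
    # Steps 2 and 3 (run on the file server): per host, diff the two newest
    # snapshots and send one report if anything was added or removed.
    $report = foreach ($hostDir in Get-ChildItem -Path $Share -Directory) {
        $files = @(Get-ChildItem -Path $hostDir.FullName -Filter '*.csv' |
                   Sort-Object LastWriteTime -Descending | Select-Object -First 2)
        if ($files.Count -lt 2) { continue }   # first snapshot: nothing to diff yet
        $diff = Compare-Object -ReferenceObject @(Get-SnapshotLines $files[1].FullName) `
                               -DifferenceObject @(Get-SnapshotLines $files[0].FullName)
        if ($diff) {
            "=== $($hostDir.Name): $($files[1].Name) -> $($files[0].Name) ==="
            foreach ($d in $diff) {
                $tag = if ($d.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
                "$tag $($d.InputObject)"
            }
        }
    }
    if ($report) {
        Send-MailMessage -To $MailTo -From $MailFrom -SmtpServer $Smtp `
            -Subject 'Autoruns changes since last snapshot' -Body ($report -join "`n")
    }
    return $report
}
```

Lock down the share so a host can write its own folder but not read or modify the others; otherwise a compromised host could rewrite its earlier snapshot to hide the change.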
Tracking program execution
● Ever heard of Carbon Black?
○ For many shops, Sysinternals Sysmon is equivalent.
○ For free.
Example event of program execution
Centralized logging?
Step 1) Get your Windows Event Logs to one server (Event Log Forwarding).
Step 2) Get your centralized Windows Event Logs into something easier to work with.
(Splunk, ELK, SexiLog)
Use NXLog Community, not Snare. Snare is now dead to me.
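An added example (not from the slides) tying the Sysmon and Event Log Forwarding steps to the "do you have a baseline?" question above: on the collector, pull Sysmon process-creation events (Event ID 1) from the ForwardedEvents log and list executables that are not in a known-good list. The baseline path C:\Hunt\known-images.txt is hypothetical; Sysmon is assumed to be installed with a configuration that logs process creation.

```powershell
# Added example, not from the slides. Runs on the Event Log Forwarding
# collector; the baseline file path is hypothetical.

function Get-SysmonProcessStarts {
    param(
        [datetime]$Since = (Get-Date).AddHours(-24),
        [string]$LogName = 'ForwardedEvents'  # 'Microsoft-Windows-Sysmon/Operational' when run on the host itself
    )
    # Sysmon Event ID 1 = process creation. Forwarded records keep the original
    # provider name and machine name, so the same filter works on the collector.
    $filter = @{ LogName = $LogName; ProviderName = 'Microsoft-Windows-Sysmon'; Id = 1; StartTime = $Since }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Host        = $e.MachineName
            User        = $d['User']
            Image       = $d['Image']
            CommandLine = $d['CommandLine']
            ParentImage = $d['ParentImage']
            Hashes      = $d['Hashes']
        }
    }
}

function Find-NewExecutables {
    param(
        [string]$BaselinePath = 'C:\Hunt\known-images.txt',  # hypothetical
        [datetime]$Since = (Get-Date).AddHours(-24)
    )
    # Baseline = one lower-cased image path per line, captured during a period
    # you believe is clean. A missing file simply means an empty baseline.
    $known = @{}
    if (Test-Path $BaselinePath) {
        Get-Content $BaselinePath | ForEach-Object { $known[$_.Trim().ToLower()] = $true }
    }
    Get-SysmonProcessStarts -Since $Since |
        Where-Object { $_.Image -and -not $known.ContainsKey($_.Image.ToLower()) } |
        Sort-Object Image, Host -Unique
}

# Build the baseline once, then review Find-NewExecutables daily and add the
# legitimate images to the file as you confirm them:
# Get-SysmonProcessStarts -Since (Get-Date).AddDays(-7) |
#     Select-Object -ExpandProperty Image -Unique |
#     ForEach-Object { $_.ToLower() } | Set-Content C:\Hunt\known-images.txt
```

A matching image path is not proof of legitimacy (the Hashes field is there so you can compare the file hash too); the list is a triage filter that shrinks the review to what changed.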
Data exfiltration
● How many spare desktops do you have?
● Install Security Onion on one, set up a SPAN port mirroring your outbound traffic
Snort / Suricata / Bro are their own presentations
NWACC 2014, by Jesse Martinich and Christina Kaiseramn!
Questions?
I’ll be around for the rest of the day as well.
Don’t want to ask here? Send me an email:
jeff@counterhack.com or jeff.mcjunkin@gmail.com