NTXISSACSC4 - Artifacts Are for Archaeologists: Why Hunting Malware Isn't Enough
2 likes1,736 views
The document discusses the significant breach detection gap in cybersecurity, emphasizing that 99% of post-intrusion activities, like lateral movement, do not stem from malware. It outlines various attack methods, including insider threats and risky behaviors, while highlighting the limitations of traditional malware detection methods. The presentation advocates for behavior-based attack detection technologies, such as LightCyber's Magna platform, which leverage behavioral analytics for effective breach identification and remediation.
![@NTXISSA #NTXISSACSC4
Current Limitations
Known Bad
Traditional Security
§ Signatures, IoC’s, Packet Signatures,
Domains, Sandbox Activity
§ Block, or Miss
§ Necessary, Not Sufficient
What’s Needed
§ Learn What is Good [Baseline]
§ Detect What Isn’t [Anomaly]
§ Catch What Slips Through the
Cracks of Traditional Security
Problems:
• Too Many False Alarms / False Positives
• Missed Variants / False Negatives
• Only Detect Malware-Based Attacks
Learned Good
Benefits:
• Eliminates Zero-Day Exploit Dilemma
• Hundreds of Opportunities to Detect
• Applicable to All Techniques & Stages
What’s Needed?
Agents &
Signatures
Agentless &
Signature-less](https://image.slidesharecdn.com/ntxissacsc4112overholsermark-161015160908/85/NTXISSACSC4-Artifacts-Are-for-Archaeologists-Why-Hunting-Malware-Isn-t-Enough-20-320.jpg)
NTXISSACSC4 - Artifacts Are for Archaeologists: Why Hunting Malware Isn't Enough
- 4. @NTXISSA #NTXISSACSC4 Crypting Services • “Crypting” can be used to obfuscate malware until AV does not detect it • Upload malware • Malware encrypted/re-encoded and scanned against all known AV • Process repeats until all AV fails to detect the malware • Brian Krebs has a good article on crypters • (https://krebsonsecurity.com/2014/05/antivirus- is-dead-long-live-antivirus/) NTX ISSA Cyber Security Conference – October 7-8, 2016 4
- 7. @NTXISSA #NTXISSACSC4 TargetedAttacks Outside the Network Intrusion (Seconds – Minutes) Intrusion Active Breach (Hours - Weeks) Establish Backdoor Recon & Lateral Movement Data Exfiltration Inside the Network Attacker compromises a client or server in the network 2 Attacker performs reconnaissance and moves laterally to find valuable data 3 Attacker steals data by uploading or transferring files
- 8. @NTXISSA #NTXISSACSC4 Insider Attacks Recon & Lateral Movement Abuse of User Rights Data Exfiltration Employee is upset by demotion; decides to steal data and quit job 2 Employee accesses many file shares including rarely accessed file shares 3 Employee uses other user’s credentials and exfiltrates a large volume of data IT Assets at Risk • Databases and file servers are considered the most vulnerable to insider attacks SOURCE: LinkedIn Group - Insider Threat Report sponsored by LightCyber File Server Insider Sensitive Data
- 14. @NTXISSA #NTXISSACSC4 Networking and Hacking Tools • Attackers use well- known tools to map the network, probe clients, and monitor activity • NCrack, Mimikatz, and Windows Credential Editor can be used to steal user credentials • Some tools are native OS utilities
- 16. @NTXISSA #NTXISSACSC4 Remote Desktop Tools • Remote desktop tools are: • Used for C&C and lateral movement • Also indicative of risky user behavior
- 20. @NTXISSA #NTXISSACSC4 Current Limitations Known Bad Traditional Security § Signatures, IoC’s, Packet Signatures, Domains, Sandbox Activity § Block, or Miss § Necessary, Not Sufficient What’s Needed § Learn What is Good [Baseline] § Detect What Isn’t [Anomaly] § Catch What Slips Through the Cracks of Traditional Security Problems: • Too Many False Alarms / False Positives • Missed Variants / False Negatives • Only Detect Malware-Based Attacks Learned Good Benefits: • Eliminates Zero-Day Exploit Dilemma • Hundreds of Opportunities to Detect • Applicable to All Techniques & Stages What’s Needed? Agents & Signatures Agentless & Signature-less
- 23. @NTXISSA #NTXISSACSC4 Behavioral Attack Detection Magna Platform Overview • Network-Centric Detection • Agentless & Signature-less • Post-Intrusion: NTA/UEBA Differentiation • Most Accurate & Efficient: Proven & Measured Success • Broadest Context: Network + Endpoint + User • Broadest Attack Coverage with Integrated Remediation Verticals Served • Finance & Insurance • Public Sector • Retail, Healthcare, Legal • Service Providers • Media, Technology, & More Operations Overview • US HQ - CA • EMEA HQ - Amsterdam • IL HQ - Ramat Gan • Customers World-Wide MAGNA About LightCyber
- 24. @NTXISSA #NTXISSACSC4 Profiling, Detection, Investigation, & Remediation Behavioral Profiling - Network-Centric Endpoint and User Profiling Attack Detection - Anomalous Attack Behavior Across the Attack Lifecycle Automated Investigation - Network, User, & Process Association + Cloud Integrated Remediation - Block Attackers with NGFW, NAC, or Lock Accounts with AD
- 25. @NTXISSA #NTXISSACSC4 SIEM Evolving IT Security Investment Needs Lockheed Martin: Cyber Kill Chain Active Attack Phase (Weeks – Months) Intrusion Attempt Phase (Seconds – Minutes) Sandboxing Stateful FW IPS / IDS Network AV Damage Security Expenditure Incident Response (Weeks – Months) Breach Detection Gap
- 28. @NTXISSA #NTXISSACSC4 LightCyber Delivers Unbeatably Accurate Results Source: http://lightcyber.com/lower-security-alerts-metrics/ Most IT security teams can’t keep up with the deluge of security alerts 62% ACROSS ALL ALERTS 99% ACROSS MAGNA’S AUTOMATED “CONFIRMED ATTACK” CATEGORY LIGHTCYBER ACCURACY
- 29. @NTXISSA #NTXISSACSC4 Malware Example Magna Detects: • Active Command & Control channel • Malware Infection • No signs of internal spreading • Likely opportunistic, not (yet) targeted Detection Pattern: • C&C • Malware • (No East-West)
- 30. @NTXISSA #NTXISSACSC4 Risky Behavior Example Magna Detects: • RDP to > 20 Workstations • Likely non-malicious Internal activity since there is no association with other malicious findings Detection Pattern: • Credential Abuse • Not Linked to Exfil or Other
- 31. @NTXISSA #NTXISSACSC4 Insider Attack Example Detection Pattern: • Credential Abuse • Linked to Exfil or Other Findings Magna Detects: • Suspicious access to file shares • Exfiltration • This Correlation indicates likely Insider Attack
- 32. @NTXISSA #NTXISSACSC4 Targeted Attack Example Magna Detects: • Anomalous file with known Threat Intelligence • Recon • Lateral Movement • Exfiltration • This Correlation Indicates Targeted Attack Detection Pattern: • Multiple Correlated Findings • North-South + East-West
- 33. @NTXISSA #NTXISSACSC4 User, Entity; Network + Endpoint Magna Detects: • Anomalous Network Activity • Anomalous and Malicious Processes on the Endpoint • Anomalous User Activity Magna Correlates: • User • Entity • Network • Process • Endpoint
- 34. @NTXISSA #NTXISSACSC4 Reporting: Alert Activity, Triage Activity & SLA, Asset View, and More LightCyber Magna Attack Detection Report Reporting Period: 1/0/1900 1/0/1900 Number of days 1 Total Alerts for Period 0 Average #Alerts per day 0.00 Total Alerts handled 5 Unverified average handling time (days) 2.54 Suspicious average handling time (days) 10.78 Confirmed average handling time (days) 12.47 0 0.5 1 1.5 2 2.5 3 3.5 Alerts Triage and Handling Suspicious Unverified 1 1.5 2 2.5 3 3.5 Alert Types and Categories C&C 20% Exfilt 10% Lateral 10% Malware 20% Recon 40% Alerts Categories 45% 11% 33% 11% Alerts Handling & Accuracy Relevant and Handled Whitelisted Ignored Still Open 0.0 2.0 4.0 6.0 8.0 10.0 12.0 14.0 16.0 18.0 Normal Resolved Whitelisted Normal Archived Confirmed Suspicious Unverified Alert Handling Time (days) arnold jenny 40% 60% Alert Handling by Analyst arnold jenny
- 35. @NTXISSA #NTXISSACSC4 LightCyber Ecosystem Integration Endpoints HQ / DC MAGNAPATHFINDER MAGNADETECTOR MAGNAMASTER Core Switch MAGNA UIRemediation SIEM Network Packet Broker IAM & Policy Mgmt
- 38. @NTXISSA #NTXISSACSC4@NTXISSA #NTXISSACSC4 The Collin College Engineering Department Collin College Student Chapter of the North Texas ISSA North Texas ISSA (Information Systems Security Association) NTX ISSA Cyber Security Conference – October 7-8, 2016 38 Thank you