SlideShare a Scribd company logo

The Case for EDR: What's In Your Toolkit

Download as PPTX, PDF
Dawn Yankeelov, profile picture
Dawn Yankeelov

The document discusses Endpoint Detection and Response (EDR) and outlines its importance in identifying and managing malware threats. It provides an overview of Cybereason, the speaker's background, and various types of malware including fileless malware and specific examples like Emotet and TrickBot. The presentation emphasizes the need for proactive monitoring and the evolving landscape of cybersecurity threats.

Technology
1 of 36
Downloaded 17 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
© 2017 Cybereason Inc. All rights reserved. What’s in your toolkit? The Case for EDR
© 2017 Cybereason Inc. All rights reserved. Index • This presentation: • About Me • About Cybereason • My Job • Disclaimers • Products/Vendors • Defense In Depth • Examples • Q/A
© 2017 Cybereason Inc. All rights reserved. About me • Hometown boy! • CAL Alumni 2001 • Education • USF (Double BA in Poly Sci and Finance) • UofL (Post Bac Cert in Accounting) • Boston University MET (MS in Comp Sci) • Work • American Well: Security Analyst (2015) • PayPal: Security Engineer (2016-2018) • Cybereason: Security/Malware Analyst (2019) • Other • Jit-Jitsu Whitebelt (Black belt in training)
© 2017 Cybereason Inc. All rights reserved. About Cybereason • Founded in 2012 by former members of the elite Israeli Defense force 8200 • Currently around 500 employees with $100+ million dollars in funding, most from Japanese Softbank • Offices in Boston, Tel Aviv, Tokyo, London and Sydney (more coming soon)
© 2017 Cybereason Inc. All rights reserved. What’s my job? • Identify the Malware before it spreads • Drop unidentified Malware into sandbox • Reverse Engineer Malware • Triage and make recommendations based on the type of Malware • Quarantine vs Re-Image the machine
© 2017 Cybereason Inc. All rights reserved. Disclaimer! • I’m still learning!!!
© 2017 Cybereason Inc. All rights reserved. Other Disclaimer • EDR is not meant there is a be all end all solution!
© 2017 Cybereason Inc. All rights reserved. Which products? Who are the vendors? Anti-virus Firewall WAF
© 2017 Cybereason Inc. All rights reserved. New Generation Products EDR
© 2017 Cybereason Inc. All rights reserved. Defense in Depth Recognize this?
© 2017 Cybereason Inc. All rights reserved. Defense in Depth The Layers
© 2017 Cybereason Inc. All rights reserved. What is EDR? Endpoint Detection and ResponseRemediation • Gives a full story • Shows behaviors and uses data and predictive analytics to determine malicious behavior • Addresses the need for continuous monitoring • Combines many tools for a single purpose which empowers the analyst as well as the party to make sure the proper actions are taken • In other words its helpful!
© 2017 Cybereason Inc. All rights reserved. Attack Lifecycle
© 2017 Cybereason Inc. All rights reserved. Different types of Malware
© 2017 Cybereason Inc. All rights reserved. APT vs. Commodity Malware WannaCry • NSA Leak • Eternal Blue & Double Pulsar
© 2017 Cybereason Inc. All rights reserved. APT vs. Commodity Malware Stuxnet
© 2017 Cybereason Inc. All rights reserved. Types of Malware • PUP (potentially unwanted program) • Applications that would be considered unwanted despite often having been downloaded by the user. • Ransomware • Threatens to publish the victim's data or perpetually block access(encrypt) to it unless a ransom is paid.
© 2017 Cybereason Inc. All rights reserved. Types of Malware • Dropper • Malicious code that exists only to download other malicious code. • Information-stealing malware • Collects information from a victim’s computer and usually sends it to the attacker. • Rootkit • Malicious code designed to conceal the existence of other code.
© 2017 Cybereason Inc. All rights reserved. Fileless Malware • What is it? • Legitimate process being ran in the background • Data saved in Registry can be called by wscript • Powershell process one liner process base64 etc pushses straight to RAM • Calling invoke expression can run via admin and collect and receive data and go undetected to typical AV as this is a legitimate process • Using Operating System against itself • Cobalt kitty --------------------------
© 2017 Cybereason Inc. All rights reserved. Fileless Malware • Current Trends • 42% of companies surveyed by the Ponemon Institute reported experiencing at least one fileless malware attack in 2017 and 77% of all successful attacks were fileless. (https://digitalguardian.com/blog/what-fileless-malware-or-non-malware-attack- definition-and-best-practices-fileless-malware) • In the first half of 2018 there was a 94% increase in fileless malware attacks and 5.2 Powershell attacks per 1000 endpoint according to Threatpost (https://threatpost.com/threatlist- ransomware-attacks-down-fileless-malware-up-in-2018/136962/)
© 2017 Cybereason Inc. All rights reserved. Mimikatz • What is it? • Open source application (Used both by Red team and malicious individuals) to dump clear text authentication credentials • By default since windows 8.1 wont spit out clear text passwords (Wdigest)
© 2017 Cybereason Inc. All rights reserved. Emotet/Trickbot/Ryuk
© 2017 Cybereason Inc. All rights reserved. Emotet/Trickbot/Ryuk
© 2017 Cybereason Inc. All rights reserved. Emotet/Trickbot/Ryuk
© 2017 Cybereason Inc. All rights reserved. Emotet/Trickbot/Ryuk
© 2017 Cybereason Inc. All rights reserved. Emotet/Trickbot/Ryuk
© 2017 Cybereason Inc. All rights reserved. Tiny Banker
© 2017 Cybereason Inc. All rights reserved. Tiny Banker
© 2017 Cybereason Inc. All rights reserved. Tiny Banker The process ran a DNS query to the following: vqwgqnbtectr.pw > 216.218.185[.]162 sucjuv.in > 216.218.185[.]162 hbsnmsmlsvib.in > 216.218.185[.]162 ehhrupqrycm.pw > 216.218.185[.]162 uatuwc.pw > 216.218.185[.]162 fpexkrdtxpfs.in > 216.218.185[.]162 okzhyctznzft.pw > 216.218.185[.]162 zawmg.pw > 216.218.185[.]162 lxpcbahva.pw > 216.218.185[.]162 bifcp.in > 216.218.185[.]162 pojde.in > 216.218.185[.]162 And many many more….
© 2017 Cybereason Inc. All rights reserved. Tiny Banker
© 2017 Cybereason Inc. All rights reserved. Tiny Banker
© 2017 Cybereason Inc. All rights reserved. Tiny Banker
© 2017 Cybereason Inc. All rights reserved. Tiny Banker
© 2017 Cybereason Inc. All rights reserved. Demo https://www.youtube.com/watch?v=Hc7h-rIyd5A
© 2017 Cybereason Inc. All rights reserved. Q/A • Feedback • Joshua.chou@cybereason.com • jdudeoflife
© 2017 Cybereason Inc. All rights reserved. you.Thank www.cybereason.com

More Related Content

PPTX
Research: From zero to phishing in 60 seconds
Imperva
 
PDF
Intelligence driven defense webinar
ThreatConnect
 
PDF
Save Time and Act Faster with Playbooks
ThreatConnect
 
PPTX
Cyber Resilency VANCOUVER, BC Nov 2017
Kevin Murphy
 
PPTX
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Black Duck by Synopsys
 
PPTX
Advanced Threat Hunting - Botconf 2017
Kevin Finley
 
PDF
Managing Indicator Deprecation in ThreatConnect
ThreatConnect
 
PPTX
Open Source Insight: Black Duck Now Part of Synopsys, Tackling Container Secu...
Black Duck by Synopsys
 
Research: From zero to phishing in 60 seconds
Imperva
 
Intelligence driven defense webinar
ThreatConnect
 
Save Time and Act Faster with Playbooks
ThreatConnect
 
Cyber Resilency VANCOUVER, BC Nov 2017
Kevin Murphy
 
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Black Duck by Synopsys
 
Advanced Threat Hunting - Botconf 2017
Kevin Finley
 
Managing Indicator Deprecation in ThreatConnect
ThreatConnect
 
Open Source Insight: Black Duck Now Part of Synopsys, Tackling Container Secu...
Black Duck by Synopsys
 

What's hot (20)

PPTX
The Business Benefits of Threat Intelligence Webinar
ThreatConnect
 
PDF
Cisco Connect 2018 Malaysia - Cisco incident response services-strengthen you...
NetworkCollaborators
 
PDF
A Blueprint for Web Attack Survival
Imperva
 
PPTX
Cerdant Security State of the Union
David Perkins
 
PDF
[OWASP Poland Day] Embedding security into SDLC + GDPR
OWASP
 
PDF
Avoiding Sophisticated Targeted Breach Critical Guidance Healthcare
Cybereason
 
PPTX
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
Black Duck by Synopsys
 
PDF
CEH Vs CISSP: Which one is better?
Mercury Solutions Limited
 
POTX
Ransomware: Why Are Backup Vendors Trying To Scare You?
marketingunitrends
 
PPTX
Solnet dev secops meetup
pbink
 
PDF
Robert Hurlbut - Threat Modeling for Secure Software Design
centralohioissa
 
PDF
ІЛЛЯ ЛУБЕНЕЦЬ «DevSecOps наступний етап розвитку DevOps» GO DevOps
UA DevOps Conference
 
PPTX
Maltego Webinar Slides
ThreatConnect
 
PDF
Building a Strategic Plan for Your Security Awareness Program
Priyanka Aash
 
DOCX
Why security is the kidney not the tail of the dog v3
Ernest Staats
 
PDF
Cisco Connect 2018 Thailand - Changing the security equation demetris booth_c...
NetworkCollaborators
 
PPTX
Malware: To The Realm of Malicious Code (Training)
Satria Ady Pradana
 
PDF
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
CrowdStrike
 
PPTX
API Security Survey
Imperva
 
PPTX
The Top 7 Causes of Major Security Breaches
Kaseya
 
The Business Benefits of Threat Intelligence Webinar
ThreatConnect
 
Cisco Connect 2018 Malaysia - Cisco incident response services-strengthen you...
NetworkCollaborators
 
A Blueprint for Web Attack Survival
Imperva
 
Cerdant Security State of the Union
David Perkins
 
[OWASP Poland Day] Embedding security into SDLC + GDPR
OWASP
 
Avoiding Sophisticated Targeted Breach Critical Guidance Healthcare
Cybereason
 
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
Black Duck by Synopsys
 
CEH Vs CISSP: Which one is better?
Mercury Solutions Limited
 
Ransomware: Why Are Backup Vendors Trying To Scare You?
marketingunitrends
 
Solnet dev secops meetup
pbink
 
Robert Hurlbut - Threat Modeling for Secure Software Design
centralohioissa
 
ІЛЛЯ ЛУБЕНЕЦЬ «DevSecOps наступний етап розвитку DevOps» GO DevOps
UA DevOps Conference
 
Maltego Webinar Slides
ThreatConnect
 
Building a Strategic Plan for Your Security Awareness Program
Priyanka Aash
 
Why security is the kidney not the tail of the dog v3
Ernest Staats
 
Cisco Connect 2018 Thailand - Changing the security equation demetris booth_c...
NetworkCollaborators
 
Malware: To The Realm of Malicious Code (Training)
Satria Ady Pradana
 
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
CrowdStrike
 
API Security Survey
Imperva
 
The Top 7 Causes of Major Security Breaches
Kaseya
 
Ad

Similar to The Case for EDR: What's In Your Toolkit (20)

PDF
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
Michael Gough
 
PDF
When Security Tools Fail You
Michael Gough
 
PPTX
Malware Analysis
Ramin Farajpour Cami
 
PDF
Threat Landscape Lessons from IoTs and Honeynets
Digital Transformation EXPO Event Series
 
PDF
endpoint-detection-and-response-datasheet.pdf
Olufemi37
 
PPTX
Advanced Threats In The Enterprise
Priyanka Aash
 
PPTX
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
Mike Spaulding
 
PPTX
Info sec 12 v1 2
Prof John Walker FRSA Purveyor Dark Intelligence
 
PDF
PHDays 2018 Threat Hunting Hands-On Lab
Teymur Kheirkhabarov
 
PDF
CNIT 152: 4 Starting the Investigation & 5 Leads
Sam Bowne
 
PDF
Can_We_Really_Detect_These_So_Called_Sophisticated_Attacks?
Michael Gough
 
PDF
Today's Breach Reality, The IR Imperative, And What You Can Do About It
Resilient Systems
 
PDF
4 Getting Started & 5 Leads
Sam Bowne
 
PDF
Malware
Setiya Nugroho
 
PPTX
Encase cybersecurity alat za proaktivnu kontrolu korporativne it sigurnosti 2
Damir Delija
 
PPTX
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Adrian Sanabria
 
PDF
The attack lifecycle. Cybereason can help you answer: Are you under attack?
Cybereason
 
PPTX
Exploring the Capabilities and Economics of Cybercrime
Cylance
 
PDF
Practical Incident Response - Work Guide
Eduardo Chavarro
 
PDF
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
Sam Bowne
 
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
Michael Gough
 
When Security Tools Fail You
Michael Gough
 
Malware Analysis
Ramin Farajpour Cami
 
Threat Landscape Lessons from IoTs and Honeynets
Digital Transformation EXPO Event Series
 
endpoint-detection-and-response-datasheet.pdf
Olufemi37
 
Advanced Threats In The Enterprise
Priyanka Aash
 
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
Mike Spaulding
 
Info sec 12 v1 2
Prof John Walker FRSA Purveyor Dark Intelligence
 
PHDays 2018 Threat Hunting Hands-On Lab
Teymur Kheirkhabarov
 
CNIT 152: 4 Starting the Investigation & 5 Leads
Sam Bowne
 
Can_We_Really_Detect_These_So_Called_Sophisticated_Attacks?
Michael Gough
 
Today's Breach Reality, The IR Imperative, And What You Can Do About It
Resilient Systems
 
4 Getting Started & 5 Leads
Sam Bowne
 
Malware
Setiya Nugroho
 
Encase cybersecurity alat za proaktivnu kontrolu korporativne it sigurnosti 2
Damir Delija
 
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Adrian Sanabria
 
The attack lifecycle. Cybereason can help you answer: Are you under attack?
Cybereason
 
Exploring the Capabilities and Economics of Cybercrime
Cylance
 
Practical Incident Response - Work Guide
Eduardo Chavarro
 
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
Sam Bowne
 
Ad

More from Dawn Yankeelov (20)

PDF
What's Ahead: Ways to Stay Engaged in Cyber Security Trends, Policy & Inform...
Dawn Yankeelov
 
PPT
TALK Public Policy 2022
Dawn Yankeelov
 
PPTX
A Look At Evolving Cybersecurity Policy for Financial Institutions 2021
Dawn Yankeelov
 
PPTX
Discussing Guidance & Liabilities Regarding Reopening
Dawn Yankeelov
 
PPTX
DHS Cybersecurity Services for Building Cyber Resilience
Dawn Yankeelov
 
PPTX
Cyber Security Threats Facing Small Businesses--June 2019
Dawn Yankeelov
 
PPTX
A Look at Cyber Insurance -- A Corporate Perspective
Dawn Yankeelov
 
PPTX
Cyber Security Resilience by KY CISO David Carter
Dawn Yankeelov
 
PPTX
Cyber Security Resilience from Metro Louisville Govt.
Dawn Yankeelov
 
PPTX
Cybersecurity Information From KY's CISO
Dawn Yankeelov
 
PDF
Legal Issues in Data Privacy and Security: Response Readiness Before the Breach
Dawn Yankeelov
 
PDF
Kentucky's Cyber Enclave
Dawn Yankeelov
 
PPTX
Understanding Cyber Industrial Controls in the Manufacturing and Utilities En...
Dawn Yankeelov
 
PDF
RCM Brain: AI Bots in Healthcare
Dawn Yankeelov
 
PPTX
Kentucky's Cyber Engineering Pathway for Teens By Scott U'Sellis
Dawn Yankeelov
 
PPTX
PSST: Seamless Data Solutions
Dawn Yankeelov
 
PDF
RCM Brain: AI Bots in Healthcare
Dawn Yankeelov
 
PPTX
Cybersecurity Trends & Startups by Gula Tech Adventures
Dawn Yankeelov
 
PPTX
How I Will Phish You
Dawn Yankeelov
 
POTX
Understanding Research & Development Tax Credits in KY
Dawn Yankeelov
 
What's Ahead: Ways to Stay Engaged in Cyber Security Trends, Policy & Inform...
Dawn Yankeelov
 
TALK Public Policy 2022
Dawn Yankeelov
 
A Look At Evolving Cybersecurity Policy for Financial Institutions 2021
Dawn Yankeelov
 
Discussing Guidance & Liabilities Regarding Reopening
Dawn Yankeelov
 
DHS Cybersecurity Services for Building Cyber Resilience
Dawn Yankeelov
 
Cyber Security Threats Facing Small Businesses--June 2019
Dawn Yankeelov
 
A Look at Cyber Insurance -- A Corporate Perspective
Dawn Yankeelov
 
Cyber Security Resilience by KY CISO David Carter
Dawn Yankeelov
 
Cyber Security Resilience from Metro Louisville Govt.
Dawn Yankeelov
 
Cybersecurity Information From KY's CISO
Dawn Yankeelov
 
Legal Issues in Data Privacy and Security: Response Readiness Before the Breach
Dawn Yankeelov
 
Kentucky's Cyber Enclave
Dawn Yankeelov
 
Understanding Cyber Industrial Controls in the Manufacturing and Utilities En...
Dawn Yankeelov
 
RCM Brain: AI Bots in Healthcare
Dawn Yankeelov
 
Kentucky's Cyber Engineering Pathway for Teens By Scott U'Sellis
Dawn Yankeelov
 
PSST: Seamless Data Solutions
Dawn Yankeelov
 
RCM Brain: AI Bots in Healthcare
Dawn Yankeelov
 
Cybersecurity Trends & Startups by Gula Tech Adventures
Dawn Yankeelov
 
How I Will Phish You
Dawn Yankeelov
 
Understanding Research & Development Tax Credits in KY
Dawn Yankeelov
 

Recently uploaded (20)

PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Encapsulation theory and applications.pdf
gurumoop
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 

The Case for EDR: What's In Your Toolkit

  • 1. © 2017 Cybereason Inc. All rights reserved. What’s in your toolkit? The Case for EDR
  • 2. © 2017 Cybereason Inc. All rights reserved. Index • This presentation: • About Me • About Cybereason • My Job • Disclaimers • Products/Vendors • Defense In Depth • Examples • Q/A
  • 3. © 2017 Cybereason Inc. All rights reserved. About me • Hometown boy! • CAL Alumni 2001 • Education • USF (Double BA in Poly Sci and Finance) • UofL (Post Bac Cert in Accounting) • Boston University MET (MS in Comp Sci) • Work • American Well: Security Analyst (2015) • PayPal: Security Engineer (2016-2018) • Cybereason: Security/Malware Analyst (2019) • Other • Jit-Jitsu Whitebelt (Black belt in training)
  • 4. © 2017 Cybereason Inc. All rights reserved. About Cybereason • Founded in 2012 by former members of the elite Israeli Defense force 8200 • Currently around 500 employees with $100+ million dollars in funding, most from Japanese Softbank • Offices in Boston, Tel Aviv, Tokyo, London and Sydney (more coming soon)
  • 5. © 2017 Cybereason Inc. All rights reserved. What’s my job? • Identify the Malware before it spreads • Drop unidentified Malware into sandbox • Reverse Engineer Malware • Triage and make recommendations based on the type of Malware • Quarantine vs Re-Image the machine
  • 6. © 2017 Cybereason Inc. All rights reserved. Disclaimer! • I’m still learning!!!
  • 7. © 2017 Cybereason Inc. All rights reserved. Other Disclaimer • EDR is not meant there is a be all end all solution!
  • 8. © 2017 Cybereason Inc. All rights reserved. Which products? Who are the vendors? Anti-virus Firewall WAF
  • 9. © 2017 Cybereason Inc. All rights reserved. New Generation Products EDR
  • 10. © 2017 Cybereason Inc. All rights reserved. Defense in Depth Recognize this?
  • 11. © 2017 Cybereason Inc. All rights reserved. Defense in Depth The Layers
  • 12. © 2017 Cybereason Inc. All rights reserved. What is EDR? Endpoint Detection and ResponseRemediation • Gives a full story • Shows behaviors and uses data and predictive analytics to determine malicious behavior • Addresses the need for continuous monitoring • Combines many tools for a single purpose which empowers the analyst as well as the party to make sure the proper actions are taken • In other words its helpful!
  • 13. © 2017 Cybereason Inc. All rights reserved. Attack Lifecycle
  • 14. © 2017 Cybereason Inc. All rights reserved. Different types of Malware
  • 15. © 2017 Cybereason Inc. All rights reserved. APT vs. Commodity Malware WannaCry • NSA Leak • Eternal Blue & Double Pulsar
  • 16. © 2017 Cybereason Inc. All rights reserved. APT vs. Commodity Malware Stuxnet
  • 17. © 2017 Cybereason Inc. All rights reserved. Types of Malware • PUP (potentially unwanted program) • Applications that would be considered unwanted despite often having been downloaded by the user. • Ransomware • Threatens to publish the victim's data or perpetually block access(encrypt) to it unless a ransom is paid.
  • 18. © 2017 Cybereason Inc. All rights reserved. Types of Malware • Dropper • Malicious code that exists only to download other malicious code. • Information-stealing malware • Collects information from a victim’s computer and usually sends it to the attacker. • Rootkit • Malicious code designed to conceal the existence of other code.
  • 19. © 2017 Cybereason Inc. All rights reserved. Fileless Malware • What is it? • Legitimate process being ran in the background • Data saved in Registry can be called by wscript • Powershell process one liner process base64 etc pushses straight to RAM • Calling invoke expression can run via admin and collect and receive data and go undetected to typical AV as this is a legitimate process • Using Operating System against itself • Cobalt kitty --------------------------
  • 20. © 2017 Cybereason Inc. All rights reserved. Fileless Malware • Current Trends • 42% of companies surveyed by the Ponemon Institute reported experiencing at least one fileless malware attack in 2017 and 77% of all successful attacks were fileless. (https://digitalguardian.com/blog/what-fileless-malware-or-non-malware-attack- definition-and-best-practices-fileless-malware) • In the first half of 2018 there was a 94% increase in fileless malware attacks and 5.2 Powershell attacks per 1000 endpoint according to Threatpost (https://threatpost.com/threatlist- ransomware-attacks-down-fileless-malware-up-in-2018/136962/)
  • 21. © 2017 Cybereason Inc. All rights reserved. Mimikatz • What is it? • Open source application (Used both by Red team and malicious individuals) to dump clear text authentication credentials • By default since windows 8.1 wont spit out clear text passwords (Wdigest)
  • 22. © 2017 Cybereason Inc. All rights reserved. Emotet/Trickbot/Ryuk
  • 23. © 2017 Cybereason Inc. All rights reserved. Emotet/Trickbot/Ryuk
  • 24. © 2017 Cybereason Inc. All rights reserved. Emotet/Trickbot/Ryuk
  • 25. © 2017 Cybereason Inc. All rights reserved. Emotet/Trickbot/Ryuk
  • 26. © 2017 Cybereason Inc. All rights reserved. Emotet/Trickbot/Ryuk
  • 27. © 2017 Cybereason Inc. All rights reserved. Tiny Banker
  • 28. © 2017 Cybereason Inc. All rights reserved. Tiny Banker
  • 29. © 2017 Cybereason Inc. All rights reserved. Tiny Banker The process ran a DNS query to the following: vqwgqnbtectr.pw > 216.218.185[.]162 sucjuv.in > 216.218.185[.]162 hbsnmsmlsvib.in > 216.218.185[.]162 ehhrupqrycm.pw > 216.218.185[.]162 uatuwc.pw > 216.218.185[.]162 fpexkrdtxpfs.in > 216.218.185[.]162 okzhyctznzft.pw > 216.218.185[.]162 zawmg.pw > 216.218.185[.]162 lxpcbahva.pw > 216.218.185[.]162 bifcp.in > 216.218.185[.]162 pojde.in > 216.218.185[.]162 And many many more….
  • 30. © 2017 Cybereason Inc. All rights reserved. Tiny Banker
  • 31. © 2017 Cybereason Inc. All rights reserved. Tiny Banker
  • 32. © 2017 Cybereason Inc. All rights reserved. Tiny Banker
  • 33. © 2017 Cybereason Inc. All rights reserved. Tiny Banker
  • 34. © 2017 Cybereason Inc. All rights reserved. Demo https://www.youtube.com/watch?v=Hc7h-rIyd5A
  • 35. © 2017 Cybereason Inc. All rights reserved. Q/A • Feedback • Joshua.chou@cybereason.com • jdudeoflife
  • 36. © 2017 Cybereason Inc. All rights reserved. you.Thank www.cybereason.com