
The Internal Signs of Compromise


Page 1: The Internal Signs of Compromise

© Mandiant, a FireEye Company. All rights reserved.

Know before others… Do you know the internal signs of a compromise?

Methodology, Technology, and Services

Stuart Davis, Mandiant Director

Page 2: The Internal Signs of Compromise


Agenda

Background: Threat landscape

Methodology: Evolution of Incident Response

Technology: How MANDIANT finds Evil

Services: What MANDIANT can provide

Page 3: The Internal Signs of Compromise


THREAT LANDSCAPE

Evolution of Incident Response

Page 4: The Internal Signs of Compromise


It’s a “who,” not a “what”

There is a human at a keyboard

Highly tailored and customized attacks

Targeted specifically at you

They are professional, organized and well funded

Escalate sophistication of tactics as needed

Relentlessly focused on their objective

If you kick them out they will return

They have specific objectives

Their goal is long-term occupation

Persistence tools and tactics ensure ongoing access

EVOLVING THREAT LANDSCAPE

Page 5: The Internal Signs of Compromise


ANATOMY OF A TARGETED ATTACK

Attack lifecycle (diagram): Initial Compromise → Establish Foothold → Escalate Privileges → Internal Recon → Move Laterally → Maintain Presence → Complete Mission

Attacker goals along the lifecycle:

- Gain Initial Access Into Target
- Strengthen Position within Target
- Steal Valid User Credentials
- Identify Target Data
- Package and Steal Target Data

Page 6: The Internal Signs of Compromise


TIME FROM INITIAL COMPROMISE TO DISCOVERY

Median number of days that threat groups were present on a victim’s network before detection (source: Mandiant M-Trends 2015):

- 2011: 416
- 2012: 243
- 2013: 229
- 2014: 205

The longest time we detected attackers had been present in the victim’s environment was 2,982 days (over 8 years).

Page 7: The Internal Signs of Compromise


METHODOLOGY

Evolution of Incident Response

Page 8: The Internal Signs of Compromise


History of DFIR (Digital Forensics and Incident Response)

- 1995: Disk Forensics
- 2005: Memory Forensics
- 2010: Live Response, Network Forensics

Page 9: The Internal Signs of Compromise


1st Generation (1995-): Disk Forensics

What to analyze
- File System: Full Disk / Event Logs / Prefetch / Registry Hives / Browser History / Scheduled Tasks / etc.

How to analyze
- Shut down the system, unmount the disk
- Connect to a write blocker > make a disk image
- Analyze with tools

Tools to use
- The Sleuth Kit & Autopsy (Open Source)
- Guidance EnCase
- AccessData FTK
- X-Ways

Page 10: The Internal Signs of Compromise


1st Generation (1995-): Disk Forensics (cont.)

Pros
- Data recovery (carving)
- Law enforcement

Cons
- Business impact: system must be shut down
- Difficult to collect: disk encryption, RAID, NAS, cloud
- Dead artifacts: no live data from memory
- Scale: disk by disk

Cost-effectiveness
- 1 disk per week
- JPY 1,500,000 / disk
- Up to 100 hosts (100 weeks = 2 years?)

Page 11: The Internal Signs of Compromise


2nd Generation (2005-): Memory Forensics

What to analyze
- Memory: Processes / Drivers / Handles / Network Connections / etc.

How to analyze
- Mount an external USB or network drive
- Dump physical memory
- Analyze with tools

Tools
- Volatility (Open Source)
- Mandiant Redline (Free)

Page 12: The Internal Signs of Compromise


2nd Generation (2005-): Memory Forensics (cont.)

Pros
- No business impact
- Live data acquisition

Cons
- Limited raw disk access
- Scale: host by host

Cost-effectiveness
- 1 memory dump per half week
- $8K USD / host (forensics specialist needed)
- Up to 100 hosts (50 weeks = 1 year?)

Page 13: The Internal Signs of Compromise


3rd Generation (2010-): Live Response

What to analyze
- File system and memory forensics, performed remotely

How to analyze
- Server/agent based
- Execute a job on the host via the agent and feed the result back to the server
- Analyze the result with central tools

Tools
- GRR (Open Source)
- Guidance EnCase Enterprise
- ManTech Active Defense

Page 14: The Internal Signs of Compromise


3rd Generation (2010-): Live Response (cont.)

Pros
- No business impact
- Enterprise scale
- Speed

Cons
- No proactive detection
- Lack of intelligence
- Extensive knowledge needed

Cost-effectiveness
- Per-host license

Page 15: The Internal Signs of Compromise


3rd Generation (2010-): Network Forensics

What to analyze
- Full packets / Session data / Protocol logs / Statistics

How to analyze
- Packet capture
- Protocol parsing
- Analyze the result with central tools

Network forensic tools
- Security Onion (Open Source)
- BlueCoat Solera Networks
- RSA Security Analytics (NetWitness)

Page 16: The Internal Signs of Compromise


3rd Generation (2010-): Network Forensics (cont.)

Pros
- No business impact
- Network visibility

Cons
- No visibility into encrypted traffic
- No proactive detection
- Lack of intelligence
- Extensive knowledge needed

Cost-effectiveness
- Depends on traffic volume and storage

Page 17: The Internal Signs of Compromise


Traditional Incident Response Process

Identify System → Collect Data → Analyze Data → Report

Page 18: The Internal Signs of Compromise


Breadcrumb Trail

Incidents rarely have a simple, linear trail of evidence:

- Multiple “patient zero” hosts

- Multiple pivot points for lateral movement

- Forensic artifacts disappear over time

- Noise from commodity malware

Page 19: The Internal Signs of Compromise


Scoping Incidents (diagram): overlapping sets of Phishing Campaigns, Compromised Hosts, Accessed Hosts and Hosts with Non-Targeted Malware.

Page 20: The Internal Signs of Compromise


Scoping Incidents (diagram): the same sets of Phishing Campaigns, Compromised Hosts and Accessed Hosts, with the portions not yet known to the investigation marked “?”.

Page 21: The Internal Signs of Compromise


Hunting

Can’t wait for an alarm to go off before investigating

Intelligence driven

Hunting cycle (diagram): Gather sources of evidence (hosts & network devices) → Identify systems of interest, generate new leads

Page 22: The Internal Signs of Compromise


• Red Teaming and Penetration Testing

• ICS Security Assessment

• Security Program Assessment (SPA)

• Response Readiness Assessment (RRA)

• Other strategic services

• Compromise Assessment (CA)

• Incident Response (IR)

• Cyber Defense Center Development (CDC)

• SOC/CIRT transformation

• Incident Response Retainer

• Education

• Deployment & Integration

INCIDENT RESPONSE AND PREPAREDNESS CYCLE

AM I AT RISK? → AM I PREPARED? → AM I COMPROMISED? → I AM BREACHED! → PREPARE FOR FUTURE EVENTS?

Page 23: The Internal Signs of Compromise


COMPROMISE ASSESSMENT (AM I COMPROMISED?)

Evaluate your environment for the presence of targeted attacker activity using the same methods and technologies used during our incident investigations

OUR APPROACH

• Deploy network and host based inspection technology for comprehensiveness, efficiency, and scale

• Apply intelligence from prior investigations and our own knowledge of attack group tools, tactics, and procedures to assess your environment

• Analyze evidence and anomalous activity to confirm malicious activity

• Summarize our findings and provide strategic recommendations based upon our observations during the engagement

VALUE

• Understand the health of your network: whether or not you have been breached

DIFFERENTIATORS

• Same technology used in all Mandiant investigations for comprehensiveness, efficiency, and scale

• Leverage all of our intel to search for signs of compromise across the environment

• Pivot into Incident Response mode if targeted attacker activity is identified


Page 29: The Internal Signs of Compromise


TECHNOLOGY

How MANDIANT finds Evil

Page 30: The Internal Signs of Compromise


Investigative Cycle

Indicators Of Compromise (IOC)

Host inspection (MIR)

Network analysis (NTAP)

Log analysis (TAP)

Malware reverse engineering

Threat Intelligence Analysis

Page 31: The Internal Signs of Compromise


Indicators Of Compromise (IOCs)

An Indicator Of Compromise is a way of describing threat data such as:

- Malware
- Attacker methodology
- Evidence of compromise or activity

What is an indicator?

- MD5: changes frequently
- File names/directories: many reused
- Registry key values: many reused
- Services with wrong service DLLs: outliers
- IPs and domain names: change frequently
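The "services with wrong service DLLs: outliers" indicator above works by stacking the same attribute across every host and looking for the odd one out. The following is an added example (not Mandiant's code) of that stacking over a constructed service inventory; host names, service names and paths are made up.

```python
# Added example (not Mandiant's code): "stacking" ServiceDll paths across
# hosts so the one service whose DLL path differs from the rest of the
# estate surfaces as an outlier. The inventory below is constructed.
from collections import Counter, defaultdict

# Constructed sweep results: (host, service name, ServiceDll path as read
# from the service's Parameters registry key by a live-response agent).
SERVICE_INVENTORY = [
    ("WS01", "wuauserv", r"C:\Windows\System32\wuaueng.dll"),
    ("WS02", "wuauserv", r"C:\Windows\System32\wuaueng.dll"),
    ("WS03", "wuauserv", r"C:\Windows\system32\wuaueng.dll"),
    ("WS04", "wuauserv", r"C:\Windows\System32\wuaueng.dll"),
    ("WS05", "wuauserv", r"C:\ProgramData\Update\wuaueng.dll"),  # wrong path
    ("WS01", "Dnscache", r"C:\Windows\System32\dnsrslvr.dll"),
    ("WS02", "Dnscache", r"C:\Windows\System32\dnsrslvr.dll"),
    ("WS03", "Dnscache", r"C:\Windows\System32\dnsrslvr.dll"),
    ("WS04", "Dnscache", r"C:\Windows\System32\dnsrslvr.dll"),
    ("WS05", "Dnscache", r"C:\Windows\System32\dnsrslvr.dll"),
]


def stack_service_dlls(inventory):
    """Count, per service, how many hosts use each DLL path, and remember
    which hosts use it. Names and paths are case-folded: Windows service
    names and NTFS paths are case-insensitive, so 'system32' and 'System32'
    must land in the same bucket."""
    stacks = defaultdict(Counter)
    hosts_by_path = defaultdict(list)
    for host, service, dll in inventory:
        service, dll = service.lower(), dll.lower()
        stacks[service][dll] += 1
        hosts_by_path[(service, dll)].append(host)
    return stacks, hosts_by_path


def find_outliers(inventory, max_hosts=1):
    """Return [(service, dll, hosts)] for DLL paths used by at most
    `max_hosts` hosts while a more common path exists for the same service.
    A service whose only path is rare is not flagged: rarity is judged
    against the estate's majority, not in isolation."""
    stacks, hosts_by_path = stack_service_dlls(inventory)
    outliers = []
    for service, counts in stacks.items():
        if len(counts) < 2:          # no competing path, nothing to compare
            continue
        majority = counts.most_common(1)[0][1]
        for dll, n in counts.items():
            if n <= max_hosts and n < majority:
                outliers.append((service, dll, sorted(hosts_by_path[(service, dll)])))
    return outliers
```

Running `find_outliers(SERVICE_INVENTORY)` flags only the wuauserv entry on WS05; the Dnscache stack is uniform and produces nothing.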

Page 32: The Internal Signs of Compromise


Network : Attacker Monitoring & Forensics

Network visibility

Internet egress points

Decode traffic generated by known malware

Reconstruct command-and-control activity

Recover data theft

Monitor all protocols (full packet capture)

Page 33: The Internal Signs of Compromise


Network : Architecture (diagram)

- Customer components: Internet, perimeter firewall, switch, web proxy, internal network firewall, VPN users, and the INTERNAL NETWORK of servers, workstations and laptops
- Mandiant Network Sensor attached at a network SPAN/TAP
- Mandiant reaches the sensor over a Mandiant VPN tunnel

Page 34: The Internal Signs of Compromise


Endpoint : Hunting & Live Response

Host visibility

Agent / controller model

Deploy to all Windows systems in environment

Identify historical evidence of compromise

Search all hosts for IOCs

Conduct deep-dive analysis on systems of interest

Page 35: The Internal Signs of Compromise


Endpoint : Architecture (diagram)

- MIR Controller #1 … MIR Controller #n
- Mandiant Agent deployed on the servers, workstations and laptops of the INTERNAL NETWORK and on VPN users’ systems
- Agent-to-controller communication over mutually authenticated SSL
- Mandiant connects to the controllers from outside the internal network

Page 36: The Internal Signs of Compromise


Big data : Finding the Needle & Analysis

Network, endpoint, application events visibility

Detect with Mandiant Threat Intelligence

Source from Syslog, Windows Event Log, File, ODBC

Communication Broker in customer environment

Cloud-based; all technology managed

Page 37: The Internal Signs of Compromise


TOOLS OF THE TRADE

A TEAM of analysts enabled by MIR and NTAP

Page 38: The Internal Signs of Compromise


End-point Visibility – Sweeping the Environment

Page 39: The Internal Signs of Compromise


Find One. IOC matches are verified by analysts by extracting suspect artifacts from end-points and/or verifying network sensors for corroborating evidence.

Page 40: The Internal Signs of Compromise


Find One. Then Find Them All.

An initial lead converted to an IOC can yield quick results across the entire estate.
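As an added example (not Mandiant's MIR or OpenIOC code), the following shows the "Find One, Then Find Them All" step in miniature: a lead from one host is converted into a compound IOC that pairs the volatile MD5 with the reused file name and Run-key value, then swept across a constructed estate. All hashes, names and hosts are made up.

```python
# Added example (not Mandiant's code): convert one lead into a compound IOC
# and evaluate it on every host. Hashes, names and hosts are constructed.

# Lead from the patient-zero host (constructed, not a real indicator).
LEAD_MD5 = "0123456789abcdef0123456789abcdef"

# An IOC is a list of OR-ed terms; each term is a list of AND-ed clauses.
# The volatile attribute (MD5) stands alone; the durable, reused attributes
# (file name, Run-key value name) are AND-ed so a file name alone cannot fire.
IOC = {
    "terms": [
        [("file_md5", LEAD_MD5)],
        [("file_name", "svchost32.exe"), ("run_key_value", "svchost32")],
    ],
}

# Constructed artifacts as a live-response agent might report them.
HOSTS = {
    "WS01": {"files": [("svchost32.exe", LEAD_MD5)],  # patient zero
             "run_key_values": ["svchost32"]},
    "WS02": {"files": [("SVCHOST32.EXE", "fedcba9876543210fedcba9876543210")],
             "run_key_values": ["svchost32"]},  # rebuilt sample, new hash
    "WS03": {"files": [("svchost32.exe", "00000000000000000000000000000000")],
             "run_key_values": ["OneDrive"]},  # name only, no persistence
    "WS04": {"files": [("notepad.exe", "11111111111111111111111111111111")],
             "run_key_values": ["OneDrive"]},  # clean
}


def clause_matches(kind, value, host):
    """Evaluate one clause against a host's artifacts, case-insensitively."""
    if kind == "file_md5":
        return any(md5.lower() == value.lower() for _, md5 in host["files"])
    if kind == "file_name":
        return any(name.lower() == value.lower() for name, _ in host["files"])
    if kind == "run_key_value":
        return any(v.lower() == value.lower() for v in host["run_key_values"])
    raise ValueError(f"unknown clause kind: {kind}")


def ioc_hits(ioc, host):
    """Indices of the OR-terms whose AND-clauses all hold for this host."""
    return [i for i, term in enumerate(ioc["terms"])
            if all(clause_matches(k, v, host) for k, v in term)]


def sweep(ioc, hosts):
    """Find One, Then Find Them All: return {host: matched term indices}."""
    results = {}
    for name, host in hosts.items():
        hits = ioc_hits(ioc, host)
        if hits:
            results[name] = hits
    return results
```

`sweep(IOC, HOSTS)` returns WS01 (both terms) and WS02 (durable term only, since its hash changed); WS03 has the file name but not the persistence value, so it stays out.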

Page 41: The Internal Signs of Compromise


Regional Threats

Indicators of Compromise (IOC) used during a Compromise Assessment are composed of information from:

• Incident Response engagements
• Internal research
• Publicly available data
• Regional teams’ input

IOCs are updated continuously and can be made client specific.

Page 42: The Internal Signs of Compromise


Tracking Attackers With Network Sensors

Network sensors enable near real-time detection of threats, capture of identified malicious traffic, and tracking of attacker activity.

Page 43: The Internal Signs of Compromise

