© Mandiant, a FireEye Company. All rights reserved.
Know before others… Do you know the internal signs of a compromise?
Methodology, Technology, and Services
Stuart Davis, Mandiant Director
Agenda
Background: Threat landscape
Methodology : Evolution of Incident Response
Technology : How MANDIANT finds Evil
Services : What MANDIANT can provide
THREAT LANDSCAPE
Evolution of Incident Response
EVOLVING THREAT LANDSCAPE
It’s a “who,” not a “what”
- There is a human at a keyboard
- Highly tailored and customized attacks
- Targeted specifically at you
They are professional, organized and well funded
- Escalate sophistication of tactics as needed
- Relentlessly focused on their objective
- If you kick them out they will return
They have specific objectives
- Their goal is long-term occupation
- Persistence tools and tactics ensure ongoing access
ANATOMY OF A TARGETED ATTACK
(Attack lifecycle diagram; only the labels are recoverable.)
Stages: Initial Compromise -> Establish Foothold -> Escalate Privileges -> Internal Recon -> Move Laterally -> Maintain Presence -> Complete Mission
Attacker goals: Gain Initial Access Into Target; Strengthen Position within Target; Steal Valid User Credentials; Identify Target Data; Package and Steal Target Data
TIME FROM INITIAL COMPROMISE TO DISCOVERY
Median number of days that threat groups were present on a victim’s network before detection:
2011: 416
2012: 243
2013: 229
2014: 205
Source: Mandiant M-Trends 2015
The longest time we detected attackers had been present in the victim’s environment was 2,982 days (over 8 years).
METHODOLOGY
Evolution of Incident Response
History of DFIR (Digital Forensics and Incident Response)
- 1995: Disk Forensics
- 2005: Memory Forensics
- 2010: Live Response, Network Forensics
1st Generation (1995-) : Disk Forensics
What to analyze
- File System: Full Disk / Event logs / Prefetch / Registry Hives / Browser History / Scheduled Tasks / etc.
How to analyze
- Shut down system, unmount disk
- Connect to write blocker, make disk image
- Analyze with tools
Tools to use
- The Sleuth Kit & Autopsy (Open Source)
- Guidance EnCase
- AccessData FTK
- X-Ways
1st Generation (1995-) : Disk Forensics (cont.)
Pros
- Data recovery (carving)
- Law Enforcement
Cons
- Business impact: system shutdown
- Difficult to collect: Disk Encryption, RAID, NAS, Cloud
- Dead artifacts: no live data from memory
- Scale: disk by disk
Cost-effectiveness
- 1 disk per week
- JPY 1,500,000 / disk
- Up to 100 hosts (100 weeks = 2 years?)
2nd Generation (2005-) : Memory Forensics
What to analyze
- Memory: Processes / Drivers / Handles / Network Connections / etc.
How to analyze
- Mount external USB or network drive
- Dump physical memory
- Analyze with tools
Tools
- Volatility (Open Source)
- Mandiant Redline (Free)
2nd Generation (2005-) : Memory Forensics (cont.)
Pros
- No business impact
- Live data acquisition
Cons
- Limited raw disk access
- Scale: host by host
Cost-effectiveness
- 1 memory dump per half week
- $8K USD / host (forensics specialist needed)
- Up to 100 hosts (50 weeks = 1 year?)
3rd Generation (2010-) : Live Response
What to analyze
- File system and memory forensics, performed remotely
How to analyze
- Server / agent based
- The agent executes a job on the host and feeds the result back to the server
- Analyze the results with central tools
Tools
- GRR (Open Source)
- Guidance EnCase Enterprise
- ManTech Active Defense
3rd Generation (2010-) : Live Response (cont.)
Pros
- No business impact
- Enterprise scale
- Speed
Cons
- No proactive detection
- Lack of intelligence
- Needs extensive knowledge
Cost-effectiveness
- Per-host license
3rd Generation (2010-) : Network Forensics
What to analyze
- Full packet / Session data / Protocol logs / Statistics
How to analyze
- Packet capture
- Protocol parsing
- Analyze the results with central tools
Network Forensic Tools
- Security Onion (Open Source)
- BlueCoat Solera Networks
- RSA Security Analytics (NetWitness)
3rd Generation (2010-) : Network Forensics (cont.)
Pros
- No business impact
- Network visibility
Cons
- No visibility into encrypted traffic
- No proactive detection
- Lack of intelligence
- Needs extensive knowledge
Cost-effectiveness
- Depends on traffic volume and storage
Traditional Incident Response Process
Identify System -> Collect Data -> Analyze Data -> Report
Breadcrumb Trail
Incidents rarely have a simple, linear trail of evidence:
- Multiple “patient zero” hosts
- Multiple pivot points for lateral movement
- Forensic artifacts disappear over time
- Noise from commodity malware
Scoping Incidents
(Two diagram slides; only the labels are recoverable.) Sets of hosts tracked while scoping an incident: Phishing Campaigns, Compromised Hosts, Accessed Hosts, Hosts with Non-Targeted Malware. The second view shows the same sets with regions marked “?” whose extent is still unknown.
Hunting
Can’t wait for an alarm to go off before investigating: hunting is intelligence driven.
Cycle: Gather sources of evidence (hosts & network devices) -> Identify systems of interest, generate new leads -> gather again
INCIDENT RESPONSE AND PREPAREDNESS CYCLE
(Cycle diagram; services grouped under the question each phase answers.)
AM I AT RISK?
• Red Teaming and Penetration Testing
• ICS Security Assessment
AM I PREPARED?
• Security Program Assessment (SPA)
• Response Readiness Assessment (RRA)
• Other strategic services
AM I COMPROMISED?
• Compromise Assessment (CA)
I AM BREACHED!
• Incident Response (IR)
PREPARE FOR FUTURE EVENTS
• Cyber Defense Center Development (CDC)
• SOC/CIRT transformation
• Incident Response Retainer
• Education
• Deployment & Integration
COMPROMISE ASSESSMENT (AM I COMPROMISED?)
Evaluate your environment for the presence of targeted attacker activity using the same methods and technologies used during our incident investigations.
OUR APPROACH
• Deploy network and host based inspection technology for comprehensiveness, efficiency, and scale
• Apply intelligence from prior investigations and our own knowledge of attack group tools, tactics, and procedures to assess your environment
• Analyze evidence and anomalous activity to confirm malicious activity
• Summarize our findings and provide strategic recommendations based upon our observations during the engagement
VALUE
Understand the health of your network, whether or not you have been breached
DIFFERENTIATORS
• Same technology used in all Mandiant investigations for comprehensiveness, efficiency, and scale
• Leverage all of our Intel to search for signs of compromise across the environment
• Pivot into Incident Response mode if targeted attacker activity is identified
TECHNOLOGY
How MANDIANT finds Evil
Investigative Cycle
Indicators Of Compromise (IOC)
Host inspection (MIR)
Network analysis (NTAP)
Log analysis (TAP)
Malware reverse engineering
Threat Intelligence Analysis
Indicators Of Compromise (IOCs)
An Indicator of Compromise is a way of describing threat data such as:
- Malware
- Attacker methodology
- Evidence of compromise or activity
What is an indicator?
- MD5: changes frequently
- File names/directories: many reused
- Registry key values: many reused
- Services with wrong service DLLs: outliers
- IPs and domain names: change frequently
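The indicator types above differ in how durable they are, which is why a sweep combines them rather than relying on hashes alone. As an added example (not Mandiant's MIR or OpenIOC code), the Python below sweeps constructed host inventories for one IOC: MD5 as a volatile term, a reused file name as a durable one, and a fleet-wide check for services whose ServiceDll path is an outlier; host names, paths and hashes are constructed placeholders.

```python
# Added example, not Mandiant's MIR/OpenIOC code. Sweeps constructed host
# inventories for an IOC mixing a volatile term (MD5) with durable ones (a reused
# file name; services whose ServiceDll path is an outlier across the fleet).
from collections import Counter, defaultdict

# Constructed inventories (placeholder names, paths and hashes):
# service name -> ServiceDll path, and file path -> MD5.
HOSTS = {
    "ws01": {"svc": {"wuauserv": r"C:\Windows\System32\wuaueng.dll"},
             "files": {r"C:\Windows\Temp\log.tmp": "00000000000000000000000000000aaa"}},
    "ws02": {"svc": {"wuauserv": r"C:\Windows\System32\wuaueng.dll"}, "files": {}},
    "ws03": {"svc": {"wuauserv": r"C:\Windows\Help\wuaueng.dll"},  # unusual path
             "files": {r"C:\Windows\Help\svchost.exe": "00000000000000000000000000000bbb"}},
    "ws04": {"svc": {"wuauserv": r"C:\Windows\System32\wuaueng.dll"},
             "files": {r"C:\Users\Public\x.dat": "00000000000000000000000000000bbb"}},
}

# Constructed OpenIOC-style definition: a host matches if any term hits.
IOC = {"md5": {"00000000000000000000000000000bbb"},
       "file_names": {r"c:\windows\help\svchost.exe"}}

def service_dll_outliers(hosts, min_share=0.6):
    """The ServiceDll path most hosts use is the baseline; others are outliers."""
    paths = defaultdict(Counter)
    for rec in hosts.values():
        for svc, dll in rec["svc"].items():
            paths[svc][dll.lower()] += 1
    outliers = []
    for svc, counts in paths.items():
        baseline, n = counts.most_common(1)[0]
        if n / sum(counts.values()) < min_share:
            continue  # no clear majority, so nothing can be called an outlier
        for host, rec in hosts.items():
            dll = rec["svc"].get(svc)
            if dll and dll.lower() != baseline:
                outliers.append((host, svc, dll))
    return outliers

def sweep(hosts, ioc):
    """Return {host: [reasons]}: the 'find them all' pass across every host."""
    hits = defaultdict(list)
    for host, rec in hosts.items():
        for path, md5 in rec["files"].items():
            if md5 in ioc["md5"]:
                hits[host].append(f"md5 {md5} at {path}")
            if path.lower() in ioc["file_names"]:
                hits[host].append(f"reused file name {path}")
    for host, svc, dll in service_dll_outliers(hosts):
        hits[host].append(f"service {svc} loads outlier dll {dll}")
    return dict(hits)
```

Here ws03 is flagged by all three terms and ws04 only by the hash, which is the case an analyst still has to verify by pulling the artifact, since a hash match alone says nothing about how the file got there.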
Network : Attacker Monitoring & Forensics
Network visibility
- Internet egress points
- Decode traffic generated by known malware
- Reconstruct command-and-control activity
- Recover data theft
- Monitor all protocols (full packet capture)
Network : Architecture
(Diagram; only the labels are recoverable.)
Internet -> Perimeter Firewall -> Switch / Web Proxy -> Internal Network Firewall -> INTERNAL NETWORK (servers, workstations, laptops; VPN users)
Mandiant Network Sensor attached via network SPAN/TAP; reached by Mandiant over a Mandiant VPN tunnel
Endpoint : Hunting & Live Response
Host visibility
- Agent / controller model
- Deploy to all Windows systems in environment
- Identify historical evidence of compromise
- Search all hosts for IOCs
- Conduct deep-dive analysis on systems of interest
Endpoint : Architecture
(Diagram; only the labels are recoverable.)
MIR Controller #1 ... MIR Controller #n, reached by Mandiant (VPN); Mandiant Agent on servers, workstations, laptops and VPN users in the INTERNAL NETWORK; agent-to-controller communication over mutually authenticated SSL
Big data : Finding the Needle & Analysis
- Network, endpoint, application event visibility
- Detect with Mandiant Threat Intelligence
- Sources: Syslog, Windows Event Log, File, ODBC
- Communication Broker in customer environment
- Cloud-based; all technology managed
TOOLS OF THE TRADE
A TEAM of analysts enabled by MIR and NTAP
End-point Visibility – Sweeping the Environment
Find One. IOC matches are verified by analysts by extracting suspect artifacts from end-points and/or verifying network sensors for corroborating evidence.
Find One. Then Find Them All.
An initial lead converted to an IOC can yield quick results across the entire estate.
Regional Threats
Indicators of Compromise (IOCs) used during a Compromise Assessment are built from:
• Incident Response engagements
• Internal research
• Publicly available data
• Regional teams’ input
IOCs are updated continuously and can be made client specific.
Tracking Attackers With Network Sensors
Network sensors enable near real-time detection of threats, capture of identified malicious traffic, and tracking of attacker activity.
TO GAIN MORE INSIGHT WATCH THE WEBINAR HERE