Activated Charcoal Making Sense of Endpoint Data Company - - PowerPoint PPT Presentation

▶

Jul 11, 2023 203 likes •833 views

Powered by Activated Charcoal Making Sense of Endpoint Data Company Confidential Greg Foss Sarah Miller Head of Global Security Operations Threat Intelligence Analyst LogRhythm Carbon Black The Endpoint is the new Perimeter The easiest

SLIDE 1

Company Confidential

Powered by

Activated Charcoal

Making Sense of Endpoint Data

SLIDE 2

Greg Foss

Head of Global Security Operations LogRhythm

Sarah Miller

Threat Intelligence Analyst Carbon Black

SLIDE 3

The Endpoint is the new Perimeter

SLIDE 4

Company Confidential

The easiest path into any network…

SLIDE 5

Company Confidential

Social Engineering

Nothing like a little pretext to get people to click

n your links…

SLIDE 6

Company Confidential

Phishing
91% of ‘advanced’ attacks began with a phishing email
r similar social engineering tactics.
http://www.infosecurity-magazine.com/view/29562/91-of-

apt-attacks-start-with-a-spearphishing-email/

2014 Metrics
Average cost per breach => $3.5 million
15% Higher than the previous year
http://www.ponemon.org/blog/ponemon-institute-

releases-2014-cost-of-data-breach-global-analysis

SLIDE 7

Company Confidential

Drive By Downloads, Malvertizing, and Watering Hole Attacks

Image Source: https://blog.kaspersky.com/what-is-malvertising/5928/

SLIDE 8

Company Confidential

SLIDE 9

Training is Critical to Success

SLIDE 10

Company Confidential

Key Focus Areas:

Employees

Image Source: http://www.cloudpro.co.uk/hr/5803/gov-offers-hr-workers-free-cyber-security-training

SLIDE 11

Company Confidential

End User Tips - Phishing

SLIDE 12

Company Confidential

All You Need is +

SLIDE 13

Company Confidential

Shortened URL Tracking

SLIDE 14

Company Confidential

Feedback Loop

SLIDE 15

Testing and Validation

SLIDE 16

Company Confidential

Rogue Wi-Fi Network – Threat Simulation

SLIDE 17

Company Confidential

USB Drop – Training Exercise : Case Study

SLIDE 18

Company Confidential

Building a Believable Campaign

Use realistic files with somewhat realistic data Staged approach to track file access and exploitation

SLIDE 19

Company Confidential

“Nobody’s going to an an exe from some random USB” - Greg

Yep… They ran it...

SLIDE 20

Company Confidential

Now we have our foothold…

Fortunately they didn’t run this as an admin

SLIDE 21

Company Confidential

SLIDE 22

Company Confidential

Key Focus Areas:

Employees
IT Staff
Roles and Responsibilities
Incident Response Duties
Configuration Monitoring
Malware Removal
Security Infrastructure

SLIDE 23

Company Confidential

Key Focus Areas:

Employees
IT Staff
Security Staff
Table Top and Red vs Blue Exercises
Threat Simulation Leads to Process Improvement
Announced vs Unannounced Simulations or Penetration Testing

SLIDE 24

Company Confidential

Purple Team FTW!

Employees
IT Staff
Security Staff
Table Top and Red vs Blue Exercises
Threat Simulation Leads to Process Improvement
Announced vs Unannounced Simulations or Penetration Testing

SLIDE 25

Company Confidential

Key Focus Areas:

Employees
IT Staff
Security Staff
Leadership

SLIDE 26

Company Confidential

Key Focus Areas:

Employees
IT Staff
Security Staff
Leadership
Processes and Procedures

SLIDE 27

Continuous Monitoring and Detection

SLIDE 28

Company Confidential

Automating OSINT and Response

Domain Tools Passive Total VirusTotal Cisco AMP ThreatGRID Netflow / IDS Firewalls Proxy / DNS Endpoint

SIEM

API Integration SecOps Infrastructure

SLIDE 29

Company Confidential

SLIDE 30

Company Confidential

Malware Beaconing

SLIDE 31

Company Confidential

SLIDE 32

Company Confidential

Malware Beaconing

SLIDE 33

Company Confidential

Correlate Network / Log Activity with Endpoint Data

SLIDE 34

Company Confidential

Macro Phishing Attacks

Common
Bypasses Most AV
Heavily Obfuscated
Newer attacks

targeting Office 365

SLIDE 35

Company Confidential

Macro Attack Detection

SLIDE 36

Company Confidential

Full Command Line Details

SLIDE 37

Company Confidential

Full Command Line Details

SLIDE 38

Company Confidential

Be Careful – Don’t Jump To Conclusions…

SLIDE 39

Centralized Logging and Event Management

SLIDE 40

Company Confidential

SLIDE 41

Company Confidential

Threat Feed Configuration

SLIDE 42

Company Confidential

Full Event Alerting

SLIDE 43

Company Confidential

Syslog Only

SLIDE 44

Company Confidential

Tuning Feeds

SLIDE 45

Company Confidential

Watchlist Configuration

SLIDE 46

Company Confidential

Carbon Black Event Forwarder

LogRhythm => Use LEEF Format https://github.com/carbonblack/cb-event-forwarder

SLIDE 47

Dashboards and Investigations

SLIDE 48

Company Confidential

SLIDE 49

Company Confidential

SLIDE 50

Company Confidential

SLIDE 51

Company Confidential

SLIDE 52

Company Confidential

SLIDE 53

Company Confidential

SLIDE 54

Company Confidential

Long Tail Analysis

Strange activity can bubble to the surface when viewing the whole picture

SLIDE 55

Company Confidential

SLIDE 56

Company Confidential

SLIDE 57

Taking it a Step Further…

SLIDE 58

Company Confidential

Additional Integration

Alarming Trigger on Specific Watch List Hits

SLIDE 59

Company Confidential

Additional Integration

Alarming Admin Tracking

SLIDE 60

Company Confidential

Additional Integration

Alarming Admin Tracking Reporting

SLIDE 61

Company Confidential

Additional Integration

Alarming Admin Tracking Reporting Automation Perform Actions Based on Alarms Observed

SLIDE 62

Company Confidential

Powered by

Activated Charcoal

Making Sense of Endpoint Data

Greg Foss

Head of Global Security Operations LogRhythm

Sarah Miller

Threat Intelligence Analyst Carbon Black

The Endpoint is the new Perimeter

The easiest path into any network…

Social Engineering

Nothing like a little pretext to get people to click

apt-attacks-start-with-a-spearphishing-email/

releases-2014-cost-of-data-breach-global-analysis

Drive By Downloads, Malvertizing, and Watering Hole Attacks

Training is Critical to Success

Key Focus Areas:

End User Tips - Phishing

All You Need is +

Shortened URL Tracking

Feedback Loop

Testing and Validation

Rogue Wi-Fi Network – Threat Simulation

USB Drop – Training Exercise : Case Study

Building a Believable Campaign

Use realistic files with somewhat realistic data Staged approach to track file access and exploitation

“Nobody’s going to an an exe from some random USB” - Greg

Yep… They ran it...

Now we have our foothold…

Fortunately they didn’t run this as an admin

Key Focus Areas:

Key Focus Areas:

Purple Team FTW!

Key Focus Areas:

Key Focus Areas:

Continuous Monitoring and Detection

Automating OSINT and Response

Domain Tools Passive Total VirusTotal Cisco AMP ThreatGRID Netflow / IDS Firewalls Proxy / DNS Endpoint

SIEM

API Integration SecOps Infrastructure

Malware Beaconing

Malware Beaconing

Correlate Network / Log Activity with Endpoint Data

Macro Phishing Attacks

targeting Office 365

Macro Attack Detection

Full Command Line Details

Full Command Line Details

Be Careful – Don’t Jump To Conclusions…

Centralized Logging and Event Management

Threat Feed Configuration

Full Event Alerting

Syslog Only

Tuning Feeds

Watchlist Configuration

Carbon Black Event Forwarder

LogRhythm => Use LEEF Format https://github.com/carbonblack/cb-event-forwarder

Dashboards and Investigations

Long Tail Analysis

Strange activity can bubble to the surface when viewing the whole picture

Taking it a Step Further…

Additional Integration

Alarming Trigger on Specific Watch List Hits

Additional Integration

Alarming Admin Tracking

Additional Integration

Alarming Admin Tracking Reporting

Additional Integration

Alarming Admin Tracking Reporting Automation Perform Actions Based on Alarms Observed

Thank You!

QUESTIONS?

Greg Foss Greg . Foss [at] LogRhythm . com @heinzarelli Sarah Miller SMiller [at] CarbonBlack . com @beyazfar3