Temet Nosce: Know Thy Endpoint Through and Through Thomas V. - - PowerPoint PPT Presentation



SLIDE 1

Temet Nosce: Know Thy Endpoint Through and Through

Thomas V. Fischer

SLIDE 2

I am …

§ Threat Researcher
§ 25+ years experience in InfoSec
§ Spent a number of years in IR team positions
§ Director @BSidesLondon
§ Contact

  • tfischer@digitalguardian.com
  • tvfischer+sans@gmail.com
  • @Fvt
  • keybase.io/fvt
SLIDE 3

A Journey into the end point

§ Being in the right place at the right time
§ Real time actionable intelligence
§ (re)Enabling the end point as an active defence mechanism
§ Detecting behaviour…

Public 3

SLIDE 4

Defense in un-depth

§ Strong focus on network solutions
§ Lost faith in the end point solutions
§ Afraid to go back

But that’s not where the important stuff is…

SLIDE 5

Walls, Walls, Walls…

SLIDE 6

Are we in the wrong place?

§ Reliance on next-gen network detection
§ Endpoint solutions tend towards post-incident use
§ Something suspicious in logs :- activate endpoint resolution
§ Forensics ~ what changed != necessarily what happened

SLIDE 7

World of information…

§ Build an Arsenal & Key Tools
§ Procexp; procmon; tcpview

SLIDE 8

Deep dive…

SLIDE 9

Application DNA

§ Build information events
§ Track similar events together
§ Use the right API hooks where appropriate
§ Associate a sequence of events into one action

  • Sequence of file read/file writes :- file edit
  • Track renames, or read/writes :- file move
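As an added example (not the speaker's code), the event-to-action association described on this slide: a chronological stream of per-process file events is collapsed into edit, create and move actions. The `Event` fields and the sample stream are constructed for the example.

```python
# Added example, not from the slides: collapse a raw per-process file-event
# stream into the higher-level actions the "Application DNA" slide describes
# (read then write on the same file -> edit; rename -> move).  Event fields
# and the sample stream in the test are constructed for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    pid: int             # process that generated the event
    op: str              # "read", "write" or "rename"
    path: str            # file acted on
    new_path: str = ""   # destination path, rename only


def summarise_actions(events):
    """Map a chronological event list to (action, pid, path[, new_path]) tuples.

    A write preceded by a read of the same file by the same process is an
    "edit"; a write with no prior read is a "create"; a rename is a "move".
    Consecutive identical actions (a burst of writes during one save) are
    reported once, which is the "track similar events together" step.
    """
    actions = []
    read_before = set()                       # (pid, path) pairs already read
    for ev in events:
        key = (ev.pid, ev.path)
        if ev.op == "read":
            read_before.add(key)
            continue
        if ev.op == "write":
            action = ("edit" if key in read_before else "create", ev.pid, ev.path)
        elif ev.op == "rename":
            action = ("move", ev.pid, ev.path, ev.new_path)
        else:
            continue                          # unknown op: ignore
        if not actions or actions[-1] != action:
            actions.append(action)
    return actions
```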

SLIDE 10

Single Footprint Intelligence

§ Sysinternals tools on steroids
§ High level of visibility:

  • File ops
  • Network ops
  • Registry ops
  • DLL activity
  • Process data

SLIDE 11

Real Time Forensics Evidence

§ Detect compromise events
§ Log the footprints

SLIDE 12

Data visualised…

§ Do you really know what that Chinese software is doing?
§ Dridex in realtime
§ Those flash things

SLIDE 13

It’s Doing This so Probably Suspicious

§ Enable behavioural analysis
§ phishing :- (a+b),(c,(d|e)),!(x,y,z)
§ Response? Kill any point in the chain

Diagram: alert chain running Initial Entry Vector → Entry Vector Attack (EVA) Alert → Subsequent Attack Stages → Indicator of Compromise Alert. Risk legend: Likely benign; Almost certainly malicious; Definitely malicious; Risk of data exfiltration.

Email – Malicious Office File, base rules:
  • ATP522-Email attachment saved via Outlook
  • ATP521-Email attachment saved via Outlook (tagged)
  • ATP505-User double-clicks on Outlook attachment
  • ATP506-Office app opens attachment via Outlook
  • ATP8003-Office opens email attachment
  • ATP523-Office opens saved email attachment
  • ATP307-Office spawns CMD or Powershell via WSH
  • ATP103-Office macro calling WSH
  • ATP507-Office macro calling WMI
  • ATP306-WMI spawns CMD or Powershell

Email – Malicious Office File, correlated alerts:
  • ATP906-Suspected Office macro phishing
  • ATP9005-Office executes code
  • ATP1010-Detect both RTLO and LTRO in file

Email – Malicious PDF, base rules:
  • ATP505-User double-clicks on Outlook attachment
  • ATP101-Acrobat opens PDF attachment via Outlook
  • ATP102-Acrobat process tree saving EXE
  • ATP304-CMD running batched commands
  • ATP405-Process launched from CMD or Powershell
  • ATP522-Email attachment saved via Outlook
  • ATP521-Email attachment saved via Outlook (tagged)
  • ATPxxxx-Acrobat opens saved email attachment
  • ATPxxxx-Acrobat opens email attachment
  • ATPxxxx-Acrobat executes code

Email – Malicious PDF, correlated alerts:
  • ATP904-Suspected PDF phishing attack
  • ATP1011-Detect multiple spaces before executable
  • ATP1012-Detect RTLO in File

Base Rules – Exploit/Installation:
  • ATP1014-Create c:\program.exe
  • ATP9201-IOC Persistence Detected
  • ATP3101-Execute c:\program.exe file
  • ATP3212-SVCHOST not child process of services.exe
  • ATP1204-Suspicious process modifying local hosts file
  • ATP3103-Application with obfuscated extension launch
  • ATP9102-GEN.IOC Process
  • ATP9101-GEN.IOC File Manipulation

Base Rules – Recon:
  • ATP2101-SMB scanning over short period
  • ATP9xxx-Indicator of Infection Detected
  • ATP9104-IOC.NET Enumeration
  • ATP2xxx-Port scanning detected
  • ATP9202-IOC Network Activity Detected

Base Rules – C&C:
  • ATP2xxx-NET.OUT Malicious component list
  • ATP9103-GEN.IOC Outbound Network
  • ATP2xxx-Suspicious child process creating network op
  • ATP2xxx-High risk application netop after suspicious event
  • ATP9xxx-Correlated IOC Alert

The correlated IOC alert triggers from an IOC alert that then looks to see whether an EVA alert also triggered, and if so, alerts itself: if an IOC alert fired, check whether an EVA fired; if yes, fire the correlated IOC alert.

SLIDE 14

Behaviour Tree

Diagram nodes:
  • Outlook creates temp file
  • File write new location
  • Other process file open
  • Load of macro subsystem
  • Tag file
  • Open of tagged file
  • Write file
  • Network connection
  • Execute command shell
  • Execute binary
  • Move file to user directory

Stage labels: Attachment Opened; Active Attachment; Suspicious activity.
Risk labels: Risk - unknown; Risk - elevated.
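As an added example (not the speaker's code), a minimal per-host correlator that follows the chain of slides 13 and 14: base rules fire on single events, the file Outlook writes is tagged, the entry-vector alert fires once the phishing sequence completes, and an IOC-class alert that follows an EVA on the same host is promoted to a correlated IOC alert with the host's risk raised from unknown to elevated. The rule ids are the slide's, but the event schema, process names and predicates are this example's simplifications, and the phishing rule is reduced to an ordered three-rule sequence rather than the slide's (a+b),(c,(d|e)),!(x,y,z) form.

```python
# Added example, not from the talk: a minimal per-host correlator following
# slides 13 and 14.  Base rules fire on single events; the entry-vector
# (EVA) alert fires once the phishing sequence has completed; an IOC-class
# alert after an EVA on the same host is promoted to a correlated IOC alert
# and the host's risk moves from "unknown" to "elevated".  Events, process
# names and rule predicates are constructed simplifications.
from collections import defaultdict

OFFICE = {"winword.exe", "excel.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# Rule ids are the slide's; the predicates are this example's simplifications.
BASE_RULES = [
    ("ATP521", lambda e: e["type"] == "file_write" and e["proc"] == "outlook.exe"),
    ("ATP523", lambda e: e["type"] == "file_open" and e["proc"] in OFFICE and e["tagged"]),
    ("ATP307", lambda e: e["type"] == "proc_spawn" and e["parent"] in OFFICE
                         and e["proc"] == "wscript.exe" and e["child"] in SHELLS),
    ("ATP9202", lambda e: e["type"] == "net_connect" and e["proc"] in SHELLS),
]
EVA_SEQUENCE = ("ATP521", "ATP523", "ATP307")   # phishing chain, in order
IOC_RULES = {"ATP9202"}


def is_subsequence(pattern, seq):
    """True if every id in pattern occurs in seq, in that order."""
    it = iter(seq)
    return all(any(p == s for s in it) for p in pattern)


def correlate(events):
    """Return (alerts, risk_by_host) for one chronological event stream."""
    alerts, tagged, risk = [], set(), {}   # tagged: files Outlook wrote ("Tag file")
    fired, eva = defaultdict(list), set()
    for raw in events:
        e = {"parent": "", "child": "", "path": "", **raw}
        e["tagged"] = e["path"] in tagged
        if e["type"] == "file_write" and e["proc"] == "outlook.exe":
            tagged.add(e["path"])
        host = e["host"]
        for rid, pred in BASE_RULES:
            if not pred(e):
                continue
            alerts.append((rid, host))
            fired[host].append(rid)
            risk.setdefault(host, "unknown")
            if rid in IOC_RULES and host in eva:   # IOC after EVA -> correlated
                alerts.append(("ATP9xxx-Correlated IOC Alert", host))
                risk[host] = "elevated"
        if host not in eva and is_subsequence(EVA_SEQUENCE, fired[host]):
            eva.add(host)
            alerts.append(("ATP906", host))        # Suspected Office macro phishing (EVA)
    return alerts, risk
```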

SLIDE 15

Keeping the Story Alive

§ Increase Visibility:

  • More DLL events
  • Memory events

§ Capture More…
§ Automate anomaly detection

SLIDE 16

Let’s run a phishing attachment

SLIDE 17

Q&A

  • tfischer@digitalguardian.com
  • tvfischer+sec@gmail.com
  • @Fvt
  • keybase.io/fvt

Thank you…