Avoiding Sophisticated Targeted Breach Critical Guidance Healthcare
- 1. © 2017 Cybereason Inc. All rights reserved.
Avoiding a Sophisticated, Targeted Breach
Critical Guidance for Healthcare Organizations
- 2.
Attackers Are Becoming More and More Successful,
Little Security Disruption
[Chart: attacker vs. defender success rate over time]
- 3.
Attacker-Defender paradigm in question
[Chart annotation: 100% success]
• Advanced adversaries succeed almost 100% of the time
• BUT, attackers have some inherent vulnerabilities too - an
attack is composed of dozens or even hundreds of steps
• With the right procedures and toolset in place, a defender can
turn any (very likely) mistake made by an attacker into a
complete exposure of the malicious operation
- 4.
Black market trafficking
of compromised enterprise
computing resources
- 5.
A new incident is detected
• Is it Targeted or Untargeted?
• Is it relevant?
• A completely untargeted threat can turn into a targeted
operation within hours
- 6.
Business Rationale
Monetization Method      Machine Lifetime Value
Adware / Click-fraud     $18 – $36
Bulk Sale                $10 – $20
Unit Sale                $10 – $1000
- 7.
Black market machine trading – Machine Valuation
Basic – Approx. +50% on “commodity price” (~$5-$10)
• Admin privs
• Public IP
• Network bandwidth
Nice – Between +50%-1,000%
• Installed software / Accessed websites
Jackpot – Between +1,000% - 10,000%
• Enterprise affiliation
- 11.
Black market machine trading – US-based machines
- 12.
Black market machine trading – Some statistics
Percentage of compromised machines for sale per state – Top 5:
• 1st prize goes to: California, 21%
• 2nd prize goes to: New Jersey, 11%
• 3rd prize goes to: New York, 6%
• 4th prize goes to: Texas, 6%
• 5th prize goes to: Iowa, 6% (what?!...)
- 13.
Examining a Threat
Escalation Incident
Case Study
- 14.
Black market machine trading – Case study
Incident details, as seen in several enterprises:
• Starts with an untargeted, known file-less click-fraud tool, affecting several machines in the enterprise network
• Detection was based on malicious use of PowerShell and malware communication with known malicious C2 domains / IPs
• De-prioritized by the SOC based on low damage potential
- 15.
Black market machine trading – Case study
Incident details, as seen in several enterprises:
• SOC continues to monitor the compromised endpoints (automated), and blocks access to the known C2
• 5 days later, 1 machine stops attempting to communicate with the known C2 and is detected performing DGA and connecting to a previously unknown C2
• C2 communication now occurs only when “outside” the corporate network (no C2 when the local IP is in the enterprise subnet, only when on 192.168.* or 10.0.*)
- 16.
Black market machine trading – Case study
Incident details, as seen in several enterprises:
• Over the next 24 hours the C2 communication profile changes to include downloading and uploading significantly more data, and the click-fraud tool escalates privileges to Local System
• Before (typical click-fraud):
- 17.
Black market machine trading – Case study
Incident details, as seen in several enterprises:
• Over the next 24 hours the C2 communication profile changes to include downloading and uploading significantly more data
• After (could indicate a heavier protocol transmitted over port 8080 / download of additional modules / exfiltration of broader system information):
- 18.
Black market machine trading – Case study
Incident details, as seen in several enterprises:
• Attack tool injects code and migrates into msdtc.exe process
• Below, msdtc.exe establishing C2 connection with previously DGA-established C2:
- 19.
Behavioral Indicators
of a transaction
- 20.
TTPs of Seller-Marketplace-Buyer Relationship
C2
• Continuous / reliable / auto-verifiable command and control channel – RDP, SSH
• Required to enable the transaction
• Can use non-standard ports, reverse connections, encapsulation in other protocols (e.g. HTTP)
• Exact configuration & persistence method depend on the seller
• Tasking-based C2 is very rare in marketplaces since it doesn’t naturally fit the above 3 criteria
• Once the buyer goes in, a different mechanism may be put in place
- 21.
TTPs of Seller-Marketplace-Buyer Relationship
Priv.Esc.
• Priv.Esc. – Admin access is worth more than unprivileged user access.
• Process / installed software enumeration and browser history enumeration. Relevant software and browsing history can up the price of a compromised machine by 100x
- 22.
TTPs Detection – How to break the system?
Change in C2
• From known malicious IP / domain to unknown IP / domain
• From straight IP / domain to DGA
• Question connections to the RDP service – especially on already compromised machines
• Long-lasting connections
• Change in RDP configuration
• Question unfamiliar modules loaded as part of the remote assistance service
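One way to turn the C2 indicators on this slide, together with the DGA and “only when outside the corporate network” behaviour from the slide 15 case study, into triage logic. This is an added example, not Cybereason’s code: the blocklist, the 30-day baseline, the corporate address range and the connection records are all constructed, and the thresholds in `looks_generated` are assumptions a SOC would tune against its own traffic.

```python
"""Triage helpers for the marketplace hand-off indicators on these slides.

Added example, not Cybereason's code. Blocklist, baseline, corporate range
and telemetry are constructed for illustration.
"""
import ipaddress
import math
from collections import defaultdict

# Constructed blocklist: the click-fraud C2 the SOC already knew about.
KNOWN_C2 = {"ads-stat-tracker.example", "203.0.113.45"}
# Constructed 30-day baseline of destinations the fleet normally talks to.
BASELINE = {"www.example.com"}
# Constructed corporate address range; any other source counts as "outside".
CORP_NET = ipaddress.ip_network("172.16.0.0/12")

# Constructed connection records:
# (host, timestamp, source_ip, destination, dst_port, duration_seconds)
CONNECTIONS = [
    ("WS-0117", "2017-03-01T09:00:00", "172.16.5.17", "ads-stat-tracker.example", 80, 3),
    ("WS-0117", "2017-03-02T09:00:00", "172.16.5.17", "ads-stat-tracker.example", 80, 3),
    ("WS-0117", "2017-03-06T09:00:00", "192.168.1.23", "xk7q2pwz9vtb.example", 8080, 5),
    ("WS-0117", "2017-03-06T09:03:00", "192.168.1.23", "q9zl3mvw8rxc.example", 8080, 5),
    ("WS-0117", "2017-03-06T09:06:00", "192.168.1.23", "cdn4ut7hp.example", 8080, 1800),
    ("WS-0117", "2017-03-07T10:00:00", "192.168.1.23", "198.51.100.20", 3389, 7200),
    ("WS-0042", "2017-03-01T09:00:00", "172.16.5.42", "ads-stat-tracker.example", 80, 3),
    ("WS-0042", "2017-03-07T09:00:00", "172.16.5.42", "ads-stat-tracker.example", 80, 3),
    ("WS-0042", "2017-03-07T09:10:00", "172.16.5.42", "www.example.com", 443, 4),
]


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(destination):
    """Crude DGA heuristic: a long, high-entropy, digit-laden domain label.

    Raw IPs are skipped. The thresholds are assumed tuning knobs.
    """
    try:
        ipaddress.ip_address(destination)
        return False
    except ValueError:
        pass
    labels = destination.lower().split(".")[:-1]  # drop the TLD
    if not labels:
        return False
    label = max(labels, key=len)
    digits = sum(ch.isdigit() for ch in label)
    return len(label) >= 10 and digits >= 2 and shannon_entropy(label) >= 3.3


def c2_shift(connections):
    """Hosts that talked to a known C2 and later reached a never-baselined destination."""
    touched_known, flagged = set(), set()
    for host, _ts, _src, dest, _port, _dur in sorted(connections, key=lambda r: r[1]):
        if dest in KNOWN_C2:
            touched_known.add(host)
        elif host in touched_known and dest not in BASELINE:
            flagged.add((host, dest))
    return sorted(flagged)


def offnet_only(connections):
    """Destinations a host contacts only from outside the corporate range."""
    seen = defaultdict(set)
    for host, _ts, src, dest, _port, _dur in connections:
        if dest in KNOWN_C2 or dest in BASELINE:
            continue
        seen[(host, dest)].add(ipaddress.ip_address(src) in CORP_NET)
    return sorted(key for key, inside in seen.items() if inside == {False})


def long_rdp_sessions(connections, min_seconds=3600):
    """RDP sessions that stay up long enough to look like an interactive hand-off."""
    return [(host, dest, dur) for host, _ts, _src, dest, port, dur in connections
            if port == 3389 and dur >= min_seconds]


def triage(connections):
    """Run every check and return the findings keyed by indicator."""
    return {
        "c2_shift": c2_shift(connections),
        "dga_like": sorted({r[3] for r in connections if looks_generated(r[3])}),
        "offnet_only": offnet_only(connections),
        "long_rdp": long_rdp_sessions(connections),
    }


if __name__ == "__main__":
    for indicator, hits in triage(CONNECTIONS).items():
        print(f"{indicator}: {hits}")
```

Run against the constructed records, only WS-0117 trips the checks: its destinations move from the blocklisted domain to two DGA-looking names and a raw IP, all contacted from a 192.168.* address, and the final 3389 connection stays up for two hours. WS-0042, which only ever beaconed to the known C2 and a baselined site, produces no finding, which is the point of the baseline: the “unknown” in “known to unknown C2” has to be measured against what the fleet normally does.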
- 23.
TTPs Detection – How to break the system?
Change in privileges
• Monitor for processes performing priv.esc. – especially on already compromised machines
• Process / installed software enumeration and browser history enumeration
• Stop of previous attack? In most cases – not a good indicator… (no code of conduct for this on most marketplaces)
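The privilege and enumeration indicators on this slide, expressed as checks over process telemetry. This is an added example, not Cybereason’s code: the events, the hosts and the “already compromised” list are constructed, and the action categories (`process_enum`, `software_enum`, `browser_history_read`) are assumed stand-ins for whatever behavioural labels an EDR assigns.

```python
"""Privilege-change and enumeration checks for hosts already under investigation.

Added example, not Cybereason's code. Events, hosts and the compromised list
are constructed; the action categories are assumed EDR labels.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INTEGRITY_RANK = {"low": 0, "medium": 1, "high": 2, "system": 3}
ENUMERATION = {"process_enum", "software_enum", "browser_history_read"}

# Hosts the SOC previously tagged (and de-prioritised) for the click-fraud tool.
COMPROMISED = {"WS-0117", "WS-0042"}

# Constructed process telemetry: (host, timestamp, pid, image, integrity, action)
EVENTS = [
    ("WS-0117", "2017-03-06T09:00:00", 4120, "powershell.exe", "medium", "start"),
    ("WS-0117", "2017-03-06T09:04:00", 4120, "powershell.exe", "system", "token_change"),
    ("WS-0117", "2017-03-06T09:05:00", 4120, "powershell.exe", "system", "process_enum"),
    ("WS-0117", "2017-03-06T09:05:30", 4120, "powershell.exe", "system", "software_enum"),
    ("WS-0117", "2017-03-06T09:06:00", 4120, "powershell.exe", "system", "browser_history_read"),
    ("WS-0300", "2017-03-06T11:00:00", 2210, "msiexec.exe", "medium", "start"),
    ("WS-0300", "2017-03-06T11:00:05", 2210, "msiexec.exe", "high", "token_change"),
    ("WS-0300", "2017-03-06T11:00:10", 2210, "msiexec.exe", "high", "software_enum"),
    ("WS-0042", "2017-03-06T12:00:00", 3301, "chrome.exe", "medium", "browser_history_read"),
]


def _priority(host):
    """The slide's emphasis: the same behaviour weighs more on a known-compromised host."""
    return "high" if host in COMPROMISED else "low"


def escalations(events):
    """Processes whose integrity level rises between two observations."""
    last = {}
    findings = []
    for host, _ts, pid, image, integrity, _action in sorted(events, key=lambda e: e[1]):
        key = (host, pid)
        rank = INTEGRITY_RANK[integrity]
        if key in last and rank > last[key][1]:
            findings.append({"host": host, "image": image,
                             "from": last[key][0], "to": integrity,
                             "priority": _priority(host)})
        last[key] = (integrity, rank)
    return findings


def enumeration_bursts(events, window=timedelta(minutes=5), min_kinds=2):
    """Processes performing several kinds of enumeration within a short window.

    A single kind (a browser reading its own history, an installer listing
    software) is normal; several kinds back to back match the valuation step.
    """
    by_proc = defaultdict(list)
    for host, ts, pid, image, _integrity, action in events:
        if action in ENUMERATION:
            by_proc[(host, pid, image)].append((datetime.fromisoformat(ts), action))
    findings = []
    for (host, _pid, image), hits in by_proc.items():
        hits.sort()
        for i, (start, _action) in enumerate(hits):
            kinds = {a for t, a in hits[i:] if t - start <= window}
            if len(kinds) >= min_kinds:
                findings.append({"host": host, "image": image,
                                 "kinds": sorted(kinds), "priority": _priority(host)})
                break
    return findings


def prioritised(events):
    """All findings, those on already-compromised hosts first."""
    findings = escalations(events) + enumeration_bursts(events)
    return sorted(findings, key=lambda f: f["priority"] != "high")


if __name__ == "__main__":
    for finding in prioritised(EVENTS):
        print(finding)
```

On the constructed events the PowerShell process on WS-0117 produces two high-priority findings (medium to system, then three enumeration kinds inside one minute), the installer on WS-0300 produces one low-priority escalation with no burst, and the browser on WS-0042 produces nothing. Note that nothing here consults whether the original click-fraud beacon has stopped; per the slide, that silence is not a closure signal.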
- 24.
House of Cards
Successful defense doesn’t mean
stopping every stage of the attack…
…find one component of the hack and, over
time, the entire operation can collapse.
- 25.
Returning Power to the Defenders
Be Proactive! Establish visibility! Hunt for cyber kill chain behaviors!
[Chart: attacker vs. defender success rate over time]