If an attacker had a foothold in your network today, would you know it?
If they made it past your real-time defense measures (EDR, EPP, AV, UEBA, firewalls, etc.) or an analyst misinterpreted a critical alert, chances are they've entrenched themselves for the long haul. Skilled and organized attackers know long-term persistence in your network is the most critical component to meeting their goal of stealing information, causing damage, or pivoting attacks on other organizations.
Threat hunting is the proactive practice of finding attackers in your environment before they can cause damage (or at least stopping the bleeding from continued exposure). Unfortunately, effective threat hunting remains out of reach for most organizations because they lack both the security infrastructure and the qualified people needed to run advanced endpoint security solutions.
One solution to this problem is to hire a third party to conduct a periodic assessment geared toward discovery of unauthorized access and compromised systems. This is called a "compromise assessment" and just recently compromise assessments have become one of the most requested services from top security service providers.
Customers don’t just want to know whether they can be hacked (a good penetration tester will generally conclude “yes”); they want to know whether they ARE hacked, right now, and if so, which endpoints, hosts, and servers on their network are compromised.
In this presentation, which was originally prepared for Black Hat 2018, Chris Gerritz outlines the growing practice of compromise assessments and the best practices being utilized by some of the largest and most sophisticated managed security service providers (MSSPs) with this offering.
What approaches are most effective?
What data is being utilized?
What are some of the top challenges?
To request a free 100-node compromise assessment or to learn more about Infocyte HUNT — our comprehensive threat hunting platform — and start a free trial, please visit https://try.infocyte.com.
2. 2018 – Black Hat – Rise of the Compromise Assessment
SPEAKER BACKGROUND
Chris Gerritz
Chief Product Officer, Infocyte, Inc.
Twitter: @gerritzc
Github: @singlethreaded
Prior: Chief, DCC Operations, AFCERT (Retired)
Incident Response Background
• Helped establish and led USAF’s Enterprise Hunt Team.
• Co-founded Infocyte, developer of threat hunt software designed to enable compromise assessments.
Diagram labels: Vulnerability Assessment, Penetration Test
Compromise Assessment
A proactive evaluation of systems to detect threats that have evaded existing security controls
• Effective at detecting the presence of malware, remote access tools, credential misuse, and other indications of unauthorized access
• Fast – assess a typical enterprise network in hours/days
• Affordable – a typical organization should be able to conduct it proactively and regularly (e.g. annually)
• Independent – the assessment does not rely on detection solutions already in the environment
APPLICATIONS
• Validate Network Confidentiality
• Mergers & Acquisitions (M&A)
• Cyber Insurance
• Vendor Risk Management
• Periodic Threat Hunting
Use MITRE’s ATT&CK Model
Used to characterize and describe post-compromise adversary behavior. It details the post-compromise tactics, techniques, and procedures (TTPs) persistent threats use to execute their objectives while operating inside a network.
Compromise Assessment Steps
1. Planning – Review network architecture, needs, and other available information provided by the network owner
2. Preparation – Network owner provisions access and installs/preps required tools
3. Discovery – Active enumeration and mapping of the network
4. Collection – Active endpoint scans and log collection
5. Analysis – Analysis of collected data (steps 4 & 5 can be iterative)
6. Reporting – Characterize findings and give recommendations
Collection: Endpoint Methods
• Real-Time Monitoring
– Log endpoint activity to a central server (e.g. Sysmon+ELK or EDR)
• On-Demand Collection (one-time or periodic)
– Collect artifacts and information related to system state (forensic triage)
– e.g. process lists, autoruns, shimcache entries, forensic artifacts, etc.
• Query – ask specific questions or look for a specific IOC
– Real-time: reach down to the endpoint directly (e.g. osquery)
– Non-real-time: search pre-collected logs or data (e.g. EDR)
Collection
Independent assessors should ideally:
• Pull their own primary data, not rely solely on existing data/logs in the environment (to maintain efficacy across clients)
• Minimize permanent changes to the environment (e.g. agentless collection)
• Concentrate primarily on endpoints/servers
– The majority of post-compromise behaviors & artifacts are found on hosts/devices
Collection Recommendations for CAs
• Utilize on-demand / forensic triage type collection to cast the broadest possible net
– Does not require installed agents (no change management requirement)
• Query/IOC searches are not appropriate for a comprehensive, proactive assessment
– IOCs are overly specific and inefficient; they can only look for specific actors, TTPs, or malware
• Log analysis hunt techniques have significant challenges for fast, generally applicable assessments
– Difficult to normalize all the various log formats you may encounter at a client site
– Logs often don’t go back far enough or have limited coverage
– Search queries can be expensive, which pushes you toward searches that are overly specific
– Requires very experienced security personnel versed in both attacker TTPs and the network’s unique logging capabilities to do accurate behavior matching
• X type of attack produces Y behavior, which will be expressed in these logs as Z
• Deploying new monitoring tools has limited effect
– Looks forward at new activity, not backwards
Hunt Methodologies
• Historical Search (Source: Alerts)
– Query (IoC) / Event Match: search for indicators missed via historical search of logs and/or alert data
• State Analysis (Source: Forensics)
– Forensic Triage / Artifacts and/or Malware: deep host inspection to identify what is on each system
• Behavior Analysis (Source: Logs)
– Query (TTP) / Pattern Match: search for patterns of behavior based on known attacker tactics (TTPs)
– Baseline / Deviation from Normal: find anomalies relative to baselined profiles and user behavior
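The following is an added example (not from the presentation or Infocyte) that runs the three log-driven methodologies in the table, IoC query, TTP pattern match, and baseline deviation, over a handful of constructed Sysmon-style process-creation events. Hosts, hashes, IPs, and the baseline threshold are hypothetical; the baseline is built from the same four events only to keep the example self-contained, whereas in practice it would come from a known-clean period or reference hosts.

```python
"""IoC query vs. TTP pattern match vs. baseline deviation over constructed events."""
from collections import defaultdict

# Constructed Sysmon-style process-creation events; hosts, hashes and IPs are hypothetical.
EVENTS = [
    {"host": "ws01", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\svchost.exe", "sha256": "h1",
     "cmdline": "svchost.exe -k netsvcs", "dst_ip": "10.0.0.5"},
    {"host": "ws01", "parent": "WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "sha256": "h2",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA", "dst_ip": "203.0.113.7"},
    {"host": "ws02", "parent": "services.exe",
     "image": r"C:\Users\bob\AppData\Roaming\update.exe", "sha256": "h3",
     "cmdline": "update.exe /silent", "dst_ip": "198.51.100.9"},
    {"host": "ws03", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\svchost.exe", "sha256": "h1",
     "cmdline": "svchost.exe -k netsvcs", "dst_ip": "10.0.0.5"},
]


def lineage(event):
    """(parent name, child name), case-folded: the unit all three methods key on."""
    return event["parent"].lower(), event["image"].lower().rsplit("\\", 1)[-1]


# Historical Search / Query (IoC): exact match against indicators intel already names.
IOC_HASHES = {"h3"}            # constructed threat-intel hash
IOC_IPS = {"198.51.100.9"}     # constructed threat-intel C2 address


def hunt_ioc(events):
    """Finds only what the indicator list already names; a never-seen sample is missed."""
    return [e for e in events if e["sha256"] in IOC_HASHES or e["dst_ip"] in IOC_IPS]


# Behavior Analysis / Query (TTP): match the tactic, regardless of hash or IP.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def hunt_ttp(events):
    """Office application spawning encoded PowerShell (ATT&CK T1059.001 style)."""
    leads = []
    for e in events:
        parent, child = lineage(e)
        cmd = f" {e['cmdline'].lower()} "
        if parent in OFFICE_APPS and child == "powershell.exe" and (" -enc " in cmd or " -e " in cmd):
            leads.append(e)
    return leads


# Behavior Analysis / Baseline: deviation from the (parent, child) pairs seen as normal.
def build_baseline(events, min_hosts=2):
    """Pairs seen on at least min_hosts hosts are treated as normal (illustrative heuristic)."""
    seen = defaultdict(set)
    for e in events:
        seen[lineage(e)].add(e["host"])
    return {pair for pair, hosts in seen.items() if len(hosts) >= min_hosts}


def hunt_baseline(events, baseline):
    """Everything outside the baseline is a lead to be triaged, not an alert."""
    return [e for e in events if lineage(e) not in baseline]


def run_all(events):
    """Map each methodology to the hashes it surfaces; the sets overlap but differ."""
    baseline = build_baseline(events)
    return {
        "ioc": [e["sha256"] for e in hunt_ioc(events)],
        "ttp": [e["sha256"] for e in hunt_ttp(events)],
        "baseline": [e["sha256"] for e in hunt_baseline(events, baseline)],
    }


if __name__ == "__main__":
    for method, hashes in run_all(EVENTS).items():
        print(f"{method:9s} -> {hashes}")
```

On this data the IoC query catches only the known hash, the TTP query catches only the Office-to-PowerShell chain, and the baseline surfaces both but would also surface any legitimate one-off, which is why the table treats baseline deviations as leads for analysis rather than findings.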
Analysis: Forensic State Analysis (Forensic Triage)
Utilizing data stacking and hunt analysis methods:
1. Review all running processes and loaded modules (current look)
2. Review all autorun entries and locations (future look)
3. Review all execution & forensic artifacts (historical look)
4. Identify any evidence of host manipulation or indications of generic compromise
5. Review recent privileged account usage
Analysis Technique: Forensic State Analysis
Threat hunting technique that applies phased levels of analysis to collected data to reduce the data set to a manageable level:
1. Enrichment – reputation & threat intel lookups
2. Triage – algorithms & methods to categorize interesting things
a. Data stacking
b. Anomaly/outlier identification
3. Advanced Analysis
a. Static/dynamic analysis of interesting samples
b. TTP pattern matching (dig into logs)
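The following is an added example (not Infocyte’s code or the presentation’s) of the phased Forensic State Analysis just described, applied to the process and autorun review from the previous slide: enrichment against a reputation list, data stacking of (path, hash) pairs across hosts, outlier scoring, and selection of samples for advanced analysis. The survey rows, hash values, allowlist/blocklist, and score weights are all constructed for illustration; a real survey would carry full SHA-256 values and thousands of rows per host.

```python
"""Forensic State Analysis over a constructed multi-host survey (added example)."""
from collections import defaultdict

# Constructed survey rows: (host, artifact kind, path, sha256, Authenticode-signed?).
# Hashes and paths are hypothetical stand-ins for real survey output.
SURVEY = [
    ("ws01", "process", r"C:\Windows\System32\svchost.exe", "h_svchost", True),
    ("ws02", "process", r"C:\Windows\System32\svchost.exe", "h_svchost", True),
    ("ws03", "process", r"C:\Windows\System32\svchost.exe", "h_svchost", True),
    ("ws04", "process", r"C:\Windows\System32\svchost.exe", "h_svchost", True),
    ("ws01", "autorun", r"C:\Program Files\Vendor\agent.exe", "h_agent", True),
    ("ws02", "autorun", r"C:\Program Files\Vendor\agent.exe", "h_agent", True),
    ("ws03", "autorun", r"C:\Program Files\Vendor\agent.exe", "h_agent", True),
    ("ws04", "autorun", r"C:\Program Files\Vendor\agent.exe", "h_agent", True),
    ("ws02", "autorun", r"C:\Users\bob\AppData\Roaming\svchost.exe", "h_fake_svchost", False),
    ("ws02", "process", r"C:\Users\bob\AppData\Roaming\svchost.exe", "h_fake_svchost", False),
    ("ws04", "process", r"C:\Windows\Temp\helper.exe", "h_helper", False),
    ("ws03", "autorun", r"C:\Tools\putty.exe", "h_putty", True),
]

# Constructed stand-ins for the reputation / threat-intel lookups of the enrichment step.
KNOWN_GOOD = {"h_svchost", "h_agent"}
KNOWN_BAD = {"h_helper"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


def enrich(rows):
    """Step 1 (Enrichment): tag each artifact with a reputation verdict."""
    out = []
    for host, kind, path, sha256, signed in rows:
        rep = "good" if sha256 in KNOWN_GOOD else "bad" if sha256 in KNOWN_BAD else "unknown"
        out.append({"host": host, "kind": kind, "path": path, "sha256": sha256,
                    "signed": signed, "rep": rep})
    return out


def stack(rows):
    """Step 2a (Data stacking): how many hosts carry each (path, hash) pair."""
    hosts = defaultdict(set)
    for r in rows:
        hosts[(r["path"].lower(), r["sha256"])].add(r["host"])
    return {key: len(v) for key, v in hosts.items()}


def triage(rows, total_hosts, rare_max=1):
    """Step 2b (Outlier identification): drop known-good, score the rest into ranked leads.

    Weights are illustrative; the point is that leads are ranked for a human, not
    alerted on or tuned out as false positives.
    """
    groups = defaultdict(list)
    for r in rows:
        if r["rep"] != "good":
            groups[(r["path"].lower(), r["sha256"])].append(r)
    leads = []
    for (path, sha256), rs in groups.items():
        hosts = {r["host"] for r in rs}
        kinds = {r["kind"] for r in rs}
        score, why = 0, []
        if rs[0]["rep"] == "bad":
            score += 10
            why.append("threat-intel hash match")
        if len(hosts) <= rare_max:
            score += 3
            why.append(f"rare: {len(hosts)}/{total_hosts} hosts")
        if any(marker in path for marker in USER_WRITABLE):
            score += 3
            why.append("runs from user-writable path")
        if not rs[0]["signed"]:
            score += 2
            why.append("unsigned")
        if path.rsplit("\\", 1)[-1] in SYSTEM_NAMES and "\\windows\\system32\\" not in path:
            score += 4
            why.append("system binary name outside System32 (masquerading)")
        if "autorun" in kinds:
            score += 1
            why.append("persistent via autorun")
        leads.append({"path": rs[0]["path"], "sha256": sha256, "hosts": sorted(hosts),
                      "score": score, "why": why})
    return sorted(leads, key=lambda lead: -lead["score"])


def samples_for_analysis(leads, min_score=5):
    """Step 3 (Advanced analysis): hashes worth pulling for static/dynamic analysis."""
    return [lead["sha256"] for lead in leads if lead["score"] >= min_score]


if __name__ == "__main__":
    rows = enrich(SURVEY)
    ranked = triage(rows, total_hosts=len({row[0] for row in SURVEY}))
    for lead in ranked:
        print(lead["score"], lead["path"], lead["hosts"], "; ".join(lead["why"]))
    print("submit for analysis:", samples_for_analysis(ranked))
```

Note what stacking buys here: the real svchost.exe is on all four hosts and is known-good, so it disappears after enrichment, while the copy in a user’s AppData folder ranks second even though no threat-intel source names it. The putty autorun stays on the list with a low score; it is a lead for the analyst to confirm as authorized, not a finding.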
Infocyte HUNT™
Threat Hunting. Simplified.
The premier hunt platform for hunt teams, compromise assessments, and incident response.
• Proactive discovery of threats inside your network
– Active or dormant malware (file-based & in-memory)
– Forensic artifacts & indications of compromise (historical)
– Installed applications (unauthorized, risky, or vulnerable)
• Agentless, cloud-enabled architecture: interrogate endpoints/servers without installing software
• Forensic State Analysis (FSA): performs a deep inspection of every host (inc. volatile memory inspection)
• “Zero to Hero” in hours/days, not months or years
Infocyte HUNT™ Architecture
Diagram components: Infocyte HUNT™ servers (in your network, cloud, or datacenter; Azure | AWS | GCC), analyst workstations & terminals, Incyte™ Cloud Services (reputation & threat intel services, advanced malware analysis services, external threat intelligence), and the Infocyte SOC.
Primary Data Collection: “Surveys” are deployed to endpoints via existing remote management protocols (e.g. WMI, SSH) and dissolve within minutes.
Incyte Cloud data usage:
• Licensing
• File hash & IP/DNS submissions
• Executable sample detonation
Advanced analysis services:
• Multi-AV
• Static & dynamic analysis
• Synapse Score (ML-based categorization of backdoors/RATs)
Infocyte SOC:
• Managed threat hunting
• Threat research
Why can’t my prevention & real-time monitoring tools do this?
Threat Hunting vs Protection
Why most protection tools make poor hunt tools:
• Prevention and real-time detection solutions (AV/IDS) strive for low False Positive (FP) alerting
• Hunt solutions widen the aperture and seek low False Negatives (FN)
– For hunters: anomalies, outliers, and suspicious activity are leads, not FPs to be tuned out
– A good hunt solution sorts and scores leads; it enables a quick path to verify and investigate to a conclusion
Diagram: a Good/Bad spectrum with Low FP (AV) at one end and Low FN (Hunt) at the other; a hunt solution triages the gap in the middle for high quality leads and conclusions. (Original Diagram Source: Crowdstrike’s Blog on Machine Learning)
Recommendations & Predictions
1. Conduct independent Compromise Assessments by a competent third party on the same interval as your penetration test.
2. Conduct internal assessments (aka “Hunts”) on a regular basis, as resources allow.
Prediction:
With the increasing risk of undetected long-term compromise, regulators, insurers, and risk managers will consider mandating that this service be conducted on a regular interval or prior to major financial events.