Infocyte Mid-market Threat and Incident Response Report Webinar
1 like•228 views
The document discusses the stages of modern malware attacks, emphasizing the importance of quick responses and proactive monitoring techniques such as using telemetry for dwell time calculations. It highlights methodologies for detecting and analyzing breaches, including the use of Sysmon for more effective event logging. Additionally, it touches on the challenges of anti-forensics and the necessary layers of security for mitigating risks associated with malware infections.
Infocyte Mid-market Threat and Incident Response Report Webinar
- 4. Attack Outcomes Respond Hunt • Block what can be blocked • What you detect through monitoring, you must respond quickly. • The rest you must be proactive: hunt and assess :-)
- 5. Today’s Cyber Attacks are Chained Events Stages of a modern malware attack: 1. Emotet = Go-Wide Trojan (easier to detect) 2. Trickbot = Targeted RAT (harder to detect) 3. Ransomware
- 8. Infocyte spans the Attack LIfecycle
- 9. ● ○ ○ ● ●
- 10. ● ● ○ ● ●
- 14. • Dwell Time calculations require earliest timestamp from the initial infection: ○ First system compromised (beachhead) ○ Best done with host-based telemetry Source Details Notes MAC File System Times File Created Time Earliest Timestamp! Infocyte uses this. Windows Event Logs Event ID 4688 (Process Creation) Logs executions but poorly formatted and almost useless for proactive detection Sysmon (or commercial EDR) Event ID 1 (Process Creation) Event ID 2 (File Creation Time Changed) Same as 4688 but Sysmon and EDR events are formatted for remote storage & analysis (e.g. includes hash) ID 2 can help detect time manipulation but is noisy Network IDS/Proxy/FW Event Exploit or C2 events Will indicate some part of the infection chain Calculating Dwell Time (Sources of Time)
- 15. Potential Issues with Time • Anti-Forensics is a class of techniques used by hackers to dork up forensic analysis such as timeline creation Source Potential Issues Mitigations MAC File System Times ($STANDARD_INFO) Easy to manipulate these timestamps from user-space (aka TimeStomping) 1. Compare to $FILE_INFO 2. Check for absence of sub-second resolution (timestomp doesn’t add this) MAC File System Times ($FILE_INFO) Hard to manipulate but not impossible (i.e. a kernel rootkit) Verify timestamps make sense (not before OS release date or in future) Windows Event Logs Logs can be deleted (modifying event is extremely difficult in Windows 10) Remotely store logs Sysmon (or commercial EDR) Process Start Times are not the earliest timestamps Telemetry != Detection Process start times are good approximations in many attacks but not all. Ensure this was actually the earliest execution Network IDS/Proxy/FW Event Most early exploit events not detected/logged (i.e. email vector) Aggregate ALL network log sources into a super timeline
- 16. Eliminate threat from network. Example: wipe and reload infected host or delete malware For every threat or vulnerability finding there are three choices for remediation that happen in practice: Don't outright fix but use additional layers of security to reduce the risk/threat. Example: Block C2 at firewall or DNS blackhole Problem: Malware “might” be neutered but still on system (sometimes forever) Fix Accept Remediation Concerns Mitigate The cost of fixing outweighs the risk: Ignore it… (yes, this happens sometimes) Longest dwelling infections found were in this category
- 18. Command Premium Hunt & IR Support ✓ ✓ ✓ ✓ ✓ Confidential ™
- 19. ™ ∙ ∙ ∙ ∙ ∙ ∙ ∙
- 20. Quarterly Reports: - Q3 Report Coming Soon - Refining our methodology while expanding data volume Annual Report 2020 (Summer) - Work with Verizon DBIR - Provide additional rigor to dataset Future Reports