Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cylance Mathematical Determination of Good and Bad Leveraging

Similar presentations


Presentation on theme: "Cylance Mathematical Determination of Good and Bad Leveraging"— Presentation transcript:

1 Cylance Mathematical Determination of Good and Bad Leveraging
Preventative/ Response Professional Services Cylance Corey White, VP, Professional Services

2

3 PRESPONSE Professional Services

4 Risk Does Not Equal Threat | Presponse Compromise Assessment

5

6 Malware - Windows / Linux / OSX (31% didn’t use malware)
Dropper/Downloaders – Phishing & Waterholing Malware in Userspace Zero/Single-day Exploits that lead to… Backdoor Trojan RATs – Kernel interactive Service Binaries that mimic legitimate capabilities (RAS/Proxy/AV/Recon/Config) BOTNETs – Platforms for MAAS/Subscription Access WebShells – Internet-facing Server Backdoor RATs (c99/r57/eval)

7 Hacking - .day Exploits Zero Day ½ Day Single Day Forever Day
Vulnerability that only the developer knows about ½ Day Vulnerability that is known about but no patches are yet available Single Day Vulnerability that is known about and patches are available but not applied Forever Day Vulnerability that is known and cannot be patched

8 Hacking - Web Server/Services Exploits
Remote code execution (watch your .htaccess files!) register_globals on in PHP | require ($page . ".php"); SQL injection (watch your user privileges!) AND / OR in SQL $query | $query = "SELECT * FROM users WHERE username = '' or '1=1'"; Cross Site Scripting/XSS (watch your syntax!) Volatile entry in Echo | <?php echo "<p>Your Name <br />"; echo ($_GET[name_1]); ?> Username enumeration (watch your error messages!) Username guessing | Incorrect logon / password combination Username enumeration (watch your error messages!) Username guessing | Incorrect logon / password combination.", "width": "800" }

9 Social Engineering – Access, Behavior, and Authority
Sabotage Phishing Waterholing USB “HoneyDrops” & Other Free Hardware “HelpDesk Operators” “Visitors” (Repairmen, Janitors, Pizza/Flower Delivery, Tailgaters) Subversion Contractors Employees

10 Stage 1 - Compromise Stage 2 - Exploit Stage 3 - Control
Advanced Persistent Threat - Activities Stage 1 - Compromise Social Engineering Backdoors Phishing / Waterholing Help Desk / Visitors Web Site Backdoors Reconnaissance Stage 2 - Exploit Privilege Escalation Lateral Movement User Profile Abuse Remote Access Provisioning Services Bypass/Cancellation Stage 3 - Control Configuration Management Data Targeting Data Exfiltration Sabotage Subversion

11 Most commonly seen indicators of data loss:
Non-standard Packagers (7z, Gz, RAR, PKZIP, etc.) Multipart Files of particular sizes (250/500Mb) “Recycle”/Recycle Bin Residue HTTP 206 Status Codes on Web Servers Non-standard File Transfer Services (Filezilla, FTP, WsFTP, etc.) Non-standard Reverse/Proxy Services (HUCs, PLINK, NC, SSH, etc.)

12 Most commonly seen indicators of sabotage:
Unusual Prefetch / Recent / LNK / Bash binary execution history AT / CRON Jobs Scripts Services Cancellation User Profile Authority Changes

13 Most commonly seen indicators of user profile abuse:
Multiple user accounts on single computer User account on multiple computers Service & Administrative account propagation Extranet LDAP/AD account use Account privilege provisioning/modifications (SuSID, MD5, Admins etc.) Local Services history (MIMIKATZ, PWDUMP, L0pht, CAIN/ABEL)

14 Most commonly seen indicators of lateral movement:
Access history (Type 3 / 4 / 8 / 10 logins, AuthLog) MSTSC history (.RDP, .BMC) Remote job scheduling (AT, SC, WMIC, SSH) Redundant & non-standard RAS tools (VNC, LogMeIn, TeamViewer, NC, PUTTY, PSEXEC, *FTP, SCP) Domain Services history (DSGET, DSQUERY, HYENA) Reconnaissance tools (FPORT, NET/NET1, NETSH, PING)

15 Most commonly seen indicators of insider threats:
Unusual profile access and use history Time HostID Application History Configuration History RBAC violations Other Acceptable Use Policy violations Malware / PUP / PUM…

16 Most common malware identifiers:
Authority – service, administrator, or user Persistence – only 4 persistence mechanisms in Windows Communications – only 44 netsvcs keys in Windows Services Functionality – user and kernel combinations are rare File System – user or system

17 Risk Does Not Equal Threat | Presponse Compromise Assessment
Issues Not Indicators Focus on Priorities

18 Get Ahead of Compromise Activities
Monitor Persistence settings: registry keys, startup folders, scheduled jobs/tasks Service creations Alert User Profile Propagation Lateral Movement/Access Anomalous Use (time/resources) Service State Changes (start/stop) File creations by type (RAR, BAT, VBS, SH, etc.) Sinkhole Communications Prevent Assess and Secure Networks & Applications Automated Tasks Known PUP/PUMs User-space Execution Prevent

19 Victimization INSIDER EMAIL SOCIAL ENGINEERING WEB SUPPLY CHAIN
This is how they get in Web (user) (user) Direct pathway (open ports) Web Database Candy drops (user) Social engineering Supply Chain Insider All boils down to execution DIRECT OPEN PORTS INSIDER CANDY DROP TCP/135

20 Innovation Requires STARVATION

21 WARNING: Deprogramming Required
NO Signatures NO Heuristics NO Behavioral NO Sandboxing NO Dynamic Detonation NO Micro-Virtualization JUST 100% Pure MATH

22 GAP (60%+) UNKNOWN MALICIOUS GOOD 20% 20% 100% Pure Math
Blacklist Whitelist 20% UNKNOWN 20% “THE GREYLIST” Antivirus / HIPS Servers AV Whitelisting / Web Gateway Firewall Behavioral Analysis This is the PROBLEM. Sandboxing IDS/IPS

23 This is the STATEMENT. The eye catcher.

24 Trust Vendor the Trust Math the
This is our SOLUTION: Mathematical Execution Control. This is top-to-bottom and left-to-right, use Einstein as the reference point David Hilbert Grothendieck Pascal Pythagoras Fermat Emmy Noether Bernhard Gauss Einstein Euclid Euler Leibniz Godel Archimedes Newton Poincare LaGrange Fibonacci Descartes Erdos

25 Product Portfolio Infinity DETECT SWEEP* JUNE 2013 OCTOBER 2013
Free, Silent REST API over SSL Advanced Threat Over 5,000 seats Detection only V-API V-Forensics V-Gateway V-Helpdesk Detection only Windows Agent Cloud management Silent / small footprint Detection and Protection Browser delivery Detection of threats Silent / small footprint Detection with Protection option JUNE 2013 OCTOBER 2013 FEBRUARY 2014 APRIL 2014

26


Download ppt "Cylance Mathematical Determination of Good and Bad Leveraging"

Similar presentations


Ads by Google