Corey White, VP, Professional Services Cylance Mathematical Determination of Good and Bad Leveraging Preventative / Response Professional Services.

Presentation transcript:

1 Corey White, VP, Professional Services, Cylance. Mathematical Determination of Good and Bad: Leveraging Preventative / Response Professional Services

4 Risk Does Not Equal Threat | Presponse Compromise Assessment

6 Malware - Windows / Linux / OSX (31% didn't use malware)
  - Dropper/Downloaders – Phishing & Waterholing
  - Malware in Userspace – Zero/Single-day Exploits that lead to…
  - Backdoor Trojan RATs – Kernel-interactive Service Binaries that mimic legitimate capabilities (RAS/Proxy/AV/Recon/Config)
  - BOTNETs – Platforms for MAAS/Subscription Access
  - WebShells – Internet-facing Server Backdoor RATs (c99/r57/eval)

7 Hacking - "-day" Exploits
  - Zero Day: Vulnerability that only the developer knows about
  - ½ Day: Vulnerability that is known about but no patches are yet available
  - Single Day: Vulnerability that is known about and patches are available but not applied
  - Forever Day: Vulnerability that is known and cannot be patched

8 Hacking - Web Server/Services Exploits
  - Remote code execution (watch your .htaccess files!)
    register_globals on in PHP | require ($page . ".php");
  - SQL injection (watch your user privileges!)
    AND / OR in SQL $query | $query = "SELECT * FROM users WHERE username = '' or '1=1'";
  - Cross Site Scripting/XSS (watch your syntax!)
    Volatile entry in echo | Your Name "; echo ($_GET[name_1]); ?> HERE_IS_MY_CODE
  - Username enumeration (watch your error messages!)
    Username guessing | Incorrect logon / password combination
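The SQL injection line on this slide, worked as an added example (code written for this transcript, not Cylance's or the speaker's): the concatenated query beside its parameterized form, both run against a constructed three-row users table in SQLite. The table contents and the injected input are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data: a tiny users table for the demonstration.
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE users (username TEXT, role TEXT)")
CONN.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "admin"), ("bob", "user"), ("carol", "user")])


def lookup_vulnerable(username: str) -> list:
    """Builds the query by string concatenation, the pattern shown on the slide.

    The caller-supplied value becomes part of the SQL grammar, so an OR clause
    inside the input rewrites the WHERE condition and every row matches.
    """
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return CONN.execute(query).fetchall()


def lookup_parameterized(username: str) -> list:
    """Same lookup with a bound parameter: the value is data, never SQL."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return CONN.execute(query, (username,)).fetchall()


# Constructed input in the shape of the slide's '' or '1=1' example.
INJECTED_INPUT = "' OR '1'='1"

if __name__ == "__main__":
    print("vulnerable   :", lookup_vulnerable(INJECTED_INPUT))     # all three rows
    print("parameterized:", lookup_parameterized(INJECTED_INPUT))  # no rows
```

The slide's "watch your user privileges!" still applies to the parameterized version: the database account the application uses should only be able to read what this query needs.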

9 Social Engineering – Access, Behavior, and Authority
  - Subversion: Contractors, Employees, Sabotage
  - Phishing
  - Waterholing
  - USB "HoneyDrops" & Other Free Hardware
  - "HelpDesk Operators"
  - "Visitors" (Repairmen, Janitors, Pizza/Flower Delivery, Tailgaters)

10 Advanced Persistent Threat - Activities
  Stage 1 - Compromise: Social Engineering, Backdoors, Phishing / Waterholing, Help Desk / Visitors, Web Site Backdoors, Reconnaissance
  Stage 2 - Exploit: Privilege Escalation, Lateral Movement, User Profile Abuse, Remote Access Provisioning, Services Bypass/Cancellation
  Stage 3 - Control: Configuration Management, Data Targeting, Data Exfiltration, Sabotage, Subversion

11 Most commonly seen indicators of data loss:
  - Non-standard Packagers (7z, Gz, RAR, PKZIP, etc.)
  - Multipart Files of particular sizes (250/500Mb)
  - "Recycle"/Recycle Bin Residue
  - HTTP 206 Status Codes on Web Servers
  - Non-standard File Transfer Services (Filezilla, FTP, WsFTP, etc.)
  - Non-standard Reverse/Proxy Services (HUCs, PLINK, NC, SSH, etc.)

12 Most commonly seen indicators of sabotage:
  - Unusual Prefetch / Recent / LNK / Bash binary execution history
  - AT / CRON Jobs
  - Scripts
  - Services Cancellation
  - User Profile Authority Changes

13 Most commonly seen indicators of user profile abuse:
  - Multiple user accounts on a single computer
  - User account on multiple computers
  - Service & Administrative account propagation
  - Extranet LDAP/AD account use
  - Account privilege provisioning/modifications (SuSID, MD5, Admins, etc.)
  - Local Services history (MIMIKATZ, PWDUMP, L0pht, CAIN/ABEL)

14 Most commonly seen indicators of lateral movement:
  - Access history (Type 3 / 4 / 8 / 10 logons, AuthLog)
  - MSTSC history (.RDP, .BMC)
  - Remote job scheduling (AT, SC, WMIC, SSH)
  - Redundant & non-standard RAS tools (VNC, LogMeIn, TeamViewer, NC, PUTTY, PSEXEC, *FTP, SCP)
  - Domain Services history (DSGET, DSQUERY, HYENA)
  - Reconnaissance tools (FPORT, NET/NET1, NETSH, PING)

15 Most commonly seen indicators of insider threats:
  - Unusual profile access and use history: Time, HostID, Application History, Configuration History
  - RBAC violations
  - Other Acceptable Use Policy violations
  - Malware / PUP / PUM…

16 Most common malware identifiers:
  - Authority – service, administrator, or user
  - Persistence – only 4 persistence mechanisms in Windows
  - Communications – only 44 netsvcs keys in Windows Services
  - Functionality – user and kernel combinations are rare
  - File System – user or system

17 Risk Does Not Equal Threat | Presponse Compromise Assessment
  - Issues, Not Indicators
  - Focus on Priorities

18 Get Ahead of Compromise Activities
  Monitor
    – Persistence settings: registry keys, startup folders, scheduled jobs/tasks
    – Service creations
  Alert
    – User Profile Propagation
    – Lateral Movement/Access
    – Anomalous Use (time/resources)
    – Service State Changes (start/stop)
    – File creations by type (RAR, BAT, VBS, SH, etc.)
    – Sinkhole Communications
  Prevent
    – Assess and Secure Networks & Applications
    – Automated Tasks
    – Known PUP/PUMs
    – User-space Execution
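The "User Profile Propagation" and "Lateral Movement/Access" alerts above, built from the user-profile-abuse indicators of slide 13 (one account on multiple computers) and the lateral-movement indicators of slide 14 (Type 3/10 logons, AT/SC/WMIC/PsExec job scheduling), as detection logic over constructed sample events. This is an added example written for this transcript, not code from the slides or from Cylance; the event field names, host names and user names are assumptions.

```python
from collections import defaultdict

# Constructed sample records (not real logs): Windows 4624-style logons carrying the
# LogonType values the slide lists, plus process-creation records from the same hosts.
EVENTS = [
    {"ts": "2014-03-02T01:12:03", "host": "WS-017", "user": "jsmith", "kind": "logon", "logon_type": 2},
    {"ts": "2014-03-02T01:15:40", "host": "WS-017", "user": "jsmith", "kind": "process", "image": r"C:\Windows\System32\wmic.exe"},
    {"ts": "2014-03-02T01:16:02", "host": "FS-02", "user": "jsmith", "kind": "logon", "logon_type": 3},
    {"ts": "2014-03-02T01:17:30", "host": "FS-02", "user": "jsmith", "kind": "process", "image": r"C:\Windows\System32\at.exe"},
    {"ts": "2014-03-02T01:20:11", "host": "DC-01", "user": "jsmith", "kind": "logon", "logon_type": 10},
    {"ts": "2014-03-02T09:00:00", "host": "WS-023", "user": "mlee", "kind": "logon", "logon_type": 2},
    {"ts": "2014-03-02T09:05:12", "host": "WS-023", "user": "mlee", "kind": "process", "image": r"C:\Program Files\App\app.exe"},
]

# Type 3 (network) and 10 (RemoteInteractive/RDP) from the slide's Type 3/4/8/10 set.
REMOTE_LOGON_TYPES = {3, 10}
# Remote job scheduling and remote admin binaries named on the lateral-movement slide.
REMOTE_JOB_TOOLS = {"at.exe", "sc.exe", "wmic.exe", "psexec.exe"}


def remote_logons(events):
    """Logon records whose type means the session came from another machine."""
    return [e for e in events
            if e["kind"] == "logon" and e["logon_type"] in REMOTE_LOGON_TYPES]


def propagated_accounts(events, max_hosts=1):
    """Accounts that logged on to more than max_hosts distinct computers
    (the 'user account on multiple computers' indicator)."""
    hosts = defaultdict(set)
    for e in events:
        if e["kind"] == "logon":
            hosts[e["user"]].add(e["host"])
    return {u: sorted(h) for u, h in hosts.items() if len(h) > max_hosts}


def remote_job_tool_runs(events):
    """Process records whose image file name is one of the remote job / RAS tools."""
    return [e for e in events if e["kind"] == "process"
            and e["image"].rsplit("\\", 1)[-1].lower() in REMOTE_JOB_TOOLS]


def lateral_movement_alerts(events):
    """Alert on accounts that both spread across hosts and ran a remote job tool."""
    spread = propagated_accounts(events)
    tool_users = {e["user"] for e in remote_job_tool_runs(events)}
    return sorted(u for u in spread if u in tool_users)


if __name__ == "__main__":
    for user in lateral_movement_alerts(EVENTS):
        print(user, "->", propagated_accounts(EVENTS)[user])
```

On the sample data only jsmith trips the combined alert: three distinct hosts, two remote logon types, and wmic.exe plus at.exe executed along the way, while mlee stays on one workstation running an ordinary application.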

19 Victimization
  - CANDY DROP
  - SUPPLY CHAIN
  - SOCIAL ENGINEERING
  - WEB
  - DIRECT / OPEN PORTS (TCP/135)
  - INSIDER

20 Innovation Requires STARVATION

21 WARNING: Deprogramming Required
  JUST 100% Pure MATH
  - NO Signatures
  - NO Heuristics
  - NO Behavioral
  - NO Sandboxing
  - NO Dynamic Detonation
  - NO Micro-Virtualization

22 (Diagram) Spectrum from MALICIOUS to GOOD: Blacklist – "THE GREYLIST" (UNKNOWN) – Whitelist
  Labels on the diagram: Sandboxing Servers; AV Antivirus / HIPS; Firewall / Web Gateway; IDS/IPS; Whitelisting; 100% Pure Math
  Coverage: 20% Whitelist | 20% Behavioral Analysis | GAP (60%+)

24 Trust the Vendor | Trust the Math

25 Infinity Product Portfolio
  JUNE 2013 – Free, Silent; REST API over SSL; Advanced Threat; Over 5,000 seats; Detection only
  OCTOBER 2013 – V-API, V-Forensics, V-Gateway, V-Helpdesk; Detection only
  FEBRUARY 2014 – Windows Agent; Cloud management; Silent / small footprint; Detection and Protection
  APRIL 2014 – Browser delivery; Detection of threats; Silent / small footprint; Detection with Protection option
  Product labels on the timeline: DETECT, SWEEP*
