Presentation is loading. Please wait.

Presentation is loading. Please wait.

Jessica Payne Microsoft Global Incident Response and Recovery

Published byPatrick Gallagher Modified over 8 years ago

Similar presentations

Presentation on theme: "Jessica Payne Microsoft Global Incident Response and Recovery"— Presentation transcript:

1

2 Jessica Payne Microsoft Global Incident Response and Recovery
Anatomy of the Attack – How Cybersecurity Investigations Actually Work Jessica Payne Microsoft Global Incident Response and Recovery WIN433

3 Welcome to the worst day of your life

4 The Phone call This is the FIB. We noticed your server at x.x.x.x is communicating with a server associated with a malicious actor. Good luck with that. . . . Contoso CISO

5 Typical customer reaction

6 Television Cybersecurity
Takes 45 minutes (without commercials) You see the attack They immediately notice the compromise Investigators are in general omnipotent Has guns Has a non-natural hair colored goth girl. Always.

7 Statistics (source: 2014/13 Verizon Reports+SIR)
Microsoft Ignite 2015 4/25/ :28 PM Statistics (source: 2014/13 Verizon Reports+SIR) Only 9% spot own compromise (sometimes by accident) Majority spotted by external party Attacker is on network an average of 200+ days before detection 75% use stolen credentials – tracking your own people is hard Self remediation pretty much impossible (you’ll see why) © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

8 Typical Attack Bad guy targets workstations with malware
Power: Domain Controllers Bad guy targets workstations with malware User is compromised, Bad guy elevates privilege and harvests credentials. Data: Servers and Applications Bad guy starts “credentials crabwalk” Bad guy finds host with domain privileged credentials, steals, and elevates privileges Access: Users and Workstations Bad guy owns network, can do what he wants.

9   Special just for you IP    Modern malware Bob the non-admin
<----packets!--  Special just for you IP ----packet--> SuperLegitService.exe win32k.sys 

10  FIB Provided information FIB FLASH FIB Liason Alert #NC-1701
FIB has obtained information that the actor known as APT2005 “Rapid Rhino” has begun attacks against the kitty litter industry vector. Technical Details : ChriKit is a first generation Trojan that has full remote shell capabilities and credential theft toolsets. Traffic is beaconed over typical HTTP/HTTPs ports with minimal identifying strings. The Trojan is installed as a service, where the name varies.

11 So what do we know? Malicious host that was being beaconed to (C2 server) Potential threat family Through proxy/firewall logs we have identified host that was beaconing

12 (Those are time machines)
The Incident Response tools we wish we had (Those are time machines)

13 What fancy tools do y’all use?
WOLF – internal tool to gather data Autoruns – gathers ASEPs to indicate malware persistence Event Logs USN Change Journal – file system level details

14 Other fun tools Volatility/Memory snaps – memory analysis can be really useful, but it’s hard to grab remotely and transfer to us and even harder to catch something in the act YARA – Yet Another Regex Analyzer allows for matching of files against regular expressions PE Analysis – tools for analyzing Portable Executable header data – caution use OFFLINE in targeted attacks IDA Pro – How (some) Reverse Engineers do it.

15 Dramatic Pause

16 First do no harm If you have a suspected compromise GET HELP

17 Band-Aids don’t fix bullet holes
Don’t play whackamole – malware has sleeps Holistic diagnosis and recovery are needed in a targeted compromise. You will not find it all with basic tools and firewall logs. Engage a professional. A full compromise means a full recovery More data is more knowledge – but don’t be overwhelmed Don’t rely on tools, this is part art as well as science. Know what is normal, know that persistence can be unexpected – Powershell profiles, etc.

18 The investigation Jessica Payne

19 Real live malware Microsoft Ignite 2015 4/25/2017 11:28 PM
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

20 Real live malware Microsoft Ignite 2015 4/25/2017 11:28 PM
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

21 Real live malware Microsoft Ignite 2015 4/25/2017 11:28 PM
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

22 Real live malware

23 Tips DO - search on file hashes
DO NOT – submit files to Virus Total for analysis DO NOT – ping or use DNS lookup DO – Get professional help DO – Submit the sample to us (tagged as DHA if you suspect) DO – Send us telemetry! DO – Get Professional help!

24 Using Sigcheck to collect hash

25 Using Virus Total URL search

26 Using Virus Total hash search

27 Using Virus Total URL search

28 Pretty much undetectable evil
Jessica Payne

29 Monitoring strategies
Make sure you have the right logs enabled (this is trickier than it sounds) Central collection of logs is huge Firewalls are also huge (critical) – from a logging perspective but also blocking. Powershell. Lock it up, upgrade it and monitor it. Sysmon Good news in Windows 10! Advanced Threat Analytics – it can detect some of this.

30 Defense strategies Credential Theft Mitigations
Microsoft Ignite 2015 4/25/ :28 PM Defense strategies Credential Theft Mitigations Network and Application Segmentation (Firewalls, Applocker, RemoteApp) EMET against initial compromise Well implemented Cloud solutions actually can help (not just a sales pitch.) Unlike TV, not guns. © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

31 Questions? @jepayneMSFT

32 Complete your session evaluation on My Ignite for your chance to win one of many daily prizes.

33 Continue your Ignite learning path
Microsoft Ignite 2015 4/25/ :28 PM Continue your Ignite learning path Visit Microsoft Virtual Academy for free online training visit Visit Channel 9 to access a wide range of Microsoft training and event recordings Head to the TechNet Eval Centre to download trials of the latest Microsoft products The purpose of this slide is to ensure delegates consider their next steps after your presentation. The learning should not end on 20th November 2015  Option to use this slide in the current generic format or for you to recommend 1 (or more) Microsoft Virtual Academy Course or Channel 9 video that is relevant next steps from your presentation. Thanks © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

34

Download ppt "Jessica Payne Microsoft Global Incident Response and Recovery"

Similar presentations

If a bad guy can alter the operating system on your computer, it's not your computer anymore A bad guy could have altered the operating system on EVERY.

If a bad guy can alter the operating system on your computer, it's not your computer anymore A bad guy could have altered the operating system on EVERY.
Pierre Sleep tight knowing you’re prepared for outages Protect your environment with Azure ARC32 4.

Pierre Sleep tight knowing you’re prepared for outages Protect your environment with Azure ARC32 4.
Cory Banks Beyond Deployment How IT Can Inspire, Motivate, and Drive Sustainable Adoption PRD32 5.

Cory Banks Beyond Deployment How IT Can Inspire, Motivate, and Drive Sustainable Adoption PRD32 5.
Jordan Knight Developing for the Microsoft Band MOB342.

Jordan Knight Developing for the Microsoft Band MOB342.
Karl Thomson, StorageCraft Product Evangelist True Disaster Recovery System recovery is not enough – get true resiliency to face disasters DAT226 B.

Karl Thomson, StorageCraft Product Evangelist True Disaster Recovery System recovery is not enough – get true resiliency to face disasters DAT226 B.
Luke Notley Migrating from AWS to Azure Seamlessly CLD32 1.

Luke Notley Migrating from AWS to Azure Seamlessly CLD32 1.
Andrew Hennessy Automating Server Application migrations to the Cloud – Goodbye Server 2003. INF21 3.

Andrew Hennessy Automating Server Application migrations to the Cloud – Goodbye Server INF21 3.
Kevin Francis Developing on Windows Devices ARC33 2.

Kevin Francis Developing on Windows Devices ARC33 2.
Chris Hewitt Adding magic to your business with Perceptual Intelligence ARC323 B.

Chris Hewitt Adding magic to your business with Perceptual Intelligence ARC323 B.
Matt McSpirit Software-defined Networking in Windows Server 2016 INF32 4.

Matt McSpirit Software-defined Networking in Windows Server 2016 INF32 4.
Vakhtang Assatrian Asia Communications TSP Lead, Microsoft Architecture options for implementing Skype for Business PRD32 7.

Vakhtang Assatrian Asia Communications TSP Lead, Microsoft Architecture options for implementing Skype for Business PRD32 7.
Creating highly available and resilient Microservices on Microsoft Azure Service Fabric

Creating highly available and resilient Microservices on Microsoft Azure Service Fabric
Andrew Coates Advanced Windows 10 development with the Office 365 APIs DEV33 5.

Andrew Coates Advanced Windows 10 development with the Office 365 APIs DEV33 5.
Alessandro Cardoso, Microsoft MVP Creating your own “Private Cloud” with Windows 10 Hyper- V WIN443.

Alessandro Cardoso, Microsoft MVP Creating your own “Private Cloud” with Windows 10 Hyper- V WIN443.
Michael Porfirio and Chris Gondek Beyond Backup The Next Generation Commvault Data Platform DAT22 5.

Michael Porfirio and Chris Gondek Beyond Backup The Next Generation Commvault Data Platform DAT22 5.
Jeff Alexander & Andrew McMurray Runtime Provisioning in Windows 10 WIN327.

Jeff Alexander & Andrew McMurray Runtime Provisioning in Windows 10 WIN327.
Michael Niehaus Using the Windows Store for Business: New Capabilities for Managing Apps in the Enterprise WIN335.

Michael Niehaus Using the Windows Store for Business: New Capabilities for Managing Apps in the Enterprise WIN335.
Mahesh Krishnan Architecting highly resilient applications on Azure ARC42 7.

Mahesh Krishnan Architecting highly resilient applications on Azure ARC42 7.
Jessica Payne Microsoft Global Incident Response and Recovery

Jessica Payne Microsoft Global Incident Response and Recovery
Dr Greg Low Working with SQL Server Spatial Data DAT33 3.

Dr Greg Low Working with SQL Server Spatial Data DAT33 3.

Similar presentations

Ads by Google