Jessica Payne Microsoft Global Incident Response and Recovery

Presentation transcript:

Anatomy of the Attack – How Cybersecurity Investigations Actually Work
Jessica Payne, Microsoft Global Incident Response and Recovery
WIN433

Welcome to the worst day of your life

The Phone call
“This is the FIB. We noticed your server at x.x.x.x is communicating with a server associated with a malicious actor. Good luck with that.”
. . . Contoso CISO

Typical customer reaction

Television Cybersecurity
Takes 45 minutes (without commercials)
You see the attack
They immediately notice the compromise
Investigators are in general omnipotent
Has guns
Has a non-natural hair colored goth girl. Always.

Statistics (source: 2014/13 Verizon Reports + SIR)
Only 9% spot own compromise (sometimes by accident)
Majority spotted by external party
Attacker is on network an average of 200+ days before detection
75% use stolen credentials – tracking your own people is hard
Self remediation pretty much impossible (you’ll see why)
http://www.microsoft.com/security/sir
http://www.verizonenterprise.com/DBIR/
Microsoft Ignite 2015. © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Typical Attack
Bad guy targets workstations with malware
User is compromised, bad guy elevates privilege and harvests credentials
Bad guy starts “credentials crabwalk”
Bad guy finds host with domain privileged credentials, steals, and elevates privileges
Bad guy owns network, can do what he wants
(Diagram tiers: Access – Users and Workstations; Data – Servers and Applications; Power – Domain Controllers)

Modern malware (diagram): a “special just for you” IP sends packets to Bob the non-admin and to SuperLegitService.exe; win32k.sys

FIB provided information
FIB FLASH – FIB Liaison Alert #NC-1701
FIB has obtained information that the actor known as APT2005 “Rapid Rhino” has begun attacks against the kitty litter industry vector.
Technical Details: ChriKit is a first generation Trojan that has full remote shell capabilities and credential theft toolsets. Traffic is beaconed over typical HTTP/HTTPS ports with minimal identifying strings. The Trojan is installed as a service, where the name varies.

So what do we know?
Malicious host that was being beaconed to (C2 server)
Potential threat family
Through proxy/firewall logs we have identified the host that was beaconing

The Incident Response tools we wish we had (Those are time machines)

What fancy tools do y’all use?
WOLF – internal tool to gather data
Autoruns – gathers ASEPs (auto-start extensibility points) to indicate malware persistence
Event Logs
USN Change Journal – file system level details
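The FIB alert above says the Trojan is installed as a service with a varying name, and Autoruns is the tool listed here for collecting persistence entries. The following is an added example, not code from the presentation: it triages a constructed Autoruns CSV export for service entries that are unsigned, sit outside the usual program directories, or are absent from an assumed known-good baseline (the column subset, the trusted roots and the baseline set are assumptions).

```python
import csv
import io

# Constructed sample rows in the shape of an Autoruns CSV export (a subset of the
# real column set, which also carries version and hash fields).
AUTORUNS_CSV = r"""Entry Location,Entry,Enabled,Category,Description,Signer,Company,Image Path,Launch String
HKLM\System\CurrentControlSet\Services,Spooler,enabled,Services,Print Spooler,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\spoolsv.exe,C:\Windows\System32\spoolsv.exe
HKLM\System\CurrentControlSet\Services,SuperLegitService,enabled,Services,Windows Update Helper,(Not verified) Microsoft Corporation,Microsoft Corporation,c:\programdata\winsvc\superlegitservice.exe,C:\ProgramData\winsvc\SuperLegitService.exe
HKLM\System\CurrentControlSet\Services,ContosoBackup,enabled,Services,Contoso Backup Agent,(Verified) Contoso Ltd,Contoso Ltd,c:\program files\contoso\backup\cbagent.exe,C:\Program Files\Contoso\Backup\cbagent.exe -service
HKLM\Software\Microsoft\Windows\CurrentVersion\Run,OneDrive,enabled,Logon,Microsoft OneDrive,(Verified) Microsoft Corporation,Microsoft Corporation,c:\users\bob\appdata\local\microsoft\onedrive\onedrive.exe,C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background
"""

# Assumed: where service binaries normally live, and the service names recorded
# from a known-good build of the same image (the "know what is normal" baseline).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
BASELINE_SERVICES = {"Spooler"}


def triage_autoruns(csv_text, baseline=BASELINE_SERVICES):
    """Return the entries worth a second look, each with the reasons it was flagged."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        if not row["Signer"].startswith("(Verified)"):
            reasons.append("signature not verified")
            if "microsoft" in row["Company"].lower():
                # An unsigned binary wearing a Microsoft company string is a classic tell.
                reasons.append("claims Microsoft but unsigned")
        if row["Category"] == "Services":
            if not row["Image Path"].lower().startswith(TRUSTED_ROOTS):
                reasons.append("service binary outside program directories")
            if row["Entry"] not in baseline:
                reasons.append("service not in baseline")
        if reasons:
            findings.append({"entry": row["Entry"], "path": row["Image Path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in triage_autoruns(AUTORUNS_CSV):
        print(f"{hit['entry']:20} {hit['path']}\n    " + "; ".join(hit["reasons"]))
```

A legitimately signed service that is merely new to the baseline (ContosoBackup here) is still reported, because "not in baseline" is the question an analyst answers, not a verdict.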

Other fun tools
Volatility/memory snapshots – memory analysis can be really useful, but it’s hard to grab remotely and transfer to us, and even harder to catch something in the act
YARA – Yet Another Regex Analyzer; allows for matching of files against regular expressions
PE Analysis – tools for analyzing Portable Executable header data – caution: use OFFLINE in targeted attacks
IDA Pro – how (some) reverse engineers do it

Dramatic Pause

First do no harm
If you have a suspected compromise, GET HELP

Band-Aids don’t fix bullet holes
Don’t play whack-a-mole – malware has sleeps
Holistic diagnosis and recovery are needed in a targeted compromise. You will not find it all with basic tools and firewall logs. Engage a professional.
A full compromise means a full recovery
More data is more knowledge – but don’t be overwhelmed
Don’t rely on tools; this is part art as well as science.
Know what is normal; know that persistence can be unexpected – PowerShell profiles, etc.

The investigation Jessica Payne

Real live malware

Tips
DO – search on file hashes
DO NOT – submit files to VirusTotal for analysis
DO NOT – ping or use DNS lookup
DO – get professional help
DO – submit the sample to us (tagged as DHA if you suspect) https://www.microsoft.com/security/portal/submission/submit.aspx
DO – send us telemetry!
DO – get professional help!

Using Sigcheck to collect hash

Using VirusTotal URL search

Using VirusTotal hash search

Using VirusTotal URL search
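The Tips slide says to search on hashes rather than upload the file, and the tools slide says PE analysis belongs offline in a targeted attack. The following is an added example, not part of the presentation or of Sigcheck: it collects the hashes an analyst would search for and reads the COFF header of a sample without executing it or touching the network. The MZ/e_lfanew/PE layout is the real format; the sample bytes and the "known bad" hash set are constructed for the illustration.

```python
import hashlib
import struct

MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag


def hash_sample(data):
    """Return the hashes to search on (what Sigcheck -h collects), never the file itself."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def parse_pe_header(data):
    """Parse the DOS header pointer and COFF file header; None if this is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the "PE\0\0" signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 24:
        return None
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, n_sections, timestamp, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": n_sections,
        "timestamp": timestamp,  # compile time claimed by the linker; trivially forged, still worth noting
        "is_dll": bool(chars & IMAGE_FILE_DLL),
    }


def triage(data, known_bad_sha256):
    """Offline triage: hashes, header facts, and whether an alert already lists this hash."""
    hashes = hash_sample(data)
    return {"hashes": hashes, "pe": parse_pe_header(data), "known_bad": hashes["sha256"] in known_bad_sha256}


# Constructed minimal PE image: 64-byte DOS header whose e_lfanew points at a COFF header at 0x40.
SAMPLE = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
          + b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 3, 0x55D4A5A0, 0, 0, 0xF0, 0x0022))
# Constructed: pretend the liaison alert listed this SHA-256 as an indicator.
KNOWN_BAD = {hashlib.sha256(SAMPLE).hexdigest()}

if __name__ == "__main__":
    print(triage(SAMPLE, KNOWN_BAD))
```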

Pretty much undetectable evil Jessica Payne

Monitoring strategies
Make sure you have the right logs enabled (this is trickier than it sounds)
Central collection of logs is huge
Firewalls are also huge (critical) – from a logging perspective but also blocking
PowerShell: lock it up, upgrade it and monitor it
Sysmon
Good news in Windows 10!
Advanced Threat Analytics – it can detect some of this
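The Typical Attack slide describes the “credentials crabwalk” and this slide asks for the right logs, centrally collected. The following is an added example, not from the presentation: it runs over constructed Security log records (Event ID 4624 and its logon types are real Windows fields; the host naming convention, the privileged-account list and the records themselves are assumptions) and flags the logon patterns that crabwalk produces.

```python
from collections import defaultdict

# Logon types worth tracking for lateral movement: 3 = network (SMB, WMI,
# PsExec-style), 10 = RemoteInteractive (RDP). Both are real 4624 values.
REMOTE_LOGON_TYPES = {3, 10}
# Assumed: tier-0 / service accounts that should never log on to a workstation,
# and a naming convention where workstation names start with "WS-".
PRIVILEGED = {"svc-backup", "da-admin"}

# Constructed 4624 records as a central collector would hold them. "Computer" is
# the host that logged the event, "WorkstationName" the host the logon came from.
EVENTS = [
    {"EventID": 4624, "Computer": "WS-BOB",   "LogonType": 2,  "TargetUserName": "bob",        "WorkstationName": "WS-BOB"},
    {"EventID": 4624, "Computer": "WS-ALICE", "LogonType": 3,  "TargetUserName": "bob",        "WorkstationName": "WS-BOB"},
    {"EventID": 4624, "Computer": "WS-CAROL", "LogonType": 3,  "TargetUserName": "bob",        "WorkstationName": "WS-BOB"},
    {"EventID": 4624, "Computer": "WS-CAROL", "LogonType": 10, "TargetUserName": "svc-backup", "WorkstationName": "WS-BOB"},
    {"EventID": 4624, "Computer": "DC01",     "LogonType": 3,  "TargetUserName": "svc-backup", "WorkstationName": "WS-CAROL"},
    {"EventID": 4624, "Computer": "FS01",     "LogonType": 3,  "TargetUserName": "alice",      "WorkstationName": "WS-ALICE"},
]


def is_workstation(host):
    return host.upper().startswith("WS-")


def find_crabwalk(events, privileged=PRIVILEGED, fan_out_threshold=2):
    """Flag the logon patterns behind the credentials crabwalk: peer-to-peer
    workstation logons, privileged accounts landing on workstations, and one
    account fanning out to several hosts."""
    findings = []
    targets_by_user = defaultdict(set)
    for e in events:
        if e["EventID"] != 4624 or e["LogonType"] not in REMOTE_LOGON_TYPES:
            continue  # local/interactive logons are normal and not lateral movement
        user, src, dst = e["TargetUserName"], e["WorkstationName"], e["Computer"]
        if is_workstation(src) and is_workstation(dst):
            # Users have no business logging on remotely to each other's desktops.
            findings.append({"rule": "workstation-to-workstation", "user": user, "src": src, "dst": dst})
        if user in privileged and is_workstation(dst):
            # A high-privilege account touching a workstation leaves its credentials there.
            findings.append({"rule": "privileged-logon-to-workstation", "user": user, "src": src, "dst": dst})
        targets_by_user[user].add(dst)
    for user, hosts in targets_by_user.items():
        if len(hosts) >= fan_out_threshold:
            findings.append({"rule": "lateral-fan-out", "user": user, "src": None, "dst": sorted(hosts)})
    return findings


if __name__ == "__main__":
    for hit in find_crabwalk(EVENTS):
        print(hit)
```

The thresholds and naming rules are the part you tune from your own baseline; without the centrally collected 4624 stream none of these rules can fire at all.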

Defense strategies
Credential Theft Mitigations
Network and Application Segmentation (Firewalls, AppLocker, RemoteApp)
EMET against initial compromise
Well implemented Cloud solutions actually can help (not just a sales pitch.)
Unlike TV, not guns.

Questions? http://aka.ms/jessica @jepayneMSFT

Complete your session evaluation on My Ignite for your chance to win one of many daily prizes.

Continue your Ignite learning path
Visit Microsoft Virtual Academy for free online training: https://www.microsoftvirtualacademy.com
Visit Channel 9 to access a wide range of Microsoft training and event recordings: https://channel9.msdn.com/
Head to the TechNet Eval Centre to download trials of the latest Microsoft products: http://Microsoft.com/en-us/evalcenter/