Presentation is loading. Please wait.

Presentation is loading. Please wait.

Adversary playbook.

Published byAnnice Chandler Modified over 6 years ago

Similar presentations

Presentation on theme: "Adversary playbook."— Presentation transcript:

1 Adversary playbook

2 welcome REAL WORLD ATTACK DEMOS
Adrian Diaz – Principal Solutions Architect 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

3 EXISTING APPROACHES ARE FAILING
Adversaries Are Getting More Sophisticated MALWARE ATTACKS NON-MALWARE ATTACKS 40% 60% LOW HIGH THREAT SOPHISTICATION Harder to Prevent & Detect NON-MALWARE ATTACKS Questions: How many in the audience have been tackling the advanced threats landscape? Are most still in the malware attacks mentality? How many have in-house advanced capabilities? People/process/tools How many have dealt with a targeted attack? Who understands the endpoint crowded space? EDR/ Nextgen AV / SIEMs / Threat Intel •         Next-Gen AV -Falcon Prevent o    Machine Learning o    Black Known Bad o    Exploit Mitigation o    IOA-Behavioral Blocking •         EDR- Falcon Insight o    Real-time and Historical search o    Record Everything o    Threat Hunting o    Response and containment TERRORISTS HACKTIVISTS CYBER- CRIMINALS Organized Criminal Gangs NATION- STATES MALWARE ATTACKS

4 Ransomware 47% of organizations have experienced a ransomware attack in the last 12 month Source: Osterman Research Traditional AntiVirus and defenses are failing. We need to find a better approach 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

5 THERE IS NO SUCH THING AS 100% PREVENTION…
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

6 $1.6M the average impact of a successful spear- phishing attack.
84% of organizations said a spear-phishing attack successfully penetrated their organization in 2015 $1.6M the average impact of a successful spear- phishing attack. Vanson Bourne. “The Impact of Spear Phishing.” 2016 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

7 200 Days Real Time Visibility
average days attackers spend inside a network before being detected Source: INFOSEC Institute – The Seven Steps of a Successful Cyber Attack 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

8 Scenario Victim machine – Windows 7 workstation
Attacker machine – Kali Linux with Metasploit 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

9 Glossary: The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more. An exploit is the use of software, data, or commands to “exploit” a weakness in a computer system or program to carry out some form of malicious intent, such as a denial-of-service attack, Trojan horses, worms or viruses. The weakness in the system can be a bug, a glitch or simply a design vulnerability. A payload is a piece of code to be executed through said exploit. Have a look at theMetasploit Framework. It is simply a collection of exploits and payloads. Each exploit can be attached with various payloads like reverse or bind shells, the meterpreter shell etc. mimikatz is a tool well known to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory. mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets. Social Engineer Toolkit (SET) The Social-Engineer Toolkit (SET) is specifically designed to perform advanced attacks against the human element. ... The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization used during a penetration test. 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

10 (un)Known Malware / ransomware
Run Cryptowall.exe with ML HEX Mod Cryptowall.exe Disable ML and Enable on Behavior IOA File is quarantined Start Demo 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

11 Beyond Malware - Spear Phishing and Browser exploit
Launch Metasploit on Attacker machine Compile IE Browser Exploit Launch Outlook on Victim machine Click on Spear Phishing link Show Active Sessions Run shell Show Reconnaissance and Exfiltration Start Demo 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

12 Beyond Malware - dumping credentials
Use Meterpreter built-in hash dump Escalate privileges to local system (local admin) Run shell under system privileges Run hashdump Use Mimikatz in Memory Attack with Powershell script to dump credentials Start Demo 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

13 Beyond Malware - Maintain persistence & Lateral movement
Use On-screen keyboard bypass / Sticky keys trick Create a registry entry on the target system allowing a system level shell to be invoked any time the osk.exe (on screen keyboard) process is called Open new terminal in Attacker machine Remote desktop to Victim machine Use Accessibility On-Screen keyboard for command prompt (does not generate logon events) Add new local admin Start Demo 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

14 Beyond Malware - pdf exploit cooltype
Adobe 8.3 CoolType SING Table “uniquename” Stack Buffer Overflow Generate Malicious PDF via msfconsole Prepare Attacking system PDF Payload on Victim machine Open Resume.pdf (Phishing) DIR, Exfil, Meterpreter shell Start Demo Ma 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

15 Beyond Malware - SEToolkit
Run SETOOLKIT Create Browser Exploit Attack Use Meterpreter Windows Reverse_TCP Metasploit Exploit Payloads execute Navigate to browser link on Victim machine Gain session access Start Demo Ma 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

16 PEOPLE, PROCESS & TECHNOLOGY
Threat hunting Skilled People - continuous learning; revisit investigations and adversary techniques Process - build repeatable process workflows into your tools, through enrinched content and API integration Technology - Seek to increase the time to value (TTV) and reducing mean-time- to-detection and response; detect earlier in the attack chain Requires Visibility (Prevention and Detection) Intelligence - combines the use of threat intelligence, analytics, and automated security tools with human smarts. 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. PEOPLE, PROCESS & TECHNOLOGY

17 THANK YOU! 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

Download ppt "Adversary playbook."

Similar presentations

Nathan Labadie Systems Engineer, US-Central FireEye

Nathan Labadie Systems Engineer, US-Central FireEye
1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.

1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.

© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.
©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Chris Berninger, Sr. Solutions.

©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Chris Berninger, Sr. Solutions.
1© Copyright 2011 EMC Corporation. All rights reserved. Advanced Persistent Threat Sachin Deshmanya & Srinivas Matta.

1© Copyright 2011 EMC Corporation. All rights reserved. Advanced Persistent Threat Sachin Deshmanya & Srinivas Matta.
©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.

©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.
A Complete Tool For System Penetration Testing Presented By:- Mahesh Kumar Sharma B.Tech IV Year Computer Science Roll No. :- CS09047.

A Complete Tool For System Penetration Testing Presented By:- Mahesh Kumar Sharma B.Tech IV Year Computer Science Roll No. :- CS09047.
David Flournoy Bit9 Mid-Atlantic Regional Manager

David Flournoy Bit9 Mid-Atlantic Regional Manager
Browser Exploitation Framework (BeEF) Lab

Browser Exploitation Framework (BeEF) Lab
MOBILE MALWARE TOPIC #5 – INFORMATION ASSURANCE AND SECURITY Michael Fine 1.

MOBILE MALWARE TOPIC #5 – INFORMATION ASSURANCE AND SECURITY Michael Fine 1.
Introduction to InfoSec – Recitation 15 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 15 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Chapter 15: Security (Part 1). The Security Problem Security must consider external environment of the system, and protect the system resources Intruders.

Chapter 15: Security (Part 1). The Security Problem Security must consider external environment of the system, and protect the system resources Intruders.
MIS 5212.001 Week 2 Site:

MIS Week 2 Site:
Trend Micro Confidential 9/23/2015 Threat Rules Sharing Advanced Threats Research.

Trend Micro Confidential 9/23/2015 Threat Rules Sharing Advanced Threats Research.
©2014 Bit9. All Rights Reserved Endpoint Threat Prevention Charles Roussey | Sr. Sales Engineer Detection and Response in Seconds.

©2014 Bit9. All Rights Reserved Endpoint Threat Prevention Charles Roussey | Sr. Sales Engineer Detection and Response in Seconds.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.

Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
Advanced Persistent Threats (APT) Sasha Browning.

Advanced Persistent Threats (APT) Sasha Browning.
CNIT 124: Advanced Ethical Hacking Ch 10: Client-Side Exploitation.

CNIT 124: Advanced Ethical Hacking Ch 10: Client-Side Exploitation.
Sky Advanced Threat Prevention

Sky Advanced Threat Prevention

Similar presentations

Ads by Google