Incident Detection and Response


1 Incident Detection and Response
Wade Woolwine, Mike Scutt

2 Agenda
Introductions
Threat Types
Attack Lifecycle (Targeted Threats)
IDR Program Best Practices
Threat Scenarios
Q/A

3 Threat Types
Commodity: Cryptolocker, virus, bot, etc.
Disruptive: DDoS, social media hijacking, web defacement, etc.
Targeted: organized crime, nation state, hacktivism, etc.

4

5 IDR Program Best Practices
Business Goals and Priorities
Asset and Inventory Management
Attack Surface Management
Threat Detection
Threat Validation and Investigation
Breach Containment
Cleanup and Mitigation
Constant Improvements

6 Spearphishing
91% of breaches begin with a spearphish (PhishMe)
Still the preferred method of infiltration; effective in almost 100% of cases
It's evolving: more relevance to the target; IT problems scare people, and attackers know that; attackers perform targeted recon
72% of observed phishing emails are sent on weekdays (M-Trends)
78% of observed phishing emails are IT related (M-Trends)

7 Spearphish Attack Lifecycle
Stages: link/attachment -> dropper -> malware -> backdoor
The email: technology (relies on threat intelligence); awareness (it works!)
The dropper: technology (sandbox, AV, whitelisting, proxy); patching (no exploit == no dropper)
The malware: technology (sandbox, AV, whitelisting, behavior analysis, network IDS/IPS)

8 Exploit and Abuse
35% of breaches begin with a web compromise (DBIR)
VPN and other remote access technology: single-factor VPN, virtualized environment
Traditional exploits: exploitable vulnerabilities on internet-facing assets
Web-based exploits: web server, web application, backing databases
73% of vulnerabilities in 2014 are remotely exploitable (Secunia)
89% of EHR applications use single-factor authentication (Duo Security)

9 Internet Facing Vulnerability
Exploit lifecycle: exploit internet-facing vulnerability -> local system access -> deploy backdoor -> lateral movement
The vulnerability: vulnerability scanning and patch management
The exploit: sandbox
The backdoor: sandbox, AV, whitelisting
Lateral movement: behavior analysis, proper network segmentation

10 Reconnaissance

11 Active Directory Enumeration
DSQuery.exe – query for objects in AD

12 Active Directory Enumeration
DSGet.exe – get object details from AD

13 Active Directory Enumeration
GPResult.exe – view Group Policy Objects for computers and users

14 Local/Remote Network Drive Enumeration
Net.exe view \\COMPUTERNAME – view network shares on a remote computer
Net.exe view /DOMAIN – view network shares on a domain
Net.exe share – view local network shares

15 More Discovery
Find.exe: find [/v] [/c] [/n] [/i] "string" [[Drive:][Path]FileName[...]] – search for passwords, IP addresses, PII
Network scans
SMB scans
PSTools

16 Lateral Movement

17 Pass the Hash – PSExec / Metasploit

18 Pass the Hash – WCE.exe (Windows Credentials Editor)

19 NTDS.dit Offline Cracking
NTDS.dit is a full backup of the AD database, including passwords
Use VSSAdmin.exe to create a volume shadow copy
Copy the NTDS.dit file from the volume shadow copy
Exfil offline and use your favorite hash cracking tools

20 Scheduled Tasks – At.exe, Schtasks.exe
Schedule running code on remote hosts

21 PSExec – run arbitrary programs on a remote system
Other PSTools: PSFile, PSInfo, PSList, PSKill, PSLoggedOn, PSLogList, PSService

22 Other Techniques
Backdoors – deploy backdoors on all systems of interest with remote shell capabilities
Proxies – to move around segregated networks with ACLs in place
Keyloggers – capture credentials typed by the user
Authentication Hooking – hook the Windows authentication and grab hashes/passwords
WMI – the sky is the limit!
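The discovery and lateral-movement slides above (dsquery/dsget/gpresult, net view/share, find, at/schtasks, PSExec, WCE, the VSSAdmin/NTDS.dit chain) are all built from tooling that also shows up in routine administration, so a single command is weak evidence while a host chaining several of them is not. The following is an added detection sketch, not material from the presentation: it parses constructed process-creation records (the timestamp|host|user|command-line format, the technique labels and the sample hosts are all assumptions) and flags hosts on which two or more distinct techniques appear.

```python
"""Flag hosts whose process-creation logs chain the discovery and lateral-movement
tools from the deck. Record format (constructed): timestamp|host|user|command line."""
import re
from collections import defaultdict

# Technique label -> pattern over the command line. Labels are hypothetical.
RULES = [
    ("ad_enumeration", re.compile(r"\b(dsquery|dsget|gpresult)(\.exe)?\b", re.I)),
    ("share_enumeration", re.compile(r"\bnet(\.exe)?\s+(view|share)\b", re.I)),
    ("file_discovery", re.compile(r'\bfind(\.exe)?\s+(/[vcni]\s+)*"', re.I)),
    ("remote_scheduling", re.compile(r"\b(at(\.exe)?\s+\\\\|schtasks(\.exe)?\s.*\s/s\s)", re.I)),
    ("remote_exec", re.compile(r"\bpsexec(\.exe)?\b", re.I)),
    ("credential_dump", re.compile(r"\bwce(\.exe)?\b", re.I)),
    ("shadow_copy", re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b", re.I)),
    ("ntds_access", re.compile(r"ntds\.dit\b", re.I)),
]

SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    "2015-03-02T09:58:01|WS-042|CORP\\jdoe|dsquery user -name * -limit 0",
    "2015-03-02T09:59:20|WS-042|CORP\\jdoe|net.exe view /DOMAIN",
    "2015-03-02T10:03:47|WS-042|CORP\\jdoe|find /i \"password\" C:\\Users\\*.txt",
    "2015-03-02T10:15:02|WS-042|CORP\\jdoe|at \\\\FS-01 23:00 cmd /c C:\\Windows\\Temp\\b.exe",
    "2015-03-02T10:20:11|WS-042|CORP\\jdoe|psexec.exe \\\\FS-01 -s cmd.exe",
    "2015-03-02T11:02:33|DC-01|CORP\\svc_backup|vssadmin create shadow /for=C:",
    "2015-03-02T11:04:10|DC-01|CORP\\svc_backup|copy C:\\Windows\\NTDS\\ntds.dit C:\\Temp\\",
    "2015-03-02T08:30:00|WS-017|CORP\\helpdesk|net share",
]

def parse_event(line):
    """Split one pipe-delimited record; the command line may itself contain '|'."""
    ts, host, user, cmdline = line.split("|", 3)
    return {"ts": ts, "host": host, "user": user, "cmdline": cmdline}

def classify(cmdline):
    """Return every technique label whose pattern matches this command line."""
    return [label for label, rx in RULES if rx.search(cmdline)]

def techniques_by_host(lines):
    """Map host -> sorted list of distinct techniques observed on it."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        seen[ev["host"]].update(classify(ev["cmdline"]))
    return {host: sorted(labels) for host, labels in seen.items() if labels}

def flag_hosts(lines, min_techniques=2):
    """A lone 'net share' is routine admin noise; a host that chains two or
    more distinct techniques is worth an analyst's look."""
    return sorted(h for h, t in techniques_by_host(lines).items() if len(t) >= min_techniques)
```

On the sample data WS-042 (enumeration, file search, remote scheduling, PSExec) and DC-01 (shadow copy plus NTDS.dit access) are flagged, while the help-desk host running a single net share is not; the threshold and patterns are a starting point to tune against your own baseline.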

23 Mission Target

24 Staging
RAR.exe: can encrypt data; can create small parts to reassemble later; not always present on systems
Zip.exe: can encrypt; always present on systems
MakeCab.exe: .CAB files blend in well with Windows

25 Maintain Presence

26 Maintain Presence
Webshells: web-based full-function backdoors hidden in legitimate applications
Remote access (VPN, etc): reuse compromised credentials to maintain access through legitimate remote access technologies
Backdoors: attackers log in to perform maintenance tasks on backdoors and dump additional credentials

27 Q/A Thank you!
