
Malware\Host Analysis for Level 1 Analysts “Decrease exposure time from detection to eradication” Garrett Schubert – EMC Corporation Critical Incident.



Presentation transcript:


2 Malware\Host Analysis for Level 1 Analysts
“Decrease exposure time from detection to eradication”
Garrett Schubert – EMC Corporation Critical Incident Response Center, Incident Response\Content Lead

3 Surgery on the front lines


5 The Adversary
- Criminals: unsophisticated but noisy; organized, sophisticated supply chains (PII, PCI, financial services, retail). Actors: organized crime, petty criminals.
- Non-state actors: various reasons, including collaboration with the enemy; political targets of opportunity, mass disruption, mercenary. Actors: cyber-terrorists / hacktivists, insiders.
- Nation state actors: government, defense contractors, IP-rich organizations, waterholes. Actors: nation states.

6 Attack Lifecycle (Kill Chain)
- Reconnaissance: research and mapping the target
- Weaponize: create the malware
- Delivery: send to target
- Exploitation: compromise host
- Installation: install backdoor
- C2: control the device
- Action: exfiltrate data
*http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf

7 Incident Response Team Maturity: An Evolution
CIRC 2009:
- Eyes on Glass
- Analysis
- Forensic
- Coordination
- Remediation
- Rule/Report Creation
- Workflow Development
Today, tiered L1 / L2 / L3: Advanced Tool & Tactics, Cyber Threat Intelligence, CIRT, Content Analytics
- Specific functions
- Reduces “Scope Creep”
- Focused workflow

8 Teams: Advanced Tool & Tactics, Cyber Threat Intelligence, CIRT, Content Analytics
Functions shown on the slide:
- Incident Monitoring & Response
- Threat Indicator Portal (IOCs)
- Source Actor Attribution
- Attack Sensing & Warning
- Social Media
- High Value Target (HVT)
- Eyes-On-Glass
- End User Intake
- Event Triage / Incident Command
- Incident Containment
- 24x7 Coverage
- Content Development
- Integration Scripting
- Workflow
- Rules/Reports
- Reverse Malware Engineering
- Host & Network Forensic
- Hunters
- Cause & Origin Determination
- Scripting & Integration


10 Low Quality - Black and White


12 Where’s Waldo now?

13 The People

14 The Process
Log and Packet data sources: AV, Auth, WAF, DLP, AD, WLAN, EP, URL, FW, IPS
Data Enhancement: Location, Identity, Division, Department, Data Asset Value, Geo Info, Regulation
Threats / Incidents / GRC
Incident Workflow: CIRC, IT, HR, Legal, Eng.

15 The Tech

16 PlugX (Sogu) Use case
EMC CIRC received intelligence about a command and control server. The C2 server was identified as the call-back station for a PlugX RAT.
MISSION: Identify impact to EMC and defend against all found threats.

17 Network traffic

18 Find the malware from C2

19 Network Connection to Process

20 Scoping threat within Organization

21 Origination of malware – Root cause

22 Recommendations
- Cyber Threat Intelligence: prioritize your intel! Not all IoCs carry the same threat.
- Content Analytics: get business\organizational context at alert time; don’t make the analyst query for data you know they need.
- “Frontline” IR Analysts (CIRT): Level 1 analysts need the right tools. Stop training run books – THINK out of the box.
- Malware Team (ATTA): share\document TTPs and pivot points of specific campaigns.

23 Questions?

24 The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him. - Sun Tzu, The Art of War

