Detect Active Cyber-Attacks in Real Time - PowerPoint PPT Presentation

About This Presentation
Title:

Detect Active Cyber-Attacks in Real Time

Description:

Bad guys are lurking in your network neighborhood, kicking doors and testing entry points, all the time. Threatscape 2015 is evolving rapidly, but your resources and staff may not be enough to meet these challenges. Most IT security heads and admins are so busy managing operations and ensuring the company's ongoing security efforts that "detection deficit" sets in and they miss key indicators that their network has been compromised. Learn about:
  • Rogue process detection
  • Evidence of persistence
  • Suspicious traffic
  • Unknown processes
  • Unusual OS artifacts


Transcript and Presenter's Notes

1
Detect Active Cyber-Attacks in Real Time: Protect
your Network
2
Threatscape 2015
Big problem
Expensive
Detection Deficit
Insider? Outsider?
3
EventTracker Threatscape 2015: New Cyber Security
reality for the under-staffed enterprise
  • Assume that a successful/damaging cyber attack on
    your infrastructure has already occurred.
  • 200 days on average before detection
  • 100% of larger orgs are attacked every day; 1 in
    5 SMEs are targeted each year
  • 76% of all intrusions involve compromised
    credentials
  • Bad traffic is now encrypted, which thwarts
    network packet inspection (IDS/IPS)
  • Evidence of intrusions gets buried within
    millions of other artifacts
  • Prevention (firewalls, AV, AD/NAC, IDS/IPS) is
    not enough:
    • 100% of breached orgs already had these in place.

4
DFIR in EventTracker v8: Addressing the Detection
Deficit
  • Perform automated DFIR on Windows workstations
    and servers
  • Move endpoint digital forensics to daily SOP for
    early detection of:
    • Rogue Processes
    • Unknown Services Running
    • Unusual OS artifacts
    • Evidence of Persistence
    • Suspicious Network Activity

5
Solution to the problem: 90% automation / 10%
investigation
  • Implement post-mortem forensics and analysis
    as real-time SOP for earlier detection of
    threats.
  • Deploy advanced, purpose-built threat sensors
  • Threat intelligence feeds integrated and
    correlated to actual enemy contact in real time
  • Behavior analysis/anomaly detection based on
    heuristics
  • Application whitelisting
  • And most importantly, skilled people paying
    attention to the basics, 365 days a year,
    especially server and workstation skills.

6
Market feedback
  • Security Gap
  • Compliance ≠ Security
  • Stakeholders personally affected by breaches
  • Compliance is a requirement
  • Help reduce cost
  • Skill shortage
  • Impacting ROI on SIEM projects
  • Machine learning, less rules tweaking

7
Existing defenses?
  • Anti Virus
    • Catches some malware based on signatures
    • Attackers are hip to its jive
  • IDS
    • Detects network-borne attacks
    • Can't see the endpoint or out legitimate
      traffic
  • DLP
    • Can catch data movement to/from removable media
  • SIEM
    • Sees all logs, but is everything logged?

8
How are they attacking?
  • Malware-based
    • Threat: Establish beachhead
    • Threat: Lateral movement
    • Threat: Exfiltrate data
  • Compromised credentials-based
    • Threat: Valid programs for invalid purpose
    • Threat: Out-of-ordinary

9
Threat: Establish beachhead
  • Malware lands on the endpoint
    • As e-mail attachment?
    • From infected USB?
  • Evades Anti Virus
  • Defense
    • Detect launch of every process
    • Compare hash against safe list (local and NSRL)
    • Alert if first-time-seen and not on safe list
  • Caveat: Requires framework + a watcher

10
Threat: Lateral movement
  • Move from less to more valuable systems
    • From desktop to server/firewall
  • Defense
    • User behavior, location affinity
    • Trace files from endpoint (prefetch, default.rdp,
      etc.)
    • Valid but unusual EXE presence (e.g. route.exe)
  • Caveat: Requires framework + machine learning

11
Threat: Exfiltrate data
  • Hides as normal traffic
    • Avoids detection by proxy, network monitor
  • Defense
    • Monitor network activity (esp. north/south) for
      out-of-ordinary behavior
    • IDS is useful but can't say which process was
      responsible
    • Combination of unknown process connecting to
      low-reputation outside address is a strong advantage
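
The defenses on the beachhead and exfiltration slides can be combined into one small detection loop: keep per-hash first-seen state, compare every launch against a local safe list and an NSRL-style known-good set, and treat an unknown process that connects to a low-reputation address as the strongest signal. The code below is an added illustration, not EventTracker's sensor or ruleset; every hash, hostname and address in it is a constructed placeholder.

```python
# Added example (not EventTracker code): first-seen process detection against a
# local safe list plus an NSRL-style known-good hash set, then correlation of
# unknown processes with connections to low-reputation addresses.
# All hashes, hosts and addresses are constructed placeholders, not real indicators.
SAFE_LOCAL = {"a1" * 32}               # constructed: hash of an approved in-house tool
NSRL = {"b2" * 32, "c3" * 32}          # constructed stand-in for NSRL known-good hashes
LOW_REPUTATION = {"203.0.113.7"}       # constructed: TEST-NET-3 address "from a threat feed"

class EndpointWatcher:
    """Keeps first-seen state per hash across process-launch and connect events."""
    def __init__(self):
        self.seen = {}            # sha256 -> (host, image) of the first launch
        self.proc = {}            # (host, pid) -> (image, sha256) for later correlation

    def process_launch(self, host, pid, image, sha256):
        """Alert once per hash that is on neither safe list and has never been seen."""
        self.proc[(host, pid)] = (image, sha256)
        if sha256 in SAFE_LOCAL or sha256 in NSRL or sha256 in self.seen:
            return None                  # approved, or an unknown already alerted on
        self.seen[sha256] = (host, image)
        return f"FIRST-SEEN {image} sha256={sha256[:12]}... on {host}"

    def network_connect(self, host, pid, dst_ip, dst_port):
        """Unknown process + low-reputation destination: the 'strong advantage' case."""
        image, sha256 = self.proc.get((host, pid), ("<unknown>", None))
        unknown = sha256 not in SAFE_LOCAL and sha256 not in NSRL
        if unknown and dst_ip in LOW_REPUTATION:
            return f"HIGH {image} on {host} -> {dst_ip}:{dst_port} (unknown process, bad reputation)"
        return None

# Constructed endpoint events, in the order a sensor would report them.
EVENTS = [
    ("launch", "WS-MKT-01", 412, r"C:\Windows\System32\svchost.exe", "b2" * 32),
    ("launch", "WS-MKT-01", 980, r"C:\Users\amy\AppData\Local\Temp\upd.exe", "d4" * 32),
    ("connect", "WS-MKT-01", 980, "203.0.113.7", 80),
    ("launch", "WS-MKT-02", 655, r"C:\Users\bob\AppData\Local\Temp\upd.exe", "d4" * 32),
]

def run(events):
    """Feed events through one watcher and return the alerts it raised, in order."""
    watcher, alerts = EndpointWatcher(), []
    for kind, host, pid, *rest in events:
        handler = watcher.process_launch if kind == "launch" else watcher.network_connect
        alert = handler(host, pid, *rest)
        if alert:
            alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for line in run(EVENTS):
        print(line)
```

The second launch of the same unknown hash on WS-MKT-02 raises no new alert because the hash is already in the first-seen table; a real deployment would still want to record that spread.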

12
Endpoint Threat Detection & Response
  • What is required to defend today's network?
    • A framework to collect endpoint data
      (running processes, network connections, Windows
      services, users, registry entries, more)
    • A central repository which can receive, store and
      index the data
    • An expandable ruleset to baseline and analyze the
      data
    • And (wait for it...) an analyst to
      triage/review/escalate for remediation

13
Scenario
  • Win 7 desktop; user is with the marketing dept
  • Required to visit external websites regularly
  • Defenses
    • Up-to-date platform (Windows updates)
    • DHCP address
    • Next-gen firewall
    • Up-to-date, brand-name Anti Virus
    • IDS with updated signatures scanning north/south

14
What was seen
  • New Windows service created
    • Persists on logoff or reboot
    • Invisible to the normal user
  • Connects to an external site
    • Avoids proxy detection by using IP address
    • Avoids blocking by using port 80
  • Trace back showed phishing e-mail, apparently
    from HR
  • About 14 hours later, anti-malware signatures
    updated and a deep scan suggested it was
    Blakamba
  • Three days later, Anti-Malware showed other files
    in temp folders with same signature
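
The indicators in this scenario (a freshly installed auto-start service, its binary outside the usual system directories, and an outbound connection to a bare IP on port 80) are all things a daily endpoint review can score without waiting 14 hours for a signature. The example below is added here and is not EventTracker's ruleset; it assumes service-install records flattened to key=value text (the Windows Service Control Manager logs these as System-log event 7045), and every log line, service name, path and address in it is constructed.

```python
# Added example (not EventTracker code): score evidence of persistence from
# constructed "service installed" records (Service Control Manager event 7045)
# and raise the score when that service binary later talks to a bare IP on port 80.
# Log lines, service names, paths and the address are constructed, not real IoCs.
import re

# Constructed System-log extracts in a flattened key=value form an agent might ship.
SERVICE_INSTALLS = [
    'EventID=7045 Host=WS-MKT-01 ServiceName="Update Helper" '
    r'ImagePath="C:\Users\amy\AppData\Roaming\updhlp.exe" Account=LocalSystem StartType="auto start"',
    'EventID=7045 Host=WS-MKT-01 ServiceName="Google Update Service" '
    r'ImagePath="C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" Account=LocalSystem StartType="demand start"',
]
CONNECTIONS = [  # (host, image path, destination, port); constructed
    ("WS-MKT-01", r"C:\Users\amy\AppData\Roaming\updhlp.exe", "198.51.100.23", 80),
    ("WS-MKT-01", r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe", "update.example.com", 443),
]
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
IP_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_7045(line):
    """Return a dict of fields from one flattened record, with quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def score_service(rec, connections):
    """0 = nothing unusual; each indicator from the scenario adds one point."""
    path = rec["ImagePath"].lower()
    reasons = []
    if not path.startswith(TRUSTED_DIRS):
        reasons.append("binary outside Windows/Program Files")
    if rec.get("StartType", "").startswith("auto"):
        reasons.append("auto-start: survives logoff and reboot")
    for host, image, dst, port in connections:
        if host == rec["Host"] and image.lower() == path and IP_LITERAL.match(dst) and port == 80:
            reasons.append(f"connects to bare IP {dst}:80 (no hostname for the proxy to judge)")
    return len(reasons), reasons

def review(installs=SERVICE_INSTALLS, connections=CONNECTIONS):
    """Return (ServiceName, score, reasons) for every installed service, worst first."""
    rows = [(r["ServiceName"],) + score_service(r, connections) for r in map(parse_7045, installs)]
    return sorted(rows, key=lambda row: -row[1])

if __name__ == "__main__":
    for name, score, reasons in review():
        print(f"[{score}] {name}: {'; '.join(reasons) or 'no indicators'}")
```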

15
EventTracker Framework
  • Central Console
    • Data Collection
    • Indexing
    • Analysis
    • Storage
  • Sensor for Windows
    • MS Gold certified
    • Runs in user space
    • Tiny footprint
  • Options for IDS, Vulnerability Assessment, Packet
    inspection

16
Diligent
17
SIEM Simplified: Services to get expert help with
EventTracker software installed on premise or in
the cloud
Your IT Assets
  • We provide remote Managed Services
    • RUN: Basic ET Admin + Threat Feeds
    • WATCH: Analytics/Remediation Recos
    • COMPLY: Compliance Services
    • TUNE: Advanced ET Tuning
    • ET VAS: Vulnerability Assessment Service
    • ET IDS: Managed SNORT signature updates

18
Gartner View of Cyber Security Market Maturity
19
Secure your Network
Your Challenge: Growing attack frequency and
sophistication. Your Need: Cost-effective threat
remediation. Scalable. Smart.
20