• Why Are Some Attackers So Hard To Detect?
• A Risk-Based Structured Approach
• Detecting the Undetectable

Framework for Improving Critical Infrastructure Cybersecurity
Identify, Protect, Detect, Respond, Recover
http://www.nist.gov/cyberframework/

• It is very difficult to impossible to stop all hackers and malware (i.e. “assume breach”)
• If you can’t stop them, then the next best thing is early detection
• …Unfortunately, we aren’t doing a good job at that…

Verizon Data Breach Report 2014
“85% of breaches were spotted by an EXTERNAL party,” and
“In 82 percent of cases...the victim possessed the ability to discover the breach had they been more diligent in monitoring and analyzing event-related information available to them at the time of the incident.”
2008 Verizon Data Breach Investigations Report

• Initial compromise often begins at badly monitored or unmonitored client workstation or computer
• Then, hackers use legitimate user credentials to do rest of damage
• Access data the compromised user would normally access
• Use same portals end-users would use (e.g. OWA, etc.)

Hackers:
• Use same remote access methods (e.g. RDP, etc.) as legitimate admins
• Use legitimate tools (e.g. Sysinternals utilities, built-in tools, etc.)
• (AV doesn’t alert)
• Don’t leave easy to notice markers

Traditional event monitoring has a hard time detecting:
• Data Copying
• Buffer overflows
• Password hash dumps
• Zero days
• Normal behavior occurring anomalously (e.g. time, source, frequency, etc.)

The Anatomy Of The Attack
Tiers: Power: Domain Controllers; Data: Servers and Applications; Access: Users and Workstations
1. Bad guy targets workstations en masse
2. User running as local admin compromised, Bad guy harvests credentials.
3. Bad guy starts “credentials crabwalk”
4. Bad guy finds host with domain privileged credentials, steals, and elevates privileges
5. Bad guy owns network, can harvest what he wants.

• http://www.microsoft.com/security/sir/default.aspx
• http://www.microsoft.com/en-us/download/details.aspx?id=36036
• V1
• V2
• http://www.nist.gov/cyberframework/
• http://www.verizonenterprise.com/resources/reports/es_data-breach-investigations-report-2013_en_xg.pdf

• Implement a Structured, Risk-Based, Aligned Defense Plan
• Baseline
• Use Built-In Windows Tools
• Use Free Downloadable Tools
• Network Traffic Analysis
• A Better Strategy for Logging and Alerting
• Get Creative

A Structured Approach…
Most organizations do not right-align their defenses to the threats they are actually incurring:
• They can’t name the #1 way they are exploited
• They focus on too many “fires” and too many long term projects
• They don’t do the simple things that would give them great bang for the buck
• They don’t really know or understand their computers and their network
• How can anyone readily detect the right things given these conditions?

New Strategy
• Identify what absolutely indicates badness
• Turn on monitoring on high value assets first
• Forward only events that absolutely indicate badness to central collection point
• Alert
• Always investigate alerts

New Strategy – 3 Classes of Monitoring
• Single Events, Which By Themselves, Indicate Badness
• Single or Aggregate Events On a Single Subject Which Indicate Badness
• Aggregate Events Across Enterprise or Business Unit Which Indicate Badness

Object Access Auditing
• Windows 8 and Windows 7 provide much more granular auditing of object access and changes.
• For example, EventID 4657 (Registry Value Changed)

Special Logon Groups
Event 4964 – Special groups have been assigned to a new logon
• Event created when a user belonging to a “special group” logs on
• Indicate what groups are “special” by listing them in a custom registry key as a string value, using group SID
  HKLM\System\CurrentControlSet\Control\Lsa\Audit\SpecialGroups
• Separate groups by semi-colon (;)

Special Logon Groups
Event 4908 – Special Groups Logon Table Modified
• Indicates when the list of special groups has been modified
• You indicate what groups are “special” by listing them in a special string value, using their SID
  HKLM\System\CurrentControlSet\Control\Lsa\Audit\SpecialGroups
• Separate group SIDs in the registry key by semi-colons. No limit to the number of groups

• Application Control/Auditing Program
• Great for Stopping Unknown Executables and Scripts from executing
• Collect Baselines
• Try Enabling in Audit-Only Mode
• Report/Investigate Future Exceptions

Caveats
• Only on Windows 7/Windows 2008 R2 and later
• Doesn’t Catch Everything
• Use along with Process Tracking

• Long-time Microsoft/Sysinternals Utility
• Can now check all running executables against 50+ AV engines in a few seconds
• Checks Against VirusTotal.com
• Caution: Won’t Detect Everything

• vents it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understan
• http://technet.microsoft.com/en-us/sysinternals/dn798348.aspx

Sysmon.exe -i [-h [sha1|md5|sha256]] [-n]
Sysmon.exe -c [[-h [sha1|md5|sha256]] [-n]|--]
Sysmon.exe -u

Options: -c, -h, -i, -m, -n, -u

Honeytokens, Red Herrings, and Canary Values
• Digital data which is created and monitored solely as an indicator of digital theft
• They can be real data with a “marker” contained within or fake data that simply doesn’t exist in the real world, or at least within a given enterprise
• If you detect its use or attempted use, send an alert

• Discover the Traits That Make Some Malicious Hackers Difficult to Detect
• Create a Structured, Risk-Based Approach
• Learn Ways To Detect Malicious Hackers
• Understand Which Microsoft Technologies Can Best Help You
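
The three classes of monitoring and the honeytoken rule from the slides above, as an added example (not part of the original deck): a small Python triage pass over constructed Windows Security events. Event IDs 4964 and 4908 come from the slides; the 4624/4625 logon events, the decoy account name, the thresholds and the event dictionaries are assumptions made for illustration.

```python
from collections import defaultdict

# Assumptions for illustration: the decoy account and thresholds are made up.
HONEYTOKENS = {"svc-backup-old"}        # accounts nobody should ever use
ALWAYS_BAD = {4908}                     # Special Groups Logon Table Modified
FAILED_LOGON, LOGON, SPECIAL_LOGON = 4625, 4624, 4964
MAX_FAILURES = 3                        # class 2: per-subject threshold
MAX_HOSTS = 3                           # class 3: hosts one account may touch

def triage(events):
    """Return sorted alerts as (monitoring_class, reason, subject) tuples."""
    alerts = set()
    failures = defaultdict(int)
    hosts_by_user = defaultdict(set)
    for e in events:
        eid, user, host = e["id"], e["user"], e["host"]
        # Class 1: a single event that by itself indicates badness.
        if eid in ALWAYS_BAD:
            alerts.add((1, "special-groups list modified", host))
        if user in HONEYTOKENS and eid in (LOGON, FAILED_LOGON):
            alerts.add((1, "honeytoken account used", user))
        # Class 2: single or aggregate events on one subject.
        if eid == FAILED_LOGON:
            failures[(user, host)] += 1
            if failures[(user, host)] > MAX_FAILURES:
                alerts.add((2, "repeated logon failures", user))
        # Class 3: aggregate across the enterprise. Special-group logons (4964)
        # spreading over many hosts resemble the "credentials crabwalk".
        if eid == SPECIAL_LOGON:
            hosts_by_user[user].add(host)
            if len(hosts_by_user[user]) > MAX_HOSTS:
                alerts.add((3, "privileged account on many hosts", user))
    return sorted(alerts)

# Constructed sample events (not real log data).
SAMPLE = (
    [{"id": 4625, "user": "alice", "host": "WS01"}] * 4
    + [{"id": 4964, "user": "da-bob", "host": f"WS{n:02d}"} for n in range(1, 5)]
    + [{"id": 4625, "user": "svc-backup-old", "host": "WS07"},
       {"id": 4908, "user": "SYSTEM", "host": "DC01"},
       {"id": 4624, "user": "carol", "host": "WS02"}]
)

if __name__ == "__main__":
    for alert in triage(SAMPLE):
        print(alert)
```

Only the four alerting conditions leave the function, which mirrors the "forward only events that absolutely indicate badness" step; the thresholds would be set from a baseline of normal admin behaviour.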