Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS....
Transcript of Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS....
![Page 1: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/1.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.
Fighting a different battle than
conventional cybersecurity companies
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.
Attackers Prey on Uncertainty:
How to Fail at Threat Detection
February 7th, 2020
![Page 2: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/2.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.2
Agenda
Attacker vs. Defender Mindset
The New Threat Landscape
Sophisticated Insiders
Sophisticated External Attackers
Rogue Insider Play-by-Play
Encounter with a Russian APT
Data-Centric Security Strategy
![Page 3: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/3.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.3
Turning the Black Swans White
![Page 4: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/4.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.4
Are You the Farmer or the Turkey?
![Page 5: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/5.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.5
”
“
Yossi Sassi
Defenders live in a world of uncertainty.
The goal is to reduce the attacker’s window of opportunity and reduce uncertainty.
Visibility is the game.
![Page 6: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/6.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.6
Do you have the visibility and context to answer these questions?
Who is using which device?
Who is connecting to our VPN? From where?
Are any suspicious DNS requests being made?
Who is using data on-premises and in the cloud?
Is any data access suspicious or abnormal?
Are users uploading sensitive data to insecure websites?
![Page 7: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/7.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.7
Sophisticated Insider Threats
![Page 8: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/8.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.8
How Insiders Evade Detection
Use a valid device during business hours
Create shadow accounts or use service accounts
Go low and slow
Access unmonitored VIP mailboxes
Grant permissions and then remove them
Mask malicious activities with noise
![Page 9: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/9.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.9
Sophisticated External Attackers
![Page 10: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/10.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.10
Living off the Land
Only using resources already available
Don’t touch the disk or trigger A/V scanning
Load scripts in context of legitimate process
(e.g., powershell.exe)
File-less nature makes the indicators of
compromise harder to detect
![Page 11: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/11.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.11
Ever get this prompt out of the blue?
![Page 12: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/12.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.12
![Page 13: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/13.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.13
How can you block this? Windows needs it.
![Page 14: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/14.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.14
Here’s an attack we detected recently
A savvy engineer decides to monetize corporate secrets
Compromises a service account with Domain Admin (Kerberoasting)
Uses personal workstation crack the account’s password
With privileged service account, user scans file shares for confidential files
ZIPs the files and exfiltrates via personal Gmail account
![Page 15: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/15.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.15
Step 1: Find accounts with Service Principal Names
![Page 16: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/16.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.16
Step 2: Get their Kerberos tickets
![Page 17: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/17.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.17
Step 3: Which of these accounts have elevated privileges?
![Page 18: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/18.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.18
Step 4: Let’s crack one (offline)
![Page 19: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/19.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.19
Step 5: Let’s use our new account to find some files
![Page 20: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/20.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.20
Step 6: Put them in a zip file
![Page 21: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/21.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.21
Step 7: Use Service Account to login to web proxy and Gmail
![Page 22: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/22.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.22
Step 8: Create an email and send
![Page 23: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/23.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.23
DNS tunneling is stealthier for exfiltration
![Page 24: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/24.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.24
Especially when your security vendors do it, too!
Domain: 3.1o19sr00n68…67226sorn3.p29p3…506rp979s.***581p.i.00.s.****hosxl.netRecord type: TXT
Payload 1 “Attacker” DomainPayload 2
![Page 25: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/25.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.25
How quickly & accurately can you
answer the most important question:
“Is our data safe?”
![Page 26: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/26.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.26
The CISO / Board Disconnect
Source: The Cyber Balance Sheet, Cyentia Institute
![Page 27: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/27.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.27
Where is your regulated data located?
Is any of that data exposed and at-risk?
Do only the right people have access?
How is regulated data being processed?
Can you find and delete personal data?
Modern regulations are data-centric
![Page 28: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/28.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.28
So what visibility & context do we need?
ACTIVE DIRECTORY
Potential ticket
harvesting attack
Abnormal access to
sensitive data by a
service account
First time access to
the internet by a
service account
Data exfiltration
attempt via DNS
tunneling
DATA ACCESS NETWORK & DNS
BackupService logs
into Jim-PC for the
first time
![Page 29: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/29.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.29
Varonis alerted on malicious activity
Well-known IR firm told customer there was no sign of
compromise
Customer called the Varonis IR team to be sure
IR team
Discovered and contained infection in 13 minutes
IR began remediation, recovery, and forensics
Research team
Reversed Qbot malware and exposed C2 server
Extracted victim list and found future variants
Russian APT Encounter
![Page 30: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/30.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.30
Malware Analysis: Reversing Qbot Banking Trojan
EVASION
Looked for specific AVs and EDRs
Malware signed with valid certificate
Randomly generated filenames
INFECTION
Phishing emails w/ attachments
Dropped malicious VBS file
Loads payload with BITSAdmin
PERSISTENCE
Runs on startup
Created registry value
Created Scheduled Task
![Page 31: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/31.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.31
Malware Analysis: Show Me the Money
LATERAL MOVEMENT
Scanned for domain users
Brute-forced accounts
Abused default credentials
EXPLOITATION
Opened explorer.exe
Injected In-memory process
Overwrote real explorer.exe
EXFILTRATION
Installed keylogger
Stole banking site cookies
Hooks API calls to intercept
financial info
![Page 32: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/32.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.32
At Least 2,726 Victims Worldwide
![Page 33: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/33.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.33
How do we succeed as
defenders?
![Page 34: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/34.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.34
We know what attackers want:
it's almost always data
![Page 35: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/35.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.35
What if security started with data?
DATA
DETECT
PREVENT
SUSTAIN
We’d know where our sensitive data lives
We’d monitor it for abuse
Only the right people would have access
We’d efficiently sustain our secure state
![Page 36: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/36.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.36
What kind of sensitive
data do I have?
Where is sensitive data
overexposed?
Where are users acting
strangely or maliciously?
What’s being used and
what’s not?
Risk Assessments Reduce Uncertainty
![Page 37: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/37.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.37
OPERATIONALIZE
• Enable alerts and automate response
• Connect to SIEM
• Create and test incident response plans
• Operationalize reporting
• Apply labels
• Index for compliance
DEPLOY
• Deploy
Varonis
• Discover
privileged
accounts
• Classify
sensitive data
• Baseline
activity
• Prioritize risk
FIX
• Remediate exposed sensitive data
• Eliminate remaining global access groups
• Eliminate AD artifacts
• Quarantine sensitive data
• Archive/delete stale data
TRANSFORM
• Identify and assign data owners
• Simplify permissions structure
• Enable data-driven reporting
AUTOMATE
• Automate authorization workflow via Data Owners
• Automate periodic entitlement reviews
• Automate disposition,
quarantining, policy enforcement
IMPROVE
• Regularly review risks, alerts and processes to ensure continuous improvement
Varonis Operational Journey
![Page 38: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/38.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.38
Key Takeaways
If you assume compromise, protecting data should be a priority
Be the farmer, not the turkey!
Sophisticated insiders and external attackers can evade detection
Defenders should seek to reduce uncertainty with visibility and context
Combining the right ingredients can reduce TTD/TTR and help you answer: “Is our
data safe?”
Risk assessments are a great first step in reducing uncertainty
![Page 39: Attackers Prey on Uncertainty: How to Fail at Threat Detection€¦ · 29 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL. Varonis alerted on malicious activity Well-known IR firm told](https://reader034.fdocuments.in/reader034/viewer/2022050222/5f67f948e082c86e30060b5d/html5/thumbnails/39.jpg)
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.
Thank You
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.
Aaron Koning
Security Engineer