Garrett Schubert – EMC Corporation Critical Incident Response Center
Transcript of Garrett Schubert – EMC Corporation Critical Incident Response Center
Malware\Host Analysis for Level 1 Analysts
“Decrease exposure time from detection to eradication”
Garrett Schubert – EMC Corporation, Critical Incident Response Center
Incident Response\Content Lead
Surgery on the front lines
The Adversary
- Criminals
  - Petty criminals: unsophisticated, but noisy
  - Organized crime: organized, sophisticated supply chains (PII, PCI, financial services, retail)
- Non-state actors
  - Cyber-terrorists / hacktivists: political targets of opportunity, mass disruption, mercenary
  - Insiders: various reasons, including collaboration with the enemy
- Nation state actors
  - Nation states: government, defense contractors, IP-rich organizations, waterholes
Attack Lifecycle (Kill Chain)*
- Reconnaissance: research & mapping the target
- Weaponize: create the malware
- Delivery: send to target
- Exploitation: compromise host
- Installation: install backdoor
- C2: control the device
- Action: exfiltrate data
*http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
Incident Response Team Maturity
An Evolution: CIRC 2009 to Today
- CIRC 2009: Eyes on Glass, Analysis, Forensic, Coordination, Remediation, Rule/Report Creation, Workflow Development
- Today (L1, L2, L3): CIRT, Content Analytics, Cyber Threat Intelligence, Advanced Tool & Tactics
  - Specific functions
  - Reduces “Scope Creep”
  - Focused workflow
Incident Monitoring & Response
- Cyber Threat Intelligence: Threat Indicator Portal (IOCs), Source Actor Attribution, Attack Sensing & Warning, Social Media, High Value Target (HVT)
- CIRT: Eyes-On-Glass, End User Intake, Event Triage / Incident Command, Incident Containment, 24x7 Coverage
- Content Analytics: Content Development, Integration, Scripting, Workflow, Rules/Reports
- Advanced Tool & Tactics: Reverse Malware Engineering, Host & Network Forensic, Hunters, Cause & Origin Determination, Scripting & Integration
Low Quality - Black and White
Where’s Waldo now?
The People
The Process
- Log and packet data sources: AV, Auth, WAF, DLP, AD, WLAN, EP, URL, FW, IPS
- Data Enhancement: Location, Identity, Division, Department, Data, Asset Value, Geo Info, Regulation
- CIRC incident workflow: Threats, Incidents, GRC
- Stakeholders: IT, HR, Legal, Eng.
The Tech
PlugX (Sogu) Use case
- EMC CIRC received intelligence about a command and control server.
- The C2 server was identified as the call back station for a PlugX RAT.
- MISSION: Identify impact to EMC and defend against all found threats
Network traffic
Find the malware from C2
Network Connection to Process
Scoping threat within Organization
Origination of malware – Root cause
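The analysis steps of the PlugX use case (indicator in hand, find who talked to the C2, pivot from the connection to the owning process, scope the affected assets) as an added example in Python; this is not code from the slides or from EMC CIRC, and every hostname, address, log line, process name and the C2 indicator are constructed stand-ins:

```python
# Added example, not code from the slides: walk the PlugX use case from a C2
# indicator to affected hosts, owning process and asset context. Every host,
# address, log line and the C2 indicator below is constructed for illustration.
from collections import defaultdict
C2_IOC = "203.0.113.45"  # constructed stand-in for the C2 server from the intel
# Constructed firewall log: timestamp then k=v fields (src, dst, dport, bytes out).
FIREWALL_LOG = """\
2014-03-02T09:12:01Z src=10.1.4.22 dst=203.0.113.45 dport=443 out=81234
2014-03-02T09:12:09Z src=10.1.4.22 dst=93.184.216.34 dport=80 out=2204
2014-03-02T09:15:44Z src=10.2.7.9 dst=203.0.113.45 dport=443 out=1023
2014-03-02T09:16:02Z src=10.3.1.5 dst=198.51.100.7 dport=443 out=77
"""
# Constructed endpoint connection table: (process, pid, dst, dport) per host.
HOST_CONNECTIONS = {
    "10.1.4.22": [("svchost.exe", 1044, "203.0.113.45", 443),
                  ("chrome.exe", 3120, "93.184.216.34", 80)],
    "10.2.7.9": [("rundll32.exe", 2210, "203.0.113.45", 443)],
}
# Constructed asset context, the business data the slides say to attach at alert time.
ASSET_CONTEXT = {
    "10.1.4.22": {"identity": "jdoe", "division": "Engineering", "asset_value": "high"},
    "10.2.7.9": {"identity": "kiosk01", "division": "Facilities", "asset_value": "low"},
}

def parse_line(line):
    """Split one log line into a dict of its k=v fields plus the timestamp."""
    ts, *fields = line.split()
    return dict([f.split("=", 1) for f in fields] + [("ts", ts)])

def hosts_talking_to(ioc, log=FIREWALL_LOG):
    """Scope the threat: internal sources that reached the C2, with bytes sent."""
    totals = defaultdict(int)
    for rec in map(parse_line, log.splitlines()):
        if rec["dst"] == ioc:
            totals[rec["src"]] += int(rec["out"])
    return dict(totals)

def process_for_connection(host, ioc, port=443):
    """Pivot from the network connection to the owning (process, pid) on the host."""
    for name, pid, dst, dport in HOST_CONNECTIONS.get(host, []):
        if dst == ioc and dport == port:
            return name, pid
    return None

def build_alerts(ioc=C2_IOC):
    """One enriched alert per affected host, highest asset value first for triage."""
    rank = {"high": 0, "medium": 1, "low": 2}
    alerts = [{"host": h, "bytes_out": b, "process": process_for_connection(h, ioc),
               **ASSET_CONTEXT.get(h, {})} for h, b in hosts_talking_to(ioc).items()]
    return sorted(alerts, key=lambda a: rank.get(a.get("asset_value"), 3))
```

Calling `build_alerts()` returns the two affected hosts with their owning process and division attached, so the Level 1 analyst gets the context at alert time rather than having to query for it.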
Recommendations
- Cyber Threat Intelligence
  - Prioritize your intel!
  - Not all IoCs have the same threat
- Content Analytics
  - Get business\organizational context at alert
  - Don’t make the analyst query for data you know they need
- “Frontline” IR Analysts - CIRT
  - Level 1 analysts need the right tools
  - Stop training run books – THINK out of the box
- Malware Team - ATTA
  - Share\document TTP and pivot points of specific campaigns
Questions?
The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him.
- Sun Tzu, The Art of War