Company Confidential
Activated Charcoal: Making Sense of Endpoint Data
Greg Foss, Head of Global Security Operations, LogRhythm
Sarah Miller, Threat Intelligence Analyst, Carbon Black
The Endpoint is the new Perimeter
The easiest path into any network…
Social Engineering
Nothing like a little pretext to get people to click on your links…
• Phishing
  • 91% of ‘advanced’ attacks began with a phishing email or similar social engineering tactics.
  • http://www.infosecurity-magazine.com/view/29562/91-of-apt-attacks-start-with-a-spearphishing-email/
• 2014 Metrics
  • Average cost per breach => $3.5 million
  • 15% higher than the previous year
  • http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis
Drive By Downloads, Malvertizing, and Watering Hole Attacks
Image Source: https://blog.kaspersky.com/what-is-malvertising/5928/
Training is Critical to Success
Key Focus Areas:
• Employees
Image Source: http://www.cloudpro.co.uk/hr/5803/gov-offers-hr-workers-free-cyber-security-training
End User Tips - Phishing
All You Need is +
Shortened URL Tracking
Feedback Loop
Testing and Validation
Rogue Wi-Fi Network – Threat Simulation
USB Drop – Training Exercise : Case Study
Building a Believable Campaign
Use realistic files with somewhat realistic data
Staged approach to track file access and exploitation
“Nobody’s going to run an exe from some random USB” - Greg
Yep… They ran it...
Now we have our foothold…
Fortunately they didn’t run this as an admin
Key Focus Areas:
• Employees
• IT Staff
  • Roles and Responsibilities
  • Incident Response Duties
  • Configuration Monitoring
  • Malware Removal
  • Security Infrastructure
Key Focus Areas:
• Employees
• IT Staff
• Security Staff
  • Table Top and Red vs Blue Exercises
  • Threat Simulation Leads to Process Improvement
  • Announced vs Unannounced Simulations or Penetration Testing
Purple Team FTW!
• Employees
• IT Staff
• Security Staff
  • Table Top and Red vs Blue Exercises
  • Threat Simulation Leads to Process Improvement
  • Announced vs Unannounced Simulations or Penetration Testing
Key Focus Areas:
• Employees
• IT Staff
• Security Staff
• Leadership
Key Focus Areas:
• Employees
• IT Staff
• Security Staff
• Leadership
• Processes and Procedures
Continuous Monitoring and Detection
Automating OSINT and Response
Diagram: API integration between OSINT and analysis services (DomainTools, PassiveTotal, VirusTotal, Cisco AMP ThreatGRID) and the SecOps infrastructure (Netflow / IDS, Firewalls, Proxy / DNS, Endpoint, SIEM)
Malware Beaconing
Correlate Network / Log Activity with Endpoint Data
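As an added example (not from the slides and not code from either vendor's product), the following Python script shows the correlation this slide describes: it looks for regularly spaced connections in firewall or netflow-style logs, then joins each candidate host/destination pair with endpoint sensor network-connection events to name the process behind it. The log lines, host names, addresses and process names are constructed; the thresholds (at least 6 connections, coefficient of variation of the intervals at most 0.2) are assumptions to tune against your own traffic.

```python
"""Beacon candidate detection: regular-interval connections in network logs,
then attribution to a process using endpoint network-connection events.
Added example; all sample data below is constructed, not from the slides."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed netflow/firewall-style records: timestamp, source host, destination, port.
# 203.0.113.7 is contacted roughly every 60 seconds; 198.51.100.20 is ordinary browsing.
NETWORK_LOG = """\
2016-03-01T10:00:00 WS-042 203.0.113.7 443
2016-03-01T10:00:10 WS-042 198.51.100.20 443
2016-03-01T10:00:15 WS-042 198.51.100.20 443
2016-03-01T10:00:17 WS-042 198.51.100.20 443
2016-03-01T10:01:01 WS-042 203.0.113.7 443
2016-03-01T10:01:59 WS-042 203.0.113.7 443
2016-03-01T10:02:40 WS-042 198.51.100.20 443
2016-03-01T10:02:42 WS-042 198.51.100.20 443
2016-03-01T10:03:01 WS-042 203.0.113.7 443
2016-03-01T10:04:00 WS-042 203.0.113.7 443
2016-03-01T10:04:59 WS-042 203.0.113.7 443
2016-03-01T10:06:01 WS-042 203.0.113.7 443
2016-03-01T10:06:50 WS-042 198.51.100.20 443
2016-03-01T10:07:00 WS-042 203.0.113.7 443
"""

# Constructed endpoint sensor records (network-connection events with the owning process):
# timestamp, host, pid, process name, destination
ENDPOINT_EVENTS = """\
2016-03-01T10:00:00 WS-042 4512 upd.exe 203.0.113.7
2016-03-01T10:00:10 WS-042 2200 chrome.exe 198.51.100.20
"""


def parse_network_log(text):
    """Parse whitespace-separated connection records into dicts with a datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, port = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "host": host,
                        "dst": dst, "port": int(port)})
    return records


def find_beacon_candidates(records, min_connections=6, max_cv=0.2):
    """Group connections by (host, dst) and flag pairs whose inter-connection
    intervals are nearly constant (low coefficient of variation)."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["host"], r["dst"])].append(r["ts"])
    candidates = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            candidates[pair] = {"count": len(times), "mean_interval": avg, "cv": cv}
    return candidates


def parse_endpoint_events(text):
    """Parse constructed endpoint network-connection records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, pid, proc, dst = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "pid": int(pid), "process": proc, "dst": dst})
    return events


def attribute_to_process(candidates, endpoint_events):
    """Join beacon candidates with endpoint data to name the responsible process."""
    by_pair = defaultdict(set)
    for e in endpoint_events:
        by_pair[(e["host"], e["dst"])].add((e["process"], e["pid"]))
    results = []
    for (host, dst), stats in sorted(candidates.items()):
        procs = sorted(by_pair.get((host, dst), set()))
        results.append({"host": host, "dst": dst, **stats,
                        "processes": procs or [("unknown", None)]})
    return results


if __name__ == "__main__":
    cands = find_beacon_candidates(parse_network_log(NETWORK_LOG))
    for hit in attribute_to_process(cands, parse_endpoint_events(ENDPOINT_EVENTS)):
        print(f"{hit['host']} -> {hit['dst']}: {hit['count']} connections every "
              f"~{hit['mean_interval']:.0f}s (cv={hit['cv']:.3f}) via {hit['processes']}")
```

Low jitter on its own is not proof of anything: software updaters and monitoring agents beacon too, which is why the endpoint join matters and why the output keeps the process name and PID rather than only the destination.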
Macro Phishing Attacks
• Common
• Bypasses Most AV
• Heavily Obfuscated
• Newer attacks targeting Office 365
Macro Attack Detection
Full Command Line Details
Be Careful – Don’t Jump To Conclusions…
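An added example, not code from the presentation or from either product: triage of process-start events for macro-driven attacks using the parent process, the child process and the full command line, with the "don't jump to conclusions" step built in as allowlists and a review tier between ignore and alert. The events, the allowlists, the trait list and the weights are constructed assumptions.

```python
"""Parent/child process triage for Office macro attacks using the full command line.
Added example; events, allowlists and weights are constructed, not from the slides."""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                   "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}

# Command-line traits and their weights; only the full command line makes these visible
CMDLINE_TRAITS = [
    ("encoded command", re.compile(r"-e(c|nc|ncodedcommand)?\b", re.I), 3),
    ("hidden window", re.compile(r"-w(indowstyle)?\s+hidden", re.I), 2),
    ("no profile", re.compile(r"-nop\b|-noprofile\b", re.I), 1),
    ("execution policy bypass", re.compile(r"-ex(ecutionpolicy)?\s+bypass", re.I), 1),
    ("download cradle", re.compile(r"downloadstring|downloadfile|invoke-webrequest", re.I), 3),
    ("user-writable path", re.compile(r"\\appdata\\|\\temp\\|%temp%", re.I), 2),
]

# Constructed allowlists: pairs and scripts this environment is known to produce legitimately
KNOWN_GOOD_PAIRS = {("winword.exe", "splwow64.exe"), ("outlook.exe", "winword.exe")}
KNOWN_INTERNAL_SCRIPTS = {r"\\corp-fs01\finance\month_end.bat"}

ALERT_AT, REVIEW_AT = 7, 4

# Constructed process-start events as an endpoint sensor would report them
EVENTS = [
    {"host": "WS-042", "user": "jdoe", "parent": "WINWORD.EXE", "process": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QQBCAEMA"},
    {"host": "WS-017", "user": "mbrown", "parent": "EXCEL.EXE", "process": "cmd.exe",
     "cmdline": r"cmd.exe /c \\corp-fs01\finance\month_end.bat"},
    {"host": "WS-042", "user": "jdoe", "parent": "WINWORD.EXE", "process": "splwow64.exe",
     "cmdline": "splwow64.exe 12288"},
    {"host": "WS-058", "user": "svc_deploy", "parent": "explorer.exe", "process": "powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\svc_deploy\AppData\Local\Temp\deploy.ps1"},
]


def triage(event):
    """Score one process-start event and return the verdict with the reasons behind it."""
    parent = event["parent"].lower()
    child = event["process"].lower()
    cmdline = event["cmdline"]
    reasons, score = [], 0

    if (parent, child) in KNOWN_GOOD_PAIRS:
        return {**event, "score": 0, "verdict": "ignore",
                "reasons": ["known-good parent/child pair"]}

    if parent in OFFICE_PARENTS and child in SCRIPT_CHILDREN:
        score += 4
        reasons.append(f"{parent} spawned {child}")
    for name, pattern, weight in CMDLINE_TRAITS:
        if pattern.search(cmdline):
            score += weight
            reasons.append(name)

    # Don't jump to conclusions: a known internal script earns a look, not a page-out
    internal = any(s.lower() in cmdline.lower() for s in KNOWN_INTERNAL_SCRIPTS)
    if internal:
        reasons.append("matches known internal script")
    if score >= ALERT_AT and not internal:
        verdict = "alert"
    elif score >= REVIEW_AT:
        verdict = "review"
    else:
        verdict = "ignore"
    return {**event, "score": score, "verdict": verdict, "reasons": reasons}


def triage_all(events):
    """Triage a batch of events; keeps every event so analysts can see what was ignored and why."""
    return [triage(e) for e in events]


if __name__ == "__main__":
    for r in triage_all(EVENTS):
        print(f"{r['verdict']:6} score={r['score']:2} {r['host']} {r['user']}: "
              f"{r['parent']} -> {r['process']} [{', '.join(r['reasons'])}]")
```

The fourth event is the caution in code form: the command line alone carries suspicious traits, but without the Office parent it scores into the ignore tier, and the record keeps user, parent and full command line so the decision can be revisited rather than taken on a keyword match.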
Centralized Logging and Event Management
Threat Feed Configuration
Full Event Alerting
Syslog Only
Tuning Feeds
Watchlist Configuration
Carbon Black Event Forwarder
LogRhythm => Use LEEF Format
https://github.com/carbonblack/cb-event-forwarder
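Added example, not the cb-event-forwarder's own code: a small parser for LEEF 1.0 and 2.0 lines of the kind a forwarder would send to LogRhythm over syslog, including the delimiter handling that differs between the two versions (1.0 is tab-delimited by definition; 2.0 declares its delimiter in the header). The sample lines, their attribute names and the event id values are constructed assumptions; consult the forwarder's documentation for the real field names.

```python
"""LEEF 1.0 / 2.0 parser for events forwarded to a SIEM.
Added example; sample lines and field names are constructed, not real forwarder output."""

# Constructed samples: a LEEF 2.0 line with a hex-coded tab delimiter, a LEEF 1.0 line
# (tab-delimited by definition), and a LEEF 2.0 line with a literal delimiter behind a syslog header.
SAMPLE_LINES = [
    "LEEF:2.0|CarbonBlack|CbResponse|5.1|watchlist.hit|x09|devTime=2016-03-01T10:00:00Z\t"
    "hostname=WS-042\tprocess=upd.exe\tcmdline=upd.exe -silent\twatchlist=Suspicious Beacon Process",
    "LEEF:1.0|CarbonBlack|CbResponse|5.1|feed.hit|devTime=2016-03-01T10:01:00Z\thostname=WS-017\t"
    "process=cmd.exe\tfeed=vt-malicious\tmd5=00000000000000000000000000000000",
    "<13>Mar  1 10:02:00 cb-server LEEF:2.0|CarbonBlack|CbResponse|5.1|watchlist.hit|^|"
    "devTime=2016-03-01T10:02:00Z^hostname=WS-058^process=splwow64.exe^watchlist=Office Child Processes",
]


def _decode_delimiter(spec):
    """LEEF 2.0 delimiter field: empty means tab, 'xHH' is a hex character code, anything else is literal."""
    if spec == "":
        return "\t"
    if len(spec) in (3, 4) and spec[0] in "xX":
        try:
            return chr(int(spec[1:], 16))
        except ValueError:
            pass
    return spec


def parse_leef(line):
    """Parse one LEEF line (optionally prefixed by a syslog header) into header fields and attributes."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("not a LEEF event")
    body = line[start:]
    version = body[5:8]
    if version == "2.0":
        parts = body.split("|", 6)
        if len(parts) != 7:
            raise ValueError("malformed LEEF 2.0 header")
        delim, attrs_blob = _decode_delimiter(parts[5]), parts[6]
    elif version == "1.0":
        parts = body.split("|", 5)
        if len(parts) != 6:
            raise ValueError("malformed LEEF 1.0 header")
        delim, attrs_blob = "\t", parts[5]
    else:
        raise ValueError(f"unsupported LEEF version {version!r}")
    attrs = {}
    for pair in attrs_blob.split(delim):
        if "=" in pair:
            key, value = pair.split("=", 1)
            attrs[key.strip()] = value
    return {"version": version, "vendor": parts[1], "product": parts[2],
            "product_version": parts[3], "event_id": parts[4],
            "syslog_prefix": line[:start].strip() or None, "attrs": attrs}


def watchlist_hits(lines):
    """Keep only watchlist hits and flatten the fields an alarm rule would key on.
    The 'watchlist.hit' event id is an assumption of this example, not a documented value."""
    hits = []
    for line in lines:
        ev = parse_leef(line)
        if ev["event_id"] == "watchlist.hit":
            a = ev["attrs"]
            hits.append({"host": a.get("hostname"), "process": a.get("process"),
                         "watchlist": a.get("watchlist"), "time": a.get("devTime")})
    return hits


if __name__ == "__main__":
    for hit in watchlist_hits(SAMPLE_LINES):
        print(f"{hit['time']} {hit['host']} {hit['process']}: {hit['watchlist']}")
```

Splitting the header on at most five or six pipes, rather than on every pipe, is what keeps a pipe character inside an attribute value (a command line, say) from corrupting the parse.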
Dashboards and Investigations
Long Tail Analysis
Strange activity can bubble to the surface when viewing the whole picture
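Added example (not from the slides): long-tail analysis over process executions across a constructed fleet of workstations. Ranking by the number of hosts that ran a path, rather than by raw execution count, is the choice that lets a once-run binary on one host surface above the daily noise; a second pass compares file-name prevalence with path prevalence, so a familiar name running from an unusual directory stands out. The fleet, hosts and paths are constructed.

```python
"""Long-tail analysis over endpoint process executions.
Added example with a constructed fleet; no data from the slides."""
from collections import defaultdict
import ntpath


def build_fleet(n_hosts=50):
    """Construct a deterministic sample fleet as (host, executable path) records."""
    records = []
    for i in range(1, n_hosts + 1):
        host = f"WS-{i:03d}"
        records += [(host, r"C:\Program Files\Google\Chrome\Application\chrome.exe")] * 40
        records += [(host, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE")] * 10
        records += [(host, r"C:\Windows\System32\svchost.exe")] * 30
        if i != 7:
            records += [(host, r"C:\Users\Public\Teams\Teams.exe")] * 5
    records += [("WS-001", r"C:\Tools\procmon.exe")] * 200          # one chatty admin workstation
    records += [("WS-042", r"C:\Users\jdoe\AppData\Roaming\upd\upd.exe")] * 12
    records += [("WS-058", r"C:\Users\mbrown\AppData\Roaming\upd\upd.exe")] * 3
    records += [("WS-017", r"C:\Windows\Temp\svchost.exe")] * 1     # common name, unusual path
    return records


def prevalence(records):
    """Per executable path: (number of distinct hosts, total executions)."""
    hosts = defaultdict(set)
    execs = defaultdict(int)
    for host, path in records:
        hosts[path].add(host)
        execs[path] += 1
    return {p: (len(hosts[p]), execs[p]) for p in hosts}


def long_tail(records, max_hosts=2):
    """Paths seen on at most max_hosts hosts, rarest first. Execution count is reported
    but ranks second: one chatty host must not make a path look common across the fleet."""
    prev = prevalence(records)
    tail = [(p, h, e) for p, (h, e) in prev.items() if h <= max_hosts]
    return sorted(tail, key=lambda t: (t[1], t[2], t[0]))


def name_path_mismatch(records, common_hosts=10, rare_hosts=2):
    """Paths whose file name is common across the fleet (>= common_hosts hosts) while the
    full path itself is rare (<= rare_hosts hosts)."""
    prev = prevalence(records)
    name_hosts = defaultdict(set)
    for host, path in records:
        name_hosts[ntpath.basename(path).lower()].add(host)
    return sorted(p for p, (h, _) in prev.items()
                  if h <= rare_hosts and len(name_hosts[ntpath.basename(p).lower()]) >= common_hosts)


if __name__ == "__main__":
    fleet = build_fleet()
    print("Long tail (hosts, executions, path):")
    for path, hosts, execs in long_tail(fleet):
        print(f"  {hosts:3} {execs:5} {path}")
    print("Common name, rare path:")
    for path in name_path_mismatch(fleet):
        print(f"  {path}")
```

On the constructed fleet the tail is, in order, the Temp-directory svchost.exe (one host, one run), the two upd.exe copies, and procmon.exe on the admin box; the 200 procmon executions are the reminder that volume and prevalence are different questions.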
Taking it a Step Further…
Additional Integration
• Alarming: Trigger on Specific Watch List Hits
• Admin Tracking
• Reporting
• Automation: Perform Actions Based on Alarms Observed
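Added example for this slide and for the Automating OSINT and Response slide earlier, not code from either product: alarm-driven response with guardrails. Each alarm is enriched, then an action is chosen, and automatic isolation is refused unless the OSINT result corroborates the alarm, the host is not a critical asset, and the host was not already isolated within a cooldown window. The INTEL_CACHE dictionary stands in for the OSINT API lookups (VirusTotal, PassiveTotal and the like) a real integration would make; the alarms, asset list, thresholds and cooldown are constructed assumptions.

```python
"""Alarm-driven response automation with guardrails.
Added example; alarms, intel cache and asset lists are constructed, not from the slides."""
from datetime import datetime, timedelta

# Constructed stand-in for OSINT lookups; a real integration would call the services' APIs
INTEL_CACHE = {
    "md5:11111111111111111111111111111111": {"source": "vt", "detections": 41, "total": 57},
    "md5:22222222222222222222222222222222": {"source": "vt", "detections": 0, "total": 57},
    "ip:203.0.113.7": {"source": "passivetotal", "tags": ["sinkhole", "c2"]},
}

# Constructed asset context: automation never isolates these; a person owns that decision
CRITICAL_ASSETS = {"DC01", "FS01", "SQL01"}
ISOLATE_COOLDOWN = timedelta(hours=6)

# Constructed alarms as a SIEM would raise them from watchlist hits
ALARMS = [
    {"host": "WS-042", "watchlist": "Suspicious Beacon Process", "severity": "high",
     "md5": "11111111111111111111111111111111", "ip": "203.0.113.7"},
    {"host": "DC01", "watchlist": "Suspicious Beacon Process", "severity": "high",
     "md5": "11111111111111111111111111111111"},
    {"host": "WS-017", "watchlist": "Office Child Processes", "severity": "high",
     "md5": "22222222222222222222222222222222"},
    {"host": "WS-058", "watchlist": "Admin Tool Usage", "severity": "medium"},
    {"host": "WS-042", "watchlist": "Suspicious Beacon Process", "severity": "high",
     "md5": "11111111111111111111111111111111", "ip": "203.0.113.7"},
]


def enrich(alarm):
    """Attach intel for every indicator the alarm carries; a missing lookup stays explicit."""
    intel = {}
    for kind in ("md5", "ip"):
        value = alarm.get(kind)
        if value:
            intel[f"{kind}:{value}"] = INTEL_CACHE.get(f"{kind}:{value}", {"source": None})
    return {**alarm, "intel": intel}


def corroborated(alarm):
    """True when OSINT supports the alarm: a hash flagged by at least half the engines,
    or an indicator tagged as command and control."""
    for hit in alarm["intel"].values():
        if hit.get("total") and hit["detections"] / hit["total"] >= 0.5:
            return True
        if "c2" in hit.get("tags", []):
            return True
    return False


def decide(alarm, recent_isolations, now):
    """Return the actions for one enriched alarm as (action, reason) pairs.
    Every alarm gets a ticket; only corroborated, non-critical, not-recently-isolated
    high-severity hits are isolated automatically."""
    host = alarm["host"]
    actions = [("ticket", f"{alarm['watchlist']} on {host}")]
    if alarm["severity"] != "high":
        return actions
    if not corroborated(alarm):
        actions.append(("escalate", "high severity without OSINT corroboration; analyst review"))
        return actions
    if host in CRITICAL_ASSETS:
        actions.append(("page_oncall", f"{host} is a critical asset; manual isolation decision"))
        return actions
    last = recent_isolations.get(host)
    if last and now - last < ISOLATE_COOLDOWN:
        actions.append(("skip_isolate", f"{host} isolated {now - last} ago; not repeating"))
        return actions
    actions.append(("isolate", f"corroborated high-severity hit on {host}"))
    recent_isolations[host] = now
    return actions


def run(alarms, now=None, recent_isolations=None):
    """Process alarms in order, sharing the isolation history across them."""
    now = now or datetime(2016, 3, 1, 10, 0, 0)
    recent_isolations = recent_isolations if recent_isolations is not None else {}
    return [decide(enrich(a), recent_isolations, now) for a in alarms]


if __name__ == "__main__":
    for alarm, actions in zip(ALARMS, run(ALARMS)):
        print(alarm["host"], alarm["watchlist"])
        for action, reason in actions:
            print(f"    {action}: {reason}")
```

The repeated WS-042 alarm at the end exercises the cooldown: the second hit still gets a ticket but does not trigger a second isolation, which keeps a noisy watchlist from hammering the endpoint API or the analyst queue.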
Thank You!
QUESTIONS?
Greg Foss, Greg . Foss [at] LogRhythm . com, @heinzarelli
Sarah Miller, SMiller [at] CarbonBlack . com, @beyazfar3