Company Confidential

Powered by

Activated CharcoalMaking Sense of Endpoint Data

Company Confidential

Greg Foss

Head of Global Security Operations

OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, Cyber APT

The Endpoint is the new Perimeter

Company Confidential

The easiest path into any network…

Company Confidential

Social Engineering

Nothing like a little pretext to get people to click on your links…

Company Confidential

• Phishing• 91% of ‘advanced’ attacks began with a phishing email

or similar social engineering tactics.• http://www.infosecurity-magazine.com/view/29562/91-of-

apt-attacks-start-with-a-spearphishing-email/

• 2014 Metrics• Average cost per breach => $3.5 million• 15% Higher than the previous year

• http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis

Company Confidential

Drive By Downloads, Malvertizing, and Watering Hole Attacks

Image Source: https://blog.kaspersky.com/what-is-malvertising/5928/

Company Confidential

Company Confidential

Training is Critical to Success

Company Confidential

Key Focus Areas:

• Employees

Image Source: http://www.cloudpro.co.uk/hr/5803/gov-offers-hr-workers-free-cyber-security-training

Company Confidential

End User Tips - Phishing

Company Confidential

All You Need is +

Company Confidential

Shortened URLTracking

Testing and Validation

Company Confidential

Rogue Wi-Fi Network – Threat Simulation

Company Confidential

USB Drop – Training Exercise : Case Study

Company Confidential

Building a Believable Campaign

Use realistic files with somewhat realistic data

Staged approach to track file access and exploitation

Company Confidential

Profit

Send an email when the Macro is run…

Use a bogus email (unlike I did here) – I know, I know. Bad OpSec.

Company Confidential

Tools\calculator.exe

Company Confidential

“Nobody’s going to an an exe from some random USB” - Greg

Yep… They ran it...

Company Confidential

Now we have our foothold…

Fortunately they didn’t run this as an admin

Company Confidential

Company Confidential

Key Focus Areas:

• Employees

• IT Staff

• Roles and Responsibilities

• Incident Response Duties

• Configuration Monitoring

• Malware Removal

• Security Infrastructure

Company Confidential

Key Focus Areas:

• Employees

• IT Staff

• Security Staff

• Table Top and Red vs Blue Exercises

• Threat Simulation Leads to Process Improvement

• Announced vs Unannounced Simulations or Penetration Testing

Company Confidential

Purple Team FTW!

• Employees

• IT Staff

• Security Staff

• Table Top and Red vs Blue Exercises

• Threat Simulation Leads to Process Improvement

• Announced vs Unannounced Simulations or Penetration Testing

Company Confidential

Key Focus Areas:

• Employees

• IT Staff

• Security Staff

• Leadership

Company Confidential

Key Focus Areas:

• Employees

• IT Staff

• Security Staff

• Leadership

• Processes and Procedures

Continuous Monitoring and Detection

Company Confidential

Automating OSINT and Response

Domain Tools

Passive Total

VirusTotal

Cisco AMP ThreatGRID

Netflow / IDS

Firewalls

Proxy / DNS

Endpoint

SIEM

API Integration SecOps Infrastructure

Company Confidential

Company Confidential

Malware Beaconing

Company Confidential

Company Confidential

Malware Beaconing

Company Confidential

Correlate Network / Log Activity with Endpoint Data

Company Confidential

Macro Phishing Attacks

• Common

• Bypasses Most AV

• Heavily Obfuscated

• Newer attacks

targeting Office 365

Company Confidential

Macro Attack Detection

Company Confidential

Full Command Line Details

Company Confidential

Full Command Line Details

Company Confidential

Be Careful – Don’t Jump To Conclusions…

Company Confidential

Be Careful – Don’t Jump To Conclusions…

Centralized Logging and Event Management

Company Confidential

Company Confidential

Threat Feed Configuration

Company Confidential

Full Event Alerting

Company Confidential

Syslog Only

Company Confidential

Watchlist Configuration

Company Confidential

Carbon Black Event Forwarder

LogRhythm => Use LEEF Format

https://github.com/carbonblack/cb-event-forwarder

Dashboards and Investigations

Company Confidential

Company Confidential

Company Confidential

Long Tail Analysis

Strange activity can bubble to the surface when viewing the whole picture

Company Confidential

Company Confidential

Taking it a Step Further…

Company Confidential

Additional Integration

Alarming

Trigger on Specific Watch List Hits

Company Confidential

Additional Integration

Alarming

Admin Tracking

Company Confidential

Additional Integration

Alarming

Admin Tracking

Reporting

Company Confidential

Additional Integration

Alarming

Admin Tracking

Reporting

Automation

Perform Actions Based on Alarms Observed

Company Confidential

LogRhythmChallenge . com

Booth #600 #logrhythmchallenge

Company Confidential

Mini Network Monitor

Booth #600

Company Confidential

Thank You!

QUESTIONS?

Greg Foss

Greg . Foss [at] LogRhythm . com

@heinzarelli