Page 1: Anomaly Detection and You

Anomaly Detection & You!

Sean Cassidy – CTO, Praesidio

https://www.praesidio.com

Page 2: Anomaly Detection and You

Your network security

✓ Firewall ✓ Security Policies ✓ Anti-virus ✓ Anti-malware ✓ Intrusion detection ✓ Log collection ✓ Alerting

✓ Software updates ✓ Phishing training ✓ Threat intel ✓ Access Control ✓ Endpoint security ✓ Two factor auth ✓ Memory forensics

NOT ENOUGH

Page 3: Anomaly Detection and You

How are attackers still winning?

From: [email protected]
To: [email protected]
Subject: Loan Possibilities

Hey Sean!

I am interested in applying for a loan. I am looking at a few houses in my price range. My agent sent me an MLS listing that I attached, but it might have been corrupted. It displays sort of funny, it's a Word doc apparently. Once I click "Enable Content" at the top, it works. Can you see if you can open it?

My credit is pretty good so I'm hoping my loan application will go through smoothly. My credit score is 705 and I make $68,000 a year. Please let me know if any of the houses in the attached MLS are within my price range for an approval.

Thanks :)
Sophia

• Normal email address, never used before
• Sent to the person who does this, very believable
• Your employees want to be helpful!
• Well-written email makes it seem legit

Page 4: Anomaly Detection and You
Page 5: Anomaly Detection and You

Now they're on one of the workstations

• Maintaining access and avoiding detection
– Anti-virus is easy to bypass
– Rootkits and remote access tools are easy to write and even easier to use
• Watch the traffic on the machine to figure out what assets are on the network without scanning
• Take it slow, time is in the attacker's favor

Page 6: Anomaly Detection and You

Pivoting

• What's next for the attacker?
– Leverage the user's creds
– Exploit out-of-date software on the network
– Ransomware
• Escalate and spread
– If your network is hard on the outside and soft on the inside, you're toast
– Nothing is trusted

Page 7: Anomaly Detection and You

What would have helped?

✓ Firewall ✓ Security Policies ✓ Anti-virus ✓ Anti-malware ✓ Intrusion detection ✓ Log collection ✓ Alerting

✓ Software updates ✓ Phishing training ✓ Threat intel ✓ Access Control ✓ Endpoint security ✓ Two factor auth ✓ Memory forensics

?

Page 8: Anomaly Detection and You

Signature-based detection is flawed

• Change the malware to not fit AV signatures
– IDS signatures, too
• Use different IPs/domains to evade threat intel
– Hijack legit servers (CDNs, etc.)
• Spear phishing is cheap and effective
• Mobile workforce means there's often no perimeter

Page 9: Anomaly Detection and You

“Signature-based detection is only 40-60% effective. Anomaly detection helps fill the gap.”

– Thomas Hill, CIO, Live Oak Bank

Page 10: Anomaly Detection and You

Anomaly Detection: more signal

• Attackers must do something your employees don't
– Exfiltrate data
– Install backdoors
– Add nodes to a botnet
– Modify systems

Page 11: Anomaly Detection and You

Anomaly detection watches everything

✓ Firewall ✓ Security Policies ✓ Anti-virus ✓ Anti-malware ✓ Intrusion detection ✓ Log collection ✓ Alerting

✓ Software updates ✓ Phishing training ✓ Threat intel ✓ Access Control ✓ Endpoint security ✓ Two factor auth ✓ Memory forensics

Page 12: Anomaly Detection and You

How do you use anomaly detection?

1. Model your network for threats
2. Develop attacker scenarios
3. Find the data which would indicate compromise
4. Develop algorithms to find those indicators

Page 13: Anomaly Detection and You

Step 1: Threat Modeling

• What are the entry points?
– Not just your perimeter!
• What assets are important to you? To an attacker?
• Where do you have monitoring? Where are you blind?
• What mitigations do you have in place? What if those fail?

Page 14: Anomaly Detection and You

Step 2: Scenarios

• Data exfiltration
– Normally, your file server is busiest during the work day
– Late at night, lots of data is outbound
• Botnet activity
– The traffic on your network is mostly web traffic
– Over the past few days, IRC usage is way up, why?

Page 15: Anomaly Detection and You

Step 2: Scenarios

• Insider threat
– One of your employees' computers is active on a weekend
– Was it hacked, or are they trying to evade detection?
• Reconnaissance
– This week there's a lot of activity from Eastern Europe and China
– Are they probing your network for weaknesses?

Page 16: Anomaly Detection and You

Step 3: Data

• Instrumentation
– Network
– IDS
– Endpoints
• Collected into one central place
• Big data solution to crunch the numbers

Page 17: Anomaly Detection and You

Step 4: Algorithms

• Start simple, with what you can easily explain
– Exponential moving averages
– Netflix's Surus, Yahoo's EGADS
• As your solution matures, explore more advanced algorithms
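As an added illustration of the "start simple" advice (this is example code written for this page, not Praesidio's product or the Surus/EGADS libraries), the detector below keeps a per-host exponential moving average of outbound bytes per interval plus an EMA of the absolute deviation, and flags an interval that exceeds mean + k × deviation. It covers the Step 2 exfiltration scenario: a file server with a steady daytime volume that suddenly pushes far more data out. The byte counts and host name are constructed.

```python
from collections import defaultdict


class EmaVolumeDetector:
    """Per-host volumetric anomaly detector using exponential moving averages."""

    def __init__(self, alpha=0.2, k=4.0, warmup=5):
        self.alpha = alpha      # smoothing factor: higher adapts faster to new levels
        self.k = k              # how many deviations above the mean counts as anomalous
        self.warmup = warmup    # intervals to observe before alerting on a host
        self.mean = {}
        self.dev = {}
        self.seen = defaultdict(int)

    def observe(self, host, out_bytes):
        """Feed one interval's outbound volume; return True if it is anomalous."""
        n = self.seen[host]
        self.seen[host] = n + 1
        if n == 0:
            self.mean[host], self.dev[host] = float(out_bytes), 0.0
            return False
        mean, dev = self.mean[host], self.dev[host]
        # Floor the deviation at 5% of the mean so a perfectly flat baseline
        # does not make every tiny wiggle an alert.
        threshold = mean + self.k * max(dev, 0.05 * mean)
        anomalous = n >= self.warmup and out_bytes > threshold
        # Update the baseline with the value clipped to the threshold: a spike
        # should not instantly become the new "normal", but a sustained rise
        # is still absorbed over a few intervals.
        err = min(out_bytes, threshold) - mean
        self.mean[host] = mean + self.alpha * err
        self.dev[host] = dev + self.alpha * (abs(err) - dev)
        return anomalous


def scan(records, **kwargs):
    """Run the detector over (host, out_bytes) records; return flagged (index, host, bytes)."""
    det = EmaVolumeDetector(**kwargs)
    return [(i, h, b) for i, (h, b) in enumerate(records) if det.observe(h, b)]


# Constructed sample: outbound MB per interval for one file server. Interval 10
# is the "entire database to Dropbox" moment from the volumetric slide.
SAMPLE = [("fileserver", mb) for mb in
          [50, 52, 48, 51, 49, 50, 53, 47, 50, 51, 2000, 50]]

if __name__ == "__main__":
    print(scan(SAMPLE))   # -> [(10, 'fileserver', 2000)]
```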

Page 18: Anomaly Detection and You

How Praesidio does Anomaly Detection

• Volumetric
• Protocol
• Temporal
• Geographic
• Role
• Lateral
• Custom

Page 19: Anomaly Detection and You

Volumetric Anomaly Detection

Detects changes in data volume for each host on your network

Data exfiltration

Botnet activity

Misconfigured systems

Lateral movement

"Someone just uploaded our entire database to Dropbox."

Page 20: Anomaly Detection and You

Temporal Anomaly Detection

Detects each device's natural cadence and reports deviations

Insider threats

Data exfiltration

Lateral movement

"One employee was active at 3am on a weekend, why?"
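The cadence idea on this slide, as an added example (not Praesidio's implementation): build a per-host activity profile from a few weeks of history, recording in which (weekday, hour) buckets the host was seen and in what fraction of observed weeks, then treat a new event in a bucket the host rarely uses as off-cadence. The workstation history below is constructed: weekday office hours for four weeks, then a 3am Sunday event.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_cadence(events, weeks_observed):
    """Map each (weekday, hour) bucket to the fraction of observed weeks with activity."""
    weeks_in_bucket = defaultdict(set)   # bucket -> set of (iso_year, iso_week)
    for ts in events:
        iso = ts.isocalendar()
        weeks_in_bucket[(ts.weekday(), ts.hour)].add((iso[0], iso[1]))
    return {bucket: len(w) / weeks_observed for bucket, w in weeks_in_bucket.items()}


def is_off_cadence(profile, ts, min_fraction=0.25):
    """True if the host was active in this bucket in fewer than min_fraction of weeks."""
    return profile.get((ts.weekday(), ts.hour), 0.0) < min_fraction


def off_cadence_events(profile, events, min_fraction=0.25):
    """Filter a batch of new timestamps down to the ones that break the host's cadence."""
    return [ts for ts in events if is_off_cadence(profile, ts, min_fraction)]


# Constructed history: one employee workstation, active 09:00-17:00 Monday to
# Friday for four weeks starting Monday 2024-01-01.
START = datetime(2024, 1, 1)
HISTORY = [START + timedelta(weeks=w, days=d, hours=h)
           for w in range(4) for d in range(5) for h in range(9, 18)]
PROFILE = build_cadence(HISTORY, weeks_observed=4)

# Constructed new events: a normal Monday morning and the 3am Sunday from the slide.
NEW_EVENTS = [datetime(2024, 1, 29, 10), datetime(2024, 1, 28, 3)]

if __name__ == "__main__":
    for ts in off_cadence_events(PROFILE, NEW_EVENTS):
        print("off-cadence activity:", ts)   # -> 2024-01-28 03:00:00
```

A first-ever sighting of a host has no profile yet, so in practice you would wait a minimum number of weeks (as in the warmup of a volumetric baseline) before alerting on it.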

Page 21: Anomaly Detection and You

Custom Anomaly Detection

Finds anomalies unique to your business and cybersecurity strategy

Built by you

Tailored to your specific needs

"The number of wire transfers per hour peaked to 7x our average."

Page 22: Anomaly Detection and You

Anomaly detection needs to constantly adapt, improve, and evaluate.

Page 23: Anomaly Detection and You

Questions?

Website: https://www.praesidio.com
Email: [email protected]
@sean_a_cassidy