Determining Evil from Benign in the Normally Abnormal World of InfoSec

Rick McElroy, Security Strategist@infosecrick

09-07-18

I © 2018 Carbon Black. All Rights Reserved. I CONFIDENTIAL2

Know normal.

Find evil.

I © 2018 Carbon Black. All Rights Reserved. I CONFIDENTIAL3

VISION

A World Safe from Cyber Attacks

I © 2018 Carbon Black. All Rights Reserved. I CONFIDENTIAL4

NORMAL ABNORMAL

MITRE

ATT&CKTM

I © 2018 Carbon Black. All Rights Reserved. I CONFIDENTIAL5

"There aren't necessarily clear points of

difference between what's normal and

abnormal. Abnormal behavior may

just be an exaggeration of normalbehavior.”

- Professor David Watson

I © 2018 Carbon Black. All Rights Reserved. I CONFIDENTIAL6

Levels of Abnormal Process

Memory

System

User

Team

Department

Company

Industry

Country

Global

I © 2018 Carbon Black. All Rights Reserved. I CONFIDENTIAL7

Evil

Current TableActual Table

Normal Benign

Abnormal Evil

Normal Evil

Abnormal Benign

Frequent GOOD!!

Infrequent BAD!!

(Lawful Good) (Chaotic Good)

(Chaotic Evil) (Lawful Evil)

I © 2018 Carbon Black. All Rights Reserved. I CONFIDENTIAL8

I © 2018 Carbon Black. All Rights Reserved. I CONFIDENTIAL9

Evil..or not Evil?

Normal Benign

Abnormal Evil

Normal Evil

Abnormal Benign

I © 2018 Carbon Black. All Rights Reserved. I CONFIDENTIAL10

Evil..or not Evil?

Normal Benign

Abnormal Evil

Normal Evil

Abnormal Benign

I © 2018 Carbon Black. All Rights Reserved. I CONFIDENTIAL11

Evil..or not Evil?

Normal Benign

Abnormal Evil

Normal Evil

Abnormal Benign

I © 2018 Carbon Black. All Rights Reserved. I CONFIDENTIAL12

Evil..or not Evil?

Normal Benign

Abnormal Evil

Normal Evil

Abnormal Benign

I © 2018 Carbon Black. All Rights Reserved. I CONFIDENTIAL13

Evil..or not Evil?

Normal Benign

Abnormal Evil

Normal Evil

Abnormal Benign

¯\_(ツ)_/¯

I © 2018 Carbon Black. All Rights Reserved. I CONFIDENTIAL14

Know normal.

Find evil.

I © 2018 Carbon Black. All Rights Reserved. I CONFIDENTIAL15

I © 2018 Carbon Black. All Rights Reserved. I CONFIDENTIAL16

Goals of Effort

We want everyone to contribute data back to MITRE

We want to help teach developers to do the right thing

We want to reduce false positives for everyone

We want to save everyone time

I © 2018 Carbon Black. All Rights Reserved. I CONFIDENTIAL17

Our Commitment Slide

Host NORMINT Slack

Provide good known binaries back to MITRE

I © 2018 Carbon Black. All Rights Reserved. I CONFIDENTIAL18

I © 2018 Carbon Black. All Rights Reserved. I CONFIDENTIAL19

I © 2018 Carbon Black. All Rights Reserved. I CONFIDENTIAL20

“We cannot change the cards

we are dealt, just how we play

the hand.”

― Randy Pausch

I © 2018 Carbon Black. All Rights Reserved. I CONFIDENTIAL21

Know normal.

Find evil.

I © 2018 Carbon Black. All Rights Reserved. I CONFIDENTIAL22

Thank you.rmcelroy@carbonblack.com

@infosecrick

www.CarbonBlack.com

I © 2018 Carbon Black. All Rights Reserved. I CONFIDENTIAL23

Questions?

www.CarbonBlack.com