powered by - logrhythm€¦ · greg foss head of global security operations logrhythm. sarah...

Company Confidential

Powered by

Activated CharcoalMaking Sense of Endpoint Data

Greg FossHead of Global Security OperationsLogRhythm

Sarah MillerThreat Intelligence AnalystCarbon Black

The Endpoint is the new Perimeter


The easiest path into any network…


Social Engineering

Nothing like a little pretext to get people to click on your links…


• Phishing• 91% of ‘advanced’ attacks began with a phishing email

or similar social engineering tactics.• http://www.infosecurity-magazine.com/view/29562/91-of-

apt-attacks-start-with-a-spearphishing-email/

• 2014 Metrics• Average cost per breach => $3.5 million• 15% Higher than the previous year

• http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis

http://www.infosecurity-magazine.com/view/29562/91-of-apt-attacks-start-with-a-spearphishing-email/http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis


Drive By Downloads, Malvertizing, and Watering Hole Attacks

Image Source: https://blog.kaspersky.com/what-is-malvertising/5928/

Training is Critical to Success


Key Focus Areas:

• Employees

Image Source: http://www.cloudpro.co.uk/hr/5803/gov-offers-hr-workers-free-cyber-security-training


End User Tips - Phishing


All You Need is +


Shortened URLTracking


Feedback Loop

Testing and Validation


Rogue Wi-Fi Network – Threat Simulation


USB Drop – Training Exercise : Case Study


Building a Believable Campaign

Use realistic files with somewhat realistic data

Staged approach to track file access and exploitation


“Nobody’s going to an an exe from some random USB” - Greg

Yep… They ran it...


Now we have our foothold…

Fortunately they didn’t run this as an admin


Key Focus Areas:

• Employees

• IT Staff

• Roles and Responsibilities

• Incident Response Duties

• Configuration Monitoring

• Malware Removal

• Security Infrastructure


Key Focus Areas:

• Employees

• IT Staff

• Security Staff

• Table Top and Red vs Blue Exercises

• Threat Simulation Leads to Process Improvement

• Announced vs Unannounced Simulations or Penetration Testing


Purple Team FTW!

• Employees

• IT Staff

• Security Staff

• Table Top and Red vs Blue Exercises

• Threat Simulation Leads to Process Improvement

• Announced vs Unannounced Simulations or Penetration Testing


Key Focus Areas:

• Employees

• IT Staff

• Security Staff

• Leadership


Key Focus Areas:

• Employees

• IT Staff

• Security Staff

• Leadership

• Processes and Procedures

Continuous Monitoring and Detection


Automating OSINT and Response

Domain Tools

Passive Total

VirusTotal

Cisco AMP ThreatGRID

Netflow / IDS

Firewalls

Proxy / DNS

Endpoint

SIEM

API Integration SecOps Infrastructure


Malware Beaconing


Correlate Network / Log Activity with Endpoint Data


Macro Phishing Attacks

• Common

• Bypasses Most AV

• Heavily Obfuscated

• Newer attacks

targeting Office 365


Macro Attack Detection


Full Command Line Details


Be Careful – Don’t Jump To Conclusions…

Centralized Logging and Event Management


Threat Feed Configuration


Full Event Alerting


Syslog Only


Tuning Feeds


Watchlist Configuration


Carbon Black Event Forwarder

LogRhythm => Use LEEF Format

https://github.com/carbonblack/cb-event-forwarder

Dashboards and Investigations


Long Tail Analysis

Strange activity can bubble to the surface when viewing the whole picture

Taking it a Step Further…


Additional Integration

Alarming

Trigger on Specific Watch List Hits



Alarming

Admin Tracking



Alarming

Admin Tracking

Reporting



Alarming

Admin Tracking

Reporting

AutomationPerform Actions Based on Alarms Observed


Thank You!

QUESTIONS?

Greg FossGreg . Foss [at] LogRhythm . com@heinzarelli

Sarah MillerSMiller [at] CarbonBlack . com

@beyazfar3

Activated CharcoalSlide Number 2The Endpoint is the new PerimeterThe easiest path into any network…Social EngineeringSlide Number 6Drive By Downloads, Malvertizing, and Watering Hole AttacksSlide Number 8Training is Critical to SuccessKey Focus Areas:End User Tips - PhishingAll You Need is +Shortened URL TrackingFeedback LoopTesting and ValidationSlide Number 16USB Drop – Training Exercise : Case StudyBuilding a Believable Campaign“Nobody’s going to an an exe from some random USB” - GregNow we have our foothold…Slide Number 21Key Focus Areas:Key Focus Areas:Purple Team FTW!Key Focus Areas:Key Focus Areas:Continuous Monitoring and DetectionAutomating OSINT and ResponseSlide Number 29Malware BeaconingSlide Number 31Malware BeaconingCorrelate Network / Log Activity with Endpoint DataMacro Phishing AttacksMacro Attack DetectionFull Command Line DetailsFull Command Line DetailsBe Careful – Don’t Jump To Conclusions…Centralized Logging and Event ManagementSlide Number 40Threat Feed ConfigurationFull Event AlertingSyslog OnlyTuning FeedsWatchlist ConfigurationCarbon Black Event ForwarderDashboards and InvestigationsSlide Number 48Slide Number 49Slide Number 50Slide Number 51Slide Number 52Slide Number 53Long Tail AnalysisSlide Number 55Slide Number 56Taking it a Step Further…Additional IntegrationAdditional IntegrationAdditional IntegrationAdditional IntegrationThank You!

powered by - logrhythm€¦ · greg foss head of global security operations logrhythm. sarah...

Documents