Three Considerations To Amplify Your Detection and Response Program with Mark Dufresne and David Lavinder
Confidential and Proprietary
Who Are We?
Mark Dufresne (@mark_dufresne) Endgame - Director of Threat Research and Adversary Prevention
David Lavinder (@dllavinder) Morphick - Vice President, Threat Intelligence
Prior: 13 years at NSA, Operations Chief for Offensive and Defensive Cyber Ops
Prior: 7 years as Air Force Digital Network Intelligence Principal Intelligence Analyst
Topics
§ 3 Key Challenges to a Detection and Response Program
  – Advanced TTPs
  – Analytical Tradecraft
  – Detection Methodologies
§ The Morphick / Endgame Approach
  – Beyond IOC/Signature Detection
  – Uncovering the Full Story
  – Integrated Prevention, Detection, and Response
Advanced TTPs
§ New Attacks > Existing Defenses
  – Paradigm Shift
  – Attackers are People
§ Designed to defeat off-the-shelf defense
  – Advanced Evasion Techniques
  – Custom rolled malware
§ In-memory Attacks
  – DLL side-loading
  – Malware-less attacks
§ Malicious use of Admin Tools
  – PowerShell
  – WMI
The Detection Problem
The technology problem:
§ Limited enterprise-wide visibility
§ Complex tools that don’t work well together
§ Static defenses that do not adapt
§ Difficult to deploy and maintain solutions
The people problem:
§ SOC analyst talent shortage
§ Alert fatigue
§ Fighting an asymmetric battle
§ Unprepared for an incident
So What Do I Need?
The right tradecraft
armed with
The right technology
The Right Technology
§ Detection – Beyond IOC/Signature-based detection
§ Visibility – Enabling visibility and rapid detection of unknown advanced attackers
§ Prevention – Automatically protecting against the vast majority of malicious activity
Beyond IOC/Signature-Based Detection
§ Signatures (IOCs) aren’t enough
§ Attackers adjust tools and tradecraft
§ Attackers cycle infrastructure
§ Attackers live off the land
Good for pivoting.
Bad foundation for protection.
WHAT ABOUT THE UNKNOWN?
So What Should I Do Instead?
You need a different method of detection
§ Focused on behaviors/techniques
§ At each stage of the attacker lifecycle
§ Layered and working together
But EVERYONE is Saying “Behavior”
§ NGAV – malware and exploit prevention
  – But what about bypass and file-less attacks? Only part of the problem
§ Both EDR and NGAV are adding detection of behaviors
  – Capturing process actions and writing rules (IOAs)
  – Still a signature. Still brittle. Vulnerable to bypass.
  – Experts needed for configuration
This is still not the right mix
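The brittleness argued above is easy to see in code. The example below is added here and is not from the slides or from either vendor's product; the process-creation events are constructed for illustration. A rule keyed on the literal string `-EncodedCommand` in a `powershell.exe` command line is an IOA written like a signature: an abbreviated switch, a different letter case, or a different script host walks straight past it, while a rule written at the level of the behaviour (an Office document host spawning a shell or script interpreter at all) fires on every variant without caring about the tokens.

```python
"""Added example: a literal-string IOA versus a behaviour-level check.

The events below are constructed sample telemetry, not data from the
presentation or from any product mentioned on it.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # image name of the parent process
    image: str    # image name of the new process
    cmdline: str  # command line of the new process


# Constructed telemetry: one benign admin action (index 0), one event that
# matches the naive rule (index 1), and three variants of the same intrusion
# that do not (indices 2-4).
EVENTS: List[ProcEvent] = [
    ProcEvent("explorer.exe", "powershell.exe",
              r"powershell.exe -File C:\scripts\inventory.ps1"),
    ProcEvent("WINWORD.EXE", "powershell.exe",
              "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA"),
    # abbreviated switch; PowerShell accepts unambiguous parameter prefixes
    ProcEvent("WINWORD.EXE", "powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    # different case in the image name plus another abbreviation
    ProcEvent("EXCEL.EXE", "POWERSHELL.EXE",
              "POWERSHELL.EXE -NoP -W Hidden -EC SQBFAFgA"),
    # a different signed Windows binary doing the same job (living off the land)
    ProcEvent("WINWORD.EXE", "mshta.exe",
              "mshta.exe javascript:close(new ActiveXObject('WScript.Shell'))"),
]


def ioa_literal_encoded_powershell(ev: ProcEvent) -> bool:
    """The brittle rule: exact image name and exact switch spelling."""
    return ev.image == "powershell.exe" and "-EncodedCommand" in ev.cmdline


# Behaviour-level rule: which parents should never spawn which children.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "regsvr32.exe", "rundll32.exe",
}


def behavior_office_spawns_script_host(ev: ProcEvent) -> bool:
    """The behaviour: an Office document host launching a script/shell host.

    Case-insensitive and independent of command-line tokens, so renaming a
    switch or swapping one LOLBin for another does not evade it.
    """
    return (ev.parent.lower() in OFFICE_HOSTS
            and ev.image.lower() in SCRIPT_HOSTS)


RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    "literal_ioa": ioa_literal_encoded_powershell,
    "behavior_office_to_script_host": behavior_office_spawns_script_host,
}


def evaluate(events: List[ProcEvent],
             rules: Dict[str, Callable[[ProcEvent], bool]]) -> Dict[str, List[int]]:
    """Return, per rule, the indices of the events it fired on."""
    return {name: [i for i, ev in enumerate(events) if fn(ev)]
            for name, fn in rules.items()}


if __name__ == "__main__":
    for name, hits in evaluate(EVENTS, RULES).items():
        print(f"{name}: fired on events {hits}")
```

The literal rule catches only event 1; the behaviour rule catches events 1 through 4 and stays quiet on the benign event 0. Note that the behaviour rule is still a rule, which is the slide's point: an attacker who injects into an already-running process instead of spawning a child never produces the parent/child pair it looks for, so it belongs in a layer alongside other techniques rather than standing alone.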
Gather Visibility – Endpoints and Network
§ You need full visibility on system events and other data
  – Persistence
  – Processes
  – Network
  – Users
  – More
§ A mountain of data doesn’t do you much good without analytics
  – Endgame provides sophisticated analytics to guide the hunt
  – Chatbot guides users through the hunt
  – Robust API allows for flexible and powerful access and enrichment
Gather Visibility - Memory
§ Memory is a permissive environment for attackers. Why?
  – Memory analysis doesn’t scale
  – Need to know what you are looking for (search based)
  – Until now…
§ Endgame technology
  – Patent-pending technology detects stealthy adversaries in memory in seconds, at scale
  – Detects process hollowing, thread hijacking, module hiding, and much more
§ Precise identification of suspicious memory and remediation
§ Follow-on analytic actions such as extraction of IOCs
Behavioral Preventions
§ Exploits – Hardware and Software approaches
§ Macros – Detecting malicious execution of macros
§ Malware – Machine learning (Malwarescore™)
§ Kernel-level technique preventions
  – Atomic-level system state in the presence of malicious behaviors
  – More than streaming rules. Simple configuration, inline and hardened.
§ Ransomware
Layered prevention minimizes the adversary’s capability to entrench. Much more than traditional AV.
The Right Tradecraft
§ Analytical Pivoting – Discovering unknowns from knowns, across the kill chain
§ Generate Threat Intelligence
– Extract as much intel from a positive detection event as possible
§ Harden Defenses
– Update defenses with new intelligence
Visibility Across the Kill Chain
§ A security analyst’s job doesn’t END at detection, it BEGINS there
§ Take that single detection event and explore the kill chain
  – How did it get here?
  – What was it going to do next?
The Power of a Security Analyst
§ Discovering unknowns from knowns
  – Identifying missed detection opportunities
§ Telling the whole story
  – Tracing an event to earlier kill chain steps
§ Then BUILD IT BACK IN
§ The analysis tradecraft is getting lost amongst all the tools
§ Visibility is key, but good tradecraft unlocks the power of that visibility
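The two slides above ("How did it get here? What was it going to do next?" and "Tracing an event to earlier kill chain steps ... then BUILD IT BACK IN") describe one analytic pivot, and it is worth seeing it as code. The example below is added here and is not from the slides or from either vendor's product; the host telemetry is constructed for illustration. Starting from a single alert on one PID, it walks parent links back toward the initial access, walks child links forward to the follow-on actions, and then reports the parent/child transitions earlier in the chain that a detection should have fired on, which is what "build it back in" means in practice.

```python
"""Added example: pivoting from one alert across the process tree.

TELEMETRY is constructed sample data for a single host, not data from the
presentation or from any product mentioned on it. Only pid 4210 alerted.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


TELEMETRY: List[Proc] = [
    Proc(1000, 800, "explorer.exe", "explorer.exe"),
    Proc(2200, 1000, "OUTLOOK.EXE", "OUTLOOK.EXE"),
    Proc(3100, 2200, "WINWORD.EXE",
         r'WINWORD.EXE /n "C:\Users\u\Downloads\invoice.docm"'),
    Proc(3900, 3100, "cmd.exe", "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"),
    Proc(4210, 3900, "powershell.exe", "powershell -nop -w hidden -enc SQBFAFgA"),  # the alert
    Proc(4300, 4210, "rundll32.exe", r"rundll32.exe C:\Users\u\AppData\Local\Temp\x.dll,Start"),
    Proc(4400, 4210, "schtasks.exe",
         r"schtasks /create /tn Updater /tr C:\Users\u\AppData\Local\Temp\u.exe /sc onlogon"),
    Proc(5000, 1000, "chrome.exe", "chrome.exe"),  # unrelated activity on the host
]


def ancestors(events: List[Proc], pid: int) -> List[Proc]:
    """How did it get here? Walk parent links from pid up to the oldest
    ancestor we have telemetry for. Returns [alert, parent, grandparent, ...].
    A seen-set guards against PID reuse producing a cycle."""
    by_pid: Dict[int, Proc] = {e.pid: e for e in events}
    chain: List[Proc] = []
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def descendants(events: List[Proc], pid: int) -> List[Proc]:
    """What was it going to do next? Breadth-first walk of everything
    spawned under pid."""
    children: Dict[int, List[Proc]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    out: List[Proc] = []
    queue = [pid]
    while queue:
        p = queue.pop(0)
        for c in children.get(p, []):
            out.append(c)
            queue.append(c.pid)
    return out


# Heuristic used to spot the missed opportunity: an Office document host
# should not be spawning shells or script hosts at all.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}


def missed_detection_opportunities(chain: List[Proc]) -> List[str]:
    """Build it back in: parent->child transitions earlier in the chain than
    the alert that a behaviour rule could have caught first."""
    found: List[str] = []
    for child, parent in zip(chain, chain[1:]):
        if parent.image.lower() in OFFICE_HOSTS and child.image.lower() in SCRIPT_HOSTS:
            found.append(f"{parent.image} -> {child.image}")
    return found


if __name__ == "__main__":
    chain = ancestors(TELEMETRY, 4210)
    print("origin:", " <- ".join(p.image for p in chain))
    print("follow-on:", [p.cmdline for p in descendants(TELEMETRY, 4210)])
    print("should have fired earlier on:", missed_detection_opportunities(chain))
```

Run against the constructed data, the alert on `powershell.exe` traces back through `cmd.exe` to a `WINWORD.EXE` that Outlook opened, the forward walk shows a DLL load and a scheduled-task persistence attempt, and the earlier transition `WINWORD.EXE -> cmd.exe` is the detection that was missed and should now be added as a rule. The same walks work on any process-creation feed that records PID and parent PID; the only hard requirement is the visibility the earlier slides call for.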
SOLUTION
§ Combination of Technology and Tradecraft
  – Technology provides layered behavioral prevention
  – Technology provides visibility and access
  – Tradecraft finds the remaining adversary
  – Tradecraft hardens defenses
Managed Endpoint Detection and Response (MEDR)
§ Continuous Endpoint Threat Monitoring & Advanced Prevention
§ Full Attack Cycle Threat Detection
§ Proactive, scalable Threat Hunting
§ Detailed Forensic Investigation and Threat Validation
§ NSA-CIRA Accredited Incident Response Services
Best in-class Tech, Wrapped in Best in-class Service
Interested in learning more?
Come see us at RSA § Endgame Booth, South Hall #1739 § Morphick Booth, North Hall #5004
Schedule a Demo § Endgame
– Ashwini Almad – [email protected]
§ Morphick – Tom Doepker – [email protected]