Three Considerations To Amplify Your Detection and Response Program with Mark Dufresne and David Lavinder

Uploaded by morphick, posted on 16-Apr-2017


Confidential and Proprietary

Who Are We?

Mark Dufresne (@mark_dufresne) Endgame - Director of Threat Research and Adversary Prevention

David Lavinder (@dllavinder) Morphick - Vice President, Threat Intelligence

Prior: 13 years at NSA, Operations Chief for Offensive and Defensive Cyber Ops

Prior: 7 years as Air Force Digital Network Intelligence Principal Intelligence Analyst


Topics

§  3 Key Challenges to a Detection and Response Program
   –  Advanced TTPs
   –  Analytical Tradecraft
   –  Detection Methodologies

§  The Morphick / Endgame Approach
   –  Beyond IOC/Signature Detection
   –  Uncovering the Full Story
   –  Integrated Prevention, Detection, and Response

Advanced TTPs

§  New Attacks > Existing Defenses
   –  Paradigm Shift – Attackers are People

§  Designed to defeat off-the-shelf defense
   –  Advanced Evasion Techniques
   –  Custom rolled malware

§  In-memory Attacks
   –  DLL side-loading
   –  Malware-less attacks

§  Malicious use of Admin Tools
   –  PowerShell
   –  WMI

The Analytical Tradecraft Gap


The Detection Problem

The technology problem:
§  Limited enterprise-wide visibility
§  Complex tools that don’t work well together
§  Static defenses that do not adapt
§  Difficult to deploy and maintain solutions

The people problem:
§  SOC analyst talent shortage
§  Alert fatigue
§  Fighting an asymmetric battle
§  Unprepared for an incident

So What Do I Need?

The right tradecraft, armed with the right technology

The Right Technology

§  Detection
   –  Beyond IOC/Signature-based detection

§  Visibility
   –  Enabling visibility and rapid detection of unknown advanced attackers

§  Prevention
   –  Automatically protecting against the vast majority of malicious activity

Beyond IOC/Signature-Based Detection

§  Signatures (IOCs) aren’t enough

§  Attackers adjust tools and tradecraft

§  Attackers cycle infrastructure

§  Attackers live off the land

Good for pivoting.

Bad foundation for protection.

WHAT ABOUT THE UNKNOWN?


So What Should I Do Instead?

You need a different method of detection:
§  Focused on behaviors/techniques
§  At each stage of the attacker lifecycle
§  Layered and working together

But EVERYONE is Saying “Behavior”

§  NGAV – malware and exploit prevention
§  But what about bypass and file-less attacks? Only part of the problem

§  Both EDR and NGAV are adding detection of behaviors
§  Capturing process actions and writing rules (IOAs)
§  Still a signature. Still brittle. Vulnerable to bypass.
§  Experts needed for configuration

This is still not the right mix

Gather Visibility – Endpoints and Network

§  You need full visibility on system events and other data
   –  Persistence
   –  Processes
   –  Network
   –  Users
   –  More

§  A mountain of data doesn’t do you much good without analytics
   –  Endgame provides sophisticated analytics to guide the hunt
   –  Chatbot guides users through the hunt
   –  Robust API allows for flexible and powerful access and enrichment

Gather Visibility - Memory

§  Memory is a permissive environment for attackers. Why?
   –  Memory analysis doesn’t scale
   –  Need to know what you are looking for (search based)
   –  Until now…

§  Endgame technology
   –  Patent-pending technology detects stealthy adversaries in memory in seconds, at scale
   –  Detects process hollowing, thread hijacking, module hiding, and much more

§  Precise identification of suspicious memory and remediation

§  Follow-on analytic actions such as extraction of IOCs

Behavioral Preventions

§  Exploits – Hardware and Software approaches
§  Macros – Detecting malicious execution of macros
§  Malware – Machine learning (Malwarescore™)
§  Kernel-level technique preventions
   –  Atomic-level system state in the presence of malicious behaviors
   –  More than streaming rules. Simple configuration, inline and hardened.
§  Ransomware

Layered prevention minimizes the adversary’s capability to entrench. Much more than traditional AV.

The Right Tradecraft

§  Analytical Pivoting
   –  Discovering unknowns from knowns, across the kill chain

§  Generate Threat Intelligence
   –  Extract as much intel from a positive detection event as possible

§  Harden Defenses
   –  Update defenses with new intelligence

Visibility Across the Kill Chain

§  A security analyst’s job doesn’t END at detection, it BEGINS there

§  Take that single detection event and explore the kill chain
   –  How did it get here?
   –  What was it going to do next?


The Power of a Security Analyst

§  Discovering unknowns from knowns
   –  Identifying missed detection opportunities

§  Telling the whole story
   –  Tracing an event to earlier kill chain steps

§  Then BUILD IT BACK IN

§  The analysis tradecraft is getting lost amongst all the tools

§  Visibility is key, but good tradecraft unlocks the power of that visibility
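As an added example (not from the deck, and not Endgame's or Morphick's code), here is a small Python model of two points the slides make: the "Beyond IOC/Signature-Based Detection" contrast between matching known hashes and judging process behavior at each lifecycle stage, and the "Visibility Across the Kill Chain" pivot from a single detection to what came before and after it. The telemetry, hashes, rule names and stage labels are all constructed for illustration.

```python
from collections import namedtuple
Proc = namedtuple("Proc", "pid ppid image cmdline sha256")

# Constructed telemetry (not real data): a macro document launches hidden, encoded PowerShell, which then calls WMI. Hashes are placeholders, not real IOCs.
EVENTS = [
    Proc(100, 1,   "explorer.exe",   "explorer.exe", "hash-explorer"),
    Proc(200, 100, "outlook.exe",    "outlook.exe", "hash-outlook"),
    Proc(300, 200, "winword.exe",    "winword.exe /n invoice.docm", "hash-winword"),
    Proc(400, 300, "powershell.exe", "powershell.exe -WindowStyle Hidden -EncodedCommand <b64>", "hash-ps"),
    Proc(500, 400, "wmic.exe",       "wmic.exe /node:<host> process call create <cmd>", "hash-wmic"),
]
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
ADMIN_TOOLS = {"powershell.exe", "wmic.exe"}

# IOC/signature approach: the only indicator held is last campaign's dropper hash. Recompiled tooling and living-off-the-land binaries never match it.
KNOWN_BAD_HASHES = {"hash-dropper-v1"}

def ioc_detect(events):
    return [p.pid for p in events if p.sha256 in KNOWN_BAD_HASHES]

# Behavioral rules keyed to an attack-lifecycle stage (stage names are assumed labels); each judges a process together with its parent rather than a file hash.
BEHAVIOR_RULES = [
    ("Initial Compromise", "office-spawns-admin-tool",
     lambda p, par: par is not None and par.image in OFFICE and p.image in ADMIN_TOOLS),
    ("Establish Foothold", "hidden-encoded-powershell",
     lambda p, par: p.image == "powershell.exe" and "-EncodedCommand" in p.cmdline and "Hidden" in p.cmdline),
    ("Lateral Movement", "powershell-spawns-remote-wmi",
     lambda p, par: p.image == "wmic.exe" and "/node:" in p.cmdline and par is not None and par.image == "powershell.exe"),
]

def behavior_detect(events):
    by_pid = {p.pid: p for p in events}
    return [(p.pid, stage, name) for p in events for stage, name, pred in BEHAVIOR_RULES
            if pred(p, by_pid.get(p.ppid))]

def pivot(events, pid):
    # Analytical pivot from one detection: walk up the parent chain ("how did it get here?") and down the child tree ("what was it going to do next?").
    by_pid = {p.pid: p for p in events}
    ancestors, node = [], by_pid[pid]
    while node.ppid in by_pid:
        node = by_pid[node.ppid]
        ancestors.append(node.image)
    descendants, stack = [], [pid]
    while stack:
        parent_pid = stack.pop()
        for c in events:
            if c.ppid == parent_pid:
                descendants.append(c.image)
                stack.append(c.pid)
    return ancestors, descendants
```

On the constructed events the hash rule returns nothing, the behavioral rules fire on the PowerShell and WMI processes, and the pivot from the PowerShell detection surfaces the Word/Outlook ancestry and the WMI child.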

SOLUTION

§  Combination of Technology and Tradecraft
   –  Technology provides layered behavioral prevention
   –  Technology provides visibility and access
   –  Tradecraft finds the remaining adversary
   –  Tradecraft hardens defenses

Managed Endpoint Detection and Response (MEDR)

§  Continuous Endpoint Threat Monitoring & Advanced Prevention

§  Full Attack Cycle Threat Detection

§  Proactive, scalable Threat Hunting

§  Detailed Forensic Investigation and Threat Validation

§  NSA-CIRA Accredited Incident Response Services

Best-in-class Tech, Wrapped in Best-in-class Service

Interested in learning more?

Come see us at RSA
§  Endgame Booth, South Hall #1739
§  Morphick Booth, North Hall #5004

Schedule a Demo
§  Endgame – Ashwini Almad – [email protected]
§  Morphick – Tom Doepker – [email protected]