Defense Evasion Case Study

00:00

hello and welcome to another application of the minor attack framework discussion today. We're going to give in to our case study on defense evasion. So we have to start with a question. What's watching your back?

00:16

So in this instance, we're talking about what tools people processes, whatever the case, are watching the back of your business. So what's keeping you safe? What is making sure that the eyes air don in the tes across from a security standpoint?

00:33

So that is the first thing that we want to ponder. But we're going to start really this discussion with another look at dwell time and dwell. Time is always important for us, especially when we talk about defensive Asian, because threat actors, when successful, go for months,

00:52

days, years, hours, whatever the case may be

00:56

undetected. And so I've heard several metrics

00:59

throughout the last few years, and they include anything from 20 seconds to maybe 30 seconds of time that a threat actor actually needs on network to successfully start stealing proprietary information credentials, whatever the case may be.

01:15

And so when we get into the act of days or hours of

01:19

detection not happening

01:23

and the threat actor successfully evading defenses, We now talk about losses or damages that are much, much greater in scope and scale. And so to start with our first bullet, a Fire I analysis of global Breach data from 2018 indicates that half of all organizations last year took 50 days or longer to detect intrusion.

01:42

Previously, this number was up

01:44

57 days in 2017 so it looks like we had a slight reduction between 2017 and 18. But 50 days is still quite the number. In some cases, businesses were learning of attacks from other agencies up to six months after a breach, which is huge.

02:00

I can't imagine how embarrassing it would be to have another entity

02:05

tell me that my systems were compromised under my nose.

02:08

So crypto mining tools and ransomware were among those that were easiest to spot. Typically organizations that were previously compromised or retargeted by Attackers. And so, ah, lot of times when we talk about threat actors,

02:23

we often think of them as business or an organization you know, organize crime.

02:30

And so in their cases, a lot of times thes entity specialize in doing certain things, and so you get a guy that's really good at stealing passwords. Another that's really good at stealing secret sauce information. Another that's good with Ransomware.

02:43

And so,

02:44

really, when we get to a phase of compromise, where it's ransomware or krypton mining tools that are very those are very noticeable things. And so you can't really hide ransomware on production systems. It pretty much cripples

02:59

production and stops. Business is usual. So what was happening before Ransomware was deployed was a threat actor present

03:07

was something going on on the network that you weren't aware of up to the point that that ransomware was deployed.

03:14

And so those are things that keep us up at night as security professionals. And how do we start to reduce the curb or reduce the time it takes for us to tea? Either see threat actors on our systems or stop them entirely. Now

03:30

there are different tools out there, but to name a few that threat actors air using, too, but

03:35

evade your defenses and stay it kind of on a network without being detected. So Crypt Cat is one, and it's a simple UNIX utility that can read and write data across the network connections using TCP or UDP while encrypting the data. So if you're looking for plain text information

03:52

or activities, they may not be picked up if your systems are not set up to decrypt information prior to it, leaving the network

04:00

There's also DNS to TCP, which was designed to relate. He's to be connections through DNS. Traffic doesn't need to run with specific privileges. And so we may remember targets incident. I know that they were taking pink packets and moving

04:16

credit card information over those connections. And so this is just another way that we can try to use a different service. Toe hide information shelter is used to inject show code into native Windows applications. This is just three tools

04:30

in the great scope of tools that are out there. And so, really, your challenge here something that you need to start thinking about, is what are we doing in our organisations to find threat actors if they get on our systems? If all other things fail to include the human element,

04:49

what are we doing

04:51

to get these entities out and keep them out as stated? They're trying to get back into our networks if they compromise them before.

05:00

Was that through fishing? Was that through direct exploitation of Web basing instances or systems? Was that through manipulation of devices that are supposed to be protecting our network? Was that through ah, human element that introduced in infection willingly for money or information?

05:20

There's no telling, really, if we don't have the tools or the process is in place

05:25

to look for these things and to detect these things. And so I challenge you to sit down and come up with scenarios where a threat actor has impacted your network or infected your network. How would you know what would make you aware? What steps would you take to even start looking for them

05:43

if they were using Process Halloween or software packing or some of these other things

05:47

to hide?

05:48

And if the answer is I'm not sure, or if you, you know, take liberties and what your actual capabilities are, that puts you at a disadvantage. So I challenge you to look for open source tools or to look for techniques that are within your wheelhouse that you could actually deploy and use in your network. And if you find that there are gaps

06:08

eso challenge you to start talking to

06:10

your business leaders to see how those could be filled, taking into mind your culture and capabilities.