Anatomy of an Attack

So you got hacked now what?
Chris Catanzaro
Blue Coat Systems
Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved.
We Live In A Post Prevention World
Answering the Most Dreaded Questions from the CISO
Who did this to us?
How did they do it?
What systems and data were affected?
Can we be sure it is over?
Can it happen again?
Anatomy of an Attack
§ First things First
•  When talking about indicators of compromise and how one might find them, we first need to step back and fully understand the steps of an attack, or attack cycle, so we know what to look for.
•  This attack cycle is often referred to as a Kill Chain.
•  Understanding the concepts described in the Kill Chain will help you correlate seemingly uninteresting events into a picture that resolves incident response situations.
•  When you get an indicator of compromise, it is important to know which phase of the Kill Chain you are looking at; this will help you understand what to look for next in your investigation.
§ Definitions
•  Threat
– An agent or human actor that might attempt to compromise or violate the security of a system
•  Vulnerability
– Existence of a design or implementation error or weakness that could lead to an unexpected or undesirable compromise of the system
•  Exploit
– A defined way to take advantage of a vulnerability
•  Attack
– An attempt to compromise or gain access to systems and/or data
•  Attack Surface
– The summation of all exposed services, drivers, software, input fields, protocols, and interfaces (including people) through which a threat may attack
§ Understanding The Threats
•  Insider Threats
•  Cybercriminals
•  Nation States
•  Hacktivists
§ Why They Do It
•  Financially Motivated
•  Politically Motivated
•  Nationalistically Motivated
•  Industrial Espionage / Stealing Trade Secrets
§ Understanding The Kill Chain
•  What is it?
– The Kill Chain is a military model that was applied to information security by Hutchins, Cloppert, and Amin of Lockheed Martin in 2009, and recently re-popularized by John “Four” Flynn of the Facebook security team in his Black Hat presentation “Intrusion Along the Kill Chain”.
•  Why is it important?
– The basic idea of a Kill Chain is that there is a sequence of elements that must occur in order for an attack to succeed. By understanding each element in the Kill Chain, we can use attributes of those elements, as well as combinations of elements, to better predict future threats.
•  Why do analysts often overlook it?
– The basic problem is that analysts often filter out the events and alerts that seem uninteresting, common, or minor. While it is true that, by themselves, they are somewhat meaningless and unimportant, if you put them in context with other events you begin to see a much larger picture of what is going on, gain more clarity, and understand where to focus your efforts.
§ Reconnaissance
•  The first phase in an attacker's Kill Chain is reconnaissance.
•  Sometimes this includes detectable but seemingly innocuous activity such as visiting your public website, conference proceedings, or mailing lists, clicking on the “About Us” page to learn about the management team, or the “Investors” or “Directors” page to learn about those close to and well trusted by management.
•  More often, this kind of activity occurs undetectably, using the endless supply of social network, open source, and doxing sites that are available today.
•  Goals of the Attacker
– Define target, find and organize accomplices
– Research target infrastructure and employees
– Gather all public information
– Identify potential attack vectors
[Kill Chain diagram: Recon; vertical axis: Risk and Cost to Contain/Remediate]
§ Weaponize
•  This involves the automated creation of a Trojan-infected file that looks like a normal PDF, Word, or Excel document with some sort of interesting or enticing title, something like “Executive Salaries” or “Q4 Termination List”.
•  Pirated software and cracked versions of the latest, most popular games are also highly susceptible.
•  Other forms are off-the-shelf exploit kits and the variety of tools that are used to promote stealthy program execution.
•  Goals of the Attacker
– Find and use good exploit kits
– Create seemingly normal files that are embedded with malicious payloads
– Use packed / encrypted EXEs to avoid detection and analysis
[Kill Chain diagram: Recon → Weaponize; vertical axis: Risk and Cost to Contain/Remediate]
§ Delivery
•  The most common methods of delivery are still links and attachments in email and social media, infected Flash-based banner ads, and “found” removable media.
•  There is no known network filter that can protect against a user pulling an email out of his SPAM or PHISHING folder and viewing the attached PDF file.
•  USB removable media can also be used to get malicious software into a specific organization via autorun.inf.
•  Goals of the Attacker
– Create unique and interesting email messages and posts on social media sites and various message boards and classifieds (Craigslist)
– Use disguised HTTP links or infected attachments
– Litter infected removable media around the company site or a targeted user’s home
[Kill Chain diagram: Recon → Weaponize → Delivery; vertical axis: Risk and Cost to Contain/Remediate]
§ Exploitation / Initial Intrusion
•  This is the area that we tend to be most obsessed with, often to the point of blindness to the others.
•  Exploitation targets a vulnerability, either behavioral or technological.
•  As you would expect, attackers want to have the greatest chance of success at this phase, so they focus on applications that are most likely to be present on a target’s machine: Acrobat, Java, Microsoft Office, Internet Explorer, and 32-bit operating systems (this last one will shift over time).
•  Goals of the Attacker
– Target vulnerable user behavior and client applications
– Attack unpatched Java, Flash, Acrobat, IE, Office, etc.
– Make sure that once the payload is delivered to an end machine it has a high probability of working
[Kill Chain diagram: Recon → Weaponize → Delivery → Exploitation; vertical axis: Risk and Cost to Contain/Remediate]
§ Persistence
•  This is where a successful exploit installs a remote access tool that allows the attacker to interact with the victim’s machine and to have a persistent connection to the network.
•  These connections are generally outbound by nature to avoid dealing with firewalls, and somewhat invert the client/server paradigm: the victim machine becomes a server, and the attacker’s client is the console that can connect to any number of victim servers.
•  RATs (Remote Access Tools / Trojans) are somewhat different from botnets in that botnets tend to be programmatically controlled en masse, whereas RATs are usually much more personalized.
•  Goals of the Attacker
– Establish a tenacious foothold by installing a RAT
[Kill Chain diagram: Recon → Weaponize → Delivery → Exploitation → Persistence; vertical axis: Risk and Cost to Contain/Remediate]
§ Command and Control
•  The system is being controlled by the attacker at this point.
•  C&C generally uses legitimate protocols to avoid anomaly detection, and is often encrypted with OS-provided SSL channels.
•  Other forms of C&C involve hiding in plain sight in HTML, social networks, or even legitimate image files.
•  Recently Google Docs has proven a successful method for allowing remote “hands on the keyboard” access inside the target environment.
•  Goals of the Attacker
– Create an outbound connection
– Use stealthy but benign-looking channels
[Kill Chain diagram: Recon → Weaponize → Delivery → Exploitation → Persistence → C2; vertical axis: Risk and Cost to Contain/Remediate]
§ Extension
•  Extension refers to additional movement within an infiltrated environment, since it is unlikely that the victim machine contains the specific asset the attacker is looking for.
•  It involves gathering credentials from the victim’s machine, discovering higher-value assets (such as servers and domain controllers) through internal reconnaissance, moving laterally to these machines via RDP or Windows APIs, and escalating privileges using additional exploits.
•  Weak security once inside
– Organizations suffer from the escargot model of security
– “hard and crunchy on the outside, soft and chewy on the inside”
•  Goals of the Attacker
– Expand access and obtain credentials through lateral movement
– Exploit credentials with every jump and increase persistence
[Kill Chain diagram: Recon → Weaponize → Delivery → Exploitation → Persistence → C2 → Extension; vertical axis: Risk and Cost to Contain/Remediate]
§ Damage
•  Only now, after progressing through the first seven phases, can intruders take actions to achieve their original objectives.
•  Typically, this objective is data exfiltration, which involves collecting, encrypting, and extracting information from the victim environment; violations of data integrity or availability are potential objectives as well.
•  This can also include any form of compromise to the confidentiality, integrity, or availability of any information system assets.
•  Goals of the Attacker
– Covert exfiltration of data to a collection point
– Compromise or destruction of assets
[Kill Chain diagram: Recon → Weaponize → Delivery → Exploitation → Persistence → C2 → Extension → Damage; vertical axis: Risk and Cost to Contain/Remediate]
§ Understanding The Kill Chain
•  You need complete visibility, every step of the way, or you lose the ability to put the pieces back together.
– When we filter out some alerts and events and do not view them in the context of the entire Kill Chain, we are effectively looking at seemingly random events. Tracing the Kill Chain at that point is nearly impossible, which makes finding the really bad stuff that much more difficult.
[Kill Chain diagram: Recon → Weaponize → Delivery → Exploitation → Persistence → C2 → Extension → Damage; vertical axis: Risk and Cost to Contain/Remediate]
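As an added illustration of this point (not code from the deck or from Blue Coat), the Python below groups individually minor alerts by host, maps each to the Kill Chain phase it evidences, reports the furthest phase reached and the phase to look for next, and flags hosts whose alerts line up across several phases. The alert names and the sample log lines are constructed assumptions.

```python
from collections import defaultdict

# Kill Chain phases in the order the deck presents them.
PHASES = ["Recon", "Weaponize", "Delivery", "Exploitation",
          "Persistence", "C2", "Extension", "Damage"]

# Hypothetical alert-name -> phase mapping (an assumption; adapt to your tools).
ALERT_PHASE = {
    "email_attachment_pdf": "Delivery",
    "reader_exploit_sig": "Exploitation",
    "new_autorun_service": "Persistence",
    "periodic_tls_beacon": "C2",
    "rdp_to_domain_controller": "Extension",
    "large_outbound_upload": "Damage",
}
# Constructed sample log, one "<timestamp> <host> <alert name>" per line.
SAMPLE_LOG = """\
2013-06-03T09:12:01 ws-104 email_attachment_pdf
2013-06-03T09:13:40 ws-104 reader_exploit_sig
2013-06-03T09:14:05 ws-104 new_autorun_service
2013-06-03T09:20:00 ws-104 periodic_tls_beacon
2013-06-03T11:02:33 ws-104 rdp_to_domain_controller
2013-06-03T09:12:01 ws-207 email_attachment_pdf
2013-06-04T14:30:10 ws-311 periodic_tls_beacon
2013-06-04T14:31:00 ws-311 unknown_alert_type""".splitlines()

def correlate(lines):
    """Per host: the distinct phases evidenced (in chain order), how many,
    the furthest phase reached, and the phase to look for next."""
    by_host = defaultdict(set)
    for line in lines:
        _ts, host, alert = line.split()
        phase = ALERT_PHASE.get(alert)
        if phase is not None:          # alerts with no mapping do not count
            by_host[host].add(PHASES.index(phase))
    summary = {}
    for host, idx in by_host.items():
        furthest = max(idx)
        summary[host] = {
            "phases": [PHASES[i] for i in sorted(idx)],
            "depth": len(idx),
            "furthest": PHASES[furthest],
            "look_for_next": PHASES[furthest + 1] if furthest < len(PHASES) - 1 else None,
        }
    return summary

def escalate(summary, min_depth=3):
    """Hosts whose individually minor alerts span min_depth or more phases."""
    return sorted(h for h, s in summary.items() if s["depth"] >= min_depth)
```

Run on the sample, only ws-104 is escalated: its five alerts, each unremarkable alone, span Delivery through Extension, and the next phase to hunt for on that host is Damage.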
How did we find out we were Hacked?
§ Outside source
• FBI
• Your information posted on a Malnet
• The hackers themselves (Hacktivists)
§ Internal detection
• Tools catch it
– SIEM, DLP, Sandbox
• Data exfiltration
– ProxySG
Now we have some Options
§ Option A - Hire an investigation company
• Very expensive
• They don’t know your systems and network environment
• Are they good? Do they really know what they are doing?
§ Option B - Investigate yourself
• Your network, your systems, your access
• Still expensive
• Are you looking in the right places?
• Do you have enough data?
POST-PREVENTION SECURITY GAP
[Diagram. Threat actors: Insider Threats, Hacktivists, Cybercriminals, Nation States. Signature-based defense-in-depth tools (Web Application Firewall, DLP, Email Gateway, SIEM, Web Gateway, Host AV, IDS / IPS, NGFW, SSL) cover known attacks: known IPs/URLs, known malware, known threats. Modern tactics and techniques, targeted files, zero-day threats, and novel malware fall into the gap between traditional and advanced threats. Advanced Threat Protection is shown as: Content, Detection, Analytics, Context, Visibility, Analysis, Intelligence.]
INVESTIGATE & REMEDIATE
Security Analytics Platform
• Full security visibility of all network traffic
• Forensic details before, during, and after an alert
• Reduce time-to-resolution and breach impact
The Security Camera for Your Network
Security Analytics Platform
THE SECURITY CAMERA FOR YOUR NETWORK
Turning Complexity into Context
• Records, classifies, and indexes all packets and flows up to 10Gbps, providing real-time analysis and full visibility of everything going in and out of your network
• DPI classification of over 2,000 applications and thousands of meta attributes
• On-the-wire, real-time visibility and analysis of data exfiltration and infiltration
• Security context, including reputation, user and social personas, and artifacts
• The ‘Black Box’ for incident response, forensics, root cause, and impact analysis
Solera is the Security Camera for your Network
Security Camera for your Network
[Diagram: 1. Ongoing Operations → 2. Incident Containment → 3. Incident Resolution]
Forensic Details Before, During and After an Alert
•  Know what happened before, during, and after an alert, with complete, clear supporting evidence
•  Multiple sources for real-time integrity and reputation of a URL, IP address, file hash, or email address
•  Trace back and discover Tactics, Techniques & Procedures and identify Indicators of Compromise
•  Integrated workflows with leading network security tools to add context and improve effectiveness
THANK YOU!