FROM THE FRONT LINES:
M-TRENDS® 2015
© Mandiant, a FireEye Company. All rights reserved. CONFIDENTIAL
We Are Mandiant
• Expert Responders for Critical Security Incidents
• Full Range of Security Consulting
• Worldwide Presence
  - Mandiant is a FireEye Company
  - 1,500+ employees
  - Offices in 40+ countries
Introductions
Jen Weedon
• Manager, Threat Intelligence
• 2.5 years at Mandiant/FireEye
• Leads strategic analysis team
• Advises and briefs on cyber threat risks to public and private sector clients
Introductions
Jason Rebholz
• Principal Consultant
• Five years at Mandiant
  - Incident Response
  - Forensics
Introductions
Ryan Kazanciyan
• Technical Director
• Incident Response Functional Lead
• 5.5 years at Mandiant
• Co-author, “Incident Response & Computer Forensics, 3rd Ed.”
Agenda
• By the Numbers
• Trend 1: Struggling with Disclosure
• Trend 2: Retail in the Crosshairs
• Trend 3: The Evolving Attack Lifecycle
• Trend 4: Blurred Lines – Criminal and APT Actors Take a Page from Each Others’ Playbook
• Q&A
Note: Some information has been sanitized to protect our clients’ interests.
BY THE NUMBERS
Who’s a Target?
How Compromises Are Being Detected
Dwell Time
24 days less than 2013
Longest Presence: 2,982 days
APT Phishing
TREND 1
Struggling with Disclosure
Trend 1: Struggling with Disclosure
• Mandiant worked with over 30 companies that publicly disclosed a compromise
• Public is asking more informed questions
  - Attribution
  - Malware
  - Attacker TTPs
• Public speculation starting to affect investigations
Why the Increase in Notifications?
• Mandiant worked an increased number of cases where protected data was lost
  - Cardholder data, Personally Identifiable Information (PII), and Protected Health Information (PHI)
  - Contractual and legal obligation to notify
• 69% of victims did not self-detect
  - Increased pressure to notify
• More companies willing to notify
  - Companies feel like it’s the right thing to do
  - Being a breach victim is less taboo than in the past
Critical Investigation Questions
• Questions you should have answers to during the investigation
  - How did the attacker gain initial access to the environment?
  - How did the attacker maintain access to the environment?
  - What is the storyline of the attack?
  - What data was stolen from the environment?
  - Have you contained the incident?
The Takeaways
• Breaches are inevitable
  - Have an effective communication strategy available
• Consistent communication is key
  - Based on factual investigative findings
• Public speculation will happen
  - Avoid distracting the investigation
CAUTION: Investigation Hazard
TREND 2
Retail in the Crosshairs
Trend 2: Retail in the Crosshairs
• Retailers thrust into the spotlight in 2014
  - Mandiant responded to many headlines
• New groups getting into the game
• Small misconfigurations led to greater compromise
Themes of Financially Motivated Attackers in 2014
• Application virtualization servers used as an entry point
  - Valid credentials used to authenticate
  - Misconfigurations / lack of network segmentation allowed greater access
• New tools, tactics, and procedures
  - Highly sophisticated malware
  - Publicly available tools
• Increased number of attacks against e-commerce in locations that deployed chip-and-PIN technology
  - Attackers shifting focus to lowest hanging fruit
Initial Access To Environment
• Attacker authenticated to a virtual application server
  - Already had legitimate credentials, no failed logons
• Escaped from “jailed” environment to gain additional control over the system
• Misconfiguration in virtual application server resulted in greater access to environment
  - No segmentation
• Same local administrator password on all systems
  - Allowed attacker privileged access to systems
Lateral Movement - Forensic Artifacts
• Attacker used the “psexec_command” Metasploit module to execute commands on remote systems
  - Mimics command execution capability of the SysInternals PsExec utility
• Windows 7/Server 2008 System event logs tracked installation of service
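The service-installation artifact named above is the one defenders can actually query for. The script below is an added example (not from the M-Trends slides or any Mandiant tool): it triages Event ID 7045 ("A service was installed in the system") records from the System log and flags installs that look like PsExec or the Metasploit psexec_command module. The pipe-delimited record layout, the sample log lines and the three heuristics (known PsExec service name, random-looking service name, service image that is a shell command line) are all assumptions made for the example; real exports would be EVTX or CSV.

```python
"""Triage Windows System event log records for Event ID 7045 ("A service was
installed in the system") to surface PsExec-style remote command execution.

Added example, not from the M-Trends slides. The records are constructed
sample data in a simple pipe-delimited form:
EventID|Time|Host|ServiceName|ImagePath|StartType|Account
"""
import re
from dataclasses import dataclass, field

# Constructed sample log lines (not a real export). The second record mimics
# what a Metasploit psexec_command run leaves behind: a randomly named,
# demand-start service whose "image" is a cmd.exe command line.
SAMPLE_EVENTS = [
    "7045|2014-06-02T03:11:08|POS-SRV01|PSEXESVC|%SystemRoot%\\PSEXESVC.exe|demand start|LocalSystem",
    "7045|2014-06-02T03:14:41|POS-SRV01|jXbQwKpL|%COMSPEC% /c whoami > %SystemRoot%\\Temp\\out.txt|demand start|LocalSystem",
    "7045|2014-06-02T09:00:00|POS-SRV01|Spooler|%SystemRoot%\\System32\\spoolsv.exe|auto start|LocalSystem",
    "7036|2014-06-02T09:00:05|POS-SRV01|Spooler|running||",
]

# Service name the SysInternals PsExec utility registers by default.
KNOWN_PSEXEC_NAMES = {"PSEXESVC"}
# A service whose image path is a shell invocation is almost never legitimate.
SHELL_RE = re.compile(r"(%COMSPEC%|\bcmd\.exe\b|\bpowershell\.exe\b)", re.IGNORECASE)


@dataclass
class ServiceInstall:
    time: str
    host: str
    name: str
    image_path: str
    start_type: str
    account: str
    reasons: list = field(default_factory=list)


def parse_event(line):
    """Return a ServiceInstall for a 7045 record, or None for anything else."""
    parts = line.split("|")
    if len(parts) != 7 or parts[0] != "7045":
        return None
    return ServiceInstall(*parts[1:])


def looks_random(name):
    """Heuristic: 8-16 letters with frequent case switches (e.g. jXbQwKpL)."""
    if not (8 <= len(name) <= 16 and name.isalpha()):
        return False
    switches = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    return switches >= 3


def triage(lines):
    """Return the service installs that match at least one PsExec-style indicator."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev.name.upper() in KNOWN_PSEXEC_NAMES:
            ev.reasons.append("known PsExec service name")
        if looks_random(ev.name):
            ev.reasons.append("random-looking service name")
        if SHELL_RE.search(ev.image_path):
            ev.reasons.append("service image is a shell command line")
        if ev.reasons:
            findings.append(ev)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.time} {f.host} service={f.name!r} -> {', '.join(f.reasons)}")
```

Pair the 7045 hits with the matching 7036 (service state change) and 4624 type 3 logon events on the same host to recover which account and source system drove the execution; the random-name heuristic alone will miss tools that set a fixed, benign-looking service name.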
Persistence - Sophisticated Malware
• Backdoor targeted Windows XP systems
• Used a sophisticated packer
• Backdoor gets capabilities from shellcode
• Ability to download additional shellcode
  - Makes for a versatile backdoor
Data Theft
• Attacker used domain controller as pivot point into retail environment
  - The retail domain had a two-way trust with the corporate domain
  - The store registers ran Microsoft Windows XP
  - The store registers were joined to the retail domain
• Deployed card harvesting malware to registers throughout the environment
• Malware wrote stolen track data to temporary MSSQL database
• Attacker queried database to collect stolen track data
• Transferred files off of network using FTP
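When the staging database or the FTP transfers can be recovered, the investigation's "what data was stolen" question comes down to counting valid track records. The script below is an added example (not from the slides or any Mandiant tool) that scans such a dump for Track 1 and Track 2 magnetic-stripe data, keeps only PANs that pass the Luhn check, redacts them, and summarizes distinct PANs per track. The sample dump is constructed and uses publicly known payment test card numbers; the regexes cover the standard track layouts but are assumptions for this example.

```python
"""Scan data leaving the environment (an FTP upload, a dumped database table)
for payment card track data, so a DLP or IR review can confirm what was
taken. Added example, not from the M-Trends slides; the sample dump below is
constructed and uses publicly known test card numbers, not real cardholders."""
import re

# Track 1: %B<PAN>^<NAME>^<YYMM...>   Track 2: ;<PAN>=<YYMM...>
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})")

# Constructed sample resembling rows pulled from the temporary MSSQL table the
# slides describe. Row 3 has a PAN that fails the Luhn check and is noise.
SAMPLE_DUMP = (
    "id=1|%B4111111111111111^DOE/JOHN^25061010000000000000?|;4111111111111111=25061010000000000000?\n"
    "id=2|;5555555555554444=24121011234000000000?\n"
    "id=3|;4111111111111112=25011010000000000000?\n"
    "id=4|order=ABC-1002 total=49.99\n"
)


def luhn_ok(pan):
    """Standard Luhn check; rejects most digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(pan):
    """Keep BIN and last four so findings can be shared without re-exposing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(text):
    """Return a list of findings: track number, redacted PAN and expiry (YYMM)."""
    hits = []
    for m in TRACK1_RE.finditer(text):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append({"track": 1, "pan": redact(pan), "expiry": m.group(3)})
    for m in TRACK2_RE.finditer(text):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append({"track": 2, "pan": redact(pan), "expiry": m.group(2)})
    return hits


def summarize(hits):
    """Distinct PANs and per-track counts: the numbers a breach notification needs."""
    return {
        "distinct_pans": len({h["pan"] for h in hits}),
        "track1": sum(1 for h in hits if h["track"] == 1),
        "track2": sum(1 for h in hits if h["track"] == 2),
    }


if __name__ == "__main__":
    found = scan_for_track_data(SAMPLE_DUMP)
    for h in found:
        print(h)
    print(summarize(found))
```

Run this over the recovered FTP payloads as well as the database export; the two counts should agree, and a gap between them is itself a finding about how much of the staged data actually left the network.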
A Retailer Case Study
Protect Yourself
• Secure remote access
  - Two-factor authentication required
• Secure access to the PCI environment
  - Segment the PCI environment
  - Require access through internal jump server
• Deploy application whitelisting on critical assets
  - Protect the POS servers and registers
• Manage privileged accounts
  - Control access
TREND 3
The Evolving Attack Lifecycle
Trend 3: The Evolving Attack Lifecycle
• Threat actors have used stealthy new tactics to move laterally and maintain persistence in victim environments.
Attack Lifecycle
Hijacking the VPN
• Heartbleed vulnerability
• Single-factor authentication & credential theft
• Bypassing two-factor authentication
Dumping certificates with Mimikatz (Image Source: www.darkoperator.com)
Password Harvesting
“Victims quickly learned that the path from a few infected systems to complete compromise of an Active Directory domain could be incredibly short.”
• Clear-text passwords in memory
• “Golden Ticket” Kerberos attack
• Malicious security packages
Persisting with WMI
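The WMI slides carry only their title in this export, so the mechanics are summarized here with an added example (not from the slides or any Mandiant tool). WMI persistence chains an __EventFilter (the trigger, a WQL query) to an event consumer (the payload) through a __FilterToConsumerBinding in the root\subscription namespace; hunting for it means enumerating those three object types and scoring the bindings. The script does that scoring over constructed records: the "SCM Event Log" binding Windows ships by default is treated as known-good, and a constructed malicious binding that fires on an uptime window and runs an encoded PowerShell command (payload replaced by a placeholder) is flagged. The indicator lists and the in-memory record format are assumptions for this example; on a live host the objects would come from a WMI query.

```python
"""Hunt for malicious WMI event subscriptions: a persistence technique that
chains an __EventFilter (the trigger) to an event consumer (the payload)
through a __FilterToConsumerBinding in the root\\subscription namespace.

Added example, not from the M-Trends slides. On a live host these objects
would be enumerated with WMI; here they are constructed sample records so
the logic runs offline."""
import re
from dataclasses import dataclass


@dataclass
class EventFilter:
    name: str
    query: str


@dataclass
class EventConsumer:
    name: str
    cls: str        # WMI class, e.g. CommandLineEventConsumer
    payload: str    # CommandLineTemplate, ScriptText, or "" for log consumers


@dataclass
class Binding:
    filter_ref: str     # e.g. __EventFilter.Name="SCM Event Log Filter"
    consumer_ref: str   # e.g. NTEventLogEventConsumer.Name="SCM Event Log Consumer"


# Constructed sample: the one binding Windows ships by default, plus a
# constructed malicious one that fires shortly after boot and runs an encoded
# PowerShell command (payload replaced with a placeholder).
FILTERS = [
    EventFilter("SCM Event Log Filter", "select * from MSFT_SCMEventLogEvent"),
    EventFilter("UpdaterFilter",
                "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE "
                "TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND "
                "TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"),
]
CONSUMERS = [
    EventConsumer("SCM Event Log Consumer", "NTEventLogEventConsumer", ""),
    EventConsumer("UpdaterConsumer", "CommandLineEventConsumer",
                  "powershell.exe -NoP -W Hidden -enc <BASE64_PLACEHOLDER>"),
]
BINDINGS = [
    Binding('__EventFilter.Name="SCM Event Log Filter"',
            'NTEventLogEventConsumer.Name="SCM Event Log Consumer"'),
    Binding('__EventFilter.Name="UpdaterFilter"',
            'CommandLineEventConsumer.Name="UpdaterConsumer"'),
]

# Consumer classes that execute attacker-supplied code.
EXEC_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
# Payload and trigger patterns commonly seen in malicious subscriptions (assumed list).
PAYLOAD_RE = re.compile(r"(powershell|cmd\.exe|wscript|cscript|rundll32|regsvr32|-enc\b|http)", re.I)
TRIGGER_RE = re.compile(r"(SystemUpTime|Win32_LocalTime|Win32_Process|__InstanceCreationEvent)", re.I)
# Default Windows binding; extend with the organisation's own management software.
KNOWN_GOOD = {("SCM Event Log Filter", "SCM Event Log Consumer")}
REF_RE = re.compile(r'^(\w+)\.Name="([^"]+)"$')


def parse_ref(ref):
    """Split an object path like CLASS.Name="X" into (CLASS, X)."""
    m = REF_RE.match(ref)
    if not m:
        raise ValueError(f"unrecognised reference: {ref}")
    return m.group(1), m.group(2)


def find_suspicious_bindings(filters, consumers, bindings):
    """Score every binding that is not known-good and return the flagged ones."""
    by_filter = {f.name: f for f in filters}
    by_consumer = {c.name: c for c in consumers}
    findings = []
    for b in bindings:
        _, fname = parse_ref(b.filter_ref)
        ccls, cname = parse_ref(b.consumer_ref)
        if (fname, cname) in KNOWN_GOOD:
            continue
        reasons = []
        flt = by_filter.get(fname)
        con = by_consumer.get(cname)
        if flt is None or con is None:
            reasons.append("dangling binding")
        if ccls in EXEC_CONSUMERS:
            reasons.append(f"consumer executes code ({ccls})")
        if con and PAYLOAD_RE.search(con.payload):
            reasons.append("payload invokes scripting/LOLBin")
        if flt and TRIGGER_RE.search(flt.query):
            reasons.append("trigger fires on boot/time/process activity")
        if reasons:
            findings.append({"filter": fname, "consumer": cname, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_bindings(FILTERS, CONSUMERS, BINDINGS):
        print(f)
```

Baseline the known-good set per environment before relying on this across a fleet: legitimate management agents do register CommandLineEventConsumer bindings, and a binding whose filter or consumer object is missing ("dangling") is often the residue of a partial cleanup and worth a closer look.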
TREND 4
Blurred Lines – Criminal and APT Actors Take a Page from Each Others’ Playbook
Trend 4: Blurred Lines – Criminal and APT Actors Take a Page from Each Others’ Playbook
• As actors' tactics merge, discerning their goals becomes critical to gauging the impact of incidents.
Tactical Overlaps between Cybercriminals and APT Groups
• Interactive social engineering & social media presence
• Custom malware and tools, development on the fly
• Effective lateral movement and long-term persistence
• Repeated, wide-scale data theft
From Russia with Ambiguity: Intent Matters
• Russia-based cyber activity
  - Nation state espionage
  - Cybercrime
  - Gray area...
• APT28 and “Sandworm”
  - Use of BlackEnergy (traditionally crimeware) to target Industrial Control Systems
• Intent & motive matters
Conclusion
• Organizations are under increasing pressure to disclose details on breaches and provide attribution
• Retail remains a top target as attackers found more victims
• Threat actors have adopted stealthy new tactics to hide in compromised environments
• Attribution is becoming harder as the lines blur between tactics used by cyber criminals and nation-state actors
RESOURCES
Free Resources
• Available on www.mandiant.com
  - Redline
  - IOC Editor
  - IOC Finder
  - Memoryze
  - Memoryze for Mac
  - Highlighter
  - ApateDNS
  - Heap Inspector
  - PdbXtract
Mandiant Consulting
Incident Response
• Investigation and resolution of large-scale security breaches
Security Assessments
• Unique offerings applying Mandiant’s specialized expertise in advanced threats to evaluate organizations' security programs, systems and processes; we can also determine if attackers are active in your network
Security Transformation
• Development/enhancement of your security posture including security operation center (SOC) design and computer incident response team (CIRT) capabilities
M-Trends® 2015
Download the full report at www.mandiant.com
THANK YOU