Embed Size (px)
Citation preview
Effiziente Abwehr von Cyber Kriminalität
Timo JobstHead of Cyber Defense Center
www.kapsch.net |
C:\whoami
25.02.2019 | FH Campus Wien 2
Timo Jobst
Cyber Defense, Incident Response, Threat Intel
CISSP, GCFA, GCTI, CCE,…
>15 Jahre in Cyber Security
Sport & Outdoor Fan
www.kapsch.net |
Was haben Sie 1986 gemacht?
www.kapsch.net |
Cliff Stoll - 1986
25.02.2019 | FH Campus Wien 4
www.kapsch.net |
A Long Story Short
25.02.2019 | FH Campus Wien 5
Hacker Hannover
Berkeley Laboratory
ARPANET / MILNET
www.kapsch.net |
A Long Story Short
25.02.2019 | FH Campus Wien 6
Hacker Hannover
Berkeley Laboratory
ARPANET / MILNET
www.kapsch.net |
Back to todays Cyber Defense
Back to the Future
www.kapsch.net |
Sliding Scale of Cyber Security
Grundbausteine
▪ Planung
▪ Entwicklung
▪ Design
Stellt die Basis für alles weitere her
Solange die Basis nicht stimmt, ist ein teures Invest von Security sinnlos
Falsch konfigurierte Hard- u. Software erzeugt viel Noise im Netzwerk
Gewartete und gepatchte Systeme bieten dem Angreifer weniger Angriffsfläche
25.02.2019 | FH Campus Wien 8
www.kapsch.net |
Sliding Scale of Cyber Security
25.02.2019 | FH Campus Wien 9
Typische Security Landschaft
▪ Firwalls, Anti-Malware Systeme, IPS, AV,…
Diese benötigen Wartung aber keine kontinuierliche menschliche Betreuung
Prevention und Protection können meist leicht umgangen werden
www.kapsch.net |
Sliding Scale of Cyber Security
25.02.2019 | FH Campus Wien 10
Gut geschulte Analysten benötigt um ebenfalls gut geschulte Angreifer zu
identifizieren
Gute Architektur und Passive Defense ist Grundvoraussetzung
Motivierter Angreifer wird es immer schaffen ein Netz zu kompromittieren
Monitor, Respond, Learn – Wissen auf die internen Netzwerke übertragen
Incident Response, Malware Reverse Engineering, Threat Analyse, NSM,….
Threat Hunting
Angreifer sind Wandlungsfähig, Defender müssen ebenso Intelligent und
Flexible sein.
www.kapsch.net |
Pew-Pew Maps
25.02.2019 | FH Campus Wien 11
www.kapsch.net |
Sliding Scale of Cyber Security
25.02.2019 | FH Campus Wien 12
Intelligence wird für effektive Active Defense benötigt
Analysierte und bewertete Information führt zu Intelligence
Tools erstellen keine Intelligence, nur Analysten können dies
Vom Angreifer lernen um daraus besser zu reagieren und zu identifizieren
www.kapsch.net |
Sliding Scale of Cyber Security
25.02.2019 | FH Campus Wien 13
Wird eher von Militär und großen Security Unternehmen durchgeführt
Kostenintensiv
www.kapsch.net |
Sliding Scale of Cyber Security
25.02.2019 | FH Campus Wien 14
www.kapsch.net |
Sliding Scale of Cyber Security
25.02.2019 | FH Campus Wien 15
www.kapsch.net |
Sliding Scale of Cyber Security
25.02.2019 | FH Campus Wien 16
www.kapsch.net |
Active Defense & Intelligence
Großer Technologie Stack
Viel Open Source und
einige kommerzielle
Produkte
Hardware
Woher kommt die Intel?
OSINT/Kommerziell?
Wo verarbeite ich die
Daten?
Wie produziere ich Intel?
Erfahrung im Security
Bereich
Analytisches Denken
Netzwerk & OS Knowhow
IR & Forensic Knowhow
Welche Daten braucht
man?
Schwachstellen
Wie kommt man an diese
Daten?
Wo speichert man sie?
25.02.2019 | Titel der Präsentation 17
www.kapsch.net |
Beurteilung Data Sources
Host/Network Proactive/Live
Pivots
Pro
Con
25.02.2019 | Kapsch Managed Defense Service 18
Criteria Grade
Retention
Context
Search
Acquisition
Pivot Fields
GRADE
www.kapsch.net |
Packet Capture (PCAP)
Network Proactive
IP, Port, Protocol Fields, Payload
Pro
• Highest contex network data source
• Wide level of tool support
• Likely already examined by IDS
Con
• Large disk footprint limits retention
• Limited value when encryption is used
• Significant extraneous data
• Slow to retrieve and filter
25.02.2019 | Kapsch Managed Defense Service 19
Criteria Grade
Retention D
Context A+
Search C
Acquisition D
Pivot Fields A+
GRADE B-
www.kapsch.net |
Network Flow Data
Network Proactive
IP, Port
Pro
• Possible to store for a long time
• Very fast and flexible to search
• Can be generated from network devices or
sensors
• Ideal starting point
Con
• Virtually no context
• Several formats can produce different results
25.02.2019 | Kapsch Managed Defense Service 20
Criteria Grade
Retention A+
Context D
Search A+
Acquisition A
Pivot Fields D
GRADE A-
www.kapsch.net |
Memory Image
Host Live
Too Many to Name
Pro
• Incredibly context rich
• Often the only way to find certain types of
malware or hidden processes
• Individual dumps are easy to navigate with
some tools
Con
• Time consuming to acquire and parse
• Not feasible for proactive collection or long
retention
25.02.2019 | Kapsch Managed Defense Service 21
Criteria Grade
Retention F
Context A
Search B
Acquisition D
Pivot Fields A+
GRADE B
www.kapsch.net |
DetectionsPyramid of Pain
25.02.2019 | FH Campus Wien 22
Behavioral based detection
Automation of traditional indicators
Signature
Source: http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
www.kapsch.net |
MITRE ATT&CKMITRE´s Adversarial Tactics, Techniques, and Common Knowledge
25.02.2019 | FH Campus Wien 23
An adversary model and framework for describing the actions an adversary may take to
compromise and operate within an enterprise network
Focus on the last for steps of the Cyber Attack Lifecycle
www.kapsch.net |
MITRE ATT&CK
11 Tactics
Derived from later stages (expoit,
control, maintain and execute) of a
seven-stage Attack Lifecycle
Categories contain list of
techniques adversary could use to
perform that tactic
25.02.2019 | FH Campus Wien 24
www.kapsch.net |
MITRE ATT&CK
11 Tactics
Derived from later stages (expoit,
control, maintain and execute) of a
seven-stage Attack Lifecycle
Categories contain list of
techniques adversary could use to
perform that tactic
~223 Techniques
Windows, Mac, Linux
Techniques provide technical,
description, indicators, useful
defensive sensor data, detection
analytics, and potentioal mitigations
25.02.2019 | FH Campus Wien 25
www.kapsch.net |
APT28, Sofacy, Fancy Bear
25.02.2019 | Titel der Präsentation 26
www.kapsch.net |
APT28, Sofacy, Fancy Bear
25.02.2019 | FH Campus Wien 27
www.kapsch.net |
APT29, Cozy Bear
25.02.2019 | Titel der Präsentation 28
www.kapsch.net |
APT29, Cozy Bear
25.02.2019 | FH Campus Wien 29
www.kapsch.net |
Kombination APT28/APT29
25.02.2019 | Titel der Präsentation 30
www.kapsch.net |
Kombination APT28/APT29
25.02.2019 | FH Campus Wien 31
Die BedrohungGezielte Angriffe
www.kapsch.net |
Das Ziel: Energieversorgung WaldviertelOperation Powerhouse
25.02.2019 | FH Campus Wien 33
www.kapsch.net |
Der Plan: NetzwerkzugriffOperation Powerhouse
25.02.2019 | FH Campus Wien 34
Mailserver
Versuch #1
www.kapsch.net |
Versuch #1Operation Powerhouse
25.02.2019 | FH Campus Wien 36
www.kapsch.net |
Versuch #1Operation Powerhouse
25.02.2019 | Business Breakfast 2018 37
www.kapsch.net |
Versuch #1Operation Powerhouse
25.02.2019 | FH Campus Wien 38
www.kapsch.net |
Versuch #1Operation Powerhouse
25.02.2019 | FH Campus Wien 39
www.kapsch.net |
Das Problem: Die SandboxOperation Powerhouse
25.02.2019 | FH Campus Wien 40
Mailserver Sandbox
www.kapsch.net |
Versuch #1Operation Powerhouse
25.02.2019 | FH Campus Wien 41
www.kapsch.net |
Versuch #1Operation Powerhouse
25.02.2019 | FH Campus Wien 42
Versuch #2
www.kapsch.net |
Versuch #2Operation Powerhouse
25.02.2019 | FH Campus Wien 44
www.kapsch.net |
Versuch #2Operation Powerhouse
25.02.2019 | FH Campus Wien 45
www.kapsch.net |
Versuch #2Operation Powerhouse
25.02.2019 | FH Campus Wien 46
www.kapsch.net |
Die Lösung: Environmental KeyingOperation Powerhouse
25.02.2019 | FH Campus Wien 47
Mailserver Sandbox
www.kapsch.net |
Versuch #2Operation Powerhouse
25.02.2019 | FH Campus Wien 48
www.kapsch.net |
Versuch #2Operation Powerhouse
25.02.2019 | FH Campus Wien 49
www.kapsch.net |
Versuch #2Operation Powerhouse
25.02.2019 | FH Campus Wien 50
www.kapsch.net |
Versuch #2Operation Powerhouse
25.02.2019 | FH Campus Wien 51
FazitPrevention Fails
www.kapsch.net |25.02.2019 | 53
www.kapsch.net |
Defensible Network
25.02.2019 | FH Campus Wien 55
Mailserver Sandbox
Cyber Defense Technologie Stack
NSM
EDR
Log
Vuln Scanning
www.kapsch.net |
Defensible Network
25.02.2019 | Business Breakfast 2018 56
Mailserver Sandbox
Cyber Defense Technologie Stack
NSM
EDR
Log
Vuln Scanning
Threat Intel
Ticketing
www.kapsch.net |
Defensible Network
25.02.2019 | FH Campus Wien 57
Mailserver Sandbox
Cyber Defense Technologie Stack
NSM
EDR
Log
Vuln Scanning
Threat Intel
Ticketing
Hunting
www.kapsch.net |
Defensible Network
25.02.2019 | FH Campus Wien 58
Mailserver Sandbox
Cyber Defense Technologie Stack
NSM
EDR
Log
Vuln Scanning
Threat Intel
Ticketing
Hunting
Timo Jobst
Cyber Security Analyst
Kapsch BusinessCom
Kapsch BusinessCom
Wienerbergstrasse 53
1120 Wien, Österreich
Phone: +43 50 811 5791
E-Mail: [email protected]
www.kapsch.net
59
Operation Powerhouse
1. NSM - Network Monitoring
2. EDR – Endpoint
3. LOG – Logging
www.kapsch.net |
NSM Alert Overview
25.02.2019 |
www.kapsch.net |
NSM Alert Overview
25.02.2019 |
www.kapsch.net |
NSM Alert Overview
25.02.2019 |
www.kapsch.net |
NSM Alert Intel-ADDR 62.218.147.233
25.02.2019 |
www.kapsch.net |
NSM Alert SSL Connection
25.02.2019 |
www.kapsch.net |
STATUS
25.02.2019 |
www.kapsch.net |
STATUS
25.02.2019 |
- IP: 62.218.147.233 -
Intel Alert – Beacon?
www.kapsch.net |
STATUS
25.02.2019 |
- IP: 62.218.147.233 -
Intel Alert – Beacon?
- Domain: bbtt.login-portal.at -
Unknown – Free SSL CERT
www.kapsch.net |
STATUS
25.02.2019 |
- IP: 62.218.147.233 -
Intel Alert – Beacon?
- Domain: bbtt.login-portal.at -
Unknown – Free SSL CERT
Next Step
Query Intel
www.kapsch.net |
Intel Check – login-portal.at
25.02.2019 |
www.kapsch.net |
Intel Check – 62.218.147.233
25.02.2019 |
www.kapsch.net |
Intel Check – Known Domains
25.02.2019 |
www.kapsch.net |
Intel Check – Shared Events
25.02.2019 |
Operation Powerhouse
www.kapsch.net |
Intel Check – Shared Events
25.02.2019 |
www.kapsch.net |
STATUS
25.02.2019 |
- IP: 62.218.147.233 -
Intel Alert – Beacon?
- Domain: bbtt.login-portal.at -
Unknown – Free SSL CERT
www.kapsch.net |
STATUS
25.02.2019 |
- IP: 62.218.147.233 -
Intel Alert – APT Waldviertel
- Domain: bbtt.login-portal.at -
Unknown – Free SSL CERT
www.kapsch.net |
STATUS
25.02.2019 |
- IP: 62.218.147.233 -
Intel Alert – APT Waldviertel
- Domain: bbtt.login-portal.at -
Completely Unknown – Fresh – Bad Hoster
www.kapsch.net |
STATUS
25.02.2019 |
- IP: 62.218.147.233 -
Intel Alert – APT Waldviertel
- Domain: bbtt.login-portal.at -
Completely Unknown – Fresh – Bad Hoster
- a.exe -
Unknown – Unseen – No Hash
www.kapsch.net |
STATUS
25.02.2019 |
- IP: 62.218.147.233 -
Intel Alert – APT Waldviertel
- Domain: bbtt.login-portal.at -
Completely Unknown – Fresh – Bad Hoster
- a.exe -
Unknown – Unseen – No Hash
Next Step
Check Client
www.kapsch.net |
EDR Alert
25.02.2019 |
www.kapsch.net |
EDR Alert – Overview
25.02.2019 |
Operation Powerhouse
www.kapsch.net |
EDR Alert – Connection Overview
25.02.2019 |
www.kapsch.net |
EDR Alert – Exploit Overview - Origin
25.02.2019 |
www.kapsch.net |
EDR Alert – Exploit Overview – Process Tree
25.02.2019 |
www.kapsch.net |
EDR Alert – Powershell – 2nd Stage Download
25.02.2019 |
www.kapsch.net |
EDR Alert – a.exe
25.02.2019 |
www.kapsch.net |
EDR Alert – Microsoft Word Updater.exe
25.02.2019 |
www.kapsch.net |
STATUS
25.02.2019 |
- IP: 62.218.147.233 -
Intel Alert – APT Waldviertel
- Domain: bbtt.login-portal.at -
Completely Unknown – Fresh – Bad Hoster
- a.exe -
Unknown – Unseen – No Hash
www.kapsch.net |
STATUS
25.02.2019 |
- IP: 62.218.147.233 -
Intel Alert – APT Waldviertel
- Domain: bbtt.login-portal.at -
Completely Unknown – Fresh – Bad Hoster
- a.exe -
2nd Stage Downloader - LEONIE
www.kapsch.net |
STATUS
25.02.2019 |
- IP: 62.218.147.233 -
Intel Alert – APT Waldviertel
- Domain: bbtt.login-portal.at -
Completely Unknown – Fresh – Bad Hoster
- a.exe -
2nd Stage Downloader - LEONIE
- Microsoft Word Updater.exe -
Persistent – Reverse Shell – LEONIE
www.kapsch.net |
STATUS
25.02.2019 |
- IP: 62.218.147.233 -
Intel Alert – APT Waldviertel
- Domain: bbtt.login-portal.at -
Botnet Site – C2 Established
- a.exe -
2nd Stage Downloader - LEONIE
- Microsoft Word Updater.exe -
Persistent – Reverse Shell – LEONIE
www.kapsch.net |
STATUS
25.02.2019 |
- IP: 62.218.147.233 -
Intel Alert – APT Waldviertel
- Domain: bbtt.login-portal.at -
Botnet Site – C2 Established
- a.exe -
2nd Stage Downloader - LEONIE
- Microsoft Word Updater.exe -
Persistent – Reverse Shell – LEONIE
Next Step
Block Client / FW - Check Behavior
www.kapsch.net |
Splunk - Logging Active Directory Alerts
25.02.2019 |
www.kapsch.net |
Splunk - Logging Internal Network Behavior
25.02.2019 | 93
www.kapsch.net |
Splunk - Logging Rev. Shell Indikator (Time)
25.02.2019 | 94
www.kapsch.net |
Splunk - Logging Rev. Shell Indikator (Bytes)
25.02.2019 | 95
www.kapsch.net |
STATUS
25.02.2019 |
- IP: 62.218.147.233 -
Intel Alert – APT Waldviertel
- Domain: bbtt.login-portal.at -
Botnet Site – C2 Established
- a.exe -
2nd Stage Downloader - LEONIE
- Microsoft Word Updater.exe -
Persistent – Reverse Shell – LEONIE
www.kapsch.net |
STATUS
25.02.2019 |
- IP: 62.218.147.233 -
Intel Alert – APT Waldviertel
- Domain: bbtt.login-portal.at -
Botnet Site – C2 Established
- a.exe -
2nd Stage Downloader - LEONIE
- Microsoft Word Updater.exe -
Persistent – Reverse Shell – LEONIE
- Bruteforce vs. AD -
Failed Logins
www.kapsch.net |
STATUS
25.02.2019 |
- IP: 62.218.147.233 -
Intel Alert – APT Waldviertel
- Domain: bbtt.login-portal.at -
Botnet Site – C2 Established
- a.exe -
2nd Stage Downloader - LEONIE
- Microsoft Word Updater.exe -
Persistent – Reverse Shell – LEONIE
- Bruteforce vs. AD -
Failed Logins
- Lateral Movement -
SMB Spreading
www.kapsch.net |
FAZIT
25.02.2019 | Titel der Präsentation 99
cdc@kapsch[.]net
Questions?
Timo Jobst
Head of Cyber Defense Center
Kapsch BusinessCom
Kapsch BusinessCom
Wienerbergstrasse 53
1120 Wien, Österreich
Phone: +43 50 811 5791
E-Mail: [email protected]
www.kapsch.net
100
