© 2023 ConnectWise. All rights reserved.
Exploring the Defenders Advantage
How To Protect, Detect, and Respond to Your Threats
Raffael Marty & Bryson Medlock
February 2023
Framing slide: LEFT OF BOOM | BOOM | RIGHT OF BOOM
MITRE ATT&CK TACTICS: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact
NIST FUNCTIONAL AREAS FOR CYBER RESILIENCE: Identify, Protect, Detect, Respond, Recover
ASSUME BREACH
Track sessions: "Deriving value from Red and Purple Teaming" – Presented by: John Strand; "Exploring the Defenders Advantage" – Presented by: Raffael Marty + Bryson Medlock
Exploring The Defenders Advantage
• The Defender’s Tools of the Trade
• Individual Tools Don’t Cut It - We Need Intelligence
• BlackCat Case-Study – The Need for Intelligence
Speakers
Raffael Marty – General Manager Cybersecurity @ ConnectWise
• 25 years in cybersecurity
• Investor and Advisory | LED Tinkerer | Zen Student
• Chief Research and Intelligence Officer @ Forcepoint
• Head of Security Analytics @ Sophos
• Founder @ Loggly – the first logging as a service platform
• Chief Security Strategist @ Splunk
• Head of Content @ ArcSight
Bryson Medlock – Threat Intelligence Evangelist @ ConnectWise
• 10+ years in IT (mostly Linux sysadmin)
• 10+ years in cybersecurity
• Lead Trainer for the Alert Logic SOC
• Trained L2+L3 Linux Sysadmins at HostGator
• Creator/Organizer of CTFs
NIST FUNCTIONAL AREAS FOR CYBER RESILIENCE: IDENTIFY | PROTECT | DETECT | RESPOND | RECOVER
Defender Tools – Many Needs
• Not one product covers all areas – one needs multiple solutions to get comprehensive security coverage
Tool matrix (rows: asset class; columns: PROTECT / DETECT / RESPOND):
Devices – Protect: AV, EPP, FIM, HIPS, Whitelisting, Patch Mgmt, Email security | Detect: EPP, UEBA, SIEM, Email Security | Respond: EP Response (EDR, MDR), EP Forensics
Applications – Protect: RASP, WAF, ZT App Access, CASB, SSPM | Detect: Source Code Compromise, App IDS, SIEM, CASB, SSPM | Respond: SSPM
Networks – Protect: FW, IPS, UTM, Microseg, ESG, SWG, SASE, ZTNA, DNS, VPN | Detect: DDoS Detection, Net Traffic Analysis, UEBA, SIEM, DNS | Respond: DDoS Response, NW Forensics, SASE
Data – Protect: Encryption, Tokenization, DLP, DRM, DBAM, Email security | Detect: Dark Web Scanning, Data Behavior Analytics, SIEM | Respond: DRM, Breach Response
Users – Protect: Security Awareness Training, MFA | Detect: Insider Threat, UEBA, SIEM
NIST FUNCTIONAL AREAS FOR CYBER RESILIENCE: IDENTIFY | PROTECT | DETECT | RESPOND | RECOVER
Defender Tools – Considerations (annotations on the same tool matrix as the previous slide)
• All operating systems
• On-prem, cloud, IoT
• On-prem and SaaS
• Covering BYOD
• Dealing with alert monitoring and false positives
• What data?
• MFA across all applications (on-prem, cloud, SaaS)
NIST FUNCTIONAL AREAS FOR CYBER RESILIENCE: IDENTIFY | PROTECT | DETECT | RESPOND | RECOVER
Defender Tools – Can We Simplify?
Simplified tool matrix (rows: asset class; columns: PROTECT / DETECT / RESPOND):
Devices – Protect: EDR, Patch Management, Email Security | Detect: EDR, Email Security | Respond: EDR
Applications – Protect: CASB, SSPM | Detect: CASB, SSPM | Respond: SSPM
Networks – Protect: FW, IPS | Detect: IDS
Data – Protect: Encryption, Email security | Detect: Dark Web Scanning
Users – Protect: Sec Awareness Training, MFA
What about fail-safes (both capability failures and human error)? Use your RMM?
Defender Tools – Let’s Take Inventory
• Over 10 Products
• Disconnected
• Duplicate Alerts
• Duplicate Policy Configuration
• MSPs Will Have To Manage, No 3rd Party Provider
• What about SIEM? (inputs shown on the slide: Threat Intel, Context)
  ✓ Single Interface
  ✓ Better Detection (Correlation)
  ✓ Lower False Positives
  ✓ External Intelligence
  ✓ Environmental Context
  – Only Covers Detection
  – Needs Data Inputs
• Could Be Coupled With SOAR
The Need for Intelligence – Taking a Step Back
Intelligence != Public Threat Intelligence Feeds
• Strategic Intelligence: Non-technical, risk-based intelligence on a business level. Informs business-related decisions.
• Tactical Intelligence: Details of threat actor tactics, techniques, and procedures (TTPs).
• Operational Intelligence: Actionable information about a specific incoming attack.
• Technical Intelligence: Technical threat indicators (e.g., malware hashes, C2 IP addresses, etc.).
Intelligence – A Different View
Move from event-based to risk-based
Intelligence | Pros | Cons | Source
Indicators of Compromise (IOCs) | Ease of use and broad availability | Hard to find industry / customer relevant IOCs, high false positives, change over time, always reactive | Public threat feeds
TTPs | Not specific to individual attacks / attackers / malware | No common exchange format, except maybe Sigma? | MITRE ATT&CK, Sigma, other?
Leading Indicators – left of boom risk | Move threat detection left in kill-chain, independent of specific attack | Hard to collect, hard to define the causation | Environment specific logs and threat hunting
Anomalies / Environment Specific Insights | Good predictors | Hard to scale across all your customers | In-house, contextual information across each customer, threat hunting
From Defense to Automated Protection
Risk-focused System
• Risk drives access decisions in a ZTNA environment
• Risk can drive automatic (or semi-automatic) responses
Diagram: Subject → access request → Policy Enforcement Point(s) → access → Resources. The Policy Enforcement Point asks the Policy Decision Point "can access?"; inside the Policy Decision Point, the Analytics Engine produces a risk decision and the Policy Engine returns a risk-informed policy decision.
BlackCat Case-Study 1
Compromised Credentials – Manufacturing Company
ATT&CK techniques shown for this case (the slide places them on a Devices / Applications / Networks / Data / Users grid against DETECT / RESPOND):
T1003 OS Credential Dumping
T1007 System Services Discovery
T1018 Remote System Discovery
T1020 Automated Exfiltration
T1021 Remote Services
T1030 Data Transfer Size Limits
T1036 Masquerading
T1039 Data from Network Shared Drive
T1041 Exfiltration over C2 Channel
T1046 Network Service Discovery
T1047 Windows Mgmt. Instrumentation
T1048 Exfiltration over Alternate Protocol
T1053 Scheduled Task / Job
T1057 Process Discovery
T1059 Command & Scripting Interpreter
T1069 Permission Groups Discovery
T1070 Indicator Removal on Host
T1071 Application Layer Protocol
T1074 Data Staged
T1078 Valid Accounts
T1082 System Information Discovery
T1087 Account Discovery
T1106 Native API
T1119 Automated Collection
T1133 External Remote Services
T1134 Access Token Manipulation
T1135 Network Share Discovery
T1190 Exploit Public-Facing Application
T1219 Remote Access Software
T1482 Domain Trust Discovery
T1485 Data Destruction
T1486 Data Encrypted for Impact
T1489 Service Stop
T1490 Inhibit System Recovery
T1498 Network Denial of Service
T1505 Server Software Component
T1537 Transfer Data to Cloud Account
T1548 Abuse Elevation Control Mechanism
T1552 Unsecured Credentials
T1555 Credentials from Password Stores
T1560 Archive Collected Data
T1562 Impair Defenses
T1567 Exfiltration over Web Services
T1569 System Services
T1570 Lateral Tool Transfer
T1572 Protocol Tunneling
T1573 Encrypted Channel
Timeline – Manufacturing company
• 1st day – Cisco AnyConnect VPN account test
• 7th day – VPN connected, RDP as different user, view Task Manager
• 8th day – VPN Login
• 8th day – RDP traffic to an unmonitored host
• 8th day – Couple hours later – ransomware spreading from unmonitored host via SMB
Event Logs Cleared
• wevtutil.exe cl {event log}
• CW SIEM signature: process.args:(("wevtutil.exe" OR "wevtutil") AND ("cl" OR "clear-log"))
Event Logs Cleared - Sigma
title: Suspicious Eventlog Clear or Configuration Change
detection:
    selection_wevtutil:
        Image|endswith: 'wevtutil.exe'
        CommandLine|contains:
            - 'clear-log '  # clears specified log
            - ' cl '        # short version of 'clear-log'
            - 'set-log '    # modifies config of specified log.
            - ' sl '        # short version of 'set-log'
            - 'lfn:'        # change log file location and name
Source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
Shadow Volume Deletion
• process.command_line: "cmd" /c "vssadmin.exe Delete Shadows /all /quiet"
• CW SIEM Signature:
  • process.executable:"vssadmin.exe" AND process.command_line.text:("delete shadows" AND "all")
• Sigma:
  • title: Shadow Copies Deletion Using Operating Systems Utilities
  • https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml (69 lines)
Crypter Running via WMI
• process.command_line: wmic /node:"REDACTED" process call create "C:\Users\Fqq09.exe --access-token <REDACTED 32 bit token>"
• CW SIEM Signature:
  • process.args:("wmic" AND "node") AND process.command_line.text:"process call create" AND NOT process.args:("ltsvc" OR "Agent_Installer.msi")
Crypter Running via WMI - Sigma
title: WMI Reconnaissance List Remote Services
detection:
    selection_img:
        - Image|endswith: 'WMIC.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains|all:
            - '/node:'
            - 'service'
    condition: all of selection*
Source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml
BlackCat Case-Study 2
Compromised Credentials – Law Office
ATT&CK technique matrix for this case (same technique list as in Case-Study 1, placed on the Devices / Applications / Networks / Data / Users grid against DETECT / RESPOND)
First Alert
• Lateral Movement first observed from decommissioned Windows 7 system pulled out of a closet
• No EDR or any other monitoring
Crypter Deployed
CW Control Commands
• 7z2107-x64.exe
• MEGAsyncSetup64.exe
• GetProcesses
• GetSoftware
• StopService – WRSVC (Webroot) [FAILED]
• Msg Administrator – “Hello <REDACTED>! We stolen from your network <REDACTED>gb sensitive data. If you don't want leak your data please contact us. Follow Instruction in readme file”
• RemotePC.exe
Full Timeline Unclear
• Lateral Movement first observed from decommissioned Windows 7 system pulled out of a closet
• No EDR or any other monitoring
• CW SIEM owned (not p0wned!), but not deployed
• Incident Support investigation:
  • Five different CW Control accounts used
  • All were shut down by CW Scammer Hammer
  • Mimikatz found
  • Koadic found
  • One Admin Login:
    • Data 7zip’d
    • Megasync installed
    • Putty.exe
    • Megasync uninstalled
Visibility is Key
• Case 1
  • TA found system w/o Sysmon and used it for staging
  • System logs were cleared, limited forensics on that one system
  • Firewall logs were key
• Case 2
  • EDR only, but not everywhere
  • Decommissioned Windows 7 system in closet w/o any EDR or other security tools likely point of Initial Access
  • No SIEM, logs were cleared, severely limited forensics
Building Detections
Easy Mode
BlackCat
[CRU][Windows] Reg add to "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
[T1047] Windows Management Instrumentation
Don’t Reinvent the Wheel – Detection Rules Exist
• MITRE CAR
• https://car.mitre.org/
• SIGMA
• https://github.com/SigmaHQ/sigma
• Elastic Detection Rules
• https://github.com/elastic/detection-rules
Make sure you have the right data triggering these rules
Example - T1003 OS Credential Dumping
• NTDSUtil
• MITRE CAR pseudocode:
  • files = search File:Create
    ntds_dump = filter files where (file_name = "ntds.dit" and image_path = "*ntdsutil.exe")
    output ntds_dump
• Sigma
  • title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
  • https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml
• Elastic:
  • (process.pe.original_file_name == "ntdsutil.exe" and process.args : "create*full*") or
• CW SIEM
  • [CRU][Windows] Dump Active Directory Database with NTDSUtil
  • process.command_line.text:(("ntdsutil" OR "ntdsutil.exe") AND ("ac i ntds" OR "activate instance ntds") AND "ifm" AND "create full")
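As an added example (not code from the deck or from ConnectWise), the four CW SIEM signatures quoted on the Event Logs Cleared, Shadow Volume Deletion, Crypter Running via WMI and NTDSUtil slides are expressed below as Python predicates over ECS-style process-creation events and run against constructed sample events. The event layout, hostnames and file paths are assumptions; the last sample event mimics the unmonitored host from the case studies, whose events carry no command line, to show why "the right data" matters.

```python
"""Process-creation detections from the slides as plain Python predicates (added example).

Field names follow Elastic Common Schema, as the slides' queries do:
process.executable / process.args / process.command_line.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation event (layout is an assumption, not ConnectWise's schema)."""
    host: str
    executable: str    # process.executable, e.g. C:\Windows\System32\wevtutil.exe
    command_line: str  # process.command_line; empty when the host logged no command line


def tokens(ev):
    """Approximates an analyzed process.args field: lower-case terms split on
    whitespace and punctuation, keeping '.', '-' and '_' inside a term."""
    return set(re.findall(r"[a-z0-9_.\-]+", ev.command_line.lower()))


def text_has(ev, phrase):
    """process.command_line.text:"phrase" as a case-insensitive substring match."""
    return phrase.lower() in ev.command_line.lower()


def exe_is(ev, name):
    """process.executable:"name" matched on the file name only."""
    return ev.executable.lower().rsplit("\\", 1)[-1] == name.lower()


# --- one predicate per slide signature --------------------------------------
def event_logs_cleared(ev):
    # process.args:(("wevtutil.exe" OR "wevtutil") AND ("cl" OR "clear-log"))
    t = tokens(ev)
    return bool({"wevtutil.exe", "wevtutil"} & t) and bool({"cl", "clear-log"} & t)


def shadow_copies_deleted(ev):
    # process.executable:"vssadmin.exe" AND process.command_line.text:("delete shadows" AND "all")
    # The executable clause means this fires on the vssadmin.exe child, not on the cmd.exe wrapper.
    return exe_is(ev, "vssadmin.exe") and text_has(ev, "delete shadows") and text_has(ev, "all")


def remote_process_via_wmi(ev):
    # process.args:("wmic" AND "node") AND process.command_line.text:"process call create"
    #   AND NOT process.args:("ltsvc" OR "Agent_Installer.msi")
    t = tokens(ev)
    excluded = {"ltsvc", "agent_installer.msi"} & t
    return "wmic" in t and "node" in t and text_has(ev, "process call create") and not excluded


def ntds_dump_with_ntdsutil(ev):
    # process.command_line.text:(("ntdsutil" OR "ntdsutil.exe") AND ("ac i ntds" OR
    #   "activate instance ntds") AND "ifm" AND "create full")
    return (text_has(ev, "ntdsutil")
            and (text_has(ev, "ac i ntds") or text_has(ev, "activate instance ntds"))
            and text_has(ev, "ifm") and text_has(ev, "create full"))


RULES = {
    "Event Logs Cleared": event_logs_cleared,
    "Shadow Volume Deletion": shadow_copies_deleted,
    "Crypter Running via WMI": remote_process_via_wmi,
    "Dump Active Directory Database with NTDSUtil": ntds_dump_with_ntdsutil,
}


def evaluate(events):
    """Return (host, rule title) for every rule that fires on every event."""
    return [(ev.host, title) for ev in events for title, pred in RULES.items() if pred(ev)]


def telemetry_gaps(events):
    """Hosts whose process events carry no command line. Every rule above needs the
    command line, so such hosts are blind spots regardless of how good the rules are."""
    return sorted({ev.host for ev in events if not ev.command_line.strip()})


# Constructed sample events; hostnames and paths are made up.
SAMPLE = [
    ProcEvent("ws01", r"C:\Windows\System32\wevtutil.exe", "wevtutil.exe cl Security"),
    ProcEvent("ws01", r"C:\Windows\System32\cmd.exe",
              '"cmd" /c "vssadmin.exe Delete Shadows /all /quiet"'),   # parent process
    ProcEvent("ws01", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe Delete Shadows /all /quiet"),             # child process
    ProcEvent("jump01", r"C:\Windows\System32\wbem\WMIC.exe",
              'wmic /node:"fs02" process call create "C:\\Users\\Fqq09.exe --access-token <REDACTED>"'),
    ProcEvent("jump01", r"C:\Windows\System32\wbem\WMIC.exe",
              'wmic /node:"ws07" process call create "msiexec /i Agent_Installer.msi /qn"'),  # excluded
    ProcEvent("dc01", r"C:\Windows\System32\ntdsutil.exe",
              'ntdsutil "ac i ntds" ifm "create full C:\\temp\\x" q q'),
    ProcEvent("closet-win7", r"C:\Windows\System32\wevtutil.exe", ""),  # no command line logged
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE):
        print(hit)
    print("telemetry gaps:", telemetry_gaps(SAMPLE))
```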
Defender’s Advantage - Takeaways
1. Know what you protect - deploy an asset management program
2. Central place to collect logs / data (SIEM)
   1. Make sure you have the right tools to collect all relevant data
   2. Think about defense in-depth to cover ‘single layer failures’
   3. Collect contextual information (assets, users, etc.)
3. Relevant and actionable intelligence - not just a TI feed
4. Drive detections into automated protection (ZTA, etc.)
5. Leverage your RMM to assist your security tools
The premier cybersecurity conference for MSPs interested in
creating new revenue streams, securing clients, and seeing
the latest cyber innovation first hand.
June 5-7, 2023 | Gaylord Palms Resort + Convention Center
Learn more at connectwise.com/secure
Thank You
@raffaelmarty
@ConnectWiseCRU
connectwise.com/cybersecurity