
DAY 2

10.10.17
Advanced Policies with Cb Defense
How to tailor your prevention to maximize effectiveness

2 Confidential © 2017 Carbon Black. All Rights Reserved.


Agenda

1. The Stair-Step Approach to Improvement
2. Baselining and Tuning
3. Improving From News and Incidents
4. Expert Techniques From The Community



The Stair-Step Approach To Improvement
A repeatable process for continuous
improvement with minimal disruption



Best Practices Blog – A Must Read

→ Find it in the User Exchange under “Best Practices”



Security is About Continuous Improvement

+ You can get plenty of value out of the box
  − Common patterns, turned on by default
+ You can get more with baselining and tuning
  − Many patterns are well-known, but may cause false positives
+ Advanced attacks may require advanced techniques
  − Always be applying what you learn from reports and from incidents

You can make your posture better every day, if you go through some simple exercises.



Take the Steps, One by One

From NOVICE to EXPERT:

1. Deploy out-of-box settings, immediate value.
2. Use well-known rules, baselining and tuning first.
3. Employ advanced rules, based on news or incidents.
4. Deploy expert techniques, engage in community.



Step By Step With This Iterative Process

Identify a place to improve → Develop the new policy → Deploy the policy → Test for efficacy & false positives → (back to the start)



Build Containers That Track Status

+ Where should machines go when newly installed?
+ Which policy should they remain in for a certain level?
+ What machines can be triaged for going to the next level?

Create policy names that help you manage the status of different machines.



Stair-steps: Remain, or Advance?

Each level has a static policy, and a "triage for" policy with the same settings as the level it leads to:

INSTALL
  ↓
BASIC (static)            ← TRIAGE FOR INTERMEDIATE (policies with same settings as INTERMEDIATE)
  ↓
INTERMEDIATE (static)     ← TRIAGE FOR ADVANCED (policies with same settings as ADVANCED)
  ↓
ADVANCED (static)



2. Baselining and Tuning

Use well-known rules to create better security policies



Configure, Search, Move, Repeat

1. Create a higher-level policy with some rules you want to try.


2. Move some computers from lower-level default policy to “triage for next level” policy.
3. Search for a TTP that matches a rule you created in that higher-level policy.
4. All computers that show up → move to the static policy for this level (the “lower level”)
5. Repeat steps 2 and 3 for all TTPs/rules in the higher-level policy.
6. All computers left in “triage” policy → move up to the next level.
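The loop above, together with the status-tracking containers from the two "stair-step" slides, can be simulated end to end. The following is an added example and not Carbon Black's code: policy names, device names, the detection events and the rule predicates are all constructed assumptions, with the predicates standing in for the Investigate searches run in steps 3 and 5.

```python
# Added example (not Carbon Black code): simulation of the Configure, Search,
# Move, Repeat loop across status-tracking policy containers. Policy names,
# device names, events and rule predicates are constructed assumptions; the
# predicates stand in for the Investigate searches of steps 3 and 5.

# Policy containers named after the status they track (install -> basic -> intermediate).
BASIC = "Basic"
TRIAGE_FOR_INTERMEDIATE = "Triage for Intermediate"   # same settings as Intermediate
INTERMEDIATE = "Intermediate"

# Constructed detections seen while the trial rules were active:
# (device, applicationName, set of threat indicators).
SAMPLE_EVENTS = [
    ("WS-01", "powershell.exe", {"MODIFY_MEMORY_PROTECTION"}),
    ("WS-02", "winword.exe", {"NETWORK_ACCESS"}),
    ("WS-03", "chrome.exe", {"NETWORK_ACCESS"}),
    ("WS-04", "excel.exe", set()),
]

# Rules being tried in the higher-level policy (step 1); each mirrors one TTP search.
TRIAL_RULES = {
    "powershell executes code from memory": lambda app, ind: app == "powershell.exe"
        and bool(ind & {"MODIFY_MEMORY_PROTECTION", "SUSPICIOUS_BEHAVIOR", "PACKED_CALL"}),
    "office app reaches the network": lambda app, ind: app in {"winword.exe", "excel.exe", "powerpnt.exe"}
        and "NETWORK_ACCESS" in ind,
}


def triage(policies, events, rules, triage_policy, stay_policy, next_policy):
    """Apply steps 3-6; return (updated policies, device -> rule that held it back).

    A device in the triage policy that shows up for any trial rule would be disrupted
    by that rule, so it goes back to the static lower-level policy (step 4). Every
    device still in triage after all rules were checked moves up a level (step 6).
    """
    updated = dict(policies)
    held_back = {}
    for rule_name, matches in rules.items():            # step 5: repeat for every rule
        for device, app, indicators in events:           # step 3: search for the TTP
            if updated.get(device) == triage_policy and matches(app, indicators):
                updated[device] = stay_policy             # step 4: stay at this level
                held_back[device] = rule_name             # keep the reason for false-positive review
    for device, policy in list(updated.items()):
        if policy == triage_policy:
            updated[device] = next_policy                 # step 6: advance
    return updated, held_back


def run_sample():
    # Step 2: four machines moved from Basic into the triage policy; WS-05 stays in Basic.
    start = {name: TRIAGE_FOR_INTERMEDIATE for name in ("WS-01", "WS-02", "WS-03", "WS-04")}
    start["WS-05"] = BASIC
    return triage(start, SAMPLE_EVENTS, TRIAL_RULES, TRIAGE_FOR_INTERMEDIATE, BASIC, INTERMEDIATE)


if __name__ == "__main__":
    final, held = run_sample()
    for device in sorted(final):
        note = f"  (held back by: {held[device]})" if device in held else ""
        print(f"{device}: {final[device]}{note}")
```

Recording which rule held a machine back is the useful part in practice: that list is exactly the set of machines (and rules) to review before deciding whether the rule is a false positive or the machine needs an exception.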



Example Target for Triage Policies



Example Scenario: PowerShell Executing Code from Memory

+ Query in the Investigate tab:
  − applicationName:powershell.exe AND (threatIndicators:MODIFY_MEMORY_PROTECTION OR threatIndicators:SUSPICIOUS_BEHAVIOR or threatIndicators:PACKED_CALL)



Example Scenario: PowerShell Executing Code from Memory

+ Create a rule correlating with the detection event
  − Application: **\powershell*.exe
  − Operation: “Tries to execute code from memory”
  − Action: “Terminate process”



Unexpected App Behavior 1

(applicationName:winword.exe AND (threatIndicators:NETWORK_ACCESS) AND NOT destAddress:192.168.*.* and not destAddress:10.0.*.*)

You can do the same for Excel, PowerPoint, Adobe Reader, or even web browsers.



Unexpected App Behavior 2

(applicationName:Winword.exe OR parentName:Winword.exe) AND (targetCommandLine:powershell.exe OR interpreterName:powershell.exe OR targetCommandLine:cscript.exe OR interpreterName:cscript.exe OR targetCommandLine:wscript.exe OR interpreterName:wscript.exe OR targetCommandLine:cmd.exe OR interpreterName:cmd.exe)

You can do the same for Excel, PowerPoint, Adobe Reader, or even web browsers.
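The PowerShell scenario and the two "Unexpected App Behavior" queries all use the same field:value syntax with AND, OR and NOT, parentheses, and * wildcards. To see exactly which events such a query selects, here is an added example (not Carbon Black code) of a small parser and evaluator for that syntax, run against constructed sample events. The event dictionaries, their field names and values, and the treatment of a bare term such as POWERSHELL.EXE as a match against every field are assumptions made for the illustration; the real Investigate search may tokenize and match differently.

```python
# Added example (not Carbon Black code): parser and evaluator for the
# field:value AND/OR/NOT query syntax on the Investigate slides, run over
# constructed sample events. Event shape and matching rules are assumptions.
import re
from fnmatch import fnmatchcase

TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")
OPERATORS = {"AND", "OR", "NOT"}


class QueryParser:
    """Recursive descent: OR binds loosest, then AND, then NOT; operators are case-insensitive."""

    def __init__(self, query):
        self.tokens = TOKEN_RE.findall(query)
        self.pos = 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def at_op(self, name):
        tok = self.peek()
        return tok is not None and tok.upper() == name

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.at_op("OR"):
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.at_op("AND"):
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.at_op("NOT"):
            self.take()
            return ("not", self.parse_not())
        return self.parse_primary()

    def parse_primary(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok is None or tok == ")" or tok.upper() in OPERATORS:
            raise ValueError(f"expected a term, got {tok!r}")
        field, _, pattern = tok.partition(":")
        if not pattern:  # bare term such as POWERSHELL.EXE: assumed to match any field
            field, pattern = None, tok
        return ("term", field, pattern)


def field_values(event, field):
    """All values of a field (threatIndicators is multi-valued); None means every field."""
    raw = list(event.values()) if field is None else [event.get(field, [])]
    values = []
    for item in raw:
        values.extend(item if isinstance(item, (list, tuple, set)) else [item])
    return values


def evaluate(node, event):
    kind = node[0]
    if kind == "term":
        _, field, pattern = node
        # Case-insensitive glob: destAddress:10.0.*.* matches 10.0.x.y but NOT 10.1.x.y
        return any(fnmatchcase(str(v).upper(), pattern.upper()) for v in field_values(event, field))
    if kind == "not":
        return not evaluate(node[1], event)
    if kind == "and":
        return evaluate(node[1], event) and evaluate(node[2], event)
    return evaluate(node[1], event) or evaluate(node[2], event)


def matching_devices(query, events):
    tree = QueryParser(query).parse()
    return sorted(e["device"] for e in events if evaluate(tree, e))


# Constructed sample events, one per device, in the shape the queries expect.
SAMPLE_EVENTS = [
    {"device": "WS-01", "applicationName": "winword.exe", "threatIndicators": ["NETWORK_ACCESS"], "destAddress": "192.168.10.5"},
    {"device": "WS-02", "applicationName": "winword.exe", "threatIndicators": ["NETWORK_ACCESS"], "destAddress": "203.0.113.7"},
    {"device": "WS-03", "applicationName": "winword.exe", "threatIndicators": ["NETWORK_ACCESS"], "destAddress": "10.1.2.3"},
    {"device": "WS-04", "applicationName": "powershell.exe", "threatIndicators": ["MODIFY_MEMORY_PROTECTION", "PACKED_CALL"]},
    {"device": "WS-05", "applicationName": "Winword.exe", "interpreterName": "powershell.exe"},
]

# The three queries exactly as the slides give them.
WINWORD_NETWORK = ("(applicationName:winword.exe AND (threatIndicators:NETWORK_ACCESS) "
                   "AND NOT destAddress:192.168.*.* and not destAddress:10.0.*.*)")
POWERSHELL_MEMORY = ("applicationName:powershell.exe AND (threatIndicators:MODIFY_MEMORY_PROTECTION "
                     "OR threatIndicators:SUSPICIOUS_BEHAVIOR or threatIndicators:PACKED_CALL)")
OFFICE_SPAWNS_INTERPRETER = ("(applicationName:Winword.exe OR parentName:Winword.exe) AND "
                             "(targetCommandLine:powershell.exe OR interpreterName:powershell.exe OR "
                             "targetCommandLine:cscript.exe OR interpreterName:cscript.exe OR "
                             "targetCommandLine:wscript.exe OR interpreterName:wscript.exe OR "
                             "targetCommandLine:cmd.exe OR interpreterName:cmd.exe)")

if __name__ == "__main__":
    for name, q in [("winword network", WINWORD_NETWORK), ("powershell memory", POWERSHELL_MEMORY),
                    ("office spawns interpreter", OFFICE_SPAWNS_INTERPRETER)]:
        print(f"{name}: {matching_devices(q, SAMPLE_EVENTS)}")
```

The WS-03 case is the tuning caveat worth noticing: the slide's exclusions cover 192.168.*.* and 10.0.*.*, so a Word document talking to 10.1.2.3 (still inside 10.0.0.0/8) shows up as a hit. If that range is used internally, the exclusion list needs widening before the rule is promoted to a terminate action, otherwise the triage step will keep machines back on a false positive.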



Unknown Apps & Memory Pops 1

(processEffectiveReputation:NOT_LISTED OR
processReputationProperty:NOT_LISTED) AND
(threatIndicators:INJECT_CODE OR
threatIndicators:HAS_INJECTED_CODE OR
threatIndicators:COMPROMISED_PROCESS OR
threatIndicators:PROCESS_IMAGE_REPLACED OR
threatIndicators:MODIFY_PROCESS OR
threatIndicators:HOLLOW_PROCESS)

(threatIndicators:UNKNOWN_APP OR
processEffectiveReputation:UNKNOWN OR
processReputationProperty:UNKNOWN) AND
(threatIndicators:INJECT_CODE OR
threatIndicators:HAS_INJECTED_CODE OR
threatIndicators:COMPROMISED_PROCESS OR
threatIndicators:PROCESS_IMAGE_REPLACED OR
threatIndicators:MODIFY_PROCESS OR
threatIndicators:HOLLOW_PROCESS)



Unknown Apps & Memory Pops 2

(processEffectiveReputation:NOT_LISTED OR
processReputationProperty:NOT_LISTED) AND
(threatIndicators:SCRAPE_MEMORY OR
threatIndicators:RAM_SCRAPING OR
threatIndicators:READ_SECURITY_DATA)

(threatIndicators:UNKNOWN_APP OR
processEffectiveReputation:UNKNOWN OR
processReputationProperty:UNKNOWN) AND
(threatIndicators:SCRAPE_MEMORY OR
threatIndicators:RAM_SCRAPING OR
threatIndicators:READ_SECURITY_DATA)



Unknown / Unlisted Apps

Q: This application is legitimate, and so are these operations. How can I make this app listed / known?

A: Add the app via the “Reputation” page.



Additional UNKNOWN, NOT_LISTED

+ “Tries to execute code from memory.”
  − MODIFY_MEMORY_PROTECTION
+ “Tries to communicate over the network.”
  − NETWORK_ACCESS
+ “Tries to run an unknown application.”
  − UNKNOWN_APP



3. Improving From News And Incidents

Get better by monitoring what’s happening in your environment and the world



Where to Monitor News & Incidents

+ https://github.com/hslatman/awesome-threat-intelligence
+ http://reddit.com/r/netsec
+ http://reddit.com/r/sysadmin



Recent CCleaner Attack

+ Popular free software tool for optimizing system performance on PCs
+ Supply chain attack
+ Potentially unwanted program
+ 2.27 million users affected



Suspect Malware & Unwanted Programs

(processEffectiveReputation:PUP OR processReputationProperty:PUP)

(processEffectiveReputation:SUSPECT_MALWARE OR processReputationProperty:SUSPECT_MALWARE) OR (targetEffectiveReputation:SUSPECT_MALWARE OR targetReputationProperty:SUSPECT_MALWARE)



What is Suspected / Unwanted?

+ Toolbar that engages in all sorts of unnecessary operations, such as memory scraping.

+ Applications built by entities known to engage in questionable activities or relations.

+ Packager / wrapper that has been associated with known campaigns.

+ Security tool that can be used against you, like a port mapper or penetration toolkit.



Combating PowerShell Attacks

(POWERSHELL.EXE OR POWERSHELL_ISE.EXE) AND (threatIndicators:INJECT_CODE OR threatIndicators:HAS_INJECTED_CODE OR threatIndicators:COMPROMISED_PROCESS OR threatIndicators:PROCESS_IMAGE_REPLACED OR threatIndicators:MODIFY_PROCESS OR threatIndicators:HOLLOW_PROCESS)

(POWERSHELL.EXE OR POWERSHELL_ISE.EXE) AND (threatIndicators:MODIFY_MEMORY_PROTECTION OR threatIndicators:SUSPICIOUS_BEHAVIOR or threatIndicators:PACKED_CALL)

You can take the same approach with any command shell, or any program you don’t want touching memory.



4. Expert Techniques From The Community

Get best practices and advanced policies from other Cb Defense customers



Navigating the User eXchange




The Community in Practice



Summary

From NOVICE to EXPERT:

BASELINE & TUNING
● Search & create policies
● Other low-hanging fruit
● Get used to the process

INCIDENTS & NEWS
● Monitor your detections
● Plug into threat alerts
● Test for false positives

EXPERT COMMUNITY
● Ask questions
● Follow members & trends
● Collaborate and interact



Questions?

THANK YOU
