Presenters
• Anthony Giandomenico – Practice Director, Digital Forensics and Incident Response
• Tsailing Merrem – Director of Product Marketing, Endpoint Security
Security Implications of Global Pandemic
CSO Pandemic Impact Survey
Source: IDG CSO pandemic impact survey, 2020. https://www.idg.com/tools-for-marketers/cso-pandemic-impact-survey-2/
Working from Home Security Challenges
Pain Points
Notes/Sources:
Gartner: Forecast: Internet of Things — Endpoints and Associated Services, Worldwide, 2017
Threat Landscape
Updates from the Trenches
FortiGuard Responder Services – incident response lifecycle:
• Preparation
• Detection & Response
• Containment, Remediation & Recovery
• Post-Incident Activity
Targeted Ransomware Attacks: data exfiltration, then dropping a destructive payload
Ransomware Targeted Attacks
Tactics, Techniques, Procedures
RDP-DMZ
1. Initial Access – RDP or Phishing (backdoors)
OS Credential Access
Hash Attacks – LM and NT hashes (NTLM) taken from LSASS and the SAM hive, then cracked or used to pass the hash
RDP-DMZ
1. Initial Access – RDP or Phishing (backdoors – Cobalt Strike)
1. GAIN ACCESS & AUTHORITY
§ Credential Attacks
§ Brute Force, Account Creation
§ Pass the Hash, Token Stealing, Cached Creds, Ticket Stealing (Golden & Silver Ticket, Pass
2. COPY MALWARE TO SYSTEMS
§ Remote Desktop/VNC
§ PsExec
§ Windows Admin Shares
3. EXECUTE MALWARE ON SYSTEMS
§ PowerShell/WMIC
§ PSEXEC/PSEXESVC
§ Sc.exe/Schtasks.exe/At.exe/Winrs.exe
§ Exploitation of Vulnerabilities (EternalBlue)
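The copy/execute steps above all leave host-side traces a SOC can alert on. The following is an added detection example written for this page, not code from the presenters or from FortiEDR: it runs a handful of rules for the PSEXESVC service install and for remote use of sc.exe, schtasks.exe, WMIC and winrs.exe over constructed, flattened Windows event records (the key=value layout and the host names are assumptions for the example).

```python
import ntpath

# Constructed sample events (not from the slides), one record per line.
# CommandLine is always the last field so it may contain spaces.
SAMPLE_EVENTS = [
    "EventID=4688 Host=WS01 User=CORP\\jdoe Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe",
    "EventID=7045 Host=FS02 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe",
    "EventID=4688 Host=FS02 User=CORP\\svc_backup Image=C:\\Windows\\System32\\sc.exe CommandLine=sc.exe \\\\FS03 create updsvc binPath= C:\\Temp\\upd.exe",
    "EventID=4688 Host=DC01 User=CORP\\jdoe Image=C:\\Windows\\System32\\schtasks.exe CommandLine=schtasks.exe /create /s FS03 /tn sync /tr C:\\Temp\\upd.exe /sc once",
    "EventID=4688 Host=WS05 User=CORP\\admin Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine=wmic /node:FS03 process call create C:\\Temp\\upd.exe",
    "EventID=4688 Host=WS05 User=CORP\\jdoe Image=C:\\Windows\\System32\\winrs.exe CommandLine=winrs -r:FS03 cmd.exe",
]

def parse_event(line):
    """Split a flattened record into a dict; CommandLine keeps the rest of the line."""
    head, _, cmd = line.partition(" CommandLine=")
    fields = dict(tok.partition("=")[::2] for tok in head.split())
    fields["cmd"] = cmd.lower()
    fields["image"] = ntpath.basename(fields.get("Image", "")).lower()
    return fields

# Each rule: (technique label from steps 2/3 of the slide, predicate on a parsed event).
# The predicates look for the remote-target syntax of each tool, not just the tool name.
RULES = [
    ("PsExec service install (PSEXESVC)",
     lambda e: e.get("EventID") == "7045"
               and "psexesvc" in (e.get("ServiceName", "") + e.get("ImagePath", "")).lower()),
    ("Remote service creation (sc.exe)",
     lambda e: e["image"] == "sc.exe" and "\\\\" in e["cmd"] and " create " in e["cmd"]),
    ("Remote scheduled task (schtasks.exe)",
     lambda e: e["image"] == "schtasks.exe" and "/create" in e["cmd"] and " /s " in e["cmd"]),
    ("Remote process start (WMIC)",
     lambda e: e["image"] == "wmic.exe" and "/node:" in e["cmd"] and "process call create" in e["cmd"]),
    ("Remote shell (winrs.exe)",
     lambda e: e["image"] == "winrs.exe" and "-r:" in e["cmd"]),
]

def triage(lines):
    """Return (host, technique) for every record matching a lateral-movement rule."""
    findings = []
    for line in lines:
        event = parse_event(line)
        for label, match in RULES:
            if match(event):
                findings.append((event.get("Host", "?"), label))
    return findings

if __name__ == "__main__":
    for host, label in triage(SAMPLE_EVENTS):
        print(f"{host}: {label}")
```

A real deployment would feed Security 4688/7045 or Sysmon process-creation records into parse_event instead of the constructed list.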
Incident Response Process (flowchart)
Preparation – Planning, Testing & Training, Technology, People, Process; decision: deploy? (Yes/No)
Detection & Analysis
  DETECT: SIEM Alert – Hosts, Servers, Security/Network Devices, Applications – Threat Intel (TIP)
  ANALYSIS: Review Tool/Logs, Pcaps, RE – Malware Sample, External Research
Decision: Contained? (Yes/No)
Resolved – Forensics, Threat Removal/Clean Up; decision: Recovery? (Yes/No)
Reporting and Lessons Learned
Security Considerations for Remote Workers
• Pre-emptive controls
• Self-defense (Self-Protect)
Visibility
Visibility is Not Enough
• Responsible patching window – 2-6 weeks
• Preemptive compensating controls
Prevention is Necessary But Not 100%
Top Priority – Boost Malware Protection Maturity
• 25-30% of Enterprises have already adopted EDR
• 31% are interested in deploying EDR technology in the future
• 197 days – average time to discover data breaches
• 62% of breaches can be identified within 24 hours
Need for Automation, Real Time Response
FortiEDR Blocks Malicious Actions in real time
Manual SOC/IR process (continuous security monitoring across the environment and endpoints), manual effort per step:
• DETECT – 15 min
• ENRICH – 5 min
• VALIDATE – 10 min
• ESCALATE – 10 min
• BLOCK / SEARCH / REMEDIATE – 1 hour
1st Generation EDR Challenges
• 83% agree that using EDR demands advanced security analytics skills
• 78% find EDR more complex than anticipated
FortiEDR – Real-time & Automated
Visibility + Action
Pre-Infection
• Discover: rogue devices & IoT; vulnerabilities; virtual patching
• Prevent: kernel-level; machine learning AV; threat classification
Post-Infection / Post Execution
• Detect: behavioral based; detect memory based attacks; zero dwell time
• Defuse: block malicious actions; prevent data loss
• Respond: playbook automation; forensic data; threat hunting; big data analytics
• Remediate: clean up / roll back; eliminate re-image/rebuild; minimize business disruption
Machine Learning Anti-Malware – Real-Time Prevention
• Machine learning, kernel-based AV (real-time protection)
Detect and Defuse – Stop the Breach in Real-Time
• Behavioral based detection (real-time protection)
Respond and Remediate – Orchestrated Incident Response
• Automated event classification (real-time protection)
Discover and Predict – Attack Surface Reduction
• Rogue and IoT devices (real-time protection)
“Automat-able” Incident Response examples
The Who (attack target) and What (type of incident), e.g. Malicious Incident / C Level, Malicious Incident / HR
Playbook actions by area:
• Reporting – custom message, Syslog, SNMP, ticket tracking
• Device – isolate, isolate related devices
• Network – block IP(s), block related IP(s)
• User – suspend, suspend related users, logout
• Application – suspend related applications
• Remediation – customized; create an exception
Extended Response Beyond the Endpoints
FortiGate
• Automate blocking of malicious destination IP
FortiNAC
• Extended response - move endpoints to remediation VLAN
FortiSandbox
• Threat intelligence sharing
FortiSIEM
• Alerts and Logs
FortiSOAR
• Extended workflow automation
FortiEDR Advanced Endpoint Protection, with Real Time Detection and Response
Benefits
• REAL-TIME and AUTOMATED – self-healing endpoints; post-infection protection, automated remediation
• TIME TO VALUE – eliminate post-breach operational expenses and breach damage to the organization
• MANAGEMENT – single integrative console that inherently eliminates alert clutter