
Achieving Endpoint Resilience

Tsailing Merrem
Anthony Giandomenico

Anthony Giandomenico, Practice Director, Digital Forensics and Incident Response
Tsailing Merrem, Director of Product Marketing, Endpoint Security
Security Implications of Global Pandemic
CSO Pandemic Impact Survey

Work From Home at Scale: Three months ago, 16.5% of employees worked from home at least 60% of the time. As of March 23rd, that number climbed to 78%.

More Attacks: About one-quarter (26%) of organizations have seen an increase in the volume, severity, and/or scope of cyber-attacks since March 12th.

The New Normal: 73% of security executives believe that the impact of this pandemic will alter the way their business evaluates risk for at least the next five years.

Source: IDG CSO pandemic impact survey, 2020. https://www.idg.com/tools-for-marketers/cso-pandemic-impact-survey-2/
Working from Home Security Challenges

• Phishing: COVID-related phishing (600%)
• Malicious games
• Remote Desktop
• Password reuse
• Credential theft / account takeover
Pain Points

• Advanced Threats: 3% of endpoints are compromised
• Complex Tools & Manual Process: average enterprise – 10K alerts per day
• Lack of Trained People: 3 million cyber skill gap

Further complicated by remote work at scale
Problems that Keep CISOs Awake at Night

• Lack of Visibility: 63% of companies cannot monitor off-network endpoints; over half can’t determine endpoint compliance status
• Breach Anxiety: accelerating threat landscape, ransomware, business disruption
• Skill Shortage: alert fatigue, analyst burnout

Notes/Sources:
Gartner: Forecast: Internet of Things — Endpoints and Associated Services, Worldwide, 2017
Threat Landscape
Updates from the Trenches
FortiGuard Responder Services

Incident response phases: Preparation; Detection & Response; Containment, Remediation & Recovery; Post-Incident Activity

• Managed Detection and Response
• 24/7 Threat Monitoring (FortiEDR)
• Incident Response Service
• Assist Customer through a Security Incident
One–Two Punch

Targeted Ransomware Attacks: Data Exfiltration, then Drop Destructive Payload
Ransomware Targeted Attacks
Tactics, Techniques, Procedures

1. Initial Access – RDP or Phishing (backdoors); RDP-DMZ
2. OS Credential Dumping – LSASS Memory (CREDS!)

(Diagram: User Workstations, Domain Controllers)
OS Credential Access

Credential Attacks – stealing hashes, tokens, cached creds, tickets

• Hash Attacks: LM and NT hashes (NTLM) – LSASS and SAM hive; crack or pass the hash
• Token Attacks: delegate tokens for SSO (token = context and privileges; servers are a good target)
• Cache Attacks: cached domain credentials – 10 or 25 (Mscash2 format and salted = no pass the hash)
• LSA Secrets Attack: service account, app passwords and auto-login credentials
• Ticket Attacks: Kerberos ticket authentication (TGT for auth – Golden Tickets – Skeleton Key)
• NTDS (Shadow Copy): NTDS.DIT – all NTLM hashes for all domain users

Open Source Tools: Metasploit, Mimikatz, fgdump, gsecdump, SMBshell, PWDumpX, creddump, WCE, PowerShell, cachedump, kerberoast
Ransomware Targeted Attacks
Tactics, Techniques, Procedures

1. Initial Access – RDP or Phishing (backdoors – Cobalt Strike); RDP-DMZ
2. OS Credential Dumping – LSASS Memory (CREDS!)
3. Lateral Movement – Lateral Tool Transfer – PSEXEC (enum and spreading malware/backdoors)
4. Defensive Evasion – Impair Defenses – uninstall MS Defender, run malware, reinstall

(Diagram: User Workstations, Domain Controllers)
LATERAL MOVEMENT

1. GAIN ACCESS & AUTHORITY
§ Credential Attacks
§ Brute Force, Account Creation
§ Pass the Hash, Token Stealing, Cached Creds, Ticket Stealing (Golden & Silver Ticket, Pass the Ticket, etc.)

2. COPY MALWARE TO SYSTEMS
§ Remote Desktop / VNC
§ PsExec
§ Windows Admin Shares

3. EXECUTE MALWARE ON SYSTEMS
§ PowerShell/WMIC
§ PSEXEC/PSEXESVC
§ Sc.exe/Schtasks.exe/At.exe/Winrs.exe
§ Exploitation of Vulnerabilities (EternalBlue)
Ransomware Targeted Attacks
Tactics, Techniques, Procedures

1. Initial Access – RDP or Phishing (backdoors – Cobalt Strike); RDP-DMZ
2. OS Credential Dumping – LSASS Memory (CREDS!)
3. Lateral Movement – Lateral Tool Transfer – PSEXEC (enum and spreading malware/backdoors)
4. Defensive Evasion – Impair Defenses – uninstall MS Defender, run malware, reinstall
5. Exfiltration of Data or any other Objective (volume shadow copies are stopped and possibly backups)
6. Delivery of Ransomware via Group Policy Modification and Boot or Logon Initialization Scripts

(Diagram: User Workstations, Domain Controllers; Data Exfiltration)
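Detection logic for the chain on the slides above (the LSASS dumping, PsExec lateral tool transfer, Defender uninstall and shadow-copy steps), added here as an example; it is not code from the slides or from FortiEDR, and the event fields, host names and matching rules are constructed assumptions. It alerts only when several stages are first seen on one host in the slide's order, so a lone admin PsExec run does not fire.

```python
"""Correlate process-creation events against the ransomware chain on the slide (stages 2-5).
Added example, not code from the slides or FortiEDR; records are constructed to resemble
Sysmon event 1 / Security 4688 fields (ts, host, image, cmdline)."""
from collections import defaultdict

STAGES = [  # (slide stage, predicate over lowercased image path and command line)
    (2, lambda img, cmd: img.endswith("mimikatz.exe")),                                  # credential dumping, LSASS
    (3, lambda img, cmd: img.endswith(("psexec.exe", "psexesvc.exe"))),                  # lateral tool transfer
    (4, lambda img, cmd: "uninstall-windowsfeature" in cmd and "windows-defender" in cmd),  # impair defenses
    (5, lambda img, cmd: img.endswith("vssadmin.exe") and "delete shadows" in cmd),      # shadow copies stopped
]

def match_stage(event):
    """First slide stage whose predicate matches this event, or None."""
    img, cmd = event["image"].lower(), event["cmdline"].lower()
    return next((stage for stage, pred in STAGES if pred(img, cmd)), None)

def correlate(events):
    """host -> chronological list of (ts, stage) for events that hit a rule."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = match_stage(ev)
        if stage is not None:
            hits[ev["host"]].append((ev["ts"], stage))
    return dict(hits)

def chain_alerts(events, min_stages=3):
    """Hosts where >= min_stages distinct stages were first seen in slide order; a lone
    PsExec service (normal admin activity) never alerts, the ordered chain does."""
    alerts = {}
    for host, hit_list in correlate(events).items():
        first_seen = {}
        for ts, stage in hit_list:
            first_seen.setdefault(stage, ts)
        chain = sorted(first_seen.items())  # ascending by stage number
        times = [ts for _, ts in chain]
        if len(chain) >= min_stages and times == sorted(times):
            alerts[host] = [stage for stage, _ in chain]
    return alerts

# Constructed telemetry: WS-17 runs the full chain; DC-01 and ADMIN-02 only show a PsExec service.
SAMPLE_EVENTS = [
    {"ts": "2020-04-01T02:10:00", "host": "WS-17", "image": r"C:\Users\Public\mimikatz.exe", "cmdline": "mimikatz.exe"},
    {"ts": "2020-04-01T02:14:30", "host": "DC-01", "image": r"C:\Windows\PSEXESVC.exe", "cmdline": "PSEXESVC.exe"},
    {"ts": "2020-04-01T02:15:10", "host": "WS-17", "image": r"C:\Tools\PsExec.exe", "cmdline": "PsExec.exe"},
    {"ts": "2020-04-01T02:20:00", "host": "WS-17", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Uninstall-WindowsFeature Windows-Defender"},
    {"ts": "2020-04-01T02:25:00", "host": "WS-17", "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin delete shadows"},
    {"ts": "2020-04-01T09:00:00", "host": "ADMIN-02", "image": r"C:\Tools\PsExec.exe", "cmdline": "PsExec.exe"},
]
```

Calling `chain_alerts(SAMPLE_EVENTS)` returns `{'WS-17': [2, 3, 4, 5]}`; lowering `min_stages` to 1 would also surface the single PsExec hits on DC-01 and ADMIN-02.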
Incident Response Process

Preparation: Planning, Testing & Training, Deploy Technology – Process? People? (No: back to Preparation; Yes: proceed)

Detection & Analysis
• DETECT: SIEM Alert – Hosts, Servers, Security/Network Devices, Applications – Threat Intel (TIP)
• ANALYSIS: Review Tool/Logs, Pcaps, RE – Malware Sample, External Research
• Automated Analysis and Response (hours) or Human Expertise

Response – Threat?
• Low / Medium: Initial Actions – Additional Analysis or Monitoring Threat (Honeypots / Vulnerability Scans)
• High: Containment Actions – Isolation of Perimeter, Host, Server, Access Layer – Contained?

Recover – Resolved? Forensics, Threat Removal/Clean Up, Reporting and Lessons Learned… Recovery?
Security Considerations for Remote Workers

Endpoint Resilience: Visibility; Pre-emptive controls (Self-Protect); Self-defense; Self-healing
Visibility

Mission Criticality: identifying and monitoring mission critical processes; consequence based
Cyber Assets: operating system, applications/data, services/processes, vulnerabilities
Visibility is Not Enough

• Responsible patching window – 2-6 weeks
• Average time for working exploits – 7 days
• Preemptive compensation controls
Prevention is Necessary But Not 100%

Know Your Environment · Reduce Attack Surface · Security Hygiene · Malware Prevention

5-10% of ransomware bypasses file-based malware prevention
Top Priority – Boost Malware Protection Maturity
• 25-30% of Enterprises have already adopted EDR
• 31% are interested in deploying EDR technology in the future
• 14% are currently engaged in an ongoing project to deploy EDR technology
• Strong preference in integrated endpoint security solution with prevention, detection and response

Source: The Enterprise Strategy Group 2020
197 days – Average time to discover data breaches
69 days – Average time to contain breaches once discovered
Source: Ponemon Institute (on behalf of IBM), 2019

62% of breaches can be identified in 24 hours
Source: SANS Institute
Need for Automation, Real Time Response
FortiEDR Blocks Malicious Actions in real time

Process stages: Detect → Enrich → Validate → Escalate → Block → Search Environment → Remediate Endpoints → Continuous Security Monitoring

1st Gen EDR: 1-120 minutes, 10 min, 15 min, 5 min, 10 min, 10 min, 1 hour (SOC/IR manual effort across the stages)

FortiEDR: Detect and Defuse + Continuous Validation and Full Remediation – playbook based, optional MDR service
1st Generation EDR Challenges

• 83% agree that using EDR demands advanced security analytics skill
• 78%: EDR more complex than anticipated
FortiEDR – Real-time & Automated
Visibility + Action

Pre-Infection
• Discover & Predict – proactive risk mitigation: discover rogue devices & IoT; vulnerabilities; virtual patching
• Prevent – pre-execution protection: kernel-level machine learning AV; threat classification

Post-Infection / Post Execution
• Detect – file-less and advanced threats: behavioral based; detect memory based attacks
• Defuse – stop breach and ransomware infection: block malicious actions; prevent data loss; zero dwell time
• Respond & Investigate – full attack visibility: playbook automation; forensic data; threat hunting; big data analytics
• Remediate & Roll back – automated disinfection: clean up / roll back; eliminate re-image/rebuild; minimize business disruption

Automation | Cloud . Hybrid . Air-gap deployment | OS coverage
Discover and Predict
Attack Surface Reduction
• Rogue and IoT devices
• Applications, vulnerabilities & rating
• Risk-based proactive policies, virtual patching

(Diagram: Prevent – real-time protection; Discover & Predict – proactive risk management; Detect & Defuse – no alert fatigue, no dwell time; Respond & Remediate – customized disinfection; cloud, on-premises or hybrid management; lightweight agent)
Machine Learning Anti-Malware
Real-Time Prevention
• Machine learning, kernel-based AV
• Feeds from a continuously updated cloud database
• Real-time automated prevention of ransomware encryption
Detect and Defuse
Stop the Breach in Real-Time
• Behavioral based detection
• Block malicious actions
• Stop data exfiltration, lateral movement, C&C
• Deny access to file systems – prevent ransomware encryption, registry tampering
Respond and Remediate
Orchestrated Incident Response
• Automated event classification
• Customizable playbooks based on device group and threat classification
• Automated response and remediation
• Notify users, terminate process, isolate device
• Remove files, roll back malicious changes, clean up persistency
• Investigation and threat hunt
“Automat-able” Incident Response examples
The Who (attack target) and What (type of incident)

• Malicious Incident / C Level → Reporting: custom Syslog message, custom SNMP message, ticket track
• Inconclusive Incident / C Level → Mitigations and Control: isolate device, isolate network, block related IP(s), suspend related user, suspend related application, roam logout, create an exception
• Malicious Incident / HR → Remediation: rollback persistency, remove file, terminate process; Customized: direct REST API connect, scripts
Extended Response Beyond the Endpoints
FortiGate
• Automate blocking of malicious destination IP

FortiNAC
• Extended response - move endpoints to remediation VLAN

FortiSandbox
• Threat intelligence sharing

FortiSIEM
• Alerts and Logs

FortiSOAR
• Extended workflow automation

FortiEDR Advanced Endpoint Protection, with Real Time Detection and Response
Benefits

REAL-TIME and AUTOMATED
Self-healing endpoints
Post-infection protection, automated remediation

TIME TO VALUE
Eliminate post breach operational expenses and breach damage to the organization

MANAGEMENT
Single integrative console that inherently eliminates alert clutter

FLEXIBILITY & SCALE
Support Windows, Mac and Linux, including Legacy XP, 2003
Native Cloud, Hybrid, Air-Gap/on-premise deployment