
Deep Discovery Inspector (DDI)





© 2020 Trend Micro Inc


The six stages of a targeted attack (lifecycle diagram, flattened here: the threat agent drives stages 1 to 6 against the target network, using the C&C server and external servers on the outside and reaching the file store and database on the inside):

1 Intelligence Gathering
• Identify & research target
• Use LinkedIn, Facebook, Twitter, etc.

2 Point of Entry
• Zero-day malware
• Delivered via social engineering (email, document or drive-by download)

3 Command & Control (C&C) Communication
• Remainder of malware downloads
• Attacker provides instructions to malware

4 Lateral Movement
• Attacker compromises additional machines
• Harvests credentials, escalates privilege levels

5 Asset/Data Discovery
• Identify the noteworthy servers and the services that house the data of interest

6 Data Exfiltration
• Data is funneled to an internal staging server
• Data is chunked, compressed and encrypted
• Data is communicated externally



[Figure: DDI deployment. DDI receives a copy of network traffic through a network tap or a switch SPAN port, from the switches serving user PCs and the file/application server. North-south traffic (through the proxy/MTA to the Internet) carries Point of Entry, Command & Control and Data Exfiltration; east-west traffic between internal nodes carries Lateral Movement and Data and Asset Discovery. DDI inspects 100+ network protocols.]


[Figure: DDI detection engines. Raw mirrored network traffic enters on the NIC and passes through the Network Content Inspection Engine (driven by patterns and rules) and the Event Classification Engine (LogX). Detections are then enriched by the Network Content Correlation Engine, the Advanced Threat Scan Engine (detection names HEUR_ and EXPL_), the Virtual Analyzer (detection names VA_) and the Cloud Sandbox, plus the reputation services: Predictive Machine Learning, File and Web Reputation, Domain Census, Mobile Application Reputation and Inspection (OSX/Android), Certified Safe Software and Retro Scan.]

[Figure: sample detection counts by category (Heuristics, Downloader, Sandboxed, Trojan, Ransomware, Spyware, Backdoor, Exploiter); most categories show 0 to 2 detections, Exploiter 81 times.]



Making sense out of the detections and connecting the dots


Attack Order 1 2 3 4 5 vs Investigation Order 5 3 4 2 1

1 Intelligence Gathering: Evil Outside, aka the Internet
2 Point of Entry: the crossing into My Trusted Network
3 Command and Control
4 Lateral Movement
5 Data Exfiltration

The attacker works through the stages 1 to 5; the investigator works them in the order 5, 3, 4, 2, 1.

It is in general safe to start the investigation from the Command and Control detections,
but check first if there are any Data Exfiltration detections!
Data Exfiltration

The last stage of the attack you want to see, but if it happens it is
good to see it ASAP!

Detected by the Network Content Inspection Engine.

Detects data exfiltration over many protocols, e.g. TCP, ICMP, UDP, HTTP,
DNS, FTP, etc.

Actions:
• Check that the data exfiltration rules are enabled under:
Administration -> Monitoring / Scanning -> Detection Rules
• Some important rule IDs: 611, 1861, 1885, 1886, 2563 – 2567, 2584,
4233
• Optionally enable packet capture
Data Exfiltration

Where to look for data exfiltration detections?

1. Affected Hosts under Detections menu

2. All Detections under Detections menu

When data exfiltration is detected

1. Triage the incident – check with the business users whether this is a
normal process
2. Download the exfiltrated file and do a risk assessment of the lost data
3. Take the destination address and look up which process on the
compromised internal system (listed as the source in the detection) opened the connection
4. Optionally use an EDR solution for a retrospective search, if available
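Step 3 in practice, as an added example that is not part of the DDI training deck or of Trend Micro's tooling: the investigator takes the destination address from the detection and a `netstat -ano` capture from the Windows user PC DDI listed as the source (the Windows host is an assumption; the deck does not say what the source runs), and maps the connection back to a PID. The netstat text below is constructed sample data, and the helper names are this example's own.

```python
"""Find the process behind a DDI Data Exfiltration detection.

Added example; not part of the DDI deck or of Trend Micro's tooling. It
assumes a `netstat -ano` capture from the Windows host that DDI listed as
the detection's source, and the destination address from the detection.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed `netstat -ano` output from the source host (not real data).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.1.20.15:49812       203.0.113.45:443       ESTABLISHED     4212
  TCP    10.1.20.15:49813       10.1.5.10:445          ESTABLISHED     4
  TCP    10.1.20.15:49901       203.0.113.45:8443      ESTABLISHED     4212
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  UDP    10.1.20.15:53211       *:*                                    4212
  TCP    [fe80::1%4]:49920      [2001:db8::10]:443     ESTABLISHED     7788
"""

# One netstat row: proto, local, foreign, optional state (UDP has none), PID.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


@dataclass(frozen=True)
class Conn:
    proto: str
    remote_ip: str
    remote_port: Optional[int]
    state: str
    pid: int


def split_endpoint(endpoint: str):
    """Split 'ip:port' or '[ipv6%zone]:port' into (ip, port); a '*' port becomes None."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop brackets and the IPv6 zone id
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # header, blank lines, anything unexpected
            continue
        ip, port = split_endpoint(m["remote"])
        conns.append(Conn(m["proto"], ip, port, m["state"] or "", int(m["pid"])))
    return conns


def pids_talking_to(text: str, destination: str) -> Dict[int, List[Conn]]:
    """PIDs on the host holding a socket to the destination DDI reported.
    Compared as parsed addresses, so IPv4 and bracketed IPv6 both work."""
    target = ipaddress.ip_address(destination)
    hits: Dict[int, List[Conn]] = {}
    for conn in parse_netstat(text):
        try:
            if ipaddress.ip_address(conn.remote_ip) == target:
                hits.setdefault(conn.pid, []).append(conn)
        except ValueError:
            continue  # '*' or another non-address foreign endpoint
    return hits


if __name__ == "__main__":
    # Destination taken from the DDI detection. On the host,
    # `tasklist /FI "PID eq <pid>"` then names the image behind each PID.
    for pid, conns in pids_talking_to(NETSTAT_SAMPLE, "203.0.113.45").items():
        ports = sorted(c.remote_port for c in conns if c.remote_port is not None)
        print(f"PID {pid}: {len(conns)} connection(s) to 203.0.113.45, ports {ports}")
```

In the sample the SMB session to 10.1.5.10:445 belongs to PID 4 (the Windows System process), which is the normal owner of SMB client sockets; the two sessions to the exfiltration destination belong to one user-mode process, which is the one to pull with the EDR or a memory capture before the host is rebooted.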
Command and Control

C&C detections are sourced from:
• Trend Micro Smart Protection Network
• Virtual Analyzer (sandbox) of DDI
• Network Content Inspection Rules of DDI
• DDI admin user-defined addresses
• 3rd-party threat intelligence (feed)


Command and Control

Where to look for command and control detections?

1. Threats at a Glance widget on the Dashboard

2. Affected Hosts under Detections menu

3. All Detections under Detections menu

Where to look for collected C&C addresses?

1. In C&C Callback Addresses under Detections menu



Lateral Movement

Any malicious activity happening between nodes of the trusted networks:

• Network and port scans
• Vulnerability attacks against peer systems
• Brute-force login attacks
• Propagation of hacking tools
• Etc.

What payloads / tools can be used in Lateral Movement?

• Exploits
• Malware – backdoors, data stealers, ransomware, etc.
• Normal admin tools – netcat, psexec, tiny web servers, etc.


Lateral Movement

Where to look for lateral movement detections?

1. Threats at a Glance widget on the Dashboard

2. Affected Hosts under Detections menu

3. All Detections under Detections menu



Point of Entry

Any detected event which involves an internal and an external IP
address and constitutes the initial infection phase.
For example:
• An internal machine initiated a connection to an external IP address and
fetched a malicious or suspicious file/payload
• An internal machine initiated a connection to an external IP address
which is classified as a Disease Vector by Trend Micro reputation
• An external IP address initiated a connection to an internal machine
and it is classified as a Disease Vector or BOT by Trend Micro
reputation
• An external IP address initiated a connection to an internal machine
and sent over a malicious payload/exploit
• Etc.


Point of Entry

Where to look for point of entry detections?

1. Affected Hosts under Detections menu

2. All Detections under Detections menu

Expect a lot of Point of Entry detections.


Make sure you always connect the dots by observing point
of entry events in combination with other attack phases
such as C&C and Lateral Movement



Threat Connect is a contextual interface to the Trend Micro Threat
Intelligence data.
Each DDI Detection Name is a link to Threat Connect.
Very useful for reputation detections.


Use the advanced search function on the All Detections screen.
It helps to create complex search queries combining different
search criteria in one logical chain.

For example:
1. Find hosts which have C&C detections
2. And also have point of entry
3. And payload was malicious
4. And had sandbox detections
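The same connecting of dots done outside the console, as an added example that is not DDI's own search or correlation code and not Trend Micro's: it sorts a host's detections into the deck's investigation order (Data Exfiltration first, then C&C, Lateral Movement, Point of Entry) and runs the four-criteria query above over them. The detection records, their field names (ts, src, dst, name, tags), the trusted address ranges and the tag values are all constructed and assumed for the illustration; a real DDI export carries different fields. What is taken from the deck is the phase definitions (trusted nodes talking to each other is Lateral Movement; internal-external traffic with a malicious payload or Disease Vector / BOT reputation is Point of Entry) and the VA_ prefix on Virtual Analyzer detection names.

```python
"""Connect the dots across DDI detections by attack phase.

Added example; not DDI's own search or correlation code. Records, field
names, tag values and trusted ranges are constructed assumptions.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed "My Trusted Network" address space for this example.
TRUSTED = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Investigation order from the deck (lower = pick up first).
INVESTIGATION_ORDER = {
    "Data Exfiltration": 1,
    "Command and Control": 2,
    "Lateral Movement": 3,
    "Point of Entry": 4,
}

# Constructed detections (not real DDI output). Tags stand in for the
# rule / reputation context DDI attaches to a detection.
DETECTIONS = [
    {"ts": 1, "src": "10.1.20.15", "dst": "198.51.100.7", "name": "EXPL_SAMPLE",
     "tags": {"malicious_payload"}},
    {"ts": 2, "src": "10.1.20.15", "dst": "198.51.100.7", "name": "VA_SAMPLE",
     "tags": {"malicious_payload"}},
    {"ts": 3, "src": "10.1.20.15", "dst": "203.0.113.45", "name": "CNC_SAMPLE",
     "tags": {"cnc_address"}},
    {"ts": 4, "src": "10.1.20.15", "dst": "10.1.5.10", "name": "BRUTEFORCE_SAMPLE",
     "tags": {"brute_force"}},
    {"ts": 5, "src": "10.1.20.15", "dst": "203.0.113.45", "name": "EXFIL_SAMPLE",
     "tags": {"exfil_rule"}},
    {"ts": 6, "src": "192.168.3.3", "dst": "198.51.100.7", "name": "WRS_SAMPLE",
     "tags": {"disease_vector"}},
    {"ts": 7, "src": "203.0.113.99", "dst": "192.168.3.4", "name": "BOT_SAMPLE",
     "tags": {"bot"}},
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED)


def classify(d: dict) -> str:
    """Assign a detection to an attack phase from its direction plus context."""
    src_in, dst_in = is_internal(d["src"]), is_internal(d["dst"])
    tags = d.get("tags", set())
    if src_in and dst_in:
        return "Lateral Movement"       # anything malicious between trusted nodes
    if src_in and not dst_in:
        if "exfil_rule" in tags:
            return "Data Exfiltration"
        if "cnc_address" in tags:
            return "Command and Control"
        if tags & {"malicious_payload", "disease_vector"}:
            return "Point of Entry"     # internal host fetched the payload
    if dst_in and not src_in and tags & {"disease_vector", "bot", "malicious_payload", "exploit"}:
        return "Point of Entry"         # external source pushed it in
    return "Unclassified"


def internal_host(d: dict) -> str:
    return d["src"] if is_internal(d["src"]) else d["dst"]


def host_timeline(detections: List[dict]) -> Dict[str, List[Tuple[str, dict]]]:
    """Per internal host, its detections in the order an analyst should read them."""
    by_host = defaultdict(list)
    for d in detections:
        by_host[internal_host(d)].append((classify(d), d))
    for items in by_host.values():
        items.sort(key=lambda p: (INVESTIGATION_ORDER.get(p[0], 9), p[1]["ts"]))
    return dict(by_host)


def advanced_search(detections: List[dict]) -> List[str]:
    """The deck's query: hosts with a C&C detection, and a Point of Entry
    detection, and a malicious payload, and a sandbox (VA_) detection."""
    hosts = []
    for host, items in host_timeline(detections).items():
        phases = {phase for phase, _ in items}
        malicious = any("malicious_payload" in d["tags"] for _, d in items)
        sandboxed = any(d["name"].startswith("VA_") for _, d in items)
        if {"Command and Control", "Point of Entry"} <= phases and malicious and sandboxed:
            hosts.append(host)
    return sorted(hosts)


if __name__ == "__main__":
    for host, items in host_timeline(DETECTIONS).items():
        print(host, [phase for phase, _ in items])
    print("advanced search hits:", advanced_search(DETECTIONS))
```

Two of the three hosts in the sample have only a Point of Entry detection, which is the noise the deck warns about; the query keeps only the host where the C&C callback, the malicious download and the sandbox verdict line up.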



Helps to save time for security admins

Highlights important detections
