
Thank you all for joining. Super excited to be talking with you all today. I'm going to go ahead and take you through a presentation specifically surrounding ransomware and different real-life detection opportunities that we can leverage in our own environments to uncover ransomware. I'll be using a real-world example of something that we over here at Red Canary discovered in one of our customers' environments, and then we'll go ahead and talk about some tips and tricks that we can leverage not only to detect ransomware but hopefully prevent it from entering our environment in the first place. So please drop any questions you have in the chat and we'll go ahead and get to those at the end.
So my name is Cara Seeley. I am a customer solutions engineer here at Red Canary. I am based out of Boston, Massachusetts, and a fun fact about me is that I am a NASM-certified personal trainer. So what do I do as a customer solutions engineer here at Red Canary? I work with all of our future customers and help them learn a little bit more about what it is that we do, answer all their questions, and sometimes we go ahead and actually deploy Red Canary in their environment to get a hands-on feel for what it is that we do.

So, our table of contents today: we're going to level set first by talking about what MITRE ATT&CK is, for those of you who may not have heard of it before. We are aligned heavily to it over here and it's really our common language, so we'll go ahead and level set on all of that before we then move into how Red Canary is leveraging MITRE ATT&CK in our own detections. And then we'll go ahead into that real-world ransomware outbreak that I was speaking to earlier and give you all an idea of, you know, what ransomware really looks like when it's beginning to infiltrate the environment, and how we can detect it earlier on than when it's, say, encrypting files or exfiltrating information; we want to make sure we're catching it sooner. And then we'll go through those practical tips and tricks to make sure that we're helping protect you from these threats as well.
So let's go ahead and first level set on what MITRE ATT&CK is, if you've not heard of MITRE ATT&CK before. It's a globally accessible knowledge base of different adversary tactics and techniques, and it's based on real-world observations. So simply put, it's a collection of tools, techniques and processes that are leveraged by adversaries to perform malicious activities. It's informed by threat intel and real-world data.

So why is MITRE ATT&CK important, not only to Red Canary but just to folks in general? The first component is documentation. Actually documenting those tactics, techniques and procedures used by the adversaries is vital for us to understand how we can better protect ourselves from them. It also helps us to understand the goals of the adversaries: tactics represent the why, or the goal that the adversary is trying to achieve in that part of the attack. So for example, the persistence tactic represents techniques and sub-techniques that would be leveraged to keep access to systems across restarts, changed credentials and other interruptions. It also helps us understand how adversaries are achieving their goals: techniques represent the actual actions that are being used by the adversaries to accomplish that part of their mission. Using that persistence one again, an example of a persistence technique could include any access, action or configuration change that lets the adversary maintain their foothold on a system, and these could be things like replacing or hijacking legitimate code or even adding startup code. And then lastly, it helps us understand the specific implementations that adversaries use for a technique: procedures are the behaviors performed and executed by the attacker in each step of that attack. So an example of that could be, you know, malicious code being injected into a PDF file, or a link to a cloud-based drive to drop a threat onto an endpoint.
And here's just another example to bring that to life a bit more. This is an example of a tactic defined as lateral movement, and then the following attacks that could be possible once lateral movement is achieved. So lateral movement consists of techniques that an adversary would leverage to control remote systems on a network, and reaching their objective would often involve pivoting through multiple systems and accounts in order to gain elevated permissions. So they might do things like install remote access tools to accomplish that, or even leverage legitimate credentials with native networking and operating system tools, which might in fact be stealthier.

So now that we've level set on MITRE ATT&CK, we'll go ahead and transition into how Red Canary specifically leverages it. MITRE ATT&CK by the numbers: there are, at the time, 156 techniques, 272 sub-techniques and 59 data sources in the MITRE ATT&CK matrix. So it's very overwhelming, and with that immense number of techniques and different ways to detect those techniques, it can be a very daunting task to take on to create detection opportunities for each and every single one. Some of those might require deeper detection coverage than others; some aren't feasible for detection at all. So really what I'm saying is that you probably don't want to just develop the ability to detect each and every technique in the matrix and call it a day. Something like credential dumping, for example, might deserve 50 different methods of detection, or something like domain trust discovery might only need one method.

And so how do we actually leverage this? The first thing is that a common language is essential for us when we're communicating with the different security teams that we partner with. When we are leveraging behavioral analytics to hunt for adversary behavior or confirm threatening activity in your environment, it's important to us that you quickly understand what it is that we're communicating. So we found that the MITRE ATT&CK taxonomy of behavioral techniques best fit our philosophy, so we exclusively use ATT&CK at Red Canary. Here are a couple of things that we do: every single detection analytic that we leverage is mapped to one or more ATT&CK techniques that that analytic identifies. We also produce a coverage heat map, which allows our customers to understand the total coverage that we contribute to your security program. And then any sort of potentially threatening activity or confirmed threats published following that investigation will show the set of ATT&CK techniques compiled from the underlying events, so that you have an idea of what it is that the adversary was leveraging in that attack.

And then here's just a little bit about our detection methodology at Red Canary. Red Canary's threat detection engine is comprised of thousands of detectors at any given time, and it's continuously updated and refined as we learn more about the latest threats that are impacting our customers. And Red Canary's detectors are not, you know, just looking for threats; our detectors are really aimed at identifying interesting events, and we want that to generate events for our analysts to review and have them ultimately make the determination of whether or not that event is malicious. So we would rather investigate more benign events than potentially miss something by being too specific. Our detectors cover a wide array of behaviors and can generate a lot of events for our team to investigate, and we track that conversion from true positive events to true positive malicious or suspicious detections. This enables efficient tuning and helps us identify areas where a behavior is accurate at highlighting a specific action but might not actually produce threats.
So now let's go ahead and take a look at a real-world example. In this example we're going to go ahead and look at a scenario where a healthcare customer of ours was probably just moments away from a full-blown ransomware outbreak. We'll walk through 10 different detection opportunities that we leveraged to uncover that behavior and stop it in its tracks. And just for a little bit of background on how this threat was initially able to gain access into the environment: it was through a spear-phishing email that contained a PDF attachment, and once one of their end users opened that PDF, it reached out to Google Drive and downloaded an executable file that's known as Bazar.
And so we're going to go ahead and run through each of these 10 detection opportunities. They were identified within a roughly 50-minute time frame, and like I said, it's likely that this customer was very close to a full-blown ransomware attack. We here at Red Canary have been tracking ransomware for many years, and we have many analytics in our threat detection engine that are aimed at uncovering these ransomware tactics, techniques and procedures. So we'll go ahead and walk through these; feel free to jot down notes. These are practical examples that you can leverage to go ahead and detect these specific behaviors, but we also do have a more detailed blog post that we can share out as well if you'd like to take your time reading through each of those. We'll go through each of these detection opportunities at a high level now.

So our first detection opportunity is categorized within privilege escalation, which is when an adversary tries to obtain higher-level permissions on a system or network. Here specifically the adversary is leveraging a technique called process injection, which is a way to disguise themselves as a legitimate process, and this type of behavior can be particularly difficult to detect because the attacker is hiding within trusted tools, such as cmd.exe in this case. We were able to detect this behavior by looking for instances of command prompt making network connections and executing without any command-line parameters. Now, Red Canary understands this type of adversary behavior and we've built associated detectors to identify the manifestation of Bazar. So if you wanted to refine this even further, you could look for the hollowed cmd.exe spawning a child process; typical child processes associated with Bazar would include svchost, explorer, net.exe and nltest.exe, and those lead us into our second detection opportunity.

So from there we observed several reconnaissance commands. Specifically, we observed the adversary leveraging nltest.exe to make domain trust determinations. nltest usually cannot be disabled, but we were able to identify this behavior by looking for instances of it executing with a command line that included certain parameters; those are included in the blog post as well. And we found this to be a very high-fidelity analytic for us when it comes to catching ransomware families. So continuing on in this discovery category, in our detection opportunity 3 of 10 we saw the adversary here attempting to enumerate Windows domain admin accounts. This is a behavior that we commonly associate with ransomware as well, so here we find it useful to look for commands containing net group domain admins.
Next we saw the adversary leveraging additional trusted tools and attempting to continue flying under the radar. We observed explorer.exe spawning svchost, which is not a normal execution pattern; we don't typically see svchost as a child of explorer. Typically the only process that should be spawning svchost is services.exe, so you could look for situations where svchost is the child process of anything other than services.exe to identify that anomalous behavior. Another way that we detected this activity was looking for svchost executing without a command line. When we see svchost executing without a command line, that typically indicates that svchost may have been spawned to host injected code, which is exactly what we saw in this detection opportunity.
Halfway through with our detection opportunities now. In this part of the attack, Cobalt Strike was dropped onto the endpoint and was executed by rundll32. This allowed for the intrusion to spread laterally leveraging WMI, which then eventually spawned PowerShell to run an encoded command, and that encoded PowerShell command here created another Cobalt Strike beacon. So the detection opportunity that we leveraged was looking for encoded PowerShell commands. It's a great way to catch this specific evil as well as other types, but if that's too noisy for you and you do run a lot of encoded PowerShell commands, you could also look for instances when PowerShell is a child process of cmd.exe.
Next, in detection opportunity 6, we saw successful lateral movement with Cobalt Strike's PsExec module. So with this, rundll32 spawned with no command-line arguments and it performed multiple network connections over SMB to other systems. So a detection opportunity here would be seeing rundll32 spawning without arguments; it's very suspicious, so we recommend not only looking out for that behavior but also looking for instances of it making network connections. Another way, related to this, that you could search for this type of activity would be looking within the Windows System event logs, and that would be for event ID 7045. Event ID 7045 records the creation of new Windows services.
In detection opportunity seven out of ten, here we observe the attacker enumerating enterprise administrator accounts. This discovery technique can be used to gain information about the environment and can help adversaries determine which accounts exist in order to aid in their follow-on behavior. So here we recommend looking for the commands that actually list out these accounts, such as net group enterprise admins /domain. Again, these are all listed in our follow-up article, which you guys will have access to.

Detection opportunity 8 comprised many different indications of activity: multiple DLLs being loaded, associated credential operations, and regsvr32 making external comms. Adversaries in many cases may leverage credential materials stored in the process memory of LSASS, which can be harvested by administrator or SYSTEM accounts, and using LSASS credential dumps may allow for, again, potential lateral movement within a device or over a network medium. Some of the signals and behaviors in this detector pointed us to Mimikatz, which is considered the sixth most prevalent threat across industries from our research.
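As an added example (not the talk's or Red Canary's own code), the following Python models detection opportunities 1 and 3 through 7 above as checks over constructed process telemetry; the ProcEvent field names, the sample events and the encoded-flag approximation are assumptions, and it does not cover the event ID 7045 or LSASS signals.

```python
# Added example, not Red Canary's code: toy detectors over constructed Windows
# process telemetry, mirroring detection opportunities 1 and 3-7 from the talk.
from dataclasses import dataclass
import re

@dataclass
class ProcEvent:
    image: str            # process image name, lower-case (e.g. "cmd.exe")
    parent: str           # parent process image name
    cmdline: str          # full command line as recorded ("" = none recorded)
    net_conns: int = 0    # outbound network connections seen for the process

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...);
# this regex approximates that and deliberately does not match -ExecutionPolicy.
ENCODED_FLAG = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?(?=\s|$)", re.IGNORECASE)
# net group "domain admins" / net group "enterprise admins" /domain
ADMIN_GROUP = re.compile(r'group\s+"?(domain|enterprise) admins"?', re.IGNORECASE)

def _args(cmdline: str) -> str:
    """Return the arguments after the image name, or '' if none were recorded."""
    parts = cmdline.strip().split(None, 1)
    return parts[1] if len(parts) > 1 else ""

def detect(ev: ProcEvent) -> list[str]:
    """Return the detection opportunities (from the talk) that this event matches."""
    hits = []
    no_args = _args(ev.cmdline) == ""
    if ev.image == "cmd.exe" and no_args and ev.net_conns > 0:
        hits.append("opp1: cmd.exe making network connections without parameters")
    if ev.image in ("net.exe", "net1.exe") and ADMIN_GROUP.search(ev.cmdline):
        hits.append("opp3/7: admin group enumeration via net group")
    if ev.image == "svchost.exe":
        if ev.parent != "services.exe":
            hits.append("opp4: svchost.exe not spawned by services.exe")
        if no_args:
            hits.append("opp4: svchost.exe executing without a command line")
    if ev.image == "powershell.exe":
        if ENCODED_FLAG.search(ev.cmdline):
            hits.append("opp5: encoded PowerShell command")
        if ev.parent == "cmd.exe":
            hits.append("opp5: powershell.exe spawned by cmd.exe")
    if ev.image == "rundll32.exe" and no_args:
        hits.append("opp6: rundll32.exe launched without arguments")
        if ev.net_conns > 0:
            hits.append("opp6: argument-less rundll32.exe making network connections")
    return hits

# Constructed sample telemetry: a benign baseline plus the talk's patterns.
SAMPLE_EVENTS = [
    ProcEvent("svchost.exe", "services.exe", "svchost.exe -k netsvcs -p"),   # normal
    ProcEvent("cmd.exe", "explorer.exe", "cmd.exe /c dir"),                   # normal
    ProcEvent("cmd.exe", "acrobat.exe", "cmd.exe", net_conns=3),             # opp1
    ProcEvent("net.exe", "cmd.exe", 'net group "domain admins" /domain'),    # opp3
    ProcEvent("svchost.exe", "explorer.exe", "svchost.exe"),                 # opp4 (x2)
    ProcEvent("powershell.exe", "wmiprvse.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgA"),                # opp5
    ProcEvent("rundll32.exe", "cmd.exe", "rundll32.exe", net_conns=12),      # opp6 (x2)
]

def run(events=SAMPLE_EVENTS) -> dict[int, list[str]]:
    """Map event index -> matched opportunities, omitting events with no hits."""
    return {i: h for i, ev in enumerate(events) if (h := detect(ev))}

if __name__ == "__main__":
    for i, hits in run().items():
        print(i, SAMPLE_EVENTS[i].cmdline, "->", hits)
```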
And the next signal we saw was code being injected into regsvr32 via BloodHound. This tool performs a massive amount of reconnaissance on networks that are hosting Windows systems in order to find the privileged accounts to target. So this tool tends to be very noisy in larger networks, and it's easy to spot when it's looking for many SMB connections over port 445. So when working with smaller networks, it's best to tune your detections to what would be considered a normal volume of traffic; our detectors specifically set a threshold to look for behaviors above the normal day-to-day established connections.
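As an added example (not Red Canary's detector), this Python implements the volume-threshold idea just described: count distinct SMB (TCP/445) destinations per source host in a window and alert above a baseline-derived limit with a floor for small networks; the host names, event shape and baseline numbers are constructed.

```python
# Added example, not Red Canary's code: threshold-based detector for the
# "many SMB connections over port 445" signal described for BloodHound-style
# collection. Host names, the event shape and the baseline are constructed.
from collections import defaultdict
import statistics

def distinct_smb_peers(conns):
    """conns: iterable of (src_host, dst_host, dst_port).
    Return {src_host: set of distinct dst_hosts contacted on TCP/445}."""
    peers = defaultdict(set)
    for src, dst, port in conns:
        if port == 445:
            peers[src].add(dst)
    return peers

def threshold(baseline_counts, k=3.0, floor=10):
    """Per-host limit on distinct 445 peers per window: baseline mean + k*stdev,
    but never below `floor`, so a tiny network does not alert on ordinary noise."""
    mean = statistics.mean(baseline_counts)
    sd = statistics.pstdev(baseline_counts)
    return max(floor, mean + k * sd)

def flag_hosts(conns, baseline_counts, k=3.0, floor=10):
    """Return {src_host: distinct_peer_count} for hosts above the threshold."""
    limit = threshold(baseline_counts, k, floor)
    return {src: len(dsts) for src, dsts in distinct_smb_peers(conns).items()
            if len(dsts) > limit}

# Constructed baseline: distinct 445 peers per workstation per day on quiet days.
BASELINE = [1, 2, 1, 3, 2, 1, 4, 2]

# Constructed window: ws01 behaves normally; ws07 fans out to forty hosts on 445,
# the footprint a network-wide session/share sweep leaves behind.
SAMPLE_CONNS = (
    [("ws01", "fs01", 445), ("ws01", "dc01", 445), ("ws01", "dc01", 389)]
    + [("ws07", f"host{i:02d}", 445) for i in range(40)]
    + [("ws07", "dc01", 389)]
)

if __name__ == "__main__":
    print("threshold:", threshold(BASELINE))
    print("flagged:", flag_hosts(SAMPLE_CONNS, BASELINE))
```

Raise `floor` (or `k`) for hosts with a legitimately wide SMB fan-out, such as backup or scanning servers, rather than excluding the signal entirely.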
And then finally, in the last minutes of this threat executing its tasks within the network, we came to another discovery tactic, and this time the technique was to target the AD infrastructure. So the adversary may have been looking to gain a larger foothold by identifying other accounts with elevated privileges. This could be for both internal and external needs, like exfiltration of usernames and passwords or further lateral movement in the network. Specifically here they were leveraging AdFind, which is an open-source tool that extracts information from AD. So to detect this you could look for instances of AdFind in your environment, or perhaps even disallow it completely; if that's not possible, we have multiple commands in that article that you can look for as well.

And that wraps it up. I know that's a lot, and in under an hour we were able to see all of this activity and detect it. We were fortunate that the initial access was detected within minutes, as this customer's preventative controls were ineffective and the adversary here was moving quickly. In this case we immediately notified the customer and we began rapidly responding to ensure that the adversary was stopped in their tracks, and thankfully there was no ransomware outbreak at the hospital that day. So those are the 10 detection opportunities that we specifically leveraged to uncover that activity.

Next we'll go ahead and just talk through a couple of proactive and reactive controls that can block or limit the effects of ransomware in the unfortunate event that you do begin to find those beginning signs. So first, be on the ready. Make sure that, in addition to maintaining updates on your operating system, software and firmware, you actually get a real-world feel for these incidents: we recommend simulating a ransomware attack in your environment. You would identify each team's and person's responsibilities and measure how you perform. You can also leverage third-party assessment services to evaluate the efficacy of your security controls and processes. If you do start to find these beginning signs, we want you to act quickly. These could be things like isolating the endpoints to stop a lot of that lateral movement that we began to see attempts of in that threat, and also, you know, beginning to immediately take care of indicators of compromise by banning and deleting files, stopping network connections in their tracks as well, and coordinating closely with your security broker should any additional steps be needed following that detection. And then just be really, really familiar with what your recovery plan is: have your backups ready, but also test your ability to recover from those backups, ensure they're not corrupted and that they'll be viable for you, and then always have a paper version of your response plan as well in the event that you need to go offline.
And then just a little bit about us over here at Red Canary and how we help our customers. Our customer experience: we only want our customers to hear from us in the event that there is a confirmed threat. We do not publish false positives to our customers; we want you to know that when you're hearing from us, it's because you need to. So in one dashboard we publish our confirmed threats, our detection and response activity, as well as reporting. And we do aim to be your security ally. We are of course here to help you identify and respond to threats, but we also want your security program to get better over time, so we aim to work hand in hand with you to get you to a better posture. As you have seen in our presentation today, we have deep threat detection capabilities and we perform thorough investigations, so when our customers hear from us they have a detailed report of what exactly took place and they have actionable insights into the next steps that should take place. And then, responding to that threat, we work with our customers to create automated, customized playbooks to do things such as automatically take devices off the network or automatically ban those IOCs that we were talking about. And you also work with an incident handler team. Our incident handlers are security experts; they know you and your business, and they help you respond to threats as well as provide that proactive security guidance to make sure that you're getting to a better place over time. And lastly, we deliver tangible results to our customers, specifically with MITRE ATT&CK: this includes 203 of the MITRE ATT&CK techniques that we cover with our behavioral detections. We also deliver a 10x reduction in mean time to respond and a 75% reduction in realized risk per endpoint over time as we continue to work with you.

And that is everything that I had for you all today. This last slide is just resources for the curious. That first article there is the official blog post about the attack that we ran through today, then a little bit more detail on our detection methodology, which we talked a bit about today, and then just a little bit more about MITRE ATT&CK, our tools that we have for testing your environment, as well as Katie Nickels' blog; she is our director of threat intel over here at Red Canary. Well, thank you all so much. Let me go ahead and look at the chat now and see if there are any questions, and please feel free to go ahead and add those in there. We'll hang out for a couple minutes to make sure everybody gets their questions answered.
No questions so far. I'll hang out for another minute or two. If you guys don't have any questions, thank you again for joining. I hope that you learned something new today and got a deeper idea into what ransomware is and the things that it tries to do when it's first coming into your environment, and just some hopefully helpful ideas on how you can put those into practice too. Enjoy the rest of the conference; please swing by the booth if you have any more questions for us. Have a great day.