All right, good afternoon everyone. Good afternoon everyone. Good afternoon. All right, that's more like it. Welcome to this talk. My talk is entitled AV Evasion, and I'm just going to go through basically how adversaries aim to bypass antivirus tools, right? Hopefully it's not going to be boring for people, and then hopefully you're going to learn one or two things. Yeah? Sounds good. Okay, awesome.

A little bit about myself. My name is Marvin G, a Principal Security Solutions Architect, part of Elastic. Super happy to be at the very first B in JC. I'm also part of the global security specialists at Elastic. I'm based out of Stockholm in Sweden, but I'm Zambian, and I love South Africa, just hard to say it. I'm passionate about security operations and basically intelligence; that's what I've been doing for the good chunk of the past 8 years or so. Apart from that, I love to travel. I've got a very big, ambitious, audacious goal: I want to go to every African country. So far, so bad: seven out of the 54 countries we have on the continent, and I've been to South Africa like over 30 times, so yeah, you guys are not helping with that. Anywho, I love seafood, I love South African wines. My colleague Paul, if you can raise your hand, he's from Cape Town, he just had to bring me South African wine 'cause I love South African wine. Okay. And I love just exploring new hobbies, right? And I'm super, super happy to be here. If you want to connect with me on LinkedIn, that's my LinkedIn, it's basically Marvin G. Super happy to connect.

Okay, let's get into my talk. My talk is going to look like this. So I'll start with AV tools: where are we today? Anybody working with endpoint security in your organizations, antivirus solutions? Okay, one hand, two hands. You know what happened yesterday, right, with CrowdStrike? I'm not, I'm not making fun of them, it was just, it was a bit hilarious. Anyhow. All right, so I'll talk about where we are today, and then I'll go through common evasion techniques, right? And then we'll go into a little bit of a deep dive, some of you will begin to yawn, in terms of the advanced techniques, and then we'll talk about defensive strategies and best practices. Hopefully, time allowing, I'll also take a few questions from the audience. Sounds good? Awesome. Okay, I'll try and keep this interactive. I love to ask questions, so don't feel intimidated, nothing against you if I point at you to answer some of the questions.

Who recognizes this wave? It's only one, it can only be one. So is it a sine or cosine? It's cosine, right, 'cause it's starting, it's not starting on the zero. All right, interesting. Okay, so the reason I put in this slide is basically this is how my talk is going to be: it's going to be like a cosine wave, right? Sometimes you might relate with the content I'm going to be presenting, sometimes you might get lost in the weeds. I tried to keep it simple and complex at the same time, but hopefully it's going to be good.

Okay, so let's look at where we are today. Antivirus, right? There's too many acronyms to start off with. There's
so many definitions of what AV is, right? There's the classic antivirus. Do we still call them antivirus tools? Yes, no, it depends, depending on which vendors you're looking at. Some people call it next-generation antivirus. Then you're going to be seeing acronyms such as EPP, right, which is endpoint protection platform; then there's EDR as well, which is endpoint detection and response; and there's a new kid in town, XDR, extended detection and response. It's a bit confusing, isn't it? Anyway, so what are my thoughts on all these? Those emojis say it all, right? I hate acronyms.

So in a nutshell, what is antivirus? So this is basically an application that's been designed to prevent, detect and remove malware, right, malicious software. Historically AV started out by focusing on computer virus programs, right, the Morris worm, ring a bell, anybody? Yes. But then also there's been an increase in terms of attacks that are focusing on the endpoint, so today we're living in the times of botnets, we're living in the times of ransomware, and this has led to more advanced capabilities in antivirus solutions, right? So whereas in the past when something bad breaks out we just create signatures, right, maybe the hash value of the malicious software or things like that. We still do signature detections from an antivirus point of view, but there's more capabilities that have been built into these tools. So we're talking heuristics, right, where we're looking for certain patterns and certain relations and doing a bit of a statistical analysis in terms of the processes that are running on the endpoint. And then there's machine learning and behavioral-based analytics, where we're not focusing on signatures but we're focusing on behaviors that are going on on the endpoint. Make sense?

And then we're at a point where security teams want to have visibility into what's going on on workstations, what's going on on the servers, right? And now we have this concept of EDR, endpoint detection and response. But essentially with EDR what we're doing is just combining the anti-malware capability of AV tools, and then we're doing telemetry collection of the endpoint itself, right: process activity, network activity, registry activity, whatever you want. And then EDR also introduces the possibility to take response actions: there's malware on my endpoint, I need to take a certain response action, maybe kill the process, maybe suspend the process, maybe I isolate the host from the network, right? So that response capability is part of EDR tools. So far so good? All right, I hope there's no one who's thinking "I'm in the wrong session." All right, cool.

Let's look at the components that make up an EDR tool. The first one is the agent, right, and this is what caused problems for CrowdStrike yesterday, but I'm not here to talk about CrowdStrike. Anyway, so these are the components of an EDR tool. You've got the agent, which is the software that you install on the endpoint, and essentially the agent is there to control and consume data from sensors. Additionally the agent is responsible for things such as alerting, blocking and deception capability, and I'll touch on that a little bit later. Apart from the agent, an AV tool also has sensors, right? Sensors are just basically there to intercept data. So there's stuff that is happening on the endpoint and you want a tool that's going to be keeping track of what's going on, so essentially the sensor is there to do particularly that. And it's a super fast processor, 'cause again there's a lot of activity, there's a lot of processes on the endpoints, so you want this application to be picking up that data in real time, so you want it to be quick. And then there's telemetry, right? So this is the actual raw data. The sensor is sensing the data; that is telemetry. So this is raw data produced by a sensor or the actual endpoint, which is the host, and we focus on completeness of the data, right? Was it a file creation, was a file opened, was a file altered, was a file deleted? So the telemetry needs to be complete in telling you what is going on on the endpoint.
So what sensor types do we have? So just going back to the previous slide, we're saying EDR tools is the agent, the sensors and the telemetry. So what sensor types do we have, these data readers, right? So you've got first of all the static scanners, right? So essentially you've got other software running on the endpoint; you want this static scanner that's going to be scanning, you know, the files and the binaries that are existing on the endpoint. And then you've got your file engine, right, 'cause we're talking telemetry: the file engine is basically tracking file activity on the endpoint. Make sense? And then you've got the memory engine as well, and I'll go a little bit in depth in terms of what the memory engine does, but essentially we're just looking at the processes that are running in memory and we're just tracking basically certain activities in that sense. And then you've got the network engine, right? So this is an endpoint-centric network engine. Our endpoints connect to the internet, right, to networks, so you want to track what's going on on the endpoint from that point of view. And then there's emulators as well, sandboxes, including deception mechanisms, included as part of the sensors. Not all EDR vendors do this, some do, some don't, and we'll get into some of those nuances a bit later on. There's a little note at the end of the slide itself that says various vendors implement and utilize the above differently, so you're not going to get this complete set in an EDR tool, but at least you expect to have some of these sensor types present in EDR tools.

So let's look at the basic architecture. Again, please keep this in mind: an EDR tool is the agent, sensors and telemetry, and those are the different sensor types. At the bare minimum, an EDR agent is going to have, at the bottom, we see the agent service again, right? So there's the agent itself and then there's the various sensors: the static scanner, you've got the hook DLL, and then you've got a kernel-mode driver. I hope people are familiar with user space and kernel space. Hands up if you're familiar with user space, kernel space, operating systems? Okay, not so many hands up. All right, anyhoo. So at the basic architecture this is how an EDR agent looks like: it's the agent service that is running and then the sensors that are collecting data. You can fuse in the other engines that we discussed on the previous slide, the file engine, the network engine, etc. etc., but at the bare minimum this is how the architecture of an EDR looks like.

So the question then is, how does an AV tool do the protections on the endpoint, right? So this is an example of basically how an AV can hook itself in the operating system. So you've got the user-land space, or the user space, and you've got the kernel space, right? So you might want to maybe make a change to a file, or an application might want to do a certain change, right? So the application is running in user space, but then for it to make certain changes it needs to interact with the kernel, right, under the hood. So what AV tools do is they'll sit in between, you know, that call into the NTDLL, right? So if, again, I'm now beginning to go a little bit deeper into the intricate details, but essentially for any application in user space, when it makes a call into the kernel, the EDR sits in between and does an interception. So think of it like border control, right? They inspect you, they check your passport and everything like that. So that's essentially what's happening here. So the DLL hooking is basically being implemented by the AV tool. Make sense? I'm not losing people, am I? Okay, I hope I'm getting drinks after this.

All right, so we're talking about telemetry, right? So what example telemetry can we collect from the endpoints? This is a screenshot from Elastic Defend, which is Elastic's EDR tool. This is just for exhibition, I'm not here to sell, I wish I could, but yeah. So we're looking at Windows, right? So typically not just Elastic Defend but any other tools as well, they're able to collect similar telemetry. So we were talking, just a recap, about the different sensor types, right? So we're scanning file changes, we're scanning memory activity, we're scanning network activity. This is an example of how we do it on Elastic, right? So we're collecting Windows API activity, all the DLL and driver load activity, right? We're collecting file telemetry: from the point a file is created, all the changes that you make to a Word document for example, when you delete it, all the telemetry, we're tracking it. So an EDR tool needs to be able to do that.

So the topic is AV Evasion. So I've given you a recap of what an AV tool is and
I've gone into how AV tools work, right? Let's look at how evasion then happens, 'cause what attackers want to do is bypass these capabilities, right? There are primarily two categories of evasion. The first one is on-disk evasion, right, and the second one is in-memory evasion. Anyone got an idea what on-disk evasion could be? Just, even a wrong answer is okay.

[Audience, partly inaudible]: ...scan that, scan your... to see...

Absolutely. Anyone else with an answer to that? No? Yes?

[Audience]: Hidden sector on the drive.

Sorry? Hidden sector on the drive. Hidden sectors on the hard drive. So any presence of files on disk, right? So essentially attackers want to place certain malicious files on disk, and then those files are going to do something that's going to evade the EDR tool. In-memory evasion, anyone to describe what that could be, and why we're now faced with in-memory evasion? Yes?

[Audience]: Like direct object manipulation to drop a process out of the forward-link/backward-link list, right, running... And the idea is to evade the on-disk, right, not picking up the running process in memory if you're scanning through the memory space.

Okay, perfect. I hope you were able to hear that, right? So with on-disk evasion, this is where attackers land on the computer and they put their malicious files on disk, right, and then that file is going to do certain executions, take certain steps, and then it's going to do an evasion, and we'll look at how on-disk evasion looks like in a bit. And then in memory, to your point, the attacker's objective is not to leave any traces on disk, 'cause EDR tools are scanning the disk, so they go straight into memory and they're trying to compromise the processes that are running in memory. Make sense? Okay, I don't want to leave anyone behind, and the expressions on your faces are not helping: some people look lost, others look like "yeah, yeah, you know". Okay.

So let's look at on-disk evasion, right? So the first on-disk evasion tactic or technique I want to talk about is packers. So packers are basically tools that compress, encrypt and otherwise modify malicious software, and the goal is to evade detection. So these are still files that still land on disk, but the objective is to try and make it so hard to be detected by AV and EDR tools. Make sense? And then they often employ techniques such as code compression, encryption, and then adding extraneous code or junk instructions to disguise the true nature of the malware itself. So there's two objectives: shrink the size of the malware, and then also alter the logic of the malware itself, and then add in a bit of garbage as well, in that sense. As the graphic is showing, so you've got the original malicious file, and then you use this packer software or technique that packs it, reduces it, reduces the size as well, and then it blends in with the files on the computer. That makes it super hard to do detection on packers. So the whole goal here is basically to evade signature-based detections, right? So again, malware is associated with behaviors, observables, certain things like file hashes for example. So if your detection is dependent on those types of things, packers are going to try and evade that type of capability.

The other evasion tactic on disk is obfuscators and crypters. Any software developers in the house? So we do know what obfuscation is from a software development point of view. This is where you write code, but you write it in a way that if another person came and read the code they wouldn't really understand what's going on. That's what also attackers do when they're writing their... I'm not saying you're attackers, but that's what attackers do anyway. They do the ob... ob... obfus... jeez, English. So you've got obfuscators and crypters, right? So obfuscation is basically: this is a malicious file, it's on disk, it does execute and becomes a process, but when the AV tool begins to go through it looking for signatures or indications of malice in the code itself, it's been written in such a way that it's obfuscated, right?

And then in addition to that you've got crypters as well. What crypters do is: a file lands on disk, it's obfuscated, you can't really make sense of it, you can't do the reverse engineering to understand what the code is doing, but as soon as it goes in memory, so the file is running, it's a process, there's crypters that are part of the code with keys in there, right? So it will be encrypted when it lands on disk; as soon as it begins to execute in memory, the crypter is going to decrypt the malicious part of the code. So it makes it super hard for you to do the analysis from a malware point of view.
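The packer and crypter behaviour described above leaves a tell on disk that a static scanner can look for: compressed or encrypted payload bytes have a much higher Shannon entropy than ordinary code or text, and the crypter's encrypted body only becomes readable once it decrypts itself in memory. The script below is an added example, not code from the talk or from Elastic, showing the windowed entropy heuristic a static scanner might apply. The window size, the 7.2 bits/byte cut-off and the sample "file" (a repeated text stub followed by a pseudorandom blob standing in for an encrypted payload) are constructed assumptions.

```python
"""Entropy heuristic for spotting packed or encrypted regions in a file.

Added example, not code from the talk or from Elastic. The window size,
the threshold and the sample bytes are constructed assumptions.
"""
import hashlib
import math
from collections import Counter

WINDOW = 4096           # bytes per scan window (assumed)
PACKED_THRESHOLD = 7.2  # bits/byte; compressed or encrypted data sits near 8.0 (assumed cut-off)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def window_entropies(data: bytes, window: int = WINDOW):
    """Return [(offset, entropy)] for consecutive fixed-size windows of the file."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data), window)]


def suspicious_offsets(data: bytes, window: int = WINDOW,
                       threshold: float = PACKED_THRESHOLD):
    """Offsets of windows whose entropy reaches the packed/encrypted threshold."""
    return [off for off, h in window_entropies(data, window) if h >= threshold]


def verdict(data: bytes, window: int = WINDOW, threshold: float = PACKED_THRESHOLD) -> str:
    """Human-readable triage result for one file image."""
    hits = suspicious_offsets(data, window, threshold)
    if hits:
        return f"suspicious: {len(hits)} high-entropy window(s) at offsets {hits}"
    return "clean: no high-entropy windows"


# Constructed sample "file": two windows of a plain-text stub, then two windows of
# pseudorandom bytes (a deterministic SHA-256 counter stream) standing in for the
# encrypted payload a crypter only unpacks in memory.
PLAIN_STUB = (b"This program cannot be run in DOS mode.\r\n" * 200)[:WINDOW * 2]
ENCRYPTED_BLOB = b"".join(
    hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(256)
)
SAMPLE_FILE = PLAIN_STUB + ENCRYPTED_BLOB

if __name__ == "__main__":
    for off, h in window_entropies(SAMPLE_FILE):
        print(f"offset {off:6d}: {h:.3f} bits/byte")
    print(f"whole file: {shannon_entropy(SAMPLE_FILE):.3f} bits/byte")
    print(verdict(SAMPLE_FILE))
```

Scanning in windows rather than over the whole file matters: the sample's whole-file entropy stays under the cut-off because the text half dilutes the average, while the two windows covering the pseudorandom half are flagged. Legitimate compressed resources and installers also score high, so entropy is a triage signal to combine with the behavioural telemetry the talk goes on to discuss, not a verdict on its own.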
Those of you that are nodding your heads, thank you very much, at least some people are following. So that's really good. Okay, so essentially effective antivirus evasion also necessitates combining all the previously mentioned stuff: the obfuscators, the packers and the crypters. Additionally, some people are so smart they also include anti-reversing, 'cause there's a whole domain called malware reverse engineering. There's certain steps that you need to do in order to do the malware reverse engineering, but some attackers are so smart they also include, you know, anti-reversing. And then there's also anti-debugging, right? Those of you that do a bit of malware analysis, you know that most of the times we use a debugger to go through the code of the malware itself, but sometimes, you know, there's a lot of implementations that try to stop you from doing the anti-debugging.

Okay, so those are the common evasion techniques. Let's go into the advanced techniques as well, right, the ones that we're calling in-memory. So again, just a recap: in in-memory evasion the attacker doesn't want to leave any evidence on disk, 'cause it's easy to find files on disk, right, 'cause we're on the disk. But essentially attackers would try and go straight into memory, 'cause there's processes that are running in memory and they'll try to compromise those processes. Make sense?
I'm not losing anyone, am I? Please.

[Audience]: Sorry, sir, I just was very curious about... yeah, with buffer overflows.

That's a very good question. So buffer overflows fall into, it's a bit of a combination of on-disk and in-memory evasion. The new buffer overflow attacks actually are also in-memory only. So buffer overflow essentially is you're looking at how a legitimate piece of software is executing, right? But then again, developers love to do things really quickly, so sometimes you're not really tracking how your application is going to run in memory, right? So sometimes there can be calls to other programs that are being made in the context of a running process, or, essentially, the buffer overflow doesn't keep track of the memory space. So sometimes you're doing certain things and executing in memory, and then you go over the allocated space for that application, right? Now what attackers do is they look for these applications that have got these vulnerabilities, if I can call it that. So they look for an application that goes into memory and overruns the space that's allocated to it, and they look for the next address: once I overrun the space allocated for me in memory, then I try to put my malicious code on that next step where the application falls into, right? It's not really part of my talk track, but essentially I would consider buffer overflows to be also in-memory type of attacks. But again, it depends on the malicious code, where it's going to point to, 'cause sometimes you can point the malicious code to pick up a file that is on disk, and that's why I said it can be a combination of the two. Good question though, and leave some of the questions for the networking hour.

All right, so in memory. Let's just do a recap of a process from a computer point of view, right? So a process is basically just a file in execution, isn't it? So when you have a file on disk it's not doing anything, it's not a process; as soon as it's in memory and that file is executing, then it's a process. That's what a process is according to operating systems, right? Now once a process starts, there's different states a process can take. The first one is it's in the new state; it can be in the ready state; it can be suspended; it can be running; terminated; and the like. So I just want you to recap on these states: so a process can be new, it can be stopped, it can be suspended, it can be killed. And attackers take advantage of process states. So usually on our laptops we've got legitimate software running, right, and attackers would try to take advantage of these different states. So for example you're running Microsoft Word, it's running, okay, it's in memory. An attacker might want to take advantage of the state of that process when it's in memory, and that's what we're going to look at in this section. So far so good? I'm not losing anyone, I hope.

Okay, so for a long time AV solutions have focused on on-disk scanning. You remember the Avast days, right, Avast, Avira? You'd, you know, scan my laptop and it'd go scanning your files; it's just basically looking for signatures on the files on disk, right? This is still relevant; we're not saying signature-based detections are not relevant, but then masquerading plus other techniques keep evolving to evade on-disk detections. And then adversaries, like we've already established, they're now going fileless, so they don't want to
leave files on disk, 'cause they know there's an AV tool that's going to do the scanning. So what they're doing now is they're leveraging living-off-the-land mechanisms. Who knows what living off the land is? Don't be shy. Who knows what living off the land is? Who wants to describe to the audience what living off the land is? Yes, sir.

[Audience]: It's using standard binaries that are built into the operating system, or that are standard to... on the task. So an example might be using Windows PowerShell to run a script that... but basically you don't bring your own binary with its own signature; you use existing binaries, like you can't say cmd.exe is a malicious program, it helps you as a...

Absolutely. So living off the land is where attackers leverage the things that we've come to trust on our workstations. Is that a fair statement? Right? So for example cmd.exe, the command line on Windows, we know it's a legit Windows software, right, or service. So when it's running, or the AV tool is doing the scanning, it sees cmd.exe, it's not going to scan it. So what attackers are doing with in-memory evasion is they're targeting cmd.exe, 'cause they know we trust it, and then what they try to do is to compromise the functioning of cmd.exe. And I'm just using it as an example; they can choose so many other binaries on Windows and the equivalents on Linux or Unix systems. There's actually a cool project, it's called LOLBAS, check it out. It documents all the binaries that we trust on Windows that we are observing attackers are beginning to use to do living off the land. Make sense? So an analogy I like to make of living off the land is, usually in our homes, if someone walks in that we know is not part of the family, we get suspicious, 'cause we don't know this person. But if my mom walks in, oh yeah, hi Mom, welcome, you belong in this house, right? But what attackers are trying to do is they'll hide in my mom's bag, 'cause they know it's my mom, I'm not going to go through her bag, right? So that's the analogy of it with living off the land.

So let's look at in-memory evasion. The first one is PE injection, or portable execution injection, right? With this, basically malware is copying its malicious code into an existing open process and causing it to execute. Again, I'll just go back here: a process can be new, it can be ready, it can be running; when it's running, it's in memory, right? So with PE injection, basically what the attacker does is, the first step is they open a target process using the OpenProcess call, a function on Windows, and then they'll locate a chunk of memory in the process. Make sense? So this process can be, for argument's sake, you can be running Excel, for example. Excel is running on your Windows machine. What the attacker does is they'll open a target process using that OpenProcess call on Windows; they will allocate a chunk of memory in the context of Excel; and then what they'll do is they will write the shellcode payload to the newly allocated section, and there's a function in Windows that says WriteProcessMemory. So essentially I target an application that is trusted, and then I try to allocate memory in the context of that process, and then I write my malicious code straight into that process. Make sense? I hope the visual is helping with that. And the last point is you create a new thread in the remote process to execute the code. So, legitimate process, Excel for example, that's a target process. So what I do is I allocate, if the application or the software allows me to allocate more memory in its context, I add more memory, and then I write my malicious code straight into that process's memory, and then I execute a thread in the context of that process to execute my shellcode. So when the EDR tool is running, it's thinking, hey, this is Excel, we trust Excel, let it do its thing, right? Meanwhile it's executing malicious code in memory. Make sense? I hope I'm not losing friends. I hope I'm getting free drinks after this. Please?

[Audience]: In terms of the way that Apple is starting to integrate their applications, which are fileless, where you're able to basically stream the application onto the device, would that then be considered, um, memory...?

Sorry, just repeat the question?

[Audience]: So with Apple, the way that they're integrating their new applications, where it's fileless on the device itself, where you're able to stream the application on the device, would that then be considered in-memory as well?

So what you're saying is the app is not resident on disk, it's going straight into memory? I'm not really familiar with that technique, but essentially that's what we're talking about when we say fileless: as long as the binary is not resident on disk, it's executing straight in memory, that's in-memory, right? But here we're looking at it from an evasion point of view. So there's a legitimate software, it's been installed, it's there on disk, but then when it's executing, that instance is in memory, and attackers go straight into memory and they try to make use of all these functions. A classic example is today when we download software, Spotify for example, there's usually a hash file associated with the binary that we download, because you need to validate that no changes have been made to that. What attackers do is, and I wanted to show this demo, but the demo gods were not with me, my VM crashed in the morning, that's what I wanted to show. So you can download Spotify, and there's a tool on Kali Linux that helps you to look in the code of the Spotify installer, where you can actually hook your malicious code in the binary itself, in such a way that by the time you're installing Spotify, 'cause at that point the file is running in memory, these techniques begin to happen. So you can literally get a reverse shell if you want to. He goes like, ooh, don't try this at home, right? Yeah, exactly. So basically this is what attackers try to do, and it's a cat-and-mouse game. All
right. So far so good? Okay, time flies when you're having fun. I'm having fun, I don't know about you, but I'm having fun. Another in-memory evasion technique is called reflective DLL injection. So with PE injection it's in memory, but sometimes it can combine on-disk and in-memory, 'cause by the time I'm writing the shellcode I could also ask the shellcode to point to a DLL that is on disk, so at some point you still depend on a file on disk. Or what other attackers do is, by the time I'm allocating this shellcode into that extra memory, I'm calling to a remote location where I want to pull the actual payload that's going to be malicious. And EDR tools are able to detect this today, right? With, excuse me, with reflective DLL injection it's similar to PE injection, right, but then the attacker is injecting a DLL into a victim process from memory rather than disk. So here we're being explicit: there's no file that has to be resident on disk. Make sense? So the shellcode has to be either somewhere remote, or we need to be smart enough in terms of how we want to get it in the context of the memory of the running process.

The other technique I want to discuss is process hollowing, right? So with process hollowing, just a recap on this: one of the states here is suspended. So a process can be running in memory and then you can suspend it and do something else, right? But then remember, a process in memory has been allocated memory space, right? So even if you put it in suspended mode, there's still already virtual memory allocated to it, and that means you can make use of that virtual memory. So in process hollowing, basically the steps that are included is you're going to look at a legitimate piece of software. The ladies were like, yeah, we've just had enough of this. All right. So with process hollowing, again it's the same mechanism, right? So you've got a target process; again I'm going to be using the example of Excel. So Excel is running, and then what the attacker does is, because they know Excel is already in memory, they'll suspend it. It's running, but then they suspend it. And then the next step that they do is they replace it with a malicious executable image, right? So before that target process actually does anything, because it's been given memory space, you pause it and then you overwrite its virtual memory space with malicious code. And then once you do that, the process is then resumed, and then malicious code is executed instead of the legitimate process. Make sense? So another analogy to this is: my mom comes home, she's opening the door to the house, before she goes in I suspend her, as an attacker, and then I put in my other guy. What's your name, sir? Andre. Andre, yeah. And I just say, Andre, go in there and get everything, let's get out of here, right? So it's in the context of my mom opened the door, and everyone is saying, oh yeah, Marvin's mom is the one that opened the door. Maybe you're using a smart locking system, so it shows Marvin's mom's key is the one that opened the door. But essentially, as soon as she opens the door we suspend her and then say, hey Andre, go in and do your thing. So in the logs it's going to show it's my mom that did everything, but essentially it's the malicious code, that is Andre, that did that stuff. Makes sense? So that's process hollowing. So we're depending on identifying a process that we can suspend, and again this is where cyber security hygiene comes into play, 'cause certain software is written in a way that any other calling software can suspend it, right? Again, this is where good cyber sec hygiene comes into the play.

Okay, so we've talked about advanced techniques and the common evasion techniques. What are some of the defense strategies and best practices we can employ to avoid such things from happening in our environments? Before I go into the defensive strategies, any questions on what I presented previously? Please.

[Audience]: Any legitimate use
cases, process injection?

When you say legitimate, as in real life out there?

[Audience]: Yeah, like a genuine use case where it's used legitimately and not just for malicious intent.

All right, yes, absolutely.

[Audience]: Why not just block create memory, create process memory or virtual allocate memory? So is there a use case for that, like genuinely?

There's, every day there's use cases for that, every day on our endpoints, right, on Windows, on Mac, on Linux as well. So there's legitimate software that requires these functions, and this is why I think cyber security is going to be a big problem even 20 years from now, 'cause it's a battle between functionality and security, right? Developers want, hey, this app is so cool, it does ABCD, it creates value to the organization; they never care about security, but that app makes business sense. So now the thing is, how do we map in security into that functionality? So it's the same concept with operating systems: these functions have been used for years and years, they're still being used today as well, they're relevant, but what we need to do, and you see on the defensive strategies, you need to just basically take good cyber security hygiene: which application needs to run some of these functions, and which applications don't need to have these functions, and for the ones that we're going to allow to use some of these functions, how can we monitor them, and then also how can we see that they're tilting away from their normal mode of operation? Make sense? Any other question? Please.

[Audience]: Sorry, the hollowing, could that be applied to services in Windows, as they traditionally get suspended, terminated or started throughout, using the system?

Sorry, just...

[Audience]: Could the hollowing technique be applied to services, like your printer service?

Absolutely, yeah.

[Audience]: As it's being used by user ex...

Yeah, absolutely. So this is applicable to the services on Microsoft, on Windows as well, and that's why we call it living off the land, 'cause usually the target process will be a process we trust. It could be a DLL, it could be a service, it could be just a regular application that you install in user space. But what attackers would do, as soon as they land, they'll try and see if they've got the rights. So again, usually with cyber security attacks, I don't know if you attended the previous talk before lunch, going through that penetration methodology, one of the things that attackers would do is to try and find an initial vector to get onto the endpoint and then try to do a privilege escalation. But even when they land, even if it's just a normal user they compromise, the first thing they'll look out for is, hey, I compromised Andre on this machine, what rights does he have on this machine, what can he do and not do on this machine? So they try to do an enumeration of services, DLLs, user-installed applications, and they try to look out for these loopholes that they can then exploit to do that evasion of the EDR itself. Make sense? Yeah, okay. All right, any other question? Yes.

[Audience]: For the process hollowing, so I know for some EDRs you have something like tamper protection, maybe, so where you can't really change the stuff, right, for the EDR, right? So for one of the steps here the prerequisite is, like, the malware, what follows up the legit process. Wouldn't there be, like, a way to stop the malware, like, isn't it like a flaw in the process if, like, a random other process kind of stops... without, like, I assume that it would need to be, well, say, like, the main process, like, what you call it, say, for, yeah, the parent process basically is the one that is going to target, I mean suspend, the actual process, right, not actually the malware, right?

It's easy to say, but in reality, I mean, the reality is different, right? You can easily say, hey, I'm not going to allow this, but then it's coming back to the business criticality of the functions, I mean of the applications, that you have on your endpoint. So yes, in theory you can say that, don't allow a process that's not a
parent process to do ABCD but the moment you do that then you're also creating a problem for other legitimate applications that are designed to work with those um types of privileges tend on if you get what I mean and that's why it's always a cut and mouse game all right so let's look at defensive strategies and best practices that we can do so how can we defend our environments from EDR evasion EDR AV evasion there's a typle there the first one is next Generation antivirus capabilities right and that's why if I go back here literally going through the slides again right these acronyms and definitions one of them is next Generation antivirus now again I'm from
elastic I'm going to Define Next Generation antivirus in the context of our EDR solution right so when we talk about Advanced on Next Generation AV as a defensive mechanism we're talking about edr2 or a2s that have got first of all memory protection and it comes to your point what is memory protection this is where now we just concentrate on the processes that are running in memory memory the calls that are being made we're looking at the threads as well that are running in processes right do we know what a thread is anybody one the needid and the thread no so a process we already established it's a file that is being executed right so it's in memory now once it's in
memory usually a process has got multiple objectives you want it to do so many things so what a process does is when it's in memory it has what we call threads of execution so there's multiple things happen happening simultaneously right so it's one process with threads within the context of the process so with memory protection uh the latest AV needs to be able to track what is happening in the process how is it doing thread memory allocation what threads are being spawned and is it tied to again the parent process relationship ship I mean the the parent child relationship right so the um the Next Generation antivirus needs to be able to do that memory
protection um where you do that advanced scanning of what's going on in memory what the processes are calling is it expected Behavior right the next one is behavioral analytics so traditionally a2s have been doing signature based detections but now we need to focus more on not just signatures but also behaviors Outlook opened it's spawned Excel that is normal cuz there's attachments in emails right but if suddenly my Excel document is spawning set you for example right set you on Windows handles the certificates on Windows that's not normal behavior so now that's what we need to start doing in order to detect evasions we need to start tracking behaviors right I don't expect Excel to spawn set you till there's no use case
for that right so the Next Generation antivirus needs to be able to do Behavior analytics in that sense and then the last one is deception Technologies right deception Technologies so when we looked at process hollowing or just generally all the techniques I discussed I said one of the first steps that Tuckers do is they try and enumerate the Endo which processes or which applications can I which like which applications have got excessive privileges let me put it that way which process can I suspend so they try to do that enumeration right so some of the new a2s what they do is they know attackers are going to land on the endpoint so they put deception in there
so maybe deliberately put a an application that you can suspend but maybe that has been put in just to see if anyone is going to leverage that for evasion make sense other strategies the usual critical Basics this sounds so basic but it's so hard to do in reality because there's a lot of moving Parts in organizations the first one is endpoint hardening right and comes back to your point again you know you need to understand what type of an organization you are the types of users that you have and then you do the relevant hardening maybe certain users don't need applications that have got these permissions turned on right maybe certain servers are so critical in your
environment they don't need some of these capabilities turned on make sense so again endpoint hardening is very important but you can't Harden an end point if you don't understand its role in your organization the second point is threat intelligence Integrations how many people work in Security in the audience don't be shy how many of you collect threat intelligence don't be shy few hands okay so threat intelligence is very important cuz again these attacks are always evolving every day so what you want to do is collect relevant threat Intel and do what re an indicator match with the data that you're seeing in your environment make sense and then also you want to do Advanced logging so
I showed you an example earlier on of the type of telemetry our edr2 collects you really want that because again security has gotten to a point of it's not if you'll be compromised it's when you will be compromised but even then you want to show that you've got Duke can due diligence you want to have logs you need to be able to be at a point where you can go back in time and Trace back where did this start how did it escalate you know what was the objective and what did they do and that applies to AV evasion as well and that allows you to do threat hunting I know my time is up I guess you give me 2 minutes 3
minutes maybe all right sounds good um so if you do Advanced logging it allows you to do the after Thea investigation or if threat Intel tells you there's new techniques for the type of assets you have in your environment your windows your Linux you should be able to do threat hunting hey I've heard just again hypothetically speaking I've heard Absa was hacked and this is how the hackers did it and I also have similar Assets in my environment you should be able to go into your data and do threat hunting just to see if you're seeing the same observables and indicators of compromise make sense and then collaboration and sharing I know South Africa is really good at
this um your cyber security communities are really good but you also want to be in touch with the authorities your National if you're a bank you want to collaborate with other people that are interested in threat Intel sharing you just want to collaborate and share right cuz these techniques are always changing and then also you want to amp up your incident response planning and one of the things that people don't do is to prepare for AV evasion cuz the assumption is always hey I've got an antivirus solution I'm safe but attackers are evading that sometimes they're even disabling that capability right so you need to be be ready from an incident response point of view my EDR
has been bypassed how do you respond to that right how many of us address this in our instant response plan like your a your AV being evaded like do you have an IR plan for that you do do you ish is you do I want to hear about it during the networking and the last one is user awareness and training again the basic stuff right malicious attachments be on the lookout for that gen is here it's not helping with fishing because fishing has become so good I need to confess sometimes also for for the tricks cuz it's become so good right but nevertheless we still need to be resilient and Empower our users our regular users just to practice you know
best best practices don't download attachments don't install unnecessary software don't fall for some of these things right and there something that needs to occur every now and then okay with is that any other questions that was a quick no any questions I can take one or two uh I think there's a mic yes yeah in terms of investigating or analyzing suspicious uh process executions would you say it's effective in looking at process IDs and thread IDs in terms of finding root cause or would that just lead to Rabbit holding um it depends right it depends because PS are os specific right um yeah it depends it could be it could be necessary in the in
the process of doing the investigation you want to track that absolutely um I mean yeah definitely you want to do that right cuz you want to see usually when processes are running in memory what you're going to say is what you're going to see is the process ID more than the process name of course the name is is going to be there but majority of the time it's going to be the process ID so you just want to keep track of that right but but again it's dependent on the investigation that you're doing at the time my general view in terms of what data do you need for thread hunting or you know post- event
investigations is you need all the data just collect everything and that's why if you remember one of the slides that I showed a lot of Av and edr2 today they're kenel drivers they don't run in user space they run in Keno space and that gives gives you a position of power cuz essentially you're seeing everything that is happening on the end point and even if there was a compromise you want to store those logs externally from the endpoint so you can do incident response you can do your digital forensics as well and that's why I'm a huge fan of collect all the Telemetry it's going to be expensive but collect all the Telemetry uh yes it is we have a
solution for that visit our booth outside I'm not here to sell one last question I'll take one more question cuz I'm over time all right thank you very much and please visit our stand outside there's a lot of swag really cool swag but the elastic stand um yeah and come through for a chart as well thank you very much thank you
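A small detection check for the behavioral analytics point made in the talk (Outlook spawning Excel is expected, Excel spawning certutil is not), tracked by PID and parent PID rather than by name as the closing Q&A suggests. This is an added illustration, not the speaker's or Elastic's code; the event format, the baseline pairs and the sample telemetry are assumptions constructed for it.

```python
"""Added example: flag anomalous parent/child process spawns in constructed
endpoint telemetry. Event shape, baseline and samples are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    name: str      # image name, lower-case, e.g. "excel.exe"
    cmdline: str


# Assumed baseline of expected parent -> child pairs; tune per organisation.
EXPECTED_PAIRS = {
    ("explorer.exe", "outlook.exe"),
    ("outlook.exe", "excel.exe"),
    ("outlook.exe", "winword.exe"),
}
# Office document hosts that have no business spawning these children.
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
WATCHED_CHILDREN = {"certutil.exe", "cmd.exe", "powershell.exe", "rundll32.exe"}


def ancestry(events, pid):
    """Walk PPIDs back to the root; keyed on PID because names can repeat."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards PID reuse loops
        seen.add(pid)
        chain.append(by_pid[pid].name)
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def find_anomalies(events):
    """Return (pid, root-to-child chain) for each Office host -> watched child."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or (parent.name, e.name) in EXPECTED_PAIRS:
            continue
        if parent.name in OFFICE_HOSTS and e.name in WATCHED_CHILDREN:
            hits.append((e.pid, " > ".join(ancestry(events, e.pid))))
    return hits


# Constructed sample: normal mail -> spreadsheet chain, then certutil from Excel.
SAMPLE = [
    ProcEvent(400, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(1201, 400, "outlook.exe", "outlook.exe"),
    ProcEvent(1342, 1201, "excel.exe", "excel.exe invoice.xlsx"),
    ProcEvent(1410, 1342, "certutil.exe", "certutil.exe"),
]

if __name__ == "__main__":
    for pid, chain in find_anomalies(SAMPLE):
        print(f"ALERT pid={pid}: {chain}")
```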