
BSidesPGH 2024 Track 1 Conor Osthoff & Rhiannon Dixon It's Not a False Positive, It's Alert Fa

BSides Peru · 47:04 · Published 2024-08
About this talk
Abstract: Connecting the dots between closed alerts and real incidents.

Transcript [en]

Thanks so much for that. So I'm Conor Osthoff, I'm an associate director at SRM. A little bit about the company and what it is we do: we are a global risk and cyber security consultancy doing business in 10 different countries. I have Rhiannon Dixon here with me as well, who's a member of my team and a manager of incident response. The two of us partner up together on a broad range of engagements, everything from traditional ransomware and recovery operations to network intrusions, business email compromise and everything that falls in between.

Thank you Conor. As Conor noted, I'm Rhiannon Dixon, I'm an incident response engagement lead and manager at SRM. So a little bit more about what we do at SRM: we provide intelligence, resilience and response services across our eight office locations internationally, supporting our global clients. For our intelligence services, we provide intelligence that informs critical decision making and strategies; we turn information into actionable insight. We provide services including merger and acquisition strategy and due diligence, citizenship and visa support for individuals and organizations, and strategic and corporate intelligence services. For our resilience services, we make organizations more resilient to cyber security threats; we identify and resolve emerging threats ahead of time. This is where we provide support like strategy and security transformation road maps, assessments against regulatory and governance frameworks like NIST and ISO, and reviewing and building security policies and procedures. Finally there are response services, where Conor and I sit. We respond to cyber attacks and organizational crises with urgency and efficiency. We also have a kidnapping, ransom and extortion team, which specializes in assisting with organizational crises and threats to physical security.

So I think how I'd like to start this off is just to set the stage with the goals of security monitoring. As we go through the presentation here we'll talk about a lot of different concepts, each of them related, and they're all going to help us build that narrative that we have at the beginning here, which helps us understand the implications of a closed alert as it relates to an actual true positive incident. So here I think we can all agree on the first one: that we would hope that an effective security monitoring program will allow us to identify, block and prevent threats, so making sure that the logic is there to do these rational things as alerts come across the table. As well, we want to reduce the likelihood of incidents. So great, we've made a detection, we have put some type of detection mechanism or criteria in place that will help us block and prevent threats, and really what is the goal of that? It's to reduce the likelihood that one of these alerts could result in a true positive incident. Another important topic here is to be able to detect risk-accepted threats. So there is a very common scenario, right, where you need to apply a patch to a critical vulnerability; it could result in some type of downtime for the business; maybe it's a public-facing device that you use to connect to your internal network. There are a lot of situations here, right, whenever you're talking about a security monitoring program and a vulnerability management program as a plug-in to it. So one thing that we want to be able to do is, if we have a vulnerability or a threat that can't be remediated, we want to make sure that we have detection criteria for it. Lastly, another healthy goal of one of these security program options, or topics rather, is to generate metrics. So these metrics will be used for a few different things: they'll be used for alert tuning, alert baselining, they'll be used to determine the amount of time that it's going to take you to respond to certain aspects or elements of a particular detection, and honestly it'll probably help you get some budget too if you find out that your security team is flooded with alerts and things like that.

All right, so we've discussed the goals of a mature security monitoring program. What are some of the types of failures? Now I hope that for all of you, when you log into your computers in the morning, I hope it doesn't look anything like this, right? I hope it's not dozens of alerts across dozens of platforms and different security tools with no single pane of glass. Unfortunately that is the reality for many of us working in the security and operations spaces. There will be dozens, hundreds, thousands of different alerts generating quite a lot of noise throughout the environment, and it's on the security professionals to sort through that noise and determine which of these alerts are actually something that requires action and may be critical to the organization. So I'll quickly walk through these different types and categories of failures. Of course alert fatigue, which is the topic of this presentation and which we'll be focusing on quite a bit more. There's also inadequate tuning or baselining, which is another failure which heavily leads to alert fatigue. There's also knowledge and training failures: so even if the IT manager or the SOC manager has a good understanding of how to action certain types of alerts, does every analyst and engineer on the team who's going to be prioritizing these alerts also understand how to respond and which ones are critical? That can lead to knowledge and training failures if they don't have the understanding of responding to those types of alerts. We also see failures relating to a longer dwell time. A longer dwell time can essentially cause security professionals to think, oh, it must be a false positive, it's been in the environment a very long time. If you're seeing alerts which are taking place over the course of weeks and months from the same tooling, it can be easy to assume it must be business required, it must be business necessary, even if actually it's not. We also see failures around the blocking of grayware. This is particularly because, although today's automation tooling, when it's fully deployed across the environment and it's been successfully configured, can often easily weed out the super critical alerts, the easy bads, the ransomware, and can also weed out the very low-level alerts, the easy ones like adware or informational alerts, there's then the vast array across the middle criticality alerts, all the way from just a little bit more than a low alert to not quite high. Is the team actually confident that those alerts are being prioritized correctly and there aren't some hidden higher critical alerts amongst those that are categorized as mid? We also see configuration failures: if the tool isn't sending all of the data, or not sending it in a way that the receiving platform is configured to process, then you don't get the full picture. Finally we see identity failures. This is simply when there is misidentification and an alert is incorrectly reported by a tool, or it's correctly reported and then misunderstood due to human error.

So we've talked about the goals of an effective security monitoring program, we've also talked about the actual types of failures that are going to be generated inevitably as a result of your program while you're working on perfecting it. Another important thing to frame here is just the material impact, right? So what happens, financially speaking and in terms of a time commitment for your organization as well, whenever you do have one of these detections that in one way or another fails as a result of those failures on the previous slide? So just looking at the data here, what I can say is the metrics that are provided at the top of the slide here are a mixture of what we have access to internally from the incidents that we respond to at SRM, but that's also paired with some publicly available information from Chubb, who is one of the largest carriers, who are going to be actually sourcing a lot of the customers that are unfortunately victims to a lot of these different types of threats. So I think at the top there we have the average claim cost at around $400,000. Obviously that's important from a dollars and cents perspective, and it helps us to understand and frame just how expensive a lot of these cyber security threats are, understanding that there are extremes on both ends of that spectrum as well. 20 days to rebuild for your average ransomware incident, and some of your larger network intrusions as well for these big companies and big organizations. So while you're sourcing that claims cost and all the things that go into there, right, so incident response services, restoration services, any legal fees and considerations from that level of consulting, all of those go into that $400,000 figure, but as well you do have all this business interruption time whenever your systems are encrypted, everything's offline, non-operational, and you're trying to get your environment restored and back up and running. Partner that concern with one, the claims cost, but two, that impact to outage and business service, and then you also have an average loss of 1.5% of the full company value, which really frames just how critical it is to be able to effectively detect threats. I mean, most companies can survive one incident like this, right? As you go from two, three, four, five incidents over a 10-year period, that's a very significant difference and a very different conversation that you'd be having at that time as well.

So if we take a look at the graph here, what we want to explain is the amount of time that needs to be taken to respond to and remediate a lot of these different incidents once they become an actual incident. So at the bottom here we have an isolated infection. This would be one system that has in one way or another interacted with a malicious file, and that system itself is compromised. There's not necessarily any additional malicious activity at this point; you're confident it's one system, you've probably quarantined that system at this point. One thing that goes into the costs here is going to be an actual analysis to figure out, you know, I don't think that there was hands-on keyboard activity yet as a result of this, but I need to make sure, I need to do my due diligence to really understand if any data on that system had been accessed, if there were any attempts at lateral movement and things like that. Again, at this point you don't expect that, which is why it happens to be an isolated infection, but these things still need to occur as a result of that incident response process. Kind of one step up in complexity here, right, we do have command and control. So command and control is kind of what we described previously but a step further: this would be a system that's infected that you actively see commands being sent to, with a threat actor behind them orchestrating their actions on objectives. Usually this is still going to be at an early stage; it wouldn't be what we consider at this point a full-blown network intrusion, right, but they may be doing things like performing reconnaissance commands, they may be seeing what systems exist to their left and right, what they have access to, proving that they have access and really looking at where they can go within your network. Business email compromise is usually relatively small in terms of the fees associated with response efforts, recovery efforts, containment actions. The expensive part here is really who pays, the victim or your internal organization, if you've actually issued a fraudulent payment or something like that. So sometimes the carrier covers it, sometimes if you work with law enforcement you're able to get that transfer reversed, sometimes you're able to as well get that remediated by working with a combination of these channels, but ultimately sometimes you do get stuck with the bag there, and that can be a very expensive thing as well. Usually this fraud, you know, sometimes it is on the low end of $25 to $50,000, but very commonly in the matters that we work they happen to be 400,000 and up to 800,000 in range. Network intrusion again is just that step up in complexity, right? So you've had command and control; network intrusion is command and control at a larger scale. So you have multiple systems compromised, you have that C2, or that command and control software, spread out to a bunch of different systems. That means that large scale attacks are right on the edge of being orchestrated, which really feeds into those next actions on objectives that we have here that really increase costs. So one thing, network intrusion events usually preface data exfiltration as well as the deployment of ransomware, and you can see here just how much more severe and how much more expensive it is to respond to a ransomware attack, just given how much of your environment is going to need to be rebuilt, and also understanding that threat actors commonly pursue double extortion tactics, meaning that they're going to want to charge you a ransom for the actual decryption of your data, so they're charging for availability, or attempting to monetize the availability of your data. We also have them seeking financial gain associated with the exfiltration of data.

All right, so we've seen the goals of the security monitoring program, we've seen the impact when those goals fail to be met. You can take a quick moment to focus on threat actor attribution, the source behind a lot of these ransomware incidents that Conor and I are managing day to day. Let's spend a minute just going right to the source of this sample of the threat actor groups that are behind the ransomware statistics that we just provided. We have here LockBit 3.0, Akira, SEXi, Cactus, Medusa, ALPHV and INC, among many, many other financially motivated threat actor groups. While they're active in environments, these groups typically provide valuable opportunities to remediate the threats before they become a larger issue. With the majority of the threat actors on this slide, they align with the LockBit 3.0 approach, which is to spend time in the environment, often 2 to 3 weeks or more of dwell time, before deploying a ransomware payload. During that time they're learning the environment, they're escalating privileges, they're gathering the juiciest data to exfiltrate before they deploy that ransomware. The biggest standout to this trend is the SEXi threat actor group. So the SEXi threat actor group does take a different approach from what we've seen: once gaining access, their goal is to deploy ransomware in under an hour. Their goal is only to encrypt the virtual infrastructure. So that's one group that does have a very markedly different approach; instead of dwelling in the environment for a very long period of time beforehand, their goal is to gain that access and then deploy ransomware almost immediately, and only on the virtual infrastructure.

However, the majority of the threat actors on here, and the majority of the threat actor groups that we deal with on a daily basis, their tactics, techniques and procedures are markedly different in that they're spending several weeks at a time, which is plenty of time for there to be lots of alerts generated, as long as security teams know what to be on the lookout for.

So we talked about who you have to be worried about if you have a missed detection that results in a true positive incident. We've also talked about the material impact of that, right, so talking from a cost perspective. Another important thing to talk about here is going to be common entry vectors, so how we see these threat actors gaining access to the normally restricted environment. It still happens: brute force of accounts, you know, that are single-factor authentication based. There are a lot of small to medium-sized companies that have VPNs that still have single-factor authentication, and MFA hasn't been enrolled or added to that authentication mechanism to provide the additional security. So we do see threat actors still brute forcing their way into networks by compromising accounts in that way. We also see exploited perimeter devices. Usually these are going to be things that provide some form of remote connectivity into your environment, but there are lots of network technologies that are security based as well, and Palo Alto comes to mind just because of their recent vulnerabilities that they've had, where there are perimeter devices that are vulnerable to things like remote code execution vulnerabilities, where after they've been successfully exploited the threat actor has effectively hands-on keyboard access to that system and is going to be able to move around your environment and conduct their actions on objectives. The use of compromised credentials: again, we think about phishing most of the time whenever this happens. It could also be a credential reuse situation, where they have a compromised password for a personal account that could be used to authenticate to some form of internal infrastructure, so we do still see that frequently. Drive-by download and watering hole attacks are somewhat similar here, in the sense that they both require web browser interaction and interaction with a web page. Sometimes it's as simple as you meant to click on a product, you accidentally clicked on the advertisement, you're sent on a series of four redirects before you go where you actually planned: redirect two, redirect three, one of them downloads something onto your system, the end user then interacts with it thinking it's a legitimate file, resulting in a command and control or an isolated infection situation. The watering hole attack is a bit more targeted in terms of trust. Usually this will be, I guess if I were to put you into perspective here, you're at your computer, you're going through your web browser, you want to book a cruise, right? You booked it two years ago through this provider. The only difference here is that whenever you go to the actual services page this time, there's a download that happens automatically. It is very common that threat actors will compromise a legitimate website, modify the code in the back end to host a malicious file, and whenever you go there, or a normal user goes there attempting to buy services, the file will be downloaded. If you interact with the file that's downloaded, you then have a system level compromise. So this has happened in some of our largest incidents that we've worked, which just shows as well that it's still a prevalent tactic for these threat actors to gain access to the internal infrastructure. As well, I honestly really wish I didn't have to bring this one up, but it's been a few years of responding to incidents that were caused by on-prem Exchange, specifically ProxyShell, and it's like Microsoft knows that it's a very difficult technology to administrate. If you've ever tried to build an Exchange server, it's probably one of the worst days of your life. It's even worse if you have to rebuild it after it got hosed as a result of an incident. So honestly what I would say here is make an effective plan to migrate from Exchange on-prem to Exchange Online. No, it can't be a hybrid implementation, because it's still vulnerable. This will give me a lot more hours of sleep, and I definitely would appreciate that.

Thank you Conor, and I second that. So in terms of threat actor tooling, we'll speak briefly on the most common tools that we see used by threat actors across these three different categories, right, of reconnaissance, post-exploitation and then of course living off the land. So first, in terms of reconnaissance, I'll say that the tools that we see noted here primarily fall into three categories: host-based reconnaissance, network, and then identity and access management reconnaissance. Of course with host-based reconnaissance it's very important to make sure that security tooling is implemented and will be alerting on these sorts of activities in the reconnaissance stage. It's also important to make sure that there are alerts around if there's network reconnaissance taking place, so if it appears that there's a device in the environment attempting to find out what devices have different IP addresses that can be communicated with. And it's very, very important to not forget identity and access management based reconnaissance, right? You know, if there's tooling in the environment that can find out in Active Directory what types of groups there are, what types of users there are, if there's suspicious activity in terms of new users being added or suddenly having elevation of privileges that aren't expected, it's important to have security tooling that will be alerting on that. In terms of post-exploitation, so what happens next after these common entry vectors? Next is they're continuing their actions on objectives. So with these post-exploitation frameworks, these are tools which are often used by red teams to conduct legitimate penetration testing and vulnerability scanning; however, they're also heavily used by threat actors to exploit, moving from one system to another. So if there is an in-house penetration testing team, it's important to know who's on that team, which accounts do they have, which tools are they going to be using, and if there's anything outside of that norm taking place there should be alerts taking place on that unusual activity. Finally we have the living off the land category. Threat actors want to reduce their visibility in the environment; if there are tools already present that will further their goals, that's what they're going to use. You know, a lot of threat actor groups do not have a preference between AnyDesk and TeamViewer; they'll simply use what's already in the environment that they know appears to be approved by the business and may not be alerted on. With that I'll pass it to Conor to speak to each of these tools in a bit more detail.

Definitely, and I think you did a great job of framing it. Really what I would like to share here is, I usually frame it as a pick-one type of scenario. So for example, if you look at living off the land, you see a few different remote access solutions, right: Splashtop, ConnectWise, AnyDesk, TeamViewer. The threat actor might see that you have one of those on the system, and then they'll know that they can use that one. Not every system in your environment is going to have each of those tools or solutions though, especially if it's a server in your critical infrastructure or it's a low-privilege end user workstation. In situations like that it's very common that they would bring one of these tools in to assist with their persistence, so that they can maintain control of that system without having to go in through their means of initial access every time, which is going to save them a lot of time if they can come and go through their own means. So if you happen to be one of the organizations that uses AnyDesk, for example, put detections or blocks in place for TeamViewer, Atera, Splashtop, ConnectWise. Really the same thing goes for everything else: these are very powerful tools that can be used for nefarious purposes if a threat actor has access to your network and they have particular actions on objectives that they want to pursue. Another particularly impactful tool here would happen to be rclone. I know how important it is to a lot of organizations; it really is the best tool at what it does. But I'll also say that in 99% of incidents that we've worked, out of the hundreds over the last couple of years, one commonality that they all have is, if WinSCP and FileZilla aren't there, or if there's stringent security controls in place that would prevent transfers from where they want to send that data, it's rclone that they bring onto that system. So if you can detect rclone being executed, if you can even detect rclone by file name or hash, that's still going to be really, really helpful at impeding that actual exfiltration objective, knowing just how commonly rclone does happen to be used in these types of incidents.

Another important thing here is just to make sure that we frame commonly exploited technology. So I have a lot of vendors listed here, and you know, I don't have any particular favorites; I don't want it to seem like I'm picking on these vendors independently. What it happens to be, and what's closer to the truth behind this slide, is that threat actors prefer to reuse as much code as possible, as much of their procedures as possible. So these aren't so much common culprits as they are common targets. If we think about just how prevalent, you know, Palo Alto is as a brand, for example, it's much easier to justify from a time perspective a threat actor crafting an exploit that they can use across a very broad range of technologies, and that's really why we see it frequently used as a point of initial access, right? So there's a thought here that if you're using a prevalent piece of software, there is a chance that it's already being targeted in a way that could cause you organizational harm. And what I'll also say is that if we pick a couple more off of here, Veeam for example, this one has a different type of implication, right? Most of the companies that we work with have Veeam backups. Again, it's very great at what it does. The problem comes with insecure storage of those backups. So when threat actors gain access to networks, what do they do? They harvest credentials. When they harvest credentials, one of the things that they're going to do with those powerful credential sets is delete the backups. They want to make sure that if they're going to encrypt your environment, you can't rebuild through your own means. If you're able to store these backups offsite and you have it behind a tight lock and key, that's helpful. What we find is that most organizations do not, and it's really as simple as getting those credentials and running a script to delete all of the VM backups. So that backup system that you put in place, that you've put all this time into, that you practiced execution of during your change management windows, most of the time we see this solution overcome in just about 20 minutes, because we put it in there, we made sure it worked, but we didn't effectively secure it. Another thought that kind of plays into that same area would be Windows Defender, or Microsoft Defender, right? Good tool, it's a tool that's getting better as well, it's affordable, which is really great for a lot of organizations, it filters out a lot of the low-level threats that your organization would face. But at this point it really is just standard practice for threat actors: they see Defender, they bring their new flavor of script that they have that disables it, they run it with administrative privileges, they have it disabled across multiple systems. So it is an effective tool, but unfortunately it's targeted so often and it doesn't have proper tamper protection built in yet, so it really does cause challenges to a lot of organizations that they think the tool is designed to help them overcome.

All right, so so far, do you feel confident in your ability to detect? At this point we've described the goals of security monitoring and alerting, we've described the unfortunate reasons why those goals are sometimes not met, the threat actors and the tactics, techniques and procedures that they use. However, this is only the beginning. In the next portion of our presentation we'll discuss leading practices for alert baselining to reduce alert fatigue while increasing environment security.

Thanks for that. Yeah, I mean, it wouldn't be a BSides presentation if there wasn't a dank meme involved, but back to business. So, incident commonalities: what we hope to frame here is really, of the situations where we see missed alerts or costly alerts, what is actually playing into those narratives. So the first one here we have: threat killed and quarantined, but the dropper succeeded. The thought behind this is that you've had an end user workstation, or a type of system in your environment, it has interacted with malicious code, a piece of malware, whatever that happens to be. Most of the time when this infection happens it's not straightforward, meaning that it's not all contained in that initial code delivery; it's a multi-phased approach, you know, where the system is going to go to different system level resources first, then out to the internet to get what it needs; there's going to be multiple iterations and back and forths before you have that system level compromise. So it's pretty common that a tool that's meant to detect these threats says that a threat was killed and quarantined, when actually it only caught, you know, the final phase of delivery, and really you have another infection going on that prefaced it. So you think that it's been remediated, you haven't put time into figuring out if that's true, and as you do, you realize more and more, like, okay, maybe this system is compromised. So we do see that frequently. As well, backup solutions can be particularly tricky whenever you're trying to make effective detections. One thing that we see commonly, right, I did mention credential harvesting in concept, or at least in principle: one thing that threat actors do, they get access to your domain controller, they dump ntds.dit. That gives them all of the credential sets that they would want to use in your environment, not in the perfect format, but they at least have hashes for those accounts. As well, we see that backup solutions need to access these highly important files too, right? So they attempt to access these files so that they can copy them and back them up. That creates an alert for the access to that file in general, which is very loud, because it's going to happen on every system every time that you make that backup, or for ntds.dit, as an example, just your domain controllers. So that's one thought there: the allowed backup solution actually obscures your ability to make an effective detection for when these sensitive files are being accessed. Kerberoasting alerts are another particularly hard one. It's difficult to begin with to write a good detection for finding Kerberoasting, and the only reason that we need to worry about it, right, is because legacy authentications are being used in the environment. It happens a lot, especially in older companies, or companies that have been here a long time and have done many different upgrades. But if an effective goal of a security monitoring program is to identify credential misuse, it's critical that we're able to identify this as well, and it is very, very loud. Baseline configuration sets used to detect command and control: specifically to this example, what we meant here is that a lot of times companies that don't have, you know, a full security engineering team, for example, right, they buy a product, they get some out-of-the-box detections. These detections, they need to be tuned and they need to rotate frequently, because it could be a situation, right, where something on a Wednesday shows up as C2 activity, then you find out 2 days later that the threat actor has refreshed the infrastructure; it's not a command and control server anymore, now it's a legitimate web page. Every time that this example happens it creates a false positive alert. You close these alerts day in and day out, and it creates a situation where your senses are kind of dulled, right? You're fatigued from how many of these types of alerts you've had to close, and you miss the ones that are actual true positives. And then lastly here, just adding an additional layer of complexity, for what we see is actually more of an identity issue: the use of VPN or data center IP address ranges to conduct these attacks. It's challenging to, you know, generate an alert every time that you see a VPN address or a data center address being used. What we find, though, is that most organizations don't really understand the IP address ranges that they should be blocking for this type of activity, or that they should be allowing for this type of activity.

That brings us to the hero of the day: alert baselining. I will say that we'll walk through this baselining cycle. Due to the fast pace of change in business operations, mature baselining is going to have to follow a cycle. It's no longer, perhaps never was, a one-and-done item; it's something that needs to be done circularly, in an ongoing cycle. We'll begin with measuring: understanding and measuring what's normal. This is across traffic, applications, user behavior, everything aligning with what we spoke about earlier in terms of host-based, network-based and identity and access management based reconnaissance. We want to make sure that we have a good idea of what is normal in the environment. Each organization is going to have to define the amount of alerts that make sense based on these factors: based on the number of noise generators in the environment, based on the amount of alerts that the organization's security operations team can realistically handle, based on the number of security team members, the amount of automation, and the degree of single pane of glass maturity across the alerting platforms. For a small business with under 100 employees, receiving a critical alert every single week likely means the definition of critical is too broad, or it means that end users need more training. For a very large business with a broader attack surface, a critical alert every [inaudible] may be par for the course, and the team has plenty of resources to cope with it. That brings us into the define stage of the baselining cycle: define how many alerts is too many, based on the tooling, the resources available in the environment, and how many noise generators there are. That brings us to the educate stage of the baselining cycle. If an alert must be loud, make sure that everyone knows why. This is very, very important. Again, even if the SOC manager or the IT manager has a good understanding that, based on this type of alert, these additional actions need to take place, it's very important that the

analysts the engineers and all the other members of the security team also have an understanding if an alert is loud what actually needs to take place as next steps a team of 50 people is of course going to be able to handle more alerts than a team of a single person and a team that's equipped with a single pane of glass alerting platform will be able to handle far more alerts than a team without that capability so the amount of loud alerts in each environment is going to change based on those factors then we get to the collaborate stage of the baselining cycle which is also very important given the amount of change that's taking place in modern

business operations it's important to collaborate with the business to understand ideally ahead of time about when normal is changing it may be that the business is choosing to migrate from sap to Oracle uh it maybe that there's other security Tooling in the environment or business tooling which is changing month over month and year over year it's important to collaborate with the business to understand because per our earlier examples if any desk used to be used but now it isn't then it's important to set up alerts once it's been phased out and it's no longer part of the EnV environment infrastructure we don't want to just keep it around and that's something that has to be

collaborated on with the business rather than just determining in a silo what seems to be used and not checking in with the business side that brings us to the investigate phase of the baselining cycle this is very important to not rely merely on passive alerting even once the organization's baselining has been set up it's configured and it's very mature it's still important to investigate all of the critical and high alerts that are coming through and make sure that team members know how to appropriately respond rather than just letting the alert go by along with all of the others when starting in protect protect mode with a tool first setting up alerting for the higher risk alerts like

ransomware and malware will make sense based on the organization's risk appetite then trimming the numerous false positive alerts by working with the business to identify those false positives at are alerts for business necessary tooling and ensuring that those applications tools or protocols and traffic destinations are appropriately whitelisted and won't be adding to the security team's load of alerts lastly reviewing the medium alerts over a longer period of time is very important to gain an understanding of the typical mid Threat Level alerts that are experienced by the organization many Advanced security tools tools can enact an appropriate response for critical risk and lowrisk alerts once they've been tuned to the environment and are completely deployed but the mid

risk alerts can take the most time to tune and to Baseline it's also important to remember here throughout the baselining cycle that we're not only talking about alerts coming from inside your environment do you subscribe to critical updates from sisa do you subscribe to critical updates from your main it and security vendors if if so those alerts should also be incorporated into that single pane of glass and into the alert baselining methodology that the organization will use that brings us to turn tuning across alert types and the value that's provided based on the criticality level so as you can see this graph simply charts uh the time investment for tuning based on different alert types against

the value added so in that far right hand corner we have of course the critical alerts critical alerts are going to be the highest value ad because if they aren't tuned for then the business is open to the risk of mislabeling a critical alert as low or in the other direction weighing down the security team with vast amounts of supposedly critical alerts that are impossible to prioritize and to manage with the right security tooling and an understanding of the organization's typical Baseline and asset management tuning of critical alerts can be a relatively faster process uh it's easy to recognize the absolutely known bads right now we also have false positives on here as the second most value added

subset of criticality to focus on that's because despite the name uh this presentation is not hating on recognizing true false positives whitelisting them appropriately tuning those false positives is the highest value ad because when not tuned correctly false positives are generating massive amounts of noise if the system is set to protect protect mode then false positives can also impede business functionality to the point of the business actually asking the security team to turn off or remove security tooling altogether which further increases that risk to the business therefore tuning positives can take a large amount of time but it's a very high value activity for the security team to conduct as part of the alert baselining and it does depend on what

type of organization you have how long that false positive tuning will take organizations that primarily build software design Graphics may have more false positives than schools for example organizations with strong asset management will also have a much easier time with tuning for false positives than organizations with lower Asset Management maturity also note that tackling the middle level alerts as we mentioned it can take additional time compared to the highs in the lows because again most security automation tools can recognize the easy highs and the easy lows so it's the areas in the middle that we often see needing additional manual intervention and some additional categorization and assistance to make sure that they are baselined and

All right, with that said, I do have some leading principles here that I can leave you with. I'm not going to go through each of them, considering, you know, we just did to get to this point, but if you need a frame of reference, there it is. What I will say is there's a lot of friendly faces here, so I appreciate you showing up for me and showing support. There's also a lot of new faces, and, you know, I'd like to get to meet everyone. If you have any questions, Rhiannon and I, you know, we're going to be here all day, so we'll be going in and out of the different rooms.

We appreciate you showing up for the presentation that we had today. We hope you enjoyed it, and yeah, thanks again. [Applause]

I have to ask you if you have any questions. Jake?

So the question there, in case not everybody is able to hear it, is: when threat actors are pursuing exfiltration objectives, what types of data are they targeting? So really it depends on the type of environment that they're in. If it's a financial institution, they're definitely going after the internal finance data as well as the external finance data, so things that they would use for their customers. Most of the time it's not such a scientific approach. We see that they do perform some file system level reconnaissance; that's evident through ShellBags and LNK file artifacts and stuff like that. Most of the time, yeah, they're just clicking through folders that happen to look appealing to them. Maybe they'll go through the payroll folder, the taxes folder, and then once they find that, they usually back out a few directories and then they'll try to take everything from that first directory and back. Most of them are volume based, and the thought there, right, is if they have 700 gigabytes of data, there's probably going to be more things that they're willing to pay to incentivize a payment for.

If only you had some honeypot payroll folders.

Yeah, exactly. Adam?

So I realize that most people are dealing with probably just having a first-party SOC; they typically might not have an MDR. When you do have the opportunity to use a third party service like an MDR, what frequency do you feel is appropriate for doing rule tuning?

So I think that really there should be a rollup that happens weekly that just shows, based on type of alert category, and measures how many alerts have been escalated and how many alerts have been detected. I think that it's critical to figure out how much of that noise is actually going to be sifted out before it made its way to your team, so if you find that that number is too high... I think weekly is probably good. I would say, in terms of looking at actual true positive remediations and trying to calculate what has been missed versus what has been escalated, and what that means for the maturity of the overall program, I think that that should happen monthly at the least.
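As an added illustration of the weekly and monthly rollups described in the answer above (example code, not part of the talk), this Python sketch computes per-category noise ratios and a monthly escalated-versus-missed coverage figure over constructed sample alert records; the record fields and the 80% noise threshold are assumptions.

```python
# Added example, not from the talk: weekly per-category alert rollup and a
# monthly coverage check. Field layout and the 0.8 noise threshold are assumed.
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample alerts: (date, category, escalated_to_team, outcome).
# outcome is "true_positive", "false_positive" or "missed" (a real incident
# the alert pointed at but nobody escalated; found later during IR).
SAMPLE_ALERTS = [
    ("2024-08-05", "c2_beacon", False, "false_positive"),
    ("2024-08-05", "c2_beacon", False, "false_positive"),
    ("2024-08-06", "c2_beacon", True, "true_positive"),
    ("2024-08-06", "c2_beacon", False, "false_positive"),
    ("2024-08-07", "kerberoast", True, "true_positive"),
    ("2024-08-07", "kerberoast", False, "false_positive"),
    ("2024-08-08", "remote_tool", False, "false_positive"),
    ("2024-08-08", "remote_tool", False, "missed"),
    ("2024-08-09", "remote_tool", False, "false_positive"),
]


def weekly_rollup(alerts, week_start, noise_threshold=0.8):
    """Per category: detected vs escalated counts, the share that was noise,
    and a flag when the noise share exceeds the agreed threshold."""
    start = date.fromisoformat(week_start)
    end = start + timedelta(days=7)
    detected = defaultdict(int)
    escalated = defaultdict(int)
    for day, category, was_escalated, _outcome in alerts:
        if start <= date.fromisoformat(day) < end:
            detected[category] += 1
            escalated[category] += int(was_escalated)
    rollup = {}
    for category, total in detected.items():
        noise = (total - escalated[category]) / total
        rollup[category] = {
            "detected": total,
            "escalated": escalated[category],
            "noise_ratio": round(noise, 2),
            "needs_tuning": noise > noise_threshold,
        }
    return rollup


def monthly_coverage(alerts):
    """Real incidents the program escalated vs missed; the maturity metric."""
    tp = sum(1 for a in alerts if a[3] == "true_positive")
    missed = sum(1 for a in alerts if a[3] == "missed")
    real = tp + missed
    return {"escalated": tp, "missed": missed,
            "coverage": round(tp / real, 2) if real else None}
```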

Awesome, thank you very... oh, one more? Sure, thanks.

So you mentioned Defender and how there's no tamper protection in a lot of implementations. Do you mostly find that victims are using Defender versus, like, I guess, how many times do you have a more modern EDR that's catching a lot of those? So for instance, the tool listing that you had: a lot of those, many EDRs worth their salt are going to detect, and there's also tons of tamper protections, and it requires a much higher skill set to dismantle. How much do you notice attackers actually going for dismantling of these EDR tools versus just saying, I'm just going to go for a company that's using Defender or something weaker?

That's true. I would say probably one in 20 do we see traditional or conventional EDR that's going to be bested. A lot of times, whenever we do have that metric, though, it's, as we mentioned, right, the tool: they might think that it is, or they don't want a business interruption, but for whatever the reason, they think that their tool is going to be actively protecting against threats or blocking them; really it's just detecting them, so not much to overcome there. As you know as well, it is a large process to bypass like a SentinelOne or a CrowdStrike EDR solution. Most of the times that we see that happen, it's the threat actor going into the registry and doing really loud things, right: deleting values, deleting configurations, actually ripping critical services out of the system. Then it's still not enough, right, because you have all these critical services running in memory already. Next they usually force a reboot and the system comes back up in safe mode. So think of how many opportunities the organization has to detect that, and really the window in which they force that reboot has to be perfect, otherwise people are going to realize what's happening whenever they have a critical service go down and come back up and it's not even in a fully operational state, right, it is in safe mode. So yeah, they do usually target victims that are a bit easier. Some of the larger, you know, Fortune 500, Fortune 100 companies, we have seen EDR bypasses like that used in those particular environments, but yeah, significantly less common.

Thank you so much, great talk. Thanks again, everyone. Lunch is being served in the event center, so if you go back over to the track two side, down where it says Event Center, you'll find the lunch buffets.