
Take Down Cyberthreat Dwell Time With Kaspersky Optimum Security - Eric Payne

BSides Vancouver · 37:13 · Published 2021-06
About this talk
BSides Vancouver 2021 - Sponsor presentation by Kaspersky.

Time is money. Save both with Kaspersky Optimum Security. Kaspersky Optimum Security helps organizations protect their business from new, unknown and evasive threats in a resource-conscious way by adopting an effective threat detection and response solution with 24/7 security monitoring, automated threat hunting, and guided and remote response scenarios supported by Kaspersky experts. During this presentation, Eric will discuss the effects of dwell time and its impact on the bottom line. He will go into a real attack and incident response example and close with a deep dive into a product walkthrough.
Transcript [en]

Hello everyone, and thank you for joining us today. My name is Eric Payne and I'm a senior enterprise pre-sales engineer here at Kaspersky. Today I'll be talking about the effects of dwell time and its impact to the bottom line. I'll go through a real attack scenario and an incident response example, and lastly do a deep dive into the product walkthrough.

All right, so let's get started. Sony, Equifax, SolarWinds: all are breaches that we've heard about over and over again in the news. But what do all these attacks have in common? They all had adversaries who were able to breach the corporate network, gain access, and then move around undetected for a long period of time. There is no question that any of these companies could have benefited from early detection. In fact, some of the companies had evidence of early activity, but either it was missed or it was not prioritized correctly until much later on, when it was too late and the damage was already done. So when you're thinking of defending your business against cybersecurity threats and breaches, the key to success is timely detection of adversarial activity. We all know it's not if someone can or will break in; in fact, more and more security analysts manage their infrastructure under the assumption you have already been breached. And once you accept this fact, you can turn your focus on finding and neutralizing these threats early, before major damage can be done.

And speaking of damage: in the past several years we have been seeing a significant increase in the number of breaches and the costs associated with them. The recent IBM data breach report listed the average overall cost of a breach jumped from 1.4 million dollars in 2019 to over 3.8 million dollars in 2020. This will include all the costs associated with the breach, of course: the damage itself, the reputational damage, the cost of cleanup, costs of extra resources for investigation and incident response, and so on. Attacks are becoming more and more sophisticated and have devastating impact, both short term and long term. Now these breaches are using more elusive and evasive techniques, and lately they are using more and more common administration tools against you. And when adversaries can use common admin tools, endpoint security rarely detects their activities. Another impact to the bottom line is the requirement of having skilled staff who have the experience and the expertise on how to find these threats and then know what to do about neutralizing them.

So what are we talking about when we talk about evasive threats? Evasive threats are not the traditional, common, run-of-the-mill commodity threats; those are easy enough to prevent and detect, right? We are talking about the more advanced threats, the ones that are difficult and hard to detect. Recently most companies had to move to a work-from-home model, whether they wanted to or not. This makes the endpoints even more appealing to adversaries, because the endpoint devices are no longer behind the corporate firewall, and this makes the endpoints an easy target more than ever before. And adversaries typically will take the path of least resistance, going after these easy targets. Once they get in with some type of phishing attack or other entry point and take advantage of your tools, then they can sit in silence. Then they can quietly explore the network and really entrench themselves inside your infrastructure. They have the ability to watch standard communication and activities of all users and admins, so they know how to move around undetected without triggering any endpoint security alarms.

We talked about total overall cost of a breach. Here we can take a look at the average cost of a breach related to the amount of time to detection. According to our recent incident response report, the cost of an early detection can have a huge impact: cost of breaches that took longer than a week to detect were 32% greater than if they were identified and responded to in a timely manner, and this is just a week. The IBM report said that the overall average cost to identify and contain is when adversaries are in your environment for almost a year, and these are cases of a successful attack. Of course, if you could detect and remediate a threat before any major impact was done, then this number is significantly lower, approaching zero cost, which is what we hope to strive for. We are even seeing cyber insurance vendors requiring their customers to have more ability than just endpoint; now they're requiring tools such as EDR solutions or even a managed threat hunting service.

I mentioned legitimate tools before. Almost a third of all attacks use legitimate tools; tools like PowerShell and PsExec are at the top of the list. Now these are very common tools, right? Tools that most admins will use every day, and they can save an enormous amount of time, so they can't just be blocked or not allowed to run; admins have to use them. And if you wanted to see the breakdown of those specific tools for those incidents and map them to MITRE, here they are. We mentioned PowerShell and PsExec; actually, Sysinternals tools are used all over the place. Other tools like Advanced Port Scanner, Nmap tools, as well as Process Hacker and many others. So you have a few options to help reduce the MTTD, or the mean time to detection. You can do it yourself by using a product or products designed to seek out adversarial activities and then hire the right experienced analysts, or you can get help from the top threat hunters who know how to seek out indicators of attack, or IOAs, in your environment. Which brings us to the Kaspersky Optimum Security solution.

This solution comprises three components: Kaspersky Threat Hunting service, Endpoint Detection and Response Optimum, and Endpoint Security for Business. Now I'll break these down in the next few slides. Kaspersky Threat Hunting is a 24x7 monitoring service which identifies early adversarial activities and generates incident alerts based on severity and priority. Guided response and detailed reports help break down what was identified and, more importantly, what you should do about it. This of course reduces the high cost of added tools or expertise, which reduces the mean time and the cost of incident response. EDR Optimum provides a simple tool for investigation by giving the administrator more visibility into the existing threats in the form of incident cards, where the admin can review detailed telemetry data about a threat, run indicators of compromise scans, and respond quickly to threats with actions like device isolation or execution prevention rules. And of course our multi-layered endpoint security product with its advanced machine learning components, like behavioral analysis, which seeks out abnormal behavior like ransomware, and exploit prevention, which identifies malicious actions such as zero-day threats. This helps to stop up to ninety percent of the common malware attacks, and endpoint security has built-in hardening controls, tools like application control, web control, device control, all of which help reduce the attack vector. So again, these three components make up a solution which identifies early threat activity, gives visibility into threats, and allows quick and immediate response actions, all on top of one of the best endpoint security solutions with the highest detection ratio among its competitors.

Okay, so starting with threat hunting, we're going to give you an example of a recent incident we worked on. Now this is a real attack that happened to a customer recently. Kaspersky was called in to do an incident response and investigation on day 150, and of course with IR you always work your way backwards from the day you start, so we will start with day 150. At this time there were hundreds of servers which had already been compromised and were full of malware. The customer's administrators had been feverishly trying to remove malware, but every time they got one clean and moved on to the next one, the first one was reinfected. They just couldn't keep up. After doing some digging, the IR team was able to identify that about 26 days prior to the incident response, or day 124, someone installed cryptocurrency mining tools on numerous servers by using remote execution and malware. Day 124 is actually the same day that the customer realized something was going wrong in their environment: they started to see all their servers were consuming way too many resources and there was major service degradation. And then, after the customer discovered that there were cryptocurrency mining tools installed, they decided to implement application lockdown rules preventing any further execution or installs. Day 122, just a few days before, there was evidence of testing common passwords and searching for common vulnerabilities to exploit. Now this must have worked, because accounts with domain admin permissions disabled security software on several servers. Day 120, new malware was being distributed, but was using the same method as day one. And way back on day one, which was a full 150 days before an incident response action was initiated, endpoint security detected a password brute force attack and also detected and neutralized the very first initial malware. Weak passwords were also used and identified to move throughout the network.

So now let's take a look at how threat hunting services would have responded. For now, let's assume the customer decided not to take any recommended actions; they only wanted to be notified. While on day one the threat hunting service would have determined that just because a brute force attack was attempted and a neutralized malware detection happened, it didn't mean that the adversary was stopped at the door. In fact, a weak password was guessed and they were still able to gain access to the system. This would have been mapped to three MITRE techniques: initial access, execution and credential access. And if you don't know what the MITRE framework is, it's a comprehensive matrix of tactics and techniques used by threat hunters, red teamers and defenders to better classify attacks and assess an organization's risk, so organizations can use this framework to identify holes in the defenses and then prioritize them based on risk. An incident alert would have been generated for this compromise with a high severity level and detailed recommendations on what to do. The customer would have been able to review all the alert details and have direct integration into the MITRE framework site for each technique that was used, which would have been able to give them background on this technique and the tools that it commonly uses, and ways to prevent this in the future. Day 120, when new versions of the malware were uploaded using the same method, a related event would have been added to the same incident. All incident history is kept for one year. Again, it would have been mapped to an execution technique, and the customer would have been notified with recommended actions. Day 122, MITRE discovery, collection and lateral movement techniques would have been added when signs of scanning for the similar passwords and common vulnerabilities happened. Day 124, MITRE execution, command and control and collection techniques are identified. Remember, it was at this stage that the customer realized that these systems had cryptocurrency tools installed on them, and they wanted to implement the application lockdown rule to prevent any further installs of the software. So somewhere along the way, from day 124 up to day 150, at this point the adversary was no longer able to install its mining tools. So now they're ticked off and they wanted to leave, but before leaving they decided to launch a massive malware campaign on all the customer's servers. Here the MITRE impact technique would have been added to the relevant details. Of course, at any point in time, if the customer would have taken the recommended action steps, they could have prevented the attack from going on to the next stage before any real damage was done.

Okay, so let's walk through some of the components and see what they look like. I'm actually going to skip over endpoint security; we've all seen plenty of presentations on that. So let's focus on Kaspersky Threat Hunting. Inside the Security Center web console, underneath Monitoring and Reporting on the left, you have an Incidents tab, which of course lists out all the incidents. You can do a search, you can sort by status or filter out incidents based on severity. Each incident has its own unique identifier. In the next column you can see the severity the analyst set, whether it was low, medium or high; a status column to let you know if you have a new open incident, or on hold, or resolved and closed. The updated column will first list out when the incident was created, but then if the incident is later updated, it'll reflect the updated timestamp. Now, which assets were identified in this incident: again, endpoint security installed on a single device only knows about itself; with the threat hunting service we can do cross-endpoint correlation to identify if multiple machines are involved in the same attack. Next, a short description of what this incident is, and lastly the different MITRE techniques used. When you go into the incident you can see a summary, priority and status, but also more description on what the overall recommendations we have for this incident are. In this case the description says it is recommended to check the legitimacy of this activity and, if needed, isolate this host and initiate incident response procedures. So this one sounds pretty serious. We integrate directly into the MITRE framework website, so the user can bring up detailed information about this tactic or technique that was used during this incident. And during this incident there was a Kaspersky Endpoint Security detection that was discovered, but that is not a requirement here; it's not a requirement to create an incident. Incidents can be created for a number of different reasons. On the right there is an action section where you can do things like close the incident, export all the assets involved, or send the incident to an email in a PDF format.

Now if you scroll down into the details, it'll list out all the actions that were discovered. In this case, at 1:37 p.m. on March 19 the service detected a suspicious OS system info gathering script, which was detected on win1001.abc.localdomain. The name of the file was getinfo.bat, and it was piped to a text file in the temp directory. Now all these commands that were executed as part of the batch script are documented. Now you might recognize some of these or all of these; these are very common commands run by any Windows system administrator. Executed on their own they might not seem suspicious at all, even if you ran a few of them on their own, but this number of commands could indicate a type of network discovery or recon type action. Notice that at the same time a scheduled task was created on this computer with the task name of "software updates". Some of you may know that there really isn't a task called "software updates", but it sure sounds like it could be legitimate, or an attempt of someone trying to make it look like it was a legitimate task. The command execution is the same command that was executed manually, and it was executed by ABC\tom. The Assets tab will contain all of the devices that were involved with the incident, and you can click on each one; it'll bring you up to the computer device properties, where you can review events, tasks and incidents and so on. Down at the bottom of the incident page you'll have a detailed list of all IOCs, or indicators of compromise, for this incident. If you select one you can create an IOC scan for this one or any of the IOCs to run against all the devices in your environment, and then there is a little export button where you can export to an IOC file. Now this file can be used with other security tools like SIEM systems. There is an MD5 hash listed which integrates into our free threat intelligence portal at opentip.kaspersky.com. Now this is just a subset of data from our full-on paid subscription threat intelligence website. The OpenTIP is free, and this is where you can search for IPs, domains, URLs, file hashes, things like that. The results will tell you what we classify this file as, whether it's malicious or not; in this case it looks like malware. You get a breakdown of all the details about the hash, like how many times we've seen it, when was the first time and when was the last time we've seen it. Also it lists the different detection names for the same file.

Here's another incident marked with high priority, and it was resolved. A malicious file was detected by KES, and the recommended action was to perform a full AV scan on the host to make sure it removes any malicious files found. And another one with normal priority, but it suggests to validate that this is a normal activity. Below we can see Wireshark was running, right, which is a common network tool, but adversaries can use these tools to sniff out network traffic. Later on KES detected both Mimikatz and Metasploit Framework tools on a device, which are more commonly likely used by an attacker. I mentioned you can schedule a report by email; this is what one looks like, same features as the incident card. You can see the bat file script doing the recon, the scheduled task was created, several other events were documented here: remote registry keys were added, commands written to the CurrentVersion Run key, PsExec being executed, creating hacker accounts, and on the right there's some registry hives being dumped, presumably to exfiltrate to crack offline. Last section on the right, there it looks like they were trying to cover their tracks, right, by wiping the local security log. We're able to identify when these types of activities happen and report them, and a nice feature of the incident is a visual view of a timeline of all the activities, from initial discovery all the way through clearing the security log.

All right, so that was all about Kaspersky Threat Hunting, and now we can move on to Kaspersky Endpoint Detection and Response Optimum, which again allows you to gain visibility into the existing threats and to be able to run a response action on them. Now let's take a quick look at the typical incident handling process, which consists of six stages. Preparation is getting everything set up and configured to do an incident response; this is more of a pre-stage. Identification is to identify threats, to see if they are just standard commodity threats or if they're more advanced threats that require more attention. If a more advanced threat is identified, contain the threat, like host isolation or prevention rules. Eradicate any remnants, including processes or artifacts. Device recovery. And then finally lessons learned: this is where we gather up all the information we learned along the way and review to see what are the next steps to strengthening our security posture.

So preparation, as I mentioned, this is more of a pre-stage; this is just getting the software set up and configured so you can view all the telemetry data about this detection. The identification stage is where we decide if additional actions are required. Here we might make the decision early on that this detection is a simple, common, everyday threat and we really don't need to do anything with it; we can consider it resolved and move on to the next one. Or we might make the determination this is a more serious threat and we should investigate further. So let's take a look behind the scenes at a client detection. Here we have Kaspersky Endpoint Security running on a machine. An event happens which generates an alert. Now if you open up the reports section you can see that a malicious object was detected and it was blocked. Notice the detection is from the exploit prevention engine, which is part of the advanced threat protection layer. At this point the standard process is to just send the detection and verdict information up to the Kaspersky Security Center, but with EDR Optimum all of the additional telemetry data, like all information about process objects, any command lines used, user accounts who started the process, MD5 or SHA-256 hashes and many others, is gathered up and a threat formation chain is created. This chain is then sent up with the detection and verdict information to the Security Center server, where an incident card is created.

Over in our new web console you can see a high-level dashboard showing the threats that were detected. We can see the most frequent type of threats, the most infected devices, or the top 10 users of infected devices. We can also see that there are some devices with critical severity vulnerabilities. Here you can see an incident with View incident card, and if you select it, the incident card will pop up, and there's a few sections within it. At the top is the action section. This is important to note: we are looking at the details of a successfully blocked detection. The next section is a gray section; here is the threat formation chain. This visually shows the detection itself, its parent process, its parent's parent process, and all the little things that it did. Underneath you have some incident details; again, this is letting us know that there was a successful detection and block. We can see the date and time, we can see that it's Tom's laptop, and what decision was made and what type of object was found. On the bottom are some more details about the process itself. The blue box inside the threat formation chain represents the detection; if you click on it a pop-up will happen. So let's dig through some of this information. We can see here that a file called bfwitq.exe was executed in the local temp folder. We can see this was launched under the user Tom, and he's currently running with privilege, right? So something to think about here: should Tom have full access to the system, or is Tom sitting over in HR? Perhaps his credentials have been compromised; we just don't know yet. Up at the top we can see a startup parameter was specified. Now of course it's not uncommon for applications to have startup parameters, but in this case I don't know of any legitimate software that has a startup parameter of "evil". The time here can be very useful, right? Now the file was caught at quarter after 8 in the morning; might not be a big deal, but what if this were to say 1:30 in the morning, for example? Does Tom normally work at 1:30 in the morning? Perhaps that might indicate some type of malicious activity going on in the middle of the night. At the bottom you can see the hash, and again this is integrated into our opentip.kaspersky.com portal we just talked about earlier. We saw malicious results before, but this time what did it tell us? Well, it tells us that a reputable threat intelligence provider hasn't really seen or categorized this yet. This could indicate a new, previously unknown threat.

Now back in the incident card, we can take a look at the activity. For example, the process dumped several files on the system; by clicking on it we can see a complete list of files dropped. Looks like several files were dropped in the AppData folder and one was written directly to the root of the C drive. You can also click on the injection and network connections to get a list as well, and then we have the registry keys. Notice this one here; this is something you're probably familiar with: the CurrentVersion Run key, right? That's the key that gets called anytime a computer boots up. Now adversaries will often inject calls into the registry Run key to help maintain a back door or to maintain persistence. Again, here we see the file with the "evil" parameter added. Back on the incident card we can see the parent process, which is launched from the cswtest.exe process. Now this was launched under Tom again, but Tom does not have any privilege rights, so somewhere along the way his rights were elevated. And again, no startup parameter here was used, so it appears Tom may have downloaded a malicious file and executed it.

With the device selection list built inside of the Security Center, you can build out a list of devices Tom has logged into. Notice he logged on to the domain controller. If Tom had rights to log on to a domain controller, he might have the ability to modify domain settings or just exfiltrate NTDS, which is basically the database for AD, and crack it offline. Also notice that the security application is currently not running on the DC, and since Tom has admin credentials, he might have been tampering with the device properties, which is a common tactic that an adversary would do. Now down here, win1001 has a very high count of a number of threat detections. This could signify the adversary's entry point. We can take a look at the applications that are installed on win1001: Advanced IP Scanner, Wireshark, Burp Suite, crack util. All of these are legitimate tools and can be used by pen testers; however, they're also commonly used by hackers when they want to scan for devices, capture network traffic, find vulnerable applications and websites, and crack passwords. Finding these tools on a Windows admin computer might be acceptable, but in our case, if Tom's not part of the Windows admin group and win1001 is a normal end user's computer, this could indicate a compromised device. Along with the applications installed, we can get an idea if there are any known software vulnerabilities. Here you can see three pages' worth, including several known exploits for these vulnerabilities. You can find out more information about the known exploits by a direct link here to our Kaspersky Threats website, that's threats.kaspersky.com, and again this is a free website you can do research on. It'll list out vulnerabilities and exploits that you may find in your environment. We give a complete description of what the vulnerabilities do, what are the affected products, and what the recommended actions to fix them are, any CVEs here (Common Vulnerabilities and Exposures), and links to find out more information about the exploits. So once you've done some research on the vulnerability, back on the device details you can see that there are updates on the Win10 device, including a critical one for Mozilla Firefox, which, if you look, will show you that it fixes all of those vulnerabilities that we just looked at.

Okay, so what have we found out so far? We have a process that was started with elevated permissions and a startup parameter of "evil". The executable has not been categorized yet by a trusted threat intelligence provider. The executable is launching multiple instances and copying itself into different directories. The executable dropped several files, made a few network connections, changed a few registry keys, one that looks meant to maintain persistence. Accounts have been compromised, elevated permissions and lateral movement, and of course all of this on a highly vulnerable system with known exploits. At this point of the identification stage it's pretty clear we have much more than a normal commodity threat; we have something far more serious, and we should take immediate action.

So let's move on to containment. Now that we believe there is a more serious threat going on, we want to perform some actions to contain this threat. We want to isolate the host from the network; we don't want it to spread anywhere else. We want to create prevention rules for this file, and we want to be able to quarantine some suspicious files. Now you might ask, why do we need to create a prevention rule? Endpoint security already detected this threat. And yes, that's true: if endpoint security is installed it will detect and block this malicious file, but the goal should be catching the detection sooner in the attack chain. The further on down that chain it goes, the more damage can be done and the more expensive it is to clean up. So rather than waiting until the file is executed, one that we now believe is malicious, we create a rule and prevent the execution from even being able to start, and not only on this particular device: the prevention rule is placed in a policy which applies to all endpoint devices. Back on the incident card you have the quick single-click option to isolate this host from the network; all inbound and outbound communication traffic is blocked and prevented from further spread. Next, in the card pop-up you can create a prevention execution rule with a single click. Here we want to prevent the execution of the parent swtest process. This will add a rule to the policy so that all the client devices will pick it up, and when an attempt is made the file is blocked. Here you can see a list and times of prevented rules and how many times they blocked an execution via the prohibited applications report. Right next to the prevent command is the quarantine button, where you can quarantine any of the files that were dropped.

Now that we've gone through the containment stage, the next stage is eradication. Here we're going to create an indicator of compromise scan using data generated by the endpoint, and optionally we can execute remote commands on client devices, for example if we wanted to remotely delete a file, or kill a process, or even run a reg command and change back a registry key. On the all incident events tab you can selectively choose a single or multiple events and generate an IOC automatically. This will build an IOC list for you and create a scan task. We can run this task on all devices in our network, and under the action, if we do discover another instance that matches these IOCs, we want to remove it and quarantine it. Inside the results you can see the devices that the task ran on. We didn't find any matches with the top four devices, but the last two show IOCs have been detected. We started on Tom's laptop, but it looks like the same detection activities happened over on Alex's laptop as well. This might indicate lateral movement. Now why is that important? Well, it's very expensive for adversaries to completely retool all their code, so oftentimes they will just reuse their code over and over again, but they only change a few bits and bytes to get around the standard signature analysis detection. In this case they may have used the same registry key or dropped files, for example, and since we selected remove and quarantine, those files will be removed from devices as well. Once you find an IOC match you can run remote delete file tasks to purge it from the system. Here we had an artifact file on the C drive, so we can remove it: just create a new Endpoint Agent task to delete a file, specify the path, select a device, and execute. The task will purge this file from all devices. Now once this task has completed you can see the results. And we can kill a process if it's still running in memory as well: you create an Endpoint Agent task to terminate the process, you set a path, and just in case we'll set the exact MD5 hash as well, and execute. And the results: the swtest file has been killed.

Once the eradication is complete, it's time for recovery. Back in the containment stage, remember we isolated a host from the network in order to prevent the spread of infection. Now that everything is cleared up, we can remove the host from isolation and put it back on the network. You can view a list of isolated devices by searching for the tag called "isolated from network"; select the device and simply disable host isolation inside the device object itself, and note, down below you can set a default timer for it too. Okay, the last step is where we review all the things we've learned from the incident handling process and see if there's anything that we can take away from it. Patch management: we saw several vulnerabilities listed on the win1001 device which have already been known to be exploited, and we know we can fix any of those vulnerabilities by implementing or improving a patch management process. Maybe we need to tighten up our web control rules and explicitly block access to the IP addresses we find in the incident cards. It's probably a good time to review our access controls, right? Remove any unnecessary privileges so that users are not running under admin rights. If we have repeat offenders, they're good candidates for some type of cybersecurity awareness training; teach them what they should not be clicking on. Perhaps we should add in a mail or web gateway solution, right, which allows us to block potential threats at the gateway layer prior to even getting down to the devices. And since this telemetry data provides IOCs automatically, we can export a list of IOCs and use them elsewhere outside the environment, for example our SIEM systems. And finally, threat hunting: maybe we need to look at finding a 24x7 monitoring service and bringing in automated threat hunting from the experts.

So let's wrap up. What does Kaspersky Optimum Security do for you? Well, again, it's all about that timely detection of adversarial activity. Reducing the dwell time can substantially lower the overall cost of a breach by identifying early activity before any major damage can be done, and of course you can save the cost of having threat hunters and security analysts on staff. And with that, I'll say thank you for listening, and I'll open it up for any questions you might have.
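The detections the talk walks through in its incident cards (a batch of individually benign discovery commands run in a burst, a scheduled task named "software updates", a CurrentVersion Run key write, and the same activity showing up again on a second laptop), as an added Python example that is not code from the talk or from Kaspersky's products. The pipe-delimited log format, the host names WIN1001/WIN1002/SRV01, the user names, every timestamp other than 1:37 p.m. on March 19, the command list and the five-commands-in-two-minutes threshold are constructed assumptions.

```python
# Added example, not from the talk or Kaspersky: constructed process telemetry and
# the correlation an incident card does (recon burst, persistence, cross-host repeat).
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
import re

ProcEvent = namedtuple("ProcEvent", "ts host user cmdline")

# Discovery commands that are routine for an admin one at a time, but suspicious
# when many run back-to-back from one script (the getinfo.bat pattern in the talk).
DISCOVERY_CMDS = {"whoami", "hostname", "systeminfo", "ipconfig", "net", "tasklist", "netstat", "arp", "nltest"}
RECON_THRESHOLD = 5                    # distinct discovery commands ...
RECON_WINDOW = timedelta(minutes=2)    # ... inside this window -> one finding
# Persistence: writes to the CurrentVersion\Run key and scheduled-task creation.
RUN_KEY_RE = re.compile(r"\breg(?:\.exe)?\s+add\s+\S*currentversion\\run\b", re.I)
SCHTASK_RE = re.compile(r"\bschtasks(?:\.exe)?\s+/create\b.*?/tn\s+\"?([^\"/]+)", re.I)

def first_token(cmdline: str) -> str:
    """'C:\\Windows\\System32\\net.exe user' -> 'net'."""
    tok = (cmdline.split() or [""])[0].lower()
    return tok.rsplit("\\", 1)[-1].removesuffix(".exe")

def parse_event(line: str) -> ProcEvent:
    """Constructed pipe-delimited record: ts|host|user|cmdline."""
    ts, host, user, cmdline = line.split("|", 3)
    return ProcEvent(datetime.fromisoformat(ts), host, user, cmdline)

def finding(tactic, e, ts, detail):
    return {"tactic": tactic, "host": e.host, "user": e.user, "ts": ts, "detail": detail}

def detect(events):
    findings = []
    # 1. Discovery burst per (host, user): distinct commands in a sliding time window.
    by_actor = defaultdict(list)
    for e in events:
        if first_token(e.cmdline) in DISCOVERY_CMDS:
            by_actor[(e.host, e.user)].append(e)
    for evs in by_actor.values():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > RECON_WINDOW:
                start += 1
            distinct = sorted({first_token(e.cmdline) for e in evs[start:end + 1]})
            if len(distinct) >= RECON_THRESHOLD:
                findings.append(finding("Discovery", evs[end], evs[start].ts,
                                        "discovery burst: " + ",".join(distinct)))
                break          # one finding per actor, like one incident per host
    # 2. Persistence mechanisms, each reported on its own.
    for e in events:
        if RUN_KEY_RE.search(e.cmdline):
            findings.append(finding("Persistence", e, e.ts,
                                    "T1547.001 CurrentVersion\\Run key modified"))
        m = SCHTASK_RE.search(e.cmdline)
        if m:
            findings.append(finding("Persistence", e, e.ts,
                                    f"T1053.005 scheduled task {m.group(1).strip()!r} created"))
    return findings

def correlate_hosts(findings):
    """Cross-endpoint correlation: identical activity on more than one host is a
    lateral-movement candidate that a single agent, knowing only itself, cannot see."""
    hosts = defaultdict(set)
    for f in findings:
        hosts[(f["tactic"], f["detail"])].add(f["host"])
    return {k: sorted(v) for k, v in hosts.items() if len(v) > 1}

def analyze(log_lines, contained_at_iso):
    # Findings, cross-host matches, and dwell time from the first finding to containment.
    findings = detect([parse_event(l) for l in log_lines])
    contained = datetime.fromisoformat(contained_at_iso)
    dwell = contained - min(f["ts"] for f in findings) if findings else timedelta(0)
    return {"findings": findings, "lateral": correlate_hosts(findings),
            "dwell_seconds": int(dwell.total_seconds())}

# Constructed sample: the recon script on WIN1001 (as in the talk), the same script
# replayed on a second laptop, and a lone admin running two commands on a server.
def _recon(host, user, t0):
    cmds = ["whoami /all", "hostname", "systeminfo", "ipconfig /all", "net user",
            'net group "domain admins" /domain', "tasklist /v", "netstat -ano", "arp -a"]
    return [f"{t0}:{5 * i:02d}|{host}|{user}|{c}" for i, c in enumerate(cmds)]

SAMPLE_LOG = (
    _recon("WIN1001", "ABC\\tom", "2021-03-19T13:37")
    + ['2021-03-19T13:38:10|WIN1001|ABC\\tom|schtasks /create /tn "software updates"'
       ' /tr C:\\Users\\tom\\AppData\\Local\\Temp\\getinfo.bat /sc daily',
       "2021-03-19T13:39:00|WIN1001|ABC\\tom|reg add HKCU\\Software\\Microsoft\\Windows"
       '\\CurrentVersion\\Run /v upd /t REG_SZ /d "C:\\Temp\\bfwitq.exe evil"']
    + _recon("WIN1002", "ABC\\alex", "2021-03-19T13:52")
    + ['2021-03-19T13:53:10|WIN1002|ABC\\alex|schtasks /create /tn "software updates"'
       ' /tr C:\\Users\\alex\\AppData\\Local\\Temp\\getinfo.bat /sc daily',
       "2021-03-19T09:00:00|SRV01|ABC\\admin|ipconfig /all",
       "2021-03-19T09:00:30|SRV01|ABC\\admin|net user"]
)

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, "2021-03-19T14:37:00")
    for f in result["findings"]:
        print(f["ts"], f["host"], f["tactic"], f["detail"])
    print("repeated on hosts:", result["lateral"], "| dwell seconds:", result["dwell_seconds"])
```

The two SRV01 commands stay below the threshold and produce nothing, while the identical burst and task name on WIN1001 and WIN1002 surface as a cross-host match.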