The Weakest Link: Detect '18 Presentation Series | Anomali



After you have watched this Webinar, please feel free to contact us with any questions you may have at


This talk is about the weakest link.

My name is Kris Palmer.

One of the Principal Security Engineers with Anomali.

I've been here for quite some time.

Been in the space for well over about 15 years, doing some form of intelligence.

From a traditional point of view on the defense side of the house, being in the Air Force, as well as working in the commercial space, doing it from more of a technical collection point, building technologies, integrating technologies.

So yeah, I thought this was pretty interesting.

I'm a sales engineer, which is what they classify me as.

I'm in that role with our company.

But I work with many of you.

Some I haven't.

Been able to kind of show you what we do at Anomali, but also talk about it from a more abstract approach.

So to kind of start off too, this particular discussion is going to be a little bit different than what you guys have probably been used to in this conference.

I'm going to take you guys a different direction.

We're going to get into some football schematics, which I'm going to show you how that applies to being weak.

Hopefully that's interesting and useful.

What really counteroffensive defensive posture means, kind of talk a little about that.

Coming from a defensive background, there's different theories on what countering really means and offensive when we talk about cyber intel.

But want to kind of break that down a little bit from my experience and how we've used some useful tactics to do that.

And then who's the weakest link?

You know, the highest percentage of exploit vector and talk a little about a few of those.

But one that is, I think, really common-- and I've seen a few other talks which really highlight that particular vector.

Then behavioral activity, and then sort of link reinforcement and resiliency.

And then we'll kind of wrap up with any questions.

So kind of another extended overview, really just getting into complex, adversarial, offensive capabilities, what that really means.

Really talking about it from a football perspective, because there's a lot of similarities.

I'm an avid football fan.

I'm from Texas, which is actually interesting.

I went to the University of Texas, and we play TCU this week, which I'm going to talk a lot about what they do in this presentation.

So it wasn't deliberate.

It just happened to be that way.

So I'm a little upset about what I'm going to talk about, because they may beat us.

But they use a lot of disguise and deception in their defense game plans.

And then just organizational weaknesses in terms of links, and strategies, behaviors that contribute to exposures, and then just, again, how you can be more resilient.

So what is counter offensive defensive posture?

So 1 plus 1 equals 3, right?

It depends on who you talk to, how do you approach countering.

But it's really an idiom.

Some think of it as a true retaliatory type of capability.

You know, if you break it down, it's really, what does "counter" mean?

You oppose something at the very heart of it.

And then offensive is basically actively aggressive, you know?

In game reference, a player's looking to score.

I need to go do something.

And then defense is basically just defending or resisting an attack.

It's just that simple.

And so if you think of it, it's more of like a covert way of doing it.

I want to be more forward-leaning in how I approach being more offensive, not necessarily actually actively going out and doing things that are offensive.

I mean, there's lots of discussion around integrity, and legalities, and foreign policies, and just things around not being able to actively do that.

But be more deceptive and divert sort of how attackers are approaching the industry today.

So again, it kind of operates on an active defense cyber strategy.

So it's not really traditional, as offensive as we talked.

It's more thinking about it as I want to build a strategy that's more active, put tools in place that are going to allow me to be more active.

If you think of it from not necessarily hacking back per se, but it's really being more of a nuance and really deterring and trapping attackers who can gain intelligence, to me, that's something that we were successful in doing in some of my previous jobs-- is basically being able to divert what we see, build an intelligence profile, and then sort of really making it nuanced.

And I'll talk a little about how that can be done with just a few tools and things that help you accomplish that goal.

And then really just shifting odds.

I mean, deceptive techniques, I think, are ways that you can really be more active instead of being reactive, accepting alerts, but really taking that and allowing that to enable your operations.

Again, and knowing, and wasting attackers' time, and really gather that intel, and analyzing it.

Once you do the analyzing of the intelligence, you can see various behaviors, patterns, and take that intelligence back to your SOC, to your IR teams, and begin to allow them to be more forward-leaning versus just alert exhaustion.

And this is just a quote.

I mean, this is a quote that I thought was pretty interesting.

You know, it just talks about literally how counter intelligence defensively and offensively guards against adversarial intelligence operations.

And this is, I think, true.

I mean, you think about covert actions and just being able to find ways to sort of stall the hostile activity, be able to gain that counterintelligence back, and then just be able to really use it for both sides, whether it's offensive and defensive in your organization.

I think that was a pretty interesting quote.

And I thought that was relevant for this conversation.

Vince Lombardi.

I mean, that's as simple as it gets.

I put the Golden State Warriors in here, because I think they represent this pretty well.

I mean, they leverage a great offense, which actually aids their defense.

And you go into that playing against them or teams that are similar in that nature, it really does kind of speak to how you actually can be a little bit more offensive and kind of aid in how your weaknesses are in defense, kind of just go into game-planning and having more of a forward attack versus just sort of sitting back and reacting, like traditional defenses do.

So Vince Lombardi, I think, said it perfectly there.

So let's talk about some X's and O's, really.

Or let's kind of first break down sort of the baseline for this.

So in football, defensive game-planning and schemes, personnel is vital.

I think that's one-- just like in organizations that you guys work with, personnel is vital.

Without having the right personnel, having the right positions, guys with experience understanding the tools and the policies, you're always going to be behind the curve.

It's the same in football.

Having the right personnel, having the right layers.

I put a couple schemes up here that are pretty base.

Now, these can be expanded, and I'll talk a little bit about how you can expand these.

Obviously, there's different variations.

There's multiple formats.

The 4-3 and 3-4, basically, if you think about it in football, it's the first seven linemen or the guys that are closest to the line of scrimmage that are looking to basically stop more of a run-heavy sort of offense.

That's a style that offenses are attacking that particular scheme.

And so literally, you're looking at having certain personnel that fit that scheme.

So the front four are usually guys that are a little bit more athletic.

Your linebackers are a little bit more designed to come in line to the first layer of defense to kind of stop the run.

That's really their base scheme.

And then you can operate out of different formations there.

You need sort of a run-stuffing nose tackle.

So basically, that nose tackle's a big defensive lineman in the middle who's going to stop and approach different gaps, where the four linebackers are pretty much there to cover more of a pass-happy attack.

So if you're going to throw on me, I need to have guys who can go out in coverage and be multiple.

And so you know, offenses will typically adjust.

I mean, defenses usually-- just like in cybersecurity, we have a baseline, we know sort of our tools, and we know our processes.

Obviously, resources we need to have to support those.

But offenses always adjust.

We're constantly playing catch-up.

It's the same in football.

They're constantly playing catch-up.

They're driving, basically, how the game's going and how the industry's going there.

And so we have to find where the weak links are in football as well as in our organization.

So really kind of talking about it a little bit more-- how the schemes in football, how that posture is very similar.

So if you think about when you're going into determining what a weak link is in football, you have to scout and plan.

Same in cybersecurity.

There's scanning, there's reconnaissance that occurs.

You have to know a little bit about what you're trying to attack and where the weak parts are.

So vulnerabilities, right?

We're looking for vulnerabilities all the time.

The same applies.

I'm looking for, if I see this particular formation and tendency, how do I attack it?

Who's in the wrong place?

If there's just one misstep, how do I exploit that misstep?

And so if you think about it, it's usually players that are making a simple mistake or a misread.

They may see something, they think they have seen a pattern, and it's exploited, because that look is multiple and it can change rapidly, as in cyber.

We get used to certain samples of malware.

We get used to certain indicators.

We get used to certain types of attacks.

And we think we see something, and it shifts.

It's a very, very, I think, unique comparison in terms of that one person can put your entire organization in jeopardy.

Same in football.

So I kind of wanted to talk a little about the exploration to exploitation phase and just kind of show you how that looks from football.

So literally looking at, what's the first phase?

You're looking to ID vulnerabilities.

I want to know where you're vulnerable, find those vulnerabilities, and exploit them.

Football, I'm game-planning.

I'm going into it, looking to see where they're vulnerable, what are their tendencies, what do they like to do, who's weak in their formations?

If you think about it from the next phase, it's scanning and testing.

So I need to know, if I can actually scan and test, are there ports that are open, are there protocols that are weak, are there unpatched systems?

All that sort of thing you're doing before you begin that phase.

And you actually test it.

I mean, there's a lot of code that's out there that's bad that adversaries are using.

But they have to test it.

They find different ways, whether they're dropping it onto some sort of scanning technology to scan or to run it through another malware engine to ensure that that actual code will execute the [? action-on ?] objectives.

Same in football.

It's scouting and practice.

You have to continue to do this stuff before you actually go out and execute.

And so the next, it's gaining access.

So once I've gained access, now I can do several things-- move laterally, I can hold persistence, modify different services and registry signatures on the platform, and just kind of be able to really act upon all my objectives as I see fit.

Same with football, you know?

Penetrating defensive formations.

So knowing where and how to gain that access, seeing those weak areas, those gaps, seeing places that members in the actual formation are not holding up to sort of their end of the formation, being able to penetrate and use that.

And they're scoring TDs and maintaining access.

That literally goes hand in hand.

I mean, that's sort of the whole lifecycle there.

So I wanted to kind of show you a little bit about what that looks like.

We've talked about it.

So as we've talked about, for those who don't follow football-- and I get it.

I've coached and covered this a little bit in my life.

So this is what we call linemen.

So these are the guys that are literally the big guys that are looking to be closer to the ball to attack the offense.

And then you look at these guys here.

These are the linebackers.

These are sort of the second layer of the defense, and so they're looking to aid in any gaps.

So as we talked about this 4-3, this is more for run-heavy, looking for ways to stop the run.

And what happens is these guys are the ones that are potentially targeted.

They're kind of left on an island.

So not to say these guys won't be, but in this particular formation, I'm looking at ways I can actually exploit this defense.

And you know, you could see maybe these two guys here, these cornerbacks, basically have to play one-on-one.

And if they make one wrong step, that could be a score.

Game over.

So the 3-4 actually shows a little bit of the offense alignment.

So this is the offense.


You have three.

This is that nose, that big guy.

And you've got the linebackers.

So in this particular case, they're more exploitable for maybe a run-heavy offense.

What you see here, this I formation, is more of a power I.

And I'm looking to exploit these gaps.

And I'm looking to-- so this is more to the weakness in the front line versus the back line, due to the fact that I may have more coverage on the back, I can do different things, I can be multiple, I can shift those formations and account for areas that you're weak.

So this is all part of scanning, or doing recon, and scouting how I would be able to attack this particular defense, as an adversary is doing that every day with our organizations.

So just want to talk a little bit about the philosophy.

I think this was interesting, just to kind of break down, literally, what we see.

And this is pulled from football X's and O's.

But basically using simple systems with multiple formations.

Motions, personnel package, using small packages of well-executed plays that have many looks that look complex, but they may not be.

They may be pretty simple.

It's just repeated attempts to confuse the defense and put stress on the defense.

Using multiple tempos.

So now they're speeding up attacks.

Just like you see with overload of intel and an overload with events, it's a lot coming at you.

It's sped up, and it's designed to keep you off balance.

It's designed to have you think and act slowly and then really be aggressive.

So continue to be aggressive, continue to push different route combinations, and just have different things they can do to really have their defense kind of on their heels.

And so this is really, actually, very common to what you'd see in the intel and cyber world, where it's multiple, it's designed to put stress on you as a defender, and it also uses different types of attacks.

So just to show you an example here, so in this particular, we talked about this formation, this sort of 4-- oops, sorry.

This 4-3 here.

So basically, this is actually-- it's still kind of a 4-3, but this is like a nickel.

So he's basically acting as a linebacker.

But if you look at this, what this is designed to do is basically have kind of quick route schemes and have this option.

And what's going on on the offensive side is basically running sort of a zone read.

So literally, the quarterback is reading this guy.

He's the target in this play.

And this guy has a decision to make, which we do.

In our industry, we have to make decisions.

He has to determine, do I shift this way?

And if I shift this way, then I can go up the middle with this running back, bam, expose the defense.

Or if I shift this way, then this is a quick out, and this guy is pretty much not in position, but I'm targeting his tendency, so I'm really watching this guy.

And so I think that's relevant, because we're looking at ways that we can determine who's weak.

If I see something, a member in the organization who maybe has bad practices, and maybe he leaves work, but he has connections to your internal network by email or different devices.

If I can find out where your tendencies are or if I see your patterns, I can actually attack you, similar to this.

I mean, if you think of it from a methodologies standpoint, it's very similar.

And I'm looking to [? scalf ?] that.

And these tendencies are things that are routinely covered in planning.

And so this is just giving me an idea of what that looks like.

So this is sort of another scheme.

Again, I told you I was going to talk a little about football.

So you'll learn a little bit about football.

If you don't learn anything today, you'll get an understanding of how this applies.

But this is cloud coverage.

So I want to just talk a little bit about this particular viewpoint.

So from a defensive perspective, you see it's literally-- again, you've got your linebackers.

And the letters don't really matter.

These are basically the linebackers, and you have linemen.

And those guys are literally able to shift.

So I can actually cover.

In more of a zone manner, I can do hooks and curls.

So this gives you some level of an advantage if, for instance, the offense shifts.

So if that particular power I formation, if that power I formation shifts out, this guy comes here, he goes out, you have ways to adapt on the back end, so you're not exposed, even though you may be looking to try to defend against a run play or a traditional run play.

So it just gives you a way to really have more of a zone.

And that cloud is basically representing a zone.

And "zone" is basically having coverage.

Just think of it as coverage areas of the field that you own or you actually have responsibilities for.

So now this is when we start talking about how the defense begins to become more active and bring in techniques that are more deceptive in disguise.

So this is actually a-- Texas Christian University, their coach is notorious for being forward-thinking and having tactics that actually, literally, kind of attack the offense and dictate to the offense versus the offense dictating to the defense.

So this particular one is sort of a Smoke and Robber coverage.

So what's happening here, basically, is you've got four linemen, you've got these two middle guys.

And these two guys are the keys.

They're basically safeties.

And they've come up, and they're acting like an additional lineman, but they actually have some pretty deep responsibilities.

So in this particular case, they're basically coming up.

And this fire, it's what it's called, and it's smoke.

Where there's smoke there's fire.

Basically, they come up and they blitz.

And they are literally looking to attack on the outside.

But what it does is it tells these two guys on the inside, this is your [? assignment and ?] gaps.

And this particular look is very consistent across there.

I mean, this is literally their baseline look.

It kind of goes from a 4-2-5, which is basically 4, 2, and then 5 is sort of their base.

But it changes.

And they're disguising.

So now the offense sees this and says, oh, this could be a blitz.

I think they're going to blitz us.

They're going to bring everyone.

Maybe we can attack these guys.


Or not.


So this is just kind of the first step into being able to be more disguising, more deceiving as a defense.

And then if you look here, this gives you some of the responsibilities of what these guys are doing.

So basically, these four, this guy can cover a flat, he can come out in a hook, can drop down, can go in the flat.

But this gives you a setup of literally, depending on whatever the offense shows you, I have the same look, but it's in disguise.

And based on pre-snap reads and things that I see from the offense, I can actually quickly adjust a few of these guys on the back end.

And so these two guys really make this defense really flexible and be able to do a few different things.

So what I wanted to show you was this one.

So this is actually that same look, but as you see here, these guys now drop.

And so when they're coming up in the coverage, the offense thinks, oh, yeah, again, this could be a blitz, this could be that same look.

But yet, this is how you kind of take back a little bit more of sort of leverage, because these guys are able to now start covering things that are coming their way.

You've got this middle guy here, whose assignment-- sorry about that.

This middle guy's assignment is basically this running back.

And these guys stay in a disguised coverage, which actually allows them to now start to create turnovers, stop the offense, and stop the penetration.

It just gives them a lot of flexibility, and it's been highly successful.

So again, let's talk about, literally, who the weakest link is.

There's a link.

Who is the weakest link?


I thought this was interesting.

So I saw this quote, and I was like, yeah.

It's actually pretty relevant.

So you're only as strong as your weakest link in your crew.

So I thought that actually does apply to cybersecurity.

That applies to football.

That applies to a lot of genres.

That one person can expose you in any way at any point.

And so I think, without further ado, we know who that is.

It's the end users.

We are basically the weakest link.

I had a quote that I kind of-- not only a quote, but a saying-- that "I'm a liability at any point." Because it's our tendencies of how we operate.

But basically, you're vulnerable to target and potentially inadvertent security breaches that could be deliberate.

You could have insider threat-- users that are actually looking to gather information, pass on information outside.

Numbers of things you could do from an insider perspective.

And it's literally employees, it's contractors, it's associates.

I think supply chain has been a big factor in this case, where supply chains are being exposed, and those users are actually compromising entire organizations.

Maybe it's a credential that was popped or just having some sort of access to the network that actually was compromised.

But basically, it's the people being negligent.

It's careless work.

It's careless behaviors.

It could be malicious.

But basically, phishing, as we were talking about a little bit further, is one of the vectors that I think we all know about.

We know it's a highly targeted vector.

And we're all targeted from phishing.

And it's one of the vectors that play on our psychological behaviors, sort of the wetware, if you will.

So human weaknesses.

I mean, that's really what it is.

It's social engineering.

It's basically being able to do things like hybrid phishing attacks, where you're using multiple tool sets or maybe having sequence attacks, where I start off with a phish, and then from there, it's a malware infection.

And then metamorphic malware, which is basically self-mutating campaigns.

So this is interesting because you see that all the time.

Viruses are changing.

The code's changing within its delivery.

So you think you see something that is actually a sample or a tactic, and it's actually mutating in the code.

You have business email compromise scams that are occurring, AI-driven, automated phishing campaigns, which we're seeing more often.

You see the domain generation-type attacks.

You see things that are leveraging machine learning to automate those phishing campaigns.

So it's manipulating your psychology, looking to evade the data and system controls, which is interesting.

So really, when you start talking about phishing, you're talking about ways to not have to necessarily be technical or attack your tools.

It's attacking you.

And if you make a mistake, you can easily be duped.

You can easily provide access out.

You could provide a way to maintain hooks and persistence into your environment.

But just, again, it sidesteps technology, and it's really hard to detect from a signal standpoint, because there's not really signals.

It's really more behaviors and really understanding, how do we address a phishing campaign?

How do we address a phishing object that comes into our environment?

So this is literally from Hackmageddon.

It talks about, literally, distribution of targets.

And I think this is from February of this year.

But as you can see, individuals are still highly targeted.

One of the highest targeted elements in literally determining these percentage of attacks.

It's literally you have different industries like electricity, and you have education, and just IT systems.

But it's individuals that are literally still the highest targeted based on their findings from this year.

So some of the behavioral activity.

Phishing, right?

I think it was, like, begin with a spearphish.

I think that's still a relevant percentage.

And I think 94% of those usually follow with some sort of malicious file or URL link that is associated with that phishing.

So spearphishing, it's a people-focused cyberattack.

So again, it's sidestepping, literally, the technology.

It's really attacking your tendencies.

How do they do that?

It could be email fraud.

Maybe targeting a specific individual, because an individual has shown, again, tendencies that they saw on social media, or maybe tendencies internally that they've monitored.

But being able to expose that and then leverage that to feign to be more of a trusted source.

And actually, sending out things that look legit that aren't legit that you might be exposed to.

And so what I put in here-- the TTPs, I put the kind of TTTPs, which is adding that tools piece.

Because some of the tools are important to understand some of the common techniques for gaining persistence in networks, utilities designed to generate malicious documents that are appended to email campaigns, that have macros, malicious macros embedded.

And some of them literally go out and invoke tools that are-- that living off the land-- you know, PowerShell tools, Windows PE tools, or PE files and PE-- you know, all those sort of elements within those particular OSes.

And they install backdoors, so that you could now begin to re-attack and re-expose based on dropping in those hooks.

And then doing reconnaissance.

So reconnaissance is literally the first step of it.

I need to do recon to determine if it's a spearphish.

Maybe it's like a spray-and-pray type of attack, where I'm talking massive amounts of people in your organization.

But I need to do the reconnaissance to know how I want to target you.

So the impact of phishing.

This is sort of just showing, in the last couple years, post-phishing, you usually see a malware infection percentage, which is usually up to about 50%.

And then there's usually a compromised account, which could be credentials that they've dumped or been able to compromise and dump, or just compromising a user based on somewhere on the internet that they actually were exposed.

And then loss of data usually follows that way, whether it's [? exfiltrating, ?] hijacking, just ways to go out and scrape data from your organization after they've gathered a foothold.

So the impact is, I think, pretty significant.

And then social engineering, which is sort of in line with phishing.

They go hand in hand.

But basically, it's a tactic, leveraging a way to sort of build that false sense of trust.

I want to get to know you, I want you to think that I'm legit, and I can reach out to you for certain things, whether it's a phone call, or text, an email, it's IR, chat, whatever it is.

Being able to really gain that trust and then, from there, look at some of the sort of TTTPs here, which is the psychological and behavioral elements to infiltrate your organization.

It relies on heavy social skills, so knowing how to socially communicate, knowing how to socially interact, and send things that might actually look like an expected product, and they're not; or an expected conversation.

It's kind of spoofing the interaction.

And using profiling tools.

So that's a big deal.

Profiling tools like [? CUP ?] and basic profiling social media activity or your patterns, and using that information against you.

So when they do invite that particular attack, it looks more legitimate, because you've done these things.

You went to these websites.

So it's actually pretty useful.

And literally the wetware.

So we talked about like it's basically operating on your brain-ware, if you will.

You have systems, and technologies, and policies in place, but literally operating on things that are psychological and weaknesses that we all continuously have, whether it's going into a report that was sent to you from, you think, a trusted source, and there's elements in that report that literally are not legit or they're malicious.

And it's just operating on those sort of things that they know that can trick you into exposing that.

So the RSA, I think, breach is one that is, I think, we all know about from the social engineering perspective.

Attackers sent two different phishing emails in a two-day period.

Email was crafted to trick one of the employees-- he literally went into a spam folder or a junk folder, and there was an Excel file.

So in this case, the subject line was "2011 Recruitment Plan." Obviously, that particular person probably had something to do with maybe-- maybe he was doing a lot of searching for jobs or different things that actually was in line with that particular attack.

But it was able to dupe them into going into that particular file, which, again, that file had a zero-day exploit.

Installed a backdoor.

Backdoor Poison Ivy, which basically was able to reach out and have some C2 communication.

But it wasn't very sophisticated at all.

I mean, it literally started from sending an email, you're going into an email, not understanding that this email potentially was literally a sign of a phish.

And exposing those four employees, which were, in this case, the weak links for that organization.

Credential theft.

So credential theft is very, very prevalent.

It's a way to expose your brand, steal credentials, whether it's browser-based or web-based, and then release those maybe publicly, maybe on the dark market, have those sold.

And then those credentials are out there.

And the HawkEye Keylogger was actually a pretty interesting toolset that was going out, and being able to steal credentials, and actually not even leverage C2 responses.

So literally can go out, steal credentials, not necessarily need a C2 response, but actually can go over SFTP communication or email communication.

So a little bit more obscure, but it was highly successful.

So again, being able to inject stealth malicious [? threads ?] into legitimate applications.

EternalBlue, as we saw that earlier this year.

And downloading malicious modules.

Access to SQL DLLs to retrieve users' saved login credentials, and then just stealing that information, and maybe having it used and sent across Tor nodes to communicate out to other C2 bots.

But I think credential theft is something that-- in my experience, it's been a key way into starting sort of phishing and social engineering attacks.

And once you start gathering that information, I have a credential, I could do something with it.

It gives me a tool to start targeting an organization.

Maybe there's several domains in an organization that are exposed.

But it gives me my first step to know my attack campaign.

And so I think it just gives you-- being able to understand how you can mitigate credential theft, which we'll talk a little bit about, is going to be very important.

I think we do a lot with brand monitoring and monitoring things [? that are ?] anomaly, which is pretty neat for credential theft.

So definitely something that is pretty useful there.

So let's get into, how do we reinforce and be more resilient?

First, I've started off with more of a proactive detection insight.

So in my experience, honeypots and decoy systems are how we've done this.

And it's given us a way to kind of take, again, sort of a stealth attack back to the attackers attacking us in terms of being able to build these systems that look like real-time production systems to deceive attackers, invite them in.

They can work alongside your traditional IDSes, your perimeter tools, potentially.

If you deploy them correctly, they can be really effective.

Obviously, no legitimate traffic should be hitting these.

If they are, then you kind of-- you know, that's a problem.

But you know you're gathering that intel, what is actually coming inbound and outbound, to be able to leverage out to your other teams.

And really being able to design to capture research, forensics, threat intel, and just really working with your security ops teams once you've been able to build these decoy systems to deceive, take that intelligence back, and you can get a wealth of indicators, whether it's network-based, getting into sort of the tactics of extracting data from files, and binary extraction, and really uncovering that data, and then pushing that data back out to your teams.

It gives that early warning intrusion system for collection to kind of focus around tactics.

You can uncover a suspicious activity on the network via auto-alerting.

And it's inexpensive, which is the biggest thing, I think.

There's several out there.

We've been doing it here at this company for a little bit, working through some of the more known open-source honeypots.

But I've deployed some personally at home in my own lab.

But it's very inexpensive to do.

And again, if you deploy it right and you have it set up to gather certain types-- I mean, it could be application-focused, it doesn't necessarily have to be network-focused.

You could do different types of focus on the decoys.

But basically, having it there.

And what I like to say is that, basically, you're new to the learning, you're new to the rules, you're new to the correlation.

This is going to assist in not just setting up rules and letting them run.

You're actually going to start being able to apply what you have to things that you've already built in content and now make your content more effective, because you've seen these attacks that are occurring.

And maybe it's targeted, maybe it's not, but that just gives you more insight.

And so really being able to kind of do some things, like honey-patching, which honey-patching, was interesting, because we were able to basically sort of, in an obscure way, throw off attackers which think they might have been successful, but they weren't.

Or maybe they were.

But it just kind of-- we were able to quickly spin up and spin down those particular honeypots and then have the patching done.

So then, basically, that intel we collect, it's deceiving to the outside, which is another tactic that could be deployed in this.
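The point above is that nothing legitimate should ever touch a decoy, so the alerting logic can be very simple. The following is an added example, not code from the talk or from Anomali: it scans constructed flow-log lines for any connection to a small hypothetical decoy inventory, groups hits per source, and flags sources that swept more than one decoy. The log layout, decoy addresses and the `DECOYS` table are assumptions for the example.

```python
"""Alert on any traffic touching decoy (honeypot) addresses.

Added example, not from the talk: no legitimate traffic should reach a decoy,
so every hit is worth an alert. Log lines, decoy addresses and the field
layout are constructed; adapt parse_flow() to your own flow/firewall export.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical decoy inventory: IP -> what the decoy pretends to be.
DECOYS = {
    "10.0.50.10": "fake SMB file server",
    "10.0.50.11": "fake internal web app",
}

# Constructed flow-log lines in a simple "ts src dst dport proto" layout.
SAMPLE_FLOWS = """\
2018-09-12T10:01:02Z 10.0.20.5 10.0.10.8 443 tcp
2018-09-12T10:01:05Z 10.0.20.5 10.0.50.10 445 tcp
2018-09-12T10:01:06Z 10.0.20.5 10.0.50.10 139 tcp
2018-09-12T10:01:09Z 10.0.20.5 10.0.50.11 80 tcp
2018-09-12T10:02:00Z 10.0.30.7 10.0.10.8 443 tcp
"""


@dataclass
class DecoyHit:
    """One (source, decoy) pair with every port touched, in order seen."""
    src: str
    decoy: str
    role: str
    ports: list = field(default_factory=list)
    first_seen: str = ""
    last_seen: str = ""


def parse_flow(line):
    """Split one constructed flow line into its fields."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def find_decoy_hits(log_text, decoys=DECOYS):
    """Return a DecoyHit for every (source, decoy) pair seen in the log."""
    hits = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        f = parse_flow(raw)
        if f["dst"] not in decoys:        # production traffic: ignore
            continue
        key = (f["src"], f["dst"])
        hit = hits.get(key)
        if hit is None:
            hit = DecoyHit(f["src"], f["dst"], decoys[f["dst"]], first_seen=f["ts"])
            hits[key] = hit
        hit.ports.append(f["dport"])
        hit.last_seen = f["ts"]
    return list(hits.values())


def suspicious_sources(hits):
    """Sources that touched more than one decoy look like a sweep, not a typo."""
    touched = defaultdict(set)
    for h in hits:
        touched[h.src].add(h.decoy)
    return sorted(src for src, decoys in touched.items() if len(decoys) > 1)


def format_alert(hit):
    """Render one hit as a single alert line for the SOC queue."""
    return (f"DECOY-HIT src={hit.src} decoy={hit.decoy} ({hit.role}) "
            f"ports={','.join(map(str, hit.ports))} "
            f"window={hit.first_seen}..{hit.last_seen}")


if __name__ == "__main__":
    found = find_decoy_hits(SAMPLE_FLOWS)
    for h in found:
        print(format_alert(h))
    print("sweeping sources:", suspicious_sources(found))
```

Because the decoy list is the only tuning knob, the false-positive question reduces to the one the speaker raises: if a real user or system shows up here, either the inventory is wrong or that host deserves a look.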

So doing more advanced forensics and IR analysis.

So some of the tools for this-- having sandbox technologies, doing log and packet inspection, big data platforms.

These all go hand in hand.

I mean, you have to be able to analyze malicious files, executables, document exploits, Java applets, to just name a few.

Building rules.

So rules, like maybe [? Jarl ?] rules or building rules that are looking at building those engines for detecting and creating signatures.

In certain cases, signatures won't be all of it, but it gives you some level of putting in place a control.

And then you can begin to get into stuff that's a little bit less signature-focused.

But evaluating metastrings and extracting strings, and diving into headers.

That information will provide other cryptographic hashing in terms of what you find in that particular file, looking at bytecode.

Just really deep packet inspection will aid in understanding a little bit more about your environment.
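The hashing, header and string work just described is the first pass an analyst makes on a suspicious file. Below is an added example, not code from the talk or from Anomali, that performs that static triage on a constructed byte blob: it identifies the file type from its magic bytes, follows the DOS header to check for a PE signature, computes the usual hashes, and pulls out printable strings. The sample bytes, the `MAGIC` table and the six-character minimum string length are assumptions for the example.

```python
"""Static triage of a file: type from magic bytes, hashes, printable strings.

Added example, not from the talk. SAMPLE_FILE is a constructed blob shaped
like a tiny DOS/PE file with two embedded strings; function names and the
minimum string length are assumptions.
"""
import hashlib
import re
import struct

# Constructed sample: MZ header, e_lfanew pointing at a PE signature at 0x80,
# then a couple of printable strings separated by non-printable bytes.
SAMPLE_FILE = (
    b"MZ\x90\x00" + b"\x00" * 56 + struct.pack("<I", 0x80)   # e_lfanew at 0x3c
    + b"\x00" * (0x80 - 64)
    + b"PE\x00\x00"
    + b"\x01\x02\x03"
    + b"http://updates.examp1e-cdn.test/agent.bin\x00"        # constructed URL
    + b"\x07\x08"
    + b"C:\\Users\\Public\\agent.exe\x00"                       # constructed path
    + b"\xff\xfeab\x00"
)

# Assumed magic-byte table; extend with the formats your team sees most.
MAGIC = {
    b"MZ": "DOS/PE executable",
    b"\x7fELF": "ELF executable",
    b"%PDF": "PDF document",
    b"PK\x03\x04": "ZIP container (Office/JAR/APK)",
}


def identify(data):
    """Name the file type from its leading bytes, or 'unknown'."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def hashes(data):
    """MD5/SHA-1/SHA-256 digests, the values shared with other teams and feeds."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def strings(data, min_len=6):
    """Runs of printable ASCII at least min_len long, like the strings(1) tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def pe_header_offset(data):
    """For an MZ file, return (e_lfanew, True if a PE signature sits there)."""
    if not data.startswith(b"MZ") or len(data) < 64:
        return None
    off = struct.unpack_from("<I", data, 0x3C)[0]
    return off, data[off:off + 4] == b"PE\x00\x00"


def triage(data):
    """Collect the static facts an analyst records before any dynamic analysis."""
    return {
        "type": identify(data),
        "size": len(data),
        "hashes": hashes(data),
        "pe": pe_header_offset(data),
        "strings": strings(data),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_FILE).items():
        print(f"{key}: {value}")
```

The strings list is where the signature work usually starts: a URL, a path or a mutex name that recurs across samples becomes a rule, while the hashes go straight into the indicator set the speaker describes pushing back out to the other teams.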

In these cases, you really have to have a large storage capacity to do a lot of this if you want to do it the right way for your enterprise.

It can't just be limitations, and storage tools, or log tools, or SIEMs.

You have to have more of a big data philosophy.

So just doing a little bit more dynamic malware analysis, doing more real-time, active, and packet analysis.

And storing that data for the forensic teams to go through.

At our organization, we leverage tools that do a lot of the elastic storing to allow us to really do more forensic hunting and really go back through our data.

So having those toolsets is going to be key for this.

And machine learning-- I think it's not just machine learning to look for patterns, but literally look for things that are matching and then take that data, because it's a massive set, and extract the stuff that you don't care about.

And that's going to go back to doing the rules, whether it's a signature rule, or building a rule that's focused on the log data.

Having those work for you and weed out the stuff you don't care about.

And being able to block those files, once you've uncovered this information, and putting those actions in place, and really looking at what's non-compliant, what are intrusions, do I see viruses?

Being able to give you a little more advantage on what you're seeing from those forensic scenarios.

So threat hunting.

Threat hunting is there.

It's another enablement.

So these are really enablements to SOC.

And again, a lot of this is very difficult for organizations with people, resources.

So this is really more of taking kind of the Holy Grail and putting it together to build a better program to thwart some of these weak links.

But basically, hunting is, I think, paramount.

You have to have teams that can do this.

You can use external CTI platforms.

We have a platform we do, you can leverage.

There's tons of them out there in the open-source world that allow you to do this sort of forensic hunting as well as look at internal telemetry and just having the big data tech tools that allow you to do it.

Your goal here is really dedicated to looking for patterns and techniques.

You're looking for behaviors.

That's really the goal of it.

I mean, we've heard a lot about different TTP, like the ATT&CK MITRE frameworks.

You have [INAUDIBLE].

You have all these different frameworks that are out there that are looking to give you more sequential information on attacks and tactics.

That's all fine, but you have to be able to really be able to find those patterns and techniques, and then uncover, basically, those adversarial footprints and evict them.

You want to be able to go in and evict the things that you see, or if it's an adversary that's living off of a service call, or that's in a system in maybe your HR division or financial systems.

Being able to evict them from that particular infrastructure.

And then doing the analysis to determine the intent and impact.

And so obviously, with hunting, it's not a one-time shop, and you have a team that's built to do specific hunting in different areas of your enterprise.

And once they do that and they uncover methods, they are able to actually do this iterative feedback loop to the teams to enable those teams, whether it's IR teams, whether it's forensics and SOC teams.

Really looking to, again, uncover those methods and create more of a feedback and a report loop to your management.

And then I think one of the most important ones of all is user awareness and risk reduction, which, I think this is actually almost as important and something you can actually implement pretty quickly.

So you have tools like email client tools, and you have user awareness framework, which I think is something that is a little bit under-talked about, or really a framework, not just user training.

Or you know, we always hear that.

And then resiliency.

So being able to adopt a framework to assist email clients and users with IDing phishing attacks.

So understanding characteristics of a phish.

I think that you could ask probably many people in here, can you understand the characteristics?

And we are cyber practitioners, and we get duped.

But understanding those characteristics, understanding the headers, understanding how to break down what that looks like, being able to raise that awareness.

I put a few tools like [INAUDIBLE] and [? Area ?] 1.

I think they do a really good job, from a client and tool perspective, of giving you ways to understand it from a tool perspective.

There's filtering, and there's analysis done at that layer to give you insight into the phish before you even have to address or encounter that particular object.

And then you leverage some of the built-in security protection and education mechanisms.

Two-factor, obviously, is very common, having two-factor authentication.

Domain and spam filtering, anti-phishing and anti-spoofing techniques and controls.

Really building a human firewall.

And that goes back to that framework.

So not having one user be better than others, but having the entire team understand how to break down and analyze phishing products that are coming your way in the phishing inbox.

Really being able to use that in line with your tools.

And even gamification programs, which we've used in the past, I'm a big fan of, just increases and incentivizes the team to do things.

We're all competitive.

We all want to maybe promote ourselves or be highlighted for our work that we do.

So being able to incentivize your behaviors will breed sort of a team of more of awareness teams, being able to identify and also stress some of the things that they've found.

And therefore, allowing them to be able to help the organization as a whole.

And so benefits are just educating users on the "why," which is key.

Why is this something that is spam?

Not just going to a spam filter and junk, and set it and forget it.

Literally understanding, why is it?

Understanding the objects within that particular phish and then being able to do something with it.

And teaching them how to differentiate legitimate email from fraudulent counterparts.

Dissecting the attributes.

This is all part of building a framework.

And then from there, you're able to start classifying the risk of each particular email.

Maybe that email, you get a sufficient email.

Maybe you see some common things there that you can quickly identify.

And it allows you to really speed up your operations.

You're not focusing on one particular email that you just don't understand, or there's something that's just a little bit obscure in there.

You're actually able to start forwarding it, and pushing things away, and focusing on the things that are really a threat to your environment.

And the advantage you get is the edge.

I mean, you have more of a significant edge.

You can really kind of highlight what you think is a real phishing attack to your organization.

It's educating end users, and it's going to kind of manufacture more of a risk-averse culture.

So now once this framework is built in place, you have your tools, you have users that are understanding how to really break down what these particular objects look like, the attributes within them, the common characteristics, now you've become more risk-averse.

You've kind of built that human firewall, which would allow you to be able to be less averse to any type of attack based on just simple, simple distributions of email.

So kind of to summarize really what we talked about, miscreants in the cyber realm, they use similar philosophies, exploitive offenses, just like in the offense and the defense of football, as a genre.

Organizations are charged with identifying the weak links, which we all are.

We have to figure out who's weak, how are they weak, what are the things that they've done, whether it's phishing, been exposed from social media attacks or credential theft.

Being able to understand those particular behavioral vectors that are pretty common.

And then being able to counter and reinforce those by maybe installing or implementing a threat-hunting enablement group or really assisting the forensic and IR teams, getting into understanding user awareness as well as being able to build more proactive defenses.

With that, any questions?


What's your take on an internal employee clicking on a phishing email and say it was not a [INAUDIBLE] internally, because there was an actual-- there was a malware [INAUDIBLE] or something.

What's your disciplinary action [INAUDIBLE]?

For them just accidentally and inadvertently doing it?

Yeah, what do you think about that?

Yeah, that's a good question.

So I hate to say "disciplinary," because you almost think, oh, that one time, that's it and you're done.

It depends on what the program is in place at that organization, from what I've found.

So in one, you have to find that patient zero.

It's difficult.

Once your teams have done the analysis and said, oh, yeah, we found this user, whether it's looking at [? AD ?] logs or looking at user activity.

Once we identify it, then you go back.

We usually try to bring them in.

And what we've done, actually, is done scenarios with them.

So if you can get-- again, I know this isn't easy for every organization.

But we were able to do some things that were pretty creative by building up-- we had our own sandbox environment.

We were able to kind of show them a scenario of that-- kind of break down just different-- and we didn't have the actual email.

I think we had to kind of just walk them through scenarios of an email.

But it was more educating them on it, seeing what things that tripped them up.

Was it just a link?

Did they understand what that was?

And so that's why that awareness is key.

You can have the tools, you can have the policies, but if a user doesn't understand exactly basic things, attributes, then you're going to have a problem.

So I think really kind of walking them through and showing them a little bit was [INAUDIBLE] we addressed that.

So it was a good question.


[INAUDIBLE] honeypots.

[INAUDIBLE] Good question.

Good question.


It's interesting.

So it could be labor-intensive.

Depending on the scale of your honeypot distribution system.

So the key is having to update them.

You have to update them.

You have to ensure signatures or your sensors actually have the right signatures to detect what you're looking for.

You have to have a team that understands how they're in line.

I think deployment of them is really, really key.

It's how you deploy them versus having them stood up.

But it could be some level of an effort to do.

We had guys that just literally come from doing it, that they were familiar with how to stand up honeypots and then convince a management and an organization to actually deploy those in some segment of the network.

But it could be fairly intensive, depending on your scale, if you have experience to really get something out of them.

Some people deploy them, and then they don't manage them right, so then you're not getting good intel, you're not seeing and detecting things.

It's just really-- so in my experience, I think there is some level of management that it takes for those.

It's not a simple deploy.

So I do want to make that clear.


We try to implement elements of these things.

And I think I heard earlier this [? crawl ?] sort of [? ?] It is, literally, you're trying to get to a certain point.

And if you can get to a point where you're able to manage certain elements and then build upon those, whether it's I have a hunt team, where do we go from that hunt team?

And can we bring in some of these things?

I think that's sort of the goal.

So that's a good question.


Any questions about the football part?


[LAUGHS] Hopefully this was useful, and if you have any other questions, I'd love to chat with you guys after.

And thanks for your time.

About Detect LIVE

We believe that threat intelligence holds the promise of allowing organizations to better manage risk and develop resilience. Detect LIVE, brought to you by Anomali, is a virtual event series that provides a platform for security executives, practitioners, and researchers to share insights and experiences related to threat visibility, detection, and response.