Responding to Lateral Movement
You just detected an adversary moving laterally in your environment. Now what? Join experts from Red Canary and Kroll to learn how to cut mean time to remediation and reduce the impact of incidents.
You will learn:
- Lessons from a series of rapidly spreading Emotet infections
- Critical considerations and tools for scoping, containment, and remediation
- Trends across industries and organization sizes
- Step-by-step response plans
Whether you’re a team of one or a dozen, you’ll walk away with a solid action plan and foundational metrics you can use to start improving your response processes today.
01:50 Presenter Introduction
03:19 Webinar Agenda
04:24 What is Lateral Movement?
08:55 How Emotet Propagates
09:35 “A lot of organizations find themselves playing catch-up with some of the best practices around having a decent antivirus product out and deployed.” – Scott
09:55 “A lot of people are still in the mode of giving local admin to everybody.” – Scott
10:30 “The first thing Emotet is going to try to do is dump passwords on an initially infected system, and then it’s pretty short work from there to keep moving from system to system with that same admin password.” – Scott
10:55 “Think about the internal movement possibilities if someone is able to get administrator credentials and then use those open protocols.” – Scott
11:27 “You may realize that 95% of our systems are under management, but the remaining 5% can just as easily get infected. And if they are not being covered with inventory tools, antivirus, or whatever other measures you have, they can continue to reinfect other systems, making it very hard to get ahead of an outbreak.” – Scott
12:39 3 Phases of Response
15:17 Phase 1: Visibility
15:34 What Data You Need
16:16 “The main things you use for process auditing are things like the command-line: what are the network connections every process is making, what are the file modifications, and any Windows registry entries and services that were created.” – Julie
16:57 Accessing The Data
17:03 “There are a number of free and paid tools, many of which you’ve probably either heard of or worked with in your own environment.” – Julie
20:58 Phase 2: Containment
21:09 Stop Infection & C2
21:45 “There is going to be a network component where it tries to call home to its command and control to either get an update or to bring down the infection again. This can get really interesting if you have mobile workers versus corporate workers that are behind some of your other controls.” – Eric
23:32 Tools
26:28 “Some of these can be managed using Active Directory Group Policies. Some of them can be baked in with the tools you already have.” – Tony
27:40 Phase 3: Response
28:00 Undoing The Damage
29:08 “If you can limit it to a specific workstation, you really reduce the harm that one of these outbreaks can do to an organization as a whole.” – Scott
32:09 Process Tips and Tricks
33:02 “We’ve found that response tends to be more iterative. You toggle back and forth between the containment and eradication.” – Scott
36:55 Improving Efficiency
37:58 “We’ve found that the most important thing is to know the threat, and to know what it is you’re trying to get under control.” – Julie
40:07 “I would definitely encourage you to look through the tools you already have and see where you can automate part of the process.” – Julie
40:20 Tracking Our Progress
42:07 “Automation can come down to something as simple as API calls to open a ticket.” – Phil
44:04 What to Put in Place Today
49:12 “Before these incidents occur, understand the risk to your organization and write policies.” – Scott
51:30 Questions & Answers
51:40 Question 1: Even with Windows environments that have macOS in them, there is a potential for lateral movement around macOS machines.
51:53 “It’s still possible to move around with SMB with non-Windows machines, but it is a little bit easier to use other protocols like SSH.” – Tony
52:52 Question 2: Are there open-source SOAR options?
53:20 “It’s an undeveloped space for sure.” – Scott
53:37 “There is so much possibility for them to be customized to the environment. It’s kind of odd to have that kind of customizability and that sort of support with a community option instead of having paid support and somebody paid to work 100% of their time on it.” – Tony
54:00 Question 3: We have a small security staff, but a large number of employees. Can you recommend any methods for more of an automated approach to blocking lateral movement instead of inspecting each particular use of PowerShell or something similar as an example?
54:16 “I hear ‘automated approach to blocking lateral movement’ and I think of an IPS system.” – Tony