02:49 Panelist Introduction
04:20 Why we produce the Threat Detection Report
06:50 “We are day in and day out doing security operations work with our customers” -Keith
07:55 “How do you get started with all of these different techniques? Prioritizing. Prioritizing based on what real threats are doing and we have that visibility at Red Canary so why not share that?” -Katie
08:12 Webinar Agenda
09:11 What data we use to create the report
09:52 “Throughout 2019, on average, we were parsing roughly 200 billion pieces of endpoint telemetry per day. To put it another way, we were ingesting about 115 terabytes of telemetry on a daily basis. That all gets forwarded into our platform. Our platform also has a variety of detection criteria built into it that is developed by our detection engineering team. It’s roughly 1,500 or so behavioral analytics that parse through this endpoint data and look for matches.” -Brian
11:28 “We attempt to map all of these behaviors back to a MITRE ATT&CK technique. Each of those 1,500 confirmed threat detections will include one or more ATT&CK techniques that are associated with them.” -Brian
12:20 What’s in the report
13:24 “Threats don’t occur in isolation, threats are generally parts of attacks, and attacks are parts of campaigns. Even at the bottom level, any given threat is going to be made up of many different behaviors.” -Brian
16:05 Reviewing the top ATT&CK techniques
16:44 The top ATT&CK techniques by industry
16:44 Overview of Industries: Finance, Education, Healthcare, Retail, Manufacturing, Services, Technology, Energy, and Transportation.
17:13 The top ATT&CK technique – Process Injection
21:32 Understanding the trends we are seeing
23:20 “None of these tactics occur in isolation. Even one piece of malware is going to exhibit a number of these behaviors. The top 10 doesn’t appear out of thin air. It is the product of a lot of adversary tactics they are trying. They are seeing what sticks, and the things that stick, we can expect to see more of. Last year’s data was a great exemplification of the phenomenon.” -Keith
24:30 “No matter what the threat was, it followed a relatively similar pattern based on three overarching phases: how they get in, how they get around, and how they get paid.” -Tony
25:09 “Where an adversary starts on a network is not the place they are going to end up.” -Tony
26:15 “Our data in this report is shaped in no small way by Trickbot engagements. The behaviors that Trickbot uses in its infections are very prevalent in our top 10.” -Brian
32:39 “The biggest trend we saw in the last year was lateral movement was pretty much automatic. It happened in a variety of ways. Trickbot, Emotet, and several other malware threats can use SMB exploitation to get around, but why burn an exploit when you can just use legitimate credentials? In many cases, we saw legitimate credentials were cracked, stolen, or guessed from various malware families. Those were used to get around automatically.” -Tony
37:54 “There is a tight correlation between requested access codes and particular pieces of malware or particular behaviors going and accessing credentials. That can lead to really successful detection, and that understanding is really valuable for implementing preventative controls.” -Keith
42:20 “The last two years have been dominated by the trend of get a foothold, move laterally, and then lock up an entire enterprise.” -Keith
45:19 Commands we have seen for different techniques
48:29 How you can put this information into action
48:59 For Analysts
49:47 “This whole report is about assessing priorities. Are you spending too much time on threats that aren’t relevant to you? Do you know what you are likely to face? The most important part of all of this is learning what to look for. Understand what malicious looks like in your environment in the telemetry.” -Brian
50:40 “Every organization is going to have different threats. They’re not going to be distributed equally.” -Katie
51:48 For Architects
52:35 “The best intelligence you can have in your organization comes from the inside. The first thing you want to do is go talk to your analysts and your IT people and figure out what threats they are worried about. Take the threats they are worried about and compare them to the report.” -Tony
54:30 For Leaders
56:52 “No matter what type of team you lead, you take all of the stuff we talked about and tie it up in a nice bow for the people you lead and work with directly. No matter the level, everyone is getting better.” -Keith
57:20 Key Takeaways
57:45 “Take a look at what we have and then apply that to where your visibility gaps are and where you need to improve your detection.” -Katie
59:00 Questions & Answers
59:08 Question 1: Any observations on Cobalt Strike usage during our response engagement and what we are seeing this year?
01:00:15 “Where Cobalt Strike has made things interesting this year is that we have seen multiple adversaries in the same environment.” -Tony
01:01:50 Question 2: How do we detect bad use of good tools?
01:05:09 “The best thing you can do to get started on this is to focus 80% of effort on what has been publicly documented. Don’t worry about chasing all the hypothetical uses until after you get that 80% done.” -Tony