Presented at BruCON 0x0A (2018), Oct. 4, 2018, 4:30 p.m. (60 minutes).
Disrupting the Kill Chain is a defender’s approach to minimizing cyber-adversary access and success in a Windows environment. It builds upon my previous work on ‘Defending a Microsoft Environment at scale’, which spoke to the innovations made in Windows 10 and the capabilities of a native Microsoft stack to launch a capable defense against most vulnerability classes. This talk is a bluebook of the most effective and efficient controls in Windows 10 and an associated Microsoft environment for disrupting the kill chain.
This talk focuses on leveraging the capabilities of a Microsoft stack to launch a capable defense against most vulnerability classes. It starts out by describing the Lockheed Martin kill chain in conjunction with the MITRE ATT&CK framework and explains how we have used them to build a defense model. We then delve into specific capabilities of the Windows subsystem to detect and respond to the various stages of an attack lifecycle, including: Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration and Command and Control (C2).
As we continue, we describe a working defense model that delves into some of the more effective and efficient controls in a Windows 10 ecosystem that address several categories of attacks. These higher-efficiency controls are detailed in a few sample deployment guides that are made available on GitHub and are based upon the “single platform approach” I’ve previously described in my other talks. We then discuss the different ways in which logging and monitoring data can be collected and analyzed at scale, and implementations that extrapolate the telemetry from these indicators across Microsoft Windows to an enterprise view that reduces noise and improves signal. To do this, we explain how WEF (Windows Event Forwarding) works, walk through a sample Sysmon deployment guide, show how to collect rich event metadata from all Windows Event Log sources to build correlation, and finally cover the more recent technique of log collection and hunting using Windows Defender telemetry data. We don’t address traditional SIEM implementations but talk about specific use cases that address the MITRE ATT&CK framework. (Samples of such an approach are visible in my previous talks detailed here between Pages 16-25).
During the second half of the talk, we delve into some of the automated remediation and incident response capabilities built into the Windows Defender ATP product and how it can be used for hands-free triage and remediation through the use of automation playbooks (Hexadite). We cover scenarios ranging from basic malware-hunting techniques such as frequency analysis and process trees to other indicators that may point to suspicious behavior.
In closing, we sum up the topics covered, provide some disclaimers that this is not a silver bullet for all attacks, and simply reinforce the message that basic hygiene and a handful of properly implemented controls are indeed effective in disrupting the kill chain.
Presenters:
Vineet Bhatia (@ThreatHunting) runs cybersecurity operations. His work focuses on digital forensics, threat hunting and aviation cybersecurity.