Temet Nosce - Know thy Endpoint Through and Through; Processes to Data

Presented at DeepSec 2015 „DeepSec No. 9“, Nov. 19, 2015, 4:50 p.m. (50 minutes)

Most organisations today accept that they have been compromised or will be compromised. To that end it is key to be able to gather the intelligence from all sides to take informed decisions on the next steps. The ability to understand the Hows, Whens and Whats can help to responsibly disclose but also to take future actions to better contain and prevent compromise. By bringing back end point protection, using behaviour based techniques and real time or near real time local event correlation, as a keystone in security infrastructure, we start to answer questions like «how did it happen?» or «what did I lose?». This presentation will demonstrate that one of the most complete sources of actionable intelligence resides at the end point, and that living as close as possible to Ring0makes it possible to see how a malicious process or party is acting and the information being touched. Key step to moving forward and bringing better protection to the infrastructure is to move away from the traditional mechanism and bring forward behavioral detection through the real time or near real time identification and aggregation of the individual events happening on the host; identifying the malicious activities and blocking them. This talk looks at how introducing endpoint protection can answer some of the most pertinent questions in the incident response process: When was I compromised? How did it happen? How to detect the next malicious agent or APT? And importantly what was ex-filtrated and how sensitive is it? Using a simple tool like procmon will demonstrate that one of the most complete sources of actionable intelligence resides at the end point, and that by living as close as possible to Ring0 makes it possible to see how a malicious process or party is acting as well as the information being touched: By building a map of the events that the attackers or malware undertake and with this visibility introduce a mechanism to be able to detect, log and block the activity where it counts - at the endpoint. This presentation is targeted for forensics, incident response teams and IT security management who want a better understanding and control of what is going on at the end point.

Presenters:

• Thomas Fischer - Digital Guardian / Security B-Sides London
  With over 20+ years experience, Thomas has a unique view on security in the enterprise with experience in multi domains from policy and risk management,  secure development and incident response and forensics. Thomas has held roles varying from security architect in large companies to consultant for both industry vendors and consulting organizations. Thomas currently plays a lead role in malicious activity and threat analysis for Digital Guardian.

Links:

• https://deepsec.net/archive/2015.deepsec.net/speaker.html#PSLOT208
• https://infocon.org/cons/DeepSec/DeepSec 2015/Temet Nosce - Know thy Endpoint Through and Through Processes to Data - Thomas Fischer.mp4
• https://infocon.org/cons/DeepSec/DeepSec 2015/Temet Nosce - Know thy Endpoint Through and Through - Processes to Data - Thomas Fischer.srt (subtitles)

Similar Presentations:

• 31C3 (2014) / Doing right by sources, done right
• VB2016 / Last-minute paper: The Beginning of the End(point): Where we are now and where we'll be in five years
• 31C3 (2014) / The Invisible Committee Returns with "Fuck Off Google": Cybernetics, Anti-Terrorism, and the ongoing case against the Tarnac 10