
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team PDF

27 Pages·2017·1.32 MB·English

Preview Keeping Up with the Adversary: Creating a Threat-Based Cyber Team

#RSAC  SESSION ID: AIR-R03

Keeping Up with the Adversary: Creating a Threat-Based Cyber Team

Anthony Talamantes, Manager, Defensive Cyber Operations, Johns Hopkins Applied Physics Laboratory
Todd Kight, Lead Analyst, Defensive Cyber Operations, Johns Hopkins Applied Physics Laboratory

Slide 2: Where We Were — Ground Up Approach
Continuous Monitoring
— Anti-Virus
— IPS/IDS
— Blackhole/Sinkhole
— Sandboxes
— Application Whitelisting
Triaging
— Alerts
— Tickets
— Initial IR
Mitigation
— Internal
— USG
(Also labelled on the slide: Threat Intel, Behavioral, Hunting)

Slide 3: APL Targeted by Nation State – Case Study
Malware evolution
— Persistence in Registry
— Enumerate running processes
— Anti-Analysis Techniques
— TASKKILL on malicious process
Actor Consistencies
— Office themed emails
— Time stomping
— Used SSL for C2
— Active development

Slide 4: Peer Collaboration - Nation State Compromise
Never Let a Good Incident Go to Waste
Extensive use of cloud and SSL
— C2
— Exfiltration
— Distributing malware
PowerShell
— Reflective injection
— Lateral movement
Persistence
— WMI
— Scheduled tasks
— RunOnce
Actor’s actions on network – more agile than incident responders

Slide 5: How Would Our Defenses Perform? — Ground Up Approach
Continuous Monitoring
— Anti-Virus
— IPS/IDS
— Blackhole/Sinkhole
— Sandboxes
— Application Whitelisting
Triaging
— Alerts
— Tickets
— Initial IR
Mitigation
— Internal
— OSInt
— USG

Slide 6: Philosophy Change
Red Queen Hypothesis proposes that organisms must constantly adapt, evolve, and proliferate not merely to gain reproductive advantage, but also simply to survive while pitted against ever-evolving opposing organisms in an ever-changing environment.

Slide 7: New Philosophy — Top Down Approach
(Vertical label alongside the layers: Threat Intelligence)
— Threat identification: target advanced tactics, techniques and procedures of adversary
— Threat Emulation, Actor Profiling, Tradecraft Analysis, Orchestration
— Malware Analysis, Operationalize Malware analysis
— Hunting Behavioral Artifacts
— Enlightenment
— AV, Sinkhole, IPS, Firewall
— Silver Bullet or Single Event Assumptions

Slide 8: Cyber Threat Team Construct
Four functions: Adaptive Research, Red Team, Analytics, Development
Items listed on the slide:
• Blue sky threats
• Research threat actors
• Purple Team collaboration
• Threat Intelligence
• Hybrid Threat Emulation
• Tradecraft research
• Proof of concept testing
• Profiling and Patterns
• External Adaptive RT
• Hunting
• Scripting
• Continuous monitoring
• Content Creation
• Gap analysis
• Compound Correlation
• Fidelity identification
• Enrichment
• Comparative analysis
• Orchestration

Slide 9: Defensive Cyber ConOps
Cyber Threat Team
• Research
• Adaptive Red Team
• DevOps
Cyber Hunt Team
• Analytics
• Ad-hoc hunting
• Pivoting on artifacts
• Behaviors of compromise
• Procedural
• Artifacts of compromise
• Closing steps
Analysis & Response
• Analysis & Response to alerts

Slide 10: Putting it All Together — Building the Team

Description:
Red Queen Hypothesis proposes that
Adopt a framework for addressing threats.
Identify gaps and understand capabilities and competencies.
