Optimize SecOps Investigation and Response to Stop Sophisticated Attacks with Cortex XDR and XSOAR

Captions
Peter Havens: Hi everyone, thanks for joining us for this breakout session, where we'll demonstrate how security professionals can leverage SOAR and XDR tools to speed up triage, investigation and response to sophisticated attacks spanning multiple users and endpoints. We'll show you how Cortex XDR can provide visibility into the specific impact of a critical breach, and how automation with Cortex XSOAR can speed up response times and orchestrate remediation actions. My name is Peter Havens and I work on the Cortex product team at Palo Alto Networks. For today I will be playing the role of a SecOps incident responder, which might be similar to a tier 2 or tier 3 analyst in your organization. I'll be in charge of doing a full investigation and confirmation of the extent of the breach.

Pramukh Ganeshamurthy: And my name is Pramukh Ganeshamurthy and I am part of the Cortex XSOAR product team. Today I will be playing the role of a triage analyst in the SecOps organization, which might be equivalent to your tier 1 analyst.

Peter: So we have a pretty interesting attack scenario for this demonstration, which was cooked up and executed by our very own cyber security guru John Bradshaw here at Palo Alto Networks. For the purposes of this demonstration we have disabled prevention and left sensors in detection-only mode. This gives us a better picture of the defenses across the life cycle of the attack. The attack itself takes several hours to execute, so prior to this we've gone through the entire process. So let me give you a quick summary of the actions that were taken, and then we'll show you what it's like to use SOAR and XDR tools to respond to an incident like this.

All right, so this one, like so many others, begins with a spear-phishing email that was sent to a number of users, luring them in with a subject of "Comic-Con and Avengers: Endgame project gag reel", because who wouldn't want to see more of that? From the phishing email the adversary is going to land a RAT, a remote access trojan, as the core payload and leverage it to establish command and control within the organization. From there the attacker will do some recon on the compromised hosts and start to attempt to move laterally within the organization. As they experience some success moving laterally, they will attempt to establish multiple beachheads in case some of the endpoints are taken offline. As we've seen in the past, the adversary may set up some of the compromised hosts as sacrificial lambs, if you will, in case their actions are discovered; then they can lay low for a period of time and resurface the attack from another compromised endpoint. The adversary will work to establish persistence in the organization, and once they have a firm foothold they will move toward the mission objective, which in this case is the exfiltration of some data of significant value. We'll uncover more as we investigate the attack. So we'll start the demonstration with Pramukh starting his shift just after the attack, playing the role of a SecOps triage analyst, which might be similar to a tier 1 analyst in your organization.

Pramukh: Hello everyone, I am a triage analyst and I am just getting started on my shift. Today I monitor Cortex XSOAR's dashboard page to track all new cases assigned to me. I see a high-severity incident generated by Cortex XDR that is assigned to me for initial triage. Let me go ahead and take a look at this incident right away. Oh my gosh, this incident has 68 other alerts associated with it that were detected on several different hosts, involving multiple users. Before I take a look at this case on Cortex XSOAR's case management section, let me mark this incident as a favorite so that it is readily accessible to me all the way through its successful remediation. I see that this incident has just occurred and involves 22 high-severity alerts and 47 alerts of medium severity. Gosh, there are four potentially impacted hosts affecting five users. I am glad there is a Cortex XSOAR playbook already associated with this incident. Playbooks are task-based workflows consisting of incident response actions that run automatically in the Work Plan section. Playbooks can also enforce SLAs, either on the individual task level or on the overall playbook level, with the help of a timer. This saves a lot of time for our team to conduct advanced security research. Without XSOAR, the same amount of time would have been spent on dealing with initial incident response actions such as assigning incident ownership, incident enrichment, indicator extraction, reputation checks, conditional checks, among several other automated response actions. In fact, it was the playbook that automatically assigned me the ownership of this incident, as it knew my shift schedule and also had learned about my past incident triage actions. Thanks to XSOAR, today we use the same time to perform security research on the latest cyber threats, which helps us in strengthening our overall security posture.

The playbook has already executed several initial tasks, such as performing XDR alert syncing, checking if there is user information in the XDR incident and, if so, extracting user info into the incident context. All the tasks under the file analysis section have also been completed. It seems there are files to be analyzed. This task has used Palo Alto Networks AutoFocus to perform sample analysis on the files and has provided the list of parent processes and actions. It is interesting to note the mention of several processes along with registry information. I will go ahead and mark the registry information as a note and add the details to the evidence board. It is possible to add the details to the evidence board right from within the task. The registry information is now available under the evidence board, so that auditors and other users who are interested to know about this information can always look it up under the evidence board section.

Okay, so there are three tasks waiting for my response. I'm not sure which accounts were impacted, so I cannot make a decision at this point about which user accounts to disable or anything related to email actions. There is this task that is waiting for my approval to block an IP on the firewall. The IP 2.2.2.199 is clearly an external address to the organization and is not part of the trusted allow list. Let me check the details of this IP on XSOAR's indicators page. Hmm, there are 12 hits so far. Let me check the details of this IP on XSOAR's Threat Intel Management section. Here I see its reputation, timeline information, IP location details and also related incidents. Since it's clearly a bad external IP based in France, I will go ahead and approve this action to block this IP immediately on the firewall. Lo and behold, the external IP address has been blocked successfully. Given that there are potentially four impacted hosts and five potentially compromised users, let me get some expert help from Peter to investigate this incident further. I will add Peter to this investigation so that he can immediately take a look at this incident and perform an investigation. Cortex XSOAR's War Room functionality really makes it easy for me to actively collaborate with my teammates and get immediate help.

Peter: Okay, so I'm just waking up and I've got a notification on my phone that I have a new incident to investigate. Probably nothing serious, I hope, but I'd better take a look. Uh, all right: four hosts, five users, an active threat, high severity. I'd better dive into this one right away. So the first thing I will do is open up the XSOAR homepage, and I see a new incident. Let's go ahead and take a look and see what we've got here. This actually looks serious. Right off the bat I can see this is a significant attack campaign involving a number of users and hosts, and I see a lot of alerts in the incident. I think I'd better dive right into Cortex XDR for a closer look. I've got the link directly into Cortex XDR here in XSOAR, and it's going to drop me right into the incident. Great. So normally when I launch into XDR I get to see my home screen, which contains my dashboard with a summary of all the incidents and things that I like to monitor here, but in this case I'm already directly in the incident I need to investigate, so let me go back there and get started.

First I'm going to let the rest of the team know I'm investigating this, so I'll click on Actions and change this to "Investigating". And I can see one, two, three, four different users involved in this incident. Looks like user C. Collier might be at the center of this one: three different endpoints and one of our Windows servers. Okay, let's see what software was involved here. I see Mimikatz was used, probably, obviously, to compromise credentials, and we've got this Avengers Endgame executable. It looks like someone may have thought they were watching an MP4; we'll have to look into that. We can grab the WildFire report of this guy and see exactly what it did. Okay, you can see the WildFire report here. I can also just download that and save it for later, which is what I'm going to do. In addition to pulling the WildFire report, I've got access to AutoFocus for additional threat intelligence about this malware as well, and I can click right into that here. All right, what else? Some other living-off-the-land binaries and executables. Looks like there was some use of PsExec, probably leveraging the credentials gathered with Mimikatz to execute commands on other systems and move laterally.

Okay, at this point I need to take a step back and fall back on my offset training and try to answer the following questions: which user accounts were compromised? What persistence mechanisms have been put in place? Which systems are involved? What's the endgame, the mission objective? And what were the tactics, techniques and procedures that were employed here? And then ultimately I need to identify what actions we need to take in response to the breach. Fortunately, most of that information is automatically collated and stitched together for me in a single incident in Cortex XDR, without the need for anyone to dig into a bunch of different data sources and pull this together manually.

Let's get into the details. We can see here that we have 69 alerts as well as another 138 insights. Wow. So hopefully you're already seeing the amazing value that Cortex XDR brings to the security analyst: I have all this information pulled from many different sources, all together in one place. All the heavy lifting of collecting the artifacts of the attack is basically done for me. Let's look at these insights. Insights may not rise to the same level as an alert, but they show us additional information about the behavior of the adversary, and with this one we can see there's a full-fledged attack with some data collection happening: credential access, discovery, evasion, execution, lateral movement, you name it. A lot of reconnaissance as well. If you want to know more about these specific TTPs, I can scroll over and find the links to MITRE, which will provide me with all the details I need.

All right, well, let's see where this all started. I'm going to sort my alerts by timestamp and analyze the earliest one. Looks like we've got a firewall alert that fired first, and then I can see that we started to get some alerts on PC1, and that is associated with user C. Collier, so I'll analyze that and see what happened there. And remember, for this demonstration I have everything set to detection only. If prevention on the firewall or on the endpoint agents was on, we would have stopped the attack here and at numerous other points in the attack lifecycle. Let's look down the timeline a bit more. I see our second system here, and the user was W. Sanchez. Let's analyze that as well. Now if I want a more focused view on just a single user or PC, I could quickly filter this list with my Key Assets section of the incident. I'll just right-click here and filter based on the next user, C. Shadwick. Okay, looks like user C. Shadwick is also involved, and on one of our Windows servers. Let's also analyze what's going on there.

All right, let's see what happened. I'm going to jump over to the tab with the C. Collier investigation, and there we've got a nice picture of everything that was going on in this flow. Let me zoom in here and see what we can see. Looks like a lot happened here, and right off the bat I would probably isolate or quarantine this endpoint from my Actions menu here, but given this is a shared demo environment I don't have that option or access to do that. But that would likely be my first action if I did; that way I could make sure this endpoint could not participate in or initiate any other network activity other than the communication to our XDR service or other facilities that I've set up as allowed when the endpoint is isolated. Okay, looks like this started with 7-Zip, so somebody's opening a zip file, and then we have a file type obfuscation alert here and a process with a double extension. It looks like our user thought they were watching a gag reel video, but instead they were executing the malicious payload, which launched the Quasar client. Then it looks like it jumped through some hoops to relaunch itself, probably with elevated privileges. Okay, looks like it's scheduling a task to start the Quasar client on startup, and there we go, with /RL set to HIGHEST for elevated privileges. There's a bit of persistence. From there it looks like we have a lot of commands that were executed from a cmd prompt. We can look at those; we'll scroll up to the top here. Looks like it may have started by attempting to kill the antivirus agent first, and then we've got some recon going on here. Seems to have started with, let's see, looks like it's looking for user group information, probably trying to find a user who might have access to something important. Okay, here it's trying to gather credentials via Mimikatz and ProcDump on LSASS. If you wanted more information on this technique, we can click on the alert here and jump right to the detailed description of the technique in MITRE. All right, back to the investigation.

Okay, so if we keep going down, ultimately we can see the attacker is leveraging what he's learned in the reconnaissance phase and attempting to execute his payload on other systems on the network. Well, I have a pretty good high-level idea of the adversary's motions here on Collier and PC1. Let's hop over to one of the other systems and see how some of the other users and computers were affected. All right, so I'm going to open the tab with the W. Sanchez investigation, and we've got our causality view again. It looks like a lot of the same, and that makes sense, as it's the same payload. We can see here the start of the execution is different, as on W. Sanchez's system it began with PsExec rather than 7-Zip, and that lines up with what we saw in the lateral movement from C. Collier's system. It looks like this Quasar client is at the heart of the attack. It would be interesting to get the WildFire report on this, so I'll just click here and download that. Again, if you wanted to look at the WildFire report, it's right here in the interface. Great, so I have full access to the dynamic analysis WildFire did on this executable. I can view the details here, but I think I'm going to save this for later, so let's close that and have a look at some of the commands that were executed on this endpoint. Okay, looks like some more credential harvesting was done, so it's safe to assume we have another compromised account. Let's take a look at some of the processes. All right, in general it looks like a lot of the same sort of reconnaissance I saw in the first system, maybe a little less activity. Let's take a look at our third system. So I'm going to jump over to the C. Shadwick tab here, and there we are, there's the causality view. Not a big surprise, looks to be more of the same, very similar to what we saw on the second system. This is our Windows server, but execution looks very similar to what we saw in PC2. Let's take a look at the processes, and we can see again that we have ProcDump of LSASS, so looks like we will add another user to the list of likely compromised accounts. I noticed this on the other systems as well: looks like the attacker is heavily leveraging WMIC for reconnaissance as well.

Well, I'm starting to get a pretty good idea of the users, persistence, the systems involved and the tactics, but I have a feeling I'm not done, because it looks like the adversary was exiting the environment and covering their tracks here and there, so I suspect they achieved their endgame, or their mission objective, but we don't know what that is yet. I have a suspicion that the adversary did most of their work on C. Collier's system, so I'm going to go back there and take a closer look at their actions. So let's go back over to the C. Collier tab, and now I'm going to drop down into the forensics table on this Quasar client and see what it's doing. Let's start with the processes that it executed, and there we can see our scheduled task that we saw earlier, and here we see it looks like it's cleaning up after itself by deleting its scheduled task a few hours later. All right, let's check out the network connections it made as well. Okay, looks like it's making an outbound connection to an unknown host, 2.2.2.199. Okay, right away I know that's not an IP address I recognize, so I'm going to right-click on that and open Quick Launcher and just try to find out some more information about activity associated with that IP address. We'll check some outgoing connections from that IP and see what we can see, and Query Builder pulls up all of the information about connections to that IP address, and I can see here, yeah, as I suspected, it looks like this is in France, and we don't have any business in France, and I'm pretty sure this is not something within our organization. So, good to identify that, as that could be the IP address of our attacker. Let's take a look at some of the file activity. Okay, I see some interesting batch files here. Let me just filter on .bat and see if I can see other ones, so put in a startup .bat filter, everything else out. All right, and I see a recon.bat file; that's likely what initiated all of the net group recon and WMIC commands that we saw. And I can get this level of detail for process activity, file, network and registry activity, as well as the DLL modules loaded, etc., on every step of the execution. And remember, I didn't have to do anything to pull this information together; it's automatically stitched into the incident within Cortex XDR.

So it looks like a lot of activity was launched from the cmd instance. Let's take a look at some of the executions here. All right, sorting by time. Uh oh, okay, that doesn't look good: SQL command. I know that IP range, I think that's one of our customer database servers, and it looks like we have another compromised user account here, the SQL sa account. That is not good. All right, then it looks like they mounted the SQL server using another compromised account, the sc admin account. Really not good. And then, oh, just after that I can see that it looks like they compressed some of our demonstration documents, probably to prepare them for exfiltration. Definitely not good. Last, it looks like they were covering their tracks with the Windows event log utility and clearing the application, security and system logs. Okay, let's take a look at the file activity. All right, what's this? Looks like they created a backup file. Wonder what they were backing up. There it is, on the DB server again. Okay, I think I may have found their endgame: it looks like they successfully exfiltrated 200 megabytes of data from our customer database.

Right, so I'd still like to identify where this all started from, so I'm going to go back to my incident and look at my firewall alerts and try to see if I can identify where this all originated from. I'm going to add the ability to look at email subject and sender information, and hopefully we'll find out what the source of this was, and we can remediate that as well. Okay, here I can see the email subject, the sender, etc., all the information about where this started from, and that should be in XSOAR so we can respond and pull those out of Exchange Web Services.

Okay, so we've done a lot, or I guess I should say Cortex XDR has done a lot for us. It's answered all of the upset questions for us: we know what users are involved, what systems are involved, we know the persistence mechanisms that have been used to maintain a presence in the environment, we know the endgame, the mission objective of the adversary, and we know the tactics, techniques and procedures they've used to accomplish those objectives. And we know the impact is significant in this case, so here's hoping we've got a Time Stone lying around so we can go back and turn prevention on; otherwise we've got some serious damage control to do in relation to this attack. But in all seriousness, I hope we know by now that prevention is not perfect and no solution will ever successfully block 100% of attacks. If you're not using a solution that can not only do a fantastic job of blocking attacks but can also provide you the visibility you need to determine what actions an adversary has taken if they got further in the attack life cycle than you would have liked, then what value are they really adding? I hope this demonstration gives you a sense of the value that Cortex XDR can deliver in giving you that visibility and transparency into a threat actor's behavior, and this is just scratching the surface of what Cortex XDR can bring to the table, coming from the perspective of a breach investigation.

After this investigation is wrapped up, XDR provides an awesome and complete solution for you to do additional threat hunting, leveraging the information you've learned from your investigation. You can use the Cortex XDR built-in Query Builder to do additional digging on similar indicators of compromise or behaviors that may have occurred in your organization, even if they were not identified as IOCs at the time. All of that information is stored in the Cortex XDR data lake and available for additional threat hunting. In addition, XDR has the tools you need to respond and remediate. We've got both Live Terminal and our script execution engine, which can be used to do further investigation or remediate some of the actions that have been taken on those endpoints. I could leverage our Live Terminal to connect to some of the isolated endpoints and servers. With Live Terminal, right from in XDR, I can connect to my endpoints and get an interactive remote interface for examining the running processes and file explorer. From there there's quite a bit I can do: I can terminate processes that are running or suspend them, I can start an investigation to maybe get a verdict from VirusTotal or from WildFire, I can get the file hash, I can download the file, mark it as interesting, or just copy the value and use it in our Query Builder for additional threat hunting. I can also run command prompt commands, PowerShell commands or Python commands on any of the operating systems that Cortex XDR supports, directly through Live Terminal, and I don't need to worry about whether Python or the correct version of Python is installed, as the agent installation takes care of putting the right one in place for me. In addition to Live Terminal, I've got our script execution engine at my disposal for remediation. I can pick from one of the canned scripts included with Cortex XDR, or I can copy one and customize it, or create my own script, and I can run those scripts across any of the affected endpoints simultaneously and get feedback on how those executed, and use that for remediation actions on the endpoints.

Okay, so I'll head back to XSOAR and wrap things up. We've got some additional actions that the Work Plan is recommending we take, and yeah, we need to disable these users. So let's go ahead and disable C. Collier, C. Shadwick and Rogers, W. Sanchez, just to be safe, and we'll put a note in here just to make sure that we know we need to change their passwords, and it's a good opportunity to ensure that we enable MFA on these accounts if it's not already done. And yes, we identified the email, the phishing, the spear-phishing email that was at the heart of this, so let's go ahead and eradicate that from the Exchange Web Services environment as well, and I'll just put a note here to clarify what we found in the investigation phase, and we'll mark that as complete as well. And I've got a few other actions I've got to follow up on, so I'll go ahead and disable additional user accounts associated with the investigation. We'll go ahead and disable the sc admin account we identified that gave access to the SQL server. And finally, I'm going to leave a note for my colleague to let them know that I've wrapped up the investigation and that we have a few additional actions left to do. So that's it for me. I'm going to hand it back to Pramukh to give you a little bit more of an explanation of how XSOAR does its thing. Take it away, Pramukh.

Pramukh: Cortex XSOAR has really made our lives easier, since we no longer need to have direct access to the enforcement points, such as the Active Directory server or the firewall or the Exchange web server, to perform remediation actions. Once provided with approval, XSOAR takes care of the enforcement of response actions by itself with the help of orchestration. Analysts can always use the built-in command line interface to perform ad hoc orchestration of response actions on other security products from a central place, without having to switch screens. They don't have to spend any time in opening further tickets for remediation procedures, since everything is documented automatically in XSOAR's War Room functionality and is available for quick reference even after closure of the investigation. Given the busy schedule and time sensitivity of analyst and incident responder actions, there is always scope for human errors to seep into SecOps. XSOAR's task-based workflows and automated response actions ensure no human error occurs.

Peter: Thanks, Pramukh. I hope we've been able to show you how Cortex XDR can provide automated root cause analysis and unparalleled visibility into the impact of a critical breach. We've done some studies with our customers of Cortex XDR, and we've found that on average it has reduced investigation times by a pretty astounding 88 percent, by automatically stitching alerts across a multitude of users and endpoints and additional data sources into a single complete incident. And hopefully you've seen how automation with Cortex XSOAR can speed response times and really orchestrate all of those remediation actions. Thank you so much for joining us today, and stay safe out there. Thank you.
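The investigation above walks through a chain of endpoint behaviours (a double-extension payload launched from 7-Zip, a scheduled task with /RL HIGHEST, ProcDump against LSASS, PsExec lateral movement, wevtutil log clearing, an outbound connection to 2.2.2.199) and then "stitches" them into one incident that answers the responder's questions: which users, which hosts, what persistence, which TTPs. The script below is an added example, written for this page and not code from Palo Alto Networks or the Cortex products, that shows the same stitching logic over a handful of constructed process-creation and network events. Hostnames, user names, file paths and the C2 port are assumptions; the rule-to-technique mapping uses published MITRE ATT&CK IDs.

```python
"""Toy detection-and-stitching pass over constructed endpoint telemetry.

Added example, not Palo Alto Networks or Cortex code. The events mirror the
demo narrative; hosts, users, paths and the port are assumptions.
"""
import re

# Constructed process-creation events (not real telemetry).
EVENTS = [
    {"ts": 1, "host": "PC1", "user": "ccollier", "parent": "7zFM.exe",
     "image": "Avengers_Endgame_GagReel.mp4.exe", "cmdline": ""},
    {"ts": 2, "host": "PC1", "user": "ccollier", "parent": "Avengers_Endgame_GagReel.mp4.exe",
     "image": "schtasks.exe",
     "cmdline": "schtasks /create /tn QuasarClient /tr C:\\Users\\ccollier\\AppData\\Roaming\\client.exe /sc onlogon /rl highest"},
    {"ts": 3, "host": "PC1", "user": "ccollier", "parent": "cmd.exe",
     "image": "net.exe", "cmdline": "net group \"Domain Admins\" /domain"},
    {"ts": 4, "host": "PC1", "user": "ccollier", "parent": "cmd.exe",
     "image": "procdump64.exe", "cmdline": "procdump64.exe -ma lsass.exe lsass.dmp"},
    {"ts": 5, "host": "PC1", "user": "ccollier", "parent": "cmd.exe",
     "image": "PsExec.exe", "cmdline": "PsExec.exe \\\\PC2 -u CORP\\wsanchez -c client.exe"},
    {"ts": 6, "host": "PC2", "user": "wsanchez", "parent": "PSEXESVC.exe",
     "image": "client.exe", "cmdline": ""},
    {"ts": 7, "host": "PC2", "user": "wsanchez", "parent": "cmd.exe",
     "image": "procdump64.exe", "cmdline": "procdump64.exe -ma lsass.exe out.dmp"},
    {"ts": 8, "host": "PC1", "user": "ccollier", "parent": "cmd.exe",
     "image": "wevtutil.exe", "cmdline": "wevtutil cl Security"},
    {"ts": 9, "host": "PC1", "user": "ccollier", "parent": "cmd.exe",
     "image": "schtasks.exe", "cmdline": "schtasks /delete /tn QuasarClient /f"},
    {"ts": 10, "host": "PC1", "user": "ccollier", "parent": "explorer.exe",
     "image": "notepad.exe", "cmdline": "notepad.exe notes.txt"},  # benign control
]

# Constructed network event; 2.2.2.199 is the IP named in the demo, port assumed.
NET_EVENTS = [{"ts": 2, "host": "PC1", "image": "client.exe", "dst": "2.2.2.199", "port": 4782}]
KNOWN_BAD_IPS = {"2.2.2.199"}

def _low(e, key):
    return e[key].lower()

# (rule name, ATT&CK technique ID, predicate over one process event)
RULES = [
    ("double-extension executable", "T1036.007",
     lambda e: re.search(r"\.(mp4|pdf|doc|jpg)\.exe$", e["image"], re.I) is not None),
    ("scheduled task with highest run level", "T1053.005",
     lambda e: _low(e, "image") == "schtasks.exe" and "/create" in _low(e, "cmdline")
               and "/rl highest" in _low(e, "cmdline")),
    ("LSASS memory dump via ProcDump", "T1003.001",
     lambda e: "procdump" in _low(e, "image") and "lsass" in _low(e, "cmdline")),
    ("PsExec remote execution", "T1021.002",
     lambda e: _low(e, "image") == "psexec.exe" or _low(e, "parent") == "psexesvc.exe"),
    ("domain group enumeration", "T1069.002",
     lambda e: _low(e, "image") == "net.exe" and "group" in _low(e, "cmdline")
               and "/domain" in _low(e, "cmdline")),
    ("event log clearing", "T1070.001",
     lambda e: _low(e, "image") == "wevtutil.exe" and re.search(r"\bcl\b", e["cmdline"], re.I)),
    ("scheduled task deletion (cleanup)", "T1070",
     lambda e: _low(e, "image") == "schtasks.exe" and "/delete" in _low(e, "cmdline")),
]

def run_rules(events):
    """Evaluate every rule against every process event; return the hits."""
    return [{"ts": e["ts"], "host": e["host"], "user": e["user"], "rule": name, "technique": tech}
            for e in events for name, tech, pred in RULES if pred(e)]

def run_network_rules(net_events):
    """Flag outbound connections to IPs already known as bad (generic C2, T1071)."""
    return [{"ts": n["ts"], "host": n["host"], "user": None,
             "rule": "outbound connection to known-bad IP", "technique": "T1071"}
            for n in net_events if n["dst"] in KNOWN_BAD_IPS]

def stitch(hits):
    """Collapse individual hits into one incident summary that answers the
    responder's questions: users, hosts, persistence, credential access, TTPs."""
    return {
        "hosts": sorted({h["host"] for h in hits}),
        "users": sorted({h["user"] for h in hits if h["user"]}),
        "persistence": sorted({h["host"] for h in hits if h["technique"] == "T1053.005"}),
        "credential_access_hosts": sorted({h["host"] for h in hits if h["technique"] == "T1003.001"}),
        "techniques": sorted({h["technique"] for h in hits}),
        "timeline": [(h["ts"], h["host"], h["rule"]) for h in sorted(hits, key=lambda h: h["ts"])],
    }

def investigate():
    return stitch(run_rules(EVENTS) + run_network_rules(NET_EVENTS))

if __name__ == "__main__":
    for key, value in investigate().items():
        print(f"{key}: {value}")
```

The point of `stitch` is the one the demo makes about Cortex XDR: individual alerts are only useful once they are grouped by host, user and technique into a single timeline, so the earliest hit (the double-extension launch) and the last one (the task deletion during cleanup) sit in the same record as the LSASS dumps that explain how the second account was compromised.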
Info
Channel: Cortex by Palo Alto Networks
Views: 5,779
Rating: 4.9215684 out of 5
Id: 3ZAeF2MiSwY
Length: 30min 2sec (1802 seconds)
Published: Tue Aug 18 2020