1 of 20

�Need for Security: Simulation

Simon Howe - Regional Director, Asia Pacific & Japan

Brett Callaughan – Technical Director, Asia Pacific & Japan

2 of 20

2 ways to determine the effectiveness of your security program…

You can do it

or

Your adversary can do it

3 of 20

Does This Sound Familiar?

Core challenges…

Massive Escalation �in Threats

People Problem

Cybersecurity

Tools Sprawl

Biz/Board<>IT Security Communication Challenges

(Problem Slide/Warmer)

The Warmer: When we talk with CISOs like you recently, the overwhelming impression that we hear is that they are constantly behind the eight ball. Why?

We’re seeing a massive escalation in the number of threats to the organization. Which is why testing is more critical than ever as these major headlines are exploding and are increasing in frequency and impact.

We understand why CISOs are really concerned because your teams are incredibly reactive to all these different things going on. Things are evolving quickly and constantly changing. We’re constantly reacting from one major log4j to the next log4j or the latest headline. Your team has been stuck in this reactive mode for a prolonged period of time. Which is causing your team to feel pain and suffering. This has created a People problem.

You’re attempting to be more proactive by buying more security controls and tools. But buying and deploying more tools won’t solve the problem. The industry approach to installing tools and signing them off as a project once installed is broken. This has created a tool sprawl problem. Which in turn only exacerbates your Cybersecurity Talent Shortage and Gap problem.

We also hear that there are ongoing challenges communicating with the Business/Board. The Business is getting more & more concerned whether their cybersecurity program is working or not. Governance and IT Security don’t understand each other. They speak different languages. There’s missing data and evidence that the Board is asking for that the CISO’s team is unable to provide. We need to get the right data layer presentation together to communicate more effectively with the Board in the language that they understand. Biz/Board<>IT Security Communication challenges.

General Warmer hook questions (do it organically):

Does this sound familiar to you? Are you concerned about your people?
Do you feel frustrated that you are stuck in this cyber tool sprawl merry go round?
Which of these issues/challenges are most pressing for you and your team today?
Did we miss something important for you? What are you seeing that we’re not seeing?
Does purchasing and deploying a tool improve your security posture and reduce risk? Ultimately that should be the question to ask and the decision to make… Do you have the ability to ask and answer that question today?
Do you have a Red Team doing your testing? Or are you using external pen testers? Do you find that you’re forced into hiring more junior people due to the lack of cyber security talent?
What would you need to feel confident that you can defend your org against the next adversarial attack?
Can you and your team empirically prove to the Board and Regulators that you are okay today?

4 of 20

AttackIQ – what we do

Security Control Validation

Test your security controls to validate their effectiveness.

Cloud Security

Validate cloud security effectiveness for AWS, Azure, and third-party cloud security providers (next generation firewalls, micro-segmentation, endpoint detection and response).

MITRE ATT&CK

Leverage a library of scenarios aligned to the MITRE ATT&CK framework of known adversary tactics, techniques, and procedures.

Compliance�Align threat and risk management frameworks (i.e., NIST 800-53, CMMC, PCI with MITRE ATT&CK) to validate compliance effectiveness.

AttackIQ Security Optimisation Platform

A breach and attack simulation (BAS) platform that tests your security program by emulating the adversary at scale and continuously.

Seller’s Set-Up for Next Steps

Mr./Ms. CISO, based on what we’ve learned working with some of the top cyber teams in the world, is to focus on the Security Control Validation, Threat Emulation and Compliance use cases.

Note to seller: given our teaching conversation focuses on the question of “prove your security controls are effective”, we feel starting the prospect on the simple use case of security control validation (which happens to be our top use case) makes the best sense.

As far as engagement, we have a series of workshops that we facilitate with key stakeholders on your side. The intent of each of these workshops are to ensure alignment with your team on security control validation problem and potential solution working with AttackIQ.

Our first workshop is what we call a “Key Stakeholder Workshop”. In this workshop we will:

�Key Stakeholder Workshop:

Discovery session to align on the definition of the problem(s) we are trying to solve

Document the current state and challenges

Agree to the value proposition and desired business outcomes to solving the problem

Define future state and positive business outcomes

High level requirements

Define the minimum required capabilities in a solution

Preliminary business case and feasibility of solution

Determine a go no/go

Recommend AttackIQ Academy courses

Does this sound appealing to you?

Solution Design Workshop:

From this initial workshop, we move into our “Solution Design Workshop”. In this workshop we will:

Understand your topology and technology stack

Develop High Level Design (HLD), define the solution and required capabilities

Educate team on AttackIQ’s platform

Define scope and coverage of the AttackIQ solution

Finalize the use cases and business outcomes

Define key stakeholder roles and responsibilities (design, build, run)

Agree on the solution validation approach (technical validation)

Refine preliminary business case justification

Determine Go/No Go for solution validation

Solution Validation Workshop:

There are a number of options our customers have chosen to technically validate the solution. We suggest the following in this order:

Demo – tailored to the problem statement defined in the “Key Stakeholder Workshop”

Technical deep dives sessions – architecture design and more detailed HLD

POV/POC – define the scope, timeline, and success criteria of the POV/POC

Business Value Assessment - cost benefit analysis (CBA)

Go No/Go

Finally, we have an executive and key stakeholder review session:

Review current state, future state, outcomes expected

Review of design and technical validation results

Review preliminary solution scope and business case

High level program implementation plan

Mutual action plan (MAP) for success

Go/No Go

5 of 20

AttackIQ – what we do

6 of 20

Automate MITRE ATT&CK Framework

Adversarial Tactics,�Techniques & Common�Knowledge

7 of 20

AttackIQ Leading The Way

The Center brings together the best security teams from around the world to identity and solve the most-pressing problems facing cyber defenders.

https://ctid.mitre-engenuity.org/

https://attack.mitre.org/

8 of 20

AttackIQ Academy 33,000+ Cybersecurity Students from 180+ countries�Practice Creation + Community

https://academy.attackiq.com/

https://academy.attackiq.com/courses/beyond-atomic-testing-with-attack-flows

NN-SD79LSQPQ

9 of 20

AttackIQ Architecture

Direct API

Communication

TLS via TCP port 443

AttackIQ

Integration Manager

Integrations Communications

Utilize Native API’s

Security

Technology

SIEM

Customer Browser

PLATFORM

Management WEBUI

TLS via TCP port 443

REST API

TLS via TCP port 443

Windows

Windows 7

Windows 8.X

Windows 10

Windows 2008

Windows 2012

Windows 2016

Windows 2019

macOS

Sierra

High Sierra

Catalina

Big Sur

Monterey

Linux

Amazon Linux

Amazon Linux 2

Ubuntu 14.04+ LTS

Redhat 6+

Centos 6+

SUSE Linux

IBM zLinux

SIEM API COMMUNICATION

TLS via TCP port 443

x64 & M1

Win32 & x64

x64

10 of 20

AttackIQ Architecture (Prevention)

Management Web Interface�Accessible via Web Brower

Platform

TLS via TCP port 443

REST API

TLS via TCP port 443

Windows

Windows 7

Windows 8.X

Windows 10

Windows 2008

Windows 2012

Windows 2016

Windows 2019

macOS

Sierra

High Sierra

Catalina

Big Sur

Monterey

Linux

Amazon Linux

Amazon Linux 2

Ubuntu 14.04+ LTS

Redhat 6+

Centos 6+

SUSE Linux

IBM zLinux

x64 & M1

Win32 & x64

x64

11 of 20

AttackIQ Integrations (Detection)

Direct API

Native Technology API Communication

AttackIQ

Integration Manager

Security

Technology

SIEM

Native SIEM API Communication

PLATFORM

TLS via TCP port 443

12 of 20

AttackIQ Agent Architecture

AttackIQ

Management server

AttackIQ Agent Communications Agent Initiates Communication

TLS via TCP port 443

AttackIQ Threat Cloud Infrastructure

Attack Communications

Scenarios can initiate communications through the customer’s boundary to specified destinations on the Internet or to AttackIQ staged infrastructure.

ATTACKIQ AGENTS

AGENT

ATTACK

Interval Check-Ins to Management Server

Execute Assigned Scenarios

Activate Attack Module

Generate Detailed Logging

Collect and Submit Results and Logs

Boundary Infrastructure

Firewall \ IDS \ Content Filter \ DLP

Attack Communications

Scenarios can initiate communications to internal infrastructure and systems, emulating adversarial behaviors to test applicable security controls.

Internet

13 of 20

YOUR TELEMETRY IS ONLY AS GOOD AS YOUR DATA SOURCES

Agents

Users

PROXY

IoT Devices

What are your data sources? What are your gaps? �What are the associated business risks due to these gaps?

14 of 20

GARTNER SOC VISIBILITY TRIAD: NDR, SIEM, AND EDR

SIEM

EDR

The Cyber Triad

NDR

COMPLETE VISIBILITY

REAL-TIME DETECTION

INTELLIGENT RESPONSE

Network-based detection tools got the highest levels of satisfaction when compared against other detection approaches.

“

2019 SANS SOC SURVEY RESULTS

“

15 of 20

Founded in 2007 Headquarter in Seattle, USA
Co-founders Jesse Rothstein & Raja Mukerji were formally senior engineers at F5 Networks & architects of BIG-IP v9
Trusted by the world’s leading enterprises to delivery visibility, detection, and investigation at scale
800 customers, 5,000+ deployments, 5 million assets protected
Innovator in machine learning and analytics
Leaders in Gartner MQ and EMA Radar

INDUSTRY ACCOLADES

KEY ANZ CUSTOMERS

16 of 20

HOW DOES IT WORK?

17 of 20

EXAMPLE: DISTRIBUTED DEPLOYMENT (SENSORS)

VPC Traffic Mirroring

EC2: Apache

ExtraHop Cloud:

ML, Record Store, Control Plane

EC2: MS SQL Database

EC2: Reveal(x) AMI

AWS VPC

SPAN

AD

DNS

Reveal(x) Sensor

Branch

SPAN | ERSPAN | TAP Agg.

DNS

Storage

Reveal(x) Sensor

On-prem DC (1)

SPAN | ERSPAN | TAP Agg.

DNS

Storage

Reveal(x) Sensor

On-prem DC (2)

18 of 20

19 of 20

20 of 20

A software solution that provides endpoint detection and response capabilities to detect and respond to advanced cyber threats.

Regarding the 'Create Account with a weak password' scenario, ESET detected the command used to create the account. By examining the process tree for this detection, we can confirm that the command was triggered by an AttackIQ process. To prevent this scenario from happening again in the future, we can add a rule action to kill the process on the affected computer. With this rule action in place, ESET will automatically prevent the attack from being executed in the future.

Regarding the 'Lateral Movement through WinRM' scenario, ESET detected another high-severity alert for potential lateral movement. To prevent this scenario in the future, we can add an action to isolate the affected computer from the network. By doing so, we can stop the attacker from moving laterally through WinRM and prevent them from accessing other systems on the network.

ESET EDR complements traditional endpoint protection solutions by providing additional layers of detection and response capabilities, allowing us to prevent attacks that may be able to bypass traditional solutions.

---------------

Now let's take advantage of the ESET EDR capabilities and investigate the attack from a security analyst point of view.

Inspecting the top 10 unresolved detections, a detection for 'file being modified in the startup folder' stands out.

Going into the details of this detection we can see the triggering process was only seen on a single system and it was first seen in the environment 13 days ago.

The ESET Threat intel feed rates this process with a low reputation and popularity score.

And assessing the process tree on the right we can see an Attack IQ process raised a python subprocess, which in turn dropped a suspicious executable that modified a file in startup folder and created a suspicious executable in the startup folder.

Taking all of this as indicator of compromise, an analyst can quickly raise a case and add related objects, such as the effected machine, triggering process and executable.��Now investigating this incident we can look at the detection and see if there was any auto remediation action taken. And we can clearly see the process was killed and this attack stage was prevented.

Continuing our investigation, we can examine the affected machine and the alerts raised on it. We have user management from cmd line, suspicious executable created in startup folder which could mean the attacker is trying to setup some persistence on the machine and then we have an execution alert for known malicious powershell cmd being run. We can scroll to the right to find remediation action in place, which killed the process and blocked the module automatically.

Considering the multiple alerts raised on the affected machine, the security analyst can go back and quickly network isolate the machine as a precautionary measure.

Moving to the "Executables" tab, we can perform a deeper analysis of the suspicious executables. According to ESET Threat Intel feed, both of them have a low reputation and popularity rating. It's worth noting that the python.exe made over 6000 file modifications and 400 network calls, while the AttackIQ agent installer made over 9000 file modifications and 8 registry changes. This data provides us with further insights that can be used to strengthen our defences by blocking these executables from running in our environment.

It's remarkable how quickly you can investigate and take actions to safeguard your IT environment with ESET EDR. This can significantly reduce your mean time to detect and respond to a threat (MTTD/MTTR). By reducing the MTTD & MTTR, you lower the risk of experiencing high-impact cybersecurity incidents.