Hi everyone, thanks for joining us for this Black Hat session. We will demonstrate how security professionals can leverage SOAR and XDR tools to speed up triage, investigation and response to sophisticated attacks spanning multiple users and endpoints. We'll show you how Cortex XDR can provide visibility into the specific impact of a critical breach, and how automation with Cortex XSOAR can speed up response times and orchestrate remediation actions.

My name is Peter Havens, and I work on the Cortex product team at Palo Alto Networks. For today, I will be playing the role of a SecOps incident responder, which might be similar to a tier two or tier three analyst in your organization. I'll be in charge of doing a full investigation and confirmation of the extent of the breach.

My name is Pramukh Ganeshamurty, and I'm part of the Cortex XSOAR product team. Today I'll be playing the role of a triage analyst in the SecOps organization, which might be equivalent to your tier one analyst.

We have a pretty interesting attack scenario for this demonstration, which was cooked up and executed by our very own cybersecurity guru, John Breccia, here at Palo Alto Networks. For the purposes of this demonstration, we have disabled prevention and left sensors in detection-only mode. This gives us a better picture of the defenses across the life cycle of the attack. The attack itself takes several hours to execute. Prior to this, we've gone through the entire process. Let me give you a quick summary of the actions that were taken, and then we'll show you what it's like to use SOAR and XDR tools to respond to an incident like this.

All right, so this one, like so many others, begins with a spear phishing email that was sent to a number of users, luring them in with a subject of ComicCon and an Avengers Endgame project gag reel, because who wouldn't want to see more of that.
From the phishing email, the adversary is going to land a remote access Trojan as the core payload and leverage it to establish command and control within the organization. From there, the attacker will do some recon on the compromised source and start to attempt to move laterally within the organization. As they experience some success moving laterally, they will attempt to establish multiple beachheads in case some of the endpoints are taken offline. As we've seen in the past, the adversary may set up some of the compromised hosts as sacrificial lambs, if you will, in case their actions are discovered. Then they could lay low for a period of time and resurface the attack from another compromised standpoint. The adversary will work to establish persistence in the organization, and once they have a firm foothold, they will move toward the mission objective, which in this case is the exfiltration of some data of significant value. We'll uncover more as we investigate the attack.

We'll start the demonstration with Pramukh starting his shift just after the attack, playing the role of a SecOps triage analyst, which might be similar to a tier one analyst in your organization.

Hello everyone. I'm a triage analyst, and I'm just getting started on my shift today. I monitor the Cortex XSOAR dashboard page to track all new cases assigned to me. I see a high severity incident generated by Cortex XDR that is assigned to me for initial triage. Let me go ahead and take a look at this incident right away. This incident has 68 other alerts associated with it that were detected on several different hosts, involving multiple users. Before I take a look at this case in the Cortex XSOAR case management section, let me mark this incident as a favorite, so that it is readily accessible to me all the way through its successful remediation. I see that this incident has just occurred and involves 22 high severity alerts and 47 alerts of medium severity.
There are four potentially impacted hosts, affecting five users. I'm glad there is a Cortex XSOAR playbook already associated with this incident. Playbooks are task-based workflows, consisting of incident response actions, that run automatically in the work plan section. Playbooks can also enforce SLAs easily, either on the individual task level or on the overall playbook level, with the help of a timer. This saves a lot of time for a team to conduct advanced security research. Without XSOAR, the same amount of time would have been spent on dealing with initial incident response actions, such as assigning incident ownership, incident enrichment, indicator extraction, reputation checks and condition checks, among several other automated response actions. In fact, it was the playbook that automatically assigned me the ownership of this incident, as it knew my shift schedule and also had learned about my past incident transactions. Thanks to XSOAR, today we use the same time to perform security research on the latest cyber threats, which helps us in strengthening our overall security posture.

The playbook has already executed several initial tasks, such as performing XDR BIOC, checking if there is user information in the XDR incident, and if so, extracting user info into the incident context. All the tasks under the file analysis section have also been completed. It seems there are files to be analyzed. This task has used Palo Alto Networks AutoFocus to perform sample analysis on the files and has provided the list of parent processes and actions. It is interesting to note the mention of several processes along with registry information. I will go ahead and mark the registry information as a note and add the details to the evidence group. It is possible to add the details to the evidence group right from within the task.
The registry information is now available under the evidence board, so that auditors and other users who are interested in this information can always look it up under the evidence board section. There are three tasks waiting for my response. I'm not sure which accounts were impacted, so I cannot make a decision at this point about which user accounts to disable or anything related to email actions. There is this task that is waiting for my approval to block an IP on the firewall. The IP 2.2.2.199 is clearly an address external to the organization and is not part of the trusted list. Let me check the details of this IP on the XSOAR Indicators page. There are 12 hits so far; let me check the details of this IP on the XSOAR Threat Intel Management section. Here I see its reputation, timeline information, IP location details, and also related incidents. Since it's clearly a bad external IP based in France, I'll go ahead and approve this action to block this IP immediately on the firewall. Behold, the external IP address has been blocked successfully. Given that there are potentially four impacted hosts and five potentially compromised users, let me get some expert help from Peter to investigate this incident further. I will add Peter to this investigation so that he can immediately take a look at this incident and perform an investigation. Cortex XSOAR War Room functionality really makes it easy for me to actively collaborate with my teammates and get immediate help.

I'm just waking up and I've got a notification on my phone that I have a new incident to investigate. Probably nothing serious, I hope, but I'd better take a look. All right, four hosts, five users, an active threat, high severity. I'd better dive into this one right away. The first thing I will do is open up the XSOAR homepage, and I see a new incident. Let's go ahead and take a look and see what we've got here. This actually looks serious.
Right off the bat I can see this is a significant attack campaign involving a number of users and hosts, and I see a lot of alerts in the incident. I think I'd better dive right into Cortex XDR for a closer look. I've got the link directly into Cortex XDR here in XSOAR, and it's going to drop me right into the incident. Normally when I launch into XDR, I get to see my home screen, which contains my dashboard with a summary of all the incidents and things that I like to monitor here. But in this case, I'm already directly in the incident I need to investigate, so let me go back there and get started.

First, I want to let the rest of the team know I'm investigating this. I'll click on actions and change this to investigating, and I can see one, two, three, four different users involved in this incident. Looks like user ccolier might be at the center of this one: three different endpoints and one of our Windows servers. Let's see what software was involved here. I see Mimikatz was used, probably to compromise credentials. We've got this Avengers Endgame executable. It looks like someone may have thought they were watching an MP4; we'll have to look into that. We can grab the WildFire report of this guy and see exactly what it did. You can see the WildFire report here. I can also just download that and save it for later, which is what I'm going to do. In addition to pulling the WildFire report, I've got access to AutoFocus for additional threat intelligence about this malware as well, and I can click right into that here. What else? Some other living-off-the-land binaries and executables. Looks like there was some use of PsExec, probably leveraging the credentials gathered with Mimikatz to execute commands on other systems and move laterally.

At this point, I need to take a step back and fall back on my upset training and try to answer the following questions: Which user accounts were compromised? What persistence mechanisms have been put in place?
Which systems are involved? What's the endgame mission objective? What were the tactics, techniques, and procedures that were employed here? Then ultimately, I need to identify what actions we need to take in response to the breach. Fortunately, most of that information is automatically collated and stitched together for me in a single incident in Cortex XDR, without the need for anyone to dig into a bunch of different data sources and pull this together manually.

Let's get into the details. We can see here that we have 69 alerts as well as another 138 insights. Wow. Hopefully you're already seeing the amazing value that Cortex XDR brings to the security analyst. I have all this information pulled from many different sources all together in one place. All the heavy lifting of collecting the artifacts of the attack is basically done for me. Let's look at these insights. Insights may not rise to the same level as an alert, but they show us additional information about the behavior of the adversary. With this one, we can see there's a full-fledged attack with some data collection happening, credential access, discovery, evasion, execution, lateral movement, you name it, a lot of reconnaissance as well. If you want to know more about these specific TTPs, I can scroll over and find the links to MITRE, which will provide me with all the details I need.

Well, let's see where this all started. I'm going to sort my alerts by timestamp and analyze the earliest one. Looks like we've got a firewall alert that fired first, and then I can see that we started to get some alerts on PC1, and that is associated with user C Colyer, so I'll analyze that and see what happened there. Remember, for this demonstration I have everything set to detection only; if prevention on the firewall or on the endpoint agents was on, we would have stopped the attack here and at numerous other points in the attack life cycle.
Let's look down the timeline a bit more. I see our second system here, and the user was Davis Sanchez. Let's analyze that as well. Now, if I want a more focused view on just a single user or PC, I could quickly filter this list with the key assets section of the incident. I'll just right click here and filter based on the next user, C Chadwick. Looks like user C Chadwick is also involved, and on one of our Windows servers. Let's also analyze what's going on there.

Let's see what happened. I'm going to jump over to the tab with the C Colyer investigation, and there we've got a nice picture of everything that was going on in this flow. Let me zoom in here and see what we can see. Looks like a lot happened here, and right off the bat I would probably isolate or quarantine this endpoint from my actions menu here, but given this is a shared demo environment, I don't have that option or access to do that. But that would likely be my first action if I did. That way I could make sure this endpoint could not participate in or initiate any other network activity other than the communication to our XDR service or other facilities that I've set up as allowed when the endpoint is isolated.

It looks like this started with 7-Zip, so somebody's opening a zip file, and then we have a file type obfuscation alert here and a process with a double extension. It looks like our user thought they were watching a gag reel video, but instead they were executing the malicious payload, which launched the Quasar client. Then it looks like it jumped through some hoops to relaunch itself, probably with elevated privileges. Looks like it's scheduling a task to start the Quasar client on startup, and there we go with RL set to highest for elevated privileges. There's a bit of persistence. From there, it looks like we have a lot of commands that were executed from a CMD prompt. We can look at those; we'll scroll up to the top here.
Looks like it may have started by attempting to kill the antivirus agent first, and then we've got some recon going on here. Seems to have started with, let's see, looks like it's looking for user group information, probably trying to find a user who might have access to something important. Here it's trying to gather credentials via Mimikatz and procdump of LSASS. If you wanted more information on this technique, we can click on the alert here and jump right to the detailed description of the technique in MITRE. Back to the investigation. If we keep going down, ultimately we can see the attacker is leveraging what he's learned in the reconnaissance phase and attempting to execute his payload on other systems on the network.

Well, I have a pretty good high-level idea of the adversary's motions here on C Colier and PC1. Let's hop over to one of the other systems and see how some of the other users and computers were affected. All right, so I'm going to open the tab with the W. Sanchez investigation, and we've got our causality view again. It looks like a lot of the same, and that makes sense as it's the same payload we can see here. The start of the execution is different, as on W. Sanchez's system it began with PsExec rather than [inaudible], and that lines up with what we saw in the lateral movement from C Colier's system. It looks like this Quasar client is at the heart of the attack. It would be interesting to get the WildFire report on this. I'll just click here and download that. Again, if you wanted to look at the WildFire report, it's right here in the interface. Great, so I have full access to the dynamic analysis WildFire data on this executable. I can view the details here, but I think I'm going to save this for later. Let's close that and have a look at some of the commands that were executed on this endpoint. Okay, looks like some more credential harvesting was done. Safe to assume we have another compromised account.
Let's take a look at some of the processes. All right, in general, it looks like a lot of the same sort of reconnaissance I saw on the first system. Maybe a little less activity. Let's take a look at our third system, so let's jump over to the C Chadwick tab here, and there we are, there's the causality view. Not a big surprise, looks to be more of the same, very similar to what we saw on the second system. This is our Windows server, but execution looks very similar to what we saw on PC2. Let's take a look at the processes, and we can see again that we have procdump of LSASS. It looks like we will add another user to the list of likely compromised accounts. I noticed this on the other systems as well. Looks like the attacker is heavily leveraging WMIC for reconnaissance as well.

Well, I'm starting to get a pretty good idea of the user's persistence, the systems involved and the tactics, but I have a feeling I'm not done, because it looks like the adversary was exiting the environment and covering their tracks here and there. I suspect they achieved their endgame or their mission objective, but we don't know what that is yet. I have a suspicion that the adversary did most of their work on C Colier's system, so I'm going to go back there and take a closer look at their actions. Let's go back over to the C Colier tab, and now I'm going to drop down into the forensics table on this Quasar client and see what it's doing. Let's start with the processes that it executed, and there we can see our scheduled task that we saw earlier, and here we see it looks like it's cleaning up after itself by deleting its scheduled task a few hours later. All right, let's check out the network connections it made as well. It looks like it's making an outbound connection to an unknown host, 2.2.2.199.
Right away, I know that's not an IP address I recognize, so I'm going to right click on that and open quick launcher and just try to find out some more information about activity associated with that IP address. We'll check some outgoing connections from that IP and see what we can see. Query builder pulls up all of the information about connections to that IP address. I can see here, as I suspected, it looks like this is in France, and we don't have any business in France, and I'm pretty sure this is not something within our organization. Good to identify that, as that could be the IP address of our attacker.

Let's take a look at some of the final activity. Okay. I see some interesting batch files here. Let me just filter on .bat and see if I can see other ones. Put in startup.bat, filter everything else out. I see a recon.bat file that's likely what initiated all of the net group recon and WMIC commands that we saw. I can get this level of detail for process activity, file, network, and registry activity, as well as the DLL modules loaded, et cetera, on every step of the execution. Remember, I didn't have to do anything to pull this information together. It's automatically stitched into the incident within Cortex XDR.

It looks like a lot of activity was launched from this cmd instance. Let's take a look at some of the executions here, sorting by time. That doesn't look good, SQL command. I know that IP range; I think that's one of our customer database servers, and it looks like we have another compromised user account here. The SQL SA account, that is not good. Then it looks like they mounted the SQL server using another compromised account, the sc admin account. Really not good. Then, just after that, I can see that it looks like they compressed some of our demonstration documents, probably to prepare them for exfiltration. Definitely not good.
Last, it looks like they were covering their tracks with the Windows event log utility and clearing the application, security and system logs. Okay. Let's take a look at the file activity. What's this? Looks like they created a backup file. Wonder what they were backing up. There it is on the DB server again. I think I may have found their endgame. It looks like they successfully exfiltrated 200 megabytes of data from our customer database.

I'd still like to identify where this all started from, so I'm going to go back to my incident and look at my firewall alerts and try to see if I can identify where this all originated from. I'm going to add the ability to look at email subject and sender information, and hopefully we'll find out what the source of this was and we can remediate that as well. Okay, here I can see the email subject, the sender, et cetera, all the information about where this started from, and that should be in XSOAR so we can respond and pull those out of Exchange Web Services.

Okay. We've done a lot, or I guess I should say Cortex XDR has done a lot for us. It's answered all of the upset questions for us. We know what users are involved, what systems are involved. We know the persistence mechanisms that have been used to maintain a presence in the environment. We know the endgame, the mission objective of the adversary, and we know the tactics, techniques and procedures they've used to accomplish those objectives. We know the impact is significant in this case, so here's hoping we've got a time stone lying around so we can go back and turn prevention on. Otherwise, we've got some serious damage control to do in relation to this attack.
But in all seriousness, I hope we know by now that prevention is not perfect and no solution will ever successfully block 100 percent of attacks. If you're not using a solution that can not only do a fantastic job of blocking attacks, but can also provide you the visibility you need to determine what actions an adversary has taken if they got further in the attack life cycle than you would have liked, then what value are they really adding? I hope this demonstration gives you a sense of the value that Cortex XDR can deliver in giving you that visibility and transparency into a threat actor's behavior.

This is just scratching the surface of what Cortex XDR can bring to the table. Coming from the perspective of a breach investigation, after this investigation is wrapped up, XDR provides an awesome and complete solution for you to do additional threat hunting, leveraging the information you've learned from your investigation. You can use the Cortex XDR built-in query builder to do additional digging on similar indicators of compromise or behaviors that may have occurred in your organization, even if they were not identified as IOCs at the time. All of that information is stored in the Cortex XDR data lake and available for additional threat hunting.

In addition, XDR has the tools you need to respond and remediate. We've got both Live Terminal and our script execution engine, which can be used to do further investigation or remediate some of the actions that have been taken on those endpoints. I could leverage our Live Terminal to connect to some of the isolated endpoints and servers. With Live Terminal right from XDR, I can connect to my endpoints and get an interactive remote interface for examining the running processes and a file explorer. From there, there's quite a bit I can do: I can terminate processes that are running or suspend them, I can start an investigation to maybe get a verdict from VirusTotal or from WildFire.
I can get the file hash, I can download the file, mark it as interesting, or just copy the value and use it in our query builder for additional threat hunting. I can also run command prompt commands, PowerShell commands, or Python commands on any of the operating systems that Cortex XDR supports, directly through Live Terminal. I don't need to worry about whether Python or the correct version of Python is installed, as the agent installation takes care of putting the right one in place for me. In addition to Live Terminal, I've got our script execution engine at my disposal for remediation. I can pick from one of the canned scripts included with Cortex XDR, or I can copy one and customize it, or create my own script. I can run those scripts across any of the affected endpoints simultaneously, get feedback on how those executed, and use that for remediation actions on the endpoints.

I'll head back to XSOAR and wrap things up. We've got some additional actions that the work plan is recommending we take, and we need to disable these users. Let's go ahead and disable Collier, E Chadwick, Rogers and Debbie Sanchez, just to be safe, and we'll put a note in here just to make sure that we know we need to change their passwords. It's a good opportunity to ensure that we enable MFA on these accounts if it's not already done. We identified the email, the spear phishing email that was at the heart of this. Let's go ahead and eradicate that from the Exchange Web Services environment as well. I'll just put a note here to clarify what we found in the investigation phase, and we'll mark that as complete as well. I've got a few other actions I've got to follow up on, so I'll go ahead and disable additional user accounts associated with the investigation. We'll go ahead and disable the AC admin account we identified that gave access to the SQL server.
Finally, I'm going to leave a note for my colleague to let them know that I've wrapped up the investigation and that we have a few additional actions left to do. That's it for me. I'm going to hand it back to Pramukh to give you a little bit more of an explanation of how XSOAR does its thing. Take it away, Pramukh.

Cortex XSOAR has really made our lives easier, since we no longer need to have direct access to the enforcement points, such as the actual Active Directory server, or to the firewall, or to the Exchange web server, to perform remediation actions. Once provided with approval, XSOAR takes care of the enforcement of response actions by itself with the help of orchestration. Analysts can always use the built-in command line interface to perform orchestration of response actions on other security products from a central place, without having to switch screens. They don't have to spend any time opening tickets for remediation procedures, since everything is documented automatically in XSOAR's War Room functionality and is available for quick reference even after closure of the investigation. Given the busy schedule and time sensitivity of analysts' and incident responders' actions, there's always scope for human errors to seep into SecOps. XSOAR's task-based workflows and automated response actions ensure no human error occurs.

Thanks, Pramukh. I hope we've been able to show you how Cortex XDR can provide automated root cause analysis and unparalleled visibility into the impact of a critical breach. We've done some studies with our customers of Cortex XDR, and we found that on average it has reduced investigation times by a pretty astounding 88 percent, by automatically stitching alerts across a multitude of users and endpoints and additional data sources into a single complete incident. Hopefully, you've seen how automation with Cortex XSOAR can speed response times and really orchestrate all of those remediation actions.
Thank you so much for joining us today and stay safe out there. Thanks.