Yes, thank you so much for this presentation. I think... can you hear me? Yeah.
And yeah, again, thank you so much for having me here. My name is Filipi Pires. This is my contact on Twitter, @FilipiPires. And today we're going to talk about this awesome topic. My idea during this conversation is to bring you some new thoughts about how you can use your creative mind when you are looking at some security sensors, right? So that's my idea here for you. And this is my contact on other social media.
So you can find me on GitHub, where you can find different projects that I've been working on, focusing on malware analysis and threat hunting, and on LinkedIn as well. And I have here my web page, where you can find some talks from events I've been participating in, in English, in Spanish, in Portuguese, different talks, but all of those talks related to cybersecurity, right? So let me introduce myself. I'm a security researcher at senhasegura, a global company responsible for providing PAM solutions; PAM is the acronym for Privileged Access Management. I'm a security researcher in this company.
And I'm a Hacking Is Not a Crime advocate. It's an awesome project created in the US, but we have different advocates around the world. So the idea behind this project is to talk more about this concept called hacking and the hacker, because usually when you see the newspaper, or maybe TV, when for example some exposure of information happens, or some theft of intellectual property, or some ransomware attack happens, usually the people on TV or in the newspaper associate this kind of thing with a hacker. But no, it's a cyber criminal, right?
So when you talk about the hacker, you can use your creative mind; that's the idea of this project, right? So this is a misconception, actually; the idea is to explain more about that, or how you can use your creative mind. So I'm part of the coordination team of the DEF CON Groups here in São Paulo.
I'm talking from Brazil, by the way, at this moment, as you can see here in my home office, on my balcony. And I'm an instructor at Hacker Security, a Brazilian company responsible for providing some trainings in Portuguese, and I'm an instructor and writer at Hakin9 magazine in Europe, by the way. And I have a course on malware attacks with the kill chain in this fantastic magazine, right? So this is some information about me. So first of all, I would like just to bring you some very simple explanations about some of the concepts.
And after that, I'll explain the more technical POC that I made with different security solutions, right? So what is a threat? A simple definition, not a definition from Filipi, it's the definition from the ISO: it's a potential cause of some incident. Of course, this incident may cause harm to the systems, or maybe to the organization. But what kind of incident, Filipi? Maybe a software attack, theft of intellectual property, identity theft, or information extortion. These are examples of information security threats. It's very important.
Understand that nowadays, for example, many companies, many different startups, are building on the cloud, or with the cloud-native concept. But if you see, at the end of the day, all those companies have software, have code. So many things, when you talk about some potential incident, are related to some potential threats. That is very important to understand, okay? And of course, as a result, many different organizations chose to adopt the threat hunting practice.
I mean, the idea is to work more actively, or proactively, to defend the environment. Okay? First of all, we have the threat. After that, we need to choose, when you need to analyze this kind of threat, whether you have a known threat or an unknown threat. But it's very important to understand how the known threat works, because when you receive this knowledge, your team, of course, can gain this kind of knowledge, and you can actually recognize when you see some unknown threat. Because of this, it's very important.
So when you perform some threat hunting, or some analysis, or malware analysis on some artifact, my recommendation is always that you need to register that, because when you register that, you can improve your knowledge. You can see exactly the path executed by the attacker, and you can create a report to present it.
For example, to a manager, or coordinator, or tech lead, because you made some analysis and you have this artifact, you have this knowledge, you can write this report. This report is very important to improve your defense mechanisms, because you understand exactly the path executed by the attacker, right? And after that, you can improve your defense mechanisms because you discover exactly the techniques used by the attacker to evade your security sensors.
And you can produce, you can create some cyber threat intelligence in your environment, no matter if your company is big or small. No, the important thing is how you can use the different tools to help you to provide the front line of defense against attacks, right? And of course you need to improve that, because it's very important: the threats are changing all the time, right? So you need to have this resilience. What is threat hunting? Very simple: it's a proactive approach, when you think about, when you talk about cyber defense with the offensive mind.
So that's my idea. When you talk about threat hunting, basically it's the process where you work proactively and iteratively, searching through the networks to detect (first of all, you need to detect) and after that isolate advanced persistent threats. Not a simple threat, an advanced persistent threat.
Again, that evade existing security solutions. I mean, you have your security solutions in your environment; according to your business, you apply the security sensors. And when you have the analyst or researchers inside of your company, this threat hunter, the person, the professional, can look more, or search through the network, all the time, right? So what is a hunter? It's a qualified security professional. Actually, they need to recognize; this is the first step. Because of that, it's very important to understand the known threats.
Remember the flow. Remember: they recognize first; second, they isolate, because they need to treat that. Okay. And after that, the professional can disable the potential APT. It's the acronym for advanced persistent threat, right? So it's more advanced techniques, where they're organized by some groups of cyber criminals to attack different companies, right? So this professional is responsible for searching for potential internal or external intruders, to discover the risk or possible malicious attacks inside of the organization. Just a simple concept. Okay.
So let me explain more about the technique that I used in this specific task, using Python code to simulate some adversary attack, right? So the purpose of this test was running different Python scripts to execute different, and here is the key, efficiency and detection tests in various endpoint solutions. It's just important to clarify here that my idea is not to give you or to tell you what is the best security solution, or the best antivirus, or the best EDR.
No, it's not my idea here. It's just to explain what you can use in your environment, this efficiency and detection test, how you can simulate according to your environment, right? So that's the idea. So I executed a Python script to download different malware samples in my environment, and after that I can see the result of this Python script, right? So the first purpose was to simulate, to understand, what exactly is the behavior, the resilience, present in the specific solutions.
I mean, what exactly is the efficiency of detection according to signatures, according to next-generation antivirus, according to machine learning. So I was executing some malware inside of the environment, and I would like to see how the behavior is regarding signatures, again, next-generation antivirus and machine learning. And second, I would download more than one malware sample in the same environment, using the API request to download many different malware samples in the same environment, because my idea here is to simulate some outbreak infection in the environment, right?
So I would like to see how the behavior of the signatures is, basically to understand the behavior of the engines. So I created these attacks in my environment to see the behavior of some security sensors, right? So here is the first code that I created. It's basically a Python script, very simple. Okay. Basically, this Python code, you can find this code on MalwareBazaar; it's a repository supported by the community, right?
So the community uploaded many different malware samples inside there, and basically inside of this MalwareBazaar, bazaar.abuse.ch actually (but I can share the URL after this presentation in the chat with you), basically you have this code in the documentation, right? So it's very interesting. I just copied this from this website. Basically, I can download a real malware sample. It's very important to clarify: this test happened with real malware, right? So I will download the malware. I need to set basically the hash, the information of the malicious hash. Okay.
And after that I use a command here, as you can see where my mouse is, to unzip the downloaded file. Again, when I download this file in my environment, I have the malware, the real malware, in my environment. In the sequence of the code, I set here the password to uncompress this file inside the environment.
And I use the API to make this request in the environment, right? So as you can see here, it's very simple.
So here, let's see what the behavior is with Cybereason. By the way, I had an awesome conversation with Cybereason; I talked with the different teams inside there.
When I executed this test, another point to clarify: I reported all those tests to all those vendors. Okay. And I had good conversations, again, with Cybereason. I talked with Sam, the CSO from Cybereason, and I reported some possible vulnerabilities, and of course all those vulnerabilities were improved with Cybereason, actually. So as you can see here in the code, I set basically the binary required, calling the Python script and setting the hash again. And if you see here, I don't know, maybe it's small, but basically this hash is from WannaCry, basically.
Here's the explanation about WannaCry. Okay, it's real malware; by the way, very well-known malware, okay? And basically this is the code: I download here and unpack this malware, as you can see here. Okay. So the malware was downloaded inside of my environment, and after that, as you can see here, the behavior was very nice, because it was blocked by Cybereason, right? So this is the first test. Basically, I downloaded it using the Python script and it was blocked, right?
So as you can see here in the log of the environment, it was detected as known malware, as you can see here, with the detection name shown. Okay. The second test I executed in the other solution. And as you can see here, I changed the hash, because I tried to download another different sample; in this case, not a sample, it's malware again. All those samples uploaded in MalwareBazaar are malware; it's very important to clarify. So all those malware samples are known as malware on VirusTotal, in antivirus scanning, in different cloud sandboxes. It's known as malware, okay? So I downloaded it in this case.
And as you can see here, it was blocked. So the behavior: I hoped, when I executed these tests, that all those vendors would block these attacks, right? Because I execute the script, and after that, I download the sample.
And the idea, remember, is to understand the behavior of the signatures, after that machine learning, and after that the next-generation antivirus, and so on and so on. When I executed here in CrowdStrike, for example, I had a different behavior. I changed once again the hash and executed it to download and unpack. But in this case, when I executed this task last year, in October, almost one year ago, when I executed this task, CrowdStrike didn't block it.
And the answer provided by this vendor, specifically this vendor, was that CrowdStrike didn't have any signature engine in their product; because of that, they didn't detect it as malware.
So, from my perspective, it's my opinion, okay, it should be detected. It's very important that you have the signature engine, because the approach from CrowdStrike is different: their idea is that they can act to block some things after the user clicks on the binary. So from my perspective, it's not a good way, because, you know, as you get more inside of your environment and you keep trying your security sensors, even if this malware is known as malicious...
So why didn't you block it based on signatures? Because of that, I think it's very important that you have both approaches: the signatures, and behavior monitoring and machine learning. It's my, again, it's my idea when you think about detection. But okay, let's see the second Python code. Okay. The second Python code is a little different, because as you can see here in the code, I can set here the download URL; it's based on downloading this folder. And as you can see here, you have the daily malware batch.
What does that mean, Filipi? The daily batch is basically the repository where MalwareBazaar puts all those malware samples in this specific repository at the end of the day. So at the end of the day, you can have 2000 malware samples, 200 malware samples, 15, I don't know, 500 malware samples per day. So in this repo, we have more than 100 malware samples, by the way. And in this case, basically I set this specific repository to download all those malware samples.
Remember, my idea here is to simulate an outbreak infection, because I would like to understand the behavior of the engine. Maybe the engines work well, or maybe, let's suppose that these engines are broken, for example; what should be the behavior of this specific engine? So that's my idea for this test. So I executed, once again, with Cybereason, the same platform. As you can see, almost all of those malware samples were blocked; basically, they didn't block, I think, four malware samples. I reported this malware to the team and they improved that. It was very nice.
As you can see here, the date is September 10. As you can see, they call this specific date here, the zip, as you can see here, and after that the download is completed, and after that the dataset is saved, and after that the dataset is unpacked. As you can see here, in this case, more than 200 malware samples. When executing in Cybereason, we have similar behavior: it blocked many different malware samples. But as you can see here, the other solution has different engines.
They have more than one engine inside of the security sensor; because of that, the CPU and the memory usage was, you know, too high, because you have more than one engine inside of the environment. But again, they didn't block more than two malware samples, and I reported all those malware samples. And just to finish this presentation, just a simple spoiler alert, because we don't have time to explain all those details: I created this specific Python script to open a socket, basically to gain a reverse shell inside of my environment.
It's a simple open socket, and I executed it in CrowdStrike, because I would like to see what exactly the behavior from CrowdStrike is. And I set here the configurations and applied here the best practices, according to CrowdStrike. And after that, I tried to execute this reverse shell. And I call here the shell.py, and that's the code that I showed you. Okay. And after that, as you can see here, I gained access, because the solution didn't block it. My simple open socket did appear, right? It's a simple technique using Python.
My idea here is to simulate: if I infect this machine and the user clicks on this specific binary, or if some people are executing this specific binary, or this specific shell in Python, what is the behavior? So again, with the access, of course, I executed different actions, as you can see here, but it's a simple spoiler. Okay. We don't have time to explain all those details. And if you have any questions, again, I'm available. Thank you so much for this time.
And again, this is my contact, and if you have any doubts, any questions, again, thank you. Thank you so much.
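An added example, not code from Filipi's talk or his scripts: the bookkeeping he recommends for an endpoint detection test, registering per sample whether the sensor quarantined the unpacked file, left it intact, or left something altered. The function names, the manifest format (sample name to SHA-256) and the constructed scenario are assumptions; the demo writes harmless stand-in bytes, never real samples.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: the manifest maps the sample file name to the SHA-256 that the
# batch metadata lists for it; in a real run it would be read from that metadata.

def sha256_of(path: Path) -> str:
    """Stream the file so large samples do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_samples(expected: dict[str, str], sample_dir: Path) -> dict[str, str]:
    """Classify every expected sample after the sensor has had a chance to react."""
    status = {}
    for name, digest in expected.items():
        p = sample_dir / name
        if not p.exists():
            status[name] = "quarantined"   # sensor removed it on write or unpack
        elif sha256_of(p) == digest:
            status[name] = "intact"        # sensor did not touch it: a miss to report
        else:
            status[name] = "altered"       # wrong file or partial write: rerun the sample
    return status

def summarize(status: dict[str, str]) -> dict[str, int]:
    """Counts per outcome, the numbers that go into the report for the vendor."""
    counts = {"quarantined": 0, "intact": 0, "altered": 0}
    for s in status.values():
        counts[s] += 1
    return counts

def run_demo() -> tuple[dict[str, str], dict[str, int]]:
    """Constructed scenario: benign text stands in for the binaries."""
    payloads = {"sample_a.exe": b"harmless stand-in A",
                "sample_b.exe": b"harmless stand-in B",
                "sample_c.exe": b"harmless stand-in C"}
    expected = {n: hashlib.sha256(d).hexdigest() for n, d in payloads.items()}
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "sample_a.exe").write_bytes(payloads["sample_a.exe"])  # left intact
        (d / "sample_c.exe").write_bytes(b"truncated")              # altered on disk
        # sample_b.exe is never written: simulates quarantine on write
        status = audit_samples(expected, d)
    return status, summarize(status)

if __name__ == "__main__":
    for name, s in run_demo()[0].items():
        print(f"{name}: {s}")
```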