When the threat group doesn't leave: Incident Response Under Fire (PDF, 23 pages)
SANS DFIR Europe Prague 2025, Sep 25
When the threat group doesn't leave: Incident Response Under Fire

About me
Eran Liloof, Head of Threat Research at Vega Security. 10+ years in cybersecurity, IR background.

Agenda
01 IR use case: a battle with a persistent attacker
02 Attack overview
03 Mistakes made
04 Lessons learned
05 Incident management dilemmas

The victim: background
30K+ employees, 110K+ devices, 24/7 criticality. Large enterprise, many data centers, multi-cloud, OT/IoT, legacy systems.

Just another AitM campaign (SMS)
Flow: User -> Malicious website -> Microsoft. The user enters username, password and MFA code into the malicious website; the website relays username, password and MFA code to Microsoft and receives the token. The attacker, not the user, ends up holding the session token.

Weakest link
Social engineering, lack of permissions, chat with helpdesk. The chat:
  "Hi, helpdesk"
  "How can we help?"
  "George forgot his password, reset it please"
  "Done. Where should we send the new password?"
  "Send it here. I will tell him."
  "Sure! George123Temp!#"
Now Entra ID global admin. Just took two hours. Deleting all global admins.

Catch me if you can
Defenders versus attacker, move by move:
  Defenders: passwords rotated. Attacker: passwords rotated back.
  Defenders: compromised accounts disabled; backdoor accounts identified.
  Defenders: other accounts' passwords rotated; backdoor accounts disabled. Attacker: tokens forged using federated domains.
  Defenders: admin logins restricted to the office IPs. Attacker: admin login restriction removed.
  Defenders: federated domains removed; restriction recreated. Attacker: unauthorized logins via the corporate VPN.
  Defenders: VPN access blocked. Attacker: SAML tokens forged using ADFS certificates.

"We have 50 TB of your data. Pay $10M now. You have 4 days."
First extortion letter after 2 weeks of back and forth.

Standard IR practice cannot be used here
Full containment not possible. We must investigate to eradicate, fa
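The AitM flow on the "Just another AitM campaign" slide, modelled as an added example (this is not code from the talk or from Vega Security, and the toy identity provider stands in for the "Microsoft" box; the origins, the user george@corp.example and the RFC 4226 sample OTP secret are constructed). It shows why the relay works against password plus SMS/TOTP, which the IdP sees only as strings, and why it fails against an origin-bound factor (the property behind FIDO2/passkeys), where the authenticator signs the origin the browser is actually on and the IdP verifies against its own origin:

```python
import hashlib
import hmac
import secrets
import struct

# Assumed origins: a stand-in IdP and a look-alike phishing site (neither is a real Microsoft host).
REAL_ORIGIN = "https://login.example"
PHISH_ORIGIN = "https://login.example-secure.evil"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP. TOTP is the same with a time-derived counter; a fixed counter keeps this deterministic."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def sign_assertion(device_key: bytes, challenge: str, origin: str) -> str:
    """Model of an origin-bound authenticator: the browser's origin is part of what gets signed."""
    return hmac.new(device_key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


class ToyIdP:
    """Constructed stand-in for the 'Microsoft' box in the slide. Not Entra ID's real protocol."""

    def __init__(self, origin: str):
        self.origin = origin
        self.users = {}       # upn -> {"password", "otp_secret", "device_key"}
        self.challenges = {}  # upn -> outstanding challenge for the origin-bound factor
        self.sessions = {}    # token -> upn

    def register(self, upn, password, otp_secret, device_key):
        self.users[upn] = {"password": password, "otp_secret": otp_secret, "device_key": device_key}

    def login_otp(self, upn, password, otp, counter):
        """Password + OTP: the IdP only sees strings, so relayed strings are as good as typed ones."""
        u = self.users.get(upn)
        if not u or u["password"] != password or not hmac.compare_digest(hotp(u["otp_secret"], counter), otp):
            return None
        return self._issue(upn)

    def begin_origin_bound(self, upn):
        self.challenges[upn] = secrets.token_hex(16)
        return self.challenges[upn]

    def finish_origin_bound(self, upn, assertion):
        """The IdP verifies the signature against ITS origin, not whatever origin the browser was on."""
        u = self.users.get(upn)
        challenge = self.challenges.pop(upn, None)
        if not u or challenge is None:
            return None
        expected = sign_assertion(u["device_key"], challenge, self.origin)
        return self._issue(upn) if hmac.compare_digest(expected, assertion) else None

    def _issue(self, upn):
        token = secrets.token_urlsafe(24)
        self.sessions[token] = upn
        return token

    def whoami(self, token):
        return self.sessions.get(token)


def relay_password_otp(idp, upn, password, otp, counter):
    """The malicious website forwards what the victim typed. The token lands with the attacker."""
    return idp.login_otp(upn, password, otp, counter)


def origin_bound_login(idp, upn, browser_origin, device_key):
    """Same exchange whether the browser is on the real origin or on the proxy's phishing origin."""
    challenge = idp.begin_origin_bound(upn)          # proxy relays the challenge to the victim
    assertion = sign_assertion(device_key, challenge, browser_origin)
    return idp.finish_origin_bound(upn, assertion)   # proxy relays the assertion back


def demo():
    idp = ToyIdP(REAL_ORIGIN)
    otp_secret = b"12345678901234567890"             # RFC 4226 sample secret (constructed)
    device_key = secrets.token_bytes(32)
    idp.register("george@corp.example", "George123Temp!#", otp_secret, device_key)
    counter = 42
    victim_otp = hotp(otp_secret, counter)           # what the victim reads from the app or SMS
    stolen = relay_password_otp(idp, "george@corp.example", "George123Temp!#", victim_otp, counter)
    phished = origin_bound_login(idp, "george@corp.example", PHISH_ORIGIN, device_key)
    direct = origin_bound_login(idp, "george@corp.example", REAL_ORIGIN, device_key)
    return {
        "otp_relay_gives_attacker": idp.whoami(stolen),   # "george@corp.example"
        "origin_bound_via_phish": phished,                # None: origin mismatch
        "origin_bound_direct": idp.whoami(direct),        # "george@corp.example"
    }


if __name__ == "__main__":
    print(demo())
```

The point for the IR team is in the first result: nothing in the password/OTP exchange lets the IdP distinguish the proxy from the user, so rotating passwords alone does not close this door while the attacker still holds tokens; the origin binding is what breaks the relay.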
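The moves on the "Weakest link" and "Catch me if you can" slides (helpdesk reset followed within two hours by Global Administrator, other global admins removed, the office-IP admin restriction removed shortly after defenders created it, domains switched to federated so tokens can be forged) each leave an entry in the Entra ID audit log. The triage below is an added example, not code from the talk: it runs simple rules over constructed sample events laid out like Microsoft Graph directoryAudit records. The activity names, the targetResources layout and the IR account list are assumptions to confirm against your own tenant before alerting on them:

```python
import json
from datetime import datetime, timedelta

GA_ROLE = "Global Administrator"
# Assumption: the only principals expected to touch Conditional Access policies while the IR runs.
IR_ACCOUNTS = {"ir-team@corp.example"}

# Constructed sample events in the shape of Microsoft Graph directoryAudit records
# (activityDateTime, activityDisplayName, initiatedBy, targetResources). Activity names
# and the targetResources layout are assumptions; check them against a real export.
SAMPLE_LINES = [json.dumps(e) for e in [
    {"activityDateTime": "2025-05-01T09:00:00Z", "activityDisplayName": "Reset user password",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@corp.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "george@corp.example"}]},
    {"activityDateTime": "2025-05-01T10:40:00Z", "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "george@corp.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "george@corp.example"},
                         {"type": "Role", "displayName": GA_ROLE}]},
    {"activityDateTime": "2025-05-01T10:55:00Z", "activityDisplayName": "Remove member from role",
     "initiatedBy": {"user": {"userPrincipalName": "george@corp.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "alice.admin@corp.example"},
                         {"type": "Role", "displayName": GA_ROLE}]},
    {"activityDateTime": "2025-05-02T14:00:00Z", "activityDisplayName": "Update conditional access policy",
     "initiatedBy": {"user": {"userPrincipalName": "ir-team@corp.example"}},
     "targetResources": [{"type": "Policy", "displayName": "Admin sign-in from office IPs only"}]},
    {"activityDateTime": "2025-05-02T14:25:00Z", "activityDisplayName": "Delete conditional access policy",
     "initiatedBy": {"user": {"userPrincipalName": "george@corp.example"}},
     "targetResources": [{"type": "Policy", "displayName": "Admin sign-in from office IPs only"}]},
    {"activityDateTime": "2025-05-03T08:00:00Z", "activityDisplayName": "Set domain authentication",
     "initiatedBy": {"user": {"userPrincipalName": "george@corp.example"}},
     "targetResources": [{"type": "Domain", "displayName": "corp-backup.example",
                          "modifiedProperties": [{"displayName": "AuthenticationType",
                                                  "oldValue": "\"Managed\"", "newValue": "\"Federated\""}]}]},
]]


def ts(e):
    return datetime.fromisoformat(e["activityDateTime"].replace("Z", "+00:00"))


def actor(e):
    return e.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "?")


def targets(e, kind):
    return [t for t in e.get("targetResources", []) if t.get("type") == kind]


def target_upn(e):
    users = targets(e, "User")
    return users[0].get("userPrincipalName") if users else None


def role_name(e):
    roles = targets(e, "Role")
    return roles[0].get("displayName") if roles else None


def triage(lines, chain_window=timedelta(hours=2)):
    """Return (severity, rule, actor, target) findings, in time order."""
    events = sorted((json.loads(line) for line in lines), key=ts)
    findings, resets, last_ca_change = [], {}, {}
    for e in events:
        name, who, when = e["activityDisplayName"], actor(e), ts(e)
        if name == "Reset user password":
            resets[target_upn(e)] = when            # remember who the helpdesk reset, and when
        elif name == "Add member to role" and role_name(e) == GA_ROLE:
            upn = target_upn(e)
            findings.append(("critical", "global-admin-added", who, upn))
            if upn == who:                          # a principal granting itself GA
                findings.append(("critical", "self-granted-global-admin", who, upn))
            if upn in resets and when - resets[upn] <= chain_window:
                findings.append(("critical", "helpdesk-reset-then-global-admin", who, upn))
        elif name == "Remove member from role" and role_name(e) == GA_ROLE:
            findings.append(("critical", "global-admin-removed", who, target_upn(e)))
        elif name in ("Update conditional access policy", "Delete conditional access policy"):
            policy = targets(e, "Policy")[0]["displayName"]
            prev = last_ca_change.get(policy)
            if who not in IR_ACCOUNTS:
                findings.append(("high", "ca-policy-changed-by-non-ir-account", who, policy))
            if prev and prev[1] != who and when - prev[0] <= chain_window:
                findings.append(("high", "ca-policy-reverted-within-window", who, policy))
            last_ca_change[policy] = (when, who)
        elif name == "Set domain authentication":
            for d in targets(e, "Domain"):
                for p in d.get("modifiedProperties", []):
                    if p.get("displayName") == "AuthenticationType" and "Federated" in str(p.get("newValue")):
                        findings.append(("critical", "domain-switched-to-federated", who, d["displayName"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(*f)
```

One caveat that matches the last attacker move on the slide: a SAML token forged with a stolen ADFS signing certificate is minted outside the tenant, so the forging itself produces no Entra audit event; what you can do is correlate federated sign-ins in the tenant against token-issuance events on the ADFS servers (security audit event IDs 1200 and 1202) and treat a federated sign-in with no matching ADFS event as suspect.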