
When the threat group doesn't leave: Incident Response Under Fire.pdf

Uploader: 可*** | ID: 991795 | 2025-12-07 | 23 pages | 673.18 KB

SANS DFIR Europe Prague 2025, Sep 25
When the threat group doesn't leave: Incident Response Under Fire

About Me
Eran Liloof, Head of Threat Research at Vega Security. 10+ years in cybersecurity, IR background.

Agenda
01 IR Use Case: A Battle With A Persistent Attacker
02 Attack Overview
03 Mistakes Made
04 Lessons Learned
05 Incident Management Dilemmas

The Victim (Background)
30K+ employees, 110K+ devices, 24/7 criticality. Large enterprise, many data centers, multi-cloud, OT/IoT, legacy systems.

Just Another AitM Campaign (SMS)
User -> Malicious Website -> Microsoft. The username, password and MFA response entered on the malicious site are relayed to Microsoft, and the resulting token is returned through the malicious site.

Weakest Link
Social engineering. Lack of permissions. Chat with helpdesk:
  "Hi, helpdesk"
  "How can we help?"
  "George forgot his password, reset it please"
  "Done. Where should we send the new password?"
  "Send it here. I will tell him."
  "Sure! George123Temp!#"
Now Entra ID global admin. Just took two hours. Deleting all global admins.

Catch Me If You Can (attacker vs. defenders)
- Passwords rotated back (attacker)
- Passwords rotated (defenders)
- Backdoor accounts identified (defenders)
- Compromised accounts disabled (defenders)
- Other accounts' passwords rotated (defenders)
- Backdoor accounts disabled (defenders)
- Tokens forged using federated domains (attacker)
- Admin logins restricted to the office IP (defenders)
- Admin login restriction removed (attacker)
- Federated domains removed (defenders)
- Unauthorized logins via the corporate VPN (attacker)
- Recreating the restriction (defenders)
- SAML tokens forged using ADFS certificates (attacker)
- VPN access blocked (defenders)

"We have 50 TB of your data. Pay $10M now. You have 4 days."
First extortion letter after 2 weeks of back and forth.

Standard IR practice cannot be used here
Full containment not possible. We must investigate to eradicate, fa

1. **Attack overview**: A large enterprise suffered a persistent attack. The attacker gained access through social engineering, became a global admin, and deleted all global admin accounts.
2. **Incident management dilemmas**: Because of a lack of visibility, the incident response (IR) process was slow, and the attacker sent an extortion letter demanding $10M.
3. **Priorities and decisions**: The team faced the challenge of deciding whether to prioritize on-premises infrastructure or cloud services, and ultimately chose to handle on-premises infrastructure first.
4. **Investigation and eradication**: Through EDR and Azure investigation, the attacker was found to have established backdoors and persistence in Entra ID, Office 365, SharePoint and Azure.
5. **Response strategy**: The team applied isolation, eradication and monitoring measures while dealing with multiple distractions and new findings.
6. **Key lessons**: Crisis incidents can strike suddenly; a lack of visibility slows down IR; when the attacker holds global admin, the IR team must be expanded; and in severe incidents, non-standard communication channels should be used.

"How do you respond to a persistent attack?" "What can we do?" "What did you overlook?"