
Security Incident Using Huntress & SentinelOne: What Was Found & What Was Missed 🚨 

Lawrence Systems (332K subscribers)
25K views

Huntress Demo & Review 2022
SentinelOne Review and Malware Rollback Demo.
Threat reports
www.deepinstinct.com/blog/ira...
www.withsecure.com/content/da...
The FRP on GitHub
github.com/fatedier/frp
The Virustotal Link
www.virustotal.com/gui/file/b...
S1 Behavioral page
www.sentinelone.com/blog/beha...
Huntress Blog regarding their product
www.huntress.com/blog/not-all...
Connecting With Us
---------------------------------------------------
+ Hire Us For A Project: lawrencesystems.com/hire-us/
+ Tom Twitter 🐦 / tomlawrencetech
+ Our Web Site www.lawrencesystems.com/
+ Our Forums forums.lawrencesystems.com/
+ Instagram / lawrencesystems
+ Facebook / lawrencesystems
+ GitHub github.com/lawrencesystems/
+ Discord / discord
Lawrence Systems Shirts and Swag
---------------------------------------------------
►👕 lawrence.video/swag
AFFILIATES & REFERRAL LINKS
---------------------------------------------------
Amazon Affiliate Store
🛒 www.amazon.com/shop/lawrences...
All Of Our Affiliates that help us out and can get you discounts!
🛒 www.lawrencesystems.com/partn...
Gear we use on Kit
🛒 kit.co/lawrencesystems
Use OfferCode LTSERVICES to get 10% off your order at
🛒 lawrence.video/techsupplydirect
Digital Ocean Offer Code
🛒 m.do.co/c/85de8d181725
HostiFi UniFi Cloud Hosting Service
🛒 hostifi.net/?via=lawrencesystems
Protect your privacy with a VPN from Private Internet Access
🛒 www.privateinternetaccess.com...
Patreon
💰 / lawrencesystems
⏱️ Time Stamps ⏱️
00:00 Security Incident Feb 2023
02:45 Huntress Incident Report
03:29 Virustotal results
04:31 Fast Reverse Proxy
04:53 How It Was Found
06:41 Threat Research
08:35 Using SentinelOne Deep Visibility For Threat Hunting
09:52 Why SentinelOne did not trigger
11:45 SentinelOne False Positive
13:12 Closing Thoughts
#cybersecurity #security #threathunting

Category: Science

Published: 8 Jul 2024

Comments: 77
@_JohnHammond (a year ago)
Super appreciate the deep dive, and glad we could help in at least some way!

@LAWRENCESYSTEMS (a year ago)
Huntress was super helpful in this. If it were not for Huntress, this file would still be there!

@d00dEEE (a year ago)
It must be hugely frustrating to not have enough information to isolate the infiltration incident. I'm a "root cause guy" and this would drive me nuts.

@Bill_the_Red_Lichtie (a year ago)
Really, seriously, in IT security, it is 100% better to call an alarm and catch that "zero day" attack or the mundane "duh, behavior change" as early as possible. It is always a case of better to be safe than sorry!

@javabeanz8549 (a year ago)
I would much rather investigate an incident that turns out to be a false positive than miss a real attack. In fact, I caught myself recently: I didn't read the installation list and accidentally installed Nginx, which bit me on the next reboot, as Nginx started before Apache, so the site was all wrong. Still had something to fix, but it wasn't a security incident.

@troywhite76 (a year ago)
This is the stuff that keeps me awake at night. Thanks for this video!

@Luckotheirish213 (a year ago)
Sorry you had to go through this, but it was super fascinating to watch. Internal IT at a small shop, so I wear a lot of hats and am lightly involved in security. Very helpful to listen to your thought process and reaction. Cheers!

@sekytwo (10 months ago)
Loving these videos, you learn so much!

@R3DP3NGUIN (a year ago)
Great vid, very insightful. It kind of highlights the struggle that most organisations have, which is limited visibility across their environment. Threat hunting, which many orgs cannot do for various reasons, also requires having close to full visibility across your endpoint fleet to be effective.

@jojobobbubble5688 (a year ago)
Great video! I would love to see more of this type of content (but I wish the events which generate this content would end).

@MrMcp76 (a year ago)
We use Sentinel1 at our company, and when we had a file attempt to make TCP connections, that was not what triggered S1 to alert of an issue. It was the scanning the file was doing on both the local machine, as well as the attempts to access network resources like servers, that triggered the alert. However, our firewall did alert us of the blocked connection attempts the file was making to its C2.

@geezergeek1637 (a year ago)
VERY interesting. Thank you, Tom.

@texasaggie1 (a year ago)
Excellent breakdown. I've had Huntress find things that evade managed S1. I've had tons of times where an S1 detected threat wasn't detected by Huntress. Both are important apps though. They are often looking for different things.

@Whipster-Old (a year ago)
Good to see how this went down. I admire your tenacity and professionalism.

@LAWRENCESYSTEMS (a year ago)
Thank you

@EagleMitch (a year ago)
Great video, keep them coming!

@Armmani2000 (a year ago)
Great video, I would love to see more of these videos.

@NetworkBuildersIT (a year ago)
Great video and recap.

@rvilladiego (a year ago)
Good video. What's missing is network visibility to get more context: EDR + NDR.

@sharedknowledge6640 (a year ago)
Thanks for this as an example of a real world wake up call for all people who think these things only happen to the "others who are vulnerable" and not them.

@Hunt4m3x (a year ago)
Love the shirt! Shady

@lightingman117 (a year ago)
13:18 - I love your quote

@karikhill (a year ago)
Speaking of layers, having a good sysmon config running is great for tracing down those first entries.

@LAWRENCESYSTEMS (a year ago)
Yes!

@TheTannertech (a year ago)
Huntress's support is fantastic.

@IzzoYourNizzo (a year ago)
Thank you much for the video, for providing analysis, and education to the community. You make quality content. I realize that Tom hit upon how using both tools seems excessive, but does anyone have any experience in these tools interfering with each other or can provide any insight? Personally, I'm concerned with the compute overhead of using both tools in conjunction. I'm not saying it's wrong and, like Tom, I'd rather have the coverage than not, but does anyone have personal experience, or Tom, could you share your opinion on this?

@carmercado007 (a year ago)
You should do one with Crowdstrike next

@jd415 (a year ago)
I have the same Huntress shirt!

@SB-qm5wg (a year ago)
Sunday alarms are the life. 😞

@ramondewitt8827 (a year ago)
Dray is a great guy over at Huntress.

@mahlonotero5448 (a year ago)
We've been happy with Huntress + Windows Defender. It's much less of a headache to manage than S1.

@samsampier7147 (a year ago)
What's the cost (labor and any financial capital) of implementing a type of audit logging for Windows hosts? Fascinating video. I'm on the network side, so my logs are a bit different.

@joelanzo (3 months ago)
💗

@PowerUsr1 (a year ago)
Beautiful breakdown here. Something I've done and my org does on the daily. This stuff is hard. I hope (I don't hope) you have more of these incidents to share and highlight. Is this client running SSL decryption on the firewall? Maybe an external tool (think PaloAlto WildFire) could've picked this up, scanned it, and emailed Infosec. If so, at least you would know the time of download and what user did so.

@spartan1986og (a year ago)
SOC Analyst here. You are not being too hard on SentinelOne. It is not enough to look for known threats. The product needs to identify threat-like behavior as well. This was definitely threat-like behavior. There should have been an alert on the behavior so an analyst like me could evaluate the situation. I'll admit I'm not that familiar with SentinelOne. My company uses Carbon Black for XDR detection. Even had Carbon Black not alerted on it, we dump all data to a SIEM (Elastic) and write rules to detect such indicators of compromise. Had our rules seen that localhost traffic (because you were 100% correct in your interpretation of it), we'd have seen an alert the first time it happened. Do you use a SIEM? If so, would you be able to tell us which one?

@LAWRENCESYSTEMS (a year ago)
This client does not have SIEM as part of their plan; for our clients that do, we use Blumira.
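The two signals this thread keeps coming back to are a known-bad hash (the one SHA256 Tom shares in the VirusTotal link) and a process making localhost TCP connections that no endpoint product flagged, which a Sysmon config (as karikhill notes) would record and a SIEM rule (as spartan1986og describes) could alert on. Below is an added example, not code from the video, from Lawrence Systems, Huntress or SentinelOne, of the kind of rule that could run over exported Sysmon events for both signals. It uses the real Sysmon Event ID 1 (process create, Hashes field) and Event ID 3 (network connection) field names; the sample events, the svc.exe file name, the loopback allowlist and the threshold of three connections are constructed assumptions for the demo.

```python
"""Triage Sysmon-style events for a known-bad hash and for unexpected
loopback TCP connections. Added example; not from the video or commenters.
Field names follow Sysmon Event ID 1 (process create) and 3 (network
connection); sample events below are constructed, not real telemetry."""
import ipaddress
from collections import defaultdict

# The one IOC shared in the thread: the SHA256 from the VirusTotal link.
KNOWN_BAD_SHA256 = {
    "b455335d64e1633333899c32b49b867272b3d0b2e0653a484c2c8f22ceb3dbd6",
}

# Hypothetical allowlist of images expected to talk to loopback on a host.
# Build this from a baseline of your own fleet; it is an assumption here.
LOOPBACK_ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\lsass.exe",
}

# Assumed threshold: initiated loopback TCP connections before reporting.
LOOPBACK_MIN_CONNECTIONS = 3


def parse_hashes(hashes_field):
    """Parse Sysmon's 'MD5=..,SHA256=..' Hashes string into {ALGO: lowercase hex}."""
    out = {}
    for part in hashes_field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def is_loopback(ip_text):
    """True for 127.0.0.0/8 and ::1; False for anything that does not parse."""
    try:
        return ipaddress.ip_address(ip_text).is_loopback
    except ValueError:
        return False


def triage(events):
    """Return a list of findings from Sysmon-like event dicts.

    Event ID 1 is checked against KNOWN_BAD_SHA256. Event ID 3 records are
    aggregated per image: initiated TCP connections to loopback from an image
    not in LOOPBACK_ALLOWLIST are counted, and any image reaching
    LOOPBACK_MIN_CONNECTIONS is reported with the distinct ports it touched.
    """
    findings = []
    loopback_ports = defaultdict(list)

    for ev in events:
        image = ev.get("Image", "").lower()
        if ev.get("EventID") == 1:
            sha256 = parse_hashes(ev.get("Hashes", "")).get("SHA256")
            if sha256 in KNOWN_BAD_SHA256:
                findings.append({"rule": "known_bad_hash", "image": image, "detail": sha256})
        elif ev.get("EventID") == 3:
            if ev.get("Initiated") != "true" or ev.get("Protocol") != "tcp":
                continue
            if image in LOOPBACK_ALLOWLIST or not is_loopback(ev.get("DestinationIp", "")):
                continue
            loopback_ports[image].append(int(ev.get("DestinationPort", 0)))

    for image, ports in loopback_ports.items():
        if len(ports) >= LOOPBACK_MIN_CONNECTIONS:
            findings.append({"rule": "loopback_connections", "image": image,
                             "detail": sorted(set(ports))})
    return findings


# Constructed sample events: a hypothetical dropped binary (svc.exe) with the
# shared hash that then connects to local services, plus benign noise.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\Public\svc.exe",
     "Hashes": "MD5=0123456789abcdef0123456789abcdef,"
               "SHA256=B455335D64E1633333899C32B49B867272B3D0B2E0653A484C2C8F22CEB3DBD6"},
    {"EventID": 3, "Image": r"C:\Users\Public\svc.exe", "Protocol": "tcp", "Initiated": "true",
     "DestinationIp": "127.0.0.1", "DestinationPort": "3389"},
    {"EventID": 3, "Image": r"C:\Users\Public\svc.exe", "Protocol": "tcp", "Initiated": "true",
     "DestinationIp": "127.0.0.1", "DestinationPort": "445"},
    {"EventID": 3, "Image": r"C:\Users\Public\svc.exe", "Protocol": "tcp", "Initiated": "true",
     "DestinationIp": "::1", "DestinationPort": "5985"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "Protocol": "tcp", "Initiated": "true",
     "DestinationIp": "127.0.0.1", "DestinationPort": "135"},
    {"EventID": 3, "Image": r"C:\Program Files\Browser\browser.exe", "Protocol": "tcp", "Initiated": "true",
     "DestinationIp": "203.0.113.5", "DestinationPort": "443"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["rule"], finding["image"], finding["detail"])
```

The hash rule only catches this exact sample, which is the weakness the thread discusses; the loopback rule is the behavioural one, and its value depends entirely on a host-specific allowlist, so expect to tune it before it is quiet enough to page on.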
@g04tn4d0 (a year ago)
Oh, hell, yeah... now you're into stuff I'm all about! 🤪

@stefanbehrendsen330 (a year ago)
I'm actually interviewing EDR and MDR vendors right now for the company I work at. I've used Huntress in the past at another job and they've always been excellent. One thing I am specifically asking vendors is "what does a zero day look like from install to first detection to remediation?" A lot of initial meetings are crap; it can be hard to cut through the buzzwords and marketing to determine how effective the product is. Most successful attacks are now zero day or advanced persistent threats; signature detection can and will fail. The human element, and how much the company spends on research and threat hunting, is far more important. Any thoughts on products that advertise full stack, like Arctic Wolf or CrowdStrike Falcon Complete?

@LAWRENCESYSTEMS (a year ago)
"Most successful attacks are now zero day or advanced persistent threats" is not true; most attacks are unpatched systems and people clicking on something. You never know how any product will protect against a zero day, because a true zero day is something that no one knows about except the threat actor. For example, NO ONE offered protection from Log4j. Huntress is great, S1 is good.

@stefanbehrendsen330 (a year ago)
@LAWRENCESYSTEMS yeah OK that makes sense... thanks for the reply! :)

@AdmV0rl0n (a year ago)
I'm in an MSP. We have maybe 250 hosts, so not a huge sample. We run Sentinel One on each one. My sample is inadequate, but my gut feel is that Sentinel One doesn't seem to pick much up and in far too many cases it requires staff to review and assess what it's found. This to me seems to have multiple failures and to be way off what is needed. In this film, I'm not surprised it was in fact left to Tom's team to chase it up and make a case with S1. I've run a lot of AV and NG-AV; previous house was CrowdStrike. I am jury out on S1, but can't say I like it or rate it, but as I say, jury out. Assessment of something is not based on knee jerk.

@LAWRENCESYSTEMS (a year ago)
Our trust is with Huntress more than anything else.

@johnb3170 (a year ago)
Any worthy actor will easily bypass S1 even in protect mode. That's not the challenge 😉 the challenge is hiding your activity after initial access.

@abrahamdeutsch3175 (a year ago)
The team at Huntress recommended Windows Defender, saying it gives them more visibility and does a better job with detection.

@dneumet (a year ago)
I had a presentation by Huntress a couple of days ago and this is also what they told me. Huntress can see/control Windows Defender, whereas it has no visibility into S1. We are considering replacing S1 with a combo of Huntress and WD. Our net spend will be unchanged and we will have the benefits of both.

@PowerUsr1 (a year ago)
I'm also curious if having multiple MDRs installed contributes to any false positives of the other system. So S1 flags Huntress and the other way around.

@LAWRENCESYSTEMS (a year ago)
No, there is no conflict having these together.

@berndeckenfels (a year ago)
Sounds like an insider thing if you have no other IOCs. And the "not TCP connection monitor" answer is just alarming: wrong answer or insufficient tool.

@TheBeesKneesPhoto (10 months ago)
I'm currently evaluating Huntress and thinking about getting rid of SentinelOne Control and just going Huntress + Defender. What are your thoughts on that? Can Huntress MDR replace SentinelOne Control?

@LAWRENCESYSTEMS (10 months ago)
We are still currently using S1 with Huntress, but there could be a future where we drop S1 and have Huntress only.

@edwinrosales6322 (a year ago)
What was the hash of the file that was dropped? Would you mind sharing it and other IOCs?

@LAWRENCESYSTEMS (a year ago)
We just have the VirusTotal link, as there were not any external IPs we could find it reaching out to. www.virustotal.com/gui/file/b455335d64e1633333899c32b49b867272b3d0b2e0653a484c2c8f22ceb3dbd6

@clomok (a year ago)
I run an MSP focused specifically on small businesses. Without access to resources like yours, what things can I do to help mitigate against zero day attacks? Currently I rely on Bitdefender and immutable image cloud backups (I am very happy with them). Is there something else I should be doing?

@LAWRENCESYSTEMS (a year ago)
The best mitigation is to have a plan for if something happens and practice that plan. Having good backups that are well separated is a big key to recovering from an attack.

@mikolosteez61 (a year ago)
While I appreciate and enjoy your content, this is exactly why MSSPs (Security) and MSPs (IT) should be totally separate. You want security focused professionals that set and push telemetry requirements and have the forensic capability to truly root cause detections. There was no entry point analysis or a real forensic effort to determine the extent of network or system compromise.

@LAWRENCESYSTEMS (a year ago)
Like so many things, it comes down to budget.

@thoselog (a year ago)
why no crowdstrike?

@Traumatree (a year ago)
They are no better, just more expensive.

@Crazy--Clown (a year ago)
Too expensive

@tinawhite4962 (a year ago)
Dump S1, pick up ThreatLocker, keep Huntress

@LAWRENCESYSTEMS (a year ago)
ThreatLocker does not work well in environments with lots of custom software, way too much overhead.

@AspendoraTechnologies (a year ago)
@LAWRENCESYSTEMS unfortunately I feel your pain on this. Great for normal offices. I hear those exist somewhere.

@tinawhite4962 (a year ago)
@LAWRENCESYSTEMS I understand why you might feel that way. However, I have found approving an application update in ThreatLocker less taxing than investigating S1 false positives and hoping actual malicious activity is detected in time to save the business from a lot of pain.

@abrahamdeutsch3175 (a year ago)
But it seems you disagree

@swollenaor (a year ago)
I think this doesn't affect companies only, but also home users and such.

@Traumatree (a year ago)
I find it odd that no one can find where that file came from. And, as usual, Windows is really THE security threat of today's age. You want to secure your business, stop using Windows for desktop and for server.

@Crazy--Clown (a year ago)
Unfortunately many have to because of software only available on Windows. CAD is a great example.

@groovetrain397 (a year ago)
You talk too fast and don't explain cleanly!!