Living with the threat of Determined Attackers - RANT0214
•
4 gefällt mir•7,187 views
Presentation Slides from Manchester RANT 14-02-2014
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie Living with the threat of Determined Attackers - RANT0214
Ähnlich wie Living with the threat of Determined Attackers - RANT0214 (20)
Mehr von James '-- Mckinlay
Mehr von James '-- Mckinlay (10)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Living with the threat of Determined Attackers - RANT0214
- 2. MANCHESTER RANT FEBRUARY 14TH 2014
- 3. YOUR SPEAKER – JAMES MCKINLAY • 2014 CISO LEVEL SECURITY, RISK & COMPLIANCE CONSULTANCY ACROSS EUROPE • 2013 PCIDSS COMPLIANCE AT WALMART FOR ASDA & GEORGE (LEVEL ONE MERCHANT) • 2011 - 2013 PCIDSS COMPLIANCE MANCHESTER AIRPORTS GROUP (LEVEL THREE MERCHANT) • 2006-2011 PCIDSS COMPLIANCE HOMELOAN MANAGEMENT LIMITED (LEVEL ONE SERVICE PROVIDER) • 2006 ECOMMERCE SECURITY– THOMAS COOK SCHEDULED BUSINESS
- 4. EXEC SUMMARY – • DEFENDERS ARE INCREASINGLY BEING OVERRUN BOTH BY EVENTS GENERATED BY ORDINARY CYBERCRIME AND BY ADVANCED, TARGETED ATTACKS FROM SOPHISTICATED ADVERSARIES. • INCREASED COMPLEXITY AND FREQUENCY OF ATTACKS, COMBINED WITH REDUCED EFFECTIVENESS OF PREVENTATIVE CONTROLS, INCREASES THE NEED FOR ENTERPRISE-SCALE SECURITY INCIDENT RESPONSE • THREAT INTELLIGENCE AND CONTINUOUS IMPROVEMENT OF INCIDENT RESPONSE PROCESSES ARE NEEDED BY ENTERPRISES TO REDUCE THE EFFORT REQUIRED IN CONTAINING LOSSES AND RISKS.
- 5. WHAT DO I MEAN BY . . . . •DETERMINED ATTACKERS •BETTER INTELLIGENCE •BETTER PREPARED
- 6. WHAT DO I MEAN BY DETERMINED ATTACKER • GET IN PAST YOUR PREVENTATIVE DEFENCES • STEAL SOME VALID CREDENTIALS • REMOVE TOOLS USED IN GETTING IN • FIND SOME REMOTE ACCESS AND USE VALID CREDENTIALS • EXPLORE THE ENVIRONMENT • STEAL DATA – RINSE AND REPEAT
- 8. PREVENTATIVE CONTROLS ARE NOT ENOUGH A “Determined attacker will not be put off by traditional IT security technology •Basic AV Avoidance •Basic IDS Avoidance •Modern Sandbox Avoidance •WAF Identification •Web Filter Avoidance •Email Filter Avoidance
- 9. BASIC AV AVOIDANCE • HTTPS://WWW.VEIL-FRAMEWORK.COM/FRAMEWORK/VEIL-EVASION/
- 10. BASIC IDS AVOIDANCE • HTTP://WWW.MONKEY.ORG/~DUGSONG/FRAGROUTE/ • HTTP://EVADER.STONESOFT.COM
- 11. MODERN SANDBOX AVOIDANCE • HTTP://WWW.GIRONSEC.COM/BLOG/2013/10/ANTI-SANDBOXING-IDEAS/
- 12. BASIC WAF IDENTIFICATION • OWASP XSS TOOL “XENOTIX” GIVES US A EXAMPLE OF A GUI WAF IDENTIFIER • HTTPS://WWW.OWASP.ORG/INDEX.PHP/OWASP_XENOTIX_XSS_EXPLOIT_FRAMEWORK
- 13. BASIC WEB PROXY AVOIDANCE • HTTPS • TOR BRIDGE RELAY • HTTPS://WWW.TORPROJECT.ORG/
- 14. EMAIL FILTER AVOIDANCE TRICKS • LARGE BENIGN ATTACHMENTS MEAN MESSAGES GET SKIPPED FOR SPAM PROCESSING • WELL FORMED FIRST MESSAGE GETS SENDER ONTO A WHITELIST • BACKGROUND READING • “INSIDE THE SPAM CARTEL” , “BOTNETS THE KILLER APP” , “PHISHING EXPOSED”
- 15. BASIC PHISHING MANAGERS • SET - HTTP://WWW.SOCIAL-ENGINEER.ORG/FRAMEWORK • PHISH FRENZY - HTTP://WWW.PENTESTGEEK.COM/2013/11/04/INTRODUCING-PHISHING-FRENZY/ • SENINJA - HTTP://WWW.ALDEID.COM/WIKI/SOCIAL-ENGINEERING-NINJA
- 16. COMPLETE ATTACK MANAGERS • HTTP://WWW.ADVANCEDPENTEST.COM/FEATURES • HTTP://WWW.FASTANDEASYHACKING.COM/
- 17. POST EXPLOITATION • BOOK “CODING FOR PENETRATION TESTERS” HAS A CHAPTER DEVOTED TO THIS
- 18. POST EXPLOITATION (2) • WCE - HTTP://WWW.AMPLIASECURITY.COM/RESEARCH.HTML • PRIVILEGE ESCALATION - HTTPS://WWW.INSOMNIASEC.COM/RELEASES
- 19. WHAT IS THE MESSAGE •DON'T GET COMPLAISANT – IF THEY WANT TO GET IN BADLY ENOUGH – THEY WILL GET IN !
- 20. WHAT DO I MEAN BY . . . . •DETERMINED ATTACKERS •BETTER INTELLIGENCE •BETTER PREPARED
- 21. WHAT DO I MEAN BY BETTER INTELLIGENCE • TO KNOW WHAT YOU KNOW AND TO KNOW WHAT YOU DON'T KNOW IS THE SIGN OF ONE WHO KNOWS • KNOW THE WEAKNESSES IN YOUR DEFENCES • KNOW THE TECHNIQUES USED BY YOUR ENEMY • KNOW WHO TO TURN TO FOR HELP
- 22. WHERE ARE MY WEAKNESSES • INTERNAL AND EXTERNAL AUDIT REPORTS • PENETRATION TEST RESULTS • RISK WORKSHOPS • INTERVIEW FRONT LINE STAFF • WHISTLE-BLOWING HOTLINE • ITS WORTH ASSUMING THAT YOUR PERIMETER HAS BEEN BREACHED • AND THAT YOU SHOULD PLAN A RESPONSE STRATEGY
- 23. APT INTELLIGENCE REPORTS IN MARKETING • VENDOR ISSUED APT REPORTS AND ADVANCED MALWARE REPORTS • MANDIANT APT1 REPORT OPENED THE FLOOD GATES
- 24. MALWARE RESEARCH COMMUNITY • HTTP://AVCAESAR.MALWARE.LU/ • HTTP://WWW.MALSHARE.COM/ABOUT.PHP • HTTPS://MALWR.COM/ • HTTP://SUPPORT.CLEAN-MX.DE/CLEAN-MX/VIRUSES? • HTTP://VIRUSSHARE.COM/ABOUT.4N6 • HTTP://VIRUSTOTAL.COM • HTTP://VXVAULT.SIRI-URZ.NET/VIRILIST.PHP • HTTP://WWW.OFFENSIVECOMPUTING.NET Small sample
- 25. RSS ENABLED BLOGGING COMMUNITY RSS Band it http://rssbandit.org/ http://stopmalvertising.com/
- 26. IP REPUTATION COMMUNITIES • EXAMPLE: ALIENVAULT OPEN THREAT EXCHANGE HTTPS://WWW.ALIENVAULT.COM/OPEN-THREAT-EXCHANGE
- 27. “NOT MARKETING” VENDOR REPORTS • MICROSOFT SECURITY INTELLIGENCE REPORTS • CISCO ANNUAL REPORTS
- 28. CISP ENVIRONMENT • GOVERNMENT CYBER SECURITY STRATEGY INVOLVES REACHING OUT TO INDUSTRY BEYOND CNI • GCHQ, CESG AND CPNI COLLABORATED ON CISP HTTPS://WWW.CISP.ORG.UK/
- 29. READING: WHITEPAPERS • FEW EXAMPLES • SOC • IR • DATA BREACH • MALWARE
- 32. DEEPER DIVE : BOOKS
- 33. WHAT DO I MEAN BY . . . . •DETERMINED ATTACKERS •BETTER INTELLIGENCE •BETTER PREPARED
- 34. WHAT DO I MEAN BY BETTER PREPARED • USER AWARENESS • CYBER STRATEGY AT BOARD LEVEL • IT ASSURANCE FRAMEWORK • SECURITY OPERATIONS MATURITY • SOC • CIRT • THREAT INTELLIGENCE • PROACTIVE APT HUNTERS
- 35. PHISHING AWARENESS • DO YOU REMEMBER THE DIY SLIDES
- 36. PROFESSIONAL PHISHING AWARENESS • PHISH5 • PHISHME
- 37. CYBER STRATEGY AT BOARD LEVEL • GOVERNMENT COMMITMENT TO SUPPORT INDUSTRY • .GOV.UK AND SEARCH “CYBER”
- 38. CYBER STRATEGY ( ALSO WORTH A READ) • BELGIAN CHAMBER OF COMMERCE - BCSG • HTTP://WWW.ICCBELGIUM.BE/INDEX.PHP/QUOMODO/BECYBERSECURE
- 39. Manage IT Operations ITCF -V- ISMS • CONTROL FRAMEWORK • HTTP://WWW.ISACA.ORG/COBIT/PAGES/DEFAULT.ASPX Processes for Management COBITv5 Processes for Governance Deliver, Service and Support Manage IT Assets Manage IT Configurations Manage IT Incidents Manage Business Continuity Manage Information Security Manage Business Process
- 40. ITAF –V- ITCF • WHAT IS IT ASSURANCE
- 41. SECOPS MATURITY (SOC) • SIEM • CORRELATION • STAFFING • DROWNING IN DATA • HTTP://WWW8.HP.COM/H20195/V2/GETPDF.ASPX/4AA4-6539ENN.PDF • HTTP://WWW.ACI-NA.ORG/SITES/DEFAULT/FILES/S4-NESSI.PDF • HTTP://WWW.SECURITE.ORG/PRESENTATIONS/SOC/MEITSEC-SOC-NF-V11.PDF
- 42. SECOPS MATURITY (CIRT) • • • • • • • THREAT INTELLIGENCE FEEDS LIVE RESPONSE TECHNIQUES ENTERPRISE CLASS FORENSIC ACQUISITION STAFF DEVELOPMENT MALWARE REVERSING SKILLS / SOCIAL ENGINEERING SKILLS WORKFLOW BPM TOOLING NETWORK CONTAINMENT / NAC
- 43. OPEN IOC • WHAT IS OPEN IOC - HTTP://WWW.OPENIOC.ORG/
- 44. FREE TOOLS • FROM MANDIANT
- 45. LESSONS WITH OPENIOC FREE TOOLS
- 46. SECOPS MATURITY (APT HUNTERS) • WHAT IS REDLINE • COLLECTS WINDOWS ACTIVITY FROM • • • • • FILE REGISTRY DNS LOOKUPS PROCESSES IN MEMORY NETWORK CONNECTIONS • FIRST RESPONDER INVESTIGATIONS
- 47. (.MANS) REDLINE TRIAGE COLLECTION •1
- 48. (.MANS) REDLINE TRIAGE COLLECTION •2
- 49. (.MANS) REDLINE TRIAGE COLLECTION •3
- 50. TACKLING ADVANCED THREATS • THERE IS NO SINGLE TECHNOLOGY TO • “RULE THEM ALL” • 1) RECOGNISE “PREVENTATIVE” ISN'T ENOUGH • 2) GET SENIOR LEVEL SPONSORSHIP • 3) GET THE RIGHT PEOPLE • 4) GET THE RIGHT TOOLING
- 51. VENDORS TACKLING ADVANCED THREATS • THERE IS NO SINGLE TECHNOLOGY TO RULE THEM ALL ARBOR – Prevail DAMBALLA – Failsafe FIDELIS – XPS LANCOPE – StealthWatch SOURCEFIRE - FireAMP RSA – Netwitness SOLERA – DeepSee SOLERA – BluecoatATP AHNLABS – MDS CHECKPOINT – threat emulation FIREEYE – ATP LASTLINE – Previct MCAFEE – ValidEdge TREND – Deep Discovery PALOALTO – Wildfire BLUERIDGE – Appguard BROMIUM – vsentry HBGARY – DigitalDNA INVINCEA – Enterprise Threat Analyser RSA – ecat TRIUMFANT – mdar Mandiant Carbon Black Guidance Software CounterTack CrowdStrike Tanium Intelligent ID Nexthink Webroot LogRhythm TrustCloud Cyvera
- 52. CREDITS • JEFF YEUTER @ MANDIANT FOR THE REDLINE EXAMPLE • JIM ALDRIDGE @ MANDIANT FOR THE BLACKHAT2012 APT PRESENTATION • ANTON CHUVAKIN @ GARTNER FOR THE PAPER “SECURITY INCIDENT RESPONSE IN THE AGE OF APT”
- 53. TIME IS PRECIOUS – THANK YOU FOR YOURS • FIND ME ON LINKEDIN • UK.LINKEDIN.COM/PUB/JAMES-MCKINLAY/16/A42/206/