Detecting Threats - How to Think Like an Attacker
DETECTING THREATS: HOW TO THINK LIKE A CYBER ATTACKER
Albert Hui GREM, GCFA, GCFE, GCIA, GCIH, GXPN, GPEN, GAWN, GSNA, CISA, CISM, CRISC, Principal Consultant
Cyber Risk Workshop, October 28th 2014 @ Hong Kong
WHO AM I?
• Spoken at Black Hat, High Tech Crime Investigation Association (Asia Pacific Conference), and Economist Corporate Network.
• Risk Consultant for Banks, Government and Critical Infrastructures.
• SANS GIAC Advisory Board Member.
• Former HKUST lecturer.
Albert Hui GREM, GCFA, GCFE, GCIA, GCIH, GXPN, GPEN, GAWN, GSNA, CISA, CISM, CRISC, Principal Consultant
AGENDA
Cyber Attackers’
• Motivations (Why do they hack you?)
• Methods (How do they break in?)
• Damage Potentials (What can they do to you?)
Countermeasures
• How to detect cyber attacks?
Copyright © 2014 Albert Hui
CYBER ATTACKERS’ MOTIVATIONS
PRIMARY MOTIVATIONS
(Spectrum from secular to sacred motivations)
• Ego
• Money
• Ideology (e.g. hacktivists)
• Revenge (e.g. former employees)
• Curiosity
• Industrial espionage
• War and terrorism (e.g. state-sponsored hackers)
OPPORTUNISTIC ATTACK TREND: HACKER SUPPLY CHAIN
Anon Payment / Hacker Tools / Bulletproof Hosting / Monetization
Implications
• Sophisticated attacks now available to non-experts
• Lower breakeven point for attacks
• More “worthwhile” targets
TARGETED ATTACK TREND: CYBER WARFARE AND APT
Implications
• More attack budgets
• 0-day attacks
• Threat level corresponds to strategic value
CYBER ATTACKERS’ METHODS
CYBER KILL CHAIN
Recon → Weaponize → Deliver → Exploit → Install → C2 → Action
ATTACK ROUTES
• Outside-In (e.g. SQLi, XSS, CSRF)
• Inside-Out (e.g. web malware, trojaned PDF)
• Indirect
(Diagram: Home and Office networks; perimeter controls: FW, IPS, etc.; endpoint controls: AV, HIPS, etc.)
CYBER ATTACKERS’ DAMAGE POTENTIALS
COMMON EXPLOITATIONS
Steal Stuff
• Intellectual property theft
• Steal money
• Monetize the loot for credit card fraud, spam, DDoS etc.
Wreak Havoc
• Break system (e.g. via DDoS)
• Cause system malfunction
• Delete business data and ransom
Consequential Damages
• Legal and regulatory consequences
• Reputational damage
• Loss of license
DETECTING CYBER ATTACKS
PHILOSOPHY
Defender’s Dilemma
• Must secure all possible vulnerabilities
Intruder’s Dilemma
• Must evade all detections
Reason’s Swiss Cheese Model (picture from NICPLD)
ESSENTIALS FOR DETECTING CYBER ATTACKS
• Layered defense-in-depth
• Redundant security (e.g. two different brands of FWs)
• Security event correlation (e.g. SIEM)
• Trustworthy logging
• Up-to-date threat intelligence
• Security awareness and reporting channel
• Incident response capability (e.g. CSIRT)
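The following is an added example, not part of the original slides, showing how security event correlation ties layered defenses and the kill chain together: each layer (firewall, IPS, proxy, host AV) sees only one hole in the Swiss cheese, but correlating their events per host and mapping them to kill-chain phases surfaces an intrusion that no single layer would alert on. The log format, the source-to-phase mapping, the sample log lines and the thresholds are all constructed for illustration.

```python
"""Added example (not from the slides): minimal cross-layer event correlation.

Each security layer sees only part of an intrusion. Grouping events per host,
mapping them to kill-chain phases and counting distinct phases inside a time
window turns several individually "routine" alerts into one incident.
Log lines, field names and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Kill-chain phase order from the slides; used to order the reported phases.
PHASES = ["Recon", "Weaponize", "Deliver", "Exploit", "Install", "C2", "Action"]

# Hypothetical mapping from (log source, event type) to a kill-chain phase.
PHASE_MAP = {
    ("fw", "portscan"): "Recon",
    ("proxy", "download_exe"): "Deliver",
    ("ips", "exploit_attempt"): "Exploit",
    ("av", "malware_detected"): "Install",
    ("fw", "beacon"): "C2",
    ("dlp", "bulk_upload"): "Action",
}

# Constructed sample log lines: "<ISO time> <source> <host> <event>"
SAMPLE_LOGS = """\
2014-10-28T09:00:01 fw 10.0.0.5 portscan
2014-10-28T09:05:12 proxy 10.0.0.5 download_exe
2014-10-28T09:05:40 ips 10.0.0.5 exploit_attempt
2014-10-28T09:06:02 av 10.0.0.5 malware_detected
2014-10-28T09:20:00 fw 10.0.0.5 beacon
2014-10-28T09:21:10 fw 10.0.0.9 portscan
2014-10-28T11:40:00 av 10.0.0.9 malware_detected
"""


def parse(line):
    """Split one constructed log line into (timestamp, source, host, event)."""
    ts, source, host, event = line.split()
    return datetime.fromisoformat(ts), source, host, event


def correlate(log_text, window=timedelta(hours=1), min_phases=3):
    """Return {host: [phases in kill-chain order]} for every host that shows at
    least min_phases distinct kill-chain phases within a sliding time window.
    Events from different layers are unknown to each other; only the
    correlation step sees the progression."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, source, host, event = parse(line)
        phase = PHASE_MAP.get((source, event))
        if phase:  # events with no kill-chain mapping are ignored here
            events[host].append((ts, phase))

    incidents = {}
    for host, evs in events.items():
        evs.sort()
        # Slide the window forward from each event; report on the first hit.
        for i, (start, _) in enumerate(evs):
            phases = {p for t, p in evs[i:] if t - start <= window}
            if len(phases) >= min_phases:
                incidents[host] = sorted(phases, key=PHASES.index)
                break
    return incidents


if __name__ == "__main__":
    for host, phases in correlate(SAMPLE_LOGS).items():
        print(f"ALERT {host}: kill-chain phases observed {phases}")
```

With the constructed logs, host 10.0.0.5 crosses five phases within an hour and is reported, while 10.0.0.9 shows a port scan and an AV hit more than two hours apart and stays below the threshold. The window and phase count are the tuning knobs a SIEM rule would expose; the point of the exercise is that the detection depends on logs from several layers being collected and trusted, which is why trustworthy logging sits beside correlation in the list above.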
(People, process, technology)
THANK YOU