Living with Determined Attackers MOSI Edition

49

description

Slide deck from the Security Pressures seminar held in Manchester Museum of Science and Industry, November 2014

Transcript of Living with Determined Attackers MOSI Edition

Page 1: Living with Determined Attackers MOSI Edition
Page 2: Living with Determined Attackers MOSI Edition

YOUR SPEAKER – • 2014 HEAD OF INFORMATION SECURITY – WORLDLINE (ATOS GROUP)

• 2014 CISO LEVEL SECURITY, RISK & COMPLIANCE CONSULTANCY ACROSS EUROPE

• 2013 PCIDSS COMPLIANCE AT WALMART FOR ASDA & GEORGE (LEVEL ONE MERCHANT)

• 2011 - 2013 PCIDSS COMPLIANCE MANCHESTER AIRPORTS GROUP (LEVEL THREE MERCHANT)

• 2006-2011 PCIDSS COMPLIANCE HOMELOAN MANAGEMENT LIMITED (LEVEL ONE SERVICE PROVIDER)

• 2006 ECOMMERCE SECURITY– THOMAS COOK SCHEDULED BUSINESS

Page 3: Living with Determined Attackers MOSI Edition

EXEC SUMMARY –

• DEFENDERS ARE INCREASINGLY BEING OVERRUN BOTH BY EVENTS GENERATED BY ORDINARY

CYBERCRIME AND BY ADVANCED, TARGETED ATTACKS FROM SOPHISTICATED ADVERSARIES.

• INCREASED COMPLEXITY AND FREQUENCY OF ATTACKS, COMBINED WITH REDUCED EFFECTIVENESS OF

PREVENTATIVE CONTROLS, INCREASES THE NEED FOR ENTERPRISE-SCALE SECURITY INCIDENT RESPONSE

• THREAT INTELLIGENCE AND CONTINUOUS IMPROVEMENT OF INCIDENT RESPONSE PROCESSES ARE

NEEDED BY ENTERPRISES TO REDUCE THE EFFORT REQUIRED IN CONTAINING LOSSES AND RISKS.

Page 4: Living with Determined Attackers MOSI Edition

WHAT DO I MEAN BY . . . .

•DETERMINED ATTACKERS

•BETTER INTELLIGENCE

•BETTER PREPARED

Page 5: Living with Determined Attackers MOSI Edition

WHAT DO I MEAN BY DETERMINED ATTACKER

• GET IN PAST YOUR PREVENTATIVE DEFENCES

• STEAL SOME VALID CREDENTIALS

• REMOVE TOOLS USED IN GETTING IN

• FIND SOME REMOTE ACCESS AND USE VALID CREDENTIALS

• EXPLORE THE ENVIRONMENT

• STEAL DATA – RINSE AND REPEAT

Page 6: Living with Determined Attackers MOSI Edition

JIM ALDRIDGE BH2012

https://dl.mandiant.com/EE/library/BH2012_Aldridge_RemediationPres.pdf

Page 7: Living with Determined Attackers MOSI Edition

PREVENTATIVE CONTROLS ARE NOT ENOUGH A “Determined attacker will not be put off by traditional IT security technology

•Basic AV Avoidance

•Basic IDS Avoidance

•Modern Sandbox Avoidance

•WAF Identification

•Web Filter Avoidance

•Email Filter Avoidance

Page 8: Living with Determined Attackers MOSI Edition

BASIC AV AVOIDANCE

• HTTPS://WWW.VEIL-FRAMEWORK.COM/FRAMEWORK/VEIL-EVASION/

• HTTPS://WWW.SHELLTERPROJECT.COM/

https://www.veil-framework.com/framework/veil-evasion/
https://www.veil-framework.com/framework/veil-evasion/
https://www.veil-framework.com/framework/veil-evasion/
https://www.veil-framework.com/framework/veil-evasion/
https://www.veil-framework.com/framework/veil-evasion/
https://www.shellterproject.com/
https://www.shellterproject.com/
Page 9: Living with Determined Attackers MOSI Edition

BASIC IDS AVOIDANCE

• HTTP://WWW.MONKEY.ORG/~DUGSONG/FRAGROUTE/

• HTTP://EVADER.STONESOFT.COM

http://www.monkey.org/~dugsong/fragroute/
http://evader.stonesoft.com/
Page 10: Living with Determined Attackers MOSI Edition

MODERN SANDBOX AVOIDANCE

• HTTP://WWW.GIRONSEC.COM/BLOG/2013/10/ANTI-SANDBOXING-IDEAS/

Page 11: Living with Determined Attackers MOSI Edition

BASIC WAF IDENTIFICATION • OWASP XSS TOOL “XENOTIX” GIVES US A EXAMPLE OF A GUI WAF IDENTIFIER

Page 12: Living with Determined Attackers MOSI Edition

BASIC WEB PROXY AVOIDANCE

• HTTPS

• TOR BRIDGE RELAY

Page 13: Living with Determined Attackers MOSI Edition

EMAIL FILTER AVOIDANCE TRICKS • LARGE BENIGN ATTACHMENTS MEAN MESSAGES GET SKIPPED FOR SPAM PROCESSING

• WELL FORMED FIRST MESSAGE GETS SENDER ONTO A WHITELIST

• BACKGROUND READING

• “INSIDE THE SPAM CARTEL” , “BOTNETS THE KILLER APP” , “PHISHING EXPOSED”

Page 14: Living with Determined Attackers MOSI Edition

BASIC PHISHING MANAGERS

• SET - HTTP://WWW.SOCIAL-ENGINEER.ORG/FRAMEWORK

• PHISH FRENZY - HTTP://WWW.PENTESTGEEK.COM/2013/11/04/INTRODUCING-PHISHING-FRENZY/

http://www.social-engineer.org/framework
http://www.social-engineer.org/framework
http://www.social-engineer.org/framework
http://www.pentestgeek.com/2013/11/04/introducing-phishing-frenzy/
http://www.pentestgeek.com/2013/11/04/introducing-phishing-frenzy/
http://www.pentestgeek.com/2013/11/04/introducing-phishing-frenzy/
http://www.pentestgeek.com/2013/11/04/introducing-phishing-frenzy/
http://www.pentestgeek.com/2013/11/04/introducing-phishing-frenzy/
http://www.pentestgeek.com/2013/11/04/introducing-phishing-frenzy/
Page 15: Living with Determined Attackers MOSI Edition

COMPLETE ATTACK MANAGERS

• HTTP://WWW.ADVANCEDPENTEST.COM/FEATURES

http://www.pentestgeek.com/2013/11/04/introducing-phishing-frenzy/
http://www.pentestgeek.com/2013/11/04/introducing-phishing-frenzy/
http://www.pentestgeek.com/2013/11/04/introducing-phishing-frenzy/
http://www.pentestgeek.com/2013/11/04/introducing-phishing-frenzy/
http://www.advancedpentest.com/features
Page 16: Living with Determined Attackers MOSI Edition

POST EXPLOITATION

• BOOK “CODING FOR PENETRATION TESTERS” HAS A CHAPTER DEVOTED TO THIS

Page 17: Living with Determined Attackers MOSI Edition

WHAT IS THE MESSAGE

•DON'T GET COMPLAISANT –

IF THEY WANT TO GET IN

BADLY ENOUGH – THEY

WILL GET IN !

Page 18: Living with Determined Attackers MOSI Edition

WHAT DO I MEAN BY . . . .

•DETERMINED ATTACKERS

•BETTER INTELLIGENCE

•BETTER PREPARED

Page 19: Living with Determined Attackers MOSI Edition

WHAT DO I MEAN BY BETTER INTELLIGENCE

• TO KNOW WHAT YOU KNOW AND TO KNOW WHAT YOU DON'T KNOW IS THE SIGN OF ONE WHO KNOWS

• KNOW THE WEAKNESSES IN YOUR DEFENCES

• KNOW THE TECHNIQUES USED BY YOUR ENEMY

• KNOW WHO TO TURN TO FOR HELP

Page 20: Living with Determined Attackers MOSI Edition

WHERE ARE MY WEAKNESSES • INTERNAL AND EXTERNAL AUDIT REPORTS

• PENETRATION TEST RESULTS

• RISK WORKSHOPS

• INTERVIEW FRONT LINE STAFF

• WHISTLE-BLOWING HOTLINE

• ITS WORTH ASSUMING THAT YOUR PERIMETER HAS BEEN BREACHED

• AND THAT YOU SHOULD PLAN A RESPONSE STRATEGY

Page 21: Living with Determined Attackers MOSI Edition

APT INTELLIGENCE REPORTS IN MARKETING • VENDOR ISSUED APT REPORTS AND ADVANCED MALWARE REPORTS

• MANDIANT APT1 REPORT OPENED THE FLOOD GATES

Page 22: Living with Determined Attackers MOSI Edition

MALWARE RESEARCH COMMUNITY • HTTP://AVCAESAR.MALWARE.LU/

• HTTP://WWW.MALSHARE.COM/ABOUT.PHP

• HTTPS://MALWR.COM/

• HTTP://SUPPORT.CLEAN-MX.DE/CLEAN-MX/VIRUSES?

• HTTP://VIRUSSHARE.COM/ABOUT.4N6

• HTTP://VIRUSTOTAL.COM

• HTTP://VXVAULT.SIRI-URZ.NET/VIRILIST.PHP

• HTTP://WWW.OFFENSIVECOMPUTING.NET

Small sample

Page 23: Living with Determined Attackers MOSI Edition

RSS ENABLED BLOGGING COMMUNITY

RSS Bandit http://stopmalvertising.com/

Page 24: Living with Determined Attackers MOSI Edition

IP REPUTATION COMMUNITIES • EXAMPLE: ALIENVAULT OPEN THREAT EXCHANGE

Page 25: Living with Determined Attackers MOSI Edition

“NOT MARKETING” VENDOR REPORTS • MICROSOFT SECURITY INTELLIGENCE REPORTS

• CISCO ANNUAL REPORTS

Page 26: Living with Determined Attackers MOSI Edition

CISP ENVIRONMENT • GOVERNMENT CYBER SECURITY STRATEGY INVOLVES REACHING OUT TO INDUSTRY BEYOND CNI

• GCHQ, CESG AND CPNI COLLABORATED ON CISP

Page 27: Living with Determined Attackers MOSI Edition

READING: WHITEPAPERS • FEW EXAMPLES

• SOC

• IR

• DATA BREACH

• MALWARE

Page 28: Living with Determined Attackers MOSI Edition

BACKGROUND READING: BOOKS

Page 29: Living with Determined Attackers MOSI Edition

DEEPER DIVE : BOOKS

Page 30: Living with Determined Attackers MOSI Edition

WHAT DO I MEAN BY . . . .

•DETERMINED ATTACKERS

•BETTER INTELLIGENCE

•BETTER PREPARED

Page 31: Living with Determined Attackers MOSI Edition

WHAT DO I MEAN BY BETTER PREPARED • USER AWARENESS

• CYBER STRATEGY AT BOARD LEVEL

• IT ASSURANCE FRAMEWORK

• SECURITY OPERATIONS MATURITY

• SOC

• CIRT

• THREAT INTELLIGENCE

• PROACTIVE APT HUNTERS

Page 32: Living with Determined Attackers MOSI Edition

PHISHING AWARENESS • DO YOU REMEMBER THE DIY SLIDES

Page 33: Living with Determined Attackers MOSI Edition

PROFESSIONAL PHISHING AWARENESS

• PHISH5

• PHISHME

Page 34: Living with Determined Attackers MOSI Edition

CYBER STRATEGY AT BOARD LEVEL • GOVERNMENT COMMITMENT TO SUPPORT INDUSTRY

• .GOV.UK AND SEARCH “CYBER”

Page 35: Living with Determined Attackers MOSI Edition

CYBER STRATEGY ( ALSO WORTH A READ) • BELGIAN CHAMBER OF COMMERCE - BCSG

• HTTP://WWW.ICCBELGIUM.BE/INDEX.PHP/QUOMODO/BECYBERSECURE

Page 36: Living with Determined Attackers MOSI Edition

ITAF –V- ITCF • WHAT IS IT ASSURANCE

Page 37: Living with Determined Attackers MOSI Edition

SECOPS MATURITY (SOC) • HP PAPER FIVE GENERATIONS OF SOC

• SIEM

• CORRELATION

• STAFFING

• DROWNING IN DATA

Page 38: Living with Determined Attackers MOSI Edition

SECOPS MATURITY (CIRT)

• THREAT INTELLIGENCE FEEDS

• LIVE RESPONSE TECHNIQUES

• ENTERPRISE CLASS FORENSIC ACQUISITION

• STAFF DEVELOPMENT

• MALWARE REVERSING SKILLS / SOCIAL ENGINEERING SKILLS

• WORKFLOW BPM TOOLING

• NETWORK CONTAINMENT / NAC

Page 39: Living with Determined Attackers MOSI Edition

OPEN IOC • WHAT IS OPEN IOC - HTTP://WWW.OPENIOC.ORG/

http://www.openioc.org/
Page 40: Living with Determined Attackers MOSI Edition

FREE TOOLS • FROM MANDIANT

Page 41: Living with Determined Attackers MOSI Edition

LESSONS WITH OPENIOC FREE TOOLS

Page 42: Living with Determined Attackers MOSI Edition

SECOPS MATURITY (APT HUNTERS) • WHAT IS REDLINE

• COLLECTS WINDOWS ACTIVITY FROM

• FILE

• REGISTRY

• DNS LOOKUPS

• PROCESSES IN MEMORY

• NETWORK CONNECTIONS

• FIRST RESPONDER INVESTIGATIONS

Page 43: Living with Determined Attackers MOSI Edition

(.MANS) REDLINE TRIAGE COLLECTION • 1

Page 44: Living with Determined Attackers MOSI Edition

(.MANS) REDLINE TRIAGE COLLECTION • 2

Page 45: Living with Determined Attackers MOSI Edition

(.MANS) REDLINE TRIAGE COLLECTION • 3

Page 46: Living with Determined Attackers MOSI Edition

TACKLING ADVANCED THREATS • THERE IS NO SINGLE TECHNOLOGY TO

• “RULE THEM ALL”

• 1) RECOGNISE “PREVENTATIVE” ISN'T ENOUGH

• 2) GET SENIOR LEVEL SPONSORSHIP

• 3) GET THE RIGHT PEOPLE

• 4) GET THE RIGHT TOOLING

Page 47: Living with Determined Attackers MOSI Edition

VENDORS TACKLING ADVANCED THREATS • THERE IS NO SINGLE TECHNOLOGY TO RULE THEM ALL

Mandiant

Carbon Black

Guidance Software

CounterTack

CrowdStrike

Tanium

Intelligent ID

Nexthink

Webroot

LogRhythm

TrustCloud

Cyvera

ARBOR – Prevail

DAMBALLA – Failsafe

FIDELIS – XPS

LANCOPE – StealthWatch

SOURCEFIRE - FireAMP

RSA – Netwitness

SOLERA – DeepSee

SOLERA – BluecoatATP

AHNLABS – MDS

CHECKPOINT – threat emulation

FIREEYE – ATP

LASTLINE – Previct

MCAFEE – ValidEdge

TREND – Deep Discovery

PALOALTO – Wildfire

BLUERIDGE – Appguard

BROMIUM – vsentry

HBGARY – DigitalDNA

INVINCEA – Enterprise

Threat Analyser

RSA – ecat

TRIUMFANT – mdar

Page 48: Living with Determined Attackers MOSI Edition

CREDITS • JEFF YEUTER @ MANDIANT FOR THE REDLINE EXAMPLE

• JIM ALDRIDGE @ MANDIANT FOR THE BLACKHAT2012 APT PRESENTATION

• ANTON CHUVAKIN @ GARTNER FOR THE PAPER “SECURITY INCIDENT RESPONSE IN THE AGE OF APT”

Page 49: Living with Determined Attackers MOSI Edition

FIND ME

• ON LINKEDIN

• UK.LINKEDIN.COM/IN/JMCK4CYBERSECURITY/

• MANY REFERENCES KEPT AT

• HTTP://WWW.CISO-ADVISOR.CO.UK/COMMUNITY/

http://uk.linkedin.com/in/jmck4cybersecurity/
http://uk.linkedin.com/in/jmck4cybersecurity/
http://www.ciso-advisor.co.uk/community/
http://www.ciso-advisor.co.uk/community/
http://www.ciso-advisor.co.uk/community/
http://www.ciso-advisor.co.uk/community/

Mosi-oa-Tunya / Victoria Falls

Mosi-oa-Tunya / Victoria Falls

Attackers and Defenders - Collaborative Learning

Attackers and Defenders - Collaborative Learning

Living with the threat of Determined Attackers - RANT0214

Living with the threat of Determined Attackers - RANT0214

MOSI/SIMO — Master Output, Slave Input (output SPIMaster ...

MOSI/SIMO — Master Output, Slave Input (output SPIMaster ...

Chess Secrets Great Attackers Collin Crouch

Chess Secrets Great Attackers Collin Crouch

Attackers Vs. Defenders: Restoring the Equilibrium

Attackers Vs. Defenders: Restoring the Equilibrium

Google Gears for Attackers

Google Gears for Attackers

MOSI MODUL 3 Fungction Statment, Resource, Path Network, Vaiable, Shift

MOSI MODUL 3 Fungction Statment, Resource, Path Network, Vaiable, Shift

Data spies, hackers & online attackers

Data spies, hackers & online attackers

BANK ATTACKERS - CORE SE...Bank Attackers © CORE 2012

BANK ATTACKERS - CORE SE...Bank Attackers © CORE 2012

CyberArk: The Cyber Attackers’ Playbook THE CYBER ...media.techtarget.com/.../assets/CyberArk-The-Cyber-Attackers-Playbook-en.pdfCyberArk: The Cyber Attackers’ Playbook 15 What

CyberArk: The Cyber Attackers’ Playbook THE CYBER ...media.techtarget.com/.../assets/CyberArk-The-Cyber-Attackers-Playbook-en.pdfCyberArk: The Cyber Attackers’ Playbook 15 What

Chess Secrets - Great Attackers - collin crouch.pdf

Chess Secrets - Great Attackers - collin crouch.pdf

Computer Security: Computer Science with Attackers

Computer Security: Computer Science with Attackers

2015 2016 - cfly.trustedpartner.comcfly.trustedpartner.com/docs/library...Demeulenaere, MOSI President and CEO. MOSI is responsible for some of the learning experiences offered through

2015 2016 - cfly.trustedpartner.comcfly.trustedpartner.com/docs/library...Demeulenaere, MOSI President and CEO. MOSI is responsible for some of the learning experiences offered through

Hunting Attackers with Network Audit Trails

Hunting Attackers with Network Audit Trails

The Japanese were ruthless attackers

The Japanese were ruthless attackers

Patterns of Lone Attackers - KAS

Patterns of Lone Attackers - KAS

Localizing Multiple Jamming Attackers in Wireless Networks › ~yychen › papers › Localizing... · Localizing Multiple Jamming Attackers in Wireless Networks Hongbo Liu ∗, Zhenhua

Localizing Multiple Jamming Attackers in Wireless Networks › ~yychen › papers › Localizing... · Localizing Multiple Jamming Attackers in Wireless Networks Hongbo Liu ∗, Zhenhua

Penetration Testing Assessing Security Attackers 34635

Penetration Testing Assessing Security Attackers 34635

Attackers and Defenders of Noli

Attackers and Defenders of Noli