Practical Defense

PRACTICAL DEFENSE
Sean Whalen

Transcript of Practical Defense

OVERVIEW

Deploying the right controls, in the right places, for the right reasons is a critical function of any security program. This presentation explores how to optimize existing controls, and when to consider new controls, so you can focus more on operations and less on new fads, while greatly improving your security posture.

STANDARD DISCLAIMER

The views and opinions expressed here are my own, and may not represent those of my past, current, and post-apocalyptic employers.

TRADITIONAL INCIDENT RESPONSE

NEW SECURITY PRODUCTS

THE SALES PITCH

THEN YOU FIND OUT THE PRICE

TRADITIONAL BUDGET

HACKING MOTIVES

Spying

• Theft of intellectual property or other confidential data

• Leverage for advantage and/or leak to embarrass

Destruction

• Stop critical functions

• Place a heavy burden

Infrastructure

• Use victim infrastructure to attack others: exploit trust relationships or obscure origin

Profit

• Extortion (e.g. ransomware)

• Sell banking details, PII, or PHI

• Click fraud

OUTRUN YOUR PEERS

Most attackers are opportunists. Even if attackers are after something a bit specific, like medical records to sell, they will move on to other targets if their favorite methods fail.

FRUSTRATE YOUR ADVERSARY WITHOUT EXHAUSTING YOUR OWN RESOURCES

APTS ARE PERSISTENT

• APTs are interested in you because of who you are and the unique things you have

  • Access to partners

  • Intellectual property

  • Sensitive/damaging information

• They are not going to give up

• Layers of defenses can trip them up in ways you can detect

• You are never going to detect them if everyday attacks are taking all of your attention

TTPS > ATOMIC INDICATORS

ARE YOU FULLY UTILIZING YOUR EXISTING CONTROLS?

You might not need as much new shiny as you think.

COMMON ATTACK VECTORS

• Phishing

• Credential harvesting

• Macros

• Browser exploits

• Server-side attacks

• Insider threats

Yes, you have users who would fill this out

EMAIL MITIGATIONS

• Block high-risk attachment types

• Inspect (nested) archive files

• Add warnings to incoming external emails

• Rewrite URLs for tracking and blocking

• Add SPF/DKIM/DMARC checks to risk calculations

• Consider an email sandboxing service

• Establish a user awareness program

  • Posters, events, contests, and prizes

  • Simulate phishing campaigns

    • PhishMe (Simulation service)

    • Wombat Security (Tightly integrated training and testing)

    • GoPhish (Open source phishing simulation platform)
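An added example (not the speaker's code) of the first two email mitigations: a mail gateway check that blocks high-risk attachment types and looks inside nested archives. The extension block list, the depth limit and the sample message are constructed for the example; password-protected archive members, which a scanner cannot open, are flagged rather than silently passed.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed block list of extensions commonly abused as droppers; tune it to your environment.
HIGH_RISK = (".exe", ".scr", ".js", ".jse", ".vbs", ".hta", ".ps1", ".lnk", ".docm")
MAX_DEPTH = 4  # nesting deeper than this is itself suspicious, so stop descending and flag it

def inspect_blob(name: str, data: bytes, depth: int = 0) -> list:
    """Return (path, reason) findings for one attachment, descending into zip members."""
    if depth > MAX_DEPTH:
        return [(name, "nested deeper than %d archives" % MAX_DEPTH)]
    findings = [(name, "high-risk extension")] if name.lower().endswith(HIGH_RISK) else []
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in (i for i in zf.infolist() if not i.is_dir()):
                path = name + "/" + info.filename
                try:
                    member = zf.read(info)
                except RuntimeError:  # password-protected member cannot be inspected: flag it
                    findings.append((path, "encrypted archive member"))
                    continue
                findings.extend(inspect_blob(path, member, depth + 1))
    return findings

def inspect_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message and inspect every attachment it carries."""
    parts = BytesParser(policy=policy.default).parsebytes(raw).iter_attachments()
    return [hit for p in parts for hit in inspect_blob(p.get_filename() or "unnamed", p.get_payload(decode=True))]

def _zip_bytes(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    return buf.getvalue()

def build_sample_message() -> bytes:
    """Constructed sample: docs.zip -> inner.zip -> invoice.js, a script hidden two archives down."""
    inner = _zip_bytes({"invoice.js": b"// constructed sample, does nothing"})
    outer = _zip_bytes({"inner.zip": inner, "readme.txt": b"constructed sample"})
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.com", "user@example.net", "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(outer, maintype="application", subtype="zip", filename="docs.zip")
    return msg.as_bytes()
```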

NETWORK MITIGATIONS

• Block all outgoing traffic except for email gateways and web proxies

• Configure your web proxies to block all uncategorized sites

• Automatic VPN for remote workers

  • DirectAccess is included in Windows Server 2016

• Deploy multi-factor authentication for all external services

  • Webmail

  • Citrix

  • VPN

  • CMSs/SharePoints/Wikis

AV ISN’T DEAD

• Crank up the heuristics

  • Major enterprise AV vendors are starting to include advanced heuristics and machine learning; you just need to enable it

  • Don’t be afraid of it – test it and use pilot groups

• Block PUPs/PUAs

  • Again, this is a common option, but it is frequently turned down or off

  • Can greatly cut back on the noise you get from users installing crap

• Create custom policies

  • McAfee ePO, SEP ADC, and others can be used to create custom policies

  • Block removable media; prevent Office, browsers, and Adobe Reader from spawning processes

  • Block unsigned executables in %tmp% and %appdata%

OTHER ENDPOINT MITIGATIONS

• Follow industry standard security benchmarks

• Restrict admin rights

  • Avecto Defendpoint (Commercial agent that manages privilege escalation, application whitelisting, and application sandboxing)

  • Microsoft LAPS (Free Microsoft solution that maintains local admin accounts with random passwords)

• Visibility

  • Install Sysmon and collect the logs in Elasticsearch or Splunk

• Endpoint Data Recorder (EDR) solutions

  • Carbon Black Response (Most mature commercial EDR)

  • CrowdStrike Falcon (commercial EDR + anti-malware)

  • Windows Defender ATP (New Microsoft service offering for Windows 10)

  • LimaCharlie (Awesome, flexible, free, open source endpoint monitoring)

• Execution

  • Block macros in Office files downloaded from the internet – OLE packages too

  • Deploy the new Windows 10 mitigations

  • Consider AppLocker
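An added example (not the speaker's code) that ties the custom AV policy slide to the Sysmon visibility item: the same two rules the policy enforces (Office, browsers and Adobe Reader spawning processes; executables in %tmp% and %appdata%) expressed as detection logic over Sysmon Event ID 1 process-creation records, so that a policy gap or bypass shows up in Elasticsearch or Splunk. The parent and child lists and the sample records are constructed; browser child processes with the same image as the parent are treated as benign sandbox processes rather than alerts.

```python
import re
from typing import Dict, List, Tuple

# Parents that should not normally launch other programs (the slide's "spawning" rule).
DOC_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe",
               "chrome.exe", "firefox.exe", "iexplore.exe"}
# Script hosts and shells: a document parent launching one of these is the classic macro dropper.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe"}
# The %tmp% and %appdata% locations from the slide, matched against the Image field.
USER_WRITABLE = re.compile(r"\\AppData\\(?:Local|Roaming|LocalLow)\\", re.IGNORECASE)

def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(event: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, reason) pairs for one Sysmon Event ID 1 (process create) record."""
    parent, child = _base(event["ParentImage"]), _base(event["Image"])
    hits = []
    if parent in DOC_PARENTS and child != parent:  # same-image children are browser sandbox processes
        severity = "high" if child in SCRIPT_HOSTS else "medium"
        hits.append((severity, "%s spawned %s" % (parent, child)))
    if USER_WRITABLE.search(event["Image"]):
        hits.append(("medium", "executable ran from a user-writable temp/appdata path"))
    return hits

def scan(events: List[Dict[str, str]]) -> list:
    """Return (UtcTime, Image, hits) for every event that matched at least one rule."""
    return [(e["UtcTime"], e["Image"], h) for e in events if (h := evaluate(e))]

# Constructed Sysmon Event ID 1 records (only the fields the rules need), not real telemetry.
SAMPLE_EVENTS = [
    {"UtcTime": "2017-03-01 10:02:11", "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"UtcTime": "2017-03-01 10:02:12", "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},  # renderer child: benign
    {"UtcTime": "2017-03-01 10:03:40", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\bob\AppData\Local\Temp\setup_helper.exe"},
    {"UtcTime": "2017-03-01 10:05:02", "ParentImage": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"UtcTime": "2017-03-01 10:06:00", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe"},
]
```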

WHAT THE BUSINESS THINKS WE DO


GETTING BUY-IN FROM IT

• There are often conflicting priorities between security and the rest of IT

• You aren’t the ones getting yelled at by users if something breaks

• SecOps needs a voice at the architecture table

• Reduce surprises – include secure designs in all projects

• IR and intel should help prioritize patching

• Don’t firehose the admins

• Well-placed security controls make everyone’s lives easier

• Bring data; show proof

• Test the hell out of everything

• Automate as much as you can

DOCUMENTATION OR IT DIDN’T HAPPEN

Show your value:

• Did we lose anything?

• Did we stop the attack? When?

• What users were targeted?

• What social engineering theme was used?

• What tools did the attackers use?

• What does that tell us about them?

• How bad could it have been?

• Could we have detected/stopped it sooner? How?

THANK YOU. QUESTIONS?

@SeanTheGeek

https://keybase.io/seanthegeek