
Reduce your attack surface by getting back to basics

Date post: 13-Apr-2017
Upload: algosec
Do you really need more shiny security toys? Reduce your attack surface by getting back to basics Avishai Wool CTO
Page 1: Reduce your attack surface by getting back to basics

Do you really need more shiny security toys? Reduce your attack surface by getting back to basics

Avishai Wool, CTO

Page 2

AGENDA

1. Structure of an APT attack

2. Back to Basics: Reducing the Attack Surface

3. Network Segmentation and Security Zones

4. Managing Zoned Networks with AlgoSec

2 | Confidential

Page 3

1. STRUCTURE OF AN APT ATTACK

Page 4

Page 5

HOW?

1. Repeat until desired data reached:

  • Recon

  • Deliver exploits

  • Explore the network

  • Be persistent

2. Exfiltrate data

“Advanced Persistent Threat”, Wikipedia

Page 6

INFORMATION GATHERING

1. OSINT (Open Source Intelligence)

  • Port scans, vulnerability scanning of externally open services

2. On-site gathering

3. HUMINT (Key employees, social engineering)

4. Foot-printing

  • Banner grabbing, SNMP sweeps, DNS zone transfers, etc.

http://www.pentest-standard.org/index.php/Intelligence_Gathering

Page 7

INFORMATION GATHERING: REQUIRES NETWORK TRAFFIC

1. OSINT (Open Source Intelligence)

  • Port scans, vulnerability scanning of externally open services

2. On-site gathering

3. HUMINT (Key employees, social engineering)

4. Foot-printing

  • Banner grabbing, SNMP sweeps, DNS zone transfers, etc.

Page 8

ATTACK TECHNIQUES (PARTIAL LIST)

• Email attachment

  • Send a malicious email attachment

• Browser drive-by download

  • Host the malicious content on a website

• “Water-hole” technique

  • Compromise a website the victim is likely to visit

• Social engineering

  • Fool someone into doing it for you

• Mobile malware

  • Spread a malicious mobile application

Page 9

EXPLORE THE COMPROMISED NETWORK

• Move laterally

  • Find more devices

  • Gain more access

  • Find interesting data

Lateral movement relies on (unusual) network traffic

Page 10

ATTACK PERSISTENCY

• Attacker needs to stay for the long term

• Users tend to:

  • Reboot, patch their systems, update signature detection

• Solution: deploy software on the victim’s machine

• Remote Administration Tools (RAT) are the most popular

  • Poison Ivy, Dark Comet, NetWire, …

Attack persistency relies on (unusual) network traffic

Page 11

EXFILTRATION

• Attacker needs to exfiltrate data from the network

  • Encrypted over SSL

  • Blended into normal traffic over HTTP

  • Pictures, social media posts, pastebin, HTML tags

  • VoIP

• Unusual (outbound) traffic

Page 12

STEPPING STONES

[Diagram: network zones Financial Database, HVAC Control, Partner Network, Procurement Department, and the Internet; Step 0 marked]

Page 13

STEPPING STONES

[Diagram: the same zones; Step 0 and Step 1 marked]

Page 14

STEPPING STONES

[Diagram: the same zones; Step 0, Step 1, Step 2 and Step 3 marked]

Page 15

STEPPING STONES

[Diagram: the same zones; Step 0 to Step 3 marked, then Step 4 – exfiltration: Game Over]

Page 16

2. BACK TO BASICS: REDUCING THE ATTACK SURFACE

Page 17

THE FIRST STEP IS THE HARDEST

[Diagram: zones Financial Database, HVAC Control, Partner Network, Procurement Department, and the Internet]

• Most ingenious step (social engineering, clever technical exploit delivery, …)

• Much of the attack is happening outside of your control

• Requires fancy defense technologies to mitigate

Page 18

MAKE LATERAL STEPS HARDER FOR THE ATTACKER!

[Diagram: the same zones; Step 1, Step 2, Step 3 and Step 4 – exfiltration: Game Over]

Page 19

LATERAL STEPS

• The attacker is now on your turf

• Use your advantages:

  • Control your network

  • Know what traffic is usual and what is not

Page 20

UNUSUAL – IN USUAL WAYS

• Lateral traffic is unusual – in usual ways

• Communicating parties that never communicate

• Protocols & ports that are never used

• Firewalls are really good at blocking such traffic

… as long as:

  • There are firewalls in the traffic path

  • The firewalls are properly configured
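To make “unusual in usual ways” concrete, here is an added example (not from the slides and not AlgoSec code) that learns which host pairs talk and which ports each destination serves from a constructed set of flow records, then flags new flows that break that baseline. Host names, ports and flows are invented for the example.

```python
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "src dst port")

# Constructed baseline of "usual" flows (e.g. a week of firewall or NetFlow logs).
# The window is assumed to be free of attacker traffic; anything in it is learned as usual.
BASELINE = [
    Flow("desk-101", "mail-srv", 443),
    Flow("desk-101", "file-srv", 445),
    Flow("desk-102", "mail-srv", 443),
    Flow("web-srv", "db-srv", 1433),
    Flow("app-srv", "db-srv", 1433),
]

# Constructed new flows to evaluate against the baseline.
NEW_FLOWS = [
    Flow("desk-101", "mail-srv", 443),   # usual pair, usual port
    Flow("desk-101", "desk-102", 445),   # desktop to desktop: never seen before
    Flow("desk-102", "db-srv", 1433),    # usual port on db-srv, but a new pair
    Flow("web-srv", "db-srv", 3389),     # usual pair, port never used towards db-srv
]

def build_baseline(flows):
    """Learn which (src, dst) pairs communicate and which ports each destination serves."""
    pairs = set()
    dst_ports = defaultdict(set)
    for f in flows:
        pairs.add((f.src, f.dst))
        dst_ports[f.dst].add(f.port)
    return pairs, dst_ports

def find_unusual(flows, baseline):
    """Return [(flow, [reasons])] for flows that are unusual in usual ways."""
    pairs, dst_ports = baseline
    findings = []
    for f in flows:
        reasons = []
        if (f.src, f.dst) not in pairs:
            reasons.append("parties never communicated before")
        if f.port not in dst_ports.get(f.dst, set()):
            reasons.append(f"port {f.port} never used towards {f.dst}")
        if reasons:
            findings.append((f, reasons))
    return findings

if __name__ == "__main__":
    for flow, why in find_unusual(NEW_FLOWS, build_baseline(BASELINE)):
        print(f"{flow.src} -> {flow.dst}:{flow.port}: {'; '.join(why)}")
```

Such a first-seen baseline is only as good as the firewalls that see the traffic: a pair that bypasses every filtering point never appears in the logs at all.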

Page 21

3. NETWORK SEGMENTATION AND SECURITY ZONES

Page 22

RECOMMENDATION #1: SEGMENTATION

• Define network zones

• Place firewalls to filter traffic between zones

• Write restrictive policies for traffic between zones


Page 23

USE TECHNOLOGY YOU KNOW WELL

[Diagram: zones Financial Database, HVAC Control, Partner Network, Procurement Department, and the Internet]

Page 24

USE TECHNOLOGY YOU KNOW WELL

[Diagram: the same zones]

Page 25

SEGMENT THE NETWORK: INTERNAL FIREWALLS

[Diagram: the same zones, with firewalls between them]

• Place internal firewalls between network zones

• Use SDN virtualization technologies to filter traffic inside the data center

Page 26

ZONES FOR HUMANS

• Humans are the weakest link

• Systems they touch directly are at risk

• Usual communication patterns:

  • Desktop/Laptop → Server

  • Server → Server

• Desktops don’t communicate with other desktops

• Servers don’t initiate connections to desktops


Page 27

RECOMMENDATION #2: HUMAN-ACCESS ZONES

• Desktops in separate zones from servers

  • Firewalls between human-access zones and server zones

• Keep different departments in separate zones

Page 28

RECOMMENDATION #3: SENSITIVE DATA ZONES

• Some types of data are more sensitive:

  • Credit card data (PCI regulation)

  • Personally Identifiable Information (GLBA, privacy laws)

  • Medical data (HIPAA)

  • Financial data (SOX, etc.)

• Servers with sensitive data in separate zones

Page 29

POLICY IN A SEGMENTED NETWORK

• Define the segmentation policy as a matrix:

[Matrix screenshot: zones Internal Network, DMZ, Peer’s DMZ]

Page 30

ZOOM IN: FROM/TO THE PEER DMZ

[Matrix screenshot: zones Internal Network, DMZ, Peer’s DMZ]

Page 31

4. MANAGING ZONED NETWORKS WITH ALGOSEC

Page 32

WORKING WITH A SEGMENTED NETWORK

• Preparation:

  • Identify the network segments

  • Create a segmentation policy matrix (spreadsheet)

  • Place internal firewalls / virtualized filters between zones

• Continuous compliance:

  • Ensure that firewalls enforce the segmentation policy

• Change requests:

  • Identify all the firewalls that need to be modified

  • What-if proactive risk check against the segmentation policy
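The segmentation policy matrix (slide 29), the continuous-compliance check and the change-request what-if check above, as an added example that is neither the slides’ nor AlgoSec’s code. The zone names, services, filtering devices and deployed rules are constructed assumptions; the matrix also encodes the human-access zone rules of slide 26 by simply leaving desktop-to-desktop and server-to-desktop pairs out.

```python
# Constructed segmentation policy matrix, i.e. the spreadsheet as code:
# (from_zone, to_zone) -> services allowed. A pair that is absent is denied, which
# also encodes "desktops don't talk to desktops" and "servers don't initiate
# connections to desktops". Zone names, services and devices are assumptions.
MATRIX = {
    ("Internet", "DMZ"):     {"tcp/443"},
    ("Peer DMZ", "DMZ"):     {"tcp/443"},
    ("DMZ", "Servers"):      {"tcp/8443"},
    ("Desktops", "Servers"): {"tcp/443", "tcp/445"},
    ("Servers", "PCI"):      {"tcp/1433"},
}

# Constructed topology: the filtering devices that sit between each zone pair.
DEVICES = {
    ("Internet", "DMZ"):     ["fw-edge"],
    ("Peer DMZ", "DMZ"):     ["fw-edge"],
    ("DMZ", "Servers"):      ["fw-edge", "fw-core"],
    ("Desktops", "Servers"): ["fw-core"],
    ("Servers", "Desktops"): ["fw-core"],
    ("Desktops", "PCI"):     ["fw-core", "nsx-dfw"],
    ("Servers", "PCI"):      ["nsx-dfw"],
}

# Constructed snapshot of the allow/deny rules currently deployed on the devices.
RULES = [
    {"device": "fw-core", "src": "Desktops", "dst": "Servers", "svc": "tcp/445", "action": "allow"},
    {"device": "fw-core", "src": "Servers", "dst": "Desktops", "svc": "tcp/3389", "action": "allow"},
    {"device": "nsx-dfw", "src": "Desktops", "dst": "PCI", "svc": "tcp/1433", "action": "allow"},
    {"device": "fw-core", "src": "Desktops", "dst": "Desktops", "svc": "tcp/445", "action": "deny"},
]

def is_allowed(matrix, src, dst, svc):
    """Default deny: only services listed for the (src, dst) pair are permitted."""
    return svc in matrix.get((src, dst), set())

def check_compliance(matrix, rules):
    """Continuous compliance: deployed allow rules that the matrix does not permit."""
    return [r for r in rules
            if r["action"] == "allow" and not is_allowed(matrix, r["src"], r["dst"], r["svc"])]

def what_if(matrix, devices, change):
    """Change request: which devices need modifying, and is the change compliant?"""
    pair = (change["src"], change["dst"])
    return {"devices": devices.get(pair, []),
            "compliant": is_allowed(matrix, change["src"], change["dst"], change["svc"])}

if __name__ == "__main__":
    for r in check_compliance(MATRIX, RULES):
        print(f"VIOLATION on {r['device']}: {r['src']} -> {r['dst']} {r['svc']}")
```

Running the compliance check daily over the exported rule bases is what turns the spreadsheet into an enforced policy; the what-if call is the same test applied before a change is pushed.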

Page 33

IMPORT SEGMENTATION POLICY SPREADSHEET

Page 34

CONTINUOUS COMPLIANCE

• Daily analysis of all firewalls

Page 35

CONTINUOUS COMPLIANCE

• Automatically check segmentation policy

Page 36

CONTINUOUS COMPLIANCE

… and best-practices knowledge base

Page 37

MAKING A CHANGE REQUEST

Page 38

AUTOMATICALLY IDENTIFY DEVICES TO MODIFY

2 traditional firewalls separate the network into zones

Page 39

AUTOMATICALLY IDENTIFY DEVICES TO MODIFY

VMware NSX firewall filters all traffic inside the datacenter

Page 40

EXPLORE PATH DETAILS

Page 41

WHAT-IF RISK CHECK

• How were the risks checked?

Page 42

WHAT-IF RISK CHECK

• How were the risks checked?

• Network segmentation matrix!

Page 43

IMPLEMENT…

• Automatically creates ‘Work Order’ per device

• Implements new rules

… Details in another webinar!

Page 44

SUMMARY

• Attacks require persistency. Keep an eye out for unusual internal and outbound traffic

• Take control of your turf: make lateral steps within your network harder for attackers

  • Segment the network

  • Segment the users

  • Segment sensitive data

• Maintain control

  • Intelligent, structured process for change requests

  • Proactively assess risk

  • Ensure continuous compliance
