
Sexy defense

Date posted: 15-Jan-2015
Transcript:
1. Sexy Defense: Maximizing the Home-Field Advantage. Iftach Ian Amit, Director of Services, IOActive. Image credit: IDF Spokesperson

2. Agenda: Whoami; Background - the Red Team was here...; What do they actually say? Reading reports 101; Methodology - flipping the Red-Team: Map, Correlate, Act; Examples; Conclusions

3-15. Iftach Ian Amit (photo slides)

16. Background: You had a vulnerability assessment done.

17. Background: And you passed a pentest.

18. Background: What did you ACTUALLY get? Pros / Cons: Compliance? +++ Security posture? ---

19. Background: And then you had a Red-Team test come in and wreak havoc...

20. Background: How does that make you feel?

21. Shock

22. Denial

23. Anger

24. Resistance

25. Acceptance?

26. Reading bad reports. Here comes the boring part... Terminology: Vulnerability, Exposure, Threat, Risk (yup - you gotta be able to do suite talk to get the $$$).

27. Vulnerability: You'll find a lot of these in reports... An issue with a software component that, when abused (exploited), can lead to anything from the software crashing to compromising the system on which the software is installed so that the attacker can have full control over it. Additionally, vulnerabilities also refer to logic and operational issues, whether in computing systems, in processes and procedures related to the business operations, patch management, or even password policies.

28. Exposure: Say what? Usually will connect vulnerabilities to a threat model relevant for the tested organization.

29. Threat: Anything capable of acting against an asset in a manner that could result in harm. Defined by: Threat Community, Threat Agents, Capabilities, Accessibility to assets.

30. Risk: Ever seen one of these in a report? A real one? The probability of something bad happening to an organization's asset. Yes, probability == math. Coherently formulate the elements (vuln, exposure, threat) into a risk score. Repeatable, and defensible from a logical perspective.

31. Methodology: Take a look at how we have been practicing attack and defense. For a VERY long time...

32. Defender view

33. Attacker view

34-37. What does it mean? (built up over four slides) Attack: Intelligence Gathering -> Vuln. Research -> Exploit -> Control -> Post Exploitation. Defend: Threat Modeling -> Intelligence Gathering -> Data Correlation -> Detection, Mitigate & Contain.

38. Remember! It's NOT about: Egos, People, Skills, IT'S NOT FAIR! It IS about: Having a mindset of constant improvement. There will always be gaps in the defense. Identify. Remediate. In the CONTEXT of RISK.

39. Map (information & security assets): 1st - What is the business doing anyway? How does it make $? Processes, assets, people, technology, 3rd parties... Security and intelligence assets...

40. Map (exposures & issues): Start from a report (vuln, pt, red-team). Work up from there while weeding out all the irrelevancies.

41. (diagram) Simplified mapping of assets, processes, people, vulnerabilities, and controls: Inputs, Process, 3rd Party, Assets, Vulnerability, Controls, Key personnel.

42. Map (Threats): Do you know WHO is out to get you? Their capabilities? What do they know? Their modus operandi? ...

43. Logs: Everywhere, from everything. Storage != $. Measure twice, cut once == get all logs, filter later.

44. (diagram) Raw Intelligence sources: Marketing, Forums, Sales, Business, Market, News, Development, CERTs, Competitors, Analysis, Partners, Customers.

45-46. Early warning signs: Weird PC behavior; File permissions; Volume of calls to support; Access to specific files on network storage; Physical elements around the office; Employee awareness; Sales inquiries; Probes on a website; ...

47-48. People: Stalkers, Tailgaters, Smokers, Construction, Sales leads, IT guys -> AWARENESS

49. Correlate external events and timelines: Local news; Sports, entertainment, financial; Regional news; National events; International stuff.

50. Act: Building up your defense mojo. Training people to identify, report, react. Combining technology into the mix. Working with others (peers, vendors, intel sources, government?).

51. Assess where YOU are! Get a clear view of your current security posture. Lying to yourself isn't going to make you feel better. At least in the long run... :-|

52. Constant development: Expect changes. Processes, partners, customers, 3rd parties, internal services/products, people, culture. Embrace changes - never sign off into a finite strategy document. Make it a living document. Educate people about it. Show how it adapts according to the business. TO SUPPORT IT!

53-61. Align outwards (built up over nine slides): Compare notes with peers. Keep track of what's new on the offensive side, and how it relates to you. Never accept a successful audit or compliance to regulation as a sign of effective defense. Will usually prove the opposite. Great - you are now one with the lowest common denominator of the lowest bidders...

62. It's not about: Tech, People, Skill

63. It's about: Tech Skill, People, Cat Herding

64-65. Counter-intel: Own up to YOUR information. Set traps: Intelligence, Technology. Booby-trap tools, work with LE, and most importantly: LEGAL. IANAL!

66. Examples

67. 1. Identify your threat communities / agents. 2. Locate their hangouts (where they get toolz). 3. Infiltrate to get info. 4. Manipulate stuff: 1. Backdoor it. 2. Make sure it leaves a distinct signature. 5. Update custom signature in detection systems. 6. Kick back, and watch the fun.

68-69. Use THEIR tools... Hmmmmmmm... I betcha people are going to miss it :-)

70. Demo time: 1. Download RAT. 2. Find appropriate location. 3. Insert RAT. 4. Release. 5. Profit?

71. Demo: 1. Obtain crypter. 2. Enhance [not in this demo]. 3. Leave a unique present in crypted files. 4. Release. 5. Profit?

72. Law is hackable: Don't think that it's impossible to get by with these things... Example: Microsoft's takedown of Bredolab - legal bypass by using trademark infringement claims. Directly affect infected computers!

73. Kippo: http://code.google.com/p/kippo/

74. Artillery: Open up listeners on multiple ports. Anything that touches them gets blacklisted. You can play with this to report instead of blacklist... Monitor filesystem changes and email diff to you. Block SSH brute-force attacks. svn co http://svn.secmaniac.com/artillery artillery/

75. Then: Technology. Find stuff that works FOR you. Or make it. SIEM/SOC would be a major focus. Other correlation engines. Feed technology all the data it can handle. Financial info? Semantic data? Google Alerts? --> Anything goes...

76-82. Counter Intelligence use-case (built up over seven slides). Problem: dormant accounts used for fraud (and/or money laundering). Diagram: Account -> >1yr dormant -> laundering -> Internal/External ??? -> Intl. transfers.

83-89. (diagram, built up over seven slides) Accounts linked through lists to Accounting, Marketing and Branch mgmt.
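The Artillery idea from slide 74 (listeners on ports nothing legitimate should use; anything that touches them is reported or blacklisted), written out as an added example. This is not Artillery's code or the talk's; the BLOCK_AFTER threshold, the class and function names are assumptions, and it binds only to localhost so it can be exercised offline.

```python
# Tripwire listener in the spirit of Artillery: bind a port nothing legitimate
# should touch, record every source that connects, and either report or block.
# Added example, not Artillery's own code; BLOCK_AFTER and all names are assumptions.
import socket
import threading
from collections import Counter

BLOCK_AFTER = 3   # assumed policy: report the first touches, block repeat offenders


class Tripwire:
    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))          # port 0 = let the OS pick (demo only)
        self.sock.listen(8)
        self.port = self.sock.getsockname()[1]
        self.hits = Counter()                 # source address -> touch count
        self.actions = []                     # (source, port, "report" | "block")

    def decide(self, source):
        """Per-source policy: 'report' until BLOCK_AFTER touches, then 'block'."""
        self.hits[source] += 1
        action = "block" if self.hits[source] >= BLOCK_AFTER else "report"
        self.actions.append((source, self.port, action))
        return action

    def serve(self, max_conns):
        """Accept max_conns connections and close each at once: the tripwire never
        speaks, so any touch is suspicious by construction."""
        for _ in range(max_conns):
            conn, (src, _) = self.sock.accept()
            conn.close()
            self.decide(src)
        self.sock.close()


def touch(port, times):
    """Constructed 'probe' side for a local demo: bare TCP connects, nothing sent."""
    for _ in range(times):
        with socket.create_connection(("127.0.0.1", port)):
            pass


def demo(times=4):
    """Run the tripwire and probe it; returns the action taken on each touch."""
    tw = Tripwire()
    server = threading.Thread(target=tw.serve, args=(times,))
    server.start()
    touch(tw.port, times)
    server.join(timeout=10)
    return [action for _, _, action in tw.actions]
```

In a real deployment the "block" action would feed a firewall rule and "report" a SIEM event, which is the report-instead-of-blacklist knob the slide mentions.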
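The dormant-account use-case of slides 76-82 as an added detection rule, not code from the talk: flag an account whose first activity after more than a year of silence is a money movement, then enrich it with the international-transfer and pass-through (laundering) signals the diagram names. The transaction log is constructed and its column layout is an assumption.

```python
# Correlation rule for the dormant-account fraud use-case. Added example, not the
# talk's code; the CSV layout (account, timestamp, kind, amount, country) is assumed.
from collections import defaultdict
from datetime import datetime, timedelta

DORMANT = timedelta(days=365)   # ">1yr dormant" from the slide

# Constructed transaction log. A-100: dormant, then two outbound international
# transfers. A-200: active account, domestic transfer. A-300: dormant, then money
# in and straight back out (pass-through).
LOG = """\
A-100,2013-01-04T10:00:00,login,0,IL
A-100,2014-06-02T09:12:00,transfer_out,9800,CY
A-100,2014-06-02T09:40:00,transfer_out,9700,LV
A-200,2014-05-30T11:00:00,login,0,IL
A-200,2014-06-01T12:00:00,transfer_out,1500,IL
A-300,2012-11-20T08:00:00,login,0,IL
A-300,2014-06-03T15:00:00,transfer_in,5000,IL
A-300,2014-06-03T15:05:00,transfer_out,5000,IL
"""


def parse(text):
    rows = []
    for line in text.strip().splitlines():
        acct, ts, kind, amount, country = line.split(",")
        rows.append((acct, datetime.fromisoformat(ts), kind, int(amount), country))
    return sorted(rows, key=lambda r: r[1])   # correlate in time order


def reactivated_accounts(text, home="IL", passthrough=timedelta(hours=1)):
    """Return {account: [reasons]} for accounts reactivated by a money movement."""
    last_seen, last_in, findings = {}, {}, defaultdict(list)

    def flag(acct, reason):
        if reason not in findings[acct]:
            findings[acct].append(reason)

    for acct, ts, kind, amount, country in parse(text):
        prev = last_seen.get(acct)
        if prev is not None and ts - prev > DORMANT and kind.startswith("transfer"):
            flag(acct, "dormant-reactivation")
        if acct in findings:                      # enrich only already-flagged accounts
            if kind == "transfer_out" and country != home:
                flag(acct, "intl-transfer")
            if kind == "transfer_out" and acct in last_in:
                in_ts, in_amt = last_in[acct]
                if ts - in_ts <= passthrough and amount >= in_amt:
                    flag(acct, "pass-through")
        if kind == "transfer_in":
            last_in[acct] = (ts, amount)
        last_seen[acct] = ts
    return dict(findings)
```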
