Anomaly Detection and You

Anomaly Detection & You!

Sean Cassidy – CTO, Praesidio

https://www.praesidio.com


Your network security

✓ Firewall ✓ Security Policies ✓ Anti-virus ✓ Anti-malware ✓ Intrusion detection ✓ Log collection ✓ Alerting
✓ Software updates ✓ Phishing training ✓ Threat intel ✓ Access Control ✓ Endpoint security ✓ Two factor auth ✓ Memory forensics

NOT ENOUGH

How are attackers still winning?

From: sophia3899@yahoo.com
To: sean@helpfulbank.biz
Subject: Loan Possibilities

Hey Sean!

I am interested in applying for a loan. I am looking at a few houses in my price range. My agent sent me an MLS listing that I attached, but it might have been corrupted. It displays sort of funny, it's a Word doc apparently. Once I click "Enable Content" at the top, it works. Can you see if you can open it?

My credit is pretty good so I'm hoping my loan application will go through smoothly. My credit score is 705 and I make $68,000 a year. Please let me know if any of the houses in the attached MLS are within my price range for an approval.

Thanks :)
Sophia

• Normal email address, never used before
• Sent to the person who does this, very believable
• Your employees want to be helpful!
• Well-written email makes it seem legit

Now they're on one of the workstations

• Maintaining access and avoiding detection
– Anti-virus is easy to bypass
– Rootkits and remote access tools are easy to write, and even easier to use
• Watch the traffic on the machine to figure out what assets are on the network without scanning
• Take it slow, time is in the attacker's favor

Pivoting

• What's next for the attacker?
– Leverage the user's creds
– Exploit out-of-date software on the network
– Ransomware
• Escalate and spread
– If your network is hard on the outside and soft on the inside, you're toast
– Nothing is trusted

What would have helped?

✓ Firewall ✓ Security Policies ✓ Anti-virus ✓ Anti-malware ✓ Intrusion detection ✓ Log collection ✓ Alerting
✓ Software updates ✓ Phishing training ✓ Threat intel ✓ Access Control ✓ Endpoint security ✓ Two factor auth ✓ Memory forensics

Signature-based detection is flawed

• Change the malware so it no longer fits AV signatures
– IDS signatures, too
• Use different IPs/domains to evade threat intel
– Hijack legit servers (CDNs, etc.)
• Spear phishing is cheap and effective
• Mobile workforce means there's often no perimeter

“Signature-based detection is only 40-60% effective. Anomaly detection helps fill the gap.”

– Thomas Hill, CIO, Live Oak Bank

Anomaly Detection: more signal

• Attackers must do something your employees don't:
– Exfiltrate data
– Install backdoors
– Add nodes to a botnet
– Modify systems

Anomaly detection watches everything

✓ Firewall ✓ Security Policies ✓ Anti-virus ✓ Anti-malware ✓ Intrusion detection ✓ Log collection ✓ Alerting
✓ Software updates ✓ Phishing training ✓ Threat intel ✓ Access Control ✓ Endpoint security ✓ Two factor auth ✓ Memory forensics

How do you use anomaly detection?

1. Model your network for threats
2. Develop attacker scenarios
3. Find the data which would indicate compromise
4. Develop algorithms to find those indicators

Step 1: Threat Modeling

• What are the entry points?
– Not just your perimeter!
• What assets are important to you? To an attacker?
• Where do you have monitoring? Where are you blind?
• What mitigations do you have in place? What if those fail?

Step 2: Scenarios

• Data exfiltration
– Normally, your file server is busiest during the work day
– Late at night, lots of data is outbound
• Botnet activity
– The traffic on your network is mostly web traffic
– Over the past few days, IRC usage is way up, why?

Step 2: Scenarios

• Insider threat
– One of your employees' computers is active on a weekend
– Was it hacked, or are they trying to evade detection?
• Reconnaissance
– This week there's a lot of activity from Eastern Europe and China
– Are they probing your network for weaknesses?

Step 3: Data

• Instrumentation
– Network
– IDS
– Endpoints
• Collected into one central place
• Big data solution to crunch the numbers

Step 4: Algorithms

• Start simple, with what you can easily explain
– Exponential moving averages
– Netflix's Surus, Yahoo's EGADS
• As your solution matures, explore more advanced algorithms

How Praesidio does Anomaly Detection

Volumetric, Protocol, Temporal, Geographic, Role, Lateral, Custom

Volumetric Anomaly Detection

Detects changes in data volume for each host on your network

Data exfiltration

Botnet activity

Misconfigured systems

Lateral movement

"Someone just uploaded our entire database to Dropbox."
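As an added example (not code from the talk or from Praesidio's product), here is the "start simple, with what you can easily explain" advice from Step 4 applied to the volumetric use case above: an exponentially weighted moving average and variance kept per host, alerting when an hour's outbound volume lands more than three sigmas above that host's own baseline. The host names, the hourly megabyte figures and the detector parameters (alpha, threshold, warm-up, sigma floor) are constructed for illustration. The same detector keyed on something other than a host (wire transfers per hour, say) also covers the custom "7x our average" case later on the page.

```python
import math
from collections import defaultdict


class EwmaDetector:
    """Per-key exponentially weighted moving average (EWMA) of a counter,
    with an EWMA of its variance, used as a baseline for z-score alerting.

    alpha:      weight of the newest sample (higher forgets faster)
    threshold:  alert when a sample is more than this many sigmas above the mean
    warmup:     samples to observe per key before alerting at all
    min_sigma:  floor on sigma so a perfectly flat history cannot make every
                tiny wobble an alert
    All four values are illustrative assumptions, not tuned recommendations.
    """

    def __init__(self, alpha=0.3, threshold=3.0, warmup=5, min_sigma=1.0):
        self.alpha = alpha
        self.threshold = threshold
        self.warmup = warmup
        self.min_sigma = min_sigma
        self.mean = {}
        self.var = {}
        self.count = defaultdict(int)

    def update(self, key, value):
        """Feed one sample for `key`; return (is_anomaly, z_score).

        Anomalous samples are scored but NOT folded into the baseline, so an
        attacker who bursts once does not turn that burst into the new normal.
        """
        n = self.count[key]
        if n == 0:
            self.mean[key], self.var[key] = float(value), 0.0
            self.count[key] = 1
            return False, 0.0
        mean, var = self.mean[key], self.var[key]
        sigma = max(math.sqrt(var), self.min_sigma)
        z = (value - mean) / sigma
        anomalous = n >= self.warmup and z > self.threshold
        if not anomalous:
            # Incremental EWMA of mean and variance: one pass, no history kept.
            diff = value - mean
            incr = self.alpha * diff
            self.mean[key] = mean + incr
            self.var[key] = (1.0 - self.alpha) * (var + diff * incr)
        self.count[key] = n + 1
        return anomalous, z


# Constructed sample telemetry (not real data): outbound megabytes per host for
# ten working hours, followed by one early-morning hour the next day.
HOURS = ["09:00", "10:00", "11:00", "12:00", "13:00", "14:00",
         "15:00", "16:00", "17:00", "18:00", "02:00 (next day)"]
MB_OUT = {
    "ws-17": [12, 15, 9, 14, 11, 13, 10, 14, 12, 13, 2000],            # workstation
    "fs-01": [400, 420, 390, 410, 405, 415, 395, 400, 410, 405, 398],  # file server
}


def scan(hours, series, **detector_args):
    """Run the detector over every host's series in time order; return alerts."""
    det = EwmaDetector(**detector_args)
    alerts = []
    for i, hour in enumerate(hours):
        for host, values in series.items():
            anomalous, z = det.update(host, values[i])
            if anomalous:
                alerts.append({"host": host, "hour": hour,
                               "mb_out": values[i], "z": round(z, 1)})
    return alerts


if __name__ == "__main__":
    for a in scan(HOURS, MB_OUT):
        print(f"ALERT {a['host']} at {a['hour']}: {a['mb_out']} MB out (z={a['z']})")
```

Two choices matter more than the numbers. The warm-up keeps the first few samples from alerting while sigma is still meaningless (the file server's 420 MB second hour would otherwise fire), and the baseline is only updated with samples judged normal, so a sustained exfiltration cannot teach the detector that 2 GB an hour is fine. The price of the second choice is that a legitimate step change (a new backup job) keeps alerting until someone re-baselines that host.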

Temporal Anomaly Detection

Detects each device's natural cadence and reports deviations

Insider threats

Data exfiltration

Lateral movement

"One employee was active at 3am on a weekend, why?"
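An added example of the temporal idea (not the talk's or Praesidio's code): a cadence baseline that records, per device, on how many distinct days it was active in each (weekday, hour) slot during a training window, then flags later activity in slots that device has never or rarely used. The log line format, the device names, the four-week February 2016 training window and the `min_days_seen` cutoff are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


class CadenceDetector:
    """Learns, per device, on how many distinct days it was active in each
    (weekday, hour) slot, then judges new events by how familiar that slot is.

    A slot seen on fewer than `min_days_seen` distinct baseline days is an
    'anomaly'; a device with no baseline at all is 'unknown' rather than
    'normal', so brand-new hosts are not silently accepted.
    """

    def __init__(self, min_days_seen=2):
        self.min_days_seen = min_days_seen
        self.slot_days = defaultdict(lambda: defaultdict(set))  # device -> slot -> {date}
        self.baseline_days = defaultdict(set)                   # device -> {date}

    @staticmethod
    def slot(ts):
        return (ts.weekday(), ts.hour)

    def observe(self, device, ts):
        """Add one baseline event (training window only)."""
        self.slot_days[device][self.slot(ts)].add(ts.date())
        self.baseline_days[device].add(ts.date())

    def check(self, device, ts):
        """Return (verdict, days_seen) for an event outside the training window."""
        if not self.baseline_days[device]:
            return "unknown", 0
        days_seen = len(self.slot_days[device][self.slot(ts)])
        verdict = "anomaly" if days_seen < self.min_days_seen else "normal"
        return verdict, days_seen


def parse_line(line):
    """Constructed log format (an assumption): '<ISO timestamp> <device> <action>'."""
    ts, device, _action = line.split()
    return device, datetime.fromisoformat(ts)


def constructed_baseline_lines():
    """Four weeks (Mon 2016-02-01 to Sun 2016-02-28) of weekday 09:00-17:00
    logons for ws-17. Constructed for the example; not real telemetry."""
    start = datetime(2016, 2, 1)
    lines = []
    for day in range(28):
        d = start + timedelta(days=day)
        if d.weekday() >= 5:            # skip Saturday and Sunday
            continue
        for hour in range(9, 18):
            lines.append(f"{(d + timedelta(hours=hour)).isoformat()} ws-17 logon")
    return lines


# New events to judge (constructed). 2016-03-05 is a Saturday, 03-07 a Monday.
NEW_LINES = [
    "2016-03-01T10:00:00 ws-17 logon",   # Tuesday mid-morning
    "2016-03-05T03:00:00 ws-17 logon",   # Saturday 03:00
    "2016-03-07T19:00:00 ws-17 logon",   # Monday evening, after hours
    "2016-03-06T03:00:00 ws-42 logon",   # device with no baseline
]


def run_example(min_days_seen=2):
    det = CadenceDetector(min_days_seen)
    for line in constructed_baseline_lines():
        det.observe(*parse_line(line))
    return {line: det.check(*parse_line(line)) for line in NEW_LINES}


if __name__ == "__main__":
    for line, (verdict, days) in run_example().items():
        print(f"{verdict:8} (slot seen on {days} baseline days)  {line}")
```

The caveat a practitioner will want: the baseline is only as clean as the window it was learned from. Train on a window you have reason to believe was uncompromised, otherwise an insider's habitual 3am sessions become part of "normal", and re-learn it periodically so that legitimate changes (a new on-call rotation) stop alerting.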

Custom Anomaly Detection

Finds anomalies unique to your business and cybersecurity strategy

Built by you

Tailored to your specific needs "The number of wire transfers per hour peaked to 7x our average."

Anomaly detection needs to constantly adapt, improve, and evaluate.

Questions?

Website: https://www.praesidio.com
Email: sean@praesidio.com
Twitter: @sean_a_cassidy
