Living with the threat of Determined Attackers - RANT0214

MANCHESTER RANT FEBRUARY 14TH 2014

YOUR SPEAKER – JAMES MCKINLAY • 2014 CISO LEVEL SECURITY, RISK & COMPLIANCE CONSULTANCY ACROSS EUROPE

• 2013 PCIDSS COMPLIANCE AT WALMART FOR ASDA & GEORGE (LEVEL ONE MERCHANT)

• 2011 - 2013 PCIDSS COMPLIANCE MANCHESTER AIRPORTS GROUP (LEVEL THREE MERCHANT)

• 2006-2011 PCIDSS COMPLIANCE HOMELOAN MANAGEMENT LIMITED (LEVEL ONE SERVICE PROVIDER)

• 2006 ECOMMERCE SECURITY– THOMAS COOK SCHEDULED BUSINESS

EXEC SUMMARY –

• DEFENDERS ARE INCREASINGLY BEING OVERRUN BOTH BY EVENTS GENERATED BY ORDINARY

CYBERCRIME AND BY ADVANCED, TARGETED ATTACKS FROM SOPHISTICATED ADVERSARIES.

• INCREASED COMPLEXITY AND FREQUENCY OF ATTACKS, COMBINED WITH REDUCED EFFECTIVENESS OF

PREVENTATIVE CONTROLS, INCREASES THE NEED FOR ENTERPRISE-SCALE SECURITY INCIDENT RESPONSE

• THREAT INTELLIGENCE AND CONTINUOUS IMPROVEMENT OF INCIDENT RESPONSE PROCESSES ARE

NEEDED BY ENTERPRISES TO REDUCE THE EFFORT REQUIRED IN CONTAINING LOSSES AND RISKS.

WHAT DO I MEAN BY . . . .

•DETERMINED ATTACKERS

•BETTER INTELLIGENCE

•BETTER PREPARED

WHAT DO I MEAN BY DETERMINED ATTACKER

• GET IN PAST YOUR PREVENTATIVE DEFENCES

• STEAL SOME VALID CREDENTIALS

• REMOVE TOOLS USED IN GETTING IN

• FIND SOME REMOTE ACCESS AND USE VALID CREDENTIALS

• EXPLORE THE ENVIRONMENT

• STEAL DATA – RINSE AND REPEAT

JIM ALDRIDGE BH2012

https://dl.mandiant.com/EE/library/BH2012_Aldridge_RemediationPres.pdf

PREVENTATIVE CONTROLS ARE NOT ENOUGH A “Determined attacker will not be put off by traditional IT security technology

•Basic AV Avoidance

•Basic IDS Avoidance

•Modern Sandbox Avoidance

•WAF Identification

•Web Filter Avoidance

•Email Filter Avoidance

BASIC AV AVOIDANCE

• HTTPS://WWW.VEIL-FRAMEWORK.COM/FRAMEWORK/VEIL-EVASION/

BASIC IDS AVOIDANCE

• HTTP://WWW.MONKEY.ORG/~DUGSONG/FRAGROUTE/

• HTTP://EVADER.STONESOFT.COM

MODERN SANDBOX AVOIDANCE

• HTTP://WWW.GIRONSEC.COM/BLOG/2013/10/ANTI-SANDBOXING-IDEAS/

BASIC WAF IDENTIFICATION • OWASP XSS TOOL “XENOTIX” GIVES US A EXAMPLE OF A GUI WAF IDENTIFIER

• HTTPS://WWW.OWASP.ORG/INDEX.PHP/OWASP_XENOTIX_XSS_EXPLOIT_FRAMEWORK

BASIC WEB PROXY AVOIDANCE

• HTTPS

• TOR BRIDGE RELAY

• HTTPS://WWW.TORPROJECT.ORG/

EMAIL FILTER AVOIDANCE TRICKS • LARGE BENIGN ATTACHMENTS MEAN MESSAGES GET SKIPPED FOR SPAM PROCESSING

• WELL FORMED FIRST MESSAGE GETS SENDER ONTO A WHITELIST

• BACKGROUND READING

• “INSIDE THE SPAM CARTEL” , “BOTNETS THE KILLER APP” , “PHISHING EXPOSED”

BASIC PHISHING MANAGERS

• SET - HTTP://WWW.SOCIAL-ENGINEER.ORG/FRAMEWORK

• PHISH FRENZY - HTTP://WWW.PENTESTGEEK.COM/2013/11/04/INTRODUCING-PHISHING-FRENZY/

• SENINJA - HTTP://WWW.ALDEID.COM/WIKI/SOCIAL-ENGINEERING-NINJA

COMPLETE ATTACK MANAGERS

• HTTP://WWW.ADVANCEDPENTEST.COM/FEATURES

• HTTP://WWW.FASTANDEASYHACKING.COM/

POST EXPLOITATION

• BOOK “CODING FOR PENETRATION TESTERS” HAS A CHAPTER DEVOTED TO THIS

POST EXPLOITATION (2)

• WCE - HTTP://WWW.AMPLIASECURITY.COM/RESEARCH.HTML

• PRIVILEGE ESCALATION - HTTPS://WWW.INSOMNIASEC.COM/RELEASES

WHAT IS THE MESSAGE

•DON'T GET COMPLAISANT –

IF THEY WANT TO GET IN

BADLY ENOUGH – THEY

WILL GET IN !

•BETTER PREPARED

WHAT DO I MEAN BY BETTER INTELLIGENCE

• TO KNOW WHAT YOU KNOW AND TO KNOW WHAT YOU DON'T KNOW IS THE SIGN OF ONE WHO KNOWS

• KNOW THE WEAKNESSES IN YOUR DEFENCES

• KNOW THE TECHNIQUES USED BY YOUR ENEMY

• KNOW WHO TO TURN TO FOR HELP

WHERE ARE MY WEAKNESSES • INTERNAL AND EXTERNAL AUDIT REPORTS

• PENETRATION TEST RESULTS

• RISK WORKSHOPS

• INTERVIEW FRONT LINE STAFF

• WHISTLE-BLOWING HOTLINE

• ITS WORTH ASSUMING THAT YOUR PERIMETER HAS BEEN BREACHED

• AND THAT YOU SHOULD PLAN A RESPONSE STRATEGY

APT INTELLIGENCE REPORTS IN MARKETING • VENDOR ISSUED APT REPORTS AND ADVANCED MALWARE REPORTS

• MANDIANT APT1 REPORT OPENED THE FLOOD GATES

MALWARE RESEARCH COMMUNITY • HTTP://AVCAESAR.MALWARE.LU/

• HTTP://WWW.MALSHARE.COM/ABOUT.PHP

• HTTPS://MALWR.COM/

• HTTP://SUPPORT.CLEAN-MX.DE/CLEAN-MX/VIRUSES?

• HTTP://VIRUSSHARE.COM/ABOUT.4N6

• HTTP://VIRUSTOTAL.COM

• HTTP://VXVAULT.SIRI-URZ.NET/VIRILIST.PHP

• HTTP://WWW.OFFENSIVECOMPUTING.NET

Small sample

RSS ENABLED BLOGGING COMMUNITY

RSS Band it http://rssbandit.org/ http://stopmalvertising.com/

IP REPUTATION COMMUNITIES • EXAMPLE: ALIENVAULT OPEN THREAT EXCHANGE HTTPS://WWW.ALIENVAULT.COM/OPEN-THREAT-EXCHANGE

“NOT MARKETING” VENDOR REPORTS • MICROSOFT SECURITY INTELLIGENCE REPORTS

• CISCO ANNUAL REPORTS

CISP ENVIRONMENT • GOVERNMENT CYBER SECURITY STRATEGY INVOLVES REACHING OUT TO INDUSTRY BEYOND CNI

• GCHQ, CESG AND CPNI COLLABORATED ON CISP HTTPS://WWW.CISP.ORG.UK/

READING: WHITEPAPERS • FEW EXAMPLES

• SOC

• IR

• DATA BREACH

• MALWARE

REFERENCES • PAPERS

• HTTP://H71028.WWW7.HP.COM/ENTERPRISE/DOWNLOADS/SOFTWARE/ESP-BWP014-052809-09.PDF

• HTTP://WWW.EMC.COM/COLLATERAL/WHITE-PAPERS/H12651-WP-CRITICAL-INCIDENT-RESPONSE-MATURITY-JOURNEY.PDF

• HTTPS://OTALLIANCE.ORG/RESOURCES/INCIDENT/2014OTADATABREACHGUIDE.PDF

• HTTP://WWW.MICROSOFT.COM/EN-GB/DOWNLOAD/DETAILS.ASPX?ID=34793

• HTTP://WWW.ASD.GOV.AU/INFOSEC/TOP-MITIGATIONS/TOP35MITIGATIONSTRATEGIES-LIST.HTM

• HTTP://WWW.FIRST.ORG/CONFERENCE/2008/PAPERS/KILLCRECE-GEORGIA-SLIDES.PDF

• HTTP://WWW.SANS.ORG/READING-ROOM/WHITEPAPERS/DETECTION/EARLY-MALWARE-DETECTION-CORRELATION-INCIDENT-RESPONSE-SYSTEM-CASE-STUDIES-34485

• HTTPS://WWW.GOV.UK/PUBLIC-SERVICES-NETWORK#PSN-STANDARDS

• HTTP://CSRC.NIST.GOV/PUBLICATIONS/NISTPUBS/800-61REV2/SP800-61REV2.PDF

BACKGROUND READING: BOOKS

DEEPER DIVE : BOOKS

•BETTER PREPARED

WHAT DO I MEAN BY BETTER PREPARED • USER AWARENESS

• CYBER STRATEGY AT BOARD LEVEL

• IT ASSURANCE FRAMEWORK

• SECURITY OPERATIONS MATURITY

• SOC

• CIRT

• THREAT INTELLIGENCE

• PROACTIVE APT HUNTERS

PHISHING AWARENESS • DO YOU REMEMBER THE DIY SLIDES

PROFESSIONAL PHISHING AWARENESS

• PHISH5

• PHISHME

CYBER STRATEGY AT BOARD LEVEL • GOVERNMENT COMMITMENT TO SUPPORT INDUSTRY

• .GOV.UK AND SEARCH “CYBER”

CYBER STRATEGY ( ALSO WORTH A READ) • BELGIAN CHAMBER OF COMMERCE - BCSG

• HTTP://WWW.ICCBELGIUM.BE/INDEX.PHP/QUOMODO/BECYBERSECURE

COBITv5

Processes for Management

Deliver, Service and Support

Manage IT Operations

Manage IT Assets

Manage IT Configurations

Manage IT Incidents

Manage Business

Continuity

Manage Information

Security

Manage Business Process

Processes for Governance

ITCF -V- ISMS • CONTROL FRAMEWORK

• HTTP://WWW.ISACA.ORG/COBIT/PAGES/DEFAULT.ASPX

ITAF –V- ITCF • WHAT IS IT ASSURANCE

SECOPS MATURITY (SOC) • SIEM

• CORRELATION

• STAFFING

• DROWNING IN DATA

• HTTP://WWW8.HP.COM/H20195/V2/GETPDF.ASPX/4AA4-6539ENN.PDF

• HTTP://WWW.ACI-NA.ORG/SITES/DEFAULT/FILES/S4-NESSI.PDF

• HTTP://WWW.SECURITE.ORG/PRESENTATIONS/SOC/MEITSEC-SOC-NF-V11.PDF

SECOPS MATURITY (CIRT)

• THREAT INTELLIGENCE FEEDS

• LIVE RESPONSE TECHNIQUES

• ENTERPRISE CLASS FORENSIC ACQUISITION

• STAFF DEVELOPMENT

• MALWARE REVERSING SKILLS / SOCIAL ENGINEERING SKILLS

• WORKFLOW BPM TOOLING

• NETWORK CONTAINMENT / NAC

OPEN IOC • WHAT IS OPEN IOC - HTTP://WWW.OPENIOC.ORG/

FREE TOOLS • FROM MANDIANT

LESSONS WITH OPENIOC FREE TOOLS

SECOPS MATURITY (APT HUNTERS) • WHAT IS REDLINE

• COLLECTS WINDOWS ACTIVITY FROM

• FILE

• REGISTRY

• DNS LOOKUPS

• PROCESSES IN MEMORY

• NETWORK CONNECTIONS

• FIRST RESPONDER INVESTIGATIONS

(.MANS) REDLINE TRIAGE COLLECTION • 1

TACKLING ADVANCED THREATS • THERE IS NO SINGLE TECHNOLOGY TO

• “RULE THEM ALL”

• 1) RECOGNISE “PREVENTATIVE” ISN'T ENOUGH

• 2) GET SENIOR LEVEL SPONSORSHIP

• 3) GET THE RIGHT PEOPLE

• 4) GET THE RIGHT TOOLING

VENDORS TACKLING ADVANCED THREATS • THERE IS NO SINGLE TECHNOLOGY TO RULE THEM ALL

Mandiant

Carbon Black

Guidance Software

CounterTack

CrowdStrike

Tanium

Intelligent ID

Nexthink

Webroot

LogRhythm

TrustCloud

Cyvera

ARBOR – Prevail

DAMBALLA – Failsafe

FIDELIS – XPS

LANCOPE – StealthWatch

SOURCEFIRE - FireAMP

RSA – Netwitness

SOLERA – DeepSee

SOLERA – BluecoatATP

AHNLABS – MDS

CHECKPOINT – threat emulation

FIREEYE – ATP

LASTLINE – Previct

MCAFEE – ValidEdge

TREND – Deep Discovery

PALOALTO – Wildfire

BLUERIDGE – Appguard

BROMIUM – vsentry

HBGARY – DigitalDNA

INVINCEA – Enterprise

Threat Analyser

RSA – ecat

TRIUMFANT – mdar

CREDITS • JEFF YEUTER @ MANDIANT FOR THE REDLINE EXAMPLE

• JIM ALDRIDGE @ MANDIANT FOR THE BLACKHAT2012 APT PRESENTATION

• ANTON CHUVAKIN @ GARTNER FOR THE PAPER “SECURITY INCIDENT RESPONSE IN THE AGE OF APT”

TIME IS PRECIOUS – THANK YOU FOR YOURS

• FIND ME ON LINKEDIN

• UK.LINKEDIN.COM/PUB/JAMES-MCKINLAY/16/A42/206/

Living with the threat of Determined Attackers - RANT0214

Technology

Dealing With Attackers

Jason Lawrence, MSISA, CISSP, CISA - SplunkConf · PDF filePage 2 24 September 2015 Splunk .conf2015 Who are the attackers? Threat actors threatening your ecosystem Nation states –

Before the Breach: Using threat intelligence to stop attackers in their tracks

Living with Determined Attackers MOSI Edition

Ingalls Threat Intelligence Report · 2020. 1. 24. · MSPs using RMM without MFA are creating an existential threat to both themselves and their clients from attackers who are targeting

Threat Intelligence Solutions · Threat Intelligence Solutions - Taking the Initiative Organizations are facing security challenges like never before while attackers are innovating

EBA — SecurePay Compliance Guide - Entrust Datacard · 2018-11-13 · 3 Today’s consumer lives under the constant threat of identity theft, worrying that attackers will steal

Cyber Threat and Vulnerability Analysis of the U.S ... · determined, well-funded, capable threat actor with the appropriate attack vector can succeed to varying levels depending

Webroot Threat Brief 2016 · » Attackers can license ransomware from third parties - ransomware-as-a-service » Varieties getting harder to detect through thread injection, process

The Attackers Advantage

Check Point Infinity Solution Brief...Check Point Infinity enables you to stay ahead of attackers with real time threat prevention. Leveraging Check Point SandBlast technologies, it

Zscaler Advanced Persistent Threat Protection · devices, and data exfiltration. Protect headquarters, branches and road warriors, all from the cloud APT attackers research and target

A Denial of Service Resistant Intrusion Dection Architecture€¦ · To counter the threat of attackers finding and disabling critical IDS components, IDS vendors devote many resources

The Cyber Threat - Transportation Research Boardonlinepubs.trb.org/onlinepubs/excomm/16-06-Gourley.pdf · malware. Attackers get in fast and remain undetected for months. But risk

AIT AUSTRIAN INSITUTE OF€¦ · Ransomware has become a major cybercrime threat How much money do ransomware attackers make? AUSTRIAN INSTITUTE OF TECHNOLOGY TOMORROW TODAY With

CyberArk: The Cyber Attackers’ Playbook THE CYBER ...media.techtarget.com/.../assets/CyberArk-The-Cyber-Attackers-Playbook-en.pdfCyberArk: The Cyber Attackers’ Playbook 15 What

The Threat Environment Attackers and Their Attacks Primarily from Raymond R. Panko, Corporate Computer and Network Security, 2nd Edition, Prentice-Hall,

Threat Intelligence JujutsuThree Principles of Judo Threat Intelligence •Use the attackers energy against them •Maximum effect, minimum effort •Break their posture, execute the

Threat Advisory: Man-In-The-Middle Attacks Target … 3! akamai’s [state of the internet] / threat advisory 3 3 The use of this technology by attackers may have aided their efforts

Intro to Virtual Machinestbartens/CS550_Spring_2020/lectures/L20_Security.pdfCommon Motivation of Attackers 1. Peeping Tom –Casual prying by nontechnical users 2. Insider threat