190312 Sergej Epp AI Ready Go submission...Reconnaissance Weaponization and Delivery Exploitation Command and Control Lateral Movement Installation Actions on the Objective Automated

AI. READY? GO!Sergej EPPChief Security Officer, Central Europe

CONFCIKER

2 | © 2018, Palo Alto Networks. All Rights Reserved.

2008NOVEMBER

3 | © 2019 Palo Alto Networks, Inc. All Rights Reserved.

NETWORKENGINEERS

HACKERS

APPENDIX


SOC

BOTS

RISK MATRIX - 2019


§ Connected vehicle(air/rail/car) threats

§ Quantum computing

§ Data exfiltration in the cloud

§ Cyber Hygiene

§ AI voice fraud§ AI phishing§ AI chatbots

§ Firmware implants§ Destructive

threats§ ID mass

blackmailing

§ OT/IoT Threats§ Insider Threat

§ Third Party Threat§ Spyware§ Identity theft

§ Ransomware Virus

§ AI Exploit Fuzzing§ AI Malware Gen.

§ Biometrics loss § CEO Fraud§ Compromised

patch control

§ Crimeware-as-a-service

§ Phishing

§ SupervisoryOversight

§ BYOD threats § Attack obfuscation§ Denial of Service

§ Banking Malware

§ Advancedregulations

§ Cryptojacking

Emerging Unlikely Possible Likely Very Likely

Acute

Severe

High

Medium

Low


ROBOTS


DETECTION

PREVENTION

RESPONSE

§ Burden to triage§ Costs of false negative

§ Enforcement§ Feedback Loop

SECURITY LIFECYCLE

Cons

tant

ly ch

angi

ng e

nviro

nmen

t

§ Interability of alerts§ Often EDR limited§ Highly time-intensive

8 | © 2019 Palo Alto Networks, Inc. All Rights Reserved.4RECOMMENDATIONS


„I will fix your detection problems“- AI

OUTPUT DATA

INTRODUCTION INTO MACHINE LEARNING


INPUT DATA

PROGRAM

PROGRAMINPUT DATA

OUTPUT DATA

Machine Learning

Traditional Programming

Referece: Prof. Domingos




4. Run Red Team Exercises

5. Cross-organizational telemetry

3. Use Honeypots

2. Review incidents

1. Use public dataset

effe

ctiv

enes

s

HOW TO GET EFFECTIVE TRAINING DATA?


BEISPIEL: SPAM


IT’S A TEAMSPORT!

1. CREATE TRUST FOR

CLOUD SECURITY PRODUCTS



INTERABILITY OF ALERTS


BLIND SPOTS


COMPREHENSIVE ANALYSIS

2. ESTABLISHRICH DATA VISIBILITY


Reconnaissance Weaponizationand Delivery

Exploitation Command and Control

Lateral Movement

Installation Actions onthe Objective

Automated Detection and Prevention

Threat Alerting and Hunting

Focus on this side

Focus on this side

21 | © 2019 Palo Alto Networks. All Rights Reserved.

FOCUS HUMAN EFFORT ON THE RIGHT SIDE OF ATTACK LIFECYCLE

AFAutoFocus

TRTraps

WFWildFire

GPGlobalProtect

APAperture

Cortex XDR

EXAMPLE: THREAT INTELLIGENCE

Block list

Quarantine list

Alert list

Sandbox

ExploitKits, Scanning IPs

C2 IPs Move to quarantinenetwork

Rebuild device

Analyze device

Signatures

Firewall

Endpoint

Indicators

APT IPs

Notify user

AI:beaconing

SHARING

UserViolation

3. AUTOMATE YOUR

SECURITY PLAYBOOKS




THE HIDDEN COSTS OF POINT PRODUCTS

BUY IT

BUY SOMEBODY TO MANAGE

BUY A POINT PRODUCT INTEL PERSON

BUY SOMEBODY TO TIEIT ALL TOGETHER

ACTUAL COSTS

IT‘S SURVEY TIME


100 3050

“HOW MANY SECURITY TOOLS DO YOU USE IN YOUR ORGANIZATION?”

HYPE CYCLE



4. REVIEW YOUR

POINT PRODUCTS


LETS GET IT DONE


MY PLAN FOR CYBERHYGIENE AND FOCUS ON WHAT MATTERS

30 Days

Create inventory for security products and rate them on§ Penetration level across

network, endpoint, cloud§ Prevention maturity§ API maturity§ Crowd intelligence

90 Days

§ Introduce SecDevOps forkey products and validate recommendation from yourinventory

§ Create a plan and share with vendors

270 days

Rationalize security products

CONFICKER INFECTIONS 2019


THANK YOU

Email: [email protected]: @EppSecurity

Documents

190312 Sergej Epp AI Ready Go submission...Reconnaissance Weaponization and Delivery Exploitation Command and Control Lateral Movement Installation Actions on the Objective Automated