Tamas Folnagy
Sept 17, 2015

Cyber(r)evolution
Advanced network defense strategies in high profile environments

Citi Architecture and Technology Engineering

Information Classification: [Public]

Page 2

Agenda

1. Landscape – who and why?
2. Looking back (...the old times...)
3. What’s out there today?
4. Plan ahead...the future!
5. Remarks

Page 3

Ready?

Page 4

Introduction

tamas@box ~> whoami
Tamas Folnagy

Engineering Lead, Global Network Perimeter Engineering, CATE CitiSecure

„Playing” with computers since early age

Large Scale Complex Enterprise Security

• Small but effective group
• Large organization
• Constant interesting challenges
• Engineering solutions

Page 5

Land(e)scape?

Security Breach and Issues
• On a daily basis
• Big players

Information Sharing
• Yes!
• Large Scale Media Coverage
• „Parent” factor

Dawn...
• Are we there yet?
• We already passed.

Page 6

Motivation – a „small”, not comprehensive list

Financial gain
• Direct profit
• Fraud
• „Sell” high value assets
• Extortion

Information leak / technical advancements
• Industrial espionage
• Map and entrance to „others”
• Win the game

Passion, tension, hobby
• Proof of concept
• Doomsday
• Something new
• „Friends” for the win!

Others
• ...and beyond imagination (not!)

Group of Activists
Sharing a common belief, and using cyberspace as an extra means for their cause.

State Driven
Unlimited resources and manpower, extensive skillset.

Cyber Underground
Financial gain is the motivation; resources and skillsets as money allows.

Individuals
Training, extra skillsets; limited in resources, but clever tactics.

Page 7

Response?

Page 8

On a diagram

Multiple Entry Points
• Defend each
• Each is a „risk”
• Assuming knowledge

Page 9

The past and present

Page 10

The medieval defenses still work (to a point...)

Fort Bourtange – star fortress, Groningen, Netherlands

Fortified City of Naarden – Netherlands

Page 11

Changing perimeter – from the 90’s to the present

Basic Principles
• Defend the web!
  ─ Access Control Lists
  ─ Server tuning (?!)
• Basic Firewall(s)
• Not so basic Firewall(s)
• Appl. Awareness (1994)
• Perimeter shall do it all
• Early IDS systems
• Snort (1998)
• Limited Segmentation
• Cryptography
• IPsec
• PKI

Advancements
• Defend the perimeter
  ─ Advanced Firewalls (NGFW)
  ─ Advanced IPS/IDS
• Robust Application Recogn.
• Hardware design and horsepower
• Decrypt / Encrypt
• Complex Protocols
• VoIP
• DCE-RPC
• Citrix
• Digital „Boom”
• Serious Business on the NET
• DoS / DDoS

Page 12

Moore’s law? (More processing, more power?)

Transistor counts
• Doubling every 2 years
• (Slight decrease in 2015)

More horsepower
• Increased protection (UTM)
• Processing
• Modeling / Forecast

It has its „downsides”
• Rise in vulnerabilities
• Fuzzy capacity
• Mathematical Breakthrough
• Bruteforce

Page 13

The changed world

• Financial Industry
  ─ Online banking
  ─ E-trading
• Payment Providers
• E-wallets
• Fast & Easy
• Web of trust in banking
• Intl. Transfers
• Critical Infrastructure
• SCADA
• Building management
• Offshoring / Outsourcing
• Virtualization
• Simplicity
• Home Systems
  ─ Media Players / Routers
  ─ Digital House Management
• Streaming Media Services
• Online Music Library
• E-commerce
• Friends
• Social Media Platforms
• File and Content Sharing
• Media Agencies
• Publishing
• E-mail
• Communication channels

Secure our „home”
Secure our financials

Page 14

Break the chain (at any point)

Page 15

Cyber Kill Chain (has some focus on perimeter) – the famous Lockheed Martin model

• Reconnaissance – Port scans, search for user addresses (e-mail), social networks
• Weaponization – Creating a malware, or developing an exploit with payload
• Delivery – Direct links via e-mail, spear phishing, website, social media direct link, SMS message
• Exploitation – Activate the delivered malware or code
• Installation – Escalate privileges, deploy rootkit, establish persistence
• Command & Control – Establish C&C channel, ensure remote control is in place, start reconnaissance
• Action on Target – Exfiltrate data, constant persistence and surveillance, expand foothold

Page 16

Disrupt, detect or break the chain to save the „day” (deception works too)

Diagram: the kill chain stages (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C&C, Actions on Target) with the controls placed along the chain (Firewall, IPS, AV / OS, IDS / PATCH, HIDS / AV, FW / IPS, FW / IPS).

Page 17

A „simple” network perspective

Perimeter
• ACL
• Firewall
• IDS/IPS
• Proxy

Critical Assets
• IDS/ADS
• Patching / Vuln. Mgmt.
• OS hardening

Page 18

The more complex, the better – not just perimeter

Focus
• Perimeter
• Internal
• High profile
• Everywhere!

Page 19

If all works – feel the harmony

Page 20

Are we paranoid? Not really.

Chart: vulnerabilities, 0-days and browser vulnerabilities per year, 2006–2014 (y-axis 0–8000). Source: Symantec

Page 21

Rise in malware

Chart: malware, mobile malware and suspect URLs per half-year, 2013 1H – 2015 1H (y-axis 0–120,000,000). Source: McAfee Labs

Page 22

How about individual services?

Online Banking
• Direct Attacks
• Fraud
• Vulnerability detection
• DoS / DDoS
• Anomaly Detection
• Intrusion Detection
• Aggregated logging

Detecting abnormal behaviour is key
• Digital fingerprint
• Normal vs abnormal
• Wire-transfer vs. Account status
• Machine Learning, Mathematical Algorithms
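The „normal vs abnormal” idea on this slide, as an added example that is not part of the original deck: a per-account baseline (known device fingerprints, known source countries, typical wire amounts) is learned from trusted history, and each new event is scored against it. The accounts, events, score weights and the alert threshold are constructed for illustration; the scoring is a plain z-score rather than any particular machine-learning model.

```python
"""Baseline-vs-anomaly scoring for online banking events.

Added example, not from the original slides: accounts, events, weights and
the alert threshold below are constructed for illustration.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class Event:
    account: str
    kind: str             # "login" or "wire"
    device_fp: str        # hash of the browser/device fingerprint
    country: str          # geolocated source country
    amount: float = 0.0   # wire amount; unused for logins


@dataclass
class Baseline:
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    amounts: list = field(default_factory=list)


def build_baselines(history):
    """Learn each account's 'normal' from a trusted history of events."""
    baselines = {}
    for ev in history:
        b = baselines.setdefault(ev.account, Baseline())
        b.devices.add(ev.device_fp)
        b.countries.add(ev.country)
        if ev.kind == "wire":
            b.amounts.append(ev.amount)
    return baselines


def score_event(ev, baselines):
    """Return (score, reasons); a higher score means further from the baseline."""
    b = baselines.get(ev.account)
    if b is None:
        return 3, ["no baseline for account"]
    score, reasons = 0, []
    if ev.device_fp not in b.devices:           # digital fingerprint check
        score += 1
        reasons.append("unknown device fingerprint")
    if ev.country not in b.countries:
        score += 1
        reasons.append("new source country")
    if ev.kind == "wire" and len(b.amounts) >= 2:
        # wire amount vs. the account's usual behaviour (z-score against history)
        sigma = pstdev(b.amounts) or 1.0
        z = (ev.amount - mean(b.amounts)) / sigma
        if z > 3:
            score += 2
            reasons.append("wire amount %.1f sigma above normal" % z)
    return score, reasons


def detect(events, baselines, threshold=2):
    """Return the events whose score reaches the threshold, with their reasons."""
    flagged = []
    for ev in events:
        score, reasons = score_event(ev, baselines)
        if score >= threshold:
            flagged.append((ev, score, reasons))
    return flagged


# constructed trusted history for one account: wires around 100 from one device
HISTORY = [Event("acct-1", "wire", "fp-a", "HU", a) for a in (100, 120, 110, 130, 90)]
HISTORY.append(Event("acct-1", "login", "fp-a", "HU"))

# constructed new activity: a normal wire, a login from a new device, a suspicious wire
NEW_EVENTS = [
    Event("acct-1", "wire", "fp-a", "HU", 115),
    Event("acct-1", "login", "fp-b", "HU"),
    Event("acct-1", "wire", "fp-b", "RO", 5000),
]

if __name__ == "__main__":
    for ev, score, reasons in detect(NEW_EVENTS, build_baselines(HISTORY)):
        print(ev.account, ev.kind, ev.amount, score, reasons)
```

Only the third event is flagged: a new device alone scores below the threshold, but a new device plus a new country plus an amount far outside the account's history adds up. Real deployments replace the hand-picked weights with a trained model and feed the flagged events into the aggregated logging the slide mentions.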

Page 23

Internal segmentation and monitoring

Separate high profile
• Shall not have direct exposure to internal
• Tighter controls
• Runbook

Segment networks – if possible
• No mixing of services
• Relief during break-out
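The „shall not have direct exposure to internal” rule, as an added example that is not from the deck: a firewall rule set is checked against a zone policy in which internal hosts may reach the high-profile zone only through a jump zone, and a single rule that swallows more than one zone is reported as mixing zones. The zone ranges, the allowed-flow matrix and the rules are constructed from private and documentation address space; nothing here is the presenter's or Citi's configuration.

```python
"""Zone-policy check for a segmented network.

Added example, not from the original slides: the zones, the allowed-flow
matrix and the firewall rules below are constructed for illustration.
"""
from ipaddress import ip_network

# constructed zones; a more specific zone wins over a broader one it sits in
ZONES = {
    "internal":     ip_network("10.0.0.0/8"),
    "jump":         ip_network("10.250.0.0/16"),
    "high_profile": ip_network("10.200.0.0/16"),
    "dmz":          ip_network("192.0.2.0/24"),
}

# constructed policy: which zone-to-zone flows a rule may allow.
# internal -> high_profile is deliberately absent: it must go via the jump zone.
ALLOWED_FLOWS = {
    ("internal", "jump"),
    ("jump", "high_profile"),
    ("internal", "dmz"),
    ("dmz", "internal"),
}


def zone_of(net):
    """Most specific zone fully containing net; None if net spans zones or is unknown."""
    net = ip_network(net)
    containing = [(name, z) for name, z in ZONES.items() if net.subnet_of(z)]
    if not containing:
        return None
    name, zone = max(containing, key=lambda item: item[1].prefixlen)
    # a broad rule that also swallows a more specific zone mixes zones
    for other in ZONES.values():
        if other is not zone and other.subnet_of(net):
            return None
    return name


def check_rules(rules):
    """Return (rule, problem) pairs for allow rules that violate the zone policy."""
    problems = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src, dst = zone_of(rule["src"]), zone_of(rule["dst"])
        if src is None or dst is None:
            problems.append((rule, "rule spans multiple zones or an unknown range"))
        elif src != dst and (src, dst) not in ALLOWED_FLOWS:
            problems.append((rule, "flow %s -> %s not permitted by policy" % (src, dst)))
    return problems


# constructed rule set
RULES = [
    {"src": "10.1.0.0/16",   "dst": "10.250.0.0/16", "port": 22,   "action": "allow"},
    {"src": "10.250.0.0/16", "dst": "10.200.0.0/16", "port": 22,   "action": "allow"},
    {"src": "10.1.5.0/24",   "dst": "10.200.3.0/24", "port": 3389, "action": "allow"},  # direct exposure
    {"src": "10.0.0.0/8",    "dst": "192.0.2.0/24",  "port": 443,  "action": "allow"},  # source mixes zones
    {"src": "10.1.0.0/16",   "dst": "10.2.0.0/16",   "port": 445,  "action": "allow"},  # intra-zone
    {"src": "0.0.0.0/0",     "dst": "0.0.0.0/0",     "port": 0,    "action": "deny"},
]

if __name__ == "__main__":
    for rule, problem in check_rules(RULES):
        print(rule, "->", problem)
```

Two rules are reported: the RDP rule that lets an internal subnet straight into the high-profile zone, and the broad 10.0.0.0/8 source that mixes the internal, jump and high-profile zones in one rule. Running such a check before every rule-base change is one concrete form of the „tighter controls” and runbook the slide calls for.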

Security Event Management Systems
• Aggregate and correlate all system logs
• Perform data analytics
• Needle in the haystack

Mobile / BYOD Security
• It’s a vector too!
• Don’t let malware sneak in
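The „aggregate and correlate” point, as an added example that is not part of the original deck: log lines from three sources (authentication, proxy, firewall) are parsed into one event stream and correlated per host, so that a burst of failed logins followed by a success and then a large outbound transfer or a blocked outbound connection raises one alert. The syslog-like line layout, the field names, the window and the thresholds are constructed assumptions, not any product's format.

```python
"""Cross-source log correlation ('needle in the haystack').

Added example, not from the original slides. The log lines below are
constructed in a syslog-like layout; field names and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# constructed sample lines: <timestamp> <source> <host> <action> [key=value ...]
SAMPLE_LOGS = """\
2015-09-17T10:00:01 auth ws-042 FAILED_LOGIN user=jdoe src=10.1.5.23
2015-09-17T10:00:03 auth ws-042 FAILED_LOGIN user=jdoe src=10.1.5.23
2015-09-17T10:00:05 auth ws-042 FAILED_LOGIN user=jdoe src=10.1.5.23
2015-09-17T10:00:09 auth ws-042 LOGIN_OK user=jdoe src=10.1.5.23
2015-09-17T10:01:30 proxy ws-042 CONNECT dst=203.0.113.7:443 bytes_out=5242880
2015-09-17T10:02:00 fw ws-042 DENY dst=198.51.100.9:4444 proto=tcp
2015-09-17T10:05:00 auth ws-077 LOGIN_OK user=asmith src=10.1.6.4
2015-09-17T10:05:10 proxy ws-077 CONNECT dst=192.0.2.10:443 bytes_out=2048
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: (.*))?$")


def parse(text):
    """Normalise every source into one event dict shape; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, source, host, action, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in (rest or "").split())
        events.append({"ts": datetime.fromisoformat(ts), "source": source,
                       "host": host, "action": action, **fields})
    return events


def correlate(events, window=timedelta(minutes=5), fail_threshold=3, exfil_bytes=1_000_000):
    """Per host: >= fail_threshold failed logins, then a success, then within the window
    either a large outbound transfer or a denied outbound connection."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        fails = [e for e in evs if e["action"] == "FAILED_LOGIN"]
        for login in (e for e in evs if e["action"] == "LOGIN_OK"):
            recent_fails = [f for f in fails if login["ts"] - window <= f["ts"] < login["ts"]]
            if len(recent_fails) < fail_threshold:
                continue
            followups = [
                e for e in evs
                if login["ts"] < e["ts"] <= login["ts"] + window
                and ((e["action"] == "CONNECT" and int(e.get("bytes_out", 0)) >= exfil_bytes)
                     or e["action"] == "DENY")
            ]
            if followups:
                alerts.append({"host": host, "user": login.get("user"),
                               "failed_logins": len(recent_fails),
                               "followups": [e["action"] for e in followups]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse(SAMPLE_LOGS)):
        print(alert)
```

Taken alone, three failed logins, one large upload and one firewall deny are each noise in any large estate; only the sequence on one host within a few minutes is the needle. The same structure (normalise, group by entity, look for an ordered sequence inside a window) is what the correlation rules of a SIEM express, and it is where the data analytics the slide mentions start.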

Page 24

Will never stop

Advancements in technology
• Use at your best
• Multiple layers
• Exercises

Co-operate
• Information sharing is key
• Intelligence gathering and sources

Keep working on
• Innovations, new ideas
• Industry best practices
• R&D...

Page 25

Thank you!
