Technology Security Through Absurdity: Lessons Learned

Dyn Director of Security Chris Brenton did a presentation in NYC regarding DNS security and how he learned some valuable lessons the absurd way.
    Presentation Transcript

    • Security Through Absurdity: Lessons Learned. December 13th, 2013. Chris Brenton, Director of Security, @chris_brenton, cbrenton@dyn.com
    • Why Security Through Absurdity? Pg. 2 Security Through Absurdity: Lessons Learned @chris_brenton
    • Because we need to enjoy life’s humorous moments
    • Two paths lie before you…
    • Enjoy the Journey
      – Find the humor “nuggets”
      – Leverage the life lessons
      – Grow and move forward
    • Let It Thin Your Soul: “Like butter scraped over too much bread”
    • Rock The Gandalf Look: by increasing the gray hair density. I already have a 14 yr old daughter dedicated to that last task.
    • Our Journey Begins
      – Contracted as a security consultant
      – Owner wants locked-down VPN access to the business
    • Security Requirements
      – Normally disabled state
      – Must call first to get access
      – Must know IP address
    • More Security Requirements
      – 2 factor authentication
      – Time limit on access
      – Log and alert on everything!
    • First Day Onsite
      – I show up early
      – UPS arrives
      – Retrieves key from under rock
      – Lets themselves into building
    • Is This A Problem?
      – Key has been under rock for 5 years
      – Everyone knows it’s there: “X” employees (including disgruntled ones), all delivery couriers, even the local pizza parlor staff
    • Did I Forget to Mention…
      – Business model was computer sales
      – In excess of $15K in inventory
      – Nothing high risk saved on the corporate network
    • Security Task List
      – Mitigate risks that could put you out of business next week
      – Then move on to the week after that
      – Lather, rinse, repeat
    • What Did Life Teach Me? Never assume a business risk analysis has been performed
    • What I Now Do Differently
      – Don’t assume your contact understands their risks
      – Perform a mini risk assessment
    • We implemented a great security solution… but don’t have the resources to maintain it
    • Case Study #2: Phishing test
    • Phishing Test Exercise
      – Contracted to help IT test social engineering
      – Test all employees via email
    • The Setup
    • The Results
      – 13 of 450 employees hit reply
      – Sent their logon credentials
      – Via plaintext email
      – To an unknown outside address
    • The Response
      – Email sent from real IT account
      – Phishing test revealed
      – Detailed explanation
      – Phishing email included as reference
    • What Happened Next?
      – 19 people hit “reply” and sent their credentials
      – In response to an email telling them never to do this
    • Math Sanity Check… 13 < 19
    • Root Cause Analysis: “I just skipped to the executive summary”
    • What Did Life Teach Me?
      – Email is the wrong medium for in-depth concepts
      – How you convey info matters
    • What I Now Do Differently: Consider the proper medium to convey required information
    • We rely on host-based security… to warn us when the host has been compromised
    • Case Study #3: Phishing Rev 2
    • Phishing Attack
      – Spoofed email from CEO
      – Claims to point to a BBC article
      – Link prompts for email logon name and password
    • The Results
      – 6 people are duped
      – Give away their logon name and password
      – In order to read a news story
    • The Response
      – Containment
      – 2 factor authentication
      – Followed by a huge education and awareness effort
    • What Was Included
      – Email to all employees
      – Internal blog entries
      – Updates to awareness training
      – Leverage the grapevine
    • Segue to 30 days later
    • Pentester Hired
      – Measure results of education effort
      – Mass email phishing test sent
    • The Results: Good news! An order of magnitude improvement in people reporting the attack
    • The Results: Bad news! 6 people failed the test. It’s a different 6 people. 6=6
    • What Did Life Teach Me? You can never save everyone. Strive for 100% but have realistic (cost effective) expectations
    • What I Now Do Differently
      – Awareness training is good
      – A reward system motivates people to leverage what they learned
    • We have an Internet policy… but not a Bring Your Own Device policy.
    • Case Study #4: Product security evaluation
    • The Setup
      – Contracted by a bank
      – Evaluate a new system they are considering for purchase
      – Hired to evaluate security
    • The Evaluation
      – Worst system ever!!!
      – Hybrid that combines Windows and a mini computer
      – Got root 3 times in 20 minutes
    • 0wn3d During Preso
    • My Write Up
      – Most pointed review I’ve written to date
      – Documented why the architecture was horribly flawed
      – Can’t be patched!
    • Quick Factoid! The word “horrible” has over 50 synonyms. It is actually possible to use them all in a single professional document
    • How The Bank Responded
      – They purchased the system
      – And opted for the premium support
      – Contract had already been signed
    • Convo With The Bank
      – Me: Which part of “horribly insecure” did you not understand?
      – Bank: But we can migrate the data without any conversion costs!
      – Me: Sounds like you made up your mind ahead of time. Why did you have me evaluate the system?
      – Bank: We hoped you would like it.
    • What Did Life Teach Me? Not everyone understands “Security Speak”
    • What I Now Do Differently: Tailor to your audience. Convert “security speak” to “risk” and “financial” lingo
    • We collect system logs… but no one actually looks at them
    • Case Study #5: The epic battle of good and evil…
    • The Setup
      – DNS SaaS company
      – Offers a “dynamic DNS” product
      – Great solution for cloud users
      – Unfortunately can be used for evil
    • How The Bad Guys Operate
      – Build an infrastructure of “Command and Control” servers
      – These manage infections and propagate malware
      – The “brains” of the setup
    • C&C Infrastructure
      – Designed to be fault tolerant
      – Kill one server, the rest take up the slack
      – Dynamic DNS provides redundancy if a server is blocked or taken down
      – Can recover when a few servers are lost
    • Old IR Methodology
      – Block the account
      – Black hole the host names
      – Problem: if you don’t get the whole C&C network it can recover
    • New IR Methodology
      – Research the account
      – Help innocent clients recover their system from infection
      – When evil, play cat and mouse
    • New IR in Practice
      – Account created from Russia
      – Ticked boxes as a suspect account
      – 12+ scripted host names created
      – Fingerprint of Neutrino actors
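One way to express the “ticked boxes as a suspect account” step from the slides in code, as an added example that is not Dyn’s or the talk’s own logic: it scores one dynamic DNS account’s hostname-creation audit log for the signals the deck names (a burst of 12+ names, scripted-looking labels). The audit-log format, the thresholds, the zone name `dyn-example.test` and the sample entries are all constructed assumptions.

```python
"""Triage of one dynamic DNS account's hostname creations (added example, not Dyn's code).
Assumes an audit log of {"ts": datetime, "hostname": str} per account; the thresholds,
weights, zone name and sample entries below are constructed, not the provider's real ones."""
from collections import Counter
from datetime import datetime, timedelta
import math
import re

BATCH_WINDOW = timedelta(minutes=30)  # assumed window for a "scripted" burst
BATCH_MIN = 12                        # the talk cites "12+ scripted host names"
SUSPECT_SCORE = 3                     # assumed threshold for flagging an account

def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of one hostname label."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def template_of(hostname: str) -> str:
    """Shape of the leftmost label: digit runs -> '#', letter runs -> 'a'."""
    label = hostname.split(".")[0]
    return re.sub(r"[a-z]+", "a", re.sub(r"[0-9]+", "#", label))

def score_account(events: list) -> dict:
    """Score an account's creation events for C&C-style scripted setup."""
    events = sorted(events, key=lambda e: e["ts"])
    score, reasons = 0, []
    # 1. Burst: many hostnames registered inside one short window.
    max_burst = max((sum(1 for e in events[i:] if e["ts"] - s["ts"] <= BATCH_WINDOW)
                     for i, s in enumerate(events)), default=0)
    if max_burst >= BATCH_MIN:
        score += 2
        reasons.append(f"{max_burst} hostnames created within {BATCH_WINDOW}")
    # 2. Templated names: nearly all leftmost labels share one shape.
    if len(events) >= 5:
        shape, n = Counter(template_of(e["hostname"]) for e in events).most_common(1)[0]
        if n / len(events) >= 0.8:
            score += 1
            reasons.append(f"{n}/{len(events)} labels share template {shape!r}")
    # 3. Random-looking names: high mean entropy of the leftmost label.
    if events:
        mean_h = sum(shannon_entropy(e["hostname"].split(".")[0]) for e in events) / len(events)
        if mean_h >= 3.0:
            score += 1
            reasons.append(f"mean label entropy {mean_h:.2f} bits/char")
    return {"score": score, "reasons": reasons, "suspect": score >= SUSPECT_SCORE}

# Constructed sample audit-log entries (zone and labels are made up).
_T0 = datetime(2013, 12, 1, 3, 0)
SCRIPTED_EVENTS = [  # twelve random-looking names registered 40 s apart
    {"ts": _T0 + timedelta(seconds=40 * i), "hostname": f"{label}.dyn-example.test"}
    for i, label in enumerate([
        "kqzbwrt174", "pmxjhvd205", "gycnfsl389", "tbrwqkz641", "dvhjxmp952", "lsfncyg073",
        "zrkwbtq518", "xjpdmvh426", "cnlgsfy837", "wtqkzrb190", "hdpxvjm264", "fgsylcn705"])]
BENIGN_EVENTS = [  # a home user adding a few descriptive names over weeks
    {"ts": _T0, "hostname": "home-nas.dyn-example.test"},
    {"ts": _T0 + timedelta(days=3), "hostname": "garage-cam.dyn-example.test"},
    {"ts": _T0 + timedelta(days=40), "hostname": "vpn.dyn-example.test"},
]

if __name__ == "__main__":
    print("scripted:", score_account(SCRIPTED_EVENTS))  # score 4, suspect True
    print("benign:  ", score_account(BENIGN_EVENTS))    # score 0, suspect False
```

The score is a triage hint for the “research the account” step, not a verdict: a flagged account still gets a human look before any hostname is redirected.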
    • Time For Some Fun
      – Let them create their servers
      – Gave them time to deploy iframes
      – Let servers get integrated into C&C
      – Pointed their hosts at honeypots
    • Impact of Redirection
      – Broke some C&C functionality
      – Identified 30+ other C&C servers
      – Blocked 140,000 infections
      – Collected new data on functionality
    • What We Did Next
      – Warn C&C owners of infection
      – Analyze previously unknown data
      – Share data with the community
      – Update our detection
    • What The Bad Guys Did Next: What they always do. Try to set their network back up
    • Segue to 6 hours later
      – Bad guys come back
      – Using different account credentials
      – Same fingerprint
      – Start spinning up new C&C servers
    • Lather, Rinse, Repeat
      – We let them set up their C&C network
      – Then take it all away
      – This repeats a third time
    • Don’t Go Away Mad…
      – Bad guys relocate to a Central America service provider
      – We warn the provider
      – C&C network has yet to recover
    • What Did Life Teach Me?
      – Remember as you watch this film
      – When things appear their darkest
      – Evil may win some of the battles
      – Good always wins the epic war
    • Thanks For Attending! cbrenton@dyn.com @Chris_Brenton