Sexy defense



  1. Sexy Defense: Maximizing the Home-Field Advantage. Iftach Ian Amit, Director of Services, IOActive. Image credit: IDF Spokesperson
  2. Agenda
     • Whoami
     • Background - the Red Team was here...
     • What do they actually say? Reading reports 101
     • Methodology - flipping the Red-Team
       • Map
       • Correlate
       • Act
     • Examples
     • Conclusions
  3. Iftach Ian Amit
  16. Background: You had a vulnerability assessment done.
  17. Background: And you passed a pentest.
  18. Background: What did you ACTUALLY get?
      Compliance?        Pros: +++
      Security posture?  Cons: ---
  19. Background: And then you had a Red-Team test come in and wreak havoc...
  20. Background: How does that make you feel?
  21. Shock
  22. Denial
  23. Anger
  24. Resistance
  25. Acceptance?
  26. Reading bad reports
      • Here comes the boring part... Terminology...
        • Vulnerability
        • Exposure
        • Threat
        • Risk
      • (yup - you gotta be able to do suite talk to get the $$$).
  27. Vulnerability. You'll find a lot of these in reports...
      "An issue with a software component that, when abused (exploited), can lead to anything from the software crashing to compromising the system on which the software is installed so that the attacker can have full control over it. Additionally, vulnerabilities also refer to logic and operational issues, whether in computing systems, in processes and procedures related to the business operations, patch management, or even password policies."
  28. Exposure
      • Say what?
      • Usually will connect vulnerabilities to a threat model relevant for the tested organization
  29. Threat: "Anything capable of acting against an asset in a manner that could result in harm." Defined by: Threat Community, Threat Agents.
      • Capabilities
      • Accessibility to assets
  30. Risk. Ever seen one of these in a report? A real one?
      • The probability of something bad™ happening to an organization's asset.
        • Yes, probability == math. Coherently formulate the elements (vuln, exposure, threat) into a risk score.
        • Repeatable, and defensible from a logical perspective
  31. Methodology: Take a look at how we have been practicing attack and defense. For a VERY long time...
  32. Defender view
  33. Attacker view
  34. What does it mean? [Diagram, built up over slides 34-37]
      Attack:  Intelligence Gathering → Vuln. Research → Exploit → Post Exploitation → Control
      Defend:  Threat Modeling → Intelligence Gathering → Data Correlation → Detection → Mitigate & Contain
  38. Remember!
      It's NOT about:
      • Egos
      • People
      • Skills
      IT'S NOT FAIR!
      It IS about:
      • Having a mindset of constant improvement
      • There will always be gaps in the defense
        • Identify
        • Remediate
        • In the CONTEXT of RISK
  39. Map (information & security assets)
      • 1st - What is the business doing anyway?
        • How does it make $?
        • Processes, assets, people, technology, 3rd parties...
      • Security and intelligence assets...
  40. Map (exposures & issues)
      • Start from a report (vuln, pt, red-team).
        • Work up from there while weeding out all the irrelevancies
  41. [Diagram: simplified mapping of assets, processes, people, vulnerabilities, and controls. Nodes: Inputs, Process, 3rd Party, Assets, Vulnerability, Controls, Key personnel]
  42. Map (Threats)
      • Do you know WHO is out to get you?
      • Their capabilities?
      • What do they know?
      • Their modus operandi?
      • ...
  43. Logs
      • Everywhere, from everything.
      • Storage != $
      • Measure twice, cut once == get all logs, filter later
  44. [Diagram: raw intelligence from Marketing, Forums, Sales, Business, Market News, Development, CERTs, Competitors, Partners and Customers feeds Analysis]
  45. Early warning signs
      • Weird PC behavior
      • Volume of calls to support
      • Physical elements around the office
      • Sales inquiries
      • Probes on a website
      • File permissions
      • Access to specific files on network storage
      • Employee awareness
      • ...
  47. People
      • Stalkers
      • Tailgaters
      • Smokers
      • Construction
      • Sales leads
      • IT guys
      AWARENESS
  49. Correlate external events and timelines
      • Local news, sports, entertainment, financial
      • Regional news
      • National events
      • International stuff
  50. Act
      • Building up your defense mojo
      • Training people to identify, report, react
      • Combining technology into the mix
      • Working with others (peers, vendors, intel sources, government?)
  51. Assess where YOU are!
      • Get a clear view of your current security posture
        • Lying to yourself isn't going to make you feel better
        • At least in the long run... :-|
  52. Constant development
      • Expect changes
        • Processes, partners, customers, 3rd parties, internal services/products, people, culture...
      • Embrace changes - never "sign off" into a finite strategy document. Make it a "living" document.
        • Educate people about it.
        • Show how it adapts according to the business. TO SUPPORT IT!
  53. Align outwards [built up over slides 53-61]
      • Compare notes with peers
      • Keep track of what's new on the offensive side
        • And how it relates to you
      • Never accept a successful audit or compliance to regulation as a sign of effective defense
        • Will usually prove the opposite
        • Great - you are now one with the lowest common denominator of the lowest bidders...
  62. It's not about: Tech, People, Skill
  63. It's about: Tech, Skill, People, Cat Herding
  64. Counter-intel
      • Own up to YOUR information
      • Set traps
        • Intelligence
        • Technology
      • Booby-trap tools, work with LE, and most importantly: LEGAL
        • IANAL!
  66. Examples
  67. 
      1. Identify your threat communities / agents
      2. Locate their "hangouts" (where they get toolz)
      3. Infiltrate to get info
      4. Manipulate "stuff"
         1. Backdoor it.
         2. Make sure it leaves a distinct signature.
      5. Update custom signature in detection systems
      6. Kick back, and watch the fun
  68. Use THEIR tools...
  69. Use THEIR tools... Hmmmmmmm... I betch'a people are going to miss it :-)
  70. Demo time
      1. Download RAT
      2. Find appropriate location
      3. Insert RAT
      4. Release
      5. Profit?
  71. Demo
      1. Obtain crypter
      2. Enhance [not in this demo]
      3. Leave a "unique" present in crypted files
      4. Release
      5. Profit?
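An added Python example (my own code, not the deck's demo and not any real RAT or crypter) of steps 4 and 5 of the procedure above: plant a distinct marker in the tool you re-release, then write the custom signature the detection side loads. The marker bytes, the fixed insertion offset, the dict used as a "rule" and the sample file contents are all constructed assumptions; a real deployment picks its own marker, hides it where the file format tolerates it, and expresses the rule in the IDS/AV's native format.

```python
"""Tag a tool with a distinct marker, then detect that marker (added example).

Everything here is constructed: MARKER is a placeholder byte sequence, not a
real signature, and the sample "files" are a few bytes, not real binaries.
"""
import hashlib
import re
from typing import Dict, List, Optional

# Constructed marker. Chosen to be unlikely in benign files: a NUL-delimited
# token rather than printable text someone would grep for and strip.
MARKER = b"\x00hfa\x7f\x01\x00"


def tag_tool(data: bytes, marker: bytes = MARKER) -> bytes:
    """Step 4: plant the marker after the first 8 bytes of a blob.

    A real tag would go somewhere that does not break the file (slack space,
    a resource, an unused section); the fixed offset here is an assumption
    so the example stays format-agnostic.
    """
    if marker in data:
        return data  # already tagged; keep the signature unique, not repeated
    return data[:8] + marker + data[8:]


# Step 5: the custom signature the detection side loads. A dict stands in
# for whatever rule format the IDS/AV actually uses.
SIGNATURE = {
    "name": "tagged_tool_marker",
    "pattern": re.compile(re.escape(MARKER)),
}


def scan_blob(name: str, data: bytes) -> Optional[dict]:
    """Return a detection record if the marker is present, else None."""
    m = SIGNATURE["pattern"].search(data)
    if m is None:
        return None
    return {
        "file": name,
        "rule": SIGNATURE["name"],
        "offset": m.start(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def scan_all(samples: Dict[str, bytes]) -> List[dict]:
    """Run the signature over every sample and collect the hits."""
    return [hit for hit in (scan_blob(n, d) for n, d in samples.items()) if hit]


# Constructed samples: the untouched tool, the tagged release of it, and noise.
ORIGINAL = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24 + b"rat payload"
SAMPLES = {
    "rat_original.exe": ORIGINAL,
    "rat_tagged.exe": tag_tool(ORIGINAL),
    "readme.txt": b"nothing to see here",
}

if __name__ == "__main__":
    for hit in scan_all(SAMPLES):
        print(f"{hit['rule']}: {hit['file']} @ offset {hit['offset']} "
              f"sha256={hit['sha256'][:16]}...")
```

Only the tagged copy trips the rule; the original and the unrelated file stay clean, which is the property you want before pushing the signature to production sensors, otherwise the "distinct" signature just becomes a false-positive generator.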
  72. Law is hackable
      • Don't think that it's impossible to get by with these things...
      • Example: Microsoft's takedown of Bredolab - legal bypass by using trademark infringement claims
        • Directly affect infected computers!
  73. Kippo: http://code.google.com/p/kippo/
  74. Artillery
      • Open up listeners on multiple ports
      • Anything that touches them gets blacklisted
        • You can play with this to report instead of blacklist...
      • Monitor filesystem changes and email diff to you.
      • Block SSH brute-force attacks
      svn co http://svn.secmaniac.com/artillery artillery/
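An added Python example (my own code, not Artillery's) of the first two Artillery behaviours listed above: open listeners on several otherwise-unused ports and treat any connection to them as hostile, either blacklisting the source or, with report_only set, only recording it. The ports (ephemeral here so the example runs anywhere), the accept timeout and the iptables rule text are assumptions; a real tripwire binds fixed ports a scanner would actually probe.

```python
"""Port tripwire in the spirit of Artillery (added example, not Artillery's code).

Any TCP connection to one of the listener ports is recorded and, unless
report_only is set, the source address is blacklisted. Port 0 (ephemeral) is
used so the example runs anywhere; a real deployment binds fixed ports an
attacker would actually probe.
"""
import socket
import threading
import time


class Tripwire:
    def __init__(self, ports=(0, 0, 0), host="127.0.0.1", report_only=False):
        self.report_only = report_only
        self.blacklist = set()   # source IPs to block
        self.events = []         # (timestamp, src_ip, port) for every touch
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._socks = []
        for port in ports:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((host, port))
            s.listen(8)
            s.settimeout(0.2)  # lets the serving thread notice a stop request
            self._socks.append(s)
        self.ports = [s.getsockname()[1] for s in self._socks]
        self._threads = [
            threading.Thread(target=self._serve, args=(s,), daemon=True)
            for s in self._socks
        ]

    def start(self):
        for t in self._threads:
            t.start()

    def stop(self):
        self._stop.set()
        for t in self._threads:
            t.join()
        for s in self._socks:
            s.close()

    def _serve(self, sock):
        port = sock.getsockname()[1]
        while not self._stop.is_set():
            try:
                conn, addr = sock.accept()
            except socket.timeout:
                continue
            conn.close()  # nothing is served: the touch itself is the signal
            self._record(addr[0], port)

    def _record(self, ip, port):
        with self._lock:
            self.events.append((time.time(), ip, port))
            if not self.report_only:
                self.blacklist.add(ip)

    def iptables_rules(self):
        """Render the blacklist as iptables rules (assumed output format)."""
        return [f"-A INPUT -s {ip} -j DROP" for ip in sorted(self.blacklist)]


def touch(host, port):
    """Simulate a scanner connecting to a tripwire port."""
    with socket.create_connection((host, port), timeout=1):
        pass


def demo(report_only=False):
    """Start two tripwire ports, touch the first one, return the tripwire."""
    tw = Tripwire(ports=(0, 0), report_only=report_only)
    tw.start()
    try:
        touch("127.0.0.1", tw.ports[0])
        deadline = time.time() + 3
        while not tw.events and time.time() < deadline:
            time.sleep(0.05)
    finally:
        tw.stop()
    return tw


if __name__ == "__main__":
    tw = demo()
    print("events:", tw.events)
    print("\n".join(tw.iptables_rules()))
```

The blacklist is deliberately kept as data rather than applied directly: whether a touch gets an iptables rule, a SIEM event or just an e-mail is a policy decision, and the report-only mode is what you run first so a misconfigured scanner or monitoring host does not lock you out of your own network.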
  75. Then: Technology
      • Find stuff that works FOR you. Or make it.
        • SIEM/SOC would be a major focus
        • Other correlation engines
      • Feed technology all the data it can handle
        • Financial info? Semantic data? Google Alerts? --> Anything goes...
  76. Counter Intelligence use-case [built up over slides 76-82]
      Problem: dormant accounts used for fraud (and/or money laundering)
      [Diagram: Account → >1yr dormant → laundering → Intl. transfers → Internal/External???]
  83. [Diagram, built up over slides 83-100: the account is one of many on account lists pulled by Accounting, Marketing and Branch mgmt.; the lists trace back to an internal user; that internal user's PC carries a Trojan talking to a C&C run by the Bad Guys(tm)]
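An added Python example (my own code over constructed data, not the deck's) that works the use case above end to end: flag accounts that sat dormant for more than a year and then moved money abroad, and correlate the flagged accounts with the internal users whose account-list pulls covered them, which is where the trojaned PC in the diagram would surface. Only the >1yr dormancy trigger and the international-transfer pattern come from the slides; the record layouts, departments, look-back window and ranking heuristic are assumptions.

```python
"""Dormant-account fraud detection with internal-access correlation (added example).

All records below are constructed. The only inputs taken from the use case
are the trigger (account dormant > 1 year) and the pattern (international
transfers); layouts, windows and the ranking are assumptions.
"""
from collections import defaultdict
from datetime import date, timedelta

DORMANT_DAYS = 365  # ">1yr dormant"

# Constructed: last customer-initiated activity on record per account.
LAST_ACTIVITY = {
    "ACC-1001": date(2010, 3, 2),
    "ACC-1002": date(2011, 11, 20),
    "ACC-1003": date(2009, 7, 14),
    "ACC-1004": date(2011, 12, 1),
}

# Constructed transaction log: (date, account, kind, amount, counterparty country).
TXNS = [
    (date(2012, 1, 5), "ACC-1001", "intl_transfer", 9500, "CY"),
    (date(2012, 1, 6), "ACC-1001", "intl_transfer", 9800, "CY"),
    (date(2012, 1, 5), "ACC-1003", "intl_transfer", 9900, "LV"),
    (date(2012, 1, 7), "ACC-1002", "intl_transfer", 500, "DE"),      # recently active: not flagged
    (date(2012, 1, 8), "ACC-1004", "domestic_transfer", 200, "IL"),  # domestic: not flagged
]

# Constructed audit trail of internal users pulling account lists:
# (date, user, department, accounts on the list).
LIST_ACCESS = [
    (date(2011, 12, 20), "jdoe", "accounting", {"ACC-1001", "ACC-1002", "ACC-1003"}),
    (date(2011, 12, 28), "msmith", "marketing", {"ACC-1004"}),
    (date(2011, 12, 29), "jdoe", "accounting", {"ACC-1001", "ACC-1003"}),
    (date(2012, 1, 3), "rlee", "branch_mgmt", {"ACC-1002", "ACC-1004"}),
]


def flag_dormant_intl(txns, last_activity, dormant_days=DORMANT_DAYS):
    """Flag international transfers on accounts with no activity for > dormant_days.

    Returns {account: [(date, amount, country), ...]} for flagged accounts.
    """
    hits = defaultdict(list)
    for when, acct, kind, amount, country in txns:
        last = last_activity.get(acct)
        if last is None or kind != "intl_transfer":
            continue
        if (when - last) > timedelta(days=dormant_days):
            hits[acct].append((when, amount, country))
    return dict(hits)


def correlate_internal_access(flagged, list_access, window_days=60):
    """Rank internal users by how many flagged accounts their recent list pulls covered.

    Looks at pulls in the window_days before the first flagged transfer and
    returns [((user, dept), {accounts}), ...], best coverage first. The top
    entry is the first PC to examine for the Trojan/C&C leg of the diagram.
    """
    if not flagged:
        return []
    flagged_set = set(flagged)
    earliest_hit = min(d for hits in flagged.values() for d, _, _ in hits)
    window_start = earliest_hit - timedelta(days=window_days)
    coverage = defaultdict(set)
    for when, user, dept, accounts in list_access:
        if window_start <= when <= earliest_hit:
            covered = accounts & flagged_set
            if covered:
                coverage[(user, dept)] |= covered
    return sorted(coverage.items(), key=lambda kv: (-len(kv[1]), kv[0]))


def run():
    flagged = flag_dormant_intl(TXNS, LAST_ACTIVITY)
    return flagged, correlate_internal_access(flagged, LIST_ACCESS)


if __name__ == "__main__":
    flagged, ranked = run()
    for acct, hits in flagged.items():
        print(acct, "dormant then moved abroad:", hits)
    for (user, dept), accts in ranked:
        print(f"{user} ({dept}) pulled lists covering {sorted(accts)}")
```

The two stages are kept separate on purpose: the first is a transaction-monitoring rule the fraud team can run on its own, the second needs the list-access audit trail (the "logs from everything" point earlier in the deck) and is what turns a fraud alert into an internal-compromise lead rather than an "Internal/External???" question mark.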
  101. Play nice with others [built up over slides 101-105]: CERTs, Government, Peers, Competitors
  106. Conclusions: The whole is greater than the sum of its elements. [insert tacky "zen" slide with some stones]
  107. Call for Action
       Vendors:
       • Start working on products that can "communicate" with:
         • Loosely typed data
         • Language processing of arbitrary data formats
         • Correlation across sources AND over time
       Defenders:
       • Own up to your data, network, and business information
       • Gather intelligence on your potential adversaries
       • Focus your defenses on assets, not compliance or "best practices"
       • Take the initiative!
  108. ktnxbye! Questions? Paper available at: http://iamit.org/docs/sexydefense.pdf. Twitter: @iiamit. *Image credits: Google Images and the Internetz
