Are you Janitor or a Cleaner?
John “geekspeed” Stauffacher
@g33kspeed/geekspeed@gmail.com
Matthew “mattrix” Hoy
@mattrix_ / hoy.matthew@gmail.com
Brief Bio Matthew
• About:
– Information Security Professional for over 15 years
– CISSP and GCIH

• Contact:
– @mattrix_
– hoy.matthew@gmail.com
Brief Bio John
• About:
– Information Security Professional for over 13 years
– CISSP

• Contact:
– @g33kspeed
– geekspeed@gmail.com
Purpose of this talk
• Reliance on automated detection has caused many organizations to be weak in response to an incident
• Many organizations have no idea who attacked them, why they were attacked or how the attack was executed
• Use of old school methods with less reliance on automated tools can help to understand who, how and why (motive)
• Strike Back
Purpose of this talk
• Where we have failed
• Many organizations fall victim to dangerous mindsets that prevent them from having an effective security program
• How do we move forward
• In order to strike back – we need to have our house in order.
The Janitor
Re-images owned boxes and does not identify or analyze the attacker.
The Cleaner
Goes beyond just re-imaging owned boxes. Can identify threat, attacker’s capability and take actions to stop attacker.
Incident Response vs. Immediate Action
Theoretical Lifecycle of Incident Handling
• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Lessons Learned
Immediate Action
During an attack there is no immediate order or lifecycle
• True Preparation – Probably didn’t happen
• Identification of Attacker
• Isolate and Study Attacker
• Stop Attacker
• Restore Services
• Take Attacker’s methods and rebuild defenses
Preparation
• What is not working
– Set it and forget it mentality
– Inadequate staffing
– Improper use of Vulnerability Assessments
– No asset inventory
– No classification of data
Preparation is key
• Attackers have managed to run organizations that are not unlike the ones they attack
Preparation is key
• Reconnaissance
• Weaponize
• Deliver
• Exploit
• Install
• C^2
• Act on Objectives
Preparation is key
• Marketing
• Operations
• Development
• Accounting
• HR
Preparation is key
• Attackers are streamlined, efficient
– Development takes days, not weeks.
– Rapidly adapts to a changing landscape
– Laser focus
– Aren’t rushed by artificial deadlines / other interests
Where We Have Failed
• We need to fill that position
Where We Have Failed
• We let the business dictate our security
posture.
Where We Have Failed
• “Our department doesn’t do ‘preventative’ security scanning. We only scan after the application is in production.”
Where We Have Failed
• “We can’t scan that server – it might crash.”
Where We Have Failed
• Monitor mode
Where We Have Failed
• Sandboxing
The sandboxing appliances popularly deployed today are performing well against your average "0-day" malware threat, but capabilities decline dramatically the more targeted an adversary becomes. As such, organizations are much better at stopping the generic non-targeted "Internet threats", but becoming more vulnerable to marginally tuned malware. For example, any piece of malware that requires the user to perform an action at a specific time (before it acts maliciously) is sufficient to evade detection in most cases. - Gunter Ollmann (2013)
Where We Have Failed
• Bloat: in some organizations it is typical for individual business units to have their own security staff
– …that don’t talk to each other
– …that don’t share information
– …that duplicate efforts
Where We Have Failed
• When security takes a back seat to business
What we need to change
• Security is EVERYONE’s job.
• Misalignment of security goals should be looked at as a vulnerability in itself – and dealt with accordingly
What we need to change
• Attaching real monetary value to security incidents is a key way to get the attention of the stakeholders
• Rather than being defensive – and feeling responsible – security organizations should monetize all incidents and use it as justification for program budget
What we need to change
• We often fail to inform management of something as simple as:
– Cost of the solution vs. cost associated with a security incident.
What we need to change
Executives rely on the bottom line numbers, as well as their advisors to guide their decisions. They know very little about technology and most of them don’t really care.
Speak their language. Express your concerns in dollar amounts and impact to the business.
What we need to change
~$250 per record for a DB breach
(42 states have mandatory notification laws)
If 3200 records of a database were breached…
$800,000
What we need to change
How much was that WAF?
What we need to change
• Get serious about hiring
• Stop putting bodies in chairs because somebody said we needed a body in a chair.
What we need to change
• Teamwork
• Align goals
• Share information
• Share tactics
What we need to change
• Security needs to assert itself as a fixture
• Too commonly thought of as an afterthought, or a remedy for an already bad situation
• Security needs to have the ear of the major decision makers in the company.
• The only tool for this is communication, and interaction
• Security needs to have teeth
• Back up your policy with corrective action
What we need to change
• We need to fight back.
True Preparation
• The (enemy) Attacker
1. Has no rules
2. Does not need Change Management to run Vulnerability Assessments against your people or infrastructure
3. Does not use checkbox settings in their tools to exploit your people or infrastructure
4. HAS NO RULES
Identification
• What is not working
– Reliance on automated detection
– Set it and forget it mentality
– Staffing
• How was the incident identified?
– Finding out about the compromise when you lose availability
– Being Blacklisted
– Pastebin
Identification – Immediate Action
• Assess your attacker’s capability
• Skill Level of attacker – Direct or Indirect method
• Create a dossier on your attacker
• Identify attacker’s Motive – Usage
• IP Addresses / Map this out / CIDR
Often Overlooked
• Actual – Physical Assets
• Data Value – What is on the physical asset?
• Network Connectivity – Where did the attack take place from? Was this a pivot? Is there true defense in depth?
• Target Value – Was this a crafted attack? Whose machine is this? What access does the person have? – Yes, APT again.
• What devices do you have on the network to identify the attacker?
• Ask people (end users) questions – Hey, did you guys see any weird email?
Tools I Use
• robtex.com, spokeo.com, google.com, IRC
• NMAP, Wireshark
• Network Tap
• Acevpn, External Internet
• traceroute, telnet, ssh, netstat -an, RDP
• If you are looking during an ongoing attack – Bro IDS and Splunk can be put in place quickly
• Plain pen and paper – important to use a book for each incident – this may be used for chain of custody
Containment
• What is not working
– We will just unplug the machine
– Switch to DR, which has the very same vulnerability that production had, if not more
– Re-image box and put it back into production
Flush out your attacker
• If you found a phishing email:
• Feed it some bogus info – You will need to provide at least 50 pieces of info
• Check your application logs for that very same info (fake username)
• Look at the timing – Is this automated or human?
• Are there multiple IP Addresses used or just one?
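The flush-out described on this slide, together with the earlier “IP Addresses / Map this out / CIDR” bullet, as an added worked example that is not from the talk or its authors. It assumes an application authentication log in a constructed one-line-per-event format, a constructed canary username (`jdoe.finance`) that was only ever handed to the phishing site, constructed source addresses from documentation ranges, and a two-second median gap as the threshold between scripted and hand-typed attempts; adapt the regex to your own application’s log line.

```python
"""Canary-credential hunt over an application's authentication log.

Added example, not from the talk. The log format, the canary username,
the source IPs and the 2-second automation threshold are constructed
assumptions; adapt LINE_RE to your own application's log line.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the bogus username "jdoe.finance" was one of the
# details handed to the phishing site, so any attempt to use it against
# the real application can only come from whoever collected the phish.
AUTOMATED_LOG = """\
2013-06-12T14:02:11Z 203.0.113.17 LOGIN_FAIL user=jdoe.finance ua="python-requests/1.2"
2013-06-12T14:02:12Z 203.0.113.17 LOGIN_FAIL user=jdoe.finance ua="python-requests/1.2"
2013-06-12T14:02:13Z 203.0.113.18 LOGIN_FAIL user=jdoe.finance ua="python-requests/1.2"
2013-06-12T14:02:14Z 203.0.113.19 LOGIN_FAIL user=jdoe.finance ua="python-requests/1.2"
2013-06-12T14:02:15Z 198.51.100.7 LOGIN_FAIL user=jdoe.finance ua="python-requests/1.2"
2013-06-12T14:05:41Z 192.0.2.44 LOGIN_OK user=alice ua="Mozilla/5.0"
"""

# Constructed sample of the same canary being tried by hand, minutes apart.
HUMAN_LOG = """\
2013-06-12T16:10:05Z 203.0.113.17 LOGIN_FAIL user=jdoe.finance ua="Mozilla/5.0"
2013-06-12T16:10:50Z 203.0.113.17 LOGIN_FAIL user=jdoe.finance ua="Mozilla/5.0"
2013-06-12T16:12:00Z 203.0.113.17 LOGIN_FAIL user=jdoe.finance ua="Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<event>\S+) user=(?P<user>\S+) ua="(?P<ua>[^"]*)"$'
)


def parse(log_text):
    """Turn raw lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def canary_hits(events, canaries):
    """Every event that uses a username we only ever gave to the phisher."""
    return [e for e in events if e["user"] in canaries]


def classify_timing(hits, human_floor_seconds=2.0):
    """Automated or human? Use the median gap between attempts so a single
    pause or a single burst does not decide the answer on its own."""
    if len(hits) < 2:
        return "insufficient-data"
    times = sorted(e["ts"] for e in hits)
    gaps = sorted((later - earlier).total_seconds()
                  for earlier, later in zip(times, times[1:]))
    median = gaps[len(gaps) // 2]
    return "automated" if median < human_floor_seconds else "human-paced"


def map_sources(hits, prefix=24):
    """Group source IPs into /prefix blocks so one actor's address space
    shows up as a cluster rather than a list of unrelated addresses."""
    by_net = defaultdict(set)
    for e in hits:
        net = ipaddress.ip_network(f"{e['ip']}/{prefix}", strict=False)
        by_net[str(net)].add(e["ip"])
    return {net: sorted(ips) for net, ips in by_net.items()}


def hunt(log_text, canaries):
    """Run the whole flush-out: find canary use, judge pacing, map sources."""
    hits = canary_hits(parse(log_text), canaries)
    return {
        "hits": len(hits),
        "timing": classify_timing(hits),
        "distinct_ips": len({e["ip"] for e in hits}),
        "networks": map_sources(hits),
        "user_agents": sorted({e["ua"] for e in hits}),
    }


if __name__ == "__main__":
    for label, log in (("scripted sample", AUTOMATED_LOG), ("hand-typed sample", HUMAN_LOG)):
        print(label, hunt(log, {"jdoe.finance"}))
```

The canary username is the whole trick: because it never existed, every occurrence in the log is attacker activity with no false positives to sift, which is what makes the timing and source-address questions on the slide answerable from a handful of lines. Grouping by /24 is a first approximation of the CIDR mapping; swap in the allocations you get back from whois or robtex when you build the dossier.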
Assess Attacker’s Capability
• IP Addresses used
• Determine Attacker’s potential for DDoS by IP Address space
• Time for some OSINT
• Do not be afraid to probe your attacker
• I have scanned my attacker to determine the attacker’s assets
Strike Back
• Get direct with your attacker after identification
• Go to Meat Space – email or phone call
• If you can’t be direct with the attacker then the ISP or host may be able to help
• Or maybe not…
Strike Back
• An incident occurred with intellectual property in which my client was accused of leaking
• We were provided a single website of where this was leaked to
• After determining that this did not originate from our side we were then able to turn the tables.
• Maltego was used for the target
• Spokeo was used for the target
• End result – The person who leaked this was going to receive a very interesting letter
Lessons Learned
• What is wrong
– This is often a report that is seldom read
– Focuses more on damage control
– Does not solve the issue
Lessons Learned – Immediate Action
• Intelligence gathering
• Attacker’s skillset
• Understand the motive of your attacker
• Create automated tools to identify future attacks – Robert Rowley provided an excellent example of this in his “Teach your WAF new tricks” talk
• Use OSINT to learn about similar attackers
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 

Janitor vs cleaner

13. Preparation is key
• Attackers are streamlined, efficient
– Development takes days, not weeks.
– Rapidly adapts to a changing landscape
– Laser focus
– Aren't rushed by artificial deadlines / other interests

14. Where We Have Failed
• We need to fill that position

15. Where We Have Failed
• We let the business dictate our security posture.

16. Where We Have Failed
• "Our department doesn't do 'preventative' security scanning. We only scan after the application is in production."

17. Where We Have Failed
• "We can't scan that server – it might crash."

18. Where We Have Failed
• Monitor mode

19. Where We Have Failed
• Sandboxing
"The sandboxing appliances popularly deployed today are performing well against your average "0-day" malware threat, but capabilities decline dramatically the more targeted an adversary becomes. As such, organizations are much better at stopping the generic non-targeted "Internet threats", but becoming more vulnerable to marginally tuned malware. For example, any piece of malware that requires the user to perform an action at a specific time (before it acts maliciously) is sufficient to evade detection in most cases." – Gunter Ollmann (2013)

20. Where We Have Failed

21. Where We Have Failed
• Bloat: in some organizations it is typical for individual business units to have their own security staff
– …that don't talk to each other
– …that don't share information
– …that duplicate efforts

22. Where We Have Failed
• When security takes a back seat to business

23. What we need to change
• Security is EVERYONE's job.
• Misalignment of security goals should be looked at as a vulnerability in itself – and dealt with accordingly

24. What we need to change
• Attaching real monetary value to security incidents is a key way to get the attention of the stakeholders
• Rather than being defensive – and feeling responsible – security organizations should put a dollar figure on every incident and use it as justification for the program budget

25. What we need to change
• We often fail to inform management of something as simple as:
– Cost of the solution vs. cost associated with a security incident.

26. What we need to change
Executives rely on bottom-line numbers, as well as their advisors, to guide their decisions. They know very little about technology and most of them don't really care. Speak their language. Express your concerns in dollar amounts and impact to the business.

27. What we need to change
~$250 per record for a DB breach (42 states have mandatory notification laws)
If 3200 records of a database were breached… $800,000

28. What we need to change
How much was that WAF?

29. What we need to change
• Get serious about hiring
• Stop putting bodies in chairs because somebody said we needed a body in a chair.

30. What we need to change
• Teamwork
• Align goals
• Share information
• Share tactics

31. What we need to change
• Security needs to assert itself as a fixture
• Too commonly thought of as an afterthought, or a remedy for an already bad situation
• Security needs to have the ear of the major decision makers in the company.
• The only tool for this is communication and interaction
• Security needs to have teeth
• Back up your policy with corrective action

32. What we need to change
• We need to fight back.

33. True Preparation
• The (enemy) Attacker
1. Has no rules
2. Does not need Change Management to run Vulnerability Assessments against your people or infrastructure
3. Does not use checkbox settings in their tools to exploit your people or infrastructure
4. HAS NO RULES

34. Identification
• What is not working
– Reliance on automated detection
– Set it and forget it mentality
– Staffing
• How was the incident identified?
– Finding out about the compromise when you lose availability
– Being blacklisted
– Pastebin

35. Identification Immediate Action
• Assess your attacker's capability
• Skill level of attacker
– Direct or indirect method
• Create a dossier on your attacker
• Identify attacker's motive – usage
• IP addresses / map this out / CIDR

36. Often Overlooked
• Actual – physical assets
• Data value – what is on the physical asset?
• Network connectivity – where did the attack take place from? Was this a pivot? Is there true defense in depth?
• Target value – was this a crafted attack? Whose machine is this? What access does the person have? – Yes, APT again.
• What devices do you have on the network to identify the attacker?
• Ask people (end users) questions – "Hey, did you guys see any weird email?"

37. Tools I Use
• robtex.com, spokeo.com, google.com, IRC
• NMAP, Wireshark
• Network tap
• Acevpn, external Internet
• traceroute, telnet, ssh, netstat -an, RDP
• If you are looking during an ongoing attack – Bro IDS and Splunk can be put in place quickly
• Plain pen and paper – important to use a book for each incident – this may be used for chain of custody

38. Containment
• What is not working
– We will just unplug the machine
– Switch to DR, which has the very same vulnerability that production had, if not more
– Re-image the box and put it back into production

39. Flush out your attacker
• Found a phishing email?
• Feed it some bogus info
– You will need to provide at least 50 pieces of info
• Check your application logs for that very same info (fake username)
• Look at the timing – is this automated or human?
• Are there multiple IP addresses used or just one?

40. Assess Attacker's Capability
• IP addresses used
• Determine attacker's potential for DDoS by IP address space
• Time for some OSINT
• Do not be afraid to probe your attacker
• I have scanned my attacker to determine the attacker's assets
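The procedure on slides 39 and 40 (seed the phishing page with a canary username, watch the application logs for it, judge automated vs. human from the timing, and map the source addresses to CIDR blocks) can be scripted. The following Python is an added example written for this page, not code from the talk or its authors. It assumes a hypothetical auth-log line format ("<ISO timestamp> <source IP> login <user> <SUCCESS|FAIL>"), hypothetical canary usernames (one per phishing lure, so a hit also tells you which lure was used), constructed sample log lines on RFC 5737 test addresses, and a 2-second median gap as the automation threshold. It goes one step beyond the slides: once an address is tied to a canary, it also pulls out everything else that address did, which is where the pivot onto real accounts shows up.

```python
import ipaddress
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample log lines for this example (not real data). The assumed
# format is "<ISO-8601 timestamp> <source IP> login <username> <SUCCESS|FAIL>".
SAMPLE_LOG = """\
2013-11-29T02:14:03Z 203.0.113.17 login jdoe SUCCESS
2013-11-29T02:15:11Z 203.0.113.17 login canary.hr.0042 FAIL
2013-11-29T02:15:12Z 203.0.113.21 login canary.hr.0042 FAIL
2013-11-29T02:15:13Z 203.0.113.44 login canary.hr.0042 FAIL
2013-11-29T02:15:14Z 198.51.100.9 login canary.hr.0042 FAIL
2013-11-29T02:16:40Z 198.51.100.9 login msmith FAIL
2013-11-29T03:01:22Z 203.0.113.58 login canary.fin.0007 FAIL
"""

# Hypothetical canary usernames: each one was typed into exactly one phishing
# page, so a login attempt with it tells you which lure the attacker is working.
CANARIES = {
    "canary.hr.0042": "hr-payroll-phish",
    "canary.fin.0007": "finance-invoice-phish",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+login\s+(?P<user>\S+)\s+(?P<result>SUCCESS|FAIL)$"
)

# Assumed threshold: median gap (seconds) between attempts below which we call
# the source a script rather than a person.
AUTOMATION_THRESHOLD_S = 2.0


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "ip": m["ip"], "user": m["user"], "result": m["result"]})
    return events


def timing_verdict(hits):
    """Automated vs. human, from the median gap between consecutive attempts."""
    if len(hits) < 3:
        return "insufficient data"
    times = sorted(h["ts"] for h in hits)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return "automated" if statistics.median(gaps) < AUTOMATION_THRESHOLD_S else "human"


def cidr_summary(ips, prefix=24):
    """Count distinct source addresses per /prefix block: a crude proxy for how
    much address space the attacker can bring to bear."""
    nets = Counter()
    for ip in set(ips):
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        nets[str(net)] += 1
    return dict(nets)


def build_dossier(log_text, canaries=CANARIES):
    """Correlate canary hits with their source addresses and related activity."""
    events = parse_log(log_text)
    by_canary = defaultdict(list)
    for e in events:
        if e["user"] in canaries:
            by_canary[e["user"]].append(e)

    attacker_ips = {e["ip"] for hits in by_canary.values() for e in hits}
    campaigns = {}
    for user, hits in by_canary.items():
        campaigns[canaries[user]] = {
            "attempts": len(hits),
            "distinct_ips": len({e["ip"] for e in hits}),
            "timing": timing_verdict(hits),
            "networks": cidr_summary(e["ip"] for e in hits),
        }

    # Everything else those addresses touched: attempts on real accounts,
    # successful logins, etc. This is the pivot you are looking for.
    related = [e for e in events if e["ip"] in attacker_ips and e["user"] not in canaries]
    return {
        "campaigns": campaigns,
        "attacker_ips": sorted(attacker_ips, key=ipaddress.ip_address),
        "networks": cidr_summary(attacker_ips),
        "related_activity": related,
    }


if __name__ == "__main__":
    import json

    dossier = build_dossier(SAMPLE_LOG)
    dossier["related_activity"] = [
        f'{e["ts"].isoformat()} {e["ip"]} {e["user"]} {e["result"]}'
        for e in dossier["related_activity"]
    ]
    print(json.dumps(dossier, indent=2))
```

On the constructed sample, the HR canary is replayed from four addresses one second apart, so the verdict is "automated"; the finance canary has a single hit, so the script refuses to guess. The networks summary shows four distinct addresses in 203.0.113.0/24 and one in 198.51.100.0/24, and the related-activity list surfaces a successful login to a real account (jdoe) from a canary-linked address, which is the first thing to chase.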
41. Strike Back
• Get direct with your attacker after identification
• Go to meatspace – email or phone call
• If you can't be direct with the attacker, then the ISP or host may be able to help
• Or maybe not…

42. Strike Back
• An incident occurred in which my client was accused of leaking intellectual property
• We were provided a single website where this was leaked to
• After determining that this did not originate from our side, we were then able to turn the tables.
• Maltego was used for the target
• Spokeo was used for the target
• End result – the person who leaked this was going to receive a very interesting letter

43. Lessons Learned
• What is wrong
– This is often a report that is seldom read
– Focuses more on damage control
– Does not solve the issue

44. Lessons Learned Immediate Action
• Intelligence gathering
• Attacker's skillset
• Understand the motive of your attacker
• Create automated tools to identify future attacks
– Robert Rowley provided an excellent example of this in his "Teach your WAF new tricks" talk
• Use OSINT to learn about similar attackers

Editor's Notes

1. In theory one would use PICERL for Incident Response. During an active attack one cannot follow a flowchart or particular order.
2. ---START HERE--
3. Marketing – Phishing | Grey market; Operations – Botnets; Development – Days | Weeks, not months; Accounting – $PROFIT; HR – Recruitment
4. Attacker will wait for the day after Thanksgiving – it ain't Xmas.