Anticipate and Prevent Cyber Attack Scenarios, Before They Occur

Presented at ISSA Cornerstones of Trust June 6, 2012.

No one wants to be the next cyber casualty. Collectively, organizations spend an enormous amount of resources deploying and managing security solutions to block malware, protect data, and keep critical business services operating.
Yet most organizations remain inadequately protected against evolving and dangerous cyber threats. In this session, we will learn to recognize common network attack scenarios and mitigate the combination of misconfigurations, vulnerabilities, access policy violations and other security gaps that can be exploited by sophisticated attackers.

High-profile breaches at Epsilon, Sony, and other enterprise and government networks have dominated the news lately, raising awareness of the need to design effective security strategies against sophisticated attacks and advanced persistent threats (APTs). Many companies struggle with where to begin to develop an effective plan of cyber defense.

During this session we will walk the audience through several attack scenarios using a visual attack explorer tool, highlighting the combination of security gaps that are often used and how to prevent them. Network modeling, vulnerability analysis, access path analysis, and attack simulation will all be introduced and we will show how these analytical tools can be used to quickly and automatically find exposed areas of a network.

Presentation Transcript

  • Gidi Cohen, CEO and Founder, Skybox Security, Inc. (Presenter: Gidi Cohen. Content Copyright ©2012 Skybox Security, Inc.)
  • Why can’t we curb the threat?
  • The Network Complexity Challenge. Enterprise network:
    • 55,000 nodes
    • 300 firewalls
    • 25,000 rules
    • 65 network changes/day
    • 10,000 daily reported vulnerabilities
  • Heterogeneous Networks are the Norm
  • Vulnerabilities and Threats Abound (word cloud of recurring security gaps: buffer attacks, blocked rules, misconfigured firewalls, USBs, policy violations, social networks, missing IPS signatures, asset vulnerabilities, default passwords, threat origins, access violations)
  • Every Organization Feels the Pain. 88% of organizations experienced significant damage or disruption due to attacks or data breaches in the past six months. (Chart of reported consequences: service down, 60.0%; misuse or unauthorized access to information, 35.0%; data breach of customer or confidential records, 20.0%; damage to information systems or data, 18.3%; none, 10.0%; damage to brand (e.g. hacktivism), 6.7%; minor web DoS attack, 1.7%)
  • Vulnerability Management Program Key for Risk Reduction. Most respondents see their VM program as a key to reduce risk level and respond to threats. (Bar chart of reasons, rated on a 0.0–4.5 scale: to reduce our security risk level; to proactively prevent threats before they happen; to respond to new threats; to provide an accurate assessment of our security status; to meet compliance requirements; to prioritize and minimize patching costs)
  • Vulnerability Scans – Too Little, Too Late: Frequency and Coverage. (Chart of scan frequency per year against % of network scanned. Where you need to be: daily updates, 90%+ of hosts. Critical systems, DMZ: avg. scan every 30 days, 50-75% of hosts. Partner/external networks: avg. scan every 60-90 days, <50% of hosts.)
  • Vulnerability Scanning: Not Effective. Reasons given:
    • We are concerned about disruptions from scanning: 59%
    • We don’t have the resources to analyze more frequent scan data: 58%
    • We don’t have the resources to deal with broader patching activity: 41%
    • Some hosts are not scannable due to their use: 34%
    • The cost of licenses is prohibitive: 29%
    • Unable to gain credentialed access to scan portions of the network: 12%
    • We just don’t need to scan more: 5%
  • Old Gen Tech – Can’t Keep Up
    • Vulnerability Scanners (too much data): disruptive to the network; not suitable for daily operations; irrelevant for the Internet of Things
    • Security Information & Event Management (SIEM) (reactive): real-time is too late; lacks context to deal with incidents
    • Network Configuration Management (limited): config management, not security view; no holistic view of network security
  • Security is Unmanageable: Painful, Costly, Reactive
    • Unable to keep pace with network changes, new services → damaging attacks, business disruption, loss of IP
    • Compliance reporting consumes scarce resources → inefficient processes, escalating management costs
  • It’s going to get a lot worse (Mobile, Virtualization, Clouds)
  • The Security Management Gap is Widening Fast (chart, 2009–2014: security challenges rising against ability to execute)
    • BYOD and BYOC the new norm
    • Virtual servers now 50% of deployments
    • Security programs can’t keep up
    • Can you achieve a 16X improvement in 4 years? How?
  • Many Attacks, Similar Root Causes
    • Data Breach, Cyber Theft, Hacktivism. Attack techniques: buffer overflow; SQL injection, RFI, XSS; DDoS; client-side attack; insiders. Contributing factors: known vulnerabilities, policy compliance, device misconfigurations
    • Espionage, Cyber Crime. Attack technique: APT combining known and zero-day vulnerabilities, social engineering, custom malware. Contributing factors: vulnerabilities, policy compliance
    • Unauthorized Access, Stepping stone. Attack techniques: firewall bypass, stolen credentials. Contributing factors: firewall misconfiguration, vulnerabilities, policy compliance
  • The Missing Piece: Security Risk Management
    • Holistic visibility of the IT infrastructure: networks, routers, firewalls, …; end points – servers, desktops, virtual machines, mobile; cloud and virtualization infrastructure
    • Predictive security analytics: cyber attack simulation – APT, malicious code; network security analysis – firewalls, network path analysis; security metrics
    • Cost saving, integrated into daily operations: proactive, automated operation; scale to any environment; integrated with existing infrastructure
  • Future Architecture of Security Management (diagram): a SOC Console sits above two complementary systems. Security Risk Management (SRM) handles proactive, pre-attack exposure management and is fed by patch management, vulnerability scanners, asset management, threat intelligence, network & security configs, and mobile device management. Security Information & Event Management (SIEM) handles post-attack incident management and is fed by a lot of logs, events, and network traffic.
  • Proactive Security Risk Management prevents attacks
  • Elements of a Predictive Approach
    • Situational Awareness – Where are we right now? Contextual and current data; network context – configuration, controls, policies; vulnerability data; threat data
    • Analytics – Where are the biggest risks? Network modeling; access paths; risk analysis; threat impact
    • Operational – What should we do to prevent? Must improve and simplify daily security activities or why bother; actionable intelligence; secure change management process
  • Situational Awareness Using a Network Model (diagram of modeled devices: firewall, router, load balancer, IPS, vulnerability scanner, patch)
  • How is the Model Created?
    • Gather info on network topology: import topology data – device configs, routing tables
    • Automatically create a hierarchical model tree, grouping hosts by TCP/IP network
    • Add function, location, type
    • Analyze model to detect missing info – hosts, ACLs, routing rules for gateways
  • Network Model Enables Analytics: normalized view of the network security situation; visualize entire network; updated continuously; multiple models (sandboxes): Live, Forensic, and What-if
  • Network Path Analysis: complete end-to-end path analysis, highlighting ACLs and routing rules; supports NAT, VPN, dynamic routing and authenticated rules
  • Find Exploitable Vulnerabilities (diagram: vulnerabilities CVE 2009-203, CVE 2006-722, CVE 2006-490 against threat origins Rogue Admin, Internet Hacker, Compromised Partner)
  • Simulate all Possible Attacks (same diagram, with attack simulations run from each threat origin, Rogue Admin, Internet Hacker and Compromised Partner, against CVE 2009-203, CVE 2006-722, CVE 2006-490)
  • Proactive Intelligence to Prevent Attack (screenshot of a connectivity path showing the probable attack vector to the Finance servers asset group). This attack is a “multi-step” attack, crossing several network zones. Panels: Business Impact, Attack Vector, How to Block Potential Attack? (© 2012 Skybox Security)
  • Quantify and Prioritize Risks. Risk = Vulnerability (CVSS score & CIA impact) × Exposure (threat origins & network) × Business Impact (CIA impact and asset importance), with the exposure term supplied by attack simulation
  • Plan Defensive Strategy: Most Critical Actions (diagram relating vulnerabilities and threats)
  • Example Attack Scenarios
  • Attack Vector w/ Network Propagation – Remote Code Execution
    1. Buffer overflow vulnerability MS11-004 on FTP server in DMZ
    2. Exploit to gain root control on the FTP server
    3. FTP server trust relations with DNS server in core network
    4. DNS server running FreeBSD has BIND vulnerability – enables control of DNS server
    5. Finance server compromised. Significant damage or data loss
  • Prevent a Buffer Overflow Attack
    • Identifies all potential attack paths
    • Attack simulation reveals a small number of exposed vulnerabilities
    • Issue an urgent request to patch the FTP server
    • Security team patches a single vulnerability to block potential attack and reduce high risk of Financial Server compromise
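The attack simulation and the risk product (Vulnerability × Exposure × Business Impact) from the slides above, worked through on a toy model of the FTP → DNS → Finance chain. This is an added example, not Skybox code; the host names, the vulnerability ids other than MS11-004, the severities and the exposure definition (share of simulated paths crossing a host) are constructed assumptions.

```python
"""Attack-path simulation over a small network model: an added example for the
buffer-overflow scenario and the risk formula above, not Skybox code."""
from collections import deque

# Constructed model: which vulnerabilities give control of a host, and which
# hosts it can reach once compromised (trust relations, permitted access).
HOSTS = {
    "internet": {"vulns": [], "reaches": ["ftp-dmz", "web-dmz"]},
    "web-dmz":  {"vulns": ["WEB-RFI"], "reaches": ["ftp-dmz"]},     # hypothetical id
    "ftp-dmz":  {"vulns": ["MS11-004"], "reaches": ["dns-core"]},   # step 1 of the scenario
    "dns-core": {"vulns": ["BIND-RCE"], "reaches": ["finance"]},    # hypothetical id
    "finance":  {"vulns": ["APP-AUTH"], "reaches": []},             # hypothetical id
}
SEVERITY = {"WEB-RFI": 6.8, "MS11-004": 9.3, "BIND-RCE": 7.5, "APP-AUTH": 5.0}  # CVSS-like
IMPORTANCE = {"finance": 10.0}          # business impact of the target asset

def attack_paths(model, origin, target, patched=frozenset()):
    """All simple paths by which an attacker at origin can reach target.
    A host is entered only if it still has an unpatched vulnerability."""
    paths, queue = [], deque([(origin, [origin])])
    while queue:
        host, path = queue.popleft()
        if host == target:
            paths.append(path)
            continue
        for nxt in model[host]["reaches"]:
            if nxt not in path and any(v not in patched for v in model[nxt]["vulns"]):
                queue.append((nxt, path + [nxt]))
    return paths

def blocking_patches(model, origin, target):
    """Vulnerabilities whose patch alone removes every attack path."""
    vulns = {v for h in model.values() for v in h["vulns"]}
    return sorted(v for v in vulns if not attack_paths(model, origin, target, {v}))

def risk(model, origin, target):
    """Risk per vulnerability = severity x exposure x business impact; exposure
    is the share of simulated attack paths that pass through the host."""
    paths = attack_paths(model, origin, target)
    scores = {}
    for host, data in model.items():
        exposure = sum(host in p for p in paths) / len(paths) if paths else 0.0
        for v in data["vulns"]:
            scores[v] = round(SEVERITY[v] * exposure * IMPORTANCE[target], 1)
    return scores

if __name__ == "__main__":
    print(attack_paths(HOSTS, "internet", "finance"))
    print(blocking_patches(HOSTS, "internet", "finance"), risk(HOSTS, "internet", "finance"))
```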
  • Attack Vector w/ Network Propagation – Firewall Bypass. Attack steps:
    1. DMZ firewall allowed access through TCP port 443 to internal network (which might be okay)
    2. A misconfigured load balancer rule performed NAT to TCP port 80
    3. Allowing port 80 access to the development network – a very risky situation
  • Preventing a Firewall Bypass Attack
    • Automatically assess configurations of firewalls, load balancers, IPS devices, and routers
    • Create an up-to-date network model
    • Check policy rules such as: “No access from Internet to Internal except …”
    • End-to-end access path analysis – every possible path
    • Issue tickets to address violations in order of impact to business
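The end-to-end access path check the firewall-bypass slides call for, shown as an added example rather than Skybox code: the firewall alone judges the Internet → DMZ:443 flow acceptable, and only following the load balancer’s NAT hop reveals that the flow really terminates on a development host on port 80, which the policy forbids. The address plan, rule base, NAT entry and policy exceptions are constructed assumptions.

```python
"""End-to-end access path check through a DMZ firewall and a NAT-ing load
balancer: an added example for the firewall-bypass scenario above, not
Skybox code. The address plan, rules, NAT entry and policy are constructed."""
import ipaddress

ZONES = {"internet": "0.0.0.0/0", "dmz": "10.1.0.0/24", "dev": "10.2.0.0/24"}
FIREWALL = [  # DMZ firewall; first match wins, evaluated on the pre-NAT packet
    {"src": "internet", "dst": "dmz", "dport": 443, "action": "allow"},
    {"src": "internet", "dst": "dev", "dport": None, "action": "deny"},
]
LB_NAT = {("10.1.0.10", 443): ("10.2.0.20", 80)}  # the misconfigured rule: VIP:443 -> dev:80
INTERNAL_ZONES = {"dev"}
POLICY_EXCEPTIONS = set()   # "No access from Internet to Internal except ..." (none granted)

def zone_of(ip):
    """Most specific zone containing ip; 0.0.0.0/0 is the Internet catch-all."""
    addr = ipaddress.ip_address(ip)
    matches = [(ipaddress.ip_network(net).prefixlen, zone) for zone, net in ZONES.items()
               if addr in ipaddress.ip_network(net)]
    return max(matches)[1]

def firewall_allows(src_zone, dst_ip, dport):
    """First-match evaluation of the rule base, with implicit deny at the end."""
    for rule in FIREWALL:
        if rule["src"] == src_zone and rule["dst"] == zone_of(dst_ip) \
                and rule["dport"] in (None, dport):
            return rule["action"] == "allow"
    return False

def trace_access(src_ip, dst_ip, dport):
    """Follow one flow hop by hop and judge the end-to-end result against
    policy, so a NAT that re-targets an allowed flow is caught."""
    src_zone, hops = zone_of(src_ip), []
    if not firewall_allows(src_zone, dst_ip, dport):
        return {"hops": hops, "reaches": None, "violation": False}
    hops.append(f"firewall: {src_zone} -> {zone_of(dst_ip)}:{dport} allowed")
    real_ip, real_port = LB_NAT.get((dst_ip, dport), (dst_ip, dport))
    if (real_ip, real_port) != (dst_ip, dport):
        hops.append(f"load balancer NAT: {dst_ip}:{dport} -> {real_ip}:{real_port}")
    end_zone = zone_of(real_ip)
    violation = (src_zone == "internet" and end_zone in INTERNAL_ZONES
                 and (end_zone, real_port) not in POLICY_EXCEPTIONS)
    return {"hops": hops, "reaches": (end_zone, real_ip, real_port), "violation": violation}

if __name__ == "__main__":
    print(trace_access("203.0.113.5", "10.1.0.10", 443))  # Internet -> VIP:443 lands on dev:80
```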
  • Wide Attack Surface Exposes Client-Side Attack Vectors: user opens infected email attachment or clicks link to a malicious or hacked website → a vulnerability or misconfig on desktops is exploited and malware is installed → malware enables attacker to collect data from machine, continue attack within the network, and send data back to attacker. Source: SANS Tutorial: HTTP Client-side Exploit
  • Preventing a Client-Side Attack (risk report): EMEA region at highest risk; Adobe Reader 9.x and 8.x contribute the majority of the risk (76%); retrieve exact list of vulnerable hosts; remediate in order of risk impact
  • Reinvent your Security Program
    • Add proactive security tools now: situational awareness; predictive
    • Use the Force, Luke! Risk-based analytics; decision support
    • Set the bar really high: unbelievable scale; adapt to new architectures
  • Thank you. Gidi Cohen, CEO, Founder – info@skyboxsecurity.com, +1 (408) 441-8060. Disclaimer: The views and opinions expressed during this conference are those of the speakers and do not necessarily reflect the views and opinions held by the Information Systems Security Association (ISSA), the Silicon Valley ISSA, the San Francisco ISSA or the San Francisco Bay Area InfraGard Members Alliance (IMA). Neither ISSA, InfraGard, nor any of its chapters warrants the accuracy, timeliness or completeness of the information presented. Nothing in this conference should be construed as professional or legal advice or as creating a professional-customer or attorney-client relationship. If professional, legal, or other expert assistance is required, the services of a competent professional should be sought.