Think Like a Hacker: Using Network Analytics and Attack Simulation to Find and Fix Security Gaps

If you’re tasked with keeping your enterprise network infrastructure secure against cyber attacks, then you’d better start thinking like a hacker. Do you know what your network looks like? Where are all the access points? Can you create a short list of the most vital vulnerabilities a hacker could exploit? And how long does it take you to get this info? Days? Weeks? Never?
In this webcast, we will discuss a practical game plan to continuously monitor your cyber security status and proactively fix concerns before they become a data breach or attack. Learn how to minimize risks by combining a detailed understanding of your network topology, cyber threats, and likely attack scenarios with everyday security management processes. This webcast is appropriate for firewall and network administrators, IT security managers, and CISOs in medium to large business and government agencies.

We will examine:

• Network mapping – How to create a virtual network model to use for security architecture planning and policy compliance checks

• Access analysis – Ways to identify all network access routes, to block unauthorized access and quickly troubleshoot network availability issues

• Securing the perimeter – Enable daily checks of firewalls and network devices to keep them configured securely

• Attack simulation – Find and fix the vulnerabilities most likely to be used in an attack – every day

Published in: Technology
Transcript

  • 1. Think Like a Hacker: Using Network Analytics and Attack Simulation to Find and Fix Security Gaps • Michelle Johnson Cobb • VP, Marketing and BD • March 15, 2012 • SANS webcast © 2012 Skybox Security
  • 2. Skybox Security Overview. Leading Security Risk Management Solutions • Automated Firewall Management • Continuous Network Compliance • Risk and Vulnerability Management. Unique, High-Performance Technology • Network Modeling • Access Path Analysis • Attack Simulation. Proven in Demanding Network Environments • 6 of the top 10 banks, 5 of the 10 largest NATO members • Financial Services, Retail, Energy, Government, Defense, Telecommunications, Manufacturing, Technology © 2012 Skybox Security 2
  • 3. Preventing Attacks is not Trivial • 300 firewalls • 25,000 rules • 250 routers/gateways • 55,000 nodes • 65 daily network changes • 10,000 daily reported vulnerabilities • Infrastructure spanning three continents © 2012 Skybox Security 3
  • 4. First… Think Like a Hacker. Pre-Attack Reconnaissance? Or Find and Fix to Prevent Attack? • Gather info on network topology • Find access paths • Find exploitable vulnerabilities • Try out attack scenarios. Hacker toolkit: Wireshark, nmap, netcat, Snort, Google, John the Ripper, etc. Security Manager toolkit: Nessus, … © 2012 Skybox Security 4
  • 5. Building a Network Model. Gather info on network topology: automatically import data from network devices and management systems (Firewall, Router, Load Balancer, IPS, Vulnerability Scanner, Patch) © 2012 Skybox Security 5
  • 6. Feeding the Network Model. Gather info on network topology: it must be imported, normalized, correlated © 2012 Skybox Security 6
  • 7. How is the Model Created? Gather info on network topology • Import topology data: device configs, routing tables • Automatically create a hierarchical model tree, grouping hosts by TCP/IP network • Add function, location, type • Analyze model to detect missing info – hosts, ACLs, routing rules for gateways © 2012 Skybox Security 7
  • 8. Comprehensive Network Model. Gather info on network topology • Normalized view of the network security situation • Visualize entire network • Updated continuously • 3 models: Live, Forensic, and What-if © 2012 Skybox Security
  • 9. Virtual “Sandbox” for Complex Security Analysis • Analyze access paths • Prioritize exposed vulnerabilities • Find device misconfigurations © 2012 Skybox Security
  • 10. Now - Check the Firewalls! Find access paths • Analyze firewall rule base against policies/best practices (NIST, PCI…) • Identify risky rules • Uniform policy for all firewalls
  • 11. Access Analyzer Finds all Paths. Find access paths • Complete end-to-end path analysis • Highlighting ACLs and routing rules • Supports NAT, VPN, dynamic routing and authenticated rules
  • 12. Determine Rules Allowing Access. Find access paths • Find blocking or allowing devices • Show rules involved • View routes
  • 13. Check for Access Policy Violations. Find access paths • Define what is allowed, limited and denied between Security Zones • Compliance metrics • Violating rules • Exceptions • Multiple policies • Dashboard
  • 14. Exploitable Vulnerabilities? Start with the scan… Find exploitable vulnerabilities • CVE 2009-203 • CVE 2006-722 • CVE 2006-490
  • 15. Add Skybox Vulnerability Dictionary Content. Find exploitable vulnerabilities • Collects vulnerability data from multiple sources (scanners, published repositories, threat feeds) • Represents vulnerabilities in a standard format • Adds severity, degree of difficulty, commonality of exploit and attack impact (CIA) • Models pre-conditions for exploitation – used in attack simulation © 2012 Skybox Security 15
  • 16. Look at Potential Threat Origins. Find exploitable vulnerabilities • CVE 2009-203 • CVE 2006-722 • CVE 2006-490. Threat origins: Rogue Admin, Internet Hacker, Compromised Partner
  • 17. Simulate all Possible Attacks. Find exploitable vulnerabilities • CVE 2009-203 • CVE 2006-722 • CVE 2006-490. Threat origins (Rogue Admin, Internet Hacker, Compromised Partner) feed the Attack Simulations
  • 18. How Attack Simulation Works. Connectivity path: probable attack vector to the Finance servers asset group. This attack is a “multi-step” attack, crossing several network zones • Business Impact • Attack Vector • How to block the potential attack? © 2012 Skybox Security
  • 19. Quantify and Prioritize Risks. Risk = Vulnerability (CVSS Score & CIA Impact) + Exposure (Threat Origins & Network) + Business Impact (CIA Impact and Asset Importance), combined through {Attack Simulation}
  • 20. Plan Defensive Strategy. Most critical: Vulnerabilities • Threats • Actions © 2012 Skybox Security
  • 21. Skybox Security Portfolio • Firewall Assurance: automated firewall analysis and audits • Network Assurance: network compliance and access path analysis • Risk Control: identify exposed vulnerabilities • Change Manager: complete firewall change workflow • Threat Manager: workflow to address new threats © 2012 Skybox Security 21
  • 22. Remote Buffer Overflow Attack Steps: 1. Buffer overflow vulnerability MS11-004 on FTP server in DMZ 2. Exploit to gain root control on the FTP server 3. FTP server trust relations with DNS server in core network 4. DNS server running FreeBSD has BIND vulnerability – enables control of DNS server 5. Finance server compromised. Significant damage or data loss
  • 23. Prevent a Buffer Overflow Attack • Skybox Risk Control identifies attack paths • Attack simulation reveals a small number of exposed vulnerabilities • Skybox issues urgent ticket request to patch the FTP server • Security team patches a single vulnerability to block potential attack and reduce high risk of Financial Server compromise © 2012 Skybox Security 23
  • 24. Firewall Bypass Attack Steps: 1. DMZ firewall allowed access through TCP port 443 to internal network (which might be okay) 2. A misconfigured load balancer rule performed NAT to TCP port 80 3. Allowing port 80 access to the development network – a very risky situation © 2012 Skybox Security 24
  • 25. Preventing the Firewall Bypass Attack • Skybox Firewall Assurance automatically finds risky rules and configs in firewalls • Skybox Network Assurance creates an up-to-date network model and checks the rest of the layer 3 devices – load balancers, switches, routers • Skybox checks policy rules such as: “No access from Internet to Internal except …” • End-to-end access path analysis – every possible path • Skybox issues tickets to address violations reported
  • 26. Client-Side Attack Steps: User opens infected email attachment or clicks link to a malicious or hacked website. A vulnerability or misconfig on desktops is exploited and malware is installed. Malware enables attacker to collect data from machine, continue attack within the network, and send data back to attacker. Source: SANS Tutorial: HTTP Client-side Exploit
  • 27. Preventing a Client-Side Attack • EMEA region at highest risk • Retrieve exact list of vulnerable hosts • Remediate in order of risk impact • Adobe Reader 9.x and 8.x contribute the majority of the risk (76%)
  • 28. Best Practices to Prevent Attacks • Get the comprehensive network view • Find security gaps every day • Prioritize by risk level • Validate changes in advance • Automate security processes © 2012 Skybox Security 28
  • 29. Time for Questions. Thank You! www.skyboxsecurity.com © 2012 Skybox Security
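An added example, written for this transcript and not Skybox code, of the end-to-end access path analysis with NAT support and the zone policy check described on slides 11 to 13, applied to the load balancer bypass of slides 24 and 25; the two-device path, addresses, zones and policy are constructed assumptions.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed sample zones and zone policy (assumptions for this example, not Skybox data).
ZONES = {"DMZ": ip_network("203.0.113.0/24"), "Dev": ip_network("10.20.0.0/16")}
POLICY = {("Internet", "DMZ"): {443}, ("Internet", "Dev"): set()}  # allowed dst ports per zone pair
# action "allow"/"deny"; src/dst are CIDRs; dport None = any; nat_to = (new dst ip, new dst port) or None
Rule = namedtuple("Rule", "action src dst dport nat_to", defaults=(None, None))

def zone_of(ip):
    addr = ip_address(ip)
    return next((z for z, n in ZONES.items() if addr in n), "Internet")

def matches(rule, src, dst, port):
    return (ip_address(src) in ip_network(rule.src) and ip_address(dst) in ip_network(rule.dst)
            and rule.dport in (None, port))

def trace(devices, src, dst, port):
    """First-match walk through each (name, rules) device on the path; a NAT rule rewrites the
    destination for the remaining hops. Returns (reached, hop_names, final_dst, final_port)."""
    hops = []
    for name, rules in devices:
        for r in rules:
            if matches(r, src, dst, port):
                hops.append(name)
                if r.action == "deny":
                    return False, hops, dst, port
                if r.nat_to:
                    dst, port = r.nat_to
                break
        else:
            return False, hops, dst, port  # no rule matched: implicit deny
    return True, hops, dst, port

def policy_violations(devices, src, dst, port):
    """Check the post-NAT endpoint of a reachable flow against the zone policy."""
    reached, hops, fdst, fport = trace(devices, src, dst, port)
    pair = (zone_of(src), zone_of(fdst))
    if reached and pair in POLICY and fport not in POLICY[pair]:
        return [f"{pair[0]}->{pair[1]} port {fport} via {' > '.join(hops)}"]
    return []

# Slide 24 scenario: the firewall permits 443 to the DMZ VIP, but a load balancer rule NATs it to port 80 on a dev host.
FIREWALL = ("dmz-fw", [Rule("allow", "0.0.0.0/0", "203.0.113.10/32", 443), Rule("deny", "0.0.0.0/0", "0.0.0.0/0")])
LOAD_BALANCER = ("lb-1", [Rule("allow", "0.0.0.0/0", "203.0.113.10/32", 443, ("10.20.0.5", 80)),
                          Rule("allow", "0.0.0.0/0", "0.0.0.0/0")])
PATH = [FIREWALL, LOAD_BALANCER]
# Remediation candidate: NAT the VIP to a DMZ host on the permitted port instead, which clears the violation.
FIXED_PATH = [FIREWALL, ("lb-1", [Rule("allow", "0.0.0.0/0", "203.0.113.10/32", 443, ("203.0.113.20", 443))])]
```

Running `policy_violations(PATH, "198.51.100.7", "203.0.113.10", 443)` reports the Internet-to-Dev port 80 path through both devices, while the same check on `FIXED_PATH` returns no violations.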