Think Like a Hacker: Using Network Analytics and Attack Simulation to Find and Fix Security Gaps


Published on

If you’re tasked with keeping your enterprise network infrastructure secure against cyber attacks, then you’d better start thinking like a hacker. Do you know what your network looks like? Where are all the access points? Can you create a short list of the most vital vulnerabilities a hacker could exploit? And how long does it take you to get this info? Days? Weeks? Never?
In this webcast, we will discuss a practical game plan to continuously monitor your cyber security status and proactively fix concerns before they become a data breach or attack. Learn how to minimize risks by combining a detailed understanding of your network topology, cyber threats, and likely attack scenarios with everyday security management processes. This webcast is appropriate for firewall and network administrators, IT security managers, and CISOs in medium to large business and government agencies.

We will examine:

• Network mapping – How to create a virtual network model to use for security architecture planning and policy compliance checks

• Access analysis – Ways to identify all network access routes , to block unauthorized access and quickly troubleshoot network availability issues

• Securing the perimeter – Enable daily checks of firewalls and network devices to keep them configured securely

• Attack simulation – Find and fix the vulnerabilities most likely to be used in an attack – every day

Published in: Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Think Like a Hacker: Using Network Analytics and Attack Simulation to Find and Fix Security Gaps

  1. 1. Think Like a Hacker: Using Network Analytics and AttackSimulation to Find and Fix Security Gaps • Michelle Johnson Cobb • VP, Marketing and BD • March 15, 2012 • SANS webcast © 2012 Skybox Security
  2. 2. Skybox Security OverviewLeading Security Risk Management Solutions • Automated Firewall Management • Continuous Network Compliance • Risk and Vulnerability Management Unique, High-Performance Technology • Network Modeling • Access Path Analysis • Attack Simulation Proven in Demanding Network Environments • 6 of the top 10 banks, 5 of the 10 largest NATO members • Financial Services, Retail, Energy, Government, Defense, Retail, Telecommunications, Manufacturing, Technology © 2012 Skybox Security 2
  3. 3. Preventing Attacks is not Trivial • 300 firewalls • 25,000 rules • 250 routers/gateways • 55,000 nodes • 65 daily network changes • 10,000 daily reported vulnerabilities • Infrastructure spanning three continents © 2012 Skybox Security 3
  4. 4. First… Think Like a Hacker Pre-Attack Gather info on Or Find and Fix to network topologyReconnaissance? Prevent Attack? Find access paths Find exploitable vulnerabilities Hacker toolkit: Security Manager Wireshark, nmap, toolkit: Nessus, netcat, Try out attack Snort, Google, John scenarios the Ripper, etc. © 2012 Skybox Security 4
  5. 5. Building a Network Model Gather info on network topology Automatically import data from network devices, management systemsFirewall Router Load IPS Vulnerability Patch Balancer Scanner © 2012 Skybox Security 5
  6. 6. Feeding the Network Model Gather info on network topologyMust be imported, normalized, correlated © 2012 Skybox Security 6
  7. 7. How is the Model Created? Gather info on network topology• Import topology data • Device configs • Routing tables• Automatically create a hierarchical model tree, grouping hosts by TCP/IP network• Add function, location, type• Analyze model to detect missing info – hosts, ACLs, routing rules for gateways © 2012 Skybox Security 7
  8. 8. Comprehensive Network Model Gather info on network topology • Normalized view of the network security situation • Visualize entire network • Updated continuously • 3 models: Live, Forensic, and What-if © 2012 Skybox Security
  9. 9. Virtual “Sandbox” for Complex Security Analysis Analyze access paths Prioritize exposed vulnerabilitiesFind devicemisconfigurations © 2012 Skybox Security
  10. 10. Now - Check the Firewalls! Find access paths• Analyze firewall rule base against policies/best practices (NIST, PCI…)• Identify risky rules• Uniform policy for all firewalls
  11. 11. Access Analyzer Finds all Paths Find access paths• Complete End-to- End path analysis• Highlighting ACL’s and routing rules• Supports NAT, VPN, Dynamic Routing and Authenticated rules
  12. 12. Determine Rules Allowing Access Find access paths• Find blocking or allowing devices• Show rules involved• View routes
  13. 13. Check for Access Policy Violations Find access paths• Define what is allowed, limited and denied between Security Zones• Compliance Metrics• Violating Rules• Exceptions• Multiple policies• Dashboard
  14. 14. Exploitable Vulnerabilities?Start with the scan… Find exploitable Vulnerabilities • CVE 2009-203 vulnerabilities • CVE 2006-722 • CVE 2006-490
  15. 15. Add Skybox Vulnerability Dictionary Content Find exploitable vulnerabilities• Collects vulnerability data from multiple sources (scanners, published repositories, threat feeds)• Represent vulnerabilities in standard format• Adds severity, degree of difficulty, commonality of exploit and attack impact (CIA)• Models pre-conditions for exploitation – used in attack simulation © 2012 Skybox Security 15
  16. 16. Look at Potential Threat Origins Find exploitable Vulnerabilities • CVE 2009-203 vulnerabilities • CVE 2006-722 • CVE 2006-490 Rogue AdminInternetHacker Compromised Partner
  17. 17. Simulate all Possible Attacks Find exploitable Vulnerabilities • CVE 2009-203 vulnerabilities • CVE 2006-722 • CVE 2006-490 Rogue AdminInternetHacker Attack Compromised Simulations Partner
  18. 18. How Attack Simulation WorksConnectivity Path Probable attack vector to Finance servers asset group This attack is a “multi-step” attack, crossing several network zones Business Impact Attack Vector How to Block Potential Attack? © 2012 Skybox Security
  19. 19. Quantify and Prioritize Risks Vulnerability (CVSS Score & CIA Impact) + Exposure (Threat Origins & Network) + Business Impact (CIA Impact and Asset Importance) {Attack Simulation} Risk
  20. 20. Plan Defensive Strategy Most Critical ActionsVulnerabilities Threats © 2012 Skybox Security
  21. 21. Skybox Security PortfolioFirewall Assurance Network Assurance Risk Control Automated firewall Network compliance and Identify exposedanalysis and audits access path analysis vulnerabilities Change Manager Threat Manager Complete firewall Workflow to address change workflow new threats © 2012 Skybox Security 21
  22. 22. Remote Buffer Overflow Attack Steps1. Buffer overflow vulnerability MS11-004 on FTP server in DMZ2. Exploit to gain root control on the FTP server3. FTP server trust relations with DNS server in core network4. DNS server running Free BSD has BIND vulnerability - enables control of DNS server5. Finance server compromised. Significant damage or data loss
  23. 23. Prevent a Buffer Overflow Attack • Skybox Risk Control identifies attack pathsBuffer Overflow Attack • Attack simulation reveals a small number of exposed vulnerabilities • Skybox issues urgent ticket request to patch the FTP server • Security team patches a single vulnerability to block potential attack and reduce high risk of Financial Server compromise © 2012 Skybox Security 23
  24. 24. Firewall Bypass Attack Steps 1. DMZ firewall allowed access through TCP portFirewall Bypass 443 to internal network (which might be okay) 2. A misconfigured load balancer rule performed NAT to TCP port 80 3. Allowing port 80 access to the development network – a very risky situation © 2012 Skybox Security 24
  25. 25. Preventing the Firewall Bypass Attack• Skybox Firewall Assurance automatically finds risky rules and configs in firewalls• Skybox Network Assurance creates up-to-date network model and checks rest of layer 3 devices - load balancers, switches, routers• Skybox checks policy rules such as: “No access from Internet to Internal except …”• End-to-end access path analysis – every possible path• Skybox issues tickets to address violations reported
  26. 26. Client-Side Attack Steps User opens infected email attachment or clicks link to a A vulnerability or misconfig malicious or hacked website on desktops is exploited and malware is installedMalware enables attackerto collect data frommachine, continue attackwithin the network, andsend data back to attacker Source: SANS Tutorial: HTTP Client-side Exploit
  27. 27. Preventing a Client-Side Attack EMEA region at highest risk Retrieve exact list of vulnerable hosts Remediate in order Adobe Reader 9.x and of risk impact 8.x contribute themajority of the risk (76%)
  28. 28. Best Practices to Prevent Attacks Get the comprehensive Find security gaps network view every dayPrioritize by Validate changes Automate security risk level in advance processes © 2012 Skybox Security 28
  29. 29. Time for Questions Thank You! © 2012 Skybox Security