
BSides 2016 Presentation



  1. Defending Against APTs (Advanced Persistent Threats)
     Presented By: Angelo Rago
     Twitter: @arrago2
     E-mail:
  2. Disclaimer
     • Please note that all opinions shared during today’s presentation are solely my own, and do not reflect those of my employer, past or future employers, or my clients.
     @ARRAGO2
  3. Learning Objectives
     • Understand best practices for defending against Advanced Persistent Threats
     • Identify and understand common trends and challenges within infosec for 2016
     • Mitigation of APTs
  4. Who Am I?
     • 10 years of experience within the infosec industry
       • Fortune 500s
       • SMBs
       • Telecom
       • Healthcare
  5. What is Blue Team?
     Definition: The group responsible for defending an enterprise, and maintaining its security posture against red team and actual attacks.
  6. Common Challenges in Corporations
     • Allocation of Resources
     • Allocation of Funding
     • Time Management
     • Skill Shortage
  7. Story Time! A Tale of Two Clients…
     • Client 1: A Ransomware Attack Gone WRONG
     • Client 2: A Ransomware Attack PREVENTED
  8. What We Do (Defenders)
     • Look for Executables
     • Sniff Traffic
     • Analyze Logs
     • Identify Patterns
     • Identify Rogue Processes, Connections, Services, Users, Scheduled Tasks
     What They Do (Attackers)
     • Minimize the amount of recognizable changes
     • Generate Minimal Traffic
     • Install Multiple avenues of Persistence
     • Continue to pervade a system and obtain persistence again if discovered
  9. The Technical Issues…
     • Passwords
     • Securing the Environment
     • Understanding the Attacker’s Goal
  10. Passwords (aka where most problems stem from)
     • Easy to Guess Passwords
     • No Real Enforcement
     • No Second Level Authentication
     • Enforced Policies
  11. Forget It… We’re Lazy! (aka Headaches)
     • Easy to Remember
     • Reuse Old Password
     • Based on easily Identifiable information
     • Reuse same passwords in multiple places
     • We Never Learn!
  12. Securing the Environment (The Basics…)
     • Patching
     • Hardening
     • Testing
     • Logging
     • Aggregate Data
     • Build Situational Awareness
  13. The Attacker’s Goal
     • Persistence
     • Data exploitation
     • Find default / weak passwords
     • Compromise as many systems as possible
  14. What We Can Do
     • Lock down workstations by Group Policies
     • Limit network traffic
     • Restrict Remote SAM calls from PCs
     • Disable Java
     • Disable Macros
     • Whitelist good extensions
     • Monitor for odd patterns or behaviors
     • Backups
  15. In addition, organizations such as NIST recommend the following to mitigate threats:
     • Apply Industry Best Practices
     • Vulnerability Scan
     • Use EMET
     • Disable Telnet
     • Disable HTTP
     • Ensure no Clear Text Passwords are used
     • No open WiFi
     • Use SSL Version 3
     NIST: National Institute of Standards and Technology
  16. Group Policies
     • Option 1: Minimal End User Impact
     • Option 2: Balanced End User Impact
     • Option 3: Hardened Environment (This also brings with it overhead and complexity)
  17. A Look Back at 2016
     • Ransomware attacks primarily targeted Healthcare, Government, and Educational Institutions
     • Ransomware Variants:
       • Crysis
       • Locky
       • Odin
       • Cerber
  18. A Look Back at 2016 (Continued)
     • State Sponsored Leaks
     • State Sponsored Tools being sold
       • i.e. Equation Group
  19. A Look Back at 2016 (Continued)
     • DDoS Attacks: Attackers / Nation States vs. The Good Guys
  20. Where Do We Go From Here?
     • Ignore Everything We’ve Learned
     OR
     • Use the Knowledge we have in front of us to create change, and secure our environment
  21. Questions?
  22. Thanks for Listening!
     E-mail:
     Twitter Handle: @arrago2
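As an added example (not part of the presentation), the following PowerShell script turns two of the slides into a read-only check a blue team can run on a workstation: it audits the "Restrict Remote SAM calls" and "Disable Macros" controls from slide 14 via their documented policy registry values, and lists non-Microsoft scheduled tasks as one of the "rogue" persistence avenues named on slide 8. It assumes Windows 10 (1607 or later) with Office 2016+ (the `16.0` policy path) and a local administrator session; the expected SDDL and macro values are the Microsoft-documented ones, not settings from the deck.

```powershell
# Added example: audit a handful of the workstation controls from slides 8 and 14.
# Assumptions: Windows 10 1607+ / Server 2016+, Office 2016+ policy paths (16.0),
# run as a local administrator. Read-only; nothing is changed.

function Test-RegistryValue {
    param([string]$Path, [string]$Name, $Expected)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent means the policy is not explicitly enforced on this host.
        return [pscustomobject]@{ Check = $Name; Actual = '<not set>'; Pass = $false }
    }
    $actual = $item.$Name
    [pscustomobject]@{ Check = $Name; Actual = $actual; Pass = ($actual -eq $Expected) }
}

function Get-WorkstationHardeningReport {
    $lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $office = 'HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0'   # user-scope Office policy

    $checks = @(
        # Slide 14 "Restrict Remote SAM calls": SDDL allowing only local Administrators
        # to enumerate users and groups over the network.
        Test-RegistryValue $lsa 'RestrictRemoteSAM' 'O:BAG:BAD:(A;;RC;;;BA)'
        # Slide 14 "Disable Macros": VBAWarnings 4 = disable all macros without notification.
        Test-RegistryValue "$office\Word\Security"  'VBAWarnings' 4
        Test-RegistryValue "$office\Excel\Security" 'VBAWarnings' 4
        # Also block macros in documents carrying Mark-of-the-Web (downloaded files).
        Test-RegistryValue "$office\Word\Security"  'blockcontentexecutionfrominternet' 1
    )

    # Slide 8 "Identify Rogue ... Scheduled Tasks": anything outside \Microsoft\ deserves
    # a look; compare against a known-good baseline rather than judging by name alone.
    $tasks = Get-ScheduledTask |
        Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
        Select-Object TaskName, TaskPath, @{ n = 'Action'; e = { $_.Actions[0].Execute } }

    [pscustomobject]@{ Checks = $checks; NonMicrosoftTasks = $tasks }
}

$report = Get-WorkstationHardeningReport
$report.Checks            | Format-Table -AutoSize
$report.NonMicrosoftTasks | Format-Table -AutoSize
```

A failed `RestrictRemoteSAM` check only means the value is not set by policy; on Windows 10 1607+ the same restriction is the built-in default, so the finding is about enforcement, not exposure.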