
Taking the Attacker Eviction Red Pill (v2.0)

This presentation is about how you can structure your analysis to increase the chances of success when attempting to evict an advanced attacker. It's my thoughts on how to think when deciding how and when to respond and attempt to evict a mission driven attacker from your infrastructure. This is a continuation of my previous work on the Cyber Threat Intelligence Matrix.

P.S. The concepts are still work in progress, and the slide deck is a bit rough around the edges, but I hope it can spark some ideas and help you out. If you have feedback I would also greatly appreciate hearing from you, e.g. on Twitter (@FrodeHommedal).

  • Video recording: https://www.youtube.com/watch?v=WAvO0Y0nOws

  1. Taking the Attacker Eviction RED PILL
  2. Taking the Attacker Eviction Red Pill. Frode Hommedal | Telenor | CM2017
  3. Or how to structure your thinking when countering espionage and sabotage from “APT”
  4. In this talk we will look at the attempted eviction of a mission driven and well organized adversary
  5. Beware that this is work in progress and still a bit rough around the edges
  6-7. Incident Response. PICERL: Prepare, Identify, Contain, Eradicate, Recover, Lessons Learned. NIST: Preparation; Detect & Analyze; Contain, Eradicate & Recover; Post Incident Activities. Bottom Line: Eventually you will try to get the attacker off your network.
  8. Turns out there’s a lot of uncertainty to deal with when responding to a targeted and advanced “APT breach”
  9-10. Incident Response when facing an APT threat. Best Practice: Scope before you start responding. Common Misstep: Acting too soon, giving your adversary time to adapt.
  11. It turns out “acting too soon” is a thing when responding to an APT threat
  12. If you want to respond effectively you need to reduce the uncertainty and understand when it’s the right time to act
  13. Understanding common APT patterns
  14-15. Intrusion Patterns of “APT” threats. Sting Operation: Also called “smash and grab”. A direct attack to get a specific piece of information. Persistent Infiltration: A long running campaign against you, where your adversary will gain and sustain unauthorized access to your infrastructure for a long period of time. Response: When responding, you should take into consideration what kind of pattern you are seeing.
  16-18. The Structure of an APT infiltration. Access: An APT infiltration is all about access. They work a lot to gain and sustain access. Extract: The purpose of gaining access is to find and extract useful information (or abuse your infrastructure). Deliver: All of this is done to deliver on goals set for the attacker’s mission.
  19-23. Why you are targeted by an APT attack team. Adversarial Relationship: For you to ever be targeted by an APT attack team you must be relevant for some kind of adversarial relationship. Providing Access: And you must provide access to something that will help the offensive party gain an advantage in that relationship. Observing Collection: What you are observing though is only the collection part of a much bigger process.
  24. Intermission
  25. The IR and eviction process should not really be about evicting the attackers but rather keeping them out and preventing them from effortlessly re-entering
  26. It also shouldn’t be about cleaning networks but rather mitigating risk as effectively as possible
  27. And sometimes this actually means leaving your network compromised while covertly containing the most important risks by using what you learn from the attackers
  28. So how do we make that decision?
  29. By structured analytical thinking using analytical models
  30-31. Dwell Time: The time an attacker has stayed undetected in your network. Short: Hours to days. Good chances of catching up with the attacker. Medium: Days to weeks. You may catch up if you have a capable and enabled team. Long: Months to years. Depending on the attacker your chances are in all fairness pretty slim without a full purge or migration.
  32. Intrusion Patterns of APT threats. Sting Operation: Also called “smash and grab”. A direct attack to get a specific piece of information. Persistent Infiltration: A long running campaign against you, where your adversary will gain and sustain unauthorized access to your infrastructure for a long period of time. Response: When responding, you should take into consideration what kind of pattern you are seeing.
  33-35. The Threat Type Matrix. Threat Type: Strategic | Tactical | Operational. Capability: Low | Medium | High. Strategic: You are a high priority and long term target for your adversary. Tactical: You are a short/medium term target for a specific reason. Operational: You are a target because the attacker wants infrastructure.
  36-38. The Risk Type Matrix. Risk Type: Strategic | Tactical | Operational. Impact: Low | Medium | High. Strategic: Affects your org’s long term strategic goals. Tactical: Affects your org’s current and near future execution. Operational: Affects your org’s (IT) operation.
  39-45. The Cyber Threat Intelligence Matrix: Mapping your knowledge gaps. Depth of knowledge: Footprint | Arsenal | Tradecraft. Stages of attack: Prep. | Intrusion | Execution. Presentation: https://www.slideshare.net/FrodeHommedal/the-cyber-threat-intelligence-matrix Essay: https://www.mnemonic.no/security-report/making-your-move
  46. Threat Metrics to help you navigate. CTI Matrix: Identifying knowledge gaps. Threat Type Matrix: Identifying type of threat. Risk Type Matrix: Identifying type of risk. Intrusion Pattern: Identifying type of infiltration. Dwell Time: Identifying length of infiltration.
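As an added illustration (not code from the deck or its author), the following Python sketch puts two of the models above into runnable form: the dwell-time banding from slide 30 and the knowledge-gap mapping of the CTI Matrix from slide 39. The numeric band cut-offs (3 days, 60 days), the cell names and the sample observations are assumptions of this example; the slides give no exact thresholds.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from itertools import product
from typing import Dict, List, Tuple

# Dwell-time bands from slide 30: short (hours to days), medium (days to
# weeks), long (months to years). The cut-offs below are an assumption of
# this example, not figures from the deck.
DWELL_BANDS = (("short", timedelta(days=3)), ("medium", timedelta(days=60)))


def classify_dwell_time(first_activity: str, detected: str) -> str:
    """Band how long the attacker went undetected, from two ISO-8601 timestamps."""
    start = datetime.fromisoformat(first_activity)
    end = datetime.fromisoformat(detected)
    if end < start:
        raise ValueError("detection time precedes first attacker activity")
    for label, upper in DWELL_BANDS:
        if end - start < upper:
            return label
    return "long"


# The CTI Matrix (slide 39): depth of knowledge x stage of attack.
DEPTHS = ("footprint", "arsenal", "tradecraft")
STAGES = ("preparation", "intrusion", "execution")
Cell = Tuple[str, str]


@dataclass
class CtiMatrix:
    """What is known about one adversary, recorded per matrix cell."""
    cells: Dict[Cell, List[str]] = field(default_factory=dict)

    def record(self, depth: str, stage: str, fact: str) -> None:
        if depth not in DEPTHS or stage not in STAGES:
            raise ValueError(f"unknown matrix cell ({depth}, {stage})")
        self.cells.setdefault((depth, stage), []).append(fact)

    def knowledge_gaps(self) -> List[Cell]:
        """Cells with nothing recorded, i.e. where intelligence is still missing."""
        return [c for c in product(DEPTHS, STAGES) if not self.cells.get(c)]

    def coverage(self) -> float:
        """Fraction of the nine cells with at least one recorded fact."""
        return 1 - len(self.knowledge_gaps()) / (len(DEPTHS) * len(STAGES))


def build_sample_matrix() -> CtiMatrix:
    """Constructed observations for illustration, not from any real incident."""
    m = CtiMatrix()
    m.record("footprint", "intrusion", "C2 domain observed in proxy logs")
    m.record("arsenal", "intrusion", "downloader sample recovered from an endpoint")
    m.record("tradecraft", "execution", "scheduled-task persistence observed")
    return m


if __name__ == "__main__":
    print("dwell time:", classify_dwell_time("2017-01-01T08:00", "2017-03-15T17:30"))
    for depth, stage in build_sample_matrix().knowledge_gaps():
        print(f"gap: {depth} / {stage}")
```

The gap list is what the deck calls "mapping your knowledge gaps": every empty cell is a question the response team still cannot answer before it decides when to act.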
  47. With these models in mind we will look at some response patterns
  48-51. Response Patterns for your consideration. Ignore: Ignorance or actively ignoring. Disrupt: Continuous remediation. Engage: A game of chess heavily reliant on intelligence and a high operational tempo. Clean: Scope, shut down and clean. Migrate: Build new and migrate.
  52. Wrap up
  53. So what truth is THE RED PILL of attacker eviction exposing? A way more complex and adversarial incident response reality than most responders are ready to acknowledge
  54. Yet the key takeaway is that if you understand your attacker you will be able to improve your response significantly
  55. Then you can apply the right response pattern to the identified intrusion pattern and the identified threat and risk types
  56. Always outnumbered. Never outgunned! @FrodeHommedal no.linkedin.com/in/hommedal frodehommedal.no