Building Security Controls around Attack Models

Stephan Chenette presentation at Rugged DevOps: DevOps Connect during RSA Conference 2016


  1. @StephanChenette @AttackIQ Building Security Controls Around Attack Models
  2. #RuggedDevOps If you see something cool… Get today’s Rugged DevOps presentations in your inbox mmiller@sonatype.com
  3. #WhoAmI?
     • @StephanChenette, CEO and Founder @AttackIQ
       AttackIQ created the first continuous security testing platform to challenge existing host, network and cloud infrastructure security controls to help organizations safely validate and measure their defense in depth strategy.
     • Started my career in 1999 in Security – total of 16+ years – Grad School at UCSD
     • Director of research IOActive, Head of Websense Security Labs, SAIC, eEye Digital Security
     • Sit on the advisory board for CyberTECH, CISO Round Table of Southern California and Build it Securely and I head up the local OWASP Chapter, AppSec California Conference
     • Invited speaker at Blackhat, RSA, CanSec West, AusCERT, RECON, SOURCE, ToorCON, ISSA, etc.
     • Main Interest - Offensive and Defensive Techniques
  4. Agenda
     Building Security Controls Around Attack Models
     Continuous Deployment
     Continuous Validation
  5. DevOps
     Has established a culture and environment where building, testing, and releasing software, can happen rapidly, frequently, and more reliably.
     Continuous Deployment
     Infrastructure as Code
  6. Rugged DevOps
     Goal of Security: reduce business risk
     Cyber security is a business issue, not an IT issue.
  7. Risk
     Risk = impact * likelihood
  8. Protecting Assets
     Measures must be taken to ensure the integrity, security, accuracy, and privacy of all systems and data.
     Wrap Security Controls around Valued Assets
     • Compliance
     • Business Continuity
  9. Trust, but verify
     Multiple Security Controls in place – how do you validate them all?
  10. Continuous Validation
      Rugged DevOps Responsibility
      Continuous Validation
      Continuous Deployment
  11. Why Validate Security Controls?
      To Minimize Risk.
      Risk = impact * likelihood
      If you drive impact down, the risk is minimized
      Benefits – minimized risk, more effective, efficient, consolidated security program
  12. How do you minimize your threat impact?
      • Identify The Attackers
      • Identify the Attack Techniques
      • Build Adversarial Playbook
      • Replay Attacker Playbook
      • Analyze Security Controls Results
      • Improve or Add New Security Controls
  13. This can start with simple validation
      • Identify security control assumptions
      • Build Security Control Unit Test
      • Exercise Unit Test
      • Analyze Security Controls Results
      • Improve or Add New Security Controls
  14. Security testing is not point in time
      DevOps is Code as Infrastructure
      Rugged DevOps is Code as Security
      Unit Testing Your Security Controls
      Regression Testing your Security Infrastructure
  15. Key Focus Points in Modelling
      • Prioritizing the Highest Risk Threats, Adversarial Objectives and Methods
      • Prioritize Security Controls (purpose, function, assumption)
      • Create a process that can be:
        – Automated, replicated and consistent
  16. Attack Stages
      • External Reconnaissance
      • Initial Breach
      • Gaining Persistence
      • Escalate Privileges
      • Lateral Movement
      • Access to Data Stores
      • Command and Control
      • Exfiltration
  17. Goal
      • Duplicate real attack techniques and tactics in an automated fashion
      • Automatically test each expectation as that asset or security control is deployed
  18. Example: Target Breach

      | Stage | Tactic | Pass/Fail/Detect | Technology Controls |
      |---|---|---|---|
      | Initial Breach | Install malware (Citadel) on vendor machine. | | |
      | | Use stolen credentials to connect to Target's network. | | |
      | | Exploit webapp vulnerability by uploading PHP web shell (xmlrpc.php). | | |
      | | Query Active Directory, using LDAP protocol, for relevant target services (MSSSQLvc/BillingServer). | | |
      | Privilege Escalation | Use "Pass-the-hash" to obtain NT hash token. | | |
      | Persistence | Create new domain admin account with stolen token. | | |
      | Access to other Data Stores | Utilize new credentials to scan, using "Angry IP Scanner," for accessible computers. | | |
      | | Use a port forwarding tool to tunnel through several servers, bypassing security measures. | | |
      | | Use RDP and Microsoft PSExec utility to execute processes. | | |
      | | Use Microsoft Orchestrator to remain persistent and execute arbitrary code. | | |
      | | Remotely install malware (Kaptoxa) onto POS machines, scrape POS memory, and save data to a local file. | | |
      | Exfiltration | Create remote fileshare on remote FTP-enabled machine and copy data file to the machine. | | |
      | | Use script to send file to attacker via FTP. | | |
  19. Example: Target Breach
      • Initial Breach

      | Stage | Tactic | Pass/Fail/Detect | Technology Controls |
      |---|---|---|---|
      | Initial Breach | Install malware (Citadel) on vendor machine. | | |
      | | Use stolen credentials to connect to Target's network. | | |
      | | Exploit webapp vulnerability by uploading PHP web shell (xmlrpc.php). | | |
      | | Query Active Directory, using LDAP protocol, for relevant target services (MSSSQLvc/BillingServer). | | |
  20. Example: Target Breach
      • Privilege Escalation

      | Stage | Tactic | Pass/Fail/Detect | Technology Controls |
      |---|---|---|---|
      | Privilege Escalation | Use "Pass-the-hash" to obtain NT hash token. | | |
      | Access to other Data Stores | Utilize new credentials to scan, using "Angry IP Scanner," for accessible computers. | | |
      | | Use a port forwarding tool to tunnel through several servers, bypassing security measures. | | |
      | | Use RDP and Microsoft PSExec utility to execute processes. | | |
      | | Use Microsoft Orchestrator to remain persistent and execute arbitrary code. | | |
      | | Remotely install malware (Kaptoxa) onto POS machines, scrape POS memory, and save data to a local file. | | |
  21. Example: Target Breach

      | Stage | Tactic | Pass/Fail/Detect | Technology Controls |
      |---|---|---|---|
      | Exfiltration | Create remote fileshare on remote FTP-enabled machine and copy data file to the machine. | | |
      | | Use script to send file to attacker via FTP. | | |
  22. Measure
      • Detection – Time
      • Prevention – Yes/No
  23. Example: Target Breach

      | Stage | Tactic | Pass/Fail/Detect | Technology Controls |
      |---|---|---|---|
      | Initial Breach | Install malware (Citadel) on vendor machine. | PD | Generic AV (Symantec) |
      | | Use stolen credentials to connect to Target's network. | F | Behavior Analytics |
      | | Exploit webapp vulnerability by uploading PHP web shell (xmlrpc.php). | PD | Web App Firewall |
      | | Query Active Directory, using LDAP protocol, for relevant target services (MSSSQLvc/BillingServer). | F | N/A |
      | Privilege Escalation | Use "Pass-the-hash" to obtain NT hash token. | PD | AV Detected mimikatz |
      | Persistence | Create new domain admin account with stolen token. | F | N/A |
      | Access to other Data Stores | Utilize new credentials to scan, using "Angry IP Scanner," for accessible computers. | F | N/A |
      | | Use a port forwarding tool to tunnel through several servers, bypassing security measures. | F | Palo Alto |
      | | Use RDP and Microsoft PSExec utility to execute processes. | D | Crowdstrike Falcon |
      | | Use Microsoft Orchestrator to remain persistent and execute arbitrary code. | P | Cylance Prevent |
      | | Remotely install malware (Kaptoxa) onto POS machines, scrape POS memory, and save data to a local file. | F | Symantec |
      | Exfiltration | Create remote fileshare on remote FTP-enabled machine and copy data file to the machine. | F | Behavior Analytics |
      | | Use script to send file to attacker via FTP. | F | Firewall/IPS |
  24. Modeling Exercise
      • Installation of Web Shell on network
      • Lateral Movement (Pass-the-Hash Technique) w/ mimikatz
      • Use of known port scanner
      • Use of PA/PSExec with dumped credential hashes
      • Use of Built-in-tools at potentially anomalous times
      • Download of known malware
      • Access to FTP to potentially unknown remote machine
  25. Defense-in-Depth Metrics
      Identified Tactic
      • % Failed
        – % Detected
        – % Prevented
      • Identify, prioritize need for control technology
  26. Trust, but Verify
      • Validate your security controls
      • Regression Testing
      • Unit Testing
  27. Focus
      • Run routine attack modeling automatically as your apps/security controls are deployed via chef/Jenkins, etc.
      • Identify gaps or blind spots
      • Design your controls around the attacker tactics
  28. Adversarial Modeling
      • Does not take much time/energy
      • Creates Data-driven reasoning around buying/purchasing decisions
      • Build repository of related attacks
      • Shows historical improvements around baseline
      • Consolidates security technologies
  29. Where to Start
      • IT/Ops/SOC/Dev/Management Involvement
      • Build threat intelligence/attack repository
      • Move to attack models
      • Communicate output clearly to show improvements
  30. Conclusion
      What can be measured can be improved
      Implementing security controls around relevant attack models will save you time, money and resources and focuses on minimizing the true risks to your organization
      Security as Code
      Continuous Validation
  31. • Thank you.
      • Stephan Chenette, CEO and Founder, stephan@attackiq.com
      • @stephanchenette @attackiq
  32. Get today’s Rugged DevOps presentations in your inbox mmiller@sonatype.com
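
The defense-in-depth metrics on slide 25 and the regression testing idea on slides 14 and 26, computed over the slide 23 results table. This is an added example, not code from the presentation or from AttackIQ; the function names are hypothetical, the tactic text is shortened, and it assumes the code "PD" counts as both prevented and detected.

```python
# Rows from the slide 23 table (tactics shortened): (stage, tactic, result code, control).
RESULTS = [
    ("Initial Breach", "Install malware (Citadel) on vendor machine", "PD", "Generic AV (Symantec)"),
    ("Initial Breach", "Stolen credentials to connect to network", "F", "Behavior Analytics"),
    ("Initial Breach", "Upload PHP web shell", "PD", "Web App Firewall"),
    ("Initial Breach", "Query Active Directory over LDAP", "F", "N/A"),
    ("Privilege Escalation", "Pass-the-hash", "PD", "AV Detected mimikatz"),
    ("Persistence", "Create new domain admin account", "F", "N/A"),
    ("Access to other Data Stores", "Scan with Angry IP Scanner", "F", "N/A"),
    ("Access to other Data Stores", "Port forwarding tunnel", "F", "Palo Alto"),
    ("Access to other Data Stores", "RDP and PSExec", "D", "Crowdstrike Falcon"),
    ("Access to other Data Stores", "Microsoft Orchestrator persistence", "P", "Cylance Prevent"),
    ("Access to other Data Stores", "Install Kaptoxa on POS", "F", "Symantec"),
    ("Exfiltration", "Create remote fileshare, copy data", "F", "Behavior Analytics"),
    ("Exfiltration", "Send file via FTP", "F", "Firewall/IPS"),
]

def metrics(rows):
    """% failed / detected / prevented. Assumption: 'PD' counts toward both P and D."""
    codes = [code for _stage, _tactic, code, _control in rows]
    pct = lambda hits: round(100 * hits / len(codes), 1)
    return {
        "failed": pct(sum(c == "F" for c in codes)),
        "detected": pct(sum("D" in c for c in codes)),
        "prevented": pct(sum("P" in c for c in codes)),
    }

def by_stage(rows):
    """The same metrics per attack stage, to show where controls are thinnest."""
    stages = {}
    for row in rows:
        stages.setdefault(row[0], []).append(row)
    return {stage: metrics(group) for stage, group in stages.items()}

def gaps(rows):
    """Failed tactics: those with no control at all vs. a control that missed."""
    uncovered = [t for _s, t, c, ctl in rows if c == "F" and ctl == "N/A"]
    missed = [(t, ctl) for _s, t, c, ctl in rows if c == "F" and ctl != "N/A"]
    return uncovered, missed

def regressions(baseline, current):
    """Tactics prevented or detected in the baseline run that now fail."""
    before = {t: c for _s, t, c, _ctl in baseline}
    return [t for _s, t, c, _ctl in current if c == "F" and before.get(t, "F") != "F"]

if __name__ == "__main__":
    print("overall:", metrics(RESULTS))
    for stage, m in by_stage(RESULTS).items():
        print(f"{stage}: {m}")
```

Calling `regressions` with the previous run as the baseline after each deployment gives a pass/fail signal a pipeline job can act on.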
