Living with the threat of Determined Attackers - RANT0214

Presentation slides from Manchester RANT 14-02-2014. Published in: Technology.

1 Comment
  • Download here; http://www.sendspace.com/file/8kn03w

Slide transcript
1. MANCHESTER RANT
   FEBRUARY 14TH 2014

2. YOUR SPEAKER – JAMES MCKINLAY
   • 2014 CISO LEVEL SECURITY, RISK & COMPLIANCE CONSULTANCY ACROSS EUROPE
   • 2013 PCIDSS COMPLIANCE AT WALMART FOR ASDA & GEORGE (LEVEL ONE MERCHANT)
   • 2011 - 2013 PCIDSS COMPLIANCE MANCHESTER AIRPORTS GROUP (LEVEL THREE MERCHANT)
   • 2006-2011 PCIDSS COMPLIANCE HOMELOAN MANAGEMENT LIMITED (LEVEL ONE SERVICE PROVIDER)
   • 2006 ECOMMERCE SECURITY – THOMAS COOK SCHEDULED BUSINESS

3. EXEC SUMMARY
   • DEFENDERS ARE INCREASINGLY BEING OVERRUN BOTH BY EVENTS GENERATED BY ORDINARY CYBERCRIME AND BY ADVANCED, TARGETED ATTACKS FROM SOPHISTICATED ADVERSARIES.
   • INCREASED COMPLEXITY AND FREQUENCY OF ATTACKS, COMBINED WITH REDUCED EFFECTIVENESS OF PREVENTATIVE CONTROLS, INCREASES THE NEED FOR ENTERPRISE-SCALE SECURITY INCIDENT RESPONSE.
   • THREAT INTELLIGENCE AND CONTINUOUS IMPROVEMENT OF INCIDENT RESPONSE PROCESSES ARE NEEDED BY ENTERPRISES TO REDUCE THE EFFORT REQUIRED IN CONTAINING LOSSES AND RISKS.

4. WHAT DO I MEAN BY . . . .
   • DETERMINED ATTACKERS
   • BETTER INTELLIGENCE
   • BETTER PREPARED

5. WHAT DO I MEAN BY DETERMINED ATTACKER
   • GET IN PAST YOUR PREVENTATIVE DEFENCES
   • STEAL SOME VALID CREDENTIALS
   • REMOVE TOOLS USED IN GETTING IN
   • FIND SOME REMOTE ACCESS AND USE VALID CREDENTIALS
   • EXPLORE THE ENVIRONMENT
   • STEAL DATA – RINSE AND REPEAT

6. JIM ALDRIDGE BH2012
   https://dl.mandiant.com/EE/library/BH2012_Aldridge_RemediationPres.pdf

7. PREVENTATIVE CONTROLS ARE NOT ENOUGH
   A “Determined attacker” will not be put off by traditional IT security technology:
   • Basic AV Avoidance
   • Basic IDS Avoidance
   • Modern Sandbox Avoidance
   • WAF Identification
   • Web Filter Avoidance
   • Email Filter Avoidance

8. BASIC AV AVOIDANCE
   • HTTPS://WWW.VEIL-FRAMEWORK.COM/FRAMEWORK/VEIL-EVASION/

9. BASIC IDS AVOIDANCE
   • HTTP://WWW.MONKEY.ORG/~DUGSONG/FRAGROUTE/
   • HTTP://EVADER.STONESOFT.COM

10. MODERN SANDBOX AVOIDANCE
   • HTTP://WWW.GIRONSEC.COM/BLOG/2013/10/ANTI-SANDBOXING-IDEAS/

11. BASIC WAF IDENTIFICATION
   • OWASP XSS TOOL “XENOTIX” GIVES US AN EXAMPLE OF A GUI WAF IDENTIFIER
   • HTTPS://WWW.OWASP.ORG/INDEX.PHP/OWASP_XENOTIX_XSS_EXPLOIT_FRAMEWORK

12. BASIC WEB PROXY AVOIDANCE
   • HTTPS
   • TOR BRIDGE RELAY
   • HTTPS://WWW.TORPROJECT.ORG/

13. EMAIL FILTER AVOIDANCE TRICKS
   • LARGE BENIGN ATTACHMENTS MEAN MESSAGES GET SKIPPED FOR SPAM PROCESSING
   • WELL FORMED FIRST MESSAGE GETS SENDER ONTO A WHITELIST
   • BACKGROUND READING: “INSIDE THE SPAM CARTEL”, “BOTNETS THE KILLER APP”, “PHISHING EXPOSED”

14. BASIC PHISHING MANAGERS
   • SET - HTTP://WWW.SOCIAL-ENGINEER.ORG/FRAMEWORK
   • PHISH FRENZY - HTTP://WWW.PENTESTGEEK.COM/2013/11/04/INTRODUCING-PHISHING-FRENZY/
   • SENINJA - HTTP://WWW.ALDEID.COM/WIKI/SOCIAL-ENGINEERING-NINJA

15. COMPLETE ATTACK MANAGERS
   • HTTP://WWW.ADVANCEDPENTEST.COM/FEATURES
   • HTTP://WWW.FASTANDEASYHACKING.COM/

16. POST EXPLOITATION
   • BOOK “CODING FOR PENETRATION TESTERS” HAS A CHAPTER DEVOTED TO THIS

17. POST EXPLOITATION (2)
   • WCE - HTTP://WWW.AMPLIASECURITY.COM/RESEARCH.HTML
   • PRIVILEGE ESCALATION - HTTPS://WWW.INSOMNIASEC.COM/RELEASES

18. WHAT IS THE MESSAGE
   • DON'T GET COMPLACENT – IF THEY WANT TO GET IN BADLY ENOUGH, THEY WILL GET IN!

19. WHAT DO I MEAN BY . . . .
   • DETERMINED ATTACKERS
   • BETTER INTELLIGENCE
   • BETTER PREPARED

20. WHAT DO I MEAN BY BETTER INTELLIGENCE
   • TO KNOW WHAT YOU KNOW AND TO KNOW WHAT YOU DON'T KNOW IS THE SIGN OF ONE WHO KNOWS
   • KNOW THE WEAKNESSES IN YOUR DEFENCES
   • KNOW THE TECHNIQUES USED BY YOUR ENEMY
   • KNOW WHO TO TURN TO FOR HELP

21. WHERE ARE MY WEAKNESSES
   • INTERNAL AND EXTERNAL AUDIT REPORTS
   • PENETRATION TEST RESULTS
   • RISK WORKSHOPS
   • INTERVIEW FRONT LINE STAFF
   • WHISTLE-BLOWING HOTLINE
   • IT'S WORTH ASSUMING THAT YOUR PERIMETER HAS BEEN BREACHED, AND THAT YOU SHOULD PLAN A RESPONSE STRATEGY

22. APT INTELLIGENCE REPORTS IN MARKETING
   • VENDOR ISSUED APT REPORTS AND ADVANCED MALWARE REPORTS
   • MANDIANT APT1 REPORT OPENED THE FLOOD GATES

23. MALWARE RESEARCH COMMUNITY (SMALL SAMPLE)
   • HTTP://AVCAESAR.MALWARE.LU/
   • HTTP://WWW.MALSHARE.COM/ABOUT.PHP
   • HTTPS://MALWR.COM/
   • HTTP://SUPPORT.CLEAN-MX.DE/CLEAN-MX/VIRUSES?
   • HTTP://VIRUSSHARE.COM/ABOUT.4N6
   • HTTP://VIRUSTOTAL.COM
   • HTTP://VXVAULT.SIRI-URZ.NET/VIRILIST.PHP
   • HTTP://WWW.OFFENSIVECOMPUTING.NET

24. RSS ENABLED BLOGGING COMMUNITY
   • RSS Bandit http://rssbandit.org/
   • http://stopmalvertising.com/

25. IP REPUTATION COMMUNITIES
   • EXAMPLE: ALIENVAULT OPEN THREAT EXCHANGE HTTPS://WWW.ALIENVAULT.COM/OPEN-THREAT-EXCHANGE

26. “NOT MARKETING” VENDOR REPORTS
   • MICROSOFT SECURITY INTELLIGENCE REPORTS
   • CISCO ANNUAL REPORTS

27. CISP ENVIRONMENT
   • GOVERNMENT CYBER SECURITY STRATEGY INVOLVES REACHING OUT TO INDUSTRY BEYOND CNI
   • GCHQ, CESG AND CPNI COLLABORATED ON CISP HTTPS://WWW.CISP.ORG.UK/

28. READING: WHITEPAPERS
   • A FEW EXAMPLES:
   • SOC
   • IR
   • DATA BREACH
   • MALWARE

29. REFERENCES
   • PAPERS
   • HTTP://H71028.WWW7.HP.COM/ENTERPRISE/DOWNLOADS/SOFTWARE/ESP-BWP014-052809-09.PDF
   • HTTP://WWW.EMC.COM/COLLATERAL/WHITE-PAPERS/H12651-WP-CRITICAL-INCIDENT-RESPONSE-MATURITY-JOURNEY.PDF
   • HTTPS://OTALLIANCE.ORG/RESOURCES/INCIDENT/2014OTADATABREACHGUIDE.PDF
   • HTTP://WWW.MICROSOFT.COM/EN-GB/DOWNLOAD/DETAILS.ASPX?ID=34793
   • HTTP://WWW.ASD.GOV.AU/INFOSEC/TOP-MITIGATIONS/TOP35MITIGATIONSTRATEGIES-LIST.HTM
   • HTTP://WWW.FIRST.ORG/CONFERENCE/2008/PAPERS/KILLCRECE-GEORGIA-SLIDES.PDF
   • HTTP://WWW.SANS.ORG/READING-ROOM/WHITEPAPERS/DETECTION/EARLY-MALWARE-DETECTION-CORRELATION-INCIDENT-RESPONSE-SYSTEM-CASE-STUDIES-34485
   • HTTPS://WWW.GOV.UK/PUBLIC-SERVICES-NETWORK#PSN-STANDARDS
   • HTTP://CSRC.NIST.GOV/PUBLICATIONS/NISTPUBS/800-61REV2/SP800-61REV2.PDF

30. BACKGROUND READING: BOOKS

31. DEEPER DIVE: BOOKS

32. WHAT DO I MEAN BY . . . .
   • DETERMINED ATTACKERS
   • BETTER INTELLIGENCE
   • BETTER PREPARED

33. WHAT DO I MEAN BY BETTER PREPARED
   • USER AWARENESS
   • CYBER STRATEGY AT BOARD LEVEL
   • IT ASSURANCE FRAMEWORK
   • SECURITY OPERATIONS MATURITY: SOC, CIRT, THREAT INTELLIGENCE, PROACTIVE APT HUNTERS

34. PHISHING AWARENESS
   • DO YOU REMEMBER THE DIY SLIDES

35. PROFESSIONAL PHISHING AWARENESS
   • PHISH5
   • PHISHME

36. CYBER STRATEGY AT BOARD LEVEL
   • GOVERNMENT COMMITMENT TO SUPPORT INDUSTRY
   • .GOV.UK AND SEARCH “CYBER”

37. CYBER STRATEGY (ALSO WORTH A READ)
   • BELGIAN CHAMBER OF COMMERCE - BCSG
   • HTTP://WWW.ICCBELGIUM.BE/INDEX.PHP/QUOMODO/BECYBERSECURE

38. ITCF -V- ISMS
   • CONTROL FRAMEWORK
   • HTTP://WWW.ISACA.ORG/COBIT/PAGES/DEFAULT.ASPX
   (Diagram: COBITv5 – Processes for Governance and Processes for Management; under Deliver, Service and Support: Manage IT Operations, Manage IT Assets, Manage IT Configurations, Manage IT Incidents, Manage Business Continuity, Manage Information Security, Manage Business Process)

39. ITAF -V- ITCF
   • WHAT IS IT ASSURANCE

40. SECOPS MATURITY (SOC)
   • SIEM
   • CORRELATION
   • STAFFING
   • DROWNING IN DATA
   • HTTP://WWW8.HP.COM/H20195/V2/GETPDF.ASPX/4AA4-6539ENN.PDF
   • HTTP://WWW.ACI-NA.ORG/SITES/DEFAULT/FILES/S4-NESSI.PDF
   • HTTP://WWW.SECURITE.ORG/PRESENTATIONS/SOC/MEITSEC-SOC-NF-V11.PDF

41. SECOPS MATURITY (CIRT)
   • THREAT INTELLIGENCE FEEDS
   • LIVE RESPONSE TECHNIQUES
   • ENTERPRISE CLASS FORENSIC ACQUISITION
   • STAFF DEVELOPMENT
   • MALWARE REVERSING SKILLS / SOCIAL ENGINEERING SKILLS
   • WORKFLOW BPM TOOLING
   • NETWORK CONTAINMENT / NAC

42. OPEN IOC
   • WHAT IS OPEN IOC - HTTP://WWW.OPENIOC.ORG/

43. FREE TOOLS
   • FROM MANDIANT

44. LESSONS WITH OPENIOC FREE TOOLS

45. SECOPS MATURITY (APT HUNTERS)
   • WHAT IS REDLINE
   • COLLECTS WINDOWS ACTIVITY FROM: FILE, REGISTRY, DNS LOOKUPS, PROCESSES IN MEMORY, NETWORK CONNECTIONS
   • FIRST RESPONDER INVESTIGATIONS
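Slides 42 and 45 name OpenIOC and Redline without showing how an indicator document is actually applied to collected host data. The following is an added example, not code from the slides or from Mandiant's tools: a small evaluator that parses an OpenIOC 1.0 document (element and attribute names ioc, definition, Indicator, IndicatorItem, Context, Content, operator, condition and search follow the published OpenIOC 1.0 schema) and walks its AND/OR tree against a host snapshot. The IOC document, the host snapshot and its field-path keys such as FileItem/FullPath and DnsEntryItem/Host are all constructed for illustration; the hostname uses the reserved .invalid TLD. The point it makes that the slides do not: for an AND of items on the same document type (two properties of one file), a hit requires a single collected object satisfying all of them, not merely each property matching somewhere on the host.

```python
"""Evaluate a constructed OpenIOC 1.0 document against a constructed host snapshot.

Added example: the IOC, the snapshot and the field-path keys are all invented
for illustration; nothing here is a real indicator or real triage output.
"""
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}  # OpenIOC 1.0 namespace

# Constructed IOC: (file named svchost.exe AND path contains \Temp\) OR a DNS lookup
# of a constructed hostname. The ids are obvious placeholders, not real GUIDs.
# Note: "\\Temp\\" in this non-raw string becomes the two-backslash text \Temp\ in XML.
CONSTRUCTED_IOC = """<?xml version="1.0" encoding="utf-8"?>
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="PLACEHOLDER-IOC-0001" last-modified="2014-02-14T00:00:00">
  <short_description>Constructed example: system binary name in a temp path, or a constructed C2 lookup</short_description>
  <definition>
    <Indicator operator="OR" id="PLACEHOLDER-IND-0001">
      <Indicator operator="AND" id="PLACEHOLDER-IND-0002">
        <IndicatorItem id="PLACEHOLDER-ITEM-0001" condition="is">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">svchost.exe</Content>
        </IndicatorItem>
        <IndicatorItem id="PLACEHOLDER-ITEM-0002" condition="contains">
          <Context document="FileItem" search="FileItem/FullPath" type="mir"/>
          <Content type="string">\\Temp\\</Content>
        </IndicatorItem>
      </Indicator>
      <IndicatorItem id="PLACEHOLDER-ITEM-0003" condition="is">
        <Context document="DnsEntryItem" search="DnsEntryItem/Host" type="mir"/>
        <Content type="string">c2.example.invalid</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed host snapshots, keyed by OpenIOC document type. Each record maps a
# search path to the collected value, mirroring what a triage collection yields.
SUSPECT_HOST = {
    "FileItem": [
        {"FileItem/FileName": "svchost.exe", "FileItem/FullPath": "C:\\Windows\\System32\\svchost.exe"},
        {"FileItem/FileName": "svchost.exe", "FileItem/FullPath": "C:\\Users\\Public\\Temp\\svchost.exe"},
    ],
    "DnsEntryItem": [{"DnsEntryItem/Host": "update.example.invalid"}],
}
# The clean host has a legitimate svchost.exe and an unrelated file in \Temp\: each
# AND item matches *some* file, but no single file matches both, so no hit.
CLEAN_HOST = {
    "FileItem": [
        {"FileItem/FileName": "svchost.exe", "FileItem/FullPath": "C:\\Windows\\System32\\svchost.exe"},
        {"FileItem/FileName": "readme.txt", "FileItem/FullPath": "C:\\Users\\Public\\Temp\\readme.txt"},
    ],
    "DnsEntryItem": [{"DnsEntryItem/Host": "update.example.invalid"}],
}


def _local(node):
    """Strip the namespace from an element tag."""
    return node.tag.split("}")[-1]


def _item_matches(item, record):
    """Apply one IndicatorItem (condition + Content) to one collected record."""
    ctx = item.find("ioc:Context", NS)
    want = (item.findtext("ioc:Content", default="", namespaces=NS) or "").lower()
    have = record.get(ctx.get("search"))
    if have is None:
        return False
    cond = item.get("condition", "is")
    if cond == "is":
        return have.lower() == want
    if cond == "contains":
        return want in have.lower()
    raise ValueError("unsupported OpenIOC condition: %r" % cond)


def _eval(node, host):
    """Recursively evaluate an Indicator/IndicatorItem subtree against the host."""
    if _local(node) == "IndicatorItem":
        doc = node.find("ioc:Context", NS).get("document")
        return any(_item_matches(node, r) for r in host.get(doc, []))
    children = [c for c in node if _local(c) in ("Indicator", "IndicatorItem")]
    if node.get("operator", "OR").upper() == "AND":
        docs = {c.find("ioc:Context", NS).get("document") for c in children if _local(c) == "IndicatorItem"}
        if len(docs) == 1 and all(_local(c) == "IndicatorItem" for c in children):
            # Same-document AND: all items must hit the same collected object.
            return any(all(_item_matches(c, r) for c in children) for r in host.get(docs.pop(), []))
        return all(_eval(c, host) for c in children)
    return any(_eval(c, host) for c in children)


def evaluate_ioc(ioc_xml, host):
    """Return the IOC id, its short description and whether the host matches it."""
    root = ET.fromstring(ioc_xml)
    top = root.find("ioc:definition/ioc:Indicator", NS)
    return {
        "id": root.get("id"),
        "description": root.findtext("ioc:short_description", default="", namespaces=NS),
        "hit": _eval(top, host),
    }


if __name__ == "__main__":
    for name, host in (("suspect", SUSPECT_HOST), ("clean", CLEAN_HOST)):
        print(name, evaluate_ioc(CONSTRUCTED_IOC, host))
```

Running the block reports a hit for the suspect snapshot (a file that is both named svchost.exe and sits under \Temp\) and no hit for the clean one, even though both snapshots contain a file called svchost.exe and a file under \Temp\. Extending the evaluator to the other OpenIOC conditions and to additional document types is a matter of adding branches to _item_matches and more keys to the snapshot.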
46. (.MANS) REDLINE TRIAGE COLLECTION
   • 1

47. (.MANS) REDLINE TRIAGE COLLECTION
   • 2

48. (.MANS) REDLINE TRIAGE COLLECTION
   • 3

49. TACKLING ADVANCED THREATS
   • THERE IS NO SINGLE TECHNOLOGY TO “RULE THEM ALL”
   • 1) RECOGNISE “PREVENTATIVE” ISN'T ENOUGH
   • 2) GET SENIOR LEVEL SPONSORSHIP
   • 3) GET THE RIGHT PEOPLE
   • 4) GET THE RIGHT TOOLING

50. VENDORS TACKLING ADVANCED THREATS
   • THERE IS NO SINGLE TECHNOLOGY TO RULE THEM ALL
   • ARBOR – Prevail
   • DAMBALLA – Failsafe
   • FIDELIS – XPS
   • LANCOPE – StealthWatch
   • SOURCEFIRE – FireAMP
   • RSA – Netwitness
   • SOLERA – DeepSee
   • SOLERA – BluecoatATP
   • AHNLABS – MDS
   • CHECKPOINT – threat emulation
   • FIREEYE – ATP
   • LASTLINE – Previct
   • MCAFEE – ValidEdge
   • TREND – Deep Discovery
   • PALOALTO – Wildfire
   • BLUERIDGE – Appguard
   • BROMIUM – vsentry
   • HBGARY – DigitalDNA
   • INVINCEA – Enterprise Threat Analyser
   • RSA – ecat
   • TRIUMFANT – mdar
   • Mandiant
   • Carbon Black
   • Guidance Software
   • CounterTack
   • CrowdStrike
   • Tanium
   • Intelligent ID
   • Nexthink
   • Webroot
   • LogRhythm
   • TrustCloud
   • Cyvera

51. CREDITS
   • JEFF YEUTER @ MANDIANT FOR THE REDLINE EXAMPLE
   • JIM ALDRIDGE @ MANDIANT FOR THE BLACKHAT2012 APT PRESENTATION
   • ANTON CHUVAKIN @ GARTNER FOR THE PAPER “SECURITY INCIDENT RESPONSE IN THE AGE OF APT”

52. TIME IS PRECIOUS – THANK YOU FOR YOURS
   • FIND ME ON LINKEDIN
   • UK.LINKEDIN.COM/PUB/JAMES-MCKINLAY/16/A42/206/