
Blue Team on a Budget / Your Perimeter Will Be Breached


At the ILTACON conference I did a session that focused on 10 tips/tricks/tools/scripts for detecting and responding to suspicious network activity, as well as hardening an environment to better protect it from future attacks.


  1. THE PROJECTOR TOTALLY WORKS! IF YOU CAN READ THIS…
  2. Brian Johnson / Emergent Networks: Your Perimeter Will Be Breached
  3. THIS IS A “FUD FREE” SESSION (Fear, Uncertainty, Doubt)
  4. AGENDA • 2017 security “highlights” • My first breach response experience (a tale of tears and fears) • “Blue team on a budget” – 10 tips to better secure your network. Warning! This presentation has a Jack Nicholson theme!
  5. 2017: SO FAR, A PAINFUL YEAR FOR SECURITY
  6. WANNACRY/WCRY MALWARE Impact: infected several hundred thousand computers beginning in May. Payload: encrypt files, demand $300-500 in Bitcoin. Source: trendmicro.com
  7. PETYA/NOTPETYA MALWARE Impact: infected computers in at least 65 countries in May. Payload: encrypt files, demand $300-500 in Bitcoin. P.S. even if you pay, you lose. Source: paloaltonetworks.com
  8. BREACHES/LEAKS OF CC#S AND PERSONAL INFO July: an analyst’s contacts, Microsoft account login, email inbox and other sensitive company data were posted on Pastebin. Update from FireEye on Aug 7 (paraphrased): “The analyst wasn’t hacked…his social media and email accounts used passwords from breaches as old as 2016…”
  9. BREACHES/LEAKS OF CC#S AND PERSONAL INFO May: Thousands of HIPAA-protected medical records exposed due to misconfigured backups
  10. Who are the breach victims? “I’m too small to go after, right?”
  11. What tactics are used?
  12. LESSONS LEARNED? • Patch all your things • Use strong and unique passwords • Don’t click stuff • Know what’s going
  13. Why are we continuing to get breached? Maybe we rely too much on:
  14. MY FIRST BREACH RESPONSE: A PERSONAL STORY OF TEARS AND FEARS
  15. FIRST SIGNS OF COMPROMISE: Virus detected! Virus detected!
  16. CUSTOMER’S INCIDENT RESPONSE PLAN:
  17. APPLICATION LOG
  18. SYSTEM LOG
  19. SECURITY LOG
  20. FIREWALL LOGS
  21. I WAS ALL:
  22. TO MAKE MATTERS WORSE… • Spotty AV deployment • Cringeworthy patching • No centralized logging / alerting • Weak AD password policy
  23. VERDICT? Burn and rebuild most of the environment
  24. SO WHAT SHOULD WE DO? A. Run B. Hide C. Be afraid D. A, B and C E. Get better at some security basics!
  25. “BLUE TEAM ON A BUDGET!” (10 FREE/CHEAP WAYS TO IMPROVE NETWORK SECURITY)
  26. DANIEL KAFFEE VS. COLONEL JESSUP It’s the morning of Kaffee’s big trial against Jessup…
  27. Danny’s trial files are GONE!
  28. TIP 1: TURN LOGGING UP TO “11”
  29. This will come in handy later…
  30. Let’s take a look at Joanne’s machine…
  31. OVER AT JOANNE’S PC:
  32. WAS SHE HACKED? INSIDER THREAT? CAN WE GET MORE INSIGHT INTO WHAT’S HAPPENING ON HER PC? Does she still love
  33. TIP 2: INSTALL SYSMON
  34. WHAT’S SYSMON? • I call it “system log on steroids!” • Microsoft makes it • It runs on Win7+ and Server 2008R2+ • The price is freeeeeeeeeee!
  35. WHAT’S SYSMON? Things that get logged include: – Processes being created / terminated – Network connections – File timestamp modifications
  36. WHAT’S SYSMON? Sysmon pairs well with a good config!
  37. SYSMON IS EASY TO INSTALL…
  38. Let’s see what kind of interesting things Sysmon
  39. A SUSPICIOUS DOWNLOAD WAS LOGGED!
  40. AND A SUSPICIOUS NETWORK CONNECTION! WE’LL COME BACK TO “DNSCAT” LATER
  41. WE SUSPECT SHE CLICKED SOMETHING BAD… HOW CAN WE GET MORE INSIGHT?
  42. TIP 3: INSTALL AN ONION Not this. This.
  43. Management interface / Sniffing interface
  44. Wait a minute! Could the Security Onion “sniff” this if the download was over HTTPS?! Remember we turned up PowerShell logging?
  45. Joanne’s AD account password
  46. WAIT! I THOUGHT WE STOPPED THE MIMIKATZ ATTACK??!!?
  47. TIP 4: DON’T PUT TOO MUCH FAITH IN ENDPOINT PROTECTION
  48. Let’s swap “katz” for “dogz”!
  49. After a few more small tweaks to the script:
  50. ATTACKER HAS JOANNE’S PASSWORD. IS THAT THE EXTENT OF THE DAMAGE?
  51. TIP 5: KEEP AN EYE ON ACTIVE DIRECTORY
  52. WHAT WAS THAT “DNSCAT2” BUSINESS ALL ABOUT?
  53. Joanne’s PC → Bad guy’s DNS server: 2309sd.badguy.com, ba83jfs.badguy.com, dfs30-1.badguy.com, f8b100.badguy.com
  54. It’s (around) 9:30 a.m. Do you know what’s happening with your DNS traffic?
  55. TIP 6: MEET RITA (REAL INTELLIGENCE THREAT ANALYTICS) Not this one
  56. That’s a lot of DNS requests!
  57. WHOIS LOOKUP
  58. Time for Kaffee to close the case! We have the evidence we need!
  59. “Did you hack my network? DID YOU HACK MY NETWORK?!” “YOU’RE GOSH DARN RIGHT
  60. “You have no idea how to defend a country network…”
  61. “Wait ‘til you see tips 7-10!”
  62. TIP 7: DEPLOY A CANARY! Not this. This.
  63. THE CANARY PRETENDS TO BE A JUICY TARGET And speaking of port
  64. Not this Rita …RITA can log these too!
  65. THE CANARY LOOKS REAL!
  66. THE CANARY LOOKS REAL!
  67. CANARY CAN CHIRP OUT ALARMS
  68. And speaking of passwords…
  69. TIP 8: USE STRONG PASSWORDS
  70. • Minimum password length: 14 • Passwords must meet complexity requirements • Do not store passwords using reversible encryption • Enforce password history of 24+ …don’t forget about local admin
  71. TIP 9: INSTALL LAPS (LOCAL ADMINISTRATOR PASSWORD SOLUTION)
  72. Without LAPS… PC01, PC02, PC03 all share one Local Administrator account password: TheShining1980
  73. With LAPS… PC01, PC02, PC03 each get their own local admin password: CNKSEMFRnz579dPdw007 / Ol9JnmHcb3grRYkcXg2D / 13dvoHim28ka6RwSy2yd
  74. TIP 10: SCAN AND PATCH ALL YOUR THINGS!
  75. NMAP – a Swiss army knife for network scanning! • Been around since 1997 • Runs on just about any OS • Entire books written about it!
  76. • Not free but cheap (~$2k a year) • Identifies missing OS/third-party patches, security misconfigurations, etc. • Easy to schedule scans and receive email alerts on critical items
  77. Reporting is a little ho-hum
  78. • Makes pretty pictures/reports out of scan data • $65/license
  79. [Chart: Vulnerabilities by severity (Critical, High, Medium); data labels 168, 563, 3824]
  82. HERE ENDS THE 10 TIPS
  83. Qs and As …and one more slide before we go!
  84. Brian Johnson, Emergent Networks, BrianJ@EmergentNetworks.com, @7MinSec, www.7ms.us
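An added example, not from the talk and not RITA's own code, of the kind of check RITA runs over DNS traffic like the dnscat2 exchange on slide 53 (and that the Sysmon network-connection events on slides 35 and 40 would point you toward): it reads a constructed, simplified dns.log excerpt and flags a client that resolves many distinct, random-looking subdomains under one domain. The log column layout, thresholds, client IPs and the made-up subdomains beyond the four on the slide are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed, simplified dns.log excerpt (tab-separated: timestamp, client IP, queried
# name). Not real data: the first four badguy.com names are from slide 53, the rest are made up.
SAMPLE_DNS_LOG = """\
1502290201.1\t10.0.0.15\t2309sd.badguy.com
1502290201.4\t10.0.0.15\tba83jfs.badguy.com
1502290201.9\t10.0.0.15\tdfs30-1.badguy.com
1502290202.3\t10.0.0.15\tf8b100.badguy.com
1502290202.8\t10.0.0.15\t9a01k3xe7b.badguy.com
1502290203.0\t10.0.0.15\tq7z2pd4w.badguy.com
1502290203.5\t10.0.0.15\tm4lp0sd9.badguy.com
1502290204.0\t10.0.0.15\tz1x2c3v4.badguy.com
1502290210.0\t10.0.0.22\twww.example.com
1502290211.0\t10.0.0.22\tmail.example.com
"""

def base_domain(name):
    """Registrable domain, approximated as the last two labels (no public-suffix list)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name

def shannon_entropy(text):
    """Bits per character: random-looking tunnel labels score high, 'www' scores 0."""
    return -sum(c / len(text) * math.log2(c / len(text)) for c in Counter(text).values())

def parse_dns_log(text):
    """Yield (timestamp, client, query) tuples from the simplified log format above."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            ts, client, query = line.split("\t")[:3]
            yield float(ts), client, query

def find_suspicious_domains(records, min_unique_subdomains=5, min_entropy=2.5):
    """Flag (client, domain) pairs with many distinct, high-entropy subdomains: the
    footprint a dnscat2-style tunnel leaves in DNS logs even when nothing else is logged."""
    prefixes = defaultdict(set)
    for _, client, query in records:
        base = base_domain(query)
        prefix = query.lower().rstrip(".")[: -len(base) - 1]  # strip the ".<base>" suffix
        if prefix:
            prefixes[(client, base)].add(prefix)
    findings = []
    for (client, base), names in prefixes.items():
        mean_entropy = sum(shannon_entropy(n) for n in names) / len(names)
        if len(names) >= min_unique_subdomains and mean_entropy >= min_entropy:
            findings.append({"client": client, "domain": base,
                             "unique_subdomains": len(names),
                             "mean_entropy": round(mean_entropy, 2)})
    return sorted(findings, key=lambda f: -f["unique_subdomains"])
```

Run `find_suspicious_domains(parse_dns_log(SAMPLE_DNS_LOG))` to get the flagged pairs; on real traffic, CDNs and cloud services also spray unique subdomains, so an allow-list of known-good domains belongs in front of this check.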
