Understanding Your Cloud Attack Surface – Live Hack
Oliver Pinson-Roxburgh

Hacking doesn’t look like this

It doesn’t look like this

Technology Innovation – We want things fast
[Chart: time taken to reach 50 million users. Values shown: 75 years, 38 years, WWW 4 years, 3.5 years, 35 days; apart from the WWW, the technology labels were not preserved in the extracted text]

Cloud Has Disrupted Traditional Security
• Agility & automation
• Hyper-scalability

Attack Surface
[Diagram: exposed service ports 21, 80, 25, 3389, 22, 143, 3]

The Cloud Attack Surface /s
[Diagram: a single exposed service port, 443]

Alert Logic Cloud Security Report 2017
550 days: Aug 1, 2015 – Jan 31, 2017
• 2,207,795 total true positive security incidents analyzed
• 32.5 million events driving escalated incidents
• 147 petabytes of data analyzed
• 3807 customers analyzed
• 452 industries across 3 continents

Web App Attacks – King of the Hill
[Chart: security incident types escalated] Web app attack 75%, Brute force 16% (a second label on the chart reads 5%), Recon 5%, Server-side malware 2%, DoS/DDoS 1%, Other 1%
[Chart: breakdown of the web app attack share] SQL injection 55%, Remote code execution 22%, Apache Struts RCE 6%, File upload 6%, Recon 5%, XXE 3%, Other 4%

Workload Environments Impact Incident Volumes
[Chart: average per-customer security incident counts]
• 2.5x more security incidents observed in hybrid vs public cloud
• 51% higher rate of security incidents on premises vs cloud

Covering all layers of your stack is complex
• Vulnerabilities in YOUR CODE
• Vulnerabilities in YOUR CONFIGS
• Vulnerabilities YOU INHERIT

Today’s Attacks are Becoming More Complex
The cyber kill chain¹: Identify & recon → Initial attack → Command & control → Discover & spread → Extract & exfiltrate
The impact: financial loss; harm to brand and reputation; scrutiny from regulators
• Attacks are multi-stage, using multiple threat vectors
• It takes organizations months to identify that they have been compromised
• 205 days on average before detection of compromise¹
• Over two-thirds of organizations find out from a third party that they have been compromised²
1 – IDC Worldwide Security and Vulnerability Management 2014–2018 Forecast
2 – M-Trends 2015: A View from the Front Lines

Enter Machine Learning
Over nine months, 8-10% of the customers we monitored were targeted by actors with better-than-average levels of skill and determination. Each attack had a high degree of complexity. Approximately 231 such attacks were identified.

Behind the Data
Web apps can be the final destination… or the initial entry point:
• Redistribute malware directly / indirectly (exploit kits / watering hole)
• Monetization through fraud (SEO, coin mining, spam)
• Entry point into infrastructure
• Lateral movement, privilege escalation
• Steal data (exfiltration of information from databases)
Perimeter AND network AND system/log-based detection: defend your hosts, and see N/S/E/W (north-south and east-west) traffic in all of your protected environments. WAF blocking/virtual patching, IDS, and log monitoring act as air cover while you burn down your web app vulnerabilities.

Multi-stage Attacks
• Day 1 – Early stage recon event (criticality: Medium)
• Day 3 – SQL injection recon (criticality: Medium)
• Day 4 – SQL table enumeration (criticality: High)
• Day 4 – Injection (criticality: Critical)
Situation: multiple address spaces and disparate unrelated events over days

Sustained, Multi-stage Attack for Intellectual Property Theft
[Timeline chart, September 2016 – April 2017; annotated dates: Nov 2nd, Jan 3rd, Jan 16th, Feb 6th]
• Precision recon bursts: 1 IP address each, lasting 12, 8, 1 and 11 minutes
• Surgical exfiltration bursts: 1 IP address each, lasting 7 and 2 minutes
• Continuous SQLi reconnaissance to better understand the environment (49 unique IPs)
• Continuous general SQLi testing (172 unique IPs)

Zooming Into Adversary Activity

Attack Progression Timeline Over 6+ Months

Zoomed View of a Single SQLi Exfiltration Attempt
[Chart: attack specificity (y-axis) rising over time (x-axis) through the following steps]
1) Do tables belonging to a specific owner exist?
2) Enumerate table names for the owner
3) Count the number of columns for a specific table of interest
4) Enumerate column names for the specific table
5) Count the rows of data within the table of interest
6) Enumerate column values from the specific table (exfiltration event)
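The two slides above (the day-by-day multi-stage attack and the zoomed SQLi progression) describe exactly what a detection layer has to stitch back together: low-criticality events from different address spaces that only look serious once they are seen as one progression. The following added example (not from the deck) correlates such events per target rather than per source IP and escalates criticality as the observed stage advances; the stage names follow the slide, while the criticality mapping, the 30-day correlation window and every event are constructed assumptions.

```python
"""Correlate staged SQLi events against one target into a single escalating incident.

Added example, not from the slide deck. Stage names follow the deck's
"Zoomed View of a Single SQLi Exfiltration Attempt"; the criticality mapping,
the correlation window and all sample events are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

# Stage 0 is the generic "early stage recon" from the Multi-stage Attacks slide;
# stages 1-6 follow the zoomed SQLi exfiltration view, in increasing specificity.
STAGE_NAMES = {
    0: "early stage recon",
    1: "check whether tables for a specific owner exist",
    2: "enumerate table names for owner",
    3: "count columns of table of interest",
    4: "enumerate column names",
    5: "count rows in table of interest",
    6: "enumerate column values (exfiltration)",
}


def criticality_for(stage: int) -> str:
    """Assumed mapping, aligned with the deck's Medium/High/Critical labels:
    recon stays Medium, schema discovery is High, a data pull is Critical."""
    if stage >= 6:
        return "Critical"
    if stage >= 2:
        return "High"
    return "Medium"


@dataclass
class Event:
    day: int        # day offset from first observation
    src_ip: str     # source address (constructed, from documentation ranges)
    target: str     # protected application / database
    stage: int      # index into STAGE_NAMES


@dataclass
class Incident:
    target: str
    first_day: int
    last_day: int
    stages_seen: List[int] = field(default_factory=list)
    src_ips: set = field(default_factory=set)

    @property
    def max_stage(self) -> int:
        return max(self.stages_seen)

    @property
    def criticality(self) -> str:
        return criticality_for(self.max_stage)

    @property
    def span_days(self) -> int:
        return self.last_day - self.first_day

    def progressed(self) -> bool:
        """True when a later event reached a more specific stage than an earlier
        one, i.e. the actor is moving along the chain rather than re-scanning."""
        seen = self.stages_seen
        return any(later > earlier for earlier, later in zip(seen, seen[1:]))


def correlate(events: List[Event], window_days: int = 30) -> List[Incident]:
    """Merge events per target into incidents; a gap longer than window_days
    starts a new incident. Source IP is deliberately NOT a grouping key: the
    deck's case spans many address spaces, so grouping by IP would split one
    campaign into a handful of unrelated Medium alerts."""
    by_target: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_target[ev.target].append(ev)

    incidents: List[Incident] = []
    for target, evs in by_target.items():
        evs.sort(key=lambda e: e.day)  # stable: same-day order is preserved
        current = None
        for ev in evs:
            if current is None or ev.day - current.last_day > window_days:
                current = Incident(target=target, first_day=ev.day, last_day=ev.day)
                incidents.append(current)
            current.last_day = ev.day
            current.stages_seen.append(ev.stage)
            current.src_ips.add(ev.src_ip)
    return incidents


# Constructed sample: the four events of the Multi-stage Attacks slide, with
# the Day 4 activity expanded into two zoomed-view steps, from four source IPs,
# plus one isolated recon event against a second target.
SAMPLE_EVENTS = [
    Event(1, "198.51.100.10", "shop-db", 0),
    Event(3, "203.0.113.7", "shop-db", 1),
    Event(4, "203.0.113.7", "shop-db", 2),
    Event(4, "192.0.2.44", "shop-db", 4),
    Event(4, "192.0.2.45", "shop-db", 6),
    Event(2, "198.51.100.99", "blog-db", 0),
]


def summarize(events: List[Event] = SAMPLE_EVENTS) -> Dict[str, Incident]:
    """One correlated incident per target for the given events."""
    return {inc.target: inc for inc in correlate(events)}


if __name__ == "__main__":
    for target, inc in summarize().items():
        print(f"{target}: {inc.criticality}; stages {inc.stages_seen}; "
              f"{len(inc.src_ips)} IPs over {inc.span_days} days; "
              f"progressed={inc.progressed()}")
```

Per-IP alerting on the same sample would yield four Medium/High alerts and one Critical one with no link between them; the per-target view reports a single Critical incident that progressed from recon to exfiltration in three days.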

New Approach
The principles of security do not change, but your approach to security needs to change.
Layers: Storage | DB | Network | Compute
• Logical network segmentation
• Perimeter security services
• External DDoS, spoofing, and scanning prevented
• Hardened hypervisor
• System image library
• Root access for customer
• Secure coding and best practices
• Software and virtual patching
• Configuration management
• Access management
• Application-level attack monitoring

Cloud Security Is A Shared, But Not Equal, Responsibility
Layers: Apps | Hosts | Networks | Foundation services
Customer responsibility: access management, patch management, configuration hardening, security monitoring, log analysis, network threat detection, configuration best practices
• SQLi
• Cross-site scripting
• Web app exploits
• Middleware exploits
• Brute force attacks
• Recon
• Web shells
• Command & Control
• Service Misconfiguration
• Suspicious IAM Activity

Live Hack – Getting closer

Live Hack – Much more like it

Live Hack – Pray to the gods!!!!
Cloud security live hack - final meetup

  • 1. Understanding Your Cloud Attack Surface – Live Hack. Oliver Pinson-Roxburgh
  • 4. Technology Innovation – We want things fast. (Chart: time to reach 50 million users – 75 years, 38 years, WWW 4 years, 3.5 years, 35 days.)
  • 5. Cloud Has Disrupted Traditional Security: agility & automation; hyper-scalability.
  • 6. Attack Surface (diagram of ports: 21, 80, 25, 3389, 22, 143, 3)
  • 7. The Cloud Attack Surface /s (443)
  • 8. Alert Logic Cloud Security Report 2017: 550 days (Aug 1, 2015 – Jan 31, 2017); 2,207,795 total true-positive security incidents analyzed; 32.5 million events driving escalated incidents; 147 petabytes of data analyzed; 3807 customers analyzed; 452 industries across 3 continents.
  • 9. Web App Attacks – King of the Hill. (Chart, security incident types escalated: web app attack 75%, brute force 5%, recon 5%, server-side malware 2%, DoS/DDoS 1%, other 1%; SQL injection 55%.)
  • 10. Web App Attacks – King of the Hill. (Same chart with the web app attack slice broken out: SQL injection 55%, remote code execution 22%, Apache Struts RCE 6%, file upload 6%, recon 5%, other 4%, XXE 3%; brute force 16% overall.)
  • 11. Workload Environments Impact Incident Volumes (average per-customer security incident counts): 2.5x more security incidents observed in hybrid vs public cloud; 51% higher rate of security incidents on premises vs cloud.
  • 12. Covering all layers of your stack is complex: vulnerabilities in your code; vulnerabilities in your configs; vulnerabilities you inherit.
  • 13. Today’s Attacks are Becoming More Complex. The cyber kill chain¹: identify & recon; initial attack; command & control; discover & spread; extract & exfiltrate. The impact: financial loss; harm to brand and reputation; scrutiny from regulators. Attacks are multi-stage, using multiple threat vectors; it takes organizations months to identify that they have been compromised; 205 days on average before detection of compromise¹; over two-thirds of organizations find out from a third party that they have been compromised². ¹ IDC Worldwide Security and Vulnerability Management 2014–2018 Forecast. ² M-Trends 2015: A View from the Front Lines.
  • 14. Enter Machine Learning. Over nine months, 8–10% of the customers we monitored were targeted by actors with better-than-average levels of skill and determination; each attack had a high degree of complexity; approx. 231 attacks identified.
  • 15. Behind the Data. Web apps can be the final destination … or the initial entry point: redistribute malware directly or indirectly (exploit kits, watering holes); monetization through fraud (SEO, coin mining, spam); entry point into infrastructure; lateral movement and privilege escalation; stealing data (exfiltration of information from databases). Perimeter AND network AND system/log-based detection: defend your hosts; see N/S/E/W in all of your protected environments; WAF blocking/virtual patching, IDS and log monitoring as air cover while you burn down your web app vulnerabilities.
  • 16. Multi-stage Attacks. Day 1: early-stage recon event (criticality medium). Day 3: SQL injection recon (medium). Day 4: SQL table enumeration (high). Day 4: injection (critical). Situation: multiple address spaces and disparate, unrelated events over days.
  • 17. Sustained, Multi-stage Attack for Intellectual Property Theft (timeline, September 2016 to April 2017): continuous SQLi reconnaissance to better understand the environment (49 unique IPs); continuous general SQLi testing (172 unique IPs); precision recon from a single IP address on four occasions (durations 12, 8, 1 and 11 minutes); surgical exfiltration from a single IP address on two occasions (durations 7 and 2 minutes); events marked on Nov 2nd, Jan 3rd, Jan 16th and Feb 6th.
  • 20. Zoomed View of a Single SQLi Exfiltration Attempt (plotted as time against attack specificity): 1) Do tables belonging to a specific owner exist? 2) Enumerate table names for the owner. 3) Count the number of columns for a specific table of interest. 4) Enumerate column names for the specific table. 5) Count the rows of data within the table of interest. 6) Enumerate column values from the specific table (exfiltration event).
  • 21. New Approach: the principles of security do not change, but your approach to security needs to change.
  • 22. Cloud Security Is A Shared, But Not Equal, Responsibility. Layers: apps, hosts, networks, foundation services (compute, storage, DB, network). Controls shown on the provider side: logical network segmentation; perimeter security services; external DDoS, spoofing and scanning prevented; hardened hypervisor; system image library; root access for customer. Customer responsibility: secure coding and best practices; software and virtual patching; configuration management; access management; application-level attack monitoring; patch management; configuration hardening; security monitoring; log analysis; network threat detection; configuration best practices. Threats listed: SQLi; cross-site scripting; web app exploits; middleware exploits; brute force attacks; recon; web shells; command & control; service misconfiguration; suspicious IAM activity.
  • 23. Live Hack – Getting closer
  • 24. Live Hack – Much more like it
  • 25. PRAY TO THE LIVE HACK – GODS!!!!
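Slides 16 and 20 describe how one SQL-injection campaign arrives as separate medium-severity events from different addresses over several days. As an added example that is not part of the talk, this Python sketch rates constructed access-log lines two ways: per source address, and correlated per target path so the probe, enumerate, extract chain escalates as one incident. The stage signatures and the log format are simplified assumptions made for this illustration, not a production ruleset.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus
# Simplified stage signatures, constructed for this example (not a WAF/IDS ruleset), in the order the "Zoomed View" slide uses.
STAGES = (
    ("sqli_probe", "Medium", re.compile(r"['\"]\s*(?:or|and)\s+\d+\s*=\s*\d+|@@version", re.I)),
    ("schema_enum", "High", re.compile(r"information_schema\.(?:tables|columns)|count\(\*\)", re.I)),
    ("data_exfil", "Critical", re.compile(r"union\s+(?:all\s+)?select\b(?!.*(?:information_schema|count\())", re.I)),
)
RANK = {name: i for i, (name, _, _) in enumerate(STAGES)}
CRIT = {name: crit for name, crit, _ in STAGES}
# Constructed access-log shape: <day> <client-ip> "GET <url> HTTP/1.x" <status>
LOG_RE = re.compile(r'^(?P<day>\S+) (?P<ip>\S+) "GET (?P<url>\S+) HTTP/1\.[01]"')

def classify(url):
    """Most advanced stage matched by the percent-decoded request URL, or None."""
    decoded = unquote_plus(url)
    return next((n for n, _, p in reversed(STAGES) if p.search(decoded)), None)

def hits(lines):
    """Yield (day, ip, path, stage) for every log line that matches a stage."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and (stage := classify(m["url"])):
            yield m["day"], m["ip"], m["url"].split("?", 1)[0], stage

def per_source(lines):
    """Per-IP view: each address is judged only on what it sent itself."""
    seen = defaultdict(set)
    for _, ip, _, stage in hits(lines):
        seen[ip].add(stage)
    return {ip: CRIT[max(s, key=RANK.get)] for ip, s in seen.items()}

def correlate(lines):
    """Per-target view: merge stages across days and addresses into one incident."""
    events = defaultdict(list)
    for day, ip, path, stage in hits(lines):
        events[path].append((day, ip, stage))
    return {path: {
        "criticality": CRIT[max((s for _, _, s in ev), key=RANK.get)],
        "stages": sorted({s for _, _, s in ev}, key=RANK.get),
        "sources": sorted({ip for _, ip, _ in ev}),
        "days": sorted({d for d, _, _ in ev}),
    } for path, ev in events.items()}

SAMPLE_LOG = [  # constructed lines spanning days and addresses, as on slide 16
    '2017-01-03 198.51.100.7 "GET /product?id=1%27%20OR%201%3D1-- HTTP/1.1" 200',
    '2017-01-05 203.0.113.40 "GET /product?id=1%27%20UNION%20SELECT%20table_name%20FROM%20information_schema.tables-- HTTP/1.1" 500',
    '2017-01-06 203.0.113.41 "GET /product?id=1%27%20UNION%20SELECT%20count(*)%20FROM%20orders-- HTTP/1.1" 200',
    '2017-01-06 192.0.2.9 "GET /product?id=1%27%20UNION%20SELECT%20id,total%20FROM%20orders-- HTTP/1.1" 200',
]
```

Seen per address, the first source never rises above Medium; correlated per target path, the same four lines form one Critical incident spanning three days and four addresses.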

Editor's Notes

  1. It took about 75 years for the telephone to connect 50 million people. Today a simple iPhone app can reach that milestone in a matter of days. In the past 10 years the rate of adoption of new technologies has accelerated at dizzying speed. Can we keep up with it all?
  2. Ports, old school, quite easy to understand: a tiered approach, with firewalls between each tier. As we’ve transitioned from this model into a new one of APIs and interconnected services, much of IT has been prepared for the new world order; security sometimes prefers to operate within these same patterns. In my previous role and since joining Alert Logic I’ve come to understand that often, from the security perspective, the cloud kind of looked like this.
  3. Which I can empathise with; in my experience security and network teams alike are used to dealing in ports and directions. I know I have at times – though as a developer and architect we often deal more with the logical, hence the need to express our security measures in other ways that relate to today’s threats.
  4. Goal: Demonstrate why full-stack security is needed by showing how different vectors in each layer are attacked; show the huge scope of the growing attack surface – too much to cover in-house.
     Key talking points: Why are web apps the #1 source of breaches? Because attackers can use any layer of the application and infrastructure stack today to gain access, build footholds, and move laterally within your system.
     From the top of the stack: Web application attacks like SQL injection and cross-site scripting are hard to prevent and detect because they look innocent to the host and network and use the application’s own functionality and flaws to trick the application into giving up control. Ideally all applications would be carefully built according to all secure coding best practices. Of course most developers will say their apps are secure. Maybe so, but it’s also human nature to think we are better than we actually are. In one study, 94% of professors rated themselves above average relative to their peers. If you look at the facts, the failure rate of applications to pass audits just for the OWASP Top 10 is 61%. Developers are in for a tough battle getting those numbers up, since development cycles are only getting faster and web applications are getting more complex.
     At the bottom of the stack: Will AWS hardening at the bottom of the stack get us off the hook? Well, from what we see, at least exploits like WannaCry and NotPetya seem to be non-issues in the cloud. But what we see in cloud infrastructure layers are cloud services being misconfigured by users, such as open S3 buckets leaving data up for grabs at Verizon, the Republican National Committee and the World Wrestling Federation. These are very easy mistakes to prevent, so why worry about them? The number of cloud services being configured on a given day is going up, and they are going faster, so there is less time to double-check your work. Not to mention the fact that new AWS services are being launched all the time, so there is a lot to learn.
     All across the entire stack: We see applications being made of more and more components and APIs, each of which can have its own plug-ins and servlets, especially content management systems like Joomla, Magento, WordPress and Drupal. Quarterly scanning for compliance isn’t enough. Attackers can come out in droves as soon as they hear a patch has been released, racing to breach your system before you can find and fix it yourself. For example, after Joomla announced two patches for its systems in 2016, the number of exploits in the wild raced from a few hundred on the first day to over 27,000 in just 2 more days.
     So, you need to protect all layers of the application stack from a variety of vectors, otherwise you are leaving a door open for attackers. Trying to pull this all together yourself would mean not only tracking the growing number of vulnerabilities in your environment but also continuously developing your own signatures, rules and analytics for detection and blocking.
     Discovery: What can you share about breaches you may have had? What might a shorter dwell time have meant to you?
     Tips: Treat as a build slide; pace as if it were one slide with multiple builds.
  5. Kill Chain: Discuss what it is and how it relates to the anatomy of an attack. Discuss how we will show each stage of this being enacted as we run through the live hack. RevSlider Exploit: Discuss that we’re going to demonstrate an exploit in a popular plugin as an example of what we’ve been discussing earlier in the presentation. Show the plugin in action and what it is/does on the WP site – https://vuldb.com/?id.76139