SlideShare a Scribd company logo

Offence oriented Defence

SensePost
SensePost

This document discusses common defensive strategies and how attackers bypass them. It notes that while best practices like passwords, patching, and anti-virus are important, they also introduce commonalities that attackers learn to exploit. The document recommends that defenders study attack techniques to prioritize risks and design defenses that differentiate from standard approaches in order to limit widespread exploitation.

1 of 38
Offence oriented Defence Dominic White & Jeremy du Bruyn @SensePost
This talk is about … • Understanding how attackers attack – acknowledging the problem – allows more innovative defence • Common defences allow common bypasses – Best practises introduce commonality that is exploited – Common defences lose out over time as attackers adapt • Many “security basics” are honestly hard – knowing the attacks help to prioritise
Why listen to us? • We attack networks and systems as our day (night) job – They’re often quite similar • We care about making them harder to attack • We spend time studying how others attack networks and systems – Other pentesters – Real bad guys (“APT” campaigns) • SensePost has been doing it since 2000 – Possibly more insight into .za infosec practises than any other
How defenders spend • Compliance/GRC – Policies, auditing, responding • Risk Management – Ranking, prioritising, justifying • Best Practises – Passwords, patches, policies • Technology – UTM, WAF, DLP, DAM, SIEM, IPS, AV • Staff – Compliance specialists, risk specialists, security managers, device ops managers
Truth is … • Those defences don’t – Block actual attacks – Move to counter the bypasses used to side-step them • Risk Management – Hard to link risk-based priorities to meaningful technical priorities • Compliance – “teach the test” – Little incentive to create contradictory measurements • Best Practice – We can’t honestly say we know how to defend – Some practises are hard/impossible to do – Common best practises have common bypasses
The Wall • Your defences are a wall • We get to evaluate the wall, figure out how to get over it, and do it – Attackers can often evaluate your defences before getting to you • Once we’ve done it, we have the capability/technique/tool we can do it again, with much less effort – Attackers can keep building their toolchain – Attackers are good at sharing • Defenders now need to build an increasingly huge wall as “the basics” become by-passable with tools
And so … • Popular defensive design patterns lead to popular attack patterns to bypass them – Knowing these can help you avoid or rejigger them • Some stuff has been recommended for decade+, are we really just too lazy? – Let’s just admit that some stuff, will never be done, and come up with a prioritisation strategy that works – Although, you shouldn’t need a pentest/breach to be reminded, design for them
PASSWORDS
Corporate Passwords • Best Practice – Enforce password complexity – Expire them monthly • Belief – Passwords will be more complex & harder to guess/crack – Passwords have a shelf life • Reality: – Users employ coping methods • Password1 or June2013 or Password8 • <Capital><rest of word><number> • Call centre resets to same password every time – Most organisations pick the same policy – Cracking common storage formats is efficient • NTLM / LanMan
Corporate Passwords • Best Practice: Lock an account after X failed login attempts • Belief: People won’t be able to guess passwords • Reality – Lockout period has a timeout, just try one password across all accounts (horizontal brute) • Bonus – Find an Internet-facing auth point & brute there for ext->int win – Executives get exceptions
So what? • Best practises created the vulnerability • Everybody doing the same thing lets attackers optimise • The actual attacks aren’t being looked for
Defend! • Differentiate yourself from the optimised attack – Blacklist common passwords – Enforce length rather than complexity (15+ bonus) – Extend password expiry • Crack your own passwords (or look for duplicate hashes) – Operationalise this as a metric • Monitor for horizontal brutes • Canary accounts • Two factor authentication
MASSPLOITATION
Service/Default Accounts • Best Practice: – Change all vendor supplied/service passwords from the default or disable • Belief: – Requires attackers to guess the password or can’t use the account • Reality: – The rate of developer new app use exceeds security capacity to secure – Complexity across application stack – Belief about network controls/development boxes lead to exceptions
Patching • Best Practice: – Ensure systems are fully patched • Belief: – Known vulnerabilities will not be exploitable • Reality: – Known systems are(?), unknown aren’t – Some software is easier to patch than others – Unknown vulnerabilities & patch window are realities
Baselines & Homogonaity • Best practice: – Ensure all systems are configured the same • Belief: – All systems will have the same security baseline • Reality: – A flaw in one is a flaw in all, Mistakes scale against you – Management agents are remote access methods – Local admin passwords …
So what? • 100% compliance for every piece of software, on every machine, for all time … – You need to do the basics, but let’s admit 100% as impossible – 99% on 1k machines, still gives 10 vuln hosts • Attackers are good at finding the 1% • Attackers care about exploitation, missing language packs not so much
Defend! • Admit you’ll never hit 100% • Use attacker tools/methods to find the 1% – Find the machines your risk/compliance based focus didn’t care about – Scope be damned! • Prioritise based on ease of exploitation – Availability/popularity/stability/ease of exploit • Make hard choices – do you need that software there? • Defence in depth – Check out hardening tools EMET/PAX (grsec) – Have a plan for once exploited
ANTI-ANTI-ANTI-ANTI-VIRUS
Anti-Virus • Best practice: – All systems must make use of Anti-virus to protect against malware • Belief: – Malware/attacks will be blocked – Malicious e-mail will be blocked – We don’t need to follow up if AV said it blocked • Reality: “All of us had missed detecting this malware for two years. That's a spectacular failure for the antivirus industry in general. We were out of our league, in our own game.” Mikko Hypponen
The truth • Mikko was talking about Flame (APT) • Is it that hard? • R600 will buy you access to a great “crypter” – Will make any file undetectable by AV, updated regularly • 20 lines of code to implement my own – Currently bypasses all AV, with a delay & custom file template
Attackers Get to Practise
So what? • You wouldn’t run without it, but guaranteed bypassable • We need to do something, AV is something, do AV • Attackers can test their attacks • Do we just keep building the wall & run all of them? • A lot of money at stake in perpetuating the problem – “I've never seen _single_ report when modern updated AV with all features was bypassed.” Jindrich Kubec Director of Threat Intelligence @ avast!
Defence! • AV isn’t useless, a signature may only be added a year from now, but it’ll tell you, you missed something – investigate • Push your vendor to do better, don’t accept lame signatures, get them to block techniques • Watch the logs, alerts then silent is a bypass pattern • Run multiple AV engines at different layers
LATERAL MOVEMENT
Network Pivoting & DMZs • Best Practice: – Separate your Internet-facing systems into their own network, then only allow connections into the DMZ, not out • Belief: – Contingency plan; even if your Internet-facing servers get hacked, hackers can’t get to your internal network • Reality: – “Lateral movement” is a regular action by so- called APT actors
DMZ – Screw ups • (lame) Web servers in the DMZ, DB in the internal net • Attack – SQLi on the DB (with command exec) gets you onto the internal network • (less lame) Web server & DB in DMZ/s, but on the domain • Attack – Get command exec, get domain account, connect to DC • (least lame) A connection can be initiated to the internal network • Attack – Move around until you can find something you can own, that has access to the internal network – Often not as hard as it sounds
The trouble with tunnels
Trying to explain a real attack …
The toolchain • “Pushing a camel through the eye of a needle” – 2008 BH/Defcon talk by Haroon Meer & Marco Slaviero • Released reDuh by haroon/marco/glenn/ian/gert @sensepost
Defend! • DMZs must disallow connections from being initiated to internal – Check for yourself, plugin and portscan • But, stuff’s not architected to make that easy • Web services provide hope – Expose integration services in the DMZ, have a worker from internal consume it • Other important advice we don’t have time for – Needs separate/disconnected management infrastructure – Don’t share with VPN – fundamentally different purposes – Actually, if you can, stick every machine in it’s own DMZ ala AP isolation – Don’t forget egress filtering & split DNS
Account Pivoting & Escalation • “When in doubt, attack the control plane. When certain, attack the data plane.” -David Ulevitch • Belief: – Centralised user management makes systems more secure. • Reality: – In some ways, yes, but it gives us organisation wide administrative accounts, and it’s easy(ish) to do.
Lateral Movement • Windows is *terrible* at passwords & keeping secrets – Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques • Attackers have gotten really good at post-exploitation • Attacks – Digest auth gives clear-text creds! (wce/mimikatz) – Windows security tokens work well too (incognito) – Still passing-the-hash 16 years later (wce/pth-toolkit) – SMB/NTLM relay attacks (metasploit) – NTLM/LM unsalted, Kerberos can’t do IP, crack away (john/hashcat) – Cached logins (at least they’re salted) • Lateral opportunities – if it works on one … – Local accounts (local admin) – Domain accounts (admin or service) – Apps & Agents (VNC, DBs etc.) – Connected shares
So what? • Good advice is blindly implemented, and the original point missed – DMZs are a great idea, but must not allow connections initiated in low trust network • Advanced protections have well understood bypasses and haven't grown – Tunnelling & windows cred extraction sound hard, but the tools are there • Your exposure is greater than the sum of the parts, you can't look at vulns in isolation, or at entry-only
Defend! • Use specialised/separate DA, server admin & user accounts – Only use the relevant account when required – Limit DAs to login from management network & management jump box (not laptop) • Monitor *all* your AD groups – Administrators, Enterprise Admins, Domain Admins, Shared Trust, Sub-Group inheritance • Beware of the tokens • Check out RODC & Attribute/Account Filters • Read MS’ paper
CONCLUSION
This talk was about … • Understanding how attackers attack – acknowledging the problem – allows more innovative defence • Common defences allow common bypasses – Best practises introduce commonality that is exploited – Common defences lose out over time as attackers adapt • Many “security basics” are honestly hard – knowing the attacks help to prioritise
Questions? research@sensepost.com @sensepost dominic@sensepost.com @singe

Recommended

Rat a-tat-tat
Rat a-tat-tatRat a-tat-tat
Rat a-tat-tat
SensePost
 
Heartbleed Overview
Heartbleed OverviewHeartbleed Overview
Heartbleed Overview
SensePost
 
Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22
SensePost
 
The state of wireless security
The state of wireless security The state of wireless security
The state of wireless security
Filip Waeytens
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface DevicePositive Hack Days
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoFruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Shakacon
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Priyanka Aash
 
Nomura UCCSC 2009
Nomura UCCSC 2009Nomura UCCSC 2009
Nomura UCCSC 2009
dnomura
 

Recommended

Rat a-tat-tat
Rat a-tat-tatRat a-tat-tat
Rat a-tat-tat
SensePost
 
Heartbleed Overview
Heartbleed OverviewHeartbleed Overview
Heartbleed Overview
SensePost
 
Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22
SensePost
 
The state of wireless security
The state of wireless security The state of wireless security
The state of wireless security
Filip Waeytens
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface DevicePositive Hack Days
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoFruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Shakacon
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Priyanka Aash
 
Nomura UCCSC 2009
Nomura UCCSC 2009Nomura UCCSC 2009
Nomura UCCSC 2009
dnomura
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
Stephan Borosh
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...
B.A.
 
Heartbleed && Wireless
Heartbleed && WirelessHeartbleed && Wireless
Heartbleed && Wireless
Luis Grangeia
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Priyanka Aash
 
Hack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration TestingHack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration TestingSteve Phillips
 
Shmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSHShmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSH
Andrew Morris
 
Top 10 Threats to Cloud Security
Top 10 Threats to Cloud SecurityTop 10 Threats to Cloud Security
Top 10 Threats to Cloud Security
SBWebinars
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
Joff Thyer
 
Malware collection and analysis
Malware collection and analysisMalware collection and analysis
Malware collection and analysisChong-Kuan Chen
 
Kali presentation
Kali presentationKali presentation
Kali presentation
Zain Ul abadin
 
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...
Imperva Incapsula
 
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainDefcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Priyanka Aash
 
Security events in 2014
Security events in 2014Security events in 2014
Security events in 2014
Chong-Kuan Chen
 
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
BlueHat Security Conference
 
Pentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionPentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 Edition
Beau Bullock
 
2016 TTL Security Gap Analysis with Kali Linux
2016 TTL Security Gap Analysis with Kali Linux2016 TTL Security Gap Analysis with Kali Linux
2016 TTL Security Gap Analysis with Kali Linux
Jason Murray
 
How to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security FlawHow to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security Flaw
ConnectSafely
 
Threat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my HoneypotsThreat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my Honeypots
APNIC
 
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
CODE BLUE
 
penetration test using Kali linux ppt
penetration test using Kali linux pptpenetration test using Kali linux ppt
penetration test using Kali linux ppt
AbhayNaik8
 
Threats to machine clouds
Threats to machine cloudsThreats to machine clouds
Threats to machine clouds
SensePost
 
SNMP : Simple Network Mediated (Cisco) Pwnage
SNMP : Simple Network Mediated (Cisco) PwnageSNMP : Simple Network Mediated (Cisco) Pwnage
SNMP : Simple Network Mediated (Cisco) Pwnage
SensePost
 

More Related Content

What's hot

External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
Stephan Borosh
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...
B.A.
 
Heartbleed && Wireless
Heartbleed && WirelessHeartbleed && Wireless
Heartbleed && Wireless
Luis Grangeia
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Priyanka Aash
 
Hack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration TestingHack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration TestingSteve Phillips
 
Shmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSHShmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSH
Andrew Morris
 
Top 10 Threats to Cloud Security
Top 10 Threats to Cloud SecurityTop 10 Threats to Cloud Security
Top 10 Threats to Cloud Security
SBWebinars
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
Joff Thyer
 
Malware collection and analysis
Malware collection and analysisMalware collection and analysis
Malware collection and analysisChong-Kuan Chen
 
Kali presentation
Kali presentationKali presentation
Kali presentation
Zain Ul abadin
 
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...
Imperva Incapsula
 
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainDefcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Priyanka Aash
 
Security events in 2014
Security events in 2014Security events in 2014
Security events in 2014
Chong-Kuan Chen
 
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
BlueHat Security Conference
 
Pentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionPentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 Edition
Beau Bullock
 
2016 TTL Security Gap Analysis with Kali Linux
2016 TTL Security Gap Analysis with Kali Linux2016 TTL Security Gap Analysis with Kali Linux
2016 TTL Security Gap Analysis with Kali Linux
Jason Murray
 
How to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security FlawHow to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security Flaw
ConnectSafely
 
Threat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my HoneypotsThreat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my Honeypots
APNIC
 
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
CODE BLUE
 
penetration test using Kali linux ppt
penetration test using Kali linux pptpenetration test using Kali linux ppt
penetration test using Kali linux ppt
AbhayNaik8
 

What's hot (20)

External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...
 
Heartbleed && Wireless
Heartbleed && WirelessHeartbleed && Wireless
Heartbleed && Wireless
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
 
Hack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration TestingHack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration Testing
 
Shmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSHShmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSH
 
Top 10 Threats to Cloud Security
Top 10 Threats to Cloud SecurityTop 10 Threats to Cloud Security
Top 10 Threats to Cloud Security
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Malware collection and analysis
Malware collection and analysisMalware collection and analysis
Malware collection and analysis
 
Kali presentation
Kali presentationKali presentation
Kali presentation
 
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...
 
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainDefcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
 
Security events in 2014
Security events in 2014Security events in 2014
Security events in 2014
 
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
 
Pentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionPentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 Edition
 
2016 TTL Security Gap Analysis with Kali Linux
2016 TTL Security Gap Analysis with Kali Linux2016 TTL Security Gap Analysis with Kali Linux
2016 TTL Security Gap Analysis with Kali Linux
 
How to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security FlawHow to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security Flaw
 
Threat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my HoneypotsThreat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my Honeypots
 
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
 
penetration test using Kali linux ppt
penetration test using Kali linux pptpenetration test using Kali linux ppt
penetration test using Kali linux ppt
 

Viewers also liked

Threats to machine clouds
Threats to machine cloudsThreats to machine clouds
Threats to machine clouds
SensePost
 
SNMP : Simple Network Mediated (Cisco) Pwnage
SNMP : Simple Network Mediated (Cisco) PwnageSNMP : Simple Network Mediated (Cisco) Pwnage
SNMP : Simple Network Mediated (Cisco) Pwnage
SensePost
 
Major global information security trends - a summary
Major global information security trends - a summaryMajor global information security trends - a summary
Major global information security trends - a summary
SensePost
 
Putting the tea back into cyber terrorism
Putting the tea back into cyber terrorismPutting the tea back into cyber terrorism
Putting the tea back into cyber terrorism
SensePost
 
ZaCon 2015 - Zombie Mana Attacks
ZaCon 2015 - Zombie Mana AttacksZaCon 2015 - Zombie Mana Attacks
ZaCon 2015 - Zombie Mana Attacks
SensePost
 
La Quadrature Du Cercle - The APTs That Weren't
La Quadrature Du Cercle - The APTs That Weren'tLa Quadrature Du Cercle - The APTs That Weren't
La Quadrature Du Cercle - The APTs That Weren't
pinkflawd
 
Metasploit: Pwnage and Ponies
Metasploit: Pwnage and PoniesMetasploit: Pwnage and Ponies
Metasploit: Pwnage and Ponies
Trowalts
 
Introducing (DET) the Data Exfiltration Toolkit
Introducing (DET) the Data Exfiltration ToolkitIntroducing (DET) the Data Exfiltration Toolkit
Introducing (DET) the Data Exfiltration Toolkit
SensePost
 
Adolescent Body Image
Adolescent Body ImageAdolescent Body Image
Adolescent Body Image
McCarty
 
Vivaravakasa niyamam oru padanam
Vivaravakasa niyamam oru padanamVivaravakasa niyamam oru padanam
Vivaravakasa niyamam oru padanam
Lalith Babu
 
Reaction to stressful experiences
Reaction to stressful experiences Reaction to stressful experiences
Reaction to stressful experiences
Upwork
 
Coping strategies ppt
Coping strategies pptCoping strategies ppt
Coping strategies ppt
JANETH O. BUHAWE/MOTI
 
stress and coping
stress and copingstress and coping
stress and coping
kumar mahi
 
Coping Strategies
Coping StrategiesCoping Strategies
Coping Strategies
Rohan Solanki
 
Swot analysis
Swot analysisSwot analysis
Swot analysis
Gunjan Srivastava
 

Viewers also liked (17)

Threats to machine clouds
Threats to machine cloudsThreats to machine clouds
Threats to machine clouds
 
SNMP : Simple Network Mediated (Cisco) Pwnage
SNMP : Simple Network Mediated (Cisco) PwnageSNMP : Simple Network Mediated (Cisco) Pwnage
SNMP : Simple Network Mediated (Cisco) Pwnage
 
Major global information security trends - a summary
Major global information security trends - a summaryMajor global information security trends - a summary
Major global information security trends - a summary
 
Putting the tea back into cyber terrorism
Putting the tea back into cyber terrorismPutting the tea back into cyber terrorism
Putting the tea back into cyber terrorism
 
ZaCon 2015 - Zombie Mana Attacks
ZaCon 2015 - Zombie Mana AttacksZaCon 2015 - Zombie Mana Attacks
ZaCon 2015 - Zombie Mana Attacks
 
La Quadrature Du Cercle - The APTs That Weren't
La Quadrature Du Cercle - The APTs That Weren'tLa Quadrature Du Cercle - The APTs That Weren't
La Quadrature Du Cercle - The APTs That Weren't
 
Metasploit: Pwnage and Ponies
Metasploit: Pwnage and PoniesMetasploit: Pwnage and Ponies
Metasploit: Pwnage and Ponies
 
Introducing (DET) the Data Exfiltration Toolkit
Introducing (DET) the Data Exfiltration ToolkitIntroducing (DET) the Data Exfiltration Toolkit
Introducing (DET) the Data Exfiltration Toolkit
 
Adolescent Body Image
Adolescent Body ImageAdolescent Body Image
Adolescent Body Image
 
Vivaravakasa niyamam oru padanam
Vivaravakasa niyamam oru padanamVivaravakasa niyamam oru padanam
Vivaravakasa niyamam oru padanam
 
Reaction to stressful experiences
Reaction to stressful experiences Reaction to stressful experiences
Reaction to stressful experiences
 
Product oriented
Product orientedProduct oriented
Product oriented
 
Coping strategies ppt
Coping strategies pptCoping strategies ppt
Coping strategies ppt
 
stress and coping
stress and copingstress and coping
stress and coping
 
Coping Strategies
Coping StrategiesCoping Strategies
Coping Strategies
 
Johari window
Johari windowJohari window
Johari window
 
Swot analysis
Swot analysisSwot analysis
Swot analysis
 

Similar to Offence oriented Defence

Information Security: Advanced SIEM Techniques
Information Security: Advanced SIEM TechniquesInformation Security: Advanced SIEM Techniques
Information Security: Advanced SIEM Techniques
ReliaQuest
 
How to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsHow to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOps
Zane Lackey
 
Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2
Claus Cramon Houmann
 
Defending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityDefending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricality
Claus Cramon Houmann
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015
Claus Cramon Houmann
 
Security fundamentals
Security fundamentalsSecurity fundamentals
Security fundamentals
SofoklisEfremidisAIT
 
Security Fundamentals
Security FundamentalsSecurity Fundamentals
Security Fundamentals
SecureIoT H2020 funded project
 
20-security.ppt
20-security.ppt20-security.ppt
20-security.ppt
ajajkhan16
 
Computer Security
Computer SecurityComputer Security
Computer Security
Greater Noida Institute Of Technology
 
Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015
Claus Cramon Houmann
 
ch18 ABCD.pdf
ch18 ABCD.pdfch18 ABCD.pdf
ch18 ABCD.pdf
georgejustymirobi1
 
C days2015
C days2015C days2015
C days2015
Nuno Loureiro
 
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin DunnNetworking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
North Texas Chapter of the ISSA
 
DEF CON 23 - Wesley McGrew - i hunt penetration testers
DEF CON 23 - Wesley McGrew - i hunt penetration testersDEF CON 23 - Wesley McGrew - i hunt penetration testers
DEF CON 23 - Wesley McGrew - i hunt penetration testers
Felipe Prado
 
Cs8792 cns - unit v
Cs8792 cns - unit vCs8792 cns - unit v
Cs8792 cns - unit v
ArthyR3
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
Matthew Dunwoody
 
Meletis Belsis - Introduction to information security
Meletis Belsis - Introduction to information securityMeletis Belsis - Introduction to information security
Meletis Belsis - Introduction to information security
Meletis Belsis MPhil/MRes/BSc
 
Truth and Consequences
Truth and ConsequencesTruth and Consequences
Truth and Consequences
Mohammed Almeshekah
 
API Training 10 Nov 2014
API Training 10 Nov 2014API Training 10 Nov 2014
API Training 10 Nov 2014
Digital Bond
 

Similar to Offence oriented Defence (20)

Information Security: Advanced SIEM Techniques
Information Security: Advanced SIEM TechniquesInformation Security: Advanced SIEM Techniques
Information Security: Advanced SIEM Techniques
 
How to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsHow to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOps
 
Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2
 
Defending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityDefending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricality
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015
 
Security fundamentals
Security fundamentalsSecurity fundamentals
Security fundamentals
 
Security Fundamentals
Security FundamentalsSecurity Fundamentals
Security Fundamentals
 
20-security.ppt
20-security.ppt20-security.ppt
20-security.ppt
 
Computer Security
Computer SecurityComputer Security
Computer Security
 
Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015
 
Sql securitytesting
Sql securitytestingSql securitytesting
Sql securitytesting
 
ch18 ABCD.pdf
ch18 ABCD.pdfch18 ABCD.pdf
ch18 ABCD.pdf
 
C days2015
C days2015C days2015
C days2015
 
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin DunnNetworking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
 
DEF CON 23 - Wesley McGrew - i hunt penetration testers
DEF CON 23 - Wesley McGrew - i hunt penetration testersDEF CON 23 - Wesley McGrew - i hunt penetration testers
DEF CON 23 - Wesley McGrew - i hunt penetration testers
 
Cs8792 cns - unit v
Cs8792 cns - unit vCs8792 cns - unit v
Cs8792 cns - unit v
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
 
Meletis Belsis - Introduction to information security
Meletis Belsis - Introduction to information securityMeletis Belsis - Introduction to information security
Meletis Belsis - Introduction to information security
 
Truth and Consequences
Truth and ConsequencesTruth and Consequences
Truth and Consequences
 
API Training 10 Nov 2014
API Training 10 Nov 2014API Training 10 Nov 2014
API Training 10 Nov 2014
 

More from SensePost

objection - runtime mobile exploration
objection - runtime mobile explorationobjection - runtime mobile exploration
objection - runtime mobile exploration
SensePost
 
Vulnerabilities in TN3270 based Application
Vulnerabilities in TN3270 based ApplicationVulnerabilities in TN3270 based Application
Vulnerabilities in TN3270 based Application
SensePost
 
Ruler and Liniaal @ Troopers 17
Ruler and Liniaal @ Troopers 17Ruler and Liniaal @ Troopers 17
Ruler and Liniaal @ Troopers 17
SensePost
 
Botconf 2013 - DNS-based Botnet C2 Server Detection
Botconf 2013 - DNS-based Botnet C2 Server DetectionBotconf 2013 - DNS-based Botnet C2 Server Detection
Botconf 2013 - DNS-based Botnet C2 Server Detection
SensePost
 
Hacking Z-Wave Home Automation Systems
Hacking Z-Wave Home Automation SystemsHacking Z-Wave Home Automation Systems
Hacking Z-Wave Home Automation Systems
SensePost
 
Inside .NET Smart Card Operating System
Inside .NET Smart Card Operating SystemInside .NET Smart Card Operating System
Inside .NET Smart Card Operating System
SensePost
 
Its Ok To Get Hacked
Its Ok To Get HackedIts Ok To Get Hacked
Its Ok To Get Hacked
SensePost
 
Web Application Hacking
Web Application HackingWeb Application Hacking
Web Application Hacking
SensePost
 
Attacks and Defences
Attacks and DefencesAttacks and Defences
Attacks and Defences
SensePost
 
Corporate Threat Modeling v2
Corporate Threat Modeling v2Corporate Threat Modeling v2
Corporate Threat Modeling v2
SensePost
 
State of the information security nation
State of the information security nationState of the information security nation
State of the information security nation
SensePost
 
OK I'm here, so what's in it for me?
OK I'm here, so what's in it for me?OK I'm here, so what's in it for me?
OK I'm here, so what's in it for me?
SensePost
 
Security threats facing SA businessess
Security threats facing SA businessessSecurity threats facing SA businessess
Security threats facing SA businessess
SensePost
 
Security in e-commerce
Security in e-commerceSecurity in e-commerce
Security in e-commerce
SensePost
 
Penetration testing and social engineering
Penetration testing and social engineeringPenetration testing and social engineering
Penetration testing and social engineering
SensePost
 
Getting punched in the face
Getting punched in the faceGetting punched in the face
Getting punched in the face
SensePost
 
The jar of joy
The jar of joyThe jar of joy
The jar of joy
SensePost
 
Web 2.0 security woes
Web 2.0 security woesWeb 2.0 security woes
Web 2.0 security woes
SensePost
 
The difference between a duck
The difference between a duckThe difference between a duck
The difference between a duck
SensePost
 
When good code goes bad
When good code goes badWhen good code goes bad
When good code goes bad
SensePost
 

More from SensePost (20)

objection - runtime mobile exploration
objection - runtime mobile explorationobjection - runtime mobile exploration
objection - runtime mobile exploration
 
Vulnerabilities in TN3270 based Application
Vulnerabilities in TN3270 based ApplicationVulnerabilities in TN3270 based Application
Vulnerabilities in TN3270 based Application
 
Ruler and Liniaal @ Troopers 17
Ruler and Liniaal @ Troopers 17Ruler and Liniaal @ Troopers 17
Ruler and Liniaal @ Troopers 17
 
Botconf 2013 - DNS-based Botnet C2 Server Detection
Botconf 2013 - DNS-based Botnet C2 Server DetectionBotconf 2013 - DNS-based Botnet C2 Server Detection
Botconf 2013 - DNS-based Botnet C2 Server Detection
 
Hacking Z-Wave Home Automation Systems
Hacking Z-Wave Home Automation SystemsHacking Z-Wave Home Automation Systems
Hacking Z-Wave Home Automation Systems
 
Inside .NET Smart Card Operating System
Inside .NET Smart Card Operating SystemInside .NET Smart Card Operating System
Inside .NET Smart Card Operating System
 
Its Ok To Get Hacked
Its Ok To Get HackedIts Ok To Get Hacked
Its Ok To Get Hacked
 
Web Application Hacking
Web Application HackingWeb Application Hacking
Web Application Hacking
 
Attacks and Defences
Attacks and DefencesAttacks and Defences
Attacks and Defences
 
Corporate Threat Modeling v2
Corporate Threat Modeling v2Corporate Threat Modeling v2
Corporate Threat Modeling v2
 
State of the information security nation
State of the information security nationState of the information security nation
State of the information security nation
 
OK I'm here, so what's in it for me?
OK I'm here, so what's in it for me?OK I'm here, so what's in it for me?
OK I'm here, so what's in it for me?
 
Security threats facing SA businessess
Security threats facing SA businessessSecurity threats facing SA businessess
Security threats facing SA businessess
 
Security in e-commerce
Security in e-commerceSecurity in e-commerce
Security in e-commerce
 
Penetration testing and social engineering
Penetration testing and social engineeringPenetration testing and social engineering
Penetration testing and social engineering
 
Getting punched in the face
Getting punched in the faceGetting punched in the face
Getting punched in the face
 
The jar of joy
The jar of joyThe jar of joy
The jar of joy
 
Web 2.0 security woes
Web 2.0 security woesWeb 2.0 security woes
Web 2.0 security woes
 
The difference between a duck
The difference between a duckThe difference between a duck
The difference between a duck
 
When good code goes bad
When good code goes badWhen good code goes bad
When good code goes bad
 

Recently uploaded

Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
ThomasParaiso2
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
Peter Spielvogel
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 

Recently uploaded (20)

Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 

Offence oriented Defence

  • 1. Offence oriented Defence Dominic White & Jeremy du Bruyn @SensePost
  • 2. This talk is about … • Understanding how attackers attack – acknowledging the problem – allows more innovative defence • Common defences allow common bypasses – Best practises introduce commonality that is exploited – Common defences lose out over time as attackers adapt • Many “security basics” are honestly hard – knowing the attacks help to prioritise
  • 3. Why listen to us? • We attack networks and systems as our day (night) job – They’re often quite similar • We care about making them harder to attack • We spend time studying how others attack networks and systems – Other pentesters – Real bad guys (“APT” campaigns) • SensePost has been doing it since 2000 – Possibly more insight into .za infosec practises than any other
  • 4. How defenders spend • Compliance/GRC – Policies, auditing, responding • Risk Management – Ranking, prioritising, justifying • Best Practises – Passwords, patches, policies • Technology – UTM, WAF, DLP, DAM, SIEM, IPS, AV • Staff – Compliance specialists, risk specialists, security managers, device ops managers
  • 5. Truth is … • Those defences don’t – Block actual attacks – Move to counter the bypasses used to side-step them • Risk Management – Hard to link risk-based priorities to meaningful technical priorities • Compliance – “teach the test” – Little incentive to create contradictory measurements • Best Practice – We can’t honestly say we know how to defend – Some practises are hard/impossible to do – Common best practises have common bypasses
  • 6. The Wall • Your defences are a wall • We get to evaluate the wall, figure out how to get over it, and do it – Attackers can often evaluate your defences before getting to you • Once we’ve done it, we have the capability/technique/tool we can do it again, with much less effort – Attackers can keep building their toolchain – Attackers are good at sharing • Defenders now need to build an increasingly huge wall as “the basics” become by-passable with tools
  • 7. And so … • Popular defensive design patterns lead to popular attack patterns to bypass them – Knowing these can help you avoid or rejigger them • Some stuff has been recommended for decade+, are we really just too lazy? – Let’s just admit that some stuff, will never be done, and come up with a prioritisation strategy that works – Although, you shouldn’t need a pentest/breach to be reminded, design for them
  • 9. Corporate Passwords • Best Practice – Enforce password complexity – Expire them monthly • Belief – Passwords will be more complex & harder to guess/crack – Passwords have a shelf life • Reality: – Users employ coping methods • Password1 or June2013 or Password8 • <Capital><rest of word><number> • Call centre resets to same password every time – Most organisations pick the same policy – Cracking common storage formats is efficient • NTLM / LanMan
  • 10. Corporate Passwords • Best Practice: Lock an account after X failed login attempts • Belief: People won’t be able to guess passwords • Reality – Lockout period has a timeout, just try one password across all accounts (horizontal brute) • Bonus – Find an Internet-facing auth point & brute there for ext->int win – Executives get exceptions
  • 11. So what? • Best practises created the vulnerability • Everybody doing the same thing lets attackers optimise • The actual attacks aren’t being looked for
  • 12. Defend! • Differentiate yourself from the optimised attack – Blacklist common passwords – Enforce length rather than complexity (15+ bonus) – Extend password expiry • Crack your own passwords (or look for duplicate hashes) – Operationalise this as a metric • Monitor for horizontal brutes • Canary accounts • Two factor authentication
  • 14. Service/Default Accounts • Best Practice: – Change all vendor supplied/service passwords from the default or disable • Belief: – Requires attackers to guess the password or can’t use the account • Reality: – The rate of developer new app use exceeds security capacity to secure – Complexity across application stack – Belief about network controls/development boxes lead to exceptions
  • 15. Patching • Best Practice: – Ensure systems are fully patched • Belief: – Known vulnerabilities will not be exploitable • Reality: – Known systems are(?), unknown aren’t – Some software is easier to patch than others – Unknown vulnerabilities & patch window are realities
  • 16. Baselines & Homogonaity • Best practice: – Ensure all systems are configured the same • Belief: – All systems will have the same security baseline • Reality: – A flaw in one is a flaw in all, Mistakes scale against you – Management agents are remote access methods – Local admin passwords …
  • 17. So what? • 100% compliance for every piece of software, on every machine, for all time … – You need to do the basics, but let’s admit 100% as impossible – 99% on 1k machines, still gives 10 vuln hosts • Attackers are good at finding the 1% • Attackers care about exploitation, missing language packs not so much
  • 18. Defend! • Admit you’ll never hit 100% • Use attacker tools/methods to find the 1% – Find the machines your risk/compliance based focus didn’t care about – Scope be damned! • Prioritise based on ease of exploitation – Availability/popularity/stability/ease of exploit • Make hard choices – do you need that software there? • Defence in depth – Check out hardening tools EMET/PAX (grsec) – Have a plan for once exploited
  • 20. Anti-Virus • Best practice: – All systems must make use of Anti-virus to protect against malware • Belief: – Malware/attacks will be blocked – Malicious e-mail will be blocked – We don’t need to follow up if AV said it blocked • Reality: “All of us had missed detecting this malware for two years. That's a spectacular failure for the antivirus industry in general. We were out of our league, in our own game.” Mikko Hypponen
  • 21. The truth • Mikko was talking about Flame (APT) • Is it that hard? • R600 will buy you access to a great “crypter” – Will make any file undetectable by AV, updated regularly • 20 lines of code to implement my own – Currently bypasses all AV, with a delay & custom file template
  • 22. Attackers Get to Practise
  • 23. So what? • You wouldn’t run without it, but guaranteed bypassable • We need to do something, AV is something, do AV • Attackers can test their attacks • Do we just keep building the wall & run all of them? • A lot of money at stake in perpetuating the problem – “I've never seen _single_ report when modern updated AV with all features was bypassed.” Jindrich Kubec Director of Threat Intelligence @ avast!
  • 24. Defence! • AV isn’t useless, a signature may only be added a year from now, but it’ll tell you, you missed something – investigate • Push your vendor to do better, don’t accept lame signatures, get them to block techniques • Watch the logs, alerts then silent is a bypass pattern • Run multiple AV engines at different layers
  • 26. Network Pivoting & DMZs • Best Practice: – Separate your Internet-facing systems into their own network, then only allow connections into the DMZ, not out • Belief: – Contingency plan; even if your Internet-facing servers get hacked, hackers can’t get to your internal network • Reality: – “Lateral movement” is a regular action by so- called APT actors
  • 27. DMZ – Screw ups • (lame) Web servers in the DMZ, DB in the internal net • Attack – SQLi on the DB (with command exec) gets you onto the internal network • (less lame) Web server & DB in DMZ/s, but on the domain • Attack – Get command exec, get domain account, connect to DC • (least lame) A connection can be initiated to the internal network • Attack – Move around until you can find something you can own, that has access to the internal network – Often not as hard as it sounds
  • 28. The trouble with tunnels
  • 29. Trying to explain a real attack …
  • 30. The toolchain • “Pushing a camel through the eye of a needle” – 2008 BH/Defcon talk by Haroon Meer & Marco Slaviero • Released reDuh by haroon/marco/glenn/ian/gert @sensepost
  • 31. Defend! • DMZs must disallow connections from being initiated to internal – Check for yourself, plugin and portscan • But, stuff’s not architected to make that easy • Web services provide hope – Expose integration services in the DMZ, have a worker from internal consume it • Other important advice we don’t have time for – Needs separate/disconnected management infrastructure – Don’t share with VPN – fundamentally different purposes – Actually, if you can, stick every machine in it’s own DMZ ala AP isolation – Don’t forget egress filtering & split DNS
  • 32. Account Pivoting & Escalation • “When in doubt, attack the control plane. When certain, attack the data plane.” -David Ulevitch • Belief: – Centralised user management makes systems more secure. • Reality: – In some ways, yes, but it gives us organisation wide administrative accounts, and it’s easy(ish) to do.
  • 33. Lateral Movement • Windows is *terrible* at passwords & keeping secrets – Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques • Attackers have gotten really good at post-exploitation • Attacks – Digest auth gives clear-text creds! (wce/mimikatz) – Windows security tokens work well too (incognito) – Still passing-the-hash 16 years later (wce/pth-toolkit) – SMB/NTLM relay attacks (metasploit) – NTLM/LM unsalted, Kerberos can’t do IP, crack away (john/hashcat) – Cached logins (at least they’re salted) • Lateral opportunities – if it works on one … – Local accounts (local admin) – Domain accounts (admin or service) – Apps & Agents (VNC, DBs etc.) – Connected shares
  • 34. So what? • Good advice is blindly implemented, and the original point missed – DMZs are a great idea, but must not allow connections initiated in low trust network • Advanced protections have well understood bypasses and haven't grown – Tunnelling & windows cred extraction sound hard, but the tools are there • Your exposure is greater than the sum of the parts, you can't look at vulns in isolation, or at entry-only
  • 35. Defend! • Use specialised/separate DA, server admin & user accounts – Only use the relevant account when required – Limit DAs to login from management network & management jump box (not laptop) • Monitor *all* your AD groups – Administrators, Enterprise Admins, Domain Admins, Shared Trust, Sub-Group inheritance • Beware of the tokens • Check out RODC & Attribute/Account Filters • Read MS’ paper
  • 37. This talk was about … • Understanding how attackers attack – acknowledging the problem – allows more innovative defence • Common defences allow common bypasses – Best practises introduce commonality that is exploited – Common defences lose out over time as attackers adapt • Many “security basics” are honestly hard – knowing the attacks help to prioritise

Editor's Notes

  1. H highlighted the risk that pentesters stop emulating bad guys, and start emulating other pentesters. We agreed. Helpfully, the amount of campaign analysis available today means we can study real attacker methods in ways we couldn’t before, and it turns out, they do a lot of the same things we find ourselves doing when faced with the same constraints. Different tools maybe, but similar tactics.
  2. Risk management e.g. if we take a log monitoring box, is it obvious that that provides access to critical system x
  3. The conclusion here, is we need something more than just building the wall. And Lockheed showed us with the kill chain, that investigation-lead based on understanding of actual attacks, can give you that.
  4. e.g. anti-virus or ASLRAttackers keep building their toolchain (ref H in pushing a camel through the eye of a needle)Defenders “we need to do something, x is something, let’s do x”When attackers encounter something new, they need to spend time to figure it out and bypass it, this looks like alert, alert, nothing. Assuming stuff is blocked, is the wrong approach.Obscure defences, specific to your org or use, are less likely to have been seen before, and will generate a detection, a detection can be turned into an investigation if you move up and down the process, knowing it.
  5. Highlight upcoming examples
  6. Attackers know the coping methods, study passwords, and optimise.Example of phoning call centre and asking what they reset your account to.
  7. Thing to stop bruting, doesn’t stop bruting.Citrix, OWA, any ad-auth point
  8. Passwords longer than 15 can’t be cracked by hashcat, and LM is disabled
  9. We call this massploitation, because we have scripts to take advantage of the risks we highlight, to automatically pwn as many boxes as we can. At one stage, we have 40k meterpreter sessions.
  10. Remind people of the subtelty here. We’re not saying you can pwn through missing patched, we’re saying everyone knows that, but we’ve never stopped it, so why do we keep pursuing the impossibleMaybe you remember to do sql, but wahat about tomcat/hp management/axis2/postgres/mysql/firebird/etc. etc.
  11. Result: passwords are left to defaults, blank or just fuggin easy. Maybe you remember to do sql, but wahat about tomcat/hp management/axis2/postgres/mysql/firebird/etc. etc.
  12. Management agents; splunk, intel, hp system management, nagios
  13. A flaw in one, is a flaw in all.
  14. Remind people of the subtelty here. We’re not saying you can pwn through missing patched, we’re saying everyone knows that, but we’ve never stopped it, so why do we keep pursuing the impossible
  15. Hard choices – all software comes at a cost, if you aren’t actively managing it (cost), then it’s making you vulnerable (cost)
  16. You don’t have to test your payloads on a live client, test them against their AV before you get there. Attackers can test climbing the wall.
  17. The problem is, people aren’t disciplined in how they build their DMZs, it’s also honestly hard
  18. Dominic made this, not Panda. If you see this attributed to panda, it’s because he is a plagariser.
  19. Hope someone gets the Star Trek reference. The trouble with tribbles was an episode of Star Trek in 1967. They bring a tribble (a small furry alien that purrs) onto the ship, they soon multiply exponentially and infiltrate all the ships systems.
  20. HBGary referred to reDUH as “insidious”.There are many ways to skin this cat, and it can get pretty sneaky e.g. timingDNS exfil used to be niche (e.g. squeeza) not it’s everywhere sqlmap, sqlninja, metasploit, iodine
  21. As pentesters, we’re timebound more than any other constraint, so we go for the control plane. Going for the data/app plane requires more business knowledge. But I know IT and I know IT people need a way to manage lots of boxes. If I crack that, I can get access to anything else, it’s just a matter of time.
  22. Info leakage findings are lame, except the domain gives you *so much* of it. It makes it too easy for finding admins. Mention Etienne’s PsLoggedOn
  23. Microsoft published a doc about defending againstpth attacks this yearTruthfully,unix suffers from similar flaws at scale – ssh keys, world readable config files, bash history. It’s just that AD is the default paradigm for this stuff.
  24. Two points here. The obvious is, maybe someone should build it. But the other is that you could likely automate this and win in most cases. Some of it has been done before e.g. conficker (ms08-067 &amp; creds). We send juniors in for internals a lot of the time, because we know they can pwn these things.
  25. Cargo-cult DMZ implementations
  26. We need a way to clear all tokens (of logged out users?). The group thing is a big one. It’s easy to hide an admin account 5 group levels down. Or hide it in Administrators which is where Domain Admins inherits its status from.
  27. If you walk away thinking any of these attacks are novel, then you’ve missed the point. These attacks are so common/well understood that they are second nature to an attacker. We need novel ways of defending.Understand Passwords -&gt; horiz brute, monitor for itMassploitation -&gt; prioritise the ones you find with stable/easy exploitable vulns AV -&gt; know what you get, don’t blindly trust it Lateral -&gt; Attack result is greater than the sum of it’s parts