Introduction
1 – Review Attacks
2 – Recommendations & Findings
3 – Discover Blockers
Next Steps
Geographies: All
Duration: ~60 minutes
Impacted Computers: 62,000 computers
• 12,000 servers
• 50,000 desktops
RAPID – Spreads through enterprise in minutes (no time for human response processes)
AUTOMATED – No human interaction required after attack cycle starts
DISRUPTIVE – Intentional operational disruption via destruction/encryption of data/systems
Name Role
Expectations for today
Review – How rapid cyberattacks work
Recommend – Specific measures to improve your defenses against rapid cyberattacks
Discover – Potential blockers preventing you from implementing recommended mitigations
“New” attack innovations – Massive impact
Supply Chain – Attack started in the IT supply chain, not phishing or browsing
Multi-technique – Automated multiple traversal techniques effectively
Fast – Automatic propagation (worm behavior) left no time for security teams to react
Destructive – Destroyed assets (vs. silent theft or ransom demand)
• Encrypted the master file table (MFT), making it costly/difficult to retrieve data
• Replaced the boot record with malicious code, making the machine unbootable
ANATOMY OF A PETYA ATTACK
Stages: PREPARE / ENTER / TRAVERSE / EXECUTE
Lanes: SOFTWARE VENDOR / DEVICE / NETWORK & IDENTITY
PREPARE
1. Attackers compromised software update infrastructure for the MEDoc financial application
ENTER
2. Trojan MEDoc update installed, launching malicious code
TRAVERSE (automated worm behavior)
3. Multiple techniques used to spread rapidly:
• MS17-010 vulnerability (released March 2017)
• Credential theft and impersonation
  1. TARGETING (network)
     1. Acquire IP addresses
        • Servers & DCs – DHCP subnets
        • Other hosts – local network
        • Connected shares
     2. Validate IP addresses – TCP/139 and TCP/445
  2. PRIVILEGE ACQUISITION
     Impersonation:
     1. Impersonate current session (SYSTEM)
     2. Impersonate other active local sessions (using token)
     Exploitation:
     • MS17-010 (ETERNALBLUE) – execute as SYSTEM on remote host
  3. PROCESS EXECUTION
     • PSExec
     • WMIC
EXECUTE
• Cleared Windows event logs
• Other potential actions?
• Encrypted MFT
• Made systems unbootable
Note: Impersonation functionality has code similarities to Mimikatz
Targeted – Targeted at specific organizations.
Offline recovery required – Online backup servers were taken out.
Communications down – Office 365 online but Active Directory & Federation down. Needed off-site backups and printed documents for restore procedures. Used manual text messaging and Twitter.
Spread was inhibited by Windows 10’s Secure Boot, Server Core, and Network Isolation.
Less widespread than WannaCrypt, but more severe.
Review
a. How rapid destruction attacks work
b. Your current risk factors for rapid cyberattacks
Recommend
Specific measures to improve your defenses against rapid cyberattacks
Discover
Potential blockers preventing you from implementing recommended mitigations
Attack Surface Reduction – Reduce critical risk factors across all attack stages (prepare, enter, traverse, execute)
Lateral Traversal / Securing Privileged Access – Mitigate ability to traverse (spread) using impersonation and credential theft attacks
Business Continuity / Disaster Recovery (BC/DR) – Rapidly resume business operations after a destructive attack
Exploit Mitigation – Mitigate software vulnerabilities that allow worms and attackers to enter and/or traverse an environment
DEFAULT RECOMMENDATIONS
IDENTIFY | PROTECT | DETECT | RESPOND | RECOVER
DIRECT ATTACK MITIGATION – RAPID ENABLEMENT
1. Create malware-resistant backups of your critical systems and data
2. Immediately deploy critical Operating System security updates
3. Isolate (or retire) computers that cannot be updated and patched
4. Implement advanced e-mail and browser protections
5. Ensure host anti-malware solution gets real-time blocking responses from cloud
6. Implement unique local administrator passwords on all systems
7. Separate and protect privileged accounts
DIRECT ATTACK MITIGATION – LONGER ENABLEMENT (30 Days +)
1. Rapidly deploy all critical security updates
2. Validate your backups using standard restore procedures and tools
3. Disable unneeded legacy protocols
4. Discover and reduce broad permissions on file repositories
5. Stay current
Mitigation recommendations (quick wins numbered 1–7, 30 Days + items numbered 1–5)
Attack Surface Reduction
• 4. Implement advanced e-mail and browser protections
• 5. Host anti-malware gets real-time blocking from cloud
• 3. Disable unneeded legacy protocols
• 4. Discover and reduce broad permissions on file repositories
Lateral Traversal / Securing Privileged Access
• 6. Implement unique local administrator passwords on all systems
• 7. Separate and protect privileged accounts
Business Continuity / Disaster Recovery (BC/DR)
• 1. Create malware-resistant backups of your critical systems and data
• 2. Validate your backups using standard restore procedures and tools
Exploit Mitigation
• 2. Immediately deploy critical OS security updates
• 3. Isolate (or retire) computers that cannot be updated and patched
• 1. Rapidly deploy all critical security updates
• 5. Stay current
ADDITIONAL RECOMMENDATIONS
1. Ensure outsourcing contracts and SLAs are compatible with rapid security response
2. Move critical workloads to SaaS and PaaS
3. Validate existing network controls (internet ingress, Lab/ICS/SCADA isolation)
4. Enable UEFI Secure Boot
5. Complete SPA roadmap Phase 2:
• Reduce attack surface for Active Directory, Domain Controllers, and Service Accounts
• Time-bound privileges (no permanent admins)
• Just Enough Admin (JEA) for DC maintenance
6. Protect backup and deployment systems from rapid destruction
7. Restrict inbound peer traffic on all workstations
8. Use application whitelisting
9. Remove local administrator privileges from end-users
10. Implement modern threat detection solutions
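Item 7, restricting inbound peer traffic, is what stops a worm that probes TCP/139 and TCP/445 from workstation to workstation. The following is an added example and not code from the deck: it lists the firewall rules that currently expose those ports on a Windows 10 workstation, then moves the host to default-deny inbound with a single narrow allow for a management subnet. It assumes an elevated session, the NetSecurity module, and a placeholder management subnet of 10.10.0.0/24.

```powershell
# Added example (not from the original deck). Assumes Windows 10 with the NetSecurity
# module, an elevated PowerShell session, and '10.10.0.0/24' as a constructed placeholder
# for the subnet that holds your deployment/management servers.

function Get-InboundSmbAllowRules {
    # Enabled inbound Allow rules that open 139 or 445 (usually the 'File and Printer
    # Sharing' group). Port ranges such as '135-139' are not matched by this simple check.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        ForEach-Object {
            $rule  = $_
            $ports = ($rule | Get-NetFirewallPortFilter).LocalPort
            if (@($ports) | Where-Object { $_ -in '139', '445' }) { $rule }
        } | Select-Object DisplayName, DisplayGroup, Profile
}

function Limit-InboundPeerTraffic {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$ManagementSubnet = @('10.10.0.0/24'))  # placeholder value

    if ($PSCmdlet.ShouldProcess('Windows Firewall', 'Default-deny inbound and disable broad SMB allow rules')) {
        # Windows Firewall evaluates block rules before allow rules, so a blanket block cannot be
        # punched through with an allow. Instead: default inbound Block, then keep only a narrow allow.
        Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block
        Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue
        Get-InboundSmbAllowRules | ForEach-Object { Disable-NetFirewallRule -DisplayName $_.DisplayName }
    }
    if ($PSCmdlet.ShouldProcess('Windows Firewall', "Allow SMB only from $($ManagementSubnet -join ', ')")) {
        New-NetFirewallRule -DisplayName 'Allow SMB from management subnet only' `
            -Direction Inbound -Protocol TCP -LocalPort 139, 445 `
            -RemoteAddress $ManagementSubnet -Action Allow -Profile Domain
    }
}

# Review what is exposed today, then preview the change before applying it for real.
Get-InboundSmbAllowRules | Format-Table -AutoSize
Limit-InboundPeerTraffic -WhatIf
```

Drop the -WhatIf to apply; servers that legitimately serve SMB need their own rule set and are out of scope for a workstation policy.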
You can't defeat the threats of the present with tools from the past
Photo credit: Wikimedia, Cannon from Galera Forte
We could patch 99%+ of our operating systems in 4 days if we had (or did)…
We could get all unsupported operating systems upgraded if we had (or did)…
We could deploy the credential theft recommendations if we had (or did)…
• Unique local administrator passwords on all systems (workstations, servers)
• Separate and protect privileged accounts
We could retire SMBv1, LM, and NTLMv1 if we had (or did)…
Identifying dependencies – Removing dependencies
• TECHNOLOGY (platforms, tools, etc.)
• PROCESS (procedures, approvals, etc.)
• PEOPLE (stakeholder buy-in, funding, etc.)
Next steps
<Highlight any action items identified in the meeting.>
Add customer specifics
Action | Person responsible | Completion date
Recommendation: Immediately deploy critical OS security updates
Quick win – 0 to 30 days | CRITICAL
Description
Critical Operating System updates are applied to 99%+ of computers in 4 days or less.
• Policy and process are documented (including validation/enforcement of results)
• See the “Isolate (or retire) computers…” recommendation for handling exceptions
• Capability to rapidly deploy emergency workarounds (scripts, settings, etc.)
Rationale
Critical vulnerabilities allow code execution without user interaction and can:
• Enable self-propagating malware (e.g. worms)
• Facilitate rapid entry of any attack (such as browsing to a web page or opening email)
Note: Some guidance (ASD Top 4 | Essential 8) recommends applying within 48 hours
Operating system services (or daemons) are the ideal mechanism for rapid destruction attacks, as they are always running and many accept inbound network traffic
For Microsoft operating systems, Windows Update provides a rapid deployment capability
Expected Organizational Impact
IT Impact – IT processes and priorities may need to change to meet this objective
User Experience Impact – Reboot of workstations or servers can cause temporary application or workstation downtime for users.
Recommendation: Isolate (or retire) computers that cannot be updated and patched
Quick win – 0 to 30 days
Description
For systems that cannot apply critical OS security updates within 4 days, apply alternate mitigations:
• Upgrade any unsupported operating system to a current version
• Retire the unsupported system
• Fully isolate systems from the Internet and intranet / general-purpose networks
Rationale
Microsoft recognizes updating some operating systems is difficult because:
• An unsupported operating system is required (for regulatory/support/etc. reasons)
• Reboots associated with updates incur costs from interrupting business operations
While these may be valid reasons for not updating, connected vulnerable systems create a major risk to the organization, as illustrated by two Petya cases:
Case 1 – Significant business impact (halted business operations) because business-critical ICS/SCADA systems were infected from the corporate intranet.
Case 2 – ICS/SCADA business operations continued because legacy systems were completely isolated on a separate, inaccessible network.
Recommendation: Rapidly deploy all critical security updates
30 Days +
Description
All applicable critical updates are applied to 99%+ of computers in 4 days or less.
• Policy and process are documented (including validation/enforcement of results)
• Systems with unsupported / End of Life software products should be upgraded, isolated, or retired
• Capability to rapidly deploy emergency workarounds (scripts, settings, etc.)
Rationale
Critical vulnerabilities allow code execution without user interaction and can:
• Facilitate rapid entry of any attack (such as browsing to a web page or opening email)
• Enable self-propagating malware (e.g. worms) if the application has a listening service/daemon
Note: Some guidance (ASD Top 4 | Essential 8) recommends applying within 48 hours
Organizational Impact
IT Impact – IT processes and priorities may need to change to meet this objective
User Experience Impact – Reboot of workstations or servers can cause temporary application or workstation downtime for users.
Recommendation: Stay current
30 Days + | CRITICAL
Description
• Adopt cloud services for workloads when available
• Use the latest operating system and applications to protect against modern threats
  • Windows 10 for Windows workstations
  • Windows Server 2016 for Windows servers
  • Latest revisions of Linux, Mac OS X, and router/switch/mobile device operating systems
Rationale
• Cloud services have been largely unaffected by rapid destruction attacks
• Technology providers like Microsoft constantly invest in security to keep up with threats
• Effectively mitigating some attacks requires new approaches that are impractical to retrofit into older systems (such as TPM hardware-based security assurances).
• New capabilities frequently enable digital transformation initiatives that are a top priority for CEOs at most organizations.
Expected Organizational Impact
User Impact – User education.
IT Impact – Deploying a new operating system and updating applications can have a significant impact on an organization, from deploying and upgrading to training.
Recommendation: Create malware-resistant backups of your critical systems and data
Quick win – 0 to 30 days | $
Description
Protect critical systems against the effects of erasure/encryption
• Automatically back up all critical data, critical systems, and dependencies
• Protect critical backups against online deletion/encryption attacks (via multi-factor authentication, or by storing the backups fully offline/off-site).
Rationale
Rapid destruction attacks typically take down all online services, including backup and deployment systems, slowing recovery of critical business systems.
Recovering quickly requires that backups exist and are not deleted/encrypted by the attack.
Organizational Impact
Impact on IT – Level of impact will vary based on the existing backup practices and may require changes to processes and/or backup technology.
Recommendation: Validate your backups using standard restore procedures and tools
30 Days + | $
Description
Validate your end-to-end recovery process
• Include a “Complete IT system down” scenario in Business Continuity / Disaster Recovery (BC/DR) exercises to build readiness for rapid destruction attacks
  • All on-premises services will be unavailable (including communications, identity systems, and fileservers/SharePoint where BC/DR procedures may be stored).
• Regularly validate critical system backup files using standard restore procedures
• Evaluate the use of cloud backup/recovery capabilities like Azure Site Recovery
Rationale
Petya exposed major challenges with recovery processes at most affected enterprises:
• Exercising restore procedures and tooling would avoid these by proactively exposing challenges before a real event
• Cloud services were largely unaffected by rapid destruction attacks
Note: This preparation also improves your resilience to ransomware attacks and natural disasters.
Expected Organizational Impact
IT Impact – Minor impact for staff to perform backup validation and disaster recovery exercises. Recovery processes may need refinement and continued practice.
Recommendation: Implement unique local administrator passwords on all systems
Quick win – 0 to 30 days
Description
Ensure the local administrator account password on each system is unique:
• Unique random password for the Administrator account on each workstation
• Unique random password for the Administrator account on each server
• No other local administrator accounts should be active, enabled, or used
Key Resources: LAPS | Securing Privileged Access Roadmap
Rationale
• Attackers regularly exploit the presence of identical passwords on the local administrator account (across workstations and/or servers)
• While Petya required a local (or domain) account to be logged in and impersonated its credentials, the next attack will likely be able to use local accounts directly
• Targeted attacks regularly involve stealing and re-using local credentials
• The attack technique is automated in multiple tools (Death Star | GoFetch)
Organizational Impact
User Impact – None
IT Impact – Deploy and configure the solution, update IT support processes/practices
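Two checks follow from this recommendation: that no local administrator account other than the LAPS-managed built-in one is enabled on a host, and that every computer in scope actually has a LAPS-managed password. This added example (not from the deck or the LAPS product) implements both; it assumes Windows 10 / Server 2016 for the LocalAccounts cmdlets, the legacy LAPS schema attribute ms-Mcs-AdmPwdExpirationTime, and RSAT's ActiveDirectory module for the domain-side query.

```powershell
# Added example (not from the original deck). Assumes the Microsoft.PowerShell.LocalAccounts
# module (Windows 10 / Server 2016), the legacy LAPS (AdmPwd) schema extension, and the
# ActiveDirectory module from RSAT. The OU path below is a constructed placeholder.

function Get-LocalAdminFindings {
    # Flags every enabled *local* user in Administrators other than the built-in account.
    # LAPS rotates the built-in account's password; any other local admin is outside that control.
    $findings = @()
    foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
        # Domain users/groups in the local Administrators group are a separate (SPA) concern.
        if ($member.PrincipalSource -ne 'Local' -or $member.ObjectClass -ne 'User') { continue }
        $user = Get-LocalUser -SID $member.SID
        # The built-in Administrator always has relative identifier 500, regardless of its name.
        $isBuiltIn = $user.SID.Value.EndsWith('-500')
        if (-not $isBuiltIn -and $user.Enabled) {
            $findings += "Extra enabled local admin account: $($user.Name) (last password set $($user.PasswordLastSet))"
        }
    }
    return $findings
}

function Get-LapsCoverageGaps {
    param([Parameter(Mandatory)][string]$SearchBase)
    # Computers with no LAPS expiration timestamp have never had their password set by LAPS,
    # so they most likely still share whatever password the image or build process gave them.
    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties 'ms-Mcs-AdmPwdExpirationTime' |
        Where-Object { -not $_.'ms-Mcs-AdmPwdExpirationTime' } |
        Select-Object Name, DistinguishedName, OperatingSystem
}

# Local check on this host
$local = Get-LocalAdminFindings
if ($local.Count -eq 0) { Write-Host 'No extra enabled local admin accounts.' }
else { $local | ForEach-Object { Write-Warning $_ } }

# Domain-side coverage check (placeholder OU; replace with your workstation/server OUs)
Get-LapsCoverageGaps -SearchBase 'OU=Workstations,DC=example,DC=local' | Format-Table -AutoSize
```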
Recommendation: Separate and protect privileged accounts
30 Days +
Description
Separate and protect privileged credentials from exposure to impersonation, theft and re-use
• Create separate accounts for privileged activities that are restricted from using e-mail and browsing the Internet.
• Ensure privileged accounts are used only on trusted workstations (such as PAWs)
• Enforce multi-factor authentication on privileged accounts
Rationale
• Impersonation and credential theft for privileged accounts leads to rapid organization compromise (and has been automated: Death Star | GoFetch)
• Separating privileged accounts and workstations dramatically increases the cost of this attack:
  • Standard user tasks expose accounts and workstations to compromise through phishing attacks, drive-by download attacks, and many other Internet-based attacks.
  • Purpose-built workstations are simpler to protect and discourage overuse of privileges
• These mitigations also protect against the most prevalent technique in targeted attacks
Organizational Impact
User Impact – Privileged users' practices must be adjusted to separate account and workstation.
IT Impact – The organization needs to deploy and maintain the new set of workstations.
Recommendation: Disable unneeded legacy protocols
30 Days +
Description
Disable legacy protocols that create unneeded attack surface
• Server Message Block v1 (SMBv1)
• LanMan (LM) and NTLMv1 authentication
Rationale
Successful worms require vulnerabilities in “universally” available components (e.g. running on nearly all computers in nearly all enterprises)
Unneeded legacy protocols that are broadly available create significant organizational risk:
• SMBv1 – ~30 year old protocol that Microsoft is removing from Windows and strongly recommends customers disable/remove (the MS17-010 vulnerability in SMBv1 was used in Petya)
• LanMan and NTLMv1 – Legacy authentication protocols with well-known and significant security weaknesses
Expected Organizational Impact
IT Impact – Inventory environment and dependent devices, application compatibility testing, remediate legacy systems (upgrade/migrate/retire/etc.), and deploy changes
End-users – Varies based on application dependencies, but should be minimal with an effective application testing plan.
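The inventory step above starts with knowing where each host stands. This added example (not from the deck) audits one Windows 10 host for SMBv1 and for LM/NTLMv1 acceptance, reports what is still open, and previews the hardening with -WhatIf; it assumes an elevated session and the SmbShare module (on servers the SMB1 feature is FS-SMB1 under Remove-WindowsFeature instead of the optional feature used here).

```powershell
# Added example (not from the original deck). Assumes Windows 10 / Server 2016, an elevated
# session, and the SmbShare module. Run with -WhatIf first; SMBv1 removal completes on reboot.

function Get-LegacyProtocolStatus {
    $lsa  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1ServerEnabled    = (Get-SmbServerConfiguration).EnableSMB1Protocol
        Smb1FeatureState     = if ($smb1) { $smb1.State.ToString() } else { 'NotPresent' }
        LmCompatibilityLevel = $lsa.LmCompatibilityLevel   # $null = OS default (3 on modern Windows)
        NoLMHash             = $lsa.NoLMHash
    }
}

function Test-LegacyProtocolHardening {
    param([Parameter(Mandatory)] $Status)
    # Returns findings; an empty list means the host meets the recommendation.
    $findings = @()
    if ($Status.Smb1ServerEnabled)            { $findings += 'SMBv1 server is enabled' }
    if ($Status.Smb1FeatureState -eq 'Enabled') { $findings += 'SMB1Protocol feature is installed' }
    # LmCompatibilityLevel 5 = send NTLMv2 only and refuse LM and NTLM (NTLMv1) as a server.
    # Anything below 4 still accepts NTLMv1; below 3 even sends it.
    if ($null -eq $Status.LmCompatibilityLevel -or $Status.LmCompatibilityLevel -lt 5) {
        $findings += "LmCompatibilityLevel is $($Status.LmCompatibilityLevel) (want 5)"
    }
    if ($Status.NoLMHash -ne 1) { $findings += 'LM hashes may still be stored (NoLMHash is not 1)' }
    return $findings
}

function Disable-LegacyProtocols {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('localhost', 'Disable SMBv1 server and remove the SMB1Protocol feature')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    if ($PSCmdlet.ShouldProcess('localhost', 'Require NTLMv2 and stop storing LM hashes')) {
        $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
        Set-ItemProperty -Path $lsa -Name NoLMHash -Value 1 -Type DWord
        # 0x20080000 = require NTLMv2 session security plus 128-bit encryption for NTLM traffic.
        $msv = Join-Path $lsa 'MSV1_0'
        Set-ItemProperty -Path $msv -Name NtlmMinClientSec -Value 0x20080000 -Type DWord
        Set-ItemProperty -Path $msv -Name NtlmMinServerSec -Value 0x20080000 -Type DWord
    }
}

$findings = Test-LegacyProtocolHardening -Status (Get-LegacyProtocolStatus)
if ($findings.Count -eq 0) {
    Write-Host 'Host meets the legacy protocol recommendation.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    Disable-LegacyProtocols -WhatIf
}
```

Raise LmCompatibilityLevel only after the compatibility testing the slide calls for: any device that can only speak NTLMv1 stops authenticating the moment level 5 is enforced on the server side.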
Recommendation: Implement advanced e-mail and browser protections
Quick win – 0 to 30 days
Description
Email – Implement advanced protections for phishing attacks that include:
• Attachment/URL “sandbox detonation” – Protect against unknown malware and viruses
• Time-of-click protections – Rewrite links to protect against malicious links in e-mail messages at time of click (vs. just at time of send)
Browsing – Implement advanced browser protection solutions that include:
• Website analysis – Identify known malicious sites and suspicious site behavior
• Download file analysis – Evaluate downloaded files to warn if they came from a known malicious site or are new/unknown (not on the list of popular programs)
Rationale
While Petya (and WannaCry [unconfirmed]) did not start with e-mail or browsing, this is an extremely unusual phenomenon for cyber attacks.
• Phishing/browsers are overwhelmingly used for almost all other attack patterns, so they are very likely to be included in future attacks
Organizational Impact
User Impact – Minimal negative impact on end-user experience
IT Impact – Deployment and management associated with the solutions
Recommendation: Ensure host anti-malware gets real-time blocking responses from the cloud
Quick win – 0 to 30 days
Description
Ensure your host anti-malware solution gets real-time blocking responses from a cloud service.
Rationale
• Rapid destruction attacks happen too fast for human response, so you are reliant on automatic responses like those found in anti-malware solutions
• Because every second counts in these attacks, your AV should immediately get the latest signatures from the cloud when it detects suspicious behavior
• This feature (or similar) is available from several antivirus vendors (including the MAPS service for Windows Defender AV) but it is not always enabled in production.
Organizational Impact
User Impact – Minimal negative impact on end-user experience
IT Impact – Deployment and management associated with the solutions
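For Windows Defender AV the cloud path is MAPS plus Block at First Sight, and the slide's point is that it is often left off. This added example (not from the deck) checks the settings that have to line up for a cloud verdict to be used, and enables them; it assumes Windows 10 / Server 2016 with the Defender module and an elevated session.

```powershell
# Added example (not from the original deck). Assumes Windows 10 / Server 2016 with the
# Defender PowerShell module (Get-MpPreference etc.) and an elevated session.

function Test-CloudProtection {
    # Returns findings; empty means Defender AV will block on cloud verdicts in real time.
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    $findings = @()
    if (-not $status.AMServiceEnabled)          { $findings += 'Defender AV service is not running' }
    if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }
    # MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced. Disabled means no cloud lookups at all.
    if ($pref.MAPSReporting -eq 0)              { $findings += 'MAPS cloud-delivered protection is disabled' }
    # Block at First Sight is what turns a cloud verdict into an immediate block on a new file.
    if ($pref.DisableBlockAtFirstSeen)          { $findings += 'Block at First Sight is disabled' }
    # SubmitSamplesConsent: 0 = AlwaysPrompt, 1 = SendSafeSamples, 2 = NeverSend, 3 = SendAllSamples.
    # Block at First Sight needs at least safe-sample submission; prompting the user defeats it.
    if ($pref.SubmitSamplesConsent -in 0, 2)    { $findings += 'Sample submission is off or prompts the user' }
    # CloudBlockLevel: 0 = Default, 1 = Moderate, 2 = High, 4 = HighPlus, 6 = ZeroTolerance.
    if ($pref.CloudBlockLevel -lt 2)            { $findings += 'Cloud block level is below High' }
    return $findings
}

function Enable-CloudProtection {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('Windows Defender AV', 'Enable MAPS, Block at First Sight and High cloud block level')) {
        Set-MpPreference -MAPSReporting Advanced `
                         -SubmitSamplesConsent SendSafeSamples `
                         -DisableBlockAtFirstSeen $false `
                         -CloudBlockLevel High `
                         -CloudExtendedTimeout 50   # extra seconds to wait for a cloud verdict (max 50)
    }
}

$findings = Test-CloudProtection
if ($findings.Count -eq 0) { Write-Host 'Cloud-delivered protection is fully enabled.' }
else {
    $findings | ForEach-Object { Write-Warning $_ }
    Enable-CloudProtection -WhatIf   # drop -WhatIf to apply
}
```

If these settings are managed by Group Policy or Intune, Set-MpPreference is overridden at the next policy refresh, so fix them at the policy source instead.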
Recommendation: Discover and reduce broad permissions on file repositories
30 Days +
Description
Reduce risk from broad permissions
1. Discover broad write/delete permissions on file shares, SharePoint, and other solutions
• Broad is defined as many users having write/delete access to business-critical data
2. Reduce broad permissions (while meeting business collaboration requirements)
3. Configure continuous monitoring and/or ongoing discovery for broad permissions
Rationale
• Destructive attacks spread and encrypt data using compromised accounts/workstations
• Most ransomware encrypts files on all mapped drives, causing significant impact
• Petya attacks propagated using logged-in credentials
• Reducing these broad permissions can reduce the impact of destructive attacks
Organizational Impact
IT Impact – Plan/implement processes (and optionally tools) to discover, reduce, and monitor broad permissions.
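Step 1 of the procedure above, discovery, is the part that can be automated against file shares. This added example (not from the deck) walks share roots, reads each folder's ACL, and reports every Allow entry that gives a broad principal any right that can overwrite or delete data; it assumes the scanning account can read the ACLs and that the regular expressions match how your domain names its broad groups. The share paths in the usage call are constructed placeholders.

```powershell
# Added example (not from the original deck). Assumes the scanning account can read ACLs
# on the target paths. The '\\fileserver\...' paths below are constructed placeholders.

function Find-BroadWriteAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [int]$Depth = 2,   # how far below each root to look; share roots usually tell the story
        [string[]]$BroadPrincipals = @(
            '^Everyone$',
            '^NT AUTHORITY\\Authenticated Users$',
            '^BUILTIN\\Users$',
            '\\Domain Users$',
            '\\Domain Computers$'
        )
    )
    # Any of these rights lets a compromised account overwrite or delete data. Generic
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) appear in some ACEs, so add them.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write,Delete,DeleteSubdirectoriesAndFiles,Modify,FullControl,ChangePermissions,TakeOwnership'
    $writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

    $folders = foreach ($p in $Path) {
        Get-Item -LiteralPath $p -ErrorAction SilentlyContinue
        Get-ChildItem -LiteralPath $p -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue
    }
    foreach ($folder in $folders) {
        $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $identity = $ace.IdentityReference.Value
            if (-not ($BroadPrincipals | Where-Object { $identity -match $_ })) { continue }
            # FileSystemRights is int-backed; generic ACEs can show as negative numbers but mask fine.
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $folder.FullName
                Identity  = $identity
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # non-inherited hits are explicit grants worth reviewing first
            }
        }
    }
}

# Placeholder share roots; point this at your real business-critical repositories.
Find-BroadWriteAccess -Path '\\fileserver\Finance', '\\fileserver\Projects' -Depth 1 |
    Sort-Object Path, Identity | Format-Table -AutoSize
```

Schedule the same call and diff its output against the previous run to cover step 3, ongoing discovery, without buying a separate tool.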
Mitigating Rapid Cyberattacks

 
Introduction to Network and System Administration
Introduction to Network and System AdministrationIntroduction to Network and System Administration
Introduction to Network and System Administration
Duressa Teshome
 

Similar to Mitigating Rapid Cyberattacks (20)

What is dr and bc 12-2017
What is dr and bc 12-2017What is dr and bc 12-2017
What is dr and bc 12-2017
 
TECHNICAL BRIEF Protecting & Migrating Legacy Windows OSes
TECHNICAL BRIEF Protecting & Migrating Legacy Windows OSesTECHNICAL BRIEF Protecting & Migrating Legacy Windows OSes
TECHNICAL BRIEF Protecting & Migrating Legacy Windows OSes
 
Presentation for information security & hacking
Presentation for information security & hackingPresentation for information security & hacking
Presentation for information security & hacking
 
CMS Website Security Threat Protection Oriented Analyzer System
CMS Website Security Threat Protection Oriented Analyzer SystemCMS Website Security Threat Protection Oriented Analyzer System
CMS Website Security Threat Protection Oriented Analyzer System
 
Threat_Modelling.pdf
Threat_Modelling.pdfThreat_Modelling.pdf
Threat_Modelling.pdf
 
Microsoft - Human-Operated Ransomware Mitigation Project Plan #nice #template...
Microsoft - Human-Operated Ransomware Mitigation Project Plan #nice #template...Microsoft - Human-Operated Ransomware Mitigation Project Plan #nice #template...
Microsoft - Human-Operated Ransomware Mitigation Project Plan #nice #template...
 
Microsoft Operating System Vulnerabilities
Microsoft Operating System VulnerabilitiesMicrosoft Operating System Vulnerabilities
Microsoft Operating System Vulnerabilities
 
Microsoft OS Vulnerabilities
Microsoft OS VulnerabilitiesMicrosoft OS Vulnerabilities
Microsoft OS Vulnerabilities
 
Ch08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System VulnerabilitiesCh08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System Vulnerabilities
 
How to bring down your own RTC platform. Sandro Gauci
How to bring down your own RTC platform. Sandro GauciHow to bring down your own RTC platform. Sandro Gauci
How to bring down your own RTC platform. Sandro Gauci
 
TADSummit 2022 - How to bring your own RTC platform down
TADSummit 2022 - How to bring your own RTC platform downTADSummit 2022 - How to bring your own RTC platform down
TADSummit 2022 - How to bring your own RTC platform down
 
Network Diagram of a company ABCD Roshan basnet it 29
Network Diagram of a company ABCD Roshan basnet it 29Network Diagram of a company ABCD Roshan basnet it 29
Network Diagram of a company ABCD Roshan basnet it 29
 
1. Security and vulnerability assessment analysis tool - Microsoft.docx
1. Security and vulnerability assessment analysis tool - Microsoft.docx1. Security and vulnerability assessment analysis tool - Microsoft.docx
1. Security and vulnerability assessment analysis tool - Microsoft.docx
 
Incident Prevention and Incident Response - Alexander Sverdlov, PHDays IV
Incident Prevention and Incident Response - Alexander Sverdlov, PHDays IVIncident Prevention and Incident Response - Alexander Sverdlov, PHDays IV
Incident Prevention and Incident Response - Alexander Sverdlov, PHDays IV
 
Cloud monitoring - An essential Platform Service
Cloud monitoring  - An essential Platform ServiceCloud monitoring  - An essential Platform Service
Cloud monitoring - An essential Platform Service
 
Jump start your recovery, with Muhammad Tahir
Jump start your recovery, with Muhammad TahirJump start your recovery, with Muhammad Tahir
Jump start your recovery, with Muhammad Tahir
 
DBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptxDBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptx
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Securing with Sophos - Sophos Day Belux 2014
Securing with Sophos - Sophos Day Belux 2014Securing with Sophos - Sophos Day Belux 2014
Securing with Sophos - Sophos Day Belux 2014
 
Introduction to Network and System Administration
Introduction to Network and System AdministrationIntroduction to Network and System Administration
Introduction to Network and System Administration
 

Recently uploaded

AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI AppAI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
Google
 
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
Łukasz Chruściel
 
Fundamentals of Programming and Language Processors
Fundamentals of Programming and Language ProcessorsFundamentals of Programming and Language Processors
Fundamentals of Programming and Language Processors
Rakesh Kumar R
 
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise EditionWhy Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
Envertis Software Solutions
 
GraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph TechnologyGraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph Technology
Neo4j
 
Graspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code AnalysisGraspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code Analysis
Aftab Hussain
 
Artificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension FunctionsArtificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension Functions
Octavian Nadolu
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j
 
GreenCode-A-VSCode-Plugin--Dario-Jurisic
GreenCode-A-VSCode-Plugin--Dario-JurisicGreenCode-A-VSCode-Plugin--Dario-Jurisic
GreenCode-A-VSCode-Plugin--Dario-Jurisic
Green Software Development
 
Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...
Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...
Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...
kalichargn70th171
 
Oracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptxOracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptx
Remote DBA Services
 
Using Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional SafetyUsing Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional Safety
Ayan Halder
 
What is Augmented Reality Image Tracking
What is Augmented Reality Image TrackingWhat is Augmented Reality Image Tracking
What is Augmented Reality Image Tracking
pavan998932
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j
 
Microservice Teams - How the cloud changes the way we work
Microservice Teams - How the cloud changes the way we workMicroservice Teams - How the cloud changes the way we work
Microservice Teams - How the cloud changes the way we work
Sven Peters
 
DDS-Security 1.2 - What's New? Stronger security for long-running systems
DDS-Security 1.2 - What's New? Stronger security for long-running systemsDDS-Security 1.2 - What's New? Stronger security for long-running systems
DDS-Security 1.2 - What's New? Stronger security for long-running systems
Gerardo Pardo-Castellote
 
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR  SPRING BOOT (SPRING IO)GOING AOT WITH GRAALVM FOR  SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
Alina Yurenko
 
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling ExtensionsUI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
Peter Muessig
 
Transform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR SolutionsTransform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR Solutions
TheSMSPoint
 
How to write a program in any programming language
How to write a program in any programming languageHow to write a program in any programming language
How to write a program in any programming language
Rakesh Kumar R
 

Recently uploaded (20)

AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI AppAI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
 
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
 
Fundamentals of Programming and Language Processors
Fundamentals of Programming and Language ProcessorsFundamentals of Programming and Language Processors
Fundamentals of Programming and Language Processors
 
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise EditionWhy Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
 
GraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph TechnologyGraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph Technology
 
Graspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code AnalysisGraspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code Analysis
 
Artificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension FunctionsArtificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension Functions
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
 
GreenCode-A-VSCode-Plugin--Dario-Jurisic
GreenCode-A-VSCode-Plugin--Dario-JurisicGreenCode-A-VSCode-Plugin--Dario-Jurisic
GreenCode-A-VSCode-Plugin--Dario-Jurisic
 
Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...
Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...
Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...
 
Oracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptxOracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptx
 
Using Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional SafetyUsing Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional Safety
 
What is Augmented Reality Image Tracking
What is Augmented Reality Image TrackingWhat is Augmented Reality Image Tracking
What is Augmented Reality Image Tracking
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
 
Microservice Teams - How the cloud changes the way we work
Microservice Teams - How the cloud changes the way we workMicroservice Teams - How the cloud changes the way we work
Microservice Teams - How the cloud changes the way we work
 
DDS-Security 1.2 - What's New? Stronger security for long-running systems
DDS-Security 1.2 - What's New? Stronger security for long-running systemsDDS-Security 1.2 - What's New? Stronger security for long-running systems
DDS-Security 1.2 - What's New? Stronger security for long-running systems
 
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR  SPRING BOOT (SPRING IO)GOING AOT WITH GRAALVM FOR  SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
 
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling ExtensionsUI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
 
Transform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR SolutionsTransform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR Solutions
 
How to write a program in any programming language
How to write a program in any programming languageHow to write a program in any programming language
How to write a program in any programming language
 

Mitigating Rapid Cyberattacks

  • 3. Introduction
    1 – Review Attacks
    2 – Recommendations & Findings
    3 – Discover Blockers
    Next Steps
  • 4. Geographies: All
    Duration: ~60 minutes
    Impacted Computers: 62,000 computers
    • 12,000 servers
    • 50,000 desktops
  • 5. RAPID • Spreads through enterprise in minutes (no time for human response processes)
    AUTOMATED • No human interaction required after attack cycle starts
    DISRUPTIVE • Intentional operational disruption via destruction/encryption of data/systems
  • 7. Review: How rapid cyberattacks work
    Recommend: Specific measures to improve your defenses against rapid cyberattacks
    Discover: Potential blockers preventing you from implementing recommended mitigations
  • 8. "New" attack innovations:
    Supply Chain – Attack started in IT supply-chain, not phishing or browsing
    Multi-technique – Automated multiple traversal techniques effectively
    Fast – Automatic propagation (worm behavior) left no time for security teams to react
    Massive impact:
    Destructive – Destroyed assets (vs. silent theft or ransom demand)
    • Encrypted a master file table (MFT), making it costly/difficult to retrieve data
    • Replaced boot record with malicious code, making the machine unbootable
  • 9. ANATOMY OF A PETYA ATTACK
    PREPARE (software vendor): 1. Attackers compromised software update infrastructure for MEDoc financial application
    ENTER (device): 2. Trojan MEDoc update installed, launching malicious code
    TRAVERSE (network & identity): 3. Multiple techniques used to spread rapidly:
    • MS17-010 vulnerability (released March 2017)
    • Credential theft and impersonation
    EXECUTE:
    • ENCRYPTED MFT
    • MADE SYSTEMS UNBOOTABLE
    • CLEARED WINDOWS EVENT LOGS
    • OTHER POTENTIAL ACTIONS?
  • 10. TRAVERSE (Automated Worm Behavior)
    1. TARGETING (NETWORK)
    1. Acquire IP addresses
    • Servers & DCs – DHCP subnets
    • Other hosts – local network
    2. Validate IP addresses
    • TCP/139 and TCP/445
    • Connected shares
    2. PRIVILEGE ACQUISITION
    IMPERSONATION
    1. Impersonate current session (SYSTEM)
    2. Impersonate other active local sessions (using token)
    EXPLOITATION
    • MS17-010 (ETERNALBLUE) (Execute as SYSTEM on remote host)
    3. PROCESS EXECUTION
    • PsExec
    • WMIC
    Note: Impersonation functionality has code similarities to Mimikatz
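The traversal stage above leaves a recognisable footprint on the hosts it touches: a service installed remotely (PsExec), processes spawned by the WMI provider host (WMIC), and one machine opening SMB connections to many peers in a short window. The following detection sketch is an added example, not part of the original deck; it runs three such heuristics over constructed sample events modelled loosely on Windows System log entries (event 7045, new service installed) and Sysmon events 1 (process create) and 3 (network connect). The event field names and the threshold are assumptions for the example.

```python
"""Detection heuristics for the traversal stage on slide 10.

Added example, not part of the original deck. The events below are
constructed records modelled loosely on Windows System log, Sysmon and
network telemetry; they are not real data.
"""
from collections import defaultdict

# PsExec installs this service on the target; WMIC-launched commands run as
# children of the WMI provider host. Both are legitimate admin tools, so the
# hits below are triage signals for an analyst, not verdicts.
REMOTE_EXEC_SERVICES = {"PSEXESVC"}
WMI_PROVIDER_HOST = "wmiprvse.exe"
SMB_PORTS = {139, 445}

EVENTS = [  # constructed sample telemetry (not real hosts or addresses)
    {"log": "System", "host": "ws01", "id": 7045, "service": "PSEXESVC",
     "image": r"C:\Windows\PSEXESVC.exe"},
    {"log": "System", "host": "srv01", "id": 7045, "service": "BackupAgent",
     "image": r"C:\Program Files\BackupAgent\agent.exe"},
    {"log": "Sysmon", "host": "ws02", "id": 1, "user": r"NT AUTHORITY\SYSTEM",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\rundll32.exe"},
    {"log": "Sysmon", "host": "ws02", "id": 1, "user": r"CORP\alice",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"log": "Sysmon", "host": "ws01", "id": 3, "src": "10.0.5.17", "dst": "10.0.5.18", "dport": 445},
    {"log": "Sysmon", "host": "ws01", "id": 3, "src": "10.0.5.17", "dst": "10.0.5.19", "dport": 445},
    {"log": "Sysmon", "host": "ws01", "id": 3, "src": "10.0.5.17", "dst": "10.0.5.20", "dport": 445},
    {"log": "Sysmon", "host": "ws01", "id": 3, "src": "10.0.5.17", "dst": "10.0.5.21", "dport": 139},
    {"log": "Sysmon", "host": "ws01", "id": 3, "src": "10.0.5.17", "dst": "10.0.5.22", "dport": 443},
    {"log": "Sysmon", "host": "ws05", "id": 3, "src": "10.0.5.40", "dst": "10.0.5.50", "dport": 445},
]


def remote_service_installs(events):
    """System log 7045 (new service installed) naming a remote-execution service."""
    return [(e["host"], e["service"]) for e in events
            if e.get("log") == "System" and e.get("id") == 7045
            and e.get("service", "").upper() in REMOTE_EXEC_SERVICES]


def wmi_spawned_processes(events):
    """Sysmon 1 (process create) whose parent is the WMI provider host."""
    return [(e["host"], e["image"]) for e in events
            if e.get("log") == "Sysmon" and e.get("id") == 1
            and e.get("parent", "").lower().endswith(WMI_PROVIDER_HOST)]


def smb_fanout(events, threshold=3):
    """Sysmon 3 (network connect): sources reaching >= threshold distinct hosts on 139/445.

    A workstation talking SMB to many peers in a short window is the
    'validate IP addresses' step of the worm as seen from the network.
    """
    targets = defaultdict(set)
    for e in events:
        if e.get("log") == "Sysmon" and e.get("id") == 3 and e.get("dport") in SMB_PORTS:
            targets[e["src"]].add(e["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


def triage(events, fanout_threshold=3):
    """Bundle the three signals so a responder can correlate them per host."""
    return {
        "remote_service": remote_service_installs(events),
        "wmi_children": wmi_spawned_processes(events),
        "smb_fanout": smb_fanout(events, fanout_threshold),
    }


if __name__ == "__main__":
    for signal, hits in triage(EVENTS).items():
        print(f"{signal}: {hits}")
```

The fan-out threshold is deliberately low for the sample; in production it should be tuned per subnet and per time window, and the service and parent-process checks should be joined with the 7045/Sysmon timestamps so the three signals on one host can be read as one lateral-movement sequence.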
  • 11. Targeted • Targeted at specific organizations.
    Offline recovery required • Online backup servers were taken out.
    Communications down • Office 365 online but Active Directory & Federation down. Needed off-site backups and printed documents for restore procedures. Used manual text messaging and Twitter.
    Spread was inhibited by Windows 10's Secure Boot, Server Core, and Network Isolation.
    Less widespread than WannaCrypt, but more severe.
  • 14. Review
    a. How rapid destruction attacks work
    b. Your current risk factors for rapid cyberattacks
    Recommend: Specific measures to improve your defenses against rapid cyberattacks
    Discover: Potential blockers preventing you from implementing recommended mitigations
  • 15. Attack Surface Reduction – Reduce critical risk factors across all attack stages (prepare, enter, traverse, execute)
    Lateral Traversal / Securing Privileged Access – Mitigate ability to traverse (spread) using impersonation and credential theft attacks
    Business Continuity / Disaster Recovery (BC/DR) – Rapidly resume business operations after a destructive attack
    Exploit Mitigation – Mitigate software vulnerabilities that allow worms and attackers to enter and/or traverse an environment
  • 16. DEFAULT RECOMMENDATIONS
    DIRECT ATTACK MITIGATION – RAPID ENABLEMENT
    1. Create malware-resistant backups of your critical systems and data
    2. Immediately deploy critical Operating System security updates
    3. Isolate (or retire) computers that cannot be updated and patched
    4. Implement advanced e-mail and browser protections
    5. Ensure host anti-malware solution gets real-time blocking responses from cloud
    6. Implement unique local administrator passwords on all systems
    7. Separate and protect privileged accounts
    DIRECT ATTACK MITIGATION – LONGER ENABLEMENT (30 Days +)
    1. Rapidly deploy all critical security updates
    2. Validate your backups using standard restore procedures and tools
    3. Disable unneeded legacy protocols
    4. Discover and reduce broad permissions on file repositories
    5. Stay current
  • 18. DEFAULT RECOMMENDATIONS by category (item numbers refer to the rapid and longer enablement lists on slide 16)
    Exploit Mitigation: 2. Immediately deploy critical OS security updates; 1. Rapidly deploy all critical security updates; 5. Stay current; 3. Isolate (or retire) computers that cannot be updated and patched
    Business Continuity / Disaster Recovery (BC/DR): 1. Create malware-resistant backups of your critical systems and data; 2. Validate your backups using standard restore procedures and tools
    Lateral Traversal / Securing Privileged Access: 7. Separate and protect privileged accounts; 6. Implement unique local administrator passwords on all systems
    Attack Surface Reduction: 3. Disable unneeded legacy protocols; 4. Discover and reduce broad permissions on file repositories; 4. Implement advanced e-mail and browser protections; 5. Host anti-malware gets real-time blocking from cloud
  • 19. DEFAULT RECOMMENDATIONS – Additional
    1. Ensure outsourcing contracts and SLAs are compatible with rapid security response
    2. Move critical workloads to SaaS and PaaS
    3. Validate existing network controls (internet ingress, Lab/ICS/SCADA isolation)
    4. Enable UEFI Secure Boot
    5. Complete SPA roadmap Phase 2:
    • Reduce attack surface for Active Directory, Domain Controllers, and Service Accounts
    • Time-bound privileges (no permanent admins)
    • Just Enough Admin (JEA) for DC Maintenance
    6. Protect backup and deployment systems from rapid destruction
    7. Restrict inbound peer traffic on all workstations
    8. Use application whitelisting
    9. Remove local administrator privileges from end-users
    10. Implement modern threat detection solutions
  • 20. (Agenda repeated from slide 14: Review, Recommend, Discover)
  • 22. You can't defeat the threats of the present with tools from the past. (Photo credit: Wikimedia, Cannon from Galera Forte)
  • 23. We could patch 99%+ of our operating systems in 4 days if we had (or did)….
  • 24. We could get all unsupported operating systems upgraded if we had (or did)….
  • 25. We could deploy the credential theft recommendations if we had (or did)…
    • Unique local administrator passwords on all systems (workstations, servers)
    • Separate and protect privileged accounts
  • 26. We could retire SMBv1, LM, and NTLMv1 if we had (or did)…
    Blocker worksheet: for each of TECHNOLOGY (platforms, tools, etc.), PROCESS (procedures, approvals, etc.) and PEOPLE (stakeholder buy-in, funding, etc.), record Identifying Dependencies and Removing Dependencies.
  • 28. Next steps <Highlight any action items identified in the meeting.> Add customer specifics.
    Table columns: Action | Person responsible | Completion date
  • 30. (Recommendation matrix repeated from slide 18; introduces the Exploit Mitigation recommendations that follow)
  • 31. Immediately deploy critical Operating System security updates (CRITICAL – Quick win, 0 to 30 days)
    Description: Critical Operating System updates are applied to 99%+ of computers in 4 days or less.
    • Policy and process are documented (including validation/enforcement of results)
    • See "Isolate (or retire) computers…" recommendation for handling exceptions
    • Capability to rapidly deploy emergency workarounds (scripts, settings, etc.)
    Rationale: Critical vulnerabilities allow code execution without user interaction and can:
    • Enable self-propagating malware (e.g. worms)
    • Facilitate rapid entry of any attack (such as browsing to a web page or opening email)
    Note: Some guidance (ASD top 4 | Essential 8) recommends applying within 48 hours.
    Operating system services (or daemons) are the ideal mechanism for rapid destruction attacks, as they are always running and many accept inbound network traffic.
    For Microsoft operating systems, Windows Update provides a rapid deployment capability.
    Expected Organizational Impact:
    • IT Impact – IT processes and priorities may need to change to meet this objective
    • User Experience Impact – Reboot of workstations or servers can cause temporary application or workstation downtime for users
  • 32. Isolate (or retire) computers that cannot be updated and patched (Quick win, 0 to 30 days)
    Description: For systems that cannot apply critical OS security updates within 4 days, apply alternate mitigations:
    • Upgrade any unsupported operating system to a current version
    • Retire unsupported system
    • Fully isolate systems from Internet and intranet / general-purpose networks
    Rationale: Microsoft recognizes updating some operating systems is difficult because
    • Unsupported operating system required (for regulatory/support/etc. reasons)
    • Reboots associated with updates incur costs from interrupting business operations
    While these may be valid reasons for not updating, connected vulnerable systems create a major risk to the organization, as illustrated by two Petya cases:
    Case 1 – Significant business impact (halted business operations) because business-critical ICS/SCADA systems were infected from the corporate intranet.
    Case 2 – ICS/SCADA business operations continued because legacy systems were completely isolated on a separate, inaccessible network.
  • 33. Rapidly deploy all critical security updates (CRITICAL – 30 Days +)
    Description: All applicable critical updates are applied to 99%+ of computers in 4 days or less.
    • Policy and process are documented (including validation/enforcement of results)
    • Systems with unsupported / End of Life software products should be upgraded, isolated, or retired
    • Capability to rapidly deploy emergency workarounds (scripts, settings, etc.)
    Rationale: Critical vulnerabilities allow code execution without user interaction and can:
    • Facilitate rapid entry of any attack (such as browsing to a web page or opening email)
    • Enable self-propagating malware (e.g. worms) if the application has a listening service/daemon
    Note: Some guidance (ASD top 4 | Essential 8) recommends applying within 48 hours.
    Organizational Impact:
    • IT Impact – IT processes and priorities may need to change to meet this objective
    • User Experience Impact – Reboot of workstations or servers can cause temporary application or workstation downtime for users
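Slides 31 to 33 state the target ("99%+ of computers in 4 days or less") and ask for validation/enforcement of results, but a deck cannot show what that validation looks like. The check below is an added example, not part of the original deck: it scores a constructed inventory against the 4-day SLA (and the 48-hour variant the slides mention), lists the hosts that missed it, and separates out the connected-but-unsupported hosts that need the slide 32 treatment. The `Host` record, the inventory and `KB-PLACEHOLDER` are assumptions standing in for an organisation's real patch-management data.

```python
"""Patch-SLA compliance check for the update recommendations on slides 31-33.

Added example, not from the original deck. The inventory is constructed;
"KB-PLACEHOLDER" stands in for a real update identifier and the 4-day SLA
is the deck's stated target.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

SLA_DAYS = 4          # deck target: critical updates on 99%+ of computers in 4 days or less
TARGET_PCT = 99.0


@dataclass
class Host:
    name: str
    os_supported: bool             # vendor still ships security updates for this OS
    installed_on: Optional[date]   # None = the update is still missing
    isolated: bool = False         # approved exception: no Internet/intranet connectivity


UPDATE_ID = "KB-PLACEHOLDER"
RELEASED = date(2017, 3, 14)       # constructed release date for the sample

INVENTORY = [  # constructed sample inventory, not real hosts
    Host("ws01", True, date(2017, 3, 15)),
    Host("ws02", True, date(2017, 3, 15)),
    Host("ws03", True, date(2017, 3, 16)),
    Host("ws04", True, date(2017, 3, 17)),
    Host("ws05", True, date(2017, 3, 18)),      # day 4: on the boundary, still within SLA
    Host("ws06", True, date(2017, 3, 16)),
    Host("ws07", True, date(2017, 3, 17)),
    Host("srv01", True, date(2017, 3, 16)),
    Host("srv02", True, date(2017, 3, 20)),     # day 6: late
    Host("srv03", False, None),                 # unsupported OS, still connected
    Host("lab01", False, None, isolated=True),  # unsupported but fully isolated: out of scope
]


def within_sla(host, released, sla_days=SLA_DAYS):
    """True when the update landed no later than `sla_days` after release."""
    return host.installed_on is not None and (host.installed_on - released).days <= sla_days


def evaluate(inventory, released, sla_days=SLA_DAYS, target_pct=TARGET_PCT):
    """Score the fleet; isolated hosts are approved exceptions and leave the denominator."""
    in_scope = [h for h in inventory if not h.isolated]
    compliant = [h for h in in_scope if within_sla(h, released, sla_days)]
    pct = 100.0 * len(compliant) / len(in_scope) if in_scope else 100.0
    return {
        "update": UPDATE_ID,
        "in_scope": len(in_scope),
        "compliant": len(compliant),
        "pct": round(pct, 1),
        "meets_target": pct >= target_pct,
        "overdue": [h.name for h in in_scope if not within_sla(h, released, sla_days)],
        # connected hosts that cannot be patched need the slide 32 treatment
        "isolate_or_retire": [h.name for h in in_scope if not h.os_supported],
    }


if __name__ == "__main__":
    print(evaluate(INVENTORY, RELEASED))
    print(evaluate(INVENTORY, RELEASED, sla_days=2))   # the 48-hour guidance
```

Two design points matter for enforcement: the denominator excludes only hosts with a documented isolation exception, so a forgotten unsupported box still counts against the score, and the 48-hour figure is a parameter rather than a second code path, so one report can show both targets side by side.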
  • 34. Stay current (30 Days +)
    Description:
    • Adopt cloud services for workloads when available
    • Use the latest operating system and applications to protect against modern threats
    • Windows 10 for Windows workstations
    • Windows Server 2016 for Windows servers
    • Latest revisions of Linux, Mac OSX, and router/switch/mobile device operating systems
    Rationale:
    • Cloud services have been largely unaffected by rapid destruction attacks
    • Technology providers like Microsoft constantly invest in security to keep up with threats
    • Effectively mitigating some attacks requires new approaches that are impractical to retrofit into older systems (such as TPM hardware-based security assurances)
    • New capabilities frequently enable digital transformation initiatives that are top priority for CEOs at most organizations
    Expected Organizational Impact:
    • User Impact – User education
    • IT Impact – Deploying a new operating system and updating applications can have a significant impact on an organization, from deploying and upgrading to training
  • 35. (Recommendation matrix repeated from slide 18; introduces the Business Continuity / Disaster Recovery recommendations that follow)
  • 36. Create malware-resistant backups of your critical systems and data (Quick win, 0 to 30 days, $)
    Description: Protect critical systems against effects of erasure/encryption
    • Automatically back up all critical data, critical systems, and dependencies
    • Protect critical backups against online deletion/encryption attacks (via multi-factor authentication, or have the backups stored fully offline/off-site)
    Rationale: Rapid destruction attacks typically take down all online services including backup and deployment systems, slowing recovery of critical business systems. Recovering quickly requires that backups exist and are not deleted/encrypted by the attack.
    Organizational Impact: Impact on IT – level of impact will vary based on the existing backup practices and may require changes to processes and/or backup technology.
  • 37. Validate your backups using standard restore procedures and tools (30 Days +, $)
    Description: Validate your end-to-end recovery process
    • Include a "complete IT system down" scenario in Business Continuity / Disaster Recovery (BC/DR) exercises to build readiness for rapid destruction attacks
    • All on-premises services will be unavailable (including communications, identity systems, and fileservers/SharePoint where BC/DR procedures may be stored)
    • Regularly validate critical system backup files using standard restore procedures
    • Evaluate the use of cloud backup/recovery capabilities like Azure Site Recovery
    Rationale: Petya exposed major challenges with recovery processes at most affected enterprises:
    • Exercising restore procedures and tooling would avoid these by proactively exposing challenges before a real event
    • Cloud services were largely unaffected by rapid destruction attacks
    Note: This preparation also improves your resilience to ransomware attacks and natural disasters.
    Expected Organizational Impact: IT Impact – Minor impact for staff to perform backup validation and disaster recovery exercises. Recovery processes may need refinement and continued practice.
  • 38. (Recommendation matrix repeated from slide 18; introduces the Lateral Traversal / Securing Privileged Access recommendations that follow)
  • 39. Implement unique local administrator passwords on all systems (Quick win, 0 to 30 days)
    Description: Ensure the local administrator account password on each system is unique:
    • Unique random password for Administrator account on each workstation
    • Unique random password for Administrator account on each server
    • No other local administrator accounts should be active, enabled, or used
    Key Resources: LAPS | Securing Privileged Access Roadmap
    Rationale:
    • Attackers regularly exploit the presence of identical passwords on the local administrator account (across workstations and/or servers)
    • While Petya required a local (or domain) account to be logged in and impersonated the credentials, the next attack will likely be able to use local accounts directly
    • Targeted attacks regularly involve stealing and re-using local credentials
    • Attack technique is automated in multiple tool(s) (Death Star | GoFetch)
    Organizational Impact:
    • User Impact – None
    • IT Impact – Deploy and configure solution, update IT support processes/practices
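Slide 39 points to LAPS as the tool for this recommendation. Deploying it is only half the work; the other half is checking that every computer object is actually managed and that passwords are rotating on schedule, because a machine LAPS never reached keeps its shared password. The audit below is an added example, not part of the original deck or of LAPS itself: it evaluates a constructed directory export against the `ms-Mcs-AdmPwdExpirationTime` attribute that LAPS writes (a Windows FILETIME, 100-nanosecond ticks since 1601). The 30-day policy, the sample computers and the "now" timestamp are assumptions; the code does not query a directory.

```python
"""LAPS coverage audit for the local-administrator recommendation on slide 39.

Added example, not from the original deck. Works on a constructed export of
computer objects; in practice the attribute would come from an LDAP query
against the domain. The 30-day maximum age is an assumed LAPS policy value.
"""
from datetime import datetime, timedelta

EPOCH_1601 = datetime(1601, 1, 1)
LAPS_EXPIRY_ATTR = "ms-Mcs-AdmPwdExpirationTime"   # attribute written by LAPS
MAX_AGE_DAYS = 30                                   # assumed policy: PasswordAgeDays


def to_filetime(dt):
    """datetime -> FILETIME (100 ns ticks since 1601-01-01), using exact integer math."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def from_filetime(ft):
    """FILETIME -> datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


NOW = datetime(2017, 7, 15, 12, 0, 0)   # constructed evaluation time

COMPUTERS = {  # constructed directory export: computer name -> attributes (not real objects)
    "WS01":  {LAPS_EXPIRY_ATTR: to_filetime(NOW + timedelta(days=10))},    # rotating normally
    "WS02":  {LAPS_EXPIRY_ATTR: to_filetime(NOW - timedelta(days=3))},     # overdue for rotation
    "SRV01": {},                                                           # LAPS never applied
    "SRV02": {LAPS_EXPIRY_ATTR: to_filetime(NOW + timedelta(days=400))},   # expiry pushed past policy
}


def classify(attrs, now, max_age_days):
    """One computer object -> finding string."""
    ft = attrs.get(LAPS_EXPIRY_ATTR)
    if ft is None:
        return "unmanaged"                  # no LAPS attribute: password likely still shared
    expiry = from_filetime(ft)
    if expiry <= now:
        return "expired"                    # client has not rotated; check agent/GPO reach
    if expiry > now + timedelta(days=max_age_days):
        return "expiration-beyond-policy"   # someone set an expiry longer than the policy allows
    return "ok"


def audit_laps(computers, now=NOW, max_age_days=MAX_AGE_DAYS):
    """Map every computer to its finding so the non-'ok' set can be worked as a ticket list."""
    return {name: classify(attrs, now, max_age_days) for name, attrs in computers.items()}


def needs_action(computers, now=NOW, max_age_days=MAX_AGE_DAYS):
    return sorted(n for n, f in audit_laps(computers, now, max_age_days).items() if f != "ok")


if __name__ == "__main__":
    for name, finding in audit_laps(COMPUTERS).items():
        print(f"{name}: {finding}")
```

The "unmanaged" bucket is the one that matters most for this deck's threat model: it is exactly the set of machines where a single stolen local-administrator password still opens every peer, so it should be reconciled against the full computer inventory, not just against the objects that already carry the attribute.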
• 40. Separate and protect privileged accounts (30 Days +)
  Description – Protect privileged credentials from exposure to impersonation, theft and re-use:
  • Create separate accounts for privileged activities that are restricted from using e-mail and browsing the Internet
  • Ensure privileged accounts are used only on trusted workstations (such as PAWs)
  • Enforce multi-factor authentication on privileged accounts
  Organizational Impact:
  • User Impact – Privileged users' practices must be adjusted to use a separate account and workstation
  • IT Impact – The organization needs to deploy and maintain the new set of workstations
  Rationale:
  • Impersonation and credential theft of privileged accounts leads to rapid organization compromise (and has been automated: Death Star | GoFetch)
  • Separating privileged accounts and workstations dramatically increases the cost of this attack:
    • Standard user tasks expose accounts and workstations to compromise through phishing attacks, drive-by download attacks, and many other Internet-based attacks
    • Purpose-built workstations are simpler to protect and discourage overuse of privileges
  • These mitigations also protect against the most prevalent technique in targeted attacks
• 42. Disable unneeded legacy protocols (30 Days +)
  Description – Disable legacy protocols that create unneeded attack surface:
  • Server Message Block v1 (SMBv1)
  • LanMan (LM) and NTLMv1 authentication
  Expected Organizational Impact:
  • IT Impact – Inventory the environment and dependent devices, application compatibility testing, remediate legacy systems (upgrade/migrate/retire/etc.), and deploy changes
  • End-users – Varies based on application dependencies, but should be minimal with an effective application testing plan
  Rationale:
  • Successful worms require vulnerabilities in “universally” available components (e.g. running on nearly all computers in nearly all enterprises). Unneeded legacy protocols that are broadly available create significant organizational risk:
    • SMBv1 – ~30-year-old protocol that Microsoft is removing from Windows and strongly recommends customers disable/remove (the MS17-010 vulnerability in SMBv1 was used in Petya)
    • LanMan and NTLMv1 – Legacy authentication protocols with well-known and significant security weaknesses
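An audit-then-remediate script for the two protocol families on this slide, added here as an example rather than taken from the deck. It checks SMBv1 on the server side, the optional feature and live client connections, turns on SMBv1 access auditing to feed the inventory step, reads the LSA settings that govern LM/NTLMv1, and only changes them when run with -Remediate. It assumes Windows 10 / Server 2016 or later and an elevated session.

```powershell
# Added example (not from the deck): audit, and optionally remediate, the two legacy
# protocol families the slide names on one Windows host. Assumes Windows 10 / Server 2016
# or later (for SMB1 access auditing) and an elevated PowerShell session.
param([switch]$Remediate)

# --- SMBv1: server side, optional feature, and live client connections ---
$smb = Get-SmbServerConfiguration
Write-Host ("SMBv1 server protocol enabled : {0}" -f $smb.EnableSMB1Protocol)
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) { Write-Host ("SMB1Protocol optional feature  : {0}" -f $feature.State) }
$v1Clients = Get-SmbConnection | Where-Object { $_.Dialect -like '1.*' }
if ($v1Clients) {
    Write-Warning ("This host is talking SMBv1 to: {0}" -f (($v1Clients.ServerName | Sort-Object -Unique) -join ', '))
}

# Audit before you disable: event 3000 in Microsoft-Windows-SMBServer/Audit records each client
# that still uses SMBv1 against this server, which feeds the inventory step on the slide.
if (-not $smb.AuditSmb1Access) { Set-SmbServerConfiguration -AuditSmb1Access $true -Force }
$recent = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } `
                       -MaxEvents 50 -ErrorAction SilentlyContinue
Write-Host ("SMBv1 access audit events (last 50 max): {0}" -f @($recent).Count)

# --- LM / NTLMv1: LmCompatibilityLevel 0-2 allow LM/NTLMv1; 3-4 send NTLMv2 only but still
# accept NTLMv1 from clients; 5 refuses LM and NTLMv1 entirely. ---
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$props = Get-ItemProperty -Path $lsa
$level = if ($null -ne $props.LmCompatibilityLevel) { $props.LmCompatibilityLevel } else { 3 }  # 3 is the default when absent
$noLm  = if ($null -ne $props.NoLMHash) { $props.NoLMHash } else { 1 }                          # 1 (no LM hash stored) is the default
$verdict = if ($level -ge 5) { 'NTLMv2 only, LM/NTLMv1 refused' }
           elseif ($level -ge 3) { 'sends NTLMv2 only, still accepts NTLMv1' }
           else { 'LM/NTLMv1 permitted - WEAK' }
Write-Host ("LmCompatibilityLevel: {0} -> {1}" -f $level, $verdict)
Write-Host ("NoLMHash            : {0}" -f $noLm)

if ($Remediate) {
    # Only after the inventory and application compatibility testing the slide calls for.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
    Set-ItemProperty -Path $lsa -Name NoLMHash -Value 1 -Type DWord
    Write-Host 'Remediation applied. A restart is required for the feature removal and LSA changes.'
}
```

In a domain, push the same values through Group Policy (Network security: LAN Manager authentication level; Do not store LAN Manager hash value) so they survive on every host rather than only the one you ran this on.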
• 43. Implement advanced e-mail and browser protections (Quick win, 0 to 30 days)
  Description:
  • Email – Implement advanced protections for phishing attacks that include:
    • Attachment/URL “sandbox detonation” – Protect against unknown malware and viruses
    • Time-of-click protections – Rewrite links to protect against malicious links in e-mail messages at time of click (vs. just at time of send)
  • Browsing – Implement advanced browser protection solutions that include:
    • Website analysis – Identify known malicious sites and suspicious site behavior
    • Download file analysis – Evaluate downloaded files to warn if a file came from a known malicious site or is new/unknown (not on the list of popular programs)
  Organizational Impact:
  • User Impact – Minimal negative impact on end-user experience
  • IT Impact – Deployment and management associated with the solutions
  Rationale:
  • While Petya (and WannaCry [unconfirmed]) did not start with e-mail or browsing, this is an extremely unusual phenomenon for cyberattacks
  • Phishing and browsers are overwhelmingly used for almost all other attack patterns, so they are very likely to be included in future attacks
• 44. Host anti-malware gets real-time blocking from cloud (Quick win, 0 to 30 days)
  Description – Ensure your host anti-malware solution gets real-time blocking responses from a cloud service.
  Organizational Impact:
  • User Impact – Minimal negative impact on end-user experience
  • IT Impact – Deployment and management associated with the solutions
  Rationale:
  • Rapid destruction attacks happen too fast for human response, so you are reliant on automatic responses like those found in anti-malware solutions
  • Because every second counts in these attacks, your AV should immediately get the latest signatures from the cloud when it detects suspicious behavior
  • This feature (or similar) is available from several antivirus vendors (including the MAPS service for Windows Defender AV) but it is not always enabled in production
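For the Windows Defender AV / MAPS case the slide names, this added check (not from the deck) reads the preferences that decide whether a host actually gets a real-time cloud verdict, reports the weak ones, and applies the stronger values when run with -Remediate. It assumes the Defender PowerShell module on Windows 10 / Server 2016 or later and an elevated session.

```powershell
# Added example (not from the deck): check whether Microsoft Defender Antivirus is actually
# getting real-time blocking from the cloud (the MAPS service the slide mentions) and fix the
# settings if not. Assumes the Defender PowerShell module (Windows 10 / Server 2016+), run elevated.
param([switch]$Remediate)

$pref     = Get-MpPreference
$status   = Get-MpComputerStatus
$findings = @()

# MAPSReporting: 0 Disabled, 1 Basic, 2 Advanced. Cloud-delivered protection needs 1 or 2.
if ($pref.MAPSReporting -eq 0) { $findings += 'MAPS / cloud-delivered protection is disabled' }
# SubmitSamplesConsent: 0 AlwaysPrompt, 1 SendSafeSamples, 2 NeverSend, 3 SendAllSamples.
# NeverSend stops the cloud from analysing unknown files, which defeats Block at First Sight.
if ($pref.SubmitSamplesConsent -eq 2) { $findings += 'Sample submission is NeverSend' }
if ($pref.DisableBlockAtFirstSeen)    { $findings += 'Block at First Sight is disabled' }
# CloudBlockLevel: 0 Default, 1 Moderate, 2 High, 4 HighPlus, 6 ZeroTolerance.
if ($pref.CloudBlockLevel -lt 2) {
    $findings += "CloudBlockLevel is $($pref.CloudBlockLevel); High (2) blocks suspicious files more aggressively"
}
# CloudExtendedTimeout: extra seconds (0-50) a suspicious file is held while the cloud decides.
if ($pref.CloudExtendedTimeout -lt 20) {
    $findings += "CloudExtendedTimeout is $($pref.CloudExtendedTimeout)s; the verdict may arrive after the file has run"
}
if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }
if (-not $status.AMServiceEnabled)          { $findings += 'Antimalware service is not running' }
$sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
if ($sigAge.TotalHours -gt 24) {
    $findings += ("Signatures last updated {0:g} ({1:N0} h ago)" -f $status.AntivirusSignatureLastUpdated, $sigAge.TotalHours)
}

if ($findings.Count -eq 0) {
    Write-Host 'Cloud-delivered protection is on and configured for fast blocking.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}

if ($Remediate -and $findings.Count -gt 0) {
    # Local settings; in a managed estate push the same values by Group Policy or MDM so they stick.
    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples `
                     -DisableBlockAtFirstSeen $false -CloudBlockLevel High -CloudExtendedTimeout 50
    Update-MpSignature
    Write-Host 'Defender cloud protection settings applied.'
}
```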
• 45. Discover and reduce broad permissions on file repositories (30 Days +)
  Description – Reduce risk from broad permissions:
  1. Discover broad write/delete permissions on file shares, SharePoint, and other solutions (“broad” is defined as many users having write/delete access to business-critical data)
  2. Reduce broad permissions (while meeting business collaboration requirements)
  3. Configure continuous monitoring and/or ongoing discovery for broad permissions
  Organizational Impact:
  • IT Impact – Plan/implement processes (and optionally tool(s)) to discover, reduce, and monitor broad permissions
  Rationale:
  • Destructive attacks spread and encrypt data using compromised accounts/workstations
  • Most ransomware encrypts files on all mapped drives, causing significant impact
  • Petya attacks propagated using logged-in credentials
  • Reducing these broad permissions can reduce the impact of destructive attacks
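A starting point for the discovery step above, added here and not part of the deck: it walks a set of shares and reports every Allow ACE where an organisation-wide principal (Everyone, Authenticated Users, Domain Users and similar) holds a right that permits writing or deleting data. The share paths are placeholders and the running account is assumed to be able to read the ACLs; the CSV it writes is what the reduce and monitor steps can diff between runs.

```powershell
# Added example (not from the deck): step 1 of the slide, discovering broad write/delete permissions
# on file shares. "Broad" here means a principal that stands for most of the organisation holds a
# right that lets it modify or delete data. Share paths below are placeholders; the account running
# this needs read access to the ACLs. Extend $BroadPrincipals with your own large groups.
param(
    [string[]]$Paths = @('\\FILESERVER01\Finance', '\\FILESERVER01\Public'),
    [int]$MaxDepth = 3
)
$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users', 'Users', 'INTERACTIVE', 'NETWORK')

# Individual rights that allow destroying or encrypting data. Composite rights such as Modify also
# contain read and Synchronize bits, so test the specific bits rather than the composites.
$DestructiveMask  = [int]([System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')
$GenericWriteMask = 0x10000000 -bor 0x40000000   # GENERIC_ALL / GENERIC_WRITE seen on un-mapped inherited ACEs

function Test-BroadAce {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    $name = ($Ace.IdentityReference.Value -split '\\')[-1]          # drop DOMAIN\ or BUILTIN\
    if ($BroadPrincipals -notcontains $name) { return $false }
    $raw = [int]$Ace.FileSystemRights
    return (($raw -band $DestructiveMask) -ne 0) -or (($raw -band $GenericWriteMask) -ne 0)
}

function Get-BroadPermission {
    param([string]$Root, [int]$Depth)
    $dirs = @(Get-Item -LiteralPath $Root -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        try { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop } catch { continue }   # skip folders we cannot read
        foreach ($ace in $acl.Access) {
            if (Test-BroadAce $ace) {
                [pscustomobject]@{ Path = $dir.FullName; Principal = $ace.IdentityReference.Value
                                   Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
            }
        }
    }
}

$report = foreach ($p in $Paths) { Get-BroadPermission -Root $p -Depth $MaxDepth }
$report | Sort-Object Path, Principal | Format-Table -AutoSize
# Steps 2 and 3: keep each run's CSV and diff it against the previous one to catch permissions creeping back.
$report | Export-Csv -NoTypeInformation -Path ("BroadPermissions-{0:yyyyMMdd}.csv" -f (Get-Date))
```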