#HITB2017AMSNETSQUARE
SAUMIL SHAH
CEO, NET SQUARE
@therealsaumil
#HITB2017AMS
WARNING! Disruptive Thoughts Ahead
WARNING! Block Diagrams Ahead
About Me
Saumil Shah
CEO, Net Square
@therealsaumil
hacker, trainer, speaker,
photographer, rebel
educating, entertaining
and exasperating
audiences since 1999
The Evolution of Attacks: 2001-17
The Evolution of Targets: 2001-17
Servers, Applications, Desktops, Browsers, Pockets, Populations
...Defense: 2001-17
Defense          Attack
Firewalls        One-way Attacks
IDS/IPS          FragRouter
Antivirus        Obfuscation
WAF              Char Encoding
DLP, EPS         DNS Exfil
DEP, ASLR        ROP, Infoleak
Sandbox          Jailbreak
Different.... but Same Same
Example: ROWHAMMER
By Dsimic https://commons.wikimedia.org/w/index.php?curid=38868341
Example: STEGOSPLOIT
Block diagram: EXPLOIT CODE + IMAGE -> PIXEL ENCODER -> ENCODED IMAGE; ENCODED IMAGE + STEGO-DECODER JAVASCRIPT -> IMAJS POLYGLOT -> TARGET BROWSER
http://stegosploit.info
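As an added example, not code from the slides and not Stegosploit's own implementation, the JavaScript below shows what the PIXEL ENCODER and STEGO-DECODER boxes do in principle: it hides a byte string in the least-significant bit of the R, G and B channels of an RGBA buffer laid out like CanvasRenderingContext2D.getImageData().data, and reads it back. The function names, the 32-bit length header and the constructed gradient cover image are assumptions made for this example; the payload is a harmless string, not exploit code, and the IMAJS/polyglot wrapping is deliberately not shown.

```javascript
// Added example (not Stegosploit's code): LSB pixel encoder/decoder over a
// raw RGBA byte buffer. The layout matches getImageData().data, so the same
// decoder loop would run unchanged in a browser; here it runs under Node
// without a canvas. Length header and sample image are assumptions.

// Constructed sample cover image: a deterministic gradient, RGBA, fully opaque.
function makeSampleImage(width, height) {
  const px = new Uint8ClampedArray(width * height * 4);
  for (let y = 0; y < height; y++) {
    for (let x = 0; x < width; x++) {
      const i = (y * width + x) * 4;
      px[i] = (x * 255 / (width - 1)) | 0;      // R
      px[i + 1] = (y * 255 / (height - 1)) | 0; // G
      px[i + 2] = (x ^ y) & 0xff;               // B
      px[i + 3] = 255;                          // A, never touched below
    }
  }
  return px;
}

// One bit per colour channel; alpha is skipped because alpha changes are
// visible and some pipelines premultiply it, which would destroy the bit.
function capacityBits(pixels) {
  return (pixels.length / 4) * 3;
}

function encodeIntoPixels(pixels, payload) {
  const body = new TextEncoder().encode(payload);
  const data = new Uint8Array(4 + body.length);
  new DataView(data.buffer).setUint32(0, body.length); // big-endian length header
  data.set(body, 4);
  const needed = data.length * 8;
  if (needed > capacityBits(pixels)) {
    throw new RangeError(`payload needs ${needed} bits, image holds ${capacityBits(pixels)}`);
  }
  const out = new Uint8ClampedArray(pixels); // copy: the cover image is left intact
  let bit = 0;
  for (let i = 0; i < out.length && bit < needed; i++) {
    if ((i & 3) === 3) continue; // alpha channel
    const b = (data[bit >> 3] >> (7 - (bit & 7))) & 1; // MSB first
    out[i] = (out[i] & 0xfe) | b;
    bit++;
  }
  return out;
}

function decodeFromPixels(pixels) {
  let i = 0;
  const nextBit = () => {
    while ((i & 3) === 3) i++; // alpha channel
    if (i >= pixels.length) throw new RangeError("ran out of pixels while decoding");
    return pixels[i++] & 1;
  };
  const nextByte = () => {
    let v = 0;
    for (let k = 0; k < 8; k++) v = (v << 1) | nextBit();
    return v;
  };
  const len = ((nextByte() << 24) | (nextByte() << 16) | (nextByte() << 8) | nextByte()) >>> 0;
  // A clean image yields a garbage header; refuse lengths the image cannot hold.
  if (len * 8 + 32 > capacityBits(pixels)) {
    throw new RangeError(`header claims ${len} bytes, more than the image can hold`);
  }
  const body = new Uint8Array(len);
  for (let k = 0; k < len; k++) body[k] = nextByte();
  return new TextDecoder().decode(body);
}

// Encode, decode, and report the largest per-byte change between cover and
// stego image (at most 1, which is why LSB embedding is visually invisible).
function roundTrip(width, height, payload) {
  const cover = makeSampleImage(width, height);
  const stego = encodeIntoPixels(cover, payload);
  let maxDelta = 0;
  for (let k = 0; k < cover.length; k++) {
    maxDelta = Math.max(maxDelta, Math.abs(cover[k] - stego[k]));
  }
  return { decoded: decodeFromPixels(stego), maxDelta };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(roundTrip(64, 64, "harmless demo payload"));
}
```

The decoder is the part that matters for the polyglot trick in the diagram: once the browser has rendered the image, a few lines of script reading `getImageData().data` recover the hidden bytes, so a defence that only inspects the image's file format sees a valid picture and nothing else.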
There will be Vulnerabilities
Nakatomi Space
"wherein buildings reveal near-infinite interiors, capable of being traversed through all manner of non-architectural means"
http://www.bldgblog.com/2010/01/nakatomi-space/
Attacks succeed because today's defense is REACTIVE.
Exploit Development - 2002
Individual effort.
1 week dev time.
3-6 months shelf life.
Hundreds of public domain exploits.
"We did it for the LOLs."
TWO TIMELINES >
The evolution of a new species
Credit @halvarflake
SafeSEH
DEP
ASLR
CFG
Isolated Heap
NOZZLE
/GS
SEHOP
RelRO
The MitiGator raises the bar...
...until it sees no more exploits
Credit @halvarflake
A long time ago in a galaxy far, far away...
MICROSOFT STRIKES BACK
2005: Ciscogate – Michael Lynn
https://www.schneier.com/blog/archives/2005/07/cisco_harasses.html
2009: CanSecWest
Photo credit: Garrett Gee
Exploit Development - 2012
2-12 months dev time.
24h to 10d shelf life.
Public domain exploits = zero.
Cost and value of exploits have risen significantly.
•  COMMERCIALIZED
•  WEAPONIZED
•  POLITICIZED
The defenders tried to buy back their bugs...
Bug Bounties: high stakes game
Chris Evans – Pwnium: Element 1337
Bug Bounties tried to fill a REACTIVE need.
Bug Bounties Backfiring?
More Reactive Security
Compliance != Security
Security = "RISK REDUCTION"
Rules
Signatures
Updates
Machine Learning
Existing defense measures do not match attacker tactics.
Attackers don't follow compliance standards and certifications.
The CISO: 2001-2017
In 2001...
CIO: INFOTECH = BUSINESS ENABLER ($$$)
CISO: INFOSEC = RISK REDUCTION (C.Y.A.)
Dear CISO, who is scarier: ATTACKERS or AUDITORS?
It is time we
...not by building firewalls...
@therealsaumil's SEVEN AXIOMS of Security
Intelligence Driven Defense
From REACTIVE to PROACTIVE
Defense doesn't mean Risk Reduction
Seven Axioms of Security: 1
The CISO's job is DEFENSE
Seven Axioms of Security: 1
Compliance is NOT the CISO's job
"Not my circus, not my monkeys"
http://rafeeqrehman.com/2016/10/07/announcing-ciso-mindmap-2016/
90% TIME SPENT ON COMPLIANCE!
In 2017...
CISO: INFOSEC = DEFENSE; DEFEND AGAINST ATTACKERS
CCO (CHIEF COMPLIANCE OFFICER): DEFEND AGAINST AUDITORS
Intelligence begins by COLLECTING EVERYTHING!
Seven Axioms of Security: 2
Collect Everything!
•  Security Data Warehouse: first step towards proactive security.
•  Retention is CHEAPER than Deletion.
•  Importance of HISTORICAL DATA increases exponentially with time.
Sources of Security Intelligence?
Sources of Security Intelligence
"The Universe tells you everything you need to know about it, as long as you are prepared to watch, to listen, to smell, in short to OBSERVE."
Get CREATIVE, Get ORGANIC
ORGANIC SECURITY = Grow It Yourself!
Schrödinger's Hack: Systems exist in both SECURE and HACKED states at the same time.
Seven Axioms of Security: 3
TEST REALISTICALLY
Seven Axioms of Security: 3
Foregone conclusion: "My System Is SECURE"
Test strategy that will lead you to this conclusion:
•  Wait for a new production build.
•  Don't test on production, only on UAT.
•  Perform non-intrusive testing only.
•  X, Y, Z, ... are all out of scope.
•  Test during off-peak hours only.
Can't MEASURE? Can't Use.
Seven Axioms of Security: 4
Why Keep Metrics?
•  To show you are succeeding
–  Corollary: to show you are failing
•  To justify your existence and/or budget
•  To argue for change
•  For fun!
Marcus Ranum
Security Metrics: The Quest For Meaning
IT Defense 2016, Mainz
How to Establish Metrics
•  Look at your process and make a list of what is quantifiable
•  Ask yourself what quantities you are interested in
–  Once things are quantified they go up, or down – which is about the only convenient thing about metrics: they don't go sideways
•  Which is a "good" direction: up or down?
•  Do you know what constitutes a significant movement?
•  Measure and iterate
Marcus Ranum
Security Metrics: The Quest For Meaning
IT Defense 2016, Mainz
Alberto Brandolini @ziobrando (The Bullshit Asymmetry)
Why Metrics Win
•  Often information security becomes what I call a "battle of two narratives"
–  Your opponent has the advantage of lying:
–  "moving this to the cloud will save us $500,000/year!"
–  To defend your narrative you need facts (from metrics) and credible extrapolations (based on metrics) or your opponent controls the narrative! *
* Plan B is to respond with lies of your own
Marcus Ranum
Security Metrics: The Quest For Meaning
IT Defense 2016, Mainz
Users: One Size Fits NONE!
Seven Axioms of Security: 5
"The user's going to pick dancing pigs over security every time."
Bruce Schneier
Technology in the hands of users
@needadebitcard
Identify your target users...
(Chart: number of users vs. infosec maturity, four bands: HOPELESS, UNINFORMED, PROACTIVE, ROCK STARS)
HOPELESS: Always going to be an enigma.
UNINFORMED: If properly guided, these users are willing to improve their usage habits.
PROACTIVE: The next Rock Star users.
ROCK STARS: Leave them alone, and possibly learn from them.
...and improve their maturity
(Same chart: number of users vs. infosec maturity; HOPELESS, UNINFORMED, PROACTIVE, ROCK STARS)
The Best Defense is a CREATIVE Defense.
Seven Axioms of Security: 6
A Creative Defense is an UNEXPECTED Defense.
Seven Axioms of Security: 6
Make Defense VISIBLE, Make Defense COUNT.
Seven Axioms of Security: 7
Visible Defense
•  Improve the User Maturity Curve.
•  Reduce Blue Team's Response Time.
•  Money Saved = Money Earned: consistent reduction in fraud.
•  Produce Creative Defense Tools.
•  Attract Smarter Talent in Infosec.
•  Weekly fitness check...
...The CISO Strength Test
(Capability hierarchy: ASSET INVENTORY; REAL-TIME VISIBILITY OF EVENTS; DETECT UNAUTHORIZED ACTIVITY; CLASSIFY UNAUTHORIZED ACTIVITY; ATTACKER CAPABILITY; DETECT INTRUSIONS; UNCOVER ATTACKERS; TRACK ATTACKERS; DEFEND & RECOVER)
https://github.com/swannman/ircapabilities
Is your Infosec team doing something creative every day?
@therealsaumil
www.net-square.com
Thank You, Drive Through

Redefining Defense - HITB2017AMS Keynote