Welcome to
ScotSecure
2019
#scotsecure
Mark Stephen
BBC Scotland
@bbcscotland
#scotsecure
Ray Bugg
DIGIT
@digitfyi
#scotsecure
Steven Wilson
Europol
@europol
#scotsecure
International
Challenges of
Cybercrime
Investigation
Europol Unclassified- Basic Protection Level
Steven Wilson
Head of EC3
27 March, 2019
Europol Classified – EU RESTRICTED
The Hague, Netherlands
Headquarter
“Europol shall support and strengthen action by the competent authorities of the Member
States and their mutual cooperation in preventing and combating serious crime affecting two
or more Member States, terrorism and forms of crime which affect a common interest covered
by a Union policy”
(Europol Regulation)
Europol’s Mandate
Europol Liaison
Officers in:
• Interpol IGCI
• Interpol IPSG
• Washington DC
Liaison Bureaux Network
EC3’s Core Areas of Responsibility
Decryption Facility
Multi-Faceted Approach to Countering Cybercrime
❖ Internet Security
❖ Financial Services
❖ Academic Advisory Network
❖ Cybercrime Prevention
Network
❖ Communication Providers
❖ Forensic Expert Forum
SOCTA
IOCTA
Strategic
Plans
Operational
Actions
Evaluation
IOCTA 2018 – Key Threats & Trends
• Card-not-present fraud dominates payment fraud, but skimming continues
• DDoS continues to plague public and private organisations
• Ransomware retains its dominance
• Social engineering still the engine of many cybercrimes
Major Cross-Border Cyber-Attacks
• WannaCry Ransomware Attacks (May 2017)
• NotPetya Malware Attacks (June 2017)
Avalanche
• 5 arrests in 4 countries
• 37 searches in 7 countries
• 39 servers seized in 13 countries
• 221 servers taken offline
• 64 TLDs
• 800,000 domains in 26 countries
• Victim remediation in 189 countries
• Awareness raising and prevention
Cyber Attacks in the News
Convergence of Criminality
• Script Kiddies
• Serious Organised Crime
• Nation States
• Cyber Criminals
Joint Cybercrime Action Taskforce (J-CAT)
Identification
of priorities
Investigative
opportunities
INVESTIGATION
Chairmanship: Netherlands Vice-Chairmanship: US FBI
24/7 Permanent Taskforce
Operating from Europol HQ together with EC3
Taskforce Members: 17 LEA Agencies from 15 Member Countries
(9 EU MS, 6 TP) + Europol’s EC3
EU Law Enforcement Emergency Response
Protocol (LE ERP)
To support the EU MS LEA in providing
immediate response to major cyber-attacks
(in line with nation-level crisis management
mechanisms)
To facilitate collaboration and coordination with
other key players (public & private)
To provide the law enforcement contribution to
the EU crisis management structures
1
2
3
4
European Money Mule Action IV (Sep - Nov 2018)
❖ Cooperation with Eurojust, 30 countries, the EBF, 300+ banks and other private-sector partners
❖ Money muling awareness campaign #DontBeaMule to alert the public
❖ 26,376 Money mule transactions reported (preventing losses of more than 36 million Euros)
❖ 168 Arrested, 1504 Money mules and 140 money mule organisers identified
No More Ransom
• 136 Partners
• Website available in 36 languages
• 68 tools capable of decrypting 99 ransomware families
• > 72,000 devices successfully decrypted
• 2017 SC Magazine Editor’s Choice Award
Single Police Force
SBRC
University/LE Cooperation
Developing Industry
Scot in Europe – Perspective
What can Scotland do?
Scottish Business
Resilience Centre
Police Scotland
Cyber Hubs
Cyber Scotland:
education, skills &
awareness
Thank you
Alison Vincent
Valiha Consultancy
@draliv
#scotsecure
THE HUMAN FIREWALL
DR ALISON VINCENT
@draliv
THE FUTURE IS CLOSER THAN WE THINK
INTERNET OF THINGS (IOT)
POLITICAL LANDSCAPE CHANGING
En garde! 'Cyber-war has begun' – and France will hack first, its defence sec declares
Poland unveils details of plan for new cyber defence force
90% of malware infections
Tuesday Versus Friday
1 : 20
72% of data breaches
Malicious – acts intentionally
Negligent – is sloppy
Compromised – acts unintentionally
77%
$30
+
Process.
Technology.
People.
IMPACTS ON AN ORGANISATIONAL STRATEGY
The Board
The Executive
Employees/Leaders
Customers/Supply Chain
FOCUS ON RISKS (NOT THREATS)
The Board
• Cyber Awareness Training
• Cyber Simulation Walk throughs
• Balanced Board reporting
The Executive
• Cyber Awareness Training
• Include Executive Assistants
• Target internal Phishing Campaigns
• Digital Footprinting
Employees/Leaders
• Cyber Awareness Training
• Internal Phishing Campaigns
• Video sound bites
• Secure SDLC tooling
• Gamification for apps developers
Customers/Supply Chain
• Cyber Awareness Training
• Video sound bites
Mark Mitchell
Check Point
@draliv
#scotsecure
©2019 Check Point Software Technologies Ltd.
SWITCHING SIDES: Transitioning from Consumption to Supply
Mark Mitchell, Security Engineer
Agenda
• Background
• Walls: Disrupt and Prevent
• Turning up for the wrong war
• Solutions
Me
• Background in both Commercial and Academic Sectors
• Trained Archaeologist
• Old enough to remember people being excited by Windows 95
WALLS: DISRUPT AND PREVENT
A History of Walls
What happens when the thinking gets stale?
TURNING UP FOR THE WRONG WAR
2018
The Global Risks Report 2018
Where are we?
Timeline: 1990, 2000, 2010, 2015, 2017
Gen I: Virus
Gen II: Networks
Gen III: Applications
Gen IV: Payload
Gen V: Mega
Enterprises are between Gen 2-3
2.8
Only 3% of IT Security Professionals Are at Gen V
Cyber Security Generations Analysis (market research)
[Bar chart. Categories: Gen 1: AV only; Gen 2: FW+AV; Gen 3: FW+AV+IPS; Gen 4: All+Sandboxing+Anti Bot; Gen 5: All+Sandboxing in prevention mode+mobile+cloud. Values shown: 89%, 97%, 98%, 10%, 3%.]
Source: Cyber Security Generations Survey among IT Professionals, March 2018, N=300
76% Experienced Attacks In Multiple Vectors (More than one vector**)
[Bar chart: Number of Different Attack Vectors. One: 24%; Two: 29%; Three: 33%; Four: 10%; Five: 4%.]
** Vectors - PC, On-premise data Center, Cloud, Mobile, IoT
Source: Cyber Security Generations Survey among IT Professionals, March 2018, N=300
PROTECTED
NOT
PROTECTED
LET’S LOOK AT WHAT ORGANIZATIONS USE TODAY
NETWORK SANDBOXING MOBILE SECURITY
93% 99% 98%
CLOUD SECURITY
87% 96% 91%
2017 2017 20172016 2016 2016
BUT WE ARE STILL NOT USING THE MOST EFFECTIVE SECURITY !
86% more
300% more
350% more
DRAMATIC INCREASE IN PROTECTION
HOW ARE WE APPROACHING CYBER SECURITY TODAY?
ARE WE READY FOR THE FUTURE OF CYBER THREATS?
ARCHITECTURE A
MULTI-VENDOR, ATTACK DETECTION AND MITIGATION
Technology B
Technology C
Mitigation Tools
Breach Detection and Remediation
USING POINT SOLUTIONS…
“Attacks are inevitable, so we might as well mitigate the damage”
POINT SOLUTIONS: Too many disparate technologies
INHERENT GAPS: Incomplete coverage between solutions
POST BREACH: Detection & mitigation tools to minimize the damage
We All Need Protection
ARCHITECTURE A
MULTI-VENDOR, ATTACK DETECTION AND MITIGATION
Technology B
Technology C
Mitigation Tools
Breach Detection and Remediation
ARCHITECTURE B
UNIFIED ARCHITECTURE
Next Generation Firewall
Threat Prevention (AV, IPS)
Advanced Threat Prevention
Cloud Mobile Networks
FOCUS ON PREVENTION
SOLUTIONS
Possible Solution
• Internal Communication
• Read Communication
• Read and Research
• Policy and Process
• Collaborate
• Think like a bad guy
• Detect and Prevent
• And remember…
THANK YOU
Jon Hope
Sophos
@JonHope_Sophos
#scotsecure
See The Future….
Jon Hope
Senior Sales Engineer – UK&I
Today’s Approach to IT security is falling behind
Rogue/Fake Antivirus
Locker Ransomware
Crypto-Ransomware (Cryptolocker) (2013)
Crypto-worms (2017)
.CryptoHasYou., 777, 7ev3n, 7h9r, 8lock8, Alfa Ransomware, Alma Ransomware, Alpha Ransomware, AMBA, Apocalypse, ApocalypseVM,
AutoLocky, BadBlock, BaksoCrypt, Bandarchor, Bart, BitCryptor, BitStak, BlackShades Crypter, Blocatto, Booyah, Brazilian, BrLock,
Browlock, Bucbi, BuyUnlockCode, Cerber, Chimera, CoinVault, Coverton, Cryaki, Crybola, CryFile, CryLocker, CrypMIC, Crypren, Crypt38,
Cryptear, CryptFile2, CryptInfinite, CryptoBit, CryptoDefense, CryptoFinancial, CryptoFortress, CryptoGraphic Locker, CryptoHost,
CryptoJoker, CryptoLocker, Cryptolocker 2.0, CryptoMix, CryptoRoger, CryptoShocker, CryptoTorLocker2015, CryptoWall 1, CryptoWall 2,
CryptoWall 3, CryptoWall 4, CryptXXX, CryptXXX 2.0, CryptXXX 3.0, CryptXXX 3.1, CTB-Faker, CTB-Locker, CTB-Locker WEB,
CuteRansomware, DeCrypt Protect, DEDCryptor, DetoxCrypto, DirtyDecrypt, DMALocker, DMALocker 3.0, Domino, EDA2 / HiddenTear,
EduCrypt, El-Polocker, Enigma, FairWare, Fakben, Fantom, Fonco, Fsociety, Fury, GhostCrypt, Globe, GNL Locker, Gomasom, Goopic,
Gopher, Harasom, Herbst, Hi Buddy!, Hitler, HolyCrypt, HydraCrypt, iLock, iLockLight, International Police Association, JagerDecryptor,
Jeiphoos, Jigsaw, Job Crypter, KeRanger, KeyBTC, KEYHolder, KimcilWare, Korean, Kozy.Jozy, KratosCrypt, KryptoLocker, LeChiffre,
Linux.Encoder, Locker, Locky, Lortok, LowLevel04, Mabouia, Magic, MaktubLocker, MIRCOP, MireWare, Mischa, MM Locker, Mobef,
NanoLocker, Nemucod, NoobCrypt, Nullbyte, ODCODC, Offline ransomware, OMG! Ransomware, Operation Global III, PadCrypt, Pclock,
Petya, PizzaCrypts, PokemonGO, PowerWare, PowerWorm, PRISM, R980, RAA encryptor, Radamant, Rakhni, Rannoh, Ransom32,
RansomLock, Rector, RektLocker, RemindMe, Rokku, Samas-Samsam, Sanction, Satana, Scraper, Serpico, Shark, ShinoLocker, Shujin,
Simple_Encoder, SkidLocker / Pompous, Smrss32, SNSLocker, Sport, Stampado, Strictor, Surprise, SynoLocker, SZFLocker, TeslaCrypt 0.x -
2.2.0, TeslaCrypt 3.0+, TeslaCrypt 4.1A, TeslaCrypt 4.2, Threat Finder, TorrentLocker, TowerWeb, Toxcrypt, Troldesh, TrueCrypter, Turkish
Ransom, UmbreCrypt, Ungluk, Unlock92, VaultCrypt, VenusLocker, Virlock, Virus-Encoder, WildFire Locker, Xorist, XRTN, Zcrypt, Zepto,
Zimbra, Zlader / Russian, Zyklon
200+ Crypto-Ransomware Families
"You can't solve a problem on the same level that it was created. You have to rise above it to the next level."
- Albert Einstein
Synchronized Security is Better Security
Nick Ross
Sales Engineering UKI
Sophos History
Evolution to Synchronized Security
Founded in Abingdon
(Oxford), UK
Divested non-core Cyber
business
Acquired
DIALOGS
Acquired
Astaro
2011 2012 2013
Acquired
Utimaco
Safeware AG
2008
First
checksum-
based
antivirus
software
Peter Lammer Jan Hruska
c1985 c1985
1985 1988 1989
First signature-
based antivirus
software
1996
US presence
established in Boston
Voted best
small/medium sized
company in UK
Acquired
ENDFORCE
2014
Acquired
Cyberoam
Acquired
Mojave
Networks
Acquired
Barricade
IPO London
Stock Exchange
Launched
Synchronized Security
2007 2015
Acquired
Surfright
2017
Acquired
Invincea
2016
Acquired
PhishThreat
Acquired
Reflexion
2019
Acquired
Avid Secure
Acquired
DarkBytes
Synchronized Security: Better Security
Wireless
Web
Email
UTM
Next-Gen Firewall
File Encryption
Disk Encryption
Endpoint
Next-Gen Endpoint
Mobile
Server
Analytics
Unparalleled protection against advanced threats
Significantly reduced incident response time
User Training
“No other company is close to delivering this type of communication between endpoint and network security products.”
Chris Christianson, vice president of security programs, IDC
Proven Technology in Key Areas
Gartner Magic Quadrant: UNIFIED THREAT MANAGEMENT
Gartner Magic Quadrant: ENDPOINT PROTECTION PLATFORMS
The Forrester Wave™: ENDPOINT ENCRYPTION
The Forrester Wave: Endpoint Encryption, Chris Sherman, 16 Jan 2015
UPDATE
Magic Quadrant for Unified Threat Management, Jeremy D'Hoinne, Rajpreet Kaur, Adam Hils, 20 June, 2017
Magic Quadrant for Endpoint Protection Platforms, Ian McShane, Avivah Litan, Eric Ouellet, Prajeet Bhajanka; 24 January, 2018
Survey Report on News.Sophos.com
Customer expectations are NOT being met
Visibility
45% of traffic is going unidentified on average
Response
7 days every month spent responding to and fixing infected systems
Protection
16 infections per month on average
What Network Admins Say are their top 3 complaints with their current firewall…
Source: Survey conducted by Vanson Bourne, November 2017 of 2,700 IT decision makers in organizations from 100-5000 users in 10 countries across 5 continents
So what are these Expectations?
Visibility Protection Response
What REALLY scares the admin?
Cloud Apps Visibility
Unknown Apps
Reporting
Ransomware Defence
Zero-day Exploits
Lateral Movement
Response Time
Co-ordinated Threat Defence
Source: Presenter’s own suppositions and musings
The Solution – Synchronized Security
Visibility Protection Response
Key Advantages
✓ Synchronized Application Control
✓ CASB Cloud App and Data Visibility
✓ IoT Discovery and Classification (coming soon)
Key Advantages
✓ Deep Learning in Sophos Sandstorm
✓ Top-rated IPS Engine by NSS Labs
✓ IPS & App Control Smart Lists
New Networking, VPN, and Management Features
✓ Firewall Rule Management
✓ Policy Test Simulator
✓ Unified Log Viewer
✓ IKEv2 VPN Support and Template
✓ Wildcard FQDN Support
✓ Azure High Availability
✓ DUO Multi-factor Authentication
✓ Airgap Support (coming soon)
✓ Chromebook SSO (coming soon)
Management of XG Firewall in Sophos Central
Key Advantages
✓ Security Heartbeat
✓ Lateral Movement Prevention (coming soon)
Visibility
The App Control Problem
On Average…
IT Managers cannot account for how 45% of their bandwidth is consumed
• Firewall app control is signature based
• The app world is constantly evolving
• Some apps intentionally change to avoid detection
• Some app traffic is too generic (HTTP/HTTPS)
An Elegant Solution
Security Heartbeat™
Synchronized App Control
1. Unknown Application: XG Firewall sees app traffic that does not match a signature
2. Endpoint Shares App Info: Sophos Endpoint passes app name, path and even category to XG Firewall for classification
3. Application is Classified & Controlled: Automatically categorize and control where possible or admin can manually set category or policy to apply.
Internet
XG Firewall
Sophos Endpoints
CASB - Cloud App Visibility
Visibility
CASB = Cloud Access Security Broker
CASB
Security Heartbeat™
Provides visibility, control, and protection to Cloud Applications & Data in the Cloud
Control Center Widget
• Quick view on the dashboard
• Block unsanctioned apps
• Guarantee service to critical apps via QoS
• Report on app usage
Response
Security Heartbeat
Synchronized Security - Automatic Response
Security Heartbeat™
XG Firewall, Sophos Central, Servers
Security Heartbeat™ links Endpoints with the firewall to monitor health and immediately share the presence of threats.
Instant Identification
Security Heartbeat can instantly share telemetry about the user, systems and process responsible
Automated Response
Automatically isolate, or limit network access, and encryption keys for compromised systems until they are cleaned up
Internet
XG Firewall Endpoints
Lateral Movement Protection
Firewall instantly informs all other endpoints to ignore any traffic from compromised device.
All Avenues Closed
Disable Sophos Security
Red Health sent through HB
System Isolates Endpoint
Disable Heartbeat
FW detects Missing Heartbeat
System Isolates Endpoint
Leaves Sophos Security alone
Sync Security detects everything they do and cuts the communication stream
It Just Works!
“It only took 2 minutes to find out that everything was under control. Sophos XG Firewall detected the threat and Security Heartbeat allowed the infected host to be immediately identified, isolated and cleaned up. Instead of going into fire drill mode, we were able to relax and finish our lunch.”
DJ Anderson, CTO, Iron Cloud
It’s Flexible!
Security Heartbeat™ & Synchronized App Control
Firewall Replacement
Inline
Discover Mode
Questions?
Dr Kami Vaniea
University of Edinburgh
@draliv
#scotsecure
The Human Factors
Dr Kami Vaniea
@kaniea
kvaniea@inf.ed.ac.uk
University of Edinburgh
How do I get the scissors out?
“Easy” to dismiss by hitting X …
Except that hitting X means “I accept”
If you want to find usability problems, look for signs.
First reaction: Pull
Sign says: Push
Context matters
Why do we involve users in decisions?
Because they have contextual knowledge the computer doesn’t have.
Good security decisions involve balancing many contextual factors with risks.
My Point:
Good security decisions are contextual and require balancing risks with benefits.
Flicker SalFalko
• Encryption
• Usability
• Trust
• User focus
• Habituation
• Effectiveness
Unexpected security threats
Three reasons people don’t use security or privacy technologies
1. They do not care about security and privacy
2. They do not know about security or privacy issues
3. They cannot use security and privacy technologies
Perceptions of online threats (Kaspersky)
Folk Models of Hackers
• Digital graffiti artists
• Burglars who break into computers for criminal purposes
• Criminals who target big fish
• Contractors who support criminals
Wash, Rick. "Folk models of home computer security." Proceedings of the Sixth Symposium on Usable Privacy and Security. ACM, 2010.
Which of these URLs goes to Facebook?
✓ https://profile.facebook.com
✘ https://facebook.profile.com
April 1, 2019
profile.facebook.com
facebook.profile.com
Mix of approaches
Security champions
• Find and encourage people who are already in teams and already believe in security
Actionable guidance for users
• Provide guidance that users are able to follow
• Consider lost work, not just security
• Think through what following guidance requires
Express trust in employees
• Rules are there so you think before breaking them
Embedded training
• Put the “training” in the environment
• VERY challenging because it requires the tech people to do this right ☺
Questions?
Bridget Kenyon
Thales e-security
@bridgetkenyon
#scotsecure
It’s Alive!!
Realising an Effective Information Security Risk Framework
Bridget Kenyon Global CISO, Thales eSecurity
Anatomy
A. Setting your risk objectives, strategy and vision
B. Designing a framework that delivers for your environment
C. Planning, implementation and testing
D. Key challenges and obstacles
E. Evaluating progress
“Nothing is so painful to the human mind as a great and sudden change.”
– Mary Shelley, Frankenstein
A. Risk objectives, strategy and vision
• Who are your stakeholders? What do they value? How and when is their
performance measured? Why?
• Pin down context: business objectives and strategy
• Derive security objectives (SMART)
• Write strategy to deliver these objectives
• Use objectives and strategy to define vision
Sample objectives
• Comply with legal, contractual and regulatory obligations
• Maintain/improve reputation with stakeholders
• Balance risk against opportunity
• Operate ethically
Sample strategy statements
• Treat information/cyber risk as part of our business risk
• Use security as a competitive differentiator
• Build on what we already have
• Design in security from the beginning
• Prioritise investment according to risk, requirements and potential rewards
Sample vision statements
• We show respect for customers and staff by protecting their information
• Cyber security is an enabler for our business
• We are resilient in a challenging online world
• We care about, respect and protect information
B. Designing a framework
B. Identifying a framework
C. Plan, implement, test
• Use project and change management methodologies
• Keep it lightweight:
• Adapt existing processes, make security part of BAU
• Budget for ongoing management of security
• Measure business outcomes
D. Challenges and obstacles
Issue: Decision making shortcuts: behavioural economics, System 1 thinking: “IT should do this”, “It hasn’t happened to us yet”
Suggestion: Do not demonise; Nudge techniques
Issue: Supply chains
Suggestion: Transparency; Join up the links
Issue: Personal vs organisational risk appetite
Suggestion: Focus on business priorities; Use structured risk assessment approach
Issue: Re-scoping of projects
Suggestion: Monitor outcomes and reinforce expectations
E. Evaluating progress
Top level metrics should:
• Map to business requirements
• Be amenable to “drill down” questions
• Use case studies and anecdotes
• Be actionable
Sample metrics
• Gap analysis vs key requirements (project, burn-down)
• Percentage of business processes with information risk management integrated (project, burn-down)
• Value At Risk (BAU, against target)
• Running costs vs costs avoided (BAU, comparison)
• Revenue derived from security improvements
Benchmarking
• Find comparable organisations
• Look at longitudinal (historical) data as well as right now
• What worked for the other organisation, and why?
• What did NOT work, and why?
• Beware of pet topics
Conclusion
• Focus on the business and its direction
• Build on what you already have
• Identify the best existing framework for your current situation
• Take account of behavioural drivers
• Learn from others
Thank you for your time!
Any questions?
Prof Bill Buchanan
Napier Uni
@billatnapier
#scotsecure
Panel Discussion
Dr Kami Vaniea – Uni of Edinburgh
Prof Bill Buchanan – Napier
Bridget Kenyon – Thales e-Security
Steve Johnson – Orion Health
#scotsecure
Drinks &
Networking
#scotsecure
TAKE THE RED PILL
STEVE JOHNSON | MARCH 2019
What’s all the fuss about?
Primary Care & Out of Hours
Social Care & Council
Hospice & Third Sector
Pharmacy
Ambulance
Hospital
Community & Mental Health
Citizen & Carer Access
Role-based Access
Single Citizen Record
Contributing to the Record
Managing Care
Contributing to the Record
Engaging in Care
A CLOSER LOOK…
Collect
Detect
Predict
Control
Smart systems | The evolutionary path
Device software
Device hardware
Administration & security
External data services
Macro system integration
Smart product applications
Rules / analytics engine
Application platform
Service database (data lake)
Now it’s your turn…
Data Hygiene
Abraham Wald
1902 - 1950
The take-away…
My mind is like my internet browser:
I have 19 tabs open,
3 are frozen,
and I’ve no idea where the music is coming from…
Page 195 • 2018 © Orion Health™ group of companies
Blue Team Operations:
Hunting for the 1%
Ian McGowan
Managing Consultant
CHALLENGES
BLUE TEAM OPERATIONS
THREAT ACTORS
CYBER THREAT INTELLIGENCE
ACTIONABLE INTELLIGENCE
Modern threats take their time and leverage the holistic attack surface
The Cyber Attack Lifecycle
• Environmental Awareness
• Reconnaissance & Probing
• Delivery & Attack
• Exploitation & Installation
• System Compromise
Challenging Attack Surface
• Digital Transformation
• Complex Systems
• ‘Protect’ Focused Budgets
• False Positives
Blue Team Operations
Detection & Response Times
High Vulnerability Low Vulnerability
Months
Days
Hours
Minutes
Weeks
MTTD & MTTR
Exposed to Threats Resilient to Threats
Defensive Monitoring
Detection to Response
TIME TO DETECT, TIME TO RESPOND
Logging, Respond, Triage, Analysis, Recover, Defend
• Point Solutions
• Central Database
• Log & Event Correlation
• Threat Hunting
• Assess Threat
• Determine Priority
• Threat Analysis
• Chain of Evidence
• Orchestration and Automation
• Contain and Eradicate
• Lessons Learned
• Reporting
Threat Hunting
• Methodology
• Technology
• Skilled People
• Threat Intelligence
Incident Response
VPNFilter Malware
• Advanced Modular Malware
• Code Reuse from APT28
• ~500K SOHO Devices
• 54 countries
• Destructive Capability
Threat Intelligence
Intelligence Lifecycle
COLLECTION ANALYSIS PROCESSING DISSEMINATION
Intelligence Lifecycle Output
COLLECTION: Feeds, Incidents, Notifications
ANALYSIS: Intel Quality, Validity, Life
PROCESSING: Intel packages, indicators, TTPs
DISSEMINATION: Endpoints, NetFlow, NGFW
300+ Full Time Threat Intel Researchers
Millions Of Telemetry Agents
4 Global Data Centers
1100+ Threat Traps
100+ Threat Intelligence Partners
Threat Intel
Honeypots
Open Source Communities
Vulnerability Discovery (Internal)
Product Telemetry
Internet-Wide Scanning
20 Billion Threats Blocked
Intel Sharing
Daily Intelligence Flow
Customer Data Sharing Programs
Provider Coordination Program
Open Source Intel Sharing
3rd Party Programs (MAPP)
Industry Sharing Partnerships (ISACs)
500+ Participants
3.4 Billion AMP Queries
130 Billion DNS Requests
16 Billion Daily Web Requests (CWS/WSA)
Threat Intelligence Dissemination
Actionable Intelligence
Network Endpoint Cloud
Next-Gen IPS
NetFlow
IOC Sharing
EPP
EDR
Email Security
Web Security
Cloud Access Brokering
Cloud Workload Protection
Intrusion Detection
Firewalls
Actionable Intelligence
Pre-Positioning Defences
Augmenting your strategy, tactics and operations with a high-fidelity threat intelligence feed will improve your intrusion detection by preparing you for the most likely attack scenarios.
Attack Surface
Cyber Kill Chain by Lockheed Martin
MITRE ATT&CK Framework
• Adversary TTPs
• Threat Modelling
• Identify Gaps
• Prioritise Risk Mitigation
• Adversary Emulation
Addressing the Overlap
Attack Surface
Threat Intelligence
Blue Team Operations
• Silver Bullets
• Strong Fundamentals
• Kill Chain & ATT&CK
• Threat Model
• Actionable Intelligence
Thank-you!
Fight the Good Fight Against the Bad Bots
SCOT-SECURE 27 MARCH 2019
PRESENTED BY:
David Warburton, Senior Threat Research Evangelist
F5 Networks
Attack Automation Is the Single Biggest Threat
$2.3 billion in account takeover losses (2016)
48.2% Humans
28.9% Bad Bots
22.9% Good Bots
1.2% Monitoring Bots
2.9% Commercial Crawlers
6.6% Search Engine Bots
12.2% Feed Fetchers
24.3% Impersonators
1.7% Scrapers
0.3% Spammers
2.6% Hacker Tools
229 | © F5 NETWORKS
Humans vs Good Bots vs Bad Bots BY INDUSTRY (% of Traffic)
Industry Bad Bots Good Bots Human
Travel (no Airlines) 4.50% 3.46% 92.04%
Real Estate 12.44% 37.21% 50.35%
Insurance 12.88% 18.65% 68.47%
Adult Entertainment 17.57% 0.47% 81.95%
Travel (incl. Airlines) 19.24% 2.51% 78.25%
Ecommerce 21.45% 16.49% 62.05%
Tickets 22.97% 7.82% 69.21%
Healthcare 24.37% 57.58% 18.04%
Financial 24.66% 4.35% 70.99%
Airlines 43.90% 0.93% 55.18%
Gambling 53.08% 0.09% 46.80%
Source: GlobalDots Bad Bot Report 2018
230 | © F5
NETWORKS
Ratio of Bad Bots to Good Bots by Site Size
Large Sites Medium Sites Small Sites Tiny Sites
38.1%
61.9%
44.4%
55.6%
65.3%
34.7%
56.1%
38.9%
Bad Bots Good Bots
Source: GlobalDots Bad Bot Report 2018
Bot Attack Tools
Headless Chrome
Sentry MBA
Thingbots: Multi-purpose Attack Bots
2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018
7 Bots
SORA
OWARI
UPnPProxy
OMNI
RoamingMantis
Wicked
VPNFilter
Mirai
BigBrother
Rediation
1 Bot
3 Bots
Remaiten
1 Bot
Moon
1 Bot
Aidra
1 Bot
Hydra
2 Bots
WireX
Reaper
3 Bots
Satori Fam
Amnesia
Persirai
1 Bot
Brickerbot
6 Bots
Masuta
PureMasuta
Hide ‘N Seek
JenX
OMG
DoubleDoor
1 Bot
Crash override
1 Bot
Gafgyt
Family
2 Bots
Darlloz
Marcher
1 Bot
Psyb0t
4 Bots
Hajime
Trickbot
IRC Telnet
Annie
Shifting from primarily
DDoS to multi-purpose
Crypto-miner
DDoS
PDoS
Proxy Servers
Unknown…
Rent-a-bot
Credential Collector
Install-a-bot
Multi-purpose Bot
Fraud trojan
ICS protocol monitoring
Tor Node
Sniffer
Thingbot Attack Type
DNS Hijack
Username Password Username Password Username Password Username Password
support support 10101 10101 root root tomcat tomcat
root root dbadmin admin support support PlcmSpIp PlcmSpIp
admin admin123 butter xuelp123 admin admin123 sshd sshd
ubnt ubnt ftpuser asteriskftp ubnt ubnt monitor monitor
usuario usuario PlcmSpIp PlcmSpIp service service butter xuelp123
service service tomcat tomcat usuario usuario mysql mysql
pi raspberry hadoop hadoop pi raspberry hadoop hadoop
user user mysql mysql user user user1 user1
guest guest vagrant vagrant test test cisco cisco
test test jenkins jenkins guest guest vagrant vagrant
mother f***** www www mother f***** 101 101
supervisor supervisor a a oracle oracle ts3 ts3
git git apache apache operator operator FILTER**** FILTER****
0 0 minecraft minecraft supervisor supervisor apache apache
ftp ftp testuser testuser ftp ftp telnet telnet
operator operator ts3 ts3 git git jenkins jenkins
oracle oracle backup backup ubuntu ubuntu Management TestingR2
osmc osmc vnc vnc nagios nagios www www
ubuntu ubuntu deploy deploy postgres postgres zabbix zabbix
default 1 odoo odoo uucp uucp backup backup
monitor monitor user1 user1 Admin admin anonymous any@
postgres
nagios
postgres
nagios
alex
zabbix
alex
zabbix
ftpuser
Root
asteriskftp a
osmc
a
osmc
1111 1111 10101 10101 1234 <Any Pass> tomcat tomcat
api api dbadmin admin PlcmSpIp PlcmSpIp
Source: The Hunt for IoT: The Growth and Evolution of Thingbots Ensures Chaos, F5 Labs, March 2018
Observed in active attacks
Defaults not changed
87% of credentials: Username = Password
Top 50 Attacked Credentials
Q3 2017 Q4 2017
Attacks Targeting Europe (last 90 days)
Protocol
SIP (5060)
SMB (445)
ICS (2222)
HTTPS (443)
RDP (3389)
SQL (1433)
SSH (22)
HTTP (80)
MySQL (3306)
Telnet (23)
SIP-TLS (5061)
Port 54184 (54184)
Remote Framebuffer (5900)
Port 8291 (8291)
DSL Forum CWMP (7547)
Port 5902 (5902)
HTTP Alternate (see port 80) (8080)
Simple Mail Transfer (25)
NETBIOS (139)
Port 8545 (8545)
Shifting Sources
Previously unseen
IP addresses
100% 80%
Previously unseen
networks (ASN)
Attack web and
mobile apps
Launch denial of service
Scan for vulnerabilities
(reconnaissance)
Infect users with malware
Account takeover
and fraud
Web scraping and
theft
What Do Malicious Bots Do?
77%
of web app
attacks start from
botnets
How Do Bots Attack the App Layer?
USERNAME
Account
Takeover
• Credential
stuffing
• Credential
cracking
• Account
aggregation
• Account
creation
Payment
Card Data
• Carding
• Card
cracking
• Cashing out
Vulnerability
Scanning
• Vulnerability
scanning
• Footprinting
• Fingerprinting
DoS / Resource
Hoarding
• Scalping
• Denial of
inventory
• Denial of
service (DoS)
• Sniping
• Expediting
Content
Theft
• Content
scraping
Other
Attacks
• Ad fraud
• CAPTCHA
defeat
• Skewing
• Spamming
• Token
cracking
70
MILLION
427
MILLION
150
MILLION
3
BILLION
117
MILLION
3 out of 4
“Nearly 3 out of 4 consumers use duplicate passwords, many of which have not been changed in five years or more.” (2)
In the last 8 years more than 7.1 billion identities have been exposed in data breaches (1)
1) Symantec Internet Security Threat Report, April 2017
2) Password Statistics: The Bad, the Worse and the Ugly, Entrepreneur Europe
Credential Stuffing
USERNAME Credit Card
Data
USERNAME Intellectual
Property
USERNAME Healthcare
Data
USERNAME Passport
Data
USERNAME Financial
Data
USERNAME
USERNAME
USERNAME
USERNAME
USERNAME
USERNAME
USERNAME
USERNAME
USERNAME
USERNAME
USERNAME
USERNAME
Credentials from
Previous Breaches
USERNAME USERNAME
Account Takeover ‒ Credential Stuffing
Attackers must automate to find weaknesses for manual probing
Bots allow attackers to scale their operations
Many reconnaissance tools available
• Shodan, publicwww.com, BuiltWith.com, etc.
• Network mappers (Nmap)
• WGET, SQLMap, etc.
• Headless browsers (Phantom.js, Selenium)
Vulnerability Scanning
Shortcomings of Today’s Approach
Code-level
security
Difficulty differentiating between
humans and modern bots
Lags behind rapid pace
of bot evolution
IP
blocking
Sheer volume of IPs
difficult to track and block
Ineffective at blocking
TOR-based bots
Traditional
WAF
Designed to protect against
OWASP Top 10
Rely solely on captcha for
bot protection
What is Required for Accurate Bot Detection?
Bot Signatures
+ DNS Checks
JS Challenge
+ Browser
Fingerprinting
Browser
Capabilities Human
Detection
Optional
CAPTCHA Anomalies
Server should not receive traffic
Detect GET flood
attacks against
Heavy URIs
Identify non-human
surfing patterns
Fingerprint to
identify beyond
IP address
Operating system
Geolocation
Browser
• Screen size and colour depth
• Plugin details
• Time zone
• HTTP_ACCEPT headers
• Language
• System fonts
• Touch support
• Extensions
Behavioural Analysis and Fingerprinting
Customer Internet
First time request to web server:
WAF responds with injected JS
Request is not passed to the server
Server
WAF verifies response authenticity
Cookie is signed, time stamped,
and fingerprinted
No challenge response from bots
Bots are dropped
Valid response is sent to the server
WAF
JS
JS
JavaScript Based Bot Detection
LEGITIMATE BROWSER VERIFICATION
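The verification step on this slide (a cookie that is signed, time stamped and fingerprinted), as an added example that is not from the presentation or from any F5 product. The HMAC-SHA256 construction, cookie layout, 300-second lifetime, key, attribute names and function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import time

# Assumptions (not from the slides): key, lifetime, cookie layout, attribute names.
SECRET_KEY = b"constructed-demo-key"  # constructed; a real key is random and rotated
MAX_AGE_SECONDS = 300                 # how long a solved challenge stays valid
CLOCK_SKEW_SECONDS = 5                # tolerated clock drift for "issued in the future"


def fingerprint(attrs):
    """Hash client attributes of the kind the slides list (screen, time zone, ...)."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def sign(payload):
    """HMAC-SHA256 over 'timestamp.fingerprint' with the proxy's secret key."""
    return hmac.new(SECRET_KEY, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_cookie(attrs, now=None):
    """Issued once the injected JS has run and reported the client's attributes."""
    issued = int(time.time() if now is None else now)
    payload = f"{issued}.{fingerprint(attrs)}"
    return f"{payload}.{sign(payload)}"


def verify_cookie(cookie, attrs, now=None):
    """Return (ok, reason). The signature is checked before any field is trusted."""
    if not cookie:
        return False, "no_challenge_response"
    parts = cookie.split(".")
    if len(parts) != 3:
        return False, "malformed"
    issued_s, fp, sig = parts
    expected = sign(f"{issued_s}.{fp}")
    # Compare as bytes in constant time; bytes also tolerate non-ASCII input.
    if not hmac.compare_digest(sig.encode("utf-8"), expected.encode("utf-8")):
        return False, "bad_signature"
    try:
        issued = int(issued_s)
    except ValueError:
        return False, "malformed"
    current = int(time.time() if now is None else now)
    if issued > current + CLOCK_SKEW_SECONDS or current - issued > MAX_AGE_SECONDS:
        return False, "expired"
    # Binding to the fingerprint stops a cookie solved on one client
    # from being replayed by a fleet of different clients.
    if not hmac.compare_digest(fp.encode("utf-8"), fingerprint(attrs).encode("utf-8")):
        return False, "fingerprint_mismatch"
    return True, "ok"


def waf_decision(cookie, attrs, now=None):
    """Map the slide's flow onto three outcomes for one incoming request."""
    if not cookie:
        # First-time request: answer with the JS challenge, do not touch the server.
        return "challenge"
    ok, _reason = verify_cookie(cookie, attrs, now=now)
    # Valid response goes to the server; anything else is dropped at the proxy.
    return "forward" if ok else "drop"


if __name__ == "__main__":
    # Constructed sample attributes, not captured from a real browser.
    browser = {"screen": "1920x1080x24", "time_zone": "UTC+0",
               "language": "en-GB", "touch": False}
    cookie = issue_cookie(browser, now=1000)
    print(waf_decision(None, browser))                      # challenge
    print(waf_decision(cookie, browser, now=1100))          # forward
    print(verify_cookie(cookie, browser, now=1301))         # expired
    replayed = dict(browser, time_zone="UTC+8")
    print(verify_cookie(cookie, replayed, now=1100))        # fingerprint mismatch
```

A client that never executes the JavaScript never obtains a cookie, so it keeps receiving the challenge and its requests never reach the server.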
Appliances Virtual Edition Managed Services Cloud Edition Managed Rules
Behaviour analytics
+ Bot protection
+ App-level encryption
+ Anti-bot mobile SDK
Advanced WAF
Mobile
users
Attackers
Bots
Desktop
users
Bot Management Solution
DEPLOYMENT MODELS
Network
Floods
Malformed
Requests
Scanners
and Bots
Known Bad
Hosts
Workflow
Enforcement
WAF
Reduce Cloud Costs
AI and Future Bots
Classify and control
increasingly
automated traffic
Eliminating
30-40% of web traffic
has a big impact
Bot detection
requires less
per-application tuning
Key Takeaways
Read more about these and
other threats
Stay up-to-date
Sign up for F5 Labs
https://interact.f5.com/AppProtectLibrary F5labs.com

More Related Content

What's hot

Digital Energy 2018 Day 1
Digital Energy 2018 Day 1Digital Energy 2018 Day 1
Digital Energy 2018 Day 1Ray Bugg
 
Deloitte stay ahed of the game
Deloitte stay ahed of the gameDeloitte stay ahed of the game
Deloitte stay ahed of the gameFranco Ferrario
 
The Internet of Things
The Internet of ThingsThe Internet of Things
The Internet of ThingsThanh-Vy Hua
 
Unfolding the next growth chapter in the Middle East
Unfolding the next growth chapter in the Middle East Unfolding the next growth chapter in the Middle East
Unfolding the next growth chapter in the Middle East Accenture Middle East
 
Bridging the gap: cyber security skills
Bridging the gap: cyber security skillsBridging the gap: cyber security skills
Bridging the gap: cyber security skillsIpsos UK
 
Third Annual State of Cyber Resilience | Portugal
Third Annual State of Cyber Resilience | PortugalThird Annual State of Cyber Resilience | Portugal
Third Annual State of Cyber Resilience | Portugalaccenture
 
Digital trust and cyber challenge now extends beyond the Enterprise
Digital trust and cyber challenge now extends beyond the Enterprise Digital trust and cyber challenge now extends beyond the Enterprise
Digital trust and cyber challenge now extends beyond the Enterprise Mourad Khalil
 
Cost of Cyber Crime: Financial Services
Cost of Cyber Crime: Financial Services Cost of Cyber Crime: Financial Services
Cost of Cyber Crime: Financial Services accenture
 
ACCA Smart Finance Series - Trust in the Digital Age Presented by PwC
ACCA Smart Finance Series - Trust in the Digital AgePresented by PwCACCA Smart Finance Series - Trust in the Digital AgePresented by PwC
ACCA Smart Finance Series - Trust in the Digital Age Presented by PwCACCASG Community Manager
 
2019 Intelligent Technology Index
2019 Intelligent Technology Index 2019 Intelligent Technology Index
2019 Intelligent Technology Index Insight
 
Ninth Annual Cost of Cybercrime Study in Financial Services – 2019 Report
Ninth Annual Cost of Cybercrime Study in Financial Services – 2019 ReportNinth Annual Cost of Cybercrime Study in Financial Services – 2019 Report
Ninth Annual Cost of Cybercrime Study in Financial Services – 2019 Reportaccenture
 
Securing the Digital Economy: Reinventing the Internet
Securing the Digital Economy: Reinventing the InternetSecuring the Digital Economy: Reinventing the Internet
Securing the Digital Economy: Reinventing the Internetaccenture
 
Lessons v on fraud awareness (digital forensics) [autosaved]
Lessons v on fraud awareness   (digital forensics) [autosaved]Lessons v on fraud awareness   (digital forensics) [autosaved]
Lessons v on fraud awareness (digital forensics) [autosaved]Kolluru N Rao
 
Advanced threat protection and big data
Advanced threat protection and big dataAdvanced threat protection and big data
Advanced threat protection and big dataPeter Wood
 
Accenture Banking Security Index
Accenture Banking Security IndexAccenture Banking Security Index
Accenture Banking Security Indexaccenture
 
2018 State of Cyber Resilience Report - Ireland
2018 State of Cyber Resilience Report - Ireland2018 State of Cyber Resilience Report - Ireland
2018 State of Cyber Resilience Report - IrelandAccenture Security
 
Digital Transformation ROI Survey From Wipro Digital
Digital Transformation ROI Survey From Wipro DigitalDigital Transformation ROI Survey From Wipro Digital
Digital Transformation ROI Survey From Wipro DigitalWipro Digital
 
IoT and BD Introduction
IoT and BD IntroductionIoT and BD Introduction
IoT and BD IntroductionWayne Sun
 
2018 State of Cyber Reslience in Healthcare
2018 State of Cyber Reslience in Healthcare2018 State of Cyber Reslience in Healthcare
2018 State of Cyber Reslience in Healthcareaccenture
 
Webinar for Feb 2019 - The Digital Actuary – preparing for the future … Now!
Webinar for Feb 2019 - The Digital Actuary – preparing for the future … Now!Webinar for Feb 2019 - The Digital Actuary – preparing for the future … Now!
Webinar for Feb 2019 - The Digital Actuary – preparing for the future … Now!The Digital Insurer
 

What's hot (20)

Digital Energy 2018 Day 1
Digital Energy 2018 Day 1Digital Energy 2018 Day 1
Digital Energy 2018 Day 1
 
Deloitte stay ahed of the game
Deloitte stay ahed of the gameDeloitte stay ahed of the game
Deloitte stay ahed of the game
 
The Internet of Things
The Internet of ThingsThe Internet of Things
The Internet of Things
 
Unfolding the next growth chapter in the Middle East
Unfolding the next growth chapter in the Middle East Unfolding the next growth chapter in the Middle East
Unfolding the next growth chapter in the Middle East
 
Bridging the gap: cyber security skills
Bridging the gap: cyber security skillsBridging the gap: cyber security skills
Bridging the gap: cyber security skills
 
Third Annual State of Cyber Resilience | Portugal
Third Annual State of Cyber Resilience | PortugalThird Annual State of Cyber Resilience | Portugal
Third Annual State of Cyber Resilience | Portugal
 
Digital trust and cyber challenge now extends beyond the Enterprise
Digital trust and cyber challenge now extends beyond the Enterprise Digital trust and cyber challenge now extends beyond the Enterprise
Digital trust and cyber challenge now extends beyond the Enterprise
 
Cost of Cyber Crime: Financial Services
Cost of Cyber Crime: Financial Services Cost of Cyber Crime: Financial Services
Cost of Cyber Crime: Financial Services
 
ACCA Smart Finance Series - Trust in the Digital Age Presented by PwC
ACCA Smart Finance Series - Trust in the Digital AgePresented by PwCACCA Smart Finance Series - Trust in the Digital AgePresented by PwC
ACCA Smart Finance Series - Trust in the Digital Age Presented by PwC
 
2019 Intelligent Technology Index
2019 Intelligent Technology Index 2019 Intelligent Technology Index
2019 Intelligent Technology Index
 
Ninth Annual Cost of Cybercrime Study in Financial Services – 2019 Report
Ninth Annual Cost of Cybercrime Study in Financial Services – 2019 ReportNinth Annual Cost of Cybercrime Study in Financial Services – 2019 Report
Ninth Annual Cost of Cybercrime Study in Financial Services – 2019 Report
 
Securing the Digital Economy: Reinventing the Internet
Securing the Digital Economy: Reinventing the InternetSecuring the Digital Economy: Reinventing the Internet
Securing the Digital Economy: Reinventing the Internet
 
Lessons v on fraud awareness (digital forensics) [autosaved]
Lessons v on fraud awareness   (digital forensics) [autosaved]Lessons v on fraud awareness   (digital forensics) [autosaved]
Lessons v on fraud awareness (digital forensics) [autosaved]
 
Advanced threat protection and big data
Advanced threat protection and big dataAdvanced threat protection and big data
Advanced threat protection and big data
 
Accenture Banking Security Index
Accenture Banking Security IndexAccenture Banking Security Index
Accenture Banking Security Index
 
2018 State of Cyber Resilience Report - Ireland
2018 State of Cyber Resilience Report - Ireland2018 State of Cyber Resilience Report - Ireland
2018 State of Cyber Resilience Report - Ireland
 
Digital Transformation ROI Survey From Wipro Digital
Digital Transformation ROI Survey From Wipro DigitalDigital Transformation ROI Survey From Wipro Digital
Digital Transformation ROI Survey From Wipro Digital
 
IoT and BD Introduction
IoT and BD IntroductionIoT and BD Introduction
IoT and BD Introduction
 
2018 State of Cyber Reslience in Healthcare
2018 State of Cyber Reslience in Healthcare2018 State of Cyber Reslience in Healthcare
2018 State of Cyber Reslience in Healthcare
 
Webinar for Feb 2019 - The Digital Actuary – preparing for the future … Now!
Webinar for Feb 2019 - The Digital Actuary – preparing for the future … Now!Webinar for Feb 2019 - The Digital Actuary – preparing for the future … Now!
Webinar for Feb 2019 - The Digital Actuary – preparing for the future … Now!
 

Similar to Scot Secure 2019 Edinburgh (Day 1)

ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...Cyber Security Alliance
 
Agenda PWC Cybersecurity Day - 18 octobre 2016
Agenda PWC Cybersecurity Day - 18 octobre 2016Agenda PWC Cybersecurity Day - 18 octobre 2016
Agenda PWC Cybersecurity Day - 18 octobre 2016ITnation Luxembourg
 
2016 trustwave global security report
2016 trustwave global security report2016 trustwave global security report
2016 trustwave global security reportMarco Antonio Agnese
 
2015-ISBS-Technical-Report-blue-digital
2015-ISBS-Technical-Report-blue-digital2015-ISBS-Technical-Report-blue-digital
2015-ISBS-Technical-Report-blue-digitalJames Fisher
 
Cyber security 2013 - Technical Report
Cyber security  2013 - Technical Report Cyber security  2013 - Technical Report
Cyber security 2013 - Technical Report Mandar Kharkar
 
Infosecurity magazine webinar v2
Infosecurity magazine webinar v2Infosecurity magazine webinar v2
Infosecurity magazine webinar v2Mark Skilton
 
Webinar: Why risk managers should look at Artificial Intelligence now?
Webinar: Why risk managers should look at Artificial Intelligence now?Webinar: Why risk managers should look at Artificial Intelligence now?
Webinar: Why risk managers should look at Artificial Intelligence now?FERMA
 
WISER @Ferma Forum, 4-7 October 2015, Venice, Italy
WISER @Ferma Forum, 4-7 October 2015, Venice, ItalyWISER @Ferma Forum, 4-7 October 2015, Venice, Italy
WISER @Ferma Forum, 4-7 October 2015, Venice, ItalyCYBERWISER .eu
 
Addressing cyber risk managment from SME perspective
Addressing cyber risk managment from SME perspectiveAddressing cyber risk managment from SME perspective
Addressing cyber risk managment from SME perspectiveCyber Watching
 
European Cyber Security Perspectives 2016
European Cyber Security Perspectives 2016European Cyber Security Perspectives 2016
European Cyber Security Perspectives 2016Omer Coskun
 
WSIS10 Action Line C5 Building Confidence and Security in the use of ICT's
WSIS10 Action Line C5 Building Confidence and Security in the use of ICT'sWSIS10 Action Line C5 Building Confidence and Security in the use of ICT's
WSIS10 Action Line C5 Building Confidence and Security in the use of ICT'sDr Lendy Spires
 
The evolution of Social Engineering 2.0 and its role in the modern cybercrime
The evolution of Social Engineering 2.0 and its role in the modern cybercrimeThe evolution of Social Engineering 2.0 and its role in the modern cybercrime
The evolution of Social Engineering 2.0 and its role in the modern cybercrimeEnrico Frumento
 
FORUM 2013 Cyber Risks - not just a domain for IT
FORUM 2013 Cyber Risks - not just a domain for ITFORUM 2013 Cyber Risks - not just a domain for IT
FORUM 2013 Cyber Risks - not just a domain for ITFERMA
 
TMHCC in Risk & Compliance 2017 Q4 - Cyber Mini-Roundtable
TMHCC in Risk & Compliance 2017 Q4 - Cyber Mini-RoundtableTMHCC in Risk & Compliance 2017 Q4 - Cyber Mini-Roundtable
TMHCC in Risk & Compliance 2017 Q4 - Cyber Mini-RoundtableLaura Tibbo
 

Similar to Scot Secure 2019 Edinburgh (Day 1) (20)

ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...
 
Microsoft Digital Crimes Unit
Microsoft Digital Crimes UnitMicrosoft Digital Crimes Unit
Microsoft Digital Crimes Unit
 
Agenda PWC Cybersecurity Day - 18 octobre 2016
Agenda PWC Cybersecurity Day - 18 octobre 2016Agenda PWC Cybersecurity Day - 18 octobre 2016
Agenda PWC Cybersecurity Day - 18 octobre 2016
 
2016 trustwave global security report
2016 trustwave global security report2016 trustwave global security report
2016 trustwave global security report
 
2015-ISBS-Technical-Report-blue-digital
2015-ISBS-Technical-Report-blue-digital2015-ISBS-Technical-Report-blue-digital
2015-ISBS-Technical-Report-blue-digital
 
Cyber security 2013 - Technical Report
Cyber security  2013 - Technical Report Cyber security  2013 - Technical Report
Cyber security 2013 - Technical Report
 
Infosecurity magazine webinar v2
Infosecurity magazine webinar v2Infosecurity magazine webinar v2
Infosecurity magazine webinar v2
 
Webinar: Why risk managers should look at Artificial Intelligence now?
Webinar: Why risk managers should look at Artificial Intelligence now?Webinar: Why risk managers should look at Artificial Intelligence now?
Webinar: Why risk managers should look at Artificial Intelligence now?
 
EUROPOL: THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015
EUROPOL: THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015EUROPOL: THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015
EUROPOL: THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015
 
Check Point Infinity
Check Point Infinity Check Point Infinity
Check Point Infinity
 
WISER @Ferma Forum, 4-7 October 2015, Venice, Italy
WISER @Ferma Forum, 4-7 October 2015, Venice, ItalyWISER @Ferma Forum, 4-7 October 2015, Venice, Italy
WISER @Ferma Forum, 4-7 October 2015, Venice, Italy
 
Addressing cyber risk managment from SME perspective
Addressing cyber risk managment from SME perspectiveAddressing cyber risk managment from SME perspective
Addressing cyber risk managment from SME perspective
 
European Cyber Security Perspectives 2016
European Cyber Security Perspectives 2016European Cyber Security Perspectives 2016
European Cyber Security Perspectives 2016
 
WSIS10 Action Line C5 Building Confidence and Security in the use of ICT's
WSIS10 Action Line C5 Building Confidence and Security in the use of ICT'sWSIS10 Action Line C5 Building Confidence and Security in the use of ICT's
WSIS10 Action Line C5 Building Confidence and Security in the use of ICT's
 
Conférence ENGIE ACSS 2018
Conférence ENGIE ACSS 2018 Conférence ENGIE ACSS 2018
Conférence ENGIE ACSS 2018
 
The evolution of Social Engineering 2.0 and its role in the modern cybercrime
The evolution of Social Engineering 2.0 and its role in the modern cybercrimeThe evolution of Social Engineering 2.0 and its role in the modern cybercrime
The evolution of Social Engineering 2.0 and its role in the modern cybercrime
 
FORUM 2013 Cyber Risks - not just a domain for IT
FORUM 2013 Cyber Risks - not just a domain for ITFORUM 2013 Cyber Risks - not just a domain for IT
FORUM 2013 Cyber Risks - not just a domain for IT
 
TMHCC in Risk & Compliance 2017 Q4 - Cyber Mini-Roundtable
TMHCC in Risk & Compliance 2017 Q4 - Cyber Mini-RoundtableTMHCC in Risk & Compliance 2017 Q4 - Cyber Mini-Roundtable
TMHCC in Risk & Compliance 2017 Q4 - Cyber Mini-Roundtable
 
L123
L123L123
L123
 
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...
 

More from Ray Bugg

Digit Leaders 2023
Digit Leaders 2023 Digit Leaders 2023
Digit Leaders 2023 Ray Bugg
 
DIGIT North 2022
DIGIT North 2022DIGIT North 2022
DIGIT North 2022Ray Bugg
 
Digital Transformation Summit 2021
Digital Transformation Summit 2021Digital Transformation Summit 2021
Digital Transformation Summit 2021Ray Bugg
 
Data Protection Scotland Summit 2019
Data Protection Scotland Summit 2019Data Protection Scotland Summit 2019
Data Protection Scotland Summit 2019Ray Bugg
 
DIGIT Expo 2019
DIGIT Expo 2019DIGIT Expo 2019
DIGIT Expo 2019Ray Bugg
 
DIGIT Expo 2019
DIGIT Expo 2019DIGIT Expo 2019
DIGIT Expo 2019Ray Bugg
 
Scotland's FinTech Summit 2019
Scotland's FinTech Summit 2019Scotland's FinTech Summit 2019
Scotland's FinTech Summit 2019Ray Bugg
 
Intelligent Automation 2019
Intelligent Automation 2019Intelligent Automation 2019
Intelligent Automation 2019Ray Bugg
 
DIgital Energy 2019
DIgital Energy 2019DIgital Energy 2019
DIgital Energy 2019Ray Bugg
 
Digital Transformation Scotland 2019
Digital Transformation Scotland 2019Digital Transformation Scotland 2019
Digital Transformation Scotland 2019Ray Bugg
 
DIGIT Leader Summit 2018 - Edinburgh
DIGIT Leader Summit 2018 - EdinburghDIGIT Leader Summit 2018 - Edinburgh
DIGIT Leader Summit 2018 - EdinburghRay Bugg
 
IoT Scotland 2018
IoT Scotland 2018IoT Scotland 2018
IoT Scotland 2018Ray Bugg
 
Digital Transformation 2018 - Edinburgh
Digital Transformation 2018 - EdinburghDigital Transformation 2018 - Edinburgh
Digital Transformation 2018 - EdinburghRay Bugg
 
Big Data Scotland 2017
Big Data Scotland 2017Big Data Scotland 2017
Big Data Scotland 2017Ray Bugg
 
IT In The Park 2017
IT In The Park 2017IT In The Park 2017
IT In The Park 2017Ray Bugg
 
GDPR Scotland 2017
GDPR Scotland 2017GDPR Scotland 2017
GDPR Scotland 2017Ray Bugg
 
Fintech 2017 Edinburgh (Day 2)
Fintech 2017 Edinburgh (Day 2)Fintech 2017 Edinburgh (Day 2)
Fintech 2017 Edinburgh (Day 2)Ray Bugg
 
Fintech 2017 Edinburgh (Day 1)
Fintech 2017 Edinburgh (Day 1)Fintech 2017 Edinburgh (Day 1)
Fintech 2017 Edinburgh (Day 1)Ray Bugg
 
Scot Cloud 2017
Scot Cloud 2017Scot Cloud 2017
Scot Cloud 2017Ray Bugg
 
DIGIT Leader Summit 2017
DIGIT Leader Summit 2017DIGIT Leader Summit 2017
DIGIT Leader Summit 2017Ray Bugg
 

More from Ray Bugg (20)

Digit Leaders 2023
Digit Leaders 2023 Digit Leaders 2023
Digit Leaders 2023
 
DIGIT North 2022
DIGIT North 2022DIGIT North 2022
DIGIT North 2022
 
Digital Transformation Summit 2021
Digital Transformation Summit 2021Digital Transformation Summit 2021
Digital Transformation Summit 2021
 
Data Protection Scotland Summit 2019
Data Protection Scotland Summit 2019Data Protection Scotland Summit 2019
Data Protection Scotland Summit 2019
 
DIGIT Expo 2019
DIGIT Expo 2019DIGIT Expo 2019
DIGIT Expo 2019
 
DIGIT Expo 2019
DIGIT Expo 2019DIGIT Expo 2019
DIGIT Expo 2019
 
Scotland's FinTech Summit 2019
Scotland's FinTech Summit 2019Scotland's FinTech Summit 2019
Scotland's FinTech Summit 2019
 
Intelligent Automation 2019
Intelligent Automation 2019Intelligent Automation 2019
Intelligent Automation 2019
 
DIgital Energy 2019
DIgital Energy 2019DIgital Energy 2019
DIgital Energy 2019
 
Digital Transformation Scotland 2019
Digital Transformation Scotland 2019Digital Transformation Scotland 2019
Digital Transformation Scotland 2019
 
DIGIT Leader Summit 2018 - Edinburgh
DIGIT Leader Summit 2018 - EdinburghDIGIT Leader Summit 2018 - Edinburgh
DIGIT Leader Summit 2018 - Edinburgh
 
IoT Scotland 2018
IoT Scotland 2018IoT Scotland 2018
IoT Scotland 2018
 
Digital Transformation 2018 - Edinburgh
Digital Transformation 2018 - EdinburghDigital Transformation 2018 - Edinburgh
Digital Transformation 2018 - Edinburgh
 
Big Data Scotland 2017
Big Data Scotland 2017Big Data Scotland 2017
Big Data Scotland 2017
 
IT In The Park 2017
IT In The Park 2017IT In The Park 2017
IT In The Park 2017
 
GDPR Scotland 2017
GDPR Scotland 2017GDPR Scotland 2017
GDPR Scotland 2017
 
Fintech 2017 Edinburgh (Day 2)
Fintech 2017 Edinburgh (Day 2)Fintech 2017 Edinburgh (Day 2)
Fintech 2017 Edinburgh (Day 2)
 
Fintech 2017 Edinburgh (Day 1)
Fintech 2017 Edinburgh (Day 1)Fintech 2017 Edinburgh (Day 1)
Fintech 2017 Edinburgh (Day 1)
 
Scot Cloud 2017
Scot Cloud 2017Scot Cloud 2017
Scot Cloud 2017
 
DIGIT Leader Summit 2017
DIGIT Leader Summit 2017DIGIT Leader Summit 2017
DIGIT Leader Summit 2017
 

Recently uploaded

My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Scot Secure 2019 Edinburgh (Day 1)

  • 7. International Challenges of Cybercrime Investigation. Europol Unclassified - Basic Protection Level. Steven Wilson, Head of EC3. 27 March, 2019
  • 8. Europol Classified – EU RESTRICTED. Europol’s Mandate. Headquarters: The Hague, Netherlands. “Europol shall support and strengthen action by the competent authorities of the Member States and their mutual cooperation in preventing and combating serious crime affecting two or more Member States, terrorism and forms of crime which affect a common interest covered by a Union policy” (Europol Regulation)
  • 9. Liaison Bureaux Network. Europol Liaison Officers in: Interpol IGCI; Interpol IPSG; Washington DC
  • 10. EC3’s Core Areas of Responsibility. Decryption Facility
  • 11. Multi-Faceted Approach to Countering Cybercrime: Internet Security; Financial Services; Academic Advisory Network; Cybercrime Prevention Network; Communication Providers; Forensic Expert Forum. SOCTA; IOCTA; Strategic Plans; Operational Actions; Evaluation
  • 12. IOCTA 2018 – Key Threats & Trends: Card-not-present fraud dominates payment fraud, but skimming continues. DDoS continues to plague public and private organisations. Ransomware retains its dominance. Social engineering still the engine of many cybercrimes.
  • 13. Major Cross-Border Cyber-Attacks: WannaCry Ransomware Attacks (May 2017); NotPetya Malware Attacks (June 2017)
  • 14. Avalanche: 5 arrests in 4 countries; 37 searches in 7 countries; 39 servers seized in 13 countries; 221 servers taken offline; 64 TLDs; 800,000 domains in 26 countries; victim remediation in 189 countries; awareness raising and prevention
  • 15. Cyber Attacks in the News
  • 16. Convergence of Criminality: Script Kiddies; Serious Organised Crime; Nation States; Cyber Criminals
  • 17. Joint Cybercrime Action Taskforce (J-CAT). Identification of priorities; Investigative opportunities; INVESTIGATION. Chairmanship: Netherlands. Vice-Chairmanship: US FBI. 24/7 Permanent Taskforce operating from Europol HQ together with EC3. Taskforce Members: 17 LEA Agencies from 15 Member Countries (9 EU MS, 6 TP) + Europol’s EC3
  • 18. EU Law Enforcement Emergency Response Protocol (LE ERP): To support the EU MS LEA in providing immediate response to major cyber-attacks (in line with nation-level crisis management mechanisms). To facilitate collaboration and coordination with other key players (public & private). To provide the law enforcement contribution to the EU crisis management structures.
  • 19. European Money Mule Action IV (Sep - Nov 2018) ❖ Cooperation with Eurojust, 30 countries, the EBF, 300+ banks and other private-sector partners ❖ Money muling awareness campaign #DontBeaMule to alert the public ❖ 26,376 money mule transactions reported (preventing losses of more than 36 million Euros) ❖ 168 arrested, 1504 money mules and 140 money mule organisers identified
  • 20. No More Ransom: 136 Partners; website available in 36 languages; 68 tools capable of decrypting 99 ransomware families; > 72,000 devices successfully decrypted; 2017 SC Magazine Editor’s Choice Award
  • 21. Scot in Europe – Perspective: Single Police Force; SBRC; University/LE Cooperation; Developing Industry
  • 22. What can Scotland do? Scottish Business Resilience Centre; Police Scotland Cyber Hubs; Cyber Scotland: education, skills & awareness
  • 23. Thank you
  • 25. THE HUMAN FIREWALL DR ALISON VINCENT @draliv
  • 26. THE FUTURE IS CLOSER THAN WE THINK
  • 29. POLITICAL LANDSCAPE CHANGING En garde! 'Cyber-war has begun' – and France will hack first, its defence sec declares Poland unveils details of plan for new cyber defence force
  • 31. 90% of malware infections Tuesday Versus Friday 1 : 20 72% of data breaches
  • 32. Malicious – acts intentionally; Negligent – is sloppy; Compromised – acts unintentionally. 77%
  • 33. $30 +
  • 37. The Board The Executive Employees/Leaders Customers/Supply Chain Cyber Awareness Training Video sound bites
  • 38. The Board The Executive Employees/Leaders Customers/Supply Chain Cyber Awareness Training Video sound bites
  • 39. The Board The Executive Employees/Leaders Customers/Supply Chain Cyber Awareness Training Video sound bites Internal Phishing Campaigns Secure SDLC tooling Gamification for apps developers
  • 41. The Board The Executive Employees/Leaders Customers/Supply Chain Cyber Awareness Training Include Executive Assistants Target internal Phishing Campaigns Digital Footprinting
  • 42. The Board The Executive Employees/Leaders Customers/Supply Chain Cyber Awareness Training Cyber Simulation Walk throughs Balanced Board reporting
  • 43. FOCUS ON RISKS (NOT THREATS)
  • 44. The Board: Cyber Awareness Training; Cyber Simulation Walk throughs; Balanced Board reporting. The Executive: Cyber Awareness Training; Include Executive Assistants; Target internal Phishing Campaigns; Digital Footprinting. Employees/Leaders: Cyber Awareness Training; internal Phishing Campaigns; Video sound bites; Secure SDLC tooling; Gamification for apps developers. Customers/Supply Chain: Cyber Awareness Training; Video sound bites
  • 45. THE HUMAN FIREWALL DR ALISON VINCENT @draliv
  • 47. ©2019 Check Point Software Technologies Ltd. SWITCHING SIDES: Transitioning from Consumption to Supply. Mark Mitchell, Security Engineer
  • 48. Agenda • Background • Walls: Disrupt and Prevent • Turning up for the wrong war • Solutions
  • 49. Me • Background in both Commercial and Academic Sectors • Trained Archaeologist • Old enough to remember people being excited by Windows 95
  • 50. WALLS: DISRUPT AND PREVENT
  • 51. A History of Walls
  • 52. A History of Walls
  • 53. A History of Walls
  • 54. What happens when the thinking gets stale?
  • 55. TURNING UP FOR THE WRONG WAR
  • 56. 2018
  • 57. The Global Risks Report 2018
  • 58. Where are we? Timeline: 1990, 2000, 2010, 2015, 2017. Gen I: Virus; Gen II: Networks; Gen III: Applications; Gen IV: Payload; Gen V: Mega. Enterprises are between Gen 2-3. 2.8
  • 59. Only 3% of IT Security Professionals Are at Gen V. Cyber Security Generations Analysis (market research). Categories: Gen 1: AV only; Gen 2: FW+AV; Gen 3: FW+AV+IPS; Gen 4: All + Sandboxing + Anti Bot; Gen 5: All + Sandboxing in prevention mode + mobile + cloud. Bar values as listed: 89%, 97%, 98%, 10%, 3%. Source: Cyber Security Generations Survey among IT Professionals, March 2018, N=300
  • 60. 76% Experienced Attacks In Multiple Vectors (more than one vector**). Number of Different Attack Vectors: One 24%; Two 29%; Three 33%; Four 10%; Five 4%. ** Vectors: PC, On-premise data Center, Cloud, Mobile, IoT. Source: Cyber Security Generations Survey among IT Professionals, March 2018, N=300
  • 61. LET’S LOOK AT WHAT ORGANIZATIONS USE TODAY. PROTECTED / NOT PROTECTED. NETWORK SANDBOXING, MOBILE SECURITY: 93% 99% 98%. CLOUD SECURITY: 87% 96% 91%. 2017 2017 2017 2016 2016 2016. BUT WE ARE STILL NOT USING THE MOST EFFECTIVE SECURITY! 86% more, 300% more, 350% more. DRAMATIC INCREASE IN PROTECTION
  • 62. HOW ARE WE APPROACHING CYBER SECURITY TODAY? ARE WE READY FOR THE FUTURE OF CYBER THREATS?
  • 63. ARCHITECTURE A: MULTI-VENDOR, ATTACK DETECTION AND MITIGATION. Technology B; Technology C; Mitigation Tools; Breach Detection and Remediation. USING POINT SOLUTIONS… “Attacks are inevitable, so we might as well mitigate the damage”. POINT SOLUTIONS: Too many disparate technologies. INHERENT GAPS: Incomplete coverage between solutions. POST BREACH: Detection & mitigation tools to minimize the damage
  • 64. ARCHITECTURE A: MULTI-VENDOR, ATTACK DETECTION AND MITIGATION. Technology B; Technology C; Mitigation Tools; Breach Detection and Remediation. We All Need Protection. ARCHITECTURE B: UNIFIED ARCHITECTURE, FOCUS ON PREVENTION. Next Generation Firewall; Threat Prevention (AV, IPS); Advanced Threat Prevention; Cloud; Mobile; Networks
  • 65. SOLUTIONS
  • 66. Possible Solution • Internal Communication • Read Communication • Read and Research • Policy and Process • Collaborate • Think like a bad Guy • Detect and Prevent • And remember…
  • 68. THANK YOU
  • 73. Today’s Approach to IT security is falling behind
  • 79. .CryptoHasYou., 777, 7ev3n, 7h9r, 8lock8, Alfa Ransomware, Alma Ransomware, Alpha Ransomware, AMBA, Apocalypse, ApocalypseVM, AutoLocky, BadBlock, BaksoCrypt, Bandarchor, Bart, BitCryptor, BitStak, BlackShades Crypter, Blocatto, Booyah, Brazilian, BrLock, Browlock, Bucbi, BuyUnlockCode, Cerber, Chimera, CoinVault, Coverton, Cryaki, Crybola, CryFile, CryLocker, CrypMIC, Crypren, Crypt38, Cryptear, CryptFile2, CryptInfinite, CryptoBit, CryptoDefense, CryptoFinancial, CryptoFortress, CryptoGraphic Locker, CryptoHost, CryptoJoker, CryptoLocker, Cryptolocker 2.0, CryptoMix, CryptoRoger, CryptoShocker, CryptoTorLocker2015, CryptoWall 1, CryptoWall 2, CryptoWall 3, CryptoWall 4, CryptXXX, CryptXXX 2.0, CryptXXX 3.0, CryptXXX 3.1, CTB-Faker, CTB-Locker, CTB-Locker WEB, CuteRansomware, DeCrypt Protect, DEDCryptor, DetoxCrypto, DirtyDecrypt, DMALocker, DMALocker 3.0, Domino, EDA2 / HiddenTear, EduCrypt, El-Polocker, Enigma, FairWare, Fakben, Fantom, Fonco, Fsociety, Fury, GhostCrypt, Globe, GNL Locker, Gomasom, Goopic, Gopher, Harasom, Herbst, Hi Buddy!, Hitler, HolyCrypt, HydraCrypt, iLock, iLockLight, International Police Association, JagerDecryptor, Jeiphoos, Jigsaw, Job Crypter, KeRanger, KeyBTC, KEYHolder, KimcilWare, Korean, Kozy.Jozy, KratosCrypt, KryptoLocker, LeChiffre, Linux.Encoder, Locker, Locky, Lortok, LowLevel04, Mabouia, Magic, MaktubLocker, MIRCOP, MireWare, Mischa, MM Locker, Mobef, NanoLocker, Nemucod, NoobCrypt, Nullbyte, ODCODC, Offline ransomware, OMG! 
Ransomware, Operation Global III, PadCrypt, Pclock, Petya, PizzaCrypts, PokemonGO, PowerWare, PowerWorm, PRISM, R980, RAA encryptor, Radamant, Rakhni, Rannoh, Ransom32, RansomLock, Rector, RektLocker, RemindMe, Rokku, Samas-Samsam, Sanction, Satana, Scraper, Serpico, Shark, ShinoLocker, Shujin, Simple_Encoder, SkidLocker / Pompous, Smrss32, SNSLocker, Sport, Stampado, Strictor, Surprise, SynoLocker, SZFLocker, TeslaCrypt 0.x - 2.2.0, TeslaCrypt 3.0+, TeslaCrypt 4.1A, TeslaCrypt 4.2, Threat Finder, TorrentLocker, TowerWeb, Toxcrypt, Troldesh, TrueCrypter, Turkish Ransom, UmbreCrypt, Ungluk, Unlock92, VaultCrypt, VenusLocker, Virlock, Virus-Encoder, WildFire Locker, Xorist, XRTN, Zcrypt, Zepto, Zimbra, Zlader / Russian, Zyklon. 200+ Crypto-Ransomware Families
  • 80. "You can't solve a problem on the same level that it was created. You have to rise above it to the next level." - Albert Einstein
  • 81. Synchronized Security is Better Security. Nick Ross, Sales Engineering UKI
  • 83. Sophos History: Evolution to Synchronized Security. Founded in Abingdon (Oxford), UK; Divested non-core Cyber business; Acquired DIALOGS; Acquired Astaro; 2011 2012 2013; Acquired Utimaco Safeware AG; 2008; First checksum-based antivirus software; Peter Lammer, Jan Hruska; c1985 c1985 1985 1988 1989; First signature-based antivirus software; 1996; US presence established in Boston; Voted best small/medium sized company in UK; Acquired ENDFORCE; 2014; Acquired Cyberoam; Acquired Mojave Networks; Acquired Barricade; IPO London Stock Exchange; Launched Synchronized Security; 2007 2015; Acquired Surfright; 2017; Acquired Invincea; 2016; Acquired PhishThreat; Acquired Reflexion; 2019; Acquired Avid Secure; Acquired DarkBytes
  • 84. Synchronized Security: Better Security. Wireless; Web; Email; UTM; Next-Gen Firewall; File Encryption; Disk Encryption; Endpoint; Next-Gen Endpoint; Mobile; Server; Analytics. Unparalleled protection against advanced threats. Significantly reduced incident response time. User Training
  • 85. “No other company is close to delivering this type of communication between endpoint and network security products.” Chris Christianson, vice president of security programs, IDC
  • 86. Proven Technology in Key Areas. Gartner Magic Quadrant: UNIFIED THREAT MANAGEMENT. Gartner Magic Quadrant: ENDPOINT PROTECTION PLATFORMS. The Forrester Wave™: ENDPOINT ENCRYPTION. The Forrester Wave: Endpoint Encryption, Chris Sherman, 16 Jan 2015 UPDATE. Magic Quadrant for Unified Threat Management, Jeremy D'Hoinne, Rajpreet Kaur, Adam Hils, 20 June, 2017. Magic Quadrant for Endpoint Protection Platforms, Ian McShane, Avivah Litan, Eric Ouellet, Prajeet Bhajanka; 24 January, 2018
  • 89. Customer expectations are NOT being met. What Network Admins Say are their top 3 complaints with their current firewall… Visibility: 45% of traffic is going unidentified on average. Response: 7 days every month spent responding to and fixing infected systems. Protection: 16 infections per month on average. Source: Survey conducted by Vanson Bourne, November 2017 of 2,700 IT decision makers in organizations from 100-5000 users in 10 countries across 5 continents
  • 90. So what are these Expectations? Visibility; Protection; Response. What REALLY scares the admin? Cloud Apps Visibility; Unknown Apps; Reporting; Ransomware Defence; Zero-day Exploits; Lateral Movement; Response Time; Co-ordinated Threat Defence. Source: Presenter’s own suppositions and musings
  • 91. The Solution – Synchronized Security. Visibility; Protection; Response. Key Advantages ✓ Synchronized Application Control ✓ CASB Cloud App and Data Visibility ✓ IoT Discovery and Classification (coming soon). Key Advantages ✓ Deep Learning in Sophos Sandstorm ✓ Top-rated IPS Engine by NSS Labs ✓ IPS & App Control Smart Lists. New Networking, VPN, and Management Features ✓ Firewall Rule Management ✓ Policy Test Simulator ✓ Unified Log Viewer ✓ IKEv2 VPN Support and Template ✓ Wildcard FQDN Support ✓ Azure High Availability ✓ DUO Multi-factor Authentication ✓ Airgap Support (coming soon) ✓ Chromebook SSO (coming soon). Management of XG Firewall in Sophos Central. Key Advantages ✓ Security Heartbeat ✓ Lateral Movement Prevention (coming soon)
  • 93. On Average… IT Managers cannot account for how 45% of their bandwidth is consumed
  • 94. • Firewall app control is signature based • The app world is constantly evolving • Some apps intentionally change to avoid detection • Some app traffic is too generic (HTTP/HTTPS)
  • 95. An Elegant Solution. Security Heartbeat™ Synchronized App Control. 1. Unknown Application: XG Firewall sees app traffic that does not match a signature. 2. Endpoint Shares App Info: Sophos Endpoint passes app name, path and even category to XG Firewall for classification. 3. Application is Classified & Controlled: Automatically categorize and control where possible or admin can manually set category or policy to apply. Diagram labels: Internet; XG Firewall; Sophos Endpoints
  • 98. CASB = Cloud Access Security Broker. Security Heartbeat™. Provides visibility, control, and protection to Cloud Applications & Data in the Cloud
  • 99. Control Center Widget • Quick view on the dashboard • Block unsanctioned apps • Guarantee service to critical apps via QoS • Report on app usage
  • 102. Synchronized Security - Automatic Response. Security Heartbeat™: Security Heartbeat™ links Endpoints with the firewall to monitor health and immediately share the presence of threats. Instant Identification: Security Heartbeat can instantly share telemetry about the user, systems and process responsible. Automated Response: Automatically isolate, or limit network access, and encryption keys for compromised systems until they are cleaned up. Diagram labels: XG Firewall; Sophos Central; Servers; Internet; Endpoints
  • 103. Lateral Movement Protection. Security Heartbeat™: Security Heartbeat™ links Endpoints with the firewall to monitor health and immediately share the presence of threats. Lateral Movement Protection: Firewall instantly informs all other endpoints to ignore any traffic from compromised device. Automated Response: Automatically isolate, or limit network access, and encryption keys for compromised systems until they are cleaned up. Diagram labels: XG Firewall; Sophos Central; Servers; Internet; Endpoints
  • 105. All Avenues Closed. Disable Sophos Security → Red Health sent through HB → System Isolates Endpoint. Disable Heartbeat → FW detects Missing Heartbeat → System Isolates Endpoint. Leaves Sophos Security alone → Sync Security detects everything they do and cuts the communication stream
  • 106. It Just Works! “It only took 2 minutes to find out that everything was under control. Sophos XG Firewall detected the threat and Security Heartbeat allowed the infected host to be immediately identified, isolated and cleaned up. Instead of going into fire drill mode, we were able to relax and finish our lunch.” DJ Anderson, CTO, Iron Cloud
  • 108. It's Flexible! Security Heartbeat™ & Synchronized App Control. Firewall Replacement; Inline; Discover Mode
  • 111. Dr Kami Vaniea University of Edinburgh @draliv #scotsecure
  • 112. The Human Factors Dr Kami Vaniea @kaniea kvaniea@inf.ed.ac.uk University of Edinburgh
  • 114. How do I get the scissors out?
  • 115. “Easy” to dismiss by hitting X … Except that hitting X means “I accept”
  • 116. If you want to find usability problems, look for signs.
  • 117. First reaction: Pull. Sign says: Push
  • 119. Why do we involve users in decisions?
  • 123. My Point: Good security decisions are contextual and require balancing risks with benefits.
  • 124. Flicker SalFalko • Encryption • Usability • Trust • User focus • Habituation • Effectiveness
  • 126. Three reasons people don’t use security or privacy technologies 1. They do not care about security and privacy 2. They do not know about security or privacy issues 3. They cannot use security and privacy technologies
  • 128. Folk Models of Hackers: Digital graffiti artists; Burglars who break into computers for criminal purposes; Criminals who target big fish; Contractors who support criminals. Wash, Rick. "Folk models of home computer security." Proceedings of the Sixth Symposium on Usable Privacy and Security. ACM, 2010.
  • 134. Mix of approaches. Security champions: Find and encourage people who are already in teams and already believe in security. Actionable guidance for users: Provide guidance that users are able to follow; Consider lost work, not just security; Think through what following guidance requires. Express trust in employees: Rules are there so you think before breaking them. Embedded training: Put the “training” in the environment; VERY challenging because requires the tech people to do this right ☺
  • 137. It’s Alive!! Realising an Effective Information Security Risk Framework Bridget Kenyon Global CISO, Thales eSecurity
  • 138. Anatomy A. Setting your risk objectives, strategy and vision B. Designing a framework that delivers for your environment C. Planning, implementation and testing D. Key challenges and obstacles E. Evaluating progress
  • 139. “Nothing is so painful to the human mind as a great and sudden change.” – Mary Shelley, Frankenstein
  • 140. A. Risk objectives, strategy and vision • Who are your stakeholders? What do they value? How and when is their performance measured? Why? • Pin down context: business objectives and strategy • Derive security objectives (SMART) • Write strategy to deliver these objectives • Use objectives and strategy to define vision
  • 141. Sample objectives: Comply with legal, contractual and regulatory obligations; Maintain/improve reputation with stakeholders; Balance risk against opportunity; Operate ethically
  • 142. Sample strategy statements: Treat information/cyber risk as part of our business risk; Use security as a competitive differentiator; Build on what we already have; Design in security from the beginning; Prioritise investment according to risk, requirements and potential rewards
  • 143. Sample vision statements: We show respect for customers and staff by protecting their information; Cyber security is an enabler for our business; We are resilient in a challenging online world; We care about, respect and protect information
  • 144. B. Designing a framework / B. Identifying a framework
  • 145. C. Plan, implement, test • Use project and change management methodologies • Keep it lightweight: • Adapt existing processes, make security part of BAU • Budget for ongoing management of security • Measure business outcomes
  • 146. D. Challenges and obstacles (Issue: Suggestion). Decision making shortcuts (behavioural economics, System 1 thinking: “IT should do this”, “It hasn’t happened to us yet”): Do not demonise; Nudge techniques. Supply chains: Transparency; Join up the links. Personal vs organisational risk appetite: Focus on business priorities; Use structured risk assessment approach. Re-scoping of projects: Monitor outcomes and reinforce expectations
  • 147. E. Evaluating progress Top level metrics should: • Map to business requirements • Be amenable to “drill down” questions • Use case studies and anecdotes • Be actionable
  • 148. Sample metrics • Gap analysis vs key requirements (project, burn-down) • Percentage of business processes with information risk management integrated (project, burn-down) • Value At Risk (BAU, against target) • Running costs vs costs avoided (BAU, comparison) • Revenue derived from security improvements
  • 149. Benchmarking • Find comparable organisations • Look at longitudinal (historical) data as well as right now • What worked for the other organisation, and why? • What did NOT work, and why? • Beware of pet topics
  • 150. Conclusion: Focus on the business and its direction; Build on what you already have; Identify the best existing framework for your current situation; Take account of behavioural drivers; Learn from others
  • 151. Thank you for your time! Any questions?
  • 152. Prof Bill Buchanan Napier Uni @billatnapier #scotsecure
  • 153. Panel Discussion Dr Kami Vaniea – Uni of Edinburgh Prof Bill Buchanan – Napier Bridget Kenyon – Thales e-Security Steve Johnson – Orion Health #scotsecure
  • 157. What’s all the fuss about?
  • 159. Primary Care & Out of Hours; Social Care & Council; Hospice & Third Sector; Pharmacy; Ambulance; Hospital; Community & Mental Health. Citizen & Carer Access; Role-based Access; Single Citizen Record. Contributing to the Record; Managing Care; Contributing to the Record; Engaging in Care
  • 163. Device software; Device hardware; Device software; Device hardware
  • 164. Device software; Device hardware; Device software; Device hardware; Smart product applications; Rules / analytics engine; Application platform; Service database (data lake)
  • 165. Device software; Device hardware; Device software; Device hardware; External data services; Macro system integration; Smart product applications; Rules / analytics engine; Application platform; Service database (data lake)
  • 166. Device software; Device hardware; Device software; Device hardware; Administration & security; External data services; Macro system integration; Smart product applications; Rules / analytics engine; Application platform; Service database (data lake)
  • 167. Device software; Device hardware; Device software; Device hardware; Administration & security; External data services; Macro system integration; Smart product applications; Rules / analytics engine; Application platform; Service database (data lake)
  • 169. Now it’s your turn…
  • 170. Device software; Device hardware; Device software; Device hardware; Administration & security; External data services; Macro system integration; Smart product applications; Rules / analytics engine; Application platform; Service database (data lake)
  • 172. Device software; Device hardware; Device software; Device hardware; Administration & security; External data services; Macro system integration; Smart product applications; Rules / analytics engine; Application platform; Service database (data lake)
  • 174. Device software; Device hardware; Device software; Device hardware; Administration & security; External data services; Macro system integration; Smart product applications; Rules / analytics engine; Application platform; Service database (data lake)
  • 179. Device software; Device hardware; Device software; Device hardware; Administration & security; External data services; Macro system integration; Smart product applications; Rules / analytics engine; Application platform; Service database (data lake)
  • 191. My mind is like my internet browser: I have 19 tabs open, 3 are frozen, and I’ve no idea where the music is coming from…
  • 193. Page 195 • 2018 © Orion Health™ group of companies
  • 194. Page 196 • 2018 © Orion Health™ group of companies Blue Team Operations: Hunting for the 1% Ian McGowan Managing Consultant
  • 195. Page 197 • 2018 © Orion Health™ group of companies CHALLENGES BLUE TEAM OPERATIONS THREAT ACTORS CYBER THREAT INTELLIGENCE ACTIONABLE INTELLIGENCE
  • 196. Page 198 • 2018 © Orion Health™ group of companies
  • 197. Page 199 • 2018 © Orion Health™ group of companies Modern threats take their time and leverage the holistic attack surface The Cyber Attack Lifecycle Environmental Awareness Reconnaissance & Probing Delivery & Attack Exploitation & Installation System Compromise
  • 198. Page 200 • 2018 © Orion Health™ group of companies Challenging Attack Surface • Digital Transformation • Complex Systems • ‘Protect’ Focused Budgets • False Positives
  • 199. Page 201 • 2018 © Orion Health™ group of companies
  • 200. Page 202 • 2018 © Orion Health™ group of companies Blue Team Operations
  • 201. Page 203 • 2018 © Orion Health™ group of companies Detection & Response Times High Vulnerability Low Vulnerability Months Days Hours Minutes Weeks MTTD&MTTR Exposed to Threats Resilient to Threats
  • 202. Page 204 • 2018 © Orion Health™ group of companies Defensive Monitoring
  • 203. Page 205 • 2018 © Orion Health™ group of companies Detection to Response TIME TO DETECT TIME TO RESPOND Logging RespondTriageAnalysis RecoverDefend Point Solutions Central Database Log & Event Correlation Threat Hunting Assess Threat Determine Priority Threat Analysis Chain of Evidence Orchestration and Automation Contain and Eradicate Lessons Learned Reporting
  • 204. Page 206 • 2018 © Orion Health™ group of companies
  • 205. Page 207 • 2018 © Orion Health™ group of companies
  • 206. Page 208 • 2018 © Orion Health™ group of companies
  • 207. Threat Hunting • Methodology • Technology • Skilled People • Threat Intelligence
  • 208. Incident Response
  • 210. VPNFilter Malware • Advanced Modular Malware • Code Reuse from APT28 • ~500K SOHO Devices • 54 countries • Destructive Capability
  • 212. Threat Intelligence
  • 213. Intelligence Lifecycle • COLLECTION • ANALYSIS • PROCESSING • DISSEMINATION
  • 214. Intelligence Lifecycle Output • COLLECTION: Feeds, Incidents, Notifications • ANALYSIS: Intel Quality, Validity, Life • PROCESSING: Intel packages, indicators, TTPs • DISSEMINATION: Endpoints, NetFlow, NGFW
  • 215. 300+ Full Time Threat Intel Researchers Millions Of Telemetry Agents 4 Global Data Centers 1100+ Threat Traps 100+ Threat Intelligence Partners Threat Intel Honeypots Open Source Communities Vulnerability Discovery (Internal) Product Telemetry Internet-Wide Scanning 20 Billion Threats Blocked Intel Sharing Daily Intelligence Flow Customer Data Sharing Programs Provider Coordination Program Open Source Intel Sharing 3rd Party Programs (MAPP) Industry Sharing Partnerships (ISACs) 500+ Participants 3.4 Billion AMP Queries 130 Billion DNS Requests 16 Billion Daily Web Requests (CWS/WSA)
  • 216. Threat Intelligence Dissemination Actionable Intelligence Network Endpoint Cloud Next-Gen IPS NetFlow IOC Sharing EPP EDR Email Security Web Security Cloud Access Brokering Cloud Workload Protection Intrusion Detection Firewalls
  • 217. Actionable Intelligence
  • 218. Pre-Positioning Defences: Augmenting your strategy, tactics and operations with a high-fidelity threat intelligence feed will improve your intrusion detection by preparing you for the most likely attack scenarios.
  • 219. Attack Surface
  • 220. Cyber Kill Chain by Lockheed Martin
  • 221. MITRE ATT&CK Framework • Adversary TTPs • Threat Modelling • Identify Gaps • Prioritise Risk Mitigation • Adversary Emulation
  • 223. Addressing the Overlap • Attack Surface • Threat Intelligence
  • 224. Blue Team Operations • Silver Bullets • Strong Fundamentals • Kill Chain & ATT&CK • Threat Model • Actionable Intelligence
  • 225. Thank-you!
  • 226. Fight the Good Fight Against the Bad Bots SCOT-SECURE 27 MARCH 2019 PRESENTED BY: David Warburton, Senior Threat Research Evangelist F5 Networks
  • 227. Attack Automation Is the Single Biggest Threat • $2.3 billion in account takeover losses (2016) • 48.2% Humans • 28.9% Bad Bots • 22.9% Good Bots • 1.2% Monitoring Bots • 2.9% Commercial Crawlers • 6.6% Search Engine Bots • 12.2% Feed Fetchers • 24.3% Impersonators • 1.7% Scrapers • 0.3% Spammers • 2.6% Hacker Tools 229 | © F5 NETWORKS
  • 228. % of Traffic: Humans vs Good Bots vs Bad Bots BY INDUSTRY • 21.45% 19.24% 16.49% 62.05% 2.51% 78.25% Tickets 22.97% 7.82% 69.21% Healthcare 24.37% 57.58% 18.04% Financial 24.66% 4.35% 70.99% Airlines 43.90% 0.93% 55.18% Gambling 53.08% 0.09% 46.80% Travel (incl. Airlines) Ecommerce Travel (no Airlines) 4.50% 3.46% 92.04% Real Estate 12.44% 37.21% 50.35% Insurance 12.88% 18.65% 68.47% Adult Entertainment 17.57% 0.47% 81.95% • Bad Bots, Good Bots, Human • Source: GlobalDots Bad Bot Report 2018
  • 229. Ratio of Bad Bots to Good Bots by Site Size • Large Sites, Medium Sites, Small Sites, Tiny Sites • 38.1% 61.9% 44.4% 55.6% 65.3% 34.7% 56.1% 38.9% • Bad Bots, Good Bots • Source: GlobalDots Bad Bot Report 2018
  • 230. Bot Attack Tools • Headless Chrome • Sentry MBA
  • 231. Thingbots: Multi-purpose Attack Bots • Shifting from primarily DDoS to multi-purpose • 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 • 7 Bots SORA OWARI UPnPProxy OMNI RoamingMantis Wicked VPNFilter Mirai BigBrother Rediation 1 Bot 3 Bots Remaiten 1 Bot Moon 1 Bot Aidra 1 Bot Hydra 2 Bots WireX Reaper 3 Bots Satori Fam Amnesia Persirai 1 Bot Brickerbot 6 Bots Masuta PureMasuta Hide ‘N Seek JenX OMG DoubleDoor 1 Bot Crash override 1 Bot Gafgyt Family 2 Bots Darlloz Marcher 1 Bot Psyb0t 4 Bots Hajime Trickbot IRC Telnet Annie • Thingbot Attack Type: Crypto-miner, DDoS, PDoS, Proxy Servers, Unknown…, Rent-a-bot, Credential Collector, Install-a-bot, Multi-purpose Bot, Fraud trojan, ICS protocol monitoring, Tor Node, Sniffer, DNS Hijack
  • 232. Top 50 Attacked Credentials (Q3 2017, Q4 2017) • Observed in active attacks • Defaults not changed • 87% of credentials: Username = Password • Username Password Username Password Username Password Username Password support support 10101 10101 root root tomcat tomcat root root dbadmin admin support support PlcmSpIp PlcmSpIp admin admin123 butter xuelp123 admin admin123 sshd sshd ubnt ubnt ftpuser asteriskftp ubnt ubnt monitor monitor usuario usuario PlcmSpIp PlcmSpIp service service butter xuelp123 service service tomcat tomcat usuario usuario mysql mysql pi raspberry hadoop hadoop pi raspberry hadoop hadoop user user mysql mysql user user user1 user1 guest guest vagrant vagrant test test cisco cisco test test jenkins jenkins guest guest vagrant vagrant mother f***** www www mother f***** 101 101 supervisor supervisor a a oracle oracle ts3 ts3 git git apache apache operator operator FILTER**** FILTER**** 0 0 minecraft minecraft supervisor supervisor apache apache ftp ftp testuser testuser ftp ftp telnet telnet operator operator ts3 ts3 git git jenkins jenkins oracle oracle backup backup ubuntu ubuntu Management TestingR2 osmc osmc vnc vnc nagios nagios www www ubuntu ubuntu deploy deploy postgres postgres zabbix zabbix default 1 odoo odoo uucp uucp backup backup monitor monitor user1 user1 Admin admin anonymous any@ postgres nagios postgres nagios alex zabbix alex zabbix ftpuser Root asteriskftp a osmc a osmc 1111 1111 10101 10101 1234 <Any Pass> tomcat tomcat api api dbadmin admin PlcmSpIp PlcmSpIp • Source: The Hunt for IoT: The Growth and Evolution of Thingbots Ensures Chaos, F5 Labs, March 2018
  • 233. Attacks Targeting Europe (last 90 days) • Protocol: SIP (5060), SMB (445), ICS (2222), HTTPS (443), RDP (3389), SQL (1433), SSH (22), HTTP (80), MySQL (3306), Telnet (23), SIP-TLS (5061), Port 54184 (54184), Remote Framebuffer (5900), Port 8291 (8291), DSL Forum CWMP (7547), Port 5902 (5902), HTTP Alternate (see port 80) (8080), Simple Mail Transfer (25), NETBIOS (139), Port 8545 (8545)
  • 234. Shifting Sources • Previously unseen IP addresses • Previously unseen networks (ASN) • 100% 80%
  • 235. What Do Malicious Bots Do? • Attack web and mobile apps • Launch denial of service • Scan for vulnerabilities (reconnaissance) • Infect users with malware • Account takeover and fraud • Web scraping and theft • 77% of web app attacks start from botnets
  • 236. How Do Bots Attack the App Layer? Account Takeover • Credential stuffing • Credential cracking • Account aggregation • Account creation Payment Card Data • Carding • Card cracking • Cashing out Vulnerability Scanning • Vulnerability scanning • Footprinting • Fingerprinting DoS / Resource Hoarding • Scalping • Denial of inventory • Denial of service (DoS) • Sniping • Expediting Content Theft • Content scraping Other Attacks • Ad fraud • CAPTCHA defeat • Skewing • Spamming • Token cracking
  • 237. Credential Stuffing • 70 MILLION • 427 MILLION • 150 MILLION • 3 BILLION • 117 MILLION • In the last 8 years more than 7.1 billion identities have been exposed in data breaches (1) • 3 out of 4: “Nearly 3 out of 4 consumers use duplicate passwords, many of which have not been changed in five years or more.” (2) • 1) Symantec Internet Security Threat Report, April 2017 2) Password Statistics: The Bad, the Worse and the Ugly, Entrepreneur Europe
  • 238. Account Takeover ‒ Credential Stuffing • Credentials from Previous Breaches • Credit Card Data • Intellectual Property • Healthcare Data • Passport Data • Financial Data
  • 239. Vulnerability Scanning • Attackers must automate to find weaknesses for manual probing • Bots allow attackers to scale their operations • Many reconnaissance tools available • Shodan, publicwww.com, BuiltWith.com, etc. • Network mappers (Nmap) • WGET, SQLMap, etc. • Headless browsers (Phantom.js, Selenium)
  • 241. Shortcomings of Today’s Approach • Code-level security: Difficulty differentiating between humans and modern bots; Lags behind rapid pace of bot evolution • IP blocking: Sheer volume of IPs difficult to track and block; Ineffective at blocking TOR-based bots • Traditional WAF: Designed to protect against OWASP Top 10; Rely solely on captcha for bot protection
  • 242. What is Required for Accurate Bot Detection? • Bot Signatures + DNS Checks • JS Challenge + Browser Fingerprinting • Browser Capabilities • Human Detection • Optional CAPTCHA • Anomalies • Server should not receive traffic
  • 243. Behavioural Analysis and Fingerprinting • Detect GET flood attacks against Heavy URIs • Identify non-human surfing patterns • Fingerprint to identify beyond IP address • Operating system • Geolocation • Browser • Screen size and colour depth • Plugin details • Time zone • HTTP_ACCEPT headers • Language • System fonts • Touch support • Extensions
  • 244. JavaScript Based Bot Detection: LEGITIMATE BROWSER VERIFICATION • Customer • Internet • WAF • Server • First time request to web server: WAF responds with injected JS; request is not passed to the server • WAF verifies response authenticity • Cookie is signed, time stamped, and fingerprinted • No challenge response from bots • Bots are dropped • Valid response is sent to the server
  • 245. Bot Management Solution: DEPLOYMENT MODELS • Appliances • Virtual Edition • Managed Services • Cloud Edition • Managed Rules • Advanced WAF: Behaviour analytics + Bot protection + App-level encryption + Anti-bot mobile SDK • Mobile users • Attackers • Bots • Desktop users
  • 248. AI and Future Bots
  • 249. Key Takeaways • Classify and control increasingly automated traffic • Eliminating 30-40% of web traffic has a big impact • Bot detection requires less per-application tuning
  • 250. Read more about these and other threats • Stay up-to-date • Sign up for F5 Labs • https://interact.f5.com/AppProtectLibrary • F5labs.com
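
The legitimate-browser verification flow on slide 244 (a cookie that is signed, time stamped and fingerprinted) can be expressed in code as follows. This is an added example, not F5's implementation or code from the deck; the cookie layout, the `SECRET` key, the `MAX_AGE` window, the verdict strings and the sample client attributes are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: secret known only to the WAF
MAX_AGE = 300                     # assumption: cookie lifetime in seconds

# Constructed client attributes, of the kind the fingerprinting slide lists.
BROWSER = {"screen": "1920x1080x24", "tz": "Europe/London", "lang": "en-GB"}
OTHER = {"screen": "800x600x24", "tz": "UTC", "lang": "en-US"}


def fingerprint(attrs):
    """Stable hash over the client attributes collected by the injected JS."""
    canon = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canon.encode()).hexdigest()[:32]


def sign(payload):
    """HMAC-SHA256 over the cookie payload, hex encoded."""
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(attrs, now):
    """Called only after the client has answered the JS challenge."""
    payload = f"{now}.{fingerprint(attrs)}"
    return f"{payload}.{sign(payload)}"


def verify_cookie(cookie, attrs, now):
    """Return 'pass', 'challenge', or a 'drop:<reason>' verdict."""
    if not cookie:
        return "challenge"  # first request, or a client that never ran the JS
    parts = cookie.split(".")
    if len(parts) != 3:
        return "drop:malformed"
    ts, fp, sig = parts
    if not (ts.isascii() and ts.isdigit() and len(ts) <= 12):
        return "drop:malformed"
    # Check the signature first, in constant time, before trusting any field.
    if not hmac.compare_digest(sig.encode(), sign(f"{ts}.{fp}").encode()):
        return "drop:bad-signature"
    if not 0 <= now - int(ts) <= MAX_AGE:
        return "challenge"  # expired or future-dated: challenge again
    if not hmac.compare_digest(fp.encode(), fingerprint(attrs).encode()):
        return "drop:fingerprint-mismatch"  # cookie replayed by another client
    return "pass"
```

Binding the fingerprint into the signed payload is what stops a cookie harvested by one real browser from being reused across a bot fleet; the timestamp bounds how long any single stolen cookie stays useful.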