The UAE IA Standard is divided into 2 families of security controls: Management and Technical security controls. The control families are further structured into control sub-families and individual controls and sub-controls. There are 188 security controls prescribed as part of the standard.
A master class on defending against phishing, given at CISO Forum 2017. A detailed description, with demonstrations, of how phishing is carried out and how to counter it with organizational and technical measures.
CompTIA exam study guide presentations by instructor Brian Ferrill, PACE-IT (Progressive, Accelerated Certifications for Employment in Information Technology)
"Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53"
Learn more about the PACE-IT Online program: www.edcc.edu/pace-it
Cyber Security: The Strategic View
By: Kah-Kin Ho, Head of Cyber Security Business Development, Threat Response, Intelligence and Development (TRIAD)
This session begins with an overview of how Cisco sees the challenges and opportunities of cyber security for government, including areas such as recent developments on the applicability of international law to cyber conflict, the evolving role of the government as the legitimate security provider, public-private partnership issues, and the evolving technical, social and political threat landscape. Cisco recognizes that cyber security begins at the policy level and translates through to the operational and system level. We will discuss why an intelligence-led, network-centric approach that focuses on enforcing policy, enhancing situational awareness, and providing the insight necessary to tackle threats before they impact information and infrastructure assets is key to cyber security.
Overview of VPN protocols.
VPNs (Virtual Private Networks) are often viewed from the perspective of security, with the goal of providing authentication and confidentiality.
However, the primary purpose of VPNs is to connect two topologically separated private networks over a public network (typically the Internet).
VPNs essentially hook one network logically into another so that both appear as one private local network.
Security is a possible add-on to VPNs. In many cases it makes perfect sense to secure the VPN's communication over the insecure public network.
VPN protocols typically employ a tunnel in which data packets of the local network are encapsulated in an outer protocol for transmission over the public network.
The most important VPN protocols are IPsec, PPTP and L2TP. In recent years SSL/TLS based VPNs such as OpenVPN have gained widespread adoption. Two caveats a practitioner should keep in mind: PPTP's MS-CHAPv2 authentication is cryptographically broken, so PPTP should be treated as obsolete wherever confidentiality matters, and L2TP by itself provides no encryption at all, which is why it is normally run over IPsec.
Drawing on CrowdStrike's work, Cayce Beames presents evolving cybersecurity threats, discusses her thoughts on why traditional security is failing, and shares a bit about what this "next generation endpoint protection" is about.
Cayce has been working in technology for over 25 years. From IT systems administration to network engineering and Internet security, risk management and compliance auditing, Cayce has consulted with many global corporations and traveled extensively. Cayce is currently a governance, risk and compliance analyst at CrowdStrike and founder of the not-for-profit, public-benefit education organization for kids called "The Computer Club", where she works to inspire kids and adults to address their fear of the unknown and make something awesome with technology.
This presentation looks at the core components of an Incident Response plan (NIST SP 800-61) as well as a custom practical implementation framework developed by ELYSIUMSECURITY based on NIST and FIRST.
CYBERSPACE
CYBER POWER
INTERNET
CYBER-ATTACK
INDIA AND PAKISTAN CYBER ATTACKS
TYPES OF CYBER CRIME
Hypotheses in the Research
Literature on the Influence of Mass Media on Criminal Behavior
Technology-Related Risk Factors for Criminal Behavior
COPYCAT CRIME:
CYBER SECURITY
SAFETY TIPS FOR CYBER CRIME
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic... (CODE BLUE)
Microsoft Exchange Server is an email solution widely deployed within government and enterprises, and it is an integral part of both their daily operations and security. Needless to say, vulnerabilities in Exchange have long been the Holy Grail for attackers, hence our security research on Exchange. Surprisingly, we've found not only critical vulnerabilities such as ProxyLogon, but a whole new attack surface of Exchange.
This new attack surface is based on a significant change in Exchange Server 2013, where the fundamental protocol handler, Client Access Service (CAS), splits into frontend and backend. In this fundamental change of architecture, quite an amount of design debt was incurred, and, even worse, it introduced inconsistencies between contexts, leading us to discover this new attack surface.
To unveil the beauty of this attack surface and our novel exploitation, we'll start by analyzing this architecture, followed by 7 vulnerabilities that consist of server-side bugs, client-side bugs, and crypto bugs found via this attack surface. In the end, these vulnerabilities are chained into 3 attack vectors that shine in different attack scenarios: ProxyLogon, ProxyShell, and ProxyOracle. These attack vectors enable any unauthenticated attacker to uncover plaintext passwords and even execute arbitrary code on Microsoft Exchange Servers through port 443, which is exposed to the Internet by ~400K Exchange Servers.
This attack surface has its unparalleled impact for a reason: security researchers tend to find vulnerabilities from a certain perspective, such as digging for memory bugs, injections, or logic flaws, but we took a different approach by looking at Exchange from a high-level architectural view and captured this architecture-level attack surface, which yielded multiple vulnerabilities. We hope this brings a new paradigm to vulnerability research and inspires more security researchers to look into Exchange Server. Last but not least, we'll provide hardening actions to mitigate such types of 0days in Exchange.
The Zero Trust Model of Information Security (Tripwire)
In today’s IT threat landscape, the attacker might just as easily be over the cubicle wall as in another country. In the past, organizations have been content to use a trust and verify approach to information security, but that’s not working as threats from malicious insiders represent the most risk to organizations. Listen in as John Kindervag, Forrester Senior Analyst, explains why it’s not working and what you can do to address this IT security shortcoming.
In this webcast, you’ll hear:
Examples of major data breaches that originated from within the organization
Why it’s cheaper to invest in proactive breach prevention—even when the organization hasn’t been breached
What’s broken about the traditional trust and verify model of information security
About a new model for information security that works—the zero-trust model
Immediate and long-term activities to move organizations from the "trust and verify" model to the "verify and never trust" model
Grow Up! Evaluating and Maturing Your SOC using MITRE ATT&CK (MITRE ATT&CK)
From ATT&CKcon 4.0
By Lauren Brennan, GuidePoint Security
Evaluating the maturity of your security operations program can be complex and challenging. From choosing the right framework to use, to understanding all aspects of how people, processes, and technologies can cohesively operate to grow your SOC, evaluating your security operations is crucial. This presentation will discuss how to evaluate your security operations program using the MITRE ATT&CK framework and talk about best practices for evaluations. We will explore how to identify gaps in your operations and improve your overall security posture with foundational activities. Attendees can expect to learn practical tips for leveraging the MITRE framework as well as actionable takeaways for evaluating and improving their own security operations.
Falcon OverWatch Experts Hunt 24/7 To Stop Incidents Before They Become Breaches
Is your IT security team suffering from alert fatigue? For many organizations, chasing down every security alert can tax an already overburdened IT department, often resulting in a breach that might have been avoided. Adding to this challenge is an increase in sophisticated threats that strike so fast and frequently, traditional methods of investigation and response can’t offer adequate protection.
A new webcast from CrowdStrike, “Proactive Threat Hunting: Game-Changing Endpoint Protection Above and Beyond Alerting,” discusses why so many organizations are vulnerable to unseen threats and alert fatigue, and why having an approach that is both reactive and proactive is key. You’ll also learn about Falcon OverWatch™, CrowdStrike’s proactive threat hunting service that investigates and responds to threats immediately, dramatically increasing your ability to react before a damaging breach occurs.
Download the webcast slides to learn:
--How constantly reacting to alerts prevents you from getting ahead of the potentially damaging threats designed to bypass standard endpoint security
--Why an approach that includes proactive threat hunting, sometimes called Managed Detection and Response, is key to increasing protection against new and advanced threats
--How CrowdStrike Falcon OverWatch can provide 24/7 managed threat hunting, augmenting your security efforts with a team of cyber intrusion detection analysts and investigators who proactively identify and prioritize incidents before they become damaging breaches
FireEye 2015: FireEye, a system for protection against targeted attacks (DialogueScience)
Advanced Persistent Threat (APT) threats, i.e. targeted attacks by adversaries exploiting zero-day vulnerabilities, are the most dangerous and pressing for most companies. The webinar examines a way to defend against this kind of threat using the FireEye system.
Speaker: Nikolay Petrov, CISSP, Deputy General Director, ZAO DialogueScience (ЗАО «ДиалогНаука»)
FireEye, a system for protection against targeted attacks (DialogueScience)
Today, Advanced Persistent Threat (APT) threats, i.e. targeted attacks by adversaries exploiting zero-day vulnerabilities, are the most dangerous and pressing for most companies. The webinar will examine a way to defend against this kind of threat using the FireEye system.
17 ways to penetrate a company's internal network (Aleksey Lukatskiy)
A presentation reviewing various high-profile incidents and how they could have been detected in time. Many companies, however, do not follow these recommendations and focus only on perimeter defense.
On 14 May InfoWatch held an open webinar on targeted attacks and defending against them. The presenter explained what targeted/APT attacks are, how they are organized, what motivates the criminals, and how to defend against such attacks.
A recording of the webinar by Andrey Arefyev, product development manager at InfoWatch, is available at http://www.infowatch.ru/webinar/tad
My talk at the Kaspersky ICS Security Conference in Sochi in September 2020 on what to pay attention to when building ICS security dashboards for decision makers
Technical protection of personal data under GDPR and 152-FZ (Aleksey Lukatskiy)
A presentation from GDPR Day Online on the technical protection of personal data under GDPR and Russia's Federal Law 152-FZ. Lots of links to standards and guidance on protecting personal data in the cloud, blockchain, BYOD, ML, Big Data, etc., plus technical checklists for protecting personal data from CNIL, ICO and others.
Business metrics of information security for the management of a financial organization (Aleksey Lukatskiy)
A presentation on how to bring information security to the management of a financial organization: how to talk to them in the language of money, and which metrics to use when we cannot monetize security.
A short but nonetheless talented :-) summary of the key ideas, thoughts, news and facts from the Ural Forum on Information Security of Financial Organizations (2020).
17 ways to embarrass your firewall and get into a corporate network (Aleksey Lukatskiy)
A presentation reviewing 17 ways to get into a corporate network while bypassing the firewall. Cisco Stealthwatch and Cisco ISE are described as an example solution for many of them.
4. Business Email Compromise (BEC)
• Only 5% of BEC schemes use compromised accounts
• 2/3 use free webmail accounts
• 28% of attacks come from registered domains
• 1 in 5 BEC emails includes the victim's name
Most common points of origin for BEC scams: webmail, registered domain, compromised account
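The numbers above say that 95% of BEC mail does not come from a compromised account but from free webmail or an attacker-registered domain, often with the executive's name in the display name. The following is an added example, not code from the original slides: a header-level check of the kind a mail gateway runs against exactly those sources. The organization's domains, the VIP list, the free-webmail list and the four sample messages are all constructed for the illustration; note that the last sample (a message from a genuine internal address) produces nothing, which is the 5% case that needs content and behavioral analysis rather than header checks.

```python
# Added example, not from the original slides: header-level BEC checks for the
# sources the statistics call out (free webmail, attacker-registered look-alike
# domains, display-name impersonation, diverted Reply-To). All names, domains
# and messages below are constructed.
import re
from email.utils import getaddresses, parseaddr

ORG_DOMAINS = {"example.com"}                       # assumption: our own domains
VIP_NAMES = {"jane doe", "john smith"}              # assumption: CEO, CFO ...
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "mail.ru"}


def _norm(name: str) -> str:
    return re.sub(r"[^a-z ]", "", name.lower()).strip()


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _is_ours(domain: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in ORG_DOMAINS)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _lookalike(domain: str) -> bool:
    """True if the registrable label resembles one of ours (examp1e.com, example-corp.com)."""
    label = domain.split(".")[-2] if domain.count(".") >= 1 else domain
    for ours in ORG_DOMAINS:
        ours_label = ours.split(".")[-2]
        if label != ours_label and (_edit_distance(label, ours_label) <= 1 or ours_label in label):
            return True
    return False


def score_bec(headers: dict) -> list:
    """Return the reasons a message looks like BEC (empty list = nothing found).
    `headers` maps header name to value, e.g. {"From": ..., "Reply-To": ...}."""
    reasons = []
    name, addr = parseaddr(headers.get("From", ""))
    from_dom = _domain(addr)
    if _norm(name) in VIP_NAMES and not _is_ours(from_dom):
        reasons.append("display-name impersonation of %s from %s" % (name, from_dom))
    if from_dom in FREE_WEBMAIL:
        reasons.append("sender uses free webmail")
    if from_dom and not _is_ours(from_dom) and _lookalike(from_dom):
        reasons.append("look-alike domain %s" % from_dom)
    for _, reply in getaddresses([headers.get("Reply-To", "")]):
        if reply and _domain(reply) != from_dom:
            reasons.append("Reply-To goes to %s, not the From domain" % _domain(reply))
    return reasons


# Constructed messages: 1) webmail impersonation, 2) look-alike domain,
# 3) vendor with a diverted Reply-To, 4) a real (possibly compromised) account.
SAMPLES = [
    {"From": '"Jane Doe" <jane.doe.ceo@gmail.com>'},
    {"From": '"Jane Doe" <jane.doe@examp1e.com>'},
    {"From": '"Bob Vendor" <bob@vendor.example.org>', "Reply-To": "payments@mail.ru"},
    {"From": '"Jane Doe" <jane.doe@example.com>'},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg["From"], "->", score_bec(msg) or "clean")
```

In a real gateway these reasons feed a score together with authentication results and content signals; on their own they are cheap, explainable, and cover the bulk of what the statistics describe.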
5. Malicious attachments
• More than half of all malicious attachments are routinely used document types
• 2 in 5 malicious files are Microsoft Office documents
• Less than 2% of attachments are binary/executable files
Type      Percent
Office    42.8%
Archive   31.2%
Script    14.1%
PDF        9.9%
Binary     1.77%
Java       0.22%
Flash      0.0003%
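Since the table shows that the dangerous attachments are mostly ordinary document types, the useful gateway check is to decide what a file is from its bytes, not from the name the sender gave it. The following is an added example, not code from the original slides: a classifier into the same categories as the table, driven by file signatures (OLE2 and OOXML for Office, ZIP/RAR/7z/gzip for archives, %PDF, MZ/ELF, Java class, SWF) plus a deliberately simple string heuristic for scripts. The sample attachments are constructed in memory, with names chosen to contradict their content.

```python
# Added example, not from the original slides: classify an attachment by its
# content rather than its file name, in the same categories as the table above.
# Sample attachments are constructed; the script heuristic is intentionally simple.
import io
import zipfile

SCRIPT_MARKERS = ("#!", "@echo off", "WScript.Shell", "CreateObject(", "powershell", "<?php", "<script")


def classify_attachment(data: bytes) -> str:
    """Return office, archive, script, pdf, binary, java, flash or unknown."""
    if data.startswith(b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"):
        return "office"                     # OLE2 compound file: legacy .doc/.xls/.ppt, macro carriers
    if data.startswith(b"PK\x03\x04"):
        # OOXML (.docx/.xlsm/...) is a ZIP that carries [Content_Types].xml; any other ZIP is an archive
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "archive"
        return "office" if "[Content_Types].xml" in names else "archive"
    if data.startswith((b"Rar!\x1a\x07", b"7z\xBC\xAF\x27\x1C", b"\x1f\x8b")):
        return "archive"                    # RAR, 7-Zip, gzip
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith((b"MZ", b"\x7fELF")):
        return "binary"                     # PE (exe/dll/scr) or ELF
    if data.startswith(b"\xCA\xFE\xBA\xBE"):
        return "java"                       # Java class file (also the Mach-O fat header; rare in mail)
    if data[:3] in (b"FWS", b"CWS", b"ZWS"):
        return "flash"
    head = data[:4096].decode("latin-1")
    if any(marker in head for marker in SCRIPT_MARKERS):
        return "script"                     # heuristic: VBS/JS/BAT/PS1 droppers carry these strings
    return "unknown"


def _zip_bytes(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()


SAMPLES = {   # constructed; file names deliberately contradict the content
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,
    "report.docx": _zip_bytes({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"}),
    "photos.zip": _zip_bytes({"readme.txt": "holiday pictures"}),
    "scan.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "old.doc": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 504,
    "notes.txt": b'Set sh = CreateObject("WScript.Shell")\r\nsh.Run "powershell -nop -w hidden"',
}


def classify_all(samples=SAMPLES) -> dict:
    return {name: classify_attachment(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, kind in classify_all().items():
        print("%-12s -> %s" % (name, kind))
```

The category is only the first gate: an "office" verdict should route the file to macro inspection or a sandbox, and an "archive" verdict should recurse into the contents (password-protected archives being the usual blind spot).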
6. Growth of phishing domains
64% growth in new phishing domains in Q1 2019
Source: Cisco Umbrella
About 500 thousand new phishing domains appear every quarter
8. Example: the Equifax web portal breach
• On 10 March 2017 attackers found a known vulnerability on the Equifax portal that gave them access to the web portal and let them run commands on it
• Information about the vulnerability had been distributed by US-CERT two days earlier
• Having identified the vulnerability, the attackers launched an exploit and gained access to the system, confirming that they could run commands
• No data had been stolen yet
9. Step 2 of the Equifax attack: exploiting the vulnerability
• On 13 May 2017 the attackers exploited this vulnerability and moved into internal systems, performing a number of masking procedures
• For example, an existing encrypted connection was used to send requests and receive responses
Result: leak of financial information on 146 million people
11. There are methods against 0-days too
• 90%: widespread, common malware, handled by signatures and rules
• 9%: sophisticated malware, handled by behavioral analysis, cloud reputation, Threat Intelligence, NTA
• 1%: targeted and unique malware, handled by machine learning, sandboxes, threat hunting, forensics
12. Modern e-mail protection technologies
• Reputation filters: 70-80% block rate
• Sender filtering
• SPF, DKIM and DMARC
• CASE: scanning with several engines
• Antivirus: blocks 100% of known viruses
• File reputation: blocking by file hashes
• File analysis: over 300 behavioral indicators
• Graymail detection: social networks, marketing, advertising
• Content filtering: filtering rules
• Filtering by metadata
• 9-12 h average lead time
• Phishing protection: behavior analysis, file analysis and reputation
• Outbound mail scanning
• Encryption: encryption rules
• Domain protection: brand protection
• Data leak protection (DLP): inspection of sensitive data
• Retrospection: alert on verdict changes and auto-delete from O365
• Graymail unsubscribe: link validation and unsubscribe
• URL rewriting and control: track user clicks and report on URLs
Protection layers: sender and content filtering; virus and malware filtering; anti-spoofing; URL analysis; 0-day malware; anti-phishing; post-processing
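The anti-spoofing layer on the slide (SPF, DKIM and DMARC) is the one that decides whether a message may use your domain in From: at all. The following is an added example, not code from the original slides, that works through that decision for one message: it parses a DMARC record, applies strict or relaxed alignment to the SPF and DKIM results, and returns the disposition. The DMARC record and authentication results are constructed and passed in directly (a real gateway obtains them from DNS and from the SPF/DKIM verifiers), and the organizational domain is approximated as the last two labels rather than looked up in the Public Suffix List; both are assumptions of the example. The last scenario shows the limit of the layer: a free-webmail sender is fully aligned, so DMARC passes it, which is why the reputation and anti-phishing layers on the slide exist.

```python
# Added example, not from the original slides: the SPF / DKIM / DMARC alignment
# decision for a single message. Records and results are constructed; the
# organisational-domain lookup is simplified (assumption, see lead-in).

def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s; aspf=r' into tag -> value with
    the RFC 7489 defaults (relaxed alignment, p=none)."""
    tags = {"adkim": "r", "aspf": "r", "p": "none"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def org_domain(domain: str) -> str:
    # Simplification: real implementations derive this from the Public Suffix List.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts
    any subdomain of the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_verdict(from_domain: str, dmarc_record: str,
                  spf_result: str, spf_domain: str,
                  dkim_result: str, dkim_domain: str):
    """Return (disposition, reason). spf_domain is the MAIL FROM domain the
    SPF check was made against; dkim_domain is the d= of a verified signature.
    disposition is 'pass' or the policy to apply: none / quarantine / reject."""
    tags = parse_dmarc(dmarc_record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if dkim_ok or spf_ok:
        return "pass", "aligned via " + ("dkim" if dkim_ok else "spf")
    return tags["p"], "no aligned authentication; applying p=" + tags["p"]


# Constructed scenarios: (description, arguments to dmarc_verdict)
SCENARIOS = [
    ("legit, bounce subdomain, relaxed SPF",
     ("example.com", "v=DMARC1; p=reject", "pass", "bounce.example.com", "none", "")),
    ("legit, strict alignment, only DKIM aligns",
     ("example.com", "v=DMARC1; p=reject; adkim=s; aspf=s", "pass", "bounce.example.com", "pass", "example.com")),
    ("spoofed From:, attacker's own SPF/DKIM pass",
     ("example.com", "v=DMARC1; p=reject", "pass", "attacker.net", "pass", "attacker.net")),
    ("free webmail sender, nothing spoofed",
     ("gmail.com", "v=DMARC1; p=none", "pass", "gmail.com", "pass", "gmail.com")),
]


def run_scenarios() -> dict:
    return {desc: dmarc_verdict(*args)[0] for desc, args in SCENARIOS}


if __name__ == "__main__":
    for desc, disposition in run_scenarios().items():
        print("%-45s -> %s" % (desc, disposition))
```

The third scenario is the important one: the attacker's infrastructure can pass SPF and carry a valid DKIM signature for attacker.net, but neither aligns with the From: domain, so the receiver applies the domain owner's p=reject.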
13. VPNFilter
Tactics
• Targets perimeter devices
• Redirects and modifies network traffic
Processes
• Take everything, look for what is interesting
• Infect and persist
Tools
• A framework for building one's own botnets
• Modular architecture for updates
• Complex C2 and multi-stage platform
Description
• A botnet of perimeter network devices and storage systems
• Over 500K vulnerable (non-Cisco) devices infected
Relevant defenses: DNS monitoring; NGFW, NGIPS; NTA
14. The NASA breach
• In April 2018 hackers penetrated NASA's internal network and stole 500 MB of data on the Mars mission
• The entry point was a Raspberry Pi computer installed on the NASA network
15. The network infrastructure can be not only a defense system but also a target
0. Don't limit yourself to the perimeter
1. Use NetFlow or IPFIX
2. Use unsampled NetFlow
3. Check the load on your equipment
4. Start at the access layer
5. If the equipment is Russian-made, choose models with flow support (or at least SPAN support)
6. Combine NTA with intrusion/attack detection systems
7. Think in terms of zoning, not firewalls
8. Integrate network monitoring with network access control
9. Take your network's development strategy into account
17. Olympic Destroyer
Tactics
• Supply chain
• Expanding the foothold via WMI and PsExec
• Automatic expansion of the foothold with stolen credentials
Processes
• Credential theft and foothold expansion
• A focused attack aimed at political gain
Tools
• PsExec / WMI / credential stealer / browser stealer
• Use of legitimate system utilities
• Mimikatz and credential theft
Description
• Aimed at the Olympic Games in South Korea
• Authorship attributed to North Korea
Relevant defenses: anti-malware; email security; DNS monitoring; NGFW, NGIPS; NTA; EDR
19. Nyetya
Tactics
• Supply chain and victim-to-victim
• Rapid propagation
• Destruction of systems / networks
Processes
• Designed to inflict damage as quickly and effectively as possible
• Looks like ransomware but is destructive in nature
Tools
• Ransomware with worm tactics
• Designed to spread on the inside, not from the outside
• Use of EternalBlue / EternalRomance and admin tools (WMI/PsExec)
Description
• An advanced, state-associated actor
• A destructive attack disguised as ransomware
• The most expensive incident in history
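Olympic Destroyer and Nyetya both spread inside the network over SMB and WMI with PsExec-style tooling, which is exactly the traffic the monitoring checklist on slide 15 wants you to see: unsampled NetFlow/IPFIX from the access layer, analyzed by an NTA rather than only by the perimeter firewall. The following is an added example, not code from the original slides, serving both passages: a fan-out detector over flow records that flags any host opening SMB/RPC connections to many distinct internal peers within a short window, with a known jump host exempted so the analyst only sees the anomaly. The addresses, ports, thresholds, the jump-host list and the flow records are constructed for the illustration. Sampled NetFlow would drop most of these one-packet connection attempts, which is the practical reason behind the "unsampled" advice.

```python
# Added example, not from the original slides: worm / lateral-movement fan-out
# detection over constructed flow records. Network ranges, the admin host list
# and the thresholds are assumptions for the illustration.
import ipaddress
from collections import defaultdict

LATERAL_PORTS = {445: "SMB", 139: "NetBIOS", 135: "RPC/WMI"}   # PsExec rides SMB, WMI starts on 135
INTERNAL = ipaddress.ip_network("10.0.0.0/8")                   # assumption
ADMIN_HOSTS = {"10.0.1.10"}                                      # assumption: jump host allowed to fan out
FANOUT_THRESHOLD = 10                                            # distinct internal targets
WINDOW = 60                                                      # seconds


def generate_flows():
    """Constructed flow records (start_ts, src, dst, dst_port, ip_proto)."""
    flows = []
    for i in range(2, 30):                       # workstations -> file server: normal
        flows.append((1000 + i, "10.0.2.%d" % i, "10.0.1.5", 445, 6))
    for i in range(2, 30):                       # jump host pushing a patch via WMI
        flows.append((1100 + i, "10.0.1.10", "10.0.2.%d" % i, 135, 6))
    for i in range(1, 60):                       # infected workstation sweeping 10.0.3.0/24
        flows.append((2000 + i // 4, "10.0.2.17", "10.0.3.%d" % i, 445, 6))
        flows.append((2000 + i // 4, "10.0.2.17", "10.0.3.%d" % i, 135, 6))
    return flows


def detect_lateral_movement(flows, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {src: {"targets": n, "services": [...], "known_admin": bool}} for every
    source that reached at least `threshold` distinct internal hosts on
    lateral-movement ports inside any `window`-second span."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        if proto != 6 or dport not in LATERAL_PORTS:
            continue
        if ipaddress.ip_address(dst) not in INTERNAL:
            continue                             # outbound SMB is a different detection
        by_src[src].append((ts, dst, dport))

    alerts = {}
    for src, recs in by_src.items():
        recs.sort()
        best, best_ports, start = 0, set(), 0
        for end in range(len(recs)):             # sliding time window over sorted flows
            while recs[end][0] - recs[start][0] > window:
                start += 1
            span = recs[start:end + 1]
            targets = {dst for _, dst, _ in span}
            if len(targets) > best:
                best = len(targets)
                best_ports = {LATERAL_PORTS[p] for _, _, p in span}
        if best >= threshold:
            alerts[src] = {"targets": best, "services": sorted(best_ports),
                           "known_admin": src in ADMIN_HOSTS}
    return alerts


def suspicious(flows):
    """Alerts minus the known admin hosts: what actually goes to the analyst."""
    return {s: a for s, a in detect_lateral_movement(flows).items() if not a["known_admin"]}


if __name__ == "__main__":
    for src, info in detect_lateral_movement(generate_flows()).items():
        print(src, info)
```

The jump host trips the same threshold as the infected workstation, which is the honest result: the detector sees behavior, not intent, and the exemption list (or better, integration with network access control so that "admin host" is a verified role rather than an IP) is what separates the two.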
20. CCleaner
Tactics
• Supply chain and victim-to-victim
• Slow internal reconnaissance
• A complex multi-stage attack
Processes
• High-precision identification of victims through data mining
• Built for stealth, designed for the long game
Tools
• Spear phishing
• Comprehensive reconnaissance and target profiling
• Keylogger and user credential stealer
Description
• An advanced, state-associated actor
• Capable of running complex, long operations focused on intellectual property theft
22. Normal distribution of subdomain lengths vs. anomalies in subdomain names
log.nu6timjqgq4dimbuhe.3ikfsb---redacted---cg3.7s3bnxqmavqy7sec.dojfgj.com
log.nu6timjqgq4dimbuhe.otlz5y---redacted---ivc.v55pgwcschs3cbee.dojfgj.com
What is hiding in this 231-character string?
DNS as an uncontrolled channel: leakage of credit card data, retrieval of malware updates, etc.
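The slide's observation is that ordinary subdomain lengths cluster tightly while an encoded channel produces very long, random-looking labels that never repeat. The following is an added example, not code from the original slides, that turns that observation into a detector over DNS query logs: each query is scored by length and by the Shannon entropy of its subdomain labels, and queries are aggregated per parent domain so that a domain receiving many unique, suspicious names stands out. The log format, the client, the attacker domain and the "card data" payload are constructed here, and the parent domain is approximated as the last two labels rather than looked up in the Public Suffix List (assumption).

```python
# Added example, not from the original slides: DNS tunnel / exfiltration
# detection over a constructed query log. Names, payload and thresholds are
# assumptions for the illustration.
import base64
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character; ordinary host names sit around 2-3.3, base32/base64
    payload runs higher unless the payload itself is very repetitive."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def query_features(qname: str) -> dict:
    labels = qname.rstrip(".").lower().split(".")
    parent = ".".join(labels[-2:])                      # simplification, see lead-in
    subs = labels[:-2]
    return {
        "parent": parent,
        "length": len(qname),
        "max_label": max((len(l) for l in subs), default=0),
        "entropy": shannon_entropy("".join(subs)),
    }


def detect_dns_tunnels(log_lines, max_len=80, min_entropy=3.8, min_unique=25):
    """Aggregate 'time client qname' lines per parent domain and return the
    parents whose subdomains look like an encoded channel: many unique names,
    or many individual queries that are too long or too random."""
    unique = defaultdict(set)
    flagged = defaultdict(int)
    for line in log_lines:
        _time, _client, qname = line.split()[:3]
        f = query_features(qname)
        unique[f["parent"]].add(qname)
        if f["length"] > max_len or f["entropy"] > min_entropy:
            flagged[f["parent"]] += 1
    return {
        parent: {"unique_subdomains": len(names), "suspicious_queries": flagged[parent]}
        for parent, names in unique.items()
        if len(names) >= min_unique or flagged[parent] >= 5
    }


def sample_log():
    """Constructed log: ordinary lookups from one client, then 30 queries that
    carry card records base32-encoded in the labels under a made-up attacker domain."""
    normal = ["www.example.com", "mail.example.com", "cdn.static.example.net",
              "api-us-east-1.cloudprovider.com", "login.microsoftonline.com"]
    lines = ["10:00:%02d 10.0.2.17 %s" % (i, normal[i % len(normal)]) for i in range(40)]
    for n in range(30):
        record = ("card=%03d;pan=4111111111111111;exp=12/26;cvv=123" % n).encode()
        b32 = base64.b32encode(record).decode().rstrip("=").lower()
        # DNS labels are capped at 63 bytes, so the encoder splits the payload
        lines.append("10:01:%02d 10.0.2.17 %04x.%s.%s.c2tunnel.net" % (n, n, b32[:63], b32[63:]))
    return lines


if __name__ == "__main__":
    for parent, info in detect_dns_tunnels(sample_log()).items():
        print(parent, info)
```

Length and uniqueness are the robust signals here: the constructed payload is mostly a repeated card number, so its base32 encoding is less random than one would expect, and an entropy-only rule could miss it. Legitimate long names (CDNs, cloud service endpoints, some anti-spam and certificate-check services) are the usual false positives, so a per-parent allow-list belongs in front of this in production.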
23. 17 channels the bad guys use to get into your organization
1. E-mail
2. Web
3. Site-to-Site VPN
4. Remote Access VPN
5. Sharing resources
6. USB
7. Wi-Fi
8. Warez
9. BYOD
10. Embedded
11. Client-server with encryption
12. DevOps
13. Contractors
14. Vulnerability on a portal
15. Watering hole
16. DNS
17. Cloud
24. What should companies do?
• Start by revisiting the cybersecurity strategy
• Understand the attackers' motivation for their enterprise
• Account for the tactics, techniques and procedures (TTP) that attackers use
• Identify the weak links in the organization, in the network, in the defenses
• Think like attackers, act like defenders (use Red Team / Blue Team)
• Account for the "BEFORE - DURING - AFTER" attack lifecycle
25. What should companies do?
• Revisit the defense system
• Balance defensive technologies (prevention, detection and response): instead of an 80-15-5 ratio, move to 33-33-34
• Think about the security of the internal network, not only perimeter defense
• Monitor even what policy says doesn't exist (Wi-Fi, mobile devices, 3G/4G modems, clouds, etc.)
• Deploy Threat Intelligence for early warning of threats