John-Luke Peck
This presentation will review, in retrospect, several recent incident response engagements performed over the last 12 months by a third-party (non-Microsoft affiliated) security and incident response services provider. During the talk the presenter will review what went well and what did not go well during the various engagements, with a particular focus on the data, services, and support available from Microsoft and Office365/AzureAD, and how they were and were not able to be leveraged during the various engagements.
This will include a focus on areas where:
* Necessary data was not available because the client had not taken, or were unaware of the need to take, steps to enable collection of the data
* The data & services available were successfully used during response efforts
The presentation will highlight:
* Lessons learned about Office365/AzureAD and Incident Response
* How Office365, AzureAD, and ATP services and data were used in the response efforts
* Recommendations for Office365/AzureAD tenants to improve their security & IR capabilities /before/ an incident occurs
All presented examples and incidents will be de-identified to maintain and protect privacy and operational security.
What this is NOT:
* A service provider's sales presentation
Network Forensics and Practical Packet Analysis - Priyanka Aash
Why Packet Analysis?
3 Phases - Analysis, Conversion & Collection
How do we do it?
Statistics - Protocol Hierarchy
Statistics - End Points & Conversations
Yehia Mamdouh @ DTS Solution - The Gentleman Thief - Shah Sheikh
This document provides an overview of social engineering and how to mitigate social engineering risks. It defines social engineering as manipulating people into taking actions or divulging information. Social engineering attacks are categorized as computer-based (e.g. phishing emails) or human-based (e.g. in-person interactions). The document outlines common social engineering techniques like pretexting, reverse social engineering, and exploiting human behaviors. It emphasizes that effective mitigation requires a layered approach including security policies, employee awareness training, and incident response plans to address the ongoing social engineering threat.
Protecting Financial Networks from Cyber Crime - Lancope, Inc.
Financial services organizations are prime targets for cyber criminals. They must take extreme care to protect customer data, while also ensuring high levels of network availability to allow for 24/7 access to critical financial information. Additionally, industry consolidation has created large, heterogeneous network environments within large financial institutions, making it difficult to ensure that networks have the necessary visibility and protection to prevent a devastating security breach. By leveraging NetFlow from existing network infrastructure, financial services organizations can achieve comprehensive visibility across even the largest, most complex networks. The ability to quickly detect a wide range of potentially malicious activity helps prevent damaging data breaches and network disruptions. Attend this informational webinar, conducted by Lancope's Director of Security Research, Tom Cross, to learn:
- How NetFlow can help quickly uncover both internal and external threats
- How pervasive network insight can accelerate incident response and forensic investigations
- How to substantially decrease enterprise risks
Webinar: Ransomware: Strategies for Protecting Your Weakest Link - Endpoints - Storage Switzerland
Join George Crump, Lead Analyst at Storage Switzerland, and W. Curtis Preston (a.k.a. Mr. Backup), Chief Technical Architect at Druva, for this on-demand webinar to learn the latest strategies for protecting your organization from a ransomware attack.
Talk from the event "Cybersecurity: the new era in incident response and data auditing"
Jim Butterworth - Senior Cybersecurity Director, Guidance Software Inc.
Brasília, 4 August 2010
This document discusses the role of data visualization in cyber security analysis. It describes different types of security data like network packet captures, system logs, and flow data that can be visualized. Examples of visualizations include node-link diagrams to show network connections, packet contents, timelines to analyze events, and dashboards for situational awareness. Visual analytics helps analysts detect anomalies, understand attack patterns, and make informed decisions. Collaboration between security experts and data visualization experts is important to develop effective visual tools that integrate with analyst workflows.
Brian Fennimore discusses how threat data can be useful for security operations. He explains that threat data provides information like IP addresses and file hashes that can help identify threats. This data can be used in many ways, such as blocking malicious IPs or scanning for vulnerable files. Fennimore also describes how his company Virtustream uses threat data with Splunk for security monitoring, automation of compliance reporting, and enrichment of security information. He advocates consuming high quality threat data from various sources to help prevent security issues rather than just detect them after the fact.
Your adversaries continue to attack and get into companies. You can no longer rely on alerts from point solutions alone to secure your network. To identify and mitigate these advanced threats, analysts must become proactive in identifying not just indicators, but attack patterns and behavior. In this workshop we will walk through a hands-on exercise with a real-world attack scenario. The workshop will illustrate how advanced correlations from multiple data sources and machine learning can enhance security analysts' capability to detect and quickly mitigate advanced attacks.
This document summarizes the Heartbleed vulnerability that was announced in April 2014. It allowed attackers to read portions of a server's memory and extract private keys and user cookies. The vulnerability was in OpenSSL and affected many major companies. It was possible due to a buffer over-read in the OpenSSL implementation of the TLS Heartbeat Extension. While initially many were vulnerable, within a month most major sites and services had patched the vulnerability. The event highlighted issues with OpenSSL's code quality and maintenance and increased funding to address these issues. It also demonstrated the need for rapid patching of 0-day vulnerabilities and the importance of defense in depth strategies.
This document discusses SCADA honeypots, which are devices or systems placed on a network with no operational purpose in order to detect attacks. Honeypots can detect attacks since anything accessing them is suspicious as they have no legitimate use. While some debate their effectiveness, honeypots can provide valuable information by allowing researchers to learn how attackers work when they interact with the honeypot. The level of interaction and visibility of the honeypot must be considered to balance obtaining useful data with security risks.
Hunting Attackers with Network Audit Trails - Lancope, Inc.
Sophisticated, targeted attacks have become increasingly difficult to detect and analyze. Attackers can employ 0-day vulnerabilities and exploit obfuscation techniques to evade detection systems and "fly under the radar" for long periods of time.
Gartner estimates 85% of breaches go completely undetected and 92% of the detected breaches are reported by third parties. New strategies for identifying network attack activity are necessary.
Learn how network logging technologies such as NetFlow and IPFIX can be applied to the problem of detecting sophisticated, targeted attacks and used to create an audit trail of network activity that can be analyzed, both automatically and by skilled investigators, to uncover anomalous traffic.
Lancope will demonstrate how these records can be used to:
- Discover active attacks in each phase of the attacker's "kill chain"
- Determine the scope of successful breaches and document the timeline of the attacks
The document discusses threat modeling and provides an overview of the threat modeling process. It describes documenting assets and entry points, identifying threats using techniques like STRIDE and attack trees, assessing risk with DREAD, and resolving threats by mitigating them in stages from quick reductions to complete mitigation. An example threat of an insider attack on a database is analyzed in detail. The document concludes by recommending starting with the OWASP Top 10, incorporating threat modeling into the SDLC, and improving skills through resources like books and games.
This document summarizes Joseph Barnes' presentation on how the University of Illinois at Urbana-Champaign uses Splunk Enterprise to manage security. It describes Barnes' role overseeing privacy and security, and how the university was previously managing logs in a built syslog environment that was difficult to search. The presentation highlights use cases for Splunk in account compromise response, copyright infringement investigations, phishing campaigns detection, and assisting local police. It concludes that Splunk provides valuable insight, makes security management easier, and can empower more teams when used correctly.
SplunkLive! Philadelphia - University of Scranton - Splunk
The University of Scranton uses Splunk for centralized log collection and correlation of data from key systems like firewalls, networking equipment, and intrusion detection systems. Splunk allows the security team to quickly connect information from different data sources to investigate issues like copyright infringement. The university has created various security and network operations dashboards and automated searches in Splunk. Going forward, they plan to expand use of Splunk for additional security monitoring, analytics of web server logs, and institutional research.
Burning Down the Haystack to Find the Needle: Security Analytics in Action - Josh Sokol
This document discusses security analytics and how analyzing data from multiple security tools can provide greater visibility into threats. It introduces Josh Sokol and Walter Johnson who will discuss how security tools often work in silos and how an ecosystem where they can share data can help answer questions like whether a system is under attack. Network flow data is described as important "glue" that can tie events together to illustrate attack progressions.
This document outlines an agenda for a presentation on threat hunting with Splunk. The presentation will cover threat hunting basics, data sources for threat hunting, using Sysmon endpoint data, the cyber kill chain framework, and walking through an attack scenario using Splunk. It will also discuss advanced threat hunting techniques, applying machine learning and data science to security, and provide login credentials for a hands-on demo environment.
Extending Network Visibility: Down to the Endpoint - Lancope, Inc.
In today’s world of constantly evolving security threats and attack vectors, organizations need to be vigilant about monitoring their network infrastructure. The network perimeter and security infrastructure is often challenged with the adoption of mobile devices, cloud, and BYOD policies. The need for visibility into endpoint activity has become more important than ever.
Join Josh Applebaum (Ziften), Matthew Frederickson (Council Rock School District) and Peter Johnson (Lancope) for a complimentary webinar to learn how you can achieve real-time network visibility and intelligence for improved incident response.
Discover how you can:
- Achieve additional visibility and context to network activity
- Enhance your existing security investments (NetFlow, Firewall, SIEM, threat intelligence)
- Improve incident response by obtaining real-time and historical endpoint data
Combating Insider Threats – Protecting Your Agency from the Inside Out - Lancope, Inc.
When Edward Snowden leaked classified information to the mainstream media, it brought the dangers posed by insider threats to the forefront of public consciousness, and not without reason. Today's agencies are drowning in fears surrounding sophisticated cyber-attacks, but perhaps the most concerning type of attack out there is the one that comes from within: the insider threat. According to Forrester, abuse by malicious insiders makes up 25% of data breaches. Learn about the best practices and technologies you should be implementing now to avoid becoming the next victim of a high-profile attack.
- Become aware of the different types of insider threats, including their motives and methods of attack
- Understand why conventional security tools like firewalls, antivirus and IDS/IPS are powerless in the face of the insider threat
- Gain clarity on the various technologies, policies and best practices that should be put in place to help detect and thwart insider threats
- Discover how network logs, particularly NetFlow, can be used to cost-effectively monitor for suspicious insider behaviors that could indicate an attack
- Know about emerging attack methods such as muleware that could further escalate insider threats in the coming years
This document provides an overview and agenda for a presentation about Industrial Control System (ICS) security. It discusses how ICS devices have notoriously insecure software and protocols, and how they are increasingly being connected to the internet, exposing them to attacks. It describes a real-world example of an attack on a small town's water pressure system. The presentation details findings from running ICS honeypots that were targeted by attackers, including countries of origin and types of attacks. It provides a profile of one attacker and recommendations for improving ICS security.
Despite billions spent on enterprise cyber security, breaches from advanced attacks, costing millions, are occurring on a daily basis.
Our Solution: Complete Near Real-time Network Security Visibility and Awareness: If security analysts could see everything occurring on their network in real-time, breaches would occur but there would never be catastrophic damage – breach reaction would be almost instantaneous. Novetta Cyber Analytics is a linchpin enterprise security solution that enables security analysts, for the first time, to see a complete, near real-time, uncorrupted picture of their entire network. Security analysts then ask and receive answers to subtle questions – at the speed of thought – to enable detection, triage and response to breaches as they occur.
The Benefits: Increase events-responded-to an estimated 30X over.
Substantially reduce or eliminate damage from breaches.
Create a dramatically more effective and efficient security team.
Maximize current security infrastructure investment.
Be far more confident that your network is actually secure.
OUR DIFFERENTIATORS:
Understands the truth of what is happening on your network.
Detects advanced attacks that have breached perimeter defenses.
Develops a complete, near real-time understanding of suspicious behaviour.
Develops a battleground understanding of your entire security situation.
Augments current security solutions.
Proven speed, scale and effectiveness on the largest, most attacked networks on earth.
Hacking involves gaining unauthorized access to computer systems or networks. Common hacking techniques discussed in the document include DDoS attacks, sniffing, spoofing, phishing, and brute force/dictionary attacks. DDoS attacks aim to make computer resources unavailable by overloading them. Sniffing involves intercepting network traffic, while spoofing manipulates the source of network packets. Phishing tricks users into providing private information through fraudulent messages. Physical security also plays an important role in protecting against unauthorized access. The document provides an overview of these hacking techniques and security risks.
This document summarizes a presentation about exploiting Android's Binder inter-process communication (IPC) mechanism to conduct malware attacks. It describes how Binder works and how malware authors have increasingly targeted it. Three demonstration attacks are shown: a keylogger that intercepts keyboard inputs via Binder, grabbing sensitive form data that transits between app activities via Binder, and intercepting SMS messages by intercepting Binder calls made by the SMS app to retrieve messages from the telephony manager. The document advocates encrypting sensitive data moving between apps via Binder to help prevent these kinds of attacks.
This presentation was delivered at BSides Augusta in September 2016. The A/V portion is available here: https://www.youtube.com/watch?v=i6p71t9PFWM
Abstract:
"We can all agree that threat ("Evil") detection is an essential component of a functioning security monitoring program. Let's start thinking about how to take our tradecraft to the next level and hunt for insecure conditions ("Ways for Evil to do Evil things") that might allow threat actors to succeed in their mission.
This talk will run through some of the observations gathered during hunting expeditions inside the networks of multiple Fortune-ranked organizations and challenge you to expand your security operations thinking beyond signature-based detection.
- What is Hunting?
- How have we done it?
- What have we found, and what should be done about those findings?
- How might you achieve similar outcomes in your own environment?"
Speakers:
- Jacqueline Stokes (@find_evil) is an infosec enthusiast who picked up hacking as a preteen and cut her teeth over multiple years in Iraq. Her ongoing mission is to assess and advise clients on the most actionable and forward-thinking methods to improve detection, response, and containment of advanced threats. Jackie likes long walks on the beach, 90's nostalgia, and is the president and founding member of the Kevin Mandia Fan Club.
- Danny Akacki (@dakacki) was a Lead Analyst with GE Capital's Applied Intelligence team prior to his employment with Mandiant, and now works for Bank of America's hunt team. He is a pragmatic optimist and believes we are probably screwed, but hopes we aren't. Danny enjoys finding evil on the weekends.
- Stephen Hinck (@stephenhinck) is a Senior Security Analyst at Oracle, Inc. Stephen stumbled into the information security world years ago and has since only managed to dig his way deeper to the rabbit hole. With a background in security operations, incident response and threat hunting, Stephen's experience is multi-faceted. Although he enjoys many things, he absolutely hates writing silly bios like this one.
The document discusses online investigative computer protection processes. It recommends installing firewall and antivirus software, updating browsers, blocking cookies, and configuring the operating system and spyware detection software. It also discusses keeping the investigative computer secure through regular maintenance, encryption of files, cloning or imaging the hard drive, and keeping the system clean.
How to Detect Ransomware and What You Can Do About It - Splunk
Ransomware is no longer just a nuisance aimed at home users; it has developed into a serious threat to companies and government institutions.
In our webinar you can find out more about what exactly ransomware is and how it works. We then show you all of this in a live demo with data from a Windows ransomware infection.
In detail, we show you:
- how to "hunt" ransomware IOCs with Splunk Enterprise
- how to uncover malicious endpoint behaviour
- defence strategies
business model, business model canvas, mission model, mission model canvas, customer development, hacking for defense, H4D, lean launchpad, lean startup, stanford, startup, steve blank, pete newell, bmnt, entrepreneurship, I-Corps, Security, NSIN, NSA, disposable infrastructure, cyber, Joe Felter, DOD
Your adversaries continue to attack and get into companies. You can no longer rely on alerts from point solutions alone to secure your network. To identify and mitigate these advanced threats, analysts must become proactive in identifying not just indicators, but attack patterns and behavior. In this workshop we will walk through a hands-on exercise with a real world attack scenario. The workshop will illustrate how advanced correlations from multiple data sources and machine learning can enhance security analysts capability to detect and quickly mitigate advanced attacks.
This document summarizes the Heartbleed vulnerability that was announced in April 2014. It allowed attackers to read portions of a server's memory and extract private keys and user cookies. The vulnerability was in OpenSSL and affected many major companies. It was possible due to a buffer over-read in the OpenSSL implementation of the TLS Heartbeat Extension. While initially many were vulnerable, within a month most major sites and services had patched the vulnerability. The event highlighted issues with OpenSSL's code quality and maintenance and increased funding to address these issues. It also demonstrated the need for rapid patching of 0-day vulnerabilities and the importance of defense in depth strategies.
This document discusses SCADA honeypots, which are devices or systems placed on a network with no operational purpose in order to detect attacks. Honeypots can detect attacks since anything accessing them is suspicious as they have no legitimate use. While some debate their effectiveness, honeypots can provide valuable information by allowing researchers to learn how attackers work when they interact with the honeypot. The level of interaction and visibility of the honeypot must be considered to balance obtaining useful data with security risks.
Hunting Attackers with Network Audit TrailsLancope, Inc.
Sophisticated, targeted attacks have become increasing difficult to detect and analyze. Attackers can employ 0-day vulnerabilities and exploit obfuscation techniques to evade detection systems and “fly under the radar” for long periods of time.
Gartner estimates 85% of breaches go completely undetected and 92% of the detected breaches are reported by third parties. New strategies for identifying network attack activity are necessary.
Learn how network logging technologies such as NetFlow and IPFIX can be applied to the problem of detecting sophisticated, targeted attacks and used to create an audit trail of network activity that can be analyzed, both automatically and by skilled investigators, to uncover anomalous traffic.
Lancope will demonstrate how to these records can be used to:
Discover active attacks in each phase of the attacker’s “kill chain.”
Determine the scope of successful breaches and document the timeline of the attacks
The document discusses threat modeling and provides an overview of the threat modeling process. It describes documenting assets and entry points, identifying threats using techniques like STRIDE and attack trees, assessing risk with DREAD, and resolving threats by mitigating them in stages from quick reductions to complete mitigation. An example threat of an insider attack on a database is analyzed in detail. The document concludes by recommending starting with the OWASP Top 10, incorporating threat modeling into the SDLC, and improving skills through resources like books and games.
This document summarizes Joseph Barnes' presentation on how the University of Illinois at Urbana-Champaign uses Splunk Enterprise to manage security. It describes Barnes' role overseeing privacy and security, and how the university was previously managing logs in a built syslog environment that was difficult to search. The presentation highlights use cases for Splunk in account compromise response, copyright infringement investigations, phishing campaigns detection, and assisting local police. It concludes that Splunk provides valuable insight, makes security management easier, and can empower more teams when used correctly.
SplunkLive! Philadelphia - University of ScrantonSplunk
The University of Scranton uses Splunk for centralized log collection and correlation of data from key systems like firewalls, networking equipment, and intrusion detection systems. Splunk allows the security team to quickly connect information from different data sources to investigate issues like copyright infringement. The university has created various security and network operations dashboards and automated searches in Splunk. Going forward, they plan to expand use of Splunk for additional security monitoring, analytics of web server logs, and institutional research.
Burning Down the Haystack to Find the Needle: Security Analytics in ActionJosh Sokol
This document discusses security analytics and how analyzing data from multiple security tools can provide greater visibility into threats. It introduces Josh Sokol and Walter Johnson who will discuss how security tools often work in silos and how an ecosystem where they can share data can help answer questions like whether a system is under attack. Network flow data is described as important "glue" that can tie events together to illustrate attack progressions.
This document outlines an agenda for a presentation on threat hunting with Splunk. The presentation will cover threat hunting basics, data sources for threat hunting, using Sysmon endpoint data, the cyber kill chain framework, and walking through an attack scenario using Splunk. It will also discuss advanced threat hunting techniques, applying machine learning and data science to security, and provide log in credentials for a hands-on demo environment.
Extending Network Visibility: Down to the EndpointLancope, Inc.
In today’s world of constantly evolving security threats and attack vectors, organizations need to be vigilant about monitoring their network infrastructure. The network perimeter and security infrastructure is often challenged with the adoption of mobile devices, cloud, and BYOD policies. The need for visibility into endpoint activity has become more important than ever.
Join Josh Applebaum (Ziften), Matthew Frederickson, (Council Rock School District) and Peter Johnson (Lancope) for a complimentary webinar to learn how you can achieve real-time network visibility and intelligence for improved incident response.
Discover how you can:
- Achieve additional visibility and context to network activity
- Enhance your existing security investments (NetFlow, Firewall, SIEM, threat intelligence)
- Improve incident response by obtaining real-time and historical endpoint data
Combating Insider Threats – Protecting Your Agency from the Inside Out (Lancope, Inc.)
When Edward Snowden leaked classified information to the mainstream media, it brought the dangers posed by insider threats to the forefront of public consciousness, and not without reason. Today’s agencies are drowning in fears surrounding sophisticated cyber-attacks, but perhaps the most concerning type of attack out there is the insider threat. According to Forrester, abuse by malicious insiders makes up 25% of data breaches. Learn about the best practices and technologies you should be implementing now to avoid becoming the next victim of a high-profile attack.
- Become aware of the different types of insider threats, including their motives and methods of attack
- Understand why conventional security tools like firewalls, antivirus and IDS/IPS are powerless in the face of the insider threat
- Gain clarity on the various technologies, policies and best practices that should be put in place to help detect and thwart insider threats
- Discover how network logs, particularly NetFlow, can be used to cost-effectively monitor for suspicious insider behaviors that could indicate an attack
- Know about emerging attack methods such as muleware that could further escalate insider threats in the coming years
This document provides an overview and agenda for a presentation about Industrial Control System (ICS) security. It discusses how ICS devices have notoriously insecure software and protocols, and how they are increasingly being connected to the internet, exposing them to attacks. It describes a real-world example of an attack on a small town's water pressure system. The presentation details findings from running ICS honeypots that were targeted by attackers, including countries of origin and types of attacks. It provides a profile of one attacker and recommendations for improving ICS security.
Despite billions spent on enterprise cyber security, breaches from advanced attacks, costing millions, are occurring on a daily basis.
Our Solution: Complete Near Real-time Network Security Visibility and Awareness: If security analysts could see everything occurring on their network in real-time, breaches would occur but there would never be catastrophic damage – breach reaction would be almost instantaneous. Novetta Cyber Analytics is a linchpin enterprise security solution that enables security analysts, for the first time, to see a complete, near real-time, uncorrupted picture of their entire network. Security analysts then ask and receive answers to subtle questions – at the speed of thought – to enable detection, triage and response to breaches as they occur.
The Benefits: Increase events-responded-to an estimated 30X over.
Substantially reduce or eliminate damage from breaches.
Create a dramatically more effective and efficient security team.
Maximize current security infrastructure investment.
Be far more confident that your network is actually secure.
OUR DIFFERENTIATORS:
Understands the truth of what is happening on your network.
Detects advanced attacks that have breached perimeter defenses.
Develops a complete, near real-time understanding of suspicious behaviour.
Develops a battleground understanding of your entire security situation.
Augments current security solutions.
Proven speed, scale and effectiveness on the largest, most attacked networks on earth.
Hacking involves gaining unauthorized access to computer systems or networks. Common hacking techniques discussed in the document include DDoS attacks, sniffing, spoofing, phishing, and brute force/dictionary attacks. DDoS attacks aim to make computer resources unavailable by overloading them. Sniffing involves intercepting network traffic, while spoofing manipulates the source of network packets. Phishing tricks users into providing private information through fraudulent messages. Physical security also plays an important role in protecting against unauthorized access. The document provides an overview of these hacking techniques and security risks.
This document summarizes a presentation about exploiting Android's Binder inter-process communication (IPC) mechanism to conduct malware attacks. It describes how Binder works and how malware authors have increasingly targeted it. Three demonstration attacks are shown: a keylogger that intercepts keyboard inputs via Binder, grabbing sensitive form data that transits between app activities via Binder, and intercepting SMS messages by intercepting Binder calls made by the SMS app to retrieve messages from the telephony manager. The document advocates encrypting sensitive data moving between apps via Binder to help prevent these kinds of attacks.
This presentation was delivered at BSides Augusta in September 2016. The A/V portion is available here: https://www.youtube.com/watch?v=i6p71t9PFWM
Abstract:
"We can all agree that threat ("Evil") detection is an essential component of a functioning security monitoring program. Let's start thinking about how to take our tradecraft to the next level and hunt for insecure conditions ("Ways for Evil to do Evil things") that might allow threat actors to succeed in their mission.
This talk will run through some of the observations gathered during hunting expeditions inside the networks of multiple Fortune-ranked organizations and challenge you to expand your security operations thinking beyond signature-based detection.
- What is Hunting?
- How have we done it?
- What have we found, and what should be done about those findings?
- How might you achieve similar outcomes in your own environment?"
Speakers:
- Jacqueline Stokes (@find_evil) is an infosec enthusiast who picked up hacking as a preteen and cut her teeth over multiple years in Iraq. Her ongoing mission is to assess and advise clients on the most actionable and forward-thinking methods to improve detection, response, and containment of advanced threats. Jackie likes long walks on the beach, 90's nostalgia, and is the president and founding member of the Kevin Mandia Fan Club.
- Danny Akacki (@dakacki) was a Lead Analyst with GE Capitals' Applied Intelligence team prior to his employment with Mandiant, and now works for Bank of America's hunt team. He is a pragmatic optimist and believes we are probably screwed, but hopes we aren't. Danny enjoys finding evil on the weekends.
- Stephen Hinck (@stephenhinck) is a Senior Security Analyst at Oracle, Inc. Stephen stumbled into the information security world years ago and has since only managed to dig his way deeper to the rabbit hole. With a background in security operations, incident response and threat hunting, Stephen's experience is multi-faceted. Although he enjoys many things, he absolutely hates writing silly bios like this one.
The document discusses online investigative computer protection processes. It recommends installing firewall and antivirus software, updating browsers, blocking cookies, and configuring the operating system and spyware detection software. It also discusses keeping the investigative computer secure through regular maintenance, encryption of files, cloning or imaging the hard drive, and keeping the system clean.
How to track down ransomware and what you can do about it (Splunk)
Ransomware is no longer just a nuisance aimed at home users; it has developed into a serious threat to businesses and government institutions.
In our webinar you can find out more about what ransomware actually is and how it works. Afterwards we will show you the whole thing in a live demo with data from a Windows ransomware infection.
In detail, we will show you:
- how to "hunt" ransomware IOCs with Splunk Enterprise
- how to uncover malicious endpoint behaviour
- defence strategies
The document provides an overview of security testing and hacking. It discusses the basics of vulnerability testing, different methodologies like network testing and web application testing. It outlines three main types of security tests: audits, assessments, and penetration tests. It discusses the importance of having permission and ethics when conducting security work. The document also provides a brief history of hacking and how the techniques have evolved over time as external vulnerabilities have been addressed.
SplunkLive! Stockholm 2015 breakout - Analytics based security (Splunk)
This document discusses how Splunk can be used for security analytics and threat detection. It describes how Splunk allows organizations to centrally gather and correlate security-related data from various sources like networks, endpoints, applications and threat intelligence feeds. This enables use cases like monitoring for known threats, detecting unknown threats, incident investigation and user behavior analytics. Advanced techniques like machine learning and user/entity behavior analytics are also discussed to help identify anomalous activity that could indicate security incidents or threats.
Security is a major concern for organizations and individuals as information has become more valuable. The need for security has existed since information first became important. While firewalls and antivirus software provide some protection, they do not make an organization fully secure. Security involves processes for prevention, detection, reaction, and forensics. It is difficult to implement security perfectly due to costs, user resistance, evolving threats, and time/budget constraints for security teams. Hackers use various techniques like information gathering, password cracking, viruses, denial of service attacks, sniffing, and system exploits to compromise targets. Organizations implement defenses like firewalls, intrusion detection, honeypots, anti-sniffing measures, antivirus software, security awareness
Praesidio CTO, Sean Cassidy presented at FinDEVr New York 2016 on role-based behavior analytics, using patterns and anomalies in user behavior as indicators of attack. View his slides from the presentation here.
Overview:
It is easy for attackers to beat traditional security measures: antivirus, firewalls, and intrusion detection systems. This is because those methods are akin to blacklisting known bad behavior, so attackers need only modify their behavior slightly to avoid the blacklist. Anomaly detection, instead, models normal user behavior and alerts when attackers deviate from it, without any human specifying what normal behavior is.
So what is anomaly detection, how does it work, and how can you apply it to your network?
Splunk for Security: Background & Customer Case Study (Andrew Gerber)
Presented at SplunkLive! Denver on August 4, 2015; provides background on the Splunk value proposition for security use cases based on actual experience, a walkthrough of a Splunk engagement at a major national healthcare customer, and examples of three use cases that provided actionable value beyond what was possible with the previous SIEM solution.
FireSIGHT Management Center (FMC) slides (Amy Gerrie)
The FireSIGHT Management Center (FMC) provides concise summaries of security events by leveraging extensive network, endpoint, application and threat intelligence data. It improves security operations by reducing the number of tools needed to understand events, shortening the time to scoping and containment. The FMC also automates the correlation of critical events to identify indicators of compromise and focus security teams on remediation.
Weaknesses in authentication and encryption across many systems allowed significant security flaws to emerge in 2008, including issues with DNS, SSL, and SNMPv3. These flaws occurred because critical systems like DNS, which underlie authentication in many other areas, cannot reliably authenticate responses. Fixing these problems was challenging due to dependencies between systems and the complexity of coordinating updates. The speaker argues that securing DNS could help address authentication issues in linked systems by providing a secure, scalable place to publish cryptographic keys and other authentication data.
SplunkLive! Amsterdam 2015 - Analytics based security breakout (Splunk)
Splunk products provide a flexible and fast security intelligence platform that makes security personnel and processes more efficient by providing quick and flexible access to all of the data and information needed to detect, investigate and remediate threats. This presentation will discuss best practices for building out or enhancing an analytics based security strategy and how Splunk products can make people, process, and technology work better together.
Designing an Incident Response Plan is difficult. On one hand, you have the extremely detailed "Best Practices" while on the other hand you have real world resource constraints.
This document summarizes three major security events that have been in the news over the last 12 months: the Heartbleed vulnerability, large-scale data breaches like the Target breach, and revelations about the NSA from documents leaked by Edward Snowden. For each event, key details are provided about what happened and potential implications for CIOs and companies. Perspective and best practices around data security, insider threats, and legal/policy issues are also discussed.
The latest massive IoT DDoS attack from the Mirai botnet, which took major websites like Twitter and Reddit offline for hours, has already gained notoriety as one of the worst DDoS strikes in history.
In this webinar Manish Rai & Ty Powers of Great Bay Software will help you understand exactly how the enterprise IoT landscape is changing, and what it means for the assumptions organizations have been making in regards to safeguarding against IoT cyberattacks. You will:
- Gain insights into how the recent IoT-based DDoS attacks were launched
- Learn how similar attacks could be launched inside enterprise networks
- Learn how to safeguard against IoT device compromises
- Learn how to reduce your risk (whose job is it anyway?)
- Learn about what your peers are doing for IoT device security, with relevant findings from the 2016 Great Bay Software IoT Security Survey
Watch this on-demand webinar with this link: https://go.greatbaysoftware.com/owb-safeguarding-against-iot-ddos-attacks
Top 3 MAC Spoofing Challenges You Cannot Afford to Ignore (Great Bay Software)
This document discusses the increasing challenges of MAC spoofing and data breaches. It outlines three main challenges: lack of visibility into devices on the network, the growing number of non-traditional Internet of Things devices, and the risk of trusting devices based only on MAC address. A network monitoring solution called Beacon is presented as able to provide comprehensive visibility of all devices, important contextual information, and scalability to address these challenges posed by MAC spoofing and the evolving network landscape.
SCADA Security: The Five Stages of Cyber Grief (Lancope, Inc.)
Every time a new information technology finds its way into production, it seems as though we end up repeating the same process – security vulnerabilities will be discovered and disclosed in that technology, and users and vendors will deny that the risks are significant. Only after major attacks occur do we really start to see efforts to address the inherent risks in a systematic way.
We’re falling into this exact same trap again with Industrial Control and SCADA systems, but in this case the problem is worse, because the inherent nature of control systems prevents us from applying many of the strategies that have been used to protect other kinds of computer networks.
Join Lancope’s Director of Security Research, Tom Cross, for a look at the five stages of grief that organizations seem to pass through as they come to terms with security risks, and how far we’ve come regarding Industrial Control Systems.
Hear about:
- The state of Control Systems security vulnerabilities
- Attack activity that is prompting a change in perspective
- The unique, long-term challenges associated with protecting SCADA networks
- How anomaly detection can play a key role in protecting SCADA systems now
The document discusses various security issues related to using the internet and networking. It introduces basic security concepts like confidentiality, integrity and availability. It then examines specific problems such as hijacked web servers, denial of service attacks, unsolicited commercial email, operator errors and natural disasters. It also defines and explains security terms like probes, scans, packet sniffers and malicious code. The overall document provides a high-level overview of internet security risks and challenges.
They can strike anywhere and at any time. Their effects can range from the annoying to the downright disastrous. Users fear them; IT departments dread them. They can create chaos, causing downtime, latency, loss of productivity, increased costs, loss of revenue, unhappy users and, worst of all, dissatisfied customers. Many noble men and women battle these network problems every day – increasing bandwidth, implementing new monitoring systems, even hiring more employees. But more often than not, they treat the symptoms without ever truly knowing the root cause of the problem. That’s where our hero comes into the story…
This document discusses how Splunk has helped the University of Maryland improve security visibility and incident response. It provides an overview of the speaker and UMD, challenges they previously faced with scattered logs and limited visibility, and how Splunk has provided faster search capabilities and the ability to correlate data from multiple sources. Use cases described how Splunk has helped with real-world incident investigations, security alerts and threat response, breach detection, and compliance reporting. Best practices and lessons learned are also shared.
3. Under the microscope: a well known example
Tim Gjelten of NPR reports that he simply downloaded [the documents] off the company’s internal Top Secret net: According to the officials, the documents Snowden leaked — the memoranda, PowerPoint slides, agency reports, court orders and opinions — had all been stored in a file-sharing location on the NSA’s intranet site. The documents were put there so NSA analysts and officials could read them online and discuss them. Snowden, because he had TS clearance, had access to this net. Not only that, but his job description provided him cover to be the one moving documents around on that net. “It’s kind of brilliant, if you’re him,” an official said to Gjelten. “His job was to do what he did. He wasn’t a ghost. He wasn’t that clever. He did his job. He was observed [moving documents], but it was his job.”
Strangely these comments are in direct contrast with the previous NSA narrative, which painted Snowden as a brilliant cyber tactician who masked his movements on the net — leaving officials clueless as to what he took. “If they can’t tell what Snowden took so many months later, they don’t have very good auditability at all,” writes Mike Masnick. “Furthermore, this raises serious questions about the NSA’s data management capabilities.”
5. Some inconvenient questions
• How do you detect if one of your employees copies all the documents from your file server to his PC at home?
– He transfers them directly from your network via FTP
– He copies them from the file server to a USB disk connected to his PC
• How do you detect privileged users abusing encrypted channels (SSH, VPNs) for malicious activities?
• Does your firewall / IPS / IDS / Anti-Malware know what time it is?
6. Inconvenient answers
• How do you detect you have been compromised?
• Sometimes, you just don’t.
• Traditional security solutions are still necessary, but do not scale
– Antivirus
– End-point agents
– Network Access Control
• Behaviour anomaly detection is key.
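The questions on slides 5 and 6 (a bulk copy from the file server, a device that knows what time it is, behaviour instead of signatures) can be answered from a baseline learned over flow records. The following is an added example, not code from the deck or from Arbor; the flow line format, the hosts (10.0.0.5, 10.0.1.20, 10.0.1.77) and the thresholds are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record; the fields and format are constructed for this example."""
    ts: datetime
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flows(text):
    """Parse constructed 'ISO-timestamp,src,dst,dport,bytes' lines into Flow records."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows


def build_baseline(flows):
    """Learn, per (src, dst) pair: byte-size mean/stdev, hours of day seen, destination ports used."""
    sizes, hours, ports = defaultdict(list), defaultdict(set), defaultdict(set)
    for f in flows:
        key = (f.src, f.dst)
        sizes[key].append(f.nbytes)
        hours[key].add(f.ts.hour)
        ports[key].add(f.dport)
    return {k: {"mean": mean(v), "stdev": pstdev(v), "hours": hours[k], "ports": ports[k]}
            for k, v in sizes.items()}


def score_flows(flows, baseline, z=3.0, min_ratio=10.0):
    """Return [(flow, reasons)] for flows that deviate from the learned baseline.

    Detectors (signature-free, purely behavioural):
      volume    - bytes above mean + z*stdev (x10 floor when the baseline has no spread),
                  e.g. the whole share pulled in one session
      off_hours - the pair has never been active at this hour of day
      new_port  - the pair has never used this service (e.g. FTP where only SMB was seen)
      new_pair  - this source has never talked to this destination at all
    """
    alerts = []
    for f in flows:
        b = baseline.get((f.src, f.dst))
        if b is None:
            alerts.append((f, ("new_pair",)))
            continue
        limit = b["mean"] + z * b["stdev"] if b["stdev"] > 0 else min_ratio * b["mean"]
        reasons = []
        if f.nbytes > limit:
            reasons.append("volume")
        if f.ts.hour not in b["hours"]:
            reasons.append("off_hours")
        if f.dport not in b["ports"]:
            reasons.append("new_port")
        if reasons:
            alerts.append((f, tuple(reasons)))
    return alerts


# Constructed training window: workstation 10.0.1.20 reads a few MB at a time from
# file server 10.0.0.5 over SMB (445) during working hours.
BASELINE_FLOWS = """
2015-03-02T09:15:00,10.0.1.20,10.0.0.5,445,1200000
2015-03-02T11:40:00,10.0.1.20,10.0.0.5,445,2500000
2015-03-03T10:05:00,10.0.1.20,10.0.0.5,445,3100000
2015-03-03T14:30:00,10.0.1.20,10.0.0.5,445,1800000
2015-03-04T09:50:00,10.0.1.20,10.0.0.5,445,4000000
2015-03-04T16:10:00,10.0.1.20,10.0.0.5,445,2200000
2015-03-05T13:25:00,10.0.1.20,10.0.0.5,445,2900000
2015-03-05T15:45:00,10.0.1.20,10.0.0.5,445,3600000
"""

# Constructed observation window: one normal read, one 800 MB FTP pull at 02:30, one unknown host.
OBSERVED_FLOWS = """
2015-03-09T14:00:00,10.0.1.20,10.0.0.5,445,3000000
2015-03-10T02:30:00,10.0.1.20,10.0.0.5,21,800000000
2015-03-10T10:00:00,10.0.1.77,10.0.0.5,445,500000
"""


def run_example():
    """Train on the baseline window and score the observation window."""
    baseline = build_baseline(parse_flows(BASELINE_FLOWS))
    return score_flows(parse_flows(OBSERVED_FLOWS), baseline)


if __name__ == "__main__":
    for flow, reasons in run_example():
        print(f"{flow.ts} {flow.src}->{flow.dst}:{flow.dport} {flow.nbytes} bytes  {', '.join(reasons)}")
```

The same per-pair baseline also works for the USB case if the records come from an endpoint agent instead of NetFlow: the detectors only need a source, a destination, a size and a timestamp.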
7. More inconvenient questions
• As I said, sometimes, you just don’t realize you have been compromised until it’s too late.
• What is your incident response strategy?
• How do you trace back the cause of the compromise?
• How do you understand when and how the attack initially happened?
• APT:
– Advanced = smart
– Persistent = long-lasting
9. So you want to have a 200TB .pcap...
• You need packet capture infrastructure
• You need storage
• You need to be able to apply today’s knowledge to last year’s traffic
• You need power and intelligence
11. A view from 30000 meters high
• We all know what a DDoS attack is, right?
• digitalattackmap.com from Google Ideas
12. A real world case
• Online gaming community
– 3 million registered users, 30.000 simultaneous players online
– Free platform with premium paying subscriptions
– Repeatedly attacked at peak time (Saturday evening), causing player disconnections, lost points, complaints, troubleshooting time, etc.
13. The damage and the first reactions
• Attacks continued for weeks
• Dropped from 3 to 2 million subscribers
• Increased ISP bandwidth from 20Mbps to 100Mbps
• Tried deploying firewalls, IPS
• No success
• Customers were moving to the competition, website risked being shut down for good.
14. Enter Arbor
• The customer contacted us
• Our reseller got in touch with the customer’s ISP
• Installed trial
• Visibility and basic protection achieved.
17. Volumetric attacks
• Fine tuning of customer premise equipment blocked all attacks;
• Attackers escalated in size: 100Mbps bandwidth congested in minutes.
• Need for upstream protection.
18. Cloud signaling
[Diagram: The Internet, Upstream Provider, Local Provider, Customer Premises mitigation, ISP-based mitigation, Attackers]
19. Cloud signaling
[Diagram: The Internet, Upstream Provider, Local Provider, Customer Premises mitigation, ISP-based mitigation, Attackers, Cloud Signaling Request]
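The escalation on slides 17 to 19 (local mitigation first, then a cloud signaling request once the 100 Mbps uplink congests) can be modelled as a debounced threshold policy at the customer edge. This is an added illustration, not Arbor's Cloud Signaling implementation; the trigger and release ratios, the per-tick sampling, the "upstream dropped" feedback and the attack profile are my modelling assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class CloudSignalingPolicy:
    """Assumed edge policy (not Arbor's protocol): when to ask the ISP for upstream mitigation."""
    link_capacity_mbps: float = 100.0   # the case study's uplink after the upgrade
    trigger_ratio: float = 0.8          # request upstream help at >= 80 % of link capacity...
    release_ratio: float = 0.5          # ...release once the link is <= 50 % loaded again
    sustain_samples: int = 3            # ...when sustained over 3 consecutive samples (debounce)
    quiet_dropped_mbps: float = 1.0     # upstream must report (almost) nothing dropped before release


@dataclass
class EdgeSignaler:
    """Customer-premises decision loop. CPE mitigation handles what fits in the pipe; traffic
    that congests the uplink can only be stopped upstream, so the edge signals the ISP."""
    policy: CloudSignalingPolicy
    active: bool = False
    above: int = 0
    quiet: int = 0
    events: list = field(default_factory=list)

    def observe(self, t, inbound_mbps, upstream_dropped_mbps=0.0):
        """Feed one uplink sample plus the ISP's report of what it is currently scrubbing.
        Release waits for the upstream to report nothing dropped, otherwise a scrubbed link
        would look healthy and the edge would flap between request and release."""
        p = self.policy
        quiet_now = (inbound_mbps <= p.release_ratio * p.link_capacity_mbps
                     and upstream_dropped_mbps < p.quiet_dropped_mbps)
        if inbound_mbps >= p.trigger_ratio * p.link_capacity_mbps:
            self.above, self.quiet = self.above + 1, 0
        elif quiet_now:
            self.above, self.quiet = 0, self.quiet + 1
        else:
            self.above, self.quiet = 0, 0
        if not self.active and self.above >= p.sustain_samples:
            self.active = True
            self.events.append((t, "cloud_signaling_request"))
        elif self.active and self.quiet >= p.sustain_samples:
            self.active = False
            self.events.append((t, "cloud_signaling_release"))
        return self.active


def simulate(attack_profile_mbps, legit_mbps=20.0, scrub_fraction=0.9, policy=None):
    """Constructed scenario: steady legitimate traffic plus an attack ramp, one sample per tick.
    While upstream mitigation is active the ISP scrubbing drops scrub_fraction of the attack
    before it reaches the customer link; the link itself saturates at its capacity.
    Returns (signaling events, inbound Mbps actually seen on the link per tick)."""
    edge = EdgeSignaler(policy or CloudSignalingPolicy())
    seen = []
    for t, attack in enumerate(attack_profile_mbps):
        dropped = attack * scrub_fraction if edge.active else 0.0
        offered = legit_mbps + (attack - dropped)
        on_link = min(offered, edge.policy.link_capacity_mbps)
        edge.observe(t, on_link, dropped)
        seen.append(on_link)
    return edge.events, seen


# Constructed attack profile in Mbps per tick: ramp, 300 Mbps plateau (3x the uplink), then stop.
ATTACK_PROFILE = [0, 0, 30, 70, 100, 300, 300, 300, 300, 300, 300, 50, 0, 0, 0, 0]


if __name__ == "__main__":
    events, seen = simulate(ATTACK_PROFILE)
    for t, on_link in enumerate(seen):
        print(f"t={t:2d} link={on_link:6.1f} Mbps")
    print(events)
```

In the constructed run the link pins at 100 Mbps for two ticks before the request goes out, then drops to 50 Mbps once the ISP scrubs, and the release only happens after the upstream reports nothing left to drop.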
25. Stop attacks at the right place: build your arsenal
A microscope, to see the tiny details.
A moviola, to replay what happened.
Behavior analysis to detect anomalies.
Inspection... at different levels, to get the complete picture.
26. ...and most of all...
Build a team of experts with the right mix of skills.