44CON 2013 - Surviving the 0-day - Reducing the Window of Exposure - Andreas Lindh

•Transferir como PPTX, PDF•

1 gostou•687 visualizações

According to the NIST National Vulnerability Database, 1772 software vulnerabilities with a CVSS score of 7 or higher were disclosed in 2012, and 2013 is so far (at the time of writing) not looking any better. A lot of times the window of exposure - from when a vulnerability is discovered to when a patch has been deployed - is very long. In a corporate environment, it’s not unusual to rely solely on patch management and semi-static security tools such as firewalls, IPS and antivirus for protection, and because of various reasons patch deployment might take a long time or may not even be possible. This talk will discuss why patch management is insufficient for protection against new vulnerabilities, how the traditional “defense in depth” model needs to be re-architected, and finally how the window of exposure can be reduced by active response before incidents occur.

Tecnologia

Surviving 0-days
reducing the window of exposure
Andreas Lindh, 44Con 2013

About me
• Security analyst/architect

• Defender by day
• @addelindh on Twitter

The window of exposure

Unknown

Out of our control

Discovery

Disclosure

In our control

Patch available

Patch deployed

Common protection
• Patching

• Virtual patching
• Uninstall

What if you can’t patch?
• Legacy systems

• 3rd party systems
• Insufficient tools

HD Moore’s law

Unknown

Out of our control

Discovery

Disclosure

In our control

Patch available

Patch deployed

"Put another way, n people want to fix
security holes, 10n people want to exploit
security holes, and 100000n want Tetris.”
(Dan Kaminsky)

Root cause
• Over-reliance on patching

• Network-centric defense
architecture
• All about prevention

Things to consider
• Exposure

• Attack likelihood
• History
• Patch status

Approach
• Prevention
• Mitigation
• ( Detection)

Focus
• Proactive

• Inside -> out
• Onion style
• Reusable (ideally)

An example
Software
restriction
policy

OS security
features
Sandbox

Intermediary
channels

Software

User
permissions
Endpoint protection

IPS

Pros and cons
• Pros
– Improved security baseline
– Reduced impact
– Pro-active

• Cons
– Generic

– Added complexity

Focus
• Specific vulnerability

• Fast implementation
• Input to #1

Pros and cons
• Pros
– Timely mitigation
– Focused approach
– Compliments #1

• Cons
– Limited time

– Reactive

Wrapping it up
• Patching takes time

• Can’t patch the unknown
• Traditional controls are
often insufficient

Mais conteúdo relacionado

Mais procurados

The modern web-scale network is a pretty complicated place. Modern techniques in Systems Management have made it trivial to create, destroy and repurpose any number of instance types. These instances can span the range from bare metal machines sitting in a datacenter, to 3rd party virtual machines on demand, and now these new containers and microservices seem to be all the rage. Instances are cattle, they are no longer pets. All of this perpetual churn and flexibility is exactly what you want in a constantly changing, highly available, and efficient infrastructure. The ability to create or destroy nodes on demand, or continuously and automatically scale up, down, and re-deploy applications as part of a continuous integration pipeline, have become necessary and an integral part of daily operations. However these systems can generate terabytes of network logs a day. And if your job is detecting, correlating, and alerting on the correct anomaly in all that data, the analogy of the needle in the haystack really doesn’t do it justice, something closer would be akin to finding a needle in the windstorm. How do you begin to collect, store, analyze, and alert on this much data without costing the company a small fortune? What are some practical steps you can take to reduce your overall risk and begin to gain more insight, visibility, and confidence into what is actually taking place on your network? This talk aims to give the attendee a solid understanding of the problem space, as well as recommendations and practical advice from someone who built their own ‘big data’ network and security monitor. It really is easier than it sounds.

Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...

CODE BLUE

OpenDNS presenter pack

Kim Jensen

Red team Engagement

Indranil Banerjee

Developing Software with Security in Mind

sblom

It is well known that computer exploitation will continue to increase in prevalence and sophistication. Computer network attacks and data exfiltrations are most successful when the methods of exploitation traverse the entry and egress vectors that are least expected and least defended in your network. Most of the time, no matter how well your perimeter is guarded, the user still represents the weakest avenue into that network. A clear need exists to better protect data transmitted and received by the user. But what are we to do when signature-based detection has long been defeated and anomaly/heuristic-based detection is not yet where we need it to be? The solution lies in enhancing the defense paradigm via the incorporation of intelligence-based security (Threat Intelligence) in the analysis of threats and discovery of malicious activity affecting your network, data, and your protected clients.

Incorporating Threat Intelligence into Your Enterprise Communications Systems...

EC-Council

Getting Started in Information Security

Dennis Maldonado

Hacking

NarendraGadde2

TakeDownCon Rocket City: Technology Deathmatch, The arms race is on by Sean B...

EC-Council

Katherine Fithen has been a leader in information security for more than 20 years. She retired as the Chief Privacy Officer and Director of Governance & Compliance at The Coca-Cola Company in July 2017. Prior to joining The Coca-Cola Company in 2002, Katherine was the Senior Manager of the CSIRT Program at PricewaterhouseCoopers, LLP, and prior to pwc, the Manager of the CERT®. Katherine has earned a Bachelor of Arts in Retail Management, a Master of Arts in Personnel Management, and a Master of Science in Information Science. Katherine is on several advisory boards for privacy and security. In August 2015, Katherine was listed as one of “Women in IT Security: 10 Power Players”

Global CISO Forum 2017: Privacy Partnership

EC-Council

Presented at Diana Initiative, Queercon 16, and DEFCON 27 Recon Village 8/9-10, 2019. When we think of the process for attacking an organization, OSINT comes to the front and center of our minds. This presentation takes a presenter with experience in applying OSINT to effective penetration testing and social engineering and reverse engineers the process to determine what steps can be taken to further complicate their efforts. This is a presentation that talks about online deception, decoy accounts, canary data, encryption, maintaining one’s social media in a secure manner, and protecting one’s identity as much as possible. While nothing is absolute, this is a presentation that will leave attendees more aware of techniques to make it harder for attackers to collect accurate OSINT, either by removal or deception.

DECEPTICONv2

👀 Joe Gray

ShadyRAT: Anatomy of targeted attack

Vladyslav Radetsky

2014: Mid-Year Threat Review

ESET

Slides from @jorgeorchilles and @brysonbort talk at Blackhat 2020 - Arsenal covering the C2 Matrix. Website: https://thec2matrix.com Blackhat: https://www.blackhat.com/us-20/arsenal/schedule/#c-matrix-comparison-of-command-and-control-frameworks-20768 Video: https://youtu.be/2i9KjHCR6ik Command and Control is one of the most important tactics in the MITRE ATT&CK matrix as it allows the attacker to interact with the target system and realize their objectives. Organizations leverage Cyber Threat Intelligence to understand their threat model and adversaries that have the intent, opportunity, and capability to attack. Red Team, Blue Team, and virtual Purple Teams work together to understand the adversary Tactics, Techniques, and Procedures to perform adversary emulations and improve detective and preventive controls. The C2 Matrix was created to aggregate all the Command and Control frameworks publicly available (open-source and commercial) in a single resource to assist teams in testing their own controls through adversary emulations (Red Team or Purple Team Exercises). Phase 1 lists all the Command and Control features such as the coding language used, channels (HTTP, TCP, DNS, SMB, etc.), agents, key exchange, and other operational security features and capabilities. This allows more efficient decisions making when called upon to emulate and adversary TTPs. It is the golden age of Command and Control (C2) frameworks. Learn how these C2 frameworks work and start testing against your organization to improve detective and preventive controls. The C2 Matrix currently has 41 command and control frameworks documented in a Google Sheet, web site, and questionnaire format.

Blackhat 2020 Arsenal - C2 Matrix

Jorge Orchilles

Honeypots for proactively detecting security incidents

APNIC

Blackhat USA Mobile Security Panel 2011

Tyler Shields

Security Architecture

Phil Huggins FBCS CITP

Watering Hole Attacks: Detect End-User Compromise Before the Damage is Done

AlienVault

One of the main reasons information security is so hard to achieve today is that IT itself is changing so rapidly. Cloud computing places security in the hands of a third-party service provider. Mobile technology, meanwhile, places security in the hands of the end user. And the emergence of intelligent, Internet-connected, non-computer devices -- the Internet of Things -- represents an entirely new set of security challenges. In this slide deck, you'll learn how IT organizations can build a security strategy that works when so much of the computing environment is outside their span of control. She will also touch upon how security departments can implement technologies and practices that will work in both today's IT environment and tomorrow's dynamic, multi-dimensional computing world.

Preparing a Next Generation IT Strategy

Bishop Fox

Worst-Case Scenario: Being Detected without Knowing You are Detected

Ashwini Almad

Fun with Application Security

Bruce Abernethy

Mais procurados (20)

Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...

OpenDNS presenter pack

Red team Engagement

Developing Software with Security in Mind

Incorporating Threat Intelligence into Your Enterprise Communications Systems...

Getting Started in Information Security

Hacking

TakeDownCon Rocket City: Technology Deathmatch, The arms race is on by Sean B...

Global CISO Forum 2017: Privacy Partnership

DECEPTICONv2

ShadyRAT: Anatomy of targeted attack

2014: Mid-Year Threat Review

Blackhat 2020 Arsenal - C2 Matrix

Honeypots for proactively detecting security incidents

Blackhat USA Mobile Security Panel 2011

Security Architecture

Watering Hole Attacks: Detect End-User Compromise Before the Damage is Done

Preparing a Next Generation IT Strategy

Worst-Case Scenario: Being Detected without Knowing You are Detected

Fun with Application Security

Semelhante a 44CON 2013 - Surviving the 0-day - Reducing the Window of Exposure - Andreas Lindh

Despite changing threats and the near certainty of compromise, most IT security programs are much the same as they were a decade ago. How have attacker motivations and tactics changed, and why? What does this mean for IT security departments, and how must they adapt? This webinar will detail the security challenges organizations face today, the implications of changes in attacker tactics and motivations, and what firms can do to better align their security program with today's reality. Our featured speakers for this webinar will be: - Ted Julian, Chief Marketing Officer, Co3 Systems - Colby Clark, Director of Incident Management, Fishnet Security

Today's Breach Reality, The IR Imperative, And What You Can Do About It

Resilient Systems

Cybersecurity: Do Your Have a Plan to Address Threats and Prevent Liability?

Codero

Insider threat v3

Lancope, Inc.

Defending Enterprise IT - beating assymetricality

Claus Cramon Houmann

The death of enterprise security as we know it - Pukhraj Singh - RootConf 2018

Pukhraj Singh

2023 NCIT: Introduction to Intrusion Detection

APNIC

This presentation was delivered at SkyDogCon 6 in October 2016. The A/V is available here: https://www.youtube.com/watch?list=PLLEf-wPc7Tyae19iTuzKOXmPj-IQBIWuU&v=mKxGulV2Z74 It is an updated version of the original deck presented at BSides Augusta 2016 - Added original content including information on use cases and added definition/clarity. Abstract: "We can all agree that threat ("Evil") detection is an essential component of a functioning security monitoring program. Let's start thinking about how to take our tradecraft to the next level and hunt for insecure conditions ("Ways for Evil to do Evil things") that might allow threat actors to succeed in their mission. This talk will run through some of the observations gathered during hunting expeditions inside the networks of multiple Fortune-ranked organizations and challenge you to expand your security operations thinking beyond signature-based detection. - What is Hunting? - How have we done it? - What have we found, and what should be done about those findings? - How might you achieve similar outcomes in your own environment?" Speakers: - Jacqueline Stokes (@find_evil) is an infosec enthusiast who picked up hacking as a preteen and cut her teeth over multiple years in Iraq. Her ongoing mission is to assess and advise clients on the most actionable and forward-thinking methods to improve detection, response, and containment of advanced threats. Jackie likes long walks on the beach, 90's nostalgia, and is the president and founding member of the Kevin Mandia Fan Club.

Hunting: Defense Against The Dark Arts v2

Spyglass Security

Threat Intelligence: State-of-the-art and Trends - Secure South West 2015

Andreas Sfakianakis

[Bucharest] Catching up with today's malicious actors

OWASP EEE

We can all agree that threat detection is an essential component of a functioning security monitoring program. Let's start thinking about how to take our tradecraft to the next level and hunt for ways for evil to do evil things. This talk will run through some of the observations gathered during hunting expeditions inside the networks of multiple Fortune ranked organizations. We hope to challenge you to expand your security operations, moving beyond traditional signature based detection.

Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016

Danny Akacki

Capture the flag (CTF) exercises and events continue to increase in popularity providing essential training and skills development for defenders on blue teams and attackers on red teams. Jeopardy style or attack-defense CTF cyber exercises enable experienced participants and novices to work side by side on teams developing communication, time management and problem solving skills in a safe environment with ground rules and prizes for winners. Defending blue teams often dread the embarrassment of being attacked and compromised until modern deception defenses arrived. Deception defenses mimic a real environment with decoys and breadcrumbs creating an unknown mine field for attackers to detect their activity and movements giving defending blue teams a new advantage.

Capture the Flag Exercise Using Active Deception Defense

Fidelis Cybersecurity

Technologies and Policies for a Defensible Cyberspace

mark-smith

Ten security product categories you've (probably) never heard of

Adrian Sanabria

Common themes in cyber attacks and what they mean for defenders' presentation...

APNIC

Incident response, Hacker Techniques and Countermeasures

Jose L. Quiñones-Borrero

Insight live om It-sikkerhed- Peter Schjøtt

Mediehuset Ingeniøren Live

Vulnerability Assessments, Penetration Tests and Red Teaming – Do you know what these tactics are all about? In this session, we will present our understanding of these practices in terms of when to apply them and what to expect. Nowadays, organizations run on top of hundreds, if not thousands, of Information Technology assets with some of them on premise and others cloud based. Having control over all of this is a challenging task. Based on our extensive experience with securing our customers, I will show what real findings and attack trends look like while hopefully, shedding some light on how to be prepared to resist current attacks.

Security Consulting Services - Which Is The Best Option For Me? - Diego Sor, ...

Core Security

UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...

APNIC

Security is now important to all of us, not just people who work at Facebook. Most developers think about security in terms of security technologies that they want to apply to their systems, and then ask how secure the system is. From a secure systems perspective, this is the wrong way around. To build a secure system, you need to start from the things that need to be protected and the threats to those resources. In this session, Eoin dives into the fundamentals of system security to introduce the topics we need to understand in order to decide how to secure our systems.

System Security Beyond the Libraries

Eoin Woods

Cyber Threat Hunting Workshop.pdf

ssuser4237d4

Semelhante a 44CON 2013 - Surviving the 0-day - Reducing the Window of Exposure - Andreas Lindh (20)

Today's Breach Reality, The IR Imperative, And What You Can Do About It

Cybersecurity: Do Your Have a Plan to Address Threats and Prevent Liability?

Insider threat v3

Defending Enterprise IT - beating assymetricality

The death of enterprise security as we know it - Pukhraj Singh - RootConf 2018

2023 NCIT: Introduction to Intrusion Detection

Hunting: Defense Against The Dark Arts v2

Threat Intelligence: State-of-the-art and Trends - Secure South West 2015

[Bucharest] Catching up with today's malicious actors

Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016

Capture the Flag Exercise Using Active Deception Defense

Technologies and Policies for a Defensible Cyberspace

Ten security product categories you've (probably) never heard of

Common themes in cyber attacks and what they mean for defenders' presentation...

Incident response, Hacker Techniques and Countermeasures

Insight live om It-sikkerhed- Peter Schjøtt

Security Consulting Services - Which Is The Best Option For Me? - Diego Sor, ...

UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...

System Security Beyond the Libraries

Cyber Threat Hunting Workshop.pdf

Mais de 44CON

Your job is to secure operations. But nobody listens to you. There’s no budget. Management keeps making bad security decisions that seem to sabotage your efforts. Do you flee or do you try harder? The security books, blogs, and tweeting pundits out there tell us we need to learn the language of business. We need to put risk in terms of money that management understands. We need to be like the management we’re trying to protect. And that’s where it all falls apart. The security to business relationship is often textbook abusive codependency. You do well and nobody notices. You fail and you get fired or worse- shamed by your peers over social media for whatever the company releases as the statement for the breach. So how do you do SecOps under those conditions? This talk will focus on new ways to approach SecOps to face the challenges you have today with business demands. We will look at new security research that will make a difference for how you do your job. Most of all we will show you technical security practices to help you sustain your new found stance.

They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...

44CON 2013 - Surviving the 0-day - Reducing the Window of Exposure - Andreas Lindh

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a 44CON 2013 - Surviving the 0-day - Reducing the Window of Exposure - Andreas Lindh

Semelhante a 44CON 2013 - Surviving the 0-day - Reducing the Window of Exposure - Andreas Lindh (20)

Mais de 44CON

Mais de 44CON (20)

Último

Último (20)

44CON 2013 - Surviving the 0-day - Reducing the Window of Exposure - Andreas Lindh

Notas do Editor