Attack-Driven Defense

zane@signalsciences.com
@zanelackey
Who am I?

•  Co-Founder/CSO @ Signal Sciences
•  Previously built/led the Security Engineering group @ Etsy
•  Prior to that, offensive research/pentesting @ iSEC Partners
This talk simply isn't possible without a number of people:

–  Ben Hughes
–  Brendan Adamson
–  Corey Benninger
–  Kai Zhong
–  Ken Lee
–  Kyle Barry
–  Marcus Barczak
–  Mike Arpaia
–  Omar Ahmed

Also a shout out to secteams we've enjoyed collaborating with:

Facebook/GitHub/Google/Square/Twitter
What is Etsy?

Etsy? Security? … Why!?

Advanced Persistent Tapestries
This talk is about shifting from historically un-contextualized defensive approaches

To building defenses around real world attack patterns

Un-contextualized?
Historically defense has:

– Focused on the perimeter
– Deployed commodity security products that don't address real attack scenarios
– Treated vulnerability enumeration (or worse, compliance) as "pentesting"

These don't address modern attack behavior
What should we be doing?

Fundamentally we have three goals:

1)  Raise cost to attackers
2)  Increase the odds of detecting compromise
3)  Iterate defenses based on real attack patterns
Increasing detection

Build your defenses from an offensive mindset

Instrument detection mechanisms around key areas of the attack chain:

•  Initial compromise
–  Defensive rootkitting
•  Persistence/C2
–  Host level
–  Organizational level
•  Lateral Movement
–  Network/systems discovery
–  Information discovery
Initial compromise

Rootkit your endpoints before your attackers do

Focus on the combination of system behaviors and commands executed

Specifically, log commands executed on endpoints and analyze this data

Analyze the data and build automatic alerting from anomalies
Anomalies?

From a macro level, bucket users into technical vs non-technical

Patterns then break down into:

– Anomalous if by a non-technical user
– Anomalous if by technical user
– Always anomalous

Non-Technical bucket:
–  Alert off any commands which show technical capabilities
•  It's either an attacker or your IT team

Technical bucket:
–  Treat individual commands and behaviors as low quality signals
•  Aggregate commands, look for unique combinations and bursts

Always anomalous (both buckets):
–  Analyze attack patterns and identify commands/behaviors strongly indicative of compromise
•  We're looking at you, `uname -a`
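The three bucket rules above, run over a few constructed command-log lines, as an added example (this is not code from the talk or from Etsy). It assumes executed commands have already been shipped off the endpoint as one record per command; the log format, the user-to-bucket mapping, the list of "technical" commands and the burst thresholds are all assumptions made for the illustration.

```python
"""Bucketed anomaly detection over endpoint command logs.

Added example, not code from the talk or from Etsy. It assumes command
execution logs have already been shipped off the endpoint as one record
per executed command; the log format, user buckets and thresholds below
are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, user, command line.
SAMPLE_LOG = """\
2013-08-01T09:00:01 alice git pull
2013-08-01T09:00:05 alice ls -la
2013-08-01T09:01:10 alice ssh build01
2013-08-01T09:01:12 alice uname -a
2013-08-01T10:15:00 bob ls
2013-08-01T10:15:30 bob cat notes.txt
2013-08-01T10:16:00 bob netstat -an
2013-08-01T14:00:00 carol ps aux
2013-08-01T14:00:01 carol netstat -an
2013-08-01T14:00:02 carol id
2013-08-01T14:00:03 carol cat /etc/passwd
2013-08-01T14:00:04 carol find / -perm -4000
"""

# Who is in which bucket (assumption: fed from HR / directory data).
TECHNICAL_USERS = {"alice", "carol"}

# Commands that show technical capability; a non-technical user running
# any of these is an alert on its own (it's an attacker or your IT team).
TECHNICAL_COMMANDS = {"netstat", "ssh", "nc", "ps", "id", "find", "curl", "wget"}

# Commands the talk calls "always anomalous", regardless of bucket.
ALWAYS_ANOMALOUS = {("uname", "-a")}

# Technical users: alert only on a burst of this many distinct technical
# commands inside the window (individual commands are low-quality signals).
BURST_WINDOW = timedelta(minutes=1)
BURST_DISTINCT = 4


def parse_log(text):
    """Yield (timestamp, user, argv) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, cmd = line.split(" ", 2)
        yield datetime.fromisoformat(ts), user, tuple(cmd.split())


def find_anomalies(text):
    """Return a sorted list of (user, reason) alerts for the given log text."""
    alerts = set()
    per_user = defaultdict(list)
    for ts, user, argv in parse_log(text):
        per_user[user].append((ts, argv))
        # Rule 3: always anomalous, both buckets.
        if argv[:2] in ALWAYS_ANOMALOUS:
            alerts.add((user, f"always-anomalous command: {' '.join(argv[:2])}"))
            continue
        # Rule 1: non-technical user shows technical capability.
        if user not in TECHNICAL_USERS and argv[0] in TECHNICAL_COMMANDS:
            alerts.add((user, f"technical command by non-technical user: {argv[0]}"))

    # Rule 2: technical users, aggregate and look for a burst of distinct
    # technical commands within BURST_WINDOW of any starting command.
    for user, events in per_user.items():
        if user not in TECHNICAL_USERS:
            continue
        events.sort()
        for i, (start, _) in enumerate(events):
            window = [argv[0] for ts, argv in events[i:]
                      if ts - start <= BURST_WINDOW and argv[0] in TECHNICAL_COMMANDS]
            distinct = len(set(window))
            if distinct >= BURST_DISTINCT:
                alerts.add((user, f"burst of {distinct} distinct technical commands within {BURST_WINDOW}"))
                break
    return sorted(alerts)


if __name__ == "__main__":
    for user, reason in find_anomalies(SAMPLE_LOG):
        print(f"ALERT {user}: {reason}")
```

On the sample data alice trips only the always-anomalous rule (her `ssh` is normal for a technical user), bob trips the non-technical rule on `netstat`, and carol trips the burst rule because four distinct recon-style commands land inside one minute; no single command of carol's would have alerted on its own.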
Persistence

Host level persistence:

– Look for common patterns of persistence via programs executed on boot, kernel modules loaded, etc
– Understand that in practice sophisticated persistence mechanisms won't be detected
•  Aim to detect the basics, and increase attacker cost by forcing use of custom persistence mechanisms
Shout out to @mimeframe and the FB secteam for their work on BigMac:

http://www.slideshare.net/mimeframe/ruxcon-2012-15195589
	
  
PresenJng	
  the	
  Etsy	
  version	
  of	
  a	
  host	
  IDS:	
  	
  
 
	
  
PresenJng	
  the	
  Etsy	
  version	
  of	
  a	
  host	
  IDS:	
  	
  
Tripyarn	
  
 
	
  
Tripyarn’s	
  goal	
  is	
  to	
  alert	
  off	
  real	
  world	
  pa"erns	
  
of	
  compromise	
  and	
  persistence	
  
 
	
  
Lessons	
  learned	
  from	
  detecJng	
  hosJle	
  
persistence	
  mechanisms	
  
 
	
  
First,	
  find	
  the	
  legiJmate	
  OS-­‐provided	
  
mechanisms	
  you’re	
  interested	
  in	
  instrumenJng	
  
 
	
  
Treat	
  addiJons	
  to/modificaJon	
  of	
  these	
  
mechanisms	
  as	
  an	
  event	
  	
  
For	
  rare	
  events,	
  alert	
  on	
  every	
  occurrence	
  
– Low	
  false	
  posiJve	
  cost	
  	
  
	
  
Ex:	
  	
  
– New	
  SSH	
  keys	
  being	
  added	
  to	
  a	
  host	
  
– Crontabs	
  being	
  created	
  	
  
– etc	
  
 
	
  
For	
  events	
  that	
  happen	
  oXen,	
  use	
  data	
  
aggregated	
  across	
  the	
  organizaJon	
  to	
  detect	
  
anomalies	
  
 
	
  
	
  
Example: Kernel modules

Goal: Detect a malicious kernel module loading on an endpoint

– We thought kernel modules loading would be fairly rare after boot and we could alert off that alone. We were wildly wrong.
– Whitelisting/blacklisting kernel module names wouldn't be effective
– Instead, analyze a kernel module being loaded for organizational uniqueness

"Did module X that just got loaded on endpoint Y get loaded on less than N systems across the organization in the last D days?"
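The organizational-uniqueness question above, answered over constructed module-load records, as an added example that serves both the "events that happen often, aggregate across the organization" lesson and the kernel module example (this is not Tripyarn or any Etsy code). It assumes every endpoint reports (timestamp, hostname, module name) for each module load to a central store; the records, host names, module names (including the odd-looking `strange_mod`) and the N and D thresholds are constructed.

```python
"""Organizational-uniqueness check for kernel module loads.

Added example, not Tripyarn or any Etsy code. It assumes each endpoint
reports (timestamp, hostname, module name) for every module load to a
central store; the records and thresholds below are constructed.
"""
from datetime import datetime, timedelta

# Constructed module-load records from a central log store.
MODULE_LOADS = [
    ("2013-08-01T08:00:00", "web01", "nf_conntrack"),
    ("2013-08-01T08:00:00", "web02", "nf_conntrack"),
    ("2013-08-01T08:00:00", "web03", "nf_conntrack"),
    ("2013-08-02T09:30:00", "db01", "nf_conntrack"),
    ("2013-08-03T10:00:00", "web01", "xt_recent"),
    ("2013-08-03T10:00:00", "web02", "xt_recent"),
    ("2013-08-10T23:41:00", "web02", "strange_mod"),   # constructed, never seen elsewhere recently
    ("2013-06-01T00:00:00", "web04", "strange_mod"),   # old load, outside the window
]

N_SYSTEMS = 3          # "fewer than N systems"
D_DAYS = 30            # "in the last D days"


def hosts_loading(module, now_iso, records=MODULE_LOADS, days=D_DAYS):
    """Set of distinct hosts that loaded `module` within the last `days` days."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=days)
    return {
        host
        for ts, host, name in records
        if name == module and datetime.fromisoformat(ts) >= cutoff
    }


def is_org_unique(module, host, now_iso, records=MODULE_LOADS, n=N_SYSTEMS, days=D_DAYS):
    """Answer the talk's question: did module X, just loaded on endpoint Y,
    get loaded on fewer than N systems across the org in the last D days?
    The loading host itself counts as one of those systems."""
    seen = hosts_loading(module, now_iso, records, days) | {host}
    return len(seen) < n


def check_load(module, host, now_iso, records=MODULE_LOADS, n=N_SYSTEMS, days=D_DAYS):
    """Return an alert string, or None when the module is common org-wide."""
    if is_org_unique(module, host, now_iso, records, n, days):
        count = len(hosts_loading(module, now_iso, records, days) | {host})
        return f"ALERT {host}: module {module!r} seen on only {count} host(s) in {days}d"
    return None


if __name__ == "__main__":
    now = "2013-08-10T23:41:05"
    for module, host in [("nf_conntrack", "web05"), ("xt_recent", "web03"), ("strange_mod", "web02")]:
        print(check_load(module, host, now) or f"ok {host}: {module} is common")
```

Note that no module name is ever whitelisted or blacklisted: `nf_conntrack` passes because four other hosts loaded it this month, and `strange_mod` alerts only because its one other load falls outside the D-day window, which is exactly the "organizational uniqueness" signal rather than a name match.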
Use attack post-exploitation techniques in a defensive context by separating your objectives from your tooling

Specifically, collect data on the endpoints and analyze/alert from that data on the server-side

When an attacker discovers and analyzes your endpoint security mechanisms they shouldn't be able to automatically learn all alerts in place
Organizational level persistence:

–  Legitimate remote access mechanisms or cloud systems with data desired by attacker
•  Ex: VPN and GMail
–  Use a mixed approach of manual and automated anomaly detection for these systems
•  Generating daily rollups of new accounts/keys created
•  Alerting off account creation/modification at unusual times, from unusual locations, etc
Example: GMail

Goal: Instrument GMail to detect compromise of domain admin accounts

–  GMail provides logs of interesting actions via Admin Audit API and Email Audit API
–  Pull down logs via these APIs, store them locally so you have a record of actions
–  Perform alerting on strong signals of compromise and persistence:
•  Signins from unusual locations/times
•  Creation of new admin level accounts
•  Creation of new mail-forwarding filters
•  Any change to 2FA settings
•  Etc
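The strong-signal rules listed above, applied to a handful of constructed audit events, as an added example (not Etsy code, and not a client for the real Admin Audit or Email Audit APIs). It assumes the logs have already been pulled down and normalised into the flat event dicts shown; the field names such as `kind`, `forward_to` and `admin`, the per-user location/hour baseline and the events themselves are all constructed.

```python
"""Strong-signal alerting over normalised Google Apps audit events.

Added example, not Etsy code and not a client for the real Admin Audit or
Email Audit APIs. It assumes those logs have already been pulled down and
normalised into the flat event dicts shown here; the field names, the
per-user baseline and the events themselves are constructed.
"""
from datetime import datetime

# Constructed per-user baseline (assumption: learned from stored history):
# countries the user normally signs in from and usual working hours in UTC.
BASELINE = {
    "admin@example.com": {"countries": {"US"}, "hours": range(13, 24)},  # 9am-7pm Eastern Daylight Time
}

# Constructed normalised events. `kind` is our own label, not an API field.
EVENTS = [
    {"ts": "2013-08-05T15:02:00", "kind": "login", "actor": "admin@example.com", "country": "US"},
    {"ts": "2013-08-06T03:17:00", "kind": "login", "actor": "admin@example.com", "country": "RO"},
    {"ts": "2013-08-06T03:20:00", "kind": "create_user", "actor": "admin@example.com",
     "target": "svc-backup@example.com", "admin": True},
    {"ts": "2013-08-06T03:22:00", "kind": "create_filter", "actor": "admin@example.com",
     "forward_to": "mailbox@external-example.net"},
    {"ts": "2013-08-06T03:25:00", "kind": "2fa_change", "actor": "admin@example.com",
     "enabled": False},
    {"ts": "2013-08-07T14:00:00", "kind": "create_filter", "actor": "admin@example.com",
     "forward_to": None},  # label-only filter: no forwarding, so benign here
]


def unusual_login(event, baseline=BASELINE):
    """Flag sign-ins from a country or at an hour outside the actor's baseline."""
    profile = baseline.get(event["actor"])
    if profile is None:
        return "sign-in by actor with no baseline"
    reasons = []
    if event["country"] not in profile["countries"]:
        reasons.append(f"unusual location {event['country']}")
    hour = datetime.fromisoformat(event["ts"]).hour
    if hour not in profile["hours"]:
        reasons.append(f"unusual hour {hour:02d}:00 UTC")
    return ", ".join(reasons) or None


def classify(event, baseline=BASELINE):
    """Return the strong-signal reason for an event, or None if it is benign."""
    kind = event["kind"]
    if kind == "login":
        return unusual_login(event, baseline)
    if kind == "create_user" and event.get("admin"):
        return f"new admin-level account {event['target']}"
    if kind == "create_filter" and event.get("forward_to"):
        return f"new mail-forwarding filter to {event['forward_to']}"
    if kind == "2fa_change":
        state = "changed" if event.get("enabled") else "disabled"
        return f"2FA {state}"
    return None


def alerts_for(events, baseline=BASELINE):
    """Run every event through the rules; return (ts, actor, reason) for hits."""
    hits = []
    for event in events:
        reason = classify(event, baseline)
        if reason:
            hits.append((event["ts"], event["actor"], reason))
    return hits


if __name__ == "__main__":
    for ts, actor, reason in alerts_for(EVENTS):
        print(f"{ts} {actor}: {reason}")
```

Each rule is deliberately a single, cheap predicate: these are the rare, high-confidence events the slide calls strong signals, so every occurrence is worth an alert and no aggregation is needed, in contrast to the command-log bucketing earlier.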
Lateral movement

Focusing on two areas of lateral movement:

1.  Network/systems discovery
2.  Information discovery
Use endpoint firewalls as a detection mechanism (NOT a blocking one)

Build alerts around services unused on your network but likely interesting to attackers

By alerting on (but not blocking!) traffic you don't immediately signal there's a detection mechanism in place

Also endpoint firewalls counter timing-based evasions

Any traffic to targeted service, no matter how slow, causes alerts
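The "alert on every hit, no matter how slow" point above, as an added example over constructed endpoint-firewall log lines (not Etsy code). It assumes the endpoint has an iptables LOG rule in front of the accept/drop decision for the watched ports, with a log prefix of `UNUSED_SVC`, so each packet shows up in the kernel log; the line format follows the usual iptables LOG layout but the lines, hosts, addresses and the watched-port list are constructed. A rate-threshold detector is included only to make the timing-based evasion concrete.

```python
"""Alert on every packet an endpoint firewall logs to an unused-but-attractive port.

Added example, not Etsy code. It assumes the endpoint runs an iptables
LOG rule (for example `-j LOG --log-prefix "UNUSED_SVC: "`) in front of
the ACCEPT/DROP decision for the watched ports, so hits appear in the
kernel log; the sample lines below are constructed in that layout.
"""
import re
from datetime import datetime, timedelta

# Services not used on this (constructed) network but attractive to an
# attacker doing host discovery: telnet, SMB, RDP.
WATCHED_PORTS = {23: "telnet", 445: "smb", 3389: "rdp"}

# Constructed kernel log lines from an iptables LOG rule with prefix UNUSED_SVC.
# One source probes three watched ports hours apart (a slow scan).
SAMPLE_LINES = """\
Aug 12 03:14:07 web02 kernel: UNUSED_SVC: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.1.7 PROTO=TCP SPT=44322 DPT=445 SYN
Aug 12 03:14:09 web02 kernel: UNUSED_SVC: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.1.7 PROTO=TCP SPT=44323 DPT=80 SYN
Aug 12 05:41:50 web02 kernel: UNUSED_SVC: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.1.7 PROTO=TCP SPT=44390 DPT=3389 SYN
Aug 12 09:02:11 web02 kernel: UNUSED_SVC: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.1.7 PROTO=TCP SPT=44401 DPT=23 SYN
Aug 12 09:02:12 web02 kernel: OTHER: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.1.7 PROTO=TCP SPT=51000 DPT=445 SYN
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>[A-Z_]+): .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+) "
    r".*?DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2013):
    """Parse one iptables LOG line into a dict, or None if it doesn't match.
    Syslog lines carry no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prefix": m["prefix"], "src": m["src"],
            "dst": m["dst"], "proto": m["proto"], "dpt": int(m["dpt"])}


def alerts_per_hit(text, watched=WATCHED_PORTS, prefix="UNUSED_SVC"):
    """One alert per logged packet to a watched port: no rate threshold, so a
    scan slowed to one probe every few hours still fires every single time."""
    out = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["prefix"] == prefix and rec["dpt"] in watched:
            out.append((rec["ts"].isoformat(), rec["src"], rec["host"], watched[rec["dpt"]]))
    return out


def alerts_rate_threshold(text, watched=WATCHED_PORTS, prefix="UNUSED_SVC",
                          min_hits=3, window=timedelta(minutes=5)):
    """Contrast: a scanner-style detector that needs `min_hits` watched-port
    probes from one source inside `window`. Included only to show the
    evasion; the slow scan in SAMPLE_LINES never trips it."""
    by_src = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["prefix"] == prefix and rec["dpt"] in watched:
            by_src.setdefault(rec["src"], []).append(rec["ts"])
    flagged = []
    for src, times in by_src.items():
        times.sort()
        for i, start in enumerate(times):
            if len([t for t in times[i:] if t - start <= window]) >= min_hits:
                flagged.append(src)
                break
    return flagged


if __name__ == "__main__":
    for ts, src, host, svc in alerts_per_hit(SAMPLE_LINES):
        print(f"ALERT {ts} {src} -> {host} {svc}")
    print("rate-threshold detector flagged:", alerts_rate_threshold(SAMPLE_LINES))
```

Because the LOG rule is not a DROP, the probing host gets the same TCP response it would on any other box, so nothing about the network's behaviour reveals that 23, 445 and 3389 are being watched; the detection lives entirely in the server-side log analysis.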
Information Discovery

What internal systems provide information that helps an attacker achieve their goals?

- Wikis
- Source control
- Bug tracking
- Etc

Instrument these systems the way you would other high-value pieces of infrastructure

Alert off behavioral anomalies such as:
–  Usage outside of normal hours
•  Your attackers are rarely in your time zone
–  Bursts of activity
•  Viewing all security tickets in the bug tracker isn't even done by the security team
–  Etc
Increasing attacker cost

Make compromise more expensive

– We'll discuss:
•  Reducing trusted CA roots
•  Removing cheap exploitation vectors
•  Forcing updates without the force
•  Limiting drive-by exposure
•  Practical goals for security awareness training
How can you reduce the likelihood of a DigiNotar-like MITM happening against your organization?

If you remove unused CAs, when one is compromised it can't silently MITM your endpoints

We performed several months of anonymized traffic analysis to record what CAs were seen during our employees' Internet usage

We found less than 29% of SSL Certificate Authorities trusted by our endpoints were actually used

Our raw results:

21.29%  EQUIFAX SECURE CERTIFICATE AUTHORITY
10.37%  ENTRUST.NET SECURE SERVER CERTIFICATION AUTHORITY
10.07%  DIGICERT HIGH ASSURANCE EV ROOT CA
 8.97%  GO DADDY CLASS 2 CERTIFICATION AUTHORITY
 7.91%  GEOTRUST GLOBAL CA
 7.23%  ADDTRUST EXTERNAL CA ROOT
 6.48%  HTTP://WWW.VALICERT.COM/
 6.04%  GTE CYBERTRUST GLOBAL ROOT
 4.45%  VERISIGN CLASS 3 PUBLIC PRIMARY CERTIFICATION AUTHORITY - G5
 4.08%  CLASS 3 PUBLIC PRIMARY CERTIFICATION AUTHORITY
 3.82%  BALTIMORE CYBERTRUST ROOT
 3.22%  CLASS 3 PUBLIC PRIMARY CERTIFICATION AUTHORITY - G2
 1.37%  THAWTE PRIMARY ROOT CA
 1.36%  THAWTE PREMIUM SERVER CA
 1.33%  ENTRUST.NET CERTIFICATION AUTHORITY (2048)
 0.65%  GLOBALSIGN ROOT CA

[The CAs which had < 0.5% traffic have been edited out for brevity. More info here: http://codeascraft.com/2013/07/16/reducing-the-roots-of-some-evil/]
By removing only unused CAs you don't teach users to click through SSL errors

Continue traffic analysis, add/remove trusted CAs as appropriate
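The trust-store pruning decision above, as an added example (not Etsy's analysis tooling). It assumes a passive collector has already recorded, per observed TLS connection, the subject of the root that anchored the presented chain; the trust store, the observation counts and the resulting percentages are constructed for the illustration and are not the talk's numbers (the `EXAMPLE ... ROOT CA` names are placeholders).

```python
"""Tally which trusted root CAs actually anchor the certificates users see.

Added example, not Etsy's analysis tooling. It assumes a passive collector
has already recorded, per TLS connection, the subject of the root that
anchored the presented chain; the trust store and the observations below
are constructed, and the percentages are not the talk's numbers.
"""
from collections import Counter

# Constructed trust store: root CA subjects the endpoint image currently trusts.
TRUST_STORE = [
    "EQUIFAX SECURE CERTIFICATE AUTHORITY",
    "DIGICERT HIGH ASSURANCE EV ROOT CA",
    "GEOTRUST GLOBAL CA",
    "EXAMPLE REGIONAL ROOT CA 1",
    "EXAMPLE REGIONAL ROOT CA 2",
    "EXAMPLE GOVERNMENT ROOT CA",
]

# Constructed observations: the root subject anchoring each observed connection.
OBSERVED_ROOTS = (
    ["EQUIFAX SECURE CERTIFICATE AUTHORITY"] * 60
    + ["DIGICERT HIGH ASSURANCE EV ROOT CA"] * 30
    + ["GEOTRUST GLOBAL CA"] * 9
    + ["EXAMPLE REGIONAL ROOT CA 1"] * 1
)


def usage_share(observed):
    """Map each root to its percentage of observed connections, most used first."""
    counts = Counter(observed)
    total = sum(counts.values())
    return {root: round(100.0 * n / total, 2)
            for root, n in counts.most_common()}


def removal_candidates(trust_store, observed, min_share=0.0):
    """Roots in the trust store seen at or below `min_share` percent of traffic.
    min_share=0.0 means 'never seen', which is the talk's safe removal set:
    pulling those roots cannot produce a user-visible SSL error and so
    does not train users to click through warnings."""
    share = usage_share(observed)
    return sorted(r for r in trust_store if share.get(r, 0.0) <= min_share)


def fraction_used(trust_store, observed):
    """Fraction of the trust store that anchored at least one observed connection."""
    seen = set(observed)
    return len([r for r in trust_store if r in seen]) / len(trust_store)


if __name__ == "__main__":
    for root, pct in usage_share(OBSERVED_ROOTS).items():
        print(f"{pct:6.2f}%  {root}")
    print(f"used: {100 * fraction_used(TRUST_STORE, OBSERVED_ROOTS):.0f}% of trust store")
    print("never seen:", removal_candidates(TRUST_STORE, OBSERVED_ROOTS))
```

Re-running `removal_candidates` against a fresh observation window is the "continue traffic analysis" step: a root that starts appearing gets added back, and one that has gone quiet becomes a new candidate.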
[Java logo] in the browser is: cheap, reliable, and efficient (pick three!)

…for attackers
What did we learn when we removed Java web plugins from the enterprise?

•  Hardly any groups actually needed it
– Network Operations, for legacy networking equipment
•  For them, we built dedicated Java jump boxes

Benefits:
1.  No Java on any laptops/desktops
2.  Boxes with Java can't hit Internet
3.  Able to frequently re-image jump boxes
4.  Only a few boxes to patch

But…

Java shows back up when you apply Apple patches.

Remove it on an ongoing basis
Browser updates

We wanted a less heavy-handed approach to ensuring up-to-date browsers

Built browser detection logic into our internal SSO point

UX is key:

Show in screenshots how quick it is to update, provide a bypass mechanism

Simply asking users to update works shockingly well
Funny story, users will install malware because an ad popup told them to.

Often.

You can almost entirely kill this source of compromise (for free!) by pushing adblocker plugins to the organization
Security awareness training

Historically we've focused on reducing the number of people who fall for phishing

This is the wrong goal

If you go from being 36% on fire to 27% on fire you're still on fire

Instead, focus on incentivizing users to:

The metric to track/increase is the likelihood of phishing emails being reported to security

Even if 36% still fall for phishing, as long as one in the group reports it IR can begin

XXX
Running effective attack simulations

Problems with "pentesting" are well understood in the offensive community but not as well in the defensive community

Pentests typically result in a list of enumerated known vulnerabilities to be patched, not data on how a real attacker would operate against a given environment

Attack simulations should be done to learn how attackers are likely to achieve goals against your organization

NOT to show compromise is possible (spoiler alert: it is.)

Use this attack data to focus where/how to build detection mechanisms

From an organizational side, attack simulations complement vulnerability enumeration/compliance/etc

Vulnerability enumeration/compliance are checklists to make sure you're covering the basics

But checklists aren't owning you, attackers are
Four keys to effective attack simulations:

–  Goal oriented
•  "Obtain domain admin", "read the CEO's email", "view credit card data", …
–  Full organization in scope
•  Have attack team call a contact if they're about to do something risky
–  Simulate realistic compromise patterns
•  Start the attack team on a standard laptop/desktop endpoint inside the organization to simulate phishing/clientside compromise
•  Start the attack team on a database or web server to simulate SQL injection/RCE
•  Attack team should be encouraged to use 0days throughout engagement
–  Break simulation down into iterations:
•  Don't spend the full engagement time on only one round of testing; once one team achieves goal(s), then swap in new attack team to achieve the same goal(s)
–  Ex: We try to run 3-4 iterations per several week simulation
The project output should be attack chains showing how attack team went from A->B->C to achieve goals, what steps they took and why

Just as importantly, what steps they didn't take

Ex: "We didn't try to find internal network diagrams on your wiki because zone transfers were enabled so we could get enough data about your network from that"

Remember, the goal is to simulate realistic attack behaviors and patterns that can be used to enhance detection

In addition, simulate varying attack profiles from quick & noisy to quietly maintaining persistence

Over multiple iterations learn what behaviors overlap between attackers and what strong signals of lateral movement in your environment look like

TL;DR
(The section formerly known as "Conclusions")

Defend like an attacker
Where should defense focus?

–  Increase attacker cost by reducing cheap compromise vectors
–  Build detection mechanisms around real attack patterns
•  Analyze past compromises, new offensive research, and conduct realistic attack simulations to obtain data
–  Depending on scale, have true offensive capabilities on staff or a call away
–  Have product/tooling development capabilities within your security team
•  Roughly one quarter of our team is software engineers who focus on building internal security products

Thanks!

zane@signalsciences.com
@zanelackey
 
ATT&CKcon Intro
ATT&CKcon IntroATT&CKcon Intro
ATT&CKcon Intro
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
 
Red Team Framework
Red Team FrameworkRed Team Framework
Red Team Framework
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
 
Effective approaches to web application security
Effective approaches to web application security Effective approaches to web application security
Effective approaches to web application security
 
Web-servers & Application Hacking
Web-servers & Application HackingWeb-servers & Application Hacking
Web-servers & Application Hacking
 
Bot Manager + Cloudlet Strengthen Mitigation Capability
Bot Manager + Cloudlet Strengthen Mitigation CapabilityBot Manager + Cloudlet Strengthen Mitigation Capability
Bot Manager + Cloudlet Strengthen Mitigation Capability
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
 
Ceh v5 module 11 hacking webservers
Ceh v5 module 11 hacking webserversCeh v5 module 11 hacking webservers
Ceh v5 module 11 hacking webservers
 

Destaque

How to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsHow to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsZane Lackey
 
Building a Modern Security Engineering Organization
Building a Modern Security Engineering OrganizationBuilding a Modern Security Engineering Organization
Building a Modern Security Engineering OrganizationZane Lackey
 
DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & NowCheckmarx
 
Continuous Security Testing with Devops - OWASP EU 2014
Continuous Security Testing  with Devops - OWASP EU 2014Continuous Security Testing  with Devops - OWASP EU 2014
Continuous Security Testing with Devops - OWASP EU 2014Stephen de Vries
 
LasCon 2014 DevOoops
LasCon 2014 DevOoops LasCon 2014 DevOoops
LasCon 2014 DevOoops Chris Gates
 
CISCO. Алексей Лукацкий: "Тенденции в области угроз безопасности"
CISCO. Алексей Лукацкий: "Тенденции в области угроз безопасности"CISCO. Алексей Лукацкий: "Тенденции в области угроз безопасности"
CISCO. Алексей Лукацкий: "Тенденции в области угроз безопасности"Expolink
 
CanSecWest 2013 - iOS 6 Exploitation 280 Days Later
CanSecWest 2013 - iOS 6 Exploitation 280 Days LaterCanSecWest 2013 - iOS 6 Exploitation 280 Days Later
CanSecWest 2013 - iOS 6 Exploitation 280 Days LaterStefan Esser
 
A Manifesto for Cyber Resilience
A Manifesto for Cyber ResilienceA Manifesto for Cyber Resilience
A Manifesto for Cyber ResilienceSymantec
 
The Factoring Dead: Preparing for the Cryptopocalypse
The Factoring Dead: Preparing for the CryptopocalypseThe Factoring Dead: Preparing for the Cryptopocalypse
The Factoring Dead: Preparing for the CryptopocalypseAlex Stamos
 
Banking Innovations Forum 2009 - Bartłomiej Kozakowski, Comarch
Banking Innovations Forum 2009 - Bartłomiej Kozakowski, ComarchBanking Innovations Forum 2009 - Bartłomiej Kozakowski, Comarch
Banking Innovations Forum 2009 - Bartłomiej Kozakowski, ComarchComarch SA
 
Building Software Systems at Google and Lessons Learned
Building Software Systems at Google and Lessons LearnedBuilding Software Systems at Google and Lessons Learned
Building Software Systems at Google and Lessons Learnedparallellabs
 
Ops Meta-Metrics: The Currency You Pay For Change
Ops Meta-Metrics: The Currency You Pay For ChangeOps Meta-Metrics: The Currency You Pay For Change
Ops Meta-Metrics: The Currency You Pay For ChangeJohn Allspaw
 
Тенденции, влияющие на информационную безопасность
Тенденции, влияющие на информационную безопасностьТенденции, влияющие на информационную безопасность
Тенденции, влияющие на информационную безопасностьAleksey Lukatskiy
 
What's My Security Policy Doing to My Help Desk w/ Chris Swan
What's My Security Policy Doing to My Help Desk w/ Chris SwanWhat's My Security Policy Doing to My Help Desk w/ Chris Swan
What's My Security Policy Doing to My Help Desk w/ Chris SwanSonatype
 
The Retail Enterprise - And the rise of the omni-present consumer Part 2
The Retail Enterprise - And the rise of the omni-present consumer Part 2The Retail Enterprise - And the rise of the omni-present consumer Part 2
The Retail Enterprise - And the rise of the omni-present consumer Part 2Zensar Technologies Ltd.
 
Application Secret Management with KMS
Application Secret Management with KMSApplication Secret Management with KMS
Application Secret Management with KMSSonatype
 
Beschikbaar jr. HBO Netwerk/Security/DevOps Engineer
Beschikbaar jr. HBO Netwerk/Security/DevOps EngineerBeschikbaar jr. HBO Netwerk/Security/DevOps Engineer
Beschikbaar jr. HBO Netwerk/Security/DevOps EngineerMarc Servaes (06-47841367)
 

Destaque (20)

ruxc0n 2012
ruxc0n 2012ruxc0n 2012
ruxc0n 2012
 
How to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsHow to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOps
 
Building a Modern Security Engineering Organization
Building a Modern Security Engineering OrganizationBuilding a Modern Security Engineering Organization
Building a Modern Security Engineering Organization
 
Apps en office15
Apps en office15Apps en office15
Apps en office15
 
DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & Now
 
Continuous Security Testing with Devops - OWASP EU 2014
Continuous Security Testing  with Devops - OWASP EU 2014Continuous Security Testing  with Devops - OWASP EU 2014
Continuous Security Testing with Devops - OWASP EU 2014
 
LasCon 2014 DevOoops
LasCon 2014 DevOoops LasCon 2014 DevOoops
LasCon 2014 DevOoops
 
CISCO. Алексей Лукацкий: "Тенденции в области угроз безопасности"
CISCO. Алексей Лукацкий: "Тенденции в области угроз безопасности"CISCO. Алексей Лукацкий: "Тенденции в области угроз безопасности"
CISCO. Алексей Лукацкий: "Тенденции в области угроз безопасности"
 
CanSecWest 2013 - iOS 6 Exploitation 280 Days Later
CanSecWest 2013 - iOS 6 Exploitation 280 Days LaterCanSecWest 2013 - iOS 6 Exploitation 280 Days Later
CanSecWest 2013 - iOS 6 Exploitation 280 Days Later
 
A Manifesto for Cyber Resilience
A Manifesto for Cyber ResilienceA Manifesto for Cyber Resilience
A Manifesto for Cyber Resilience
 
The Factoring Dead: Preparing for the Cryptopocalypse
The Factoring Dead: Preparing for the CryptopocalypseThe Factoring Dead: Preparing for the Cryptopocalypse
The Factoring Dead: Preparing for the Cryptopocalypse
 
Banking Innovations Forum 2009 - Bartłomiej Kozakowski, Comarch
Banking Innovations Forum 2009 - Bartłomiej Kozakowski, ComarchBanking Innovations Forum 2009 - Bartłomiej Kozakowski, Comarch
Banking Innovations Forum 2009 - Bartłomiej Kozakowski, Comarch
 
Building Software Systems at Google and Lessons Learned
Building Software Systems at Google and Lessons LearnedBuilding Software Systems at Google and Lessons Learned
Building Software Systems at Google and Lessons Learned
 
Ops Meta-Metrics: The Currency You Pay For Change
Ops Meta-Metrics: The Currency You Pay For ChangeOps Meta-Metrics: The Currency You Pay For Change
Ops Meta-Metrics: The Currency You Pay For Change
 
Тенденции, влияющие на информационную безопасность
Тенденции, влияющие на информационную безопасностьТенденции, влияющие на информационную безопасность
Тенденции, влияющие на информационную безопасность
 
Devops security
Devops securityDevops security
Devops security
 
What's My Security Policy Doing to My Help Desk w/ Chris Swan
What's My Security Policy Doing to My Help Desk w/ Chris SwanWhat's My Security Policy Doing to My Help Desk w/ Chris Swan
What's My Security Policy Doing to My Help Desk w/ Chris Swan
 
The Retail Enterprise - And the rise of the omni-present consumer Part 2
The Retail Enterprise - And the rise of the omni-present consumer Part 2The Retail Enterprise - And the rise of the omni-present consumer Part 2
The Retail Enterprise - And the rise of the omni-present consumer Part 2
 
Application Secret Management with KMS
Application Secret Management with KMSApplication Secret Management with KMS
Application Secret Management with KMS
 
Beschikbaar jr. HBO Netwerk/Security/DevOps Engineer
Beschikbaar jr. HBO Netwerk/Security/DevOps EngineerBeschikbaar jr. HBO Netwerk/Security/DevOps Engineer
Beschikbaar jr. HBO Netwerk/Security/DevOps Engineer
 

Semelhante a Attack-driven defense

Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...Yury Chemerkin
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22MichaelM85042
 
An In-depth look at application containers
An In-depth look at application containersAn In-depth look at application containers
An In-depth look at application containersJohn Kinsella
 
Reading Group Presentation: The Power of Procrastination
Reading Group Presentation: The Power of ProcrastinationReading Group Presentation: The Power of Procrastination
Reading Group Presentation: The Power of ProcrastinationMichael Rushanan
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisTamas K Lengyel
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT  (Raiding Internet of Things)  by Jacob HolcombRIoT  (Raiding Internet of Things)  by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
 
Owasp joy of proactive security
Owasp joy of proactive securityOwasp joy of proactive security
Owasp joy of proactive securityScott Behrens
 
JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...
JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...
JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...Maarten Balliauw
 
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an..."Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...SegInfo
 
[PH-Neutral 0x7db] Exploit Next Generation®
[PH-Neutral 0x7db] Exploit Next Generation®[PH-Neutral 0x7db] Exploit Next Generation®
[PH-Neutral 0x7db] Exploit Next Generation®Nelson Brito
 
The Joy of Proactive Security
The Joy of Proactive SecurityThe Joy of Proactive Security
The Joy of Proactive SecurityAndy Hoernecke
 
Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Claus Cramon Houmann
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates  - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates  - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016Chris Gates
 
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022MichaelM85042
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface DevicePositive Hack Days
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container securityJohn Kinsella
 
Security as Code: DOES15
Security as Code: DOES15Security as Code: DOES15
Security as Code: DOES15Ed Bellis
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavOWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavAbhay Bhargav
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Claus Cramon Houmann
 
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...Alex Pinto
 

Semelhante a Attack-driven defense (20)

Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
 
An In-depth look at application containers
An In-depth look at application containersAn In-depth look at application containers
An In-depth look at application containers
 
Reading Group Presentation: The Power of Procrastination
Reading Group Presentation: The Power of ProcrastinationReading Group Presentation: The Power of Procrastination
Reading Group Presentation: The Power of Procrastination
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT  (Raiding Internet of Things)  by Jacob HolcombRIoT  (Raiding Internet of Things)  by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
 
Owasp joy of proactive security
Owasp joy of proactive securityOwasp joy of proactive security
Owasp joy of proactive security
 
JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...
JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...
JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...
 
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an..."Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
 
[PH-Neutral 0x7db] Exploit Next Generation®
[PH-Neutral 0x7db] Exploit Next Generation®[PH-Neutral 0x7db] Exploit Next Generation®
[PH-Neutral 0x7db] Exploit Next Generation®
 
The Joy of Proactive Security
The Joy of Proactive SecurityThe Joy of Proactive Security
The Joy of Proactive Security
 
Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates  - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates  - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
 
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface Device
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
 
Security as Code: DOES15
Security as Code: DOES15Security as Code: DOES15
Security as Code: DOES15
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavOWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015
 
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...
 

Último

Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIUdaiappa Ramachandran
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?SANGHEE SHIN
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdfJamie (Taka) Wang
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfAnna Loughnan Colquhoun
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 

Último (20)

Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AI
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdf
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 

Attack-driven defense

  • 1. Attack-Driven Defense zane@signalsciences.com @zanelackey
  • 2. Who am I? • Co-Founder/CSO @ Signal Sciences • Previously built/led the Security Engineering group @ Etsy • Prior to that, offensive research/pentesting @ iSEC Partners
  • 3. This talk simply isn't possible without a number of people: – Ben Hughes – Brendan Adamson – Corey Benninger – Kai Zhong – Ken Lee – Kyle Barry – Marcus Barczak – Mike Arpaia – Omar Ahmed
  • 4. Also a shout out to secteams we've enjoyed collaborating with: Facebook/GitHub/Google/Square/Twitter
  • 5. What is Etsy?
  • 7. Etsy? Security? … Why!?
  • 9. This talk is about shifting from historically un-contextualized defensive approaches
  • 10. To building defenses around real world attack patterns
  • 12. Historically defense has: – Focused on the perimeter – Deployed commodity security products that don't address real attack scenarios – Treated vulnerability enumeration (or worse, compliance) as "pentesting"
  • 13. These don't address modern attack behavior
  • 14. What should we be doing?
  • 15. Fundamentally we have three goals: 1) Raise cost to attackers 2) Increase the odds of detecting compromise 3) Iterate defenses based on real attack patterns
  • 17. Build your defenses from an offensive mindset
  • 18. Instrument detection mechanisms around key areas of the attack chain: • Initial compromise – Defensive rootkitting • Persistence/C2 – Host level – Organizational level • Lateral Movement – Network/systems discovery – Information discovery
  • 20. Rootkit your endpoints before your attackers do
  • 21. Focus on the combination of system behaviors and commands executed
  • 22. Specifically, log commands executed on endpoints and analyze this data
  • 23. Analyze the data and build automatic alerting from anomalies
  • 25. From a macro level, bucket users into technical vs non-technical
  • 26. Patterns then break down into: – Anomalous if by a non-technical user – Anomalous if by technical user – Always anomalous
  • 27. Non-Technical bucket: – Alert off any commands which show technical capabilities • It's either an attacker or your IT team Technical bucket: – Treat individual commands and behaviors as low quality signals • Aggregate commands, look for unique combinations and bursts Always anomalous (both buckets): – Analyze attack patterns and identify commands/behaviors strongly indicative of compromise • We're looking at you, `uname -a`
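The three buckets of slide 27, written out as detection logic over a constructed endpoint command log. This is an added example, not code from the deck or from Etsy's tooling: the log format, the user-to-bucket mapping, the list of "technical" commands, the recon combination and the burst window/threshold are all assumptions made for the illustration; `uname -a` as an always-anomalous command is the one the slide names.

```python
"""Bucketed command-log alerting (slides 22-27). Added example; not
from the deck or Etsy. Log format, buckets, command lists and
thresholds are constructed for the illustration."""
from collections import defaultdict
from dataclasses import dataclass
import shlex

# Anomalous regardless of who runs it. `uname -a` comes from the slide;
# extending the set is an assumption left to the reader.
ALWAYS_ANOMALOUS = {"uname -a"}

# Base commands that show "technical capability" (constructed list).
TECHNICAL_COMMANDS = {
    "whoami", "id", "ps", "netstat", "ss", "ifconfig", "ip",
    "sudo", "ssh", "curl", "wget", "nc", "python",
}

# Technical-bucket tuning (constructed): a burst is this many distinct
# technical commands by one user inside one window; the combination is a
# set of commands that is a far stronger signal together than apart.
WINDOW_SECONDS = 60
BURST_THRESHOLD = 5
RECON_COMBINATION = frozenset({"whoami", "id", "netstat"})


@dataclass(frozen=True)
class Event:
    ts: int        # unix seconds
    host: str
    user: str
    cmdline: str


@dataclass(frozen=True)
class Alert:
    bucket: str    # "non-technical", "technical" or "always"
    user: str
    reason: str


def parse_line(line):
    """Constructed log format: '<unix-ts> <host> <user> <command line>'."""
    ts, host, user, cmdline = line.split(" ", 3)
    return Event(int(ts), host, user, " ".join(cmdline.split()))


def base_command(cmdline):
    """'/usr/bin/sudo -l' -> 'sudo'; tolerant of unbalanced quotes."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        argv = cmdline.split()
    return argv[0].rsplit("/", 1)[-1] if argv else ""


def analyse(lines, technical_users):
    """Apply the three buckets to a batch of log lines and return alerts."""
    alerts = []
    technical_seen = defaultdict(list)   # user -> [(ts, base command)]
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.cmdline in ALWAYS_ANOMALOUS:           # both buckets
            alerts.append(Alert("always", ev.user, f"always-anomalous command: {ev.cmdline}"))
            continue
        cmd = base_command(ev.cmdline)
        if cmd not in TECHNICAL_COMMANDS:
            continue
        if ev.user not in technical_users:
            # Non-technical bucket: a single technical command is enough.
            alerts.append(Alert("non-technical", ev.user,
                                f"technical command by non-technical user: {ev.cmdline}"))
        else:
            # Technical bucket: one command is a low-quality signal, so
            # only record it and decide per time window below.
            technical_seen[ev.user].append((ev.ts, cmd))

    for user, seq in technical_seen.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            window = {c for t, c in seq[i:] if t - t0 <= WINDOW_SECONDS}
            if RECON_COMBINATION <= window:
                reason = f"recon combination {sorted(RECON_COMBINATION)} within {WINDOW_SECONDS}s"
            elif len(window) >= BURST_THRESHOLD:
                reason = f"burst of {len(window)} distinct technical commands within {WINDOW_SECONDS}s"
            else:
                continue
            alerts.append(Alert("technical", user, reason))
            break   # one alert per user per batch is enough to page on


    return alerts


# Constructed sample log: alice is non-technical, bob and carol are engineers.
SAMPLE_LOG = """\
1700000000 laptop-07 alice ls -la
1700000010 laptop-07 alice whoami
1700000012 laptop-07 alice uname -a
1700000100 build-02 bob git status
1700000105 build-02 bob ps aux
1700000106 build-02 bob whoami
1700000107 build-02 bob id
1700000108 build-02 bob netstat -an
1700000109 build-02 bob ifconfig
1700000110 build-02 bob uname -a
1700000400 build-02 carol ps aux
1700000900 build-02 carol ssh deploy@app-01
"""
TECHNICAL_USERS = {"bob", "carol"}

if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG.splitlines(), TECHNICAL_USERS):
        print(f"[{a.bucket}] {a.user}: {a.reason}")
```

On the sample log alice's lone `whoami` alerts immediately, bob's five recon commands in five seconds alert once as a combination, and carol's `ps` and `ssh` ten minutes apart produce nothing, which is the asymmetry between the two buckets the slide is after.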
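The three buckets above, turned into detection logic that runs over endpoint command records. This is an added illustration, not Tripyarn or any Etsy code; the user-to-bucket map, the command sets and the burst threshold are assumed values a deployment would tune from its own data.

```python
import json
from collections import deque

# Constructed user-to-bucket mapping; in practice this would come from HR/LDAP data.
USER_BUCKET = {"alice": "technical", "bob": "non-technical"}
# Commands that show technical capability: any use by a non-technical user alerts.
TECHNICAL_COMMANDS = {"ssh", "sudo", "id", "whoami", "netstat", "curl", "tcpdump", "nc"}
# Full command lines the slides call always anomalous, whatever the bucket.
ALWAYS_ANOMALOUS = {"uname -a"}
# Technical users: a single command is a weak signal, so alert on a burst of
# distinct technical commands inside a short window instead (assumed values).
BURST_WINDOW_SEC = 60
BURST_DISTINCT = 4


def classify(records):
    """Return (severity, user, host, reason) alerts for a list of command records."""
    alerts = []
    recent = {}  # user -> deque of (ts, command) technical commands in the window
    for rec in sorted(records, key=lambda r: r["ts"]):
        user, host, argv = rec["user"], rec["host"], rec["argv"]
        line = " ".join(argv)
        # Unknown users are treated as non-technical: the conservative choice.
        bucket = USER_BUCKET.get(user, "non-technical")
        if line in ALWAYS_ANOMALOUS:
            alerts.append(("high", user, host, f"always-anomalous command: {line}"))
            continue
        if argv[0] not in TECHNICAL_COMMANDS:
            continue
        if bucket == "non-technical":
            alerts.append(("high", user, host,
                           f"technical command by non-technical user: {line}"))
            continue
        window = recent.setdefault(user, deque())
        window.append((rec["ts"], argv[0]))
        while window and rec["ts"] - window[0][0] > BURST_WINDOW_SEC:
            window.popleft()
        distinct = sorted({cmd for _, cmd in window})
        if len(distinct) == BURST_DISTINCT:  # fire once, as the threshold is crossed
            alerts.append(("medium", user, host,
                           "burst of distinct technical commands: " + ", ".join(distinct)))
    return alerts


# Constructed sample of endpoint command records (one JSON object per line).
SAMPLE_LOG = """\
{"ts": 100, "user": "bob", "host": "bob-laptop", "argv": ["open", "budget.xlsx"]}
{"ts": 110, "user": "bob", "host": "bob-laptop", "argv": ["whoami"]}
{"ts": 200, "user": "alice", "host": "alice-laptop", "argv": ["ssh", "build01"]}
{"ts": 205, "user": "alice", "host": "alice-laptop", "argv": ["id"]}
{"ts": 210, "user": "alice", "host": "alice-laptop", "argv": ["netstat", "-an"]}
{"ts": 215, "user": "alice", "host": "alice-laptop", "argv": ["sudo", "-l"]}
{"ts": 220, "user": "alice", "host": "alice-laptop", "argv": ["uname", "-a"]}
{"ts": 900, "user": "alice", "host": "alice-laptop", "argv": ["ssh", "build02"]}
"""


def parse_records(text):
    return [json.loads(l) for l in text.splitlines() if l.strip()]


def run_sample():
    return classify(parse_records(SAMPLE_LOG))
```

Note that alice's lone `ssh` at ts 900 raises nothing: for the technical bucket only the combination within the window matters, which is the point of treating single commands as low-quality signals.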
  • 32. Host level persistence:
    – Look for common patterns of persistence via programs executed on boot, kernel modules loaded, etc
    – Understand that in practice sophisticated persistence mechanisms won’t be detected
      • Aim to detect the basics, and increase attacker cost by forcing use of custom persistence mechanisms
  • 33. Shout out to @mimeframe and the FB secteam for their work on BigMac: http://www.slideshare.net/mimeframe/ruxcon-2012-15195589
  • 35. Presenting the Etsy version of a host IDS: Tripyarn
  • 36. Tripyarn’s goal is to alert off real world patterns of compromise and persistence
  • 37. Lessons learned from detecting hostile persistence mechanisms
  • 38. First, find the legitimate OS-provided mechanisms you’re interested in instrumenting
  • 39. Treat additions to/modification of these mechanisms as an event
  • 40. For rare events, alert on every occurrence
    – Low false positive cost
    Ex:
    – New SSH keys being added to a host
    – Crontabs being created
    – etc
  • 41. For events that happen often, use data aggregated across the organization to detect anomalies
  • 42. Example: Kernel modules
  • 43. Goal: Detect a malicious kernel module loading on an endpoint
    – We thought kernel modules loading would be fairly rare after boot and we could alert off that alone. We were wildly wrong.
    – Whitelisting/blacklisting kernel module names wouldn’t be effective
    – Instead, analyze a kernel module being loaded for organizational uniqueness
  • 47. “Did module X that just got loaded on endpoint Y get loaded on less than N systems across the organization in the last D days?”
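The organizational-uniqueness question above as a server-side check over module-load events reported by endpoints. Added example, not Tripyarn code; it assumes each endpoint reports (timestamp, host, module name) to a central index, and N=3 / D=30 are placeholder thresholds.

```python
from collections import defaultdict
from datetime import datetime, timedelta


class ModuleLoadIndex:
    """Central store of kernel-module load events reported by endpoints.

    check() answers the slide's question: has this module been loaded on fewer
    than min_hosts *other* systems in the last window_days? If so it is
    organizationally rare and worth an alert, whatever its name is.
    """

    def __init__(self, min_hosts=3, window_days=30):
        self.min_hosts = min_hosts
        self.window_days = window_days
        self.loads = defaultdict(list)  # module name -> [(timestamp, host)]

    def record(self, ts, host, module):
        self.loads[module].append((ts, host))

    def hosts_in_window(self, module, now):
        cutoff = now - timedelta(days=self.window_days)
        return {h for t, h in self.loads[module] if cutoff <= t <= now}

    def check(self, ts, host, module):
        """Record the load and return an alert string if it is rare, else None."""
        others = self.hosts_in_window(module, ts)
        others.discard(host)  # the loading endpoint does not corroborate itself
        self.record(ts, host, module)
        if len(others) < self.min_hosts:
            return (f"RARE module {module!r} loaded on {host}: seen on {len(others)} "
                    f"other host(s) in the last {self.window_days} days")
        return None


def run_sample():
    """Constructed fleet history followed by three new load events."""
    idx = ModuleLoadIndex(min_hosts=3, window_days=30)
    now = datetime(2014, 1, 15, 9, 0)
    # Baseline: twenty web servers loaded nf_conntrack at boot during the past week.
    for i in range(20):
        idx.record(now - timedelta(days=7, hours=-i), f"web{i:02d}", "nf_conntrack")
    # A module one host loaded 90 days ago: stale, so it gives no corroboration today.
    idx.record(now - timedelta(days=90), "legacy01", "floppy")
    events = [
        (now, "web21", "nf_conntrack"),      # common across the org: no alert
        (now, "web21", "floppy"),            # only a stale sighting: alert
        (now, "dev-laptop", "unknown_mod"),  # never seen anywhere: alert
    ]
    return [a for a in (idx.check(*e) for e in events) if a]
```

Until the index holds history, every module looks rare, so feed it recorded loads for at least one window before turning alerts on.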
  • 48. Use attack post-exploitation techniques in a defensive context by separating your objectives from your tooling
  • 49. Specifically, collect data on the endpoints and analyze/alert from that data on the server-side
  • 50. When an attacker discovers and analyzes your endpoint security mechanisms they shouldn’t be able to automatically learn all alerts in place
  • 51. Organizational level persistence:
    – Legitimate remote access mechanisms or cloud systems with data desired by attacker
      • Ex: VPN and GMail
    – Use a mixed approach of manual and automated anomaly detection for these systems
      • Generating daily rollups of new accounts/keys created
      • Alerting off account creation/modification at unusual times, from unusual locations, etc
  • 53. Example: GMail
  • 54. Goal: Instrument GMail to detect compromise of domain admin accounts
    – GMail provides logs of interesting actions via Admin Audit API and Email Audit API
    – Pull down logs via these APIs, store them locally so you have a record of actions
    – Perform alerting on strong signals of compromise and persistence:
      • Signins from unusual locations/times
      • Creation of new admin level accounts
      • Creation of new mail-forwarding filters
      • Any change to 2FA settings
      • Etc
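The alerting pass over locally stored audit events, covering both the daily rollup from slide 51 and the strong signals listed on slide 54. Added example, not Etsy code: the event records, their kind names, the known-country set and the business-hours range are all constructed for illustration and do not claim to match the Audit APIs' real schema.

```python
from collections import Counter
from datetime import datetime

# Assumed baseline for admin sign-ins: countries and local hours considered normal.
KNOWN_COUNTRIES = {"US"}
BUSINESS_HOURS = range(7, 20)

# Event kinds treated as strong signals of compromise or persistence. The names
# are constructed for this example, not taken from the Audit APIs.
STRONG_SIGNALS = {
    "GRANT_ADMIN_PRIVILEGE": "new admin-level privilege granted",
    "CREATE_FORWARDING_FILTER": "new mail-forwarding filter created",
    "2SV_DISABLE": "2-step verification disabled",
    "2SV_SETTINGS_CHANGE": "2-step verification settings changed",
}


def evaluate(events):
    """Return (alerts, daily_new_accounts) for a batch of stored audit events."""
    alerts, new_accounts = [], Counter()
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        kind, actor = ev["event"], ev["actor"]
        if kind == "LOGIN_SUCCESS":
            reasons = []
            if ev.get("country") not in KNOWN_COUNTRIES:
                reasons.append(f"unusual location {ev.get('country')}")
            if ts.hour not in BUSINESS_HOURS:
                reasons.append(f"unusual hour {ts.hour:02d}:00")
            if reasons:
                alerts.append((ev["time"], actor, "sign-in: " + "; ".join(reasons)))
        elif kind == "CREATE_USER":
            # Account creation is frequent: it goes into the daily rollup, not a page.
            new_accounts[ts.date().isoformat()] += 1
        elif kind in STRONG_SIGNALS:
            alerts.append((ev["time"], actor,
                           f"{STRONG_SIGNALS[kind]} (target: {ev.get('target', '?')})"))
    return alerts, dict(new_accounts)


# Constructed sample: two days of admin/email audit events as stored locally.
SAMPLE_EVENTS = [
    {"time": "2014-03-03T10:15:00", "event": "LOGIN_SUCCESS", "actor": "admin@example.com", "country": "US"},
    {"time": "2014-03-03T11:00:00", "event": "CREATE_USER", "actor": "admin@example.com", "target": "newhire1@example.com"},
    {"time": "2014-03-03T11:05:00", "event": "CREATE_USER", "actor": "admin@example.com", "target": "newhire2@example.com"},
    {"time": "2014-03-04T03:20:00", "event": "LOGIN_SUCCESS", "actor": "admin@example.com", "country": "RO"},
    {"time": "2014-03-04T03:25:00", "event": "CREATE_USER", "actor": "admin@example.com", "target": "svc-backup@example.com"},
    {"time": "2014-03-04T03:26:00", "event": "GRANT_ADMIN_PRIVILEGE", "actor": "admin@example.com", "target": "svc-backup@example.com"},
    {"time": "2014-03-04T03:30:00", "event": "CREATE_FORWARDING_FILTER", "actor": "admin@example.com", "target": "finance@example.com"},
    {"time": "2014-03-04T03:40:00", "event": "2SV_DISABLE", "actor": "admin@example.com", "target": "admin@example.com"},
]


def run_sample():
    return evaluate(SAMPLE_EVENTS)
```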
  • 59. Focusing on two areas of lateral movement:
    1. Network/systems discovery
    2. Information discovery
  • 60. Use endpoint firewalls as a detection mechanism (NOT a blocking one)
  • 61. Build alerts around services unused on your network but likely interesting to attackers
  • 62. By alerting on (but not blocking!) traffic you don’t immediately signal there’s a detection mechanism in place
  • 63. Also endpoint firewalls counter timing-based evasions
  • 64. Any traffic to targeted service, no matter how slow, causes alerts
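Slides 60 to 64 as a log-only firewall rule plus the collector that alerts on every hit. Added example, not Etsy tooling; the watched ports are assumed to be unused on the network in question, the sample kernel log lines are constructed, and the iptables rule in the comment is one way to produce them (it has no DROP, so nothing is blocked).

```python
import re
from collections import defaultdict

# Services assumed unused on this network but attractive during lateral movement.
# The endpoint firewall only logs new connections to them, for example:
#   iptables -A INPUT -p tcp -m multiport --dports 23,445,1433,5900 \
#       -m conntrack --ctstate NEW -j LOG --log-prefix "UNUSED-SVC: "
WATCHED_PORTS = {23: "telnet", 445: "smb", 1433: "mssql", 5900: "vnc"}
LOG_PREFIX = "UNUSED-SVC: "
FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Extract the fields of an iptables LOG line carrying our prefix, else None."""
    if LOG_PREFIX not in line:
        return None
    fields = dict(FIELD_RE.findall(line.split(LOG_PREFIX, 1)[1]))
    if "DPT" not in fields or "SRC" not in fields:
        return None
    return {"src": fields["SRC"], "dst": fields.get("DST"),
            "proto": fields.get("PROTO"), "dpt": int(fields["DPT"])}


def detect(lines):
    """Alert on every connection attempt to a watched port; there is no rate threshold."""
    alerts = []
    per_source = defaultdict(set)
    for line in lines:
        ev = parse_log_line(line)
        if ev is None or ev["dpt"] not in WATCHED_PORTS:
            continue
        # One packet every few hours is as interesting as a burst: slow discovery
        # cannot hide under a rate threshold because there is none.
        alerts.append((ev["src"], ev["dst"], WATCHED_PORTS[ev["dpt"]]))
        per_source[ev["src"]].add(ev["dpt"])
    return alerts, {src: sorted(ports) for src, ports in per_source.items()}


# Constructed kernel log lines in the iptables LOG format, hours apart, with
# an unrelated sshd line mixed in as noise.
SAMPLE_LINES = [
    "Mar  3 02:11:09 ws-17 kernel: UNUSED-SVC: IN=eth0 OUT= SRC=10.1.4.50 DST=10.1.4.17 LEN=60 TTL=64 PROTO=TCP SPT=51234 DPT=23 SYN",
    "Mar  3 02:11:10 ws-17 sshd[412]: Accepted publickey for alice from 10.1.4.9 port 50022",
    "Mar  3 09:48:31 ws-17 kernel: UNUSED-SVC: IN=eth0 OUT= SRC=10.1.4.50 DST=10.1.4.17 LEN=60 TTL=64 PROTO=TCP SPT=51877 DPT=445 SYN",
]


def run_sample():
    return detect(SAMPLE_LINES)
```

The per-source summary is what an analyst pivots on: a single internal host touching several unused services over a day is the lateral-movement signal the slides describe, even though no single line would trip a scan detector.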
  • 66. What internal systems provide information that helps an attacker achieve their goals?
  • 67.
    - Wikis
    - Source control
    - Bug tracking
    - Etc
  • 68. Instrument these systems the way you would other high-value pieces of infrastructure
  • 69. Alert off behavioral anomalies such as:
    – Usage outside of normal hours
      • Your attackers are rarely in your time zone
    – Bursts of activity
      • Viewing all security tickets in the bug tracker isn’t even done by the security team
    – Etc
  • 71. Make compromise more expensive
    – We’ll discuss:
      • Reducing trusted CA roots
      • Removing cheap exploitation vectors
      • Forcing updates without the force
      • Limiting drive-by exposure
      • Practical goals for security awareness training
  • 72. How can you reduce the likelihood of a DigiNotar-like MITM happening against your organization?
  • 73. If you remove unused CAs, when one is compromised it can’t silently MITM your endpoints
  • 74. We performed several months of anonymized traffic analysis to record what CAs were seen during our employees’ Internet usage
  • 75. We found less than 29% of SSL Certificate Authorities trusted by our endpoints were actually used
  • 76. Our raw results:
    21.29%  EQUIFAX SECURE CERTIFICATE AUTHORITY
    10.37%  ENTRUST.NET SECURE SERVER CERTIFICATION AUTHORITY
    10.07%  DIGICERT HIGH ASSURANCE EV ROOT CA
    8.97%   GO DADDY CLASS 2 CERTIFICATION AUTHORITY
    7.91%   GEOTRUST GLOBAL CA
    7.23%   ADDTRUST EXTERNAL CA ROOT
    6.48%   HTTP://WWW.VALICERT.COM/
    6.04%   GTE CYBERTRUST GLOBAL ROOT
    4.45%   VERISIGN CLASS 3 PUBLIC PRIMARY CERTIFICATION AUTHORITY - G5
    4.08%   CLASS 3 PUBLIC PRIMARY CERTIFICATION AUTHORITY
    3.82%   BALTIMORE CYBERTRUST ROOT
    3.22%   CLASS 3 PUBLIC PRIMARY CERTIFICATION AUTHORITY - G2
    1.37%   THAWTE PRIMARY ROOT CA
    1.36%   THAWTE PREMIUM SERVER CA
    1.33%   ENTRUST.NET CERTIFICATION AUTHORITY (2048)
    0.65%   GLOBALSIGN ROOT CA
    [The CAs which had < 0.5% traffic have been edited out for brevity. More info here: http://codeascraft.com/2013/07/16/reducing-the-roots-of-some-evil/]
  • 77. By removing only unused CAs you don’t teach users to click through SSL errors. Continue traffic analysis, add/remove trusted CAs as appropriate
  • 79. [image] in the browser is: cheap, reliable, and efficient (pick three!) …for attackers
  • 81. What did we learn when we removed Java web plugins from the enterprise?
  • 82. • Hardly any groups actually needed it
    – Network Operations, for legacy networking equipment
      • For them, we built dedicated Java jump boxes
  • 83. Benefits:
    1. No Java on any laptops/desktops
    2. Boxes with Java can’t hit Internet
    3. Able to frequently re-image jump boxes
    4. Only a few boxes to patch
  • 85. But… Java shows back up when you apply Apple patches. Remove it on an ongoing basis
  • 87. Browser updates
  • 88. We wanted a less heavy-handed approach to ensuring up-to-date browsers
  • 89. Built browser detection logic into our internal SSO point
  • 90. UX is key: Show in screenshots how quick it is to update, provide a bypass mechanism
  • 92. Simply asking users to update works shockingly well
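The SSO-side check from slides 88 to 92: recognise the browser from its User-Agent, compare against a minimum version, and honour a time-limited "later" bypass so the prompt nudges rather than blocks. Added example, not Etsy's SSO code; the minimum versions, the 24-hour bypass and the User-Agent strings are assumed values for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed minimum major versions; a real deployment updates these on each vendor release.
MIN_VERSIONS = {"Chrome": 33, "Firefox": 28, "Safari": 7}
BYPASS_TTL = timedelta(hours=24)  # how long a user's "remind me later" lasts (assumed)

# Order matters: Chrome's User-Agent also contains "Safari", so test Chrome first.
UA_PATTERNS = [
    ("Firefox", re.compile(r"Firefox/(\d+)")),
    ("Chrome", re.compile(r"Chrome/(\d+)")),
    ("Safari", re.compile(r"Version/(\d+)[\d.]* .*Safari/")),
]


def detect_browser(user_agent):
    """Return (family, major_version), or (None, None) if the agent is not recognised."""
    for family, pattern in UA_PATTERNS:
        m = pattern.search(user_agent)
        if m:
            return family, int(m.group(1))
    return None, None


class SsoGate:
    """Decide at the SSO point whether to let the login through or show the update page."""

    def __init__(self):
        self.bypasses = {}  # user -> expiry of their "later" bypass

    def grant_bypass(self, user, now):
        self.bypasses[user] = now + BYPASS_TTL

    def decide(self, user, user_agent, now):
        family, major = detect_browser(user_agent)
        if family is None:
            return "allow"  # scripts and unknown agents are out of scope for the prompt
        if major >= MIN_VERSIONS[family]:
            return "allow"
        if self.bypasses.get(user, now) > now:
            return "allow"  # the user chose "later" recently; do not prompt again yet
        return "update_required"


def run_sample():
    """Constructed walk-through: outdated Chrome, bypass, bypass expiry, then updated Chrome."""
    gate = SsoGate()
    t0 = datetime(2014, 3, 3, 9, 0)
    old = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36")
    new = old.replace("Chrome/31.0.1650.63", "Chrome/33.0.1750.146")
    steps = [gate.decide("alice", old, t0)]                            # update_required
    gate.grant_bypass("alice", t0)
    steps.append(gate.decide("alice", old, t0 + timedelta(hours=1)))   # allow (bypass)
    steps.append(gate.decide("alice", old, t0 + timedelta(hours=25)))  # update_required
    steps.append(gate.decide("alice", new, t0 + timedelta(hours=26)))  # allow (updated)
    return steps
```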
  • 95. Funny story, users will install malware because an ad popup told them to. Often.
  • 96. You can almost entirely kill this source of compromise (for free!) by pushing adblocker plugins to the organization
  • 99. Historically we’ve focused on reducing the number of people who fall for phishing. This is the wrong goal
  • 100. If you go from being 36% on fire to 27% on fire you’re still on fire
  • 101. Instead, focus on incentivizing users to:
  • 102. The metric to track/increase is the likelihood of phishing emails being reported to security. Even if 36% still fall for phishing, as long as one in the group reports it IR can begin
  • 103. Running effective attack simulations
  • 104. Problems with “pentesting” are well understood in the offensive community but not as well in the defensive community
  • 105. Pentests typically result in a list of enumerated known vulnerabilities to be patched, not data on how a real attacker would operate against a given environment
  • 106. Attack simulations should be done to learn how attackers are likely to achieve goals against your organization. NOT to show compromise is possible (spoiler alert: it is.)
  • 107. Use this attack data to focus where/how to build detection mechanisms
  • 108. From an organizational side, attack simulations complement vulnerability enumeration/compliance/etc
  • 109. Vulnerability enumeration/compliance are checklists to make sure you’re covering the basics
  • 110. But checklists aren’t owning you, attackers are
  • 114. Four keys to effective attack simulations:
    – Goal oriented
      • “Obtain domain admin”, “read the CEO’s email”, “view credit card data”, …
    – Full organization in scope
      • Have attack team call a contact if they’re about to do something risky
    – Simulate realistic compromise patterns
      • Start the attack team on a standard laptop/desktop endpoint inside the organization to simulate phishing/clientside compromise
      • Start the attack team on a database or web server to simulate SQL injection/RCE
      • Attack team should be encouraged to use 0days throughout engagement
    – Break simulation down into iterations:
      • Don’t spend the full engagement time on only one round of testing; once one team achieves the goal(s), swap in a new attack team to achieve the same goal(s)
      – Ex: We try to run 3-4 iterations per several-week simulation
  • 115. The project output should be attack chains showing how attack team went from A->B->C to achieve goals, what steps they took and why
  • 116. Just as importantly, what steps they didn’t take. Ex: “We didn’t try to find internal network diagrams on your wiki because zone transfers were enabled so we could get enough data about your network from that”
  • 117. Remember, the goal is to simulate realistic attack behaviors and patterns that can be used to enhance detection
  • 118. In addition, simulate varying attack profiles from quick & noisy to quietly maintaining persistence
  • 119. Over multiple iterations learn what behaviors overlap between attackers and what strong signals of lateral movement in your environment look like
  • 120. TL;DR (The section formerly known as “Conclusions”)
  • 121. Defend like an attacker
  • 122. Where should defense focus?
    – Increase attacker cost by reducing cheap compromise vectors
    – Build detection mechanisms around real attack patterns
      • Analyze past compromises, new offensive research, and conduct realistic attack simulations to obtain data
        – Depending on scale, have true offensive capabilities on staff or a call away
    – Have product/tooling development capabilities within your security team
      • Roughly one quarter of our team is software engineers who focus on building internal security products
  • 123. Thanks! zane@signalsciences.com @zanelackey