
Cost of Attack

  1. Cost of Attack: Prioritize security investments by the cost and impact on attacker operations. Mark Simos | @MarkSimos
  2. Security is complex and challenging
     Infrastructure, Application, Data, People. Attackers have a lot of options, forcing security into a holistic, complex approach:
     • Regulatory sprawl: 200+ daily updates from 750 regulatory bodies
     • Threats: continuously changing threat landscape
     • Security tools: dozens or hundreds of tools at customers
     Must secure across everything:
     • Brand new: IoT, DevOps, and cloud services, devices and products
     • Current/aging: 5-25 year old enterprise IT servers, products, etc.
     • Legacy/ancient: 30+ year old Operational Technology (OT) systems
     Nothing gets retired! Usually for fear of breaking something (and getting blamed). Hybrid of everything, everywhere, all at once. The 'data swamp' accumulates managed data + unmanaged 'dark' data.
  3. 10 Laws of Cybersecurity Risk
     1. Security success is ruining the attacker ROI (return on investment)
     2. Not keeping up is falling behind
     3. Productivity always wins
     4. Attackers don't care
     5. Ruthless prioritization is a survival skill
     6. Cybersecurity is a team sport
     7. Your network isn't as trustworthy as you think it is
     8. Isolated networks aren't automatically secure
     9. Encryption alone isn't a data protection solution
     10. Technology doesn't solve people & process problems
  4. Cost of Attack
     What it is: Analysis of the relative cost / friction to attack your assets and the overall attacker return on investment (ROI)
     Prevalence: Relatively new concept that builds on the existing security ROI concept
     Primary use cases:
     • Helps remove biases in defender thinking by requiring consideration of the attacker perspective (and triggering defenders to see attackers as adaptable and pragmatic humans)
     • Increases accuracy of security defense prioritization by allowing defenders to better predict changes in attacker behavior (in response to planned/potential defense changes)
     Known limitations:
     • Prioritization also needs to consider other factors including implementation cost, value of assets, ability to effectively implement and operate defenses, etc.
     • Estimation is typically restricted to ordinal numbers (can't be used accurately to add/multiply/etc.)
  5. Defenders must focus on
     A. Strong security controls + effective placement
     B. Rapid response to attacks
     C. Continuously testing & monitoring controls
  6. Phishing email to admin (attacker's view)
     "Looks like they have NGFW, IDS/IPS, and DLP."
     "I bet their admins 1. check email from admin workstations, 2. click on links for higher paying jobs." Low
     "Found passwords.xls. Now, let's see if admins save service account passwords in a spreadsheet..." High
  7. Replace the password.xls 'process' with:
     • PIM/PAM
     • Workload identities
     Sensitive Data Protection & Monitoring
     • Discover business critical assets with business, technology, and security teams
     • Increase security protections and monitoring processes
     • Encrypt data with Azure Information Protection
     Modernize Security Operations
     • Add XDR for identity, endpoint (EDR), cloud apps, and other paths
     • Train SecOps analysts on endpoints and identity authentication flows
     Protect Privileged Accounts
     • Require separate accounts for admins and enforce MFA/passwordless
     • Privileged Access Workstations (PAWs) + enforce with Conditional Access
     Rigorous Security Hygiene
     • Rapid patching
     • Secure configuration
     • Secure operational practices
  8. Example: Account Security (diagram excerpt; attack techniques shown)
     • Password spray / brute force
     • Password theft
     • Insider coercion/extortion
     • Insider coercion/extortion with sophisticated execution
     • Impersonate via device/workstation compromise
     For more details, see Example: Account Security
  9. Your budget spend should result in increased attacker cost/friction. Measurability limitations.
  10. Disrupting Attacker Return on Investment (ROI)
     • Attackers invest in attacks to get a return (money, prestige, promotions, etc.)
     • Disrupt attackers from getting to their goals with
       A. Strong security controls + rapid response
       B. Effective placement of controls
       C. Continuously testing & monitoring controls
     • Prioritize security investments (time, money, attention) using attacker cost and your cost
       Attacker cost / disruption: increase attack friction/cost and reduce likelihood of success (past some attackers' breaking points)
       Defender cost: practical, effective, and cost-effective (cheap) defenses
     These slides are excerpts from Microsoft Security Architecture Design Session (ADS) Module 1, available through Microsoft Unified.

Editor's Notes

  1. Key Takeaway: These 10 Laws of Cybersecurity Risk provide a good guideline for security architecture and design.
     Security success is ruining the attacker ROI: Security can't achieve an absolutely secure state, so deter attackers by disrupting and degrading their ability to realize Return on Investment (ROI). Increase the attacker's cost and decrease the attacker's return for your most important assets.
     Not keeping up is falling behind: Security is a continuous journey, and if you aren't staying current, it will continually get cheaper and cheaper for attackers to successfully take control of your assets. You must continually update your security patches, security strategies, threat awareness, inventory, security tooling, security hygiene, security monitoring, permission models, and anything else that changes over time.
     Productivity always wins: If security isn't easy for users, they will work around it to get their job done. Always make sure solutions are secure and usable.
     Attackers don't care: Attackers are willing to use any available method to get into your environment and increase control over it, including compromising a networked printer, a fish tank thermometer, a cloud service, a PC, a server, a Mac, a mobile device, use of a malicious insider, use of a configuration mistake, or just asking for passwords in a phishing email. Your job is to understand and take away the easiest and cheapest options as well as the most useful ones (e.g. anything that leads to administrative privileges across many systems).
     Ruthless prioritization is a survival skill: Nobody has enough time and resources to eliminate all risks to all resources. Always start with what is most important to the organization and most interesting to attackers, and continuously update this prioritization.
     CLICK 1
     Cybersecurity is a team sport: Nobody can do it all, so always focus on the things that only you (or your organization) can do to protect the organization's mission. For things that others can do better or cheaper, have them do it (security vendors, cloud providers, community).
     Your network isn't as trustworthy as you think it is: A security strategy that relies on passwords and trusting any intranet device is only marginally better than no security strategy at all. Attackers easily evade these defenses, so the trust level of each device, user, and application must be proven and validated continuously, starting from a level of zero trust.
     Isolated networks aren't automatically secure: While air-gapped networks can offer strong security when maintained correctly, successful examples are extremely rare because each node must be completely isolated from outside risk. If security is critical enough to place resources on an isolated network, you should invest in mitigations that address potential connectivity via methods such as USB media (e.g. required for patches), bridges to the intranet network, and external devices (e.g. vendor laptops on a production line), and insider threats that could circumvent all technical controls.
     Encryption alone isn't a data protection solution: Encryption protects against out-of-band attacks (on network packets, files, storage, etc.), but data is only as secure as the decryption key (key strength + protections from theft/copying) and other authorized means of access.
     Technology doesn't solve people and process problems: While machine learning, artificial intelligence, and other technologies offer amazing leaps forward in security (if applied correctly), cybersecurity is a human challenge and will never be solved by technology alone.
     Additional Information: For reference, these are the Immutable Laws of Security v2.1 (Technical Focus):
     Law #1: If a bad actor can persuade you to run their program on your computer, it's not solely your computer anymore.
     Law #2: If a bad actor can alter the operating system on your computer, it's not your computer anymore.
     Law #3: If a bad actor has unrestricted physical access to your computer, it's not your computer anymore.
     Law #4: If you allow a bad actor to run active content in your website, it's not your website any more.
     Law #5: Weak passwords trump strong security.
     Law #6: A computer is only as secure as the administrator is trustworthy.
     Law #7: Encrypted data is only as secure as its decryption key.
     Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.
     Law #9: Absolute anonymity isn't practically achievable, online or offline.
     Law #10: Technology is not a panacea.
  2. UNFINISHED SLIDE NOTES
     Security does require strong controls, but it also requires you to carefully place those controls on all paths that attackers can use. You must also be ready to rapidly respond to attacks so that you can very quickly contain any success they have. And you must constantly test and validate your controls to ensure that they will work when attackers attack.
     Security is all about disrupting attackers' return on investment (ROI):
     • increase attacker cost/friction
     • lower the return on investment for an attack (access/change less data, less sensitive data, or gain access to less valuable systems)
     Most of the time via cost of attack?
  3. Let's take a look at this through the eyes of an attacker and use real examples.
     Attackers will quickly figure out that an organization has next-generation firewalls (NGFW), intrusion detection/prevention systems (IDS/IPS), Xxxxxxxxx. Going directly after these resources is generally a high cost of attack for them (unless your organization isn't applying security updates and configuration best practices to your edge devices).
     A common tactic that attackers use to get around this is to target IT administrators with phishing attacks. Who wouldn't be tempted to click on the link that promised higher pay for a similar job role at another company? Most IT admins at most organizations use their administrative desktop for day-to-day email and web browsing, meaning that a successful attack or compromise through that phishing link would actually lead to control of the administrative desktop and all the credentials on it (including the administrative credentials that have privileges throughout the environment).
     Now let's say that they don't get admin accounts right away. The attacker would go ahead and explore the local system and search for things like "passwords.XLS", which is a common way that IT admins store service account and other credentials. Once the attackers have access to this, it is fairly easy for them to silently access all of the business systems and data that they want, for stealing it, altering it, or encrypting it for the purposes of a ransomware extortion payment. Most organizations do not have (rigorous) monitoring of these accounts and how they are used, making them blind to anomalous usage like this.
  4. UNFINISHED SLIDE NOTES
     So what kinds of technical controls can help an organization mitigate these risks?
     First, apply security controls to the business critical assets that matter most to the organization so that they have elevated preventive controls and monitoring/response processes to quickly block, detect, and recover from attacks on them.
     Next, focus on privileged accounts that have access to all assets across the organization and on all of the means to gain control of them (such as compromising the admin's desktop, the storage of service account passwords, etc.).
     Apply security hygiene like patching, configuration validation, and establishing safe standard processes for administrative practices.
     Update security operations tools, skills, and processes so that they are monitoring anomalies at the identity, application, data, and other layers in addition to monitoring for network layer anomalies.
     Think of all controls as "parts of a whole" defense. Flip the "get 99% right and do one thing wrong" onto the attacker. Highlight that the ADS is built to show how to do this with identity/access, SOC, infra, etc.
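The note above calls for monitoring anomalies at the identity layer, because the scenario in note 3 only works "silently" when nobody watches how service accounts are used. The following is an added example, not code from the deck or from Microsoft: it runs two cheap identity-layer checks over constructed JSON-lines authentication events. The "svc-" naming convention, the per-account host baseline, the field names and the log lines are all assumptions constructed for the example.

```python
"""Flag anomalous service-account use in authentication events.

Added example (not from the slide deck). Service accounts normally
authenticate non-interactively from a fixed set of servers, so two
identity-layer checks catch the misuse the deck describes:
  1. an interactive logon by a service account, and
  2. a service account authenticating from a host outside its baseline.
Account naming ("svc-" prefix), the baseline map, the event field names
and the sample log lines are constructed for this example.
"""
import json

# Constructed baseline: hosts each service account is expected to authenticate from.
SERVICE_ACCOUNT_BASELINE = {
    "svc-backup": {"bkp-srv-01", "bkp-srv-02"},
    "svc-sqlagent": {"sql-srv-01"},
}


def is_service_account(user):
    """Assumed convention: service accounts carry an 'svc-' prefix."""
    return user.lower().startswith("svc-")


def analyze_event(event, baseline=SERVICE_ACCOUNT_BASELINE):
    """Return finding strings for one parsed auth event (empty list if benign)."""
    user = event["user"]
    if not is_service_account(user):
        return []
    findings = []
    # Check 1: service accounts should never log on interactively.
    if event["logon_kind"] == "interactive":
        findings.append(
            f"{user}: interactive logon on {event['host']} "
            "(service accounts should never log on interactively)"
        )
    # Check 2: authentication from a host outside the account's baseline.
    allowed = baseline.get(user)
    if allowed is not None and event["host"] not in allowed:
        findings.append(
            f"{user}: authentication from {event['host']} outside baseline {sorted(allowed)}"
        )
    return findings


def analyze_log(lines, baseline=SERVICE_ACCOUNT_BASELINE):
    """Parse JSON-lines events and collect findings across all of them."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        findings.extend(analyze_event(json.loads(line), baseline))
    return findings


# Constructed sample events; the last two model the deck's scenario
# (service account credentials used from an admin workstation and a file share).
SAMPLE_LOG = """
{"ts": "2024-01-10T02:00:01Z", "user": "svc-backup", "host": "bkp-srv-01", "logon_kind": "network", "outcome": "success"}
{"ts": "2024-01-10T08:15:12Z", "user": "jdoe", "host": "ws-0042", "logon_kind": "interactive", "outcome": "success"}
{"ts": "2024-01-10T09:02:44Z", "user": "svc-sqlagent", "host": "sql-srv-01", "logon_kind": "network", "outcome": "success"}
{"ts": "2024-01-10T13:41:09Z", "user": "svc-sqlagent", "host": "admin-ws-07", "logon_kind": "interactive", "outcome": "success"}
{"ts": "2024-01-10T13:42:30Z", "user": "svc-backup", "host": "fin-share-01", "logon_kind": "network", "outcome": "success"}
"""

if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG.splitlines()):
        print("ALERT", finding)
```

The two human logons and the two in-baseline service-account logons produce nothing; the admin-workstation event trips both checks and the file-share event trips the baseline check, so three alerts come out. The baseline is the expensive part in practice, but it is exactly the inventory work the "Not keeping up" law asks for anyway.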
  5. Key Takeaway: Defenders should be focusing on ruining the attacker's model by raising the cost of attack. The example here describes how to increase the cost of attacking a user's or admin's account.
     Increasing the cost of attack is designed to shift the landscape of security and the return on investment for attackers. This changes the "defender's dilemma" (one mistake in your defenses and the adversary will be successful anyway, sending defenders 'back to the drawing board') into an "attacker's dilemma" (one mistake in your attack campaign will undo the hard work put into the attack: planning, researching, finding/purchasing vulnerabilities, etc., and send the attackers 'back to the drawing board').
     CLICK 1
     You should block the cheapest attack paths first. These are attack techniques that have been used against you, your industry peers, and others in the industry. Blocking these will rapidly raise the cost to attack your environment.
     CLICK 2
     You need good detection and response processes/capabilities to limit the time and freedom attackers have to conduct attacks in your environment and to explore while they are there. These capabilities will also quickly raise the cost to attack your environment.
     CLICK 3
     Other investments should default to a lower priority than known attacks and detection/response. Once you have solid detection/response in place and key defenses against known attacks, your investments can start shifting toward potential and future attacks, but this is not a luxury most organizations can afford in their security budget or as an acceptable risk.
     Consider your full return on investment: When evaluating security investments, you should also consider the level of effort required. Consider whether the security activity will consume a high amount of team time and resources (e.g. manual certificate management) that would be better spent on more effective defenses (e.g. applying patches, hunting for threats, implementing a different solution for device identity, etc.).
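Slide 4 warns that cost-of-attack estimates are ordinal and cannot be added or multiplied, and the note above gives the ordering to use instead: known attack paths first, then detection/response, then everything else, with defender effort as a secondary consideration. The following is an added example, not code from the deck or from Microsoft, that implements that ordering as a pure ranking over Low/Medium/High labels. The candidate list, its tier assignments and its Low/Medium/High values are constructed for the example and are not the deck's assessment.

```python
"""Ordinal prioritization of security investments by cost of attack.

Added example (not from the slide deck). Implements the ordering the
notes describe: tier 0 = block cheapest attack paths already used against
you, tier 1 = detection/response, tier 2 = potential/future attacks.
Within a tier, prefer the investment that adds the most attacker friction,
then the one with the least defender effort. All scores are ordinal
(Low/Medium/High): they are compared and ranked, never added or multiplied.
"""
from dataclasses import dataclass
from enum import IntEnum


class Ordinal(IntEnum):
    """Ordinal scale; the integer values exist only so Python can order them."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Tiers from the slide notes, lowest number = highest priority.
TIER_ORDER = {"known_attack_path": 0, "detection_response": 1, "potential_future": 2}


@dataclass(frozen=True)
class Investment:
    name: str
    tier: str
    attacker_friction_added: Ordinal  # how much harder this makes the attack
    defender_effort: Ordinal          # time/money/attention to implement and operate


def priority_key(inv):
    """Lexicographic sort key: tier, then most friction, then least effort, then name.

    Using a tuple keeps the comparison ordinal; no component is combined
    arithmetically with another, which slide 4 says would be invalid.
    """
    return (
        TIER_ORDER[inv.tier],
        -int(inv.attacker_friction_added),
        int(inv.defender_effort),
        inv.name,
    )


def prioritize(investments):
    """Return investment names in the order they should be funded."""
    return [inv.name for inv in sorted(investments, key=priority_key)]


# Constructed candidates loosely mirroring slide 7's controls; the tier and
# Low/Medium/High values are illustrative assumptions, not the deck's ratings.
CANDIDATES = [
    Investment("Separate admin accounts + MFA/passwordless", "known_attack_path", Ordinal.HIGH, Ordinal.MEDIUM),
    Investment("Privileged Access Workstations (PAWs)", "known_attack_path", Ordinal.HIGH, Ordinal.HIGH),
    Investment("Replace passwords.xls with PIM/PAM", "known_attack_path", Ordinal.HIGH, Ordinal.MEDIUM),
    Investment("Rapid patching of edge devices", "known_attack_path", Ordinal.MEDIUM, Ordinal.LOW),
    Investment("XDR for identity and endpoint", "detection_response", Ordinal.HIGH, Ordinal.MEDIUM),
    Investment("Manual certificate management overhaul", "potential_future", Ordinal.LOW, Ordinal.HIGH),
]

if __name__ == "__main__":
    for rank, name in enumerate(prioritize(CANDIDATES), start=1):
        print(f"{rank}. {name}")
```

With these constructed inputs the two cheapest High-friction items in tier 0 come out first, PAWs third because of their higher effort, patching fourth because it adds less friction even though it is cheap, then XDR, and the certificate overhaul last. Changing any single label moves an item without ever producing a spurious "score" that looks more precise than the inputs allow.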
  6. Key Takeaway: Focusing on raising the cost of attack for attackers makes your organization more resilient to cybersecurity risk.
     Various types of attackers have different thresholds of cost of attack that they can withstand in the pursuit of their objectives (mission and money driven alike).
     CLICK 1
     A defender's budget should raise the cost of attack for all types of attackers (who may be specifically targeting the organization or opportunistically targeting many organizations).
     CLICK 2
     Microsoft is focusing on simplifying the application and integration of advanced security techniques so that many organizations can benefit from these capabilities and help increase attacker cost.
     Additional Information: Organized crime (especially ransomware/extortion gangs) can have a budget in excess of many nation state actors, but they are focused on profit opportunities, so they are often less determined to compromise a specific organization than a nation state actor.
  7. Key Takeaway: Cost of attack is a useful and powerful tool for guiding decisions despite some serious limitations on precisely measuring it.
     While the term "cost" in cost of attack frequently makes people expect a clear "ratio" measurement like any other business cost in a budget spreadsheet, the precise number is actually very difficult to obtain and calculate. This is because attackers rarely publish these numbers (except occasionally in secretive dark markets / online forums). Additionally, the cost of attack for any given organization can vary considerably from that of another one and wouldn't normally be posted in these markets.
     Despite this limitation, cost of attack can be very useful for organizations as they consider and select security initiatives and capabilities to invest in. Some examples:
     • Many organizations purchase security products for advanced features and capabilities (which often require further investment in training and operational staff). These organizations rarely ask whether these capabilities will add more friction/cost for the top attack profiles vs. other alternatives such as investment in security hygiene (like applying security patches), a lower cost initiative that uses existing security data/tools.
     • Consolidate technical solutions to lower the burden on analysts and increase their ability to detect and respond to threats.
     • A business may find it more effective (and cost effective) to implement business processes for employees handling money transfers (e.g. a phone call with someone who recognizes the CFO's voice) vs. investing in expensive technical controls.