3. YOUR SPEAKER – JAMES MCKINLAY
• 2014 CISO-LEVEL SECURITY, RISK & COMPLIANCE CONSULTANCY ACROSS EUROPE
• 2013 PCI DSS COMPLIANCE AT WALMART FOR ASDA & GEORGE (LEVEL ONE MERCHANT)
• 2011 - 2013 PCI DSS COMPLIANCE MANCHESTER AIRPORTS GROUP (LEVEL THREE MERCHANT)
• 2006 - 2011 PCI DSS COMPLIANCE HOMELOAN MANAGEMENT LIMITED (LEVEL ONE SERVICE PROVIDER)
• 2006 ECOMMERCE SECURITY – THOMAS COOK SCHEDULED BUSINESS
4. EXEC SUMMARY
• DEFENDERS ARE INCREASINGLY BEING OVERRUN BOTH BY EVENTS GENERATED BY ORDINARY CYBERCRIME AND BY ADVANCED, TARGETED ATTACKS FROM SOPHISTICATED ADVERSARIES.
• INCREASED COMPLEXITY AND FREQUENCY OF ATTACKS, COMBINED WITH REDUCED EFFECTIVENESS OF PREVENTATIVE CONTROLS, INCREASES THE NEED FOR ENTERPRISE-SCALE SECURITY INCIDENT RESPONSE.
• THREAT INTELLIGENCE AND CONTINUOUS IMPROVEMENT OF INCIDENT RESPONSE PROCESSES ARE NEEDED BY ENTERPRISES TO REDUCE THE EFFORT REQUIRED IN CONTAINING LOSSES AND RISKS.
5. WHAT DO I MEAN BY . . . .
• DETERMINED ATTACKERS
• BETTER INTELLIGENCE
• BETTER PREPARED
6. WHAT DO I MEAN BY DETERMINED ATTACKER
• GET IN PAST YOUR PREVENTATIVE DEFENCES
• STEAL SOME VALID CREDENTIALS
• REMOVE TOOLS USED IN GETTING IN
• FIND SOME REMOTE ACCESS AND USE VALID CREDENTIALS
• EXPLORE THE ENVIRONMENT
• STEAL DATA – RINSE AND REPEAT
8. PREVENTATIVE CONTROLS ARE NOT ENOUGH
A “determined attacker” will not be put off by traditional IT security technology:
• Basic AV Avoidance
• Basic IDS Avoidance
• Modern Sandbox Avoidance
• WAF Identification
• Web Filter Avoidance
• Email Filter Avoidance
12. BASIC WAF IDENTIFICATION
• THE OWASP XSS TOOL “XENOTIX” GIVES AN EXAMPLE OF A GUI WAF IDENTIFIER
• HTTPS://WWW.OWASP.ORG/INDEX.PHP/OWASP_XENOTIX_XSS_EXPLOIT_FRAMEWORK
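What a GUI identifier such as Xenotix does under the hood comes down to two signals, shown here as an added example that is not code from the deck or from the Xenotix project: passive fingerprints (headers, cookies and block-page text the WAF leaves behind) and behaviour (a benign request is served while the same request carrying an obvious XSS payload is refused). The signature table is a small sample of publicly documented fingerprints and is an assumption to extend, not an authoritative list; the function names, the probe parameter and the sample responses are likewise assumptions. Written for Windows PowerShell 5.1, where Invoke-WebRequest throws on a non-2xx reply.

```powershell
# Added example; not from the deck and not Xenotix code. Two signals a WAF
# identifier relies on: (1) passive fingerprints in headers, cookies and
# block-page text; (2) behaviour, i.e. a benign request is served while the
# same request with an obvious XSS payload is refused. The signature table is
# a small sample of publicly documented fingerprints (an assumption to extend).
# Written for Windows PowerShell 5.1 (Invoke-WebRequest throws on non-2xx).

function New-ProbeResult {
    param([int]$StatusCode, $Headers, [string]$Body)
    # Normalise any header collection to a hashtable keyed by lower-case name.
    $h = @{}
    foreach ($k in $Headers.Keys) { $h[([string]$k).ToLower()] = [string]$Headers[$k] }
    [pscustomobject]@{ StatusCode = $StatusCode; Headers = $h; Body = $Body }
}

# Passive fingerprints. Each Test receives a probe result and returns $true on a match.
$WafSignatures = @(
    @{ Name = 'Cloudflare';        Test = { param($r) $r.Headers['server'] -match 'cloudflare' -or $r.Headers.ContainsKey('cf-ray') } }
    @{ Name = 'Imperva Incapsula'; Test = { param($r) $r.Headers['x-cdn'] -eq 'Incapsula' -or $r.Headers['set-cookie'] -match 'incap_ses|visid_incap' } }
    @{ Name = 'Akamai';            Test = { param($r) $r.Headers['server'] -match 'AkamaiGHost' } }
    @{ Name = 'F5 BIG-IP';         Test = { param($r) $r.Headers['set-cookie'] -match 'BIGipServer' } }
    @{ Name = 'Sucuri CloudProxy'; Test = { param($r) $r.Headers['server'] -match 'Sucuri' -or $r.Headers.ContainsKey('x-sucuri-id') } }
    @{ Name = 'ModSecurity';       Test = { param($r) $r.Body -match 'mod_security|ModSecurity' } }
)

function Get-WafFingerprint {
    param($Baseline, $Probe)
    $hits = @(foreach ($sig in $WafSignatures) { if (& $sig.Test $Probe) { $sig.Name } })
    # Behavioural fallback: payload refused while the benign request was served.
    if ($hits.Count -eq 0 -and $Baseline.StatusCode -eq 200 -and $Probe.StatusCode -in 403,406,419,429,503) {
        $hits = @('Unidentified filter (payload blocked, benign request served)')
    }
    if ($hits.Count -eq 0) { return 'No WAF behaviour observed' }
    return ($hits -join ', ')
}

# Live probe: one benign and one payload request to the same parameter.
# Only run this against systems you are authorised to test.
function Invoke-WafProbe {
    param([Parameter(Mandatory)][string]$Url, [string]$ParamName = 'q')
    $payload = [uri]::EscapeDataString('<script>alert(1)</script>')
    $results = foreach ($value in 'probe', $payload) {
        $target = "${Url}?${ParamName}=${value}"
        try {
            $resp = Invoke-WebRequest -Uri $target -UseBasicParsing -ErrorAction Stop
            New-ProbeResult -StatusCode ([int]$resp.StatusCode) -Headers $resp.Headers -Body $resp.Content
        } catch [System.Net.WebException] {
            $err = $_.Exception.Response          # HttpWebResponse for a 4xx/5xx reply
            if (-not $err) { throw }              # DNS/TCP failure: nothing to fingerprint
            $body = (New-Object IO.StreamReader($err.GetResponseStream())).ReadToEnd()
            New-ProbeResult -StatusCode ([int]$err.StatusCode) -Headers $err.Headers -Body $body
        }
    }
    Get-WafFingerprint -Baseline $results[0] -Probe $results[1]
}

# Constructed sample responses (not captured from any real site) so the logic
# can be exercised offline: a plain 200, a Cloudflare block page, and a 406
# from a filter that leaves no fingerprint of its own.
$baseline = New-ProbeResult -StatusCode 200 -Headers @{ Server = 'nginx' } -Body '<html>search results</html>'
$blocked  = New-ProbeResult -StatusCode 403 -Headers @{ Server = 'cloudflare'; 'CF-RAY' = '0123456789abcdef-LHR' } -Body 'Attention Required'
$silent   = New-ProbeResult -StatusCode 406 -Headers @{ Server = 'nginx' } -Body 'Not Acceptable'
Get-WafFingerprint -Baseline $baseline -Probe $blocked
Get-WafFingerprint -Baseline $baseline -Probe $silent
Get-WafFingerprint -Baseline $baseline -Probe $baseline
```

The behavioural check is the one that matters to a defender: an attacker who gets a clean fingerprint can look up bypass payloads for that product, and one who only sees "something blocks me" will simply tune payloads until the block stops, so the WAF's presence should never be the reason an application does not validate its own input.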
13. BASIC WEB PROXY AVOIDANCE
• HTTPS
• TOR BRIDGE RELAY
• HTTPS://WWW.TORPROJECT.ORG/
14. EMAIL FILTER AVOIDANCE TRICKS
• LARGE BENIGN ATTACHMENTS PUSH A MESSAGE OVER THE FILTER'S SCAN-SIZE LIMIT, SO IT IS PASSED WITHOUT SPAM OR MALWARE PROCESSING
• A WELL-FORMED, HARMLESS FIRST MESSAGE GETS THE SENDER ONTO A WHITELIST; THE PAYLOAD FOLLOWS LATER
• BACKGROUND READING
• “INSIDE THE SPAM CARTEL”, “BOTNETS: THE KILLER WEB APP”, “PHISHING EXPOSED”
19. WHAT IS THE MESSAGE
• DON'T GET COMPLACENT – IF THEY WANT TO GET IN BADLY ENOUGH, THEY WILL GET IN!
20. WHAT DO I MEAN BY . . . .
• DETERMINED ATTACKERS
• BETTER INTELLIGENCE
• BETTER PREPARED
21. WHAT DO I MEAN BY BETTER INTELLIGENCE
• TO KNOW WHAT YOU KNOW AND TO KNOW WHAT YOU DON'T KNOW IS THE SIGN OF ONE WHO KNOWS
• KNOW THE WEAKNESSES IN YOUR DEFENCES
• KNOW THE TECHNIQUES USED BY YOUR ENEMY
• KNOW WHO TO TURN TO FOR HELP
22. WHERE ARE MY WEAKNESSES
• INTERNAL AND EXTERNAL AUDIT REPORTS
• PENETRATION TEST RESULTS
• RISK WORKSHOPS
• INTERVIEW FRONT LINE STAFF
• WHISTLE-BLOWING HOTLINE
• IT'S WORTH ASSUMING THAT YOUR PERIMETER HAS ALREADY BEEN BREACHED, AND PLANNING A RESPONSE STRATEGY ON THAT BASIS
23. APT INTELLIGENCE REPORTS IN MARKETING
• VENDOR ISSUED APT REPORTS AND ADVANCED MALWARE REPORTS
• MANDIANT'S APT1 REPORT (FEBRUARY 2013) OPENED THE FLOODGATES
24. MALWARE RESEARCH COMMUNITY
• HTTP://AVCAESAR.MALWARE.LU/
• HTTP://WWW.MALSHARE.COM/ABOUT.PHP
• HTTPS://MALWR.COM/
• HTTP://SUPPORT.CLEAN-MX.DE/CLEAN-MX/VIRUSES?
• HTTP://VIRUSSHARE.COM/ABOUT.4N6
• HTTP://VIRUSTOTAL.COM
• HTTP://VXVAULT.SIRI-URZ.NET/VIRILIST.PHP
• HTTP://WWW.OFFENSIVECOMPUTING.NET
• (SMALL SAMPLE)
25. RSS ENABLED BLOGGING COMMUNITY
• RSS BANDIT HTTP://RSSBANDIT.ORG/
• HTTP://STOPMALVERTISING.COM/
26. IP REPUTATION COMMUNITIES
• EXAMPLE: ALIENVAULT OPEN THREAT EXCHANGE HTTPS://WWW.ALIENVAULT.COM/OPEN-THREAT-EXCHANGE
28. CISP ENVIRONMENT
• GOVERNMENT CYBER SECURITY STRATEGY INVOLVES REACHING OUT TO INDUSTRY BEYOND CNI (CRITICAL NATIONAL INFRASTRUCTURE)
• GCHQ, CESG AND CPNI COLLABORATED ON CISP HTTPS://WWW.CISP.ORG.UK/
33. WHAT DO I MEAN BY . . . .
• DETERMINED ATTACKERS
• BETTER INTELLIGENCE
• BETTER PREPARED
34. WHAT DO I MEAN BY BETTER PREPARED
• USER AWARENESS
• CYBER STRATEGY AT BOARD LEVEL
• IT ASSURANCE FRAMEWORK
• SECURITY OPERATIONS MATURITY
  • SOC
  • CIRT
  • THREAT INTELLIGENCE
  • PROACTIVE APT HUNTERS
37. CYBER STRATEGY AT BOARD LEVEL
• GOVERNMENT COMMITMENT TO SUPPORT INDUSTRY
• .GOV.UK AND SEARCH “CYBER”
38. CYBER STRATEGY ( ALSO WORTH A READ)
• BELGIAN CHAMBER OF COMMERCE - BCSG
• HTTP://WWW.ICCBELGIUM.BE/INDEX.PHP/QUOMODO/BECYBERSECURE
39. ITCF -V- ISMS
• CONTROL FRAMEWORK
• HTTP://WWW.ISACA.ORG/COBIT/PAGES/DEFAULT.ASPX
• (COBIT v5 diagram: Processes for Governance; Processes for Management; Deliver, Service and Support: Manage IT Operations, Manage IT Assets, Manage IT Configurations, Manage IT Incidents, Manage Business Continuity, Manage Information Security, Manage Business Process)
46. SECOPS MATURITY (APT HUNTERS)
• WHAT IS REDLINE (MANDIANT'S FREE HOST INVESTIGATION TOOL)
• COLLECTS WINDOWS ACTIVITY FROM
  • FILE
  • REGISTRY
  • DNS LOOKUPS
  • PROCESSES IN MEMORY
  • NETWORK CONNECTIONS
• FIRST RESPONDER INVESTIGATIONS
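The five artefact classes on the slide are exactly what a first responder needs from a suspect host before anyone reboots it. The script below is an added example, not Redline and not code from the deck, that collects the same classes with built-in Windows PowerShell so a responder without the tool to hand can still capture comparable evidence and diff it against a clean host. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection and Get-DnsClientCache), an elevated Windows PowerShell 5.1 prompt, and an output location and drop-path list that are assumptions to adjust.

```powershell
# Added example; not Redline and not from the deck. A minimal first-responder
# collector for the five artefact classes the slide lists (files, registry,
# DNS lookups, processes in memory, network connections), written to CSV so
# the host can be diffed against a clean host or an earlier run. Assumes
# Windows 8 / Server 2012+ and an elevated Windows PowerShell 5.1 prompt;
# $OutDir and the drop-path list are assumptions to adjust.

function Invoke-HostTriage {
    [CmdletBinding()]
    param(
        [string]$OutDir = (Join-Path $env:TEMP ('triage-{0}-{1}' -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd-HHmmss'))),
        [int]$RecentHours = 72
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $since = (Get-Date).AddHours(-$RecentHours)

    # Processes in memory: parent PID, image path, command line and image hash.
    # Get-CimInstance (rather than Get-Process) exposes parent and command line.
    Get-CimInstance Win32_Process | ForEach-Object {
        $hash = $null
        if ($_.ExecutablePath -and (Test-Path -LiteralPath $_.ExecutablePath)) {
            $hash = (Get-FileHash -LiteralPath $_.ExecutablePath -Algorithm SHA256).Hash
        }
        [pscustomobject]@{
            PID = $_.ProcessId; PPID = $_.ParentProcessId; Name = $_.Name; Created = $_.CreationDate
            Path = $_.ExecutablePath; CommandLine = $_.CommandLine; SHA256 = $hash
        }
    } | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'processes.csv')

    # Network connections joined to the owning process name.
    Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, CreationTime, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
        Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'netconns.csv')

    # DNS lookups: the resolver cache shows which names this host resolved recently.
    Get-DnsClientCache | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'dnscache.csv')

    # Registry: the common autostart keys used for persistence once a foothold exists.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $runKeys | Where-Object { Test-Path $_ } | ForEach-Object {
        $key = $_
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -notlike 'PS*') {           # skip PSPath, PSProvider and friends
                [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value }
            }
        }
    } | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'registry-autoruns.csv')

    # Files: recently written executables and scripts in user-writable drop locations.
    $dropPaths = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:PUBLIC, "$env:windir\Temp")
    Get-ChildItem -Path $dropPaths -Recurse -File -Include *.exe, *.dll, *.ps1, *.bat, *.cmd, *.vbs, *.js, *.scr -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        Select-Object FullName, Length, CreationTime, LastWriteTime,
            @{ n = 'SHA256'; e = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash } } |
        Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'recent-files.csv')

    # Hash the evidence set itself (manifest kept beside, not inside, the folder)
    # so its integrity can be demonstrated later.
    Get-ChildItem -Path $OutDir -File | Get-FileHash -Algorithm SHA256 |
        Export-Csv -NoTypeInformation -Path "$OutDir.manifest.csv"
    return $OutDir
}

# Compare process image hashes between a known-good run and a suspect run:
# anything executing only on the suspect host is the first thing to look at.
function Compare-TriageProcesses {
    param([string]$KnownGoodDir, [string]$SuspectDir)
    $good    = Import-Csv (Join-Path $KnownGoodDir 'processes.csv') | Where-Object SHA256 | Select-Object -ExpandProperty SHA256 -Unique
    $suspect = Import-Csv (Join-Path $SuspectDir 'processes.csv') | Where-Object SHA256
    $suspect | Where-Object { $_.SHA256 -notin $good } | Select-Object PID, Name, Path, SHA256, CommandLine
}

$run = Invoke-HostTriage -RecentHours 48
Write-Output "Triage written to $run"
```

Collect to removable media or a share the suspect host cannot modify afterwards, run the same script on a known-clean build of the same image, and feed Compare-TriageProcesses the two folders; the hash-only comparison deliberately ignores process names, since a determined attacker who removes his tools and uses valid credentials will still tend to run something that does not exist on the gold build.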
50. TACKLING ADVANCED THREATS
• THERE IS NO SINGLE TECHNOLOGY TO “RULE THEM ALL”
• 1) RECOGNISE “PREVENTATIVE” ISN'T ENOUGH
• 2) GET SENIOR LEVEL SPONSORSHIP
• 3) GET THE RIGHT PEOPLE
• 4) GET THE RIGHT TOOLING
51. VENDORS TACKLING ADVANCED THREATS
• THERE IS NO SINGLE TECHNOLOGY TO RULE THEM ALL
• ARBOR – Prevail
• DAMBALLA – Failsafe
• FIDELIS – XPS
• LANCOPE – StealthWatch
• SOURCEFIRE – FireAMP
• RSA – Netwitness
• SOLERA – DeepSee
• SOLERA – Bluecoat ATP
• AHNLABS – MDS
• CHECKPOINT – Threat Emulation
• FIREEYE – ATP
• LASTLINE – Previct
• MCAFEE – ValidEdge
• TREND – Deep Discovery
• PALOALTO – Wildfire
• BLUERIDGE – AppGuard
• BROMIUM – vSentry
• HBGARY – DigitalDNA
• INVINCEA – Enterprise Threat Analyser
• RSA – ECAT
• TRIUMFANT – MDAR
• Mandiant
• Carbon Black
• Guidance Software
• CounterTack
• CrowdStrike
• Tanium
• Intelligent ID
• Nexthink
• Webroot
• LogRhythm
• TrustCloud
• Cyvera
52. CREDITS
• JEFF YEUTER @ MANDIANT FOR THE REDLINE EXAMPLE
• JIM ALDRIDGE @ MANDIANT FOR THE BLACKHAT2012 APT PRESENTATION
• ANTON CHUVAKIN @ GARTNER FOR THE PAPER “SECURITY INCIDENT RESPONSE IN THE AGE OF APT”
53. TIME IS PRECIOUS – THANK YOU FOR YOURS
• FIND ME ON LINKEDIN
• UK.LINKEDIN.COM/PUB/JAMES-MCKINLAY/16/A42/206/