detecting threats - how to think like an attacker

Post on 29-Jun-2015


DESCRIPTION

A brief overview of hackers' motivations and methods.

TRANSCRIPT

DETECTING THREATS: HOW TO THINK LIKE A CYBER ATTACKER

Albert Hui, GREM, GCFA, GCFE, GCIA, GCIH, GXPN, GPEN, GAWN, GSNA, CISA, CISM, CRISC
Principal Consultant

Cyber Risk Workshop, October 28th 2014 @ Hong Kong

WHO AM I?

• Spoken at Black Hat, High Tech Crime Investigation Association (Asia Pacific Conference), and Economist Corporate Network.

• Risk Consultant for Banks, Government and Critical Infrastructures.

• SANS GIAC Advisory Board Member.

• Former HKUST lecturer.

Albert Hui, GREM, GCFA, GCFE, GCIA, GCIH, GXPN, GPEN, GAWN, GSNA, CISA, CISM, CRISC
Principal Consultant

albert@securityronin.com

AGENDA

Cyber Attackers’
• Motivations (Why do they hack you?)
• Methods (How do they break in?)
• Damage Potentials (What can they do to you?)

Countermeasures
• How to detect cyber attacks?

Copyright © 2014 Albert Hui

CYBER ATTACKERS’ MOTIVATIONS

PRIMARY MOTIVATIONS

Secular
• ego
• money
• revenge (e.g. former employees)
• curiosity
• industrial espionage

Sacred
• ideology (e.g. hacktivists)
• war and terrorism (e.g. state-sponsored hackers)


OPPORTUNISTIC ATTACK TREND: HACKER SUPPLY CHAIN

Anon Payment → Hacker Tools / Bulletproof Hosting → Monetization

Implications
• Sophisticated attacks now available to non-experts

• Lower breakeven point for attacks

• More “worthwhile” targets


TARGETED ATTACK TREND: CYBER WARFARE AND APT

Implications
• Larger attack budgets

• 0-day attacks

• Threat level corresponds to strategic value


CYBER ATTACKERS’ METHODS

CYBER KILL CHAIN

Recon → Weaponize → Deliver → Exploit → Install → C2 → Action

ATTACK ROUTES

• Outside-In (e.g. SQLi, XSS, CSRF)
• Inside-Out (e.g. web malware, trojaned PDF)
• Indirect

[Diagram: Home and Office networks; FW, IPS, etc.; AV, HIPS, etc.]

CYBER ATTACKERS’ DAMAGE POTENTIALS

COMMON EXPLOITATIONS

Steal Stuff
• Intellectual property theft

• Steal money

• Monetize the loot for credit card fraud, spam, DDoS etc.

Wreak Havoc
• Break systems (e.g. via DDoS)

• Cause system malfunction

• Delete business data and hold it to ransom

Consequential Damages
• Legal and regulatory consequences

• Reputational damage

• Loss of license


DETECTING CYBER ATTACKS

PHILOSOPHY

Defender’s Dilemma
• Must secure all possible vulnerabilities

Intruder’s Dilemma
• Must evade all detections

[Figure: Reason’s Swiss Cheese Model, picture from NICPLD]

ESSENTIALS FOR DETECTING CYBER ATTACKS

• Layered defense-in-depth
• Redundant security (e.g. two different brands of FWs)
• Security event correlation (e.g. SIEM)
• Trustworthy logging
• Up-to-date threat intelligence
• Security awareness and reporting channel
• Incident response capability (e.g. CSIRT)

[Diagram: people, process, technology]
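The "security event correlation" essential above, combined with the Cyber Kill Chain from the Methods section, is the kind of logic a SIEM rule encodes: a single port scan or a single macro attachment is noise, but several distinct kill-chain stages on the same host within a short window is an intrusion in progress. The following Python is an added illustration, not code from the talk or from any SIEM product; the event type names, the mapping of those names onto kill-chain stages, the 24-hour window and the three-stage threshold are all constructed assumptions for the example, as are the sample log lines.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical mapping from log event types to Cyber Kill Chain stages.
# The event type names are constructed for this example; a real deployment
# maps its own sources (IDS, mail gateway, EDR, DNS, proxy) onto the stages.
STAGE_OF_EVENT = {
    "ids_port_scan": "Recon",
    "mail_macro_attachment": "Deliver",
    "edr_office_spawns_shell": "Exploit",
    "edr_new_persistence": "Install",
    "dns_periodic_beacon": "C2",
    "proxy_large_upload": "Action",
}
KILL_CHAIN = ["Recon", "Weaponize", "Deliver", "Exploit", "Install", "C2", "Action"]

# Constructed sample logs: "<ISO timestamp> <host> <event type>".
# ws-017 walks most of the chain; ws-042 only gets scanned; ws-099 has two
# stages a week apart plus an event type the rule does not know about.
SAMPLE_LOGS = [
    "2014-10-27T08:02:11 ws-017 ids_port_scan",
    "2014-10-27T09:15:40 ws-017 mail_macro_attachment",
    "2014-10-27T09:16:05 ws-017 edr_office_spawns_shell",
    "2014-10-27T09:16:30 ws-017 edr_new_persistence",
    "2014-10-27T10:00:00 ws-017 dns_periodic_beacon",
    "2014-10-27T11:30:00 ws-017 dns_periodic_beacon",
    "2014-10-27T13:45:00 ws-017 proxy_large_upload",
    "2014-10-27T08:05:00 ws-042 ids_port_scan",
    "2014-10-20T12:00:00 ws-099 mail_macro_attachment",
    "2014-10-27T12:00:00 ws-099 dns_periodic_beacon",
    "2014-10-27T12:01:00 ws-099 unknown_event",
]


def parse_line(line):
    """Parse one log line into (timestamp, host, kill-chain stage).

    Returns None for malformed lines and for event types that are not
    mapped to a stage, so unknown events never contribute to an alert."""
    parts = line.split(maxsplit=2)
    if len(parts) != 3:
        return None
    ts, host, event = parts
    stage = STAGE_OF_EVENT.get(event)
    if stage is None:
        return None
    return datetime.fromisoformat(ts), host, stage


def correlate(lines, min_stages=3, window=timedelta(hours=24)):
    """Return one alert per host showing at least `min_stages` distinct
    kill-chain stages inside any `window`-long span.

    Each alert is (host, [stages observed, in kill-chain order]). Repeats of
    the same stage (e.g. several C2 beacons) count once: what matters is
    progression along the chain, not event volume."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, host, stage = parsed
            events[host].append((ts, stage))

    alerts = []
    for host, evs in events.items():
        evs.sort()  # chronological, so each start opens a forward window
        for i, (start, _) in enumerate(evs):
            stages = {s for t, s in evs[i:] if t - start <= window}
            if len(stages) >= min_stages:
                alerts.append((host, [s for s in KILL_CHAIN if s in stages]))
                break  # one alert per host is enough to trigger response
    return alerts


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_LOGS):
        print(f"ALERT {host}: {' -> '.join(stages)}")
```

Run stand-alone it reports only ws-017, with the six stages it traversed; the lone scan against ws-042 and the two far-apart events on ws-099 stay below the threshold. The point for a detection team is the one the slides make: the intruder must evade every one of these stage detectors, so correlating across them turns several weak, noisy signals into one strong one.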

THANK YOU

albert@securityronin.com
