building security controls around attack models
TRANSCRIPT
@StephanChenette @AttackIQ
Building Security Controls Around Attack Models
#RuggedDevOps
If you see something cool…
Get today’s Rugged DevOps presentations in your inbox
#WhoAmI?
• @StephanChenette, CEO and Founder @AttackIQ
AttackIQ created the first continuous security testing platform to challenge existing host, network and cloud infrastructure security controls to help organizations safely validate and measure their defense in depth strategy.
• Started my career in 1999 in Security – total of 16+ years – Grad School at UCSD
• Director of research IOActive , Head of Websense Security Labs, SAIC, eEye Digital Security
• Sit on the advisory board for CyberTECH, CISO Round Table of Southern California and Build it Securely and I head up the local OWASP Chapter, AppSec California Conference
• Invited speaker at Blackhat, RSA, CanSec West, AusCERT, RECON, SOURCE, ToorCON, ISSA, etc.
• Main Interest - Offensive and Defensive Techniques
AgendaBuilding Security Controls Around Attack Models
Continuous Deployment
Continuous Validation
DevOps
Has established a culture and environment where building, testing, and releasing software,
can happen rapidly, frequently, and more reliably.
Continuous Deployment
Infrastructure as Code
Rugged DevOps
Goal of Security: reduce business risk
Cyber security is a business
issue, not an IT issue.
Risk
Risk = impact * likelihood
Protecting Assets
Measures must be taken to ensure the integrity, security, accuracy, and privacy of all systems and data.
Wrap Security Controls around Valued Assets
• Compliance
• Business Continuity
Trust, but verify
Multiple Security Controls in place – how do you validate them all?
Continuous ValidationRugged DevOps Responsibility
Continuous Validation
Continuous Deployment
Why Validate Security Controls?
To Minimize Risk.
Risk = impact * likelihood
If you drive impact down, the risk is minimized
Benefits – minimized risk, more effective, efficient, consolidated security program
How do you minimize your threat impact?
Identify The Attackers
Identify the Attack
Techniques
Build Adversarial Playbook
Replay Attacker Playbook
Analyze Security
Controls Results
Improve or Add New Security
Controls
This can start with simple validationIdentify security
control assumptions
Build Security Control Unit
Test
Exercise Unit Test
Analyze Security
Controls Results
Improve or Add New Security
Controls
Security testing is not point in time
DevOps is Code as Infrastructure
Rugged DevOps is Code as Security
Unit Testing Your Security Controls
Regression Testing your Security Infrastructure
Key Focus Points in Modelling
• Prioritizing the Highest Risk Threats, Adversarial Objectives and Methods
• Prioritize Security Controls (purpose, function, assumption)
• Create a process that can be:
– Automated, replicated and consistent
Attack Stages
• External Reconnaissance
• Initial Breach
• Gaining Persistence
• Escalate Privileges
• Lateral Movement
• Access to Data Stores
• Command and Control
• Exfiltration
Goal
• Duplicate real attack techniques and tactics in an automated fashion
• Automatically test each expectation as that asset or security control is deployed
Stage Tactic Pass/Fail/Detect Technology Controls
Initial Breach Install malware (Citadel) on vendor machine.
Use stolen credentials to connect to Target's network.
Exploit webapp vulnerability by uploading PHP web shell (xmlrpc.php).
Query Active Directory, using LDAP protocol, for relevant target services (MSSSQLvc/BillingServer).
Privilege Escalation Use "Pass-the-hash" to obtain NT hash token.
Persistence Create new domain admin account with stolen token.
Access to other Data Stores Utilize new credentials to scan, using "Angry IP Scanner," for accessible computers.
Use a port forwarding tool to tunnel through several servers, bypassing security measures.
Use RDP and Microsoft PSExec utility to execute processes.
Use Microsoft Orchestrator to remain persistent and execute arbitrary code.
Remotely install malware (Kaptoxa) onto POS machines, scrape POS memory, and save data to a local file.
Exfiltration Create remote fileshare on remote FTP-enabled machine and copy data file to the machine.
Use script to send file to attacker via FTP.
Example: Target Breach
Example: Target Breach
• Initial Breach
Stage Tactic Pass/Fail/Detect Technology Controls
Initial Breach Install malware (Citadel) on vendor machine.
Use stolen credentials to connect to Target's network.
Exploit webapp vulnerability by uploading PHP web shell (xmlrpc.php).
Query Active Directory, using LDAP protocol, for relevant target services (MSSSQLvc/BillingServer).
Example: Target Breach
Stage Tactic Pass/Fail/Detect Technology Controls
Privilege Escalation
Use "Pass-the-hash" to obtain NT hash
token.
Access to other Data Stores
Utilize new credentials to scan, using "Angry
IP Scanner," for accessible computers.
Use a port forwarding tool to tunnel through
several servers, bypassing security measures.
Use RDP and Microsoft PSExec utility to
execute processes.
Use Microsoft Orchestrator to remain
persistent and execute arbitrary code.
Remotely install malware (Kaptoxa) onto
POS machines, scrape POS memory, and
save data to a local file.
• Privilege Escalation
Example: Target Breach
Stage Tactic Pass/Fail/Detect Technology Controls
Exfiltration Create remote fileshare on remote FTP-enabled machine and copy data file to the machine.
Use script to send file to attacker via FTP.
Measure
• Detection – Time
• Prevention – Yes/No
Stage Tactic Pass/Fail/Detect Technology Controls
Initial Breach Install malware (Citadel) on vendor machine. PD Generic AV (Symantec)
Use stolen credentials to connect to Target's network. F Behavior Analytics
Exploit webapp vulnerability by uploading PHP web shell (xmlrpc.php). PD Web App Firewall
Query Active Directory, using LDAP protocol, for relevant target services (MSSSQLvc/BillingServer).
F N/A
Privilege Escalation Use "Pass-the-hash" to obtain NT hash token. PD AV Detected mimikatz
Persistence Create new domain admin account with stolen token. F N/A
Access to other Data Stores Utilize new credentials to scan, using "Angry IP Scanner," for accessible computers. F N/A
Use a port forwarding tool to tunnel through several servers, bypassing security measures. F Palo Alto
Use RDP and Microsoft PSExec utility to execute processes. D Crowdstrike Falcon
Use Microsoft Orchestrator to remain persistent and execute arbitrary code. P Cylance Prevent
Remotely install malware (Kaptoxa) onto POS machines, scrape POS memory, and save data to a local file.
F Symantec
Exfiltration Create remote fileshare on remote FTP-enabled machine and copy data file to the machine.
F Behavior Analytics
Use script to send file to attacker via FTP. F Firewall/IPS
Example: Target Breach
Modeling Exercise
• Installation of Web Shell on network
• Lateral Movement (Pass-the-Hash Technique) w/ mimikatz
• Use of known port scanner
• Use of PA/PSExec with dumped credential hashes
• Use of Built-in-tools at potentially anomalous times
• Download of known malware
• Access to FTP to potentially unknown remote machine
Defense-in-Depth Metrics
Identified Tactic
• % Failed
–% Detected
–% Prevented
• Identify, prioritize need for control technology
Trust, but Verify
• Validate your security controls
• Regression Testing
• Unit Testing
Focus
• Run routine attack modeling automatically as your apps/security controls are deployed via chef/Jenkins, etc.
• Identify gaps or blind spots
• Design your controls around the attacker tactics
Adversarial Modeling
• Does not take much time/energy
• Creates Data-driven reasoning around buying/purchasing decisions
• Build repository of related attacks
• Shows historical improvements around baseline
• Consolidates security technologies
Where to Start
• IT/Ops/SOC/Dev/Management Involvement
• Build threat intelligence/attack repository
• Move to attack models
• Communicate output clearly to show improvements
Conclusion
What can be measured can be improved
Implementing security controls around relevant attack models will save you time, money and
resources and focuses on minimizing the true risks to your organization
Security as Code
Continuous Validation
• Thank you.• Stephan Chenette, CEO and Founder,
[email protected]• @stephanchenette @attackiq
Get today’s Rugged DevOps presentations in your inbox