building security controls around attack models

32
@StephanChenette @AttackIQ Building Security Controls Around Attack Models

Post on 13-Apr-2017

TRANSCRIPT

Page 1: Building Security Controls around Attack Models

@StephanChenette @AttackIQ

Building Security Controls Around Attack Models

Page 2

#RuggedDevOps

If you see something cool…

Get today’s Rugged DevOps presentations in your inbox

[email protected]

Page 3

#WhoAmI?

• @StephanChenette, CEO and Founder @AttackIQ

AttackIQ created the first continuous security testing platform to challenge existing host, network and cloud infrastructure security controls to help organizations safely validate and measure their defense in depth strategy.

• Started my career in 1999 in Security – total of 16+ years – Grad School at UCSD

• Director of Research at IOActive, Head of Websense Security Labs, SAIC, eEye Digital Security

• Sit on the advisory board for CyberTECH, the CISO Round Table of Southern California and Build it Securely; I head up the local OWASP Chapter and the AppSec California Conference

• Invited speaker at Blackhat, RSA, CanSec West, AusCERT, RECON, SOURCE, ToorCON, ISSA, etc.

• Main Interest - Offensive and Defensive Techniques

Page 4

Agenda

Building Security Controls Around Attack Models

Continuous Deployment

Continuous Validation

Page 5

DevOps

Has established a culture and environment where building, testing, and releasing software can happen rapidly, frequently, and more reliably.

Continuous Deployment

Infrastructure as Code

Page 6

Rugged DevOps

Goal of Security: reduce business risk

Cyber security is a business issue, not an IT issue.

Page 7

Risk

Risk = impact * likelihood

Page 8

Protecting Assets

Measures must be taken to ensure the integrity, security, accuracy, and privacy of all systems and data.

Wrap Security Controls around Valued Assets

• Compliance

• Business Continuity

Page 9

Trust, but verify

Multiple Security Controls in place – how do you validate them all?

Page 10

Rugged DevOps Responsibility: Continuous Validation

Continuous Validation

Continuous Deployment

Page 11

Why Validate Security Controls?

To Minimize Risk.

Risk = impact * likelihood

If you drive impact down, the risk is minimized

Benefits – minimized risk, more effective, efficient, consolidated security program

Page 12

How do you minimize your threat impact?

• Identify the attackers

• Identify the attack techniques

• Build adversarial playbook

• Replay attacker playbook

• Analyze security control results

• Improve or add new security controls

Page 13

This can start with simple validation

• Identify security control assumptions

• Build security control unit test

• Exercise unit test

• Analyze security control results

• Improve or add new security controls

Page 14

Security testing is not point in time

DevOps is Code as Infrastructure

Rugged DevOps is Code as Security

Unit Testing Your Security Controls

Regression Testing your Security Infrastructure

Page 15

Key Focus Points in Modelling

• Prioritizing the Highest Risk Threats, Adversarial Objectives and Methods

• Prioritize Security Controls (purpose, function, assumption)

• Create a process that can be:

– Automated, replicated and consistent

Page 16

Attack Stages

• External Reconnaissance

• Initial Breach

• Gaining Persistence

• Escalate Privileges

• Lateral Movement

• Access to Data Stores

• Command and Control

• Exfiltration

Page 17

Goal

• Duplicate real attack techniques and tactics in an automated fashion

• Automatically test each expectation as that asset or security control is deployed

Page 18

Example: Target Breach

Stage | Tactic | Pass/Fail/Detect | Technology Controls
Initial Breach | Install malware (Citadel) on vendor machine. | | 
Initial Breach | Use stolen credentials to connect to Target's network. | | 
Initial Breach | Exploit webapp vulnerability by uploading PHP web shell (xmlrpc.php). | | 
Initial Breach | Query Active Directory, using LDAP protocol, for relevant target services (MSSQLSvc/BillingServer). | | 
Privilege Escalation | Use "Pass-the-hash" to obtain NT hash token. | | 
Persistence | Create new domain admin account with stolen token. | | 
Access to other Data Stores | Utilize new credentials to scan, using "Angry IP Scanner," for accessible computers. | | 
Access to other Data Stores | Use a port forwarding tool to tunnel through several servers, bypassing security measures. | | 
Access to other Data Stores | Use RDP and Microsoft PSExec utility to execute processes. | | 
Access to other Data Stores | Use Microsoft Orchestrator to remain persistent and execute arbitrary code. | | 
Access to other Data Stores | Remotely install malware (Kaptoxa) onto POS machines, scrape POS memory, and save data to a local file. | | 
Exfiltration | Create remote fileshare on remote FTP-enabled machine and copy data file to the machine. | | 
Exfiltration | Use script to send file to attacker via FTP. | | 

Page 19

Example: Target Breach

• Initial Breach

Stage | Tactic | Pass/Fail/Detect | Technology Controls
Initial Breach | Install malware (Citadel) on vendor machine. | | 
Initial Breach | Use stolen credentials to connect to Target's network. | | 
Initial Breach | Exploit webapp vulnerability by uploading PHP web shell (xmlrpc.php). | | 
Initial Breach | Query Active Directory, using LDAP protocol, for relevant target services (MSSQLSvc/BillingServer). | | 

Page 20

Example: Target Breach

• Privilege Escalation

Stage | Tactic | Pass/Fail/Detect | Technology Controls
Privilege Escalation | Use "Pass-the-hash" to obtain NT hash token. | | 
Access to other Data Stores | Utilize new credentials to scan, using "Angry IP Scanner," for accessible computers. | | 
Access to other Data Stores | Use a port forwarding tool to tunnel through several servers, bypassing security measures. | | 
Access to other Data Stores | Use RDP and Microsoft PSExec utility to execute processes. | | 
Access to other Data Stores | Use Microsoft Orchestrator to remain persistent and execute arbitrary code. | | 
Access to other Data Stores | Remotely install malware (Kaptoxa) onto POS machines, scrape POS memory, and save data to a local file. | | 

Page 21

Example: Target Breach

Stage | Tactic | Pass/Fail/Detect | Technology Controls
Exfiltration | Create remote fileshare on remote FTP-enabled machine and copy data file to the machine. | | 
Exfiltration | Use script to send file to attacker via FTP. | | 

Page 22

Measure

• Detection – Time

• Prevention – Yes/No

Page 23

Example: Target Breach

Stage | Tactic | Pass/Fail/Detect | Technology Controls
Initial Breach | Install malware (Citadel) on vendor machine. | PD | Generic AV (Symantec)
Initial Breach | Use stolen credentials to connect to Target's network. | F | Behavior Analytics
Initial Breach | Exploit webapp vulnerability by uploading PHP web shell (xmlrpc.php). | PD | Web App Firewall
Initial Breach | Query Active Directory, using LDAP protocol, for relevant target services (MSSQLSvc/BillingServer). | F | N/A
Privilege Escalation | Use "Pass-the-hash" to obtain NT hash token. | PD | AV detected mimikatz
Persistence | Create new domain admin account with stolen token. | F | N/A
Access to other Data Stores | Utilize new credentials to scan, using "Angry IP Scanner," for accessible computers. | F | N/A
Access to other Data Stores | Use a port forwarding tool to tunnel through several servers, bypassing security measures. | F | Palo Alto
Access to other Data Stores | Use RDP and Microsoft PSExec utility to execute processes. | D | Crowdstrike Falcon
Access to other Data Stores | Use Microsoft Orchestrator to remain persistent and execute arbitrary code. | P | Cylance Prevent
Access to other Data Stores | Remotely install malware (Kaptoxa) onto POS machines, scrape POS memory, and save data to a local file. | F | Symantec
Exfiltration | Create remote fileshare on remote FTP-enabled machine and copy data file to the machine. | F | Behavior Analytics
Exfiltration | Use script to send file to attacker via FTP. | F | Firewall/IPS

Page 24

Modeling Exercise

• Installation of Web Shell on network

• Lateral Movement (Pass-the-Hash Technique) w/ mimikatz

• Use of known port scanner

• Use of PA/PSExec with dumped credential hashes

• Use of Built-in-tools at potentially anomalous times

• Download of known malware

• Access to FTP to potentially unknown remote machine

Page 25

Defense-in-Depth Metrics

Identified Tactic

• % Failed

– % Detected

– % Prevented

• Identify, prioritize need for control technology
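The Measure, Pass/Fail/Detect and Defense-in-Depth Metrics slides above describe scoring a replayed playbook; this added example (not code from the deck or from AttackIQ's platform) computes those metrics over results mirroring the Target-breach table, reading P as pass/prevented, D as detected and F as control failed. The detection times, the TacticResult structure and the function names are assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class TacticResult:
    stage: str
    tactic: str
    code: str       # P = pass (control prevented it), D = detected, PD = both, F = control failed
    control: str    # technology control in play; "N/A" when none was deployed
    detect_s: "float | None" = None  # constructed time-to-detect in seconds; None if undetected
    prevented = property(lambda self: "P" in self.code)
    detected = property(lambda self: "D" in self.code)

# Constructed replay results mirroring the deck's Target-breach table; the detection times are illustrative.
PLAYBOOK = [
    TacticResult("Initial Breach", "Install Citadel on vendor machine", "PD", "Generic AV (Symantec)", 30),
    TacticResult("Initial Breach", "Stolen credentials into network", "F", "Behavior Analytics"),
    TacticResult("Initial Breach", "Upload PHP web shell (xmlrpc.php)", "PD", "Web App Firewall", 5),
    TacticResult("Initial Breach", "LDAP query of AD for services", "F", "N/A"),
    TacticResult("Privilege Escalation", "Pass-the-hash for NT hash token", "PD", "AV detected mimikatz", 120),
    TacticResult("Persistence", "Create new domain admin account", "F", "N/A"),
    TacticResult("Access to other Data Stores", "Angry IP Scanner sweep", "F", "N/A"),
    TacticResult("Access to other Data Stores", "Port-forward tunnel through servers", "F", "Palo Alto"),
    TacticResult("Access to other Data Stores", "RDP and PsExec process execution", "D", "Crowdstrike Falcon", 900),
    TacticResult("Access to other Data Stores", "Orchestrator persistence, arbitrary code", "P", "Cylance Prevent"),
    TacticResult("Access to other Data Stores", "Kaptoxa on POS, memory scrape", "F", "Symantec"),
    TacticResult("Exfiltration", "Remote FTP fileshare, copy data file", "F", "Behavior Analytics"),
    TacticResult("Exfiltration", "Script sends file to attacker via FTP", "F", "Firewall/IPS"),
]

def stage_metrics(results):
    """Per-stage % failed / % detected / % prevented, as on the Defense-in-Depth Metrics slide."""
    by_stage = defaultdict(list)
    for r in results:
        by_stage[r.stage].append(r)
    pct = lambda n, d: round(100 * n / d, 1)
    return {s: {"failed": pct(sum(not r.prevented and not r.detected for r in rs), len(rs)),
                "detected": pct(sum(r.detected for r in rs), len(rs)),
                "prevented": pct(sum(r.prevented for r in rs), len(rs))}
            for s, rs in by_stage.items()}

def coverage_gaps(results):
    """Failed tactics, those with no control at all first: the 'identify, prioritize need for control technology' list."""
    failed = [r for r in results if not r.prevented and not r.detected]
    return sorted(failed, key=lambda r: (r.control != "N/A", r.stage))

def mean_time_to_detect(results):
    """The 'Detection - Time' measure, averaged over tactics that were detected."""
    times = [r.detect_s for r in results if r.detected and r.detect_s is not None]
    return sum(times) / len(times) if times else None
```

Re-running this after each deployment and diffing the per-stage percentages gives the historical baseline the Adversarial Modeling slide refers to.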

Page 26

Trust, but Verify

• Validate your security controls

• Regression Testing

• Unit Testing

Page 27

Focus

• Run routine attack modeling automatically as your apps/security controls are deployed via chef/Jenkins, etc.

• Identify gaps or blind spots

• Design your controls around the attacker tactics

Page 28

Adversarial Modeling

• Does not take much time/energy

• Creates data-driven reasoning around purchasing decisions

• Build repository of related attacks

• Shows historical improvements around baseline

• Consolidates security technologies

Page 29

Where to Start

• IT/Ops/SOC/Dev/Management Involvement

• Build threat intelligence/attack repository

• Move to attack models

• Communicate output clearly to show improvements

Page 30

Conclusion

What can be measured can be improved

Implementing security controls around relevant attack models will save you time, money and resources, and focuses on minimizing the true risks to your organization

Security as Code

Continuous Validation

Page 31

• Thank you.

• Stephan Chenette, CEO and Founder, [email protected]

• @stephanchenette @attackiq

Page 32

Get today’s Rugged DevOps presentations in your inbox

[email protected]