COMMUNICATING EXTERNAL THREAT & RESPONSE Metaphor & Use Case

Upload: christopher-hudel

Posted on 21-Jan-2017



AGENDA

• Who am I?
• Why do we need YACKC?
• Viewing External Cyber Threat as a common Metaphor
• Use Case: Communicating a Cyber Attack through the Metaphor
• Use Case: Viewing the Critical Security Controls
• Discussion, Q&A

WHO AM I?

• I’m delighted to be here in my capacity as an independent information security professional
• All works created on my own time with my personal resources
• Any opinions stated – while borrowing heavily from other, smarter people – are mine (and are open for debate & change)

“A METAPHOR IS A KIND O' LIE TO HELP PEOPLE UNDERSTAND WHAT'S TRUE.”

― Terry Pratchett

WHY DO WE NEED YACKC? (YET ANOTHER CYBER KILL CHAIN)

• Current “Cyber Kill Chain” models are hard (for everyone) to understand
  • Defense Industry Oriented (Kill Chain, Weaponization)
  • Information-Security Jargon (Mission Objectives, Lateral Movement)
• Current Models can glorify “Advanced Persistent Threats”, “Cyber Hackers”
  • Executives are already “afraid of us”
  • Asymmetry of information can lead to distrust
• Fundamentally all external cyber attacks are about the theft or destruction of value.
  • This is an easy concept to understand and relate to
  • A metaphor here can create a good mental map and common form of understanding from which to move forward as a team

PEEPING IN | BREAK AND … ENTER | ROOM TO ROOM | THEFT / VANDALISM

ACTIVITY

• Look ‘n Listen
• Gain Intelligence
  • How the company works
  • Who are the important people?
• Compromise a person, network, system, or application
  • Phishing
  • Watering Hole
  • Missing Patches
  • Misconfiguration
• Run hacking software from within the company
  • “Leave the door open”
  • “Make themselves a key”
• Search for value
  • Go back and Peep-Break-Enter again as necessary
• Steal Value
• Destroy Value

USE CASE #1: BIG BAD HACK
Communicating External Attack & Response

• What did the attackers do?
• How did they do it?
• What vulnerabilities were exploited in the attack?
• What is our response?
• How do we know our response addresses the likelihood of the same attack working again?

• Source Material
  • South Carolina Public Breach Report
  • The Hacking Team Confession
  • (Some personal experience)

WHAT DID THE ATTACKERS DO?

ACTIVITY

• Obtain some valid email addresses
  • Google, LinkedIn, File “MetaData”
• Send Phishing email, capturing username & password
• 0-Day Firmware Vulnerability
• Install backdoor software
• Steal passwords
• Create and maintain “reverse shell”
• Steal domain admin account
• Access 44 systems
• Search for systems, locating backups, email, file shares
• Zip database file and transfer to the Internet
• Transfer 400GB in stolen data, information, and malware code to the Internet

HOW DID THEY DO IT?

METHOD / TOOLS

• 0-Day Malware
• gsec.exe
• telnet.exe
• systeminfo.exe
• 7zip.exe
• RDP
• Custom Backdoor
• at.exe
• Reverse Shells
• email-harvester
• recon-ng
• shodan
• Google
• whois
• LinkedIn
• phishing email
• SCD0R.COM*
• Responder.py
• Mimikatz (PTH)
• metagoofil
• proxychains

* Some examples, such as an imagined SCD0R.COM, are for illustrative purposes only and do not reflect the specific hacking method / domain used.

WHAT VULNERABILITIES WERE EXPLOITED?

EXPLOITS

• Personal Gullibility
• Local Admin Rights
• Poor Security Hygiene
• Vulnerable Application
• Common admin passwords on multiple systems
• Un- or Poorly-monitored Systems
• Unchecked Internet Access
• Poor password / pwd management
• “Flat” Networks
• Unencrypted data
• Pride
• Unprotected Backups
• Lack of IDS / IPS Systems
• No MultiFactor Auth

WHAT IS OUR RESPONSE?

PROTECTED BY

• Password Rules
• Enhanced logging
• Zero cached creds
• Application white-listing
• Random Local Passwords
• Remove local admin rights
• E-mail malware detection
• Multifactor authentication
• Internet Whitelisting
• Endpoint Controls
• Patching
• Intrusion Detection / Prevention Systems
• W2K
• Data Encryption
• Education & Awareness
• dnsadmins@
• Honey Net / Pot

ALL TOGETHER NOW
Communicating External Attack & Response

• What did the attackers do?
• How did they do it?
• What vulnerabilities were exploited in the attack?
• What is our response?
• How do we know our response addresses the likelihood of the same attack working again?

USE CASE #2: PRIORITIZED CRITICAL SECURITY CONTROLS


CRITICAL SECURITY CONTROL MAPPING (TOP 10)

#1 Inventory of Authorized and Unauthorized Devices

#2 Inventory of Authorized and Unauthorized Software

#3 Secure Configurations for Hardware and Software

#4 Continuous Vulnerability Assessment and Remediation

#5 Controlled Use of Administrative Privileges

#6 Maintenance, Monitoring, and Analysis of Audit Logs

#7 Email and Web Browser Protections

#8 Malware Defenses

#9 Limitation and Control of Network Ports, Protocols, and Services

#10 Data Recovery Capability

Q & A

• Topics:
  • What mistakes did I make?
  • What would I do differently?

GRAPHICS

The graphic work on this page is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/