The Other Side of the Fence. Dealing with Hackers and Malware
Post on 18-Oct-2014
DESCRIPTION
A small talk I gave at Barcamp Bangalore on dealing with malware and hackers from the perspective of an Information Security Manager.
TRANSCRIPT
The Other Side of the Fence. Dealing with Malware & Hackers
Prasanna V
http://vprasanna.com
We generally hear about hackers & malware, the damage they create, the money & data they steal.
How's it to be on The Other Side?
Episode 1: The Conficker Strikes
Somewhere during November 2008, an enterprise having thousands of systems spread across the world
Holiday season, most of the team were on leave
Complaints of network congestion; the Domain Controller was slow
We saw unprecedented network traffic, within LAN & Outbound to unusual IP addresses!
Rapid replication of suspicious system behavior across the globe
Antivirus on the systems was generally up-to-date with definitions
Our Network IDS was detecting traffic destined to random global IP addresses on destination port 445
Turns out that the infected machines were missing patches, most importantly MS08-067
Apparently, these systems were also missing the OS hardening that had been put in place
We had Failed!
Effective logging and monitoring are like torchlight
Layered defense mechanism and the role of Security Information & Event Management (SIEM)
Security information from hosts & network logs helped identify the infected machines
Patch the systems or disable network access
Pivot! Being good with spreadsheets helps the admins
Anti-Virus and Firewall are not the ultimate solutions to today’s sophisticated threats.
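The "pivot" the slides describe, done in code instead of a spreadsheet, as an added example that is not part of the talk: constructed firewall log lines are grouped by source host, and a host fanning out to many distinct external addresses on TCP/445 (the scanning behaviour the IDS saw) is flagged as a candidate for patching or isolation. The log format, the internal address ranges and the threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample firewall log (not from the talk): timestamp src dst dport action.
SAMPLE_LOG = """\
2008-11-21T02:14:01 10.20.1.15 10.20.1.3 445 ALLOW
2008-11-21T02:14:02 10.20.1.15 203.0.113.7 445 DENY
2008-11-21T02:14:02 10.20.1.15 198.51.100.44 445 DENY
2008-11-21T02:14:03 10.20.1.15 192.0.2.91 445 DENY
2008-11-21T02:14:03 10.20.1.15 203.0.113.120 445 DENY
2008-11-21T02:14:04 10.20.1.15 198.51.100.9 445 DENY
2008-11-21T02:14:05 10.20.1.15 192.0.2.200 445 DENY
2008-11-21T02:14:06 10.20.1.22 10.20.1.3 445 ALLOW
2008-11-21T02:14:07 10.20.1.22 10.20.1.3 88 ALLOW
2008-11-21T02:14:08 10.20.1.30 203.0.113.5 80 ALLOW
2008-11-21T02:14:09 10.20.1.30 203.0.113.5 443 ALLOW
"""

# Assumed: the enterprise's own address space; anything outside it counts as "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def parse_log(text):
    """Yield (ts, src, dst, dport, action) tuples from whitespace-separated log lines."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport, action = line.split()
            yield ts, src, dst, int(dport), action

def pivot_smb_fanout(text):
    """Pivot the log by source host: distinct external IPs each host tried on TCP/445.
    Worm-style scanning shows up as one host fanning out to many unrelated addresses."""
    fanout = defaultdict(set)
    for _ts, src, dst, dport, _action in parse_log(text):
        if dport == 445 and is_external(dst):
            fanout[src].add(dst)
    return fanout

def suspected_infected(text, threshold=5):
    """Hosts whose 445 fan-out meets the threshold: candidates for patching or network isolation."""
    return sorted(src for src, dsts in pivot_smb_fanout(text).items() if len(dsts) >= threshold)

if __name__ == "__main__":
    for host, dsts in sorted(pivot_smb_fanout(SAMPLE_LOG).items()):
        print(f"{host}: {len(dsts)} distinct external targets on 445")
    print("suspected infected:", suspected_infected(SAMPLE_LOG))
```

Normal SMB traffic to the domain controller (10.20.1.3) stays internal and is never counted, so the workstation doing ordinary file sharing is not flagged.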
Foolproof security?
There is Reasonable Security
…And it is achieved in layers
Episode 2: DHCP Server Goes Rogue
An admin’s worst nightmare
Catastrophe Strikes!
1. Logged into gateway / router. Internet is fine.
2. Logged into UTM, sessions have doubled.
3. No malware reported in the AV manager!
Wireshark is an Admin’s best friend!
“Documentation is your life savior”
Was able to identify the offending machine based on a list I had generated earlier
Turns out that a user had set up a server and did not know to disable its DHCP functionality!
People are the weakest link
Learnings:
• Internal users can cause as much trouble as hackers and malware
Information Security is about People, Process & Technology
Disclaimer
All opinions mentioned here are my personal and not necessarily of my employer, current or previous.
Thank You
Prasanna V
Cofounder @PacketVerify
http://vprasanna.com
@terminalfix