Think Like A Hacker
Page 1
(Title slide)

Page 2
Rich Campagna, VP Products, Bitglass (@richcampagna)
Nat Kausik, CEO, Bitglass (@bnkausik)
Page 3
Breach Stats
*California AG Breach Report 2014
Page 4
The Reality - Breaches Happen
205: average number of days before detection
69%: victims notified by external sources
*Source: Mandiant/FireEye
“Two kinds of companies, those that were hacked and those that don’t yet know it”
- John Chambers, CEO, Cisco
Page 5
Types of Breaches
Nuisance Breach - Opportunistic hack on vulnerable end-points
Untargeted Breach - Opportunistic hack on vulnerable enterprises
Targeted Breach - Custom hack on specific enterprise
Page 6
Nuisance Breach
Effectiveness of Defense: Good
Tools: Anti-X
Target: Vulnerable end-point
Weapon: Malware
Gain: Ad inserts, host control, ...
Page 7
Untargeted Breach
Effectiveness of Defense: Limited
Tools: Anti-X, NGFW, APT protection
Target: Vulnerable enterprises
Weapon: Malware
Gain: Credit card numbers, etc.
Page 8
Untargeted Breach
1. 3rd party website “Company Fun Run”
2. Employees register with company creds
3. Hack 3rd party site to steal creds
4. Log into JPM
5. Exfiltrate data over months
6. 3rd party website hires security guru, notifies JPMorgan
Page 9
Targeted Breach
Effectiveness of Defense: ???
Tools: ???
Target: Specific enterprises
Weapon: Many
Gain: Geo-political advantage?
Page 10
Targeted Breach
1. May 2014: Spoofed sites prennera.com, we11point.com
2. Spear phishing emails
3. Employees login with corporate creds
4. Corporate creds
5. Log into Premera, Anthem
6. Query & steal 11M identities
Jan/Feb 2015: IT discovers breach
Page 11
Think Like a Hacker
Page 12
Anatomy of a Data Breach
1. Bait - Social Engineering, Phishing, Bribery, Etc.
2. Infect - Exploit vulnerability
3. Arm - Install additional malware
4. Explore - Internal replication / lateral movement
5. Exfiltrate - Acquire & exfiltrate sensitive data
Outbound traffic labelled on the diagram: Info, C&C, C&C, C&C, Data

Pages 13-14
(Same diagram, built up in two steps.) Overlays mark where “Traditional prevention technologies” and “Breach discovery solutions” apply across the five stages.

Page 15
Think Like a Hacker
(Same diagram.) Outbound indicators shown along the stages, left to right:
Spoofed Domains, New Domains, ...
Malware Hosts, C&C, ...
ToR, Anonymous Proxies, File shares, ...
Page 16
Bitglass Breach Discovery
Page 17
Breach Discovery - How it Works
1. Upload firewall or proxy logs (no software to install)
2. Bitglass Breach Discovery: big data analysis of outflows, using Bitglass Risk Intelligence
3. Output: ranked alerts on high-risk outflows, Shadow IT risks, drill-down investigation
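The following script is an added, defender-side example of the pipeline the deck sketches on pages 15 and 17: parse outbound proxy log lines, tag each flow against risk intelligence (Tor exit nodes, known C&C hosts, anonymous proxies, newly seen domains), aggregate per internal source, and rank the result so high-risk, high-volume outflows surface first. It is not Bitglass code and does not reproduce the product's proprietary ranking; the log format, the indicator lists, the weights and the volume term are all constructed assumptions for illustration.

```python
"""Toy outbound-flow analysis over constructed proxy log lines.

Added example, not Bitglass code. Log lines, risk intelligence and
scoring weights are constructed placeholders.
"""
from collections import defaultdict
from datetime import date
from math import log2

# Constructed sample log lines in a simplified proxy format:
# timestamp src_ip dst_host dst_ip bytes_sent
SAMPLE_LOGS = """\
2015-06-01T09:00:01 10.1.1.5 intranet.example.internal 10.0.0.10 1200
2015-06-01T09:01:10 10.1.1.5 cdn.example-saas.test 203.0.113.7 5400
2015-06-01T09:02:33 10.1.1.8 exit1.tor-node.test 198.51.100.21 7340032
2015-06-01T09:02:45 10.1.1.8 exit2.tor-node.test 198.51.100.22 9437184
2015-06-01T09:05:00 10.1.1.9 we11point-login.test 192.0.2.50 2048
2015-06-01T09:06:12 10.1.1.12 cc.bad-actor.test 192.0.2.99 512
2015-06-01T09:06:13 10.1.1.12 cc.bad-actor.test 192.0.2.99 512
"""

# Constructed risk intelligence (placeholder values, not real indicators).
RISK_INTEL = {
    "tor_exit_ips": {"198.51.100.21", "198.51.100.22"},
    "cc_hosts": {"cc.bad-actor.test"},
    "anon_proxy_hosts": set(),
    # Date a domain was first registered/seen; recent ones look like spoofed lookalikes.
    "domain_first_seen": {"we11point-login.test": date(2015, 5, 20)},
}
# Assumed weights: C&C contact outranks Tor, which outranks a merely new domain.
RISK_WEIGHTS = {"tor_exit": 40, "c2_host": 50, "anon_proxy": 30, "new_domain": 20}
ANALYSIS_DATE = date(2015, 6, 1)  # "today" for the new-domain check


def parse_line(line: str) -> dict:
    """Parse one log line: ts src_ip dst_host dst_ip bytes_sent."""
    ts, src, host, dst_ip, nbytes = line.split()
    return {"ts": ts, "src": src, "host": host, "dst_ip": dst_ip, "bytes": int(nbytes)}


def classify(flow: dict, intel: dict, today: date, new_domain_days: int = 30) -> list:
    """Return the risk tags that apply to a single outbound flow (empty if benign)."""
    tags = []
    if flow["dst_ip"] in intel["tor_exit_ips"]:
        tags.append("tor_exit")
    if flow["host"] in intel["cc_hosts"]:
        tags.append("c2_host")
    if flow["host"] in intel["anon_proxy_hosts"]:
        tags.append("anon_proxy")
    first_seen = intel["domain_first_seen"].get(flow["host"])
    if first_seen is not None and (today - first_seen).days <= new_domain_days:
        tags.append("new_domain")
    return tags


def rank_outflows(log_text: str, intel: dict, today: date) -> list:
    """Aggregate tagged flows per internal source and rank by risk and volume."""
    per_src = defaultdict(lambda: {"bytes": 0, "flows": 0, "tags": set(), "hosts": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_line(line)
        tags = classify(flow, intel, today)
        if not tags:
            continue  # benign destination: contributes nothing to an alert
        agg = per_src[flow["src"]]
        agg["bytes"] += flow["bytes"]
        agg["flows"] += 1
        agg["tags"].update(tags)
        agg["hosts"].add(flow["host"])
    alerts = []
    for src, agg in per_src.items():
        risk = sum(RISK_WEIGHTS[t] for t in agg["tags"])
        megabytes = agg["bytes"] / (1024 * 1024)
        # The volume term grows slowly, so a large transfer to Tor outranks a
        # tiny C&C beacon while indicator weight still dominates the ordering.
        score = round(risk + 10 * log2(1 + megabytes), 1)
        alerts.append({"src": src, "score": score, "risk": risk, "bytes": agg["bytes"],
                       "flows": agg["flows"], "tags": sorted(agg["tags"]),
                       "hosts": sorted(agg["hosts"])})
    alerts.sort(key=lambda a: (-a["score"], a["src"]))
    return alerts


def drill_down(log_text: str, src: str) -> list:
    """Return the raw flows for one source host, for analyst investigation."""
    flows = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [f for f in flows if f["src"] == src]


if __name__ == "__main__":
    for a in rank_outflows(SAMPLE_LOGS, RISK_INTEL, ANALYSIS_DATE):
        print(f'{a["score"]:6.1f}  {a["src"]:10}  {a["bytes"]:>9} B  '
              f'{",".join(a["tags"])}  {",".join(a["hosts"])}')
```

On the constructed sample the host sending 16 MiB to two Tor exit nodes ranks first, the host beaconing twice to a C&C placeholder second, and the host that contacted a recently registered lookalike domain third; the two benign flows from 10.1.1.5 never reach the alert list, which is the point of ranking over raw anomaly alerts.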
Page 18
Customer Example: Transportation company
25,000 Employees
2M log lines per day
Findings:
- Data exfiltration to ~200 TOR nodes
- 4 high-risk, high-volume Shadow IT apps
Case study at bitglass.com/resources
Page 19
© 2015 Bitglass – Confidential: Do Not Distribute
Customer Example: Big Pharma
20,000 Employees
2M log lines per day
Findings:
- Several nodes infected with malware
- New domain contact, phishing attack likely
Case study at bitglass.com/resources
Page 20
Customer Example: Fed Agency
2,000 Employees
1GB logs per day
Findings:
- Contact with malware hosts
- Command & control traffic
- Contact with Dark Web
- Bkrtx browser hijack outflows
Page 21
Discovery vs Prevention

| Prevention-focused tools | Bitglass Breach Discovery |
|---|---|
| Prevention tools increasingly ineffective against targeted and persistent attacks | Outbound Data Flow Analysis catches breaches early |
| Existing and emerging anomaly detection technologies throw too many alerts to be useful | Prioritized alerts via cloud-powered big data analytics with proprietary ranking |
| SIEM requires curation of risk intelligence feeds and ongoing manual interpretation by SMEs | Rapid Deployment - Simply upload logs, nothing to install |

“Determined attackers can get malware into organizations at will.”
- Neil MacDonald/Peter Firstbrook, Gartner
Page 22
Bitglass Breach Discovery: Limit the Damage