Using the Dell PowerPoint template

How Secure is Your Business?
Protecting Your Data in the New Environment
Eric Browning CISSP, CRISC, CISA, CEH
Principal Security Architect
SecureWorks
1
Classification: // /Confidential - Limited External Distribution:
Background
• Active duty Army combat medic – 5 years
• High speed data support
• One-man IT shop for a mid-sized org
• GRC consulting, pen testing, IR
• Security architect
• CISO role for a cloud DBaaS
• Back at SCWX
2
Agenda
• Strategy
• Common Entry Methods
• Incident Response
• Baking in Threat Intelligence
• Lessons Learned
3
The Mathematics of Chaos Theory
Chaos: When the present determines the future, but the approximate present does not approximately determine the future.
The Butterfly Effect
http://en.wikipedia.org/wiki/Chaos_theory
4
Required Sun Tzu for a Security Presentation
5
Military Aspects of Terrain
• Obstacles
• Avenues of Approach
• Key Terrain
• Observation
• Cover and Concealment
6
Security Strategy
• Cannot prevent a determined intruder in all cases
  • Must also rely on detection and response
• Cannot protect a network, but you can defend it
  • Filter/Prevent what you can
  • Increase visibility
  • Manage vulnerabilities
  • Continuous Hunting/Blue Teaming
7
Detection and Response is a Complex Problem
• Old adage – we have to be right 100% of the time
• Evasion techniques continue to evolve
• Technology alone will not solve this problem
• Proper instrumentation is not the norm
8
Agenda
• Strategy
• Common Entry Methods
• Incident Response
• Baking in Threat Intelligence
• Lessons Learned
9
How is the adversary entering the environment?
[Chart: Targeted Intrusion Initial Access Vector – Phishing, Credential Abuse, Scan & Exploit, Web Exploit; shares shown as 14%, 29%, 29%, 29%]
Source: Targeted Threat Responses Jan 2015 – Sept 2015
10
Phishing…Everyday Occurrence
11
Phishing…Everyday Occurrence
12
Strategic Web Compromise (SWC)
[Diagram: Sites of Interest → Identify Vulnerable Site & Place Exploit → User Visits Compromised Site → Exploit used to deliver initial foothold malware]
1. Adversary identifies websites known or suspected to be visited by designated target
2. Identified sites are probed for vulnerability
3. Adversary places exploits on one or more sites where it is likely to be accessed by targets
4. Users visit malicious website
5. Exploits are attempted against visitors. Delivery is often filtered by IP or other characteristics
6. Initial foothold malware is delivered to the victim
13
Scan and Exploit
• Scans website for available vulnerabilities
• Identifies Struts with unpatched vulnerabilities
• Deploys webshell
• Adversary can now try to escalate privileges, dump passwords and move laterally in internal network
14
Web Exploit Kits
• Online Malicious Advertisement
• Content Delivery Networks
• Search engine poisoning
15
Living off the Land
• PsExec.exe – Sysinternals PsTools – tool that executes a program on a remote system
• PowerShell – http://www.powershellempire.com/
• Task Scheduler
16
Living off the Land
“Transport rule found on server that blind copies any messages with “CMS”, “pw”, “pwd”, “pass” or “password” in the body or subject of an email on server XYZ to email account [email protected]”
17
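An added defender's check for the finding quoted above (example code, not from the deck or SecureWorks): it audits mail-flow (transport) rules for the same pattern, a rule that blind-copies or redirects messages matching credential keywords to an address outside the organisation. It assumes an Exchange Management Shell or Exchange Online PowerShell session with rights to run Get-TransportRule and Get-AcceptedDomain; the keyword list is taken from the quote.

```powershell
# Added example, not from the deck: find transport rules that quietly copy
# messages mentioning credentials to a mailbox the organisation does not own.
# Assumes an Exchange / Exchange Online PowerShell session.

$credentialWords = @('cms', 'pw', 'pwd', 'pass', 'password')   # keywords from the finding
$acceptedDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }

function Test-ExternalAddress([string]$Address) {
    # True when the address domain is not one the organisation accepts mail for
    $domain = ($Address -split '@')[-1].ToLower()
    return -not ($acceptedDomains -contains $domain)
}

$findings = foreach ($rule in Get-TransportRule) {
    # Conditions that match on message text (subject and/or body)
    $words = @($rule.SubjectOrBodyContainsWords) + @($rule.SubjectContainsWords) |
             Where-Object { $_ } | ForEach-Object { $_.ToString().ToLower() }
    # Actions that silently duplicate or divert the message
    $copyTargets = @($rule.BlindCopyTo) + @($rule.RedirectMessageTo) + @($rule.CopyTo) |
                   Where-Object { $_ } | ForEach-Object { $_.ToString() }

    $hitWords   = $words | Where-Object { $credentialWords -contains $_ }
    $externalTo = $copyTargets | Where-Object { Test-ExternalAddress $_ }

    # Any copy to an external address deserves review; credential keywords make it high
    if ($externalTo) {
        [pscustomobject]@{
            Rule        = $rule.Name
            State       = $rule.State
            Severity    = if ($hitWords) { 'High' } else { 'Review' }
            Keywords    = ($hitWords -join ', ')
            ExternalTo  = ($externalTo -join ', ')
            WhenChanged = $rule.WhenChanged
        }
    }
}

$findings | Sort-Object Severity | Format-Table -AutoSize
```

Compare each flagged rule's WhenChanged against your change records; a rule nobody can account for is the one to investigate.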
Ransomware Proliferation
18
Agenda
• Strategy
• Common Entry Methods
• Incident Response
• Baking in Threat Intelligence
• Lessons Learned
19
OODA Loop
20