Continuous Monitoring and Real World Analysis


Seth Misenar

on 4 June 2015

Transcript of Continuous Monitoring and Real World Analysis

"No one can resist an idea whose time has come."
Victor Hugo
...but, they sure will try hard
Continuous Monitoring and Real World Analysis
Seth Misenar, GSE #28
Principal Instructor, SANS Institute

Facing the Problem
Organizational Denial or Failing at Step 1/12
Lies We Tell Ourselves
...and our auditors, shareholders, customers, bosses, employees
Being Part of the Solution
Underestimating our Adversaries
Underestimating our Vulnerability
Overestimating Abilities
Cyber Defense Paradigm Shift
"No statue has ever been put up to a critic." - Sibelius
The Truth Shall Set You Free
We spend $$$$ on security
Overestimating Abilities
...spending money on the same products and services (now with extra shiny) != security
We have Big Data, NG, Cloud, Mobile, Software Defined, BYOD, Threat Intel security awesome-sauce
There will always be a new shiny product and organizations wielding it ineffectively
We leverage a 3rd party MSSP team of elite cyber intrusion savants
<1% of all breaches were discovered by 3rd party monitoring services
The Truth Shall Set You Free
Attackers don't care about us
Underestimating Adversaries
30% of all targeted attacks were against small businesses (up to 250 employees)
Source: Symantec Internet Security Threat Report 2014
Attackers don't REALLY care about us...
Your existence signifies that there is something worth protecting/stealing at your organization
Advanced attackers (APT) wouldn't target us
The other APT
(Average Phishing Threat)
could still be successful...
2015 Verizon DBIR: 23% of users open phishing emails and 11% open attachments
The Truth Shall Set You Free
We just had an audit (and passed)
Underestimating Vulnerabilities
So did every other significant (breached) org
...but we're compliant
Yup, until breached, and the postmortem (non)compliance ninjas come and nullify your previous seal of approval
We continuously scan our systems
Unfortunately, you also continuously find the same underlying issues...
Verizon DBIR 2015: 99.9% of exploited vulnerabilities were compromised more than a year after the CVE was published
Every device logs to a behemoth SIEM with flashy lights
Your overloaded, generically tuned SIEM is not a magic bad-guy detector
Put differently
Resistance is Futile
Modern Cyber Defense
Key Principles
Continuous Monitoring and Real World Analysis
Seth Misenar, GSE #28
Senior Instructor - SANS Institute
Lead Author - SEC511: Continuous Monitoring and Security Operations (#sec511)
Lead Author - SEC542: Web Application Penetration Testing (#sec542)
Co-Author - MGT414: SANS Training for CISSP
Co-Author - Syngress CISSP Study Guide
Offensive and Defensive Cyber Security Consultant
Ironic Photo Here
Adversary Informed Defense
Detection Dominant Design
Impact-Focused Defenses
Detection Dominant Practices
1 - Move to default deny egress -> focus on detects

2 - Start long tailing: ASEPs, Processes, Services, Files; Network traffic: DNS Queries, DNS Responses, SSL Certificates

3 - Deploy app whitelisting (block) -> focus on alerts

4 - Segment your org and Prevent/Detect/Respond at boundaries

5 - Develop/Deploy targeted adversary deception capabilities for your high value targets/data
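The long-tail step above, as an added example that is not part of the original presentation: a frequency count of autoruns (ASEPs) and of TLS certificate subjects across a fleet, surfacing the entries seen on the fewest hosts. Host names, paths and certificate subjects are constructed sample data; the same routine takes the network side (DNS query names) as (host, value) pairs in exactly the same way.

```python
"""Long-tail analysis over fleet inventory (added example, not from the slides).

Benign autoruns and certificates recur across many hosts; whatever shows up on
one or two hosts sits in the long tail and is the analyst's starting point.
All hosts, paths and certificate subjects below are constructed sample data."""
from collections import defaultdict

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"       # well-known startup location
USER_RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
FLEET = ["ws01", "ws02", "ws03", "ws04", "ws05", "ws06"]

# Constructed ASEP inventory: (host, "registry location|image path") per autorun entry.
ASEPS = [(h, RUN_KEY + r"|C:\Program Files\VendorAV\avagent.exe") for h in FLEET]
ASEPS += [(h, RUN_KEY + r"|C:\Program Files\VendorVPN\vpnui.exe") for h in FLEET]
ASEPS += [("ws03", USER_RUN_KEY + r"|C:\Users\jdoe\AppData\Roaming\svchost.exe")]  # one-off, user-writable path

# Constructed outbound TLS observations: (host, certificate subject seen from that host).
TLS_SUBJECTS = [(h, "CN=*.vendor-cdn.example") for h in FLEET]
TLS_SUBJECTS += [(h, "CN=*.mail.example") for h in FLEET]
TLS_SUBJECTS += [("ws01", "CN=*.saas.example"), ("ws02", "CN=*.saas.example")]
TLS_SUBJECTS += [("ws03", "CN=localhost")]  # self-signed subject seen from exactly one host


def long_tail(observations, max_hosts=2):
    """Group (host, value) pairs by value and return the values seen on at most
    max_hosts distinct hosts, rarest first, each with the hosts that had it."""
    hosts_by_value = defaultdict(set)
    for host, value in observations:
        hosts_by_value[value].add(host)
    tail = [(value, sorted(hosts)) for value, hosts in hosts_by_value.items()
            if len(hosts) <= max_hosts]
    tail.sort(key=lambda item: (len(item[1]), item[0]))   # rarest first, then by value
    return tail


if __name__ == "__main__":
    for label, data in (("ASEP", ASEPS), ("TLS subject", TLS_SUBJECTS)):
        for value, hosts in long_tail(data):
            print(f"[{label}] seen on {len(hosts)} host(s) {hosts}: {value}")
```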

TL;DR/Top X/BuzzFeed Version
Seth Misenar, GSE #28
Principal Instructor, SANS Institute
Source: Verizon DBIR 2013
So Many Leaks So Little Time
Quit focusing on trying to prevent all of the little evils
Prevention of client endpoint compromise is a losing proposition
Instead, instrument security capabilities around stuff your org cares about
While initial compromise (of clients) happens rapidly, high value data theft typically takes much longer
Sad that we still often don't find out about data theft until someone else tells us, but...
The time lag presents us with a key opportunity to start WINNING...
Targeted Adversary Deception/Detection
Honeypots have historically been primarily research/analysis tools...often more hobby than helpful
Let's instrument some very targeted deception with close monitoring
Take it wherever you want, but here are some examples; some are reinterpretations of traditional honeypot approaches
- An (or the) admin account no one should ever use
- A domain user that appears privileged, but is heavily restricted/monitored
- A dummy domain account with active access token (thought experiment -> could end badly)
- Data in a DB that should not be returned or ever seen/touched
- Tread carefully with this one if you put the files in public spaces
- HoneyPorts: Honey445 on every VLAN can be interesting
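Turning two of these tripwires into alerts, as an added example that is not part of the original presentation: the admin account no one should ever use, and a Honey445 listener per VLAN. The account name, addresses and the flattened log formats are constructed; since nothing legitimate ever touches a honeytoken, the logic matches and never thresholds.

```python
"""Honeytoken alerting over constructed sample logs (added example, not from the slides).
Two tripwires: an admin account that exists but is never used legitimately, and a
HoneyPort (TCP/445 listener with no legitimate clients) on each VLAN. Account name,
addresses and the flattened log formats below are all constructed."""
import re

HONEY_ACCOUNTS = {"backup_admin"}                              # constructed honey account
HONEY_PORTS = {("10.20.30.250", 445), ("10.20.40.250", 445)}   # constructed Honey445 listeners
# Constructed formats: a flattened Windows logon event and a firewall flow record.
LOGON_RE = re.compile(r"EventID=(\d+) .*TargetUserName=(\S+) .*IpAddress=(\S+)")
FLOW_RE = re.compile(r"src=([\d.]+):(\d+) dst=([\d.]+):(\d+) proto=tcp")
SAMPLE_LOGS = [  # constructed
    "2015-06-04T10:01:02 host=dc01 EventID=4624 TargetUserName=jdoe LogonType=3 IpAddress=10.20.30.15",
    "2015-06-04T10:03:40 host=dc01 EventID=4625 TargetUserName=backup_admin LogonType=3 IpAddress=10.20.30.77",
    "2015-06-04T10:03:41 host=dc01 EventID=4624 TargetUserName=backup_admin LogonType=3 IpAddress=10.20.30.77",
    "2015-06-04T10:05:00 fw=core src=10.20.30.15:51000 dst=10.20.30.10:445 proto=tcp action=allow",
    "2015-06-04T10:06:12 fw=core src=10.20.30.77:51322 dst=10.20.30.250:445 proto=tcp action=allow",
    "2015-06-04T10:06:13 fw=core src=10.20.30.77:51323 dst=10.20.40.250:445 proto=tcp action=allow",
]


def honeytoken_alerts(lines):
    """Return one alert per log line that touches a honey account or a HoneyPort."""
    alerts = []
    for line in lines:
        m = LOGON_RE.search(line)
        if m and m.group(2) in HONEY_ACCOUNTS:
            outcome = "success" if m.group(1) == "4624" else "failure"  # 4624 logon, 4625 failed logon
            alerts.append({"type": "honey_account", "src": m.group(3), "outcome": outcome, "line": line})
            continue
        m = FLOW_RE.search(line)
        if m and (m.group(3), int(m.group(4))) in HONEY_PORTS:
            alerts.append({"type": "honey_port", "src": m.group(1), "dst": m.group(3), "line": line})
    return alerts


def pivot_sources(alerts):
    """Group alert types by source address: one host tripping the honey account and
    then a HoneyPort on another VLAN is the lateral-movement picture the slides describe."""
    by_src = {}
    for alert in alerts:
        by_src.setdefault(alert["src"], set()).add(alert["type"])
    return by_src


if __name__ == "__main__":
    found = honeytoken_alerts(SAMPLE_LOGS)
    print(len(found), "honeytoken alerts; sources:", pivot_sources(found))
```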
Of the Prevent/Detect/Respond security triad, most orgs focus on umbrella prevention; let's increase detection -> response ability
Default Deny Egress
- Block everything outbound by default: start with outbound to the internet; once segmented (see below), also deny by default traffic leaving critical VLANs
Proxy All Outbound Allows
- After default deny of all outbound, force allowed outbound to be proxied by a server/service
Application Whitelisting
- On both the CSC First Five and the ASD Top 4; define all acceptable executables
Quit whining and make it happen
Internal (security) Segmentation
- Segment first according to likelihood (of attack) and impact (of compromise), and then further as permitted
Instrument Prevent/Detect/Respond capabilities between segments
On the surface, these might appear Preventive, but their Detect -> Response value outstrips their preventive capabilities
Key Adversary Tactics
Post-Exploitation activity is much easier to profile than the exploit du jour

- Adversaries want to survive a reboot/patch/user getting a clue, so they will attempt to ensure continued access
Command and Control (C2)
- Adversaries need to guide their attack process to achieve their goal, so they will need remote access
- The initial victim is not the adversary's goal, so they will move laterally within the organization
Which HTTPS do you think was C2?
Pivoting (and Long Tail Analysis)
@sethmisenar seth@contextsecurity.com
"...cyber criminals maintained
using well-known Windows startup registry
locations to launch their malware."
Mandiant 2015 M-Trends