Continuous Monitoring and Real World Analysis
by Seth Misenar
on 4 June 2015


Transcript of Continuous Monitoring and Real World Analysis

"No one can resist an idea whose time has come."
Victor Hugo
...but they sure will try hard
Continuous Monitoring and Real World Analysis
Seth Misenar, GSE #28
Principal Instructor, SANS Institute

Facing the Problem
Organizational Denial or Failing at Step 1/12
Lies We Tell Ourselves
...and our auditors, shareholders, customers, bosses, employees
Being Part of the Solution
Underestimating our Adversaries
Underestimating our Vulnerability
Overestimating Abilities
Cyber Defense Paradigm Shift
"No statue has ever been put up to a critic." - Sibelius
The Truth Shall Set You Free
Lie:
We spend $$$$ on security
Overestimating Abilities
Truth:
...spending money on the same products and services (now with extra shiny) != security
Lie:
We have Big Data, NG, Cloud, Mobile, Software Defined, BYOD, Threat Intel security awesome-sauce
Truth:
There will always be a new shiny product and organizations wielding it ineffectively
Lie:
We leverage a 3rd party MSSP team of elite cyber intrusion savants
Truth:
<1% of all breaches were discovered by 3rd party monitoring services
The Truth Shall Set You Free
Lie:
Attackers don't care about us
Underestimating Adversaries
Truth:
30% of all targeted attacks against small businesses (up to 250 employees)
Source: Symantec Internet Security Threat Report 2014
Lie:
Attackers don't REALLY care about us...
Truth:
Your existence signifies that there is something worth protecting/stealing at your organization
Lie:
Advanced attackers (APT) wouldn't target us
Truth:
The other APT
(Average Phishing Threat)
could still be successful...
2015 Verizon DBIR:

23% of users open phishing emails and 11% open attachments
The Truth Shall Set You Free
Lie:
We just had an audit (and passed)
Underestimating Vulnerabilities
Truth:
So did every other significant (breached) org
Lie:
...but we're compliant
Truth:
Yup, until breached, and the postmortem (non)compliance ninjas come and nullify your previous seal of approval
Lie:
We continuously scan our systems
Truth:
Unfortunately, you also continuously find the same underlying issues...
Verizon DBIR 2015: 99.9% of vulnerabilities exploited 1 year after CVE published
Lie:
Every device logs to a behemoth SIEM with flashy lights
Truth:
Your overloaded, generically tuned SIEM is not a magic bad-guy detector
Put differently
Resistance is Futile
Modern Cyber Defense
Key Principles
Continuous Monitoring and Real World Analysis
Selfie
Seth Misenar, GSE #28
Senior Instructor - SANS Institute
Lead Author -
SEC511: Continuous Monitoring and Security Operations (#sec511)
Lead Author -
SEC542: Web Application Penetration Testing (#sec542)
Co-Author -
MGT414: SANS Training for CISSP | Syngress CISSP Study Guide
Offensive and Defensive Cyber Security Consultant
SEC511
cyber.gd/sec511
cyber.gd/511_CMRW
Prezi
Adversary Informed Defense
Detection Dominant Design
Impact-Focused Defenses
Detection Dominant Practices
1 - Move to default deny egress -> focus on detects

2 - Start long tailing
Systems: ASEPs, Processes, Services, Files
Network traffic: DNS Queries, DNS Responses, SSL Certificates

3 - Deploy app whitelisting (block) -> focus on alerts

4 - Segment your org and Prevent/Detect/Respond at boundaries

5 - Develop/Deploy targeted adversary deception capabilities (honeytraps) for your high value targets/data

TL;DR/Top X/BuzzFeed Version
Seth Misenar, GSE #28
Principal Instructor, SANS Institute
Source: Verizon DBIR 2013
So Many Leaks So Little Time
Quit focusing on trying to prevent all of the little evils
Prevention of client endpoint compromise is a losing proposition
Instead, instrument security capabilities around stuff your org cares about
While initial compromise (of clients) happens rapidly, high value data theft typically takes much longer
Sad that we still often don't find out about data theft until someone else tells us, but...
The time lag presents us with a key opportunity to start WINNING...
Targeted Adversary Deception/Detection
HoneyTraps
Honeypots have historically been primarily research/analysis tools...often more hobby than helpful
Let's instrument some very targeted deception with close monitoring
Take it wherever you want, but here are some examples; some are reinterpretations of traditional honeypot approaches
HoneyLocalAdmin
- An (or the) admin account no one should ever use
HoneyDomAcct
- A domain user that appears privileged, but is heavily restricted/monitored
HoneySAT
- A dummy domain account with active access token (thought experiment -> could end badly)
HoneyTables/Records
- Data in a DB that should not be returned or ever seen/touched
HoneyFiles
- Tread carefully with this one if you put the files in public spaces
HoneyPorts
- Honey445 on every VLAN can be interesting
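Close monitoring of the honeytraps listed above, as an added example that is not code from the talk or from SEC511: it parses constructed key=value log lines and alerts on any reference to a honey account, honey record or Honey445 listener, then ranks sources by how many different traps they tripped. All account names, record IDs, hosts and addresses are hypothetical.

```python
import re
from collections import Counter

# Constructed honeytrap inventory; every name and address here is hypothetical.
HONEY_ACCOUNTS = {"svc-backup-adm", "helpdesk-admin"}   # HoneyLocalAdmin / HoneyDomAcct
HONEY_RECORD_IDS = {"CUST-000000"}                        # HoneyTables/Records
HONEY_PORTS = {("10.20.30.5", "445")}                     # Honey445: listener with no real SMB

# Constructed sample log lines in the form "<timestamp> <kind> key=value ...".
SAMPLE_LOGS = [
    "2015-06-04T09:12:01Z logon result=success user=jsmith src=10.20.10.17 dst=fs01",
    "2015-06-04T09:14:22Z logon result=failure user=svc-backup-adm src=10.20.10.44 dst=dc01",
    "2015-06-04T09:15:03Z dbquery user=webapp src=10.20.10.44 rows=CUST-000123,CUST-000000",
    "2015-06-04T09:16:40Z netconn src=10.20.10.44 dst=10.20.30.5 dport=445 proto=tcp",
    "2015-06-04T09:17:12Z netconn src=10.20.10.17 dst=10.20.30.9 dport=443 proto=tcp",
]

KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Split one constructed log line into a dict of its key=value fields plus ts and kind."""
    ts, kind, rest = line.split(" ", 2)
    fields = dict(KV.findall(rest))
    fields["ts"], fields["kind"] = ts, kind
    return fields

def honeytrap_alerts(lines):
    """Any touch of a honey account, record or port is an alert: nothing legitimate
    should ever reference them, so a failed logon counts as much as a successful one."""
    alerts = []
    for line in lines:
        e = parse(line)
        if e["kind"] == "logon" and e.get("user") in HONEY_ACCOUNTS:
            alerts.append(("honey_account", e["user"], e["src"]))
        elif e["kind"] == "dbquery":
            touched = set(e.get("rows", "").split(",")) & HONEY_RECORD_IDS
            if touched:
                alerts.append(("honey_record", ",".join(sorted(touched)), e["src"]))
        elif e["kind"] == "netconn" and (e["dst"], e["dport"]) in HONEY_PORTS:
            alerts.append(("honey_port", f'{e["dst"]}:{e["dport"]}', e["src"]))
    return alerts

def sources_by_alert_count(alerts):
    """One source tripping several different traps is the pivoting pattern to respond to first."""
    return Counter(src for _, _, src in alerts).most_common()

if __name__ == "__main__":
    for kind, what, src in honeytrap_alerts(SAMPLE_LOGS):
        print(f"{kind}: {what} touched from {src}")
    print(sources_by_alert_count(honeytrap_alerts(SAMPLE_LOGS)))
```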
Of the Prevent/Detect/Respond security triad, most orgs focus on umbrella prevention; let's increase detection -> response ability
Default Deny Egress
- Block everything outbound by default
Start with outbound for the internet
Once segmented (see below) also leaving critical VLAN
Proxy All Outbound Allows
- After default deny of all outbound, force allowed outbound to be proxied by a server/service
Application Whitelisting
- On the CSC First Five and ASD Top 4 lists; define all acceptable executables
Quit whining and make it happen
Internal (security) Segmentation
- Segment first according to likelihood (of attack) and impact (of compromise), and then further as permitted
Instrument Prevent/Detect/Respond capabilities between segments
On the surface, these might appear Preventive, but their Detect -> Response value outstrips their preventive capabilities
Key Adversary Tactics
Post-Exploitation activity is much easier to profile than the exploit du jour

Persistence
- Adversaries want to survive a reboot/patch/user getting a clue, so they will attempt to ensure continued access
Command and Control (C2)
- Adversaries need to guide their attack process to achieve their goal, so they will need remote access
Pivoting
- The initial victim is not the adversary's goal, so they will move laterally within the organization
Persistence
C2
Which HTTPS do you think was C2?
Pivoting (and Long Tail Analysis)
@sethmisenar seth@contextsecurity.com
"...cyber criminals maintained stealthy persistence using well-known Windows startup registry locations to launch their malware."
Mandiant 2015 M-Trends
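Long tail analysis over ASEPs and DNS names, the practice listed under "Start long tailing" and the one the Mandiant finding above argues for: an added example, not code from the talk or from SEC511, run over a constructed four-workstation data set (host names, registry values, image paths and domains are all invented). Anything seen on very few hosts rises to the top for an analyst to look at.

```python
from collections import defaultdict

# Constructed fleet and baseline: two autostart entries and three DNS names common to every host.
HOSTS = ["ws01", "ws02", "ws03", "ws04"]
COMMON_ASEPS = [
    (r"Run\OneDrive", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"),
    (r"Run\SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
]
COMMON_DOMAINS = ["login.example.com", "www.example.org", "cdn.example.net"]

# One observation tuple per (host, registry value, image path) and per (host, queried name).
ASEP_OBSERVATIONS = [(h, name, path) for h in HOSTS for name, path in COMMON_ASEPS]
DNS_OBSERVATIONS = [(h, d) for h in HOSTS for d in COMMON_DOMAINS]
# Constructed outliers present on a single host: an autostart in a user profile and a one-off name.
ASEP_OBSERVATIONS.append(("ws03", r"Run\Updater", r"C:\Users\c\AppData\Roaming\svchost.exe"))
DNS_OBSERVATIONS.append(("ws03", "cdn-update-7731.example.net"))

def long_tail(observations, key, max_hosts=1):
    """Count distinct hosts per item chosen by key(); return items seen on at most
    max_hosts hosts, rarest first. Prevalence, not signatures, drives the ranking."""
    hosts_by_item = defaultdict(set)
    for obs in observations:
        hosts_by_item[key(obs)].add(obs[0])
    rare = [(item, len(hosts)) for item, hosts in hosts_by_item.items()
            if len(hosts) <= max_hosts]
    return sorted(rare, key=lambda item_count: (item_count[1], item_count[0]))

def rare_asep_paths(observations=ASEP_OBSERVATIONS, max_hosts=1):
    # Key on the lowercased image path so case differences do not split one binary into two.
    return long_tail(observations, key=lambda o: o[2].lower(), max_hosts=max_hosts)

def rare_dns_names(observations=DNS_OBSERVATIONS, max_hosts=1):
    return long_tail(observations, key=lambda o: o[1].lower(), max_hosts=max_hosts)

if __name__ == "__main__":
    for path, n in rare_asep_paths():
        print(f"ASEP on {n} host(s): {path}")
    for name, n in rare_dns_names():
        print(f"DNS name on {n} host(s): {name}")
```

Raising max_hosts widens the tail; on real data the same loop runs over process, service and certificate inventories with a different key().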