Detecting Threats - How to Think Like an Attacker
DETECTING THREATS: HOW TO THINK LIKE A CYBER ATTACKER
Albert Hui GREM, GCFA, GCFE, GCIA, GCIH, GXPN, GPEN, GAWN, GSNA, CISA, CISM, CRISC, Principal Consultant
Cyber Risk Workshop, October 28th 2014 @ Hong Kong
WHO AM I?
• Spoken at Black Hat, High Tech Crime Investigation Association (Asia Pacific Conference), and Economist Corporate Network.
• Risk Consultant for Banks, Government and Critical Infrastructures.
• SANS GIAC Advisory Board Member.
• Former HKUST lecturer.
AGENDA
Cyber Attackers’
• Motivations (Why do they hack you?)
• Methods (How do they break in?)
• Damage Potentials (What can they do to you?)
Countermeasures
• How to detect cyber attacks?
Copyright © 2014 Albert Hui
CYBER ATTACKERS’ MOTIVATIONS
PRIMARY MOTIVATIONS
Motivations range from Secular to Sacred:
• ego
• money
• ideology (e.g. hacktivists)
• revenge (e.g. former employees)
• curiosity
• industrial espionage
• war and terrorism (e.g. state-sponsored hackers)
OPPORTUNISTIC ATTACK TREND: HACKER SUPPLY CHAIN
Anon Payment → Hacker Tools / Bulletproof Hosting → Monetization
Implications
• Sophisticated attacks now available to non-experts
• Lower breakeven point for attacks
• More “worthwhile” targets
TARGETED ATTACK TREND: CYBER WARFARE AND APT
Implications
• More attack budgets
• 0-day attacks
• Threat level corresponds to strategic value
CYBER ATTACKERS’ METHODS
CYBER KILL CHAIN
Recon → Weaponize → Deliver → Exploit → Install → C2 → Action
ATTACK ROUTES
• Outside-In (e.g. SQLi, XSS, CSRF)
• Inside-Out (e.g. web malware, trojaned PDF)
• Indirect
(Diagram: Home and Office networks, with perimeter controls such as FW, IPS, etc. and host controls such as AV, HIPS, etc.)
CYBER ATTACKERS’ DAMAGE POTENTIALS
COMMON EXPLOITATIONS
Steal Stuff
• Intellectual property theft
• Steal money
• Monetize the loot for credit card fraud, spam, DDoS etc.
Wreak Havoc
• Break system (e.g. via DDoS)
• Cause system malfunction
• Delete business data and ransom
Consequential Damages
• Legal and regulatory consequences
• Reputational damage
• Loss of license
DETECTING CYBER ATTACKS
PHILOSOPHY
Defender’s Dilemma
• Must secure all possible vulnerabilities
Intruder’s Dilemma
• Must evade all detections
Reason’s Swiss Cheese Model (picture from NICPLD)
ESSENTIALS FOR DETECTING CYBER ATTACKS
• Layered defense-in-depth
• Redundant security (e.g. two different brands of FWs)
• Security event correlation (e.g. SIEM)
• Trustworthy logging
• Up-to-date threat intelligence
• Security awareness and reporting channel
• Incident response capability (e.g. CSIRT)
(Diagram: people, process, technology)
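The kill chain stages and the “security event correlation (e.g. SIEM)” bullet together imply a simple correlation rule: an intruder must evade every layer, so a host that trips several layers at different kill-chain stages in a short time is a strong signal. The Python below is an added example, not code from the original slides; the log sources, event types and sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Kill chain phases from the slide, in order.
PHASES = ["Recon", "Weaponize", "Deliver", "Exploit", "Install", "C2", "Action"]

# Hypothetical mapping of (log source, event type) to a kill chain phase.
# Real SIEM content is far richer; this mapping is illustrative only.
PHASE_OF = {
    ("ips", "port_scan"): "Recon",
    ("mail", "suspicious_attachment"): "Deliver",
    ("av", "exploit_detected"): "Exploit",
    ("hips", "new_autorun"): "Install",
    ("proxy", "beacon_to_uncategorized"): "C2",
    ("dlp", "bulk_upload"): "Action",
}

# Constructed sample events: (timestamp, source, event_type, host)
SAMPLE_EVENTS = [
    ("2014-10-28T09:00:00", "ips", "port_scan", "10.1.2.3"),
    ("2014-10-28T09:05:00", "mail", "suspicious_attachment", "10.1.2.3"),
    ("2014-10-28T09:30:00", "av", "exploit_detected", "10.1.2.3"),
    ("2014-10-28T09:45:00", "proxy", "beacon_to_uncategorized", "10.1.2.3"),
    ("2014-10-28T10:00:00", "ips", "port_scan", "10.1.2.4"),
    ("2014-10-28T15:00:00", "proxy", "beacon_to_uncategorized", "10.1.2.4"),
]


def correlate(events, min_phases=3, window=timedelta(hours=2)):
    """Return {host: phases} for hosts showing at least min_phases distinct
    kill-chain phases within any sliding time window of length `window`."""
    by_host = defaultdict(list)
    for ts, source, etype, host in events:
        phase = PHASE_OF.get((source, etype))
        if phase is None:
            continue  # unmapped event: stays in the logs, not in this rule
        by_host[host].append((datetime.fromisoformat(ts), phase))
    alerts = {}
    for host, items in by_host.items():
        items.sort()  # chronological, so each start index opens one window
        for i, (t0, _) in enumerate(items):
            phases = {p for t, p in items[i:] if t - t0 <= window}
            if len(phases) >= min_phases:
                alerts[host] = sorted(phases, key=PHASES.index)
                break
    return alerts


if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

Host 10.1.2.4 shows only two phases five hours apart and stays below the threshold, which is the kind of tuning (window and phase count) a real SIEM rule would need per environment.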