Sexy defense


Transcript of Sexy defense

Page 1: Sexy defense

Sexy Defense: Maximizing the Home-Field Advantage

Iftach Ian Amit

Director of Services, IOActive

Image credit: IDF Spokesperson

Page 2: Sexy defense

Agenda

• Whoami

• Background - the Red Team was here...

• What do they actually say? Reading reports 101

• Methodology - flipping the Red-Team

• Map

• Correlate

• Act

• Examples

• Conclusions

Page 3: Sexy defense

Iftach Ian Amit

Page 16: Sexy defense

Background

You had a vulnerability assessment done.

Page 17: Sexy defense

Background

And you passed a pentest.

Page 18: Sexy defense

Background

What did you ACTUALLY get?

Pros: Compliance? +++
Cons: Security Posture? ---

Page 19: Sexy defense

Background

And then you had a Red-Team test come in and wreak havoc...

Page 20: Sexy defense

Background

How does that make you feel?

Page 21: Sexy defense

Shock

Page 22: Sexy defense

Denial

Page 23: Sexy defense

Anger

Page 24: Sexy defense

Resistance

Page 25: Sexy defense

Acceptance?

Page 26: Sexy defense

Reading bad reports

• Here comes the boring part... Terminology...

• Vulnerability

• Exposure

• Threat

• Risk

• (yup - you gotta be able to do suite talk to get the $$$).

Page 27: Sexy defense

Vulnerability

You’ll find a lot of these in reports...

“An issue with a software component that, when abused (exploited) can lead to anything from the software crashing, to compromising the system on which the software is installed so that the attacker can have full control over it. Additionally, vulnerabilities also refer to logic and operational issues – whether in computing systems, in processes and procedures related to the business operations, patch management, or even password policies.”

Page 28: Sexy defense

Exposure

• Say what?

• Usually will connect vulnerabilities to a threat model relevant for the tested organization

Page 29: Sexy defense

Threat

“Anything capable of acting against an asset in a manner that could result in harm”

Defined by: Threat Community, Threat Agents.

• Capabilities

• Accessibility to assets

Page 30: Sexy defense

Risk

Ever seen one of these in a report? A real one?

• The probability of something bad™ happening to an organization’s asset.

• Yes, probability == math. Coherently formulate the elements (vuln, exposure, threat) into a risk score.

• Repeatable, and defensible from a logical perspective

Page 31: Sexy defense

Methodology

Take a look at how we have been practicing attack and defense.

For a VERY long time...

Page 32: Sexy defense

Defender view

Page 33: Sexy defense

Attacker view

Page 34: Sexy defense

What does it mean?

Intelligence Gathering

Vuln. Research Exploit Control

Post Exploitation

Attack

Page 35: Sexy defense

What does it mean?

Intelligence Gathering

Vuln. Research Exploit Control

Post Exploitation

Attack

Defend

Page 36: Sexy defense

What does it mean?

Intelligence Gathering

Vuln. Research Exploit Control

Post Exploitation

Attack

Defend

DetectionMitigate

& Contain

Page 37: Sexy defense

What does it mean?

Intelligence Gathering

Vuln. Research Exploit Control

Post Exploitation

Attack

Defend

Threat Modeling

Intelligence Gathering

Data Correlation Detection

Mitigate & Contain

Page 38: Sexy defense

Remember!

It’s NOT about:

• Egos

• People

• Skills

IT’S NOT FAIR!

It IS about:

Having a mindset of constant improvement

There will always be gaps in the defense

• Identify

• Remediate

• In the CONTEXT of RISK

Page 39: Sexy defense

Map (information & Security assets)

• 1st - What is the business doing anyway?

• How does it make $?

• Processes, assets, people, technology, 3rd parties...

• Security and Intelligence assets...

Page 40: Sexy defense

Map (exposures & Issues)

• Start from a report (vuln, pt, red-team).

• Work up from there while weeding out all the irrelevancies

Page 41: Sexy defense

Simplified mapping of assets, processes, people, vulnerabilities, and controls

[Diagram nodes: Process, Inputs (several), 3rd Party, Assets, Controls, Vulnerability, Key personnel]

Page 42: Sexy defense

Map (Threats)

• Do you know WHO is out to get you?

• Their capabilities?

• What do they know?

• Their modus-operandi?

• ...

Page 43: Sexy defense

Logs

• Everywhere, from everything.

• Storage != $

• Measure twice, cut once == get all logs, filter later

Page 44: Sexy defense

Raw Intelligence

Marketing

Sales

Business Development

Competitors

Partners

Customers

Analysis

CERTs

Market News

Forums

Page 45: Sexy defense

Early warning signs

• Weird PC behavior

• Volume of calls to support

• Physical elements around the office

• Sales inquiries

• Probes on a website

• File permissions

• Access to specific files on network storage

• Employee awareness

• ...

Page 48: Sexy defense

People

• Stalkers

• Tailgaters

• Smokers

• Construction

• Sales leads

• IT guys

AWARENESS

Page 49: Sexy defense

Correlate

external events and timelines

• Local news: sports, entertainment, financial

• Regional news

• National events

• International stuff

Page 50: Sexy defense

Act

• Building up your defense mojo

• Training people to identify, report, react

• Combining technology into the mix

• Working with others (peers, vendors, intel sources, government?)

Page 51: Sexy defense

Assess where YOU are!

• Get a clear view of your current security posture

• Lying to yourself isn’t going to make you feel better

• At least in the long run... :-|

Page 52: Sexy defense

Constant development

• Expect changes

• Processes, partners, customers, 3rd parties, internal services/products, people, culture...

• Embrace changes - never “sign off” into a finite strategy document. Make it a “living” document.

• Educate people about it.

• Show how it adapts according to the business. TO SUPPORT IT!

Page 61: Sexy defense

Align outwards

• Compare notes with peers

• Keep track of what’s new on the offensive side

• And how it relates to you

• Never accept a successful audit or compliance to regulation as a sign of effective defense

• Will usually prove the opposite

• Great - you are now one with the lowest common denominator of the lowest bidders...

Page 62: Sexy defense

It’s not about:

People

Tech

Skill

Page 63: Sexy defense

It’s about:

Tech Skill People

Cat Herding

Page 64: Sexy defense

Counter-intel

• Own up to YOUR information

• Set traps

• Intelligence

• Technology

• Booby-trap tools, work with LE, and most importantly: LEGAL

• IANAL!

Page 66: Sexy defense

Examples

Page 67: Sexy defense

1. Identify your threat communities / agents

2. Locate their “hangouts” (where they get toolz)

3. Infiltrate to get info

4. Manipulate “stuff”

   1. Backdoor it.

   2. Make sure it leaves a distinct signature.

5. Update custom signature in detection systems

6. Kick back, and watch the fun

Page 73: Sexy defense

Use THEIR tools...

Hmmmmmmm... I betch’a people are going to miss it :-)

Page 74: Sexy defense

Demo time

1. Download RAT

2. Find appropriate location

3. Insert RAT

4. Release

5. Profit?

Page 78: Sexy defense

Demo

1. Obtain crypter

2. Enhance [not in this demo]

3. Leave a “unique” present in crypted files

4. Release

5. Profit?

Page 80: Sexy defense

Law is hackable

• Don’t think that it’s impossible to get by with these things...

• Example: Microsoft’s takedown of Bredolab - legal bypass by using trademark infringement claims

• Directly affect infected computers!

Page 81: Sexy defense

Kippo

http://code.google.com/p/kippo/

Page 82: Sexy defense

Artillery

• Open up listeners on multiple ports

• Anything that touches them gets blacklisted

• You can play with this to report instead of blacklist...

• Monitor filesystem changes and email diff to you.

• Block SSH brute-force attacks

svn co http://svn.secmaniac.com/artillery artillery/
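As an added illustration of the two Artillery behaviours listed on this slide (decoy listeners that report or blacklist whoever touches them, and SSH brute-force blocking), here is a small Python tripwire written for this page; it is not Artillery's or Kippo's code. Class and function names, the thresholds, the allowlist idea and the sshd log lines are constructed; the log year is assumed because syslog stamps carry none, and the demo binds port 0 so it runs anywhere, whereas Artillery binds real service ports.

```python
import re
import socket
import socketserver
import threading
import time
from collections import defaultdict, deque
from datetime import datetime

# Hypothetical tripwire in the spirit of Artillery (not its code): decoy TCP
# listeners that report or blacklist whoever connects, plus an sshd brute-force
# detector.  Thresholds, names and the sample log lines below are constructed.

SSH_FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)
EPOCH = datetime(1970, 1, 1)
LOG_YEAR = 2024  # syslog stamps carry no year; assumed for the sample lines


def syslog_seconds(line):
    """Seconds since epoch for the 'Mon DD HH:MM:SS' prefix of a syslog line."""
    stamp = datetime.strptime(f"{LOG_YEAR} {line[:15]}", "%Y %b %d %H:%M:%S")
    return (stamp - EPOCH).total_seconds()


class TouchTracker:
    """Per-source state: decoy-port touches and recent sshd failures."""

    def __init__(self, mode="report", ssh_threshold=5, ssh_window=60, allowlist=()):
        self.mode = mode                     # "report" (the slide's variant) or "blacklist"
        self.ssh_threshold = ssh_threshold   # failed logins per window before blocking
        self.ssh_window = ssh_window         # seconds
        self.allowlist = set(allowlist)      # your own scanners and monitors
        self.blacklist = set()
        self.events = []                     # (ts, ip, port, action)
        self._ssh_fail = defaultdict(deque)  # ip -> timestamps of recent failures

    def touch(self, ip, port, ts=None):
        """Something connected to a decoy port; nothing legitimate ever does."""
        ts = time.time() if ts is None else ts
        if ip in self.allowlist:
            return "allowlisted"
        action = "blacklist" if self.mode == "blacklist" else "report"
        if action == "blacklist":
            self.blacklist.add(ip)
        self.events.append((ts, ip, port, action))
        return action

    def ssh_failure(self, ip, ts):
        """Count one failed login; True when the source crosses the threshold."""
        recent = self._ssh_fail[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.ssh_window:
            recent.popleft()  # drop failures outside the sliding window
        if ip not in self.allowlist and len(recent) >= self.ssh_threshold:
            self.blacklist.add(ip)
            return True
        return False


def scan_auth_log(lines, tracker):
    """Feed sshd auth-log lines to the tracker; return newly blocked IPs in order."""
    flagged = []
    for line in lines:
        m = SSH_FAIL_RE.search(line)
        if m and tracker.ssh_failure(m["ip"], syslog_seconds(line)) and m["ip"] not in flagged:
            flagged.append(m["ip"])
    return flagged


class DecoyHandler(socketserver.BaseRequestHandler):
    """No banner, no service: the connection itself is the whole signal."""

    def handle(self):
        self.server.tracker.touch(self.client_address[0], self.server.server_address[1])


def start_decoys(tracker, ports, host="127.0.0.1"):
    """One threaded listener per port; port 0 picks a free port (demo only)."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    servers = []
    for port in ports:
        srv = socketserver.ThreadingTCPServer((host, port), DecoyHandler)
        srv.daemon_threads = True
        srv.tracker = tracker
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        servers.append(srv)
    return servers


# Constructed sshd lines: 198.51.100.7 fails five times in eight seconds,
# 203.0.113.9 fails twice, and one successful key login must be ignored.
SAMPLE_AUTH_LOG = [
    "Mar 10 12:00:01 bastion sshd[2101]: Failed password for root from 198.51.100.7 port 40122 ssh2",
    "Mar 10 12:00:03 bastion sshd[2101]: Failed password for root from 198.51.100.7 port 40123 ssh2",
    "Mar 10 12:00:05 bastion sshd[2104]: Failed password for invalid user admin from 198.51.100.7 port 40124 ssh2",
    "Mar 10 12:00:07 bastion sshd[2104]: Failed password for invalid user admin from 198.51.100.7 port 40125 ssh2",
    "Mar 10 12:00:09 bastion sshd[2106]: Failed password for root from 198.51.100.7 port 40126 ssh2",
    "Mar 10 12:00:11 bastion sshd[2109]: Accepted publickey for deploy from 10.0.0.4 port 5100 ssh2",
    "Mar 10 12:00:20 bastion sshd[2112]: Failed password for backup from 203.0.113.9 port 51000 ssh2",
    "Mar 10 12:01:30 bastion sshd[2120]: Failed password for backup from 203.0.113.9 port 51001 ssh2",
]

if __name__ == "__main__":
    tracker = TouchTracker(mode="report")
    servers = start_decoys(tracker, [0, 0])  # Artillery binds real service ports instead
    for srv in servers:
        with socket.create_connection(srv.server_address, timeout=2):
            pass  # a bare connect is enough to trip the wire
    time.sleep(0.2)
    for ts, ip, port, action in tracker.events:
        print(f"{action}: {ip} touched decoy port {port}")
    print("ssh brute-force sources:", scan_auth_log(SAMPLE_AUTH_LOG, tracker))
    for srv in servers:
        srv.shutdown()
        srv.server_close()
```

The allowlist is the check a practitioner wants before turning "report" into "blacklist": without it, your own vulnerability scanner is the first thing you block, and a spoofed or NATed source can get a shared gateway blacklisted, which is why the slide suggests reporting first.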

Page 83: Sexy defense

Then: Technology

• Find stuff that works FOR you. Or make it.

• SIEM/SOC would be a major focus

• Other correlation engines

• Feed technology all the data it can handle

• Financial info? Semantic data? Google Alerts? --> Anything goes...

Page 90: Sexy defense

Counter Intelligence use-case

Problem: dormant accounts used for fraud (and/or money laundering)

Account

>1yr dormant

laundering

Intl. transfers

Internal/External???

Page 100: Sexy defense

Marketing

Accounting

Branch mgmt.

List: Account, Account, Account, Account, Account

List: Account, Account, Account, Account, Account

List: Account, Account, Account, Account, Account

Internal user

Page 108: Sexy defense

Internal user

PC

Trojan

C&C

Bad Guys(tm)
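The use-case slides above sketch a correlation: accounts dormant for over a year wake up with international transfers, the accounts turn out to sit on lists pulled by Marketing, Accounting and branch management, and one internal user's PC leads to a trojan and its C&C. The following Python is an added worked example of that correlation for this page, not the talk's or any bank's code: the field names (`account`, `kind`, `intl_transfer`, `dept`), the 30-day reactivation window and every ledger and access-log record are constructed.

```python
from collections import defaultdict
from datetime import date, timedelta

# Hypothetical detection for the dormant-account use case; field names and all
# records below are constructed, not the talk's or any bank's data.
DORMANCY = timedelta(days=365)            # ">1yr dormant" from the slides
REACTIVATION_WINDOW = timedelta(days=30)  # assumed: intl transfers this soon after waking count


def find_reactivated_dormant(transactions):
    """Accounts idle for over a year that then make international transfers.
    Returns {account: date of the first suspicious transfer}."""
    by_account = defaultdict(list)
    for tx in transactions:
        by_account[tx["account"]].append(tx)
    suspicious = {}
    for account, txs in by_account.items():
        txs.sort(key=lambda tx: tx["date"])
        for i in range(1, len(txs)):
            if txs[i]["date"] - txs[i - 1]["date"] <= DORMANCY:
                continue  # still active, no dormancy gap here
            woke = txs[i]["date"]
            for tx in txs[i:]:
                if tx["date"] - woke > REACTIVATION_WINDOW:
                    break
                if tx["kind"] == "intl_transfer":
                    suspicious[account] = tx["date"]
                    break
            if account in suspicious:
                break
    return suspicious


def correlate_internal_access(suspicious, access_log):
    """Internal users who looked at the suspicious accounts before they woke up,
    as [(user, dept, hits, accounts)] with the widest coverage first."""
    seen = defaultdict(set)
    dept = {}
    for entry in access_log:
        account = entry["account"]
        if account in suspicious and entry["date"] < suspicious[account]:
            seen[entry["user"]].add(account)
            dept[entry["user"]] = entry["dept"]
    ranked = [(u, dept[u], len(a), sorted(a)) for u, a in seen.items()]
    ranked.sort(key=lambda r: (-r[2], r[0]))
    return ranked


DORMANT_ACCOUNTS = ["A1", "A2", "A3", "A4", "A5"]

# Constructed ledger: five accounts silent since 2021 all wire abroad on the same day.
TRANSACTIONS = []
for acct in DORMANT_ACCOUNTS:
    TRANSACTIONS.append({"account": acct, "date": date(2021, 11, 3), "kind": "deposit", "dest": "IL"})
    TRANSACTIONS.append({"account": acct, "date": date(2023, 6, 12), "kind": "intl_transfer", "dest": "CY"})
TRANSACTIONS += [
    # active account wiring abroad: no dormancy gap, so not flagged
    {"account": "A6", "date": date(2023, 5, 1), "kind": "deposit", "dest": "IL"},
    {"account": "A6", "date": date(2023, 6, 12), "kind": "intl_transfer", "dest": "DE"},
    # dormant account that wakes with a domestic withdrawal only: not flagged
    {"account": "A7", "date": date(2021, 1, 9), "kind": "deposit", "dest": "IL"},
    {"account": "A7", "date": date(2023, 3, 1), "kind": "withdrawal", "dest": "IL"},
]

# Constructed access log (the "List" slides): who pulled these account records, and when.
ACCESS_LOG = [
    {"user": "m.levi", "dept": "Marketing", "account": a, "date": date(2023, 5, 20)}
    for a in DORMANT_ACCOUNTS
] + [
    {"user": "j.cohen", "dept": "Accounting", "account": "A1", "date": date(2023, 4, 2)},
    {"user": "j.cohen", "dept": "Accounting", "account": "A6", "date": date(2023, 4, 2)},
    {"user": "r.ben", "dept": "Branch mgmt.", "account": "A3", "date": date(2023, 7, 1)},  # after the fact
]

if __name__ == "__main__":
    flagged = find_reactivated_dormant(TRANSACTIONS)
    print("reactivated dormant accounts:", sorted(flagged))
    for user, dept_name, hits, accounts in correlate_internal_access(flagged, ACCESS_LOG):
        print(f"{user} ({dept_name}) accessed {hits}/{len(flagged)} before reactivation: {accounts}")
```

The top-ranked user is a lead, not a verdict: as the next slides show, the trail runs from that user to a PC, a trojan and its C&C, so the user may be a victim whose access was used, and the follow-up is an endpoint and network investigation rather than an accusation.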

Page 113: Sexy defense

Play nice with others

CERTS

Government

Peers

Competitors

Page 114: Sexy defense

Conclusions

The whole is greater than the sum of its elements

[insert tacky “zen” slide with some stones]

Page 115: Sexy defense

Call for Action

• Vendors:

• Start working on products that can “communicate” with information

• Loosely typed data

• Language processing of arbitrary data formats

• Correlation across sources AND over time

• Defenders:

• Own up to your data, network, and business

• Gather intelligence on your potential adversaries

• Focus your defenses on assets, not compliance or “best practices”

• Take the initiative!

Page 116: Sexy defense

ktnxbye!

Questions?

Paper available at: http://iamit.org/docs/sexydefense.pdf

twitter: @iiamit

*Image credits: Google Images and the Internetz