The Infosec Crossroads - 44CON 2016
Transcript of The Infosec Crossroads - 44CON 2016
#44CON 2016 NETSQUARE
2016: The Infosec Crossroads
Saumil Shah, CEO, Net-Square. 44CON 2016
About Me
Saumil Shah, CEO, Net-Square (@therealsaumil)
Hacker, trainer, speaker, author, photographer; educating, entertaining and exasperating audiences since 1999.
Today's attacks succeed because the defense is REACTIVE.
The Evolution of Attacks
How Have Targets Shifted? Servers, Applications, Desktops, Browsers, Pockets.
The Game Changers: Perimeter Security, Web Apps, Broadband Networks, WiFi, Social Networks, Cellular Data.
Attacks Follow The Money: Defacement, DDoS, Phishing, ID Theft, Financial Transactions, Targeted APT.
Today's Fashion: Breaches
Defences and attacker techniques (two columns on the slide):
Firewalls / One-way Hacking
IDS/IPS / Packet Fragmentation
Antivirus / Obfuscation
WAF / Character Encoding
Endpoint Security / DNS Exfiltration
ASLR, DEP / Return Oriented Programming
Sandbox / Jailbreak
Latest Example: Stegosploit
Diagram labels: IMAJS stego-decoder JavaScript, target browser, polyglot, pixel encoder, exploit code, image, encoded image.
"Nakatomi space", wherein buildings reveal near-infinite interiors, capable of being traversed through all manner of non-architectural means
http://www.bldgblog.com/2010/01/nakatomi-space/
It was different 12 years ago!
Individual effort. 1 week dev time. 3-6 months shelf life. Hundreds of public domain exploits. "We did it for the fame. lols."
Today...
Team effort. 2-12 month dev time. 24h to 10d shelf life. Public domain exploits nearly zero. Cost and value of exploits have significantly risen. WEAPONIZATION.
Haroon Meer: "For a few hundred K, could you put together a team that would break in just about anywhere?"
CCDCOE Conference on Cyber Conflict - 2010
$100k – 500k
Attacking is (much) cheaper than defence.
Attacker toolchains are far more complex than the public demonstrations we have seen so far.
The defenders tried to buy back their bugs...
Bug Bounties: high stakes game
Chris Evans – Pwnium: Element 1337
Bug Bounties tried to fill a reactive need.
Bug Bounties: backfiring?
The (d)evolution of Users
Advanced Technology Is...Advanced
Technology in the hands of users
The user's going to pick dancing pigs over security every time.
Bruce Schneier
The more sophisticated the technology, the more vulnerable it is to primitive attack. People often overlook the obvious.
Doctor Who, "Pirate Planet"
XKCD 358 "Security"
The Wrong Approach to defense
Compliance != Security
Who are you more scared of? Attackers or Auditors?
Attackers don't follow standards and certifications.
Today's Infosec Defence? Rules, Signatures, Updates, Machine Learning.
Existing strategies do not match attacker tactics.
UNREALISTIC TESTING SCENARIOS
• Wait for new production release
• Don't test on production
• Don't perform intrusive testing
• X is out of scope
• Test during off-peak hours
Intelligence Driven Security
From REACTIVE to PROACTIVE
Diagram: collectors and sensors (applications, internal users, external users, perimeter activity) feed a Security Data Warehouse; analysis and intelligence gathering lead to actions.
We already have all the information needed to defend our organization.
PROACTIVE Security Testing
@therealsaumil's SEVEN AXIOMS of Security
1. Collect EVERYTHING!
2. Can't MEASURE? Can't Use.
3. Test like an attacker. RED TEAM.
4. User RATINGS!
5. Set BOOBY TRAPS.
6. ANALYSIS decides Actions.
And the 7th...
7. BUY-IN FROM THE TOP
Is your infosec team doing something creative every day?
THANK YOU
Saumil Shah - www.net-square.com