Break IT Down by Josh Smith
0 likes164 views
The document discusses effective computer network defense techniques and strategies amidst prevalent cyber threats, emphasizing the importance of understanding attacker methodologies. Key recommendations include application whitelisting, patching software and operating systems, restricting admin privileges, utilizing host-based intrusion detection, and implementing event monitoring. The author stresses the need for organizations to leverage existing resources and adapt defenses based on actual threats, rather than relying on buzzword-heavy cybersecurity marketing.
Break IT Down by Josh Smith
- 1. BREAK I.T. DOWN A look at computer network defense techniques and strategies that actually work in a world of blinky light sales. Strait up defense served with a side of sarcasm. Joshua Smith – 2016.07.19
- 2. ABOUT ME
- 3. THE GOAL Discuss real world defense techniques to that make an attackers job hard(er) This does not mean It will be easy It will be free (don’t forget about the cost of time)
- 4. THE PROBLEM It’s 2016 and we still see headlines like this: Noodles & Company Payment Data May Have Been Hacked From high seas to high tech: Pirates hack shipping company Hackers selling 117 million LinkedIn passwords Troy investment company hacked; $495K stolen Lone wolf claims responsibility for DNC hack Canadian Gold-Mining Company Hacked, 14.8 GB Data Stolen China steel firm obtained hacked DuPont trade secrets
- 5. HOW? A macro enabled document, pivot, profit, rinse and repeat 1995 produced the first macro based malware We are still fighting (and losing) a 20+ year old battle 20 YEARS I SAID
- 6. THE ISSUE Defense is the daughter of offense If you don’t know an attackers tradecraft youare going to have a hard time keeping them out We are being sold: Machine Learning Cyber Next Gen The Cloud Etc.
- 7. IT’S MACROS TODAY, HOWEVER, JUST REMEMBER
- 8. Technical Control Recommendation Priority Application Whitelisting Only approved applications should beallowed to run (this includes .exe, .dll, .js, .bat, etc.) 1 Patch 3rd Party Software 3rd party software(Flash, Silverlight, Java, etc.) needs to bepatched 2 Patch OS OS patches properly distributed in a timely manner 3 Restrict Admin Privileges Users should not berunning with administrativerights 4 Host-based Intrusion Detection/PreventionSystem (HIDS/HIPS) Implement a HIDS/HIPS to identify when prevention has failed and a host has been successfully compromised 5 Network Segmentation Network segmentationhelps mitigatepost compromisepivoting (i.e., Pass- the-Hash and Pass-the-Ticket) 6 Web Application Firewall (WAF) Implement a WAF to help detect and prevent web based attacks against external websites 7 Event Monitoring Implement a monitored SIEM to gain visibility into your networks. Event sources include, but not limited to firewall, AV, ActiveDirectory, hosts, IDS/IPS, web logs, etc. 8 Office Document Threat Prevention All .doc, .docm, .xls, and .xlsm documents should beblocked if possibleat the email level and via Group Policy Objects (GPO’s) 9 SSL Interception SSL traffic should beintercepted (with exceptions) to identifymalicious traffic and filtered as well. 10
- 9. APPLICATION WHITELISTING Only approved applications are allowed to run Free and paid for options AV is the inverseof this (blacklisting) Not foolproof (seepowershell.exe) So when a unapproved program tries to run, it gets this:
- 10. PATCH 3RD PARTY SOFTWARE Adobe Flash is currently the most exploited 3rd party software* Other things like Adobe Reader, Microsoft Silverlight *This title usedbelongtoOracle/SunJava,butthatisnolongerthe case
- 11. PATCH OS PatchingMatters Even on Linux and embedded devices Remote exploits get all the press, but privilege escalation is what we typically exploit (if any exploits are used at all)
- 12. RESTRICT ADMINISTRATOR PRIVS Don’t let users run as administrators* Why? Pivoting Passwords Persistence * Yes, I know that this can bevery hard
- 14. HOST BASED IDS/IPS So I just bypassed your next-gen firewall, IPS, and synergistic AV product to compromise a fully patched box DO YOU SEE ME PIVOTING AND EXFILITRATING ALL OF YOUR DATA OUT THE FRONT DOOR?
- 15. NO? ATTACKER BE LIKE..
- 16. TAKEAWAY If you don’t remember anythingelse from this presentation remember this: DON’T FORGET ABOUT DETECTION Required Reading: https://ghostbin.com/paste/6kho7
- 17. NETWORK SEGMENTATION You have your company critical documents accessible to a machine that can look up Pokemon Go cheats?
- 18. WEB APPLICATION FIREWALL (WAF) Website logs are often overlooked Website attacks can be a forewarning of other things to come
- 19. EVENT MONITORING Logs need to be collected *and* analyzed Budgets often accountfor the cost of tools, not the time required to learn, monitor, and review those tools
- 20. OFFICE DOCUMENT THREAT PREVENTION Disable macros Can be done via GPOs
- 21. SSL INSPECTION About 50% of web traffic is now encrypted, including a lot of malicious traffic
- 22. A NOTE ABOUT “PEN TESTING” There is a vast difference between Vulnerability Assessment Penetration Test Red Teaming/Adversary Simulation Helpful when you believe you are secure or you need to grease the wheels to get more money To reduce costs don’t be afraid to whitecard (but make sure that doesn’t invalidate your test to the executives)
- 23. SUMMARY You probably can use a lot of what you already have to make security at your organization better Don’t fall for the blinky lights, buzzword laden sales job Cultural changes are hard and require management by in Don’t tailor your defense to what security companies are selling, tailor to what attackers are attacking Leverage red team engagements to get the support you need to make changes Don’t forget about detection Defense is hard, not impossible
- 24. REFERENCES Infosec Reactions - https://securityreactions.tumblr.com/ ASD Strategies to Mitigate Targeted Cyber Intrusions - http://www.asd.gov.au/infosec/top- mitigations/mitigations-2014-table.htm Application Whitelisting - http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-167.pdf Disable Office Macros - https://medium.com/@networksecurity/it-s-time-to-secure-microsoft- office-be50ec2797e3#.x5ll30jza