SlideShare a Scribd company logo

Intelligent Application Security

Priyanka Aash, profile picture
Priyanka Aash

The document discusses shortcomings of traditional penetration testing and proposes an attacker emulation approach. It notes doctors once performed unnecessary medical procedures without understanding effectiveness. Similarly, penetration tests focus on finding bugs but not how real attackers operate. The document advocates profiling attacker groups, rebuilding their playbooks, replaying the playbooks against organizations, and using the results to strengthen defenses. It provides examples of how different attackers operate and argues this method could improve security assessments.

Technology
1 of 41
Downloaded 17 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
#RSAC Julian Cohen Intelligent Application Security @HockeyInJune
#RSAC Julian Cohen | @HockeyInJune Product Security | Flatiron Health Previously Application Security | Financial Services Vulnerability Researcher | Defense Industry Penetration Tester | Boutique Consultancy Adjunct Professor | New York University
#RSAC Parallel Industry Anecdote
#RSAC Tonsillectomies in 1930 “It is a little difficult to believe that among the mass of tonsillectomies performed to-day all subjects for operation are selected with true discrimination, and one cannot avoid the conclusion that there is a tendency for the operation to be performed as a routine prophylactic ritual for no particular reason and with no particular result.” http://ije.oxfordjournals.org/content/37/1/9.full
#RSAC Mammary Artery Ligations in 1955 “Both the patients who did have their mammary arteries constricted and those who didn’t reported immediate relief from their chest pain. In both groups the relief lasted about three months—and then complaints about chest pain returned. Meanwhile, electrocardiograms showed no difference between those who had undergone the real operation and those who got the placebo operation.” Predictably Irrational, Dan Ariely, 2009
#RSAC Modern Security Medicine Doctors were recommending the procedure and patients were having the procedure, regardless of its effectiveness The expected results of the procedure did not match with the actual results, but no one noticed or changed anything
#RSAC Penetration Testing
#RSAC The Status Quo Penetration Testers are our experts Methodologies built from experience and intuition Application Security programs focused on fixing bugs Continuous loop of discovering and fixing issues Organizations continue to get owned
#RSAC Penetration Testing Considered Harmful Haroon Meer, 2010, 44CON Limited Scope Bad Testers Poor OPSEC The penetration testing industry a market for lemons http://blog.thinkst.com/p/penetration-testing-considered-harmful.html http://www.econ.yale.edu/~dirkb/teach/pdf/akerlof/themarketforlemons.pdf
#RSAC Penetration Testing Market Survey http://eprints.lancs.ac.uk/74275/1/Penetration_testing_online_2.pdf
#RSAC http://eprints.lancs.ac.uk/74275/1/Penetration_testing_online_2.pdf
#RSAC Average Penetration Test Results depend on which testers are available Results depend on your tester’s mood Results depend on your kick-off call Results depend on your scope Testers focused on writing a “Nice Report” Testers focused on discovering cool vulnerabilities
#RSAC Pentests Avoid Highly Likely Attacks Penetration Testing Considered Harmful Haroon Meer, 2010, 44CON http://blog.thinkst.com/p/penetration-testing-considered-harmful.html
#RSAC The Wrong Things In The Right Places Penetration testing avoids highly likely attacks because the vulnerabilities that our penetration testers and our application security engineers find are not the vulnerabilities that real attackers find
#RSAC Attackers
#RSAC Everything You Know Is Wrong Defenders make bad assumptions about attackers Defenders do not understand attackers Defenders are not profiling attackers correctly And that’s why the attackers keep winning
#RSAC Attacker Fallacies Resourced Attackers Intelligent Attackers http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf http://blog.trailofbits.com/2013/05/20/writing-exploits-with-the-elderwood-kit-part-2/
#RSAC Attacker Fallacies Motivated Attackers Dumb Attackers https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf https://en.wikipedia.org/wiki/Operation_Aurora
#RSAC Insight From Offense All attackers are resource constrained Resourced constrained attackers favor low-overhead attacks Low-overhead requires good scalability
#RSAC Attacker Playbooks Attackers that have multiple targets care about repeatability and scalability
#RSAC Operational Efficiency Playbooks depend on: Who their targets are Intended success rate How fast they need to convert
#RSAC Attackers operate like efficient businesses • Experts at the top • Employees are cheap and complete simple tasks • Employees who don't meet their goals are fired • Inefficient organizations fail quickly Penetration testers operate like hobbyists • All employees are experts • Employees are expensive • Employees who do not produce are hard to fire • Organizations that do not produce do not fail • Customers rarely care about output
#RSAC Attackers In defense, we mistake attacker efficiency for inadequacy We are not being effective against certain attackers because we don’t understand how they operate
#RSAC Complexity of Solution If you don't like the game, hack the playbook… Peiter “Mudge” Zatko, 2011, Everywhere http://www.slideshare.net/scovetta/2011-11-07-cyber-colloquium-zatko
#RSAC Attacker Cost Graph Attacker “Math” 101 Dino Dai Zovi, 2011, SOURCE Boston, Summercon https://www.trailofbits.com/resources/attacker_math_101_slides.pdf
#RSAC Case Study: Syrian Electronic Army Also: Lizard Squad and Anonymous Politically-motivated, low-resourced attackers DNS hijacking by phishing DNS providers DDoS attacks with custom software Website defacing on shared hosting providers Conclusion: No web vulnerabilities used http://news.harvard.edu/gazette/story/2013/08/hack-attacks-explained/ http://www.infowar-monitor.net/2011/06/syrian-electronic-army-disruptive-attacks-and-hyped-targets/
#RSAC Case Study: Elderwood Also: PLA Unit 61398 State-sponsored, well-resourced attackers Mostly low reliability Internet Explorer bugs ASLR/DEP bypasses with Microsoft Office/Java Exploits delivered via phishing and watering holes Conclusion: Web vulnerabilities only when needed http://blog.trailofbits.com/2013/05/14/writing-exploits-with-the-elderwood-kit-part-1/ http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
#RSAC Case Study: ShadowCrew Also: Other organized crime groups Financially-motivated, well-resourced attackers Credit card data theft via SQL injection Typically targets one website at a time Scaled poorly with tools like sqlmap and havij Conclusion: One web vulnerability used at a time http://www.wired.com/2010/03/tjx-sentencing/
#RSAC Observations Real attackers don’t attack web applications (mostly) These vulnerabilities are not scalable and repeatable Attackers focus on inexpensive, but effective methods The only application security threat is sqlmap (sqlmap is not much of a threat)
#RSAC http://momentum.partners/docs/Cybersecurity_Market_Review_Q4_2015.pdf New Security Strategy
#RSAC Lockheed Martin’s Intrusion Kill Chain Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin, Ph.D. 6th International Conference Information Warfare and Security (ICIW 11) http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
#RSAC Attacker Emulation Identify Attackers Profile Attackers Obtain Key Tactics Rebuild Playbook Replay Playbook Utilize Results
#RSAC Step 4: Rebuild Playbook Run sqlmap against your web applications
#RSAC Results Repeatable Precise Practical Effective
#RSAC Threat “Intelligence” Instead of ephemeral information like IP addresses, MD5 hashes, and other indicators of compromise, we should be collecting and sharing indelible information on techniques and procedures
#RSAC Free Business Ideas Intelligence on attacker tactics and procedures Attack emulation service Which attacker groups I am vulnerable to Identify Attackers Profile Attackers Obtain Key Tactics Rebuild Playbook Replay Playbook Utilize Results
#RSAC Conclusion The security industry lacks a focus on accurate attacker methodologies during assessments
#RSAC Future Work We are only discussing application security The same techniques can be applied to: Infrastructure Security and Lateral Movement Client-Side Security and Endpoint Security Reconnaissance and Social Engineering (Phishing)
#RSAC Attacker Emulation Example: RSA Identify Attackers: Economic Espionage Strategic Espionage Profile Attackers: State-Sponsored Well-Resourced Obtain Key Tactics: Phishing Watering Hole Client-Side Exploitation Rebuild Playbook: Public Reconnaissance Phishing Campaigns Client-Side Exploitation Replay Playbook: Launch Attack Utilize Results: Exploit Mitigation Sandboxing Execution Tree Analysis
#RSAC Thanks Justin Berman Nicholas Arvanitis Chris Sandulow Stuart Larsen Spencer Jackson Dino Dai Zovi Nick Freeman Brandon Edwards
#RSAC We’re Hiring! security@flatiron.com

More Related Content

PDF
Introduction and a Look at Security Trends
Priyanka Aash
 
PDF
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
Priyanka Aash
 
PDF
DON'T Use Two-Factor Authentication...Unless You Need It!
Priyanka Aash
 
PDF
Rise of the Hacking Machines
Priyanka Aash
 
PPTX
New Paradigms for the Next Era of Security
Sounil Yu
 
PDF
Evidence-Based Security: The New Top Five Controls
Priyanka Aash
 
PDF
Final presentation january iia cybersecurity securing your 2016 audit plan
Cameron Forbes Over
 
PPTX
Cybersecurity: How to Use What We Already Know
jxyz
 
Introduction and a Look at Security Trends
Priyanka Aash
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
Priyanka Aash
 
DON'T Use Two-Factor Authentication...Unless You Need It!
Priyanka Aash
 
Rise of the Hacking Machines
Priyanka Aash
 
New Paradigms for the Next Era of Security
Sounil Yu
 
Evidence-Based Security: The New Top Five Controls
Priyanka Aash
 
Final presentation january iia cybersecurity securing your 2016 audit plan
Cameron Forbes Over
 
Cybersecurity: How to Use What We Already Know
jxyz
 

What's hot (20)

PDF
The Incident Response Playbook for Android and iOS
Priyanka Aash
 
PPTX
Lessons Learned in Automated Decision Making / How to Delay Building Skynet
Sounil Yu
 
PDF
Pulling our-socs-up
Priyanka Aash
 
PPTX
Cyber Defense Matrix: Reloaded
Sounil Yu
 
PDF
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
MITRE - ATT&CKcon
 
PPTX
Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Sounil Yu
 
PPTX
LIFT OFF 2017: Transforming Security
Robert Herjavec
 
PPTX
Debunking the Hacker Hype: The Reality of Widespread Blackouts
Dragos, Inc.
 
PPTX
Cyber threat intelligence: maturity and metrics
Mark Arena
 
PPTX
The Diamond Model for Intrusion Analysis - Threat Intelligence
ThreatConnect
 
PDF
Solving the Asset Management Challenge for Cybersecurity (It’s About Time)
Enterprise Management Associates
 
PPT
The Changing Security Landscape
Arrow ECS UK
 
PDF
Insights from-NSAs-cybersecurity-threat-operations-center
Priyanka Aash
 
PPTX
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
North Texas Chapter of the ISSA
 
PPTX
IOT Security FUN-damental
Satria Ady Pradana
 
PDF
Integrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Priyanka Aash
 
PPTX
LIFT OFF 2017: Ransomware and IR Overview
Robert Herjavec
 
PDF
Pactera - Cloud, Application, Cyber Security Trend 2016
Kyle Lai
 
PDF
Hacking Cracking 2008
Jim Geovedi
 
PPTX
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”
Black Duck by Synopsys
 
The Incident Response Playbook for Android and iOS
Priyanka Aash
 
Lessons Learned in Automated Decision Making / How to Delay Building Skynet
Sounil Yu
 
Pulling our-socs-up
Priyanka Aash
 
Cyber Defense Matrix: Reloaded
Sounil Yu
 
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
MITRE - ATT&CKcon
 
Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Sounil Yu
 
LIFT OFF 2017: Transforming Security
Robert Herjavec
 
Debunking the Hacker Hype: The Reality of Widespread Blackouts
Dragos, Inc.
 
Cyber threat intelligence: maturity and metrics
Mark Arena
 
The Diamond Model for Intrusion Analysis - Threat Intelligence
ThreatConnect
 
Solving the Asset Management Challenge for Cybersecurity (It’s About Time)
Enterprise Management Associates
 
The Changing Security Landscape
Arrow ECS UK
 
Insights from-NSAs-cybersecurity-threat-operations-center
Priyanka Aash
 
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
North Texas Chapter of the ISSA
 
IOT Security FUN-damental
Satria Ady Pradana
 
Integrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Priyanka Aash
 
LIFT OFF 2017: Ransomware and IR Overview
Robert Herjavec
 
Pactera - Cloud, Application, Cyber Security Trend 2016
Kyle Lai
 
Hacking Cracking 2008
Jim Geovedi
 
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”
Black Duck by Synopsys
 
Ad

Similar to Intelligent Application Security (20)

PDF
Implementing a comprehensive application security progaram - Tawfiq
OWASP-Qatar Chapter
 
PPTX
Cybersecurity fundamental
Sudipto Krishna Dutta
 
PDF
Insecure trends in web technologies 2009
Chandrakanth Narreddy
 
PPTX
Appsec2013 assurance tagging-robert martin
drewz lin
 
DOCX
Charan Resume
Charan Mukkamala
 
PPTX
Stop Watering Holes, Spear-Phishing and Drive-by Downloads
Invincea, Inc.
 
PDF
Applied cognitive security complementing the security analyst
Priyanka Aash
 
PDF
2016 ISACA NACACS - Audit As An Impact Player For Cybersecurity
Nathan Anderson
 
PPTX
I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015
Claus Cramon Houmann
 
PDF
AOA_Report_TrapX_AnatomyOfAttack-MEDJACK
Saul Rosales
 
PPTX
First line of defense for cybersecurity : AI
Ahmed Banafa
 
PPTX
Designing Trustworthy AI: A User Experience Framework at RSA 2020
Carol Smith
 
PDF
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
eightbit
 
PDF
Top 13 hacking software for beginners.pdf
Dipak Tiwari
 
PDF
Fighting malware - keeping your Intellectual Property safe
Prayukth K V
 
PDF
Big Bang Theory: The Evolution of Pentesting High Security Environments
Chris Gates
 
DOCX
CYBER SECURITY PRIMERCYBER SECURITY PRIMERA brief in
OllieShoresna
 
PPTX
Introduction to cyber security
AliyuMuhammadButu
 
PPTX
Threat Check for Struts Released, Equifax Breach Dominates News
Black Duck by Synopsys
 
PDF
Securing the “Weakest Link”
Priyanka Aash
 
Implementing a comprehensive application security progaram - Tawfiq
OWASP-Qatar Chapter
 
Cybersecurity fundamental
Sudipto Krishna Dutta
 
Insecure trends in web technologies 2009
Chandrakanth Narreddy
 
Appsec2013 assurance tagging-robert martin
drewz lin
 
Charan Resume
Charan Mukkamala
 
Stop Watering Holes, Spear-Phishing and Drive-by Downloads
Invincea, Inc.
 
Applied cognitive security complementing the security analyst
Priyanka Aash
 
2016 ISACA NACACS - Audit As An Impact Player For Cybersecurity
Nathan Anderson
 
I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015
Claus Cramon Houmann
 
AOA_Report_TrapX_AnatomyOfAttack-MEDJACK
Saul Rosales
 
First line of defense for cybersecurity : AI
Ahmed Banafa
 
Designing Trustworthy AI: A User Experience Framework at RSA 2020
Carol Smith
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
eightbit
 
Top 13 hacking software for beginners.pdf
Dipak Tiwari
 
Fighting malware - keeping your Intellectual Property safe
Prayukth K V
 
Big Bang Theory: The Evolution of Pentesting High Security Environments
Chris Gates
 
CYBER SECURITY PRIMERCYBER SECURITY PRIMERA brief in
OllieShoresna
 
Introduction to cyber security
AliyuMuhammadButu
 
Threat Check for Struts Released, Equifax Breach Dominates News
Black Duck by Synopsys
 
Securing the “Weakest Link”
Priyanka Aash
 
Ad

More from Priyanka Aash (20)

PPTX
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
Priyanka Aash
 
PDF
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
Priyanka Aash
 
PDF
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
Priyanka Aash
 
PDF
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
Priyanka Aash
 
PDF
Lessons Learned from Developing Secure AI Workflows.pdf
Priyanka Aash
 
PDF
Cyber Defense Matrix Workshop - RSA Conference
Priyanka Aash
 
PDF
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
Priyanka Aash
 
PDF
Securing AI - There Is No Try, Only Do!.pdf
Priyanka Aash
 
PDF
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
Priyanka Aash
 
PDF
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
Priyanka Aash
 
PDF
10 Key Challenges for AI within the EU Data Protection Framework.pdf
Priyanka Aash
 
PDF
Techniques for Automatic Device Identification and Network Assignment.pdf
Priyanka Aash
 
PDF
Keynote : Presentation on SASE Technology
Priyanka Aash
 
PDF
Keynote : AI & Future Of Offensive Security
Priyanka Aash
 
PDF
Redefining Cybersecurity with AI Capabilities
Priyanka Aash
 
PDF
Demystifying Neural Networks And Building Cybersecurity Applications
Priyanka Aash
 
PDF
Finetuning GenAI For Hacking and Defending
Priyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
Priyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
Priyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
Priyanka Aash
 
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
Priyanka Aash
 
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
Priyanka Aash
 
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
Priyanka Aash
 
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
Priyanka Aash
 
Lessons Learned from Developing Secure AI Workflows.pdf
Priyanka Aash
 
Cyber Defense Matrix Workshop - RSA Conference
Priyanka Aash
 
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
Priyanka Aash
 
Securing AI - There Is No Try, Only Do!.pdf
Priyanka Aash
 
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
Priyanka Aash
 
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
Priyanka Aash
 
10 Key Challenges for AI within the EU Data Protection Framework.pdf
Priyanka Aash
 
Techniques for Automatic Device Identification and Network Assignment.pdf
Priyanka Aash
 
Keynote : Presentation on SASE Technology
Priyanka Aash
 
Keynote : AI & Future Of Offensive Security
Priyanka Aash
 
Redefining Cybersecurity with AI Capabilities
Priyanka Aash
 
Demystifying Neural Networks And Building Cybersecurity Applications
Priyanka Aash
 
Finetuning GenAI For Hacking and Defending
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
Priyanka Aash
 

Recently uploaded (20)

PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Approach and Philosophy of On baking technology
30anthuong17
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Cloud computing and distributed systems.
kkkkkhan
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 

Intelligent Application Security

  • 2. #RSAC Julian Cohen | @HockeyInJune Product Security | Flatiron Health Previously Application Security | Financial Services Vulnerability Researcher | Defense Industry Penetration Tester | Boutique Consultancy Adjunct Professor | New York University
  • 4. #RSAC Tonsillectomies in 1930 “It is a little difficult to believe that among the mass of tonsillectomies performed to-day all subjects for operation are selected with true discrimination, and one cannot avoid the conclusion that there is a tendency for the operation to be performed as a routine prophylactic ritual for no particular reason and with no particular result.” http://ije.oxfordjournals.org/content/37/1/9.full
  • 5. #RSAC Mammary Artery Ligations in 1955 “Both the patients who did have their mammary arteries constricted and those who didn’t reported immediate relief from their chest pain. In both groups the relief lasted about three months—and then complaints about chest pain returned. Meanwhile, electrocardiograms showed no difference between those who had undergone the real operation and those who got the placebo operation.” Predictably Irrational, Dan Ariely, 2009
  • 6. #RSAC Modern Security Medicine Doctors were recommending the procedure and patients were having the procedure, regardless of its effectiveness The expected results of the procedure did not match with the actual results, but no one noticed or changed anything
  • 8. #RSAC The Status Quo Penetration Testers are our experts Methodologies built from experience and intuition Application Security programs focused on fixing bugs Continuous loop of discovering and fixing issues Organizations continue to get owned
  • 9. #RSAC Penetration Testing Considered Harmful Haroon Meer, 2010, 44CON Limited Scope Bad Testers Poor OPSEC The penetration testing industry a market for lemons http://blog.thinkst.com/p/penetration-testing-considered-harmful.html http://www.econ.yale.edu/~dirkb/teach/pdf/akerlof/themarketforlemons.pdf
  • 10. #RSAC Penetration Testing Market Survey http://eprints.lancs.ac.uk/74275/1/Penetration_testing_online_2.pdf
  • 12. #RSAC Average Penetration Test Results depend on which testers are available Results depend on your tester’s mood Results depend on your kick-off call Results depend on your scope Testers focused on writing a “Nice Report” Testers focused on discovering cool vulnerabilities
  • 13. #RSAC Pentests Avoid Highly Likely Attacks Penetration Testing Considered Harmful Haroon Meer, 2010, 44CON http://blog.thinkst.com/p/penetration-testing-considered-harmful.html
  • 14. #RSAC The Wrong Things In The Right Places Penetration testing avoids highly likely attacks because the vulnerabilities that our penetration testers and our application security engineers find are not the vulnerabilities that real attackers find
  • 16. #RSAC Everything You Know Is Wrong Defenders make bad assumptions about attackers Defenders do not understand attackers Defenders are not profiling attackers correctly And that’s why the attackers keep winning
  • 17. #RSAC Attacker Fallacies Resourced Attackers Intelligent Attackers http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf http://blog.trailofbits.com/2013/05/20/writing-exploits-with-the-elderwood-kit-part-2/
  • 18. #RSAC Attacker Fallacies Motivated Attackers Dumb Attackers https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf https://en.wikipedia.org/wiki/Operation_Aurora
  • 19. #RSAC Insight From Offense All attackers are resource constrained Resourced constrained attackers favor low-overhead attacks Low-overhead requires good scalability
  • 20. #RSAC Attacker Playbooks Attackers that have multiple targets care about repeatability and scalability
  • 21. #RSAC Operational Efficiency Playbooks depend on: Who their targets are Intended success rate How fast they need to convert
  • 22. #RSAC Attackers operate like efficient businesses • Experts at the top • Employees are cheap and complete simple tasks • Employees who don't meet their goals are fired • Inefficient organizations fail quickly Penetration testers operate like hobbyists • All employees are experts • Employees are expensive • Employees who do not produce are hard to fire • Organizations that do not produce do not fail • Customers rarely care about output
  • 23. #RSAC Attackers In defense, we mistake attacker efficiency for inadequacy We are not being effective against certain attackers because we don’t understand how they operate
  • 24. #RSAC Complexity of Solution If you don't like the game, hack the playbook… Peiter “Mudge” Zatko, 2011, Everywhere http://www.slideshare.net/scovetta/2011-11-07-cyber-colloquium-zatko
  • 25. #RSAC Attacker Cost Graph Attacker “Math” 101 Dino Dai Zovi, 2011, SOURCE Boston, Summercon https://www.trailofbits.com/resources/attacker_math_101_slides.pdf
  • 26. #RSAC Case Study: Syrian Electronic Army Also: Lizard Squad and Anonymous Politically-motivated, low-resourced attackers DNS hijacking by phishing DNS providers DDoS attacks with custom software Website defacing on shared hosting providers Conclusion: No web vulnerabilities used http://news.harvard.edu/gazette/story/2013/08/hack-attacks-explained/ http://www.infowar-monitor.net/2011/06/syrian-electronic-army-disruptive-attacks-and-hyped-targets/
  • 27. #RSAC Case Study: Elderwood Also: PLA Unit 61398 State-sponsored, well-resourced attackers Mostly low reliability Internet Explorer bugs ASLR/DEP bypasses with Microsoft Office/Java Exploits delivered via phishing and watering holes Conclusion: Web vulnerabilities only when needed http://blog.trailofbits.com/2013/05/14/writing-exploits-with-the-elderwood-kit-part-1/ http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
  • 28. #RSAC Case Study: ShadowCrew Also: Other organized crime groups Financially-motivated, well-resourced attackers Credit card data theft via SQL injection Typically targets one website at a time Scaled poorly with tools like sqlmap and havij Conclusion: One web vulnerability used at a time http://www.wired.com/2010/03/tjx-sentencing/
  • 29. #RSAC Observations Real attackers don’t attack web applications (mostly) These vulnerabilities are not scalable and repeatable Attackers focus on inexpensive, but effective methods The only application security threat is sqlmap (sqlmap is not much of a threat)
  • 31. #RSAC Lockheed Martin’s Intrusion Kill Chain Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin, Ph.D. 6th International Conference Information Warfare and Security (ICIW 11) http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
  • 33. #RSAC Step 4: Rebuild Playbook Run sqlmap against your web applications
  • 35. #RSAC Threat “Intelligence” Instead of ephemeral information like IP addresses, MD5 hashes, and other indicators of compromise, we should be collecting and sharing indelible information on techniques and procedures
  • 36. #RSAC Free Business Ideas Intelligence on attacker tactics and procedures Attack emulation service Which attacker groups I am vulnerable to Identify Attackers Profile Attackers Obtain Key Tactics Rebuild Playbook Replay Playbook Utilize Results
  • 37. #RSAC Conclusion The security industry lacks a focus on accurate attacker methodologies during assessments
  • 38. #RSAC Future Work We are only discussing application security The same techniques can be applied to: Infrastructure Security and Lateral Movement Client-Side Security and Endpoint Security Reconnaissance and Social Engineering (Phishing)
  • 39. #RSAC Attacker Emulation Example: RSA Identify Attackers: Economic Espionage Strategic Espionage Profile Attackers: State-Sponsored Well-Resourced Obtain Key Tactics: Phishing Watering Hole Client-Side Exploitation Rebuild Playbook: Public Reconnaissance Phishing Campaigns Client-Side Exploitation Replay Playbook: Launch Attack Utilize Results: Exploit Mitigation Sandboxing Execution Tree Analysis
  • 40. #RSAC Thanks Justin Berman Nicholas Arvanitis Chris Sandulow Stuart Larsen Spencer Jackson Dino Dai Zovi Nick Freeman Brandon Edwards