
Page 1

www.menaisc.com

Outmaneuver, Outperform, and Outfight the Adversary

GAINING A DECISIVE ADVANTAGE THROUGH TERRAIN BASED CYBER DEFENSE

NICK LANTUH, CEO

Page 2

Gaining A Decisive Advantage Through Terrain Based Cyber Defense

Outmaneuver, Outperform, and Outfight the Adversary

Nick Lantuh, CEO, Fidelis, [email protected]

Page 3

© Fidelis Cybersecurity

Security Operation Centers (SOCs) Under Siege

• Lack full visibility of devices on the network and no contextual understanding of threats
• Overwhelming volumes of alerts to triage and investigations to conduct
• Capabilities are not fully utilized, while duplicative capabilities add complexity
• Products lack integration and automation, slowing down response times
• Focus on reactive measures rather than predictive or proactive approaches
• More data isn’t better – it’s about zeroing in on the right data and making it actionable
• There is no holistic understanding of a composite solution’s effectiveness

Page 4

SIEM-Centric Security is Log Centric and Not Enough

• To connect the dots, we rely on a compliance tool… the SIEM. But the SIEM is fully dependent on the connected sources of log-related data from disparate sources
• Flood of alerts and false positives based on log and flow-based, noisy indicators – Slows the Ability to Respond!
• Missing content and context!
• Can’t rapidly answer the: Who, What, When, Where and How

Page 5

Detect What Others Miss

Existing threat detection and response solutions (including DLP) do not look in ALL of the Right Places.

WHAT they see:
• Can’t find malware hidden deep inside content (Email & Attachment → Archive → PDF → Malicious Binary)

WHEN they see it:
• Don’t see attackers after the initial compromise (ATTACK LIFECYCLE: Initial Compromise → Establish Foothold → Escalate Privileges → Lateral Propagation → Data Staging & Exfiltration)

WHERE they look:
• Blind to attackers operating on non-standard ports (HTTP (port 80), HTTPS (port 443), Mail (port 25) versus thousands of ports and protocols)

Page 6

Detect What Others Miss

Same diagram as page 5, with two callouts:

Most Security Solutions Only Look HERE

But Attackers Live Here… and Fidelis Sees Them

Page 7

Understanding the Power of Metadata

Manual searching, automatic analytics, anomaly detection… at a fraction of the cost of full PCAP storage and with much faster response times.

WHO: Domain user, Webmail user, FTP user, email address, device ID, organization name
WHAT: filenames, SHA256, MD5, content tags, malware name, malware type
WHEN: From right now back through time – as long as you’re willing to store the data
WHERE: Source, Destination, country, IP address, organization, URL, Domain
HOW: protocols, applications, file type, User Agent, custom protocols, obfuscated files and scripts
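As an added illustration of the WHO / WHAT / WHEN / WHERE / HOW breakdown above (example code written for this page, not Fidelis product code; every record, hash, host name and address in it is constructed), the block below keeps a handful of session-metadata records and runs the kind of retrospective hunt the slide describes: an indicator arrives today and the question is who touched it, when, from where and over what protocol, answered from stored metadata rather than from full packet captures.

```python
"""Retrospective hunt over session metadata (added example; all data constructed)."""

# Constructed session-metadata records. Each one carries the WHO (user, device),
# WHAT (file, sha256), WHEN (ts), WHERE (src, dst, domain) and HOW (proto,
# dst_port, user_agent) fields from the slide. Hashes and hosts are placeholders.
SESSIONS = [
    {"ts": "2019-02-04T09:02:11", "user": "alice", "device": "PC1",
     "src": "10.0.1.10", "dst": "198.51.100.20", "domain": "intranet.example",
     "proto": "https", "dst_port": 443, "user_agent": "Mozilla/5.0",
     "file": None, "sha256": None},
    {"ts": "2019-02-07T14:35:42", "user": "bob", "device": "PC2",
     "src": "10.0.1.11", "dst": "203.0.113.7", "domain": "cdn-update.example",
     "proto": "http", "dst_port": 8080, "user_agent": "Mozilla/5.0",
     "file": "invoice.zip", "sha256": "f00d" * 16},
    {"ts": "2019-02-07T14:40:03", "user": "bob", "device": "PC2",
     "src": "10.0.1.11", "dst": "10.0.2.5", "domain": "dataserver.example",
     "proto": "smb", "dst_port": 445, "user_agent": None,
     "file": "q4-forecast.xlsx", "sha256": "c0de" * 16},
    {"ts": "2019-02-20T11:15:00", "user": "carol", "device": "PC3",
     "src": "10.0.1.12", "dst": "198.51.100.25", "domain": "mail.example",
     "proto": "smtp", "dst_port": 25, "user_agent": None,
     "file": "agenda.pdf", "sha256": "abcd" * 16},
]

# Fields an indicator is matched against (hashes, hosts, addresses, users, files).
INDICATOR_FIELDS = ("sha256", "domain", "src", "dst", "user", "device", "file")


def hunt(sessions, indicator):
    """Every stored session carrying the indicator in any WHO/WHAT/WHERE field,
    oldest first. Reaches as far back as metadata has been retained."""
    hits = [s for s in sessions if any(s[f] == indicator for f in INDICATOR_FIELDS)]
    return sorted(hits, key=lambda s: s["ts"])


def first_seen(sessions, indicator):
    """Timestamp of the earliest session involving the indicator, or None."""
    hits = hunt(sessions, indicator)
    return hits[0]["ts"] if hits else None


def pivot(sessions, indicator, field):
    """Distinct values of one field across the sessions that matched the indicator,
    e.g. every destination a suspect device talked to."""
    return sorted({s[field] for s in hunt(sessions, indicator) if s[field] is not None})


def timeline(sessions, device, since_ts):
    """What a device did from a given moment onward: the follow-on activity an
    analyst reviews once the initial hit is found (ISO timestamps sort lexically)."""
    return [s for s in sorted(sessions, key=lambda s: s["ts"])
            if s["device"] == device and s["ts"] >= since_ts]


def describe(session):
    """Answer the five questions for one session in a single line."""
    return (f"WHO {session['user']}@{session['device']} | "
            f"WHAT {session['file']} {session['sha256']} | WHEN {session['ts']} | "
            f"WHERE {session['src']}->{session['dst']} ({session['domain']}) | "
            f"HOW {session['proto']}/{session['dst_port']} ua={session['user_agent']}")


if __name__ == "__main__":
    # Scenario: threat intel flags the constructed hash f00d... as malware today.
    bad_hash = "f00d" * 16
    for hit in hunt(SESSIONS, bad_hash):
        print(describe(hit))
        for follow in timeline(SESSIONS, hit["device"], hit["ts"])[1:]:
            print("  then:", describe(follow))
```

The hunt finds the download on port 8080 weeks after the fact, and the timeline pivot shows the same device reaching the data server minutes later; both answers come from a few hundred bytes of metadata per session, which is the storage-cost argument the slide makes.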

Page 8

The Security Objective: Protect Data and Assets

In Order to Protect Data, YOU MUST KNOW YOUR TERRAIN

1. What do we need to secure?
2. What information is of value?
3. What assets do we have?
4. What are adversaries doing?

Adversaries Know How to Exploit Blind Spots in Your Terrain

Know Your Network: determine the most likely paths of exfiltration, C&C, surveillance, etc.

Page 9

Gain The Decisive Advantage

• Continuous real-time visibility of managed and unmanaged assets (including which assets have vulnerabilities, which are the most critical, where critical data resides, and exposing the high-risk paths to the most critical assets and data) to minimize blind spots in the environment
• Threat-driven operation (alert defenders to the emerging and evolving threats most likely to impact their networks and systems), because you can’t defeat what you don’t detect
• Shape the adversary experience (modifying the attack surface in the defenders’ favor) by adding cost, risk, and complexity to their operations
• Consolidate the cybersecurity stack with proactive (including dynamically changing cybersecurity posture in response to evolving threats), protective, predictive, reflective and reactive defensive cyber operations in a single coherent interface

Page 10

Gain Full Visibility, Detect and Respond to Threats Faster with Fidelis Elevate

Deep Visibility
• See across all traffic, all ports, all protocols, lateral movement and all endpoint activity
• Discover and classify all network assets, including enterprise IoT, software inventory, CVE
• Decode and analyze embedded sessions with patented Deep Session Inspection®
• Inspect all content flowing over the network – from both threat and data loss perspective

Faster Response
• Automate response - isolate the endpoint, rollback to previous snapshot, CVE scanning, jumpstart playbooks, and more
• Confirm and stop data theft by content inspection of all outgoing network activity

Accurate Detection
• Capture and store all metadata for real-time and retrospective analysis
• Accurate and fast detection driven by curated threat intelligence, integrated sandboxing, machine learning algorithms to extract IoCs, and AV
• Automatically validate, consolidate, and correlate network alerts against every endpoint

Page 11

Terrain: Discover & Identify Your Assets

Provides insights into an organization’s resources through passive identification, profiling and classification.

Assets: Devices (servers, endpoints, IoT, legacy systems), Data
Usage: OS, Applications, Ports, Comm. Channels and Network Servers
Servers: FTP, SSH, DNS, Proxy; Shadow-IT tools, Legacy Applications, App Servers, Tools
Discover: Automatic Processes vs. Human Browsing Sessions; Internal and External Activities
Visualization: Graphs of Asset Connectivity

Page 12

What is Key Terrain in Cyber Space?

“Cyber terrain exists across the cyberspace planes and there are many features of cyber terrain that can provide an advantage to one side or the other. By understanding this cyber key terrain, a network defender knows where to focus his energy to prevent penetration and an attacker can select a target within a network that provides maximum potential for success.”

D. Raymond, G. Conti, T. Cross, and M. Nowatkowski, “Key terrain in cyberspace: Seeking the high ground,” in Cyber Conflict (CyCon), 2014 6th International Conference on, June 2014.

Page 13

Attack Surface Manipulation: Understand the Ratios

Percentage of Exploitable Terrain = Quantity of Exploitable Terrain / Quantity of Total Terrain

Cyber Security Goal: Reduce this ratio to impact the percentage of exploitable terrain.

Numerator (Quantity of Exploitable Terrain): lower this number by patching vulnerabilities, decommissioning.
Challenges:
• May be hard due to unknown CVE
• Legacy Systems
• Systems unable to have EP deployed to them

Denominator (Quantity of Total Terrain): increase this number by deploying unexploitable terrain (i.e. decoy hosts).
Challenges:
• No ability to orchestrate or configure the deployment of decoys

Key Takeaway: The problem with altering the numerator to lower the overall attack surface is that there may be systems that cannot be patched. This poses a unique problem for monitoring and detecting issues where many of these assets are static and require additional mechanisms for protection.
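To make the ratio above concrete, the following added example (written for this page, not Fidelis code; the asset inventory is constructed) models terrain as a list of assets and applies the two levers the slide names, patching or decommissioning to shrink the numerator and deploying decoys to grow the denominator. It also reports the residue the key takeaway warns about: the unpatchable systems that stay exploitable no matter how far the ratio falls.

```python
"""Exploitable-terrain ratio from the slide, with the two levers it names.
Added example; the asset inventory is constructed."""

# Constructed inventory. "exploitable" marks terrain with a known weakness;
# "patchable" is False for the legacy / no-endpoint-protection systems the
# slide calls out as the hard case.
ASSETS = [
    {"name": "web01", "exploitable": True, "patchable": True, "decoy": False},
    {"name": "db01", "exploitable": True, "patchable": True, "decoy": False},
    {"name": "plc-legacy", "exploitable": True, "patchable": False, "decoy": False},
    {"name": "hvac-ctrl", "exploitable": True, "patchable": False, "decoy": False},
] + [{"name": f"pc{i}", "exploitable": False, "patchable": True, "decoy": False}
     for i in range(1, 7)]


def exploitable_ratio(assets):
    """Quantity of Exploitable Terrain / Quantity of Total Terrain."""
    if not assets:
        return 0.0
    return sum(1 for a in assets if a["exploitable"]) / len(assets)


def patch(assets):
    """Numerator lever: patching clears the weakness only where patching is possible."""
    return [dict(a, exploitable=a["exploitable"] and not a["patchable"]) for a in assets]


def decommission(assets, names):
    """Numerator lever: retiring a system removes it from both counts."""
    gone = set(names)
    return [a for a in assets if a["name"] not in gone]


def add_decoys(assets, count):
    """Denominator lever: decoys are unexploitable terrain, so they only grow the total."""
    decoys = [{"name": f"decoy{i}", "exploitable": False, "patchable": True, "decoy": True}
              for i in range(1, count + 1)]
    return assets + decoys


def residual_unpatchable(assets):
    """Static, unpatchable terrain left after patching: the systems the key takeaway
    says still need additional monitoring and protection."""
    return sorted(a["name"] for a in assets if a["exploitable"] and not a["patchable"])


def decoy_share(assets):
    """Fraction of the total terrain that is decoy, i.e. how much of the apparent
    surface a probe of a random host would land on."""
    if not assets:
        return 0.0
    return sum(1 for a in assets if a["decoy"]) / len(assets)


if __name__ == "__main__":
    steps = [("baseline", ASSETS)]
    steps.append(("after patching", patch(ASSETS)))
    steps.append(("after decommissioning hvac-ctrl", decommission(steps[-1][1], ["hvac-ctrl"])))
    steps.append(("after 10 decoys", add_decoys(steps[-1][1], 10)))
    for label, assets in steps:
        print(f"{label:32s} ratio={exploitable_ratio(assets):.3f} "
              f"residual={residual_unpatchable(assets)} decoy_share={decoy_share(assets):.2f}")
```

Patching takes the constructed inventory from 4/10 to 2/10, decommissioning one legacy host to 1/9, and ten decoys to 1/19; the ratio keeps falling, but `residual_unpatchable` still names the legacy controller, which is exactly the asset that needs the extra detection mechanisms the slide mentions.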

Page 14

A Curated Security Stack: Integrated, Automated & Correlated (FIDELIS ELEVATE™)

• Sensors: Gateway | Internal | Cloud | Email | Web
• Agents: Windows | Linux | Mac | Cloud
• Decoys: Breadcrumbs | Decoys | AD | MITM
• Threat Intelligence: Fidelis Insight, 3rd Party Threat Intel, Customer Defined Intel
• Sandboxing: Execution Analysis, File & Web Analysis
• ML-based Malware Detection
• Data Science: Statistical analysis, Supervised learning models
• Real Time Analysis – Detect and Respond
• Historical Metadata – Hunt and Investigate
• Response Automation and Analytics Engine
• SIEM
• SOAR

Page 15

ATT&CK™ Matrix for Enterprise: Detection & Response in-Depth Across the Kill Chain

Tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command & Control

20+ DETECTION METHODS ACROSS THE ENTIRE KILL CHAIN: Endpoint & Asset Terrain | Deep Session & Deep Packet Inspection | Sandboxing | Malware Detection | Metadata Analytics | Threat Intel

NETWORK VISIBILITY, DETECTION & RESPONSE: All ports and all protocols; Internal, Mail, and Web / ICAP sensors; On-premise and in the cloud
ENDPOINT VISIBILITY, DETECTION & RESPONSE: Agents installed on assets; On-premise and in the cloud
DECEPTION: Terrain visibility, decoys and breadcrumbs; Network sensors; No agents

Page 16

Benefits of Fidelis Deception

• Security Research
• Smart Alarm System
• Enterprise IoT Devices
• Non-Standard Devices
• High Fidelity Alerts, Few False Positives
• Low Friction, Enterprise Scale
• Automation & Adaptation
• No Risk, No Impact
• Network Terrain Mapping

Page 17

Deploy & Test Decoys

[Diagram: Endpoint PC1, PC2 and PC3, a Data Server and a Web Service connected to the Internet, alongside a Decoy Data Server, Decoy Folder, Decoy Web Service and Decoy Endpoint]

• Automatic creation of decoys
• Auto deployment & visibility test
• Advertise on networks
• DNS and ARP poisoning

Page 18

Deploy Breadcrumbs

[Diagram: the same network as page 17, with a “Breadcrumb” added on an endpoint]

Breadcrumb types: Cookies, Registry, Files, Recent docs., RDP/FTP/Service

• Auto create breadcrumbs
• Targeted mini-trap placement

Page 19

Active Directory Deception

[Diagram: the network of page 17, plus Active Directory, Faked Users, a Decoy and a “Breadcrumb”]

• Decoys access AD as normal assets using fake users.
• Decoy services published in AD.
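The decoy, breadcrumb and fake-AD-user slides share one detection property: no legitimate workflow ever connects to a decoy host or authenticates as a published fake user, so a single touch is an alert with essentially no false-positive baseline to tune. The block below is an added example (written for this page, not Fidelis code; the decoy inventory, account names and log lines are all constructed) that turns a decoy inventory into that rule over flow records and AD authentication events, then ranks the source endpoints so the responder knows which one to isolate first.

```python
"""Decoy and fake-account touches as high-fidelity alerts (added example; the
inventory, account names and log lines are all constructed)."""
import re

# Constructed decoy inventory. Nothing legitimate ever connects to these hosts
# or authenticates as these users, which is what makes a hit worth an alert.
DECOY_HOSTS = {"10.0.2.50": "decoy-dataserver", "10.0.2.51": "decoy-web"}
DECOY_USERS = {"svc_backup_old", "fin-admin"}   # fake users published in AD

# Constructed log lines: flow records from a network sensor and AD
# authentication events, plus one malformed line the parser must skip.
LOGS = [
    "2019-03-02T10:01:02 flow src=10.0.1.10 dst=10.0.2.5 dport=445",
    "2019-03-02T10:03:17 flow src=10.0.1.11 dst=10.0.2.50 dport=445",
    "2019-03-02T10:03:20 auth user=svc_backup_old src=10.0.1.11 result=failure",
    "2019-03-02T10:05:44 flow src=10.0.1.11 dst=10.0.2.51 dport=80",
    "2019-03-02T11:12:00 auth user=alice src=10.0.1.10 result=success",
    "garbage line the parser must skip",
]

FLOW_RE = re.compile(r"^(?P<ts>\S+) flow src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
AUTH_RE = re.compile(r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")


def detect(lines, decoy_hosts=DECOY_HOSTS, decoy_users=DECOY_USERS):
    """One alert per line that touches decoy terrain; everything else is ignored.
    No signature or behavioural baseline is needed: the inventory is the rule."""
    alerts = []
    for line in lines:
        m = FLOW_RE.match(line)
        if m:
            if m["dst"] in decoy_hosts:
                alerts.append({"ts": m["ts"], "src": m["src"], "kind": "decoy_host",
                               "detail": f"{decoy_hosts[m['dst']]}:{m['dport']}"})
            continue
        m = AUTH_RE.match(line)
        if m and m["user"] in decoy_users:
            # A failed logon as a fake user is as significant as a successful one:
            # the name was only ever discoverable from the breadcrumb or from AD.
            alerts.append({"ts": m["ts"], "src": m["src"], "kind": "decoy_user",
                           "detail": f"{m['user']} ({m['result']})"})
    return alerts


def rank_sources(alerts):
    """Sources ordered by number of decoy touches, most active first: the endpoint
    to isolate or investigate next."""
    counts = {}
    for a in alerts:
        counts[a["src"]] = counts.get(a["src"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    found = detect(LOGS)
    for a in found:
        print(a["ts"], a["src"], a["kind"], a["detail"])
    print("rank:", rank_sources(found))
```

On the constructed lines the real data-server access and the normal logon produce nothing, while the one endpoint that reaches both decoys and tries the fake account produces three alerts; the detection does not depend on how that endpoint was compromised, which is the "smart alarm system" property the benefits slide claims.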

Page 20

Profile & Classification

[Diagram: Endpoints PC1 to PC4, Data Server, Web Service, the decoys and breadcrumb of the previous slides, the Internet, and Cloud-based Sandboxing]

Traffic Analysis: DNS, HTTP, SSL; Browsers, Tools, etc.

Page 21

Wrap Up

Streamline cybersecurity defenses to maximize operational effectiveness and efficiency:

• OUTPERFORM the adversary by investing in reactive, proactive, and predictive capabilities to provide 100% coverage of the cyber threat framework
• OUTFIGHT the adversaries by delivering robust threat intelligence and hunting for advanced threats within our rich metadata
• OUTMANEUVER the adversary by altering the percentage of overall exploitable terrain using dynamic deception
• Operate Inside the Attacker’s Decision Cycle to GAIN THE DECISIVE ADVANTAGE

Page 22

Thank You – Q & A

Nick Lantuh, [email protected]

Join the Conversation: www.twitter.com/fideliscyber

www.threatgeek.com