Upload
buithien
View
231
Download
2
Embed Size (px)
Citation preview
SESSION ID:
#RSAC
Joseph R. Salazar
Using Deception and Forensics to Detect Threats from Within
CRWD-R02
Sales Engineering ManagerAttivo Networks
#RSAC
About you (I assume…)
3
You are somewhat familiar with current threats
You have passing familiarity with deception technologies
You are familiar with forensic technologies
You want to improve your information security
#RSAC
Objectives
4
To understand why breaches are so prevalent
To show the value of deception technologies
To explore how forensics can enhance security
#RSAC
The Cycle of Pain
5
Source: Infosecinstitute.org
CompleteMission
InitialCompromise
InitialRecon
EstablishFoothold
EscalatePrivileges
#RSAC
Anatomy of a Data Breach
Initial ReconAttacker chooses a target
Attacker does research on the targetSocial networkingIT network
CompleteMission
InitialCompromise
InitialRecon
EstablishFoothold
EscalatePrivileges
6
#RSAC
Anatomy of a Data Breach
Initial compromiseAttacker compromises a system
Phishing attackSocial engineeringTechnical breach
InitialCompromise
CompleteMission
InitialCompromise
InitialRecon
EstablishFoothold
EscalatePrivileges
7
#RSAC
Anatomy of a Data Breach
8
CompleteMission
InitialCompromise
InitialRecon
EstablishFoothold
EscalatePrivileges
Establish a FootholdAttacker installs malware on the compromised system
Remote Access TrojanBackdoorHarvest stored credentialsEstablish Command and Control
#RSAC
Anatomy of a Data Breach
9
CompleteMission
InitialCompromise
InitialRecon
EstablishFoothold
EscalatePrivileges
The Persistence CycleAttacker escalates privileges on the compromised system
Attacker spreads to other systems
Attacker maintains a persistentpresence on compromised systems or networks
#RSAC
Anatomy of a Data Breach
10
Complete missionAttacker packages files for theft
Attacker exfiltrates stolen data
Attacker deletes traces of activities during the breach
CompleteMission
InitialCompromise
InitialRecon
EstablishFoothold
EscalatePrivileges
#RSAC
Why are breaches so prevalent?
11
Users are bad at security
AV can’t keep up with new malware
Unpatched vulnerabilities
Distributed workforce and the porous perimeter
#RSAC
Users – the Weakest Link
12
Bromium Survey – January 2015end users are the biggest security headache
Ponemon Institute Survey – 2015more security incidents are caused by unintentional mistakes than by intentional and/or malicious acts
#RSAC
AV (in)effectiveness
13
Imperva Hacker Intel monthly trend report #14, 2012
Damballa research findings, October 2014
Lastline labs report, May 2014, and April 2015
#RSAC
Malware Detection
14
AV detectionSignature
File byte sequenceFile hash
Heuristics
Malware sandbox
#RSAC
Malware Detection Evasion
15
Evading AVCompression
Packaging and encoding
Encryption
Targeting
File-less execution
Evading sandbox analysisDelayed Onset
Sandbox hypervisor detection
Human Pulse detection
#RSAC
Vulnerabilities and the porous perimeter
16
Complex software has undisclosed vulnerabilitiesZero days
Malware economy
Distributed workforce“free” wi-fi
#RSAC
What is Deception?
18
Military deception refers to attempts to mislead enemy forces during warfare, usually by creating or amplifying an artificial fog of war through disinformation and other methods.
Wikipedia
#RSAC
The assumption: No one should legitimately be communicating with your deception assets
Deceive and detect
Deception mechanismsHoneypots
Honeynets
Honeytokens
Deception in Information Security
19
#RSAC
Honeynets
21
"A honeynet is a network of high interaction honeypots that simulates a production network and configured such that all activity is monitored, recorded and in a degree, discreetly regulated."
Lance Spitzner, founder of the Honeynet Project, in his 1999 paper "To Build a Honeypot“.
#RSAC
Honeytokens
22
Non-production pieces of data
No prevention of data tampering
Indicates that data integrity has been compromised
#RSAC
Traditional Deception as Network Security
24
Distracts attackers from sensitive production assets
Decreases likelihood of attacker finding a legitimate production asset
Increases likelihood of detecting internal scans
Understand what data was breached
#RSAC
Modern Deception for Intelligence
25
Provides threat intelligence and insightTactics/techniques/procedures
Targets/motives
Integration with security devices
#RSAC
What is computer forensics?
26
Computer forensics (sometimes known as computer forensic science) is a branch of digital forensic science pertaining to evidence found in computers and digital storage media.
Wikipedia
#RSAC
Forensics and malware incident response
28
Positive identification of infected systems
Post infection malware analysis
Identify affected data
#RSAC
What about network forensics?
29
Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection.
Wikipedia
#RSAC
Tying forensics with deception
31
Host forensics on a deception asset
Network forensics on networked deception assets
Threat intelligenceHost change tracking
IOCs
PCAPs
#RSAC
Wrapping it up (the quiz at the end)
32
Why are breaches so prevalent?
What can deception do for you?
What can forensics give you?
#RSAC
Applying this back home
33
Next week you should:Identify gaps in your internal visibility and threat intelligence
In the first three months following this presentation, you should:Evaluate deception and forensics solutions to bridge those gaps
Within six months to a year, you should:Deploy deception and forensic solutions that meet your requirements