Dyn Director of Security Chris Brenton did a presentation in NYC regarding DNS security and how he learned some valuable lessons the absurd way.
Security Through Absurdity: Lessons Learned
December 13th, 2013
Chris Brenton
Director of Security
@chris_brenton

Why Security Through Absurdity?
• Because we need to enjoy life’s humorous moments

Two paths lie before you…

Enjoy the Journey
• Find the humor “nuggets”
• Leverage the life lessons
• Grow and move forward

Let It Thin Your Soul
• “Like butter scraped over too much bread”

Rock The Gandalf Look
• By increasing the gray hair density
• I already have a 14 yr old daughter dedicated to that last task

Our Journey Begins
• Contracted as a security consultant
• Owner wants locked down VPN access to business

Security Requirements
• Normally disabled state
• Must call first to get access
• Must know IP address

More Security Requirements
• 2 Factor authentication
• Time limit on access
• Log and alert on everything!

First Day Onsite
• I show up early
• UPS arrives
• Retrieves key from under rock
• Lets themselves into building

Is This A Problem?
• Key has been under rock for 5 years
• Everyone knows it’s there
  – “X” employees (including disgruntled ones)
  – All delivery couriers
  – Even the local pizza parlor staff

Did I Forget to Mention…
• Business model was computer sales
• In excess of $15K in inventory
• Nothing high risk saved on the corporate network

Security Task List
• Mitigate risks that could put you out of business next week
• Then move on to the week after that
• Lather, rinse, repeat

What Did Life Teach Me?
• Never assume a business risk analysis has been performed

What I Now Do Differently
• Don’t assume your contact understands their risks
• Perform a mini risk assessment

We implemented a great security solution… But don’t have resources to maintain it

Case Study #2
Phishing test

Phishing Test Exercise
• Contracted to help IT test social engineering
• Test all employees via email

The Setup

The Results
• 13 of 450 employees hit reply
• Sent their logon credentials
• Via plaintext email
• To an unknown outside address

The Response
• Email sent from real IT account
• Phishing test revealed
• Detailed explanation
• Phishing email included as reference

What Happened Next?
• 19 people hit “reply” and sent their credentials
• In response to an email telling them never to do this

Math Sanity Check…
13 < 19

Root Cause Analysis
• “I just skipped to the executive summary”

What Did Life Teach Me?
• Email is the wrong medium for in-depth concepts
• How you convey info matters

What I Now Do Differently
• Consider the proper medium to convey required information

We rely on host-based security… To warn us when the host has been compromised

Case Study #3
Phishing Rev 2

Phishing Attack
• Spoofed email from CEO
• Claims to point to a BBC article
• Link prompts for email logon name and password

The Results
• 6 people are duped
• Give away their logon name and password
• In order to read a news story

The Response
• Containment
• 2 Factor authentication
• Followed by a huge education and awareness effort

What Was Included
• Email to all employees
• Internal blog entries
• Updates to awareness training
• Leverage the grapevine

Segue to 30 days later

Pentester Hired
• Measure results of education effort
• Mass email phishing test sent

The Results
• Good news!
• An order of magnitude improvement in people reporting the attack

The Results
• Bad News!
• 6 people failed the test
• It’s a different 6 people

6 = 6

What Did Life Teach Me?
• You Can Never Save Everyone
• Strive for 100% but have realistic (cost effective) expectations

What I Now Do Differently
• Awareness training is good
• A reward system motivates people to leverage what they learned

We have an Internet policy… But not a Bring Your Own Device policy.

Case Study #4
Product security evaluation

The Setup
• Contracted by a bank
• Evaluate a new system they are considering for purchase
• Hired to evaluate security

The Evaluation
• Worst system ever!!!
• Hybrid that combines Windows and a mini computer
• Got root 3 times in 20 minutes

0wn3d During Preso

My Write Up
• Most pointed review I’ve written to date
• Documented why the architecture was horribly flawed
• Can’t be patched!

Quick Factoid!
• The word “horrible” has over 50 synonyms
• It is actually possible to use them all in a single professional document

How The Bank Responded
• They purchased the system
• And opted for the premium support
• Contract had already been signed

Convo With The Bank
Me: Which part of “horribly insecure” did you not understand?
Bank: But we can migrate the data without any conversion costs!
Me: Sounds like you made up your mind ahead of time. Why did you have me evaluate the system?
Bank: We hoped you would like it.

What Did Life Teach Me?
• Not everyone understands “Security Speak”

What I Now Do Differently
• Tailor to your audience: Convert “security speak” to “risk” and “financial” lingo

We collect system logs… but no one actually looks at them

Case Study #5
The Epic battle of good and evil…

The Setup
• DNS SaaS company
• Offers a “dynamic DNS” product
• Great solution for cloud users
• Unfortunately can be used for evil

How The Bad Guys Operate
• Build an infrastructure of “Command and Control” servers
• These manage infections and propagate malware
• The “brains” of the setup

C&C Infrastructure
• Designed to be fault tolerant
• Kill one server, the rest take up the slack
• Dynamic DNS provides redundancy if server is blocked or taken down
• Can recover when a few servers are lost

Old IR Methodology
• Block the account
• Black hole the host names
• Problem: If you don’t get the whole C&C network it can recover

New IR Methodology
• Research the account
• Help innocent clients recover their system from infection
• When evil, play cat and mouse

New IR in Practice
• Account created from Russia
• Ticked boxes as a suspect account
• 12+ scripted host names created
• Fingerprint of Neutrino actors

Time For Some Fun
• Let them create their servers
• Gave them time to deploy iframes
• Let servers get integrated into C&C
• Pointed their hosts at honeypots

Impact of Redirection
• Broke some C&C functionality
• ID 30+ other C&C servers
• Block 140,000 infections
• Collect new data on functionality

What We Did Next
• Warn C&C owners of infection
• Analyze previously unknown data
• Share data with the community
• Update our detection

What The Bad Guys Did Next
• What they always do
• Try to set their network back up

Segue to 6 hours later
• Bad guys come back
• Using different account credentials
• Same fingerprint
• Start spinning up new C&C servers

Lather, Rinse, Repeat
• We let them set up their C&C network
• Then take it all away
• This repeats a third time

Don’t Go Away Mad…
• Bad guys relocate to Central America service provider
• We warn the provider
• C&C network has yet to recover
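
The two ideas the case study turns on, an account that ticks the boxes as suspect because it scripts the creation of 12+ host names (“New IR in Practice”), and the same fingerprint coming back six hours later under different credentials (“Segue to 6 hours later”), as an added example. This is not code from the talk or from Dyn: the event fields, the burst thresholds, the naming-template fingerprint, the honeypot address and the sample events are all assumptions constructed for illustration. The geography check and the attribution to a particular crew are not modelled; the fingerprint here is only the naming template of the burst, which is what survives a change of account.

```python
"""Screening dynamic-DNS account activity for scripted C&C host creation.
Added example, not code from the talk or from Dyn. Field names, thresholds
and the fingerprint method are assumptions; the sample events are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class HostEvent:
    account: str       # assumed: customer account that created the host name
    hostname: str      # fully qualified dynamic-DNS host name
    created: datetime  # creation time

BURST_COUNT = 12                      # assumed, from the "12+ scripted host names" observation
BURST_WINDOW = timedelta(minutes=10)  # assumed burst window
HONEYPOT_IP = "192.0.2.53"            # placeholder sinkhole address (documentation range)

def _label(h: str) -> str:
    return h.split(".", 1)[0]

def _zone(h: str) -> str:
    return h.split(".", 1)[1] if "." in h else ""

def common_prefix(labels: list[str]) -> str:
    """Longest prefix shared by all labels (LCP of the lexicographic min and max)."""
    if not labels:
        return ""
    lo, hi = min(labels), max(labels)
    i = 0
    while i < min(len(lo), len(hi)) and lo[i] == hi[i]:
        i += 1
    return lo[:i]

def looks_scripted(labels: list[str]) -> bool:
    """Machine-generated names: uniform length, shared fixed prefix, unique
    alphanumeric tails. Hand-picked names (www, mail, vpn-office) fail the length test."""
    if len(labels) < 2:
        return False
    prefix = common_prefix(labels)
    tails = {x[len(prefix):] for x in labels}
    return (len({len(x) for x in labels}) == 1 and len(tails) == len(labels)
            and all(re.fullmatch(r"[a-z0-9]+", t) for t in tails))

def burst(events: list[HostEvent]) -> list[HostEvent]:
    """Largest group of creations inside one BURST_WINDOW (sliding window)."""
    ordered = sorted(events, key=lambda e: e.created)
    best: list[HostEvent] = []
    start = 0
    for end in range(len(ordered)):
        while ordered[end].created - ordered[start].created > BURST_WINDOW:
            start += 1
        if end - start + 1 > len(best):
            best = ordered[start:end + 1]
    return best

def fingerprint(events: list[HostEvent]) -> str:
    """Naming template of a burst; independent of credentials, so a returning
    actor under a fresh account still matches."""
    labels = [_label(e.hostname) for e in events]
    zones = ",".join(sorted({_zone(e.hostname) for e in events}))
    return f"prefix={common_prefix(labels)};len={len(labels[0])};zones={zones}"

def screen_account(account: str, events: list[HostEvent]) -> dict:
    """Suspect when a burst of BURST_COUNT or more scripted names is seen."""
    b = burst([e for e in events if e.account == account])
    scripted = looks_scripted([_label(e.hostname) for e in b])
    suspect = scripted and len(b) >= BURST_COUNT
    return {"account": account, "burst_size": len(b), "scripted": scripted,
            "suspect": suspect, "fingerprint": fingerprint(b) if suspect else None}

def returning_actors(events: list[HostEvent]) -> dict[str, list[str]]:
    """Suspect accounts grouped by fingerprint; two accounts under one key is a comeback."""
    groups: dict[str, list[str]] = {}
    for account in sorted({e.account for e in events}):
        r = screen_account(account, events)
        if r["suspect"]:
            groups.setdefault(r["fingerprint"], []).append(account)
    return groups

def sinkhole_records(account: str, events: list[HostEvent]) -> dict[str, str]:
    """Record overrides pointing every host of a flagged account at the honeypot."""
    return {e.hostname: HONEYPOT_IP for e in events if e.account == account}

def _scripted(account: str, tails: list[str], start: datetime, step_s: int) -> list[HostEvent]:
    return [HostEvent(account, f"upd{t}.ddns.example", start + timedelta(seconds=i * step_s))
            for i, t in enumerate(tails)]

# Constructed sample: acct-A scripts 14 names in ~2 minutes, acct-B is an ordinary
# customer, acct-C is the same naming template coming back 6 hours later.
T0 = datetime(2013, 12, 1, 3, 0, 0)
SAMPLE_EVENTS = (
    _scripted("acct-A", ["a7k3q", "b2m9x", "c4r1w", "d8t5n", "e3y6p", "f9u2s", "g1v7h",
                         "h5w4j", "i2x8k", "j6z3l", "k3q9m", "l7s1r", "m4n6t", "n8p2v"], T0, 10)
    + [HostEvent("acct-B", "www.ddns.example", T0 - timedelta(days=40)),
       HostEvent("acct-B", "mail.ddns.example", T0 - timedelta(days=12)),
       HostEvent("acct-B", "vpn-office.ddns.example", T0 - timedelta(days=3))]
    + _scripted("acct-C", ["o2q7x", "p5r3y", "q9s1z", "r4t8a", "s7u2b", "t1v6c", "u6w3d",
                           "v3x9e", "w8y4f", "x2z1g", "y5a7h", "z9b3j", "aa1c2"],
                T0 + timedelta(hours=6), 15))

if __name__ == "__main__":
    for account in ("acct-A", "acct-B", "acct-C"):
        print(screen_account(account, SAMPLE_EVENTS))
    print(returning_actors(SAMPLE_EVENTS))
    print(sinkhole_records("acct-A", SAMPLE_EVENTS))
```

Run as a script it prints acct-A and acct-C as suspect with the same fingerprint, acct-B as clean, and the honeypot overrides for acct-A. The point of keying the comeback check on the naming template rather than on the account is the one the talk makes: blocking the account alone lets the network recover, while a fingerprint that survives re-registration lets the provider keep taking the rebuilt C&C away each time.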

What Did Life Teach Me?
• Remember as you watch this film
• When things appear their darkest
• Evil may win some of the battles
• Good always wins the epic war

Thanks For Attending!
@Chris_Brenton