Break IT Down by Josh Smith
BREAK I.T. DOWN
A look at computer network defense techniques and strategies that actually work in a world of blinky light sales. Straight up defense served with a side of sarcasm.
Joshua Smith – 2016.07.19
THE GOAL
Discuss real-world defense techniques that make an attacker's job hard(er)
This does not mean it will be easy
It will be free (don’t forget about the cost of time)
THE PROBLEM
It’s 2016 and we still see headlines like this:
Noodles & Company Payment Data May Have Been Hacked
From high seas to high tech: Pirates hack shipping company
Hackers selling 117 million LinkedIn passwords
Troy investment company hacked; $495K stolen
Lone wolf claims responsibility for DNC hack
Canadian Gold-Mining Company Hacked, 14.8 GB Data Stolen
China steel firm obtained hacked DuPont trade secrets
HOW?
A macro enabled document, pivot, profit, rinse and repeat
1995 produced the first macro based malware
We are still fighting (and losing) a 20+ year old battle
20 YEARS I SAID
THE ISSUE
Defense is the daughter of offense
If you don’t know an attacker's tradecraft you are going to have a hard time keeping them out
We are being sold:
Machine Learning
Cyber
Next Gen
The Cloud
Etc.
Technical Control: Recommendation (numbered by priority)
1. Application Whitelisting: Only approved applications should be allowed to run (this includes .exe, .dll, .js, .bat, etc.)
2. Patch 3rd Party Software: 3rd party software (Flash, Silverlight, Java, etc.) needs to be patched
3. Patch OS: OS patches properly distributed in a timely manner
4. Restrict Admin Privileges: Users should not be running with administrative rights
5. Host-based Intrusion Detection/Prevention System (HIDS/HIPS): Implement a HIDS/HIPS to identify when prevention has failed and a host has been successfully compromised
6. Network Segmentation: Network segmentation helps mitigate post-compromise pivoting (i.e., Pass-the-Hash and Pass-the-Ticket)
7. Web Application Firewall (WAF): Implement a WAF to help detect and prevent web-based attacks against external websites
8. Event Monitoring: Implement a monitored SIEM to gain visibility into your networks. Event sources include, but are not limited to, firewall, AV, Active Directory, hosts, IDS/IPS, web logs, etc.
9. Office Document Threat Prevention: All .doc, .docm, .xls, and .xlsm documents should be blocked if possible at the email level and via Group Policy Objects (GPOs)
10. SSL Interception: SSL traffic should be intercepted (with exceptions) to identify and filter malicious traffic.
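As an added illustration of the email-level control in item 9 (my own example, not from the deck): a mail-gateway attachment filter that blocks the listed extensions outright and quarantines any attachment whose content carries a VBA project even when its extension is one the policy allows. The OLE marker check is a heuristic I assume here, not a full compound-file parser, and the sample files are constructed.

```python
import io
import os
import zipfile

# Extensions the deck says to block outright at the email gateway.
BLOCKED_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm"}

# Legacy .doc/.xls files are OLE2 compound files; a VBA project shows up as a
# UTF-16LE stream name inside them (heuristic assumption, not a full OLE parser).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")

def contains_vba(data: bytes) -> bool:
    """Content-based check: does this attachment carry a VBA project?"""
    if data.startswith(OLE_MAGIC):
        return OLE_VBA_MARKER in data
    if data.startswith(b"PK"):  # OOXML (.docx/.docm/.xlsm) is a zip package
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as pkg:
                return any(n.lower().endswith("vbaproject.bin") for n in pkg.namelist())
        except zipfile.BadZipFile:
            return False  # truncated or fake zip: let a later AV stage decide
    return False

def gateway_verdict(filename: str, data: bytes) -> str:
    """Return 'block', 'quarantine' or 'allow' for one attachment."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return "block"  # policy from the deck: these extensions never get through
    if contains_vba(data):
        return "quarantine"  # macro content under an extension the policy allows
    return "allow"

def build_ooxml(with_vba: bool) -> bytes:
    """Constructed minimal OOXML package (not a real Word file) for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            pkg.writestr("word/vbaProject.bin", b"constructed vba part")
    return buf.getvalue()

# Constructed stand-in for a legacy binary .doc that contains a VBA project.
SAMPLE_LEGACY_DOC = OLE_MAGIC + b"\x00" * 64 + OLE_VBA_MARKER

if __name__ == "__main__":
    print(gateway_verdict("memo.docx", build_ooxml(True)))  # quarantine
```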
APPLICATION WHITELISTING
Only approved applications are allowed to run
Free and paid-for options
AV is the inverse of this (blacklisting)
Not foolproof (see powershell.exe)
So when an unapproved program tries to run, it gets this:
PATCH 3RD PARTY SOFTWARE
Adobe Flash is currently the most exploited 3rd party software*
Other things like Adobe Reader, Microsoft Silverlight
*This title used to belong to Oracle/Sun Java, but that is no longer the case
PATCH OS
Patching Matters
Even on Linux and embedded devices
Remote exploits get all the press, but privilege escalation is what we typically exploit (if any exploits are used at all)
RESTRICT ADMINISTRATOR PRIVS
Don’t let users run as administrators*
Why? Pivoting, Passwords, Persistence
* Yes, I know that this can be very hard
HOST BASED IDS/IPS
So I just bypassed your next-gen firewall, IPS, and synergistic AV product to compromise a fully patched box
DO YOU SEE ME PIVOTING AND EXFILTRATING ALL OF YOUR DATA
OUT THE FRONT DOOR?
TAKEAWAY
If you don’t remember anything else from this presentation remember this:
DON’T FORGET ABOUT DETECTION
Required Reading: https://ghostbin.com/paste/6kho7
NETWORK SEGMENTATION
You have your company critical documents accessible to a machine that can look up Pokemon Go cheats?
WEB APPLICATION FIREWALL (WAF)
Website logs are often overlooked
Website attacks can be a forewarning of other things to come
EVENT MONITORING
Logs need to be collected *and* analyzed
Budgets often account for the cost of tools, not the time required to learn, monitor, and review those tools
A NOTE ABOUT “PEN TESTING”
There is a vast difference between:
Vulnerability Assessment
Penetration Test
Red Teaming/Adversary Simulation
Helpful when you believe you are secure or you need to grease the wheels to get more money
To reduce costs, don’t be afraid to white card (but make sure that doesn’t invalidate your test to the executives)
SUMMARY
You probably can use a lot of what you already have to make security at your organization better
Don’t fall for the blinky lights, buzzword laden sales job
Cultural changes are hard and require management buy-in
Don’t tailor your defense to what security companies are selling, tailor to what attackers are attacking
Leverage red team engagements to get the support you need to make changes
Don’t forget about detection
Defense is hard, not impossible
REFERENCES
Infosec Reactions - https://securityreactions.tumblr.com/
ASD Strategies to Mitigate Targeted Cyber Intrusions - http://www.asd.gov.au/infosec/top-mitigations/mitigations-2014-table.htm
Application Whitelisting - http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-167.pdf
Disable Office Macros - https://medium.com/@networksecurity/it-s-time-to-secure-microsoft-office-be50ec2797e3#.x5ll30jza