Building Security Controls around Attack Models
Transcript of Building Security Controls around Attack Models
![Page 1: Building Security Controls around Attack Models](https://reader034.fdocuments.net/reader034/viewer/2022052706/58ef303a1a28abc7088b45a7/html5/thumbnails/1.jpg)
@StephanChenette @AttackIQ
Building Security Controls Around Attack Models
![Page 2: Building Security Controls around Attack Models](https://reader034.fdocuments.net/reader034/viewer/2022052706/58ef303a1a28abc7088b45a7/html5/thumbnails/2.jpg)
#RuggedDevOps
If you see something cool…
Get today’s Rugged DevOps presentations in your inbox
![Page 3: Building Security Controls around Attack Models](https://reader034.fdocuments.net/reader034/viewer/2022052706/58ef303a1a28abc7088b45a7/html5/thumbnails/3.jpg)
#WhoAmI?
• @StephanChenette, CEO and Founder @AttackIQ
AttackIQ created the first continuous security testing platform to challenge existing host, network and cloud infrastructure security controls to help organizations safely validate and measure their defense in depth strategy.
• Started my career in 1999 in Security – total of 16+ years – Grad School at UCSD
• Director of Research at IOActive, Head of Websense Security Labs, SAIC, eEye Digital Security
• Sit on the advisory board for CyberTECH, CISO Round Table of Southern California and Build it Securely and I head up the local OWASP Chapter, AppSec California Conference
• Invited speaker at Blackhat, RSA, CanSec West, AusCERT, RECON, SOURCE, ToorCON, ISSA, etc.
• Main Interest - Offensive and Defensive Techniques
![Page 4: Building Security Controls around Attack Models](https://reader034.fdocuments.net/reader034/viewer/2022052706/58ef303a1a28abc7088b45a7/html5/thumbnails/4.jpg)
Agenda
Building Security Controls Around Attack Models
Continuous Deployment
Continuous Validation
![Page 5: Building Security Controls around Attack Models](https://reader034.fdocuments.net/reader034/viewer/2022052706/58ef303a1a28abc7088b45a7/html5/thumbnails/5.jpg)
DevOps
Has established a culture and environment where building, testing, and releasing software can happen rapidly, frequently, and more reliably.
Continuous Deployment
Infrastructure as Code
![Page 6: Building Security Controls around Attack Models](https://reader034.fdocuments.net/reader034/viewer/2022052706/58ef303a1a28abc7088b45a7/html5/thumbnails/6.jpg)
Rugged DevOps
Goal of Security: reduce business risk
Cyber security is a business issue, not an IT issue.
![Page 7: Building Security Controls around Attack Models](https://reader034.fdocuments.net/reader034/viewer/2022052706/58ef303a1a28abc7088b45a7/html5/thumbnails/7.jpg)
Risk
Risk = impact * likelihood
![Page 8: Building Security Controls around Attack Models](https://reader034.fdocuments.net/reader034/viewer/2022052706/58ef303a1a28abc7088b45a7/html5/thumbnails/8.jpg)
Protecting Assets
Measures must be taken to ensure the integrity, security, accuracy, and privacy of all systems and data.
Wrap Security Controls around Valued Assets
• Compliance
• Business Continuity
![Page 9: Building Security Controls around Attack Models](https://reader034.fdocuments.net/reader034/viewer/2022052706/58ef303a1a28abc7088b45a7/html5/thumbnails/9.jpg)
Trust, but verify
Multiple Security Controls in place – how do you validate them all?
![Page 10: Building Security Controls around Attack Models](https://reader034.fdocuments.net/reader034/viewer/2022052706/58ef303a1a28abc7088b45a7/html5/thumbnails/10.jpg)
Continuous Validation
Rugged DevOps Responsibility
Continuous Validation
Continuous Deployment
![Page 11: Building Security Controls around Attack Models](https://reader034.fdocuments.net/reader034/viewer/2022052706/58ef303a1a28abc7088b45a7/html5/thumbnails/11.jpg)
Why Validate Security Controls?
To Minimize Risk.
Risk = impact * likelihood
If you drive impact down, the risk is minimized
Benefits – minimized risk, more effective, efficient, consolidated security program
![Page 12: Building Security Controls around Attack Models](https://reader034.fdocuments.net/reader034/viewer/2022052706/58ef303a1a28abc7088b45a7/html5/thumbnails/12.jpg)
How do you minimize your threat impact?
• Identify the Attackers
• Identify the Attack Techniques
• Build Adversarial Playbook
• Replay Attacker Playbook
• Analyze Security Controls Results
• Improve or Add New Security Controls
![Page 13: Building Security Controls around Attack Models](https://reader034.fdocuments.net/reader034/viewer/2022052706/58ef303a1a28abc7088b45a7/html5/thumbnails/13.jpg)
This can start with simple validation
• Identify security control assumptions
• Build Security Control Unit Test
• Exercise Unit Test
• Analyze Security Controls Results
• Improve or Add New Security Controls
![Page 14: Building Security Controls around Attack Models](https://reader034.fdocuments.net/reader034/viewer/2022052706/58ef303a1a28abc7088b45a7/html5/thumbnails/14.jpg)
Security testing is not point in time
DevOps is Code as Infrastructure
Rugged DevOps is Code as Security
Unit Testing Your Security Controls
Regression Testing your Security Infrastructure
![Page 15: Building Security Controls around Attack Models](https://reader034.fdocuments.net/reader034/viewer/2022052706/58ef303a1a28abc7088b45a7/html5/thumbnails/15.jpg)
Key Focus Points in Modelling
• Prioritizing the Highest Risk Threats, Adversarial Objectives and Methods
• Prioritize Security Controls (purpose, function, assumption)
• Create a process that can be:
– Automated, replicated and consistent
![Page 16: Building Security Controls around Attack Models](https://reader034.fdocuments.net/reader034/viewer/2022052706/58ef303a1a28abc7088b45a7/html5/thumbnails/16.jpg)
Attack Stages
• External Reconnaissance
• Initial Breach
• Gaining Persistence
• Escalate Privileges
• Lateral Movement
• Access to Data Stores
• Command and Control
• Exfiltration
![Page 17: Building Security Controls around Attack Models](https://reader034.fdocuments.net/reader034/viewer/2022052706/58ef303a1a28abc7088b45a7/html5/thumbnails/17.jpg)
Goal
• Duplicate real attack techniques and tactics in an automated fashion
• Automatically test each expectation as that asset or security control is deployed
![Page 18: Building Security Controls around Attack Models](https://reader034.fdocuments.net/reader034/viewer/2022052706/58ef303a1a28abc7088b45a7/html5/thumbnails/18.jpg)
Example: Target Breach

| Stage | Tactic | Pass/Fail/Detect | Technology Controls |
|---|---|---|---|
| Initial Breach | Install malware (Citadel) on vendor machine. | | |
| | Use stolen credentials to connect to Target's network. | | |
| | Exploit webapp vulnerability by uploading PHP web shell (xmlrpc.php). | | |
| | Query Active Directory, using LDAP protocol, for relevant target services (MSSSQLvc/BillingServer). | | |
| Privilege Escalation | Use "Pass-the-hash" to obtain NT hash token. | | |
| Persistence | Create new domain admin account with stolen token. | | |
| Access to other Data Stores | Utilize new credentials to scan, using "Angry IP Scanner," for accessible computers. | | |
| | Use a port forwarding tool to tunnel through several servers, bypassing security measures. | | |
| | Use RDP and Microsoft PSExec utility to execute processes. | | |
| | Use Microsoft Orchestrator to remain persistent and execute arbitrary code. | | |
| | Remotely install malware (Kaptoxa) onto POS machines, scrape POS memory, and save data to a local file. | | |
| Exfiltration | Create remote fileshare on remote FTP-enabled machine and copy data file to the machine. | | |
| | Use script to send file to attacker via FTP. | | |
![Page 19: Building Security Controls around Attack Models](https://reader034.fdocuments.net/reader034/viewer/2022052706/58ef303a1a28abc7088b45a7/html5/thumbnails/19.jpg)
Example: Target Breach
• Initial Breach

| Stage | Tactic | Pass/Fail/Detect | Technology Controls |
|---|---|---|---|
| Initial Breach | Install malware (Citadel) on vendor machine. | | |
| | Use stolen credentials to connect to Target's network. | | |
| | Exploit webapp vulnerability by uploading PHP web shell (xmlrpc.php). | | |
| | Query Active Directory, using LDAP protocol, for relevant target services (MSSSQLvc/BillingServer). | | |
![Page 20: Building Security Controls around Attack Models](https://reader034.fdocuments.net/reader034/viewer/2022052706/58ef303a1a28abc7088b45a7/html5/thumbnails/20.jpg)
Example: Target Breach
• Privilege Escalation

| Stage | Tactic | Pass/Fail/Detect | Technology Controls |
|---|---|---|---|
| Privilege Escalation | Use "Pass-the-hash" to obtain NT hash token. | | |
| Access to other Data Stores | Utilize new credentials to scan, using "Angry IP Scanner," for accessible computers. | | |
| | Use a port forwarding tool to tunnel through several servers, bypassing security measures. | | |
| | Use RDP and Microsoft PSExec utility to execute processes. | | |
| | Use Microsoft Orchestrator to remain persistent and execute arbitrary code. | | |
| | Remotely install malware (Kaptoxa) onto POS machines, scrape POS memory, and save data to a local file. | | |
![Page 21: Building Security Controls around Attack Models](https://reader034.fdocuments.net/reader034/viewer/2022052706/58ef303a1a28abc7088b45a7/html5/thumbnails/21.jpg)
Example: Target Breach

| Stage | Tactic | Pass/Fail/Detect | Technology Controls |
|---|---|---|---|
| Exfiltration | Create remote fileshare on remote FTP-enabled machine and copy data file to the machine. | | |
| | Use script to send file to attacker via FTP. | | |
![Page 22: Building Security Controls around Attack Models](https://reader034.fdocuments.net/reader034/viewer/2022052706/58ef303a1a28abc7088b45a7/html5/thumbnails/22.jpg)
Measure
• Detection – Time
• Prevention – Yes/No
![Page 23: Building Security Controls around Attack Models](https://reader034.fdocuments.net/reader034/viewer/2022052706/58ef303a1a28abc7088b45a7/html5/thumbnails/23.jpg)
Example: Target Breach

| Stage | Tactic | Pass/Fail/Detect | Technology Controls |
|---|---|---|---|
| Initial Breach | Install malware (Citadel) on vendor machine. | PD | Generic AV (Symantec) |
| | Use stolen credentials to connect to Target's network. | F | Behavior Analytics |
| | Exploit webapp vulnerability by uploading PHP web shell (xmlrpc.php). | PD | Web App Firewall |
| | Query Active Directory, using LDAP protocol, for relevant target services (MSSSQLvc/BillingServer). | F | N/A |
| Privilege Escalation | Use "Pass-the-hash" to obtain NT hash token. | PD | AV Detected mimikatz |
| Persistence | Create new domain admin account with stolen token. | F | N/A |
| Access to other Data Stores | Utilize new credentials to scan, using "Angry IP Scanner," for accessible computers. | F | N/A |
| | Use a port forwarding tool to tunnel through several servers, bypassing security measures. | F | Palo Alto |
| | Use RDP and Microsoft PSExec utility to execute processes. | D | Crowdstrike Falcon |
| | Use Microsoft Orchestrator to remain persistent and execute arbitrary code. | P | Cylance Prevent |
| | Remotely install malware (Kaptoxa) onto POS machines, scrape POS memory, and save data to a local file. | F | Symantec |
| Exfiltration | Create remote fileshare on remote FTP-enabled machine and copy data file to the machine. | F | Behavior Analytics |
| | Use script to send file to attacker via FTP. | F | Firewall/IPS |
![Page 24: Building Security Controls around Attack Models](https://reader034.fdocuments.net/reader034/viewer/2022052706/58ef303a1a28abc7088b45a7/html5/thumbnails/24.jpg)
Modeling Exercise
• Installation of Web Shell on network
• Lateral Movement (Pass-the-Hash Technique) w/ mimikatz
• Use of known port scanner
• Use of PA/PSExec with dumped credential hashes
• Use of Built-in-tools at potentially anomalous times
• Download of known malware
• Access to FTP to potentially unknown remote machine
![Page 25: Building Security Controls around Attack Models](https://reader034.fdocuments.net/reader034/viewer/2022052706/58ef303a1a28abc7088b45a7/html5/thumbnails/25.jpg)
Defense-in-Depth Metrics
Identified Tactic
• % Failed
– % Detected
– % Prevented
• Identify, prioritize need for control technology
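As an added example (not from the slides or from AttackIQ's platform), a small Python harness that scores one run of security-control unit tests the way slides 22 and 25 describe: per-stage % prevented / detected / failed with median time to detect, the failed tactics that have no control deployed at all (the first candidates for new control technology), and a regression check against an earlier baseline run (the regression testing of slides 14 and 26). The rows reproduce the slide 23 Target-breach outcomes; the short tactic labels and the detection times are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class Result:
    stage: str       # attack stage from the model (slide 16)
    tactic: str      # tactic the security-control unit test exercised
    outcome: str     # "P" prevented, "D" detected, "PD" both, "F" no control fired
    control: str     # technology control under test, "N/A" if none is deployed
    detect_secs: "float | None" = None  # seconds until an alert fired, None if never detected

RUN = [Result(*row) for row in [  # constructed: slide 23 outcomes, illustrative detect times
    ("Initial Breach", "malware on vendor machine", "PD", "Generic AV (Symantec)", 5),
    ("Initial Breach", "stolen vendor credentials", "F", "Behavior Analytics"),
    ("Initial Breach", "PHP web shell upload", "PD", "Web App Firewall", 1),
    ("Initial Breach", "LDAP query for services", "F", "N/A"),
    ("Privilege Escalation", "pass-the-hash", "PD", "AV", 40),
    ("Persistence", "new domain admin account", "F", "N/A"),
    ("Access to Data Stores", "known IP scanner", "F", "N/A"),
    ("Access to Data Stores", "port-forwarding tunnel", "F", "Palo Alto"),
    ("Access to Data Stores", "RDP/PSExec execution", "D", "Crowdstrike Falcon", 300),
    ("Access to Data Stores", "Orchestrator persistence", "P", "Cylance Prevent"),
    ("Access to Data Stores", "Kaptoxa on POS machines", "F", "Symantec"),
    ("Exfiltration", "remote fileshare copy", "F", "Behavior Analytics"),
    ("Exfiltration", "FTP to attacker", "F", "Firewall/IPS"),
]]

def stage_metrics(results):
    """Per-stage % prevented / detected / failed (slide 25) and median time to detect (slide 22)."""
    by_stage = defaultdict(list)
    for r in results:
        by_stage[r.stage].append(r)
    report = {}
    for stage, rs in by_stage.items():
        secs = [r.detect_secs for r in rs if "D" in r.outcome and r.detect_secs is not None]
        report[stage] = {"prevented": round(100 * sum("P" in r.outcome for r in rs) / len(rs)),
                         "detected": round(100 * sum("D" in r.outcome for r in rs) / len(rs)),
                         "failed": round(100 * sum(r.outcome == "F" for r in rs) / len(rs)),
                         "median_detect_secs": median(secs) if secs else None}
    return report

def control_gaps(results):
    """Failed tactics with no control deployed at all: first priority for new control technology."""
    return [r.tactic for r in results if r.outcome == "F" and r.control == "N/A"]

def regressions(baseline, current):
    """Tactics a control handled in the baseline run but that fail now (the regression test)."""
    before = {(r.stage, r.tactic): r.outcome for r in baseline}
    return [r.tactic for r in current
            if r.outcome == "F" and before.get((r.stage, r.tactic), "F") != "F"]
```

Run in a pipeline step after each deployment, a non-empty `regressions()` result is the signal to fail the build, while `control_gaps()` feeds the prioritization list on this slide.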
![Page 26: Building Security Controls around Attack Models](https://reader034.fdocuments.net/reader034/viewer/2022052706/58ef303a1a28abc7088b45a7/html5/thumbnails/26.jpg)
Trust, but Verify
• Validate your security controls
• Regression Testing
• Unit Testing
![Page 27: Building Security Controls around Attack Models](https://reader034.fdocuments.net/reader034/viewer/2022052706/58ef303a1a28abc7088b45a7/html5/thumbnails/27.jpg)
Focus
• Run routine attack modeling automatically as your apps/security controls are deployed via chef/Jenkins, etc.
• Identify gaps or blind spots
• Design your controls around the attacker tactics
![Page 28: Building Security Controls around Attack Models](https://reader034.fdocuments.net/reader034/viewer/2022052706/58ef303a1a28abc7088b45a7/html5/thumbnails/28.jpg)
Adversarial Modeling
• Does not take much time/energy
• Creates Data-driven reasoning around buying/purchasing decisions
• Build repository of related attacks
• Shows historical improvements around baseline
• Consolidates security technologies
![Page 29: Building Security Controls around Attack Models](https://reader034.fdocuments.net/reader034/viewer/2022052706/58ef303a1a28abc7088b45a7/html5/thumbnails/29.jpg)
Where to Start
• IT/Ops/SOC/Dev/Management Involvement
• Build threat intelligence/attack repository
• Move to attack models
• Communicate output clearly to show improvements
![Page 30: Building Security Controls around Attack Models](https://reader034.fdocuments.net/reader034/viewer/2022052706/58ef303a1a28abc7088b45a7/html5/thumbnails/30.jpg)
Conclusion
What can be measured can be improved
Implementing security controls around relevant attack models will save you time, money and resources and focuses on minimizing the true risks to your organization
Security as Code
Continuous Validation