SECURITY INSIDE THE PERIMETER-
THE CALL IS COMING FROM INSIDE THE HOUSE
Event Code: #ILTALSS #LSS17
Date: June 13, 2017
Time: 3:00 PM - 4:00 PM ET
Location: Salon I
Arlan McMillan
Kirkland & Ellis LLP, [email protected]
Arlan has over 20 years' experience in Information Technology and Security and, prior to joining Kirkland & Ellis LLP, was the CISO for United Airlines.
He’s led a number of teams evaluating, developing and delivering security services, including as the CISO for the City of Chicago and Director of Global Information Security Operations for ABN AMRO, LaSalle bank.
In 2014 Arlan was honored to be voted as the Chicago area CISO of the Year and until joining Kirkland, was a board member of the Aviation Information Sharing and Analysis Center (A-ISAC).
Obligatory legal disclaimer… This discussion represents Arlan's personal viewpoint, which is not necessarily shared by his employer or the host of the event.
A different approach to this type of conversation…
Lots of slides delivered quickly
You will walk away with product: Dropbox.com, http://bit.ly/2r44mHW
- This and other presentations for you to reuse
- Catalog of over 400 operational metrics
- The CSF diagnostic and reporting templates
- Other really cool stuff
SIT BACK AND RELAX
1. Train How You Fight
   a. Numbers from the battlefield
   b. Know your enemy
   c. Scenario planning (5+7)
   d. Paperwork now!
2. Pro Tips
3. Real Life Example
4. War Stories from the Audience
DEFENDERS ARE LOSING
It's happening more often: over 4 billion records lost in 2016, a record high.
It costs more: $4 million average cost of a data breach, a 29% increase since 2013.
Humans are the #1 target: 93% of all significant breaches began with a phishing email.
ATTACKERS ARE OUT-PACING DEFENDERS
Chart: % where “days or less”
Source: “2016 Data Breach Investigations Report”, Verizon
ATTACKERS GET IN AND REMOVE DATA VERY FAST
Chart: average time to compromise and exfiltration
Source: “2016 Data Breach Investigations Report”, Verizon
INTERNAL CONTROLS AREN'T EFFECTIVELY IMPLEMENTED
Chart: % of breach discovery methods
Source: “2016 Data Breach Investigations Report”, Verizon
BOUNTY ON LAW FIRMS
Flashpoint report published in January, 2017
Multiple firms targeted by a Russian handler
- Domain Admin Access: $50,000
- Mail Server Access: $20,000
- Access to Office Computer of an Employee: $5,000
COMPRESSION
RAPID PACE OF CHANGE
Computer power has doubled every year since the mid-1960s.
In 1978, a flight from New York City to Paris cost ~$900 and took 7 hours.
If airlines had accelerated as fast as computer technology…
the same trip would cost less than one cent and take less than one second to complete.
5 THREAT CATEGORIES
#1: NUISANCE
#2: HACKTIVISTS
#3: ORGANIZED CRIME
#4: ESPIONAGE
#5: DESTRUCT, DENY, DESTROY
PLA GENERAL STAFF ORG CHART
PLA UNIT 61398 – BASE OF OPERATIONS
12-story building in a public, mixed-use area in Shanghai
10 STEP APT DANCE
The “A” (“advanced”)… should just be named “PT”
DNC & CLINTON CAMPAIGN COMPROMISES – JOHN PODESTA
Highly crafted to look like a standard Google password-change email.
108 sent, 20 clicked – then forwarded to 16 more people, of which 4 more clicked.
Stole individuals' passwords & silently installed malware on the target's computer, which then allowed the attacker to move laterally and infect other nearby computers.
There is significant variability in the number of possible ways that a bad guy can do you harm…
… but 90% of the time it happens in just a few different ways.
Plan for the 90% and you'll be well on your way to covering the rest. (5+7)
5 CYBER SCENARIOS TO PLAN FOR
1. Malware spread (crypto)
2. Insider data harvesting and exfiltration
3. External breach of client data
4. External breach of non-client data
5. Wide-spread destruction of computer assets
7 BCM SCENARIOS TO PLAN FOR
GET READY NOW
1. When a big one hits, you will need outside help from a forensics firm.
2. Don't wait to set up the paperwork. Do it now. It will cost nothing and save you bundles.
3. The forensics firm should be hired by the General Counsel's office with the goal of providing legal advice. Privilege!
4. Limit who gets the report.
https://sites-shb.vuture.net/42/214/may-2017/5.22.2017---pdsa.asp?sid=6d7417d9-e318-4f2e-ae39-7bcf48f5d5d2
4 PRO TIPS
1. Tactical focus = Patching, Web & Email
2. IS is Risk Management, not Cyber IT
3. Authoritative Controls
4. Tabletops
TACTICAL FOCUS = PATCHING, WEB & EMAIL
Not much to say here… get really good on these three first.
We can talk about all the really cool tools, techniques and PowerShell kung fu you can bring to bear against an adversary, but a strong patching process is by far the most powerful.
IS = RM, NOT CYBER IT
How you communicate and build support for your program is the best cyber-defense!
Information Security is Risk Management: “current risk posture” vs “target risk posture”
5 Questions
1. Are there any material risks to the Firm and if so, what are their potential costs and likelihoods of occurrence?
2. Is my security program aligned to the organization’s desired risk profile?
3. Is my organization more or less secure than last year?
4. Am I spending the right amount of money?
5. How do I compare against my peers?
IS IS RISK MANAGEMENT
Functional Requirements (three items, shown as a diagram on the original slide)
AUTHORITATIVE CONTROLS
YOU HAVE A ROADMAP
TABLETOPS
- Train how you fight
- Tests readiness
- A clear signal to leadership and others that cyber is a priority
- A great way to improve visibility and generate conversation
- Part of a CISO's job is sales – you need to sell people on why they need to do one thing over another
INCIDENT TIMELINE

| ref | event | comment |
|---|---|---|
| 01 | AV cleans MIMIKATZ & triggers alert in SOC | Bad guy forgot to disable AV – no password on AV |
| 02 | SecOps investigates & sees login with a shared TECH ID from nearby workstation | Abuse of shared admin ID used by techs for break-fix |
| 03 | Investigate workstation – login from unusual user | |
| 04 | Investigate user – doesn't typically even use a computer + weak password | Patient Zero unknown but most likely the user from #03 by way of a phishing victim |
| 05 | Set up alerts for all suspicious IDs | Hackers going lateral |
| 07 | See user's ID connect to company SSL VPN “published desktop” and then touch several other internal workstations | No 2FA – no segmentation |
| 08 | Source IP = VPN in China | Bad guy obfuscating true location – could be originating from anywhere in the world |
INCIDENT TIMELINE CONT.

| ref | event | comment |
|---|---|---|
| 09 | Observed an IP from Shanghai “accidentally” connect for 30 sec before disconnecting, and then a new connection over the VPN being established immediately | Bad OpSec!! We now know where you're really coming from! |
| 10 | Set up alerts for any connections from that VPN | Only fire 9-5 local time in Shanghai, except on Chinese holidays |
| 11 | See multiple connections using multiple IDs | Result of ID harvesting |
| 12 | Monitor connections and video-record desktop sessions | We now have training videos! |
| 13 | Observe bad guy using MIMIKATZ to pull any cached creds – they just do this over and over | “C” team following a script to build DBs of our IDs and passwords |
| 14 | Observe for ~20 days & prepare | |
| 15 | Over three nights – 2FA for VPN, password resets for over 40K users, patch all systems to current, deploy AEPP to 90% of all workstation and server assets | |
| 16 | Bad guys kicked out… kind of | |
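Steps 08 through 11 above describe a detection that is easy to state and easy to get wrong: alert on connections from the attacker's VPN exit, note whether they land in the adversary's 9-5 Shanghai working day (minus Chinese holidays), and treat one source presenting many distinct user IDs as evidence of credential harvesting. The following is an added example written for this page, not code from the deck or from the speaker's SOC. Everything in it is constructed: the VPN log line format, the suspect exit address 203.0.113.10 (a documentation address, not a real indicator), the holiday list and the harvesting threshold. A fixed +08:00 offset stands in for Asia/Shanghai because China Standard Time has no daylight saving.

```python
"""Working-hours and ID-harvesting check over VPN login records.

Added example, not from the original deck. Everything here is constructed:
the log line format, the suspect VPN exit 203.0.113.10 (a documentation
address, not a real indicator), the holiday list and the threshold.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta, timezone

# China Standard Time has no daylight saving, so a fixed +08:00 offset is exact.
SHANGHAI = timezone(timedelta(hours=8))
SUSPECT_SOURCES = {"203.0.113.10"}          # assumed: VPN exit identified in timeline step 08
CN_HOLIDAYS = {date(2017, 5, 30)}           # assumed holiday list; one entry for illustration
WORK_START, WORK_END = 9, 17                # 9-5 local time, as in step 10
HARVEST_THRESHOLD = 3                       # distinct IDs from one source => ID harvesting (step 11)

# Constructed sample log; all timestamps are UTC.
SAMPLE_LOG = """\
2017-06-12T01:12:03Z vpn-gw01 LOGIN user=jsmith src=203.0.113.10 result=success
2017-06-12T01:14:40Z vpn-gw01 LOGIN user=mlee src=203.0.113.10 result=success
2017-06-12T01:15:02Z vpn-gw01 LOGIN user=tech_shared src=203.0.113.10 result=success
2017-06-12T13:30:00Z vpn-gw01 LOGIN user=jsmith src=203.0.113.10 result=success
2017-05-30T02:00:00Z vpn-gw01 LOGIN user=mlee src=203.0.113.10 result=success
2017-06-12T14:05:11Z vpn-gw01 LOGIN user=akhan src=198.51.100.7 result=success
2017-06-12T14:06:00Z vpn-gw01 LOGIN user=akhan src=198.51.100.7 result=failure
"""


def parse_line(line):
    """Split 'timestamp host action k=v k=v ...' into a dict with a UTC datetime."""
    ts, host, action, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"when": when, "host": host, "action": action, **fields}


def in_adversary_hours(when_utc):
    """True when the instant falls in 09:00-17:00 Shanghai time on a non-holiday."""
    local = when_utc.astimezone(SHANGHAI)
    if local.date() in CN_HOLIDAYS:
        return False
    return WORK_START <= local.hour < WORK_END


def analyze(log_text):
    """Return (alerts for suspect sources, sources presenting many distinct IDs)."""
    alerts = []
    ids_by_source = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["action"] != "LOGIN" or ev.get("result") != "success":
            continue
        ids_by_source[ev["src"]].add(ev["user"])
        if ev["src"] in SUSPECT_SOURCES:
            alerts.append({
                "user": ev["user"],
                "src": ev["src"],
                "local_time": ev["when"].astimezone(SHANGHAI).strftime("%Y-%m-%d %H:%M"),
                "in_hours": in_adversary_hours(ev["when"]),
            })
    harvesting = {src: sorted(users) for src, users in ids_by_source.items()
                  if len(users) >= HARVEST_THRESHOLD}
    return alerts, harvesting


if __name__ == "__main__":
    found, harvest = analyze(SAMPLE_LOG)
    for a in found:
        print(f"{a['local_time']} Shanghai  user={a['user']:<12} in_hours={a['in_hours']}")
    for src, users in harvest.items():
        print(f"possible ID harvesting from {src}: {', '.join(users)}")
```

The time-of-day flag is deliberately reported alongside the alert rather than used to suppress it: the working-hours pattern is corroboration of who is behind the connection, while any successful login from the suspect exit is worth a ticket. Only successful logins count toward the harvesting threshold, so a password-spray of failures against one source does not masquerade as harvested credentials.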
INCIDENT TIMELINE CONT.

| ref | event | comment |
|---|---|---|
| 17 | AEPP alerts on PlugX RAT on an insignificant, irrelevant and forgotten system | “B” team will have a back-door. Be ready & make sure asset inventory is up to date! |
| 18 | Immediately shut down & analyze system | No way we would have seen the PlugX w/o Falcon |
| 19 | Deploy forensic software to many servers | |
| 20 | ID use of service account to go lateral | Disable interactive and network login for all service accounts. |
| 21 | Continue to close doors w/ new visibility and authority to implement changes at will | |
| 22 | Remove common tech ID on all workstations | Makes going lateral much more difficult |

All said and done, this was about 60 days of all hands working in 24x7 shifts to address the intrusion, and then another 90 to clean up.
While no data was lost, it's still very expensive.
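Two of the controls in the timeline, the shared break-fix ID abused in steps 02/03 and removed in step 22, and the service accounts restricted to batch/service logons in step 20, can be checked continuously from Windows Security event 4624 rather than only at remediation time. The following is an added example written for this page, not code from the deck or from the speaker's team. Constructed for illustration: the CSV export shape (a subset of the fields event 4624 carries), the `svc_` naming convention for service accounts, the shared ID name `tech_admin`, and the fan-out window and threshold.

```python
"""Logon-policy checks over Windows Security event 4624 records.

Added example, not from the original deck. Constructed for illustration:
the CSV shape (a subset of the fields event 4624 carries), the 'svc_'
naming convention for service accounts, the shared break-fix ID
'tech_admin', and the thresholds.
"""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Windows logon types: 2 interactive, 3 network, 4 batch, 5 service,
# 7 unlock, 10 remote interactive (RDP), 11 cached interactive.
FORBIDDEN_SVC_LOGON_TYPES = {2, 3, 10, 11}   # step 20: service accounts get batch/service logons only
SERVICE_ACCOUNT_PREFIX = "svc_"              # assumed naming convention
SHARED_IDS = {"tech_admin"}                  # assumed name of the shared break-fix ID (steps 02, 22)
FANOUT_WINDOW = timedelta(minutes=15)
FANOUT_THRESHOLD = 3                         # distinct hosts inside one window => lateral movement

# Constructed sample export of successful logons (event 4624), local time.
# Computer is the host that recorded the logon, i.e. where the session landed.
SAMPLE_EVENTS = """\
TimeCreated,EventID,Computer,TargetUserName,LogonType,IpAddress
2017-06-12 09:02:11,4624,SRV-BKP01,svc_backup,5,-
2017-06-12 09:05:40,4624,WS-ACCT-117,svc_backup,3,10.20.5.117
2017-06-12 09:06:02,4624,WS-ACCT-117,tech_admin,10,10.20.5.9
2017-06-12 09:07:30,4624,WS-ACCT-118,tech_admin,10,10.20.5.9
2017-06-12 09:09:15,4624,WS-HR-022,tech_admin,10,10.20.5.9
2017-06-12 09:30:00,4624,WS-ACCT-117,jsmith,2,-
2017-06-12 10:15:00,4624,SRV-DB02,svc_sql,2,-
"""


def load_events(csv_text):
    """Parse the export, keep only event 4624, return events sorted by time."""
    events = []
    for row in csv.DictReader(StringIO(csv_text)):
        if row["EventID"] != "4624":
            continue
        events.append({
            "when": datetime.strptime(row["TimeCreated"], "%Y-%m-%d %H:%M:%S"),
            "host": row["Computer"],
            "user": row["TargetUserName"],
            "logon_type": int(row["LogonType"]),
            "ip": row["IpAddress"],
        })
    return sorted(events, key=lambda e: e["when"])


def service_account_violations(events):
    """Service accounts seen with an interactive or network logon (forbidden after step 20)."""
    return [e for e in events
            if e["user"].startswith(SERVICE_ACCOUNT_PREFIX)
            and e["logon_type"] in FORBIDDEN_SVC_LOGON_TYPES]


def shared_id_fanout(events):
    """Shared ID landing on >= FANOUT_THRESHOLD distinct hosts inside FANOUT_WINDOW."""
    alerts = []
    recent = defaultdict(deque)          # user -> (when, host) pairs still inside the window
    for e in events:
        if e["user"] not in SHARED_IDS:
            continue
        window = recent[e["user"]]
        window.append((e["when"], e["host"]))
        while e["when"] - window[0][0] > FANOUT_WINDOW:   # drop entries older than the window
            window.popleft()
        hosts = {h for _, h in window}
        if len(hosts) >= FANOUT_THRESHOLD:
            alerts.append({"user": e["user"],
                           "at": e["when"].isoformat(sep=" "),
                           "hosts": sorted(hosts)})
    return alerts


if __name__ == "__main__":
    evs = load_events(SAMPLE_EVENTS)
    for v in service_account_violations(evs):
        print(f"service account {v['user']} logon type {v['logon_type']} on {v['host']}")
    for a in shared_id_fanout(evs):
        print(f"{a['at']} shared ID {a['user']} on {len(a['hosts'])} hosts: {', '.join(a['hosts'])}")
```

Once "Deny log on locally" and "Deny access to this computer from the network" are applied to service accounts, `service_account_violations` should return nothing; a hit afterwards means either the policy did not reach that host or an account slipped through the naming convention. The fan-out check is the detection counterpart to step 22: until the shared ID is gone, three hosts in fifteen minutes under one technician's ID is what credential reuse by an intruder looks like.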
Share your war story or…