2. THE WHY?
The Ashley Madison hack – Zero-day exploit used to gain server root access
$30 Million in fines, legal fees, settlements etc. Users are being blackmailed to this day by hackers who stole their data
The Sony hack – Worm attacks through email attachments
$8 Million in remuneration to employees, apart from loss of revenue due to leaked movies
The LinkedIn hack – Web crawlers scraped data from the website
700 Million LinkedIn users’ data posted online. Users targeted by spam emails, scamsters and identity theft.
A total of 110, 54 and 59 Indian Central Ministries, Departments and State Government sites were hacked during the years 2018, 2019 and 2020, respectively
Around 3.7 Lakh Crore lost due to Cybercrimes in India since the year 2019
3. HACKERS ONLY NEED TO SUCCEED ONCE
DEFENDERS NEED TO SUCCEED EVERY TIME
7. TAKING SHORTCUTS
Intercepts the call to the server:
curl -X GET 'http://localhost:8080/accounts/abc%27%20or%20%271%27=%271'
Resulting query on the server:
select customer_id, acc_number, branch_id, balance from Accounts
where customerId = 'abc' or '1' = '1'
GETS ALL THE CUSTOMER DATA
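The shortcut on this slide, concatenating the request value straight into the SQL string, placed side by side with the parameterised query that closes the hole, plus a small detection check. This is an added example, not code from the deck; the Accounts rows, the in-memory SQLite database and the `leaked_other_customers` helper are constructed here for illustration, and the injected value is the URL-decoded path parameter from the slide's curl call.

```python
import sqlite3
from urllib.parse import unquote

# Constructed sample rows (not from the original deck) so the example runs offline.
ACCOUNTS = [
    ("abc", "ACC-1001", "BR-01", 2500.00),
    ("def", "ACC-1002", "BR-01", 910.50),
    ("xyz", "ACC-1003", "BR-02", 17320.00),
]

# The path parameter sent by the curl call on the slide, URL-decoded: abc' or '1'='1
INJECTED_ID = unquote("abc%27%20or%20%271%27=%271")


def make_db():
    """Build an in-memory Accounts table matching the columns used on the slide."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Accounts (customer_id TEXT, acc_number TEXT, "
        "branch_id TEXT, balance REAL)"
    )
    conn.executemany("INSERT INTO Accounts VALUES (?, ?, ?, ?)", ACCOUNTS)
    return conn


def get_accounts_shortcut(conn, customer_id):
    """The shortcut: the request value is glued into the SQL text, so quotes in it become SQL."""
    sql = (
        "select customer_id, acc_number, branch_id, balance from Accounts "
        f"where customer_id = '{customer_id}'"
    )
    return conn.execute(sql).fetchall()


def get_accounts_parameterised(conn, customer_id):
    """Hardened version: the value is bound as a parameter and can never change the query shape."""
    sql = (
        "select customer_id, acc_number, branch_id, balance from Accounts "
        "where customer_id = ?"
    )
    return conn.execute(sql, (customer_id,)).fetchall()


def leaked_other_customers(rows, requested_id):
    """Detection hint (assumed check): a lookup keyed by one customer id must only return that customer."""
    return any(row[0] != requested_id for row in rows)


if __name__ == "__main__":
    db = make_db()
    print("shortcut, honest id  :", get_accounts_shortcut(db, "abc"))
    print("shortcut, injected id:", get_accounts_shortcut(db, INJECTED_ID))
    print("parameterised, injected id:", get_accounts_parameterised(db, INJECTED_ID))
    print("leak detected:", leaked_other_customers(get_accounts_shortcut(db, INJECTED_ID), "abc"))
```

With the shortcut, the injected id returns every row in the table; with the bound parameter the same input is treated as a literal customer id that matches nothing. The `leaked_other_customers` check is the kind of post-query assertion worth logging as an anomaly in a real service.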
8. CONSEQUENCES
• Loss of client confidence
• Loss of business
• Potential lawsuits
• Negative press
• Mounting losses
• Catastrophe
10. THREAT MODELLING
• Identify threats early
• Identify attack surfaces and vulnerabilities
• Address them early
• Test regularly
• Release a quality secure product
• Eat pizza
11. THE ATTACK SURFACE CHECKLIST
• OWASP Top 10 - https://owasp.org/www-project-top-ten/
The OWASP Top 10 is a regularly updated list of the most critical security risks to web applications, compiled from observations of how those applications are exploited by hackers.
• MITRE ATT&CK Matrix - https://attack.mitre.org/
The ATT&CK Matrix is a comprehensive checklist based on analysis and real-world observation of adversary tooling, drawing on contributions from private sector organizations, government agencies, cybersecurity firms and the community.
16. RED TEAMING AND BAS TOOLS
• Form ethical hacking teams to exploit the entire attack surface
• Breach and Attack Simulation tools automatically simulate real threats and analyse how an attack can spread on successful penetration
BAS tools:
• AttackIQ
• Cymulate
• FireEye
17. CART – CONTINUOUS AUTOMATED RED TEAMING
• Automates red teaming by discovering the attack surface automatically and running a full gamut of penetration tests against it
• Launches multi-stage attacks to simulate real-time attacks
• Uses an outside-in approach and does not require hardware or software to be installed on premises
Tools:
FireCompass (Most widely used and adopted)
Atomic Red Team + Swimlane SOAR
18. CONS OF BAS AND CART TOOLS
Cons:
• Lots of manual time and effort involved in simulating tests and exploring attack surfaces
• Expensive
• Requires on premises installation of software and technical knowhow
• Predominantly provided by third party vendors
• Cannot be run against live production servers as they can be disruptive
22. WHY MICROSERVICES?
• Containers can be shared around so everyone is working on the same environment
• Multiple environments can be used as sandboxes for dev/uat/pocs/chaos testing, etc
• Canary deployments
• SAST against pipelines, DAST against Containers and BAS against Kubernetes clusters / Service Mesh
23. REDUCING ATTACK SURFACES
• Small apps, smaller concerns
• Focus is on continuous testing, continuous patching
• Fewer tests to be executed as the code base is small
• Re-engineering and re-architecting is a smaller effort in case design-breaking vulnerabilities are exposed
• Better management of priorities
24. BEST PRACTICES
• MFA and access controls
• Session and cookie hygiene
• Common Attack Matrix generated from SAST, DAST and BAS tools
• Encryption at rest – Database encryption, Storage Encryption
• Encryption in transit – HTTPS, SSL, TLS, FTPS, IP Whitelisting
• Password Vault services
• Authentication and Authorization as a service
• Active traffic monitoring to uncover anomalous system access
• CDNs and robust edge servers
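The "session and cookie hygiene" item above, made concrete as a small audit of Set-Cookie headers plus a builder that emits a hardened session cookie. This is an added example, not code from the deck; the sample headers are constructed, and the attribute rules it enforces (Secure, HttpOnly, SameSite present, SameSite=None only together with Secure, and a session lifetime cap of eight hours) are assumptions chosen for illustration.

```python
# Assumed policy for this example: session cookies longer-lived than this are flagged.
MAX_SESSION_SECONDS = 8 * 60 * 60


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value}) with lower-cased attribute names."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header):
    """Return the list of hygiene problems found in one Set-Cookie header (empty list means clean)."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie can be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable from script")
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append("missing SameSite: cookie sent on cross-site requests")
    elif samesite.lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure")
    max_age = attrs.get("max-age")
    if max_age is not None and max_age.isdigit() and int(max_age) > MAX_SESSION_SECONDS:
        findings.append(f"Max-Age {max_age}s exceeds session cap of {MAX_SESSION_SECONDS}s")
    return findings


def build_session_cookie(name, value, max_age=1800):
    """Emit a Set-Cookie header with the hardened attribute set (30-minute lifetime by default)."""
    return (
        f"{name}={value}; Path=/; Max-Age={max_age}; "
        "Secure; HttpOnly; SameSite=Strict"
    )


# Constructed sample headers for the demonstration (not captured from any real system).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/",
    "sessionid=abc123; Path=/; Max-Age=2592000; HttpOnly; SameSite=None",
    build_session_cookie("sessionid", "abc123"),
]


def audit_all(headers):
    """Map each header's cookie name to its findings, for a quick report."""
    return {parse_set_cookie(h)[0]: audit_set_cookie(h) for h in headers}


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header)
        for finding in audit_set_cookie(header) or ["ok"]:
            print("   -", finding)
```

Running the audit over the three constructed headers reports three problems for the bare cookie, three for the long-lived SameSite=None cookie, and none for the header produced by `build_session_cookie`; the same function can be pointed at real response headers captured from a staging environment.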