Incident Response to Remote Employees and Workforces
Webinar, 4/16/2020
Infocyte - IR for Work from Home Workforce
Validating integrity via live forensic analysis of a set of hosts
Overview
Situation:
• COVID-19 has forced many businesses into work-from-home (WFH) before they were ready
• Attackers are taking advantage of this
Today’s Discussion:
1. Remote Workers & IT Architectures
2. Prioritizing Attack Vectors
3. Detection & Response for the WFH workforce
4. Incident Response Process
5. Recommendations
Remote Workers & IT Architectures
Legacy Architecture - The "M&M Defense"
Situation:
• Most enterprise networks are defended by the M&M model of defense: hard candy shell, soft gooey center
Traditional managed network defenses include:
• Perimeter defenses (IDS, IPS, firewall)
• SD-WAN / MPLS / VPN
• Network monitoring
• Centrally managed controls (Active Directory)
Cloud-Model Architectures & Zero Trust
Security foundations:
• The perimeter is the foundation in a legacy network
• Identity is the foundation in a zero-trust or cloud-model architecture
Cloud-model architecture defenses include:
• Cloud-based identity (with SSO & MFA)
• Endpoint security
Google's "BeyondCorp" zero-trust model (2014) begins with this assumption:
Connecting from a particular network must not determine which services and data you can access
Learn more about zero trust:
https://www.beyondcorp.com/
What Really Matters
With employees working from home, you don't control the network or the perimeter...
What really matters for WFH personnel security:
1. Verifying WHO is accessing corporate resources (identity/authentication)
2. Ensuring the device they connect from is secure/clean (endpoint security)
A natural fit for zero-trust / cloud-model principles
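To make the contrast between the two models concrete, here is an added example (not code from the Infocyte deck) that evaluates the same access request under a perimeter-style policy and under an identity-plus-device-posture policy. The request fields, the scenario names and the posture checks are assumptions chosen for illustration; a real policy engine would source them from the identity provider and the endpoint agent.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    """One request to a corporate service, with the signals each model can see (constructed)."""
    user: str
    authenticated: bool         # primary credential verified by the identity provider
    mfa_passed: bool            # second factor completed for this session
    device_managed: bool        # device enrolled in endpoint management
    device_compliant: bool      # EDR agent healthy, disk encrypted, patched
    on_corporate_network: bool  # arrived via the office LAN or the corporate VPN


def perimeter_decision(req: AccessRequest) -> bool:
    """Legacy 'M&M' model: being inside the perimeter plus a valid password is enough."""
    return req.on_corporate_network and req.authenticated


def zero_trust_decision(req: AccessRequest):
    """Cloud/zero-trust model: identity and device posture decide; the source network
    is deliberately not consulted. Returns (allowed, list_of_reasons_denied)."""
    checks = [
        (req.authenticated, "not_authenticated"),
        (req.mfa_passed, "mfa_required"),
        (req.device_managed, "device_unmanaged"),
        (req.device_compliant, "device_noncompliant"),
    ]
    reasons = [why for ok, why in checks if not ok]
    return not reasons, reasons


# Constructed scenarios (hypothetical users and situations).
SCENARIOS = {
    # Employee on a managed, healthy laptop at home: outside the perimeter, but trustworthy.
    "employee_at_home": AccessRequest("alice", True, True, True, True, False),
    # Attacker who phished alice's password and connects through the VPN from an unknown box.
    "attacker_on_vpn_with_stolen_password": AccessRequest("alice", True, False, False, False, True),
    # Employee in the office whose laptop failed its EDR health check.
    "employee_on_infected_laptop_in_office": AccessRequest("bob", True, True, True, False, True),
}


def compare(scenarios=None) -> dict:
    """Evaluate every scenario under both models and return the verdicts side by side."""
    out = {}
    for name, req in (scenarios or SCENARIOS).items():
        zt_ok, why = zero_trust_decision(req)
        out[name] = {"perimeter": perimeter_decision(req), "zero_trust": zt_ok, "denied_for": why}
    return out


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:42} perimeter={verdict['perimeter']!s:5} "
              f"zero_trust={verdict['zero_trust']!s:5} {verdict['denied_for']}")
```

The perimeter policy gets the two dangerous cases exactly backwards: it admits the attacker on the VPN and the infected office laptop, and turns away the healthy employee at home. The zero-trust policy reaches the right answer in all three without ever looking at the source network, which is the property the BeyondCorp assumption above asks for.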
Where are you on digital transformation?
Does WFH increase risk to the enterprise? It depends.
• Companies that rely on traditional network defenses find it difficult to transition to a WFH workforce, which increases their risk massively.
• Organizations that already had wide cloud adoption find it much easier.
WFH workers: corporate-owned devices or BYOD? Managed or unmanaged?
Remote Worker Attack Vectors
Exploiting COVID-19
Attackers have all converged on the current situation:
• 98% of phishing emails are Coronavirus/COVID-19 themed.
Source: https://www.fireeye.com/blog/threat-research/2020/04/limited-shifts-in-cyber-threat-landscape-driven-by-covid-19.html
Top Threats to Consider
Source: Verizon 2019 Data Breach Investigations Report, https://enterprise.verizon.com/resources/reports/dbir/2019/results-and-analysis/
Home office or not:
• All of these threats still exist for home workers and corporate networks alike, regardless of architecture.
Vuln scanning?
• The threat rankings make it pretty clear where our focus needs to be.
Top Three Attacks to Consider
1. Weak Auth
   • Cloud and VPN services attacked directly with stolen passwords or by brute-forcing weak ones
   – Invest in SSO/MFA-enabled cloud identity
2. Trojans/Phishing
   • WFH devices infected with malware, enabling session hijacking into the corporate network or cloud resources
   – Invest in endpoint security for home devices
3. Lost/Stolen Data
   • Devices will be lost, stolen or damaged
   – Store data in the cloud; invest in remote device wipe software
Remote Worker Detection & Response
Endpoint Monitoring
All devices require endpoint security monitoring:
• Upgrade: consumer antivirus won't protect against corporate threats
• Licensing: modern endpoint vendors may offer home-device licenses or, like Infocyte, have no restrictions on BYOD / home networks
Security monitoring / MDR:
• Select a cloud-native endpoint monitoring solution (e.g. Infocyte RTS)
• Manage alerts in a cloud console or send them to a cloud-based MDR provider
Protection (antivirus/EPP) + endpoint monitoring (EDR/MDR platform)
[Diagram: Infocyte cloud architecture. Agents on endpoints and servers communicate directly with the cloud service (RTS console at customer1.Infocyte.com, hosted in AWS, with threat intel & analytics and an API & UI). Cloud infrastructure/workload monitoring is done via the IaaS API (plugin). Controllers can discover internal endpoints, then scan them agentlessly or deploy agents within a managed network.]

[Diagram: Threat & Incident Response Platform, host capabilities. Real-Time Agent (continuous): process monitor and logs; monitors endpoint process activity in real time. Forensic Collector (on-demand / periodic / triggered): memory, artifacts, applications, autostarts, accounts, custom collections; inspects memory and collects key forensic artifacts, and is the primary data collector for agentless and offline scans. Extension subsystem: extensions are scripts or modules that perform custom collection or action, covering response actions, remediation, isolation, detection, compliance and hardening. Cloud console: analytics, intel and reporting.]
Identity Security
Extending Active Directory:
- Azure AD
- SAML
Select a cloud-based identity provider:
- Okta, OneLogin, etc.
- It should provide multi-factor authentication (MFA)
- Consider hardware security keys (e.g. YubiKeys)
- Consider feeding authentication activity into a central monitoring solution (e.g. a SIEM)
Monitoring Cloud Services
3rd-party cloud services:
• Get to know your cloud services' logging and security features:
– e.g. Microsoft 365 security center, https://security.microsoft.com
– Identity should be tied to a cloud SSO identity provider
– Heads up: every service is unique...
Your internal services:
• Use a cloud-based identity provider: Azure AD, Okta, OneLogin, etc.
• Ensure services are tied to your corporate identity provider (e.g. via SAML)
• Consider implementing centralized security feeds (activity logs)
Legacy Service Access
Legacy on-prem apps are generally accessed via:
• VPN
• Remote Desktop Services (RDP/RDS)
Secure your VPN & RD Gateways:
• Remote Desktop was the #1 attacked service for ransomware operators in 2019; virtually every ransomware operation has the tooling to brute-force or buy access to exposed RDP.
• Out of the box, an RD Gateway is not hardened. Setup guidance: https://turbofuture.com/computers/How-To-Setup-a-Remote-Desktop-Gateway-Windows-Server-2016
Incident Response Process
Incident Response Steps (2019 – Incident Response Readiness)
Detection: typically detect malicious activity via endpoint monitoring, external reports, or support tickets.
Triage: determine the scope of the breach, gather evidence/information.
Contain: ensure it can't spread or access corporate info.
Recover: business continuity; ensure the business can continue.
Investigate: analyze evidence and determine root cause.
Learn: implement new controls based on lessons learned.
Getting Device Access
Ideal:
• A cloud-native endpoint security solution (EDR) should grant access directly to devices
Workarounds:
• Install a temporary agent on the affected device, or
• Perform an offline/manual scan using Infocyte's Collector ("survey")
Got on-prem problems?
Putting on-prem security tools in the cloud for WFH devices?
• Does it handle overlapping IPs? (Home networks nearly all use the same RFC 1918 ranges, so a tool that keys hosts by IP address will see collisions.)
• Cross-platform for BYOD?
• Secure?
Getting BYOD Device Access
Remember to get consent:
• Corporate BYOD policies should include consent to monitoring; if yours doesn't, get it in writing from the device owner
• Talk to your legal counsel about this
Things to collect:
• Executables, OS and application logs, identified malware, scripts
Things to avoid (scan them with an automated tool, but don't collect):
• Pictures, personal data, browsing history
Be careful with browsing history... Use a licensed forensics professional if you are interested in collecting this type of data.
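As an added example (not Infocyte's Collector, nor any code from the deck), here is a small Python triage collector that applies the collect/avoid split above to a directory tree: it copies executables, scripts and logs into an evidence folder, hashes each original and its copy so the manifest proves integrity, and records, but never copies, personal media, personal documents and browser history. The extension and folder lists, the file names that mark browser stores, and the sample "device" tree it builds in a temp directory are all constructed assumptions for illustration (the magic bytes are not real malware or real artifacts).

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Artifact classes the slide lists as fair game on a BYOD device (assumed extension lists).
CLASS_BY_EXT = {
    **dict.fromkeys([".exe", ".dll", ".sys", ".msi"], "executable"),
    **dict.fromkeys([".ps1", ".bat", ".cmd", ".vbs", ".js", ".sh", ".py"], "script"),
    **dict.fromkeys([".log", ".evtx", ".etl"], "log"),
}
# Personal data the slide says to scan in place but never copy off the device.
PERSONAL_EXT = {".jpg", ".jpeg", ".png", ".heic", ".mp4", ".mov", ".pdf", ".docx", ".xlsx"}
PERSONAL_DIRS = {"Pictures", "Photos", "Videos", "Music"}
# Browser history / credential stores: leave these to a licensed forensics professional.
BROWSER_HISTORY_FILES = {"History", "Cookies", "Login Data", "places.sqlite", "cookies.sqlite"}


def classify(rel_path) -> tuple:
    """Return ('collect', artifact_class) or ('skip', reason) for one relative path.
    Executables/scripts/logs are in scope wherever they live; everything else is judged
    by extension and by the folder it sits in."""
    rel_path = Path(rel_path)
    if rel_path.name in BROWSER_HISTORY_FILES:
        return "skip", "browsing_history"
    artifact_class = CLASS_BY_EXT.get(rel_path.suffix.lower())
    if artifact_class:
        return "collect", artifact_class
    if rel_path.suffix.lower() in PERSONAL_EXT or PERSONAL_DIRS & set(rel_path.parts[:-1]):
        return "skip", "personal_data"
    return "skip", "out_of_scope"


def sha256_of(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(source_root, evidence_dir) -> dict:
    """Walk source_root, copy in-scope artifacts into evidence_dir, return a manifest.
    Each copy is re-hashed so the manifest proves the evidence matches the original."""
    source_root, evidence_dir = Path(source_root), Path(evidence_dir)
    manifest = {"collected": [], "skipped": []}
    for dirpath, dirnames, filenames in os.walk(source_root):
        dirnames.sort()  # deterministic order makes manifests comparable between runs
        for name in sorted(filenames):
            src = Path(dirpath) / name
            rel = src.relative_to(source_root)
            action, detail = classify(rel)
            if action == "skip":
                manifest["skipped"].append({"path": rel.as_posix(), "reason": detail})
                continue
            dst = evidence_dir / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)  # copy2 keeps the original timestamps on the copy
            original, copied = sha256_of(src), sha256_of(dst)
            manifest["collected"].append({
                "path": rel.as_posix(), "class": detail, "size": src.stat().st_size,
                "sha256": original, "verified": original == copied,
            })
    return manifest


def summarize(manifest: dict) -> dict:
    """Flatten a manifest into path->class, path->reason and one integrity flag."""
    return {
        "collected": {e["path"]: e["class"] for e in manifest["collected"]},
        "skipped": {e["path"]: e["reason"] for e in manifest["skipped"]},
        "all_verified": all(e["verified"] for e in manifest["collected"]),
    }


# Constructed sample device tree (hypothetical paths; headers are just magic bytes, not real files).
SAMPLE_TREE = {
    "Users/alice/AppData/Local/Temp/updater.exe": b"MZ\x90\x00constructed-fake-pe",
    "Users/alice/AppData/Roaming/persist.ps1": b"Start-Process calc.exe  # constructed",
    "Windows/System32/winevt/Logs/Security.evtx": b"ElfFile\x00constructed",
    "ProgramData/Vendor/agent.log": b"2020-04-16 09:00:00 constructed log line\n",
    "Users/alice/Pictures/family.jpg": b"\xff\xd8\xff constructed image",
    "Users/alice/AppData/Local/Google/Chrome/User Data/Default/History": b"SQLite format 3\x00constructed",
    "Users/alice/Documents/taxes-2019.pdf": b"%PDF-1.4 constructed",
    "Users/alice/Documents/notes.txt": b"constructed",
}


def build_sample_tree(root) -> None:
    for rel, content in SAMPLE_TREE.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)


def demo() -> dict:
    """Build the sample tree in a temp dir, run the collector, return the manifest."""
    src, dst = tempfile.mkdtemp(prefix="byod-src-"), tempfile.mkdtemp(prefix="byod-evidence-")
    try:
        build_sample_tree(src)
        return collect(src, dst)
    finally:
        shutil.rmtree(src, ignore_errors=True)
        shutil.rmtree(dst, ignore_errors=True)


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(demo()), indent=2))
```

Two design points worth noting. Executables and scripts are in scope no matter which folder they are found in, because a dropper in Pictures is still evidence, whereas an unknown file type in a personal folder is treated as personal data. Skipped files are still listed in the manifest with a reason, which is what you hand to legal counsel to show exactly what was and was not taken from the employee's device.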
Final Recommendations
Resolutions
My advice:
• Take the compromised device out of the user's hands and issue/purchase a new one.
• Don't rely on at-home devices to store data; treat them as dumb, replaceable terminals.
• Assume the user reuses passwords: know how to rapidly lock a user out of cloud services, including revoking their active sessions and tokens, not just resetting the password.
Securing Publicly Available Services
Every IP on the internet is being bombarded by malicious requests...
Required security features for globally accessible services:
• A TLS certificate from a trusted CA for authentication (verifies the service's identity/authenticity)
• Transport encryption (i.e. HTTPS/TLS)
• Multi-factor authentication (e.g. Auth0, WSO2)
• Brute-force mitigation (auto-block the source IP after multiple failed authentications or malformed requests)
Optional (based on your threat model):
• DDoS protection (e.g. Cloudflare, Akamai, etc.)
IP-allowlist the service or restrict it to the VPN if you can't enable these features
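The brute-force mitigation bullet above, and the "weak auth" attack from the top-three list, as an added example that is not from the deck: a sliding-window tracker that reads authentication log lines and auto-blocks a source after too many failures, with a second trigger for password spraying (one source failing against many different accounts, which a per-account lockout never sees). The log format, the thresholds and the sample lines are constructed assumptions; adapt the regex to whatever your VPN, RD Gateway or identity provider actually emits.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log format (hypothetical). One event per line, UTC timestamp first.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+auth_(?P<result>success|failure)"
    r"\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Parse one log line into an event dict, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ok": m["result"] == "success", "user": m["user"], "src": m["src"]}


class BruteForceGuard:
    """Sliding-window failed-auth tracker with two block triggers:
    - brute_force: at least max_failures from one source inside the window (any accounts)
    - password_spray: one source failing against at least spray_users distinct accounts
      inside the window, even though no single account has been hit hard
    """

    def __init__(self, max_failures=5, window_seconds=300, spray_users=3):
        self.max_failures = max_failures
        self.window = timedelta(seconds=window_seconds)
        self.spray_users = spray_users
        self.failures = defaultdict(deque)  # src -> deque of (ts, user), oldest first
        self.blocked = {}                   # src -> reason

    def observe(self, ev) -> str:
        src = ev["src"]
        if src in self.blocked:
            return "blocked"  # a block persists even if the attacker later guesses right
        if ev["ok"]:
            return "allowed"
        q = self.failures[src]
        q.append((ev["ts"], ev["user"]))
        cutoff = ev["ts"] - self.window
        while q and q[0][0] < cutoff:
            q.popleft()  # forget failures older than the window
        if len(q) >= self.max_failures:
            self.blocked[src] = "brute_force"
        elif len({user for _, user in q}) >= self.spray_users:
            self.blocked[src] = "password_spray"
        return "blocked" if src in self.blocked else "failed"


def run(lines, **guard_kwargs) -> dict:
    """Feed log lines through the guard; return per-line decisions, blocks and malformed count."""
    guard = BruteForceGuard(**guard_kwargs)
    decisions, malformed = [], 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            malformed += 1          # a gateway would rate-limit or block on malformed input too
            decisions.append("malformed")
            continue
        decisions.append(guard.observe(ev))
    return {"decisions": decisions, "blocked": dict(guard.blocked), "malformed": malformed}


# Constructed sample log: a brute force against alice, a spray from a second source,
# a legitimate user with one stale failure, and one malformed request.
SAMPLE_LOG = [
    "2020-04-16T09:00:01Z auth_failure user=alice src=203.0.113.7",
    "2020-04-16T09:00:05Z auth_failure user=alice src=203.0.113.7",
    "2020-04-16T09:00:09Z auth_failure user=alice src=203.0.113.7",
    "2020-04-16T09:00:14Z auth_failure user=alice src=203.0.113.7",
    "2020-04-16T09:00:20Z auth_failure user=alice src=203.0.113.7",
    "2020-04-16T09:00:25Z auth_success user=alice src=203.0.113.7",
    "2020-04-16T09:01:00Z auth_failure user=bob src=198.51.100.9",
    "2020-04-16T09:01:02Z auth_failure user=carol src=198.51.100.9",
    "2020-04-16T09:01:04Z auth_failure user=dave src=198.51.100.9",
    "2020-04-16T09:02:00Z auth_failure user=erin src=192.0.2.44",
    "2020-04-16T10:02:00Z auth_failure user=erin src=192.0.2.44",
    "2020-04-16T10:02:30Z auth_success user=erin src=192.0.2.44",
    "2020-04-16T10:03:00Z GET /login?user=%27%20OR%201=1 src=198.51.100.9",
]

if __name__ == "__main__":
    result = run(SAMPLE_LOG)
    for line, decision in zip(SAMPLE_LOG, result["decisions"]):
        print(f"{decision:9} {line}")
    print("blocked:", result["blocked"], "malformed:", result["malformed"])
```

Note the sixth line: the attacker's eventual correct guess for alice is still refused because the source was already blocked, which is the whole point of blocking the source rather than locking the account. The spray threshold deserves care in production: WFH users arrive from their own home addresses, but an office or a carrier-grade NAT puts many legitimate users behind one IP, so tune spray_users per source range or pair the block with a short expiry rather than a permanent entry.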
VPNs are a Crutch, Not a Solution
Corporate VPNs' role:
• VPNs are mainly designed to extend the perimeter in legacy network architectures
• VPNs provide remote authentication / access to on-prem, non-cloud resources
VPNs are becoming obsolete:
• Cloud-model architectures don't need them
• VPNs give unnecessary full-network access
• They are often inconvenient, expensive, and difficult to maintain
Read more on this:
https://www.akamai.com/us/en/multimedia/documents/white-paper/the-4-benefits-of-vpn-elimination.pdf
QUESTIONS
Chris Gerritz
Co-Founder, Infocyte
cgerritz@Infocyte.com
Twitter: @gerritzc
@InfocyteInc
The Weapon of Choice for Incident Responders
www.infocyte.com

 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 

Incident Response for the Work-from-home Workforce

  • 6. What Really Matters
    With employees working from home, you don't control the network or the perimeter...
    What really matters for WFH personnel security:
    1. Verifying WHO is accessing corporate resources (Identity/Authentication)
    2. Ensuring the device they connect from is secure/clean (Endpoint Security)
    A natural fit for Zero-Trust / Cloud-Model principles.
  • 7. Where are you on digital transformation?
    Does WFH increase risk to the enterprise? It depends:
    • Companies that rely on traditional network defenses find it difficult to transition to a WFH workforce, which increases risk massively.
    • Organizations that already had wide cloud adoption find it much easier.
    WFH workers: corporate-owned devices or BYOD? Managed or unmanaged?
  • 9. Exploiting COVID-19
    Attackers have all converged on the current situation.
    • 98% of phishing emails are Coronavirus/COVID-19 themed.
    Source: https://www.fireeye.com/blog/threat-research/2020/04/limited-shifts-in-cyber-threat-landscape-driven-by-covid-19.html
  • 10. Top Threats to Consider
    Source: Verizon 2019 DBIR, https://enterprise.verizon.com/resources/reports/dbir/2019/results-and-analysis/
    Home office or not:
    • All of these threats still exist for home workers and corporate networks alike, regardless of architecture.
    Vuln scanning?
    • The threat rankings are pretty clear about where our focus needs to be.
  • 11. Top Three Attacks to Consider
    1. Weak authentication: cloud and VPN services are attacked directly with stolen passwords, or by brute forcing weak ones. Invest in SSO/MFA-enabled cloud identity.
    2. Trojans/phishing: WFH devices get infected with malware, which enables session hijacking to compromise the corporate network or cloud resources. Invest in endpoint security for home devices.
    3. Lost/stolen data: devices will be lost, stolen or damaged. Store data in the cloud; invest in remote device wipe software.
  • 13. Endpoint Monitoring
    All devices require endpoint security monitoring:
    • Upgrade: consumer antivirus won't protect against corporate threats.
    • Licensing: modern endpoint vendors may offer home-device licenses or, like Infocyte, place no restrictions on BYOD / home networks.
    Security monitoring / MDR:
    • Select a cloud-native endpoint monitoring solution (e.g. Infocyte RTS).
    • Manage alerts in a cloud console or send them to a cloud-based MDR provider.
    Protection (Antivirus/EPP) + Endpoint Monitoring (EDR/MDR platform)
  • 14. Cloud Architecture (Threat & Incident Response Platform)
    Components: Infocyte Cloud (AWS) hosting the RTS Console (customer1.Infocyte.com), Threat Intel & Analytics, and the Plugin API & UI; Agents on endpoints/servers; a Controller for agentless endpoints; the User.
    • Agents communicate directly with the cloud service.
    • Cloud infrastructure/workload monitoring is done via the IaaS API.
    • Controllers can discover internal endpoints, then scan them or deploy agents within a managed network.
  • 15. Host Capabilities (Threat & Incident Response Platform)
    Host/server side:
    • Real-Time Agent: process monitor, logs (continuous). The RT Agent monitors endpoint process activity in real time.
    • Forensic Collector: memory, artifacts, applications, autostarts, accounts (on-demand / periodic). The Forensic Collector inspects memory and collects key forensic artifacts; it is the primary data collector for agentless and offline scans.
    • Extensions: custom collections, response actions, remediation, isolation (periodic / triggered, via the extension subsystem). Extensions are scripts or modules that perform custom collection or action.
    Cloud console: detection, compliance, hardening, analytics, intel, reporting.
  • 16. Identity Security
    Extending Active Directory:
    - Azure AD
    - SAML
    Select a cloud-based identity provider:
    - Okta, OneLogin, etc.
    - It should provide Multi-Factor Authentication (MFA)
    - Consider hardware security keys (e.g. YubiKeys)
    - Consider feeding auth activity into a central monitoring solution (e.g. a SIEM)
  • 17. Monitoring Cloud Services
    3rd-party cloud services:
    • Get to know your cloud services' logging and security features:
      – e.g. Microsoft 365 security center, https://security.microsoft.com
      – Identity should be tied to a cloud SSO identity provider
      – Heads up: every service is unique...
    Your internal services:
    • Use a cloud-based identity provider: Azure AD, Okta, OneLogin, etc.
    • Ensure services are tied to your corporate identity provider (e.g. via SAML)
    • Consider implementing centralized security feeds (activity logs)
  • 18. Legacy Service Access
    Legacy on-prem apps are generally accessed via:
    • VPN
    • Remote Desktop Services (RDP/RDS)
    Secure your VPN & RD Gateways:
    • Remote Desktop was the #1 attacked service by ransomware operators in 2019. Ransomware families across the board are delivered through exposed RDP, typically by brute-forced or stolen credentials rather than a software exploit.
    • By default, RD Gateways are not hardened: https://turbofuture.com/computers/How-To-Setup-a-Remote-Desktop-Gateway-Windows-Server-2016
  • 20. Incident Response Steps (2019 Incident Response Readiness)
    1. Detect: typically detect malicious activity via endpoint monitoring, external reports, or support tickets.
    2. Triage: determine the scope of the breach; gather evidence/information.
    3. Contain: ensure it can't spread or access corporate information.
    4. Recover: business continuity; ensure the business can continue.
    5. Investigate: analyze evidence and determine root cause.
    6. Learn: implement new controls based on lessons learned.
  • 21. Getting Device Access
    Ideal:
    • A cloud-native endpoint security solution (EDR) should grant access directly to devices.
    Workarounds:
    • Install a temporary agent on the affected device, or
    • Perform an offline/manual scan using Infocyte's Collector ("survey").
  • 22. Got on-prem problems?
    Putting on-prem security tools in the cloud for WFH devices? Ask:
    • Does it handle overlapping IPs (home networks all using the same private ranges)?
    • Is it cross-platform for BYOD?
    • Is it secure when exposed to the internet?
  • 23. Getting BYOD Device Access
    Remember to get consent:
    • Corporate BYOD policies should include consent to monitoring; if not, get it in writing from the device owner.
    • Talk to your legal counsel about this.
    Things to collect:
    • Executables, OS and application logs, identified malware, scripts
    Things to avoid (scan them with an automated tool, but don't collect):
    • Pictures, personal data, browsing history
    Be careful with browsing history... Use a licensed forensics professional if you are interested in collecting this type of data.
  • 25. Resolutions
    My advice:
    • Take the compromised device and issue/purchase a new one.
    • Don't rely on at-home devices to store data; treat them like dumb, replaceable terminals.
    • Assume the user reuses passwords: know how to rapidly lock a user out of cloud services.
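The rapid lock-out the last point calls for, written out as an added example; this is not Infocyte's code or part of the deck. It targets Azure AD through the Microsoft Graph v1.0 REST API (one of the identity providers slides 16 and 17 name) and assumes the responder already holds a bearer token with the permissions to disable a user and revoke sign-in sessions. The `DryRunTransport` class is an assumption of this example for rehearsing the runbook offline.

```python
"""Rapid cloud lock-out of a user who may have reused a compromised password.

Added example, not from the Infocyte deck. Assumes an OAuth2 bearer token for
Microsoft Graph with rights to disable a user (User.ReadWrite.All or
User.EnableDisableAccount.All) and revoke sessions (User.RevokeSessions.All).
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"

# transport(method, url, json_body_or_None, token) -> (http_status, parsed_json)
Transport = Callable[[str, str, Optional[Dict], str], Tuple[int, Dict]]


def urllib_transport(method: str, url: str, body: Optional[Dict], token: str) -> Tuple[int, Dict]:
    """Send one Graph request with the standard library (no extra deps)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as e:
        raw = e.read()
        return e.code, (json.loads(raw) if raw else {})


def lock_out_user(user: str, token: str, transport: Transport = urllib_transport) -> List[str]:
    """Disable sign-in first, then revoke every refresh token.

    Order matters: disabling the account stops new sign-ins, including the
    attacker re-authenticating with the reused password; revoking sessions
    then prevents existing sessions from being renewed. Caveat: access tokens
    already issued stay valid until they expire (about an hour by default),
    so kill active sessions in the individual services as well.
    Returns the steps that succeeded; raises on the first failure so the
    responder knows exactly which step to repeat by hand.
    """
    target = f"{GRAPH}/users/{urllib.parse.quote(user, safe='@')}"
    done: List[str] = []

    status, _ = transport("PATCH", target, {"accountEnabled": False}, token)
    if status != 204:                      # Graph answers 204 No Content on success
        raise RuntimeError(f"disable failed for {user}: HTTP {status}")
    done.append("accountEnabled=false")

    status, body = transport("POST", f"{target}/revokeSignInSessions", None, token)
    if status != 200 or body.get("value") is not True:
        raise RuntimeError(f"revokeSignInSessions failed for {user}: HTTP {status} {body}")
    done.append("refresh tokens revoked")
    return done


class DryRunTransport:
    """Records the Graph calls instead of sending them (assumed helper for
    rehearsing the runbook). `fail_at` makes the n-th call (0-based) return
    `fail_status` so the error path can be exercised."""

    def __init__(self, fail_at: Optional[int] = None, fail_status: int = 403):
        self.calls: List[Tuple[str, str, Optional[Dict]]] = []
        self.fail_at = fail_at
        self.fail_status = fail_status

    def __call__(self, method: str, url: str, body: Optional[Dict], token: str) -> Tuple[int, Dict]:
        self.calls.append((method, url, body))
        if self.fail_at is not None and len(self.calls) - 1 == self.fail_at:
            return self.fail_status, {"error": {"code": "simulated"}}
        return (204, {}) if method == "PATCH" else (200, {"value": True})


if __name__ == "__main__":
    rehearsal = DryRunTransport()
    print(lock_out_user("alice@example.com", "not-a-real-token", rehearsal))
    for call in rehearsal.calls:
        print(call)
```

Run the rehearsal once before you need it for real; the point of slide 25 is that the lock-out has to be fast, and the first time you look up the endpoints should not be during the incident.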
  • 26. Securing Publicly Available Services
    Every IP on the internet is being bombarded with malicious requests...
    Required security features for globally accessible services:
    • TLS certificates signed by a trusted CA (verifies the service's identity/authenticity)
    • Transport encryption (HTTPS/TLS)
    • Multi-factor authentication (e.g. Auth0, WSO2)
    • Brute-force mitigation (automatic IP block after repeated failed auth or malformed requests)
    Optional (based on your threat model):
    • DDoS protection (e.g. Cloudflare, Akamai)
    IP-whitelist the service or restrict it to the VPN if you can't enable these features.
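The brute-force mitigation above, and the attacked RD Gateways of slide 18, come down to one control: count failed logons per source over a sliding window and block the source when it crosses a threshold. The following is an added example, not Infocyte's code or anything from the deck. It assumes the gateway, VPN or SSO auth events have already been normalised to one line per attempt (`timestamp,source_ip,service,user,result`, in time order); the sample lines and the `Block` record are constructed for this example.

```python
"""Sliding-window failed-logon detector with automatic source-IP blocking.

Added example (not Infocyte code). Input: normalised auth events, one per
line, chronological: ISO-8601 timestamp, source IP, service, user, result.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Tuple

# Constructed sample: a password spray against an RD Gateway from
# 203.0.113.7 (six different user names in 90 seconds) and a legitimate VPN
# user who mistypes her password twice, 35 minutes apart.
SAMPLE_LOG = """\
2020-04-16T09:00:01Z,203.0.113.7,rdp,administrator,fail
2020-04-16T09:00:12Z,203.0.113.7,rdp,admin,fail
2020-04-16T09:00:25Z,203.0.113.7,rdp,jsmith,fail
2020-04-16T09:00:40Z,198.51.100.23,vpn,alice,success
2020-04-16T09:00:53Z,203.0.113.7,rdp,bob,fail
2020-04-16T09:01:10Z,203.0.113.7,rdp,backup,fail
2020-04-16T09:01:29Z,203.0.113.7,rdp,test,fail
2020-04-16T09:05:00Z,198.51.100.23,vpn,alice,fail
2020-04-16T09:40:00Z,198.51.100.23,vpn,alice,fail
"""


@dataclass
class Block:
    source: str
    service: str
    when: datetime          # time the threshold was crossed
    failures: int           # failures inside the window at that moment
    distinct_users: int     # ~= failures means a spray, not a single-account attack


def parse_line(line: str) -> Tuple[datetime, str, str, str, str]:
    ts, source, service, user, result = line.strip().split(",")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), source, service, user, result


def detect_bruteforce(lines: Iterable[str], threshold: int = 5,
                      window: timedelta = timedelta(minutes=5)) -> List[Block]:
    """Block a source after `threshold` failures within any `window`.

    A successful logon does not reset the counter: a spray that finally
    guesses a password is exactly the case that must still be flagged.
    Per-account lockout policies miss sprays because each account sees
    only one or two attempts; counting per source catches them.
    """
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    blocked: Dict[str, Block] = {}
    for line in lines:
        if not line.strip():
            continue
        ts, source, service, user, result = parse_line(line)
        if result != "fail" or source in blocked:
            continue
        q = recent[source]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            blocked[source] = Block(source, service, ts, len(q), len({u for _, u in q}))
    return list(blocked.values())


def firewall_rules(blocks: List[Block]) -> List[str]:
    """Windows Defender Firewall inbound block rules for an RD Gateway host
    (netsh syntax); for a VPN or cloud service, substitute your edge
    firewall's or provider's block-list API."""
    return [f'netsh advfirewall firewall add rule name="IR-block {b.source}" '
            f'dir=in action=block remoteip={b.source}' for b in blocks]


if __name__ == "__main__":
    hits = detect_bruteforce(SAMPLE_LOG.splitlines())
    for b in hits:
        print(f"{b.when:%H:%M:%S} block {b.source} ({b.service}): "
              f"{b.failures} failures, {b.distinct_users} user names")
    print("\n".join(firewall_rules(hits)))
```

On the sample, only 203.0.113.7 is blocked, at the fifth failure; the legitimate user's two failures are 35 minutes apart and never accumulate. Tune `threshold` and `window` to the service: an RD Gateway facing the internet tolerates a much lower threshold than an SSO portal used by thousands of people behind shared NAT addresses.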
  • 27. VPNs are a Crutch, Not a Solution
    The corporate VPN's role:
    • VPNs are mainly designed to extend the perimeter in legacy network architectures.
    • VPNs provide remote authentication / access to on-prem, non-cloud resources.
    VPNs are becoming obsolete:
    • Cloud-model architectures don't need them.
    • VPNs give unnecessary full-network access.
    • They are often inconvenient, expensive, and difficult to maintain.
    Read more on this: https://www.akamai.com/us/en/multimedia/documents/white-paper/the-4-benefits-of-vpn-elimination.pdf
  • 28. Questions
    Chris Gerritz, Co-Founder, Infocyte
    cgerritz@Infocyte.com
    Twitter: @gerritzc @InfocyteInc
    The Weapon of Choice for Incident Responders: www.infocyte.com