Slide 1 (CONFIDENTIAL)
What Happens Before the Kill Chain
Dan Hubbard, CTO, OpenDNS
Rick Holland, Principal Analyst, Forrester
Slide 2
Speakers
Dan Hubbard, CTO, OpenDNS
Rick Holland, Principal Analyst, Forrester
Slide 3 (© 2015 Forrester Research, Inc. Reproduction Prohibited)
Agenda
› The cyber kill chain
› Targeted Attack Hierarchy of Needs
› Making prevention work
@rickhholland
Slide 4
STRESS
Slide 5
Time to discover is pathetic
Slide 6
205 days to discover
Slide 7
Adversaries are on shopping sprees
Slide 8
With no time limits
Slide 9
New Incident Response Metric: Mean Time Before CEO Apologizes
Slide 10
We need bright ideas
Slide 11
Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains
Slide 12
Agenda
› The cyber kill chain
› Targeted Attack Hierarchy of Needs
› Making prevention work
@rickhholland
Slide 13
Targeted attack hierarchy of needs
Source: May 15, 2014, “Introducing Forrester's Targeted-Attack Hierarchy Of Needs, Part 1 Of 2” Forrester report
Slide 14 (no extractable text)
Slide 15
Why should we give up on prevention?
Slide 16
Why should you settle for detection and response?
Slide 17
Can you imagine incident volume without prevention?
Slide 18
Prevention is dead?
› Be wary of anyone claiming that prevention is dead
› Especially if all they sell are detection tools or services
› You should lead with prevention and fall back to detection and response
Be suspicious
Slide 19
Agenda
› The cyber kill chain
› Targeted Attack Hierarchy of Needs
› Making prevention work
@rickhholland
Slide 20
Don’t wait for reconnaissance
Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control → Action on objectives
Source: http://cyber.lockheedmartin.com/cyber-kill-chain-lockheed-martin-poster
Slide 21
Napoleon: “An army marches on its stomach”
Slide 22
Attacks against your org rely upon infrastructure
Slide 23
Block enemy infrastructure
› The best way to get time to containment down is to reduce the overall number of security incidents
› Free up your limited resources to focus more on detection and response
› You can disrupt the adversary by blocking its ability to target you
› The military puts the kill in the kill chain; leave hack back to the government
Slide 24
The Diamond Model of Intrusion Analysis
Source: http://www.threatconnect.com/files/uploaded_files/The_Diamond_Model_of_Intrusion_Analysis.pdf
Slide 25
Infrastructure that the adversary could reuse
› Domain names
› IP addresses
› Command and Control structure
› Internet Service Providers
› Domain registrars
› Web-mail providers
Slide 26
Lenny Zeltser: Report Template for Threat Intelligence and Incident Response
Source: https://zeltser.com/cyber-threat-intel-and-ir-report-template/
Slide 27
Domain registration OPSEC fail
› Careful observation of DNS registrant contact information history has revealed an OPSEC failure by the attackers in one instance.
› For a brief period (possibly before the server was operational), WHOIS privacy was inactive, pointing at a real identity of the registrant.
› This e-mail address leads to social media accounts that show public and clear affinity with Lebanese political activism.
Slide 28 (no extractable text)
Slide 29
Forrester definition: Predictive analytics
› “Software and/or hardware solutions that allow firms to discover, evaluate, optimize, and deploy predictive models by analyzing big data sources to improve business performance or mitigate risk.”
Slide 30
Predictive security analytics
› Uses Big Data analysis techniques to anticipate future attacker activity based on historical activity
› Leverages machine learning, statistical analysis, and visualization
› Unless you have data science skills, navigating vendor marketing can be challenging
› Ask vendors to provide use cases
Slide 31 (no extractable text)
Slide 32
OpenDNS Research
Applied Research
Thought Leadership
Response
Customer / Prospect Engagements
Slide 33
Our Perspective: Diverse Set of Data & Global Internet Visibility
Requests Per Day: 70B
Countries: 160+
Daily Active Users: 65M
Enterprise Customers: 10K
Slide 34
Our view of the Internet: providing visibility into global Internet activity (e.g. BGP, AS, DNS)
Slide 35
How it works
Ingest millions of data points per second
Apply statistical models and human intelligence
Identify probable malicious sites
(Graphic: sample TLDs .com, .cn, .ru, .net)
Slide 36
How we develop our statistical models…
3D Visualization
Data Mining
Security Research Expertise
Slide 37
Investigate
Single, correlated source of information
Types of threat information provided:
WHOIS record data
ASN attribution
IP geolocation
IP reputation scores
Domain reputation scores
Domain co-occurrences
Anomaly detection (DGAs, FFNs)
DNS request patterns / geographic distribution
Passive DNS database
Slide 38
Predictive Intelligence
Inference, Knowledge, Learning
Pre-Compromise → Compromise → Post-Compromise
Slide 39
Predictive Intelligence
Inference, Knowledge, Learning
Reconnaissance → Weaponization → Delivery → Exploitation → Installation → C & C → Actions & Objectives
Slide 40
Before the Kill Chain
Plan → Build → Test / Iterate
(precedes Reconnaissance → Weaponization → Delivery)
Slide 41
Predictive Intelligence
Plan → Build → Test / Iterate
• Where will we host the infrastructure?
• How will it be fault tolerant?
• What domain / IP / Networks will I utilize?
• How will the backend scale? Reporting? Uptime?
• Private and public announcement and advertising?
• Testing and iteration of the solution
Slide 42
We see where attacks are staged
Slide 43
Examples
Slide 44
Malaysia Airlines DNS Hijack
January 25, 2015
Slide 45
MALICIOUS ASN/IP IDENTIFIED
Owned by Lizard Squad, who hacked PS3 and Xbox Networks in December 2014
Slide 46
OpenDNS recognized the domain hijacking on Jan 25th and blocked the DNS request, and hence any subsequent attack
Slide 47
WHOIS: BEDEP Example
Slide 48
WHOIS: Visualization of Inferences
Slide 49
WHOIS: Visualization of Inferences
Slide 50
WHOIS: Registration date after first seen!
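Three of the infrastructure checks the deck describes, the reusable indicators of slide 25, the brief window without WHOIS privacy of slide 27, and the "registration date after first seen" anomaly of slide 50, as an added Python example. This is not code from OpenDNS or Forrester. All WHOIS snapshots, creation dates and passive DNS first-seen dates are constructed sample data under the reserved .example TLD, the registrant and privacy-proxy addresses are invented placeholders, and the example assumes that "first seen" on slide 50 means the first observation of the name in passive DNS.

```python
from datetime import date

# Constructed WHOIS history snapshots: (domain, snapshot date, registrant e-mail, privacy proxy on?).
# Every name and address here is an invented placeholder under the reserved .example TLD.
WHOIS_HISTORY = [
    ("evil-update.example", date(2015, 1, 10), "contact@privacyproxy.example", True),
    ("evil-update.example", date(2015, 1, 12), "jdoe@mailhost.example", False),  # privacy briefly off
    ("evil-update.example", date(2015, 1, 14), "contact@privacyproxy.example", True),
    ("cdn-assets.example", date(2015, 2, 1), "jdoe@mailhost.example", False),
    ("news-portal.example", date(2012, 5, 20), "admin@news-portal.example", False),
]

# Constructed current WHOIS creation dates.
WHOIS_CREATED = {
    "evil-update.example": date(2015, 1, 10),
    "cdn-assets.example": date(2015, 2, 1),
    "news-portal.example": date(2012, 5, 20),
    "recycled-brand.example": date(2015, 3, 5),
}

# Constructed passive DNS first-seen dates (assumption: this is what "first seen" means on the slide).
PDNS_FIRST_SEEN = {
    "evil-update.example": date(2015, 1, 11),
    "cdn-assets.example": date(2015, 2, 2),
    "news-portal.example": date(2012, 6, 1),
    "recycled-brand.example": date(2014, 11, 30),  # queried before its current registration
}


def privacy_gaps(history, domain):
    """Snapshots of `domain` taken while WHOIS privacy was off, i.e. a registrant identity was exposed."""
    return [(snap, email) for dom, snap, email, private in history
            if dom == domain and not private]


def pivot_registrant(history, email):
    """Every domain whose WHOIS history ever carried this registrant e-mail (infrastructure reuse)."""
    return sorted({dom for dom, _, e, _ in history if e == email})


def registration_after_first_seen(created, first_seen):
    """Domains whose current WHOIS creation date is later than their first DNS observation:
    the name was dropped and re-registered, so the current registrant need not be the one
    behind the earlier traffic, and the WHOIS record alone tells an incomplete story."""
    return sorted(d for d in created if d in first_seen and created[d] > first_seen[d])


def newly_registered_when_first_seen(created, first_seen, max_age_days=7):
    """Domains first queried within max_age_days of registration; freshly registered names
    appearing in traffic are a common pre-compromise staging signal."""
    return sorted(d for d in created
                  if d in first_seen and 0 <= (first_seen[d] - created[d]).days <= max_age_days)


if __name__ == "__main__":
    gaps = privacy_gaps(WHOIS_HISTORY, "evil-update.example")
    print("privacy off:", gaps)
    for _, email in gaps:
        print("also registered by", email, "->", pivot_registrant(WHOIS_HISTORY, email))
    print("registered after first seen:", registration_after_first_seen(WHOIS_CREATED, PDNS_FIRST_SEEN))
    print("new at first seen:", newly_registered_when_first_seen(WHOIS_CREATED, PDNS_FIRST_SEEN))
```

The pivot from an exposed registrant address to every other domain it registered is the analyst move the OPSEC-fail slide relies on; on real data the same join runs over a passive DNS database and historical WHOIS rather than in-memory lists, and the privacy-proxy addresses themselves should be excluded from pivoting because thousands of unrelated domains share them.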
Slide 51
Anomaly Detection: Identify DGAs
Domain Generation Algorithms: technique for generating malware domains on-the-fly
yfrscsddkkdl.com
qgmcgoqeasgommee.org
iyyxtyxdeypk.com
diiqngijkpop.ru
Does the probability distribution of letters appear random?
“N-gram” analysis: do letter pairings match normal language patterns?
Slide 52
DGA Example: Gameover
Min: May 30: Plan, Build, Test, Iterate
Slide 53
Conclusion
§ Do not give up on prevention and shift *all* resources to detection
§ Analyze your security posture for predictive elements
§ Utilize hunting and analytic tools to increase security efficacy
§ Explore security analytics to identify and map attacker infrastructure before the kill chain
Slide 54
Start a 14-Day Trial
signup.opendns.com/freetrial
Slide 55
Questions?

  • 19. 19 CONFIDENTIAL© 2015 Forrester Research, Inc. Reproduction Prohibited 19 Agenda › The cyber kill chain › Targeted Attack Hierarchy of Needs › Making prevention work @rickhholland
  • 20. 20 CONFIDENTIAL© 2015 Forrester Research, Inc. Reproduction Prohibited 20 Don’t wait for reconnaissance Reconnaissance Weaponization Delivery Exploitation Installation Command & Control Action on objectives Source: http://cyber.lockheedmartin.com/cyber-kill-chain-lockheed-martin-poster
  • 21. 21 CONFIDENTIAL© 2015 Forrester Research, Inc. Reproduction Prohibited 21 asdf ›  asdf Napoleon: “An army marches on its stomach”
  • 22. 22 CONFIDENTIAL© 2015 Forrester Research, Inc. Reproduction Prohibited 22 asdf ›  asdf Attacks against your org rely upon infrastructure
  • 23. 23 CONFIDENTIAL© 2015 Forrester Research, Inc. Reproduction Prohibited 23 Block enemy infrastructure ›  The best way to get time to containment down is to reduce the overall number of security incidents ›  Free up your limited resources to focus more on detection and response ›  You can disrupt the adversary by blocking its ability to target you ›  The military puts the kill in the kill chain, leave hack back to the government
  • 24. 24 CONFIDENTIAL© 2015 Forrester Research, Inc. Reproduction Prohibited 24 Source: http://www.threatconnect.com/files/uploaded_files/The_Diamond_Model_of_Intrusion_Analysis.pdf The Diamond Model of Intrusion Analysis
  • 25. 25 CONFIDENTIAL© 2015 Forrester Research, Inc. Reproduction Prohibited 25 Infrastructure that the adversary could reuse ›  Domain names ›  IP addresses ›  Command and Control structure ›  Internet Service Providers ›  Domain registrars ›  Web-mail providers
  • 26. 26 CONFIDENTIAL© 2015 Forrester Research, Inc. Reproduction Prohibited 26 Lenny Zeltser: Report Template for Threat Intelligence and Incident Response Source: https://zeltser.com/cyber-threat-intel-and-ir-report-template/
  • 27. 27 CONFIDENTIAL© 2015 Forrester Research, Inc. Reproduction Prohibited 27 Domain registration OPSEC fail ›  Careful observation of DNS registrant contact information history has revealed an OPSEC failure by the attackers in one instance. ›  For a brief period (possibly before the server was operational), WHOIS privacy was inactive, pointing at a real identity of the registrant. ›  This e-mail address leads to social media accounts that show public and clear affinity with Lebanese political activism.
  • 28. 28 CONFIDENTIAL© 2015 Forrester Research, Inc. Reproduction Prohibited 28
  • 29. 29 CONFIDENTIAL© 2015 Forrester Research, Inc. Reproduction Prohibited 29 Forrester definition: Predictive analytics ›  “Software and/or hardware solutions that allow firms to discover, evaluate, optimize, and deploy predictive models by analyzing big data sources to improve business performance or mitigate risk.”
  • 30. 30 CONFIDENTIAL© 2015 Forrester Research, Inc. Reproduction Prohibited 30 Predictive security analytics ›  Uses Big Data analysis techniques to anticipate future attacker activity based on historical activity ›  Leverages machine learning, statistical analysis, and visualization ›  Unless you have a data science skills, navigating vendor marketing can be challenging ›  Ask vendors to provide use cases
  • 31. 31 CONFIDENTIAL© 2015 Forrester Research, Inc. Reproduction Prohibited 31 asdf ›  asdf
  • 32. 32 CONFIDENTIAL OpenDNS Research Applied ResearchThought Leadership Response Customer / Prospect Engagements
  • 33. 33 CONFIDENTIAL Requests Per Day 70B Countries 160+ Daily Active Users 65M Enterprise Customers 10K Our Perspective Diverse Set of Data & Global Internet Visibility
  • 34. 34 CONFIDENTIAL Our view of the Internetproviding visibility into global Internet activity (e.g. BGP, AS, DNS)
  • 35. 35 CONFIDENTIAL Apply statistical models and human intelligence Identify probable malicious sites Ingest millions of data points per second How it works .com .cn .ru .net .com
  • 36. 36 CONFIDENTIAL How we develop our statistical models… 3D Visualization Data MiningSecurity Research Expertise
  • 37. 37 CONFIDENTIAL Single, correlated source of information Investigate Types of threat information provided WHOIS record data ASN attribution IP geolocation IP reputation scores Domain reputation scores Domain co-occurrences Anomaly detection (DGAs, FFNs) DNS request patterns/geo. distribution Passive DNS database
  • 38. 38 CONFIDENTIAL Predictive Intelligence InferenceKnowledge Learning Pre-Compromise Compromise Post-Compromise
  • 39. 39 CONFIDENTIAL Predictive Intelligence InferenceKnowledge Learning Reconnaissance Exploitation C & C Weaponization Delivery Installation Actions & Objectives
  • 40. 40 CONFIDENTIAL Before the Kill Chain Reconnaissance Weaponization Delivery Plan Build Test / Iterate
  • 41. 41 CONFIDENTIAL Predictive Intelligence Plan Build Test / Iterate •  Where will we host the infrastructure? •  How will it be fault tolerant? •  What domain / IP / Networks will I utilize? •  How will the backend scale? Reporting? Uptime? •  Private and public announcement and advertising? •  Testing and iteration of the solution
  • 42. 42 CONFIDENTIAL We see where attacks are staged
  • 44. 44 CONFIDENTIAL Malaysia Airlines DNS Hijack January 25, 2015
  • 45. 45 CONFIDENTIAL MALICIOUS ASN/IP IDENTIFIED Owned  by  Lizard  Squad   who  hacked  PS3  and  Xbox   Networks  in     December  2014  
  • 46. 46 CONFIDENTIAL OpenDNS recognized the domain hijacking on Jan 25th and blocked the DNS request, and hence any subsequent attack
  • 51. 51 CONFIDENTIAL Anomaly Detection: Identify DGAs Domain Generation Algorithms: technique for generating malware domains on-the-fly yfrscsddkkdl.com qgmcgoqeasgommee.org iyyxtyxdeypk.com diiqngijkpop.ru Does the probability distribution of letters appear random? N-gram” analysis Do letter pairings match normal language patterns?
  • 52. 52 CONFIDENTIAL DGA Example: Gameover Min: May 30: Plan, Build, Test, Iterate
  • 53. 53 CONFIDENTIAL Conclusion §  Do not give up on prevention and shift *all* resources to detection §  Analyze your security posture for predictive elements §  Utilize hunting and analytic tools to increase security efficacy §  Explore security analytics to identify and map attacker infrastructure before the kill chain
  • 54. 54 CONFIDENTIAL Start a 14-Day Trial signup.opendns.com/freetrial
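The two DGA checks from slide 51 (letter distribution and letter-pair plausibility) worked through on the slide's own sample domains, as an added example that is not from the deck or from OpenDNS. The benign label list is a constructed stand-in for a real known-good domain feed, and the thresholds are assumptions tuned to that toy list.

```python
import math
from collections import Counter
# Constructed stand-in for a list of known-good domain labels (not OpenDNS data).
BENIGN_LABELS = [
    "google", "microsoft", "amazon", "facebook", "wikipedia", "forrester", "opendns",
    "lockheed", "security", "research", "analytics", "mail", "news", "online", "shop",
    "bank", "cloud", "server", "example", "internet", "network", "service", "update",
    "download", "support", "account", "login", "portal", "office", "windows", "apple",
    "twitter", "youtube", "linkedin", "dropbox",
]

def registrable_label(domain):
    """Label left of the TLD ('yfrscsddkkdl' for 'yfrscsddkkdl.com').
    Assumes a one-label TLD; public-suffix handling is out of scope here."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def letter_entropy(label):
    """Shannon entropy (bits per character) of the label's letter distribution."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def bigrams(label):
    return [label[i:i + 2] for i in range(len(label) - 1)]

def build_bigram_set(labels):
    """Every adjacent letter pair that occurs in the benign training labels."""
    return {b for w in labels for b in bigrams(w)}

def unseen_bigram_ratio(label, benign_bigrams):
    """Fraction of the label's letter pairs never seen in benign labels.
    A label shorter than two characters has no pairs and scores 0.0."""
    pairs = bigrams(label)
    if not pairs:
        return 0.0
    return sum(1 for b in pairs if b not in benign_bigrams) / len(pairs)

def looks_generated(domain, benign_bigrams, max_unseen=0.5, min_entropy=2.5):
    """Flag a domain whose letter pairs are mostly absent from benign traffic and
    whose letters are spread evenly enough to look machine-generated (assumed thresholds)."""
    label = registrable_label(domain)
    return (unseen_bigram_ratio(label, benign_bigrams) > max_unseen
            and letter_entropy(label) >= min_entropy)

if __name__ == "__main__":
    model = build_bigram_set(BENIGN_LABELS)
    for d in ["yfrscsddkkdl.com", "qgmcgoqeasgommee.org", "iyyxtyxdeypk.com",
              "diiqngijkpop.ru", "salesforce.com", "opendns.com"]:
        lbl = registrable_label(d)
        print(f"{d:22} H={letter_entropy(lbl):.2f} unseen="
              f"{unseen_bigram_ratio(lbl, model):.2f} dga={looks_generated(d, model)}")
```

Entropy alone separates the samples poorly at these label lengths; the bigram ratio does most of the work, which is why the slide pairs the two questions.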