Designing and securing a network is very complex. With detailed requirements to support all of the latest devices, mobile computing, cloud services and the portability requirements of data, current networks are very porous, very difficult to secure and very compromised. What can we do to change that?
Main points covered:
•What are some of the most efficient ways to defend compromised networks?
•How to conduct threat hunting?
•What can we do when we are compromised by a threat?
Presenter:
Our special presenter for this webinar is Dr. Eric Cole, who has worked with a variety of clients, ranging from Fortune 500 companies to top international banks, to the CIA. He has presented at many security events, including SANS, and has also been interviewed by several chief media outlets, such as CNN, CBS News and 60 Minutes. In addition, he has been published in the Wall Street Journal, The New Yorker and IEEE Security and Privacy.
Organizer: Ardian Berisha
Date: July 12, 2017
Link of the recorded session: https://www.youtube.com/watch?v=lmztNFPrzEE
CASE STUDY: How to Defend the Compromised Network?
2. If you have not detected an attack/compromise in the last 12 months, it is not because it is not happening – it is because you are not looking in the right areas…
You are either hunting or being hunted
3. The Cold, Hard Facts
Executives, shareholders and boards of directors have come to recognize that compromises are inevitable
The focus of security has shifted to controlling and minimizing the damage from attacks
4. Introduction
• In implementing security the following assumptions must be made:
– The network is compromised
– Client systems are compromised
– 100% security does not exist
• The goals of implementing security are:
– Control damage
– Minimize impact
– Timely Detection
– Being Proactive
5. Playbook for Success
How to Join the Winning Team
• Step 1: Proper Foundation
• Step 2: Plan of Attack – Control the Damage
• Step 3: Visibility and Optics
• Step 4: Proactive Incident Response – Threat Hunting
• Step 5: Active Defense - Deception
6. Step 1: Proper Foundation
What is the most important part of a house?
What is the most important part of security?
7. You Will Not Win Without a Solid Foundation
- Asset Inventory
- Configuration Management
- Change Control
8. One word that if properly embraced will change everything:
9. DE-SCOPING VIA SEGMENTATION
10. Step 2: Plan of Attack
What is the difference between a minor breach and a major breach?
11. It is ALL About the DATA
What is your most critical data?
Where is it located?
Who has access to it?
Who is actually accessing it?
What business processes need to access it?
12. What is the cause of damages in most breaches?
13. Insiders Are Responsible for 90% of Security Incidents *
Malicious
∙ Fraud/Data Theft
∙ Inappropriate access
∙ Disgruntled employee
Unintentional
∙ Misuse of systems
∙ Log-in/log-out failures
∙ Cloud storage
[Pie chart: 71% / 29% split between the two categories]
* Verizon 2015 Data Breach Investigations Report
* Kaspersky Lab 2016 Security Risks Special Report
Are You Focused on the Correct Area?
14. Step 3: Visibility and Optics
You cannot manage what you cannot measure…
How are you managing your security?
16. Step 4: Proactive Incident Response – Threat Hunting
Threat hunting is the act of aggressively tracking and eliminating cyber adversaries from your network as early as possible.
17. Methods of Threat Hunting
Network-based hunting involves monitoring and analyzing network traffic to look for indicators that an adversary might be on your network.
Host-based hunting involves analyzing an individual computer, looking at both what is installed on the computer and what is running on the system, with the goal of finding signs of compromise.
18. Core Characteristics of Attacks
• Target an individual/system
• Deliver payload to system
• Upload files to the system
• Run processes
• Survive a reboot
• Make outbound connections (beacons to C2)
• Perform internal reconnaissance
• Pivot into the network
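Network-based hunting, as described in the two slides above, is the place where the "beacons to C2" characteristic becomes observable: a compromised host calls home on a timer, which shows up as unusually regular outbound connections to one endpoint. The following is an added example (not from the webinar or Dr. Cole) that scores outbound connection records for that regularity; the log format, hosts and addresses are constructed for the demonstration.

```python
"""Hunt for beacon-like outbound connections in a constructed connection log."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample (timestamp, internal source, external destination:port):
# 10.1.5.23 calls 203.0.113.7 roughly every 60 seconds (beacon-like),
# while 10.1.5.40 shows ordinary irregular browsing to 198.51.100.9.
SAMPLE_LOG = """\
2017-07-12T09:00:00 10.1.5.23 203.0.113.7:443
2017-07-12T09:01:01 10.1.5.23 203.0.113.7:443
2017-07-12T09:02:00 10.1.5.23 203.0.113.7:443
2017-07-12T09:02:59 10.1.5.23 203.0.113.7:443
2017-07-12T09:04:00 10.1.5.23 203.0.113.7:443
2017-07-12T09:05:01 10.1.5.23 203.0.113.7:443
2017-07-12T09:00:10 10.1.5.40 198.51.100.9:443
2017-07-12T09:00:12 10.1.5.40 198.51.100.9:443
2017-07-12T09:07:45 10.1.5.40 198.51.100.9:443
2017-07-12T09:31:02 10.1.5.40 198.51.100.9:443
2017-07-12T09:31:03 10.1.5.40 198.51.100.9:443
2017-07-12T10:02:30 10.1.5.40 198.51.100.9:443
"""


def parse(log):
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def periodicity(times):
    """Return (mean gap in seconds, coefficient of variation of the gaps)."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))


def find_beacons(log, min_conns=5, max_cv=0.2):
    """Flag pairs with enough connections and suspiciously regular timing.

    A low coefficient of variation means the gaps between connections are
    nearly constant, which human-driven traffic rarely produces.
    """
    hits = []
    for (src, dst), times in parse(log).items():
        if len(times) < min_conns:
            continue
        interval, cv = periodicity(times)
        if cv <= max_cv:
            hits.append((src, dst, round(interval), round(cv, 3)))
    return hits
```

Real implants usually add jitter to their sleep interval, so `max_cv` has to be tuned against a baseline of your own outbound traffic, and the same scoring is more useful when aggregated per destination domain from proxy logs than per raw IP.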
21. Step 5: Active Defense - Deception
Is your current network making it easy or hard for the adversary to break in?
22. Active Defense – Offensive Countermeasures
• To make it harder for the adversary to break in – create a false reality
• Allow for early detection of the attack
• Provide an ever changing environment to slow down the attack process
23. Active Defense Techniques
• The following are some active defense techniques that can be used for deception:
• Honeypots
• Honeycreds
• Jailed environments
• False headers
• Decoy IP’s and ports
• Tarpits
• Bogus DNS entries
24. It Is Time To Take Action
• If your network is compromised you must control damage and perform timely detection:
– Network segmentation is key to controlling damage
– Anomaly detection of outbound traffic will catch compromise
– Asset identification will allow monitoring of approved devices
– Data discovery will focus in on key areas
– Outbound proxies will monitor and control traffic
25. Summary
• Identify your most critical assets
• Trace back what systems they reside on
• Understand all threats and vulnerabilities
• Heavily segment with isolated VLANs
• Determine inbound and outbound data flows
• Set up strict filtering and monitor for anomalies